Conference Paper

METEOR: A successful application of B in a large project

Abstract

The automatic train operating system for METEOR, the first driverless metro in the city of Paris, is designed to manage the traffic of the vehicles controlled automatically or manually. This system, developed by Matra Transport International for the RATP, requires a very high level of dependability and safety for the users and the operator. To achieve this, the safety critical software located in the different control units (ground, line and on-board) was developed using the B formal method, together with the Vital Coded Processor. This architecture thus ensures an optimum level of safety agreed with the customer. This experience with the METEOR project has convinced Matra Transport International of the advantages of using this B formal method for large-scale industrial developments.

... (1) For modules using machine learning, the safety of the intended functionality no longer just depends on correctness of a specification and its software implementation, but also on the completeness and unbiasedness of the training data used [12] (Flammini et al. [8] call this "the opaque nature of underlying techniques and algorithms"). (2) Agent behaviour based on belief databases and plans cannot be fully specified at type certification time, since the behaviour can change in a significant way later on, due to machine learning effects, updates of the belief database, and changes of plans during runtime [3]. ...
... https://www.youtube.com/watch?app=desktop&v=xCIjxiVO48Q&feature=youtu.be The driverless Paris metro METEOR, for example, is operative since 1998 [2]. A list of automated train systems is available under https://en.wikipedia.org/wiki/ ...
Chapter
Full-text available
In this paper, we review software-based technologies already known to be, or expected to become, essential for autonomous train control systems with grade of automation GoA 4 (unattended train operation) in existing open railway environments. It is discussed which types of technology can be developed and certified already today on the basis of existing railway standards. Other essential technologies, however, require modifications or extensions of existing standards in order to provide a certification basis for introducing these technologies into non-experimental "real-world" rail operation. Regarding these, we check the novel pre-standard ANSI/UL 4600 with respect to suitability as a certification basis for safety-critical autonomous train control functions based on methods from artificial intelligence. As a thought experiment, we propose a novel autonomous train controller design and perform an evaluation according to ANSI/UL 4600. This results in the insight that autonomous freight trains and metro trains using this design could be evaluated and certified on the basis of ANSI/UL 4600.
... Shortly after, the first non-systematic surveys of formal methods in the railway domain were published [17,109]; these are both very personal, informal reviews of formal techniques and tools and exemplary applications to railway systems. Also worth mentioning are a tutorial introduction to the B method [3] and a brief description and discussion of two of its best-known applications in industry [2]: the development of safety-critical parts of the subway line 14 and the Roissy airport shuttle of Paris [7,14]. The classical 2009 survey on formal methods [127], "perhaps the most comprehensive review ever made of formal methods application in industry", reviews the application of formal methods in 62 different industrial projects world-wide, in all but 6 cases by collecting data directly from individuals who had been involved in the projects. One of the eight highlighted projects is from the railway domain. ...
... 68% of the studies have academic authors only, 8% have authors coming exclusively from industry and 24% have mixed affiliations. The majority (68%) considers industrial problems in laboratory settings, 16% validate the results with industrial partners and 5% document the development of real railway products with formal methods [7,14,62,64,82,96]. ...
... Formal modeling is applied in 95% of the studies and formal verification in 67%. Model checking is the most commonly adopted technique (47%) [9,15,20,35,37,38,41,47,64,82,87,91,96,116,117,128], followed by simulation (27%) [9,15,20,36,41,57,64,82,96,116,117,124], theorem proving (19.5%) [14,41,68,72,84] and refinement (18%) [7,37,68,81,82,84,91,96,116]. Less commonly used techniques are those strictly related to code, like test generation (6%) [31,64,124], code generation (6%) [7,14,62,64,96,117] and static analysis (1%) [62,117]. ...
Article
Full-text available
Formal methods are mathematically based techniques for the rigorous development of software-intensive systems. The railway signaling domain is a field in which formal methods have traditionally been applied, with several success stories. This article reports on a mapping study that surveys the landscape of research on applications of formal methods to the development of railway systems. Following the guidelines of systematic reviews, we identify 328 relevant primary studies, and extract information about their demographics, the characteristics of formal methods used and railway-specific aspects. Our main results are as follows: (i) we identify a total of 328 primary studies relevant to our scope published between 1989 and 2020, of which 44% published during the last 5 years and 24% involving industry; (ii) the majority of studies are evaluated through Examples (41%) and Experience Reports (38%), while full-fledged Case Studies are limited (1.5%); (iii) Model checking is the most commonly adopted technique (47%), followed by simulation (27%) and theorem proving (19.5%); (iv) the dominant languages are UML (18%) and B (15%), while frequently used tools are ProB (9%), NuSMV (8%) and UPPAAL (7%); however, a diverse landscape of languages and tools is employed; (v) the majority of systems are interlocking products (40%), followed by models of high-level control logic (27%); (vi) most of the studies focus on the Architecture (66%) and Detailed Design (45%) development phases. Based on these findings, we highlight current research gaps and expected actions. In particular, the need to focus on more empirically sound research methods, such as Case Studies and Controlled Experiments, and to lower the degree of abstraction, by applying formal methods and tools to development phases that are closer to software development. Our study contributes with an empirically based perspective on the future of research and practice in formal methods applications for railways. It can be used by formal methods researchers to better focus their scientific inquiries, and by railway practitioners for an improved understanding of the interplay between formal methods and their specific application domain.
... The software engineering community has acquired substantial scientific knowledge, several formal methods, and a variety of technology for helping on the construction of trustworthy real systems. Indeed, in the last decades, many successful examples of large-scale industrial software have been reported, from which we would like to mention the seL4 microkernel [13,1], the Paris Métro Line 14 [7] and the Rotterdam Storm Surge Barrier [21]. Moreover, the application of all the technology necessary to ensure reliability of safety-critical software may well be the major reason for the absence, in the last 10 or 15 years, of serious damage caused by software failures. ...
... To carry out a real task, the code should be completed with more actions after the method calls, but we would like to concentrate on termination of this kind of mutual recursion. In the three methods, type variable T is instantiated to int. ...
Preprint
Full-text available
This paper is a tutorial for newcomers to the field of automated verification tools, though we assume the reader to be relatively familiar with Hoare-style verification. In this paper, besides introducing the most basic features of the language and verifier Dafny, we place special emphasis on how to use Dafny as an assistant in the development of verified programs. Our main aim is to encourage the software engineering community to make the move towards using formal verification tools.
... To achieve such a high-level of safety assurance of those complex signalling systems, scenario-based testing methods are far from being sufficient, despite that they are still widely used in the industry. Alternatively, formal methods have been successfully applied in the railway domain [6,9] and seem quite fitted for dealing with railway signalling systems. However, little has been done in the field of formal methods to address the cyber-physical nature of modern railway signalling systems. ...
... communication_centre_extension_1
    ANY rb, rq, ex, tr
    WHERE
      grd1 : rb ∈ RBC
      grd2 : rq ∈ req
      grd3 : ex ∈ (EXT \ ext)
      grd4 : reqd(rq) = rb
      grd5 : extd(ex) = reqs(rq)
      grd6 : exts(ex) = reqd(rq)
      grd7 : extv(ex) > nEoA(reqs(rq))
      grd8 : extv(ex) < ppos(pmap(ntp(reqs(rq))))
      grd9 : ∀tr · tr ∈ TR ∧ tr reqs(rq) ⇒ extv(ex) < ntp(tr)(t)
To model movement_authority_extension message sending we apply the reply message modelling pattern, which adds a new message to the channel and removes the replied message. In order to avoid having a single super-event, it was decided to split message sending into two events which respectively model movement authority extension over a line and over a point. ...
Article
For years formal methods have been successfully applied in the railway domain to formally demonstrate safety of railway systems. Despite that little has been done in the field of formal methods to address the cyber-physical nature of modern railway signalling systems. In this paper, we present an approach for a formal development of cyber-physical railway signalling systems which is based on a refinement-based modelling and proof-based verification. Our approach utilises the Event-B formal specification language together with a hybrid system and communication modelling patterns to developing a generic hybrid railway signalling system model which can be further refined to capture a specific railway signalling system. The main technical contribution of this paper is the refinement of the hybrid train Event-B model with other railway signalling sub-systems. The complete model of the cyber-physical railway signalling system was formally proved to ensure a safe rolling stock separation and prevent their derailment. Furthermore, the paper demonstrates the advantage of the refinement-based development approach of cyber-physical systems which enables a problem decomposition and in turn reduction in the verification and modelling effort.
... In this context, the LChIP Project 1 was founded with the objective of using formal methodologies of specification in order to support the analysis, verification and code generation of RIS. The formal specification language used in this project is B-method [4], which has been successfully used in many railway projects, like [5], [6] and [7], and whose mathematical background and supporting tools allow the automatic safety proof and refinement in order to generate safety-proved computer-controlled systems. The generated code may then be installed on industrial micro-controllers embedding two processors as a way to support software redundancy, allowing the code generated in two different refinement processes to run on both processors. ...
... As a way to allow the formal specification of relay-based RIS, the use of B-method as a formal language has been proposed in a previous work [10]. B-method is considered as one of the strongest approaches for the specification of railway systems [11] and its success has been proved by its use in many industrial projects ( [5], [6], [7] ). ...
... In fact, this kind of process is accepted by STRMTG (https://www.strmtg.developpement-durable.gouv.fr/), the French Technical service for ski lifts and guided transport, to assess metros in France. Since the first automated metro line in Paris, Meteor line [14], the use of formal methods for system validation and verification in urban railways has been an undeniable industrial success, at least for software components but not only the study [15]. The Event-B method is supported by tools providing visual animations which allows experts to validate high-level behaviour of a system [16,17]. ...
... They are used to ensure that software systems are correct, consistent, and secure, and that they meet their requirements and specifications. Target software are for example Automatic Train Protection for the computation of braking curves, or Boolean equations solver to compute interlocking states [5] [9] [13]. Formal methods are either part of the development process or implemented in the verification and validation phase. ...
Chapter
Full-text available
System safety is based on the implementation of technical and organisational principles to ensure that a feared event cannot occur more frequently than expected. Such a demonstration, so-called safety case, relies on domain specific standards which capitalise on experience gained after decades of development and operation. For more than a decade, the threat of human attacks aimed at disrupting the operation of such systems has become more acute. In the railways, communications between on board and track-side equipment are naturally subject to targeted attacks aimed at reducing the availability of the equipment or disrupting its operational safety to the point of creating accidents. This paper aims to sketch the range of logical and hardware attacks practised today that could be used in the future to attack railway systems to make them less available or less secure. It also presents a combination of techniques and technologies that, assisted by formal methods, can reduce the chances of success of such attacks.

Keywords: formal methods, cybersecurity, safety
... In [3], the Vital Coded Processor is used in combination with the B formal method to respectively detect errors in the code production chain (compiling, linking, etc.) or resulting from hardware failures, and to detect design or coding errors. ...
Chapter
Full-text available
The distribution of safety functions along the tracks requires the networking of the ECUs (an Electronic Control Unit is an embedded system that controls one or more electrical systems or subsystems) that support them, to facilitate their operation and maintenance. The latter enables logs to be sent, commands to be received and sent that will lead to a state change of one of the connected equipment, and the ECU application software to be updated. All these activities are naturally subject to targeted attacks aimed at reducing the availability of the equipment or disrupting its operational safety to the point of creating accidents. This article presents an innovative approach partitioning security and safety on two different computers. One computer connected to the network ensures security and is regularly updated according to known threats. The other computer ensures safety and communicates only through a secure filter. Each computer embeds technological elements that have been specified, implemented and proven with two different formal methods.

Keywords: Formal methods, Cybersecurity, Safety
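The citation context above notes that the Vital Coded Processor catches errors introduced by the toolchain (compiler, linker) and by hardware, while B catches design and coding errors. The Python block below is an added illustration of the general arithmetic-coding idea behind that kind of error detection: a functional value x is carried as A*x + B_x, where A is a large constant and B_x a compile-time signature, so that a checker can validate the residue of every intermediate result. It is not the Vital Coded Processor's encoding or code; the constant A, the signatures, and all function names are assumptions made for this example.

```python
"""Added illustration of arithmetic (AN + B) coding, the general idea behind
coded-processor error detection.  This is NOT the Vital Coded Processor's
actual encoding: the constant A, the signatures, and the functions here are
assumptions made for this example only."""

A = 2_147_483_647  # large prime; a random corruption of A*x + B is rarely still congruent to B mod A


class CodedError(Exception):
    """Raised when a coded value does not carry the signature expected for it."""


def encode(x: int, sig: int) -> int:
    """Carry the functional value x as A*x + sig, where sig is a compile-time signature."""
    return A * x + sig


def verify(coded: int, expected_sig: int) -> int:
    """Check that coded == A*x + expected_sig for some integer x, and return x."""
    diff = coded - expected_sig
    if diff % A != 0:
        raise CodedError(f"signature mismatch, residue {diff % A}")
    return diff // A


# Operations on coded values.  Each result's signature is predictable from the
# operands' signatures, so a checker can validate every intermediate result
# without ever decoding it.
def coded_add(a: int, b: int) -> int:
    return a + b          # (A*x + Bx) + (A*y + By) = A*(x + y) + (Bx + By)


def coded_sub(a: int, b: int) -> int:
    return a - b          # signature Bx - By


def coded_scale(c: int, a: int) -> int:
    return c * a          # c*(A*x + Bx) = A*(c*x) + c*Bx


def demo() -> dict:
    """Nominal computation plus two injected faults; returns what the checker observed."""
    bx, by = 12_345, 54_321                 # static signatures assigned by the 'compiler'
    x, y = encode(10, bx), encode(7, by)

    total = verify(coded_add(x, y), bx + by)          # 17
    tripled = verify(coded_scale(3, x), 3 * bx)       # 30

    # Fault 1: a hardware bit flip in the stored sum.
    try:
        verify(coded_add(x, y) ^ (1 << 5), bx + by)
        bitflip_detected = False
    except CodedError:
        bitflip_detected = True

    # Fault 2: the toolchain emitted a subtraction where the source said addition.
    # The value is wrong AND its signature is Bx - By instead of Bx + By.
    try:
        verify(coded_sub(x, y), bx + by)
        wrong_op_detected = False
    except CodedError:
        wrong_op_detected = True

    return {"total": total, "tripled": tripled,
            "bitflip_detected": bitflip_detected, "wrong_op_detected": wrong_op_detected}


if __name__ == "__main__":
    print(demo())
```

The point a practitioner should take from this is the complementarity the excerpt describes: a design error that is faithfully compiled produces a value with the expected signature and is not detected by the code, which is why the proved B development is needed alongside it, and a miscompiled or corrupted value is rejected here regardless of whether the B proof was correct.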
... However, next to the aforementioned case study by Pfleeger and Hatton [40], who investigated the effects of using FM in an industrial setting in which professionals developed an air-traffic-control information system, there are some examples of case studies developed by academics in close collaboration with practitioners, and also partially carried out inside the companies they work for [176,177]. In particular the railway domain contains a fair number of case studies on applying FM [178-182], among which one of the best known success stories of applying FM in industry [183]. • Pointers to external guidelines: the primary reference for case study research is the book by Runeson [174], including also several examples. ...
Article
Full-text available
Empirical studies on formal methods and tools are rare. In this paper, we provide guidelines for such studies. We mention their main ingredients and then define nine different study strategies (usability testing, laboratory experiments with software and human subjects, case studies, qualitative studies, surveys, judgement studies, systematic literature reviews, and systematic mapping studies) and discuss for each of them their crucial characteristics, the difficulties of applying them to formal methods and tools, typical threats to validity, their maturity in formal methods, pointers to external guidelines, and pointers to studies in other fields. We conclude with a number of challenges for empirical formal methods.
... In particular the railway domain contains a fair number of case studies on applying FM [168,169,170,171,172], among which one of the best known success stories of applying FM in industry [173]. ...
Preprint
Full-text available
Empirical studies on formal methods and tools are rare. In this paper, we provide guidelines for such studies. We mention their main ingredients and then define nine different study strategies (laboratory experiments with software and human subjects, usability testing, surveys, qualitative studies, judgment studies, case studies, systematic literature reviews, and systematic mapping studies) and discuss for each of them their crucial characteristics, the difficulties of applying them to formal methods and tools, typical threats to validity, their maturity in formal methods, pointers to external guidelines, and pointers to studies in other fields. We conclude with a number of challenges for empirical formal methods.
... Examples of such systems can be real ones with which a person comes into contact most often. While human presence is still legally required to operate the systems in the automotive domain, there are examples of mass train systems functioning entirely autonomously (for example, metro lines in Paris (Behm et al., 1999) and Singapore (May, 2004)). Accordingly, during their development, modeling and verification methods have been used for a long time to avoid the appearance of potential critical errors in production. ...
Article
Full-text available
A eurobalise is designed to broadcast the current state of the railway to a passing train. Such a transmitter is activated with an approaching train and its goal is to dispatch messages called telegrams. In this article, we consider the encoding process of such telegrams. Since the CRC checksum building method is based on operations with polynomials over the Galois field modulo 2, we describe a proven library to work with polynomials. Next, we present the implementation of the encoder in a modeling language according to the open specification and then discuss its verification strategies using the Model Checking method.
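The abstract above builds the telegram CRC on polynomial arithmetic over GF(2). The block below is an added Python example, not the paper's library or the Eurobalise encoder: it implements GF(2) polynomial multiplication and long division, states a CRC as a polynomial remainder, and checks that formulation against the bit-serial shift register a hardware encoder would use. The CRC parameters are the public CRC-16/CCITT-FALSE and CRC-32/BZIP2 definitions, chosen only because their catalogue check values for the string "123456789" are published; the Eurobalise telegram polynomial itself is not reproduced here.

```python
"""Added example of GF(2) polynomial arithmetic and a CRC derived from it.
Polynomials are Python ints with bit i = coefficient of x^i.  The CRC
parameters are the public CRC-16/CCITT-FALSE and CRC-32/BZIP2 definitions
(chosen because their catalogue check values are published); they are NOT the
Eurobalise telegram code, which this example does not reproduce."""


def gf2_mul(a: int, b: int) -> int:
    """Carry-less product: coefficient addition is XOR, so no carries propagate."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r


def gf2_divmod(a: int, g: int) -> tuple:
    """Long division of a by g over GF(2); returns (quotient, remainder)."""
    if g == 0:
        raise ZeroDivisionError("division by the zero polynomial")
    q = 0
    dg = g.bit_length() - 1
    while a and a.bit_length() - 1 >= dg:
        shift = a.bit_length() - 1 - dg
        q ^= 1 << shift
        a ^= g << shift
    return q, a


# (width, generator without its x^width term, init, xorout)
CRC16_CCITT_FALSE = (16, 0x1021, 0xFFFF, 0x0000)
CRC32_BZIP2 = (32, 0x04C11DB7, 0xFFFFFFFF, 0xFFFFFFFF)


def crc_poly(data: bytes, width: int, poly: int, init: int, xorout: int) -> int:
    """Non-reflected CRC stated as a remainder:
         CRC = (M(x)*x^width + init*x^L) mod G(x), XOR xorout,   L = 8*len(data)
    where M(x) is the message read big-endian and G(x) = x^width + poly."""
    g = poly | (1 << width)
    m = int.from_bytes(data, "big")
    bits = 8 * len(data)
    _, rem = gf2_divmod((m << width) ^ (init << bits), g)
    return rem ^ xorout


def crc_register(data: bytes, width: int, poly: int, init: int, xorout: int) -> int:
    """The same CRC as a bit-serial shift register, the form hardware encoders use.
    Each step is 'multiply by x and reduce mod G', so it must equal crc_poly."""
    top, mask = 1 << (width - 1), (1 << width) - 1
    reg = init
    for byte in data:
        for i in range(7, -1, -1):
            reg ^= ((byte >> i) & 1) << (width - 1)
            reg = ((reg << 1) ^ poly) & mask if reg & top else (reg << 1) & mask
    return reg ^ xorout


def append_crc(payload: bytes, params=CRC16_CCITT_FALSE) -> bytes:
    """Frame = payload || CRC (big-endian, width/8 bytes)."""
    width = params[0]
    return payload + crc_poly(payload, *params).to_bytes(width // 8, "big")


def crc_ok(frame: bytes, params=CRC16_CCITT_FALSE) -> bool:
    """Receiver-side check: recompute over the payload and compare with the trailer."""
    n = params[0] // 8
    if len(frame) < n:
        return False
    return crc_poly(frame[:-n], *params) == int.from_bytes(frame[-n:], "big")


def flip_bit(frame: bytes, k: int) -> bytes:
    """Corrupt bit k (0 = least significant bit of the last byte) of a frame."""
    v = int.from_bytes(frame, "big") ^ (1 << k)
    return v.to_bytes(len(frame), "big")
```

Two caveats worth keeping in mind when reading the abstract. First, the polynomial view is what makes the error-detection properties provable: a single flipped bit is an error polynomial x^k, which is never divisible by a generator with a nonzero constant term, so every single-bit corruption of a frame is caught. Second, a CRC is a linear code with no secret, so it detects random channel errors, not deliberate tampering; a transmitter that can be reached by an attacker needs a keyed integrity mechanism on top of it.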
... Even though formal methods have been successfully used in the railway domain (e.g. [1], [2]), their industry application is scarce. In spite of a large body of academic studies addressing issues of formal verification of railway systems, they typically remain an academic exercise due to a prohibitive cost of initial investment for their industrial deployment. ...
Article
Full-text available
SafeCap is a modern toolkit for modelling, simulation and formal verification of railway networks. This paper discusses the use of SafeCap for formal analysis and automated scalable safety verification of solid state interlocking (SSI) programs, a technology at the heart of many railway signalling solutions around the world. The main driving force behind SafeCap development was to make it easy for signalling engineers to use the technology and thus to ensure its smooth industrial deployment. The unique qualities and the novelty of SafeCap are in making the use of formal notations and proofs fully transparent for the engineers. In this paper we explain the formal foundations of the proposed method, its tool support, and their successful application by railway companies in developing industrial signalling projects.
... In addition to reducing the state space of the original model, the proposed approach provides richer counterexamples: since the transformed variables represent intervals, the counterexamples produced are defined as a set of inequalities, describing a whole space of counterexamples instead of specific values for each variable. ... [Footnotes: 1 Organisation européenne pour la recherche nucléaire (European Council for Nuclear Research). 2 It is publicly available under https://gitlab.com/plcverif-oss]
Conference Paper
Full-text available
Software model checking has recently started to be applied in the verification of programmable logic controller (PLC) programs. It works efficiently when the number of input variables is limited, their interaction is small and, thus, the number of states the program can reach is not large. As observed in the large code base of the CERN industrial PLC applications, this is usually not the case: it thus leads to the well-known state-space explosion problem, making it impossible to perform model checking. One of the main reasons that causes state-space explosion is the inclusion of numeric variables due to the wide range of values they can take. In this paper, we propose an approach to discretize PLC input numeric variables (modelled as non-deterministic). This discretization is complemented with a set of transformations on the control-flow automaton that models the PLC program so that no extra behaviours are added. This approach is then quantitatively evaluated with a set of empirical tests using the PLC model checking framework PLCverif and three different state-of-the-art model checkers (CBMC, nuXmv, and Theta), showing beneficial results for BDD-based model checkers.
... Examples exist based on the type of system, such as the article by Essamé et al. (2006), which presents the application of the B method for safety-critical software of the New York City Canarsie Line. Another example is the report by Behm et al. (1999), who presented the processes followed for the development of an automatic train operating system for the Paris Metro line 14 alongside insights about the organization and team's roles within the project. Finally, successful instances of FMs applications exist, from both the academic (Haxthausen, 2010;Vu, Haxthausen and Peleska, 2014;Vu, 2015) and the industrial perspective (Cimatti et al., 1998), for interlocking systems which are assigned with the highest Safety Integrity Level 4 (SIL4) in CENELEC's EN50128 guidelines. ...
Article
Full-text available
It is now more evident than ever before that the organizations that develop or utilize railway signaling systems need to take advantage of modern scientific disciplines and technologies in order to meet transportation demand, improve train services, and re-assure the financial and environmental sustainability of railways. Although several game-changing technologies have emerged both in academic studies and the industry, adoption has differed across industries and sectors, with some of them employing modern tools and extracting their benefits, while others not. While this phenomenon can be attributed to the levels of demand for technological solutions according to the needs of each market, on the other hand, it can be accredited to the unsuccessful attempt to understand how the implementation of adoption itself could take place. In the current article, it is discussed how the study of the adoption of Formal Methods, and the tools that can be developed based on them, can occur in a systematic way in order to extract critical insights for this process. The analysis included in this article is part of the on-going discussion on the systematic study of the adoption of emerging technologies in railways and the currently developed scientific literature on the topic.
... In recent years, there has been a push by industries with a strong focus on distributed systems to incorporate formal methods into their system development processes [HHK+17,New14]. The railway domain has proved to be a fruitful area for applying various formal methods, but considerably less has been done in applying them for distributed railway systems by industry and academia [BBFM99,ED06]. Therefore, the long-term aim of our research is to lower the barriers of applying formal methods for the development of complex railway signalling systems, including distributed [SIK+20], heterogeneous [SI17] and hybrid [SDS+19] railway systems. ...
Article
Full-text available
The decentralised railway signalling systems have a potential to increase capacity, availability and reduce maintenance costs of railway networks. However, given the safety-critical nature of railway signalling and the complexity of novel distributed signalling solutions, their safety should be guaranteed by using thorough system validation methods. To achieve such a high-level of safety assurance of these complex signalling systems, scenario-based testing methods are far from being sufficient despite that they are still widely used in the industry. Formal verification is an alternative approach which provides a rigorous approach to verifying complex systems and has been successfully used in the railway domain. Despite the successes, little work has been done in applying formal methods for distributed railway systems. In our research we are working towards a multifaceted formal development methodology of complex railway signalling systems. The methodology is based on the Event-B modelling language which provides an expressive modelling language, a stepwise development and a proof-based model verification. In this paper, we present the application of the methodology for the development and verification of a distributed protocol for reservation of railway sections. The main challenge of this work is developing a distributed protocol which ensures safety and liveness of the distributed railway system when message delays are allowed in the model.
... Formal methods and formal verification [34] denote a wide range of techniques aiming at proving the correctness of a system with mathematical guarantee -reasoning over all possible inputs and paths of the system, with methods drawn from logic, automated reasoning and program analysis. The last two decades have seen an extraordinary blooming of the field, with significant case-studies ranging from pure mathematics [68] to complete software architectures [100,109] and industrial systems [16,94]. In addition to offering an alternative to testing, formal verification has in principle the decisive additional advantages to both enable parametric proof certificates and offer once-for-all absolute guarantees for the correctness of programs. ...
Preprint
Full-text available
While recent progress in quantum hardware opens the door for significant speedup in certain key areas (cryptography, biology, chemistry, optimization, machine learning, etc.), quantum algorithms are still hard to implement right, and the validation of such quantum programs is a challenge. Moreover, importing the testing and debugging practices at use in classical programming is extremely difficult in the quantum case, due to the destructive aspect of quantum measurement. As an alternative strategy, formal methods are prone to play a decisive role in the emerging field of quantum software. Recent works initiate solutions for problems occurring at every stage of the development process: high-level program design, implementation, compilation, etc. We review the induced challenges for an efficient use of formal methods in quantum computing and the current most promising research directions.
... This holds for both industrial and academic applications. This success story started with the application of B for the development of the driverless Paris Metro 14, where B was used for both software verification and data validation [BBFM99]. The core B formalism is based on quantified first-order logic and provides a theorem prover for automated and interactive verification of correctness properties. ...
Article
Full-text available
In this paper, an efficient approach to data validation of distributed geographical interlocking systems (IXLs) is presented. In the distributed IXL paradigm, track elements are controlled by local computers communicating with other control components over local and wide area networks. The overall control logic is distributed over these track-side computers and remote server computers that may even reside in one or more cloud server farms. Redundancy is introduced to ensure fail-safe behaviour, fault-tolerance, and to increase the availability of the overall system. To cope with the configuration-related complexity of such distributed IXLs, the software is designed according to the digital twin paradigm: physical track elements are associated with software objects implementing supervision and control for the element. The objects communicate with each other and with high-level IXL control components in the cloud over logical channels realised by distributed communication mechanisms. The objective of this article is to explain how configuration rules for this type of IXLs can be specified by temporal logic formulae interpreted on Kripke Structure representations of the IXL configuration. Violations of configuration rules can be specified using formulae from a well-defined subset of LTL. By decomposing the complete configuration model into sub-models corresponding to routes through the model, the LTL model checking problem can be transformed into a CTL checking problem for which highly efficient algorithms exist. Specialised rule violation queries that are hard to express in LTL can be simplified and checked faster by performing sub-model transformations adding auxiliary variables to the states of the underlying Kripke Structures. Further performance enhancements are achieved by checking each sub-model concurrently. The approach presented here has been implemented in a model checking tool which is applied by Siemens Mobility for data validation of geographical IXLs.
... Around 30% of the automatic metros' ATP specifications are modelled with the B language (Fig. 7). Their implementations are proved [3] to be correct refinements (no contradiction wrt specification). The model is huge, representing more than 50,000 lines of specification. ...
Chapter
Full-text available
The railways have a quite long modelling history, covering many technical aspects from infrastructure to rolling stock, train movement, maintenance, etc. These models are mostly separate and operated independently by various stakeholders and with diverse objectives. This article presents some of the various digital modelling activities, including formal ones, that are undertaken by the railway industry, for design, development, validation, qualification, and exploitation. It also introduces trends toward regrouping models to obtain more significant results together with a larger scope, prefiguring digital twins.
... Shortly after, the first non-systematic surveys of formal methods in the railway domain were published [13,84]; these are both very personal, informal reviews of formal techniques and tools and exemplary applications to railway systems. Also worth mentioning are a tutorial introduction to the B method [2] and a brief description and discussion of two of its best-known applications in industry [1]: the development of safety-critical parts of the subway line 14 and the Roissy airport shuttle of Paris [6,11]. ...
Preprint
Formal methods are mathematically-based techniques for the rigorous development of software-intensive systems. The railway signaling domain is a field in which formal methods have traditionally been applied, with several success stories. This article reports on a mapping study that surveys the landscape of research on applications of formal methods to the development of railway systems. Our main results are as follows: (i) we identify a total of 328 primary studies relevant to our scope published between 1989 and 2020, of which 44% published during the last 5 years and 24% involving industry; (ii) the majority of studies are evaluated through Examples (41%) and Experience Reports (38%), while full-fledged Case Studies are limited (1.5%); (iii) Model checking is the most commonly adopted technique (47%), followed by simulation (27%) and theorem proving (19.5%); (iv) the dominant languages are UML (18%) and B (15%), while frequently used tools are ProB (9%), NuSMV (8%) and UPPAAL (7%); however, a diverse landscape of languages and tools is employed; (v) the majority of systems are interlocking products (40%), followed by models of high-level control logic (27%); (vi) most of the studies focus on the Architecture (66%) and Detailed Design (45%) development phases. Based on these findings, we highlight current research gaps and expected actions. In particular, the need to focus on more empirically sound research methods, such as Case Studies and Controlled Experiments, and to lower the degree of abstraction, by applying formal methods and tools to development phases that are closer to software development. Our study contributes with an empirically based perspective on the future of research and practice in formal methods applications for railways.
... Several embedded safety-critical systems are not encoded using the Java language (e.g. the Meteor subway [40] was developed in Ada), and hence, it may be a little dangerous to let the debugging tools make internal choices, not conformant to the semantics, and which may not reflect the final system. The practical contribution of an executable DSL is its ability to behave as the final system should run. ...
Article
One of the promising techniques to address the dependability of a system is to apply, at early design stages, domain-specific languages (DSLs) with execution semantics. Indeed, an executable DSL would not only represent the expected system’s structure, but it is intended to itself behave as the system should run. In order to make executable DSLs a powerful asset in the development of safety-critical systems, not only a rigorous development process is required but the domain expert should also have confidence in the execution semantics provided by the DSL developer. To this aim, we recently developed the Meeduse tool and showed how to bridge the gap between MDE and a proof-based formal approach. In this work, we apply our approach to the Petri-net DSL and we present MeeNET, a proved Petri-net designer and animator powered by Meeduse. MeeNET is built on top of PNML (Petri-Net Markup Language), the international standard ISO/IEC 15909 for Petri-nets, and provides underlying formal static and dynamic semantics that are verified by automated reasoning tools. This paper first presents simplified MDE implementations of Petri-nets applying Java, QVT, Kermeta and fUML that we experimented in order to debug a safety-critical system and summarises the lessons learned from this study. Then, it provides formal alternatives, based on the B method and process algebra, which are well-established techniques allowing interactive animation on the one hand and reasoning about the behaviour correctness, on the other hand.
...
  • The detect-and-avoid system for unmanned aircraft system developed by NASA (formalized in PVS) [ORSVH95]
  • Compcert, a C compiler certified (formalized in Coq) [Ler16]
  • CakeML, a certified compiler for a functional programming language (formalized in HOL4) [KMNO14]
  • The correctness of the automatic Paris metro line 14 (formalized in B) [BBFM99]
These lists are not exhaustive. The reader may find a deeper inspection of the use of proof assistants in [Geu09]. ...
Thesis
Proof systems are tools used to formally prove theorems, and in particular that software is bug-free. Proof systems provide the highest degree of confidence to prove the absence of bugs in software. However, using such tools requires a high level of expertise which makes them difficult to use. The interaction with a proof system requires the user to prove and formalize many mathematical concepts. Such work is time-consuming and may require a significant amount of manpower (e.g. the four-color theorem or the Hales-Kepler theorem). The diversity of proof systems has the negative consequence that these theorems (e.g. Fermat's little theorem) are formalized many times. This thesis investigates, both on the theoretical and the practical side, ways to translate (semi-)automatically theorems proved in one proof system to another.
... The increasing complexity of modern digital interlocking, both in terms of geographical coverage and functionality, poses a major challenge to ensuring railway safety. Even though formal methods have been successfully used in the railway domain (e.g., [13], [14]), their industrial application is scarce. SafeCap offers an industry-strength verification approach that does not require engineers to learn mathematical notations and can be applied to real-life stations providing user-friendly reports within seconds. ...
Article
Industry applications of formal verification to signaling control tables require formulation of a large number of mathematical conjectures expressing verification rules. It is paramount to establish the validity and completeness of these conjectures. This article discusses a mutation-based validation technique that guides domain experts in the construction of such verification rules. Furthermore, we use genetic programming to quickly generate millions of well-formed data mutations of control tables and to synthesize mutation programs. The technique is illustrated by a synthetic running example and a discussion of our experience in using it in the industrial setting.
... Some of the tools have been "certified by usage" since 1998 [6], but the newest tools of this toolchain have no history to rely on for certification. It is not a problem for railway standards as the whole product is certified (with its environment, the development and verification process, and other elements). ...
Article
The CLEARSY Safety Platform (CSSP) was designed to ease the development of safety critical systems and to reduce the overall costs (development, deployment, and certification) under the pressure of the worldwide market. A smart combination of hardware features (double processor) and formal method (B method and code generators) was used to produce a SIL4-ready platform where safety principles are built-in and cannot be altered by the developer. Summarizing a 5-year return of experience in the effective application in the railways, this article explains how this approach is a game-changer and tries to anticipate the future of this platform for safety critical systems. In particular, the education of future engineers and the seamless integration in existing engineering processes with the support of Domain Specific Languages are key topics for a successful deployment in other domains. DSL like Robosim to program mobile robots and relay circuits to design railway signalling systems are connected to the platform.
... Automatic and/or manual mathematical proof is accordingly possible to demonstrate whether invariant properties consistently hold when the system is operated. Many B-method industrial applications have been achieved, mainly found in rail systems such as the automatic train control systems, such as Paris metro line 14 [28] or the automation of Paris line 1 by the RATP. ...
Chapter
From straightforward knowledge management to sophisticated AI models, ontologies have proved great potential in capturing expertise while being particularly apposite to today’s data abundance and digital transformation. AI and data are reshaping a wide range of sectors, in particular, human resources management and talent development, which tend to involve more automation and growing quantities of data. Because they bring implications on workforce and career planning, jobs transparency and equal opportunities, overseeing what fuels AI and analytical models, their quality standards, integrity and correctness becomes an imperative for HR departments aspiring to such systems. Based on the combination of formal methods, namely, the B-method and CPNs, we present in this paper a preliminary approach to constructing and validating career ontology graphs with what we will define as B-CPNs.
... Some of the tools have been "certified by usage" since 1998 [4], but the newest tools of this toolchain have no history to rely on for certification. It is not a problem for railway standards as the whole product is certified (with its environment, the development and verification process, and other elements). ...
Preprint
The CLEARSY Safety Platform (CSSP) was designed to ease the development of safety critical systems and to reduce the overall costs (development, deployment, and certification) under the pressure of the worldwide market. A smart combination of hardware features (double processor) and formal method (B method and code generators) was used to produce a SIL4-ready platform where safety principles are built-in and cannot be altered by the developer. Summarizing a 5-year return of experience in the effective application in the railways, this article explains how this approach is a game-changer and tries to anticipate the future of this platform for safety critical systems. In particular, the education of future engineers and the seamless integration in existing engineering processes with the support of Domain Specific Languages are key topics for a successful deployment in other domains. DSL like Robosim to program mobile robots and relay circuits to design railway signalling systems are connected to the platform.
Chapter
This paper, written in honour of Tiziana Margaria, aims to provide a comprehensive presentation of where mainstream formal methods are currently used for modelling and analysis of railway applications.
Article
Formal methods encompass a wide choice of techniques and tools for the specification, development, analysis, and verification of software and hardware systems. Formal methods are widely applied in industry, in activities ranging from the elicitation of requirements and the early design phases all the way to the deployment, configuration, and runtime monitoring of actual systems. Formal methods allow one to precisely specify the environment in which a system operates, the requirements and properties that the system should satisfy, the models of the system used during the various design steps, and the code embedded in the final implementation, as well as to express conformance relations between these specifications. We present a broad scope of successful applications of formal methods in industry, not limited to the well-known success stories from the safety-critical domain, like railways and other transportation systems, but also covering other areas such as lithography manufacturing and cloud security in e-commerce, to name but a few. We also report testimonies from a number of representatives from industry who, either directly or indirectly, use or have used formal methods in their industrial project endeavours. These persons are spread geographically, including Europe, Asia, North and South America, and the involved projects witness the large coverage of applications of formal methods, not limited to the safety-critical domain. We thus make a case for the importance of formal methods, and in particular of the capacity to abstract and mathematical reasoning that are taught as part of any formal methods course. These are fundamental Computer Science skills that graduates should profit from when working as computer scientists in industry, as confirmed by industry representatives.
Conference Paper
Accidents at level crossings often cause dramatic material and human damages that seriously affect the reputation of rail safety. Research on Level Crossing (LC) safety has attracted considerable attention in recent years. In this paper, we rely on formal methods, based on mathematical rigour, which provide real help for the designer to evaluate the behaviour of a system and avoid errors before its implementation. Thereby, we propose a railway LC system that suggests a new architecture which prevents very risky situations causing several accidents. To do so, we adopted the Event-B formal method to specify the safety requirements of our system and verify its correctness. Event-B is based on the refinement technique which allows a problem decomposition and then reduces modelling and verification effort.
Chapter
Component-based software engineering (CBSE) is a widely used software development paradigm. With software systems becoming increasingly sophisticated, CBSE provides an effective approach to construct reusable, extensible, and maintainable software systems. Formal verification provides a rigorous and systematic approach to validate the correctness of software systems by mathematically proving properties or checking them exhaustively against specified requirements. Using formal verification techniques in component-based development can further enhance the correctness of the development process. However, the adoption of component-based development supported by formal methods is hardly widespread in the industry. It serves to a limited extent in domains with stringent requirements for safety and reliability. In this paper, we aim to analyze the successful application scenarios of formal methods in component-based development, identify the challenges faced during their application, and explore methods to further broaden their adoption.
Chapter
This chapter outlines the use of formal techniques and tools for modeling and analysis of safety systems. When used judiciously, this approach can have marked influence on the system reliability. Moreover, such formal modeling and analysis is often supported by tools which can enhance the automated development of systems, which are correct by construction.
Article
Formal Methods is a term used to describe the use of a formal language for the specification of a software product at some level. The use of a formal language allows requirements to be specified more crisply and less ambiguously than a textual document. It can also allow the developers to formally prove that an implementation meets the specified requirements. Some formal languages can even be transformed into executable code. The use of formal methods is explored for large software projects in commercial enterprises, government, and the military. A comparison is made of the attributes and results of these projects. A table at the end supports the conclusion that formal methods can be successful on a large scale.
Article
The automation of programming, which lies at the intersection of software engineering and artificial intelligence, enables machines to automatically generate programs that satisfy given requirements. In the context of B formal design modeling, one of the challenges is the refactoring of substitutions in design specifications, which often uses state transitions to describe how program or system statuses change during execution. This paper proposes a condition and substitution refactoring algorithm for the B formal specification language. The aim of the work is to automatically derive B operational predicates based on given transitions. The work has been extremely useful to machine‐driven formal design model repair as well as automated design specification generation. Given a set of state transitions, common relations of their state variables can be discovered and clustered into a number of classes. These relations can be further used to synthesize substitutions that derive new states from existing states. To restrict application domains of the synthesized substitutions, conditions that guard these substitutions are generated using first‐order logic. We have implemented the proposed algorithm as an extension to the ProB model checker. Experiments were conducted based on the B model public dataset. The evaluation results demonstrated that our solution is able to synthesize conditions and substitutions for various sets of state transitions in a wide range of B models.
Article
The design of complex and/or critical systems requires handling the environment constraints in which these systems evolve. Formal methods allow system developers to design models of such systems. They provide constructs for modelling components and views of these systems. However, these formal methods do not include built-in constructs for modelling the environment, and more broadly, domain knowledge associated with system models. Although ontologies have demonstrated their efficiency in modelling domain-specific features, they are not available as built-in constructs in formal methods. This paper shows how formal ontologies can be used to model domain-specific knowledge, as well as how system models may refer to these ontologies through annotation. We rely on the Event-B refinement and proof state-based method, and the associated theories, to define a framework in which domain-specific knowledge ontologies are formalised as Event-B theories defining data types used to type Event-B system design models. Finally, this framework is deployed for the specific case of interactive critical systems. To illustrate the proposed approach, a case study of the Traffic Collision Avoidance System (TCAS) is developed.
Thesis
Modern bug-finding techniques have become effective enough that the bottleneck is not finding bugs but finding the time to fix them. A popular way to address this problem is to focus first on bugs with a security impact, also known as vulnerabilities. This leads to the question of vulnerability assessment: could an attacker take advantage of a bug? In this thesis we attempt to assess one particular dimension contributing to the security impact of a bug: whether an attacker could trigger it reliably. We call this property replicability. Our goal is to formalize replicability to design bug-finding techniques which only report bugs which are replicable enough. We do so by considering a threat model where inputs to the program which the attacker can choose (like network inputs) are distinguished from inputs which the attacker does not control nor know (like entropy sources). We propose two approaches to replicability. Firstly, we define robust reachability, a qualitative property that expresses that a bug is not only reachable, but that when he chooses the right inputs, the attacker triggers the bug whatever the values of the program inputs he does not control. Secondly, we refine robust reachability quantitatively as the proportion of uncontrolled inputs that let the optimal attacker trigger the bug. We adapt symbolic execution to prove robust reachability and compute this proportion. Robust reachability is more coarse-grained because it is all-or-nothing but scales better than the quantitative approach. We illustrate in case studies the potential applications of these techniques, notably in terms of vulnerability assessment.
Article
Implementing applicable security measures into system engineering applications is still one of the most challenging processes in building secure infrastructure. This process needs to consider a variety of security attributes to support securing system components against numerous cyberattacks that could exploit vulnerable points in the system. The redundancy in these attributes is also another challenge that could degrade system functionality and impact the availability of the system’s services. Therefore, it is crucial to choose appropriate security properties by considering their ability to address cyber threats with minimal negative impacts on the system’s functionality. This process is still subjected to inconsistencies due to ad-hoc determinations by a specialist. In this work, we propose a novel algorithm for optimizing the implementation of security mechanisms in IoT applications for the agricultural domain to ensure the effectiveness of the applied mechanisms against the propagation of potential threats. We demonstrate our proposed algorithm on an IoT application in the farming domain to see how the algorithm helps with optimizing the applied security mechanisms. In addition, we used THREATGET to analyze cyber risks and validate the optimized security attributes against the propagation of cyber threats.
Chapter
The B method is a formal method to design software components and to prove that they are compliant with some formalized requirements, giving a way to build safety-critical programs. However, the correctness of the obtained programs obviously relies on the correctness of those formalized software requirements. Using the CLEARSY Safety Platform, a vital processing solution developed by CLEARSY (SIL4 certified, Certifer 9594/0262) with native B capabilities, we demonstrate here a method to develop vital software with formal proofs directly attached to the key system properties. For instance, a train localization system is proven regarding the property stating that the computed location interval shall always contain the actual train. Such proofs become possible by combining software variables with variables representing physical entities and their timed evolution, thanks to the guaranteed time and deadlines of the CLEARSY Safety Platform. Thus, we avoid the problem of ensuring the correctness of a complex set of formalized software requirements by directly ensuring the wanted system properties. Assumptions and properties for the non-software parts are included in the same B model used to develop the software on the CLEARSY Safety Platform.
Keywords: Formal modelling; System reliability
Chapter
Formal system modelling languages lack explicit constructs to model domain knowledge, hindering clear separation of this knowledge from system design models. Indeed, in many cases, this knowledge is hardcoded in the system formal specification or is simply overlooked. Providing explicit domain knowledge constructs and properties would yield a significant improvement in the robustness and confidence of the system design models. Therefore, it speeds up formal verification of safety properties and advances system certification since certification standards and requirements rely on domain knowledge models. The purpose of this paper is to show how formal system design models can benefit from explicit handling of domain knowledge, represented as ontologies. To this end, state-based Event-B modelling language and theories are used to model system models and domain knowledge ontologies, respectively. Our proposition is exemplified by the TCAS (Traffic Collision Avoidance System) system, a critical airborne avionic component. Finally, we provide an assessment highlighting the overall approach.
Chapter
We present a Software Quality course taught in an MSc program in Computer Science and Engineering. The course takes an overview (‘breadth’) approach, reviewing the most important topics that contribute to the quality of software. The course has been taught traditionally as well as online; we discuss the advantages and disadvantages of both styles and point out what should be kept from the online experience. We also discuss the students’ evaluation and feedback.
Chapter
The system of a train line crossing a border must consider the operating rules of each country. Furthermore, a safe transient mode must be implemented, allowing the system to switch from a set of rules to another. This chapter presents how safety operating rules may be designed by a model-based approach. UML and the B method are used in order to allow conceptual modelling and formal specification of these rules. In addition, this chapter discusses some issues in existing Railway Interlocking Systems modelling approaches and the importance of knowledge representation.
Article
Hybrid systems are complex systems where a software controller interacts with a physical environment, usually named a plant, through sensors and actuators. The specification and design of such systems usually rely on the description of both continuous and discrete behaviours. From complex embedded systems to autonomous vehicles, these systems became quite common, including in safety critical domains. However, their formal verification and validation as a whole is still a challenge. To address this challenge, this article contributes to the definition of a reusable and tool supported formal framework handling the design and verification of hybrid system models that integrate both discrete (the controller part) and continuous (the plant part) behaviours. This framework includes the development of a process for defining a class of basic theories and developing domain theories and then the use of these theories to develop a generic model and system-specific models. To realise this framework, we present a formal proof tool chain, based on the Event-B correct-by-construction method and its integrated development environment Rodin, to develop a set of theories, a generic model, proof processes, and the required properties for designing hybrid systems in Event-B. Our approach relies on hybrid automata as basic models for such systems. Discrete and continuous variables model system states, and behaviours are given using discrete state changes and continuous evolution following a differential equation. The proposed approach is based on refinement and proof using the Event-B method and the Rodin toolset. Two case studies borrowed from the literature are used to illustrate our approach. An assessment of the proposed approach is provided for evaluating its extensibility, effectiveness, scalability, and usability.
Chapter
Formal methods for thirty years have promised to be the solution for the safety certification headaches of railway software designers. This chapter looks at the current industrial application of formal methods in the railway domain. After a recall of the dawning of formal methods in this domain, recent trends are presented that focus in particular on formal verification by means of model checking engines, with its potential and limitations. The paper ends with a perspective into the next future, in which formal methods will be expected to pervade in more respects the production of railway software and systems.
Article
The modelling and verification of systems security is an open research topic whose complexity and importance needs, in our view, the use of formal and non-formal methods. This paper addresses the modelling of security using misuse cases and the automatic verification of survivability properties using model checking. The survivability of a system characterises its capacity to fulfil its mission (promptly) in the presence of attacks, failures, or accidents, as defined by Ellison. The original contributions of this paper are a methodology and its tool support, through a framework called surreal. The methodology starts from a misuse case specification enriched with UML profile annotations and obtains, as a by-product, a survivability assessment model (SAM). Using predefined queries the survivability properties are proved in the SAM. A total of fourteen properties have been formulated and also implemented in surreal, which encompasses tools to model the security specification, to create the SAM and to prove the properties. Finally, the paper validates the methodology and the framework using a cyber-physical system (CPS) case study, in the automotive field.
Article
Contents: Tribute. Foreword. Introduction.
Part I. Mathematics: 1. Mathematical reasoning; 2. Set notation; 3. Mathematical objects.
Part II. Abstract Machines: 4. Introduction to abstract machines; 5. Formal definition of abstract machines; 6. Theory of abstract machines; 7. Constructing large abstract machines; 8. Examples of abstract machines.
Part III. Programming: 9. Sequencing and loop; 10. Programming examples.
Part IV. Refinement: 11. Refinement; 12. Constructing large software systems; 13. Examples of refinement.
Appendixes. Index.
[BMB99] Burdy L., Dollé D., B Method Book; Internal document ref. DRL/XT/39.2617.98/DD/AA (1999).
Faivre A., Milonnet C., B Validation Book; Internal document ref. DSF/XT/32.1374.96/CM/CM (1999).
Burdy L., Meynadier J. M., Automatic Refinement; BUGM at FM’