Article

Automatic refinement

... In order to deepen our knowledge concerning formal requirements and automatic verification and validation, we have focused on control-like methodologies that were inspired by software design and use similar paradigms, such as the B method [10] and Contract Based design [11] [12]. However, these approaches are limited when dealing with physical systems such as ME-CPS. ...
... B is a method for designing software using mathematical proof and successive refinements of specifications in order to develop a correct by construction product. B presents automatic refinement processes to get over the time consuming manual programming [10]. Automatic refinement is at the heart of the B method. ...
Conference Paper
Today's large distributed energy cyber-physical systems such as power networks with multiple production units are becoming more and more complex due to the increasing share of renewables. They are characterized by long-lived lifecycles that can even be eternal such as electric grids where design and operational phases can overlap. These systems exhibit dynamic configurations and involve several interacting disciplines and manifold stakeholders that can, at any time, take part in the system or leave it. A pressing need has emerged for means to test a large number of scenarios all along the system design, operation and maintenance phases. Doing so requires the ability to model the system behavior and perform simulation on each of its facets using accurate tools for the purpose of automated testing, verification and validation. Existing industrial engineering design practices are becoming obsolete and do not have the means to follow the growing complexity of such multi-disciplinary and multi-stakeholder systems. For this matter, we have explored systems engineering (SE) practices among research communities and tool editors. Design methodologies found in literature are generally based on the functional breakdown of requirements and use general modeling languages for representing the system behavior. They are limited to finite state machines representation with a wide gap regarding the physical aspects that are neglected or at best developed in a separate corner. A survey on existing engineering methodologies is presented in this work. The main common missing aspects of these practices are identified and emphasized. A focus on formal approaches for system design and especially for automatic verification and validation processes is also introduced. Finally, an outlook of the main concepts that we chose to focus on in future works concerning the engineering of multi-energy systems is presented in this paper.
... the human modellers and their experience. For the development of the Meteor metro safety automation, MATRA Transport [5] has developed and documented refinement techniques to systematise their use. This resulted in an automatic refinement tool that was later redeveloped for Atelier B. This tool (BART) automates the refinement of a B machine, using an extensible base of refinement rules and an inference engine to apply these rules to an abstract B model. ...
Conference Paper
Full-text available
Despite significant advancements in the design of formal integrated development environments, applying formal methods in software industry is still perceived as a difficult task. To ease the task, providing tools that help during the development cycle is essential but proper education of computer scientists and software engineers is also an important challenge to take up. This paper summarises our experience of 20 years spent in the education of engineers, either colleagues or customers, and students, together with the parallel design and improvement of supporting modelling tools.
... The semantic gap between logic and railway concepts is formidable. This leads to generally low productivity (but we should notice efforts like the BART tool for automatic refinement of B models [7]), difficulties in interpreting tool feedback, and posing verification statements in a manner convincing to a non-expert reviewer. ...
Conference Paper
Full-text available
The paper presents an experience of verifying a large scale, real-life dataset describing various aspects of railway station design. We discuss how a number of assorted digital artefacts were pooled together and converted into a set-theoretic model over which a type inference procedure is run. The typed model is then used to confirm or contradict logical conjectures over data elements. We employ a number of state-of-the-art SMT solvers as a verification back-end. The project is ongoing but has already identified a number of issues in topology definition and signalling data that were missed by other automated tests and not revealed by simulation tools.
... The semantic gap between logic and railway concepts is formidable. This leads to generally low productivity (but we should notice efforts like the BART tool for automatic refinement of B models [13]), difficulties in interpreting tool feedback, and posing verification statements in a manner convincing to a non-expert reviewer. ...
Conference Paper
Full-text available
This paper presents the SafeCap Platform approach to the verification of railway safety properties. We discuss how the hierarchy of formal theories is used to capture the railway domain and interface with verification tools; we explain the contribution of each individual theory to the overall task of safety verification and capacity assessment. Finally, we briefly relate our experience of using two independent verification chains to validate concrete track layouts and control tables against the SafeCap safety theories.
... Rationale. Automatic refinement has been initially imagined [6], developed and put into existence by Matra Transport with the automated "Canarsie line" metro in New-York [9]. By abstract model (see Figure 5), we do not mean the collection of all specification models of the project but a selection of related top level components, including specification, refinement and implementation models, that capture the specification of the software. ...
Conference Paper
Full-text available
Refining a B specification into an implementation can be a complex and time consuming process. This process can usually be separated in two distinct parts: the specification part, where the refinement is used to introduce new properties and specification details, and the implementation, where refinement is used to convert a detailed B specification into a B0 implementation. This article presents experience on the development and use of a refiner tool that automates the production of implementable models, in a number of industrial applications.
... Siemens and Alstom claim today to develop most safety critical software with B. Siemens has also developed a useful technology, a tool able to generate semiautomatically refinements and implementations, leading to have safety-critical software developed for a cost similar to any other not-safety related software [3]. However, the "magic" of a 100% proven software also requires verifying that its formal specification complies with requirements written in natural language. ...
Conference Paper
Full-text available
This article presents industrial experience of applying the B formal method in the industry, on diverse application fields (railways, automotive, smartcard, etc.). If the added value of such an approach has been demonstrated over the years, using a formal method is not the panacea and requires some precautions when introduced in an industrial development cycle.
... This tool performs semi-automatic data-refinements. It has been succinctly described in various articles [7,8]. ...
Conference Paper
Two real projects using the B formal method are quickly presented. They show how some important parts of complex systems can be developed in such a way that the outcome is "correct by construction". A number of factors are then analyzed relating the pros, the cons, and the difficulties in applying this approach in Industry.
... The balance between effort and insight gained here is problematic from an industrial perspective unless either there is substantial automation or the correctness of the application is sufficiently important to warrant the extra cost in such a fully formal development [33,68]. However, there is also work towards automated support for refinement [69]. Theorem provers: The ultimate advantage of using a formal over an informal model is the ability to verify its properties to a high level of rigour [70], even for infinite state systems. ...
Conference Paper
Full-text available
This paper is a contribution to the Festschrift marking the 70th birthdays of Prof. Dines Bjoerner and Prof. Zhou Chaochen. Our goal is to help the developers of computer-based systems to make informed design decisions on the basis of insights gained from the rigorous analysis of abstract system models. The early work on model-oriented specification has inspired the development of numerous formalisms and tools supporting modelling and analysis. There are also many stories of successful industrial application, often driven by a few champions possessing deep a priori understanding of formalisms. There are fewer cases of successful take-up or adoption of the technology in the long term. We argue that successful industrial adoption of this technology requires that potential users strike a balance between the effort expended in producing and analysing a model and insight gained. In order to support this balancing act, tools need to offer a range of levels of effort and insight. Further, educators need to recognise that training in formal development techniques must support this trade-off process.
Chapter
The B-Method has an interesting history, where language and tools have evolved over the years. This not only led to considerable research and progress in the area of formal methods, but also to numerous industrial applications, in particular in the railway domain. We present a survey of the industrial usage of the B-Method since the first toolset in 1993 and the inauguration of the driverless metro line 14 in Paris in 1999. We discuss the various areas of applications, from software development to data validation and on to systems modelling. The evolution of the tooling landscape is also analysed, and we present an assessment of the current situation, lessons learned and possible new directions.
Conference Paper
Event-B is one of the more popular notations for model-based, proof-driven specification. It offers a fairly high-level mathematical language based on FOL and ZF set theory and an economical yet expressive modelling notation. Model correctness is established by proving a number of conjectures constructed via a syntactic instantiation of schematic conditions. A significant part of provable conjectures requires proof hints from a user. For larger models this becomes extremely onerous as identical or similar proofs have to be repeated over and over, especially after model refactoring stages. In the paper we discuss an approach to making proofs more generic and thus less fragile and more reusable. The crux of the technique is offering an engineer an opportunity to complete a proof by positing and proving a generic lemma that may be reused in the same or even another project. To assess the technique's potential we have developed a plug-in to the Rodin Platform and used it to prove a number of pre-existing Event-B models.
Conference Paper
This paper investigates the techniques to generate efficient code from abstract programs with abstract data types. Two techniques are used to generate efficient code. The first one is based on the properties derived through data-flow analysis to generate efficient code. The second one is based on element, which is an abstract data type and declares a variable belonging to an existing container. These techniques are used to choose efficient implementations for ADTs operations and to avoid data structure copies. To demonstrate these techniques, SimpleL, a small high level language is used in this paper. This language supports abstract data types including finite set, finite list and finite map. One can specify the data structures to implement these abstract types.
Conference Paper
It is common practice in critical software development, and compulsory in railway software developed according to EN 50128 standard, to separate software specification from software implementation. Verification activities should be performed to ensure that the latter is a correct refinement of the former. When the specification is formalized, for example in B method, the refinement relation can even be formally proved. In this article, we present how a similar proof of refinement can be performed at the level of the programming language used for implementation, using the SPARK technology. We describe two techniques to specify abstractly the behavior of a software component in terms of mathematical structures (sequences, sets and maps) and a methodology based on the SPARK tools to prove automatically that an efficient imperative implementation is a correct refinement of the abstract specification.
Article
Full-text available
Université de Valenciennes et du Hainaut Cambrésis, LAMIH/ROI, F-59313 Valenciennes Cedex 9, France, [dorian.petit,vincent.poirriez]@univ-valenciennes.fr; Institut National de Recherche sur les Transports et leur Sécurité, ESTAS. ABSTRACT: The aim of this paper is to merge two approaches of software development: the component approach and the formal development approach. Developing software components is now a technique widely used by the software industry. These two approaches are not so distant if we consider Bertrand Meyer's opinion: it is more complicated to reuse a component without contracts. One of the difficulties with the design by contract approach is to find the contracts. This difficulty can be removed by the use of the B method. In the B method, the software properties (the contracts) are expressed in the specifications. We present in this paper an approach to generate code in the spirit of the component approach from B specifications.
Conference Paper
Full-text available
In this article we would like to present some recent applications of the B formal method to the development of safety critical systems. These SIL3/SIL4 compliant systems have their functional specification based on a formal model. This model has been proved, guaranteeing a correct by construction behaviour of the system in absence of failure of its components. The constructive process used during system specification and design leads to a high quality system which has been qualified by French authorities.
Conference Paper
The automatic train operating system for METEOR, the first driverless metro in the city of Paris, is designed to manage the traffic of the vehicles controlled automatically or manually. This system, developed by Matra Transport International for the RATP, requires a very high level of dependability and safety for the users and the operator. To achieve this, the safety critical software located in the different control units (ground, line and on-board) was developed using the B formal method, together with the Vital Coded Processor. This architecture thus ensures an optimum level of safety agreed with the customer. This experience with the METEOR project has convinced Matra Transport International of the advantages of using this B formal method for large-scale industrial developments.
Conference Paper
Full-text available
The paper presents an approach that enables the elaboration of an automatic prover dedicated to the refinement of database applications. The approach is based on a strategy of proof reuse and on the specific characteristics of such applications. The problem can be stated as follows. Having established a set of basic refinement proofs associated to a set of refinement rules, the issue is to study how these basic proofs can be reused to establish more elaborate refinements. Elaborate refinements denote refinements that require the application of more than one refinement rule. We consider the B refinement process. In B, substitutions are inductively built using constructors. For each B constructor, we have formally defined the necessary and sufficient conditions that enable the reuse of the basic proofs. An application of our approach to data-intensive applications is presented.
Conference Paper
In this article we would like to go back on B used to design software, by presenting the industrial process established through years by Siemens Transportation Systems on a real project: the VAL shuttle for Roissy Charles de Gaulle airport. In this project, the logical core of an equipment located along the tracks and driving the shuttles is designed with B. By confronting this B software development, with the historical context, we show that B can be used as a high-level programming language offering the feature of proving properties. We show how this process is used to build, by construction, a large size software with very few design errors ever since its first release, and for a predefined cost.
Conference Paper
Full-text available
Formal modelling is indispensable for engineering highly dependable systems. However, a wider acceptance of formal methods is hindered by their insufficient usability and scalability. In this paper, we aim at assisting developers in rigorous modelling and design by increasing automation of development steps. We introduce a notion of refinement patterns - generic representations of typical correctness-preserving model transformations. Our definition of a refinement pattern contains a description of syntactic model transformations, as well as the pattern applicability conditions and proof obligations for verification of correctness preservation. This establishes a basis for building a tool supporting formal system development via pattern reuse and instantiation. We present a prototype of such a tool and some examples of refinement patterns for automated development in the Event B formalism.