Conference Paper

Using Formal Proof and B Method at System Level for Industrial Projects


Abstract

For several years, ClearSy has driven large projects on the use of formal proofs at system level in the railway domain. The fundamental goal of these projects is to extract the rigorous reasoning establishing that the considered system ensures its required properties, and to assert that this reasoning is correct and fully expressed. In this paper, we give feedback on the methodology used in all these projects, on the differences made by whether the concerned system is currently under design or already existing, and on the benefits obtained. The formal proofs are performed using Event-B, with the Atelier-B toolkit.


... About 30% of the Communication-Based Train Control (CBTC) systems worldwide contain software developed using the B formal method. Formal methods also play a role in safety cases and certification at the system level [26,25,4,5]. For autonomous systems, however, classical certification approaches have reached a major obstacle [6]. ...
... In Section 3 we present the formal B model of the system, which enables one to formalize and verify mitigating measures (solution 1), but also study the impact of undetected errors of the AI to be able to conduct solution 2 (which we tackle in Section 4). Therefore, we decide to use the formal B method [1] which was also used for other railway systems [26,25,4,5]. While this work focuses mostly on formally modelling and verifying the steering system and environment, we plan to address direct verification of the perception system in future work. ...
... Railway Systems. Formal methods, especially the B method have been used to model several railway systems such as Abrial's interlocking system [2], CBTC systems [26,25,4,5], and the Hybrid Level 3 system [11]. Similar to our approach, the main goal is to formally describe all behaviours in the railway system, and to verify/validate certain properties. ...
Chapter
The research project KI-LOK aims to develop a certification methodology for incorporating AI components into rail vehicles. In this work, we study how to safely incorporate an AI for obstacle detection into an ATO (automatic train operation) system for shunting movements. To analyse the safety of our system we present a formal B model comprising the steering and AI perceptions subsystems as well as the shunting yard environment. Classical model checking is applied to ensure that the complete system is safe under certain assumptions. We use SimB to simulate various scenarios and estimate the likelihood of certain errors when the AI makes mistakes.
... To accomplish the first task, we decided to derive a formal B model from the HL3 specification. The decision was based on diverse work (e.g., [7,[10][11][12][13][14][15]) which provided evidence that B is well suited for the railway domain. Moreover, first experiments were very promising: in a few days it was possible to model some simpler transitions of the HL3 specification. ...
... However, we ourselves do not yet have enough understanding of the HL3 specification to understand why it is safe and how a proof and refinement strategy should look. Developing a system-level proof of the HL3 specification is worthy of another research project, and can get inspiration from the successful use of Event-B for similar demonstrations for the Flushing line in New York [14] or the Octys line in Paris [15]. ...
Article
In this article, we present a concrete realisation of the ETCS hybrid level 3 concept, whose practical viability was evaluated in a field demonstration in 2017. Hybrid level 3 introduces virtual subsections as sub-divisions of classical track sections with trackside train detection. Our approach introduces an add-on for the radio block centre (RBC) of Thales, called virtual block function (VBF), which computes the occupation states of the virtual subsections using the train position reports, train integrity information, and the track occupation states. From the perspective of the RBC, the VBF behaves as an interlocking that transmits all signal aspects for virtual signals introduced for each virtual subsection to the RBC. We report on the development of the VBF, implemented as a formal B model executed at runtime using ProB and successfully used in a field demonstration to control real trains.
... Either the verified model is too complex to be addressed by the verification process, or the safety properties cannot be directly expressed using the high-level interface of the system. A related study (Sabatier 2016) starts from a refinement approach by modelling with the B method the highest level of system properties. The RATP approach, at the opposite, is to start from the source code (which will be compiled and embedded) and use an abstraction approach to reach the highest level of system properties possible. ...
... The overall methodology is schematized in Figure 4. The refinement process starts from high level properties and tries to refine them in order to reach the targeted abstract model (Sabatier 2016). The abstraction process does the opposite. ...
... Taking into account both continuous and discrete aspects [2], for describing physical laws and controller timed actions, is constrained at the moment to toy models and lacks proof tools able to handle resulting heterogeneous verification conditions. Modelling the safety reasoning rather than the structural and behavioural aspects of a system seems to overcome the constraints of size and complexity [31] [32] [10] at the cost of a greater effort to communicate with the architects of the system in order to find the reasons that led to its specification. ...
Chapter
System safety is based on the implementation of technical and organisational principles to ensure that a feared event cannot occur more frequently than expected. Such a demonstration, the so-called safety case, relies on domain specific standards which capitalise on experience gained after decades of development and operation. For more than a decade, the threat of human attacks aimed at disrupting the operation of such systems has become more acute. In the railways, communications between on board and track-side equipment are naturally subject to targeted attacks aimed at reducing the availability of the equipment or disrupting its operational safety to the point of creating accidents. This paper aims to sketch the range of logical and hardware attacks practised today that could be used in the future to attack railway systems to make them less available or less secure. It also presents a combination of techniques and technologies that, assisted by formal methods, can reduce the chances of success of such attacks.

Keywords: formal methods, cybersecurity, safety
... The use of various formalisms to verify the ETCS is a topic covered in several articles. For instance, the B-Method and the Atelier-B toolbox are utilized in [9,10]. The use of CSP-B and Pro-B is explained in [11]. ...
Article
The ERTMS/ETCS is the newest automatic train protection system. This is a system that supports the driver in driving the train. It is currently being implemented throughout the European Union. This system’s latest specifications also provide additional functions to increase the energy efficiency of train driving in the form of ATO (automatic train operation). These functions of the ETCS will be valuable, provided they operate without failure. To achieve errorless configuration of the ETCS, a methodology for automatic system verification using the IMDS (Integrated Model of Distributed Systems) formalism and the temporal tool Dedan was applied. The main contribution is asynchronous and timed verification, which appropriately models the distributed nature of the ETCS and allows the designer not only to analyze time dependencies but also to define the range of train velocities in which the operational scenario is valid. Additionally, the novelties of the presented verification methodology are the graphical design of the system components and automated verification freeing the designer from using textual design. We express the verified properties as observer automata rather than in temporal logic. Moreover, we check partial properties related to system fragments, which is crucial in distributed systems. This paper presents the verification of an example ETCS system application. The verification results are presented as sequence diagrams leading to a correct/incorrect final state.
... Many papers concern the verification on a higher abstraction level, in which control systems are treated as black boxes, interchanging signals. For example, in [20] and [21] B-Method and Atelier-B toolkit are used. The application of CSP‖B and ProB is described in [22]. ...
Article
Relay-based traffic control systems are still used in railway control systems. Their correctness is most often verified by manual analysis, which does not guarantee correctness in all conditions. Passenger safety, control reliability, and failure-free operation of all components require formal proof of the control system's correctness. Formal evidence allows certification of control systems, ensuring that safety will be maintained in correct conditions and in the event of failure. The operational safety of systems in the event of component failure cannot practically be checked manually for the various types of damage to one component, pairs of components, etc. In the article, we describe the methodology of automated system verification using the IMDS (integrated model of distributed systems) temporal formalism and the Dedan tool. The novelty of the presented verification methodology lies in the graphical design of the circuit elements, automated verification liberating the designer from using temporal logic, checking partial properties related to fragments of the circuit, and fair verification preventing the discovery of false deadlocks. The article presents the verification of an exemplary relay traffic control system in the correct case, in the case of damage to elements, and in the case of an incorrect sequence of signals from the environment. The verification results are shown in the form of sequence diagrams leading to the correct/incorrect final state.
... A different formal methodology was then invented [19] [6] where the design reasoning is modelled and proved against properties, based on assumptions admitted by all experts. Fig. 9 below illustrates its different stages, which can be called "the ideal formal world" and which makes it possible to obtain a system that is guaranteed to be zero-defect: ...
Chapter
The railways have a quite long modelling history, covering many technical aspects from infrastructure to rolling stock, train movement, maintenance, etc. These models are mostly separate and operated independently by various stakeholders and with diverse objectives. This article presents some of the various digital modelling activities, including formal ones, that are undertaken by the railway industry, for design, development, validation, qualification, and exploitation. It also introduces trends toward regrouping models to obtain more significant results together with a larger scope, prefiguring digital twins.
... The traditional process analysis methods, such as Petri nets [10], CCS (Calculus of Communicating Systems) [11,12], and CSP (Communicating Sequential Processes) [13,14], can model different aspects of the system from different angles and abstractions, but their power of description for functional and non-functional attributes and constraint conditions is deficient. The traditional model languages such as V [15,16], B [17], and Z [18,20] are good at modelling description, but poor at describing system concurrency. At present, the integrated specification languages are a hot topic, which has produced CSPZ [21], TCOZ [22], PZN [23,24], and so on. ...
Article
Nowadays, the Internet of Vehicles has become the focus of global technological innovation and transformation in the automotive industry. Its flow modelling plays a very important role in designing and controlling transportation systems, since it is not only necessary for improving safety and transportation efficiency but can also yield a series of societal, economic, and ecosystem environment problems. Considering that the frame structure includes states and actions, and the discrete and continuous aspects of traffic flow dynamics, both Petri nets and Z have proved to be useful tools for modelling the Internet of Vehicles: a Petri net can formally describe vehicle behaviour accurately, and the Z frame structure adds more detail. A new integrated formal method combining time Petri nets and Z is presented in this paper for modelling vehicle behaviours and traffic rules by taking into account state dependencies on external rules. Moreover, a case study in the Internet of Vehicles is proposed to deal with the accurate localization of events. It shows that this formal verification method significantly improves the safety and intelligence of the Internet of Vehicles.
... Lack of understanding, employees without proper education, difficulty to integrate existing development cycles, no explicit requirement from the market, etc. are explanations often heard for not being more formal. Our experience with formal methods, accumulated over the last 20 years [2][3] [4][5] [7] [8], clearly indicates that not everyone is able to abstract, refine, and prove mathematically. The Swiss psychologist Piaget claimed that only one third of the population is able to handle abstraction. ...
Chapter
Industrial applications involving formal methods are still exceptions to the general rule. Lack of understanding, employees without proper education, difficulty to integrate existing development cycles, no explicit requirement from the market, etc. are explanations often heard for not being more formal. This article reports some experience about a game changer that is going to seamlessly integrate formal methods into safety critical systems engineering.
... However, formal methods are highly recommended just like many other non-formal (combinations of) techniques, as these recommendations are set up collectively and represent the industrial best practices. Convinced that formal methods could help to obtain better products [20][21] [28] [23], more easily certifiable, a generic, safe execution platform has been researched for years, combining safety electronics and defect-free proven software. The CLEARSY Safety Platform was initially an in-house development project before being funded by the R&D collaborative project LCHIP (Low Cost High Integrity Platform) to obtain a generic version of the platform (i.e. ...
Article
The CLEARSY Safety Platform (CSSP) was designed to ease the development of safety critical systems and to reduce the overall costs (development, deployment, and certification) under the pressure of the worldwide market. A smart combination of hardware features (double processor) and formal method (B method and code generators) was used to produce a SIL4-ready platform where safety principles are built-in and cannot be altered by the developer. Summarizing a 5-year return of experience in the effective application in the railways, this article explains how this approach is a game-changer and tries to anticipate the future of this platform for safety critical systems. In particular, the education of future engineers and the seamless integration in existing engineering processes with the support of Domain Specific Languages are key topics for a successful deployment in other domains. DSL like Robosim to program mobile robots and relay circuits to design railway signalling systems are connected to the platform.
... However, formal methods are highly recommended just like many other non-formal (combinations of) techniques, as these recommendations are set up collectively and represent the industrial best practices. Convinced that formal methods could help to obtain better products [11][12] [19] [14], more easily certifiable, a generic, safe execution platform has been researched for years, combining safety electronics and defect-free proven software. The CLEARSY Safety Platform was initially an in-house development project before being funded by the R&D collaborative project LCHIP (Low Cost High Integrity Platform) to obtain a generic version of the platform (i.e. ...
Preprint
The CLEARSY Safety Platform (CSSP) was designed to ease the development of safety critical systems and to reduce the overall costs (development, deployment, and certification) under the pressure of the worldwide market. A smart combination of hardware features (double processor) and formal method (B method and code generators) was used to produce a SIL4-ready platform where safety principles are built-in and cannot be altered by the developer. Summarizing a 5-year return of experience in the effective application in the railways, this article explains how this approach is a game-changer and tries to anticipate the future of this platform for safety critical systems. In particular, the education of future engineers and the seamless integration in existing engineering processes with the support of Domain Specific Languages are key topics for a successful deployment in other domains. DSL like Robosim to program mobile robots and relay circuits to design railway signalling systems are connected to the platform.
... Lack of understanding, employees without proper education, difficulty to integrate existing development cycles, no explicit requirement from the market, etc. are explanations often heard for not being more formal. Our experience with formal methods, accumulated over the last 20 years [2][3] [4][5] [7] [8], clearly indicates that not everyone is able to abstract, refine, and prove mathematically. The Swiss psychologist Piaget claimed that only one third of the population is able to handle abstraction. ...
Preprint
Industrial applications involving formal methods are still exceptions to the general rule. Lack of understanding, employees without proper education, difficulty to integrate existing development cycles, no explicit requirement from the market, etc. are explanations often heard for not being more formal. This article reports some experience about a game changer that is going to seamlessly integrate formal methods into safety critical systems engineering.
... This approach was used for the system formal verification of the CBTC of New York subway line 7 in 2012 and Flushing in 2014 (effort divided by two due to model reuse). It is now deployed in Paris for all the new automatic metro lines [15]. Even if based on refinement, the formal modelling effort is now manageable (each model is one or two pages long) and only requires engineers able to reason (not our best practitioners any more). ...
Preprint
Industrial applications involving formal methods are still exceptions to the general rule. Lack of understanding, employees without proper education, difficulty to integrate existing development cycles, no explicit requirement from the market, etc. are explanations often heard for not being more formal. Hence the feedback provided by industry to academics is not as constructive as it might be. Summarizing a 25-year return of experience in the effective application of a formal method - namely B and Event-B - in diverse application domains (railways, smartcard, automotive), this article makes clear why and where formal methods have been applied, explains the added value obtained so far, and tries to anticipate the future of these two formalisms for safety critical systems.
... Lack of understanding, employees without proper education, difficulty to integrate existing development cycles, no explicit requirement from the market, etc. are explanations often heard for not being more formal. Our experience with formal methods, accumulated over the last 20 years [2][3] [4][5] [7] [8], clearly indicates that not everyone is able to abstract, refine, and prove mathematically. The Swiss psychologist Piaget claimed that only one third of the population is able to handle abstraction. ...
Conference Paper
Industrial applications involving formal methods are still exceptions to the general rule. Lack of understanding, employees without proper education, difficulty to integrate existing development cycles, no explicit requirement from the market, etc. are explanations often heard for not being more formal. This article reports some experience about a game changer that is going to seamlessly integrate formal methods into safety critical systems engineering.
... Related Work Several examples using Event-B for system modelling, notably one railway example, can be found in Abrial's book [1]. ClearSy has used Event-B in two previous projects [6,3] (Flushing Line for NYCT and Octys for RATP) to perform a safety analysis of CBTC systems. These were system-wide safety analyses and did not make the link to a software component, such as in the presented case. ...
... This approach was used for the system formal verification of the CBTC of New York subway line 7 in 2012 and Flushing in 2014 (effort divided by two due to model reuse). It is now deployed in Paris for all the new automatic metro lines [15]. Even if based on refinement, the formal modelling effort is now manageable (each model is one or two pages long) and only requires engineers able to reason (not our best practitioners any more). ...
Conference Paper
Industrial applications involving formal methods are still exceptions to the general rule. Lack of understanding, employees without proper education, difficulty to integrate existing development cycles, no explicit requirement from the market, etc. are explanations often heard for not being more formal. Hence the feedback provided by industry to academics is not as constructive as it might be.
... Formal proof, instrumented with a formal method such as Event-B [1] and the accompanying software Atelier B, has been shown to be a powerful tool to perform rigorous safety analysis at the system level [6,5]. ...
Conference Paper
This paper describes a safety analysis effort on RATP’s communication-based train control (CBTC) system Octys. This CBTC is designed for multi-sourcing and brownfield deployment on an existing interlocking infrastructure. Octys is already in operation on several metro lines in Paris, and RATP plans its deployment on several other lines in the forthcoming years. Besides the size and complexity of the system, the main technical challenges of the analysis are to handle the existing interlocking functionalities without interfering with its design and to clearly identify the responsibilities of each subsystem supplier. The distinguishing aspect of this analysis is the emphasis put on intellectual rigor, this rigor being achieved by using formal proofs to structure arguments, then using the Atelier B tool to mechanically verify such proofs, encoded in the Event-B notation.
Article
We present a distributed railway interlocking (IXL) method based on trains communicating with switch boxes deployed along the railway network for switching points and monitoring the occupancy states of track elements. The method does not require any centralised IXL components. A distributed architecture is proposed that carefully separates the overall business logic and automated train operation from the safety-critical automated train protection and distributed IXL logic. This architecture is also suitable for autonomous trains traversing the railway network. The safety of the IXL logic is formally proven, using the Isabelle/HOL proof assistant. Experiments confirm that this proof-based approach is superior to model checking approaches, since the model checking effort grows exponentially with the size of the railway network. In contrast to this, the mathematical safety proof is performed once and for all railway networks fulfilling a realistic well-formedness condition. For a concrete network, only the well-formedness of the network and its initial train placements has to be verified, whereas the safety of the dynamic behaviour is a consequence of the network-independent safety proof.
Chapter
The influential article “Specifications are not (necessarily) executable” by Hayes and Jones from 1989 argues that a formal specification should not be overcomplicated or over-specified due to the secondary goal of making the specification executable. In this paper, we examine to what extent the following two goals can be reconciled: 1) developing natural high-level specifications not marred by implementation aspects and 2) bringing these high-level specifications to life to detect inconsistencies. We first review the examples of non-executable specifications from the paper by Hayes and Jones, and check to what extent they can now be animated 35 years later by the ProB validation tool, and other current tools. We also present an approach for writing high-level specifications for proof and readability, while creating instances for animation, execution, visualization and model checking.
Chapter
This work aims to formally ensure the safety of modern moving block systems. For this, a proof model was developed in Event-B which captures several safety critical aspects. The new model identifies several key concepts that are at the heart of the mathematical safety proof and which should later be at the heart of the safety case for a moving block system with trackside train detection. Some of the key concepts were inspired by earlier CBTC models and adapted for ETCS moving block, and a few novel key concepts were developed to deal safely with delays of train position reports and trackside train detection. The invariants of the proof model have been proven mathematically with the Rodin toolset, thereby establishing safety properties of the modelled system. The proof model can also be animated and visualised using the ProB validation tool. By necessity, the proof model abstracts away from irrelevant details and still has some restrictions in scope (such as linear topology). Nonetheless, even with current restrictions, the key concepts already proved valuable when reasoning about the safety of moving block systems. In the article we also present our modelling and tooling methodology, outlining the importance of complementing proof with animation. We also explain the importance of inductive properties and argue that a train-centric approach is more promising for the proof of a moving block system than a track-centric approach.
Chapter
In modern railway systems, verification of system and software is usually performed independently, even though the refinement from system to software level is covered. However, experience shows that this conventional approach is error-prone and inadequate for complex functions that are increasingly common. Bugs resulting from the gap between system and software levels often go undetected until late in the development process, making corrections costly and raising concerns about other bugs that may have been missed. In an ideal scenario, comprehensive verification would identify such bugs early on, regardless of the gap. This paper introduces a verification approach that intends to bridge the gap between system and software levels through the formal verification of system level safety properties on a model of the software. Its application on a pilot project revealed several safety critical bugs that would not have been detected using the aforementioned activities.
Chapter
Railway systems belong to the domain of critical systems, where safety is a paramount concern. To ensure safety, testing methods have been implemented to adhere to certain standards. However, for large projects, it is impossible to test every possible scenario, which can lead to gaps in the testing process.
Chapter
The B method is a formal method to design software components and to prove that they are compliant with some formalized requirements, giving a way to build safety-critical programs. However, the correctness of the obtained programs obviously relies on the correctness of those formalized software requirements. Using the CLEARSY Safety Platform, a vital processing solution developed by CLEARSY (SIL4 certified, Certifer 9594/0262) with native B capabilities, we demonstrate here a method to develop vital software with formal proofs directly attached to the key system properties. For instance, a train localization system is proven with respect to the property stating that the computed location interval shall always contain the actual train. Such proofs become possible by combining software variables with variables representing physical entities and their timed evolution, thanks to the guaranteed time and deadlines of the CLEARSY Safety Platform. Thus, we avoid the problem of ensuring the correctness of a complex set of formalized software requirements by directly ensuring the wanted system properties. Assumptions and properties for the non-software parts are included in the same B model used to develop the software on the CLEARSY Safety Platform.

Keywords: Formal modelling, System reliability
Chapter
The system of a train line crossing a border must consider the operating rules of each country. Furthermore, a safe transient mode must be implemented, allowing the system to switch from one set of rules to another. This chapter presents how safety operating rules may be designed by a model-based approach. UML and the B method are used in order to allow conceptual modelling and formal specification of these rules. In addition, this chapter discusses some issues in existing Railway Interlocking System modelling approaches and the importance of knowledge representation.
Chapter
The B landscape can be confusing to formal methods outsiders, especially due to the fact that it is partitioned into classical B for software and Event-B for systems modelling. In this article we shed light on commonalities and differences between these formalisms, based on our experience in building tools that support both of them. In particular, we examine not so well-known pitfalls. For example, despite sharing a common mathematical foundation in predicate logic, set theory and arithmetic, there are formulas that are true in Event-B and false in classical B, and vice-versa.
Chapter
During the last five years, Event-B formal modelling has been successfully applied to various railway systems to demonstrate safety early in the design process or once systems are in operation. This approach is aimed at formalising a safety reasoning instead of modelling every bit of the system. This approach is intrinsically fit to scale up to large systems (or system of systems), hence able to handle centralised or distributed systems.
Chapter
The B-Method has an interesting history, where language and tools have evolved over the years. This not only led to considerable research and progress in the area of formal methods, but also to numerous industrial applications, in particular in the railway domain. We present a survey of the industrial usage of the B-Method since the first toolset in 1993 and the inauguration of the driverless metro line 14 in Paris in 1999. We discuss the various areas of applications, from software development to data validation and on to systems modelling. The evolution of the tooling landscape is also analysed, and we present an assessment of the current situation, lessons learned and possible new directions.
Chapter
The CLEARSY Safety Platform (CSSP) is aimed at easing the development and the deployment of safety critical applications, up to the safety integrity level 4 (SIL4). It relies on the smart integration of the B formal method, redundant code generation and compilation, and a hardware platform that ensures a safe execution of the software. This paper exposes the programming model of the CSSP used to develop control & command applications based on digital I/Os.
Article
This paper considers the challenge of designing and verifying control protocols for geographically distributed railway interlocking systems. It describes how this challenge can be tackled by stepwise development and model checking of state transition system models in a new extension of the RAISE Specification Language. Railway interlocking systems are reconfigurable systems which can be configured by supplying data describing the network to be controlled and other details. Therefore, such systems are natural candidates for being modelled by generic state transition systems, which abstract away from the concrete configuration at the time of modelling, and can later be instantiated with concrete data. For a real-world case study, a generic state transition system is developed in steps, starting with an abstract model of the essential system behaviour and incrementally adding details and restrictions. The stepwise development method allows different variants of the control protocol to be explored. The generic models are instantiated with concrete configuration data, after which desired properties, in particular safety properties, of the system models are verified using model checking.
Book
This book presents real examples of industrial uses of formal methods such as SCADE, the B-Method, ControlBuild, Matelo, etc. in various fields, such as railways, aeronautics, and the automotive industry. Its purpose is to present a summary of experience on the use of these "formal methods" (such as proof and model-checking) in industrial examples of complex systems. It is based on the experience of people who are currently involved in the creation and evaluation of safety critical system software. The involvement of people from within the industry allows us to avoid the usual problems of confidentiality which could arise and thus enables us to supply new useful information (photos, architecture plans, real examples, etc.).
Article
Tribute. Foreword. Introduction.
Part I. Mathematics: 1. Mathematical reasoning; 2. Set notation; 3. Mathematical objects.
Part II. Abstract Machines: 4. Introduction to abstract machines; 5. Formal definition of abstract machines; 6. Theory of abstract machines; 7. Constructing large abstract machines; 8. Examples of abstract machines.
Part III. Programming: 9. Sequencing and loop; 10. Programming examples.
Part IV. Refinement: 11. Refinement; 12. Constructing large software systems; 13. Examples of refinement.
Appendixes. Index.
Conference Paper
The New York City Transit Authority has included formal proofs at system level as part of the safety assessment for its New York subway Line 7 modernization project, based on the CBTC from Thales Toronto. ClearSy carries out these proofs. In this paper, we describe the expected results and benefits of such proofs. We also discuss the methodology, in particular the importance of obtaining a natural language precursor for proofs. This step is paramount to find the simplest reasons why the design ensures the wanted properties.
Book
A practical text suitable for an introductory or advanced course in formal methods, this book presents a mathematical approach to modelling and designing systems using an extension of the B formal method: Event-B. Based on the idea of refinement, the author's systematic approach allows the user to construct models gradually and to facilitate a systematic reasoning method by means of proofs. Readers will learn how to build models of programs and, more generally, discrete systems, but this is all done with practice in mind. The numerous examples provided arise from various sources of computer system developments, including sequential programs, concurrent programs and electronic circuits. The book also contains a large number of exercises and projects ranging in difficulty. Each of the examples included in the book has been proved using the Rodin Platform tool set, which is available free for download at www.event-b.org.