Content uploaded by Akram Idani
Author content
All content in this area was uploaded by Akram Idani on Apr 30, 2024
Content may be subject to copyright.
The B Method meets MDE
Review, progress and future
Akram Idani[0000000322673639]
Univ. Grenoble Alpes, Grenoble INP, CNRS, LIG, F-38000 Grenoble France
Akram.Idani@univ-grenoble-alpes.fr
Abstract. Existing surveys about language workbenches (LWBs) rang-
ing from 2006 to 2019 observe a poor usage of formal methods within
domain-specific languages (DSLs) and call for identifying the reasons.
We believe that the lack of automated formal reasoning in LWBs, and
more generally in MDE, is not due to the complexity of formal meth-
ods and their mathematical background, but originates from the lack
of initiatives that are dedicated to the integration of existing tools and
techniques. To this aim we developed the Meeduse LWB an d in v e st ig at e d
the use of the B method to rigorously define the semantics of DSLs. The
current applications of Meeduse show that the integration of DSLs to-
gether with theorem proving, animation and model-checking is viable
and should be explored further. This technique is especially interesting
for executable DSLs (xDSLs), which are DSLs with behavioural features.
This paper is a review of our Formal MDE (FMDE) approach for xDSLs
and a proposal for new avenues of investigation.
Keywords: DSLs, B Method, Formal Methods, MDE.
1 Introduction
Developers can find a plethora of tools and approaches for building Domain-
Specific Languages (DSLs) from several perspectives: design, execution, debug-
ging and code generation. The reader can refer to [15] for a survey about DSL
tools that are referenced from 2006 to 2012, and to [14] for the period between
2012 and 2019. These studies can help engineers to choose the best DSL option
for a specific context and select the ones that fulfill their requirements. Un-
fortunately, despite that the aforementioned surveys show that DSL tools have
reached a good level of maturity, they also show a major limitation of these
tools; i.e., the lack of formal reasoning. Kosar et al., [15] observed that only
5.7% of primary studies applied a formal analysis approach, and mentions that
“there is an urgent need in DSL research for identifying the reasons for lack of
using formal methods within domain analysis and possible solutions for improve-
ment”. One possible reason identified by Bryant et al. [4] is that the syntactical
description of DSLs is often straightforward, but specifying detailed behavior
(semantics) is much more harder. This would explain why only the syntax of
DSLs are formally described, but the semantics are left toward “other less than
2 Akram Idani
desirable means” [4]. The recent study of [14], appeared in 2020 (more than seven
years after [15] and [4]), does not report on a better situation because it only
refers to testing (the formal dimension is completely absent). This study shows
that among the 59 discussed tools only 9 provide supports for testing. This is
an important shortcoming because it weakens the applicability of DSLs, espe-
cially for safety-critical systems. Indeed, in these systems correctness is a strong
requirement and it is often addressed by the application of formal methods.
During the last three years we investigated and developed a solution to this
problem by proposing a Formal Model-Driven Engineering (FMDE) approach to
create zero-fault DSLs, which are DSLs whose semantics (static and dynamic)
are mathematically proved correct with regards to their structural and logical
properties. We developed the Meeduse tool [10] to make the bridge between MDE
and the formal B method [1]. Technically the tool is built on EMF [28] (The
Eclipse Modeling Framework) and ProB [20], an animator and model-checker
of the B method that is certified T2 SIL4 (Safety Integrity Level), which is the
highest safety level according to the Cenelec EN 50128 standard. ProB is also
used by companies such as Alstom, Thales, Siemens, General Electric, ClearSy
and Systerel. In addition to the formal reasoning about the semantics of DSLs,
the Meeduse tool o↵ers execution and debugging facilities, which is a major
contribution in comparison with other works built on Abstract State Machines
and Maude [25]. The overall idea is that animation done in ProB is equivalently
applied to the input EMF model leading to a correct model execution.
This paper surveys the current situation of xDSLs and presents the contribu-
tions of our FMDE approach for xDSLs. Note that Meeduse has been discussed
in several other papers. However, every publication explored a specific facet of
DSLs and the B method without a clear vision about the situation. The contri-
butions of this paper are therefore:
1. review progress made, tool support, and case studies, which attests to the
interest and power of our FMDE approach to building xDSLs.
2. put certain criticisms and received ideas concerning formal methods and
translational approaches into perspectives.
3. provide useful research directions that may help gain visibility and also
strengthen the application of FMDE in system design.
In section 2 we present the strengths and the limitations of the two major
approaches for xDSLs: translational and in-line approaches. In section 3 we pro-
vide an overview about Meeduse and discuss its originality in comparison with
existing works. Section 4 discusses three successful realistic applications of the
tool. Finally, section 5 presents the conclusion and perspectives of our works.
2 Executable DSLs: Correctness and Challenges
2.1 Observations
Several research works have been devoted by the MDE community in order to
deal with executable DSLs. The major intention is to support early validation
The B Method meets MDE 3
and verification in the development process. Indeed, an executable model not
only represents the structural features of a system, but also deals with its be-
haviour. The model is therefore intended to behave like the final system should
run, which provides the capability to simulate, animate and debug the sys-
tem’s properties before its implementation. In the literature there are two major
approaches to implement the execution semantics of a DSL: translational ap-
proaches and in-place approaches. The former translate the DSL semantics into
a well-established semantic domain that is assisted by numerous tools, such as
MAUDE, ASM or FIACRE. The latter weave the execution semantics into meta-
models, which is often done by extending the semantic domain of a DSL with
action languages. Every approach has its strengths and limitations that can be
summarized by [5]:
–Translational approaches:
•Strengths: apply available tools, such as animators and/or model-checkers
to ensure the execution capabilities of the DSL.
•Limitations: first, often these approaches require complex transforma-
tions to implement the mapping from the DSL to the target semantic
domain, and second, the execution results are only obtained in the target
domain.
–In-place approaches:
•Strengths: allow a more intuitive definition of executable DSLs since the
language engineer has only to deal with concepts of the DSL and not
with another target language.
•Limitations: require to implement for each DSL all the execution-based
tools.
Since the objective of an xDSL is to ensure early validation during the de-
velopment process, the developer must have some confidence in the underlying
verification tool. Nonetheless, on the one hand [15,14] show that the verification
feature of existing LWBs is very limited; and on the other hand, the dependabil-
ity of the resulting system is strongly related to the correctness of the DSL. In
[32], the authors analysed the risks of using LWBs regarding the introduction
of faults into a critical software component. The authors observed that existing
LWBs have not been developed using a safety process and attested that “par-
ticular DSLs could be, but that is only of limited use if the underlying LWB is
not”. In this sense, a translational approach is much more pragmatic because it
reuses well-established verification tools, that are often widely accepted by the
formal methods community. In [9] we have done an empirical study with various
existing xDSL platforms, and we showed that failures may originate from several
concerns:
C1: The abstract syntax of the DSL, often represented with a meta-model and
the associated modeling operations such as object creation and destruction,
and also the setters and getters. This kind of failures is due to the fact that
the execution semantics of the DSL apply the modeling operations in order
to update a given model during its execution.
4 Akram Idani
C2: The model itself, because LWBs may apply some internal choices that are
not conformant to the standard semantics of meta-models. Hence, incorrect
behaviours may not be exhibited while executing the model but they still
possible in the final system.
C3: The execution engine of the meta-language. For example, OCL based engines
often wrongly support non-determinism as discussed in [2,31], and even if
these theoretical solutions exist they are not yet integrated within tools.
2.2 Discussion
Undoubtedly, the usage of a formal method with well-established verification
tools is a solution to neutralize bugs that may originate from the DSL and the
modeling layer. The question is therefore “how to provide the good mixture be-
tween correctness and expressiveness?”. We believe that the answer depends on
the application domain of the xDSL. Indeed, formal methods are often negatively
perceived by developers due to their mathematical notations, and consequently
translational approaches have a limited usage for general purpose applications.
Nonetheless, formal methods showed their strengths in the safety-critical do-
main, and they became a strong requirement to ensure zero-fault applications.
Obviously, DSLs and language workbenches (LWBs) provide several benefits to
this field due to their ability to share, visualize and communicate about do-
main concepts. Both formal methods and model-driven engineering are highly
desirable in safety critical systems because domain-specific representations are
omnipresent, as well as the use of provers and model-checkers. We assume that
the reader may agree with this claim, even if it appears that for larger scale
projects formal methods are not as widespread, because of the overhead they
may create during the development activities.
In our opinion, bridging the gap between both worlds (MDE and FM) does
not require innovative solutions and can be done by integrating well-established
tools provided by both the Formal Methods community and the MDE commu-
nity. The lack of automated formal reasoning in LWBs, and more generally in
MDE, is not due to the complexity of formal methods and their mathematical
background, but originates from the lack of initiatives that are dedicated to the
integration of both techniques. A supporting argument could be the assertion by
[15] that “researchers within the DSL community are more interested in creat-
ing new techniques than they are in performing rigorous [empirical] evaluations”.
Moreover, the MoDeVVa Workshop (Model-Driven Engineering, Verification and
Validation) collocated with the MODELS conference, and also the international
conference on integrated formal methods (IFM) are good illustrations of this
claim, because they have presented many approaches over the years where for-
mal methods found their way in MDE techniques, and vice-versa. We can as-
sume that the required material to provide a viable FMDE for DSL execution in
LWBs already exists. Unfortunately, not only the integration attempts remain
poor, but also the applications of existing approaches remain limited to illus-
trative examples without going further towards realistic safety-critical require-
ments. This observation may explain why existing approaches [25,7,23,30,33] are
The B Method meets MDE 5
not discussed at all in [15,14]. As far as we know, the only modeling tool with
execution facilities that is proven correct is Scade [6], but this means that one
cannot extend it with domain-specific constructs without proving the correct-
ness of these constructs and the underlying behavioural semantics. Our solution
provides a LWB (called Meeduse [22]) that allows one to formally define and
reason about the semantics (static and dynamic) of xDSLs using the formal B
method [1]. The underlying approach is a translational approach, but it goes a
step further in comparison with existing translational approaches by addressing
the three concerns discussed above and by providing realistic applications from
the safety-critical domain.
3 The Meeduse LWB
3.1 Overall view
Figure 1 summarises the main concepts of the approach. First, the MDE ex-
pert defines the meta-model of a DSL and its underlying contextual constraints.
Then, Meeduse translates the meta-model into the B language, which produces
a functional formal model describing the static semantics of the DSL (step (1)
Translation).
(1) Translation
Dynamic Semantics
AtelierB Proof
Instance
(2) Valuations
(3) Execution (ProB)
Formal methods expert
Domain expert
MDE expert
safety-Free
Model
safe
Model
Functional
Model
Static Semantics
Fig. 1. The Meeduse approach.
Regarding the dynamic semantics, it is specified using additional B models
(safety-free and safe models) by means of B operations and additional invariants.
6 Akram Idani
The safety-free model is an open model from which one can exhibit undesirable
scenarios, and the safe model improves the latter with additional invariants and
preconditions such that the undesirable behaviours are neutralized. Having these
formal models, a prover (e.g. AtelierB) can be used in order to guarantee their
correctness. This task is performed by experts in formal methods and requires
skills in theorem proving.
To ensure the execution of the DSL, Meeduse applies ProB [20]. First, it
injects a given model, instance of the DSL meta-model, within the B specifica-
tion of the static semantics (step (2) Valuations). This step produces valuated
B variables whose state transitions are managed by ProB given the B opera-
tions of the dynamic semantics machine. The tool makes the bridge between the
model and the valuations of the B variables: for every animation step, the tool
automatically updates the model resource such that it remains equivalent to the
valuations of the B variables. Hence, traversing transitions produced by ProB
result in an automatic animation of the input model (step (3) Execution).
3.2 Towards a viable formal abstract syntax
Even if Meeduse is a recent tool (its reference papers appeared in 2020), the un-
derlying approach is not new since it provides a translation semantics to a DSL:
the meta-model of the DSL is mapped in the B language through a model-to-
model transformation. The limitations of translational approaches were widely
discussed in the literature [4]. The first one is that it “is very challenging to cor-
rectly map the constructs of the DSL into the constructs of the target language”.
This limitation originates from the fact that the mappings may not be at the
same abstraction level and the target language may not have a simple mapping
from the constructs in the source language. The use of the B method in Mee-
duse provides objective answers to these observations because meta-models are
semantically similar to the mathematical space of the B method. Indeed, the
semantics of meta-models is standardized by the Object Management Group
using the MOF (the Meta-Object Facility) in which this semantics is defined by
means of OCL constructs. These are built on the set theory and the first order
predicate logic, which are also the foundations of the B language. Furthermore,
both the MOF and the B method are state-based modeling formalisms; the se-
mantic di↵erence is that B applies the theory of generalized substitutions, which
makes it executable. We can then assume that B and MOF have the ability to
build models at the same abstraction level.
Structurally the MOF is a restriction of UML, which is comforting because
this means that mapping the MOF into B is not very challenging. It can be done
via a classical UML-to-B approach, which has been addressed in the past by a
plethora of works and tools:
–UML2SQL [17,18]: this work provides a formal framework for the develop-
ment of database applications. The B specifications are extracted from UML
class diagrams, state-transition diagrams and activity diagrams. Refinement
tactics are proposed in order to incrementally generate a correct implemen-
tation of a relational database.
The B Method meets MDE 7
–U2B [27,26]: this work proposes to produce a B specification, called “nat-
ural”, so that the proof obligations are as simple as possible. For example,
instead of generating a B machine from each UML class (of a class diagram),
the authors generate a unique B machine that gathers the B constructs of
the whole package.
–ArgoUML+B [19,24]: this work tried to take into account complex UML
features. It proposed, on the one hand, various solutions for the translation of
the UML inheritance mechanism, and on the other hand, a new formalization
of behavioural UML diagrams.
Table 1 summarizes the structural features of UML class diagrams that are
addressed by these approaches. The table shows that each approach has its
advantages and limitations and that obviously for a better coverage of UML a
combination of the various approaches is needed. The challenge is how to gather
into a unified framework several UML-to-B approaches from the rich state of the
art. In Meeduse the user is able to select the desired UML-to-B transformation
technique and also to combine rules coming from various techniques. This is
interesting because UML has been mapped into numerous state-based formal
languages with similar principles (e.g. Z, Object-Z and ASM), and therefore the
only remaining piece is to integrate these mappings within a unifying LWB such
as Meeduse.
UML2SQL ArgoUML+B U2B
Classes (undetermined instances) + + +
Classes (fixed instances) - - +
Class attributes + + +
Distinction between multi/mono-valued attributes + - -
Inheritance + + +
Associations multiplicities + + +
Associations navigation direction - + +
Roles + - +
Associations constraints + + -
Distinction between fixed/non-fixed associations + - -
Association + + -
Associative classes + - -
Parametrized classes - - +
Legend : “+” (considered criterion ) ; “-” (non considered criterion)
Tab l e 1 . Overview of the supported UML structural features
3.3 ProB as an execution engine of xDSLs
The second limitation of translational approaches, as discussed in [4], is that
“the mapping of execution results back into the DSL is not covered”. Indeed, in
8 Akram Idani
the existing works [25,7,23,30,33] the execution results are only obtained in the
target domain because getting back the results in the source language is often
claimed to be difficult and requires to extend the abstract syntax in order to
model these results. The work of U. Tikhonova [29] uses the EventB language
but applies classical visual animation using BMotion Studio1to the formal spec-
ifications. Unfortunately, this is time consuming because the DSL syntax must
be redefined in BMotion Studio. Moreover, it also requires some additional ver-
ifications in order to address the compatibility between the initial DSL syntax
and the graphical visualization that is managed by BMotion Studio.
None of the existing techniques o↵er a way to execute jointly the formal
model and the domain model. They start from a DSL definition, produce a
formal specification and then they “get lost” in the formal process. Meeduse
gives an new vision to the integration of xDSLs and formal methods and provides
solutions to this limitation (steps (2) Valuation and (3) Execution of Figure 1).
Meeduse shows that getting back the execution results in the source language
is not a complicated task because, as explained in the previous section, MOF
and B are both built on the set theory and the first order predicate logic. The
difficulty may come from the theory on which the target language is built. By
using a state-based language built on the set theory and the first order predicate
logic, the semantical gap with MOF can be easily managed. We refer the reader
to [10] for the technical details about how the execution results can be translated
back to the original model without extending the abstract syntax of the DSL.
The proposed approach is inspired by [16], where the authors assume that a
tool like an animator or model checker is able to compute all execution traces
of a system and propose to implement the software system on top of programs
that execute in background the formal model by choosing traversing transitions.
By using xDSLs, we go a step further and reduce the e↵ort required for writ-
ing the aforementioned programs that interact with the animator. Indeed, in
our approach the developer focuses on the definition of the model’s semantics
and Meeduse generates a standard specification and implementation that can be
executed and controlled by the animator. The solution provided by Meeduse is
to guarantee the equivalence between the execution traces of the DSL and the
B data provided by ProB [20] (Steps 2 and 3 in Figure 1). As the two models,
managed respectively by the LWB and ProB, evolve together during the exe-
cution and remain equivalent to each other, then debugging can be done using
either the ProB tool, due to its numerous facilities for interactive animation,
or an EMF-based LWB such as the Gemoc Studio [8] . Debugging with ProB
(or other formal tools) may be required while developing the formal semantics
of the DSL, and debugging with the Gemoc Studio (or other LWBs) may be
recommended to the end users (or domain experts) who are often uncomfortable
with formal tools.
Figure 2 is a screen-shot of Meeduse while running a Petri-Net model of
the bounded-bu↵er producer/consumer synchronisation [3]. The top-left side
shows the graphical representation of the Petri-Net model where two processes
1http://www.stups.hhu.de/ProB/index.php5/BMotion_Studio
The B Method meets MDE 9
share a common bu↵er: the producer (whose states are pending and progress)
and the consumer (whose states are ready and accept). In this model, sequence
(start ;produce)⇤increases the number of tokens in place bu↵er until a fixed
bound is reached; and sequence (request ;consume)⇤decreases this number by
five. The other views of Figure 2 are provided by Meeduse for interactive anima-
tion and debugging: (1) the execution view from which the user can select and
run possible instances of the B operation for transition firing, (2) the execution
history view allowing an omniscient debugging, which is useful to go backward
in time, and (3) the state view giving the various valuations of the B variables
in the current state. The tool also informs the user whether the invariant is
preserved or not. In addition to the animation of xDSLs, Meeduse benefits from
the numerous model-checking strategies of ProB such as (without being exhaus-
tive): heuristic-based and breadth/depth search, reachability analysis with LTL
formulas and predicate decomposition.
Fig. 2. Running a Petri-Net model in Meeduse
4 Applications
Meeduse has been successfully applied to realistic case studies showing the via-
bility of our Formal MDE (FMDE) approach and the benefits of the tool to the
development of correct executable DSLs:
10 Akram Idani
1. To simulate safe train behaviours [11,12]. This application builds on a graph-
ical DSL that can be used by railway experts to design railroad topologies
and simulate (un)safe train movements.
2. To execute model-to-model transformations [13]. This application was car-
ried out during the 12th edition of the transformation tool contest (TTC’19)
and won the award of best verification and the third audience award.
3. To prove the execution semantics of PNML (Petri-Net Markup Language),
the international standard ISO/IEC 15909 for Petri-nets, and to take benefit
of the capabilities of the B method in the Petri-net field. This application
led to a full-fledged tool called MeeNET (Meeduse for Petri-Nets).
4.1 FMDE for railway systems
It is known that the usage of formal methods in safety-critical railway systems
is a strong requirement because their failures may lead to accidents and human
loss. However, while formal methods provide solutions to the verification prob-
lem, human errors may lead to erroneous validation of the specification, which
may produce the wrong system. Thus, involving the domain expert in the devel-
opment process makes sense; first to avoid the eventual misunderstandings of the
requirements by the developer and second to have a well-defined specification.
Furthermore, in the railway domain, textual and graphical representations of do-
main concepts are widely used in the various reference documents, which allows
sharing the knowledge about several railway mechanisms such as track circuits,
signalling rules and interlocking systems. Formal methods and DSLs are there-
fore inescapable for railway systems definition and development. Unfortunately,
most modeling tools (e.g. SafeCap, RailAid) are not built on a formal approach;
and most formal solutions are not supported by domain-specific modeling tools.
The application of Meeduse to the railway field showed its strength to mix both
aspects in the same tool. The work was funded by the NExTRegio project of
IRT Railenium and supported by SNCF R´eseau. The intention was to deal with
the analysis of railway signalling systems based on emergent train automation
solutions, especially the European Rail Traffic Management System (ERTMS)
and the underlying Train Control System (called ETCS). There are three levels
of ERTMS/ETCS which di↵er by the used equipments and the operating mode.
The first two levels are already operational, and the third one is still in design
and experimentation phases: it aims at replacing signalling systems with a global
European GPS-based solution for the acquisition of train positions. Our FMDE
solution led to a graphical DSL equipped with proved formal semantics, which
safely assists domain experts while defining the domain models and simulating
the underlying operating rules. Figure 3 gives di↵erent states of the domain
model (left hand side) with the list of B operations (right hand side) that can
be enabled by the animator at every state.
In the first state, on top of this Figure, the domain expert can: (i) change the
direction of trains TRAIN1 and TRAIN2; (ii) change the switch from straight
to divergent; (iv) arm the auto train stop (ATS) of PORTION2; and (v) com-
pose train routes using instances of operation Safe MA AddPortion.Theexe-
The B Method meets MDE 11
Fig. 3. Meeduse animation of a railroad model with safe execution semantics
cution of operation Safe MA AddPortion(MA2,PORTION3) followed by operation
Safe MA AddPortion(MA2,PORTION2), reaches the state presented in the mid-
dle of Figure 3 where the color of PORTION2 and PORTION3 became orange
meaning that these portions are reserved for some train. In this state, operation
safe Train Move can be enabled in order to start moving TRAIN2. Operation
Safe Train Move(TRAIN2) can be animated twice which leads to the state in
bottom of Figure 3 where TRAIN2 occupies PORTION2 after consuming the
authorizations provided by its route.
4.2 FMDE for model transformations
Model transformation is a core concept in MDE. It aims to automate the extrac-
tion of platform specific representations and/or executable artifacts from high
level models. Thus, the developer focuses on the modeling activities rather than
on coding. After more than a decade of maturation, several tools have been
developed (e.g. QVTo, ATL, TGG) and it became possible to leverage model
transformations within software development and use them to build large-scale
and complex systems. In this respect, the correctness of model transformations
became crucial. Despite the advances in this field, the Verification & Validation
(V&V) of model transformations still remains scattered, and perspectives on the
subject are still open. Between 2012 and 2016, the international Workshop on
Verification of Model Transformations (VOLT) tried to o↵er researchers a ded-
icated forum to classify, discuss, propose, and advance verification techniques
dedicated to model transformations. Several solutions have been proposed: in-
12 Akram Idani
cremental deductive verification, testing via classifying terms, applying reduc-
tion techniques, using model transformations to verify model transformations
themselves. Unfortunately, these techniques were not generalized and realistic
applications remain very limited or almost absent. We believe that this is due to
the fact that the underlying V&V are not focused on safety-critical systems, but
presented as solutions to software engineering in general where testing remains
the norm. For example, proving the transformation of UML class diagrams into
RDBMS may show the complexity of a formal approach, but clearly hides how
useful it is in practice, since the case does not deal with safety. A FMDE ap-
proach makes sense once critical concerns have to be taken into account. This
is confirmed by our participation in the 2019 edition of the transformation tool
contest (TTC’19), where the call for solutions was about a case study that is
well-known in safety-critical systems: the transformation of Truth Tables (TT)
into Binary Decision Diagrams (BDD). Our major observation is that among
the seven participants, Meeduse was the only attempt that addressed V&V; the
other solutions addressed flexibility, performance and optimality. Meeduse was
not only used to verify the model transformation, but also to execute it, which
is its novelty in comparison with the discussed approaches. However, the down-
side is its low performance when executing the transformation of huge models.
Nonetheless, as the transformation is written in B, proved and attested for mid-
dle size models, it can therefore be used as a reference specification from which
one can build a low-code model transformation.
Fig. 4. Application of Meeduse to DSL transformation.
Figure 4 shows the various views of Meeduse where the modeling view deals
with the representation of the input DSL. In this application, formal operational
The B Method meets MDE 13
semantics, written in B, consume truth table elements and progressively produce
a binary decision diagram. This application allowed us, on the one hand, to figure
out how far we can push the abilities of a formal method to be integrated within
model-driven engineering, and on the other hand, to present an original approach
to think, reason and execute DSL transformations using a formal method.
4.3 FMDE for XML standards
XML is used across a lot of domains because it favours readability (due to its
structuring features) and interoperability between platforms (due to the avail-
ability of parsers). Several communities have developed XML-based exchange
standards to structure domain concepts and improve the interoperability of the
growing number of computer applications that use these domain concepts. In the
railway field, we can refer to RailML (Railway Markup Language, an open XML
based data exchange format for data interoperability of railway applications).
An XML file is a DSL, whose static semantics (well-formedness rules) are es-
tablished via an XML schema, which is itself a meta-model in the MDE jargon.
Dealing with XML documents opens a broad spectrum of possibilities to FMDE,
since a formal approach can be applied to any domain standard approved by ex-
perts. Having this argument, we applied Meeduse to PNML (Petri-Net Markup
Language), the international standard ISO/IEC 15909 for Petri-nets. PNML
provides an agreed-on interchange format that is compliant with a formal def-
inition of Petri-nets and is managed by EMF-based platforms such as PNML
Framework and The ePNK. This application was motivated by the following
points:
–There exist several widely known tools that implement the Petri-net theory
for verification purposes.
–Petri-nets were applied to the safety-critical domain with several success
stories such as the Oslo subway.
A FMDE approach for PNML contributes towards this field by providing
practitioners the possibility to benefit from the rich catalog of MDE tools without
losing sight of correctness and rigorous development. This application led to a
tool called MeeNET in which a PNML file can be executed, debugged, verified
and translated into an implementation.
5 Discussion and Future
This paper has given an overview of our FMDE approach and presented realistic
applications of our tool support, which shows that the integration of executable
DSLs together with theorem proving, animation and model-checking is viable
and should be explored further. However, in safety-critical systems, tools must
be qualified before being used. Voelter et al., in [32] state that “one way to qual-
ify a given tool based on domain standards is to show that the tool has been used
14 Akram Idani
successfully in industrial projects built on the aforementioned standards, collect
usage reports and malfunctioning reviews, and define process-based mitigation
that should be used when the tool is applied”. The formal aspects of Meeduse
can be qualified in this way because it is built on the B method which is al-
ready proven in use: the B method provides a safe development process ranging
from theorem proving to code generation, and both AtelierB and ProB were
successfully used in several real-life safety-critical systems.
However, it is difficult to objectively apply the same principles to the non-
formal aspects of Meeduse because it is an emergent approach and even if it
has had several realistic applications, including a major one in the railway field,
these applications were not at an industrial scale. Other ways to qualify a tool
include proof and extensive validation that the tool is correct or showing that
the tool itself has been developed with a formal and safe process. This is a much
more realistic way because although the OMG did not establish guidelines for
qualifying MOF-compliant tools, the MOF reference document provides a semi-
formal specification applying XMI (for the syntax) and OCL (for the semantics).
Checking that Meeduse is MOF-compliant can be done via a formal definition
of the MOF semantics and the proof that data structures and algorithms used
in the tool preserve these semantics all along the execution. Currently, we are
working on this direction by formalizing the concepts of Meeduse using Meeduse
itself, which would provide much more confidence in the tool and the underlying
approach.
Furthermore, it is worthreviewing to mention that the usage of B appears as
a good choice for several reasons: (1) the availability of a rich UML-to-B state
of the art, that allowed us to provide a viable translation from MOF into B
(considering that MOF is a restriction of UML); and (2) the usage of theorem
proving, in addition to model-checking, to guarantee zero-fault DSLs. In most ap-
plication domains such as Requirements Engineering, Enterprise Architectures,
Business Process Management and Legal Contracts, where DSLs do exist, the
commonly used verification tools are model checkers and/or SAT/SMT solvers.
Meeduse may introduce theorem proving to these domains. Besides our own ex-
perience and judgement, the B Method has been compared to other state based
formal methods and tools in [21] and got several good points. Regarding scala-
bility, which is “the ability to be well applicable to arbitrarily large and complex
projects”, the B method is ranked (Good). The work also highly ranks the verifi-
cation features of B and its tool support. Nonetheless, we are aware that in order
to broaden the spectrum of Meeduse several target formal approaches have to be
addressed. This objective belongs to our short term perspectives (Figure 5) and
do not seem technically difficult since the power of Meeduse comes from ProB,
and ProB is itself a multi-target platform covering (in addition to B) Event-B,
Z, Alloy and TLA+. Translations from UML to these languages have already
been investigated in the past; we just need to integrate them within Meeduse.We
recall that we built this paper on the (strong) claim that FMDE does not need
innovative solutions, but rather integrative initiatives of existing well-established
approaches.
The B Method meets MDE 15
Figure 5 gives the evolution time-line of Meeduse with the major highlights
and our current and short-term perspectives. The red time-lines refer to DSL
tools that are powered by Meeduse and which have their own existence, such as
MeeNET. The latter allowed us to investigate several interesting research direc-
tions such as DSL refinements and transpilation. Meeduse is a language work-
bench dedicated to formally instrument any EMF-based DSL with correctness
concerns. We experimented it on various kinds of applications in order to evalu-
ate its strength. For example, in the smart-home domain (project DomoSur) we
focused on the execution of the DSL at run-time, being inspired by [16]. The ap-
proach also covers model transformations (M2M). Indeed, we have adapted our
TTC’19 proposal to provide a LWB that is suitable for model transformations.
Currently, we are working on bi-directional transformations by addressing two
features: (1) proving the isomorphism of a transformation in B, and (2) updating
the input model from changes done in the output model (propagation).
2018
NextRegio Project!
(Railway systems)
V1 (POC)
2019
TTC’19!
(Awarded)
V2 (Beta)
Big models
2020
MeeNET!
(Powered by Meeduse)
V3 (Stable)
Basic!
PTNets
2021
DomoSur Project!
(New features)
Debugging
Deferred Sets
Multiple models
PNML!
(XML) PNML!
Refinements
Transpilation!
Of PNML
Other PTNet!
Models
2022
xOWL Project
Ontologies
Patterns
Evolution
2023
Multi-targets
Event-B
Z
Alloy
M2M
@Runtime
SmartHome
Isomorphism
Propagation
Fig. 5. Evolution time-line of Meeduse.
The applications discussed in this paper provide a narrow view of DSLs that
is focused on safety-critical systems. The xOWL project (executable OWL),
started this year, addresses knowledge engineering. It has a di↵erent view and
studies the possibility to consider other application domains, which would allow
us to analyse the implications of FMDE outside safety-critical systems. The mo-
tivation of the project is that domain ontologies evolve continuously, which leads
to several problems, especially change impact analysis and resolution. Among ex-
isting works, pattern-driven techniques have been proposed to provide guidance
during the ontology evolution so that it remains consistent. In the xOWL project,
ontologies are described via the Ontology Web Language (OWL). Considering
that OWL is a DSL, our proposal is to rethink the underlying evolution patterns
by means of execution semantics that apply the expected changes to a given on-
tology. We have instrumented the W3C functional syntax of OWL in Meeduse,
16 Akram Idani
leading to a lightweight development approach. Indeed, the development e↵ort
is limited to the specification of the evolution patterns and their verification and
validation. All the other features of xOWL (execution, verification and debug-
ging) are provided by Meeduse.
Acknowledgements. The author would like to thank the LIG lab and CNRS
for supporting the development of Meeduse, and he is much obliged to German
Vega for his great technical contribution to the tool.
References
1. Abrial, J.R.: The B-book: Assigning Programs to Meanings. Cambridge University
Press, New York, NY, USA (1996)
2. Baar, T.: Non-deterministic constructs in OCL - what does any() mean. In: Model
Driven - 12th International SDL Forum. LNCS, vol. 3530, pp. 32–46. Springer
(2005). https://doi.org/10.1007/11506843 3
3. Bobbio, A.: System modelling with petri nets. In: Colombo, A.G., de Bustamante,
A.S. (eds.) Systems Reliability Assessment. pp. 103–143. Springer (1990)
4. Bryant, B.R., Gray, J., Mernik, M., Clarke, P.J., France, R.B., Karsai, G.: Chal-
lenges and directions in formalizing the semantics of modeling languages. Comput.
Sci. Inf. Syst. 8(2), 225–253 (2011). https://doi.org/10.2298/CSIS110114012B,
https://doi.org/10.2298/CSIS110114012B
5. Combemale, B.: Towards Language-Oriented Modeling. Habilitation `a diriger des
recherches, Universit´e de Rennes 1 (Dec 2015)
6. Dormoy, F.X.: SCADE 6: A Model Based Solution For Safety Critical Software De-
velopment. In: Embedded Real Time Software and Systems (ERTS2008). toulouse,
France (Jan 2008), https://hal-insu.archives-ouvertes.fr/insu-02270108
7. Gargantini, A., Riccobene, E., Scandurra, P.: Combining formal methods and mde
techniques for model-driven system design and analysis. International Journal On
Advances in Software 1&2 (2010)
8. Gemoc: Gemoc, http://gemoc.org/
9. Idani, A.: Formal model-driven executable DSLs: Application to Petri-Nets. In-
ternational Journal on Innovations in Systems and Software Engineering (ISSE)
18(1) (2022). https://doi.org/10.1007/s11334-021-00408-4
10. Idani, A., Ledru, Y., Vega, G.: Alliance of Model Driven Engineering with a Proof-
based Formal Approach. Innovations in Systems and Software Engineering 16(3),
289–307 (2020)
11. Idani, A., Ledru, Y., Wakrime, A.A., Ayed, R.B., Bon, P.: Towards a tool-based
domain specific approach for railway systems modeling and validation. In: Third
International Conference on Reliability, Safety, and Security of Railway Systems.
LNCS, vol. 11495, pp. 23–40. Springer (2019)
12. Idani, A., Ledru, Y., Wakrime, A.A., Ayed, R.B., Dutilleul, S.C.: Incremental de-
velopment of a safety critical system combining formal methods and dsmls: Appli-
cation to a railway system. In: 24th International Conference on Formal Methods
for Industrial Critical Systems. LNCS, vol. 11687, pp. 93–109. Springer (2019)
13. Idani, A., Vega, G., Leuschel, M.: Applying formal reasoning to model transforma-
tion: The meeduse solution. In: Proceedings of the 12th Transformation Tool Con-
test, co-located with STAF’2019, Software Technologies: Applications and Foun-
dations. CEUR Workshop Proceedings, vol. 2550, pp. 33–44 (2019)
The B Method meets MDE 17
14. Iung, A., Carbonell, J., Marchezan, L., Rodrigues, E.M., Bernardino, M., Basso,
F.P., Medeiros, B.: Systematic mapping study on domain-specific language devel-
opment tools. Empirical Software Engineering 25(5), 4205–4249 (2020)
15. Kosar, T., Bohra, S., Mernik, M.: Domain-specific languages: A systematic map-
ping study. Information and Software Technology 71, 77–91 (2016)
16. K¨orner, P., Bendisposto, J., Dunkelau, J., Krings, S., Leuschel, M.: Embedding
high-level formal specifications into applications. In: International Conference on
Formal Methods (FM). LNCS, vol. 11800. Springer (2019)
17. Laleau, R., Mammar, A.: An Overview of a Method and Its Support Tool for
Generating B Specifications from UML Notations. In: 15th IEEE International
Conference on Automated Software Engineering. pp. 269–272 (2000)
18. Laleau, R., Polack, F.: Coming and going from uml to b: A proposal to support
traceability in rigorous is development. In: 2nd International Conference of B and
Z Users. LNCS, vol. 2272, pp. 517–534. Springer (2002)
19. Ledang, H.: Automatic translation from uml specifications to b. In: Automated
Software Engineering. p. 436 (2001)
20. Leuschel, M., Butler, M.: ProB: an automated analysis toolset for the B method.
Software Tools for Technology Transfer (STTT) 10(2), 185–203 (2008)
21. Mashkoor, A., Kossak, F., Egyed, A.: Evaluating the suitability of state-based for-
mal methods for industrial deployment. Software Practice and Experience 48(12),
2350–2379 (2018)
22. Meeduse: http://vasco.imag.fr/tools/meeduse/, accessed: 15-12-2020
23. Merilinna, J., P¨arssinen, J.: Verification and validation in the context of domain-
specific modelling. In: Proceedings of the 10th Workshop on Domain-Specific Mod-
eling. pp. 9:1–9:6. ACM, New York, NY, USA (2010)
24. Meyer, E.: D´eveloppements formels par objets : utilisation conjointe de B et
d’UML. Ph.D. thesis, Universit´e de Nancy 2 (Mars 2001)
25. Rivera, J., Dur´an, F., Vallecillo, A.: Formal specification and analysis of domain
specific models using maude. Simulation 85, 778–792 (10 2009)
26. Snook, C., Butler, M.: UML-B: Formal modeling and design aided by UML. ACM
Transactions on Software Engineering and Methodology 15(1) (2006)
27. Snook, C., Butler, M.: U2B-A tool for translating UML-B models into B. In: Mer-
met, J. (ed.) UML-B Specification for Proven Embedded Systems Design (2004)
28. Steinberg, D., Budinsky, F., Paternostro, M., Merks, E.: EMF: Eclipse Modeling
Framework 2.0. Addison-Wesley Professional, 2nd edn. (2009)
29. Tikhonova, U., Manders, M., Brand, van den, M., Andova, S., Verhoe↵, T.: Ap-
plying model transformation and Event-B for specifying an industrial DSL. In:
Workshop on Model Driven Engineering, Verification and Validation. pp. 41–50.
CEUR Workshop Proceedings, CEUR-WS.org (2013)
30. Tikhonova, U.: Reusable specification templates for defining dynamic semantics of
dsls. Software & Systems Modeling (Mar 2017)
31. Vallecillo, A., Gogolla, M.: Adding random operations to OCL. In: Proceedings
of MODELS 2017 Satellite Event. pp. 324–328. CEUR Workshop Proceedings,
CEUR-WS.org (2017)
32. Voelter, M., Kolb, B., Birken, K., Tomassetti, F., Al↵, P., Wiart, L., Wortmann,
A., Nordmann, A.: Using language workbenches and domain-specific languages for
safety-critical software development. Softw. Syst. Model. 18(4), 2507–2530 (Aug
2019), https://doi.org/10.1007/s10270-018-0679-0
33. Zalila, F., Cr´egut, X., Pantel, M.: Formal verification integration approach for
dsml. In: Model-Driven Engineering Languages and Systems. pp. 336–351. Springer
(2013)
