Deploy Repository: No conditions. Results ordered -Date, Title. 2018-01-17T12:23:00ZEPrintshttp://deploy-eprints.ecs.soton.ac.uk/images/sitelogo.gifhttp://deploy-eprints.ecs.soton.ac.uk/2012-07-18T08:41:55Z2013-01-28T11:05:43Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/423This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/4232012-07-18T08:41:55ZIndustrial deployment of system engineering methods providing high dependability and productivity. Alexander Romanovskyalexander.romanovsky@ncl.ac.ukMartyn Thomas2012-07-23T06:29:23Z2012-09-11T18:36:40Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/425This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/4252012-07-23T06:29:23ZA Systematic Approach to Atomicity Decomposition in Event-BAsieh Salehi FathabadiMichael ButlerAbdolbaghi Rezazadeh2012-03-15T09:45:21Z2012-09-11T18:39:18Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/375This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/3752012-03-15T09:45:21ZFormal modelling for Ada implementations: Tasking Event-BThis paper describes a formal modelling approach, where Ada code is automatically generated from the modelling artefacts. We introduce an implementation-level specification, Tasking Event-B, which is an extension to Event-B. Event-B is a formal method, that can be used to model safety-, and business-critical systems. The work may be of interest to a section of the Ada community who are interested in applying formal modelling techniques in their development process, and automatically generating Ada code from the model. We describe a streamlined process, where the abstract modelling artefacts map easily to Ada language constructs. Initial modelling takes place at a high level of abstraction. We then use refinement, decomposition, and finally implementation-level annotations, to generate Ada code. We provide a brief introduction to Event-B, before illustrating the new approach using small examples taken from a larger case study.Andrew EdmundsAbdolbaghi RezazadehMichael Butler2012-05-17T14:15:58Z2012-09-11T18:35:57Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/402This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/4022012-05-17T14:15:58ZControl systems: phenomena and structuring functional requirement documentsInfluenced by the Parnas and Madey?s fourvariable model and the concept of phenomena in problem frames, we desire to provide guidelines to facilitate refinement-based formal modelling. These guidelines are based on monitored, controlled, mode and commanded (MCMC) phenomena of a control system. Commanded phenomena reflect the role that an operator plays in system control. The mode phenomenon captures the states of the controller. Requirements of several case studies have been formally modelled using the MCMC phenomena. This helped to identify some of the ambiguities and advantages of the guidelines. In particular, we realised that the concept of commanded phenomena and its difference with monitored phenomena can cause confusion. Also, it was noticed that the mode is a special phenomenon, as it can be modified by operator requests or internally by the control system. In this paper we clarify the concept of commanded phenomena and differentiate between monitored and commanded phenomena clearly. The concept of mode phenomenon is also introduced in details. As practical examples, the phenomena of two case studies, namely a cruise control system and a lane centering controller (LCC), are identified. The MCMC phenomena are also used to structure the requirement document (RD) of a control system. This can help with the transition from an informal RD to a formal model. This approach is used to structure the RD of the LCC case study which is supported by our industrial partner.Sanaz YeganefardMichael Butler2012-05-10T15:27:44Z2012-05-10T15:27:44Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/397This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/3972012-05-10T15:27:44ZEnsuring Extensibility within Code GenerationMaking the step from Event-B to code is a process that can be aided through automatic code generation. The code generation plug-in for Rodin is a new tool for translating Event-B models to concurrent programmes. However users of such a tool will likely require a diverse range of target languages and target platforms, for which we do not currently provide translations. Some of these languages may be subtly different to existing languages and only have modest differences between the translation rules, for example C and C++, whilst others may have more fundamental differences. As the translation from Event-B to executable code is non-trivial and to reduce the likelihood of error, we want to generalise as much of the translation as possible so that existing translation rules are re-used. Therefore significant effort is needed to ensure that such a translation tool is extensible to allow additional languages to be included with relative ease. Here we concentrate on translation from a previously defined intermediary language, called IL1, which Event-B translates to directly.Chris LovellAndy EdmundsRenato SilvaIssam MaamriaMichael Butler2012-05-08T09:25:39Z2012-05-08T09:25:39Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/396This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/3962012-05-08T09:25:39ZTooling: Code Generation UpdateAndrew EdmundsChris LovellRenato SilvaIssam MaamriaMichael Butler2012-03-06T18:52:06Z2012-03-06T18:52:06Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/372This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/3722012-03-06T18:52:06ZAugmenting formal development with use case reasoningState-based methods for correct-by-construction software development rely on a combination of safety constraints and refinement obligations to demonstrate design correctness. One prominent challenge, especially in an industrial setting, is ensuring that a design is adequate: requirements compliant and fit for purpose. The paper presents a technique for augmenting state-based, refinement-driven formal developments with reasoning about use case scenarios; in particular, it discusses a way for the derivation of formal verification conditions from a high-level, diagrammatic language of use cases, and the methodological role of use cases in a formal modelling process.Alexei Iliasov"Alexei Iliasov" <Alexei.Iliasov@newcastle.ac.uk>2012-07-26T15:19:17Z2012-07-26T15:22:46Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/445This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/4452012-07-26T15:19:17ZDeployment of Formal Methods in Industry: the Legacy of the FP7 ICT DEPLOY Integrated ProjectThe work of the major EU-funded ICT DEPLOY Integrated Project (February 2008 – April 2012) on Industrial Deployment of Advanced System Engineering Methods for High Productivity and Dependability was driven by the tasks of achieving and evaluating industrial take-up, initially by DEPLOY industrial partners, of DEPLOY methods and tools, together with the necessary further research on methods and tools. Our previous SEN paper introduced the project. The project has been one of the most significant efforts focusing on understanding the issues researchers and engineers face during the deployment of formal methods. This paper briefly reports on the project legacy and provides pointers to the various sources of information produced by the projects.Romanovsky Alexanderalexander.romanovsky@ncl.ac.uk2012-04-27T14:42:34Z2012-04-27T14:42:34Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/386This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/3862012-04-27T14:42:34ZDeveloping Mode-Rich Satellite Software by Refinement in Event-BOne of the guarantees that the designers of on-board satellite systems need to provide, so as to ensure their dependability, is that the mode transition scheme is implemented correctly, i.e. that the states of system components are consistent with the global system mode. There is still, however, a lack of scalable approaches to developing and verifying systems with complex mode transitions. This paper presents an approach to formal development of mode-rich systems by refinement in Event-B. We formalise the concepts of modes and mode transitions as well as deriving specification and refinement patterns which support correct-by-construction system development. The proposed approach is validated by a formal development of the Attitude and Orbit Control System (AOCS) undertaken within the ICT DEPLOY project. The experience gained in the course of developing of as complex an industrial-size system as AOCS shows that refinement in Event-B provides the engineers with a scalable formal technique that enables both mode-rich systems development and proof-based verification of their mode consistency.Alexei Iliasov"Alexei Iliasov" <Alexei.Iliasov@newcastle.ac.uk>Elena TroubitsynaElena.Troubitsyna@abo.fiLinas LaibinisLinas.Laibinis@abo.fiAlexander Romanovskyalexander.romanovsky@ncl.ac.ukKimmo VarpaaniemiDubravka IlicTimo Latvala2012-05-01T12:49:18Z2012-07-26T15:12:58Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/393This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/3932012-05-01T12:49:18ZFormal Engineering of Resilient Systems: Achievements and ChallengesIn this paper we overview the work on formal engineering of resilient systems carried out in the FP7 EU DEPLOY project. We discuss our experience and open issues.Elena TroubitsynaElena.Troubitsyna@abo.fiAlexander Romanovskyalexander.romanovsky@ncl.ac.uk2012-06-29T07:54:42Z2012-06-29T07:54:42Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/407This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/4072012-06-29T07:54:42ZFormal Modelling and Verification of Service-Oriented Systems in Probabilistic Event-BModelling and refinement in Event-B provides a scalable sup- port for the development of complex service-oriented systems. Refinement in Event-B supports a systematic service development by a gradual trans- formation of an abstract specification into a detailed service architecture. In this paper we aim at integrating quantitative assessment of desired quality of essential service attributes into formal modelling process. We propose an approach to creating and verifying a dynamic service architecture in Event- B. Such an architecture can be augmented with stochastic information and transformed into the corresponding continuous-time Markov chain represen- tation. By relying on probabilistic model-checking techniques, we allow for quantitative evaluation of quality of service attributes at early development stages. The approach is illustrated by a simple case study.Anton TarasyukAnton.Tarasyuk@abo.fiElena TroubitsynaElena.Troubitsyna@abo.fiLinas LaibinisLinas.Laibinis@abo.fi2012-07-18T12:48:03Z2012-09-11T18:38:26Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/424This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/4242012-07-18T12:48:03ZSMT Solvers for RodinFormal development in Event-B generally requires the validation of a large number of proof obligations. Some automatic tools exist to automatically discharge a significant part of them, thus augmenting the efficiency of the formal development. We here investigate the use of SMT (Satisfiability Modulo Theories) solvers in addition to the traditional tools, and detail the techniques used for the cooperation between the Rodin platform and SMT solvers.
Our contribution is the definition of two approaches to use SMT solvers, their implementation in a Rodin plug-in, and an experimental evaluation on a large sample of industrial and academic projects. Adding SMT solvers to Atelier B provers reduces to one fourth the number of sequents that need to be proved interactively.David Déharbedavid@dimap.ufrn.brPascal FontainePascal.Fontaine@inria.frYoann Guyotyoann.guyot@systerel.frLaurent Voisinlaurent.voisin@systerel.fr2012-05-16T08:20:52Z2012-05-18T14:17:01Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/398This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/3982012-05-16T08:20:52ZTowards the Composition of Specifications in Event-BThe development of a system can start with the creation of a specification. Following this viewpoint, we claim that often a specification can be constructed from the combination of specifications which can be seen as composition. Event-B is a formal method that allows modelling and refinement of systems. The combination, reuse and validation of component specifications are not currently supported in Event-B. We extend the Event-B formalism using shared event composition as an option for developing (distributed) systems. Refinement is used in the development of specifications using composed machines and we prove that properties and proof obligations of specifications can be reused to ensure valid composed specifications. The main contributions of this work are the Event-B extension to support shared event composition and refinement including the proof obligations for a composed machine.Renato Silvaras07r@ecs.soton.ac.uk2011-10-02T09:59:53Z2011-10-02T09:59:53Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/347This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/3472011-10-02T09:59:53ZPatterns for Representing FMEA in Formal Specification of Control SystemsFailure Modes and Effects analysis (FMEA) is a widely used technique for inductive safety analysis. FMEA provides engineers with valuable information about failure modes of system components as well as procedures for error detection and recovery. In this paper we propose an approach
that facilitates representation of FMEA results in formal
Event-B specifications of control systems. We define a number of patterns for representing requirements derived from FMEA in formal system model specified in Event-B. The patterns help the developers to trace the requirements from safety analysis to formal specification. Moreover, they allow them to increase automation of formal system development by refinement. Our approach is illustrated by an example - a sluice control system.Ilya LopatkinIlya.Lopatkin@newcastle.ac.ukAlexei Iliasov"Alexei Iliasov" <Alexei.Iliasov@newcastle.ac.uk>Alexander Romanovskyalexander.romanovsky@ncl.ac.ukYuliya ProkhorovaYuliya.Prokhorova@abo.fiElena TroubitsynaElena.Troubitsyna@abo.fi2012-03-15T09:45:38Z2012-03-15T09:45:38Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/373This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/3732012-03-15T09:45:38Z From Event-B Models to Code: Sensing, Actuating, and the Environment The Event-B method is a formal approach for modelling systems in safety-, and business-critical, domains. We focus, in this paper, on multi-tasking, embedded control systems. Initially, system specification takes place at a high level of abstraction; detail is added in refinement steps as the development proceeds toward implementation. In previous work, we presented an approach for generating code, for concurrent programs, from Event-B. Translators generate program code for tasks that access data in a safe way, using shared objects. We did not distinguish between tasks of the environment and those of the controller. The work described in this paper offers improved modelling and code generation support, where we separate the environment from the controller. The events in the system can participate in actuating or sensing roles. In the resulting code, sensing and actuation can be simulated using a form of subroutine call; or additional information can be provided to allow a task to read/write directly from/to a specfied memory location.Andrew Edmunds12039Abdolbaghi Rezazadeh10385Michael Butler182011-09-02T08:43:33Z2012-05-18T14:19:02Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/330This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/3302011-09-02T08:43:33ZProceedings of the 11th workshop on Automated Verification of Critical SystemsThis volume contains the proceedings of the 11th workshop on Automated Verification of Critical Systems that was hosted by Newcastle University and took place during September 12-14, 2011 in Newcastle upon Tyne, UK. The workshop is supported by DEPLOY.Jens BendispostoCliff JonesMichael LeuschelAlexander Romanovsky2011-09-04T11:57:29Z2011-09-04T11:57:29Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/329This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/3292011-09-04T11:57:29ZQuantitative Verification of System Safety in Event-B
Anton TarasyukAnton.Tarasyuk@abo.fiElena TroubitsynaElena.Troubitsyna@abo.fiLinas LaibinisLinas.Laibinis@abo.fi2012-05-17T14:27:55Z2012-05-17T14:27:55Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/403This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/4032012-05-17T14:27:55ZStructuring functional requirements of control systems to facilitate refinement-based formalisation Good requirements structure can greatly facilitate the construction of formal models of systems. This paper describes an approach to requirements structuring for control systems that aims to facilitate refinement-based formalisation. In addition to the well-known monitored and controlled phenomena used to analyse control systems, we also identify commanded phenomenon reflecting the special role that an operator plays in system control. These system phenomena guide the structure of the requirements analysis and documentation as well as the structure of the formal models. We model systems using the Event-B formalism, making use of refinement to support layering of requirements. The structuring provided by the system phenomena and by the refinement layers supports clear traceability and validation between requirements and formal models. As a worked example, we structured the requirements of an automotive lane departure warning system using this approach. We found missing requirements through this process and we evolved the requirement document through domain experts? feedback and formal modelling.Sanaz YeganefardMichael Butler2011-11-16T09:32:55Z2011-11-16T09:32:55Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/356This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/3562011-11-16T09:32:55ZConcurrent Scheduling of Event-B ModelsEvent-B is a refinement-based formal method that has been shown to be useful in developing concurrent and distributed programs. Large models can be decomposed into sub-models that can be refined semi-independently and executed in parallel. In this paper, we show how to introduce explicit control flow for the concurrent sub-models in the form of event schedules. We explore how schedules can be designed so that their application results in a correctness-preserving refinement step. For practical application, two patterns for schedule introduction are provided, together with their associated proof obligations. We demonstrate our method by applying it on the dining philosophers problem.Pontus BoströmFredrik DegerlundKaisa SereMarina Waldén2011-05-06T13:17:45Z2011-05-06T13:17:45Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/303This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/3032011-05-06T13:17:45ZTasking Event-B: An Extension to Event-B for Generating Concurrent CodeThe Event-B method is a formal approach for modelling systems in safety-, and business-critical, domains. Initially, system specification takes place at a high level of abstraction; detail is added in refinement steps as the development proceeds toward implementation. Our aim has been to develop a novel approach for generating code, for concurrent programs, from Event-B. We formulated the approach so that it integrates well with the existing Event-B methodology and tools. In this paper we introduce a tasking extension for Event-B, with Tasking and Shared Machines. We make use of refinement, decomposition, and the extension, to structure projects for code generation for multitasking implementations. During the modelling phase decomposition is performed; decomposition reduces modelling complexity and makes proof more tractable. The decomposed models are then extended with sufficient information to enable generation of code. A task body describes a task?s behaviour, mainly using imperative, programming-like constructs. Task priority and life-cycle (periodic, triggered, etc.) are also specified, but timing aspects are not modelled formally. We provide tool support in order to validate the practical aspects of the approach. Andrew EdmundsMichael Butler2011-08-02T12:57:38Z2011-08-02T12:57:38Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/319This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/3192011-08-02T12:57:38ZCorrect-by-Construction Development of Fault Tolerant Systems (Tutorial at FM 2011)Ensuring system fault tolerance is one of the major concerns in developing critical industrial applications. The tutorial shows how to rigorously develop systems that are not only functionally correct but also fault tolerant. The material of the tutorial is built on the results of two EC projects, RODIN and DEPLOY, that created and validated in the industrial settings the RODIN platform - an Eclipse-based development environment supporting formal modelling in Event-B. The focus of the tutorial is on demonstrating how fault tolerance can be systematically specified and verified as an intrinsic part of the overall system behavior. The general principles are demonstrated by several industrial case studies based on our work with telecommunication, space and business information sectors. As part of the tutorial we will introduce and demonstrate a number of RODIN tools that support model structuring using modes, modules, and fault tolerance views, and facilitate fault tolerance modelling.
All materials of this tutorial are available on http://iliasov.org/fm2011/
Alexei Iliasov"Alexei Iliasov" <Alexei.Iliasov@newcastle.ac.uk>Linas LaibinisLinas.Laibinis@abo.fiElena TroubitsynaElena.Troubitsyna@abo.fiAlexander Romanovskyalexander.romanovsky@ncl.ac.uk2012-06-29T07:54:19Z2012-06-29T07:54:19Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/405This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/4052012-06-29T07:54:19ZDerivation and Formal Verification of a Mode Logic for Layered Control SystemsModes are widely used to structure the behaviour of control systems. For many such systems, derivation and verification of a mode logic is challenging due to a large number of modes and complex mode transitions. In this paper we propose an approach to deriving, formalising and verifying consistency of a mode logic for fault tolerant control systems. We demonstrate how to use Failure Modes and Effects Analysis (FMEA) to systematically derive the fault tolerance part of the mode logic. To tackle the problem of mode consistency, we propose a formalisation of the mode logic and mode consistency conditions for layered systems with reconfigurable components. We use our formalisation to develop and verify a mode-rich system by refinement in Event-B.Yuliya ProkhorovaYuliya.Prokhorova@abo.fiLinas LaibinisLinas.Laibinis@abo.fiElena TroubitsynaElena.Troubitsyna@abo.fiKimmo VarpaaniemiTimo Latvala2012-06-29T07:54:30Z2012-06-29T07:54:30Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/406This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/4062012-06-29T07:54:30ZDeriving Mode Logic for Fault-Tolerant Control SystemsYuliya ProkhorovaYuliya.Prokhorova@abo.fiElena TroubitsynaElena.Troubitsyna@abo.fiLinas LaibinisLinas.Laibinis@abo.fiKimmo VarpaaniemiTimo Latvala2012-06-29T07:53:39Z2012-06-29T07:53:39Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/404This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/4042012-06-29T07:53:39ZDevelopment of Safety-Critical Control Systems in Event-B Using FMEAApplication of formal methods, in particular Event-B, helps us to build control systems correct by construction. On the other hand, to guarantee safety of such a system, we need to incorporate safety and fault tolerance requirements into its formal specification. In this chapter, we demonstrate how to integrate the results obtained during fault analysis, specifically, failure mode and effect analysis (FMEA), into the control system development process in Event-B. The proposed methodology is exemplified by a case study.Yuliya ProkhorovaYuliya.Prokhorova@abo.fiElena TroubitsynaElena.Troubitsyna@abo.fiLinas LaibinisLinas.Laibinis@abo.fiVyacheslav Kharchenko2011-08-02T10:47:15Z2011-08-02T10:47:15Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/317This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/3172011-08-02T10:47:15ZFormal Approach to Ensuring Interoperability of Mobile AgentsLinas LaibinisLinas.Laibinis@abo.fiElena TroubitsynaElena.Troubitsyna@abo.fiAlexei Iliasov"Alexei Iliasov" <Alexei.Iliasov@newcastle.ac.uk>Alexander Romanovskyalexander.romanovsky@ncl.ac.uk2011-08-02T13:08:31Z2011-08-02T13:11:37Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/320This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/3202011-08-02T13:08:31ZFormal Derivation of a Distributed Program in Event BAchieving high dependability of distributed systems remains
a major challenge due to complexity arising from concurrency and communication. There are a number of formal approaches to verification of properties of distributed algorithms. However, there is still a lack of methods that enable a transition from a verified formal model of communication to a program that faithfully implements it. In this paper we aim at bridging this gap by proposing a state-based formal approach to correct-by-construction development of distributed programs. In our approach we take a systems view, i.e., formally model not only application but also its environment. We decompose such an integrated specification to obtain the distributed program that should be deployed on the targeted network infrastructure. To illustrate our approach, we present a development of a distributed leader election protocol.Alexei Iliasov"Alexei Iliasov" <Alexei.Iliasov@newcastle.ac.uk>Linas LaibinisLinas.Laibinis@abo.fiElena TroubitsynaElena.Troubitsyna@abo.fiAlexander Romanovskyalexander.romanovsky@ncl.ac.uk2011-08-02T10:53:00Z2011-08-02T13:15:03Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/318This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/3182011-08-02T10:53:00ZFormal Stepwise Development of Scalable and Reliable Multiagent SystemsThis chapter considers the coordination aspect of large-scale dynamically-reconfigurable multi-agent systems in which agents cooperate to achieve a common goal. The agents reside on distributed nodes and collectively represent a distributed system capable of executing tasks that cannot be effectively executed by an individual node. The two key requirements to be met when designing such a system are scalability and reliability. Scalability ensures that a large number of agents can participate in computation
without overwhelming the system management facilities and thus allows agents to join and leave the system without affecting its performance. Meeting the reliability requirement guarantees that the system has enough redundancy to transparently tolerate a number of node crashes and agent failures, and is therefore free from single points of failures. The Event B formal method is used to validate the design formally and to ensure system scalability and reliability.Denis GrotsevAlexei Iliasov"Alexei Iliasov" <Alexei.Iliasov@newcastle.ac.uk>Alexander Romanovskyalexander.romanovsky@ncl.ac.uk2011-10-05T12:32:28Z2011-10-29T18:22:06Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/348This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/3482011-10-05T12:32:28ZGeneration of certifiably correct programs from formal modelsApplication of formal notations and verifications
techniques helps to deliver systems that are free from engineering defects. A code generator is an essential tool for formal development of real-world systems; it transforms models into runnable software quickly, consistently and reproducibly. Commonly, a code generator is a program constructed informally and producing an output that is not formally traced to an input. Industrial standards to the development of safety-critical systems, such as IEC 61508, require a justification for any tool used in a development: extensive prior experience or a formal certification. An extensive experience is often not an option as there are very few sufficiently mature modelling toolsets. The
certification of a code generator is a major effort increasing costs and development time. We propose an approach where a modeller places no trust whatsoever in the code generation stage but rather obtains software that is certifiable without any further effort. The essence of the approach is in the transformation of a formal model into runnable software that is demonstratively correct in respect to a given set of verification criteria, coming from a requirements document. A Hoare logic is used to embedded correctness criteria into the resultant program; the approach supports design-by-contract annotations to allow developer to mix formal and informal parts with a fair degree of rigour.Alexei Iliasov"Alexei Iliasov" <Alexei.Iliasov@newcastle.ac.uk>2011-09-04T11:57:36Z2011-09-04T11:57:36Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/328This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/3282011-09-04T11:57:36ZQuantitative Reasoning about Dependability in Event-B: Probabilistic Model Checking Approach
Anton TarasyukAnton.Tarasyuk@abo.fiElena TroubitsynaElena.Troubitsyna@abo.fiLinas LaibinisLinas.Laibinis@abo.fi2011-09-23T13:15:27Z2011-09-23T13:15:27Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/343This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/3432011-09-23T13:15:27ZRigorous Development of Dependable Systems using Fault Tolerance ViewsThis paper introduces the Mode and Fault Tolerance Views approach to stepwise rigorous development of critical systems. It supports systematic, structured and recursive modelling of system fault tolerance, including error detection, error recovery and degraded modes. Built on our previous work extending the Event-B method with reasoning about fault tolerance, the paper focuses on a practical application and evaluation of the approach. The proposed modelling approach is backed by an integrated toolset. The paper is illustrated with a case study from the aerospace domain.Ilya LopatkinIlya.Lopatkin@newcastle.ac.ukAlexei Iliasov"Alexei Iliasov" <Alexei.Iliasov@newcastle.ac.uk>Alexander Romanovskyalexander.romanovsky@ncl.ac.uk2011-12-11T22:19:01Z2011-12-11T22:19:01Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/360This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/3602011-12-11T22:19:01ZScaling Event-B to industrial applications: the role of formal design decomposition (Industry Paper)In this talk we report on scaling methodological and tool support of a formal method to size of problems relevant to industrial users. The report is based on the experience of the ICT Deploy project - a research project where a number
of academic and industrial partners work together on advancing the agenda of formal modelling in the industrial setting. We present a summary of developments conducted by industrial users, the problems they have faced compiling
requirements, building models, doing formal proofs and their views on the return form the investment in formal modelling training. In particular, we will focus on the transitions from initial, small-scale, feasibility studies to larger, realistic, developments and the challenges thus uncovered.Alexei Iliasov"Alexei Iliasov" <Alexei.Iliasov@newcastle.ac.uk>Alexander Romanovskyalexander.romanovsky@ncl.ac.uk2011-07-04T12:44:57Z2011-10-29T18:28:41Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/315This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/3152011-07-04T12:44:57ZUse case scenarios as verification conditions: Event-B/Flow approachModel-oriented formalisms rely on a combination of safety
constraints and satisfaction of refinement obligations to demonstrate model correctness. We argue that for a significant class of models a substantial part of the desired model behaviour would not be covered by such correctness conditions, meaning that a formal development potentially ends with a correct model inadequate for its purpose. In this paper we present a method for augmenting Event-B specifications with additional proof obligations expressed in a visual, diagrammatic way. A case study illustrates how the method may be used to strengthen a model by translating use case scenarios from requirement documents into formal statements over a modelled system.Alexei Iliasov"Alexei Iliasov" <Alexei.Iliasov@newcastle.ac.uk>2012-05-16T08:21:11Z2012-05-18T14:16:58Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/399This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/3992012-05-16T08:21:11ZShared Event Composition/Decomposition in Event-BThe construction of specifications is often a combination of smaller sub-components. Composition and decomposition are techniques that support reuse and allow us to formally combine sub-components through refinement steps while reusing their properties. Sub-components can result from a design or architectural goal and a refinement framework should allow further parallel development over the sub-components. We propose the definition of composition and decomposition in the Event-B formalism following a shared event approach where sub-components interact via synchronisation over shared events and shared states are not allow. We define the necessary proof obligations to ensure a valid composition or decomposition. We also show that shared event composition preserves refinement proofs for sub-components, that is, in order to maintain refinement of compositions, it is sufficient to prove refinement between corresponding subcomponents. A case study applying these two techniques is illustrated using Rodin, the Event-B toolset.Renato Silvaras07r@ecs.soton.ac.ukMichael Butlermjb@ecs.soton.ac.uk2011-09-04T11:57:40Z2011-09-04T11:57:40Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/327This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/3272011-09-04T11:57:40ZTowards Probabilistic Modelling in Event-BAnton TarasyukAnton.Tarasyuk@abo.fiElena TroubitsynaElena.Troubitsyna@abo.fiLinas LaibinisLinas.Laibinis@abo.fi2011-09-04T11:57:15Z2011-09-04T11:57:15Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/325This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/3252011-09-04T11:57:15ZAugmenting Formal Development of Control Systems with Quantitative Reliability Assessment
Anton TarasyukAnton.Tarasyuk@abo.fiElena TroubitsynaElena.Troubitsyna@abo.fiLinas LaibinisLinas.Laibinis@abo.fi2010-12-22T15:10:08Z2010-12-22T15:10:08Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/267This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/2672010-12-22T15:10:08ZRodin: An Open Toolset for Modelling and Reasoning in Event-BEvent-B is a formal method for system-level modelling and analysis. Key features of Event-B are the use of set theory as a modelling notation, the use of refinement to represent systems at different abstraction levels and the use of mathematical proof to verify consistency between refinement levels. In this article we present the Rodin modelling tool that seamlessly integrates modelling and proving. We outline how the Event-B language was designed to facilitate proof and how the tool has been designed to support changes to models while minimising the impact of changes on existing proofs. We outline the important features of the prover architecture and explain how well-definedness is treated. The tool is extensible and configurable so that it can be adapted more easily to different application domains and development methods. Jean-Raymond AbrialMichael ButlerStefan HallerstedeThai Son HoangFarhad MehtaLaurent Voisin2010-03-22T15:47:25Z2010-04-19T15:06:01Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/214This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/2142010-03-22T15:47:25ZSystem Architecture, Dependability and ModesThe mode, defining the specific type of functional behaviour that a system exhibits during its operation, is an
important architectural level concept, which has a significant impact on system design, verification and dependability. The notions of modes and mode changes are widely used by the industrial engineers to structure reasoning about different conditions of system functioning. Even though there has been some work on developing modal systems, we still lack a general understanding of how to architect, verify and ensure dependability of such systems. In our work we rely on formal modelling and verification to study intricate relationships between fault tolerance, operation modes and architectural design.Linas LaibinisLinas.Laibinis@abo.fiElena TroubitsynaElena.Troubitsyna@abo.fiAlexei Iliasov"Alexei Iliasov" <Alexei.Iliasov@newcastle.ac.uk>Alexander Romanovskyalexander.romanovsky@ncl.ac.uk2010-02-04T10:31:55Z2010-02-04T10:31:55Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/202This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/2022010-02-04T10:31:55ZAn EMF Framework for Event-BThe Rodin platform for Event-B formal modelling is based on a bespoke model repository. While this approach has some advantages it also means that the platform does not benefit from the host of emerging technologies and supporting packages that are freely available for open source modelling frameworks. The Eclipse Modelling Framework (EMF) has emerged as the de-facto standard package upon which to build any Eclipse based modelling tool. In order to make this support available for our Rodin tools we have now engineered a front-end EMF based representation of Event-B. Colin SnookFabian FritzAlexei Illisaov2010-10-29T09:04:41Z2010-10-29T09:04:41Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/252This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/2522010-10-29T09:04:41ZA Basis for Feature-Oriented Modelling in Event-BFeature-oriented modelling is a well-known approach for Software Product
Line (SPL) development. It is a widely used method when developing groups of
related software. With an SPL approach, the development of a software product
is quicker, less expensive and of higher quality than a one-off development since
much effort is re-used. However, this approach is not common in formal methods
development, which is generally high cost and time consuming, yet crucial in
the development of critical systems. With the increase of more complex critical
systems, it becomes more important to apply formal methods to the development
cycle, and we propose a method that allows the application of SPL development
techniques to formal methods. This results in faster and cheaper development of
formal systems.
Our method combines Event-B [1] and feature models [2]. A feature in a
feature model represents a requirement of the product family and is formally
described in Event-B using special feature modelling patterns. A feature repre-
sented in Event-B is referred to as component. We develop composition rules,
which allow components to be composed. Special composition proof obligations
allow the verification of the composition.
The feature model is formed by features which may be associated with Event-
B components. A subset of features from the feature model can be selected to
form a feature model instance, thereby selecting several of these Event-B com-
ponents. These components are composed pair-wise, and composition POs can
be discharged to prove properties and to ensure consistency of the composition.
The final Event-B machine represents the formal specification which is associated
with the feature model instance and is obtained by composing these components.
The motivation of our work is to allow product line development for critical
systems. We use traditional product line methods, i.e. feature modelling, and
link it with the formal method Event-B.
Future work is focussed on amending feature diagrams to reflect Event-B
components more precisely. Refinement patterns will also be addressed.
Jennifer Sorgejhs06r@ecs.soton.ac.ukMichael Poppletonmrp@ecs.soton.ac.ukMichael Butlermjb@ecs.soton.ac.uk2010-02-01T13:06:24Z2010-04-19T15:06:00Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/200This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/2002010-02-01T13:06:24ZDecomposition Tool for Event-BTwo methods have been identified for Event-B model decomposition: shared variable and shared event. The purpose of this paper is to introduce the two approaches and the respective tool support in the Rodin platform. Besides alleviating the complexity for large systems and respective proofs, decomposition allows team development in parallel over the same model which is very attractive in the industrial environment.Renato SilvaCarine PascalT. Son HoangMichael Butler2010-03-22T10:47:57Z2010-04-19T15:06:01Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/213This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/2132010-03-22T10:47:57ZAn Event-B model of the Attitude and Orbit Control SystemAlexei Iliasov"Alexei Iliasov" <Alexei.Iliasov@newcastle.ac.uk>Linas LaibinisLinas.Laibinis@abo.fiElena TroubitsynaElena.Troubitsyna@abo.fi2010-07-14T13:04:50Z2010-07-14T13:13:09Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/240This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/2402010-07-14T13:04:50ZDeveloping Mode-Rich Satellite Software by Refinement in Event BTo ensure dependability of on-board satellite systems, the
designers should, in particular, guarantee correct implementation of the mode transition scheme, i.e., ensure that the states of the system components are consistent with the global system mode. However, there is still a lack of scalable approaches to formal verification of correctness of complex mode transitions. In this paper we present a formal development of an Attitude and Orbit Control System (AOCS) undertaken within the ICT DEPLOY project. AOCS is a complex mode-rich system, which has an intricate mode-transition scheme. We show that re�finement in Event B provides the engineers with a scalable formal technique that enables both development of mode-rich systems and proof-based verification of their mode consistency.Alexei Iliasov"Alexei Iliasov" <Alexei.Iliasov@newcastle.ac.uk>Elena TroubitsynaElena.Troubitsyna@abo.fiLinas LaibinisLinas.Laibinis@abo.fiAlexander Romanovskyalexander.romanovsky@ncl.ac.ukKimmo VarpaaniemiDubravka IlicTimo Latvala2010-07-12T08:22:17Z2010-07-12T08:22:17Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/237This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/2372010-07-12T08:22:17ZFormal Analysis of BPMN Models using Event-B The use of business process models has gone far beyond documentation
purposes. In the development of business applications, they can play
the role of an artifact on which high level properties can be
verified and design errors can be revealed in an effort to reduce
overhead at later software development and diagnosis stages. This
paper demonstrates how formal verification may add value to the
specification, design and development of business process models in
an industrial setting. The analysis of these models is achieved via
an algorithmic translation from the de-facto standard business
process modeling language BPMN to Event-B, a widely used formal
language supported by the Rodin platform which offers a range of
simulation and verification technologies.Jeremy BryansJeremy.Bryans@ncl.ac.ukWei Wei wei01.wei@sap.com2010-10-21T10:03:34Z2010-10-21T10:05:22Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/248This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/2482010-10-21T10:03:34ZFormal Analysis of BPMN Models Using Event-BJeremy W. Bryansjeremy.bryans@ncl.ac.ukWei Wei wei01.wei@sap.com2010-11-12T08:53:11Z2010-11-12T08:53:11Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/253This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/2532010-11-12T08:53:11ZOn Fault Tolerance Reuse during RefinementComplex modern applications have to be developed to be dependable to meet their requirements and expectations of their users. An important part of this is their ability to deal with various threats (such as faults in the system environment, operator's mistakes, underlying hardware and software support problems). Development of modern applications is complicated by the need for systematic and rigorous integration of fault tolerance measures. The paper focuses on reuse of fault tolerance modelling. First, it introduces the idea of general modelling templates reflecting abstract views on system behaviour with respect to faults. These templates are used during system detalisation (re�finement) to capture the user's view on system external behaviour. Secondly, it proposes to use a library of concrete modelling patterns allowing developers to systematically integrate speci�c fault tolerance mechanisms (e.g. recovery blocks, checkpoints, exception handling) into the models. The proposed solutions are linked to the Event-B method and demonstrated using a case study.Ilya LopatkinIlya.Lopatkin@newcastle.ac.ukAlexei Iliasov"Alexei Iliasov" <Alexei.Iliasov@newcastle.ac.uk>Alexander Romanovskyalexander.romanovsky@ncl.ac.uk2010-02-16T12:51:17Z2010-04-19T15:06:00Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/207This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/2072010-02-16T12:51:17ZPatterns for Modelling Time and Consistency in Business Information SystemsMaintaining semantic consistency of data is a significant problem in distributed information systems, particularly those on which a business may depend. Our current work aims to use Event-B and the Rodin tools to support the specification and design of such systems in a way that integrates well into existing development processes. This paper presents Event-B patterns that may be used to represent recovery from timebounded inconsistency and illustrates their use in a model derived from industrial applications.Jeremy W. Bryansjeremy.bryans@ncl.ac.ukJohn S. Fitzgeraldjohn.fitzgerald@ncl.ac.ukAlexander Romanovskyalexander.romanovsky@ncl.ac.ukA. Roth2010-12-03T11:16:09Z2010-12-09T15:37:03Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/259This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/2592010-12-03T11:16:09ZPatterns for Refinement AutomationFormal modelling is indispensable for engineering highly dependable systems. However, a wider acceptance of formal methods is hindered by their insufficient usability and scalability. In this paper, we aim at assisting developers in rigorous modelling and design by increasing automation of development steps. We introduce a notion of refinement patterns – generic representations of typical correctness-preserving model transformations. Our definition of a refinement pattern contains a description of syntactic model transformations, as well as the pattern applicability conditions and proof obligations for verifying correctness preservation. This work establishes a basis for building a tool that would support formal system development via pattern reuse and instantiation. We present a prototype of such a tool and some examples of refinement patterns for automated development in the Event B formalism.Alexei Iliasov"Alexei Iliasov" <Alexei.Iliasov@newcastle.ac.uk>Elena TroubitsynaElena.Troubitsyna@abo.fiLinas LaibinisLinas.Laibinis@abo.fiAlexander Romanovskyalexander.romanovsky@ncl.ac.uk2010-01-11T08:48:50Z2010-04-19T15:05:59Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/172This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/1722010-01-11T08:48:50ZSupporting Reuse in Event B Development: Modularisation Approach
Recently, Space Systems Finland has undertaken formal Event B development of a part of on-board software for the BepiColombo space mission. As a result, lack of modularization mechanisms in Event B has been identified as a serious obstacle to scalability. One of the main benifits of modularization is that it allows us to decompose system models into components that can be independently developed. It also helps to manage complexity of models that in the industrial setting are usually very large and difficult to comprehend. On the other hand, modularization enables reuse of formally developed components in the formal product line development. In this paper we propose a conservative extension of Event B formalism to support modularization. We demonstrate how our approach can support reuse in the formal development in the space domain.
Alexei Iliasov"Alexei Iliasov" <Alexei.Iliasov@newcastle.ac.uk>Elena TroubitsynaElena.Troubitsyna@abo.fiLinas LaibinisLinas.Laibinis@abo.fiAlexander Romanovskyalexander.romanovsky@ncl.ac.ukKimmo VarpaaniemiDubravka IlicTimo Latvala2010-12-07T14:23:11Z2010-12-09T15:36:32Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/261This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/2612010-12-07T14:23:11ZTutorial on the Flow plugin for Event-BAlexei Iliasov"Alexei Iliasov" <Alexei.Iliasov@newcastle.ac.uk>2010-12-07T14:29:00Z2010-12-09T15:36:12Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/263This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/2632010-12-07T14:29:00ZTutorial on the modularization plugin for Event-BAlexei Iliasov"Alexei Iliasov" <Alexei.Iliasov@newcastle.ac.uk>2009-12-12T16:28:19Z2010-04-19T15:05:58Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/163This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/1632009-12-12T16:28:19ZPhD Thesis: Formal Construction of Instruction Set ArchitecturesThe Instruction Set Architecture (ISA) is that part of a computing machine visible for programming, including its native data types, instructions, registers, memory architecture, exception handling and external interfaces. The ISA also includes the specification of the machine’s native language: that is its instructions and their actions. This thesis proposes the use of the Event-B formal notation to construct a sequence of formal specifications applicable to a range of ISAs, by abstractly capturing their shared properties. Initial, very abstract, descriptions are refined by the incremental addition of greater detail, each increment providing a template for development of the next. The use of Event-B allows correctness, i.e. the preservation of the properties of the previous step, to be verified over successive refinements. This is achieved by the creation and proving of logical hypotheses, or proof obligations.
The process enables development of ISAs with predictable behaviour when executing both correct and erroneous programs, by identification of the precise preconditions required for successful execution of instructions, their resulting actions, and all possible error conditions. Application of property proving techniques allows for the formal verification of desirable properties.
A methodology is proposed for the incremental construction of the common elements of an ISA, and its features are discussed. The methodology is initially used to construct a generic description, which is then demonstrated by refinement to two representative ISAs capable of executing compiled C binary executables. The complete refinement process is demonstrated by the creation and testing of Virtual Machines automatically generated via novel translation tools.
Prior art has relied on the provision of single-layered descriptions of specific ISAs to enable formal verification of implementations, placing a burden of correctness on these specifications. This work contributes by the provision of a common context for correct derivation of these previously independant descriptions. The work introduces novel levels of abstraction to allow re-use on any sequential computing machine, provides a framework for the comparison of different ISAs relative to a single datum, and enables analysis of design options during the creation and extension of ISAs. Further contributions are the construction of multiple ISAs from a single abstract description, and the introduction of automatic source-code generation techniques to the Event-B method, which include features to assist in the development and test of useable ISAs.Stephen Wrightstephen.wright@bris.ac.uk2009-05-02T09:53:06Z2010-04-19T15:05:54Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/95This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/952009-05-02T09:53:06ZLanguage and Tool Support for Class and State Machine Refinement in UML-BMar Yah Saidmys05r@ecs.soton.ac.ukMichael Butlermjb@ecs.soton.ac.ukColin Snookcfs@ecs.soton.ac.uk2008-12-04T11:14:56Z2008-12-04T11:14:56Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/51This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/512008-12-04T11:14:56ZDecomposition Structures for Event-BMichael Butler2009-07-31T09:10:57Z2010-12-08T11:04:44Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/143This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/1432009-07-31T09:10:57ZA Code Generation Example for Event-B:
A Shared Channel with Concurrent Read/WritersWe present an example involving processes reading and writing to a shared channel. A channel may have at most one reader reading, and at most one writer writing at any one time; however a number of processes may be waiting to read from, or write to, the channel. In our most abstract model data is transferred as a block in a single atomic step. A write event constitutes moving a block from a writing process to a channel buffer; and a read event constitutes
moving a block from a channel buffer to a reader. The atomicity of the read and write activity is altered in the refinement - we introduce blocks that are made up of packets, and each packet is written to the channel individually. This allows the reader to begin reading as soon as there is data in the channel - without the
writer having to complete the data transfer. We continue with an overview of our implementation notation (OCB), and show the implementation level specification for the concurrent read/writers example. We then present details of the implementation level refinement that results from the translation of the OCB model into Event-B, and also show details of the source code generated by the Java translator.Andrew Edmundsae2@ecs.soton.ac.ukMichael Butlermjb@ecs.soton.ac.uk2009-06-06T10:52:07Z2010-04-19T15:05:54Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/110This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/1102009-06-06T10:52:07ZFormal Modelling and Analysis of Business Information Applications with Fault Tolerant MiddlewareDistributed information systems are critical to the functioning of many businesses; designing them to be dependable is a challenging but important task. We report our experience in using formal methods to enhance processes and tools for development of business information software based on service-oriented architectures. In our work, which takes place in an industrial setting, we focus on the configuration of middleware, verifying application-level requirements in the presence of faults. In pilot studies provided by SAP, we used the Event-B formalism and the open Rodin tools platform to prove properties of models of business protocols and expose weaknesses of certain middleware configurations with respect to particular protocols. We then extended the approach to use models automatically generated from diagrammatic design tools, opening the possibility of seamless integration with current development environments.
Increased automation in the verification process, through
domain-specific models and theories, is a goal for future
work.
KEYWORDS: Verification, Fault Modelling, Service-
Oriented Architectures, Event-B, Tool SupportJeremy W. BryansJeremy.Bryans@ncl.ac.ukJohn S. FitzgeraldJohn.Fitzgerald@ncl.ac.ukAlexander RomanovskyA.Romanovsky@ncl.ac.ukAndreas RothAndreas/Roth@sap.com2009-08-11T16:17:31Z2010-04-19T15:05:57Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/144This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/1442009-08-11T16:17:31ZOn Event-B and Control Flow
Event-B is a general purpose formal development method
suitable for the design and detailed development of safety-critical systems. Being a data-driven formalism, it lacks any control flow constructs. This turns out to be a limitation for systems with rich control flow properties. In Event-B, control flow information has to be embedded into
guards and event actions and this results in an entanglement of control flow and functional specification with the additional downside of extra model variables. This paper proposes a method for extending Event-B models with an new viewpoint portraying control flow properties of a
model. The novelty of the work is in relying solely on theorem proving to demonstrate the consistency of control flow and main Event-B specification. The focus is placed on the practicality of working with such an extension and also on achieving proof economy. A detailed formal
treatment of the method is presented and illustrated with a case study. A proof of concept implementation for the RODIN platform is briefly discussed.
Alexei Iliasov"Alexei Iliasov" <Alexei.Iliasov@newcastle.ac.uk>2009-01-19T10:50:44Z2009-01-19T10:50:44Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/68This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/682009-01-19T10:50:44ZDEPLOY: Industrial Deployment of Advanced System Engineering Methods for High Productivity and DependabilityAlexander Romanovskyalexander.romanovsky@ncl.ac.uk2008-07-11T13:09:31Z2010-04-19T15:05:50Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/27This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/272008-07-11T13:09:31ZDEPLOY: Industrial Deployment of Advanced System Engineering Methods for High Productivity and DependabilityAlexander Romanovskyalexander.romanovsky@ncl.ac.uk2008-07-04T10:17:26Z2010-04-19T15:05:50Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/26This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/262008-07-04T10:17:26ZOn the Purpose of Event-B Proof ObligationsEvent-B is a formal modelling method which is claimed to be suitable for diverse modelling domains, such as reactive systems and sequential program development. This claim hinges on the fact that any particular model has an appropriate semantics. In Event-B this semantics is provided implicitly by proof obligations associated with a model. There is no fixed semantics though. In this article we argue that this approach is beneficial to modelling because we can use similar proof obligations across a variety of modelling domains. By way of two examples we show how similar proof obligations are linked to different semantics. A small set of proof obligations is thus suitable for a whole range of modelling problems in diverse modelling domains.Stefan Hallerstedesth@ecs.soton.ac.uk2008-10-07T21:38:26Z2008-10-07T21:38:26Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/39This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/392008-10-07T21:38:26ZLinking Event-B and Concurrent Object-Oriented Programs Andrew EdmundsMichael Butler2008-05-16T14:51:33Z2008-05-16T14:51:33Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/24This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/242008-05-16T14:51:33ZTowards Rigorous Engineering of Resilient Pervasive SystemsWhile pervasive systems offer versatile computing environment, their complexity poses a significant challenge to their developers. Hence ensuring resilience
of pervasive systems is an important issue, which should be tackled by adopting rigorous design methods and systems approach. In this short paper we identify the key research directions in engineering pervasive resilient systems and our experience in rigorous development of a multi-agent application called Ambient Campus.Alexei Iliasov"Alexei Iliasov" <Alexei.Iliasov@newcastle.ac.uk>Linas LaibinisLinas.Laibinis@abo.fiAlexander Romanovskyalexander.romanovsky@ncl.ac.ukKaisa SereKaisa.Sere@abo.fiElena TroubitsynaElena.Troubitsyna@abo.fi2009-01-19T10:05:52Z2009-01-19T10:05:52Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/65This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/652009-01-19T10:05:52ZDEPLOY: industrial deployment of advanced system engineering methods for high productivity and dependabilityAlexander Romanovskyalexander.romanovsky@ncl.ac.uk2009-05-06T11:54:45Z2010-04-19T15:05:54Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/99This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/992009-05-06T11:54:45ZRefinement Patterns for Fault Tolerant SystemsThe paper puts forward the idea of using fault tolerance refinement patterns to assist system developers in disciplined application of software fault tolerance mechanisms in rigorous system design. Two patterns are proposed to support a correct introduction of recovery blocks and N-version programming into a system model; these are formally defined and their correctness proven. We also discuss several important issues involved in the use of these patterns in engineering systems, including tool support and pattern composition.design) as a major means for improving the quality of products.
Alexei Iliasov"Alexei Iliasov" <Alexei.Iliasov@newcastle.ac.uk>Alexander Romanovskyalexander.romanovsky@ncl.ac.uk2010-05-21T13:00:15Z2010-05-24T07:54:18Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/227This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/2272010-05-21T13:00:15ZA Lecture on modularisation method and plugin: Introduction and Parking Lot Case Studytraining material on modularisation in Event-BAlexei Iliasov"Alexei Iliasov" <Alexei.Iliasov@newcastle.ac.uk>2009-06-20T09:49:55Z2010-04-19T15:05:56Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/125This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/1252009-06-20T09:49:55ZApplying Event and Machine Decomposition to a Flash-Based Filestore in Event-BEvent-B is a formal method used for specifying and reasoning about
systems. Rodin is a toolset for developing system models in
Event-B. Our experiment which is outlined in this paper is aimed
at applying Event-B and Rodin to a flash-based filestore.
Refinement is a useful mechanism that allows developers to sharpen models step by step. Two uses of refinement, feature augmentation and structural refinement, were employed in our development. Event decomposition and machine decomposition are techniques on which we focus in this work. We present an outline of a verified refinement chain for the flash filestore. We also
outline evidence of the applicability of the method and tool
together with some guidelines.
Kriangsak Damchoomkd06r@ecs.soton.ac.ukMichael Butlermjb@ecs.soton.ac.uk2012-03-30T14:10:28Z2012-03-30T14:10:28Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/385This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/3852012-03-30T14:10:28ZAugmenting Event-B Modelling with Real-Time VerificationAbstract—A large number of dependable embedded systems
have stringent real-time requirements imposed on them. Analysis of their real-time behaviour is usually conducted at the implementation level. However, it is desirable to obtain an evaluation of real-time properties early at the development cycle, i.e., at the modelling stage. In this paper we present an approach to augmenting Event-B modelling with verification of real-time properties in Uppaal. We show how to extract a process-based view from an Event-B model that together with introducing time constraints allows us to obtain a timed automata model – an input model of Uppaal. We illustrate the approach by development and verification of the data processing software of the BepiColombo Mission.Alexei Iliasov"Alexei Iliasov" <Alexei.Iliasov@newcastle.ac.uk>Linas LaibinisLinas.Laibinis@abo.fiElena TroubitsynaElena.Troubitsyna@abo.fiAlexander Romanovskyalexander.romanovsky@ncl.ac.ukTimo Latvala2011-05-06T13:18:02Z2011-05-09T09:43:39Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/304This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/3042011-05-06T13:18:02ZEvent-B Project Archives, for Tasking Event-B TutorialAndrew Edmundsae2@ecs.soton.ac.uk2013-03-26T15:12:41Z2013-03-26T15:13:35Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/463This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/4632013-03-26T15:12:41ZFrameworks for developing Event-B modelling extensions in EMFThese Slides are intended for for plugin developers who wish to extend the Event-B notation using EMF modelling facilities. Diagrammatic editors are also supported. (Some of these slides were originally developed in the deploy project and have been extended during the Advance project)Colin SnookVitaly SavicksFabian FritzAlexei Illisaov2011-09-04T11:57:43Z2011-09-04T11:57:43Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/326This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/3262011-09-04T11:57:43ZFrom Formal Specification in Event-B to Probabilistic Reliability Assessment
Anton TarasyukAnton.Tarasyuk@abo.fiElena TroubitsynaElena.Troubitsyna@abo.fiLinas LaibinisLinas.Laibinis@abo.fi2010-12-03T15:11:00Z2010-12-09T15:36:52Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/260This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/2602010-12-03T15:11:00ZPresentation Slides - Tasking Event-B for Code GenerationAndrew Edmundsae2@ecs.soton.ac.ukMichael Butlermjb@ecs.soton.ac.uk2010-01-29T22:37:57Z2011-06-28T10:13:15Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/198This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/1982010-01-29T22:37:57ZProceedings of the First Deploy Technical WorkshopThe second DEPLOY annual plenary meeting was held from 21st to 23rd of October in Aix-en-Provence, France. The main difference with respect to the first meeting has been a significant amount of time dedicated to technical presentations of papers. We invited all the academic and industrial partners to submit papers about the work they were carrying on inside the DEPLOY project. The accepted submissions have been then organized in five different sessions, each regarding a DEPLOY relevant
topic, plus one for short papers. The structure of this document reflects exactly the structure of the workshop, each of the parts represents a workshop session:
1. Event-B and Extensions
2. Code Generation
3. Event-B Metrics and Tools
4. Model Checking
5. Business Information Systems
6. Short PapersMazzara Manuel 2009-09-21T15:42:14Z2010-04-19T15:05:57Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/152This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/1522009-09-21T15:42:14ZProof Assisted Model Checking for BThe archives contain the models for proof supported model checking. For detailed description see
Bendisposto, Leuschel: Proof Assisted Model Checking for B
Proceedings of International Conference on Formal Engineering
Methods (ICFEM 09), LNCS, to appear
1) pomc_paper.zip: Contains the model that is guaranteed to terminate, but assumes finite(STATES)
2) pomc paper-wo_termination.zip: Contains the model without the assumption, but does not guarantee terminationJens Bendispostobendisposto@cs.uni-duesseldorf.deMichael Leuschelleuschel@cs.uni-duesseldorf.de2009-07-08T15:31:36Z2010-04-19T15:05:56Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/134This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/1342009-07-08T15:31:36ZSpecifying Modal Systems using Event-BSeveral safety-critical systems, such as avionic, transportation and space systems, use the notion of operation modes. Operation modes are useful structuring units that facilitate design, specially if used with state-based formal methods. However, modelling abstractions to support the specification, analysis and correct construction of modal systems are still lacking. The contribution of this paper is twofold: (i) modal systems and modal systems refinement are discussed and formalized; (ii) the relation of a modal system specification with an Event-B model is discussed, showing how to demonstrate that the behaviour of an Event-B model can satisfy a modal system.Fernando DottiFernando Luis Dotti <fernando.dotti@pucrs.br>Alexei Iliasov"Alexei Iliasov" <Alexei.Iliasov@newcastle.ac.uk>Alexander Romanovskyalexander.romanovsky@ncl.ac.uk2009-10-14T10:25:46Z2010-04-19T15:05:58Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/159This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/1592009-10-14T10:25:46ZSupporting Reuse in Event B Development: Modularisation ApproachRecently, Space Systems Finland has undertaken formal Event B development of a part of on-board software for the BepiColombo space mission. As a result, lack of modularization mechanisms in Event B has been identified as a serious obstacle to scalability. One of the main benefit of modularization is that it allows us to decompose system models into components that can be independently developed. It also helps to manage complexity of models that in the industrial setting are usually very large and difficult to comprehend. On the other hand, modularization enables reuse of formally developed components in the formal product line development. In this paper we propose a conservative extension of Event B formalism to support modularization. We demonstrate how our approach can support reuse in the formal development in the space domain.
Alexei Iliasov"Alexei Iliasov" <Alexei.Iliasov@newcastle.ac.uk>Elena TroubitsynaElena.Troubitsyna@abo.fiLinas LaibinisLinas.Laibinis@abo.fiAlexander Romanovskyalexander.romanovsky@ncl.ac.ukKimmo VarpaaniemiDubravka IlicTimo Latvala