Deploy Repository: No conditions. Results ordered Title. 2018-01-17T12:22:40ZEPrintshttp://deploy-eprints.ecs.soton.ac.uk/images/sitelogo.gifhttp://deploy-eprints.ecs.soton.ac.uk/2009-07-31T09:10:57Z2010-12-08T11:04:44Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/143This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/1432009-07-31T09:10:57ZA Code Generation Example for Event-B:
A Shared Channel with Concurrent Read/WritersWe present an example involving processes reading and writing to a shared channel. A channel may have at most one reader reading, and at most one writer writing at any one time; however a number of processes may be waiting to read from, or write to, the channel. In our most abstract model data is transferred as a block in a single atomic step. A write event constitutes moving a block from a writing process to a channel buffer; and a read event constitutes
moving a block from a channel buffer to a reader. The atomicity of the read and write activity is altered in the refinement - we introduce blocks that are made up of packets, and each packet is written to the channel individually. This allows the reader to begin reading as soon as there is data in the channel - without the
writer having to complete the data transfer. We continue with an overview of our implementation notation (OCB), and show the implementation level specification for the concurrent read/writers example. We then present details of the implementation level refinement that results from the translation of the OCB model into Event-B, and also show details of the source code generated by the Java translator.Andrew Edmundsae2@ecs.soton.ac.ukMichael Butlermjb@ecs.soton.ac.uk2010-01-12T10:11:26Z2010-01-12T10:11:26Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/181This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/1812010-01-12T10:11:26ZAbstraction is all we've got: auxiliary variables considered harmful.Cliff B JonesCliff.Jones@ncl.ac.uk2010-01-12T10:11:20Z2010-01-12T10:11:20Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/180This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/1802010-01-12T10:11:20ZAn outline of a proposed system that learns from experts how to discharge proof obligations automatically. Alan BundyGudmund GrovCliff B JonesCliff.Jones@ncl.ac.uk2012-07-23T11:09:11Z2012-07-23T11:09:11Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/435This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/4352012-07-23T11:09:11ZAnimation of UML-B State-machinesAnimation is important because it allows the modeller to validate that a model behaves as intended. Visualisation of animations assists the modeller in making this assessment. UML-B is a visual 'front-end' to the Event-B notation and includes a state-machine diagram editor. Here we describe a new plug-in which, using the Pro-B model checker as animation engine, provides animation of UML-B state-machine diagrams. Multiple diagrams can be animated simultaneously so that the behaviour of refinements and/or nested state-machines can be explored. Vitaly SavicksColin SnookMichael Butler2009-09-07T08:16:40Z2010-04-19T15:05:57Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/146This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/1462009-09-07T08:16:40ZApplying Model Checking to Generate Model-based Integration Tests from Choreography ModelsChoreography models describe the communication protocols
between services. Testing of service choreographies is an important task for the
quality assurance of service-based systems as used e.g. in the context of
service-oriented architectures (SOA). The formal modeling of service
choreographies enables a model-based integration testing (MBIT) approach.
We present MBIT methods for our service choreography modeling approach
called Message Choreography Models (MCM). For the model-based testing of
service choreographies, MCMs are translated into Event-B models and used as
input for our test generator which uses the model checker ProB.S. WieczorekV. KozyuraA. RothMichael Leuschelleuschel@cs.uni-duesseldorf.deJens BendispostoDaniel Plaggeplagge@cs.uni-duesseldorf.deI. Schieferdecker2009-01-16T15:02:01Z2010-04-19T15:05:52Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/63This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/632009-01-16T15:02:01ZBosch switch mini-pilotMichael Butler2012-07-23T11:02:33Z2012-07-23T11:02:33Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/433This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/4332012-07-23T11:02:33ZClass and State Machine Refinement in UML-B UML-B is a ’UML-like’ graphical front end for Event-B. It adds support for object oriented modeling concepts while visually retaining the Event-B
modeling concepts. In the continuity of the work on UML-B, we strengthen its
refinement concepts. Development in Event-B is done through refinements of an
abstract model. Since Event-B is reflected in UML-B, the abstraction-refinement
concepts must also be catered for in UML-B. UML-B introduced the new concept of refinement, where model complexity is managed by introducing more
detailed versions of a machine. We extend this refinement concept by introducing
the notion of refined classes and refined state machines. A refined class is one that
refines a more abstract class and a refined state machine is one that refines a more
abstract state machine. The UML-B drawing tool and Event-B translator are extended to support the refinement concepts. A case study of an auto teller machine
(ATM) is presented to demonstrate the notion of refined classes and refined state
machines.Mar Yah SaidMichael ButlerColin Snook2009-09-07T11:30:33Z2009-09-07T11:30:33Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/147This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/1472009-09-07T11:30:33ZCounterexamples in Probabilistic LTL Model Checking for Markov Chains.Matthias SchmalzDaniele VaraccaHagen Völzer2008-12-04T11:14:56Z2008-12-04T11:14:56Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/51This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/512008-12-04T11:14:56ZDecomposition Structures for Event-BMichael Butler2010-02-05T10:35:54Z2010-02-05T10:35:54Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/205This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/2052010-02-05T10:35:54ZDeveloping Topology Discovery in Event-BWe present a formal development in Event-B of a distributed topology discovery algorithm. Distributed topology discovery is at the core of several routing algorithms and is the problem of each node in a network discovering and maintaining information on the network topology. One of the key challenges is specifying the problem itself. Our specification includes both safety properties, formalizing invariants that should hold in all system states, and liveness properties that characterize when the system reaches stable states. We establish these by appropriately combining proofs of invariant preservation, event refinement, event convergence, and deadlock freedom. The combination of these features is novel and should be useful for formalizing and developing other kinds of semi-reactive systems, which are systems that react to, but do not modify, their environment.Thai Son Hoanghtson@inf.ethz.chHironobu KurumaDavid Basinbasin@inf.ethz.chJean-Raymond Abrialjabrial@inf.ethz.ch2010-02-05T09:55:00Z2010-02-05T09:55:00Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/203This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/2032010-02-05T09:55:00ZDeveloping topology discovery in Event-BWe present a formal development in Event-B of a distributed topology discovery algorithm. Distributed topology discovery is at the core of several routing algorithms and is the problem of each node in a network discovering and maintaining information on the network topology. One of the key challenges in developing this algorithm is specifying the problem itself. We provide a specification that includes both safety properties, formalizing invariants that should hold in all system states, and liveness properties that characterize when the system reaches stable states. We prove these properties by appropriately combining proofs of invariants, event refinement, event convergence, and deadlock freedom. The combination of these features is novel and should be useful for formalizing and developing other kinds of semi-reactive systems, which are systems that react to, but do not modify, their environment. Our entire development has been formalized and machine checked using the Rodin tool.Thai Son Hoanghtson@inf.ethz.chHironobu KurumaDavid Basinbasin@inf.ethz.chJean-Raymond Abrialjabrial@inf.ethz.ch2009-02-11T15:00:58Z2010-04-19T15:05:53Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/82This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/822009-02-11T15:00:58ZDevelopment of a Network Topology Discovery AlgorithmThai Son Hoanghtson@inf.ethz.chDavid Basinbasin@inf.ethz.chHironobu KurumaJean-Raymond Abrialjabrial@inf.ethz.ch2010-01-12T10:11:11Z2010-11-27T16:19:08Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/184This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/1842010-01-12T10:11:11ZElucidating concurrent algorithms via layers of abstraction and reification.Cliff B JonesCliff.Jones@ncl.ac.ukKen G Piercek.g.pierce@ncl.ac.uk2009-06-03T23:23:26Z2010-04-19T15:05:54Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/109This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/1092009-06-03T23:23:26ZEvent Model DecompositionJean-Raymond Abrialjabrial@inf.ethz.ch2010-02-05T10:29:56Z2010-02-05T10:29:56Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/204This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/2042010-02-05T10:29:56ZEvent-B Patterns and Their Tool SupportEvent-B has given developers the opportunity to construct models of complex systems which are correct by construction. However, there is no systematic approach, especially in terms of reusing, which could help with the construction of these models. We introduce the notion of design patterns within the framework of Event-B to shorten this gap. Our approach preserves the correctness of the models which is critical in formal methods and also reduces the proving effort. Within our approach, an Event-B design pattern is just another model devoted to the formalisation of a typical sub-problem. As a result, we can use patterns to construct a model which can subsequently be used as a pattern to construct a larger model. We also present the interaction between developers and the future tool support within the associated Rodin Platform of Event-B. The approach has been applied successfully in some medium-size industrial case studies.Thai Son Hoanghtson@inf.ethz.chAndreas Fürstandreas.fuerst@inf.ethz.chJean-Raymond Abrialjabrial@inf.ethz.ch2009-07-14T17:21:23Z2010-04-19T15:05:56Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/136This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/1362009-07-14T17:21:23ZEvent-B Project BepiColombo_Models_v5.0A model of BepiColombo SIXS (Solar Intensity X-ray Spectrometer) / MIXS (Mercury Imaging X-ray Spectrometer) OBSW (On-Board SoftWare) requirements. An improvement with respect to all older WP3 pilot models.Dubravka IlicKimmo Varpaaniemi2010-01-03T12:30:33Z2010-04-19T15:05:59Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/165This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/1652010-01-03T12:30:33ZEvent-B Project Modes_v2Åbo Akademi's Event-B model of a simplified variant of "DEPLOY Satellite".Linas LaibinisLinas.Laibinis@abo.fiElena TroubitsynaElena.Troubitsyna@abo.fi2009-04-20T09:10:23Z2009-04-20T09:10:23Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/94This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/942009-04-20T09:10:23ZFault Tolerant Middleware for Agent Systems: A Refinement ApproachAgent technology offers a number of advantages over traditional distributed systems, such as asynchronous communication, anonymity of individual agents and ability to change operational context. However, it is notoriously difficult to ensure dependability of agent systems. In this paper we present a formal approach for the top-down development of fault tolerant middleware for agent systems. We demonstrate how to develop the middleware that besides providing agent coordination is also able to cope with their failures. We focus on handling agent crushes and transient faults caused by volatile communication environment. We argue that formal development of middleware with integrated fault tolerance mechanisms has potential to enhance dependability of an agent system.Linas LaibinisLinas.Laibinis@abo.fiElena TroubitsynaElena.Troubitsyna@abo.fiAlexei Iliasov"Alexei Iliasov" <Alexei.Iliasov@newcastle.ac.uk>Alexander Romanovskyalexander.romanovsky@ncl.ac.uk2012-07-23T10:58:28Z2012-07-23T10:58:28Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/432This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/4322012-07-23T10:58:28ZFeature composition - towards product lines of Event-B modelsEvent-B is a formal language for modelling reactive systems, based on set theory and first-order logic. The RODIN toolkit provides comprehensive tool support for modelling and renement in Event-B, analysis and verification using animator/model-checkers and theorem provers. We consider the need to support reuse, in particular product line reuse, in such a formal development method. Feature modelling is an established technique for reuse in product lines. We introduce concepts of feature modelling and composition in Event-B to support the reuse of formal models and developments. A prototype feature composition tool has been developed (as a RODIN plug-in) for Event-B, based on the Eclipse Modelling Framework (EMF). Using an MDD philosophy, the tool extends the Event-B language meta-model to a composition meta model, and implements prototype composition patterns for Event-B features. Thus, a required composite model can be constructed by selecting, specializing, and composing input features in a defined way. The tool is the first step towards full feature modelling for product line model reuse for Event-B. We describe future work required to meet this goal.Ali GondalMike PoppletonColin Snook2010-01-08T09:47:17Z2010-04-19T15:05:59Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/169This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/1692010-01-08T09:47:17ZFormal Methods in Industry: The State of Practice of Formal Methods in South America and Far EastThe use of formal methods has constantly increased, al- though with basically two constraints: their use has been concentrated mostly in Europe, their Mother land and they have been used only by big companies which are in charge to develop some kind of safety critical applications, what, in a first look seems correct. The aim of this paper is to present the usage stage of formal methods in other parts of the world, mainly South America, and Far East. A personal comparison of some formal method tools, namely: Atelier B[1], RODIN[2], and SCADE[3]is also presented. The comparison methodology is based on three different points of view: capability, I mean, how these tools can satisfy project constraints, usability, basically, what’s the difficulty the user faces when trying to use the tool, and adequacy to the current development pro- cess.This work describes also real applications in industry, sometimes not the formal method usage itself, but how the formal method culture can drasticaly helps on the development process. Finally, some of the gaps in industry wishes that could be fulfilled by some applications are sorted.Aryldo G Russo Jragrj@aes.com.br2009-10-25T17:48:19Z2010-04-19T15:05:58Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/161This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/1612009-10-25T17:48:19ZFormal Methods: Practice and ExperienceFormal methods use mathematical models for analysis and verification at any part of the program life-cycle. We describe the state of the art in the industrial use of formal methods, concentrating on their increasing use at the earlier stages of specification and design. We do this by reporting on a new survey of industrial use, comparing the situation in 2009 with the most significant surveys carried out over the last 20 years. We describe some of the highlights of our survey by presenting a series of industrial projects, and we draw some observations from these surveys and records of experience. Based on this, we discuss the issues surrounding the industrial adoption of formal methods. Finally, we look to the future and describe the development of a Verified Software Repository, part of the worldwide Verified Software Initiative. We introduce the initial projects being used to populate the repository, and describe the challenges they address.Jim WoodcockJim.Woodcock@cs.york.ac.ukPeter Gorm Larsenpgl@iha.dkJuan Bicarreguijuan.bicarregui@stfc.ac.ukJohn S. Fitzgeraldjohn.fitzgerald@ncl.ac.uk2009-06-06T10:52:07Z2010-04-19T15:05:54Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/110This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/1102009-06-06T10:52:07ZFormal Modelling and Analysis of Business Information Applications with Fault Tolerant MiddlewareDistributed information systems are critical to the functioning of many businesses; designing them to be dependable is a challenging but important task. We report our experience in using formal methods to enhance processes and tools for development of business information software based on service-oriented architectures. In our work, which takes place in an industrial setting, we focus on the configuration of middleware, verifying application-level requirements in the presence of faults. In pilot studies provided by SAP, we used the Event-B formalism and the open Rodin tools platform to prove properties of models of business protocols and expose weaknesses of certain middleware configurations with respect to particular protocols. We then extended the approach to use models automatically generated from diagrammatic design tools, opening the possibility of seamless integration with current development environments.
Increased automation in the verification process, through
domain-specific models and theories, is a goal for future
work.
KEYWORDS: Verification, Fault Modelling, Service-
Oriented Architectures, Event-B, Tool SupportJeremy W. BryansJeremy.Bryans@ncl.ac.ukJohn S. FitzgeraldJohn.Fitzgerald@ncl.ac.ukAlexander RomanovskyA.Romanovsky@ncl.ac.ukAndreas RothAndreas/Roth@sap.com2009-01-24T18:35:27Z2010-04-19T15:05:52Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/78This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/782009-01-24T18:35:27ZFrameworks for designing and implementing dependable systems using Coordinated Atomic Actions: A comparative study
Alfredo CapozuccaNicolas GuelfiPatrizio PelliccioneAlexander Romanovskyalexander.romanovsky@ncl.ac.ukAvelino Zorzo2009-04-20T09:35:14Z2010-04-19T15:05:53Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/91This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/912009-04-20T09:35:14ZFrom Goal-Oriented Requirements to Event-B SpecificationsIn goal-oriented requirements engineering methodologies, goals are structured into refinement
trees from high-level system-wide goals down to fine-grained requirements assigned to specific software/
hardware/human agents that can realise them. Functional goals assigned to software agents
need to be operationalised into specification of services that the agent should provide to realise those
requirements. In this paper, we propose an approach for operationalising requirements into specifications
expressed in the Event-B formalism. Our approach has the benefit of aiding software designers
by bridging the gap between declarative requirements and operational system specifications in a rigorous
manner, enabling powerful correctness proofs and allowing further refinements down to the
implementation level. Our solution is based on verifying that a consistent Event-B machine exhibits
properties corresponding to requirements.Benjamin Azizbenjamin.aziz@stfc.ac.ukAlvaro Arenasalvaro.arenas@stfc.ac.ukJuan Bicarreguijuan.bicarregui@stfc.ac.ukChristophe Ponsardchristophe.ponsard@cetic.bePhilippe Massonetphilippe.massonet@cetic.be2009-09-21T10:00:35Z2010-04-19T15:05:57Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/151This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/1512009-09-21T10:00:35ZGoal-Oriented Requirements Engineering in
Action in the Transportation SectorThis report presents the goal-oriented approach to engineer high-quality requirements. Starting from informally structured textual requirements, this report illustrates
some of the benefits of using a goal-oriented approach in terms of guarantee of completeness, consistency, reasoning on the system boundaries, identifying the responsibilities and dealing with potential conflicts. This report
is mainly on semi-formal notations but it also shortly considers the formalization process. It is consistently illustrated on the first simplified pilot problem
developed by the transportation sector during the DEPLOY project and known as "mini-pilot".Renaud Delandtsheerrenaud.delandtsheer@cetic.beChristophe Ponsardchristophe.ponsard@cetic.be2009-03-25T17:08:38Z2010-04-19T15:05:53Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/88This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/882009-03-25T17:08:38ZImproving reliability of cooperative concurrent systems with exception flow analysisDevelopers of fault-tolerant distributed systems need to guarantee that fault tolerance mechanisms they
build are in themselves reliable. Otherwise, these mechanisms might in the end negatively affect overall
system dependability, thus defeating the purpose of introducing fault tolerance into the system. To
achieve the desired levels of reliability, mechanisms for detecting and handling errors should be developed
rigorously or formally. We present an approach to modeling and verifying fault-tolerant distributed
systems that use exception handling as the main fault tolerance mechanism. In the proposed approach, a
formal model is employed to specify the structure of a system in terms of cooperating participants that
handle exceptions in a coordinated manner, and coordinated atomic actions serve as representatives of
mechanisms for exception handling in concurrent systems. We validate the approach through two case
studies: (i) a system responsible for managing a production cell, and (ii) a medical control system. In both
systems, the proposed approach has helped us to uncover design faults in the form of implicit assumptions
and omissions in the original specifications.Fernando Castor FilhoAlexander Romanovskyalexander.romanovsky@ncl.ac.ukCecilia Rubira2009-10-25T17:47:31Z2010-04-19T15:05:58Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/160This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/1602009-10-25T17:47:31ZIndustrial Practice in Formal Methods: a ReviewWe examine the the industrial application of formal methods
using data gathered in a review of 62 projects taking place over the last 25 years. The review suggests that formal methods are being applied in a wide range of application domains, with increasingly strong tool support. Significant challenges remain in providing usable tools that can be integrated into established development processes; in education and training; in taking formal methods from first use to second use, and in gathering and evidence to support informed selection of methods and tools.J. C. BicarreguiJuan.Bicarregui@stfc.ac.ukJ. S. FitzgeraldJohn.Fitzgerald@ncl.ac.ukP. G. Larsenpgl@iha.dkJ. C. P. WoodcockJim.Woodcock@cs.york.ac.uk2009-05-02T09:53:06Z2010-04-19T15:05:54Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/95This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/952009-05-02T09:53:06ZLanguage and Tool Support for Class and State Machine Refinement in UML-BMar Yah Saidmys05r@ecs.soton.ac.ukMichael Butlermjb@ecs.soton.ac.ukColin Snookcfs@ecs.soton.ac.uk2012-07-23T11:05:24Z2012-07-23T11:05:24Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/434This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/4342012-07-23T11:05:24ZLanguage and tool support for class and state machine refinement in UML-BUML-B is a ?UML-like? graphical front end for Event-B that provides support for object-oriented modelling concepts. In particular, UML-B supports class diagrams and state machines, concepts that are not explicitly supported in plain Event-B. In Event-B, refinement is used to relate system models at different abstraction levels. The same abstraction-refinement concepts can also be applied in UML-B. This paper introduces the notions of refined classes and refined state machines to enable refinement of classes and state machines in UML-B. Together with these notions, a technique for moving an event between classes to facilitate abstraction is also introduced. Our work makes explicit the structures of class and state machine refinement in UML-B. The UML-B drawing tool and Event-B translator are extended to support the new refinement concepts. A case study of an auto teller machine (ATM) is presented to demonstrate application and effectiveness of refined classes and refined state machines.Mar Yah SaidMichael ButlerColin Snook2010-01-12T10:11:30Z2010-01-12T10:11:30Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/179This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/1792010-01-12T10:11:30ZLearning from experts to aid the automation of proof search.Alan BundyGudmund GrovCliff B JonesCliff.Jones@ncl.ac.uk2010-01-21T09:21:33Z2010-04-19T15:06:00Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/190This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/1902010-01-21T09:21:33ZLocal Enforceability and Inconsumable Messages in Choreography ModelsChoreography models describe the communication protocols between services. Every choreography model can be considered either from a global or from a local point of view. The global model specifies a high-level view of the conversation between service components, and can be considered as being interpreted from an observer point of view. The local model is derived from the global model, and specifies the communication-relevant behavior of each component. The connection between global and local models is achieved differently by connecting observing steps with either the send steps or with the receive steps. The consistency of the global model and the local model can be assured by the local enforceability property: any behavior that the local model permits is also possible to observe in the global model.
Another important property of choreography models requires the absence of inconsumable messages, i.e., any messages ready to be received may always be received. In this paper, we study the relations between local enforceability and inconsumable messages in case that the local model is obtained from the global model without modification or
further constraints. As a part of the conclusions, we show that if a choreography model is free of inconsumable messages, it is also local enforceable no matter how the global model is connected with the local one.
This is a desired result because the mechanical checking of
inconsumable messages is much more efficient than that of local enforceability. In case of finite state systems one can check the absence of inconsumable messages in a linear time in the size of the local model, whereas checking local enforceability has an exponential complexity.Vitaly KozyuraAndreas RothWei Wei2009-04-01T16:20:41Z2009-04-03T08:47:51Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/89This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/892009-04-01T16:20:41ZMethods, Models and Tools for Fault ToleranceMichael ButlerCliff B JonesCliff.Jones@ncl.ac.ukAlexander Romanovskyalexander.romanovsky@ncl.ac.ukElena TroubitsynaElena.Troubitsyna@abo.fi2009-06-06T10:51:41Z2010-04-19T15:05:53Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/84This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/842009-06-06T10:51:41ZMIDAS: A Formally Constructed Virtual MachineMIDAS (Microprocessor Instruction and Data Abstraction System) is a specification of an Instruction Set Architecture (ISA) capable of executing binary images compiled from the C language. It was developed to demonstrate a methodology for formal construction of various ISAs in Event-B via a generic model. It is intended to be representative of typical microprocessor ISAs, but using a minimal number of defined instructions, in order to make complete refinement practical. The intention is to simplify the number and complexity of the defined instructions at the cost of compiler complexity, run-time performance and code density, without compromising representativeness. There are two variants: a stack-based machine and a randomly accessible register array machine. The two variants employ the same instruction codes, the differences being limited to register file behavior.Stephen Wrightstephen.wright@bris.ac.uk2009-09-22T07:20:12Z2010-04-19T15:05:57Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/153This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/1532009-09-22T07:20:12ZModal Systems: Specification, Refinement and Realisation
Operation modes are useful structuring units that facilitate design of several safety-critical systems such as such as avionic, transportation and space systems. Although some support to the construction of modal systems can be found in the literature, modelling abstractions for the formal specification, analysis and correct construction of modal systems are still lacking. This paper discusses existing support for the construction of modal systems and proposes both a formalisation and a refinement notion for modal systems. A modal system, specified using the proposed abstractions, can be realised using different specification languages. Complementing the contribution, we define the requirements for an Event-B model to realise a modal system specification. A case study illustrates the proposed approach.
Fernando DottiFernando Luis Dotti <fernando.dotti@pucrs.br>Alexei Iliasov"Alexei Iliasov" <Alexei.Iliasov@newcastle.ac.uk>Leila RiberiroAlexander Romanovskyalexander.romanovsky@ncl.ac.uk2009-08-11T16:17:31Z2010-04-19T15:05:57Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/144This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/1442009-08-11T16:17:31ZOn Event-B and Control Flow
Event-B is a general purpose formal development method
suitable for the design and detailed development of safety-critical systems. Being a data-driven formalism, it lacks any control flow constructs. This turns out to be a limitation for systems with rich control flow properties. In Event-B, control flow information has to be embedded into
guards and event actions and this results in an entanglement of control flow and functional specification with the additional downside of extra model variables. This paper proposes a method for extending Event-B models with an new viewpoint portraying control flow properties of a
model. The novelty of the work is in relying solely on theorem proving to demonstrate the consistency of control flow and main Event-B specification. The focus is placed on the practicality of working with such an extension and also on achieving proof economy. A detailed formal
treatment of the method is presented and illustrated with a case study. A proof of concept implementation for the RODIN platform is briefly discussed.
Alexei Iliasov"Alexei Iliasov" <Alexei.Iliasov@newcastle.ac.uk>2009-12-12T16:28:19Z2010-04-19T15:05:58Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/163This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/1632009-12-12T16:28:19ZPhD Thesis: Formal Construction of Instruction Set ArchitecturesThe Instruction Set Architecture (ISA) is that part of a computing machine visible for programming, including its native data types, instructions, registers, memory architecture, exception handling and external interfaces. The ISA also includes the specification of the machine’s native language: that is its instructions and their actions. This thesis proposes the use of the Event-B formal notation to construct a sequence of formal specifications applicable to a range of ISAs, by abstractly capturing their shared properties. Initial, very abstract, descriptions are refined by the incremental addition of greater detail, each increment providing a template for development of the next. The use of Event-B allows correctness, i.e. the preservation of the properties of the previous step, to be verified over successive refinements. This is achieved by the creation and proving of logical hypotheses, or proof obligations.
The process enables development of ISAs with predictable behaviour when executing both correct and erroneous programs, by identification of the precise preconditions required for successful execution of instructions, their resulting actions, and all possible error conditions. Application of property proving techniques allows for the formal verification of desirable properties.
A methodology is proposed for the incremental construction of the common elements of an ISA, and its features are discussed. The methodology is initially used to construct a generic description, which is then demonstrated by refinement to two representative ISAs capable of executing compiled C binary executables. The complete refinement process is demonstrated by the creation and testing of Virtual Machines automatically generated via novel translation tools.
Prior art has relied on the provision of single-layered descriptions of specific ISAs to enable formal verification of implementations, placing a burden of correctness on these specifications. This work contributes by the provision of a common context for correct derivation of these previously independant descriptions. The work introduces novel levels of abstraction to allow re-use on any sequential computing machine, provides a framework for the comparison of different ISAs relative to a single datum, and enables analysis of design options during the creation and extension of ISAs. Further contributions are the construction of multiple ISAs from a single abstract description, and the introduction of automatic source-code generation techniques to the Event-B method, which include features to assist in the development and test of useable ISAs.Stephen Wrightstephen.wright@bris.ac.uk2009-09-09T07:52:36Z2010-04-19T15:05:57Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/148This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/1482009-09-09T07:52:36ZPie Tree VisualizationVisualizing graphs with a large number of edges and vertices can be cumbersome and ineffective. This is due to the presence of countless overlapping arrows, which makes a graph unclear and hard to understand and interpret by a human. The aim of this paper is to try to address this problem using a new concept of data visualization, namely pie tree visualization. We illustrate this technique on the module architecture of a real-life development from the project Deploy. We first describe pie tree visualization, and then, present its advantages.Mireille SamiaMichael Leuschelleuschel@cs.uni-duesseldorf.de2008-02-12T21:54:40Z2010-04-19T15:05:49Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/11This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/112008-02-12T21:54:40ZRodin Manual and Language DefinitionJean-Raymond AbrialChristophe MetayerLaurent Voisin2009-07-21T14:14:31Z2010-04-19T15:05:56Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/137This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/1372009-07-21T14:14:31ZRodin User and Developer Workshop 2009 - Extended AbstractsMichael Butlermjb@ecs.soton.ac.ukStefan HallerstedeLaurent Voisin2009-07-02T12:34:50Z2010-04-19T15:05:56Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/130This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/1302009-07-02T12:34:50ZRodin: An Open Toolset for Modelling and Reasoning in Event-BEvent-B is a formal method for system-level modelling and
analysis. Key features of Event-B are the use of
set theory as a modelling notation, the use of refinement to
represent systems at different abstraction levels and the use of
mathematical proof to verify consistency between refinement
levels. In this article we present the Rodin modelling tool that
seamlessly integrates modelling and proving.
We outline how the Event-B language was designed to facilitate proof
and how the tool has been designed to support changes to models
while minimising the impact of changes on existing proofs.
We outline the important features of the prover architecture and
explain how well-definedness is treated.
The tool is extensible and configurable so that it can
be adapted more easily to different application domains and
development methods.Jean-Raymond AbrialMichael Butlermjb@ecs.soton.ac.ukStefan Hallerstedesth@ecs.soton.ac.ukThai Son Hoanghtson@inf.ethz.chFarhad MehtaLaurent Voisin2009-07-13T11:09:14Z2010-04-19T15:05:56Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/133This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/1332009-07-13T11:09:14ZSAL, Kodkod, and BDDs for Validation of B Models. Lessons and Outlook.PROB is a model checker for high-level B and Event-B models based on constraint-solving. In this paper we investigate alternate approaches for validating high-level B models using alternative techniques and tools based on using BDDs, SAT-solving and SMT-solving. In particular, we examine whether PROB can be complemented or even supplanted by using one of the tools BDDBDDB, Kodkod or SAL.Daniel Plaggeplagge@cs.uni-duesseldorf.deMichael Leuschelleuschel@cs.uni-duesseldorf.deIlya LopatkinIlya.Lopatkin@newcastle.ac.ukAlexei IliasovAlexei.Iliasov@newcastle.ac.ukAlexander RomanovskyAlexander.Romanovsky@newcastle.ac.uk2009-04-01T16:27:01Z2010-04-19T15:05:53Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/90This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/902009-04-01T16:27:01ZStep-wise Development of Resilient Ambient Campus ScenariosThis paper puts forward a new approach to developing resilient ambient applications. In its core is a novel rigorous development method supported by a formal theory that enables us to produce a well-structured step-wise design and to ensure disciplined integration of error
recovery measures into the resulting implementation. The development method, called AgentB, uses the idea of modelling database to support a coherent development of and reasoning about several model views, including the variable, event, role, agent and protocol views. This helps system developers in separating various modelling concerns and makes it easier for future tool developers to design a toolset supporting this development. Fault tolerance is systematically introduced during the development of various model views. The approach is demonstrated through the development of several application scenarios within an ambient campus case study conducted at Newcastle University (UK) as part of the FP6 RODIN project.Alexei Iliasov"Alexei Iliasov" <Alexei.Iliasov@newcastle.ac.uk>Budi AriefAlexander Romanovskyalexander.romanovsky@ncl.ac.uk2009-05-27T20:31:51Z2010-04-19T15:05:54Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/105This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/1052009-05-27T20:31:51ZStructuring Specifications with ModesThe two dependability means considered in this paper are rigorous design and fault tolerance. It can be complex to rigorously design some classes of systems, including fault tolerant ones, therefore appropriate abstractions are needed to better support system modelling and analysis. The abstraction proposed in this paper for this purpose is the notion of operation mode. Modes are formalised and their relation to a state-based formalism in a refinement approach is established. The use of modes for fault tolerant systems is then discussed and a case study presented. Using modes in state-based modelling allows us to improve system structuring, the elicitation of system assumptions and expected functionality, as well as requirement traceability.Alexei Iliasov"Alexei Iliasov" <Alexei.Iliasov@newcastle.ac.uk>Fernando DottiFernando Luis Dotti <fernando.dotti@pucrs.br>Alexander Romanovskyalexander.romanovsky@ncl.ac.uk2010-01-27T17:28:27Z2010-01-27T17:28:27Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/195This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/1952010-01-27T17:28:27ZSupporting Reuse of Event-B Developments through Generic InstantiationRenato SilvaMichael Butler2010-01-12T10:10:59Z2010-04-19T15:05:59Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/185This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/1852010-01-12T10:10:59ZThe role of auxiliary variables in the formal development of concurrent programs.Cliff B JonesCliff.Jones@ncl.ac.uk2009-05-28T16:20:05Z2010-04-19T15:05:54Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/108This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/1082009-05-28T16:20:05ZTowards a Cookbook for Modelling and Refinement of Control ProblemsMichael Butlermjb@ecs.soton.ac.uk2009-05-27T20:48:29Z2010-04-19T15:05:54Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/106This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/1062009-05-27T20:48:29ZTowards Automated Refinement: Patterns in Event B Formal modelling is indispensable for engineering highly dependable systems. However, a wider acceptance of formal methods is hindered by their insufficient usability and scalability. In this paper, we aim at assisting developers in rigorous modelling and design by increasing automation of development steps. We introduce a notion of refinement patterns – generic representations of typical correctness-preserving model transformations. Our definition of a refinement pattern contains a description of syntactic model transformations, as well as the pattern applicability conditions and proof obligations for verification of correctness preservation. This establishes a basis for building a tool supporting formal system development via pattern reuse and instantiation. We present a prototype of such a tool and some examples of refinement patterns for automated development in the Event B formalism.
Alexei Iliasov"Alexei Iliasov" <Alexei.Iliasov@newcastle.ac.uk>Elena TroubitsynaElena.Troubitsyna@abo.fiLinas LaibinisLinas.Laibinis@abo.fiAlexander Romanovskyalexander.romanovsky@ncl.ac.uk2009-05-28T15:30:52Z2010-04-19T15:05:54Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/107This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/1072009-05-28T15:30:52ZUsing Event-B Refinement to Verify a Control StrategyIn this paper we outline some on-going research on approximating continuous
behaviour in Event-B in order to model and reason about a control system.
We make a distinction between a control goal and a control strategy.
We outline how both can be modelled and how refinement can be used to
prove that a strategy satisfies a goal.Michael Butlermjb@ecs.soton.ac.uk2009-09-07T08:06:16Z2010-04-19T15:05:57Zhttp://deploy-eprints.ecs.soton.ac.uk/id/eprint/145This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/1452009-09-07T08:06:16ZViewpoints for Modeling Choreographies in Service-Oriented ArchitecturesComponent integration plays a decisive role in
service-oriented architectures (SOAs). The technical
implementation must faithfully reflect business and
enterprise integration requirements. This implies a
good understanding of the globally observable
message choreography but also of how messages are
handled by the involved components and by the SOA
middleware. In this paper we present a solution to the
problem of keeping global and local viewpoints in
synchronization via a common message choreography
metamodel. As main contribution we shape various
interpretations of global choreographies, which were
left unspecified in state-of-the-art choreography
approaches. We have implemented a message
choreography modeling (MCM) environment
incorporating these contributions. MCM seamlessly
complements existing models at SAP. We show how
service integration experts, architects, and testers can
benefit from our approach that enables model-based
integration testing and model verification facilities.S. WieczorekA. RothA. StefanescuV. KozyuraA. CharfiF. M. KraftI. Schieferdecker