Results 11 - 20 of 27
Deriving Specifications of . . .
, 2009
This paper proposes a method for deriving formal specifications of systems. To accomplish this task we pass through a non-trivial number of steps, concepts and tools where the first one, the most important, is the concept of method itself, since we realized that computer science has a proliferation of languages but very few methods. We also propose the idea of Layered Fault Tolerant Specification (LFTS) to make the method extensible to Dependable Systems. The principle is layering the specification, for the sake of clarity, in (at least) two different levels, the first one for the normal behavior and the others (if more than one) for the abnormal. The abnormal behavior is described in terms of an Error Injector (EI) which represents a model of the erroneous interference coming from the environment. This structure has been inspired by the notion of idealized fault tolerant component, but the combination of LFTS and EI using rely-guarantee thinking to describe interference can be considered one of the main contributions of this work. The progress toward this method and the way to layer specifications has been made by experimenting on the Transportation and the Automotive Case Studies of the DEPLOY project.
An Emerging Domain Science -- A Rôle for Stanisław Leshniewski’s Mereology and Bertrand Russell’s . . .
- HIGHER-ORDER AND SYMBOLIC COMPUTATION, A SPRINGER JOURNAL
Domain engineers describe universes of discourse such as bookkeeping, the financial service industry, container shipping lines, logistics, oil pipelines, railways, etc. In doing so domain engineers have to decide on such issues as identification of that which is to be described; which of the describable phenomena and concepts are (to be described as) entities, operations, events, and which as behaviours; which entities are (to be described as) continuous, which are (...) discrete, which are (...) atomic, which are (...) composite, and what are the attributes of either and the mereology of composite entities, i.e., the way in which they are put together from sub-entities. For each of these issues and their composite presentation the domain engineer has to decide on levels of abstraction, what to include and what to exclude. In doing so the domain engineer thus has to have a firm grasp of, and a robust understanding and practice of, the very many issues of description: what can be described, identifying what is to be described, how to describe, description principles, description techniques, description tools and laws of description. This paper will outline the issues in the slanted type font.
Technical Report on Formalisation of the Heart using Analysis of Conduction Time and Velocity of the Electrocardiography and Cellular-Automata
, 2011
Abstract. Formal methods based tools and techniques have been recognised to be a promising approach to support the process of verification and validation of a critical system in the early stage of the development. Especially, medical devices are very prone to show an unexpected behavior of the system in operation due to the stochastic nature of the system and when a system uses traditional methods for system testing. Device-related problems are responsible for a large number of serious injuries. FDA officials have found that many deaths and injuries related to the devices are caused by product design and engineering flaws. Cardiac pacemakers and implantable cardioverter-defibrillators (ICDs) are the main critical medical devices, which require close-loop modeling (integration of system and environment modeling) for verification purposes to obtain a certificate from certification bodies. No technique is available to provide an environment modeling to verify the developed system model. This report presents a methodology to model a biological system, like the heart, for modeling a biological environment. The heart model is mainly based on electrocardiography analysis, which models the heart system at the cellular level. The main objective of this methodology is to model the heart system and integrate it with a medical device model like a cardiac pacemaker to specify a close-loop model. A close-loop model of an environment and a device is an open problem in the real world. Industries have been striving for such a kind of approach for a long time to validate a system model under a virtual biological environment. Our approach involves the pragmatic combination of formal specification of a system and a biological environment to model a close-loop system to verify the correctness of a system, and helps in quality improvement of the system.
Author manuscript, published in "Third NASA Formal Methods Symposium (2011)" DOI: 10.1007/978-3-642-20398-5_31 Scaling up with Event-B: A Case Study
, 2011
Abstract. The ability to scale up from toy examples to real life problems is a crucial issue for formal methods. Formalizing an algorithm used in vehicle automation (platooning control) in a certification perspective, we had the opportunity to study the scaling up when going from a (toy) model in 1D to a (more realistic) model in 2D. The formalism, Event-B, belongs to the family of mathematical state based methods. The increase was quantitative: 3 times more events and 4 times more proofs; and qualitative: trigonometric functions and integrals are used. Edition and verification of the specification scale up well. The crucial part of the work was the adaptation of the mathematical and physical model through standard heuristics. The validation of temporal properties and behaviors does not scale up so well. Analysis of the difficulties suggests improvements in both tool support and formalism.
Stepwise Validation of Formal Specifications
, 2011
Abstract—This paper explores the possibility to incorporate validation in the stepwise development process of formal specifications. Formal methods based on refinement break the intractable proof of the correctness of implementation into a sequence of many smaller proofs. Likewise, the validation of the specification could be broken into smaller steps associated with refinements with the technique of animation. Animating an abstract specification often requires altering it in ways such that proof obligations cannot be discharged anymore. So, we have developed a process and a set of transformation rules whose application produces an animatable specification which may be non-provable, but which is assured to have the same behavior. Guaranteeing behavioral preservation requires us to define an ad-hoc relationship between specifications based on a kind of trace semantics. Ten rules have been identified and proven to preserve behavior. Observations on the use of the technique on two case-studies are presented.
Keywords: Formal methods, B, Event-B, Validation, Animation
Author manuscript, published in "3rd workshop on Security and Reliability (SecDay'11) (2011)" Validation of Formal Specification: the Case for Animation
, 2011
Formal methods such as B [1] or Event-B [2] are designed around the idea that a piece of code can be “correct per construction.” They use the usual notion of correctness: the program is a mathematically proven implementation of the specification. They are good candidates for industrial use for two major reasons: they embody a development process, refinement, which breaks the notoriously difficult correctness proof into many small and manageable proof obligations, and they have effective tool support. Through the realization and the analysis of two important case-studies using Event-B in the area of transportation [6,5,8,9], we have discovered that proofs alone are not sufficient to produce “good” software: we also need to execute, i.e., to test, the software. Two main reasons justify this proposition. Some properties, notably temporal ones, are virtually impossible to model with constructs such as states, invariants, or events which Event-B provides us. We need to ensure that the specification is an adequate model of the problem we want to solve. Software must be verified and validated. Waiting to have an executable program to begin the validation leads to the same difficulties as proving a program against its specification: costly, very complex, soon
Generating Hierarchical State Based Representation From Event-B Models
- B 2011
Many properties of a system may not be obvious just by a quick inspection of the corresponding Event-B model. Users typically rely on animation, scenario analysis, and inspection of state transition graphs for discovering certain behavior of the system. We propose a methodology for generating a hierarchical representation of the system for visualising Event-B models. Our representation is succinct and it provides multiple views to aid in better comprehension of the Event-B models.
Keywords: Event-B, Model visualization, Hierarchical state based representation
Modeling, Verification and Testing of P Systems Using
Summary. In this paper we present an approach to modelling, verification and testing for cell-like P-systems based on Event-B and the Rodin platform. We present a general framework for modelling P systems using Event-B, which we then use to implement two P-system models in the Rodin platform. For each of the two models, we use the associated Pro-B model checker to verify properties and we present some of the results obtained.
Pacemaker’s Functional Behaviors in Event-B
Dominique Méry and Neeraj Kumar Singh
, 2009
Abstract. Test and Simulation are the only verification techniques used for any biomedical devices such as pacemaker systems, implantable cardioverter/defibrillators (ICDs) etc. The construction of formal models of Pacemaker systems is a considerable practical challenge. Formal modeling of an artificial Pacemaker system is a case study proposed by the software quality research laboratory at McMaster University in the Grand Challenge Initiative. Using an incremental proof-based approach, we model functionalities of the Pacemaker. The approach is illustrated by developing a new formal model of the cardiac pacemaker system. Our contribution in this report is to model the single electrode pacemaker system using Event-B and prove it. The incremental proof-based development is mainly driven by the refinement between an abstract model of the system and its detailed design through a series of refinements. A series of refinements progressively adds the functional and the timing properties to the abstract system-level specifications using some intermediate models. The properties express system architecture, action-reaction and timing behavior. This paper uses all possible operational modes of a single electrode Pacemaker system, which helps to develop better hardware. Every stage of refinement includes the detailed information about operating modes. The models are expressed in the Event-B modeling language and validated primarily by the ProB tool in different situations such as hysteresis and rate adapting pacing under real-time constraints. Each stage of refinement includes the detailed information, and more events are introduced. The final step of refinement completely localizes the events and is similar to an implementation of the single electrode pacemaker operating modes system. The stepwise refinement of the single electrode Pacemaker system contributes to achieving a high degree of automatic proof.