Dana Dghaym

Class diagrams for Abstract Data Types

We propose to extend iUML-B class-diagrams to elaborate Abstract Data Types (ADTs) specified using Event-B theories. Classes are linked to data types, while attributes and associations correspond to operators of the data types. Axioms about the data types and operators are specified as constraints on the class. We illustrate our approach on a development of a control system in the railway domain.

Formal Modelling Techniques for Efficient Development of Railway Control Products

We wish to model railway control systems in a formally precise way so that product lines can be adapted to specific customer requirements. Typically a customer is a railway operator with national conventions leading to different variation points based on a common core principle. A formal model of the core product must be precise and manipulatable so that different feature variations can be specified and verified without disrupting important properties that have already been established in the core product. Cyber-physical systems such as railway interlocking, are characterised by the combination of device behaviours resulting in an overall safe system behaviour. Hence there is a strong need for correct sequential operation with safety “interlocks” making up a process. We utilise diagrammatic modelling tools to make the core product more accessible to systems engineers. The RailGround example used to discuss these techniques is an open source model of a railway control system that has been made available by Thales Austria GmbH for research purpose, which demonstrates some fundamental modelling challenges.

A Graphical Tool for Event Refinement Structures in Event-B

The Event Refinement Structures ERS approach provides a graphical extension of the Event-B formal method to represent event decomposition and control-flow explicitly. In this paper we present an improved version of the ERS plug-in, which provides a graphical environment for the ERS approach within the Event-B tool, Rodin. The improved ERS plug-in is based on the available frameworks that are developed to support Event-B with an EMF framework, language extensions and generic diagram extensions.

Evaluation of graphical control flow management approaches for Event-B modelling

Integrating graphical representations with formal methods can help bridge the gap between requirements and formal modelling. In this paper, we compare and evaluate two graphical approaches aiming at describing control flows and refinement in Event-B, and we use a fire dispatch system case study to perform this evaluation. The fire dispatch system case study provides a good example of a complex workflow through which we try to identify a process that facilitates defining the structural and the behavioural parts of the Event-B model. In our case study, we focus on building the dynamic part of the model to evaluate the two diagrammatic notations: UML Activity Diagrams and Atomicity Decomposition Diagrams. Based on our evaluation, we try to identify the advantages and limitations of both approaches. Finally, we try to compare how both graphical notations can affect the Event-B formal modelling of our case study.

Diagram-Led Formal Modelling Using iUML-B for Hybrid ERTMS Level 3

We demonstrate diagrammatic Event-B formal modelling of a hybrid, ‘fixed virtual block’ approach to train movement control for the emerging European Rail Traffic Management System (ERTMS) level 3. We perform a refinement-based formal development and verification of the no-collision safety requirement. The development reveals limitations in the specification and identifies assumptions on the environment. We reflect on our team-based approach to finding useful modelling abstractions and demonstrate a systematic modelling method using the UML-like state and class diagrams of iUML-B. We suggest enhancements to the existing iUML-B method that would have benefitted this development.

Extending the ERS approach for workflow modelling in Event-B

The Event Refinement Structures (ERS) approach augments the Event-B formal method with hierarchical diagrams, providing explicit support for control fow and refinement relationships. ERS was originally designed to decompose the atomicity of the events in Event-B and later enriched with control flow combinators. Combining graphical workflow approaches with formal methods has been a subject of interest in both industry and academia, resulting in a diversity of approaches. In this thesis, we present an approach for workflow modelling that addresses both control flow and data handling. ERS is used for control flow, while Event-B mathematical notation supports the data handling. This separation simplifies the modelling by avoiding an extensive number of patterns, though separation does not mean the independence of control flow from data handling. The dependency is achieved by the ERS semantics, which are acquired by transforming the diagrams to Event-B. This combination not only benefits from the verification capabilities of Event-B and the graphical nature of ERS, but also supports incremental modelling through refinement and hierarchy. Our studies resulted in extending the ERS approach to support more flexible behaviour like unbounded replication and exception handling. Unbounded replication is needed when the number of instances of a flow to be executed is unknown and additional instances can be initiated during execution. We also enhance some of the existing ERS combinators such as the loop. We validate our approach and extensions by applying them to two complex work flows, the fire dispatch system and the travel agency booking system. Finally, we extend the ERS formal language with new translation rules to support our new ERS extensions. We formally define the new translation rules of ERS to Event-B, using the Augmented Backus-Naur Form (ABNF), to be easily integrated in the ERS plug-in. The ERS plug-in is a tool providing automatic generation of part of the Event-B model representing types and sequencing. We also evaluate the ERS combinators in control flow modelling against already published criteria.