Elena Troubitsyna

Supporting reuse in event b development: modularisation approach

Recently, Space Systems Finland has undertaken formal Event B development of a part of the on-board software for the BepiColombo space mission. As a result, lack of modularisation mechanisms in Event B has been identified as a serious obstacle to scalability. One of the main benefits of modularisation is that it allows us to decompose system models into components that can be independently developed. It also helps to manage complexity of models that in the industrial setting are usually very large and difficult to comprehend. On the other hand, modularisation enables reuse of formally developed components in the formal product line development. In this paper we propose a conservative extension of Event B formalism to support modularisation. We demonstrate how our approach can support reuse in the formal development in the space domain.

Methods, Models and Tools for Fault Tolerance

Introducing a new hobby for other people may inspire them to join with you. Reading, as one of mutual hobby, is considered as the very easy hobby to do. But, many people are not interested in this hobby. Why? Boring is the reason of why. However, this feel actually can deal with the book and time of you reading. Yeah, one that we will refer to break the boredom in reading is choosing methods models and tools for fault tolerance as the reading material.

Fault tolerance in a layered architecture: a general specification pattern in B

Dependable control systems are usually complex and prone to errors of various natures. Such systems are often built in a modular and layered fashion. To guarantee system dependability, we need to develop software that is not only fault-free but also is able to cope with faults of other system components. In this paper we propose a general formal specification pattern that can be recursively applied to specify fault tolerance mechanisms at each architectural layer. Iterative application of this pattern via stepwise refinement in the B method results in development of a layered fault tolerant system correct by construction. We demonstrate the proposed approach by an excerpt from a realistic case study - development of liquid handling workstation Fillwell.

Patterns for Representing FMEA in Formal Specification of Control Systems

Failure Modes and Effects analysis (FMEA) is a widely used technique for inductive safety analysis. FMEA provides engineers with valuable information about failure modes of system components as well as procedures for error detection and recovery. In this paper we propose an approach that facilitates representation of FMEA results in formal Event-B specifications of control systems. We define a umber of patterns for representing requirements derived from FMEA in formal system model specified in Event-B. The patterns help the developers to trace the requirements from safety analysis to formal specification. Moreover, they allow them to increase automation of formal system development by refinement. Our approach is illustrated by an example - a sluice control system.

Formal development of reactive fault tolerant systems

Usually complex systems are controlled by an operator co-operating with a computer-based controller. The controlling software runs in continuous interaction with the operator and constantly reacts on operators interruptions by dynamically adapting system behaviour. Simultaneously it catches the exceptions signalling about errors in the system components and performs error recovery. Since interruptions are asynchronous signals they might concurrently co-exist and conflict with exceptions. To ensure dependability of a dynamically adaptable system, we propose a formal approach for resolving conflicts and designing robust interruption and exception handlers. We present a formal specification pattern for designing components of layered control systems that contain interruption and exception handlers as an intrinsic part of the specification. We demonstrate how to develop a layered control system by recursive application of this pattern.

Towards probabilistic modelling in event-B

Event-B provides us with a powerful framework for correct-by-construction system development. However, while developing dependable systems we should not only guarantee their functional correctness but also quantitatively assess their dependability attributes. In this paper we investigate how to conduct probabilistic assessment of reliability of control systems modeled in Event-B. We show how to transform an Event-B model into a Markov model amendable for probabilistic reliability analysis. Our approach enables integration of reasoning about correctness with quantitative analysis of reliability.

Refinement of Fault Tolerant Control Systems in B

Application of formal methods helps us to gain confidence in building correct software. On the other hand, to guarantee dependability of the overall system we need to build fault tolerant software, i.e., software which is not only fault-free but also is able to cope with faults of other system components. Obviously, this goal is attainable only if fault tolerance mechanisms constitute an intrinsic part of software behaviour. In this paper we propose a formal approach to model-driven development of fault tolerant control systems. We demonstrate how to integrate fault tolerance into the automated refinement process in the B method. The proposed approach is exemplified by a case study – a derivation of safe and fault tolerant controller of a heating system.

Formal Development of Critical Multi-agent Systems: A Refinement Approach

Multi-agent systems (MAS) are increasingly used in critical applications. To ensure dependability of MAS, we need powerful development techniques that would allow us to master complexity inherent to MAS and formally verify correctness and safety of collaborative agent activities. In this paper we present a development of hospital MAS by refinement in Event-B. We demonstrate that Event-B allows the developers to rigorously specify complex agent interactions and verify their correctness and safety.

Elicitation and Specification of Safety Requirements

In this paper we demonstrate how to derive software requirements from system safety analysis in such a way that they could be easily captured in a software specification. We propose an integral approach for incorporating results of fault tree analysis (FTA) and failure mode and effect analysis (FMEA) into the requirements specification. In our approach statecharts facilitate construction of a control system and serve as a basis for structuring and integrating results of FTA and FMEA. The use of statecharts as a communication media between safety and software engineers assists the process of requirements discovery. The approach is illustrated by excerpts from the development of realistic industrial system - the liquid handling workstation Fillwelltrade.

Developing mode-rich satellite software by refinement in Event-B

One of the guarantees that the designers of on-board satellite systems need to provide, so as to ensure their dependability, is that the mode transition scheme is implemented correctly, i.e. that the states of system components are consistent with the global system mode. There is still, however, a lack of scalable approaches to developing and verifying systems with complex mode transitions. This paper presents an approach to the formal development of mode-rich systems by refinement in Event-B. We formalise the concepts of modes and mode transitions as well as deriving specification and refinement patterns which support correct-by-construction system development. The proposed approach is validated by a formal development of the Attitude and Orbit Control System (AOCS) undertaken within the ICT DEPLOY project. The experience gained in the course of developing such a complex industrial system as AOCS, shows that Event-B refinement provides the engineers with a scalable formal technique. Moreover, the case study has demonstrated that Event-B can facilitate formal development of mode-rich systems and, in particular, proof-based verification of their mode consistency.