Peter Gorm Larsen

The IFAD VDM-SL toolbox: a practical approach to formal specifications

The IFAD VDM SL Toolbox is a collection of tools for formal speci cations development using the latest version of the VDM SL standard In addition to the full language it also supports a module based structur ing mechanism for large speci cations The Toolbox features extensive semantics checking documentation support test coverage analysis and debugging support We have focused on supporting real life speci cations development in industrial settings This paper presents the Toolbox and also reports on our own experience us ing it for the development of large speci cations

The overture initiative integrating tools for VDM

Overture is a community-based initiative that aims to develop a common open-source platform integrating a range of tools for constructing and analysing formal models of systems using VDM. The mission is to both provide an industrial-strength tool set for VDM and also to provide an environment that allows researchers and other stakeholders to experiment with modifications and extensions to the tools and language. This paper presents the current status and future vision of the Overture project.

Modeling and validating distributed embedded real-time systems with VDM++

The complexity of real-time embedded systems is increasing, for example due to the use of distributed architectures. An extension to the Vienna Development Method (VDM) is proposed to address the problem of deployment of software on distributed hardware. The limitations of the current notation are discussed and new language elements are introduced to overcome these deficiencies. The impact of these changes is illustrated by a case study. A constructive operational semantics is defined in VDM++ and validated using VDMTools. The associated abstract formal semantics, which is not specific to VDM, is presented in this paper. The proposed language extensions significantly reduce the modeling effort when describing distributed real-time systems in VDM++ and the revised semantics provides a basis for improved tool support.

Systems of Systems Engineering: Basic Concepts, Model-Based Techniques, and Research Directions

The term “System of Systems” (SoS) has been used since the 1950s to describe systems that are composed of independent constituent systems, which act jointly towards a common goal through the synergism between them. Examples of SoS arise in areas such as power grid technology, transport, production, and military enterprises. SoS engineering is challenged by the independence, heterogeneity, evolution, and emergence properties found in SoS. This article focuses on the role of model-based techniques within the SoS engineering field. A review of existing attempts to define and classify SoS is used to identify several dimensions that characterise SoS applications. The SoS field is exemplified by a series of representative systems selected from the literature on SoS applications. Within the area of model-based techniques the survey specifically reviews the state of the art for SoS modelling, architectural description, simulation, verification, and testing. Finally, the identified dimensions of SoS characteristics are used to identify research challenges and future research areas of model-based SoS engineering.

Features of CML: A formal modelling language for Systems of Systems

We discuss the initial design for CML, the first formal language specifically designed for modelling and analysing Systems of Systems (SoSs). It is presented through the use of an example: an SoS of independent telephone exchanges. Its overall behaviour is first specified as a communicating process: a centralised telephone exchange. This description is then refined into a network of telephone exchanges, each handling a partition of the set of subscribers (telephone users). The refinement is motivated by a non-functional requirement to minimise the cabling required to connect geographically distributed subscribers, who are clustered. The exchanges remain as independent systems with respect to their local subscribers, whose service is unaffected by the loss of remote exchanges.

An overview of the ISO/VDM-SL standard

VDM-SL, the notation incorporated in the formal method VDM, is currently being standardized under auspices of the International Standards Institution (ISO) and the British Standards Institution (BSI). It is one of the few formal languages of which the syntax and the semantics have been completely formally defined. In this paper we present an overview of the standard, including a report on the current status of the standardization effort.

Vienna Development Method

The Vienna Development Method (VDM) is one of the longest established model-oriented formal methods for the development of computer-based systems and software. It consists of a group of mathematically well-founded languages and tools for expressing and analyzing system models during early design stages, before expensive implementation commitments are made. The construction and analysis of the model help to identify areas of incompleteness or ambiguity in informal system specifications, and to provide some level of confidence that a valid implementation will have key properties, especially those of safety or security. VDM has a strong record of industrial application, in many cases by practitioners who are not specialists in the underlying formalism or logic. Experience with the method suggests that the effort expended on formal modeling and analysis can be recovered in reduced rework costs that develop from design errors. Keywords: vienna development method; VDM-SL; system modeling; model validation; proof obligations; validation conjectures; tool support

An Executable Subset of Meta-IV with Loose Specification

In ESPRIT project no. EP5570 called IPTES1 a methodology and a supporting environment for incremental prototyping of embedded computer systems is developed. As a part of this prototyping tool an interpreter for an executable subset of a VDM dialect is developed. Based on a comparative study of different notations inspired by VDM we have now selected an executable subset of the BSI/VDM-SL2 notation. This executable subset is interesting because it enables the designer to use loose specification. None of the executable VDM dialects which we have investigated contain as large a part of looseness as our subset does. In this article we will focus mainly on which constructs we have in this subset and how we have dealt with the looseness. Furthermore we will sketch the connection between the semantics of our subset and the semantics for the full BSI/VDM-SL.

Combinatorial Testing for VDM

Combinatorial testing in VDM involves the automatic generation and execution of a large collection of test cases derived from templates provided in the form of trace definitions added to a VDM specification. The main value of this is the rapid detection of run-time errors caused by forgotten preconditions as well as broken invariants and post-conditions. Trace definitions are defined as regular expressions describing possible sequences of operation calls, and are conceptually similar to UML sequence diagrams. In this paper we present a tool enabling test automation based on VDM traces, and explain how it is possible to reduce large collections of test cases in different ways. Its use is illustrated with a small case study.

A Formal Semantics of Data Flow Diagrams

This paper presents a formal semantics of data flow diagrams as used in Structured Analysis, based on an abstract model for data flow transformations. The semantics consists of a collection of VDM functions, transforming an abstract syntax representation of a data flow diagram into an abstract syntax representation of a VDM specification. Since this transformation is executable, it becomes possible to provide a software analyst/designer with two ‘views’ of the system being modelled: a graphical view in terms of a data flow diagram, and a textual view in terms of a VDM specification. In this paper emphasis is on the motivation for the choices made in the transformation. The main aspects of the transformation itself are described using annotated VDM functions with some examples.