European Industrial use of - PowerPoint PPT Presentation
1
European Industrial use of Formal Methods
Dr Peter Gorm Larsen
IFAD A/S, Forskerparken 10A, DK-5230 Odense M, Denmark
www.ifad.dk
2
European Industrial use of FM
  • European Academia
  • FME Profile
  • The ESPRIT Programme
  • European Tool Support
  • Example Industrial Projects
  • Concluding Remarks

3
European Academia
  • Tradition with Abstract Models
  • Focus on Formal Development
  • US focus on Automatic Verification
  • FM taught at most European Universities
  • Spreading from the UK
  • Strong push from EU academia for standards of FM

4
What are Formal Methods?
  • Formal Methods refers to the use of techniques
    from logic and discrete mathematics in the
    specification, design and development of computer
    systems and software.
  • Mastering of complexity using abstraction.
  • Reduce argumentation to a calculation which can
    be checked by mechanical means.
  • Replace reviews with a repeatable analysis.
  • Formal methods can be used at different levels of
    rigour.

5
Classes of Formal Methods
  • Model-based approaches (VDM, Z, B)
  • Algebraic approaches (Act One, Larch, OBJ)
  • Process algebras (CSP, CCS)
  • Logic-based approaches (RTL, TLA)
  • Reactive approaches (Petri-nets, SDL, SAO)
  • Combinations like RAISE (VDM + CSP) and LOTOS
    (Act One + CCS).
  • ISO standards for VDM, Z, LOTOS and ITU standard
    for SDL
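
As an added illustration of the model-based style listed above (VDM, Z, B) and of the earlier slide's point that formal methods reduce an argument to a calculation a machine can check, here is a constructed Python example; it is not code from the presentation or from IFAD's tools. A toy electronic purse is written as a state model with an invariant and an operation with explicit pre- and post-conditions, and a small exhaustive explorer checks the invariant over every reachable state. The purse domain and the names `Purses`, `inv`, `pre_transfer`, `pre_transfer_weak`, `post_transfer`, `transfer` and `check_model` are all assumptions made for this example.

```python
"""Model-based specification (VDM/Z/B style) checked by exhaustive exploration.

Constructed example: a toy purse model, not code from the slides or from
any formal-methods tool.  State = one balance per purse; the invariant
says no purse is overdrawn and total value is conserved; Transfer has a
pre-condition and a post-condition.  check_model applies every enabled
Transfer to every reachable state and reports the first invariant
violation, which is the "argument reduced to a calculation" idea.
"""
from dataclasses import dataclass
from itertools import product
from typing import Callable, Optional, Tuple


@dataclass(frozen=True)
class Purses:
    """Model state: balances[i] is the value held by purse i (constructed)."""
    balances: Tuple[int, ...]


def inv(state: Purses, total: int) -> bool:
    """State invariant: no purse overdrawn and total value conserved."""
    return all(b >= 0 for b in state.balances) and sum(state.balances) == total


def pre_transfer(state: Purses, src: int, dst: int, amount: int) -> bool:
    """Pre-condition of Transfer as the specification intends it."""
    return src != dst and 0 < amount <= state.balances[src]


def pre_transfer_weak(state: Purses, src: int, dst: int, amount: int) -> bool:
    """Weaker pre-condition with the funds check omitted (assumed design slip,
    the kind of gap a proof obligation or a model check is meant to expose)."""
    return src != dst and amount > 0


def post_transfer(old: Purses, new: Purses, src: int, dst: int, amount: int) -> bool:
    """Post-condition: src loses exactly `amount`, dst gains it, others unchanged."""
    return all(
        new.balances[i] == old.balances[i]
        - (amount if i == src else 0)
        + (amount if i == dst else 0)
        for i in range(len(old.balances))
    )


def transfer(state: Purses, src: int, dst: int, amount: int) -> Purses:
    """Operation body; the post-condition is checked on every call."""
    bal = list(state.balances)
    bal[src] -= amount
    bal[dst] += amount
    new = Purses(tuple(bal))
    if not post_transfer(state, new, src, dst, amount):
        raise RuntimeError("post-condition of Transfer violated")
    return new


def check_model(initial: Purses, max_amount: int,
                pre: Callable[[Purses, int, int, int], bool]) -> Optional[Purses]:
    """Exhaustively apply every Transfer enabled by `pre` to every reachable
    state.  Returns the first state that breaks the invariant, or None if
    the invariant is preserved throughout the (finite) reachable space."""
    total = sum(initial.balances)
    n = len(initial.balances)
    seen, frontier = {initial}, [initial]
    while frontier:
        state = frontier.pop()
        for src, dst, amount in product(range(n), range(n), range(1, max_amount + 1)):
            if not pre(state, src, dst, amount):
                continue  # operation not enabled in this state
            new = transfer(state, src, dst, amount)
            if not inv(new, total):
                return new  # counterexample: invariant broken
            if new not in seen:
                seen.add(new)
                frontier.append(new)
    return None


if __name__ == "__main__":
    start = Purses((5, 3))  # constructed initial state, total value 8
    print("intended pre-condition:", check_model(start, 4, pre_transfer))
    print("weakened pre-condition:", check_model(start, 4, pre_transfer_weak))
```

With the intended pre-condition the explorer returns `None` (no reachable state breaks the invariant); with the weakened one it returns the first overdrawn state, which is the counterexample a reviewer would otherwise have to find by hand. The two runs show the slide's "different levels of rigour": the same model can be animated, exhaustively checked on a small state space, or proved in general.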

6
European Industrial use of FM
  • European Academia
  • FME Profile
  • The ESPRIT Programme
  • European Tool Support
  • Example Industrial Projects
  • Concluding Remarks

7
FME Mission
  • FME = Formal Methods Europe
  • Stimulate the use of formal methods by industry.
  • Promote international co-operation among
    researchers and users of formal methods.
  • Exchange ideas, identify common interests.
  • Provide links between research and application
    areas.

8
FME (VDM) Conferences
  • Brussels, Belgium (1987) LNCS 252
  • Dublin, Ireland (1988) LNCS 328
  • Kiel, Germany (1990) LNCS 428
  • Noordwijkerhout, Netherlands (1991) LNCS 551/2
  • Odense, Denmark (1993) LNCS 670
  • Barcelona, Spain (1994) LNCS 873
  • Oxford, UK (1996) LNCS 1051
  • Graz, Austria (1997) LNCS 1313
  • Toulouse, France (1999) LNCS 1708/9
  • Berlin, Germany (2001) LNCS 2021
  • Copenhagen, Denmark (2002) LNCS ??

9
FME Projects
  • FMERail (using FM in the railway domain)
    http://www.ifad.dk/Projects/fmerail.htm
  • FMEIndSem (industrial seminars)
    http://www.ifad.dk/Projects/FMEIndSem/fmeindsem.htm
  • FMEInfRes (information resources)
    http://www.ifad.dk/Projects/fmeinfres.htm
    • Databases for publications, tools and
      applications!
  • FMGuides (FM guidelines, web/video)
    http://www.ifad.dk/Projects/fmguides.htm

10
FME Board
  • John Fitzgerald (Transitive Technologies, Chair)
  • Nico Plat (West Consulting, Secretary)
  • Kees Pronk (Delft University of
    Technology, Treasurer)

11
FME Legal Status
  • Non-profit organisation
  • 'Vereniging' under Dutch Law,
  • Formally located in Delft, The Netherlands
  • Organize bi-annual conference
  • Meetings approximately 4 times a year
  • Subgroups
    • Education
    • Marketing
    • Scope
    • Symposium

12
FME Membership
  • Ordinary members: approx. 100
  • Institutional members
  • Membership fee
  • Membership advantages: network
  • Find us at http://www.fmeurope.org/
  • Participation is not restricted to EU members
  • Please become an active member!

13
European Industrial use of FM
  • European Academia
  • FME Profile
  • The ESPRIT Programme
  • European Tool Support
  • Example Industrial Projects
  • Concluding Remarks

14
The ESPRIT Programme
  • European Strategic Programme on Research on
    Information Technology
  • Supported financially by the European Union
  • Started in 1984
  • Several large multi-annual programmes in different
    phases
  • Cordis URL: http://www.cordis.lu/ist/

15
Different Levels of Research
  • Long-term research
  • Research and pre-competitive development
  • Trial projects
  • Best practice projects

16
METEOR and VIP
  • METEOR: An Integrated Formal Approach to
    Industrial Software Development
  • VIP: VDM Interfaces for PCTE
  • Both examples of projects with no effect
    afterwards!

17
RAISE and LACOS
  • RAISE: Rigorous Approach to Industrial Software
    Engineering
  • LACOS: Large-Scale Correct Systems Using Formal
    Methods
  • Has had an effect afterwards
  • Now main development at UNU/IIST
  • Industrial application: Ørsted satellite

18
IPTES
  • IPTES: Integrated Development Environment for
    Embedded Real-Time Systems
  • Prime: IFAD
  • Partners (10) including VTT (SF), PdM (I),
    MARI (UK), CEA (F), TID (E)
  • Basis for VDM-SL Toolbox

19
AFRODITE
  • AFRODITE: Applying Formal Methods to Real-Size
    Object-Oriented Designs in Technical Environments
  • Prime: Cap Gemini, The Netherlands
  • Partners (9) including Helintec (GR), CERN (CH),
    Manchester Uni (UK), Lloyds Register (UK)
  • Basis for VDM++ Toolbox

20
INFORMA
  • INFORMA: Integrated Formal Approaches for
    Embedded Real-time Systems
  • Prime: IFAD
  • Partners (6) including Ansaldo (I), OSS (DK),
    PdM (I), SSG (F)
  • Tool extensions including
    • Java code generator
    • Rose-VDM mapper
  • Extensions and improvements of VDM

21
VICE
  • VICE: VDM Specification In a Constrained
    Environment
  • Prime: Matra BAe Dynamics, France
  • Tool extensions including
    • Support for real-time
    • Parallel interpreter
  • Extensions and improvements of VDM

22
PROSPER
  • Proof and Specification Assisted Design
    Environments
  • Prime: Glasgow University, UK
  • Partners (6) including Cambridge Uni (UK), Prover
    Technology (S), Edinburgh Uni (UK)
  • Long-term Research
  • Proof support for IFAD VDM-SL Toolbox
  • Engineer from RTRI for two years

23
European Industrial use of FM
  • European Academia
  • FME Profile
  • The ESPRIT Programme
  • European Tool Support
  • Example Industrial Projects
  • Concluding Remarks

24
European Tool Support
  • VDMTools from IFAD
  • Atelier-B from Stéria Méditerranée
  • B-Toolbox from B-Core
  • FDR from Formal Systems Europe
  • NP Tools from Prover Technology
  • Telelogic Tau from Telelogic
  • Lots of prototype/academic tools

25
VDMTools
  • Company: IFAD, Denmark
  • Main users: Boeing, BAe, GAO, Chess
  • Notations: VDM-SL and VDM++
  • A suite of professional software development
    tools for modelling, validation and code
    generation
  • Rose-VDM++ link
  • VDM-SL / VDM++ tools
  • C++ / Java code generators

26
Atelier-B
  • Company: Stéria Méditerranée, France
  • Main users: Matra, Alstom
  • Notations: B
  • Professional development tools for modelling,
    refinement and proof
  • Automatic proof support
  • Formal refinement support
  • Limited code generation to C

27
B-Toolbox
  • Company: B-Core, UK
  • Main users: IBM
  • Notations: B
  • Professional development tools for modelling,
    some proof and code generation
  • Very small organisation
  • Some proof support
  • Limited code generation to C

28
FDR
  • Company: Formal Systems Europe, UK
  • Main users: DERA
  • Notations: CSP
  • Professional development tools for model-checking
    CSP descriptions
  • Very small organisation
  • Automatic model-checking

29
NP Tools
  • Company: Prover Technology, Sweden
  • Main users: Swedish Railways, Intel
  • Notations: Logic
  • Professional development tools for model-checking
    first-order propositional logic
  • Automatic model-checking
  • Low level descriptions

30
Telelogic Tau
  • Company: Telelogic, Sweden
  • Main users: Telecom companies
  • Notations: SDL, MSC, UML
  • Professional development tools for modelling and
    validating SDL descriptions
  • Professional user interface
  • Monopoly in telecom sector
  • Rather low level

31
European Industrial use of FM
  • European Academia
  • FME Profile
  • The ESPRIT Programme
  • European Tool Support
  • Example Industrial Projects
  • Concluding Remarks

32
Example Industrial Projects
  • DDC Ada Compiler
  • CICS
  • Sizewell B
  • Transputer
  • Airbus CIDS
  • CDIS
  • SACEM
  • Météor
  • SHOLIS
  • Mondex smart card
  • ConForm
  • DustExpert
  • CAVA
  • Dutch DoD
  • BPS 1000
  • Flower Auction
  • SPOT4
  • K-LINE
  • VDMTools/MUSTER

33
DDC Ada Compiler (197X)
  • Organisation: DDC (Denmark)
  • Domain: Compiler
  • Tools: VDM notation
  • Experience
    • First European validated Ada compiler
    • Cheaper than without FM
    • No verification or validation
    • Tools are lacking

34
CICS (198X)
  • Organisation: IBM (UK)
  • Domain: Transaction Processing
  • Tools: Z notation
  • Experience
    • Reduction in development cost 9%
    • Code developed from Z had 2½ times fewer problems
    • Parsing and type-checking tools increased
      productivity

35
Sizewell B (198X)
  • Organisation: TACS, UK
  • Domain: Nuclear
  • Tools: Malpas
  • Experience
    • 100000 lines of code
    • Formal verification at source code
    • About 200 man years of effort!
    • Still favourable compared to retesting

36
Transputer
  • Organisation: INMOS, UK
  • Domain: Processor with floating-point hardware
  • Tools: Z notation
  • Experience
    • IEEE standard formalised in Z
    • occam code derived from Z
    • Many algorithm errors discovered
    • Commercial success
    • Queen's Award for Technological Achievement

37
Airbus CIDS (199X)
  • Organisation: DST, Germany
  • Domain: Avionics
  • Tools: DST-Z (Kiel Uni prototype)
  • Experience
    • Uncovered many logical errors
    • Straightforward to implement from Z
    • Test case derivation initiated

38
CDIS (199X)
  • Organisation: Praxis, UK
  • Domain: Air Traffic Control
  • Tools: VDM and CCS notations
  • Experience
    • No net cost in using formal methods
    • Quality of the software was much higher
    • Defect rate of about 0.75 faults per KLOC
    • Tools from VIP too prototypic

39
SACEM (198X)
  • Organisation: GEC Alsthom, France
  • Domain: Railways (Paris RER)
  • Tools: B-Toolkit (early version)
  • Experience
    • Formal refinement in B
    • Verification but no animation
    • Same price as for non-FM development
    • Tools improved during project
    • High customer satisfaction

40
Météor (199X)
  • Organisation: Matra Transport, France
  • Domain: Railways (Paris Metro)
  • Tools: Atelier-B
  • Experience
    • Cost savings for safety-critical software
    • Formal refinements
    • Formal verification
    • Tools improved during project

41
SHOLIS (199X)
  • Organisation: Praxis (UK) for Lockheed's C-130J
  • Domain: Avionics (Military, Helicopter)
  • Tools: SPARK and CADiZ
  • Experience
    • Z specification verification efficient
    • SPARK code verification less efficient
    • Better tool support needed

42
Mondex Smart Card (1999)
  • Organisation: LOGICA, UK
  • Domain: Smart card for e-finance
  • Tools: Z notation
  • Experience
    • Big security risk of financial loss
    • Security verified by hand
    • Major security flaw detected
    • First successful ITSEC E6
    • Repeated on other projects

43
ConForm (1994)
  • Organisation: British Aerospace (UK)
  • Domain: Security (gateway)
  • Tools: The IFAD VDM-SL Toolbox
  • Experience
    • Prevented propagation of error
    • Successful technology transfer
    • At least 4 more applications without support
  • Statements
    • Engineers can learn the technique in one week
    • VDMTools can be integrated gradually into a
      traditional existing development process

44
DustExpert (1995-7)
  • Organisation: Adelard (UK)
  • Domain: Safety (dust explosives)
  • Tools: The IFAD VDM-SL Toolbox
  • Experience
    • Delivered on time at expected cost
    • Large VDM-SL specification
    • Testing support valuable
  • Statement
    • Using VDMTools we have achieved a productivity
      and fault density far better than industry norms
      for safety-related systems

45
Adelard Metrics
  • 31 faults in Prolog and C (< 1/kloc)
  • Most minor, only 1 safety-related
  • 1 (small) design error, rest in coding

46
CAVA (1998-)
  • Organisation: Baan (Denmark)
  • Domain: Constraint solver (Sales Configuration)
  • Tools: The IFAD VDM-SL Toolbox
  • Experience
    • Common understanding
    • Faster route to prototype
    • Earlier testing
  • Statement
    • VDMTools has been used in order to increase
      quality and reduce development risks on high
      complexity products

47
Dutch DoD (1997-8)
  • Organisation: Origin, The Netherlands
  • Domain: Military
  • Tools: The IFAD VDM-SL Toolbox
  • Experience
    • Higher level of assurance
    • Mastering of complexity
    • Delivered at expected cost and on schedule
    • No errors detected in code after delivery
  • Statement
    • We chose VDMTools because of high demands on
      maintainability, adaptability and reliability

48
DoD, NL Metrics (1)
  • Estimated 12 C loc/h with manual coding!

49
DoD - Comparative Metrics
50
BPS 1000 (1997-)
  • Organisation: GAO, Germany
  • Domain: Bank note processing
  • Tools: The IFAD VDM-SL Toolbox
  • Experience
    • Better understanding of sensor data
    • Errors identified in other code
    • Savings on maintenance
  • Statement
    • VDMTools provides unparalleled support for design
      abstraction ensuring quality and control
      throughout the development life cycle.

51
Flower Auction (1998)
  • Organisation: Chess, The Netherlands
  • Domain: Financial transactions
  • Tools: The IFAD VDM Toolbox
  • Experience
    • Successful combination of UML and VDM
    • Use iterative process to gain client commitment
    • Implementers did not even have a VDM course
  • Statement
    • The link between VDMTools and Rational Rose is
      essential for understanding the UML diagrams

52
SPOT 4 (1999)
  • Organisation: CS-CI, France
  • Domain: Space (payload for SPOT4 satellite)
  • Tools: The IFAD VDM-SL Toolbox
  • Experience
    • 38% fewer lines of source code
    • 36% less overall effort
    • Use of automatic C++ code generation
  • Statement
    • The cost of applying formal methods is
      significantly lower than without them.

53
K-LINE
  • Organisation: Sidereus, Portugal
  • Domain: Reverse engineering of database systems
  • Tools: The IFAD VDM-SL/VDM++ Toolbox
  • Experience
    • Development of a tool for FM-based data-intensive
      operations (data migration and data quality)
    • Semi-automatic generation of ISO/IEC 13817-1
      abstract descriptions out of informal or poorly
      structured meta-data.
  • Statement
    • Formal properties of data provide a firm basis
      for quality control in maintaining legacy
      information systems, thus saving costs in data
      cleansing/reverse specification contracts.

54
IFAD VDM Applications
  • VDMTools
    • VDM interpreter
    • VDM static semantics
    • VDM to C++ code generator
    • Specification manager
    • UML mapper
    • Java static semantics
    • Java to VDM++ translator
  • MUSTER: Emergency response training

55
The Bootstrapping Process
(figure: VDM-SL DS spec and VDM-SL DS impl along an implicit time line)
56
European Industrial use of FM
  • European Academia
  • FME Profile
  • The ESPRIT Programme
  • European Tool Support
  • Example Industrial Projects
  • Concluding Remarks

57
Concluding Remarks
  • Strong European FM supplier side
  • Industrial FM usage outside critical domains
    started
  • USA still strongest on model checking for
    hardware
  • Hopefully Japanese industrial use of FM will
    increase