2018-01-17T12:23:17Z EPrints http://deploy-eprints.ecs.soton.ac.uk/images/sitelogo.gif http://deploy-eprints.ecs.soton.ac.uk/ 2012-07-18T08:41:55Z 2013-01-28T11:05:43Z http://deploy-eprints.ecs.soton.ac.uk/id/eprint/423 This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/423 2012-07-18T08:41:55Z Alexander Romanovsky alexander.romanovsky@ncl.ac.uk Martyn Thomas 2012-03-15T09:44:44Z 2012-03-15T09:44:44Z http://deploy-eprints.ecs.soton.ac.uk/id/eprint/376 This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/376 2012-03-15T09:44:44Z

After several decades, formal methods are gaining ground in Industry. However, as pointed out by the results of Woodcock et al’s survey, formal methods still need significant additional effort in several areas, most notably in collecting evidence on the use of formal methods and tools in Industry. Such material is crucial for helping companies considering the adaption of formal methods in their decision and deployment process. This talk presents a practical approach for building a repository of evidence material. The main benefits of the proposed approach are first to make it possible to integrate information for many Industry pilots that have tested diverse formal methods. The secondary benefit is that the current implementation of the repository as a wiki of that project is simple yet efficient in managing access but also contribution rights. We highlight different usage scenarios both as passive user, from different roles in the organization, and as contributors, either to point out missing material or as provider of new material.

Jean-Christophe Deprez jcd@cetic.be Christophe Ponsard christophe.ponsard@cetic.be 2012-05-08T09:23:13Z 2012-09-11T18:17:22Z http://deploy-eprints.ecs.soton.ac.uk/id/eprint/394 This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/394 2012-05-08T09:23:13Z

The Event-B method is a formal modelling approach; our interest is the final step, of generating code for concurrent programs, from Event-B. Our Tasking Event-B tool integrates Event-B to facilitate code generation. The theory plug-in allows mathematical extensions to be added to an Event-B development. When working at the implementation level we need to consider how to translate the newly added types and operators into code. In this paper, we augment the theory plug-in, by adding a Translation Rules section to the tool. This enables us to define translation rules that map Event-B formulas to code. We illustrate the approach using a small case study, where we add a theory of arrays, and specify translation rules for generating Ada code.

Andrew Edmunds Michael Butler Issam Maamria Renato Silva Chris Lovell 2012-03-06T18:52:06Z 2012-03-06T18:52:06Z http://deploy-eprints.ecs.soton.ac.uk/id/eprint/372 This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/372 2012-03-06T18:52:06Z

State-based methods for correct-by-construction software development rely on a combination of safety constraints and refinement obligations to demonstrate design correctness. One prominent challenge, especially in an industrial setting, is ensuring that a design is adequate: requirements compliant and fit for purpose. The paper presents a technique for augmenting state-based, refinement-driven formal developments with reasoning about use case scenarios; in particular, it discusses a way for the derivation of formal verification conditions from a high-level, diagrammatic language of use cases, and the methodological role of use cases in a formal modelling process.

Alexei Iliasov "Alexei Iliasov" <Alexei.Iliasov@newcastle.ac.uk> 2012-02-13T10:23:32Z 2012-02-13T10:23:32Z http://deploy-eprints.ecs.soton.ac.uk/id/eprint/368 This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/368 2012-02-13T10:23:32Z Ian J. Hayes Alan Burns Brijesh Dongol Cliff B. Jones 2012-07-26T15:19:17Z 2012-07-26T15:22:46Z http://deploy-eprints.ecs.soton.ac.uk/id/eprint/445 This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/445 2012-07-26T15:19:17Z

The work of the major EU-funded ICT DEPLOY Integrated Project (February 2008 – April 2012) on Industrial Deployment of Advanced System Engineering Methods for High Productivity and Dependability was driven by the tasks of achieving and evaluating industrial take-up, initially by DEPLOY industrial partners, of DEPLOY methods and tools, together with the necessary further research on methods and tools. Our previous SEN paper introduced the project. The project has been one of the most significant efforts focusing on understanding the issues researchers and engineers face during the deployment of formal methods. This paper briefly reports on the project legacy and provides pointers to the various sources of information produced by the projects.

Romanovsky Alexander alexander.romanovsky@ncl.ac.uk 2012-04-27T14:42:34Z 2012-04-27T14:42:34Z http://deploy-eprints.ecs.soton.ac.uk/id/eprint/386 This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/386 2012-04-27T14:42:34Z

One of the guarantees that the designers of on-board satellite systems need to provide, so as to ensure their dependability, is that the mode transition scheme is implemented correctly, i.e. that the states of system components are consistent with the global system mode. There is still, however, a lack of scalable approaches to developing and verifying systems with complex mode transitions. This paper presents an approach to formal development of mode-rich systems by refinement in Event-B. We formalise the concepts of modes and mode transitions as well as deriving specification and refinement patterns which support correct-by-construction system development. The proposed approach is validated by a formal development of the Attitude and Orbit Control System (AOCS) undertaken within the ICT DEPLOY project. The experience gained in the course of developing of as complex an industrial-size system as AOCS shows that refinement in Event-B provides the engineers with a scalable formal technique that enables both mode-rich systems development and proof-based verification of their mode consistency.

Alexei Iliasov "Alexei Iliasov" <Alexei.Iliasov@newcastle.ac.uk> Elena Troubitsyna Elena.Troubitsyna@abo.fi Linas Laibinis Linas.Laibinis@abo.fi Alexander Romanovsky alexander.romanovsky@ncl.ac.uk Kimmo Varpaaniemi Dubravka Ilic Timo Latvala 2012-06-29T07:54:52Z 2012-06-29T07:54:52Z http://deploy-eprints.ecs.soton.ac.uk/id/eprint/408 This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/408 2012-06-29T07:54:52Z

Goal-Oriented Development facilitates structuring complex requirements. To ensure resilience the designers should guarantee that the system achieves its goals despite changes, e.g., caused by failures of system components. In this paper we propose a formal goal-oriented approach to development of resilient MAS. We formalize the notion of goal and goal achievement in Event-B and propose the specification and refinement patterns that allow us to guarantee that the targeted goals are reached despite agent failures. We illustrate our approach by a case study – development of an autonomous multi-robotic system.

Inna Pereverzeva Inna.Pereverzeva@abo.fi Elena Troubitsyna Elena.Troubitsyna@abo.fi Linas Laibinis Linas.Laibinis@abo.fi 2012-06-29T07:54:42Z 2012-06-29T07:54:42Z http://deploy-eprints.ecs.soton.ac.uk/id/eprint/407 This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/407 2012-06-29T07:54:42Z

Modelling and refinement in Event-B provides a scalable sup- port for the development of complex service-oriented systems. Refinement in Event-B supports a systematic service development by a gradual trans- formation of an abstract specification into a detailed service architecture. In this paper we aim at integrating quantitative assessment of desired quality of essential service attributes into formal modelling process. We propose an approach to creating and verifying a dynamic service architecture in Event- B. Such an architecture can be augmented with stochastic information and transformed into the corresponding continuous-time Markov chain represen- tation. By relying on probabilistic model-checking techniques, we allow for quantitative evaluation of quality of service attributes at early development stages. The approach is illustrated by a simple case study.

Anton Tarasyuk Anton.Tarasyuk@abo.fi Elena Troubitsyna Elena.Troubitsyna@abo.fi Linas Laibinis Linas.Laibinis@abo.fi 2012-02-13T10:21:31Z 2012-02-13T10:21:31Z http://deploy-eprints.ecs.soton.ac.uk/id/eprint/367 This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/367 2012-02-13T10:21:31Z Ian J. Hayes Cliff B. Jones Robert J. Colvin 2012-03-15T09:45:38Z 2012-03-15T09:45:38Z http://deploy-eprints.ecs.soton.ac.uk/id/eprint/373 This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/373 2012-03-15T09:45:38Z

The Event-B method is a formal approach for modelling systems in safety-, and business-critical, domains. We focus, in this paper, on multi-tasking, embedded control systems. Initially, system specification takes place at a high level of abstraction; detail is added in refinement steps as the development proceeds toward implementation. In previous work, we presented an approach for generating code, for concurrent programs, from Event-B. Translators generate program code for tasks that access data in a safe way, using shared objects. We did not distinguish between tasks of the environment and those of the controller. The work described in this paper offers improved modelling and code generation support, where we separate the environment from the controller. The events in the system can participate in actuating or sensing roles. In the resulting code, sensing and actuation can be simulated using a form of subroutine call; or additional information can be provided to allow a task to read/write directly from/to a specfied memory location.

Andrew Edmunds 12039 Abdolbaghi Rezazadeh 10385 Michael Butler 18 2012-02-13T10:30:08Z 2012-02-13T10:30:08Z http://deploy-eprints.ecs.soton.ac.uk/id/eprint/370 This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/370 2012-02-13T10:30:08Z Ian J. Hayes Alan Burns Brijesh Dongol Cliff B. Jones 2011-09-02T08:43:33Z 2012-05-18T14:19:02Z http://deploy-eprints.ecs.soton.ac.uk/id/eprint/330 This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/330 2011-09-02T08:43:33Z

This volume contains the proceedings of the 11th workshop on Automated Verification of Critical Systems that was hosted by Newcastle University and took place during September 12-14, 2011 in Newcastle upon Tyne, UK. The workshop is supported by DEPLOY.

Jens Bendisposto Cliff Jones Michael Leuschel Alexander Romanovsky 2011-09-04T11:57:29Z 2011-09-04T11:57:29Z http://deploy-eprints.ecs.soton.ac.uk/id/eprint/329 This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/329 2011-09-04T11:57:29Z Anton Tarasyuk Anton.Tarasyuk@abo.fi Elena Troubitsyna Elena.Troubitsyna@abo.fi Linas Laibinis Linas.Laibinis@abo.fi 2011-11-16T09:32:55Z 2011-11-16T09:32:55Z http://deploy-eprints.ecs.soton.ac.uk/id/eprint/356 This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/356 2011-11-16T09:32:55Z

Event-B is a refinement-based formal method that has been shown to be useful in developing concurrent and distributed programs. Large models can be decomposed into sub-models that can be refined semi-independently and executed in parallel. In this paper, we show how to introduce explicit control flow for the concurrent sub-models in the form of event schedules. We explore how schedules can be designed so that their application results in a correctness-preserving refinement step. For practical application, two patterns for schedule introduction are provided, together with their associated proof obligations. We demonstrate our method by applying it on the dining philosophers problem.

Pontus Boström Fredrik Degerlund Kaisa Sere Marina Waldén 2011-05-06T13:17:45Z 2011-05-06T13:17:45Z http://deploy-eprints.ecs.soton.ac.uk/id/eprint/303 This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/303 2011-05-06T13:17:45Z

The Event-B method is a formal approach for modelling systems in safety-, and business-critical, domains. Initially, system specification takes place at a high level of abstraction; detail is added in refinement steps as the development proceeds toward implementation. Our aim has been to develop a novel approach for generating code, for concurrent programs, from Event-B. We formulated the approach so that it integrates well with the existing Event-B methodology and tools. In this paper we introduce a tasking extension for Event-B, with Tasking and Shared Machines. We make use of refinement, decomposition, and the extension, to structure projects for code generation for multitasking implementations. During the modelling phase decomposition is performed; decomposition reduces modelling complexity and makes proof more tractable. The decomposed models are then extended with sufficient information to enable generation of code. A task body describes a task?s behaviour, mainly using imperative, programming-like constructs. Task priority and life-cycle (periodic, triggered, etc.) are also specified, but timing aspects are not modelled formally. We provide tool support in order to validate the practical aspects of the approach.

Andrew Edmunds Michael Butler 2011-08-02T12:57:38Z 2011-08-02T12:57:38Z http://deploy-eprints.ecs.soton.ac.uk/id/eprint/319 This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/319 2011-08-02T12:57:38Z

Ensuring system fault tolerance is one of the major concerns in developing critical industrial applications. The tutorial shows how to rigorously develop systems that are not only functionally correct but also fault tolerant. The material of the tutorial is built on the results of two EC projects, RODIN and DEPLOY, that created and validated in the industrial settings the RODIN platform - an Eclipse-based development environment supporting formal modelling in Event-B. The focus of the tutorial is on demonstrating how fault tolerance can be systematically specified and verified as an intrinsic part of the overall system behavior. The general principles are demonstrated by several industrial case studies based on our work with telecommunication, space and business information sectors. As part of the tutorial we will introduce and demonstrate a number of RODIN tools that support model structuring using modes, modules, and fault tolerance views, and facilitate fault tolerance modelling. All materials of this tutorial are available on http://iliasov.org/fm2011/

Alexei Iliasov "Alexei Iliasov" <Alexei.Iliasov@newcastle.ac.uk> Linas Laibinis Linas.Laibinis@abo.fi Elena Troubitsyna Elena.Troubitsyna@abo.fi Alexander Romanovsky alexander.romanovsky@ncl.ac.uk 2012-06-29T07:54:30Z 2012-06-29T07:54:30Z http://deploy-eprints.ecs.soton.ac.uk/id/eprint/406 This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/406 2012-06-29T07:54:30Z Yuliya Prokhorova Yuliya.Prokhorova@abo.fi Elena Troubitsyna Elena.Troubitsyna@abo.fi Linas Laibinis Linas.Laibinis@abo.fi Kimmo Varpaaniemi Timo Latvala 2012-02-13T10:17:51Z 2012-02-13T10:17:51Z http://deploy-eprints.ecs.soton.ac.uk/id/eprint/365 This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/365 2012-02-13T10:17:51Z Cliff B. Jones Ken G. Pierce 2011-08-02T10:47:15Z 2011-08-02T10:47:15Z http://deploy-eprints.ecs.soton.ac.uk/id/eprint/317 This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/317 2011-08-02T10:47:15Z Linas Laibinis Linas.Laibinis@abo.fi Elena Troubitsyna Elena.Troubitsyna@abo.fi Alexei Iliasov "Alexei Iliasov" <Alexei.Iliasov@newcastle.ac.uk> Alexander Romanovsky alexander.romanovsky@ncl.ac.uk 2011-08-02T13:08:31Z 2011-08-02T13:11:37Z http://deploy-eprints.ecs.soton.ac.uk/id/eprint/320 This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/320 2011-08-02T13:08:31Z

Achieving high dependability of distributed systems remains a major challenge due to complexity arising from concurrency and communication. There are a number of formal approaches to verification of properties of distributed algorithms. However, there is still a lack of methods that enable a transition from a verified formal model of communication to a program that faithfully implements it. In this paper we aim at bridging this gap by proposing a state-based formal approach to correct-by-construction development of distributed programs. In our approach we take a systems view, i.e., formally model not only application but also its environment. We decompose such an integrated specification to obtain the distributed program that should be deployed on the targeted network infrastructure. To illustrate our approach, we present a development of a distributed leader election protocol.

Alexei Iliasov "Alexei Iliasov" <Alexei.Iliasov@newcastle.ac.uk> Linas Laibinis Linas.Laibinis@abo.fi Elena Troubitsyna Elena.Troubitsyna@abo.fi Alexander Romanovsky alexander.romanovsky@ncl.ac.uk 2011-10-05T12:32:28Z 2011-10-29T18:22:06Z http://deploy-eprints.ecs.soton.ac.uk/id/eprint/348 This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/348 2011-10-05T12:32:28Z

Application of formal notations and verifications techniques helps to deliver systems that are free from engineering defects. A code generator is an essential tool for formal development of real-world systems; it transforms models into runnable software quickly, consistently and reproducibly. Commonly, a code generator is a program constructed informally and producing an output that is not formally traced to an input. Industrial standards to the development of safety-critical systems, such as IEC 61508, require a justification for any tool used in a development: extensive prior experience or a formal certification. An extensive experience is often not an option as there are very few sufficiently mature modelling toolsets. The certification of a code generator is a major effort increasing costs and development time. We propose an approach where a modeller places no trust whatsoever in the code generation stage but rather obtains software that is certifiable without any further effort. The essence of the approach is in the transformation of a formal model into runnable software that is demonstratively correct in respect to a given set of verification criteria, coming from a requirements document. A Hoare logic is used to embedded correctness criteria into the resultant program; the approach supports design-by-contract annotations to allow developer to mix formal and informal parts with a fair degree of rigour.

Alexei Iliasov "Alexei Iliasov" <Alexei.Iliasov@newcastle.ac.uk> 2011-09-04T11:57:36Z 2011-09-04T11:57:36Z http://deploy-eprints.ecs.soton.ac.uk/id/eprint/328 This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/328 2011-09-04T11:57:36Z Anton Tarasyuk Anton.Tarasyuk@abo.fi Elena Troubitsyna Elena.Troubitsyna@abo.fi Linas Laibinis Linas.Laibinis@abo.fi 2011-11-14T11:00:48Z 2011-11-14T11:00:48Z http://deploy-eprints.ecs.soton.ac.uk/id/eprint/354 This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/354 2011-11-14T11:00:48Z

Im August 2011 hat das Requirements Modeling Framework (RMF) als ein neues Eclipse-Projekt das Licht der Welt erblickt. RMF besteht aus einem Kern, der Daten im Requirements Exchange Format (RIF/ReqIf) verarbeiten kann, und einem GUI namens ProR, mit dem sich diese Daten komfortabel bearbeiten lassen. ProR stellt einen Extension Point zur Verf\"{u}gung, der die Integration mit anderen Werkzeugen erm\"{o}glicht.

Michael Jastram Andreas Graf 2011-07-04T12:44:57Z 2011-10-29T18:28:41Z http://deploy-eprints.ecs.soton.ac.uk/id/eprint/315 This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/315 2011-07-04T12:44:57Z

Model-oriented formalisms rely on a combination of safety constraints and satisfaction of refinement obligations to demonstrate model correctness. We argue that for a significant class of models a substantial part of the desired model behaviour would not be covered by such correctness conditions, meaning that a formal development potentially ends with a correct model inadequate for its purpose. In this paper we present a method for augmenting Event-B specifications with additional proof obligations expressed in a visual, diagrammatic way. A case study illustrates how the method may be used to strengthen a model by translating use case scenarios from requirement documents into formal statements over a modelled system.

Alexei Iliasov "Alexei Iliasov" <Alexei.Iliasov@newcastle.ac.uk> 2011-09-04T11:57:40Z 2011-09-04T11:57:40Z http://deploy-eprints.ecs.soton.ac.uk/id/eprint/327 This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/327 2011-09-04T11:57:40Z Anton Tarasyuk Anton.Tarasyuk@abo.fi Elena Troubitsyna Elena.Troubitsyna@abo.fi Linas Laibinis Linas.Laibinis@abo.fi 2011-09-04T11:57:15Z 2011-09-04T11:57:15Z http://deploy-eprints.ecs.soton.ac.uk/id/eprint/325 This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/325 2011-09-04T11:57:15Z Anton Tarasyuk Anton.Tarasyuk@abo.fi Elena Troubitsyna Elena.Troubitsyna@abo.fi Linas Laibinis Linas.Laibinis@abo.fi 2010-01-14T17:31:53Z 2010-01-14T17:31:53Z http://deploy-eprints.ecs.soton.ac.uk/id/eprint/187 This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/187 2010-01-14T17:31:53Z

With our growing reliance on computers, the total societal costs of their failures are hard to underestimate. Nowadays computers control critical systems from various domains such as aerospace, automotive, railway, business etc. Obviously, such systems must have a high degree of dependability — a degree of trust that can be justifiably placed on them. Although the currently operating systems do have an acceptable level of dependability, we believe that they development process is still rather immature and ad-hoc. The constantly growing system complexity poses an increasing challenge on the system developers and requires significant improvement on the existing developing practice. To address this problem, we investigated how to establish a set of refinement-based engineering methods that can provide the designers with a systematic methodology for development of complex systems.

Jean-Raymond Abrial Michael Butler Rajev Joshi Elena Troubitsyna Jim C. P. Woodcock 2011-01-31T17:19:46Z 2011-01-31T17:19:46Z http://deploy-eprints.ecs.soton.ac.uk/id/eprint/282 This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/282 2011-01-31T17:19:46Z C. B. Jones K. G. Pierce 2011-01-31T17:19:39Z 2011-01-31T17:19:39Z http://deploy-eprints.ecs.soton.ac.uk/id/eprint/283 This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/283 2011-01-31T17:19:39Z C. B. Jones K. G. Pierce 2010-11-29T11:54:15Z 2010-11-29T11:54:15Z http://deploy-eprints.ecs.soton.ac.uk/id/eprint/257 This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/257 2010-11-29T11:54:15Z Cliff B. Jones Ken G. Pierce 2010-10-21T10:03:34Z 2010-10-21T10:05:22Z http://deploy-eprints.ecs.soton.ac.uk/id/eprint/248 This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/248 2010-10-21T10:03:34Z Jeremy W. Bryans jeremy.bryans@ncl.ac.uk Wei Wei wei01.wei@sap.com 2010-01-12T10:11:34Z 2010-11-27T16:28:08Z http://deploy-eprints.ecs.soton.ac.uk/id/eprint/183 This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/183 2010-01-12T10:11:34Z Cliff B Jones Cliff.Jones@ncl.ac.uk 2010-11-29T11:55:36Z 2010-12-09T15:37:47Z http://deploy-eprints.ecs.soton.ac.uk/id/eprint/254 This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/254 2010-11-29T11:55:36Z C.B. Jones A.W. Roscoe 2010-11-12T08:53:11Z 2010-11-12T08:53:11Z http://deploy-eprints.ecs.soton.ac.uk/id/eprint/253 This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/253 2010-11-12T08:53:11Z

Complex modern applications have to be developed to be dependable to meet their requirements and expectations of their users. An important part of this is their ability to deal with various threats (such as faults in the system environment, operator's mistakes, underlying hardware and software support problems). Development of modern applications is complicated by the need for systematic and rigorous integration of fault tolerance measures. The paper focuses on reuse of fault tolerance modelling. First, it introduces the idea of general modelling templates reflecting abstract views on system behaviour with respect to faults. These templates are used during system detalisation (re�finement) to capture the user's view on system external behaviour. Secondly, it proposes to use a library of concrete modelling patterns allowing developers to systematically integrate speci�c fault tolerance mechanisms (e.g. recovery blocks, checkpoints, exception handling) into the models. The proposed solutions are linked to the Event-B method and demonstrated using a case study.

Ilya Lopatkin Ilya.Lopatkin@newcastle.ac.uk Alexei Iliasov "Alexei Iliasov" <Alexei.Iliasov@newcastle.ac.uk> Alexander Romanovsky alexander.romanovsky@ncl.ac.uk 2010-11-29T11:54:32Z 2010-11-29T11:54:32Z http://deploy-eprints.ecs.soton.ac.uk/id/eprint/256 This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/256 2010-11-29T11:54:32Z 2010-11-29T11:55:32Z 2010-12-09T15:37:40Z http://deploy-eprints.ecs.soton.ac.uk/id/eprint/255 This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/255 2010-11-29T11:55:32Z C. B. Jones 2010-12-07T14:23:11Z 2010-12-09T15:36:32Z http://deploy-eprints.ecs.soton.ac.uk/id/eprint/261 This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/261 2010-12-07T14:23:11Z Alexei Iliasov "Alexei Iliasov" <Alexei.Iliasov@newcastle.ac.uk> 2010-12-07T14:29:00Z 2010-12-09T15:36:12Z http://deploy-eprints.ecs.soton.ac.uk/id/eprint/263 This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/263 2010-12-07T14:29:00Z Alexei Iliasov "Alexei Iliasov" <Alexei.Iliasov@newcastle.ac.uk> 2010-07-14T12:58:15Z 2010-07-14T13:14:22Z http://deploy-eprints.ecs.soton.ac.uk/id/eprint/239 This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/239 2010-07-14T12:58:15Z

Space satellites are examples of complex embedded systems. Dynamic behaviour of such systems is typically described in terms of operational modes that correspond to the different stages of a mission and states of the components. Components are susceptible to various faults that complicate the mode transition scheme. Yet the success of a mission depends on the correct implementation of mode changes. In this paper we propose a formal approach that ensures consistency of mode changes while developing a system architecture by refinement. The approach relies on recursive application of modelling and refinement patterns that enforce correctness while implementing the mode transition scheme. The proposed approach is exemplified by the development of an Attitude and Orbit Control System undertaken within the ICT DEPLOY project.

Alexei Iliasov "Alexei Iliasov" <Alexei.Iliasov@newcastle.ac.uk> Elena Troubitsyna Elena.Troubitsyna@abo.fi Linas Laibinis Linas.Laibinis@abo.fi Alexander Romanovsky alexander.romanovsky@ncl.ac.uk Kimmo Varpaaniemi Pauli Väisänen Pauli.Vaisanen@ssf.fi Dubravka Ilic Timo Latvala 2009-12-12T16:28:19Z 2010-04-19T15:05:58Z http://deploy-eprints.ecs.soton.ac.uk/id/eprint/163 This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/163 2009-12-12T16:28:19Z

The Instruction Set Architecture (ISA) is that part of a computing machine visible for programming, including its native data types, instructions, registers, memory architecture, exception handling and external interfaces. The ISA also includes the specification of the machine’s native language: that is its instructions and their actions. This thesis proposes the use of the Event-B formal notation to construct a sequence of formal specifications applicable to a range of ISAs, by abstractly capturing their shared properties. Initial, very abstract, descriptions are refined by the incremental addition of greater detail, each increment providing a template for development of the next. The use of Event-B allows correctness, i.e. the preservation of the properties of the previous step, to be verified over successive refinements. This is achieved by the creation and proving of logical hypotheses, or proof obligations. The process enables development of ISAs with predictable behaviour when executing both correct and erroneous programs, by identification of the precise preconditions required for successful execution of instructions, their resulting actions, and all possible error conditions. Application of property proving techniques allows for the formal verification of desirable properties. A methodology is proposed for the incremental construction of the common elements of an ISA, and its features are discussed. The methodology is initially used to construct a generic description, which is then demonstrated by refinement to two representative ISAs capable of executing compiled C binary executables. The complete refinement process is demonstrated by the creation and testing of Virtual Machines automatically generated via novel translation tools. Prior art has relied on the provision of single-layered descriptions of specific ISAs to enable formal verification of implementations, placing a burden of correctness on these specifications. This work contributes by the provision of a common context for correct derivation of these previously independant descriptions. The work introduces novel levels of abstraction to allow re-use on any sequential computing machine, provides a framework for the comparison of different ISAs relative to a single datum, and enables analysis of design options during the creation and extension of ISAs. Further contributions are the construction of multiple ISAs from a single abstract description, and the introduction of automatic source-code generation techniques to the Event-B method, which include features to assist in the development and test of useable ISAs.

Stephen Wright stephen.wright@bris.ac.uk 2009-05-27T20:31:51Z 2010-04-19T15:05:54Z http://deploy-eprints.ecs.soton.ac.uk/id/eprint/105 This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/105 2009-05-27T20:31:51Z

The two dependability means considered in this paper are rigorous design and fault tolerance. It can be complex to rigorously design some classes of systems, including fault tolerant ones, therefore appropriate abstractions are needed to better support system modelling and analysis. The abstraction proposed in this paper for this purpose is the notion of operation mode. Modes are formalised and their relation to a state-based formalism in a refinement approach is established. The use of modes for fault tolerant systems is then discussed and a case study presented. Using modes in state-based modelling allows us to improve system structuring, the elicitation of system assumptions and expected functionality, as well as requirement traceability.

Alexei Iliasov "Alexei Iliasov" <Alexei.Iliasov@newcastle.ac.uk> Fernando Dotti Fernando Luis Dotti <fernando.dotti@pucrs.br> Alexander Romanovsky alexander.romanovsky@ncl.ac.uk 2009-05-27T20:48:29Z 2010-04-19T15:05:54Z http://deploy-eprints.ecs.soton.ac.uk/id/eprint/106 This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/106 2009-05-27T20:48:29Z

Formal modelling is indispensable for engineering highly dependable systems. However, a wider acceptance of formal methods is hindered by their insufficient usability and scalability. In this paper, we aim at assisting developers in rigorous modelling and design by increasing automation of development steps. We introduce a notion of refinement patterns – generic representations of typical correctness-preserving model transformations. Our definition of a refinement pattern contains a description of syntactic model transformations, as well as the pattern applicability conditions and proof obligations for verification of correctness preservation. This establishes a basis for building a tool supporting formal system development via pattern reuse and instantiation. We present a prototype of such a tool and some examples of refinement patterns for automated development in the Event B formalism.

Alexei Iliasov "Alexei Iliasov" <Alexei.Iliasov@newcastle.ac.uk> Elena Troubitsyna Elena.Troubitsyna@abo.fi Linas Laibinis Linas.Laibinis@abo.fi Alexander Romanovsky alexander.romanovsky@ncl.ac.uk 2009-01-24T18:35:27Z 2010-04-19T15:05:52Z http://deploy-eprints.ecs.soton.ac.uk/id/eprint/78 This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/78 2009-01-24T18:35:27Z Alfredo Capozucca Nicolas Guelfi Patrizio Pelliccione Alexander Romanovsky alexander.romanovsky@ncl.ac.uk Avelino Zorzo 2010-01-12T10:11:26Z 2010-01-12T10:11:26Z http://deploy-eprints.ecs.soton.ac.uk/id/eprint/181 This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/181 2010-01-12T10:11:26Z Cliff B Jones Cliff.Jones@ncl.ac.uk 2010-01-12T10:11:20Z 2010-01-12T10:11:20Z http://deploy-eprints.ecs.soton.ac.uk/id/eprint/180 This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/180 2010-01-12T10:11:20Z Alan Bundy Gudmund Grov Cliff B Jones Cliff.Jones@ncl.ac.uk 2010-01-12T10:11:11Z 2010-11-27T16:19:08Z http://deploy-eprints.ecs.soton.ac.uk/id/eprint/184 This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/184 2010-01-12T10:11:11Z Cliff B Jones Cliff.Jones@ncl.ac.uk Ken G Pierce k.g.pierce@ncl.ac.uk 2009-10-25T17:48:19Z 2010-04-19T15:05:58Z http://deploy-eprints.ecs.soton.ac.uk/id/eprint/161 This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/161 2009-10-25T17:48:19Z

Formal methods use mathematical models for analysis and verification at any part of the program life-cycle. We describe the state of the art in the industrial use of formal methods, concentrating on their increasing use at the earlier stages of specification and design. We do this by reporting on a new survey of industrial use, comparing the situation in 2009 with the most significant surveys carried out over the last 20 years. We describe some of the highlights of our survey by presenting a series of industrial projects, and we draw some observations from these surveys and records of experience. Based on this, we discuss the issues surrounding the industrial adoption of formal methods. Finally, we look to the future and describe the development of a Verified Software Repository, part of the worldwide Verified Software Initiative. We introduce the initial projects being used to populate the repository, and describe the challenges they address.

Jim Woodcock Jim.Woodcock@cs.york.ac.uk Peter Gorm Larsen pgl@iha.dk Juan Bicarregui juan.bicarregui@stfc.ac.uk John S. Fitzgerald john.fitzgerald@ncl.ac.uk 2009-06-06T10:52:07Z 2010-04-19T15:05:54Z http://deploy-eprints.ecs.soton.ac.uk/id/eprint/110 This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/110 2009-06-06T10:52:07Z

Distributed information systems are critical to the functioning of many businesses; designing them to be dependable is a challenging but important task. We report our experience in using formal methods to enhance processes and tools for development of business information software based on service-oriented architectures. In our work, which takes place in an industrial setting, we focus on the configuration of middleware, verifying application-level requirements in the presence of faults. In pilot studies provided by SAP, we used the Event-B formalism and the open Rodin tools platform to prove properties of models of business protocols and expose weaknesses of certain middleware configurations with respect to particular protocols. We then extended the approach to use models automatically generated from diagrammatic design tools, opening the possibility of seamless integration with current development environments. Increased automation in the verification process, through domain-specific models and theories, is a goal for future work. KEYWORDS: Verification, Fault Modelling, Service- Oriented Architectures, Event-B, Tool Support

Jeremy W. Bryans Jeremy.Bryans@ncl.ac.uk John S. Fitzgerald John.Fitzgerald@ncl.ac.uk Alexander Romanovsky A.Romanovsky@ncl.ac.uk Andreas Roth Andreas/Roth@sap.com 2010-01-12T10:11:30Z 2010-01-12T10:11:30Z http://deploy-eprints.ecs.soton.ac.uk/id/eprint/179 This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/179 2010-01-12T10:11:30Z Alan Bundy Gudmund Grov Cliff B Jones Cliff.Jones@ncl.ac.uk 2010-01-12T10:10:59Z 2010-04-19T15:05:59Z http://deploy-eprints.ecs.soton.ac.uk/id/eprint/185 This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/185 2010-01-12T10:10:59Z Cliff B Jones Cliff.Jones@ncl.ac.uk 2009-01-19T10:50:44Z 2009-01-19T10:50:44Z http://deploy-eprints.ecs.soton.ac.uk/id/eprint/68 This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/68 2009-01-19T10:50:44Z Alexander Romanovsky alexander.romanovsky@ncl.ac.uk 2009-01-20T09:35:06Z 2009-01-20T09:35:06Z http://deploy-eprints.ecs.soton.ac.uk/id/eprint/69 This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/69 2009-01-20T09:35:06Z Nicolas Guelfi Henry Muccini Patrizio Pelliccione Alexander Romanovsky alexander.romanovsky@ncl.ac.uk 2009-01-19T10:33:45Z 2009-01-19T10:33:45Z http://deploy-eprints.ecs.soton.ac.uk/id/eprint/67 This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/67 2009-01-19T10:33:45Z Nicolas Guelfi Henry Muccini Patrizio Pelliccione Alexander Romanovsky alexander.romanovsky@ncl.ac.uk 2008-07-11T13:09:31Z 2010-04-19T15:05:50Z http://deploy-eprints.ecs.soton.ac.uk/id/eprint/27 This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/27 2008-07-11T13:09:31Z Alexander Romanovsky alexander.romanovsky@ncl.ac.uk 2008-05-16T14:51:33Z 2008-05-16T14:51:33Z http://deploy-eprints.ecs.soton.ac.uk/id/eprint/24 This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/24 2008-05-16T14:51:33Z

While pervasive systems offer versatile computing environment, their complexity poses a significant challenge to their developers. Hence ensuring resilience of pervasive systems is an important issue, which should be tackled by adopting rigorous design methods and systems approach. In this short paper we identify the key research directions in engineering pervasive resilient systems and our experience in rigorous development of a multi-agent application called Ambient Campus.

Alexei Iliasov "Alexei Iliasov" <Alexei.Iliasov@newcastle.ac.uk> Linas Laibinis Linas.Laibinis@abo.fi Alexander Romanovsky alexander.romanovsky@ncl.ac.uk Kaisa Sere Kaisa.Sere@abo.fi Elena Troubitsyna Elena.Troubitsyna@abo.fi 2010-01-12T10:10:40Z 2010-01-12T10:10:40Z http://deploy-eprints.ecs.soton.ac.uk/id/eprint/182 This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/182 2010-01-12T10:10:40Z Jeremy W. Bryans jeremy.bryans@ncl.ac.uk John S. Fitzgerald john.fitzgerald@ncl.ac.uk David Greathead David.Greathead@ncl.ac.uk Cliff B Jones Cliff.Jones@ncl.ac.uk Richard Payne Richard.Payne@ncl.ac.uk 2008-08-06T19:46:58Z 2010-04-19T15:05:50Z http://deploy-eprints.ecs.soton.ac.uk/id/eprint/30 This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/30 2008-08-06T19:46:58Z

We describe a study of the industrial use of animation in the analysis of a formal model of information flow in dynamic virtual organisations (VOs). A generic formal model of a VO structure composed of autonomous agents sharing information was developed using the Vienna Development Method (VDM). An exploratory environment was also developed in which the model was animated via an interpreter running an application-specific script developed with domain experts. A user interface encouraged interaction with the model without requiring exposure to the formalism. The use of the interface and model by domain experts was observed and recorded before debrief, allowing us to draw conclusions about the suitability of formal models for exploring, in an industrial setting, the design of policies governing VOs.

John S Fitzgerald John.Fitzgerald@ncl.ac.uk Jeremy W Bryans Jeremy.Bryans@ncl.ac.uk David Greathead David.Greathead@ncl.ac.uk Clifff B Jones Cliff.Jones@ncl.ac.uk Richard Payne Richard.Payne@ncl.ac.uk 2009-01-19T10:05:52Z 2009-01-19T10:05:52Z http://deploy-eprints.ecs.soton.ac.uk/id/eprint/65 This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/65 2009-01-19T10:05:52Z Alexander Romanovsky alexander.romanovsky@ncl.ac.uk 2008-08-06T19:47:12Z 2010-04-19T15:05:50Z http://deploy-eprints.ecs.soton.ac.uk/id/eprint/28 This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/28 2008-08-06T19:47:12Z

The construction of formal models of real-time distributed systems is a considerable practical challenge. We propose and illustrate a pragmatic incremental approach in which detail is progressively added to abstract system-level specifications of functional and timing properties via intermediate models that express system architecture, concurrency and timing behaviour. The approach is illustrated by developing a new formal model of the cardiac pacemaker system proposed as a “grand challenge” problem in 2007. The models are expressed using the Vienna Development Method (VDM) and are validated primarily by scenario-based tests, including the analysis of timed traces. We argue that the insight gained using this staged modelling approach will be valuable in the subsequent development of implementations, and in detecting potential bottlenecks within suggested implementation architectures.

Hugo Daniel Macedo Peter Gorm Larsen John Fitzgerald John.Fitzgerald@ncl.ac.uk 2010-01-12T10:11:16Z 2010-04-19T15:05:59Z http://deploy-eprints.ecs.soton.ac.uk/id/eprint/177 This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/177 2010-01-12T10:11:16Z John R.D Hughes Cliff B Jones Cliff.Jones@ncl.ac.uk 2009-05-06T11:54:45Z 2010-04-19T15:05:54Z http://deploy-eprints.ecs.soton.ac.uk/id/eprint/99 This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/99 2009-05-06T11:54:45Z

The paper puts forward the idea of using fault tolerance refinement patterns to assist system developers in disciplined application of software fault tolerance mechanisms in rigorous system design. Two patterns are proposed to support a correct introduction of recovery blocks and N-version programming into a system model; these are formally defined and their correctness proven. We also discuss several important issues involved in the use of these patterns in engineering systems, including tool support and pattern composition.design) as a major means for improving the quality of products.

Alexei Iliasov "Alexei Iliasov" <Alexei.Iliasov@newcastle.ac.uk> Alexander Romanovsky alexander.romanovsky@ncl.ac.uk 2010-01-12T10:11:06Z 2010-01-12T10:11:06Z http://deploy-eprints.ecs.soton.ac.uk/id/eprint/178 This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/178 2010-01-12T10:11:06Z Cliff B Jones Cliff.Jones@ncl.ac.uk 2011-01-31T17:18:49Z 2011-01-31T17:18:49Z http://deploy-eprints.ecs.soton.ac.uk/id/eprint/274 This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/274 2011-01-31T17:18:49Z Cliff B. Jones 2010-01-12T10:10:28Z 2010-04-19T15:05:59Z http://deploy-eprints.ecs.soton.ac.uk/id/eprint/176 This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/176 2010-01-12T10:10:28Z Cliff B Jones Cliff.Jones@ncl.ac.uk Ken G Pierce k.g.pierce@ncl.ac.uk 2012-09-13T09:16:59Z 2013-02-18T14:59:23Z http://deploy-eprints.ecs.soton.ac.uk/id/eprint/455 This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/455 2012-09-13T09:16:59Z

The RODIN, and DEPLOY projects have laid solid foundations for further theoretical, and practical (methodological and tooling) advances with Event-B; we investigated code generation for embedded, multi-tasking systems. This work describes activities from a follow-on project, ADVANCE; where our interest is co-simulation of cyber-physical systems. We are working to better understand the issues arising in a development when modelling with Event-B, and animating with ProB, in tandem with a multi-simulation strategy. With multi-simulation we aim to simulate various features of the environment separately, in order to exercise the deployable code. This paper has two contributions, the first is the extension of the code generation work of DEPLOY, where we add the ability to generate code from Event-B state-machine diagrams. The second describes how we may use code, generated from state-machines, to simulate the environment, and simulate concurrently executing state-machines, in a single task. We show how we can instrument the code to guide the simulation, by controlling the relative rate that non-deterministic transitions are traversed in the simulation.

Andrew Edmunds ae2@ecs.soton.ac.uk John Colley J.L.Colley@ecs.soton.ac.uk Michael Butler mjb@ecs.soton.ac.uk 2011-05-06T13:18:02Z 2011-05-09T09:43:39Z http://deploy-eprints.ecs.soton.ac.uk/id/eprint/304 This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/304 2011-05-06T13:18:02Z Andrew Edmunds ae2@ecs.soton.ac.uk 2011-09-04T11:57:43Z 2011-09-04T11:57:43Z http://deploy-eprints.ecs.soton.ac.uk/id/eprint/326 This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/326 2011-09-04T11:57:43Z Anton Tarasyuk Anton.Tarasyuk@abo.fi Elena Troubitsyna Elena.Troubitsyna@abo.fi Linas Laibinis Linas.Laibinis@abo.fi 2010-01-29T22:37:57Z 2011-06-28T10:13:15Z http://deploy-eprints.ecs.soton.ac.uk/id/eprint/198 This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/198 2010-01-29T22:37:57Z

The second DEPLOY annual plenary meeting was held from 21st to 23rd of October in Aix-en-Provence, France. The main difference with respect to the first meeting has been a significant amount of time dedicated to technical presentations of papers. We invited all the academic and industrial partners to submit papers about the work they were carrying on inside the DEPLOY project. The accepted submissions have been then organized in five different sessions, each regarding a DEPLOY relevant topic, plus one for short papers. The structure of this document reflects exactly the structure of the workshop, each of the parts represents a workshop session: 1. Event-B and Extensions 2. Code Generation 3. Event-B Metrics and Tools 4. Model Checking 5. Business Information Systems 6. Short Papers

Mazzara Manuel 2011-11-10T17:31:25Z 2011-11-10T17:31:25Z http://deploy-eprints.ecs.soton.ac.uk/id/eprint/351 This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/351 2011-11-10T17:31:25Z

Event-B is a formal method which is widely used in modelling safety critical systems. So far, the main properties of interest in Event-B are safety related. Even though some liveness properties, e.g., termination, are already within the scope of Event-B, more general liveness properties, e.g. progress or persistence, are currently unsupported. We present in this paper proof rules to reason about important classes of liveness properties. We illustrate our proof rules by applying them to prove liveness properties of realistic examples. Our proof rules are based on several proof obligations that can be implemented in a tool support such as the Rodin platform.

Thai Son Hoang htson@inf.ethz.ch Jean-Raymond Abrial 2009-07-08T15:31:36Z 2010-04-19T15:05:56Z http://deploy-eprints.ecs.soton.ac.uk/id/eprint/134 This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/134 2009-07-08T15:31:36Z

Several safety-critical systems, such as avionic, transportation and space systems, use the notion of operation modes. Operation modes are useful structuring units that facilitate design, specially if used with state-based formal methods. However, modelling abstractions to support the specification, analysis and correct construction of modal systems are still lacking. The contribution of this paper is twofold: (i) modal systems and modal systems refinement are discussed and formalized; (ii) the relation of a modal system specification with an Event-B model is discussed, showing how to demonstrate that the behaviour of an Event-B model can satisfy a modal system.

Fernando Dotti Fernando Luis Dotti <fernando.dotti@pucrs.br> Alexei Iliasov "Alexei Iliasov" <Alexei.Iliasov@newcastle.ac.uk> Alexander Romanovsky alexander.romanovsky@ncl.ac.uk 2009-10-14T10:25:46Z 2010-04-19T15:05:58Z http://deploy-eprints.ecs.soton.ac.uk/id/eprint/159 This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/159 2009-10-14T10:25:46Z

Recently, Space Systems Finland has undertaken formal Event B development of a part of on-board software for the BepiColombo space mission. As a result, lack of modularization mechanisms in Event B has been identified as a serious obstacle to scalability. One of the main benefit of modularization is that it allows us to decompose system models into components that can be independently developed. It also helps to manage complexity of models that in the industrial setting are usually very large and difficult to comprehend. On the other hand, modularization enables reuse of formally developed components in the formal product line development. In this paper we propose a conservative extension of Event B formalism to support modularization. We demonstrate how our approach can support reuse in the formal development in the space domain.

Alexei Iliasov "Alexei Iliasov" <Alexei.Iliasov@newcastle.ac.uk> Elena Troubitsyna Elena.Troubitsyna@abo.fi Linas Laibinis Linas.Laibinis@abo.fi Alexander Romanovsky alexander.romanovsky@ncl.ac.uk Kimmo Varpaaniemi Dubravka Ilic Timo Latvala 2011-01-18T14:05:51Z 2011-01-18T14:05:51Z http://deploy-eprints.ecs.soton.ac.uk/id/eprint/268 This item is in the repository with the URL: http://deploy-eprints.ecs.soton.ac.uk/id/eprint/268 2011-01-18T14:05:51Z

The Flows plugin is an extension of the Event B Rodin platform. Its purpose is to allow a modeller to verify a range of properties related to the order of event enabling in an Event B model. The tool offers a simple graphical notation and is meant to complement the core Event B development method.

Alexei Iliasov "Alexei Iliasov" <Alexei.Iliasov@newcastle.ac.uk>