
25 November 2002 DeSIRE, Pisa

Methods and Tools for Formal Design and Validation

Michael Butler
University of Southampton
mjb@ecs.soton.ac.uk

Page 2: Other Contributors

- Thierry Lecomte, ClearSy (FR)
- Colin O’Halloran, QinetiQ (UK)
- Jerome Falampin, Siemens Transportation (FR)
- Michael Goldsmith, Formal Systems (UK)
- Traian Muntean, CNRS (FR)
- Kaisa Sere, Åbo Akademi (FIN)
- Ursula Martin, University of St Andrews (UK)

(Mostly MATISSE Partners)

Page 3: FMs and Dependability

- Fault Prevention (SW / HW)
  - Code / design verification (MC / TP)
  - Property languages (TL)
  - Assertion languages (e.g. JML, Ada Compliance Notation)
  - Correct by construction (e.g., VDM, B, Z)
    - Stepwise design from system-level models
    - Verification conditions at each step discharged using MC / TP
    - Final step: automatic code generation
- Fault Removal
  - Code / design verification (MC / TP)
  - Model-based testing

Page 4: FMs and Dependability

- Fault Tolerance
  - Validation of fault tolerance mechanisms through inclusion of faults in formal models
    - E.g., verify that a high-integrity system continues to satisfy a safety/security property in the presence of faults/attacks
  - Validation of failure modes
- Fault Evaluation
  - Use of model checking to discover whether / how component faults can lead to system failures
  - Combine with risk analysis to target verification effort
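As an added worked example (not from the talk or the MATISSE project), the following Python code is a small explicit-state model checker over a constructed tank-controller model with injected sensor faults. It covers both points on this slide: with a budget of one stuck sensor the fail-safe property is preserved, and with two the checker returns the trace showing how the component faults lead to a system failure. The model, the fault model (sensors stuck reporting "low") and the safety property are all assumptions made for the illustration.

```python
"""Added example (not from the talk): explicit-state model checking with injected faults."""
from collections import deque

# Constructed toy model: tank inlet valve controlled from two level sensors.
HIGH = 3        # level at which the controller must close the inlet valve
MAX_LEVEL = 4   # physical ceiling of the tank model
INIT = (0, True, True, True)   # (level, valve_open, sensor1_ok, sensor2_ok)

def control(state):
    """Controller step: any high reading closes the valve (fail-safe 1-out-of-2 voting).
    A faulty sensor is stuck reporting 0 whatever the true level."""
    level, _valve, s1, s2 = state
    seen = [level if ok else 0 for ok in (s1, s2)]
    return (level, max(seen) < HIGH, s1, s2)

def successors(state, faults_left):
    """One system step: physics, optional fault injection, then control decision."""
    level, valve, s1, s2 = state
    new_level = min(level + 1, MAX_LEVEL) if valve else max(level - 1, 0)
    yield control((new_level, valve, s1, s2)), faults_left
    if faults_left > 0:  # fault model: a healthy sensor may become stuck-low
        if s1:
            yield control((new_level, valve, False, s2)), faults_left - 1
        if s2:
            yield control((new_level, valve, s1, False)), faults_left - 1

def safe(state):
    """Safety property: the valve is never left open at or above HIGH."""
    level, valve, _s1, _s2 = state
    return not (valve and level >= HIGH)

def check(max_faults):
    """BFS over reachable (state, faults_left) pairs; None if the property holds,
    otherwise the shortest trace of states leading to a violation."""
    start = (INIT, max_faults)
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if not safe(node[0]):
            trace = []
            while node is not None:
                trace.append(node[0])
                node = parent[node]
            return trace[::-1]
        for nxt in successors(*node):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return None
```

`check(1)` returns None (one stuck sensor is tolerated), while `check(2)` returns the four-state trace ending with the valve open at level 3 and both sensors stuck.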

Page 5: FMs and Dependability

- Certification
  - Formal models of system-level behaviour to aid identification and analysis of hazards
  - Specification reviews
  - Proofs of safety preservation in design
  - Stronger validation of SW control wrt control laws
  - Fully verified code / more thorough testing

Page 6: MATISSE Experience

- Based on B Method and Atelier-B
- Previous formal experience varied
- Railway: formal relationship between system-level model and SW model
- Smart Cards: formally developed applet verifier
  - Modest increase in effort for a significant decrease in design / programming errors
- Healthcare: analysis of fault tolerance and failure modes for diagnostic device (UML+B)

Page 7: Challenges

- More complex fault models at system level
- Stronger integration of hazard analysis with formal modelling and verification
- Integration of numerical analysis / simulation tools with verification tools
- More powerful verification tools
- Make formal modelling and verification more appealing to systems engineers
- Develop domain-specific specialisations / tools
- Gather domain-specific evidence

Page 8: Application Areas

- Aerospace
- Defence
- Transportation
- Utilities
- E-commerce: security, dependable transactions
- Fault-tolerant communications infrastructures
- Ubiquitous computing devices and infrastructures

Page 9: IST Projects using FMs

- MATISSE (rail, smart cards, healthcare)
- RISE (automotive)
- SAFEAIR, DAEDALUS (aerospace)
- ADVANCE (telecoms)
- MAFTIA (comms infrastructures)
- DSoS (dependable systems)
- PROTOCURE (healthcare)
- VERIFICARD (smart cards)
- SYMBAD, PUSSEE (embedded electronics)
- …