CLEARSY
EUROPARC de Pichaury, Bâtiment C2, 1330 av. Guillibert de la Lauzière, 13856 Aix en Provence Cedex 3
Telephone: 04.42.37.12.70  Fax: 04.42.37.12.71
www.clearsy.com

Formalized Operation Principles
Denis SABATIER
CLEARSY/PRES/COP
The PEUGEOT project: principle
- Source documents: design specifications (STEDS), completed by interviews, mails and phone
- B modelizations (Event-driven B)
- Formalized Operation Principles (FOP)
- Re-translation into natural language
Expected benefits
Informal statement: "Pressing the remote control button should unlock the doors."
In B:
  Door state(i) : {locked, unlocked}
  handle state(i) : {raised, normal}
  HF event = Door state(i) := unlocked
Questions raised by the formalization: for i = ??? Trunk? Works if handle raised?
- Remove ambiguous statements, discover missing information
- Consistency, completeness, no ambiguous statements, uniform level of detail
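The slide's door example carried through as an Event-driven B system in the Atelier B dialect, written here as an added illustration and not an excerpt of the PEUGEOT FOP documents. The door set and the two hypotheses H1 (the remote acts on every door, trunk included) and H2 (a raised handle keeps its door in its current state) are constructed assumptions, exactly the kind the FOP process turns into questions for the domain experts:

```b
/* Constructed example: the "unlock the doors" statement as an event-driven
   B system. Hypotheses H1 and H2 are assumptions, not PEUGEOT answers. */
SYSTEM
  DoorLocking
SETS
  DOOR = {front_left, front_right, rear_left, rear_right, trunk} ;  /* H1: the trunk is one of the doors */
  LOCK_STATE = {locked, unlocked} ;
  HANDLE_STATE = {raised, normal}
VARIABLES
  door_state, handle_state
INVARIANT
  door_state : DOOR --> LOCK_STATE &        /* "Door state(i)" of the slide, for every i */
  handle_state : DOOR --> HANDLE_STATE      /* "handle state(i)" */
INITIALISATION
  door_state := DOOR * {locked} ||
  handle_state := DOOR * {normal}
EVENTS
  /* HF event: the remote control button is pressed.
     H1 answers "for i = ???": every element of DOOR, trunk included.
     H2 answers "works if handle raised?": only doors whose handle is in the
     normal position change state; a raised handle leaves its door as it is.
     Atelier B generates the obligation that door_state stays a total function. */
  remote_unlock =
    BEGIN
      door_state := door_state <+ ({dd | dd : DOOR & handle_state(dd) = normal} * {unlocked})
    END ;

  /* Environment events: a handle is raised or released by the user. */
  raise_handle =
    ANY dd WHERE
      dd : DOOR & handle_state(dd) = normal
    THEN
      handle_state(dd) := raised
    END ;

  release_handle =
    ANY dd WHERE
      dd : DOOR & handle_state(dd) = raised
    THEN
      handle_state(dd) := normal
    END
END
```

Each guard and each set literal that the informal sentence left open is now a visible, reviewable choice; changing an answer (for instance removing trunk from DOOR) changes the model at one identifiable place.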
The chosen level of detail: replaceable units
- Divide the car into Replaceable Units
- Define the behaviour of each Replaceable Unit: what it should do in every situation
- Interfaces: define the semantics, not the format
- FOP + Interface format documents = you can predict what messages and signals are exchanged in every situation
Proof
Standard use of B:
- Abstract B model (specification)
- Less abstract B model (design)
- The B theory tells what predicates must be proven
- Theorem prover (Atelier B)
Use of B in the FOP:
- B model (design specification)
- B invariants (consistency, simple functional properties)
- Theorem prover (Atelier B)
Size & Costs
- Project duration: from June 99 to Dec 01
- 2 vehicles (307, 206 mux)
- About 2 x 150,000 lines of documents produced
- All domains, from motor to radio player
- 1st vehicle ~ 14 man-years, 2nd ~ 5.6 m.y.
Key points
- Directive sentences, no pseudo programming!
  « Write models that are the best way you find to describe (predict) how the system reacts »
  « Your models should be usable to predict the system's reactions without pseudo executing the models »
  « Do not use any abstract variable that doesn't represent something in real life »
- Link the model to reality: « whatever the real situation is, you should always be able to tell what the values of the abstract variables corresponding to this situation are, and what the B events corresponding to the observed events are », even if such a valuation would require unfeasible measurements or unknown key values...
Results
Very efficient to find missing information:
- Formalization forces consistent definition of each detail from the specifications
- Can be done by a complete team of engineers
- Efficient questions for domain expert interviews
- When information is missing, B models are completed using hypotheses; hypotheses become questions
But...
- Formalized documents made afterward are difficult to insert in the product's process
- Formalization quality depends upon capacity of abstraction
- Model quality cannot be checked by compiling and running
Model accuracy
- No automated tests between source documents and B models, because source documents are informal
- No automated tests between the real device and B models: tests can be done, but won't be exhaustive
- Next step: early formalization and formal development. More proofs!
Next
- Many people asked for a more global level of description
- Replaceable unit level is necessary for car diagnosis
- Global descriptions done informally: difficult... FOP engineers want to prove their models against a more global level
- First models: level = replaceable units
- Find true functions' laws at car level: car-level B models, with replaceable-unit-level B models as refinements
Industrial point of view
Goal = « the project & product must be a commercial success »
- « product 100% functional » is not directly a goal
- Sub-goal 1: time & cost of the project kept to the minimum required
- Sub-goal 2: product satisfies the customer's needs
The role of formal methods: master the complexity
- To control projects' time & costs
- To obtain products that meet customer needs
Formal methods payback: difficult to measure
- Measurements exist (ex: METEOR), but discussion also exists
- Still perceived as a matter of conviction; need to gather more and more industrial success stories
Trends (now)
[Figure: development stages laid out from abstract to concrete, with a Manual / Automated legend and a Formal Methods label; the diagram itself is not recoverable]
Abstract: Marketing studies, High level requirements, Research, General design, Architecture design
Concrete: Detailed requirements, Module requirements, Interfaces, Code generation, Tests / Compiling, Hardware design
Legend: = Manual, = Automated; Formal Methods
Trends (next)
[Figure: the same development stages from abstract to concrete, with the Manual / Automated legend and Formal Methods label; the diagram itself is not recoverable]
Abstract: Marketing studies, High level requirements, Research, General design, Architecture design
Concrete: Detailed requirements, Module requirements, Interfaces, Code generation, Tests / Compiling, Hardware design
Legend: = Manual, = Automated; Formal Methods