Professor%20Peter%20Gorm%20Larsen

1
Tools for VDM in Industry

• Professor Peter Gorm Larsen
• Engineering College of Aarhus
• (pgl_at_iha.dk)

2
Personal Background

• Theoretical Work
• VDM-SL Semantics (ISO standard)
• VDM-SL Proof Rules (PhD work)
• More Practical Work
• VDM and Structured Analysis in combination
• VDMTools architect
• Transfer VDM to Industry
• Intensive use Industrially
• Employed by
• For 13 years IFAD A/S
• For 3,5 years Systematic Software Engineering
  A/S
• For 2,5 years
• Engineering College of Aarhus

3
Tools for VDM in Industry

• Industrial Experience with VDM
• Bootstrapping VDMTools
• Overview of VDMTools
• The Overture/Eclipse Initiative
• Vision for the future

4
References, World-wide, 2001
More than 150 VDMTools clients world-wide
France Aerospatiale Espace et Defense Dassault
Aviation Dasssault Electronique CISI CEA et
Defense CEA Leti Cap Gemini LAAS Matra Bae
Dynamics U.K. British Aerospace Systems
Equipment British Aerospace Defense Adelard ICL
Enterprise Engineering Rolls Royce Transitive
Technologies
North America Boeing Rockwell Collins Lockheed
Martin DDC-I, Inc. Rational Software Corp. Formal
Systems Inc. Concordia University Japan RTRI
(Japan Railways) JFITS Felica Networks Germany GA
O mbH
Italy ENEA Ansaldo The Netherlands Dutch Dept.
of Defence Origin Chess Portugal Sidereus Denmar
k Baan Nordic Odense Steel Shipyard DDC
International
5
ConForm (1994)

• Organisation British Aerospace (UK)
• Domain Security (gateway)
• Tools The VDM-SL Toolbox
• Experience
• Prevented propagation of error
• Successful technology transfer
• At least 4 more applications without support
• Statements
• Engineers can learn the technique in one week
• VDMTools? can be integrated gradually into a
  traditional existing development process

6
DustExpert (1995-7)

• Organisation Adelard (UK)
• Domain Safety (dust explosives)
• Tools The VDM-SL Toolbox
• Experience
• Delivered on time at expected cost
• Large VDM-SL specification
• Testing support valuable
• Statement
• Using VDMTools? we have achieved a productivity
  and fault density far better than industry norms
  for safety related systems

7
Adelard Metrics

• 31 faults in Prolog and C (lt 1/kloc)
• Most minor, only 1 safety-related
• 1 (small) design error, rest in coding

8
CAVA (1998-)

• Organisation Baan (Denmark)
• Domain Constraint solver (Sales Configuration)
• Tools The VDM-SL Toolbox
• Experience
• Common understanding
• Faster route to prototype
• Earlier testing
• Statement
• VDMTools? has been used in order to increase
  quality and reduce development risks on high
  complexity products

9
Dutch DoD (1997-8)

• Organisation Origin, The Netherlands
• Domain Military
• Tools The VDM-SL Toolbox
• Experience
• Higher level of assurance
• Mastering of complexity
• Delivered at expected cost and on schedule
• No errors detected in code after delivery
• Statement
• We chose VDMTools? because of high demands on
  maintainability, adaptability and reliability

10
DoD, NL Metrics (1)

• Estimated 12 C loc/h with manual coding!

11
DoD - Comparative Metrics
12
BPS 1000 (1997-)

• Organisation GAO, Germany
• Domain Bank note processing
• Tools The VDM-SL Toolbox
• Experience
• Better understanding of sensor data
• Errors identified in other code
• Savings on maintenance
• Statement
• VDMTools provides unparalleled support for design
  abstraction ensuring quality and control
  throughout the development life cycle.

13
Flower Auction (1998)

• Organisation Chess, The Netherlands
• Domain Financial transactions
• Tools The VDM Toolbox
• Experience
• Successful combination of UML and VDM
• Use iterative process to gain client commitment
• Implementers did not even have a VDM course
• Statement
• The link between VDMTools and Rational Rose is
  essential for understanding the UML diagrams

14
SPOT 4 (1999)

• Organisation CS-CI, France
• Domain Space (payload for SPOT4 satellite)
• Tools The VDM-SL Toolbox
• Experience
• 38 less lines of source code
• 36 less overall effort
• Use of automatic C code generation
• Statement
• The cost of applying Formal methods is
  significantly lower than without them.

15
IFAD VDM Applications

• VDMTools
• VDM interpreter
• VDM static semantics
• VDM to C code generator
• Specification manager
• UML mapper
• Java static semantics
• Java VDM translator
• MUSTER Emergency response training

16
Japanese Railways (2000-2001)

• Domain Railways (database and interlocking)
• Experience
• Prototyping important
• Subsequent also using it for ATC system
• Engineer working at IFAD for two years

17
TradeOne, CSK, 2000 - 2001

• Full TradeOne system is 1.3 MLOC system
• Mission-critical backbone system keeping track of
  financial transactions conducted
• Used by securities companies and brokerage houses

Options Subsystem handles the business process
for trading options. Modelled in VDM
Tax exemption subsystem has particularly complex
regulations to implement. Modelled in VDM.
18
TradeOne Cost Effectiveness
Subsystem COCOMO estimate Real time Time saving
Tax exemption Effort38.5 PM Schedule9M
Options Effort147.2 PM Schedule14.3M
Effort14 PM Schedule 3.5 M
Effort74 Schedule61
Effort 60 Schedule 51
Effort 60.1 PM Schedule7M
19
The FeliCa Mobile Chip Project

• Mobile FeliCa IC chips can be embedded inside
  mobile phones
• Used for different on-line services including
  payment
• Uses Near-Field-Communication technology
• Used for example for metro ticking in Tokyo
• The IC Chips contains an operating system as
  firmware
• This is fully developed using the VDM
  technology
• More than 50 people in total on the project

20
Further Information

• Applying Formal Specification in Industry. P.G.
  Larsen, J. Fitzgerald and T. Brookes. Published
  in "IEEE Software" vol. 13, no. 3, May 1996
• A Lightweight Approach to Formal Methods
  S.Agerholm and P.G. Larsen. In Proceedings of the
  International Workshop on Current Trends in
  Applied Formal Methods, Boppard, Germany,
  Springer-Verlag, October 1998.
• Applications of VDM in Banknote Processing P.
  Smith and P.G. Larsen. Application of VDM-SL to
  the Development of the SPOT4 Programming Messages
  Generator, A. Puccetti and J.Y. Tixadou Formal
  Specification of an Auctioning System Using VDM
  and UML, M.Verhoef et. al.
• Published at the First VDM Workshop VDM in
  Practice with the FM'99 Symposium, Toulouse,
  France, September 1999.

21
Tools for VDM in Industry

• Industrial Experience with VDM
• Bootstrapping VDMTools
• Overview of VDMTools
• The Overture/Eclipse Initiative
• Vision for the future

22
Development Choices Taken

• Executable models
• Testing and animation
• Partial analysis (validation)
• System level testing
• Code generation
• VDM for source code
• Formal refinement and formal verification

23
Staff Overview
91
92
93
94
95
96
97
98
99
00
MV
CA
BF
BA
GW
OO
PGL
KdB
NP
SN
JKP
ETN
PBL
MA
HC
VS
JKP
HV
NK
JNJ
SA
WS
LTO
JWT
OS
JKP
KS
JSF
JR
ML
RM
PM
24
Development Environment

• GNU C/Visual C
• Generic VDM C library
• GUI PreviouslyTcl/Tk, Now Qt
• flex and bison
• CVS/Ediff version control
• OSs Windows, Linux, Unix
• Test environments
• Development procedures

25
The Bootstrapping Process
VDM-SL DS spec
VDM-SL DS impl
Implicit time line
26
Specification Sizes
27
Component Categories

• Purely hand-coded
• VDM hand coding
• VDM code generation

28
Purely Hand-coded Components

• Scanner/parser (lex/yacc)
• pretty-printer (simple C component)
• GUI (previously Tcl/Tk, now Qt)
• Interface to third party tools
• Rational Rose
• Corba for API
• ML for HOL
• Generic VDM C library

29
VDM Hand Coding

• Dynamic semantics (SL and )
• Static semantics (SL and )
• Java/C Code generators (SL and )
• Test environments for each component
• Reused at implementation level
• Java/C code generators now themselves partially
  code generated

30
Maintenance Approach

• Bugs first reproduced at specification level
• Tested using the VDM debugger
• Check that all tests are satisfactory
• Implement changes of specification
• Rerun all tests at implementation level

31
VDM code generation

• Animator for SA/RT
• Specification Manager (SL and )
• VDM to/from UML translation
• Proof support (SL)
• Parts of GUI now code generated
• VDM model becomes source
• Trade-off with abstraction

32
Further Information

• An Executable Subset of Meta-IV with Loose
  Specification, P.G. Larsen, P.B. Lassen, VDM '91
  Formal Software Development Methods, 1991
• The IFAD VDM-SL Toolbox A Practical Approach to
  Formal Specifications, R. Elmstrøm, P.G. Larsen,
  P.B. Lassen, ACM Sigplan Notices, September 1994
• Computer-aided Validation of Formal
  Specifications, P. Mukherjee, Software
  Engineering Journal, July 1995
• Ten Years of Historical Development -
  Bootstrapping VDMTools, P.G. Larsen, Journal of
  Universal Computer Science, 2001

33
Tools for VDM in Industry

• Industrial Experience with VDM
• Bootstrapping VDMTools
• Overview of VDMTools
• The Overture/Eclipse Initiative
• Vision for the future

34
VDMTools Overview
Experimentally linked to HOL
Syntax Type Checker
Syntax Type Checker
Round Trip Engineering support
35
Japanese Support via Unicode
36
Validation with VDMTools
VDM specs
Actual results
Comparison
Execution
Test cases
Expected results
37
Documentation in MS Word/RTF
One compound document

• Documentation
• Specification
• Test coverage
• Test coverage statistics

38
Architecture of the Rose VDM Link
VDM Toolbox
Rational Rose 2000
UML Diagrams
Class Repository
Class Repository
Merge Tool
UML model file
VDM Files
39
Integrity checker
40
Reference Material

• The VDM Language for VICE, CSK, 2005
• The VDM User Manual, CSK, 2005
• The VDM Installation Guide, CSK, 2005
• Rational Rose Link Plug-in Installation and User
  Guide, CSK, 2005

41
Further Information

• An Executable Subset of Meta-IV with Loose
  Specification, P.G. Larsen, P.B. Lassen, VDM '91
  Formal Software Development Methods, 1991
• The IFAD VDM-SL Toolbox A Practical Approach to
  Formal Specifications, R. Elmstrøm, P.G. Larsen,
  P.B. Lassen, ACM Sigplan Notices, September 1994
• Computer-aided Validation of Formal
  Specifications, P. Mukherjee, Software
  Engineering Journal, July 1995
• Ten Years of Historical Development -
  Bootstrapping VDMTools, P.G. Larsen, Journal of
  Universal Computer Science, 2001

42
Tools for VDM in Industry

• Industrial Experience with VDM
• Bootstrapping VDMTools
• Overview of VDMTools
• The Overture/Eclipse Initiative
• Vision for the future

43
Overture versus VDMTools

• VDMTools (http//www.vdmtools.jp/en)
• Closed source, proprietary (available under NDA)
• Monolithic architecture (single binary), C
• Optimized for performance, industry strength
• Overture Tool project (http//www.overturetool.org
  )
• Open source, GPL license
• Plug-in architecture, Eclipse, Java
• Optimized for flexibility, targets academic use
• (partly) developed using VDMTools

44
Overture an open-source initiative

• Based on the Eclipse platform
• Extendible open VDM tool support
• Initial tool support produced in MSc project in
  NL
• MSc project carried out at TUD
• Jacob Porsborg Nielsen and Jens Kielsgaard Hansen
• MSc project at Aarhus University
• Thomas Christensen
• MSc projects at Engineering College of Aarhus
• Hugo Macedo, Minho University
• Sander Vermolen, University of Nijmegen
• New MSc projects at Engineering College of Aarhus
• Adriana Sucena, Minho University
• Carlos Vilhena, Minho University
• Augusto Ribeiro, Minho University

45
Overture Architecture Overview
Validation support
Basic automatic checks and GUI
Syntax Check
Type Check
Refactoring support
OML editor With syntax highlighting
Interpreter (Debugger) With API capabilities
Test Generation support
Connection to JML
AST
Eclipse
Visualization Support for Execution traces
Verification support
Pretty Printing With coverage
Proof Obligation generation
Automatic Proof support
Interactive Proof support
Model Checking support
Planned
Currently under development
Not yet available
46
Automatic AST generation

• specified in VDM
• code generated

implements
OVERTURE AST spec (VDM-SL subset)
other users can use these specs to specify their
own OVERTURE extensions (in VDM)
47
Tracefile Viewer (1)
48
Tracefile Viewer (2)
49
Tracefile Viewer (3)
50
Tools for VDM in Industry

• Industrial Experience with VDM
• Bootstrapping VDMTools
• Overview of VDMTools
• The Overture/Eclipse Initiative
• Vision for the future

51
Extending VDM with better support for
distributed real-time

• Today embedded real-time systems are increasingly
  distributed
• Hard to master complexity within tight time
  schedules
• Current research work extend VDM with better
  support for describing and analyzing this
• Possibility to use CPUs and BUSes inside system
• Deployment of objects to CPUs
• Setting priorities of operations
• Introduction of asynchronous operations
• Cycles statement in addition to duration
  statement

52
Combining with continuous time
53
Beyond the Ordinary Design of Embedded
Real-time Control

• BODERC project _at_ ESI
• Sept 2002 - Apr 2007
• Multi-disciplinary design
• mechanics
• electronics
• software
• High-tech systems focus
• Early life cycle trade-off analysis
• Industry as a laboratory
• http//www.esi.nl/boderc

54
Printer paper path - case study
VDM
VDMTools
continuous validation
co-sim results
Bondgraphs
20-sim
VDM
VDMTools
C
HOST COMPILER
DLL
SIL sim results
Bondgraphs
20-sim
measure- ments
VDM
VDMTools
C
TARGET COMPILER
ctrl app
55
An email from an old (very good) student

• At that time I understood that a formal
  specification would be an advantage for big
  projects but I had no idea how desperately this
  is also needed in smaller projects when there are
  many people involved. Today I do know
• At the moment I am working at BMW in the
  communications department. We work on the
  integration of the car telephone (including a
  telematics unit with GPS coordinates) into the
  overall car. There is a lot of interaction
  between the telephone and the HMI of the car and
  there are different versions and types of all the
  involved devices. There are also five companies
  (BMW, Motorola, Siemens VDO, Harmann-becker,
  Alpine) who develop the different units. The
  system should not be so complex because many of
  the devices should (!) behave similarly. But the
  specifications we write are English plain text
  (hundreds of pages), in our department more than
  10 people are involved and we do not know anymore
  how the devices will behave ourselves...every
  external company has an own interpretation of the
  specs and this interpretation changes over time.
  If you ask the same person twice you get
  different answers (I frankly admit that I am no
  exception)... You can imagine how "efficient"
  everything is and its a miracle that the system
  still works (with a number of bugs though)...

56
Go out and use the principles at least!