VDM Technology in Industry
Peter Gorm Larsen
March 2006 (54 slides)
Personal Background
• Theoretical Work
  • VDM-SL Semantics (ISO standard)
  • VDM-SL Proof Rules (Ph.D. work)
• More Practical Work
  • VDM and SA in combination
  • IFAD VDMTools
  • Transfer VDM to Industry
  • Intensive use Industrially
• Employed by
  • For 13 years: IFAD
  • For 3.5 years: Systematic
  • For ¾ year: Engineering College of Aarhus

VDM Technology in Industry (agenda)
→ Where does VDM fit in?
• IFAD Clients Experiences
• "Bootstrapping" VDMTools
• Overview of VDMTools
• Vision for the future
The Life-cycle Model: Where does the VDM technology fit in?
(V-model diagram: System Analysis, Software Design and Coding on the left-hand side, matched by Unit Test, Module Test and System Test on the right-hand side)

VDM for Requirements Analysis
(diagram: a VDM Model is built by modelling & validation at the System Analysis stage; animation and test cases derived from the model feed System Test)

VDM for Analysis & Design
(diagram: the VDM Model now spans both System Analysis and Software Design; animation and test cases feed System Test and Module Test)

VDM for the Full Life-cycle Model
(diagram: the VDM Model covers the whole left-hand side of the V and Coding is replaced by Code Generation from the model; test cases feed Unit Test as well)
VDM Technology in Industry (agenda)
✓ Where does VDM fit in?
→ IFAD Clients Experiences
• "Bootstrapping" VDMTools
• Overview of VDMTools
• Vision for the future

References, World-wide, 2001
More than 150 clients world-wide
• France: Aerospatiale Espace et Defense, Dassault Aviation, Dassault Electronique, CISI, CEA et Defense, CEA Leti, Cap Gemini, LAAS, Matra BAe Dynamics
• U.K.: British Aerospace Systems & Equipment, British Aerospace Defense, Adelard, ICL Enterprise Engineering, Rolls Royce, Transitive Technologies
• Italy: ENEA, Ansaldo
• The Netherlands: Dutch Dept. of Defence, Origin, Chess
• Portugal: Sidereus
• Denmark: Baan Nordic, Odense Steel Shipyard, DDC International
• North America: Boeing, Rockwell Collins, Lockheed Martin, DDC-I, Inc., Rational Software Corp., Formal Systems Inc., Concordia University
• Japan: RTRI (Japan Railways), JFITS
• Germany: GAO mbH
ConForm (1994)
• Organisation: British Aerospace (UK)
• Domain: Security (gateway)
• Tools: The IFAD VDM-SL Toolbox
• Experience:
  • Prevented propagation of error
  • Successful technology transfer
  • At least 4 more applications without support
• Statements:
  • "Engineers can learn the technique in one week"
  • "VDMTools can be integrated gradually into a traditional existing development process"

DustExpert (1995-7)
• Organisation: Adelard (UK)
• Domain: Safety (dust explosives)
• Tools: The IFAD VDM-SL Toolbox
• Experience:
  • Delivered on time at expected cost
  • Large VDM-SL specification
  • Testing support valuable
• Statement:
  • "Using VDMTools we have achieved a productivity and fault density far better than industry norms for safety related systems"

Adelard Metrics
• 31 faults in Prolog and C++ (< 1/kloc)
• Most minor, only 1 safety-related
• 1 (small) design error, rest in coding
CAVA (1998-)
• Organisation: Baan (Denmark)
• Domain: Constraint solver (Sales Configuration)
• Tools: The IFAD VDM-SL Toolbox
• Experience:
  • Common understanding
  • Faster route to prototype
  • Earlier testing
• Statement:
  • "VDMTools has been used in order to increase quality and reduce development risks on high complexity products"

Dutch DoD (1997-8)
• Organisation: Origin, The Netherlands
• Domain: Military
• Tools: The IFAD VDM-SL Toolbox
• Experience:
  • Higher level of assurance
  • Mastering of complexity
  • Delivered at expected cost and on schedule
  • No errors detected in code after delivery
• Statement:
  • "We chose VDMTools because of high demands on maintainability, adaptability and reliability"

DoD, NL Metrics (1)
• Estimated 12 C++ loc/h with manual coding!

DoD - Comparative Metrics (cost per phase, from the bar chart)
                 Analysis & Design   Coding   Testing   Total   Relative cost
  Traditional:          900           2000      700     3600       100%
  VDMTools:            1200            500      600     2300        64%
BPS 1000 (1997-)
• Organisation: GAO, Germany
• Domain: Bank note processing
• Tools: The IFAD VDM-SL Toolbox
• Experience:
  • Better understanding of sensor data
  • Errors identified in other code
  • Savings on maintenance
• Statement:
  • "VDMTools provides unparalleled support for design abstraction ensuring quality and control throughout the development life cycle."

Flower Auction (1998)
• Organisation: Chess, The Netherlands
• Domain: Financial transactions
• Tools: The IFAD VDM++ Toolbox
• Experience:
  • Successful combination of UML and VDM++
  • Use iterative process to gain client commitment
  • Implementers did not even have a VDM course
• Statement:
  • "The link between VDMTools and Rational Rose is essential for understanding the UML diagrams"

SPOT 4 (1999)
• Organisation: CS-CI, France
• Domain: Space (payload for SPOT 4 satellite)
• Tools: The IFAD VDM-SL Toolbox
• Experience:
  • 38 % less lines of source code
  • 36 % less overall effort
  • Use of automatic C++ code generation
• Statement:
  • "The cost of applying Formal methods is significantly lower than without them."

K-LINE
• Organisation: Sidereus, Portugal
• Domain: reverse engineering of database systems
• Tools: The IFAD VDM-SL/++ Toolbox
• Experience:
  • Development of a tool for FM-based data-intensive operations (data-migration and data-quality)
  • Semi-automatic generation of ISO/IEC 13817-1 abstract descriptions out of informal or poorly structured meta-data
• Statement:
  • "Formal properties of data provide a firm basis for quality control in maintaining legacy information systems, thus saving costs in data cleansing/reverse specification contracts."
IFAD VDM Applications
• VDMTools
  • VDM interpreter
  • VDM static semantics
  • VDM to C++ code generator
  • Specification manager
  • UML mapper
  • Java static semantics
  • Java VDM++ translator
• MUSTER: Emergency response training

Japanese Railways (2000-2001)
• Domain: Railways (database and interlocking)
• Experience:
  • Prototyping important
  • Now also using it for ATC system
  • Engineer working at IFAD for two years

Stock-options (2000-)
• Organisation: JFITS, Japan
• Domain: Financial
• Tools: The IFAD VDM++ Toolbox
• Ongoing and still expanding

Further Information
• Applying Formal Specification in Industry. P. G. Larsen, J. Fitzgerald and T. Brookes. Published in "IEEE Software" vol. 13, no. 3, May 1996
• A Lightweight Approach to Formal Methods. S. Agerholm and P. G. Larsen. In Proceedings of the International Workshop on Current Trends in Applied Formal Methods, Boppard, Germany, Springer-Verlag, October 1998
• Applications of VDM in Banknote Processing. P. Smith and P. G. Larsen.
  + Application of VDM-SL to the Development of the SPOT 4 Programming Messages Generator. A. Puccetti and J. Y. Tixadou.
  + Formal Specification of an Auctioning System Using VDM++ and UML. M. Verhoef et al.
  All three published at the First VDM Workshop: VDM in Practice, with the FM'99 Symposium, Toulouse, France, September 1999
VDM Technology in Industry (agenda)
✓ Where does VDM fit in?
✓ IFAD Clients Experiences
→ "Bootstrapping" VDMTools
• Overview of VDMTools
• Vision for the future

Development Choices Taken
• Executable models: adopted, giving testing and animation
• Partial "analysis" (validation): adopted, giving system level testing
• Code generation: adopted, so VDM serves as source code
• Formal refinement and formal verification: not adopted

Staff Overview
(timeline chart of the VDMTools team members, identified by initials, from 1991 to 2000)

Development Environment
• GNU C++/Visual C++
• Generic VDM C++ library
• GUI: Previously: Tcl/Tk, Now: Qt
• flex and bison
• CVS/Ediff version control
• OSs: Windows, Linux, Unix
• Test environments
• Development procedures

The "Bootstrapping" Process
(diagram: along an implicit time line, each tool component (DS, SS, CG, SM, PM) has a specification written in VDM++ or VDM-SL and a corresponding implementation; the DS spec is in VDM++, the others in VDM-SL)
Specification Sizes
(chart; the figures are not recoverable from this page)

Component Categories
• Purely hand-coded
• VDM + hand coding
• VDM + code generation

Purely Hand-coded Components
• Scanner/parser (lex/yacc)
• Pretty-printer (simple C++ component)
• GUI (previously: Tcl/Tk, now: Qt)
• Interface to third party tools
  • Rational Rose
  • Corba for API
  • ML for HOL
• Generic VDM C++ library

VDM + Hand Coding
• Dynamic semantics (SL and ++)
• Static semantics (SL and ++)
• Java/C++ Code generators (SL and ++)
• Test environments for each component
• Reused at implementation level
• Java/C++ code generators now themselves partially code generated

Maintenance Approach
• Bugs first reproduced at specification level
• Tested using the VDM debugger
• Check that all tests are satisfactory
• Implement changes of specification
• Rerun all tests at implementation level

VDM + code generation
• Animator for SA/RT
• Specification Manager (SL and ++)
• VDM++ to/from UML translation
• Proof support (SL)
• Parts of GUI now code generated
• VDM model becomes source
• Trade-off with abstraction

Further Information
• An Executable Subset of Meta-IV with Loose Specification, P. G. Larsen, P. B. Lassen, VDM '91: Formal Software Development Methods, 1991
• The IFAD VDM-SL Toolbox: A Practical Approach to Formal Specifications, R. Elmstrøm, P. G. Larsen, P. B. Lassen, ACM Sigplan Notices, September 1994
• Computer-aided Validation of Formal Specifications, P. Mukherjee, Software Engineering Journal, July 1995
• Ten Years of Historical Development - "Bootstrapping" VDMTools, P. G. Larsen, Journal of Universal Computer Science, 2001
VDM Technology in Industry (agenda)
✓ Where does VDM fit in?
✓ IFAD Clients Experiences
✓ "Bootstrapping" VDMTools
→ Overview of VDMTools
• Vision for the future

VDMTools® Overview
• Syntax & Type Checker
• Java to VDM++
• Integrity Checker
• The Rose-VDM++ Link
• Interpreter (Debugger)
• Document Generator
• API (Corba), DL Facility
• Code Generators - C++, Java

Japanese Support via Unicode
(screenshot)

Validation with VDMTools®
(diagram: test cases are executed against the VDM specs; the actual results are compared with the expected results)

Documentation in MS Word/RTF
One compound document:
• Documentation
• Specification
• Test coverage statistics

Architecture of the Rose VDM++ Link
(diagram: Rational Rose 2000 holds the UML diagrams and a UML model file; the VDM++ Toolbox holds the VDM++ files; each side has a class repository, and a merge tool reconciles the two repositories)

Integrity checker
(screenshot)

Reference Material
• The VDM++ Language for VICE, CSK, 2005
• The VDM++ User Manual, CSK, 2005
• The VDM++ Installation Guide, CSK, 2005
• Rational Rose Link Plug-in Installation and User Guide, CSK, 2005
VDM Technology in Industry (agenda)
✓ Where does VDM fit in?
✓ IFAD Clients Experiences
✓ "Bootstrapping" VDMTools
✓ Overview of VDMTools
→ Vision for the future

VDMTools future
• IFAD went bankrupt April 2004
• CSK (mother company for JFITS) from Japan bought the IPR for VDMTools from the bankruptcy
• VDMTools executable and documentation is available again
  • Academic version
  • Non-commercial version
  • Commercial version
• A new book on VDM++ was released January 2005

Overture – an open-source initiative
• Based on the Eclipse platform
• Extendible open VDM++ tool support
• Initial tool support produced in MSc project in NL
  • MSc project carried out at TUD
  • Jacob Porsborg Nielsen and Jens Kielsgaard Hansen
• New MSc project at Aarhus University
  • Thomas Christensen
• Aimed for
  • Academic research around the globe
  • Eventually industrial quality support
• If this succeeds VDMTools may stop
• Workshop about Overture was held at FM'05

Extending VDM++ with better support for distributed real-time
• Today embedded real-time systems are increasingly distributed
• Hard to master complexity within tight time schedules
• Current research work extends VDM++ with better support for describing and analyzing this
  • Possibility to use CPUs and BUSes inside system
  • Deployment of objects to CPUs
  • Setting priorities of operations
  • Introduction of asynchronous operations
  • Cycles statement in addition to duration statement

Case study overview
(diagram: an environment model sends stimuli (Volume Knob, TMC) to the system model and receives responses; the system model is shown in an application view, a deployment view, a computation view and a communication view, with the operations HandleKeyPress, AdjustVolume, UpdateVolume, TransmitTMC, UpdateTMC, DecodeTMC and HandleTMC distributed over CPU1, CPU2 and CPU3)
In-car navigation case study

  system RadNavSys
  instance variables
    -- create an MMI class instance
    static public mmi : MMI := new MMI();
    -- define the first CPU with fixed priority scheduling and 22E6 MIPS
    CPU1 : CPU := new CPU(<FP>, 22E6);
    -- create a Radio class instance
    static public radio : Radio := new Radio();
    -- define the second CPU with fixed priority scheduling and 11E6 MIPS
    CPU2 : CPU := new CPU(<FP>, 11E6);
    -- create a Navigation class instance
    static public navigation : Navigation := new Navigation();
    -- define third CPU with fixed priority scheduling and 113 MIPS
    CPU3 : CPU := new CPU(<FP>, 113E6);
    -- create a communication bus that links the three CPUs together
    BUS1 : BUS := new BUS(<FCFS>, 72E3, {CPU1, CPU2, CPU3});
    ...

In-car navigation case study (continued)

  operations
    public RadNavSys : () ==> RadNavSys
    RadNavSys () ==
    ( -- deploy mmi on CPU1
      CPU1.deploy(mmi, "MMIT");
      CPU1.setPriority("HandleKeyPress", 100);
      CPU1.setPriority("UpdateScreen", 90);
      -- deploy radio on CPU2
      CPU2.deploy(radio, "RadioT");
      CPU2.setPriority("AdjustVolume", 100);
      CPU2.setPriority("DecodeTMC", 90);
      -- deploy navigation on CPU3
      CPU3.deploy(navigation, "NavT");
      CPU3.setPriority("DatabaseLookup", 100);
      CPU3.setPriority("DecodeTMC", 90)
    );
  end RadNavSys
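As an added example that is not part of these slides or of the case study's own model, the Radio class that the system class above deploys on CPU2, written with the constructs listed on the distributed real-time slide (async operations, cycles and duration statements, a periodic thread); the syntax follows "The VDM++ Language for VICE" cited under Reference Material, and the class body, instruction counts and period are assumptions.

```vdm
-- Added example, not from the slides: a Radio class for the RadNavSys
-- system model above. Times are in nanoseconds, as in VICE.
class Radio

instance variables
  volume   : nat := 0;
  tmcQueue : seq of seq of char := [];
  inv volume <= 100;

operations
  -- async: the caller on CPU1 is released as soon as the request is put
  -- on BUS1; the body is charged 1000 instructions on CPU2, so its
  -- duration follows from the 11E6 instructions/s given for CPU2.
  public async AdjustVolume : nat ==> ()
  AdjustVolume (level) ==
    cycles (1000) ( volume := level )
  pre level <= 100;

  -- duration: a fixed 5 ms regardless of which CPU executes it
  public DecodeTMC : seq of char ==> ()
  DecodeTMC (msg) ==
    duration (5E6) ( tmcQueue := tmcQueue ^ [msg] );

  -- drains one queued message per period of the thread below
  private ProcessTMC : () ==> ()
  ProcessTMC () ==
    if tmcQueue <> [] then
      cycles (2000) ( tmcQueue := tl tmcQueue );

  public GetVolume : () ==> nat
  GetVolume () == return volume;

sync
  -- at most one of the three state-changing operations runs at a time
  mutex (AdjustVolume, DecodeTMC, ProcessTMC);

thread
  -- period 100 ms, no jitter, no minimum distance, no offset;
  -- the thread is started by start(radio) in the RadNavSys constructor
  periodic (100E6, 0, 0, 0) (ProcessTMC);

end Radio
```

The priorities set in RadNavSys ("AdjustVolume" at 100, "DecodeTMC" at 90 on CPU2) decide which of these operations runs first when both are pending on CPU2's fixed-priority scheduler.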
An email from an old (very good) student ...

"At that time I understood that a formal specification would be an advantage for big projects but I had no idea how desperately this is also needed in smaller projects when there are many people involved. Today I do know: At the moment I am working at BMW in the communications department. We work on the integration of the car telephone (including a telematics unit with GPS coordinates) into the overall car. There is a lot of interaction between the telephone and the HMI of the car and there are different versions and types of all the involved devices. There are also five companies (BMW, Motorola, Siemens VDO, Harmann-becker, Alpine) who develop the different units. The system should not be so complex because many of the devices should (!) behave similarly. But the specifications we write are English plain text (hundreds of pages), in our department more than 10 people are involved and we do not know anymore ourselves how the devices will behave... every external company has its own interpretation of the specs and this interpretation changes over time. If you ask the same person twice you get different answers (I frankly admit that I am no exception)... You can imagine how "efficient" everything is and it's a miracle that the system still works (with a number of bugs though)..."

Go out and use the principles at least!