Is it possible to take advantage of formal models beyond using them to guarantee certain properties of a system?

For example, to automate or simplify certain development and QA tasks?

Main -> FAQ -> EM-EA-1


 * Theme: Exploiting Models (EM)
 * Role: QAP

Answer


The primary use of a formal model is generally to have a precise description of the behaviour of the system under construction and to be able to reason about it in order to gain assurance that it fulfills a number of required properties.

Beyond this usage, formal models can be exploited in various other ways, which also increases the return on investment of the formalisation effort. The following figure summarises such uses at various stages of the development cycle (requirements validation, code generation, testing, etc.). The rest of this FAQ details them and also gives a few illustrations from the DEPLOY project or other projects.

Validation through animation
Model animation is about executing the formal model, potentially behind a business-specific interface (system maps, UI displays, control panels, etc.), so that domain experts and end users can validate the model. This approach is a good requirements engineering technique that typically allows one to identify incorrect or missing requirements early, before any code exists.

Within DEPLOY: the ProB tool includes an animator which can be coupled with the B-Motion Studio graphical animator.

Safety Analysis (FMEA)
A failure modes and effects analysis (FMEA) is an inductive failure analysis used in product development, systems engineering, reliability engineering and operations management to analyse the potential failure modes within a system and classify them by the severity and likelihood of the failures. FMEAs are required in many domains as part of the safety assurance process.

Within DEPLOY: safety reasoning can be based on system-level models such as Event-B models. This was investigated by several partners:
 * Siemens developed a practical way to integrate and facilitate FMEA analysis from their Event-B model, including a simplified way to reason about the probability.
 * SSF developed a mode-rich layered system from which an FMEA can be performed. It relies on a generic specification pattern for a system mode manager. This pattern captures a formalisation of reasoning about systems with non-instantaneous mode transitions and also covers the error recovery logic. When instantiated and refined, this pattern enables an incremental verification of global mode consistency, thus avoiding having to check the property for the whole architecture at once. It also contributes to the modularity of the specification.

Design refinement
Similar or different formalisms can be used at different levels of software design and development. In model-driven engineering, models naturally form a chain from an abstract system description to a software specification and then to more concrete architectural and code-level models.

Within DEPLOY: Event-B covers the system level through successive refinements, starting from a simple abstract description with the key properties and progressively introducing more complex system details and behaviours. Refinement is supported by the language itself. A transition can then be made to B (e.g. with AtelierB), and from there components can be further developed using B refinements down to implementation level, from which code can be generated directly.

Code generation
Code generation consists in automatically generating executable source code from a formal model. Unless it is for simulation purposes, the targeted model should be concrete enough to be mapped onto an imperative language, meaning the absence of non-determinism and the use of concrete data structures.

Within DEPLOY: a code generator was developed for Event-B, together with specific extensions such as one to specify control flow. This was however not a major focus of the project.

Model-based testing
Model-based testing (MBT) is about generating a set of test cases from a formal model. The use of formal technologies able to systematically explore all the possible behaviours results in the ability to generate test suites of very high quality in terms of coverage type and completeness.

A number of commercial tools are available for this, e.g. Smartesting (previously Leirios) and ConformiQ from MathWorks (previously Qtronic).

Within DEPLOY: a large effort was devoted by SAP to MBT and resulted in a tool ready for transfer. It is described in the success story about the Benefits of Model-Based Test Automation.
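The two uses above, executing a model to validate it (animation) and deriving a test suite from it (MBT), can be shown on a small Event-B style model: state, guarded events and an invariant. The following is an added example written for this FAQ, not code from DEPLOY, Rodin or ProB; the mode manager (a constructed toy, not the SSF pattern) and the flawed variant are assumptions made up for the illustration.

```python
# Added example, not DEPLOY/Event-B code: a constructed toy mode manager written
# Event-B style, state = (mode, fault), guarded events, one consistency invariant.
from collections import deque

EVENTS = {  # name -> (guard, action); action returns the next state
    "power_on":  (lambda m, f: m == "OFF",                  lambda m, f: ("BOOTING", f)),
    "boot_done": (lambda m, f: m == "BOOTING" and not f,    lambda m, f: ("NOMINAL", f)),
    "fault":     (lambda m, f: m in ("BOOTING", "NOMINAL"), lambda m, f: ("DEGRADED", True)),
    "recover":   (lambda m, f: m == "DEGRADED" and f,       lambda m, f: ("NOMINAL", False)),
    "power_off": (lambda m, f: m != "OFF",                  lambda m, f: ("OFF", False)),
}
INIT = ("OFF", False)

def invariant(state):
    """Mode consistency: NOMINAL never carries a fault, DEGRADED always does."""
    mode, fault = state
    return (mode != "NOMINAL" or not fault) and (mode != "DEGRADED" or fault)

def explore(events=EVENTS, init=INIT):
    """Exhaustive BFS of reachable states, as an animator or model checker does.
    Returns (paths, transitions, violations); paths maps each reachable state
    to a shortest event sequence reaching it, violations are counterexamples."""
    paths, transitions, violations = {init: ()}, set(), []
    queue = deque([init])
    while queue:
        s = queue.popleft()
        if not invariant(s):
            violations.append((s, paths[s]))   # state plus the trace that reaches it
        for name, (guard, action) in events.items():
            if guard(*s):
                t = action(*s)
                transitions.add((s, name, t))
                if t not in paths:
                    paths[t] = paths[s] + (name,)
                    queue.append(t)
    return paths, transitions, violations

def generate_tests(events=EVENTS, init=INIT):
    """MBT: a transition-covering suite, one event sequence per reachable transition."""
    paths, transitions, _ = explore(events, init)
    return sorted({paths[s] + (name,) for s, name, _ in transitions})

def flawed_events():
    """Constructed design error: recover returns to NOMINAL without clearing the fault."""
    bad = dict(EVENTS)
    bad["recover"] = (EVENTS["recover"][0], lambda m, f: ("NOMINAL", f))
    return bad
```

On the correct model the exploration reaches 4 states and 8 transitions with no violation, giving 8 test sequences; on the flawed variant it reports the state ("NOMINAL", True) with the trace power_on, fault, recover, which is exactly the kind of incorrect requirement animation is meant to surface.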

Rich traceability
In addition, formal methods also provide built-in traceability inside and between models. For instance, one can trace a high-level invariant in Event-B, to a set of preconditions or postconditions is each events of the model, thanks to the proofs, and to lower-level state machine. Furthermore, a specific plug-in was developed in Rodin, to enable one tracing requirements to any artefact of the model.