March 2009Tools for VDM in Industry1 Professor Peter Gorm Larsen Engineering College of Aarhus Also adjunct professor at Aarhus University

March 2009Tools for VDM in Industry2 Personal Background Theoretical Work VDM-SL Semantics (ISO standard) VDM-SL Proof Rules (PhD work) More Practical Work VDM and Structured Analysis in combination VDMTools architect Transfer VDM to Industry Intensive use Industrially Employed by For 13 years: IFAD A/S For 3,5 years: Systematic Software Engineering A/S For 3,5 years: Engineering College of Aarhus

March 2009Tools for VDM in Industry3  Industrial Experience with VDM ”Bootstrapping” VDMTools Overview of VDMTools The Overture/Eclipse Initiative Vision for the future

March 2009Tools for VDM in Industry4 References, World-wide, 2001 France Aerospatiale Espace et Defense Dassault Aviation Dasssault Electronique CISI CEA et Defense CEA Leti Cap Gemini LAAS Matra Bae Dynamics U.K. British Aerospace Systems & Equipment British Aerospace Defense Adelard ICL Enterprise Engineering Rolls Royce Transitive Technologies ItalyENEAAnsaldo The Netherlands Dutch Dept. of Defence OriginChessPortugalSidereusDenmark Baan Nordic Odense Steel Shipyard DDC International North America Boeing Rockwell Collins Lockheed Martin DDC-I, Inc. Rational Software Corp. Formal Systems Inc. Concordia University Japan RTRI (Japan Railways) JFITS Felica Networks Germany GAO mbH More than 150 VDMTools clients world-wide

March 2009Tools for VDM in Industry5 ConForm (1994) Organisation: British Aerospace (UK) Domain: Security (gateway) Tools: The VDM-SL Toolbox Experience: Prevented propagation of error Successful technology transfer At least 4 more applications without support Statements: “Engineers can learn the technique in one week” “VDMTools  can be integrated gradually into a traditional existing development process”

March 2009Tools for VDM in Industry6 DustExpert (1995-7) Organisation: Adelard (UK) Domain: Safety (dust explosives) Tools: The VDM-SL Toolbox Experience: Delivered on time at expected cost Large VDM-SL specification Testing support valuable Statement: “Using VDMTools  we have achieved a productivity and fault density far better than industry norms for safety related systems”

March 2009Tools for VDM in Industry7 Adelard Metrics 31 faults in Prolog and C++ (< 1/kloc) Most minor, only 1 safety-related 1 (small) design error, rest in coding

March 2009Tools for VDM in Industry8 CAVA (1998-) Organisation: Baan (Denmark) Domain: Constraint solver (Sales Configuration) Tools: The VDM-SL Toolbox Experience: Common understanding Faster route to prototype Earlier testing Statement: “VDMTools  has been used in order to increase quality and reduce development risks on high complexity products”

March 2009Tools for VDM in Industry9 Dutch DoD (1997-8) Organisation: Origin, The Netherlands Domain: Military Tools: The VDM-SL Toolbox Experience: Higher level of assurance Mastering of complexity Delivered at expected cost and on schedule No errors detected in code after delivery Statement: “We chose VDMTools  because of high demands on maintainability, adaptability and reliability”

March 2009Tools for VDM in Industry10 DoD, NL Metrics (1) Estimated 12 C++ loc/h with manual coding!

March 2009Tools for VDM in Industry11 DoD - Comparative Metrics CODINGTESTING CODINGTESTING ANALYSIS & DESIGNTraditional: VDMTools ® : Cost ANALYSIS & DESIGN % 64% 100%

March 2009Tools for VDM in Industry12 BPS 1000 (1997-) Organisation: GAO, Germany Domain: Bank note processing Tools: The VDM-SL Toolbox Experience: Better understanding of sensor data Errors identified in other code Savings on maintenance Statement: VDMTools provides unparalleled support for design abstraction ensuring quality and control throughout the development life cycle.

March 2009Tools for VDM in Industry13 Flower Auction (1998) Organisation: Chess, The Netherlands Domain: Financial transactions Tools: The VDM++ Toolbox Experience: Successful combination of UML and VDM++ Use iterative process to gain client commitment Implementers did not even have a VDM course Statement: “The link between VDMTools and Rational Rose is essential for understanding the UML diagrams”

March 2009Tools for VDM in Industry14 SPOT 4 (1999) Organisation: CS-CI, France Domain: Space (payload for SPOT4 satellite) Tools: The VDM-SL Toolbox Experience: 38 % less lines of source code 36 % less overall effort Use of automatic C++ code generation Statement: The cost of applying Formal methods is significantly lower than without them.

March 2009Tools for VDM in Industry15 IFAD VDM Applications VDMTools VDM interpreter VDM static semantics VDM to C++ code generator Specification manager UML mapper Java static semantics Java VDM++ translator MUSTER: Emergency response training

March 2009Tools for VDM in Industry16 Japanese Railways ( ) Domain: Railways (database and interlocking) Experience: Prototyping important Subsequent also using it for ATC system Engineer working at IFAD for two years

March 2009Tools for VDM in Industry17 TradeOne, CSK, Full TradeOne system is 1.3 MLOC system Mission-critical backbone system keeping track of financial transactions conducted Used by securities companies and brokerage houses Tax exemption subsystem has particularly complex regulations to implement. Modelled in VDM++. Options Subsystem handles the business process for trading options. Modelled in VDM++

March 2009Tools for VDM in Industry18 TradeOne Cost Effectiveness SubsystemCOCOMO estimate Real timeTime saving Tax exemptionEffort:38.5 PM Schedule:9M OptionsEffort:147.2 PM Schedule:14.3M Effort:14 PM Schedule: 3.5 M Effort:74% Schedule:61% Effort: 60.1 PM Schedule:7M Effort: 60% Schedule: 51% Overall sizes Total TradeOne 1,342,858 Tax exemption subsystem 18,431 Option subsystem 60,206

March 2009Tools for VDM in Industry19 The FeliCa Mobile Chip Project Mobile FeliCa IC chips can be embedded inside mobile phones Used for different on-line services including payment Uses Near-Field-Communication technology Used for example for metro ticking in Tokyo The IC Chips contains an operating system as firmware for 50 million mobile phones This is fully developed using the VDM++ technology Between 50 and 60 people in total on the project 23.5 mm

March 2009Tools for VDM in Industry20 Specification and Implementation Growth Specification v.1.0 Specification PhaseImplementation Phase 形式仕様書 /72006/4 Specification Implementation kLOC The average productivity of VDM++ code for the formal specifications was about 1,900 LOC per engineer per month.

March 2009Tools for VDM in Industry21 Number of Changes 形式仕様書 0.9 Specification v.1.0 Specification PhaseImplementation Phase 2004/7 Number of Changes /4

March 2009Tools for VDM in Industry22 Further Information Applying Formal Specification in Industry. P.G. Larsen, J. Fitzgerald and T. Brookes. Published in "IEEE Software" vol. 13, no. 3, May 1996 A Lightweight Approach to Formal Methods S.Agerholm and P.G. Larsen. In Proceedings of the International Workshop on Current Trends in Applied Formal Methods, Boppard, Germany, Springer-Verlag, October Applications of VDM in Banknote Processing P. Smith and P.G. Larsen. + Application of VDM-SL to the Development of the SPOT4 Programming Messages Generator, A. Puccetti and J.Y. Tixadou + Formal Specification of an Auctioning System Using VDM++ and UML, M.Verhoef et. al. Published at the First VDM Workshop: VDM in Practice with the FM'99 Symposium, Toulouse, France, September Application of a Formal Specification Language in the Development of the ``Mobile FeliCa'' IC Chip Firmware for Embedding in Mobile Phone, Taro Kurita and Miki Chiba and Yasumasa Nakatsugawa, Springer-Verlag, FM2008, May 2008.

March 2009Tools for VDM in Industry23 Tools for VDM in Industry Industrial Experience with VDM  ”Bootstrapping” VDMTools Overview of VDMTools The Overture/Eclipse Initiative Vision for the future

March 2009Tools for VDM in Industry24 Development Choices Taken Executable models þTesting and animation Partial “analysis” (validation) þSystem level testing Code generation þVDM for source code  Formal refinement and formal verification

March 2009Tools for VDM in Industry25 Staff Overview PGL PBL MA ETN HC HV NK JNJ SA LTO JWT OS JKP KS PM NP MV KdB CABFBA SN JKP VSJKP WS JSF GWOO +JR+ML+RM

March 2009Tools for VDM in Industry26 Development Environment GNU C++/Visual C++ Generic VDM C++ library GUI: Previously:Tcl/Tk, Now: Qt flex and bison CVS/Ediff version control OSs: Windows, Linux, Unix Test environments Development procedures

March 2009Tools for VDM in Industry27 VDM++ The “Bootstrapping” Process VDM-SL DS spec VDM-SL DS impl VDM-SL SM spec VDM-SL SM impl VDM-SL PM spec VDM-SL PM impl VDM-SL CG spec VDM-SL CG impl VDM-SL SS spec VDM-SL SS impl Implicit time line

March 2009Tools for VDM in Industry28 Specification Sizes

March 2009Tools for VDM in Industry29 Component Categories Purely hand-coded VDM + hand coding VDM + code generation

March 2009Tools for VDM in Industry30 Purely Hand-coded Components Scanner/parser (lex/yacc) pretty-printer (simple C++ component) GUI (previously: Tcl/Tk, now: Qt) Interface to third party tools Rational Rose and XMI based UML tools Corba for API ML for HOL Generic VDM C++ library

March 2009Tools for VDM in Industry31 VDM + Hand Coding Dynamic semantics (SL and ++) Static semantics (SL and ++) Java/C++ Code generators (SL and ++) Test environments for each component Reused at implementation level Java/C++ code generators now themselves partially code generated

March 2009Tools for VDM in Industry32 Maintenance Approach Bugs first reproduced at specification level Tested using the VDM debugger Check that all tests are satisfactory Implement changes of specification Rerun all tests at implementation level

March 2009Tools for VDM in Industry33 VDM + code generation Animator for SA/RT Specification Manager (SL and ++) VDM++ to/from UML translation Proof support (SL) Parts of GUI now code generated VDM model becomes source Trade-off with abstraction

March 2009Tools for VDM in Industry34 Tools for VDM in Industry Industrial Experience with VDM ”Bootstrapping” VDMTools  Overview of VDMTools The Overture/Eclipse Initiative Vision for the future

March 2009Tools for VDM in Industry35 VDMTools Overview Rose-VDM++ Link Document Generator Code Generators - C++, Java Syntax & Type Checker API (Corba), DL Facility Interpreter (Debugger) Integrity Checker Java to VDM++ Round Trip Engineering support Experimentally linked to HOL Syntax & Type Checker Integrity Checker

March 2009Tools for VDM in Industry36 Japanese Support via Unicode

March 2009Tools for VDM in Industry37 Validation with VDMTools ® VDM specs Test cases Expected results Actual results Comparison Execution

March 2009Tools for VDM in Industry38 Documentation in MS Word/RTF One compound document: Documentation Specification Test coverage Test coverage statistics

March 2009Tools for VDM in Industry39 Architecture of the Rose VDM++ Link VDM++ Toolbox Rational Rose 2000 ClassRepositoryClassRepository Merge Tool VDM++ Files UMLDiagrams UML model file

March 2009Tools for VDM in Industry40 Integrity checker

March 2009Tools for VDM in Industry41 Toolbox API Request Result

March 2009Tools for VDM in Industry42 Dynamic Link Facility VDM Specification Dynamic Link Module External Code Type Conversion Module

March 2009Tools for VDM in Industry43 Further Information An Executable Subset of Meta-IV with Loose Specification, P.G. Larsen, P.B. Lassen, VDM '91: Formal Software Development Methods, 1991 The IFAD VDM-SL Toolbox: A Practical Approach to Formal Specifications, R. Elmstrøm, P.G. Larsen, P.B. Lassen, ACM Sigplan Notices, September 1994 Computer-aided Validation of Formal Specifications, P. Mukherjee, Software Engineering Journal, July 1995 Ten Years of Historical Development - ”Bootstrapping” VDMTools, P.G. Larsen, Journal of Universal Computer Science, 2001 VDMTools: advances in support for formal modeling in VDM, J. S. Fitzgerald and P. G. Larsen and S. Sahara, ACM Sigplan Notices, February 2008

March 2009Tools for VDM in Industry44 Tools for VDM in Industry Industrial Experience with VDM ”Bootstrapping” VDMTools Overview of VDMTools  The Overture/Eclipse Initiative Vision for the future

March 2009Tools for VDM in Industry Overture versus VDMTools VDMTools ( Closed source, proprietary (available under NDA) Monolithic architecture (single binary), C++ Optimized for performance, industry strength Overture Tool project ( Open source, GPL license Plug-in architecture, Eclipse, Java Optimized for flexibility, targets academic use (partly) developed using VDMTools

March 2009Tools for VDM in Industry46 Overture – an open-source initiative Based on the Eclipse platform Extendible open VDM++ tool support Initial tool support produced in MSc project in NL MSc project carried out at TUD Jacob Porsborg Nielsen and Jens Kielsgaard Hansen MSc project at Aarhus University Thomas Christensen MSc projects at Engineering College of Aarhus Hugo Macedo, Minho University Sander Vermolen, University of Nijmegen Adriana Sucena, Minho University Carlos Vilhena, Minho University Augusto Ribeiro, Minho University Kenneth Lausdahl and Hans Christian Lintrup, IHA

March 2009Tools for VDM in Industry47 Basic automatic checks and GUI Overture Architecture Overview Syntax Check Connection to standard development environments UML, SysML AADL Visualisation Support Code Generators - C++, Java GUI generators Reverse Engineering support Type Check Refactoring support OML editor With syntax highlighting Validation support Pretty Printing With coverage Interpreter (Debugger) With API capabilities Test Generation support Visualization Support for Execution traces Verification support Proof Obligation generation Automatic Proof support Interactive Proof support Model Checking support Eclipse AST Not yet available Planned A version is available Connection to JML

March 2009Tools for VDM in Industry48 Example Screen dump

March 2009Tools for VDM in Industry Automatic AST generation OVERTURE AST spec (VDM-SL subset) ASTGEN sed script JAVA interfaces VDM++ classes VDMTools java classes sed modified java classes “implements” ● specified in VDM++ ● code generated other users can use these specs to specify their own OVERTURE extensions (in VDM++)

March 2009Tools for VDM in Industry Tracefile Viewer (1)

March 2009Tools for VDM in Industry Tracefile Viewer (2)

March 2009Tools for VDM in Industry Tracefile Viewer (3)

March 2009Tools for VDM in Industry53 Tools for VDM in Industry Industrial Experience with VDM ”Bootstrapping” VDMTools Overview of VDMTools The Overture/Eclipse Initiative  Vision for the future

March 2009Tools for VDM in Industry54 Extending VDM++ with better support for distributed real-time Today embedded real-time systems are increasingly distributed Hard to master complexity within tight time schedules Current research work extend VDM++ with better support for describing and analyzing this Possibility to use CPU’s and BUS’es inside system Deployment of objects to CPUs Setting priorities of operations Introduction of asynchronous operations Cycles statement in addition to duration statement

March 2009Tools for VDM in Industry Combining with continuous time

March 2009Tools for VDM in Industry56 Beyond the Ordinary: Design of Embedded Real-time Control BODERC ESI Sept Apr 2007 Multi-disciplinary design mechanics electronics software High-tech systems focus Early life cycle trade-off analysis Industry as a laboratory

March 2009Tools for VDM in Industry57 continuous validation Printer paper path - case study VDM++VDMTools Bond graphs 20-sim co-sim results VDM++VDMTools Bond graphs 20-sim SIL sim results C++ HOST COMPILER DLL VDM++VDMToolsC++ TARGET COMPILER ctrl app measure- ments

March 2009Tools for VDM in Industry58 An from an old (very good) student … At that time I understood that a formal specification would be an advantage for big projects but I had no idea how desperately this is also needed in smaller projects when there are many people involved. Today I do know: At the moment I am working at BMW in the communications department. We work on the integration of the car telephone (including a telematics unit with GPS coordinates) into the overall car. There is a lot of interaction between the telephone and the HMI of the car and there are different versions and types of all the involved devices. There are also five companies (BMW, Motorola, Siemens VDO, Harmann-becker, Alpine) who develop the different units. The system should not be so complex because many of the devices should (!) behave similarly. But the specifications we write are English plain text (hundreds of pages), in our department more than 10 people are involved and we do not know anymore how the devices will behave ourselves...every external company has an own interpretation of the specs and this interpretation changes over time. If you ask the same person twice you get different answers (I frankly admit that I am no exception)... You can imagine how "efficient" everything is and its a miracle that the system still works (with a number of bugs though)...

March 2009Tools for VDM in Industry59 Go out and use the principles at least!