The B Formal Method Bibliography
نویسندگان
چکیده
In this paper we suggest to use the B formal method to model a protocol dedicated to smart cards. We use a pragmatic approach to prove the dynamic properties of the protocol by using historical variables to express the past. We check manually that those variables have been correctly updated in the different operations. With this approach we can avoid the use of a model checker to verify the dynamic properties. We show the advantages of this method to express general properties and service properties. We focused on the formalisation of the rules given in the standard and on the refinement process. We introduce new events and invariants at each level. Using this method enabled us to bring to the fore some ambiguities and errors of the protocol. [AFADL98-Ledru] Yves Ledru and Rémy Salanville. Description d’architecture logicielle par connexion de machines abstraites. In AFADL’98 [AFADL98], pages 37–48. [AFADL98-Ledru2] Yves Ledru, Catherine Oriat, and Marie-Laure Potet. Le raffinement vu comme primitive de spécification une comparaison de VDM, B, Specware. In AFADL’98 [AFADL98], pages 63–76. [AFIS02] Jean-Louis Boulanger and Georges Mariano. Formalization of digital circuits using the B method. In AFIS, EUSEC 3rd European Systems Engineering Conference Systems Engineering : a focus of European expertise, session 10 Modelling & Tool, Toulouse (France)., pages 281–290, May 2002. [AFM-DeMe] Babak Dehbonei and Fernando Mejia. Formal development of safety-critical software systems in railway signalling. In Hinchey and Bowen [AFM95], pages 227–252. [AFM-JHoare] Jonathan P. Hoare. Application of the B-method to CICS. In Hinchey and Bowen [AFM95], pages 97–124. [AFM95] M. G. Hinchey and J. P. Bowen, editors. Applications of Formal Methods. Series in Computer Science. Prentice Hall International, 1995. [ALNS91] Jean-Raymond Abrial, M. K. O. Lee, D. S. Neilson, P. N. Scharbach, and I. H. Sorensen. The Bmethod (software development). In S. Prehn and J. W. 
Toetenel, editors, VDM 91. Formal Software Development Methods. 4th International Symposium of VDM Europe Proceedings., volume 2, pages 398–405. BP Res., Sunbury Res. Centre, Sunbury-on-Thames, UK, Springer-Verlag, Berlin, Germany, October 1991. Abstract : The B-method is a formal software development process for the production of highly reliable, portable and maintainable software which is verifiably correct with respect to its functional specification. The method uses the abstract machine notation (AMN) as the language for specification, design and implementation within the process. AMN is a sugared and extended version of E.W. Dijkstra’s (1976), guarded command notation with built-in structuring mechanisms for the construction of large systems. The B-method is a formal software development process for the production of highly reliable, portable and maintainable software which is verifiably correct with respect to its functional specification. The method uses the abstract machine notation (AMN) as the language for specification, design and implementation within the process. AMN is a sugared and extended version of E.W. Dijkstra’s (1976), guarded command notation with built-in structuring mechanisms for the construction of large systems. [email protected] c ©1999–2007 INRETS-ESTAS 4/59 B Method Bibliography Georges Mariano The method is supported over the entire spectrum of activities from specification to implementation by a set of computer-aided tools. (3 Refs) [ASM05-Butler] Michael J. Butler, M. Leuschel, and C. Snook. Tools for system validation with B abstract machines. In Proceedings of ASM 2005 : 12th International Workshop on Abstract State Machines, Paris, 2005. Abstract : In this paper we give an overview of some tools that we have developed to support the application of the B Method. ProB is an animation and model checking tool for the B method. ProB’s animation facilities allow users to gain confidence in their specifications. 
ProB contains a temporal and a state-based model checker, both of which can be used to detect various errors in B specifications. We also overview a recent extension of ProB that supports checking of specifications written in a combination of CSP and B. Finally we describe the UML-B profile and associated U2B tool that allows UML and B to be combined and is intended to make modelling with B more appealing to software engineers. In this paper we give an overview of some tools that we have developed to support the application of the B Method. ProB is an animation and model checking tool for the B method. ProB’s animation facilities allow users to gain confidence in their specifications. ProB contains a temporal and a state-based model checker, both of which can be used to detect various errors in B specifications. We also overview a recent extension of ProB that supports checking of specifications written in a combination of CSP and B. Finally we describe the UML-B profile and associated U2B tool that allows UML and B to be combined and is intended to make modelling with B more appealing to software engineers. [AVIS2001-Bellegarde] Françoise Bellegarde, C. Darlot, Jacques Julliand, and O. Kouchnarenko. How to verify LTL perperties of infinite refined systems by proof and model-checking cooperation. In Proc. Int. Ws. on Automated Verification of Infinite-State Systems (AVIS’2001), joint to FME’01, Berlin, Allemagne, March 2001. [Abri84a] Jean-Raymond Abrial. Specification or how to give reality to abstraction. Technique et Science Informatiques, 1984. Abstract : The specification and construction of an algorithm for managing secondary memory space are described. This algorithm contains mechanisms for commitment and for recovery in the event of a breakdown. (3 Refs) The specification and construction of an algorithm for managing secondary memory space are described. This algorithm contains mechanisms for commitment and for recovery in the event of a breakdown. 
(3 Refs) [Abri84b] Jean-Raymond Abrial. The mathematical construction of a program. Science of Computer Programming, 4(1), April 1984. Abstract : This paper is an exercise in program construction using mathematics as a tool. The program which the author undertook the construction of is a general purpose proof checker. It is ’general purpose’ in that it may take as input the axiomatization of a formal theory together with a proof written within this theory. As output it delivers a result which tells us whether the proof is correct or not. In order to test the generality of the proposed approach, the author uses the proof checker to check proofs written within theories such as propositional calculus and predicate calculus and set theory. (7Refs This paper is an exercise in program construction using mathematics as a tool. The program which the author undertook the construction of is a general purpose proof checker. It is ’general purpose’ in that it may take as input the axiomatization of a formal theory together with a proof written within this theory. As output it delivers a result which tells us whether the proof is correct or not. In order to test the generality of the proposed approach, the author uses the proof checker to check proofs written within theories such as propositional calculus and predicate calculus and set theory. (7Refs [Abri88a] Jean-Raymond Abrial. The B tool (proof proving tool). In R. Bloomfield, L. Marshall, and R. Jones, editors, VDM 88. VDM The Way Ahead. 2nd VDM-Europe Symposium. Proceedings. Springer-Verlag, Berlin, West Germany, September 1988. Abstract : Summary form only given. B is an interactive program whose function is to assist people in doing formal proofs. The basic features of B are outlined. Built on these elementary features, B also contains a simplistic inference engine allowing simple goal-oriented proofs to be conducted in an interactive mode. 
The tool has a few built-in rules corresponding to a very limited knowledge of first-order predicate logic. Summary form only given. B is an interactive program whose function is to assist people in doing formal proofs. The basic features of B are outlined. Built on these elementary features, B also contains a simplistic inference engine allowing simple goal-oriented proofs to be conducted in an interactive mode. The tool has a few built-in rules corresponding to a very limited knowledge of first-order predicate logic. [Abri88b] Jean-Raymond Abrial. A formal approach to software system development. Génie Logiciel et Systèmes Experts, 1(11) :22–8, March 1988. Abstract : Attention is directed to aspects of software specification such as mathematical models of the data, animation of the models and coherence of such data models. Attention is directed to aspects of software specification such as mathematical models of the data, animation of the models and coherence of such data models. [email protected] c ©1999–2007 INRETS-ESTAS 5/59 B Method Bibliography Georges Mariano Considerations in software programming and unification of the two concepts are also covered.(22 Refs) [Abri89] Jean-Raymond Abrial. A formal approach to large software construction. In J. L. A. Van de Snepscheut, editor, Mathematics of Program Construction. 375th Anniversary of the Groningen University International Conference. Proceedings, pages 1–20. Springer-Verlag, Berlin, West Germany, June 1989. Abstract : Is the rationalisation of software construction the main preoccupation of computer scientists today ? The author presents, briefly and informally, a number of results concerning the so called axiomatic answer to this question. One of the recent trends of the discipline is to reduce the traditional distinction of the two main activities of software construction, namely specification and programming. 
This trend sometimes takes the form of ’executable specifications’ ; the author adopts a somewhat different approach, that of ’non necessarily executable programs’. The author shows that the main concepts of specification and those of programming can be unified. From this unification, a new activity, called design, will emerge ; design is situated between specification and programming and its role is to ensure the systematic passage from one to the other. (20 Refs) Is the rationalisation of software construction the main preoccupation of computer scientists today ? The author presents, briefly and informally, a number of results concerning the so called axiomatic answer to this question. One of the recent trends of the discipline is to reduce the traditional distinction of the two main activities of software construction, namely specification and programming. This trend sometimes takes the form of ’executable specifications’ ; the author adopts a somewhat different approach, that of ’non necessarily executable programs’. The author shows that the main concepts of specification and those of programming can be unified. From this unification, a new activity, called design, will emerge ; design is situated between specification and programming and its role is to ensure the systematic passage from one to the other. (20 Refs) [Abri91] Jean-Raymond Abrial. A refinement case study (using the Abstract Machine Notation). In J. M. Morris and R. C. Shaw, editors, 4th Refinement Workshop. Proceedings of the 4th Refinement Workshop, pages 51–96. Springer-Verlag, Berlin, Germany, January 1991. Abstract : The author develops in detail a classical little example of refinement from initial specification down to final code. 
He insists on a few methodological points among which are the following : the importance of a sound mathematical preamble ; the systematic usage of data refinement steps based on clear and intuitive technical decisions ; and the reusability of already specified and refined pieces of code. The exercise is conducted using an homogeneous notational style based on abstract machines and generalized substitutions. (8 Refs) The author develops in detail a classical little example of refinement from initial specification down to final code. He insists on a few methodological points among which are the following : the importance of a sound mathematical preamble ; the systematic usage of data refinement steps based on clear and intuitive technical decisions ; and the reusability of already specified and refined pieces of code. The exercise is conducted using an homogeneous notational style based on abstract machines and generalized substitutions. (8 Refs) [Abri92] Jean-Raymond Abrial. On constructing large software systems. In Algorithms, Software, Architecture. Information Processing 92. IFIP 12th World Computer Congress, volume A-12, pages 103–12, September 1992. Abstract : Some general principles are presented that one could follow in order to build large software systems with reduced probability of failure.The following topics are discussed : people, framing, set theory, programming languages, proof and tools. (0 Refs) Some general principles are presented that one could follow in order to build large software systems with reduced probability of failure.The following topics are discussed : people, framing, set theory, programming languages, proof and tools. (0 Refs) [Abrial88] J.-R. Abrial. The B tool. In R. R. Bloomfield ; L. Marshall ; Jones, editor, Proceedings of the 2nd VDM-Europe Symposium, volume 328 of Lecture Notes in Computer Science (Springer-Verlag), pages 86–87, Berlin, September 1988. Springer. [Abrial98] Jean-Raymond Abrial and Louis Mussat. 
Specification and design of a transmission protocol by successive refinements using B. In Manfred Broy and Birgit Schieder, editors, Mathematical Methods in Program Development, volume 158 of NATO ASI Series F : Computer ans Systems Sciences, pages 129–200. Springer, 1997. [Abrial :1998 :B] J.-R Abrial. On B. Lecture Notes in Computer Science (Springer-Verlag), 1393 :1–8, 1998. [AbrialDSM] Jean-Raymond Abrial. Discrete system models. Internal Notes / summer school, February 2002. [email protected] c ©1999–2007 INRETS-ESTAS 6/59 B Method Bibliography Georges Mariano [Aertryck97a] Lionel Van Aertryck, Marc Benveniste, and Daniel Le Metayer. CASTING : une m’ethode formelle de génération de cas de tests. In AFADL : Approches formelles dans l’assistance au développement de logiciel, pages 99–112, Toulouse, France, May 1997. [Aertryck97b] Lionel Van Aertryck, Marc Benveniste, and Daniel Le Metayer. CASTING : A formally based software test generation method. In ICFEM’97, First IEEE International Conference on Formal Engineering Methods, pages 101–111, Hiroshima, Japon, November 1997. [Aertryck98-PhD] Lionel Van Aertryck. Une méthode et un outil pour l’aide à la génération de jeux de tests de logiciels. Thèse de doctorat, Université de Rennes I, January 1998. Abstract : Pour obtenir un exemplaire [email protected] Pour obtenir un exemplaire [email protected] [Ait-Ameur-ISPS03] Y. Aït-Ameur, M. Baron, and N. Kamel. Utilisation de techniques formelles dans la modélisation d’interfaces homme-machine. une expérience comparative entre B et promela/SPIN. In In Proceedings of 6th International Symposium on Programming and Systems, Algérie, pages 57–66. ISPS 2003, May 2003. Abstract : Cet article présente une expérience dans l’utilisation des techniques formelles pour la conception, la vérification et la validation d’IHM au travers de l’utilisation de deux techniques dans un développement incrémental. 
La première technique est fondée sur le raffinement et la preuve avec B et la seconde est fondée sur la vérification sur modèle avec Promela/SPIN. Différentes propriétés telles que la robustesse, l’atteignabilité, l’insistance sont vérifiées grâce à l’utilisation de ces techniques. Nous discutons également les avantages et inconvénients de ces deux techniques. Cet article présente une expérience dans l’utilisation des techniques formelles pour la conception, la vérification et la validation d’IHM au travers de l’utilisation de deux techniques dans un développement incrémental. La première technique est fondée sur le raffinement et la preuve avec B et la seconde est fondée sur la vérification sur modèle avec Promela/SPIN. Différentes propriétés telles que la robustesse, l’atteignabilité, l’insistance sont vérifiées grâce à l’utilisation de ces techniques. Nous discutons également les avantages et inconvénients de ces deux techniques. [Ait-Ameur-SERP03] Y. Aït-Ameur, M. Baron, and P. Girard. Formal validation of HCI user tasks. In In Proceedings of The 2003 International Conference on Software Engineering Research and Practice, Las Vegas, Nevada USA, pages 732–738. SERP 2003, CSREA Press, 2003, June 2003. Abstract : Our work focuses on the use of formal techniques in order to increase the quality of HCI software and of all the processes resulting from the development, verification, design and validation activities. This paper shows how the B formal technique can be used for user tasks modelling and validation. A trace based semantics is used to describe either the HCI or the user tasks. Each task is modelled by a sequence of fired events. Each event is defined in the abstract specification and design of the HCI system. Our work focuses on the use of formal techniques in order to increase the quality of HCI software and of all the processes resulting from the development, verification, design and validation activities. 
This paper shows how the B formal technique can be used for user tasks modelling and validation. A trace based semantics is used to describe either the HCI or the user tasks. Each task is modelled by a sequence of fired events. Each event is defined in the abstract specification and design of the HCI system. [Aljer2003] Ammar Aljer, Philippe Devienne, Sophie Tison, Jean-Louis Boulanger, and Georges Mariano. BHDL : Circuits design in B. In IEEE Computer Society Press, editor, ACSD’03Proceeeding of the Third International Conference Application of Concurrency to System Design, June 2003. [Aljer2003b] Ammar Aljer, Philippe Devienne, Sophie Tison, Jean-Louis Boulanger, and Georges Mariano. BHDL : Circuits design in B. In IEEE Computer Society Press, editor, ACSD’03Proceeeding of the Third International Conference Application of Concurrency to System Design, June 2003. Abstract : The main goal of this project is to provide a method of correct design of digital circuit. It combines the advantages of VHDL, the well-known language of circuit design, with the power of B method that guarantees the correct design (w.r.t. a formal specification). This allows avoiding the design test since it is "correct by proven construction". Furthermore, this project provides a tool, called BHDL, with a graphical interface for creating, editing, viewing and proving modular hardware architectures. The main goal of this project is to provide a method of correct design of digital circuit. It combines the advantages of VHDL, the well-known language of circuit design, with the power of B method that guarantees the correct design (w.r.t. a formal specification). This allows avoiding the design test since it is "correct by proven construction". Furthermore, this project provides a tool, called BHDL, with a graphical interface for creating, editing, viewing and proving modular hardware architectures. [Alnet96] Stéphane Alnet. Test de programme à partir de spécifications B. 
Rapport de DEA, September 1996. [email protected] c ©1999–2007 INRETS-ESTAS 7/59 B Method Bibliography Georges Mariano Abstract : Nous étudions le test «boîte-noire» de programme écrits à partir de la méthode B. Nous proposons de plus une sémantique pour de tels programmes, sémantique observationnelle basée sur des traces. [Ameur98a] Y. Aït-Ameur, P. Girard, and F. Jambon. Using the B formal approach for incremental specification design of interactive systems. In IFIP Working Conference on Engineering for Human-Computer Interaction (EHCI’98), Heraklion (Crete), Greece, September 1998. [Ameur98b] Y. Aït-Ameur, P. Girard, and F. Jambon. A uniform approach for the specification and design of interactive systems : the B method. In 5th International Eurographics Workshop on Design, Specification, pages 333–352, Cosener’s House, Abingdon, UK, June 1998. [Attiogbe97] Christian Attiogbé. Réutilisation de composantes formelles par filtrage sémantique : Cas des machines abstraites de B. In Le Génie Logiciel est ses Applications – 1o eme Journées Internatinales ACTES, number 46 in Génie Logiciel, pages 95–99, December 1997. [B-DC] Samuel Colin, Georges Mariano, and Vincent Poirriez. Duration calculus : a real-time semantic for B. In First International Colloquium on Theoretical Aspects of Computing. UNU-IIST, September 2004. Guiyang, China. [B07] Jacques Julliand and Olga Kouchnarenko, editors. B 2007 : Formal Specification and Development in B, 7th International Conference of B Users, Besançon, France, January 17-19, 2007, Proceedings, volume 4355 of Lecture Notes in Computer Science. Springer, 2006. [B07-Benaissa] Nazim Benaïssa, Dominique Cansell, and Dominique Méry. Integration of security policy into system modeling. In Julliand and Kouchnarenko [B07], pages 232–247. [B07-Bendisposto] Jens Bendisposto and Michael Leuschel. BE4 : The B extensible eclipse editing environment. In Julliand and Kouchnarenko [B07], pages 270–273. 
Abstract : The open-source Eclipse platform has become hugely popular as an integrated development environment for Java, and a considerable number of plug-ins have been developed for other programming languages (e.g., C++,PHP, Eiffel, Python, Fortran, etc.). In this paper we present a new plug-in for Eclipse, supporting the B-method and B’s abstract machine notation (AMN). In addition to providing editing and syntax highlighting, the plug-in displays syntax and structural errors in the B source code, as well as suggesting fixes for those errors. The open-source Eclipse platform has become hugely popular as an integrated development environment for Java, and a considerable number of plug-ins have been developed for other programming languages (e.g., C++,PHP, Eiffel, Python, Fortran, etc.). In this paper we present a new plug-in for Eclipse, supporting the B-method and B’s abstract machine notation (AMN). In addition to providing editing and syntax highlighting, the plug-in displays syntax and structural errors in the B source code, as well as suggesting fixes for those errors. [B07-Bendisposto-b] Jens Bendisposto and Michael Leuschel. A generic flash-based animation engine for ProB. In Julliand and Kouchnarenko [B07], pages 266–269. [B07-Bostrom] Pontus Boström, Mats Neovius, Ian Oliver, and Marina Waldén. Formal transformation of platform independent models into platform specific models. In Julliand and Kouchnarenko [B07], pages 186–200. [B07-Boulme] Sylvain Boulmé and Marie-Laure Potet. Interpreting invariant composition in the B method using the spec# ownership relation : A way to explain and relax B restrictions. In Julliand and Kouchnarenko [B07], pages 4–18. [B07-Bouquet] Fabrice Bouquet, Jean-Francois Couchot, Frédéric Dadeau, and Alain Giorgetti. Instantiation of parameterized data structures for model-based testing. In Julliand and Kouchnarenko [B07], pages 94–108. [B07-Bouquet-b] Fabrice Bouquet, Frédéric Dadeau, and Julien Groslambert. 
JML2B : Checking JML specifications with B machines. In Julliand and Kouchnarenko [B07], pages 285–288. [B07-Cansell] Dominique Cansell, Dominique Méry, and Joris Rehm. Time constraint patterns for event B development. In Julliand and Kouchnarenko [B07], pages 140–154. [email protected] c ©1999–2007 INRETS-ESTAS 8/59 B Method Bibliography Georges Mariano [B07-Chan] Edward Chan, Ken Robinson, and Brett Welch. Patterns for B : Bridging formal and informal development. In Julliand and Kouchnarenko [B07], pages 125–139. [B07-Chemouil] David Chemouil. The design of spacecraft on-board software. In Julliand and Kouchnarenko [B07], page 3. Abstract : This presentation deals with the way Space Systems and particularly Spacecraft On-Board Software are designed. I will try to show how the design of Space Systems is undergoing a shift from a seasoned-expert craft to a methodology based upon modelling. First, I will introduce Space Systems by presenting their applications and architecture. Then I will detail the design of such systems, insisting on systems and software aspects. Finally, I will describe some directions currently followed by CNES regarding modelling technologies. Among them, I will bring the notion of pre-proven business-specific refinement patterns to the forefront, as a possible (partial) solution to the reluctance to proof-based development methods in industry. David Chemouil works in the On-Board Software Office at the French Space Agency (CNES) in Toulouse. His activities include monitoring the development of On-Board Software contracted by CNES and carrying out R&D; on Embedded Software Engineering. David Chemouil holds a PhD in Computer Science from Université Paul Sabatier, Toulouse (2004). This presentation deals with the way Space Systems and particularly Spacecraft On-Board Software are designed. I will try to show how the design of Space Systems is undergoing a shift from a seasoned-expert craft to a methodology based upon modelling. 
First, I will introduce Space Systems by presenting their applications and architecture. Then I will detail the design of such systems, insisting on systems and software aspects. Finally, I will describe some directions currently followed by CNES regarding modelling technologies. Among them, I will bring the notion of pre-proven business-specific refinement patterns to the forefront, as a possible (partial) solution to the reluctance to proof-based development methods in industry. David Chemouil works in the On-Board Software Office at the French Space Agency (CNES) in Toulouse. His activities include monitoring the development of On-Board Software contracted by CNES and carrying out R&D; on Embedded Software Engineering. David Chemouil holds a PhD in Computer Science from Université Paul Sabatier, Toulouse (2004). [B07-Clabaut] Mathieu Clabaut. A tool for firewall administration. In Julliand and Kouchnarenko [B07], pages 255–256. [B07-Dunne] Steve Dunne. Chorus angelorum. In Julliand and Kouchnarenko [B07], pages 19–33. [B07-Essame] Didier Essamé and Daniel Dollé. B in large-scale projects : The canarsie line CBTC experience. In Julliand and Kouchnarenko [B07], pages 252–254. [B07-Evans] Neil Evans and Wilson Ifill. Hardware verification and beyond : Using B at AWE. In Julliand and Kouchnarenko [B07], pages 260–261. [B07-Gervais] Frédéric Gervais, Marc Frappier, and Régine Laleau. Refinement of EB3 process patterns into B specifications. In Julliand and Kouchnarenko [B07], pages 201–215. [B07-Groslambert] Julien Groslambert. Verification of LTL on B event systems. In Julliand and Kouchnarenko [B07], pages 109–124. [B07-Haddad] Amal Haddad. Meca : A tool for access control models. In Julliand and Kouchnarenko [B07], pages 281–284. [B07-Hallerstede] Stefan Hallerstede. Justifications for the event-B modelling notation. In Julliand and Kouchnarenko [B07], pages 49–63. [B07-Hoffmann] Sarah Hoffmann, Germain Haugou, Sophie Gabriele, and Lilian Burdy. 
The B-method for the construction of microkernel-based systems. In Julliand and Kouchnarenko [B07], pages 257–259. [B07-Ifill] Wilson Ifill, Steve A. Schneider, and Helen Treharne. Augmenting B with control annotations. In Julliand and Kouchnarenko [B07], pages 34–48. [B07-Jaffuel] Eddie Jaffuel. Using B machines for model-based testing of smartcard software. In Julliand and Kouchnarenko [B07], page 2. Abstract : Automated test generation from B abstract machines is commonly used in the smart card industry since 2003. Several domains are concerned such as mobile communication applications (e.g. SIM cards) [1], identity applications (e.g. health cards or identity cards) and banking applications. The model-based testing tool LTG (LEIRIOS Test Generator) [2] makes it possible to generate executable test scripts from a B formal model of the functional requirements. Therefore, the design of the test cases and Automated test generation from B abstract machines is commonly used in the smart card industry since 2003. Several domains are concerned such as mobile communication applications (e.g. SIM cards) [1], identity applications (e.g. health cards or identity cards) and banking applications. The model-based testing tool LTG (LEIRIOS Test Generator) [2] makes it possible to generate executable test scripts from a B formal model of the functional requirements. Therefore, the design of the test cases and [email protected] c ©1999–2007 INRETS-ESTAS 9/59 B Method Bibliography Georges Mariano the development of the test scripts are based on a modeling and automated test generation approach. The model-based testing process is structured in 3 main steps : Model. The first step consists in developing a behavior model using the B abstract machine notation. The model represents the expected behavior of the smart card application under test. Configure test generation. The configuration of the test generation with LTG is based on model coverage criteria. 
Three families of criteria give a precise control over the test generation : decision coverage, operation effect coverage and data coverage. Adapt. The generated test cases are then translated into executable test scripts using an adaptor customized for the test execution environment and the project. This talk shows how B abstract machines are developed in the context of model-based testing of smart card applications, how model coverage criteria make it possible to generate accurate test cases and how those test cases are adapted into executable test scripts for a targeted test execution environment.

[B07-JaffuelL] Eddie Jaffuel and Bruno Legeard. LEIRIOS test generator : Automated test generation from B models. In Julliand and Kouchnarenko [B07], pages 277–280.

[B07-Leuschel] Michael Leuschel, Michael Butler, Corinna Spermann, and Edd Turner. Symmetry reduction for B by permutation flooding. In Julliand and Kouchnarenko [B07], pages 79–93.

[B07-Oliver] Ian Oliver. Experiences in using B and UML in industrial development. In Julliand and Kouchnarenko [B07], pages 248–251.

[B07-Servat] Thierry Servat. BRAMA : A new graphic animation tool for B models. In Julliand and Kouchnarenko [B07], pages 274–276.

[B07-Snook] Colin Snook and Marina Waldén. Refinement of statemachines using event B semantics. In Julliand and Kouchnarenko [B07], pages 171–185.

[B07-Stoddart] Bill Stoddart, Dominique Cansell, and Frank Zeyda. Modelling and proof analysis of interrupt driven scheduling. In Julliand and Kouchnarenko [B07], pages 155–170.

[B07-Stouls] Nicolas Stouls and Marie-Laure Potet. Security policy enforcement through refinement process. In Julliand and Kouchnarenko [B07], pages 216–231.

[B07-Yang] Letu Yang and Michael Poppleton. Automatic translation from combined B and CSP specification to java programs. In Julliand and Kouchnarenko [B07], pages 64–78.

[B96-Abrial] Jean-Raymond Abrial. Extending B without changing it (for developing distributed systems). In Habrias [B96-Habrias], pages 169–191.

[B96-Behm] Patrick Behm. Développement formel des logiciels sécuritaires de METEOR. In Habrias [B96-Habrias], pages 3–10.

[B96-Bert] Didier Bert, Marie-Laure Potet, and Yves Rouzaud. A study on components and assembly primitives in B. In Habrias [B96-Habrias], pages 47–62.

[B96-Burdy] Lilian Burdy. Obligations de preuve de raffinement en B. In Habrias [B96-Habrias], pages 121–132.

[B96-Butler] Michael J. Butler and M. Walden. Distributed system development in B. In Habrias [B96-Habrias], pages 155–168.

[B96-Chauvet] Jean-Yves Chauvet. Une étude de cas en B : les feux tricolores. In Habrias [B96-Habrias], pages 329–352.

[B96-Clutterbuck] D. Clutterbuck, J. Bicarregui, and B. Matthews. Experiences with proof in a formal development. In Habrias [B96-Habrias], pages 27–46.

[email protected] © 1999–2007 INRETS-ESTAS 10/59 B Method Bibliography Georges Mariano

[B96-Draper] Jonathan Draper. The use of the B-Method on an avionics example : the MIST project. In Habrias [B96-Habrias], pages 303–305.

[B96-Dune] Steve Dunne and Bill Stoddart. Hypersubstitutions : Extending the generalised substitution to model semi-decidable operations. In Habrias [B96-Habrias], pages 221–237.

[B96-El-Koursi] El Miloudi El Koursi and Georges Mariano. Safety critical software assessment : Past experience and new approach. In Habrias [B96-Habrias], pages 11–26.

[B96-Facon] P. Facon, R. Laleau, and H. P. Nguyen. Dérivation de spécifications formelles B à partir de spécifications semi-formelles de systèmes d’information. In Habrias [B96-Habrias], pages 271–290.

[B96-Fraer] Ranan Fraer. Formal development in B of a minimum spanning tree algorithm. In Habrias [B96-Habrias], pages 305–328.

[B96-Habrias] Henri Habrias, editor. Proceedings of the 1st Conference on the B method, Putting into Practice methods and tools for information system design, 3 rue du Maréchal Joffre, BP 34103, 44041 Nantes Cedex 1, November 1996. B1996, IRIN Institut de recherche en informatique de Nantes.

[B96-Lano] Kevin Lano, J. Bicarregui, and A. Sanchez. Using B to design and verify controllers for chemical processing. In Habrias [B96-Habrias], pages 237–270.

[B96-Lopez] N. Lopez. La construction de la spécification formelle d’un système complexe. In Habrias [B96-Habrias], pages 63–120.

[B96-Mery] Dominique Mery. Machines abstraites temporelles. Analyse comparative de B et TLA+. In Habrias [B96-Habrias], pages 169–191.

[B96-Robinson] K. A. Robinson. Early experiences in teaching the B-Method. In Habrias [B96-Habrias], pages 297–302. Abstract : This paper describes some of the experiences of teaching software development using the B-Method and the B-Toolkit to a small class of postgraduate students at the University of New South Wales. Difficulties experienced and lessons learnt are discussed.

[B96-Shore] Richard Shore. Object-oriented modelling in B. In Habrias [B96-Habrias], pages 133–154.

[B98] Didier Bert, editor. B’98 : The 2nd International B Conference, Recent Advances in the Development and Use of the B Method, volume 1393 of Lecture Notes in Computer Science (Springer-Verlag), Montpellier, April 1998. B1998, LIRMM Laboratoire d’Informatique, de Robotique et de Micro-électronique de Montpellier, Springer-Verlag.

[B98-Abrial] Jean-Raymond Abrial and Louis Mussat. Introducing dynamic constraints in B. In Bert [B98], pages 83–128. Abstract : In B, the expression of dynamic constraints is notoriously missing. In this paper, we make various proposals for introducing them. They all express, in different complementary ways, how a system is allowed to evolve. Such descriptions are independent of the proposed evolutions of the system, which are defined, as usual, by means of a number of operations. Some proof obligations are thus proposed in order to reconcile the two points of view. We have been very careful to ensure that these proposals are compatible with refinement.
They are illustrated by several little examples, and a larger one. In a series of small appendices, we also give some theoretical foundations to our approach. In writing this paper, we have been heavily influenced by the pioneering works of Z. Manna and P. Pnueli, L. Lamport, R. Back and M. Butler.

[B98-Banach] R. Banach and M. Poppleton. Retrenchment : An engineering variation on refinement. In Bert [B98], pages 129–147. Abstract : It is argued that refinement, in which I/O signatures stay the same, preconditions are weakened and postconditions strengthened, is too restrictive to describe all but a fraction of many realistic developments. An alternative notion is proposed called retrenchment, which allows information to migrate between I/O and state aspects of operations at different levels of abstraction, and which allows only a fraction of the high level behaviour to be captured at the low level. This permits more of the informal aspects of design to be formally captured and checked. The details are worked out for the B-Method.

[B98-Behm] P. Behm, L. Burdy, and J.-M. Meynadier. Well defined B. In Bert [B98], pages 29–45. Abstract : B is a language with a three valued semantics : terms like min() can be ill defined, consequently formulas containing ill defined terms can also be ill defined or not. Therefore the deduction system we use for the proof of the proof obligations should be constructed from a three valued logic. Here, we present a deduction system which allows one to make proofs in two valued logic if new proof obligations called well definedness lemmas are also proved. We define this deduction system and the new proof obligations that ensure the well definedness of B machines. The soundness of this new deduction system is not proved here but we completely define the well definedness lemmas for machine, refinement and implementation.
[B98-Chartier] Pierre Chartier. Formalisation of B in Isabelle/HOL. In Bert [B98], pages 66–82. Abstract : We describe a semantic embedding of the basic concepts of the B language in the higher-order logic instance of the generic theorem prover Isabelle (Isabelle/HOL). This work aims at a foundation to formalise the full abstract machine notation, in order to produce a formally checked proof obligation generator. The formalisation is based on the B-Book [BBook]. First we present an encoding of the mathematical basis. Then we formalise generalised substitutions by the before-after model and we prove the equivalence with the weakest precondition axiomatic model. Finally we define operations and abstract machines.

[B98-Ducasse] Mireille Ducasse. Teaching B at a technical university is possible and rewarding. In Habrias and Dunn [B98-educational].

[B98-Heuberger] Ph. Heuberger. Two strategies to data-refine an equivalence to a forest. In Bert [B98], pages 261–272. Abstract : Well-known strategies give incentive to the algorithmic refinement of programs and we ask in this paper whether general patterns also exist for data refinement. In order to answer this question, we study the equivalence relation problem and identify the motivations to replace the equivalence relation by a data structure suitable for efficient computation.

[B98-Julliand] Jacques Julliand, Bruno Legeard, T. Machicoane, B. Parreaux, and Bruno Tatibouët. Specification of an integrated circuit card protocol application using the B method and linear temporal logic. In Bert [B98], pages 273–292. Abstract : In this paper we propose a construction method of multiformalism specifications based on B and linear temporal logic. We examined this method with a case study of a communication protocol between an integrated circuit card and a device such as a terminal, studied in collaboration with the Schlumberger company. We show the current advantages and limits of joining many specification formalisms and the associated toolkits ; Atelier B and SPIN. Finally, we draw a few conclusions about future directions of research on the proof of heterogeneous specifications, incremental verification and on tool cooperation to assist in the verification step (e.g. a prover, a model-checker and an animator). Keyword : communication protocol ; model-checking ; SPIN ; Atelier B ; linear temporal logic ; smartcards

[B98-Malioukov] A. Malioukov. An object-based approach to the B formal method. In Bert [B98], pages 162–181. Abstract : In this paper, we describe an approach to the design of distributed systems that integrates object-oriented methods (OOM) and the non object-oriented B formal method. Our goal is to retain some OOM advantages and produce a flexible and reliable specification, and through the use of our example we show how this is achieved. We prove formally that our design meets its informal specification with the help of B-Toolkit Release 3.3.1. We illustrate the approach by the B specification of A Computerized Visitor Information System (ACVIS). Using Object Modeling Technique diagrams allows us to make ACVIS more readable and open for changes.

[B98-Matthews] B. Matthews, B. Ritchie, and J. Bicarregui. Synthesising structure from flat specifications. In Bert [B98], pages 148–161. Abstract : Within the design process, a high-level specification is subject to two conflicting tensions. It is used as a vehicle for validating the requirements, and also as a first step of the refinement process. Whilst the structuring mechanisms available in the B method are well-suited for the latter purpose, the rich type constructions of VDM are useful for the former. In this paper we propose a method which synthesises a structured B design from a flat VDM specification by analysing how type definitions are used within the VDM state in order to generate a corresponding B machine hierarchy.

[B98-Petin] J.-F. Pétin, G. Morel, D. Méry, and P. Lamboley. Process control engineering : contribution to a formal structuring framework with the B method. In Bert [B98], pages 198–209. Abstract : This paper explores the use of the B method as a formal framework for structuring and verifying the process control systems engineering. In particular, it is shown how the B method can be used to define implementation independent modular specifications.
Benefits are related to the re-use of verified and perennial specifications for the control system faced with a fast evolution of the implementation technologies. Limits are related to the compliance of formal methods with the other methods or methodologies involved in the development of a production system. That justifies a methodological framework needed for representing, reasoning and verifying the control system as interacting with other technological or human systems. The approach is illustrated and discussed using a level control system example.

[B98-Potet] Marie-Laure Potet and Yann Rouzaud. Composition and refinement in the B method. In Bert [B98], pages 46–65. Abstract : In this paper, we propose a framework to study refinement of abstract machines in the B method. It allows us to properly deal with shared variables, possibly introduced by composition primitives SEES and IMPORTS. We exhibit local conditions on components which are sufficient to ensure global correctness of a software system. Finally, we show how restrictions on the architecture of software systems may guarantee these conditions.

[B98-Sekerinski] E. Sekerinski. Graphical design of reactive systems. In Bert [B98], pages 182–197. Abstract : Reactive systems can be designed graphically using statecharts. This paper presents a scheme for the translation of statecharts into the Abstract Machine Notation (AMN) of the B method. By an example of a conveyor system, we illustrate how the design can be initially expressed graphically with statecharts, then translated to AMN and analysed in AMN, and then further refined to executable code.

[B98-Stoddart] B. Stoddart, S. Dunne, A. Galloway, and R. Store. Abstract state machines : Designing distributed systems with state machines and B. In Bert [B98], pages 226–242. Abstract : We outline a theory of communicating state machines. The state of our machines can be factored into a behavioural state and a data state. The behavioural states are shown on a state diagram, whose transitions are labelled with B operations which describe I/O and changes to the machine’s data state.
The paper includes simple examples, the translation of Abstract State Machines to B Action Systems, the translation of high level Abstract State Machines into primitive Abstract State Machines, the parallel combination of high level Abstract State Machines, and short notes on pre-conditions, choice, refinement, and time.

[B98-Traverson] S. Taouil-Traverson and S. Vignes. Designing a B model for safety-critical software systems. In Bert [B98], pages 210–225. Abstract : The observations described in this paper are based on the experience we gained in applying the B method to a realistic safety-critical case study. The main goal was to integrate the B method into the heart of the development cycle, particularly for such applications. We outline a framework to reason about control process systems in order to capture functional and safety-related properties and to organise the conceptual architecture of these systems. Thus, we describe how a B Model can be designed both with respect to safety constraints and in terms of software architecture abstractions. We use the B method to support architectural abstraction, codifying the interactions of components. Finally, we present essential results of the case study and we show the significant impact of such a B formal development on the development process by giving some metrics.

[B98-Treharne] Helen Treharne, Jonathan Draper, and Steve Schneider. Test case preparation using a prototype. In Bert [B98], pages 293–311. Abstract : This paper reports on the preparation of test cases using a prototype within the context of a formal development. It describes an approach to building a prototype using an example. It discusses how a prototype contributes to the testing activity as part of a lifecycle based on the use of formal methods. The results of applying the approach to an embedded avionics case study are also presented.

[B98-Walden] M. Walden. Layering distributed algorithms within the B-method. In Bert [B98], pages 243–260.
Abstract : Superposition is a powerful program modularization and structuring method for developing parallel and distributed systems by adding new functionality to an algorithm while preserving the original computation. We present an important special case of the original superposition method, namely, that considering each new functionality as a layer that is only allowed to read the variables of the previous layers. Thus, the superposition method with layers structures the presentation of the derivation. Each derivation step is, however, large and involves many complicated proof obligations. Tool support is important for getting confidence in these proofs and for administering the derivation steps. We have chosen the B-method for this purpose. We propose how to extend the B-method to make it more suitable for expressing the layers and assist in proving the corresponding superposition steps in a convenient way.

[B98-educational] H. Habrias and S. E. Dunn, editors. B’98 : The 2nd International B Conference, Proceedings of the Educational Session, Nantes, April 1998. Association de Pilotage des Conférences B.

[BB94] Pierre Bieber and N. Boulahia-Cuppens. Formal development of authentication protocols. In Proceedings of BCS-FACS Sixth Refinement Workshop, 1994. Abstract : In this paper, we apply the B method to the formal development of authentication protocols. Our approach consists in first providing a very abstract specification of authentication, and then progressively refining this specification in order to obtain an authentication protocol. During the refinement process we consider various ways to use encrypted messages and to distribute encryption keys that relate to several existing protocols.

[BBLW93] Pierre Bieber, N. Boulahia-Cuppens, T. Lehmann, and E. van Wickeren. Abstract machines for communication security. In Proceedings of IEEE Workshop on Foundations of Computer Security VI, 1993. Abstract : We use an existing formal software development method called B in order to build and verify specifications of a communication channel, cryptographic functions and security properties. We show on an example how these basic specifications may be combined in order to write abstract specifications of cryptographic protocols and to verify their security.

[BBook] Jean-Raymond Abrial. The B Book : Assigning Programs to Meanings. Cambridge University Press, August 1996.
[BRILLANT05a] Samuel Colin, Dorian Petit, Jérôme Rocheteau, Rafaël Marcano, Georges Mariano, and Vincent Poirriez. BRILLANT : An open source and XML-based platform for rigorous software development. In SEFM (Software Engineering and Formal Methods), Koblenz, Germany, September 2005. AGKI (Artificial Intelligence Research Koblenz), IEEE Computer Society Press.

[BUGM99] FM’99 – B Users Group Meeting – Applying B in an industrial context : Tools, Lessons and Techniques. Springer-Verlag, 1999.

[BUGM99-Bellegarde] Françoise Bellegarde, Jacques Julliand, and Hassan Mountassir. Model-based verification through refinement of B event systems. In FM’99 – B Users Group Meeting – Applying B in an industrial context : Tools, Lessons and Techniques [BUGM99], pages 16–26.

[BUGM99-Bodeveix] Jean-Paul Bodeveix, Mamoun Filali, and César Munoz. A formalization of the B method in Coq and PVS. In FM’99 – B Users Group Meeting – Applying B in an industrial context : Tools, Lessons and Techniques [BUGM99], pages 32–48.

[BUGM99-Burdy] Lilian Burdy and Jean-Marc Meynadier. Automatic refinement. In FM’99 – B Users Group Meeting – Applying B in an industrial context : Tools, Lessons and Techniques [BUGM99], pages 3–15.

[BUGM99-Butler] Michael J. Butler. An overview of the CSP2B tool. In FM’99 – B Users Group Meeting – Applying B in an industrial context : Tools, Lessons and Techniques [BUGM99], pages 1–2.

[BUGM99-Lano] Kevin Lano, Juan Bicarregui, and A. Sanchez. Invariant-based synthesis and composition of control algorithms using B. In FM’99 – B Users Group Meeting – Applying B in an industrial context : Tools, Lessons and Techniques [BUGM99], pages 69–86.

[BUGM99-Lopez] Nestor Lopez. An "event based B" industrial experience. In FM’99 – B Users Group Meeting – Applying B in an industrial context : Tools, Lessons and Techniques [BUGM99], page 87.
[BUGM99-Stoddart] Bill Stoddart, Steve Dunne, and Antonis Papatsaras. A graphical interface tool to support modelling and refinement in B using communicating abstract state machines. In FM’99 – B Users Group Meeting – Applying B in an industrial context : Tools, Lessons and Techniques [BUGM99], pages 27–32.

[BUGM99-Treharne] Helen Treharne and Steve Schneider. Classifying and capturing timing requirements. In FM’99 – B Users Group Meeting – Applying B in an industrial context : Tools, Lessons and Techniques [BUGM99], pages 49–68.

[BUT-Bicarregui95] J. C. Bicarregui. Formal methods into practice : case studies in the application of the B method. Technical report, B User Trial, 1995. Abstract : Contact authors.

[BUT-D2] Brian Matthews and Juan Bicarregui. Architecture for proof engineering : a comparison of two models of support for the proof process. Deliverable BUT/RAL/BMM/12/V1, B User Trial, Rutherford Appleton Laboratory, Chilton, Oxon, OX11 0QX, June 1994. Abstract : Contact authors.

[BUT-D8] Juan Bicarregui and Brian Matthews. Architecture for structuring proof. Deliverable BUT/RAL/BMM/11/V1, B User Trial, Rutherford Appleton Laboratory, Chilton, Oxon, OX11 0QX, April 1994. Abstract : Contact authors.

[Baron-2003] Mickaël Baron. Vers une approche sûre du développement des Interfaces Homme-Machine. PhD thesis, Université de Poitiers, December 2003. Abstract : Human-machine interfaces (HMI) are an indispensable part of almost all computer systems. The use of HMI description notations, and of models for specification, development, verification and validation, becomes indispensable to ensure that the system satisfies the properties defining the notion of usability. Today, two approaches that exploit models from the HMI domain can be considered side by side for the verification of properties : approaches based on formal development and approaches based on the definition of tools. Despite interesting advances, neither of them has yet managed to establish itself. In this thesis we propose two new approaches allowing the safe development of human-machine interfaces, both based on the same formal method (the B method). The first, based on formal development, makes it possible to integrate heterogeneous notations and techniques from the HMI domain into one single formal method (the B method), in order to express, verify and validate properties of the interactive system. The second, based on the definition of tools (SUIDT), makes it possible to design interactively the dialogue between a functional core formally developed in B and a graphical presentation of the interface, while guaranteeing that the properties expressed both in the functional core and at the level of the user’s tasks are respected.

[Bcases98] E. Sekerinski and K. Sere, editors. Program Development by Refinement : Case Studies Using the B Method. Number ISBN 1-85233-053-8 in Formal Approaches to Computing and Information Technology. Springer-Verlag London, December 1998.

[Bcases98-Robinson] Ken Robinson. Introduction to the B Method. In Sekerinski and Sere [Bcases98], December 1998.

[Behm93] Patrick Behm. Application d’une méthode formelle aux logiciels sécuritaires ferroviaires. In Atelier Logiciel Temps Réel, 6ème Journées Internationales du Génie Logiciel, 1993. Abstract : The B method is used at Matra Transport for the formalisation of the safety-critical software of the automated systems of METEOR, the future driverless Paris metro line. We present in particular the formalisation of the on-board automatic pilot (Pilote Automatique Embarqué) and we try to draw from this experience some elements of an answer to the problem of applying formal methods to industrial developments.

[Behm97] Patrick Behm, Pierre Desforges, and Fernando Mejia. Application de la méthode B dans l’industrie ferroviaire, chapter 3, pages 59–88. In OFTA [arago20], 1997.

[Behnia-PhD] Salimeh Behnia. Test de modèles formels en B : cadre théorique et critères de couvertures. Thèse de doctorat, Institut National Polytechnique de Toulouse, October 2000.

[Behnia98] Salimeh Behnia and Hélène Waeselynck. External verification of a B development process. Technical Report 98085, LAAS (TSF) – INRETS (ESTAS), 1998.

[Bert-2002] Didier Bert. Event system specification in B and representation as finite labelled transition systems. In IFIP WG1.3, L’Alpe d’Huez (France), January 2002. Abstract : The talk first introduces the B specification method. B belongs to model-oriented specification methods. Data specification relies upon Set Theory, static and invariant properties are written in First-Order Logic and actions (operations) are described by predicate transformers. A specification unit is called a "machine" which encapsulates a state and provides exported operations. A machine can be refined by another kind of unit called "refinement". The last refinement in a development chain is called an "implementation". These units must fulfill syntactic conditions. For example, operations in implementations must be fully deterministic.
Moreover, it is possible to combine machines by the way of aggregating links "includes" and "uses". A complex development can be split in a structured way by means of "imports" and "sees" primitives. Validation conditions (called proof obligations) ensure that operations preserve the invariant of the state and that a refinement preserves the observable effect of the machine (or the refinement) that it refines. Event systems are an extension of the formalism that allow the user to specify systems evolving by means of "events". The events may be triggered only if their guard is true. The theoretical framework of Event-B is the same as the one of classical B. Nevertheless, refinement conditions are more flexible because they allow introduction of new events which are not present (or not perceptible) at a more abstract level. So, it is admitted that Event-B is more powerful than classical B from a user point of view. For a presentation of Event-B. The second part of the talk is devoted to the presentation of the construction of finite labelled transition systems (LTS) from B abstract systems. This work is done in our team to investigate the benefits of a (sometimes partial) representation of the behaviour of B event systems. We choose to decompose the state of an abstract system in several disjunctive predicates. These predicates provide the basis for defining a set of states which are the nodes of the LTS, while the events are the transitions. We illustrate the method by developing the SCSI-2 (Small Computer Systems Interface) input-output system. We intend to carry out a connection between the B environment (Atelier B) and the Caesar/Aldebaran Development Package (CADP) which is able to deal with finite LTS.

[Bert2003] Didier Bert, Sylvain Boulmé, Marie-Laure Potet, Antoine Requet, and Laurent Voisin. Adaptable translator of B specifications to embedded C programs. In K. Araki, S. Gnesi, and D. Mandrioli, editors, FME 2003, volume 2805, pages 94–113. Formal Methods Europe, Springer-Verlag, 2003.

[BiRi93] J. Bicarregui and B. Ritchie. Invariants, frames and postconditions : a comparison of the VDM and B notations. In Springer-Verlag, editor, FME’93, volume 670 of Lecture Notes in Computer Science (Springer-Verlag). FME’93 Proceedings, 1993.

[BiRi95] Juan Bicarregui and Brian Ritchie. Invariant, frames and postconditions : a comparison of the VDM and B notations. In IEEE Transaction On Software Engineering [BiRi93], pages 79–89. Abstract : VDM and B are two “model-oriented” formal methods. Each gives a notation for the specification of systems as state machines in terms of a set of states with operations defined as relations on that set. ... This paper makes a comparison of the two notations through an example of a communications protocol previously formalized. Particular attention is paid to three areas where the notations differ : the use of postconditions that enforce it ; the explicit “framing” of operations as opposed to the “minimal frame” approach ; and the use of relational postconditions as opposed to generalized substitutions. (9 Refs)
.This paper makes a comparison of the two notations throuhg an example of a commu-nications protocol previously formalized.Particular attention is paid to three areas where the notations differ : the use of postcon-ditions that enforce it ; the explicit “framing” of operations as ooposed to the “minimalframe” approach ; and the use of relationnal postconditions as opposed to generalizedsubstitutions. (9 Refs) [Bicarregui95] J. C. Bicarregui and B. M. Matthews. Formal methods in practice : a comparison of two supportsystems for proof. In SOFSEM ‘95 : Theory and Practice of Informatics. 22nd Seminar on CurrentTrends in Theory and Practice of Informatics. Proceedings, 1995. Abstract : This paper discusses the use of formal methods in the light of experiencegained from two industrial projects using the B Abstract Machine Notation. A simpleexample is presented which demonstrates the use of formal specification, refinementand proof in the B-Method, and this is compared with a similar development in VDM.The role of fully formal proof is considered and, in particular, the construction of appli-cation specific theories for balancing automation and interaction in the verification ofdesigns is explored. (24 Refs) This paper discusses the use of formal methods in the light of experiencegained from two industrial projects using the B Abstract Machine Notation. A simpleexample is presented which demonstrates the use of formal specification, refinementand proof in the B-Method, and this is compared with a similar development in VDM.The role of fully formal proof is considered and, in particular, the construction of appli-cation specific theories for balancing automation and interaction in the verification ofdesigns is explored. (24 Refs) [Bicarregui97] J. C. Bicarregui. Formal methods into practice : case studies in the application of the B method.IEE Proceedings on Software Engineering, 144(2) :119–133, April 1997. [Bicarregui98] Kevin Lano, J. C. Bicarregui, and P. Kan. 
Experiences of using formal methods for chemicalprocess control specification. pages 119–133, June 1998. [Bicarregui99] Juan C. Bicarregui, Th. Dimitrakos, Kevin Lano, T. Maibaum, B. M. Matthews, and B. Ritchie.The VDM+B project : Objectives and progress. In FM’99 VDM workshop at FM’99 WorldCongress On Formal Methods In The Development Of Computing Systems, Toulouse, France,September 1999. [Bieber95] Pierre Bieber. Spécification et Vérification avec la méthode B d’un protocole de sécurité. InJournées Formalisation des Activités Concurrentes, Toulouse, April 1995. [Bieber96a] Pierre Bieber. Interprétation d’un modèle de sécurité. Techniques et Sciences Informatiques, 15(6),April 1996. Abstract : Cet article décrit une application des méthodes formelles dans le cadre dudéveloppement d’un produit de sécurité. Le travail réalise vise a permettre une évalu-ation de la sécurité selon les critères ITSEC. Pour cela un modèle formel de securite aété développé. Ce modèle a été décrit et vérifié a l’aide de la méthode B. Puis il a été Cet article décrit une application des méthodes formelles dans le cadre dudéveloppement d’un produit de sécurité. Le travail réalise vise a permettre une évalu-ation de la sécurité selon les critères ITSEC. Pour cela un modèle formel de securite aété développé. Ce modèle a été décrit et vérifié a l’aide de la méthode B. Puis il a été [email protected] c©1999–2007 INRETS-ESTAS18/59 B Method BibliographyGeorges Marianomis en correspondance avec les spécifications du produit. Ce travail d’interprétation dumodèle a permis de guider la conception des fonctions de securite du produit. Availableat ftp ://ftp.cert.fr/pub/ssi/acsac96.ps.gz [Bieber96b] Pierre Bieber. Formal techniques for an ITSEC-E4 secure gateway. In proceedings of the 12th An-nual Computer Security Applications Conference. IEEE computer society press, December 1996.Abstract : In this paper we describe the method used to develop a gateway capable ofmeeting the ITSEC E4 requirements. 
The security policy was formally modelled and proven consistent with the functional specifications by means of an interactive theorem prover. The formalisms were used to assist in the design of the security architecture. Available at ftp://ftp.cert.fr/pub/ssi/tsi.ps.gz

[Bon-PhD] Philippe Bon. Du cahier des charges aux spécifications formelles : une méthode basée sur les réseaux de Petri de haut niveau. PhD thesis, Université des Sciences et Techniques de Lille, October 2000.

[Bos92] Gheorghe Bosilca. Développement et Preuve formelle de programmes. DEA thesis, Université d’Orsay Paris XI, 1992.
Abstract: Drawing on the experience of other scientific disciplines, the computing community has developed its own model for representing the life cycle of a software product. Since 1968, formal methods for developing software products have been devised in order to carry out formal proofs of their correctness. Some of them have passed into industrial practice, sometimes allowing the careless claim that the product has been proven from a mathematical point of view, as a total guarantee of its absolute correctness.

[Boulanger2001] J.-L. Boulanger, Georges Mariano, and Ammar Aljer. Conception sûre de circuits basée sur la notion de propriété. In ICSSEA’2001 – 14th Int. Conf. on Software Systems Engineering and Their Applications, volume 2, CNAM, Paris, France, December 2001.

[Bro93] M. Brossard. Spécification, programmation et preuve formelles. Tome 2 : Techniques ensemblistes. France Télécom CNET, December 1993.
Abstract: This second volume is devoted to the family of set-based languages such as Z or B, and to Dijkstra’s program-writing technique. The various techniques are approached from a comparative angle. Besides their main characteristics, the reader will find the points they have in common and their fundamental differences.

[Btoolkit] anonymous. The B-Toolkit demonstration. In TAPSOFT’95: Theory and Practice of Software Development. 6th International Joint Conference CAAP/FASE. Proceedings, 1995.
Abstract: The B-Toolkit is a suite of integrated programs which implement the B-Method for software development. The B-Method is a collection of mathematical based techniques which give a formal basis to those activities of software development that range from software specification, through design and integration, to code generation and into maintenance. The B-Toolkit’s component tools are implemented in the B Theory Language and are interpreted by the B-Tool. The B Theory Language is a special purpose language for writing software engineering tools including interactive and automatic proof assistants and other tools where pattern matching, substitution and rewrite mechanisms are used (e.g. translators, interpreters and generators). (0 Refs)

[BuechiICFEM98] Martin Büchi. The B bank: A complete case study. In Proceedings of ICFEM98, the Second International Conference on Formal Engineering Methods, pages 190–199. IEEE Press, December 1998.

[Burdy-PhD] Lilian Burdy. Traitement des expressions dépourvues de sens de la théorie des ensembles : Application à la méthode B. PhD thesis, CEDRIC-CNAM, 2000.
Abstract: This work concerns the definition of a logic for a language with partial functions. A three-valued interpretation is chosen for formulas. From this semantics, a consequence relation is defined and two deduction systems incorporating well-definedness proofs are proposed; the latter has the advantage of not mixing the well-definedness proofs with the usual proofs, and thus gives the user the impression of always working in a two-valued logic. These choices were guided by the fact that this system is intended to be implemented in a proof assistant tool. This work was extended to a language with partial functions which is the logical language underlying the B method. A tool for generating well-definedness proof obligations is specified. These proofs are added to the validation proofs of the various B components.

[Butler02] Michael J. Butler. A system-based approach to the formal development of embedded controllers for a railway. Design Automation for Embedded Systems, 6(4), July 2002. ISSN 0929-5585.

[CADE15] Horatiu Cirstea and Claude Kirchner. Using rewriting and strategies for describing the B predicate prover. In CADE-15: Workshop on Strategies in automated deduction, pages 25–36, Lindau, Germany, July 1998.

[CBD2002-Petit] Dorian Petit, Vincent Poirriez, and Georges Mariano. Development of Formal Components Using the B Method. In Manuel Carro, Claudio Vaucheret, and Kung-Kiu Lau, editors, Proceedings of the First COLOGNET Joint Workshop on Component-based Software Development and Implementation Technology for Computational Logic Systems, number CLIP4/02.0, pages 35–46, September 2002.
Abstract: The aim of this paper is to merge two approaches of software development. The first one is the component approach. Developing software components is now a new challenge in the software industry. The second approach is the formal one. These approaches are not so distant if we consider B. Meyer’s opinion: a component without contracts can not be reused (more rigorously, he said that it was more complicated to reuse such a component). One of the difficulties with the design by contract approach is to find the contracts. In some formal approaches (we will use the B method in this paper) the software properties (the contracts) are expressed in the specifications. We present in this paper a tool we have developed to generate code from B specifications. We will see how we can link the notion of component and the B specifications.
Keywords: B method, code generation, Design-by-contract, BRILLANT

[CCL97-Cirstea] Horatiu Cirstea and Claude Kirchner. Theorem proving using computational systems: The case of the B predicate prover. In Workshop CCL’97, Schloß Dagstuhl, Germany, September 1997.

[CDDM92] M. Carnot, C. DaSilva, B. Dehbonei, and F. Mejia. Error-free software development for critical systems using the B-methodology. IEEE, pages 274–281, 1992.
Abstract: The paper describes the process of software development for critical systems using the B-methodology designed by Abrial, Jean-Raymond.

[CLPSB:STTT] Fabrice Bouquet, Bruno Legeard, and Fabien Peureux. CLPS: A constraint solver to animate a B specification. International Journal on Software Tools for Technology Transfer (STTT), 6(2):143–157, August 2004.
Abstract: This paper proposes an approach to evaluating B formal specifications using constraint logic programming with sets (CLPS). This approach is used to animate and generate test sequences from B formal specifications. The solver, called CLPS-B, is described in terms of constraint domains, consistency verification, and constraint propagation. It is more powerful than most constraint systems because it allows the domain of a variable to contain other variables, which increases the level of abstraction. The constrained state propagates the nondeterminism of the B specifications and reduces the number of states in a reachability graph. We illustrate this approach by comparing the constrained state graph exploration with the concrete one in a simple example, a process scheduler. We also describe the automated test generation method that uses the CLPS-B solver to better control combinational explosion.

[CPA07] Department of Computing at University of Surrey. Communication Process Architecture 2007, Guildford, Surrey, U.K., July 2007.

[CPA07-Grant] Neil Grant and Neil Evans. Towards the formal verification of a Java processor in Event-B. In Communication Process Architecture 2007 [CPA07].
Abstract: Formal verification is becoming more and more important in the production of high integrity microprocessors. The general purpose formal method called Event-B is the latest incarnation of the B Method: it is a proof-based approach with a formal notation and refinement technique for modelling and verifying systems. Refinement enables implementation-level features to be proven correct with respect to an abstract specification of the system. In this paper we demonstrate an initial attempt to model and verify Sandia National Laboratories’ Score processor using Event-B. The processor is an (almost complete) implementation of a Java Virtual Machine in hardware. Thus, refinement-based verification of the Score processor begins with a formal specification of Java bytecode. Traditionally, B has been directed at the formal development of software systems. The use of B in hardware verification could provide a means of developing combined software/hardware systems, i.e. codesign.

[CPA07-Ifill] Wilson Ifill and Steve Schneider. A step towards refining and translating B control annotations to Handel-C. In Communication Process Architecture 2007 [CPA07].
Abstract: Research augmenting B machines presented at B2007 has demonstrated how fragments of control flow expressed as annotations can be added to associated machine operations, and shown to be consistent. This enables designers’ understanding about local relationships between successive operations to be captured at the point the operations are written, and used later when the controller is developed. This paper introduces several new annotations and I/O into the framework to take advantage of hardware’s parallelism and to facilitate refinement and translation. To support the new annotations additional CSP control operations are added to the control language that now includes: recursion, prefixing, external choice, if-then-else, and sequencing. We informally sketch out a translation to Handel-C for prototyping.

[CPA07-McEwan] Alistair A. McEwan and Steve Schneider. Modeling and analysis of the AMBA bus using CSP and B. In Communication Process Architecture 2007 [CPA07].
Abstract: In this paper, we present a formal model and analysis of the AMBA Advanced High-performance Bus (AHB) on-chip bus. The model is given in CSP||B, an integration of the process algebra CSP and the state-based formalism B. We describe the theory behind the integration of CSP and B. We demonstrate how the model is developed from the informal ARM specification of the bus. Analysis is performed using the model-checker ProB. The contribution of this paper may be summarised as follows: presentation of work in progress towards a formal model of the AMBA AHB protocol such that it may be used for inclusion in, and analysis of, co-design systems incorporating the bus, an evaluation of the integration of CSP and B in the production of such a model, and a demonstration and evaluation of the ProB tool in performing this analysis. The work in this paper was carried out under the Future Technologies for Systems Design Project at the University of Surrey, sponsored by AWE.

[CPA07-Yang] Letu Yang and Michael R. Poppleton. JCSProB: Implementing integrated formal specifications in concurrent Java. In Communication Process Architecture 2007 [CPA07].
Abstract: The ProB model checker provides tool support for an integrated formal specification approach, combining the classical state-based B language with the event-based process algebra CSP. In this paper, we present a developing strategy for implementing such a combined ProB specification as a concurrent Java program. A Java implementation of the combined B and CSP model has been developed using a similar approach to JCSP.
A set of translation rules relates the formal model to its Java implementation,and we also provide a translation tool JCSProB to automatically generate a Java pro-gram from a Prob specification. To demonstrate and exercise the tool, several B/CSPmodels, varying both in syntactic structure and behavioural/concurrency properties, aretranslated by the tool. The models manifest the presence and absence of various safety,deadlock, and bounded fairness properties ; the generated Java code is shown to faith-fully reproduce them. Run-time safety and bounded fairness checking is also demon-strated. The Java programs are discussed to demonstrate our implementation of theabstract B/CSP concurrencymodel in Java. In conclusion we consider the effectivenessand generality of the implementation strategy. The ProB model checker provides tool support for an integrated formal spec-ification approach, combining the classical state-based B language with the eventbasedprocess algebra CSP. In this paper, we present a developing strategy for implementingsuch a combined Prob specification as a concurrent Java program. A Java implementa-tion of the combined B and CSP model has been developed using a similar approachto JCSP. A set of translation rules relates the formal model to its Java implementation,and we also provide a translation tool JCSProB to automatically generate a Java pro-gram from a Prob specification. To demonstrate and exercise the tool, several B/CSPmodels, varying both in syntactic structure and behavioural/concurrency properties, aretranslated by the tool. The models manifest the presence and absence of various safety,deadlock, and bounded fairness properties ; the generated Java code is shown to faith-fully reproduce them. Run-time safety and bounded fairness checking is also demon-strated. The Java programs are discussed to demonstrate our implementation of theabstract B/CSP concurrencymodel in Java. 
In conclusion we consider the effectivenessand generality of the implementation strategy. [Cha92] P. Chapront. Vital coded processor and safety related software design. In H. H. Frey, editor,Safety of Computer Control Systems 1992 (SAFECOMP 92) Computer Systems in Safety-CriticalApplications. Proceedings of the IFAC Symposium, pages 141–145. Div. of Transp., GEC Alsthom,Saint-Ouen, France, Pergamon, Oxford, UK, October 1992. Abstract : The implementation of a vital coded processor is discussed. Constraints ofsafety critical software for a train control system are described, and a presentation offormal methods is made. The B-method is described with more details on specificationand design. Corresponding tools are mentioned. Some results obtained in applicationare given. Production of software for the vital coded processor is described and the linkwith the B-method is made. Conclusions of GEC ALSTHOM experience are given. (4Refs) The implementation of a vital coded processor is discussed. Constraints ofsafety critical software for a train control system are described, and a presentation offormal methods is made. The B-method is described with more details on specificationand design. Corresponding tools are mentioned. Some results obtained in applicationare given. Production of software for the vital coded processor is described and the linkwith the B-method is made. Conclusions of GEC ALSTHOM experience are given. (4Refs) [Colin-PhD] Samuel Colin. Contribution à l’intégration de temporalité au formalisme B : utilisation du calculdes durées en tant que sémantique pour B. Thèse de doctorat, Université de Valenciennes et duHainaut-Cambrésis, October 2006. Abstract : In the field of automated systems where reliability is the first requirement,formal methods proved to be efficient for the design of safe software. 
The dependencytowards such systems is increasing, and the constraints to be met by these systems be-come more and more various and precise, particularly timed constraints. Some formalmethods, notably the B method, make designing difficult under these constraints, be-cause this is not what they have been made for in the first place. We therefore propose toextend the B method so that it can help specifying and validating systems with complex In the field of automated systems where reliability is the first requirement,formal methods proved to be efficient for the design of safe software. The dependencytowards such systems is increasing, and the constraints to be met by these systems be-come more and more various and precise, particularly timed constraints. Some formalmethods, notably the B method, make designing difficult under these constraints, be-cause this is not what they have been made for in the first place. We therefore propose toextend the B method so that it can help specifying and validating systems with complex [email protected] c©1999–2007 INRETS-ESTAS22/59 B Method BibliographyGeorges Marianotimed constraints. We use calculi of durations in order to express the semantics of the Blanguage and deduce a conservative extension allowing its use in both its original con-text and in the context of time-constrained systems. We also study the problem of usinga generic proof tool for validating duration calculus formulas. The genericity of thiskind of tool helps answering the growing number of formal methods, but introduces theproblem of adapting the mathematical foundations of such formal methods to a generictool. We thus propose to study the implementation of duration calculus as a shallowembedding in the Coq proof assistant. We draw from it more general conclusions aboutthe implementation of a particular modal logic in a generic-oriented tool. [Couchot2003] J.-F. Couchot, F. Dadeau, D. Deharbe, A. Giorgetti, and S. Ranise. 
Proving and debugging set-based specifications. In Proc. of the 6th Workshop on Formal Methods, Campina Grande, PB,Brazil, October 2003. UFCG. [DDM91] C. DaSilva, B. Dehbonei, and F. Mejia. Formal specification in the development of industrialapplications : The subway speed control mechanism, 1991. [DM94] Babak Dehbonei and Fernando Mejia. Formal development of software in railways safety criti-cal systems. In B. T. K. S. Murthy, C. A. Mellitt, G. Brebbia, and S. Sciutto, editors, RailwayOperations, volume 2, pages 213–219. COMPRAIL94, Computational Mechanics Publications,1994. Abstract : Software is increasingly involved in the new generation of railways sig-nalling systems. In systems such as interlocking, train routing devices or automatictrain protection, electronic or electromechanical devices that previously provided safetycritical functions are being replaced by computers Software is increasingly involved in the new generation of railways sig-nalling systems. In systems such as interlocking, train routing devices or automatictrain protection, electronic or electromechanical devices that previously provided safetycritical functions are being replaced by computers [DM94b] Babak Dehbonei and Fernando Mejia. Formal methods in the railways signalling industry. InSpringer-Verlag, editor, FME’94 : Industrial Benefits of Formal Methods, volume 873 of LectureNotes in Computer Science (Springer-Verlag), pages 26–34. 1994. [DSSE-TR-96-6] Michael J. Butler. An approach to the design of distributed systems with B AMN. Techni-cal report, Declarative Systems & Software Engineering Group, Department of Electronics andComputer Science, University of Southampton, September 1996. Abstract : In this paper, we describe an approach to the design of distributed systemswith B AMN. The approach is based on the action-system formalism which providesa framework for developing state-based parallel reactive systems. 
More specifically,we use the so-called CSP approach to action systems in which interaction betweensubsystems is by synchronised message passing and there is no sharing of data. Weshow that the abstract machines of B may be regarded as action systems and show howreactive refinement and decomposition of action systems may be applied to abstractmachines. The approach fits in closely with the stepwise refinement method of B. In this paper, we describe an approach to the design of distributed systemswith B AMN. The approach is based on the action-system formalism which providesa framework for developing state-based parallel reactive systems. More specifically,we use the so-called CSP approach to action systems in which interaction betweensubsystems is by synchronised message passing and there is no sharing of data. Weshow that the abstract machines of B may be regarded as action systems and show howreactive refinement and decomposition of action systems may be applied to abstractmachines. The approach fits in closely with the stepwise refinement method of B. [DSSE-TR-99-2] Michael J. Butler. CSP2B : A practical approach to combining CSP and B. Technical report,Declarative Systems & Software Engineering Group, Department of Electronics and ComputerScience, University of Southampton, February 1999. Abstract : This paper describes the tool CSP2B which provides a means of combiningCSP-like descriptions with standard B specifications. The notation of CSP provides aconvenient way of describing the order in which the operations of a B machine may oc-cur. The function of the tool is to convert CSP-like specifications into standard machine-readable B specifications which means that they may be animated and appropriate proof This paper describes the tool CSP2B which provides a means of combiningCSP-like descriptions with standard B specifications. The notation of CSP provides aconvenient way of describing the order in which the operations of a B machine may oc-cur. 
The function of the tool is to convert CSP-like specifications into standard machine-readable B specifications which means that they may be animated and appropriate proof [email protected] c©1999–2007 INRETS-ESTAS23/59 B Method BibliographyGeorges Marianoobligations may be generated. Use of CSP2B means that abstract specifications and re-finements may be specified purely using CSP or using a combination of CSP and B.The translation is justified in terms of an operational semantics.[Diller93b] Antoni Diller and Rosemary Docherty. A comparison of Z and Abstract Machine Notation. Tech-nical Report CSR-93-9, University of Birmingham, School of Computer Science, August 1993.Abstract : In this paper we compare the formal specification languages Z and AbstractMachine Notation (AMN) ; the later of which is due to Abrail. The strategy adopted isthat of presenting the same specification both in Z and AMN and of commenting onsalient differences as they arise. The specification chosen is a slightly revised versionof the specification of an Internal Telephone Number Database found in Diller (1990),pp.35-55. the end of the paper some general conclusions are drawn.[Docherty93] Rosemary Docherty and Antoni Diller. CAVIAR in AMN. Technical Report CSR-93-3, Universityof Birmingham, School of Computer Science, May 1992.Abstract : This specification illustrates many aspects of Z the interleaving of mathe-matical text with informal prose, and the facilities to parameterise specifications and tobuild descriptions of large systems from smaller ones.[EDCC4] Jean-Louis Boulanger, Ammar Aljer, and Georges Mariano. B/HDL, an experiment to formalizinghardware by software formals specifications. In EDCC4, Fourth European Dependable ComputingConference, Parc des Expositions,Toulouse , France, October 2002.Abstract : In this paper, we presented a part of our work to create B libraries whichcorrespond to some VHDL packages, as the STD_LOGIC_1164 package. 
This project enables us to take advantage of the power of the B method to develop a secure circuit. We write the specification of a desired circuit, then little by little we refine our specifications to reach the implementation of this circuit which depends on the desired libraries. The B method due to J.R. Abrial is a formal method for the incremental development of specifications and their refinements down to an implementation. It is a model-based approach similar to Z and VDM. The software design in B starts from mathematical specifications. Little by little, through many refinement steps, the designer tries to obtain a complete and executable specification. This process must be monotonic, that is any refinement has to be proven coherent according to the previous steps of refinement. The B tool can automatically decide which induced proofs are necessary to verify this correctness. Then these proofs are produced either automatically for the simple ones or in cooperation with the designer for the complex ones. The abstract machine is the basic element of a B development. It encapsulates some state data and offers some operations. In the B development, the proofs accompany the construction of software. Each time an abstract machine is defined or modified, there are proof obligations related to its mathematical consistency ; if the machine is a refinement or an implementation, there are also proofs of its correctness with respect to the previous steps of the development chain. The B tool can automatically generate the proof obligations for each abstract machine. Generally speaking, the proof obligations will be all the more complex as concrete details are introduced. So, at the last refinement, the implementation, we obtain a secure software which does not need to be tested. On the other hand, VHDL (VHSIC Very High Speed Integrated Circuits Hardware Description Language) is an IEEE Standard since 1987.
It is "a formal notation intended for use in all phases of the creation of electronic systems [ ... ] it supports the development, verification, synthesis, and testing of hardware designs, the communication of hardware design data ..." (Preface to the IEEE Standard VHDL Language Reference Manual). This presentation is devoted to showing the cross fertilisation between the circuit design methodology and the B method concepts. In a first work, the famous standard VHDL package, the STD_LOGIC_1164, is transposed in the form of a B library as an example to be used as a set of B elementary components. In the same way, other VHDL packages can be translated as B circuit components in order to give to the designer a high-level view. Using this approach, one can develop a circuit of which each part of the specification is proven to be correct. A B circuit may be easily improved and it may be integrated with the other elements in the environment to satisfy safety conditions. We intend to create several libraries in B equivalent to the VHDL libraries, in order to facilitate the circuit design in B. Also this facilitates the transformation operation from B to VHDL. We try to find a common rule which may be used to automate the translation. Also we may solve this problem by creating a physical library in B that contains the characteristics of the basic electronic elements or by retranslating the results of a circuit development from B to VHDL. Semi-automatic translation of similar VHDL specification to B abstract machine is another way of work. In a first step, we define the properties of the new components. The second step is graphical ; it introduces the components synthesis by composition of basic components.

[EJC2000-JRA1] Jean-Raymond Abrial. B : 2000 et plus. École Jeunes chercheurs en programmation, March 2000.

[EJC2000-JRA2] Jean-Raymond Abrial. Bridge.
École Jeunes chercheurs en programmation, March 2000.

[EJC2000-JRA3] Jean-Raymond Abrial. Event driven sequential program construction. École Jeunes chercheurs en programmation, March 2000.

[ENTCS-Idani] Akram Idani and Yves Ledru. Object oriented concepts identification from formal B specifications. In Electronic Notes in Theoretical Computer Science, volume 133, pages 159–174. Elsevier, 2005. sciencedirect.com.

[ESTAS-RT1999-25] Georges Mariano and Jean-Louis Boulanger. Modélisation formelle de circuits numériques par la méthode B. Rapport Technique 1999-25, INRETS-ESTAS, 20 rue Elisee Reclus, 59650 Villeneuve d’Ascq, December 1999.

[FACIT-Frappier] Hassan Diab and Marc Frappier. B : A Model-Based Method Using Generalised Substitutions. Number ISBN : 1-85233-353-7 in Formal Approaches to Computing and Information Technology. Springer-Verlag, 2002.

[FDL06-Oliver] Ian Oliver. A demonstration of specifying and synthesising hardware using B and bluespec. In Forum on Specification and Design Languages, Darmstadt, September 2006. European Electronic Chips & Systems design Initiative.

[FEM98-Waeselynck] Hélène Waeselynck and Salimeh Behnia. B model animation for external verification. In J. Staples, M. Hinchey, and S. Liu, editors, Second International Conference on Formal Engineering Methods, pages 36–45. IEEE Computer Society Press, December 1998.

[FM99-Behnia] Salimeh Behnia and Hélène Waeselynck. Test criteria definition for B models. In Wing et al. [FM99-I], pages 509–529.

[FM99-Buchi] Martin Büchi and Ralph Back. Compositional symmetric sharing in B. In Wing et al. [FM99-I], pages 431–451.
Abstract : Sharing between B constructs is limited, both on the specification and the implementation level.
The limitations stem from the single writer/multiple readers paradigm, restricted visibility of shared variables, and structural constraints to prevent interference. As a consequence, applications with inherent sharing requirements have to either be described as large monolithic constructs or be underspecified, leading to a loss of modularity respectively certain desirable properties being unprovable. We propose a new compositional symmetric shared access mechanism based on roles describing rely/guarantee conditions. The mechanism provides for multiple writers on shared constructs,...

[FM99-Butler] Michael J. Butler. CSP2B : A practical approach to combining CSP and B. In Wing et al. [FM99-I].

[FM99-Dunne] Steve Dunne. The safe machine : A new specification construct for B. In Wing et al. [FM99-I], pages 472–489.

[FM99-I] Jeannette M. Wing, Jim Woodcock, and Jim Davies, editors. Proceedings of FM’99 : World Congress on Formal Methods, number 1709 in Lecture Notes in Computer Science (Springer-Verlag). Springer-Verlag, September 1999.

[FM99-II] Jeannette M. Wing, Jim Woodcock, and Jim Davies, editors. Proceedings of FM’99 : World Congress on Formal Methods, number 1708 in Lecture Notes in Computer Science (Springer-Verlag). Springer-Verlag, September 1999.

[FM99-MATRA] Patrick Behm, Paul Benoit, Alain Faivre, and Jean-Marc Meynadier. METEOR : A successful application of B in a large project. In Wing et al. [FM99-I], pages 369–387.

[FM99-Matthews] Brian Matthews and Elvira Locuratolo. Formal development of databases in ASSO and B. In Wing et al. [FM99-I], pages 388–410.

[FM99-Meyer] Eric Meyer and Jeanine Souquières. Systematic approach to transform OMT diagrams to a B specification. In Wing et al. [FM99-I], pages 875–895.

[FM99-Munoz] César Muñoz and John Rushby. Structural embeddings : Mechanization with method. In Wing et al. [FM99-I], pages 452–471.

[FM99-Rouzaud] Yann Rouzaud.
Interpreting the B-method in the refinement calculus. In Wing et al. [FM99-I], pages 411–430.

[FM99-Sabatier] Denis Sabatier and Pierre Lartigue. The use of the B formal method for the design and the validation of the transaction mechanism for smart card applications. In Wing et al. [FM99-I], pages 348–368.
Abstract : This document describes an industrial application of the B method in smart card applications. In smart card memory, data modification may be interrupted due to a card withdrawal or a power loss. The EEPROM memory may result in an unstable state and the values subsequently read may be erroneous. The transaction mechanism provides a secure means for modifying data located in the EEPROM. As the security in smart card applications is paramount, the use of the B formal method brings high confidence and provides mathematical proof that the design of the transaction mechanism fulfills the security requirements.

[FME03-Butler] Michael Leuschel and Michael J. Butler. ProB : A model checker for B. In Araki Keijiro, Stefania Gnesi, and Mandrio Dino, editors, Proceedings of Formal Methods Europe 2003, pages 855–874, Pisa, Italy, 2003.
Abstract : We present ProB, an animation and model checking tool for the B method. ProB’s animation facilities allow users to gain confidence in their specifications, and unlike the animator provided by the B-Toolkit, the user does not have to guess the right values for the operation arguments or choice variables. ProB contains a model checker and a constraint-based checker, both of which can be used to detect various errors in B specifications. We present our first experiences in using ProB on several case studies, highlighting that ProB enables users to uncover errors that are not easily discovered by existing tools.

[FME2001-Bellegarde] Françoise Bellegarde, C. Darlot, Jacques Julliand, and O. Kouchnarenko. Reformulation : a way to combine dynamic properties and B refinement. In International Symposium Formal Methods Europe 2001, FME 2001, volume 2021 of Lecture Notes in Computer Science (Springer-Verlag), pages 2–19, March 2001.

[FME96-Lano] Kevin Lano. Formal development in B Abstract Machine Notation : FME’96 Tutorial, 1996.

[FMP97] K. A. Robinson. Specification and implementation of a random access data type : A case study using the B-method. In Formal Methods Pacific 97, pages 313–314, Wellington, New Zealand, July 1997.
Abstract : In this tutorial the specification, design and implementation of a random access data type is explored. The development is carried out within the discipline of the B Method and using the B Toolkit, and the paper is a tutorial on the use of the B Method’s abstract machine notation for the specification and design of abstract datatypes.
The treatment presented here is intended to be the first part of a unified treatment of data types, in which the basic functionality of the data types is emphasized. This contrasts with the treatment given in conventional intermediate data structure treatments in which data types are differentiated on the basis of implementation specific functionality.

[FORMS04] E. Schnieder and G. Tarnai, editors. Formal Methods and Automation and Safety in Railway and Automotive Systems, Braunschweig, Germany, December 2004.

[FORMS04-Boulanger] Jean-Louis Boulanger and Philippe Bon. BRAIL requirement analysis. In Schnieder and Tarnai [FORMS04], pages 221–229.

[FORMS04-Marcano] Rafael Marcano, Georges Mariano, and Philippe Bon. UML-based design and formal analysis of railway traffic control systems. In Schnieder and Tarnai [FORMS04], pages 173–182.

[FORMS2003-Petit] Dorian Petit, Georges Mariano, Vincent Poirriez, and Jean-Louis Boulanger. Automatic Annotated Code Generation from B Formal Specifications. In G. Tarnai and E. Schnieder, editors, Symposium on Formal Methods for Railway Operation and Control Systems, IEEE, 2003.
Abstract : In this paper, we present a new approach to generating different codes from specifications developed with the B method.
This code generator is based on the flattening algorithm and the use of a rewriting tool (an XSLT processor, for example). Currently, the commercial code generation processors are black box tools, and it is very difficult to modify them. We will show that our approach simplifies code generation specification, which makes the specification of new code generators for new target languages easier and faster. Another benefit of our approach is that it allows assertions to be added to the code generated. Assertions are expressed in the specifications but they are forgotten in the current code generation process.

[Faivre99] Alain Faivre and Paul Benoit. Safety critical software of meteor developed with the B formal method and the vital coded processor. In WCRR’99. World Congress on Railway Research, Tokyo, Japan, October 1999.

[GSW93] T. Gunther, K.-D. Schewe, and I. Wetzel. On the derivation of executable database programs from formal specifications. In J. C. P. Woodcock and P. G. Larsen, editors, FME93 : Industrial-Strength Formal Methods. First International Symposium of Formal Methods Europe Proceedings, pages 351–66. Dept. of Comput.
Sci., Hamburg Univ., Germany, Springer-Verlag, Berlin, Germany, April 1993.
Abstract : Achieving wide acceptance of formal methods in software development requires a smooth integration with requirements analysis, design and implementation. Especially for database application systems there exist well-known approaches to conceptual modeling as well as a sophisticated implementation technology on the basis of database programming languages. The work described is based on a scenario, where the B method is coupled with a conceptual modeling language TDL and a database programming language DBPL. Both these languages can be represented in B. The authors concentrate on the problem of characterizing those B specifications that are sufficiently refined in order to be transformed into equivalent DBPL programs. This gives rise to some kind of implementability proof obligation. Moreover, it is shown that the transformation itself can be regarded as a term rewriting task based on a representation by term algebras of the languages involved. For this task they exploit order-sorted algebra by using the OBJ system. (14 Refs)

[Gervais-PhD] Frédéric Gervais. Combinaison de spécifications formelles pour la modélisation des systèmes d’information. PhD thesis, Conservatoire national des arts et métiers CNAM, Université de Sherbrooke, December 2006.
Abstract : Our aim is to use only formal notations and techniques to specify information systems (IS), contrary to current methodologies that are based on semi-formal notations. On one hand, EB3 is a trace-based formal language specially created for the specification of such systems. On the other hand, B is a state-based formal language well adapted for the specification of IS static properties. A new approach called EB4 has been defined to integrate both EB3 and B. Process expressions described in EB3 are first used to represent the behaviour of the system. Then, the specification is translated into B in order to specify the main static properties. For the implementation, a set of translation rules has been defined to automatically synthesize relational database transactions from the data model described in EB3.

[Gomes2007] Bruno Emerson Gurgel Gomes, Anamaria Martins Moreira, and David Déharbe. Developing javacard applications with B. Electronic Notes in Theoretical Computer Science, 184 :81–96, 2007.

[Gue95] M. Guerlus and F. Klay. Spécification formelle : exemple issu du projet FRÉGATE. Technical report, CNET, 1995.
Abstract : Postscript available at : http://estas1.inrets.fr:8001/ESTAS/BUG/Publis

[HASE00-Requet] Antoine Requet, Ludovic Casset, and Gilles Grimaud. Application of the B formal method to the proof of a type verification algorithm. In HASE 2000, Albuquerque (NM), November 2000.
Abstract : Smart cards are credit-card sized devices embedding a microprocessor. They are typically used to provide security to an information system. Open cards are smart cards able to download code after their issuance. The card security is usually ensured by a third party that sends a cryptographic certificate with the code to authenticate it. On card code verification could be a solution for improving card deployment flexibility. However, due to the small amount of resources, the verification process is generally done off card, and checking downloaded code on card is a real challenge. The FAÇADE architecture proposes to split the verification process in two parts and to embed a verifier on card. The type inference, the most expensive part, is performed off card, and a part of the result is sent with the code to the card. The card performs a linear type inference and uses the result to verify that the loaded code is well typed. This article proposes to model the second part of the FAÇADE verification process and to prove the correctness of the algorithm. As the precomputation used for the verification cannot be trusted, it is necessary to ensure that the verification algorithm will never accept an ill-typed program, even if the precomputation has been modified. We present the approach chosen to prove that if the program is accepted, then it is correct versus the FAÇADE semantics. We use the B method to abstract the algorithm and to prove it.

[HDR-Potet] Marie-Laure Potet. Spécifications et développements formels : Etude des aspects compositionnels dans la méthode B. Thèse d’habilitation, LSR-IMAG, 2002.
Abstract : To date, formal methods have shown that they can be applied successfully to the development of industrial software. To master the growing complexity of these applications, the use of the abstraction and composition paradigms is unavoidable. The B method supports the development process from specifications to code and offers a notion of modularity which allows both specifications and developments to be composed.
Compositionality of proofs is ensured by restrictions imposed by the language, which limit the forms of architecture allowed. Following our previous work, the manuscript presented here makes explicit the principles of composition of specifications and developments, states the theorems underlying the composition of proofs, and completes and validates the restrictions imposed by the B method. Although dedicated to the B method, the results presented are more general : they can be applied to other state-based formal approaches, such as object-oriented approaches.

[HL94a] Howard Haughton and Kevin Lano. Testing and safety analysis of B AMN specifications. In Refinement Workshop, January 1994.

[Habrias2001] Henri Habrias. Spécification formelle avec B. Lavoisier-Hermès, 2001.

[Haughton96] Howard Haughton. Specification in B : An Introduction Using the B Toolkit.
World Scientific Publishing, 1996.

[Hoa95] J. P. Hoare. Application of the B-Method to CICS, chapter 6. Prentice Hall International, 1995.

[Hoare96] J. Hoare, J. Dick, D. Neilson, and I. Sorensen. Applying the B technologies to CICS. In FME ’96 : Industrial Benefit and Advances in Formal Methods. Third International Symposium of Formal Methods Europe. Proceedings, pages 74–84, 1996.
Abstract : This paper reports on the experiences of IBM Hursley in using the Z notation and the B-Method (Abrial, 1993 ; 1995) in developing a new function for IBM’s CICS product. A major constraint on the project was the need to produce code that not only corresponded to its required function, but also met a number of stringent non-functional requirements in areas such as integration, performance and maintenance. The Z notation was used to capture the required function, and the resulting specification was hand-translated into AMN. The B-Toolkit, with project-specific extensions, was then used for the development down to PL/X code. The success of this endeavour is discussed. The use of Z and the B-Method were very successful in addressing the new functional requirements. Meeting the non-functional requirements, however, was more difficult. (13 Refs)

[ICFEM2005] Kung-Kiu Lau and Richard Banach, editors. Formal Methods and Software Engineering : 7th International Conference on Formal Engineering Methods, ICFEM 2005, number 3785 in Lecture Notes in Computer Science (Springer-Verlag), Manchester, UK, November 2005. ISBN : 3-540-29797-9.

[ICFEM2005-Idani] Akram Idani, Yves Ledru, and Didier Bert. Derivation of UML class diagrams as static views of formal B developments. In Lau and Banach [ICFEM2005], pages 37–51. ISBN : 3-540-29797-9.
Abstract : Although formal methods provide excellent techniques for the precise description of systems, understanding these descriptions is often restricted to experts. This paper investigates a practical solution to assist the understanding of a formal specification, written in B, by providing a complementary view of the specification as UML class diagram. Our technique improves the state of the art by taking into account operations in the construction of the diagram, through the use of concept formation techniques. A documentation tool automates the approach. It has been applied to several specifications built independently of the tool.

[ICSSEA01] Jean-Louis Boulanger, Georges Mariano, and Ammar Aljer. Conception sûre de circuit basée sur la notion de propriété. In 14èmes Journées Internationales GÉNIE LOGICIEL & INGÉNIERIE DE SYSTÈMES et leurs APPLICATIONS. SESSION 8 : MÉTHODES FORMELLES. ICSSEA’01, CNAM Paris, December 2001.
Abstract : The goal of this paper is to show how it is possible to combine the advantages of the B method in order to design secure digital circuits that may be easily developed and do not need a design test. The circuit design may be based on the libraries of well-known circuit design languages like VHDL. Our goal is to make use of the B method to produce the electronic or numeric circuits.
At the beginning, the circuit specifications are written in the abstract machine. The refinement direction is determined by the basic elements which are used to construct the desired circuit. So the designer can orient the development to the needed level. This level can be found as a basic library in B. We demonstrate how VHDL packages can be translated as circuit components for giving to the designer a high-level view. Using this approach, one can develop a circuit of which each part of the specification has been proved to be correct. From the B model it is possible to generate the VHDL code. In this paper, we describe and model some synchronized basic components which will then be reused. A synchronized circuit is viewed as a box, into which one (or more) input line is entering, and out of which an output line (or more) is emerging. A synchronized circuit is supposed to be synchronized by a clock. Our aim is to give a general method to model a circuit without knowing the details of the desired circuit. At first the analogy of development between the B method and the numeric circuits design is presented. Using this approach, one can develop a circuit of which each part of the specification is proved to be correct. A circuit may be easily improved and it may be integrated with the other elements in the environment to satisfy safety conditions. The last section of this paper summarises this work and shows its advantages and disadvantages. This paper continues the previous work. We illustrate the method with an example extracted from [2] which describes a fail-safe interface able to generate the fail-safe signals required in this railway system. Actuators in safety critical systems must be driven by fail-safe signals. Under a failure in the system, such a signal must be either in the correct or in the safe state (e.g. red colour in traffic control lights).

[IDPT2003-Petit] Dorian Petit, Vincent Poirriez, and Georges Mariano. The B method and the component-based approach.
In Formal Reasoning on Software Components and Component Based Software Architectures, 2003. Special topic session of the Seventh Conference on Integrated Design and Process Technology.
Abstract : The aim of this paper is to merge two approaches of software development. The first one is the component approach. Developing software components is now a technique widely used by the software industry. The second approach is the formal one. These approaches are not so distant if we consider Bertrand Meyer’s opinion : a component without contracts can not be reused (more exactly, he said that it was more complicated to reuse such a component). One of the difficulties with the design by contract approach is to find the contracts. In some formal approaches (we will use the B method in this paper) the software properties (the contracts) are expressed in the specifications. We present in this paper an approach to generate code in the spirit of the component approach from B specifications.
[IFM04] Fourth International Conference on Integrated Formal Methods, number 2999 in Lecture Notes in Computer Science (Springer-Verlag), Canterbury, Kent, England, April 2004. Springer Berlin / Heidelberg.

[IFM04-Lano] K. Lano, D. Clark, and K. Androutsopoulos. UML to B : Formal verification of object-oriented models. In IFM'2004 [IFM04], pages 187–206.
Abstract : The integration of UML and formal methods such as B and SMV provides a bridge between graphical specification techniques usable by mainstream software engineers, and precise analysis and verification techniques, essential for the development of high integrity and critical systems. In this paper we define a translation from UML class diagrams into B, which is used to verify the consistency of UML models and to verify that expected properties of these models hold.

[IFM05] Fifth International Conference on Integrated Formal Methods, number 3771 in Lecture Notes in Computer Science (Springer-Verlag), Eindhoven, The Netherlands, November 2005. Springer Berlin / Heidelberg.

[IFM05-Bodeveix] Jean-Paul Bodeveix, Mamoun Filali, Julia Lawall, and Gilles Muller. Formal methods meet domain specific languages. In IFM'2005 [IFM05], pages 187–206.

[IFM05-Bostrom] Pontus Bostrom and Marina Waldén. Development of fault tolerant grid applications using distributed B. In IFM'2005 [IFM05], pages 167–186.
Abstract : Computational grids have become popular for constructing large scale distributed systems. Grid applications typically run in a very heterogeneous environment and fault tolerance is therefore very important for their correctness. Since the construction of correct distributed systems is difficult with traditional development methods we propose the use of formal methods. We use Event B as our formal framework, which we extend with new constructs such as remote procedures and notifications for reasoning about grid systems. The extended language, called Distributed B, ensures that the application can handle both node and network failures. Furthermore, the new constructs in Distributed B enable straightforward implementation of the specifications, as well as automatic generation of the needed proof obligations.

[IFM05-Gervais] Frédéric Gervais, Marc Frappier, and Régine Laleau. Synthesizing B specifications from EB3 attribute definitions. In IFM'2005 [IFM05], pages 207–226.
Abstract : EB3 is a trace-based formal language created for the specification of information systems (IS). Attributes, linked to entities and associations of an IS, are computed in EB3 by recursive functions on the valid traces of the system. On the other hand, B is a state-based formal language also well adapted for the specification of IS. In this paper, we deal with the synthesis of B specifications that correspond to EB3 attribute definitions, in order to specify and verify safety properties like data integrity constraints. Each action in the EB3 specification is translated into a B operation. The substitutions are obtained by an analysis of the CAML-like patterns used in the recursive functions that define the attributes in EB3. Our technique is illustrated by an example of a simple library management system.

[IFM05-Okalas] Dieu Donné Okalas Ossami, Jean-Pierre Jacquot, and Jeanine Souquières. Consistency in UML and B multi-view specifications. In IFM'2005 [IFM05], pages 386–405.
Abstract : We present the notion of consistency relation in UML and B multi-view specifications. It is defined as a semantic relation between both views. It provides us with a sound basis to define the notion of development operator. An operator models a development step; it separates the design decisions from their expression in the specification formalisms. Operator correctness is defined as a property which guarantees that the application of an operator on a consistent specification state yields a consistent new state. An operator can be proven once and for all to be correct. A classical case-study, the Generalized Railroad Crossing (GRC), demonstrates how the different notions can be put in practice to provide specifiers with a realistic development model.

[IFM05-Schneider] Steve Schneider, Helen Treharne, and Neil Evans. Chunks : Component verification in CSP||B. In IFM'2005, pages 89–108, 2005.
Abstract : CSP||B is an approach to combining the process algebra CSP with the formal development method B, enabling the formal description of systems involving both event-oriented and state-oriented aspects of behaviour. The approach provides architectures which enable the application of CSP verification tools and B verification tools to the appropriate parts of the overall description. Previous work has considered how large descriptions can be verified using coarse grained component parts. This paper presents a generalisation of that work so that CSP||B descriptions can be decomposed into finer grained components, chunks, which focus on demonstrating the absence of particular divergent behaviour separately. The theory underpinning chunks is applicable not only to CSP||B specifications but to CSP specifications. This makes it an attractive technique for decomposing large systems for analysis with FDR.

[IFM2000-Bert] Didier Bert and F. Cave. Construction of finite labelled transition systems from B abstract systems. In Proc. of the Second International Conference Integrated Formal Methods, IFM'2000, number 1945 in Lecture Notes in Computer Science (Springer-Verlag), pages 235–254, Dagstuhl Castle, November 2000. Springer-Verlag.
Abstract : This article presents a study of how to represent the behaviour of B abstract systems by labelled transition systems (LTS). We choose to decompose the state of an abstract system into several disjunctive predicates. These predicates form the basis for defining a set of states that are the nodes of the LTS, while the events form the transitions. We illustrate the method by developing the SCSI-2 input/output system (Small Computer Systems Interface). The conclusions bear on the feasibility of the approach and on the possible benefits of this representation in terms of property analysis.

[IFM2000-Julliand] Jacques Julliand, P-A. Masson, and H. Mountassir. Modular verification for a class of PLTL properties. In International Workshop on Integrated Formal Methods, IFM'2000, volume 1945 of Lecture Notes in Computer Science (Springer-Verlag), pages 398–419, Dagstuhl, Saarland, Germany, November 2000.

[IFM2000-Meyer] Éric Meyer and Thomas Santen. Behavioural conformance verification in an integrated approach using UML and B. In Proc. of the Second International Conference Integrated Formal Methods, IFM'2000, number 1945 in Lecture Notes in Computer Science (Springer-Verlag), Dagstuhl Castle, November 2000. Springer-Verlag.

[INRETS01-717] Jean-Louis Boulanger, Ammar Aljer, Georges Mariano, Sophie Tison, and Philippe Devienne. Formalization of digital circuits using the B method. RT 01-717, INRETS-ESTAS, July 2001.
[INRETS9925] Jean-Louis Boulanger and Mariano Georges. Modélisation formelle de circuits numériques par la méthode B. Technical Report TR-99-25, INRETS-ESTAS, October 1999.

[J3ea05-boulanger] Jean-louis Boulanger. Conception sûr de circuit numérique. J3ea Journal sur l'enseignement des sciences et technologies de l'information et des systèmes, 4(4), November 2005.
Abstract : Initially this study was a simple stylistic exercise aimed at evaluating the modelling of simple digital circuits with the B method. This experiment was mainly motivated by the perception of a strong analogy between the target domain and the principles of the B method. Digital circuits are becoming more and more complex, both in terms of integration and in terms of the functions they handle. Currently, the main validation activity for digital circuits consists in running a test campaign. It does not seem obvious to us that this complexity can be faced through testing activities alone. The aim of this article is to present a methodological approach based on coupling a VHDL design with a verification by formal proof based on the B method.

[JFLA04-Rocheteau] Jérôme Rocheteau, Samuel Colin, Georges Mariano, and Vincent Poirriez. évaluation de l'extensibilité de phoX : B/PhoX un assistant de preuves pour B. In Valérie Ménissier-Morain, editor, Journées Francophones des Langages Applicatifs (JFLA 2004), pages 37–54. INRIA, 2004.

[JFLA2002-Petit] Dorian Petit, Georges Mariano, and Vincent Poirriez. Vers un système de module à la Harper-Lillibridge-Leroy pour les spécifications formelles B. In JFLA : Journées Francophones des Langages Applicatifs, pages 85–100, January 2002.
Abstract : We propose here to reuse an SML-style module calculus and to apply it to the module calculus of the language supporting the B method. By seeking to express the modularity of B in a module calculus "à la Harper-Lillibridge-Leroy", we aim to obtain a clear model of that modularity and, at the same time, tooling. This study being experimental, we restrict ourselves to one part of the B language: the components known as "implementations".

[Jambon-2001] Francis Jambon, Patrick Girard, and Aït-Ameur Yamine. Engineering for human-computer interaction. In Reed Murray Little and Laurence Nigay, editors, 8th IFIP International Conference, EHCI'01, Toronto, Canada, May 2001, volume 2254, pages 39–55, 2001.
Abstract : This paper introduces a new technique for the verification of both safety and usability requirements for safety-critical interactive systems. This technique uses the model-oriented formal method B and makes use of a hybrid version of the MVC and PAC software architecture models. Our claim is that this technique (that uses proof obligations) can ensure both usability and safety requirements, from the specification step of the development process, to the implementation. This technique is illustrated by a case study: a simplified user interface for a Full Authority Digital Engine Control (FADEC) of a single turbojet engine aircraft.

[LH94a] Kevin Lano and H. Haughton. Improving the process of system specification and development in B AMN. In Refinement Workshop, January 1994.

[LM02000-Marcano] Rafael Marcano-Kamenoff and F. Losavio. Spécification formelle de patterns d'architectures distribuées en UML et B. In LMO'2000, Langages et modèles à objets, Mont St Hilaire, Québec, January 2000. Hermès Science Publications.

[LPAR07-Jaeger] Éric Jaeger and Catherine Dubois. Why would you trust B ? In LPAR, 14th International Conference on Logic for Programming Artificial Intelligence and Reasoning, pages 288–302, 2007.
Abstract : The use of formal methods provides confidence in the correctness of developments. Yet one may argue about the actual level of confidence obtained when the method itself – or its implementation – is not formally checked. We address this question for the B, a widely used formal method that allows for the derivation of correct programs from specifications. Through a deep embedding of the B logic in Coq, we check the B theory but also implement B tools. Both aspects are illustrated by the description of a proved prover for the B logic.

[LS90] Y. Ledru and P. Y. Schobbens. Applying VDM to large developments. In International Workshop on Formal Methods in Software Development, volume 15-4, pages 55–8. SIGSOFT Software Engineering Notes, September 1990.
Abstract : The paper focuses on the use of VDM. Meta-IV, the specification language of VDM, was proved successful to specify large systems. Although many specifications have been written in Meta-IV, only a few complete VDM developments have been achieved. Experiments with VDM and the B theorem prover have provided some insight on this problem. The author gives an overview of VDM; he points out several weaknesses of the approach in the perspective of large scale developments; and discusses the benefits of the use of the B tool. (19 Refs)

[LS91] M. Lee and I. H. Sorensen. B-tool (formal specification). In S. Prehn and W. J. Toetenel, editors, VDM91. Formal Software Development Methods. 4th International Symposium of VDM Europe Proceedings, volume 1, pages 695–6. Springer-Verlag, Berlin, Germany, October 1991.
Abstract : B-Tool provides the platform for solving the problem of specification and correct construction of software systems. It is a flexible inference engine which forms the basis of a computer-aided system for the formal construction of provably correct software. When used as a theorem proving assistant, B-Tool gives the software engineer the ability to verify the logical correctness of programs. (1 Refs)

[LSS91b] M. K. O. Lee, P. N. Scharbach, and I. H. Sorensen. Engineering real software using formal methods. In J. M. Morris and R. C. Shaw, editors, 4th Refinement Workshop. Proceedings of the 4th Refinement Workshop, pages 6–33. Springer-Verlag, Berlin, Germany, January 1991.
Abstract : B is a formal method for the incremental development of specifications and their refinements. A prototype set of software tools supporting the method has been developed. The tools support the method in the development of verifiably correct software over the spectrum of activities from early specification to coding. The platform of the toolkit is the B tool, an interactive proof assistant. The process followed using the method and tools is illustrated in the development of a document management system. The authors present some early indications of the productivity of the method. They intend to establish the practicality of fully applying formal techniques at all stages of software development. (7 Refs)

[LaFi96] Kevin Lano, J. Fiadeiro, and Jeremy Dick. Extending B AMN with concurrency. Technical report, Dept. of Computing, Imperial College, 1996.

[LaHa96] Kevin Lano and Howard Haughton. Specification in B : An Introduction Using the B Toolkit. Imperial College Press, London, 1996.

[Lafontaine90] Christine Lafontaine, Yves Ledru, and Pierre-Yves Schobbens. An experiment in formal software development : using the B theorem prover on a VDM case study. In IEEE Computer Society Press, editor, ICSE'90 : Proceedings of the 12th international conference on Software engineering, pages 34–42, Los Alamitos, CA, USA, 1990.

[Lafontaine91] Christine Lafontaine, Yves Ledru, and Pierre-Yves Schobbens. An experiment in formal software development : using the B theorem prover on a VDM case study.
Communications of the ACM, 34(5):62–71, May 1991.

[Laleau-2000] Philippe Facon, Régine Laleau, and Hong Phuong Nguyen. From OMT Diagrams to B Specifications. Springer, FACIT series, 2000.

[Laleau00] Regine Laleau and Amel Mammar. Using a formal refinement to derive relational database implementations from B specifications. Technical report, CNAM-CEDRIC, February 2000.
Abstract : In this paper, an approach for refining B abstract specifications describing data-intensive applications into relational database implementations is presented. Using the refinement process of the B method, a set of generic refinement rules are described that take into account both data and operations. The last step consists of mapping the final refined component into a relational database implementation. The different rules have been checked with the AtelierB prover. The aim of the work is to automate the refinement steps. This is possible thanks to the genericity feature of the rules. The approach is illustrated through a running example.

[Laleau2001] Régine Laleau and Fiona Polack. A rigorous metamodel for UML static conceptual modelling of information systems. In K. R. Dittrich, A. Geppert, and M. C. Norrie, editors, Advanced Information Systems Engineering, volume 2068 of Lecture Notes in Computer Science (Springer-Verlag), pages 402–416, Interlaken, Switzerland, June 2001. Springer-Verlag.

[Laleau2006] Régine Laleau and Amel Mammar. From UML Diagrams to B Specifications. ISTE London, 2006.

[Lanet2004] Jean-Louis Lanet. Produire des logiciels sûrs. Thèse d'habilitation, Université de Méditerranée, March 2004.

[Lanet98] Jean-Louis Lanet and Pierre Lartigue. The use of formal methods for smartcards, a comparison between B and SDL to model the T=1 protocol. In Proceedings of International Workshop on Comparing Systems Specification Techniques, Nantes, March 1998.
Abstract : In order to obtain high confidence in the software embedded into a smart card, we evaluated different techniques like model checking and theorem proving. Nevertheless, due to the low cost of smart cards and mechanical constraints, the amount of memory available on chips is small. The code generated by the tools must be compact enough to fit the constraints. In this paper we compare different code generators with a case study of a protocol dedicated to smart cards. We show that under some conditions, the model checking tools are able to generate code with an acceptable overhead for smart cards. Our work on the B method is in progress. The invariants are more difficult to express and to prove but we pointed out some ambiguities and errors contained in the standard.

[Lanet98b] Jean-Louis Lanet and Antoine Requet. Formal proof of smart card applets correctness. In Proceedings of the Third Smart Card Research and Advanced Application Conference (CARDIS'98), pages 85–97, Louvain-la-Neuve, (be), September 1998.
Abstract : The new Gemplus smart card is based on the Java technology, embedding a virtual machine. The security policy uses mechanisms that are based on Java properties. This language provides segregation between applets. But due to the smart card constraints a byte code verifier cannot be embedded. Moreover, in order to maximise the number of applets the byte code must be optimised. The security properties must be guaranteed despite these optimisations. For this purpose, we propose an original manner to prove the equivalence between the interpreter of the JVM and our Java Card interpreter. It is based on the refinement and proof process of the B formal method.

[Lano95] K. Lano and H. Haughton.
Formal development in B Abstract Machine Notation. Information and Software Technology, 37(5-6):303–316, May–June 1995.
Abstract : The paper gives a comprehensive introduction to the B Abstract Machine Notation (AMN), a formal method which is based on Z and which is supported by an industrial quality toolset. The paper describes development techniques for AMN, including the formalization of requirements, specification construction, design and implementation. Results from a large scale safety critical development using the method are also given. (17 Refs)

[Lano96] Kevin Lano. The B Language and Method : A guide to Practical Formal Development. Springer-Verlag London Ltd., 1996.
Abstract : B is a formal approach to software specification and development based on the Z specification language. It has been successfully applied in industry, and has robust, commercially available tool support for the entire development lifecycle, from specification through to code generation. "The B language and method" provides a comprehensive introduction to the B abstract machine notation, and how it can be used to support formal specification and development of high integrity systems. Beginning with a discussion of the history of B, it builds up a description of the notation from the basic mathematical notation for sets and sequences, through to the structuring mechanisms of the language, and how it supports "programming in the large". Particular emphasis is placed on the use of B in the context of existing software development methods, including object-oriented analysis and design. Specifically designed to support the teaching of B at undergraduate and postgraduate level, the text includes a large number of worked examples and graduated exercises in B AMN specification. It also includes two extended case studies of the development process, and an appendix of proof techniques suitable for B.

[Lee91] M. K. O. Lee. The B formal software engineering technology and its technology transfer into industry. In K. R. Subramanian and E. S. Seumahu, editors, Computer, Communication and Networking Systems : An Integrated Perspective. Proceedings of the International Conference on Information Engineering ICIE 91, volume 1, pages 332–40. Dept. of Inf. Syst., City Polytech. of Hong Kong, Kowloon, Hong Kong, Elsevier, Amsterdam, Netherlands, December 1991.
Abstract : The B Technology is a software development technology based on formal mathematical notions of set theory and predicate calculus and is used for the development and production of high precision, portable and maintainable software which is verifiably correct with respect to functional specification. The B Technology comprises three components, viz, the B-method, the B Toolkit, and the B-Tool. The B-method is a software development process based on Dijkstra's guarded command notation, with built-in structuring mechanisms for the construction of large systems. The B Toolkit is a fully integrated CASE toolset supporting the B-method from formal systems specification through automatic coding to correctness verification. The operating platform of the B Toolkit is a flexible symbolic inference engine which also acts as a theorem proving assistant. This paper gives a brief summary of the B Technology. (9 Refs)

[Levy02a] Nicole Levy, Rafael Marcano, and Jeanine Souquières. From requirements to formal specification using UML and B. In 2nd International Conference in Computer Systems and Technologies CompSysTech2002, Sofia, Bulgaria, June 2002.

[MOSIM06-Fadil] H. Fadil and Jean-Luc Koning. Vers une spécification formelle des protocoles d'interaction des systèmes multi-agents en B. In 6ème Conférence Francophone de Modélisation et Simulation Modélisation, Optimisation et Simulation des Systèmes, Rabat, Maroc, April 2006.

[MOSIM06-Mosbahi] O. Mosbahi and L. Jemni Ben Ayed. Utilisation conjointe de B événementiel et la logique temporelle TLA+ pour la modélisation et la vérification de systèmes réactifs. In 6ème Conférence Francophone de Modélisation et Simulation Modélisation, Optimisation et Simulation des Systèmes, Rabat, Maroc, April 2006.

[Marcano-PhD] Rafael Marcano-Kamenoff. Spécification formelle à objets en UML/OCL et B : Une approche transformationnelle. Thèse de doctorat, Université de Versailles – PRiSM, December 2002.

[Marcano00c] Rafael Marcano. Formalizing patterns applicability : An approach based on UML and B. In Automated Software Engineering (ASE'2000) Doctoral Symposium, Grenoble, France, September 2000. Technical report number PI-1353, IRISA.

[Marcano02a] Rafael Marcano and Nicole Levy. Using B formal specifications for analysis and verification of UML/OCL models. In Workshop on consistency problems in UML-based software development. 5th International Conference on the Unified Modeling Language, Dresden, Germany, September 2002.

[Marcano02b] Rafael Marcano and Nicole Levy. Transformation rules of OCL constraints into B formal expressions. In CSDUML'2002, Workshop on critical systems development with UML. 5th International Conference on the Unified Modeling Language, Dresden, Germany, September 2002.

[Mariano-PhD] Georges Mariano. Évaluation de logiciels critiques développés par la méthode B : une approche quantitative. Thèse de doctorat, Université de Valenciennes et du Hainaut-Cambrésis, December 1997.

[Mariano2002] Georges Mariano, Jean-Louis Boulanger, and Ammar Aljer. Formalization of digital circuits using the B method. In CompRail VIII, Eighth International Conference on Computer Aided Design, Manufacture and Operation in the Railway and Other Advanced Mass Transit Systems, Lemnos, Greece, June 2002.
[Mariano96] Georges Mariano and El Miloudi El Koursi. Formal methods and metrics : Application to B development assessment. In W. B. Samson, I. M. Marshall, and D. G. Edgar-Nevill, editors, Proceedings of the 5th Software Quality Conference, pages 37–55, University of Abertay Dundee, Bell Street, Dundee DD1 HG, July 1996.

[Masson-2001] Pierre-Alain Masson. Vérification par model-checking modulaire de propriétés dynamiques PLTL exprimées dans le cadre de spécifications B événementielles. PhD thesis, UFR des Sciences et Techniques de Besançon, Université de Franche-Comté, December 2001.
Abstract : The work presented in this thesis is set in the context of the specification of reactive systems in the form of B events. Into an event-B specification we integrate the expression of dynamic properties described as propositional linear temporal logic (PLTL) formulas. The verification of these properties by a proof technique cannot be automated, so we propose to verify them by model checking. To cope with the combinatorial explosion problem inherent in model checking, we propose to partition the reachability graph derived from the specification into a set of small modules and to carry out the verification on each module separately. This method is called Modular Verification. We want to be able, from the separate verification of a property on each module, to decide whether the property holds globally. Not all properties lend themselves to such verification, since some of them may be false globally while true on each module. We therefore define the properties that lend themselves to such verification as follows (these properties are called modular) : a property is modular if and only if its being true on each module implies that it is true globally. It should also be noted that not all partitionings are equally effective for the verification of properties. Indeed, the property must hold on every module for us to be able to conclude. A random partitioning would thus very likely see the verification of a property fail in one or more modules, because some paths that make the property true might be cut. The problem is therefore to produce a modular partitioning consistent with the properties one seeks to verify. In summary, we attempt to answer the following questions : Which properties can be verified modularly ? How can a "good" modular partitioning be produced ? In answer to the first question, we formally prove that the PLTL properties derived from the three dynamic constraint schemas introduced by J.-R. Abrial and L. Mussat can be verified modularly. We also prove that a whole class of PLTL properties, including the three schemas just mentioned, can be verified modularly. We exhibit a sufficient condition for the modularity of a property. This modularity condition rests on the syntactic analysis of the Büchi automaton that encodes the negation of a PLTL property, and is therefore easily automated. To answer the second question, we propose to guide the modular decomposition by B refinement, which has the advantage of producing a semantic partitioning of the reachability graph at each refinement level. We then distinguish between new properties, introduced at a given refinement level, and old properties, established at previous refinement levels and preserved by the current one. Modular verification concerns the new properties.

[Mejia93] Babak Dehbonei and Fernando Mejia. Verification of proofs for the B formal development process. ACM SIGPLAN Notices, 28(11) :16–21, November 1993.
Abstract : Formal methods are more frequently used in the realization of industrial safety-critical systems. From the specification through a refinement process, all the steps are mathematically proved, generally with the help of automatic tools such as provers. This paper addresses the problem of the verification of such tools in the framework of the B formal development technique. The tools are written in the language called Theory Language for which the basic proof mechanism is pattern-matching. We propose a technique, based on a unification mechanism, for verifying programs written in this language. Some figures concerning the experimentation of this technique on real-life programs are given.

[Mejia97] Fernando Mejia. La méthode B, chapter 18, pages 231–246. In OFTA [arago20], 1997.

[Mermet96] Bruno Mermet. Extension of the B method to the specification of distributed systems. Technical report, CRIN-CNRS and INRIA Lorraine, 1996.

[Meyer-PhD] Eric Meyer.
Développement formel par objets : utilisation conjointe de B et UML. PhD thesis, Université de Nancy, 2001.

[Motre-Teri] Stéphanie Motré and Corinne Téri. Using formal and semi-formal methods for a common criteria evaluation. In Eurosmart, Marseille (France), June 2000.
Abstract : A smart card is an embedded system that is generally used to supply security to an information system. Traditionally the application and the OS were developed in a secure environment by the card issuer. For a few years, open platforms (e.g., Java Card, MultOS and Smart Card for Windows) have provided new facilities for application developers. They allow dynamic storage and execution of downloaded executable code. Such architecture introduces new risks : it offers the possibility to attack the card from an applet by exploiting some implementation faults. This document provides a practical overview of a Common Criteria (CC) high Evaluation Assurance Level (EAL) of a Java Card. It is not dedicated to smart card specialists as it presents the security stakes of such a technology. We present the motivation for a Java Card evaluation : reach the same security level for the new open smart card as for traditional embedded platforms. We introduce the SDL, UML and the B method to illustrate the semi-formal and formal models required for a high level evaluation. The B method has already been used in GEMPLUS to formally model security parts of the Java Card : bytecode verifier, interpreter and firewall. These case studies reveal the interest of using the B method to formalise the Java Card Virtual Machine (JCVM). SDL and UML are both semi-formal modelling languages that could be used in a high EAL. This document also proposes a comparison between these two languages based on the analysis of the Java Card security mechanisms specification. In a CC evaluation the use of semi-formal and formal techniques is required to obtain the assurance of a high security level.

[Motre2000] Stéphanie Motré. A B automaton for authentication process. In WITS’2000, Geneva (Switzerland), July 2000.
Abstract : An authentication procedure can be used on various occasions. Nowadays, you have to show your personal badge to enter your firm’s building, your car is identified by an electronic tag on its windshield at the parking entrance, your retina is scanned at your desk door, and a fingerprint analyzer permits you to access a confidential network from your computer. All these procedures are applications that include information collection (tag information obtaining, retina picture construction...), client server information exchanges (Who corresponds to the collected information ? Which permissions are granted to the person that has been identified ?), and an authentication policy. The security policy describes the constraints that should be enforced by any execution of the authentication procedure. It is represented by a security automaton, which shall be global to any authentication mechanism. F. Schneider [She-99] exposes that a security automaton can be applied to access control, information flow or resources availability processes. In this document, he describes execution monitoring as a way to supervise an application execution and to detect any illegal action. D. Walker [Wal-00] has given a way to type those automata using formal semantics.

[Moulding95a] M. R. Moulding, A. R. Newton, and T. G. A. Rushton. Evaluation of the B technology for formal requirements expression. In Proceedings of the 4th Software Quality Conference, volume 1, pages 21–9, 1995.
Abstract : The B technology is a novel mathematically-formal approach to the development of software, which has been devised primarily to address the stages from software design specification to executable program. It comprises a formal specification language, called abstract machine notation (AMN), a B method and a B toolkit. AMN allows a large specification to be structured as a number of component specifications, and supports the progressive refinement of these components down to executable code. The B method provides guidance on the use of AMN for a software development, and the B toolkit provides advanced facilities to support a formal AMN development, including specification construction, animation, proof and code generation. This paper reports on a case study which has been undertaken as part of a DTI-funded project to evaluate the broader applicability of the B technology. The case study is concerned with the use of AMN with the CORE requirements modelling method for a short term conflict alert (STCA) air traffic control function. The paper provides a brief introduction to the B technology and the STCA CORE experiment, before discussing the overall results of the case study. Generally, the B technology is considered to offer potential advantages over existing formal specification technologies, but enhancements are required to improve its effectiveness for the analysis and design stages of complex information systems ; notably, in the handling of highly structured data. (5 Refs)

[NFM96-DT] Jonathan Draper and Helen Treharne. The refinement of embedded software with the B-method.
In Northern Formal Methods Workshops in Computer Science, Workshops in Computing, Bradford, November 1996. Springer-Verlag.
Abstract : The paper describes the use of formal refinement within the MIST project. MIST (Measurable Improvement in Specification Techniques) was ESSI application experiment 10228. It details a specification style developed by the project that models embedded software within a system context.

[Nei91] D. Neilson. Machine support on Z : the zedB tool. In J. E. Nicholls, editor, Z User Workshop, Oxford 1990. Proceedings of the Fifth Annual Z User Meeting, pages 105–28. Springer-Verlag, Berlin, Germany, December 1991.
Abstract : Many operations on schemas are purely systematic processes ; for example, decoration, expansion, evaluation of Delta and Xi schemas, and the calculation of schema composition, hiding, and precondition, up to the application of the so-called one-point rule. Each of these activities may therefore be fully automated. The ITRU (Information Technology Research Unit) at BP Research, engaged in research into formal software development methods, has developed B : a formal method built on the B tool. The author describes an application of the B tool which provides a theorem proving environment for the analysis of Z specifications, incorporating the full automation of many schema operations. (11 Refs)

[Neilson94] D. S. Neilson and I. H. Sorensen. The B-Technologies : a system for computer aided programming. In Proceedings 6th Nordic Workshop on Programming Theory, pages 18–35, 1994.
Abstract : The paper introduces the B-Technologies, a mathematically based formal method and a toolset for computer aided software engineering. The B-Technologies (comprising three components : the B-Method, the B-Tool and the B-Toolkit) have been designed to scale up formal methods for practical application. The B-Method and the B-Toolkit are described. The B-Method is designed to provide a notation and a methodology for the formal specification, design, implementation and maintenance of industrial-scale software systems. The features of incremental construction of layered software as well as its incremental verification have been guiding principles in the development of the B-Method. The method uses Abrial’s (1993) Abstract Machine Notation (AMN) as the language for specification, design and implementation within the software process. AMN is based on an extension of Dijkstra’s (1976) guarded command notation, with built-in structuring mechanisms for the construction of large systems. The B-Toolkit supports the method over the entire spectrum of activities from specification through design and implementation into maintenance.
The B-Toolkit comprises automatic and interactive theorem-proving assistants, a proof printer and a set of software development tools : an AMN syntax and type checker, a specification animator and generators promoting an object oriented approach at all stages of development, and the reuse of specification models/software modules. All tools are integrated with the proof assistants into a window-based development environment. (22 Refs)

[Okalas-PhD] Dieudonné Okalas-Ossami. Construction Simultanée de Spécifications Multi-Vues UML et B. PhD thesis, LORIA-Université Nancy2, October 2006.

[PRA95b] C. H. Pratten. The AMN-PROOF tool : Proving AMN specifications with the HOL theorem prover. http://louis.ecs.soton.ac.uk/ chp/papers.html, May 1995.

[Parreaux-PhD] Benoît Parreaux. Vérification de systèmes d’événements B par model-checking PLTL ; Contribution à la réduction de l’explosion combinatoire en utilisant de la résolution de contraintes ensemblistes. PhD thesis, Laboratoire d’Informatique de l’Université de Franche-Comté (L.I.F.C.), 2000.

[Petit-PhD] Dorian Petit. Génération automatique de composants logiciels sûrs à partir de spécifications formelles B. PhD thesis, Université de Valenciennes et du Hainaut-Cambrésis, December 2003.

[Plosila-2000] Juha Plosila, Kaisa Sere, and Marina Waldén. Component-based asynchronous circuit design in B. Technical Report 377, Turku Center for Computer Science, December 1999.
Abstract : Action systems offer a component-based approach to circuit design. Component-based approaches are well established in hardware design, but are only recently more established in software design. However, software oriented methods allow a higher level of abstraction than the often quite low-level hardware design methods used today. We propose a method to organise a large circuit derivation within the B Method via its library facilities as provided by the tools. The developer proceeds from an abstract high-level specification of the intended behaviour of the target circuit via correctness-preserving transformation steps towards an implementable circuit description. At each step some part of the specification is implemented using a library component chosen by the designer and the correctness of the step is proved using the tool support of the B Method. We develop the needed program transformation rules that the designer can appeal to when using library components in his or her design.

[RBH94] B. Ritchie, J. Bicarregui, and H. Haughton. Experiences in using the Abstract Machine Notation in a GKS case study. In Springer-Verlag, editor, FME’94 : Industrial Benefits of Formal Methods, volume 873 of Lecture Notes in Computer Science (Springer-Verlag), pages 93–104. 1994.
Abstract : The paper discusses the authors’ experiences in reengineering and subsequently refining part of a Z style specification of the Graphics Kernel System using the Abstract Machine Notation as supported in the B Toolkit. (10 Refs)

[RODIN-BEvt] Christophe Metayer, Jean-Raymond Abrial, and Laurent Voisin. Event-B language. RODIN Project Deliverable D7, May 2005.

[Requet00] Antoine Requet. A B model for ensuring soundness of the Java card virtual machine. In FMICS’2000, Berlin, March 2000.
Abstract : Java Cards are a new generation of smart cards that use the Java programming language. As smart cards are usually used to supply security to a system, security requirements are very strong and certification can become a competitive advantage. Such a certification to a high Common Criteria or ITSEC level requires the proof of all the security mechanisms. Those security mechanisms include the byte code interpreter and verifier of the virtual machine. Previous work has been done on a methodology for proving the soundness of the byte code interpreter and verifier using the B method. It refines an abstract defensive interpreter into a byte code verifier and a byte code interpreter. However, this work had only been tested on a very small subset of the Java Card instruction set. This paper presents a work aiming at verifying the scalability of this previous work. The original instruction subset of about ten instructions has been extended to more than one hundred instructions, and the additional cost of the proof has been managed by modifying the specification in order to group opcodes by properties.

[Robinson97] K. A. Robinson. The B-method and the B-toolkit. In Sixth International Conference, Algebraic Methodology and Software Technology, pages 576–580. Sydney, Springer, December 1997.
Abstract : The B Method is a full spectrum formal software development method that covers the software process from specification to implementation. The method uses state machines, defined using logic and set theory with a notation similar to that of Z, that export operations. The method supports a notion of refinement and implementation, which is based on the notion of refinement in the refinement calculus with the exception that there is no distinction between procedural and data refinement. The B Toolkit is a configuration tool that manages developments under the B Method, generating proof obligations and supporting tools for the discharge of those proof obligations. There is also support for the generation of documentation, and for the browsing of developments.

[SAC06-Fekih] Houda Fekih, Leila Jemni Ben Ayed, and Stephan Merz. Transformation of B specifications into UML class diagrams and state machines. In 21st Annual ACM Symposium on Applied Computing SAC 2006, volume 2, pages 1840–1844, Dijon, France, April 2006.

[SCI04-Boulanger] Jean-Louis Boulanger. BHDL an example. In SCI 2004 The 8th World Multi-Conference on Systemics, Cybernetics and Informatics, Orlando, Florida, USA, volume IX, pages 150–155. International Institute of Informatics and Systemics, July 2004.

[SH94] A. C. Storey and H. P. Haughton. A strategy for the production of verifiable code using the B Method. In Springer-Verlag, editor, FME ’94 : Industrial Benefit of Formal Methods. Second International Symposium of Formal Methods Europe. 1994.
Abstract : The purpose of this paper is to describe extensions to the B Method in order to facilitate the generation of provably correct SPARK Ada code. Two strategies are provided. Firstly, a process model for the B Method is stated that allows the semi-automatic production of refinements through the use of standard library machines.
Secondly, transformation rules are given for the automatic generation of SPARK Ada code from these refinements. Finally, an overview is given of how the semantics of Abstract Machine Notation and SPARK Ada can be used in order to verify these transformation rules. (7 Refs)

[SOFSEM95] J. C. Bicarregui and B. M. Matthews. Formal methods in practice : a comparison of two support systems for proof. In Bartosek et al., editors, SOFSEM’95 : Theory and Practice of Informatics, volume 1012 of Lecture Notes in Computer Science (Springer-Verlag). Springer-Verlag, 1995.
Abstract : http://theory.doc.ic.ac.uk:80/ jcb1/sofsem95.ps

[Schneider05] Steve Schneider, Thai Son Hoang, Ken Robinson, and Helen Treharne. Tank monitoring : A pAMN case study. Electronic Notes in Theoretical Computer Science, 137(2) :183–204, 2005.
Abstract : The introduction of probabilistic behaviour into the B-Method is a recent development. In addition to allowing probabilistic behaviour to be modelled, the relationship between expected values of the machine state can be expressed and verified. This paper explores the application of probabilistic B to a simple case study : tracking the volume of liquid held in a tank by measuring the flow of liquid into it. The flow can change as time progresses, and sensors are used to measure the flow with some degree of accuracy and reliability, modelled as non-deterministic and probabilistic behaviour respectively. At the specification level, the analysis is concerned with the expectation clause in the probabilistic B machine and its consistency with machine operations. At the refinement level, refinement and equivalence laws on probabilistic GSL are used to establish that a particular design of sensors delivers the required level of reliability.

[Schneider2002] Steve Schneider. The B-Method : An Introduction. Palgrave, 2002.
Abstract : This book provides a comprehensive introduction to the B-Method, which is a rigorous methodology for the development of correct software, underpinned by powerful state-of-the-art tool support. It covers the B approach to software development from specification through refinement, down to implementation and automatic code generation, with verification at each stage. The book assumes no prior knowledge and is written in a tutorial style, containing numerous illustrative examples, exercises and self-tests with answers. http://www.palgrave.com/science/computing/schneider/

[Sekerinski2001] E. Sekerinski and R. Zurob. iState : A statechart translator. In M. Gogolla and C. Kobryn, editors, UML 2001 The Unified Modeling Language, Toronto, Canada, number 2185, pages 376–390. Lecture Notes in Computer Science, Springer-Verlag, October 2001.

[Sekerinski2002] E. Sekerinski and R. Zurob. Translating statecharts to B. In Proceedings of Integrated Formal Methods, Turku, Finland. IFM 2002, Lecture Notes in Computer Science, Springer-Verlag, May 2002.
Abstract : We present algorithms for the translation of statecharts to the Abstract Machine Notation of the B method. These algorithms have been implemented in iState, a tool for translating statecharts to various programming languages. The translation proceeds in several phases. We give a model of statecharts, a model of the code in AMN, as well as the intermediate representations in terms of class diagrams and their textual counterpart. The translation algorithms are expressed in terms of these models. We also discuss optimizations of the generated code. The translation scheme is motivated by making the generated code comprehensible.

[Snook-2002] Colin Snook. Combining UML and B. In Proceedings of Forum on Specification & Design Languages, Marseille. FDL 2002, 2002.
Abstract : Formal specification is recognised as a difficult task (Snook & Harrison, 2001) and the adaptation of semi-formal object oriented modelling tools has been proposed by several authors including Meyer & Souquieres (1999). Here we give an overview of a prototype tool for converting annotated UML (OMG, 2001) class and state diagrams into the B notation. The tool was developed during the "MATISSE" project in a healthcare case study (Petre, Troubitsyna, and Waldén, 2002). In this case study, B-Action systems were used to analyse the safety of a pharmaceutical laboratory instrument in several stages of refinement. B-Action systems (Butler and Waldén, 1998, Waldén and Sere, 1998) are specifications of distributed systems written in the B Method (Abrial, 1996) using a style based on stepwise refinement of event based models. The tool enabled each stage of refinement to be specified in a clear visual (UML based) form prior to conversion to B for verification. The U2B translator converts Rational Rose (Rational 2000) UML Class diagrams and attached state charts, into the B notation.
B-Action systems (Butler and Waldén,1998, Waldén and Sere, 1998) are specifications of distributed systems written in the BMethod (Abrial, 1996) using a style based on stepwise refinement of event based mod-els. The tool enabled each stage of refinement to be specified in a clear visual (UMLbased) form prior to conversion to B for verification. The U2B translator converts Ra-tional Rose (Rational 2000) UML Class diagrams and attached state charts, into the Bnotation. [Snook-2003] Colin Snook and Kim Sandström. Using UML-B and U2B for formal refinement of digital com-ponents. In In Proceedings of Forum on specification & design languages, Frankfurt. FDL2003,2003. Abstract : In this paper we look at using formal methods to verify the transformationof a digital design from abstract functional specification to bit level implementation. Asboth authors are in-experienced in formal proof we saw this as a test of the practical-ity of introducing proof tools in an industrial setting rather than an exemplar of suchmethods Rigorous verification is desirable in digital design because mistakes can beextremely costly. However, there are drawbacks and barriers to introducing formal no-tations. Formal notations are abstraction hungry, viscous and require insight, experienceand look-ahead. Hence we specialise the UML to alleviate these problems by providinga semi-graphical form of the formal notation B based on existing visual modelling tools.With a small case study, we show the use of B-UML using an event style of modellingto refine a macro level function into a cascade of single bit cells. We attempt to provethe refinement with the assistance of available proof tools but find that the problem isdeceptively difficult In this paper we look at using formal methods to verify the transformationof a digital design from abstract functional specification to bit level implementation. 
Asboth authors are in-experienced in formal proof we saw this as a test of the practical-ity of introducing proof tools in an industrial setting rather than an exemplar of suchmethods Rigorous verification is desirable in digital design because mistakes can beextremely costly. However, there are drawbacks and barriers to introducing formal no-tations. Formal notations are abstraction hungry, viscous and require insight, experienceand look-ahead. Hence we specialise the UML to alleviate these problems by providinga semi-graphical form of the formal notation B based on existing visual modelling tools.With a small case study, we show the use of B-UML using an event style of modellingto refine a macro level function into a cascade of single bit cells. We attempt to provethe refinement with the assistance of available proof tools but find that the problem isdeceptively difficult [Sorensen2001] Ib Sorensen and David Neilson. B : towards zero defect software. pages 23–42, 2001. [Sorensen94] I. H. Sorensen. Demonstration of the B-Toolkit. In Proceedings 6th Nordic Workshop on Pro-gramming Theory, 1994. Abstract : The B-Toolkit is a suite of integrated programs which implement the B-Method for software development. The BMethod is a collection of formal techniqueswhich give a basis to those activities of software development that range from tech-nical software specification, through design and integration, to code generation andinto maintenance. The B-Method and the specification language AMN (Abstract Ma-chine Notation) are in many respects similar to other "model oriented" formal methods.They employ a conventional "pseudo" programming style. The B-Tool is a languageinterpreter for the B Theory Language. This language is a special purpose languagefor writing interactive and automatic proof assistants and other systems where patternmatching, substitution and re-write mechanisms can be used. 
The B-Toolkit’s compoThe B-Toolkit is a suite of integrated programs which implement the B-Method for software development. The BMethod is a collection of formal techniqueswhich give a basis to those activities of software development that range from tech-nical software specification, through design and integration, to code generation andinto maintenance. The B-Method and the specification language AMN (Abstract Ma-chine Notation) are in many respects similar to other "model oriented" formal methods.They employ a conventional "pseudo" programming style. The B-Tool is a languageinterpreter for the B Theory Language. This language is a special purpose languagefor writing interactive and automatic proof assistants and other systems where patternmatching, substitution and re-write mechanisms can be used. The B-Toolkit’s [email protected] c©1999–2007 INRETS-ESTAS44/59 B Method BibliographyGeorges Marianonent tools are implemented in the B Theory Language and is interpreted by the B-Tool.(0 Refs) [Sto92] A. Storey. A specification case study using the B-methodology. Software Testing, Verification andReliability, 2(4) :187–202, December 1992. Abstract : The B-Method is a complete formal development process for mathemat-ically transforming software systems from specification through to code. This articleprovides the reader with an overview of the process including a description of the lan-guage used for specifying systems (Abstract Machine Notation) and demonstrates itsapplication by a simple, real-life case study. The method has tool support in the form ofa tool-kit which is described and applied to the case study. The results of the case studyshow how a system can be validated and verified in the early stages of its developmentthrough proof of the mathematical specification and an animating tool. (12 Refs) The B-Method is a complete formal development process for mathemat-ically transforming software systems from specification through to code. 
This articleprovides the reader with an overview of the process including a description of the lan-guage used for specifying systems (Abstract Machine Notation) and demonstrates itsapplication by a simple, real-life case study. The method has tool support in the form ofa tool-kit which is described and applied to the case study. The results of the case studyshow how a system can be validated and verified in the early stages of its developmentthrough proof of the mathematical specification and an animating tool. (12 Refs) [Stoddart94] Bill Stoddart. Forth as an abstract machine. In euroForth ’94 Conference Proccedings, MPE Ltd,133 Hill Lane, Southampton SO1 5AF, UK, November 1994. Forth Interest Group. Abstract : This is a work in progress paper on producing a formal equivalent to theForth ANSI Standard. The chosen notation is AMN (Abstract Machine Notation). Thepaper gives some comments on the formalisation process and on some features of AMN. This is a work in progress paper on producing a formal equivalent to theForth ANSI Standard. The chosen notation is AMN (Abstract Machine Notation). Thepaper gives some comments on the formalisation process and on some features of AMN. [Stoddart99] Bill Stoddart, Steve Dunne, and Andy Galloway. Undefined expressions and logic in Z and B.Formal Methods in System Design : An International Journal, 15(3) :201–215, November 1999. [TSI20-Julliand] J. Julliand, P.-A. Masson, and H. Mountassir. Vérification par model-checking modulaire despropriétés dynamiques introduites en B. TSI (Technique et Science Informatiques), 20(7) :927–957, 2001. [TSI21-Boite] Olivier Boite. Automatiser les preuves d’un sous-langage de la méthode B. Technique et ScienceInformatique, 21(8), 2002. [TSI22-Abrial] Jean-Raymond Abrial. B : passé, présent, futur. Technique et Science Informatique, 22(1) :89–118, 2003. [TSI22-Burdy] Lilian Burdy, Ludovic Casset, and Antoine Requet. Développement formel d’un vérifieur embar-qué de byte-code java. 
Technique et Science Informatique, 22(1) :33–60, 2003. [TSI22-Dolle] D. Dollé, D. Essamé, and J. Falampin. B dans le transport ferroviaire. L’expérience de siemens.Technique et Science Informatique, 22(1) :11–32, 2003. [TSI22-Potet] Marie-Laure Potet. Spécificiation et développements structurés dans la méthode B principes etvalidation. Technique et Science Informatique, 22(1) :61–88, 2003. [TTV96] S. Taouil-Traverson and S. Vignes. A preliminary analysis cycle for B development. In Bey-ong 2000 : Hardware and Software Design Strategies, pages 319–325. EUROMICRO 96, Prague,Czech Republic, September 1996. [TUCS-TR-53] Michael J. Butler and M. Walden. Distributed system development in B. Technical Report 53,Turku Centre for Computer Science, Finland, October 1996. Abstract : The B-Method is a method for the stepwise derivation of sequential pro-grams. In this paper we show how the B-Method can be used for designing distributedsystems by embedding action systems within this method. The action system formalismis designed for the construction of parallel and distributed systems in a stepwise mannerwithin the refinement calculus. We describe how action systems are written in B AMN.We also show the correspondence between refinement rules for action systems and the The B-Method is a method for the stepwise derivation of sequential pro-grams. In this paper we show how the B-Method can be used for designing distributedsystems by embedding action systems within this method. The action system formalismis designed for the construction of parallel and distributed systems in a stepwise mannerwithin the refinement calculus. We describe how action systems are written in B AMN.We also show the correspondence between refinement rules for action systems and the [email protected] c©1999–2007 INRETS-ESTAS45/59 B Method BibliographyGeorges Marianoproof obligations generated in the B-Method. Furthermore, we propose an extensionof the B-Method to cover parallel and distributed systems. 
Familiarity with B AMN isassumed. [Tatibouet2001] Bruno Tatibouët and J. C. Voisinet. jBTools and B2UML : a platform and a tool to provide aUML class diagram since à B specification. In ICSSEA’2001 – 14th Int. Conf. on Software SystemsEngineering and Their Applications, volume 2, CNAM, Paris, France, December 2001. [Tatibouet2003] Bruno Tatibouët, Antoine Requet, Jean-Christophe Voisinet, and Ahmed Hammad. Java cardcode generation from B specifications. In J. S. Dong and J. Woodcock, editors, ICFEM, volume2885, pages 306–318. Formal Methods and Software Engineering, Springer-Verlag, 2003. [Thuan-PhD] N. Thuan. Utilisation de B pour la vérification de spécifications UML et le développement formelorienté objet. PhD thesis, LORIA -Université Nancy2, 2006.Abstract : The coupling of object-oriented approaches with the B method makes im-provement the activities of software specification and development. The B methodprovides notations for the specification and powerful tools, allowing to specify andverify models. The object-oriented approaches provide interesting mechanisms for thestructuring and the development of large systems. The contribution of this thesis dealswith the activities of coupling between these two formalisms by using the B proversto validate and verify UML specifications. By extending the derivation of UML to Bof preceding works realised in the Dedale research group, we propose an approachof the derivation to B of the UML meta-models, the static diagrams and the dynamicdiagrams. The aim of this proposition is to check semantics and coherence betweendifferent diagrams of UML specification. Our thesis brings also a contribution to thedevelopment of objects oriented specifications using B. The first proposition concernsthe taking into account some types of association between classes during the derivationto B. The second relates the validation of object-oriented specifications described byUML2.0 sequence diagrams. [Traverson-PhD] Souâd Taouil-Traverson. 
Stratégie d’intération de la méthode B dans la construction de logicielcritique. Thèse de doctorat, Ecole Nationale Supèrieure des Télécommunications, 1997. [Traverson97] Souad Traverson and Sylvie Vignes. Intégration de la méthode B dans la construction de logicielscritiques. In Le Génie Logiciel est ses Applications – 1o eme Journées Internatinales ACTES,number 46 in Génie Logiciel, pages 100–106, December 1997. [Treharne99a] Helen Treharne and Steve Schneider. Using a process algebra to control B OPERATIONS. Tech-nical Report CSD-TR-99-01, Royal Holloway, Department of Computer Science, University ofLondon, Egham, Surrey TW20 0EX, England, June 1999. [Treharne99b] Helen Treharne and Steve Schneider. Capturing timing requirements formally in AMN. TechnicalReport CSD-TR-99-06, Royal Holloway, Department of Computer Science, University of London,Egham, Surrey TW20 0EX, England, June 1999. [Treharne :IFM99] Helen Treharne and Steve Schneider. Using a process algebra to control B OPERATIONS. InIFM’99 1st International Conference on Integrated Formal Methods, pages 437–457, York, June1999. Springer-Verlag.Abstract : The B-Method is a state-based formal method that describes system be-haviour in terms of MACHINES whose state changes under OPERATIONS. The pro-cess algebra CSP is an event-based formalism that enables descriptions of patterns ofsystem behaviour. This paper is concerned with the combination of these complemen-tary views, in which CSP is used to describe the control executive for a B Abstract [email protected] c©1999–2007 INRETS-ESTAS46/59 B Method BibliographyGeorges MarianoSystem. We discuss consistency between the two views and how it can be formallyestablished. A typical avionics system motivates the work. Its specification and con-trol executive are presented in the paper. The relationship with other approaches is alsodiscussed.[UMLB] Jean P. Mermet, editor. UML-B Specification for Proven Embedded Systems Design. ChDL.Kluwer Academic Publishers, 2004. 
[UMLB-Kronlof] Klaus Kronlof and Ian Oliver. Formally Unified System Specification Environment with UML, B and SystemC, chapter 2, pages 21–36. Kluwer Academic Publishers, 2004.

[UMLB-Voros] Nikolaos S. Voros, Colin Snook, Stefan Hallerstede, and Thierry Lecomte. Embedded System Design Using the PUSSEE Method, chapter 3, pages 37–51. Kluwer Academic Publishers, 2004.

[VDM88] R. Bloomfield, L. Marshall, and R. Jones, editors. VDM 88. VDM – The Way Ahead. 2nd VDM-Europe Symposium. Proceedings. Springer-Verlag, Berlin, West Germany, September 1988.
Abstract: The following topics were dealt with: Vienna Development Method; specification languages; formal specification; program verification; standardisation; computer graphics; B tool; compiler prototyping; NUSL; formal reasoning; Flagship; Modula-2; VIP; SAMPLE; three-valued logic and predicates; MetaSoft; algebraic domain equations; proof rules; Muffin; RAISE; term rewriting; software support; and Chinese characters.

[VDM91] S. Prehn and W. J. Toetenel, editors. VDM 91. Formal Software Development Methods. 4th International Symposium of VDM Europe Proceedings. Vol. 2: Tutorials. Springer-Verlag, Berlin, Germany, October 1991.
Abstract: The following topics were dealt with: VDM (Vienna Development Methodology); formal software development; Larch and LCL specification languages; RAISE specification language; ABEL formal development; PROSPECTRA methodology; refinement calculus; the B method; and mathematical methods for reliable systems development.

[VoisinetTJ05] Jean-Christophe Voisinet, Bruno Tatibouët, and Isabelle Jacques. Generation of OCL constraints from B abstract machines. In Software Engineering Research and Practice, pages 260–266, 2005.

[WB95] Hélène Waeselynck and Jean-Louis Boulanger. The role of testing in the B formal development process. In Proceedings of 6th International Symposium on Software Reliability Engineering (ISSRE'95), pages 205–228. Toulouse, IEEE Computer Society Press, Los Alamitos, CA, USA, October 1995.
Abstract: The B method is a formal approach covering all the software development process, through a series of proved refinement steps. An on-going debate in the B community is the removal of some classical verification steps of the design, e.g. unit and integration testing: this paper is aimed to support the maintaining of stringent testing policies. We first recall previous work that addresses the general question of the limits of formal methods for ultra-high dependability. Then, the discussion is focused on the case of the B method. Although the method significantly contributes to fault avoidance, it is shown that additional verifications are still required throughout the development process, whether inspections or tests. (20 Refs)

[Waeselynck97a] Hélène Waeselynck and Salimeh Behnia. B model animation for external verification. Technical Report 97392, LAAS (TSF) – INRETS (ESTAS), 1997.

[Waeselynck97b] Hélène Waeselynck and Salimeh Behnia. Towards a framework for testing B models. Technical Report 97225, LAAS (TSF) – INRETS (ESTAS), 1997.

[Watrin01] David Watrin. Formalisation des modèles d'information d'administration de réseaux à l'aide de la méthode B : Application au langage GDMO. Thèse de doctorat, École nationale supérieure des télécommunications (Paris), 2001.
Abstract: Following the liberalisation of the telecommunications markets and the multiplication of service offerings, Telecommunications Network Management is experiencing real growth. With the exception of SNMP, the various technologies addressing this activity have chosen object-oriented languages to describe their information models. This choice is motivated by well-known considerations of evolvability. However, one constant emerges across these languages: the use of natural language to describe the constraints and behaviours of managed objects, attributes and other "templates". This choice introduces ambiguities into the specification and does not allow automatic processing in order to simulate or test the behaviour, verify the consistency of the model or produce executable code. Finally, the models are difficult to grasp because of an anarchic distribution of information. This thesis proposes a solution based on the formalisation of the models using the B method, which offers a rigorous language and automates the concepts of formal proof and refinement. In order to define a generic solution, the properties common to network management information models have been isolated. A set of translation rules to the B formalism covering data structures and the static and dynamic models is proposed. Variants are put forward and analysed where no rule is fully satisfactory. These rules have been successfully applied to a GDMO model. The resulting B specification makes it possible to prove the internal consistency of the model and to start the refinement process. In addition, an automatic translator from a GDMO model to a B specification has been developed. It offers broad coverage of the language and allows formal properties to be entered via a graphical interface. It contributes to an enrichment of the information model.

[Watson97] Geoffrey Norman Watson. A comparison of modularity in B and Cogito. In S. Reeves and L. Groves, editors, Formal Methods Pacific, pages 263–286, 1997.

[Wordsworth96] John Wordsworth. Software Engineering with B. Addison-Wesley, September 1996.

[Z2B-BDW95] Juan Bicarregui, Jeremy Dick, and Eoin Woods. Supporting the length of formal development: from diagrams to VDM to B to C. In Henri Habrias, editor, Proc. Z Twenty Years on: What is its Future, pages 63–75. IRIN-IUT de Nantes, October 1995.
Abstract: This paper reports on the experience gained in the MaFMeth project which is undertaking a formal development with tool support for several parts of the life cycle from requirements capture through to C code generation. A number of issues arise from the limitations of different notations and tools and from their combination when applied to the development of software components destined to be integrated into a broader system context. We describe the problems we encountered, the mistakes we made, and the solutions we adopted, for the benefit of both those applying formal methods to real product development, and the creators and designers of methods and tools.

[Z2B-Chauvet95] J. Y. Chauvet. Le cas "législation vieillesse". In Henri Habrias, editor, Proc. Z Twenty Years on: What is its Future, pages 242–264. IRIN-IUT de Nantes, October 1995.

[Z2B-Docherty95] Rosemary F. Docherty. Translation from Z to AMN. In Habrias [B96-Habrias], pages 205–228.
Abstract: This paper gives details of a B-rulebase which I have written to translate Z specifications into Abstract Machine Notation (AMN). Although some Z constructs translate easily, others cause problems and the theory behind the conversion rules is given. The rulebase cannot translate certain Z constructs and the reasons for this are explained. The paper ends with some conclusions on the different manner and advantages of specification in the two languages.

[Z2B-Pratten95] C. H. Pratten. An introduction to proving AMN specifications with PVS and the AMN-PROOF tool. In Henri Habrias, editor, Proc. Z Twenty Years on: What is its Future, pages 149–165. IRIN-IUT de Nantes, October 1995.
Abstract: The AMN-PROOF Tool generates proof obligations for AMN specification consistency and refinement validity in a form suitable for consideration by the PVS and HOL theorem provers. In this paper, we discuss our PVS representation of AMN proof obligations and introduce the PVS facilities of the AMN-PROOF Tool. We consider an example refinement, for which the proof obligations have been generated by the Tool and proved by PVS.

[ZB00] ZB'2000 – International Conference of B and Z Users, volume 1878 of Lecture Notes in Computer Science. Springer-Verlag, Helsington, York, UK YO10 5DD, August 2000.

[ZB00-Banach] R. Banach and M. Poppleton. Retrenchment, refinement and simulation. In ZB'2000 – International Conference of B and Z Users [ZB00], pages 304–323.
[ZB00-Bellegarde] Françoise Bellegarde, C. Darlot, Jacques Julliand, and O. Kouchnarenko. Reformulate dynamic properties during B refinement and forget variants and loop invariants. In ZB'2000 – International Conference of B and Z Users [ZB00], pages 230–249.

[ZB00-Bontron] Pierre Bontron and Marie-Laure Potet. Automatic construction of validated B components from structured developments. In ZB'2000 – International Conference of B and Z Users [ZB00], pages 127–147.

[ZB00-Butler] Michael J. Butler and Mairead Meagher. Performing algorithmic refinement before data refinement in B. In ZB'2000 – International Conference of B and Z Users [ZB00], pages 324–343.

[ZB00-Cansell] Dominique Cansell and Dominique Méry. Playing with abstraction and refinement for managing feature interactions. A methodological approach to the feature interaction problem. In ZB'2000 – International Conference of B and Z Users [ZB00], pages 148–167.

[ZB00-Dimitrakos] Theo Dimitrakos, Juan Bicarregui, Brian Matthews, Tom Maibaum, and Ken Robinson. Compositional structuring in the B method: A logical viewpoint of the static context. In ZB'2000 – International Conference of B and Z Users [ZB00], pages 107–126.

[ZB00-Laleau] Régine Laleau and Amel Mammar. A generic process to refine a B specification into a relational database implementation. In ZB'2000 – International Conference of B and Z Users [ZB00], pages 22–41.

[ZB00-Lanet] Jean-Louis Lanet. Are smart cards the ideal domain for applying formal methods? In ZB'2000 – International Conference of B and Z Users, pages 363–374, 2000.
Abstract: The need of formal methods in the smart card domain has three origins: mastering the complexity of the new operating systems (fault avoidance), certifying at a high level a part of the smart card and reducing the cost of the test. In a first part, after presenting the smart card and its security requirements, we explain the certification process that appears to be the most important vector for introducing formal methods in the software development cycle. Then we present some attempts to formalise complex software elements of smart cards. The use of model checkers in order to automatically generate the test suites can notably increase the productivity of applet development. The second part of this paper explains why smart cards are not currently the expected success story of formal methods. Then we present some clues to help integration of these methods in the software development cycle.

[ZB00-Lopez] Nestor Lopez, Marianne Simonot, and Véronique Viguié Donzeau-Gouge. Deriving software specifications from event based models. In ZB'2000 – International Conference of B and Z Users [ZB00], pages 209–229.

[ZB00-Robinson] Ken Robinson. Reconciling axiomatic and model-based specifications using the B method. In ZB'2000 – International Conference of B and Z Users [ZB00], pages 95–106.

[ZB00-Stoddart] Bill Stoddart. An execution architecture for GSL. In ZB'2000 – International Conference of B and Z Users [ZB00], pages 394–413.

[ZB00-Treharne] Helen Treharne and Steve Schneider. How to drive a B machine. In ZB'2000 – International Conference of B and Z Users [ZB00], pages 188–208.

[ZB02] LSR-IMAG. ZB'2002 – Formal Specification and Development in Z and B, volume 2272 of Lecture Notes in Computer Science. Springer-Verlag, Grenoble, France, January 2002.

[ZB02-Abrial] Jean-Raymond Abrial and Louis Mussat. On using conditional definitions in formal theories. In ZB'2002 – Formal Specification and Development in Z and B [ZB02], pages 242–269.

[ZB02-Abrial2] Jean-Raymond Abrial, Dominique Cansell, and Guy Lafitte. "Higher-order" mathematics in B. In ZB'2002 – Formal Specification and Development in Z and B [ZB02], pages 370–393.

[ZB02-Bellegarde] Françoise Bellegarde, Jacques Julliand, and Olga Kouchnarenko. Synchronised parallel composition of event systems in B. In ZB'2002 – Formal Specification and Development in Z and B [ZB02], pages 436–457.

[ZB02-Bellegarde2] Françoise Bellegarde, Samir Chouali, and Jacques Julliand. Verification of dynamic constraints for B event systems under fairness assumptions. In ZB'2002 – Formal Specification and Development in Z and B [ZB02], pages 477–496.

[ZB02-Blow] James Blow and Andy Galloway. Generalised substitution language and differentials. In ZB'2002 – Formal Specification and Development in Z and B [ZB02], pages 396–415.

[ZB02-Bodeveix] Jean-Paul Bodeveix and Mamoun Filali. Type synthesis in B and the translation of B to PVS. In ZB'2002 – Formal Specification and Development in Z and B [ZB02], pages 350–369.

[ZB02-Cansell] Dominique Cansell, Ganesh Gopalakrishnan, Mike Jones, and Dominique Méry. Incremental proof of the producer/consumer property for the PCI protocol. In ZB'2002 – Formal Specification and Development in Z and B [ZB02], pages 22–41.

[ZB02-Chartier] Pierre Chartier. ABS project, merging the best practices in software design from railway and aircraft industries. In ZB'2002 – Formal Specification and Development in Z and B [ZB02].

[ZB02-Doche] Marielle Doche and Andrew Gravell. Extraction of abstraction invariants for data refinement. In ZB'2002 – Formal Specification and Development in Z and B [ZB02], pages 120–139.

[ZB02-Dunne] Steve Dunne. A theory of generalised substitutions. In ZB'2002 – Formal Specification and Development in Z and B [ZB02], pages 270–290.

[ZB02-Laleau] Régine Laleau and Fiona Polack. Coming and going from UML to B: A proposal to support traceability in rigorous IS development. In ZB'2002 – Formal Specification and Development in Z and B [ZB02], pages 517–534.

[ZB02-Legeard] Bruno Legeard, Fabien Peureux, and Mark Utting. A comparison of the BTT and TTF test-generation methods. In ZB'2002 – Formal Specification and Development in Z and B [ZB02], pages 309–329.

[ZB02-Mikhailov] Leonid Mikhailov and Michael J. Butler. An approach to combining B and Alloy. In ZB'2002 – Formal Specification and Development in Z and B [ZB02], pages 140–161.

[ZB02-Papatsaras] Antonis Papatsaras and Bill Stoddart. Global and communicating state machine models in event driven B: A simple railway case study. In ZB'2002 – Formal Specification and Development in Z and B [ZB02], pages 458–476.

[ZB02-Poppleton] Michael Poppleton and Richard Banach. Controlling control systems: An application of evolving retrenchment. In ZB'2002 – Formal Specification and Development in Z and B [ZB02], pages 42–61.

[ZB02-Schneider] Steve Schneider and Helen Treharne. Communicating B Machines. In ZB'2002 – Formal Specification and Development in Z and B [ZB02], pages 416–435.

[ZB03] Didier Bert, Jonathan P. Bowen, S. King, and M. Waldén, editors. ZB'2003 – Formal Specification and Development in Z and B, International Conference of B and Z Users, Turku, Finland, June 4–6, 2003, Proceedings, volume 2651 of Lecture Notes in Computer Science. Springer-Verlag, June 2003.

[ZB03-Abrial] Jean-Raymond Abrial. B# : Toward a synthesis between Z and B. In Bert et al.
[ZB03], pages168–177.Abstract : In this paper, I present some ideas and principles underlying the realizationof a new project called B#. This project follows the main ideas and principles alreadyat work in B, but it also follows a number of older concepts developed in Z. In B#, theintent is to have a formal system to be used to model complex system in general, notonly software systems. [ZB03-Abrial2] Jean-Raymond Abrial, Dominique Cansell, and Dominique Méry. Formal derivation of spanningtrees algorithms. In Bert et al. [ZB03], pages 457–476.Abstract : Graphs algorithms and graph-theoretical problems provide a challengingbattle field for the incremental development of proved models. The B event-based ap-proach implements the incremental and proved development of abstract models whichare translated into algorithms ; we focus our methodology on the minimum spanningtree problem and on Prim’s algorithm. The correctness of the resulting solution is basedon properties over trees and we show how the greedy strategy is efficient in this case.We compare properties proven mechanically to the properties found in a classical algo-rithms textbook. [ZB03-Aguirre] Nazareno Aguirre, Juan Bicarregui, and Theo Dimitrakos. Towards dynamic population man-agement of abstract machines in the B Method. In Bert et al. [ZB03], pages 528–545.Abstract : We study some restrictions associated with the mechanisms for structur-ing and modularising specifications in the B abstract machine notation. We proposean extension of the language that allows one to specify machines whose constituentmodules (other abstract machines) may change dynamically, i.e., at run time. In thisway, we increase the expressiveness of B by adding support for a common activity ofthe current systems design practice. The extensions were made without having to makeconsiderable changes in the semantics of standard B. 
We provide some examples toshow the increased expressive power, and argue that our proposed extensions respectthe methodological principles of the B method. [email protected] c©1999–2007 INRETS-ESTAS51/59 B Method BibliographyGeorges Mariano[ZB03-Blazy] Sandrine Blazy, Frédéric Gervais, and Régine Laleau. Reuse of specification patterns with the BMethod. In Bert et al. [ZB03], pages 40–57. Abstract : This paper describes an approach for reusing specification patterns. Specifi-cation patterns are design patterns that are expressed in a formal specification language.Reusing a specification pattern means instantiating it or composing it with other spec-ification patterns. Three levels of composition are defined : juxtaposition, compositionwith inter-patterns links and unification. This paper shows through examples how to de-fine specification patterns in B, how to reuse them directly in B, and also how to reusethe proofs associated with specification patterns. This paper describes an approach for reusing specification patterns. Specifi-cation patterns are design patterns that are expressed in a formal specification language.Reusing a specification pattern means instantiating it or composing it with other spec-ification patterns. Three levels of composition are defined : juxtaposition, compositionwith inter-patterns links and unification. This paper shows through examples how to de-fine specification patterns in B, how to reuse them directly in B, and also how to reusethe proofs associated with specification patterns. [ZB03-Burdy] Lilian Burdy and Antoine Requet. Extending B with control flow breaks. In Bert et al. [ZB03],pages 513–527. Abstract : This paper describes extensions of the B language concerning control flowbreaks in implementations and specification of operations with exceptional behaviors. Itdoes not claim to define those extensions in a pure formal and complete way. It is rathera presentation of what could be done and how it could be done. 
A syntax is proposedand proof obligations are defined using a weakest precondition calculus extended todeal with abrupt termination. Examples emphasizing the advantages of these extensionsare also given. This paper describes extensions of the B language concerning control flowbreaks in implementations and specification of operations with exceptional behaviors. Itdoes not claim to define those extensions in a pure formal and complete way. It is rathera presentation of what could be done and how it could be done. A syntax is proposedand proof obligations are defined using a weakest precondition calculus extended todeal with abrupt termination. Examples emphasizing the advantages of these extensionsare also given. [ZB03-Dunne] Steve Dunne. Introducing backward refinement into B. In Bert et al. [ZB03], pages 178–196. Abstract : The B Method exploits a direct first-order wp predicate-transformer for-mulation of downward simulation to generate its proof obligations for a refinement,so B’s notion of refinement is restricted to that of forward refinement. Therefore somerefinements we would intuitively recognise as valid cannot be proved so in B. Whilerelational formulations of upward simulation abound in the refinement literature, theonly predicate-transformer formulations proposed hitherto have been higher-order onesquantified over all postconditions, which cannot be conveniently exploited by the BMethod. Here, we propose a new first-order predicate-transformer formulation of up-ward simulation suitable to be adopted by B for backward refinement. The B Method exploits a direct first-order wp predicate-transformer for-mulation of downward simulation to generate its proof obligations for a refinement,so B’s notion of refinement is restricted to that of forward refinement. Therefore somerefinements we would intuitively recognise as valid cannot be proved so in B. 
Whilerelational formulations of upward simulation abound in the refinement literature, theonly predicate-transformer formulations proposed hitherto have been higher-order onesquantified over all postconditions, which cannot be conveniently exploited by the BMethod. Here, we propose a new first-order predicate-transformer formulation of up-ward simulation suitable to be adopted by B for backward refinement. [ZB03-Ferreira] Carla Ferreira and Michael J. Butler. Using B refinement to analyse compensating businessprocesses. In Bert et al. [ZB03], pages 477–496. Abstract : This paper explores the refinement of compensating business processes,which are modelled in a heterogeneous notation that combines StAC and B. In our re-finement approach, the StAC behavioural and compensation information are explicitlyembedded in a B machine. As the resulting machine is standard B one can use the Bnotion of refinement to prove the refinement of business processes. We also show howthe Atelier-B prover can help in constructing the gluing invariant. This paper explores the refinement of compensating business processes,which are modelled in a heterogeneous notation that combines StAC and B. In our re-finement approach, the StAC behavioural and compensation information are explicitlyembedded in a B machine. As the resulting machine is standard B one can use the Bnotion of refinement to prove the refinement of business processes. We also show howthe Atelier-B prover can help in constructing the gluing invariant. [ZB03-Frappier] Marc Frappier and Régine Laleau. Proving event ordering properties for information systems.In Bert et al. [ZB03], pages 421–436. Abstract : This paper presents an approach to prove event ordering properties for Bspecifications of information systems. 
The properties are expressed using the E3 nota-tion, where input event ordering properties are defined using a process algebra similarto CSP and output events are specified by recursive functions on the input traces as-sociated to the process expression. By proving that the E3 specification is refined bythe B specification, using the B theory of refinement, we ensure that both specificationsaccept and refuse exactly the same event traces. The proof relies on an extended labeled This paper presents an approach to prove event ordering properties for Bspecifications of information systems. The properties are expressed using the E3 nota-tion, where input event ordering properties are defined using a process algebra similarto CSP and output events are specified by recursive functions on the input traces as-sociated to the process expression. By proving that the E3 specification is refined bythe B specification, using the B theory of refinement, we ensure that both specificationsaccept and refuse exactly the same event traces. The proof relies on an extended labeled [email protected] c©1999–2007 INRETS-ESTAS52/59 B Method BibliographyGeorges Marianotransition system, generated using the operational semantics of the process algebra, inorder to deal with unbounded systems. The gluing invariant is generated from the E3recursive functions. [ZB03-Hallerstede] Stefan Hallerstede. Parallel hardware design in B. In Bert et al. [ZB03], pages 101–102. Abstract : We present the design of a parallel synchronous hardware component froma purely functional description of its behaviour. Starting from an abstract specificationof a linear time-invariant (LTI) system in Event-B a pipelined implementation is devel-oped. The presented approach is applicable to LTI systems that can be represented aslinear constant-coefficient difference equations. In the development of embedded sys-tems space requirements and performance of used circuits are often the two most im-portant constraints. 
To achieve high performance a high degree of parallelism is needed.At the same time, space requirements demand the use of as few components as possi-ble. In this study we show how the B method may be used to design systems that meetthese requirements. We use a variant of the B method called Event-B. Event-B has beenconceived particularly for the modelling of abstract systems. Such systems are closed inthe sense that they do not interact with some kind of environment. The environment ispart of the specification. Event-B has been used to construct proved circuits. We followa similar approach in this study. We present the design of a parallel synchronous hardware component froma purely functional description of its behaviour. Starting from an abstract specificationof a linear time-invariant (LTI) system in Event-B a pipelined implementation is devel-oped. The presented approach is applicable to LTI systems that can be represented aslinear constant-coefficient difference equations. In the development of embedded sys-tems space requirements and performance of used circuits are often the two most im-portant constraints. To achieve high performance a high degree of parallelism is needed.At the same time, space requirements demand the use of as few components as possi-ble. In this study we show how the B method may be used to design systems that meetthese requirements. We use a variant of the B method called Event-B. Event-B has beenconceived particularly for the modelling of abstract systems. Such systems are closed inthe sense that they do not interact with some kind of environment. The environment ispart of the specification. Event-B has been used to construct proved circuits. We followa similar approach in this study. [ZB03-MacIver] Annabelle McIver, Carroll Morgan, and Thai Son Hoang. Probabilistic termination in B. In Bertet al. [ZB03], pages 216–239. Abstract : The B Method does not currently handle probability. 
We add it in a limitedform, concentrating on "almost-certain" properties which hold with probability one ;and we address briefly the implied modifications to the programs that support B. TheGeneralised Substitution Language is extended with a binary operator ⊕ representing"abstract probabilistic choice", so that the substitution prog1 ⊕ prog2 means roughly"choose between prog1 and prog2 with some probability neither one nor zero". We thenadjust B’s proof rule for loops – specifically, the variant rule – so that in many casesit is possible to prove "probability-one" correctness of programs containing the newoperator, which was not possible in B before, while remaining almost entirely withinthe original Boolean logic. Applications include probabilistic algorithms such as theIEEE 1394 Root Contention Protocol ("FireWire") in which a probabilistic "symmetry-breaking" strategy forms a key component of the design. The B Method does not currently handle probability. We add it in a limitedform, concentrating on "almost-certain" properties which hold with probability one ;and we address briefly the implied modifications to the programs that support B. TheGeneralised Substitution Language is extended with a binary operator ⊕ representing"abstract probabilistic choice", so that the substitution prog1 ⊕ prog2 means roughly"choose between prog1 and prog2 with some probability neither one nor zero". We thenadjust B’s proof rule for loops – specifically, the variant rule – so that in many casesit is possible to prove "probability-one" correctness of programs containing the newoperator, which was not possible in B before, while remaining almost entirely withinthe original Boolean logic. Applications include probabilistic algorithms such as theIEEE 1394 Root Contention Protocol ("FireWire") in which a probabilistic "symmetry-breaking" strategy forms a key component of the design. [ZB03-Morgan] Thai Son Hoang, Zhendong Jin, Ken Robinson, Annabelle McIver, and Carroll Morgan. 
Proba-bilistic invariants for probabilistic machines. In Bert et al. [ZB03], pages 240–259. Abstract : Abrial’s Generalised Substitution Language [4] can be modified to operateon arithmetic expressions, rather than Boolean predicates, which allows it to be ap-plied to probabilistic programs [13]. We add a new operatorp⊗ to GSL, for probabilis-tic choice, and we get the probabilistic Generalised Substitution Language (pGSL) : asmooth extension of GSL that includes random algorithms within its scope. In this paperwe begin to examine the effect of pGSL on B’s larger-scale structures : its machines. Inparticular, we suggest a notion of probabilistic machine invariant. We show how theseinvariants interact with pGSL, at a fine-grained level ; and at the other extreme we inves-tigate how they affect our general understanding "in the large" of probabilistic machinesand their behaviour. Overall, we aim to initiate the development of probabilistic B (pB),complete with a suitable probabilistic AMN. We discuss the practical extension of the Abrial’s Generalised Substitution Language [4] can be modified to operateon arithmetic expressions, rather than Boolean predicates, which allows it to be ap-plied to probabilistic programs [13]. We add a new operatorp⊗ to GSL, for probabilis-tic choice, and we get the probabilistic Generalised Substitution Language (pGSL) : asmooth extension of GSL that includes random algorithms within its scope. In this paperwe begin to examine the effect of pGSL on B’s larger-scale structures : its machines. Inparticular, we suggest a notion of probabilistic machine invariant. We show how theseinvariants interact with pGSL, at a fine-grained level ; and at the other extreme we inves-tigate how they affect our general understanding "in the large" of probabilistic machinesand their behaviour. Overall, we aim to initiate the development of probabilistic B (pB),complete with a suitable probabilistic AMN. 
We discuss the practical extension of the [email protected] c©1999–2007 INRETS-ESTAS53/59 B Method BibliographyGeorges MarianoB-Toolkit [5] to support pB, and we give examples to show how pAMN can be used toexpress and reason about probabilistic properties of a system. [ZB03-Poerschke] Christine Poerschke, David E. Lightfoot, and John L. Nealon. A formal specification in B ofa medical decision support system. In Bert et al. [ZB03], pages 497–512. Abstract : We have used the B notation to formally specify an existing medical deci-sion support system. The system runs on a palmtop computer and helps patients withinsulin-dependent diabetes decide on a dose of insulin to inject. Using extracts we bothqualitatively and quantitatively describe the formal specification and compare it withthe existing C/C++ implementation of the system. We also report our experience of thespecification process, the benefits derived from and the challenges presented by it. Weconclude that the use of an abstract machine notation such as B for the formal speci-fication and documentation of a knowledge-based medical decision support system isboth feasible and viable. We have used the B notation to formally specify an existing medical deci-sion support system. The system runs on a palmtop computer and helps patients withinsulin-dependent diabetes decide on a dose of insulin to inject. Using extracts we bothqualitatively and quantitatively describe the formal specification and compare it withthe existing C/C++ implementation of the system. We also report our experience of thespecification process, the benefits derived from and the challenges presented by it. Weconclude that the use of an abstract machine notation such as B for the formal speci-fication and documentation of a knowledge-based medical decision support system isboth feasible and viable. [ZB03-Pouzancre] Guilhem Pouzancre. How to diagnose a modern car with a formal B model ? In Bert et al.[ZB03], pages 98–100. 
Abstract : We introduce a modern method to diagnose vehicles. The method has beenstudied for Automobiles Peugeot. The classical methods to diagnose a car are basedon technician’s experience and failure knowledge (e.g., diagnostic trees). However carsbecome more and more complex and failures less and less predictable. The moderncars are increasingly complex due to electronic components and services : lights andwipers turn on automatically, engine controller manages efficiently the torque and carradio manages the sound depending on the car speed. Therefore, diagnostic of deficientcomponents is complex, because of the car complexity and distributed functionalities :for example wheel sensors deficiency can induce effects on the car radio. On the otherhand, deficiencies are mostly unpredictable, due to a wide variety of suppliers, car op-tions and the short component life-cycle. Furthermore, garage mechanics have to diag-nose bugs, which are, by definition, unpredictable. However, all failures have a similarcharacteristic : a functional component does not respect its nominal specification. In ourdiagnosis method, event B models formalize the nominal functional specification and aB model interpreter (BI) checks which component does not match its specification. Todiagnose a car with this method we need : Correct and complete description of everyvehicle component (vehicle B model) A rigourous link between the concrete car andthe B models (dictionaries) A method to compare the components behaviour with theirspecification (record analysis) We introduce a modern method to diagnose vehicles. The method has beenstudied for Automobiles Peugeot. The classical methods to diagnose a car are basedon technician’s experience and failure knowledge (e.g., diagnostic trees). However carsbecome more and more complex and failures less and less predictable. 
The moderncars are increasingly complex due to electronic components and services : lights andwipers turn on automatically, engine controller manages efficiently the torque and carradio manages the sound depending on the car speed. Therefore, diagnostic of deficientcomponents is complex, because of the car complexity and distributed functionalities :for example wheel sensors deficiency can induce effects on the car radio. On the otherhand, deficiencies are mostly unpredictable, due to a wide variety of suppliers, car op-tions and the short component life-cycle. Furthermore, garage mechanics have to diag-nose bugs, which are, by definition, unpredictable. However, all failures have a similarcharacteristic : a functional component does not respect its nominal specification. In ourdiagnosis method, event B models formalize the nominal functional specification and aB model interpreter (BI) checks which component does not match its specification. Todiagnose a car with this method we need : Correct and complete description of everyvehicle component (vehicle B model) A rigourous link between the concrete car andthe B models (dictionaries) A method to compare the components behaviour with theirspecification (record analysis) [ZB03-Stoddart] Bill Stoddart and Frank Zeyda. Expression transformers in B-GSL. In Bert et al. [ZB03], pages197–215. Abstract : The B concept of generalised substitutions is applied to expressions as wellas predicates to obtain "expression transformers", which formalise the idea of specu-lative computation and form part of the executable subset of our language. We defineexpression transformers over the syntactic constructs of B-GSL, and show this defini-tion is equivalent to an alternative based on before-after predicates. The use of expres-sion transformers is illustrated by example programs which combine functional andimperative programming styles and exploit backtracking. 
The B concept of generalised substitutions is applied to expressions as wellas predicates to obtain "expression transformers", which formalise the idea of specu-lative computation and form part of the executable subset of our language. We defineexpression transformers over the syntactic constructs of B-GSL, and show this defini-tion is equivalent to an alternative based on before-after predicates. The use of expres-sion transformers is illustrated by example programs which combine functional andimperative programming styles and exploit backtracking. [ZB03-Treharne] Helen Treharne, Steve Schneider, and Marchia Bramble. Composing specifications using com-munication. In Bert et al. [ZB03], pages 58–78. [email protected] c©1999–2007 INRETS-ESTAS54/59 B Method BibliographyGeorges MarianoAbstract : This paper develops a case study using the process algebra CSP to enablecontrolled interaction between B machines. This illustrates how B machines are es-sential components within a combined communicating system. The development stepsused to build the case study are new : they are applications of theoretical results whichallow us to focus on the external interface of a combined communicating system, com-positionally verify it, and show that it is a refinement of a more abstract specificationdescribed in CSP. This allows safety and liveness properties to be established for com-binations of communicating B machines. [ZB05] Helen Treharne, Steve King, Martin C. Henson, and Steve Schneider, editors. ZB’2005 : FormalSpecification and Development in Z and B, 4th International Conference of B and Z Users, Guild-ford, UK, April 13-15, 2005, Proceedings, volume 3455 of Lecture Notes in Computer Science.Springer, 2005. [ZB05-Abrial] Jean-Raymond Abrial, Dominique Cansell, and Dominique Méry. Refinement and reachability inEvent B. In Treharne et al. [ZB05], pages 222–241. Abstract : Since the early 90’s (after the seminal article of R. 
Back [4]), the refinementof stuttering steps [5] are performed by means of new actions (called here events) refin-ing skip. It is shown in this article that such a refinement method is not always possiblein the development of large systems. We shall instead use events refining some kind ofnon-deterministic actions maintaining the invariant (sometimes called keep). We showthat such new refinements are completely safe. In a second part, we explain how such amechanism can be used to express some reachability conditions that were otherwise ex-pressed using some special temporal logic statements à la TLA [5] in a previous article[2]. Examples will be used to illustrate our proposals. Since the early 90’s (after the seminal article of R. Back [4]), the refinementof stuttering steps [5] are performed by means of new actions (called here events) refin-ing skip. It is shown in this article that such a refinement method is not always possiblein the development of large systems. We shall instead use events refining some kind ofnon-deterministic actions maintaining the invariant (sometimes called keep). We showthat such new refinements are completely safe. In a second part, we explain how such amechanism can be used to express some reachability conditions that were otherwise ex-pressed using some special temporal logic statements à la TLA [5] in a previous article[2]. Examples will be used to illustrate our proposals. [ZB05-Attiogbe] Christian Attiogbé. A stepwise development of the Peterson’s mutual exclusion algorithm usingB Abstract Systems. In Treharne et al. [ZB05], pages 124–141. Abstract : We present a stepwise formal development of the Petersonrsquos mutualexclusion algorithm using Event B. We use a bottom-up approach where we introducethe parallel composition of subsystems which are separately specified. First, we specifysubsystems as B abstract systems ; then we compose the subsystems to get a first ab-stract solution for the mutual exclusion. 
This solution is improved to obtain Peterson's algorithm. This is achieved by refinement and composition of the former abstract subsystems. Therefore the result is formally proved on the basis of correctness (safety) properties added to the invariant. Atelier B (a B prover) is used to check completely the development.

[ZB05-Badeau] Frédéric Badeau and Arnaud Amelot. Using B as a high level programming language in an industrial project : Roissy VAL. In Treharne et al. [ZB05], pages 334–354.
Abstract : In this article we would like to go back on B used to design software, by presenting the industrial process established through years by Siemens Transportation Systems on a real project : the VAL shuttle for Roissy Charles de Gaulle airport. In this project, the logical core of an equipment located along the tracks and driving the shuttles is designed with B. By confronting this B software development with the historical context, we show that B can be used as a high-level programming language offering the feature of proving properties. We show how this process is used to build, by construction, a large size software with very few design errors ever since its first release, and for a predefined cost.

©1999–2007 INRETS-ESTAS. B Method Bibliography, Georges Mariano.

[ZB05-Banach] Richard Banach and Simon Fraser. Retrenchment and the B-Toolkit. In Treharne et al. [ZB05], pages 203–221.
Abstract : An experiment to incorporate retrenchment into the B-Toolkit is described. The syntax of a retrenchment construct is given, as is the proof obligation which gives retrenchment its semantics. The practical aspects of incorporating these into the existing B-Toolkit are then investigated. It transpires that the B-Toolkit's internal architecture is heavily committed to monolithic refinement, because of B-Method philosophy, and this restricts what can be done without a complete rebuild of the toolkit. Experience with case studies is outlined.

[ZB05-Bert] Didier Bert, Marie-Laure Potet, and Nicolas Stouls. GeneSyst : A tool to reason about behavioral aspects of B Event specifications. Application to security properties. In Treharne et al. [ZB05], pages 299–318.
Abstract : In this paper, we present a method and a tool to build symbolic labelled transition systems from B specifications. The tool, called GeneSyst, can take into account refinement levels and can visualize the decomposition of abstract states in concrete hierarchical states. The resulting symbolic transition system represents all the behaviors of the initial B event system. So, it can be used to reason about them. We illustrate the use of GeneSyst to check security properties on a model of electronic purse. This work was done in the GECCOO project of program "ACI : Sécurité Informatique" supported by the French Ministry of Research and New Technologies. It is also supported by CNRS and ST-Microelectronics by the way of a doctoral grant.

[ZB05-Bostrom] Pontus Boström and Marina A. Waldén. An extension of Event B for developing grid systems. In ZB05, pages 142–161, 2005.
Abstract : Computational grids have become widespread in organizations for handling their need for computational resources and the vast amount of available information. Grid systems, and other distributed systems, are often complex and formal reasoning about them is needed, in order to ensure their correctness and to structure their development. Event B is a formal method with tool support that is meant for stepwise development of distributed systems. To facilitate the implementation of grid systems we here propose extensions to Event B that take grid specific features into account. We add new constructs to model the client-server architecture of grid systems, as well as important features like communication and synchronisation. We introduce the extensions in such a manner that the necessary proof obligations are automatically generated and the system can be implemented in a straightforward manner.

[ZB05-Bouquet] Fabrice Bouquet, Frédéric Dadeau, and Julien Groslambert. Checking JML specifications with B machines. In Treharne et al. [ZB05], pages 434–453.
Abstract : This paper presents a solution to the lack of tool-support for the JML models verification. We propose an approach for expressing JML specifications within the B abstract machines notation. The B machines generated from the JML can then be checked to ensure their correctness. Thus, we deduce the correctness of the original JML specification, ensured by rewriting rules which give the semantical equivalence of the two models. More generally, this translation can be applied to object-oriented specification languages using before-after predicates.

[ZB05-Dunne] Steve Dunne and Stacey Conroy. Process refinement in B. In Treharne et al. [ZB05], pages 45–64.
Abstract : We describe various necessary and sufficient conditions with which to augment B existing refinement proof obligations for forward and backward refinement in order to capture within the B Method a variety of CSP process refinement relations, including most significantly that of failures-divergences which provides the standard denotational semantics of CSP processes.

[ZB05-Hoang] Thai Son Hoang, Zhendong Jin, Ken Robinson, Annabelle McIver, and Carroll Morgan. Development via refinement in Probabilistic B foundation and case study. In Treharne et al. [ZB05], pages 355–373.
Abstract : In earlier work, we introduced probability to the B by providing a probabilistic choice substitution and by extending B's semantics to incorporate its meaning [8]. This, a first step, allowed probabilistic programs to be written and reasoned about within B. This paper extends the previous work into refinement within B. To allow probabilistic specification and development within B, we must add a probabilistic specification substitution ; and we must determine the rules and techniques for its rigorous refinement into probabilistic code. Implementation in B frequently contains loops. We generalise the standard proof obligation rules for loops giving a set of rules for reasoning about the correctness of probabilistic loops. We present a small case-study that uses those rules, the randomised Min-Cut algorithm.

[ZB05-Leuschel] Michael Leuschel and Edd Turner. Visualising larger state spaces in ProB. In Treharne et al. [ZB05], pages 6–23.
Abstract : ProB is an animator and model checker for the B method. It also allows to visualise the state space of a B machine in a graphical way. This is often very useful and allows users to quickly spot whether the machine behaves as expected. However, for larger state spaces the visualisation quickly becomes difficult to grasp by users (and the computation of the graph layout takes considerable time). In this paper we present two relatively simple algorithms to often considerably reduce the complexity of the graphs, while still keeping relevant information. This makes it possible to visualise much larger state spaces and gives the user immediate feedback about the overall behaviour of a machine. The algorithms have been implemented within the ProB toolset and we highlight their potential on several examples. We also conduct a thorough experimentation of the algorithm on 47 B machines and analyse the results.

[ZB05-Morgan] Carroll Morgan, Thai Son Hoang, and Jean-Raymond Abrial. The challenge of probabilistic Event B extended abstract. In ZB05, pages 162–171, 2005.
Abstract : Among the many opportunities offered by computational semantics for probability, the challenge of probabilistic Event B (pEB) is one of the most attractive. The B method itself is now almost 20 years old, and has been much improved and adapted over that time by the many projects to which it has been applied, and by its philosophy – right from the start – that it must be practical, effective and amenable to tool support ; more recently, Event B has extended it and altered its style of use. The probabilistic-program semantics we appeal to is even older (in Kozen's original form), but has only recently been "revived" in the context of B-style abstraction and refinement. The especial attraction of putting the two together is the likely interplay between the probabilistic theory, on the one hand, and the decades of practical experience that have by now been built-in to the B approach, on the other. In particular, there are areas where a full theoretical treatment of probability, concurrency, abstraction and refinement – all at once – seems prohibitively complex ; and yet in practice either the complexities seldom occur, or the exigencies of B's having been so-often applied to real, non-toy problems has forced it to evolve styles for avoiding such complexities. In short, we want to use (event) B to guide us towards the issues that truly are important. Rabin's randomized mutual-exclusion algorithm is used as a motivating case study.

[ZB05-Rezazadeh] Abdolbaghi Rezazadeh and Michael Butler. Some guidelines for formal development of web-based applications in B-method. In Treharne et al. [ZB05], pages 472–492.
Abstract : Web-based applications are the most common form of distributed systems that have gained a lot of attention in the past ten years. Today many of us are relying on scores of mission-critical Web-based systems in different areas such as banking, finance, e-commerce and government. The development process of these systems needs a sound methodology, which ensures quality, consistency and integrity. Formal Methods provide systematic and quantifiable approaches to create coherent systems. Despite this there has been limited work on the formal modelling of Web-based applications. In this paper our aim is to provide researchers with some guidelines based on results from on-going work to model a Web-based system using the B-Method. Session and state management, developing formal models for complex data types, abstraction of distributed database systems and formal representation of communication links between different components of a web-based system are the main issues that we have examined.

[ZB05-Zeyda] Frank Zeyda, Bill Stoddart, and Steve Dunne. A prospective-value semantics for the GSL. In Treharne et al. [ZB05], pages 187–202.
Abstract : We present a prospective-value (pv) semantics for the Generalised Substitution Language. Whereas wp semantics captures the meaning of a computation in terms of the weakest precondition that must be fulfilled for a generalised substitution S to establish any given postcondition Q, pv semantics expresses the meaning of a computation in terms of the value any expression E would take were the computation to be carried out. To integrate non-termination we formulate improper bunch theory, an extended version of Hehner's bunch theory where each type is augmented with an improper bunch. Algebraic simplification laws for the pv expression transformer are presented, and proved to be sound. Iteration is treated as a fixed-point in expressions, and a corresponding theorem is presented allowing us to infer the pv effect of the while-loop construct.

[ZB05-Zimmermann] Yann Zimmermann and Diana Toma. Component reuse in B using ACL2. In Treharne et al. [ZB05], pages 279–298.
Abstract : We present a new methodology that permits to reuse an existing hardware component that has not been developed within the B framework while maintaining a correct design flow. It consists of writing a specification of the component in B and proving that the VHDL description of the component implements the specification using the ACL2 system. This paper focuses on the translation of the B specification into ACL2.

[arago20] OFTA, editor. Application des techniques formelles au logiciel. Observatoire Français des Techniques Avancées & Lavoisier TEC & DOC, 1997.

[eventb-reference-manual] ClearSy. Event B reference manual, June 2001.

[matisse-cir] Jean-Raymond Abrial. Event driven circuit construction. MATISSE project, August 2000.

[matisse-dis] Jean-Raymond Abrial. Event driven distributed program construction. MATISSE project, August 2001.

[matisse-fg] Jean-Raymond Abrial. Guidelines to formal system studies. MATISSE project, November 2000.

[matisse-pap] Jean-Raymond Abrial. Event driven sequential program construction. MATISSE project, October 2000.

[reactive-B] Kevin Lano. Specifying reactive systems in B AMN. Lecture Notes in Computer Science (Springer-Verlag), 1212 :242–275, 1997.

[zum94 :Diller] A. Diller and R. Docherty. Z and Abstract Machine Notation : a comparison. In Proceedings of 8th Z User Meeting ZUM'94, pages 250–263, 1994.
Abstract : Compares the formal specification languages Z and Abstract Machine Notation (AMN) ; the latter of which is due to Abrial. The strategy adopted is that of presenting the same specification both in Z and AMN and of commenting on salient differences as they arise. The specification chosen is a slightly revised version of the specification of an Internal Telephone Number Database found in chapter 4 of A. Z. Diller (1994). At the end of the paper some general conclusions are drawn. (11 Refs)