Domain-specific scenarios for refinement-based methods
Domain-specific scenarios for refinement-based methods
Formal methods use abstraction and rigorously verified refinement to manage the design of complex systems, ensuring that they satisfy important invariant properties. However, formal verification is not sufficient: models must also be tested to ensure that they behave according to the informal requirements and validated by domain experts who may not be expert in formal modelling. This can be satisfied by scenarios that complement the requirements specification. The model can be animated to check whether the scenario is feasible in the model and that the model reaches the states expected in the scenario. However, there are two problems with this approach. 1) The natural language used to describe the scenarios is often verbose, ambiguous and therefore difficult to understand; especially if the modeller is not a domain expert. 2) Provided scenarios are typically at the most concrete level corresponding to the full requirements and cannot be used until all the refinements have been completed in the model. We show by example how a precise and concise domain specific language can be used for writing these abstract scenarios in a style that can be easily understood by the domain expert (for validation purposes) as well as the modeller (for behavioural verification) and can be used as the persistence for automated tool support. We propose two alternative approaches to using scenarios during formal modelling: A method of refining scenarios before the model is refined so that the scenarios guide the modelling, and a method of abstracting scenarios from provided concrete ones so that they can be used to test early refinements of the model. We illustrate the two approaches on the ‘Tokeneer’ secure enclave example and the ERTMS/ETCS Hybrid Level 3 specification for railway controls. We base our approach on the Cucumber framework for scenarios and the Event-B modelling language and tool set. We have developed a new ‘Scenario Checker’ plugin to manage the animation of scenarios.
Cucumber, Domain Specific Language, Event-B, Validation
Snook, Colin
b2055316-9f7a-4b31-8aa1-be0710046af2
Hoang, Thai Son
dcc0431d-2847-4e1d-9a85-54e4d6bab43f
Dghaym, Dana
b7b69fe2-c9ff-43ad-a6ba-8b41d6fd19fc
Salehi Fathabadi, Asieh
b799ee35-4032-4e7c-b4b2-34109af8aa75
Butler, Michael
54b9c2c7-2574-438e-9a36-6842a3d53ed0
1 January 2021
Snook, Colin
b2055316-9f7a-4b31-8aa1-be0710046af2
Hoang, Thai Son
dcc0431d-2847-4e1d-9a85-54e4d6bab43f
Dghaym, Dana
b7b69fe2-c9ff-43ad-a6ba-8b41d6fd19fc
Salehi Fathabadi, Asieh
b799ee35-4032-4e7c-b4b2-34109af8aa75
Butler, Michael
54b9c2c7-2574-438e-9a36-6842a3d53ed0
Snook, Colin, Hoang, Thai Son, Dghaym, Dana, Salehi Fathabadi, Asieh and Butler, Michael
(2021)
Domain-specific scenarios for refinement-based methods.
Journal of Systems Architecture, 112, [101833].
(doi:10.1016/j.sysarc.2020.101833).
Abstract
Formal methods use abstraction and rigorously verified refinement to manage the design of complex systems, ensuring that they satisfy important invariant properties. However, formal verification is not sufficient: models must also be tested to ensure that they behave according to the informal requirements and validated by domain experts who may not be expert in formal modelling. This can be satisfied by scenarios that complement the requirements specification. The model can be animated to check whether the scenario is feasible in the model and that the model reaches the states expected in the scenario. However, there are two problems with this approach. 1) The natural language used to describe the scenarios is often verbose, ambiguous and therefore difficult to understand; especially if the modeller is not a domain expert. 2) Provided scenarios are typically at the most concrete level corresponding to the full requirements and cannot be used until all the refinements have been completed in the model. We show by example how a precise and concise domain specific language can be used for writing these abstract scenarios in a style that can be easily understood by the domain expert (for validation purposes) as well as the modeller (for behavioural verification) and can be used as the persistence for automated tool support. We propose two alternative approaches to using scenarios during formal modelling: A method of refining scenarios before the model is refined so that the scenarios guide the modelling, and a method of abstracting scenarios from provided concrete ones so that they can be used to test early refinements of the model. We illustrate the two approaches on the ‘Tokeneer’ secure enclave example and the ERTMS/ETCS Hybrid Level 3 specification for railway controls. We base our approach on the Cucumber framework for scenarios and the Event-B modelling language and tool set. We have developed a new ‘Scenario Checker’ plugin to manage the animation of scenarios.
Text
JSA
- Accepted Manuscript
More information
Accepted/In Press date: 24 June 2020
Published date: 1 January 2021
Additional Information:
Funding Information:
This work was supported, in part, by the HICLASS project, funded by the Aerospace Technology Institute and Innovate UK , as project number 113213 .
Publisher Copyright:
© 2020
Keywords:
Cucumber, Domain Specific Language, Event-B, Validation
Identifiers
Local EPrints ID: 442450
URI: http://eprints.soton.ac.uk/id/eprint/442450
ISSN: 1383-7621
PURE UUID: c29a43ee-9f98-42e2-843f-9ff46e554752
Catalogue record
Date deposited: 15 Jul 2020 16:31
Last modified: 17 Mar 2024 05:44
Export record
Altmetrics
Contributors
Author:
Colin Snook
Author:
Thai Son Hoang
Author:
Dana Dghaym
Author:
Asieh Salehi Fathabadi
Author:
Michael Butler
Download statistics
Downloads from ePrints over the past year. Other digital versions may also be available to download e.g. from the publisher's website.
View more statistics