Rodin Methodology for Developing Fault Tolerant Systems
Elena Troubitsyna, Åbo Akademi University, Turku, Finland
Industry Day, Paris, 10.09.07
Jan 03, 2016
Motivation
- Formal methods and fault tolerance complement each other in achieving system dependability
- Formal methods help us to clean up the architecture, handle complexity and facilitate verification
- Fault tolerance provides us with techniques to cope with failures of physical components
- RODIN integrates fault tolerance and formal methods in a systems approach
Talk outline
- Systems approach
- Fault tolerant control systems
- Distributed systems: fault tolerance in service-oriented development
- Middleware for fault tolerant multi-agent systems
- Replicated database systems: fault tolerant transactions
Systems approach
The systems approach assumes that while developing software we keep a picture of the whole system in mind.
- Software fault ("bug"): bad implementation of good requirements
- Design fault: good implementation of bad requirements
We cannot obtain "good" requirements if we do not understand how the whole system works (and fails).
References:
M. Butler, E. Sekerinski and K. Sere. An Action System Approach to the Steam Boiler Problem. In J.-R. Abrial, E. Börger and H. Langmaack (eds.), Formal Methods for Industrial Applications: Specifying and Programming the Steam Boiler Control, LNCS 1165, 1996.
I. Hayes, M. Jackson, C. Jones. Determining the specification of a control system from that of its environment. In K. Araki, S. Gnesi, D. Mandrioli (eds.), FME 2003: Formal Methods, LNCS 2805, 2003.
Control Systems
[Figure: control loop consisting of Computer (controller), Sensors, Actuators and Plant]
- The environment (plant) evolves
- Sensors register the state of the plant
- The controller reads the sensors and calculates how to set the actuators to achieve the desired behaviour
- The controller sets the actuators
Traditional development focuses on the controller (software).
Systems approach: model the entire system and derive the controlling software by refinement and decomposition.
Developing fault tolerant control systems by refinement
- Abstract specification of the entire system: abstract model of the plant, routine control and failure, safety invariant
- Specification with a refined error detection mechanism: elaborated description of the plant's dynamics, representation of component failures, error detection
- Specification of the system supplemented with redundancy: representation of redundant components, refinement of error detection, criticality of errors, error recovery
- Decomposition: the specification of the overall system is split into specifications of the controller and the plant
- Implementation: executable code of the controller is produced
Benefits of the systems approach
- Well-structured, correct-by-construction development
- Assumptions about environment behaviour and fault assumptions are documented as a part of the model, which allows us to model fault tolerance rigorously
- Abstraction helps to tackle complexity
- Stepwise requirement capturing
Reference:
L. Laibinis and E. Troubitsyna. Refinement of fault tolerant control systems in B. In M. Heisel, P. Liggesmeyer, S. Wittmann (eds.), Proc. of SAFECOMP 2004, LNCS 3219.
Transient faults in control systems
[Figure: state diagram of the input-handling mechanism, with controller modes Normal, Recover and Freeze and input states Input_Ok, Input_Suspected and Input_Confirmed]
- Rigorous development of a controller subsystem (called Failure Management System in avionics) implementing a mechanism for tolerating transient sensor faults
- Formal patterns for detecting sensor failures and recovering from them
- Tolerating transient faults: neither overreact nor neglect
Reference:
D. Ilic, E. Troubitsyna, L. Laibinis and C. Snook. Formal Development of Mechanisms for Tolerating Transient Faults. In M. Butler, C. Jones, A. Romanovsky and E. Troubitsyna (eds.), Rigorous Development of Complex Fault-Tolerant Systems, LNCS 4157, 2006.
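The slides above describe the mechanism only in terms of its states (Input_Ok, Input_Suspected, Input_Confirmed) and controller modes (Normal, Recover, Freeze). The following Python model is an added example, not code from the RODIN project or the cited paper: it shows one concrete way the "neither overreact nor neglect" rule can be realised, with a safety invariant of the kind the refinement slides mention checked at every step. The plausibility limits, the confirmation threshold, the safe actuator setting and the sample readings are assumptions.

```python
"""Transient sensor fault tolerance in the spirit of the Failure Management
System pattern: input states Input_Ok / Input_Suspected / Input_Confirmed and
controller modes Normal / Recover / Freeze.

Constructed example, not RODIN project code. Range limits, max_jump, the
confirmation threshold, safe_output and the sample streams are assumptions."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class InputState(Enum):
    OK = "Input_Ok"
    SUSPECTED = "Input_Suspected"
    CONFIRMED = "Input_Confirmed"   # failure confirmed: the input is no longer trusted


class Mode(Enum):
    NORMAL = "Normal"     # control on a fresh, trusted reading
    RECOVER = "Recover"   # reading suspected: control on the last good value
    FREEZE = "Freeze"     # failure confirmed: actuator held at the safe setting


@dataclass
class SensorInput:
    lo: float                  # lowest physically plausible reading (assumption)
    hi: float                  # highest physically plausible reading (assumption)
    max_jump: float            # largest credible change between two samples (assumption)
    confirm_after: int         # consecutive bad samples needed to confirm a failure
    state: InputState = InputState.OK
    last_good: Optional[float] = None
    bad_run: int = 0

    def plausible(self, x: float) -> bool:
        in_range = self.lo <= x <= self.hi
        small_jump = self.last_good is None or abs(x - self.last_good) <= self.max_jump
        return in_range and small_jump

    def feed(self, x: float) -> InputState:
        """Error detection: classify one raw sample and update the input state."""
        if self.state is InputState.CONFIRMED:
            return self.state          # a confirmed failure is not cleared by the filter
        if self.plausible(x):
            # one good sample clears a suspicion: do not overreact to a glitch
            self.state, self.bad_run, self.last_good = InputState.OK, 0, x
        else:
            self.bad_run += 1
            # but do not neglect a fault that persists
            self.state = (InputState.CONFIRMED if self.bad_run >= self.confirm_after
                          else InputState.SUSPECTED)
        return self.state


@dataclass
class Controller:
    sensor: SensorInput
    setpoint: float
    safe_output: float = 0.0   # actuator setting that keeps the plant safe (assumption)
    mode: Mode = Mode.NORMAL

    def step(self, raw: float) -> float:
        state = self.sensor.feed(raw)
        if state is InputState.OK:
            self.mode, value = Mode.NORMAL, raw
        elif state is InputState.SUSPECTED:
            self.mode, value = Mode.RECOVER, self.sensor.last_good
        else:
            self.mode, value = Mode.FREEZE, None
        # Safety invariant, checked every step: an actuator command is computed
        # only from a trusted value; without one the output is the safe setting.
        out = self.safe_output if value is None else max(0.0, self.setpoint - value)
        assert self.mode is not Mode.FREEZE or out == self.safe_output
        return out


def run(readings: List[float], confirm_after: int = 3) -> Tuple[Mode, List[float]]:
    """Drive the controller over a sample stream; return (final mode, outputs)."""
    ctrl = Controller(SensorInput(lo=0.0, hi=100.0, max_jump=10.0,
                                  confirm_after=confirm_after), setpoint=50.0)
    outs = [ctrl.step(r) for r in readings]
    return ctrl.mode, outs


# Constructed sample streams (assumptions):
GLITCH = [40.0, 41.0, 250.0, 42.0, 43.0]              # one spike, then normal again
PERSISTENT = [40.0, 41.0, 250.0, 250.0, 250.0, 42.0]  # fault persists: confirmed on 3rd bad sample
```

With `GLITCH` the spike only moves the controller to Recover for one cycle (it keeps using the last good reading) and control resumes normally; with `PERSISTENT` the third bad sample confirms the failure and the controller freezes on the safe output, which is what the invariant assertion enforces.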
Fault tolerance in service-oriented development
- Lyra is a service-oriented method for developing distributed communicating systems
- The design flow is based on the concepts of decomposition and preservation of externally observable behaviour
- The system behaviour is modularised and organised into layers according to external communication interfaces
- The distributed network architecture is derived from functional requirements via model transformations
Lyra Design Method
[Figure: a Service passes through the phases Service Specification, Service Decomposition (into subservice service components, SC), Service Distribution and Service Implementation]
- Service specification: system-level services and interfaces are defined
- Service decomposition: the abstract model is decomposed into a set of service components and interfaces between them
- Service distribution: the logical architecture of services is distributed over a given network
- Service implementation: low-level implementation details are added and platform-specific code is generated
Formalizing Lyra
- A service component is a coherent piece of functionality that provides its services to a service consumer via a PSAP
- It is formalized as an ACC (Abstract Communicating Component) consisting of
  - a "kernel", i.e. the provided functionality
  - a "communication wrapper", i.e. the communication channels via which data are supplied to and consumed from the component
- Skeleton of the B pattern:
  SYSTEM ACC
    ...
    EVENTS
      communicational: input, output
      functional: calculate
  END
- Not only success but also service failure is modelled
Service Decomposition Phase
[Figure: service S realised by the chain of subservices SS1, SS2, SS3, ..., SSN-1, SSN]
- To provide service S the system should execute subservices SS1..SSN
- In the B model, decomposition is represented as a refinement of the initial abstract pattern ACC
- A new event Service_Director orchestrates the execution flow
Service decomposition: faults in execution flow
[Figure: the chain SS1, ..., SSN with the recovery transitions added]
- Error recovery by retrying execution of the failed subservice
- Error recovery by rollback
- Outcome of service execution: Success, or Service failure (unrecoverable error: abort service execution)
Convergence of error recovery
[Figure: the chain SS1, ..., SSN with recovery transitions]
- Error recovery by retrying: danger of infinite retry
- Error recovery by rollback: danger of the domino effect
- We introduce the Maximal Service Response Time (Max_SRT); a new event Time decrements the execution time left
Abort of service due to timeout
- Execution_time > Max_SRT
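The decomposition slides above describe the Service_Director, the two recovery strategies and the Max_SRT timeout as separate pictures. The following Python model is an added example, not the Lyra B model or any RODIN project code: it puts the three mechanisms in one executable director and shows why the timeout is what makes recovery converge when a subservice never succeeds. The subservice names, the failure schedules, the retry bound, the one-step rollback rule and the Max_SRT values are assumptions.

```python
"""Service_Director with bounded error recovery: subservices SS1..SSN executed
in order, recovery by retrying the failed subservice or by rolling back one
step, and abort of the service once Execution_time exceeds Max_SRT.

Constructed example, not the Lyra B model itself. Subservice names, the
failure schedules, the retry bound and the Max_SRT values are assumptions."""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Subservice:
    name: str
    fail_times: int            # constructed failure schedule: the first N attempts fail
    attempts: int = 0
    done: bool = False

    def execute(self) -> bool:
        self.attempts += 1
        self.done = self.attempts > self.fail_times
        return self.done

    def undo(self) -> None:    # compensating action applied during rollback
        self.done = False


@dataclass
class ServiceDirector:
    subservices: List[Subservice]
    max_srt: int               # Maximal Service Response Time, in ticks of the Time event
    max_retries: int           # retries of one subservice before falling back to rollback
    execution_time: int = 0
    log: List[str] = field(default_factory=list)

    def time(self) -> bool:
        """The Time event: one tick of execution; False once the budget is exhausted."""
        self.execution_time += 1
        return self.execution_time <= self.max_srt

    def run(self) -> str:
        i, retries = 0, 0
        while i < len(self.subservices):
            if not self.time():                      # Execution_time > Max_SRT
                self.log.append("timeout: abort service execution")
                return "Service failure"
            ss = self.subservices[i]
            if ss.execute():
                self.log.append(f"{ss.name} ok")
                i, retries = i + 1, 0
            elif retries < self.max_retries:         # recovery by retry, bounded
                retries += 1
                self.log.append(f"{ss.name} failed, retry {retries}")
            elif i > 0:                              # recovery by rollback of one step
                prev = self.subservices[i - 1]
                prev.undo()
                self.log.append(f"{ss.name} failed, rollback to {prev.name}")
                i, retries = i - 1, 0
            else:                                    # nothing left to roll back to (assumption)
                self.log.append(f"{ss.name} failed, unrecoverable: abort service execution")
                return "Service failure"
        return "Success"


def run_service(schedule: List[Tuple[str, int]], max_srt: int,
                max_retries: int) -> Tuple[str, int, List[str]]:
    """Build SS1..SSN from a (name, fail_times) schedule and run the director.
    Returns (outcome, execution_time, log)."""
    director = ServiceDirector([Subservice(n, f) for n, f in schedule], max_srt, max_retries)
    outcome = director.run()
    return outcome, director.execution_time, director.log


# Constructed scenarios (assumptions):
TRANSIENT = [("SS1", 0), ("SS2", 2), ("SS3", 0)]        # SS2 fails twice, then succeeds
STUBBORN = [("SS1", 0), ("SS2", 3), ("SS3", 0)]         # retries exhausted, one rollback needed
PERMANENT = [("SS1", 0), ("SS2", 10**9), ("SS3", 0)]    # SS2 never succeeds: only Max_SRT ends it
```

Without the Time event the `PERMANENT` schedule would alternate retries and rollbacks forever (the infinite retry and domino effect of the slide); with Max_SRT = 10 the director aborts on the eleventh tick with a service failure, which is the only outcome the model can guarantee for a subservice that never recovers.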
Service Distribution (B model)
- The Service Distribution phase of Lyra corresponds to one or several B refinements
- Refinement steps introduce separate B components modelling external service components
- All new B components are specified according to the same (ACC) pattern

- The proposed approach establishes a basis for automating service-oriented development of fault tolerant communicating systems
- Formal verification will be hidden behind a UML facade (hence smooth integration into the existing development process)
Reference:
L. Laibinis, E. Troubitsyna, S. Leppänen, J. Lilius and Q. Malik. Formal Service-Oriented Development of Fault Tolerant Communicating Systems. In M. Butler, C. Jones, A. Romanovsky and E. Troubitsyna (eds.), Rigorous Development of Complex Fault-Tolerant Systems, LNCS 4157, 2006.
Fault tolerance in open systems: challenges
- openness of the multi-agent systems
- mobility and autonomy of agents
- asynchrony and anonymity of the communication
- complex types of faults: temporal loss of connectivity, mismatching interfaces
Interoperability of agents
- Formal specification of middleware for mobile location-based systems
- Location is an abstraction of context
- Systems approach: start from the specification of location and agents together and arrive at the specification of the entire middleware
- Decompose into the part to be implemented by the location and the part to be implemented by the agents
- Individual agents can be developed independently but preserve the "standard" part
Abstract specification
- Implicit modelling of normal termination and failure

Handling agent failure: refining Disengage
- An agent can complete its activity and disengage
- An agent's activity can be terminated by a (detectable) crash
- An agent can silently crash (e.g. disconnect or become slow)
Compatibility on functional level
- Scopes partition the coordination space
- Each scope supports a certain set of roles (an abstraction of agent functionality)
- Formal definition of scope properties
- Compatibility on the level of agent functionality
Systems approach in MAS
- Ensuring interoperability of the independently developed agents and supporting this by top-down stepwise development methods
- Identifying and verifying system properties that express specific fault tolerance and mobility-related characteristics
- Formal specifications in B provide input to model checking of dynamic properties
References:
L. Laibinis, E. Troubitsyna, A. Iliasov and A. Romanovsky. Rigorous Development of Fault-Tolerant Agent Systems. In M. Butler, C. Jones, A. Romanovsky and E. Troubitsyna (eds.), Rigorous Development of Complex Fault-Tolerant Systems, LNCS 4157, 2006.
A. Iliasov, V. Khomenko, M. Koutny, A. Romanovsky. On Specification and Verification of Location-Based Fault Tolerant Mobile Systems. In M. Butler, C. Jones, A. Romanovsky and E. Troubitsyna (eds.), Rigorous Development of Complex Fault-Tolerant Systems, LNCS 4157, 2006.
Fault tolerant transactions in replicated database systems
- Replication improves the availability of distributed database systems when the transaction workload is predominantly read-only
- Keeping replicas identical during updates is difficult due to site failures and conflicting transactions
- One Copy Serializability criterion: the interleaved execution of transactions on the replicas should be equivalent to a serial execution of those transactions on one copy of the database
Reference:
D. Yadav, M. Butler. Rigorous design of Fault Tolerant Transactions for replicated database systems using Event B. In M. Butler, C. Jones, A. Romanovsky and E. Troubitsyna (eds.), Rigorous Development of Complex Fault-Tolerant Systems, LNCS 4157, 2006.

Approach
- Verify through refinement that the design of the replicated database satisfies the One Copy Serializability criterion
- The abstract model is based on a single-copy database
- The refinement is based on the replicated database
- Gluing invariants, discovered with the B tools, define the relationship between the abstract single-copy database and the replicated database
- The gluing invariants provide a deeper understanding of the system and facilitate further development of more complex replica control mechanisms
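The two slides above state the refinement relation (single copy as the abstract model, replicas as the refinement, a gluing invariant linking them) without showing it. The following Python model is an added example, not the Event-B development by Yadav and Butler: it keeps the abstract single copy and the replicas side by side in one object, checks the gluing invariant after every event, and tests one-copy serializability against the commit order in the presence of a conflicting transaction and a site failure. The site names, the transactions, the lock-based conflict rule and the catch-up-on-recovery rule are assumptions.

```python
"""Replicated database with site failures and conflicting transactions, kept
in step with its single-copy abstraction by a gluing invariant.

Constructed example, not the cited Event-B development. Site names, the
transactions, the lock-based conflict rule and catch-up on recovery are
assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Writes = Dict[str, int]


@dataclass
class Transaction:
    tid: str
    writes: Writes


@dataclass
class ReplicatedDB:
    sites: Dict[str, Dict[str, int]]                        # each site's copy of the database
    up: Set[str]                                            # operational sites
    abstract: Dict[str, int] = field(default_factory=dict)  # the single-copy abstraction
    order: List[Transaction] = field(default_factory=list)  # commit order = serial order
    locks: Dict[str, str] = field(default_factory=dict)     # key -> tid holding the lock
    active: Set[str] = field(default_factory=set)
    aborted: Set[str] = field(default_factory=set)

    def begin(self, tx: Transaction) -> bool:
        """Conflict detection: a transaction touching a key locked by another
        active transaction is aborted instead of being interleaved with it."""
        if any(k in self.locks for k in tx.writes):
            self.aborted.add(tx.tid)
            return False
        for k in tx.writes:
            self.locks[k] = tx.tid
        self.active.add(tx.tid)
        return True

    def commit(self, tx: Transaction) -> None:
        """Refined commit applies the write set at every operational site; the
        abstract commit applies it to the single copy. One event does both."""
        assert tx.tid in self.active
        for s in self.up:
            self.sites[s].update(tx.writes)
        self.abstract.update(tx.writes)
        self.order.append(tx)
        for k in tx.writes:
            del self.locks[k]
        self.active.remove(tx.tid)
        self.check_gluing_invariant()

    def site_fail(self, s: str) -> None:
        self.up.discard(s)          # its copy may now fall behind; it leaves the invariant's scope
        self.check_gluing_invariant()

    def site_recover(self, s: str) -> None:
        """A recovering site catches up from an operational replica before it
        is allowed back into the set of operational sites (assumption)."""
        assert self.up, "no operational replica to catch up from"
        source = next(iter(self.up))
        self.sites[s] = dict(self.sites[source])
        self.up.add(s)
        self.check_gluing_invariant()

    def check_gluing_invariant(self) -> None:
        # Gluing invariant: every operational replica equals the abstract single copy.
        for s in self.up:
            assert self.sites[s] == self.abstract, f"replica {s} diverged"

    def one_copy_serializable(self) -> bool:
        """The replicated execution is equivalent to running the committed
        transactions serially, in commit order, on one copy."""
        serial: Dict[str, int] = {}
        for tx in self.order:
            serial.update(tx.writes)
        return self.abstract == serial and all(self.sites[s] == serial for s in self.up)


def scenario() -> Tuple[bool, List[str], Set[str], Dict[str, int]]:
    """Constructed run: a conflicting transaction and a site that fails mid-way."""
    db = ReplicatedDB(sites={"A": {}, "B": {}, "C": {}}, up={"A", "B", "C"})
    t1 = Transaction("T1", {"x": 1})
    t2 = Transaction("T2", {"x": 2, "y": 5})   # conflicts with T1 on x while T1 is active
    t3 = Transaction("T3", {"y": 7})
    db.begin(t1)
    db.begin(t2)            # aborted: x is locked by T1
    db.commit(t1)
    db.site_fail("C")       # C stops receiving updates
    db.begin(t3)
    db.commit(t3)           # applied at A and B only
    db.site_recover("C")    # C catches up before rejoining
    return db.one_copy_serializable(), [t.tid for t in db.order], db.aborted, db.sites["C"]
```

The invariant is deliberately quantified over operational sites only: a failed site is allowed to hold stale data, and the recovery event is where the refinement has to restore equality before the site rejoins. Removing the catch-up in `site_recover` makes the invariant assertion fail, which is the kind of proof obligation the B tools would flag.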
Other topics in RODIN methodology
- Extension of the Event B language by J.-R. Abrial
- Library of case studies in J.-R. Abrial's book
- Extension of Event B to represent records by N. Evans and M. Butler
- Model checking of mobile fault tolerant systems by M. Koutny et al.
- Methods for rigorous development of generic requirements patterns by C. Snook, M. Poppleton and I. Johnson
- Formalization of UML in B by C. Snook, M. Butler, M. Waldén
- Design of various exception handling approaches by A. Iliasov and A. Romanovsky
Industry Day Paris 100907
Fault tolerant transactions in replicated database systems DYadav MButler Rigorous design of Fault Tolerant Transations for replicated
database systems using Event B In M Butler C Jones A Romanovsky and E Troubitsyna (Eds) Rigorous Development of Complex Fault-Tolerant Systems LNCS 41572006
Replication improves availability of distributed database systems
when the transaction workload is predominantly read only
Keeping replicas identical during updates is difficult due to site failures and conflicting transactions
One Copy Serializability criterionInterleaved execution of transactions in replicas should be equivalent to serial execution of those transactions on one copy of database
Industry Day Paris 100907
Approach
Verify through refinement that design of replicated database satisfies One Copy Serializability criterion
Abstract Model is based on Single Copy Database
Refinement is based on Replicated Database
Gluing Invariants discovered by B Tools defines relationship among abstract single copy database and replicated database
The gluing invariants provides an deeper understanding of system and facilitates further development of more complex replica control mechanism
Industry Day Paris 100907
Other topics in RODIN methodology Extension of Event B language by J-R Abrial
Library of case studies in J-R Abrial book
Extension of Event B to represent records by NEvans and MButler
Model checking of mobile fault tolerant systems by MKoutny et al
Methods for rigorous development of generic requirements patterns by CSnook MPoppleton and IJohnson
Formalization of UML in B by CSnook MButler MWalden
Design of various exception handling approaches by AIliasov and ARomanovsky
Industry Day Paris 100907
Systems approach System approach assumes that while developing SW we have a
picture of whole system in mind
Software fault ldquoBugrdquo -- bad implementation of good requirements Design fault -- good implementation of bad requirements
We cannot obtain ldquogoodrdquo requirements if we do not understand how the whole system works (and fails)
M Butler E Sekerinski and K Sere An Action System Approach to the Steam Boiler Problem In J-R Abrial E Borger and HLangmaack eds Formal Methods for Industrial Applications Specifying and Programming the Steam Boiler Control LNCS 1165 1996
IHayes MJackson CJones Determining the specification of a control system from that of its environment In KAraki SGnesi D Mandrioli (eds) FME 2003 Formal Methods LNCS 2805 2003
Industry Day Paris 100907
Control Systems
Computer
Sensors
Actuators
PlantEnvironment(Plant) evolves
Sensors registerthe state of plant
Controller reads sensors andcalculates how to set actuators to achieve the desired behaviour
Controller sets actuators
Traditional development focus on controller (SW)
Industry Day Paris 100907
Control Systems
(Diagram: Computer with Sensors and Actuators connected to the Plant)
Environment (plant) evolves
Sensors register the state of the plant
Controller reads sensors and calculates how to set actuators to achieve the desired behaviour
Controller sets actuators
Traditional development: focus on the controller (SW)
Systems approach: model the entire system and derive the controlling SW by refinement and decomposition
Developing fault tolerant control systems by refinement
1. Abstract specification of the entire system: abstract model of the plant, routine control and failure, safety invariant
2. Specification with refined error detection mechanism: elaborated description of the plant's dynamics, representation of component failures, error detection
3. Specification supplemented with redundancy: representation of redundant components, refinement of error detection, criticality of errors, error recovery
4. Decomposition: the specification of the overall system is split into specifications of the controller and the plant
5. Implementation: executable code of the controller is produced
Benefits of the systems approach
Well-structured, correct-by-construction development
Assumptions about environment behaviour and fault assumptions are documented as part of the model, which allows us to model fault tolerance rigorously
Abstraction helps to tackle complexity
Stepwise requirement capturing
L Laibinis and E Troubitsyna. Refinement of Fault Tolerant Control Systems in B. In M Heisel, P Liggesmeyer, S Wittmann (Eds), Proc. of SAFECOMP 2004, LNCS 3219
Transient faults in control systems
(Diagram: state machine of the failure management logic for one input, with states Normal, Recover and Freeze and transitions labelled Input_Ok, Input_Suspected and Input_Confirmed)
Rigorous development of a controller subsystem (called Failure Management System in avionics) implementing a mechanism for tolerating transient sensor faults
Formal patterns for detecting sensor failures and recovering from them
Tolerating transient faults means neither overreacting to a suspected input nor neglecting it
D Ilic, E Troubitsyna, L Laibinis and C Snook. Formal Development of Mechanisms for Tolerating Transient Faults. In M Butler, C Jones, A Romanovsky and E Troubitsyna (Eds), Rigorous Development of Complex Fault-Tolerant Systems, LNCS 4157, 2006
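As an added illustration, not the Failure Management System of the cited paper (the slides give neither its thresholds nor its exact transition conditions), the following Python models the Normal/Recover/Freeze logic for one sensor input. The range check, the rate-of-change check, the confirmation count, and the choice to hold the last good value while recovering are this example's own assumptions; the readings are constructed.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Tuple


class State(Enum):
    NORMAL = "Normal"     # the input is trusted
    RECOVER = "Recover"   # the input is suspected; waiting to see whether the fault is transient
    FREEZE = "Freeze"     # the failure is confirmed; the sensor is no longer trusted


class Input(Enum):
    OK = "Input_Ok"
    SUSPECTED = "Input_Suspected"
    CONFIRMED = "Input_Confirmed"


@dataclass
class SensorMonitor:
    """Failure management logic for one sensor input (hypothetical thresholds, see lead-in)."""
    lo: float               # plausible range of the physical quantity (assumption)
    hi: float
    max_step: float         # largest plausible change between two consecutive good readings (assumption)
    confirm_after: int      # consecutive suspected readings needed to confirm a failure (assumption)
    state: State = State.NORMAL
    suspect_count: int = 0
    last_good: Optional[float] = None
    trace: List[Tuple[str, str, str]] = field(default_factory=list)  # (state before, input, state after)

    def classify(self, reading: float) -> Input:
        """Error detection: range check plus rate-of-change check against the last good value."""
        if not (self.lo <= reading <= self.hi):
            return Input.SUSPECTED
        if self.last_good is not None and abs(reading - self.last_good) > self.max_step:
            return Input.SUSPECTED
        return Input.OK

    def step(self, reading: float) -> Tuple[Optional[float], bool]:
        """Consume one reading; return (value handed to the control law, sensor_failed)."""
        before = self.state
        if self.state is State.FREEZE:
            inp = Input.CONFIRMED          # Freeze is absorbing: later readings are ignored
        else:
            inp = self.classify(reading)
            if inp is Input.OK:            # good reading: back to (or stay in) Normal
                self.state = State.NORMAL
                self.suspect_count = 0
                self.last_good = reading
            else:
                self.suspect_count += 1    # one glitch is tolerated, a run of them is not
                if self.suspect_count >= self.confirm_after:
                    inp = Input.CONFIRMED
                    self.state = State.FREEZE
                else:
                    self.state = State.RECOVER
        self.trace.append((before.value, inp.value, self.state.value))
        # while recovering, the last good value is held; once frozen the failure is flagged
        return self.last_good, self.state is State.FREEZE


def freeze_is_absorbing(trace: List[Tuple[str, str, str]]) -> bool:
    """Safety property to check on a trace: once Freeze is entered it is never left."""
    frozen = False
    for _, _, after in trace:
        if frozen and after != State.FREEZE.value:
            return False
        frozen = frozen or after == State.FREEZE.value
    return True


def run(readings: List[float], lo=0.0, hi=100.0, max_step=10.0, confirm_after=3):
    """Feed a sequence of readings through a fresh monitor; return it and the per-step outputs."""
    monitor = SensorMonitor(lo, hi, max_step, confirm_after)
    outputs = [monitor.step(r) for r in readings]
    return monitor, outputs


# Constructed sample: one isolated glitch (250), then a persistent out-of-range failure.
SAMPLE_READINGS = [50, 51, 250, 52, 53, 300, 310, 320, 54]

if __name__ == "__main__":
    m, outs = run(SAMPLE_READINGS)
    for (before, inp, after), out in zip(m.trace, outs):
        print(f"{before:8} --{inp:16}--> {after:8}  output={out}")
```

The single glitch at 250 moves the monitor to Recover and back without dropping the sensor (no overreaction); three consecutive bad readings confirm the failure and freeze it (no neglect). The trace check plays the role the safety invariant plays in the B development: Freeze must be absorbing, so a sensor declared failed is not silently trusted again.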
Fault tolerance in service-oriented development
Lyra is a service-oriented method for developing distributed communicating systems
The design flow is based on the concepts of decomposition and preservation of externally observable behaviour
The system behaviour is modularised and organised into layers according to external communication interfaces
The distributed network architecture is derived from the functional requirements via model transformations
Lyra Design Method
(Diagram: Service Specification, Service Decomposition, Service Distribution and Service Implementation phases; a Service is split into Subservice SC components)
Service specification: system-level services and interfaces are defined
Service decomposition: the abstract model is decomposed into a set of service components and interfaces between them
Service distribution: the logical architecture of services is distributed over a given network
Service implementation: low-level implementation details are added and platform-specific code is generated
Formalizing Lyra
A service component is a coherent piece of functionality that provides its services to a service consumer via a PSAP
It is formalized as an ACC (Abstract Communicating Component) consisting of a "kernel", i.e. the provided functionality, and a "communication wrapper", i.e. the communication channels via which data are supplied to and consumed from the component
B skeleton of the pattern:
SYSTEM ACC
  ...
  EVENTS
    communicational: input, output
    functional: calculate
END
The functional event models not only success but also service failure
Service Decomposition Phase
(Diagram: service S realised by the chain of subservices SS1, SS2, SS3, ..., SSN-1, SSN)
To provide service S, the system should execute subservices SS1...SSN
In the B model, decomposition is represented as a refinement of the initial abstract pattern ACC
A new event Service_Director orchestrates the execution flow
Service decomposition: faults in execution flow
(Diagram: the same chain of subservices, annotated with the recovery paths)
Error recovery by retrying execution of the failed subservice
Error recovery by rollback
Outcomes: success, or service failure (unrecoverable error: abort service execution)
Convergence of error recovery
Error recovery by retrying: risk of infinite retry
Error recovery by rollback: risk of domino effect
We introduce the Maximal Service Response Time (Max_SRT); a new event Time decrements the execution time left
Abort of service due to timeout: when Execution_time > Max_SRT the service execution is aborted
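The decomposition and convergence slides above describe a Service_Director that retries, rolls back or aborts, with Max_SRT bounding every recovery path. As an added example (not the B model of the Lyra work, whose events and guards the slides only sketch), the Python below runs that orchestration over scripted subservices: the outcome vocabulary (ok, transient, corrupt, fatal), the unit time cost per attempt, and the per-subservice compensation are this example's assumptions, and the scenarios are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Outcome of one subservice attempt (constructed vocabulary for this example)
OK, TRANSIENT, CORRUPT, FATAL = "ok", "transient", "corrupt", "fatal"


@dataclass
class Subservice:
    name: str
    script: List[str]        # constructed outcome of each successive attempt; last entry repeats
    cost: int = 1            # time units consumed by one attempt (assumption: at least 1)
    attempts: int = 0

    def execute(self) -> str:
        outcome = self.script[min(self.attempts, len(self.script) - 1)]
        self.attempts += 1
        return outcome

    def undo(self, log: List[str]) -> None:
        log.append(f"undo {self.name}")   # compensation local to this subservice


@dataclass
class ServiceDirector:
    """Orchestrates SS1..SSN; every recovery path is bounded by max_srt."""
    subservices: List[Subservice]
    max_srt: int
    elapsed: int = 0                      # Execution_time in the slides' terms
    log: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        assert all(ss.cost >= 1 for ss in self.subservices), "an attempt must consume time"

    def tick(self, units: int) -> None:
        """The Time event: account for the time one attempt consumed."""
        self.elapsed += units

    def rollback(self, done: List[Subservice]) -> None:
        """Undo completed subservices in reverse order; never reaches beyond this service's own work."""
        for ss in reversed(done):
            ss.undo(self.log)
        done.clear()

    def run(self) -> str:
        done: List[Subservice] = []
        i = 0
        while i < len(self.subservices):
            ss = self.subservices[i]
            if self.elapsed + ss.cost > self.max_srt:     # would exceed Max_SRT: abort by timeout
                self.log.append("timeout")
                self.rollback(done)
                return "FAILURE:timeout"
            outcome = ss.execute()
            self.tick(ss.cost)
            self.log.append(f"{ss.name}:{outcome}@t={self.elapsed}")
            if outcome == OK:
                done.append(ss)
                i += 1
            elif outcome == TRANSIENT:        # retry the failed subservice (bounded by Max_SRT)
                continue
            elif outcome == CORRUPT:          # rollback and restart the flow (bounded by Max_SRT)
                self.rollback(done)
                i = 0
            else:                             # unrecoverable error: abort service execution
                self.rollback(done)
                return "FAILURE:unrecoverable"
        return "SUCCESS"


def run_scenario(scripts: Dict[str, List[str]], max_srt: int):
    """Build a director from constructed per-subservice scripts, run it, return (result, director)."""
    director = ServiceDirector([Subservice(n, s) for n, s in scripts.items()], max_srt)
    result = director.run()
    assert director.elapsed <= max_srt    # convergence: the service never runs past Max_SRT
    return result, director


if __name__ == "__main__":
    for scripts, budget in [
        ({"SS1": [OK], "SS2": [TRANSIENT, TRANSIENT, OK], "SS3": [OK]}, 10),
        ({"SS1": [OK], "SS2": [TRANSIENT], "SS3": [OK]}, 4),   # would retry forever
        ({"SS1": [OK], "SS2": [CORRUPT, OK], "SS3": [OK]}, 10),
        ({"SS1": [OK], "SS2": [OK], "SS3": [FATAL]}, 10),
    ]:
        res, d = run_scenario(scripts, budget)
        print(res, d.log)
```

Termination follows from two facts the code makes explicit: every attempt consumes at least one time unit, and no attempt starts once it would push Execution_time past Max_SRT. The domino effect is avoided by keeping compensation local: rollback only undoes this service's own completed subservices and never propagates to the consumer, so a consumer sees exactly one of SUCCESS or a FAILURE result within the response-time bound.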
Service Distribution (B Model)
The Service Distribution phase of Lyra corresponds to one or several B refinements
Refinement steps introduce separate B components modelling external service components
All new B components are specified according to the same (ACC) pattern
The proposed approach establishes a basis for automating service-oriented development of fault tolerant communicating systems
Formal verification will be hidden behind a UML facade (hence smooth integration into the existing development process)
L Laibinis, E Troubitsyna, S Leppänen, J Lilius and Q Malik. Formal Service-Oriented Development of Fault Tolerant Communicating Systems. In M Butler, C Jones, A Romanovsky and E Troubitsyna (Eds), Rigorous Development of Complex Fault-Tolerant Systems, LNCS 4157, 2006
Fault tolerance in open systems: challenges
Openness of multi-agent systems
Mobility and autonomy of agents
Asynchrony and anonymity of communication
Complex types of faults: temporary loss of connectivity, mismatching interfaces
Interoperability of agents
Formal specification of middleware for mobile location-based systems
Location is an abstraction of context
Systems approach: start from the specification of locations and agents together and arrive at the specification of the entire middleware
Decompose into the part to be implemented by the location and the part to be implemented by the agents
Individual agents can be developed independently but must preserve the "standard" part
Abstract specification: implicit modelling of normal termination and failure
Handling agent failure: refining Disengage
An agent can complete its activity and disengage
An agent's activity can be terminated by a (detectable) crash
An agent can silently crash (e.g. disconnect or become slow)
Compatibility on the functional level
Scopes partition the coordination space
Each scope supports a certain set of roles, an abstraction of agent functionality
Formal definition of scope properties
Compatibility on the level of agent functionality
Systems approach in MAS
Ensuring interoperability of independently developed agents and supporting this by top-down stepwise development methods
Identifying and verifying system properties that express specific fault tolerance and mobility-related characteristics
Formal specifications in B provide input to model checking of dynamic properties
L Laibinis, E Troubitsyna, A Iliasov and A Romanovsky. Rigorous Development of Fault-Tolerant Agent Systems. In M Butler, C Jones, A Romanovsky and E Troubitsyna (Eds), Rigorous Development of Complex Fault-Tolerant Systems, LNCS 4157, 2006
A Iliasov, V Khomenko, M Koutny, A Romanovsky. On Specification and Verification of Location-Based Fault Tolerant Mobile Systems. In M Butler, C Jones, A Romanovsky and E Troubitsyna (Eds), Rigorous Development of Complex Fault-Tolerant Systems, LNCS 4157, 2006
Fault tolerant transactions in replicated database systems
D Yadav, M Butler. Rigorous Design of Fault Tolerant Transactions for Replicated Database Systems using Event B. In M Butler, C Jones, A Romanovsky and E Troubitsyna (Eds), Rigorous Development of Complex Fault-Tolerant Systems, LNCS 4157, 2006
Replication improves the availability of distributed database systems when the transaction workload is predominantly read-only
Keeping replicas identical during updates is difficult due to site failures and conflicting transactions
One Copy Serializability criterion: the interleaved execution of transactions on the replicas should be equivalent to a serial execution of those transactions on one copy of the database
Approach
Verify through refinement that the design of the replicated database satisfies the One Copy Serializability criterion
The abstract model is based on a single-copy database
The refinement is based on the replicated database
Gluing invariants, discovered with the B tools, define the relationship between the abstract single-copy database and the replicated database
The gluing invariants provide a deeper understanding of the system and facilitate further development of more complex replica control mechanisms
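As an added illustration of the abstract model, the refinement and the gluing invariant between them (this is not the Event-B development of Yadav and Butler), the Python below runs a single-copy abstract model alongside a replicated refinement over a constructed run. The replica control protocol is this example's own simplifying assumption: a first-committer-wins version check stands in for conflict handling, and a site that crashes while a transaction is being committed is excluded and that transaction aborted, so no replica ever holds a partial update. Two checks express the gluing invariant and the One Copy Serializability criterion.

```python
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class Txn:
    tid: str
    reads: Dict[str, int]     # object -> version observed when the transaction started
    writes: Dict[str, int]    # object -> new value


class SingleCopyDB:
    """Abstract model: one copy of the data; a committed transaction is applied atomically, in order."""

    def __init__(self) -> None:
        self.data: Dict[str, int] = {}
        self.version: Dict[str, int] = {}
        self.committed: List[str] = []

    def commit(self, txn: Txn) -> None:
        for obj, value in txn.writes.items():
            self.data[obj] = value
            self.version[obj] = self.version.get(obj, 0) + 1
        self.committed.append(txn.tid)


class ReplicatedDB:
    """Refinement: each live site holds a copy; a transaction commits only if all live sites apply it.
    The replica control protocol is this example's assumption (see lead-in): first-committer-wins
    version check; a site that crashes during commit is excluded and the transaction aborted."""

    def __init__(self, names: List[str]) -> None:
        self.sites: Dict[str, SingleCopyDB] = {n: SingleCopyDB() for n in names}
        self.live: Set[str] = set(names)
        self.committed: List[Txn] = []
        self.aborted: List[str] = []
        self.abstract = SingleCopyDB()   # the abstract model, run alongside to check the gluing invariant

    def _reference(self) -> SingleCopyDB:
        return self.sites[min(self.live)]  # any live site will do; by the invariant they all agree

    def begin(self, tid: str, reads: List[str], writes: Dict[str, int]) -> Txn:
        ref = self._reference()
        return Txn(tid, {o: ref.version.get(o, 0) for o in reads}, writes)

    def commit(self, txn: Txn, crashing: Set[str] = frozenset()) -> bool:
        self.live -= set(crashing)       # site failures detected during commit processing
        if not self.live:
            raise RuntimeError("no live replica left")
        ref = self._reference()
        conflict = any(ref.version.get(o, 0) != v for o, v in txn.reads.items())
        if conflict or crashing:         # stale read or a participant crashed: abort everywhere
            self.aborted.append(txn.tid)
            return False
        for name in self.live:           # all-or-nothing update of every live replica
            self.sites[name].commit(txn)
        self.abstract.commit(txn)        # the abstract model takes the same step
        self.committed.append(txn)
        return True

    def gluing_invariant(self) -> bool:
        """Every live replica equals the abstract single copy (data and commit history)."""
        return all(self.sites[n].data == self.abstract.data
                   and self.sites[n].committed == self.abstract.committed for n in self.live)

    def one_copy_serializable(self) -> bool:
        """Replay the committed transactions serially on a fresh single copy, in commit order:
        each must see the versions it read, and the result must match every live replica."""
        serial = SingleCopyDB()
        for txn in self.committed:
            if any(serial.version.get(o, 0) != v for o, v in txn.reads.items()):
                return False
            serial.commit(txn)
        return all(self.sites[n].data == serial.data for n in self.live)


def scenario() -> ReplicatedDB:
    """Constructed run: a write-write conflict, a site crash during commit, then normal progress."""
    db = ReplicatedDB(["A", "B", "C"])
    t1 = db.begin("T1", ["x"], {"x": 1})
    t2 = db.begin("T2", ["x"], {"x": 2})      # started before T1 committed: conflicts with T1
    db.commit(t1)
    db.commit(t2)                             # aborted: its read of x is stale
    t3 = db.begin("T3", ["x"], {"y": 5})
    db.commit(t3, crashing={"C"})             # site C fails mid-commit: T3 aborted, C excluded
    t4 = db.begin("T4", ["x", "y"], {"y": 7})
    db.commit(t4)
    return db


if __name__ == "__main__":
    db = scenario()
    print("committed:", [t.tid for t in db.committed], "aborted:", db.aborted, "live:", sorted(db.live))
    print("gluing invariant:", db.gluing_invariant(), " 1SR:", db.one_copy_serializable())
```

The invariant ranges over live sites only: the crashed site C keeps a stale copy and would have to resynchronise before rejoining, which the example leaves out, as it leaves out the proof obligations the B tools discharge for the real refinement. What the side-by-side run does show is the shape of the gluing invariant: the abstract single copy and each live replica take identical steps, so checking them equal after every commit is what "refinement preserves One Copy Serializability" amounts to in this setting.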
Other topics in RODIN methodology
Extension of the Event B language by J-R Abrial
Library of case studies in J-R Abrial's book
Extension of Event B to represent records by N Evans and M Butler
Model checking of mobile fault tolerant systems by M Koutny et al.
Methods for rigorous development of generic requirements patterns by C Snook, M Poppleton and I Johnson
Formalization of UML in B by C Snook, M Butler, M Walden
Design of various exception handling approaches by A Iliasov and A Romanovsky
Control Systems
Computer
Sensors
Actuators
PlantEnvironment(Plant) evolves
Sensors registerthe state of plant
Controller reads sensors andcalculates how to set actuators to achieve the desired behaviour
Controller sets actuators
Traditional development focus on controller (SW)
Industry Day Paris 100907
Control Systems
Computer
Sensors
Actuators
PlantEnvironment(Plant) evolves
Sensors registerthe state of plant
Controller reads sensors andcalculates how to set actuators to achieve the desired behaviour
Controller sets actuators
Systems approach model entire system and derive controlling SW by refinement and decomposition
Traditional development focus on controller (SW)
Industry Day Paris 100907
Developing fault tolerant control systems by refinement Abstract specification of entire system abstract model of plant
routine control and failure Safety invariant
Specification with refined error detection mechanism elaborated description of plantrsquos dynamics representation of components failures error detection
Specification of the system supplemented with redundancy representation of redundant components refinement of error detection criticality of errors error recovery
Decomposition the specification of overall system is split into specifications of the controller and the plant
Implementation executable code of controller is produced
Industry Day Paris 100907
Benefits of systems approach
Well-structured correct-by-construction development
Assumptions about environment behaviour and fault assumptions are documented as a part of the model which allows us rigorously model fault tolerance
Abstraction helps to tackle complexity
Stepwise requirement capturing
LLaibinis and ETroubitsyna Refinement of fault tolerant control systems in BIn M Heisel P Liggesmeyer S Wittmann (Eds) Proc of SAFECOMPrsquo2004 LNCS 3219
Industry Day Paris 100907
Transient faults in control systems
Normal Recover Freez Input
Input_Ok Input_Suspected
Input_Confirmed
Input_Ok
Input_Suspected
Rigorous development of controller subsystem (called Failure Management System in avionics) implementing mechanism for tolerating transient sensor faults
Formal patterns for detecting sensor failures and recovering from them
DIlic E Troubitsyna L Laibinis and C Snook Formal Development of Mechanisms for Tolerating Transient Faults In M Butler C Jones A Romanovsky and E Troubitsyna (Eds) Rigorous Development of Complex Fault-Tolerant Systems LNCS 4157 2006
Tolerating transient faults to not overreact neither to neglect
Industry Day Paris 100907
Fault tolerance in service-oriented development Lyra is service-oriented method for developing
distributed communicating systems
Design flow is based on the concepts of decomposition and preservation of externally observable behaviour
The system behaviour is modularised and organised into layers according to external communication interfaces
Distributed network architecture is derived from functional requirements via model transformations
Industry Day Paris 100907
11
Service
Service Specification
SubserviceSC SubserviceSC SubserviceSC
Service Decomposition
Service Distribution
Service Implementation
Lyra Design Method
Service specification system-level services and interfaces are defined
Industry Day Paris 100907
12
Service
Service Specification
SubserviceSC SubserviceSC SubserviceSC
Service Decomposition
Service Distribution
Service Implementation
Lyra Design Method
Service decompositionthe abstract model is decomposed into a set of service components and interfaces between them
Industry Day Paris 100907
13
Service
Service Specification
SubserviceSC SubserviceSC SubserviceSC
Service Decomposition
Service Distribution
Service Implementation
Lyra Design Method
Service distribution the logical architecture of services is distributed over a given network
Industry Day Paris 100907
14
Service
Service Specification
SubserviceSC SubserviceSC SubserviceSC
Service Decomposition
Service Distribution
Service Implementation
Lyra Design Method
Service implementation low-level implementation details are added and platform specific code is generated
Industry Day Paris 100907
Formalizing Lyra Service component is a coherent piece of functionality that
provides its services to a service consumer via PSAP
Formalized as ACC ndash Abstract Communicating Component consisting of
ldquokernelrdquo ie the provided functionality ldquocommunication wrapperrdquo ie the communication channels via which data are supplied to and consumed from the component
SYSTEM ACChellipEVENTS communicational
input output functional calculate
ENDNot only success but also
service failure
Industry Day Paris 100907
Service Decomposition Phase
hellip
SS1 SS2 SS3 SSN-1 SN
S
To provide service S system should execute subservices SS1SSN
In B model decomposition is represented as refinement of the initial abstract pattern ACC
New event Service_Director orchistrates execution flow
Industry Day Paris 100907
Service decomposition faults in execution flow
hellip
SS1 SS2 SS3 SSN-1 SN
S
Error recovery by retrying execution of failed subservice
Industry Day Paris 100907
Service decomposition faults in execution flow
hellip
SS1 SS2 SS3 SSN-1 SN
S
Error recovery by rollback
Industry Day Paris 100907
Service decomposition faults in execution flow
hellip
SS1 SS2 SS3 SSN-1 SN
S
Service failure
Success
Unrecoverable errorAbort service execution
Industry Day Paris 100907
Convergence of error recovery
hellip
SS1 SS2 SS3 SSN-1 SN
S
Error recovery by retrying infinite retry
Industry Day Paris 100907
Convergence of error recovery
hellip
SS1 SS2 SS3 SSN-1 SN
S
Error recovery by rollback domino effect
We introduce Maximal Service Response Time (Max_SRT)New event Time decrements the execution time left
Industry Day Paris 100907
Abort of service due to timeout
hellip
SS1 SS2 SS3 SSN-1 SN
S
Execution_time gtMax_SRT
Industry Day Paris 100907
Service Distribution (B Model)
Service Distribution phase of Lyra corresponds to one or several B refinements
Refinement steps introduce separate B components modelling external service components
All new B components are specified according to the same (ACC) pattern
Industry Day Paris 100907
Proposed approach establishes a basis for automating service-oriented development of fault tolerant communicating systems
Formal verification will be hidden behind UML facade (hence smooth integration into existing development process)
LLaibinis E Troubitsyna S Leppaumlnen J Lilius and Q Malik Formal Service-Oriented Development of Fault Tolerant Communicating Systems In M Butler C Jones A Romanovsky and E Troubitsyna (Eds) Rigorous Development of Complex Fault-Tolerant Systems LNCS 41572006
Industry Day Paris 100907
Fault tolerance in open systems challenges openness of the multi-agent systems
mobility and autonomy of agents
asynchrony and anonymity of the communication
complex types of faults temporal loss of connectivity mismatching interfaces
Industry Day Paris 100907
Interoperability of agents
Formal specification of middleware for mobile location-based systems
Location is abstraction of context
System approach start from specification of location and agents together and arrive at the specification of entire middleware
Decompose into part to be implemented by location and by agents
Individual agents can be developed independently but preserve ldquostandardrdquo part
Industry Day Paris 100907
Abstract specification
Implicit modelling of normal termination
and failure
Industry Day Paris 100907
Handling agent failure
Refining Disengage
1048708Agent can complete its activity and disengage
1048708Agent activity can be terminated by a (detectable) crash
1048708Agent can silently crash (eg disconnect or become slow)
Industry Day Paris 100907
Compatibility on functional levelbullScopes partition coordination space
bullEach scope supports certain set of roles ndash abstraction of agent functionality
bullFormal definition of scope properties
bullCompatibility on the level of agent functionality
Industry Day Paris 100907
System approach in MAS Ensuring interoperability of the independently developed agents and
supporting this by top-down stepwise development methods
Identifying and verifying system properties that express specific fault tolerance and mobility-related characteristics
Formal specifications in B provide input to model checking of dynamic properties
LLaibinis ETroubitsyna AIliasov and ARomanovsky Rigorous Development of Fault-Tolerant Agent Systems In M Butler C Jones A Romanovsky and E Troubitsyna (Eds) Rigorous Development of Complex Fault-Tolerant Systems LNCS 41572006
AIliasov VKhomenko MKoutny ARomanovsky On Specification and Verification of Location-Based Fault Tolerant Mobile Systems In M Butler C Jones A Romanovsky and E Troubitsyna (Eds) Rigorous Development of Complex Fault-Tolerant Systems LNCS 41572006
Industry Day Paris 100907
Fault tolerant transactions in replicated database systems DYadav MButler Rigorous design of Fault Tolerant Transations for replicated
database systems using Event B In M Butler C Jones A Romanovsky and E Troubitsyna (Eds) Rigorous Development of Complex Fault-Tolerant Systems LNCS 41572006
Replication improves availability of distributed database systems
when the transaction workload is predominantly read only
Keeping replicas identical during updates is difficult due to site failures and conflicting transactions
One Copy Serializability criterionInterleaved execution of transactions in replicas should be equivalent to serial execution of those transactions on one copy of database
Industry Day Paris 100907
Approach
Verify through refinement that design of replicated database satisfies One Copy Serializability criterion
Abstract Model is based on Single Copy Database
Refinement is based on Replicated Database
Gluing Invariants discovered by B Tools defines relationship among abstract single copy database and replicated database
The gluing invariants provides an deeper understanding of system and facilitates further development of more complex replica control mechanism
Industry Day Paris 100907
Other topics in RODIN methodology Extension of Event B language by J-R Abrial
Library of case studies in J-R Abrial book
Extension of Event B to represent records by NEvans and MButler
Model checking of mobile fault tolerant systems by MKoutny et al
Methods for rigorous development of generic requirements patterns by CSnook MPoppleton and IJohnson
Formalization of UML in B by CSnook MButler MWalden
Design of various exception handling approaches by AIliasov and ARomanovsky
Industry Day Paris 100907
Control Systems
Computer
Sensors
Actuators
PlantEnvironment(Plant) evolves
Sensors registerthe state of plant
Controller reads sensors andcalculates how to set actuators to achieve the desired behaviour
Controller sets actuators
Systems approach model entire system and derive controlling SW by refinement and decomposition
Traditional development focus on controller (SW)
Industry Day Paris 100907
Developing fault tolerant control systems by refinement Abstract specification of entire system abstract model of plant
routine control and failure Safety invariant
Specification with refined error detection mechanism elaborated description of plantrsquos dynamics representation of components failures error detection
Specification of the system supplemented with redundancy representation of redundant components refinement of error detection criticality of errors error recovery
Decomposition the specification of overall system is split into specifications of the controller and the plant
Implementation executable code of controller is produced
Industry Day Paris 100907
Benefits of systems approach
Well-structured correct-by-construction development
Assumptions about environment behaviour and fault assumptions are documented as a part of the model which allows us rigorously model fault tolerance
Abstraction helps to tackle complexity
Stepwise requirement capturing
LLaibinis and ETroubitsyna Refinement of fault tolerant control systems in BIn M Heisel P Liggesmeyer S Wittmann (Eds) Proc of SAFECOMPrsquo2004 LNCS 3219
Industry Day Paris 100907
Transient faults in control systems
Normal Recover Freez Input
Input_Ok Input_Suspected
Input_Confirmed
Input_Ok
Input_Suspected
Rigorous development of controller subsystem (called Failure Management System in avionics) implementing mechanism for tolerating transient sensor faults
Formal patterns for detecting sensor failures and recovering from them
DIlic E Troubitsyna L Laibinis and C Snook Formal Development of Mechanisms for Tolerating Transient Faults In M Butler C Jones A Romanovsky and E Troubitsyna (Eds) Rigorous Development of Complex Fault-Tolerant Systems LNCS 4157 2006
Tolerating transient faults to not overreact neither to neglect
Industry Day Paris 100907
Fault tolerance in service-oriented development Lyra is service-oriented method for developing
distributed communicating systems
Design flow is based on the concepts of decomposition and preservation of externally observable behaviour
The system behaviour is modularised and organised into layers according to external communication interfaces
Distributed network architecture is derived from functional requirements via model transformations
Industry Day Paris 100907
11
Service
Service Specification
SubserviceSC SubserviceSC SubserviceSC
Service Decomposition
Service Distribution
Service Implementation
Lyra Design Method
Service specification system-level services and interfaces are defined
Industry Day Paris 100907
12
Service
Service Specification
SubserviceSC SubserviceSC SubserviceSC
Service Decomposition
Service Distribution
Service Implementation
Lyra Design Method
Service decompositionthe abstract model is decomposed into a set of service components and interfaces between them
Industry Day Paris 100907
13
Service
Service Specification
SubserviceSC SubserviceSC SubserviceSC
Service Decomposition
Service Distribution
Service Implementation
Lyra Design Method
Service distribution the logical architecture of services is distributed over a given network
Industry Day Paris 100907
14
Service
Service Specification
SubserviceSC SubserviceSC SubserviceSC
Service Decomposition
Service Distribution
Service Implementation
Lyra Design Method
Service implementation low-level implementation details are added and platform specific code is generated
Industry Day Paris 100907
Formalizing Lyra Service component is a coherent piece of functionality that
provides its services to a service consumer via PSAP
Formalized as ACC ndash Abstract Communicating Component consisting of
ldquokernelrdquo ie the provided functionality ldquocommunication wrapperrdquo ie the communication channels via which data are supplied to and consumed from the component
SYSTEM ACChellipEVENTS communicational
input output functional calculate
ENDNot only success but also
service failure
Industry Day Paris 100907
Service Decomposition Phase
hellip
SS1 SS2 SS3 SSN-1 SN
S
To provide service S system should execute subservices SS1SSN
In B model decomposition is represented as refinement of the initial abstract pattern ACC
New event Service_Director orchistrates execution flow
Industry Day Paris 100907
Service decomposition faults in execution flow
hellip
SS1 SS2 SS3 SSN-1 SN
S
Error recovery by retrying execution of failed subservice
Industry Day Paris 100907
Service decomposition faults in execution flow
hellip
SS1 SS2 SS3 SSN-1 SN
S
Error recovery by rollback
Industry Day Paris 100907
Service decomposition faults in execution flow
hellip
SS1 SS2 SS3 SSN-1 SN
S
Service failure
Success
Unrecoverable errorAbort service execution
Industry Day Paris 100907
Convergence of error recovery
hellip
SS1 SS2 SS3 SSN-1 SN
S
Error recovery by retrying infinite retry
Industry Day Paris 100907
Convergence of error recovery
hellip
SS1 SS2 SS3 SSN-1 SN
S
Error recovery by rollback domino effect
We introduce Maximal Service Response Time (Max_SRT)New event Time decrements the execution time left
Industry Day Paris 100907
Abort of service due to timeout
hellip
SS1 SS2 SS3 SSN-1 SN
S
Execution_time gtMax_SRT
Industry Day Paris 100907
Service Distribution (B Model)
Service Distribution phase of Lyra corresponds to one or several B refinements
Refinement steps introduce separate B components modelling external service components
All new B components are specified according to the same (ACC) pattern
Industry Day Paris 100907
The proposed approach establishes a basis for automating service-oriented development of fault tolerant communicating systems
Formal verification will be hidden behind a UML facade (hence smooth integration into the existing development process)
L. Laibinis, E. Troubitsyna, S. Leppänen, J. Lilius and Q. Malik. Formal Service-Oriented Development of Fault Tolerant Communicating Systems. In M. Butler, C. Jones, A. Romanovsky and E. Troubitsyna (Eds.), Rigorous Development of Complex Fault-Tolerant Systems, LNCS 4157, 2006

Fault tolerance in open systems: challenges
Openness of the multi-agent systems
Mobility and autonomy of agents
Asynchrony and anonymity of the communication
Complex types of faults: temporary loss of connectivity, mismatching interfaces

Interoperability of agents
Formal specification of middleware for mobile location-based systems
Location is an abstraction of context
Systems approach: start from the specification of location and agents together and arrive at the specification of the entire middleware
Decompose into the part to be implemented by the location and the part to be implemented by the agents
Individual agents can be developed independently but preserve the "standard" part

Abstract specification
Implicit modelling of normal termination and failure

Handling agent failure
Refining Disengage:
Agent can complete its activity and disengage
Agent activity can be terminated by a (detectable) crash
Agent can silently crash (e.g. disconnect or become slow)

Compatibility on functional level
Scopes partition the coordination space
Each scope supports a certain set of roles, an abstraction of agent functionality
Formal definition of scope properties
Compatibility on the level of agent functionality

System approach in MAS
Ensuring interoperability of the independently developed agents and supporting this by top-down stepwise development methods
Identifying and verifying system properties that express specific fault tolerance and mobility-related characteristics
Formal specifications in B provide input to model checking of dynamic properties
L. Laibinis, E. Troubitsyna, A. Iliasov and A. Romanovsky. Rigorous Development of Fault-Tolerant Agent Systems. In M. Butler, C. Jones, A. Romanovsky and E. Troubitsyna (Eds.), Rigorous Development of Complex Fault-Tolerant Systems, LNCS 4157, 2006
A. Iliasov, V. Khomenko, M. Koutny, A. Romanovsky. On Specification and Verification of Location-Based Fault Tolerant Mobile Systems. In M. Butler, C. Jones, A. Romanovsky and E. Troubitsyna (Eds.), Rigorous Development of Complex Fault-Tolerant Systems, LNCS 4157, 2006

Fault tolerant transactions in replicated database systems
D. Yadav, M. Butler. Rigorous Design of Fault Tolerant Transactions for Replicated Database Systems using Event B. In M. Butler, C. Jones, A. Romanovsky and E. Troubitsyna (Eds.), Rigorous Development of Complex Fault-Tolerant Systems, LNCS 4157, 2006
Replication improves the availability of distributed database systems when the transaction workload is predominantly read-only
Keeping replicas identical during updates is difficult due to site failures and conflicting transactions
One Copy Serializability criterion: the interleaved execution of transactions on the replicas should be equivalent to a serial execution of those transactions on one copy of the database

Approach
Verify through refinement that the design of the replicated database satisfies the One Copy Serializability criterion
The abstract model is based on a single copy database
The refinement is based on the replicated database
Gluing invariants, discovered with the B tools, define the relationship between the abstract single copy database and the replicated database
The gluing invariants provide a deeper understanding of the system and facilitate further development of more complex replica control mechanisms

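An added Python rendering of the refinement argument above (not the Yadav/Butler Event-B model): an abstract single-copy database, a replicated refinement in which site failure, a conflicting update and resynchronisation are events, and the gluing invariant (every active replica equals the abstract database) checked after each event; a deliberately faulty commit shows how the invariant exposes a replica control mechanism that leaves a site stale. The prepare/commit rule, the site names and the data are assumptions.

```python
"""Refinement check of a replicated database against its single-copy abstraction. Added
example, not the Yadav/Butler Event-B development; the replica control rule is assumed."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class SingleCopyDB:
    """Abstract model: one database; each commit is one atomic write set."""
    db: Dict[str, int]
    history: List[str] = field(default_factory=list)  # the serial (one-copy) order

    def commit(self, tx: str, writes: Dict[str, int]) -> None:
        self.db.update(writes)
        self.history.append(tx)


@dataclass
class ReplicatedDB:
    """Concrete model: one replica per site; failed sites are absent from `active`."""
    abstract: SingleCopyDB
    replicas: Dict[str, Dict[str, int]]
    active: Set[str]
    pending: Dict[str, Dict[str, int]] = field(default_factory=dict)  # tx -> writes
    prepared: Dict[str, Set[str]] = field(default_factory=dict)       # tx -> sites

    def begin(self, tx: str, writes: Dict[str, int]) -> None:
        self.pending[tx] = writes
        self.prepared[tx] = set()

    def prepare(self, tx: str, *sites: str) -> None:
        for site in sites:                  # executed locally, not yet visible to reads
            if site in self.active and tx in self.pending:
                self.prepared[tx].add(site)

    def commit(self, tx: str) -> bool:
        """Guard: every active site prepared tx; effect: all active replicas and the
        abstract database are updated in this same event (the refinement step)."""
        if not self.active <= self.prepared[tx]:
            return False
        writes = self.pending.pop(tx)
        del self.prepared[tx]
        for site in self.active:
            self.replicas[site].update(writes)
        self.abstract.commit(tx, writes)
        return True

    def commit_eagerly(self, tx: str) -> None:
        """Faulty replica control: only sites that prepared are updated; the rest go stale."""
        writes = self.pending.pop(tx)
        for site in self.prepared.pop(tx) & self.active:
            self.replicas[site].update(writes)
        self.abstract.commit(tx, writes)

    def site_recover(self, site: str) -> None:
        """Resynchronise from a live replica before the site serves reads again."""
        self.replicas[site] = dict(self.replicas[next(iter(self.active))])
        self.active.add(site)

    def read(self, site: str, obj: str) -> int:
        assert site in self.active, "reads are served by active sites only"
        return self.replicas[site][obj]

    def gluing_invariant(self) -> bool:
        """Every active replica equals the abstract single-copy database."""
        return all(self.replicas[s] == self.abstract.db for s in self.active)


def fresh() -> ReplicatedDB:
    base = {"x": 0, "y": 0}   # constructed initial content, identical at sites A, B, C
    return ReplicatedDB(SingleCopyDB(dict(base)),
                        {s: dict(base) for s in "ABC"}, {"A", "B", "C"})


def demo_failure_during_update() -> Dict[str, object]:
    """T1 and T2 both write x (conflicting); site C fails while T1 is pending."""
    r, held = fresh(), []
    r.begin("T1", {"x": 1})
    r.begin("T2", {"x": 2})
    r.prepare("T1", "A", "B")
    first_try = r.commit("T1")       # False: C has not prepared yet
    r.active.discard("C")            # site failure: C crashes mid-update
    held.append(r.gluing_invariant())
    second_try = r.commit("T1")      # True: all remaining active sites prepared
    held.append(r.gluing_invariant())
    r.prepare("T2", "A", "B")
    r.commit("T2")                   # serialised after T1 on every live replica
    held.append(r.gluing_invariant())
    r.site_recover("C")              # C copies a live replica before rejoining
    held.append(r.gluing_invariant())
    return {"first_try": first_try, "second_try": second_try, "history": r.abstract.history,
            "x_at_C": r.read("C", "x"), "invariant_held": all(held)}


def demo_eager_commit_breaks_invariant() -> bool:
    r = fresh()
    r.begin("T1", {"x": 1})
    r.prepare("T1", "A")
    r.commit_eagerly("T1")           # B and C still hold x = 0
    return r.gluing_invariant()      # False
```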
Other topics in RODIN methodology
Extension of the Event B language by J.-R. Abrial
Library of case studies in J.-R. Abrial's book
Extension of Event B to represent records by N. Evans and M. Butler
Model checking of mobile fault tolerant systems by M. Koutny et al.
Methods for rigorous development of generic requirements patterns by C. Snook, M. Poppleton and I. Johnson
Formalization of UML in B by C. Snook, M. Butler, M. Walden
Design of various exception handling approaches by A. Iliasov and A. Romanovsky

Developing fault tolerant control systems by refinement
Abstract specification of the entire system: abstract model of the plant, routine control and failure, safety invariant
Specification with a refined error detection mechanism: elaborated description of the plant's dynamics, representation of component failures, error detection
Specification of the system supplemented with redundancy: representation of redundant components, refinement of error detection, criticality of errors, error recovery
Decomposition: the specification of the overall system is split into specifications of the controller and the plant
Implementation: executable code of the controller is produced

Benefits of systems approach
Well-structured, correct-by-construction development
Assumptions about environment behaviour and fault assumptions are documented as a part of the model, which allows us to rigorously model fault tolerance
Abstraction helps to tackle complexity
Stepwise requirement capturing
L. Laibinis and E. Troubitsyna. Refinement of fault tolerant control systems in B. In M. Heisel, P. Liggesmeyer, S. Wittmann (Eds.), Proc. of SAFECOMP'2004, LNCS 3219

Transient faults in control systems
Figure: state machine with states Normal, Recover and Freeze, transitions labelled Input_Ok, Input_Suspected and Input_Confirmed
Rigorous development of a controller subsystem (called Failure Management System in avionics) implementing a mechanism for tolerating transient sensor faults
Formal patterns for detecting sensor failures and recovering from them
D. Ilic, E. Troubitsyna, L. Laibinis and C. Snook. Formal Development of Mechanisms for Tolerating Transient Faults. In M. Butler, C. Jones, A. Romanovsky and E. Troubitsyna (Eds.), Rigorous Development of Complex Fault-Tolerant Systems, LNCS 4157, 2006
Tolerating transient faults: neither overreact nor neglect

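An added Python example of the Normal/Recover/Freeze pattern sketched above (not the B development by Ilic et al.): a range check and a rate-of-change check classify each sample as Input_Ok, Input_Suspected or Input_Confirmed, a single glitch only moves the channel to Recover, and a run of suspected samples confirms the failure and freezes the channel. The threshold, the checks and the sample values are assumptions.

```python
"""Sensor input handling after the Normal / Recover / Freeze pattern for transient faults.
Added example, not the Ilic et al. B development; the plausibility checks and the
confirmation threshold are assumptions made for illustration."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Tuple


class State(Enum):
    NORMAL = "Normal"     # sensor trusted, readings passed to the controller
    RECOVER = "Recover"   # reading suspected: hold the last good value, await confirmation
    FREEZE = "Freeze"     # failure confirmed: channel excluded until maintenance


class Event(Enum):
    INPUT_OK = "Input_Ok"
    INPUT_SUSPECTED = "Input_Suspected"
    INPUT_CONFIRMED = "Input_Confirmed"


@dataclass
class SensorFMS:
    """Failure management for one sensor channel."""
    lo: float                 # valid measurement range [lo, hi]
    hi: float
    max_step: float           # largest plausible change between two consecutive samples
    confirm_after: int        # consecutive suspected samples that confirm a failure
    state: State = State.NORMAL
    last_good: Optional[float] = None
    suspect_count: int = 0
    log: List[Tuple[State, Event, State]] = field(default_factory=list)

    def classify(self, x: float) -> Event:
        """Error detection: range check plus rate-of-change check against the last good value."""
        out_of_range = not (self.lo <= x <= self.hi)
        implausible = self.last_good is not None and abs(x - self.last_good) > self.max_step
        if not (out_of_range or implausible):
            return Event.INPUT_OK
        # Neither overreact (a single glitch is only suspected) nor neglect (repeated
        # glitches are confirmed as a sensor failure).
        if self.suspect_count + 1 < self.confirm_after:
            return Event.INPUT_SUSPECTED
        return Event.INPUT_CONFIRMED

    def step(self, x: float) -> Optional[float]:
        """Process one sample; returns the value the controller should use (None if no
        good value has been seen yet)."""
        if self.state is State.FREEZE:
            return self.last_good          # frozen: a redundant channel should take over
        event, before = self.classify(x), self.state
        if event is Event.INPUT_OK:
            self.state, self.suspect_count, self.last_good = State.NORMAL, 0, x
        elif event is Event.INPUT_SUSPECTED:
            self.state, self.suspect_count = State.RECOVER, self.suspect_count + 1
        else:
            self.state, self.suspect_count = State.FREEZE, self.suspect_count + 1
        self.log.append((before, event, self.state))
        return self.last_good


def run_channel(fms: SensorFMS, samples: List[float]) -> List[Optional[float]]:
    return [fms.step(s) for s in samples]


def demo_glitch() -> Tuple[State, List[Optional[float]]]:
    """One out-of-range spike: suspected, then cleared by the next good sample."""
    fms = SensorFMS(lo=0.0, hi=50.0, max_step=5.0, confirm_after=3)
    used = run_channel(fms, [20.0, 20.5, 99.0, 21.0, 21.2])   # constructed samples
    return fms.state, used


def demo_stuck_sensor() -> Tuple[State, List[Optional[float]]]:
    """Persistent bad readings: three consecutive suspects confirm the failure."""
    fms = SensorFMS(lo=0.0, hi=50.0, max_step=5.0, confirm_after=3)
    used = run_channel(fms, [20.0, -1.0, -1.0, -1.0, 25.0])   # constructed samples
    return fms.state, used
```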
Fault tolerance in service-oriented development
Lyra is a service-oriented method for developing distributed communicating systems
The design flow is based on the concepts of decomposition and preservation of externally observable behaviour
The system behaviour is modularised and organised into layers according to external communication interfaces
The distributed network architecture is derived from functional requirements via model transformations

Lyra Design Method
Figure: a Service passes through the phases Service Specification, Service Decomposition (into Subservice/SC components), Service Distribution and Service Implementation
Service specification: system-level services and interfaces are defined
Service decomposition: the abstract model is decomposed into a set of service components and interfaces between them
Service distribution: the logical architecture of services is distributed over a given network
Service implementation: low-level implementation details are added and platform-specific code is generated

Formalizing Lyra
A service component is a coherent piece of functionality that provides its services to a service consumer via a PSAP
Formalized as an ACC (Abstract Communicating Component), consisting of a "kernel", i.e. the provided functionality, and a "communication wrapper", i.e. the communication channels via which data are supplied to and consumed from the component
B sketch of the ACC:
SYSTEM ACC
  ...
  EVENTS
    communicational: input, output
    functional: calculate
END
Not only success but also service failure is modelled

Industry Day Paris 100907
Service decomposition faults in execution flow
hellip
SS1 SS2 SS3 SSN-1 SN
S
Error recovery by retrying execution of failed subservice
Industry Day Paris 100907
Service decomposition faults in execution flow
hellip
SS1 SS2 SS3 SSN-1 SN
S
Error recovery by rollback
Industry Day Paris 100907
Service decomposition faults in execution flow
hellip
SS1 SS2 SS3 SSN-1 SN
S
Service failure
Success
Unrecoverable errorAbort service execution
Industry Day Paris 100907
Convergence of error recovery
hellip
SS1 SS2 SS3 SSN-1 SN
S
Error recovery by retrying infinite retry
Industry Day Paris 100907
Convergence of error recovery
hellip
SS1 SS2 SS3 SSN-1 SN
S
Error recovery by rollback domino effect
We introduce Maximal Service Response Time (Max_SRT)New event Time decrements the execution time left
Industry Day Paris 100907
Abort of service due to timeout
hellip
SS1 SS2 SS3 SSN-1 SN
S
Execution_time gtMax_SRT
Industry Day Paris 100907
Service Distribution (B Model)
Service Distribution phase of Lyra corresponds to one or several B refinements
Refinement steps introduce separate B components modelling external service components
All new B components are specified according to the same (ACC) pattern
Industry Day Paris 100907
Proposed approach establishes a basis for automating service-oriented development of fault tolerant communicating systems
Formal verification will be hidden behind UML facade (hence smooth integration into existing development process)
LLaibinis E Troubitsyna S Leppaumlnen J Lilius and Q Malik Formal Service-Oriented Development of Fault Tolerant Communicating Systems In M Butler C Jones A Romanovsky and E Troubitsyna (Eds) Rigorous Development of Complex Fault-Tolerant Systems LNCS 41572006
Industry Day Paris 100907
Fault tolerance in open systems challenges openness of the multi-agent systems
mobility and autonomy of agents
asynchrony and anonymity of the communication
complex types of faults temporal loss of connectivity mismatching interfaces
Industry Day Paris 100907
Interoperability of agents
Formal specification of middleware for mobile location-based systems
Location is abstraction of context
System approach start from specification of location and agents together and arrive at the specification of entire middleware
Decompose into part to be implemented by location and by agents
Individual agents can be developed independently but preserve ldquostandardrdquo part
Industry Day Paris 100907
Abstract specification
Implicit modelling of normal termination
and failure
Industry Day Paris 100907
Handling agent failure
Refining Disengage
1048708Agent can complete its activity and disengage
1048708Agent activity can be terminated by a (detectable) crash
1048708Agent can silently crash (eg disconnect or become slow)
Industry Day Paris 100907
Compatibility on functional levelbullScopes partition coordination space
bullEach scope supports certain set of roles ndash abstraction of agent functionality
bullFormal definition of scope properties
bullCompatibility on the level of agent functionality
Industry Day Paris 100907
System approach in MAS Ensuring interoperability of the independently developed agents and
supporting this by top-down stepwise development methods
Identifying and verifying system properties that express specific fault tolerance and mobility-related characteristics
Formal specifications in B provide input to model checking of dynamic properties
LLaibinis ETroubitsyna AIliasov and ARomanovsky Rigorous Development of Fault-Tolerant Agent Systems In M Butler C Jones A Romanovsky and E Troubitsyna (Eds) Rigorous Development of Complex Fault-Tolerant Systems LNCS 41572006
AIliasov VKhomenko MKoutny ARomanovsky On Specification and Verification of Location-Based Fault Tolerant Mobile Systems In M Butler C Jones A Romanovsky and E Troubitsyna (Eds) Rigorous Development of Complex Fault-Tolerant Systems LNCS 41572006
Industry Day Paris 100907
Fault tolerant transactions in replicated database systems DYadav MButler Rigorous design of Fault Tolerant Transations for replicated
database systems using Event B In M Butler C Jones A Romanovsky and E Troubitsyna (Eds) Rigorous Development of Complex Fault-Tolerant Systems LNCS 41572006
Replication improves availability of distributed database systems
when the transaction workload is predominantly read only
Keeping replicas identical during updates is difficult due to site failures and conflicting transactions
One Copy Serializability criterionInterleaved execution of transactions in replicas should be equivalent to serial execution of those transactions on one copy of database
Industry Day Paris 100907
Approach
Verify through refinement that design of replicated database satisfies One Copy Serializability criterion
Abstract Model is based on Single Copy Database
Refinement is based on Replicated Database
Gluing Invariants discovered by B Tools defines relationship among abstract single copy database and replicated database
The gluing invariants provides an deeper understanding of system and facilitates further development of more complex replica control mechanism
Industry Day Paris 100907
Other topics in RODIN methodology Extension of Event B language by J-R Abrial
Library of case studies in J-R Abrial book
Extension of Event B to represent records by NEvans and MButler
Model checking of mobile fault tolerant systems by MKoutny et al
Methods for rigorous development of generic requirements patterns by CSnook MPoppleton and IJohnson
Formalization of UML in B by CSnook MButler MWalden
Design of various exception handling approaches by AIliasov and ARomanovsky
Industry Day Paris 100907
11
Service
Service Specification
SubserviceSC SubserviceSC SubserviceSC
Service Decomposition
Service Distribution
Service Implementation
Lyra Design Method
Service specification system-level services and interfaces are defined
Industry Day Paris 100907
12
Service
Service Specification
SubserviceSC SubserviceSC SubserviceSC
Service Decomposition
Service Distribution
Service Implementation
Lyra Design Method
Service decompositionthe abstract model is decomposed into a set of service components and interfaces between them
Industry Day Paris 100907
13
Service
Service Specification
SubserviceSC SubserviceSC SubserviceSC
Service Decomposition
Service Distribution
Service Implementation
Lyra Design Method
Service distribution the logical architecture of services is distributed over a given network
Industry Day Paris 100907
14
Service
Service Specification
SubserviceSC SubserviceSC SubserviceSC
Service Decomposition
Service Distribution
Service Implementation
Lyra Design Method
Service implementation low-level implementation details are added and platform specific code is generated
Industry Day Paris 100907
Formalizing Lyra Service component is a coherent piece of functionality that
provides its services to a service consumer via PSAP
Formalized as ACC ndash Abstract Communicating Component consisting of
ldquokernelrdquo ie the provided functionality ldquocommunication wrapperrdquo ie the communication channels via which data are supplied to and consumed from the component
SYSTEM ACChellipEVENTS communicational
input output functional calculate
ENDNot only success but also
service failure
Industry Day Paris 100907
Service Decomposition Phase
hellip
SS1 SS2 SS3 SSN-1 SN
S
To provide service S system should execute subservices SS1SSN
In B model decomposition is represented as refinement of the initial abstract pattern ACC
New event Service_Director orchistrates execution flow
Industry Day Paris 100907
Service decomposition faults in execution flow
hellip
SS1 SS2 SS3 SSN-1 SN
S
Error recovery by retrying execution of failed subservice
Industry Day Paris 100907
Service decomposition faults in execution flow
hellip
SS1 SS2 SS3 SSN-1 SN
S
Error recovery by rollback
Industry Day Paris 100907
Service decomposition faults in execution flow
hellip
SS1 SS2 SS3 SSN-1 SN
S
Service failure
Success
Unrecoverable errorAbort service execution
Industry Day Paris 100907
Convergence of error recovery
hellip
SS1 SS2 SS3 SSN-1 SN
S
Error recovery by retrying infinite retry
Industry Day Paris 100907
Convergence of error recovery
hellip
SS1 SS2 SS3 SSN-1 SN
S
Error recovery by rollback domino effect
We introduce Maximal Service Response Time (Max_SRT)New event Time decrements the execution time left
Industry Day Paris 100907
Abort of service due to timeout
hellip
SS1 SS2 SS3 SSN-1 SN
S
Execution_time gtMax_SRT
Industry Day Paris 100907
Service Distribution (B Model)
Service Distribution phase of Lyra corresponds to one or several B refinements
Refinement steps introduce separate B components modelling external service components
All new B components are specified according to the same (ACC) pattern
Industry Day Paris 100907
Proposed approach establishes a basis for automating service-oriented development of fault tolerant communicating systems
Formal verification will be hidden behind UML facade (hence smooth integration into existing development process)
LLaibinis E Troubitsyna S Leppaumlnen J Lilius and Q Malik Formal Service-Oriented Development of Fault Tolerant Communicating Systems In M Butler C Jones A Romanovsky and E Troubitsyna (Eds) Rigorous Development of Complex Fault-Tolerant Systems LNCS 41572006
Industry Day Paris 100907
Fault tolerance in open systems challenges openness of the multi-agent systems
mobility and autonomy of agents
asynchrony and anonymity of the communication
complex types of faults temporal loss of connectivity mismatching interfaces
Industry Day Paris 100907
Interoperability of agents
Formal specification of middleware for mobile location-based systems
Location is abstraction of context
System approach start from specification of location and agents together and arrive at the specification of entire middleware
Decompose into part to be implemented by location and by agents
Individual agents can be developed independently but preserve ldquostandardrdquo part
Industry Day Paris 100907
Abstract specification
Implicit modelling of normal termination
and failure
Industry Day Paris 100907
Handling agent failure
Refining Disengage
1048708Agent can complete its activity and disengage
1048708Agent activity can be terminated by a (detectable) crash
1048708Agent can silently crash (eg disconnect or become slow)
Industry Day Paris 100907
Compatibility on functional levelbullScopes partition coordination space
bullEach scope supports certain set of roles ndash abstraction of agent functionality
bullFormal definition of scope properties
bullCompatibility on the level of agent functionality
Industry Day Paris 100907
System approach in MAS Ensuring interoperability of the independently developed agents and
supporting this by top-down stepwise development methods
Identifying and verifying system properties that express specific fault tolerance and mobility-related characteristics
Formal specifications in B provide input to model checking of dynamic properties
LLaibinis ETroubitsyna AIliasov and ARomanovsky Rigorous Development of Fault-Tolerant Agent Systems In M Butler C Jones A Romanovsky and E Troubitsyna (Eds) Rigorous Development of Complex Fault-Tolerant Systems LNCS 41572006
AIliasov VKhomenko MKoutny ARomanovsky On Specification and Verification of Location-Based Fault Tolerant Mobile Systems In M Butler C Jones A Romanovsky and E Troubitsyna (Eds) Rigorous Development of Complex Fault-Tolerant Systems LNCS 41572006
Industry Day Paris 100907
Fault tolerant transactions in replicated database systems DYadav MButler Rigorous design of Fault Tolerant Transations for replicated
database systems using Event B In M Butler C Jones A Romanovsky and E Troubitsyna (Eds) Rigorous Development of Complex Fault-Tolerant Systems LNCS 41572006
Replication improves availability of distributed database systems
when the transaction workload is predominantly read only
Keeping replicas identical during updates is difficult due to site failures and conflicting transactions
One Copy Serializability criterionInterleaved execution of transactions in replicas should be equivalent to serial execution of those transactions on one copy of database
Industry Day Paris 100907
Approach
Verify through refinement that design of replicated database satisfies One Copy Serializability criterion
Abstract Model is based on Single Copy Database
Refinement is based on Replicated Database
Gluing Invariants discovered by B Tools defines relationship among abstract single copy database and replicated database
The gluing invariants provides an deeper understanding of system and facilitates further development of more complex replica control mechanism
Industry Day Paris 100907
Other topics in RODIN methodology Extension of Event B language by J-R Abrial
Library of case studies in J-R Abrial book
Extension of Event B to represent records by NEvans and MButler
Model checking of mobile fault tolerant systems by MKoutny et al
Methods for rigorous development of generic requirements patterns by CSnook MPoppleton and IJohnson
Formalization of UML in B by CSnook MButler MWalden
Design of various exception handling approaches by AIliasov and ARomanovsky
Industry Day Paris 100907
12
Service
Service Specification
SubserviceSC SubserviceSC SubserviceSC
Service Decomposition
Service Distribution
Service Implementation
Lyra Design Method
Service decompositionthe abstract model is decomposed into a set of service components and interfaces between them
Industry Day Paris 100907
13
Service
Service Specification
SubserviceSC SubserviceSC SubserviceSC
Service Decomposition
Service Distribution
Service Implementation
Lyra Design Method
Service distribution the logical architecture of services is distributed over a given network
Industry Day Paris 100907
14
Service
Service Specification
SubserviceSC SubserviceSC SubserviceSC
Service Decomposition
Service Distribution
Service Implementation
Lyra Design Method
Service implementation low-level implementation details are added and platform specific code is generated
Industry Day Paris 100907
Formalizing Lyra Service component is a coherent piece of functionality that
provides its services to a service consumer via PSAP
Formalized as ACC ndash Abstract Communicating Component consisting of
ldquokernelrdquo ie the provided functionality ldquocommunication wrapperrdquo ie the communication channels via which data are supplied to and consumed from the component
SYSTEM ACChellipEVENTS communicational
input output functional calculate
ENDNot only success but also
service failure
Industry Day Paris 100907
Service Decomposition Phase
hellip
SS1 SS2 SS3 SSN-1 SN
S
To provide service S system should execute subservices SS1SSN
In B model decomposition is represented as refinement of the initial abstract pattern ACC
New event Service_Director orchistrates execution flow
Industry Day Paris 100907
Service decomposition faults in execution flow
hellip
SS1 SS2 SS3 SSN-1 SN
S
Error recovery by retrying execution of failed subservice
Industry Day Paris 100907
Service decomposition faults in execution flow
hellip
SS1 SS2 SS3 SSN-1 SN
S
Error recovery by rollback
Industry Day Paris 100907
Service decomposition faults in execution flow
hellip
SS1 SS2 SS3 SSN-1 SN
S
Service failure
Success
Unrecoverable errorAbort service execution
Industry Day Paris 100907
Convergence of error recovery
hellip
SS1 SS2 SS3 SSN-1 SN
S
Error recovery by retrying infinite retry
Industry Day Paris 100907
Convergence of error recovery
hellip
SS1 SS2 SS3 SSN-1 SN
S
Error recovery by rollback domino effect
We introduce Maximal Service Response Time (Max_SRT)New event Time decrements the execution time left
Industry Day Paris 100907
Abort of service due to timeout
hellip
SS1 SS2 SS3 SSN-1 SN
S
Execution_time gtMax_SRT
Industry Day Paris 100907
Service Distribution (B Model)
Service Distribution phase of Lyra corresponds to one or several B refinements
Refinement steps introduce separate B components modelling external service components
All new B components are specified according to the same (ACC) pattern
Industry Day Paris 100907
Proposed approach establishes a basis for automating service-oriented development of fault tolerant communicating systems
Formal verification will be hidden behind UML facade (hence smooth integration into existing development process)
LLaibinis E Troubitsyna S Leppaumlnen J Lilius and Q Malik Formal Service-Oriented Development of Fault Tolerant Communicating Systems In M Butler C Jones A Romanovsky and E Troubitsyna (Eds) Rigorous Development of Complex Fault-Tolerant Systems LNCS 41572006
Industry Day Paris 100907
Fault tolerance in open systems challenges openness of the multi-agent systems
mobility and autonomy of agents
asynchrony and anonymity of the communication
complex types of faults temporal loss of connectivity mismatching interfaces
Industry Day Paris 100907
Interoperability of agents
Formal specification of middleware for mobile location-based systems
Location is abstraction of context
System approach start from specification of location and agents together and arrive at the specification of entire middleware
Decompose into part to be implemented by location and by agents
Individual agents can be developed independently but preserve ldquostandardrdquo part
Industry Day Paris 100907
Abstract specification
Implicit modelling of normal termination
and failure
Industry Day Paris 100907
Handling agent failure
Refining Disengage
1048708Agent can complete its activity and disengage
1048708Agent activity can be terminated by a (detectable) crash
1048708Agent can silently crash (eg disconnect or become slow)
Industry Day Paris 100907
Compatibility on functional levelbullScopes partition coordination space
bullEach scope supports certain set of roles ndash abstraction of agent functionality
bullFormal definition of scope properties
bullCompatibility on the level of agent functionality
Industry Day Paris 100907
System approach in MAS Ensuring interoperability of the independently developed agents and
supporting this by top-down stepwise development methods
Identifying and verifying system properties that express specific fault tolerance and mobility-related characteristics
Formal specifications in B provide input to model checking of dynamic properties
LLaibinis ETroubitsyna AIliasov and ARomanovsky Rigorous Development of Fault-Tolerant Agent Systems In M Butler C Jones A Romanovsky and E Troubitsyna (Eds) Rigorous Development of Complex Fault-Tolerant Systems LNCS 41572006
AIliasov VKhomenko MKoutny ARomanovsky On Specification and Verification of Location-Based Fault Tolerant Mobile Systems In M Butler C Jones A Romanovsky and E Troubitsyna (Eds) Rigorous Development of Complex Fault-Tolerant Systems LNCS 41572006
Industry Day Paris 100907
Fault tolerant transactions in replicated database systems DYadav MButler Rigorous design of Fault Tolerant Transations for replicated
database systems using Event B In M Butler C Jones A Romanovsky and E Troubitsyna (Eds) Rigorous Development of Complex Fault-Tolerant Systems LNCS 41572006
Replication improves availability of distributed database systems
when the transaction workload is predominantly read only
Keeping replicas identical during updates is difficult due to site failures and conflicting transactions
One Copy Serializability criterionInterleaved execution of transactions in replicas should be equivalent to serial execution of those transactions on one copy of database
Industry Day Paris 100907
Approach
Verify through refinement that design of replicated database satisfies One Copy Serializability criterion
Abstract Model is based on Single Copy Database
Refinement is based on Replicated Database
Gluing Invariants discovered by B Tools defines relationship among abstract single copy database and replicated database
The gluing invariants provides an deeper understanding of system and facilitates further development of more complex replica control mechanism
Industry Day Paris 100907
Other topics in RODIN methodology Extension of Event B language by J-R Abrial
Library of case studies in J-R Abrial book
Extension of Event B to represent records by NEvans and MButler
Model checking of mobile fault tolerant systems by MKoutny et al
Methods for rigorous development of generic requirements patterns by CSnook MPoppleton and IJohnson
Formalization of UML in B by CSnook MButler MWalden
Design of various exception handling approaches by AIliasov and ARomanovsky
Industry Day Paris 100907
13
Service
Service Specification
SubserviceSC SubserviceSC SubserviceSC
Service Decomposition
Service Distribution
Service Implementation
Lyra Design Method
Service distribution the logical architecture of services is distributed over a given network
Industry Day Paris 100907
14
Service
Service Specification
SubserviceSC SubserviceSC SubserviceSC
Service Decomposition
Service Distribution
Service Implementation
Lyra Design Method
Service implementation low-level implementation details are added and platform specific code is generated
Industry Day Paris 100907
Formalizing Lyra Service component is a coherent piece of functionality that
provides its services to a service consumer via PSAP
Formalized as ACC ndash Abstract Communicating Component consisting of
ldquokernelrdquo ie the provided functionality ldquocommunication wrapperrdquo ie the communication channels via which data are supplied to and consumed from the component
SYSTEM ACChellipEVENTS communicational
input output functional calculate
ENDNot only success but also
service failure
Industry Day Paris 100907
Service Decomposition Phase
hellip
SS1 SS2 SS3 SSN-1 SN
S
To provide service S system should execute subservices SS1SSN
In B model decomposition is represented as refinement of the initial abstract pattern ACC
New event Service_Director orchistrates execution flow
Industry Day Paris 100907
Service decomposition faults in execution flow
hellip
SS1 SS2 SS3 SSN-1 SN
S
Error recovery by retrying execution of failed subservice
Industry Day Paris 100907
Service decomposition faults in execution flow
hellip
SS1 SS2 SS3 SSN-1 SN
S
Error recovery by rollback
Industry Day Paris 100907
Service decomposition faults in execution flow
hellip
SS1 SS2 SS3 SSN-1 SN
S
Service failure
Success
Unrecoverable errorAbort service execution
Industry Day Paris 100907
Convergence of error recovery
hellip
SS1 SS2 SS3 SSN-1 SN
S
Error recovery by retrying infinite retry
Industry Day Paris 100907
Convergence of error recovery
hellip
SS1 SS2 SS3 SSN-1 SN
S
Error recovery by rollback domino effect
We introduce Maximal Service Response Time (Max_SRT)New event Time decrements the execution time left
Industry Day Paris 100907
Abort of service due to timeout
hellip
SS1 SS2 SS3 SSN-1 SN
S
Execution_time gtMax_SRT
Industry Day Paris 100907
Service Distribution (B Model)
Service Distribution phase of Lyra corresponds to one or several B refinements
Refinement steps introduce separate B components modelling external service components
All new B components are specified according to the same (ACC) pattern
Industry Day Paris 100907
Proposed approach establishes a basis for automating service-oriented development of fault tolerant communicating systems
Formal verification will be hidden behind UML facade (hence smooth integration into existing development process)
LLaibinis E Troubitsyna S Leppaumlnen J Lilius and Q Malik Formal Service-Oriented Development of Fault Tolerant Communicating Systems In M Butler C Jones A Romanovsky and E Troubitsyna (Eds) Rigorous Development of Complex Fault-Tolerant Systems LNCS 41572006
Industry Day Paris 100907
Fault tolerance in open systems challenges openness of the multi-agent systems
mobility and autonomy of agents
asynchrony and anonymity of the communication
complex types of faults temporal loss of connectivity mismatching interfaces
Industry Day Paris 100907
Interoperability of agents
Formal specification of middleware for mobile location-based systems
Location is abstraction of context
System approach start from specification of location and agents together and arrive at the specification of entire middleware
Decompose into part to be implemented by location and by agents
Individual agents can be developed independently but preserve ldquostandardrdquo part
Industry Day Paris 100907
Abstract specification
Implicit modelling of normal termination
and failure
Industry Day Paris 100907
Handling agent failure
Refining Disengage
1048708Agent can complete its activity and disengage
1048708Agent activity can be terminated by a (detectable) crash
1048708Agent can silently crash (eg disconnect or become slow)
Industry Day Paris 100907
Compatibility on functional levelbullScopes partition coordination space
bullEach scope supports certain set of roles ndash abstraction of agent functionality
bullFormal definition of scope properties
bullCompatibility on the level of agent functionality
Industry Day Paris 100907
System approach in MAS Ensuring interoperability of the independently developed agents and
supporting this by top-down stepwise development methods
Identifying and verifying system properties that express specific fault tolerance and mobility-related characteristics
Formal specifications in B provide input to model checking of dynamic properties
LLaibinis ETroubitsyna AIliasov and ARomanovsky Rigorous Development of Fault-Tolerant Agent Systems In M Butler C Jones A Romanovsky and E Troubitsyna (Eds) Rigorous Development of Complex Fault-Tolerant Systems LNCS 41572006
AIliasov VKhomenko MKoutny ARomanovsky On Specification and Verification of Location-Based Fault Tolerant Mobile Systems In M Butler C Jones A Romanovsky and E Troubitsyna (Eds) Rigorous Development of Complex Fault-Tolerant Systems LNCS 41572006
Industry Day Paris 100907
Fault tolerant transactions in replicated database systems DYadav MButler Rigorous design of Fault Tolerant Transations for replicated
database systems using Event B In M Butler C Jones A Romanovsky and E Troubitsyna (Eds) Rigorous Development of Complex Fault-Tolerant Systems LNCS 41572006
Replication improves availability of distributed database systems
when the transaction workload is predominantly read only
Keeping replicas identical during updates is difficult due to site failures and conflicting transactions
One Copy Serializability criterionInterleaved execution of transactions in replicas should be equivalent to serial execution of those transactions on one copy of database
Industry Day Paris 100907
Approach
Verify through refinement that design of replicated database satisfies One Copy Serializability criterion
Abstract Model is based on Single Copy Database
Refinement is based on Replicated Database
Gluing Invariants discovered by B Tools defines relationship among abstract single copy database and replicated database
The gluing invariants provides an deeper understanding of system and facilitates further development of more complex replica control mechanism
Industry Day Paris 100907
Other topics in RODIN methodology Extension of Event B language by J-R Abrial
Library of case studies in J-R Abrial book
Extension of Event B to represent records by NEvans and MButler
Model checking of mobile fault tolerant systems by MKoutny et al
Methods for rigorous development of generic requirements patterns by CSnook MPoppleton and IJohnson
Formalization of UML in B by CSnook MButler MWalden
Design of various exception handling approaches by AIliasov and ARomanovsky
Industry Day Paris 100907
14
Service
Service Specification
SubserviceSC SubserviceSC SubserviceSC
Service Decomposition
Service Distribution
Service Implementation
Lyra Design Method
Service implementation low-level implementation details are added and platform specific code is generated
Industry Day Paris 100907
Formalizing Lyra Service component is a coherent piece of functionality that
provides its services to a service consumer via PSAP
Formalized as ACC ndash Abstract Communicating Component consisting of
ldquokernelrdquo ie the provided functionality ldquocommunication wrapperrdquo ie the communication channels via which data are supplied to and consumed from the component
SYSTEM ACChellipEVENTS communicational
input output functional calculate
ENDNot only success but also
service failure
Industry Day Paris 100907
Service Decomposition Phase
hellip
SS1 SS2 SS3 SSN-1 SN
S
To provide service S system should execute subservices SS1SSN
In B model decomposition is represented as refinement of the initial abstract pattern ACC
New event Service_Director orchistrates execution flow
Industry Day Paris 100907
Service decomposition faults in execution flow
hellip
SS1 SS2 SS3 SSN-1 SN
S
Error recovery by retrying execution of failed subservice
Industry Day Paris 100907
Service decomposition faults in execution flow
hellip
SS1 SS2 SS3 SSN-1 SN
S
Error recovery by rollback
Industry Day Paris 100907
Service decomposition faults in execution flow
hellip
SS1 SS2 SS3 SSN-1 SN
S
Service failure
Success
Unrecoverable errorAbort service execution
Industry Day Paris 100907
Convergence of error recovery
hellip
SS1 SS2 SS3 SSN-1 SN
S
Error recovery by retrying infinite retry
Industry Day Paris 100907
Convergence of error recovery
hellip
SS1 SS2 SS3 SSN-1 SN
S
Error recovery by rollback domino effect
We introduce Maximal Service Response Time (Max_SRT)New event Time decrements the execution time left
Industry Day Paris 100907
Abort of service due to timeout
hellip
SS1 SS2 SS3 SSN-1 SN
S
Execution_time gtMax_SRT
Industry Day Paris 100907
Service Distribution (B Model)
Service Distribution phase of Lyra corresponds to one or several B refinements
Refinement steps introduce separate B components modelling external service components
All new B components are specified according to the same (ACC) pattern
Industry Day Paris 100907
The proposed approach establishes a basis for automating the service-oriented development of fault tolerant communicating systems
Formal verification will be hidden behind a UML facade (hence smooth integration into the existing development process)
L. Laibinis, E. Troubitsyna, S. Leppänen, J. Lilius and Q. Malik: Formal Service-Oriented Development of Fault Tolerant Communicating Systems. In M. Butler, C. Jones, A. Romanovsky and E. Troubitsyna (Eds.), Rigorous Development of Complex Fault-Tolerant Systems, LNCS 4157, 2006.

Fault tolerance in open systems: challenges
• openness of multi-agent systems
• mobility and autonomy of agents
• asynchrony and anonymity of the communication
• complex types of faults: temporary loss of connectivity, mismatching interfaces

Interoperability of agents
Formal specification of middleware for mobile location-based systems
Location is an abstraction of context
System approach: start from a specification of location and agents together and arrive at the specification of the entire middleware
Decompose into the part to be implemented by the location and the part to be implemented by agents
Individual agents can be developed independently but must preserve the "standard" part

Abstract specification
Implicit modelling of normal termination and failure

Handling agent failure: refining Disengage
• Agent can complete its activity and disengage
• Agent activity can be terminated by a (detectable) crash
• Agent can silently crash (e.g. disconnect or become slow)

Compatibility on functional level
• Scopes partition the coordination space
• Each scope supports a certain set of roles – an abstraction of agent functionality
• Formal definition of scope properties
• Compatibility on the level of agent functionality

System approach in MAS
Ensuring interoperability of independently developed agents and supporting this by top-down stepwise development methods
Identifying and verifying system properties that express specific fault tolerance and mobility-related characteristics
Formal specifications in B provide input to model checking of dynamic properties
L. Laibinis, E. Troubitsyna, A. Iliasov and A. Romanovsky: Rigorous Development of Fault-Tolerant Agent Systems. In M. Butler, C. Jones, A. Romanovsky and E. Troubitsyna (Eds.), Rigorous Development of Complex Fault-Tolerant Systems, LNCS 4157, 2006.
A. Iliasov, V. Khomenko, M. Koutny and A. Romanovsky: On Specification and Verification of Location-Based Fault Tolerant Mobile Systems. In M. Butler, C. Jones, A. Romanovsky and E. Troubitsyna (Eds.), Rigorous Development of Complex Fault-Tolerant Systems, LNCS 4157, 2006.

Fault tolerant transactions in replicated database systems
D. Yadav and M. Butler: Rigorous Design of Fault Tolerant Transactions for Replicated Database Systems Using Event B. In M. Butler, C. Jones, A. Romanovsky and E. Troubitsyna (Eds.), Rigorous Development of Complex Fault-Tolerant Systems, LNCS 4157, 2006.
Replication improves the availability of distributed database systems when the transaction workload is predominantly read-only
Keeping replicas identical during updates is difficult due to site failures and conflicting transactions
One Copy Serializability criterion: the interleaved execution of transactions on the replicas should be equivalent to a serial execution of those transactions on one copy of the database

Approach
Verify through refinement that the design of the replicated database satisfies the One Copy Serializability criterion
The abstract model is based on a single-copy database
The refinement is based on the replicated database
Gluing invariants, discovered with the B tools, define the relationship between the abstract single-copy database and the replicated database
The gluing invariants provide a deeper understanding of the system and facilitate the further development of more complex replica control mechanisms

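The refinement argument of the last two slides, as an added Python check that is not part of the talk or of the Yadav and Butler Event-B development: an abstract single-copy database, a replicated refinement with per-site copies and a coordinator, and a gluing invariant evaluated after every event of an interleaved schedule with conflicting transactions and a site failure; the model, the schedules and the deliberately faulty `eager` variant are constructed.

```python
"""One Copy Serializability as a refinement check: an abstract single-copy
database, a replicated refinement, and a gluing invariant relating them that
is evaluated after every event of an interleaved schedule.  Added example;
the model, schedules and the faulty `eager` variant are constructed and are
not the Event-B development of Yadav and Butler."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Txn = Dict[str, int]   # write set of a transaction: variable -> new value

@dataclass
class AbstractDB:
    """Abstract model: a single copy on which transactions commit atomically."""
    db: Dict[str, int]
    committed: List[str] = field(default_factory=list)

    def commit(self, tid: str, writes: Txn) -> None:
        self.db.update(writes)
        self.committed.append(tid)

@dataclass
class ReplicatedDB:
    """Refinement: one copy per site.  The coordinator commits a transaction only
    when every active site has voted ready, applying its writes to all active
    sites in that one event.  eager=True is a constructed faulty design in which
    a site applies the writes as soon as it votes, i.e. before commit."""
    sites: Dict[str, Dict[str, int]]
    eager: bool = False
    active: Set[str] = field(init=False)
    pending: Dict[str, Txn] = field(default_factory=dict)
    votes: Dict[str, Set[str]] = field(default_factory=dict)
    committed: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        self.active = set(self.sites)

    def start(self, tid: str, writes: Txn) -> None:
        self.pending[tid] = dict(writes)
        self.votes[tid] = set()

    def ready(self, tid: str, site: str) -> None:
        self.votes[tid].add(site)
        if self.eager:                       # faulty: update visible before commit
            self.sites[site].update(self.pending[tid])

    def commit(self, tid: str) -> None:
        assert self.active <= self.votes[tid], "some active site has not voted"
        for site in self.active:
            self.sites[site].update(self.pending[tid])
        self.committed.append(tid)
        del self.pending[tid], self.votes[tid]

    def fail(self, site: str) -> None:
        self.active.discard(site)            # a crashed site leaves the group
        for voters in self.votes.values():
            voters.discard(site)

    def abort(self, tid: str) -> None:
        del self.pending[tid], self.votes[tid]

def gluing_invariant(abstract: AbstractDB, concrete: ReplicatedDB) -> bool:
    """Same commit history, and every active replica holds exactly the
    single-copy state: the replicas behave as one copy."""
    return (concrete.committed == abstract.committed
            and all(concrete.sites[s] == abstract.db for s in concrete.active))

def serial_state(initial: Dict[str, int], txns: List[Txn]) -> Dict[str, int]:
    """Reference result of running the transactions serially on one copy."""
    return {**initial, **{k: v for t in txns for k, v in t.items()}}

# Constructed conflicting transactions (both write x), initial state and sites.
T1: Txn = {"x": 1}
T2: Txn = {"x": 2, "y": 2}
INITIAL = {"x": 0, "y": 0}
SITES = ["A", "B", "C"]
# Interleaved votes for T1 and T2 on three replicas; both commit.
SCHEDULE_COMMIT_BOTH: List[Tuple] = [
    ("start", "T1", T1), ("start", "T2", T2), ("ready", "T1", "A"),
    ("ready", "T2", "B"), ("ready", "T1", "B"), ("ready", "T2", "A"),
    ("ready", "T1", "C"), ("commit", "T1"), ("ready", "T2", "C"), ("commit", "T2"),
]
# Site C crashes while T2 is still collecting votes; the coordinator aborts T2.
SCHEDULE_SITE_FAILURE: List[Tuple] = [
    ("start", "T1", T1), ("start", "T2", T2), ("ready", "T1", "A"), ("ready", "T1", "B"),
    ("ready", "T1", "C"), ("commit", "T1"), ("ready", "T2", "A"), ("fail", "C"), ("abort", "T2"),
]

def run(schedule: List[Tuple], eager: bool = False):
    """Run a schedule on the replicated model, mirroring each commit on the
    abstract model; returns both models and the events violating the invariant."""
    abstract = AbstractDB(dict(INITIAL))
    concrete = ReplicatedDB({s: dict(INITIAL) for s in SITES}, eager)
    violations: List[Tuple] = []
    for ev in schedule:
        kind, *args = ev
        if kind == "commit":                  # refines the abstract commit event
            writes = concrete.pending[args[0]]
            concrete.commit(args[0])
            abstract.commit(args[0], writes)
        else:                                 # start/ready/fail/abort refine skip
            getattr(concrete, kind)(*args)
        if not gluing_invariant(abstract, concrete):
            violations.append(ev)
    return abstract, concrete, violations
```

With the correct design the invariant survives both schedules and the final state equals the serial execution T1;T2 on one copy; with `eager=True` it is broken at the very first `ready` event, which is exactly the kind of design flaw the gluing invariant is meant to expose during refinement.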
Other topics in RODIN methodology
• Extension of the Event B language by J.-R. Abrial
• Library of case studies in J.-R. Abrial's book
• Extension of Event B to represent records by N. Evans and M. Butler
• Model checking of mobile fault tolerant systems by M. Koutny et al.
• Methods for rigorous development of generic requirements patterns by C. Snook, M. Poppleton and I. Johnson
• Formalization of UML in B by C. Snook, M. Butler and M. Waldén
• Design of various exception handling approaches by A. Iliasov and A. Romanovsky

Service decomposition faults in execution flow
hellip
SS1 SS2 SS3 SSN-1 SN
S
Service failure
Success
Unrecoverable errorAbort service execution
Industry Day Paris 100907
Convergence of error recovery
hellip
SS1 SS2 SS3 SSN-1 SN
S
Error recovery by retrying infinite retry
Industry Day Paris 100907
Convergence of error recovery
hellip
SS1 SS2 SS3 SSN-1 SN
S
Error recovery by rollback domino effect
We introduce Maximal Service Response Time (Max_SRT)New event Time decrements the execution time left
Industry Day Paris 100907
Abort of service due to timeout
hellip
SS1 SS2 SS3 SSN-1 SN
S
Execution_time gtMax_SRT
Industry Day Paris 100907
Service Distribution (B Model)
Service Distribution phase of Lyra corresponds to one or several B refinements
Refinement steps introduce separate B components modelling external service components
All new B components are specified according to the same (ACC) pattern
Industry Day Paris 100907
Proposed approach establishes a basis for automating service-oriented development of fault tolerant communicating systems
Formal verification will be hidden behind UML facade (hence smooth integration into existing development process)
LLaibinis E Troubitsyna S Leppaumlnen J Lilius and Q Malik Formal Service-Oriented Development of Fault Tolerant Communicating Systems In M Butler C Jones A Romanovsky and E Troubitsyna (Eds) Rigorous Development of Complex Fault-Tolerant Systems LNCS 41572006
Industry Day Paris 100907
Fault tolerance in open systems challenges openness of the multi-agent systems
mobility and autonomy of agents
asynchrony and anonymity of the communication
complex types of faults temporal loss of connectivity mismatching interfaces
Industry Day Paris 100907
Interoperability of agents
Formal specification of middleware for mobile location-based systems
Location is abstraction of context
System approach start from specification of location and agents together and arrive at the specification of entire middleware
Decompose into part to be implemented by location and by agents
Individual agents can be developed independently but preserve ldquostandardrdquo part
Industry Day Paris 100907
Abstract specification
Implicit modelling of normal termination
and failure
Industry Day Paris 100907
Handling agent failure
Refining Disengage
1048708Agent can complete its activity and disengage
1048708Agent activity can be terminated by a (detectable) crash
1048708Agent can silently crash (eg disconnect or become slow)
Industry Day Paris 100907
Compatibility on functional levelbullScopes partition coordination space
bullEach scope supports certain set of roles ndash abstraction of agent functionality
bullFormal definition of scope properties
bullCompatibility on the level of agent functionality
Industry Day Paris 100907
System approach in MAS Ensuring interoperability of the independently developed agents and
supporting this by top-down stepwise development methods
Identifying and verifying system properties that express specific fault tolerance and mobility-related characteristics
Formal specifications in B provide input to model checking of dynamic properties
LLaibinis ETroubitsyna AIliasov and ARomanovsky Rigorous Development of Fault-Tolerant Agent Systems In M Butler C Jones A Romanovsky and E Troubitsyna (Eds) Rigorous Development of Complex Fault-Tolerant Systems LNCS 41572006
AIliasov VKhomenko MKoutny ARomanovsky On Specification and Verification of Location-Based Fault Tolerant Mobile Systems In M Butler C Jones A Romanovsky and E Troubitsyna (Eds) Rigorous Development of Complex Fault-Tolerant Systems LNCS 41572006
Industry Day Paris 100907
Fault tolerant transactions in replicated database systems
D. Yadav, M. Butler. Rigorous design of Fault Tolerant Transactions for replicated database systems using Event B. In M. Butler, C. Jones, A. Romanovsky and E. Troubitsyna (Eds), Rigorous Development of Complex Fault-Tolerant Systems, LNCS 4157, 2006
Replication improves the availability of distributed database systems when the transaction workload is predominantly read-only
Keeping replicas identical during updates is difficult because of site failures and conflicting transactions
One-Copy Serializability criterion: the interleaved execution of transactions on the replicas should be equivalent to a serial execution of those transactions on one copy of the database
Approach
Verify through refinement that the design of the replicated database satisfies the One-Copy Serializability criterion
The abstract model is a single-copy database
The refinement is the replicated database
Gluing invariants, discovered with the B tools, define the relationship between the abstract single-copy database and the replicated database
The gluing invariants give a deeper understanding of the system and facilitate further development of more complex replica control mechanisms
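The abstract/refinement/gluing-invariant structure described on the two slides above, as an added runnable sketch in Python. This is not the Event-B model of Yadav and Butler: the replica-control protocol (write-all-available with per-object write locks, abort of in-flight updates when a participant site fails, state copy on recovery), the class and method names, and the transactions and sites are all assumptions constructed for the example. The gluing invariant that the B tools discharge as a proof obligation is checked here at run time after each step instead.

```python
"""Abstract single-copy database and its replicated refinement, with a
runtime check of the gluing invariant linking the two.

Added illustration; not the Yadav/Butler Event-B model. The protocol,
names, transactions and sites below are assumptions for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class Txn:
    tid: str
    writes: Dict[str, int]        # object -> new value; empty for a read-only txn


class SingleCopyDB:
    """Abstract model: one copy, each commit applied atomically, so the commit
    order is by construction a serial execution."""

    def __init__(self, init: Dict[str, int]):
        self.data = dict(init)
        self.history: List[str] = []

    def commit(self, t: Txn) -> None:
        self.data.update(t.writes)
        self.history.append(t.tid)


class ReplicatedDB:
    """Refinement: one replica per site; sites may fail and recover."""

    def __init__(self, sites: List[str], init: Dict[str, int]):
        self.replicas = {s: dict(init) for s in sites}
        self.up: Set[str] = set(sites)
        self.locks: Dict[str, str] = {}                     # object -> tid holding it
        self.pending: Dict[str, Tuple[Txn, Set[str]]] = {}  # tid -> (txn, participants)
        self.committed: List[str] = []
        self.aborted: List[str] = []

    def begin_update(self, t: Txn) -> bool:
        """Prepare t on all available sites; a write/write conflict with an
        in-flight transaction aborts t at once (assumed conflict rule)."""
        if any(obj in self.locks for obj in t.writes):
            self.aborted.append(t.tid)
            return False
        for obj in t.writes:
            self.locks[obj] = t.tid
        self.pending[t.tid] = (t, set(self.up))
        return True

    def commit(self, tid: str) -> bool:
        """Apply the writes to every available replica in one step."""
        if tid not in self.pending:
            return False
        t, _ = self.pending.pop(tid)
        for site in self.up:
            self.replicas[site].update(t.writes)
        for obj in t.writes:
            self.locks.pop(obj, None)
        self.committed.append(tid)
        return True

    def site_fails(self, site: str) -> List[str]:
        """A participant failure aborts every update it was prepared for, at
        all sites, so no replica ever sees a partial update."""
        self.up.discard(site)
        victims = [tid for tid, (_, parts) in self.pending.items() if site in parts]
        for tid in victims:
            t, _ = self.pending.pop(tid)
            for obj in t.writes:
                self.locks.pop(obj, None)
            self.aborted.append(tid)
        return victims

    def site_recovers(self, site: str) -> None:
        """Bring a stale replica back by copying a live one (assumed recovery)."""
        self.replicas[site] = dict(self.replicas[sorted(self.up)[0]])
        self.up.add(site)

    def read(self, obj: str) -> int:
        """Read-only transactions read any one available replica."""
        return self.replicas[sorted(self.up)[0]][obj]


def gluing_invariant(abstract: SingleCopyDB, concrete: ReplicatedDB) -> bool:
    """Every available replica equals the single copy, and the replicated
    commit sequence is the abstract serial history: for this protocol that is
    the one-copy serializability condition."""
    return (all(concrete.replicas[s] == abstract.data for s in concrete.up)
            and concrete.committed == abstract.history)


def run_scenario() -> Tuple[SingleCopyDB, ReplicatedDB, bool]:
    """Constructed run: a conflict, a site failure during an update, recovery.
    Returns both models and whether the invariant held after every step."""
    init = {"x": 0, "y": 0}
    abstract, concrete = SingleCopyDB(init), ReplicatedDB(["A", "B", "C"], init)
    held = True

    def step() -> None:
        nonlocal held
        held = held and gluing_invariant(abstract, concrete)

    t1, t2, t3, t4 = (Txn("T1", {"x": 1}), Txn("T2", {"y": 2}),
                      Txn("T3", {"y": 3}), Txn("T4", {"y": 4}))
    concrete.begin_update(t1)
    if concrete.commit("T1"):
        abstract.commit(t1)             # the abstract event fires with its refinement
    step()
    concrete.begin_update(t2)           # in flight on A, B, C
    concrete.begin_update(t3)           # write/write conflict on y -> T3 aborted
    concrete.site_fails("B")            # B was a participant of T2 -> T2 aborted
    step()
    concrete.begin_update(t4)           # participants A, C only
    if concrete.commit("T4"):
        abstract.commit(t4)
    step()                              # B is stale but not 'up', so not compared
    concrete.site_recovers("B")
    step()
    return abstract, concrete, held
```

Running `run_scenario()` shows the point of the gluing invariant: it is the single statement that has to survive every event (commit, conflict abort, site failure, recovery), and a replica-control change that breaks it, such as committing on only some of the available sites, is caught immediately.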
Other topics in RODIN methodology
Extension of the Event B language by J.-R. Abrial
Library of case studies in J.-R. Abrial's book
Extension of Event B to represent records by N. Evans and M. Butler
Model checking of mobile fault tolerant systems by M. Koutny et al.
Methods for rigorous development of generic requirements patterns by C. Snook, M. Poppleton and I. Johnson
Formalization of UML in B by C. Snook, M. Butler, M. Walden
Design of various exception handling approaches by A. Iliasov and A. Romanovsky
Convergence of error recovery
[Figure: service S decomposed into sub-services S1, S2, S3, ..., SN-1, SN]
Error recovery by retrying: risk of infinite retry
Convergence of error recovery
[Figure: service S decomposed into sub-services S1, S2, S3, ..., SN-1, SN]
Error recovery by rollback: risk of the domino effect
We introduce the Maximal Service Response Time (Max_SRT); a new event Time decrements the execution time left
Abort of service due to timeout
[Figure: service S decomposed into sub-services S1, S2, S3, ..., SN-1, SN]
Execution_time > Max_SRT
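The three slides above (retry that may never converge, rollback that may cascade, and abort once Max_SRT is exhausted) as an added runnable sketch in Python. It is not the Lyra/B model from the paper: the composed service is a plain sequence S1..SN, the sub-service fault schedule is constructed, and the function and constant names are assumptions. Each attempt of a sub-service is one Time event that decrements the remaining budget, so the abort guard `Execution_time > Max_SRT` from the slide is expressed as the budget reaching zero with work still pending.

```python
"""Bounded error recovery for a composed service S = S1; ...; SN.

Added illustration of the convergence problem on the slides; not the Lyra/B
model. The fault schedule is constructed and all names are assumptions.
"""
from dataclasses import dataclass, field
from typing import Iterable, List, Sequence

MAX_SRT = 12   # Maximal Service Response Time, in Time events (assumed value)

# schedule[i] lists the results of successive attempts of S(i+1); the last
# entry repeats once exhausted, so [False] is a permanent fault.
PERMANENT_FAULT = [[True], [False, False, True], [True], [False]]
TRANSIENT_FAULT = [[True], [False, False, True], [True], [False, True]]


@dataclass
class Outcome:
    status: str                  # "COMPLETED" or "ABORTED"
    elapsed: int                 # Time events consumed (the execution time)
    trace: List[str] = field(default_factory=list)


def run_service(schedule: Sequence[Sequence[bool]], max_srt: int,
                recovery: str = "retry",
                checkpoints: Iterable[int] = ()) -> Outcome:
    """Execute S1..SN in order under a time budget.

    recovery="retry" re-runs only the failed sub-service; without a bound a
    permanent fault makes this loop forever (infinite retry).
    recovery="rollback" undoes back to the nearest checkpoint at or before
    the failed step; with no checkpoint that is the start of the service,
    i.e. every completed sub-service is undone (the domino effect).
    Every attempt is one Time event: time_left decrements; hitting 0 with a
    sub-service still pending is the guard Execution_time > Max_SRT.
    """
    n = len(schedule)
    attempts = [0] * n
    time_left = max_srt
    i = 0
    trace: List[str] = []
    while i < n:
        if time_left == 0:
            trace.append(f"ABORT: execution time {max_srt} reached Max_SRT, S{i + 1} pending")
            return Outcome("ABORTED", max_srt, trace)
        results = schedule[i]
        ok = results[min(attempts[i], len(results) - 1)]
        attempts[i] += 1
        time_left -= 1                                  # the Time event
        if ok:
            trace.append(f"S{i + 1} ok")
            i += 1
        elif recovery == "retry":
            trace.append(f"S{i + 1} failed, retry")
        else:
            target = max([c for c in checkpoints if c <= i], default=0)
            trace.append(f"S{i + 1} failed, rollback to S{target + 1}")
            i = target
    return Outcome("COMPLETED", max_srt - time_left, trace)


if __name__ == "__main__":
    for name, sched, rec, cps in [("retry, permanent fault", PERMANENT_FAULT, "retry", ()),
                                  ("rollback, no checkpoint", TRANSIENT_FAULT, "rollback", ()),
                                  ("rollback, checkpoint after S2", TRANSIENT_FAULT, "rollback", (2,))]:
        out = run_service(sched, MAX_SRT, rec, cps)
        print(f"{name}: {out.status} after {out.elapsed} Time events | " + "; ".join(out.trace))
```

The bound is what makes both strategies converge: with a permanent fault in S4, retry and checkpoint-free rollback each terminate with ABORTED after exactly Max_SRT Time events, whereas with a transient fault retry completes in 7 events, checkpoint-free rollback needs all 12 because every failure re-runs S1..S3, and a checkpoint after S2 cuts that to 10.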
Service Distribution (B Model)
The Service Distribution phase of Lyra corresponds to one or several B refinements
Refinement steps introduce separate B components modelling the external service components
All new B components are specified according to the same (ACC) pattern
The proposed approach establishes a basis for automating service-oriented development of fault tolerant communicating systems
Formal verification will be hidden behind a UML facade (hence smooth integration into the existing development process)
L. Laibinis, E. Troubitsyna, S. Leppänen, J. Lilius and Q. Malik. Formal Service-Oriented Development of Fault Tolerant Communicating Systems. In M. Butler, C. Jones, A. Romanovsky and E. Troubitsyna (Eds), Rigorous Development of Complex Fault-Tolerant Systems, LNCS 4157, 2006
Fault tolerance in open systems: challenges
openness of the multi-agent systems
mobility and autonomy of agents
asynchrony and anonymity of the communication
complex types of faults: temporary loss of connectivity, mismatching interfaces
Interoperability of agents
Formal specification of middleware for mobile location-based systems
Location is an abstraction of context
System approach: start from the specification of location and agents together and arrive at the specification of the entire middleware
Decompose into the part to be implemented by the location and the part to be implemented by the agents
Individual agents can be developed independently but must preserve the "standard" part
Abstract specification
Implicit modelling of normal termination and failure
Handling agent failure
Refining Disengage:
Agent can complete its activity and disengage
Agent activity can be terminated by a (detectable) crash
Agent can silently crash (e.g. disconnect or become slow)
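The MAS slides (compatibility on the functional level, interoperability through a location whose "standard" part every agent preserves, and the refinement of Disengage into normal completion, detectable crash and silent crash) as one added runnable sketch in Python. It is not the Rodin/CAMA middleware or the B model from the papers: the lease-based detection of silent crashes, the class and method names, and the scopes and agents are assumptions constructed for this example.

```python
"""Location middleware for a scope/role multi-agent system.

Added illustration of the MAS slides; not the Rodin/CAMA middleware. The
lease-based silent-crash detection, all names, and the scopes and agents
below are assumptions for the example.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Scope:
    name: str
    roles: FrozenSet[str]      # roles the scope supports (abstraction of agent functionality)


@dataclass
class Engagement:
    scope: str
    role: str
    last_seen: int             # time of the agent's last heartbeat


class Location:
    """The 'standard' part: agents are developed independently but must go
    through the location's engage / heartbeat / disengage protocol."""

    def __init__(self, scopes: List[Scope], lease: int):
        self.scopes = {s.name: s for s in scopes}
        self.lease = lease                        # silence longer than this = silent crash
        self.engaged: Dict[str, Engagement] = {}
        self.log: List[str] = []

    def compatible(self, scope: str, role: str) -> bool:
        """Compatibility on the functional level: the scope must support the role."""
        return scope in self.scopes and role in self.scopes[scope].roles

    def engage(self, agent: str, scope: str, role: str, now: int) -> bool:
        # scopes partition the coordination space: one engagement per agent
        if agent in self.engaged or not self.compatible(scope, role):
            self.log.append(f"{agent} REJECTED {scope}/{role}")
            return False
        self.engaged[agent] = Engagement(scope, role, now)
        self.log.append(f"{agent} ENGAGED {scope}/{role}")
        return True

    def heartbeat(self, agent: str, now: int) -> None:
        if agent in self.engaged:
            self.engaged[agent].last_seen = now

    # The abstract Disengage event, refined into three concrete events:
    def disengage(self, agent: str) -> None:           # 1. normal completion
        self._leave(agent, "DISENGAGED")

    def crash_detected(self, agent: str) -> None:      # 2. detectable crash
        self._leave(agent, "CRASHED")

    def tick(self, now: int) -> List[str]:             # 3. silent crash: lease expired
        expired = [a for a, e in self.engaged.items() if now - e.last_seen > self.lease]
        for agent in expired:
            self._leave(agent, "SILENT_CRASH")
        return expired

    def _leave(self, agent: str, reason: str) -> None:
        e = self.engaged.pop(agent, None)
        if e is not None:
            self.log.append(f"{agent} {reason} {e.scope}/{e.role}")

    def invariant(self) -> bool:
        """Every engaged agent plays a role that its scope supports."""
        return all(self.compatible(e.scope, e.role) for e in self.engaged.values())


def run_scenario() -> Location:
    """Constructed run covering rejection and all three Disengage refinements."""
    loc = Location([Scope("auction", frozenset({"seller", "bidder"})),
                    Scope("chat", frozenset({"member"}))], lease=3)
    loc.engage("a1", "auction", "seller", now=0)
    loc.engage("a2", "auction", "auditor", now=0)   # unsupported role -> rejected
    loc.engage("a3", "chat", "member", now=0)
    loc.engage("a4", "auction", "bidder", now=0)
    loc.heartbeat("a1", now=2)
    loc.heartbeat("a4", now=2)
    loc.tick(now=4)             # a3 silent since t=0, 4 > lease -> silent crash
    loc.crash_detected("a4")    # e.g. the transport reports a connection reset
    loc.disengage("a1")         # normal completion
    return loc
```

The point of splitting Disengage this way is that the three refinements differ in who learns what: a normal disengage and a detected crash are explicit events, while a silent crash is only ever inferred by the location from missing heartbeats, so the lease length is a design parameter that trades detection latency against false evictions of merely slow agents.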
Compatibility on functional levelbullScopes partition coordination space
bullEach scope supports certain set of roles ndash abstraction of agent functionality
bullFormal definition of scope properties
bullCompatibility on the level of agent functionality
Industry Day Paris 100907
System approach in MAS Ensuring interoperability of the independently developed agents and
supporting this by top-down stepwise development methods
Identifying and verifying system properties that express specific fault tolerance and mobility-related characteristics
Formal specifications in B provide input to model checking of dynamic properties
LLaibinis ETroubitsyna AIliasov and ARomanovsky Rigorous Development of Fault-Tolerant Agent Systems In M Butler C Jones A Romanovsky and E Troubitsyna (Eds) Rigorous Development of Complex Fault-Tolerant Systems LNCS 41572006
AIliasov VKhomenko MKoutny ARomanovsky On Specification and Verification of Location-Based Fault Tolerant Mobile Systems In M Butler C Jones A Romanovsky and E Troubitsyna (Eds) Rigorous Development of Complex Fault-Tolerant Systems LNCS 41572006
Industry Day Paris 100907
Fault tolerant transactions in replicated database systems DYadav MButler Rigorous design of Fault Tolerant Transations for replicated
database systems using Event B In M Butler C Jones A Romanovsky and E Troubitsyna (Eds) Rigorous Development of Complex Fault-Tolerant Systems LNCS 41572006
Replication improves availability of distributed database systems
when the transaction workload is predominantly read only
Keeping replicas identical during updates is difficult due to site failures and conflicting transactions
One Copy Serializability criterionInterleaved execution of transactions in replicas should be equivalent to serial execution of those transactions on one copy of database
Industry Day Paris 100907
Approach
Verify through refinement that design of replicated database satisfies One Copy Serializability criterion
Abstract Model is based on Single Copy Database
Refinement is based on Replicated Database
Gluing Invariants discovered by B Tools defines relationship among abstract single copy database and replicated database
The gluing invariants provides an deeper understanding of system and facilitates further development of more complex replica control mechanism
Industry Day Paris 100907
Other topics in RODIN methodology Extension of Event B language by J-R Abrial
Library of case studies in J-R Abrial book
Extension of Event B to represent records by NEvans and MButler
Model checking of mobile fault tolerant systems by MKoutny et al
Methods for rigorous development of generic requirements patterns by CSnook MPoppleton and IJohnson
Formalization of UML in B by CSnook MButler MWalden
Design of various exception handling approaches by AIliasov and ARomanovsky
Industry Day Paris 100907
Convergence of error recovery
hellip
SS1 SS2 SS3 SSN-1 SN
S
Error recovery by rollback domino effect
We introduce Maximal Service Response Time (Max_SRT)New event Time decrements the execution time left
Industry Day Paris 100907
Abort of service due to timeout
hellip
SS1 SS2 SS3 SSN-1 SN
S
Execution_time gtMax_SRT
Industry Day Paris 100907
Service Distribution (B Model)
Service Distribution phase of Lyra corresponds to one or several B refinements
Refinement steps introduce separate B components modelling external service components
All new B components are specified according to the same (ACC) pattern
Industry Day Paris 100907
Proposed approach establishes a basis for automating service-oriented development of fault tolerant communicating systems
Formal verification will be hidden behind UML facade (hence smooth integration into existing development process)
LLaibinis E Troubitsyna S Leppaumlnen J Lilius and Q Malik Formal Service-Oriented Development of Fault Tolerant Communicating Systems In M Butler C Jones A Romanovsky and E Troubitsyna (Eds) Rigorous Development of Complex Fault-Tolerant Systems LNCS 41572006
Industry Day Paris 100907
Fault tolerance in open systems challenges openness of the multi-agent systems
mobility and autonomy of agents
asynchrony and anonymity of the communication
complex types of faults temporal loss of connectivity mismatching interfaces
Industry Day Paris 100907
Interoperability of agents
Formal specification of middleware for mobile location-based systems
Location is abstraction of context
System approach start from specification of location and agents together and arrive at the specification of entire middleware
Decompose into part to be implemented by location and by agents
Individual agents can be developed independently but preserve ldquostandardrdquo part
Industry Day Paris 100907
Abstract specification
Implicit modelling of normal termination
and failure
Industry Day Paris 100907
Handling agent failure
Refining Disengage
1048708Agent can complete its activity and disengage
1048708Agent activity can be terminated by a (detectable) crash
1048708Agent can silently crash (eg disconnect or become slow)
Industry Day Paris 100907
Compatibility on functional levelbullScopes partition coordination space
bullEach scope supports certain set of roles ndash abstraction of agent functionality
bullFormal definition of scope properties
bullCompatibility on the level of agent functionality
Industry Day Paris 100907
System approach in MAS Ensuring interoperability of the independently developed agents and
supporting this by top-down stepwise development methods
Identifying and verifying system properties that express specific fault tolerance and mobility-related characteristics
Formal specifications in B provide input to model checking of dynamic properties
LLaibinis ETroubitsyna AIliasov and ARomanovsky Rigorous Development of Fault-Tolerant Agent Systems In M Butler C Jones A Romanovsky and E Troubitsyna (Eds) Rigorous Development of Complex Fault-Tolerant Systems LNCS 41572006
AIliasov VKhomenko MKoutny ARomanovsky On Specification and Verification of Location-Based Fault Tolerant Mobile Systems In M Butler C Jones A Romanovsky and E Troubitsyna (Eds) Rigorous Development of Complex Fault-Tolerant Systems LNCS 41572006
Industry Day Paris 100907
Fault tolerant transactions in replicated database systems DYadav MButler Rigorous design of Fault Tolerant Transations for replicated
database systems using Event B In M Butler C Jones A Romanovsky and E Troubitsyna (Eds) Rigorous Development of Complex Fault-Tolerant Systems LNCS 41572006
Replication improves availability of distributed database systems
when the transaction workload is predominantly read only
Keeping replicas identical during updates is difficult due to site failures and conflicting transactions
One Copy Serializability criterionInterleaved execution of transactions in replicas should be equivalent to serial execution of those transactions on one copy of database
Industry Day Paris 100907
Approach
Verify through refinement that design of replicated database satisfies One Copy Serializability criterion
Abstract Model is based on Single Copy Database
Refinement is based on Replicated Database
Gluing Invariants discovered by B Tools defines relationship among abstract single copy database and replicated database
The gluing invariants provides an deeper understanding of system and facilitates further development of more complex replica control mechanism
Industry Day Paris 100907
Other topics in RODIN methodology Extension of Event B language by J-R Abrial
Library of case studies in J-R Abrial book
Extension of Event B to represent records by NEvans and MButler
Model checking of mobile fault tolerant systems by MKoutny et al
Methods for rigorous development of generic requirements patterns by CSnook MPoppleton and IJohnson
Formalization of UML in B by CSnook MButler MWalden
Design of various exception handling approaches by AIliasov and ARomanovsky
Industry Day Paris 100907
Abort of service due to timeout
hellip
SS1 SS2 SS3 SSN-1 SN
S
Execution_time gtMax_SRT
Industry Day Paris 100907
Service Distribution (B Model)
Service Distribution phase of Lyra corresponds to one or several B refinements
Refinement steps introduce separate B components modelling external service components
All new B components are specified according to the same (ACC) pattern
Industry Day Paris 100907
Proposed approach establishes a basis for automating service-oriented development of fault tolerant communicating systems
Formal verification will be hidden behind UML facade (hence smooth integration into existing development process)
LLaibinis E Troubitsyna S Leppaumlnen J Lilius and Q Malik Formal Service-Oriented Development of Fault Tolerant Communicating Systems In M Butler C Jones A Romanovsky and E Troubitsyna (Eds) Rigorous Development of Complex Fault-Tolerant Systems LNCS 41572006
Industry Day Paris 100907
Fault tolerance in open systems challenges openness of the multi-agent systems
mobility and autonomy of agents
asynchrony and anonymity of the communication
complex types of faults temporal loss of connectivity mismatching interfaces
Industry Day Paris 100907
Interoperability of agents
Formal specification of middleware for mobile location-based systems
Location is abstraction of context
System approach start from specification of location and agents together and arrive at the specification of entire middleware
Decompose into part to be implemented by location and by agents
Individual agents can be developed independently but preserve ldquostandardrdquo part
Industry Day Paris 100907
Abstract specification
Implicit modelling of normal termination
and failure
Industry Day Paris 100907
Handling agent failure
Refining Disengage
1048708Agent can complete its activity and disengage
1048708Agent activity can be terminated by a (detectable) crash
1048708Agent can silently crash (eg disconnect or become slow)
Industry Day Paris 100907
Compatibility on functional levelbullScopes partition coordination space
bullEach scope supports certain set of roles ndash abstraction of agent functionality
bullFormal definition of scope properties
bullCompatibility on the level of agent functionality
Industry Day Paris 100907
System approach in MAS Ensuring interoperability of the independently developed agents and
supporting this by top-down stepwise development methods
Identifying and verifying system properties that express specific fault tolerance and mobility-related characteristics
Formal specifications in B provide input to model checking of dynamic properties
LLaibinis ETroubitsyna AIliasov and ARomanovsky Rigorous Development of Fault-Tolerant Agent Systems In M Butler C Jones A Romanovsky and E Troubitsyna (Eds) Rigorous Development of Complex Fault-Tolerant Systems LNCS 41572006
AIliasov VKhomenko MKoutny ARomanovsky On Specification and Verification of Location-Based Fault Tolerant Mobile Systems In M Butler C Jones A Romanovsky and E Troubitsyna (Eds) Rigorous Development of Complex Fault-Tolerant Systems LNCS 41572006
Industry Day Paris 100907
Fault tolerant transactions in replicated database systems DYadav MButler Rigorous design of Fault Tolerant Transations for replicated
database systems using Event B In M Butler C Jones A Romanovsky and E Troubitsyna (Eds) Rigorous Development of Complex Fault-Tolerant Systems LNCS 41572006
Replication improves availability of distributed database systems
when the transaction workload is predominantly read only
Keeping replicas identical during updates is difficult due to site failures and conflicting transactions
One Copy Serializability criterionInterleaved execution of transactions in replicas should be equivalent to serial execution of those transactions on one copy of database
Industry Day Paris 100907
Approach
Verify through refinement that design of replicated database satisfies One Copy Serializability criterion
Abstract Model is based on Single Copy Database
Refinement is based on Replicated Database
Gluing Invariants discovered by B Tools defines relationship among abstract single copy database and replicated database
The gluing invariants provides an deeper understanding of system and facilitates further development of more complex replica control mechanism
Industry Day Paris 100907
Other topics in RODIN methodology Extension of Event B language by J-R Abrial
Library of case studies in J-R Abrial book
Extension of Event B to represent records by NEvans and MButler
Model checking of mobile fault tolerant systems by MKoutny et al
Methods for rigorous development of generic requirements patterns by CSnook MPoppleton and IJohnson
Formalization of UML in B by CSnook MButler MWalden
Design of various exception handling approaches by AIliasov and ARomanovsky
Industry Day Paris 100907
Service Distribution (B Model)
Service Distribution phase of Lyra corresponds to one or several B refinements
Refinement steps introduce separate B components modelling external service components
All new B components are specified according to the same (ACC) pattern
Industry Day Paris 100907
Proposed approach establishes a basis for automating service-oriented development of fault tolerant communicating systems
Formal verification will be hidden behind UML facade (hence smooth integration into existing development process)
LLaibinis E Troubitsyna S Leppaumlnen J Lilius and Q Malik Formal Service-Oriented Development of Fault Tolerant Communicating Systems In M Butler C Jones A Romanovsky and E Troubitsyna (Eds) Rigorous Development of Complex Fault-Tolerant Systems LNCS 41572006
Industry Day Paris 100907
Fault tolerance in open systems challenges openness of the multi-agent systems
mobility and autonomy of agents
asynchrony and anonymity of the communication
complex types of faults temporal loss of connectivity mismatching interfaces
Industry Day Paris 100907
Interoperability of agents
Formal specification of middleware for mobile location-based systems
Location is abstraction of context
System approach start from specification of location and agents together and arrive at the specification of entire middleware
Decompose into part to be implemented by location and by agents
Individual agents can be developed independently but preserve ldquostandardrdquo part
Industry Day Paris 100907
Abstract specification
Implicit modelling of normal termination
and failure
Industry Day Paris 100907
Handling agent failure
Refining Disengage
1048708Agent can complete its activity and disengage
1048708Agent activity can be terminated by a (detectable) crash
1048708Agent can silently crash (eg disconnect or become slow)
Industry Day Paris 100907
Compatibility on functional levelbullScopes partition coordination space
bullEach scope supports certain set of roles ndash abstraction of agent functionality
bullFormal definition of scope properties
bullCompatibility on the level of agent functionality
Industry Day Paris 100907
System approach in MAS Ensuring interoperability of the independently developed agents and
supporting this by top-down stepwise development methods
Identifying and verifying system properties that express specific fault tolerance and mobility-related characteristics
Formal specifications in B provide input to model checking of dynamic properties
LLaibinis ETroubitsyna AIliasov and ARomanovsky Rigorous Development of Fault-Tolerant Agent Systems In M Butler C Jones A Romanovsky and E Troubitsyna (Eds) Rigorous Development of Complex Fault-Tolerant Systems LNCS 41572006
AIliasov VKhomenko MKoutny ARomanovsky On Specification and Verification of Location-Based Fault Tolerant Mobile Systems In M Butler C Jones A Romanovsky and E Troubitsyna (Eds) Rigorous Development of Complex Fault-Tolerant Systems LNCS 41572006
Industry Day Paris 100907
Fault tolerant transactions in replicated database systems DYadav MButler Rigorous design of Fault Tolerant Transations for replicated
database systems using Event B In M Butler C Jones A Romanovsky and E Troubitsyna (Eds) Rigorous Development of Complex Fault-Tolerant Systems LNCS 41572006
Replication improves availability of distributed database systems
when the transaction workload is predominantly read only
Keeping replicas identical during updates is difficult due to site failures and conflicting transactions
One Copy Serializability criterionInterleaved execution of transactions in replicas should be equivalent to serial execution of those transactions on one copy of database
Industry Day Paris 100907
Approach
Verify through refinement that design of replicated database satisfies One Copy Serializability criterion
Abstract Model is based on Single Copy Database
Refinement is based on Replicated Database
Gluing Invariants discovered by B Tools defines relationship among abstract single copy database and replicated database
The gluing invariants provides an deeper understanding of system and facilitates further development of more complex replica control mechanism
Industry Day Paris 100907
Other topics in RODIN methodology Extension of Event B language by J-R Abrial
Library of case studies in J-R Abrial book
Extension of Event B to represent records by NEvans and MButler
Model checking of mobile fault tolerant systems by MKoutny et al
Methods for rigorous development of generic requirements patterns by CSnook MPoppleton and IJohnson
Formalization of UML in B by CSnook MButler MWalden
Design of various exception handling approaches by AIliasov and ARomanovsky
Industry Day Paris 100907
Proposed approach establishes a basis for automating service-oriented development of fault tolerant communicating systems
Formal verification will be hidden behind UML facade (hence smooth integration into existing development process)
LLaibinis E Troubitsyna S Leppaumlnen J Lilius and Q Malik Formal Service-Oriented Development of Fault Tolerant Communicating Systems In M Butler C Jones A Romanovsky and E Troubitsyna (Eds) Rigorous Development of Complex Fault-Tolerant Systems LNCS 41572006
Industry Day Paris 100907
Fault tolerance in open systems challenges openness of the multi-agent systems
mobility and autonomy of agents
asynchrony and anonymity of the communication
complex types of faults temporal loss of connectivity mismatching interfaces
Industry Day Paris 100907
Interoperability of agents
Formal specification of middleware for mobile location-based systems
Location is abstraction of context
System approach start from specification of location and agents together and arrive at the specification of entire middleware
Decompose into part to be implemented by location and by agents
Individual agents can be developed independently but preserve ldquostandardrdquo part
Industry Day Paris 100907
Abstract specification
Implicit modelling of normal termination
and failure
Industry Day Paris 100907
Handling agent failure
Refining Disengage
1048708Agent can complete its activity and disengage
1048708Agent activity can be terminated by a (detectable) crash
1048708Agent can silently crash (eg disconnect or become slow)
Industry Day Paris 100907
Compatibility on functional levelbullScopes partition coordination space
bullEach scope supports certain set of roles ndash abstraction of agent functionality
bullFormal definition of scope properties
bullCompatibility on the level of agent functionality
Industry Day Paris 100907
System approach in MAS Ensuring interoperability of the independently developed agents and
supporting this by top-down stepwise development methods
Identifying and verifying system properties that express specific fault tolerance and mobility-related characteristics
Formal specifications in B provide input to model checking of dynamic properties
LLaibinis ETroubitsyna AIliasov and ARomanovsky Rigorous Development of Fault-Tolerant Agent Systems In M Butler C Jones A Romanovsky and E Troubitsyna (Eds) Rigorous Development of Complex Fault-Tolerant Systems LNCS 41572006
AIliasov VKhomenko MKoutny ARomanovsky On Specification and Verification of Location-Based Fault Tolerant Mobile Systems In M Butler C Jones A Romanovsky and E Troubitsyna (Eds) Rigorous Development of Complex Fault-Tolerant Systems LNCS 41572006
Industry Day Paris 100907
Fault tolerant transactions in replicated database systems DYadav MButler Rigorous design of Fault Tolerant Transations for replicated
database systems using Event B In M Butler C Jones A Romanovsky and E Troubitsyna (Eds) Rigorous Development of Complex Fault-Tolerant Systems LNCS 41572006
Replication improves availability of distributed database systems
when the transaction workload is predominantly read only
Keeping replicas identical during updates is difficult due to site failures and conflicting transactions
One Copy Serializability criterionInterleaved execution of transactions in replicas should be equivalent to serial execution of those transactions on one copy of database
Industry Day Paris 100907
Approach
Verify through refinement that design of replicated database satisfies One Copy Serializability criterion
Abstract Model is based on Single Copy Database
Refinement is based on Replicated Database
Gluing Invariants discovered by B Tools defines relationship among abstract single copy database and replicated database
The gluing invariants provides an deeper understanding of system and facilitates further development of more complex replica control mechanism
Industry Day Paris 100907
Other topics in RODIN methodology Extension of Event B language by J-R Abrial
Library of case studies in J-R Abrial book
Extension of Event B to represent records by NEvans and MButler
Model checking of mobile fault tolerant systems by MKoutny et al
Methods for rigorous development of generic requirements patterns by CSnook MPoppleton and IJohnson
Formalization of UML in B by CSnook MButler MWalden
Design of various exception handling approaches by AIliasov and ARomanovsky
Industry Day Paris 100907
Fault tolerance in open systems challenges openness of the multi-agent systems
mobility and autonomy of agents
asynchrony and anonymity of the communication
complex types of faults temporal loss of connectivity mismatching interfaces
Industry Day Paris 100907
Interoperability of agents
Formal specification of middleware for mobile location-based systems
Location is abstraction of context
System approach start from specification of location and agents together and arrive at the specification of entire middleware
Decompose into part to be implemented by location and by agents
Individual agents can be developed independently but preserve ldquostandardrdquo part
Industry Day Paris 100907
Abstract specification
Implicit modelling of normal termination
and failure
Industry Day Paris 100907
Handling agent failure
Refining Disengage
1048708Agent can complete its activity and disengage
1048708Agent activity can be terminated by a (detectable) crash
1048708Agent can silently crash (eg disconnect or become slow)
Industry Day Paris 100907
Compatibility on functional levelbullScopes partition coordination space
bullEach scope supports certain set of roles ndash abstraction of agent functionality
bullFormal definition of scope properties
bullCompatibility on the level of agent functionality
Industry Day Paris 100907
System approach in MAS Ensuring interoperability of the independently developed agents and
supporting this by top-down stepwise development methods
Identifying and verifying system properties that express specific fault tolerance and mobility-related characteristics
Formal specifications in B provide input to model checking of dynamic properties
LLaibinis ETroubitsyna AIliasov and ARomanovsky Rigorous Development of Fault-Tolerant Agent Systems In M Butler C Jones A Romanovsky and E Troubitsyna (Eds) Rigorous Development of Complex Fault-Tolerant Systems LNCS 41572006
AIliasov VKhomenko MKoutny ARomanovsky On Specification and Verification of Location-Based Fault Tolerant Mobile Systems In M Butler C Jones A Romanovsky and E Troubitsyna (Eds) Rigorous Development of Complex Fault-Tolerant Systems LNCS 41572006
Industry Day Paris 100907
Fault tolerant transactions in replicated database systems DYadav MButler Rigorous design of Fault Tolerant Transations for replicated
database systems using Event B In M Butler C Jones A Romanovsky and E Troubitsyna (Eds) Rigorous Development of Complex Fault-Tolerant Systems LNCS 41572006
Replication improves availability of distributed database systems
when the transaction workload is predominantly read only
Keeping replicas identical during updates is difficult due to site failures and conflicting transactions
One Copy Serializability criterionInterleaved execution of transactions in replicas should be equivalent to serial execution of those transactions on one copy of database
Industry Day Paris 100907
Approach
Verify through refinement that design of replicated database satisfies One Copy Serializability criterion
Abstract Model is based on Single Copy Database
Refinement is based on Replicated Database
Gluing Invariants discovered by B Tools defines relationship among abstract single copy database and replicated database
The gluing invariants provides an deeper understanding of system and facilitates further development of more complex replica control mechanism
Industry Day Paris 100907
Other topics in RODIN methodology Extension of Event B language by J-R Abrial
Library of case studies in J-R Abrial book
Extension of Event B to represent records by NEvans and MButler
Model checking of mobile fault tolerant systems by MKoutny et al
Methods for rigorous development of generic requirements patterns by CSnook MPoppleton and IJohnson
Formalization of UML in B by CSnook MButler MWalden
Design of various exception handling approaches by AIliasov and ARomanovsky
Industry Day Paris 100907
Interoperability of agents
Formal specification of middleware for mobile location-based systems
Location is abstraction of context
System approach start from specification of location and agents together and arrive at the specification of entire middleware
Decompose into part to be implemented by location and by agents
Individual agents can be developed independently but preserve ldquostandardrdquo part
Industry Day Paris 100907
Abstract specification
Implicit modelling of normal termination
and failure
Industry Day Paris 100907
Handling agent failure
Refining Disengage
1048708Agent can complete its activity and disengage
1048708Agent activity can be terminated by a (detectable) crash
1048708Agent can silently crash (eg disconnect or become slow)
Industry Day Paris 100907
Compatibility on functional levelbullScopes partition coordination space
bullEach scope supports certain set of roles ndash abstraction of agent functionality
Abstract specification
Implicit modelling of normal termination and failure
Handling agent failure
Refining Disengage
- Agent can complete its activity and disengage
- Agent activity can be terminated by a (detectable) crash
- Agent can silently crash (e.g. disconnect or become slow)
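The three refinements of Disengage, as an added Python illustration that is not the RODIN/Event-B model from the cited papers: a scope keeps an abstract set of engaged agents, and the concrete model records how each agent left. The Scope class, status names and the heartbeat lease are assumptions made for the example. The third case is the important one for a practitioner: a silent crash cannot be told apart from a slow agent, so the concrete model can only suspect the agent once its lease expires, and a heartbeat that arrives afterwards must not silently undo the disengagement.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Set, Tuple


class Status(Enum):
    ENGAGED = "engaged"
    COMPLETED = "completed"    # normal termination: the agent finished and disengaged
    CRASHED = "crashed"        # detectable crash reported by the platform
    SUSPECTED = "suspected"    # no heartbeat within the lease: silent crash, or merely slow


@dataclass
class Scope:
    """One coordination scope (assumed design, not the paper's model).
    `engaged` is the abstract model's only state; `status` is the concrete
    refinement that records how each agent left."""
    lease: int                                    # heartbeat lease, in ticks
    engaged: Set[str] = field(default_factory=set)
    status: Dict[str, Status] = field(default_factory=dict)
    last_beat: Dict[str, int] = field(default_factory=dict)
    trace: List[Tuple[str, Status]] = field(default_factory=list)

    def gluing_invariant(self) -> bool:
        # abstract "engaged" set == concrete agents whose status is ENGAGED
        return self.engaged == {a for a, s in self.status.items() if s is Status.ENGAGED}

    def engage(self, agent: str, now: int) -> None:
        if self.status.get(agent) is Status.ENGAGED:
            raise ValueError(f"{agent} already engaged")
        self.engaged.add(agent)
        self.status[agent] = Status.ENGAGED
        self.last_beat[agent] = now

    def _disengage(self, agent: str, how: Status) -> None:
        # every concrete exit event refines the single abstract Disengage event
        if self.status.get(agent) is not Status.ENGAGED:
            raise ValueError(f"{agent} is not engaged")
        self.engaged.discard(agent)
        self.status[agent] = how
        self.trace.append((agent, how))
        if not self.gluing_invariant():
            raise AssertionError("refinement broken")

    def complete(self, agent: str) -> None:          # refinement 1: normal termination
        self._disengage(agent, Status.COMPLETED)

    def crash_reported(self, agent: str) -> None:    # refinement 2: detectable crash
        self._disengage(agent, Status.CRASHED)

    def expire_leases(self, now: int) -> List[str]:  # refinement 3: silent crash
        expired = [a for a in sorted(self.engaged) if now - self.last_beat[a] > self.lease]
        for a in expired:
            self._disengage(a, Status.SUSPECTED)
        return expired

    def heartbeat(self, agent: str, now: int) -> bool:
        """A heartbeat is only accepted from an engaged agent. A late beat from a
        suspected agent is refused: abstract Disengage has already happened, so a
        slow agent that is still alive has to re-engage explicitly."""
        if self.status.get(agent) is Status.ENGAGED:
            self.last_beat[agent] = now
            return True
        return False


def scenario(lease: int = 3) -> dict:
    """Constructed run exercising all three refinements of Disengage."""
    s = Scope(lease=lease)
    for a in ("alpha", "beta", "gamma"):
        s.engage(a, now=0)
    s.heartbeat("gamma", now=1)
    s.complete("alpha")                     # alpha finishes normally
    s.crash_reported("beta")                # platform reports beta's crash
    early = s.expire_leases(now=2)          # gamma is still inside its lease
    suspected = s.expire_leases(now=5)      # 5 - 1 > 3: gamma has gone silent
    late = s.heartbeat("gamma", now=6)      # gamma was only slow: its late beat is refused
    return {
        "early_expiry": early,
        "suspected": suspected,
        "late_heartbeat_accepted": late,
        "status": {a: st.value for a, st in s.status.items()},
        "invariant": s.gluing_invariant(),
    }
```

The lease value is a design parameter of the concrete model, not something the abstract model knows about: a shorter lease detects silent crashes sooner but disengages more live-but-slow agents, and the abstract specification has to permit that outcome for the refinement to be valid.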
Compatibility on functional level
- Scopes partition the coordination space
- Each scope supports a certain set of roles, an abstraction of agent functionality
- Formal definition of scope properties
- Compatibility on the level of agent functionality
System approach in MAS
Ensuring interoperability of independently developed agents, and supporting this by top-down stepwise development methods
Identifying and verifying system properties that express specific fault tolerance and mobility-related characteristics
Formal specifications in B provide input to model checking of dynamic properties
L. Laibinis, E. Troubitsyna, A. Iliasov and A. Romanovsky. Rigorous Development of Fault-Tolerant Agent Systems. In M. Butler, C. Jones, A. Romanovsky and E. Troubitsyna (Eds.), Rigorous Development of Complex Fault-Tolerant Systems, LNCS 4157, 2006
A. Iliasov, V. Khomenko, M. Koutny and A. Romanovsky. On Specification and Verification of Location-Based Fault Tolerant Mobile Systems. In M. Butler, C. Jones, A. Romanovsky and E. Troubitsyna (Eds.), Rigorous Development of Complex Fault-Tolerant Systems, LNCS 4157, 2006
Fault tolerant transactions in replicated database systems
D. Yadav and M. Butler. Rigorous Design of Fault Tolerant Transactions for Replicated Database Systems using Event B. In M. Butler, C. Jones, A. Romanovsky and E. Troubitsyna (Eds.), Rigorous Development of Complex Fault-Tolerant Systems, LNCS 4157, 2006
Replication improves availability of distributed database systems when the transaction workload is predominantly read-only
Keeping replicas identical during updates is difficult due to site failures and conflicting transactions
One Copy Serializability criterion: interleaved execution of transactions on the replicas should be equivalent to serial execution of those transactions on one copy of the database
Approach
Verify through refinement that the design of the replicated database satisfies the One Copy Serializability criterion
Abstract model is based on a single-copy database
Refinement is based on the replicated database
Gluing invariants, discovered with the help of the B tools, define the relationship between the abstract single-copy database and the replicated database
The gluing invariants provide a deeper understanding of the system and facilitate further development of more complex replica control mechanisms
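The abstract/concrete pair described on the two slides above, as an added Python illustration rather than the Event-B development of Yadav and Butler: a single-copy database is the abstract model, a set of replicas with site failures and conflicting transactions is the concrete one, and a gluing invariant ties them together after every step. The replica control mechanism used here (update-everywhere, optimistic version checks, recovery by copying a live site) is an assumption chosen for the example, and `one_copy_serializable` checks the criterion on one concrete run by replaying the commit order serially on a fresh copy.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Txn:
    tid: str
    writes: Dict[str, int]                                  # object -> new value
    snapshot: Dict[str, int] = field(default_factory=dict)  # object -> version seen at start


class SingleCopyDB:
    """Abstract model: one copy of the data, committed transactions applied serially."""

    def __init__(self) -> None:
        self.data: Dict[str, int] = {}
        self.committed: List[Txn] = []

    def commit(self, txn: Txn) -> None:
        self.data.update(txn.writes)
        self.committed.append(txn)


class ReplicatedDB:
    """Concrete model (assumed replica control, not the paper's): n replicas, sites that
    fail and recover, optimistic conflict detection. A commit is applied to every live
    site in one step, which is the atomicity the refinement relies on."""

    def __init__(self, n_sites: int) -> None:
        self.sites: List[Dict[str, int]] = [{} for _ in range(n_sites)]
        self.alive: List[bool] = [True] * n_sites
        self.version: Dict[str, int] = {}      # object -> number of committed updates
        self.committed: List[Txn] = []
        self.aborted: List[str] = []

    def live(self) -> List[int]:
        return [i for i, up in enumerate(self.alive) if up]

    def begin(self, tid: str, writes: Dict[str, int]) -> Txn:
        # the transaction remembers the version of each object it is going to update
        return Txn(tid, writes, {o: self.version.get(o, 0) for o in writes})

    def fail_site(self, i: int) -> None:
        self.alive[i] = False

    def recover_site(self, i: int) -> None:
        # a recovering site copies a live replica before it is allowed to serve again
        self.sites[i] = dict(self.sites[self.live()[0]])
        self.alive[i] = True

    def commit(self, txn: Txn) -> bool:
        stale = any(self.version.get(o, 0) != v for o, v in txn.snapshot.items())
        if stale or not self.live():
            self.aborted.append(txn.tid)       # conflicting transaction, or no site left
            return False
        for i in self.live():
            self.sites[i].update(txn.writes)
        for o in txn.writes:
            self.version[o] = self.version.get(o, 0) + 1
        self.committed.append(txn)
        return True


def gluing_invariant(abstract: SingleCopyDB, concrete: ReplicatedDB) -> bool:
    """Links the two models: every live replica equals the single copy and the committed
    histories coincide (failed sites are exempt until they have recovered)."""
    return (all(concrete.sites[i] == abstract.data for i in concrete.live())
            and [t.tid for t in concrete.committed] == [t.tid for t in abstract.committed])


def one_copy_serializable(concrete: ReplicatedDB) -> bool:
    """Replay the concrete commit order serially on a fresh single copy; the criterion holds
    for this run if every live replica ends in the state that serial execution produces."""
    serial = SingleCopyDB()
    for txn in concrete.committed:
        serial.commit(txn)
    return all(concrete.sites[i] == serial.data for i in concrete.live())


def scenario() -> dict:
    """Constructed run: a conflicting transaction and a site failure between commits."""
    abstract, concrete = SingleCopyDB(), ReplicatedDB(3)

    def run(txn: Txn) -> None:
        if concrete.commit(txn):
            abstract.commit(txn)       # one concrete commit refines one abstract commit
        if not gluing_invariant(abstract, concrete):
            raise AssertionError(f"gluing invariant broken after {txn.tid}")

    t1 = concrete.begin("t1", {"x": 1, "y": 1})
    t2 = concrete.begin("t2", {"x": 2})     # started concurrently with t1: conflicts on x
    run(t1)
    concrete.fail_site(1)                   # site 1 crashes between the two commits
    run(t2)                                 # aborted: x has a newer version than t2 saw
    run(concrete.begin("t3", {"x": 3}))     # t2's work resubmitted with a fresh snapshot
    concrete.recover_site(1)
    if not gluing_invariant(abstract, concrete):
        raise AssertionError("recovered site diverges from the single copy")
    return {
        "committed": [t.tid for t in concrete.committed],
        "aborted": list(concrete.aborted),
        "data": dict(abstract.data),
        "replicas_agree": all(s == abstract.data for s in concrete.sites),
        "one_copy_serializable": one_copy_serializable(concrete),
    }
```

The invariant is deliberately restricted to live sites: a failed site is allowed to lag, and the refinement only has to guarantee that it catches up before it serves reads again. Dropping that restriction, or letting `commit` update only some live sites, is exactly the kind of design error that the failed proof obligations of the gluing invariant would expose in the B development.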
Other topics in RODIN methodology
Extension of the Event B language by J.-R. Abrial
Library of case studies in J.-R. Abrial's book
Extension of Event B to represent records by N. Evans and M. Butler
Model checking of mobile fault tolerant systems by M. Koutny et al.
Methods for rigorous development of generic requirements patterns by C. Snook, M. Poppleton and I. Johnson
Formalization of UML in B by C. Snook, M. Butler and M. Waldén
Design of various exception handling approaches by A. Iliasov and A. Romanovsky