Thierry Lecomte ETMF 2016

Thierry LecomteETMF 2016

Natal

•

•

•

•

•

•

•

•

•

•

•

•

≡

•

•

•

•

≡

Chain A

Voter

Chain B

inputsA

inputsB

outputs

Chain A

Chain B

inputsA

inputsB

Outputs (power)

Outputs (command)

Control

≡•

•

•

≡•

•

•

≡

•

•

≡

•

•

•

•

•

≡

•

≡

≡

Code generator 1 Instance 1

B model

Code generator 2 Instance 2

•

•

B Specification

B Implementation

C generated code

« Only inactive sequences can be added to the activesequences execution queue. »

Natural languagerequirement

Binary code

Behaviour+

properties

Behaviour+

properties

B Specification

B Implementation

C generated code

« Only inactive sequences can be added to the activesequences execution queue. »

Natural languagerequirement

Binary code

Philosophy:Avoid to introduce errors during the development (proof)

instead of trying to detect them close to the end of the development (tests)

Proof (refinement)

Proof (coherence)

Proof (coherence)

•

–

–

–

–

–

•

•

•

•

•

•

•

•

•

•

•

•

•

•

–

–

–

–

–

–

•

•

•

•

•

•

:

&

:

: : & :

v0

v1v2

v0

v1

v2

decision

V0

OK/KOV1

V2

n

&

o

y n o

e y & y

! y

# n ! n

n

<

>

:

/

N N

•

•

OPERATIONS bodies are identical:What is proved is ….. the copy-paste

•

–

–

–

–

•

–

•

–

•

–

–

–

–

–

•

•

•

•

–

–

–

–

–

•

•

•

•

–

–

–

–

–

•

•

•

•

•

•

•

•

•

•

•

Chain1

V0

CC (OK/KO)V1

V2

Chain2

W0

DD (OK/KO)W1

W2

Cross-verification ofW0, W1, W2, LB, UB, DD

Chain1

V0

CC (OK/KO)V1

V2

Chain2

W0

DD (OK/KO)W1

W2

Cross-verification ofW0, W1, W2, LB, UB, DD

A

B K

C

D

E

F

G H

I

J

L

A

B K

C

D

E

F

G H

I

J

L

Thierry LecomteETMF 2016

Natal