Industrial usage of VDM Dr Peter Gorm Larsen Associate Professor University College of Aarhus + PGL Consult

Industrial usage of VDM

Dr Peter Gorm LarsenDr Peter Gorm LarsenAssociate ProfessorAssociate Professor

University College of Aarhus +University College of Aarhus +PGL ConsultPGL Consult

Ingeniørhøjskolen i ÅrhusSlide 2

Personal Background• Theoretical Work

– VDM-SL Semantics (ISO standard)– VDM-SL Proof Rules (PhD work)

• More Practical Work– VDM and SA in combination– IFAD VDMTools– Transfer VDM to Industry– Intensive use Industrially

• Employed by– For 13 years: IFAD– For 3,5 years: Systematic– Now:

• University College of Aarhus and• PGL Consult


VDM Technology in Industry

Overview of VDM Concepts

• Overview of VDM-SL Semantics

• Industrial usage of VDM


Vienna Development Method

• VDM-SL and VDM++– ISO Standardisation of VDM-SL– VDM++ is an object-oriented extension

• Model-oriented specification:– Simple, abstract data types– Invariants to restrict membership– Functional specification:

• Referentially transparent functions• Operations with side effects on state variables • Implicit specification (pre/post)• Explicit specification (functional or imperative)• Underdeterminedness and non-determinism


VDM++ Class Outline

class class <class-name><class-name>

end end <class-name><class-name>

instance variablesinstance variables

......

typestypes

valuesvalues

functionsfunctions

operationsoperations

......

threadthread

......

syncsync

......

Internal object stateInternal object state

DefinitionsDefinitions

Dynamic behaviourDynamic behaviour

Synchronization controlSynchronization control


What is VDMTools?

• The VDM-SL Toolbox• The VDM++ Toolbox• Different experimental extensions:

– Reverse engineering from Java to VDM++– PROSPER for proof support on top of VDM-SL– VICE for support for real-time systems


VDMTools® Overview

The Rose-VDM++ Link

Document Generator

Code Generators- C++, Java

Syntax & Type Checker

API (Corba), DL Facility

Interpreter (Debugger)

Integrity Checker


References, World-wide

FranceFranceAerospatiale Espace et DefenseAerospatiale Espace et DefenseDassault AviationDassault AviationDasssault ElectroniqueDasssault ElectroniqueCISI CEA et DefenseCISI CEA et DefenseCEA LetiCEA LetiCap GeminiCap GeminiLAASLAASMatra Bae DynamicsMatra Bae Dynamics

U.K.U.K.British Aerospace Systems & British Aerospace Systems & EquipmentEquipmentBritish Aerospace DefenseBritish Aerospace DefenseAdelardAdelardICL Enterprise EngineeringICL Enterprise EngineeringRolls RoyceRolls RoyceTransitive TechnologiesTransitive Technologies

ItalyItalyENEAENEAAnsaldoAnsaldo

The NetherlandsThe NetherlandsDutch Dept. of DefenceDutch Dept. of DefenceOriginOriginChessChess

PortugalPortugalSidereusSidereus

DenmarkDenmarkBaan NordicBaan NordicOdense Steel ShipyardOdense Steel ShipyardDDC InternationalDDC International

North AmericaNorth AmericaBoeingBoeingRockwell CollinsRockwell CollinsLockheed MartinLockheed MartinDDC-I, Inc.DDC-I, Inc.Rational Software Corp.Rational Software Corp.Formal Systems Inc.Formal Systems Inc.Concordia UniversityConcordia University

JapanJapanRTRI (Japan Railways)RTRI (Japan Railways)JFITSJFITS

GermanyGermanyGAO mbHGAO mbH

More than 150 clients world-wide in 2001




Overview of VDM-SL Semantics

• Industrial usage of VDM


VDM-SL Semantics Presentations

• VDM-SL Static Semantics (7 slides)• VDM-SL Domain Universe (12 slides)• VDM-SL Dynamic Semantics (32 slides)• Unfortunately using old legacy technology




Overview of VDM-SL Semantics

Industrial usage of VDM


ConForm (1994)• Organisation: British Aerospace (UK)• Domain: Security (gateway)• Tools: The IFAD VDM-SL Toolbox

• Experience:

– Prevented propagation of error

– Successful technology transfer

– At least 4 more applications without support

• Statements:

– “Engineers can learn the technique in one week”

– “VDMTools can be integrated gradually into a traditional existing development process”


DustExpert (1995-7)• Organisation: Adelard (UK)• Domain: Safety (dust explosives)• Tools: The IFAD VDM-SL Toolbox • Experience:

– Delivered on time at expected cost

– Large VDM-SL specification

– Testing support valuable

• Statement:

– “Using VDMTools we have achieved a productivity and fault density far better than industry norms for safety related systems”


Adelard Metrics

• 31 faults in Prolog and C++ (< 1/kloc)• Most minor, only 1 safety-related• 1 (small) design error, rest in coding

Initial requirements 450 pages

VDM specification 16kloc (31 modules)12kloc (excl comments)

Prologimplementation

37kloc16kloc (excl comments)

C++ GUIimplementation

23kloc18kloc (excl comments)


CAVA (1998-2000)• Organisation: Baan (Denmark)

• Domain: Constraint solver (Sales Configuration)

• Tools: The IFAD VDM-SL Toolbox

• Experience:

– Common understanding

– Faster route to prototype

– Earlier testing

• Statement:

– “VDMTools has been used in order to increase quality and reduce development risks on high complexity products”


Dutch DoD (1997-8)

• Organisation: Origin, The Netherlands

• Domain: Military


• Experience:

– Higher level of assurance

– Mastering of complexity

– Delivered at expected cost and on schedule

– No errors detected in code after delivery

• Statement:

– “We chose VDMTools because of high demands on maintainability, adaptability and reliability”


DoD, NL Metrics (1)

• Estimated 12 C++ loc/h with manual coding!

kloc hours loc/hour

spec 15 1196 13

manual impl 4 471 8.5

automatic impl 90 0 NA

test NA 612 NA

total code 94 2279 41.2totAL


DoD - Comparative Metrics

CODING TESTING

CODING TESTINGANALYSIS &

DESIGN

Traditional:Traditional:

VDMToolsVDMTools®®::

CostCost

ANALYSIS & DESIGN

900900 20002000 700700

12001200 500500 600600

0% 64%

100%


BPS 1000 (1997-)• Organisation: GAO, Germany• Domain: Bank note processing• Tools: The IFAD VDM-SL Toolbox• Experience:

– Better understanding of sensor data

– Errors identified in other code

– Savings on maintenance

• Statement:

– VDMTools provides unparalleled support for design abstraction ensuring quality and control throughout the development life cycle.


Flower Auction (1998) • Organisation: Chess, The Netherlands

• Domain: Financial transactions

• Tools: The IFAD VDM++ Toolbox

• Experience:

– Successful combination of UML and VDM++

– Use iterative process to gain client commitment

– Implementers did not even have a VDM course

• Statement:

– “The link between VDMTools and Rational Rose

is essential for understanding the UML diagrams”


SPOT 4 (1999)

• Organisation: CS-CI, France

• Domain: Space (payload for SPOT4 satellite)


• Experience:

– 38 % less lines of source code

– 36 % less overall effort

– Use of automatic C++ code generation

• Statement:

The cost of applying Formal methods is significantly lower than without them.


Japanese Railways (2000-2001)

• Domain: Railways (database and interlocking)

• Experience:

– Prototyping important

– Now also using it for ATC system

• Engineer working at IFAD for two years with PROSPER proof support


Stock-options (2000- )• Organisation: JFITS (CSK group company), Japan• Domain: Financial• Tools: The IFAD VDM++ Toolbox• Reason for CSK to purchase VDMTools

Tax exemption COCOMO Realized

Effort 38,5 person months 14 person months

Schedule 9 months 3,5 months

Options COCOMO Realized

Effort 147,2 person months 60,1 person months

Schedule 14,3 months 7 months


Reverse Engineering (2001)

• Organisation: Boeing• Domain: Avionics• Tools: The IFAD VDM++ Toolbox• Included development of Java to VDM++ reverse

engineering feature


Optimisation (2001)• Organisation: Transitive TechnologiesTransitive Technologies, UK, UK• Domain:EmbeddedDomain:Embedded• Tools: The IFAD VDM-SL ToolboxTools: The IFAD VDM-SL Toolbox• Making software independent of hardware Making software independent of hardware

platformplatform


Further Information• Applying Formal Specification in Industry. P.G. Larsen, J.

Fitzgerald and T. Brookes. Published in "IEEE Software" vol. 13, no. 3, May 1996

• A Lightweight Approach to Formal Methods S.Agerholm and P.G. Larsen. In Proceedings of the International Workshop on Current Trends in Applied Formal Methods, Boppard, Germany, Springer-Verlag, October 1998.

• Applications of VDM in Banknote Processing P. Smith and P.G. Larsen. + Application of VDM-SL to the Development of the SPOT4 Programming Messages Generator, A. Puccetti and J.Y. Tixadou + Formal Specification of an Auctioning System Using VDM++ and UML, M.Verhoef et. al.

Published at the First VDM Workshop: VDM in Practice with the FM'99 Symposium, Toulouse, France, September 1999.

Documents

Industrial usage of VDM Dr Peter Gorm Larsen Associate Professor University College of Aarhus + PGL Consult