Thierry Lecomte ETMF 2016
65
Thierry Lecomte ETMF 2016 Natal
Transcript of Thierry Lecomte ETMF 2016
Thierry LecomteETMF 2016
Natal
•
•
•
•
•
•
•
•
•
•
•
•
≡
•
•
•
•
≡
Chain A
Voter
Chain B
inputsA
inputsB
outputs
Chain A
Chain B
inputsA
inputsB
Outputs (power)
Outputs (command)
Control
≡•
•
•
≡•
•
•
≡
•
•
≡
•
•
•
•
•
≡
•
≡
≡
Code generator 1 Instance 1
B model
Code generator 2 Instance 2
•
•
B Specification
B Implementation
C generated code
« Only inactive sequences can be added to the activesequences execution queue. »
Natural languagerequirement
Binary code
Behaviour+
properties
Behaviour+
properties
B Specification
B Implementation
C generated code
« Only inactive sequences can be added to the activesequences execution queue. »
Natural languagerequirement
Binary code
Philosophy:Avoid to introduce errors during the development (proof)
instead of trying to detect them close to the end of the development (tests)
Proof (refinement)
Proof (coherence)
Proof (coherence)
•
–
–
–
–
–
•
•
•
•
•
•
•
•
•
•
•
•
•
•
–
–
–
–
–
–
•
•
•
•
•
•
:
&
:
: : & :
v0
v1v2
v0
v1
v2
decision
V0
OK/KOV1
V2
n
&
o
y n o
e y & y
! y
# n ! n
n
<
>
:
/
N N
•
•
OPERATIONS bodies are identical:What is proved is ….. the copy-paste
•
–
–
–
–
•
–
•
–
•
–
–
–
–
–
•
•
•
•
–
–
–
–
–
•
•
•
•
–
–
–
–
–
•
•
•
•
•
•
•
•
•
•
•
Chain1
V0
CC (OK/KO)V1
V2
Chain2
W0
DD (OK/KO)W1
W2
Cross-verification ofW0, W1, W2, LB, UB, DD
Chain1
V0
CC (OK/KO)V1
V2
Chain2
W0
DD (OK/KO)W1
W2
Cross-verification ofW0, W1, W2, LB, UB, DD
A
B K
C
D
E
F
G H
I
J
L
A
B K
C
D
E
F
G H
I
J
L
Thierry LecomteETMF 2016
Natal
