

## Automatic Refinement and Code Generation - lessons learned -

**Thierry Lecomte** 

thierry.lecomte@clearsy.com

C L E A R S Y System Engineering

#### Introduction

- Automatic Refinement
- Code generation
- Perspectives



## Introduction

B model is not end-product

 Hardly readable/understandable even by its creator

#### double dutch

Totally alien to you, something you don't understand.

I don't understand this C++ stuff, it's all double dutch to me!

Urbandictionnary.com

# No processor so far able to natively execute B models



## Introduction

Hence some transformations are required:

- Animation
- (Automatic) Refinement
- "Code" Generation
- This presentation focuses on last two items



- Refinement is for easing proof
- Why a designer would spend (lost?) time to help a tool doing its job ?
- Expected outcome: time (money) saved when applying the tool
- Errors in the tool are detected when proving the generated models



Input: complete set-theoristic model of a softwareOutput: refinements and implementations



#### Refinement engine: applying transformation rules

```
      RULE assign_a_bool_subset_b_c_11
      RULE

      REFINES
      REFIN

      @a := bool(@b <: @c-@d)</td>
      @

      REFINEMENT
      @a := bool(@b <: @c & @b /\ @d = {})</td>

      @a := bool(@b <: @c & @b /\ @d = {})</td>
      @

      END;
      END;
```

```
RULE assign_a_bool_belongs_b_c_16
REFINES
    @a := bool(@b|->@d : @c*@e)
REFINEMENT
    @a := bool(@b:@c & @d:@e)
END;
```







SYSTEM ENGINEERING

- Outcomes: development time divided by 2
- Safety Critical Software usually require twice more workload
- SCS developed with non SCS budget
- 700 refinement rules written down
- Deployed worldwide for several metros
- Biggest implementation: Val de Roissy Shuttle
  - Alarm Control Unit: 265 kloc B model (40 kloc handwritten), 186 kloc Ada code
  - Section Automatic pilots: 67 kloc B model, 50 kloc Ada code







## Automatic Refinement

### How is it practical ? (-> LIVE DEMO)

- How is it efficient ?
  - Generated models are more decomposed
  - Many small steps leading to easier proof
  - For some constructions (abstract iterator), interactive demonstration could be provided automatically



10



## Pattern matching in detail





## Feedback

#### Initial set of refinement rules is not sufficient

Need to be extended to address your modelling and expectations

### Initial set of rules is not bug free

Detected by typechecking (syntax errors) and by proof



Several code generators in use: C, C++, Ada, HIA

- Incoming Ladder and VHDL
- Using different technologies (redundancy)
  - Encoding (FIDARE),
  - diversity (inverse mirror),
  - specific hardware (coded secure processor)

Almost each industrial project has its own translator

#### The current situation is .....





## Code generation

Based on different tools to avoid common mode failure

Type-checker, B-parser, B-compiler





#### Translators to be used in pair





## C Code generation

#### Safety critical standards recommend:

- (1) A limited use of pointers
- (2) No recursion
- (3) No dynamic memory allocation
- With instantiated machines, point (1) was not reachable
- Development of a translator based on cocktail compiler compiler: ComenC
- C code more readable
- But discontinued support





Transformation of a B model into a ladder code in order to feed a PLC



For S7 Simatic (Siemens)Generation of png files !





- define the properties expressing system safety
- demonstrate that any train + PSD system veryfing some properties is safe
- open train doors iff train is at the standstill and doors in front of PSD
  - open PSD iff train at the standstill is present or in case of evacuation
  - a train should not move if at least one PSD is not closed







FM'2009 - FMICS

20









## Verifications





FM'2009 - FMICS

23



SVSTEM

ENGINEERING

Applied several times for safety critical systems

- Typing Ladder programs using SIMATIC S7 PLC is risky
- Envisaging to directly generate binary code



# VHDL Code Generation (B4SYN)

#### Not a 1-to-1 translation schema

#### What is translated

- Variables
- Constants
- Events

#### What is needed

- Invariants
- Properties
- Valuation for the constants
- List of synchronous events and outputs
- List of asynchronous events
- List of combinatorial events and outputs



## **B4Syn Translation schema**





FM'2009 - FMICS

27

## Extra information

- Synchronous events: modelling computations performed on a clock tick.
  - The inputs are acquired
  - Outputs are positioned
  - Registers are updated
- Asynchronous events: modelling interrupted events
  - Registers should be initialized
  - cold reset, warm reset
- Combinatorial events: events triggered before the component stabilizes.
  - is necessary to check that the disjunction of their guards is true.

#### Supported grammar:

[ASYNCHRONOUS | (SYNCHRONOUS ; ASYNCHRONOUS) | (SYNCHRONOUS ; COMBINATORIAL)]\* 28



## Extra information

- Circuit definition
  - Synchronous outputs
  - Combinatorial outputs (handled in a separate process)
  - Clocks
  - Sequencer variable
  - Inputs
- Valuation information (sets, functions, relations, integers, elements)
  - Values used for driving the translation process
    - S = a..b indicates that the set is a range of values from a to b
    - *S* = (0..*b*)\*BIT indicates that the set is a range of bits, and that bit to bit operations are possible
  - Predefined functions:
    - *NthBit* =  $\lambda(x,n).(x \in (0..i)*BIT \land n \in 0..i \mid x(n))$

## VHDL types supported

- STD\_LOGIC
- STD\_LOGIC\_VECTOR(x downto y)
- INTEGER
- Arrays of the previous types



## Structure of the rtl file

- Process sample inputs
- Process registers reset
- Process output management
- Combinatorial events



Translator used with success on a microciruit

- Adequate generated VHDL models:
  - Size (5k gates)
  - Workload (even if different profiles)
  - Able to be tested with product testbenches

Translator probably lacking of generality



## Generating Ada code from Event B model

Application of aggregation rules to transform a set of events into an algorithm

```
SELECT P ∧ Q THEN R END

[]

SELECT P ∧ not Q THEN S END

~>

SELECT P THEN

IF Q THEN R ELSE S END

END
```

Condition: P ∧ Q => [R] not P P ∧ Q => [S] not P



SELECT P THEN R END
[]
SELECT Q THEN S END
~>
SELECT P THEN R;S END

*Condition: P* => [*R*] *Q* 



# Generating Ada code from Event B model

- Obtained algorithm is not checkable with B
- Applied on part of the Ariane 5 flight software
- To obtain finally 80 lines of Ada, comparable to the handwritten ones
- Around 20 000 events would be required to replicate the branching structure of an Automatic Train Pilot



-

.

## Semantics of B models





Path to cyclic software well explored

 Different approaches for event based models, even not 1 to 1 translation

Still lot to do



Thank you for your attention

 $C \ \mathsf{L} \ \mathsf{E} \ \mathsf{A} \ \mathsf{R} \ S \ \mathsf{Y}$  System Engineering