Dr Peter Gorm Larsen
Associate Professor
University College of Aarhus +
PGL Consult
• Theoretical Work
– VDM-SL Semantics (ISO standard)
– VDM-SL Proof Rules (PhD work)
• More Practical Work
– VDM and SA in combination
– IFAD VDMTools
– Transfer VDM to Industry
– Intensive industrial use
• Employed by
– For 13 years: IFAD
– For 3.5 years: Systematic
– Now:
• University College of Aarhus and
• PGL Consult
Ingeniørhøjskolen i Århus
• VDM-SL and VDM++
– ISO Standardisation of VDM-SL
– VDM++ is an object-oriented extension
• Model-oriented specification:
– Simple, abstract data types
– Invariants to restrict membership
– Functional specification:
• Referentially transparent functions
• Operations with side effects on state variables
• Implicit specification (pre/post)
• Explicit specification (functional or imperative)
• Underdeterminedness and non-determinism
class <class-name>
  instance variables                   -- Internal object state
  ...
  types values functions operations    -- Definitions
  ...
  thread                               -- Dynamic behaviour
  ...
  sync                                 -- Synchronization control
  ...
end <class-name>
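The VDM++ class below is an added illustration, not code from these slides or from IFAD's VDMTools, that fills in the class skeleton above with a small hypothetical message gateway (every name in it is constructed). It exercises the specification features listed on the previous slide: an abstract record type with an invariant, an explicit function, an implicit function given only by a post-condition, operations with side effects and pre/post-conditions, a state invariant on the instance variables, and the thread and sync sections. Operations with explicit bodies are interpretable; the implicit Filter is specification only.

```vdm
-- Hypothetical classification-aware message gateway (constructed illustration)
class Gateway

types
  -- Simple abstract data types: an enumerated classification and a record
  public Level = <Unclassified> | <Restricted> | <Secret>;

  public Message ::
    src   : seq1 of char      -- non-empty sender identifier
    level : Level
    body  : seq of char
  -- Invariant restricting membership of the type
  inv m == len m.body <= MaxBody;

values
  MaxBody : nat = 1024;

instance variables
  -- Internal object state
  clearance : Level;                    -- clearance of the outbound channel
  outbox    : seq of Message := [];     -- accepted messages, in arrival order
  rejected  : nat := 0;                 -- audit counter for refused messages
  -- State invariant: nothing above the channel clearance is ever queued
  inv forall m in set elems outbox & Dominates(clearance, m.level);

functions
  -- Explicit (functional) specifications
  public Rank : Level -> nat
  Rank(l) ==
    cases l:
      <Unclassified> -> 0,
      <Restricted>   -> 1,
      <Secret>       -> 2
    end;

  public Dominates : Level * Level -> bool
  Dominates(hi, lo) == Rank(hi) >= Rank(lo);

  -- Implicit specification: the result is fixed by its post-condition only
  public Filter(c : Level, ms : seq of Message) r : seq of Message
  post r = [ms(i) | i in set inds ms & Dominates(c, ms(i).level)];

operations
  -- Constructor
  public Gateway : Level ==> Gateway
  Gateway(c) == clearance := c;

  -- Operation with side effects on the state; pre/post state the contract
  public Submit : Message ==> bool
  Submit(m) ==
    if Dominates(clearance, m.level)
    then (outbox := outbox ^ [m]; return true)
    else (rejected := rejected + 1; return false)
  post (RESULT => outbox = outbox~ ^ [m] and rejected = rejected~) and
       (not RESULT => outbox = outbox~ and rejected = rejected~ + 1);

  -- Dequeue the oldest accepted message; the caller must ensure non-emptiness
  public Forward : () ==> Message
  Forward() ==
    (dcl m : Message := hd outbox;
     outbox := tl outbox;
     return m)
  pre outbox <> [];

  -- Delivery to the outbound channel is left unspecified at this level
  public Deliver : Message ==> ()
  Deliver(-) == is not yet specified;

thread
  -- Dynamic behaviour: drain the outbox forever; Forward blocks under the
  -- permission predicate below until a message is queued
  while true do
    def m = Forward() in Deliver(m);

sync
  -- Synchronisation control
  per Forward => outbox <> [];
  mutex(Submit, Forward);

end Gateway
```

The state invariant is the security property of interest: because Submit only appends messages the clearance dominates, the invariant holds after every operation, and a tool that checks invariants at run time would flag any future change to Submit that breaks it.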
• The VDM-SL Toolbox
• The VDM++ Toolbox
• Different experimental extensions:
– Reverse engineering from Java to VDM++
– PROSPER for proof support on top of VDM-SL
– VICE for support for real-time systems
Syntax & Type Checker
Integrity Checker
The Rose-VDM++ Link
Interpreter (Debugger)
Document Generator
API (Corba), DL Facility
Code Generators (C++, Java)
More than 150 clients world-wide in 2001
France: Aerospatiale Espace et Defense, Dassault Aviation, Dassault Electronique, CISI CEA et Defense, CEA Leti, Cap Gemini, LAAS, Matra Bae Dynamics
Italy: ENEA, Ansaldo
The Netherlands: Dutch Dept. of Defence, Origin, Chess
Portugal: Sidereus
U.K.: British Aerospace Systems & Equipment, British Aerospace Defense, Adelard, ICL Enterprise Engineering, Rolls Royce, Transitive Technologies
Denmark: Baan Nordic, Odense Steel Shipyard, DDC International
North America: Boeing, Rockwell Collins, Lockheed Martin, DDC-I, Inc., Rational Software Corp., Formal Systems Inc., Concordia University
Japan: RTRI (Japan Railways), JFITS
Germany: GAO mbH
• VDM-SL Static Semantics (7 slides)
• VDM-SL Domain Universe (12 slides)
• VDM-SL Dynamic Semantics (32 slides)
• Unfortunately using old legacy technology
• Organisation: British Aerospace (UK)
• Domain: Security (gateway)
• Tools: The IFAD VDM-SL Toolbox
• Experience:
– Prevented propagation of error
– Successful technology transfer
– At least 4 more applications without support
• Statements:
– “Engineers can learn the technique in one week”
– “VDMTools can be integrated gradually into a traditional existing development process”
• Organisation: Adelard (UK)
• Domain: Safety (dust explosives)
• Tools: The IFAD VDM-SL Toolbox
• Experience:
– Delivered on time at expected cost
– Large VDM-SL specification
– Testing support valuable
• Statement:
– “Using VDMTools we have achieved a productivity and fault density far better than industry norms for safety related systems”
Initial requirements      450 pages
VDM specification         16 kloc (31 modules)   12 kloc (excl. comments)
Prolog implementation     37 kloc                16 kloc (excl. comments)
C++ GUI implementation    23 kloc                18 kloc (excl. comments)
• 31 faults in Prolog and C++ (< 1/kloc)
• Most minor, only 1 safety-related
• 1 (small) design error, rest in coding
• Organisation: Baan (Denmark)
• Domain: Constraint solver (Sales Configuration)
• Tools: The IFAD VDM-SL Toolbox
• Experience:
– Common understanding
– Faster route to prototype
– Earlier testing
• Statement:
– “VDMTools has been used in order to increase quality and reduce development risks on high complexity products”
• Organisation: Origin, The Netherlands
• Domain: Military
• Tools: The IFAD VDM-SL Toolbox
• Experience:
– Higher level of assurance
– Mastering of complexity
– Delivered at expected cost and on schedule
– No errors detected in code after delivery
• Statement:
– “We chose VDMTools because of high demands on maintainability, adaptability and reliability”
            spec   manual impl   automatic impl   test   total
code kloc     15             4               90     NA      94
hours       1196           471                0    612    2279
loc/hour      13           8.5               NA     NA    41.2
• Estimated 12 C++ loc/h with manual coding!
Cost comparison (hours), traditional process vs. VDMTools:
                     Traditional   VDMTools
Analysis & design            900       1200
Coding                      2000        500
Testing                      700        600
Total cost                  100%        64%
• Organisation: GAO, Germany
• Domain: Bank note processing
• Tools: The IFAD VDM-SL Toolbox
• Experience:
– Better understanding of sensor data
– Errors identified in other code
– Savings on maintenance
• Statement:
– VDMTools provides unparalleled support for design abstraction ensuring quality and control throughout the development life cycle.
• Organisation: Chess, The Netherlands
• Domain: Financial transactions
• Tools: The IFAD VDM++ Toolbox
• Experience:
– Successful combination of UML and VDM++
– Use iterative process to gain client commitment
– Implementers did not even have a VDM course
• Statement:
– “The link between VDMTools and Rational Rose is essential for understanding the UML diagrams”
• Organisation: CS-CI, France
• Domain: Space (payload for SPOT4 satellite)
• Tools: The IFAD VDM-SL Toolbox
• Experience:
– 38% fewer lines of source code
– 36% less overall effort
– Use of automatic C++ code generation
• Statement:
The cost of applying Formal methods is significantly lower than without them.
• Domain: Railways (database and interlocking)
• Experience:
– Prototyping important
– Now also using it for ATC system
• Engineer working at IFAD for two years with PROSPER proof support
• Organisation: JFITS (CSK group company), Japan
• Domain: Financial
• Tools: The IFAD VDM++ Toolbox
• Reason for CSK to purchase VDMTools:

Tax exemption    COCOMO                 Realized
Effort           38.5 person months     14 person months
Schedule         9 months               3.5 months

Options          COCOMO                 Realized
Effort           147.2 person months    60.1 person months
Schedule         14.3 months            7 months
• Organisation: Boeing
• Domain: Avionics
• Tools: The IFAD VDM++ Toolbox
• Included development of Java to VDM++ reverse engineering feature
• Organisation: Transitive Technologies, UK
• Domain: Embedded
• Tools: The IFAD VDM-SL Toolbox
• Making software independent of hardware platform
• P.G. Larsen, J. Fitzgerald and T. Brookes. Applying Formal Specification in Industry. IEEE Software, vol. 13, no. 3, May 1996.
• S. Agerholm and P.G. Larsen. A Lightweight Approach to Formal Methods. In Proceedings of the International Workshop on Current Trends in Applied Formal Methods, Boppard, Germany, Springer-Verlag, October 1998.
• P. Smith and P.G. Larsen. Applications of VDM in Banknote Processing; A. Puccetti and J.Y. Tixadou. Application of VDM-SL to the Development of the SPOT4 Programming Messages Generator; M. Verhoef et al. Formal Specification of an Auctioning System Using VDM++ and UML. All published at the First VDM Workshop: VDM in Practice, held with the FM'99 Symposium, Toulouse, France, September 1999.