The landing gear system in multi-machine Hybrid Event-B

Abstract: A system development case study problem based on a set of aircraft landing gear is examined in Hybrid Event-B (an extension of Event-B that includes provision for continuously varying behaviour as well as the usual discrete changes of state). Although tool support for Hybrid Event-B is currently lacking, the complexity of the case study provides a valuable challenge for the expressivity and modelling capabilities of the Hybrid Event-B formalism. The size of the case study, and in particular, the number of over… Show more

“…They have been modelled faithfully by the patterns just described since the blood pump has been modelled in reasonable detail. 5 Of the rest, R-5 to R-11 and R-14 to R-17 also concern initiation/connection, involve the blood pump, and fit the patterns described. Of these, R-11 is modelled (though not the switching off of the blood pump, since it is unclear from the various parts of [16] when exactly the pump is to be switched on or off during initiation/connection).…”

“…without the faults derailing the strategy to an unconvincing degree. This aspects is to be contrasted with the landing gear case study treated in [3,5], where (and especially in [5]) great benefit was derived from focusing first on the nominal development, and then incorporating the faulty regime, using retrenchment [10,9,8]. There, the various levels of fault tolerance would have made a flat treatment unhelpfully complex.…”

Hemodialysis Machine in Hybrid Event-B

“…They have been modelled faithfully by the patterns just described since the blood pump has been modelled in reasonable detail. 5 Of the rest, R-5 to R-11 and R-14 to R-17 also concern initiation/connection, involve the blood pump, and fit the patterns described. Of these, R-11 is modelled (though not the switching off of the blood pump, since it is unclear from the various parts of [16] when exactly the pump is to be switched on or off during initiation/connection).…”

“…without the faults derailing the strategy to an unconvincing degree. This aspects is to be contrasted with the landing gear case study treated in [3,5], where (and especially in [5]) great benefit was derived from focusing first on the nominal development, and then incorporating the faulty regime, using retrenchment [10,9,8]. There, the various levels of fault tolerance would have made a flat treatment unhelpfully complex.…”

Hemodialysis Machine in Hybrid Event-B

“…This gave rise to the need for a number of tIIi's distributed around the various interfaces. The case study was revisited and extended in [8], and this time the earlier modelling decisions were overturned and a hypergraph architecture as we recommend here emerged naturally. It proved possible to eliminate all use of tIIi's thereby.…”

“…Larger case studies have already been mentioned: [7,8,10]. The case studies here are restricted to a small development done in discrete Event-B in Section 10.1, and, in Section 10.2, there is a reexamination of the European Train Control System, first examined using Hybrid Event-B as a single machine in PaperI.…”

“…16. 8 Observe that if all the train variables τ. lived in the TrainController (train) machine, and all the movement authority variables m. lived in the RadioBlockController (RBC) machine, then if we put inv9 into the RBC machine, then we would have to existentially quantify the train variables in inv9. While it is one thing to say that values for the train variables exist that make inv9 true, it is quite another to say that the current train variable values do so.…”

Core Hybrid Event-B II: Multiple cooperating Hybrid Event-B machines

A Simple Hybrid Event-B Model of an Active Control System for Earthquake Protection