An Approach to Modelling and Refining Timing Properties in B

The work described in this extended abstract is being undertaken as part of the EU-funded MATISSE project (IST-1999-11435). One of the major case studies of MATISSE involves the application of the B Method [2] to a railway control system. The emphasis of the work is on system-level modelling and analysis. This means we are not just modelling pieces of control software in B, but we are using B to model relevant aspects of an entire network. For example, a system-level model would include physical connections between track sections, the positions of trains in terms of the sections they currently occupy, and under what system-level conditions the emergency brakes should be applied to ensure safety. This system-level model has been decomposed and refined into distributed trackside and on-board controllers with messages passing between them. This allows us to derive the software specifications for the individual controllers in a way that increases our confidence that the combination of the software and physical components achieves the desired system-level safety properties. While taking a systems approach to the development of the railway controllers, it became clear that it was important to model timing constraints in some form. For example, without any model of time we could represent a requirement on the emergency brakes in B in one of two forms: