Applying Reenement in an Industrial Pilot Project Using Cogito Applying Reenement in an Industrial Pilot Project Using Cogito

This paper reports on a collaborative industrial pilot project on the use of formal methods in the development of safety-related software. In particular we report on our experiences with the use of the reenement techniques ooered by the Cogito methodology as part of the pilot project. The project focused on a software subsystem of a testing device that determines the operational status of a piece of equipment. The software determines appropriate scheduling of tests as well as controlling the communication between the testing device and the equipment unit under test. Development also addressed the issue of assuring that speciic safety-criteria were met by the test unit, for example, if any unit failed any single test then that unit must be determined to be faulty. The use of formal development techniques in this project included: the formulation of a top-level speciication; the validation of various safety criteria; and construction of a detailed design using data reenement techniques. The Cogito methodology and system has been used extensively throughout the project to provide tool support for these formal development tasks. This paper reports on two main aspects: Experience with reenement from an industrial perspective. The system being developed is a real system and the industrial developers had little prior experience with formal methods. The approach required signiicant eeort in training and technology transfer. We report on the relative success of the technology transfer eeort. Technical issues encountered during development. The testing device is a \control inten-sive" application whereas the Cogito methodology is more suited to modelling data-oriented systems (involving state). This orientation shift induced a number of \inconveniences" at diierent stages of development. To overcome these problems alternative development strategies were sought. In hindsight we believe a number of improvements in these strategies are achievable.