Lessons Learned/Sharing the Experience of Developing a Metro System Case Study
In this document we share the experiences gained throughout the development of a metro system case study. The model is constructed in Event-B using its respective tool set, the Rodin platform. Starting from requirements and adding detail to the model in a stepwise manner through refinement, we identify some key points and the available plug-ins needed for modelling large systems (requirements engineering, decomposition, generic instantiation, among others), note which ones are lacking, and discuss the strengths and weaknesses of the tool.
💡 Research Summary
The paper presents a comprehensive case study of developing a metro system using the formal method Event‑B and the Rodin platform. Beginning with the capture and formalization of system requirements, the authors employ the Requirements Engineering plug‑in to map textual specifications to Event‑B contexts and machines, ensuring traceability and early detection of conflicting requirements. The model is then refined step‑by‑step: an initial abstract machine captures high‑level events such as train departure, arrival, and door operations. Subsequent refinements decompose the system into logical subsystems—train control, signaling, and passenger flow—using Rodin’s Decomposition plug‑in. Each subsystem is modeled as an independent machine, sharing interface variables through contexts, which preserves consistency across refinements. Proof obligations (POs) generated during refinement are largely discharged automatically, but complex concurrency and timing constraints require manual proof assistance; the authors mitigate this by inserting proof hints and restructuring problematic parts of the model.
To address the repetitive nature of metro control logic across multiple track sections, the study leverages the Generic Instantiation plug‑in. A parameterized template machine is defined, with parameters such as section identifier, length, and speed limits. Instantiating this template for each section dramatically reduces model size (by over 30 %) and simplifies change management, as updates to parameters propagate automatically throughout the system.
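As an added illustration, not taken from the paper's model, the following Event-B sketch shows the shape of a section template of the kind described: the context parameterizes a section by identifier, length and speed limit, and the machine keeps a train's speed within the limit of the section it occupies. All names (SectionTemplate, SECTIONS, speedLimit, pos, speed, the events) are assumptions made for this example.

```eventb
CONTEXT SectionTemplate_ctx
  SETS
    SECTIONS          // section identifiers (template parameter)
  CONSTANTS
    length            // track length per section (template parameter)
    speedLimit        // permitted speed per section (template parameter)
  AXIOMS
    axm1: length ∈ SECTIONS → ℕ1
    axm2: speedLimit ∈ SECTIONS → ℕ1
END

MACHINE SectionTemplate
  SEES SectionTemplate_ctx
  VARIABLES
    pos     // section currently occupied by the train
    speed   // current speed of the train
  INVARIANTS
    inv1: pos ∈ SECTIONS
    inv2: speed ∈ ℕ
    inv3: speed ≤ speedLimit(pos)   // safety property every event must preserve
  EVENTS
    INITIALISATION ≙
      THEN
        act1: pos :∈ SECTIONS
        act2: speed ≔ 0                // 0 ≤ speedLimit(pos) since limits are in ℕ1
      END
    accelerate ≙
      ANY s WHERE
        grd1: s ∈ ℕ
        grd2: speed < s
        grd3: s ≤ speedLimit(pos)      // guard that discharges the inv3 proof obligation
      THEN
        act1: speed ≔ s
      END
    enterSection ≙
      ANY n WHERE
        grd1: n ∈ SECTIONS
        grd2: n ≠ pos
        grd3: speed ≤ speedLimit(n)    // may only enter a section whose limit is respected
      THEN
        act1: pos ≔ n
      END
END
```

Instantiating the template for a concrete track section means supplying a concrete carrier set and concrete length and speedLimit values for the context, rather than copying the machine by hand.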
The authors evaluate the strengths and weaknesses of the Rodin toolset in the context of a large‑scale system. Strengths include a rich ecosystem of plug‑ins, a powerful automatic prover that catches many errors early, and effective support for hierarchical decomposition, which aids in managing complexity. However, several limitations are identified: (1) performance degradation of the automatic prover on large models, leading to long proof times; (2) incompatibilities and unclear interfaces among plug‑ins, causing integration difficulties; (3) a lack of visualization and simulation capabilities, which hampers communication with non‑technical stakeholders; and (4) insufficient support for reasoning about concurrency and real‑time constraints, forcing reliance on manual proofs.
Based on these observations, the paper proposes concrete directions for future work. Enhancing the prover with more sophisticated algorithms and possibly cloud‑based distributed proof services could alleviate performance bottlenecks. Standardizing plug‑in interfaces through a unified integration framework would improve compatibility and reuse. Developing graphical extensions for model visualization and simulation would bridge the gap between formal engineers and domain experts. Finally, dedicated extensions for timed and concurrent Event‑B (e.g., a Timed Event‑B plug‑in) would provide native support for the temporal aspects intrinsic to metro operations.
In summary, the case study demonstrates that Event‑B and Rodin can be effectively applied to the development of complex transportation infrastructure, provided that tool support is extended in the areas of proof automation, plug‑in interoperability, visualization, and time‑aware modeling. The lessons learned and recommendations offered aim to guide both practitioners and tool developers toward more scalable and user‑friendly formal development environments.