Dependability-Explicit Engineering with Event-B: Overview of Recent Achievements
Event-B has been actively used within the EU Deploy project to model dependable systems from various application domains. As a result, we have created a number of formal approaches to explicitly reason about dependability in the refinement process. In this paper we overview the work on formal engineering of dependable systems carried out in the Deploy project. We outline our approaches to integrating safety analysis into the development process, modelling fault-tolerant systems and probabilistic dependability evaluation. We discuss achievements and challenges in the development of dependable systems within the Event-B framework.
💡 Research Summary
The paper presents a comprehensive overview of the research carried out within the EU Deploy project on dependability‑explicit engineering using the Event‑B formal method. Event‑B’s refinement‑based development process is leveraged to make safety, reliability, and security properties explicit throughout system design. The authors describe three main contributions. First, they integrate traditional safety‑analysis techniques such as Failure Mode and Effects Analysis (FMEA) and Fault Tree Analysis directly into the Event‑B refinement chain. Hazard modes are modeled as events and variables, while mitigation actions appear as new events or guard conditions. This embedding ensures that safety requirements are automatically propagated and re‑verified at each refinement step. Second, they develop a systematic approach for modeling fault‑tolerant systems. Redundancy, reconfiguration, and recovery mechanisms are expressed as “fault‑handler” events that activate alternative behaviours when a failure is detected. The refinement process is used to prove that these handlers preserve the overall safety invariants, thereby guaranteeing that fault tolerance is built into the design from the earliest abstract model. Third, they extend Event‑B with probabilistic constructs to enable quantitative dependability evaluation. Probabilistic parameters are introduced as variables with associated probability distributions; from these, Markov chains are derived and linked to external probabilistic model‑checking tools such as PRISM. This integration allows automatic computation of reliability, availability, and mean time to recovery metrics, and the preservation of statistical properties across refinements is formally proved.
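The fault-handler idea above, as an added illustration that is not code from the paper or the Rodin tool set: a constructed Event-B-style machine for a two-sensor controller whose `reconfigure` event switches to the backup sensor, with the safety invariant and deadlock freedom checked by exhaustive state enumeration in place of Rodin proof obligations. All names, states and events are assumptions of this example; the `guarded_handler=False` variant shows how a handler that skips the backup-health guard is caught.

```python
OK, FAILED = "ok", "failed"
NORMAL, RECOVERING, DEGRADED, SAFE_STOP = "normal", "recovering", "degraded", "safe_stop"
SENSORS = (0, 1)
# Constructed state (status0, status1, active sensor, mode); INIT is the INITIALISATION event.
INIT = (OK, OK, 0, NORMAL)

def invariant(state):
    """Safety invariant (the INV obligation): whenever the controller is
    producing output, the sensor it reads from is healthy."""
    s, active, mode = state[:2], state[2], state[3]
    return mode not in (NORMAL, DEGRADED) or s[active] == OK

def events(state, guarded_handler=True):
    """Yield (event name, next state) for every event whose guard holds.
    guarded_handler=False drops the backup-health guard from the fault handler."""
    s, active, mode = list(state[:2]), state[2], state[3]
    other = 1 - active
    for i in SENSORS:
        # detect_failure(i): at this abstraction level a failure is detected the
        # moment it occurs and suspends control until a handler event runs
        if s[i] == OK and mode in (NORMAL, DEGRADED):
            t = s.copy(); t[i] = FAILED
            yield f"detect_failure({i})", (t[0], t[1], active, RECOVERING)
    if mode == RECOVERING:
        # reconfigure: the fault handler, switching to the backup sensor
        if s[active] == FAILED and (s[other] == OK or not guarded_handler):
            yield "reconfigure", (s[0], s[1], other, DEGRADED)
        # resume: the backup was lost but the active sensor is still healthy
        if s[active] == OK:
            yield "resume", (s[0], s[1], active, DEGRADED)
        # shutdown: no healthy sensor left, so fail safe
        if s[0] == FAILED and s[1] == FAILED:
            yield "shutdown", (s[0], s[1], active, SAFE_STOP)

def explore(guarded_handler=True):
    """Enumerate all reachable states; return (reachable, invariant violations,
    deadlocked non-safe states), mirroring Event-B's invariant preservation and
    relative deadlock freedom obligations."""
    seen, frontier, violations = {INIT}, [INIT], []
    while frontier:
        st = frontier.pop()
        for name, nxt in events(st, guarded_handler):
            if nxt not in seen:
                seen.add(nxt)
                frontier.append(nxt)
                if not invariant(nxt):
                    violations.append((name, nxt))
    deadlocks = [st for st in seen
                 if st[3] != SAFE_STOP and not any(events(st, guarded_handler))]
    return seen, violations, deadlocks
```

Calling `explore()` reports no violations and no deadlocks, while `explore(False)` reaches states where the controller reads a failed sensor and then stalls, which is exactly what a refinement proof of the unguarded handler would fail to discharge.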
The paper details the tool support built on the Rodin platform, including plugins for safety‑analysis extraction, fault‑tolerance modelling, and probabilistic extensions. These plugins automate the generation of hazard events, insert safety guards during refinement, manage probabilistic parameters, and visualise verification results. The methodology is validated through three industrial case studies: an avionics control system, a railway signalling system, and a medical device. In the avionics case, multi‑sensor fusion and automatic recovery logic are modelled, demonstrating that safety invariants hold throughout refinement. In the railway case, the fault‑handler events enable seamless switching to backup signalling paths, and probabilistic analysis yields an overall availability of 99.999 %. The medical device case shows compliance with IEC 62304 and ISO 14971 by formally capturing risk modes and mitigation actions.
Results indicate that (1) safety and reliability requirements can be made explicit and automatically maintained during refinement, (2) fault‑tolerant designs can be formally verified within the same framework, and (3) quantitative dependability metrics can be derived without leaving the Event‑B environment. However, the authors acknowledge several challenges. Model size explosion leads to state‑space blow‑up and increased proof obligations, especially when probabilistic extensions are added. The accuracy of probabilistic assessments depends heavily on the quality of parameter estimation, which often relies on expert judgment or limited empirical data. Moreover, the current tool extensions are tailored to specific domains, limiting their immediate applicability to other sectors without further abstraction and interface work.
In conclusion, the paper demonstrates that Event‑B can serve as a unified formal platform for dependability‑explicit engineering, integrating safety analysis, fault‑tolerance design, and probabilistic evaluation. Future work is directed toward automated probabilistic parameter inference, scalable proof automation for large models, and interoperability with other formal methods such as TLA⁺ and Alloy, thereby broadening the applicability of the approach across diverse safety‑critical domains.