SD3049 Formal Methods. Formal Methods Module Leader Dr Aaron Kans ([email protected])
SD3049 Formal Methods
-
Formal Methods
Module Leader
Dr Aaron Kans ([email protected])
-
What is this module about?
-
What is this module about?
Ariane 5 rocket crash
-
What is this module about?
Developing software like an ENGINEER
-
High Integrity Software Development
By the end of this lecture you should be able to:
define the term high integrity software;
distinguish between different types of critical software;
identify the weaknesses of testing as an approach to software verification;
identify the weaknesses of natural language specifications;
distinguish between formal and informal methods of software development.
-
Introduction
Often software is integrated into a mechanical or electronic system. Such software is known as embedded software.
The costs of software failure in these systems can be dangerously high, so we require a higher degree of confidence in the correctness of the software.
Such software is known as HIGH INTEGRITY SOFTWARE.
-
Critical Software
business critical software
mission critical software
safety critical software
-
Integrity Levels
(diagram: Integrity level 5 ... Integrity level 1)
-
The importance of the specification
(diagram: TESTING, SPECIFICATION)
-
Limitations of Testing
Testing cannot take place until some implementation is available.
Testing can only help to uncover errors; it cannot guarantee the absence of them.
Testing is always carried out with respect to requirements as laid down in the specification.
-
UML: a review
BankAccount
accountNumber: String
accountName: String
balance: Real
deposit(Real)
withdraw(Real): Boolean
currentBalance(): Real
-
Weakness of natural language specifications
Withdraw: Receives a requested amount to withdraw from the bank account and, if there are sufficient funds in the account, meets the request. Returns a boolean value indicating success or failure of the attempt to withdraw money from the account.
Natural language descriptions do not have a fixed meaning; they are ambiguous.
These notations do not have a fixed semantics.
-
Incomplete specifications
A specification can be considered incomplete when the behaviour is not completely defined.
Withdraw: Receives a requested amount to withdraw from the bank account and, if there are sufficient funds in the account, meets the request. Returns a boolean value indicating success or failure of the attempt to withdraw money from the account.
-
Inconsistent specifications
A specification is inconsistent when it contains within it contradictions.
Withdraw: Receives a requested amount to withdraw from the bank account and, if there are sufficient funds in the account, meets the request. Returns a boolean value indicating success or failure of the attempt to withdraw money from the account.
OVERDRAFT?
-
Formal languages
It is desirable to use a specification notation with a fixed, unambiguous semantics. Notations that have a fixed semantics are known as formal notations, or formal languages. A fixed semantics is achieved by defining a language in a completely unambiguous way using a mathematical framework.
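As an added illustration (not part of the lecture slides): the withdraw operation from the BankAccount slides written as an explicit precondition and postcondition in Python, with two implementations checked against it. The account values, the function names and the no-overdraft reading of the specification are assumptions made for this example.

```python
"""Formalising the ambiguous natural-language 'withdraw' specification.

Constructed example: the slide text leaves open whether an overdraft is
allowed and what happens to the balance on failure. Stating withdraw as a
precondition on the state before the call and a postcondition relating the
before and after states removes that ambiguity, and lets any implementation
be checked against the specification rather than against prose.
"""
from dataclasses import dataclass


@dataclass
class BankAccount:
    account_number: str
    account_name: str
    balance: float


def withdraw_pre(before: BankAccount, amount: float) -> bool:
    """Precondition: a non-negative amount is requested (assumed here)."""
    return amount >= 0


def withdraw_post(before: BankAccount, after: BankAccount,
                  amount: float, result: bool) -> bool:
    """Postcondition (no-overdraft reading, an assumption of this example):
    sufficient funds -> balance reduced by amount and result True;
    insufficient funds -> balance unchanged and result False."""
    if amount <= before.balance:
        return result is True and after.balance == before.balance - amount
    return result is False and after.balance == before.balance


def withdraw(acct: BankAccount, amount: float) -> bool:
    """Implementation intended to satisfy the postcondition above."""
    if amount > acct.balance:
        return False
    acct.balance -= amount
    return True


def withdraw_overdraft(acct: BankAccount, amount: float) -> bool:
    """The other reading of the same prose: the request is always met."""
    acct.balance -= amount
    return True


def satisfies_spec(impl, start_balance: float, amount: float) -> bool:
    """Run impl on a fresh (constructed) account and check it against the spec."""
    before = BankAccount("0001", "A. Customer", start_balance)
    after = BankAccount("0001", "A. Customer", start_balance)
    if not withdraw_pre(before, amount):
        return True  # outside the precondition the spec promises nothing
    result = impl(after, amount)
    return withdraw_post(before, after, amount, result)
```

Both implementations agree on the sufficient-funds case; only the formal postcondition exposes that they disagree on the OVERDRAFT? case.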
-
Formal Methods
(diagram: initial formal specification -> 1st transformation -> 2nd transformation -> ... -> nth transformation -> final program)
A formal method includes a proof system for demonstrating that each transformation preserves the formal meaning captured in the previous step.
-
Advantages of formal methods
generates good test cases;
increases confidence that the specification accurately captures the real system requirements;
important properties of the initial specification can be checked mathematically;
proofs can help uncover design errors as soon as they are made;
a proof of program correctness can be constructed.
-
Classifying formal methods
(table, classified along two axes: Algebraic / Model-based, and Sequential systems / Concurrent systems)
Larch
Vienna Development Method (VDM)
Z
B
Calculus of Communicating Systems (CCS)
OBJ
Prototype Verification System (PVS)
Communicating Sequential Processes (CSP)