- Formal methods
In
computer science andsoftware engineering , formal methods are particular kind ofmathematically -based techniques for the specification, development and verification ofsoftware andhardware systems.cite web|author=R. W. Butler|title=What is Formal Methods?|url=http://shemesh.larc.nasa.gov/fm/fm-what.html|date=2001-08-06|accessdate=2006-11-16] The use of formal methods for software and hardware design is motivated by the expectation that, as in other engineering disciplines, performing appropriate mathematical analyses can contribute to the reliability and robustness of a design. [cite paper|author=C. Michael Holloway|title=Why Engineers Should Consider Formal Methods|url=http://klabs.org/richcontent/verification/holloway/nasa-97-16dasc-cmh.pdf| publisher=16th Digital Avionics Systems Conference (27-30 October 1997)|accessdate=2006-11-16] However, the high cost of using formal methods means that they are usually only used in the development of high-integrity systems, [cite paper|author= M. Archer, C. Heitmeyer and E. Riccobene|title= Proving invariants of I/O automata with TAME|publisher= Automated Software Engineering, 9, 201-232 (2002)] wheresafety orsecurity is important.Taxonomy
Formal methods can be used at a number of levels:
Level 0:
Formal specification may be undertaken and then a program developed from this informally. This has been dubbed "formal methods lite". This may be the most cost-effective option in many cases.Level 1: Formal development and
formal verification may be used to produce a program in a more formal manner. For example, proofs of properties or refinement from the specification to a program may be undertaken. This may be most appropriate in high-integrity systems involvingsafety orsecurity .Level 2:
Theorem prover s may be used to undertake fully formal machine-checked proofs. This can be very expensive and is only practically worthwhile if the cost of mistakes is extremely high (e.g., in critical parts of microprocessor design).Further information on this is expanded below.
As with the sub-discipline of programming language semantics, styles of formal methods may be roughly classified as follows:
*
Denotational semantics , in which the meaning of a system is expressed in the mathematical theory of domains. Proponents of such methods rely on the well-understood nature of domains to give meaning to the system; critics point out that not every system may be intuitively or naturally viewed as a function.
*Operational semantics , in which the meaning of a system is expressed as a sequence of actions of a (presumably) simpler computational model. Proponents of such methods point to the simplicity of their models as a means to expressive clarity; critics counter that the problem of semantics has just been delayed (who defines the semantics of the simpler model?).
*Axiomatic semantics , in which the meaning of the system is expressed in terms ofprecondition s andpostcondition s which are true before and after the system performs a task, respectively. Proponents note the connection to classicallogic ; critics note that such semantics never really describe what a system "does" (merely what is true before and afterwards).Lightweight formal methods
Some practitioners believe that the formal methods community has overemphasized full formalization of a specification or design. [Daniel Jackson and Jeannette Wing, [http://people.csail.mit.edu/dnj/publications/ieee96-roundtable.html "Lightweight Formal Methods"] , "IEEE Computer", April 1996] [Vinu George and Rayford Vaughn, [http://www.stsc.hill.af.mil/crosstalk/2003/01/George.html "Application of Lightweight Formal Methods in Requirement Engineering"] , "Crosstalk: The Journal of Defense Software Engineering", January 2003] They contend that the expressiveness of the languages involved, as well as the complexity of the systems being modelled, make full formalization a difficult and expensive task. As an alternative, various "lightweight" formal methods, which emphasize partial specification and focused application, have been proposed. Examples of this lightweight approach to formal methods include the Alloy object modelling notation, [Daniel Jackson, [http://people.csail.mit.edu/dnj/publications/alloy-journal.pdf "Alloy: A Lightweight Object Modelling Notation"] , "ACM Transactions on Software Engineering and Methodology (TOSEM)", Volume 11, Issue 2 (April 2002), pp. 256-290] Denney's synthesis of some aspects of the
Z notation withuse case driven development, [Richard Denney, "Succeeding with Use Cases: Working Smart to Deliver Quality", Addison-Wesley Professional Publishing, 2005, ISBN 0-321-31643-6.] and the CSK VDM Tools. [Sten Agerholm and Peter G. Larsen, [http://home0.inet.tele.dk/pgl/fmtrends98.pdf "A Lightweight Approach to Formal Methods"] , In "Proceedings of the International Workshop on Current Trends in Applied Formal Methods", Boppard, Germany, Springer-Verlag, October 1998]Uses
Formal methods can be applied at various points through the development process. (For convenience, we use terms common to the
waterfall model , though any development process could be used.)pecification
Formal methods may be used to give a description of the system to be developed, at whatever level(s) of detail desired. This formal description can be used to guide further development activities (see following sections); additionally, it can be used to verify that the requirements for the system being developed have been completely and accurately specified.
The need for formal specification systems has been noted for years. In the
ALGOL 60 Report,John Backus presented a formal notation for describing programming language syntax (later namedBackus normal form orBackus-Naur form (BNF)); Backus also described the need for a notation for describing programming language semantics. The report promised that a new notation, as definitive as BNF, would appear in the near future; it never appeared.Development
Once a formal specification has been developed, the specification may be used as a guide while the concrete system is developed (i.e. realized in software and/or hardware). Examples:
* If the formal specification is in an operational semantics, the observed behavior of the concrete system can be compared with the behavior of the specification (which itself should be executable or simulateable). Additionally, the operational commands of the specification may be amenable to direct translation into executable code.
* If the formal specification is in an axiomatic semantics, the preconditions and postconditions of the specification may become assertions in the executable code.Verification
Once a formal specification has been developed, the specification may be used as the basis for proving properties of the specification (and hopefully by inference the developed system).
Human-directed proof
Sometimes, the motivation for proving the correctness of a system is not the obvious need for re-assurance of the correctness of the system, but a desire to understand the system better. Consequently, some proofs of correctness are produced in the style of
mathematical proof : handwritten (or typeset) usingnatural language , using a level of informality common to such proofs. A "good" proof is one which is readable and understandable by other human readers.Critics of such approaches point out that the
ambiguity inherent in natural language allows errors to be undetected in such proofs; often, subtle errors can be present in the low-level details typically overlooked by such proofs. Additionally, the work involved in producing such a good proof requires a high level of mathematical sophistication and expertise.Automated proof
In contrast, there is increasing interest in producing proofs of correctness of such systems by automated means. Automated techniques fall into two general categories:
*Automated theorem proving , in which a system attempts to produce a formal proof from scratch, given a description of the system, a set of logical axioms, and a set of inference rules.
*Model checking , in which a system verifies certain properties by means of an exhaustive search of all possible states that a system could enter during its execution.Neither of these techniques work without human assistance. Automated theorem provers usually require guidance as to which properties are "interesting" enough to pursue; model checkers can quickly get bogged down in checking millions of uninteresting states if not given a sufficiently abstract model.
Proponents of such systems argue that the results have greater mathematical certainty than human-produced proofs, since all the tedious details have been algorithmically verified. The training required to use such systems is also less than that required to produce good mathematical proofs by hand, making the techniques accessible to a wider variety of practitioners.
Critics note that such systems are like oracles: they make a pronouncement of truth, yet give no explanation of that truth. There is also the problem of "verifying the verifier"; if the program which aids in the verification is itself unproven, there may be reason to doubt the soundness of the produced results.
Criticisms
The field of formal methods has its critics. At the current state of the art, proofs of correctness, whether handwritten or computer-assisted, need significant time (and thus money) to produce, with limited utility other than assuring correctness. This makes formal methods more likely to be used in fields where the benefits of having such proofs, or the danger in having undetected errors, makes them worth the resources. Example: in
aerospace engineering , undetected errors may causedeath , so formal methods are more popular than in other application areas.At times, proponents of formal methods have claimed that their techniques would be the
silver bullet to thesoftware crisis . Of course, it is widely believed that there isno silver bullet for software development, and some have written off formal methods due to those overstated, overreaching claims.Formal methods and notations
There are a variety of formal methods and notations available, including
*Abstract State Machines (ASMs)
* Alloy
*B-Method
*Process calculi
** CSP
** LOTOS
** π-calculus
*Actor model
*Esterel
* Lustre
*mCRL2
*Petri nets
* RAISE
* VDM
** VDM-SL
** VDM++
*Z notation
*Rebeca Modeling Language ee also
*
Formal verification
*Formal system
*Automated theorem proving
*Model checking
*Software engineering
*
*References
External links
* [http://www.bmethod.com B Method.com] : his site is designed to present different work and subjects concerning the B method, a formal method with proof
*
* [http://www.fmeurope.org/ Formal Methods Europe (FME)]
* [http://www.fmeurope.org/twiki/bin/view/ FME's wiki on formal methods]
* [http://vl.fmnet.info/pubs/ Formal methods publications]
* [http://vl.fmnet.info/ Virtual Library formal methods]
* [http://vl.fmnet.info/whos-who/ Who's who in formal methods]
* [http://vl.fmnet.info/meetings/ Meetings]
* [http://vl.fmnet.info/orgs/ Organizations]
* [http://vl.fmnet.info/companies/ Companies]
Wikimedia Foundation. 2010.