Formal methods

Formal methods

In computer science and software engineering, formal methods are particular kind of mathematically-based techniques for the specification, development and verification of software and hardware systems.cite web|author=R. W. Butler|title=What is Formal Methods?|url=|date=2001-08-06|accessdate=2006-11-16] The use of formal methods for software and hardware design is motivated by the expectation that, as in other engineering disciplines, performing appropriate mathematical analyses can contribute to the reliability and robustness of a design. [cite paper|author=C. Michael Holloway|title=Why Engineers Should Consider Formal Methods|url=| publisher=16th Digital Avionics Systems Conference (27-30 October 1997)|accessdate=2006-11-16] However, the high cost of using formal methods means that they are usually only used in the development of high-integrity systems, [cite paper|author= M. Archer, C. Heitmeyer and E. Riccobene|title= Proving invariants of I/O automata with TAME|publisher= Automated Software Engineering, 9, 201-232 (2002)] where safety or security is important.


Formal methods can be used at a number of levels:

Level 0: Formal specification may be undertaken and then a program developed from this informally. This has been dubbed "formal methods lite". This may be the most cost-effective option in many cases.

Level 1: Formal development and formal verification may be used to produce a program in a more formal manner. For example, proofs of properties or refinement from the specification to a program may be undertaken. This may be most appropriate in high-integrity systems involving safety or security.

Level 2: Theorem provers may be used to undertake fully formal machine-checked proofs. This can be very expensive and is only practically worthwhile if the cost of mistakes is extremely high (e.g., in critical parts of microprocessor design).

Further information on this is expanded below.

As with the sub-discipline of programming language semantics, styles of formal methods may be roughly classified as follows:

* Denotational semantics, in which the meaning of a system is expressed in the mathematical theory of domains. Proponents of such methods rely on the well-understood nature of domains to give meaning to the system; critics point out that not every system may be intuitively or naturally viewed as a function.
* Operational semantics, in which the meaning of a system is expressed as a sequence of actions of a (presumably) simpler computational model. Proponents of such methods point to the simplicity of their models as a means to expressive clarity; critics counter that the problem of semantics has just been delayed (who defines the semantics of the simpler model?).
* Axiomatic semantics, in which the meaning of the system is expressed in terms of preconditions and postconditions which are true before and after the system performs a task, respectively. Proponents note the connection to classical logic; critics note that such semantics never really describe what a system "does" (merely what is true before and afterwards).

Lightweight formal methods

Some practitioners believe that the formal methods community has overemphasized full formalization of a specification or design. [Daniel Jackson and Jeannette Wing, [ "Lightweight Formal Methods"] , "IEEE Computer", April 1996] [Vinu George and Rayford Vaughn, [ "Application of Lightweight Formal Methods in Requirement Engineering"] , "Crosstalk: The Journal of Defense Software Engineering", January 2003] They contend that the expressiveness of the languages involved, as well as the complexity of the systems being modelled, make full formalization a difficult and expensive task. As an alternative, various "lightweight" formal methods, which emphasize partial specification and focused application, have been proposed. Examples of this lightweight approach to formal methods include the Alloy object modelling notation, [Daniel Jackson, [ "Alloy: A Lightweight Object Modelling Notation"] , "ACM Transactions on Software Engineering and Methodology (TOSEM)", Volume 11, Issue 2 (April 2002), pp. 256-290] Denney's synthesis of some aspects of the Z notation with use case driven development, [Richard Denney, "Succeeding with Use Cases: Working Smart to Deliver Quality", Addison-Wesley Professional Publishing, 2005, ISBN 0-321-31643-6.] and the CSK VDM Tools. [Sten Agerholm and Peter G. Larsen, [ "A Lightweight Approach to Formal Methods"] , In "Proceedings of the International Workshop on Current Trends in Applied Formal Methods", Boppard, Germany, Springer-Verlag, October 1998]


Formal methods can be applied at various points through the development process. (For convenience, we use terms common to the waterfall model, though any development process could be used.)


Formal methods may be used to give a description of the system to be developed, at whatever level(s) of detail desired. This formal description can be used to guide further development activities (see following sections); additionally, it can be used to verify that the requirements for the system being developed have been completely and accurately specified.

The need for formal specification systems has been noted for years. In the ALGOL 60 Report, John Backus presented a formal notation for describing programming language syntax (later named Backus normal form or Backus-Naur form (BNF)); Backus also described the need for a notation for describing programming language semantics. The report promised that a new notation, as definitive as BNF, would appear in the near future; it never appeared.


Once a formal specification has been developed, the specification may be used as a guide while the concrete system is developed (i.e. realized in software and/or hardware). Examples:
* If the formal specification is in an operational semantics, the observed behavior of the concrete system can be compared with the behavior of the specification (which itself should be executable or simulateable). Additionally, the operational commands of the specification may be amenable to direct translation into executable code.
* If the formal specification is in an axiomatic semantics, the preconditions and postconditions of the specification may become assertions in the executable code.


Once a formal specification has been developed, the specification may be used as the basis for proving properties of the specification (and hopefully by inference the developed system).

Human-directed proof

Sometimes, the motivation for proving the correctness of a system is not the obvious need for re-assurance of the correctness of the system, but a desire to understand the system better. Consequently, some proofs of correctness are produced in the style of mathematical proof: handwritten (or typeset) using natural language, using a level of informality common to such proofs. A "good" proof is one which is readable and understandable by other human readers.

Critics of such approaches point out that the ambiguity inherent in natural language allows errors to be undetected in such proofs; often, subtle errors can be present in the low-level details typically overlooked by such proofs. Additionally, the work involved in producing such a good proof requires a high level of mathematical sophistication and expertise.

Automated proof

In contrast, there is increasing interest in producing proofs of correctness of such systems by automated means. Automated techniques fall into two general categories:
* Automated theorem proving, in which a system attempts to produce a formal proof from scratch, given a description of the system, a set of logical axioms, and a set of inference rules.
* Model checking, in which a system verifies certain properties by means of an exhaustive search of all possible states that a system could enter during its execution.

Neither of these techniques work without human assistance. Automated theorem provers usually require guidance as to which properties are "interesting" enough to pursue; model checkers can quickly get bogged down in checking millions of uninteresting states if not given a sufficiently abstract model.

Proponents of such systems argue that the results have greater mathematical certainty than human-produced proofs, since all the tedious details have been algorithmically verified. The training required to use such systems is also less than that required to produce good mathematical proofs by hand, making the techniques accessible to a wider variety of practitioners.

Critics note that such systems are like oracles: they make a pronouncement of truth, yet give no explanation of that truth. There is also the problem of "verifying the verifier"; if the program which aids in the verification is itself unproven, there may be reason to doubt the soundness of the produced results.


The field of formal methods has its critics. At the current state of the art, proofs of correctness, whether handwritten or computer-assisted, need significant time (and thus money) to produce, with limited utility other than assuring correctness. This makes formal methods more likely to be used in fields where the benefits of having such proofs, or the danger in having undetected errors, makes them worth the resources. Example: in aerospace engineering, undetected errors may cause death, so formal methods are more popular than in other application areas.

At times, proponents of formal methods have claimed that their techniques would be the silver bullet to the software crisis. Of course, it is widely believed that there is no silver bullet for software development, and some have written off formal methods due to those overstated, overreaching claims.

Formal methods and notations

There are a variety of formal methods and notations available, including
* Abstract State Machines (ASMs)
* Alloy
* B-Method
* Process calculi
** CSP
** π-calculus
* Actor model
* Esterel
* Lustre
* mCRL2
* Petri nets
** VDM++
* Z notation
* Rebeca Modeling Language

ee also

* Formal verification
* Formal system
* Automated theorem proving
* Model checking
* Software engineering


External links

* [ B] : his site is designed to present different work and subjects concerning the B method, a formal method with proof
* [ Formal Methods Europe (FME)]
* [ FME's wiki on formal methods]
* [ Formal methods publications]
* [ Virtual Library formal methods]
* [ Who's who in formal methods]
* [ Meetings]
* [ Organizations]
* [ Companies]

Wikimedia Foundation. 2010.

Игры ⚽ Нужна курсовая?

Look at other dictionaries:

  • Formal Methods Europe — (FME) is an organization whose aim is to encourage the research and application of formal methods for the improvement of software and hardware in computer based systems. The association s members are drawn from academia and industry. It is based… …   Wikipedia

  • Formal equivalence checking — process is a part of electronic design automation (EDA), commonly used during the development of digital integrated circuits, to formally prove that two representations of a circuit design exhibit exactly the same behavior. Equivalence checking… …   Wikipedia

  • Formal epistemology — is a subdiscipline of epistemology that utilizes formal methods from logic, probability theory and computability theory to elucidate traditional epistemic problems. TopicsSome of the topics that come under the heading of formal epistemology… …   Wikipedia

  • Formal Aspects of Computing — Infobox Magazine title = Formal Aspects of Computing | image size = 200px | image caption = editor = Jim Woodcock Cliff Jones frequency = Quarterly circulation = category = Formal methods company = Springer firstdate = 1989 country = Germany… …   Wikipedia

  • Formal — The term formal has a number of uses, including:General*relating to formality *opposite of informalocial* Formal occasion ** Formal attire worn on such occasions ** Formals are particular meals at some British universities ** In Australian or… …   Wikipedia

  • Formal verification — In the context of hardware and software systems, formal verification is the act of proving or disproving the correctness of intended algorithms underlying a system with respect to a certain formal specification or property, using formal methods… …   Wikipedia

  • Formal specification — A formal specification is a mathematical description of software or hardware that may be used to develop an implementation. It describes what the system should do, not (necessarily) how the system should do it. Given such a specification, it is… …   Wikipedia

  • Formal interpretation — A formal interpretation [ pg=PA74 lpg=PA74 dq=%22Formal+interpretation%22+%22formal+language%22 source=web ots=pLN ms7Wi2 sig=P JqwdzOqLcX4nMpP64qmacnkDU hl=en#PPA74,M1 Cann Ronnie, Formal Semantics:… …   Wikipedia

  • Formal science — A formal science is a theoretical study that is concerned with theoretical formal systems, for instance, logic, mathematics, systems theory and the theoretical branches of computer science, information theory, economics, statistics, and… …   Wikipedia

  • Methods of detecting extrasolar planets — Any planet is an extremely faint light source compared to its parent star. In addition to the intrinsic difficulty of detecting such a faint light source, the light from the parent star causes a glare that washes it out. For those reasons, only a …   Wikipedia

Share the article and excerpts

Direct link
Do a right-click on the link above
and select “Copy Link”