Formal Methods
THEHASEENA NOUREEN
PhD Scholar
Formal Methods
Formal methods are a particular kind of mathematically based technique for the
specification, development and verification of software and hardware systems.
Formal Methods
◦ Formal methods are particularly effective early in development, at the
requirements and specification levels of software engineering.
◦ The approach is especially important in high-integrity and safety-critical
computer systems.
◦ In systems where safety or security matters, they help ensure that errors are
not introduced during the development process.
Formal vs. Informal Methods
◦ Informal methods (natural-language requirements, decision tables,
decision trees) leave many possible inconsistencies
◦ Decision tables
◦ Decision trees
◦ Computer tools help overcome some of these difficulties, but the
underlying problems may still exist because the notation itself has no precise meaning
Mathematics vs. Natural Language for System
Specification
Deficiencies of natural language
◦ Can be ambiguous
◦ Can be self-contradictory
◦ Can be incomplete
◦ Encourages imprecise thinking
◦ Cannot easily handle abstractions
Mathematics – good features
◦ Easily handles abstractions
◦ Can be used both for describing a system and for reasoning about it
◦ Is concise
◦ Is unambiguous
◦ Is applied widely to the real world
◦ Can approximate where exactness is unnecessary
◦ Changes far more slowly than computing technology, so a mathematical
specification does not go stale with the tools of the day
Formal Notation – Drawbacks
◦ The customer cannot easily understand the specification
◦ The mathematics used is unfamiliar to many of the staff
◦ In the real world, obtaining a usable user requirements document is itself
a problem, and a formal notation does not remove that step
Formal Methods Parts
1. Formal specification
2. Formal verification
3. Automated theorem proving
4. Model checking
1. Formal Specification
A definition of what a computer program is expected to do.
It can be
◦ informal, in which case it can be considered a blueprint or user
manual from the developer's point of view, or
◦ formal, in which case it has a definite meaning defined in
mathematical or programmatic terms.
Purpose of Formal Specification
◦ To state what the system should do without describing how to do it
◦ May be used to describe the system to be developed at any level of abstraction
◦ Formalizes system requirements using a formal language with unambiguously defined
syntax and semantics
◦ To reduce faults in systems
◦ Requirement errors can be discovered as early as possible and resolved
◦ Used to verify that the requirements for the system being developed have been completely and
accurately specified
Formal specification Components
Syntax - grammatical rules to determine if sentences are well formed
Semantics - rules for interpreting the sentences in a precise, meaningful way within the domain
Proof Theory - rules for inferring useful information from the specification
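The distinction between what a system must do and how it does it, and the cost of an incomplete specification, can be made concrete. The following is an added example written for this page (not code from the lecture or from any formal-methods tool): a sort is specified as a postcondition made of two predicates, two implementations are checked exhaustively against it on a bounded input domain, and a deliberately weakened specification that forgets the permutation clause is shown to accept a buggy implementation. The alphabet and length bound are arbitrary choices for the demonstration.

```python
"""Formal specification versus implementation, checked exhaustively on a
bounded domain. Constructed example for this page; not a real tool."""
from collections import Counter
from itertools import product


# --- The specification: WHAT a sort must do, stated as predicates --------
def is_ordered(out):
    """Every element is <= its successor."""
    return all(out[k] <= out[k + 1] for k in range(len(out) - 1))


def is_permutation(inp, out):
    """Same multiset of elements: nothing added, dropped or changed."""
    return Counter(inp) == Counter(out)


def sort_spec(inp, out):
    """Postcondition of Sort: output ordered AND a permutation of the input."""
    return is_ordered(out) and is_permutation(inp, out)


def incomplete_spec(inp, out):
    """A weaker spec that forgets the permutation clause (the 'incomplete'
    deficiency the slides warn about)."""
    return is_ordered(out)


# --- Two implementations: HOW -------------------------------------------
def insertion_sort(xs):
    """Correct implementation; the spec says nothing about this method."""
    out = []
    for x in xs:
        k = len(out)
        while k > 0 and out[k - 1] > x:
            k -= 1
        out.insert(k, x)
    return out


def dedup_sort(xs):
    """Bug: drops duplicates. Ordered, but not a permutation of the input."""
    return sorted(set(xs))


# --- Bounded exhaustive check of an implementation against a spec --------
def check(spec, impl, alphabet=(0, 1, 2), max_len=4):
    """Run impl on every input list over `alphabet` of length <= max_len and
    return the first input (a counterexample) on which spec fails, else None."""
    for n in range(max_len + 1):
        for inp in product(alphabet, repeat=n):
            inp = list(inp)
            if not spec(inp, impl(inp)):
                return inp
    return None


if __name__ == "__main__":
    print("insertion_sort vs full spec   :", check(sort_spec, insertion_sort))
    print("dedup_sort vs full spec       :", check(sort_spec, dedup_sort))
    print("dedup_sort vs incomplete spec :", check(incomplete_spec, dedup_sort))
```

The bounded domain (3 symbols, length up to 4) is small enough to enumerate every input, which is why the check is a proof for that domain and only evidence beyond it; a real formal verification would discharge the postcondition for all inputs. The last line of output is the security-relevant lesson: a specification that omits a clause cannot reject an implementation that violates it.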
2. Formal Verification
◦ Formally proving that the system does exactly what is stated in its specification
◦ Program correctness in general is undecidable, so practical verification either
restricts the problem (finite models, decidable logics) or relies on human-guided proofs
◦ More specific than model-level analysis because it can verify the code itself, not
only an abstract model of the program
◦ Intel, AMD: verify chip designs
◦ BMW: automotive systems
Simulation vs. FV
Simulation is input-driven, FV is output-driven:
◦ Mind-set in simulation: first generate input vectors, then
derive the reference outputs and compare
◦ In FV: the user starts by stating what output behaviour is required
and then lets the formal checker prove or disprove it for all inputs
◦ Simulation checks one output point at a time, while FV checks a whole
group of output points (every reachable behaviour) at once
3. Automated Theorem Proving
◦ Semi-automatic: interactive provers need human guidance, while fully automatic
provers exist only for restricted logics
◦ Proving of mathematical theorems by a computer program
◦ Based on a formal logic
◦ Depending on the underlying logic, the problem of deciding the validity
of a theorem varies from trivial to impossible
4. Model Checking
◦ Fully automatic
◦ Algorithmically verifies finite-state systems
◦ This is achieved by checking whether the model, often derived from a
hardware or software design, satisfies a formal specification
◦ The specification is often written as temporal logic formulas
How does Model Checking work?
Figure: a finite-state model and a set of properties are fed to the model
checker, which reports whether the system meets the properties or not.
Model checking
Used to study the behaviour of reactive systems.
Typically involves three steps:
◦ Create a finite-state model (a finite state machine, FSM) of the system design
◦ Specify the critical correctness properties
◦ Check the model against the specification; a failed check yields a
counterexample execution that violates the property
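The three steps above, and the simulation-versus-FV contrast from the earlier slide, can be shown on a tiny example. The following is an added example written for this page (not code from the lecture or from any real model checker): two processes share a critical section, the property is mutual exclusion, and an explicit-state checker explores every reachable state by breadth-first search. A naive lock with a non-atomic test-then-set is checked next to Peterson's algorithm, and a random-schedule simulator is included so the difference between trying some schedules and proving all of them is visible. The state encodings and program-counter values are choices made for this example.

```python
"""Explicit-state model checking of mutual exclusion for two processes.
Constructed example for this page; the models and checker are not from any
real verification tool."""
from collections import deque
import random

# --- Model 1 (buggy): naive lock, test-then-set is NOT atomic --------------
# pc 0: if not locked -> pc 1   (the test)
# pc 1: locked = True -> pc 2   (the set; pc 2 is the critical section)
# pc 2: locked = False -> pc 0  (leave the critical section)
def naive_init():
    return (0, 0, False)            # (pc0, pc1, locked)

def naive_step(state, i):
    pc, locked = list(state[:2]), state[2]
    if pc[i] == 0:
        if not locked:
            pc[i] = 1               # else: busy-wait, state unchanged
    elif pc[i] == 1:
        locked, pc[i] = True, 2
    elif pc[i] == 2:
        locked, pc[i] = False, 0
    return (pc[0], pc[1], locked)

NAIVE_LOCK = {"init": naive_init, "step": naive_step,
              "in_cs": lambda s, i: s[i] == 2}

# --- Model 2 (correct): Peterson's algorithm ------------------------------
# pc 0: flag[i] = True; pc 1: turn = other; pc 2: wait until
# not (flag[other] and turn == other); pc 3: critical section, then reset.
def peterson_init():
    return (0, 0, False, False, 0)  # (pc0, pc1, flag0, flag1, turn)

def peterson_step(state, i):
    pc, flag, turn = list(state[:2]), list(state[2:4]), state[4]
    j = 1 - i
    if pc[i] == 0:
        flag[i], pc[i] = True, 1
    elif pc[i] == 1:
        turn, pc[i] = j, 2
    elif pc[i] == 2:
        if not (flag[j] and turn == j):
            pc[i] = 3
    elif pc[i] == 3:
        flag[i], pc[i] = False, 0
    return (pc[0], pc[1], flag[0], flag[1], turn)

PETERSON = {"init": peterson_init, "step": peterson_step,
            "in_cs": lambda s, i: s[i] == 3}

# --- Step 2 + 3: the property and an exhaustive (FV-style) checker --------
def violates_mutex(model, s):
    return model["in_cs"](s, 0) and model["in_cs"](s, 1)

def check_mutex(model):
    """Breadth-first search over every reachable state. Returns
    (trace, states_explored): trace is None if mutual exclusion holds
    everywhere, else the shortest path of states ending in a violation."""
    init = model["init"]()
    parent = {init: None}
    queue = deque([init])
    while queue:
        s = queue.popleft()
        if violates_mutex(model, s):
            trace = []
            while s is not None:
                trace.append(s)
                s = parent[s]
            return trace[::-1], len(parent)
        for i in (0, 1):            # both interleavings from every state
            t = model["step"](s, i)
            if t not in parent:
                parent[t] = s
                queue.append(t)
    return None, len(parent)

# --- Simulation: input-driven, covers only the schedules it happens to try
def simulate(model, runs=100, steps=40, seed=1):
    rng = random.Random(seed)
    for _ in range(runs):
        s = model["init"]()
        for _ in range(steps):
            s = model["step"](s, rng.choice((0, 1)))
            if violates_mutex(model, s):
                return s
    return None

if __name__ == "__main__":
    for name, model in (("naive lock", NAIVE_LOCK), ("Peterson", PETERSON)):
        trace, n = check_mutex(model)
        print(f"{name}: {n} reachable states, counterexample = {trace}")
        print(f"{name}: random simulation found = {simulate(model)}")
```

A `None` from `simulate` says only that the schedules tried happened not to hit the bug; a `None` trace from `check_mutex` says no reachable state violates the property, because every interleaving of the two processes was enumerated. The counterexample for the naive lock is the classic race: both processes pass the `not locked` test before either sets the flag.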
Variety of formal methods
◦ Abstract State Machines –
The Abstract State Machine (ASM) thesis states that any algorithm can be modelled, step for step, by an
appropriate ASM.
◦ B-Method –
B is a formal method for developing program code by stepwise refinement from a specification written in
the Abstract Machine Notation.
Z notation
◦ A specification language used for describing computer-based systems
◦ Uses mathematical notation to provide exact definitions of a system
◦ A system is described in a number of small Z modules (schemas), which can cross-refer to each other
◦ Each module is expected to have some descriptive English text to help readers understand it
◦ Based on set theory and first-order predicate logic
Unified Modeling Language (UML)
◦ Provides system architects with one consistent language for
◦ specifying,
◦ visualizing,
◦ constructing, and
◦ documenting the artifacts of software systems
◦ UML is a semi-formal notation: its diagrams have no single mathematical semantics, so it
supports formal reasoning only where constraints are added in a formal language
Do we really need Formal Methods?
Digital systems can fail in catastrophic ways leading to death or tremendous
financial loss.
Potential causes of failure include:
o physical failure
o human error
o environmental factors
o design errors- Design errors are the major culprit.
Effects of Design Errors
Between June 1985 and January 1987, a computer-controlled radiation therapy machine, the
Therac-25, massively overdosed six people, killing two.
On April 30, 1999 a Titan IV launch failure cost taxpayers 1.23 billion dollars, all due to a software
malfunction (an incorrectly entered roll rate filter constant).
Denver Airport's computerized baggage handling system delayed the airport's opening by 16 months.
The airport was $3.2 billion over budget.
Formal methods are needed to
o Improve SW Quality
o Reduce cost of verifying system
o Improve quality and rigor of entire development process
o Reduce specification errors and provide a rational basis for choosing test data
o Explore the properties of a design architecture
Applications
o Software Engineering, specification, verification
o Embedded Systems (hybrid systems)
o Business Processes
o Biological Processes
o Security
o Web services & grid computing
Myths of Formal Methods
Each of the following is a common misconception, not a fact:
◦ Formal methods can guarantee that software is perfect.
◦ They work by proving that programs are correct.
◦ Only highly critical systems benefit from their use.
◦ They involve complex mathematics.
◦ They increase the cost of development.
◦ They are incomprehensible to clients.