Diffusion of Formal Methods – situation from 1993


Diffusion of Formal Methods – situation from 1993
An International Survey of Industrial Applications of Formal Methods
• An exemplary survey article was written by Craigen, Gerhart and Ralston for the U.S.
Department of Commerce – National Institute of Standards and Technology
• This slideset tells some of their findings (from 1993… the situation has changed!)
• “The primary use of formal methods … are re-engineering existing systems;
stabilizing system requirements…; communication between and among various
levels of system stakeholders (design team & QA managers); as evidence of
‘best practice’ (regulations and standards)”
Company Confidential
1
© 2005 Nokia
V1-Filename.ppt / yyyy-mm-dd / Initials
Diffusion of Formal Methods – situation from 1993 (2)
• “Tool support … has been found neither necessary nor sufficient for the
successful application of formal methods…. Tools can be developed as
needed…. The presence of a tool did not stimulate the choice to use a particular
method”
RECOMMENDATIONS for R&D
• A need for improved integration of formal methods techniques with other software
engineering practices
• Industry needs ruggedized versions of formal method tools, not research
prototypes
• There needs to be a notation suitable for use by individuals who are not experts in formal
methods or mathematical logic
Diffusion of Formal Methods – situation from 1993 (3)
RECOMMENDATIONS (continued)
• Improved automated deduction support is required (especially for cases requiring
regulatory approval)
• Expansion of formal methods capabilities to real-time, concurrent, and asynchronous
processes
• Easing the transition of formal methods to a broader user base
Diffusion of Formal Methods – situation from 1993 (4)
SUMMARY of CASES
Darlington: Trip Computer Software (DNGS)
• Ontario Hydro and AECL developed computer-controlled shutdown systems for the
Darlington Nuclear Generation Station (DNGS).
• The Atomic Energy Board of Canada (AEBC) wanted more assurance of the
correctness of the software before issuing the license.
• Plenty of proofs (25 binders) of correctness were produced, and the license was
granted
• Formalism used: SCR (Software Cost Reduction) – an Excel tool that compares
program functional tables with the original specifications
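The table-against-specification comparison mentioned in the last bullet, as an added illustration for this slide (it is not the DNGS project's tool and not code from the survey): a small tabular specification in the SCR/Parnas style, a well-formedness check that its condition rows are disjoint and cover the whole input domain, and an exhaustive comparison of a candidate implementation against the table. The trip conditions, variable names and value sets are constructed for the example; a second, deliberately defective implementation shows what a mismatch report looks like.

```python
"""Tabular (SCR/Parnas-style) specification check.

Added illustration only: the shutdown logic, variable names and
thresholds below are invented for the example and are not taken from
the Darlington system or the survey.
"""
from itertools import product

# Constructed input domain: discretised sensor readings (hypothetical).
PRESSURE_LEVELS = ("low", "normal", "high")
FLOW_LEVELS = ("low", "normal")
SENSOR_STATES = ("ok", "fault")
DOMAIN = list(product(PRESSURE_LEVELS, FLOW_LEVELS, SENSOR_STATES))

# Specification as a function table: each row is (condition, required output).
# For a well-formed table the conditions are pairwise disjoint and together
# cover every point of the input domain, so exactly one row applies.
SPEC_TABLE = [
    (lambda p, f, s: s == "fault",                                 "trip"),
    (lambda p, f, s: s == "ok" and p == "high",                    "trip"),
    (lambda p, f, s: s == "ok" and p != "high" and f == "low",     "trip"),
    (lambda p, f, s: s == "ok" and p != "high" and f == "normal",  "run"),
]


def check_table_wellformed(table, domain):
    """Return the inputs for which zero or more than one row applies.

    An empty result means the table is complete (covers the domain) and
    consistent (no overlapping rows)."""
    problems = []
    for inp in domain:
        hits = sum(1 for cond, _ in table if cond(*inp))
        if hits != 1:
            problems.append((inp, hits))
    return problems


def spec_output(table, inp):
    """Required output for one input according to the table."""
    for cond, out in table:
        if cond(*inp):
            return out
    raise ValueError(f"no row covers {inp}")


def trip_decision(pressure, flow, sensor):
    """Hypothetical candidate implementation of the same decision."""
    if sensor == "fault":
        return "trip"
    if pressure == "high":
        return "trip"
    if flow == "low":
        return "trip"
    return "run"


def trip_decision_buggy(pressure, flow, sensor):
    """Defective variant: the flow condition has been dropped."""
    if sensor == "fault" or pressure == "high":
        return "trip"
    return "run"


def compare(impl, table, domain):
    """Exhaustively compare impl with the table over the finite domain.

    Returns a list of (input, required, actual) for every disagreement."""
    return [(inp, spec_output(table, inp), impl(*inp))
            for inp in domain
            if impl(*inp) != spec_output(table, inp)]


if __name__ == "__main__":
    assert not check_table_wellformed(SPEC_TABLE, DOMAIN)
    print("correct impl mismatches:", compare(trip_decision, SPEC_TABLE, DOMAIN))
    print("buggy impl mismatches:", compare(trip_decision_buggy, SPEC_TABLE, DOMAIN))
```

Two properties are checked separately on purpose: the table itself must be complete and consistent before it is worth comparing anything against it, and only then is the implementation compared point by point. On a finite, discretised domain the comparison is exhaustive, which is what makes a tabular specification attractive for licensing evidence.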
Diffusion of Formal Methods – situation from 1993 (5)
MGS (Multinet Gateway System)
• An Internet device providing a protocol-based datagram service for the secure delivery
of datagrams
• 10 pages of (written) specifications described the security model
• The Gypsy Verification Environment (GVE) was used in verification (80 pages of
formal specification)
• The underlying operating system had 6000 lines of code
SACEM
• The programme developed a certified safety-critical railway signalling system.
• This was a profitable effort: train separation was reduced from 2 min 30 seconds to 2 min
while maintaining the safety requirements, which meant that a third railway line in Paris
did not have to be constructed
Diffusion of Formal Methods – situation from 1993 (6)
SACEM
• The B method and Hoare logic were used in verification
• The system consists of 9000 lines of verified code; 120 000 hours were spent on the
formal methods effort
• The system is real: it allows 60 000 passengers to be carried per hour
TCAS (Traffic Alert and Collision Avoidance System)
• The purpose of TCAS is to reduce the risk of midair collisions between aircraft
• It functions as a system separate from air traffic control
• It consists of two components: the Collision Avoidance System (CAS) and the surveillance
system.
• CAS had been formally specified (7000 lines of pseudocode); the surveillance
system was work in progress at the time of writing
Diffusion of Formal Methods – situation from 1993 (7)
SSADM Toolset (Structured Systems Analysis and Design Method)
• The Z language was used to develop a formal specification of the toolset infrastructure.
• This resulted in 37 000 lines of Objective C and a 350-page specification
Customer Information Control System (CICS)
• CICS is a large transaction processing system developed by IBM.
• A recent release was re-engineered using the Z method (kloc = 1000 lines of code)
• CICS was about 800 kloc before the changes; 50 kloc were added in the new
release
• 37 kloc of the new 50 kloc were specified completely in Z; 11 kloc of the new
code were partially specified in Z
• IBM reports that the use of Z reduced development cost and error rates
Diffusion of Formal Methods – situation from 1993 (8)
Software Architecture for Oscilloscopes using Z (Tektronix)
• Tektronix used the Z language to develop a reusable software architecture to be
shared among oscilloscope products.
• Z was used as a mathematical modelling language for exploring design ideas.
• The software architecture is 200 kloc, described in 30 pages of Z