Today nearly every software engineering or computer science course, whether given in a British university or in a university elsewhere in the world, includes the teaching of formal methods. Formal methods are controversial. The central issue is the degree of mathematical sophistication and theorem-proving skill that should be needed to apply a formal method; nevertheless, several kinds of analysis have proved useful in software development. It ought to be too obvious to need saying that nothing can achieve perfection, yet proponents of formal methods sometimes claim that they offer an absolute guarantee that cannot be achieved any other way. This paper outlines some of the benefits of formal methods, which are proving successful in a few industrial and commercial projects. The term formal method is used here to describe any approach that makes use of a formal specification language and specifies the role of that formal specification during the software development process. In other words, the use of a formal method does not necessarily imply any formal refinement process, formal reasoning or proof. The term formal specification language is used for a language that specifies the whole or part of a piece of software in a way amenable to formal reasoning. CASE tools are considered directly, since their relevance depends on the extent to which they are based on traditional structured design or on formal methods.
Although the term formal method is widely used, there does not seem to be any clear definition of exactly what constitutes a formal method. On many occasions the term simply implies the use of a formal specification language, without any prescription of how, or to what extent, it is used: for example, whether the whole or just a part of the program is to be specified, and whether there is any requirement for successive refinement, reasoning or proof. Even which notations should count as formal specification languages is open to question, e.g. SDL (CCITT 1988); in other words, how much abstraction should a language allow in order for it to be called a formal specification language?
There is growing interest in formal methods because they offer rigorous support for computer system development. Formal methods are particularly desirable in safety-critical applications such as process control, aviation, medical systems, railway signalling and many others. Other applications may not threaten life if they fail, but most may be described as quality-critical. However, the main reason that formal methods are limited in their use is that, on a cost-benefit analysis, they are often not justified.
Formal methods are a collection of tools and techniques that use mathematical models for the specification, design and verification of software systems. Mathematical rigour enables users to analyse and verify these models at any point in the program life-cycle: requirements engineering, specification, architecture, design, implementation, testing, maintenance and evolution.
Formal Methods in Practice: Current Status
During the last decades, researchers have proposed numerous formal methods, such as model checkers and mechanical theorem provers, for developing computer systems. The major footprint of these formal methods is in hardware; they are rarely used in software because the notations and design techniques are difficult. There are two reasons why formal methods have had far more impact on hardware than on software (Kurshan 1997).
- First, hardware designers routinely use one of a small group of languages, e.g. Verilog or VHDL, to specify their designs. In contrast, precise specification and design languages are rarely used in software development.
- Secondly, integrating a formal method such as a model checker into a hardware design process is relatively easy, because other tools, such as simulators and code synthesis tools, are already a standard part of the design process at many companies.
In software development, by contrast, no standard development environment exists. In recent years object-oriented design has gained popularity, but what is meant by "object-oriented design" varies from one site to another. Moreover, while a number of commercial Computer Aided Software Engineering (CASE) tools have become available on the market, software developers are only now making use of these tools.
Formal Methods in Industry
The two methods most commonly used in industry, outside the communications sector, are VDM (Jones 1990) and Z (Spivey 1992). VDM was the first, or one of the first, formal methods to be used on a reasonably large-scale project, but Z seems to have gained popularity more recently.
These two methods are closely related, even if their syntax differs, and both are based primarily on mathematical set theory. There are a number of other approaches to formal specification, but these two are the ones used most frequently.
There are also methods which explicitly allow concurrency and the modelling of processes that need to communicate with one another. A major application area for this approach is the handling of protocols. The best known of these is CSP, or Communicating Sequential Processes (Hoare 1985), whose mathematical basis is similar to that of Z. LOTOS (Language of Temporal Ordering Specification) is another method of this kind that makes use of CSP.
There are methods that are based on algebra rather than set theory. The simplest example of this type is the use of algebraic specification for abstract data types, where the behaviour of the operations on an abstract data type is governed by a set of rules expressed as equations. This type of specification tends to be a lot closer to the implementation, but it also fits very well with the ideas behind object-oriented design and object-oriented programming. The best known formal language for this type of approach is OBJ (Goguen and Winkler 1988).
Another approach is the use of a functional programming language for writing specifications, and possibly also a prototype implementation of the software. This is still more at the research stage as a viable specification technique, and it differs slightly from the others in that there is a strong emphasis on the specification being executable, which is in many ways desirable but conflicts with the desire for abstraction. At present, the only main languages for this approach seem to be Haskell (Hudak 1993) and a partial implementation of Haskell called Gofer (Jones et al. 1994).
There are other formal techniques, but they are rarely taught and very rarely used in industry for more than one specific type of application.
Formal Methods in Software Development
Defence standards require the use of formal methods in the specification and subsequent analysis of safety-critical control software. To date, however, there has been reluctance from industry to adopt these methods. This has been due in part to the high cost of producing a formal specification compared with a conventional specification, and to the need for specialists; formal methods have generally only been used for small-scale academic projects, such as libraries, or for critical systems such as nuclear plant protection.
In an attempt to redress this by making formal methods more accessible to control system engineers, the Practical Formal Specification (PFS) technique was developed. Funded by the UK Ministry of Defence, it aims to provide the technology for the formal development of engine control software. The work is supported by the Rolls-Royce aero engines group who, as a supplier to the Ministry of Defence, can be required to use formal techniques for the safety-critical components of the software they provide (UK Ministry of Defence 1997). The PFS project also focuses on flight control avionics systems and is additionally supported by BAE Systems (a global company engaged in the development, delivery and support of advanced defence, security and aerospace systems).
Domain-Specific Formal Notation for Engine Control Software
Discrete formal methods have been used in the past, but they are now being used in the development process for engine control software.
Control software is developed within a multi-level concurrent engineering process, where airframe requirements give rise to propulsion system level requirements, which in turn give rise to control system requirements. The control system itself is made up of many engineered components, including sensors, actuators, hydraulics, digital hardware and software. Software requirements derive from, and are affected by, the requirements and design of all the components in the engineering hierarchy (Vickers 1996).
Domain-Specific Language
The PFS approach to solving these problems has been to construct a domain-specific language. By domain-specific language (DSL) we mean a language with a syntax ideally tailored to expressing the basic concepts and structuring mechanisms of a particular application area. Thus, rather than being limited only by the bounds of what can be described in, say, set theory, the practitioner is limited to the kinds of requirements concepts and structures found in control software. The most important features of a DSL are an intuitive concrete representation, a layered formal semantic construction and a set of reasoning goals.
In PFS, the domain-specific language is based heavily on hierarchical state machines. The DSL organises requirements as state-based components, reactive components and aggregations thereof. The formal semantics is inspired by work on the formalisation of graphical notations and enables the formulation of proof obligations. Proof obligations may then be generated for model "healthiness", thus increasing confidence in the validity of the specification. Additional reasoning obligations may be generated in the light of a design artefact to demonstrate compliance with a specification, given appropriate refinement relationships.
Domain-Specific Abstraction
Domain-specific notations permit domain-specific abstraction. Given the relative importance or criticality of the functional components that make up an application in a particular domain, a specifier can employ structural abstraction to manage the introduction of detail. For example, in PFS the emphasis is on specifying core control requirements and working "outwards", through signal validation and failure management, towards the sensor and actuator interfaces.
In PFS the use of hierarchical state machines permits the specifier to describe the desired behaviour intuitively, rather than stating behaviour in terms of the control variables that will eventually be used in the implementation. Also, the PFS approach focuses on the discrete aspects of the engine control requirements. The notation prompts the specifier to provide "place holder" information for the transformations being developed using continuous mathematics. Such requirements will be validated independently by their own "formal method".
A major consideration is how different levels of abstraction can be related formally. Again this can be domain-specific, although PFS relies heavily on the abstraction mechanism of stating assumptions and specifying within those assumptions. The emphasis is on making each requirement explicit in its context (Galloway, Cockram and McDermid 1998; McDermid, Galloway, Burton et al. 1998).
The process of validating a set of requirements is formally supported by composing requirements together to form aggregates and propagating assumptions outward to the environment. Formal composition is based on the concepts of guarding and governing of requirements. Of these, governing is the most straightforward, analogous to the concept of weakest pre-condition derivation in programming language semantics, e.g. the generalised substitution language. Guarding takes into account requirement independence. In general, given requirement composition in terms of guarding and governing, the usual "weakening of the pre-condition" refinement relation holds. This relationship supports "ideal" to "real" refinement in PFS. When an engineer initially describes a requirement, they assume an ideal context, e.g. no noise on signals, no failures, hardware that responds as quickly as software, and signals that will not induce arithmetic saturation. Such simplifications result in strong assumptions being documented for each requirement, assumptions that could not usually be guaranteed by the environment. Alternatively, additional behaviour may be introduced to guard and govern the requirement and thus guarantee its assumptions.
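The hierarchical state machine with its "healthiness" obligation, and the guarding/governing step that refines an "ideal" requirement into a "real" one, as an added example in Python that is not part of the paper or of the PFS project. The engine-start requirement, its finite input domain and the assumption "the speed sensor never fails" are constructed for illustration; the PFS notation and semantics themselves are not reproduced.

```python
from itertools import product
# Added example (not from the paper or the PFS project): an "ideal" engine-start
# requirement as a state machine over a constructed finite input domain, its
# "healthiness" obligation, and a governing wrapper that discharges the ideal
# assumption "the speed sensor never fails" inside the requirement itself.
STATES = ("OFF", "CRANKING", "RUNNING")
INPUTS = tuple(product(("start", "stop", "none"), ("low", "high", "failed")))
def ideal_assumption(cmd, speed):
    return speed != "failed"          # context the engineer assumed when writing
# (guard, next_state) arcs per state, written for the ideal context only: a
# "failed" reading leaves CRANKING and RUNNING with no arc unless cmd == "stop".
IDEAL = {
    "OFF":      [(lambda c, v: c == "start", "CRANKING"),
                 (lambda c, v: c != "start", "OFF")],
    "CRANKING": [(lambda c, v: c == "stop", "OFF"),
                 (lambda c, v: c != "stop" and v == "high", "RUNNING"),
                 (lambda c, v: c != "stop" and v == "low", "CRANKING")],
    "RUNNING":  [(lambda c, v: c == "stop", "OFF"),
                 (lambda c, v: c != "stop" and v == "high", "RUNNING"),
                 (lambda c, v: c != "stop" and v == "low", "CRANKING")],
}

def healthiness_violations(machine, assumption):
    """Obligation: within the assumption, each state has exactly one enabled arc per input."""
    bad = []
    for state, arcs in machine.items():
        for cmd, speed in INPUTS:
            enabled = [nxt for guard, nxt in arcs if guard(cmd, speed)]
            if assumption(cmd, speed) and len(enabled) != 1:
                bad.append((state, cmd, speed, enabled))
    return bad

def step(machine, state, cmd, speed):
    """Fire the single enabled arc; an unhealthy situation raises instead."""
    enabled = [nxt for guard, nxt in machine[state] if guard(cmd, speed)]
    if len(enabled) != 1:
        raise ValueError(f"{state} with {(cmd, speed)} enables {enabled}")
    return enabled[0]

def govern(machine, failure, safe_state):
    """Guard and govern: add failure management so the composite guarantees the assumption."""
    return {state: [(failure, safe_state)] +
                   [(lambda c, v, g=guard: not failure(c, v) and g(c, v), nxt)
                    for guard, nxt in arcs]
            for state, arcs in machine.items()}

def refines(concrete, abstract, abstract_assumption):
    """Weakening of the pre-condition: healthy everywhere, and agrees where abstract assumed."""
    if healthiness_violations(concrete, lambda c, v: True):
        return False
    return all(step(concrete, st, c, v) == step(abstract, st, c, v)
               for st in STATES for c, v in INPUTS if abstract_assumption(c, v))

REAL = govern(IDEAL, lambda c, v: v == "failed", "OFF")    # "ideal" -> "real"
```

The ideal machine discharges its obligation only inside its assumption; the governed machine discharges it with no assumption at all, which is exactly the weakened pre-condition the refinement relation requires.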
The PFS project has made steady progress. After a considerable amount of time spent understanding the domain, a hypothesis was developed which iteratively evolved into the strategy outlined above. This is the first time that the requirements notation has been used on a large-scale case study. Previously, the notation had been applied to a small case study based on the engine-starting requirements of a helicopter engine controller, while the use of the notation with formal analysis was the subject of a case study involving flight control requirements.
PFS is part of a Technical Demonstrator Programme for a gas turbine engine controller and is based upon software requirements taken originally from a control law model. The model was generated by a control engineer in a modelling tool, and the requirements were simulated against an engine model. Thus the original requirements, being a mathematically based specification, are of higher quality than would be expected of an informal natural-language specification. The informal software specification is a document-based representation of a tool-based model. This makes it difficult for the programmer to easily identify assumptions on the use of parts of the model, which in turn could lead to the use of a requirement or portion of the model out of context.
Engineers have gained a greater understanding of, and more knowledge about, the system through the introduction of PFS. Formal specifications of software are often produced separately from the system specification, by software engineers with little appreciation of the wider system. PFS creates a link between the two and removes the discontinuity between them.
Errors in the program are removed by using the PFS specification. Software testing or rig testing proves expensive when compared with PFS.
Software practitioners who are not formal methods experts can benefit from the work of formal methods researchers. To enjoy the benefits of formal methods, a user need not be mathematically sophisticated, nor capable of proving deep theorems. Lightweight techniques offer software developers a good violin; the user need not be a talented violinist to benefit. This is in contrast to heavy-duty techniques, where the user needs to be a good violinist.
Issues concerning Defence Standard 00-55 also need addressing. The full application of the standard as written is not possible in an industrial setting and, in our opinion, is not desirable. The standard mandates or implies the use of certain formal techniques that we have found are not practical or useful in the generation of this specification. We have found, however, that it is possible to maintain sufficient mathematical rigour through the use of the PFS method to ensure that safety properties can be maintained from specification to implementation. Changes to Defence Standard 00-55 are recommended, particularly in the area of formal specification and the subsequent refinement of requirements. We feel this would preserve the same intent with a more practical approach.
Without the code, the formal specification is not complete, and next, tools are needed to support healthiness, consistency, completeness etc. towards developing a complete theory of composition. The whole issue cannot be addressed with formal specification alone; we need to combine it with PFS specification, which leads to great success.
References
- CCITT Blue Book. 1988. Functional Specification and Description Language (SDL). http://www.iec.org/online/tutorials/acrobat/sdl.pdf
- Galloway, A.J., Cockram, T.J. and McDermid, J.A. 1998. Experience with the application of discrete formal methods to the development. In: Distributed Computer Control Systems.
- Goguen, J.A. and Winkler, T. 1988. Introducing OBJ3. SRI International. (http://188.8.131.52/search?q=cache:mXEHLgODAjYJ:pvs.csl.sri.com/papers/procos/kiel-khb-5-1.ps.gz+Introducing+OBj3,+SRI+International. &cd=1&hl=en&ct=clnk&gl=uk)
- Hoare, C.A.R. 1985. Communicating Sequential Processes. Prentice-Hall.
- Hudak, P. et al. 1993. Information Processing Systems - Open Systems Interconnection - LOTOS.
- Jones, M.P. 1994. The implementation of the Gofer functional programming system. Tech. Rep. YALEU/DCS/RR-1030, Yale University, U.S.A.
- Abrial, J.-R. 1996. The B-Book: Assigning Programs to Meanings. Cambridge University Press.
- Kurshan, R. 1997. Formal verification in a commercial setting. Proc. Design Automation Conference, June 1997.
- McDermid, J., Galloway, A., Burton, S., Clark, J., Tracey, N. and Valentine, S. 1998. Towards industrially applicable formal methods: three small steps and one giant leap. International Conference on Formal Engineering Methods.
- Spivey, J.M. 1992. The Z Notation: A Reference Manual. Prentice-Hall. (http://spivey.oriel.ox.ac.uk/mike/zrm/zrm.pdf)
- UK Ministry of Defence. 1997. The Procurement of Safety Critical Software in Defence Equipment. Defence Standard 00-55.
- Vickers, A.J. 1996. The CONCERT approach to requirements specification, version 2. University of York Rolls-Royce UTC technical report no. YUTC/TR/96.1.