Formal Methods in Software

Engineering

Credit Hours: 3+0

Formal Specification
 Objectives

To explain why formal specification
techniques help discover problems in system
requirements

To describe the use of algebraic techniques
for interface specification

To describe the use of model-based
techniques for behavioural specification
 Topics covered

Formal specification in the software process

Sub-system interface specification

Behavioural specification
 Formal methods

Formal specification is part of a more general
collection of techniques that are known as ‘formal
methods’.

These are all based on mathematical representation
and analysis of software.

Formal methods include
• Formal specification;
• Specification analysis and proof;
• Transformational development;
• Program verification.
Acceptance of formal methods

Formal methods have not become mainstream
software development techniques as was once
predicted
• Other software engineering techniques have been
successful at increasing system quality. Hence the need
for formal methods has been reduced;
• Market changes have made time-to-market rather than
software with a low error count the key factor. Formal
methods do not reduce time to market;
• The scope of formal methods is limited. They are not well-
suited to specifying and analysing user interfaces and
user interaction;
• Formal methods are still hard to scale up to large systems.
 Use of formal methods

The principal benefits of formal methods are
in reducing the number of faults in systems.

Consequently, their main area of applicability
is in critical systems engineering. There have
been several successful projects where
formal methods have been used in this area.

In this area, the use of formal methods is
most likely to be cost-effective because high
system failure costs must be avoided.
Specification in the software process

Specification and design are inextricably
intermingled.

Architectural design is essential to structure
a specification and the specification process.

Formal specifications are expressed in a
mathematical notation with precisely defined
vocabulary, syntax and semantics.
 Specification and design

Increasing contractor involvement

Decreasing client involvement

User System
requirements requirements Architectural Formal High-level
design specification design
definition specification

Specification

Design
Specification in the software process

System
Formal
requirements
specification
specification
User
High-level
requirements
design
definition

System Architectural
modelling design
 Use of formal specification

Formal specification involves investing more
effort in the early phases of software
development.

This reduces requirements errors as it forces
a detailed analysis of the requirements.

Incompleteness and inconsistencies can be
discovered and resolved.

Hence, savings as made as the amount of
rework due to requirements problems is
reduced.
 Cost profile

The use of formal specification means that
the cost profile of a project changes
• There are greater up front costs as more time
and effort are spent developing the
specification;
• However, implementation and validation costs
should be reduced as the specification process
reduces errors and ambiguities in the
requirements.
Development costs with formal specification

Cost
Validation

Design and
implementation Validation
Design and
implementation
Specification

Specification
 Specification techniques

Algebraic specification
• The system is specified in terms of its
operations and their relationships.

Model-based specification
• The system is specified in terms of a state
model that is constructed using mathematical
constructs such as sets and sequences.
Operations are defined by modifications to the
system’s state.
Formal specification languages
 Interface specification

Large systems are decomposed into subsystems
with well-defined interfaces between these
subsystems.

Specification of subsystem interfaces allows
independent development of the different
subsystems.

Interfaces may be defined as abstract data types or
object classes.

The algebraic approach to formal specification is
particularly well-suited to interface specification as it
is focused on the defined operations in an object.
 Sub-system interfaces

Interface
objects

Sub-system Sub-system
A B
The structure of an algebraic specification

< SPECIFICATION NAME >

sort < name >
imports < LIST OF SPECIFICATION NAMES >

Informal descr
iption of the sor
t and its oper
ations

Operation signatures setting out the names and the type

the parameters to the operations defined over the
t sor

Axioms defining the oper

ations over the sor
t
 Specification components

Introduction
• Defines the sort (the type name) and declares other
specifications that are used.

Description
• Informally describes the operations on the type.

Signature
• Defines the syntax of the operations in the interface and
their parameters.

Axioms
• Defines the operation semantics by defining axioms
which characterise behaviour.
Systematic algebraic specification

Algebraic specifications of a system may be
developed in a systematic way
• Specification structuring;
• Specification naming;
• Operation selection;
• Informal operation specification;
• Syntax definition;
• Axiom definition.
 Specification operations

Constructor operations. Operations which
create entities of the type being specified.

Inspection operations. Operations which
evaluate entities of the type being specified.

To specify behaviour, define the inspector
operations for each constructor operation.
 Operations on a list ADT

Constructor operations which evaluate to
sort List
• Create, Cons and Tail.

Inspection operations which take sort list as
a parameter and return some other sort
• Head and Length.

Tail can be defined using the simpler
constructors Create and Cons. No need to
define Head and Length with Tail.
List specification
 Recursion in specifications

Operations are often specified recursively.

Tail (Cons (L, v)) = if L = Create then Create
else Cons (Tail (L), v).
• Cons ([5, 7], 9) = [5, 7, 9]
• Tail ([5, 7, 9]) = Tail (Cons ( [5, 7], 9)) =
• Cons (Tail ([5, 7]), 9) = Cons (Tail (Cons ([5], 7)), 9) =
• Cons (Cons (Tail ([5]), 7), 9) =
• Cons (Cons (Tail (Cons ([], 5)), 7), 9) =
• Cons (Cons ([Create], 7), 9) = Cons ([7], 9) = [7, 9]
Interface specification in critical systems


Consider an air traffic control system where aircraft
fly through managed sectors of airspace.

Each sector may include a number of aircraft but, for
safety reasons, these must be separated.

In this example, a simple vertical separation of 300m
is proposed.

The system should warn the controller if aircraft are
instructed to move so that the separation rule is
breached.
 A sector object

Critical operations on an object representing
a controlled sector are
• Enter. Add an aircraft to the controlled airspace;
• Leave. Remove an aircraft from the controlled
airspace;
• Move. Move an aircraft from one height to
another;
• Lookup. Given an aircraft identifier, return its
current height;
 Primitive operations

It is sometimes necessary to introduce additional
operations to simplify the specification.

The other operations can then be defined using
these more primitive operations.

Primitive operations
• Create. Bring an instance of a sector into existence;
• Put. Add an aircraft without safety checks;
• In-space. Determine if a given aircraft is in the sector;
• Occupied. Given a height, determine if there is an aircraft
within 300m of that height.
 Sector specification (1)
SECTOR
sort Sector
imports INTEGER, BOOLEAN

Enter - adds an aircraft to the sector if safety conditions are satisfed

Leave - removes an aircraft from the sector
Move - moves an aircraft from one height to another if safe to do so
Lookup - Finds the height of an aircraft in the sector

Create - creates an empty sector

Put - adds an aircraft to a sector with no constraint checks
In-space - checks if an aircraft is already in a sector
Occupied - checks if a specified height is available

Enter (Sector
, Call-sign, Height)
 Sector
Leave (Sector, Call-sign) Sector
Move (Sector, Call-sign, Height)
 Sector
Lookup (Sector , Call-sign) Height
Create  Sector
Put (Sector
, Call-sign, Height)
 Sector
In-space (Sector
, Call-sign) Boolean
Occupied (Sector, Height)  Boolean
Enter (S, CS, H) =
if In-space (S, CSthen
) Sexception (Aircraft already in sector)
elsif Occupied (S, H)then S exception (Height conflict)
else Put (S, CS, H)