Formal Methods. Module Leader: Dr Aaron Kans ([email protected])

Page 1: Formal Methods

Formal Methods

Module Leader: Dr Aaron Kans ([email protected])

Page 2: Formal Methods

What is this module about?

Developing software like an ENGINEER

Page 3: Formal Methods

High Integrity Software Development

By the end of this lecture you should be able to:

• define the term high integrity software;

• distinguish between different types of critical software;

• identify the weaknesses of testing as an approach to software verification;

• identify the weaknesses of natural language specifications;

• distinguish between formal and informal methods of software development;

• describe what is meant by the term lightweight formal methods.

Page 4: Formal Methods

Introduction

Software is often integrated into a mechanical or electronic system.

Such software is known as embedded software.

The cost of software failure in these systems can be dangerously high.

Such systems therefore require a higher degree of confidence in the correctness of the software.

Such software is known as HIGH INTEGRITY SOFTWARE.

Page 5: Formal Methods

Critical Software

business critical software

mission critical software

safety critical software

Page 6: Formal Methods

Integrity Levels

(Diagram: a scale of integrity levels running from Integrity level 1 to Integrity level 5.)

Page 7: Formal Methods

Some high profile examples of high integrity software failures

The loss of NASA's Mars Climate Orbiter in September 1999

The crash of the European Space Agency's Ariane 5 rocket in June 1996

Radiation overdoses administered by the Therac-25 machine in the USA and Canada during the 1980s.

Page 8: Formal Methods

The importance of the specification

(Diagram: CLIENT, DEVELOPER, SPECIFICATION, TESTING and FINAL APPLICATION, with the specification as the link between client and developer.)

Page 9: Formal Methods

Limitations of Testing

1. Testing cannot take place until some implementation is available.

2. Testing can only help to uncover errors; it cannot guarantee the absence of them.

3. Testing is always carried out with respect to the requirements as laid down in the specification, so an error in the specification itself cannot be found by testing against it.

Page 10: Formal Methods

UML: a review

The Unified Modelling Language (UML) notation is used to specify and design systems according to the principles of object-oriented development

BankAccount
----------------------------
accountNumber: String
accountName: String
balance: Real
----------------------------
deposit(Real)
withdraw(Real): Boolean
currentBalance(): Real

Page 11: Formal Methods

Weakness of natural language specifications

Withdraw:

“Receives a requested amount to withdraw from the bank account and, if there are sufficient funds in the account, meets the request.

Returns a boolean value indicating success or failure of the attempt to withdraw money from the account.”

Natural language descriptions do not have a fixed meaning: they are ambiguous.

Natural language, like the informal notations built on it, has no fixed semantics.

Page 12: Formal Methods

Incomplete specifications

A specification can be considered incomplete when the behaviour is not completely defined. The withdraw description above, for example, does not say whether a zero or negative amount is a valid request, nor what happens to the balance when the request is refused.

Withdraw:

“Receives a requested amount to withdraw from the bank account and, if there are sufficient funds in the account, meets the request.

Returns a boolean value indicating success or failure of the attempt to withdraw money from the account.”

Page 13: Formal Methods

Inconsistent specifications

A specification is inconsistent when it contains within it contradictions.

Withdraw:

“Receives a requested amount to withdraw from the bank account and, if there are sufficient funds in the account, meets the request.

Returns a boolean value indicating success or failure of the attempt to withdraw money from the account.”

OVERDRAFT? If the account has an overdraft facility, "sufficient funds in the account" contradicts allowing the balance to go below zero, and the description does not say which reading applies.
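The following is an added example, not part of the original slides, written to show how the withdraw description above can be made precise enough to check, and to illustrate the limitations of testing listed earlier. The Account class, the overdraft_limit field, the integer (pence) balances and the three hand-written tests are all assumptions introduced for the example. Each open question in the informal text becomes an explicit pre- or postcondition; the postcondition is then enforced as a run-time check and used as the oracle for a bounded exhaustive check. An implementation with an off-by-one error at the overdraft boundary passes the hand-written tests but is caught by the exhaustive check.

```python
"""Making the informal 'withdraw' description precise enough to check.

Decisions the natural-language text leaves open, fixed here:
  - 'sufficient funds' means the balance may not fall below -overdraft_limit;
  - a refused request leaves the balance unchanged and returns False;
  - only a positive amount is a valid request (precondition).
Account, overdraft_limit and the integer balances are assumptions of this
example, not part of the original slides.
"""
from dataclasses import dataclass, replace
from itertools import product


@dataclass
class Account:
    balance: int              # pence, so the arithmetic is exact
    overdraft_limit: int = 0  # 0 means no overdraft facility


def pre_withdraw(acc: Account, amount: int) -> bool:
    """Precondition: only positive amounts are valid.  A negative 'withdrawal'
    would credit the account, so this is enforced at the trust boundary rather
    than left as an unchecked assumption about the caller."""
    return amount > 0


def sufficient_funds(acc: Account, amount: int) -> bool:
    """'Sufficient funds' made precise."""
    return acc.balance - amount >= -acc.overdraft_limit


def post_withdraw(before: Account, amount: int, after: Account, ok: bool) -> bool:
    """Postcondition relating the state before and after the call to the result."""
    if sufficient_funds(before, amount):
        return ok and after.balance == before.balance - amount
    return (not ok) and after.balance == before.balance  # refused: unchanged


def withdraw(acc: Account, amount: int) -> bool:
    """Implementation intended to satisfy the specification."""
    if not sufficient_funds(acc, amount):
        return False
    acc.balance -= amount
    return True


def withdraw_buggy(acc: Account, amount: int) -> bool:
    """Off-by-one: refuses a withdrawal that would land exactly on the limit."""
    if amount < acc.balance + acc.overdraft_limit:
        acc.balance -= amount
        return True
    return False


class ContractViolation(AssertionError):
    pass


def checked(impl):
    """Wrap an implementation so the specification is enforced at run time."""
    def wrapper(acc: Account, amount: int) -> bool:
        if not pre_withdraw(acc, amount):
            raise ContractViolation(f"precondition: amount must be positive, got {amount}")
        before = replace(acc)  # copy of the state before the call
        ok = impl(acc, amount)
        if not post_withdraw(before, amount, acc, ok):
            raise ContractViolation(f"postcondition: {before} withdraw {amount} -> {acc}, ok={ok}")
        return ok
    return wrapper


def hand_tests(impl) -> bool:
    """Three plausible hand-written cases (constructed for this example): a
    normal withdrawal, a refused one, and one that uses the overdraft."""
    a, b, c = Account(100), Account(100), Account(10, overdraft_limit=20)
    return (impl(a, 30) is True and a.balance == 70
            and impl(b, 500) is False and b.balance == 100
            and impl(c, 25) is True and c.balance == -15)


def exhaustive_check(impl, max_balance=5, max_limit=2, max_amount=7):
    """Bounded exhaustive check of impl against the postcondition.  Returns every
    (balance, limit, amount, result, balance_after) that violates it."""
    failures = []
    for balance, limit, amount in product(range(-max_limit, max_balance + 1),
                                          range(max_limit + 1),
                                          range(1, max_amount + 1)):
        if balance < -limit:  # not a reachable state for that limit
            continue
        acc = Account(balance, limit)
        before = replace(acc)
        ok = impl(acc, amount)
        if not post_withdraw(before, amount, acc, ok):
            failures.append((balance, limit, amount, ok, acc.balance))
    return failures


if __name__ == "__main__":
    print("hand tests pass for buggy version:", hand_tests(withdraw_buggy))
    print("exhaustive check, correct version:", exhaustive_check(withdraw))
    bad = exhaustive_check(withdraw_buggy)
    print(f"exhaustive check, buggy version: {len(bad)} failures, first {bad[0]}")
```

The hand-written tests never exercise the boundary case, so withdraw_buggy passes them; the exhaustive check, driven by the written-down postcondition rather than by the tester's intuition, reports every boundary state. The same postcondition doubles as a run-time check through checked(), which is how a property of the specification becomes a guard in the final program.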

Page 14: Formal Methods

Formal languages

It is desirable to use a specification notation with a fixed, unambiguous, semantics.

Notations that have a fixed semantics are known as formal notations, or formal languages.

A fixed semantics is achieved by defining a language in a completely unambiguous way using a mathematical framework.

Page 15: Formal Methods

Formal Methods

initial formal specification -> 1st transformation -> 2nd transformation -> ... -> nth transformation -> final program

A formal method includes a proof system for demonstrating that each transformation preserves the formal meaning captured in the previous step.
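One such transformation step, checked mechanically, as an added example that is not part of the original slides. The abstract specification is model-based in the style of Z or VDM: the bank is a partial function from account number to balance, written here as a dict. The concrete design keeps two parallel lists sorted by account number so lookups can use binary search. A retrieve function maps each concrete state to the abstract state it stands for, and the obligation checked is that every concrete operation, seen through retrieve, does what the abstract operation does. The account numbers "B", "C", "D", the bounded balances and the two variants of the open operation are assumptions of the example.

```python
"""One refinement step checked on a bounded domain.  Abstract level: a dict
from account number to balance.  Concrete level: parallel lists (nums, bals)
with nums kept sorted.  All names and sample states are assumptions of this
example, not from the original slides."""
from bisect import bisect_left
from itertools import product


# ---- abstract level: operations on a dict, always returning a new dict ----
def a_open(bank, num):
    assert num not in bank                 # precondition
    return {**bank, num: 0}


def a_deposit(bank, num, amount):
    assert num in bank and amount > 0      # precondition
    return {**bank, num: bank[num] + amount}


def a_withdraw(bank, num, amount):
    assert num in bank and amount > 0      # precondition; no overdraft here
    if bank[num] < amount:
        return bank, False
    return {**bank, num: bank[num] - amount}, True


# ---- concrete level: parallel lists, nums sorted so binary search works ----
def index_of(nums, num):
    # Relies on the representation invariant that nums is sorted.  If some
    # operation breaks that invariant, binary search silently returns the
    # wrong slot, and money moves in or out of the wrong account.
    return bisect_left(nums, num)


def c_open_sorted(nums, bals, num):
    i = bisect_left(nums, num)
    return nums[:i] + [num] + nums[i:], bals[:i] + [0] + bals[i:]


def c_open_append(nums, bals, num):
    # Tempting shortcut that does not maintain the sorted invariant.
    return nums + [num], bals + [0]


def c_deposit(nums, bals, num, amount):
    i = index_of(nums, num)
    return nums, bals[:i] + [bals[i] + amount] + bals[i + 1:]


def c_withdraw(nums, bals, num, amount):
    i = index_of(nums, num)
    if bals[i] < amount:
        return (nums, bals), False
    return (nums, bals[:i] + [bals[i] - amount] + bals[i + 1:]), True


def retrieve(nums, bals):
    """Retrieve function: the abstract state a concrete state represents."""
    return dict(zip(nums, bals))


def check_refinement(open_impl, max_balance=3, max_amount=4):
    """For every small starting state, open a new account with open_impl and
    then check each deposit and withdrawal against the abstract operations.
    Returns the list of commutation failures; empty means the bounded
    obligation holds."""
    failures = []
    for b, d in product(range(max_balance + 1), repeat=2):
        nums, bals = ["B", "D"], [b, d]
        abs0 = retrieve(nums, bals)
        nums1, bals1 = open_impl(nums, bals, "C")
        abs1 = a_open(abs0, "C")
        if retrieve(nums1, bals1) != abs1:
            failures.append(("open", (b, d), "C", 0))
            continue
        for num, amount in product(sorted(abs1), range(1, max_amount + 1)):
            if retrieve(*c_deposit(nums1, bals1, num, amount)) != a_deposit(abs1, num, amount):
                failures.append(("deposit", (b, d), num, amount))
            (n2, b2), c_ok = c_withdraw(nums1, bals1, num, amount)
            a2, a_ok = a_withdraw(abs1, num, amount)
            if (retrieve(n2, b2), c_ok) != (a2, a_ok):
                failures.append(("withdraw", (b, d), num, amount))
    return failures


if __name__ == "__main__":
    print("sorted insert:", check_refinement(c_open_sorted))
    bad = check_refinement(c_open_append)
    print("append:", len(bad), "failures, e.g.", bad[0])
```

With c_open_sorted every obligation holds on the bounded domain. With c_open_append the open operation itself still retrieves to the right abstract state, so a check of that step alone would pass; the defect only shows when a later operation relies on the broken invariant, which is why refinement proofs carry the representation invariant from one step to the next rather than checking each operation in isolation.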

Page 16: Formal Methods

Advantages of formal methods

• formal specifications can help considerably in generating suitable test cases;

• the discipline required in producing a formal specification allows for feedback on system specifications at early development stages, increasing confidence that the specification accurately captures the real system requirements;

• important properties of the initial specification can be checked mathematically and incorporated as run-time checks in the final program;

• proofs can help uncover design errors as soon as they are made, rather than having to wait for testing of the final implementation;

• a proof of program correctness can be constructed that is a much more robust method of achieving program correctness than is testing alone.

Page 17: Formal Methods

Classifying formal methods

                     Algebraic                                 Model-based

Sequential systems   Larch, OBJ                                Vienna Development Method (VDM), Z, B

Concurrent systems   Calculus of Communicating Systems (CCS),  Communicating Sequential Processes (CSP)
                     Prototype Verification System (PVS)