The Industrial Use of Formal Methods:
     Experiences of an Optimist

     Prof. Jonathan P. Bowen
      London South Bank University
         University of Westminster
           Museophile Limited
            www.jpbowen.com
       jonathan.bowen@lsbu.ac.uk
Experiences of an Optimist
http://en.wikipedia.org/wiki/John_Redcliffe-Maud
Background: Safety and reliability

Airbus A380 simulator
Emirates Aviation College
Dubai, 3 February 2011
Theory and Practice

“It has long been my personal view that the
separation of practical and theoretical work is
artificial and injurious. Much of the practical work
done in computing, both in software and in hardware
design, is unsound and clumsy because the
people who do it have not any clear understanding
of the fundamental design principles of their work.
Most of the abstract mathematical and theoretical
work is sterile because it has no point of contact
with real computing.”
                 — Christopher Strachey (1916-1975)
Formal Methods

• Term established by late 1970s
  – Next stage from structured design
  – Mathematical basis
• Formal specification and (optionally) proof:
  – Validation (correct specification)
  – Verification (correct implementation wrt spec)
• But engineers calculate rather than prove
• Please contribute to the Formal Methods Wiki:
  – http://formalmethods.wikia.com
Z notation
• Formal specification – predicate logic, set
  theory, and schema boxes
  – Courses (academia & industry)

  – Textbooks (reasonable choice)

  – Tools (type-checkers, provers, …)

• Web resources – www.zuser.org

• Google group – comp.specification.z

• Z User Group (meetings) & Z standard
Z Standard

• ISO/IEC 13568
  – Long process (1990s)
  – Inconsistencies found!

• Final Committee Draft
  – accepted in 2001
• Useful for tools and
  industrial application
Levels of Complexity – Abstraction


• 25 lines of informal requirements
• 250 lines of specification (e.g., Z)
• 2,500 lines of design description
• 25,000 lines of high-level program code
• 250,000 machine instructions of object code
• 2,500,000 CMOS transistors in hardware!
Technology transfer problems
• Choosing a formal method – difficult
• Tools – difficult to use
Applications of Formal Methods
Examples:
• Tektronix (Z)
• STV algorithm (VDM)
• IBM CICS (Z/B)
• AAMP5 microproc. (PVS)
• GEC Alsthom (B)
• A300/340 (Z)
Industrial-Strength Formal Methods in Practice
Examples:
• Motorola CAP DSP (ACL2)
• Radiation Therapy Machine (Z)
• ATC system (VDM)
• Railways (Prover Technology)
And more recently:
• Microsoft
National Air Traffic Services

• Handled 2.2 million flights (in 2009), covering
  the UK and eastern North Atlantic.
• And carried more than 200 million passengers
  safely through some of the busiest and most
  complex airspace in the world.
• Provides air traffic control from its centres at
  Swanwick, Hampshire and Prestwick, Ayrshire.
• Also provides air traffic control services at 15 of the UK's
  major airports including Heathrow, Gatwick, Stansted,
  Birmingham, Manchester, Edinburgh, and Glasgow,
  together with air traffic services at Gibraltar Airport.
National Air Traffic Services, UK

Swanwick, southern England
www.nats.co.uk
Flight strips on paper

Last flight of Concorde
European airspace (Source: Wikipedia)

London: England & Wales
National Air Traffic Services

• Advertisement & leaflet at
  Heathrow Airport 
• Air Traffic Management
  (ATM)
• Single European Sky
  ATM Research (SESAR)
• SESAR Joint Undertaking
• www.sesarju.eu
• SESAR project (2004–20)
Altran Praxis
www.altran-praxis.com
Open-DO

Formal Methods in Air Traffic Control
Slides by Neil White
www.slideshare.net/AdaCore/white-open-do
www.youtube.com/watch?v=IQMWVqQfm5A
Copyright © Altran Praxis
Agenda
• A quick introduction
        – What is iFACTS?

• Formal methods for Specification
        – Z, State machines.

• Formal methods for Implementation
        – Implementation: SPARK.

• Formal methods for Test
        – Verification: more Z, Mathematica.

Context

• NATS, the UK’s leading air traffic services
  provider, has pioneered research and
  development of advanced air traffic control tools
  for several years from its simulator and research
  centre. The iFACTS project will deliver a subset of
  these tools onto the system at the company’s
  main en-route Control Centre at Swanwick.
• Further information is available at:
  www.computerweekly.com/Articles/2007/03/07/222258/Nats-claims-the-biggest-air-traffic-control-innovation-since.htm
UK Air Traffic Control
ATC team
• Planner (in/out)
• Tactical (controller)
• Assistant (flight strips)
Why iFACTS?

• iFACTS – Interim Future Area Control Tools
  Support – will further improve safety and provide
  Controllers with a set of advanced support tools,
  which will enable them to increase the amount of
  traffic they can comfortably handle. In trials, the
  system has delivered significant capacity
  increases.




What is iFACTS?

• iFACTS provides tools to support the controllers
        – Electronic flight strips replace the paper flight
          strips.
        – Trajectory tools – including prediction, deviation
          alerts, and conflict detection – are added.
• iFACTS is not an Air Traffic control system
        – Integrated with, but sits alongside, the existing
          system.




Medium Term Conflict Detection: Separation Monitor

[Screenshot of the Separation Monitor display: a plot of Separation (NM, 0 to 15) against Time to Interaction (mins, 0 to 15), each aircraft pair labelled by callsign (e.g., BAW225/UAL3, UAL2/SAA321, BAW028/ANZ001, SAS123/BAW43BE), with controls for Cancel Alert, Green, Lines and Labels.]
The complete iFACTS specification

• The functional specification
        – Z
• The algorithm specification
        – Maths
• The HMI specification
        – State tables
• The rest of the specification!
        – English




The Z specification
Z training

• Z reader training
        – 3 day course; fluency then comes after 1 week on
          the job.
        – We have trained 75 people to read Z.
        – Engineers, domain experts, ATCOs.
• Z writer training
        – 3 day course, fluency then comes after 3 months
          on the job.
        – We have trained 11 people to write Z.
        – All engineers.

Z tools

• Z written in Microsoft Word
        – To get acceptance, you need to work with what
          people know.
        – Supported by Word Add-ins.
                • A Z character set.
                • A simple interface to the fuzz type checker.
                • A graphical representation tool.




Z tools

• Advantages
        – Easy to develop commentary and Z together.
        – Hyper linking of fuzz errors back to source.
        – Cross-referencing of Z names in final document.
• Disadvantages
        – All the problems of large Word documents.
        – Tools can be slow on 1000 page documents.
        – Merging branches is painful.
• The Future
        – Open Office XML?

The state machine specification

                Button 1    Checkbox 1
State 1         State 2     N/A
State 2         State 1     State 3
State 3         State 1     State 2

Transition Actions
   State 1 -> State 2 : De-select Checkbox 1
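The state table above as executable data, added here as an illustration (it is not iFACTS code): a checker reports cells that are missing or that name a state the table never defines, which is the kind of tool support the next slide says the project did without, and a small table-driven executor applies the transition actions. N/A cells are read as events that cannot occur in that state, so the executor records them rather than failing.

```python
"""Executable form of an HMI state table (constructed from the slide above)."""
from dataclasses import dataclass, field

NA = None  # the table's "N/A": the event cannot occur in this state

# Rows are states, columns are events, cells are the next state (or NA).
TRANSITIONS = {
    "State 1": {"Button 1": "State 2", "Checkbox 1": NA},
    "State 2": {"Button 1": "State 1", "Checkbox 1": "State 3"},
    "State 3": {"Button 1": "State 1", "Checkbox 1": "State 2"},
}

# Transition actions keyed by (from_state, to_state); the slide gives one.
ACTIONS = {
    ("State 1", "State 2"): "De-select Checkbox 1",
}


def check_table(transitions):
    """Well-formedness check a reviewer would otherwise do by eye.
    Returns a list of problems: a cell missing for some state/event pair, or a
    cell naming a state the table never defines. An empty list means the table
    is total over states x events (NA counts as a deliberate entry)."""
    events = sorted({e for row in transitions.values() for e in row})
    problems = []
    for state, row in transitions.items():
        for event in events:
            if event not in row:
                problems.append(f"{state}: no entry for event {event!r}")
            elif row[event] is not NA and row[event] not in transitions:
                problems.append(f"{state}/{event}: unknown target {row[event]!r}")
    return problems


@dataclass
class Machine:
    """Interpreter driven purely by the tables, so the spec is the code."""
    state: str
    log: list = field(default_factory=list)

    def fire(self, event):
        target = TRANSITIONS[self.state].get(event, NA)
        if target is NA:
            # The spec says this event cannot happen here; record it for review.
            self.log.append(f"ignored {event} in {self.state}")
            return self.state
        action = ACTIONS.get((self.state, target))
        if action is not None:
            self.log.append(action)
        self.state = target
        return target


def run(events, start="State 1"):
    """Drive the machine through a sequence of events; returns (final state, log)."""
    machine = Machine(start)
    for event in events:
        machine.fire(event)
    return machine.state, machine.log


if __name__ == "__main__":
    print("table problems:", check_table(TRANSITIONS))
    print(run(["Button 1", "Checkbox 1", "Checkbox 1", "Button 1"]))
```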
State machine training & tools

• Training
        – So trivial that we don’t train!
        – People “just get it”.
• Tools
        – Err …. None.




The SPARK Implementation

• SPARK Ada
        – An annotated subset of Ada.
• 150 KSLOC (Logical)
• RTE (Run-Time Exception) Proof
        – Formal partial correctness proof against
          specification not considered cost-effective.




Code
SPARK Training

• 57 people trained in SPARK
        – Mostly contractors and clients.
        – Diverse programming background.
        – All SPARK coders are also Z readers.
• Effective as SPARK coders immediately
• Picking up RTE proof takes longer.
        – About 2 months.
• How long to pick up formal correctness proofs?
        – No data, but I suspect longer again.


SPARK Tools

• The SPARK toolset
        – Examiner.
        – Proof Simplifier.
        – Proof Checker.
• See me later!




Test Design
The Challenge of Test Design

[Image not reproduced] How many potential tests for this fragment?
The Challenge of Test Design

• If you just turn the handle there are 1134
  conditions to test.
• But if you work at it hard enough you can cover
  the required subset in just 6 test scripts.
• Formal methods are not a substitute for
  initiative.




Test reference models

• Algorithms are specified in pure mathematics.
        – Working out the expected answer for test cases is
          very difficult and error prone.
• We generate test cases as usual.
• We create a test reference implementation in
  Mathematica.
• We do back-to-back testing of iFACTS against the
  reference.
        – Diverse tools and implementers reduce the
          possibility of a common failure.
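The back-to-back arrangement described above, as a constructed Python example rather than iFACTS or its Mathematica reference model: a closed-form closest-point-of-approach calculation stands in for the implementation under test, a brute-force sampling model written independently stands in for the reference, and hand-picked edge cases plus seeded random pairs are run through both with a tolerance derived from the sampling step. A variant that forgets the look-ahead window shows the harness catching a defect that testing the analytic code alone would not expose. The look-ahead horizon, sampling step and units are assumptions.

```python
"""Back-to-back testing of a conflict-prediction algorithm against a diverse
reference model. Constructed example; not the iFACTS or Mathematica code."""
import math
import random

HORIZON_MIN = 20.0   # look-ahead window in minutes (assumed value)
DT_MIN = 0.05        # sampling step of the numerical reference, in minutes

# An aircraft is (x, y, vx, vy): position in NM, velocity in NM per minute.


def cpa_analytic(a, b):
    """Implementation under test: closed-form closest point of approach.
    Returns (time_to_cpa_min, separation_nm) with the time clamped to the
    look-ahead window [0, HORIZON_MIN]."""
    rx, ry = b[0] - a[0], b[1] - a[1]      # relative position
    wx, wy = b[2] - a[2], b[3] - a[3]      # relative velocity
    ww = wx * wx + wy * wy
    if ww == 0.0:
        t = 0.0                            # parallel, same speed: separation is constant
    else:
        t = min(max(-(rx * wx + ry * wy) / ww, 0.0), HORIZON_MIN)
    return t, math.hypot(rx + wx * t, ry + wy * t)


def cpa_analytic_no_clamp(a, b):
    """Deliberately defective variant: forgets the look-ahead window, so a pair
    that is already diverging is reported with a closest approach in the past."""
    rx, ry = b[0] - a[0], b[1] - a[1]
    wx, wy = b[2] - a[2], b[3] - a[3]
    ww = wx * wx + wy * wy
    t = 0.0 if ww == 0.0 else -(rx * wx + ry * wy) / ww
    return t, math.hypot(rx + wx * t, ry + wy * t)


def cpa_reference(a, b):
    """Diverse reference model: brute-force sampling of the separation over the
    look-ahead window, written without reusing the closed-form derivation."""
    best_t, best_d = 0.0, float("inf")
    steps = int(round(HORIZON_MIN / DT_MIN))
    for i in range(steps + 1):
        t = i * DT_MIN
        dx = (b[0] + b[2] * t) - (a[0] + a[2] * t)
        dy = (b[1] + b[3] * t) - (a[1] + a[3] * t)
        d = math.sqrt(dx * dx + dy * dy)
        if d < best_d:
            best_t, best_d = t, d
    return best_t, best_d


def generate_cases(n, seed=0):
    """Test-case generation 'as usual': hand-picked edge cases (head-on,
    parallel at the same speed, already diverging) plus n seeded random pairs."""
    rng = random.Random(seed)
    cases = [
        ((0, 0, 8, 0), (60, 0, -8, 0)),    # head-on, 60 NM apart, 8 NM/min each
        ((0, 0, 7, 0), (0, 10, 7, 0)),     # parallel tracks, same speed, 10 NM apart
        ((0, 0, -5, 0), (20, 0, 5, 0)),    # diverging: closest approach is now
    ]
    for _ in range(n):
        cases.append(tuple(
            (rng.uniform(-100, 100), rng.uniform(-100, 100),
             rng.uniform(-9, 9), rng.uniform(-9, 9)) for _ in range(2)))
    return cases


def back_to_back(cases, impl=cpa_analytic, reference=cpa_reference):
    """Run every case through both models and return the discrepancies.
    The tolerance follows from the reference's sampling: the grid point nearest
    the true closest approach is at most DT_MIN/2 away in time, and separation
    can change no faster than the relative speed, so the separation error is
    bounded by rel_speed * DT_MIN / 2."""
    failures = []
    for a, b in cases:
        t1, d1 = impl(a, b)
        t2, d2 = reference(a, b)
        rel_speed = math.hypot(b[2] - a[2], b[3] - a[3])
        sep_tol = rel_speed * DT_MIN / 2 + 1e-9
        if abs(d1 - d2) > sep_tol or abs(t1 - t2) > DT_MIN / 2 + 1e-9:
            failures.append({"case": (a, b), "impl": (t1, d1), "ref": (t2, d2)})
    return failures


if __name__ == "__main__":
    print("discrepancies, correct impl:", len(back_to_back(generate_cases(200))))
    print("discrepancies, no-clamp impl:",
          len(back_to_back(generate_cases(0), impl=cpa_analytic_no_clamp)))
```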

Mathematica tools & training

• Small team – only 5 trained.
• Reference model has similar defect density to
  SPARK implementation.
• Limited conclusions to draw from such a small
  activity.




Conclusions

• Formal methods are applicable to all phases of
  the lifecycle.

• Training engineers is not a barrier
        – It’s a one-off cost
        – Our data shows that training is easy and cheap.

• Tool support is vital
        – The Achilles heel of formal methods
                 • Except the SPARK Examiner!
Altran Praxis

Altran Praxis Limited
20 Manvers Street
Bath BA1 1PX
United Kingdom
Telephone: +44 (0) 1225 466991
Facsimile: +44 (0) 1225 469006
Website: www.altran-praxis.com
Email: neil.white@altran-praxis.com
Tracing
• Completeness of coverage
  – e.g., testing all parts of a Z specification
• DOORS tool
  – Integrate Systems Engineering
• Link all specification components with test
  case(s) or argument for safety case
• Flag unlinked components
• Also visualization of schema structure
www.integrate.biz/casestudies/BusinessGoalAlignment.aspx
Future
• Traffic Load Prediction Device (TLPD)
• Forecast air traffic load up to 4 hours ahead
• Plan workloads for optimum traffic flows
www.altran-praxis.com/news/nats_control_system_21_Sep_10.aspxx
Reflection

 Oui, l'œuvre sort plus belle
 D'une forme au travail
 Rebelle,
 Vers, marbre, onyx, émail.

 [Yes, the work comes out more beautiful from a
  material that resists the process, verse, marble,
  onyx, or enamel.]
          — Théophile Gautier (1811–1872) L'Art
Beware Panaceas!
 Cf. Formal methods

Caveat Emptor!
 Cf. Software
  • 6. Formal Methods • Term established by late 1970s – Next stage from structured design – Mathematical basis • Formal specification and (optionally) proof: – Validation (correct specification) – Verification (correct implementation wrt spec) • But engineers calculate rather than prove • Please contribute to the Formal Methods Wiki: – http://formalmethods.wikia.com
  • 7. Z notation • Formal specification – predicate logic, set theory, and schema boxes – Courses (academia & industry) – Textbooks (reasonable choice) – Tools (type-checkers, provers, …) • Web resources – www.zuser.org • Google group – comp.specification.z • Z User Group (meetings) & Z standard
  • 8. Z Standard • ISO/IEC 13568 – Long process (1990s) – Inconsistencies found! • Final Committee Draft – accepted in 2001 • Useful for tools and industrial application
  • 9. Levels of Complexity – Abstraction • 25 lines of informal requirements • 250 lines of specification (e.g., Z) • 2,500 lines of design description • 25,000 lines of high-level program code • 250,000 machine instructions of object code • 2,500,000 CMOS transistors in hardware!
  • 11. Choosing a formal method – difficult
  • 13. Applications of Formal Methods Examples: • Tektronix (Z) • STV algorithm (VDM) • IBM CICS (Z/B) • AAMP5 microproc. (PVS) • GEC Alsthom (B) • A300/340 (Z)
  • 14. Industrial-Strength Formal Methods in Practice Examples: • Motorola CAP DSP (ACL2) • Radiation Therapy Machine (Z) • ATC system (VDM) • Railways (Prover Technology) And more recently: Microsoft
  • 15. National Air Traffic Services • Handled 2.2 million flights (in 2009), covering the UK and eastern North Atlantic. • And carried more than 200 million passengers safely through some of the busiest and most complex airspace in the world. • Provides air traffic control from its centres at Swanwick, Hampshire and Prestwick, Ayrshire. • Also provides air traffic control services at 15 of the UK's major airports including Heathrow, Gatwick, Stansted, Birmingham, Manchester, Edinburgh, and Glasgow, together with air traffic services at Gibraltar Airport.
  • 16. National Air Traffic Services, UK Swanwick southern England www.nats.co.uk
  • 17. Flight strips on paper Last flight of Concorde
  • 19. National Air Traffic Services • Advertisement & leaflet at Heathrow Airport • Air Traffic Management (ATM) • Single European Sky ATM Research (SESAR) • SESAR Joint Undertaking • www.sesarju.eu • SESAR project (2004–20)
  • 20. Altran Praxis www.altran-praxis.com
  • 21. Open-DO Formal Methods in Air Traffic Control Slides by Neil White www.slideshare.net/AdaCore/white-open-do www.youtube.com/watch?v=IQMWVqQfm5A Copyright © Altran Praxis
  • 22. Agenda • A quick introduction – What is iFACTS? • Formal methods for Specification – Z, State machines. • Formal methods for Implementation – Implementation: SPARK. • Formal methods for Test – Verification: more Z, Mathematica.
  • 23. Context • NATS, the UK’s leading air traffic services provider, has pioneered research and development of advanced air traffic control tools for several years from its simulator and research centre. The iFACTS project will deliver a subset of these tools onto the system at the company’s main en-route Control Centre at Swanwick. • Further information is available at: www.computerweekly.com/Articles/2007/03/07/222258/Nats-claims-the-biggest-air-traffic-control-innovation-since.htm
  • 24. UK Air Traffic Control
  • 25. ATC team • Planner (in/out) • Tactical (controller) • Assistant (flight strips)
  • 26. Why iFACTS? • iFACTS – Interim Future Area Control Tools Support – will further improve safety and provide Controllers with a set of advanced support tools, which will enable them to increase the amount of traffic they can comfortably handle. In trials, the system has delivered significant capacity increases.
  • 27. What is iFACTS? • iFACTS provides tools to support the controllers – Electronic flight strips replace the paper flight strips. – Trajectory tools - including prediction, deviation alerts, and conflict detection – are added. • iFACTS is not an Air Traffic control system – Integrated with, but sits alongside, the existing system.
  • 28. Medium Term Conflict Detection: Separation Monitor [Chart: aircraft-pair labels (BAW225, UAL3, UAL2, SAA321, BAW028, ANZ001, AZA292, BAL547, DLH4695, AMM1077, SAS123, BAW43BE) plotted by Separation (NM), 0–15, against Time to Interaction (mins), 0–15, with green lines and a Cancel Alert control.]
  • 29. Agenda • A quick introduction – What is iFACTS? • Formal methods for Specification – Z, State machines. • Formal methods for Implementation – Implementation: SPARK. • Formal methods for Test – Verification: more Z, Mathematica.
  • 30. The complete iFACTS specification • The functional specification – Z • The algorithm specification – Maths • The HMI specification – State tables • The rest of the specification! – English
  • 32. Z training • Z reader training – 3 day course; fluency then comes after 1 week on the job. – We have trained 75 people to read Z. – Engineers, domain experts, ATCOs. • Z writer training – 3 day course, fluency then comes after 3 months on the job. – We have trained 11 people to write Z. – All engineers.
  • 33. Z tools • Z written in Microsoft Word – To get acceptance, you need to work with what people know. – Supported by Word Add-ins. • A Z character set. • A simple interface to the fuzz type checker. • A graphical representation tool.
  • 34. Z tools • Advantages – Easy to develop commentary and Z together. – Hyperlinking of fuzz errors back to source. – Cross-referencing of Z names in final document. • Disadvantages – All the problems of large Word documents. – Tools can be slow on 1000 page documents. – Merging branches is painful. • The Future – Open Office XML?
  • 35. The state machine specification • State table (rows: current state; columns: event) – State 1: Button 1 -> State 2; Checkbox 1 -> N/A. – State 2: Button 1 -> State 1; Checkbox 1 -> State 3. – State 3: Button 1 -> State 1; Checkbox 1 -> State 2. • Transition Actions – State 1 -> State 2: De-select Checkbox 1
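A table-driven interpreter for the state table on slide 35, added here as an illustration and not Altran Praxis code: it checks that every (state, event) cell is filled in and every state is reachable, then drives the table with an event sequence and records the transition actions. Treating an N/A cell as "the event has no effect in this state" is an assumption of this example.

```python
# Added example, not from the slides: a table-driven interpreter for the HMI
# state table on slide 35, plus the completeness check a reviewer wants.
# States, events and the single transition action are the slide's; treating
# an N/A cell as "event has no effect in this state" is an assumption.

STATES = ("State 1", "State 2", "State 3")
EVENTS = ("Button 1", "Checkbox 1")

# Table cell (current state, event) -> next state, or None for N/A.
TRANSITIONS = {
    ("State 1", "Button 1"): "State 2",
    ("State 1", "Checkbox 1"): None,
    ("State 2", "Button 1"): "State 1",
    ("State 2", "Checkbox 1"): "State 3",
    ("State 3", "Button 1"): "State 1",
    ("State 3", "Checkbox 1"): "State 2",
}

# Transition actions: (from state, to state) -> action carried out.
ACTIONS = {("State 1", "State 2"): "De-select Checkbox 1"}

def missing_cells(transitions=TRANSITIONS, states=STATES, events=EVENTS):
    """Return (state, event) pairs the table leaves undefined. An empty list
    means every cell holds a next state or an explicit N/A."""
    return [(s, e) for s in states for e in events if (s, e) not in transitions]

def unreachable_states(transitions=TRANSITIONS, start="State 1"):
    """Return states that no sequence of events can reach from start."""
    seen, todo = {start}, [start]
    while todo:
        s = todo.pop()
        for (frm, _), nxt in transitions.items():
            if frm == s and nxt is not None and nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return [s for s in STATES if s not in seen]

def run(events, start="State 1"):
    """Drive the table with an event sequence; return (final state, actions)."""
    state, actions = start, []
    for e in events:
        nxt = TRANSITIONS[(state, e)]        # KeyError if the event is unknown
        if nxt is None:                      # N/A: no change, no action
            continue
        if (state, nxt) in ACTIONS:
            actions.append(ACTIONS[(state, nxt)])
        state = nxt
    return state, actions
```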
  • 36. State machine training & tools • Training – So trivial that we don’t train! – People “just get it”. • Tools – Err …. None.
  • 37. Agenda • A quick introduction – What is iFACTS? • Formal methods for Specification – Z, State machines. • Formal methods for Implementation – Implementation: SPARK. • Formal methods for Test – Verification: more Z, Mathematica.
  • 38. The SPARK Implementation • SPARK Ada – An annotated subset of Ada. • 150 KSLOC (Logical) • RTE (Run-Time Exception) Proof – Formal partial correctness proof against specification not considered cost-effective.
  • 39. Code
  • 40. SPARK Training • 57 people trained in SPARK – Mostly contractors and clients. – Diverse programming background. – All SPARK coders are also Z readers. • Effective as SPARK coders immediately • Picking up RTE proof takes longer. – About 2 months. • How long to pick up formal correctness proofs? – No data, but I suspect longer again.
  • 41. SPARK Tools • The SPARK toolset – Examiner. – Proof Simplifier. – Proof Checker. • See me later!
  • 42. Agenda • A quick introduction – What is iFACTS? • Formal methods for Specification – Z, State machines. • Formal methods for Implementation – Implementation: SPARK. • Formal methods for Test – Verification: more Z, Mathematica.
  • 44. The Challenge of Test Design How many potential tests for this fragment?
  • 45. The Challenge of Test Design • If you just turn the handle there are 1134 conditions to test. • But if you work at it hard enough you can cover the required subset in just 6 test scripts. • Formal methods are not a substitute for initiative.
  • 46. Test reference models • Algorithms are specified in pure mathematics. – Working out the expected answer for test cases is very difficult and error prone. • We generate test cases as usual. • We create a test reference implementation in Mathematica. • We do back-to-back testing of iFACTS against the reference. – Diverse tools and implementers reduce the possibility of a common failure.
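Back-to-back testing of a simplified separation monitor against a deliberately different reference model, added as an illustration of slide 46 and not iFACTS or Altran Praxis code: a closed-form implementation and a brute-force reference are run on constructed track pairs and every disagreement on time to interaction, separation or the alert decision is returned. The straight-line track model and the 5 NM alert threshold are assumptions; the 15-minute horizon is taken from the chart axes on slide 28.

```python
import math

# Added example, not iFACTS code: units are NM and NM/min; the 15-minute
# horizon matches the chart axis on slide 28; the 5 NM alert threshold and
# the straight-line (constant velocity) track model are assumptions.
HORIZON_MIN = 15.0
ALERT_NM = 5.0

def closest_approach(a, b, horizon=HORIZON_MIN):
    """Implementation under test: closed-form time and distance of closest
    approach for tracks a = (x, y, vx, vy) and b, within the horizon."""
    rx, ry = b[0] - a[0], b[1] - a[1]            # relative position
    vx, vy = b[2] - a[2], b[3] - a[3]            # relative velocity
    vv = vx * vx + vy * vy
    t = 0.0 if vv == 0 else -(rx * vx + ry * vy) / vv
    t = min(max(t, 0.0), horizon)                # clamp into [0, horizon]
    return t, math.hypot(rx + vx * t, ry + vy * t)

def closest_approach_ref(a, b, horizon=HORIZON_MIN, step=0.005):
    """Reference model: brute-force sampling of the same pair, a deliberately
    different technique so a reasoning error is less likely to be shared."""
    best_t, best_d = 0.0, float("inf")
    for i in range(int(round(horizon / step)) + 1):
        t = i * step
        d = math.hypot((b[0] + b[2] * t) - (a[0] + a[2] * t),
                       (b[1] + b[3] * t) - (a[1] + a[3] * t))
        if d < best_d:
            best_t, best_d = t, d
    return best_t, best_d

def back_to_back(cases, impl=closest_approach, tol_nm=0.1, tol_min=0.05):
    """Run impl and the reference on every case and compare time to
    interaction, separation and the alert decision; return the mismatches."""
    bad = []
    for a, b in cases:
        t1, d1 = impl(a, b)
        t2, d2 = closest_approach_ref(a, b)
        if (abs(t1 - t2) > tol_min or abs(d1 - d2) > tol_nm
                or (d1 < ALERT_NM) != (d2 < ALERT_NM)):
            bad.append((a, b, (t1, d1), (t2, d2)))
    return bad

# Constructed cases: head-on, crossing, diverging, closest approach beyond horizon.
CASES = [
    ((0, 0, 8, 0), (100, 0, -8, 0)),
    ((0, 0, 8, 0), (60, -60, 0, 8)),
    ((0, 0, 8, 0), (0, 20, -8, 0)),
    ((0, 0, 8, 0), (300, 0, -8, 0)),
]
```

Removing the horizon clamp from the implementation makes the beyond-horizon case show up as a mismatch against the reference, which is the kind of disagreement the diverse model is there to expose.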
  • 47. Mathematica tools & training • Small team – only 5 trained. • Reference model has similar defect density to SPARK implementation. • Limited conclusions to draw from such a small activity.
  • 48. Conclusions • Formal methods are applicable to all phases of the lifecycle. • Training engineers is not a barrier – It’s a one-off cost – Our data shows that training is easy and cheap. • Tool support is vital – The Achilles heel of formal methods • Except the SPARK Examiner!
  • 49. Altran Praxis Altran Praxis Limited 20 Manvers Street Bath BA1 1PX United Kingdom Telephone: +44 (0) 1225 466991 Facsimile: +44 (0) 1225 469006 Website: www.altran-praxis.com Email: neil.white@altran-praxis.com
  • 50. Tracing • Completeness of coverage – e.g., testing all parts of a Z specification • DOORS tool – Integrate Systems Engineering • Link all specification components with test case(s) or argument for safety case • Flag unlinked components • Also visualization of schema structure www.integrate.biz/casestudies/BusinessGoalAlignment.aspx
  • 51. Future • Traffic Load Prediction Device (TLPD) • Forecast air traffic load up to 4 hours ahead • Plan workloads for optimum traffic flows www.altran-praxis.com/news/nats_control_system_21_Sep_10.aspxx
  • 52. Reflection Oui, l'œuvre sort plus belle D'une forme au travail Rebelle, Vers, marbre, onyx, émail. [Yes, the work comes out more beautiful from a material that resists the process, verse, marble, onyx, or enamel.] — Théophile Gautier (1811–1872) L'Art