Formal Methods in

Software Engineering
Formal Specification
lecture#3&4
 Objectives

To explain why formal specification
techniques help discover problems
in system requirements

To describe the use of algebraic
techniques for interface specification

To describe the use of model-based
techniques for behavioural
specification
 Topics covered

1. Formal specification in the

software process
2. Sub-system interface
specification
3. Behavioural specification
 Formal methods

Formal specification is part of a more
general collection of techniques that are
known as ‘formal methods’.

These are all based on mathematical
representation and analysis of software.

Formal methods include
• Formal specification;
• Specification analysis and proof;
• Transformational development;
• Program verification.
 Acceptance of formal methods

Formal methods have not become mainstream
software development techniques as was once
predicted
• Other software engineering techniques have been
successful at increasing system quality. Hence the
need for formal methods has been reduced;
• Market changes have made time-to-market rather
than software with a low error count the key factor.
Formal methods do not reduce time to market;
• The scope of formal methods is limited. They are
not well-suited to specifying and analysing user
interfaces and user interaction;
• Formal methods are still hard to extend to large
systems.
 Use of formal methods

The primary benefit of formal methods are in
reducing the number of faults in systems.

therefore, their main area of applicability is in
critical systems engineering. There have been
numerous successful projects where formal
methods have been used in this area.

In this area, the use of formal methods is most
likely to be cost-effective because high system
failure costs must be avoided.
 Specification in the software
processes

Specification and design are completely
intermingled (intermixed).

Architectural design is essential to
structure a specification and the
specification process.

Formal specifications are expressed in a
mathematical notation with precisely
defined vocabulary, syntax and
semantics.
 Specification and design

Increasing contractor involvement

Decreasing client involvement

User System
Architectural Formal High-level
requirements requirements
design specification design
definition specification

Specification

Design
Specification in the software process

System
Formal
requirements
specification
specification
User
High-level
requirements
design
definition

System Architectural
modelling design
 Use of formal specification

Formal specification involves investing
more effort in the early phases of
software development.

This reduces requirements errors as it
forces a detailed analysis of the
requirements.

Incompleteness and inconsistencies can
be discovered and resolved.

Hence, savings as made as the amount of
rework due to requirements problems is
reduced.
 Cost profile

The use of formal specification means
that the cost profile of a project changes
• There are greater up front costs as more
time and effort are spent developing the
specification;
• However, implementation and validation
costs should be reduced as the
specification process reduces errors and
ambiguities in the requirements.
Development costs with formal
specification

Cost
Validation

Design and
implementation Validation
Design and
implementation
Specification

Specification
 Specification techniques

Algebraic specification
• The system is specified in terms of its
operations and their relationships.

Model-based specification
• The system is specified in terms of a
state model that is constructed using
mathematical constructs such as sets
and sequences. Operations are defined
by modifications to the system’s state.
 Interface specification

Large systems are decomposed into subsystems
with well-defined interfaces between these
subsystems.

Specification of subsystem interfaces allows
independent development of the different
subsystems.

Interfaces may be defined as abstract data types
or object classes.

The algebraic approach to formal specification is
particularly well-suited to interface specification
as it is focused on the defined operations in an
object.
 Sub-system interfaces

Interface
objects

Sub-system Sub-system
A B
 Specification components

Introduction
• Defines the sort (the type name) and declares other
specifications that are used.

Description
• casually describes the operations on the type.

Signature
• Defines the syntax of the operations in the interface and
their parameters.

Axioms
• Defines the operation semantics by defining axioms
which characterise behaviour.
Systematic algebraic specification


Algebraic specifications of a system
may be developed in a systematic
way
• Specification structuring;
• Specification naming;
• Operation selection;
• Informal operation specification;
• Syntax definition;
• Axiom definition.
 Specification operations

Constructor operations. Operations
which create entities of the type being
specified.

Inspection operations. Operations which
evaluate entities of the type being
specified.

To specify behaviour, define the
inspector operations for each constructor
operation.
 Interface specification in critical systems


Consider an air traffic control system where
aircraft fly through managed sectors of
airspace.

Each sector may include a number of aircraft
but, for safety reasons, these must be
separated.

In this example, a simple vertical separation of
300m is proposed.

The system should warn the controller if
aircraft are instructed to move so that the
separation rule is breached.
 A sector object

Critical operations on an object
representing a controlled sector are
• Enter. Add an aircraft to the controlled
airspace;
• Leave. Remove an aircraft from the
controlled airspace;
• Move. Move an aircraft from one height
to another;
• Lookup. Given an aircraft identifier,
return its current height;
 Primitive operations

It is sometimes necessary to introduce
additional operations to simplify the
specification.

The other operations can then be defined
using these more primitive operations.

Primitive operations
• Create. Bring an instance of a sector into
existence;
• Put. Add an aircraft without safety checks;
Thank You

Q/A