Experiences in the Industrial use of Formal Methods

Altran Praxis has used formal methods within its high integrity development approach, Correctness by Construction (CbyC), for a number of years. The Tokeneer ID Station (TIS) developed for the US National Security Agency (NSA) is one example of a development using formal methods and the CbyC approach. This project used a number of rigorous techniques including formalisation of the specification using the Z Notation, refinement of the specification to a formal design, software development in SPARK with proof of absence of run-time errors of the software and proof of system properties. The project has stood up well to the intense scrutiny it has been subject to since it became available to the wider community in 2008, with only five errors being found. Despite the general success of the approach there are challenges to using formal methods in an industrial context. By looking at a number of key properties that affect the success of deployment of tools and techniques in industry we attempt to put the challenges of industrial deployment of formal methods into perspective

E-SPARK: Automated Generation of Provably Correct Code from Formally Verified Designs

An approach to generating provably correct sequential code from formallydeveloped algorithmic designs is presented. Given an algorithm modelledin the Event-B formalism, we automatically translate the design into the SPARKprogramming language. Our translation builds upon Abrial’s approach to the developmentof sequential programs from Event-B models. However, as well as generatingcode, our approach also automatically generates code level specifications, i.e.SPARK pre- and post-conditions, along with loop invariants. In terms of the SPARKproof tools, having the loop invariants increases verification automation. A prototype,known as E-SPARK, has been implemented as a plugin for the Rodin Platform(Event-B toolkit), and tested on a range of examples, i.e. searching, sorting andnumeric calculations

Encapsulating Formal Methods within Domain Specific Languages: A Solution for Verifying Railway Scheme Plans

Abstract The development and application of formal methods is a long standing research topic within the field of computer science. One particular challenge that remains is the uptake of formal methods into industrial practices. This paper introduces a methodology for developing domain specific languages for modelling and verification to aid in the uptake of formal methods within industry. It illustrates the successful application of this methodology within the railway domain. The presented methodology addresses issues surrounding faithful modelling, scalability of verification and accessibility to modelling and verification processes for practitioners within the domain