
    Experience with mural in formalising Dust-Expert

    The mural system was an outcome of a significant effort to develop a support tool for the effective use of a full formal methods development cycle. Experience with it, however, has been limited to a small number of illustrative examples that have been carried out by those closely associated with its development and implementation. This paper aims to remedy this situation by describing the experience of using mural for specifying Dust-Expert, an expert system for the relief venting of dust explosions in chemical processes. The paper begins by summarising the main requirements for Dust-Expert, and then gives a flavour of the VDM specification that was formalised using mural. The experience of using mural is described with respect to users' expectations that a formal methods tool should: (i) spot any inconsistencies; (ii) help manage and organise the specifications and allow one to easily add, access, update and delete specifications; (iii) help manage and carry out the refinement process; (iv) help manage and organise theories; (v) help manage and carry out proofs. The paper concludes by highlighting the strengths and weaknesses of mural that could be of interest to those developing the next generation of formal methods development tools.

    Applying an Operational Formal Method to Safety-Critical Systems

    Despite thirty years of study by the academic community, industry has not embraced the systematic usage of formal methods. To address this concern, a formal method is proposed which possesses many of the qualities that practitioners have listed as lacking from current formal methods: inclusion of both a specification and verification model, a tabular notation that only requires knowledge of first-order logic, support for both composition and decomposition, application throughout the software life-cycle, and tool support. The presentation includes several applications to safety-critical software systems. Keywords and Phrases Formal methods, specification, trace-based systems, software development, concurrency, verification

    Using Formal Methods for Autonomous Systems: Five Recipes for Formal Verification

    Formal Methods are mathematically-based techniques for software design and engineering, which enable the unambiguous description of and reasoning about a system's behaviour. Autonomous systems use software to make decisions without human control, are often embedded in a robotic system, are often safety-critical, and are increasingly being introduced into everyday settings. Autonomous systems need robust development and verification methods, but formal methods practitioners are often asked: Why use Formal Methods for Autonomous Systems? To answer this question, this position paper describes five recipes for formally verifying aspects of an autonomous system, collected from the literature. The recipes are examples of how Formal Methods can be an effective tool for the development and verification of autonomous systems. During design, they enable unambiguous description of requirements; in development, formal specifications can be verified against requirements; software components may be synthesised from verified specifications; and behaviour can be monitored at runtime and compared to its original specification. Modern Formal Methods often include highly automated tool support, which enables exhaustive checking of a system's state space. This paper argues that Formal Methods are a powerful tool for the repertoire of development techniques for safe autonomous systems, alongside other robust software engineering techniques. Comment: Accepted at Journal of Risk and Reliabilit

    Rodin: an open toolset for modelling and reasoning in Event-B

    Event-B is a formal method for system-level modelling and analysis. Key features of Event-B are the use of set theory as a modelling notation, the use of refinement to represent systems at different abstraction levels and the use of mathematical proof to verify consistency between refinement levels. In this article we present the Rodin modelling tool that seamlessly integrates modelling and proving. We outline how the Event-B language was designed to facilitate proof and how the tool has been designed to support changes to models while minimising the impact of changes on existing proofs. We outline the important features of the prover architecture and explain how well-definedness is treated. The tool is extensible and configurable so that it can be adapted more easily to different application domains and development methods

    Numerical radiative transfer with state-of-the-art iterative methods made easy

    This article presents an on-line tool (rttools.irap.omp.eu) and its accompanying software resources for the numerical solution of basic radiative transfer out of local thermodynamic equilibrium (non-LTE). State-of-the-art stationary iterative methods such as Accelerated Λ-Iteration and Gauss-Seidel schemes, using a short-characteristics-based formal solver, are used. We also comment on typical numerical experiments associated with the basic non-LTE radiation problem. These resources are intended for the widest possible use and benefit, in support of the more classical radiative transfer lectures usually given at the Master level. Comment: 8 pages, 5 figures, accepted for Eur. J. Phys. - see also (and use!) http://rttools.irap.omp.e

    Cybersecurity Education and Formal Methods

    Formal methods have been largely thought of in the context of safety-critical systems, where they have achieved major acceptance. Tens of millions of people trust their lives every day to such systems, based on formal proofs rather than "we haven't found a bug" (yet!); but why is "we haven't found a bug" an acceptable basis for systems trusted with hundreds of millions of people's personal data? This paper looks at some of these issues in cybersecurity, and the extent to which formal methods, ranging from "fully verified" to better tool support, could help. More importantly, recent policy reports and curricula initiatives appear to recommend formal methods only in the limited context of "safety critical applications"; we suggest this is too limited in scope and ambition. Not only are formal methods needed in cybersecurity, the repeated and very public weaknesses of the cybersecurity industry provide a powerful motivation for formal methods.

    Design of formal languages and interfaces: "formal" does not mean "unreadable".

    This chapter provides an introduction to a work that aims to apply the achievements of engineering psychology to the area of formal methods, focusing on the specification phase of a system development process. Formal methods often assume that only two requirements need to be satisfied: the method must be sound, and it must give a representation that is concise and beautiful from the mathematical point of view, without taking into account any question of readability, usability, or tool support. As a result, formal methods are treated by most engineers as something that is theoretically important but practically too hard to understand and to use, whereas even small changes to a formal method can make it more understandable and usable for an average engineer.

    An integrated MCDA software application for forest planning : a case study in southwestern Sweden

    Forest planning in Sweden today translates not only into planning of timber production, but also for the provision of other functions and services. Multi-criteria decision analysis (MCDA) methods provide a way to take also non-monetary values into account in planning. The purpose of this study was to gain experience on how to use a forest decision support system combined with an MCDA tool in practical forestry. We used a new forest planning tool, PlanWise, which includes an integrated MCDA module, PlanEval. Using the software, the decision maker can compare different forest plans and evaluate them against his/her objectives in a structured and analytical manner. The analysis thus provides a ranking of the alternatives based on the individual preferences of the decision maker. PlanEval and the MCDA planning process are described in a case study, where the manager of a forest estate in southwestern Sweden used the program to compare different forest plans made for the estate. In the paper, we analyze possibilities and challenges of this approach and identify problems such as the adherence to formal requirements of MCDA techniques and the difficulty of comparing maps. Possibilities to expedite an MCDA planning process further are also discussed. The findings confirm that integration of an MCDA tool with a forest decision support system is valuable, but requires expert assistance to be successful