Can FM tools manage large industrial problems?

(that follow proven software development processes and that can provide quality user support)

Main -> FAQ -> TOOL-HM-2


 * Theme: Known Strengths and Weaknesses of Tools and Tool Providers (TOOL)
 * Role: HM

Some Records
There are good records of tools that were able to cope with industrial-size problems. For example:
 * the AtelierB tool for the verification of automated metro lines
 * the SLAM static driver verifier from Microsoft
 * static analysis tools based on abstract interpretation are known to scale and are commonly used on large aerospace software.
 * since the Pentium bugs in the 1990s, CPUs now undergo formal verification, especially of the scheduler, the floating-point units (ACL2), and the cache.

Within DEPLOY, we can cite:
 * the ProB model checker was successfully applied to the fully automated verification of assumptions about the actual rail network topology (see our related success story)
 * the Rodin platform was successfully used to prove automotive control systems from Bosch.

Limitations
However, the ability to scale up depends on several factors. It can be related to limitations of:
 * the complexity of the considered problem and properties
 * the modelling formalism itself (e.g. lack of modularity)
 * the underlying formal technology (model checker, theorem prover, ...)
 * implementation problems, such as a bottleneck in a processing chain or resource leaks
 * usability: difficulty navigating large projects, managing large pieces of models, ...

For example, within DEPLOY:
 * ProB could scale on Siemens data validation but not on SSF models
 * Event-B failed to model real-time properties in the automotive domain (hybrid control system) but could in the transportation domain (discretised system running at 300 ms)

How to assess, then?
The first limitation should discourage the use of that formalism, while the others should be assessed in more detail.
 * a natural first step is to get access to feedback and reviews, which can help rule out inadequate tools.
 * a second step is to challenge the tools on a realistic case study from one's own domain, as the way the models are built can also affect the ability to scale up.

Open Source tools might carry a higher risk of not scaling up, especially if they are still at the R&D stage. However, there are also highly scalable Open Source tools (e.g. the Apache web server in the area of server infrastructure, NuSMV as a model checker in the area of formal tools).