What is Formal Methods?

Main -> FAQ -> G-HM-1


 * Theme: General Information on FM (G)
 * Role: HM

Answer
We give here a short definition of formal methods and then detail some important dimensions of their application: the scope at which they are applied, their level of rigor and their visibility.

Definition
Formal Methods (FM) refers to mathematically rigorous techniques and tools for the specification, design and verification of software and hardware systems.

The phrase mathematically rigorous means that the specifications used in formal methods are well-formed statements in a mathematical logic and that the formal verifications are rigorous deductions in that logic (i.e. each step follows from a rule of inference and hence can be checked by a mechanical process.)

A formal method is only a method, rather than an isolated mathematical entity in itself, because of a number of pragmatic considerations: who uses it, what it is used for, when it is used, and how it is used.

Scope of application
Formal methods can be applied with different scopes:
 * to selected, rather than all, stages of the life-cycle. FM can be used to analyse and verify models at any phase of the program life-cycle: requirements engineering, specification, architecture, design, implementation, testing, maintenance.
 * to all, or only to selected, components of the system. More generally, the depth to which formal methods are applied can vary from component to component.
 * to some or all of the components and properties of the system. Typically, FM will focus on critical functions (mission-, business- or safety-critical depending on the context).

A detailed discussion of each of these dimensions can be found in. See the introduction of the survey by Woodcock et al. for a good overview of the specific benefits of FM at each development phase.

Making a good choice of scope is key to the successful deployment of FM. This decision has to be made on a case-by-case basis, as it depends on many factors such as the size of the software/system, the kind of properties, the level of assurance to reach, the organisation's culture, and the existing processes and tools.

Level of rigor
Formal methods can be used at a number of levels of rigor, defined by Rushby in and commonly referenced, for example on Wikipedia:
 * Level 0: Formal specification may be undertaken and then a program developed from this informally. This has been dubbed formal methods lite. This may be the most cost-effective option in many cases.
 * Level 1: Formal development and formal verification may be used to produce a program in a more formal manner. For example, proofs of properties or refinement from the specification to a program may be undertaken. This may be most appropriate in high-integrity systems involving safety or security.
 * Level 2: Theorem provers may be used to undertake fully formal machine-checked proofs. This can be very expensive and is only practically worthwhile if the cost of mistakes is extremely high (e.g., in critical parts of microprocessor design).

Level of visibility
Formal Methods might be more or less visible to the end user. There are two extremes:
 * hidden: the user is not really aware of using a FM, as results are reported in non-mathematical or domain-specific notations. For example, compilers can now perform powerful static analyses and tell the developer that some piece of code is not reachable, that some variables are not initialised, or infer the type of a variable.
 * fully visible: the user has to fully master the notation to express the property being verified, and to be able to interpret or even guide the tool used to carry out the verification. This is the case for theorem proving, where the user sometimes has to help the prover by carrying out parts of the proof manually.
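As an added illustration of the "hidden" extreme (example code written for this entry, not part of the original FAQ): a definite-assignment analysis over a constructed toy language. The developer only sees plain diagnostics about uninitialised variables and unreachable code, yet underneath runs a lattice-based dataflow computation, the kind of formal method a compiler applies without ever exposing its notation. The toy statement types, the sample program and the message texts are all assumptions made up for this example.

```python
from collections import namedtuple

# Constructed toy imperative language (an assumption of this example, not from the FAQ).
Assign = namedtuple("Assign", "var uses", defaults=[()])       # var := expr, expr reads `uses`
Use = namedtuple("Use", "var")                                    # a statement that reads `var`
Return = namedtuple("Return", "uses", defaults=[()])            # leaves the function
If = namedtuple("If", "uses then orelse", defaults=[()])        # branch on a condition reading `uses`

def analyse(stmts, assigned=frozenset(), diags=None):
    """Definite-assignment analysis over a statement tuple.
    State = (set of definitely-assigned variables, reachable?). The sets form a lattice
    whose join at a control-flow merge is intersection: a variable counts as initialised
    only if every path reaching the merge assigns it. Returns (assigned, reachable, diags)."""
    diags = [] if diags is None else diags
    reachable = True
    for s in stmts:
        if not reachable:
            diags.append(f"unreachable statement: {s}")
            break
        reads = getattr(s, "uses", ()) + ((s.var,) if isinstance(s, Use) else ())
        for v in reads:
            if v not in assigned:
                diags.append(f"variable {v!r} may be used before initialisation")
        if isinstance(s, Assign):
            assigned = assigned | {s.var}
        elif isinstance(s, Return):
            reachable = False
        elif isinstance(s, If):
            a1, r1, _ = analyse(s.then, assigned, diags)
            a2, r2, _ = analyse(s.orelse, assigned, diags)
            live = [a for a, r in ((a1, r1), (a2, r2)) if r]  # branches that fall through
            assigned = frozenset.intersection(*live) if live else assigned
            reachable = bool(live)
    return assigned, reachable, diags

# Constructed sample program: a guarded allocation, a branch that forgets to set x, dead code after return.
PROGRAM = (
    Assign("n"),
    If(("n",), then=(Assign("buf", ("n",)),), orelse=(Return(),)),
    Use("buf"),                    # ok: every path that reaches here assigned buf
    If(("n",), then=(Assign("x", ("n",)),)),
    Use("x"),                      # reported: x is unset on the implicit else path
    Return(("buf",)),
    Use("n"),                      # reported: dead code after the return
)

def diagnostics(program=PROGRAM):
    """What the developer sees: plain messages, no lattice in sight."""
    return analyse(program)[2]
```

Note how the first `Use("buf")` is accepted: the else branch returns, so intersection is taken only over the branch that falls through, which is exactly the reasoning a developer would otherwise have to do by hand.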

Visibility is of course related to the level of automation and of reasoning power: hiding FM only works for specific classes of properties, which might not be enough. The effort needed to master a method is directly related to the expression/reasoning power it supports. The FAQ about what important system concepts can be handled "elegantly" with a selected formal method gives more advice on making a good choice.