Formal Methods: Use and Relevance for the Development of Safety-Critical Systems

We now are starting to see the first applications of formal methods to the development of safety critical based systems. However, discussion on what are appropriate methods and tools is still intense and there is no standard approach that presents a complete solution for the formal development of such systems. Some of the protagonists claim (or at least are said to claim by their detractors) that formal methods offer a complete solution to the problems of safety critical software development. Others claim (or at least are said to claim by the formal methods protagonists!) that formal methods are of little or no use — or at least that their utility is severely limited by the cost of applying the techniques. The aim of this paper is to try to cast some light on this debate and to discuss from a technico-philosophical viewpoint the benefits and limitations of formal methods in this context. It is, perhaps, useful however to expose our prejudices now by summarising our view — formal methods are both over-sold and under-used. In order to provide justification for this view it is necessary first to lay some terminological groundwork and to consider current practices. The term formal method is widely used, but with differing meanings. In this paper we use the term to refer to methods with a sound basis in mathematics. We use the term structured method to refer to methods which are well defined but which do not have a sound basis in mathematics for (completely) describing functionality. Technically the most significant difference between the two classes of techniques is that formal methods permit functionality to be specified precisely whereas structured methods only allow system structure to be specified precisely. (Interestingly many formal techniques are weak at describing system structure and boundaries.) In practice some formal techniques also explicitly address other, non-functional, aspects of systems eg their timing behaviour. It is possible to distinguish five types, or classes, of formal methods which can be roughly characterised as follows: