Industrial use of formal methods

The Industrial Use of Formal Methods:
Experiences of an Optimist

Prof. Jonathan P. Bowen
London South Bank University
University of Westminster
Museophile Limited
www.jpbowen.com
jonathan.bowen@lsbu.ac.uk

Experiences of an Optimist

http://en.wikipedia.org/wiki/John_Redcliffe-Maud

Background: Safety and reliability

Airbus A380
simulator

Emirates Aviation College
Dubai, 3 February 2011

Theory and Practice

“It has long been my personal view that the
separation of practical and theoretical work is
artificial and injurious. Much of the practical work
done in computing, both in software and in hardware
design, is unsound and clumsy because the
people who do it have not any clear understanding
of the fundamental design principles of their work.
Most of the abstract mathematical and theoretical
work is sterile because it has no point of contact
with real computing.”
— Christopher Strachey (1916-1975)

Formal Methods

• Term established by late 1970s
– Next stage from structured design
– Mathematical basis
• Formal specification and (optionally) proof:
– Validation (correct specification)
– Verification (correct implementation wrt spec)
• But engineers calculate rather than prove
• Please contribute to the Formal Methods Wiki:
– http://formalmethods.wikia.com

Z notation
• Formal specification – predicate logic, set
theory, and schema boxes
– Courses (academia & industry)

– Textbooks (reasonable choice)

– Tools (type-checkers, provers, …)

• Web resources – www.zuser.org

• Google group – comp.specification.z

• Z User Group (meetings) & Z standard

Z Standard

• ISO/IEC 13568
– Long process (1990s)
– Inconsistencies found!

• Final Committee Draft
– accepted in 2001
• Useful for tools and
industrial application

Levels of Complexity – Abstraction

• 25 lines of informal requirements
• 250 lines of specification (e.g., Z)
• 2,500 lines of design description
• 25,000 lines of high-level program code
• 250,000 machine instructions of object code
• 2,500,000 CMOS transistors in hardware!

Choosing a formal method – difficult

Applications of Formal Methods
Examples:
• Tektronix (Z)
• STV algorithm (VDM)
• IBM CICS (Z/B)
• AAMP5 microproc. (PVS)
• GEC Alsthom (B)
• A300/340 (Z)

Industrial-Strength Formal Methods in Practice
Examples:
• Motorola CAP DSP
(ACL2)
• Radiation Therapy
Machine (Z)
• ATC system (VDM)
• Railways (Prover
Technology)
And more recently:
Microsoft

National Air Traffic Services

• Handled 2.2 million flights (in 2009), covering
the UK and eastern North Atlantic.
• And carried more than 200 million passengers
safely through some of the busiest and most
complex airspace in the world.
• Provides air traffic control from its centres at
Swanwick, Hampshire and Prestwick, Ayrshire.
• Also provides air traffic control services at 15 of the UK's
major airports including Heathrow, Gatwick, Stansted,
Birmingham, Manchester, Edinburgh, and Glasgow,
together with air traffic services at Gibraltar Airport.

National Air Traffic Services, UK

Swanwick
southern England

www.nats.co.uk

Flight strips
on paper

Last flight of Concorde

European airspace
Source: Wikipedia

London:
England
& Wales

National Air Traffic Services

• Advertisement & leaflet at
Heathrow Airport 
• Air Traffic Management
(ATM)
• Single European Sky
ATM Research (SESAR)
• SESAR Joint Undertaking
• www.sesarju.eu
• SESAR project (2004–20)

Altran Praxis

www.altran-praxis.com

Open-DO

Formal Methods in Air Traffic Control

Slides by Neil White

www.slideshare.net/AdaCore/white-open-do
www.youtube.com/watch?v=IQMWVqQfm5A
Copyright © Altran Praxis

Agenda
• A quick introduction
– What is iFACTS?

• Formal methods for Specification
– Z, State machines.

• Formal methods for Implementation
– Implementation: SPARK.

• Formal methods for Test
– Verification: more Z, Mathematica.


Context

• NATS, the UK’s leading air traffic services
provider, has pioneered research and
development of advanced air traffic control tools
for several years from its simulator and research
centre. The iFACTS project will deliver a subset of
these tools onto the system at the company’s
main en-route Control Centre at Swanwick.
• Further information is available at:
www.computerweekly.com/Articles/2007/03/07/222258/Nats-
claims-the-biggest-air-traffic-control-innovation-since.htm


UK Air Traffic Control

Copyright © Altran Praxis limited 2010

ATC team

– The Notes of this slide and the previous slide give some
guidance on style and usage.

Planner Tactical Assistant
(in/out) (controller) (flight strips)

Why iFACTS?

• iFACTS – Interim Future Area Control Tools
Support – will further improve safety and provide
Controllers with a set of advanced support tools,
which will enable them to increase the amount of
traffic they can comfortably handle. In trials, the
system has delivered significant capacity
increases.


What is iFACTS?

• iFACTS provides tools to support the controllers
– Electronic flight strips replace the paper flight
strips.
– Trajectory tools - including prediction, deviation
alerts, and conflict detection – are added.
• iFACTS is not an Air Traffic control system
– Integrated with, but sits alongside, the existing
system.


Medium Term Conflict Detection:
Separation Monitor
Separation Monitor
Separation (NM) Cancel Alert Green Lines Labels
15

BAW225
UAL3

UAL2
10 SAA321

BAW028
ANZ001
AZA292
BAL547
DLH4695
AMM1077
5
SAS123
BAW43BE

0

0 5 10 15
Time to Interaction (mins)


The complete iFACTS specification

• The functional specification
– Z
• The algorithm specification
– Maths
• The HMI specification
– State tables
• The rest of the specification!
– English


Z training

• Z reader training
– 3 day course; fluency then comes after 1 week on
the job.
– We have trained 75 people to read Z.
– Engineers, domain experts, ATCOs.
• Z writer training
– 3 day course, fluency then comes after 3 months
on the job.
– We have trained 11 people to write Z.
– All engineers.


Z tools

• Z written in Microsoft Word
– To get acceptance, you need to work with what
people know.
– Supported by Word Add-ins.
• A Z character set.
• A simple interface to the fuzz type checker.
• A graphical representation tool.


Z tools

• Advantages
– Easy to develop commentary and Z together.
– Hyper linking of fuzz errors back to source.
– Cross-referencing of Z names in final document.
• Disadvantages
– All the problems of large word documents.
– Tools can be slow on 1000 page documents.
– Merging branches is painful.
• The Future
– Open Office XML?


The state machine specification

Button 1 Checkbox 1

State 1 State 2 N/A
State 2 State 1 State 3
State 3 State 1 State 2

Transition Actions
State 1 -> State 2 : De-select Checkbox 1


State machine training & tools

• Training
– So trivial that we don’t train!
– People “just get it”.
• Tools
– Err …. None.


The SPARK Implementation

• SPARK Ada
– An annotated subset of Ada.
• 150 KSLOC (Logical)
• RTE (Run-Time Exception) Proof
– Formal partial correctness proof against
specification not considered cost-effective.


SPARK Training

• 57 people trained in SPARK
– Mostly contractors and clients.
– Diverse programming background.
– All SPARK coders are also Z readers.
• Effective as SPARK coders immediately
• Picking up RTE proof takes longer.
– About 2 months.
• How long to pick up formal correctness proofs?
– No data, but I suspect longer again.


SPARK Tools

• The SPARK toolset
– Examiner.
– Proof Simplifier.
– Proof Checker.
• See me later!


The Challenge of Test Design

How many potential tests for this fragment?

The Challenge of Test Design

• If you just turn the handle there are 1134
conditions to test.
• But if you work at it hard enough you can cover
the required subset in just 6 test scripts.
• Formal methods are not a substitute for
initiative.


Test reference models

• Algorithms are specified in pure mathematics.
– Working out the expected answer for test cases is
very difficult and error prone.
• We generate test cases as usual.
• We create a test reference implementation in
Mathematica.
• We do back-to-back testing of iFACTS against the
reference.
– Diverse tools and implementers reduce the
possibility of a common failure.


Mathematica tools & training

• Small team – only 5 trained.
• Reference model has similar defect density to
SPARK implementation.
• Limited conclusions to draw from such a small
activity.


Conclusions

• Formal methods are applicable to all phases of
the lifecycle.

• Training engineers is not a barrier
– It’s a one-off cost
– Our data shows that training is easy and cheap.

• Tool support is vital
– The Achilles heel of formal methods
•Except the SPARK Examiner!


Altran Praxis

Altran Praxis Limited
20 Manvers Street
Bath BA1 1PX
United Kingdom
Telephone: +44 (0) 1225 466991
Facsimile: +44 (0) 1225 469006
Website: www.altran-praxis.com

Email: neil.white@altran-praxis.com


Tracing
• Completeness of coverage
– e.g., testing all parts of a Z specification
• DOORS tool
– Integrate Systems Engineering
• Link all specification components with test
case(s) or argument for safety case
• Flag unlinked components
• Also visualization of schema structure
www.integrate.biz/casestudies/BusinessGoalAlignment.aspx

Future
• Traffic Load Prediction Device (TLPD)
• Forecast air traffic load up to 4 hours ahead
• Plan workloads for optimum traffic flows
www.altran-praxis.com/news/nats_control_system_21_Sep_10.aspxx

Reflection

Oui, l'ouvre sort plus belle
D'une forme au travail
Rebelle,
Vers, marbre, onyx, émail.

[Yes, the work comes out more beautiful from a
material that resists the process, verse, marble,
onyx, or enamel.]
— Théophile Gautier (1811–1872) L'Art

Beware
Panaceas!

Cf. Formal
methods

Industrial use of formal methods

More Related Content

What's hot (20)

Viewers also liked (13)

Similar to Industrial use of formal methods (20)

More from Jonathan Bowen (13)

Recently uploaded (20)

Industrial use of formal methods