

©2011

2011 7 4

SEC

1


• –

• –

• –

• 2


– etc. 3


(2002 4 )

etc.

• ATM

•4


• 2007 3 2 au 3

– 64

• 2007 5 23 NTT

– 318 3

• 2007 5 27

– 130 4 4.5

• 2007 10 12 18 PASMO-Suica

– IC

• 2008 3 15 FG ATM

• 2008 7 22

– 5


• 2008 9 14 – 63 277 6 8 2 –

• 2009 3 9

– web

• 2009 5 18 2010 1 25 au

– MNP

– (2009) (2010)

• 2010 1 14

– 24 177

– • 2010 3 5 MDIS

– – – MDIS 6


• 2010 7 12 – ATM 26,000 1

• 2011 1 – 30 8

• 2011 3 – 3 ATM 440

• 2011 4 ATM

– 1

• 2011 4

– ATM 1000

– 7


• Safety Critical System

Mission Critical System –

• –

• (dependability) –

8


ISO/IEC15408 (JIS X 5070)

• IEC:

International Electrotechnical Commission

• ISO/IEC15408 1999 6

• JIS X 5070 2000 79


– –

– – /

–(PP)

(ST)

– –

– – 10


EAL (Evaluation Assurance Level)

• EAL1:

• EAL2:

• EAL3:

• EAL4:

• EAL5:

• EAL6:

• EAL7: – EAL1 3

– EAL4

– EAL5 711


IEC61508 (JIS C 0508)

• IEC61508 2000

– Functional safety of electrical/electronic/programmable electronic safety-related systems

• JIS C 0508 2000

12


13


SIL (Safety Integrity Level)

SIL   Safety availability   Probability of dangerous failure per hour
1     90%                   10^-6 to <10^-5
2     99%                   10^-7 to <10^-6
3     99.9%                 10^-8 to <10^-7
4     99.99%                10^-9 to <10^-8

14


15


16


(Formal Methods)

• 30

J. Bowen web 100

17


• – J. A. Hall: Seven Myths of Formal Methods, IEEE Software, Vol.7, No.5, pp.11-19, 1990.

– J.P. Bowen and M.G. Hinchey: Seven More Myths of Formal Methods, IEEE Software, Vol.12, No.4, pp.34-41, 1995.

• – /

Formal Methods

18


• – Pre-Myths : [Araki, 1995]

• Formal Methods: – ?( )

• –

– e-Japan 2003

– ISO 26262

• – 19


( )

•20


• – (13.1%)

– (12.4%)

– (10.6%)

– (9.9%)

– (9.3%) – (8.7%)

– (8.1%)

– (7.5%)

• –

1 : 5 : 10 : 20 : 200

• 30 50% 21


[ , 2011 5 ]

22 [NIST: Planning Report 02-3, May 2002]


vs. [ , 2011 5 ]

Req. Analysis   Pre. Design   Detailed Design   Coding & Unit Testing   Integration & Test   System Test
9.8%            14.5%         15.8%             33.3%                   15.1%                11.5%

[IPA/SEC: 2010 2011. pp.204 205 ]

23

[NIST: Planning Report 02-3, May 2002]


[ , 2011 5 ]

24 [NIST: Planning Report 02-3, May 2002]


• 1960

• 1970

• / / – VDL(Vienna Description Language)

VDM(Vienna Development Method)

– Z Notation

– B Method

– etc.

25


[Hall, 1990]

26


[Hall, 1990]

27


[Bowen & Hinchey, 1995]

28


• Specification

–What • Implementation

–How 29


• CICS: IBM Hursley Lab. & Oxford Univ.(Z)

• Rolls-Royce (VDM)

(SCR/Darlington Method)

• (B method)

& UNU/IIST (RAISE)

• NASA (theorem provers)

• A330/340 (Z)

• (Z) HP

• Tektronix (Z)

• Inmos (Z, CSP, ML)

FM8501, FM9001(Boyer-Moore) 30


CICS: Customer Information Control System

• IBM Hursley Lab. & Oxford Univ.

• 800,000 300,000

– 37000 Z

– 11000 Z ( )

• 2000

• 9%

31


• Correct by Construction –

• –

• – B Ada

– 14 (1998 )

– (2006 )

[Jean-Raymond Abrial: Formal Methods in Industry: Achievements, Problems, Future, Proc. ICSE 2006]

32


(Stepwise Refinement)

S0 → S1 → S2 → ... → Si → ... → Sn(Prog)

S0 Sn(Prog)

33


34


35


FeliCa IC [ FeliCa IC , , Vol.49, No.5, pp.506-513, 2008 5 ]

– 2004 1

• VDM++ : 10

– 677

– 383

• C/C++ : 11

• 1 2 [2009.7]36


FeliCa

37

[ FeliCa , , Vol.1, No.3, pp.148-157, 2010 7 ]

38

FeliCa


[Miller, et al., Commun. ACM, Vol.53, No.2, Feb. 2010]

• Rockwell Collins & Univ. Minnesota

• – MATLAB, Simulink, SCADE, ...

– NuSMV, SAL, PVS, ...

– C, Ada

• – 10^120

– 10^37; 563 , 98

– 10^13; 62 , 12 39


40


• –

• –

• –

• –

41


• –

– (OJT)

– (syntax)

– (semantics)

– (pragmatics)

• /

– multi-lingual

– multi-aspect 42


• /

• /

• / /

43


• –

• –

• –

– guru 44


• –

• v.s.

• v.s.

•45


Ten Commandments of Formal Methods [J. P. Bowen & M. G. Hinchey: Ten Commandments of Formal Methods, IEEE Computer, Vol.28, No.4, pp.56-63, 1995]

#1: Thou shalt choose an appropriate notation.

#2: Thou shalt formalize but not overformalize.

#3: Thou shalt estimate costs.

#4: Thou shalt have a formal methods guru on call.

#5: Thou shalt not abandon thy traditional development methods.

#6: Thou shalt document sufficiently.

#7: Thou shalt not compromise thy quality standards.

#8: Thou shalt not be dogmatic.

#9: Thou shalt test, test, and test again.

#10: Thou shalt reuse. 46


[Bowen & Hinchey: Ten Commandments of Formal Methods, IEEE Computer, Vol.12, No.4, pp.34-41, 1995] •

•47


FeliCa

• –

• –

• FeliCa vs. –

– •

, (FOSE2009)

, , 2009 11 . 48


• 49


• etc.

• VDM SPIN

– 50


:-)

• 1

• –

– –

• – –

• –

51


• – FeliCa K

52


• FM Wiki (Jonathan Bowen)

– http://formalmethods.wikia.com/wiki/Formal_methods

– 100

• Formal Methods Europe

– Choosing a Formal Method

http://www.fmeurope.org/?page_id=264

53


[FME: http://www.fmeurope.org/?page_id=264]

•54


• 0

• 1

• 2

55


56


• –

• –

• –

• web

– 57


• IPA/SEC – WG WG

• etc.

• NII

• –

2008-2010 •

• 58


• , , 2002 11

– http://dontaku.csce.kyushu-u.ac.jp/books/ProgramSpecification/

, , 2003 2

[John Fitzgerald and Peter Larsen: Modelling Systems: Practical Tools and Techniques in Software Development, Cambridge University Press, 1998]

• VDM++

, , 2010 8

[John Fitzgerald, Peter Larsen, Peter Gorm Larsen, Paul Mukherjee and Nico Plat: Modelling Systems: Validated Designs for Object-oriented Systems, Springer-Verlag, 2004]

• VDM++ ,

, 2011 59


• B , , 2007

• SPIN , , 2008

• , , , SPIN, , 2008

, , 2008

• [

] 4 , , , 2009 11

, , , 2010 2

, , 2010 3 60


• J. A. Hall: Seven Myths of Formal Methods, IEEE Software, Vol.7, No.5, pp.11-19, 1990.

• J.P. Bowen and M.G. Hinchey: Seven More Myths of Formal Methods, IEEE Software, Vol.12, No.4, pp.34-41, 1995.

• J. P. Bowen & M. G. Hinchey: Ten Commandments of Formal Methods, IEEE Computer, Vol.28, No.4, pp.56-63, 1995.

• J. P. Bowen & M. G. Hinchey: Ten Commandments of Formal Methods ... Ten Years Later, IEEE Computer, Vol.39, No.1, pp.40-48, 2006.

• Keijiro Araki: Are Formal Methods Relevant? – How to Explode the Seven Myths in Japan -, Proc. APSEC '95, pp.514-515, 1995.

• Keijiro Araki and Han-Myung Chang: Formal Methods in Japan – Current State, Problems and Challenges -, Proc. VDM 2002, Third VDM Workshop, 2002.

61


62


• , , no.915, 2005 12 19

• , , no.933, 2006 8 28

• FeliCa , , 2007 2 12, pp.133-152, 2007 2

• VDM++ VDMTools, , Vol.24, No.2, pp.14-20, 2007 4 .

• 2007 , 2008 http://sec.ipa.go.jp/reports/20080904.html 63


•, , Vol.49, No.5, pp.493-498, 2008 5

• FeliCa IC , , , Vol.49, No.5, pp.506-513, 2008 5

• VDM/VDM++ , , Vol.31, No.6, pp.394-403, 2009 9

• IPA/SEC , 2010 3 http://sec.ipa.go.jp/reports/20100331c.html

•, SEC journal, No.20, 2010 3

•, SEC journal, No.21, 2010 6 64