Formal Methods in System Design, Volume 19, Issue 2, pp 195–215

Software Engineering with Formal Methods: The Development of a Storm Surge Barrier Control System Revisiting Seven Myths of Formal Methods

  • Jan Tretmans
  • Klaas Wijbrans
  • Michel Chaudron


This paper discusses the use of formal methods in the development of the control system for the Maeslant Kering. The Maeslant Kering is the movable dam which has to protect Rotterdam from flooding while, at (almost) the same time, not restricting ship traffic to the port of Rotterdam. The control system, called BOS, completely autonomously decides on closing and opening the barrier and, when necessary, also performs these tasks without human intervention. BOS is a safety-critical software system of the highest Safety Integrity Level according to IEC 61508. One of the reliability-increasing techniques used during its development is formal methods. This paper reports experiences obtained from using formal methods in the development of BOS. These experiences are presented in the context of Hall's famous “Seven Myths of Formal Methods”.

industrial application of formal methods 




References

  1. L. Bass, P. Clements, and R. Kazman, Software Architecture in Practice, SEI Series in Software Engineering, Addison Wesley, Amsterdam, 1998.
  2. A. Belinfante, J. Feenstra, R. de Vries, J. Tretmans, N. Goga, L. Feijs, S. Mauw, and L. Heerink, “Formal test automation: A simple experiment,” in G. Csopaki, S. Dibuz, and K. Tarnay (Eds.), Int. Workshop on Testing of Communicating Systems 12, Kluwer Academic Publishers, Norwell, MA, 1999, pp. 179–196.
  3. J. Bowen and M. Hinchey, “Seven more myths of formal methods,” IEEE Software, Vol. 12, No. 4, pp. 34–41, 1995.
  4. Cap Volmac (Cap Gemini Sogeti group), “SDW—System development workbench,” 1993.
  5. M. Chaudron, J. Tretmans, and K. Wijbrans, “Lessons from the application of formal methods to the design of a storm surge barrier control system,” in J. Wing, J. Woodcock, and J. Davies (Eds.), FM'99—World Congress on Formal Methods in the Development of Computing Systems II, Vol. 1709 of Lecture Notes in Computer Science, 1999, pp. 1511–1526.
  6. Dutch Ministry of Transport, Public Works and Water Management, “New waterway storm surge barrier—Innovative final element of delta project,” URL: engels/index.html.
  7. W. Geurts, K. Wijbrans, and J. Tretmans, “Testing and formal methods—BOS project case Study,” in EuroSTAR'98: 6th European Int. Conference on Software Testing, Analysis & Review, Munich, Germany, 1998, pp. 215–229.
  8. A. Hall, “Seven myths of formal methods,” IEEE Software, Vol. 6, No. 9, pp. 11–19, 1990.
  9. D. Hatley and I. Pirbhai, Strategies for Real-Time System Specification, Dorset House, New York, 1990.
  10. G. Holzmann, Design and Validation of Computer Protocols, Prentice-Hall Inc., Englewood Cliffs, NJ, 1991.
  11. G. Holzmann, “The model checker SPIN,” IEEE Transactions on Software Engineering, Vol. 23, No. 5, pp. 279–295, 1997.
  12. IEC, Functional Safety: Safety Related Systems, International Standard IEC 61508, International Electrotechnical Commission, Geneva, Switzerland, 1996.
  13. X. Jia, “ZTC: A Type Checker for Z—User's Guide,” DePaul University, Chicago, USA, 1995.
  14. P. Kars, “The application of PROMELA and SPIN in the BOS project,” in J.-C. Grégoire, G. Holzmann, and D. Peled (Eds.), The SPIN Verification System: The Second Workshop on the SPIN Verification System; Proceedings of a DIMACS Workshop, August 5, 1996, Vol. 32 of DIMACS Series in Discrete Mathematics and Theoretical Computer Science, 1997, pp. 51–63.
  15. P. Kars, “Formal methods in the design of a storm surge barrier control system,” in G. Rozenberg and F. Vaandrager (Eds.), Lectures on Embedded Systems, Vol. 1494 of Lecture Notes in Computer Science, 1998, pp. 353–367.
  16. J. Martin and P. Welch, “A design strategy for deadlock-free concurrent systems,” Transputer Communications, Vol. 3, No. 4, pp. 215–232, 1997.
  17. Spin, “On-the-Fly, LTL Model Checking with SPIN,” URL: netlib/spin/whatispin.html.
  18. J. Spivey, The Z Notation: a Reference Manual (2nd edition), Prentice Hall, New York, 1992.
  19. J. Tretmans, K. Wijbrans, and M. Chaudron, “Software engineering with formal methods: The development of a storm surge barrier control system—Seven myths of formal methods revisited,” in S. Gnesi and D. Latella (Eds.), Fourth Int. ERCIM Workshop on Formal Methods for Industrial Critical Systems (FMICS'99)—Proceedings of the FLoC Workshop, Pisa, Italy, 1999, Vol. II, pp. 225–237. ISBN 88-7958-009-4.
  20. R. de Vries and J. Tretmans, “On-the-fly conformance testing using SPIN,” Software Tools for Technology Transfer, Vol. 2, No. 4, pp. 382–393, 2000.
  21. P. Ward and S. Mellor, Structured Development for Real-Time Systems, Yourdon Press Computing Series, Introduction & Tools, Prentice-Hall, Inc., Englewood Cliffs, NJ, 1985, Vol. 1.
  22. K. Wijbrans, F. Buve, and W. Geurts, “Practical experiences in the BOS project,” in Proceedings of the Embedded Systems Symposium, Eindhoven, The Netherlands, 1998.
  23. K. Wijbrans and R. Buve, “Software bestuurt de stormvloedkering,” Software Release Magazine, Vol. 50, No. 5, 1998. In Dutch.

Copyright information

© Kluwer Academic Publishers 2001

Authors and Affiliations

  • Jan Tretmans (1)
  • Klaas Wijbrans (2)
  • Michel Chaudron (3)

  1. Department of Computer Science, Formal Methods and Tools Research Group, University of Twente, Enschede, The Netherlands
  2. Division Advanced Technology, CMG Public Sector B.V., The Hague, The Netherlands
  3. Division Advanced Technology, CMG Public Sector B.V., The Hague, The Netherlands
