1 Introduction.- 1.1 What Are Formal Methods?.- 1.2 Formal Methods and Mathematics.- 1.3 What Good Are Formal Methods?.- 1.4 The Myth of Control.- 1.5 Hyperprogramming.- 1.6 Recommendations.- 2 Formal Methods of Software Development: Painted into the Corner of High-Integrity Computing?.- 2.1 The Dominant Rationale for Formal Methods.- 2.2 Some Pragmatic Objections to Formal Methods.- 2.3 Dissolving Resistance to Formal Methods?.- 2.4 A Brief Sketch of Formal Methods in High-Integrity Computing.- 2.5 The Projects.- 2.6 The Formal Methods Community in High-Integrity Computing.- 2.6.1 The Clients.- 2.6.2 The Developers.- 2.7 The Information Networks.- 2.8 Does the Use of Formal Methods Within High-Integrity Computing Perpetuate its "Myths"?.- 3 The Social Negotiation of Proof: An Analysis and a Further Prediction.- 3.1 Background.- 3.2 VIPER.- 3.3 Disputing "Proof".- 3.4 Formal Proof and Rigorous Argument.- 3.5 A Further Prediction.- 3.6 Conclusion.- 4 On Constructing Large Software Systems.- 4.1 Introduction.- 4.2 People.- 4.3 Frames.- 4.4 Sets.- 4.5 Programs.- 4.6 Proof.- 4.7 Tools.- 4.8 Conclusion.- 4.9 Acknowledgments.- 5 Composition of Descriptions: A Progress Report.- 5.1 Introduction.- 5.2 Why Compose Descriptions ?.- 5.3 What is Described?.- 5.4 What is a Description?.- 5.5 What is Composition?.- 5.6 Description Reuse.- 5.7 Conclusion.- 6 Integrating Methods in Practice.- 6.1 Introduction.- 6.2 Development and Development Methods.- 6.3 Aspects of Specification.- 6.4 Aspects of Design.- 6.4.1 Detail and Structure.- 6.4.2 Reification and Algorithm Design.- 6.4.3 Summary.- 6.5 Implications for Research and Development.- 7 Formal Methods and Product Documentation.- 7.1 Introduction.- 7.2 The Fully Formalised Software Product.- 7.3 The Elements of Product Documentation.- 7.4 Product Documentation and the Product Range.- 7.5 Product Documentation and Product Development.- 7.6 Product Documentation and Customers.- 7.7 Developing from a Fully Formalised Base.- 7.8 New Requirements.- 7.9 Errors Detected Before Release.- 7.10 Errors Detected After Release.- 7.11 How to Get There.- 7.12 Summary.- 7.13 Acknowledgments.- 8 Software Quality: A Modelling and Measurement View.- 8.1 Software Quality Needs.- 8.2 Modelling Software Experiences.- 8.3 Model Evolution.- 8.4 An Organization for Packaging Experience Models for Reuse.- 8.5 Conclusions.- 9 Modelling Working Group Summary.- 9.1 Description.- 9.2 Discussion Topics.- 9.3 Discussion.- 9.3.1 Why and to What End Formal Methods?.- 9.3.2 What is a Formal Method?.- 9.4 How Does Mathematical Modelling Help to Increase our Understanding of Digital Systems?.- 9.4.1 What Are the Limits of Mathematical Modelling?.- 9.5 What is Required to Validate that a Mathematical Model Describes a Digital System Accurately?.- 9.5.1 What Insights do Other Fields of Engineering Provide?.- 9.5.2 What Can we Do by 1995 with the Mathematical Modelling Capabilities we Have Now?.- 9.5.3 What Is our Target for the Year 2000?.- 9.5.4 Formal Methods and Safety Standards.- 9.6 Conclusions.- 10 Quality Assurance Working Group.- 10.1 Group Description.- 10.2 Quality Assurance vs. Quality Control.- 10.3 What Is a Formal Method?.- 10.4 Integration of Formal Methods and Quality Control.- 10.5 A Plan to Integrate Formal Methods into QC/QA.- 10.5.1 Phase 1.- 10.5.2 Phase 2.- 10.5.3 Phase 3.- 10.5.4 Phase 4.- 11 Design Methods Working Group.- 11.1 Description.- 11.2 The Context of Formal Methods.- 11.3 The Role of Proof in Assurance.- 11.4 Analytical Capabilities of Formal Methods.- 11.5 Foundational Capabilities of Formal Methods.- 11.6 The Role of Formal Methods with Respect to the Software Development Process.- 11.7 Formal Methods During Development and Implementation.- 11.8 Education.- 11.9 Tools.- 12 Conclusions.- A Survey of Formal Methods Tools.- B Survey of Formal Methods Applications.- C Acronyms and Trademarks.- List of Contributors.