CSCI 265 notes: software specifications

The product specifications are derived through extensive consultation with all people who are impacted by the software: the consultation might include interviews, fill-in forms, direct observation of existing system in action, trials on prototypes, etc.

The final specifications document for any mid-sized project should at least cover:

An abstract of the project
The tasks the project must carry out from a user perspective
Detailed description of the data which is to be manipulated by the system, including the required input and output formats
The actions the system is to take (from a user perspective) given predictable errors in the data, and predictable environmental conditions.
Acceptable forms of program behavior in the event of unforeseen data and environmental conditions.
Performance standards for the system under specified operating conditions.
Probable future revisions or extensions of the system.

Note that the specifications must be as detailed and complete as possible - think of the specifications as a contract you are agreeing to fulfill, if they aren't precise then there can be major arguments later as to whether or not your software is acceptable and complete.

Performance and reliability specifications should also be expressed in a measurable form: e.g.

Don't say "the software must be reliable", say something like "Except in the event of external power interruptions, no more than one transaction in ten thousand should fail to process correctly and completely."
Don't say "The design process must follow good software engineering standards.", say something like "The design process, including produced documentation, must adhere to the standards and formats laid out in KDIEL 3.92k4", where the document referred to is a readily obtainable standard.

Requirements and specifications

Software requirements

This is the process of establishing what services a system should provide and the constraints under which it must operate.
It is important for the requirements analyst to fully understand the existing software project plan, the scope of the project, and the context of the project within the both the client organization and the development organization
Identifying system requirements is a matter of determining what the product should do, but not how.
This involves extensive interaction with the clients to gather information about the proposed product, and careful formulation of documents describing the proposed product
When writing requirements you must consider the different audiences who will use them: client managers, client engineers, end users, software developers, etc.
This implies a need for requirements descriptions at different levels of detail.
Typical distinctions between levels of documents:
- requirements definition: a high-level description, probably aimed to be readable by everyone associated with the project in any context
- requirements specification: detailed description, precise, possibly the contractual basis for the project, probably aimed at the primary system users and the system designers/developers
- software specification: abstract descriptions to serve as the basis for design and implementation, thus aimed at developers and designers

A typical requirements engineering process

feasibility study (concept exploration), determining cost effectiveness of one or more approaches to the problem
requirements analysis: observation of existing systems, discussion with potential users and procurers, task analysis etc, may include system modelling
requirements definition (high level description)
requirements specification (detailed description)
validate the requirements, and repeat as necessary, with a detailed document produced at the end

Complicating factors in formulating the requirements

because the new system is being designed to improve upon the status quo, it is usually difficult to anticipate all the effects it will have on the organization
diverse user communities lead to differing requirements and priorities, hence final system requirements are likely to be a compromise
similar contrasts/conflicts are also likely to exist between the end-users of the product and those who pay for the system, further complicating the development of universally acceptable specifications

Requirements analysis and modeling

Involves extensive interaction with customers and end users.
Anyone with influence or who can be affected by the system is a stakeholder.
Problems:
- Stakeholders don't know precisely what they want.
- Stakeholders make unrealistic requests.
- Use of domain-specific terminology.
- Conflicts between requirements from different stakeholders.
- Political factors divorced from end users.
- Changing business environment affecting requirements.
Initiating discussions: one of the key difficulties is starting the information gathering process - here are some "icebreaker" questions, to get the process rolling:
- what problems will/should this product address?
- can you show me the environment the product will be used in?
- how would you characterize good output, as provided by a successful solution?
- can you think of any special issues (e.g. performance) that may affect the way the solution is approached?
- are you the right person to answer these questions, and can I consider your answers "official"?
- is there anyone else I should also be talking to, or anything else you think I should be aware of?
Processes: the actual process is going to be highly dependent on the organization you are collecting requirements from, but here are some of the common features:
- analysts refine their understanding of the problem domain (e.g. supermarket, hospital, factory, whatever)
- collect requirements - interacting with the users: observation, surveys, interviews, meetings, run-throughs, etc
- classification - trying to structure the requirements into some form of coherent clusters
- prioritization - intereacting with users to identify priorities of different requirements
- conflict resolution - identifying and mediating conflicts between different collected requirements
- validation - checking to determine if requirements are complete, consistent, realistic, etc
Viewpoint-oriented analysis: trying to analyze a system from multiple perspectives, with the goal of capturing all possible requirements.
For example, in developing a bank ATM system, viewpoints might include:
- current bank customers
- tellers
- branch managers
- database administrators
- bank security managers
- other banks with cooperating ATM systems
- network engineers
- marketing department representatives
- etc

Viewpoint and service templates: the analysis stage might include filling out a seperate form to represent each different user's viewpoint, and a seperate form to represent each different service provided:

Viewpoint template

Reference:  the viewpoint name
Attributes: relevant viewpoint information
            (e.g. PIN number, account number)
Events:     describing how the system reacts
            in terms of events as seen from
            the current viewpoint
            (e.g.  start transaction
                   select service
                   cancel transaction)
Services:   list of services available
            from this viewpoint
            (e.g. cash withdrawal,
                  balance inquiry)

Service template

Reference:      the service name
Rationale:      why the service is provided
Specification:  list of service specifications
Viewpoints:     list of viewpoints which access
                this service
NF requirements: non-functional requirements
                (performance and constraints)
Provider:       which system objects are
                responsible for providing 
                the service

Techniques for modeling and formulating the data gathered are discussed in detail in the specifications section below

Requirements validation

Make sure requirements define the system the client wants.
Avoids propagating problems into design and implementation.
Aspects of overall requirements to be checked:
- validity (sometimes going beyond the users' initial thoughts on system functionality)
- consistency (across different users' views of the system)
- completeness (all functions and constraints required)
- realism (requirements must be achievable using the allowable project resources)
- verifiability (is it realistically testable)
- comprehensibility (will the designers be able to understand the entire document)
- trace-ability (the origin of each requirement should be described)
- adaptability (e.g, low degree of dependence between requirements)
Prototyping can be used as an aid to confirm or change user opinions on the requirements
requirements reviews with different client and developer groups can help to ensure the above characteristics
using formal or structured languages to state the requirements makes it easier to confirm that the final design meets the requirements, but it is more difficult for the clients to confirm that the statement of requirements matches their needs

Requirements evolution:

some requirements are likely to remain constant throughout the lifetime of the project
however, user needs will change, the environment for the system will change so many requirements must be described in such a way to allow for this inevitable evolution (e.g., well-separated, independent requirements)
Requirements which are not expected to change are enduring, those which are likely to change are volatile
One possible way of categorizing the volatile requirements
- mutable requirements: change because of changes in the environment external to the organization
- compatibility requirements: change because of changes in the internal organization environment
- emergent requirements: changes in requirements that result from changes in customer awareness during the design/development process
- consequential requirements: changes resulting from changes in customer awareness once the new system is in use

Software Specifications

The specifications document

Contains requirements definitions and specifications, either combined or presented separately. May also include software specification if necessary.
Heninger suggests six requirements for the document:
- it should specify external behavior only
- it should specify constraints on the implementation
- it should be easy to change
- it should serve as a reference tol for maintenance
- it should record motivation/forethought on the system life cycle
- it should characterize acceptable behavior for undesired events
One possible structure for the document is:
- Introduction: describing the need for the system, its functions, and how it interacts with other systems. This should include how the system fits into the overall objectives of the organization it is being designed for.
- System models: one or more models clearly showing the relationship between the system components, and the relationship between the system and its environment. The models are likely to include:
  - object models: dividing the problem into objects and the services they provide
  - dataflow models: showing the movement and manipulation of information through the system
  - semantic models: describing the system as entities and the relationships between them
  - data dictionaries: defining each kind of information used in the system and all pertinent facts associated with it (where it originates, what type it is, what it is used for, where it is modified, etc)
- Functional requirements: the services provided for the user; may be in multiple formats (e.g. filled-in forms, diagrams, plain text, etc) to provide complete and concise information for everyone associated with the project
- Non-functional requirements: constraints on the software and restrictions on design: should include efficiency issues, data representation constraints, documentation requirements, etc.
- Motivation and assumptions: assumptions about the system and its environment, anticipated future changes, the reasons for design decisions, etc.
- Detailed requirements specifications: for every task/function required for the system, might include interfaces for many parts of the process
- Glossary: defining all technical terms used in the document. No assumptions should be made about the reader having expertise or experience either in the problem domain or in aspects of computer design/development.

System Modelling

A result of requirements analysis may be one or more system models that abstract certain properties of the system to assist understanding.
A series of different models may be included in the specifications document, as different models are superior for capturing key information about different aspects of the system
Data-flow models
- Models the way in which data is processed by the system as a whole.
- Contrasted with the way software processes data internally which might also be modelled using a data flow diagram.
- May be used at different levels of detail (high level showing movement and manipulation of major data blocks within the system, then lower level views showing detailed handling of data within specific services or from particular viewpoints)
Example for ATM:
```
               DISPLAY INTRUCTIONS
               AND GET USER ID/PIN 
                      |
                      |id,pin
                      |
               DISPLAY INSTRUCTIONS
               AND GET REQUEST
                      |
                      |id,pin,request-type
                      |
                 ANALYZE REQUEST
                /     |        \
id,pin,withdraw/      |error    \id,pin,balance-request

etc.
```
Object models
- Based on object-oriented techniques.
- Useful for defining the capabilities of data processing and the relationships between different kinds of data.
- Essentially describe the entire system as a collection of ADTs and the interfaces to them
- very effective at modelling objects which can be clearly defined, but sometimes the division of an entire system into objects is somewhat arbitrary/unclear
- if applied successfully, object-oriented modelling can lead to a product which is very amenable to software re-use.
- Some major organizations now focus on object-oriented modelling as a primary analysis technique
Semantic data models
- Defines the logical form of data used by the system.
- Uses techniques from database modelling: relational model, entity-relation diagrams, etc.
- Possible example using visual chart:
  - show entitites (data objects) as squares
  - show attributes of those entities as ovals attached to the entity
  - show relationships between entities in triangles attached to both entities
Data dictionaries: for every data item used in a project fill in a form, possibly including information such as:
- the unique name for the data itme
- the data type (high/abstract level)
- where the data is generated and/or altered
- where the data is used
- a brief description of the data

Formats for description:

Must be precise so it can form the basis for design
Natural language problems: ambiguity, different ways to say the same thing (over-flexible)
Alternatives:
- structured natural languages (e.g, forms or tables)
- design description languages
- graphical notations (e.g., data flow diagrams)
- mathematical specifications (see later)
Usually a combination of techniques used: high level overviews are provided in natural language, then the details are fleshed out using a combination of forms, diagrams, and supporting text descriptions.

Example of a forms-based approach to describing a particular action that must take place:

Action name:

Plain text description:

Inputs for action:

Outputs from action:

Source of input data:

Destination of output data:

Requirements/pre-requisites to action:

Side-effects of action:

Non-functional requirements and specifications

Functional requirements: statements of services the system should provide, how the system should react to particular inputs and how the system should behave in particular situations.
Non-functional requirements: constraints on the services or functions offered by the system.
These are constraints on the system itself, i.e. performance specifications
Verifiability is very important for non-functional requirements so wording must be very precise
- e.g., speed requirements "fast" vs. timing constraints that must be satisfied like ">100 requests per hour"
Examples of ways to state non-functional requirements:
- speed: transactions/second, user/event response time, screen refresh time
- size: bytes, number of devices
- ease of use: training time, number of help frames, frequency of reference to help
- reliability/robustness: mean time to failure, probability of unavailability, rate of failed transactions, time to restart after failure, precent of events causing failure, probability of data corruption on failure
- portability: number of target systems (list), percentage of code statements which are target-dependent

Formal Specifications

Formal specification techniques are used for the unambiguous specification of software. Ideally we seek to eliminate contradictions, ambiguities, vagueness, and incompleteness from our specifications through the use of formal specifications.
They are usually expressed in a mathematical notation with precisely defined vocabulary, syntax and semantics.
Advantages:
- The development of formal specifications requires structured thinking about the precise product behavior, often leading to insights into the software requirements and the design.
- The formal specifications be analysed mathematically and the absences of some classes of error can be demonstrated - i.e. to an extent we can determine the correctness/completeness of the specifications even before design is begun.
- Formal specifications are essential if a program is to be formally verified - if the specifications are given formally, and the design/implementation behavior can be expressed formally, then proofs of design/implementation correctness may be developed (and possibly even automated)
- Formal specifications may be processed by tools more easily than informal specifications. In some cases specification animation can be used to construct a prototype.
Formal specifications are not widely used for a number of reasons:
- Inherent management conservatism; the benefits of formal specifications are hard to demonstrate in an objective way.
- Many software engineers lack the training in discrete mathematics necessary for many formal specification techniques.
- System procurers may be unwilling to fund formal specification activities in the hope that long term benefits will result.
- Some classes of system are hard to specify formally with current techniques (e.g., interactive systems and concurrent systems).
- There is little tool support for formal specification (compared to other software development tools, and especially compared to the complexity of the formal specification problem)
- Formal techniques have been oversold by some people with lack of knowledge of real world problems, the failure of their claims leads to pessimistic attitudes regarding the field in general
Seven myths of formal methods:
- Perfect software results from the use of formal methods.
  Nonsense: formal methods are abstractions or models of behavior, and if the underlying models are incorrect then the resulting software will be incorrect (though it may perfectly carry out the faulty behavior...)
- Formal methods mean program proving.
  Proving an implementation correct is one possible use or application of formal methods, it is not required or even desirable in many cases. Just the effort of producing the formal specification can substantially aid in the specification (and hence design) process
- Formal methods are only justified for use on safety-critical systems.
  While safety-critical systems are by far the most common application domain for formal methods, there are many classes of system for which formal specifications might reduce long term develpment costs
- Formal methods are for mathematicians.
  Only simple math skills are needed for many methods (although extensive practice is required before the methods seem "natural").
- Applying formal methods increases development costs.
  This is not proven one way or the other. Certainly the development of formal methods results in a high cost very early in the product life cycle, it is unclear how substantial the benefits are in later stages (few organizations can afford to try out both methods on a large project simply to compare the results)
- Clients cannot understand formal specifications.
  Most formal specifications are accompanied by natural language descriptions - the problem is that guaranteeing the natural language description matches the formal specification is not something the client can usually do.
- Formal methods only been used for trivial systems.
  Many examples for non-trivial systems have been published at the research level (but large practical examples and applications ... ?).

We consider three different techniques for formal specifications:

Pre- and Post-conditions: expressing what a function does by stating conditions before the function executes and conditions after the function executes - the difference between the two states effectively describes what the function has done
Algebraic specifications: describing systems in terms of abstract data types and operations on them
Model-based specifications: modeling systems using mathematical entities such as sets and functions

Pre- and Post-Conditions

A simple formal specification method, this involves formally stating what must be true before a function is invoked and what must be true after it completes.
The behavior of the function must create the difference between the two.
This works at the function level - we are trying to formally describe the effect that a function should have.
In the consideration of this method we make a simplifying assumption, namely that functions do not have side-effects on global data. (All observable behavior is expressed in terms of the pre and post conditions.)
The formal specification consists of a set of input predicates (pre-conditions) and a set of output predicate (post-conditions) for the functions.
Predicates are just logical (Boolean) expressions which evaluate to true or false - you may also encounter the term invariants in this context
Predicate operators include the usual logical operators (and, or, not), mathematical operators (+, -, *, /, etc) plus the quantifiers (forall, exists). Arrays with integer indexes are also commonly used.
Some predicate examples, first expressed in natural language and then given in mathematical notation:
- The value of variable A is greater than the value of B and the value of C is less than the value of D.
```
(A > B) and (C < D)
```
- There exist values i, j, and k in the range M to N such that the square of i equals the sum of the squares of j and k.
```
                         2    2    2
exists i, j, k in M..N: i  = j  + k
```
- A is an array of integers whose contents are, in ascending order, all the squares of the integer values 1 to 10
```
                            2
forall i in 1..10 : A[i] = i
```
Function specification using pre- and post-conditions
- A pre-condition is a predicate involving the function parameters and stating what can be assumed to hold (i.e. what we assume is true) before the function is executed.
- A post-condition is a predicate involving the function parameters and stating what must hold after the funtion has executed if the pre-condition was true before the function execution.
- Together, these two predicates formally specify the effect that the function has on its parameters.
- If it is necessary to differentiate between the value of a parameter before the function executes and its value after execution we use the name of the parameter for the former and the name with a quote for the latter.
  One common method for this is through the ' symbol, e.g.: when we use parameter i in a predicate, i' represents the value of i after the function has completed, whereas i represents the value of i before the function has been started
- The return value of the function is considered a parameter in this context and can be used in the predicates.
Examples, each giving the parameters, pre- and post-conditions:
- Function Halve returns the result of dividing its integer parameter by two, but only works if n is bigger than 0.
```
function Halve (N : integer) : real;

Pre-condition:  N > 0
Post-condition: Halve (N) = N / 2
```
- Procedure Init takes an integer array as a parameter and makes all of its elements be the same as their indexes (i.e., the first element in the array is one, the second is two, and so on).
```
procedure Init (var A : array [1..100] of integer);

Pre-condition:  true
Post-condition: forall i in 1..100: A'[i] = i
```
- Procedure SquareNeg takes an integer array parameter containing at least one negative value and squares each negative value in the array. No other elements of the array are changed.
```
procedure SquareNeg (var A : array [5..10] of integer);

Pre-condition: exists i in 5..10: A[i] < 0
Post-condition: forall i in 5..10: ((A[i] >= 0) and (A'[i] = A[i])) or
                                   ((A[i] < 0) and (A'[i] = A[i] * A[i]))
```
- A function Search that searches an array for a key value and returns the index where it was found. Assumes that the key is there somewhere.
```
function Search (A : array [1..100] of integer; K : integer) : integer;

Pre-condition:  exists i in 1..100: A[i] = K
Post-condition: (A'[Search (A, K)] = K) and (A' = A)
```
Sometimes we also specify error predicates that say what should happen in a situation when the pre-condition does not hold but the function is called anyway.
```
Error: (Search (A, K) = 0) and (A' = A)
```

Algebraic Specification

Here we specify the abstract data types to be modeled, and the associated operations

Specifying an abstract data type is carried out in terms of the relationships between operations on the type.
- We specify all the previously-described data types that we will make use of
- We provide an informal (natural language) description of the behavior of the new ADT
- We provide interface descriptions to show the types of data each operation acts on and returns
- We classify all operations on the data as constructors or inspectors (the former create or modify data - i.e. change the state of the object somehow, while the latter merely report on some aspect of the current state of the object)
- We create a set of axioms describing the effects of the constructors through applications of the inspectors
- If all of these are complete and correct, we have precisely specified the desired object's behavior
General form of specification:

Examples (from Sommerville chapter 10):

An array abstract data type

imports Integer

Arrays are collections of elements of generic type Elem.
They have a lower and upper bound (see operations First, Last)
Individual elements are accessed by their numeric index.
Create takes the array bounds as parameters and creates
the array, initializing the values to Undefined.
Assign creates a new array which is the same as its input.
Eval reveals the value of a specified element (Undefined
 if the access is outside the array bounds)

Create(Integer,Integer)->Array
Assign(Array,Integer,Elem)->Array
First(Array)->Integer
Last(Array)->Integer
Eval(Array,Integer)->Elem

First(Create(x,y)) = x
First(Assign(a, n, v)) = First(a)
Last(Create(x,y)) = y
Last(Assign(a, n, v)) = Last(a)
Eval(Create(x,y), n) = Undefined
Eval(Assign(a, n, v), m) =
    Undefined if First(a) > m or Last(a) < m
    v if m == n
    Eval(a, m) otherwise

An ADT to represent coordinates in a Cartesian plane

imports: Integer, Boolean

Defines an adt representing a Cartesian coordinate.
Operations defined on Coord are X and Y, which evaluate
the x and y attributes of an entity and Eq which
compares two entities for equality.

Create(Integer,Integer)->Coord
X(Coord)->Integer
Y(Coord)->Integer
Eq(Coord,Coord)->Boolean

X(Create(x,y)) = x
Y(Create(x,y)) = y
Eq(Create(x1,y1),Create(x2,y2)) = ((x1==x2) and (y1 == y2))

An ADT to represent a list of elements

imports Integer

Defines a list where elements are added at the end
and removed from the front.
Create brings an empty list into existence
Cons creates a new list with an added member
Length evaluates the list size
Head removes the front element of the list
Tail creates a list by removing the head from its input list

Create->List
Cons(List,Elem)->List
Tail(List)->List
Head(List)->Elem
Length(List)->Integer

Head(Create)=Undefined
Head(Cons(L,v)) = 
    v if L == Create
    Head(L) otherwise
Length(Create) = 0
Length(Cons(L,v)) = Length(L) + 1
Tail(Create) = Create
Tail(Cons(L,v)) =
    Create if L == Create
    Cons(Tail(L),v) otherwise

Enriching an ADT - similar to the concept of inheritance in OO
- Sometimes we wish to extending, or enrich, the specifications for an existing ADT to create a new ADT with more complex specifications
- This is not the same as simply importing a specification.
- The names of generic parameters of the base sort (ADT type) are inherited when an ADT is enriched.
- This can be continued to any level.

Example of enriching: creating a New_List from a base List ADT

New_List enriches List
imports Integer, Boolean

New_List defines an extended form of list, inheriting the 
operations and properties of List and adding two new operations:
   - Add adds an element to the front of the list
   - Member determines if an element is present in the list

Add(New_List,Elem)->New_List
Member(New_List,Elem)->Boolean

Add(Create,v) = Cons(Create, v)
Member(Create,v) = False
Member(Add(L,v),v1) =
      True if (v == v1) or Member(L,v1) == True
      False otherwise
Member(Cons(L,v),v1) =
      True if (v == v1) or Member(L,v1) == True
      False otherwise
Head(Add(L,v)) == v
Tail(Add(L,v)) == L
Length(Add(L,v)) = Length(L) + 1

Multi-value operations
- Operations can return more than one value.
- This makes it easier and more natural to specify some types, e.g., a stack where pop should return both the popped value and the modified stack.
- This is also good for including error values to be returned by operations.

Model-based Specification

Yet another formal specification system is model-based - this requires using mathematical models (sets, functions, etc) to represent the system under study

Model-based specification is the most ambitious of the techniques we study
The state of the system is not hidden - we can directly consider data within an object (unlike algebraic specification, where we consider the interaction of operations).
State changes are easy to define.
VDM and X are two model-based specification languages. We will use a third: Z.
Schemas
- Schemas are the building blocks of Z specifications.
- Schemas introduce the specification entities and define the invariant predicates over these entities.
  i.e. we specify the data associated with a schema, and define the set of rules the data must obey
- A schema includes:
  - A name identifying the schema.
  - A signature introducing entities and their types.
  - A predicate part defining invariants over these entities.
- Schemas can be included in other schemas.
Examples (from Sommerville chapter 11, and assuming N denotes a natural number):
- Schema to represent a container with fixed capacity
```
contents: N 
capacity: N

contents <= capacity
```
  I.e. the container can never hold more than it's capacity
- Schema to represent an indicator light tied to some level reading and pre-defined danger level
```
light: {off, on}
reading: N
danger_level: N

light == on iff reading <= danger_level
```
  i.e. the light is a low-level warning, it comes on when the "reading" drops below the critical level
Schema combinations: effectively we can perform a union of two or more schemas to create a new, more complex, schema
Operation definitions
- So far we've only defined data and properties of that data.
- Operations are defined as schemas where the predicate is in essence a post-condition of the operation. Pre-conditions are implicit in the schemas used in the operation definition.
- ? signifies an input, ! an output.
- D schemas are used when entities are modified by an operation. Introduces the defined entity names and primed versions of these names which represent their values after the operation.
- X schemas are used when entities are used but not modified by an operation. Define the entities and their primed versions and also axioms that equate the before and after values.

Operation examples:
Fill_OK: operation when a valid amount is added to a tank

DStorage_Tank
amount?: N

contents + amount? <= capacity
contents' = contents + amount?

Overfill: operation when too large an amount is entered (an error message is printed out)

XStorage_Tank
amount?: N
r!: seq Char

capacity < contents + amount?
r! = "Insufficient tank capacity: Fill cancelled"

Fill: the fill operation, covering both possible cases

Fill_OK V Overfill

Z functions and data structure modelling
- Allow more sophisticated modelling (Z has a lot more...).
- Functions are mappings from input values to output values.
- The domain of a function is the set of inputs for which the function has a defined output value.
- The range of a function is the set of results which the function can produce.

Guidelines for formal methods

In Pressman quotes the "ten commandments of formal methods":

choose appropriate notation - different formal methods and notations are appropriate for different types of design, choose wisely
formalize, but do not overformalize - identify the parts of the system where you genuinely need formal specifications, as opposed to formalizing every part
estimate the costs of using formal methods - don't proceed without knowing what kind of costs this might incur
have a formal methods expert on call
do not abandon traditional methods - i.e. use formal methods in addition to what you already do
document sufficiently - natural language backup for your specifications helps tremendously when reviewing and maintaining the system
do not compromise quality standards - using formal methods is not a substitute for other aspects of quality control
do not be dogmatic - formal methods can still have errors, don't be unreasonable in your assumptions or expectations
test, test, and test again - again, formal methods are not a substitute for testing your program once implemented
reuse is critical to controlling the cost of formal methods