Formal methods

We give a formal account of a calculus for modeling service-based systems, suitable to describe both service composition (orchestration) and the protocol that services run when invoked (conversation). The calculus includes primitives for defining and invoking services, for isolating conversations between clients and servers, and for orchestrating services. The calculus is equipped with a reduction and a labeled transition semantics related by an equivalence result. To hint how the structuring mechanisms of the language can be exploited for static analysis we present a simple type system guaranteeing the compatibility between client and server protocols, an application of bisimilarity to prove equivalence among services, and we discuss deadlock-avoidance.

OO Big O 80 Joan Krone (Denison University) and W. F. Ogden (The Ohio State University) Ontology-based Description and Reasoning for Component-based Development on the Web 84 Claus Pahl (Dublin City University) Modeling Multiple Aspects of Software Components 88 Roshanak Roshandel and Nenad Medvidovic (University of Southern California, Los Angeles) Reasoning About Parameterized Components with Dynamic Binding 92 Nigamanth Sridhar and Bruce W. Weide (The Ohio State University) DEMONSTRATIONS 96 Specifications in the Development Process: An AsmL Demonstration 97 Mike Barnett (Microsoft Research) Mae: An Architectural Evolution Environment 99 Roshanak Roshandel (University of Southern California, Los Angeles) Runtime Assertion Checking Using JML 101 Roy Patrick Tan (Virginia Tech)

We report on a case study to assess the use of an advanced knowledge-based software design technique with programmers who have not participatedin the technique's development. We use the KIDS approach to algorithm design to construct two global search algorithms that route baggage through a transportation net. Construction of the second algorithm involves extending the KIDS knowledge base. Experience with the case study leads us to integrate the approach with the spiral and prototyping models of software engineering, and to discuss ways to deal with incomplete design knowledge.

This paper deals with systems verification techniques, using Bounded Model Checking (BMC). We present a new approach that combines BMC with symmetry reduction techniques. Our goal is to reduce the number of transition sequences, which can be handled by a SAT solver, used in the resolution of verification problems. In this paper, we generate a reduced model by exploiting the symmetry of the original model,which contains only transition sequences that represent the equivalence classes of the symmetric transition sequences. We consider the construction of a new Boolean formula that manipulates only representative transition sequences. In our technique, we present a method that combines the symmetry reduction technique with BMC for the reduction of the space and time of Model Checking.

Achieving a proper understanding of the problem space before providing the design in the solution space is one of the basic tenets in requirements engineering. The Problem Frames approach provides a way for people to understand and solve software problems. Recently, a denotational semantics for Problem Frames was defined to relate the various elements of Problem Frames together. One of the problems of the semantics is that, as denotation, a problem has the set of all satisfying solution specifications. Whereas this is a sensible initial choice, it does not lend itself easily to the construction of solution specifications. The contribution of this paper is to provide a formal technique which in the context of the given semantics allows for the systematic derivation of software specifications from requirements.

Ensuring the correctness of a given software component has become a crucial aspect in Software Engineering and the Model Checking technique provides a fully automated way to achieve this goal. In particular, the usage of Model Checking in formal languages has been reinforced in the last decades given the fact that specifications provide an abstraction of the problem under study, supplying a model of the system of tractable size given the state explosion problem faced by the Model Checking technique. In this paper we focus on the main issues for adding Model Checking functionalities to the RAISE specification language and present the semantic foundations of our current approach for doing so. An outline of the main problems faced in the process and of the solutions to solve them are also presented.

Hardware and software systems are growing everyday in scale and functionality. This increase in complexity increases the number of subtle errors. Moreover, some of these errors may cause catastrophic loss of money, time, or even in many cases human life. A major goal of ...

In Mobile communications age, the IT environment and IT technology update rapidly. The requirements change is the software project must face challenge. Able to overcome the impact of requirements change, software development risks can be effectively reduced. Agile software development uses the Iterative and Incremental Development (IID) process and focuses on the workable software and client communication. Agile software development is a very suitable development method for handling the requirements change in software development process. In agile development, user stories are the important documents for the client communication and criteria of acceptance test. However, the agile development doesn't pay attention to the formal requirements analysis and artifacts tracability to cause the potential risks of software change management. In this paper, analyzing and collecting the critical quality factors of user stories, and proposes the User Story Quality Measurement (USQM) model. Applied USQM model, the requirements quality of agile development can be enhanced and risks of requirement changes can be reduced.

This report gives an overview of the work performed by the Programming Research Group as part of the European collaborative ESPRIT II REDO project (no. 2487). This work covered the areas of reverse-engineering: redocumentation and re-engineering; validation: post-hoc verification and generation of correct code from specifications; maintenance: new languages and methods to support maintenance. Research in areas of concurrent programming and decompilation were also performed.

The Raise Specification Language (RSL) is a modeling language which supports various specification styles. To apply model checking to RSL concurrent descriptions, we translate RSL specifications into the input language CSPM of FDR. FDR is the model checker for the process algebra CSP. First, we define a syntactic and semantic translation from the concurrent applicative subset of RSL to CSPM, and show that this translation is a strong bisimulation which preserves properties such as traces and deadlock. Consequently, results obtained by refinement checks in FDR are sound for the original RSL descriptions. Second, RSL uses Linear Temporal Logic (LTL) to specify desired properties, but FDR does not support LTL. LTL formulas may be translated to CSP test processes in order to check them with FDR. We build a tool which automates the translation of RSL specifications into CSPM and translates LTL formulas to CSP processes, enabling the model checking of LTL formulas over RSL descriptions with FDR.

The formal analysis described here detects two so far undetected real deadlock situations per thousand C source files or million lines of code in the open source Linux operating system kernel, and three undetected accesses to freed memory, at a few seconds per file. That is notable because the code has been continuously under scrutiny from thousands of developers' pairs of eyes. In distinction to model-checking techniques, which also use symbolic logic, the analysis uses a "3-phase" compositional Hoare-style programming logic combined with abstract interpretation. The result is a customisable post-hoc semantic analysis of C code that is capable of several different analyses at once.

We introduce a logical verification methodology for checking behavioral properties of service-oriented computing systems. Service properties are described by means of SocL, a branching-time temporal logic that we have specifically designed for expressing in an effective way distinctive aspects of services, such as, acceptance of a request, provision of a response, correlation among service requests and responses, etc. Our approach allows service properties to be expressed in such a way that they can be independent of service domains and specifications. We show an instantiation of our general methodology that uses the formal language COWS to conveniently specify services and the expressly developed software tool CMC to assist the user in the task of verifying SocL formulas over service specifications. We demonstrate the feasibility and effectiveness of our methodology by means of the specification and analysis of a case study in the automotive domain.

In this paper we introduce a model as a foundation for het-erogeneous services, therefore unifying web services tech-nologies in SOA (Service Oriented Architecture), specif-ically, SOAP/WS * and RESTful models. This model ab-stracts away from service implementations, in order to verify and to enforce some important security properties.

"Formal methods aim to apply mathematically-based techniques to the development of computer-based systems, especially at the specification level, but also down to the implementation level. This aids early detection and avoidance of errors through increased understanding. It is also beneficial for more rigorous testing coverage. This talk presents the use of formal methods on a real project. The Z notation has been used to specify a large-scale high integrity system to aid in air traffic control. The system has been implemented directly from the Z specification using SPARK Ada, an annotated subset of the Ada programming language that includes assertions and tool support for proofs. The Z specification has been used to direct the testing of the software through additional test design documents using tables and fragments of Z. In addition, Mathematica has been used as a test oracle for algorithmic aspects of the system. In summary, formal methods can be used successfully in all phases of the lifecycle for a large software project with suitably trained engineers, despite limited tool support.
"

Formal methods have traditionally been used for specification and development of software. However there are potential benefits for the testing stage as well. The panel session associated with this paper explores the usefulness or otherwise of formal methods in various contexts for improving software testing. A number of different possibilities for the use of formal methods are explored and questions raised. The contributors are all members of the UK FORTEST Network on formal methods and testing. Although the authors generally believe that formal methods are useful in aiding the testing process, this paper is intended to provoke discussion. Dissenters are encouraged to put their views to the panel or individually to the authors.

The formal analysis described here detects two so far undetected real deadlock situations per thousand C source files or million lines of code in the open source Linux operating system kernel, and three undetected accesses to freed memory, at a few seconds per file.  That is notable because the code has been continuously under scrutiny from thousands of developers' pairs of eyes.  In distinction to model-checking techniques, which also use symbolic logic, the analysis uses a ``3-phase" compositional Hoare-style programming logic combined with abstract interpretation.  The result is a customisable post-hoc semantic analysis of C code that is capable of several different analyses at once.

The autonomic computing paradigm has been proposed to cope with size, complexity, and dynamism of contemporary software-intensive systems. The challenge for language designers is to devise appropriate abstractions and linguistic primitives to deal with the large dimension of systems and with their need to adapt to the changes of the working environment and to the evolving requirements. We propose a set of programming abstractions that permit us to represent behaviors, knowledge, and aggregations according to specific policies and to support programming context-awareness, self-awareness, and adaptation. Based on these abstractions, we define SCEL (Software Component Ensemble Language), a kernel language whose solid semantic foundations lay also the basis for formal reasoning on autonomic systems behavior. To show expressiveness and effectiveness of SCEL;’s design, we present a Java implementation of the proposed abstractions and show how it can be exploited for programming a robotics...

Abstract. In the last three years or so we at Enterprise Platforms Group at Intel Corporation have been applying formal methods to various problems that arose during the process of defining platform architectures for Intel’s processor families. In this paper we give an overview of some of the problems we have worked on, the results we have obtained, and the lessons we have learned. The last topic is addressed mainly from the perspective of platform architects. 1. Problems and Results Modern computer systems are highly complex distributed systems with many interacting components. Architecturally they are often organized like a computer network into multiple layers: physical layer, link layer, protocol layer, etc. Most of the problems to which we applied formal methods are the formal verification (FV) of intricate protocols in the protocol and link layers. In addition, we also found several novel uses of binary decision diagrams (BDDs) [3] that are worth mentioning. 1.1. Directory-bas...

7th International Conference on Software Engineering (SOFT 2021) will provide an excellent
international forum for sharing knowledge and results in theory, methodology and applications of
Software Engineering and Applications. The goal of this Conference is to bring together researchers
and practitioners from academia and industry to focus on understanding Modern software
engineering concepts and establishing new collaborations in these areas.

We describe methods and software tools which aid in reverse-engineering COBOL application programs back to the specification stage (and in validating them against the specification). The aim is to create object-oriented abstractions from the implementation which capture the design concepts accurately, and the central process which the tools support is `transformation from formalism to formalism', first from COBOL to the intermediate language UNIFORM, then from UNIFORM to a functional  description language, and then  to the specification language Z. In the process data-flow diagrams, entity-relationship diagrams and call-graph, and other types of information, are extracted from the code.

Formal methods and testing are two important approaches that assist in the development of high-quality software. While traditionally these approaches have been seen as rivals, in recent years a new consensus has developed in which they are seen as complementary. This article reviews the state of the art regarding ways in which the presence of a formal specification can be used to assist testing.

The preoccupation of this study is to investigate whether women are financially excluded from formal financial services in Lagos State. Four local government areas (Ikeja, Ifako- Ijaiye, Somolu-Bariga and Agege) were selected for the empirical enquiry. Perceptions of women about formal financial services were collected by means of questionnaires. Of the 280 questionnaires sent out, 202 were recovered and the data was analyzed using descriptive analyses techniques. Two major findings are reported:(i) women are excluded from financial services mostly because of their lower level of education which thus exclude them from being able to utilize financial products such as mobile and internet banking; and (ii)the older the respondents get, the lower their willingness to make use of internet or mobile banking, as the emergence of new products in that line is too sophisticated for them to understand, thus, they experience technical exclusion from financial services. The study
recommends that: (i) there is need for specialized financial product for women and increased awareness of beneficial products by the financial institutions; and (ii) financial institutions should design specialized financial products for women and to embark on road shows in markets where women are mostly aggregated in order to create efficient awareness of these financial products.

Property specifications are often used in requirements engineering to concisely describe a single aspect of system behavior. Although each property has a narrow focus, it can still be difficult to specify a property correctly. There are often subtle, but important, details in desired system behavior that can easily be overlooked, and there is little guidance available for how to avoid such mistakes. In addition to capturing these details correctly, property specifications should be (a) precise enough to support automated analyses that can be used to check that actual system behavior is consistent with the specifications, and (b) understandable enough to be readily comprehended by all system developers. Property specifications can be written in a mathematical formalism, which provides precision, but such formalisms are often difficult to understand. Thus, in practice, property specifications tend to be written in natural language. Property specifications written with such informality are often ambiguous, however, and usually cannot be used in many types of automated analyses.

To address these challenges, our approach supports elicitation and specification of properties by providing templates that build on commonly-occurring property patterns. These templates offer guidance by explicitly indicating the variations that must be considered, thereby ensuring that important subtle details are not overlooked. To support the use of this approach, we developed PROPEL, for “PROPerty ELucidator.” PROPEL provides three alternative views that users can work with to specify properties: graphical finite-state automata, which offer precision; “disciplined” natural language, which offers understandability; and question trees, which offer guidance for selecting a template.

To evaluate this approach, we used PROPEL to specify properties in five case studies in the medical domain. The case studies showed that our approach was effective at specifying the vast majority of the properties we encountered. We also undertook a small empirical study that showed that the disciplined natural language view of the properties was usually understood. These results indicate that our approach to property elicitation and specification is a promising one.

If you are confused by the title above you are in the same boat as the vast majority of software producers when confronted with
a display of formal methods. The easiest option when dealing with an activity whose benefits are doubtful and which looks impenetrable is to ignore it and do without. This is precisely what most software developers do and not necessarily to the detriment of their business (unless this business has safety implications); witness Microsoft, which makes millions of dollars selling MS-DOS and Windows without a single quantifier in sight. Even a successful mathematical product such as Mathematica, which supports the interactive computer-based use of mathematics, consists of the order of a million lines of C-based code produced with no formal development.

Computer programming is difficult and error-prone. In critical and large-scale computing systems, such as real-time systems and clouds, the errors are hazardous and expensive. An example of such errors was reported by Mars Orbiter Mishap Investigation Board in September 1999, when the Mars Climate Orbiter crashed because of a ‘silly mistake’ caused by the incorrect distance units in a program. The distance unit miscalculation caused the aircraft to go too close to Mars, which eventually caused the crash.

This report describes a formal approach to verification and validation of safety requirements for embedded software, by application to a simple control-logic case study. The logic is formally specified in Z. System safety properties are formalised by defining an abstract model of the system’s physical behaviour in Z, including its hazardous states and dominant sensor failures. The Possum specification-animation tool is then used to check that the logic meets its safety requirements. Finally, the logic is implemented in SPARK Ada and SPARK Examiner is used to formally verify the implementation meets its specification. Design safety validation and source code verification are completely automated, removing the need for

In this paper there is an attempt to descript a logic basis and general way to design safe and dependable systems. The notion ‘diverse axiomatic bases’ had been introduced. It is shown that the safe and dependable software and hardware development, which is based on diverse axiomatic bases, allow formalizing terms of diversity and common cause failure. Examples are given of such diverse axiomatic bases and ways how to use for proof of correctness for microprocessor systems. Finally, it is argued that possible important advantages, both theoretical and practical, which may follow from these topics.

org/seas/index Call for Papers 11 th International Conference on Software Engineering and Applications (SEAS 2022) will provide an excellent international forum for sharing knowledge and results in theory, methodology and applications of Software Engineering and Applications. The goal of this conference is to bring together researchers and practitioners from academia and industry to focus on understanding Modern software engineering concepts and establishing new collaborations in these areas.

Standards concerned with the development of safety-critical systems, and the software in such systems in particular, abound today as the software crisis increasingly affects the world of embedded computer-based systems. The use of formal methods is often advocated as a way of increasing confidence in such systems. This paper examines the industrial use of these techniques, the recommendations concerning formal methods in a number of current and draft standards, and comments on the applicability and problems of using formal methods for the development of safety-critical systems of an industrial scale. Some possible future directions are suggested.

Winner of the IEE Charles Babbage Premium award, 1994. Other versions issued as a Oxford University Computing Laboratory Technical Report PRG-TR-5-92, and Chapter 1 in Towards Verified Systems.

Service-oriented applications are frequently used in highly dynamic contexts: ser- vice compositions may change dynamically, in particular, because new services are discovered at runtime. Moreover, subtyping has recently been identified as a strong requirement for service dis- covery. Correctness guarantees over service compositions, provided in particular by type systems, are highly desirable in this context. However, while service oriented applications can be built using various technologies and protocols, none of them provides decent support ensuring that well-typed services cannot go wrong. An emitted message, for instance, may be dangling and remain as a ghost message in the network if there is no agent to receive it. In this article, we introduce a formal model for service compositions and define a type system with subtyping that ensures type soundness by combining static and dynamic checks. We also demonstrate how to preserve type soundness in presence of malicious agents and...

Formal methods are being applied to the development of software of various applications at Philips Healthcare. In particular, the Analytical Software Design (ASD) method is being used as a formal technology for developing defect-free control software of highly sophisticated X-ray machines. In this paper we analyze the effects of applying ASD in the development of various control software units. We compare the quality of these units with other units developed in traditional development methods. The results indicate that applying ASD as a formal technology for developing control software results in better quality code.

In this paper a concept will be proposed about a hypergraph-based formalism for representing enterprise architecture. The paper presents a formal model using TOGAF and hypergraph theory. Hypergraphs provide a flexible mathematical structure to describe complex relationships in an enterprise architecture , mirroring the dependencies among components, and exploring integrity and consistency issues. The proposed approach extends the analytical potential for discrepancy checking in complex enterprise architecture structures. The approach can be utilized for EAM-based analysis of information systems.

1972. Weak and Strong Completeness in Sentential Logic, Logique et Analyse 59/60, 429–34.  MR0337476 (49 #2245)

This is another study illustrating the fruitfulness of thinking of “logics” as three-part systems composed of a language, a semantics [or model theory] and a deductive system [or proof theory]. For simplicity we take a fixed language for sentential logic [or propositional logics] with a fixed standard two-valued semantics, but we “vary” deductive systems. In the 1960s when this paper was written, it was still widely assumed that a “logic” was “determined” by its theorems, by what it could “prove”. The vague assumption was that once the theorems were fixed, it was somehow automatic which conclusions were derivable from given premises.
The purpose of this paper is to give a method which weakens deriving power of a sentential logic while leaving proving power unchanged. In particular if the method is applied to a strongly complete logic the resultant will not have strong completeness but it will retain weak completeness. Moreover, because of the nature of the method two added facts obtain.
First, weak completeness of the resultant is always an obvious corollary to weak completeness of the operand, so that no new completeness proof need be constructed. Second, failure of strong completeness in the resultant is always obvious, so no multi-valued matrices need be constructed. The method applies to all sentential logics formulated using only axiom schemes and schematically statable rules. These results reaffirm, generalize, and simplify a result of Hiz [Journal of Symbolic Logic, 24 (1959), pp. 193-202].

Formal methods have yet to achieve wide industrial acceptance for several reasons. They are not well integrated into established industrial software processes, their application requires significant abstraction and mathematical skills, and existing tools do not satisfactorily support the entire formal software development process. We have proposed a language called SOFL (Structured-Object-based-formal Language) and a SOFL methodology for system development that attempts to address these problems using an ...

The International Journal of Software Engineering & Applications (IJSEA) is a bi-monthly open access peer-reviewed journal that publishes articles which contribute new results in all areas of the Software Engineering & Applications. The goal of this journal is to bring together researchers and practitioners from academia and industry to focus on understanding Modern software engineering concepts & establishing new collaborations in these areas.

Ad hoc networks are dynamic networks of mobile nodes with wireless network interfaces forming an instant network without fixed topology. Destination-sequenced distance vector (DSDV) is a proactive routing protocol, which continuously maintains the topological information and whenever communication is needed such route information is available immediately. DSDV is a modification of the conventional Bellman-Ford routing algorithm to make it suitable for ad hoc networks. For any routing algorithm route discovery is an important task. In Ad hoc networks, broadcasting is the basic mechanism by which route discovery and propagation of routing is done. Therefore, routing algorithms must be robust and free from erratic behaviors. Hence formal specifications are needed to ensure correctness of routing protocols that are used Ad hoc networks.

Formal methods can be used at any stage of product development process to improve the software quality and efficiency using mathematical models for analysis and verification. From last decade, researchers and practitioners are trying to establish successful transfer of practices of formal methods into industrial process development. In the last couple of years, numerous analysis ap-proaches and formal methods have been applied in different settings to improve software quality. In today’s highly competitive software development industry, companies are striving to deliver fast with low cost and improve quality solutions and agile methodologies have proved their effi-ciency in acquiring these. Here, we will present an integration of formal methods, specifications and verification practices in the most renowned process development methodology of agile i.e. extreme programming with a conceptual solution. That leads towards the development of a com-plete formalized XP process in future. T...

H.264, a state-of-the-art video compression standard, is used across a range of products from cellphones to HDTV. These products have vastly different performance, power and cost requirements, necessitating different hardware-software solutions for H.264 decoding. We show that a design methodology and associated tools which support synthesis from high-level descriptions and which allow modular refinement throughout the design cycle, can share the majority of design effort across multiple design points. Using Bluespec SystemVerilog, we have created a variety of designs for the H.264 decoder tuned to support decoding at resolutions ranging from QCIF video (176 times 144 @ 15 frames/second) to 1080p video ((1280 times 1080)p @60 frames/second) in a 180 nm process. Some of these design points require major transformations of pipelining to increase performance or to reduce area. We also explore several common design issues surrounding memory structures, such as caches and on-chip vs. off...

Model-driven development (MDD) has become a key technique in systems and software engineering, including the aeronautic domain. It facilitates on systematic use of models from a very early phase of the design process and through various model transformation steps (semi-)automatically generates source code and documentation. However, on one hand, the use of model-driven approaches for the development of configuration data is not as widely used as for source code synthesis. On the other hand, we believe that, particular systems that make heavy use of configuration tables like the ARINC 653 standard can benefit from model-driven design by (i) automating error-prone configuration file editing and (ii) using model based validation for early error detection. In this paper, we will present the results of the European project DIANA that investigated the use of MDD in the context of Integrated Modular Avionics (IMA) and the ARINC 653 standard. In the scope of the project, a tool chain was implemented that generates ARINC 653 configuration tables from high-level architecture models. The tool chain was integrated with different target systems (VxWorks 653, SIMA) and evaluated during case studies with real-world and real-sized avionics applications.

A detailed generic model of the control design process is introduced and discussed. It is used for surveying different formal approaches in the context of PLC programming. The survey focuses on formal methods for verification and validation (V&V). The varying works in this area are categorized using three criteria: the general approach (A) to the task (model based, constraint based or without a model), the formalism (F) (Petri net, automata, etc.,) used to state the formal description, and the method (M) (model-checking, reachability analysis, etc.,) used to analyze the properties. Based on these three criteria (A-F-M) a three letter code for V&V approaches is introduced. Some works from the multitude of V&V research are presented and categorized using this new system

Compiler compilers are in widespread use, but decompiler compilers are a more novel concept. This paper presents an approach for the decompilation of object code back to source code using a decompiler generator. An example decompilation is presented. Potential applications include reverse engineering, quality assessment, debugging and safety-critical code validation or verification.

Safety-critical systems require the utmost care in their specification and design to avoid errors in their implementation, using state of the art techniques in a responsible manner. To do otherwise is at best unprofessional and at worst can lead to disastrous consequences. An inappropriate approach could lead to loss of life, and will almost certainly result in financial penalties in the long run, whether because of loss of business or because of the imposition of fines. Legislation and standards impose external pressures, but education and ethical considerations should help provide more self-imposed guidelines for all those involved in the production of safety-critical systems. This paper considers some of the issues involved, with pointers to material providing greater depth in particular areas, especially with respect to the use of formal methods.

Outlier detection is an important branch in data mining, which is the discovery of data that deviate a lot from other data patterns. Outlier identification can be classified in to formal and informal methods. This paper deals the informal methods also called as labeling methods. Identification of outliers in real time medical data using outlier labeling methods was studied. There are several labeling methods applying in practical situation in the dataset are computed. Finally the estimated results of the outliers are more appropriate way to resolving the large populations.

The safety aspects of computer-based systems as increasingly important as the use of software escalates because of its convenience and flexibility. However the complexity of even modestly sized programs is such that the elimination of errors with a high degree of confidence is extremely difficult. There are a number of approaches to enhancing safety in safety-critical control systems. These are surveyed and compared with particular emphasis on systems with software in the controlling system. A glossary of terms and an extensive bibliography for further reading are included.

Space syntax is a significant theory / tool, describing buildings and cities as evolutionary processes and offering valuable support to architectural and urban design. However, theory and analytical research are different from the processes that characterise the generation of ideas in design practice. This chapter elaborates first, on the differences and intersections of analytical knowledge and intentional design; second, on some projects charged with integrating space syntax analysis in the studio. Considering design as a propositional field manipulating elements and relations through intuition and logical order, we argue that classification forms a crucial concept in design thinking, serving as a tool for design generation and invention. We propose a 'bisociative' approach as the intellectual synthesis of relations in two domains, the 'form-of-a-class' and the 'syntax-of-a-class'. The former refers to conceptual relations of similarity and difference in design, while the latter describes topological properties among elements of built space. Based on the membership of elements in the same or different domains, we identify two fundamental modes of design operation, the 'convergent' and 'divergent' modes. Bisociation can be used in the design studio to generate ideas while maintaining intellectual synthesis and rigour. 6.1 Introduction Doing architecture involves intuition, imagination and virtuosity. Equally important is engaging deeply with a design through intellectual thinking. When we do architecture, we deal with making and reflecting on what we make at the same time. How do we interface designing and reflecting, action and reasoning, evaluation and formulation? How do designs employ analytic understanding and design experimentation? Bill Hillier suggests that architects use quasi-theoretical ideas derived from a wide range of forms which are intuitively evaluated in the design process. He argues for an analytic theory, underpinning his proposition that architecture involves comparative theoretical knowledge about a wide range of configurations in the field of possibility, aiming at innovation rather than cultural reduplication (Hillier