J. Rushby. Formal Methods and the Certification of Critical Systems. Technical Report CSL-93-7, 1993. Available on line: http://www.csl.sri.com/papers/csl-93-7/
....number of bugs in a delivered software product, although a similar effect was not observed before testing. The most likely reason for this is that the formal specification led to relatively simple and independent components, which allowed for straightforward unit testing. According to Rushby [102], the use of mathematics in design and construction to ensure product quality is common practice in established engineering disciplines, such as bridge or aircraft building, and even computer (hardware) construction, where one applies mathematically expressed physical and other natural laws to ....
....meaning of symbols is intentionally ignored and all computation is done using specified computational rules. In this thesis, we will distinguish these two meanings by reserving the word "formal" for the second meaning; when we speak of the first meaning, we use the term "formalized". John Rushby [102] suggests a four-level classification of the usage of formal methods in software development processes: Level 0: Formal methods are not used. Most software development is on Level 0, but this need not be a bad thing. Even if formal methods are not used at all, the development processes themselves ....
John Rushby. Formal Methods and the Certification of Critical Systems. Tech. Rep. SRI-CSL-93-7, Computer Science Laboratory, SRI International, Menlo Park, CA, Dec. 1993.
....This result holds for all of the relations defined in the semantics, and all possible pieces of syntax. An expression is lval_safe if the RHSs of all assignment expressions within it are always either wrapped in a RVR construct, are values, are undefined, or are binary operators. This property is preserved by expression evaluation. (24 lines) lval_safe(e) ⇒ lval_safe(e'). This result is useful because it reassures us that we will never get lvalues at the top level of the RHS of an assignment .... [Footnote: Rushby calls these theorems formal challenges [Rus93].]
John Rushby. Formal methods and the certification of critical systems. Technical Report CSL-93-7, Computer Science Laboratory, SRI International, Menlo Park, CA 94025, USA, November 1993.
....that formal techniques increase development time, that they require extensive personnel training, or that they are incompatible with other software packages. Experts in formal methods have analyzed this situation and provided useful insights into the reasons for this low level of acceptance [1, 4, 7, 10, 16, 17]. Although there are several reasons for this low level of acceptance, in this paper we address two important and related reasons in the area of formal specification. The first is the relative lack of effective tool support for the preparation and manipulation of formal specifications [13] and ....
John Rushby. Formal Methods and the Certification of Critical Systems. Technical Report CSL-93-7, SRI International, December 1993
.... domain descriptions closer to computer executed models, domain models can help (Figure 1): 1) Introduce computer support to design of computer programs at early stages of their development, from helping to precisely capture requirements within a specification, validating this specification [13] (to see if theorems we could deduce were indeed expected) to producing prototype software [4]; 2) Provide formal semantics to domain specific languages [12] capturing the basic concept from the domain explicitly (well understood by the experts) [2] translation into the mathematics of the model ....
J. Rushby. Formal Methods and the Certification of Critical Systems. Technical report, SRI, 1993.
....of the valid inputs to the local application. This architecture is loosely coupled [6] as each lane takes in available inputs and reaches an independent decision. The IFPCS system drives high gain actuators of a military fast jet, so even a small error on an output could represent a hazard [7]. The outputs that go to the system's environment are checked by the output cross monitor provided in the physical architecture. Table 3 shows how the functional architecture described above responds to each of the challenges to functional integration shown in Table 1. To illustrate how this ....
....becoming the determining factor in system. For example, with reconfiguration, there are design principles still to be resolved: When is a reconfiguration deemed to be necessary? How large must the error be, and does the tolerance lead to unpredictable system behaviour in the presence of faults? [7]. How much spare capacity should be provided in the physical architecture? Too few may result in the safety critical applications thrashing amongst one another for resources; too many would impose a weight and maintenance penalty and increase life cycle costs. Other issues include the need to ....
Rushby J, "Formal Methods and the Certification of Critical Systems", SRI International Computer Science Laboratory, SRI-CSL-93-07, Menlo Park California, November 1993
....safety case is the accumulation of evidence from different sources that establishes the rational basis for the decision that a safety critical computer system is safe to deploy. The formal analysis of critical algorithms that are used in the system can form a convincing argument in the safety case [16]. The present formal validation technologies have already achieved a level of maturity that allows them to contribute to the validation of safety critical systems. In the future, the contributions of these formal methods are expected to increase. 7. CONCLUSION It is dangerous to write a ....
Rushby, J. (1993). Formal Methods and the Certification of Critical Systems. Computer Science Lab, SRI.
....proved complete (GRIND) Appendix E Further reading. We give a brief overview, where the interested reader can find related literature. • On similar applications: [Hal96, DS97, MPN95] • On requirements engineering: [LK95, Wie96, SS97, Zav97] • On formal methods: [HB95, Rus93, Rus95, CW96] • On PVS: [SSJ96, ORSH95] • Other formalisms: [Spi92, SBC92, Jon90, BBP87, MP92, Lam94, GP94, BB87, Lyn88, OSRSC98] • ORKEST publications: [PHJ98, PHJ99] ....
J. Rushby. Formal methods and the certification of critical systems. Technical Report SRI-CSL-93-7, SRI International, Menlo Park, CA, 1993.
.... is characterized by a formal specification language and a set of rules governing the manipulation of expressions in that language [5]. While the advantages to using formal methods are significant, including the use of notations that are precise, verifiable, and facilitate automated processing [5, 6, 7, 8], attempting to construct a formal specification directly from an informal, high level requirements document can be challenging. Formal descriptions potentially involve considerable syntactic detail and require careful planning and organization on the part of the specifier in order to obtain ....
....or the interpretation thereof, can require significant and tedious reorganization of the formal description. Using formal specification languages facilitates the early evaluation of a software design and verification of its implementation through the use of formal reasoning techniques [5, 6, 9, 8] or static analysis techniques [10, 11, 12]. A formal specification can be rigorously manipulated to allow the designer to assess the consistency, completeness, and robustness of a design before it is implemented. Each step in the development process can be supported by mathematical proof, thus ....
J. Rushby, "Formal methods and the certification of critical systems," Technical Report SRI-CSL-93-07, SRI International, Computer Science Laboratory, 333 Ravenswood Ave., Menlo Park, CA 94025-3493, November 1993. Available via anonymous ftp from ftp.csl.sri.com.
....as poor. Formal methods have been used with success in hardware development [Hei98] but in software development they have been used rarely, their use being restricted mainly to safety critical software. Many reasons have been suggested for this in the literature [Sai96, Hal90a, Hoa96, Str89, Rus93], some of the most common being: 1. Problems finding the right level of abstraction. 2. Lack of education (on the user's part). 3. Hard to write good specifications. 4. Difficult to understand (highly specialised). 5. Absence of structure and method. 6. Lack ....
J. Rushby. Formal methods and the certification of critical systems. Technical Report CSL-93-7, SRI International, 1993.
....frequently elicit requirements for applications they do not understand. A trade off is mandatory. 2. A clear separation between people developing semi formal specifications and their formal counterparts. This is a direct consequence of the above constraint as well. As remarked by J. Rushby [8], developing a formal specification is so specific a job that it should be done only by a few specialised people. This clear separation is shown in Figure 1. Consequently we suggested superseding the elicitation and specification phases by the following mini SLC. 1. The building of a ....
J. Rushby. Formal methods and the certification of critical systems. Technical Report CSL-93-7, SRI International, CSL, 1993.
.... of inconsistencies [EC97]. For satisfactory validation, the theory needs to be able to stand up to critical examination by the customer (or user) [Rus93]. One of the most useful techniques for validation is to test an animated form of the requirements [Muk95, WE92]. Even when an animated version is available, however, it is not easy to pinpoint the causes of bugs and subsequently provide the correct revision that eliminates them. 1.1 Theory .... [Footnote: sometimes these are called requirements models to emphasise that they are used to investigate the behaviour of the hypothesised requirements.]
J Rushby. Formal Methods and the Certification of Critical Systems. Technical Report CSL-93-7, Computer Science Laboratory, SRI International, Menlo Park CA 94025 USA, December 1993.
....of the problem. 1.1 Requirements specifications verification. Formal Methods are the use of mathematical techniques in Computer Science; in particular, formal methods allow properties of a computer system to be predicted from a mathematical model of the system by a process akin to calculation [11]. Requirements engineering specifications can greatly benefit from formal methods when the correctness of specifications and proofs needs to be justified. Several formal specification languages were devised with this vision in mind; Albert II [4] is one of them. Albert II is based on an ontology ....
.... is less reliant on human intuition by using techniques based, mainly, on the axiomatic method of mathematics, and by requiring that all assumptions and all reasoning steps be made explicit, and furthermore that each reasoning step be an instance of a very small number of allowed rules of inference [11]. Specifications, particularly requirements specifications, need to be validated against informal expectations, which is generally done by human review and inspection. If we were programming, we might run a couple of test cases; some people advocate something similar, often called ....
John Rushby. Formal methods and the certification of critical systems. Technical Report CSL-93-7, Computer Science Laboratory, SRI International, Menlo Park CA 94025 USA, December 1993.
....aspects of the real system are primordial in this process. The third issue is one of logic. If subclaims and evidence components are properly formalised in some system, the former could be logically derived from the latter. The connection between valid and provable as clearly explained in [Rushby 1993] is of the same nature as between semantics and syntax. This connection, in model theory, is established by interpretations that associate a true or a false (informal) statement about some real world domain with each formula of a formal system. The purpose is to make the syntactical notions of ....
J. Rushby, "Formal Methods and the Certification of Critical Systems", Technical report CSL-93-7, SRI International, CA, December 1993.
....precise, and verifiable. A requirements specification that satisfies the packaging properties is modifiable, readable, and organized for reference and review. Rushby also provides an excellent list of criteria to consider when choosing a formal specification method in his report for NASA [Rus93]. The list is divided into criteria for the notation and criteria for the utilities. The criteria suggested by these two authors are not systematically derived from a clearly defined basis for evaluation, but from their vast ....
Rushby, John. "Formal Methods and the Certification of Critical Systems." Technical Report CSL-93-7, SRI International, December 1993.
....Evaluation of Formal Methods. Various authors have proposed evaluation criteria for formal methods and used them in a variety of ways. Rushby introduced some ideas intended to help practitioners select a verification system and also offered a set of evaluation criteria for specification notations [15]. Faulk also proposed a set of evaluation criteria for specification notations [5]. A comprehensive approach to evaluation and some results were presented by Ardis et al. [1]. In this work, a set of criteria was established for the evaluation of formal specification notations and the set was then ....
John Rushby. Formal Methods and the Certification of Critical Systems. Technical Report CSL-93-7, SRI International, December 1993.
....Using formal logic we eliminate the second cause of error, so that our conclusions are as good as our premises. Programming is dependent on a set of requirements that provide the premises of our formal specification. It is unfortunate that it is in this area that the most errors are to be found (Rushby 1993, McIver 1995). However, by using a formal approach to programming, we can alleviate the potential for errors in specifications. The question "Why use formal methods?" is controversial and could take up this whole report, but it begs some response. Program verification could be done by running ....
....as a result of accidents, is high. It is, of course, desirable to be able to defend against such actions and to be able to state conclusively that a design is correct. However, as demonstrated in the British Viper microprocessor case, the question of what constitutes a formal proof is controversial (Rushby 1993, pp. 86-87). It is even more desirable to be able to design a system that is not prone to system related accidents. A more formal approach to requirement writing is desirable, in this respect. Formal methods should be seen as an aid to program development, but to imply more is risky. The ....
Rushby, J. (1993), Formal methods and the certification of critical systems, Technical report, Computer Science Laboratory, SRI International, Menlo Park CA 94025 USA. CSL-93-7 and NASA CR 4551.
....techniques of mathematical proof can be applied to verify properties of system specifications. Although these proofs can be done by hand, that is an error prone and unconvincing approach, especially as the proofs tend to be shallow and many, rather than deep and few. Automated verification tools [10] can be built for Z [17, 18, 21] which help in several ways, and offer greater assurance in the correctness of proofs. Proof is cost effective whenever the value of the extra assurance that it gives exceeds the cost of doing it. Initial use of Z is consequently concentrated in critical ....
J. Rushby. Formal methods and the certification of critical systems. Technical Report SRI-CSL-93-07, SRI International, November 1993.
....formally verify that the given schedule (a guessed solution) for a particular problem instance indeed satisfies these criteria. Furthermore, we would like to permit changes in the given schedule, to achieve feasibility or to improve system performance (e.g. processor utilization). Formal methods [4, 10] provide extensive support for automated and exhaustive state exploration over the formal verification process, to systematically (and formally) analyze the operations of a given protocol. Formal methods enable us to precisely specify system requirements, design assumptions, and the design, ....
J. Rushby, "Formal Methods and the Certification of Critical Systems," SRI-TR CSL-93-7, Dec. 1993.
....chosen value has the required properties and continues. In effect, this form of execution has the user act as an oracle where decision procedures would be infeasible. An interesting view on this issue is found in a recent report on formal methods and the certification of safety critical systems [16]. Rushby (page 68) considers there is a limit to what can be achieved by inspection. More effective scrutiny requires challenging the specification. This can be done, it is claimed, by posing questions such as "does sort(sort(x)) = sort(x)?" Such questions can be answered by theorem proving, ....
....It is therefore essential that execution be used in conjunction with other methods of validation. Certainly we do not expect that execution will bring to light deeper problems with specifications, except accidentally. For thorough examination of the consequences of definitions we support Rushby's [16] methodology of challenging the specification. These challenges can only be answered positively by proof, whether oral, on paper, or computer supported. We note however the powerful technique of automatically finding counter examples which is possible for model checking of finite state machines, ....
Rushby, J.: `Formal Methods and the Certification of Critical Systems', report SRI-CSL-93-07, (SRI International, 1993)
....implementation complies with the requirements to correctly deliver the desired services, i.e. verification and validation. Currently, verification techniques to establish the correctness of a protocol utilize analytical techniques such as hand proofs, Markovian, Petri Nets, etc. Formal methods [13], a family of mathematical and logical techniques used to reason about computer systems, are also seeing increasing usage in this verification process. Their main thrust, so far, has been for the verification of algorithms or protocols, and specifically, on finding design stage flaws in algorithms ....
Rushby, J., "Formal Methods and the Certification of Critical Systems," SRI-TR CSL-93-7, Dec. 1993.
....is limited only by the truth of the proposition being proven and the skill and effort of the analyst. Studies of the application of formal methods, and their associated proof techniques, suggest that even with automated assistance proof construction for realistic programs requires enormous effort [18, 67]. Efforts to automatically construct proofs are limited in generality by the halting problem. Mechanical proof assistants for limited domains have been developed [44]; such an approach is pessimistic. When presented with a program that satisfies a specified property a proof assistant may fail to ....
Rushby, J. Formal methods and the certification of critical systems. Technical report, Computer Science Laboratory, SRI International, 1993.
John Rushby. Formal methods and the certification of critical systems. Technical Report SRI-CSL-93-7, Computer Science Laboratory, SRI International, Menlo Park, CA, December 1993. Also issued under the title Formal Methods and Digital Systems Validation for Airborne Systems as NASA Contractor Report 4551, December 1993.
Rushby, J.: "Formal Methods and the Certification of Critical Systems", Computer Science Lab. of SRI Int'l Tech. Report CSL-93-7, Dec. 1993; also published as: "Formal Methods and Digital Systems Validation for Airborne Systems", NASA Contractor Report CR-4551.
J. Rushby, "Formal Methods and the Certification of Critical Systems," SRI-TR CSL-93-7, Dec. 1993.