P. Mukherjee and V. Stavridou. The Formal Specification of Safety Requirements for Storing Explosives. Formal Aspects of Computing, 5(4):299--336, 1993.


This paper is cited in the following contexts:
Specifying Embedded Systems with Statecharts and Z: An.. - Grieskamp, Heisel, Dörr (1998)   (7 citations)

....validation of the top level specification, an issue that we pay particular attention to. The use of model based languages like Z or VDM [27] in the area of system safety has been thoroughly investigated. Several case studies use VDM, e.g. the British government regulations for storing explosives [32], a railway interlocking system [15] and a water level monitoring system [44]. Mukherjee's and Stavridou's as well as Hansen's work, however, focus on adequately modelling safety requirements, independently of the question of whether software is employed or not. Consequently, they do not discuss ....

Paul Mukherjee and Victoria Stavridou. The formal specification of safety requirements for storing explosives. Formal Aspects of Computing, 5:299--336, 1993.


The Utility Space Of Requirements Engineering - Johnson

....question of validation. Without empirical evidence, it is difficult to determine whether our models actually capture widely held attitudes towards the costs and benefits of requirements engineering. A number of surveys into industrial requirements engineering have been used to avoid this criticism [2, 9, 11, 20, 22]. Many of these sources adopt particular perspectives upon development. These viewpoints have also been characterised in terms of utility curves, for instance see figure 3.2. 3 Under Investment in Requirements Engineering. Boehm argues that only 6 of project costs are allocated towards ....

....Executive that safety requirements have been identified. The U.K. Defence Standard 00-55 plays a similar role in the military acquisition process. A minimum level of requirements expenditure is enforced by the identification of approved development techniques, including the use of formal methods [22]. Regulation and legislation ensure that low levels of expenditure on requirements engineering result in very low levels of utility; proposed systems will be rejected as unsafe. Figure 6 illustrates the way in which regulatory authorities affect developers' attitudes. Resource Allocation On ....

P. Mukherjee and V. Stavridou. The formal specification of safety requirements for storing explosives. Formal Aspects Of Computing, 5:299--336, 1993.


Six Steps Towards Provably Safe Software - Heisel (1995)

....Related Work Our choice of Z for the specification of safety critical systems is not completely out of the way, as a look at the literature shows. Several case studies have been performed using the specification language VDM [Jon90], e.g. the British government regulations for storing explosives [MS93], a railway interlocking system [Han94] and a water level monitoring system [Wil94]. VDM and Z are based on similar concepts and have the same expressive power (and weaknesses). Mukherjee's and Stavridou's as well as Hansen's work, however, place the focus on the adequate modeling of safety ....

Paul Mukherjee and Victoria Stavridou. The formal specification of safety requirements for storing explosives. Formal Aspects of Computing, 5:299--336, 1993.


Response to "The Formal Specification of Safety Requirements for.. - Larsen (1994)   (2 citations)

....Aspects of Computing (1994) 3: 1-000 © 1994 BCS. Response to "The Formal Specification of Safety Requirements for Storing Explosives". Peter Gorm Larsen, The Institute of Applied Computer Science, Odense, Denmark. Abstract. This short communication is a response to [MS93] investigating their ACS system specification. The main point in this paper is that executing specifications can be used as a feasible way of validating them. It is essential to have tool support which enables one to write a generally not executable specification, and then prototype (parts of) it ....

....way of validating them. It is essential to have tool support which enables one to write a generally not executable specification, and then prototype (parts of) it directly in the specification language, without translating it into some other prototyping language. 1. Introduction The emphasis in [MS93] on following the guidelines from the interim MOD defence standard 00-55 is very interesting. However, we would like to focus on the need for appropriate tool support to gain the full benefit from using formal specifications. In particular we would like to stress that we feel that for industrial ....

[Article contains additional citation context not shown here]

P. Mukherjee and V. Stavridou. The Formal Specification of Safety Requirements for Storing Explosives. Formal Aspects of Computing, 5(4):299--336, 1993.


An Approach to Develop Provably Safe Software - Heisel

....Related Work Our choice of Z for the specification of safety critical systems is not completely out of the way, as a look at the literature shows. Several case studies have been performed using the specification language VDM [Jon90], e.g. the British government regulations for storing explosives [MS93], a railway interlocking system [Han94] and a water level monitoring system similar to the one presented in the present paper, see [Wil94]. VDM and Z are based on similar concepts and have the same expressive power (and weaknesses). Mukherjee's and Stavridou's as well as Hansen's work, however, ....

Paul Mukherjee and Victoria Stavridou. The formal specification of safety requirements for storing explosives. Formal Aspects of Computing, 5:299--336, 1993.


Limitations of Formal Methods and an Approach to Improvement - Liu, Adams (1995)   (2 citations)

....could be satisfactory. However, in reality a software project always has time, budget and labour limits, and these limits are often beyond the tolerable range which formal development processes offer. This seems to be one of the serious elements to affect the widespread use of formal methods [Mukherjee, Stavridou 93] [Cyrus et al. 91] [PRAXIS 93]. How to improve the efficiency of using formal methods is an important theme for research in order to promote the applications of formal methods in industry. 3.8 Discussion From the previous analysis we can now understand that formal methods cannot exclude software ....

Paul Mukherjee and Victoria Stavridou, "The Formal Specification of Safety Requirements for Storing Explosives", Formal Aspects of Computing, 5(4), pp. 299-336, 1993.


A Proof of Satisfiability in Mukherjee and Stavridou's.. - Fitzgerald (1997)   Self-citation (Mukherjee Stavridou)

.... Tool support for proof in VDM is under development using a number of different general proof tools into which the proof theory for reasoning about VDM-SL models [3] is being embedded [10, 1]. In 1993 Paul Mukherjee and Victoria Stavridou published a formal model of an ammunition control system [13]. The model described in that paper was subjected to validation by inspection and by proof using the OBJ3 [7] proof tool. The process of formalisation of the model identified a number of discrepancies in the original storage regulations on which they were based. Larsen's response to Mukherjee and ....

....auxiliary results used in Section 3 are discussed in detail in Section 4. Finally, Section 5 reviews the proof. 2 The Model of the ACS This section gives the model of the ACS, closely following the presentation given by Mukherjee in [12]. Although a simplification of the specification given in [13], it is sufficient for this report's purposes. The model of the ACS system is based on the idea of a site: a place at which explosive objects may be stored. Within a given site, the ACS system is responsible for choosing a location at which an object may be stored safely. The choice of location ....

[Article contains additional citation context not shown here]

P. Mukherjee and V. Stavridou. The Formal Specification of Safety Requirements for Storing Explosives. Formal Aspects of Computing, 5(4):299--336, 1993.


Safety-Critical Systems, Formal Methods and Standards - Bowen, Stavridou (1993)   (11 citations)  Self-citation (Stavridou)

....of Dangerous Goods ("Orange Book") [UN64]. Similar arrangements operate in other NATO countries. The ammunition holdings of a number of MoD ranges in the UK are managed by an ammunition control software system (ACS) which has been subjected to extensive validation as well as formal specification [102]. Although ACS is not a real time system, it is nonetheless safety critical since incorrect storage combinations can lead to massive explosions. The ACS software became more safety critical as experienced technical staff were replaced by operators who needed to rely implicitly on the computer ....

....staff were replaced by operators who needed to rely implicitly on the computer output. It is therefore vital that the system correctly implements the appropriate MoD regulations since human intervention is not a feasible backup option. As an example of what can be done, Mukherjee and Stavridou [102] have produced a formal specification of the safety requirements in the Orange Book and related it to the operations performed and controlled under ACS in VDM. In particular, they address additions of explosives to magazines and extensions to facilities by means of additional magazines. They have ....

[Article contains additional citation context not shown here]

MUKHERJEE, P., and STAVRIDOU, V.: `The formal specification of safety requirements for the storage of explosives'. Technical Report No. DITC 185/91, National Physical Laboratory, Teddington, Middlesex TW11 0LW, UK, August 1991


Safety-Critical Systems, Formal Methods and Standards - Bowen, Stavridou (1992)   (11 citations)  Self-citation (Stavridou)

....of Dangerous Goods ("Orange Book") [UN64]. Similar arrangements operate in other NATO countries. The ammunition holdings of a number of MoD ranges in the UK are managed by an ammunition control software system (ACS) which has been subjected to extensive validation as well as formal specification [87]. Although ACS is not a real time system, it is nonetheless safety critical since incorrect storage combinations can lead to massive explosions. The ACS software became more safety critical as experienced technical staff were replaced by operators who needed to rely implicitly on the computer ....

....staff were replaced by operators who needed to rely implicitly on the computer output. It is therefore vital that the system correctly implements the appropriate MoD regulations since human intervention is not a feasible backup option. As an example of what can be done, Mukherjee and Stavridou [87] have produced a formal specification of the safety requirements in the Orange Book and related it to the operations performed and controlled under ACS in VDM. In particular, they address additions of explosives to magazines and extensions to facilities by means of additional magazines. They have ....

[Article contains additional citation context not shown here]

MUKHERJEE, P., and STAVRIDOU, V.: `The formal specification of safety requirements for the storage of explosives'. Technical Report No. DITC 185/91, National Physical Laboratory, Teddington, Middlesex TW11 0LW, UK, August 1991


Proof of Equivalence in the ACS specification - Mukherjee (1997)   Self-citation (Mukherjee)

....modification gives a more abstract representation of compatibility groups, allowing easier maintenance if and when regulations for the safe storage of explosives are altered. 1 Introduction In this report we describe the use of proof on the specification of the Ammunition Control System [4] (ACS). The ACS is a system used throughout the UK for controlling the safe storage of explosives. This specification has previously been analysed using a number of different techniques such as animation in the algebraic language OBJ3 [3] and syntax and type analysis using the IFAD VDM-SL Toolbox ....

....might be used. This report is organized as follows: first we describe the modification to the existing specification that we are making; then we present full formal proofs justifying the correctness of this modification. This report assumes familiarity with the ACS specification presented in [4]. The proof theory used is taken directly from [1] augmented by rules presented in the appendix. 2 Modification to the Specification We wish to make the treatment of compatibility more flexible. We do this by constructing a new module that deals exclusively with compatibility groups. For each ....

P. Mukherjee and V. Stavridou. The Formal Specification of Safety Requirements for Storing Explosives. Formal Aspects of Computing, 5(4):299--336, 1993.



The Practice of Formal Methods in Safety Critical Systems - Liu, Stavridou, Dutertre (1995)   (4 citations)  Self-citation (Stavridou)

....methods group at RHUL (Royal Holloway University of London) examined the ACS and the explosives regulations. They then constructed a formal model of the system and proceeded to formalise the associated safety requirements as well as to prove some properties of the specification using VDM [Mukherjee, Stavridou 1993b]. The model reflects two main aspects of the specification which are the storage of explosives in a particular magazine (a magazine is a building in which explosives are stored) and the construction of new buildings. The safety requirements include storing objects, adding magazines and composing ....

Paul Mukherjee and Victoria Stavridou, "The Formal Specification of Safety Requirements for Storing Explosives", Formal Aspects of Computing, 5(4), pp. 299-336, 1993.


Safety-Critical Systems, Formal Methods and Standards - Bowen, Stavridou (1993)   (11 citations)  Self-citation (Stavridou)

....of Dangerous Goods ("Orange Book") [UN64]. Similar arrangements operate in other NATO countries. The ammunition holdings of a number of MoD ranges in the UK are managed by an ammunition control software system (ACS) which has been subjected to extensive validation as well as formal specification [87]. Although ACS is not a real time system, it is nonetheless safety critical since incorrect storage combinations can lead to massive explosions. The ACS software became more safety critical as experienced technical staff were replaced by operators who needed to rely implicitly on the computer ....

....staff were replaced by operators who needed to rely implicitly on the computer output. It is therefore vital that the system correctly implements the appropriate MoD regulations since human intervention is not a feasible backup option. As an example of what can be done, Mukherjee and Stavridou [87] have produced a formal specification of the safety requirements in the Orange Book and related it to the operations performed and controlled under ACS in VDM. In particular, they address additions of explosives to magazines and extensions to facilities by means of additional magazines. They have ....

[Article contains additional citation context not shown here]

MUKHERJEE, P., and STAVRIDOU, V.: `The formal specification of safety requirements for the storage of explosives'. Technical Report No. DITC 185/91, National Physical Laboratory, Teddington, Middlesex TW11 0LW, UK, August 1991



CiteSeer.IST - Copyright Penn State and NEC