| L. E. Moser and P.M. Melliar-Smith. Formal Verification of Safety-Critical Systems. Software -- Practice and Experience, 20(8):799--821, August 1990. |
....the failure rate of a program to about 10^-4 per hour (approximately 1 failure per year), and faster, more complex computers can only make matters worse. It has been suggested that only an improvement factor of about 10 may be achievable using fault tolerance approaches such as N-version programming [101]. In fact, the benefits of these techniques are still a matter of some contention [78]. Combining these gives a figure of around 10^-5, but most safety-critical situations demand a figure of nearer 10^-9 or even 10^-10 (e.g. see [FAA82]). This leaves us with an enormous gap between what is ....
.... of life-threatening failure of less than 10^-10 per hour during a ten-hour flight [FAA82]. Formal methods were used in the SIFT project in order to try and bridge the gap between this failure rate and the 10^-5 which can be achieved with other techniques such as testing and fault tolerance [101]. SIFT is designed to operate safely in the presence of hardware faults by replication of processors and adaptive majority voting. In contrast to other majority-voted systems, the voting mechanism that detects and masks hardware faults is implemented entirely in software. It is this software, or ....
[Article contains additional citation context not shown here]
MOSER, L.E., and MELLIAR-SMITH, P.M.: 'Formal verification of safety-critical systems', Software --- Practice and Experience, August 1990, 20, (8), pp. 799--821
....the failure rate of a program to about 10^-4 per hour (approximately 1 failure per year), and faster, more complex computers can only make matters worse. It has been suggested that only an improvement factor of about 10 may be achievable using fault tolerance approaches such as N-version programming [86]. In fact, the benefits of these techniques are still a matter of some contention [71]. Combining these gives a figure of around 10^-5, but most safety-critical situations demand a figure of nearer 10^-9 or even 10^-10 (e.g. see [FAA82]). This leaves us with an enormous gap between what is ....
.... of life-threatening failure of less than 10^-10 per hour during a ten-hour flight [FAA82]. Formal methods were used in the SIFT project in order to try and bridge the gap between this failure rate and the 10^-5 which can be achieved with other techniques such as testing and fault tolerance [86]. SIFT is designed to operate safely in the presence of hardware faults by replication of processors and adaptive majority voting. In contrast to other majority-voted systems, the voting mechanism that detects and masks hardware faults is implemented entirely in software. It is this software, or ....
[Article contains additional citation context not shown here]
MOSER, L.E., and MELLIAR-SMITH, P.M.: 'Formal verification of safety-critical systems', Software --- Practice and Experience, August 1990, 20, (8), pp. 799--821
....modelling techniques, the two approaches do not exclude but complement each other. The methods captured in agendas can only be worked out by highly competent individuals. 5.2 Safety-critical systems. Moser's and Melliar-Smith's approach to the formal verification of safety-critical systems [31] comprises the specification, design and implementation phases. They use a reliability model for the processors that execute the program. This enables them to take computer failures into account, an aspect we do not address. On the other hand, their approach does not cover the validation of the ....
Louise E. Moser and P.M. Melliar-Smith. Formal verification of safety-critical systems. Software -- Practice and Experience, 20(8):799--821, August 1990.
.... injuries from massive overdoses of radiation between 1985 and 1987 before the problems were acknowledged and corrected [17]. A safe system is one that is free from accidents or unacceptable losses [19]. There is important research and development being done in providing intrinsically safe systems [12, 23, 24, 28, 29], systems incapable of evolving into a state that could lead to injury or loss of life. But the goal of an intrinsically safe system is difficult to achieve for some of today's complex, dynamic applications running in parallel or distributed environments. Adapting guidelines established by system ....
....system, so that safety-critical actions do not occur without the consent of the safety kernel. The safety kernel is itself a system that must be rigorously safe and, thus, does not itself solve the safety problem, but perhaps reduces it to a size that can be tackled successfully by other methods [24]. Assertion Checking in Real-Time Systems. Gerber's work [9] on guaranteeing end-to-end timing constraints is an automated design methodology that generates a solution for a set of tasks that keeps consistent a set of end-to-end timing constraints. Gerber's work is a prevention approach with the ....
Louise E. Moser and P.M. Melliar-Smith. Formal verification of safety-critical systems. Software - Practice and Experience, 20(8):799--821, August 1990.
....tool support available. Both of these formalisms are weaker than the ones we chose. OBJ only allows one to state conditional equations, and the Hoare calculus is a proper subset of dynamic logic. Like our work, Moser's and Melliar-Smith's approach to the formal verification of safety-critical systems [MMS90] comprises the specification, design and implementation phases. The transition from an abstract top-level specification to a detailed specification suitable as a basis for program development is done by stepwise refinement. This activity is covered by Step 4 of our approach. Moser and ....
Louise E. Moser and P.M. Melliar-Smith. Formal verification of safety-critical systems. Software -- Practice and Experience, 20(8):799--821, August 1990.
.... is a promising way of giving increased confidence in safety-critical systems [23]. From a theoretical point of view, the only techniques that can be shown to provide the level of safety required in many safety-critical applications are the formal methods, cf. for example Moser and Melliar-Smith [94]. They potentially promise to eradicate design and implementation errors by proving mathematically that the resulting code conforms to the software specification. Another strong feature of formal specifications is their potential for improving system and software specifications [17]. As a means of ....
L. E. Moser and P. M. Melliar-Smith. Formal verification of safety-critical systems. Software---Practice and Experience, 20(8):799--821, August 1990.
....to software. At the highest level of the hierarchy, and the most desirable to achieve, is a safe system. A safe system is one that is free from accidents or unacceptable losses [Lev95]. There is important research and development being done in providing intrinsically safe systems [HL96, Lut93, MMS90, RPRL96, RL96], systems incapable of evolving into a state that could lead to injury or loss of life. But the goal of an intrinsically safe system is difficult to achieve for some of today's complex, dynamic applications running in parallel or distributed environments. In the hierarchy of safety ....
Louise E. Moser and P.M. Melliar-Smith. Formal verification of safety-critical systems. Software - Practice and Experience, 20(8):799--821, August 1990.
....by-wire or the Space Shuttle's guidance systems. Such systems often require (sometimes by law) extremely low failure rates; for example, a figure of 10^-9 failures, i.e. deviations from their specifications, per hour of operation has been suggested for certain aerospace applications [aer82, MMS90]. It has been argued [MMS90, Dun86, BS93] that conventional testing mechanisms employed to detect software defects cannot be relied upon to guarantee such low failure rates, suggesting that failure rates much lower than 10^-4 or 10^-5 failures per hour of operation cannot be ensured ....
....guidance systems. Such systems often require (sometimes by law) extremely low failure rates; for example, a figure of 10^-9 failures, i.e. deviations from their specifications, per hour of operation has been suggested for certain aerospace applications [aer82, MMS90]. It has been argued [MMS90, Dun86, BS93] that conventional testing mechanisms employed to detect software defects cannot be relied upon to guarantee such low failure rates, suggesting that failure rates much lower than 10^-4 or 10^-5 failures per hour of operation cannot be ensured by conventional means ....
[Article contains additional citation context not shown here]
L. E. Moser and P. M. Melliar-Smith. Formal verification of safety-critical systems. Software -- Practice and Experience, 20(8), 1990.
.... injuries from massive overdoses of radiation between 1985 and 1987 before the problems were acknowledged and corrected [11]. A safe system is one that is free from accidents or unacceptable losses [17]. There is important research and development being done in providing intrinsically safe systems [8, 15, 16, 20, 21], systems incapable of evolving into a state that could lead to injury or loss of life. But the goal of an intrinsically safe system is difficult to achieve for some of today's complex, dynamic applications running in parallel or distributed environments. Adopting guidelines established by system ....
Louise E. Moser and P.M. Melliar-Smith. Formal verification of safety-critical systems. Software - Practice and Experience, 20(8):799--821, August 1990.
....rate of a program to about 10^-4 per hour (approximately 1 failure per year), and faster, more complex computers can only make matters worse. It has been suggested that only an improvement factor of about 10 may be achievable using fault tolerance approaches such as N-version programming [86]. In fact, the benefits of these techniques are still a matter of some contention [71]. Combining these gives a figure of around 10^-5, but most safety-critical situations demand a figure of nearer 10^-9 or even 10^-10 (e.g. see [FAA82]). This leaves us with an enormous gap ....
.... failure of less than 10^-10 per hour during a ten-hour flight [FAA82]. Formal methods were used in the SIFT project in order to try and bridge the gap between this failure rate and the 10^-5 which can be achieved with other techniques such as testing and fault tolerance [86]. SIFT is designed to operate safely in the presence of hardware faults by replication of processors and adaptive majority voting. In contrast to other majority-voted systems, the voting mechanism that detects and masks hardware faults is implemented entirely in software. It is this software, or ....
[Article contains additional citation context not shown here]
MOSER, L.E., and MELLIAR-SMITH, P.M.: 'Formal verification of safety-critical systems', Software --- Practice and Experience, August 1990, 20, (8), pp. 799--821
....rate of a program to about 10^-4 per hour (approximately 1 failure per year), and faster, more complex computers can only make matters worse. It has been suggested that only an improvement factor of about 10 may be achievable using fault tolerance approaches such as N-version programming [101]. In fact, the benefits of these techniques are still a matter of some contention [78]. Combining these gives a figure of around 10^-5, but most safety-critical situations demand a figure of nearer 10^-9 or even 10^-10 (e.g. see [FAA82]). This leaves us with an enormous gap ....
.... failure of less than 10^-10 per hour during a ten-hour flight [FAA82]. Formal methods were used in the SIFT project in order to try and bridge the gap between this failure rate and the 10^-5 which can be achieved with other techniques such as testing and fault tolerance [101]. SIFT is designed to operate safely in the presence of hardware faults by replication of processors and adaptive majority voting. In contrast to other majority-voted systems, the voting mechanism that detects and masks hardware faults is implemented entirely in software. It is this software, or ....
[Article contains additional citation context not shown here]
MOSER, L.E., and MELLIAR-SMITH, P.M.: 'Formal verification of safety-critical systems', Software --- Practice and Experience, August 1990, 20, (8), pp. 799--821
....is the approach to system verification. In SIFT and MAFT, serious consideration was given to the need to mathematically reason about the system. In FTMP and FTP, the verification concept was almost exclusively testing. Among previous efforts, only the SIFT project attempted to use formal methods [9]. Although the SIFT operating system was never completely verified [10], the concept of Byzantine Generals algorithms was developed [7], as was the first fault-tolerant clock synchronization algorithm with a mathematical performance proof [6]. Other theoretical investigations have also addressed ....
Louise E. Moser and P. M. Melliar-Smith. Formal verification of safety-critical systems. Software -- Practice and Experience, 20(8):799--821, August 1990.
....we can demonstrate the theorem a b for the abstract specifications, using the RTGIL theorem prover. This allows the verification to begin with the demonstration of simple properties of small components of the system and to build up to the demonstration of complex properties of the entire system [Moser and Melliar-Smith 1990]. 3. THE GRAPHICAL EDITOR. The graphical editor of the RTGIL environment, shown in Figure 1, enables the user to construct and edit RTGIL formulas on a workstation display. It is a syntax-directed editor that uses an attribute grammar definition of RTGIL for its implementation. Syntax-directed ....
....the error or omission in the proof. 7. RELATED WORK. The original idea of the graphical environment and the need for temporal reasoning with real-time constraints arose from our experience with the EHDM specification and verification system [Crow et al. 1990] and the design verification of SIFT [Moser and Melliar-Smith 1990]. RTGIL has evolved from the interval logic of Schwartz, Melliar-Smith and Vogt [Schwartz et al. 1983], a textual interval logic for which formulas were illustrated with graphical depictions [Melliar-Smith 1988]. From that textual logic and its graphical depictions, we developed GIL [Dillon et al. ....
MOSER, L. E. and MELLIAR-SMITH, P. M. 1990. Formal verification of safety-critical systems. Softw. Pract. Exp. 20, 8 (Aug.), 799--821.
Louise Moser and Michael Melliar-Smith. "Formal Verification of Safety-Critical Systems." Software -- Practice and Experience 20(8), August 1990.