John Rushby. Formal Methods and Digital Systems Validation for Airborne Systems. NASA Contractor Report 4551 (also SRI-CSL-93-07, Computer Science Laboratory, SRI International, Menlo Park, CA), December 1993.

This paper is cited in the following contexts:
A Unified Approach to Hardware Verification through Heterogeneous .. - Fisler (1996)   (8 citations)

....: different problem domains lend themselves to different types of diagrams or tables: "a formal specification method built around a particular diagrammatic or tabular notation may have rather restricted application, and limited mechanized support for general forms of analysis" [72]. Rushby's argument misses a key point regarding how diagrams are used in practice: they are rarely used in isolation. As the examples above demonstrate, different diagrammatic representations are used to exploit different features of a particular problem domain. Similarly, diagrams are often used ....

....reasoning systems. Such movement echoes Rushby's apprehension as quoted in the introduction: "a formal specification method built around a particular diagrammatic or tabular notation may have rather restricted application, and limited mechanized support for general forms of analysis" [72]. This is true. Although heterogeneous logics could theoretically circumvent this problem, tools supporting diagrammatic representations would likely be used for applications suited to those diagrams. Specializing tools, however, supports practice because reasoning tends to be domain-specific: as ....

John Rushby. Formal methods and digital systems validation for airborne systems. Contractor Report 4551, NASA, December 1993.


Bi-directional Analysis for Certification of Safety-Critical.. - Lutz, Woodhouse (1999)   (1 citation)

.... its use has been well documented since the 1970s (see, e.g., [10, 33] and, more recently, the System Safety Society's 1993 System Safety Analysis Handbook [43]). SFTA is likewise an extension of hardware or system FTA (Fault Tree Analysis), which has been used extensively since the 1960s [16, 36]. Fault tree analysis methods use Boolean logic to break down an undesirable event or situation into the preconditions that led to the root event. Software fault tree analysis [2, 16] adapted the FTA technique to software, using events in the code or detailed design to verify the software logic. ....

....[16]. The goals of the backward analysis and SFTA are very similar, though. As Rushby puts it, "The goal of SFTA is to show that a specific software design will not produce system safety failures or, failing that, to determine the environmental conditions that could lead it to cause such a failure" [36]. The backward step of the BDA traces the causes of the root node (e.g., "Obsolete Input Data") backward in time to the contributing circumstances, with each successive level of the fault tree expanding the previous level's nodes. The process ends when further analysis of the bottom-level nodes ....

Rushby, J. (1993), Formal Methods and Digital Systems Validation for Airborne Systems, SRI-CSL-93-07.


Transition Assertions: A Higher-Order Logic Based Method for the.. - Coll (1997)

....Level 1: Formal specification of all or part of the system. Level 2: Paper-and-pencil proof of correctness. Level 3: Formal proof checked by mechanical theorem prover. A mechanical theorem prover provides a high level of assurance that mistakes have not been introduced in a proof. Rushby [Rus93, page 82] describes a mechanised theorem prover as "an implacable skeptic that insists on its human user providing justification for every significant step of the argument". In addition to a high level of rigour, a mechanical theorem prover provides other benefits including: record keeping which aids in ....

John Rushby, Formal Methods and Digital Systems Validation for Airborne Systems, NASA Contract Report 4551, December 1993. BIBLIOGRAPHY 159


High-Automation Proofs for Properties of Requirements Models - Di Vito (1999)   (1 citation)

....from SRI. Our work was performed in the context of a broad program of applied formal methods activity at NASA's Langley Research Center (LaRC) [2]. Additional background and overview material on the use of formal methods in aerospace applications can be found in Rushby's formal methods handbooks [18, 19], and in the previously mentioned guidebook volumes [14, 15]. 2 Overview of SAFER. SAFER is a small, self-contained, backpack propulsion system enabling free-flying mobility for a crew member engaged in extravehicular activity (EVA). SAFER is a single-string system designed for contingency use ....

John Rushby. Formal methods and digital systems validation for airborne systems. NASA Contractor Report 4551, December 1993.


Applying Adaptive Safety Analysis Techniques - Lutz, Shaw

.... uses a similar method to analyze software code or detailed design [8]. Rushby identifies as the goal of SFTA "to show that a specific software design will not produce system safety failures or, failing that, to determine the environmental conditions that could lead it to cause such a failure" [18]. Figure 1 is a high-level excerpt from a SFTA that investigates possible software causes for an antenna failure. Some researchers have performed SFMECA as a preparatory activity to fault tree construction [15]. Others have recommended first performing a search for causes (as in a FTA) and then ....

Rushby, J., Formal Methods and Digital Systems Validation for Airborne Systems, SRI-CSL-93-07, 1993.


Mechanical Verification of Compiler Correctness - Stringer-Calvert (1998)

....original informal descriptions. With increasing complexity of programming languages it would be desirable if they were developed in conjunction with a fully formal semantics so that this problem may be averted. This post-formalism problem is not specific to this domain: there is much evidence [33] to support the claim that the most productive and cost-effective time to apply any formal approach is as early as possible in the project life cycle. The semantics of low-level languages (assemblers) are just as problematical as those for high-level languages. In many cases the published ....

.... formal methods. There is a wide spectrum of formal methods and some include only a subset of those features in this definition. For further discussion of this diversity and its implications on those choosing a formal method for a particular application the reader is referred to Rushby's survey [33]. A formal method is something which: • employs concepts and sometimes notation from discrete mathematics; • allows the presentation of an unambiguous specification of the behaviour of a system; • provides the necessary logical infrastructure to reason about its specification notation; ....

John Rushby. Formal methods and digital systems validation for airborne systems. Technical Report CSL-93-07, Computer Science Laboratory, SRI International, November 1993.


Software Component Dependability Assessment - Voas (1998)

....this problem. Assessing the dependability of a software component that will operate in many different environments is extremely difficult. Our research addresses this issue. The last twenty years have produced a series of papers stating why traditional software reliability models are flawed [1, 2, 8, 7, 9, 3]. The underlying problem is that software reliability models are based on reliability models of physical systems, not logical systems. Physical systems decay over time, logical systems do not. If a program is correct today with respect to a given specification, it will be correct tomorrow for ....

J. Rushby. Formal Methods and Digital Systems Validation for Airborne Systems. NASA Contractor Report 4551, SRI International, Menlo Park, CA, 1993.


Why Engineers Should Consider Formal Methods - Holloway (1997)   (1 citation)

....RATIONALE. To begin to answer this question, let us consider a typical rationale for formal methods. The rationale given here is based on the arguments given previously by NASA Langley formal methods team members (myself included) [8], augmented by arguments from other Langley-sponsored work [9, 10]. Software is notorious for being late in delivery and unpredictable and unreliable in operation. According to a 1994 article by Wayt Gibbs, studies have shown that for every six new large-scale software systems that are put into operation, two others are cancelled. The average software ....

....As a result, I presented a simple revised rationale, which I believe shows conclusively why engineers should consider formal methods. The ideas in this revised rationale are not original. Rushby includes the basic concepts, although his other detailed discussions tend to distract from them [9, 10]; and Parnas states them succinctly [20]. The contribution of this paper is in presenting the ideas in the context of an analysis of other approaches, and in a forum likely to be populated by engineers. I believe that engineers will consider formal methods, and that, as one industry engineer says, ....

John Rushby. Formal Methods and Digital Systems Validation for Airborne Systems. NASA Contractor Report 4551, December 1993.


Formal Methods Technology Transfer: A View from NASA - Caldwell (1996)   (2 citations)

....this work has significance for formal methods because SRI was able to effectively reuse the artifacts of their earlier verifications. Under FAA sponsorship through the Langley program, Rushby of SRI wrote an extended report on the application of formal methods to validation of digital systems [51]. This huge document was condensed into a chapter on formal methods [54] for the FAA Digital Systems Validation Handbook [16]. Also, in 1992, a team was formed to study applications and transfer of formal methods into NASA space programs. The team consists of researchers and practitioners from ....

John Rushby. Formal methods and digital systems validation for airborne systems. NASA Contractor Report 4551, December 1993.


Exploiting the Potential of Diagrams in Guiding Hardware Reasoning - Fisler (1995)   (3 citations)

....of the problems in software and hardware design are due to imprecision, ambiguity, incompleteness, misunderstanding, and just plain mistakes in the statement of top-level requirements, in the description of intermediate designs, or in the specification of components and interfaces. John Rushby [16]. Desire for proofs of correctness of systems spawned the research area known as "formal methods". Today's systems are of sufficient complexity that testing is infeasible, both computationally and financially. As an alternative, formal methods promotes mathematical analysis of a system as a means ....

....system as a means of locating inconsistencies and other design errors. Techniques used can range from writing system descriptions in a formal notation to verification that the designed system satisfies a particular behavioral specification. A good general introduction to formal methods appears in [16]. Ideally, using formal methods increases our assurance in and understanding of our designs. Assurance results from proof, while understanding results from the process of producing the proof. Successful use of formal methods therefore requires powerful proof techniques and clear logical notations. ....

John Rushby. Formal Methods and Digital Systems Validation for Airborne Systems. NASA Langley Contractor Report 4551, December 1993.



Experience Report: Using Formal Methods for Requirements.. - Lutz, Ampo (1996)   (6 citations)

....• Added confidence in the adequacy of the requirements that had been analyzed using formal methods. Rushby's recent study of formal methods for airborne systems reached the similar but even stronger conclusion that formal methods can be most effectively applied early in the lifecycle [7]. 3. Using formal methods for safety-critical software. For a safety analysis it is important to ensure that a hazardous situation does not occur, as well as that the correct behavior does occur [5]. Fault Tree Analysis, which backtracks from a hazard to its possible causes, is one method used ....

J. Rushby, Formal Methods and Digital Systems Validation for Airborne Systems, SRI-CSL-93-07, Nov 1993.


Targeting Safety-Related Errors During Software Requirements.. - Lutz (1996)   (25 citations)

.... constraints on that system is a focus of much recent work [Franklin and Gabrelian 1989, Jahanian and Mok 1986, Leveson 1991]. Similarly, the capability to analyze specifications by proving theorems regarding them allows verification of the safety-critical functions of a system [Cullyer 1991, Rushby 1993]. The Safety Checklist provides a possible bridge mechanism from manual or CASE analysis of requirements to the formal specification and verification of safety-related software requirements. As formulated here, the checklist can provide a first step towards specifying safety constraints formally. ....

....specifications describe the required behavior in all possible contingencies. Rushby, in his discussion of validating formal specifications, concludes that the contribution of Jaffe et al. is to offer a good starting point that can be modified or extended as needed for particular applications [Rushby 1993]. The Safety Checklist was developed as a translation of the criteria into an informal, natural-language format. Sometimes the translation is extracted from the text that accompanies the formal description in [Jaffe et al. 1991]. Other times the checklist item is a rewording of a mathematical ....

J. Rushby, Formal Methods and Digital Systems Validation for Airborne Systems, SRI-CSL-93-07, Nov 1993.


NASA Langley's Research and Technology-Transfer.. - Butler, Caldwell, .. (1995)   (8 citations)

.... and fault tolerance for ultra-high reliability is a challenging problem: redundancy management can account for half the software in a flight control system and, if less than perfect, can itself become the primary source of system failure [10]. In a comprehensive assessment of formal methods [11], John Rushby discusses several notorious examples of such failures. These include the following: • The asynchronous operation of the AFTI F-16 and sensor noise led each channel to declare the other channels failed in flight test 44. The plane was flown home on a single channel. Other ....

....for the FAA Digital Systems Validation Handbook Volume III on formal methods [20]. The handbook provides detailed information about digital system design and validation and is used by the FAA certifiers. In preparation for this chapter, Rushby produced a comprehensive analysis of formal methods [11]. George Finelli, the former assistant Branch Head of the System Validation Methods Branch (the Branch in which the formal methods team worked before NASA Langley's reorganization in 1994) and a member of the RTCA committee formed to develop DO-178B, together with Ben Di Vito (ViGYAN Inc. was ....

John Rushby, "Formal methods and digital systems validation for airborne systems", NASA CR-4551, 1993.


A Comparison of Bus Architectures for Safety-Critical Embedded.. - Rushby (2001)   (17 citations)  Self-citation (Rushby)

....philosophy that motivated the choice of approximate agreement; hence, there is a good chance of doing them wrong. There are numerous examples that justify this concern; several that were discovered in flight tests are documented by Mackall and colleagues [IRM84, Mac85, Mac88] and summarized in [Rus93b, Section 3.3]. The essential point of Mackall's data is that all the failures observed in flight test were due to bugs in the design of the fault tolerance mechanisms themselves, and all these bugs could be traced to difficulties in organizing and coordinating systems based on approximate ....

John Rushby. Formal methods and digital systems validation for airborne systems. Technical Report SRI-CSL-93-7, Computer Science Laboratory, SRI International, Menlo Park, CA, December 1993.
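The Butler/Caldwell excerpt (asynchronous channels plus sensor noise causing each AFTI F-16 channel to declare the others failed) and the Rushby (2001) excerpt (Mackall's flight-test failures all traced to the redundancy-management design itself) describe the same failure mode: a cross-channel comparison monitor that implicitly assumes the compared samples were taken at the same instant. The simulation below is added here and is not Mackall's data, not code from any cited paper, and not a model of the actual F-16 software; the frame rate, channel skews, noise amplitude, miscompare threshold and persistence count are all assumed values chosen so the effect is visible. It runs three channels over a constructed sensor trace that is steady and then ramps, once with skewed (asynchronous) sampling and once with synchronized sampling, and reports which channels each channel voted out.

```python
import random
from typing import Dict, Set, Tuple

# Assumed parameters (constructed for illustration, not from any cited source).
FRAME_S = 0.010      # 100 Hz redundancy-management frame
FRAMES = 100         # 1 s of flight
NOISE = 0.10         # per-sample sensor noise amplitude, uniform in [-NOISE, NOISE]
THRESHOLD = 0.25     # miscompare threshold sized for noise alone (|n_i - n_j| <= 0.20)
PERSISTENCE = 3      # consecutive miscompares before a channel is declared failed
SLEW = 200.0         # signal rate during the manoeuvre, units per second


def true_signal(t: float) -> float:
    """Constructed input: steady for 0.5 s, then a linear ramp (a manoeuvre)."""
    return 0.0 if t < 0.5 else SLEW * (t - 0.5)


def sample(t: float, rng: random.Random) -> float:
    return true_signal(t) + rng.uniform(-NOISE, NOISE)


def simulate(skews: Tuple[float, ...], seed: int = 1) -> Dict[int, Set[int]]:
    """Run the channels and return, per channel, the set of other channels it declared failed.

    skews[i] is how late channel i samples relative to the nominal frame time.
    Channels exchange their frame-k values and compare them as if taken simultaneously,
    which is exactly the assumption an asynchronous design silently makes.
    """
    rng = random.Random(seed)
    n = len(skews)
    miscompare_run = {(i, j): 0 for i in range(n) for j in range(n) if i != j}
    declared: Dict[int, Set[int]] = {i: set() for i in range(n)}
    for k in range(FRAMES):
        t = k * FRAME_S
        values = [sample(t + skews[i], rng) for i in range(n)]
        for (i, j) in miscompare_run:
            if abs(values[i] - values[j]) > THRESHOLD:
                miscompare_run[(i, j)] += 1
            else:
                miscompare_run[(i, j)] = 0
            if miscompare_run[(i, j)] >= PERSISTENCE:
                declared[i].add(j)          # latched: a declared failure is not undone
    return declared


def trusted_by_all(declared: Dict[int, Set[int]]) -> Set[int]:
    """Channels that no other channel has voted out."""
    n = len(declared)
    return {j for j in range(n) if not any(j in declared[i] for i in range(n) if i != j)}


if __name__ == "__main__":
    # Asynchronous: channels 1 and 2 sample 3 ms and 6 ms late. During the ramp the
    # skew alone contributes SLEW * 0.003 = 0.6 units between neighbouring channels,
    # far above a threshold sized for noise, so every pair miscompares every frame.
    asynchronous = simulate(skews=(0.0, 0.003, 0.006))
    print("asynchronous:", asynchronous, "trusted by all:", trusted_by_all(asynchronous))
    # Synchronized: same noise, same signal, zero skew; only noise separates the channels.
    synchronized = simulate(skews=(0.0, 0.0, 0.0))
    print("synchronized:", synchronized, "trusted by all:", trusted_by_all(synchronized))
```

The asynchronous run ends with every channel having declared both others failed, so no channel is trusted by all and the voter has no basis for a majority, which is the shape of the flight-test event described above. Nothing is wrong with any sensor; the fault is in the monitor's model of time. Raising the threshold to cover the skew would mask genuine sensor faults of the same magnitude, which is why the remedy Rushby's later work argues for is a synchronized architecture rather than a wider comparison window.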


Formal Verification for Fault-Tolerant.. - Owre, Rushby.. (1995)   (221 citations)  Self-citation (Rushby)

.... because we have concentrated on verifying algorithms and architectural designs, rather than programs; we have chosen to do so because the available evidence points to these and other early-lifecycle concerns (particularly requirements) as the principal sources of failure in safety-critical systems [60]. Ehdm does provide a notion of state that allows systems to be modeled using state-dependent objects and procedural state transformations; it also provides direct support for reasoning about them in a Hoare logic. We have used this capability in other applications, but even then we have ....

....uncluttered, and typechecking can provide a very effective consistency check. Effectively automated and user-guided theorem proving also assists the early detection of errors, and the productive development of proofs whose information content can assist in the certification of safety-critical systems [60]. We found that formal verification provides many benefits besides proof of correctness. These include debugging (i.e., discovery of incorrectness), complete enumeration of assumptions, sharpened statements of assumptions and lemmas, streamlined arguments, and an enhanced understanding that can ....

John Rushby, "Formal methods and digital systems validation for airborne systems", Tech. Rep. SRI-CSL-93-7, Computer Science Laboratory, SRI International, Menlo Park, CA, Dec. 1993. Also available as NASA Contractor Report 4551, December 1993.



Test Driven Development In Erlang/OTP - Martin Carlson

No context found.

John Rushby. Formal methods and digital systems validation for airborne systems. NASA Contractor Report 4551, December 1993.


Formal Verification of Time-Triggered Systems - Pike (2006)

No context found.

John Rushby. Formal methods and digital systems validation for airborne systems. Technical Report CR-4551, NASA, December 1993.


Abstractions for Fault-Tolerant Distributed System.. - Pike, Maddalon, Miner.. (2004)

No context found.

John Rushby. Formal methods and digital systems validation for airborne systems. Technical Report CR-4551, NASA, December 1993.


CiteSeer.IST - Copyright Penn State and NEC