| William R. Bevier and William D. Young. Machine checked proofs of the design of a fault-tolerant circuit. Formal Aspects of Computing, 4(6A):755--775, 1992. |
....Ehdm's specification language is a higher order logic with a rather rich type .... [Footnote 2: Some aspects of SIFT, which was built for NASA Langley, were subjected to formal verification [8], but the treatment was far from complete. Footnote 3: CLI Inc. and ORA Corporation also participate in the program, using their own tools. Descriptions of some of their work can be found in [9] and [10] respectively. The overall program is not large; it is equivalent to about three full time staff at NASA, and about one each at CLI, ORA, and SRI.] [Running head: FORMAL VERIFICATION FOR FAULT TOLERANT ARCHITECTURES AND THE DESIGN OF PVS]
William R. Bevier and William D. Young, "Machine checked proofs of the design of a fault-tolerant circuit", Formal Aspects of Computing, vol. 4, no. 6A, pp. 755--775, 1992.
....has been used to build extremely reliable computer systems. Some examples of these involve compiled routines from the C string library targeted to the Motorola 68020 [5], microcode for the Motorola CAP processor [6], a stack of verified systems [3], verification of the oral messages algorithm [4, 10], code for some simple real time systems [18], floating-point microcode [6, 15], a verified Piton [13] program [17], floating-point hardware [16], a simple scheduler [7], and partial microcode correctness of some Rockwell Collins microprocessors [11, 12]. Broadly speaking, each of these projects ....
William R. Bevier and William D. Young. Machine checked proofs of the design of a fault-tolerant circuit. Formal Aspects of Computing, 4:755--775, 1992.
....Ehdm's specification language is a higher order logic with a rather rich type .... [Footnote 2: Some aspects of SIFT, which was built for NASA Langley, were subjected to formal verification [8], but the treatment was far from complete. Footnote 3: CLI Inc. and ORA Corporation also participate in the program, using their own tools. Descriptions of some of their work can be found in [9] and [10] respectively. The overall program is not large; it is equivalent to about three full time staff at NASA, and about one each at CLI, ORA, and SRI.]
William R. Bevier and William D. Young, "Machine checked proofs of the design of a fault-tolerant circuit", Formal Aspects of Computing, vol. 4, no. 6A, pp. 755--775, 1992.
....argue for the use of formal methods as a means of design assurance. A research program led by NASA Langley Research Center [4] has precisely this goal. So far, the classical Byzantine fault tolerant clock synchronization algorithms [26, 28], the Oral Messages Algorithm for Interactive Consistency [2, 23], fault masking and transient recovery by majority voting [6, 24], extensions of clock synchronization to hybrid fault models [25] and transient recovery [20], extensions of the Oral Messages algorithm to the hybrid fault model [16, 18], and several levels in the implementations of these algorithms ....
....earlier verifications of related algorithms. For our first step, we developed a formal specification and verification of the classical Oral Messages algorithm OM(m) for a symmetric architecture using the Ehdm verification system [23]. The key insight here (due originally to Bevier and Young [2]) is that although the Oral Messages algorithm is conceived as a distributed algorithm to be executed on loosely synchronized processors using message based communications, its correctness and fault masking capabilities can be explored and verified in a model that represents the algorithm as a ....
William R. Bevier and William D. Young. Machine checked proofs of the design of a fault-tolerant circuit. Formal Aspects of Computing, 4(6A):755--775, 1992.
....for formal methods because they involve detailed and sophisticated reasoning that is challenging even for a competent human mathematician. We believe that formal methods are already demonstrating that they can make a genuine contribution toward the clarity and correctness of these algorithms [11, 2]. One important algorithm in this field is the Interactive Convergence Clock Synchronization Algorithm (ICCSA) of Lamport and Melliar-Smith [9]. This algorithm maintains approximate synchronization among a number of clocks even when the clocks begin running at slightly different times, run at ....
....interpreter is available for the logic and permits reasoning about functions at the meta level. Also, it is possible to fake higher order properties in other ways. We have checked the proof, for example, that there is no algorithm that solves a certain version of the Byzantine Generals problem [2]. This is inherently a second order property. 4. Aspects of the Proof. 4.1 Restraining the Prover. Our proof of ICCSA was somewhat atypical of most proofs using the Boyer-Moore prover. Rushby and von Henke had done much of the difficult work of finding a sequence of lemmas leading up to the proofs ....
W. R. Bevier and W. D. Young. "Machine Checked Proofs of the Design of a Fault-Tolerant Circuit". To appear Formal Aspects of Computing, 1992.
....of faults. This problem, variously known as interactive consistency, Byzantine Agreement, or source congruence, was first posed and solved in 1980 [4, 10] with the Oral Messages algorithm (abbreviated to OM). This algorithm has been formally specified and verified by Bevier and Young [1] and, subsequently, by us [11]. Algorithm OM makes no assumptions about the possible kinds of faults. An alternative is to develop a detailed model of the kinds of faults expected and to construct an algorithm tuned to deliver maximum resilience to those particular fault modes. However, an ....
William R. Bevier and William D. Young. Machine checked proofs of the design of a fault-tolerant circuit. Formal Aspects of Computing, 4(6A):755--775, 1992.
.... correctness of this algorithm (i.e. that it achieves BG1 and BG2 under assumptions A1 to A3) and its optimality (i.e. that no algorithm can mask the same number of arbitrary faults with fewer processors) were proven in [3, page 390]. These results have been formally verified by Bevier and Young [1]. 2.4 Algorithm Z. Thambidurai and Park's Algorithm Z is a modification of OM intended to operate under their hybrid fault model described earlier. The difference between OM and Z is that the latter has a distinguished error value, E. Any processor that receives a missing or manifestly bad value ....
William R. Bevier and William D. Young. Machine checked proofs of the design of a fault-tolerant circuit. Formal Aspects of Computing, 4(6A):755--775, 1992.
....behavior of the system is determined by a series of sensor readings taken at discrete time intervals and resulting in a series of actuator commands. We have previously used such an operational model to reason about some simple fuzzy controllers [8] and about a Byzantine resilient control system [3]. The major proof effort involved identifying an appropriate system property and proving that our control algorithm maintained it invariantly. This is an inductive proof over the structure of legal train traces. Nqthm excels at just such tasks. Moreover, because of the number of possible ....
W.R. Bevier and W.D. Young. Machine checked proofs of the design of a fault-tolerant circuit. Formal Aspects of Computing, 4:755--775, 1992.
....an important problem in fault tolerant computing, first cleanly formulated by Lamport, Shostak, and Pease [14, 9] and solved in selected cases with their Oral Messages (OM) Algorithm. Several mechanically checked verifications of this algorithm have been presented, including one by Bevier and Young [2] using Nqthm [4] and a particularly elegant formulation by Rushby using EHDM [15, 19] and PVS [12, 13] (footnote 1). Rushby draws some comparisons between his formulation and the earlier Bevier-Young version and between the automated tools used in the proofs. In particular, he cites the strong typing and ....
....is optimal among its class of algorithms. That is, no algorithm relying solely on oral message passing for interprocess communication can achieve interactive consistency among a collection of processors if at least a third of the total are faulty. 3 Previous Formalizations of OM. Bevier and Young [2] published a formalization and proof of the Oral Messages algorithm using the Boyer-Moore Nqthm [4] theorem prover in the context of a larger project of building a verified circuit implementing interactive consistency [1, 10]. They also mechanically checked the Lamport, et al. proof that the Oral ....
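The contexts above describe two things about the Oral Messages algorithm OM(m): that it can be verified in a functional model (a pure function over the set of processors, rather than a distributed program), and that it is optimal, failing once a third or more of the processors are faulty. The following is an added example, not code from Bevier and Young, Rushby, or any of the citing papers, and it is an executable Python model rather than an Nqthm, Ehdm or PVS theory. It writes OM(m) as a recursive function, checks the interactive consistency conditions IC1 and IC2, and for small cases enumerates every possible behaviour of the faulty processors. The lie table that drives faulty processors and the default value 0 (standing in for RETREAT) are assumptions of this example.

```python
"""Functional model of the Oral Messages algorithm OM(m) of Lamport, Shostak
and Pease, with a check of the interactive consistency conditions IC1 and IC2.

Added example: not code from Bevier and Young or from any citing paper.
The 'lie' strategy table is a hypothetical device of this example for
driving faulty processors; DEFAULT plays the role of RETREAT.
"""
from collections import Counter
from itertools import product

DEFAULT = 0  # value assumed for a missing or unusable message (RETREAT in LSP)


def majority(values):
    """Strict majority of a list of values, DEFAULT when there is none."""
    if not values:
        return DEFAULT
    value, count = Counter(values).most_common(1)[0]
    return value if 2 * count > len(values) else DEFAULT


def om(m, commander, lieutenants, value, faulty, lie):
    """OM(m): return {lieutenant: decided value} for one run of the algorithm.

    m           number of faults the run is designed to tolerate
    commander   id of the processor sending 'value'
    lieutenants ids of the receiving processors (commander excluded)
    faulty      set of ids whose outgoing messages come from 'lie'
    lie         lie(sender, receiver, value, round) -> value actually sent
    """
    def send(sender, receiver, v):
        # Non-faulty processors relay honestly; faulty ones follow 'lie'.
        return lie(sender, receiver, v, m) if sender in faulty else v

    # Step 1: the commander sends its value to every lieutenant.
    received = {l: send(commander, l, value) for l in lieutenants}
    if m == 0:
        return received  # OM(0): use the received value directly

    # Step 2: each lieutenant j runs OM(m-1) as commander of the others,
    # forwarding the value it received from the commander.
    sub = {
        j: om(m - 1, j, [l for l in lieutenants if l != j], received[j], faulty, lie)
        for j in lieutenants
    }
    # Step 3: lieutenant i decides majority(v_1, ..., v_{n-1}), where v_i is
    # its own received value and v_j is what it got from j in OM(m-1).
    return {
        i: majority([received[i]] + [sub[j][i] for j in lieutenants if j != i])
        for i in lieutenants
    }


def interactive_consistency(m, n, value, faulty, lie):
    """Run OM(m) on processors 0..n-1 (commander 0) and check IC1 and IC2.

    IC1: all non-faulty lieutenants decide the same value.
    IC2: if the commander is non-faulty, they decide the commander's value.
    Returns (both conditions hold, decided values).
    """
    lieutenants = list(range(1, n))
    decided = om(m, 0, lieutenants, value, faulty, lie)
    loyal = [l for l in lieutenants if l not in faulty]
    ic1 = len({decided[l] for l in loyal}) <= 1
    ic2 = 0 in faulty or all(decided[l] == value for l in loyal)
    return ic1 and ic2, decided


def consistent_for_all_strategies(m, n, faulty, values=(0, 1)):
    """Try every lie table for the given faulty set and every commander value.

    True iff OM(m) achieves interactive consistency against all of them.
    Feasible only for small cases: the table has |faulty|*(n-1)*(m+1) slots.
    """
    slots = [(s, r, rnd) for s in faulty for r in range(n) if r != s
             for rnd in range(m + 1)]
    for assignment in product(values, repeat=len(slots)):
        table = dict(zip(slots, assignment))
        lie = lambda s, r, v, rnd, t=table: t[(s, r, rnd)]
        for v in values:
            if not interactive_consistency(m, n, v, faulty, lie)[0]:
                return False
    return True


if __name__ == "__main__":
    # n = 4 > 3m with m = 1: a single traitor, lieutenant or commander, is masked.
    print("n=4, traitor lieutenant:", consistent_for_all_strategies(1, 4, {2}))
    print("n=4, traitor commander: ", consistent_for_all_strategies(1, 4, {0}))
    # n = 3 = 3m: the bound is tight; some lie violates IC2.
    print("n=3, traitor lieutenant:", consistent_for_all_strategies(1, 3, {2}))
```

The exhaustive search is the executable counterpart of the optimality claim: with four processors and one traitor every lie table is masked, while with three processors a lieutenant that simply relays 0 instead of the commander's 1 leaves the loyal lieutenant with a tied vote and the default value. The recursion in `om` is exactly the structure a mechanical proof inducts on, which is why the contexts describe the functional model as the natural setting for verification.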
W.R. Bevier and W.D. Young. Machine checked proofs of the design of a fault-tolerant circuit. Formal Aspects of Computing, 4:755--775, 1992.
No context found.
William R. Bevier and William D. Young. Machine checked proofs of the design of a fault-tolerant circuit. Formal Aspects of Computing, 4(6A):755-- 775, 1992.
No context found.
William R. Bevier and William D. Young. Machine checked proofs of the design of a fault-tolerant circuit. Formal Aspects of Computing, 4(6A):755--775, 1992.