B. Dutertre and V. Stavridou, "Formal requirements analysis of an avionics control system," IEEE Transactions on Software Engineering, vol. 23, pp. 267--278, May 1997.
....timing blocks would therefore significantly aid the design and verification process. This paper considers a discrete time setting where a supervisory controller periodically samples its inputs and updates its outputs. We use the PVS Clocks theory originally developed by Dutertre and Stavridou [2] as the basis for the model of the system real time dataflows. We have added a Held For operator that maps a predicate on data flows and a timeout value to a boolean dataflow that is TRUE when the input predicate dataflow is TRUE for the duration of the timeout. It is used at the requirements ....
....be able to understand the basic concepts with the examples we provide. 1.1 Related Work While there has been much work in the area of formal verification of real time systems, this work has generally focused on high level requirements validation rather than lower level implementation issues. In [2] Dutertre and Stavridou develop PVS theories to formally specify and verify an avionics control system, modelling the continuous dynamics of the plant as functions from time, modelled as positive real numbers, to appropriate types of state values and the discrete time dataflows of the digital ....
B. Dutertre and V. Stavridou, "Formal requirements analysis of an avionics control system," IEEE Transactions on Software Engineering, vol. 23, pp. 267--278, May 1997.
....( y Margin2 ) GRIND) spec3.IMPORTING1TCC2: proved complete ( GRIND) spec3.IMPORTING1TCC3: proved complete ( GRIND) Appendix E Further reading We give a brief overview, where the interested reader can find related literature. On similar applications: [Hal96, DS97, MPN 95]. On requirements engineering: [LK95, Wie96, SS97, Zav97]. On formal methods: [HB95, Rus93, Rus95, CW96]. On PVS: [SSJ 96, ORSH95]. Other formalisms: [Spi92, SBC92, Jon90, BBP87, MP92, Lam94, GP94, BB87, Lyn88, OSRSC98]. ORKEST publications: [PHJ98, PHJ99] ....
B. Dutertre and V. Stavridou. Formal requirements analysis of an avionics control system. IEEE Trans. on SE, 23(5):267--278, 1997.
....in the final testing phases or even at operation time, is orders of magnitude higher than that of fixing design or coding errors. For this reason, relevant research efforts are being devoted to the above described preliminary analysis, which is often called System Requirements Analysis [KHKS81, DS97] to emphasize that requirements (and hence specifications) are analyzed and validated, and that not only the DUC is analyzed, but also the other system components and the environment as well. SRA is a typical cooperative, interdisciplinary work, since it is performed jointly by experts of the ....
....(even though, using ADT and introducing AXIOMS, syntactic encodings are still possible). Furthermore it has very powerful decision procedures over arithmetic and a very powerful prover. The semantic approach (with a dedicated pretty printer) was adopted for Duration Calculus in [SS94] and also in [DS97]. See Section 5 and the web page of PVS (http://pvs.csl.sri.com) for further reference. Some approaches try to combine the most valuable features of syntactic and semantic encodings: among these we mention Timed Automata [AH97b]; in a previous, preliminary work [AGM97] we adopted a so called ....
Bruno Dutertre and Victoria Stavridou. Formal requirements analysis of an avionics control system. IEEE Transactions on Software Engineering, 23(5):267--278, May 1997.
....in addition to constants. The system uses ML [20, 44] as the user interface. The basic HOL theory supports reasoning with arithmetic expressions, lists and trees. HOL has been used to verify a number of systems. However, it does not lend itself completely to automatic theorem proving [55]. PVS [21, 22, 27, 49] is a verification system developed at SRI. The design of PVS has been strongly influenced by other verifiers such as Nqthm and HOL. PVS is based on a strongly typed higher order logic with a rich type system, and consists of a specification language and a theorem prover. The goal of the theorem ....
B. Dutertre and V. Stavridou. Formal Requirements Analysis of an Avionics Control System. IEEE Transactions on Software Engineering, 23(5):267-278, May 1997.
....cation and examined by theorem proving or model checking. PVS has been used by multiple NASA centers to analyze requirements for the Cassini Spacecraft [13] and for the Space Shuttle [9] and by the SafeFM project (University of London) in the analysis of requirements for avionics control systems [12]. 4 Hardware Verification Applications of PVS to hardware verification fall into two broad classes. One class is concerned with verification of the complete microarchitecture against the instruction set architecture seen by machine code programmers. While the presence of pipelining and other ....
Bruno Dutertre and Victoria Stavridou. Formal requirements analysis of an avionics control system. IEEE Transactions on Software Engineering, 23(5):267-278, May 1997.
....dynamic analyses on actual implementations. 2.1 Analysis of Abstract Models An abstract model is analyzed to prove the correctness of the design using various formal methods. 1 In the negative perspective, formal methods are hopeless, because the notations are hard to learn and use [Bow95, MM96, DS97], the required computation power is too huge, tools are not sophisticated enough for practical usage [GCGD97, DS97], etc. In the positive perspective, formal methods are promising, because of rapidly increasing computational power, increasing effort to develop sophisticated tools and many successful ....
....to prove the correctness of the design using various formal methods. 1 In the negative perspective, formal methods are hopeless, because the notations are hard to learn and use [Bow95, MM96, DS97], the required computation power is too huge, tools are not sophisticated enough for practical usage [GCGD97, DS97], etc. In the positive perspective, formal methods are promising, because of rapidly increasing computational power, increasing effort to develop sophisticated tools and many successful industrial case studies. However, even when a design is proved 1 For resources on formal methods, see [FMP95] ....
Bruno Dutertre and Victoria Stavridou. Formal requirements analysis of an avionics control system. IEEE Transactions on Software Engineering, 23(5), May 1997.
....is that it allows formal analysis to investigate whether certain safety properties are preserved. For example, Dutertre and Stavridou specify an avionics system and verify such safety requirements as "If the backup channel is in control and is in a safe state, it will stay in a safe state" [Dutertre and Stavridou 1997]. Automated checks that the requirements are internally consistent and complete (i.e. all data are used, all states are reachable) are often then available. Executable specifications allow the user to exercise the safety requirements to make sure that they match the intent and the reality. ....
Dutertre, B. and Stavridou, V. 1997. Formal requirements analysis of an avionics control system. IEEE Trans on Software Eng 23, 5, 267--278.
....domain independent methods and heuristics to generate resolutions of these conflicts. His approach differs from ours in that the sole focus is on conflict resolution, rather than more general inconsistency analysis and change management. Finally, recent work on formal requirements analysis [3] recognises the need to devise practical ways of structuring the V V process in order to make it methodologically suitable for large scale analysis. The work described in this paper is a first step in this direction. The use of lightweight formal modeling [15] has also been proposed as a ....
Dutertre, B. and Stavridou, V.: `Formal Requirements Analysis of an Avionics Control System', IEEE Transactions on Software Engineering, May 1997, 23, (5), pp. 267-278.
.... system, synchronous languages, theorem proving, hybrid system, proof methodology 1 Introduction Many applications of formal methods in system development are in the requirements specification phase, often formalising a subset of requirements corresponding to functional behaviour of the system [9, 6]. In embedded systems, these requirements commonly refer to the component which is under design, typically the controller for some physical devices (realised either as software or electronics). However, there is a class of properties arising as a result of interaction between the controller and ....
....as feasible. 6 Related works The work we have reported is at too early a stage for making definitive remarks about the feasibility of combining push button theorem provers and simulation environments. More work is also needed to compare the method with heavy duty theorem proving in the spirit of [6]. However, some preliminary points for discussion have already emerged. Some of the shortcomings are reminiscent of those reported in [5]: the limitation to integer arithmetic, for example, means that the counter proofs presented by the system are more informative than the safety proofs holding ....
B. Dutertre and V. Stavridou. Formal Requirements Analysis of an Avionics Control System. IEEE Transactions on Software Engineering, 25(5):267--278, May 1997.
....etc. and to obtain suitable interfaces accessible to non formal method experts. The key to success is to get a good synergy between both of these tracks of research. The first phase of the reported project started along the second track. Our work confirms conclusions reported in similar projects [8], that analysis by deductive techniques requires a great deal of user knowledge and interaction. We note that this is also true with algorithmic approaches. When applying model checking in our example, the bulk of the work was in justifying the time linearity assumption by the physical modelling ....
B. Dutertre and V. Stavridou. Formal Requirements Analysis of an Avionics Control System. IEEE Transactions on Software Engineering, 25(5):267--278, May 1997.
.... after it has been enabled (0 l; u 1) The work on case studies suggests the use of time deterministic control programs in many applications, and the need for deductive reasoning about cases where models of the physical environment are non trivial (eliminating the possibility of model checking) [9]. We therefore propose to restrict the model to time deterministic transitions while keeping the expressiveness with regard to dynamic continuous systems. Each discrete transition is thus required to be taken within a fixed period of time from the time at which it was enabled. However, in a ....
B. Dutertre and V. Stavridou. Formal Requirements Analysis of an Avionics Control System. IEEE Transactions on Software Engineering, 25(5):267--278, May 1997.
....in the proof, in Section 4. 3 PVS PVS (Prototype Verification System) is a powerful specification and verification environment [6, 13]. It provides tools to create and analyse formal specifications, and to prove theorems interactively. It has been used in various domains such as avionics [7], verification of reactive systems [10, 14] and program design [9]. The PVS specification language is based on typed higher order logic; it has a rich type system including constructors, dependent types, abstract data types and a subtyping mechanism. These features allow us to express powerful ....
Bruno Dutertre and Victoria Stavridou. Formal requirements analysis of an avionics control system. IEEE Transactions on Software Engineering, 23(5):267--278, May 1997.
....Putting on another pair of spectacles, this paper can therefore be viewed as an attempt to integrate structured and object oriented software design. An important reason to attempt such an integration is that major defects can arise if software design is not properly embedded into systems design [6, 12]. Since system engineers routinely think in terms of functional decomposition [16], we must be able to trace software designs back to functional designs at the system level. The presentation of the integrated structured object oriented design approach in this paper focusses on the issues of ....
B. Dutertre and V. Stavridou. Formal requirements analysis of an avionics control system. IEEE Transactions on Software Engineering, 23(5), 1997.
....approaches provide powerful (and automated) tools to analyse formal specifications, they are not suitable for analysing informal specifications that may deploy multiple representation schemes, such as the ones we have described in this paper. Finally, recent work on formal requirements analysis [3] recognises the need to devise practical ways of structuring the V V process in order to make it methodologically suitable for large scale analysis. The work described in this paper is a first step in this direction. The use of lightweight formal modelling [14] has also been proposed as a ....
B. Dutertre and V. Stavridou, "Formal Requirements Analysis of an Avionics Control System", IEEE Trans. on Soft. Eng., 23(5):267--278, May 1997.
....Lustre. The case study treats temperature and flow control in a climatic chamber. 1 Introduction Many applications of formal methods in system development are in the requirements specification phase, often formalising a subset of requirements corresponding to functional behaviour of the system [11, 7]. In embedded systems, these requirements commonly refer to the component which is under design, typically the controller for some physical devices (realised either as software or electronics). One approach to verification of embedded systems concentrates on the design. This approach while ....
....9 Concluding remarks The work we have reported is at too early a stage for making definitive remarks about the feasibility of combining push button theorem provers and simulation environments. More work is also needed to compare the method with heavy duty theorem proving in the spirit of [7]. However, some preliminary points for discussion have already emerged. Some of the shortcomings are reminiscent of those reported in [4]: the limitation to integer arithmetic, for example, means that the counter proofs presented by the system are more informative than the safety proofs holding ....
B. Dutertre and V. Stavridou. Formal Requirements Analysis of an Avionics Control System. IEEE Transactions on Software Engineering, 25(5):267--278, May 1997.
....approaches provide powerful (and automated) tools to analyse formal specifications, they are not suitable for analysing informal specifications that may deploy multiple representation schemes, such as the ones we have described in this paper. Finally, recent work on formal requirements analysis [20] recognises the need to devise practical ways of structuring the V V process in order to make it methodologically suitable for large scale analysis. The work described in this paper is a first step in this direction. 6 Conclusions and Future Work This paper has described our experiences in ....
B. Dutertre and V. Stavridou. Formal Requirements Analysis of an Avionics Control System. In IEEE Transactions on Software Engineering, 23(5):267--278, May 1997.
....applied a formal method based on the mechanical prover PVS [26] to a practical system. In the first project, Dutertre and Stavridou used PVS to specify and analyze the requirements of an Air Data Computer (ADC). The specification and analysis of the ADC required approximately 18 person months [9] and detected a single error (a case in which a minimum exceeded a maximum). In a second project, Crow and Di Vito used PVS to specify and analyze the requirements of the Global Positioning System (GPS). This project required two staff months spread over a four month period [8] and detected many ....
B. Dutertre and V. Stavridou. Formal requirements analysis of an avionics control system. IEEE Transactions on Software Engineering, 23(5):267--278, May 1997.
....ER diagrams and dataflow diagrams are translated into state and operation specifications in VDM [5]. Concurrency requirements are modeled separately. We share many of the authors' findings concerning specification. A formal requirements analysis for an avionics control system can be found in [2]. PVS is used there to formulate functional and safety requirements. It is formally verified whether the functional requirements satisfy the safety requirements. Acknowledgments. We would like to thank Dieter Hammer for his stimulating contribution to our project discussions and his comments on this ....
B. Dutertre and V. Stavridou. Formal requirements analysis of an avionics control system. IEEE Trans. on SE, 23(5):267--278, 1997.
....experience with systems similar to the case study and were inspired by a large subset of an existing air data computer. The remainder of this section gives an overview of the air data computer and of its formalization and verification. A more detailed description of the case study appears in [7]. 4.1 Architecture The architecture of the controller is shown in Fig. 1. The system includes two channels with different clocks, each channel being composed of up to four functional modules. A primary channel performs all the controller's functions during normal operation and a backup channel ....
B. Dutertre and V. Stavridou. Formal requirements analysis of an avionics control system. IEEE Transactions on Software Engineering, 23(5), May 1997.
Bruno Dutertre and Victoria Stavridou. Formal requirements analysis of an avionics control system. IEEE Transactions on Software Engineering, 23(5):267--278, May 1997.