| J. Rushby. Formal methods and their role in the certification of critical systems. Technical Report SRI-CSL-95-1, Computer Science Laboratory, SRI, Menlo Park, CA, 1995. |
....in the end of this chapter. 2.1 Formal Method Most of the current approaches being used to analyze a system or an infrastructure would be using formal methods, which means "methods that use ideas and techniques from mathematical or formal logic to specify and reason about computational systems" [6]. The person who wants to use formal methods for analysis has to transform the whole system into a formal specification (e.g. a set of symbols) and formal logic, and then deduce the result from the specification and the logic with deduction rules. After that you can construct your system by these symbols and ....
John Rushby. "Formal Methods and their Role in the Certification of Critical Systems". Technical Report CSL-95-1, Computer Science Laboratory, SRI International, Mar 1995.
....example, a simple sequential list of 20 if then else statements may, in the worst case, yield 2 different behaviors due to 2 possible execution paths. A small change in the input can have a severe effect on which execution path is taken, which in turn may yield an enormous change in output [93]. That is, software behavior is discontinuous and has no inertia like physical systems do. In order to achieve complete confidence in program correctness we must thus explore all behaviors of the program. But, for a program that takes two 32 bit integers as input, we must cover 2 possible ....
.... of sequential programs can be achieved by controlling the sequence of inputs and the start conditions [78]. That is, given the same initial state and inputs, the sequential program will deterministically produce the same output on repeated executions, even in the presence of systematic faults [93]. Reproducibility is essential when performing regression testing or cyclic debugging, where the same test cases are run repeatedly with the intent to validate that either an error correction had the desired effect, or simply to make it possible to find the error when a failure has been observed ....
Rushby J. Formal methods and their Role in the Certification of Critical Systems. Proc. 12th Annual Center for Software Reliability Workshop, Bruges 12-15 Sept. 1995, pp. 2-42. Springer Verlag. ISBN 3-540-76034-2.
.... of sequential programs can be achieved by controlling the sequence of inputs and the start conditions [14]. That is, given the same initial state and inputs, the sequential program will deterministically produce the same output on repeated executions, even in the presence of systematic faults [15]. Reproducibility is essential when performing regression testing or cyclic debugging, where the same test cases are run repeatedly with the intent to validate that either an error correction had the desired effect, or simply to make it possible to find the error when a ....
Rushby J. Formal methods and their Role in the Certification of Critical Systems. Proc. 12th Annual Center for Software Reliability Workshop, Bruges 12-15 Sept. 1995, pp. 2-42. Springer Verlag. ISBN 3-540-76034-2.
....tool itself. Similarly, no proof should be taken as definitive. Hand proofs are notorious not only for introducing errors at each proof step, but also for making assumptions which may be unfounded. From experience of machine checking proofs, most theorems are correct, but most hand proofs are wrong [32]. Even the use of a proof checker does not guarantee the correctness of a proof. While it does aid in highlighting unsubstantiated reasoning and avoidable errors, proof should never be considered an alternative to testing, although it may reduce the amount of testing required. 4. Oligarchy ....
J. Rushby. Formal methods and their role in the certification of critical systems. Technical Report SRI-CSL-95-1, SRI International, Menlo Park, California, USA, March
.... complete ( GRIND) Appendix E Further reading We give a brief overview, where the interested reader can find related literature. • On similar applications: [Hal96, DS97, MPN 95] • On requirements engineering: [LK95, Wie96, SS97, Zav97] • On formal methods: [HB95, Rus93, Rus95, CW96] • On PVS: [SSJ 96, ORSH95] • Other formalisms: [Spi92, SBC92, Jon90, BBP87, MP92, Lam94, GP94, BB87, Lyn88, OSRSC98] • ORKEST publications: [PHJ98, PHJ99] ....
J.M. Rushby. Formal methods and their role in the certification of critical systems. Technical Report CSL-95-01, CSL, 1995.
....goals [Mea94a]. Cost and time constraints have made the application of formality harder to cost-justify. Even the formal methods community is recognizing that in order to be practical, formal methods must be limited to the problem elements where they provide the greatest return on investment [Rus95]. 2.3.5 Summary In spite of their shortcomings, formal methods can be extremely useful. For example, cryptography and protocol analysis are both aspects of security that have proven quite amenable to the application of formal mathematical modeling. Even the least formal commercial software ....
....are best suited to addressing the risks at hand. It constantly reminds the user that the purpose of a specification (formal or informal) is to reduce risks, and the most appropriate notation is the one that maximizes the ratio of risks reduced to costs incurred. 3.2.3 Selective Application Rushby [Rus95] recognizes that the complete application of formal methods to a large project is both prohibitively expensive and of dubious value. He argues that formal methods should be applied selectively. He identifies five axes along which the application of formal methods can be controlled: Degree of ....
Rushby, J., Formal Methods and their Role in the Certification of Critical Systems, SRI-CSL-95-01, January 1995. http://www.csl.sri.com/csl-95-1.html
.... Concepts and Terminology [Lapr]; Dictionary of Algorithms, Data Structures and Problems [Black99] compiled by Paul Black for CRC Dictionary of Computer Science, Engineering and Technology; and Rushby's technical report on Formal Methods and Their Role in the Certification of Critical Systems [Rush93, Rush95]. Various formal methods terminology is scattered throughout the published literature, such as [ClWi96]. Effort is needed to collect the terminology as it is used today and converge it into a common terminology, i.e. a formal methods lingua franca. 4 Project Activity The immediate goals for this ....
John Rushby, "Formal Methods and Their Role in the Certification of Critical Systems", SRI International Technical Report CSL-95-1, March 1995. http://csl.sri.com/csl-95-1.html.
.... Concepts and Terminology [Lapr]; Dictionary of Algorithms, Data Structures and Problems [Black99] compiled by Paul Black for CRC Dictionary of Computer Science, Engineering and Technology; and Rushby's technical report on Formal Methods and Their Role in the Certification of Critical Systems [Rush93, Rush95]. Various formal methods terminology is scattered throughout the published literature, such as [ClWi96]. Effort is needed to collect the terminology as it is used today and converge it into a common terminology, i.e. a formal methods lingua franca. 4 Project Activity The immediate goals for this ....
John Rushby, "Formal Methods and Their Role in the Certification of Critical Systems", SRI International Technical Report CSL-93-7, March 1993. http://csl.sri.com/csl-93-7.html.
....the aspects that pose the greatest risk to the verifiability of system security need to be explored early in the process, when changes are most possible and least expensive. This is consistent with Rushby's assertion that formal methods should be applied selectively to the hard problems [Rus95]. A risk-driven approach permits formal methods to be made more cost effective, by only expending the costs in the area where the expected returns are greatest. It is true that such an approach is theoretically inferior to the total application of formality; areas that might have benefited from ....
....formality may be overlooked. But a total application of formality to even reasonably sized systems has proven to be practically infeasible [CGR95]. Selective application of formality is the only practical way in which the appropriate formal techniques can be applied where they can be of most use [Rus95]. It is unrealistic to believe that any system can be completely secure. Even if a completely secure system was theoretically possible, the very nature of verification limits the confidence that we can have in it [DLP79, Fet88]. There will always be something we can do to increase our confidence ....
[Article contains additional citation context not shown here]
Rushby, J., "Formal Methods and their Role in the Certification of Critical Systems", SRI-CSL-95-01, January 1995. http://www.csl.sri.com/csl-95-1.html
....runs: because we have not yet learned to make sensible use of it. Albert Einstein Formal methods have been around for a number of years and there has been much written about their usefulness in obtaining unambiguous specifications and in the verification of software properties [Kel95, Kel97, Rus95]. However, the industrial take-up of formal methods can be described at its best as poor. Formal methods have been used with success in hardware development [Hei98] but in software development they have been used rarely, their use being restricted mainly to safety critical software. Many ....
....verification) and also that they have no well founded semantics for the structures they employ. These are two of the main attributes that formal methods are specifically designed to have. 1.2 Formal Methods There are a number of different definitions of the term "formal method": Rushby's [Rus95] definition: "methods that use ideas and techniques from mathematical or formal logic to specify and reason about computational systems (both hardware and software)"; Hinchey's [HB95] definition: "a set of tools and a notation (with a formal semantics) used to specify unambiguously the requirements ....
[Article contains additional citation context not shown here]
J. Rushby. Formal methods and their role in the certification of critical systems. Technical Report CSL-95-1, Computer Science Laboratory, SRI International, Menlo Park CA 94025 USA, March 1995.
....lightweight application of formal methods can offer a cost effective way of improving the quality of software specifications. There is an emerging consensus that formal methods seem to find their most effective application early in the lifecycle, where conventional methods are apparently weakest [3]. Studies of change requests to the Space Shuttle flight software have demonstrated that formal methods are particularly good at improving the clarity and precision of requirements specifications, and in finding important and subtle errors [4-6]. This benefit coincides with a serious, unmet need ....
....this validation in a number of ways. The process of formalising a specification provides a simple validation check, in that it forces a level of precision and explicitness far beyond that needed for informal representations. Once a formal specification is available, it can be formally challenged [3], by defining properties that should hold, and proving that they do indeed hold. Formal challenges may be achieved both through the use of mathematical proofs, and through state exploration or model checking. Rushby [3] points out that there is considerable scope for selective application of ....
[Article contains additional citation context not shown here]
J. Rushby, "Formal Methods and Their Role in the Certification of Critical Systems," Computer Science Laboratory, SRI International, Menlo Park, CA, Technical Report CSL-95-1, March 1995.
....needed [DO178B, sub. 2.2.3]. There are limits to the extent that experimental statistical methods allow us to gain confidence in computer-based systems. The smallest failure rates that practically can be asserted are several magnitudes off the 10^-9 that is required in safety critical systems [Rus95b]. It is difficult to construct good test profiles. Test scenarios used to evaluate reliability must be good approximations of the operational profile, i.e. the types, frequencies and distributions of inputs that a system receives during operation. To evaluate systems with, for example a 10 ....
.... The difficulty to reproduce the operational profile for rare events, and the time required to perform fault injection and all-up tests, limits the failure rates that can be verified empirically to about 10^-4. This is several magnitudes off the 10^-9 required for safety critical systems [Rus95b]. The problem of assessing the quality of software has led people to believe in approved processes, i.e. processes producing correct software. The problem however, is how to assess the process. It might be harder to verify that the process always produces the correct software than to verify the ....
J. Rushby. Formal methods and their Role in the Certification of Critical Systems. 12th Annual CSR Workshop, Bruges 12-15 September 1995. Proceedings, pp. 2-42. Springer. ISBN 3-540-76034-2.
.... mechanical backup, so-called by-wire systems such as those for automotive steering, braking, and suspension control [15]. It has been argued that the kind of reliability required in such situations cannot be achieved without a careful formal analysis of the mechanisms and algorithms involved [3, 12]. The Time Triggered Protocol (TTP) [7] is the core of the communication level of TTA. Group membership is a central service of TTP as it provides to all non-faulty processors a consistent view of which nodes are operational and which are not at any given moment. Distributed fault tolerant ....
J. Rushby. Formal Methods and their Role in the Certification of Critical Systems. In R. Shaw, editor, Safety and Reliability of Software Based Systems (Twelfth Annual CSR Workshop). Springer-Verlag, 1995.
....scrutiny via formal methods. 2.2 Safety requirements specification and analysis Extensive investigation into the specification and analysis of requirements for safety-critical systems has been performed in the last decade. This is especially true in the area of formal methods [Clarke et al. 1996; Rushby 1995]. Formal specification is described by van Lamsweerde elsewhere in this volume, so only highlights of its use for safety critical systems are given here. One motivation for specifying requirements formally is that some notations make review, design, implementation, and development of test cases ....
Rushby, J. 1995. Formal methods and their role in the certification of critical systems. In R. Shaw Ed., Safety and Reliability of Software Based Systems, pp. 1--42. Springer.
....a specification does not, strictly speaking, fall within the realms of restructuring, there are advantages that may be accrued from such a translation process. Some even argue that the most significant benefits gained from using formal methods are the result of the formalisation process itself [23]. The second stage of our approach therefore allows the representation of the different viewpoint specifications in different notations, which may include the original notation in which they were expressed. The choice of representation scheme for different viewpoints also involves the expression ....
Rushby, J.: `Formal Methods and their role in certification of critical systems'. Computer Science Laboratory, SRI International, Menlo Park, CA, Technical Report CSL-95, 1995.
....an oracle. In DisCo [7] the concept of external functions is used to extend the notations. Of course, animation should not be thought of as a panacea; it certainly does not exclude formal proofs. Rather, proofs and tests are complementary and should be used in conjunction. As an example, Rushby [26] considers the problem of sorting a sequence. The question whether a sorting function is idempotent can be addressed by proof or by animation. The latter can examine the property for a few representative values. Most importantly, animation can help us to ask the right questions. As with ....
J. Rushby. Formal Methods and their Role in the Certification of Critical Systems. SRI Technical Report CSL-95-1, March 1995.
....changing specifications [35]. A first step towards developing fault tolerant real time intelligent systems is to have precise requirement specifications. Fault tolerant system design is a mature subdiscipline of Computer Science with a large body of theoretical research and system implementations [2, 13, 16, 17, 26, 33, 36]. On the other hand, incorporating fault tolerance and improving dependability of AI systems is gaining attention of researchers only recently (see [1]). Recent work in this area is about calculating reliability of embedded AI planning programs in real time systems [7], implementing failure ....
J. Rushby. Formal Methods and their Role in Certification of Critical Systems. Technical Report CSL-95-1, Computer Science Laboratory, SRI International, Menlo Park, CA, Mar. 1995.
....A DM also records the rationale for the choices made [15, 23]. 3.2 Activities on models In general, we can perform various activities on the models of the model set mentioned above, as illustrated in Figure 1. Models can be transformed into each other, they can be verified against each other [18], they can be revised and modified, or they can be validated against some external requirements. It is also possible to trace the changes made in one model to another model. [Figure 1 diagram: models M1 and M2, requirements; arrows labelled transformation, verification, validation, modification, revision, trace] Figure 1. The different ....
....safety critical applications, such as airplanes, chemical process industries, space missions, nuclear power plants, etc., reliability is an essential feature, as well as correctness and consistency. To guarantee that the final KBS exhibits those quality criteria, formal verification is required [18] and a specific step through an intermediate formal model appears in the transition path. Evolutionary systems KBSs that evolve considerably over time need to be easily maintainable. This means that the consequences of modifications and revisions of one model need to be clear for the other models. ....
J. Rushby. Formal methods and their role in the certification of critical systems. Technical Report CSL-95-1, SRI, 1995.
....EHDM. Of course, in a very real sense a machine checked formalization does not need to be as compelling as a journal version, if the prover is sound. It is sufficient for the problem formulation to be clear and accurate, assuming we trust the machine checked proof. Rushby himself argues strongly [16] that machine checked proofs are required for fault tolerant algorithms, such as OM, precisely because of their extreme subtlety and the tendency to get informal proofs wrong. However, the cleaner the formulation of the algorithm, the higher the likelihood that it will be scrutinized carefully and ....
J. Rushby. Formal methods and their role in certification of critical systems. Technical Report CSL-95-1, SRI International, Computer Science Laboratory, March 1995.
....systems often require safety and reliability guarantees. They must be scalable and adaptable. They also require security properties such as secrecy, anonymity, and non-repudiation. It's also commonly agreed that formal specification and verification are needed to provide solutions of this kind [15, 8, 10]. Many hand checked protocols are found to be flawed via formal methods after they are proposed [5, 9, 6]. But there is still a lack of instructive experience and a systematic way of combining system building blocks and formal specification and verification techniques to provide a real ....
John Rushby. Formal methods and their role in the certification of critical systems. Technical Report SRI-CSL-95-1, Computer Science Laboratory, SRI International, Menlo Park, CA, March 1995.
.... a specification does not, strictly speaking, fall within the realms of restructuring, there are advantages that may be accrued from such a translation process (some even argue that the most significant benefits gained from using formal methods are the result of the formalisation process itself [21]). The second stage of our approach therefore allows the representation of the different viewpoint specifications in different notations which may include the original notation in which they were expressed. The choice of representation scheme for different viewpoints also involves the expression ....
J. Rushby, "Formal Methods and their role in certification of critical systems", Computer Science Laboratory, SRI International, USA, Techn. Report CSL-95, 1995.
....fit for the purpose. Assurance will include massive testing and fault injection of the actual implementation, and extensive reviews and analysis of its design and assumptions. Some of the analysis may employ formal methods, supported by mechanized tools such as model checkers and theorem provers [Rus95]. Industry or government guidelines for certification may apply in certain fields (e.g. [RTC92, RTC00] for airborne software and hardware, respectively, and [MIS94] for cars). These topics are considered in more detail in Section 2.8. The comparison between the four bus architectures is ....
John Rushby. Formal methods and their role in the certification of critical systems. In Roger Shaw, editor, Safety and Reliability of Software Based Systems (Twelfth Annual CSR Workshop), pages 1--42, Bruges, Belgium, September 1995. Springer. Also issued as part of the FAA Digital Systems Validation Handbook (the guide for aircraft certification).
No context found.
J. Rushby. Formal methods and their role in the certification of critical systems. Technical Report SRI-CSL-95-1, Computer Science Laboratory, SRI, Menlo Park, CA, 1995.
No context found.
J. Rushby. Formal Methods and their Role in the Certification of Critical Systems. In R. Shaw, editor, Safety and Reliability of Software Based Systems (Twelfth Annual CSR Workshop). Springer-Verlag, 1995.
No context found.
J. Rushby. Formal methods and their role in the certification of critical systems. Technical Report SRI-CSL-95-1, Computer Science Laboratory, SRI International, Menlo Park, CA, March 1995. Also available as NASA Contractor Report 4673, August 1995, and to be issued as part of the FAA Digital Systems Validation Handbook (the guide for aircraft certification).
CiteSeer.IST - Copyright Penn State and NEC