The Second NASA Formal Methods Workshop 1992 by Butler, Ricky W. et al.
NASA Conference Publication 10110
Second NASA
Formal Methods
Workshop
1992
p,- cO
o_ i 0 •,
N "_ P,j u_
,..4 c_ ,-4 R
t 2:1"-
Z I Z_
Z
O0"
L.)
Lu¢I.
u_Q
uJ vl
0
J
,-_ O C1.
,.-,0
I _J-JP'J
_J
I -.J ""
<_ cx: <C
ZC_Z
rr_
,,t"
oO
N
,-4
0
,,0
Compiled by
Sally C. Johnson
C. Michael Holloway
and Ricky W. Butler
NASA Langley Research Center
Hampton, Virginia
Proceedings of a workshop sponsored by the
National Aeronautics and Space Administration,
Washington, D.C., and held at
Langley Research Center
Hampton, Virginia
August 11-13, 1992
NOVEMBER 1992
National Aeronautics and
Space Administration
Langley Research Center
Hampton, Virginia 23665-5225
https://ntrs.nasa.gov/search.jsp?R=19930003769 2020-03-17T10:32:50+00:00Z
_m
z
E
mr
z_
IL
L
_R
Contents
Introduction ......................................................................... 3
Workshop Agenda .................................................................... 5
A Brief Overview of NASA Langley's Research Program in Formal Methods ........... 9
Welcome and Introduction
by Chuck Meissner, Jr. (NASA Langley Research Center) .......................... 23
Why Formal Methods?
by Ricky Butler (NASA Langley Research Center) ................................. 27
Tutorial: Design Specification Techniques
by Ben DiVito (ViGYAN) ......................................................... 43
Tutorial: Code Verification Techniques
by Michael Holloway (NASA Langley Research Center) ............................ 49
The FAA DFCS Handbook Formal Methods Chapter
by John Rushby (SRI International) ............................................... 55
Survey of State-of-Practice: Formal Methods in Industry
by Dan Craigan (ORA Canada) ................................................... 61
Formal Modelisation
by Susan Gerhart (National Science Foundation) .................................. 71
Formal Methods Technology Insertion Into FTPP
by Rick Harper (Charles Stark Draper Labs) ....................................... 75
Formal Methods at IBM Federal Systems
by David Hamilton (IBM Federal Systems) ........................................ 83
Reliable Computing Platform
by Ben DiVito (ViGYAN) ......................................................... 89
Clock Synchronization: Verification and Implementation
by Paul Miner (NASA Langley Research Center) ................................. 101
NASA's Strategy for Technology Transfer
by Sally Johnson (NASA Langley Research Center) ............................... 107
Verification of FTPP Scoreboard and Spectool
by Mark Bickford (Odyssey Research Associates, Inc.) ............................ 111
Boeing's Work in Formal Methods
by Dave Fura (The Boeing Company) ............................................ 127
DO-178B and Formal Methods
by George Finelli (NASA Langley Research Center) ............................... 133
Introduction to the Boyer-Moore Theorem Prover
by Warren Hunt (Computational Logic, Inc.) ..................................... 137
Introduction to PVS
by Natarajan Shankar (SRI International) ........................................ 149
Logical Foundations of Computing over the Floating Point Reals
by Richard Platek (Odyssey Research Associates, Inc.) ........................... 161
Formal Safety Analysis
by Nancy Leveson (University of California at Irvine) ............................ 175
The FM9001
by Warren Hunt (Computational Logic, Inc.) ..................................... 199
Derivational Techniques for Itardware
by Steve Johnson (Indiana University) ........................................... 215
Results of Workshop Survey ................... ,... ................................. 223
List of Attendees .................................................................. 237
2
Introduction
This publication contains copies of the material presented at the Second NASA Langley
Formal Methods Workshop held at the NASA Langley Research Center August 11-13, 1992.
The purpose of the workshop was to bring together formal methods researchers and aerospace
industry engineers to investigate new opportunities for applying formal methods to aerospace
problems. The first part of the workshop was tutorial in nature. The second part of the
workshop explored the potentia_ of formal methods to solve current aerospace design and
verification problems. The third part of the workshop involved on-line demonstrations of
state-of-the-art formal verification tools. Finally, a detailed survey was filled in by the
attendees; the results of the survey are compiled in this report.
The workshop was attended by aerospace industry engineers and managers, interested
government representatives from FAA, NSA, NCSC, and DARPA, NASA Langley formal-
methods contractors, university professors, and NASA personnel. A list of attendees is
included in this publication.
3
iE
!
i
4
Second NASA Langley Formal Methods Workshop
H. J. E. Reid Conference Center
Tuesday, Auoust 11. 1992
7:30 Bus Leaves Radisson Hotel/or Reid Conference Center
8:00 - 8:30 Late Reglatmtlon
8:30 - 8:45 Welcome end Introduction
Charles Melssner, Jr., Head, System Validation Methods Branch
5:45 - 9:30 Why Formal Methods?
Ricky Butler, NASA Langley Research Center
9:30 - 10:45 Tutorlah Formal Methods
Ben DiVito, V[GYAN
Michael Holioway, NASA Langley Research Center
10:45 - 11:00 Break
11:00 - 11:30 The FAA DFC$ Handbook m Formal Methods Chapter
John Rushby, SRI International
- 12:30 Survey of State-of-Practice Formal Methods In Industry
Dan Craigan, ORA Canada
11:30
12:30- 1:30 Lunch in NASA Cafeteria
1:30
2:00
2:30
3:00
3:40
4:40
5:00
- 2:00
- 2:30
- 3:00
- 3:40
- 4:40
- 5:00
Formal Modellaatlon
Susan Gerhart, National Science Foundation
Formal Methods TechnOlogy Insertion Into FTPP
Rick Harper, Charles Stark Draper Labs
Break
Formal Methods at 1BMFederal Systems
David Hamilton, IBM Federal Systems
Reliable Computing Platform
Ben DiVito, V[GYAN
Clock Synchronization Verification and Implementation
Paul Miner, NASA Langley Research Center
Bus Leaves Reid Conference Center for Rodisson Hotel
6:30 - 9:00 Workshop Dinner at the Radlsson Hotel
PRECEDING PAGE. BLANK NOT FILMED
Final Agenda - 1
5
NASA Langley Formal Methods Workshop, H. J. E. Reid Conference Center
Wednesdav. Auoust 12. 1992
8:00 Bus LeavesRadissonHotelforReidConferenceCenter
8:30 - 8:45
8:45 - 9:15
9:115 - 9:45
9:45 - 10:00
10:00 - 10:30
10:30 - 11:10
11:10 - 11:50
11:50 - 12:30
NASA's Strategy for Technology Transfer
Sally Johnson, NASA Langley Research Center
Verification of FTPP Scoreboard and Spectool
Mark Bickford, Odyssey Research Associates, Inc.
Boelng'8 Work In Formal Methods _
Dave Fura, The Boeing Company
DO-178B and Formal Methods
George Finelli, NASA Langley Research Center
Break
introduction to the Boyer-Moore Theorem Prover
David Russinoff, Computational Logic, Inc.
Introduction to PVS
Natarajan Shankar, SRi International .....
Logical Foundations of Computing over the Floating Point Reals
Richard Platek, Odyssey Research Associates, Inc.
12:30
1:30
2:10
2:45
3:00
4:00
5:00
6:00
- 1:30
- 2:10
- 2:45
- 3:00
- 4:00
- 6:00
- 6:00
Lunch In NASA Cafeteria
Formal Safety Analysis
Nancy Leveson, University of California at Irvine
The FMg001
Warren Hunt, Computational Logic, Inc.
Break
Panel: Degree of Mechanization In Formal Methods
Paul Miner, NASA Langley Research Center, Moderator
Nancy Leveson, university of California at Irvine
Richard Piatek, Odyssey Researc_hAss_)ciates, Inc.
John Rushby, SRI International :_ _ - _ _
Exhibits of Formal Methods Tools and Tec-hi_|ques
Cash Bar Social
Bus Leaves Reid Conference Center[or RodL_son Hotel
Final Agenda - 2
6
Thursday, Auoust 13, 1992
- 9:00
8:00
8:3O
9.'00 - 10:00
10:00 - 10:15
10:15 - 11:15
Bus LeavesRadissonHotelforReidConferenceCenter
Derlvatlonal Techniques for Hardware
Steven Johnson, Indiana University
Panel: Issues In Hardware Verification
Wctor Carreno, NASA Langley Research Center. Moderator
Mark Bickford, Odyssey Research Associates, Inc.
Warren Hunt, Computational Logic, Inc.
Steven Johnson, Indiana University
Phi/lip Windley, University of Idaho
Break
Panel: Issues In Design/Code Verification
Michael Holloway, NASA Langley Research Center, Moderator
Ben DiVito, V(GYAN
Damir Jamsek, Odyssey Research Associates, Inc.
Miriam Lesser, Corneli University
John Rushby, SRI International
11:15 - 11:45
11:45 - 12:00
12:00
Formal Methods Survey Completion
Closing Remarks
Ricky Butler, NASA Langley Research Center
Bus Leaves Reid Conference Center for Radisson Hotel
(for those not attending the technical review)
Final Agenda - 3
7
13
N93-12958
A Brief Overview of NASA Langley's
Research Program in Formal Methods
System Validation Methods Branch
NASA Langley Research Center
Hampton, Virginia
September 21, 1992'
Abstract
This paper presents an overview of NASA Langley's research program in formal methods.
The major goal of this work is to bring formal methods technology to a sufficiently mature
level for use by the United States aerospace industry, Towards this goal, work is under-
way to design and formally verify a fault-tolerant computing platform suitable for advanced
flight control applications. Also several direct technology transfer efforts have been initiated
that apply formal methods to critical subsystems of real aerospace computer systems. The
research team consists of six NASA civil servants and contractors from Boeing Military Air-
craft Company, Computational Logic Inc., Odyssey Research Associates, SRI International,
University of California at Davis, and Vigyan Inc.
Motivation
NASA Langley Research Center has been developing techniques for the design and validation
of flight critical systems for over two decades. Although much progress has been made in
developing methods which can accommodate physical failures, the design flaw remains a
serious problem [2, 3, 4, 5, 6, 7, 8].
A recent report by the National Center For Advanced Technologies i has identified "Prov-
ably Correct System Specification" and "Verification Formalism For Error-Free Specifica-
tion" as key areas of research for future avionics software and ultrareliable electronics systems
[9]. Aerospace engineers attending the NASA-LaRC Flight Critical Digital Systems Tech-
nology Workshop [10] listed techniques for the validation of concurrent and fault-tolerant
computer systems high on the list of research priorities for NASA.
*This is an updated version of the a paper entitled "NASA Langley's Research Program in Formal
Methods" presented at COMPASS 91 [1].
1A technical council funded by the Aerospace Industries A,sociation of America (AIA) that represents the
major U.S. aerospace companies engaged in the research, development and manufacture of aircraft, missiles
and space systems and related propulsion, guidance, control and other equipment.
PR_GEDING PAGE. BLANK NOT FILMED
9
A further motivation for the use of formal methods is the practical limitations of life-
testing methods to quantify reliability in the ultrareliable domain. Unfortunately, the quan-
tification of reliability in the presence of design faults has been found to be infeasible whether
applied to hardware or software (standard or fault-tolerant) [11]. Therefore the use of non-
statistical method is necessary.
Formal Methods
Formal methods are the applied mathematics of computer systems engineering. There are
many different types of formal methods with various degrees of rigor. The following is a
useful (first-order) taxonomy of the degrees of rigor in formal methods:
Level-l: Formal specification of all or part of the system.
Level-_: Formal specification at two or more levels of abstraction and paper and
pencil proofs that the detailed specification implies the more abstract spec-
ification.
Level-8: Formal proofs checked by a mechanical theorem prover.
Level I represents the use of mathematical logic or a specification language that has a
formal semantics to specify the system. This can be done at several levels of abstraction.
For example, one level might enumerate the required abstract properties of the system,
while another level describes an implementation Which is algorithmlc in styie? LeVde forma!
methods goes beyond level 1 by developing pencii-and paper proofs that the more C0ncret:e
levels logically imply the more abstract-property 0riented ievel-s. Le-vd _is_e most rigorous
application of formal methods. Here one uses a semi-automatic theorem prover to make sure
that all of the proofs are valid. The Level 3 process of convincin# a mechanical prover i s
really a process of developing an argument for an ultimate skeptic who must be shown every
detail.
It is also important to realize that formal methods is not an all-or-nothing approach.
The application of formal methods to the most critical portions of a system is a pragmatic
and useful strategy. Although a complete formal verification of a large complex systemis
impractical at this time, a great increase in confidence in the system can be obtained by the
use of formal methods at key locations in the system.
Research Team
The Langley formal methods program involves both in-house researchers and industrial/academic
researchers working under contract to NASA Langley. Currently the in-house team consists
of six civil servants and one in-house contractor (Vigyan Inc.). NASA Langley has awarded
three contracts specifically devoted to formal methods (from the competitive NASA RFP
1-22-9130.0238). The selected contractors were SRI International, Computational Logic
Inc., and Odyssey Research Associates. The three contracts are five-year, task assignment
contracts with total spending authority at approximately $2.5M per contract. Another
task-assignment contract with Boeing Military Aircraft Company (BMAC) is being used to
10
explore formal methods as well. Through this contract BMAC is funding research at the
University of California at Davis and California Polytechnic State University to assist them
in the use of formal methods in aerospace applications.
NASA Langley's Research Strategy
The basic strategy of the research effort is to apply existing formal methods to challenging
aerospace designs. This strategy leverages the huge investment of DARPA and National
Security Agency in development of tools and concentrates on the problems specific to the
aerospace problem domain. We have sought = to build a strong inhouse research program
as well as use contracts with the leading U.S. formal methods research teams (i.e. SRI,
CLI, ORA) and aerospace industrial teams (BMAC, Draper Labs). In the short term we
are seeking to apply formal methods to critical subsystems. In the medium term we are
designing and verifying a reliable computing platform. Only in the long-term will we seek to
make production-quality verification tools that are easily used by design engineers without
overly specialized, detailed knowledge of formal methods.
The design of a digital flight control system involves two dissimilar activities:
1. design and implementation of control laws
2. design of the fault-tolerant computing platform which executes the control laws
Although these design activities are intimately connected, they require uniquely different
skills. The first activity requires knowledge of feedback control theory and aerodynamics as
well as numerical methods. The second activity requires knowledge of fault-tolerance theory
and computer architecture. Although both activities are essential, we are concentrating at
this time on the second activity. To facilitate the development and demonstration of tools
and techniques to support the second activity, a reliable computing platform (RCP) is being
developed. Also, several tasks are underway to facilitate the transfer of formal methods
technology to aerospace industry.
The Reliable Computing Platform
The Reliable Computing Platform (RCP) dispatches tile control-law application tasks and
executes them on redundant processors. The reliable computing platform performs the
necessary fault-tolerant functions and provides an interface to the network of sensors and
actuators.
The RCP consists of both hardware and software components. A real-time operating sys-
tem provides the applications software developer with a reliable mechanism for dispatching
periodic tasks on a fault-tolerant computing base that appears to him as a single ultra-
reliable processor. Traditionally, an operating system has been implemented as an ezecutive
(or main program) that invokes subroutines implementing the application tasks. Commu-
nication between the tasks has been accpmplished by use of shared memory. This strategy
is effective for systems with nominal reliability rcquirements where a simplex processor can
11
be used. For ultra-reliable systems, the additional responsibility of providing fault tolerance
makes this approach untenable.
For these reasons, the operating system and replicated computer architecture must be
designed together so they mutually support the goals of the RCP. A multi-level hierarchical
specification of the RCP is shown in figure 1.
Uniprocessor System Model (US)]
IFault-tolerant Replicated Synchronous Model (RS) I
[Fault-tolerant Distributed Synchronous Model (DS) I
I
[ra lt-tolerantDistributed Asynchronous Model (DA} ]
I
ILocalE ecutioegodd (LE)I
I
[ tIardware/Software Implementation]
Figur e 1: Hierarchical Specification of the Reliable Computing Platform (RCP)
The top level of the hierarchy describes the operating system as a function that sequen-
tiflly invokes applicatio n tasks. This view of the operating system will be referred to as the
uniprocessor specification (US), which is formalized as a state transition system and for-m_
the basis of the specification for the RCP. Fault tolerance is achieved by voting results com-
puted by the replicated processors operating on the same inputs. Interactive consistency
checks on sensor inputs and voting of actuator outputs require synchronization of the repli-
cated processors. The second level in the hierarchy (RS) describes the operating system as
a synchronous system where each replicated processor executes the same application tasks.
The existence of a global time base, an interactive consistency mechanism and a reliable
voting mechanism are assumed at this level. Level 3 of the hierarchy breaks a frame into
four sequential phases. This allows a more explicit modeling of interprocessor communica-
tion and the time phasing of computation, communication, and voting. At the fourth level,
the assumptions of the synchronous model must be discharged. Rushby and yon Henke [12]
report on the formal verification of Lamport and Melliar-Smith's [13] interactive-convergence
ci0ck-synchronization algorithm. This/dg0ridam-can-serve as a foundation for th e i-mplemen--
tatioli-of fhe replicated system by bounding the amount of asynchrony inthe system so that
it can dupi_icate the functionality of the DS model. Dedicated hardware implementations of
the clock synchronization function are a long-term goal. The LE model is currently under
development. Th_is model describes the actions on each local processor delineating how each
processor schedules tasks, votes results and rewrites its own local memory with voted val-
ues. Of primary importance in this specification is the utilization of a memory management
12
unit by the local executive in order to prevent the overwriting of incorrect memory loca-
tions while recovering from the effects of a transient, fault. There will probably be another
level of specification introduced before the final implementation in hardware and software is
reached. The research activity will culminate in a detailed design and prototype implemen-
tation. Figure 2 depicts the generic hardware architecture assumed for implementing the
replicated system. Single-source sensor inputs are distributed by special purpose hardware
executing a Byzantine agreement algorithm. Replicated actuator outputs are all delivered
in parallel to the actuators, where force-sum voting occurs. Interprocessor communication
links allow replicated processors to exchange and vote on the results of task computations.
As previously suggested, clock synchronization hardware may be added to the architecture
as well.
The hardware architecture is a classic N-modular redundant (NMR) system with a small
number N of processors. Single-source sensor inputs are distributed by special purpose
hardware executing a Byzantine agreement algorithm. Replicated actuator outputs are all
delivered in parallel to the actuators, where force-sum voting occurs. Interprocessor com-
munication links allow replicated processors to exchange and vote on the results of task
computations. This is illustrated in figure 2.
Proc(:ss o r
Replicate
I
Sensors I
L
I I
Ilnteraclivc Consislencyl
Distribution Network
Interprocessor
Communication Link
l'n t¢_1"p_'ocessor
(._)rnmunicalion Link
Processor
Replicate
R
L I
l,'igure 2: Generic lmrdware architecture.
The Division of Labor
The in-house team at NASA has been orchesJ4"ating the effort to apply formal methods to
the RCP. The design I)rol)lem has been decomposed into several separate activities, some of
13
which are being investigated by contractual teams and others by the in-house team.
efforts are roughly divided as follows:
in-house:
SRI:
CLI:
ORA:
BMAC:
system architecture, clock synchronization
Clock synchronization, fault-tolerance
Byzantine Agreement Circuits, clock synchronization
Byzantine Agreement Circuits, applications
Hardware Verification, formal requirements analysis
The
NASA In-house Work
The in-house team has concentrated on the system architecture for the RCP. The top two
levels of the RCP were originally formally specified in standard mathematical notation and
connected via mathematical (i.e. level 2 formal methods) proof[14, 15]. Under the assump-
tion that a majority of processors are working in each frame, the proof establishes that the
replicated system computes the same results as a single processor system not subject to fail-
ures. Sufficient conditions were developed that guarantee that the replicated system recovers
from transient faults within a bounded amount of time. SRI subsequently generalized the
models and constructed a mechanical proof in Ehdm [16]. Next, the NASA inhouse team
developed the third and fourth level models. The top two levels and the two new models
were then specified in Ehdm and all of the proofs were done mechanically using the Ehdm
5.2 prover [17, 18]
Inhouse work is underway to design and implement a fault-tolerant clock synchronization
circuit capable of recovery from transient faults [19, 20]. The circuit is being implemented
using programmable logic devices (PLDs) and FOXI fiber optic communications chips [21].
Contractual Efforts
SRI International
The redundancy management strategies of virtually all fault-tolerant systems depend upon
some form of voting which in turn depends upon synchronization. Although in many systems
the clock synchronization function has not been decoupled from the applications (e.g. the
redundant versions of the applications synchronize by messages), research and experience
have led us to believe that solving the synchron!zation problem independently from the ap-
plications design can provide significant simplification of the system [22, 23]. The operating
system is built on top of this clock-synchronization foundation. Of course, the correctness
of this foundation is essential. Thus, the clock synchronization algorithm and its implemen-
tation are prime candidates for formal methods. The verification strategy shown in figure 3
is being explored. The top-level in the hierarchy is an abstract property of the form:
_/non-faulty p,q: IG(/) - G(t)l </_
where $ is the maximum clock skew guaranteed by the algorithm as long as a sufficient
number of clocks (and the processors they are attached to) are working. The function Cp(t)
R
14
IMaximum Clock Skew Property I
T
I
[Synchronization Algorithm]
T
I
[Digital Circuit ImplementationJ
Figure 3: Hierarchical Verification of Clock Synchronization
gives the value of clock p at real time t. The middle level in the hierarchy is a mathematical
definition of the synchronization algorithm. The bottom level is a detailed digital design of
a circuit that implements the algorithm. The bottom level is sufficiently detailed to make
translation into silicon straight forward.
The verification process involves two important steps: (1) verification that the algorithm
satisfies the maximum skew property and (2) verification that the digital circuitry correctly
implements the algorithm. The first step has already been completed by SRI International.
The first such proof was accomplished during the design and verification of SIFT [13]. The
proof was done by hand in the style of most journal proofs. More recently this proof step
has been mechanically verified using the Ehdm theorem prover [12]. In addition, SRI has
mechanically verified Schneider's clock synchronization paradigm [24] using Ehdm[25]. A
further generalization was found at NASA Langley [20] 2. The design of a digital circuit to
distribute clock values in support of fault-tolerant synchronization has been completed by
SRI International and is currently being formally verified?
SRI is currently writing a chapter for the FAA Digital Systems Validation Handbook
Volume III on formal methods[26]. The handbook provides detailed information about digital
system design and validation and is used by the FAA certifiers.
Computational Logic Inc.
Fault-tolerant systems, although internaJly redundant, must deal with single-source informa-
tion from the external world. For example, a flight control system is built around the notion
of feedback from physical sensors such as accelerometers, position sensors, pressure sensors,
etc. Although these can be replicated (and they usually are), the replicates do not produce
identical results. In order to use bit-by-bit majority voting all of the computational repli-
cates must operate on identical input data. Thus, the sensor values (the complete redundant
suite) must be distributed to each processor in a manner which guarantees that all working
processors receive exactly the same value even in the presence of some faulty processors.
This is the classic Byzantine Generals problem [27]. CLI is investigating the formal verifica-
2The bounded delay assumption was shown to follow from the other assumptions of the theory.
3Unlike the NASA inhouse circuit, the Sttl intent is that the convergence algorithm be implemented in
software.
15
tion of such algorithms and their implementation. They have formally verified the original
Marshall, Shostak, and Lamport version of this algorithm using the Boyer Moore theorem
prover [28]. They have also implemented this algorithm down to the register-transfer level
and demonstrated that it implements the mathematical algorithm [29] and then subsequently
verified the design down to a hardware description language (HDL) developed at CLI [30].
CLI has reproduced the SRI verification of the interactive convergence algorithm using the
Boyer-Moore theorem prover [31]. CLI has also developed a formal model of asynchronous
communication and demonstrated its utility by formally verifying a widely used protocol for
asynchronous communication called the bi-phase mark protocol, also known as "Bi-O-M,"
"FM" or "single density" [32]. It is one of several protocols implemented by microcontrollers
such as the Intel 82530 and is used in the Intel 82C501AD Ethernet Serial Interface.
Odyssey Research Associates
ORA has also been investigating the formal verification of Byzantine Generals algorithrris.
They have focused on the practical implementation of a Byzantine-resilient communications
mechanism between Mini-Cayuga micro-processors [33, 34, 35]. The Mini-Cayuga is a small
but formally verified microprocessor developed by ORA. It is a research prototype and
has not been fabricated. The communications circuitry would serve as a foundation for a
fault-tolerant architecture. It was designed assuming that the underlyi_ag processors were
synchronized (say by a clock synchronization circuit). The issues involved with connecting
the Byzantine communications circuit with a clock synchronization circuit and verifying the
combination - not - _has yet been explored.
Another task that has been startedwith ORA isto apply theirAda verificationtoolsto
aerospace applications. This effortconsistsof two subtasks. The firstsubtask is to verlfy
some utilityroutines obtained from the NASA Goddard Space FlightCenter and the NASA
Lewis Research Center using theirAda VerificationTool named Penelope [36].This subtask
was accomplished in two steps: (I) a formal specificationof the routines and (2) formal
verificationof the routines. Both steps uncovered errorsin the routines [37].The second
subtask was to formally specifythe mode-control panel logicof a Boeing-737 experimental
aircraftsystem using Larch (the specificationlanguage used by Penelope) [38].
A joint project between ORA and Charles Stark Draper Laboratory (CSDL) has been
initiated.The CSDL has been funded by NASA Langley to build fault-tolerantcomputer
systems for over two decades. They have recently become interestedin the use of formal
methods to increase confidence in theirdesigns. ORA has formally specifiedan important
circuit (called the scoreboard) of the Fault-Tolerant Parallel Processor (FTPP) [39] in Cal-
iban [40]. Work is currently underway to formally verify the circuit.
Boeing Military Aircraft Co. ::
The Boeing company has been sponsored by NASA Langley to develop advanced validation
and verification techniques for fly-by-wire systems. As part of the project, Boeing is exploring
the use of formal methods. The goal of this work is two-fold: 1) technology transfer of formal
methods to Boeing, and 2) assessment of formal methods technology maturity.
=
• =
=-
z
16
NASA Langley has been involved in a cooperative research partnership with Boeing to
facilitate the acceptance and adoption of this high-risk, high-payoff technology by Boeing.
The first step was to demonstrate that formal verification of "real" hardware devices is, in
fact, feasible. The first Boeing tasks concentrated on applying the HOL hardware verification
methodology to a set of hardware devices. With the assistance of a subcontract with U. C.
Davis, Boeing verified a set of hardware devices, including a microprocessor[41], a floating-
point coprocesBor similar to the Inte18087 but smaller[42, 43], a direct memory access (DMA)
controller similar to the Intel 8237A but smaller[44], and a set of memory-management
units[45, 46]. U. C. Davis also developed the generic-interpreter theory to aid in the formal
specification and verification of hardware devices[47, 48, 49], and a horizontal-integration
theory for composing verified devices into a system[50, 51, 52, 53].
After demonstrating the feasibility of verifying standard hardware devices, Boeing was
ready to apply the methodology to a set of proprietary hardware devices being developed
inhouse for use in a number of aeronautics and space applications. NASA sponsored a Boeing
engineer to work with the Processor Interface Unit (PIU) design team to formally specify
and verify the device. Although the NASA contract with Boeing will end in FY93, Boeing
has already capitalized on the NASA program and has started their own IR&D effort to
continue applying formal methods to the set of devices.
The cooperative research effort with Boeing has helped NASA Langley to assess the
maturity of formal methods technology with respect to state-of-the-practice digital fiight-
control systems. First, Boeing was tasked to analyze the suitability of the VIPER chip for
application to digital flight controls and to assess the design/verification methodology used
on the VIPER[54] 4. The generic-interpreter and horizontal-integration theories developed at
U. C. Davis provide models to guide the specification and verification of hardware devices.
Application of formal methods to the PIU has demonstrated that formal methods can be
practically applied to the digital hardware devices being developed by Boeing today and has
given NASA insight on how to make the process more cost effective.
Work is also progressing on a methodology for formal requirements analysis for aircraft
systems[58, 59]. This work, being performed under a subcontract to California Polytechnic
State University, includes development of a Wide-Spectrum Requirements Specification Lan-
guage (WSRSL) and prototype tools to support the language. A set of requirements for an
Advanced Subsonic Civil Transport (ASCT) developed by a Boeing engineer under previous
NASA funding is being rewritten in WSRSL to demonstrate the use of the language and
toolset. Since WSRSL is a formal language, the specification can be formally analyzed for
syntactic correctness, completeness, and consistency. NASA Langley is currently evaluat-
ing WSRSL as a candidate requirements specification tool for the fly-by-light/power-by-wire
project. Future plans include possible development of an automatic translator to Ehdm (SRI
International's theorem prover) to facilitate verification of functional correctness as well.
4NASA Langley has just completed a 3 year Memorandum of Understanding (MOU) with the U.K.
Royal Signals and Radar Establishment (RSRE) in formal methods. The MOU focused on the VIPER
microprocessor and the verification methodology used in its development. Computational Logic Inc. and
Langley inhouse researchers also performed assessments of the VIPER project[55, 56, 57].
17
NASA FM Repository
An anonymous FTP account has been set up at Langley to make the research results readily
available. Formal specifications, research papers, and other useful information will be stored
in machine-readable form. To access this repository, one must issue the following command:
"ftp airl6.1arc.nasa.gov". One then supplies "anonymous" as the user name and his FTP
address as the password.
Summary
Although the NASA program covers a wide:spectrum o_ theoretical and practical problem
domains, it is strongly focused on the goal of designing a fault-tolerant reliable computing
base which can support real-time control applications. Much progress has already been made
in applying formal methods to critical subsystems Such as clock synchronization, Byzantine
agreement, voting, etc. The challen-g-e_a-he_d is to integrgte-_ese actlvit]est0 accom-
plish a complete verification of the total RCP system and to continue the transfer of this
technology to the aerospace industry:
[1]
References
Butler, Ricky W.: NASA Langley's Research Program in Formal Methods. In 6th
Annual Conference on Computer Assurance (COMPASS 9I), Gaithershurg, MD, June
1991. : "
[2] Leveson, Nancy G.: Software Safety: What, Why, and How. Computing Surveys,
vol. 18, no. 2, June 1986.
[3] Neumann, Peter G.: Some Computer-Related Disasters and Other Egregious Horrors.
ACM SIGSOFT Software Engineering Notes, vol. 10, no. 1, Jan. 1985, pp. 6-12.
[4] Hamilton, Margaret: Zero-defect softwarc: the elusive goal. IEEE Spectrum, Mar. 1986.
[5] Saab Blames (3ripen Crash on Software. Aviation Week _ Space Technology, Feb. 1989_
[6] Joyce, Ed: Software Bugs: A Matter of Life ant[Liability. Datamation, May 1987.
[7] Garmen, John R.: The Bug Heard 'Round The World. ACM SIGSOFT Software
Engineering Notes, vol. 6, no. 5, Oct. 1981, pp. 3-10.
[8] Rogers, Michael; and Gonzalez, David L.: Can We Trust Our Software? Newsweek,
Jan. i990.
[9] Key Technologies For the Year _000. National Center for Advanced Technologies, 1250
Eye Street N.W., Washington, D.C. 20005, June 1991.
18
[1o]
[11]
[12]
[13]
[14]
[15]
[16]
[17]
[18]
[19]
[20]
[21]
Meissner, Charles W., Jr.; Dunham, Janet R.; and (eds.), C. Crim: Proceedings of the
NASA-LaRC Flight-Critical Digital Systems Technology Workshop. NASA Conference
Publication 10028, Apr. 1989.
Butler, Ricky W.; and Finelli, George B.: The Infeasibility of Experimental Quantifi-
cation of Life-Critical Software Reliability. In Proceedings of the ACM SIGSOFT '91
Conference on Software for Critical Systems, New Orleans, Louisiana, Dec. 1991, pp.
66-76.
Rushby, John; and yon Henke, Friedrich: Formal Verification of a Fault-Tolerant Clock
Synchronization Algorithm. NASA Contractor Report 4239, June 1989.
Lamport, Leslie; and Melliar-Smith, P. M.: Synchronizing Clocks in the Presence of
Faults. Journal of the ACM, vol. 32, no. 1, Jan. 1985, pp. 52-78.
Di Vito, Ben L.; Butler, Ricky W.; and Caldwell, James L., II: Formal Design and
Verification of a Reliable Computing Platform For Real-Time Control (Phase 1 Results).
NASA Technical Memorandum 102716, Oct. 1990.
Di Vito, Ben L.; Butler, Ricky W.; and Caldwell, James L.: High Level Design Proof
of a Reliable Computing Platform. In Dependable Computing for Critical Applications
_, Dependable Computing and Fault-Tolerant Systems, pp. 279-306. Springer Verlag,
Wien New York, 1992. Also presented at 2nd IFIP Working Conference on Dependable
Computing for Critical Applications, Tucson, AZ, Feb. 18-20, 1991, pp. 124-136.
Rushby, John: Formal Specification and Verification of a Fault-Masking and Transient-
Recovery Model for Digital Flight-Control Systems. NASA Contractor Report 4384, July
1991.
Butler, Ricky W.; and Di Vito, Ben L.: Formal Design and Verification of a Reli-
able Computing Platform For Real-Time Control (Phase P Results). NASA Technical
Memorandum 104196, Jan. 1992.
Di Vito, Ben L.; and Butler, Ricky W.: Formal Techniques for Synchronized Fault-
Tolerant Systems. In 3rd IFIP Working Conference on Dependable Computing for Crit-
ical Applications, Mondello, Sicily, Italy, Sept. 1992.
Miner, Paul S.: A Verified Design of a Fault-Tolerant Clock Synchronization Circuit:
Preliminary Investigations. NASA Technical Memorandum 107568, Mar. 1992.
Miner, Paul S.: An Extension to Schneider's General Paradigm for Fault-Tolerant Clock
Synchronization. NASA Technical Memorandum 107634, Langley Research Center,
Hampton, VA, 1992. To be published.
Miner, Paul S.; Padilla, Peter A.; and Torres, Wilfredo: A Provably Correct Design of
a Fault-Tolerant Clock Synchronization Circuit. To appear in the 1 lth Digital Avionics
Systems Conference, Seattle, WA., Oct. 1992.
19
[22] Lamport, Leslie: Using Time Instead of Timeout for Fault-Tolerant Distributed Sys-
tems. ACM Transactions on Programming Languages and Systems, vol. 6, no. 2, Apr.
1984, pp. 254-280.
[23] Goldberg, Jack; et al.: Development and Analysis of the Software Implemented Fault-
Tolerance (SIFT) Computer. NASA Contractor Report 172146, 1984.
[24] Schneider, Red B.: Understanding Protocols for Byzantine Clock Synchronization.
Cornell University, Ithaca, NY, Technical Report 87-859, Aug. 1987.
[25] Shankax, Natarajan: Mechanical Verification of a Schematic Byzantine Clock Synchro-
nization Algorithm. NASA Contractor Report 4386, July 1991.
[26] Computer Resource Management, Inc.: In Digital Systems Validation Handbook - vol-
ume III, no. DOT/FAA/CT'88/10. FAA.
[27] Lamport, Leslie; Shostak, Robert; and Pease, Marshall: The Byzantine Generals Prob-
lem. ACM Transactions on Programming Languages and Systems, vol. 4, no. 3, July
1982, pp. 382-401.
[28] Bevier, William R.; and Young, W_qliam D.: Machine Checked Proofs of the Design and
Implementation of a Fault-Tolerant Circuit. NASA Contractor Report 182099, Nov.
1990. _ =
[29] Bevier, William R.; and Young, William D.: The Proof of Correctness Of a Fault-
Tolerant Circuit Design. In Second IFIP Conference on Dependable Computing For
Critical Applications, Tucson, Arizona, Feb. 1991, pp. 107-114.
[30] Moore, J Strother: Mechanically Verified Hardware Implementing an 8-bit Parallel I0
Byzantine Agreement Processor. NASA Contractor Report 189588, Apr. 1992.
[31] Young, William D.: Verifying the Interactive Convergence Clock Synchronization al-
gorithm Using the Boyer-Moore Theorem Prover. to be published as a NASA CR,
1992.
[32] Moore, J Strother: A Formal Model of Asynchronous Communication and Its Use in
Mechanically Verifying a Biphase Mark Protocol. NASA Contractor Report 4433, June
1992. :....
[33] Srivas, Mandayam; and Bickford, Mark: Verification of the FtCayuga Fault-Tolerant
Microprocessor System (Volume 1: A Case Study in Theorem Prover-Based Verifica-
tion). NASA Contractor Report 4381, July 1991.
[34] Bickford, Mark; and Srivas, Mandayam: Verification of the FtCayuga Fault-Tolerant
Microprocessor System (Volume 2: Formal Specification and Correctness Theorems).
NASA Contractor Report 187574, July 1991.
|
--__
m
=
_=
2
20
[35] Srivas, Mandayam; and Bickford, Mark: Verification of a Fault-Tolerant Property of a
Multiprocessor System. in Theorem Provers in Circuit Design: Theory, Practice and
Ezperience, Nijmegen, The Netherlands, June 1992. To appear.
[36] Guaspari, David: Penelope, an Ada Verification System. In Proceedings of Tri-Ada '89,
Pittsburgh, PA, Oct. 1989, pp. 216-224.
[37] Eichenlaub, Carl T.; and Harper, C. Douglas: Using Penelope to Assess the Correctness
of NASA Ada Software: A Demonstration of Formal Methods as a Counterpart to
Testing. To be published as a NASA Contractor Report, 1991.
[38] Guaspari, David: Formally Specifying the Logic of an Automatic Guidance Controller.
In Ada-Europe Conference, Athens, Greece, May 1991.
[39] Harper, Richard E.; Lala, Jay H.; and Deyst, John J.: Fault Tolerant Parallel Pro-
cessor Architecture Overview. In Proceedings of the 18th Symposium on Fault Tolerant
Computing, 1988, pp. 252-257.
[40] Srivas, Mandayam; and Bickford, Mark: Moving Formal Methods Into Practice: Veri-
fying the FTPP Scoreboard: Phase i Results. NASA Contractor Report 189607, May
1992.
[41] Windley, Phil J.; Levitt, Karl; and Cohen, Gerald C.: Formal Proof of the AVM-I
Microprocessor Using the Concept of Generic Interpreters. NASA Contractor Report
187491, Mar. 1991.
[42] Pan, Jing; Levitt, Karl; and Cohen, Gerald C.: Toward a Formal Verification of a
Floating-Point Coprocessor and its Composition with a Central Processing Unit. NASA
Contractor Report 187547, Aug. 1991.
[43] Pan, Jing; and Levitt, Karl: Towards a Formal Specification of the IEEE Floating-Point
Standard with Application to the Verification of Floating-Point Coprocessors. In _4th
Asilomar Conference on Signals, Systems _ Computers, Monterrey, CA., Nov. 1990.
[44] Kalvala, Sara; Levitt, Karl; and Cohen, Gerald C.: Design and Verification of a DMA
Processor. To be published as a NASA Contractor Report, 1992.
[45] Schubert, Thomas; Levitt, Karl; and Cohen, Gerald C.: Formal Verification of a Set of
Memory Management Units. NASA Contractor Report 189566, 1992.
[46] Schubert, Thomas; and Levitt, Karl: Verification of Memory Management Units. In
Second IFIP Conference on Dependable Computing For Critical Applications, Tucson,
Arizona, Feb. 1991, pp. 115-123.
[47] Windley, Phil J.; Levitt, Karl; and Cohen, Gerald C.: The Formal Ve_fication of
Generic Interpreters. NASA Contractor Report 4403, Oct. 1991.
[48] Windley, Phil J.: The Formal Verification of Generic Interpreters. In 28th Desi#n
Automation Conference, San Franciso, CA, June 1991.
21
[54]
[49] Windley, Phil J.: Abstract Hardware. In ACM International Workshop on Formal
Methods in VLSI Design, Miami, FL, Jan. 1991.
[50] Schubert, Thomas; Levitt, Karl; and Cohen, Gerald C.: Formal Mechanization of
Device Interactions With a Process Algebra. to be published as a NASA CR, 1992.
[51] Schubert, Thomas; Levitt, Karl; and Cohen, Gerald C.: Towards Composition of Veri-
fied Hardware Devices. NASA Contractor Report 187504, Nov. 1991.
[52] Pan, Jing; Levitt, Karl; and Schubert, E. Thomas: Toward a Formal Verification of
a Floating-Point Coprocessor and its Composition with a Central Processing Unit. In
A CM International Workshop on Formal Methods in VLSI Design, Miami, FL, Jan.
1991.
[53] Kalvala, Sara; Archer, Myla; and Levitt, Karl: A Methodology for Integrating Hardware
Design and Verification. in ArcM International Workshop on Formal Methods in VLSI
Design, Miami, FL, Jan. 1991.
Levitt, Karl; and et. al.: Formal Verification of a Microcoded VIPER using HOL. to
be published as a NASA CR, 1992.
[55] Brock, Bishop; and Hunt, Jr., Warren A.: Report on the Formal Specification and
Partial Verification of the VIPER Microprocessor. NASA Contractor Rep0rt 187540-;
July 1991.
[56] Carrefio, Victor A.; and Angellatta, Rob K.: A Case Study for the Real-Time Ex-
perimental Evaluation of the VIPER Microprocessor. NASA Technical Memorandum
104098, Sept. 1991.
[57] Butler, _cky W.; and Sjogr_en, Jon_ A.! /Iardware Proofs Using EHDM and the RSRE
Verification Methodology. NASA Technical Memorandum 100669, Dec. 19881 _
: . _ y _ 7
[58] Fisher, Gene; Frincke, Deborah; Wolber, Dave; and Cohen, Gerald C.: Structured
Representation for Requirements and Specifications. NASA Contractor Report 187522,
July 1991.
[59] Frincke, Deborah; Wolber, Dave; Fisher, Gene; and Cohen, Gerald: Requirements
Specfication Language (RSL) and Supporting Tools. to be published as a NASA CR,
1992.
22
Welcome and Introduction
Charles Meissner, Jr.
Head, System Validation Methods Branch
NASA Langley Research Center
23
WELCOME
AND
INTRODUCTION
FORMAL METHODS WORKSHOP
NASA LANGLEY RESEARCH CENTER
AUGUST 11-13, 1992
Charles W. Meissner. Jr.
NASA Langley Research Center
L
NASA ORGANIZATION
VERTICAL CUT TO SVMB
l CODE ANASA ADMINISTRATOR
II.
AERONAUTICSAND SPACE I
TECHI_IOLOGY ]
I LANGLEY
RESEARCH
CENTER
FLIGHT I
SYSTEMS
DIRECTORATE
,.._
INFORMATION I
I SYSTEM Ig
VALIDATION II
METHODS
24
LANGLEY FAULT-TOLERANT DIGITAL SYSTEMS
HISTORICAL PERSPECTIVE
CA. 1972 ARCS
CARSRA
SIFT
FTMP
CARE III
LIC SOFTWARE
IAPSA
SURE/ASSIST
CA. 1992 AIPS
F-T SYSTEM DESIGN
RELIABILITY ANALYSIS
F-T COMPUTER
F-T COMPUTER
RELIABILITY
S/W ERROR ANALYSIS
F-T DFCS DESIGN
RELIABILITY ANALYSIS
DISTRIBUTED F-T SYSTEM
ULTRARELIABLE DIGITAL AVIONICS
CONTROL SYSTEMS BECOMING THE PRACTICAL EQUIVALENT OF PRIMARY
STRUCTURE
• U.S. FAR 1309-1 Requires P(fail)<lOgfor statistical compliance
• Reliability can't be estimated to this level
• Experienced engineering and operational judgement used for compliance
FAULT-TOLERANT DIGITAL SYSTEMS ARE NECESSARY FOR PRACTICAL
REALIZATION OF ADVANCED CONTROL
• Analog functionality insufficient for advanced control
• Analog too high in size, weight, power
• Digital system components not adequately reliable - use redundancy to
Increase reliability
25
FORMAL METHODS FOR
FLIGHT-CRITICAL SYSTEMS
• The only scientifically satisfactory approach to aspects of the
digital validation process is through reasoning
Formal methods may become Important sooner than is
commonly supposed in the aerospace community
SVMB has put an emphasis on formal methods
Industry/FAA focus is essential feature of our formal methods
work
i
_ =_
:1
26
Why Formal Methods?
Ricky Butler
System Validation Methods Branch
NASA Langley Research Center
27
_ i _ _, :
28
i !i
! i
J
i '
i
i
29
]_o
]
i _'° ! _" _ _
]
_E
• •
"_ o
._o - = _
.o_ g
.-_
_-_ _
30
_o ._
[
1
]
]
¢
i
k_
{.°
"£:
__ _
_,, _
31
32
JI=
!
,_. ,=
__
_4
|
33
- i,
I _'_<_'._";_! i.;iII+_
34
0
o_
o,m
IJ
a
fl
i
:R
II
vl +.
E
_u
| T
v! v_
i
v- ;; __
v _''_' v _r _.
% % % %
H n.
]
t
3S
.j
0
M !
-r r
J
)
iTI
_= |,_ II
.|
_ mlmgm_m
4
.r
b
J
36
L
-_ ___ x
-_ z • _ -_-
I1|
ff
.j
2
I
"" V
II .,..[
%-
v_Z
...r_
, V
Ul III
--,2
/,
!
I
_II _ II
1 ,
II II _J II
pIl
Z
I_ II
= :g
i
i
_. ?. _o._
,_ __ "_._'_ rr_
.|
i _
°_ _I
z_
_L
lJ E
x × _ _
r_
38
i!
i
t=1 l!II
!1
il "H.. II
"i I,i It
"G
0 ",--,..--+
iJ
•,_. _ II
<', i_
I:1
x
! ]i _--II
<_le x
+:+,!i.-+!
o,
i
/
i !
"l+. II
tt It
T
x I!
39
*It_
I
I w!
o
.I
"_i"_ _
•' i!Ii"
_.._ _
• • • D
!
ii
II
"i
I
.|_ _ _
1_ _. =_ _ .
_1._.__*: •
_ :.
| ,_: -_.
40
I!
oiI
_a
_ o go
o_
_ _ _ ..
J_
il!_
._1_._
_-::':--"
4t
or _
0
_,1"i ° ° ° °
E
ii °|
*_!o_1 o _ _ _
_ _i _ _!_
B • • •
42
Design
Tutorial
Specification Techniques
Ben DiVito
ViG_\4.N
43
@i
• • • • Q • • •
O
0
"..4
II
U
i::
-N
i!i0 
• • Q
]
,II
ii
|
'!
=
I=
r_
o
-e.
o
=
44
x)<xX××
XXXX
X×XX
.I
i
N
,.-,_
|:,
.a.
,,,|
i
IIi
I
45
0@
c_
0%
i
g
I ]I +
O"
i +
'_ :'i.
i 'g g__ _. .
• ._ _ _
+ +'+
N
+; |+ l++mm+
I,, , <+
1++
|
•_ _ _.
• m' _r+
k N
o. + ti+lit ++1,
_ _ _.. ! _
+ii100'"_ • +I
o
0
|i°[
-t
II
_J
_2
.+ ._ .| .j
] "
i + + +
" + + I
] +i_ "_°_ .i
._ _ J
+
0 g
+_ ++=
"" ,S _+
IP
+.'_ J +
I_ +."
I_ ++++
_++ .+l
| .++.+o:l
_J r_
+
46
47
o8
]
!
's
_i_. _ _B;..
° !1
< "_'E _ °
II _ II _ • 0 11 11
!
. 3. _ o. ii
, ,.-., _ _ u_
.i; _,_.
_ _"-., _ _. _ _.- ,_
- ,L',I
.i n _ n _,
°_[._ ._
! *
_ _ .__
._ _ _
<_ • • • • •
i! ]
_'_
= _ _,_ i _
• e ap • 4p •
48
Code
Tutorial
Verification Techniques
C. Michael Holloway
System Validation Methods Branch
NASA Langley Research Center
49
,m
u
0
C
.Q
u 0
b.
• e-
E
u_ h- < -r
0
0
0
0
e-
c
>_
o== o_
_.__ _
E _ e
_ ._ ._
N I *"
•= "_g
U C t-
_ "_
_ _o
.___=_ _ _=
== _= _.-
_._o .,.= o.., Eo "-_
_ _ <N
,m
e'-
e-
0
.u
IJ
_m
,!
>
0
t-
O
e-
, _j
<
ffl
<
z
0
,u
0
w
E
0
U.
,
_'6 _
E= ,_°
LI.
i__
50
J_
U
tO
U'l
c-
O
o_
e-. to
°_ I,,,,,)
_1 _..
,m
E _
tO e-
X ._
uJ -_
i-
_ w
0
m
o_
.E_o o..o
_ C
8_$o 0m
e- _ ._
u _
iiX _i
0
ffl
M
:"
• _
_ ._
c
0 U
o ._
0 _
_ ,".,
I_ "E._g
°_
°_,t-
e-
00
(/1
e-
_- 0
om
m
E u_
X
I1) 0
0
ffl
tt.
N
V
V_ _"
_ n
0 _
._ ,_ Vl
AI II VI
Q;
_, _ _ <
._ _ _ vl II
51
ol
1
tO
e"
<
O.
c
0
om,
X
W
1
o w _ £
_ o _ ._ ._o
'_ C ,i
_n .r- 0 r_
E _ -
z c uJ <:
- T ! _ T T
"_ < < m m m
Q;
F-
O A V!
_
+ -I-
0 l_ "_
-a_ ,--" h r't
"(3 < - & <
', _ •,,,., ,,¢ "l"
.-_ -- V _ -- V
-'2
•-- r_ v'l "_
.i
= _ ._ v _,
_' _ _ < Vl .._ v
-- Vl <
0 Vl < _- v _ _-U c o
, T _" _" v,
c: _ o - _ -
0 < < +
1 VI
U Vl v! .
_,- ._ VI In Vl O
I,u
p.
Vl
<
0
, 0
_U..
%
=_
.y
5%
,/
Vl
g
,'3 II
."2. _
v @ ":
.- _, --i-- a ".,-_
- t
VI
52
U')
U')(_
0
n
o_
(..
e_
N
o_
(,..
53
ul
L
t_
E
ty
C
u
0
_J
Jm
.o
¢2
"0
0
b/
o'l
"0
O
I
E
e_
gl
I
0
"0
0
o
E
E o
A
0
L
n
E
0
e-
f_
U
°_
e-
.__ c-
o
= _ ,-_
¢. ---
.i
=
54 _
The FAA DFCS Handbook
Formal Methods Chapter
John Rushby
SIII hlterm_tional
55
o
o
_.J e-
.0
4a
E u_
u.
r_
<
(N
0_
<
G
O
C
@o
n,
Q;
a.
<
th
<
Z
e-
n,
t--
_s <
__.o<
_" E _
E
0
U
u
56
o(Y
A
Q;
,8..1 t--
a _
•_ _ .-
0
u
_')
_g g
I- 8 u
• •
0
_ E
,_. ,--
I-
= E
E _
g_
_ O
m U
E •
a_
f13
U
O
e-
E
u.
U3
E
r_
O
_o
_g
E
_J
C
f13
<
_J
C
e-
c2
_C
"O
c-
O
a
U9
@
_0
"O
O
OJ
E
E
m_
u_
.O
u
e-
ft3
c_
x
uJ
"O
e-
_u O
_E
o_
U "O
_g
_'_
t-- -_
0
._E
g_
_ '-_
•_- _
i,-
_5
_f
e-
e-
e-
E,-,
_ 111
e6
ga
C
o_,
_ U
8_
_._-
un o
c
e,.
f-
E
0 _
°--
E
t_
v _
o
_ E
_._- _
.___ _ -_
u "l- _ _ _
O O O O O
U
6
in
CO
6
E
e_
I.iJ
e-
E
E
O
e
o--
c-
O :
O
_0
O
r_
o
.o
Ch
_J
c-
O
L_
.__
t'N
g6
g_
lg w
_._
_'_
o
0
e-
E
g.
e-
"0
_E
_ c-
O _
¢0
>_
0
t-
E
E
tO
O
E
"0
0
e'-
E
¢11
e-
U
'O
O
e-
_a
e-
6
0
v
w _
E _
O O O O
_J
q_
F-
E
O
O
t.J
.__ e-
u_
"O
O u
_o
o o
57
e,,-
o
e_
E
o
U
E
u_
"0
,u
U
"0
CZ
>
u')
E
e-"
t_
N @
m >
. = _ _5 ,,, 2
o ,_ ,__
_ m u
_ _ ,_. _ E,-- CZ
. .0 m _- .. 0
_ _ ._E o8
•-° °
• • • •
E
e,-,
E
U
e-
g
0 0 o ._"
<
@
-_ b-o o
,9.0 -
_ .5 E
"_, _ 0
-- _ .,3 _.. 0
Q. .--
_, 2 g o,.,
°,
_.. ,-
• •
IJ
m
W
e
£
og
_ _ 0
_E _
o
_- E
° _
.0_ __
_ 0
< ,-
_ m
iLl v
e"
e-
>
_._ _ o
oi:'0
0 .-- @
i? 0 0 0 0
k_t
l)
m
4a
o
E
,ka
@
o
E
E
o
_ 0
O_ r-
r- M:
2 E
--- k._
_ o
_m _.
o
'0 U
OJ
o_
• •
O_ 0
¢-
-_E
_- E _
_ "-
:EN_ _E
e
58
CU
c
D.
o
,o
>
r=
¢n
C
O
m
('D
O.
o
U
C
Q;
"O
O
U
o
O
"O
o
-I-
r-
t-
O
U
e-
o.
_8,_ _
0 0
m
0 0 0 0
e-
1-
1=
Iz ,<
o o
U
0
1
E
o
i1
0
z
0
n
e-
e-
_1
Q/
e_
C
,_o
o
J=
U
0
.J
"0
0
e-
E
E
0
Z
d
v
m
O
U
O '0
._ m 0
_ '_-
o __
=3 e-
_o_ E
e" t=
_.-_
"O
Q;
e.-
,N
C= e-
E_
8; r,
t,..
"O
N
e..
O
E
e-
t_
E
o
t_
r-
e-
0
°w
N
J:
U
'o
o
J=
:E
E
LL
0
¢:
Q;
_B
o
C
0Ol
4_
r'-
4_
Q_
u
o
e..
.o
"0
Q;
¢h
o
:)
E
_m
U
C
°c
,- 0
z _ I1.
• • •
.o_
>
,0 _
_ E
u _
r-
,_l _ _:
._- fl
e-
O u
5g
)
o
C
0
U
O,
U
_J
E
0
U
.x
W
U
E
U
D
E
E
0
E
E
o
U
e
C
z
o w
o
m
o
C U
_._
.m_
t_
e-
0
e-
e_
f_
e-
C
)
o _
0 '_
0
u
C=
,i
)
o
?.
)
o
_.m
o
0
0
t-.
--1
U
°-
E
£
ffl U
80
c-
O
u
U
t,-
"o
0
i
E
t-
o-
e_
E
oI
¢,,
h
Q
_ 0
• I1_ t-
ILl =
0
o
_ E
_ E
x _ r_ EQ;
i " °
• @ t
Survey of State-of-Practice
Formal Methods in Industry
Dan Craigan
ORA Canada
61
Overview of Presentation
Survey of State-of-Practice:
Formal Methods in Industry
. Purpose, sponsors and researchers.
• Method for conducting survey.
Dan Craigen
ORA Canada
dan_ora.on.ca
NASA Langley, Virginia
11 August 1992
• Cases: An overview.
• Example case: TCAS.
• Example feature: Tools.
=
• Observations.
Purpose, sponsors and researchers
• To provide an authoritative record on the prac-
tical experience to date. Purpose, sponsors and researchers
• To better inform industry and government
bodies developing standards and regulations.
• To provide pointers to future research and
technology transfer needs.
• AECB, NIST, NRL.
• Dan Craigen, Susan Gerhart, Ted Ralston.
• Value added: Case studies and anaiysis.
62
Method for Conducting Survey Process
• Initial questionnaire.
• Literature review.
• Structured interviews (Second questionnaire),
I Raw notes, case report, review.
• Review committee.
Method for Conducting Survey
Questionnaires
• Initial questionnaire and structured interview
• Organizational context.
• Project content and history.
• Application goals.
• Formal metl_ods factors.
• Formal methods and tool usage.
• Results.
Method for Conducting Survey
Analytic framework
• Product features.
• Process features.
• FM R&D summary.
• Key events and timing.
Method for Conducting Survey
Product Features
• Client satisfaction.
• Cost.
• lmpact of product.
• Quality.
• Time-to-market.
63
Method for Conducting Survey
Method for Conducting Survey Process Features
Process Features • Design.
• Cost. • Developing reusable components.
• Impact of process. • Using existing reusable components.
• Pedagogical.
• Tools.
• Maintainability.
• Requirements capture.
• V&V.
IO
Method for Conducting Survey
FM RtzD Summary
• Methods: specification; design and implemen-
tation; validation and verification. [uses]
• Tools: language processors; automated rea-
soning; other tools. [tools]
" • Recommendations to FM community. [needs]
Method for Conducting Survey
Key Events and Timing
• Starter.
• Booster.
• Status.
=
I]
64
12
=
Cases: An Ovetvh'w
• CASE
- SSADM toolset; commercial; Z.
-- 340pgs Z/English; 550 scl_emas;
37KLOC obj. C; 16.5 lino.c,/day
• CICS
- Transaction processing; commercial; Z;
PS/2 tools.
268KLOC new/modified code;
50KLOC traced to Z specs;
9% improvement in cOSt;
60% reduction in APARS.
13
cases: An uvervlew
I Cle_lllrOOll]
COBOl_ structuring and Attitude control;
conlmercial and government;
functional specs, and testing. [Method]
- 80K[_OC; (20KLOC reused; 18KLOC
cllanged; 34KLOC new)
-- 34 lines/day; error rate of 3.4/KLOC
(]/20th industry average).
t Darlington
-- Sllutdown system; regulatory; A-7 style and
progranl function tables.
- SDS1- 1362LOC Fortran; 1185LOC As-
sembler
SDS2: ]3KLOC Pascal (??).
14
Cases: An Overview
• LaCoS
- Engine management and a distributed con-
troller; ESPRIT and commercial;
Raise [Method].
• Multinet Gateway
- Network security; NCSC; GVE, etc.
- ]Opgs math; 80pgs Gypsy; 6KI.OC OS.
• SACEM
- Automatic train protection system; safety
critical and RER; 13, Hoare triples; [3 tool.
- 9KLOC verified code; Total of 315,000 per-
son hours.
15
65
Cases: An Overview
• I-BACS
- Smartcard security application; security; FDM.
- 300 lines of FDM; 25001ines of C.
• Tektronix (oscilloscope)
- Reusable software architecture', commercial;
Z; Fuzz.
- 200KLOC of code; 15pgs of Z specs (twice).
• TCAS
- CAS Logic and surveillance; regulatory; state
charts with DNF tables.
-?KLOC of pseudocode; specs about the
same size.
16
Cases: An Overview
• Transputer
-T-800 FPU, VCP; commercial; Z, HOL,
mathematics.
- FPU: 100pgs Z; 4KLOC Occam; VCP about
106 states.
Example case: TCAS
• Traffic Alert and Collision Avoidance System.
• TCAS I, IIo III.
• Congressional fiat (1993).
• HP-AIB
- real-time data-base; commercial; HP-SL.
55pgs HP-SL; 1290 lines of Spec and design;
. 4390 lines of code.
17
• Grand Canyon collision.
• Time span from early 80s. Leveson in June
1990.
18
TCAS
• Players: RTCA Inc. (SC 147), FAA, UC lrvine,
Mitre, Lincoln Labs.
• Interview profile:
White.
Leveson, Nivert, Lubkowski,
• CAS Logic and surveillance system.
• 7 KLOC pseudocode.
• 700 pages English description. [Terminated]
• LOSS of intellectual control. _.
19
66
TCAS
• FM for safety analysis. [model checking and
automated deduction]
• Statecharts.
• DNF tables for conditions.
• Iteration on notation.
• Strong support from SC 14Tand industry.
• Currently at IV&V [15 pys over 8 months].
20
Product real tares
Client satisfaction t
Cost n/a
Impact of product n/a
Quality n/a
Time to market I1/;.I
General process fe_|tures
Cost n/a
Impact of process -t-
Pedagogical -l-
Tools n/a
Specific process features
Design +
Developing r. comp. n/a
Reusing r. comp. n/a
Maintainability n/a
Reqts. capture +
V&V n/a
TCAS (Key Events)
• Starter: FAA seeking better rqts. for deployed
and troublesome system; Leveson looking for
demo project.
• Booster: SC 147 willing to accept new ap-
proach; Readable notation.
i
• Status: CAS Logic formalism and pseudocode
in IVV. Surveillance logic current.
?] 22
TCAS ( R_f_.D)
TCAS (R&D)
• Tools: LaTeX.
• Uses: Mod. to Statecharts
- Concurrency as parallel state macl_ines.
- -[abular notation.
- Specs. reviewable and IV&V.
- CAS Logic from pseudocode and Englisl_.
• Needs:
- Safety analysis tool.
- Automated deduction and model checking.
- Well-formedness checker.
-- Foundational issues.
• Conclusions: successful transition and applica-
tion.
23
67
24
Tools (Usage) Tools (Usage)
• CASE (SSADM): Prototype Z parser and type-
checker.
• C]CS: PS/2 based toolsuite w/ editor, type-
checker, semantic analyser (Z).
• Cleanroom: Editors, waste paper basket.
• SACEM: B.
• TBACS: FDM, scrolling, pencil and paper X-
ref.
• Tektronix: Fuzz editor, typechecker and pretty
printer.
• Darlington: Microsoft Excel.
• TCAS: LaTeX.
• LaCoS: Raise toolset.
• Transputer: Occam transformation system, in-
house refinement checker.
• Multtnet: GVE, Extractor.
• HP: HP-SL syntax checker.
25 26
TOolS (Needs)
( C _;--: --___ ,.
• CASE (SSADM): schema expander, enhanced
editor, browsing and X-ref.
• ClCS: schema expander, semantic analyzer (for
all Z), configuration management.
• Cleanroom: Extracting and tracking verifica-
tion events.
• Darlington: automated deduction, POG, book-
keeping.
• LaCoS: Experience with automated reas0nlng
tools.
TOOLS (Needs)
• Multinet: Better automated deduction, improve-
ments for industrial scale, soundness, better
notation.
• SACEM: Better integration with other V&V.
• TBACS: Better interface; large expressions and
many proof steps.
27 28
68
Tools (Analysis)
Tools (Needs)
• Tektronix: schema expander, refinement proof
tool, pre-condition calculator.
• TCAS: safety analysis tool, automated deduc-
tion, language checker, soundnesS.
Did the formal methods tools help or
hinder the development of the product?
Were the tools reliable?
CA CI CL DA LA MG SA TB TE TC TB, HP
- + 0 n/a 0 0 + + - n/a + 0
• Not a large role (lack of tool support).
• Transputer: reflnernent clleck('r [c)r large slate
spaces.
• HP: Language checker and belier notation (not
ambitious!).
• Problems due to newness and primitiveness.
• Need for language clleckers, bookkeeping.
• Don't be too ambitious.
2g
• Automated deduction in critical applications.
30
Observations
Feat ures:
Observations
Formal methods
• Definite positive influence on design, require-
ments, V&V, and pedagogical.
• Positive influence on 'impact on process' and
quality.
• Neutral on cost.
• Metl_ods: state machine; 1st-order predicate
calculus; reviewability; complete refinement.
• Tools: Language processors; bookkeeping;
browsing; x- ref.
• Needs: Integration with other V&V; concur-
rency and timing; lower barriers of entry.
31
69
32
Availability of Report
• Availability within 2-3 months.
• Send email to dan(_ora.on.ca, or mail to:
Dan Craigen
ORA Canada
265 Carling Avenue, Suite 506
Ottawa, Ontario K1S 2E1
Canada
33
|
l
|
|
!
=
=
£
7O
Formal Modelisation
Susan Gerhart
National Sciencr Foundation
71
Model|sat|on
Sure you've proved it correct,
but what does the system REALLY do?
Susan L. Gerhart
sgerhart@nsf.gov
Subjects:
The SACEM Case
(continued from Dan Craigen's presentation)-
how FM was embedded in an industrial process
Issues of "modelisation"
Software Engineering for a
"Formal Methodist"
Requirements ............. Mall_emalx:al model of tho system ihat alk.-ws
Wop_ exp_oratlOn
SpecificaliOn ................."the system" expressod JnmWhum_l
nolalions
Design .................... Operatle_ndecomposi|_o_lsand da|a
refinements
implementation ..............Code * Asse_Ons * AssurnplJons
Validation ..........................Spec, E=ecuaon or prools ol properzms
VerilY.salon ................ |dentil|ca|ion and discharge o/cor,eclnass
obligations
[:_::_r_n_x:x_ ............... Prose and dia_'ams _ go will) the
mathematical nolalion
Lile Cyde ................... Gel lhs specIhG._ionr_t &_l aojeed upon
Background Point o/View
SACee:
Train control for the Paris Metro
The Job:
Shorlen the train inlmvals to 2 minu|es fo avoid a new Paris line
o¢1
_onvincs the Pa.s TransH Authority the systsm was safe
_luJU_up an intemadonaJ;:)usirlesS_ safe train control systems
Who:
GEC _|ra,'CSEE • Pans Transit Autho_
The Process:
f97os ...............................Decided had to go with new soltwa_e and
hardware
Explo_sd fault tolerance, discovered woof Of correctness lechnk_,
_id safely studies
19BOS ..............................bu'lt prolotypes.
vorif_<Jcode onc wF.y.
found new way to specify and v_,,
worked with a!Jthott|;a$ to demonslrata safety,
brouOhl on-llne
ICJ"JOS................. dentonsltated capability on other systems.
commorcializ_,g |oo_s used in theWOCeSS
The Results:
Vuhhcallon was demonstrated as an addilion to simulation, withOul
excess cos! and wdh s_n:he_nl added assurance
Specification and modefisalion maluled and an industn_ process
was defined
72
SACEM System
SafelyCue,I
I t I i i
Tra_.l"k" Tram"B"
I
Challenges:
• Oitforenl kinds o( "rollingstock" to detocl,
i)mtoCled and some not
• Vwiations in _ack-beacon technology, tunnels & rivers,
• Getting the train "home" when it's system does lad
• Encoded sin_e-processor (rather than complex sync,h,omznd
mul_.l_ocessor) -- as (_-sale as poss_e
SACEM lessons for Formal Methods
An industrial process has been put in'place that is evolving
toward
UlldecslOod end documented
Measured and predictable
Regarded as cost _lloctive
Tool sopporlud
Pmbal_y co_,_'a_e eoMoO 0055
Many techniques can play together.
(although not in concert yet)
SADT lot gr=p_,cal system decomposition and analysis
FSM (Graphcof) simulator
Haza,d analym
(_e_alional scanarioe (600 el them)
Real-lime design simulalion
PromCyped system
Coda verdicaliOn & spoQftcalmh refinement
Technology Transfer problems could be overcome
A manager understoed and stuck with it
The cuslon_r was oducoled (and did Ihe_r own ihmg)
Prov_g could t_ credibly compromised
ModulisalK)n will l_Ip sy,'dizesize their rosulls
SACEM Background
mainl_ _ ouletmosl gu_ed by des_oj_
VWV refined down vvvv
unbl Ioo deladod
until too SOphistK:aled
•"*_abs_acled up "*"
mmntpn.ed code mnermosl I,ol_n 9 heado, s, ,.)t Ix_
Tolal: 315,000 hours (V&V = 1.5 x Development)
formal proof 32.4%
module lusting 20 I%
_ncflonal lusting 25.9°/,
te-specification 2t 6%
Valldsllon Ellorf I
I
Numb_ el procedures proven formaJJy: I I ! 21 I
Nund;_h"at procedures covered m semi global feels t20 33 I
Number of proceduces reeled selr_ globally 79 67 I
Modellsation
The process of getting all the stakeholders to understand
and agree that the working description conveys the
intended system. Subsumes requirements analysis.
mathematical modeling, etc.
In SACEM,
T,KJcI, it&ins+boaconl, encoded mwoc, ,
SaJe_ p_noplas
The desoriplion nc_aion ill,If
The process _ u_Jng II_ descr_¢km
Problems encountered with modelisation in 8ACEM:
Laborious code desodptlon dilcO_nocfed from '*lhe theorem"
Concurrency c_/l_cu, Io express In lop level nKx_
Ddterenf reprosentallo, n=, dlt(_rant analyses _u used _r
assurance (see _ I1,111
Many kinds oi system yMWI: _ raJwoy swtlcl_ng
• _¢rOI_'OCuSs_ de_Mopef, _m,al vu, Him
Relmemenls were OK. but there was a rx_ Oap {.ow
gene_atedl
Carry-over from Requirements
Analysis
Given a language and tools, how do you express the
requirements and mode/the system.
Translate English and diagrams to sets, logic, etc.
and translate back and forth, but
how do yOU read and cl_ck Ibex?
w4"_aldmg_ammatk: technques _m,lt¢ FMs?
CORE. JSD, GIST. SADT etc. provide:
slaodan:l syelem mpmsental_ons
ways Io gel d_/Im_t v,_,wp,_ils
dommn mode_ng tech_.ques
Software process modeling offers:
GuKIolinus Io4"use
Bas_e for debl COPa_IK_)a/_ _vemual nmlnCS
Opporlurdfios for .'tlu<.Futv+_1,U0 w_lfl le:,,l.l<'J
Basic _O_'DII1C@ Of tll;.In;+Ig++t,.Ibdlly
73
Modelisation Process
Identification
Enlitles
ConstramEs among entities
Opara|iOfls atld their parameters
Representation
Eniities become values of a t_oe
Types must be defined Io consllucl, mod_y, and exam.s fllek"
COfltenls
RP._eSenlatton issues am coraedered, e s. ocdem_l, d_oiic-at k>n,
primitive types, agntbutes
Addi.enal properties ol the data types flora requwemenL_
Operations defined with their parameters
Restnctloes are expressed a_ pre-conditiOClS
its effr_ls are defined in terms Of parameter v_s be|ole
a_et execution
System mvar_rtts are formulated from propetlies that the syldem
ts reo_ed or eKpectod to have
lnverianls are proved by induction:
(And a collection of definitions is built up)
Summary
SACEM Case
"Complete" application of formal methods
Shows us potential for integration of FM into broader
system engineering
Displays interaction of problem domain and fo_afiza_on
Process aspect toadd toFMs as languages S tools
Integration of standard computer science with application
domains
Cha#enge to _endors:
write down your process mode/
and
show how modelisation is performed
74
The limitations of the model are identified, e.g.
Omilled o_oeratlons or data dalails
Im¢_iol darinJltons
Amsuffll:_OtlS about _s operating environmun!
(IP/_tem and users)
Degree of concurrency expressed
Reflab/_ of cornmur_,_fion rnerf_
Perler_. r_, and SeCurity req_remenls It_t mu_ be
me by the m',plementation
A plan for using the model is developed, e.g,
k_ntftying the riskiest or leasl us_erslood pad tot further
an,Idyll ar reF_iemenl
iteration towerd more extensive models
Formal proof of ptopetlJes Of the model
Valk_,at_n. e._ by
Prolotyping from Ihe model
Reviews, Inspections, and O_her peer analyses
Antn'l_tien of We mode_
Scenanos tO s(imulate response from cue[omens
.k
Formal Methods Technology
Into FTPP
Insertion
Rick Harper
Charles Stark Dral,cr Labs
75
Formal Methods Technology
Insertion
into
The Fault Tolerant Parallel
Processor
presented at the
Second NASA Langley Formal Methods
Workshop
11-13 August 1992
presented by
Rick Harper
Advanced Computer Architectures Group
The Charles Stark Draper Laboratory, Inc.
Cambridge, MA 02139
NA ¢=& Fozmil Methods Wor kSJtOp 11-t3 AWUti 1992
J
i' iil
m
i
i | -p
A
I I
lj .
!
l
-T-
! ]J" -
NA_K_'-_Orm_ Methods Worked'cop 11-13 August Igg2
i
Formal Methods Technology
Insertion into the FTPP
Objective:
Use formal sppeciftcatlon and verification of
critical FTPP hardware and soP,ware
componentsT_uce t_e incidence of
comm0n-mocTeTra_ures_due 10 specification
and Implementation errors
Formal methods do not help avoid many sources
of common-mode fattures
environmentally-induced faults: EMI,
radiation, heat, water, corrosives, sand (!)
Formal methods are not the only solution to
cbmmon-mode= fau|tavoidance, removal, and
tolerance
Mature componenls, standards compliance,
design automation tools, ruthless per_ecution
of complexity, conservative design practices,
simulation, testing, various CMF
detection/recovery mechanisms
- ;! 3_ _i;_,T_ IS0_----_
76
Fault Tolerant Parallel Processor
(FTPP)
High-throughput high-reliablllty/availabillty
computer for hard real-time applications
Uses many Processing Elements {PEs) in
parallel for high throughput
Uses redundant PEs tor high reliability
Tolerates arbitrary failure manitestatlons
("Byzantine Resilient")
Designed primarily to tolerate uncorrelaled
hardware faults
Programmed in Ada
Fault Tolerant Parallel Processor
(FTPP)
Can trade throughput (parallelism) for
reliability (redundancy) In real-lime
Can be dynaml.Uy reconflgurad to optimize
mission rellablUty and availability
Supports mixed simplex, triplex, and
quadruplex redundancy
Allows heterogeneous processing resources
Parallelism : transparent to programmer
Fault tolerance - transparent to programmer
Current FTPP Applications
"The Army Fault Tolerant Architecture (AFTA)
Program"
Funded by: Army Electronics Integration
Directorate / NASA
Appllcat|on: Helicopter TF/TAJNOE/FCS
"Heterogeneous FTPP"
Funded by: Army Strategic Defense
Command
Application: Battle Management
"Fault Tolerant IMU Processor"
Funded by: a commercial aerospace company
Application: IMU processing
_A_mll UIIhodl Wg_klll_p i 1-13 AulJu _ l/'_2------(
-NA-S'[Forml Methods Wo(klhop _Ull 11)92 G
Cluster 3 (C3) FTPP
Third-generation FTPP
Processing Elements
Support 3 to 40 PEs per cluster
680x0s, 80960s, MIPS R300Os, 1860s, or
DSP32C signal processors
Network Elements
100 Mbil/sec fiber opllc interchannel links
facilitate fault containment end physical
dispersion
Standard bus Interface to Processing
Elements
Software
XDAdaTM-b.ed operating system with
CSDL extensions
FTPP C3 Architecture
NASA F_rn_d Methods WOo'klltOp 11-13 August I1_:1 i
NASA Fomlll Melllocl! Wor-_-_--_------_'_l_l_|
77
Layered View of FTPP
NASA Fo/'f'/_l MOthOd$ Wotk-_t_op 1 t-13 AuguSt 1_
Processing Element:
Formally specified / verified microprocessor can
be used in FTPP
Processors Interface to FTPP over standard bus
(e.g., VMEbus)
Not all processors in FTPP need be formally_: _.
verified
Could use small number of formally verified
processors to form quad or triplex Byzantine
resilient core VG which runs a simple verified
kernel ........
Core VG responsible for motoring other :
VGs (including CMFs) and resetting offenders
using voted_=eset: capability of NE
Throug_ core V_; not an-[SSUe'.cen get
desired throughput adding higher-throughput
VGs in a heterogeneous parallel processing
configuratlon _ i :: :
All VGs communlcaie-usin_ BRVC . -
78
Components of FTPP Suitable for
Formal Methods Insertion
Processing Element
Network Element
FCR Backplane Bus
VG Synchronization Soflware
Task Scheduling Software
Inler-VG Communication Soflware
FDIR Software
NASA Fot-md_l Met/_dl Workshop 11-13 Augu_l 1992
= : :
Network Ejemeh!_ .......
Executes performance- critT_yza_l_,_
resilience algorithms _:: _ _ ..........
Provides BRVC abstraction
Generates vote, FTC,//nk, andother syndromes
Ail components execute specifiableand Wriflable
algorithm_ .......
Bus Interface
Voter / syndrome accumulator
FTC
Global Controller
Scoreboard
Substantial body of related work from formal
methods community Is relevant to these funclions
Network Element Architecture
Vllllm4
__----___.
,I "In
w •
,I '--+-)
.._._=._.__J,__
FCR Backplane Bus
Backplane bus used for PE-NE communlcalion
NE partllloned Into bus-dependent and bus-
Independent sections
Can retrofit NE Io formally specified/verified
backplane bus by modifying bus-dependent
section
Formal model of backplane bus needed
Beckplanes are a common component of
many syslems
A formally specified and verified backplane
could find wide use in critical systems
Powerful building block for ultrareliable syslems:
Formally specified and verified processor
resident on formally specified and verified
backplane bus card
Byzantine Resilient Virtual Circuit
Inter-VG Communication Abstraction
do, ,+wi
.lrs_=lcl
.m
lm,.,.k 1=_
_L ' --'.._-_
M=ml= I I--- --• .U'+U_I_,.+ -- ----
t--t_. I " -- _,
MIISllgll sent by non-foully mlmbsrl el • lourCt VG ere
corrlmlly delivered 1o Ihs non+feully members of roclp|enls
Non-faulty memberl Ol recipient VOI receive messages In the
order lenl by Ihe non-laulty members of the source VG
Non-Ilutty members of rsciplent VOs receive messages In
Identical order
The lbsoIole limes of arrival of corresponding messages st the
memberl el rsclplenl VGS dtller by a known upper bound
The llr_l belwsen a valid millage transmission roquesl end
RNIISIOI delivery pOliCiSeS a known upper bound l
The BRVC pbstractlon Is supported by the NEs
VG Synchronization
VGs are synchronized upon periodic timer
Interrupts (e.g., at 100 Hz)
Timer interrupts occur '_ithin a bounded skew on
all members of VG
Upon timer Inferrupt a VG performs a
synchronizing act (i.e., message passing using
BRVC)
Send message to self
Await reception
I .m_¢ ,m
IKIG M_mlx'_
I......-'-_-'t
_, .... __ .
-
--4_,. + , '4-----0 --_ "4-J--_)
79
Rate Group Scheduler
FTPP C3 uses I_-_ preemptive rate group
scheduler
Vmlont of rata-monotonic echecluling optlmixed
iof ll_raflve task suites having hMmoN¢ Itafstion
rMes
THks _rect only M frame boundaries
L_ _ I" I; i' l° I' ,,1: I' I
im , + _'mr . 144 + ml_mm
| I | I I I I I I
FTPP 0S Khedu4el ilp_oprieie tasks at eKh
_..e boonc_
F.m.o..*_ Ic+,m++,.+.o, sw.<_m;,
] +.s,z,i 4.3.2. w
2 4,3 4,3
4,3.2 4.3.2
14-s I 4 4
IS4 14.3 4.3
...... L4 .......... 4
_ _U_lh&_-#_-1 _" "--Ti'.1-=-_fm -'----'-"-1_"
Inter-VG Communication
FTPP tasks communicate using message passing
clueue_aenage 0'3 call places massage onto
outgoing queue to NE
FTPP O5 determines destination VG from task-to-
VG mapping table
OS transmtta message queue to destination VG
using BRVC
Recipient VG'a 05 reade message from NE and
places Into destination task Input message queue
_etrLeve meeesge OS call accesses aPtMOP<tata
task Input queue and degvers message to task
All :chedulina and Inter-VG communication
asserllonl Irl l_deDendent o! YG redundancy
"_i_E'--Imm_ Methodl W_kllholp 1 I-13 Aug_s111112 ll
FDIR
FOIR p_rtltioned kx vMIdatabtilty
Local FDIR runs on each VG
System FDiR runs on deslgnatad VG (e.g.,
lom._ verlltadVO)
Alg_Itm:
Local FDIR
Execuies self iesta
Scrubs RAM (independent of
charactariatlcs of application task suite)
Peciodicxily trt_4Mntts self test resulta to
syst4mt FDtR via "presence message"
8yslem FDIR
Examines contents end syndromes of
presence messages to diagnose senders
F_lure to receive presence message withIn
bounded time Impllel common-mode failure
ol sender
8O
-+ +.......
Many recovery pollcles possible In FTPP
Reduce redundancy level
Reintegrate taulted component
Rept_ Multad Component wilh spare
System FOIR determines epproprtata recovery
ectlon and etiher .............
Irensmits recovery commands+ _ FDI I_-
localized recovery or
performs global system-level recovery
Must show Ihat system FDIR determines correct
recovery action as s function of diagnosed
component
= _
Mull show _l local or system FDIR correctly
ce_rbs old spe_fled recovery
Heterogeneous Kernels on FTPP
Not all kernels in FTPP need be Identical as
long as they can communicate using BRVC
FTPP can host rate group scheduler on
productlon VGs end small formally varlflad
kernel on formally verlfled VGs
]__oaasln_o throuah BRVC subaumaJ
synchronl,zatlon soJl_Lf_)rmelly verified
kernel would not exDIjr.JU_
synchronization of redundant ,,)lies
The formally verified VG would execute the
system FDIR function
Work in Progress: Scoreboard
Specification and Verification
Currently collaborating with eRA to formally
speclly Scoreboard
Scoreboard Is a crltlcal component of FTPP
Comprises approximately 50% of NE circuitry
Enforces BRVC abslractlon
Business Model:
FM experts working closely with englneerlng
staff having little exposure to formal methods
Separate funding (Draper not specifically
funded to collaborate)
Scoreboard described in VHDL and constructed
using automated synthesis (Synopsys)
VHDL used as common language belween Draper
and eRA
]_,SA F_i_--M_hocls WolkShop 11-13 A.gust t992 2_
Conclusions from Scoreboard
._Specification and Verification
Formalization of Scoreboard requirements
uncovered several specification omissions and
ambiguities
Collaboration would have been closer and Impecl
on design greater If Draper had been specifically
funded to participate
incremental cost on a $2.4M brassboard
development program Is small
Benefit to cost ratio Is very high during the
conceptual study and detailed design phases
Work Planned and Critical Needs
Components similar Io remainder of NE (i.e., FTC,
voter) have been formally specified/verified
Would like to adapt this work to FTPP
Actively seeking FV processor to design into
FTPP
Planning to develop selected subset of RCP
software for FI"PP
Viable processor
Formal subset el VHDL, with nonemply
intersection of synthesizeable and formal subsets
Continued formalization of FTPP NE
Formal model for FCR backplane bus
Formalization of critical OS functionality
Business model for format methods insertion
NASA Fomtal Methods Woqkshop II-t i u_"_'_S)_ .... 2.t
81
|£
132
r
Formal Methods at
IBM Federal Systems
David Hamilton
IBM Federal Systenls
PRECEDING PAGE BLAr,IK ROT FILMED
83
Formal Methods
Technology Transfer
Some Lessons Learned
David Hamilton
IBM Federal Sector Corporation
Second NASA Langley Formal Methods Workshop
Aug/92
Introduction and Purpose
• To cover
1. Some IBM Involvement in Formal Methods (FM)
projects
2. A perspective on difficulties of technology transfer
(beyond a single project)
Purpose is not to
- sell the "IBM approach"
- argue against feasibility of FM
Purpose is to
- learn from other FM technology transfer projects
- suggest some possible future directions
A_ t
Contents
Introducfion and Purpole ............................................ t
Nmrlan Mille _ SEW ............................................... 2
C _el,_v'oom ....................................................... •
SEOL ........................................................
S|el_v tie V_' f ca( cm ............................................... !
c,cs ................................................... :::::::;o=TOI) (V_r;r;catlen =! E$e) ....................................
Olher ProjeCltl and A_lm'oachml ....................................... 11
tloqe on Ou=l;_ En_phasie ........................................... I_
Summary ..... 13
C o_:tuslw'.= .................................................. t4
Auql_J_ i
Harlan Mills and SEW
Mills led massive software engineering education
program
- Software Engineering Workshop was cornerstone
I 2 w.k course
I Taught to all programmers
I Required to pass final exam
SEW centered on mathematically-based verification
- Functional instead of axiomatic
I model oriented instead of property oriented
I designed to scale up (stepwise refinement)
I easier for programmers to understand
- 2 pieces
1. Deriving program functions
I Trace tables (basically manual symbolic
execution)
I Recurson instead of loop lnvariants
2. Module-oriented
I abstract data types
I constraints/closure on state data (abstract
state machine)
• i
84 _=
Harlan Mllls and SEW ... Cleanroom
• SEW designed to be practical
- relatively informal
- scaled up via abstraction/refinement
- lots of examples and exercises
- final test : pass fail
• Advocated for all programming, not just critical parts
• no support beyond education
• Named after silicon chip manufacturing environment
• Built on SEW foundation, adding
- Continuous inspections (SEW style verification)
- Statisical testing (MI"rF prediction)
• Advertised through case studies, not classes
- no tools
- no consulting
• General reaction was that it was impractical
- too tedious
- seemed only for toy problems
• Dld not galn widespread use
Demonstration projects using highly skilled
develope_
To demonstrate benefits
To show it can be done, it is practical
• Demonstrations projects were success stories
AujAB 3 A._n 4
Cleanroom ... SEDL
Showcase project was COBOUSF
- Transforms unstructured COBOL into structured
COBOL
- 52,000 SLOCS developed using Cleanroom
- Results
II 740 SLOCS / labor month
II 3.4 errors / KSLOC (before first execution) (70
avg incl. UT)
II no error ever found during operational use
Advocacy of Cleanroom continues
- Widespread use not yet attained
- But there is a lot of interest in Cleanroom
Intended to support SEWlCleanroom verlflcaUon
concepts
Built as an extension to Ada
SEDL compiler generates Ada
Supports design execution
- though SEDL generated code my be inefficient
Includes
- Abstract data types (set, list, map, etc.)
- User defined data models
II model vs. representation
II constraints
- Supports mathematical notation
II (X in CHARACTER : x/= 'Q'}
II exists X in S : P(X) and exists Y in T : P(Y)
II P>I and not (exists Q in 2..P-1 : P ram Q = O)
• Use of SEDL is not widespread
85
.... 7 ........ _ - -7-" --
._ - Z_j •
. • 7.= =_'_ --7 -
: =
=
=
=
Z
=
=
B
I
Other Projects and Approaches Note on Quality Emphasis
Application above the code level
- Development of a "Box Structures" design
language
- Development of a "Box Structures" approach to
requirements
- Results
II SA/SD approach to design most popular new
approach
II Requirements still written in English
Emphasis on SEW concepts
- Concepts generally well accepted
- Loss of rigor reduces mathematical basis
• Software quality has extreme emphasis
Great emphasis on process improvement
Serious attention given to quality goals and
measurement
Quality motivation programs
II awards and recognition
II Manned Flight Awareness program
• There is willingness to work hard and invest for quality
The question is not what or how much but how
- FM is generally perceived as not helping
A._yn 1_ A,_J_ t2
Summary Conclusions
A,WW
Goal was to increase the use of formal mathematical
approaches to software development (beyond a single
project)
1. First through education
2. Then through demonstration projects
3. Then through tool support
4. Then by making methods more practical
5. Finally through direct support (consulting)
There have been successes
- not nearly as widespread as desired
This story Is not unique to FM
- The problem Is with technology transfer, not with
technology
t3
pI_(;c.u_'NG PAGE, _LA_'_iK ;',iO'
Conclusion: Technology Transfer is very hard, even
with
- extensive education
- tools support
- demonstrated successes
Possible future directions
- More consulting ('hand holding') (product
champions)
- Use only a core group (FM may Just not be for
everybody)
- Require use of FM (selected groups)
- Success story close to home
II technology transfer diminishes rapidly as a
function of distance
II long term committment is required (success
story requires continued follow-up)
- Different formal method(s)
- Different toots (e.g., theorem prover)
' _i..iviED
87
14
=i
=
i
138
Reliable Computing Platform
Ben DiVito
ViG'I\_N
pREOEDtNG PAGE BLANK PlOT FILMED
89
0I • • • • 9
1
L
V
• g •
! i o
o
90
91
o,._
,m
&
j • j
!
j
I
M
J
'_ 1
!
8_
• • B B
G
=_
92
Jii J
ii i
_I_I
l,
.I J
J
._I
g.
J
i
::
m J
}-[]w
|
m
g3
.|
@.
*s
)
el
's
|]
_ r.. It
i 11i ,
b_
'S
<P
,_ _.'_ :,.
oo,_ =- i
_,_ _ _
_'_ t.._ _ 'j
_._ _'_ _ _ _
m
_-.
_.J..
- t
.11
Z
|
J
'd
.S
L
J
qP •
o_
g4
i
J
t
J.
l
I'!.i
:_ .|
j-
95
!!
i
.! t.1
ilI
1
.1
g
'J .I
ii
8 n
_J
Z
cg i
n
..o .1
II
|
i
°i
w II
I°
i'
,1
te
-i
•-_ | i
_ _
_!!.-
r_
|
t
i J li
ii
96
.!
r_
!
.I
,!
I
_-o_ )
I
oI
.!i
It
|
i
m
z
I
J!il
i !!
1 I!!
tim
r_
_ 97
d
0
,i,q
.|
a _
_ ,
o
.|
g8
.|
_r
-7
T _
_. <
gl _ <:
1t
J_
j _
"_"j i'_ "1+ _-
In u T _
=
i
i
!|
=
2.
=
z
=
• _'_
i:
t_
N
_ _,,_
_. ._-__
_._ -. tl,
t
Z
99
r/)
o
° !
• Q
T
I=
.o
(I,1
• • • 41
k
o
.o
.|
-_ t " _ _'__-_
.,:_= if _ __ ,,: :.¢_'_'-._ _ _ _ :
"_ _ _ ._ _J = II _ = ]5. ] II II 11
•.=_ ._ c ..8
_ ,.,= _-.,< << ,_"
100
=
=
= .
=
=
=
@
Clock Synchronization
Verification and Implementation
Paul Miner
S),stems \.Llidation Methods Branch
NASA Langley Research Center
- 101
!
i !I
_J
r_
=.
--
L
102
O0
FT;_;;;:;
i, is
=1!
6,..¢
• w .--
-_ N " °_'_
• -- 0 "_
E_
i,'i C
_ _ .-
_ _. .
'_ _ E _
i
_ N
_i _ __ ,,,,
103
bJj,_
t..E -_
.c: O_ _ _
"0 E e o--
0
$
.- _,. _ 8
• • • • • • • •
=
0
_ E
_. ¢_ _ '._
u _ e-
_o_ __
.-_ , __ _,o
__g_
"-- .I= _ _'I
_._o
'*" '_ _- ! ! uJ ,_ _:'_ L_
104
C_
u
0
m

=106
NASA's Strategy for Technology Transfer
Sally Johnson
Systems Validation Methods Branch
NASA Langley Research Center
PREOEDING PAC._ BLANK t',iOT FILMED
107
NASA'S STRATEGY FOR
TECHNOLOGY TRANSFER
by
Sally C. Johnson
NASA Langley Research Center
GOAL
Technology Transfer to Industry
One o[ NASA's major goals is to l)rovide the U.S. aerospace indus-
try with tile tools and techniques they will need to be worhl-class
competitors in tile coming decades.
108
L
"rech**oh)gy 'rralls l'c'r
rxI.g'l'lN(;
I:OI_MAI. M F.'I'I I( )l )S INI)I IS'I'RY
TO()I 3 & "rl-('l INI(.)[ I1-."; NI,].l).g
SYSTI,'.M I:AA
I )l':.gl( ;NI':RS
FORMAl, MI':TII()I)S
"STA'II': ()F TI lit Iq_A('I'ICI-"
W_.'killg wil.h l,l(lli._t, ry
• ih)_i*lg I)ll ! I,;.',lwarl,, v(_rilir;lli(.,
• ih)l,ill_ SVM har_lwar(, v(.'rili('ati_.l
• (LNI)I,/()I{ A Sl'l)l'l_l)lllll'll Ilill'llwlll't_ w_i'ilical, i_Jll
* ()IIA Vi,rilical.iu** o1" A_hl llllliil('_ll, illll ._llfI,W;ll'l_ I'rlllll NASA (lod-
(l;ll'll llllli .h)llllSllll
l"l)l'lllill .I)(;cilic"Lil"l llllll vl,rilic;_li(.I o1" ¢:ill()ll(lllr I,I, ilities
Mo_l(_-(,q.li, rqd I)an_d I._.ic _1" IIo(-'i.t_ 737 eXl_erimeill,al sysl,_,m
Sl)l..cilil_(I i,l I,arcll
. (',lwrt;mll, ly I)lH'silillg I'1_1m'l' I)r_Li_,cl,._
109
Working with tile FAA
• Digital Systems Validation IIandbook Chapter
• Tutorial presentation to SWAT (SoftWare Advisory Teatn)
• Formal specification of GCS application
• RTCA comtnittee DO 17813 standard
110
Verification of FTPP Scoreboard
and Spectool
Mark Bickford
()dyssey 1Research Associa.tes, Inc.
111
I,,0
112
0t-
O
0
0 0
'_
o
j_ 0
o
U rJ) c
F:
CL J3 _ C
E _ >"" 0
C _ >
',_ _0 .- _ --
(D O)
,,_ j::: ¢) _ t-
Z 0 c _ ._
,IT o o< m (.9 u_ n
n n n _ n o
r-
13_
o-
0
E
c
"I0
r-
fib..
>
El
113
114
J
=
=
0115
00
T-
J
116
@
:>
o o
q_l Clv
c_ o" m "-
,..I o cE_ _ _ _ o
• o _
c _0 II .--
• -- C-
•-_ _ ® .c m
•d g m
_ -_ o
t./) ° :] _ I:l
._o _> x<_ ,< c_ 27 w
n n n n
J
T-
O_
J
0_0
i LU Wz zrn 11 rn0 z 0m m u_"> _ _ Z
C_ _ 0
,,e-...0 CI 0 _.. _., 0
_ C_ _ L_o o =5 o
• '_ q) Q-
o c_ c
.,_, o E
0 • :>., _])
•,..- ,.,- 70 O- .,-,
0 0 "- _>" "--
-.-. .*-.. :> E
"_- '_ - I--o o _ c "_
•_, '_ .c _ 00c w o
o
Q_
J
117
..,C::
q.)
2"
H
I-,-
C3
Q..
rr"
ILl
b"J
co
118
r,
u)
{J,
A d) (_
([) U) f,l,
-- (b
(_ lJ
l-J .,I U}
_'J 1.4
{++G lJ ,I "_
.-'I ._ _j uj
f= l-J t } (n f;I,
O' ¢ I , +I
U) _O 'CJ
II _. ,1 .,t
,! I "'!
+, I _4
0 _-'
-M _ (_ t_ . _ ""
P.) P tY, (n 7(/)
_1 0 (t) • *_J
• _ _ II
,-I b c.o
II_ V 0 -4
::3 v _-+ _ .,t
_J (2, I.i :J
L) it"},-, I $i
(D .-.
R o
I.
II + J "
;] <: ,1
• +. C) V)
FJ
:'0 oo 0
I
U) tl t II )4
-,4 0
0 _?J I 0 -,+1
,-- I_ _ E _
_-_ +- • ,, i-J I_ i,
II U_ (n
II " _J "" II
P- _t C ,r-I
_"+ _ _ • _ _--, ""
%-J I ] I } {/_ 4 }
00 0 .... 0 (_ r_
t_ O_ _,+ P..T, f-: E:
(/) _ _ t/) -+l -+1
J
119
|
Z
_W
J
w
$
!
v
w
: _._
4 _W_
_ \
, ?,__a
J
120
8
a_
8
121
m122
(/)
0
-" "u)
{J}" U_ (tj
• (1) O, I J _:
II t ) - | ) ' I U)
Ill I: (/) ,_I in :>
(]) ";'_ , I U) .,I
- 1) C) () I ... _:1
() () (1) u) .,-I
ul ;> ;_ ,(: cl'l _ _ ,6
.... (/3 II () ,x: II _
• _- _._ l)
(1) , I ....
_ 1) " I,i ."1 .,I EJ
:| W, :_ "- , 1 :S I (LI' II
I) ¢} 0 l) _l (tl I) fll uJ _01
_- ,t (fl -- 0 I. _ ,r', _tl .(j
_1 ILl _'O _1 :) () 1.1 (_
() ,l: _lS C) (LI , . () b3 •
•,1 (I) l} ,I ,{: "' -,t _: (/)
nl i_ Ix'l u} II :" (1) li :" 0
..... cql if} .. nl () (/)
• I |: ,L: - .L: .-, .,
ill _1) _d • _d _) "
(1) (]1 LI)
, I , I . I
,,. ( ) (sj
I;o
0
II
i _}, E
o
.__ (,,o () ,.,,-'_
o m E s: d.
_:_ _ _ -u 0 I _ (_ E
X .e--,
0
.--. _ _ 0
"0 (- O9 (n -_
-- o) _ I v)
o T T T T c E
E b_ ,,- _ ,.- _- o _l_ m
n- E o o o o o• • 0 • C _, ,-I
".._
._ o 0 0 0 0 o • m
• _ :3 C
_) 0
ORiGiNAL _:v'_E _S
123 OF POOR QU,2,LKTY
124
=
125
=126
Boeing's Work in Formal Methods
Dave Fura
The Boeing Company
P_NG PAGE BLANK r',_OT,FILMED
127
m
41
>
41
i /
i' \I Ji
" i{!
2
"ill i
"!'JJ'
if! i -"
z
128
A"10
C
0
(.1
v
_P
.>
JD
0
:_ JA
.. _ - _i_
129
r-
U
L-
.o
C
0
m
4_
u
.w
u
o
"0
0
Z"
0
E
0
f/)
U
2
G.
W
® !li!!,,!i
I
1
jli_i
n
0
I,I.I
• =.|
n
_.___i °0
m
130
i"o
Oc
d=c
E_
Oo
u.. 4-.
,<
131
z132
DO-178B and Formal Methods
George Finelli
Assistant Head, System Validation Methods Branch
NASA Langley Research Center
PRECEDING PAGE _i..ANK rIOT FILMED
133
a
z
0
n-
O
(J
,<
m
<
0
I--
rr
a
0
I--
W
1
<
rr
0
u.
a
Z
m
CO
!
0
m
_ _ ;_
t--
"_ < -._ 'T, ;
134
uJ
I-.-
(n
C]
0
-r
=E
-I
,<
=S
n-
O
IL
U)
n-
i,i
Z
0
0
o
o
(n
i_ oI-
u .,>_ <{
c._ u.
woo ._ 3: .u
z3"_= Z
re_m _ I_) C
j oS
f I
_.'.:
N -
e_
o ._
°i
_f
. _ _,:
._. ®6 _o
.OE _"E
0
-I _5 c o_
- _ __
0 _-= _=,,tL _"
"°°i!
°_
° : i
5
135
z136 --
Introduction to
the Boyer-Moore Theorem Prover
Warren Hunt
Computational Logic, Inc.
PREC_NG PAGE Bt.ANK NOT FILMF,D
137
138
!
t
139
| |
ii +
! j+"i i itl
+
140
i
t
J
!
t
I
i
|
141
II
t
!
i
I
!
i
142
i I
J!
l I
,-: w r-m_ o o
N orl . sD .rl .w4PI *-. II "H I_k
"i• _ _ 0 .-'. 0_4.1 ¢_1
,|, i III
143
! ,,i
d
_ ......... J
!ii!i!i!iiiiiii!ili!_n+ _
_r_:_ ::" _ _ _
Ii,+,,lu++++l +t+_ :+++++++++++++i+++
I I
I
I
I
I)
144
145
146
rO_ =
_,,,_ ............_._
L_.._
_- ill
Z
0
- )!
_ _) __
1
!
)
147
mE
148
Introduction to PVS
Natarajan Shankar
SRI International
149
Specification and Verification using PVS
N. Shankar
shankar_csl.srl.com
Computer Science Laboratory
SR] International
Outline
This talk Is a short tutorial on specification and
verification, using PVS as an illustrative example.
• Background to PVS
• Overview of PVS
• Some Examples
Background: Past Experience
Considerable accumulated experience on
verification at SRI
Systems developed at SRI include: Boyer-Moore
Prover, HDM, OBJ, STP, EHDM, etc.
Other Systems used include: Affirm, RRL,
Gypsy, Muse, etc.
Verifications include: Byzantine fault-tolerant
clock synchronization, Byzantine Agreement,
G6del's first incompleteness theorem, and many
others.
Background: EHDM
Designed at SR] around 1984.
A specification environment based on
higher-order logic with parametric modules,
Implementation mappings, Hoare logic prover,
etc.
Theorem Drover based on skolemization, manual
instantiatlon, and Shostak's decision procedures.
Example verifications include: Byzantine
fault-tolerant clock synchronization, Ramsey
theorem, Byzantine Agreement, Fault-masking
and Transient recovery, etc.
150
Background: Lessons Learnt
Decision procedures are extremely useful but
only a small part of what is needed.
Highly automatic theorem Drovers are
inappropriate: difficult to control, and provide
very little useful feedback.
Low-level proof checkers are inefficient (both in
machine and human terms), and also fail to yield
a satisfactory proof.
Logics with limited expressibility are easily
mechanizable, but place a large burden on the
specifier.
Some highly expressive notations are nice for
pencil-and-paper work, but might be difficult to
adequately mechanize.
PVS
Started In mid-1990.
The goal was to combine clear notation with a
productive proof development environment to
produce machine-checked, yet "humanly
readable" proofs.
PVS was primarily Influenced by EHDM, but also
adapts ideas on language and inference from
IMPLY, Boyer-Moore Drover, LCF, HOL, ML,
Nuprl, Vedtas, OBJ, and many other systems,
PVS consists of a core language definition,
parser, typechecker, and proof checker.
Contributors to PVS include Sam Owre, John
Rushby, Frledrich von Henke, David Cyrluk, Judy
Crow. Carl Witty. and Steven Phillips.
PVS: Overview
PVS has been used to check proofs of
• the Boyer-Moore majority algorithm
• ordered binary tree insertion
• a version of the Schr_ler-Bernstein theorem
• Byzantine Agreement
• a pipelined processor (due to Saxe), and
other hardware examples.
These proofs can typically be completed in less
than a day.
Overview: Decision Procedures
PVS proofs make heavy use of arithmetic
decision procedures. Any TflE01LF_J_below is
automatically proved.. CONJECTUEEsare either
false or unproved by decision procedures.
trithueti¢ : 7111E01L¥
1.7.V: TAR m_nbor
aritk : TNFJ)ltEN
I • 2"y IWD y • Sev INPLIES Set • 18,v
bedtrttk ; COEJECTbT.E
z • 2* 7 &liD 7 ( Sev ZRPLIES $*z • 17QT
badarlth2 : O_IIJF._TUIUt
=<0 JID 7¢0 II(PLII_S loy>O
beddiv : _3ECT_ItE
(x/y) • • ]XFLIES z • (1,v)
|oo4dlv : CGgJI_FUBE
y/,,O Itl_ (x/y) • • II_LIF.S x • (yev)
anotherd|v; TNEoRBq
y /- 0 lED (z/y) • (v/y) IRPLII_ ((x-v)/y) > 0
|, J, k: TAB tat|mtlur_th : T]IF._It I_R
2*i • S AWM i • t IMPLIES i - 2
bedulth3: C_IIJ_TUP_
2*x < S AID • • i INPLIES x • 2
END arithuotic
151
Type Correctness Conditions
Denominator for division must be non-zero.
Typechecking the previous theory generates type
correctness conditions, baddlv_TCCt IS not
provable, hence a type error.
arlthMtl¢ : THEDRY
BEOIII
r, y, •: VAR number
arlth : THEOREII
x < 2 • 7 il_ y < S * v IIIPLIU $ * n < 18 * •
badarlth : COWJECTURE
z < 2 • y AJiD Y _ $ * • TNPL] INt $ * z < 17 * •
badarlth2 : COJ J_T_RE
x • 0 LID y • 0 ]NPLIU n * y • 0
baddiv : CONJECTURE
(x / y) • • |NPLIF_ z • (Y " v)
Subtype TCC |ensratod for y
baddiv.T¢Cl: OBL|OAT|OII (FOULL (Y: number): 7 /= O)
gooddlv : C_3 ECTURE
y I= 0 II_ (n / 7) • • INPLIES n • (7 * v)
tnotherdiv: TBEON_q
y /- O An (x / 7) • (v / Y) |MFLIU ((x - v) / 7) • 0
t, J, k: VAR lnt
intarltb: TRF_R_ 2 * I • S _ i > I IRPLIES i - 2
badarlth_: COWJECTURZ 2 * z • 5 AIID x • i |NPLI_S x :
END arl'chmet t c
Example: Binary Trees
Binary trees can be defined as abstract
datatypes.
The following datatype declaration introduces
the constructor leaf with recognizer leaf?, and
constructor node with accessors val, left, and
rlght, and recognizer node?.
Typechecking this datatype declaration
generates the theories binary_tree_adt and
binary_tree_rec-mod (shown below).
5{nary._ : "rYP_ : BITFI2rP_ _ _ _ =
_EGII
lent : leaf? = _'÷ :
node(eel .* T, left : binary.tree, right : blnary.tre*) : node?
binary.tree
I0
Abstract datatype theory
blnary.tree.adt[T: TYPE) : 'TREOR¥
BF_I|
binary.tree: TYPE .......
leafY, node?: PRig(binary.tree]
leaf: (leafY)
node: IT, binary.at;e, binary.tree -> (node?)]
val: [(node?) -> Y]
left: [(node?) -> blnary.tree]
rtJbt: [(node?) -> blnary.tree)
leaf.extensionality: iliON
(FOULL (leafY_war: (leafY)): leaf • leef?_var)
node.exteustonaltty: Alien
(FORALL (u_e?.var: (n_de?)):
node(val(node?.var), left(node?.vLz), rigbt(node?_var))
= nodo?_var)
van.node: AXIOM
(FORALL (nodal.ear: ?), (node2.vtr: binary_tree),
(nodeS.war: blnary.tree):
val(node(nodei.var, node2.vnr, node$_rar))
m nodal.vat)
left.node: AXI_q
(FI_ALL (nodal.war: I), (node2.uar: blnary.tree),
(nodeS.v_r: blnary.tree):
left(node(nodal_vat, node2.var, nodeS_ear)) - node2_var)
right.node: AXIOM
(FORALL (nodal_yarn T), (node2_var: binary_tree),
(nodeS_vat: binary.tree):
right(node(nodal.vat , nede2.var, node$.var)) - nodeS.rat)
blnary.tree.disjolnt: AIIO_
lOT (leaf?(binary.tree.•ar) _1_ node?(blnary_tree.var)))
binary.tree.inclusive: ALTON
(FORALL (binary.tree_ear: binary.tree):
leaf?(blnary_tree.var) OR node?(biaary.tree.var))
binary.tree.induction: iliUM
(FORALL (p: I_[biuery.tree]):
p(leaf)
tn
(IrORALL (nodal.vat: T), (node2.var_ blnary.tree),
(nodeS_vet: blnary_tre*):
p(node2.var) _HD p(node$_var)
INPLI£S p_node_nodel_var, node2_var, nodeb_var)))
II_LIES (FORALL (blnery.tree_var: binary_tree)
p(binary_tree.var)))
11
152
b lnary.t me.nat .ran ((lnaf7 .f_n : mat),
(mode%fun IT, nat, nat -) nat])):
[biztry.tree -> n&t] =
LIBDA (binnry_tree.var: bimeJry.tree)=
CISES binary.tree.vat O(r
leaf: leLt?.hn,
node(nodal_vat, nodn2.var, nodeS_vet):
noda?_fes(nodei.var 0
binnry_t ms_nat _re¢ (leaf ?_f us,
aode?.fun) (nnds2.var),
binnt_/_t rnnooat .roe (lnaf ?.fun,
aode?_fnn) (nndeS.var))
ENDCISES
binary_tren.nrdinnl_rec((lnnf?.fu: nrdtntl),
(nodn?.fnn: [T, nrdintl, ordinal
-> ordinal])):
[binary.tree -> ordinal] =
LJRBDA (binsryotree_var: binary.tree):
CISES binary.tren.var OF
lnaf: lnaf?.fun j
nods(nodal.vat, nodn2°vnro node$.var):
aodn?.tun(nodei_var,
binary_tree_ordinal_me (letf?./un j
node?.fu) (nndn2.vnr),
biaary.t rae.nrdinalornC (leaf?. fun,
node?.fu ) (nodeS.vet) )
SNDCISU
EI_ binnry.tren.ldt
Recursion combinator
binnry.tree_ren.nod[T: TYPE, flap: TYPe]: THEORY
9_lJ
USIJG binary.tree.odt[T]
binary.trnn.rec((lnaf?_fun: tense) ,
(nodo?_fun: [T, ru_e, rL,_o -> rnnte])):
[biniry.ttno -> ran|el •
LJUBDA (binary_tree_vat: binary_tree):
CISES binary_tree.vat OF
leaf: leaf?.fnn°
node(nodal_vat, nodal.war, nodeS_war):
node?_fnn(nndei.var,
binnry.trnn_rnc(leaf?_fu° node?.fnn)(nodni.var),
bianry.trnn.rnc(lenf?.fun, aodn?.fnn)(zode$.eer))
ENDCASee
END binary.trnn.rec.wd
12
Ordered Binary Trees
nbt IT : TYPE, <- : (total.ardor?IT])] : TNEORY
SSOII
OSlJ_ btnnry.trne.ndt, binary.tree_me.nod
1, |, C: Vdlt binary.trnn[T]
x, y, z: ¥1R T
pp: VIE FRED[T]
chnckall((pp : PEED[T]), 1): 1_ol •
b|nnry.trno.rnc(TRUE,
(LANBDA s° (n, b : bool):
(n An b ZND pp(z))))(A)
i. J, k: VItR nat
sine(A) : nat -
binnry.tron.roc(O, (LANDS1 z, i, J: i + J + 1))(1)
orderod?(A) : J_.COISlV_ ban1 •
(IF node?(1) 7NI_I (chncknll((LAHBDA y: y<=val(A)), Ieft(1)) Al_
checknlI((LIKBDI y: vnl(l)<-y), riKht(1)) AND
orderod?(left(A)) AND ordernd?(risht(A)))
ELSE TRUE FJIDIF)
BY size
insert(z, A): RP.CURSIVE binary.trnn[T] =
(CASES I OF
leaf: node(n° lee_, leaf),
node(y° D, C): (|F z<ay TREE nnde(y, |nnert(n, B), C)
ELSE node(y, D, insnrt(n, C))
ESDIF)
E]IDCiSES)
BY (LJJqNDA n, A: slze(A))
orderod?.lneert.step: FORNULI
pp(z) IND chnckall(pp, i) INPtIE3
¢hncknll(pp, insnrt(z° 1))
ordered?.lnsert : FORMULA
ordernd?(A) IJaPLISS nrdernd?(inenrt(s, A))
END obt
13
Example Proof
nrdnred?.inenrt :
J.......
41} (FORJLL (x: T), (1: binary.tree):
erdnrod?(A) INPLI me o_dered?(insert(x, 1)))
Rule? (induct "A")
lnductin| nn i,
this yields 2 subsoals:
ardnrod?_tnonrt. I :
i .......
_1) (FOPJLL (n: 7): nrderod?(lenf) INPLIES ordnrod?(tneert(x, leaf)))
Rule? (skolemi)
Far the top quantifier tn i, nn introduce Sknlen constants: (xf3)
thin simplifies to:
ordnrod?.insnrt.l :
| .......
41) orderod?(Innf) IMPLIES nrdnrod?(insnrt(st3, leaf))
Rule? (dslmp)
Ipplyin 8 dlsJunctlve slupllfi¢atinn,
this siuplifiee to:
ordnrod?.inenrt.l :
{-t) ordnred?(leaf)
| .......
_I} erderod?(lnsnrt(z_$, leaf))
Rule? (rewflte "Insert" )
Rewrltin| using insert,
this simplifies to:
14
153
ordsred?.tnsert.l :
I-i] ordsrod?(]oal)
| .......
_l} ordered?(nodo(zf$, leaf, leaf))
_aleY (rewrite "ordered?" +)
Reoritlng using ordoredY,
this 8implifio8 to:
orderedY.tnsort,l :
i-i] ordersd?(loof)
J .......
_1} (ckeckall((LAHlJDl (y: T): 7 <" x!5), leaf)
ABD ¢hscklll((Lfd(BDl (y: T): x!5 <e y), lso_)
AND ordsred?(loaf) UD ordored?(loof))
_ol*? (assert)
Invokin_ decision procodurom,
this si_plilies tel
ordoredToinsert.l :
[-1] ordorsd?(loaf)
| .......
_I) ¢hockall{(L_qBDA (y: T): y <= X_S). leaf)
AND ¢hockoll((LAMBDA (y: T): x_$ <= y), leaf)
R.I*? (auto-rewrite "blnory-tree-rec|T, booq')
Installing autosatic zevrito8:
binary.tree-zoo[T, boo1],
this simplifies to!
ordored?.inoert.1 z
[-I] ordsrod?(loaf)
| .......
it] ch*ckall((LAMBDA (y: T): y <= s!3), loaf)
ARD ¢hsckall((LAMRDA (yz T): x!3 (= y), loaf)
ordered?.iuort .2 :
| .......
41) (F_iLL (nodeS_vet: T), (nodol.ror: b/neff.tree),
(nedo$.vnr: bleary_tree) : _
(FOPALL (x : 7) :
ordered?(nodel_var) _NPLI_S ordorod?(insert(x, nodal.rot)))
AgD
(FORA tl (s: T):
ordered? (nodeS_vat)
IIqPLIE_ ordered?(lasert(n, nodeS.vat)))
]NPLIES
(YOJUILL (s: T):
ordsred?(node(neds|_var, nods2_var, nodal_mr))
I_qPLIES ordorodY(tnsort(z, nods(nodal_tar,
l_ods2_vnr,
aodsl_rnr)))))
]tul*? (skoJem_)
For the top que_tiftor in |, we introduce _rolme constants:
(nodal_vet!4 mods2.vnr!8 nodal_vat+el
this simplifies to:
ordsredT.inanrt .2 :
| .......
{1} (I"_AL[. (s: T):
ordorsdT(nodsl.var:S) ]NPLIES otderodT(insort(x, n_el_=Vt_S)))
AID
(FORJ.LL (x : T) ._
ordered? (aode$.var ! 6)
|J(PLI_ ordered?(insert(s, nods3-vnr!6)))
INPLIES
(F_LL (r: T):
srdsred?(nods{nodsi.vsr!4, nodal_vat:5, nodal_vat!6))
INPLIF3 ordsredT(insert(n, nodo(nodel.vor!4,
nodel_ve_r !6,
nodol_var ! 8))))
his? (then (sptlt)(rewrlte "checknfl'))
Splittlng ¢onJonctlons,
this yields 2 sabgoals:
t-i] ordered?(lsed)
_!} rkorkoll((LAIq_A (y: T): y <- x+3), loaf)
Rewriting ultng checkoll,
This completes the proof Of ordsred__t_sort.l.l.
ordered?.tnsert.l.2 :
[-1] orderedT(leat)
J .......
(i} chockol1((LANB_ _fi T): s_ <= 7), ls_)
This coupletem the proof of ordsredT_tnsert.l.2.
This couplotos the proof Of ordsrsd_-insert._1. --
ltuZ*? (dMmp)
&pplyfn 8 disJanrtivo simplification, -
this simplifies to:
srdored?.lassrt .2
,(-i) (t_tlL_.(s_ T):
ordered+ (nodal.vat, r,)
INPLI_3 ordsredT(insert(z, nedo2.v_r!S)))
ordered? (nods$.vnr _8) 1
INPLI I°e ordored?(insort(z, n edsl.var!8)))
41} (FOP.ALL ( X : i _ _ 1 "
ord*red!(nodo(nodsl_r_r'4o nodel-vnr(6, aode$.rar!6))
INPLTE,q ordered?(inssrt(n, node(nodei.vnr!4,
nodo2-vtr ! 8,
nodal_vat !6))))
Ruts? (skolem_)
For the top quantifier in 1, go introduce Skoleu constants: (x!7)
this stmpllfian tO:
ordered?_insert.2 :
[-13 (FO_ALL (x: T): .............
order ed? (nodal.vat ! 6) ....
IMPLIrq order!dr(insert(x, nodal.vat!S)))
[-23 O"OlULL (s: ?)_ ......
order ed ? (no_do3-vnlr !6) _
INP[.I_ ordsred?(Insert(n, nede3.var!e)))
J ....... T_ T T
_1} ordsred?(nods(nedsl_var!4, aods2.rar!S, nodsl_v_ri6))
|NPL|ES ordsrod?(_esrt(x!?, neds(nodsJ_var!4,
nsdol.rtr !S,
nede3.var !8)))
=
-2
m
154
ItslsT (rewrite "ordered?" -i-)
h_ritiq ueiq ordered?,
this slmpllfios to:
ordsred?.lnsrt .2 :
[-i] (F_tALL (x: T):
orderod?(node2.v_r _ 6)
IMPLIES ordered?(insert(So nodel-ve_rtS)))
[-2] [FOBILL (x: 7):
erder ed? (modeS_war t 6)
IIIPLTQ srdsred?(lussrt(z, andeS-raftS)))
| .... n.
{i) [chscknII((LABD& (7: T): 7 "= nodsl.eart4), nods2.ver_$)
AND chscksll([L/MBDi (7: T): nodeS_rare4 <= 7), nodeS_verSe)
IIlD srdsred?(node2-v_rt6) /JJD ordsred?(sods$_vartS))
INPL|ES srdered?(issert(rt?, node(nodeS.yarn4,
his? (d_mp)
ipplyin| disjunctive siupll|lcitton,
this simplifies to:
srdsrod?.tnsert.2 :
node2-vut6,
node$.wrte)))
[-i] (FQRALL {z: T):
ordsred?(nods2_vulS)
IMPLIZ-q orderod?(tnssrt(z, node2_vtrtS)))
[-2] {FOgtdLL {X: T):
ordsred?(node$_vsr;6)
ZNPLII_ orderod?(insert(s, nods$_vnr_6)))
_-$} checknl]((LAl_JDl (y: 7): y (= aodsi-vsrt4), sode_.var!6)
(-4) chscktll((LllmDA (7: T): nodel.vsr;4 (= 7), nodeS-vet!8)
l-S] oresred?(ueds2-v_r;S)
_-S ordsred?(_eds$_var_O)
| .......
41} ordsred?(insert(st?, nods(sodsl.verte,
seds2.vsr;6,
sedeS_vsrtS)))
lisle? (rewdte "insert" +)
|ssrrittn| units| insert,
this 81npllfiss to:
srdered?.inssrt. _ :
t-i] (I_P.AT.L (z: ?):
ordsred?(msdel.vLr ! S)
|NPLIES ordsred?(inssrt(s, nods2.var;6)))
[-2] (YOItiLL (x: 7):
ordered? (t_odel_vtr t S)
IMPLIES ordsred_(inser_(So nodeS.war;S)))
[-3] chscksll((LilqBDi (7: 7)_ 7 <= nodel_vtrt4), _ode2.vsr!S)
[-4] checksll((LIKBDA (7: T): nodel.vart4 (- y), nodeS_yarnS)
I-S] ordered? (node2.var ! h)
[-8] ordsrod?(node$.vu _6)
| ......
{1} ordered?((|F st? <= uodel.vsrt4
Tram
node(nodal_rat t4,
insert(s!7, nodsl.vsr _S),
nodeS.tar t 8)
ELSE
mode (nodei.var t 4,
node,_vat _6,
insert{s!?, sodeS.vsr :S))
Es_Ir))
RsZs? (lift-if)
Lt/tin(; IF-conditions to the top level,
this s/spittles is:
ordsrod?.lnsert .2 :
[-1] (FORALL (as T):
or dot ed?(node2_vnr; 6)
|NPLII_ orderod?(lnsert(s, nsdsl_var!S)))
(-2] (FOAALL (Z: T]:
ordered? (nodsLvu ;e)
INPL|I_ ordered?(tssort(s, node$-var;e)))
[-3] ¢hecke/I((LIKBDI {y: Y): y (a sodei.vmr:4), node2.vsr_S)
[-4] chsckalI((LAI(BDA (y: 7): nodeS.re, r;4 <- 7), nodeS.rut6)
I-S] ordered? (neds2-vlur; S)
I-S] ordered? (node$.vtr; S)
| .......
_1} IF st? <- aodel_wr14 . .
111111
order ed?(nods (nodel_var 14,
Insert (xt 7, neds_.var t S),
nede$_var ! S))
ELSE
order od? (l_ode (Iodel -vast t 4,
nodel_vs:r t S,
insert(st ?, node$.vert 6)) )
ESDIF
lisle? (propS)
By propositions] simplificstisn,
this yields 2 subsoals: " _
ordered?.tnssrt.2.f t
_-i} r;? <- nodei.vLrt4
[-2] (FOItALL (x: T):
ordored?(sode2-vsr;S)
INPL| _e oTdsrodT(insert(s, nods2-vsrgS)))
[-S] (FOtALL (r: _):
orderodT(node$.vtr;8)
IMPLIES ordered?(tusert(s, sedeS.vsr16)))
[-4] checksll((LdESDl (y: T): y <- nodei.vlcr;4), node2_vnr;S)
[-6] ¢hecksll((LiNl!lDA (y: T): sodei.vnrt4 (= y), nodeS_vet;S)
[-6] ordersdT(seds2.vnrl$)
[-73 ordsred?_ods$.wrt4)
J .......
_i) orderedT(nods(sedei.vtrt4, insert(st7, sodel.vartS), sodeS.vsr_6))
_nls? (rewrite "ordered?" _-)
Re.finis 8 ssinj ordered?,
thls sinpllties to:
oz_JeredT.isssrt.2.1 :
[-1] st? <e nodei.vart4
[-2] (FORALL (s: T):
ordered?(_ode2.vtr;S)
IMPLIES srdered?(Isssrt(r, node2.var_S)))
[-$3 (FOP.ILL (x: ?):
ordoredT(sode$.ve_r;_)
IMPLIES srdered?(lsssrt(r, nodeS-yarnS)))
[-4] chockslI((LANSDt (Y: 7): 7 (0 nodei.vtr;4), nods2.vsr!$)
[-6] chsckaZl((LINIDl (y: 7): nodst.vtr!4 <- 7), sode$_vnr!e)
[-S] srdsrsd?(sod_.vart$)
(-7] orderedT(nedsS.vtr!6)
| .......
_i} (checksll((LANBDa (y: 7): y <= nodei.vnr!4),
insert(st7, sodo2.v&re6))
ASD ckockall((LIMBDA (y: T): uodel-vsr!4 <= y), nodeS.vat!S)
ilrP ordsred?(t_ssrt(st?, nods2.vsr!$))
_ES srdsred?{nodsl.nr!e))
155
Xul.? (quint?)
Found substitution:
• lets •;7,
Instontiatiu| quutifted variables,
this 8iIplltieo to:
ordered?-inunrt.2.1 :
(-I] z!? <= nodei_vlr;4
{-2) orderedY(mode$_ror;S) INPLII_S erdered?(tnsert(s!7o node2_vmr!S))
[-3] (FOJIILL (x: T):
ordered?(nodeS_vtr;6)
INPL|E-S ordsred?(insert(•, nodeS_varY4)))
[-4] chsckIll((LAKBDA (y: T)I y <= model_vat!4), node2.var!_)
[-el chsckelI((LAMDDA (7: T): model.per!4 <8 y), nodeS_vat!el
[-6] ordered?(oods2.varlS)
[-7] ordered?(node$-vor!6)
i .......
[1] (checkall((LANBDA {7: 7): 7 <= model.vat;4)+ - .....
insert(t!7, nods$_vtr;$))
AiD checknll((LANBDA (y: ?): nods|.vnr'4 <= y), nodsq_ver!6)
AND orderod?(lnsert(x!7, •ode2_rer!5))
AND o:dered?(node$-vnr!$))
Rule? (propS)
By propositional sislplificltion,
this siuplifies to:
ordsred?.insert.2.1 :
_-1) ordered?(imnert(x;7, mods2.var!S))
[-2] •;7 <= nods|.var!4
[-3] (FORALL (•: T):
ordersd?(nodeq.vtr!e)
IMPLIES ordsred?(insert(x, sideS_vet;6)))
[-4] checkolI((LANBDI (7: T): y <- model.par!4), node$_ver;S)
[-6] chsckell{(LiNBDA (7: 7): model_vat!4 <= y), •edoq.v_r_6)
[*el ordered?(node$.vLr!S)
[-7] ordered?(nods$.vzr;6)
| .......
_1} chscktll((LANBDA (7: T): 7 <, nodsl_vtr!4),::
insert(s!7, node2_ver!6))
R.Ie? (rewrite "ordered?insert_step")
RsmTttin 8 gsin G ordered?.insert_step,
T_iJ completes the proof of ordered?_innrt.2.i.
ordored?_inssrt,2.2 :
[-s] (POIIiLL (s: Y)_
ordered?(node2-ver!5) + "
IMPLIES ordored?(inssrt(•, node2_var!G)))
[-2] (FORALL (z: T):
ordsred?(node$.ver!6)
IMPLIES ordered?(inssrt(s, noqsB.v&r'8)))
[-33 checks11((LAlqBDi (y: T): y <- nodlS.Vu!4), uc_Se2-var!8)
[-4] checkeIlf(LAKBDA (y: 1): model_tar!4 <= 7), nodeq_rer!8)
[-8] ordered?(nodo$.var;S) _: :
[-8] ordered?(node$.vmr!8)
!...... . _=+_,-_y _,_...... __......
41} x!7 <" model.vat!4 ..........
<2} ordsrod?(nods(nedll-vir;4,
uode$_Vtr;S, __
insert(x!7, nodeS.vet!el))
hie? (rewrite "ordered?" +)
Rsvrltin G nlin| ordered?,
this simplifies to:
ordered?.lnsert.2.2 :
[-i] (FORALL (x: Y);
ordered?(node$.vmr!8)
IMPLIES ordered?(insert(x, node2_var!S)))
[-2] (PORALL (z: T): .....
ordsred?(nodoq-vtr!8)
]1qPLIES ordered?(insert(x, nodeS_vat!el))
[-$] checkaII((LA|IBDA (y: 7): y <" model_err;4), •ods$.var!8)
[-4] checkall((LINDDA (7: T): model.vat;4 <- y), nede$.var!8)
[-6] ordsred?(node2_vo_r!S)
[-6] ordered?(mode$_vtr!4)
| .......
[!] • ;7 <- nodeS_varY4
(chsckalI((UMBDA (y: T): 7 <= nodsi_vmr!4)0 node$_rtr!S)
lid
chsckoll((LAMBDA (7: T): nodel_vez;4 <= y).
insert(x;7, node$.vnr !8))
tND order ed ? (node$-var !S)
AND ordered?(insert(s;7, nodeS-vat!el))
Rule? (quartO? -2)
Pound substitution:
S _et8 X!7,
Instentlmti_ q_utified varieblss,
this simplifies to:
156
erdersd?_inssrt.2.2 :
[-1] (PORALL (x: 1):
ordered?(nodo$.vor!S)
IMPLIES ordered?(inssrtCs, node2_vnr!5)))
{-2} ordered?(nodeS.var!8) INPL|ES ordered?(insort(x!7, nodsq_vtr!8))
[-3] checksll((LANBOi (y: T):y <= midSt.Tar!4), nods$_var;6)
[-4] checkeIl((LAMBDA (y: T): nodet-ve:;4 <- y), nedo$-vnr!d)
[-8] ordersdY(nods$_vsr!6)
[-8] ordered?(oodeS_eLr!@)
| .......
(1] x!7 <- nedsi:_r!4
[2] (checke11((LAHliDA (7: T): y <= modsl.varl4), node2.ver!8)
ASP
chIckniI((LAHBDA (7:7):nodl|.vir+4 <' _).
tnunz_(x!7, nedeq.ver!8))
AgD ordered?(node$.var!6)
111) ordered?(inssr_(x!7, neds$.var!6)))
Rule? (propS)
By propositional limplificttion,
this simpliliss to:
ordered?_iunert.2+2 :
_-1} ordered?(insert(•!7, node3_var!6))
[-2] (FORALL (x: T):
ordsred?(node2-rtr!$)
|HPLIES Orderod?(iulert(•, nede2_ver!S)))
[-33 chocRaII((LAI(SDI (y: T): y <- model.err!4), node$_rer!6)
[-4] checkaII((LAHBDA (y: T): nodsi._mr!4 <= y), noqeq-ver!8)
[-6] ordered?(nodo2.var!_]
[4] ordered? (nodeq_vtr _8) ..........
| .......
{1) checkoll((L_4BDI (y: ?): model.vat!4 <- y),
inser_(x;7, nodeq.ver!8))
[2] x!7 <- model-vat!4
r
%
I•1•? (rewflte "ordered?JnsertJtep" )
Rewritin 6 glll_ urdsrod?.|o••rtJtop,
thin stnplifio• to:
ord•rod?.luort .2.2 :
[-1] •rdered?(lm••rt(• !7, •od•$.vor ! 6) )
[-21 (F'OItA',,L (u: T):
ord•r od?(ne_o2-v_r ! S)
INPL|tm •rd•red?Eins•rt(•, aod•2.verg6)))
[-$] ckockall((LJKBDA (Y: T): y <" model.wart4), nods2.var_S)
(-4] ck•ckslI((LAHBDi (y: 7): •od•l.vu!4 <- y), •odeS.ratiO)
I-S] ordered? E•o45e_.ve_r ! S)
[-6] ordered? {nod•$_vtr ! $)
| .......
t_ •od, l.v•r,4 ,- •17ch•cktlI((LINI_A (y: 7): •od•i_vor!4 <-y),
l•••rt (n !7, nOd•_-VU !g))
[3J •_7<= •od•l.var 14
R,I•? (typepred "obt.<=')
Addin| tlqpe con•trot•to for •bt.(e,
this si_pllfi•• to:
orderod?.Ins•rz .2.2 :
i" i) total.oral•r? El3 (•bt.(=)
[-2] ordersd?(tn•ort(•_7, •od•$-vtr 18))
E-3] (rORALL (n: 7):
ordarod? (nodo2oV•r ! 6)
INPLIES ordarod?(i•sert(•, •od•2_var!6)))
[-4] chock•ll((LANBD& (7: T): 7 <" •od•l.var_4), •odu2_var!6)
E-S] ch•ckell((LAKBDI (7: 7): •odoi.var!4 <= 7), nodeS.wit!e)
[-6] ord•r•d? (Bod•2-v•r ! S)
[07] ord•r•d? (•od•S-v•r ! 8)
| .......
(1] nodei_vor!4 <" •_7
[2] ckeck•ll((L/lfllDk (y: 7): nod•l_var14 <- 7),
in•ors (x !?, nud•3_war t 8))
[3] s!7 <= •odoi.vtr!4
hie? (rewdte "total_order?')
Ruwritl•| osiris total.oral•r?,
this stmplifi•• to:
ord•red?.in••rt._. 2 :
t-l) VO_r..L(•, 7:7): •_-yae$,<-x
[-2] urd•red? (in•or t(• ! ?, nodeS_wit 98))
E-S] (FOtlLL (z: ?):
• _l•r ed? (•od•:.var ! S)
INPL|ES urd•red?(inssrt(z, •odo2.var_6)))
(-43 ch•ckoll((LiNBDi (y: T): 7 <= •odel.vur!4), uods2.vu!S)
[-6] checknU((LANBDA (7: 7): •odor.war!4 <- 7), node3.vur!8)
E-e] ordered? (uod•2.var _ $)
[-7] ordered? E•od•S.vu !8)
| .......
[l] nodeS-war!4 <= sit
E2] check_IEELAI(BDI (7: 7): •oriel.war!4 <- y),
tan•r• (• !7, nod•$.vur! 4))
E$] n!7 <= nod•l.war!4
h•l•? (quest?)
Fo_d substitution;
y (st• n17,
• 8ere •oriel_war!4,
=•stontittll_ qaantlfled variables,
this simplifies to:
orderod?.losort .2.2 :
t-l} •odo/.var!4 <_ sit DiS z!7 <= nodel.vor!4
E-23 ordersd?(lusort(• !7, •odo$_vtr ! 8))
E-S] (FOIt&LL (x: 7):
urd•redY(•od•2-wtr ! S)
ZNPL|Im ordered?(tx•ort(z, node2_varI6)))
[04] ckeckall({LdlmD4 (y: 7): 7 _" nodut_vezt4), node2_vart6)
[-63 checkalI((LANBDI (7: ?): aerieS.rat!4 <- y), nodeS.war!e)
[-4] urdored? (nodo2.vtr I 6)
[-7] ordered? (nodoS.ve_r ! 8)
| .......
Ell nodel.var!4 <= •f7
[2] chockull((LIRBDA (7: 7): •odoi-var!4 <= y),
tnsort(nl?, node$-rar ! 8))
E$] st7 <0 nodeS_yarn4
Rule? (propS)
By pToposltio•ol stmpltfic&t|ou,
This coq_letos the proof of orderodY_i•sort.2.2.
This completes the proo_ of orderod?_tneert.2.
q.z.n.
Sun the new proof? (Yes or lie) 7*•
gould 7on like a brief prixto•t of the proof? (Yes or go) yes
orderod?.ixsert :
| .......
_1} (FORALL (x: 7), (A: binary.tree):
ordered?(A) IliPLIES orderod?(tnsart(z, l)))
|nducttn| on I,
which yields 2 subgools:
orderod?.insort.l :
| .......
tl) (FO_tALL (x: 7): ordurod?(|ea/) INPLIB ordured?(lnsert(z, lout)))
For the top quantifier in i, •• introduce Skoleu constants: (xt$)
Applyin 8 dlsJuoct/vo simplification,
neuritis| •aim 8 insert,
Rouritiq •sin_j ordered?,
Iuuokinj decisio• procedures,
lantslllu 8 automatic roarltss:
blnary_trse_roc[7, buell,
Split•in| conjunctions,
which yields 2 sobtools:
ardarod?.insort.i.t :
l-l) ordored?(lusf)
| .......
it) chschtll(ELARBDI (y: T): 7 <" x_$), leaf)
lewrtttn| •in 8 checht)l,
This cot_pletes the proof of erderod?.insert.i.i.
orderod?_insart.12 :
t-1} orderod?(lnf)
| ......
li) ckeckal)((Lf_q|Dl (y: 7): z!3 <= Y), leaf)
lewritin 8 •sin 8 checktll,
This couple••• the proof of orderod?-tns•rt.l.2.
157
orderod?_lnssrt.2 I
| .......
{i} (F(NULL (neded_var: T), (nede2_var: binary_tree),
(nedeS_var: binary_tree):
(FORALL (z: T):
orderod?(nedo2-var) IHPLIES ordered?(lnsert(a, nodo2_var)))
_8D
(FOULL (at Y):
ordered?triodeS.vat)
INPLIES orderedY(laeort(r, nodeS.vet)))
IRPL1fl_ .....
(F(_ALL (n: T):
ordored?(nodo(ao4ol.var, nede2_vsr, nodeSoTar))
TNPL|ES
ordered?(insert(r, nods(nodoi-var,
node,-Tar,
nedS3oTar)))))
For the top quantifier in i, ge introduce Skoleu conotute: ==:
(nodelovnrf4 node2.var!S nodeS_Tar!e)
lpp]ytn S disjunctive eispltficetion,
For the top quantifier in i, we introdnce Sko]eu con|taste: (s!?)
Revrttta| asin$ ordered?,
Applyin S disjunctive eimpllficatios,
Revrlti_|bJln S insert,
Ltfttn| IF-conditions to the top level,
By propositional sinpllficatlnn,
vhich yields 2 8=btoalsx ! _ _ _i_ _*
erdered?.insnrt.2.i =
4-I} a!7 <= nodal_vat|4
{-2} (FCaALL (s: T):
ordered?(nodo2-var!6)
|NPLIES ordered?(insort(a, aode2.var!S)))
{-s} (F_qALL (st T): ....
_-6} chack_ll((Lil_bi (7: T): nodei.var!4 <- 7), nodeS_vat,e)
{-?} ordored?(nodqS.var!8) _: _ _ " :
{i} ordere_?(nods(nodol.var!4,
ineort(=!?, node2.var!6),
node3.var!e))
RoTritin$ asia| ordered?,
|netentlatin| quantified variable|,
By propositional simplification,
Revritin_ uetn_ erdered?.insert_otep,
Thlo ¢onpletes the proo_ o_ ordo_od_inqort.2.1 .... !._
ordsrod?.iaH_.2.2 :
{-l} (FORALL (x: T):
ordored?(node2_vnr_S)
IMPLIES ordered?(inssrt(r, node2_rar!6)))
4-2} (F_I_ALL (x: T)t
ordsred?(node$-ve_r!_)
IMPLIES ordered?(iassrt(z, noda$_vtr!e))) .
4-3} checkall((LA_DA (y: T)= 7 <= no4sl_var!4), no_e2.v_r!S)
4-4} chsckall((LANlSDl (y: T): sodei.varf4 (= y), nodo$.rtr!e)
{-S} ordored?(neds2-va:|S)
_-8} ordered?(node$_vartd) _
J .......
{2} ordorod?(nodo(aodol-vnr!4, _ _ _
nodo2-vsr_S,
insert(at?, node,.retie)))
ZeTritin| usin_ ordered?_
I_stentiatin_ q_a_tifted variables,
By propositional sinplificstion,
ltevritin K ustn K ordered?_inssrtJtep,
Adding type constraints for obt.4_ _ : : _ _:_
Rogritin| uoin_ total-ordsrY,
Instsntiattn| quantified Tartablee, ._
BY propositional elupltflcati6t,
This completes the proof of ordsred?.inos_t.2._.
Q.E.D.
Notes on the Language
The core logic is a simply typed hi_gher-_order
logic.
Specifications are structured into parametric
theories.
Types can be parameters ..... _,,
Assumptions can be used to constrain the
parameters.
Set-like predicate subtypes can be defined.
These make the domains and ranges of
operations explicit.
Theorem proving Is employed to carry out
typechecking. = =_ -
Automatic facilitiy for generating abstract
datatype theories.
15
158
Notes on the Proof checker
Sequent representation for proof goals.
Backwards proof construction by applying
red uctions.
Heavy use of powerful decision procedures for
equality and lnecluality.
Powerful primitive inference steps.
Roughly twenty such steps.
Strategy mechanism for encapsulating proof
patterns.
Ability to save and rerun proofs and partial
proofs, and display proofs.
Conclusions
PVS exploits the synergy between language and
inference.
The combination of powerful inference steps:
decision procedures, rewriting, propositional
simplification, etc., makes it effective to develop
proofs that are both certified and convincing.
Future goals:
• To enhance the language to further exploit
the inference capabilities
• To generate readable proof outlines
• To make proofs robust and easier to
maintain
16 17
159
160 z
Logical Foundations of Computing
over the Floating Point Reals
Richard Platek
Odyssey Research Associates, Inc.
PREGEI_]3 pA_ BLa.NK NOT FILMED
161
bLogical Foundations of
Computations over the Reals
Richard Platek
Odyssey Research Associates
ORA
12 August 1992
NASA FM Workshop
© ORA Corp, 1992 _"_/'A"I
SL-0046 1
162
Two ORA Technical Reports
"Verification of Numerical Programs Using Penelope"
"Denotational Semantics of Numerical Programs"
00RA Corp, 1992 _1_/_
SL-0046 2
Basic Problem
What does it mean to say that a given program "computes" a real valued
x
function such as sine x or e when it never really does?
Classical answer:
The program computes an approximation which is "sufficiently accurate"
But what does that mean?
O ORA Corp, 1992 _ll_")j,_
SL-O046 3
163
Two Fundamental Problem Areas
£3 Scientific Computations
simulations, cacluation of engineering solutions, numerical experiments to
explore theories, "number crunching" as part of experiments
correctness is vital for decision making
£3 Embedded Computations
computers as part of coninuous systems
sense-compute-activate
O ORA Corp, 1992 ,_--"_/'_
SL-0046 4
Botton Up Interpretation
We reason at the level of the CPU and Floating Point processor so that we can
calculate tight error bounds and we use numerical analysis techniques to
estimate the accuracy of the computation.
Perfectly fine, but too concrete
Numerical Programs are not written in machine language or assembler.
They are written in higher order languages like Fortran, C, Ada. The
concrete analysis is not portable across CPU's.
B. The concrete analysis is not portable across FPP's. We should reason in
terms of the IEEE floating point standard or the Brown model.
In particular, our specs and proofs should be independent of the word length of
the machine reals except in so far as the word length is knowable at the
programming language level (e.g., Ada's float'small)
z
© ORA Corp. 1992
SL-0046
164
Verifying floating point computations
O Algebraic properties of floating point operations are a mess; and detailed
descriptions are highly implementation dependent.
O Little automated support exists.
O We are incorporating support for both quantitative and qualitative error
analysis into Penelope.
This talk concerns qualitative error analysis.
© ORA Corp, lgg2 _"'_/_
SL-0046 6 Ij v'LV_,_
fr
Sources of error
Roundoff error
O (Mathematical) Truncation error
D Implementation strategies (modeled by non-determinism)
© ORA Corp, 1992
SL+0046
165
Example of Compiler Implementation Strategies
In both C and Ada the statements
X := y '_
if x = y
may set w to either 0 or 1 !!!
z;
z then w := 0 else
w := I end;
O ORA Corp, 1992SL-0046 8
Quafitative error analysis
intuitively: prove programs under the assumption that various sources of error
are present but "negligible"
Not equivalent to assuming that error is non-existent
O ORA Corp, 1992
SL-0046
Z
=
166
Qualitative analysis of roundoff error: asymptotic
correctness
Mathematical model via limits
If a program is run on increasingly accurate machines, then its answer
approaches the specified result in the limit.
Mathematical model via algebra
Use a model of "approximate reasoning."
The algebraic model is easier to use
00RA Corp, 1992
SL-0046 10
Algebra for approximate reasoning
Introduce additional predicates on the
numbers"
x is close to y
x is not close to y
x<y or x is close to y
x < y and x is not close to y
Relations to standard operations
00RA Corp, 1992
SL-0046 11
167
Substitution in Approximate Reasoning
If f is continuous, x _ y =_ f(x) ,._ f(y)
Therefore,
X '_ X 1 and y _ yl =_ x T y _ xl + Yl
But comparisons are not continous
x _ y and x < z does not imply y _< z
© ORA Corp, _g92 _l_"_/_
SL-0046 12
f
Algebra of approximate reasoning
Mechanical translation of (many) facts of ordinary algebra to facts of
approximate algebra.
For example:
(x Jr 1) 2 > x
translates to
',_ J =
O ORA Corp, 1992 _111_/'_" I -
SL-0046 13
=
=
£
z
168
N
Modeling Ada floating point operations
Introduce specification predicate for each basic operation
rplus( =, y, z )"
z Is a possible result of evaluating = + y
Sample property:
fplus(=, y, z) =_ z _ x Jr y
fie(=, y, b):
b is a possible result of evaluating x <= y
Sample properties:
fle(_,, y, true) -_ x < 7j
fie(x, y,,falsc) _ x _ y
O ORA Corp. 1992
SL-0046 14
Example specification and proof
function mysqrt (a, small: in float) return float;
should compute the square root of a to within small
© ORA Corp, 1992 AII_F_/' _
SL-0046 15
169
Naive specification of mysqrt
IN a > O.0 and small > O.O
RETURN z SUCH THAT Iz 2 -- aI _< small
© ORA Corp. 1992 _/'_1
SL-0046 16
= . - ....
III I III i -
Amended specification of my s q r t
IN a >_ O.O and small _ 0.O
RETURN z SUCH THAT Iz2 - aI_ small
@ ORA Corp, 1992 _i5") 7_
,_L-0046 .- - 17 _lur\u_ i
170
Calculation will use Newton's method
For any a>O,
v/a -- limiti__ooZi
where
O ORA Corp, 1992 _1_-'_/_
SL-0046 18
Code for mysqrt
function mysqrt (...) is
x : float;
begin
if (a <= small) then
return 0.0;
end if;
x:=a+l.O;
while (x*x-a >= small) loop
x := (x+(a/x))/2.0;
end loop;
return x;
end mysqrt;
Loop invariant annotation:
small, x, a, (x 2 -- a) _ 0.0
J
O ORA Corp, 1992
SL-0046 19
171
Proving termination of the loop
Proving termination of the loop
Loop bound annotation
loop bound x 2- a
contraction I/4
lower bound small
© ORA Corp, 1992
SL-0046 20
Accurate Square Root
function sqrt (a: = in float) return float
is
i
begin
return mysqrt (a, float'small);
end;
© ORA Corp, 1992
S1_-0046 21
,/ 172
=
=
Embedded Systems
Want to be able to reason about computer controlled real world systems.
Want to know what the system does in real space/time.
The total syste can be described by Iogico-differential equations.
@ ORA Corp, 1992 _')/_
SL-0046 22
Example
State variables
x(t : Real) : Real
y(k : Int) : Int
Transition Relations
= f(x(t), Y(ta))
y(k+l) = g (x(1),
ttJ= max integer _< t
y(k))
@ ORA Corp, 1992
SL-0046 23
173
I_
r
z
i
174
Formal Safety Analysis
Nancy Leveson
University of California at Irvine
PREC£DING PAt.._.- BLAN_ _JOT FIL_K'D
175
<II
ij !i
0
/%
do
z_ _
=
=
176
Jr,j
177
i
=
r
z
178
d2: =
t,4
>:,
o -"
o
rat)
C._
z_
_z
_z
0_
179
JIJ
i
j ! m.
• • • & •
180
m
o181
.,,.,
]:
°_
,-, _ _ _ -_
}
=
£
=
z
182
0 *
._ ,!_.
_ _ _."_ _.._ _._._ _
183
I i
Z__ __ _: V_
!j '"
el
=, .
184
°_
185
_ _- o
o
4b _
_-- e ":_ .-
, :
!
' i!
', t1_1 ,'
I
, ,,
!
. !
$
' i|
' J
,",_ I_l_i_
, j!
!
!
|
|
!
!
!
| • -
|
|
', _ -
!
,,
!
J
186
°:il
v_.<
II 11 II II
.. _
_e
187
• J
g
.,!_ _
¢3
o
.r,
,eJ
°_
L
r,.)
•- !
.=J
4
_= I! =.
O_ _..
13
o
"r.,
L.
•i !i
..=_
=1 ¢:_E_
I=
o
"i::
r_
=" _1
,3= .= .<
•_ o
oo=_
¢.==._,
,qp
==
o
188

a a
0 0
,_ tli
o_ _o_
o
.i
a_
!i
._ _ _,
.,.,._.__.__ _,.-q
l
190 o
I>,
• _ 8 sa
o__. ,_.,._i_.._._].._. _.
191
eo
i,-,4
=
192
193
I
!
I
i_] i _! il
.............................ii•.
I lib
I'I
I"........."I.....
I I
I I
I !
I I
• "I, I
l I
! I
! I . ..,
1,4
U
o
,--4
IV
Id
194
E
II
o_l._l.j.j . .,,
.i
H
.o
.o _ _ z
_ _ oo _
• _,
_ ,.-._ ,., _
r.,,b:'_ _ .
_ __
_- _ _ _,_--"_
• .._ _ "'= ,_
.._'_ _.
_o = _ ..= _ v .,o _'_._
_.:_ "_ _ '='--
U3
195
196
•"= !
i ==
197
198
The FM9001
Warren Hunt
Computational Logic, Inc.
PRF.GEDING PAGE BL.Cd'_K_'-JO*TF|Lr_cD
199
ff
m
a,
o
I-,
u
I-
¢II
J
i-m
200
201
202
0 II_J --
-t- - -
-- p, --
EEIE+ _-.-_-
.+-I-- .,-__ -
o_ o o,I -
-!- -l-
+-a- il_e---
i,i
]J
Jlltltit
-__L__ _1___1__
_i +i
-- _t . _+-=
-- rs -- -- P+ --
__.-o_s._.|i|__= -
ill, ++l.++_+m.,
i++ ++.+ ++ i
J
i
d
im
203
fI.-
 T!I!rT!!o _o
llrlllTllll
.i
J_
J
f
_ _,. z t_ I _ i
|[
2o4 _ _
J
i|
fI!I
E I
° I !I
o .
J
f
OJOl O' O_,OIO1010_ C),O_ 0,0_
O_OIO_OiOIOlO_OlOIO|O_Ol!O_
O_OlO, 0,010|01010,0,010_0,
01010, 0,01!011
O|OlOI r- 0t010_
ololo, i _ o,o.o,olo_oI o_o_o_010101 _ O'OlO,
010101 _ C_OeO_
010|01 0 010101
01010_ O_ 0_01101_010_C)IIOIOiOl
0101f0_ O_ O_O_OIfOIC_ C_ O_0110,
0_01010_ O"OIO_.OIC_ C_ Ol O 0
i 1!,_iilIi
"h
J
i
1!
205
f9
J
i
J
!
0
f
|
Im
206
f_ ._ _ _. _ ®
o _ 9_; .N _) _ =-U. _®_ 8 ______'_
._.N I- 3 _ ,_ C "OO
_:_ • , o o • Effi
_o _ _
_ E
_.@ z I"13 "O
-" 2_- 2
i:: =E _ O _ _._
J
207
208
f=i 15
|
i
o II I
=0" J
L-
N
J
i ' ii
J
209
ff
'< _ _
_j m=
u) _.N "
J
I.
210
IIm
I
!
Im
211
Im
212
213
=F
eI •
oo _
"- -_E -_=_ E=
o-_ ®o _
_ _.
_ ll _ _ _ _ "_
J
Im
214
Derivational Techniques for Hardware
Steve Johnson
Indiana University
215
Design Derivation*
Steven D. Johnson
and
Tthrmlmr ][]me
Conq_tter Science Department
Indi.'ma University
I)*dgn derivat i_B
deduction, _ivatlea, tic.
The DDD eystpm
Syntaz
A.pectt ddedp sirra
Experlmentai-!oa
FMASnx &.dv.ti_m
F Mgi101 d_i_tlom
Comc|tt _lonn
Ma|timodAI ee*_i_4g
Ilcteqtemecme feemal _*teeem
TlmakJ I_ gSg IIII'II*IIIHt, NOT Mill
216
Design derivation
formal system
• a lanquage, r.h'_ of Ry.tax
• tran.*fi, rmalions, nd_.'_,)f rc:t_ming
[ormalimtion
• wp_*ting design,_ an expre_iorm
• representi.g designing u an inference process
For example, verification
• proof of an implementation, E [= I D S
• derivation of an implementation, S =_ I
rA(.,,,O *-- (,,e) ]
L _'..k + _. ÷ ._-, akJ
,q_;
(,,',O = (,,_) [
d =.+,k I
J =o|+it [
I aistr_li_n
tdke_
(,,_) = xA(,, _)
d = _'4 J. ]
(q,.) = HA(.,_)]
._(., t) ¢:(,, 0 I
'#'' I
" = "['+ _' I
c = e_ J
,,a+ {.3+ u_. _ ,,,.+{., ;.,:)
] _,+ (.i +u)c
'11! ! ¢2 ak
p_l.k +._
3 _
3 elk- +- el_
s/e+z
T let+ +el+
e_.J",K', i,0
3 ,,A_ =.j(.,k_)
I_I-k
I._ m.i(.,t,.)
sI .;=,"X'.t',+)
sI] i,,t,
11 lie
r Im _ m*j(e,ke)
;J .._..6,0
s (.l + _4_ :_ ,,_j(..t,,O
s m..i(s, kO
ulmme
ilw
Ulall_
vl, =1, =.at
AI. _1.t ._1
'::} I, _i.2.1, | 23
IIlllOlml,t'
VI, 2.1, 2.4.1
^I, t.4
:)I, 24.1, 2.43
exd middle
A/I, 1.6, I,S, ] 3
hI, 1.T
_, i, 2, 23
VI, 41
V_o 4,1
iimmB
V[o 43, 44.1
A/, 442
_I, 44.1, 4.43
illume
vi, 43,46,1
AI, 4(12
_i, 46.l, 4.8.3
^£, 4.1, 4.5, 4.3'
_J', 4.1, 4.8
AI_. l, 3, S
Deduction and Derivation...
o have a lot in common
o reflect common modes of rea.qoning
o involve "proof en_neerin K"
o diould be integrated
$ ,_ S, (¢,)
-_ S+ (C,)
$, (¢,)
• I
1. E
2. !
3. 11
4. t;
k.
S
Illllfl.
41/l|m.
_z
tell. I
Digital Design Derivation system
(DI)D)
• An interactive transformation system based on
first-order* functional exprt_sions
* Specialized for digital system derivation
DI)D a.q a formal system
• A core of secure algebra
o Extensibility
o Derivation management
Modes of expression
P
D
S
_m¢lum
217
Single Pulser
"Sl'generates a _nit p_Ise for every pulse _cei_ed"
A
1/o _ o/1
1/o
define (SO In Out) m
(if (- o (? ZnD
(SO (> In) (! 0 3ut))
(SI (> In) (! 0 Out)))
define (SI In Out) -
(if (- o (7 In))
(so (> In) (_ t Out))
(sl (> In) (! 0 Out)))
A
define ($P In) " Out
.vhoro
X " (cone 0 In)
Out u (ande I (note In))
In = (o,o, 1, 1, n, o, O,o.... )
x = (o, o, o, i, _, 1, o, o,...)
out = (o, o, o, o, o, 1, o, o,...)
218
B
Behavior to structure:
define (FAC n) - (F n 1)
where
(F u v) " (if (zero? u)
V
(F (dcr u) (mpy u v)))
define (FACeyetem n) - (list V R)
where
u - (cone n (DCAU))
V - (cons 1 (MPY U V))
n = (ZERO? U)
............. i
FM8501 specification [Hunt]
(defn SO_ (very-fire roBl-_ z-flq ,ofllI |-faq ioYlq tiq)
{if {.llstp I=q)
fll.t rq-Ylle _l-UW ¢-_lee ,-flee I-flee =-flee1
lgorr (r ee.tllc- af t oy - op_-t-pecs- !lcrweet
ree-ftl* rNl_neo ¢-_lee v-flee t-ilee n-Yle¢)
(_e | -Ne-citer- slI-_Yl_e
tee-file reel-m c-flee v-flee =-flee R-,lell
f_-¢¢-6ol (_t-lwct_ctlee ree-,lle Hi-=m))
c-flee
(c (bv-iIl-CV-reeult. re_-fltB re•l-Ha ¢-fleel))
(=ld.t.-v
(b-e¢-Ill IcmTrNl-Jutrvctlm tee-file recl-Ne)l
voylee
(v (h_-iIl-cv-reemlt. reeoflle reel-i ¢-f1.11)1
(b-t¢-6et (cxwut-lumt_ctlcm ree-_tle feet-metal)
I-llq I
(=.vop (t_-_O-HS (bY {t_r-811-CV-TeNlte
ree-fl|c r_l-_eR z-fiee))))l '
(qpdlt.-v
(b-cO-See (c_n_-I=etv_¢tion reS-llle reei-xco))
i-flee
(uee=llvep [bY-SO-SO (iv (tq-all-cv-renlta
yq-ftll yoQl-me e-flee)))})
(cdr ill])))
B
Serialization
define (FACeyoton n) - (list V R)
vhere
O - Ccon* n (DCR U))
V - (cons ! (HPY U V))
It - (ZERO? U)
define (FAC n) = (FOn 1)
vhere
(FO u v) - (if (zero? u)
V
(F1 u (mpy U V)))
(FIu v) - (FO (dcr u) v)
FM8501 implementation [Hunt]
(dofn Ila-II_llgK (tit fend gTigo d_ _ t_J t I_-|_or4 41ti-_gl
tee-file _Mf-_i c-fiB S v-flbl I-fl_4_ m-fill
t-re• b-rq l°vee vlolll-m rlel-_l
i_-vatth-dee-kttt OTI creole)
(if [Itl Ittp rffItli)
{lltt ur TsN vrite _icb r_oet le-ttore dltl-_t yeeoflle
_r-o_ _-_lq v-_lq I-flee s-fl_ i-rq b-ree |-tee
_[nel-iN _•ml_ pee_-ntct-dee-hletury)
{lll-nACStlm (_r .,¢r i-_ee 4tect r•eeS _o-_z_r.1
(reid Nr I-_ee)
{e_ile ur l-r_J a_-_6r_)
(drift (tit oYl¢ll))
(reeo_ (c_r oracle))
(_o-lteT4 _o-ltoFi c=fliC_ v-fle_{ i-flt_ _-_'lq
i-re• _r)
(rq-_lll rq-flle dItt-o_t t-rq mar tO-liege
(_Ir-_t _4_-_t _ee-file |-r_ i uaY rust)
(c-ft_ 8 c-flee e-zee I-r_ i-ree _er)
(v-flee v-flq |-tee t_ee c-flee I-vee _r)
(t-flee t-flee s-tee t-tee c-fl_ l-rq Hr)
(_oflee i-flee t-tee t-_eS c-flei t-iq _r)
(i-ro_ i-re• vliU_l-m_ ree-fllc J-r_g _ir ruet_
{_rq b-re$ vl_l-i_ Ice-file I-rt I may fete•)
[I-rq i-tel vllul-mm tit)
(_Ie_sI-NO reeltc_ r_ed gvlte _ddr-ivl
(tt_4_lt [¢1I _lc|i)))
(re•l-_m I.NI "He r*ed _ I_ • _r-o_t deta-_
_4_ -_t ¢¢h-_ee-hl I_C3_Jr
(d_ic_ (tit orecle))
(reeel (cer _ylcle)))
(ettck-d_ yetd _lti (dqeck fear oylcl•))
(¢d_ llillt I c )
Ill
219
Block diagram of BIGmaehine
L
Architecture derived from SOFT
Superimposed architectures
_ml-tit
220
Detail of a local factorization
=
Physical organization of FM8501
o
u rrJG
• I fn_v i#1
!
o
Structural manipulation
Experiments with FM8501/2
I*-I
[ m/_,,_-c_u, ct,.o I ?
Lallc Slmlkuis J
Ir-- l
9
D
aot/m A.,o*,4 i_
Procedural abstraction
define (FAC n) - (F n 1)
vhere
(F u v) - (i! (zero? u)
v
(F (dcr n) (HPY u v)))
define (/4PY n e) = (H n n O)
vhere
(H v x 7) = (if (zero? v)
7
(if (even? v)
(N (12 v) x (*2 y))
(H (12 v) x (÷ (*2 y) x))))
221
gD
u,lrmAq_ ua,_,_
Incorporating procedures
define {FAc n) - (F n i O)
vhere
(F u v v z) " (if (zero? u)
v
(N u v u u))
{M u v v z) = (if (zero? u)
(F (dcr z) v 0 #)
(if (even? u)
(s (/2 u) v (.2 v) x)
(M (/2 u) v (+ (.2 v) v) z))i
D
. Sequential Decomposition
_,, rl_____
(FO u v w d_) =
(i_ (zero.* u)
v
(cons (list ! u v)
(rl +u v C> n) (> d=))))
(F_ u v m d,,,) =
(cons (list 0 u v)
(if (hi? (? dm))
(FO (dcr u) (? n) (> n) (> _a))
(FIu v (> n) (> d_))))
Design derivation
Construction of an implementation by equi,_lenvs
pre_rving t rans/'ormaLions.
maintain!rig the global view
(D making local transformations
mundane design
0 no =complete" algebra
0 fixes "equi_alence"
0 inhibit.q cleverness
ml/tu,l+.,w.l+i+.ml
Interactive verification
222
Results of Workshop Survey
Each participant at the workshop was asked to complete a detailed survey. I Fifty-three people returned
the survey; this section presents the results.
For each question asked on the survey, the specific question is reproduced and the answers to the question
are tabulated below. If a person circled multiple answers to a question for which only one answer was
expected, the results were weighted. For example, in response to question 2, one Formal methods developer
circled both b and c. This was tabulated as 0.5 for b and 0.5 for ¢.
Totals or averages are given where appropriate. Not every person answered every question on the survey,
so the totals for different questions may vary.
I. What is the nature of your organization?
a. University b. Formal methods developer
c. Govsrmnent d. Aerospace industry
Question 1
a b c d e
Industry 0 0 0 22 6
Government 0 0 14 0 0
University 2 0 0 0 0
FM Developers 0 9 0 0 0
Note: Six people did not believe that the four listed choices accurately described the nature of their
organization. The specific answers given were: transportation, railway transportation, non-profit
R&D org, industry/coaaarcia2, other, and don't know. For the purpose of recording the answers, these
6 surveys are grouped with Industry.
21 W'aat is your primary job function?
a. Basic research b. Applied research
d. Xanagenent
c. Product development
e. Other
Question 2
a b c d e
Industry 1 17 5 2 3
Government 1 5 0 4 3
University 1 1 0 0 0
FM Developers 3 1.5 0.5 4 0
Totals 6 24.5 5.5 10 6
a. lovice
d. Considerable
3. Please rats your understanding of formal methods theory and practice:
b. Somewhat familiax c. Knoelodgable
o. Expert
Question 3
a b c d e
Industry 8 10 6 4 0
Government 6 4 3 0 1
University 0 0 0 I I
FM Developers 0 0 0 I 8
Totals 14 14 9 6 10
1NASA Langley personnel involved in planning and conducting the workshop did not _ out a survey.
223
Note" One of the goals of the workshop was to attract people with widely varying understanding of
formal methods. These numbers suggest that this goal was met.
4. What is the general level of awareness of formal methods within your organization?
a. Bone b. Minimal c. Sparse
d. Moderate e. Considerable
Question 4
a b c d e
Industry 7 13 4 1 3
Government 4 8 1 0 1
University 0 0 0 2 0
FM Developers 0 0 1 0 8
Totals 11 21 6 3 12
5. Before attending this workshop, how would you have rated the 8tats-of-the-art of
formal methods in terms of its potential for immediate application?
a. Bet usable
d. Ready now
b. Needs more time
e. Has boon ready
Question 5
c:_ Nearly ready
a b c d e
Industry 4 16 4 3 1
Government 2 5 4 1 1
University 0 1 1 0 0
FM Developers 0 0 6 1 1
Totals 6 22 15 5 3
Note: Three FMdevelopers, one who answered d and
with the comment "for some applications."
two who answered c augmented their responses
Now that you've attended this workshop, how would you rate the state-of-the-art of
formal methods in terms of its potential for immediate application?
a. Not usable b. Needs more time c. Nearly ready
d. Ready now e. Has been ready
Question 6
a b c d e
Industry 1 16 8 3 0
Government 0 4 6 2 0
University 0 0 2 0 0
FM Developers 0 0 7 1 1
Totals 1 20 23 6 1
Note 1: See note for Question 5.
Note _: The results to this question demonstrate that the workshop did alter some people's perceptions
of the state-of-thwart. Particularly interesting is that before the workshop, the perception of the state of
the art by nine people was at one or the other extreme, but after the workshop, the number of people at one
or the other extreme was reduced to two.
224
7° Please rate the extent to ehich fornalnothods is practiced today eithin your
organization:
a. lever b. Seldom c. Sporadically
d. Occasionally e. Often
Question 7
a h c d e
Industry 15 9 2 1 1
Government 9 3 0 2 0
University 0 0 0 1 1
FM Developers 1 0 2 1 5
Totals 25 12 4 5 7
Note: One FM developer answered a, and _ided the comment "on our ova systems."
8° When do you think that formal methods gill be used often in your company?
a. 0-2 years b. 2-5 years ¢. 5-10 years
d. 10-20 years o. lever
Question 8
a b c d e
Industry 5 7 12 3 1
Government 4 3 3 2 0
University 1 0 1 0 0
FM Developers 5 2 1 0 0
Totals 15 12 17 5 1
Note: An individual from industry answered c with the comment "unless required by customers
earlier."
9. Hoe difficult do you feel it is to put formal methods into practice?
a. Sxtronely
d. Somoehat
b. Very
e. None at all
c. Moderately
Question 9
a h c d e
Industry 7 9 12 0 0
Government 2 7 4 1 0
University 0 1 1 0 0
FM Developers 2 3 4 0 0
Totals II 20 21 I O
I0. &re you personally inclined to apply formal methods on a design project in the near
future?
a. Strongly inclined b. Koderately inclined c. Indifferent
d. Not inclined o. Would quit first
225
Question 10
a b c d e
Industry 13 9 1 5 0
Government 8 6 0 0 0
University 2 0 0 0 0
FM Developers 6 3 0 0 0
Totals 29 18 1 5 0
11. Hoe well prepared are the professionals in your organization through education and
previous training to absorb the technology of formal methods?
a. Minimally b. Somewhat c. Adequately
d. Receptive s. Well prepamed
Question 11
a h c d e
Industry 15 8 3 0 2
Government 7 7 0 0 0
University 0 l i 0 0
FM Developers 1 0 0 1 7
Totals 23 16 4 1 9
12. In your organization, which of the follosing obstacles exist that inhibit or
prevent the use Of form_nethod'? (chec_alith_t_i_i_ )
___ Managenont believes it is inpractical
___ Engineering staff believes it is inpractical
___ Lack of sufficient knoeledge about formal nethods
___ Lack of required skills
___ Up-front cost too high
___ Have had negative experiences Luthe past
.__ Do not believe it is useful
___ |o obstacles exist
(Mgrnt)
(Eng.)
(Kno )
(sk u)
(Co,t)
CNeg}
CNot)
CNo.e ._
Question 12
Mgmt Eng Know Skill Cost Neg Not None
Industry 10 13 24 20 10 4 6 2
Government 5 4 13 11 6 1 4 0
University 0 0 1 0 0 2 0 0
FM Developers 1 2 1 1 3 0 0 4
Totals 16 19 39 32 19 7 10 6
Note: An industry representative checked |o obstacles exist, but added the comment "except
funding."
13. Hoe vould you rate the potential benefits of using formal methods?
a. Negligible b. Somoehat useful c. Moderately useful
d. Helpful o. Signlficant ....
226
Question 13
s b c d e
Industry 0 5 1 4 18
Government 0 0 1 4 9
University 0 0 0 1 1
FM Developers 0 0 1 3 5
Totals 0 5 3 12 33
Note: A person from industry circled e, but added the caveat, "if it does all that is advertised."
14. How would you rate the costs of foraal methods technology relative to the costs of
current practice?
a. Excessively higher
d. Somewhat lower
b. Sonewhat higher
e. Much lower
¢. Equivalent
Question 14
a b c d e
Industry 4 13 5 4 2
Government 2 8 0 0.5 1.5
University 0 2 0 0 0
FM Developers 0 2 5 0 0
Totals 6 25 10 4.5 3.5
Note 1: A government representative circled • and added "over system life cycle."
Note _: An industry person circled a, with the additional comment "don't see FM replacing anything
--- it only adds confidence and cost to date."
16. Bow a_eesivoly would you recommend your nanagenent pursue the use of formal
nothods technology?
a. Forget it
b. Keep up with developments
c. attenpt shall pilot projects
d. attempt larger applications
o. Full speed ahead
Question 15
a b c d e
Industry 0 6 20 2 0
Government 0 0.5 10.5 2 1
University 0 0 2 0 0
FM Developers 0 0.5 2 4.5 1
Totals 0 7 3415 8.5 2
Note: One industry representative answered c and added the comment "to conpletiont"
16. How nuch empirical evidence on the benefits of formal methods do you feel is
available for nanagers to make informed decisions regarding its use?
a. Insufficient b. Nearly sufficient c. adequate
d. More than adequate e. Plentiful
227
Question 16
a b ¢ d e
Industry 22 2 3 0 1
Government 8 2 3 0 0
University 1 0 1 0 0
FM Developers 4 3 0 0 2
Totals 35 7 7 0 3
17. Rate the importance of reusable formal verifications such as verified clock
synchronization circuits and verified softgare modules.
a. Ions at all b. $oneehat c. Moderately
d. Very e. Extremely
Question 17
a b c d e
Industry 2 2 7 6 10
Government 0 5 4 3 0
University 0 0 0 1 1
FM Developers 0 0 0 4 4
Totals 2 7 11 14 15
18. Rats the importance of generic tools (such as, semi-automatic theorem provers,
specification language typecheckers) that can be applied to softeare/hardeare
developmen__
a. None at all b. Soaevhat : c. Moderately
d. Very e. Extrmely
Question 18
a b c d e
Industry 0 2 5 11 10
Government 0 1 4 6 3
University 0 0 0 0 2
FM Developers 0 0 2 2 5
Totals 0 3 11 19 20
19. R_te the iaportance of the capability of formal methods to produce trustworthy
solutions of difficult problems i_ computer science.
a. lone at all b. $omeehat c. Moderately
d. Very e. Extremely
Question 19
a b c d e
Industry 1 3 5 12 7
Government 0 1 4 4 5
University 0 1 0 1 0
FM Developers 0 0 1 2 6
Totals 1 5 10 19 18
228
Note: An industry person wrote: "(a) who cares (practically) about CS? (c) for real problems.
We need trustworthy solutions to real problems!"
20. Where in the life-cycle do you feel formal methods can be applied most cost-
effectively?
a. Requirements
d. Implementation
b. High-level design
e. Maintenance
c. Detailed design
Question 20
a b c d e
Industry 15.5 8 3.5 0.5 0.5
Government 9.33 2.83 1.33 0.5 0
University 0.45 0.45 0.45 0.45 0.20
FM Developers 1.67 5.67 0.33 0 0.33
Totals 26.95 16.95 5.61 1.45 1.03
21. Where in the life'cycle do you feel formal methods can yield the most significant
benefits, irrespective of cost?
a. Requirements b. High-level design c. Detailed design
d. Implementation e. Haint enance
Question 21
a b c d e
Industry 20.33 2.83 3.33 0 0.5
Government 9.33 1.83 0.83 0 0
University 1.33 0.33 0.33 0 0
FM Developers 1.5 1.5 3 1 1
Totals 32.5 6.5 4.5 1 1.5
22.
d. 6 months to ! year
How long does it take to become proficient in formal methods?
a. Less than 2 weeks b. 2 weeks to I month c. i to 6 months
e. 1 to 5 years
Question 22
a b c d e
Industry 0 0 2 16 9
Government 0 0 1 5 6
University 0 0 0 0 2
FM Developers 0 0 1 7 0
Totals 0 0 4 28 17
Note I: Two people, one from government and one from industry, said that the answer to this question
was "dependent on background."
Note g: A person from a university circ]ed e, and annotated the answer with "or more."
23. What is your opinion of the following statement: "Proficiency in formal methods
requires a high degree of mathematical sophistication.'' ?
a. agree strongly b. Agree c. He opinion
d. Disagree e. Disagree strongly
229
-Question 23
a b c d e
Industry 9 i4 1 2 2
Government 5 6 1 1 0
University 0 1 0 1 0
FM Developers 0 6 0 2 0
Totals 14 27 2 6 2
Note: An industry representative circled a, but added, "but it shouldn't be the caso!"
24. To each of the folloging areas assign a number from 1 to 8 to denote the importance
of the area. Use 1 to denote that the area i8 extremely important, and 8 to denote
that the area is not important at a11. Please assign a 0 to any area about which
you have no opinion.
___ Basic Rodeling techniques
.__ Code verification (especially for £da)
.__ Education and training
___ Integrated verification systems _
___ Mechanical theorem provers
___ Reusable deductive theories (libraries of definitions and theories)
.__ Reusable, verified softgare libraries
___ Special purpose verification tools (such as Spectool, DDD, t Penelope)
___ Specification languages
.__ Worked examples
Question 24: Industry
0 1 2 3 4 5 I Avg.
Model. Tech. 3 11 8 4 2 0 I 1.9
Code Verif. 4 10 5 6 3 0 2.1
Education 2 15 10 0 0 1 1.5
Int.Vet. Sys. 4 I0 6 5 3 0 2.0
Mech. T. Prov. 4 2 11 7 4 0 2.5
R. Ded. Theo. 5 5 11 3 4 0 2.3
R. Soft.Lib. 2 7 II 3 5 0 2.2
Sp. Purp. Tool 5 0 7 14 2 0 2.8
Spec. Langs. 1 14 8 3 I 1 1.8
Examples 2 11 9 4 2 0 1.9
Question 24: Government
0 1 2 3 4 5 [ Avg.
Model. Teeh. 2 5 4 0 0 2 2.1
CodeVerif. 2 4 2 5 0 1 2.3
Education 0 6 0 5 0 2 2.4
Int. Ver. Sys. 3 0 2 4 2 1 3.2
Mech. T. Prov. I 3 2 3 I 2 2.7
R. Ded. Theo. 2 1 2 4 3 1 3.1
R. Soft.Lib. 1 2 2 4 3 1 2.9
Sp. Purp. Tool 4 I 2 4 1 1 2.9
Spec. Langs. 1 4 3 2 I 2 2.5
Examples 1 6 2 2 0 2 2.2
230
Question'24: university
_, _ ........ 0 1 2_ 3 4 5[Avg.
Model. Tech. 1 1 0 0 0 0 1.0
CodeVerif. 0 0 0 0 0 0 -
Education 0 0 0 0 0 0 -
Int.Ver, Sys. 0 0 0 0 0 0 -
Mech. T. Prov. 0 0 0 0 0 0 -
R. Ded. Theo. 0 0 0 0 0 0 -
R. Soft. Lib. 0 0 0 0 0 0 -
Sp. Purp. Tool 0 0 0 0 0 0 -
Spec. Langs. 0 0 0 0 0 0 -
Examples 0 0 0 0 0 0 -
Question 24: FM Developers
0 1 2 3 4 5 Avg.
Modei. Tech. 0 6 2 1 0 0 1.4
CodeVerif. 0 3 2 2 1 1 2.4
Education 0 6 2 1 0 0 1.4
Int.Ver. Sys. 0 5 1 2 1 0 1.9
Mech. T. Prov. 0 3 3 2 1 0 2,1
R. Ded. Theo. 0 3 6 0 0 0 1.7
R. Soft. Lib. 0 4 2 4 0 0 2.0
Sp. Purp. Tool 0 3 2 1 3 0 2.4
Spec. Langs. 0 3 6 0 0 0 1.7
Examples 0 5 2 1 1 0 1.8
Note I: Answers of 0 were ignored in calculating the averages.
Note _: For a few respondents, the answers to this question seemed inconsistent with answers to other
questions. We suspect that some people may have failed to read the question carefully, and as a result reversed
the ordering (that is, used 5 to denote extreme importance and I to denote no importance); however, we
recorded their responses as given.
25. To each of the following tools and techniques assign a nwaber from 1 to
$ to denote your perception of the usefulness of the tool/technique. Use
1 to denote that you believe the tool/technique may be extrwaely uJeful,
and 5 to denote that you believe the tool/technique is useless. Please
assign a 0 to any tool/teclmiqueabout which you have no opinion.
___ Boyer-Moore ___ DDD ___ EVES
___ H0L .__ Modelisation ___ luprl
___ Penelope ___ PVS/EhdR ___ Safety analysis
___ Spectool
231
Question 25: Industry
0 1 2 3 4 5 I Avg.
Boyer-Moore
HOL
Penelope
Spectool
DDD
Modelisation
PVS/Ehdm
EVES
Nuprl
9 1 4 10 3 1 2.9
8 1 7 6 5 1 2.9
12 0 9 4 3 0 2.6
16 0 6 4 2 0 2.7
19 0 2 4 3 0 3.1
14 5 2 3 2 2 2.6
5 6 10 5 1 1 2.2
20 0 3 3 i 1 3.0
23 0 3 0 1 1 3.0
1.5Safety Analysis 8 14 3 2 1 0
Question 25: Government
0 1 2 3 4 5 ] Avg.
Boyer-Moore 7 1 3 2 0' 0 2.2
HOL
Penelope
Spectool
DDD
Modelisation
PVS/Ehdm
EVES
Nuprl
8 2 0 3 0 0
11 1 1 0 0 0
13 0 0 0 0 0
12 0 1 0 0 0
8 1 2 0 0 0
7 3 1 2 0 0
12 0 0 1 0 0
12 0 0 1 0 0
2.2
1.5
w
2.0
1.7
1.8
3.0
3.0
Safety Analysis 5 5 1 1 0 1 1.9
Question 25: University
0 1 2 3 4 5 Avg.
Boyer-Moore 0 I 1 0 0 0 1.7
HOL
Penelope
Spectool
DDD
Modelisation
PVS/Ehdm
EVES
Nuprl
0 0 2 0 0 0 2.0
1 0 1 0 0 0 2.0
1 0 1 0 0 0 2.0
1 0 1 0 0 0 2.0
2 0 0 0 0 0 -
0 2 0 0 0 0 1.0
0 0 1 1 0 0 2.5
0 0 2 0 0 0 2.0
Safety Analysis 1 0 0 0 1 0 4.0
Question 25: FM Developers
0 1 2 3 4 5 [ Avg.
Boyer-Moore
HOL
Penelope
Spectool
DDD
Modelisation
PVS/Ehdm
EVES
Nuprl
0 0 5 1 0 0
0 0 3 2 2 0
0 3 0 2 2 0
1 3 0 3 0 0
2 0 1 3 0 1
3 1 1 1 1 0
0 1 5 1 0 0
1 1 3 2 0 0
0 0 0 1 4 2
Safety Analysis 2 1 2 1 1 0
2.2
2.9
2.4
2.0
3.2
2.5
2.0
2.2
4.1
2.4
232
Note: See the notes for Question 24.
26. How expressive should a formal language be?
a. Very expressive (such as Z and VDN)
c. To the level of 1st order logic
e. To the level of propositional calculus
b. To the level of higher-order logic
d. To the level of Prolog
Question 26
s b c d e
Industry 14 6 2 1 0
Government 2 4 0 0 1
University 1 0.5 0.5 0 0
FM Developers 3 4 2 0 0
Totals 20 14.5 4.5 1 1
Note: Four people, one _omindustry and three_omgovernment, did not answer this question, but
wrote the followingcommentsinstesd: "depends on application," "to understanding of user," "this
needs to be decided on the basis of the domain of application requirements," and "depends on
ehen it is used."
27. Hog important is it to have a specification language that can mimic the notation
typically employed in the problem domain?
a. None at all b. Somewhat c. Moderately
d. Very e. Extremely
Question 27
a b c d e
Industry 0 3 5 12 6
Government 0 2 3 2 5
University 0 0 0 1 1
FM Developers 0 0 3 4 2
Totals 0 5 11 19 14
Note I: A member ofthe government answered e, and included thecomment: "to be accepted by
the engineers and progrmananagers."
Note g: Another governmentrepresentative did notcirc_ an answer, but wrote "It must not necessarily
mimic but must be readable by experts in the problem domain."
28. How important is the availability of powerful decision procedures in a theorem
prover (for example, decision procedures for linear arithmetic and propositional
calculus)?
a. None at all b. Somewhat c. Moderately
d. Very e. Extremely
Question 28
s b c d e
Industry 0 3 8 ? 5
Government 0 1 3 3 2
University 0 0 1 I 0
FM Developers 0 0 1 2 6
Totals 0 4 13 13 13
=
233
29. To each of the following areas assign a number from I to 5 to denote your opinion
as to the importance of NASA sponsoring work in the area. Use I to denote that you
believe it is extremely important for NASA to sponsor work in the area, and 8 to
denote that you believe NASA should not sponsor any work in the area,
__- Theoretical research (for example, developing theorem provers)
___ Applied research (for example, pilot projects applying formal methods)
___ Joint projects between traditional engineering groups and formal methods experts
I 2 3 4 5|Avg_
8 5 7 3 5
19 6 0 0 3 | 1.6
23 2 2 I 0 [ !.317 7 2 1 6
___ Workshops such as this one
Question 29: Industry
0
Theoretical Research 0
Applied Ih'search 0
Joint I)rojecl,s 0
Workshops 0
Qu,_stion 29: G(_v¢',|'lll||_:nt I
0 1 2 3 4 5[.
I heoreti_ tl Research 0 3 5 l 4 0 [
Applied [{e_arch 0 10 1 1 0 1 | 1.5 [
Joint Projects 0 9 3 0 1 O| 1.5 [
Workshops 0 11 I 0 0 I ] 1.4 ]
Question 29: University
0 1 2 3 4 5 [ Avg;
Theoretical Research 0 0 i l 0 0 ] 2.5
Applied Research 0 2 0 0 0 0 ] 1.0
Joint Projects (} 1 1 0 0 0 ] 1.5Workshops (} 1 ! 0 0 0 1.5
Theoretical Research 0 4 2 2 1 0
Applied Research 0 5 4 0 0 0
Joint Projects 0 5 4 0 00] 1:4 ]
Workshops 0 2 4 2 I 0 ] 2.2 I
Note: See the notes for Question 24.
Questions 30-32 were not multiple choice. Only a fi_w representative comments from each organizational
category are included below. These comments are presented exactly as given; no editing has been done. For
these questions, Government and University participants haw_ been grouped together.
30. Wnat formal methods have you used?
Ind.stry: lloyer-Moore, cleanroom, Clio, EIII)M, IlOl,, ,_l.'ctool, tomp,)ral logic, VDM, Z
Gov & Univ: Boyer-Moore, cleanroom, DDD, FAll)M, IIO1., VI)M
234
FM Developers: Boyer-Moore, Clio, EHDM, EVES, HOL, PVS, Penelope, SDVS, Spectool, temporal
logic, Z
31. In what applications and parts of the life-cycle have you used formal methods?
Industry: requirements modeling, design, and testing, conceptual study, detailed design, verification of
algorithms, implementation
Gov _ Unlv: software requirements, high level requirements, avionics software, missile systems, electronic
message systems, design, implementation, academic research projects
FM Developers: hardware designs, microcode, detailed design, algorithms, high-level HW design
32. Any additional comments?
Industry:
• ''Workshops of this type where interested industries can attend and participate are
excellent opportunities for technology transfer, l would encourage NASA to continue
this type of interaction. ' '
• ''I would very much like to see a survey of (1) methods (2) languages it (3) tools
presenting PROs it COils of each. As a novice wanting to enter the field, where do
I start?' '
• ''Tools are very important to this effort. Paper and pencil will not spread to industry. ''
• ''It would have been nice to actually solve some simple problems using a formal technique
rather than seeing lots of talks about proofs. ''
• ''Suitable applications of FMs uas not elaborated on. I still cannot say 'where'
one should apply 'what' FM. ''
• ''Need ¢o separate HW FM's from SW FN's."
• ''This is one of the only forums I have attended that has had equal representation
from the software and hardware community sharing roughly e_ual concerns and a common
interest in a technology of equal value and benefit to each community. ''
• ' 'You are overcautious about overselling .... ' '
Gov _ Univ:
• ''We must find a way to better find errors in Reqm'ts"
• ' 'It is important for NASA to take a leadership position in Formal Methods for civilian
aerospace applications. _'
• ' 'FM appears to be currently the most feasible means of adding rigor and consistency
to the software development process. ''
• ' 'Keep holding this workshop! ' '
• ''I really wish copies of slides had been available at the conference. It would greatly
simplify notstaking. ' '
FM Developers:
• "There is no 'royal road' to FN for industry.''
• ''FM is powerful for educating designers. ''
• ''Formal methods are no panacea''
235
_236
NASA Formal Methods Workshop Attendees
Jorgen B. Andersen
Honeywell, Inc.
Box 21111
Phoenix, AZ 85036-1111
Bob Baker
Research Triangle Institute
PO Box 12194
Research Triangle Park, NC 27709-2194
rlb@rti.rti.org
Mark Blckford
Odyssey Research Associates, Inc.
301 Dates Drive
Ithaca. NY 14850
emall: mark@oraeorp.eom
Bhaskar Bose
Indiana University
215 Lindley Hall
Bloomington, IN 47405
Danlele Bozzolo
Union Switch and Signal, Inc.
5800 Corporate Drive
Pittsburgh, PA 15237
Rlcky W. Butler
NASA Langley Research Ctr.
Mall Stop 130
Hampton, VA 23681-0001
emall: rwb@air 16.1arc.nasa.gov
Jim Caldwell
NASA Langley Research Center
Mail Stop 130
Hampton, VA 23681-0001
email: caldwell@cs.cornell.edu
Victor Carreno
NASA Langley Research Center
Mail Stop 130
Hampton, VA 23681-0001
email: vac@air 16.1arc.nasa.gov
Jerome F. Coffel
I toneywell, Inc.
3660 Technology Drive
MN65-3240
Minneapolis, MN 55418
emall: Jcoffel@src.honeywell.com
Richard Covington
NASA Jet Propulsion Laboratory
MS 125-233
4800 Oak Grove Drive
Pasadena, CA 91109
Dan Cralgen
ORA Canada
265 Carling Avenue
Suite 506
Ottawa, Ontario KIS 2E1
CANADA
email: dan@ora.on.ca
Ronald T. Crocker
Motorola, Inc.
1501 West Shure Drive
Arlington Heights, IL 60004
email: crocker@mot.com
Mark Crosland
Boeing
MS 88-12
P.O. Box 3707
Seattle, WA 98124
Jim Dabney
lntermetrics, Inc.
1100 tlercules
Suite 300
Houston, TX 77058
Mike DeWalt
FAA
ANM- 106N
1601 Lind Avenue, S.W.
Renton, WA 98055-4056
PRECEDqNG PA_ BLANK NOT RLME_
237
iBen DI Vito
Vigyan, Inc
NASA Langley Research Center
Mail Stop 130
Hampton, VA 23681-0001
email: bld@air 16.1arc.nasa.gov
Audrey Dorfman
Vitro Corporation
600 Maryland Ave., SW
Suite 300, West Wing
Washington, DC 20024
George FineUi
NASA Langley Research Center
Mail Stop 130
Hampton, VA 23681-0001
email: gbf@air 16.1arc.nasa.gov
Gene Fisher
California Polytechnic State Univ.
Dept. of Computer Science
San Luis Obispo, CA 93405
Scott French
IBM Corporation
3700 Bay Area Blvd.
Houston, TX 77058-1199
David Fura
Boeing Defense and Space Group
P.O. Box 3999
Seattle, WA 98124
Jane Gaby
Martin Marietta Energy Systems
MS 8203, Bldg. 9112
P.O. Box 2009
Oak Ridge, TN 37831-8203
Susan Gerhart
National Science Foundation
1800 G. Street, N.W.
Room 304
Washington, DC 20550
email: sgerhart@nsf.g0v
Holly Gibbons
Intermetrics, Inc.
I 100 Hercules
Suite 300
Houston, TX 77058
email: gibbons@inbox.hous.inmet.com
Allen Goldberg
Kestrel Institute
3260 llillrich Ave.
Palo Alto, CA 94304
email: goldgerg@kestrel.edu
David Goldschlag
National Security Agency
9800 Savage Road
M352 (D. Goldschlag)
Ft. Meade, MD 20755-6000
David Hamilton
IBM Corporation
3700 Bay Area Blvd.
Houston, TX 77058-1199
Charles Hardwick
University of Houston-CL
2700 Bay Area Blvd.
Houston, TX 77058
email: hardwick@cl.uh.edu
Rick Harper
C. S. Draper Laboratory
555 Technology Square
Cambridge, MA 02139
email: harper@draper.com
Paul Hayes
NASA Langley Research Center
MS 473
IIampton, VA 23681-0001
Connie Heitmeyer
Naval Research Laboratory
Code 5546
Washington, DC 20375
0
238
C. Michael Holloway
NASA Langley Research Ctr.
Hampton, VA
email: c.m.hoUoway@larc.nasa.gov
Michelle McElvany Hugue
Allied-Signal Aerospace Co.
Aerospace Technology Center
9140 Old Annapolis Road
MD 108
Columbia, MD 21045-1998
email: michelle@batc.allied.com
Warren Hunt
Computational Logic, Inc.
1717 West Sixth Street
Suite 290
Austin, TX 78703-4776
email: hunt@cli.com
Larry Hyatt
NASA Goddard Space Flight Center
Code 302
Greenbelt, MD 20771
Charles Hynes
Ames Research Center
Mail Stop 211-2
Moffett Field, CA 94035-1000
Ramu lyer
Motorola, Inc.
3701 Algonquin Road
Suite 601
Rolling Meadows, IL 60008
email: ramu@mot.com
Willliam Jackson
Martin Marietta Corporation
P.O. Box 179
MS 7330
Denver, CO 80201
John James
P.O. Box 7372
Fairfax Station, VA 22039-7372
Damlr Jamsek
Odyssey Research Associates, Inc.
301 Dates Drive
Ithaca, NY 14850
Jack Janelle
Honeywell, lnc.
21111Northl9thAve.
Phoen_,AZ 85027-!111
Jim Jenkins
NASA Headquarters
Code RJ
Washington, DC 20546
Sally Johnson
NASA Langley Research Ctr.
Mail Stop 130
Hampton, VA 23681-0001
email: scJ @air 16.1arc.nasa.gov
Steve Johnson
Indiana University
Computer Science Dept.
Bloomington, IN 47405
John Kel_
NASA JetPropulsionLaboratory
MS 125-233
4800 Oak Grove Drive
Pasadena, CA 91109-8099
Kathryn Kemp
NASA Headquarters
Code QT
Washington, DC 20546
John Knight
University of Virginia
Dept. of Computer Science
Charlottesville, VA 22903-2442
emall: knlght@virginla.edu
Robert Kovach
NASA Headquarters
Code DO
Washington, DC 20546
239
Larry Lacy
Rockwell lnternaUonal Corp.
Collins Flight Control
400 Collins Road NE
Cedar Rapids, IA 52498
Jay Lala _
C. S. Draper Laboratory, Inc,
555 Technology Square
Cambridge, MA 02139
emall: lala@draper.com
H. Grady Lee
Vitro Corporation
400 Virginia Ave., SW
Suite 825
Washington, DC 20024
Miriam Leeser
Cornell University
School of Electrical Engineering
Phillips Hall
Ithaca, NY 14853-5401 ....
email: mel@ee.comell.edu
Nancy Leveson
University of California at Irvine
ICS Dept.
Orvome. CA 92717
Beth Levy
The Aerospace Corporation .........
Mail Station M 1/099
PO Box 92957
Los Angeles, CA 90009-2957
email: blevy@aero.org
Patrick Lincoln
SRI International
333 Ravenswood Ave.
Menlo Park, CA 94025
Charles W. Melssner, Jr.
NASA Langley Research Ctr,
Mail Stop 130
Hampton, VA 23681-0001
email: c.w.meissner@larc.nasa.gov
Sleven Miller
Rockwell InternaUonal
Collins Commercial Avionics
400 Collins Road NE
Cedar Rapids, IA 52498
Paul Miner
NASA Langley Research Ctr. -_
Mail Stop 130 _ _ -
Hampton, VA 23681-0001
email: psm@air 16.1arc.nasa.gov
John Munro
Martin Marietta Energy Systems, Inc.
Oak Ridge National Laboratory
P.O. Box 2008
Oak Ridge, TN 3783!;6008
Philip Newcomb
Boeing Computer Services
P.O. Box 24346
MS 7L-64
Seattle, WA 98124-0346
email: philu@atc.boelng.com
Stephen Nicoud
Boeing Computer Services
P.O. Box 24346
MS 7L-64
Seattle, WA 98124-0346
email: stephen@boeing.com
Eric Peterson
Honeywell, Inc.
Air Transport Systems Div.
Box 21111
Phoenix, AZ 85036-1111
Richard Platek
Odyssey Research Associates, Inc.
301A Dates Drive
Ithaca, NY 14850
Joseph Profeta
Union Switch and Signal, Inc.
5800 Corp0rate Drive
Pittsburgh, PA 15237
=_
zt
T
w:
240
Patricia Remacle
NASA Langley Research Center
Mail Stop 125A
Hampton, VA 23681-0001
Alice B. Robinson
NASA Headquarters
Code QR
Washington, DC 20546
John Rushby
SRI International
333 Ravenswood Ave.
Menlo Park, CA 94025
email: rushby@csl.srl.com
David Russinoff
Computational Logic, Inc.
1717 West Sixth Street
Suite 290
Austin, TX 78703-4776
email: russ@cli.com
Mark Saaltink
ORA Canada
265 Carling Ave., Suite 506
Ottawa, Ontario KIS 2E l
CANADA
email: mark@ora.on.ca
Peter Saraceni
FAA Technical Center
ACD-230, Bldg. 201
Atlantic City Airport, NJ 08405
Carl Schaefer
MITRE Corporation
Washington Software Engineering Center
7525 Colshire Drive
McLean, VA 22102-348 l
email: schaefer@mitre.org
Frank Schneider
Jet Propulsion Laboratory
4800 Oak Grove Drive
Pasadena, CA 91109-8099
Philllp Shaffer
GE Aircraft Engines
One Neumann Way
MD A320
Cincinnati, OH 45215-6301
shaffer@athena.crd.ge.com
K. S. (Doc} Shankar
IBM Corporation
3700 Bay Area Blvd.
Houston, TX 77058-1199
NataraJan Shankar
SR[ International
333 Ravenswood Ave.
Menlo Park, CA 94025
email: shankar@csl.sri.com
Subash Shankar
Honeywell, Inc.
MN65-2100
3660 Technology Drive
Minneapolis, MN 55418
Greg Shea
Software Productivity Consortium
2214 Rock Hill Road
Hemdon, VA 22070
email: shea@software.org
Mandayam Srivas
SRI International
333 Ravenswood Ave.
Menlo Park, CA 94025
Richard Taylor
Atomic Energy Control Board
C.P. 1046, succursale B
270, rue Albert
Ottawa, Canada KIP 5S9
Susan Voigt
NASA Langley Research Center
Mail Stop 288
Hampton, VA 23681-0001
email: suev@csab.larc.nasa.gov
241
Chris Walter
Allied Signal Aerospace Company
Aerospace Technology Center
9140 Old Annapolis Road
MD 108
Columbia, MD 21045-1998
email: chris@batc.allled.com
Robert E. Waterman
NASA Goddard Space Fit. Center
Code 302
Bldg. 6, Rm. 5-229
Greenbelt, MD 20771
Isaiah White
Boeing Defense & Space Group
P.O. Box 3999, MS 8H-09
Seattle, WA 98124-2499
Lloyd Williams ....
Software Engineering Research
264 _dgevie_W:_e =_ - : _=:_'
Boulder, CO: 80302 ....... "
Phil Wlndley
University of Idaho
computer ScienceDep_ent
Moscow, ID 83843'
emall: windley@cs.uidaho.edu
Robert Wyman
Lawrence Livermore National Lab.
P.O. Box 808
Livermore, CK g4550 [=
F
242

J
¥
REPORT DOCUMENTATION PAGE Fo,mApprovedOMB No. 0704-0188
t PudbN_o,_i_ I=_d_"Jo_r thb oo_le,_ion el i_om"mllon |. a4tln-_leJ ,; .v.,_ ! hO_l' _ .i$_Km., indu¢lli_ Ih_ time |or ,e_l_ _,uc_tol_, I_td_i_ .kmting _ Bourc4m,
0_tt_ _ maJnlgdn|ng the _ _,eoclod. m',_d ooml_ing and rovtev,4ng the ¢otlooll_ el inlo,rnatlon. 9Am¢l oommlnto re,_ding Ihil burden gltlmlte or Imy o11_1_ a_olmt o4 Ih_
ndedlon d Wc_m_Jon. bok_qeg mugg_flone _, nBduo_,/th_ I_den. w W_.hlngten H_u_lwe _wvk_e./)k_o,,_ k)¢ Worm_ta_ Ol_¢_k_m _ .q_. t215 Je_fenme Dm,_
HillhW_t. Sub 120_. A_g_e. VA gg_0_-4302, and to the Ofl_, o_ M,,,_pm_e,t and Budgee. Pq_w*od_ Redu_loe Pmj_ (0704 Ot_). WNhlngme. DC 2O6O3.
1. AOENCvuSE_'LV (L,,v,_,,,k_ =.R_'6_
November 1992
|,,
4. 11'rLEANO_JB111"LE
Second NASA Formal Methods Workshop 1992
3. REPORTTYPE AND DATESCOVIERED "Conference Publication
,,,, ,, ,,
s. AUTHOR(S)
Sally C. Johnson, C. Michael ] h)lloway, and Ricky W. Butler, Compik'rs
7. PERFORMINGORGANIZATIONNAMF_S)ANDADDRESS(ESi
NASA Langley Research Center
Hampton, VA 23681-0001
S. SPONSORING / MONITORINO AGENCY NAME(Si A'ND ADDRESS(ES) ..........
National Aeronautics and Space Administration
Washington, DC 20546-0001
8. FUNDING NUMBERS
WU 505-64-10-05
S. PERFORMINGORGANIZATION
REPORTNUMBER
10. SPONSORING1M_ITO_ING
AGENCY REPORTNUMBER
NASA CP-t0110
11. SUPPLEMENTARYNOTES
This workshop was chaired by Ricky W. Butler and Sally C. Johnson of NASA Langley Research Center.
lb. owrRisu'no_AV_U_BILITVm'*_%NT
Unclassified - Unlimited
Subject Category 61
12b. DISTRIBUTk_ CODE
15. ABSTRACT (Max_mum200 we,d=)
This report documents the Second NASA Langley Formal Methods Workshop held at the NASA Langley Reseamh Center,
August 11-13, 1992. The primary goal of the workshop was to bring together formal methods researchers and aerospace
industry engineers to investigate new opportunities for applying formal methods to aerospace problems. The first part of the
workshop was tutorial in nature. The second pad of the workshop explored the potential of formal methods to address
current aerospace design and verification problems. The third pad of the workshop involved on-line demonstrations of
state-of-the-art formal verification tools. Also a detailed survey was filled in by the attendees; the results of the survey are
compiled in this report.
14. SUBJECTTERMS
Formal methods; Digital flight control; Verification; Specification; Design proof
t?. SECURffY CLA_Fk_T_N
OF REPORT
Unclassified
NSN 7640-01-280-5500
18. SECURITYCLASSIFICATION
OF THIS PAGE
Unclassified
19/SECURITY CLASSIFICATION
OF ABSTRACT
15. NUMBER OF PAGER
243
_s. '_RCECODE
All
20. UMITATION OF ABSTRACT
StandardForm'2gS (Rev. 2-89)
I_m,¢_:l by AI_I Std. Z30- la
E
=
