A Formal Verification Environment for Use in the Certification of Safety-Related C Programs
In this thesis the design of an environment for the formal verification of functional properties of safety-related software written in the programming language C is described. The focus lies on the verification of (primarily) geometric computations. We give an overview of the applicable regulations for safety-related software systems. We define a combination of higher-order logic as formalised in the theorem prover Isabelle and a specification language syntactically based on C expressions. The language retains the mathematical character of higher-level specifications in code specifications. A memory model for C is formalised which is appropriate to model low-level memory operations while keeping the entailed verification overhead in tolerable bounds. Finally, a Hoare style proof calculus is devised so that correctness proofs can be performed in one integrated framework. The applicability of the approach is demonstrated by describing its use in an industrial project.
Formal certification and compliance for run-time service environments
With the increased awareness of security and safety of services in on-demand distributed service provisioning (such as the recent adoption of Cloud infrastructures), certification and compliance checking of services is becoming a key element for service engineering. Existing certification techniques tend to support mainly design-time checking of service properties and tend not to support run-time monitoring and progressive certification in the service execution environment. In this paper we discuss an approach which provides both design-time and run-time behavioural compliance checking for a services architecture, through enabling a progressive event-driven model-checking technique. Providing an integrated approach to certification and compliance is a challenge; however, using analysis and monitoring techniques, we present such an approach for ongoing compliance checking.
Verifying the Safety of a Flight-Critical System
This paper describes our work on demonstrating verification technologies on a flight-critical system of realistic functionality, size, and complexity. Our work targeted a commercial aircraft control system named Transport Class Model (TCM), and involved several stages: formalizing and disambiguating requirements in collaboration with domain experts; processing models for their use by formal verification tools; applying compositional techniques at the architectural and component level to scale verification. Performed in the context of a major NASA milestone, this study of formal verification in practice is one of the most challenging that our group has performed, and it took several person months to complete it. This paper describes the methodology that we followed and the lessons that we learned.
Comment: 17 pages, 5 figures
Hubble Space Telescope: SRM/QA observations and lessons learned
The Hubble Space Telescope (HST) Optical Systems Board of Investigation was established on July 2, 1990 to review, analyze, and evaluate the facts and circumstances regarding the manufacture, development, and testing of the HST Optical Telescope Assembly (OTA). Specifically, the board was tasked to ascertain what caused the spherical aberration and how it escaped notice until on-orbit operation. The error that caused the on-orbit spherical aberration in the primary mirror was traced to the assembly process of the Reflective Null Corrector, one of the three Null Correctors developed as special test equipment (STE) to measure and test the primary mirror. Therefore, the safety, reliability, maintainability, and quality assurance (SRM&QA) investigation covers the events and the overall product assurance environment during the manufacturing phase of the primary mirror and Null Correctors (from 1978 through 1981). The SRM&QA issues that were identified during the HST investigation are summarized. The crucial product assurance requirements (including nonconformance processing) for the HST are examined. The history of Quality Assurance (QA) practices at Perkin-Elmer (P-E) for the period under investigation is reviewed. The importance of the information management function is discussed relative to data retention/control issues. Metrology and other critical technical issues are also discussed. The SRM&QA lessons learned from the investigation are presented along with specific recommendations. Appendix A provides the MSFC SRM&QA report. Appendix B provides supplemental reference materials. Appendix C presents the findings of the independent optical consultants, Optical Research Associates (ORA). Appendix D provides further details of the fault-tree analysis portion of the investigation process.
Assessing the Risk due to Software Faults: Estimates of Failure Rate versus Evidence of Perfection.
In the debate over the assessment of software reliability (or safety), as applied to critical software, two extreme positions can be discerned: the 'statistical' position, which requires that claims of reliability be supported by statistical inference from realistic testing or operation, and the 'perfectionist' position, which requires convincing indications that the software is free from defects. These two positions naturally lead to requiring different kinds of supporting evidence, and actually to stating the dependability requirements in different ways, not allowing any direct comparison. There is often confusion about the relationship between statements about software failure rates and statements about software correctness, and about which evidence can support either kind of statement. This note clarifies the meaning of the two kinds of statement and how they relate to the probability of failure-free operation, and discusses their practical merits, especially for high required reliability or safety.