10 research outputs found

    A Formal Model of Partitioning for Integrated Modular Avionics

    The aviation industry is gradually moving toward the use of integrated modular avionics (IMA) for civilian transport aircraft. An important concern for IMA is ensuring that applications are safely partitioned so they cannot interfere with one another. We have investigated the problem of ensuring safe partitioning and logical non-interference among separate applications running on a shared Avionics Computer Resource (ACR). This research was performed in the context of ongoing standardization efforts, in particular, the work of RTCA committee SC-182, and the recently completed ARINC 653 application executive (APEX) interface standard. We have developed a formal model of partitioning suitable for evaluating the design of an ACR. The model draws from the mathematical modeling techniques developed by the computer security community. This report presents a formulation of partitioning requirements expressed first using conventional mathematical notation, then formalized using the language of SRI's Prototype Verification System (PVS). The approach is demonstrated on three candidate designs, each an abstraction of features found in real systems.
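The "logical non-interference" the abstract refers to is the Goguen-Meseguer notion from the security literature: what one partition can observe must not depend on the actions of any other partition. The following is an added illustration, not the paper's PVS model and not any of its three candidate designs. It checks that property by brute force over short action traces for two constructed toy designs of a shared compute resource: one that keeps each partition's memory strictly private, and one that leaks through a scratch register that is not cleared on a partition switch. The action set, the `purge` function and both designs are assumptions made for this example.

```python
"""Brute-force noninterference check for two toy partitioned designs.

Added example. The designs, actions and state layout here are constructed for
illustration; they are not the candidate designs analysed in the report.
"""
from itertools import product

PARTITIONS = ("A", "B")

# An action is (partition, op, value). 'write' stores value into the acting
# partition's own region; 'read' produces an output visible to that partition.
ACTIONS = [(p, op, v) for p in PARTITIONS for op in ("write", "read") for v in (0, 1)]


def purge(trace, observer):
    """Goguen-Meseguer purge: drop every action not performed by the observer."""
    return [a for a in trace if a[0] == observer]


def run(step, init, trace):
    """Apply the design's transition function along a trace; return final state."""
    state = init
    for action in trace:
        state = step(state, action)
    return state


def noninterference_violation(step, output, init, max_len=3):
    """Return the first trace (ending in a read) whose observer sees a different
    output than after purging other partitions' actions, or None if none exists
    up to max_len actions.  Exhaustive over ACTIONS^n for n <= max_len."""
    for n in range(1, max_len + 1):
        for trace in product(ACTIONS, repeat=n):
            *prefix, last = trace
            observer, op, _ = last
            if op != "read":
                continue
            full = output(run(step, init, prefix), last)
            purged = output(run(step, init, purge(prefix, observer)), last)
            if full != purged:
                return list(trace)
    return None


# Design 1 (constructed): strictly partitioned memory, no shared state.
INIT_PARTITIONED = {"A": 0, "B": 0}


def step_partitioned(state, action):
    p, op, v = action
    new = dict(state)
    if op == "write":
        new[p] = v
    return new


def out_partitioned(state, action):
    p, op, _ = action
    return state[p] if op == "read" else None


# Design 2 (constructed): a shared scratch register that every write updates and
# that is not cleared when control passes to the other partition.
INIT_LEAKY = {"A": 0, "B": 0, "scratch": 0}


def step_leaky(state, action):
    p, op, v = action
    new = dict(state)
    if op == "write":
        new[p] = v
        new["scratch"] = v  # written by either partition, never scrubbed
    return new


def out_leaky(state, action):
    p, op, _ = action
    if op != "read":
        return None
    return (state[p], state["scratch"])  # the read exposes the stale register


if __name__ == "__main__":
    print("partitioned:", noninterference_violation(step_partitioned, out_partitioned, INIT_PARTITIONED))
    print("leaky:", noninterference_violation(step_leaky, out_leaky, INIT_LEAKY))
```

The leaky design fails on a two-action trace: partition A writes 1, then partition B reads and sees a scratch value that would have been 0 had A's action been purged. The exhaustive search is only feasible for toy state spaces; the report's point is that the same definition, written in PVS, can be discharged by proof for a design of realistic size.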

    Using Formal Methods to Assist in the Requirements Analysis of the Space Shuttle GPS Change Request

    We describe a recent NASA-sponsored pilot project intended to gauge the effectiveness of using formal methods in Space Shuttle software requirements analysis. Several Change Requests (CRs) were selected as promising targets to demonstrate the utility of formal methods in this application domain. A CR to add new navigation capabilities to the Shuttle, based on Global Positioning System (GPS) technology, is the focus of this report. Carried out in parallel with the Shuttle program's conventional requirements analysis process was a limited form of analysis based on formalized requirements. Portions of the GPS CR were modeled using the language of SRI's Prototype Verification System (PVS). During the formal methods-based analysis, numerous requirements issues were discovered and submitted as official issues through the normal requirements inspection process. Shuttle analysts felt that many of these issues were uncovered earlier than would have occurred with conventional methods. We present a summary of these encouraging results and conclusions we have drawn from the pilot project.

    High level design proof of a reliable computing platform

    The main objectives are: to establish a hardware/software platform for ultra-reliable computing; to use a fault-tolerant computer architecture; to use formal methods to prevent design and implementation errors; and to construct a reliability model to quantify the reliability estimate. The results show that: ultra-reliable control systems are hard to achieve; a simple fault-tolerant design is postulated; a formal specification of the design is constructed; and preliminary correctness proofs are obtained.

    Formal design and verification of a reliable computing platform for real-time control (phase 3 results)

    In this paper the design and formal verification of the lower levels of the Reliable Computing Platform (RCP), a fault-tolerant computing system for digital flight control applications, are presented. The RCP uses NMR-style redundancy to mask faults and internal majority voting to flush the effects of transient faults. Two new layers of the RCP hierarchy are introduced: the Minimal Voting refinement (DA_minv) of the Distributed Asynchronous (DA) model and the Local Executive (LE) Model. Both the DA_minv model and the LE model are specified formally and have been verified using the Ehdm verification system. All specifications and proofs are available electronically via the Internet using anonymous FTP or World Wide Web (WWW) access.
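The abstract draws a distinction worth seeing concretely: NMR voting on each frame's output masks a faulty replica, but only voting on internal state and having every replica adopt the majority flushes a transient upset, so that a later upset in a second replica does not leave the system without a majority. The following is an added toy triple-modular-redundancy frame loop, not the RCP model or its Ehdm specification. The control law, the sensor inputs and the injected faults are constructed for this example.

```python
"""Toy TMR frame loop: masking versus flushing of transient faults.

Added example, not the RCP design.  Three replicas run the same constructed
control law each frame; a transient upset is injected as an XOR into one
replica's state.  With resync=True every replica adopts the voted state after
the frame (the "flush"); with resync=False only the output is voted and the
corrupted replica keeps diverging.
"""


def majority(values):
    """Exact-match majority of three values; None if all three disagree."""
    a, b, c = values
    if a == b or a == c:
        return a
    if b == c:
        return b
    return None  # no majority: the fault is no longer masked


def control_law(state, sensor):
    """Constructed dynamics: an 8-bit saturating integrator."""
    return (state + sensor) & 0xFF


def run_frames(sensors, faults, resync=True):
    """Run one frame per sensor sample.

    faults: {frame_index: (replica_index, xor_mask)} transient upsets to inject
    after the replica computes its new state for that frame.
    Returns (voted outputs per frame, final per-replica states).
    """
    states = [0, 0, 0]
    outputs = []
    for frame, sensor in enumerate(sensors):
        states = [control_law(s, sensor) for s in states]
        if frame in faults:
            idx, mask = faults[frame]
            states[idx] ^= mask  # single-event upset in one replica
        voted = majority(states)
        outputs.append(voted)
        if resync and voted is not None:
            states = [voted] * 3  # flush: all replicas re-converge on the majority
    return outputs, states


if __name__ == "__main__":
    sensors = [1, 2, 3, 4]  # constructed input samples
    one_fault = {1: (0, 0x04)}
    two_faults = {1: (0, 0x04), 3: (1, 0x01)}  # second upset hits a different replica later
    print("flush, one fault:    ", run_frames(sensors, one_fault))
    print("no flush, one fault: ", run_frames(sensors, one_fault, resync=False))
    print("flush, two faults:   ", run_frames(sensors, two_faults))
    print("no flush, two faults:", run_frames(sensors, two_faults, resync=False))
```

With a single upset both variants produce the same voted outputs, which is why output-only voting looks sufficient in a short test. Without the state flush the upset replica stays divergent, and a second, unrelated upset three frames later leaves all three replicas disagreeing, so the voter has no majority to return; with the flush the same second upset is masked like the first.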

    Formalizing New Navigation Requirements for NASA's Space Shuttle

    We describe a recent NASA-sponsored pilot project intended to gauge the effectiveness of using formal methods in Space Shuttle software requirements analysis. Several Change Requests (CRs) were selected as promising targets to demonstrate the utility of formal methods in this demanding application domain. A CR to add new navigation capabilities to the Shuttle, based on Global Positioning System (GPS) technology, is the focus of this industrial usage report. Portions of the GPS CR were modeled using the language of SRI's Prototype Verification System (PVS). During a limited analysis conducted on the formal specifications, numerous requirements issues were discovered. We present a summary of these encouraging results and conclusions we have drawn from the pilot project.

    Strategy-Enhanced Interactive Proving and Arithmetic Simplification for PVS

    We describe an approach to strategy-based proving for improved interactive deduction in specialized domains. An experimental package of strategies (tactics) and support functions called Manip has been developed for PVS to reduce the tedium of arithmetic manipulation. Included are strategies aimed at algebraic simplification of real-valued expressions. A general deduction architecture is described in which domain-specific strategies, such as those for algebraic manipulation, are supported by more generic features, such as term-access techniques applicable in arbitrary settings. An extended expression language provides access to subterms within a sequent.

    NASA Langley Research and Technology-Transfer Program in Formal Methods

    This paper presents an overview of the NASA Langley research program in formal methods. The major goals of this work are to make formal methods practical for use on life-critical systems, and to orchestrate the transfer of this technology to U.S. industry through the use of carefully designed demonstration projects. Several direct technology transfer efforts have been initiated that apply formal methods to critical subsystems of real aerospace computer systems. The research team consists of five NASA civil servants and contractors from Odyssey Research Associates, SRI International, and VIGYAN Inc.

    Tissue Biomarkers for Prognosis in Cutaneous Melanoma: A Systematic Review and Meta-analysis

    In the clinical management of early-stage cutaneous melanoma, it is critical to determine which patients are cured by surgery alone and which should be treated with adjuvant therapy. To assist in this decision, many groups have made an effort to use molecular information. However, although there are hundreds of studies that have sought to assess the potential prognostic value of molecular markers in predicting the course of cutaneous melanoma, at this time, no molecular method to improve risk stratification is part of recommended clinical practice. To help understand this disconnect, we conducted a systematic review and meta-analysis of the published literature that reported immunohistochemistry-based protein biomarkers of melanoma outcome. Three parallel search strategies were applied to the PubMed database through January 15, 2008, to identify cohort studies that reported associations between immunohistochemical expression and survival outcomes in melanoma that conformed to the REMARK criteria. Of the 102 cohort studies, we identified only 37 manuscripts, collectively describing 87 assays on 62 distinct proteins, which met all inclusion criteria. Promising markers that emerged included melanoma cell adhesion molecule (MCAM)/MUC18 (all-cause mortality [ACM] hazard ratio [HR] = 16.34; 95% confidence interval [CI] = 3.80 to 70.28), matrix metalloproteinase-2 (melanoma-specific mortality [MSM] HR = 2.6; 95% CI = 1.32 to 5.07), Ki-67 (combined ACM HR = 2.66; 95% CI = 1.41 to 5.01), proliferating cell nuclear antigen (ACM HR = 2.27; 95% CI = 1.56 to 3.31), and p16/INK4A (ACM HR = 0.29; 95% CI = 0.10 to 0.83, MSM HR = 0.4; 95% CI = 0.24 to 0.67). We further noted incomplete adherence to the REMARK guidelines: 14 of 27 cohort studies that failed to adequately report their methods and nine studies that failed to either perform multivariable analyses or report their risk estimates were published since 2005.

    Ezetimibe added to statin therapy after acute coronary syndromes

    BACKGROUND: Statin therapy reduces low-density lipoprotein (LDL) cholesterol levels and the risk of cardiovascular events, but whether the addition of ezetimibe, a nonstatin drug that reduces intestinal cholesterol absorption, can reduce the rate of cardiovascular events further is not known. METHODS: We conducted a double-blind, randomized trial involving 18,144 patients who had been hospitalized for an acute coronary syndrome within the preceding 10 days and had LDL cholesterol levels of 50 to 100 mg per deciliter (1.3 to 2.6 mmol per liter) if they were receiving lipid-lowering therapy or 50 to 125 mg per deciliter (1.3 to 3.2 mmol per liter) if they were not receiving lipid-lowering therapy. The combination of simvastatin (40 mg) and ezetimibe (10 mg) (simvastatin-ezetimibe) was compared with simvastatin (40 mg) and placebo (simvastatin monotherapy). The primary end point was a composite of cardiovascular death, nonfatal myocardial infarction, unstable angina requiring rehospitalization, coronary revascularization (≥30 days after randomization), or nonfatal stroke. The median follow-up was 6 years. RESULTS: The median time-weighted average LDL cholesterol level during the study was 53.7 mg per deciliter (1.4 mmol per liter) in the simvastatin-ezetimibe group, as compared with 69.5 mg per deciliter (1.8 mmol per liter) in the simvastatin-monotherapy group (P<0.001). The Kaplan-Meier event rate for the primary end point at 7 years was 32.7% in the simvastatin-ezetimibe group, as compared with 34.7% in the simvastatin-monotherapy group (absolute risk difference, 2.0 percentage points; hazard ratio, 0.936; 95% confidence interval, 0.89 to 0.99; P = 0.016). Rates of pre-specified muscle, gallbladder, and hepatic adverse effects and cancer were similar in the two groups. CONCLUSIONS: When added to statin therapy, ezetimibe resulted in incremental lowering of LDL cholesterol levels and improved cardiovascular outcomes. Moreover, lowering LDL cholesterol to levels below previous targets provided additional benefit.