139 research outputs found

    A Formal Model of Partitioning for Integrated Modular Avionics

    The aviation industry is gradually moving toward the use of integrated modular avionics (IMA) for civilian transport aircraft. An important concern for IMA is ensuring that applications are safely partitioned so they cannot interfere with one another. We have investigated the problem of ensuring safe partitioning and logical non-interference among separate applications running on a shared Avionics Computer Resource (ACR). This research was performed in the context of ongoing standardization efforts, in particular the work of RTCA committee SC-182 and the recently completed ARINC 653 application executive (APEX) interface standard. We have developed a formal model of partitioning suitable for evaluating the design of an ACR. The model draws from the mathematical modeling techniques developed by the computer security community. This report presents a formulation of partitioning requirements expressed first using conventional mathematical notation, then formalized using the language of SRI's Prototype Verification System (PVS). The approach is demonstrated on three candidate designs, each an abstraction of features found in real systems.

    Software Certification for Temporal Properties With Affordable Tool Qualification

    It has been recognized that a framework based on proof-carrying code (also called semantic-based software certification in its community) could be used as a candidate software certification process for the avionics industry. To meet this goal, tools in the "trust base" of a proof-carrying code system must be qualified by regulatory authorities. A family of semantic-based software certification approaches is described, each differing in expressive power, level of automation, and trust base. Of particular interest is the so-called abstraction-carrying code, which can certify temporal properties. When a pure abstraction-carrying code method is used in the context of industrial software certification, the fact that the trust base includes a model checker would incur a high qualification cost. This position paper proposes a hybrid of abstraction-based and proof-based certification methods so that the model checker used by a client can be significantly simplified, thereby lowering the cost of tool qualification.

    Using Formal Methods to Assist in the Requirements Analysis of the Space Shuttle GPS Change Request

    We describe a recent NASA-sponsored pilot project intended to gauge the effectiveness of using formal methods in Space Shuttle software requirements analysis. Several Change Requests (CRs) were selected as promising targets to demonstrate the utility of formal methods in this application domain. A CR to add new navigation capabilities to the Shuttle, based on Global Positioning System (GPS) technology, is the focus of this report. Carried out in parallel with the Shuttle program's conventional requirements analysis process was a limited form of analysis based on formalized requirements. Portions of the GPS CR were modeled using the language of SRI's Prototype Verification System (PVS). During the formal methods-based analysis, numerous requirements issues were discovered and submitted as official issues through the normal requirements inspection process. Shuttle analysts felt that many of these issues were uncovered earlier than would have occurred with conventional methods. We present a summary of these encouraging results and the conclusions we have drawn from the pilot project.

    Critical Acceleration Levels for Free Standing Bridge Abutments

    An analytic procedure for predicting threshold accelerations for movement of gravity wall bridge abutments due to earthquake loading is described. The method draws on previous work related to the sliding mode of failure, and on a newly developed theory of seismic reduction of bearing capacity. The main contribution of this paper is to present laboratory observations verifying the mode of failure and the critical acceleration levels predicted by this procedure for model retaining wall bridge abutments subjected to seismic excitation on a shaking table. Three different test series were performed with different interface conditions between the wall and the bridge deck, soil foundation, and backfill, resulting in a variety of modes of wall deformation.

    High level design proof of a reliable computing platform

    The main objectives are: to establish a hardware/software platform for ultra-reliable computing; to use a fault-tolerant computer architecture; to use formal methods to prevent design and implementation errors; and to construct a reliability model to quantify the reliability estimate. The results show that: ultra-reliable control systems are hard to achieve; a simple fault-tolerant design is postulated; a formal specification of the design is constructed; and preliminary correctness proofs are obtained.

    Formal design and verification of a reliable computing platform for real-time control (phase 3 results)

    In this paper the design and formal verification of the lower levels of the Reliable Computing Platform (RCP), a fault-tolerant computing system for digital flight control applications, are presented. The RCP uses NMR-style redundancy to mask faults and internal majority voting to flush the effects of transient faults. Two new layers of the RCP hierarchy are introduced: the Minimal Voting refinement (DA_minv) of the Distributed Asynchronous (DA) model and the Local Executive (LE) model. Both the DA_minv model and the LE model are specified formally and have been verified using the Ehdm verification system. All specifications and proofs are available electronically via the Internet using anonymous FTP or World Wide Web (WWW) access.

    Baseline Assessment and Prioritization Framework for IVHM Integrity Assurance Enabling Capabilities

    Fundamental to vehicle health management is the deployment of systems incorporating advanced technologies for predicting and detecting anomalous conditions in highly complex and integrated environments. Integrated structural integrity health monitoring; statistical algorithms for detection, estimation, prediction, and fusion; and diagnosis supporting adaptive control are examples of advanced technologies that present considerable verification and validation challenges. These systems necessitate interactions between physical and software-based systems that are highly networked with sensing and actuation subsystems, and incorporate technologies that are, in many respects, different from those employed in civil aviation today. A formidable barrier to deploying these advanced technologies in civil aviation is the lack of enabling verification and validation tools, methods, and technologies. The development of new verification and validation capabilities will not only enable the fielding of advanced vehicle health management systems, but will also provide new assurance capabilities for verification and validation of current-generation aviation software, which has been implicated in anomalous in-flight behavior. This paper describes the research focused on enabling capabilities for verification and validation underway within NASA's Integrated Vehicle Health Management project, discusses the state of the art of these capabilities, and includes a framework for prioritizing activities.

    Regulation of pancreatic cancer cell migration and invasion by RhoC GTPase and Caveolin-1

    Background: In the current study we investigated the role of caveolin-1 (cav-1) in pancreatic adenocarcinoma (PC) cell migration and invasion, the initial steps in metastasis. Cav-1 is the major structural protein in caveolae, small Ω-shaped invaginations within the plasma membrane. Caveolae are involved in signal transduction, wherein cav-1 acts as a scaffolding protein to organize multiple molecular complexes regulating a variety of cellular events. Recent evidence suggests a role for cav-1 in promoting cancer cell migration, invasion and metastasis; however, the molecular mechanisms have not been described. The small monomeric GTPases are among several molecules which associate with cav-1. Classically, the Rho GTPases control actin cytoskeletal reorganization during cell migration and invasion. RhoC GTPase is overexpressed in aggressive cancers that metastasize and is the predominant GTPase in PC. Like several GTPases, RhoC contains a putative cav-1 binding motif.
    Results: Analysis of 10 PC cell lines revealed high levels of cav-1 expression in lines derived from primary tumors and low expression in those derived from metastases. Comparison of the BxPC-3 (derived from a primary tumor) and HPAF-II (derived from a metastasis) lines demonstrates a reciprocal relationship between cav-1 expression and p42/p44 Erk activation on the one hand, and PC cell migration, invasion, RhoC GTPase and p38 MAPK activation on the other. Furthermore, inhibition of RhoC or p38 activity in HPAF-II cells leads to partial restoration of cav-1 expression.
    Conclusion: Cav-1 expression inhibits RhoC GTPase activation and the subsequent activation of the p38 MAPK pathway in primary PC cells, thus restricting migration and invasion. In contrast, loss of cav-1 expression leads to RhoC-mediated migration and invasion in metastatic PC cells.
    http://deepblue.lib.umich.edu/bitstream/2027.42/112733/1/12943_2005_Article_110.pd

    Clinical practice guidelines on the management of status epilepticus in adults: A systematic review

    Objective: Status epilepticus (SE) is the second most common neurological emergency in adults. Despite improvements in the management of acute neurological conditions over the last decade, mortality remains persistently high. Because a gap has emerged between SE management based on clinical practice guidelines (CPGs) and actual clinical practice, we conducted a systematic review of CPGs, assessing their quality, outlining commonalities and discrepancies in recommendations, and highlighting research gaps. Methods: We searched the PubMed and EMBASE databases and other gray literature sources (nine among guideline registries, evidence-based medicine databases, and point-of-care tools; seven websites of governmental organizations and international neurologic societies) in December 2021 (updated in November 2023). The units of analysis were CPGs that included recommendations on the diagnostic and/or therapeutic management of SE in adults. The quality of the CPGs was assessed using the AGREE II tool. Results: Fifteen CPGs were included. The "Applicability" domain was assigned the lowest median score of 10%. The domains "Stakeholder Involvement," "Rigor of Development," and "Editorial Independence" were also generally underrated. Recommendations on general and diagnostic management and on organizational interventions were fragmented and scattered. Recommendations on pre-hospital and hospital treatment of early-onset and refractory SE were broadly agreed, whereas there was less agreement on the treatment model and medications for established SE and super-refractory SE. Significance: The CPGs for the management of SE developed in recent years are flawed by several methodological issues and discrepancies in the coverage of important topics. The gap between CPG-based management of SE and actual clinical practice may be due in part to the inherent limitations of the CPGs produced so far.

    The new molecular markers DDIT3, STT3A, ARG2 and FAM129A are not useful in diagnosing thyroid follicular tumors

    Preoperative characterization of thyroid follicular lesions is challenging. Fine-needle aspiration specimens cannot differentiate follicular carcinomas from benign follicular neoplasias. Recently, promising markers have been detected using modern molecular techniques. We conducted a retrospective study to confirm the usefulness of immunohistochemical staining for the protein markers DDIT3, STT3A (ITM1), ARG2 and FAM129A (C1orf24) in separating benign and malignant thyroid follicular lesions. Formalin-fixed, paraffin-embedded thyroid tissue from 30 in-house cases (15 follicular carcinomas and 15 follicular adenomas), as well as 8 follicular carcinomas and 21 follicular adenomas on tissue microarray slides, were stained immunohistochemically for DDIT3, STT3A, ARG2 and FAM129A expression. Control tissue consisted of thyroid parenchyma adjacent to the tumors and 11 separate cases of normal thyroid parenchyma. All in-house cases of follicular adenomas, follicular carcinomas and adjacent normal thyroid tissue showed positive immunostaining with anti-DDIT3 and anti-STT3A. Anti-ARG2 and anti-FAM129A polyclonal antibodies showed positive staining in 20% and 60% of in-house follicular adenomas, and 40% and 87% of in-house follicular carcinomas, respectively. Monoclonal anti-FAM129A demonstrated positive staining in 13% and 33% of in-house follicular adenomas and follicular carcinomas, respectively. Polyclonal anti-DDIT3, -STT3A and -FAM129A antibodies showed positive staining in all tissue microarray slides of follicular carcinoma and in 76%, 85% and 81% of the follicular adenomas, respectively. Monoclonal anti-STT3A stained 81% of the follicular adenoma cores. Anti-ARG2 stained positive in 13% of follicular carcinomas and 10% of follicular adenomas on the tissue microarray slides. In conclusion, DDIT3, STT3A, ARG2 and FAM129A immunohistochemistry does not appear to be useful in the diagnosis of thyroid follicular neoplasias, as these markers do not reliably distinguish follicular thyroid carcinoma from follicular thyroid adenoma.