NASA Conference Publication 10052

### **NASA Formal** Methods Workshop 1990

(NASA-UP-10057) NASA FORMAL METHODS NORKSHUP, 1990 (NASA) 504 P LSCL 093 N91-17557 --THRU--N91-17570 Unclas 0319031

Compiled by Ricky W. Butler NASA Langley Research Center Hampton, Virginia

Proceedings of a workshop sponsored by the National Aeronautics and Space Administration, Washington, D.C., and held at Langley Research Center Hampton, Virginia August 20-23, 1990

63/01

November 1990



Langley Research Center Hampton, Virginia 23665-5225 •

.

### Contents

-

.

| Introduction                                                                                                     |
|------------------------------------------------------------------------------------------------------------------|
| Workshop Agenda                                                                                                  |
| List of Attendees                                                                                                |
| Digital Avionics a Cornerstone of Avionics<br>by Chuck Meissner for Cary Spitzer (NASA)                          |
| Life Critical Digital Flight Control Systems<br>by James McWha (Boeing Military)                                 |
| Advanced Embedded Processing: Present and Future<br>by Jerry Cohen (Boeing Military)                             |
| MAFT: The Multicomputer Architecture for Fault Tolerance<br>by Roger Kieckhafer (U. Nebraska, Lincoln)           |
| Design For Validation<br>by Rick Butler (NASA)                                                                   |
| What FM can offer to DFCS design<br>by John Rushby (SRI International)                                           |
| What FM can offer to DFCS design<br>by Don Good (Computational Logic, Inc)                                       |
| High Level Design Proof of a Reliable Computing Platform<br>Ben DiVito (Vigyan)                                  |
| A Verified Model of Fault Tolerance<br>John Rushby (SRI International)                                           |
| The Design and Verification of a Fault-tolerant Circuit<br>Bill Bevier and Bill Young (Computational Logic, Inc) |
| Verifying an Interactive Consistency Circuit                                                                     |

| by Mandayam Srivas (Odyssey Research Associates) $\dots \dots \dots \dots \dots \dots \dots \dots \dots 295_{\leq d}$ | ×11                |
|-----------------------------------------------------------------------------------------------------------------------|--------------------|
| Hardware Verification at Computational Logic Inc.<br>by Warren Hunt (Computational Logic, Inc) 325                    | مديز               |
| Generic Interpreters and Microprocessor Verification<br>by Phil Windley (Univ. California, Davis)                     | × 2                |
| VIPER Project<br>by Clive Pygott and John Kershaw (Royal Signals and Radar Establishment) 380                         | 1514               |
| Mechanical Proofs of Fault-Tolerant Clock Synchronization<br>by N. Shankar and John Rushby (SRI International)        | 515                |
| An HOL Theory For Voting<br>by Paul Miner and Jim Caldwell (NASA) 442                                                 | 5/6                |
| Formally Specifying the Logic Of Automatic Guidance Control (Ada)<br>by David Guaspari (Odyssey Research Associates)  |                    |
| Verification of Floating-point Software<br>by Doug Hoover (Odyssey Research Associates)                               | 7 <sub>518</sub>   |
| C Formal Verification with Unix Communication and Concurrency<br>by Doug Hoover (Odyssey Research Associates)         | 95) <sub>[</sub> / |

\_\_\_\_

•

-

### Introduction

This publication contains copies of the material presented at the NASA Formal Methods Workshop held at Langley Research Center on August 20-23, 1990. The purpose of the workshop was to bring together the researchers involved in the NASA formal methods research effort for detailed technical interchange and to provide a chance for interaction with representatives from the U.S. government and the aerospace industry. The goals of the workshop were:

- Introduce the formal methods research teams to a broader view of the aerospace problem domain by industry presentations.
- Detailed technical exchange between formal methods research teams to define and characterize the verification problem for ultra-reliable life-critical flight control systems.
- Identification of aerospace problems which can benefit from formal methods and can serve as the basis of future research efforts.

The NASA effort in formal methods includes researchers at NASA LaRC, Computational Logic Inc., Odyssey Research Associates, SRI International, Boeing Military, Vigyan and the University of California at Davis and Irvine. Also NASA Langley is involved in a joint research effort with the UK Royal Signals and Radar Establishment as formalized in a Memorandum of Understanding between the two organizations.

Attendees at the workshop included NASA personnel, researchers from the four supporting contract organizations, RSRE personnel, invited speakers, and representatives from other government research organizations with interests in formal methods. Attendance was by invitation only.

### NASA Formal Methods Workshop Agenda (Aug 20-23, 1990)

### Day 1

| 8:00 - 8:20 am<br>8:20 - 8:30 am<br>8:30 - 8:45 am<br>8:45 - 9:30 am | Milt Holt<br>Ricky W. Butler<br>Chuck Meissner | Late Registration<br>Greeting by Chief of ISD<br>Workshop Objectives<br>Digital Avionics: A Cornerstone<br>of Aviation |
|----------------------------------------------------------------------|------------------------------------------------|------------------------------------------------------------------------------------------------------------------------|
| 9:30 - 10:15 am                                                      | James McWha                                    | Life Critical Digital<br>Flight Control Systems (DFCS)                                                                 |
| 10:15 - 10:30 am                                                     | BREAK                                          |                                                                                                                        |
| 10:30 - 11:30 am                                                     | Jerry Cohen                                    | Advanced Embedded Processing:<br>Present and Future                                                                    |
| 11:30 - 12:30 am                                                     | LUNCH                                          |                                                                                                                        |
| 12:30 - 1:30 pm                                                      | Roger                                          | MAFT: The Multicomputer Architecture                                                                                   |
| 1:30 - 2:00 pm                                                       | Kieckhafer<br>Rick Butler                      | for Fault Tolerance<br>Design For Validation                                                                           |
| 2:00 - 2:30 pm                                                       | BREAK                                          |                                                                                                                        |
|                                                                      | DILLAIN                                        |                                                                                                                        |
| 2:30 - 3:00 pm<br>3:00 - 3:30 pm<br>3:30 - 4:00 pm                   | Richard Platek<br>John Rushby<br>Don Good      | What FM can offer to DFCS design<br>What FM can offer to DFCS design<br>What FM can offer to DFCS design               |

Day 2

÷

-

.

---- OS verification ------

| 8:30 - 9:30 am<br>9:30 - 10:15 am | DiVito<br>Rushby | High Level Design Proof<br>of a Reliable Computing Platform<br>A Verified Model of Fault Tolerance |
|-----------------------------------|------------------|----------------------------------------------------------------------------------------------------|
| 10:15 - 10: <b>3</b> 0 am         | BREAK            |                                                                                                    |
|                                   |                  | Byzantine Generals                                                                                 |
| 10:30 - 11:30 pm                  | Bevier & Young   | The Design and Verification of<br>a Fault-tolerant Circuit                                         |
| 11:30 - 12:30 am                  | LUNCH            |                                                                                                    |
| 12:30 - 1:30 am                   | Srivas           | Verifying an Interactive<br>Consistency Circuit                                                    |
|                                   |                  | Microprocessor                                                                                     |
| 1:30 - 2:00 pm                    | Hunt             | Hardware Verification at<br>Computational Logic Inc.                                               |
| 2:00 - 2:30 pm                    | Windley          | Generic Interpreters and<br>Microprocessor Verification                                            |
| 2:30 - 3:00 pm                    | BREAK            |                                                                                                    |
| 3:00 - 4:00 pm<br>4:00 - 4:30 pm  |                  | w VIPER 2 & NODEN                                                                                  |

-----ks#c

.....

|                  |                              | Clock Synchronization                                                       |
|------------------|------------------------------|-----------------------------------------------------------------------------|
| 8:30 - 10:00 ai  | m Shankar/Rushby             | Mechanical Proofs of Fault                                                  |
| 10:00 - 10:30 a  | m Discussion                 | Tolerant Clock Synchronization                                              |
|                  |                              | Commercial Chips                                                            |
| 10:30 - 11:30 p  | m Levitt                     | Floating-pt. Coprocessor (Intel 8087)<br>DMA controller (Intel 8237A), etc. |
| 11:30 - 12:00 pr | n Caldwell/Carreno/<br>Miner | (rot in roceedings)                                                         |
|                  |                              | An HOL Theory For Voting                                                    |
| 12:00 - 1:00 pm  | LUNCH                        |                                                                             |
|                  |                              | — Code Verification ——-                                                     |
| 1:00 - 1:45 pm   | Guaspari                     | Formally Specifying the Logic Of                                            |
| 1:45 - 2:30 pm   | Hoover                       | Automatic Guidance Control (Ada)<br>Verification of Floating-point          |
| 2:30 - 3:00 pm   | Hoover                       | Software<br>C Formal Verification with Unix                                 |
|                  |                              | Communication and Concurrency                                               |
| 3:00 - 3:30 pm   | BREAK                        | · ·                                                                         |
| 3:30 - 5:00 pm   | Planning                     |                                                                             |

### Day 4

8:30 - 12:00 pm Discussion

### NASA FM Workshop Attendees

-

| Deepak Kapur<br>Dale Johnson<br>Andy Moore<br>Karl Levitt<br>Sally Johnson<br>Richard Platek<br>Bill Young<br>Don Good<br>Warren Hunt<br>Jim Caldwell<br>Mark Bickford<br>Mark Saaltink<br>Bill Legato<br>Kang Shin<br>Chuck Meissner<br>Pete Saraceni<br>Roger Kieckhafer<br>Doug Hoover<br>David Guaspari<br>Tom Schubert<br>Mark Ardis<br>Clive Pygott<br>John Kershaw<br>David Musser<br>Phil Windley<br>John Knight<br>Rick Kuhn<br>Dave Eckhardt<br>John McHugh<br>Milt Holt<br>Ben DiVito | ORA<br>ORA<br>UC Davis<br>SEI<br>RSRE, Malvern<br>RSRE, Malvern<br>RPI<br>U. Idaho<br>U. Va.<br>NIST<br>NASA, LaRC<br>CLI<br>NASA, LaRC<br>Vigyan/NASA | (512)322-9951         bevier@cli.com           (518)442-4281         kapur@albanycs.albany.edu           (617)271-8894         (202)767-6698           (202)767-6698         moore@itd.nrl.navy.mil           (916)752-0832         levitt@ucdavis.edu           (804)864-6204         scj@air16.larc.nasa.gov           (607)277-2020         richard%oravax.uucp@cu-arpa.cs.cornell.edu           (512)322-9951         young@cli.com           (512)322-9951         hunt@cli.com           (804)864-6214         jlc@air16.larc.nasa.gov,caldwell@cs.cornell.edu           (607)277-2020         ??? %oravax.uucp@cu-arpa.cs.cornell.edu           (613)238-7900         mark@ora.on.ca           (301)688-4229         (313)763-0391           (313)763-0391         kgshin@eecs.umich.edu           (607)277-2020         rogerk@fergvax.unl.edu           (607)277-2020         rogerk@fergvax.uucp@cu-arpa.cs.cornell.edu           (607)277-2020         rogerk@fergvax.uucp@cu-arpa.cs.cornell.edu           (607)277-2020         rogerk@fergvax.uucp@cu-arpa.cs.cornell.edu           (607)277-2020         rogerk@fergvax.uucp@cu-arpa.cs.cornell.edu           (607)277-2020         rogerk@fergvax.uucp@cu-arpa.cs.cornell.edu           (607)277-2020         rogerk@fergvax.uucp@cu-arpa.cs.cornell.edu           (607) |
|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| John McHugh                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      | CLI                                                                                                                                                    | (804)864-1596                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
| Milt Holt                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | NASA, LaRC                                                                                                                                             | (804)864-4883 bld@air16.larc.nasa.gov                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |

5,-06 P-24 4.30 × 1 Ó

### **DIGITAL AVIONICS**

## A CORNERSTONE OF AVIATION

by Cary R. Spitzer NASA Langley Research Center Presented to the NASA Formal Methods Workshop by

Charles W. Meissner, Jr.

# DIGITAL AVIONICS - A CORNERSTONE OF AVIATION

INTRODUCTION: Avionics Roles

Communication

. HF and VHF

Satellite

. Data Links

Navigation

.

Ground-based systems

.

- systems Inertial and satellite-based .
- Goal: <u>Autonomous operation!!!</u>

L

# DIGITAL AVIONICS - A CORNERSTONE OF AVIATION

INTRODUCTION

**CURRENT EXAMPLES** 

**CURRENT ISSUES** 

FUTURE TRENDS

INTERNATIONAL SCENE

SUMMARY

### FIGHTER INSTALLED AVIONICS WEIGHT



| DIGITAL AVIONICS - A CORNERSTONE OF AVIATION<br>INTRODUCTION: Avionics Roles<br>- Fly-by-wire flight controls<br>- Historically used for stability & control augmentation<br>- Not flight critical | <ul> <li>Emerging as a flight critical system</li> <li>Driven by performance and economic demands</li> <li>F-16, A-320, B-777</li> </ul> |
|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------|
|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------|

## TOTAL ON BOARD COMPUTER CAPACITY (OFP)



## TRENDS IN AVIONICS ABOARD FIGHTER/ATTACK AIRCRAFT



Years



-----







Pitch Control



System Architecture Control Electronic Flight

DIGITAL AVIONICS - A CORNERSTONE OF AVIATION Rudder Hydraulic / æ υ 7 Yellow system Green system Artificial Blue system feel Mech.stop CURRENT EXAMPLES: A-320 Hydraulic × لالح U Σ Σ mΩ≻ Travel limitation Flight augmentation computer Rudder trim Yaw damper Motor actuator FACS FAC Rudder trim Σ yaw commands Autopilot ELAC Rudder pedals J

Yaw Control



### DIGITAL AVIONICS - A CORNERSTONE OF AVIATION CURRENT ISSUES: Hardware

. Proof of fault tolerance, high reliability Modeling of complex systems

.

Growing concern due to composite aircraft, interference Electromagnetic

.

increased emission of RF, and smaller electronic element sizes





Vehicle Mgmt Interfaces/<

| TION                                                                     | ivil                                                                                                                | & design                                                                                                                              |
|--------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------|
| DIGITAL AVIONICS - A CORNERSTONE OF AVIATION<br>CURRENT ISSUES: Software | <ul> <li>Developing competency in Ada</li> <li>Mandated for DoD, Space Station Freedom, civil transports</li> </ul> | Computer-Aided Software Engineering (CASE) Tools - Capabilities for real-time software analysis { - Tool validation - Tool validation |

.

٢

.

.

DIGITAL AVIONICS - A CORNERSTONE OF AVIATION FUTURE TRENDS: INTEGRATED MODULAR AVIONICS



URIGINAL PAGE IS OF POOR QUALITY



ORIGINAL PAGE IS OF POOR QUALITY DIGITAL AVIONICS - A CORNERSTONE OF AVIATION FUTURE TRENDS: Supporting Technologies

Flat panel, full color, liquid crystal displays

- Replacing CRTs
- Advanced formats; not electronic steam gauges ŧ

Higher speed data buses

programs pioneer Artificial intelligence

- Faultfinder
- Diverter 1
- Pilot's Associate 8



COMPONENTS OF TYPICAL LRU

DIGITAL AVIONICS - A CORNERSTONE OF AVIATION

INTERNATIONAL SCENE: Japan

- An emerging competitor in the world market
- displays, Historically has been component oriented: t

microprocessors, etc.

- Lack system design and analysis, & software capabilities 1
  - FS-X program will help to build a foundation for

military & civil avionics

an avionics has established a committee to define MITI

technology development plan

| DIGITAL AVIONICS - A CORNERSTONE OF AVIATION | Leading firms are GEC Avionics, Smiths Industries, Sextant, & | Extremely capable; serious competition for U.S. firms | GEC Avionics will build the B-777 flight control system | European Community 92 will strengthen competitive threat |
|----------------------------------------------|---------------------------------------------------------------|-------------------------------------------------------|---------------------------------------------------------|----------------------------------------------------------|
| INTERNATIONAL SCENE: Europe                  | Aerospatiale                                                  | - Build most of the Airbus avionics                   | - Build flight controls for Jaguar and YC-14            |                                                          |

\_\_\_\_

----

# DIGITAL AVIONICS - A CORNERSTONE OF AVIATION

### SUMMARY

- Continually expanding role for avionics 1
- . Flight critical avionics are here
- Strong emphasis on Ada
- architectures emerging Module-based I
- developed being Artificial intelligence applications
- Significant competitive threat to U.S. firms from ł

Europe & Japan

52 -08 P-9.4 580815

# LIFE-CRITICAL DIGITAL FLIGHT CONTROL SYSTEMS

### **JIM McWHA**

CHIEF ENGINEER - FLIGHT CONTROLS BOEING COMMERCIAL AIRPLANE GROUP N91-17561

AUGUST 20, 1990

# LIFE-CRITICAL DIGITAL FLIGHT CONTROL SYSTEMS

### INDUSTRY STATUS

DIGITAL AUTOPILOT SYSTEMS WERE FIRST CERTIFICATED FOR USE ON COMMERCIAL

AIRPLANES IN THE LATE 1970'S

THE A-320 AIRPLANE WAS THE FIRST COMMERCIAL AIR TRANSPORT AIRPLANE TO BE CERTIFICATED WITH A FLY BY WIRE PRIMARY FLIGHT CONTROL SYSTEM

BOEING WILL HAVE ALL FLY BY WIRE FLIGHT CONTROLS ON THE 767-X (777) AIRPLANE

# LIFE-CRITICAL DIGITAL FLIGHT CONTROL SYSTEMS

- o DEFINITION
- o SAFETY
- O INDUSTRY STATUS
- **o PROGRAM PHASES**



۳

767-X PRIMARY FLIGHT CONTROL SURFACES

ţ

#### DEFINITION

A CONTROL SYSTEM IMPLEMENTED IN DIGITAL COMPUTER TECHNOLOGY WHICH Has a function which if not performed as intended is life threatening

AN AUTOPILOT USED FOR AUTOMATIC LANDING IN LOW VISIBILITY CONDITIONS EXAMPLES:

AN AIRPLANE CONTROL SYSTEM IMPLEMENTED WITHOUT **CONTROL CABLES:** 

FLY BY WIRE

FLY BY LIGHT



LEFT PFC

.

DISSIMILAR CHANNELS - LEFT, CENTER, RIGHT



PRIMARY FLIGHT COMPUTER ARCHITECTURE

767-X ELECTRICAL POWER SYSTEM FLIGHT CRITICAL DC





767-X PRIMARY FLIGHT CONTROLS HYDRAULIC / ACE DISTRIBUTION

#### SAFETY

FEDERAL AVIATION ADMINISTRATION (FAA) REGULATIONS DEFINE THE BASIC SAFETY

**CRITERIA:** 

NO SINGLE FAILURE OR COMBINATION OF FAILURES WHICH ARE NOT CONTINUED SAFE FLIGHT AND LANDING OF THE AIRPLANE SHOWN TO BE EXTREMELY IMPROBABLE SHALL PREVENT FAR 25.1309

EXTREMELY IMPROBABLE - PROBABILITY OF 1 × 10<sup>-9</sup> OR LESS PER FLIGHT HOUR OR

EVENT

#### SAFETY

FEDERAL AVIATION ADMINISTRATION (FAA) REGULATIONS DEFINE THE BASIC SAFETY **CRITERIA:** 

NO SINGLE FAILURE OR COMBINATION OF FAILURES WHICH ARE NOT CONTINUED SAFE FLIGHT AND LANDING OF THE AIRPLANE SHOWN TO BE EXTREMELY IMPROBABLE SHALL PREVENT FAR 25.1309

EXTREMELY IMPROBABLE - PROBABILITY OF 1 × 10<sup>-9</sup> or less per flight hour or

EVENT



\_\_\_\_\_

## **PROGRAM PHASES - REQUIREMENTS DEFINITION**

TOP DOWN STRUCTURED PROCESS:

AIRPLANE LEVEL REQUIREMENTS TOP LEVEL DESIGN REQUIREMENTS AND OBJECTIVES

| CERTIFICATION REQUIREMENTS<br>FUNCTIONAL REQUIREMENTS<br>INTEGRITY REQUIREMENTS<br>ARCHITECTURAL CONSIDERATIONS | EXPANSION OF SYSTEM REQUIREMENTS TO A<br>LEVEL WHICH CAN BE IMPLEMENTED IN A TARGET<br>DIGITAL COMPUTER OR COMPUTERS |
|-----------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------|
| SYSTEM REQUIREMENTS                                                                                             | SOFTWARE REQUIREMENTS                                                                                                |

## PROGRAM PHASES - REQUIREMENTS DEFINITION (CONT)

SPECIFIC HARDWARE/SOFTWARE TO IMPLEMENT THE REQUIREMENTS WHICH EVOLVE OUT OF THE USE OF SOFTWARE REQUIREMENTS **DETAILED DESIGN** REQUIREMENTS

### **PROGRAM PHASES - DESIGN AND DEVELOPMENT**

| vo requirements<br>processing speed<br>memory size<br>etc | INDUSTRY/COMPANY STANDARD<br>SUPPORT SOFTWARE AVAILABILITY AND MATURITY<br>LONG TERM MAINTENANCE<br>ETC | TYPICALLY AN INCREMENTAL BUILD PROCESS<br>HARDWARE - QUALIFICATION TESTING - RTCA DO-160<br>INCREMENTAL SOFTWARE LOADS - VENDOR AND AIRFRAME<br>SYSTEMS INTEGRATION / IRON BIRD<br>AIRPLANE - GROUND AND FLIGHT |
|-----------------------------------------------------------|---------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| HARDWARE SELECTION                                        | PROGRAMMING LANGUAGE                                                                                    | CODE GENERATION<br>TESTING                                                                                                                                                                                      |

### **PROGRAM PHASES - VERIFICATION**

GUIDELINE DOCUMENT

**RTCA DOCUMENT DO-178A** 

VERIFICATION PROCESSES ARE A FUNCTION OF SYSTEM CRITICALITY

**CRITICAL SYSTEM** 

REQUIREMENTS HAVE BEEN IMPLEMENTED COMPLETELY A FORMAL PROCESS OF ASSURING THAT ALL SOFTWARE

AND EXCLUSIVELY

### **PROGRAM PHASES - VALIDATION**

A PROCESS OF ASSURING THAT ALL SYSTEM REQUIREMENTS HAVE BEEN IMPLEMENTED CORRECTLY

O ANALYSES

| HAZARD ASSESSMENT AND FAILURE<br>ANALYSIS TO ASSURE THAT REQUIREMENTS<br>OF FAR 25.1309 ARE SATISFIED | ASSURANCE THAT SYSTEM PERFORMS<br>INTENDED FUNCTION WITHIN ACCEPTABLE<br>LIMITS UNDER ALL ALLOWABLE<br>ENVIRONMENTAL AND TOLERANCE<br>CONDITIONS |
|-------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------|
| SAFETY ANALYSIS                                                                                       | PERFORMANCE<br>ANALYSIS                                                                                                                          |

| LIFE-CRITICAL DIGITAL FLIGHT CONTROL SYSTEMS | ON (CONT)                          | TEST TO ISOLATE ERRORS AND PROBLEMS<br>BEFORE FLIGHT TEST. TEST UNDER NORMAL AND<br>FAILURE CONDITIONS | TEST WITH AS MANY INTERFACING SYSTEMS AS<br>POSSIBLE TO ENSURE COMPATIBILITY | CHECK OF SYSTEMS INSTALLED IN AN AIRPLANE<br>INCLUDING EMI/HIRF TESTS | COMPREHENSIVE TEST OF PERFORMANCE IN<br>FLIGHT UNDER A VARIETY OF CONDITIONS USED<br>TO CROSS CHECK SIMULATION RESULTS -<br>AUTOLAND SYSTEM COULD REQUIRE 200-300<br>LANDINGS OVER AN 8 MONTH PERIOD |
|----------------------------------------------|------------------------------------|--------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------|-----------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| LIFE-CRITICAL DIG                            | PROGRAM PHASES - VALIDATION (CONT) | LABORATORY TESTING                                                                                     | SYSTEMS INTEGRATION<br>TESTING                                               | AIRPLANE GROUND<br>TESTING                                            | AIRPLANE FLIGHT<br>TESTING                                                                                                                                                                           |
|                                              | PROG                               | 0                                                                                                      | 0                                                                            | 0                                                                     | 0                                                                                                                                                                                                    |

### **PROGRAM PHASES - CERTIFICATION**

THE PROCESS OF DEMONSTRATING TO THE REGULATORY AUTHORITIES THAT ALL SAFETY AND PERFORMANCE REQUIREMENTS ARE SATISFIED

STARTS WITH A CERTIFICATION PLAN WHICH:

IDENTIFIES REGULATIONS AND ACCEPTABLE MEANS OF COMPLIANCE METHODS

DESCRIBES PROPOSED METHODS OF ESTABLISHING COMPLIANCE

DESCRIBES THE METHODS AND PROCESSES TO BE USED TO ASSURE AN ORDERLY AND CONTROLLED DESIGN AND DEVELOPMENT PROCESS

FOLLOW ON SPECIALIST MEETINGS

PERFORMANCE AND INTEGRITY DEMONSTRATIONS

### **PROGRAM PHASES - CERTIFICATION (CONT)**

**CERTIFICATION SUMMARY** 

CONFIRMS COMPLETE IMPLEMENTATION OF THE PROCESSES IDENTIFIED IN THE **CERTIFICATION PLAN** 

PROVIDES A MEANS FOR ESTABLISHING VERIFICATION AND VALIDATION COVERAGE

| ſ           |           |                           |                                    |                               |                                 |
|-------------|-----------|---------------------------|------------------------------------|-------------------------------|---------------------------------|
|             | 1995      | Type Cert.                | Final Cert.<br>Data                |                               | 767-X<br>FLIGHT<br>TEST         |
|             | 1994      | Rollout                   | Fail/Safety,<br>System Des.        |                               | Iron<br>Bird<br>Test            |
|             | 1993      | FAA Interim<br>Type Board | Fa<br>Syst                         | 757 Flight<br>Test            | gn<br>Build<br>767-X<br>Units   |
| -<br>-<br>- | 1992      | FAA Interim<br>Type Board | FAA Cert Plan<br>Approval<br>11/29 | Iron Bird<br>Test             | Production Design<br>Validation |
| -           | 1990 1991 | Type Cert. Appl.          | Plan<br>4/1                        | PRE-PRODUCTION<br>DEVELOPMENT |                                 |
|             | 19        | т <sub>ур</sub>           | Certification<br>Documentation     | 757 PFCS                      | 767-X<br>PFCS                   |

### 767-X PFCS Schedule

,

BRD8/10/90

#### K

52 53-05 RHD 319684

. 17 7

## Advanced Embedded Processing Present and Future

The Boeing Company G.C. Cohen

N91-17562

# Integrated Airframe/Propulsion Control System Architecture (IAPSA II)

Began: July 26, 1985 Ended: April 1, 1990

### Goals of the Program

- Design and validation methodology for systems architecture
- 2. Critical validation issues simulated in Airlab 3. System design
  - System specification 4.
- Small-scale system testing <u></u>.

ł

.

#### Methodology

----

C0006-01.01 L7130 D34 Slide 6

### Why a Methodology



C0006-01.02 L7130 D35 ai

#### Problem

 Interrelationships difficult to specify in terms of meaningful requirements

- Normal mode
- Failure mode
- Unless contractor/vendor team takes a systems approach, system will be overdesigned and still may not meet the requirements

### Methodology Elements

- Requirements
- Specifications
  - Design
- Automation
  - Guidelines
- Building blocks
  - Reliability
- Performance
- Design for validation
  - Design for cost
- Proof of correctness
  - Testing
- Traceability

- Availability
- Survivability
- Maintainability



**IAPSA II Prevalidation Methodology** 

Boeing Military Airplanes

C0006-10.04 L7130 D35 md2

### **Prevalidation Methodology**

- Early evaluation exposes system weaknesses
  - Reliability and performance analysis versus staffing level unresolved
- Methodology allows assessment of cost and technical risk
- Seems to mirror Japanese staffing concept



C0006-01.03 L7130 D35 pp



00041-1558

### Building-Block Considerations Contractor/Subcontractor Relationships

- Requires different approach to subcontractors •
  - Need to develop:
- Functional specification
  - · Reliability attributes
- Performance attributes
- · Requirements only will not suffice
- Subtleties of building-block interrelationships important

C0006-01.01 L7130 D34 Silde 8

#### Building-Block Considerations Contractor/Subcontractor Relationships (continued)

- Enforcement of rigor on the vendors
- Do we need a two-step procedure with vendors—
  - During building-block definition
- During hardware/software bid on system

#### Methodology

Incomplete

- Additional tools
- Maintainability
- Availability
- Survivability
- Cost
- Software
- Tie in to top-level system design
- Relationship between full nonlinear simulation and performance model •
  - Hardware and software build—subsystem validation and verification
    - Lab testing
- Flight testing

C00006-01.01 L7130 D34 Slide 10

#### Tools

 Model development—candidate architecture definition Major effort on

- - How system works
- Brief, concise, easy to generate
- Must include redundancy management operation
  - Output data interpretation
    - Complex
- Very time consuming

### Performance Modeling

- Difficult to simulate
- Conceptual problem
- Difficult to implement
- Detail of simulation is based upon judgement
  - Simulation can validate system architecture
- Verification of model with architecture description
  - Simulation used through life cycle
- Unexpected insight via performance simulation

C0006-01.01 L7130 D34 Slide 1

### **Reliability Modeling**

Methodology goal: rapid evaluation of architecture alternatives

- Current evaluation cycle too slow
- Tools available for ultrareliable systems
  - Short-duration safety
- Long-duration reliability also important
  - **Operation with failures**
- Common evaluation tool and similar models (safety, mission, etc.) desirable (mandatory?)
  - Level of detail and model simplification currently an art
- Strong pressure toward small and simple models
- ASSIST/SURE supports techniques for short-duration problems (long-duration?)

## Advanced Information Processing System

(AIPS)

Designed B y Charles Stark Draper Laboratory

Z 0/1 z z Z AIPS Proof-of-Concept Configuration 0/1 z z ADD-ON z FTP PROCESSOR (1) FTP (3) z z z 0/1 MULTIPRO-CESSOR Ŗ + Z z Z GATEWAY z z Π FТР (3) FТР (2) = TO ALL PROCESSORS z z z z z FROM: CSDL MASS 0/1 0/1

BOEING ADVANCED SYSTEMS

# FTP HW And SW Provide Failure Protection



C8158-C4.006-L7130 D4 ai





BOEING ADVANCED SYSTEMS

# Flight Control Computer With I/O Connections



C8224-04.001-L7130 D7

-

### Architecture

C0006-01.01 L7130 D34 Slide 18



# Reference Configuration Overview



~

# **Testing Experience**

- Application was quickly integrated into complex fault-tolerant AIPS system
  - AIPS simplex application programming model
    - CSDL staff assistance
- Impossible to meet goal of testing system with real time performance demands
- Slow time testing focused on system level interactions
  - Nonintrusive measurements likely requirement for
    - validation
- During real-time operation with full workload
- System services or operating system functions critical
  - Not provided for in original AIPS testing/validation concept

### General Observations Architecture

### AIPS

C0008-01.01-L7130 D35ppS9

ž

### General Observations Architecture

Integrated flight control/propulsion control—feasible

- Obstacles—mind set problem
- Minimum use of sensors/activators
  - Allows for optimum control
- Allows for function migration
  - Growth potential
- Subset of Vehicle Management System

## General Observations (Cont) AIPS

Very innovative for its time

- Supports true distributed system
- System redundancy transparent to user
- General set of building blocks-user selected
  - Fault containment regions

C0006-05.01 L7130 D35 S1de 2

## General Observations (Cont) AIPS

- Advantages
- Building blocks allow expansion with minimum change
  - Building block concept supports common
- hardware/software throughout the airplane
- Prevalidated building blocks for both hardware and
  - Ability to mix elements with different reliability software
    - requirements
- Distributed computing possible
- Minimizes maintenance and logistic issues Function migration possible

## General Observations (Cont) AIPS

- Advantages (cont)
- System redundancy is inherent in AIPS design
- Fault containment region is inherent in AIPS design
- Communications protocol allows design for minimum Pre-emptive priority allows application flexibility
  - Concept supports dispatch with failures (need faster sensor/actuator time skew
    - network repair time)
- Variation of components within FTP channel (CP/IOP or CP)

CC006-05.01 L7130 D35 Silde 4

## General Observations (Cont) AIPS

- Concepts needing attention
- Insufficient documentation
- IOP/Data Exchange bottleneck
- IC network traffic uncertain (not modeled)
- No discernable difference between network and bus for IAPSA requirements

## General Observations (Cont) AIPS

- Concepts needing attention (cont)
  - Complex validation issues
- Resynchronization of channel during flight not possible with present design
  - System design guidelines not established
- If IC modeled—it appears system would not work with present timing and loading requirements

C0006-05.01 L7130 D35 Slide 6

•

.

# Future Systems

.

# Vehicle Management System

- All flight critical functions
- Failure causes loss of aircraft
- Near term military
- · Long term commercial



- ----

Generic VMS Architecture

## Photonics used for

- Bus
- Sensors
- I/0
- Actuators
- Computers (20 years)

•

## **Benefits of VMS**

- Performance
- Unified environment coordination of all tasks
- Growth capability
- Additional nodes minimum impact Life cycle replacement minimum topology
- impact
- Reliability
- Minimum set of building blocks
  - Minimum part count Common I/O
- Sharing of sensor data
- Common redundancy management







ORIGINAL PAGE IS OF POOR QUALITY



ORIGINAL PAGE IS OF POOR QUALITY

# What does all this mean in terms of validation and verification?

- Design for validation is a critical technology
- Need indepth V&V concurrent with design analysis

# Solution to V&V

- Formal Verification viable solution to the V&V problem for
  - Requirements/Specifications •
- Hardware •
- Software •
- System •

# Where are we in Formal Verification?

ŕ

the following 3 days should tell us!! 1

Č,

94 P-57 54-60

317685

### N91-17563 1

### MAFT:

### The Multicomputer Architecture for Fault-Tolerance

### R. M. KIECKHAFER

Computer Science and Engineering University of Nebraska – Lincoln Lincoln, NE 68588–0115 (402) 472–2402

rogerk@fergvax.unl.edu

MAFT is a product of the Allied-Signal Aerospace Company, Columbia MD.

UNL/CSE/RMK/August 14, 1990

NASA FM W-SHOP

### Abstract

This presentation discusses several design decisions made and lessons learned in the design of the Multicomputer Architecture for Fault-Tolerance (MAFT). MAFT is a loosely coupled multiprocessor system designed to achieve an unreliability of less than  $10^{-10}/hr$  in flight-critical real-time applications.

The presentation begins with an overview of the MAFT design objectives and architecture. It then addresses the fault-tolerant implemention of major system functions in MAFT, including Communication, Task Scheduling, Reconfiguration, Clock Synchronization, Data Handling and Voting, and Error Handling and Recovery.

Special attention is given to the need for Byzantine Agreement or Approximate Agreement in various functions. Different methods were selected to achieve agreement in various subsystems. These methods are illustrated by a more detailed description of the Task Scheduling and Error Handling subsystems.

UNL/CSE/RMK/August 20, 1990

- INTRODUCTION
- SYSTEM FUNCTIONS
  - Communication
  - Task Scheduling
  - Task Reconfiguration
  - Clock Synchronization
  - Data Handling and Voting
  - Error Handling and Recovery
- SUMMARY

- RELIABILITY  $1.0 \times 10^{-9}$  over 10 hours.
- PERFORMANCE
  - 200 Hz. Max Task Iteration Rate
    5.5 MIPS Max Computational Capacity
    1.0 MBPS Max I/O Transfer Rate
    5.0 ms. Min Transport Lag (Input → Output)
  - REUSABLE
    - Functional Partitioning
      - Application Specific Functions
      - Standard Executive Functions
    - LOW EXECUTIVE OVERHEAD
      - Physical Partitioning
        - · Separate Executive Processor
        - · Hardware Intensive

### Loosely-Coupled Multiprocessor



- Node ⇒ Processor and Private Memory
- No Shared Memory

.

Message-Based Inter-Node Communication

-21

5

Common Operating System

### MAFT System Architecture



### • OC $\Rightarrow$ Operations Controller:

Special Purpose Device Common to All MAFT Systems

### • $AP \Rightarrow$ Application Processor:

General Purpose Application-Specific Processor.



UNL/CSE/RMK/August 15, 1990

NASA FM W-SHOP

### COMMUNICATION

UNL/CSE/RMK/August 16, 1989

12

CS-6

INTER-PROCESSOR COMMUNICATIONS

· ------



- INTRA-NETWORK COMMUNICATION
  - MESSAGES TRANSMITTED ON PRIVATE SERIAL BROADCAST BUSSES
  - ALL NODES RECEIVE, CHECK AND PROCESS ALL MESSAGES
  - MESSAGE TYPES
    - DATA (8/16/32B INT OR BOOL, IEEE STD 32B FLOAT)
    - TASK COMPLETED / STARTED / BRANCH
    - SYNCHRONIZATION / BRANCH INTERACTIVE CONSISTENCY
    - ERROR REPORT

### - OC / AP COMMUNICATION

- 16 BIT ASYNCHRONOUS P.I.O. INTERFACE
- LOOKS LIKE "JUST ANOTHER 1/0 PORT" TO AP
- COMPATIBLE W/ EXISTING UNIPROCESSOR OPER SYST

FEBRUARY 28, 1986

Ś

TRANSMITTER

- Format Msg NID, Msg Type, Framing, ECC
- Broadcast Msg
- RECEIVERS 1 per incoming link
  - Accept Emperly Framed Bytes
  - Buffer Byte for Message Checker
- MESSAGE CHECKER
  - Poll Receivers 6.4  $\mu s$  cycle
  - Physical and Logical Checks
  - Steer Good Messages to Other Subsystems
  - Dump Bad Messages into "Bit-Bucket"

### NASA FM W-SHOP

UNL/CSE/RMK/August 14, 1990

### LOCAL AP/OC INTERFACE OPERATIONS

\_\_\_\_

- 1. TASK SWITCHING PROCESS
  - AP: DONE WITH LAST TASK, WHAT IS THE TASK IDENTIFICATION (TID) NUMBER OF THE NEXT TASK.
  - OC: HERE IT IS
- 2. TRANSFER DATA FROM OC TO AP
  - AP: GIVE ME THE NEXT INPUT DATA VALUE
  - OC: HERE IT IS
- 3. TRANSFER DATA FROM AP TO OC
  - AP: HERE'S THE NEXT OUTPUT DATA VALUE

-44

- OC: I GOT IT

+ ATC/RMK FEBRUARY 28, 1986

+

\_\_\_\_



.

### PERFORMANCE ISSUES

# • STRICTLY PERIODIC SCHEDULER

- Fast Freq Well Above Spec 500 Hz. vs. 200 Hz.
- Simple Binary Freq Dist  $(f_i = 2^{-i}f_0)$
- Flexible Conditional Branching
- Efficient Don't Keep AP Waiting
- NON-PREEMPTIVE
  - Scheduler Complexity
  - Context Switching Time Unknown Funct of AP
  - High Frequencies Short Tasks
- NO OC INTERRUPTS I/O
  - Scheduler Complexity
  - Predictability
  - High Frequencies Polling
  - DMA or IOP access to AP Memory

- INTERNAL FUNCTION IS BLACK BOX
- VISIBLE PROPERTIES OF A TASK
  - Priority (static, unique)
  - Iteration Period
  - Precedence Constraints
  - Min and Max duration Limits
  - Fixed Input and Output Shared Data Sets
  - Branch Condition (asserted at completion)

# FAULT-TOLERANCE ISSUES - I

- VARIABLE MODULAR REDUNDANCY
  - Specify Redundancy of Each Individual Task
  - Redundancy Matches Criticality
  - No More Copies Than Necessary
- GLOBAL VERIFICATION
  - Consensus Defines Correctness
  - All Functions Observable and Predictable
  - Replicated Global Scheduler
  - Completed/Started (CS) Message:
    - Node I.D.
    - Started Task I.D.
    - Branch Condition

- Delivery NOT GUARANTEED
- Single Msg Error Detect. NOT GUARANTEED - ECC coverage  $\geq (1 - 1 \times 10^{-6})$  per msg
- Repeated Undet. Errors PROBABILISTICALLY PRE-CLUDED

# TASK SCHEDULING

### FAULT-TOLERANCE ISSUES – II

### DISSIMILARITY BETWEEN COPIES

- Dissimilar Software and Hardware

- Guards Against Generic Faults
- No Guarantee Knight, Levenson, St. Jean
- Best Chance of Detecting Error
- Only Chance of Masking Error
- Implications
  - Different Numerical Results
  - Different Execution Times
- Impact on Scheduler
  - Min and Max Execution Time Limits

10

- Vote on Branch Conditions in CS Messages

# FAULT-TOLERANCE ISSUES – III

# • BYZANTINE AGREEMENT

#### - Definition

- Agreement on All Messages
- Validity of Agreement

- Necessity in MAFT

- Consensus Defines Correctness
- Must Have Single Consensus
- Preconditions for Disagreement

  - Initial Disagreement Enhanced by Dissimilarity
  - Assymetric Communication Minimized by Busses
- Solution Interactive Consistency (Pease et al.)
  - Global Receipt of All Messages
  - Periodic Synchronized Re-Broadcast Rounds
  - Vote on Received Re-Broadcasts
  - Use Voted Values For All Scheduling Decisions

### IMPACT OF FAULT-TOLERANCE

- ALL COPIES DONE BEFORE SUCCESSORS RELEASED
- MAX EXECUTION TIMERS ASSURE PROGRESS
- CONFIRMATION DELAY MEAN 2.5 SUB.
  - Only Affects Successors
  - Efficiency Requires Parallel Paths
- FAULT-TOLERANCE LEVELS
  - Single Asymmetric (Byzantine) Fault
  - Double Symmetric Fault
  - Reliability Modelling  $-10^{-10}/hr$  with 5 Nodes

# **MAFT Timing Hierarchy**

| PERIOD               | SPEC                         | DEFINITION                                   | BOUNDARY                           |
|----------------------|------------------------------|----------------------------------------------|------------------------------------|
| SUB-ATOMI            | C Min<br>400μ <i>s</i>       | I.C. Rebroadcast<br>Period<br>Min Guaranteed | Task Inter. Cons.<br>(TIC) Message |
|                      |                              | Task Duration                                |                                    |
| ΑΤΟΜΙϹ               | Min<br>2–2.8 <i>ms</i>       | Highest<br>Freq. Task                        | System State<br>(SS) Message       |
|                      |                              | Clock Sync.<br>Period                        |                                    |
| GENERAL<br>ITERATION | 2 <sup>i</sup><br>Atom. Per. | Intermed.<br>Freq.Tasks                      | System State<br>(SS) Message       |
| MASTER               | Max 1 <i>K</i><br>Atom. Per. | Lowest<br>Freq. Task                         | System State<br>(SS) Message       |

UNL/CSE/RMK/August 15, 1990

8

- SCHEDULING INSTABILITY Anomalous or unpredictable variations in total execution time (Makespan) due to variations in system parameters.
- MULTIPROCESSOR ANOMALIES Observation that Makespan can be *increased* by:
  - Increasing Number of Processors,
  - Relaxing Precedence Constraints,
  - Decreasing Individual Task Durations.
  - DYNAMIC FAILURE Condition where all tasks execute properly *except* that deadlines are missed.
    - Can occur in a fault-free system,
    - Can be induced by instability.



STANDARD GANTT CHART (max task durations)



• NON-STANDARD GANTT CHART (shorten  $T_3$  by  $\epsilon$ )



WHAT HAPPENED?

- $T_3$  finished before  $T_2$ ,
- $T_6$  "ready" before  $T_5$ ,
- $T_5$  displaced by  $T_6 \Rightarrow$  Priority Inversion,
- Critical path  $(T_2 
  ightarrow T_7)$  impeded.

• GRAHAM (1969) – Bound Magnitude of Instability

$$rac{\omega'}{\omega}=2-rac{1}{N}$$

- $\omega$  = Makespan of Standard Gantt Chart,
- $\omega' =$  Makespan of worst-case schedule,
- N = Number of Processors.
- MANACHER (1967) Stabilization Algorithm
  - Necessary Pre-conditions
    - i. ∃ "fork" in Precedence Graph,
    - ii. Successors of forking task run in parallel on Standard Gantt Chart,
  - iii. Possible priority inversion around fork.
  - Solution Impose Artificial Dependency around fork.

• MANACHER ARTIFICIAL DEPENDENCY  $(T_2 \rightarrow T_6)$ 



• EFFECT

- $T_2$  is common parent for both  $T_5$  and  $T_6$ ,
- $T_6$  will be "ready" no earlier than  $T_5$ ,
- $T_5$  precedes  $T_6$  in priority list,
- $T_6$  can not be selected before  $T_5$ .

- Sufficient, but not always necessary
- Adds Scheduling Overhead (resolve edge)
- Unrealistic System Model
  - Assumes no scheduler overhead,
  - Assumes dynamic allocation,
  - Allows for no Confirmation Delay,
  - Ignores minimum duration bounds,
  - Does not predict magnitude of instability.

- Find Necessary and Sufficient Stability Conditions.
- Develop Stabilization Strategies
  - Task System Stabilization
    - Edge Stabilization (Manacher)
    - · Vertex Stabilization
    - Hybrid Stabilization
  - Run-Time Scheduler Stabilization
    - · Limited Scan Depth
  - Scheduling Algorithm Stabilization
    - · Sched. Algorithm Assigns Priorities
    - · Constrain to Preclude Necessary Conditions
  - Extend System Environment
    - Scheduler Overhead
    - Static Allocation
    - Confirmation Delay
    - Minimum Duration Bounds

# SYNCHRONIZATION

X

- Periodically Exchange System State (SS) Msgs
  - SS Msg  $\Rightarrow$  "Atomic Period" Boundary
  - Synchronization Period = 2 Atomic Periods
  - Loosely Synchronized Individual Clocks
    - Msg Exchange  $\Rightarrow$  No Separate Clock Lines
    - Physical Separation  $\Rightarrow$  Damage Tolerance
    - Robustness to "Common Upset" events
  - Synchronization Modes
  - Steady State Maintain Existing Synchronization
  - Warm Start Converge to Existing Operating Set
  - Cold Start Form Initial Operating Set
    - Interactive Convergence to synchronize
    - $\cdot$  Interactive Consistency  $\Rightarrow$  Steady State
    - · Origin of Two-phase algorithm

# DATA HANDLING AND VOTING

K

\_ \_

UNL/CSE/RMK/August 16, 1989

٠

- $\epsilon = 7 \ \mu sec 600$  ft. separation
- $ho=5\cdot10^{-5}$
- $R = 20 \ msec \Rightarrow 10 \ msec$  Atomic Pd.  $\Rightarrow 100 \ Hz$ .
- $\rho R = 1 \ \mu sec$
- No Faults: Max  $\delta = 8.5 \mu \ sec$
- With Faults: Max  $\delta = 16.5 \mu \; sec$

### Data Management

- DATA GENERATED BY AP
- BROADCAST IN DATA MESSAGE
- RECEIVED AND PROCESSED BY ALL NDOES
  - Static Limit Check
  - On-The-Fly Vote
  - Dynamic Deviance Check

### On-The-Fly Voting I

- TRIGGERED BY DATA MESSAGE ARRIVAL
- DATA ID ACTS AS UNIQUE VARIABLE NAME
- USE ALL PREVIOUS COPIES OF SAME DATA ID
  - MS or MME (programmer selectable)
    - Sort Serially High-Order-Bit First
    - · Select 2 "Medial" Values
    - Average (Add and Shift)
  - No I.C. Vote for Boolean Types
    - · Difficult to implelement round 2
    - · Usually Control Data for Mode Switch
    - ∃ Better Way for Mode Switch

### • DEVIANCE CHECK

- Compare Each Copy to Voted Value
- Excessive Difference  $\Rightarrow$  error
- Programmer Sets Limits
- Generate Error Vector  $\Rightarrow$  Source Nodes

### • TERMINATE

- Scheduler Says All Copies Done
- Send Error Vector to Fault-Tolerator
- Send Voted Value to Data Memory
- Swap On-line/Off-line Buffers in Data Memory
- Clear Previously Received Copies from Voter

# ERROR HANDLING AND RECOCVERY

UNL/CSE/RMK/August 16, 1989

1

CS-990

• BYZANTINE (MALICIOUS)

Pease et al. (1982)

- $N \ge 3t + 1$
- $r \geq t$
- MALICIOUS U BENIGN (self-evident)

Meyer and Pradhan (1987)

• (ASYMMETRIC U SYMMETRIC) U BENIGN

Thambidurai and Park (1989)

$$t = a + s + b$$
  
-  $N \ge 3a + 2s + b + r + 1$   
-  $r \ge a$ 

UNL/CSE/RMK/August 17, 1990

NASA FM W-SHOP



• Can Estimate Separate  $\lambda$ 's

- 
$$\lambda_{asym} \approx 10^{-6}$$
  
-  $\lambda_{sym} \approx 10^{-3} \dots 10^{-4}$ 

• Generic Fault = Multiple Symmetric

- 
$$\lambda_{gen} \approx 10^{-5}$$
 ?

NASA FM W-SHO

- Errors Are Manifested In Messages
  - Physical: ECC, framing, length
  - Contents: values
  - Timing or sequencing
  - Existence or non-existence
- Log Errors Over One Atomic Period
  - Errors reported by all subsystems
  - Fault-Tolerator records errors
  - -∃ 31 separate error "flags"
  - $\exists$  Unique "Penalty Weight" PW for each flag
  - $\exists$  "Incremental Penalty Count" *IPC* for each node
  - FOR each flag f reported against node i:
    - $\cdot IPC(i) := IPC(i) + PW(f)$

- Broadcast ERR(i) Message
  - At beginning of next Atomic Period
  - Contents:
    - $\cdot IPC(i)$
    - $\cdot BPC(i)$  Base (current) penalty count
    - $\cdot$  All Error Flags for node i
- No ERR Message  $\Rightarrow$  No Detections

- BPC  $\Rightarrow$  Health Of Node
- Increasing BPC ERR Message Vote
  - Vote on BPC(i)
  - Vote on IPC(i)
  - BPC(i) := BPC(i) + IPC(i)
- Decreasing BPC Fixed decrement
  - $\exists$  Penalty Decrement value PD
  - At New Master Period
  - -BPC(\*) := BPC(\*) PD
  - Allows For Eventual Readmission

CS-990

4

- Recommend Exclusion/Readmission
  - $\exists$  Exclusion Threshold  $T_{excl}$
  - $\exists$  Admission Threshold  $T_{adm}$
  - Recommend in next SS message:
    - $\cdot BPC(i) \geq T_{excl} \Rightarrow \mathsf{Exclude} i$
    - $\cdot BPC(i) \leq T_{adm} \Rightarrow \text{Readmit } i$
    - $T_{adm} < BPC(i) < T_{excl} \Rightarrow$  No Change
- I.C. Vote on Recommendations
  - Consistent System State is Critical
  - Free (needed for cold-start)
  - Highly Degraded Systems
  - Common Mode Upset Recovery

time



ERROR HANDLING (SIMPLEX I.C.)

- AP Diagnostics in Workload
- OC System Level Self-Test
  - Errors Very Rare
  - Inject Faults to Excercise Error Detection
    - · Special self-test Task ID
    - · Suspend normal Transmitter Ops
    - Tranmsit string from self-test ROM
    - · Can transmit ANY test scenario
    - Test Results Based On
      - · False/Missed Accusations
      - · Cyclic Link Check
    - Independent of Actual Bit-Stream
    - Rotate "Originator" Duty
    - Complete Coverage If ANY One Node Correct

# Version Management

- SSV = System State Vec eg (2,1,1)
- VMV = Version Management Vec eg (1,1,1)
- WMV = Workload Management Vec (SSV) or (VMV)
- Vectors Used By Different Subsystems

Data VoterVMVInactive Copy Ignored For VoteDev CheckerSSVInactive Copy Still MonitoredSchedulerWMVInactive Copy May Not Run

- WMV = SSV
  - Inactive Copy Still Executing
  - Actual Tasks Being Monitored
  - Best for Generic Fault Detection
- WMV = VMV
  - Inactive Copy Doing Something Else
  - Will Not Be Affected By Generic
  - Can Activate To Replace Sibling
  - Best For Generic Recovery

- MAFT error detection is by consensus
  - Each node reports errors on all nodes.
  - Majority vote confirms or denies accusations.
  - Disagreement with majority may itself be an error.
- Faulty node must be detected by majority of nodes
  - Must be "far enough" out of sync
  - There exists a region of ambiguity
  - Defines size of "Sync Window"



- $W_s = \text{SOFT ERROR WINDOW}$ 
  - Spans Range of Receipts from Non-Faulty Nodes
  - Error May Not Be Confirmed
  - Inherent Ambiguity
  - Must Suspend Error Disagreement Penalties
- $W_h = HARD ERROR WINDOW$ 
  - IF Any non-faulty node detects a Hard-Error THEN All non-faulty nodes detect an Error
  - Can demand Corroboration

- $\epsilon = 7 \ \mu sec 600$  ft. separation
- $ho=5\cdot10^{-5}$
- $R = 20 \ msec \Rightarrow 10 \ msec$  Atomic Pd.  $\Rightarrow 100 \ Hz$ .

• 
$$\rho R = 1 \ \mu sec$$

- No Faults: Max  $\delta = 8.5 \mu$  sec
- With Faults: Max  $\delta = 16.5 \mu$  sec

• 
$$W_s = 40\mu \ sec$$

•  $W_h = 87\mu \ sec$ 

UNL/CSE/RMK/August 16, 1990

## SUMMARY

UNL/CSE/RMK/August 16, 1989

SUMMARY COMMENTS ON THE APPLICATION OF MAFT TECHNOLOGY

## 1. CAPABILITIES

----

- BASIS OF A GENERIC REAL-TIME MULTICOMPUTER SYSTEM
- REMOVES F.T. OVERHEAD FROM APPLICATION PROCESSOR
- HANDLES ALL REDUNDANCY MANAGEMENT WITHIN COMPUTER
- ASSISTS IN REDUNDANCY MANAGEMENT OF 1/0 SYSTEM

### 2. FLEXIBILITY

- INDEPENDENT OF I/O ARCHITECTURE
- HIGHLY RECONFIGURABLE AND GRACEFULLY DEGRADABLE
- PROVIDES MECHANISMS, NOT POLICIES

### 3. USABILITY

## ADVANTAGES OF APPROACH

- PARTITIONED APPROACH SIGNIFICANTLY REDUCES PROCESSOR OVERHEAD
- DATA DRIVEN ARCHITECTURE MUCH FASTER THAN SOFTWARE IMPLEMENTATION
- NOT DEPENDENT UPON ARCHITECTURE OF APPLICATION PROCESSOR
- REDUNDANCY IS "TASK-BASED" AND FLEXIBLE
- SUITABLE FOR HIGH RELIABILITY AND HIGH PERFORMANCE APPLICATIONS

## MAFT Bibliography

## References

.

| [Dar88]   | Darwiche, A.A., and F.M. Doerenberg, "Application of the Bendix/King Multicom-<br>puter Architecture for Fault-Tolerance in a Digital Fly-By-Wire Control System", <i>Mid-</i><br>con, Aug 1988. |
|-----------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| [Glu86]   | Gluch, D.P., and M.J. Paul, "Fault-Tolerance in Distributed Digital Fly-by-Wire<br>Flight Control Systems", AIAA/IEEE Seventh Digital Avionics Systems Conference,<br>Oct 1986.                  |
| [Kie87]   | Kieckhafer, R.M., "Task Reconfiguration in a Distributed Real-Time System," Eighth<br>IEEE Real-Time Systems Symposium, Dec 1987.                                                                |
| [Kie88]   | Kieckhafer, R.M., et al, "The MAFT Architecture for Distributed Fault-Tolerance",<br>IEEE Trans. Computers, V. C-37, No. 4, pp. 398-405, Apr 1988.                                               |
| [Kie89]   | Kieckhafer, R.M., "Fault-Tolerant Real-Time Task Scheduling in the MAFT Dis-<br>tributed System," Proc, Twenty-Second Hawaii International Conference on System<br>Sciences, Jan 1989.           |
| [McE88]   | McElvany, M.C., "Guaranteeing Deadlines in MAFT," Proc. IEEE Real-Time Systems<br>Symp., pp. 130-139, Dec 1988.                                                                                  |
| [Tha88]   | Thambidurai, P.M., and Y.K. Park, "Interactive Consistency with Multiple Failure<br>Modes", Proc. Seventh Reliable Dist Systems Symp., Oct 1988.                                                 |
| ['Tha88a] | Thambidurai, P.M. Critical Issues in the Design of Distributed, Fault-Tolerant, Hard<br>Real-Time Systems, Ph.D. Dissertation, Dept. of Electrical Engineering, Duke Univer-<br>sity, 1988.      |
| [Tha89]   | Thambidurai, P.M., et al., "Clock Synchronization in MAFT", Nineteenth Fault-<br>Tolerant Computing Symposium, pp. 142-151, Jun 1989.                                                            |
| [Wal88]   | C.J. Walter, "MAFT: An Architecture for Reliable Fly-by-Wire Flight Control," Proc.<br>AIAA/IEEE Eighth Digital Avionics Systems Conference, pp. 415-421, Oct 1988.                              |

35-61 P19 いたってい 146

Design For Validation Based on Formal Methods

Ricky W. Butler

NASA Langley Research Center Hampton, VA 23665 N91-17564

# VALIDATION OF ULTRA-RELIABLE SYSTEMS

DECOMPOSES INTO TWO SUBPROBLEMS

1. Quantification of probability of system failure due to physical failure

2. Establishing that **DESIGN ERRORS** are not present<sup>1</sup>.

 $^{1}(note. Quantification of 2 is infeasible)$ 

## Achieving Ultra-Reliable Software (Approaches)

- Testing (Lots of it)
- Design Diversity (e.g. N-version programming)
- Fault Avoidance:
- Formal Specification/Verification
- Automatic Program Synthesis
- Reusable Modules

## Life-Testing

Basic Observation:

 $10^{-9}$  Probability of failure estimate for a 1 hour mission

REQUIRES

 $> 10^9$  hours of testing

 $(10^9 \text{ hours} = 114,000 \text{ years})$ 

## Design Diversity

- 1. Separate Design/Implementation Teams
  - 2. Same Specification
    - 3. Multiple Versions
- 4. Non-exact Threshold Voters

5. Hope design flaws manifest errors independently or nearly so.

!

•

The Big Problem For Design Diversity Advocates

- experiments in the low-nominal reliability region have shown that the number of near-coincident failures far exceeds the number predicted by an independence model.
- Certainly independence cannot be assumed axiomatically for ultrareliable regime
- If cannot assume independence must measure correlations.

Quantification of N-version programs not feasible in the ultrareliable

regime

- Since one cannot assume independence, it must be treated as black box
- Back to life-testing problem again
- Any alternative model would have to be validated. But How?

| THE DEMONSTRAT             |
|----------------------------|
| INDEPENDENCE ASSUMPTION !! |
|                            |

- THE INDEPENDENCE ASSUMPTION CANNOT BE DEMONS FOR MULTI-VERSION S/W IN THE ULTRA-RELIABLE RE-GION The Danger of Design Diversity (N-version Programming, Recovery Blocks, etc.)

- dence, the advocators of S/W fault-tolerance generate ultra-high creates an "illusion" of ultra-reliability. By assuming indepenestimates of reliability.
- As long as industry/certification agencies believe that S/W faulttolerance will solve the problem, formal methods will not be pursued. 1

# Design For Validation

- 1. Designing a system in a manner that a complete and accurate reliability model can be must be measured. All such parameters must be measurable within a feasible amount of constructed. All parameters of the model which cannot be deduced from the logical design time.
- performance properties yet requires the measurement of hundreds of parameters (e.g say by time-consuming fault-injection experiments) would be rejected over a less capable system surable parameters in order to reduce the validation cost. A design which has exceptional 2. The design process makes tradeoffs in favor of designs which minimize the number of meathat requires minimal expermimentation.
- 3. The system is designed in a manner that enables a proof of correctness of its logical structure. Thus, the reliability model does not include transitions representing design errors.
- 4. The reliability model is shown to be accurate with respect to the system implementation. This is accomplished analytically.

| ustration |
|-----------|
|           |

Suppose we must design a simple fault-tolerant system with a probability of failure no greater than  $2 \times 10^{-6}$  whose maximum mission time is 10 hours.

- We quickly eliminate the use of a simplex processor since there is no technology which can produce a processor with this low of a failure rate.
- Thus, we begin to explore the notion of fault-tolerance. We next consider the use of redundancy-how about a dual? When the first processor fails, we will automatically switch to the other processor.



Unfortunately, our design suffers from one major problem. It is **impossible** to *prove* that any implementation behaves in accordance with this model. The problem is that one cannot design a dual system which can detect the failure of the first processor and switch to the second 100% of the time. Thus, we must accept the fact that there is a single-point failure in our system an include it in our reliability model

## SURE Run

Now we have a parameter in our model which must be measured—C. It represents the fraction of single faults from which the system successfully recovers. Can this parameter can be measured in a feasible amount of time (i.e. say less than year) with statistical significance?

## \$ sure

SURE V7.5 MASA Langley Research Center

17 read dualspf 2:

|                                                                                       | RB0        | ٠           | -           | 1.609200-04 | 1.40930-04  | Ĩ           | 1.009508-04 | -           | -00700. | 4.098000-05 | •       |           | •           |
|---------------------------------------------------------------------------------------|------------|-------------|-------------|-------------|-------------|-------------|-------------|-------------|---------|-------------|---------|-----------|-------------|
| = 1E-4;<br>TO 1 BY 0.01;<br>+LAMBDA+C;<br>AMBDA:<br>+(1-C)+LAMBDA;                    | LOVERBOUND | 2.00699e-04 | 1.80729e-04 | 1.60759e-04 | 1.407890-04 | 1.208190-04 | 1.00849e-04 | 8.08790e-05 | •       | -093906-    | -006960 |           |             |
| 2: LAMBDA =<br>4: C = .9 TO<br>5: 1,2 = 2*L<br>6: 2,3 = LAM<br>7: 1,4 = 2*(<br>8? run | υ          | Ē           | -00001      | •           |             | •           | •           | •           | •       |             |         | 0-20000e. | 1.000000+00 |



From this run we know that C must be between 9.9 and 1.0 in order to meet our reliability goal. We rerun the model to get a closer value:

## 2nd Run

## \$ sure

9? read dualspf

LAMBDA = 1E-4; C = .999 T0 1 BY 0.0001; 1.2 = 2\*LAMBDA\*C; 10040 101

2,3 = LAMBDA; 1,4 = 2\*(1-C)\*LAMBDA;

0.02 SECS. TO READ MODEL FILE 16? run

RUN #2 COMMENTS UPPERBOUND 2.99900e-06 2.79910e-06 .39930e-06 .999500-06 .59920-06 2.19940e-06 1.79960e-06 . 59970e-06 .39980-06 .19990e-06 1.00000-06 LOWERBOUND 2.99600e-06 2.79630e-06 2.39690e-06 2.19720e-06 1.997500-06 .79780e-06 .59810e-06 2.59660e-06 .39840e-06 .19870e-06 9.990008-07 9.99100-01 9.99200-01 9.99300-01 9.99400-01 9.99500-01 9.99500-01 9.99800-01 9.99800-01 9.99800-01 9.99800-01 .990006-01 1.00000+00 υ

• Now, we can see that we must demonstrate that C is greater than 0.9995.

• it can shown that 20000 observations are necessary to estimate this parameter to a reasonable level of statistical significance.

• If we optimistically assume that each fault injection requires 1 minute, then this validation exercise would require 330 hours (i.e. 14 days).

In this case, we decide we can live with this amount of testing and proceed to develop our system.

÷ į

; į

: . .

Designing System with Much Higher Reliability

Now suppose we want to meet the reliability goal of  $1 - 10^{-9}$ .

We decide to use a nonreconfigurable 5-plex (5MR) and build a processor with a failure rate of  $10^{-5}/hour$ . The probability of system failure is plotted as a function of 1-C:



- The value of C must now be greater than 0.9999982.
- It can be shown that over a million fault injections would be required to measure this parameter even if we are very optimistic about the testing process
  - If each injection required 1 minute, this would require almost 1.9 years of non-stop fault injections.

A better Way—via Design For Validation

It would be nice if we could design our system so that such an experiment is unnecessary.

- The system is designed so that a single point failure **cannot** cause system failure (i.e. C = 1).
  - This is demonstrated to be true by formal proof. 1
- Thus, one uses the power of analysis to eliminate fault-injection style testing. I

# WHY FORMAL METHODS?

The successful engineering of complex computing systems will require the application of mathematically based analysis analogous to the structural analysis performed before a bridge or airplane wing is built.

# Draft Interim Defence Standard 00-55

Quote from the foreward to the Draft Standard:

the long-term, become cumbersome and inefficient for the assurance The Steering Group "has determined that the current approach which is based on system testing and oversight of the design process will, in of the safety of increasingly sophisticated software". "The Steering Group therefore proposes the adoption of Formal Design Methods, based on rigorous mathematical principles, for the implementation of safety-critical computer software". Levels of Formal Methods

Static Code Analysis (i.e. no semantic analysis) Level 0:

Level 1: Specification using mathematical logic or language with a formal semantics (i.e. meaning expressible in logic)

Formal Specification + Hand Proofs Level 2:

Formal Specification + Mechanical Proofs Level 3:

## Summary

- Testing and design-diversity techniques inadequate.
- A design-for-validation based on formal methods is needed for the digital flight control systems problem.
- Formal methods will play a major role in the development of future high reliability digital systems. 1



## What FM can offer DFCS Design

John Rushby

Computer Science Laboratory SRI International

## Overview

-----

- What has actually gone wrong in practice?
- What is the pattern?
- What is the solution?

## Advanced Fighter Technology Integration (AFTI) F16

- Triplex DFCS to provide two-fail operative design
- Analog backup
- Digital computers were not synchronized
- "General Dynamics believed synchronization would introduce a single-point failure caused by EMI and lightning effects"

## AFTI F16 DFCS Redundancy Management

- Each computer samples sensors independently, uses average of the good channels, with wide threshold
- Single output channel selected from among the good channels
- Output threshold 15% plus rate of change
- Four bad values in a row and the channel is voted out

## AFTI F16 Flight Test, Flight 15

- Stores Management System (SMS) relays pilot requests for mode changes to DFCS
- An unknown failure in the SMS caused it to request mode changes 50 times a second
- DFCS responded at a rate of 5 mode changes per second
- Pilot said aircraft felt like it was in turbulence
- Analysis showed that if aircraft had been maneuvering at the time, DFCS would have failed

## AFTI F16 Flight Test, Flight 36

- Control law problem led to "departure" of three seconds duration
- Sideslip exceeded 20°, normal acceleration exceeded -4g, then +7g, angle of attack went to -10°, then +20°, aircraft rolled 360°, vertical tail exceeded design load, failure indications from canard hydraulics, and air data sensor
- Side air data probe blanked by canard at high AOA
- Wide threshold passed error, different channels took different paths through control laws
- Analysis showed this would cause complete failure of DFCS and reversion to analog backup for several areas of flight envelope

## AFTI F16 Flight Test, Flight 44

- Asynchronous operation, skew, and sensor noise led each channel to declare the others failed
- Analog backup not selected (simultaneous failure of two channels not anticipated)
- Aircraft flown home on a single digital channel
- No hardware failures had occurred

## AFTI F16 Flight Test

- Repeated channel failure indication in flight was traced to roll-axis software switch
- Sensor noise and asynchronous operation caused one channel to take a different path through the control laws
- Decided to vote the software switch
- Extensive simulation and testing performed
- Next flight, same problem still there
- Found that although switch value was voted, the unvoted value was used

## X29 Flight Test

- Three sources of air data on X29A: nose and two side probes
- If value from nose is within threshold of both side probes, use nose probe value
- Threshold is large due to position errors in certain flight modes
- If nose probe failed to zero at low speed it would still be within threshold of correct readings
- Aircraft would become unstable and "depart"
- Caught in simulation but 162 flights had been at risk

## HiMAT Flight Test

- Single failure in redundant uplink hardware
- Software detected this, and continued operation
- But would not allow the landing skids to be deployed
- Aircraft landed with skid retracted, sustained little damage
- Traced to timing change in the software that had survived extensive testing

## Gripen Fight Test, Flight 6

- Unstable aircraft
- Triplex DFCS with Triplex analog backup
- Yaw oscillations observed on several flights
- Final flight had uncontrollable pitch oscillations
- Crashed on landing, broke left main gear, flipped
- Traced to control laws

## Space

- Voyager computer clocks skipped 8 seconds at Jupiter due to high radiation levels (AW&ST Aug 7, 1989)
- So "continuous resynchronization" provided at Neptune
- Also, remember STS-1: "The bug heard round the world" (SEN Oct 1981)

#### **FDIR** and Crew Interface

- Imaginary crash scenario
- Broken fan blade on port engine
- Port vibration sensor saturates, limiter cuts in
- Vibration travels down wing, shakes starboard engine
- Starboard vibration sensor reports the attenuated vibration
- Only starboard vibration warning light comes on in cockpit
- Pilot shuts down the good engine, crashes short of runway
- Similar to British Midland 737 crash in 1989

#### **Complexity and Integration**

- "The FMS of the A320 'was still revealing software bugs until mid-January,' according to Gérard Guyot (Airbus test and development director). There was no particular type of bug in any particular function, he says. 'We just had a lot of flying to do in order to check it all out. Then suddenly it was working,' he says with a grin" (Flight International, 27 Feb 1989)
- The ATF hardware is ready to go, but cannot be flown because the software engineers "can't get all the 0's and 1's in the right order" (Northrop Engineer, 7 Aug, 1990)

### **Complexity and Integration**

| As of early 1988  | A300   | A310       | A320    |
|-------------------|--------|------------|---------|
| Put in service    | 1982   | 1983       | 1988    |
| Number in service | 16     | 149        | 3       |
| Flight Hours      | 16,000 | 810,000    | 2,000   |
| - ingite mound    |        | Computers  |         |
| Autopilot         | 2 FCC  | 2 FCC      | 2 FMGC  |
| Rudder            | 2 FAC  | 2 FAC      | 2 FAC   |
| Autothrottle      | 1  TCC | 1 or 2 TCC |         |
|                   | 1100   | 2 SFCC     | 2 SFCC  |
| Slats and flaps   |        | 2 EFCU     | 2 ELAC  |
| Elevator/aileron  |        | 2 FLC      | 3 SEC   |
| Spoilers          |        | 2 CGCC     | 0020    |
| Fuel management   |        | 3 SGU      | 3 DMC   |
| Instruments       |        | 3 300      | 2 BSCU  |
| Brakes            |        |            | 2 FADEC |
| Engines           |        | 2 FADEC    | 2 FADEC |

#### Analog, Mechanical Backups

- Do mechanical and analog backups reduce the requirement for ultra-reliability in DFCS?
- Not if the DFCS is providing stability augmentation or envelope protection
- Similar problem in ATC—potential to move traffic at higher rates than the backup can handle
- No FAA certification credit for mechanical rudder and trim-tab on A320

### Analysis: Dale Mackall, NASA Engineer AFTI F16 Flight Test

- Nearly all failure indications were not due to actual hardware failures, but to design oversights concerning asynchronous computer operation
- Failures due to lack of understanding of interactions among
  - Air data system
  - Redundancy management software
  - Flight control laws



### Analysis: NASA-LaRC 1988 FCDS Technology Workshop

- Lack of fully effective design and validation methods with support tools to enable engineering of highly-integrated, flight-critical digital systems
- Complexity of failure containment, test coverage, FMEA, redundancy management, especially in the face of increased integration of flight-critical functions
- Sources of failure:
  - Multiple independent faults (never observed)
  - Single point failures (observed sometimes)
  - Domino failures (most common?)

#### **Analysis: Scientific Foundations**

- It is time to place the development of real-time systems on a firm scientific basis. Real-time systems are built one way or another because that was the way the last one was built. And, since the last one worked, we hope that the next one will. (Fred Schneider)
- "Not far from there (CNRS-LAAS), Airbus Industries builds the Airbus A320s. These are the first commercial aircraft controlled solely by a fault-tolerant, diverse computing system. Strangely enough this development owes little to academia. (IEEE Micro, April 1989, p6)

#### Analysis

- The problems of DFCS are the problems of systems whose complexity has exceeded the reach of the intellectual tools employed
- Intuition, experience, and techniques derived from mechanical and analog systems are insufficient for complex, integrated, digital systems

#### Synthesis

- Computer science has been addressing issues of systematic design, fault tolerance, and the mastery of complexity with some (limited) success for the last 20 years
- But there has been little interest in learning about, and applying this knowledge to, real-time control systems in general (and little opportunity to apply it to DFCS)
- And little of the lore and wisdom of practical real-time control system design has been captured and analyzed

# What Computer Science Can Offer DFCS

- Systematic techniques for the construction
- of trustworthy software, including:
  - $\circ$  Techniques for the precise specification of requirements and the development of

designs

- $_{\circ}$  Systematic approaches to the design and structuring of distributed and concurrent systems
  - Fault tolerant algorithms
  - $_{
    m o}$  Systematic methods of testing and
  - analytic methods of verification
- Where do formal methods come in?

# **Applied Mathematics and Engineering**

- Established engineering disciplines use applied mathematics
  - As a notation for describing systems
  - As an analytical tool for calculating and predicting the behavior of systems
- Computers can provide speed and accuracy for the calculations

### Applied Mathematics and Software Engineering

- The applied mathematics of software is formal logic
- Formal Logic can provide
  - A notation for describing software designs—formal specification
  - A calculus for analyzing and predicting the behavior of systems—formal verification
  - Computers can provide speed and accuracy for the calculations
  - Calculating the behavior of software is an exercise in formal reasoning—i.e., theorem proving

#### **Formal Methods**

- Methodologies for using mathematics in software engineering
- Can be applied at many different levels, for both description and analysis
  - 0. No application of formal methods
  - 1. Quasi-formal pencil and paper techniques
  - 2. Mechanized quasi-formal methods
  - 3. Fully formal pencil and paper techniques
  - 4. Mechanically checked fully formal techniques

# **Benefits of Formal Specification**

- Unambiguous description facilitates communication among engineers
- Early detection of certain errors
- Encourages systematic, thoughtful approach, reuse of well-understood concepts
- As documentation, reduces some of the difficulties in maintenance and modification

#### **Benefits of Formal Verification**

- Subjects the system to extreme scrutiny, increasing designers' understanding of their own creation
- Helps identify assumptions, increases confidence
- Encourages simple, direct designs, austere requirements—better systems
- Encourages and supports a systematic, derivational approach to system design
- Complements testing and allows it to focus on fundamentals

### Conclusion: What FM Can Offer DFCS

- Precise notations for specifying requirements and designs
- Concepts and structure for systematic design
- Intellectual tools for *analyzing* the consistency of specifications and the conformance of designs
- A way to regain *intellectual mastery* of complex systems and their interactions

#### Recommendations

- Just adding formal methods to existing practice is inappropriate
- Capture and analyze lore and wisdom (and mistakes) of actual DFCS designs
- Apply modern Computer Science (including Formal Methods) to develop building blocks for principled DFCS design
- Ultimately, build one and fly it!

195 57-08 N**91-17566**633

### What Can Formal Methods Offer to Digital Flight Control Systems Design?

Formal Methods Workshop NASA Langley Research Center Hampton, VA.

August 20-23, 1990

Donald I. Good Computational Logic, Inc.

#### Abstract

Formal methods research is beginning to produce methods which will enable mathematical modeling of the physical behavior of digital hardware and software systems. The development of these methods directly supports the NASA mission of increasing the scope and effectiveness of flight system modeling capabilities.

The conventional, continuous mathematics that is used extensively in modeling flight systems is not adequate for accurate modeling of digital systems. Therefore, the current practice of digital flight control system design has not had the benefits of extensive mathematical modeling which are common in other parts of flight system

Formal methods research is showing that by using discrete mathematics, very accurate modeling of digital systems is possible. These discrete modeling methods are still in an embryonic stage. But when they are fully developed, they will bring the traditional benefits of modeling to digital hardware and software design. Sound reasoning about accurate mathematical models of flight control systems can be an important part of reducing the

# What Can Formal Methods Offer to Digital Flight Control Systems Design?

Donald I. Good

Computational Logic, Inc. 1717 West Sixth, Suite 290 Austin, Texas 78703

512-322-9951

good@cli.com

08/27/90



# Why Model?

For either <u>design</u> of a new system or <u>operation</u> of an old one, <u>modeling</u> provides...

Benefits: early error detection

- Saves time
- Saves money
- Saves operational disruption
- Saves operational mishaps

Risks: model misrepresents system

- Inaccurate
- Incomplete

Kinds of models: physical, analog, schematic, mathematical.

Blanchard and Fabrycky. <u>Systems Engineering</u> and Analysis, Prentice Hall, 1990.

# Why a Mathematical Model?

- High abstraction
- High precision
- Simulate by manipulating symbols
- Represent large classes of system states
- Use mathematical deduction

Get a lot of system simulation for a little symbol manipulation.

### **Operational Safety**

Operating a system <u>safely</u> requires

accurate predictions

of how it will behave.

Accurate predictions can be obtained from

- sound deductions about
- <u>accurate</u> mathematical models

of system behavior.

# A Classic Model

```
Free Fall Distance:
  f(b,t) = [g(b) * t**2] / 2
  g(b) = if b = "earth" then 32
     else if b="moon" then ...
   t is time (sec)
   f(b,t) is distance (ft)
 Simulation:
    f("earth", .7) = [32 * .7**2] / 2
                     = 16 * .49
                     = 7.84 \, \text{ft}
```

```
Power of Mathematical Deduction
  Suppose 0 le t0 le t1.
          t in [t0..t1]
 f("earth", t) in (32 * [t0..t1]**2) / 2
 f("earth", t) in 16 * [t0..t1]**2
f("earth", t) in 16 * [t0**2..t1**2]
                        (** is monotonic)
Physical simulation of this result is impossible
because [t0..t1] contains an infinite number of
values.
```



Hardware Model Observables

A hardware system

## is composed

of physical switches.

Nancy Stern. From ENIAC to UNIVAC: An Appraisal of the Eckert-Mauchly Computers. Digital Equipment Corporation, 1981.

Next page.



The switches of Eurotion Table A are being set by Pic. Homer Spence and Opt. Irwin Goldstein. Three manually set function tables served as read only memory units. Courtesy Moore School of Electrical Engineering. Environment of Pennsylvama.

#### ORIGINAL PAGE BLACK AND WHITE PHOTOGRAPH

ORIGINAL PAGE IS OF POOR QUALITY



# An MC68020 Machine Model

Yuan Yu. <u>PhD Thesis (in progress)</u>. University of Texas.

# The VIPER Machine

A 32-bit microprocessor "whose functions are totally predictable."

Accumulator

2 index registers

Program counter

Comparison register

16 instructions

Avra Cohn. <u>A Proof of Correctness of the VIPER</u> <u>Microprocessor: The First Level</u>. Technical Report 104, University of Cambridge Computer Laboratory, January, 1987.

W. J. Cullyer. Implementing High Integrity Systems: The VIPER Microprocessor. In Computer Assurance, COMPASS 88. IEEE, June, 1988.

# A VIPER Machine Model

```
where
```

| WIIELC             | a hit words                                                                                                                                          |
|--------------------|------------------------------------------------------------------------------------------------------------------------------------------------------|
| р<br>а<br>х,у<br>b | <br>a memory of 32-bit words<br>20-bit program counter<br>32-bit accumulator<br>32-bit index registers<br>1 bit compare result register<br>stop flag |
| stop               |                                                                                                                                                      |

# The FM8502 Machine

- A 32-bit microprocessor.
- 2 address architecture
- 4 addressing modes
- 8 general purpose registers
- 2<sup>19</sup> 20-bit instructions

Warren A. Hunt, Jr. <u>FM8501: A Verified</u> <u>Microprocessor</u>, Ph.D. Thesis, The University of Texas at Austin, 1985.

-----, <u>Microprocessor Design Verification</u>. Journal of Automated Reasoning. Vol. 5, No. 4, Dec 1989.

### An FM8502 Machine Model

```
NEXT(ms) =
    list(next_memory (ms),
        next_register_file(ms),
        next_carry_flag (ms),
        next_overflow_flag(ms),
        next_zero_flag (ms),
        next_negative_flag(ms) )
```

... [about 10 pages] ...

# An FM8502 Register Transfer Model

```
GATES(gs, gn) =
    if not(listp(gn))
    then gs
   else GATES(COMB_LOGIC(gs,car(gn)),
               cdr(\bar{q}n))
 COMB_LOGIC(gs,gn) =
 ... [on bit operators, e.g., b_xor] ...
where
gs
          - [regs, flags, mem, int-regs]
regs
        - 8 32-bit vectors
flags
        - 4 Booleans
mem
        - 2<sup>32</sup> 32-bit vectors
int-regs - 32-bit vectors for internal
           registers, flags, latches
```



### Software Model Observables Programming languages provide a wide variety of ways of describing them, but the observables are still switches, and so are programs!





#### A Program Description, p0

0888 000D 0002 0888 000E 0003 0048 0003 008F 000E 0CD0 004D 0002 0009 0041 0002 000F 10CB 0002 0000 31CB 0002 0000 12CB 0002 000D 13CB 0002 000E 0CCB 0002 0004 ODCB 0002 0005 OECB 0002 0006 OFCB 0002 0007 0041 0002 0008 50CB 0002 0000 104B 0002 000D 104B 0003 000E 0000 084B 0003 0002 004D 0002 0009 0041 0002 000F 004D 0003 0002 0041 0003 009F 00DA 0003 01DE 0003 0848 0003 0002 0041 0003 0008 1888 0000 0002 396B 0000 0002 1A8B 0000 0003 F84B 0007 0002 D84B 0006 0002 B84B 0005 0002 9848 0004 0002 7848 0003 0002 5848 0002 0002 0000 000E 09F3 0048 0003 00BF 000E 0CD0 000E 0CCA 000E 0CA8 0002 0C86 000E 09F3 004B 0003 00BF 000E 0CD0 000E OCCA 004D 0002 0002 0041 0002 00D3 00CB 0002 0001 01CB 0002 0000 0002 0C86 000E OFT3 0089 0008 0004 0083 0008 0000 000A 0A98 0083 0008 0001 000A 0AFD 0083 0008 0002 000A 086A 0002 08A5 0848 0006 0002 0049 0006 0010 0848 0007 0003 0048 0003 00ar 000z 0CD0 0888 000C 0002 0848 0004 0006 004D 0004 0008 0848 0003 0002 004D 0003 0080 0841 0003 0004 0041 0003 01F3 000E 0CE1 000A 0AE7 084B 0002 0007 000E OCA8 084B 0003 0006 004D 0003 0002 0041 0003 00D3 00C3 0003 0003 0006 0C96 11C3 0003 000C 0006 0C96 00CB 0003 0000 01CB 0003 0000 084B 0002 0006 004B 0003 00BF 000E 0CA8 0002 0C96 004B 0003 00BF 000E 0CCA 104B 0003 000C 004D 0003 0002 0041 0003 00D3 00CB 0003 0002 09CB 0003 0006 0002 0C86 0848 0006 0002 0049 0006 0010 0048 0003 00BF 0002 0CD0 088B 000C 0002 084B 0004 0002 004D 0004 0008 084B 0003 0006 004D 0003 0080 0841 0003 0004 0041 0003 01F3 000E 0CDD 000A 0854 000E 0CD0 COOE OCCA 104B 0003 000C 004D 0003 0009 0041 0003 000F 0BCB 0003 0002 084B 0003 0006 004D 0003 0002 0041 0003 00D3 00C3 0003 0002 0006 0C96 11C3 0003 000C 0006 0C96 00CB 0003 0000 01CB 0003 0000 084B 0002 0006 004B 0003 00BF 000E 0CA8 0002 0C96 004B 0003 00BF 000Z 0CCA 104B 0003 000C 004D 0003 0002 0041 0003 00D3 00CB 0003 0003 09CB 0003 0006 0002 0C86 084B 0007 0003 004B 0003 00BF 000E 0CD0 088B 000C 0002 084B 0003 0002 004D 0003 0008 0041 0003 0173 000E 0CE1 000A 0B8F 084B 0002 0007 000E 0CA8 00B6 000C 0006 0C96 00A6 000C 0002 0C96 004B 0003 00BF 000E OCCA 104B 0003 000C 004D 0003 0002 0041 0003 00D3 00CB 0003 0004 01CB 0003 0000 0002 0C86 004B 0003 00BF 000E 0CD0 088B 000C 0002 084B 0003 0002 004D 0003 0008 0041 0003 00F3 000E 0CDD 000A OBCC 000E 0CD0 000E 0CCA 1048 0003 000C 004D 0003 0009 0041 0003 000F 0BCB 0003 0002 0002 0096 004B 0003 00BF 000E 0CCA 104B 0003 000C 004D 0003 0002 0041 0003 00D3 00CB 0003 0005 01CB 0003 0000 0002 0C86 008B 000A 0C86 0888 000E 0003 0048 0003 008F 000E 0CDD 000A 08F7 0088 000A 0C9F 1048 0003 000E 000E 09F3 104B 0005 0008 004D 0005 0002 0041 0005 00D3 00C3 0005 0005 0006 0C13 104B 0002 0008 004B 0003 00BF 000E 0CA8 00CB 0005 0000 01CB 0005 0000 104B 0003 0008 004D 0003 0008 0041 0003 00F3 000E 0CE1 0006 0C2A 104B 0002 0009 0041 0002 0100 000E 0CBA 0082 000A 00B2 0008 0006 0C38 104B 0002 0009 0041 0002 0100 000E 0CA8 0082 000A 104B 0002 0009 000E 0CA8 0082 000A 008B 000A 0C86 088B 000E 0003 004B 0003 00BF 000E 0CDD 000A 0C54 008B 000A 0C9F 104B 0003 000E 000E 09F3 104B 0005 0009 004D 0005 0002 0041 0005 00D3 00C3 0005 0004 0006 0C70 104B 0002 0009 0048 0003 00BF 000E 0CA8 00CB 0005 0000 01CB 0005 0000 1048 0003 0009 004D 0003 0008 0041 0003 0173 000E 0CDD 008A 000A 000E 0CD0 088F 0009 0002 000E OCCA 0082 000A 004B 0003 00BF 000E 0CDD 000A 0C95 000E 0CD0 000E 0A29 00BA 000B 00A2 0000 0004 004B 0003 00BF 000E 0CD0 000E 0A29 00AE 0000 004B 0003 00BF 000E OCDO 000E 0A29 00A2 0000 0848 0004 0003 0041 0004 0004 3841 0004 0003 08CB 0004 0002 02D6 0003 79C7 0003 0003 0000 384B 0004 0003 7845 0004 0003 0841 0004 0003 0041 0004 0004 08CB 0004 0002 0000 02D2 0003 78C7 0003 0003 0000 084B 0002 0003 0041 0002 0004 1841 0002 0003 184B 0002 0002 0000 02C3 0003 0000 0000 7AC3 0003

#### [752 16-bit words]

#### The Kit Separation Kernel

- Uses a modified FM8501 (ms,mn) machine
- Interrupts for timer and I/O
- Process management
  - fixed number of processes
  - process scheduling (round robin)
  - process communication (message passing)
  - response to error conditions
  - Device management for character I/O to asynchronous devices
  - Memory management uses hardware protection

William R. Bevier. <u>Kit: A Study in Operating</u> <u>System Verification</u>. IEEE Transactions on Software Engineering. November 1989.





#### The Piton Language

The Piton language has

- execute-only program space
- read/write global arrays
- recursive subroutine calls
- formal parameters
- user-visible stack
- stack-based instructions
- flow-of-control instructions.

The cross assembler produces an FM8502 binary core image.

### The Micro Gypsy Language

The Micro Gypsy subset of Gypsy has

- types integer, boolean, character
- one dimensional arrays
- procedure calls with pass by reference parameters
- sequential control structures if, loop,
- condition handling signal..when.

The compiler produces Piton.

#### The Stack Theorem

Proof: Mechanically checked.

Under the conditions H',

- the uGypsy model is just as accurate as gates
- but with many details suppressed by  $\upsilon'$ .

#### **Boyer-Moore Logic**

Robert S. Boyer, J Strother Moore II. <u>A</u> <u>Computational Logic Handbook</u>, Academic Press, 1988.

Matt Kaufmann. <u>A User's Manual for an Interactive</u> <u>Enhancement to the Boyer-Moore Theorem</u> <u>Prover</u>. TR 19, Computational Logic, Inc., 1988.

#### A Hierarchy of Models of a Programmed Machine

R(yx0,yp0,yd0, ydk)

uGypsy(yx0,yp0,yd0, yk(yx0,yp0,yd0))

piton(ps0, pk(ps0))

fm8502(ms0, mk(ms0))

gates (gs0,

gk (gs0) )

Corresponding to these is a hierarchy of program descriptions....

#### **Operating Requirement**

```
procedure mult(var ans:fm8502_int;
                   i, j:fm8502 int) =
begin
ENTRY j ge 0;
EXIT ans = NTIMES(i, j);
  pending;
end;
type fm8502 int =
     integer[-(2**31)..(2**31)-1];
{A Simple Problem Domain Theory}
function NTIMES(x,y:integer):integer =
begin
exit (assume result =
       if y = 0 then 0
      else if y = 1 then x
            else x + NTIMES(x,y-1)
       fi fi);
end;
```

#### **Gypsy Program Description**

```
procedure mult(var ans:fm8502 int;
                     i,j:fm8502 int) =
begin
ENTRY j ge 0;
EXIT ans = NTIMES(i,j);
  var k:fm8502 int := 0;
    \mathbf{k} := \mathbf{j};
  ans := 0;
  loop
    ASSERT j ge 0 & k in [0..j]
          & ans = NTIMES(i, j-k);
    if k le 0 then leave end;
    ans := ans + i;
      k := k - 1;
  end;
end:
```

### **Piton Program Description**

```
(K ZERO ONE B ANS I J) ; formals
(MG-MULT
                        ;locals
 (PUSH-LOCAL ANS) ;ans := 0;
NIL
 (PUSH-CONSTANT (INT 0))
 (CALL MG-SIMPLE-CONSTANT-ASSIGNMENT)
                         ;k := j;
 (PUSH-LOCAL K)
 (PUSH-LOCAL J)
 (CALL MG-SIMPLE-VARIABLE-ASSIGNMENT)
  (DL L-1 NIL (NO-OP)) ;loop
                         ; b := k le 0
  (PUSH-LOCAL B)
  (PUSH-LOCAL K)
  (PUSH-LOCAL ZERO)
  (CALL MG-INTEGER-LE)
                         ; if b then leave
  (PUSH-LOCAL B)
  (FETCH-TEMP-STK)
  (TEST-BOOL-AND-JUMP FALSE L-3)
   (PUSH-CONSTANT (NAT 0))
   (POP-GLOBAL C-C)
   (JUMP L-2)
   (JUMP L-4)
   (DL L-3 NIL (NO-OP))
   (DL L-4 NIL (NO-OP))
                       ; ans := ans + i;
   (PUSH-LOCAL ANS)
   (PUSH-LOCAL ANS)
   (PUSH-LOCAL I)
    (CALL MG-INTEGER-ADD)
    (PUSH-GLOBAL C-C)
    ... [14 more support routines] ...
```

### FM8502 Program Description

(M-STATE

F F F F ' (B000000

| (B000000000001111000001001000001 B00000000         |
|----------------------------------------------------|
| B00000000001111000001001000001 B00000000           |
| B0000000000011110000001001011011 B00000000         |
| B0000000000000000000000000000000000000             |
| B0000000000000000000000000000000000000             |
| B000000000001111000000001011011 B00000000          |
| B000000000001111000000010111011 B00000000          |
|                                                    |
|                                                    |
| B0000000000000000000000000000000000000             |
|                                                    |
| B0000000000000000000000000000000000000             |
|                                                    |
|                                                    |
|                                                    |
|                                                    |
|                                                    |
| B000000000001111000000000010010 B00000000          |
|                                                    |
| B0000000000000000000000000000000000000             |
| B000000000011110000000000000000 B00000000          |
| B0000000000000000000000000000000000000             |
| B00000000001111000000000000000 B00000000           |
| B0000000000000000000000000000000000000             |
| B0000000000000000000000000000000000000             |
| B00000000000111100000000000101 B00000000           |
| B0000000000011110000000000000000000000             |
| B0000000000011110000000000001 B000000000           |
| B0000000000011110000000001010 B000000000           |
| B000000000001111100000000100010 B00000000          |
| B000000000001111000001001011011 B00000000          |
| B0000000000001100000001001000 B000000000           |
| B00000000001111000000010000010 B00000000           |
| B0000000000011111000000010111011 B00000000         |
|                                                    |
|                                                    |
|                                                    |
| B000000000011111000001001001000000000<br>B00000000 |
| B0000000000000000000000000000000000000             |
| B0000000000000000000000000000000000000             |
| B0000000000011100000000100101101 B00000000         |
| B00000000000111110000000100101 B00000000           |
| B0000000000011110000000101011 B000000000           |
| B0000000000000000000000000000000000000             |
| B0000000000000000000000000000000000000             |
| B0000000000000000000000000000000000000             |
| B0000000000000000000000000000000000000             |
| [10 more pages] ))                                 |
|                                                    |

#### **Mathematical Requirements**

- Unambiguous: Requirements have a welldefined interpretation that tells exactly what they <u>do</u> say.
- Analyzable: Do the requirements say the "right" thing?

```
R(x, y) \rightarrow good_thing(x, y)
```

- Consistency: Requirements contain no contradictions.
- Enable <u>modeling</u> a program component <u>before</u> <u>building</u> it (and thereby save the time and cost of designing a poor program.)

To get these benefits, the requirements notation must have a rigorous mathematical foundation (semantics).

#### **Design >> Requirements**

- There is more to designing a digital system than just stating and refining mathematical requirements.
- One must still construct a program for some machine.
- Mathematical models of commonly used languages and machines are still very scarce.

#### Summary

For either <u>design</u> of a new system or <u>operation</u> of an old one, <u>mathematical modeling</u> of digital flight control systems offers

Benefits: early error detection

- Saves time
- Saves money
- Saves operational disruption
- Saves operational mishaps

Risks: model misrepresents system

- Inaccurate
- Incomplete

#### **Conventional Non-Wisdom**

Use "formal methods" (mathematical modeling)

- only after a system is built to certify it
- only before a system is built to design it
- to guarantee perfect system behavior
- to eliminate the need for testing

High Level Design Proof of a Reliable Computing Platform

Ben L. Di Vito Ricky W. Butler James L. Caldwell NASA Langley Research Center Hampton, VA 23665

232 58-60 319687 N91-17567

### Outline

- Research Objectives
- Reliable Computing Platform
- High-Level Design Specifications
- Correctness Proofs
- Voting Patterns

Digital Flight Control Systems



**Reliable Computing Platform** 



## Research Objectives

- Establish hardware/software platform for ultra-reliable computing
- Use fault-tolerant computer architecture
- Use formal methods to prevent design and implementation errors
- first specify in conventional mathematical notation
- then specify and mechanically verify in EHDM
- Construct reliability model to quantify reliability estimate

Operating System for Control Applications



# Application Task Characteristics

- 1. Fixed set of tasks
- 2. Hard deadlines
- 3. Multi-rate cyclic scheduling
- 4. Minimal jitter
- 5. Upper bound on task execution time
- 6. Precedence constraints

# Architectural Concept



### **Design Decisions**

- 1. the system is non-reconfigurable
- 2. the system is frame-synchronous
- 3. the scheduling is static, non-preemptive
- 4. internal voting is used which can recover the state of a processor affected by a transient fault within a bounded time

# **Reliability Modeling**

Reliability model of quadruplex version of system



 $\rho$  = rate of recovery from transient fault (design-dependent)  $\lambda_P = \text{permanent fault rate} (\sim 10^{-4}/\text{hr})$  $\lambda_T = \text{transient fault rate} (\sim 10^{-3}/\text{hr})$ 





Note inflection point on the order of one minute

# Application Definition



M frames = 1 cycle

 $M_{\rm i} > 0$  subframes per frame

K tasks

(i, j) = cell (frame,subframe)

ST: scheduled task for cell (i, j)

TI: task inputs for cell (i, j) {tasks have no permanent state}

AO: actuator output tasks

IR: initial task inputs

Task Schedule



.

## Uniprocessor Model

State of abstract machine given by:

$$OS\_state = (frame: \{0..M-1\}, results: \{0..M-1\} imes nat 
ightarrow D)$$

The OS state transition is defined by the function OS.

$$OS: Sin \times OS\_state \rightarrow OS\_state$$

$$S(s,u) = (u.frame \oplus 1, \lambda i, j. new\_results(s, u, i, j))$$

where

$$x \oplus y = (x + y) \mod M$$
  
 $x \ominus y = (x + M - y) \mod M$ 

$$new\_results(s, u, i, j) = ext{if } i = u.frame$$
  
then  $exec(s, u, i, j)$   
 $else u.results(i, j)$ 

Uniprocessor Model (Cont'd.)

$$exec: Sin \times OS\_state \times \{0..M-1\} \times nat \rightarrow D$$
  
$$exec(s, u, i, j) = f_{ST(i,j)}(arg(TI(i, j)[1], s, u, i, j), \dots, arg(TI(i, j)[n], s, u, i, j)$$
  
$$arg: triple \times Sin \times OS\_state \times \{0..M-1\} \times nat \rightarrow D$$
  
$$arg(t, s, u, i, j) = \text{if } t.type = sensor$$

 $\widehat{}$ 

$$rg(t, s, u, i, j) = \text{if } t.type = sensor$$
  
then  $s[t.i]$   
else if  $t.i = i \wedge t.j < j$   
then  $exec(s, u, i, t.j)$   
else  $u.results(t.i, t.j)$ 

Actuator output is a function of the OS state:

$$UA(u) = \left[ egin{matrix} q & t \ k = 1 \end{bmatrix} Act(u,k) 
ight]$$

$$Act(u,k) = \left\{egin{array}{ll} u.results(u.frame \ominus 1,j) \ if \exists j: AO(u.frame \ominus 1,j) = k \ \phi & ext{otherwise} \end{array}
ight.$$

# **Replicated Processor Model**

The replicated processor model is based on a replicated state and transitions that allow for faults in the replicates

$$\begin{aligned} Repl: ICin \times Repl\_state \times fault\_status \rightarrow Repl\_state \\ Repl(c, r, \Phi) = \begin{bmatrix} R \\ k=1 \end{bmatrix} RT(c, r, k, \Phi) \end{bmatrix}$$

 $RT(c,r,k,\Phi) = \text{if } \Phi[k] \text{ then } \bot \text{ else } (frame\_vote(r,\Phi), Repl\_results(c,r,k,\Phi))$ 

$$frame\_vote(r, \Phi) = maj([_{l=1}^{R} FV_{l}])$$
  
where  $FV_{l} = \text{if } \Phi[l]$  then  $\bot$  else  $r[l]$ . $frame \oplus 1$   
 $maj : sequence(D \cup \{\bot\}) \to D \cup \{\bot\}$ 

.

# Replicated Processor Model (Cont<sup>:</sup>d.)

$$VP: \{0..M-1\} \times nat \times \{0..M-1\} \rightarrow \{T,F\}$$

Q VP(i, j, n) = T iff we are to vote OS.results(i, j)

$$Repl_results(c, r, k, \Phi) = \\\lambda i, j. \text{ if } VP(i, j. r[k].frame) \\\text{then } results_vote(c, r, i, j, \Phi) \\\text{else } new_results(c[k], r[k], i, j)$$

results\_vote(c, r, i, j, 
$$\Phi$$
) = maj([ $_{l=1}^{R} RV_{l}$ ])  
where  $RV_{l}$  = if  $\Phi[l]$  then  $\perp$  else new\_results(c[l], r[l], i, j).

Replicated actuator output considers fault status indicators:

$$RA: Repl_state \times fault_status \rightarrow RAout$$

RA: Repl-state 
$$\times$$
 Junction of  $RA_k$   
 $RA(r, \Phi) = \begin{bmatrix} R \\ k=1 \end{bmatrix} RA_k$   
where  $RA_k = \text{if } \Phi[k]$  then  $\perp$  else  $UA(r[k])$ 

A Simple Fault Model



The results we seek must hold for all  $\mathcal{F}:\{1..R\} imes nat o \{T.F\}$  that satisfy a condition for maximally unfortunate fault behavior. Define a *working* processor as follows.

$$\mathcal{W}: \{1..R\} imes nat imes fault\_fn 
ightarrow \{T, F\}$$
  
 $\mathcal{W}(k, n, \mathcal{F}) = orall j: \ 0 \leq j \leq min(n, N_R) \supset \sim \mathcal{F}(k, n-1)$ 

*..* 

A processor that is nonfaulty, but not yet working, is considered to be *recovering*. The number of working processors is given by:

$$\omega(n,\mathcal{F}) = |\{k \mid \mathcal{W}(k,n,\mathcal{F})\}|$$

**Definition 1** The Maximum Fault Assumption for a given fault function  $\mathcal{F}$  is that  $\omega(n, \mathcal{F}) >$ R/2 for every frame n.

All theorems about state machine correctness are predicated on this assumption.

# Framework For Proving State Machine Correctness

Functions needed to bridge the gap between the two machines are those that do the fellowing:

2. Map replicated actuator outputs from RM into actuator outputs for UM. 1. Map sensor inputs for UM into replicated sensor inputs for RM.

3. Map replicated OS states of RM into uniprocessor OS states of UM.



## Correctness Criteria

# **Definition 2** RM correctly implements UM under assumption $\mathcal{P}$ iff the following formula

$$\forall \mathcal{F} : \mathcal{P}(\mathcal{F}) = \{\mathcal{S}, \mathcal{P}_{n} \setminus \mathcal{O}\}$$

where 
$$a_n$$
 and  $b_n$  can be characterized as functions of  $(1)$  (1)

al state and all prior inputs.

We parameterize the concept of necessary assumptions using the predicate  $\mathcal{P}$ . For the replicated system. it will be instantiated by the Maximum Fault Assumption:

$$\mathcal{P}(\mathcal{F}) = (\forall m: \ \omega(m,\mathcal{F}) > R/2).$$

Derived Correctness Criteria

Definition 3 (Replicated OS Correctness Criteria) RM correctly implements UM if the following conditions hold:

-

(1)  $u_0 = maj(r_0)$ 

(2) 
$$\forall \mathcal{F}, (\forall m : \omega(m, \mathcal{F}) > R/2) \supset$$
  
 $\forall S, \forall n > 0: OS(s_n, maj(r_{n-1}) = maj(Repl(IC(s_n), r_{n-1}, \mathcal{F}_n^R))$   
(3)  $\forall \mathcal{F}, (\forall m : \omega(m, \mathcal{F}) > R/2) \supset$ 

$$\begin{array}{ll} (3) \ \ \tau \mathcal{F}, \ (\forall m : \ \boldsymbol{\omega}(m, \mathcal{F}) > R/2) \supset \\ \forall S. \ \forall n > 0: \ UA(maj(r_n)) = maj(RA(r_n, \mathcal{F}_n^R)) \end{array}$$

## Sufficient Conditions for Correctness

## Intermediate Assertions

**Definition 4** (Consensus Property) For  $\mathcal{F}$  satisfying the Maximum Fault Assumption, the assertion

$$\mathcal{V}(p,n-1,\mathcal{F}) \supset r_{n-1}[p] = maj(r_{n-1}) \wedge r_n[p] = maj(r_n)$$

holds for all p and all n > 0.

**Definition 5** (Replicated State Invariant) For fault function  $\mathcal{F}$  satisfying the Maximum Fault Assumption, the following assertion is true for every frame n:

$$egin{aligned} &n=0\,\lor\sim\mathcal{F}(p,n-1))\supset\ &r_n[p].frame=maj(r_n).frame=negin{aligned} &mod\ M\land\ &(orall i,\, i:\ rec(i,\, j,\mathcal{L}(p,n,\mathcal{F}),\mathcal{H}(p,n,\mathcal{F}),T)\supset\ &r_n[p].results(i,\, j)=maj(r_n).results(i,\, j)). \end{aligned}$$

## **Recovery Concepts**

Recovery of state element (i, j) where last faulty frame was f and processor has been healthy for h frames:

$$\begin{split} \operatorname{rec}(i,j,f,h,e) &= \operatorname{if} \ h \leq 1 \ \operatorname{then} \ F \\ &= \operatorname{lese} \ (VP(i,j,f\oplus h) \land e) \lor \\ &= \operatorname{lese} \ (VP(i,j,f\oplus h) \land e) \lor \\ &= \operatorname{lese} \ (VP(i,j,f\oplus h) \land e) \lor \\ &= \operatorname{lese} \ (VP(i,j,f,h)) \\ &= \operatorname{lese} \ \operatorname{rec}(i,j,f,h-1,T) \\ &= \operatorname{lese} \ \operatorname{rec}(i,j,f,h,F) \\ &= \operatorname{lese} \ \operatorname{rec}(t,i,t,j,f,h,F) \\ &= \operatorname{lese} \ \operatorname{rec}(t,i,t,j,f,h,F) \\ &= \operatorname{lese} \ \operatorname{rec}(t,i,t,j,f,h-1,T) \end{split}$$

**Definition 6 (Full Recovery Property)** The predicate 
$$rec(i, j, f, N_R, T)$$
 holds for all  $i, j, f$ .

## Continuous Voting

 $VP(i,j,k) = T \quad \forall i,j,k$ 

(Actual  $N_R = 1$ )  $N_R = 2$  • Specifies that the entire state will be voted every frame

- Not very practical
- But proof is simple

#### Cyclic Voting

$$VP(i, j, k) = (i = k) \quad \forall i, j, k$$
$$N_R = M + 1.$$

- Only results just computed will be voted in a frame More practical
  - Proof almost as simple

#### Frame



Portion voted



#### Summary

- Ultra-reliable control systems hard to achieve
  - Simple fault-tolerant design postulated
- Formal specification of design constructed
  - Preliminary correctness proofs obtained
    - Will extend from here
- more sophisticated designs
- mechanical verification

A Verified Model of Fault-Tolerance

John Rushby

Computer Science Laboratory SRI International

54-41 -17:90 -N91-17568 - 90

| l Important          |
|----------------------|
| and                  |
| aults are Common and |
| are                  |
| Faults               |
| Transient Faults     |

NASA-LaRC 1988 FCDS Technology Workshop:

- energy (composite materials provide less shielding, densely A number of DFCS are highly susceptible to radiated EM packed VLSI more susceptible to SEU)
- Designers must prove that their design will always recover from any and all non-hard faults reasonably quickly

 $\sim$ 

#### Goal

A model of a replicated system with exact-match voting

- A fault model that includes transients
- A theorem that establishes the conditions under which the
  - system provides fault tolerance
- checked verification of the theorem that is consonant with A formal specification of the model and a mechanically the journal-level presentation

#### Model based closely on that developed by Butler, Caldwell, Does not model sensor failure or loss of frame counter Model and theorem described in draft journal-level report and DeVito at LaRC, but simplified and more abstract Specification and verification in Ehdm completed (Jim Caldwell provided stimulation and help in the proof) Next step is to address the (over) simplifications Does not model frames and cycles Currently reconciling the two 0 0

Status

#### General Idea



ഹ

| sets: MODULE [T: TYPE]<br>EXPORTING ALL<br>THEORY                                                   |
|-----------------------------------------------------------------------------------------------------|
| <pre>set: TYPE IS function[T -&gt; bool]</pre>                                                      |
| x, y, z: VAR T<br>a, b, c: VAR set                                                                  |
| union: function[set, set -> set] ==<br>(LAMBDA a, b : (LAMBDA x : a(x) OR b(x)))                    |
| <pre>subset: function[set, set -&gt; bool] =   (LAMBDA a, b : (FORALL z : a(z) IMPLIES b(z)))</pre> |
| <pre>member: function[T, set -&gt; bool] == (LAMBDA x, b : b(x))</pre>                              |
| <pre>empty: function[set -&gt; bool] = (LAMBDA a : (FORALL x : NOT a(x)))</pre>                     |
| <pre>emptyset: set == (LAMBDA x : false)</pre>                                                      |
| <pre>fullset: set == (LAMBDA x : true)</pre>                                                        |
| <pre>extensionality: AXIOM (FORALL x : member(x, a) = member(x, b)) IMPLIES (a = b)</pre>           |

Sets

----

r

#### Cardinality

m, n, p: VAR nat

card: function[set -> nat]

card(union(a, b)) + card(intersection(a, b)) = card(a) + card(b) card\_ax: AXIOM

card\_subset: AXIOM subset(a, b) IMPLIES card(a) <= card(b)</pre>

card\_empty: AXIOM card(a) = 0 IFF empty(a)

empty\_prop: LEMMA card(a) > 0 IMPLIES (EXISTS x : member(x, a))

AND 2 \* card(a) > card(c) AND 2 \* card(b) > card(c) IMPLIES card(intersection(a, b)) > 0 AND subset(b, c) card\_prop: LEMMA subset(a, c)

ω

Sensors etc.

C: TYPE

a, c: VAR C

actuators: TYPE FROM C WITH (LAMBDA c : cell\_type(c) = actuator\_cell) sensors: TYPE FROM C WITH (LAMBDA c : cell\_type(c) = sensor\_cell) cell\_types: TYPE = (sensor\_cell, actuator\_cell, task\_cell) AND (c IN voted IMPLIES NOT (c IN sensors)) (LAMBDA c : cell\_type(c) /= sensor\_cell) (c IN actuators IMPLIES c IN voted) cell\_type: function[C -> cell\_types] active\_tasks: TYPE FROM C WITH Gbar: function[C, C -> bool] voted: TYPE FROM C voted\_ax: AXIOM

sensor\_ax: AXIOM (EXISTS a : Gbar(a, c)) IFF NOT (c IN sensors)

თ

## Simple Machine

 $step(\sigma, c, n) = \sigma$  with  $[c := if c \in C_S$  then sensor(c)(n) else  $task(c)(\sigma)]$ 

$$run(0) = (\lambda c: \bot)$$
  
$$run(n+1) = step(run(n), sched(n+1), n+1).$$

IF c IN sensors THEN sensor(c)(m) ELSE task(c)(s) END IF]) identity: function[M -> nat] == (LAMBDA m : m) 11 run: RECURSIVE function[M -> state] = step: function[state, C, M -> state] (LAMBDA s, c, m : s WITH [c :=

IF m = 0 THEN undef ELSE step(run(m - 1), sched(m), m) END IF) BY identity (LAMBDA m :

TCC's

(\* Subtype TCC generated for the first argument to task in dependency \*)

(c IN active\_tasks AND (FORALL a : Gbar(a, c) IMPLIES s(a) = t(a))) IMPLIES (cell\_type(c) /= sensor\_cell) dependency\_TCC1: FORMULA

(\* Subtype TCC generated for the first argument to sensor in step \*)

step\_TCC1: FORMULA (c IN sensors) IMPLIES (cell\_type(c) = sensor\_cell)

(\* Subtype TCC generated for the first argument to task in step \*)

(\* Subtype TCC generated for the first argument to run in run \*) (NOT (c IN sensors)) IMPLIES (cell\_type(c) /= sensor\_cell) step\_TCC2: FORMULA

run\_TCC1: FORMULA (m >= 0) IMPLIES (NOT (m = 0)) IMPLIES (m - 1 >= 0)

(\* Termination TCC generated for run \*)

(m >= 0) IMPLIES (NOT (m = 0)) IMPLIES identity(m) > identity(m - 1) run\_TCC2: FORMULA

## **Replicated Machine**

 $\neg \mathcal{F}(i)(n) \supset sstep(\rho, c, n)(i) = step(\rho(i), c, n),$ 

 $\neg \mathcal{F}(i)(n) \supset vote(\rho, c, n)(i) = \text{if } c \in C_{-}V \text{ then } \rho(i) \text{ with } [c := maj\{\rho(j)(c)|j \in R\}]$ else  $\rho(i)$ 

 $rstep(\rho, c, n) = vote(sstep(\rho, c, n), c, n).$ 

## Replicated Machine

```
NOT (F(i)(m)) IMPLIES sstep(rs, c, m)(i) = step(rs(i), c, m)
                                                                               AND (FORALL i : member(i, A) IMPLIES rs(i)(c) = x))
                                                                                                                                                                                                                                                                                                                                                                   ELSE rstep(rrun(m - 1), sched(m), m) END IF)
                                                                                                                                                                                                                                                                     (LAMBDA rs, c, m : vote(sstep(rs, c, m), c, m))
                                                                                                                                                                                                     THEN rs WITH [(i)(c) := maj(rs, c)]
                                                                                                                                                                                                                                                      rstep: function[rstate, C, M -> rstate] ==
                                                                                                                                                                                                                                                                                                            II
                                                                                                                                                                                                                                                                                                         rrun: RECURSIVE function[M -> rstate]
                                                                         2 * card(A) > card(fullset[R])
                                                                                                                                                                                                                                                                                                                                                            THEN (LAMBDA i : undef)
                                                                                                               IMPLIES maj(rs, c) = x
                                                                                                                                                                                IMPLIES vote(rs, c, m)
                                                                                                                                                                                                                               ELSE rs END IF
                                                                                                                                                                                                    = IF c IN voted
                                                                                                                                                                  NOT (F(i)(m))
                                                                                                                                                                                                                                                                                                                                                                                                       BY identity
                                                                                                                                                                                                                                                                                                                                                      IF m = 0
                                                                                                                                                                                                                                                                                                                                      (LAMBDA m :
                                                                                                                                                     vote_ax: AXIOM
    sstep_ax: AXIOM
                                                     maj_ax: AXIOM
                                                                      (EXISTS A :
```

## Foundation etc.

$$foundation(c) = \begin{cases} \{c\} & \text{if } c \in (C\_S \cup C\_V) \\ \{c\} \cup \bigcup_{(a,c) \in \overline{G}} foundation(a) \text{ otherwise} \end{cases}$$

$$support(c) = \begin{cases} \{c\} \cup \bigcup_{(a,c) \in \overline{G}} foundation(a) & \text{if } c \in C_{-}V \\ foundation(c) & \text{otherwise.} \end{cases}$$

committed-to(c) = 
$$min\{when(a)|a \in support(c)\}$$
.

## Foundation etc.

```
committed_to: function[C -> M] == (LAMBDA c : min(critical_times(c)))
                                                                                                                                                                                                                                                                                                                                                                     (EXISTS b : Gbar(b, c) AND member(a, foundation(b))))
                                                                                                                                                                                      Gbar(b, c) AND member(a, foundation(b)))))
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   (LAMBDA c : (LAMBDA t : member(sched(t), support(c))))
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          OR (c IN voted AND member(a, backup(c))))
                                                                                                                         OR (NOT (c IN voted OR c IN sensors)
foundation: RECURSIVE function[C -> set[C]] =
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     critical_times: function[C -> set[M]] ==
                                                                                                                                                                                                                                                                                                                                                                                                                                support: function[C -> set[C]] =
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            member(a, foundation(c))
                                                                                                                                                                                                                                                                             backup: function[C -> set[C]] =
                                                                                                                                                   AND (EXISTS b :
                                                              (LAMBDA a :
                                                                                                                                                                                                                                                                                                                                     (LAMBDA a :
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             (LAMBDA a :
                                                                                                 ອ
ແ
ບ
                              (LAMBDA c :
                                                                                                                                                                                                                                                                                                           (LAMBDA c :
                                                                                                                                                                                                                                                                                                                                                                                                                                                              (LAMBDA c :
                                                                                                                                                                                                                 BY dowhen
```

#### OK and MOK

 $OK(i)(c) = (\forall n : committed-to(c) \le n \le when(c) \supset \neg \mathcal{F}(i)(n)).$ 

 $MOK(c) = \exists \Theta \subseteq R, |\Theta| > r/2, i \in \Theta \supset OK(i)(c).$ 

```
working: function[C -> set[R]] == (LAMBDA c : (LAMBDA i : OK(i)(c)))
                                                                                                       committed_to(c) <= m AND m <= dowhen(c)
IMPLIES NOT F(i)(m)))</pre>
OK: function[R -> set[C]] =
                                                                                 (FORALL m :
                                                      (LAMBDA c :
                               (LAMBDA i :
```

```
(LAMBDA c : 2 * card(working(c)) > card(fullset[R]))
MOK: function[C -> bool] =
```

#### Theorem

If

 $\forall a: when(a) \leq when(c) \supset MOK(a),$ 

then

 $\forall_j : OK(j)(c) \supset rrunto(c)(j)(c) = runto(c)(c).$ 

(FORALL j : OK(j)(c) IMPLIES rrunto(c)(j)(c) = runto(c)(c))) (LAMBDA c : MOK(c) AND (FORALL a : Gbar(a, c) IMPLIES safe(a))) safe: RECURSIVE function[C -> bool] = correct: function[C -> bool] = (LAMBDA c : BY dowhen

the\_result: THEOREM safe(c) IMPLIES correct(c)

## **Noetherian Induction**

(FORALL d1 : (FORALL d2 : d2 < d1 IMPLIES p(d2)) IMPLIES p(d1)) mod\_proof: PROVE mod\_induction d1 <- d1@p1, d3 <- d1@p1, d4 <- d2
FROM general\_induction p <- (LAMBDA d : A(d) IMPLIES B(d))</pre> noetherian: MODULE [dom: TYPE, <: function[dom, dom -> bool]] (EXISTS measure : a < b IMPLIES measure(a) < measure(b)) (FORALL d2 : d2 < d1 IMPLIES (A(d1) AND B(d2)))(FORALL d3, d4 : d4 < d3 IMPLIES A(d3) IMPLIES A(d4)) IMPLIES (FORALL d : A(d) IMPLIES B(d)) p, A, B: VAR function[dom -> bool]
d, d1, d2, d3, d4: VAR dom measure: VAR function[dom -> nat] IMPLIES (FORALL d : p(d)) IMPLIES B(d1)) general\_induction: AXIOM AND (FORALL d1 : mod\_induction: THEOREM well\_founded: FORMULA a, b: VAR dom END noetherian ASSUMING THEORY PROOF

#### The Proof

```
sensor_inductive_step, voted_inductive_step, nonvoted_inductive_step,
                                                                                                                                                                                                                                         discharge_well_founded: PROVE well_founded measure <- dowhen FROM
                                                                                                                                                                                                                                                                                                                                                                                                        (FORALL a : Gbar(a, c) IMPLIES safe(c) AND correct(a))
                                         USING correctness, voted_step, nonvoted_step, sensor_step,
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                almost_final_proof: PROVE inductive_step a <- a@p7 FROM
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                induction_body a <- a@p1, induction_body a <- a@p2,
induction_body a <- a@p3, induction_body</pre>
correctness_proof: MODULE
                                                                                                                                                                                                                                                                                                                                                                                                                                                     IMPLIES correct(c)
                                                                                                                                                                                                                                                                                                                                                                     inductive_step: LEMMA
                                                                            noetherian[C, Gbar]
                                                                                                                                                                                                                                                                                             Gbar_when c <- b
                                                                                                                                                            a, c: VAR C
                                                                                                                           PROOF
```

```
mod_induction A <- safe, B <- correct, d <- c, d2 <- a@p3,</pre>
final_proof: PROVE the_result FROM
                                                                                  safe a <- d4@p1, c <- d3@p1,
                                                                                                                                inductive_step c <- d1@p1
```

END correctness\_proof

| $\geq$  |
|---------|
| <b></b> |
| σ       |
| Ξ       |
| Ē       |
| n.      |
| S       |

- Formal specification and verification revealed typos in the original report
- Exposed omission in original proof
- Led to stronger theorem and more elegant proof (using Noetherian rather than ordinary induction)
- Confirmed that Ehdm has the capability to specify interesting and useful properties in a direct, natural, and readable manner
- Proofs were hard (three intensive man-weeks, 92 lemmas); haven't yet gone back to see why that was so
- We have the beginnings of a formally verified model for a fault tolerant operating system

#### The Design and Proof of Correctness of a Fault-Tolerant Circuit N91-17569

William R. Bevier William D. Young

Computational Logic, Inc. 1717 W. 6th Street Austin, Texas 30

310-22 319671

#### What We Accomplished

- A formal statement of Interactive Consistency Conditions<sup>1</sup> in the Boyer-Moore logic.
- A formal statement of the Oral Messages algorithm *OM* in the Boyer-Moore logic.
- A mechanically checked proof that *OM* satisfies the Interactive Consistency conditions.
- A mechanically checked proof of the optimality result: no algorithm can tolerate fewer faults than *OM* yet still achieve Interactive Consistency.
- The use of OM in a functional specification for a fault-tolerant device.
- A formal description of the design of the device.
- A mechanically checked proof that the device design satisfies the specification.
- An implementation of the design in programmable logic arrays.

<sup>&</sup>lt;sup>1</sup>See "The Byzantine Generals Problem", Lamport, Shostak and Pease, ACM Toplas, Vol 4, No 3, July 1982.

#### A Stack of Related Machines



#### The Specification

The specification is a function that describes a finite state machine.

At every step, each of N processes

- 1. reads its sensor input,
- 2. exchanges its sensor value with all other processes,
- 3. produces an *interactive consistency vector* (ICV) that contains what it concludes is each other process's value, and
- 4. applies a filter function to the ICV to produce an output.

# **Properties of the Specification Function**

The exchange of sensor values is accomplished by an algorithm called OM.

OM achieves interactive consistency. That is,

A process sends a message to n-1 destination processes.

- 1. All non-faulty destination processes agree on the same received value.
  - 2. If the sending process is non-faulty, then every non-faulty destination process receives the message sent.

OM has been defined as a function in the Boyer-Moore logic, and a proof that

interactive consistency is achieved has been mechanically checked.

## Formal Statement of Correctness of OM

Let

- *n* be the number of processes,
- *L* be the set  $\{0, ..., n-1\}$ ,
- $g, i, j \in L$  be process names,
- x be g's local value, and
- *m* give the number of rounds of information exchange.

The interactive consistency conditions are stated as follows.

$$\neg faulty(i)$$

$$\& \neg faulty(j)$$

$$\& 3:faults(L) < n$$

$$\& faults(L) \le m$$

$$\rightarrow$$

$$OM(n, g, x, m)[i] = OM(n, g, x, m)[j],$$

$$\neg faulty(g)$$

$$\& \neg faulty(i)$$

$$\& 3:faults(L) < n$$

$$\& faults(L) \le m$$

$$\rightarrow$$

$$OM(n, g, x, m)[i] = x$$

# Specification Abstraction

The following aspects of the specification are not constrained:

1. The number of processes.

.

-

- 2. The types of the input and output values.
- 3. The nature of the filter function.

# What Interactive Consistency Guarantees

The specification can be thought of as a function which

- receives a sequence of N-tuples of input values, and
- produces a sequence of N-tuples of output values.

Because of Interactive Consistency, we can conclude:

At each step, all non-faulty processes agree on their output iff the total number of processors exceeds three times the number of faulty processors.

### The Device Design

Goal: Design 4 identical circuits which, when operating synchronously, achieve Byzantine agreement.



#### **A Process Internal State**



18 August 1990

#### **Process Steps**

```
0: data_out[i] \leftarrow sense, i \in \{0, 1, 2\}
                      ← sense
    icv[\overline{3}]
                      \leftarrow clock+1
    clock
                      \leftarrow \text{ input [i], } i \in \{0, 1, 2\}
1: m[0,i]
    data_out[0] \leftarrow input[1]
    data out[1] \leftarrow input[0]
     data out[2] \leftarrow input[0]
                      \leftarrow clock+1
     clock
                      \leftarrow \text{ input[i], } i \in \{0, 1, 2\}
2: m[1,i]
     data_out[0] \leftarrow m[0,2]
     data_out[1] \leftarrow m[0,2]
     data_out[2] \leftarrow m[0,1]
                       \leftarrow clock+1
     clock
                       \leftarrow \text{ input[i], } i \in \{0, 1, 2\}
 3: m[2,i]
                       \leftarrow clock+1
      clock
                 ← majority(m[0,0], m[1,2], m[2,1])
  4: icv[0]
                 ← majority(m[0,1], m[1,0], m[2,2])
      icv[1]
                  ← majority(m[0,2], m[1,1], m[2,0])
      icv[2]
                  \leftarrow clock+1
      clock
                        ← filter(icv)
  5: Actuator
                        \leftarrow clock+1
      clock
                        \leftarrow clock+1
  6: clock
                        \leftarrow clock+1
  7: clock
```

## Summary of Device Design

- 1. Four identical devices.
- 2. Only internal and external data flow specified, data width not.
- 3. Filter function constrained to tolerate ICV rotations.

# **Correctness of Device Design**

-



### **Device Implementation**

#### by Larry Smith



N91-17570

2:5 511-61

319072

Verifying an Interactive Consistency Circuit: A Case Study in the Reuse of a Verification Technology

> Mark Bickford Mandayam Srivas

Odyssey Research Associates, Inc. 301A Harris B. Dates Drive Ithaca, NY 14850.

This talk presented the work done at ORA for NASA-LRC in the design and formal verification of a hardware implementation of a scheme for attaining interactive consistency (byzantine agreement) among four microprocessors. The microprocessors used in the design are an updated version of a formally verified 32-bit, instruction-pipelined, RISC processor, MiniCayuga. The 4-processor system, which is designed under the assumption that the clocks of all the processors are synchronized, provides ``software control'' over the interactive consistency operation. Interactive consistency computation is supported as an explicit instruction on each of the microprocessors. An identical user program executing on each of the processors decides when and on what data interactive consistency must be performed.

This exercise also served as a case study to investigate the effectiveness of reusing the technology which had been developed during the MiniCayuga effort for verifying synchronous hardware designs. MiniCayuga was verified using the verification system Clio which was also developed at ORA. To assist in reusing this technology a computer-aided specification and verification tool was developed. This tool specializes Clio to synchronous hardware designs and significantly reduces the tedium involved in verifying such designs. The talk presented the tool and described how it was used to specify and verify the interactive consistency circuit.

#### Summary

Achievements

1. Formalization of abstract Byzantine agreement algorithm.

2. Use of this algorithm to specify a hardware device.

3. A mechanically checked proof that the device design is correct.

4. The implementation of the device form the low-level design.

Limitations

1. Assumes synchronized behavior of the processes.

# Verifying an Interactive Consistency Circuit:

A Case Study in the Reuse of a Verification Technology

> Mark Bickford Mandayam Srivas

Odyssey Research Associates, Inc. 301A Harris B. Dates Drive Ithaca, NY 14850.

### **Objectives** of the Work

- Design an efficient hardware implementation for a 4-processor architecture
- Use verified MiniCayuga's in the design
- Verify the design
- Reuse MiniCayuga verification technology
  - A method of modeling synchronous hardware designs in the Clio verification system
  - Formalizing a class of properties most commonly encountered in verifying designs
  - A "standard" proof strategy

Clio: A functional Language Based Verification System

- Catiban: A modern functional language eg., higher order functions, flats hypes, lary, etc. least  $P \propto = \propto, P \propto$ least  $P \propto +1$ 
  - Assertion Lovel : Full FOPC with equality on Caliban terms Prop := (?)(x) ~ [`!(least ? x)` = `True`] V`P(least ? x)`=`True`]
    - Interactive Theorem Proves
      - rewriting
        - Induction
          - structural
            - Fixed point
      - Other FORC proof Atrategies

# **Presentation Outline**

.....

- IC circuit design
- The computer-aided hardware verification tool
- How we verified it
- General observations about the effort



· • :

Two new instructions:

ICOP REG - initiates and co-orinates IC computation MOVE SREG REG - moves special REG to general REG

|| check if voter is free

- Notfree MOVE STATUS REG1 JIF REG1 Notfree ICOP REG2
- || check if IC computation is complete

Notready MOVE STATUS REG1

JIF REG1 Notready

- || move the results of IC to general registers MOVE SREGO REG3 MOVE SREG1 REG4 MOVE SREC2 REC5
  - MOVE SREG2 REG5

5



É,

- voter separate from processor: modularity
- point-to-point connection: electrical isolation
- serialize data transfers: number of pins
   Vs. time
- Fault region: processor, voter, and the connections they feed

6 A.

- no absolute indexing scheme for processors/voters

   relative indexing scheme: succ, succ<sup>2</sup>, succ<sup>3</sup>
  - IC vectors will be stored in the processors in the order of their successors
  - Underlying assumption: clocks are synchronized with at most a bounded skew
    - hold sender's signal stable for one phase longer than needed



# IC System Design Behavior

- *Initiate*: draw the attention of voter (1)
- Load: transfer private values (2)
- Exchange: exchange received values (6)
- Compute: compute and store IC vector (3)





Conseque FT Conserver

Controller State Machine

 $\langle \rangle$ 

### MiniCayuga Processor: Summary

- Inspired by Cayuga (Cornell University)
- 32-bit RISC processor
- Design characteristics
  - 32 general purpose registers
  - small and simple instruction set
  - 3-stage instruction pipeline: fetch, compute, writeback
  - delayed jump, pipeline stalling, internal forwarding
  - interrupt

### What do we prove ?

### Assuming

- every Cayuga-FT is about to execute an ICOP,
- every Voter is ready to vote, and
- there is at most one faulty region,

then, 12 cycles later the system state will satisfy the following conditions:

- The IC vectors in the processors are identical "up to rotation."
- The IC vectors are correct w.r.t. to the processor private values 12 cycles earlier.

# A Computer-Aided Verification Tool

- Specializes Clio to the domain of *finite* state controller systems
- Design specification generation
- Verification condition formulation
- Automatic proof support



Controller State Machine

## Finite State Controller Systems (FSCS)

- Central Controller + Data Path components
- Component behavior is specified as a set of *actions*
- Controller is specified as an FSM which schedules a set of *actions* on the components.
- Timing Model
  - Every transition corresponds to a clock cycle (with multiple phases)
  - An action may have zero or more units (phases) of delay
  - Actions are synchronized with state transitions

# Specification technology reused

 a method of formalizing the intended operational model of an FSCS in Caliban/Clio

designspecgen :: data-path-structure -> controller-structure -> controller-schedule -> actions-behavior -> design-spec

Execute :: STATE -> STATE

"single clock cycle behavior of design"

### Proof technology shared

• Form of the most commonly proved conditions

Invariant conditions



Advance conditions



• Proof strategy: "controlled symbolic evaluation (rewriting) with selective case-splits" The Specification Hierarchy



## Rationale for the hierarchy

- Decompose proofs into manageable units
- Need for the black level
  - introduce "error" actions
  - type of Execute is different from that of action
- Implication of intermediate levels
  - pro: proof can take "bigger" steps
  - con: must come up with intermediate abstract specification

### **Top Level Specification**

. . .

```
||IcNetState :: <<(INDEX -> FTCstate),
                   (INDEX -> Voterstate), Interrupts>>
11
IcNetStep <<ftc,vtr, int:rest>> =
     <<newftc,newvtr ,rest>>
     where newftc index
            = fault_ftc_step index ftc (ftcinput index)
           newvtr index
            = fault_vtr_step index vtr (vtrinput index)
           ftcinput index
            = make_ftc_in (select_int index int)
                           (fault_to_proc index ftc vtr)
           vtrinput index
             = Voterinput index ftc vtr
                                       (ftcinput index )
fault_ftc_step index s in =
    FtCayugaStep (s index) in , ~(faulty index)
    byzCayugaStep (s index) in
fault_vtr_step index s =
    voterstep (s index) , ~(faulty index)
    byzstep (s index)
```

#### **Formal Statement of Correctness**

```
Preconditions 's' :=
Proper_icnet 's' & Sync 'LDP1' 's' & All_go 's'
```

```
Sync 'cs' '<<ftc,vtr,inlist>>' :=
   ('faulty ONE' = 'False' =>
        'control (vtr ONE)'='cs')
& ('faulty TWO' = 'False' =>
        'control (vtr TWO)'='cs')
& ('faulty THREE' = 'False' =>
        'control (vtr THREE)'='cs')
& ('faulty FOUR' = 'False' =>
        'control (vtr FOUR)'='cs')
```

```
Preconditions 's' :=
   Proper_icnet 's' & Sync 'LDP1' 's' & All_go 's'
Sync 'cs' '<<ftc,vtr,inlist>>' :=
    ('faulty ONE' = 'False' =>
            'control (vtr ONE)'='cs')
 & ('faulty TWO' = 'False' =>
            'control (vtr TWO)'='cs')
 & ('faulty THREE' = 'False' =>
            'control (vtr THREE)'='cs')
 & ('faulty FOUR' = 'False' =>
            'control (vtr FOUR)'='cs')
All_go 's' :=
 ('faulty ONE'='False' =>
   ('go_of (vtr s ONE)'='False' & 'go_signal s ONE'='GO'))
& ('faulty TWO'='False' =>
   ('go_of (vtr s TWO)'='False' & 'go_signal s TWO'='GO'))
& ('faulty THREE'='False' =>
   ('go_of (vtr s THREE)'='False'
                            & 'go_signal s THREE'='GO'))
& ('faulty FOUR'='False' =>
   ('go_of (vtr s FOUR)'='False'
                            & 'go_signal s FOUR'='GO'))
```

## **The proof strategy reused** "controlled symbolic execution of design"

- 1. Instantiate the states of components and inputs with appropriate symbolic constants.
- Add all the conditions on the constants implied by the preconditions of the theorem as hypothesis.
- 3. Symbolically evaluate design.
- 4. Try case-splitting on all the conditionals automatically.
- 5. If either of the previous two steps seem to take too long, then case-spilt on the controller states and inputs before symbolic evaluation (step 3).

### New technology needed

- Modeling faulty behavior
- Specification
  - determining the right hierarchy
  - writing intermediate "abstract" spec
  - defining abstraction function (ABS)
- Proof: "design level properness" implies "abstract level properness"

#### **General Observations**

- An engineering-oriented verification experience
   Lilith → MiniCayuga → IC circuit
- Methodology: top-down + bottom-up
- Level of effort: 1 man year
  - building the tool
  - developing designs
  - verification

### **Verification Effort Milestones**

- formulated a top level correctness statement
- designed and verified a simple voter circuit
- specified voter and processor for a continuous voting scheme
- designed and verified second voter design

- discovered continuous voting scheme was "hard to synchronize"
- respecified voter and processor for a votingon-demand scheme
- redesign and reverify voter
- verified overall system
- verified processor

- To integrate theorem proving based verification technology into the design process we need:
  - more machine assistance
  - domain specialization
  - The next step ?
    - A useful way of reporting failed proof attempts
    - Interaction with motivated and patient engineering design teams and projects



512-1

319613

# Hardware Verification at Computational Logic, Inc.

Bishop C. Brock Warren A. Hunt, Jr.

Computational Logic Incorporated 1717 West Sixth Street, Suite 290 Austin, Texas 78703-4776

+1 512 322 9951 Brock@CLI.COM, Hunt@CLI.COM

3 August 1990

#### **Talk Topics**

- Hardware Verification: What Is It?
- Formal Methods: What Good Are They?
- Verification Methodology
- Present Accomplishments
- Expected Near Term Results
- Present Trends
- Future Directions
- Collaborations and Technology Transfer
- Technology Enablers
- Conclusions

#### Hardware Verification: What Is It?

The mathematical formalization of the specification of any (all) aspects of hardware design.

We specifically are interested in the design of hardware for digital computing.

#### Goals:

- Completely replace programmer's manuals, timing diagrams, interface specifications, power requirements, etc. with clear precise formulas.
- Provide a perfectly clear foundation upon which systems can be built.

### Formal Methods: What Good Are They?

Formal methods in the U.S. have a bad credit rating.

Over the years, good mechanized software verification systems have been constructed.

Good software verification tools are being extended to include hardware verification, thus providing good systems verification tools.

Hardware verification seems more tractable than software verification:

- few, repeatedly-used, low-level constructs;
- specification domain is less abstract (fairly concrete); and
- formal methods can be used incrementally.

Last point is critical, note Bryant's work.

#### **Our Verification Methodology**

We employ the Boyer-Moore logic to:

- write design specifications;
- write behavioral specifications; and
- record relations.

The Boyer-Moore theorem prover

- insures that definitions are well formed;
- checks that proofs are correct; and
- manages our evolving database of facts.

#### **Present Accomplishments**

Our application of formal methods to hardware specification and verification include:

- Core RISC specification;
- FM8502 microprocessor verification;
- verification of circuits using standard TTL components;
- a formalization of a simple HDL; and
- verified synthesis of combinational circuits.

Let us consider several in more detail.

#### Core RISC

Bill Bevier has formally specified a set of instructions that characterize a Core RISC-complient processor. This formalization includes:

- byte, half-word, and long-word memory accesses;
- Boolean, natural number, and integer ALU operations;
- a minimum register set; and
- an exception mechanism.

The emphasis here has been on mathmatically modeling the instruction set.

Our study of RISC architectures indicates that we need to be able to model multi-phase clocking schemes before we attempt to design a build a verified Core RISC processor. This effort is ongoing.

### The FM8502 Fabrication

Currently, our primary effort involves the fabrication of the FM8502 microprocessor.

This fabrication effort is a test-of-concept; that is, can we manufacture formally modeled circuits and get them working?

The FM8502 microprocessor is a 32-bit general purpose microprocessor with:

- 32-bit addressing;
- 16 general-purpose registers;
- two-address architecture;
- 5 addressing modes;
- a 16-function ALU
- extensive flag support; and
- little else.

| 31 29                                                                                        | 28 25 24                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   | 21 20 19 18 17 16 15 14                                                                                                                                                                                                                         | 11109 6543 0                                                                                                                                                                                                                                                                                                                                                             |
|----------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|                                                                                              |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |                                                                                                                                                                                                                                                 |                                                                                                                                                                                                                                                                                                                                                                          |
| UNUSED                                                                                       | OP-CODE STORE                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              | CC C V N Z MODEB REC                                                                                                                                                                                                                            | B O UNUSED MODEA REGA                                                                                                                                                                                                                                                                                                                                                    |
| Choole                                                                                       |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |                                                                                                                                                                                                                                                 |                                                                                                                                                                                                                                                                                                                                                                          |
|                                                                                              |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |                                                                                                                                                                                                                                                 |                                                                                                                                                                                                                                                                                                                                                                          |
|                                                                                              |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |                                                                                                                                                                                                                                                 |                                                                                                                                                                                                                                                                                                                                                                          |
|                                                                                              |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |                                                                                                                                                                                                                                                 | · · · · · · · · · · · · · · · · · · ·                                                                                                                                                                                                                                                                                                                                    |
| 31 29                                                                                        | 9 28 25 24                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | 21 20 19 18 17 16 15 14                                                                                                                                                                                                                         |                                                                                                                                                                                                                                                                                                                                                                          |
|                                                                                              |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |                                                                                                                                                                                                                                                 |                                                                                                                                                                                                                                                                                                                                                                          |
| UNUSED                                                                                       | OP-CODE STOR                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | B-CC C V N Z MODER REC                                                                                                                                                                                                                          | DB I IMMEDIATE                                                                                                                                                                                                                                                                                                                                                           |
|                                                                                              |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |                                                                                                                                                                                                                                                 |                                                                                                                                                                                                                                                                                                                                                                          |
|                                                                                              |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |                                                                                                                                                                                                                                                 |                                                                                                                                                                                                                                                                                                                                                                          |
|                                                                                              |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |                                                                                                                                                                                                                                                 |                                                                                                                                                                                                                                                                                                                                                                          |
|                                                                                              | MODE                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       | C OPERAND DESCRIP                                                                                                                                                                                                                               | TION                                                                                                                                                                                                                                                                                                                                                                     |
|                                                                                              | 00                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | Rn Register                                                                                                                                                                                                                                     | Direct                                                                                                                                                                                                                                                                                                                                                                   |
|                                                                                              | 01                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | (Rn) Register                                                                                                                                                                                                                                   |                                                                                                                                                                                                                                                                                                                                                                          |
|                                                                                              |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |                                                                                                                                                                                                                                                 |                                                                                                                                                                                                                                                                                                                                                                          |
|                                                                                              | 10                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |                                                                                                                                                                                                                                                 |                                                                                                                                                                                                                                                                                                                                                                          |
|                                                                                              | 10<br>11                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   | -(Rn) Register                                                                                                                                                                                                                                  | Indirect Pre-decrement<br>Indirect Post-increment                                                                                                                                                                                                                                                                                                                        |
| R CODE                                                                                       | 11                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | -(Rn) Register<br>(Rn)+ Register                                                                                                                                                                                                                | Indirect Pre-decrement<br>Indirect Post-increment                                                                                                                                                                                                                                                                                                                        |
|                                                                                              | 11<br>OPERATION                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | -(Rn) Register<br>(Rn)+ Register<br>DESCRIPTION                                                                                                                                                                                                 | Indirect Pre-decrement<br>Indirect Post-increment<br>STORE-CC CONDITIO!                                                                                                                                                                                                                                                                                                  |
| 0000                                                                                         | 11<br>OPERATION<br>b <- a                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  | -(Rn) Register<br>(Rn)+ Register<br>DESCRIPTION<br>Move                                                                                                                                                                                         | Indirect Pre-decrement<br>Indirect Post-increment<br>STORE-CC CONDITION<br>0000 Carry clear                                                                                                                                                                                                                                                                              |
| 0000<br>0001                                                                                 | 11<br>OPERATION<br>b <- a<br>b <- a + 1                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    | -(Rn) Register<br>(Rn)+ Register<br>DESCRIPTION<br>Move<br>Increment                                                                                                                                                                            | Indirect Pre-decrement<br>Indirect Post-increment<br>STORE-CC CONDITION<br>0000 Carry clear                                                                                                                                                                                                                                                                              |
| 0000<br>0001<br>0010                                                                         | 11<br>OPERATION<br>b <- a<br>b <- a + 1<br>b <- a + b + c                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  | -(Rn) Register<br>(Rn)+ Register<br>DESCRIPTION<br>Move<br>Increment<br>Add with carry                                                                                                                                                          | Indirect Pre-decrement<br>Indirect Post-increment<br>STORE-CC CONDITION<br>0000 Carry clear<br>0001 Carry set                                                                                                                                                                                                                                                            |
| 0000<br>0001<br>0010<br>0011                                                                 | 11<br><b>OPERATION</b><br>b <- a<br>b <- a + 1<br>b <- a + b + c<br>b <- b + a                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | -(Rn) Register<br>(Rn)+ Register<br>DESCRIPTION<br>Move<br>Increment<br>Add with carry<br>Add                                                                                                                                                   | Indirect Pre-decrement<br>Indirect Post-increment<br>STORE-CC CONDITION<br>0000 Carry clear<br>0001 Carry set<br>0010 Overflow clea                                                                                                                                                                                                                                      |
| 0000<br>0001<br>0010<br>0011<br>0100                                                         | 11<br><b>OPERATION</b><br>b <- a<br>b <- a + 1<br>b <- a + b + c<br>b <- b + a<br>b <- 0 - a                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | -(Rn) Register<br>(Rn)+ Register<br>DESCRIPTION<br>Move<br>Increment<br>Add with carry                                                                                                                                                          | Indirect Pre-decrement<br>Indirect Post-increment<br>STORE-CC CONDITION<br>0000 Carry clear<br>0001 Carry set<br>0010 Overflow clea<br>0011 Overflow set                                                                                                                                                                                                                 |
| 0000<br>0001<br>0010<br>0011<br>0100<br>0101                                                 | 11<br><b>OPERATION</b><br>b <- a<br>b <- a + 1<br>b <- a + b + c<br>b <- b + a                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | -(Rn) Register<br>(Rn)+ Register<br>DESCRIPTION<br>Move<br>Increment<br>Add with carry<br>Add<br>Negation                                                                                                                                       | Indirect Pre-decrement<br>Indirect Post-increment<br>STORE-CC CONDITION<br>0000 Carry clear<br>0001 Carry set<br>0010 Overflow clea<br>0011 Overflow set<br>0100 Not negative                                                                                                                                                                                            |
| 0000<br>0001<br>0010<br>0011<br>0100                                                         | 11<br><b>OPERATION</b><br>b <- a<br>b <- a+1<br>b <- a+b+c<br>b <- b+a<br>b <- 0 - a<br>b <- a - 1                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | -(Rn) Register<br>(Rn)+ Register<br>DESCRIPTION<br>Move<br>Increment<br>Add with carry<br>Add<br>Negation<br>Decrement                                                                                                                          | Indirect Pre-decrement<br>Indirect Post-increment<br>STORE-CC CONDITION<br>0000 Carry clear<br>0001 Carry set<br>0010 Overflow clea<br>0011 Overflow set<br>0100 Not negative<br>0101 Negative                                                                                                                                                                           |
| 0000<br>0001<br>0010<br>0011<br>0100<br>0101<br>0101                                         | 11<br><b>OPERATION</b><br>b <- a<br>b <- a + 1<br>b <- a + b + c<br>b <- b + a<br>b <- 0 - a<br>b <- a - 1<br>b <- b - a - c                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | -(Rn) Register<br>(Rn)+ Register<br>DESCRIPTION<br>Move<br>Increment<br>Add with carry<br>Add<br>Negation<br>Decrement<br>Subtract with borrow                                                                                                  | Indirect Pre-decrement<br>Indirect Post-increment<br>STORE-CC CONDITION<br>0000 Carry clear<br>0001 Carry set<br>0010 Overflow clear<br>0011 Overflow set<br>0100 Not negative<br>0101 Negative<br>0110 Not zero<br>0111 Zero                                                                                                                                            |
| 0000<br>0001<br>0010<br>0011<br>0100<br>0101<br>0110<br>0111                                 | 11<br><b>OPERATION</b><br>b <-a<br>b <-a+1<br>b <-a+b+c<br>b <-b+a<br>b <-0-a<br>b <-a-1<br>b <-b-a-c<br>b <-b-a                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           | -(Rn) Register<br>(Rn)+ Register<br>DESCRIPTION<br>Move<br>Increment<br>Add with carry<br>Add<br>Negation<br>Decrement<br>Subtract with borrow<br>Subtract                                                                                      | Indirect Pre-decrement<br>Indirect Post-increment<br>STORE-CC CONDITION<br>0000 Carry clear<br>0001 Carry set<br>0010 Overflow clear<br>0011 Overflow set<br>0100 Not negative<br>0101 Negative<br>0110 Not zero<br>0111 Zero                                                                                                                                            |
| 0000<br>0001<br>0010<br>0011<br>0100<br>0101<br>0110<br>0111<br>1000                         | 11<br><b>OPERATION</b><br>b <-a<br>b <-a+1<br>b <-a+b+c<br>b <-b+a<br>b <-0-a<br>b <-a-1<br>b <-b-a-c<br>b <-b-a<br>b <-a>1                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                | -(Rn) Register<br>(Rn)+ Register<br>DESCRIPTION<br>Move<br>Increment<br>Add with carry<br>Add<br>Negation<br>Decrement<br>Subtract with borrow<br>Subtract<br>Rotate right through carr                                                         | Indirect Pre-decrement<br>Indirect Post-increment<br>STORE-CC CONDITION<br>0000 Carry clear<br>0001 Carry set<br>0010 Overflow clear<br>0011 Overflow set<br>0100 Not negative<br>0101 Negative<br>0110 Not zero<br>0111 Zero<br>ry 1000 Higher                                                                                                                          |
| 0000<br>0001<br>0010<br>0011<br>0100<br>0101<br>0110<br>0111<br>1000<br>1001                 | 11<br>OPERATION<br>b <- a<br>b <- a + 1<br>b <- a + b + c<br>b <- b + a<br>b <- 0 - a<br>b <- a - 1<br>b <- b - a - c<br>b <- b - a<br>b <- a > 1<br>b <- a > 1                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | -(Rn) Register<br>(Rn)+ Register<br>DESCRIPTION<br>Move<br>Increment<br>Add with carry<br>Add<br>Negation<br>Decrement<br>Subtract with borrow<br>Subtract<br>Rotate right through carr<br>Arithmetic shift right                               | Indirect Pre-decrement<br>Indirect Post-increment<br>STORE-CC CONDITION<br>0000 Carry clear<br>0001 Carry set<br>0010 Overflow clea<br>0011 Overflow set<br>0100 Not negative<br>0101 Negative<br>0110 Not zero<br>0111 Zero<br>ry 1000 Higher<br>1001 Lower or san                                                                                                      |
| 0000<br>0001<br>0010<br>0011<br>0100<br>0101<br>0110<br>0111<br>1000<br>1001<br>1010         | 11<br>OPERATION<br>b <- a<br>b <- a + 1<br>b <- a + b + c<br>b <- b + a<br>b <- 0 - a<br>b <- b - a<br>b <- a - 1<br>b <- b - a - c<br>b <- b - a<br>b <- a >> 1<br>b <- a -> 1<br>b <- a >> 1<br>b <- a > | -(Rn) Register<br>(Rn)+ Register                                                                                                                                                                                                                | Indirect Pre-decrement<br>Indirect Post-increment<br>STORE-CC CONDITION<br>0000 Carry clear<br>0001 Carry set<br>0010 Overflow clea<br>0011 Overflow set<br>0100 Not negative<br>0101 Negative<br>0101 Negative<br>0111 Zero<br>0111 Zero<br>0111 Zero<br>0111 Lower or san<br>1000 Greater or eq                                                                        |
| 0000<br>0001<br>0010<br>0011<br>0100<br>0101<br>0110<br>0111<br>1000<br>1001<br>1010<br>1011 | 11<br><b>OPERATION</b><br>b <- a<br>b <- a+1<br>b <- a+b+c<br>b <- b+a<br>b <- 0-a<br>b <- a-1<br>b <- b-a-c<br>b <- b-a<br>b <- a>>1<br>b <- a>>1<br>b <- bXOR a                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          | -(Rn) Register<br>(Rn)+ Register<br>DESCRIPTION<br>Move<br>Increment<br>Add with carry<br>Add<br>Negation<br>Decrement<br>Subtract with borrow<br>Subtract<br>Rotate right through carr<br>Arithmetic shift right<br>Logical shift right<br>XOR | Indirect Pre-decrement<br>Indirect Post-increment<br>STORE-CC CONDITION<br>0000 Carry clear<br>0001 Carry set<br>0010 Overflow clea<br>0011 Overflow set<br>0100 Not negative<br>0101 Negative<br>0101 Negative<br>0111 Zero<br>1000 Higher<br>1001 Lower or san<br>1010 Greater or eq<br>1011 Less                                                                      |
| 0001<br>0010<br>0011<br>0100<br>0101<br>0110<br>0111<br>1000<br>1001<br>1010<br>1011<br>1100 | 11<br><b>OPERATION</b><br>b <- a<br>b <- a+1<br>b <- a+b+c<br>b <- b+a<br>b <- 0-a<br>b <- a-1<br>b <- b-a-c<br>b <- b-a<br>b <- a>>1<br>b <- bXOR a<br>b <- bOR a                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | -(Rn) Register<br>(Rn)+ Register                                                                                                                                                                                                                | Indirect Pre-decrement<br>Indirect Post-increment<br>More Post-increment<br>STORE-CC CONDITION<br>0000 Carry clear<br>0001 Carry set<br>0010 Overflow clea<br>0011 Overflow set<br>0100 Not negative<br>0101 Negative<br>0101 Negative<br>0110 Not zero<br>0111 Zero<br>0111 Zero<br>1000 Higher<br>1001 Lower or san<br>1010 Greater or eq<br>1011 Less<br>1100 Greater |

· · · · ·

# The FM8502 Implementation Specification

To be able to manufacture the FM8502 with some precision, we have been working on the formalization of an HDL.

We will prove the correctness of our HDL description of the FM8502, and then translate our HDL description into a commercial HDL.

Our HDL provides our lowest-level model for the FM8502 implementation:

- every internal gate and register is described;
- every I/O pad is defined; and
- we expect to validate our test vectors directly on our HDL description.

Our HDL specification also includes all of the internal test logic.



## **A Formal HDL**

Our HDL is structured like commercial HDL's:

- netlist based;
- heirarchicaly structured;
- occurence-oriented; and
- allows multiple views of circuits.

We have a formal specification of our HDL:

- a predicate recognizes well-formed circuits; and
- several interpreters define the semantics.



### **Verified Synthesis**

We perform synthesis by

- writing circuit generator programs;
- verifying the circuit generator programs; and
- then running the generators to produce provably correct circuits.

In other words, after a circuit has been generated we need not inspect it for the Boolean correctness.

#### **An ALU Generator**

We have an arbitrary size, 16-function ALU generator which is:

- programmable -- ALUs with different internal structure can be produced;
- "intelligent" -- internal buffers are only added when needed; and
- has been verified to generate correct *n*-bit, gatelevel ALU descriptions.

Simple translators can convert the ALU descriptions into conventional CAD languages (e.g., VHDL).

To replay the proof only takes about 20 (Sun 3) minutes.

#### **ALU Generator Output Summary**

Summarized below are some characteristics of the ALUs generated by our verified ALU generator.

| ALU Characteristics |            |        |       |  |  |
|---------------------|------------|--------|-------|--|--|
| Size                | Gate Count | Fanout | Delay |  |  |
| 1 bit               | 126        | 8      | 12    |  |  |
| 2 bits              | 149        | 8      | 14    |  |  |
| 4 bits              | 196        | 8      | 17    |  |  |
| 8 bits              | 297        | 8      | 22    |  |  |
| 16 bits             | 491        | 8      | 26    |  |  |
| 32 bits             | 880        | 8      | 30    |  |  |
| 64 bits             | 1665       | 8      | 35    |  |  |
| 128 bits            | 3227       | 8      | 39    |  |  |

**Payoff:** It only takes 0.6 seconds to generate a correct 32-bit ALU, 1.3 seconds for a 64-bit ALU, and 3.1 seconds for a 128-bit ALU.

#### **Expected Near Term Results**

Several projects underway which will conclude this year are:

- an ability to verify sequential circuits generators; and
- the fabrication of the FM8502 microprocessor.

We are using both combinational and sequential logic synthesis techniques in the fabrication of the FM8502.

We will be able to generate a correct *n*-bit microprocessor (so long as the word size is large enough to contain FM8502 instructions.)

We will generate a gate-array specification directly.

We are generating our test-vectors directly from our formal circuit specifications.

#### **Present Trends**

There is increasing interest in:

- boolean comparison -- which should lead the way to more general purpose techniques;
- register-transfer specifications with circuit verification;
- formalization of self-timed circuits;
- formalization of timing behavior; and
- transformational systems.

These trends are all indicative of increased use of formal techniques for hardware specification and verification.

And these techniques are being applied incrementally.



#### **Industrial Collaborations**

We have been working with DEC for two years.

Motorola may attempt the specification (and possibly the verification) of one of their microcontrollers.

#### **Technology Transfer**

We highly value interactions with industry; we all profit.

Our formal techniques may be used incrementally, i.e., "creeping formalization."

Industry first employs our techniques for (unambiguous) specification, later for verification.

Specification is a big problem for industry -- formal specification allows analysis without exhaustive testing.

#### **Technology Enablers**

Is the state-of-the-art separating further from the state-of-the-practice?

To enable the use of formal techniques in hardware design we need to:

- train more engineers with formal methods (not train mathematicians to be engineers);
- make existing tools and techniques more accessible to engineers; and
- make formal techniques the most economical method of hardware validation.

A big success or two would help us get industry's attention.

#### Conclusions

Formal methods can be used to provide accurate specifications.

Hardware verification provides increased assurance of circuit correctness.

Formal techniques provide a good growth path; they scale up well.

The credit rating of formal techniques is improving.

Goals:

- Completely replace programmer's manuals, timing diagrams, interface specifications, power requirements, etc. with clear precise formulas.
- Provide a perfectly clear foundation upon which systems can be built.

# N91-17572 Generic Interpreters and Microprocessor Verification

#### Phillip J. Windley

Department of Computer Science University of Idaho

August, 1990

This work was sponsored under Boeing Contract NAS1-18586, Task Assignment No. 3, with NASA-Langley Research Center.

341

319684

5/3 -...)

#### Outline

• Introduction

• Generic interpreters

Microprocessor Verification

•

• Future Work

# Microprocessor Verification

٢

- VIPER, the first commercially available, "verified" microprocessor, has never been formally verified.
  - The proof was not completed even though
     2 years were spent on the verification.

# Microprocessor Verification (continued)

- Our research is aimed at making the verification of large microprocessors tractable.
- Our objective is to provide a framework in which a masters—level student can verify VIPER in 6 person—months.

#### Determining Correctness

In VIPER (and most other microprocessors), the correctness theorem was shown by proving that the electronic block model implies the macro-level specification.



#### The Problem

(continued)

- Microprocessor verification is done through case analysis on the instructions in the macro level.
- The goal is to show that when the conditions for an instruction's selection are right, the electronic block model implies that it operates correctly.
- A lemma that the EBM correctly implements each instruction can be used to prove the top-level correctness result.

#### The Problem

Unfortunately, the one-step method doesn't scale well because

- The number of cases gets large.
- The description of the electronic block model is very large.

#### Hierarchical Decomposition



• A microprocessor specification can be decomposed hierarchically.

:

• The abstract levels are represented explicitly.

## Interpreters

An abstract model of the different layers in the hierarchy provides a methodological approach to microprocessor verification.

• The model drives the specification.

The model drives the verification.

## Interpreters (top level)



## Specifying an Interpreter (overview)

We specify an interpreter by:

- Choosing a *n*-tuple to represent the state,
  S.
- Defining a set of functions denoting individual interpreter instructions, **J**.
- Defining a next state function, N.
- Defining a predicate denoting the behavior of the interpreter, **I**.

### Verifying an Interpreter (overview)

We verify an interpreter, I with respect to its implementation M by showing

#### $\mathsf{M}\Rightarrow\mathsf{I}.$

To do this, we will show that every instruction in  $\mathbf{J}$  can be correctly implemented by  $\mathbf{M}$ :

 $\forall j \in \mathbf{J}.$   $\mathbf{M} \Rightarrow (\forall t: \text{time.})$  $\mathcal{C}(t) \Rightarrow s(t+n) = j(s(t)))$ 

where C represents the conditions for instruction j's selection.

### AVM-1

We have designed and are verifying a microcomputer with interrupts, supervisory modes and support for asynchronous memory.

- The datapath is loosely based on the AMD 2903 bit-sliced datapath.
- The instruction format is very simple.
- The control unit is microprogrammed.

## AVM-1's Instruction Set (subset)

| Opcode | Mnemonic | Operation                       |
|--------|----------|---------------------------------|
| 000000 | JMP      | jump on 16 conditions           |
| 000001 | CALL     | call subroutine                 |
| 000010 | INT      | user interrupt                  |
| 000110 | LD       | load                            |
| 000111 | ST       | store                           |
| 010000 | ADD      | add (3-operands)                |
| 011011 | SUBI     | subtract immediate (2-operands) |
| 011111 | NOOP     | no operation                    |

- The architecture is load-store.
- The instruction set is RISC-like.
- There is a large register file.

i



-

•

Figure 5.2: The AVM-1 Datapath

#### The Phase–Level Specification

The *n*-tuple representing the state:

 $\mathbf{S}_{phase} = (mir, mpc, reg,$  alatch, blatch, mar, mbr,clk, mem, urom, ireq, iack)

#### The Phase–Level Specification

•

A typical function specifying an instruction's behavior from  $J_{phase}$ :

#### The Electronic Block Model

The electronic block model is not specified as an interpreter.

- EBM is a *structural* specification.
- The specification
  - is in terms of smaller blocks.
  - uses existential quantification to hide internal lines.

#### Objects

There are several abstract classes of objects that we will use to define and verify an abstract interpreter.

- :\**state* An object representing system state.
- : \**key* The identifying tokens for instructions.
- : time A stream of natural numbers.

We will prime class names to indicate that the objects are from the implementing level.

## Operations

| Operation | Туре                                              |
|-----------|---------------------------------------------------|
| inst_list | : $(*key \times (*state \rightarrow *state))list$ |
| key       | $: *key \rightarrow num$                          |
| select    | : $*state \rightarrow *key$                       |
| cycles    | $: *key \rightarrow num$                          |
| substate  | : $*state' \rightarrow *state$                    |
| Impl      | : $(time \rightarrow *state') \rightarrow bool$   |
| clock     | $: *state' \rightarrow *key'$                     |
| begin     | : *key'                                           |

## Interpreter Theory (obligations)

The *instruction correctness lemma* is important in the generic interpreter verification.

Here is the generic version of that lemma for a *single* instruction:

Interpreter Theory (obligations)

Using the predicate INST\_CORRECT, we can define the theory obligations:

1. The instruction correctness lemma:

EVERY (INST\_CORRECT s') inst\_list

2. Every key selects an instruction:

 $\forall k : *key. (key k) < (LENGTH inst_list)$ 

3. The instruction list is ordered correctly:

 $\forall k : *key. \ k = (FST (EL (key k) inst_list))$ 





# *Interpreter Theory* (temporal abstraction)

We need to show a relationship between the state stream at the implementation level and the state stream at the top level.



The function f is a temporal abstraction function for streams.

ł

## Interpreter Theory (definition)

An interpreter's behavior is specified as a predicate over a state stream.

 $\begin{array}{l} \vdash_{def} \text{ INTERP } s = \\ \forall t: time. \\ \text{ let } n = (\text{key}(\text{select}(s \ t))) \text{ in} \\ s(t+1) = (\text{SND } (\text{EL } n \ \text{inst\_list}))(s \ t) \end{array} \end{array}$ 

## Interpreter Theory (correctness result)

Our goal is to verify an interpreter, I with respect to its implementation M by showing

#### $\mathsf{M}\Rightarrow\mathsf{I}.$

Here is the abstract result:  

$$\vdash$$
 Impl  $s' \land (clock(s' \ 0) = begin) \Rightarrow$   
INTERP  $(s \circ f)$ 

where

$$s = (\lambda t : time. substate(s' t))$$
 and

$$f = (time_abs (cycles \circ select)s)$$

## Instantiating a Theory

Instantiating the abstract interpreter theory requires:

- Defining the abstract constants.
- Proving the theory obligations.

1

• Running a tool in the formal theorem prover.

### Definitions

We wish to instantiate the abstract interpreter theory for the phase-level. The electronic block model will be the implementing level.

|    | Operation | Instantiation          |
|----|-----------|------------------------|
|    | inst_list | a list of instructions |
| :: | key       | bt2_val                |
| •• | select    | GetPhaseClock          |
|    | cycles    | PhaseLevelCycles       |
|    | substate  | PhaseSubstate          |
|    | Impl      | EBM                    |
|    | clock     | GetEBMClock            |
|    | begin     | EBM_Start              |

#### An Example

After proving the theory obligations, we can perform the instantiation.

```
let theorem_list =
    instantiate_abstract_theorems
        'gen_I'
        [Phase_I_EVERY_LEMMA;
         Phase_I_LENGTH_LEMMA;
         Phase_I_KEY_LEMMA]
        Γ
         "([(F,F),phase_one;
            (F,T),phase_two
            (T,F),phase_three
            (T,T),phase_four],
           bt2_val, GetPhaseClock,
           PhaseLevelCycles, PhaseSubstate,
           EBM, GetEBMClock, EBM_Start)";
         "(\lambda t:time. (mir t, mpc t, reg_list t,
                        alatch t, blatch t,
                        mbr_reg t, mar_reg t,
                        clk t, mem t, urom))"
       ٦
```

C.6.

'PHASE';;

73

#### The Electronic Block Model

 $\vdash$  EBM rep ( $\lambda$  t. (mir t, mpc t, reg t, alatch t, blatch t, mbr t, mar t, clk t, mem t, urom, ireq t, iack t)) = ∃ opc ie\_s sm\_s iack\_s amux\_s alu\_s sh\_s mbr\_s mar\_s rd\_s wr\_s cselect bselect aselect neg\_f zero\_f (float:time->bool). DATAPATH rep amux\_s alu\_s sh\_s mbr\_s mar\_s rd\_s wr\_s cselect bselect aselect neg\_f zero\_f float float ireq iack\_s iack opc ie\_s sm\_s clk mem reg alatch blatch mar\_reg mbr\_reg reset\_e ireq\_e A CONTROL\_UNIT rep mpc mir clk amux\_s alu\_s sh\_s mbr\_s mar\_s rd\_s wr\_s cselect bselect aselect neg\_f zero\_f ireq iack\_s opc ie\_s sm\_s urom reset\_e ireq\_e

Fully expanded, the electronic block model specification fills about six pages.

### Future Work

- New architectural features.
- Composing verified blocks.
- Verifying operating systems.
- Gate-level verification.
- Byte-code interpreter verification.
- Other classes of computer systems.

## An Example (continued)

After some minor manipulation, the final result becomes:

⊢ EBM

(λ t. (mir t,mpc t,reg\_list t,alatch t,blatch t, mbr\_reg t,mar\_reg t, clk t,mem t,urom)) ==> Phase\_I (λ t. (mir t,mpc t,reg\_list t,alatch t,blatch t,

mbr\_reg t,mar\_reg t, clk t,mem t,urom))

## Conclusions

The generic proof

-

- Cleared away all the irrelevant detail.
- Formalized the notion of interpreter proofs which has been used in several microprocessor verifications.
- Provided a structure for future microprocessor verifications.

VIPER Project

N91-17573

John Kershaw

Royal Signals Radar Establishment Malvern, England

The VIPER project has so far produced a formal specification of a 32 bit RISC microprocessor, an implementation of that chip in radiation-hard SOS technology, a partial proof of correctness of the implementation which is still being extended, and a large body of supporting software. The time has now come to consider what has been achieved and what directions should be pursued in future.

The most obvious lesson from the VIPER project has been the time and effort needed to use formal methods properly. Most of the problems arose in the interfaces between different formalisms e.g. between the (informal) English description and the HOL spec, between the block-level spec in HOL and the equivalent in ELLA needed by the low-level CAD tools. These interfaces need to be made rigorous or (better) eliminated.

VIPER 1A (the latest chip) is designed to operate in pairs, to give protection against breakdowns in service as well as design faults. We have come to regard redundancy and formal design methods as complementary, the one to guard against normal component failures and the other to provide insurance against the risk of the common-cause failures which bedevil reliability predictions.

Any future VIPER chips will certainly need improved performance to keep up with increasingly demanding applications. We have a prototype design (not yet specified formally) which includes 32 and 64 bit multiply, instruction pre-fetch, more efficient interface timing, and a new instruction to allow a quick response to peripheral requests. Work is under way to specify this device in MIRANDA, and then to refine the spec into a block-level design by top-down transformations. When the refinement is complete, a relatively simple proof checker should be able to demonstrate its correctness.

319695 AN

314-60

A.

#### Example of NODEN output

The NODEN analysis suite provides automatic comparison between the specification and design of moderately complex blocks of logic. The following example is taken from the VIPER design. MINOR is the simplest block in the chip, essentially consisting of a three bit counter. Following this paragraph is its specification in NODEN-HDL, whilst on the following pages are a correct and incorrect implementation. The final page shows the output of the comparison program when presented with the erroneous circuit.

```
\ ** MINOR STATE LOGIC in NODEN ** \
FN INCWORD3 = (word3: minor) -> word3:
    IF (VAL3 minor) = 7
    THEN WORD3 0
    ELSE WORD3((VAL3 minor)+1)
    FI.
```

```
BLOCK MINOR = (bool: nextmainbar advance
reset intresetbar)
-> (^word3: minor):
IF reset OR (NOT intresetbar) OR
(advance AND (NOT nextmainbar))
THEN WORD3 O
ELIF advance
THEN INCWORD3 minor
ELSE minor
FI.
```

```
\ **** 'Library' of primitive gate functions **** \
                        ) -> bool: NOT a.
FN INV =(bool: a
                      ) -> bool: NAND(a,b).
FN NAND2=(bool: a b
                        ) -> bool: a = b.
FN EXNOR=(bool: a b
FN ORNAND=(bool: a b c d) -> bool: NAND(a OR b, c OR d).
\ NB. NAND3 & NAND4 are built-in functions \
\ **** Correct gate level implementation **** \
BLOCK MINOR = (bool: nextmnbar advance reset intrstbar)
            -> (^word3: minor):
 BEGIN
     LET qbar_1 := NOT (minor[1]),
         qbar_2 := NOT (minor[2]),
         qbar_3 := NOT (minor[3]).
     LET gb2 := INV(advance).
     LET gb4 := INV(reset).
     LET gb1 := NAND4(nextmnbar,advance,gb4,intrstbar).
     LET gb3 := NAND3(gb2, gb4, intrstbar).
                   INV(qbar_1).
     LET gb7 :=
     LET gb8 := EXNOR(qbar_1, qbar_2).
                    INV(qbar_2).
      LET gb11 :=
      LET gb12 := NAND2(gb7, gb11).
      LET gb13 := EXNOR(gb12, qbar_3).
  OUTPUT (ORNAND(gb7, gb1, gb3, qbar_1),
          ORNAND(gb8, gb1, gb3, qbar_2),
          ORNAND(gb13, gb1, gb3, qbar_3)
         )
  END.
```

```
2
```

```
\ **** Wrong gate level implementation **** \
BLOCK M_ERR = (bool: nextmnbar advance reset intrstbar)
           -> (^word3: minor):
BEGIN
    LET qbar_1 := NOT (minor[1]),
        qbar_2 := NOT (minor[2]),
        qbar_3 := NOT (minor[3]).
    LET gb2 := INV(advance).
    LET gb4 := INV(reset).
    LET gb1 := NAND4(nextmnbar,advance,gb4,intrstbar).
    LET gb3 := NAND3(gb2, gb4, intrstbar).
                  INV(qbar_1).
    LET gb7 :=
        \ ** Inverted qbar_2 ** \
    LET gb8 := EXNOR(qbar_1, NOT qbar_2).
                  INV(qbar_2).
    LET gb11 :=
         \ ** Missing NAND with gb7 ** \
     LET gb12 := gb11.
     LET gb13 := EXNOR(gb12, qbar_3).
        \ ** Inverted first output ** \
 OUTPUT (NOT(ORNAND(gb7, gb1, gb3, qbar_1)),
             ORNAND(gb8, gb1, gb3, qbar_2),
             ORNAND(gb13, gb1, gb3, qbar_3)
        )
 END.
```

Specification: 'MINOR' Implementation: 'M\_ERR'

COMPARISON ERROR: Implementation output 'minor[1]' is always incompatible with the specification of 'minor[1]', output inverted?

COMPARISON ERROR: Implementation output 'minor[2]' is incompatible with the specification of 'minor[2] under the following circumstances:-

nextmainbar = t
 advance = t
 reset = f
intresetbar = t

indrebeedal

For specification output 'minor[3]' - implementation output 'minor[3]' :-

WARNING: Specification depends on minor[1] and implementation doesn't

COMPARISON ERROR: Implementation output 'minor[3]' is incompatible with the specification of 'minor[3] under the following circumstances:-

- nextmainbar = t
  - advance = t
    - reset = f
- intresetbar = t

minor[2] = f

\*\*\* Comparison fails, invalid implementation \*\*\*

## NODEN changes

Negative integer subranges allowed
 E.g. TYPE i8 = INT[-128..127].

+

+

- Automatic casts between types
   E.g. (t,t,f) + bool3\_val + i8\_val
- 2's compliment []bool to integer ops.
- Explicit legal value, !bool
- Compiler about four times faster.
- Analyer about twice as fast.

#### Old NODEN\_HDL

```
FN INCWORD3 = (word3: minor) -> word3:
IF (VAL3 minor) == 7
THEN WORD3 0
ELSE WORD3 ((VAL3 minor) + 1)
FI.
```

\_\_\_\_\_

#### New NODEN\_HDL

FN INCWORD3 = (word3: minor) -> word3: IF minor == 7 THEN 0 ELSE minor + 1 FI.

+

+

#### Bibliography

Cullyer W.J. and Pygott C.H. 1987: "Application of Formal Methods to the VIPER Microprocessor", Proc.IEE, 134, 133-141.

Kershaw J. 1987, "The VIPER Microprocessor": RSRE Report 87014.

Pygott C.H. 1988: "NODEN: An Engineering Approach to Hardware Verification", Froc. Workshop on the fusion of hardware design and verification, ed. Milne. North Holland.

Morison J D, Peeling N E, Thorp T L, 1985: "The design rationale of ELLA, a hardware design and description language", Proceedings of the Conference on Hardware Description Languages and their applications, Tokyo, Japan.

Halbert M.P. 1987: "A self-checking computer module based on the VIPER microprocessor", Proc. Safety & Reliability Society Symposium, Altrincham, UK.

Camilleri A, Gordon M, and Melham T. 1986: "Hardware Verification using Higher Order Logic", Proc. IFIP International WG10.2 Working Conference, North Holland.

Cohn A. 1987: "A Proof of Correctness of the VIPER Microprocessor: the First Level", Proc. Workshop on the Verification of Hardware, Calgary, Canada. Kluwer Academic Publishers 1988.

Brumfitt P.J. et al. 1987: "A Hardware Synthesis Methodology", IEE Colloquium on VLSI System Design: Specification and Synthesis, London, October 1987.

Currie 1.F. 1984: "Orwellian Programming in Safety-Critical Systems", Proc. Conference on System Implementation Languages - Practice and Experience, University of Kent at Canterbury.

Kershaw J: "The VIPER Microprocessor and its use in critical systems" Software Engineering Journal special issue on Safety Critical Systems (to be published)."

#### Why VIPER2?

• Faster, 32 and 64 bit multiply

+

+

- Improved interface to outside world
- New design methods now available

-1

+



• Instruction pre-fetch

+

+

- Dedicated adders for P and indexing
- Half-cycle overlaps rather than full cycle

Speed more than 3x at same clock frequency

1 A.

#### **On-board Multiply Instructions**

 $\ddot{\mathbb{C}}$ 

+

1

Three separate instructions, F = 13, 14, 15

- Signed, 32 bit product, stop on OVF
- Unsigned, LS 32 bits of product
- Unsigned, MS 32 bits of product

+

#### Improved interface

- "Call on signal" instruction
- "Frame restart" input
- Longer setup and hold times on memory and I/O cycles

+

Ś

4

+



+

+

Top-down synthesis by correctness-preserving transformations

- Starts from specification in MIRANDA
- Generates proof as part of design process
- May scale up better than *post hoc* proof

+

# VIPER 1A perspective

+

+

The present chip falls in between the main application areas:

- Automotive and comms: too expensive, minimum system too big (5 memory chips)
  - Avionics: not fast enough, no multiply
  - Space: about right, tiny market

(,

+





-







# Dependable

Error

Reporting

L







.



Mil 1553/STANAG 3838

. •

.

215-60 219-276 A N91-17574

405

## Mechanical Proofs of Fault-tolerant Clock Synchronization

N. Shankar

Computer Science Laboratory SRI International

#### Overview

Introduction to clock synchronization protocols?

A schematic formulation of clock synchronization (Schneider).

The Interactive Convergence Algorithm (Lamport/Melliar-Smith).

Verification of Schneider's formulation (Shankar).

Verification of Interactive Convergence (Rushby/von Henke).

A hardware-oriented clock synchronization protocol (Infis/Moore).

Verification of Infis/Moore's protocol (Rushby/Shankar).

The EHDM Specification/Verification Environment.

Conclusions.

#### Main Observations

- Fault-tolerant clock synchronization is a critical component of a real-time control system.
- Proofs of the correctness of clock synchronization are complex and subtle.
- Informal proofs tend to be tenuous in these domains.
- Formal verification is a useful way to reduce errors and achieve reliable designs.
- Specification/Verification could contribute to the scientific foundations of reliable engineering.

#### Fault-tolerant systems

- Critical real-time control systems such as "fly-by-wire" digital avionics.
- Replicated processors are used to provide hardware fault-tolerance.
- Results are periodically voted.
- Clocks must be synchronized to ensure approximately synchronous behaviour across nonfaulty processors.

#### **Clock Synchronization**

•

- Clocks start synchronized.
- Over time, the clocks drift apart.
- The clocks are periodically synchronized by
  - an exchange of clock values
  - computation of a mutually agreeable clock value
  - adjustment of the logical clock

#### **Byzantine Clocks**

Three clocks A, B, C.

Suppose clocks drift away from real time by upto a minute an hour.

C is faulty.

Clocks resynchronize around noon and exchange clock values.

A reads 12:00 and B reads 11:59

A transmits 12:00 to B and C.

B transmits 11:59 to A and C.

C maliciously transmits 12:01 to A; 11:58 to B.



6

#### **Byzantine Clocks**

Three clocks A, B, C.

Clocks drift from real time by upto a minute an hour.

C is faulty.

Clocks resynchronize around noon and exchange clock values.

A reads 12 : 00 and B reads 11 : 59

A resets its clock to the mean of the acceptable clock values, i.e., 12:00. B similarly resets itself to 11:59.

A and B are not any closer following resynchronization.



.....

#### **Clock Generalities**

No global clocks — single point of failure, therefore not fault-tolerant.

Synchronization is with respect to other clocks, not *real time*, though such protocols do exist.

Clocks drift at rate  $\rho$  with respect to real time.

Period of drift *R* between resynchronization rounds.

 $\epsilon$  bounds the error in reading clock values.

To keep clocks synchronized to within  $\delta$ , clocks should be within  $\delta_s$  following resynchronization, and

$$\delta > \delta_s + 2\rho R$$

Each clock uses the same convergence function to synchronize to within  $\delta_s$ .

# Typical numbers (from Rushby/von Henke)

| Parameter                                                    | Value                  | Explanation   |
|--------------------------------------------------------------|------------------------|---------------|
|                                                              | 6                      | No. of Clocks |
| $egin{array}{c} N \ R \end{array}$                           | 0<br>104.8 msec.       | Period        |
| $\begin{bmatrix} n \\ \delta_0 \end{bmatrix}$                | 132 μsec.              | Initial skew  |
| $\epsilon$                                                   | 66.1 $\mu$ sec.        | Reading error |
|                                                              | $15 \times 10^{-6}$    | Drift rate    |
| $\left  \begin{array}{c} \rho \\ \delta \end{array} \right $ | 271 $\mu$ sec. (F = 1) | Maximum skew  |

#### **Clock Requirements**

- R1: At any instant, two nonfaulty clock readings should be no further than  $\delta$  apart.
- R2: There should be a small bound on the adjustment needed to resynchronize a clock.

#### Schneider's Schema

A generalization of various protocols consisting of:

- Assumptions on the behavior of nonfaulty physical clocks.
- Constraints on the computation of nonfaulty logical clocks.

These assumptions and constraints are used to derive a bound on the *skew* between two nonfaulty logical clocks, i.e.

$$|LC_p(t) - LC_q(t)| \le \delta$$

#### **Physical Clock Assumptions**

N clocks with at most F faulty.

 $t_p^i$  is the time at which p resets its clock for the i'th time.

Interval between resets is bounded:

$$r_{min} \le t_p^{i+1} - t_p^i \le r_{max}$$

Skew between resets is bounded:  $|t_p^i - t_q^i| \leq \beta$ 

Bounded drift rate w.r.t. real time: for s > t

$$(s-t)(1-\rho) \le C_p(s) - C_p(t) \le (s-t)(1+\rho)$$

14

# Logical Clock Assumptions

A Convergence function Cfn is used to compute the adjusted logical clock.

Let  $\Theta_p^i(q)$  be p's reading (estimate) of q's logical clock at time  $t_p^i$ .

Then 
$$LC_p(t_p^i) = Cfn(p, \Theta_p^i)$$

The i'th adjustment to be applied to the physical clock to derive the logical clock is

$$Adj_p^i = Cfn(p,\Theta_p^i) - C_p(t_p^i)$$

In general the logical clock is defined to be

$$LC_p(t) = C_p(t) + Adj_p^i$$

for  $t_p^i \leq t < t_p^{i+1}$ 

 $\epsilon$  bounds error with which clocks are read.

Additionally, certain assumptions on behavior of a satisfactory convergence function.

#### **Translation Invariance**

Adding X to each clock reading, adds X to the value of the convergence function.

For any X and  $\theta$  mapping clock numbers to clock readings

 $Cfn(p, (\lambda q: \theta(q) + X)) = Cfn(p, \theta) + X$ 

Translation invariance is used to compare the values of convergence functions at  $t_p^i$  and  $t_q^i$ .

#### **Precision Enhancement**

Formalizes the intuition that

- the closer the good clocks are to each other
- the closer the different readings of the same good clock
- then the closer the resulting convergence function values

#### **Precision Enhancement (contd.)**

Given any predicate P on clocks 0 to N - 1 that holds of at least N - F clocks.

Given p, q, such that P(p) and P(q).

Given  $\theta_p$  and  $\theta_q$  such that

- If P(l) and P(m), then  $|\theta_p(l) \theta_p(m)| \le Y$
- If P(l) and P(m), then  $|\theta_q(l) \theta_q(m)| \le Y$
- If P(l), then  $|\theta_p(l) \theta_q(l)| \le X$

Then there exists a bound  $\pi(X, Y)$  such that  $|Cfn(p, \theta_p) - Cfn(q, \theta_q)| \le \pi(X, Y)$ 

Illustrative example to follow.

#### **Accuracy Preservation**

Bounds the adjustment away from a good clock reading.

Given any predicate P on clocks 0 to N - 1 that holds of at least N - F clocks.

Given that P holds of p and q.

Given  $\theta_p$  such that whenever P(l) and P(m) for any two clocks l and m, then

$$|\theta_p(l) - \theta_p(m)| \le Z$$

Then

$$|Cfn(p, \theta_p) - \theta_p(q)| \le \alpha(Z)$$

That is, if the good clock readings are within Z, the adjustment away from a good clock reading is no more than  $\alpha(Z)$ .

#### The Final Result: Agreement

- A1:  $\beta \leq r_{min}$ Synchronization rounds are distinct
- A2:  $\delta_0 \leq \delta_s$ Initial skew no greater than skew immediately following synchronization.
- A3:  $\delta_s + 2\rho r_{max} \leq \delta$ Drift between synchronization rounds is below  $\delta$ .
- A4:  $\pi(2\epsilon + 2\rho\beta, \delta_s + 2\rho(r_{max} + \beta) + 2\epsilon) \le \delta_s$ Skew between just synchronized clocks below  $\delta_s$ .
- A5:  $\alpha(\delta_s + 2\rho(r_{max} + \beta) + 2\epsilon) \leq \delta$ Skew between synchronized and yet to be synchronized clocks below  $\delta$ .

• Conclusion:

.

$$t \ge 0$$

$$\land \text{ correct}(p, t)$$

$$\land \text{ correct}(q, t)$$

$$\Rightarrow |LC(p, t) - LC(q, t)| \le \delta$$

Skew between nonfaulty logical clocks bounded by  $\delta$ .

## Verification of Schneider's Schema using EHDM

Proof consists of:

- 30 axioms involving multiplication, division, and clocks.
- 12 definitions
- 95 lemmas.

Proof took about two man-months using EHDM.

Machine verification takes 1000 to 3500 CPU secs on SUNs.

Numerous inaccuracies in Schneider's original presentation were corrected.

The machine proof adds enormous clarity to Schneider's insightful, but imprecise descriptions and definitions.

Instantiation of Schneider's schema in progress.  $21 \frac{1}{21}$ 

### Lamport/Melliar-Smith's Interactive Convergence (ICA)

3F + 1 clocks needed to tolerate F Byzantine faults.

p records (relative discrepancies of) other clock values when its clock reads iR

"Ignores" clock readings further than  $\Delta$  away.

Adjusts its clock by the 'egocentric' mean of the acceptable clock differences.

## Instantiating Schneider's protocol with ICA

Convergence function:

$$ica(p,\theta) = \sum_{l=0}^{N-1} \frac{fix_p(\theta(l),\theta)}{N}$$

where

$$fix_p(x,\theta) = \begin{cases} x & \text{if } |x-\theta(p)| \leq \Delta\\ \theta(p) & \text{otherwise} \end{cases}$$

Translation Invariance: Note that  $\begin{array}{c} \Theta & \text{inv} \\ fix_p((\lambda l: \theta(l) + t)(q)) &= & \theta(q) \end{pmatrix} + t
\end{array}$ 

### **Precision Enhancement of ICA**

Given that for all correct l, m

- $|\theta_p(l) \theta_q(l)| \le X$
- $|\theta_p(l) \theta_p(m)| \le Y$
- $|\theta_q(l) \theta_q(m)| \le Y$

We have

$$|ica(p, \theta_p) - ica(q, \theta_q)|$$

$$\leq X + \frac{FY + 2F\Delta}{\pi(X, Y)}$$

X is negligible, but  $Y\approx\Delta,$  so  $\pi(X,Y)\approx\frac{3F\Delta}{N}$ 

Since  $\Delta \geq \delta + \epsilon$ , we get N > 3F + 1.

24

#### **Accuracy Preservation of ICA**

If nonfaulty clock readings are Z apart, then F faulty clocks can contribute a further skew of  $F\Delta/N$  to the egocentric mean.

So

$$\alpha(Z) \le Z + \frac{F\Delta}{N}$$

25

# Rushby/von Henke's verification of ICA using EHDM

Around 1–2 man month effort

20 modules

1,550 lines of specification

166 proofs

1 hour elapsed to prove them all on Sun 3/75-8

Verification revealed several minor flaws in a five year old journal proof.

#### Flaws in Lamport/Melliar-Smith

Main induction incorrect (bad approximations)

Proof of Lemma 4 incorrect (bad approximations); also typographical error in statement

Lemma 1 false in absence of additional constraints in A2

Lemma 2 similarly, also typographical error in statement

Lemma 3 similarly, and unnecessarily general

Missing requirement for S2 in Lemmas 1, 3, 4, and (when repaired) 2

## Original Constraints on parameters

C1:

C2:

C3:  $\Sigma = \Delta$ 

**C4:**  $\Delta \gtrsim \delta + \epsilon$ 

**C5:**  $\delta \gtrsim \delta_0 + \rho R$ 

**C6:**  $\delta \ge 2(\epsilon + \rho S) + \frac{2m\Delta}{n-m} + \frac{n\rho R}{n-m}$ 

## New Constraints on parameters

- **C1:**  $R \ge 3S$
- C2:  $S \ge \Sigma$
- C3:  $\Sigma \ge \Delta$
- **C4:**  $\Delta \ge \delta + \epsilon + \frac{\rho}{2}S$
- **C5:**  $\delta \geq \delta_0 + \rho R$

C6:

$$\delta \ge 2(\epsilon + \rho S) + \frac{2m\Delta}{n-m} + \frac{n\rho R}{n-m} + \frac{n\rho \Sigma}{n-m} + \rho\Delta$$

29

#### Infis/Moore's economic approach

Tolerates F < N/2 omission failures for N clocks.

At clock reading iR, p broadcasts a pulse on its private line.

Say p receives and validates N - f pulses

(N - F)'th pulse bounded from above and below by a good pulse.

Ditto for (F - f + 1)'th pulse.

p starts new clock at earlier of pulse N - F with delay D, or pulse F - f + 1 with delay 2D.

Skew  $\delta_s \stackrel{<}{\sim} D$ , and  $\delta \stackrel{<}{\sim} 2D$ .

Verification nearly complete using EHDM. Elaborates significantly on informal proof.

# Schemata for Infis/Moore's protocol



31

#### Extract from Infis/Moore

(a)  $T_{n-i}^{k} \ge T_{n-i}$  because the  $T_{i}^{k}$  are a subset of the  $T_{i}^{k}$ (b)  $T_{n-i}^{k} \le T_{n-m}$  because at least one of the times  $T_{n}^{k}$ ...  $T_{n-f}^{k}$  must be a message from a processor which is actually fault-free (and synchronised) and  $T_{n-m}$  is either the time of the message from the last fault-free processor or later

(c)  $T_{n-f}^k \ge T_{n-m}$  because the  $T_{n-m}$  is validated by all fault-free processors and must be included in the  $T_i^k$ 

(d)  $T_{n-f}^k \leq T_{n-g}$  because the  $T_i^k$  are a subset of the  $T_i$ .

From these inequalities we have that

 $\min \{T_{n-1} + d, T_{n-m}\} \leq W \leq \min \{T_{n-m} + d, T_{n-g}\}$ (1)Now  $T_{i-f+1}^k \leq T_{n-i}$  for all k and  $T_{n-f}^k = T_{n-g}$  for some k, so the validity tests  $T_{n-f}^k - T_{i-f+1}^k < 2d$  imply that  $T_{n-g}^k - T_{n-i}^k < 2d$ . Therefore  $T_{n-m} - T_{n-i} < d$  or  $T_{n-g}$  $- \tilde{T}_{n-m} < d$  (or both). If  $T_{n-m} - T_{n-1} < d$ , eqn. 1 reduces to  $T_{n-m} \leq W \leq \min \{T_{n-m} + d, T_{n-g}\}$ 

implying that W has a range of at most d. If  $T_{n-g} - T_{n-m} < d$ , then, using also that  $T_{n-g} - T_{n-i} < d$ 2d, eqn. 1 yields

$$T_{n-g} - d < W \leq T_{n-g}$$

implying that W has a range less than d.

4

## Verification of Infis/Moore's protocol

Formalization is fairly close to hardware realization.

Main induction over synchronization rounds completed, as well as all of the important lemmas.

Machine proof is remarkably involved and complex.

Proof took two man-months of effort and covers about 70 dense pages.

### **Common Errors**

Ignoring failures.

Distinguishing real and clock time, and relative versus absolute measurements.

Ignoring small but significant quantities.

Proving one statement but using another.

Imprecise definitions.

Erroneous algebraic manipulations.

Implicit assumptions.

Incorrect assumptions.

## Difficulties in verification

Dealing simultaneously with failures, temporal ordering, relative measurements, drift.

Have to be careful not to assume anything about failed clocks.

"Circular definitions" need to be avoided.

E.g., A round ends when various events have taken place.

Various events take place as scheduled if the clock is correct at the end of the round.

Mentally retaining all the relevant facts is difficult.

### EHDM specification/verification system

Based on a simply typed higher-order logic with subtyping.

Parametric modules used to structure specifications.

Specifications can be proved to implement other specifications.

Components include parser, typechecker, theorem prover, Hoare sentence prover, and MLS tool.

Theorem prover contains powerful decision procedures for integer and rational inequalities.

New implementation should be ready by end of 1990.

## Concluding Observations

Reasoning about fault-tolerant clock synchronization is extremely difficult.

Proofs involve heavy use of inequalities, algebraic manipulations, finite set theory, and induction.

Protocol designers themselves feel the need for mechanized verification tools.

Benefits of such tools are:

- Design discipline
- Efficient location/correction of design errors
- Design library for future reuse
- Standardized language for communicating designs and proofs

Specification and verification technology could contribute effectively to the foundations of reliable engineering.

442 516-61 319677 Dit

# N91-17575

#### A HOL Theory for Voting

Paul S. Miner James L. Caldwell

#### Outline

- Introduction
- Proofs Comparing Majority and Plurality
- Proofs of Simple Reconfiguration Strategies
- Future directions

#### Introduction

- Central to fault-tolerant computing is redundancy mangement.
- Common to proofs of fault-tolerance is a maximum fault assumption.

If there are m or fewer faults in the system, then ...

- Typically a maximum fault assumption is rather restrictive. Usually, this is necessary to avoid assumptions about the behavior of faulty channels.
  - For Interactive consistency, in order to tolerate m faults, 3m + 1 nodes are required.
  - For a majority vote, 2m + 1 channels are required.
- A maximum fault assumption is useful because it allows us to reason about fault tolerance in the presence of arbitrarily malicious fault behavior. However, analysis of the architecture may establish certain scenarios in which the assumption may be weakened.

- Should fault-tolerant systems incorporate features which attempt to recover from failure combinations which exceed the maximum fault assumption?
- If so, what is the proof obligation?
- At the very least, it is necessary to show that existing proofs which depend upon the maximum fault assumption still hold.

#### **Hypothetical Scenario**

Imagine that plurality voting circuit has been developed for use in a a four channel fault-tolerant computing system. Suppose that a designer is considering using this circuit in a system which depends upon a majority vote in order to maintain correct system state.

Can this voting circuit be used in this system?

First we define existence predicates for majority and plurality as follows:

$$\forall B.majority\_exists \ B \equiv \text{FINITE} \ B \land \exists x. |B| < 2|B|_x$$

 $\forall B. plurality\_exists \ B \equiv \exists x. \forall x'. (x \neq x') \supset |B|_{x'} < |B|_{x}$ 

Where B is a  $\operatorname{bag}_{j}^{1}|B|$  represents its cardinality, and  $|B|_{x}$  represents the count of x in B.

<sup>&</sup>lt;sup>1</sup>Essentially a bag is a set without absorption. [a, a, b] = [b, a, a], but  $[a, b] \neq [a, a, b]$ 

From these we define the following functions:

- -----

 $\forall B.majority \ B = \epsilon \ x.|B| < 2|B|_x$  $\forall B.plurality \ B = \epsilon \ x.\forall x'.(x \neq x') \supset |B|_{x'} < |B|_x$  The property we need to prove is  $\forall B.majority\_exists B \supset (majority B = plurality B).$ 

The first step was to show that

 $\forall B.majority\_exists \ B \supset plurality\_exists \ B$ 

For this, we needed to prove the following lemma:

 $\forall B. \text{FINITE } B \supset (\forall x \ y. (x \neq y) \supset |B|_y \leq (|B| - |B|_x))$ 

From this lemma, coupled with rewriting the right conjunct of *majority\_exists* to

 $\exists x.(|B|-|B|_x) < |B|_x,$ 

and then using transitivity of '<' and ' $\leq$ ' we can establish the existence of plurality from the existence of majority.

In order to show the equivalence between *majority* and *plu*rality we needed to establish uniqueness from existence (i.e. if it exists then its unique). This allowed us to substitute in one side of the equation and then show that the chosen value satisfied the predicate embedded in the other.<sup>2</sup>

<sup>&</sup>lt;sup>2</sup>Thanks to Brian Graham of the University of Calgary for submitting his methods of dealing with the HOL choice operator (' $\varepsilon$ ' or 'O') to the info-hol mailing list.

Once this was done we looked at proving some other simple facts about voting which may be useful in the analysis of faulttolerant architectures. Specifically, we proved the preservation of majority for a few common reconfiguration schemes.

- Graceful Degradation
- Perfect Spares
- Imperfect Spares

Of course, we neglected one of the more difficult aspects of reconfiguration, namely that of correctly identifying the faulty channel. All that we have done is prove a little bit of common sense.

#### **Graceful** Degradation

The simplest reconfiguration strategy is graceful degradation. This consists of removing a faulty channel and continuing processing with one less channel of redundancy. The proof for this case showed that a majority is preserved if a non-majority element is removed from consideration.

First we show existence

 $\forall B. \forall x. majority\_exists B \supset$  $(x \in B) \supset$  $(x \neq majority B) \supset$ majority\\_exists (B - x)

This essentially reduces to showing

 $|B| < 2|B|_{x'} \supset (|B| - 1) < 2|B|_{x'}.$ 

From existence we get uniqueness so we can then show

$$\forall B. \forall x. majority\_exists B \supset$$
  
 $(x \in B) \supset$   
 $(x \neq majority B) \supset$   
 $(majority B = majority (B - x))$ 

#### **Perfect Spares**

Sometimes, in addition to removing a faulty channel, a good channel is added to the configuration. To capture this scenario, we showed that the insertion of the majority element to a bag preserved both existence and value of the majority.

- $\forall B. majority\_exists B \supset majority\_exists ((majority B) \odot B)$
- $\forall B. majority\_exists B \supset$ (majority ((majority B)  $\odot$  B) = majority B)

#### **Imperfect Spares**

Finally, recognizing that it is possible for spares to fail, it was shown that the removal of a non-majority (e.g.failed) element coupled with the addition of an arbitrary element (of the proper type) also preserves both existence and the value of majority.

$$\forall B. majority\_exists B \supset \\ \forall x x'. (x \in B) \supset \\ (x \neq majority B) \supset \\ majority\_exists (x' \odot (B - x)) \\ \forall B. majority\_exists B \supset \\ \forall x x'. (x \in B) \supset \\ \forall x x'. (x \in B) \supset \\ \forall x x'. (x \in B) \supset \\ \hline \end{tabular}$$

$$(x \neq majority \ B) \supset$$
  
 $((majority \ (x' \odot (B - x))) = (majority \ B))$ 

#### **Future Efforts**

• Establish a base for reasoning about error manifestations in order to reason about Fault Detection and Isolation.

When can you conclude that a redundant channel is faulty?

• Explore the effects that incorporating a plurality voter would have on the OS proofs.

This would require adding assumptions concerning the behavior of faulty channels.

• Explore possible ways to incorporate reconfiguration strategies into the OS effort.

How do you differentiate between a permanent and a transient fault?

431 517-61 319678 N N91-17576

# Formally specifying the logic of an automatic guidance controller

David Guaspari Odyssey Research Associates

-----

Truth arises more readily from error than from confusion.

Francis Bacon Novum Organum The Penelope project:

- Interactive, incremental, tool for formal verification of Ada programs (Larch/Ada specifications).
  - Structure or ordinary text editor
  - Permits development of program and proof in concert, "reuse by replay"
- Covers large subset of sequential Ada.
- Mathematically based.

Problem: specify "logic" of experimental Automatic Guidance Control System for a 737

- Pilot requests kind and degrees of automatic assistance
- Requests may be honored, disallowed, "put on hold
- Responses must be displayed

.

Work-in-progress: Larch/Ada specification

- Formal specification of Ada code
- Goals: precise; intelligible to designers and implementors
- Currently wrong, but clear

Related work

- Original code (CSC)
- Experiment in redesign (NASA)



4

·

.



,

Some failures of informal description

1. Ambiguous: "Select" a switch vs. "select" a mode.

2. Incomplete: "CAS ENG may be engaged independent of all other AGCS modes except TIME PATH."

- 3. Contradictory:
  - FPA ... cannot be deselected directly.
  - [if] ... appropriate selection of the FPA SEL ... switch returns the mode to the off state ...

Larch/Ada specifications: "two-tiered"

- Mathematical part (Larch Shared Language): defines vocabulary
- Interface part (Larch/Ada): uses vocabulary to specify code

Example: specifying executable addition

Mathematical part: defines mathematical + on *Int*, the (infinite) domain of mathematical integers

Interface part: Specifying evaluation of x+y

- Type integer is "based on" Int.
- Return value (x + y) if

$$min \leq (x + y) \leq max.$$

No side effects.

• Otherwise, raise numeric\_error. No side effects.

The mathematical part

States: AGCS\_state, Sensor\_state, etc.

Actions:

{alt\_eng\_switch,...,alt\_eng\_knob(i),..., alt\_capture,...}

Modes:

{alt\_eng,fpa\_sel,vert\_path,...}

Transition operation:

AGCS\_state, Action,  $\ldots \rightarrow$  AGCS\_state

Observers: active2d, display, ...

Building mathematical part (the AGCS states)

AgcsStructure : trait AGCS\_state record of (on: Bool, modes: Set\_of\_modes, engaged: Engagement\_status, setting: Value\_settings, window: Window\_array) includes Set(Mode,Set\_of\_modes)

introduces

transition:

AGCS\_state, Action, Sensor\_state,

Flight\_plan → AGCS\_state

initial\_on\_state: → AGCS\_state asserts

• • •

Description of mode changes caused by switches:

- Is the mode directly deselectable?
- What mode changes result?
- Under what conditions is the mode directly selectable?
- What mode changes result?

Building mathematical part (mode changes)

HorPathSwitch : trait

includes SwitchShell{hor\_path}

#### asserts for all

[agcsmodes: Set\_of\_modes, pl: Flight\_plan,

sens: Sensor\_state]

hor\_path\_deselectable
hor\_path\_selectable(agcsmodes,pl) =
 (auto ∈ agcsmodes) ∧ active2d(pl)
hor\_path\_selection\_result(agcsmodes,sens,pl) =
 [hor\_path] ∪ [[cas]]
hor\_path\_deselection\_result(agcsmodes) =
 [tka\_sel] ∪ [[cas]]

Intuitive description of window status (*chosen* vs. *current*):

- The  $w_{\rm knob}$  makes the corresponding  $w_{\rm knob}$  window chosen.
- Any action selecting the *w* mode makes the *w*-window chosen.
- Any action deselecting the *w* mode makes the *w*-window current.
- Any other action leaves the status of the w-window unchanged.

Building the mathematical part (window changes)

StatusShell : trait imports AgcsStructure introduces #.component : Window\_array → Window\_status md:  $\rightarrow$  Mode knob : Value  $\rightarrow$  Action asserts for all [agcs:AGCS\_state, ...] abbreviation agcs' == transition(agcs,act,sensor,plan) agcs'.window.component = if md ∈ agcs'.modes - acgs.modes then chosen elsif md  $\in$  agcs.mode – agcs'.modes then current elsif act = knob(i) then chosen else agcs.window.component Example: StatusShell{alt,alt\_eng,Airspeed}

14

C.6.

Design of the code:

- Packages panel\_logic, display\_manager, sensor\_data, flight\_plan, flight\_control.
- State of panel\_logic based on AGCS\_state, etc.
- Actions → procedures of panel\_logic:
  - read state of panel\_logic, sensor\_data, flight\_plan
  - modify states of panel\_logic,
     display\_manager, flight\_control
- Consistent with polling, interrupts, etc.

end panel\_logic;

. . .

with sensor\_data\_types; use sensor\_data\_types; package panel\_logic --| BASED ON AGCS\_state --| INVARIANT --| panel\_logic.on -> good(panel\_logic) --| INITIALLY not panel\_logic.on

--| WITH TRAIT AgcsLogic, AgcsProperties,
 --| LogicalDisplay
 --| WITH sensor\_data, flight\_plan,
 display\_manager, flight\_control

Specifying the code:

```
procedure att_cws_switch;
--| WHERE
--| GLOBALS IN panel_logic
--| GLOBALS OUT display_manager,
--| flight_control,
--| panel_logic
--| IN panel_logic.on
--| OUT panel_logic =
--| transition(IN panel_logic,
--| att_cws_switch,*,*)
--| OUT FORALL ss: Sensor_state::
```

- --| look(display\_manager,ss) =
- --| display(panel\_logic,ss)
- --| OUT FORALL md:mode ::
- --| fc\_engaged(md,flight\_control) =
- --| engaged(md,panel\_logic)
- --| END WHERE;

procedure turn\_on\_agcs

5

. . .

. . .

--| END WHERE;

--| OUT panel\_logic = initial\_on\_state

--| WHERE

477 513-61 314677 N91-17577

#### Verification of Floating-Point Software

#### D. N. Hoover

Odyssey Research Associates, Ithaca NY

#### Abstract

Floating point computation presents a number of problems for formal verification. Should one treat the actual details of floating point operations, or accept them as imprecisely defined? or should one ignore round-off error altogether, and behave as if floating point operations are perfectly accurate? There is the further problem that a numerical algorithm usually only approximately computes some mathematical function, and we often do not know just how good the approximation is, even in the absence of round-off error.

ORA has developed a theory of asymptotic correctness which allows one to verify floating point software with a minimum entanglement in these problems. We describe this theory and its implementation in the Ariel C verification system, also developed at ORA. We illustrate the theory using a simple program which finds a zero of a given function by bisection.

## **Verification of Floating–Point Software**

## Douglas Hoover

Odyssey Research Associates, Inc.

## Difficulties

- Machine real arithmetic does not have nice mathematical properties
- Doesn't match ideal arithmetic (overflow, roundoff, underflow)
- Programs don't satisfy the specification we'd like them to

## **Asymptotic Correctness**

- Specify "ideal behavior" of the program (e.g. "program computes the square root of its input")
- Verify that if program is run on a sequence of machines converging to perfect accuracy, then program's behavior converges to ideal behavior ior

## Advantages of the Asymptotic Approach

- Machine real arithmetic can be specified loosely
- Specifications can be written in terms of ideal behavior
- Verification does not require roundoff error analysis
- Verifies *logical* correctness absence of "bugs" from inaccuracy of machine arithmetic that are not related to error *magnitude*.

#### Nonstandard analysis

$$\mathbf{R} \subseteq {}^*\mathbf{R}$$

Standard part map

$$st: {}^{*}\mathbf{R} \to \mathbf{R}$$

rounds off a finite nonstandard real to an infinitely close standard real.

#### Continuity

f is continuous at  $(a_1, \ldots, a_n)$  if

$$st(f(a_1,\ldots,a_n)) = f(st(a_1),\ldots,st(a_n))$$

#### Differentiation by algebraic manipulation

Let  $st(\epsilon) = 0$ ,  $\epsilon \neq 0$ . For all standard x,

$$\frac{d(x^2)}{dx} = st\left(\frac{(x+\epsilon)^2 - x^2}{\epsilon}\right)$$
$$= st\left(\frac{2\epsilon x + \epsilon^2}{\epsilon}\right)$$
$$= st(2x+\epsilon)$$
$$= 2x$$



## Nonstandard Analysis

- Asymptotic approach can be formalized naturally in nonstandard analysis using infinitesimals
- Primitive operations are assumed to return values which are infinitely close to the ideal values when the arguments and ideal answers are finite
- Programs are specified to have behaviors infinitely close to ideal behavior when inputs are finite

. . . .

## Finding Roots of a Continuous Function

- find\_zero searchs for a root of a user-supplied function F by bisection.
- At each iteration, it tests to see if the values of F at the left endpoint and the midpoint are of opposite sign, and changes one of the endpoints to the midpoint so as to keep a root between the two endpoints.
- The program terminates when it finds a root or when it reachs a user-supplied bound on the number of iterations.

```
float find_zero(left0,right0,maxit)
float left0,right0;
int maxit;
ſ
    float left,right,center;
    float cval,lval0,rval0;
    int numit;
    numit = 0;
    lval0 = F(left0);
    rval0 = F(right0);
    left = left0;
    right = right0;
    center = (left + right)/2.0;
    cval = F(center);
   while(cval != 0.0 && numit < maxit) {</pre>
        if (1val0 * cval < 0)
            right = center;
        else
            left = center;
        center = (left + right)/2.0;
        cval = F(center);
        lval0 = F(left);
        numit = numit + 1;
    }
   return(center);
}
```

Odyssey Research Associates, Inc.

## Specification of find\_zero

IF F is continuous and find\_zero is started up with

- left0 and right0 not "large";
- maxit "large";
- F(left0) and F(right0) of opposite sign

THEN find\_zero terminates normally (i.e. without an exception) and the value output is "close to" some zero of F.

### **Attempted Verification**

- Proof of termination is easy.
- Proof that termination is normal is a bit harder. Must prove that no overflow happens. To prove this, must prove that the values of the endpoints stay in some range of numbers which are not "large".

How would we prove that the program returns an approximation to a root?

- Prove when the program terminates, the endpoints are "close". This follows from the fact that the program halves the interval a "large" number of times.
- Prove there's always a root between the endpoints. This should follow from the way the program decides whether to move the left endpoint or the right. From this we'd get center "close to" a root.

Unfortunately, it's not true that there's always a root between the endpoints.

#### The Bug

- In the test statement, can have lval0 and cval of opposite sign, but have the product underflow to 0. This causes the program to move the wrong endpoint.
- Tests bear out this bug.

## **Possible Fixes**

Several ways to fix this bug

• Change test to

```
(lval0 < 0 && cval >= 0) ||
(lval0 >= 0 && cval < 0)
```

- Change test so instead of always testing left endpoint against midpoint, it always tests the endpoint with the larger value of F against the midpoint.
  - This doesn't necessarily keep a root between the endpoints, but it delivers an approximation to a root anyway.

### Ariel

- Verification system for subset of C including real arithmetic and some UNIX system calls.
- Implements nonstandard formalization of the asymptotic approach.

# Semantic Verification

- Ariel verifies programs by generating a description of the program's denotation in a higherorder language (the *Clio metalanguage*)
- Specifications are statements about the denotation in the Clio metalanguage
- Verification is a proof of the specification directly from the description of the denotation in Clio theorem prover
- Specifications can be any statement about the program's denotation which can be expressed in the Clio, including termination

## **C** Semantics

- A "run" of the program is modeled as a sequence of *events*
- Events are:
  - the event of going into a certain state
  - terminating and returning a value
  - terminating and returning no value
  - raising an exception
  - an "unknown" event
- The semantics of the program is expressed as a collection of axioms saying which sequences of events can happen in the course of executing the program.

## Sample Verifications

- ZBRENT a program which finds zeros of a continuous function by bisection
- SWAP a very simple program to swap the contents of 2 locations which contains a surprising bug
- HOSTILE BOOSTER a suite of programs, developed by Applied Technology Associates for SDIO, that estimate hostile booster trajectories. This verification is currently in progress.
- SECURE DEVICE DRIVER specification and verification of security for an Ethernet device driver. Currently in progress.

495 519-61 319 700 N91-17578

## C Formal Verification with Unix Communication and Concurrency

D. N. Hoover Odyssey Research Associates, Ithaca NY

#### Abstract

This talk reports the results of a NASA SBIR project in which we developed CSP-Ariel, a verification system for C programs which use Unix system calls for concurrent programming, interprocess communication, and file input and output. This project builds on ORA's Ariel C verification system by using the system of Hoare's book *Communicating Sequential Processes* to model concurrency and communication. The system runs in ORA's Clio theorem proving environment. We outline how we use CSP to model Unix concurrency, and sketch the CSP semantics of a simple concurrent program. We discuss plans for further development of CSP-Ariel.

# C Formal Verification with Unix communication and concurrency (NASA SBIR)

Aim: Verification system for

- C programs
- Unix system calls
- concurrent programming (fork, wait, exit, pipe)
- file and device i/o (read, write, open, close).

1 A.

```
void producer();
void consumer();
int pipedes[2];
void main()
{
 int id;
 if (pipe(pipedes) == -1) return;
 id = fork();
 if (id == -1) return;
 if (id == 0) consumer();
 else producer();
return;
}
void producer()
 char c;
 int status;
while (read(0, &c, 1) != 0) /* 0 = standard input filedes */
       write(pipedes[1], &c, 1);
close(pipedes[1]);
exit(wait(&status));
}
void consumer()
{
char c;
close(pipedes[1]); /* so that pipe read will fail when producer
                         closes its write end of pipe */
while (read(pipedes[0], &c, 1) != 0)
       write(1, &c, 1); /* 1 = standard output filedes */
exit(0);
}
```

# Example Program Schematic



Technical Approach

- C semantics via Ariel operational semantics (preexisting)
- Unix communication and concurrency semantics via Hoare's CSP

## CSP (Communicating Sequential Processes)

- See Hoare's book, Communicating Sequential Processes.
- An algebraic language for describing systems of processes with synchronous communication.
- Objects of the language are processes and events.
- Processes resemble state machines, events the input alphabet. Deterministic and nondeterministic processes.
- Processes participate in events and are transformed by them.
- Synchronous communication by participation in shared events.

Unix modeling

- Unix processes, files, pipes, and certain system tables are modeled as deterministic CSP-processes.
- Forking, pipe creation, file opening and closing, I/O, waiting, and exiting are modeled as events.

Example: Asynchonous pipe communication

Sending process A, pipe P, receiving process B.



## Processes transformed by events

,





Verification method

- C program given
- Ariel front end generates Caliban expression for abstract syntax tree of program.
- Ariel C semantics plus Unix system call semantics define denotation of a C program and associated files inside operating system as a CSP process.
- Internal operations of systems of processes hidden by CSP concealment operation.
- We reason about the resulting CSP process in Clio. Main tools are induction on traces (event sequences) of processes, and algebraic laws of CSP. Clio is a very general theorem prover, and we are not limited in the kinds of properties we can prove about processes.

## Producer as a CSP process

.

÷



Hiding events:

Overall process with non-I/O events hidden.



**CSP-Ariel** Development Plan

- C semantics via Ariel symbolic interpreter (existing)
- Unix communication and concurrency semantics via deterministic CSP (initial work completed).
- Extensions to support network communication planned (sockets).
- Nondeterministic CSP and event concealment for specification and modularity (planned)
- Graphic specification support using Romulus interface (planned)

Clio, Caliban, and, Ariel

- Ariel is a semantic verification system for a subset of C, written in Caliban and the Clio metalanguage. Floating point, overflow support via asymptotic correctness.
- Caliban is a lazy, purely functional language based on recursive equations and pattern matching.
- Clio is a higher-order logic theorem prover. Caliban is its term definition language. Clio's main proof methods are induction on Caliban definitions, term rewriting, and case splitting.

X

--.

-

-

-----

| nsn                                                                                                                                                                                                                                                                                                                                                                                                    | Report Documentation Pa                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | ige                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| араман алаан тоолоон тоон тоо<br>Адариян ал Асариян<br>                                                                                                                                                                                                                                                                                                                                                | 2. Government Accession No.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | 3. Recipient's Catalog No.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
| ort No.                                                                                                                                                                                                                                                                                                                                                                                                | 2. 000000000                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
| ASA CP-10052                                                                                                                                                                                                                                                                                                                                                                                           |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     | 5. Report Date                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
| le and Subtitle                                                                                                                                                                                                                                                                                                                                                                                        |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
| ASA Formal Method                                                                                                                                                                                                                                                                                                                                                                                      | s Workshop - 1990                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   | November 1990                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
|                                                                                                                                                                                                                                                                                                                                                                                                        |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     | 6. Performing Organization Code                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
|                                                                                                                                                                                                                                                                                                                                                                                                        |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
|                                                                                                                                                                                                                                                                                                                                                                                                        |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     | 8. Performing Organization Report No.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
| uthor(s)                                                                                                                                                                                                                                                                                                                                                                                               |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
| icky W. Butler, C                                                                                                                                                                                                                                                                                                                                                                                      | ompiler                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
| -                                                                                                                                                                                                                                                                                                                                                                                                      |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     | 10. Work Unit No.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
|                                                                                                                                                                                                                                                                                                                                                                                                        | 1                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   | 505-66-21-01                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
| erforming Organization Nam                                                                                                                                                                                                                                                                                                                                                                             | e and Address                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       | 11. Contract or Grant No.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
| ASA Langley Rese                                                                                                                                                                                                                                                                                                                                                                                       | arch Center                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
| lampton, VA 2366                                                                                                                                                                                                                                                                                                                                                                                       | 5-5225                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              | 13. Type of Report and Period Covered                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
|                                                                                                                                                                                                                                                                                                                                                                                                        |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     | 13. Type of Heport and Ferror Coverso                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
| Sponsoring Agency Name an                                                                                                                                                                                                                                                                                                                                                                              | nd Address                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          | Conference Publication                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
| Vational Aeronaut                                                                                                                                                                                                                                                                                                                                                                                      | ics and Space Administration                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | 14. Sponsoring Agency Code                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
| Washington, DC 2                                                                                                                                                                                                                                                                                                                                                                                       | .0546-0001                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
| Supplementary Notes<br>This workshop was<br>Research Center.<br>Abstract                                                                                                                                                                                                                                                                                                                               | s organized and chaired by Ricky W<br>ts a workshop in Formal Methods held at the<br>The workshop brought together researchers                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      | OF PCO<br>NASA Langley Research Center on                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
| Supplementary Notes<br>This workshop was<br>Research Center.<br>Abstract<br>This report documen<br>August 20-24, 1990.<br>research effort for de<br>representatives from<br>industry to debrief th<br>design, verification,<br>The goals of the wor<br>critical flight control                                                                                                                         | ts a workshop in Formal Methods held at the<br>The workshop brought together researcher<br>etailed technical interchange and provided a n<br>the FAA and the aerospace industry. The w<br>le formal methods researchers on current stat<br>and certification.<br>rkshop were: (1) Define and characterize the<br>systems and the current state of the practice is<br>the state of the practice is                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   | ORIGINA<br>OF PCO<br>NASA Langley Research Center on<br>s involved in the NASA formal methods<br>nechanism for interaction with<br>orkshop also included speakers from<br>e of practice in flight critical system<br>verification problem for ultra-reliable life-                                                                                                                                                                                                                                                                 |
| Supplementary Notes<br>This workshop was<br>Research Center.<br>Abstract<br>This report documen<br>August 20-24, 1990.<br>research effort for de<br>representatives from<br>industry to debrief th<br>design, verification,<br>The goals of the wor<br>critical flight control<br>proper role of forma                                                                                                 | ts a workshop in Formal Methods held at the<br>The workshop brought together researchers<br>etailed technical interchange and provided a n<br>in the FAA and the aerospace industry. The w<br>he formal methods researchers on current stat<br>and certification.<br>rkshop were: (1) Define and characterize the<br>systems and the current state of the practice is<br>il methods in addressing these problems, and<br>plying formal methods to this area.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | OF PCO<br>NASA Langley Research Center on<br>s involved in the NASA formal methods<br>nechanism for interaction with<br>orkshop also included speakers from<br>e of practice in flight critical system<br>verification problem for ultra-reliable life-<br>in industry today, (2) Determine the<br>(3) Assess the state of the art and recent                                                                                                                                                                                      |
| Supplementary Notes<br>This workshop was<br>Research Center.<br>Abstract<br>This report documen<br>August 20-24, 1990.<br>research effort for de<br>representatives from<br>industry to debrief th<br>design, verification,<br>The goals of the wor<br>critical flight control<br>proper role of forma<br>progress toward ap                                                                           | ts a workshop in Formal Methods held at the<br>The workshop brought together researchers<br>tailed technical interchange and provided a n<br>the FAA and the aerospace industry. The w<br>te formal methods researchers on current stat<br>and certification.<br>rkshop were: (1) Define and characterize the<br>systems and the current state of the practice is<br>a methods in addressing these problems, and<br>plying formal methods to this area.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | OF PCO<br>NASA Langley Research Center on<br>s involved in the NASA formal methods<br>nechanism for interaction with<br>orkshop also included speakers from<br>e of practice in flight critical system<br>verification problem for ultra-reliable life-<br>in industry today, (2) Determine the<br>(3) Assess the state of the art and recent                                                                                                                                                                                      |
| Supplementary Notes<br>This workshop was<br>Research Center.<br>Abstract<br>This report document<br>August 20-24, 1990.<br>research effort for de<br>representatives from<br>industry to debrief th<br>design, verification,<br>The goals of the wor<br>critical flight control<br>proper role of forma<br>progress toward ap                                                                          | tts a workshop in Formal Methods held at the<br>The workshop brought together researchern<br>tailed technical interchange and provided a n<br>the FAA and the aerospace industry. The w<br>le formal methods researchers on current stat<br>and certification.<br>rkshop were: (1) Define and characterize the<br>systems and the current state of the practice in<br>a methods in addressing these problems, and<br>plying formal methods to this area.<br>HASA personnel, researchers from the four<br>speakers, and representatives from other gov                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | OF PCO<br>NASA Langley Research Center on<br>s involved in the NASA formal methods<br>nechanism for interaction with<br>orkshop also included speakers from<br>e of practice in flight critical system<br>verification problem for ultra-reliable life-<br>in industry today, (2) Determine the<br>(3) Assess the state of the art and recent<br>supporting contract organizations, RSRE<br>emment research organizations with<br>MN                                                                                               |
| Supplementary Notes<br>This workshop was<br>Research Center.<br>Abstract<br>This report documen<br>August 20-24, 1990.<br>research effort for de<br>representatives from<br>industry to debrief th<br>design, verification,<br>The goals of the wor<br>critical flight control<br>proper role of forma<br>progress toward ap                                                                           | ts a workshop in Formal Methods held at the<br>The workshop brought together researchern<br>tailed technical interchange and provided a n<br>in the FAA and the aerospace industry. The w<br>te formal methods researchers on current state<br>and certification.<br>It shop were: (1) Define and characterize the<br>systems and the current state of the practice in<br>a methods in addressing these problems, and<br>plying formal methods to this area.<br>HASA personnel, researchers from the four-<br>speakers, and representatives from other gover<br>methods                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | OF PCO<br>NASA Langley Research Center on<br>s involved in the NASA formal methods<br>nechanism for interaction with<br>orkshop also included speakers from<br>e of practice in flight critical system<br>verification problem for ultra-reliable life-<br>in industry today, (2) Determine the<br>(3) Assess the state of the art and recent<br>supporting contract organizations, RSRE<br>emment research organizations with<br>NN                                                                                               |
| Supplementary Notes<br>This workshop was<br>Research Center.<br>Abstract<br>This report document<br>August 20-24, 1990.<br>research effort for de<br>representatives from<br>industry to debrief th<br>design, verification,<br>The goals of the wor<br>critical flight control<br>proper role of forma<br>progress toward ap                                                                          | ts a workshop in Formal Methods held at the<br>The workshop brought together researchers<br>bailed technical interchange and provided a n<br>in the FAA and the aerospace industry. The w<br>he formal methods researchers on current stat<br>and certification.<br>rkshop were: (1) Define and characterize the<br>systems and the current state of the practice in<br>a methods in addressing these problems, and<br>plying formal methods to this area.<br>HASA personnel, researchers from the four-<br>speakers, and representatives from other gov<br>methods.<br>Fl.oht (andre)<br>(Entrol Systems)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          | OF PCO<br>NASA Langley Research Center on<br>s involved in the NASA formal methods<br>nechanism for interaction with<br>orkshop also included speakers from<br>e of practice in flight critical system<br>verification problem for ultra-reliable life-<br>in industry today, (2) Determine the<br>(3) Assess the state of the art and recent<br>supporting contract organizations, RSRE<br>emment research organizations with<br>NN                                                                                               |
| Supplementary Notes<br>This workshop was<br>Research Center.<br>Abstract<br>This report document<br>August 20-24, 1990.<br>research effort for de<br>representatives from<br>industry to debrief th<br>design, verification,<br>The goals of the wor<br>critical flight control<br>proper role of forma<br>progress toward ap                                                                          | ts a workshop in Formal Methods held at the<br>The workshop brought together researchern<br>tailed technical interchange and provided a n<br>in the FAA and the aerospace industry. The w<br>le formal methods researchers on current state<br>and certification.<br>It is hop were: (1) Define and characterize the<br>systems and the current state of the practice in<br>a methods in addressing these problems, and<br>plying formal methods to this area.<br>INASA personnel, researchers from the four<br>speakers, and representatives from other gov<br>methods. HS Flort Control<br>Control Systems<br>Logic design                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | OF PCO<br>NASA Langley Research Center on<br>s involved in the NASA formal methods<br>nechanism for interaction with<br>orkshop also included speakers from<br>e of practice in flight critical system<br>verification problem for ultra-reliable life-<br>in industry today, (2) Determine the<br>(3) Assess the state of the art and recent<br>supporting contract organizations, RSRE<br>emment research organizations with<br>AVIONICS<br>LOGIC CIRCUITS                                                                       |
| Supplementary Notes<br>This workshop was<br>Research Center.<br>Abstract<br>This report document<br>August 20-24, 1990.<br>research effort for de<br>representatives from<br>industry to debrief th<br>design, verification,<br>The goals of the wor<br>critical flight control<br>proper role of forma<br>progress toward ap<br>Attendees included<br>personnel, invited s<br>interests in formal r   | ts a workshop in Formal Methods held at the<br>The workshop brought together researchers<br>bailed technical interchange and provided a n<br>in the FAA and the aerospace industry. The w<br>he formal methods researchers on current stat<br>and certification.<br>It shop were: (1) Define and characterize the<br>systems and the current state of the practice in<br>a methods in addressing these problems, and<br>plying formal methods to this area.<br>INASA personnel, researchers from the four-<br>speakers, and representatives from other gov<br>methods. HS Flight Control<br>Control Systems<br>Logic design<br>Fault Toleran<br>Mathematical                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | OF PCO<br>NASA Langley Research Center on<br>s involved in the NASA formal methods<br>nechanism for interaction with<br>orkshop also included speakers from<br>e of practice in flight critical system<br>verification problem for ultra-reliable life-<br>in industry today, (2) Determine the<br>(3) Assess the state of the art and recent<br>supporting contract organizations, RSRE<br>emment research organizations with<br>Design<br>ANN<br>AVIONICS<br>LOGIC CITCUITS<br>LOGIC CITCUITS<br>CL                              |
| Supplementary Notes<br>This workshop was<br>Research Center.<br>Abstract<br>This report document<br>August 20-24, 1990.<br>research effort for de<br>representatives from<br>industry to debrief th<br>design, verification,<br>The goals of the wor<br>critical flight control<br>proper role of forma<br>progress toward ap<br>Attendees included<br>personnel, invited s<br>interests in formal r   | ts a workshop in Formal Methods held at the<br>The workshop brought together researchers<br>bailed technical interchange and provided a n<br>in the FAA and the aerospace industry. The w<br>he formal methods researchers on current stat<br>and certification.<br>It shop were: (1) Define and characterize the<br>systems and the current state of the practice in<br>a methods in addressing these problems, and<br>plying formal methods to this area.<br>INASA personnel, researchers from the four-<br>speakers, and representatives from other gov<br>methods. HS Flight Control<br>Control Systems<br>Logic design<br>Fault Toleran<br>Mathematical                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | OF PCO<br>NASA Langley Research Center on<br>s involved in the NASA formal methods<br>nechanism for interaction with<br>orkshop also included speakers from<br>e of practice in flight critical system<br>verification problem for ultra-reliable life-<br>in industry today, (2) Determine the<br>(3) Assess the state of the art and recent<br>supporting contract organizations, RSRE<br>emment research organizations with<br>Design<br>ANN<br>AVIONICS<br>LOGIC CITCUITS<br>LOGIC CITCUITS<br>CL                              |
| Supplementary Notes<br>This workshop was<br>Research Center.<br>Abstract<br>This report document<br>August 20-24, 1990.<br>research effort for de<br>representatives from<br>industry to debrief th<br>design, verification,<br>The goals of the wor<br>critical flight control<br>proper role of forma<br>progress toward ap<br>Attendees included<br>personnel, invited s<br>interests in formal r   | ts a workshop in Formal Methods held at the<br>The workshop brought together researchers<br>bailed technical interchange and provided a n<br>in the FAA and the aerospace industry. The w<br>he formal methods researchers on current stat<br>and certification.<br>It shop were: (1) Define and characterize the<br>systems and the current state of the practice in<br>a methods in addressing these problems, and<br>plying formal methods to this area.<br>INASA personnel, researchers from the four-<br>speakers, and representatives from other gov<br>methods. HS Flight Control<br>Control Systems<br>Logic design<br>Fault Toleran<br>Mathematical                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | OF PCO<br>NASA Langley Research Center on<br>s involved in the NASA formal methods<br>nechanism for interaction with<br>orkshop also included speakers from<br>e of practice in flight critical system<br>verification problem for ultra-reliable life-<br>in industry today, (2) Determine the<br>(3) Assess the state of the art and recent<br>supporting contract organizations, RSRE<br>emment research organizations with<br>Design<br>ANN<br>AVIONICS<br>LOGIC CITCUITS<br>LOGIC CITCUITS<br>CL                              |
| Supplementary Notes<br>This workshop was<br>Research Center.<br>Abstract<br>This report document<br>August 20-24, 1990.<br>research effort for de<br>representatives from<br>industry to debrief th<br>design, verification,<br>The goals of the wor<br>critical flight control<br>proper role of formal<br>progress toward app<br>Attendees included<br>personnel, invited s<br>interests in formal r | ts a workshop in Formal Methods held at the<br>The workshop brought together researchers<br>bailed technical interchange and provided a n<br>in the FAA and the aerospace industry. The w<br>he formal methods researchers on current stat<br>and certification.<br>It shop were: (1) Define and characterize the<br>systems and the current state of the practice in<br>a methods in addressing these problems, and<br>plying formal methods to this area.<br>INASA personnel, researchers from the four-<br>speakers, and representatives from other gov<br>methods. HS Flight Control<br>Control Systems<br>Logic design<br>Fault Toleran<br>Mathematical                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | OF PCO<br>NASA Langley Research Center on<br>s involved in the NASA formal methods<br>nechanism for interaction with<br>orkshop also included speakers from<br>e of practice in flight critical system<br>verification problem for ultra-reliable life-<br>in industry today, (2) Determine the<br>(3) Assess the state of the art and recent<br>supporting contract organizations, RSRE<br>emment research organizations with<br>Design<br>ANN<br>AVIONICS<br>LOGIC CITCUITS<br>LOGIC CITCUITS<br>CL                              |
| Supplementary Notes<br>This workshop was<br>Research Center.<br>Abstract<br>This report document<br>August 20-24, 1990.<br>research effort for de<br>representatives from<br>industry to debrief th<br>design, verification,<br>The goals of the wor<br>critical flight control<br>proper role of forma<br>progress toward ap<br>Attendees included<br>personnel, invited s<br>interests in formal r   | ts a workshop in Formal Methods held at the<br>The workshop brought together researchers<br>bailed technical interchange and provided a magnetic technical interchange and certification.<br>Figure 1 (1) Define and characterize the systems and the current state of the practice is a magnetic technical interchange and provided and provided and provide technical interchange and provide | OF PCO<br>NASA Langley Research Center on<br>s involved in the NASA formal methods<br>nechanism for interaction with<br>orkshop also included speakers from<br>e of practice in flight critical system<br>verification problem for ultra-reliable life-<br>in industry today, (2) Determine the<br>(3) Assess the state of the art and recent<br>supporting contract organizations, RSRE<br>emment research organizations with<br>Design<br>ANN<br>AVIONICS<br>LOGIC CITCUITS<br>LOGIC CITCUITS<br>CL                              |
| Supplementary Notes<br>This workshop was<br>Research Center.<br>Abstract<br>This report document<br>August 20-24, 1990.<br>research effort for de<br>representatives from<br>industry to debrief th<br>design, verification,<br>The goals of the wor<br>critical flight control<br>proper role of format<br>progress toward ap<br>Attendees included<br>personnel, invited s<br>interests in formal r  | tts a workshop in Formal Methods held at the<br>The workshop brought together researchers<br>tailed technical interchange and provided a main<br>the FAA and the aerospace industry. The workshop were industry is the formal methods researchers on current state<br>and certification.<br>The workshop were: (1) Define and characterize the<br>systems and the current state of the practice in<br>a methods in addressing these problems, and<br>plying formal methods to this area.<br>INASA personnel, researchers from the four<br>speakers, and representatives from other gov<br>methods.<br>NASA personnel, researchers from the four<br>speakers, and representatives from other gov<br>methods.<br>NASA personnel, researchers from the four<br>speakers, and representatives from other gov<br>format a systems<br>Logic design<br>Fault Toteran<br>Uncl.<br>Subj                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      | OF PCO<br>NASA Langley Research Center on<br>s involved in the NASA formal methods<br>nechanism for interaction with<br>orkshop also included speakers from<br>e of practice in flight critical system<br>verification problem for ultra-reliable life-<br>in industry today, (2) Determine the<br>(3) Assess the state of the art and recent<br>supporting contract organizations, RSRE<br>emment research organizations with<br>AVIONICS<br>LOGIC CIRCUITS<br>LOGIC CIRCUITS<br>ICC<br>ATOUTATION Statement<br>ATOUTATION (LOMP) |

.\_\_\_\_.