NASA Conference Publication 10176



#### Third NASA Langley Formal Methods Workshop

Compiled by C. Michael Holloway Langley Research Center • Hampton, Virginia

(NASA-CP-10176)THIRD NASA LANGLEYN96-10026FORMAL METHODS WORKSHOP(NASA.--THRU--Langley Research Center)239 pN96-10037UnclasUnclas--

G3/59 0059510

Proceedings of a workshop sponsored by the National Aeronautics and Space Administration, Washington, D.C., and held at Langley Research Center, Hampton, Virginia May 10–12, 1995

#### TABLE OF CONTENTS

| Introduction                                                                                                                                                                                                                                                                                               | 3                               |
|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------|
| Final Agenda                                                                                                                                                                                                                                                                                               | 5 -0                            |
|                                                                                                                                                                                                                                                                                                            | 11 -0<br>13-0<br>15 -6<br>25 -6 |
| Overview of NASA Langley's Formal Methods Program, Ricky W. Butler                                                                                                                                                                                                                                         | 53 -0                           |
| <ul> <li>Session 2: LaRC-sponsored Industrial Applications</li> <li>The AAMP5/AAMP-FV Project, Steve Miller</li> <li>Union Switch &amp; Signal Project, Joe Profeta and Doug Hoover</li> <li>Honeywell Software Development Project, Lance Sherry and Doug Hoover</li> </ul>                               | 59 <sup>/</sup><br>65~          |
|                                                                                                                                                                                                                                                                                                            |                                 |
| <ul> <li>Session 3: Industry Perspectives on Formal Methods</li> <li>Session 4: Software Systems (1)</li> <li>Formal Verification for Fault-Tolerant Architectures/PVS Design, John Rushby</li> <li>Formal Methods Demonstration Project for Space Applications, John Kelly<br/>and Ben DiVito.</li> </ul> | . 89>                           |
| <ul> <li>Session 5: Software Systems (2)</li> <li>Ada 9X Language Precision Team, David Guaspari</li> <li>Introduction to Penelope and Its Applications, David Guaspari</li> </ul>                                                                                                                         |                                 |
| <ul> <li>Session 6: Hardware Systems</li></ul>                                                                                                                                                                                                                                                             | 141-5<br>1490m / T              |
| Session 7: Researcher Perspectives on Formal Methods                                                                                                                                                                                                                                                       | 165 - crri                      |
| <ul> <li>Session 8: Research Issues (1)</li> <li>Safety Analysis, John Knight.</li> <li>Non-standard Analysis and Embedded Software, Richard Platek</li> </ul>                                                                                                                                             | 173-7                           |
| <ul> <li>Session 9: Research Issues (2)</li> <li>Hybrid Fault Algorithms, Pat Lincoln</li> <li>Model Checking, David Dill</li> </ul>                                                                                                                                                                       | 191ーマ<br>193ーロ<br>211ータ         |
| <ul> <li>Session 10: Research Issues (3)</li> <li>The DDD Scheme Machine, Steve Johnson</li> <li>Formal Development of a Clock Synchronization Circuit, Paul Miner</li> </ul>                                                                                                                              | 219-10                          |
| Appendix A: List of Attendees                                                                                                                                                                                                                                                                              | 233                             |
| Appendix B: Comments from Attendees                                                                                                                                                                                                                                                                        | 243                             |
| Appendix C: Overview of NASA Langley's Formal Methods Program                                                                                                                                                                                                                                              | 245                             |

#### INTRODUCTION

On May 10-12, 1995, the formal methods team at the NASA Langley Research Center sponsored their third workshop<sup>1</sup> on the application of formal methods to the design and verification of life-critical systems. This workshop brought together formal methods researchers, industry engineers, and academicians to discuss the potential of NASA-sponsored formal methods and to investigate new opportunities for applying these methods to industry problems.

This publication constitutes the proceedings of the workshop. It contains copies of the material presented at the workshop, summaries of many of the presentations, a complete list of attendees, and a detailed summary of the Langley formal methods program. Much of the material contained herein is available electronically through the World-Wide Web via the following URL: http://atb-www.larc.nasa.gov/WS95/proceedings.html.

On behalf of the formal methods team, we thank all of the presenters and attendees for their contributions to making this workshop a great success. We look forward to seeing all of you again at our next workshop.

C. Michael Holloway, Workshop Co-chairman Ricky W. Butler, Workshop Co-chairman

<sup>&</sup>lt;sup>1</sup> Previous workshops were held in 1990 (see NASA Conference Publication 10052) and 1992 (see NASA Conference Publication 10110).

#### **Final Agenda**

PRECEDING PAGE BLANK NOT FILMED

#### Third NASA Langley

#### Formal Methods Workshop



NASA Langley

#### May 10-12, 1995 H. J. E. Reid Conference Center NASA Langley Research Center Hampton, Virginia

Sponsored by Formal Methods Team Assessment Technology Branch Information & Electromagnetic Technology Division Research and Technology Group

Proceedings available on the World-WideWeb at http://atb-www.larc.nasa.gov/WS95/proceedings.html

#### Wednesday, May 10, 1995

| 8:00 – 8:45   | Late Registration                                                                                                                           |
|---------------|---------------------------------------------------------------------------------------------------------------------------------------------|
|               | Session 1: Introduction to Formal Methods<br>Chaired by Ricky Butler                                                                        |
| 8:45 - 9:00   | Welcome<br>Milton Holt, Chief, Information & Electromagnetic Technology Division                                                            |
| 9:00 – 9:30   | Rationale for Formal Methods<br>Ricky Butler, NASA Langley Research Center                                                                  |
| 9:30 - 10:30  | An Informal Introduction to Formal Methods<br>Michael Holloway, Ricky Butler, and Paul Miner<br>NASA Langley Research Center                |
| 10:30 – 11:00 | Break                                                                                                                                       |
| 11:00 – 12:00 | An Informal Introduction to Formal Methods (continued)                                                                                      |
| 12:00 – 12:30 | Overview of NASA Langley's Formal Methods Program<br>Ricky Butler, NASA Langley Research Center                                             |
| 12:30 – 1:30  | Lunch in NASA Cafeteria                                                                                                                     |
|               | Session 2: LaRC-sponsored Industrial Applications<br>Chaired by Ricky Butler                                                                |
| 1:30 – 2:00   | The AAMP5/AAMP-FV Project<br>Steve Miller, Rockwell-Collins<br>Mandayam Srivas, SRI International                                           |
| 2:00 - 2:30   | Union Switch & Signal Project<br>Joe Profeta, Union Switch & Signal<br>Doug Hoover, Odyssey Research Associates                             |
| 2:30 – 3:00   | Honeywell Software Development Project<br>Lance Sherry, Honeywell<br>Doug Hoover, Odyssey Research Associates                               |
| 3:00 - 3:30   | Break                                                                                                                                       |
|               | Session 3: Industry Perspectives on Formal Methods<br>Chaired by Michael Holloway                                                           |
| 3:30 – 5:00   | Panel Session<br>Scott French, Loral ATC<br>Steve Miller, Rockwell-Collins<br>Joe Profeta, Union Switch & Signal<br>Lance Sherry, Honeywell |
| 5:00 - 6:00   | Cash Bar Social in Reid Conference Center                                                                                                   |

#### Thursday, May 11, 1995

|       |     |      | Session 4: Software Systems (1)<br>Chaired by Ricky Butler                                                                                                                |
|-------|-----|------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 8:30  | -   | 9:30 | Formal Verification for Fault-Tolerant Architectures/PVS Design<br>John Rushby, SRI International                                                                         |
| 9:30  | - 1 | 0:30 | Formal Methods Demonstration Project for Space Applications<br>Ben DiVito, VÍGYAN, Inc.<br>John Kelly, Jet Propulsion Laboratory                                          |
| 10:30 | - 1 | 0:45 | Break                                                                                                                                                                     |
|       |     |      | Session 5: Software Systems (2)<br>Chaired by Michael Holloway                                                                                                            |
| 10:45 | - 1 | 1:45 | Ada 9X Language Precision Team<br>David Guaspari, Odyssey Research Associates                                                                                             |
| 11:45 | - 1 | 2:30 | Introduction to Penelope and Its Applications<br>David Guaspari, Odyssey Research Associates                                                                              |
| 12:30 | -   | 1:30 | Lunch in NASA Cafeteria                                                                                                                                                   |
|       |     |      | Session 6: Hardware Systems<br>Chaired by Paul Miner                                                                                                                      |
| 1:30  | -   | 2:00 | The Formal Verification Technology Used on AAMP5<br>Mandayam Srivas, SRI International                                                                                    |
| 2:00  | -   | 2:30 | Specification and Verification of VHDL Designs<br>Damir Jamsek, Odyssey Research Associates                                                                               |
| 2:30  | - : | 3:15 | Derivational Reasoning System<br>Bhaskar Bose, Derivation Systems Inc.                                                                                                    |
| 3:15  | -   | 3:30 | Break                                                                                                                                                                     |
|       |     |      | Session 7: Researcher Perspectives on Formal Methods<br>Chaired by Jim Caldwell                                                                                           |
| 3:30  | -   | 5:00 | Panel Session<br>David Dill, Stanford University<br>Doug Hoover, Odyssey Research Associates<br>Steve Johnson, Indiana University<br>Natarajan Shankar, SRI International |
| 6:30  | -   | 8:00 | Dinner at Captain George's Seafood Restaurant                                                                                                                             |

in the second se

#### Friday, May 12, 1995

|               | Session 8: Research Issues (1)<br>Chaired by Michael Holloway                                     |
|---------------|---------------------------------------------------------------------------------------------------|
| 8:30 - 9:15   | Safety Analysis<br>John Knight, University of Virginia                                            |
| 9:15 – 10:00  | Non-standard Analysis and Software<br>Richard Platek, Odyssey Research Associates                 |
| 10:00 - 10:30 | Break                                                                                             |
|               | Session 9: Research Issues (2)<br>Chaired by Victor Carreño                                       |
| 10:30 – 11:15 | Hybrid Fault Algorithms<br>Pat Lincoln, SRI International                                         |
| 11:15 – 12:00 | Model Checking<br>David Dill, Stanford University                                                 |
| 12:00 – 1:30  | Lunch in NASA Cafeteria                                                                           |
|               | Session 10: Research Issues (3)<br>Chaired by Ricky Butler                                        |
| 1:30 – 2:00   | The DDD Scheme Machine<br>Steve Johnson, Indiana University                                       |
| 2:00 – 2:30   | Formal Development of a Clock Synchronization Circuit<br>Paul Miner, NASA Langley Research Center |
| 2:30 – 2:40   | Closing Remarks<br>Ricky Butler, NASA Langley Research Center                                     |

#### **Session 1: Introduction to Formal Methods**

Ricky W. Butler, Chair

• Welcome, by H. Milton Holt, Chief, Information & Electromagnetic Technology Division

\* Rationale for Formal Methods, by Ricky W. Butler

• An Informal Introduction to Formal Methods, by C. Michael Holloway, Paul S. Miner, and Ricky W. Butler

• Overview of NASA Langley's Formal Methods Program, by Ricky W. Butler

TO ESTABLISH IN COOPERATION WITH U.S. INDUSTRY, TECHNOLOGICAL PRECEDENTS IN SELECTED INFORMATION AND ELECTROMAGNETIC SYSTEMS AREAS. SYSTEM TO TRANSFER BENEFICIAL ELEMENTS OF THIS RESEARCH WITHIN NASA AND TO U.S. INDUSTRY AND OTHER-GOVERNMENT AGENDIES TO CONDUCT THIRD-GENERATION RESEARCH FOCUSED ON NATIONAL NEEDS AT ALL LEVELS OF INFORMATION AND ELECTROMAGNETIC SYSTEM TECHNOLOGIES. LaRC TECHNOLOGY OPTIONS/ TRANSFER THEORY MISSION SYSTEM INTEGRATION 1 ASSESSMENT RIG L Ì



PRECEDING PAGE BLANK NOT FILMED PAGE 12 INTENTIONALLY DLANK

Ricky W. Butler

NASA Langley Research Center

May 10, 1995

1. The Problem

2. Why Formal Methods Is Needed (i.e. Why Standard Practice Won't Work)

3. What is Formal Methods

A Small Sample of Notorious Design Errors

14

PAGE

Saturation of AT&T metwork on 15 January 1990 caused by a timing problem in a fault-recovery mechanism.

Failure to launch STS-1 (synchronization of backup computer)

• Therac 25 medical radiation-treatment machine responsible for the death of two people.

• Loss of data from Voyager at Jupiter (loss of clock sync)

• Patriot failure at Dharan (clock drift)

INTENTIONALLY BLANK

• In flight tests of the X31, the control system went into a reversionary mode four times in the first nine flights usually due to a disagreement between the two air data sources.

• AFTI-F16-Asynchronous operation, skew, and sensor noise led each channel to declare others failed in flight test 44. Flown home on a single channel. Other potentially disastrous bugs detected in flight tests 15 and 36. • X29 bug detected by simulation after 162 "at-risk" flights. Analysis showed that the bug could have led to instability and consequent loss-of-aircraft.

Pentium floating point division bug

Software Systems Are Unpredictable and Unreliable

Gibbs, W. Wayt: "Software's Chronic Crisis", Scientific American, Sept. 1994, pp. 86-95.

Studies have shown that for every six new large-scale software systems that are put into operation, two others are cancelled. The average software development project overshoots its schedule by half; larger projects generally do worse. And three quarters of all large systems are "operating failures" that either do not function as intended or are not used at all.

Despite 50 years of progress, the software industry remains years-perhaps decades-short of the mature engineering discipline needed to meet the demands of an information-age society

Software Systems Are Unpredictable and Unreliable (cont.)

Wiener, Lauren Ruth Digital Woes: Why We Should Not Depend Upon Software

Software products—even programs of modest size—are among the most complex artifacts that humans produce, and software development projects are among our most complex undertakings. They soak up however much time or money, however many people we throw at them.

The results are only modestly reliable. Even after the most thorough and rigorous testing some bugs remain. We can never test all threads through the system with all possible inputs.

Hardware Designs Are Unpredictable and Unreliable

Intel's President, Andy Grove, on comp.sys.intel Internet bulletin board:

After almost 25 years in the microprocessor business, I have come to the conclusion that no microprocessor is ever perfect; they just come closer to perfection with each stepping. In the life of a typical microprocessor, we go thru [sic] half a dozen or more such steppings....

# Michael Schrage, Washington Post Article (Dec 16, 1994)

Pentium type problems will prove to be the rule—rather than the isolated, aberrant exceptions—as new generations of complex hardware and software hit the market. More insidious errors and harmful bugs are inevitable. That is the new reality.

On the brink?

ŝ

Commercial aviation has an excellent safety record BUT

- There are some signs that we are near the threshold where traditional approaches will no longer be able to deliver safe systems.
- The industry is rapidly adopting more and more complicated software systems, e.g. Integrated Modular Avionics (SC-182).

A340 Incident (Near Heathrow on September 19, 1994)

- The commander's EFIS<sup>1</sup> map display symbology froze and lost all computed data [..].
- His MDCU<sup>2</sup> displayed the message 'PLEASE WAIT' and a *preflight* data load page. He was unable to obtain any other display.
- At roughly the same time, the copilot's EFIS and MCDU exhibited identical behavior.
- They 'dialed in' the ILS<sup>3</sup> using a back-up method,
- Then discovered they had some 2000 kgs of fuel less than expected (an erroneous indication).
- The autopilot's attempt to follow the glidepath resulted in unusually high pitch rates and so the autopilot was disconnected.
- The commander informed the tower they were having problems with the glideslope and requested an SRA (Surveillance Radar Approach)
- They landed without further incident; after taxiing in and shutting down, the fuel indications recovered.

<sup>1</sup>Electronic Flight Instrument System <sup>2</sup>Multi-function Control and Display Unit <sup>2</sup>Instrument Landing System

| ŝ   |
|-----|
| 03  |
| ā   |
| iag |
| σ   |
| ₽,  |
| 7   |
| 1   |

The reason for the wrong response of the autopilot and one flight director to the left turn demand was a *software crive* ... This error was known to Airbus Industrie and corrective measures for this and several other software deficiencies ... have been issued ...

### Post-flight analysis:

- The BITE data dump showed that the No 2 FMGEC had detected a CLASS 1 HARD failure within itself and a simultaneous fault within FMGEC No 1, but no hardware fault could be found.
- Airbus Industrie was aware of the double FMGS failure mode which had first emerged on the A320 series aircraft.
- According to Airbus Industrie, there are several ways in which the exchange of data and/or a problem in one computer can affect the other computer.
- Airbus Industrie has succeeded in radically reducing the frequency of double FMGS failures on the A320 series aircraft; they are also addressing the problem on the A330 and A340 series. [...]

"Air Accidents Investigation Branch of the UK Ministry of Thansportation

Radical Change In Digital Avionics for Commerical Aircraft

- Digital systems for commerical aircraft about to undergo a radical change
- The fundamental architecture of the avionics systems will move from "federated" to "integrated":
- <u>federated</u>: Each aircraft function resides on its own computer. Aircraft functions are certified.
- integrated: There is a shared computing resource on which multiple functions execute.

2

# The Motivation for this Change

According to ARINC 651, this approach [i.e. Integrated Modular Avionics (IMA)] will:

Reduce life-cycle cost through

- Reduced weight, power, and EE bay volume
- Reduced unscheduled maintenance, reduced spares and increase parts commonality
- Reduce first cost and cost of service life support through
- Reduced development, certification and production costs
- Reduced avionics weight and increased payload volume
   Flexibility to efficiently meet customer requirements and im-
  - riexibility to efficiently meet customer requirements and plement improvements



| • Task partitioning becomes life-critical.<br>IMA needs formal methods technology | to manage complexity However, the FAA has not developed<br>any supportable criteria for establishing a partition. Although<br>partitioning has been part of the certifications of the Gulf-<br>stream 4, Airbus A320, Boeing 747-400, Douglas MD-11 and<br>is being used extensively in the certification of the Boeing 777<br>and the ongoing certification of the 412CF helicopter, <i>the assur-</i><br><i>tance of the common has here non standardized and suce hered here here and the base non standardized and suce hered here base non standardized and suce hered here base non standardized and suce hered hered here as a standardized and suce hered here</i> | project almed at applying Formal Methods to the partitioning prob-<br>lem:<br>RTCA D0-178B recognizes partitioning as a crucial element<br>to manage complexity However, the FAA has not developed<br>any supportable criteria for establishing a partition. Although<br>partitioning has been part of the certifications of the Gulf-<br>stream 4, Airbus A320, Boeing 747-400, Douglas MD-11 and<br>is being used extensively in the certification of the Boeing 777<br>and the ongoing certification of the duce and<br>once of the commont has been non standardized and use lowely housed<br>parts of the commont has been and the and and use lowely housed |
|-----------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| e<br>E                                                                            | unce of unce approvation was seen non sumartuized and was largely asso<br>on individual engineering judgement. There is a critical need to establish<br>supportable criteria for approving partitioning in avionics applications.<br><sup>14</sup>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | indurated and was largely oused<br>here is a critical need to establish<br>ioning in avionics applications.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
| Why is Digital Design (SW and HW) so Hard to get Right?                           | Classical vs. Computer Systems                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     | uter Systems                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
| • There's nothing to go wrong but the design                                      | Classical Systems                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  | Computer Systems                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
| • Our intuition and experience is with continuous systems—but in                  | continuous state space                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | discrete state space                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
| digital system's the behavior is discontinuous                                    | smooth transitions                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | abrupt transitions                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
| • Have to separately reason about or test millions of sequences of                | finite testing                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     | finite testing inadequate,                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
| discrete state transitions                                                        | and interpolation OK                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | interpolation unsound                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
|                                                                                   | build to withstand additional stress build to specific assumptions                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | build to specific assumptions                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
| • Complexity exceeds our (unaided) intellectual grasp                             | mathematical modeling                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              | prototyping and testing                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
|                                                                                   |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |

15

IMA Issues

FAA Interest

ł

.

Ì

Ì

i

ļ

i

| Three Basic Approaches to Overcoming the Design<br>Error Problem | <ul> <li>Testing (Lots of it)</li> <li>Design Diversity (i.e. Software Fault-Tolerance: N-version programming, recovery blocks, etc.)</li> <li>Fault Avoidance:</li> </ul> | - Formal Specification/Verification | – Automatic Program Synthesis<br>– Reusable Modules | 8 | Design Diversity (i.e. Software Fault Tolerance) | • Use different versions of a program developed by dif-<br>ferent teams.                    | • Vote the outputs of the different versions. | • Hope that the redundant programs will fail independently or nearly so. |                                                |  |
|------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------|-----------------------------------------------------|---|--------------------------------------------------|---------------------------------------------------------------------------------------------|-----------------------------------------------|--------------------------------------------------------------------------|------------------------------------------------|--|
| Why Formal Methods is Needed:                                    |                                                                                                                                                                            |                                     |                                                     | 5 | Life Testing                                     | Basic Observation:<br>10 <sup>-9</sup> probability of failure estimate for a 1 hour mission | Requires                                      | $> 10^9$ hours of testing                                                | $(10^9 \text{ hours} = 114,000 \text{ years})$ |  |

| Can We Assume Independence for Multi-version Software?             | • Unlike physical failures governed by the laws of physics, software errors are the products of human reasoning. | <ul> <li>Subjective arguments have been offered for and against<br/>the independence assumption.</li> </ul> | • Subjective arguments for independence are not com-<br>pelling enough to assume it as an axiom.                                                                             | 2  | A More General Coincident Error Model? | Validating a general coincident error model would require<br>more time than life testing a single system:               | <ul> <li>Coincident errors must be observed</li> </ul> | <ul> <li>Coincident errors be shown to correspond to the general model</li> <li>Extremely rare coincident errors must be observed to show model applies in ultra-reliable region</li> </ul> | CONCLUSION:                                                   | For ultrareliable software, experiments cannot<br>demonstrate that a general coincident error model is<br>accurate. |
|--------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----|----------------------------------------|-------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------|
| What Enables Ultra-Reliability Quantification For Physical Failure | 10-9                                                                                                             |                                                                                                             | • The only thing that enables quantification of ultra-<br>reliability for hardware systems with respect to physi-<br>cal failure is the:<br><i>INDEPENDENCE ASSUMPTION</i> . | 12 | Independence Model                     | Experiments on Low Reliability Software (Kunght and Leveson)<br>• 27 versions of a program subjected to 1,000,000 input | cases.                                                 | • Observed average failure rate per input was 0.0007.                                                                                                                                       | • Independence model was rejected at 99% confidence<br>level. | • Other researchers have confirmed Knight-Leveson re-<br>sult.                                                      |

FM Versus Traditional Engineering of Digital Systems

| Method            | Approach                                                                                     | Confidence |
|-------------------|----------------------------------------------------------------------------------------------|------------|
| traditional       | Build according to engineering judge- Empirical<br>ment, test and measure failure rate       | Empirical  |
| formal<br>methods | Design according to fundamental Rational principles (axoms) and use deduction for refinement | Rational   |

Although testing methods will be used in conjunction with formal methods the *primary confidence* in this system is *not* derived from the empirical data.

52

26

**Digital System Modeling and Prediction** 

- One way to predict behavior of a system is to construct a mathematical model and calculate it.
- For this to be effective, the model must be reasonably accurate and the calculations must be performed without error.
- For many continuous systems of traditional engineering, well-developed mathematical theories (e.g., Navier-Stokes equations for aerodynamics) are available.
- For computer systems, we must use discrete mathematics (logic, set theory) and build our own theories. Proofs of theorems take the place of numerical calculation.

# This is the essence of formal methods.

What is Formal Methods

Formal Methods

- Formal Specification: Use of notations derived from formal logic to describe
- assumptions about the world in which a system will operate
  - requirements that the system is to achieve
- a design to accomplish those requirements

Formal Verification: Use of methods from formal logic to

- analyze specifications for certain forms of consistency, completeness
- prove that the design will satisfy the requirements, given the assumptions
- prove that a more detailed design implements a more abstract one

| Formal Methods: Specification                                                                                                                                                                                                                                                                                                                                                                                                                                        | Formal Methods: Verification                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| <ul> <li>Instead of differential equations, the properties and behaviors are described using concepts from discrete mathematics: sets, graphs, partial orders, finite-state machines, and so on.</li> <li>The specification may be in traditional mathematical notation or in a computer-processable language: <ul> <li>enables typechecking</li> <li>some automatic consistency checks</li> </ul> </li> <li>Provides a clear, unambiguous specification.</li> </ul> | <ul> <li>Formal Verification is more akin to proving theorems in geometry than to ordinary numerical calculation,</li> <li>but like calculation it is performed according to strict rules</li> <li>so one person can check the work of another</li> <li>and computers can be used to automate some of the steps.</li> <li>The particular importance of formal methods to safety-critical systems is that they uniquely permit analysis of all the logical behaviors of a digital system [subject to some caveats].</li> <li>Total exploration is the only way to provide assurance that catastrophic failure does not lie hidden among the vast number of possible behaviors.</li> </ul> |
| R                                                                                                                                                                                                                                                                                                                                                                                                                                                                    | 8                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
| How Is Total Exploration Possible?                                                                                                                                                                                                                                                                                                                                                                                                                                   | The Advantages of Formal Methods                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
| Mathematical logic provides ways to reason about the properties of<br>large or infinite collections of related things in a finite manner:<br>• <i>skolemization</i> allows us to draw conclusions for all values of a given<br>variable by reasoning about a single representative symbolic con-                                                                                                                                                                     | • Enable faults in assumptions, requirements, design to be detected<br>earlier than otherwise due to greater precision and explicitness<br>early in the lifecycle.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
|                                                                                                                                                                                                                                                                                                                                                                                                                                                                      | • Enable faults to be detected with greater certainty than otherwise,<br>by augmenting reviews with analysis.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
| of some ordered domain (e.g., the natural numbers, 0, 1, 2, ) by<br>showing                                                                                                                                                                                                                                                                                                                                                                                          | • Can provide total coverage of selected, modeled properties.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
| (a) that the property is true for the least element (e.g., 0)<br>(b) that when it is true for all members up to some point (e.g., n),<br>then it is also true for the next point<br>(e.g., $n + 1$ )                                                                                                                                                                                                                                                                 | • Guarantee absence of specified faults (subject to accuracy of mod-<br>eling employed), because the calculations (proofs) can be checked<br>mechanically (by a theorem prover)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |

31

Conclusions

- 1. Formal methods offers the most intellectually defensible means of producing life-critical systems
- 2. Formal methods is the application of mathematical logic to digital system design and verification

g

.

| <section-header><section-header><section-header><section-header><section-header><section-header><section-header><section-header><text></text></section-header></section-header></section-header></section-header></section-header></section-header></section-header></section-header>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | <ul> <li>Here presentations are <u>not</u> intended to</li> <li>These presentations are <u>not</u> intended to</li> <li>These presentations are <u>not</u> intended to</li> <li>Frable you to carry on a meaningful conversation with mathematical logicians</li> <li>Present a balanced view of the relative capabilities of existing formal methods tools and techniques</li> <li>Discuss all of the domains in which formal methods may be applied</li> <li>Discuss all of the domains in which formal methods may be applied</li> <li>Tell you all you need to know to become a formal methods expent</li> <li>Put you to steep</li> </ul>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |  |
|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--|
| <section-header><section-header><section-header><section-header><section-header><section-header><section-header><section-header><section-header><section-header><section-header><section-header><section-header><section-header><section-header><section-header><section-header><section-header><section-header><section-header><section-header><section-header><section-header><section-header><section-header><section-header><section-header><section-header><section-header><section-header><section-header><section-header><text></text></section-header></section-header></section-header></section-header></section-header></section-header></section-header></section-header></section-header></section-header></section-header></section-header></section-header></section-header></section-header></section-header></section-header></section-header></section-header></section-header></section-header></section-header></section-header></section-header></section-header></section-header></section-header></section-header></section-header></section-header></section-header></section-header> | <b>Purposes</b><br>The five main purposes of these presentations are to<br>The five main purposes of these presentations are to<br>Provide a high-level overview of some of the foundations<br>of formal methods<br>The foundations<br>of formal methods may be applied<br>in various domains<br>Set the context for the remaining presentations at this<br>workshop<br>The foundations<br>The foundat |  |

East 24 ... Werner an worth

Comt

| What Does "Formal" Mean?                                                                                                                                                                                                     | What Does "Formal" Mean?                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| When many people think of the word "formal", they think of something like this:                                                                                                                                              | <ul> <li>Others think "formal" means one or more of the following<br/>things:</li> </ul>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
|                                                                                                                                                                                                                              | boring, uninteresting<br>difficult to understand, complicated                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
|                                                                                                                                                                                                                              | filled with many odd symbols and foreign letters<br>$\forall \exists \supset \lambda \otimes \land \lor                                $                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
|                                                                                                                                                                                                                              | <ul> <li>One of the goals of this workshop is to convince you that<br/>none of these perceptions is necessarily true</li> </ul>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
|                                                                                                                                                                                                                              |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
|                                                                                                                                                                                                                              |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
|                                                                                                                                                                                                                              |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
| What Does "Formal" Mean?                                                                                                                                                                                                     | What Does "Formal" Mean?                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
| <ul> <li>Webster's dictionary gives the following as one of the<br/>definitions of "formal":<br/>relating to, concerned with, or constituting the outward form of something as<br/>distinguished from its content</li> </ul> | International Printing Printing International Printing PrintigePrinting Printing Pri |
| <ul> <li>A method is formal if its rules for manipulation are based on<br/>form (syntax) and not on content (semantics)</li> </ul>                                                                                           | there are a set of the |

R

Validity of addition rests on its form alone — as fong as like objects are added, it doesn't matter what those objects are.

-- 2 mice + 2 mice = 4 mice -- 2 cats + 2 cats = 4 cats

-- 2x + 2x = 4x

2 cats + 2 mice = 7777

. Simple arithmetic is an example of such a method:

Ð

Is this table "formal" ?

| Symbolic Logic           | <ul> <li>The majority of existing formal techniques are based on<br/>some flavor of symbolic logic</li> </ul> | <ul> <li>Remainder of my talk will provide brief informal introduction<br/>to each of the following:</li> <li>Propositional Logic</li> <li>Predicate Logic</li> <li>Other Logics</li> </ul>                                                                                                                                            | <ul> <li>Along the way, we'll also discuss some of the difficulties in<br/>translating natural language into a logic</li> </ul> |  | Propositional Logic | <ul> <li>Propositions may be combined using the following<br/>connectives:</li> </ul>                      | and (<): $P \wedge Q$ is true when both P and Q are true | or (v): $P \lor Q$ is true when either P or Q is true | <b>not</b> (–): –P is true when P is false                        | <b>if-then</b> (⇒, ⊃): $P \supset Q$ is true except when P is true and Q is false                                    | <b>If-and-only-if</b> (≡): $P \equiv Q$ is true when P and Q have the same truth value |  |
|--------------------------|---------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------|--|---------------------|------------------------------------------------------------------------------------------------------------|----------------------------------------------------------|-------------------------------------------------------|-------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------|--|
| What Does "Formal" Mean? | [Operational Procedures (possible actional                                                                    | And     Intervent     Intervent     Intervent     Intervent     Intervent       Three     Intervent     Intervent     Intervent     Intervent     Intervent       Three     Intervent     Intervent     Intervent     Intervent     Intervent       Muschyl     were intervent     Intervent     Intervent     Intervent     Intervent | ather = sunny) and no                                                                                                           |  | Propositional Logic | <ul> <li>A proposition is a statement that is either true or false</li> <li> Today is Wednesday</li> </ul> | I have a son named David<br>2 + 2 = 5                    | Fermat's last theorem is true                         | This workshop is the most valuable workshop I've ever<br>attended | . The possibility of assigning a truth value is all that is required: actual determination of the truth value is not |                                                                                        |  |

| Propositional Logic                                       | <ul> <li>Some properties (axioms &amp; theorems) of propositional logic</li> <li>commutativity: P ∧ Q = Q ∧ P, P ∨ Q = Q ∨ P</li> <li>associativity: P ∧ (Q ∧ R) = P ∧ (Q ∧ R), same for ∨</li> <li>distributivity: P ∧ (Q ∧ R) = (P ∧ Q) ∧ (P ∧ R)</li> <li>P ∨ (Q ∧ R) = (P ∧ Q) ∧ (P ∧ R)</li> <li>P ∧ (Q ∧ R) = (P ∧ Q) ∧ (P ∧ R)</li> <li>C B Morgan's laws: ¬(P ∧ Q) = ¬P ∨ ¬Q</li> <li>double negation: ¬P = P</li> <li>double negation: ¬P = P</li> <li>double negation: P ⊃ Q = ¬P ∨ Q</li> </ul> | Propositional Logic | <ul> <li>A proof of a given proposition establishes the truth of the<br/>proposition based only on axioms, theorems, and inference<br/>rules</li> </ul> | <ul> <li>For propositional logic, truth tables provide a means of defining truth</li> </ul> | Propositional logic is     | complete: everything that is true may be proven | consistent (sound): nothing that is false may be proven | decidable: there exists a mechanical procedure for deciding whether any proposition is true or false |  |
|-----------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------|----------------------------|-------------------------------------------------|---------------------------------------------------------|------------------------------------------------------------------------------------------------------|--|
| Propositional Logic<br>(connectives vs. natural language) | Please note that each connective has a precisely defined meaning<br>This meaning does not always correspond to the natural language meaning<br>The definition of <b>If-then</b> especially tends to confuse many people, because it does not require cause and effect<br>$2+2=4 \supset 2\times 2=4$<br>$2+2=5 \supset 2\times 2=6$<br>$2+2=5 \supset 2\times 2=5$<br>$2+2=5 \supset 2\times 2=5$<br>$2+2=5 \supset 2\times 2=5$ is false                                                                  | Propositional Logic | <ul> <li>Inference rules permit reasoning (deducing conclusions<br/>based on the truth of certain premises)</li> </ul>                                  | Some inference rules of propositional logic include                                         | modus ponens modus tollens | P_Q P_Q                                         | D_L<br>D_L                                              |                                                                                                      |  |

| Logic         | )               |
|---------------|-----------------|
| Propositional | (proof example) |

. Show that  $P \supset (Q \supset S) \equiv (P \land Q) \supset S$ 

. Proof

| by implication definition | by implication definition | by associativity | by De Morgan   | by implication definition | QED |
|---------------------------|---------------------------|------------------|----------------|---------------------------|-----|
| ≡ ⊸P ∨ (Q ⊃ S)            | ≡ ¬P ∨ (¬Q ∨ S)           | ≡ (–Pv–Q)vS      | ≡ ⊣(P ∧ Q) ∨ S | ≡ (P ∧ Q) ⊃ S             |     |
| $P \supset (Q \supset S)$ |                           |                  |                |                           |     |

Ð

# **Predicate Logic**

- Propositional logic only permits reasoning about (true or false) complete sentences
- · There is no way to reason about individual objects
- -- There is a number n where  $n \times n = n + n$
- -- All cats have whiskers
- Predicate logic extends the formal language to permit reasoning about objects and the relationships between them
- --- 3n: n × n = n + n
- -- Va: Cat(a) > Whiskers(a)



# Predicate Logic

- Objects in predicate logic are denoted by expressions called *terms*.
- -- Constants a, b, c, ... are terms
- -- Variables u, v, w, ... are terms
- -- If t<sub>1</sub>, t<sub>2</sub>, ..., t<sub>n</sub> are terms and f is a symbol that denotes a function of n arguments, then f(t<sub>1</sub>, t<sub>2</sub>, ..., t<sub>n</sub>) is a term
- In predicate logic, propositions are defined as follows:
- -- true and false are propositions
- -- If t<sub>1</sub>, t<sub>2</sub>, ..., t<sub>n</sub> are terms and *p* is a symbol that denotes a predicate of n arguments, then *p*(t<sub>1</sub>, t<sub>2</sub>, ..., t<sub>n</sub>) is a

proposition

### Predicate Logic (sentences & connectives)

- Every proposition is also a sentence (or formula)
- . Santances may also he constructed rising the conner
- . Sentences may also be constructed using the connectives from propositional logic; if S and T are sentences, so are  $S \wedge T$ ,  $S \vee T$ ,  $\neg S$ ,  $S \supset T$ ,  $S \equiv T$
- the meaning of each of these is as expected
- If x is a variable and S is a sentence, then the following are also sentences:
- -- Vx: S true if S is true for all possible values of x
- -- 3x: S true if S is true for at least one value of x

| Predicate Logic<br>(translating from English) | Translating natural language centenges into predicete logic | is sometimes fairly simple    | <ul> <li>Consider the following sentence:</li> <li>All humans are mortal</li> </ul> |                                                                      | • Osling the predicates human(x) and mortal(x), we have<br>∀x: human(x) ⊃ mortal(x)                                                                                                                | Predicate Logic<br>(transtating from English correctly)   | <ul> <li>This sentence does not have the intended meaning: it<br/>requires that an object be both an apple and an orange</li> <li>The following is what we really want:</li> </ul> | $\forall x: (apple(x) \lor orange(x)) \supset (delicious(x) \land nutritious(x))$                        | <ul> <li>Here are a few more sentences for you to try at your leisure</li> <li>Government workers are not always lazy</li> <li>Testing never reveals the absence of errors</li> <li>Only early registrants can attend the dinner at Captain George's</li> <li>Nothing of importance was said at the workshop</li> <li>A company creates good software if and only if it uses formal methods</li> </ul> |
|-----------------------------------------------|-------------------------------------------------------------|-------------------------------|-------------------------------------------------------------------------------------|----------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Predicate Logic                               | · Some properties of predicate logic                        | צר :אל ≡ S:אבר Sר :אE ≡ S:אלר | Vx: S ≡ ¬∃x: ¬S = ¬∀x: ¬S<br>Vx: Vy: S ≡ Vy: Vx: S = ∃y: ∃y: S = ∃y: ∃x: S          | . The following are true if $\mathbf{x}$ is not a free variable in S | $S \lor \forall x: T \equiv \forall x: (S \lor T)$ $S \lor \exists x: S \lor T \equiv \exists x: (S \lor T)$ $S \land \forall x: T \equiv \forall x: (S \land T)$ $S \land \exists x: (S \land T)$ | Predicate Logic<br>(translating from English incorrectly) | · Translating natural language sentences into predicate logic is sometimes a little tricky                                                                                         | <ul> <li>Consider the following sentence:<br/>Apples and oranges are delicious and nutritious</li> </ul> | . Using the predicates apple(x), orange(x), delicious(x), and nutritious(x), we might try the following:<br>$\forall x$ : (apple(x) $\land$ orange(x)) $\supset$ (delicious(x) $\land$ nutritious(x))<br>. Is this what we want?                                                                                                                                                                       |

R

N

| <u>0</u> | ers)     |
|----------|----------|
| ō        | ŝ        |
| Q        | <u>a</u> |
|          | lish     |
| e        | <u> </u> |
| ā        | Ē        |
| <u>.</u> | Ę        |
| D        | ting     |
| Ð        | sla      |
| Ē        | trar     |
| _        | <u> </u> |

Government workers are not always lazy

Only early registrants can attend the dinner at Captain George's  $\exists x: government-worker(x) \land \neg lazy(x)$  $\forall x: testing(x) \supset \neg reveal-absence(x)$  $\forall x$ : dinner(x)  $\supset$  early-registrant(x) Testing never reveals the absence of errors

Nothing of importance was said at the workshop

∀x: important(x) ⊃ ¬said-at-workshop(x)

A company creates good software if and only if it is uses FM

 $\forall x: company(x) \supset (good-software(x) \equiv uses-formal-methods(x))$ 

Ð

# **Predicate Logic**

- · A key concept in developing proofs in predicate logic is skolemization
- -- Provides procedure for reducing a sentence into a propositional sentence that is true if the original sentence is true
  - -- Based on appropriate elimination of quantifiers
- Predicate logic is complete and consistent, but is only semidecidable:
- -- There is a mechanical procedure that will terminate for all true sentences
- -- This procedure may not terminate for all false sentences, but it will identify the sentence as false if it does terminate

N

# Predicate Logic

. Consider the sentence

 $\forall x: \exists y: y = x + 7$ 

. We first replace the universally quantified variable x by the arbitrary constant a

Higher order logic (or type theory) allows functions to take functions as arguments and to return functions as values,

Constructive logic requires that a proof of existence of an

object provides a procedure for constructing the object

and permits quantification over functions and predicates

reasoning about imperative programs and program state

Programming logics provide rules for specifying and

Modal logics, temporal logics, logics for partial functions

Many-sorted logic extends predicate logic by dividing the

**Other Logics** 

universe from which variables and constants are chosen

into several sorts (e.g., integers, reals, characters)

 $\exists y: y = a + 7$ 

. We may now remove the existential quantifier, giving the Skolem form for the sentence

y = a + 7

. This is easily satisfied by letting y = a + 7

a + 7 = a + 7

QED

31

R

R

| Higher Order Logic | <ul> <li>What does<br/>list(i) = g<br/>mean?</li> </ul>                                                                                                                                                      | <ul> <li>Two functions are defined to be equal if for every possible argument value, they return the same result</li> <li>This can be expressed in our notation as <ul> <li>V(x : nat)</li> <li>list(i)(x) = g(x)</li> </ul> </li> </ul> |                           |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
|--------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Higher Order Logic | <ul> <li>Consider the following statement:</li> <li>There does not exist a list of all the possible functions that take a natural number as an argument and return a natural number as the result</li> </ul> | <ul> <li>In a higher order logic, we might express this as follows:        ∃(list : function[nat → function[nat → nat]))         V(g : function[nat → nat])         ∃(i : nat)         list(i) = g</li> </ul>                            | <b>Concluding Remarks</b> | <ul> <li>Of the five main purposes mentioned at the beginning, I hope that my presentation has</li> <li> Provided a high-level overview of some of the foundations of formal methods</li> <li> Begun to set the context for the remaining presentations at this workshop</li> <li> Perhaps motivated future in-depth study of formal methods</li> <li> Perhaps motivated future in-depth study of formal methods</li> <li> Perhaps motivated future in-depth study of formal methods</li> <li> Pennaining presentations should continue to motivate and to set context, and should also</li> <li> Demonstrate the variety of formal methods may be applied in various domains</li> </ul> |

Application of Logic to Digital System Design

Paul S. Miner May 10, 1995

#### Supporting text

The purpose of this talk is to illustrate what activities comprise the application of formal methods to digital system design. The examples given in this presentation are all drawn from real applications of formal methods.

A much better introduction to the issues involved is: John Rushby: Formal Methods and their Role in the Certification of Critical Systems, Technical Report CSL-95-1, Computer Science Laboratory, SRI International, March 1995. http://www.csl.sri.com/csl-95-1.html

### Outline

---

- Formal Specification
- Formal Proof Activities
- Degree of Rigor
- Obstacles to Getting Started

### Supporting text

- The first part of the talk will address some of the issues involved in developing a formal speci-fication. This will include illustrations of different styles of specification using examples drawn from real applications.
- The next section of the talk will address some of the different styles of refinement and proof in a formal development process.
- Formal methods can be applied with varying degrees of rigor. A taxonomy of levels of rigor will be presented.
- There are a number of obstacles for first time users to overcome. This section of the talk will
  enumerate some of the obstacles; hopefully, the remainder of this workshop will provide insights for overcoming them.

~

## Formal Specification

Formal Specification: Use of notations derived from formal logic to describe

- assumptions about the world in which a system will operate
- requirements that the system is to achieve
- the intended behavior of the system

Styles of Specification Different approaches are used for these descriptions:

- Properties-enumeration of assumptions and requirements
- Functions-express desired behavior or design descriptions
- State-machines—express desired behavior or design descriptions

•

Assumptions at one level become requirements at a lower level.

~

## Example of Property-Based Specification (Fault-tolerant clock synchronization)

1. There is a  $\rho \ll 1$  such that for any clock  $C_p$  that is non-faulty during the interval from  $t_1$  to  $t_2$ :

 $(1ho)(t_2-t_1) \leq C_p(t_2) - C_p(t_1) \leq (1+
ho)(t_2-t_1)$ 

2. There is a  $\delta$  such that if clocks  $C_p$  and  $C_q$  are non-faulty at time t, then:

 $|C_p(t) - C_q(t)| < \delta$ 

### Supporting text

There are a number of different forms a formal specification can take. Often the style of specification will reflect the problem domain. Specifications describe some combination of *assumptions*, *requirements*, and *intended behavior* of the system. The description of the behavior can be high-level and abstract, or it may reflect a level in a design heirarchy.

#### Supporting text

The first property states that the function  $C_{\mu}$  is a clock, that is, it provides a reasonable measure of the passage of time. The second states that any two non-faulty clocks in the collection are synchronized.

~

### Example of Functional Specification (Floating-point Operations)

IEEE floating-point arithmetic requires that each arithmetic operation be performed as if it first produced a result correct to infinite precision and unbounded range, and then coerced this result to fit in the destination's precision. [ANSI/IEEE STD 854-1987]

#### Supporting text

This is an example of an informal requirement. The easiest way to define arithmetic operations is to use a function based specification. With a sufficiently expressive specification language, this is a rather straightforward exercise.

### Floating-Point Operations (DECLARATIONS)

FP = the set of floating-point numbers

Fin~=~ the set of finitely valued floating-point numbers,  $Fin \subset FP$ 

M = the set of rounding modes

 ${f R}~=~$  the set of real numbers

fin1, fin2  $\in$  Fin

 $mode \in M$ 

 $fp\_to\_real: Fin \rightarrow \mathbf{R}$ real\_to\_fp:  $R \times M \rightarrow FP$ 

### Supporting text

The definition of floating-point operations assume that we have the following:

ŝ

ŝ

• A set of objects that represent the floating-point numbers

 A proper subset of the floating point numbers that represents the finitely valued floating point numbers

A finite set of rounding modes

Real Numbers

 Function fp\_to\_real is defined to convert any finitely valued floating-point number to a real number.

 Function real\_to\_fp takes two arguments: a real number and a rounding mode. It coerces the real into a floating-point representation in accordance with the rounding mode.

Floating-Point Addition (Partial Specification) For floating-point addition of two finitely valued arguments, fin1 and fin2, the expression

fp\_to\_real(fin1) + fp\_to\_real(fin2)

defines the infinitely precise result.

Supporting text

We can then define arithmetic operations correct to infinite precision and unbounded range using the corresponding operator in real arithmetic.

Floating-Point Addition (CONTINUED) The formal specification of floating-point addition for finitely valued arguments is:

Supporting text

This specification states precisely what a realization of floating-point addition for finite arguments must compute. It does not in any way determine how this function may be implemented. This definition also formally captures, in a natural way, the informally stated requirements of the standard.

~

+-

.

Ì

# State-machine Specification

Design layers formalized as state machines

- State represents memory contents and hardware status
- Transition function defines state transitions

Interpretation maps lower level states into higher level states



Need to show that diagram "commutes" to establish that layer i+1 correctly implements layer  $\dot{z}_i$ 

 $Map(N_{i+1}(s_{i+1})) = N_i(Map(s_{i+1}))$ 

6



### Supporting text

State-machine based specifications are useful for describing the behavior of digital systems. Systems are specified as a collection of states and a transition function. Different levels in a design hierarchy are related by abstraction mappings. Verification consists of showing that diagrams commute.

### Supporting text

This slide illustrates a data abstraction similar to what would be used in a verification of a microprocessor. The macro-level defines the programmers view of the state; this include the accumulator, program counter, stack pointer and memory. The micro-level introduces some additional storage locations necessary for a correct realization of the macro-level specification; this includes the memory address register, memory data register, the instruction register, and microprogram counter.

2

**Temporal Abstraction** 

Supporting text

This diagram illustrate a simple temoral abstraction. The high-level state transition function is realized using a sequence of lower level state transitions.



# Formal Proof Activities

Use of methods from formal logic to

1. analyze specifications for certain forms of consistency, completeness

2. prove that specified behavior will satisfy the requirements, given the assumptions

3. prove that a more detailed design implements a more abstract one

### Supporting text

Ξ

Ξ

.

A verification effort can consist of a number of different proof activities. There are a number of formal techniques for analyzing specifications. These help provide assurance that the specification describes what we intend. Proof techniques are useful for showing that specified behavior exhibits desired properties. Similarly, proof can be used to relate different levels in a design hierarchy.

Formal Analysis of a Specification (1)

One property we might want to prove about the functions real.to fp and fp\_to\_real from the floating-point addition specification is that for every finitely valued floating-point number and every rounding mode:

real\_to\_fp(fp\_to\_real(fin),mode) = fin

Supporting text

In order to ensure that the specification captures what we intend, we postulate certain properties that should be true of the specification. Formal techniques allow us to prove a spcification posseses these properties. This is sometimes referred to as formal validation.

The example presented here states that the function converting real numbers to floating-point representations should invert  $f_p$ -to\_real, invespective of the rounding mode. As stated, the property is not true. Additional restrictions are required, because the IEEE-854 floating-point stadard allows redundant encodings.

Verification of Fault-Tolerant Algorithms (2)

Top-level: Properties that algorithm should possess Lower-level: Abstract description of the algorithm and underlying assumptions Prove: The algorithm satisfies desired properties given the assumptions

Supporting text

As an example, the top-level requirement for fault-tolerant clock synchronization is an enumeration of properties. The verification of an algorithm consists of showing that the algorithm, given certain assumptions about the environment, ensures all the properties.

2

n

Σ

Σ

**Design Verification (3)** 

Top-level: Abstract description of system (and assumptions)

Lower-level: Detailed description of system (and assumptions)

Prove: The detailed system description has the same behavior as the abstract description given the assumptions and an abstraction function relating the two systems.

Supporting text

The next example will give a high-level overview of design verification.

Design Refinement and Proof (Example: Reliable Computing Platform)

Single-frame state transition divided into four phases



#### Supporting text

This diagram illustrates four levels in the design hierarcy of the Reliable Computing Platform. The top-level specification provides the applications programmer a high-level view of a single. ultra-reliable computer. Lower levels in the diagram introduce the necessary replication and redundancy management to mask physical failures. These levels all use the state-machine approach.

2

# Hierarchical Specification of the Reliable Computing Platform



5

5

# **Correctness of Specification**

How do we know that a specification is what we intend?

- At intermediate levels in the design hierarchy, the specification is a refinement of higher-level requirements
- If the higher levels are related by proof, then the requirements at this level are sufficient to ensure the high level requirements
- At the top-level, we must resort to review.
- The presence of a formal specification enables formal challenges. A review can identify additional properties that a design must possess. Formal verification techniques can then be used to either prove the design already possesses the property or reveal its absence.
- At the bottom levels in a design hierarchy, we must show that the assumptions are consistent.

2

2

#### Supporting text

This slide shows all the levels in the RCP design verification effort. The top four levels are the same step prvious slide. This slide also illustrates how the clock synchronization is addressed. The top four levels assume the clock synchronization properties. At a lower level, a proof is given showing that an algorithm guarantees the properties. This hierarchy illustrates how different techniques may be employed in one large verification effort.

### Supporting text

Formal techniques can ensure that intermediate steps in the design process are carried out correctly. but we are still faced with the problem of correctly stating the top-level specification. Formal specification techniques enable us to analyze the top level specification in a more rigorous fashion, thus providing confidence that the specification is what we intend. However, it is still necessary to review the top-level to ensure that it matches expectations.

# Levels of Rigor

Level 1: Specification (and proof) using conventional mathematical notation.

Level 2: Specification using a formal specification language with manual proofs.

Level 3: Specification in a formal language with automatically checked or generated prools.

Supporting text

- Level 1 formal techniques allow freedom of expressiveness, but very little potential for mechanized support. The logical system need not be precisely defined and proofs need not explicitly address all the details.
- In Level 2, the specification language has a well defined syntactic structure and proofs proceed
  according to well defined rules. There is potential for some mechanized support to ensure that
  specifications adhere to syntactic rules and that some proof rules are applied correctly.
- In Level 3. the language and proof system have tightly integrated mechanized support. Sometimes, expressiveness of logic is restricted to allow more efficient/automatic mechanized support. Makes it feasible to formally analyze systems with greater precision than is possible with paperand-pencil approaches.

61

5

# Mechanized Support for Formal Methods

General Purpose Theorem Provers: Specification and Proof using the logic supported by theorem prover. Proofs are semi-automatic. Many of the steps are automated, but some require insight.

Examples include: PVS, HOL, Nuprl, Nqthm/Acl2, IMPS, ...

Specialized Approaches:

- Model Checking: Fully automatic proofs that state machine description of hardware possess specified properties. Specifications given in a decidable temporal logic. An example system is SMV. Tools employing related techniques include COSPAN and Murdo.
- Design Derivation: Design proceeds from a behavioral level description to a hardware design via a series of *correctness prescrving refinements*. Example systems include DDD and DRS.
  - Software: Machine checked verification of Ada code (Penelope). Decision tables for specification of software requirements (TableWise).

Supporting text

There are a number of chioces for level 3 application of formal methods. Specialized tools are useful for addressing some areas of the design space, but general purpose systems allow for addressing a number of different verification techniques within a single framework. Current research efforts a number of different verification tegeneral purpose theorem provers with the more specialized techniques.

# Obstacles to getting started

# Diversity of tools

- Choice of proper tool is difficult
- -- Over 50 notations, methods, and tool listed on WWW Formal Methods Virtual
  - http://www.comlab.ox.ac.uk/archive/formal-methods.html Library
    - Many domain specific tools and techniques
- Little support for combining results from different tools
  - Some efforts currently in progress
    - Immaturity of Tools
- Most tools are research prototypes Lack of sufficient Libraries

  - Education

Supporting text

The diversity of tools and techniques is both a blessing and a curse. There are a number of domain specific approaches that are appealing, but a significant amount of expertise is required to make an intelligent choice.

5

OPMIL

,

| Flight Schedule Example<br>Requirements for an Airport Flight Schedule Database | <ul> <li>The flight schedule database shall store the scheduling information associated with all departing and arriving flights. In particular the database shall contain: <ul> <li>departure time and gate number</li> <li>arrival time and gate number</li> <li>arrival time and gate number</li> <li>noute (i.e. navigation way points)</li> <li>for each arriving and departing flight.</li> </ul> </li> <li>There shall be a way to retrieve the scheduling information given a flight number.</li> <li>It shall be possible to add and delete flights from the database.</li> </ul> | 2<br>Getting Started                   | Let's start with approach 2:<br>function whose domain is all possible flight numbers and range is all possible<br>schedules. Adding and deleting entries via modification of function values. | In traditional mathematical notation, we would write:<br>Let $N = \text{set}$ of flight numbers<br>S = set of schedules                                               | $D: N \longrightarrow S$ where $D$ represents the database and $S$ represents all of the schedule information.                                                                          | Note that the details have been <i>abstracted away.</i> This is one of the most important steps in producing a good formal specification. |
|---------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------|
| Flight Schedule Database Example                                                | by<br>Ricky W. Butler<br>NASA, Langley Research Center<br>May 19, 1995                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    | 1<br>Formal Requirements Specification | • How do we represent the flight schedule database mathematically?<br>1. a set of ordered pairs of flight numbers and schedules. Adding<br>and deleting entries via set addition and deletion | 2. function whose domain is all possible flight numbers and range<br>is all possible schedules. Adding and deleting entries via mod-<br>ification of function values. | 3. function whose domain is only flight numbers currently in database<br>and range is the schedules. Adding and deleting entries via<br>modification of the function domain and values. | Note: The choice between these is strongly influenced by the ver-<br>ification system used.                                               |

. .

| Accessing an Entry                      | Let $N = \text{set of flight numbers}$<br>S = set of schedules<br>$D = \text{set of functions} : N \longrightarrow S$<br>$\forall d \in D \text{ and } ftt \in N.$                                                                                   | find_schedule : $D \times N \longrightarrow S$<br>find_schedule(d, flt) = $d(flt)$<br>Note that find_schedule is a higher-order function since its first argument is a function.   | The WITH Notation<br>sin(x):<br>$\operatorname{sin}(x)$ $\operatorname{sin}(x)$ $sin$ |
|-----------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Specifying the Flight Schedule Database | $D: N \longrightarrow S$<br>How do we indicate that we do not have a flight schedule for all possible flight numbers?<br>We declare a constant of type $S$ , say " $u_o$ ", that indicates that there is no flight scheduled for this flight number. | Now can define an empty database. In traditional notation, we would<br>write:<br>$empty_database : N \longrightarrow S$<br>$empty_database(fit) \equiv u_o$<br>$\forall fit \in N$ | Specifying Adding/Deleting an Entry<br>Let $N = \text{set of flight numbers}$<br>S = set of schedules<br>$D: N \to S$<br>$u_o \in S$<br>$u_o \in S$<br>$u_o \in S$<br>$D = \text{set of functions} : N \to S$<br>$\forall d \in D, \forall f u \in N, \forall \text{sched} \in S$<br>$add_f \text{light} : D \times N \times S \to D$<br>$add_f \text{light} : D \times N \times S \to D$<br>$add_f \text{light} : D \times N \to D$<br>$delete_f \text{light} (d, f \text{lit})(x) = \begin{cases} d(x) & \text{if } x \neq f \text{lit} \\ u_o & \text{if } x = f \text{lit} \end{cases}$                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |

r+

œ

| Complete Spec (Omitting Function Signatures)                                                                                                         | Attempted Verification Of Putative 2 Reveals a Problem                                             |
|------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------|
| Let $N = \text{set of flight numbers}$<br>S = set of schedules<br>$D = \text{set of functions} : N \longrightarrow S$                                | LEMMA (putative 2): delete-flight(add-flight(d, flt, schcd), flt) = d<br>Proof:                    |
| $\forall d \in D, \forall f \\ u \in S, \forall schcd \in S$                                                                                         | delete_flight(add_flight(d, flt, sched), flt) =                                                    |
| $f$ ind_schedule( $d$ , $f$ lt) = $d(f$ lt)                                                                                                          | delete_flight(d WITH [/it := sched]) =                                                             |
| add-flight(d, flt, sched)(x) = d WITH [flt := sched]                                                                                                 | $d \text{ WITH } [fit := sched] \text{ WITH } [fit := u_0] =$                                      |
| $dclctc-flight(d, flt)(x) = d $ WITH $[flt := u_o]$                                                                                                  | $d \text{ WITH } [Jit := u_0] = ??$                                                                |
|                                                                                                                                                      | But there is no way to reach d, because                                                            |
| Can test spec with some putative theorems:                                                                                                           | $\alpha \text{ WITH }  f(t) = u_0,$ unless $d(f(t) = u_0,$                                         |
| LBMMA (putative 1) : find_schedule(add_flight(d, flt, sched), flt) = sched<br>LBMMA (putative 2) : delete_flight(add_flight(d, flt, sched), flt) = d | This is only true if the $/lt$ is currently not scheduled in the flight database.                  |
| 5                                                                                                                                                    | 9                                                                                                  |
| Verification Reveals Oversight                                                                                                                       | Verification Reveals Oversight (Cont.)                                                             |
|                                                                                                                                                      | Let $N = \text{set of flight numbers}$                                                             |
| • We realize that we only want to add a flight with flight number $flt$ , if one is not already in the database.                                     | S = set of schedules<br>$D = \text{set of functions} : N \longrightarrow S$                        |
| • If $flt$ is already in the database, we probably need the capability to change it.                                                                 | $\forall d \in D, \forall f \mid t \in N, \forall sched \in S$                                     |
| Thus, we modify add-flight and create a new function change_flight:                                                                                  | scheduled?(d, flt) : boolean = $d(flt) \neq u_o$                                                   |
|                                                                                                                                                      | add-flight(d, flt, sched) =<br>IF scheduled?(d, flt) THEN d<br>ELSE d WITH {flt := sched] ENDIF    |
|                                                                                                                                                      | change_flight(d, flt, sched) =<br>IF scheduled?(d, flt) THBN d WITH [flt := sched]<br>BLSB d BNDIF |

| A Minor Problem                   | To check our new function schedule? we postulate the following putative theorem:<br>SchedAdd: LEMMA schedule?(add.flight(d, flt, sched).flt) | Proof:                                        | scheduled?(add_flight(d, flt, sched)) =<br>scheduled?( IF scheduled?(d, flt) THEN d<br>ELSE d WITH [flt := sched] ENDIF = | IF $d(f(t) \neq u_0$ THEN $d(f(t) \neq u_0$<br>BLSE $d$ WITH $[f(t) := sched](f(t) \neq u_0$ ENDIF = | $d \text{ WITH } [fit := sched](fit) \neq u_0$                | $sched  eq n_o$      | which is not provable because nothing prevents $sched = u_o$ .     | Another Example of a Putative Theorem | $\langle Ai:fit_i \neq fit_i \rangle$                                                                                       | $find$ -schedule( $d_0, flt$ ) = sched $\wedge$ | $d_1 = add_f(lght(d_0, flt_1, sched_1)) \land$ | $d_2 = add_f light(d_1, flt_2, sched_2) \wedge$ |                                                    |                                                               | $d_n = add_f light(d_{n-1}, flt_n, sched_n)$       |                                                        | $\int md_s chedule(d_n, flt) = sched$                     |                                               | • Formal methods can establish that even in the presence of an <i>arbitrary</i> number of operations a property holds. |
|-----------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------|---------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------|---------------------------------------------------------------|----------------------|--------------------------------------------------------------------|---------------------------------------|-----------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------|------------------------------------------------|-------------------------------------------------|----------------------------------------------------|---------------------------------------------------------------|----------------------------------------------------|--------------------------------------------------------|-----------------------------------------------------------|-----------------------------------------------|------------------------------------------------------------------------------------------------------------------------|
| Putative 2 Proof After Correction | LEMMA (putative 2): NOT schedvled?(d, flt) )<br>delete_flight(add_flight(d, flt, sched), flt) = d<br>Proof:                                  | delete_flight(add-flight(d, flt, sched), flt) | = delete_flight( IF scheduled?(d, flt) THEN d<br>ELSE d WITH [flt := sched] BNDIF )                                       | $= delete_flight(d WITH {flt := sched})$                                                             | $= d \text{ WITH } [flt := schcd] \text{ WITH } [flt := u_o]$ | [on =: til] HTTW b = | $= d \qquad (because NOT scheduled?(d, flt) \supset d(flt) = u_o)$ | A Minor Problem Repaired              | We then realize that our specification does not rule out the possibility of assigning a " $u_0$ " schedule to a real flight | Let $N = \text{set of flight numbers}$          | S = set of schedules                           | $S^* =$ set of schedules not including $u_o$    | $D = \text{set of functions}: N \longrightarrow S$ | $\forall d \in D, \forall f   t \in N, \forall sched \in S^*$ | $f$ ind. schedule : $D \times N \longrightarrow S$ | add-flight : $D \times N \times S^* \longrightarrow D$ | change_flight : $D \times N \times S^* \longrightarrow D$ | $delete_flight: D \times N \longrightarrow D$ | This type of trivial problem is usually not manifested until when one attempts a                                       |

.

9

| PVS Spec          | flight_sched3: THEORY<br>BEGIN                                                    | M : TYPE X flight numbers<br>S : TYPE X schedules<br>D : TYPE = [N -> S] X flight database                                                                                  | u0: S X unscheduled                                                            | S-good : TYPE = {sched: S   sched /= u0}<br>flt : VAR N<br>d : VAR D<br>sched : VAR S_good | exptydb(flt): S = u0 | $find_schedule(d, flt): S = d(flt)$ | scheduled?(d.flt): boolean = d(flt) /= u0 | 8 | Introduction to a PVS Proof                                   | <ul> <li>Illustrative proof</li> </ul> | • The single command GRIND proves it automatically<br>putative2 :                                    | <pre> {1} (FORALL (d: D, flt: M, sched: S_good):</pre> | INTLIES GOLOGACTINGUCTAGG_IIIGNCTA, IIV, SCAGG), IIV) = G)<br>Rule? (SKOSIMP*) | Repeatedly Skolemizing and flattening,<br>this simplifies to:<br>putative2 : | <br>{1} scheduled?(d!1, flt!1)<br>{2} delete_flight(add_flight(d!1, flt!1, sched!1), flt!1) = d!1 | Rule? (EXPAND "add_flight" ) |
|-------------------|-----------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------|----------------------|-------------------------------------|-------------------------------------------|---|---------------------------------------------------------------|----------------------------------------|------------------------------------------------------------------------------------------------------|--------------------------------------------------------|--------------------------------------------------------------------------------|------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------|------------------------------|
| Some Observations | • Our specification is abstract. The functions are defined over infinite domains. | <ul> <li>As one translates the requirements into mathematics, many things<br/>that are usually left out of English specifications are explicitly<br/>enumerated.</li> </ul> | • The formal process exposes ambiguities and deficiencies in the requirements. | • Putative theorem proving and scrutiny reveals deficiencies in the formal specification.  |                      |                                     |                                           | 1 | add_flight(d, flt, sched): D =<br>IF scheduled?(d,flt) THEN d | ELSE d WITH [flt := sched] ENDIF       | change_flight(d, flt, sched): D =<br>IF scheduled?(d,flt) THEM d WITH [flt := sched]<br>ELSE d EWDIF | delete_flight(d, flt): D = d WITH [flt := u0]          | <pre>putative2 : LEMMA NOT scheduled?(d,flt) IHPLIES</pre>                     | SchedAdd : LEMMA scheduled?(add_flight(d,flt,sched),flt)                     | EWD flight_sched3                                                                                 |                              |

this simplifies to: putative2 :

-----

- Ξŝ
- scheduled?(d!!, flt!!) delete\_flight(IF scheduled?(d!!, flt!!) THEN d!1 ELSE d!1 NITH [flt!! := sched!!]

ENDIF, flt!1)

lib =

Rule? (LIFT-IF )

Lifting IF-conditions to the top level, this simplifies to:

putative2 :

-----

- scheduled?(d!1, flt!1) Ξŝ
- IF scheduled?(di1, flti1) THEW delete\_flight(di1, flti1) = di1 ELSE delete\_flight(di1 WITH [flti1 := schedi1], flti1) = di1 ENDIF

Rule? (ASSERT)

Simplifying, rewriting, and recording with decision procedures,

21

Simplifying, rewriting, and recording with decision procedures, Q.E.D. Rule? (assert)

Real time = 61.49 secs. Run time = 1.16 secs.

Wrote proof file /airlab/home/rwb/fm/wkshp/pvs/flight\_sched3.prf NIL

~

this simplifies to: putative2 :

-----

- [J] scheduled?(d!1, flt!1)
  {2} delete\_flight(d!1 WITH [flt!1 := sched!1], flt!1) = d!1

Expanding the definition of delete\_flight, Rule? (EXPAND "delete\_flight" ) this simplifies to: putative2 :

-----

dil WITH [flt]l := schedil] WITH [flt]l := u0] = dil scheduled?(d!1, flt!1) Ξŝ

Expanding the definition of scheduled?, Rule? (EXPAND "scheduled?" ) this simplifies to: putative2 :

-----

- {1} di1(flt1) /= u0
  [2] di1 WITH [flt11 := schedi1] WITH [flt11 := u0] = di1

22

New Requirement

"Two flights are not to be scheduled at the same gate at the same time!"

Introduce refinement of schedule:

A\_or\_D: TYPE = (arriving,departing) Date\_and\_time: TYPE Gate\_nums: TYPE Way: TYPE N : TYPE

departure\_tm: Date\_and\_time, arrival\_tm: Date\_and\_time, dep\_gate: Gate\_nums, arr\_gate: Gate\_nums, arr\_or\_dep: A\_or\_D, nav\_route: Way #] X END RECORD S: TYPE = [# % RECORD

| New Requirement Continued | e big problem.<br>time":                                                                                                          | overlapped(schedi,sched2): boolean = dep_gate(schedi) = dep_gate(sched2)<br>AMD same_time(schedi,sched2) | We would like to establish that the operations on the database will never result in<br>an overlapped situation. | In other words, we want to establish an invariant:              | <pre>is_valid(d: D): boolean = (FORALL (flt1,flt2: W): flt1 /= flt2 AWD scheduled?(d,flt1) AND scheduled?(d,flt2) IHPLIES the same gate NOT overlapped(find_schedule(d,flt1), find_schedule(d,flt2)))</pre> |                                    | 38 | Add flight Modified To Maintain Invariant | gate_in_use_at_time(d,sched): boolean =<br>(EXISTS flt: scheduled?(d,flt) AND overlapped(sched,d(flt))) | add_flight(d, flt, sched): D =<br>IF schedulad?(d,flt) OR gate_in_use_at_time(d,sched) THEM d<br>ELSE d WITH [flt := sched]<br>ENDIF | Thus, we have modeled the database as a finite state machine and the functions<br>add_flight, change_flight, and delete_flight are operations on the state machine. |
|---------------------------|-----------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------|----|-------------------------------------------|---------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Simplified Problem        | Often it is useful to solve a simplified problem before you tackle the big problem.<br>So let's only work with departing flights: | N : TYPE<br>Date_and_time: TYPE<br>Gate numms: TYPE                                                      | S: TYPE = (# % RECORD<br>datarture fm: Data and time                                                            | der_gate: Gate_nums,<br>der_gate: Rate_nums,<br>si Y FNU RECORD | "two flights are not to be scheduled at                                                                                                                                                                     | same_time(sched1, sched2): boolean | 52 | Database System as a State Machine        | Rs.valid Add. fight                                                                                     | change dight<br>del dight                                                                                                            | (ex-raided                                                                                                                                                          |

Of course, add\_flight must be modified to insure that this is true:

add\_flight\_is\_valid: LEDMA (FORALL (d: D, flt: N, sched: S\_good): is\_valid(d) IMPLIES is\_valid(add\_flight(d,flt,sched)));

| <ul> <li>With formal methods a clear, unambiguous, abstract specification can be constructed.</li> <li>Mechanized formal methods allows you can CALCULATE (prove) whether the specification has certain properties.</li> <li>These calculations can be done early in the lifecycle on abstract descriptions.</li> <li>And they can cover ALL the case,</li> </ul>                                                                                                                                                                                                                                                                                         |   |
|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---|
| By creating a predicate subtype of the type D:<br>Valid_db: TYPE = {d: D   is_valid(d)}<br>and modifying the signatures of add_flight, change_flight, and delete_flight, e.g.<br>add_flight(vd: Yalid_db, flt, sched): Valid_db =<br>If scheduled?(vd,flt) OR gate_in_use_at_time(vd, sched) THEN vd<br>ELSE vd NTH [flt := sched]<br>BNDIF<br>PVS will automatically generate the "invariant" lemmas that must<br>proved (called TCC's).<br>• is just a particular case of the more general TCC mechanism<br>• illustrates how a mechanized specification language can provide<br>much stronger typechecking than traditional programming lan-<br>guages | · |

Conclusions

State Machines and PVS Type System

| Overview of NASA Langley's Formal Methods                                                                                                                 | Goals Of Our Formal Methods Program                                                                                                                                                       |
|-----------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Program                                                                                                                                                   | • To make formal methods practical for use on life critical systems developed in the United States.                                                                                       |
| by                                                                                                                                                        | • To orchestrate the transfer of this technology to indus-                                                                                                                                |
| Ricky W. Butler                                                                                                                                           | try through use of carefully designed<br>demonstration projects.                                                                                                                          |
| NASA Langley Research Center                                                                                                                              |                                                                                                                                                                                           |
| May 10, 1995                                                                                                                                              |                                                                                                                                                                                           |
| -                                                                                                                                                         | N                                                                                                                                                                                         |
| NASA Langley's Research Strategy                                                                                                                          | Although Tool Development Has Not Been Emphasized                                                                                                                                         |
| • Build strong team at LaRC.                                                                                                                              | • NASA Langley has not sponsored the development of any general-                                                                                                                          |
| • Leverage huge investment of ARPA and National Security Agency<br>through use of FM technology that they nurtured.                                       | purpose theorem provers.                                                                                                                                                                  |
| • Use contracts with the leading U.S. formal methods research teams.                                                                                      | • However, the technology transfer projects have lead to significant<br>improvements in the Prototype Verification System (PVS) theo-<br>rem prover that SRI International is developing. |
| • Establish joint projects with FM researchers and established aerospace engineering teams (e.g. Rockwell Collins, Honeywell, Boeing).                    | • Some domain-specific tools are being sponsored:                                                                                                                                         |
| • Concentrate on the technically challenging areas of digital design<br>(especially in avionics) that are currently beyond the state-of-the-<br>practice. | – VHDL-analysis tool [ORA]<br>– Tablewise [ORA]<br>– Derivational Reasoning System (DRS) [Derivation Systems Inc.]                                                                        |
| <ul> <li>Initiate demonstration projects in problem domains where current<br/>formal methods are adequate.</li> </ul>                                     |                                                                                                                                                                                           |
|                                                                                                                                                           | -<br>-                                                                                                                                                                                    |
|                                                                                                                                                           |                                                                                                                                                                                           |

Goals Of Our Formal Methods Program

| Technology Transfer Strategy | <ul> <li>Get involved with (i.e. influence) standards<br/>activities (e.g. NIST, D0178B).</li> <li>Work with/influence FAA.</li> </ul>                                                                                                                                                                                                                                                            | <ul> <li>Demonstrate techniques on realistic designs.</li> <li>Sponsor joint research projects using both formal methods contractors and aerospace contractors.</li> </ul>                                                                                                                                                                                                                                                                                                           | Transfer of Formal Methods to Industry Has Been Slow in the Past | Why?                         | <ul> <li>Long learning curve:         <ul> <li>FM not part of traditional engineering curriculum</li> <li>the tools are not production-quality</li> <li>the tools have few or no examples for specific problem domains.</li> </ul> </li> </ul> | <ul> <li>Many competing methods: the best are now only beginning to<br/>stand out.</li> </ul>     | <ul> <li>Cost/benefit relationship not favorable for many applications: sit-<br/>uation has improved considerably over last 5-10 years, and improv-<br/>ing this relationship is the major goal of our research program.</li> </ul> | • Large investment by DARPA and NSA in tool development but did not fund technology transfer projects. |
|------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------|------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------|
| Scope of Program is Large    | <ul> <li>Formal Methods appropriate for one problem domain may be totally inappropriate for other problem.</li> <li>Specific domains in which our program has concentrated: <ul> <li>architectural-level fault tolerance,</li> <li>clock-synchronization,</li> <li>interactive consistency,</li> <li>design of hardware devices such as microprocessors, memory management</li> </ul> </li> </ul> | units, DMA controllers,<br>- asynchronous communication protocols,<br>- design and verification of application-specific integrated circuits (ASICS),<br>- Space Shuttle software,<br>- navigation software,<br>- decision tables,<br>- railroad signaling systems.<br>• We are also interested in applying formal methods to many different portions<br>of the life-cycle, such as (1) requirements analysis, (2) high-level design, (3)<br>detailed design, and (4) implementation. |                                                                  | Technology Transfer Projects | <ol> <li>Rockwell Collins AAMP5</li> <li>Boeing PIU Project</li> <li>Space Shuttle Jet-Select Project</li> <li>Honevwell Naviration</li> </ol>                                                                                                 | 5. Charles Stark Draper FTPP Scoreboard Project<br>6. Honeywell Software Development (Tinkerbell) | <ol> <li>Union Switch and Signal</li> <li>Rockwell Collins AAMP-FV</li> <li>Honeywell SafeBus Project</li> </ol>                                                                                                                    |                                                                                                        |

æ

r-

Also Libraries Are Needed

There is a sizable effort associated with the development of the background mathematical theories needed for a particular problem domain.

• Libraries would be reusable and in the long run "cost-effective"

• But, initial costs are a deterrent for industry.

Therefore, one of the goals of the NASA Langley program is to build a large body of background theories needed for aerospace applications. Langley has helped develop PVS libraries:

• bitvectors library for hardware verification

• IEEE floating point standard

• finite sets

majority

summations

6

**RTCA** committees

Currently, members of the Langley staff are involved in:

• SC-180 (Airborne Electronic Hardware)

• SC-182 (Minimal Operating Performance Standard for an Airborne Computer Resource)

Finelli/Di Vito Inject Formal Methods Into D0178B

George Finelli, a member of the verification subcommittee of the RTCA group that developed the DO-178B standard and Ben Di Vito wrote a section on formal methods that was included in DO-178B:

12.4.1. Formal Methode: Formal methods involve the use of formal logic, disrette mathematics, and computer-readable languages to import the specification and verification of Science. These methods to dip Pouleus an implementations above operational behaviors in theorem viti confidence to be whitin a defined domain. In their most theoremgh application, formal methods could be equivalent to exhaustive analysis of a system with respect to its requirements. Such analysis could provide: · Evidence that the system is complete and correct with respect to its requirements.

• Determination of which code, software requirements or ... satisfy the next higher level of software requirements.

... The goal of applying formal methods is to prevent and eliminate requirements, design and code errors throughout the software development processes. Thus, formal methods are complementary to testing.... Formal methods may be applied to software development processes with consideration of these factors:

Loroel of the design refluencest : The use of formal methods begins by specifying software high-herd requirements in a formal specification language and verifying by formal fronds that they and/py particip synthese representation on a screenfactor short of the Source Code providence state. The shown to satisfy the high-berd requirements. Performing this process down to the Source Code providence that the software subset syntem requirements. Applications formal models can start and stop with any consective beets .....

Coverage of coftware requirements and coftware architecture : Formal methods may be applied to software require meau that: (1) the safety-related; (2) Can be defined by distarts mathematica; (3) involve complex behavior, und an concurrent, distributed processing, redundary management, and synchronization. Degroo of rigor : Formal methods include these increasingly rigorous levels: The use of formal specifications above focces requirements to be unambiguous. Murual proof in a well-understood process that can be used when there is little detail. Muranakially teketed or generated proofs can aid the human proof process and offer a higher degree of dependability specially for more complicated proof.

2

# Some Lessons Learned

port higher order logic and a rich type system) provide a means of • Modern formal specification languages such as PVS (which supwriting specifications that can be read and understood by engineers.

rors and provide increased confidence in the correctness of the V&V techniques. Formal Verification can uncover additional er- Formal specification alone can reveal bugs not found by traditional system design.

methods into a commercial company. The two major components • There is a sizable up-front cost associated with transferring formal of this cost are: 1. Training the industrial experts to use the formal techniques (especially in verification).

2. The formal methods experts must learn the problem domain in detail (to develop effective formal methods).

2

=

| NASA Langley's Formal Methods (FM) Program | <ul> <li>The tremendous scientific potential of formal methods has been recognized by theoreticians for a long time, BUT</li> <li>The formal techniques had remained the province of a few academians with only a few exceptions such as the Transputer and CICS.</li> <li>Starting in 1991, NASA Langley initiated several aggressive projects designed</li> </ul> | to move FM into productive use in the aerospace community:<br>- Boeing P1U Project (1991)<br>- Charles Stark Draper FTPP Scoreboard Project (1991)<br>- Allied Signal Hybrid Fault Models (1992)<br>- Shuttle The Project (1992)<br>- Shuttle The Project (1992) | - space snutter servicer tradet<br>- 110ney well Navigation (1983)<br>- Rockwell Sollware 1985 (1983)<br>- 110ney well Software Development: Tinkerbell (1994)<br>- Union Switch and Signal (1994) | <ul> <li>Rockwell Collins AAMP-FV (1995)</li> <li>Honeywell SafeDus Project (1995)</li> <li>NASA's program has advanced FM in the United States to the point where commercial exploitation of FM is imminent.</li> </ul> | 2  |
|--------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----|
| Some Lessons Learned (Continued)           | • Finding a person inside the company who is knowledgeable of the problem domain, is a proponent of formal methods, and is an active participant in the project is essential.                                                                                                                                                                                       | • The formal methods researchers must be willing to adapt their methods to the problem domain rather than fight to change the existing methodologies to conform to their needs.                                                                                  | • Without the significant increases in hardware speed, level 3 formal methods would still be impractical.                                                                                          | • Efficient automatic deduction can greatly facilitate the useability<br>of a theorem prover.                                                                                                                            | 13 |

# Session 2: LaRC-sponsored Industrial Applications

Ricky W. Butler, Chair

The AAMP5/AAMP-FV Project by Steve Miller, Rockwell-Collins

• Union Switch & Signal Project, by *Joe Profeta*, Union Switch & Signal; and *Doug Hoover*, Odyssey Research Associates

• Honeywell Software Development Project, by Lance Sherry, Honeywell; and Doug Hoover, Odyssey Research Associates

CMIT 7

## The AAMP5/AAMP-FV Project

Steven P. Miller **Collins Commercial Avionics Rockwell International** Cedar Rapids, IA 52498 USA spmiller@pobox.cca.rockwell.com N96-10027 6/ Project Science Laboratory P-6 SRI International Menlo Park, CA 94025 USA srivas@csl.sri.com

Software and digital hardware are increasingly being used in situations where failure could be life threatening, such as aircraft, nuclear power plants, weapon systems, and medical instrumentation. Several authors have demonstrated the infeasibility of showing that such systems meet ultra-high reliability requirements through testing alone [1,2]. Formal methods are a promising approach for increasing our confidence in digital systems, but many questions remain on how it can be used effectively in an industrial setting.

This presentation describes a project, formal verification of the microcode in the AAMP5 microprocessor, conducted to explore how formal techniques for specification and verification could be introduced into an industrial process. Sponsored by the Systems Validation Branch of NASA Langley and by Collins Commercial Avionics, a division of Rockwell International, it was conducted by Collins and the SRI International Computer Science Laboratory. The project consisted of specifying in the PVS language developed by SRI [3] a portion of a Rockwell proprietary microprocessor, the AAMP5, at both the instruction set and register-transfer levels and using the PVS theorem prover to prove the microcode correct for a representative subset of instructions.

While this presentation includes a brief technical overview (see [4,5] for a detailed technical discussion), its emphasis is on the lessons learned in using PVS for an example of this size and the implications for using formal methods in an industrial setting. The central result of this project was to demonstrate the feasibility of formally specifying a commercial microprocessor and the use of mechanical proofs of correctness to verify microcode. This is particularly significant since the AAMP5 was not designed for formal verification, but to provide a more than three fold performance improvement, by pipelining instruction execution, while remaining object code compatible with the earlier AAMP2. As a consequence, the AAMP5 is one of the most complex microprocessors to which formal methods have been applied.

Another key result was the discovery of both actual and seeded errors. Two actual microcode errors were discovered and corrected during development of the formal specification, illustrating the value of simply creating a precise specification. Two seeded errors were systematically uncovered while doing correctness proofs. One of these was an actual error that had been discovered after first fabrication but left in the microcode provided to SRI. The other error was designed to be unlikely to be detected by walkthroughs, testing, or simulation.

Several other results emerged during the project, including the ease with which practicing engineers became comfortable with PVS, the need for libraries of general purpose theories, the usefulness of formal specification in revealing errors, the natural fit between formal specification and inspections, the difficulty of selecting the best style of specification for a new problem domain, the high level of assurance provided by proofs of correctness, and the need to engineer proof strategies for reuse.

Many of the costs of the AAMP5 project can be attributed to the overhead of applying an experimental method for the first time. To determine how much these costs can be reduced through reuse of the AAMP5 expertise. Collins, SRI, and NASA are conducting a follow-on project to verify the microcode in the AAMP-FV, a smaller microprocessor design similar to those actually used in autoland systems. A report on the status of this project is also presented.

- [1] Butler, R. and G. Finelli, The Infeasibility of Experimental Quantification of Life-Critical Software Reliability, Software Engineering Notes, Vol. 16, No.5, pg. 66-76, December 1991.
- [2] Littlewood, B. and L. Strigini, Validation of Ultra-High Dependability for Software-based Systems, Communications of the ACM, Vol. 36, No. 11, pg. 69-80, November 1993.
- [3] Owre, S., J. Rushby, and N. Shankar, PVS: A Prototype Verification System, In Deepak Kapur, Editor, 11th International Conference on Automated Deduction, (CADE), pg. 748-752, Saratoga, NY, June 1992, Vol. 607 of Lecture Notes in Artificial Intelligence, Springer-Verlag.
- [4] Srivas, M. and S. Miller, Formal Verification of the AAMP5: A Case Study in the Verification of a Commercial Microprocessor, to appear in Applications of Formal Methods, Michael G. Hinchey and Jonathan P. Bowen, Editors, Prentice-Hall International Series in Computer Science.
- [5] Srivas, M. and S. Miller, Formal Verification of an Avionics Microprocessor, to be submitted as a NASA Contractor Report.

PAGE 18 INTENTIONALLY BLANK

PRECEDING PAGE BLANK NOT FILMED

| Formal Verification of the AAMP5 Microprocessor<br>Introduction | <ul> <li>Assess the Feastbillty of Formal VerIfication for Industrial Use</li> <li>Participated in the MCC Formal Methods Transition Study (1990–91)</li> <li>Pilots using RAISE for Formal Specification (1992–93)</li> </ul> | Collaborative Effort<br>• Funded by NASA Langley and Collins | <ul> <li>Performed by SRI International and Collins (with Assistance from NASA)</li> <li>Formal Verification of the AAMPS Microcode</li> </ul> | <ul> <li>O Specified Instruction Set (macro) Architecture in PVS (108 of 209 Instructions)</li> <li>O Specified Register Transfer (micro) Architecture in PVS</li> <li>O Proved Microcode for 11 Instructions Correct using the PVS Theorem Prover</li> </ul>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  | Shadow Project<br>O Independent of Traditional Development and Verification Process of the AAMP5 | C. Rockwell Monta |
|-----------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------|-------------------|
|                                                                 |                                                                                                                                                                                                                                |                                                              |                                                                                                                                                | SA                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |                                                                                                  |                   |
| <b>rell</b> Avionics                                            | ins                                                                                                                                                                                                                            | -FV Project                                                  | Mandayam Srivas                                                                                                                                | Marting and Action and | srivas@csl.sri.com                                                                               |                   |

ŝ



|              |      | The AAMP Family of Microprocessors                                                                                                                                                                            |
|--------------|------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| CAPS-4       | 1974 | Global Postitioning System, General Development Model (GPS GDM)                                                                                                                                               |
| CAPS-6       | 1161 | Bocing 757, 767 Autopilot Filght Director System (AFDS),<br>Lockheed L-1011 Active Control System (ACS),<br>Lockheed L-1011 Digital Fight Control System (DFCS),<br>(ASA Fault Tolerant Multiprocessor (FTMP) |
| CAPS-8       | 1979 | Boeing 757, 767 Electronic Filght Instrumentation System (EFIS),<br>Boeing 757, 767 Engine Instrumentation/Crew Alerting System (EICAS)                                                                       |
| CAPS-7       | 6/61 | Navstar Global Positioning System (GPS),<br>Bocing 747–400 Integrated Display System (IDS),                                                                                                                   |
| CAPS-10 1979 | 1979 | 1 Beeing 747–400 Central Maintenance Computer (CMC),<br>Beeing 727–300 Electronic Flight Instrumentation System (EFIS),<br>Enclose 77–300 Electronic Lenstrumentation System (EFIS),                          |
| Idwy         | 1861 | - bocing (27-200 cargine international conditions)<br>Air Transport TCAS Verticial Speed Indicator (TCAS),                                                                                                    |
| AAMP2        | 1987 | Boeing 777 Flight Control Backdrive,<br>Commercial GPS: Navcore I, Navcore V                                                                                                                                  |
| AAMP3        | 1992 | Boeing 777 Standby Instruments                                                                                                                                                                                |
| AAMPS I      | 1993 | Global Positioning Systems, Upgrade for AAMP2                                                                                                                                                                 |



















# Conclusions

- Demonstrated the Tychnical Feasibility of
- O Formally Specifying the AAMP5 at Instruction Set and Register Transfer Levels O Formally Verifying the Microcode in the AAMP5
- Benefits of Formal Specification
- O Encourages Clean Abstractions and Interfaces
  - O Encourages "Looking in Corners"
- PVS Specifications Successfully Used by Practicing Engineers
- O Synergy between Specifications and Inspections was Key
  - O Acceptance of PVS by Engineers Varies Widely
- <sup>O</sup> Difficult to Enforce the Discipline Needed to Ensure Quality Specifications
  - Could Achieve Dramatic Galns in Acceptance Through O Notations that Fit a Specific Problem Domain

P Rockmoll Annia Colline

| Conclusions                                                                      |                                                                      |
|----------------------------------------------------------------------------------|----------------------------------------------------------------------|
| Formal Verlfication, Done Correctly, Provides Very High Levels of Assurance      | <ul> <li>Collaborative Effor</li> </ul>                              |
| <sup>O</sup> Dres not Eliminate Good Process, Peer Reviews, Testing, Simulation, | O Funded by NASA                                                     |
| O May Facilitate or Lessen the Need for Some Traditional Practices               | O Conducted by Col                                                   |
| Expect Costs to be High the First Time in a New Problem Domain                   | O Initiated in Januar                                                |
| O Expertise                                                                      | Smaller Microproce                                                   |
| O Reusahle Theories and Proofs                                                   | O Paper and Pencil I                                                 |
| How Much Will Costs Drop on Subsequent Projects?                                 | <ul> <li>O Similar to What V</li> <li>O ~100,000 Transist</li> </ul> |
|                                                                                  | Repeat AAMPS Ext                                                     |
|                                                                                  | O Rcuse Expertise a                                                  |
|                                                                                  | O Demonstrate Cost                                                   |
|                                                                                  |                                                                      |
|                                                                                  | O Specified Microar                                                  |
|                                                                                  | O Nearly Completed                                                   |
| Accitocal minis                                                                  | T Rockwell Annie                                                     |
| Colling Andread Party 244 16                                                     | Cottine                                                              |

| Collaborative Effort                                  |                |
|-------------------------------------------------------|----------------|
| O Funded by NASA and Collins                          |                |
| O Conducted by Collins and SRI                        |                |
| O Initiated in January, 1995                          |                |
| Smaller Microprocessor                                |                |
| O Paper and Pencil Design                             |                |
| O Similar to What We Would Use in an Autoland System  | utoland System |
| O ~100,000 Transistors                                |                |
| Repeat AAMPS Experiment                               |                |
| O Rcuse Expertise and Theories                        |                |
| O Demonstrate Cost Effectiveness                      |                |
| Current Status                                        |                |
| O Specified Microarchitecture (50 Hours)              | (              |
| O Nearly Completed the Proof of the First Instruction | t Instruction  |

# +0 +0 P 109

# No slides are available for

Joe Profeta's portion of this presentation

# APPLYING FORMAL METHODS TO RAILWAY CONTROL

## Doug N. Hoover

## Odyssey Research Associates, Inc.

In collaboration with Union Switch and Signal, ORA has been carrying on research into applying formal methods to system-level railway control modeling and to verification of parts of VFRAME++, a railway control CAD system under development by US&S.

The railway modeling work has produced modeling methods powerful enough to prove safety of the conventional block control system. We hope to apply it to newer systems for which safety is more problematic.

The VFRAME++ work centers around correctness of translation from graphical representations of circuits to hardware implementing them. Work so far carried out consists of design verification of a translation algorithm in PVS. Currently planned is an a posteriori checker to show that a particular translation has been done correctly. Such a checker would have the advantage of being simple and stand-alone, hence easy to demonstrate to be correct.



Odyssey Research Associates, Inc.

301 Dates Dr.

D. N. Hoover

Railway Control

Internet: hoove@oracorp.com

01995 Odyney Roeard Austriates, Inc. 51-95-0016 D. N. Honne

Ithaca NY 14850-1326





| DAB                                                                | -to- | DAB-to-GEM Translation         |
|--------------------------------------------------------------------|------|--------------------------------|
| assignments                                                        |      | assertion                      |
| v1 := u2                                                           | %    | v1 = u2                        |
| v2 := NOT v1                                                       | *    | v2 = NOT u2                    |
| v3 := TRUE                                                         | %    | v3 = TRUE                      |
| v4 := u3                                                           | *    | v4 = u3                        |
| v5 := v3 OR v4                                                     | %    | v5 = TRUE OR u3                |
| v6 := v2 AND v5                                                    | %    | v6 = (NOT u2) AND (TRUE OR u3) |
| v7 := u1                                                           | %    | v7 = u1                        |
| v8 := v1 OR v4                                                     | %    | v8 = u2 OR u3                  |
| v9 := v7 AND v8                                                    | %    | v9 = u1 AND (u2 OR u3)         |
| w2 := v6                                                           | %    | w2 = (NOT u2) AND (TRUE OR u3) |
| w1 := v9                                                           | %    | w1 = u1 AND (u2 OR u3)         |
|                                                                    |      |                                |
| el 1995 Odyney Reventh Asociates, Inc.<br>St. 95-0016 D. N. Honvet |      | . ORM                          |

|       | DAB-to-GEM Translation                                                                                             |
|-------|--------------------------------------------------------------------------------------------------------------------|
| ٦     | DAB (Design Application Builder) representation — assignment com-<br>plex Boolean expressions to output variables. |
|       | w1 := u1 AND (u2 OR u3)<br>w2 := (NOT u2) AND (TRUE OR u3)                                                         |
|       | (Full language would also have some arithmetic and control struc-<br>tures.)                                       |
| ۵     | GEM (Generic Entity Model) representation — simple assignments only.                                               |
|       |                                                                                                                    |
|       |                                                                                                                    |
|       |                                                                                                                    |
| ) 55  | Austrian, le:                                                                                                      |
| 51-95 | 8. 43-0016 D. N. Houve                                                                                             |





| A posteriori checking | <ul> <li>A simple checker checks translation and produces a log.</li> <li>A really simple checker checks correctness of the log.</li> </ul> | O Need to justify only the correctness of the log checker. | O Note: the a posteriori check seems to be simpler than the translation in this case. | 0193 Odyman Reament Austriants, Int. 9 |
|-----------------------|---------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------|---------------------------------------------------------------------------------------|----------------------------------------|



| w1 = u1 AND (u2 OR u3)         | w1 := v9 %                                                 |
|--------------------------------|------------------------------------------------------------|
|                                | w2 := v6 %                                                 |
|                                | v9 := v7 AND v8 %                                          |
| v8 = u2 OR u3                  | v8 := v1 OR v4 %                                           |
| v7 = u1                        | v7 := u1 %                                                 |
| v6 = (NOT u2) AND (TRUE OR u3) | v6 := v2 AND v5 %                                          |
| v5 = TRUE OR u3                | v5 := v3 OR v4 %                                           |
| v4 = u3                        | v4 := u3 %                                                 |
| v3 = TRUE                      | v3 := TRUE %                                               |
| v2 = NOT u2                    | v2 := NOT v1 %                                             |
| v1 = u2                        | v1 := u2 %                                                 |
| assertion                      | assignments                                                |
| R u3)<br>3 (TRUE OR u3)        | w1 := u1 AND (u2 OR u3)<br>w2 := (NOT u2) AND (TRUE OR u3) |
| Example                        |                                                            |

| IPD 2000 | IV Characteristics Of The Avionics Information-Model |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      | <ul> <li>Capture reactive nature of systems</li> <li>Provide means for rapid formulation and adaptation of<br/>"mental-models" of the system</li> </ul> | <ul> <li>Provide means for rapid formulation and adaptation of<br/>"implementation-models" of the system<br/>(see definitions next three pages)</li> </ul>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     | Honeywell - Air Transport Systems  | It Arion Carlon Strate Systems                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | Honeywell - Air Transport Systems |
|----------|------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------|
| 000 2000 | III Model-Based System Development                   | Occumentation<br>Define<br>Posteriore<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constant<br>Constan | Spatial Shared Contraction                                                                                                                              | Product Transmission of the State of St | Hinneywell - Air Transport Systems | In the second                                | *                                 |
|          | PRE                                                  | ECEDING P                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | AGE BLA                                                                                                                                                 | NK NOT FR                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      | MED                                | $(2^{n+1})^{-1} = (2^{n+1})^{-1} = (2^{$ |                                   |

|                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     | IPD 2000                                                                                            |                 | IPD 2000                                          |
|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------|-----------------|---------------------------------------------------|
|                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |                                                                                                     |                 | Table Of Contents                                 |
| Model-based Dev                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              | elopment of Softwa                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  | Model-based Development of Software-based Systems:                                                  |                 |                                                   |
|                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              | A Research Agenda                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   | ē                                                                                                   | -               | <b>Overview: Integrated Cockpit Avionics</b>      |
|                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              | May 1994                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |                                                                                                     | II              | Documentation-based Process                       |
| <u>NASA-Langley</u>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          | ORA                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | Honeywell                                                                                           | III             | Model-based Process                               |
| Michael Holloway                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | Doug Hoover<br>Zwei Chen                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | Lance Sherry<br>Dave Youssefl                                                                       | IV              | Characteristics Of The Avionics Information-Model |
|                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              | David Guaspari                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      | Matt Michaels<br>Christine Mixon                                                                    | >               | Current Research                                  |
|                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     | Jack Janene (and team)<br>Dave Ciruili<br>Joei Thornton (and team)                                  | Ν               | Summary/Roadmap                                   |
| Honeywell - Air Transport Systems                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | -                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   | John Krueger                                                                                        | Honeywell - Air | tioneyweit - Air Transport Systems                |
|                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     | IPD 2000                                                                                            |                 | IPD 2000                                          |
| I Overview                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   | <b>Overview: Integrated Cockpit Avionics</b>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | it Avionics                                                                                         | Π               | II Documentation-Based System Development         |
| Rialicity Latel<br>Frequences<br>Requestions<br>Requestions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions<br>Reactions | I dalkad L terd<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein<br>Arwein | Plat Bill Level<br>Votin generation<br>Votin generation<br>Votin generation<br>Control<br>Mark Mark |                 |                                                   |
| Parallel AL Dea                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              | Faytoph control<br>Nu subpationa<br>Guiddan Coa                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     | Display<br>Rec.                                                                                     |                 |                                                   |

Honeywell - Air Transport Systems

Honeywell - Air Transport Systems

| IV Characteristics Of The Avionics Information-Model | <ul> <li>Capture <i>operationally embedded</i> nature of systems</li> <li>Capture <i>reactive</i> nature of systems</li> <li>Provide means for rapid formulation and adaptation of <i>"mental-models"</i> of the system</li> <li>Provide means for rapid formulation and adaptation of</li> </ul>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  | " <i>implementation-models</i> " of the system<br>(see definitions next three pages) | Honeywelt - Air Traursport Systems 6<br>IPD 2000 | It Arionics Into-Models: Reactive Systems<br>Decision-making<br>hputs<br>Transformation<br>beration (80%)<br>Transformation<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts<br>bruts |
|------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------|--------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| III Model-Based System Development                   | And Bill Flore<br>Comments<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Participants<br>Part | Propulsion, Bearfordinks, Wolfma and Orthon                                          | Henrywell - Air Transport Systems 6<br>IPD 2000  | In a constrained with the second se                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |

IPD 2000

IPD 2000



| VI Roadmap        | Model-based development (single user)                                                                                   | Model-based development (multi-user)<br>- shared specification, dictionaries, Config Management | Model-based development (multi-user)                                                               | Model-based development (multi-user) - includes customers and vendors | Certification credit for automated analysis/verification     |                                                                                                              | Dot Systems 14                       |
|-------------------|-------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------|--------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------|--------------------------------------|
|                   | 1995                                                                                                                    | 1996                                                                                            | 1997                                                                                               | 1998                                                                  | 1999                                                         | :                                                                                                            | Honeywell - Air Transport Systems    |
| VI <u>Summary</u> | <ul> <li>Economic pressures driving change in industry<br/>(reduce cost, reduce cycle-time, improve quality)</li> </ul> | <ul> <li>Paradigm shift from documentation-based to model-based development process</li> </ul>  | <ul> <li>Model-based development process requires<br/>definition of "Information-model"</li> </ul> | Characteristics Of Avionics Info-model:                               | <ul> <li>operationally embedded</li> <li>reactive</li> </ul> | <ul> <li>easy-to-read for "mental-modelling"</li> <li>easy-to-code for "implementation-modelling"</li> </ul> | Honuywell - Air Transport Systems 13 |

IPD 2000

1PD 2000

# FORMAL TOOLS AND METHODS FOR DECISION TABLES

## Doug N. Hoover

### **Odyssey Research Associates, Inc**

This work began with a problem from Honeywell: how to tell whether a specification or code involving a complex choice of alternatives is complete (always designates a choice) and is consistent (always designates only one choice). It turned out that Honeywell used decision tables informally to specify this kind of code. Now, decision tables are a kind of formal specification, so we decided that the best solution was to build a specialized tool, TableWise, to deal with the problem.

TableWise checks completeness and consistency of decision tables, as well as generating Ada code and documentation from them. It has an original form of structural analysis that localizes flaws that prevent decision tables from being complete and consistent. TableWise is available from NASA Langley by anonymous ftp (air16.larc.nasa.gov). A paper on Table-Wise will appear in COMPASS '95.

Continuing work related to TableWise includes generating tests from decision tables, improving code generation, structuring decision tables to compress information, and making decision tables part of a more all-encompassing specification methodologies.

|     | TableWise, a Dé                                                                | TableWise, a Decision Table Tool                                                                         |
|-----|--------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------|
| Aft | After preliminary experimentation wit<br>ized tool for the problem.            | After preliminary experimentation with PVS, we decided to build a special-<br>ized tool for the problem. |
|     | Check completeness and consistency of decision tables                          | stency of decision tables                                                                                |
| D   | J Generate Ada code                                                            |                                                                                                          |
| D   | <ol> <li>Generate English language specs like Honeywell's.</li> </ol>          | cs like Honeywell's.                                                                                     |
|     | J Best of all, it is available by anonymous ftp from                           | tymous the from                                                                                          |
| į   | airl6.larc.nasa.gov<br>directory                                               |                                                                                                          |
|     | fm/ora                                                                         |                                                                                                          |
|     |                                                                                |                                                                                                          |
|     |                                                                                |                                                                                                          |
| 8 1 | 01995 Odywyr Reserva Asecciaes, Inc. Formal Toole a<br>11-95-0027 D. N. Moover | formul Totis and Methods for Decision Takes                                                              |



|                                  | Analysis Results               |                              |
|----------------------------------|--------------------------------|------------------------------|
| Overlapping scenarios            | Takcoff.2<br>Climb_Int_Level.1 | Climb.2<br>Climb_Int_Level.1 |
| Input Variabics St               | States                         |                              |
| Flightphase cl                   | climb climb<br>cruise          | climb                        |
| AC_Alt > 400 TT<br>FA            | TRUE TRUE<br>FALSE             | •                            |
| compare(AC_Alt, LI<br>ACC-ALT) ( | LT BQ LT<br>GT                 | EQGT                         |
| Alt_Capt_Hold T1<br>FA           | TRUE TRUE<br>FALSE             | TRUE                         |
| compare(Alt_Target, L1           | LT EQ GT GT GT                 | 5                            |



| Operational Procedure<br>Input Variables States |              | diways  |       | 5     | table.          |        |
|-------------------------------------------------|--------------|---------|-------|-------|-----------------|--------|
|                                                 | Tak          | Takcoff | Ci    | Ctimb | Climb_Int_Level | Creise |
|                                                 | s            |         |       |       |                 |        |
| Flightphase climb cruise                        | o climb<br>e | climb   | climb | climb | climb           | cruisc |
| AC_All > 400 TRUE<br>FALSE                      | E TRUE<br>E  | TRUE    | •     | •     | •               | •      |
| comparc(AC_Alt, LT EQ<br>ACC-ALT) GT            | 5            | E       | то ра | EQ GT | •               | GT     |
| Ait_Capi_Hold TRUE<br>FALSE                     | E FALSE      | TRUE    | FALSE | TRUE  | TRUE            | TRUE   |
| comparc(Alt_Target, LT EQ<br>prev_Alt-Target GT | •            | đ       | •     | 5     | •               | È      |



|                                    |                 |       | ərrucıu |        |        |
|------------------------------------|-----------------|-------|---------|--------|--------|
| 5 variable_structural flaws        | 5               | 0     | -       | 2      | 3      |
| Input Variables Sta                | States          |       |         |        |        |
| Flightphase cli                    | climb<br>cruise | •     | •       | cruise | cruise |
| AC_Alt > 400 TRI                   | TRUE<br>FALSE   | FALSE | •       | •      | •      |
| compare(AC_Alt, LT ]<br>ACC-ALT) G | LT EQ<br>GT     | •     | •       | LT EQ  | •      |
| Alt_Capi_Hold TRI                  | TRUE<br>FALSE   | •     | •       | •      | FALSE  |
| compare(Alt_Target, LT)            | LT EQ           | •     | ы       | •      | •      |

|    | Continuing Work                                                                                           |
|----|-----------------------------------------------------------------------------------------------------------|
|    | Assertions about decision tables.                                                                         |
| D  | Decision tables including "behaviors," i.e. code implementing the action chosen.                          |
|    | Generating tests from decision tables.                                                                    |
|    | Better code generation.                                                                                   |
|    | Generating traceability information.                                                                      |
| D  | Incorporate some of Parnas's ideas about tabular specifications.                                          |
|    | Tables as specification of a state transition (cf. Leveson's RSML).                                       |
| C  | Structuring decision tables to compress information.                                                      |
|    | Incorporate support for linear arithmetic in the checking.                                                |
| D  | Solve the "industrial inference problem." (See Parnas, "Some Theo-<br>rems We should Prove."              |
|    |                                                                                                           |
| 82 | 01950 Otjanay Razarah Ausoritatu, Inc. Ferand Tooli and Matuoni for Doddon Takia<br>31.95-00370 N. Maoner |

# **Session 3: Industry Perspectives on Formal Methods**

# C. Michael Holloway, Chair

- Scott French, Loral ATC (No slides available)
- Steve Miller, Rockwell-Collins
- Joe Profeta, Union Switch & Signal (No slides available)
- Lance Sherry, Honeywell



|                                                                                                                                                    | Who We Are                                                                                                                                        |
|----------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------|
| Y ROCKWEII Avionics                                                                                                                                | Rockwell International                                                                                                                            |
| Collins                                                                                                                                            | <ul> <li>75,000 Employecs</li> <li>Approximately 70% Sales are Commercial (Non-Government)</li> <li>Collins Commercial Avionics (CCA)</li> </ul>  |
| Panel Discussion:<br>Industry Perspectives on Formal Methods                                                                                       |                                                                                                                                                   |
| Dr. Steven P. Miller<br>Advanced Technology & Engineering<br>Conlins Commercial Atoolics, MS 124–211<br>Cedar Rapids, Iowa 52498<br>(319) 395–8008 | <ul> <li>O Cedar Rapids, Iowa</li> <li>O Defense and Government Systems (DOD and NASA)</li> </ul>                                                 |
| A Rockweel Akris<br>Collins Redeal Intrates (Acted Intration 2005)                                                                                 | The Rocchewood Adria                                                                                                                              |
| What We Do                                                                                                                                         | Requirements Analysis                                                                                                                             |
| <ul> <li>Collins Commercial Avionics (CCA)</li> </ul>                                                                                              | Needs & Opportunities                                                                                                                             |
| <ul> <li>Autopilot and Autoland Systems</li> <li>Avionics Displays (EFIS, EICAS, PFD)</li> </ul>                                                   | Better Methods for Requirements Analysis is Our Single Greatest Need                                                                              |
| <ul> <li>Traffic Alert and Collision Avoidance Systems (TCAS)</li> <li>Communications Systems (Satellite)</li> </ul>                               | Requirements are incomplete, misunderstood, poorly defined, and change in ways<br>that are difficult to manage – Software Productlyity Consortium |
| <ul> <li>Satellite Navigation Systems</li> <li>Colline Communication and Avianics Division (CACD)</li> </ul>                                       | A Methodology for Requirements Analysis Must                                                                                                      |
| O Global Positioning Systems (GPS)                                                                                                                 | <ul> <li>O Accommodate Frequent Change</li> <li>O Secontrovate Frequent Change</li> </ul>                                                         |
| <ul> <li>Joint Tactical Information Display System (JTIDS)</li> <li>Mission Management Cockpit Display Systems (F-22)</li> </ul>                   | O Be Precise Enough to Support Formal Analysis and Development of Toxols                                                                          |
| O Communication Systems                                                                                                                            | <ul> <li>O Support Generation of Test Cases</li> <li>O Support Traceability</li> <li>O Tell You When You're Done</li> </ul>                       |
|                                                                                                                                                    |                                                                                                                                                   |
| Colfins<br>Colfins<br>Rocheel International 0,195                                                                                                  | The Continue Admin                                                                                                                                |
|                                                                                                                                                    | ١                                                                                                                                                 |

Collaborate with Other Groups Working on Requirements Engineering Need Methods for Formally Specifying Requirements and Designs Need Methods for Generating Tests from Formal Specifications Emphasize Industry/Academic/Government Collaboration O Will Test Generation Differ for Each Specification Method? **Requirements Analysis** What Should NASA Do? **State of Formal Methods** Software Testing Establish Program in Requirements Engineering O Use Pilot Projects to Validate Methods and ToxIs O Help to Complete the Formalization of Models Rockwell International @1995 Kuchwell International O What Distinguishes a "Useful" Test? Need Tools to Animate Specifications O Support Development of Tools **A Rockmell** Arimica **Rockmoll** Aviation Collins Collins Structural Unit Testing of Software on a Level A (Highest Criticality) System <sup>O</sup> Can Consume Over 50% of Total Project Budget (Hardware & Software) O User Must Select Appropriate Approach for Each Problem Domain <sup>O</sup> CoRE - Consortium Requirements Engineering Method (SPC) There are a Few Formal or Semi-Formal Methods Emerging <sup>O</sup> Create Tests from Requirements and Design Specifications O RSML - Requirements State Machine Language (Irvine) **Requirements Analysis** O Determine Structural Coverage of Code as a Byproduct Rapidly Moving Towards Requirements Based Testing **State of Formal Methods** Needs & Opportunities Software Testing is Our Single Most Costly Activity **Software Testing** O SCR - Software Cost Reduction Method (NRL) O Automatically Generate Tests from Specifications O Success <u>Very</u> Dependent on the Skill of the User Ruchwell Interactional ©1995 intinal CIVIS B "Traditional" Formal Methods Lack Methods O Execute Tests Against the Specifications - Facilitate Early Development of Test Suites **Nix buck Inte** Underlying Formalism is Still Evolving O Yct Finds Remarkably Few Errors - Validate Requirements and Designs O Few "How To" Books Need More Tools A Rockmel Antonia Rockmell Arimis Collins Collins Needs



|                                                              | Fault Tolerant Computing                                                                  | / |
|--------------------------------------------------------------|-------------------------------------------------------------------------------------------|---|
| B Most Avionics S                                            | Most Avionics Systems are Fault Tolerant                                                  |   |
| B Extensive Work                                             | Extensive Work by Formal Methods Community in Fault Tolerant Computing                    |   |
| <ul> <li>O Software Impl</li> <li>O Reliable Comp</li> </ul> | O Software Implemented Fault-Tolerant Computer (SIFT) O Reliable Computing Platform (RCP) |   |
| I.Ittle Affect on (                                          | Little Affect on Commercial Avionics Industry                                             |   |
| Why Aren't The                                               | Why Aren't These Approaches being Used?                                                   |   |
| <b>a</b> Are There Lesso                                     | Are There Lessons to be Learned Here?                                                     |   |
|                                                              |                                                                                           |   |
|                                                              |                                                                                           |   |
| A Rockmol Annis<br>Collins                                   | (1947)<br>(1947)                                                                          |   |
|                                                              |                                                                                           |   |



87

Honeywell - Air Transport Systems

Honeywell - Air Transport Systems

IPD 2000

IPD 2000

#### **Session 4: Software Systems (1)**

#### Ricky W. Butler, Chair

• Formal Verification for Fault-Tolerant Architectures/PVS Design, by John M. Rushby, SRI International

• Formal Methods Demonstration Project for Space Applications, by *John Kelly*, Jet Propulsion Laboratory; and *Ben DiVito*, VÍGYAN, Inc.

#### FAULT-TOLERANT ALGORITHMS AND THE DESIGN OF PVS

#### John Rushby

#### SRI International

PVS is the most recent in a series of verification systems developed at SRI. Its design was strongly influenced, and later refined, by our experiences in developing formal specifications and mechanically checked verifications for the fault-tolerant architecture, algorithms, and implementations of a model "reliable computing platform" (RCP) for life-critical digital flight-control applications.

Several of the formal specifications and verifications performed in support of RCP are individually of considerable complexity and difficulty. But in order to contribute to the overall goal, it has often been necessary to modify completed verifications to accomodate changed assumptions or requirements, and people other than the original developer have often needed to understand, review, build on, modify, or extract part of an intricate verification.

In this talk, I will outline the verifications performed, present the lessons learned, and describe some of the design decisions taken in PVS to better support these large, difficult, iterative, and collaborative verifications.

The following article covers this material in more detail:

"Formal Verification for Fault-Tolerant Architectures: Prolegomena to the Design of PVS" by Sam Owre, John Rushby, Natarajan Shankar, and Friedrich von Henke (*IEEE Transactions on Software Engineering*, Vol 21., No. 2, pp. 107-125).

This article is available on the World-Wide Web at the following URL:

http://www.csl.sri.com/tse95.html

PAGE 91 INTENHOMALLY GLANK 91

FT Algorithms & Desigi

- Formal mether notations, an documentatio
- But the prim that they allo answered by
- Thus some at
- Processes
- can be replac

.

FT Algorithms & Design of PVS

e

**Reliable Computing Platform** 

### Context

- implementations for a reliable computing platform for digital Goal: develop a formally verified architecture, algorithms, and flight control based on state machine replication
- management so that to an application task, it all looks like a "operating system" providing fault tolerance and redundancy processors, with associated sensors and actuators, and an Reliable Computing Platform: a distributed collection of single computer that never fails

## FT Algorithms & Design of PVS

## Context (ctd. 1)

- system and its environment and prove a theorem of the form Formally Verified: Construct a mathematical model of the
- if certain assumptions are true
- and there are enough nonfaulty processors then overall system masks all faults
- nonfaulty processors can read each other's clocks with error Assumptions: must be validated in the real world (e.g., at most ∈)
- Enough nonfaulty processors: must collect empirical data on individual failure rates, then use (Markov) modeling

# FT Algorithms & Design of PVS





actuators (provides fault masking)  $\checkmark$ 

- majority-voted versions (provides transient recovery)  $\sqrt{}$ Optionally, diagnose faulty processors and reconfigure Incrementally refresh state of all processors with
  - (increases number of faults that can be tolerated)  $\checkmark$

œ



FT Algorithms & Design of PVS

ø

Perform exact-match majority voting on values sent to

 $\bullet$  Distribute identical sensor data to all processors  $\checkmark$ 

 $\bullet$  Keep processors synchronized  $\checkmark$ 

State machine replication:

Context (ctd. 2)

Run identical workloads on all processors

| Formal Verifications Performed: Clock Synchronization | Interactive Convergence Byzantine-fault-tolerant clock<br>synchronization algorithm                             | <ul> <li>At the time (1988), one of the hardest computer-science<br/>verifications completed</li> </ul>              | <ul> <li>Over 200 lemmas (small theorems), 1700 lines of specification<br/>and proof commands (in EHDM)</li> </ul> | • Found that in the journal presentation by Lamport and Melliar<br>Smith (JACM), proof of the main theorem is flawed and 4 of<br>the 5 lemmas are false | <ul> <li>Corrections required adjustment to assumptions</li> </ul> | <ul> <li>Also eliminated approximations</li> <li>And developed more uniform proofs</li> </ul>                                                                            | FT Algorithms & Design of PVS |                                | Clock Synchronization (ctd. 2)                          | • Erwin Liu designed and formally verified a circuit to perform part of the algorithm | <ul> <li>Found the assumption that initial clock adjustments are all<br/>zero is unrealistic</li> </ul>             | <ul> <li>Deleted this assumption from the original verification and reran<br/>all proofs</li> </ul>           | <ul> <li>Found that proofs of some internal lemmas need adjusting, but<br/>main argument is unchanged</li> </ul>                                                                                            |
|-------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------|--------------------------------|---------------------------------------------------------|---------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Context (ctd. 3)                                      | Why do this?<br>Because redundancy management is among the most difficult<br>problems in digital flight control | <ul> <li>Historically the <i>primary</i> source of system failure</li> <li>Why state machine replication?</li> </ul> | Because it has a rational justification<br>And because it can withstand arbitrary (aka. Byzantine) faults          | Why does that matter?<br>Because then you don't have to provide evidence that faults<br>outside your assumed class cannot occur                         | Why do formal verification if system is fault tolerant?            | Because it's fault tolerant wrt. <i>hardwar</i> e faults; the algorithms<br>and implementations of fault tolerance are single points of<br>failure: they must be correct | FT Algorithms & Design of PVS | Clock Synchronization (ctd. 1) | Our proof was subsequently repeated by Bill Young using | Boyer-Moore prover<br>• He noted that our characterization of a good clock            | $ c(T_1)-c(T_2)-(T_1-T_2) <rac{ ho}{2} T_1-T_2 $ is unsatisfiable when $T_1=T_2,$ and also excludes perfect clocks | (those for which $c(T) = T$ ) [< should be $\leq$ ]<br>• Shows that modeling must be validated very carefully | <ul> <li>Mechanization can help: show that defined predicates can be<br/>both satisfied and falsified, and that axioms are satisfied by<br/>intended models (also establishes their consistency)</li> </ul> |

94

FT Algorithms & Design of PVS

11

|                                | Formal Verifications Performed: Distributed Consensus               | Oral Messages algorithm for distributed consensus (aka. Byzantine<br>Agreement—distribution of consistent sensor values in the |                                                              | • First verified by Bevier and Young using Boyer-Moore prover | (they also verified its optimality and an implementation)      | <ul> <li>We found a rather simular treatment and used it as a test rase</li> </ul> | in developing PVS (it's an order of magnitude simpler than clock synchronization)                                                                                         | • Then studied important variation (developed at Allied Signal for MAFT flight control computer) that uses "Hybrid" fault model |                                                                  | FT Algorithms & Design of PVS | Distributed Consensus (ctd. 1) | <ul> <li>Algorithm Z, published with detailed proof of correctness by<br/>Thambidurai and Park, performs distributed consensus under<br/>hybrid fault model</li> </ul>                  | <ul> <li>Lincoln and Rushby found a bug in the algorithm while<br/>attempting formal verification (implementation in MAFT is<br/>slightly different, and is OK)</li> </ul>              | <ul> <li>Developed modified algorithm and verified its correctness<br/>(Verified an incorrect variant on the wav—blue was masked by</li> </ul>                                                     | an incorrect axiomatization of "hybrid majority vote" )         | • Subsequently adapted this algorithm to Draper FTP architecture and verified it in a couple of days | FT Algorithms & Design of PVS |
|--------------------------------|---------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------|---------------------------------------------------------------|----------------------------------------------------------------|------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------|-------------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------|------------------------------------------------------------------------------------------------------|-------------------------------|
| Clock Synchronization (ctd. 3) | <ul> <li>There are many clock synchronization algorithms</li> </ul> | <ul> <li>Shankar verified general treatment due to Fred Schneider that<br/>includes almost of them (using EHDM)</li> </ul>     | Establishes correctness of all algorithms in a certain class | satisfying 11 assumptions                                     | • Found and corrected several small errors during verification | <ul> <li>And showed interactive convergence satisfies the assumptions</li> </ul>   | <ul> <li>Paul Miner argued that one of the assumptions is very difficult<br/>to establish of a given algorithm (almost as hard as proving<br/>synchronization)</li> </ul> | • He showed that this assumption could be discharged once and for all from suitably modified versions of the other 10           | <ul> <li>And did it for the Lundelius-Lynch algorithm</li> </ul> | FT Algorithms & Design of PVS | Hybrid Fault Models            | <ul> <li>Classically, algorithms for state-machine replication consider<br/>components to be either faulty or nonfaulty</li> <li>No assumptions made about faulty components</li> </ul> | <ul> <li>Tolerates any <i>kind</i> of fault, but requires a lot of redundancy, so<br/>cannot tolerate a large <i>number</i> of faults<br/>(for a given level of replication)</li> </ul> | <ul> <li>"Hybrid" fault models include "arbitrary" fault mode, but also<br/>consider some common, simple kinds of fault ("manifest" and<br/>"symmetric") and can tolerate more of these</li> </ul> | • "Hybrid" algorithms are strictly superior to pure "Byzantine" | ones (e.g., $n > 3a + 2s + m$ rather than $n > 3f$ )<br>• But their analysis is much more complex    | FT Algorithms & Design of PVS |

5

| Clock Synchronization (Again)                                                                                            |                                                                                                                                 |
|--------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------|
| Returned to clock synchronization to extend benefits of hybrid fault model to that problem                               | Distributed Consensus (Again)                                                                                                   |
| <ul> <li>Original verification had taken a couple of months, has over</li> </ul>                                         | <ul> <li>Hybrid oral messages algorithm doesn't do well against link<br/>faults</li> </ul>                                      |
| 200 lemmas <ul> <li>Extension to hybrid case requires several small adjustments</li> </ul>                               | • There is another class of distributed consensus algorithms that use authenticated communications: "lieutenants" cannot lie    |
|                                                                                                                          | <ul> <li>But they break if authentication is flawed</li> </ul>                                                                  |
| <ul> <li>Consideration of additional cases in Lemma 5</li> </ul>                                                         | <ul> <li>Can also add authentication to Oral Message algorithms</li> </ul>                                                      |
| • And a more complicated counting argument in the main theorem                                                           | • Simple worst-case analyses do not distinguish between the various candidate algorithms                                        |
| <ul> <li>Overall, a couple of day's work</li> </ul>                                                                      | • Cannot find good characterizations of behavior in presence of                                                                 |
| <ul> <li>Algorithm is about the best known; also does well against link faults</li> </ul>                                | link faults                                                                                                                     |
| FT Algorithms & Design of PVS                                                                                            | FT Algorithms & Design of PVS                                                                                                   |
| Exploring Design Alternatives with Formal Methods                                                                        | Formal Verifications Performed                                                                                                  |
|                                                                                                                          | Insufficient time to describe others:                                                                                           |
| • Murø is an explicit state exploration tool developed by David                                                          | <ul> <li>Verification of overall architecture and transient recovery</li> </ul>                                                 |
| Dill at Stanford                                                                                                         | <ul> <li>Done by Rick Butler, Ben DiVito and others at LaRC</li> </ul>                                                          |
| <ul> <li>Given a specification of a finite-state concurrent system,<br/>explores all behaviors by brute-force</li> </ul> | <ul> <li>The biggest verification done with EHDM (and probably the<br/>biggest by anyone using someone else's tools)</li> </ul> |
| <ul> <li>Used Murø to do exhaustive "symbolic fault injection" for</li> </ul>                                            | • Further properties of clock synchronization                                                                                   |
| five-processor configuration                                                                                             | <ul> <li>Initial synchronization and transient recovery</li> </ul>                                                              |
|                                                                                                                          | <ul> <li>Done by Paul Miner</li> </ul>                                                                                          |
| <ul> <li>Rediscovered the bug in Algorithm Z</li> </ul>                                                                  | <ul> <li>Circuit for clock synchronization</li> </ul>                                                                           |
| <ul> <li>But found that ZA works very well</li> </ul>                                                                    | <ul> <li>Verification used a combination of PVS, DDD, and a<br/>BDD-based tautology checker</li> </ul>                          |
| <ul> <li>Seems a generally useful way to evaluate fault-tolerant</li> </ul>                                              | <ul> <li>Done by Paul Miner</li> </ul>                                                                                          |
| algorithms                                                                                                               | • Diagnosis algorithms (done by Pat Lincoln in PVS)                                                                             |

FT Algorithms & Design of PVS

20

FT Algorithms & Design of PVS

19

96

| Lessons Learned (in this domain)                                                                                                                               | Lessons Learned (ctd. 1)                                                                                                      |
|----------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------|
| <ul> <li>None of what we have done is "program verification" (i.e.,<br/>proving a program correct wrt. its detailed specifications)</li> </ul>                 | For intrinsically difficult problems and where systems can exhibit huge numbers of different behaviors                        |
| <ul> <li>In this domain, concern centers on the hardest and most<br/>difficult problems of design: the redundancy management</li> </ul>                        | • Formal methods can add a lot of value: assurance through testing is totally infeasible, hand proofs are unreliable          |
| architecture and algorithms that ensure continued safe<br>operation despite hardware failures                                                                  | <ul> <li>Need to understand quite a lot about the problem domain to<br/>apply formal methods usefully</li> </ul>              |
| <ul> <li>Intrinsically difficult problems: reasoning about distributed,<br/>concurrent, real-time systems operating in the presence of<br/>faults</li> </ul>   | <ul> <li>Need to be skilled at abstraction to apply formal methods<br/>effectively</li> </ul>                                 |
| <ul> <li>Number of possible behaviors is vast</li> </ul>                                                                                                       | • Can be accomplished by a few highly skilled people: don't need to train every programmer                                    |
| FT Algorithms & Design of PVS                                                                                                                                  | FT Algorithms & Design of PVS                                                                                                 |
| Lessons Learned (ctd. 2)                                                                                                                                       | Lessons Learned (ctd. 3)                                                                                                      |
| Mechanized formal methods provide much value in addition to proofs of correctness                                                                              | To achieve these benefits, mechanizations of formal methods must have certain attributes                                      |
| <ul> <li>Reveal errors in published proofs and algorithms—i.e.,<br/>discovery of <i>incorrectness</i></li> </ul>                                               | A civilized specification language                                                                                            |
| • Expose all assumptions and assist in eliminating them and in                                                                                                 | <ul> <li>Mechanisms for early error detection</li> </ul>                                                                      |
| sharpening their statements                                                                                                                                    | <ul> <li>A lot of theorem-proving horsepower</li> </ul>                                                                       |
| <ul> <li>Support development of streamlined arguments and enhanced<br/>understanding that can lead to improvements in algorithm or<br/>architecture</li> </ul> | <ul> <li>That can be kept under control</li> <li>And that provides more information than just "proved" and silence</li> </ul> |
| • Allow inexpensive and reliable exploration of alternative designs                                                                                            | <ul> <li>Mechanized deductive support in addition to theorem proving</li> </ul>                                               |
| <ul> <li>And adaptation to changed requirements or assumptions</li> </ul>                                                                                      | <ul> <li>Support for changes and exploration</li> </ul>                                                                       |
| FT Algorithms & Design of PVS                                                                                                                                  | FT Algorithms & Design of PVS                                                                                                 |

.

| A Civilized Specification Language | • A specification language provides some of the features and<br>conveniences of a programming language (e.g., declarations, | <ul> <li>packaging in modules, parameterization)</li> <li>And computer-science data types (e.g., numbers, tuples, records. functions. sets. lists. trees)</li> </ul> | <ul> <li>And should use a reasonably familiar syntax</li> </ul>           | • But it must also support deductioni.e., it must be a logic         | <ul> <li>We want that logic to be expressive, and we also want<br/>deduction to be automated very effectively</li> </ul> | <ul> <li>Conflict: expressiveness and effectively automated deduction<br/>are usually inversely related</li> </ul> | • Reconciling these disparate requirements is the fundamental challenge in building tools for formal methods | FT Algorithms & Design of PVS | And A Fourth                                                                                                            |                                                 | State<br>Exploration                      |
|------------------------------------|-----------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------|----------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------|-------------------------------|-------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------|-------------------------------------------|
| The Design of PVS                  | sides these exampl                                                                                                          | <ul> <li>Hardware (Saxe pipeline, Tamarack, Cantu ALU, and AAMP5 examples)</li> </ul>                                                                                | <ul> <li>Requirements (Jet-Select example, A7 and SCR methods)</li> </ul> | <ul> <li>Real-time (railroad crossing and other examples)</li> </ul> | • Embeddings of other logics (Duration Calculus)                                                                         | • Our previous systems (Еном, Muse)                                                                                | <ul> <li>Other systems (principally HOL, Boyer-Moore, and SMV)</li> </ul>                                    | FT Algorithms & Design of PVS | The Three Traditions<br>E<br>Systems<br>P<br>Notations<br>C<br>C<br>C<br>C<br>C<br>C<br>C<br>C<br>C<br>C<br>C<br>C<br>C | s<br>s<br>integrated<br>Verification<br>Systems | s Systems Theorem Provers Theorem Theorem |

FT Algorithms & Design of PVS

FT Algorithms & Design of PVS

27

28

|                                                                                                                                                                                                                            | <b>Reconciling the Conflicts: Pragmatics</b>                                                                                      |
|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------|
| <ul> <li>Traditional foundation for mathematics is first-order set theory</li> <li>And Hilbert-style presentation</li> <li>Designed by Indicians for studying formal systems, not for</li> </ul>                           | <ul> <li>You cannot design a specification language and then hope to<br/>add effective mechanization</li> </ul>                   |
| <ul> <li>Designed by regulation of submy regulation systems, not not on actually doing formalization</li> <li>Requires metamathematical assistance (schema) to specify many important concents (e.g. induction)</li> </ul> | • And you cannot build a theorem prover and hope to persuade very many people that its logic is a specification language          |
| <ul> <li>And functions are inherently partial: inimical to efficient</li> <li>theorem proving</li> </ul>                                                                                                                   | <ul> <li>The formal method, its specification language, and its tools<br/>have to be designed together</li> </ul>                 |
| <ul> <li>For mechanized formal methods, we have different needs, and<br/>should therefore make different choices</li> </ul>                                                                                                | <ul> <li>Tradeoffs and compromises are necessary</li> <li>But new opportunities arise, too</li> </ul>                             |
| <ul> <li>Frameworks (LF, Calculus of Constructions etc.)</li> <li>Higher-Order Logic (Simple Theory of Types)</li> </ul>                                                                                                   | • Example: Enhancing the error-detection of typechecking                                                                          |
| FT Algorithms & Design of PVS                                                                                                                                                                                              | FT Algorithms & Design of PVS                                                                                                     |
| Errors in Formal Specifications                                                                                                                                                                                            |                                                                                                                                   |
| <ul> <li>Most of the time spent with a formal methods tool goes in</li> </ul>                                                                                                                                              | Typechecking Formal Specifications                                                                                                |
| discovering and correcting errors <ul> <li>Misunderstanding the requirements</li> </ul>                                                                                                                                    | <ul> <li>Many errors in specifications can be found by strict<br/>typechecking—just as in programming languages</li> </ul>        |
| <ul> <li>Flawed assumptions</li> <li>Faulty design</li> </ul>                                                                                                                                                              | • But unlike programming languages, type systems of specification languages need not be restricted to those that are              |
| <ul> <li>Bugs in the formal specification</li> </ul>                                                                                                                                                                       | trivially decidable                                                                                                               |
| <ul> <li>Writing correct formal specifications is no easier than writing<br/>correct programs (for most people it's harder)</li> </ul>                                                                                     | • Can assume a theorem prover is available and allow typechecking to become undecidable                                           |
| <ul> <li>Most formal specifications have errors; many are full of errors;<br/>a large number are meaningless (e.g., inconsistent)</li> </ul>                                                                               | • This eliminates many of the criticisms of those who consider strict typing too restrictive                                      |
| <ul> <li>May be difficult to believe this, until you've experienced the<br/>personal shock of finding errors in your own specifications</li> </ul>                                                                         | • Allows a lot of the specification to be expressed in the types, so that typechecking becomes a very strong check on consistency |
| <ul> <li>Tools should help you find errors early and cheaply</li> </ul>                                                                                                                                                    |                                                                                                                                   |
| FT Algorithms & Design of PVS                                                                                                                                                                                              | FT Algorithms & Design of PVS                                                                                                     |

**Reconciling the Conflicts: Foundations** 

| Example: Predicate Subtypes (Higher-Order) | • It often contributes clarity and precision to a specification if functions are identified as injections, surjections, etc. | • But how do we ensure that a purported surjection really has that property? | <ul> <li>Predicate subtypes! The surjections are a subtype of the<br/>functions associated with the following predicate</li> </ul> | function_props[dom, rng: TYPE]: THEORY<br>surjective?(f): bool = V (r: rng): ∃ (d: dom): f(d) = r                                                 | So that<br>half: (suriactiva?[aven nat. nat]) = λ (e: even nat): e/2 | even nat): half(e)                                                                                    |                               | Definitional Forms                   | <ul> <li>Can increase the variety and richness of definitional forms if<br/>prepared to use theorem proving to check them</li> <li>For example, recursive function definitions</li> </ul> | • Without theorem proving, may be restricted to the syntactic | form of primitive recursion <ul> <li>With theorem proving, can accept definitions if arguments</li> <li>And to come well-founded</li> </ul> | out be proved to decrease according to some weir pointed the ordering across recursive calls (note, system may need the sub- $\epsilon_0$ ordinals if lexicographic orderings are to be accepted) | <ul> <li>Other desirable forms</li> <li>Recursively defined abstract data types ("free types")</li> <li>Inductively defined functions</li> </ul>      | • These structured definitional forms also help theorem proving<br>FT Algorithms & Design of PVS 36                       |
|--------------------------------------------|------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------|-------------------------------|--------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------|
| Example: Predicate Subtypes                | • These are subtypes that are associated with a predicate Example (in PVS):                                                  | even_mat: TYPE = {i: mat   ∃ (j: mat): i = 2×j}<br>half: [even_mat → mat]    | half halves: AXIOM V (e: even.nat): 2×half(e) = e                                                                                  | • Expressions of the supertype allowed where the subtype is expected, provided defining predicate can be discharged in that context. For example, | half_twice: LEMMA V (i: nat): half(2×i) = i                          | • Generates the type-correctness condition (TCC)<br>TCC1: OBLIGATION V (i: nat): 3 (j:nat): 2×i = 2×j | FT Algorithms & Design of PVS | Consistency of Formal Specifications | <ul> <li>It is disturbingly easy to write inconsistent axioms</li> <li>So some specification languages forbid (or strongly discourage)</li> </ul>                                         |                                                               | <ul> <li>But this is often too restrictive</li> <li>Eliminates property-oriented specifications</li> </ul>                                  | <ul> <li>And sometimes inappropriate</li> <li>Want to describe the assumed environment,</li> </ul>                                                                                                | <ul> <li>Formal methods tools should enable the consistency of<br/>axiomatic specifications to be demonstrated<br/>(e.g., exhibit a model)</li> </ul> | <ul> <li>But should also provide a rich collection of definitional forms<br/>FT Algorithms &amp; Design of PVS</li> </ul> |

| <pre>Example: Recursive Definition • Here's the familiar factorial function factorial(n: nat): RECURSIVE nat =</pre>                                             | <ul> <li>Design Choices in PVS Specification Language</li> <li>Specification language is a higher-order logic</li> <li>With parameterized theories</li> </ul>                                                                                                 |
|------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| IF n=0 THEN 1 ELSE n×factorial(n-1) ENDIF MEASURE n<br>The termination TCC is what we expect:<br>TCC3: OBLIGATION $\forall$ (n: nat): n $\neq$ 0 IMPLIES n-1 < n | <ul> <li>Computer-science type-constructors (records, lists etc.)<br/>Also tables with checks on row/column well-formedness</li> <li>Predicate subtypes and dependent types</li> <li>Definitional forms include recursive functions, abstract data</li> </ul> |
| • We also have a subtype TCC for nat from n-1:<br>TCC4: OBLIGATION V (n: nat): $n\neq 0$ IMPLIES n-1 $\geq 0$                                                    | types, inductive definitions <ul> <li>Built-in "prelude" and loadable "libraries" of domain-specific theories</li> </ul>                                                                                                                                      |
| (The natural numbers are nat: TYPE = { n: int   $n \ge 0$ })<br>• Note how, together, these would identify the faulty termination<br>condition n=1               | <ul> <li>Emacs interface and extensive browsing and reporting<br/>capabilities</li> <li>IgT<sub>E</sub>X-prettyprinter</li> </ul>                                                                                                                             |
| FT Algorithms & Design of PVS<br>Theorem Proving                                                                                                                 | FT Algorithms & Design of PVS 38<br>Automatic Theorem Proving: The Downside                                                                                                                                                                                   |
| Tools for formal methods are built on theorem proving<br>It is essential to make use of the insights and state-of-the-art<br>techniques of that field            | <ul> <li>There are no fully automatic theorem provers</li> <li>All require human guidance in indirect forms, such as</li> </ul>                                                                                                                               |
| Bit must recognize that the goals and assumptions of the theorem-proving community are not perfectly aligned with the needs of formal methods tools              | <ul> <li>Weighting of literals, function symbols</li> <li>Strategy selection</li> <li>Orientation of equations</li> </ul>                                                                                                                                     |
| <ul> <li>Their goal is unassisted automation</li> <li>They focus on proving true theorems</li> </ul>                                                             | <ul> <li>Invention and ordering of lemmas</li> <li>Induction hints</li> </ul>                                                                                                                                                                                 |
| <ul> <li>They automate raw logics, not specification languages</li> </ul>                                                                                        | These have more to do with the prover than the proof                                                                                                                                                                                                          |
| Pure theorem provers are like dragsters; automating formal methods is more like Formula 1many more challenges                                                    | <ul> <li>User has to experiment to get them right</li> <li>Little feedback; little help discovering falsehoods</li> </ul>                                                                                                                                     |
| <ul> <li>But must go really fast when it's flat and straight<br/>Major choice: automatic or interactive theorem proving?</li> </ul>                              | <ul> <li>And when proof is done, neither man nor machine is any wiser</li> </ul>                                                                                                                                                                              |
| FT Algorithms & Design of PVS                                                                                                                                    | FT Algorithms & Design of PVS                                                                                                                                                                                                                                 |

!

| Automatic Theorem Proving: The Upside                                                                                      | Interactive Proof Checking: The Downside                                                                                 |
|----------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------|
| There are a number of proven ideas and techniques that work                                                                | <ul> <li>Interactive guidance is an alternative to heroic automation</li> </ul>                                          |
| remarkably well on specialized problem domains                                                                             | <ul> <li>Many interactive proof checkers are all interaction and no</li> </ul>                                           |
| <ul> <li>Propositional logic: BDDs (ordered binary decision diagrams)</li> </ul>                                           | automation                                                                                                               |
| <ul> <li>Pure equality: congruence closure</li> </ul>                                                                      | • Enormous human investment to prove small theorems                                                                      |
| <ul> <li>Linear arithmetic: integer/linear programming<br/>(loop residue, SUP-INF)</li> </ul>                              | <ul> <li>Infeasible to prove large or hard theorems</li> </ul>                                                           |
| <ul> <li>Datatypes, algebra: rewriting</li> </ul>                                                                          | <ul> <li>Use many lemmas, large numbers of commands</li> </ul>                                                           |
| <ul> <li>Modal/Temporal logics: model checking (μ-calculus)</li> </ul>                                                     | <ul> <li>Hard for user to focus on the big picture during the proof</li> </ul>                                           |
| <ul> <li>Predicate calculus: resolution, unification</li> </ul>                                                            | <ul> <li>Essence of the proof is lost in the details</li> </ul>                                                          |
| <ul> <li>Induction: Boyer-Moore heuristics</li> </ul>                                                                      | <ul> <li>Proofs are not robust in the face of even small changes</li> </ul>                                              |
| • Higher-Order: restricted forms of higher-order unification                                                               | • The users's concentration is the most precious resource: no                                                            |
| Seldom encounter pure problems in practice: the engineering challenge is integrating these methods to solve mixed problems | excuse for wasting human time on trivial details if they can be blown away by automation                                 |
| FT Algorithms & Design of PVS                                                                                              | FT Algorithms & Design of PVS                                                                                            |
|                                                                                                                            | LCF-Style Tactics                                                                                                        |
| Interactive Proof Checking: The Upside                                                                                     | <ul> <li>Given a repertoire of primitive inference steps</li> </ul>                                                      |
| • Interaction sustains the illusion of progress                                                                            | <ul> <li>Construct more powerful steps by writing programs (tactics)<br/>that use the primitive ones</li> </ul>          |
| <ul> <li>And puts the user in control</li> </ul>                                                                           | <ul> <li>Soundness depends only on the primitive inferences</li> </ul>                                                   |
| • Escier to learn and to macter                                                                                            | "Pure" interpretation (HOL)                                                                                              |
| <ul> <li>Laster to team and to make any different proof commands</li> </ul>                                                | <ul> <li>Basic steps should correspond to elementary rules of logic</li> </ul>                                           |
| <ul> <li>Can provide helinful feedback from failed proofs</li> </ul>                                                       | <ul> <li>Tactics use a general programming language (ML), reduce<br/>to large numbers of primitive inferences</li> </ul> |
|                                                                                                                            | <ul> <li>"Impure" interpretation (PVS)</li> </ul>                                                                        |
| • Can be customized with tactics (programs or macros that build larger proofs steps from the basic ones)                   | <ul> <li>Primitive steps should be chosen to provide the foundation<br/>for an efficient and powerful system</li> </ul>  |
|                                                                                                                            | <ul> <li>Tactics are simple combinations of primitive ones</li> </ul>                                                    |

FT Algorithms & Design of PVS

| The "Pure/Impure" Tradeoff With Tactics: 1  Raw speed and power:                                                                                                                                                           | The "Pure/Impure" Tradeoff With Tactics: 2 • Soundness:                                                                                                                                                                                                      |
|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| The pure systems must synthesize decision procedures from<br>primitive inferences: much slower in practice than the<br>built-in procedures of impure systems<br>And less powerful, because do not retain state, share data | <ul> <li>Admittedly more challenging to gain confidence in the<br/>soundness of powerful inferences, but not exactly hard<br/>(most of what they do is search: affects completeness and<br/>termination, not soundness)</li> </ul>                           |
| structures                                                                                                                                                                                                                 | Overall:                                                                                                                                                                                                                                                     |
| Effectiveness:<br>• The pure systems have large numbers of higher-level tactics,<br>hard to remember what they do, tend to be either very<br>specialized or not very powerful                                              | <ul> <li>Impure systems considerably more effective in practice</li> <li>Can always find better uses for machine cycles during interactive proof development than grinding out primitive inferences</li> <li>Use a "pure" second pass if paranoid</li> </ul> |
| FT Algorithms & Design of PVS                                                                                                                                                                                              | FT Algorithms & Design of PVS                                                                                                                                                                                                                                |
| The Theorem Proving Lifecycle During Formal Development                                                                                                                                                                    | Design Choices in PVS Prover                                                                                                                                                                                                                                 |
| There is a lifecycle to theorem proving during formal development                                                                                                                                                          | <ul> <li>Theorem prover is interactive</li> </ul>                                                                                                                                                                                                            |
| Need different capabilities for each stage                                                                                                                                                                                 | <ul> <li>Uses sequent calculus presentation</li> <li>Decision procedures for ground linear arithmetic and equality</li> </ul>                                                                                                                                |
| Exploration: must fail quickly, be able to stay in the loop<br>Specialized methods are very useful                                                                                                                         | <ul> <li>Hashing conditional rewriter integrated with these</li> <li>Strategy language for defining higher-level proof procedures</li> </ul>                                                                                                                 |
| <ul> <li>Animation (direct execution/simulation)</li> </ul>                                                                                                                                                                |                                                                                                                                                                                                                                                              |
| <ul> <li>State exploration (reachability analysis)</li> <li>"Backwards execution" (fault-tree analysis)</li> <li>Efficient methods for specialized cases (model checking)</li> </ul>                                       | <ul> <li>For simplification of large propositional structures</li> <li>And to decide formulas in</li></ul>                                                                                                                                                   |
| Development: efficiency!<br>Plus ability to comprehend overall structure                                                                                                                                                   | <ul> <li>Lemmas can be proved in any order<br/>(and introduced and modified on the fly)</li> </ul>                                                                                                                                                           |
| Presentation: want a real proof                                                                                                                                                                                            | <ul> <li>Proof dependency analysis keeps you honest</li> </ul>                                                                                                                                                                                               |
| Maintenance and Generalization: robustness     Algorithms & Design of PVS                                                                                                                                                  | <ul> <li>Graphical displays of proof trees help comprehend big picture<br/>FT Algorithms &amp; Design of PVS</li> </ul>                                                                                                                                      |

| To Learn More | <ul> <li>Browse papers and technical reports in /pub/reports on ftp.csl.sri.com (start with readme.txt and abstracts.dvi.Z), or use Mosaic or other WWW viewer on http://ww.csl.sri.com/sri-csl-fm.html</li> <li>CSL-95-1 is a chapter for the FAA Digital Systems Validation Handbook that discusses issues in formal methods and assurance</li> <li>CSL-93-7 is a much longer and more technical treatment</li> <li>You can get PVS by anonymous FTP from ftp.csl.sri.com in /pub/pvs (also from WWW link at URL above)</li> <li>Allegro Lisp for SunOS 4.1.3 (Solaris 2 available soon); Need 32M memory, 100M swap space, Sparc 2 or better</li> <li>PVS2 is available for testing by current users; General release awaits completion of documentation</li> </ul> | FT Algorithms & Design of PVS |
|---------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------|
| Conclusions   | <ul> <li>Verifications described were once <i>tours de force</i>, now routine</li> <li>Provided benefits over and above verification: debugging, exploration, adaptation</li> <li>Startup costs of applying formal methods to a new application area can be quite high <ul> <li>Challenge is usually in the modeling and abstraction, not the mechanization</li> <li>Requires skilled people</li> <li>Subsequent exploitation inexpensive, with very high added value</li> <li>Exploration of design alternatives, adapting to changes</li> <li>Reuse in subsequent designs</li> </ul> </li> <li>Mechanized formal methods are ready for industrial exploitation in suitable circumstances</li> </ul>                                                                  | FT Algorithms & Design of PVS |

**.**...





Note: The word "inspection" is used differently in solivate than in manufacturing or hardware context. In software the term in manufacturing or hardware context, in software the detect the entit of the structure of peer review in this uses a check stand much subport the statistics. In software development inspections are an upstream quality enhancement technics which support the principles of TOM (refer to NASA Standerd 2202-93 or the two JPL Professional Development courses on this fold).

And A straight for Special And

**Baseline Review** 

High-Level Test Plan

Structure Modeling

> Description ("shalls")

Textual

Inspections\*

Inspections

SAU DREPARTS



Alumni

•

1471 JHE L. MITH

Summer and

Fall '92

October '93

December

FY94

FY95

Winter '93

Spring 1992





analysis leverage is nontrivial

**Formal Methods** 

 Automated Integration Hazards Analysis, etc.)

fertile ground")



#### Key Issues for Next Steps (FY 96 and beyond) Be focal point for the maturation of applying Formal Methods Act as a catalyst to transfer Formal Methods techniques to Act as advisors to NASA projects on the effective use Formal Train starter groups of additional Formal Methods analysts validation, modeling, and design techniques for critical Integrate Formal Methods into a full set of verification. Developing a NASA technology transfer training package software subsystems of space applications from various NASA projects and centers to NASA Space Application projects critical NASA Space projects Methods

MUN Aster

108

2-2

Project for Space Appl

#### FORMAL METHODS DEMONSTRATION PROJECT FOR SPACE APPLICATIONS

#### Ben L. DiVito

P. 7

52-61

N96- 10028

#### VÍGYAN, Inc

The Space Shuttle program is cooperating in a pilot project to apply formal methods to live requirements analysis activities. As one of the larger ongoing Shuttle Change Requests (CRs), the Global Positioning System (GPS) CR involves a significant upgrade to the Shuttle's navigation capability. Shuttles are to be outfitted with GPS receivers and the primary avionics software will be enhanced to accept GPS-provided positions and integrate them into navigation calculations. Prior to implementing the CR, requirements analysts at Loral Space Information Systems, the Shuttle software contractor, must scrutinize the CR to identify and resolve any requirements issues.

We describe an ongoing task of the Formal Methods Demonstration Project for Space Applications whose goal is to find an effective way to use formal methods in the GPS CR requirements analysis phase. This phase is currently under way and a small team from NASA Langley, ViGYAN Inc. and Loral is now engaged in this task. Background on the GPS CR is provided and an overview of the hardware/software architecture is presented. We outline the approach being taken to formalize the requirements, only a subset of which is being attempted. The approach features the use of the PVS specification language to model "principal functions," which are major units of Shuttle software. Conventional state machine techniques form the basis of our approach.

Given this background, we present interim results based on a snapshot of work in progress. Samples of requirements specifications rendered in PVS are offered for illustration. We walk through a specification sketch for the principal function known as GPS Receiver State Processing. Results to date are summarized and feedback from Loral requirements analysts is highlighted. Preliminary data is shown comparing issues detected by the formal methods team versus those detected using existing requirements analysis methods. We conclude by discussing our plan to complete the remaining activities of this task.

| Shuttle Program Background | <ul> <li>Contractor organization</li> <li>Rockwell International - Shuttle prime contractor</li> <li>Loral Space Info. Sys. (was IBM) - Software contractor</li> <li>Loral Space Info. Sys. (was IBM) - Software contractor</li> <li>Draper Lab - Experts in Guidance, Navigation and Control</li> <li>Boftware modifications are packaged as Change Requests (CRs)</li> <li>Usually modest in scope, localized in function</li> <li>Provide capabilities to meet specific mission needs</li> <li>Software releases are called Operational Increments (OIs)</li> <li>Include one or more CRs - issued around once per year</li> <li>Requirements Analysis</li> <li>Conducted by Loral Requirements Analysts (RAs) prior to turning CR over to development team</li> <li>Once in development, problems are more costly to fix</li> </ul> | GPS Change Request         Shuttle Program is undertaking a large and complex CR to add         GPS navigation capabilities to the Shuttle fleet         GPS navigation capabilities to the Shuttle fleet         GPS navigation system         - Motivation: loss of TACAN navigation system         - Need equivalent navigation aid during entry and landing         - Need equivalent navigation aid during entry and landing         - Neo-phase integration plan         - Full-up implementation (one receiver)         - Full-up implementation (one receivers)         - Full-up implementation (and receivers)         - GPS receivers provide navigation data to General Purpose         - Many smaller changes made to existing navigation software         - GPS C |
|----------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|                            | Using Formal Methods to Analyze the<br>Space Shuttle's GPS Change Request<br>Ben L. Di Vito<br>ViGYAN, Inc.<br>30 Research Drive<br>Hampton, VA 23666<br>Mampton, VA 23666<br>11 May 1995                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | Global Positioning System (GPS)<br>GPS is a satellite-based navigation system operated by DoD<br>• Constellation of 24 satellites in high orbits<br>• Receive-only system requires dedicated hardware<br>• Need to track 4 or more satellites simultaneously<br>• Need to track 4 or more satellites simultaneously<br>• Separate signals need to be recovered after undergoing code<br>division multiplexing<br>• Receivers solve for position and velocity (and time)<br>• Standard Positioning Service gives 100m accuracy<br>• Precise Positioning Service gives 10m accuracy<br>• DoD phasing out TACAN navigation system by 2000                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |

ł

| Approach to Applying Formal Methods | We are pursuing a selective application of formal methods<br>• Focus on core subset involving new principal functions<br>- GPS Receiver State Processing<br>- GPS Reference State Processing<br>- GPS to model principal function requirements<br>- Use PVS to model principal function requirements<br>- Derive stylized specification approach tailored to Shuttle<br>software<br>- Derive stylized specification approach tailored to Shuttle<br>software<br>- Derive stylized specification approach tailored to Shuttle<br>- Derive stylized specification approach tailored to Shuttle<br>- Derive stylized specification approach tailored to Shuttle<br>- Maintain traceability to existing requirements<br>- Emphasize readability by nonexperts<br>- Emphasize readability by nonexperts<br>- Possible candidate is feedback loop from receivers to Re-<br>ceiver State Processing and back                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          | æ | PVS Modeling of Principal Functions | Principal functions are regularly scheduled software entities<br>• Execution environment provides a large variable space that is<br>read from and written into<br>• Interface is defined by explicit inputs and outputs enumerated<br>in tables<br>• Principal functions are composed of several subfunctions in-<br>voked sequentially<br>– Inputs are "passed down" to subfunctions<br>– Outputs are "passed up" from subfunctions<br>– Outputs are "passed up" from subfunctions<br>– Cutputs are "passed up" from subfunctions<br>– Principal function is represented as a single state-transition<br>function<br>$M: I \times S \to [O \times S]$ |
|-------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---|-------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| <b>GPS Integrated Architecture</b>  | MNV     Garral Purpose Computer       Sentose     MNV       Sentose     MNV       Sentose     MNV       Sentose     Low Rate Navigation       Pincipal Functiona     Pincipal Functiona       Receiver     Basekina       Anote     GPS Receiver       Receiver     Navigation       Pincipal Functiona     Displays, Low       MU     Navigation       Intu     Crew, |   | Description of GPS CR Subset        | Principal functions are decomposed into subfunctions<br>• Receiver State Processing<br>- GPS IMU Assign<br>- GPS IMU Assign<br>- GPS State Vector Quality Assessment<br>- GPS State Vector Selection<br>- GPS Reference State Announced Reset<br>- GPS External Data Announced Reset<br>• Reference State Processing<br>- GPS External Data Snap<br>- IMU GPS Selection<br>- GPS Reference State Initialization and Reset<br>- GPS Reference State Propagation                                                                                                                                                                                         |

I

| Requirements for Receiver State Processing   | <ul> <li>2.0 Sep 2.1 is performed for each prociver up to the achiverse designed maximum, whether or not the receiver has been sensibly installed on the vehicles.</li> <li>2.0 FOR 1 = 1 to OFFS_SULCAR</li> <li>2.1 Py the care (CERFU_DESELECT_ACVR_n = OFF), perform the following:</li> <li>2.1 Py the care (CERFU_DESELECT_ACVR_n = OFF), perform the following:</li> <li>2.1 Py the care (CERFU_DESELECT_ACVR_n = OFF), perform the following:</li> <li>2.1 Py the care (CERFU_DESELECT_ACVR_n = OFF), perform the following:</li> <li>2.2 Py the care (CERFU_DESELECT_ACVR_n = OFF), perform the following:</li> <li>2.3 Py the care (CERFU_DESELECT_ACVR_n = OFF), perform the following:</li> <li>2.4 Py the care (CERFU_DESELECT_ACVR_n = OFF), perform the following:</li> <li>2.5 Py the care (CERFU_DESELECT_ACVR_n = OFF), perform the following:</li> <li>2.6 (CFF_DAL) of the other quality measurement that we if the quality measurement that we will find the care of the performant of quality measurement that we if the quality measurement that we will the quality quantum of the tare offset on the other of quality measurement that we if the quality quantum of the tare offset on the other of quality measurement that we will the quality measurement that we will the quality quantum of the tare offset on the other of quality measurement that we will the quality quantum of the tare offset on the other othe</li></ul> | 3.0 If the number of CPS states identified as candidates is greater than 0, NUM, CPS_SEL.<br>30, than the relevand CPS states are formed from the signifie candidate as described.<br>R_CPS_SEL. = R_COPS_                    | Modeling of Receiver State ProcessingSelected data types rendered in PVSmajor_mode_code:TYPE = natmajor_mode_code:TYPE = natmission_time:TYPE = natmsison_time:TYPE = natmsison_time:TYPE = natmsison_time:TYPE = natmsison_time:TYPE = natmsison_time:TYPE = (a: nat   1 <= n & n <= 3)receiver_mode:TYPE = (auto, inhibit, force)Ms0_axis:TYPE = (auto, inhibit, force)Ms0_axis:TYPE = (As0_axis -> real)velocity_vector:TYPE = (Ms0_axis -> real)velocity_vector:TYPE = (GPS_id -> position_vector)GPS_predicate:TYPE = (GPS_id -> bool]GPS_fimes:TYPE = (GPS_id -> GPS_id                                                                                                                                                                                                                                                                  | x: TYPE |
|----------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------|
| PVS Modeling of Principal Functions (Cont'd) | <pre>Abstract structure in PVS notation:<br/>pf_result: TYPE = [# output: pf_outputs, state: pf_state #]<br/>principal_function (pf_inputs, pf_state,</pre>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              | loads, K-loads, constants)<br>• Executing a principal function produces output values and next-<br>state values<br>• All side effects are to be captured by this model<br>• All side effects are to be captured by this model | Requirements for Receiver State Processing (Cont'd)         Tak 4.1.3.1 (F3 Nurphine Number) (Cont'd)         Tak 4.1.3.1 (F3 Number) (Cont'd)         Tak 4.1.3 (F3 Number) (Cont'd)         Tak 1.1.1 (F3 Number) (F3 | Ξ       |

112

ļ

| Principal Function Interface Types              | <pre>rec_sp_inputs: TYPE = [#</pre>                                                                                                                                                                                                                                                                                                 | <pre>V_last_GPS_sel: velocity_vector *] rec_sp_I_loads: TYPE = [# acc_prop_min: real,</pre> | ہ<br>Principal Function Specification                        | <pre>GPS_receiver_state_processing((rec_sp_inputs: rec_sp_inputs),</pre> | <pre>nav_state_prop_out =     nav_state_propagation(</pre>                                                                                                                                                                                |
|-------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------|--------------------------------------------------------------|--------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Sample Subfunction of Receiver State Processing | <pre>ref_state_anncd_reset_out: TYPE = [#<br/>GPS_anncd_reset_avail: GPS_predicate,<br/>GPS_anncd_reset: GPS_predicate,<br/>R_ref_anncd_reset: GPS_positions,<br/>T_anncd_reset: dPS_positions,<br/>T_ref_anncd_reset: mission_time,<br/>V_IMU_ref_anncd_reset: velocity_vector,<br/>V_ref_anncd_reset: GPS_velocities<br/>#]</pre> | <pre>ref_state_announced_reset (DT_anncd_reset,</pre>                                       | <sup>13</sup><br>Principal Function Interface Types (Cont'd) | <pre>rec_sp_K_loads: TYPE = [#</pre>                                     | <pre>rec_sp_outputs: TYPE = [#<br/>corr_coeff_GPS: real,<br/>DELR_ratio_QA2_display: GPS_ratios,<br/><br/>V_ref_anncd_reset: GPS_velocities<br/>#]<br/>rec_sp_result: TYPE = [# output: rec_sp_outputs, state: rec_sp_state #]<br/></pre> |

Principal Function Specification (Cont'd)

(rec\_sp\_inputs), state\_vector\_quality\_assessment( SV\_qual\_assess\_out = GPS\_DG V\_GPS

(nav\_state\_prop\_out) ),

state\_vector\_selection( state\_vect\_sel\_out =

(rec\_sp\_I\_loads), corr\_coeff\_GPS\_nom

. . . (nav\_state\_prop\_out) ), V\_GPS\_sel

ref\_state\_announced\_reset( ref\_st\_ann\_reset\_out =

(nav\_state\_prop\_out) ) (rec\_sp\_l\_loads), DT\_anncd\_reset V\_GPS

2

Results (In Progress)

Experience with effort so far:

• Outlook is promising, but it's still early

• CR requirements are still converging

-- Another revision cycle is likely

- After next cycle, FM results should be more meaningful

• FM-based review is helping requirements analysis

-- Many interface errors being detected

• PVS can be used effectively to formalize this application

- Custom specification approach should be easy to duplicate

- Good prospects for continuation by nonexperts

Specification activity assisted by tools, but doing manual specification is also feasible here

61

# Principal Function Specification (Cont'd)

(# output := (#

NI

| (state_vect_sel_out), | <pre><br/>(SV_qual_assess_out),<br/>(state_vect_sel_out),<br/>(state_vect_sel_out),</pre> | <br>(ref_st_ann_reset_out)                               | (SV_qual_assess_out),<br>(state_vect_sel_out),            | <br>(state_vect_sel_out),<br>(nav_state_prop_out) |
|-----------------------|-------------------------------------------------------------------------------------------|----------------------------------------------------------|-----------------------------------------------------------|---------------------------------------------------|
| corr_coeff_GPS        | · · ·<br>GPS_fail_QA4<br>GPS_lat<br>GPS_lon                                               | v_ref_anncd_reset                                        | GPS_DG_prev<br>GPS_SV_sel_avail                           | <br>V_GPS_sel<br>V_last_GPS_sel                   |
| corr_coeff_GPS ;=     | GPS_fail_QA4 :=<br>GPS_lat :=<br>GPS_lon :=                                               | · · · ·<br>V_ref_anncd_reset := V_ref_anncd_reset<br>#), | <pre>state := (# GPS_DG_prev := GPS_SV_sel_avail :=</pre> |                                                   |

÷

18

Feedback from Requirements Analysts

Some RAs are optimistic about potential impact of FM

• Approach used is helpful in detecting two classes of errors:

"Requirements meet the CR author's intent; CR will work"

"Interfaces Documented and Consistent"

Preliminary comparison with conventional process

-- Errors detected in Reference State Processing versus those also found by current process

| Error Severity With FM Existing | With FM | Existing |
|---------------------------------|---------|----------|
| High Major                      | 2       | 0        |
| Low Major                       | ŝ       | 1        |
| High Minor                      | 17      | ~        |
| Low Minor                       | 9       | •        |
| Totals                          | 90      | 4        |

114

## **Continuation Plans**

# Plan for near term CR analysis

- Continue elaborating formal specifications using current style
- Complete two principal functions under way
- Consider adding other functions as resources allow
- --- Collect feedback and data from RAs
- Go down to moderate level of detail
- Incorporate enough detail to capture branching conditions
- Evaluate tradeoffs of formalizing subsystem properties
- Properties based on sequences of state vectors
- Limited proving may be worthwhile

5

## Summary

- Formal methods aiding requirements analysis on a significant Shuttle CR
- Specification techniques customized for Shuttle software
- So far, keeping up with requirements analysis process
- Enables meaningful comparisons
- Early results are encouraging
- Remains to be seen whether techniques can be transferred to and adopted by RAs

#### **Session 5: Software Systems (2)**

#### C. Michael Holloway, Chair

• Ada 9X Language Precision Team, by David Guaspari, Odyssey Research Associates

\* Introduction to Penelope and Its Applications, by David Guaspari, Odyssey Research Associates

PRECEDING PAGE BLANK NOT FRIMED



N96- 10029

#### FORMAL METHODS IN THE DESIGN OF ADA 95

#### David Guaspari

27513 P\_ 10

#### **Odyssey Research Associates**

Formal, mathematical methods are most useful when applied early in the design and implementation of a software system---that, at least, is the familiar refrain. I will report on a modest effort to apply formal methods at the earliest possible stage, namely, in the design of the Ada 95 programming language itself. This talk is an ``experience report" that provides brief case studies illustrating the kinds of problems we worked on, how we approached them, and the extent (if any) to which the results proved useful. It also derives some lessons and suggestions for those undertaking future projects of this kind

Ada 95 is the first revision of the standard for the Ada programming language. The revision began in 1988, when the Ada Joint Programming Office first asked the Ada Board to recommend a plan for revising the Ada standard. The first step in the revision was to solicit criticisms of Ada 83. A set of requirements for the new language standard, based on those criticisms, was published in 1990. A small design team, the Mapping Revision Team (MRT), became exclusively responsible for revising the language standard to satisfy those requirements. The MRT, from Intermetrics, is led by S. Tucker Taft.

The work of the MRT was regularly subject to independent review and criticism by a committee of Distinguished Reviewers and by several advisory teams---for example, by two User/Implementor teams, each consisting of an industrial user (attempting to make significant use of the new language on a realistic application) and a compiler vendor (undertaking, experimentally, to modify its current implementation in order to provide the necessary new features). One novel decision established the Language Precision Team (LPT), which investigated language proposals from a mathematical point of view.

The LPT applied formal mathematical analysis to help improve the design of Ada 95 (e.g., by clarifying the language proposals) and to help promote its acceptance (e.g., by identifying a verifiable subset that would meet the needs of safety-critical applications). The first LPT project, which ran from the fall of 1990 until the end of 1992, produced studies of several language issues: optimization, sharing and storage, tasking and protected records, overload resolution, the floating point model, distribution, program errors, and object-oriented programming. The second LPT project, in 1994, formally modeled the dynamic semantics of a large part of the (almost) final language definition, looking especially for interactions between language features.

PRECEDING PAGE BLANK NOT FILMED

PAGE 118 INTENTIONALLY BLANK

|                       | Revising Ada                                                                                                                                                                                                                                                                                                                                                                           |            |
|-----------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------|
| of Ada95<br>hop<br>es | <ul> <li>Requirements solicited, published in 1990</li> <li>Mapping Revision Team (MRT)</li> <li>Small design team (as with Ada83)</li> <li>Led by S. Tucker Taft (Intermetrics)</li> <li>Led by S. Tucker Taft (Intermetrics)</li> <li>Advisory groups</li> <li>Distinguished Reviewers</li> <li>User/Implementor Teams</li> <li>Language Precision Team (1991-1992, 1994)</li> </ul> |            |
|                       | 01995 Odymay Rezuch Associates, Inc. Formal Methods in the design of Adah5                                                                                                                                                                                                                                                                                                             | <b>Mar</b> |
| ٩                     | Goals of the Language Precision Project         Improve design and promote acceptance of Ada9X       Improve design and promote acceptance of Ada9X         O       Clarify problems         O       State and/or prove properties of the design         O       Identity verifiable subset         O       Provide basis for future formal work                                       |            |
|                       | ology Goynery Research Associates, Inc. Formul Methods in the design of AdaOS                                                                                                                                                                                                                                                                                                          |            |



#### Establishment of Rapporteur Group for critical softwar Object oriented programming (single inheritance) O More predictable semantics in the face of errors Consideration of formal methods in the design **Revisions include** Formal Methods in the design of Ada95 3 Real-time programming (protected records) Of concern for reliable computing Safety and security annex D Hierarchical library Fixing infelicities ©1995 Odyney Research Associates, Inc. SL-95-0024 D D D D D

|

| This talk is an experience report | <ul> <li>Previous formal work on Ada</li> <li>Strategies</li> <li>Phase 1 case studies</li> <li>Phase 2 summary</li> <li>Conclusions</li> </ul>                                                                                                                                                                   | 61993 Odyney Research Amerikes, Inc. Fermul Methods in the design of Add95<br>51.95-0024      | Phase 1: targets of opportunity | <ul> <li>Ignore well-understand parts of language</li> <li>Econolism and another shore "one particular</li> </ul> |                                                         | Advantages                                                                                                         |                                                  | Disadvantages                 | <ul> <li>Axiomatic method makes assumptions – how justified?</li> <li>Disregards interactions of features</li> </ul> |  |
|-----------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------|---------------------------------|-------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------|--------------------------------------------------|-------------------------------|----------------------------------------------------------------------------------------------------------------------|--|
| Technical reports                 | Phase 1: language issues<br>O optimization<br>O sharing and storage<br>O protected records<br>O overload resolution<br>O the floating point model<br>O distribution<br>O program errors<br>O object-oriented programming<br>Phase 2: descriptive<br>O "hatural semantics" model<br>O sequential dynamic semantics | 01995 Colymery Research Americates, Inc. Itemat Methodd in die design of Add5<br>51-593-00024 | Previous formal work on Ada     | Eormal definition proiocte                                                                                        | na deminion projects<br>INRIA (official. little effect) | Dansk Datamatik (led to DDC compiler)<br>NYU (led to first validated compiler)<br>DDC/CRAI (almost whole language) | Formal definitions of subsets, reasoning systems | Penelope (ORA)<br>AVA (CLInc) | Aerospace Corporation<br>SPARK (Program Validation Ltd.)<br>ProSpecTra<br>RAISE(Computer Resources International)    |  |

į

L

|

| Case studies         | <ul> <li>Opportunism in action (default values)</li> <li>Overload resolution</li> <li>Object-oriented features</li> </ul>                                                                | 0001 Objers? Research Americaes, Inc. Formal Methoda in the design of A4095 | <pre>Default values and out parameters is nit; u : out init_rec) is u.comp initialized? Freedwise design of Adds</pre>                                                                                                                                |                                                                                               |
|----------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------|
| Phase 2: Descriptive | <ul> <li>Describe (almost) final definition of sequential Ada 95</li> <li>Look for interactions between features</li> <li>Improve presentation of underlying conceptual model</li> </ul> | 0.000 Objects Associates, lac. Formal Methods in the design of Add95        | <b>tunism in action: default values</b><br>mit default values for subtypes<br>t is integer range 1 100 := x+6;<br>initialized to 3;<br>3; initialized to 3;<br>umably is the following invariant:<br>of subtype init will always have a defined value | 1095 Colymany Ruseworth Associater, Inc. Formul Methodul is the design of Add95<br>SL 95 C024 |

| 01993 Colynery Research Ausocluses, Inc. Formul Methods in the design of Ada95                                                 | Turmal Methods in the design of Addo                                                                                                                       |
|--------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------|
|                                                                                                                                |                                                                                                                                                            |
|                                                                                                                                | C covers x iff every object in defaults(x) is a subobject of some object in C                                                                              |
|                                                                                                                                | A set of objects covers another object:                                                                                                                    |
| <ul> <li>Creation and initialization: create x: c := v</li> <li>Where C covers x and V assigns to the objects in C.</li> </ul> | x is good iff every atomic object in defaults(x) has a defined value<br>The desired invariant says that all objects are good in all reach-<br>able states. |
|                                                                                                                                | Good object (in a given state):                                                                                                                            |
| O Assignment: x ∶= e                                                                                                           | defaults(x) = all those subobjects y of x such that subtype(y) has a default value                                                                         |
| Execution is modeled by sequences of two atomic state-changing                                                                 | s an object<br>sultivna(x) is the sultivne of x                                                                                                            |
| Model of defaults, execution                                                                                                   | Model of defaults, terminology                                                                                                                             |
| 0 (1951 Odyaary Research Associated, lac. Framal Methods in the design of Ad493<br>S1,493-0024                                 | Itemat Machada in the design of Add95                                                                                                                      |
|                                                                                                                                |                                                                                                                                                            |
|                                                                                                                                |                                                                                                                                                            |
| <ul> <li>Execution consists of atomic acts creating objects and assigning values to them.</li> </ul>                           | a2 : init_array := init_array(a1);<br>Invariant fails for components of a2.                                                                                |
| D Op, a set of object-returning, side-effect-free operations.                                                                  |                                                                                                                                                            |
|                                                                                                                                | type not_init_array is array(boolean) of not_init;<br>type init_array is array(boolean) of init;                                                           |
|                                                                                                                                | subtype not_init is integer range 1100;                                                                                                                    |
| Model of defaults, elements                                                                                                    | Example 2: Default values and subtype conversions                                                                                                          |

| Model of defaults, example axioms                                                                                                              | To apply the model:                                                                                                                                                                          |
|------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Axioms describe how state-changers affect the goodness of objects $\Box  Y := e$                                                               | Can the proposed language rules be described within the given model of defaults? If so, the invariant holds.                                                                                 |
| O If y is a subobject of x, x is good, and e is good, then after this exe-<br>cution x is still good.                                          | <ul> <li>Revisit example 1 (out parameters): How is an out parameter created?</li> <li>Revisit example 2 (subtype conversions): Is subtype conversion a non-decreasing operation?</li> </ul> |
| O If the values assigned by V are good then, after this execution, x is good.                                                                  |                                                                                                                                                                                              |
| D Etc.                                                                                                                                         |                                                                                                                                                                                              |
| The invariant is guaranteed if the operations in <i>Op</i> are non-decreasing:<br>good arguments yield a good result under normal termination. |                                                                                                                                                                                              |
|                                                                                                                                                |                                                                                                                                                                                              |
| 01995 Objews Reservit Americes. Inc. Formal Michaelu in the davige of Addr9 13. 495 0024                                                       | O1995 Odynary Research American. Formul Methods in the design of Add5 18, 195-0024                                                                                                           |
| Default subtypes, concluded                                                                                                                    | Overload resolution                                                                                                                                                                          |
| Proposal dropped<br>Not a "point change"                                                                                                       | <ul> <li>Ada83 rules are complex</li> <li>Unpleasant surprises</li> <li>Fine points not consistently interpreted by compilers</li> </ul>                                                     |
|                                                                                                                                                | <ul> <li>Proposed changes add complexity (in some ways)</li> <li>Problems describing proposed changes</li> <li>Incompatibilities between old rules and proposed changes unclear</li> </ul>   |
|                                                                                                                                                |                                                                                                                                                                                              |
| 01955 Colymery Research Americaes, Inc. Formal Methods in the design of Address<br>31.953 CO264                                                | O 1995 Odynary Resurch Associater, lac. Formal Methoda is de design of A4495<br>51.553-0024                                                                                                  |

. .

| Hierarchical names and "use" clauses |                                                                        | package p is                 | function a return foo: | function "+"(x,y: foo) return bar; | end package:    |                       | Compare                            | A : 100 .≇ r.g,<br>D : bar := P.*+"(e1. e2): |           | with .                                                                | Lise D:                           |   | b : bar := e1+e2;                                                     | <br>O 1995 Orysawy Research Ausociater, Inc. Itamul Methoda in the design of A4495<br>S1-85-0024 | Abstract formal model of overload resolution |              | D Written in Z                             |        | O The environment (what declarations apply)<br>O Which interpretations are preferred                          | D Hides irrelevant detail | O Makes concrete syntax abstract (e.g., all expressions become<br>applications) |
|--------------------------------------|------------------------------------------------------------------------|------------------------------|------------------------|------------------------------------|-----------------|-----------------------|------------------------------------|----------------------------------------------|-----------|-----------------------------------------------------------------------|-----------------------------------|---|-----------------------------------------------------------------------|--------------------------------------------------------------------------------------------------|----------------------------------------------|--------------|--------------------------------------------|--------|---------------------------------------------------------------------------------------------------------------|---------------------------|---------------------------------------------------------------------------------|
| Problems                             | <ul> <li>Finding satisfactory rules for overload resolution</li> </ul> | C Interactions of foot iros. |                        |                                    | i strona tvoina | l overload resolution | O Special role of operator symbols | O Blemishes in proposals                     | non-local | <ul> <li>upward inconsistent</li> <li>"Beaujolais effects"</li> </ul> | Describing the rules you've found | , | O Descriptions of proposals (both declarative and algorithmic) flawed | 0.995 Objerry Research Associated, Inc. Formal Methods in the design of A4495<br>31-95 0024      | Beaujolais effect                            | package P is | function f(a: boolean) return boolean; F#1 | end P; | <pre>function f(a: integer) return boolean; F#2 function "&lt;"(a: integer; b: integer) return integer;</pre> | [ use P;]                 | x : boolean := $f(1 < 2)$ ; $F#1$ or $F#2$ ?                                    |

|                  |              |                      | ations apply)<br>arred                                                           |                         | Makes concrete syntax abstract (e.g., all expressions become applications) | Omits specs of irrelevant operations (e.g., the check that actuals match formals) | Applies to one expression at one point in program (environment is not a state variable) |                                                                                         |
|------------------|--------------|----------------------|----------------------------------------------------------------------------------|-------------------------|----------------------------------------------------------------------------|-----------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------|
| (by Bill Easton) | Written in Z | Parameters to model: | The environment (what declarations apply)<br>Which interpretations are preferred | Hides irrelevant detail |                                                                            | Omits specs of irrelevant opera<br>match formals)                                 | Applies to one expression at or not a state variable)                                   | 1995 Odyasy Ruseuth Autocitich, Inc.<br>1995 Odyasy Ruseuth Autocitich, Inc.<br>1945 24 |
| (by Bill         | ž            | D<br>Pa              | 00                                                                               | Ť                       | 0                                                                          | 0                                                                                 | 0                                                                                       | 01995 Odyney 1<br>st95-0024                                                             |

Formal Methods in the design of Ada95 23

©1995 Odyssey Research Associates, Inc. SL-95-0024

| Using the formal model of overload resolution                                                      | n Results of work on overload resolution                                                           |
|----------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------|
| Different rules correspond to different choices of parameters                                      |                                                                                                    |
| For particular rules, we may ask                                                                   | <ul> <li>Received with enthusiasm</li> <li>Shed light on complex problem</li> </ul>                |
| Are the rules "local"?<br>Are there Beaujolais effects?                                            | Suggested modifications adopted by MRT                                                             |
| Are there upward inconsistencies?                                                                  | Successful because                                                                                 |
| What are the upward incompatibilities?                                                             | <ul> <li>Addresses acknowledged difficulty</li> </ul>                                              |
|                                                                                                    | D Suitable problem (isolatable)                                                                    |
|                                                                                                    | <ul> <li>Right abstraction</li> <li>Right problem solver (mathematician and Ada lawyer)</li> </ul> |
| ltermal Methods in the decign of Ad495<br>25                                                       | OR Super Resurb Austice, let. Famil Methods in the design of AddS<br>SL954 0024                    |
| <b>Object oriented programming</b>                                                                 | Classwide types:                                                                                   |
| Ada9X inheritance: generalizes type derivation                                                     | The type Alert'class                                                                               |
| with Calendar;<br>package alert_system is                                                          | <ul> <li>like a variant record type</li> <li>tag acts as discriminant</li> </ul>                   |
| type alert is tagged<br>record<br>Time_Of_Arrival: Calendar.Time;<br>Message: Text;<br>end record; |                                                                                                    |
| <pre>procedure Display(A: in Alert;); procedure Handle(A: in out alert);</pre>                     |                                                                                                    |
| type medium_alert is new alert with<br>record<br>Action_Officer: Person;<br>end record;            |                                                                                                    |
|                                                                                                    |                                                                                                    |
| kthods in the decign of Ada05<br>27                                                                | 01995 Objecty Rezearch Associates, Inc. Formal McFedda in the design of Add55<br>51,59:0024        |
| Formal Methods in the design of Ads95<br>27                                                        |                                                                                                    |

©1995 Odymey Research Associates, Inc. SI.-95-0024

©1995 Odynecy Research Associates. Inc. SL-95-0024

126

Ì

i

| Ada9X runtime binding:                                                                                                                                                                       | Goal of work on OOP:                                                                                                                                                                                                                           |
|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| <pre>procedure Process_Alerts(AC: in out Alert'Class) is begin</pre>                                                                                                                         | <ul> <li>Proof formalism for a significant subset of the OOP constructs</li> <li>Extend existing formalism (Penelope) for Ada83</li> </ul>                                                                                                     |
| <pre><br/>Handle(AC); dispatch according to tag<br/></pre>                                                                                                                                   | Interacting with the WH.I<br>D is the model right?<br>Does the model cover enough?                                                                                                                                                             |
|                                                                                                                                                                                              | Ű.                                                                                                                                                                                                                                             |
|                                                                                                                                                                                              | <ul> <li>Ada9X OOP proposals very volatile</li> <li>Many non-semantic issues (syntax, static semantics, efficiency)</li> </ul>                                                                                                                 |
|                                                                                                                                                                                              | D LPT is an add-on                                                                                                                                                                                                                             |
| 0195 Okymery Research Ameriae L Inc. Formal Methods in the datage of A40% Science Ameriae L Inc. Formal Methods in the datage of A40% A40% A40% A40% A40% A40% A40% A40%                     | O1993 Obymay Research Americana, Inc. I'umul Methoda in the design of A4495<br>51.95-0024                                                                                                                                                      |
| Conclusions of OOP report                                                                                                                                                                    | Phase 2, approach                                                                                                                                                                                                                              |
| <ul> <li>Proof formalism and specification notation for basic OOP mechanisms</li> <li>Justifies claim that semantics is clean</li> <li>Practical? Only applied to simple examples</li> </ul> | <ul> <li>Ignore static semantics</li> <li>Define dynamic semantics in "natural semantics" formalism</li> <li>Written in notation of Typed Prolog</li> <li>static semantic checking</li> <li>definition executable on small examples</li> </ul> |
| o (1955 Odywery Research Amordues, Inc. Tarmal Mediades in the design of Add95                                                                                                               | 2 0000 Obyery Research Associated, loc. Formal Mechods in the design of Add91                                                                                                                                                                  |
|                                                                                                                                                                                              |                                                                                                                                                                                                                                                |

| Phase 2, summary                                                              |      |   | <b>Conclusions: the Language Precision Project</b>                                                                                              |
|-------------------------------------------------------------------------------|------|---|-------------------------------------------------------------------------------------------------------------------------------------------------|
| Several problems found, corrected in final reference manual                   | iual |   | Opportunistic approach achieved some influence on the MRT                                                                                       |
| Surprises: difficulties in seemingly "trivial" areas                          |      |   | O Some results unlikely to come from a different source                                                                                         |
|                                                                               |      | 0 | Begun to identify a verifiable subset                                                                                                           |
|                                                                               |      | D | Limited by not being part of the MRT                                                                                                            |
|                                                                               |      |   | <ul> <li>Hard to find the best assignments</li> <li>Not always in the loop</li> <li>Contractual requirement for "products" not ideal</li> </ul> |
|                                                                               |      | Ē | Widely scattered LPT manageable, but awkward                                                                                                    |
|                                                                               |      | 0 | Differences in culture                                                                                                                          |
|                                                                               |      |   | <ul> <li>LPT, semantics; MRT, implementation</li> <li>Key demand on members of LPT – bridge the gap</li> </ul>                                  |
|                                                                               |      | £ | Hope: work like this will become standard operating procedure                                                                                   |
|                                                                               |      |   |                                                                                                                                                 |
| 01993 Odymery Reneurch Americated, Inc. Itomal Michoda in the decign of Add95 | 6    |   | 01993 Odyawy Rizearch Associates, Inc. Fromal Methoda in the dealgy of Ad495<br>SL-95-0074                                                      |

----

i

ļ

## N96-10030

## **INTRODUCTION TO PENELOPE**

## David Guaspari

59514 p.9

## **Odyssey Research Associates**

A formal program verification is a (mathematical) proof that a program executed according to its intended model meets some specification. This proves that the algorithm defined by the program is *correct* in the precise technical sense of being consistent with a particular specification. A program correct in this sense is free from a large and important class of errors, even though its behavior may still produce unintended results---either because the implementation of the programming language itself does not match the model of execution, or because the specification does not correctly express the user's intentions.

Penelope is a prototype system for interactively developing and verifying programs that are written in a rich subset of sequential Ada. Penelope can be used to develop a program and its correctness proof incrementally, and in concert with one another. Incrementality is used in a number of ways to help make verification more tractable and more productive. For example, if an already-verified program is modified, one can attempt to prove the modified version by replaying and modifying the original verification.

Penelope's specification language, Larch/Ada, belongs to the family of Larch interface languages. Larch/Ada scales up properly, in the sense that it is demonstrably sound to decompose a system hierarchically and reason locally about the implementation of each piece.

Penelope has been applied in various demonstration projects---for specification (guidance control, distributed operating system), verification (of off-the-shelf code), and formal development (by non-expert as well as expert users). Some features of Penelope have been embodied in AdaWise, a lint-like non-interactive tool that warns of the potential for certain dynamic semantic errors in Ada programs.

| <b>Goals of the Penelope project</b><br>Define the semantics of a large Ada subset<br>Define an Ada specification language (Larch/Ada)<br>Implement automated support for reasoning about specifications and<br>implementation (Penelope)<br>Apply Penelope<br>Apply Penelope |                         |                            | ifications and                                                      |                  | ORM                                                              |
|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------|----------------------------|---------------------------------------------------------------------|------------------|------------------------------------------------------------------|
| Goals c<br>Define the semantics c<br>Define an Ada specific<br>Implement automated<br>implementation (Penel<br>Apply Penelope<br>Apply Penelope                                                                                                                               | of the Penelope project | ation language (Larch/Ada) | support for reasoning about spec<br>ope)                            |                  | latradaction lo Penelope<br>2                                    |
|                                                                                                                                                                                                                                                                               | Define the s            |                            | <ul> <li>Implement automated i<br/>implementation (Penel</li> </ul> | C Apply Penelope | 01995 Odynery Reword Amociates, Inc.<br>SI95 0023 David Gustpari |



| Introduction to Penelope | David Guaspari<br>NASA Formal Methods Workshop<br>May 10 - 12, 1995 | Odyssey Research Associates<br>301 Dates Drive<br>Ithaca, NY 14850-1326<br>(607) 277-2020<br>davidg@oracorp.com | .k. konkrine in Preside                                            | <b>Results</b><br>Mathematical goals met<br>Penelope supports a non-trivial subset of our model<br>Applications have been demonstrations<br>Spin-offs<br>O "Lightweight" Ada tools (AdaWise)<br>O "Lightweight" Ada tools (AdaWise)<br>O Carryover to Ada95 work (LPT)<br>O Penelope as a teaching tool | lik. Larodaction to Practope                                       |
|--------------------------|---------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------|
| Intro                    | NASA                                                                | Ody                                                                                                             | 01931 Odmany Raneech Associates, lec.<br>81.953 0023 David Gaugari | <ul> <li>Mathematical goals met</li> <li>Penelope supports a no</li> <li>Applications have been</li> <li>Spin-offs</li> <li>Spin-offs</li> <li>Carryover to Ada95</li> <li>Penelope as a teac</li> </ul>                                                                                                | 01995 Odyney Rosanth Associator, lac.<br>SL-95-0023 David Guttpari |

| Complicated narts                                                                                                                                                                              | Definitions of Ada                                                                                                                                                                                                             |
|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| static semantics<br>concurrency                                                                                                                                                                | <ul> <li>In the Ada culture</li> <li>O Officially: LRM + AI's</li> </ul>                                                                                                                                                       |
| Dynamic semantics of sequential Ada is clean                                                                                                                                                   |                                                                                                                                                                                                                                |
| strong typing<br>run-time constraint checking<br>disciplined use pointers<br>disciplined use of exceptions<br>information hiding<br>standardizes semantics often left implementation-dependent | <ul> <li>Formal definitions</li> <li>Formal definition of sequential Ada80</li> <li>AdaEd interpreter (in SetL)</li> <li>DDC + CRAI definition of Ada83 (virtually complete)</li> <li>Formal definitions of subsets</li> </ul> |
| Dark corners of sequential Ada:                                                                                                                                                                |                                                                                                                                                                                                                                |
| arbitrary choices left underdetermined<br>interactions of optimization and exceptions                                                                                                          | <ul> <li>O CLInc</li> <li>O Aerospace Corporation</li> <li>O Program Validation, Ltd.</li> <li>O ProSpectra</li> </ul>                                                                                                         |
| 01993 Optimery Research Associates, Inc. Introduction to Prestope<br>31, 93 0023 David Caupteri                                                                                                | 01995 Otymery Rate areth Amociates, Inc. Introduction to Prentipee                                                                                                                                                             |
| Modeling our Ada subset                                                                                                                                                                        | Subset covered by the model                                                                                                                                                                                                    |
| Eliminate almost all dark corners by static semantic checks<br>O for "improper" aliasing<br>O for "undisciplined" side effects                                                                 | <ul> <li>Nearly all non-pathological uses of the following:</li> <li>All sequential types (including floating point)</li> <li>All sequential statement floating point)</li> </ul>                                              |
| Disallow optimizations sanctioned by RM 11.6.<br>Ignore resource limitations (storage error, numeric overflow).                                                                                | <ul> <li>Exception reasing and remaining</li> <li>Subprograms (including side-effects, recursion, global variables)</li> <li>Packages</li> <li>Generics</li> </ul>                                                             |
| Definitional technique: denotational semantics, predicate<br>transformers.                                                                                                                     |                                                                                                                                                                                                                                |
|                                                                                                                                                                                                |                                                                                                                                                                                                                                |
| 01995 Obymery Research Autociates, Inc. Introduction to Practope<br>31.93.0023 Davied Gauspari                                                                                                 | 01995 Objawy Research Associates, Inc. Interchercian to Principae St. 93-0023 David Guagear                                                                                                                                    |

ļ

I

| Predicate transformer semantics: a "logical" form of symbolic execution                                                      | : a "logical" form of<br>tion      |
|------------------------------------------------------------------------------------------------------------------------------|------------------------------------|
| $\begin{vmatrix} & 2 &(1) \\ x & \vdots & x+1; \\ & \begin{vmatrix} & y & < x &(2) \\ & postcondition (given) \end{vmatrix}$ | sought)<br>(given)                 |
| Question: What must be true at (1) to guarantee " $y < x$ " will be true at (2)? Answer: " $y < x+1$ "                       | e " $y < x$ " will be true at (2)? |
| Answer obtainable by symbolic manipulation: substitute "x+1" for "x" in "y $< x$                                             | ubstitute "x+1" for "x" in " $y <$ |
|                                                                                                                              |                                    |
| Olyss Odynery Rear unch Associates, Inc.     Istroduction to Practope     St 95 0073 David Guarpai     10                    |                                    |

| intities, e.g.:                                                               |                                                  | for the corre-                                                                                             | ORM                                                                           |
|-------------------------------------------------------------------------------|--------------------------------------------------|------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------|
| entities with symbolic e                                                      | Symbolic<br>term<br>{true, false}<br>predicate   | ss can be proven sound                                                                                     | heoderchine in Previlope<br>12                                                |
| Systematically associate computational entities with symbolic entities, e.g.: | Computational<br>value<br>answer<br>continuation | Derived predicate transformer semantics can be proven sound for the corre-<br>sponding denotational model. | 0 1995 Cotynery Ree arch Ameridea. Inc. Introduct<br>81:55 2023 David Guegeri |
| Syster                                                                        |                                                  | Derive                                                                                                     | © 1995 Codyn<br>S195-0023                                                     |

| What a Penelope proof proves | nizations                                                                         | 5                                            |                                                                   |                     | ns on theories                       | For allowed executions on allowed compilers: if initial conditions satisfied then termination implies exit conditions satisfied. | hurdherian is Presiden                                                |
|------------------------------|-----------------------------------------------------------------------------------|----------------------------------------------|-------------------------------------------------------------------|---------------------|--------------------------------------|----------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------|
| What a Penelope proof prove  | <ul> <li>Hypotheses on compiler</li> <li>No section 11.6 optimizations</li> </ul> | <ul> <li>Hypotheses on executions</li> </ul> | <ul> <li>No storage error</li> <li>No numeric overflow</li> </ul> | Currently unchecked | O Consistency conditions on theories | For allowed executions on allowed compiler termination implies exit conditions satisfied.                                        | 01995 Odynery Research Associated, Inc.<br>81,-95 0023 David Guesperi |

|         | Introduction to Peaclope<br>11                                       | 01995 Odyssey Research Associates, Inc.<br>51,-95-0023 David Gusspari |
|---------|----------------------------------------------------------------------|-----------------------------------------------------------------------|
|         |                                                                      |                                                                       |
|         |                                                                      |                                                                       |
|         | tion to (pre)continuation.                                           | which takes (post)continuation to (pre)continuation.                  |
|         | <b>M</b> [[S]]: continuation -> continuation                         | M[[S]]: continua                                                      |
| mantics | which take postcondition to precondition, and continuation semantics | which take postcondition to                                           |
|         | ≿ate->predicate                                                      | wlp(S,): predicate->predicate                                         |
|         | transformers                                                         | Analogy between predicate transformers                                |
|         |                                                                      |                                                                       |

. .

| <ul> <li>Larch/Ada</li> <li>Specifies sequential Ada</li> </ul> | <ul> <li>Assertional (entry-exit, invariants,)</li> <li>Partial correctness</li> <li>Unit of specification is the compilation unit</li> <li>Annotations of bodies hidden from clients</li> <li>"Two-tlered" semantics</li> </ul>                                                                               | OISS Colymers Rearent American La Labolación la Panelop<br>31.43:000 David Osupert<br>31.43:000 David Osupert | Informal example of a two-tiered specification | <pre>function plus(x,y: integer) return integer;</pre>            | <ul> <li>Mathematical component</li> <li>Defines sort Int, the infinite collection of mathematical integers</li> <li>Defines the basic mathematical operations on Int (+, *, &lt;,)</li> <li>Interface component</li> </ul> | 01993 Odyary Ruz weh Associates, Inc. Introducion to Prostope<br>SL 95 2023 David Gaugani |
|-----------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------|------------------------------------------------|-------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------|
| ototic" floating                                                | racy improves<br>berations – approxi-<br>with discontinuous                                                                                                                                                                                                                                                    | 6                                                                                                             |                                                |                                                                   |                                                                                                                                                                                                                             | <b>D</b> 2M                                                                               |
| Penelope supports a special "asymptoti<br>point semantics       | Models computation in the limit as machine accuracy improves<br>Purely algebraic reasoning about approximate operations – approxi-<br>mate equality, etc. (no epsilons and deltas)<br>Highlights logical errors in specifying and coding with discontinuous<br>operations (such as floating point comparisons) | la (coduction lo Proctogo<br>13                                                                               | Two-tiered specifications:                     | hematical component<br>An environment of mathematical definitions | rface component<br>Describes behavior in terms of environment                                                                                                                                                               | letrochection to Penelope<br>15                                                           |
| vddns edojeué                                                   | lodels computation<br>urely algebraic res<br>ate equality, etc. (<br>ighlights logical er<br>berations (such as                                                                                                                                                                                                | 01995 Odynary Rasaurth Ausociate, Ioc.<br>S1,99:0023 David Guangar                                            | Тис                                            | Mathematical component<br>O An environment of ma                  | Interface component<br>O Describes behav                                                                                                                                                                                    | © 1995 Odynery Rose arch Associates, Inc.<br>SI.955 0073 David Guspard                    |











proofs

D

D

D



| <b>D</b><br>S<br>M | Introduction to Penelope<br>26                  | 01995 Odysey Research Associates, Inc.<br>SL-95-0023 David Gusspari | 0199.<br>SL-95 |
|--------------------|-------------------------------------------------|---------------------------------------------------------------------|----------------|
|                    |                                                 |                                                                     |                |
|                    |                                                 |                                                                     |                |
|                    |                                                 |                                                                     |                |
|                    |                                                 |                                                                     |                |
|                    | Access to undefined scalars (under development) |                                                                     | ٥              |
|                    | ndence                                          | Incorrect order dependence                                          | ۵              |
|                    |                                                 | Improper aliasing                                                   | D              |
|                    | Properties checked                              | ď                                                                   |                |
|                    |                                                 |                                                                     |                |





Elaboration order dependences are common (mostly a portability problem)
 Obscure aliasing problems fairly common
 False warnings often point to doubtful coding practices
 Size of individual examples: up to 50-60 modules, 18,000 SLOC
 Size of individual examples: up to 50-60 modules, 18,000 SLOC

| Alias Warning: N<br>procedure GET_FIELD_INFO<br>begin<br><br>WODE := FIELD.VALUE;<br>WODE := FIELD.MODE;<br>exception<br><br>end GET_FIELD_INFO; | Alias Warning: Non-Scalar Parameters (cont'd)<br>procedure GET_FIELD_INFO( ;<br>INIT_VALUE ; out FIELD_VALUE;<br>VALUE ; out FIELD_VALUE;<br>) is<br>begin<br>) is<br>) is<br>) is<br>) is<br>erebtion<br><br>end GET_FIELD_INFO; | Further         Tractability of constraint checking,         Packages with state         Specification of termination proofs         Improved modularity         Full support for generics         Concurrency | Further Work<br>Tractability of constraint checking, definedness checking<br>Packages with state<br>Specification of termination proofs<br>Improved modularity<br>Full support for generics<br>Concurrency |  |
|--------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--|
| 01993 Odynery Research Associates, Inc.<br>51,95-0023 Divid Guappari                                                                             | Incoduction to Practope                                                                                                                                                                                                           | 01993 Odyney Rezerreth Amerikka, Inc.<br>31.932 0021 Divid Gaugud                                                                                                                                              | l atrobation to Prestope<br>30                                                                                                                                                                             |  |

## Session 6: Hardware Systems

## Paul Miner, Chair

- The Formal Verification Technology Used on AAMP5, by Mandayam Srivas, SRI International
- \* Specification and Verification of VHDL Designs, by Damir Jamsek, Odyssey Research Associates
- Derivational Reasoning System, by Bhaskar Bose, Derivation Systems Inc.

PRECEDING PAGE BLANK NOT FILMED PAGE 138 INTENTIONALLY PLANK

## N96-10031

59515

### The Formal Verification Used for the AAMP5 and AAMP-FV

It is becoming increasingly evident within the VLSI design industry that the complexity of many current hardware designs is outstripping the capability of traditional simulation-based tools to adequately verify them. This situation was well-illustrated by the recent floating point bug discovered in Intel's Pentium processor. The industry is beginning to look at formal verification as a technological alternative to simulation for obtaining higher assurance than is currently possible.

Recently, SRI International and Collins Commercial Avionics, a division of Rockwell International, undertook a project to explore how formal techniques for specification and verification could be introduced into an industrial process. The project, sponsored by the Systems Validation Branch of NASA Langley and Collins Commercial Avionics, consisted of specifying in the PVS language a portion of a Rockwell proprietary microprocessor, the AAMP5, at both the instruction set and register-transfer levels and using the PVS interactive proof-checker to show that the microcode correctly implemented the specified behavior for a representative subset of instructions.

The main goal of the project was two-fold: First, to investigate the feasibility of formally specifying and verifying a complex commercial microprocessor that was not expressly designed for formal verification. Second, to explore effective ways to transfer the technology to an industrial setting. The choice of the AAMP5 satisfied the first goal since the AAMP5 was not designed for formal verification, but to provide a more than threefold performance improvement while remaining object-code-compatible with the earlier AAMP2, which is used in numerous avionics applications, including the Boeing 737, 747, 757, and 767.

To satisfy the technology transfer objective, we had to develop a suitable verification methodology and a formal infrastructure to make the technology usable by practicing engineers. This infrastructure includes techniques for decomposing the microprocessor verification problem into a set of verification conditions that the engineers can formulate and strategies to automate the proof of the verification conditions. The development of the infrastructure was one of the key accomplishments of the project. Most of the infrastructure and methodology are general enough to be reused for other microprocessors, certainly in the verification of another member of the AAMP family. This methodology was used to formally specify the entire microarchitecture and more than half of the instruction set and to verify a core set of eleven AAMP5 instructions representative of several instruction classes. However, the methodology and the formal machinery developed are adequate to cover most of the remaining AAMP5 instructions. Although PVS was the vehicle of the experiment, the methodology is applicable to other sufficiently powerful theorem provers.

Another key result of the project was the discovery of both actual and seeded errors. Two actual microcode errors were discovered during development of the formal specification, illustrating the value of simply creating a precise specification. Both were specific to the AAMP5 and were corrected before first fabrication. Two additional errors seeded by Collins in the microcode were systematically uncovered by SRI, who knew that bugs had been seeded, but not their location or identity, while doing correctness proofs. One of these was an actual error that had been discovered by Collins after first fabrication but left in the microcode provided to SRI. The other error was designed to be unlikely to be detected by walk-throughs, testing, or simulation.

Steve Miller's talk earlier in the workshop, gave an overview of the AAMP5 project emphasizing the technology transfer process with its administrative and managerial aspects. This talk describes the technical approach used in verifying the AAMP5. Please refer to Steve Miller's slides for the AAMP5 design figures.

PRECEDING PAGE BLANK NOT FILMED

INTENTIONALLY BLANK

The Formal Verification Technology Used for the AAMP5 and AAMP-FV\*

Mandayam Srivas

**Computer Science Laboratory** 333 Ravenswood Avenue (http://www.csl.sri.com) Menlo Park, CA 94025 (srivas@csl.sri.com) SRI International

\*Joint work with Steve Miller, Rockwell International, Collins Commercial Avionics, Cedar Rapids, Iowa 52498

-

2

**Organization of the Talk** 

- Overview of AAMP5 Processor
- What did we verify?
- How did we manage complexity of verification?
- Mechanization of proofs
- Conclusions

Macromachine Specfication

ADD\_lemma\_1: LEMMA

LET X = current\_data\_env(st)(tos(st)+1),

Y = current\_data\_env(st)(tos(st))

IN current\_opcode(st) = ADD & NOT arith\_update.exception(st) => normal\_macro\_machine.next\_macro\_state(st) =

st WITH [(dmem)(word2denv(denv(st)))(tos(st)+1) := X + Y,

(tos) := tos(st) + 1]

1

(pc) := pc(st) + 1,

The Stack Memory Model

|                                                                                                                                | DPU Environment Assumptions                                                                                |
|--------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------|
| DPU Environment Assumptions                                                                                                    | <ul> <li>"If RDY is true then decoded outputs presented by the I FU</li> </ul>                             |
| <ul> <li>"If RDY is false then RDY will eventually become true provided<br/>the DPU obeys its end of the protocol."</li> </ul> | correspond to the instruction stored at the PC presented by the LFU."                                      |
| CLR_RDY_wait: AXIOM                                                                                                            |                                                                                                            |
| NOT RDY(t) & normal_fetching(t) & CLR_RDY?(NCO(t)) =>                                                                          |                                                                                                            |
| (EXISTS (t1   t1 > t)):                                                                                                        | % Invariant constraints on the outputs when LFU is RDY                                                     |
| <pre>stays_same(NCO(t))(t, t1) =&gt;</pre>                                                                                     | RDYinv: AXIOM                                                                                              |
| stays_same(RDY)(t, t1-1) & RDY(t1) &                                                                                           | RDY(t) =>                                                                                                  |
| normal_fetching(t1) &                                                                                                          | <pre>LET opcode = opcode_at(CENV(t), DP(t), CODE_MEMORY(t))</pre>                                          |
| DP(t1) = DP(t)+length_of_instruction(opcode) )                                                                                 | IN EP(t) = EP_ROM(opcode) & (has_imm_data(opcode)                                                          |
|                                                                                                                                | => IM(t) = first_unit_of_imm_data(t))                                                                      |
|                                                                                                                                |                                                                                                            |
| ل<br>ک                                                                                                                         | v                                                                                                          |
|                                                                                                                                |                                                                                                            |
|                                                                                                                                |                                                                                                            |
|                                                                                                                                |                                                                                                            |
| Sample Register-Transfer Level Specification                                                                                   | Other Microprocessor Verification Efforts                                                                  |
| $SVax$ : AXIOM $SV(t+1) = IF DHLD(t) THEN SV(t) ELSE NEXT_SV(t) ENDIF$                                                         | <ul> <li>FM8501 [Hunt: 1986]</li> </ul>                                                                    |
| SV1ax: AXIOM SV1(t+1) = IF DHLD(t) THEN SV1(t) ELSE SV(t) ENDIF                                                                | <ul> <li>Viper [Cohn: 1988]</li> <li>Tamarack [Joyce: 1988]</li> </ul>                                     |
| TVax: AXIOM TV(t+1) = IF DHLD(t) THEN TV(t) ELSE NEXT_TV(t) ENDIF                                                              | <ul> <li>MiniCayuga [Srivas &amp; Bickford: 1990]</li> <li>Saxe's Pipeline [Saxe, et. al. 1991]</li> </ul> |
| TV1ax: AXIOM TV1(t+1) = IF DHLD(t) THEN TV1(t) ELSE TV(t) ENDIF                                                                | DLX pipeline [Burch & Dill: 1993]     INITA [Windley: 1994]                                                |
| END SVTVpipeline_axioms                                                                                                        |                                                                                                            |
|                                                                                                                                |                                                                                                            |
|                                                                                                                                |                                                                                                            |

~



- Abstraction function (ABS)
- Visible state

## Complications posed by AAMP5

- Pipelining
- Autonomous prefetch and data transfers
- The "stack cache" abstraction

# **Pipelined Microprocessor Correctness**



- Abstraction function must be suitably "skewed"
- Length of instruction cycle can be idefinite not necessarily a function of the current visible state



10

6



T

| Formal Correctness Statement                    | <pre>commuting_property: LEMMA visible_state(t) &amp; proper_instrns_in_pipe(t)     &amp; no_logical_stack_overflow(t)     =&gt; EXISTS (tp: time   tp &gt; t):     stays_low(t+1, tp-1)(visible_state) &amp;     visible_state(tp) &amp; ABS(tp) = next_macro_state(ABS(t)) visible_state(t): bool =     NOT(th_cert_op(t))(t)) &amp;     * NOT(DHLD(t)) &amp; NOT(nextDJMP(t))     &amp; entry_cond_met(current_op(t))(t)) (t) </pre>                                                                                   | 5        | General Verification Conditions<br>• dhld.lemma:<br>"NOT DHLD ⇒<br>> (DHLD & macrostate unchanged)"<br>> (DHLD & macrostate unchanged)"<br>• [FU.not.rdy.lemma:<br>"NOT RDY ⇒<br>> (RDY & next instruction moves in)"<br>• (entry.condition.met & macrostate unchanged"                                                                                                                                                                                                                    | 16 |
|-------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----|
| Specializing Correctness Criterion to the AAMP5 | <ul> <li>Visible state:</li> <li>The first microinstruction of the <i>current</i> macroinstruction is loaded into MC0 (microregister)</li> <li>The current (compute-stage) instruction is guaranteed to advance</li> <li>The previous (write-stage) instruction in the pipeline is guaranteed to complete in the next cycle</li> <li>Abstraction function</li> <li>A projection function except for data memory</li> <li>The data memory at the macro level is real memory with the overlaid "stack registers"</li> </ul> | 51<br>12 | <ul> <li>Our Approach to the Verification Task</li> <li>Incremental verification: Structure it so as to <ul> <li>get early feedback</li> <li>Collins staff can participate in the proof process</li> <li>Collins staff can participate in the proof process</li> <li>Abstract the DPU environment: A set of "rely-guarantee" assertions characterizing the interactions for the DPU with the other units.</li> </ul> </li> <li>Decompose the proof into <ul> <li>an automatic part: instruction-specific verification conditions</li> <li>interactive part: general verification conditions</li> </ul> </li> </ul> | 15 |

TO\_correctness: LEMMA

visible\_state\_with(ADD)(t) & SysInv(t) =>
T0(t+2) =
(sign\_extend[16](48)(ith\_top\_of\_scache(t+1)(1))
+ sign\_extend[16](48)(ith\_top\_of\_scache(t+1)(0)))^((15,0))

i: VAR below[10]
REG\_correctness: LEMMA
visible\_state\_with(ADD)(t) & SysInv(t) =>

REG(t + 2)(i) = REG(t + 1)(i)

17

18

## The Core Startegy Used

For proving theorems of the form:

"Precond(s0)  $\Rightarrow f(s0) = g(E^i(s0))$ , for some constant i"

- Rewrite expressions in the theorem using the functions in the design specification as auto-rewrite rules. ((repeat (do-rewrite)))
- "Lift" all the if-then-else structures to the topmost level ((repeat (lift-if)))
- Simplify using a BDD simplifier, arithmetic, and other decision procedures along with using a library of bit-vector properties as auto-rewrite rules.

((then\* (bddsimp) (assert)))

Mechanization of proofs of Verification Conditions

Overview of PVS

Our core hardware strategy

## Mechanization overview

- Instruction-specific VCs: Core hardware strategy
- General VCs: Inductions with core strategy for the base and inductive steps.
- Main correctness theorem: Chaining of VCs with intructionspecific VCs, definition of abstraction function, and macro specification used as rewrite rules.

## Conclusions

- Is commercial processor verification technically feasible? Yes, if carefully planned and executed.

  - Can practicing engineers use this technology? Yes, with appropriate training and expert help.
    - Is it "cost-effective" ?

Odyssey Research Associates May 11, 1995 Specification and Hardware Specification and Verification Verification of **VHDL Designs** Damir Jamsek @1995 Odyssey Research Associates, Inc. SL/95 0025

Om IT



technology

D

D

D D D D

00

D

|                     | HADDWAR Specification and Verification                                                                                                                       | 101995 00155 KCCC BICH ASSOCIATES, (BC:                                                                                        | 2 2      |
|---------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------|----------|
|                     |                                                                                                                                                              |                                                                                                                                | )        |
| supported.          | Concurrent signal assignments with (transport) delay are supported.                                                                                          | Concurrent signal assignation                                                                                                  | <u> </u> |
|                     | e supported.                                                                                                                                                 |                                                                                                                                | <u> </u> |
|                     | The declarations in package standard are supported.                                                                                                          |                                                                                                                                | U        |
|                     | ire supported.                                                                                                                                               | Constrained subtypes are supported.                                                                                            | <u> </u> |
|                     | Array types and enumeration types are supported.                                                                                                             | Array types and enume                                                                                                          | <u>u</u> |
|                     | assignments<br>ures                                                                                                                                          | <ul> <li>Concurrent signal assignments</li> <li>Structural architectures</li> </ul>                                            |          |
|                     | All phase I VHDL constructs are still supported                                                                                                              | All phase I VHDL const                                                                                                         | <u>u</u> |
| so far              | VHDL language constructs supported so far                                                                                                                    | VHDL language                                                                                                                  |          |
| 0220                | Hudwure Specification and Verification                                                                                                                       | 01993 Oxforeay Rize and Associated, Inc.<br>51, 93-0025                                                                        | 9 Ø      |
| VILL                | Hudware Specification and Verification                                                                                                                       | 1)1955 Odyawy Rezench Amociated, Inc.<br>1980 005                                                                              | ) •¤     |
|                     | A theorem prover allows formal vérification to be done                                                                                                       | D A theorem prover allow                                                                                                       |          |
| esign and the ation | lace to Designs<br>Specifies the relationship between the actual design and the<br>mathematical model<br>Allows analysis of the actual system implementation | <ul> <li>Interface to Designs</li> <li>Specifies the relation<br/>mathematical model</li> <li>Allows analysis of th</li> </ul> |          |
| t of system         | lematics<br>Expresses the basic model of the system<br>Allows analysis of system features independent of system<br>implementation                            | - Wath                                                                                                                         |          |
|                     | system specification                                                                                                                                         | Two-tiered approach to system specification                                                                                    |          |
|                     | Larch/VHDL                                                                                                                                                   |                                                                                                                                | <b>.</b> |
|                     |                                                                                                                                                              |                                                                                                                                |          |



| <ul> <li>a specification that defines maximum delay as a function (1/4/0g(n) +3) 'del) of n and del.</li> <li>(1/4/0g(n) +3) 'del) of n and del.</li> <li>(1/4/0g(n) +3) 'del) of n and del.</li> </ul> |
|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|

Hardware Specification and Verification 13

> ©1995 Odyssey Research Associates, Inc. S1.:95-0025



| DES Specifica                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | DES Specification in Larch (Components)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |             |
|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|
| <ul> <li>De: Des</li> <li>Des: Freik</li> <li>Tachudes (P. Jaf, K. Jaf, S. Jaf, P. Ja</li> <li>Opennicen canuncration of encode, decode introduces</li> <li>R. Ha, Neuco - Mi, Pieren</li> <li>R. Mi, Neuco - Mi, Neuco</li> <li>B. Mi, Neuco - Mi, Neuco</li> <li>B. Mi, Neuco - Mi, Neuco</li> <li>B. Mi, Neuco - Mi, Neuco</li> <li>M. Mi, Neuco - Mi, Neuco</li> <li>M. Mi, Neuco - Mi, Neuco</li> <li>B. Mi, Neuco - Mi, Neuco</li> <li>M. Mi, Neuco&lt;</li></ul> | <ul> <li>2.1 Det</li> <li>2.4 Not traits</li> <li>2.5 And, K.Jady, K.Jady, K.Jady, K.Jady, S.Jady, M. Sondon, Annola and the second material structure of the second structure of the second</li></ul> |             |
| ©1993 Odynery Rire anth Americana, Inc.<br>5155 0025                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | Hurbwer Specificultur and Verlificulien<br>13                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                | <b>O</b> RM |
| Hardware Design Implen<br>A VHDL fragment is annotated with a s<br>use work.DesTypes.all;<br>entity bescipher is<br>port(x: in Bit64);<br>end cipher;<br>end ty DEScipher<br>include DES<br>guarantees if op='0' then y = encode(x,key)<br>end                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              | Hardware Design implementing the DES<br>A VHDL fragment is annotated with a specification<br>work. DestTypes.all;<br>ty DEScipher is<br>rt(x : in Bit64, key : in Bit64, op : in Bit;<br>yout Bit64);<br>cipher is<br>differs<br>de DES<br>antees if op=0' then y = encode(x,key)<br>else y = decode(x,key)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |             |
| 01993 Odynery Renewech Ameriates, Inc.<br>S1-99 0029                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | Hardware Specification and Verification                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      | ORM         |









Ì



©1995 Odyssey Research Associates, Inc. SL-95-0025

etc. for all 16 cases

with i select begin , ×

155

© 1995 Odyssey Research Associates, Inc. S1.-95-0025

. .







## DRS - Derivational Reasoning System

Bhaskar Bose

Derivation Systems, Inc. 5963 La Place Court, Suite 208 Carlsbad, California 92008 Tel: (619) 431-1400 bose@dvsi.com

May 11, 1995

### Abstract

The high reliability requirements for airborne systems requires fault-tolerant architectures to address failures in the presence of physical faults, and the elimination of design flaws during the specification and validation phase of the design cycle. Although much progress has been made in developing methods to address physical faults, design flaws remain a serious problem. Formal methods provides a mathematical basis for removing design flaws from digital systems.

DRS (Derivational Reasoning System) is a formal design tool based on advanced research in mathematical modeling and formal synthesis. The system implements a basic design algebra for synthesizing digital circuit descriptions from high level functional specifications. DRS incorporates an executable specification language, a set of correctness preserving transformations, verification interface, and a logic synthesis interface, making it a powerful tool for realizing hardware from abstract specifications. DRS integrates recent advances in transformational reasoning, automated theorem proving and high-level CAD synthesis systems in order to provide enhanced reliability in designs with reduced time and cost.

Copyright (c) 1995 Derivation Systems, Inc.

| Overview | <ul> <li>The Problem Domain</li> <li>Derivation and Verification</li> <li>DRS - Derivational Reasoning System</li> <li>An Example</li> </ul> | ◆ Conclusions                                                                                                        | Ceptright (c) 1995 Derivation Systems, Inc.<br>MASA Tormal Methoda Wortshop, May 10.12, 1995 | Derivation Systems, Inc. | <ul> <li>Corporate Mission</li> <li>Advanced research for the development of computer engineering tools for the <u>mathematical</u> <u>modeling</u> and <u>formal synthesis</u> of digital hardware systems.</li> </ul>                                                                                 |
|----------|----------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------|--------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|          | DRS - Derivational Reasoning System<br>Bhaskar Bose                                                                                          | Derivation Systems, Inc.<br>5963 La Place Court, Suite 208<br>Carlsbad, CA 92008<br>(619) 3131-1400<br>bose@dvsi.com | Gegyright (c) 1995 Derivation Systems, Inc.<br>NASA Formal Methoda Workshop, May 10 12, 1995 | The Problem Domain       | <ul> <li>Computers are being used with increasing frequency where the correct implementation is critical.</li> <li>complex systems</li> <li>reduced time to market</li> <li>safety-critical applications</li> <li>Establish a rigorous framework for reasoning about complex design process.</li> </ul> |

NASA Formal Methods Workukup, May 10-12, 1995

Capyright (c) 1995 Derivation Systems, Inc.

Copyright (c) 1995 Derivation Systems, Inc.

NASA Formal Methods Workshop, May 10-12, 1995

| Integrating Derivation and Verification                               | <ul> <li>Alternate modes of formal reasoning must be<br/>integrated if formal methods are to support the<br/>natural analytical and generative reasoning that takes<br/>place in engineering practice.</li> </ul>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | Copyright (c) 1993 Derivation System, Inc.    | Derivation Examples         • DDD-FM9001 [Bose'94]         • DDD-FM9001 [Bose'94]         • Scheme Machine [Burger et.al '94]         • Fault-tolock Synchronization Circuit [Miner '94]         • FM8502 [Bose '90]         • FM8502 [Bose '90]         • FM8502 [Bose '90]         • Schonage Collector [Boyer '86]         • Schonage Collector [Boyer '86] |
|-----------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Derivation and Verification:<br>"Alternate" Modes of Formal Reasoning | ification<br>Constructing a post factum<br>"proof of correctness" for a design.<br>ivation<br>Deriving a "correct by construction"<br>design.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | NASA Termal Methoda Workshop, May 10 12, 1995 | kground<br>• "Synthesis of Digital Designs from Recursion<br>Equations" (Johnson '84)<br>• DDD - Digital Design Derivation System<br>(Bose, et.al. '87-94)<br>(Bose, et.al. '87-94)                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
| Derivation and Verification:<br>"Alternate" Modes of Forma            | <ul> <li>Verification</li> <li>Construc</li> <li>"proof of "proof of "proof of "proof of "proof of of "prove" prove "prove" prove" prove "prove" prove "prove" prove "prove" prove "prove" prove "prove" prove" prove "prove" prove" prove "prove" prove "prove" prove" prove" prove "prove" prove" prove</li></ul> | Copyright (c) 1993 Derivation Systems, Inc.   | Background<br>• "Synthesis of Digital Desig<br>Equations" (Johnson '84)<br>• DDD - Digital Design Deri<br>(Bose                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |

| An Initial Architecture |                                                                                                                                           | Correction (1995 Farturan System. Inc. MAA Farma Markes, Marke | The next step is to fold the call, $g(dec(x), z, add(y, z))$ , in<br>g into the definition of h resulting in<br>g(x, y, z) = lt?(x, 2) -> y, $h(dec(x), y, z)h(x, y, z) = g(x, z, add(y, z))This has the effect of splitting the dec and add operationsbetween two separate definitions.$                                                                                              | From this transformed specification, we derive the following structural description:                                              |
|-------------------------|-------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------|
| An Example: Fibonacci   | the recursive Fibonacci sp<br>denotes the conditional op<br>= lt?(x, 2) -> y, g(dec(x)<br>(x, 1, 1)<br>recursive definition, we ca<br>re: | State Introduction                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     | The first phase in the derivation is to apply a series of transformations at the behavioral level. In this phase the dec and add operations are serialized so that they may be combined into a single logic unit later in the derivation. The first step is to introduce a function h, such that the call to g will fold within the definition of h. Introducing a definition h yields | g(x, y, z) = lt?(x, 2) -> y, g(dec(x), z, add(y, z))<br>h(x, y, z) = g(x, z, add(y, z))<br>стран (с) 1095 Inclinitian Spierm, Mz. |

| The Initial Structural Specification (contd.) | In this phase of the derivation, transformations are applied<br>to refine the structural specification to an architecture. The<br>goal is to encapsulate the dec and add operations<br>(highlighted by the dotted circle) into a single abstract<br>component.<br>An algebraic transformation, called <u>factorization</u> ,<br>encapsulates the dec and add operations into a single<br>component and synthesizes a behavioral description<br>denoting the abstraction. | Capridua (o) 1993 Derivation System, Inc.   | <ul> <li>Further Stages of the Derivation</li> <li>Implement the abstract component with either</li> <li>continued derivation of the abstract component</li> <li>mapping to a verified library component</li> <li>use of verification to replace with a particular implementation.</li> <li>Control and architecture are directly synthesized in hardware.</li> </ul> |
|-----------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| The Initial Structural Specification          |                                                                                                                                                                                                                                                                                                                                                                                                                                                                          | Cupyright (c) 1993 Derivation Systems, Inc. | Factoring: dec and add                                                                                                                                                                                                                                                                                                                                                |

162

Cripyright (c) 1995 Derivation Systems, Inc.

Copyright (c) 1995 Derivation Systems, Inc.

NASA Permal Methods Workshop, May 10.12, 1995

NASA Pismudi Mechada Wantahap. May 10.12, 1999

| <ul> <li>Continued development of DRS through Phase II<br/>SBIR Contract.</li> </ul> | <ul> <li>Integration with high-level theorem provers.</li> </ul>  | <ul> <li>Develop tacticals and analysis tools.</li> </ul> | <ul> <li>Application of DRS to a practical design problem.</li> </ul> | NASA fiormal Michael Workshop, May 10.12, 1995 |  |  |
|--------------------------------------------------------------------------------------|-------------------------------------------------------------------|-----------------------------------------------------------|-----------------------------------------------------------------------|------------------------------------------------|--|--|
| <ul> <li>Continued deve<br/>SBIR Contract.</li> </ul>                                | <ul> <li>Integration will</li> </ul>                              | <ul> <li>Develop tactic</li> </ul>                        | <ul> <li>Application of</li> </ul>                                    | Capright (c) 1995 Derivation Systems, Inc.     |  |  |
|                                                                                      | generative reasoning that takes place in engineering<br>practice. | The DRS System, is a reflection of this ideal.            |                                                                       | NASA Farmul Methods Workshop, May 10.12, 1995  |  |  |
| <ul> <li>Derivation meth-<br/>of verification an<br/>powerful tool to</li> </ul>     | generative reaso<br>practice.                                     | <ul> <li>The DRS Syster</li> </ul>                        |                                                                       | Capright (o) 1995 Derivation Systems, Inc.     |  |  |

-

Future Directions

Conclusion

ļ

## Session 7: Researcher Perspectives on Formal Methods

Jim Caldwell, Chair

- David Dill, Stanford University (No slides available)
- Doug Hoover, Odyssey Research Associates
- Steve Johnson, Indiana University
- Natarajan Shankar, SRI International (No slides available)

PRECEDING PAGE BLANK NOT FRIMED

PAGE 164 INTENTIONALLY BLANK

| Static Appets of Object Orientation       OO     FM       OI     FM       class     abstract data type, logical theory subclass       subclass     theory extension       object     state machine       .     . | Odyssey Research Astroviater, Inc. | FM Support for Object Orientation            | • I don't know of any FM Spec or Proof tool that supports the "decentralized" OO definition. | <ul> <li>Perlaps new ideas in logic are needed to properly support reasoning about dynamic sub-<br/>typing.</li> </ul> | <ul> <li>There are some related problems regarding formal development of concurrent programs.</li> <li>What is the right meaning of "compositional?"</li> </ul> |                      |                                         |                 |                                       |                 |                                                         |   |
|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------|----------------------------------------------|----------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------|-----------------------------------------|-----------------|---------------------------------------|-----------------|---------------------------------------------------------|---|
| D. N. Hover<br>Odyses fleesed Ansoriates, Int.<br>301 Dates D. V. 1880-1355<br>Intract: boweBosacep.com<br>May 24, 1995                                                                                          | Odyssey Research Associates, fac.  | Dynamic Aspects of OO (Function Dispatching) | R.g. constructed type definitions can be given in pieces.                                    | "Normal" code<br>BDDL_ETP ::● V   Mot BDDL_ETP   And BODL_EXP BODL_EXP                                                 | value essa (Vble v) - assa v<br>  (dot e) - not (value assa e)<br>  (and el e2) - (value assa el) and (value assa e2)                                           | Object-oriented code | Class Type BODL_EXP with Function value | 800L_EXP Clause | Vble V<br>viue assn (Vble v) - assn v | 800L_EXP Clause | Not BODL.EXP<br>value mann (Mot w) = not (value aman w) | ં |

PRECEDING PAGE BLANK NOT FILMED

~

Object Orientation is a complex collection of concepts, some of which are already part of FM (come from FM), some of which have yet to be incorporated in FM.

Formal Methods — Panel Discussion D. N. Hoover

FM Challenges--Object Orientation

Odyssey Research Associates, Inc.

PAGE 166 INTENTIONALLY BLANK

| Oulyses Research Associates, loc.                                                                                                                                                                                                        | Odyssey Research Associates, lac.                                                                                                                                   |
|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| FM and Program Methodology                                                                                                                                                                                                               | Assorted Theses                                                                                                                                                     |
| Structural/Punctional Specification/Denign                                                                                                                                                                                               | 1. FM is very powerful and should be used for more things than telling people their spees/code                                                                      |
| • Less "Black box" nature than FM.                                                                                                                                                                                                       | are wrong.                                                                                                                                                          |
| <ul> <li>Not entirely formal.</li> </ul>                                                                                                                                                                                                 | <ul> <li>Generate code, tests, docs.</li> </ul>                                                                                                                     |
| <ul> <li>Nevertheless a good start for an FM application (e.g. Statemate).</li> </ul>                                                                                                                                                    | 2. For example, HOL or PVS as an ML code generator.                                                                                                                 |
| • It also includes heuristics for trying to figure out what the spec should be.                                                                                                                                                          | <ol> <li>FM tools should be usually automatic and should give helpful information about errors as<br/></li></ol>                                                    |
| 00 Specification/Design                                                                                                                                                                                                                  |                                                                                                                                                                     |
| • In practice (e.g. Booch), seems to say a lot about how modules are related, not much about                                                                                                                                             | <ol> <li>Proving in general is hard, but in most applications it is not hard, unless induction is<br/>involved.</li> </ol>                                          |
| uata representations, or what the modules actually do.<br>• Is this a problem or an opportunity?                                                                                                                                         | <ol><li>Ceneral purpose spec languages and theorem provers are not for everybody.<br/>But they are very useful for developing specialized tools.</li></ol>          |
|                                                                                                                                                                                                                                          | 6. In many settings, very simple concepts and tools are helpful.                                                                                                    |
|                                                                                                                                                                                                                                          | <ol><li>The idea that you can establish something by proving it instead of testing all possible cases<br/>is inconceivable to most programmers/engineers.</li></ol> |
|                                                                                                                                                                                                                                          | 8. Most programmers have no idea of what has to be in a useful spec. Learning this is probably the most valuable product of FM experience.                          |
|                                                                                                                                                                                                                                          | 9. God bless the FAA.                                                                                                                                               |
|                                                                                                                                                                                                                                          | • Better "informal" spees to start from.                                                                                                                            |
|                                                                                                                                                                                                                                          |                                                                                                                                                                     |
|                                                                                                                                                                                                                                          |                                                                                                                                                                     |
| Odysacy Research Associates, Inc.                                                                                                                                                                                                        |                                                                                                                                                                     |
| <ul> <li>Requirements for critical software reasonably well-defined.</li> <li>There are a number of reasonable places for FM to contribute.</li> <li>Ok to start by automating existing processes, later try to replace them.</li> </ul> |                                                                                                                                                                     |
| 10. Tool qualification is the main obstacle to use of FM in critical systems.                                                                                                                                                            |                                                                                                                                                                     |
| 11. If you use FM, you can program fancier and still be safe.                                                                                                                                                                            |                                                                                                                                                                     |
|                                                                                                                                                                                                                                          |                                                                                                                                                                     |

ļ

!

. -

**168** 

|

ļ

i

|



Issues raised in formal methods

#### Steve Johnson's Panel Slides

O Is horizon receding faster?

# Next 5-10 years

- Focus on reusable technology (algorithms, theories, clock sync, floating point)
  - Develop verification/consulting industry
- $\bullet$  Consumers must make demand known, and reward FM skills.
- Industry must assume some of the cost (short and long term)

-

# Speculation on research

- ullet FM is like CAD was 25 years ago, but without the \$ to integrate.
- Integration is very challenging for both engineering and academic reasons.
- General recognition of the need for a diverse tool set is leading to preliminary experience "in the lab."
- There will continue to be a gap (gulch) between research focus and applied interest.

# **Session 8: Research Issues (1)**

#### C. Michael Holloway, Chair

Safety Analysis, by John C. Knight, University of Virginia

\* Non-standard Analysis and Embedded Software, by Richard Platek, Odyssey Research Associates

N96-10033 59511

#### SAFETY ANALYSIS

John C. Knight

Department of Computer Science, University of Virginia Charlottesville, VA 22903

# P 9

#### **Case Studies**

We are engaged in a research program in safety-critical computing that is based on two case studies. We use these case studies to provide application-specific details of the various research issues, and as targets for evaluation of research ideas.

The first case study is the *Magnetic Stereotaxis System* (MSS), an investigational device for performing human neurosurgery being developed in a joint effort between the Department of Physics at the University of Virginia and the Department of Neurosurgery at the University of Iowa.

The system operates by manipulating a small permanent magnet (known as a "seed") within the brain using an externally applied magnetic field. By varying the magnitude and gradient of the external magnetic field, the seed can be moved along a non-linear path and positioned at a site requiring therapy, e.g., a tumor. The magnetic field required for movement through brain tissue is extremely high, and is generated by a set of six superconducting magnets located in a housing surrounding the patient's head. The system uses two X-ray cameras positioned at right angles to detect in real time the locations of the seed and of X-ray opaque markers affixed to the patient's skull. The X-ray images are used to locate the objects of interest in a canonical frame of reference.

The second case study is the University of Virginia Research Nuclear Reactor (UVAR). It is a 2 MW thermal, concrete-walled pool reactor. The system operates using 20 to 25 plate-type fuel assemblies placed on a rectangular grid plate. There are three scramable safety rods, and one nonscramable regulating rod that can be put in automatic mode. It was originally constructed in 1959 as a 1 MW system, and it was upgraded to 2 MW in 1973. Though only a research reactor rather than a power reactor, the issues raised are significant and can be related to the problems faced by full-scale reactor systems.

#### Safety Kernel

The software in systems like those in our case studies is very large and complex. We assume that, because of this size and complexity, faults will remain in the software for an application after development. An approach we are pursuing to deal with this is a software architecture termed a *safety kernel*, a concept directly analogous to the security kernel used in security applications. A security kernel provides assurance that a set of security policies is enforced independently of the application program. Verification of the security kernel is sufficient to ensure enforcement of those policies encapsulated within the security kernel. The application program need not enforce the security policies, and it can, in fact, undertake actions that would normally lead to violation of the security policies with no danger of actual violations taking place. The similarity between security concerns and safety concerns is considerable and the concept of a safety kernel is appealing. If the concept were feasible, a safety kernel would enforce a set of safety policies by monitoring requests to devices, device actions, device status, application software status, and so on.

We have developed an enforcement safety kernel and integrated it into our MSS implementation. The safety kernel is generated automatically from a formal specification of the safety policies, and tests of the MSS instantiation show excellent performance.

#### Testing

Systems of this complexity pose significant challenges in the area of testing, especially in the large number of possible test cases. We are using a technique that we call *specification limitation* to permit demonstration of useful properties by exhaustive testing. By specification limitation we mean that the specification for the application is deliberately limited in several areas to restrict the total number of test cases. For example, in the MSS the angles entered by the operator for the required direction of motion are rounded to 1/10 of a degree. In practice, this is not a significant functional restriction but it permits exhaustive testing of the angles used for setting direction. The same approach is used with distance.

A second significant problem in testing complex systems is correctness determination, i.e., determining whether the outputs are correct. In our MSS implementation, we have addressed this problem by the use of *reversal checks* on the entire system. A reversal check computes a program's input from its output and compares this with the actual input. The current calculations for the superconducting coils, for example, begin with a required force and are very complex. Computing the force resulting from the coil currents, however, is simple and provides the exact inverse of the current calculations. Thus the input can be computed and compared. A variation on the idea of a reversal check is also used by the MSS imaging subsystem.



#### PRECEDING PAGE BLANK NOT FILMED













UVA Department of Computer Science

it thoth Workshop - Slide 8 (0 John C. Knight

Department of Computer Science

(ASA Farmel Methods Wartshop - Slide 7 (O John C. Knight 199

















- · Concept Is That Security Kernel Controls Access To All Information
- Kernel Enforces A Set Of Security Policies Irrespective Of Application Software's Actions:



| If the seed moves faster than 2.0 mulsec., the coil currents must<br>be set to zero.<br>The coil currents must be within 5.0 amps of the predicted value.<br>The coil current requested by the application must be within the<br>range -100 amps to 100 amps.<br>An X-ray source must be "off" for 0.2 seconds before an "on"<br>An X-ray dose during an operation must be less than 100<br>millirem.<br>Before moving the seed, a reversal check must be ess than 100<br>millirem.<br>And so on | SOME OF THE MSS SAFETY POLICIES                                                                                                                |
|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------|
| The coil currents must be within 5.0 amps of the predicted value.<br>The coil current requested by the application must be within the range -100 amps to 100 amps.<br>An X-ray source must be "off" for 0.2 seconds before an "on" command is executed.<br>The total X-ray dose during an operation must be less than 100 millirem.<br>Before moving the seed, a reversal check must be executed on the requested currents to compare the predicted force with the desired force.<br>And so on   | If the seed moves faster than 2.0 mm/sec., the coil currents mus<br>be set to zero.                                                            |
| The coil current requested by the application must be within the range -100 amps to 100 amps.<br>An X-ray source must be "off" for 0.2 seconds before an "on" command is executed.<br>The total X-ray dose during an operation must be less than 100 millirem.<br>Before moving the seed, a reversal check must be executed on the tequested currents to compare the predicted force with the desired force.<br>And so on                                                                        | The coil currents must be within 5.0 amps of the predicted value                                                                               |
| An X-ray source must be "off" for 0.2 seconds before an "on"<br>command is executed.<br>The total X-ray dose during an operation must be less than 100<br>millirem.<br>Before moving the seed, a reversal check must be executed on the<br>requested currents to compare the predicted force with the<br>desired force.<br>And so on                                                                                                                                                             | The coil current requested by the application must be within th<br>range -100 amps to 100 amps.                                                |
| X-ray dose during an operation mus<br>vving the seed, a reversal check must<br>l currents to compare the predicte<br>orce.<br>And so on                                                                                                                                                                                                                                                                                                                                                          | An X-ray source must be "off" for 0.2 seconds before an "on'<br>command is executed.                                                           |
| Before moving the seed, a reversal check must be executed on the requested currents to compare the predicted force with the desired force.<br>And so on                                                                                                                                                                                                                                                                                                                                          | The total X-ray dose during an operation must be less than 10<br>millirem.                                                                     |
|                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  | Before moving the seed, a reversal check must be executed on th<br>requested currents to compare the predicted force with th<br>desired force. |
| MU 🕅                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | And so on                                                                                                                                      |
|                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  | NVA                                                                                                                                            |

















Operator Display

Magnetic Field Visualization

**Control** Scripts Test

Test Harness

Fake Devices

1ASA Rumat Matheds Wortshop - Slide 25 (© Julas C. Knight 1993





180

ļ



ļ

1

ļ

Į.

l





2/0/0

A.7

NON-STANDARD ANALYSIS AND EMBEDDED SOFTWARE

#### **Richard Platek**

#### ah Associates

#### **Odyssey Research Associates**

#### richard@oracorp.com

One model for computing in the future is ubiquitous, embedded computational devices analagous to embedded electrical motors. Many of these computers will control physical objects and processes. Such hidden computerized environments introduce new safety and correctness concerns whose treatment go beyond present Formal Methods. In particular, one has to begin to speak about Real Space software in analogy with Real Time software. By this we mean, computerized systems which have to meet requirements expressed in the real geometry of space. How to translate such requirements into ordinary software specifications and how to carry out proofs is a major challenge.

In this talk we propose a research program based on the use of non-standard analysis. Much detail remains to be carried out. The purpose of the talk is to inform the Formal Methods community that Non-Standard Analysis provides a possible avenue of attack which we believe will be fruitful.

PRECEDING PAGE BLANK NOT FILMED

FOF IST PATENET AND A AND

| Outline of Talk | D Embedded software | Need for formal methods to include continuous mathematics | A proposed research program based on non-standard analysis |  |  |
|-----------------|---------------------|-----------------------------------------------------------|------------------------------------------------------------|--|--|
|-----------------|---------------------|-----------------------------------------------------------|------------------------------------------------------------|--|--|







| Basic Stumbling Block         The discrete/continuous dichotomy         Traditional formal methods only exploited discrete mathematics (logic, set theory, algebra)         This is also true of computer science which might add combinato number theory, etc.         Traditional physical and engineering disciplines rely on continuo. math (e.g., calculus, analysis, topology).         Very few technical people are comfortable in both cultures. |                                                                                                                                    |                       |
|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------|-----------------------|
|                                                                                                                                                                                                                                                                                                                                                                                                                                                           | Challenge to the Formal Methods Community                                                                                          | Basic Stumbling Block |
| <ul> <li>Traditional formal methods only exploited discrete mathematics (logic, set theory, algebra)</li> <li>This is also true of computer science which might add combinato number theory, etc.</li> <li>Traditional physical and engineering disciplines rely on continuoumath (e.g., calculus, analysis, topology).</li> <li>Very few technical people are comfortable in both cultures.</li> </ul>                                                   |                                                                                                                                    |                       |
| <ul> <li>This is also true of computer science which might add combinato number theory, etc.</li> <li>Traditional physical and engineering disciplines rely on continuoumath (e.g., calculus, analysis, topology).</li> <li>Very few technical people are comfortable in both cultures.</li> </ul>                                                                                                                                                        | Construct the necessary logical infrastructure to support the develop-<br>ment and evaluation of such software                     |                       |
| e necessary logical infrastructure to support the devel-<br>evaluation of such systems<br>analysis, topology).<br>Traditional physical and engineering disciplines rely on continuou<br>math (e.g., calculus, analysis, topology).<br>Traditional physical and engineering disciplines rely on continuou<br>math (e.g., calculus, analysis, topology).                                                                                                    | More accurately:                                                                                                                   |                       |
| <ul> <li>Very few technical people are comfortable in both cultures.</li> <li>Very few technical people are comfortable in both cultures.</li> </ul>                                                                                                                                                                                                                                                                                                      | <ul> <li>Construct the necessary logical infrastructure to support the devel-<br/>opment and evaluation of such systems</li> </ul> |                       |
| 5 OVER Strength American late 1                                                                                                                                                                                                                                                                                                                                                                                                                           |                                                                                                                                    |                       |
|                                                                                                                                                                                                                                                                                                                                                                                                                                                           | 'n                                                                                                                                 |                       |

D

۵

©1995 Odyssey Research Associates, Inc SL-95-0029 Richard Platek



|       | Quotations                                                                                                                                                              |
|-------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| D     | "No continuum can not be made up out of indivisibles, as for instance a line out of points, granting that the line is continuous and the point indivisible. " Aristotte |
| ۵     | "A point may not be a constituent part of a line" Leibniz                                                                                                               |
| ۵     | "A true continuum has no points" _ Rene Thom                                                                                                                            |
|       |                                                                                                                                                                         |
| St 95 | 000 Operation Rearest Americans, let 10                                                                                                                                 |

| L    |                                                                                   |
|------|-----------------------------------------------------------------------------------|
|      | Leibniz' Infinitesimals                                                           |
| ٦    | Positive quantities smaller than all positive reals.                              |
| ٦    | They are not indivisible! If dx is an infinitesimal so is $\frac{dx}{2}$ .        |
|      | The extended real numbers satisfy "all" the algebraic laws of the ordinary reals. |
| D    | Solves the paradoxes.                                                             |
|      | Basis for an explosive development of new mathematics.                            |
|      |                                                                                   |
| 96 S | 00000 Operation American here 12 OPE                                              |





. .









 $\cos n\theta + i \sin n\theta = (\cos\theta + i \sin\theta)^n$ 

 $-\sum_{k=0}^{n}\binom{n}{k}^{k}sin^{k}\theta \ cos^{n-k}\theta$ 

 $\sum_{k=0}^{n} \frac{n!}{k! (n-k)!} i^{k} \sin^{k} \theta \cos^{n-k} \theta$ 

R

5

© 1995 Odynery Research Associates, Inc SL 95-0029 Richard Platek



D

D

D

D



8

188

Examples

Series

D

|                  | Basic Computer Science Question                                                                                                                                                                                                                                                                                                                                                                |
|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| D                | In the extended programming language described above what func-<br>tions over 'R and 'Z are computable? Can one give a description of<br>these functions independent of the starting programming language? Is<br>there a natural recursion theory over 'R? Currently being worked on<br>using results of generalized recursion theory introduced 30 years ago<br>by Kleene, Gandy, and Platek, |
| 0 1995<br>S1-954 | 01995 Odynery Research Annolutes. Jac                                                                                                                                                                                                                                                                                                                                                          |

### **Session 9: Research Issues (2)**

Victor Carreno, Chair

• Hybrid Fault Algorithms, by Pat Lincoln, SRI International

Model Checking, by David Dill, Stanford University

PRECEDING PAGE BLANK NOT FEMED

#### Hybrid Fault Algorithms

#### Patrick Lincoln, SRI International

In Association With:

- J. Rushby SRI
- N. Suri Allied Signal
- C. Walter (then) Allied Signal

Sponsored by the NASA Langley Research Center under contract NAS1 18969

#### **Application: Digital Flight Control**

- Extreme Reliability  $(10^{-9} \text{ system failures/hour})$
- Synchronous Systems
- NASA RCP

#### **Byzantine Fault Tolerant Machine Designs**

1

- SRI's SIFT (early 80's) was the first; used 70% CPU cycles on overhead for voting etc.
- Allied-Signal's MAFT (late 80's) used hardware assistance; numerous innovations
- Draper Lab's Asymmetric FTP: less hardware
- Others: TU Vienna MARS, AIPS, FTTP...

The Algorithms Used are Complex Single Points of Failure

#### **General Points About Verification**

2

- Informal Proofs are Unreliable: In the past, have Found and Corrected Flaws in Published Algorithms and Proofs.
- PVS is an Effective Tool: Emphasis on Minimizing Human Effort
- Proof Reuse Reduces Cost
- Still Expensive to Prove Anything Interesting

#### **General Points About Algorithms**

#### • Slight Modifications to Traditional Algorithms

- Can Provide Much Greater Reliability
- Can Destroy Correctness
- Hybrid Approach Widely Applicable
  - Clock Synchronization
  - Byzantine Agreement
  - Diagnosis

#### **Byzantine Agreement**

Set of n Generals (Processors)

m of them are Traitors (faulty)

All Good Generals Must Agree on Plan of Attack All Good Processors Must Agree on Sensor Value

Make NO Assumptions about Behavior of Traitors Make NO Assumptions about Behavior of Faults

Assume One Commander, Others Are Lieutenants Assume One Transmitter, Others Are Receivers

#### The Byzantine Generals Problem: Requirements

5

- Agreement: Nonfaulty Lieutenants Agree on the Value Received from the Commander
- Validity: If the Commander is Nonfaulty, the Value Received by Nonfaulty Lieutenants is the Value Actually Sent

7

#### The Oral Messages Algorithm (OM) (Lamport, Shostak, Pease 1982)

- The Commander Sends Value to Each Lieutenant
- If r = 0, Each Lieutenant Accepts A Value Otherwise, each lieutenant plays the part of the general in OM(r-1) to send value received to other lieutenants
- Each Lieutenant Takes Majority Vote of the Values Received



#### **Properties of OM**

- For Agreement and Validity Requires n > 3a (Best Possible Bound)
- r + 1 rounds of message exchange
- Exponential Number of Messages (Moses 93)
- Need Four Channels to Withstand a Single Fault
- Formally verified (Bevier & Young '92, Rushby '92, Shankar '93)

#### Hybrid Fault Models

- Extreme Positions:
  - Byzantine Approach: Components are Perfect or Failed in Unknown Manner
  - FMEA Approach: Components Fail in (many) Known Ways; Design Countermeasures for each (and combinations)
- Allied Signal's Hybrid Fault-Models: Include Byzantine Case, Plus a Few Common Cases (Fail-Stop, Stuck-At, ...)

Formalizing Hybrid Fault Models: Motivation

- Maximum Assurance
- Maximum Reliability
- Minimum Hardware

#### Algorithms for Hybrid Fault Models

10

- Extend Byzantine Fault-Tolerant Algorithms to Deal Better With NonByzantine Faults
- Survive a Few Bad Faults or a Lot of Simple Faults with the Same Protocol

12

• Allied Signal's Reliability Analysis: This Provides Superior Reliability (McElvany-Hugue '93)

#### A Hybrid Fault Model

#### **Requirements for Hybrid Agreement**

- Allied Signal (Thambidurai and Park '88)
  - (a) Arbitrary (Byzantine, Asymmetric)
  - -(s) Symmetric (Value, Stuck-At)
  - (c) Crash (Manifest, Stopped, Out-of-Bounds)
  - -(g) Good (Nonfaulty, OK)

- Agreement: All nonfaulty receivers agree on the value ascribed to the transmitter.
- Validity: If receiver q is nonfaulty, the value it ascribes to the transmitter is
  - The correct value if the transmitter is nonfaulty.
  - The value actually sent to all receivers if the transmitter is symmetric-faulty.
  - The distinguished value E if the transmitter is manifest-faulty.

Allied Signal's Algorithm Z (Thambidurai and Park 1988)

13

• Like OM

• When Manifestly Bad Value Received, Record E

15

• Lieutenants Pass on E When Receive E

• Ignore E in majority vote

14

#### Algorithm Z: Flawed

- n = 5, r = 1, the Commander has a Crash Fault, one Lieutenant is a Traitor
- Good Lieutenants will believe whatever they receive from the Traitor: Protocol Fails
- MAFT Implementation Correct



#### **Importance of Validation**

- Lincoln & Rushby Specified Incorrect Algorithm
- Like Z, But Lieutenants Pass on RE "Reported Error"
- With Incorrect Axiom "Hybrid\_Majority\_Vote\_1"
  - "Ignore Votes of Crashed Processors"
  - 1-Round Case: OK
  - 2-Round Case: Impossible
  - Should Have Been: "Ignore E Values"
- With Axiom, "Verified" Incorrect Algorithm
- Should Validate Axioms With Implementation

#### Algorithm OMH (Lincoln & Rushby '93)

- Like OM, but
- Add m + 1 kinds of error value: E, RE, R<sup>2</sup>E etc.
- If receive  $\mathbf{R}^{i}\mathbf{E}$ , pass on as  $\mathbf{R}^{i+1}\mathbf{E}$
- Ignore E in majority vote
- If vote yields  $\mathbf{R}^{j}\mathbf{E}$ , selected value is  $\mathbf{R}^{j-1}\mathbf{E}$
- Formally Specified and Verified in PVS (Lincoln & Rushby '93) Validated Axioms With MJRTY Implementation

Doubt Anyone Could Get This Right Without Formal Verification

Algorithm OMH

17

n = 5, r = 1



#### Algorithm OMH

18

• If  $r \ge a$ , then OMH(r) Tolerates

n > 2a + 2s + c + r

If r = a, and s = c = 0, Then n > 3a(Same as Traditional Bound)

- (a) Arbitrary (Byzantine, Asymmetric)
- (s) Symmetric (Value, Stuck-At)
- (c) Crash (Manifest, Stopped, Out-of-Bounds)

20

• (g) Good (Nonfaulty, OK)

#### Fault Combinations Tolerated

|     | Nu                       | mber of Fau          | lts                 |
|-----|--------------------------|----------------------|---------------------|
| 0)( | Arbitrary<br>(byzantine) | Symmetric<br>(value) | Crash<br>(manifest) |
| ом  | 1                        | 0                    | 0                   |
|     | 0                        | 1                    | 0                   |
|     | 0                        | 0                    | 1                   |

|     | Number of Faults         |                      |                     |  |  |
|-----|--------------------------|----------------------|---------------------|--|--|
| омн | Arbitrary<br>(byzantine) | Symmetric<br>(value) | Crash<br>(manifest) |  |  |
|     | 1                        | I                    | 0                   |  |  |
|     | 1                        | 0                    | 2                   |  |  |
|     | 0                        | 2                    | 0                   |  |  |
|     | 0                        | 1                    | 2                   |  |  |
|     | 0                        | 0                    | 5                   |  |  |

#### Achieved Reliability: 6 Processor OMH

- McElvany-Hugue's Reliability Analysis
- Reliability Goal: 10<sup>-9</sup> System Failures/Hour

- 6 Processor OM:  $1.5 \times 10^{-7}$ 

- 6 Processor OMH:  $1.5 \times 10^{-11}$ 

21

#### Formal Specification of OMH in PVS

 $omh[m:nat, n:posnat, T:TYPE, error:T, R, UnR:[T \rightarrow T]]:THEORY$ REGIN BEGIN assuming  $bct_{ax}$ : assumption ( $\forall$  (t : T) : R(t)  $\neq$  erfor)  $ubact_{ax}$ : assumption ( $\forall$  (t : T) : UbR(R(t)) = t) ENDASSUMING ENDASSIMING rounds: TYPE = upto[m]t: var Tfcu: type = below[n]fcuset: type = setof[cu]fcuset: type = setof[cu]fcuvector: type = [fcu - T]G, p, q, :: var fcuv, v1, v2 : VAR fcuvector caucus : VAR fcuset r : VAR rounds IMPORTING finite\_cardinality [fcu, s, identity [fcu]], filters[fcu], card\_set[fcu, n, identity[fcu]],  $hybrid_mirty[T, n, error]$ statuses : TYPE = {arbitrary, symmetric, manifest, nonfaulty} statuse: ITYPE = {arbitrary,symme status: [fcu -> statuses] a(z): bool = arbitrary(status(z)) a(z): bool = symmetric(status(z)) a(z): bool = manifest(status(z)) g(z): bool = manifest(status(z)) as(caucus): fcuset = filter(caucus, a) ss(caucus): fcuset = filter(caucus, a) cs(caucus): fcuset = filter(caucus, a) cs(caucus): fcuset = filter(caucus, a) gs(caucus): fcuset = filter(caucus, g) fincard\_all : LEMMA |caucus| = |as(caucus)| + |ss(caucus)| + |cs(caucus)| + |gs(caucus)| $HMajority(caucus, v): T = proj l(hybrid_njrty(caucus, v, n))$ HMajorityl : LEMMA 

```
OMH(G, \tau, t, cancus) : RECURSIVE forvector =
     IF r = 0
THEN (\lambda p: \text{ send}(t, G, p))
    THEN (\lambda p: vp = G)

ELSE (\lambda p: vp = G)

THEN send(t, G, p)

ELSE UnR(H.Majority(cancus - {G}, (\lambda q: OMH(q, r-1, R(send(t, G, q)), caucus - {G})(p))))
   MEASURE (\lambda G, r, t, caucus \rightarrow mat : r)
 Validity_Prop(r) : bool =
 \begin{array}{l} & \neg (q) \land p \in (ancus \land q \in (ancus) \\ \land (aatcus) > 2 \times (|as(cancus)| + |ss(cancus)|) + |cs(cancus)| + r \\ \supset OMH(q,r,t,cancus)(p) = send(t,q,p) \end{array}
 Validity : LEMMA Validity_Prop(r)
 Validity_Final : TREOREM
  \begin{array}{l} g(p) \wedge \neg a(G) \wedge 2 \times |a| + 2 \times |s| + |c| + m < n \\ \supset \text{OMH}(G, r, t, \text{fallset}[\text{fca}])(p) = \text{send}(t, G, p) \end{array}
 Agreement_Prop(\tau) : bool =
  \begin{array}{l} & \left| g(p) \land g(q) \land p \in caucus \land q \in caucus \land z \in caucus \\ \land |caucus| > 2 \times (|as(caucus)| + |ss(caucus)|) + |cs(caucus)| + r \end{array} \right|
              > ias(caucus)i
   \supset OMH(z, r, t, caucus)(p) = OMH(z, r, t, caucus)(q)
 Agreement : LEMMA Agreement_Prop(r)
Agreement Final : THEOREM

g(p) \land g(q) \land |a| \le m \land 2 \times |a| + 2 \times |a| + |c| + m < n

\supset OMH(G, m, t, fullset[fcz])(p) = OMH(G, m, t, fullset[fcz])(q)

END OID
```

24

- -

#### Axioms (Assumptions)

| send1 : | AXIOM $g(p)$ | С         | $\operatorname{send}(t,p,q)$   | = | t                            |
|---------|--------------|-----------|--------------------------------|---|------------------------------|
| send2:  | AXIOM $c(p)$ | $\supset$ | $\operatorname{send}(t,p,q)$   | Ξ | error                        |
| send3:  | AXIOM $s(p)$ | С         | $\operatorname{send}(t, p, q)$ | = | $\operatorname{send}(t,p,z)$ |

send\_lemma : LEMMA  $\neg a(p) \supset send(t, p, q) = send(t, p, z)$ 

#### Theorem 1

Validity\_Final : THEOREM  $(g(p) \land \neg a(G)$   $\land 2 \times |a| + 2 \times |s| + |c| + r < n)$  $mbox \supset OMH(G, r, t, fullset[fcu])(p) = send(t, G, p)$ 

Algorithm  $OMH(\tau)$  satisfies Validity if there are more than  $2(a + s) + c + \tau$  processors.

Validity: If The Commander Is not Byzantine-Faulty, The Value Received By Nonfaulty Lieutenants Is The Value Actually Sent

25

Style of Proof Bevier & Young, Rushby, Shankar

- Inductive Property Definition
- Induction Property Assertion (Lemma)
- Theorem in Final Form

 $\begin{array}{l} \text{Validity}\_\operatorname{Prop}(r): \text{bool} = \\ \neg \ a(q) \ \land \ p \in \text{caucus} \ \land \ q \in \text{caucus} \\ \land \ |\text{caucus}| \ > \ 2 \ \times \ (|\text{as}(\text{caucus})| \ + \ |\text{ss}(\text{caucus})|) \\ + \ |\text{cs}(\text{caucus})| \ + \ r \\ \supset \ \text{OMH}(q, r, t, \text{caucus})(p) \ = \ \text{send}(t, q, p) \end{array}$ 

Validity : LEMMA Validity\_Prop(r)

Validity\_Final : THEOREM  $(g(p) \land \neg a(G)$   $\land 2 \times |a| + 2 \times |s| + |c| + r < n)$  $\supset \text{OMH}(G, r, t, \text{fullset}[\text{fcu}])(p) = \text{send}(t, G, p)$ 

#### While ReRunning Proof, We Noticed

26

Lemma If c = 0 (No Crash Faults), OMH  $\approx$  OM

OM Is Better Than Earlier Claimed:

Corollary 1 For any r, Algorithm OM(r) satisfies Validity if there are more than 2(a + s) + r processors.

Corollary 2 For any r, Algorithm OM(r) satisfies Agreement if there are more than 2(a+s)+r processors and  $r \ge a$ .

OMH = OM + Diagnosis of Manifest Faults

#### More Corollaries

More Theorems Derived from our New Improved Understanding

Corollary 3: No Good Processors Are Confused By Crash Faults: If a = s = 0 (No Byzantine, No Symmetric Faults), OMH is optimal.

Corollary 4: Error Values (RE,  $\mathbb{R}^2 \mathbb{E}, \cdots$ ) Can Overlap With Real Values.

**Corollary 5:** (Slightly Modified) OMH(r) Allows Implementations With Only r + 1 Error Values.

30

FTP Architecture

29



31

#### Algorithm OM-FTP

#### • Lala 1986

- Similar to one-round OM with symmetric voters
- Formally specified in EHDM (Harper, Alger, & Lala '91) No proofs
- Formally specified in PVS (Lincoln & Rushby '94) Full formal proofs completed in PVS Couple of days

**FTP** Architecture

- Less Total Hardware
- Only need 3 voters to mask 1 Byzantine fault (!)
- Technology used in AIPS, FTTP, etc.

#### Hybrid Faults in FTP

- Integrate OMH and OM-FTP
- Resist more (simple) faults with less hardware

#### Algorithm OMH-FTP (Lincoln & Rushby 1994)

- Combine OMH and OM-FTP
- Voters pass on E as RE
- Interstages pass on E as E
- Voters use value reflected from interstage, NOT original value

33

#### Formal Verification in PVS

- Proof Reuse
- Copy-and-Edit Proof of OM-FTP
- Grab parts of Proof of OMH
- M-x Edit Proof
- Rerunning Edited Proofs
- Couple of Days Effort

#### Copy-and-Edit a Proof

36

- Emacs Interface to Edit Proof Commands
- Kill and Yank
- Mix-And-Match Partial Proofs
- Rerun Until Proof Fails

#### Authenticated Agreement

- Use Cryptographically Secure Signatures
- Can Tolerate Many More Faults

However

- Questionable Cryptographic Assumptions (Key Distribution, Complexity Questions)
- Traitor May Simply GUESS Generals Key Possible, Though Very Unlikely

#### Agreement Using Signed Messages (SM) (Lamport, Shostak, & Pease 1982)

- r + 1 Rounds Of Message Exchange
- If 1 Properly Signed Message At End, Adopt It Else General Is Faulty, Adopt Default
- Requires Only  $n \ge r$  For Agreement and Validity (Best Possible Bound)
- If Signatures Broken, Protocol Fails Horribly One Traitor with Key breaks Agreement and Validity for Any Number of Rounds, Any Number of Processors

37

Use Signatures In OMH (OMHA) (Gong, Lincoln, Rushby 1995)

- Same as OMH, But at Every Step Check Signatures
- Symmetric, Arbitrary Lieutenants  $\Rightarrow$  Manifest
- Except: Bad Lieutenants Could Send R(E)
- Worst Case With Secure Signatures Same As OMH (Worse Than SM)
- If Signatures Broken, Same Tolerance as OMH (Much Better Than SM)

39

It Would Be Nice to Disallow R(E)

#### 38

#### Algorithm OMHA: Signatures Secure



## Algorithm OMHA: Broken Signatures

- n = 5, r = 1, the Commander has a Crash Fault, one Lieutenant is a Traitor with Crypto Key
- Good Lieutenants Not Fooled: Protocol Succeeds



## Use Signatures In Z (ZA) (Gong, Lincoln, Rushby 1995)

- Same as Z, But at Every Step Check Signatures
- Symmetric, Arbitrary Lieutenants  $\Rightarrow$  Manifest
- Bad Lieutenants Cannot Send  $\mathbf{R}(\mathbf{E})$
- With Secure Signatures, ZA is Optimal (Same as SM, Better than OMH)
- If Signatures Broken, Same Tolerance as Z (Better Than SM, Worse Than OMH)

Algorithm ZA: Broken Signatures

- n = 5, r = 1, the Commander has a Crash Fault, one Lieutenant is a Traitor with Crypto Key
- Good Lieutenants will believe whatever they receive from the Traitor: Protocol Fails



Symbolic Fault Injection (Gong, Lincoln, Rushby 1995)

42

- Using Dill's Mur Tool (Stanford)
- Specified OM, OMH, OMHA, SM, Z, ZA
- Complete, Exhaustive State Exploration 5 Processors, 4 Values

44

• All Above Bounds Correct Rediscovered Flaw in Z

## Symbolic Fault Injection: Beyond The Worst Case Bound

> 20,000 Fault Configurations (Most Beyond Above Bounds)

## **Clock Synchronization**

- All Above Protocols Require Synchronization
- Byzantine Processors May Lie About Clock Value
- Assume Bounded Clock Drift For Good Clocks
- Goal: Maintain Bounded Clock Skew Within  $\delta$

Interactive Convergence Algorithm: ICA (Lamport & Melliar-Smith '85)

45

• Broadcast Current Clock Value

• Compute Egocentric Mean

- Ignore Values Too Far Off

n > 3a

- Algorithm Correct
- All But One Lemma Incorrect
- Proof of Main Theorem Incorrect
- Corrected Versions Formally Verified in EHDM (Rushby & VonHenke 93) Couple of Months Effort
- Young Formally Verified in NQTHM Noted Perfect Clocks Excluded By Rushby
   < should be ≤ in Axiom</li>

47

Other Clock Synchronization Algorithms

46

- Fred Schneider's General Treatment
- Natarajan Shankar Formally Specified and Verified in EHDM Corrected Several Small Flaws
- Verified That ICA Satisfies Corrected Properties
- Paul Miner Found Better, Weaker Assumption Set Example Lundelius-Lynch Algorithm

## Hybrid Interactive Convergence: ICAH (Rushby 94)

• Ignore E Values In Egocentric Mean

n > 3a + 2s + c

- Extend Hybrid Fault Model to Link Faults:
  - Model Links Separate From Processors
  - Links Only Introduce Manifestly Bad Values
  - Two Links Between Each Pair
  - (In, Out)
  - Asymmetric: Good or Manifest Value
    - n > 3a + 2s + c + l
- Formally Specified and Verified in EHDM (Rushby 94) Couple of Days Effort

## Diagnosis

• Key Part of FDIR: Detection, Identification, and Reconfiguration

### • Off-Line: After/Between Missions

- Requires Record Keeping/Testing Harnesses
- Few Additional Mechanisms In-Flight
- May Miss Intermittent Faults
- Use Test Injection Sequences
- On-Line: During Mission
  - Requires Additional Safety-Critical Mechanisms
  - Consumes Mission Resources
  - Survives More Faults During Mission

Benefits of On-Line Diagnosis

49

OMH Masks Crashes Already: Why Diagnose?

- Diagnose ALL Symmetric Faults Greater Reliability
- Diagnose SOME Byzantine Faults Greater Reliability
- Manifest Faults May Become Worse
- Stop Progression: Manifest ⇒ Symmetric ⇒ Byzantine
- Restart Crashed Processor

## **On-Line Diagnosis**

50

- Easy Without Byzantine Faults
- All Faults Are Symmetric Private Accusations Correct
- Impossible To Perfectly Diagnose Byzantine Faults

## **Desirable Properties**

Correctness (Fairness, Soundness): Every Processor Diagnosed Faulty IS Faulty

Completeness:

Every Faulty Processor is Diagnosed Faulty

## **On-Line Byzantine Diagnosis**

- PMC, Comparison Testing Inappropriate
- Shin & Ramanathan '87 (Requires Authentication)
- Ramarao & Adams '88 (Optimal, NP-hard) Extreme Cost
- Walter '90, Walter, Suri & Hugue '94: Spectrum of Algorithms PP, PLP, DD, HD

53

## Algorithm PP: Walter '90

55

- Assume Symmetric Faults
- Correctness and Completeness
- Formally Specified and Verified in PVS (Lincoln 95) Couple Weeks Effort

54

## Algorithm PP

- Monitor All Incoming Messages
- For Incorrect Messages, Record Accusation
- At End of Period, Broadcast Accusations
- If  $\geq \lceil N/2 \rceil$  Accusations, Declare Faulty - Accuse All Non-Accusing Processors
- If < [N/2] Accusations, Declare NonFaulty - Accuse All Accusing Processors

56

• Iterate

## Algorithm PLP: Walter '90

- PP with Link Faults
- Correctness and Partial Completeness
- Formally Specified and Verified in PVS (Lincoln 95)
- Heavy Reuse of Lemmas/Proofs from PP Couple Days Effort

## Algorithm PLP

## • Like PP

- Except, two kinds of Error: Symmetric/Asymmetric
- Based on Kind of Erroneous Message
- Asymmetric Errors Assumed to Be Manifest as Asymmetric-Looking Values

57

## Algorithm DD: Walter, Suri, & Hugue '94

- True Byzantine Fault Diagnosis
  - Local Detection
  - Byzantine Agreement on Detection: OMH
  - Combine into Diagnosis
- Correctness and Partial Completeness
- Formally Specified and Verified in PVS (Lincoln 95)
- Heavy Reuse of Lemmas/Proofs from OMH & PLP Couple Hours Effort

## Algorithm DD

58

- Monitor All Incoming Messages
- For Incorrect Messages, Record Accusation
- Use OMH to Agree on Accusations
- If  $\geq \lceil N/2 \rceil$  Accusations, Declare Faulty
- If  $< \lceil N/2 \rceil$  Accusations, Declare NonFaulty

60

• Iterate

## Algorithm HD: Walter, Suri, & Hugue '90

- True Byzantine Fault Diagnosis
- DD with Penalties, Accumulation, Decay
- Correctness and Partial Completeness
- Formally Specified and Verified in PVS (Special Case) (Lincoln 95)
- Heavy Reuse of Lemmas/Proofs From DD Couple Hours Effort

## Algorithm HD

- Like DD
- Except, Different Penalty Weights for Different Errors
- Decay of Accusations
- Cumulative Penalty > K, Declare Faulty

62

## **Benefits of Formal Verification**

61

- Identify Exact Assumptions
- Explore Alternatives
- Extremely High Assurance - Diagnosis Is Safety-Critical
- Documentation

## **Important Properties of User**

64

- Mathematical Sophistication
- Application-Area Knowledge
- Experience

208

## **Important Properties of Proof Checker**

- Cite Previous Lemmas and Theorems
- Library Mechanism
- Reuse Parts of Proofs
- Fast Cycle Time (Human-Computer-Human)
- Understandable Output in the Loop
- Heavy Controllable Automation (Rewriting, Decision Procedures)
- Exploration Tools (Mur $\phi$ )

## **Bottom Line**

Exploration of Algorithms, Assumptions

- Assurance: Formal Verification
- Little Hardware: FTP
- Cheap Reliability: Hybrid Algorithms
  - Byzantine Case Ensures Coverage
  - Simple Cases Handled Cheaper
  - More Reliability With Same Hardware

66

- Widely Applicable Paradigm Clocks, Agreement, Diagnosis

"The virtue of a logical proof is not that it compels belief but that it suggests doubts" (Lakatos)

65

## Summary

- Good Hybrid Fault-Tolerant Algorithms
- Informal Proofs are Unreliable
- Real Theorem Proving Still Expensive
- Interesting Examples Now Feasible
- Human-Computer Interaction A Key Element
- Proof Reuse Lowers Cost of Formal Verification

(-3,

## N96- 10035

59519 P. 6

## **MODEL CHECKING**

David L. Dill

## Stanford University

Formal methods have not had the kind of impact we might have hoped. I suggest that the reason is economic: the cost/benefit ratio is unacceptable in many cases, and unproven in most. Hence, research should examine the question of reducing costs, in the form of labor and time.

Automatic formal verification methods for finite-state systems, also known as model-checking, successfully reduce labor costs since they are mostly automatic. Model checkers explicitly or implicitly enumerate the reachable state space of a system, whose behavior is described implicitly, perhaps by a program or a collection of finite automata. Simple properties, such as mutual exclusion or absence of deadlock, can be checked by inspecting individual states. More complex properties, such as lack of starvation, require search for cycles in the state graph with particular properties.

Specifications to be checked may consist of built-in properties, such as deadlock or "unspecified receptions" of messages, another program or implicit description, to be compared with a simulation, bisimulation, or language inclusion relation, or an assertion in one of several temporal logics.

Finite-state verification tools are beginning to have a significant impact in commercial designs. There are many success stories of verification tools finding bugs in protocols or hardware controllers. In some cases, these tools have been incorporated into design methodology.

Research in finite-state verification has been advancing rapidly, and is showing no signs of slowing down. Recent results include probabilistic algorithms for verification, exploitation of symmetry and independent events, and the use symbolic representations for Boolean functions and systems of linear inequalities.

One of the most exciting areas for further research is the combination of model-checking with theorem-proving methods. I will briefly describe some initial forays into this area.

PRECEDING PAGE KLANK NOT FRIMED

PAGE \$10 INTENTIONALLY BLANK

|   | ξ | 5 |
|---|---|---|
|   | 2 |   |
|   | 5 | 2 |
|   | C | 3 |
|   | 0 | D |
|   | 2 | - |
| 1 | C | ) |
|   | - |   |
|   | 9 | 2 |
|   | 3 | 2 |
|   | - | 2 |
|   | 2 | 2 |
|   |   |   |

David L. Dill Computer Systems Laboratory Stanford University

Why isn't formal verification used routinely?

- Engineers don't know enough math/logic
- People aren't properly trained
- Bad notation and user interfaces
- -
- Inertia design methodologies are not easily changed
- Managers don't require it
- Blind stupidity

## The main reason

## Economics!

- In most cases, cost vs. benefit is unfavorable, or unproven.
- "Conventional" methods are extremely labor-intensive.
- Furthermore, the labor must be highly skilled.
- In many cases, use of formal methods would delay completion of the design.

Design time is often crucial for safety- and life-critical applications.

Most designs are "time-to-market" critical (e.g. cost of delay for an microprocessor release \$10 million/week).

# Model checking (finite-state methods)

Most NASA work focusses on very general theorem-proving methods. Alternative: Use less general, but more automatic, methods. In the finite-state domain, most verification problems become decidable. Verification can be done automatically by implicit or explicit state enumeration.

N

| Tradeoffs                     | Advantages of model-checking over theorem-proving:                      | <ul> <li>Highly automated</li> <li>Excellent at diagnosing design errors</li> </ul> | Disadvantages of finite-state methods: | <ul> <li>Computational complexity</li> </ul> | Abrupt failure when problem grows         | Limited expressiveness                                                      | In reality, model-checking and theorem-proving are complementary tech-<br>niques.           | Explicit state search      | Behavioral description of the system must give <i>start states</i> , and a <i>next-state generator</i> , which maps a state to a set of next states. | Generators can be derived from almost any reasonable operational de-<br>scription.                               | Basic search procedure maintains | <ul> <li>a queue of states to be searched</li> </ul> | <ul> <li>a table of states already searched</li> </ul> | 2 |
|-------------------------------|-------------------------------------------------------------------------|-------------------------------------------------------------------------------------|----------------------------------------|----------------------------------------------|-------------------------------------------|-----------------------------------------------------------------------------|---------------------------------------------------------------------------------------------|----------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------|----------------------------------|------------------------------------------------------|--------------------------------------------------------|---|
| Model-checking — applications | Finite-state methods have been applied successfully in several domains: | <ul> <li>Protocols (communication, network, cache coherence)</li> </ul>             | Hardware state machine comparison      | Hardware controllers                         | <ul> <li>Asynchronous circuits</li> </ul> | There are many success stories about using finite-state verification tools. | In some cases, they have been incorporated into commercial product de-<br>sign methodology. | Explicit state enumeration | Basic idea: Generate reachable states "on-the-fly," searching for "bad" states.                                                                      | "bad states" could be <i>deadlock</i> , or could violate a <i>per-state property</i> (e.g.<br>mutual-exclusion). |                                  |                                                      |                                                        | 6 |

## While queue is not empty, remove a state s from it. Let Q be the set of next states of s. For each $s' \in Q$ If s' is not in the state table If it is bad, report error and halt else enter s' in table and insert in the queue.

It is important to stop when error occurs (to avoid generating all states).

When an error occurs, a "counterexample" (path from start state to bad state) can be printed.

Search can be in any order, although breadth-first gives the shortest counterexamples. æ

თ

# State explosion problem

Of course, a small behavioral description may give rise a large state space.

This is known as the "state explosion problem." It is the central problem in finite-state verification.

Most problems are at least PSPACE-complete, so a general worst-case solution is probably not available.

There are many methods that have been used to extend the practical boundaries of this method.

## Specifications

- Fixed properties (e.g. deadlock, "unspecified reception")
- Comparison with another description (simulation, bisimulation, language inclusion)
- Temporal logic model checking (especially CTL)

## Simple methods

- Omit irrelevant implementation details
- Reduce size of system ("down scaling")
- Focus on finding bugs, not proving correctness
- Use modular/compositional verification

| BDD-based verification | <ul> <li>BDD-based verification has been so successful that it deserves special attention.</li> <li>A BDD is a data structure for representing Boolean functions.</li> <li>Every state is represented as a bit-vector</li> <li>Every state is represented as a bit-vector</li> <li>State is in set iff Boolean function is true.</li> <li>Breadth-first search can be done using BDD operations.</li> <li>Sometimes, astronomically large state spaces can be checked with BDDs (Clarke: 10<sup>1300</sup> states).</li> <li>Sometimes, BDD-based verifiers are worse than explicit methods.</li> </ul> | Future directions         Future directions         There are many exciting research topics in this area:         • New ideas for avoiding the state explosion         • New ideas for avoiding the state explosion         • Alternative symbolic representations         • Verification of real-time and hybrid systems.         • Methods supporting abstraction and refinement         • Extension to infinite-state systems.    | ~ |
|------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---|
| Advanced methods       | A number of sophisticated techniques for coping with the state explosion<br>have emerged in the last few years.<br><i>Hash compaction</i> — Verify probabilistically by storing a certificate for each<br>state (down to 1 bit), to minimize table size.<br><i>Partial-order methods</i> — Exploit independent events to reduce number of<br>interleavings that must be modelled.<br><i>Symmetry reduction</i> — Avoid redundancy from symmetry in the system.<br><i>Symbolic state exploration</i> — Represent state space symbolically (using<br>Boolean functions, linear inequalities).             | <b>Verification systems based on state enumeration have been around at least since 1981.</b><br>Some existing systems: SPIN (Holzmann et al. AT&T), COSPAN (Kurshan et al., AT&T), Mur¢ (Dill, et al. Stanford), SMV (Clarke and McMillan, Carnegie-Mellon U.)<br>There are many success stories of using these systems to verify parts of protocols and hardware designs.<br>All of these systems are currently in use in industry. | £ |

| Model checking + theorem proving | In some cases, tools can be complementary.<br>Example: We described the Sparc International's multiprocessor memory<br>consistency models in Mur <i>φ</i> .<br>Mur <i>φ</i> model can be used to verify synchronization routines.<br>PVS used to verify consistency with a logical specification of the same<br>memory model.                                                                                                                                                                                                                                                                                                                  | 17 | Conclusions | Economics are crucial.                                                                           | <ul> <li>Use of verification for finding bugs may be more important than correct-<br/>ness proofs.</li> </ul> | <ul> <li>Formal verification based on finite-state techniques is already success-<br/>ful, and is improving rapidly.</li> </ul> | <ul> <li>Combining model-checking and theorem-proving may lead to necessary<br/>breakthroughs in verification productivity.</li> </ul>                                                                                                                  |                                                                       |
|----------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----|-------------|--------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------|
| Model checking + theorem proving | One of the most exciting research areas is finding ways to combine finite-<br>state and theorem-proving methods.<br>A simple idea is to use model-checking first to debug the problem and verify<br>for small systems, then use theorem-proving for the general case.<br>Example: We described and verified a <i>distributed list protocol</i> (central part<br>of a multiprocessor cache consistency algorithm) in Mur <i>\u03e6</i> for 3 processes.<br>This helped us to debug the protocol <i>and verification conditions</i> .<br>Automatically translated Mur <i>\u03e6</i> program to PVS, and verified for <i>n</i> process<br>in PVS. | 9  | Integration | More ambitiously, finite-state methods can be incorporated into a theorem-<br>proving framework. | Practical use of model-checkers already requires reasoning outside of the finite-state domain.                | This reasoning can be a source of errors and omissions, and should be formalized.                                               | Example: A $\mu$ -calculus model checker has been embedded in PVS.<br>When a user generates a lemma in $\mu$ -calculus, the model-checker can be<br>called to check it automatically, much more efficiently than general decision<br>procedures of PVS. | There are many opportunities for developing new reduction strategies. |

## Session 10: Research Issues (3)

**Ricky W. Butler, Chair** 

\* The DDD Scheme Machine, by Steve Johnson, Indiana University

• Formal Development of a Clock Synchronization Circuit, by Paul Miner, NASA Langley Research Center

## N96-10036

59520

## THE SCHEME MACHINE:

## A CASE STUDY IN PROGRESS IN DESIGN DERIVATION AT SYSTEM LEVELS

## Steven D. Johnson

## Indiana University

The Scheme Machine is one of several design projects of the Digital Design Derivation group at Indiana University. It differs from the other projects in its focus on issues of system design and its connection to surrounding research in programming language semantics, compiler construction, and programming methodology underway at Indiana and elsewhere. The genesis of the project dates to the early 1980s, when digital design derivation research branched from the surrounding research effort in programming languages. Both branches have continued to develop in parallel, with this particular project serving as a bridge. However, by 1990 there remained little real interaction between the branches and recently we have undertaken to reintegrate them.

On the software side, researchers have refined a mathematically rigorous (but not mechanized) treatment starting with the fully abstract semantic definition of Scheme and resulting in an efficient implementation consisting of a compiler and virtual machine model, the latter typically realized with a general purpose microprocessor. The derivation includes a number of sophisticated factorizations and representations and is also deep example of the underlying engineering methodology.

The hardware research has created a mechanized algebra supporting the tedious and massive transformations often seen at lower levels of design. This work has progressed to the point that large scale devices, such as processors, can be derived from first-order finite state machine specifications. This is roughly where the language oriented research stops; thus, together, the two efforts establish a thread from the highest levels of abstract specification to detailed digital implementation.

The Scheme Machine project challenges hardware derivation research in several ways, although the individual components of the system are of a similar scale to those we have worked with before. The machine has a custom dual-ported memory to support garbage collection. It consists of four tightly coupled processes---processor, collector, allocator, memory---with a very non-trivial synchronization relationship. Finally, there are deep issues of representation for the run-time objects of a symbolic processing language.

The research centers on verification through integrated formal reasoning systems, but is also involved with modeling and prototyping environments. Since the derivation algebra is based on an executable modeling language, there is opportunity to incorporate design animation in the design process. We are looking for ways to move smoothly and incrementally from executable specifications into hardware realization. For example, we can run the garbage collector specification, a Scheme program, directly against the physical memory prototype, and similarly, the instruction processor model against the heap implementation.

PRECEDING PAGE BLANK NOT FILMED

NTENTIONALLY DESIGN



Steven D. Johnson DDD Project, Hardware Methods Laboratory Computer Science Department Indiana University sjohnson@cs.indiana.edu
http://www.cs.indiana.edu/hmg/hmg.html

# Thanks: NSF/MIP92 08745, NASA / NGT-50861

## Outline

- The Scheme Machine Prototype
- Context, Motivation, and Goals of the Research
  - Components of the Scheme Machine
- Issues in Verification
- Incremental Construction of Hardware
- Summary and Status





Emulator in Actel FPGAs, PLDs and standard DRAM simms.



| <ul> <li>Context of the Research</li> <li>1982 M. Wand, Semutics-directed machine architecture (TOPL-92)</li> <li>1983 S.D. Johnson, Synthesis of Digital Designs from Recursion Equations, Ch. 5 (FDM dissertation)</li> <li>1984 W. Clinger, The Scheme 311 Compiler (L&amp;FP 84)</li> <li>1987 S.D. Johnson, et al. A Tactical Framework for Digital Design (WG10.2 FM/VLSI).</li> <li>1988 R. Wehrmeister, Derivation of an SECD Machine (IU/CS TR WG10.2 FM/VLSI).</li> <li>1999 D. Bayer and K. Rath derive boolean system for a Scheme machine.</li> <li>1990 D. Bayer and K. Rath derive boolean system for a Scheme machine.</li> <li>1991 D. Bayer and K. Rath derive boolean system for a Scheme machine.</li> <li>1992 D. Bayer and K. Rath derive boolean system for a Scheme machine.</li> <li>1992 D. Bayer and K. Rath derive boolean system for a Scheme machine.</li> <li>1993 D. Buyer, The Scheme Andrine (IU/CS TR #413).</li> <li>1993 B. Burger, The Scheme (IU/CS TR #413).</li> <li>1994 D. Mand, J. Guttman, J. Ramsdell, et al. VLISP: A Verified Implementation of Scheme (J. Lisp and Symbolic Computation).</li> <li>1994 D. Scheme Machine Project</li> </ul> | Complete Heap Model<br>Machine Model<br>Memory Cannage Collector |
|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------|
|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------|

Π

Scheme Machine Memory: 2 × 4 × 1, 000, 000 bytes Design Size: 20,000 gates (?) Speed: 2 MHz+ ( or 1.25 × DRAM)

-

Γ

.

-----



# **Digital Design Derivation Project**





# Scheme Machine Architecture



# **Components of the Scheme Machine**



 manual design, unverified (one bug so far) Dual-ported semispaces, multiplexed bus
 typical case: 2 opns. per 1.25 cycles
 refresh inhibits clock



 synchronization with CPU not verified
 algorithm not verified (VLISP?) collector, allocator, invalidator
 derived from XFSM.



**Issues in Verification** 



Higher level behavior specification

- Memory model
- Process synchronization
- Data abstraction hierarchy Multiple views



Incremental Construction of Hardware



# Incremental Construction of Hardware

- The software specification of the processor runs directly against both the software specification of the heap and (with functional test points exposed) the hardware prototype.
- The software specification of the processor, allocator, and collector, run directly against both the modeling environment's heap image and the hardware realization.
- We are seeking to develop an environment where modeling, simulation, emulation, and realization are closely integrated with verification.
- We are seeking to integrate multiple reasoning tools to apply to the verification problem.

## Summary and Status

- Design derivation extends and adapts programming methodology to hardware targets
- Language implementation, Scheme in this case, is a standard example,
- exposes hard (higher order) modeling issues
- a form of closure/completeness (Scheme Machine derivation & emulation could be run on the Scheme Machine).
- the Scheme Machine system specification exposes new verification problems in process coordination, algorithmic correctness, ....
  - the design environment explores the gap between modeling and implementation.
- components of the Scheme Machine, or their variations are viable products.

511-33 N96-10037

/

## Formal Development of a Clock Synchronization Circuit

Paul S. Miner

This talk presents the latest stage in a formal development of a fault-tolerant clock synchronization circuit. The development spans from a high level specification of the required properties to a circuit realizing the core function of the system.

An abstract description of an algorithm has been verified to satisfy the high-level properties using the mechanical verification system EHDM [2]. This abstract description is recast as a behavioral specification input to the Digital Design Derivation system (DDD) developed at Indiana University [1]. DDD provides a formal design algebra for developing correct digital hardware. Using DDD as the principle design environment, a core circuit implementing the clock synchronization algorithm was developed [3]. The design process consisted of standard DDD transformations augmented with an ad hoc refinement justified using the Prototype Verification System (PVS) from SRI International [4].

Subsequent to the above development, Wilfredo Torres-Pomales discovered an area-efficient realization of the same function [5]. Establishing correctness of this optimization requires reasoning in arithmetic, so a general verification is outside the domain of both DDD transformations and model-checking techniques.

DDD represents digital hardware by systems of mutually recursive stream equations. A collection of PVS theories was developed to aid in reasoning about DDD-style streams. These theories include a combinator for defining streams that satisfy stream equations, and a means for proving stream equivalence by exhibiting a stream bisimulation.

DDD was used to isolate the sub-system involved in Torres-Pomales' optimization. The equivalence between the original design and the optimized verified was verified in PVS by exhibiting a suitable bisimulation. The verification depended upon type constraints on the input streams and made extensive use of the PVS type system. The dependent types in PVS provided a useful mechanism for defining an appropriate bisimulation.

## References

- Bhaskar Bose. DDD A Transformation System for Digital Design Derivation. Technical Report 331, Computer Science Dept. Indiana University, May 1991.
- [2] Paul S. Miner. Verification of fault-tolerant clock synchronization systems. Technical Paper 3349, NASA, Langley Research Center, Hampton, VA, November 1993.
- [3] Paul S. Miner, Shyamsundar Pullela, and Steven D. Johnson. Interaction of formal design systems in the development of a fault-tolerant clock synchronization circuit. In *Proceedings 13th Symposium on Reliable Distributed Systems*, pages 128-137, Dana Point, CA, October 1994.
- [4] Sam Owre, John Rushby, Natarajan Shankar, and Friedrich von Henke. Formal verification for faulttolerant architectures: Prolegomena to the design of PVS. IEEE Transactions on Software Engineering, 21(2):107-125, February 1995.
- [5] Wilfredo Torres-Pomales. An optimized implementation of a fault-tolerant clock synchronization circuit. Technical Memorandum 109176, NASA, Langley Research Center, Hampton, VA, February 1995.

## Outline

# Formal Development of a Fault-Tolerant Clock Synchronization Circuit

Paul S. Miner May 12, 1995

- Summary of Prior work
- Description of Torres-Pomales' Optimization
- Verification of Optimization
- Definition of Streams in PVS

  - Proof by Co-Induction

# **Prior Verification**

- Developed verified design of clock synchronization circuit using a combination of formal techniques.
- Mechanized Proof System (EHDM, PVS)
  - Digital Design Derivation
- OBDD-based tautology checking

Design Hierarchy-Old



| Informal Description of Algorithm | <ul> <li>Welch &amp; Lynch Algorithm</li> <li>System of N clocks designed to tolerate F arbitrary faults</li> <li>Completely connected network</li> <li>Each Clock periodically</li> <li>Gathers estimates of readings of all other clocks in the system</li> <li>Discards the F largest and F smallest readings</li> <li>Sets self to mid-point of the range of the remaining readings</li> </ul>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   | 7 | Intermediate Stage                        | <ul> <li>Circuit implements core function of algorithm <ul> <li>Network interconnect in different partition of design</li> <li>Independent of number of clocks in the system</li> <li>Independent of number of clocks in the system</li> </ul> </li> <li>This stage was reached via a combination of standard DDD transformations and an ad hoc refinement verified using PVS</li> </ul> |
|-----------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---|-------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Design Hierarchy—New              | Cost Browniedon Preparit<br>Cost Browniedon Preparit<br>Contra Browniedon<br>Contra Browniedon<br>Doto bechteaton<br>Doto bechteaton<br>Doto bechteaton<br>Doto bechteaton<br>Doto bechteaton<br>Annel Annolut<br>Doto bechteaton<br>Annel Annolut<br>Annel Annolut<br>Annel Annolut<br>Annel Annolut<br>Annel Annolut<br>Annolut<br>Annel Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Annolut<br>Ann |   | Intermediate Stage of Previous Derivation | strans<br>strans<br>strans<br>strans<br>strans<br>strans<br>strans                                                                                                                                                                                                                                                                                                                       |



Ξ

Streams in **PVS** 

AXIOMS

Stream\_eq: AXIOM  $X = Y \leq FORALL n: nth(X, n) = nth(Y, n)$ Stream\_cs\_eta: AXIOM cs(hd(S), tl(S)) = S Stream\_tl\_cs: AXIOM tl(cs(a, S)) = S Stream\_hd\_cs: AXIOM hd(cs(a, S)) = Stream\_inclusive: AXIOM cs?(S) END Stream\_adt

**Proof by Co-Induction** 

2

Stream\_coinduct[alpha: TYPE]: THEORY BEGIN

IMPORTING Stream\_adt

X, Y: VAR Stream[alpha]

R: VAR PRED[[Stream[alpha], Stream[alpha]]]

{R | FORALL X, Y: R(X, Y) = hd(X) = hd(Y) & R(tl(X), tl(Y))} Bisimulation: TYPE =

co\_induct: THEOREM (EXISTS (R: Bisimulation): R(X, Y)) => X = Y

END Stream\_coinduct

2

**Defining Streams** 

Stream\_corec[alpha, beta: TYPE]: THEORY IMPORTING Stream\_adt[beta] BEGIN

f: VAR [alpha -> beta] g: VAR [alpha -> alpha] a: VAR alpha corec(f, g, a): Stream[beta]

corec\_def: AXIOM corec(f, g, a) = cs(f(a), corec(f, g, g(a)))

[...]

END Stream\_corec

Ξ

**Stream Equations for Original Sub-Circuit** 

THETA-NF = cs(i, MUX(NF, RD, THETA-NF))THETA-F1 + THETA-NF THETA-F1 = cs(i, MUX(F1, RD, THETA-F1))2 CFN =9



| <b>PVS Definitions for Circuit Verification</b> | A, B, C, R: VAR Stream[bool]<br>a, b, c, r: VAR bool<br>I, J, K: VAR Stream[int]<br>i, j, k: VAR int      | THETA( $A, I, i$ ): Stream[int] %defined using corec | <pre>CFN(A, B, I, i, j): Stream[int] = DIV2(THETA(A, I, i) + THETA(B, I, j))</pre> | HOLD $(A, a)$ : Stream[bool] %defined using corec | CIN(A, B): Stream[bool] = A AND NOT B | OPT(A, C, I, i): Stream[int] %defined using corec | 8  | Type Declarations for Assumptions on Input<br>Signals | $S(R): \text{ TYPE} = \\ \{A \mid \text{Invariant(IF } R \\ \text{THEN NOT tl(A)} \\ \text{ELSE } A \Rightarrow \text{tl(A)} \\ \text{ENDIF} \}$                                 | C(R): TYPE =<br>{I   Invariant(NOT $R \Rightarrow Eq(tl(I), INC(I))$ } |
|-------------------------------------------------|-----------------------------------------------------------------------------------------------------------|------------------------------------------------------|------------------------------------------------------------------------------------|---------------------------------------------------|---------------------------------------|---------------------------------------------------|----|-------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------|
| Stream Equations for Optimized Sub-Circuit      | HOLD = $cs(false, F1 \& \neg HOLD)$<br>$cin = HOLD \& \neg NF$<br>OPT = cs(i, WUX(F1, RD, INC(OPT, CIN))) | FI CIN                                               |                                                                                    |                                                   |                                       | -                                                 | 13 | Recursive Stream Definitions                          | THETA $(A, I, i) = cs(i, MUX(A, I, THETA(A, I, i)))$<br>HOLD $(A, a) = cs(a, A \not k \rightarrow HOLD(A, a))$<br>OPT $(A, C, I, i) = cs(i, MUX(A, I, INC(OPT(A, C, I, i), C)))$ |                                                                        |

| Correctness Theorem Proof of Optimize_correct by co-induction | $\begin{array}{llllllllllllllllllllllllllllllllllll$                                                                       | 3 | Proof—B is a Bisimulation | Heads: For any $(X, Y) \in B$ , $hd(X) = hd(Y) = [(i + j)/2]$ .• Proof by co-induction effective technique for verifying circuit refinements.Tails: For any $(X, Y) \in B$ , show $(t1(X), t1(Y)) \in B$ .• Proof by co-induction effective technique for verifying circuit refinements.Tails: For any $(X, Y) \in B$ , show $(t1(X), t1(RD), t1(RD), t1(RD), t1(RD), t1(RD))$ .• Proof by co-induction effective technique for verifying circuit refinements.t1(CFN(F1, NF, RD, i, j))= CFN(t1(F1), t1(RF), t1(RD), t1(R | D(tl(F1), (hd(F1) $\land \neg b$ )),tl(NF)),<br>1) THEN ([ $(i + j)/2$ ]) + [ $b \land \neg$ hd(NF)]<br>(RD) |
|---------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------|---|---------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------|
| Correctness                                                   | Optimize_correct: THEOREM<br>W $R_i(RD : C(R)), (F1 : S(R))$<br>(NF : S(R) Invariant(NF)<br>CFN(F1,NF,RD, $i, i) = OPT(I)$ | 5 | Proof—B is a              | Heads: For any $(X, Y) \in B$ , $hd(X) = hd(Y)$<br>Tails: For any $(X, Y) \in B$ , show $(tl(X), tl(I)$<br>tl(CFN(F1, NF, RD, i, j))<br>= CFN(tl(F1), tl(NF), tl(RD),<br>IF hd(F1) THEN i ELSE hd<br>IF hd(NF) THEN j ELSE hd<br>tl(OPT(F1, CIN(HOLD(F1, b), NF), RD, [(i + LOPT(F1, CA))]                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | - ULICITION CINCLUCTION,<br>CINCHOLD(t1(F1),<br>t1(RD),<br>IF hd(F1) THEN ( <br>ELSE hd(RD)<br>ENDIF)        |

## Const 70 EnD

## **Appendix A:**

## List of Attendees

PRECEDING PAGE BLANK NOT FILMED

PAGE 237 INTENTIONALLY BLANK

## **ATTENDEE LIST**

## Third NASA Langley Formal Methods Workshop May 10-12, 1995

Abernethy, Ken Furman University Dept. of Computer Science Greenville, SC 29613 Email: aberneth@furman.edu Phone: 803-294-3219 Fax: 803-294-2058

Aboulhamid, El Mostapha Universite de Montreal, Dept. IRO C.P. 6128, Suc. Centre Ville Montreal, QC H3C3J7 Email: aboulham@iro.umontreal.ca Phone: 514-343-6822 Fax: 514-343-5834

Abraham, Jacob A. University of Texas at Austin Comp. Eng. Research Ctr. ENS 424, MC C8800 Austin, TX 78712 Email: jaa@cerc.utexas.edu Phone: 512-471-8983 Fax: 512-471-8967

Andrianos, Nikos P. Union Switch and Signal, Inc. 1000 Technology Drive Pittsburgh, PA 15219-3120 Email: npa@switch.com Phone: 412-934-2138 Fax: 412-934-2190

Baraona, Phillip University of Cincinnati Elect. & Comp. Eng. Cincinnati, OH 45221-0030 Email: pbaraona@ece.uc.edu Phone: 513-579-0614 Fax: none given

Bettis, Robert N. Harmon Electronics, Inc. PO Box 600 Grain Valley, MO 64029 Email: rbettis@tyrell.net Phone: 816-650-6171 ext. 616 Fax: 816-650-3383 Bose, Bhaskar Derivation Systems, Inc. 5963 La Place Ct. Suite 208 Carlsbad, CA 92008 Email: bose@dvsi.com Phone: 619-431-1400 Fax: 619-431-1484

Boxer, Alan Department of Defense, Attn: C75 9800 Savage Rd. Ft. Meade, MD 20755-6000 Email: boxer@aztech.ba.md.us Phone: 301-688-4229 Fax: 301-688-2080

Brill, Robert NRC, T-10-E33 11545 Rockville Pike Rockville, MD 20852-2738 Email: rwb2@nrc.gov Phone: 301-415-6760 Fax: 301-415-5160

Brock, Bishop Computational Logic, Inc. 1717 West 6th St., Suite 290 Austin, TX 78703 Email: brock@cli.com Phone: 512-322-9951 Fax: 512-322-0656

Butler, Ricky W. NASA Langley Research Ctr. Mail Stop 130 Hampton, VA 23681-0001 Email: r.w.butler@larc.nasa.gov Phone: 804-864-6198 Fax: 804-864-4234

Caldwell, James L. NASA Langley Research Center Mail Stop 130 Hampton, VA 23681-0001 Email: jlc@air16.larc.nasa.gov Phone: 804-864-6214 Fax: 804-864-4234

PAGE # 3 4 ... INTENTIONALLY BLAMS.

Carreno, Victor A. NASA Langley Research Center Mail Stop 130 Hampton, VA 23681-0001 Email: vac@air16.larc.nasa.gov Phone: 804-864-6184 Fax: 804-864-4234

Charlesworth, Art University of Richmond Mathematics & Computer Science Richmond, VA 23173 Email: charlesworth@mathcs.urich.edu Phone: 804-289-8636 Fax: 804-287-6444

Chin, Shiu-Kai Rome Laboratory, C3AB 525 Brooks Rd. Griffiss AFB, NY 13441 Email: chin@cliff.rl.af.mil Phone: 315-330-3241 Fax: 315-330-2807

Danner, Bonnie P. TRW SIG, WDC9/7S184 One Federal Systems Park Drive Fairfax, VA 22033-4416 Email: Bonnie\_Danner\_at\_SETA.@mail.hq.faa.gov Phone: 202-651-2254 Fax: none given

Delisle, Norman Raytheon Company, MS 3-2-3925 1001 Boston Post Rd. Marlborough, MA 01752 Email: normd@sud.ed.ray.com Phone: 508-490-2771 Fax: 508-490-1103

Di Vito, Ben L. Vigyan, Inc.; NASA-LaRC Mail Stop 130 Hampton, VA 23681-0001 Email: b.l.divito@larc.nasa.gov Phone: 804-864-4883 Fax: 804-864-4234

Dill, David L. Stanford University, CIS 135 Stanford, CA 94305-4070 Email: dill@cs.stanford.edu Phone: 415-725-3642 Fax: 415-725-6278 Eckhardt, Dave E. NASA Langley Research Center Mail Stop 152D Hampton, VA 23681-0001 Email: d.e.eckhardt@larc.nasa.gov Phone: 804-864-1698 Fax: 804-864-8672

El-Agamawi, Mohsen M. Union Switch and Signal, Inc. 1000 Technology Drive Pittsburgh, PA 15219-3120 Email: mme@switch.com Phone: 412-934-2112 Fax: 412-934-2190

Elks, Carl R. US Army CECOM Mail Stop 152D Hampton, VA 23681-0001 Email: cre@air16.larc.nasa.gov Phone: 804-864-4882 Fax: 804-864-8672

Fisler, Kathi Indiana University Dept. of Computer Science Lindley Hall 215 Bloomington, IN 47405 Email: kfisler@cs.indiana.edu Phone: 812-855-3652 Fax: 812-855-4829

Fleming, David West Virginia University Dept. of Statistics & CS Morgantown, WV 26505 Email: fleming@cs.wvu.edu Phone: 304-293-3607 Fax: none given

Fletcher, Sharon K. Sandia National Laboratories Org. 9411 (MS-0777) PO Box 5800 Albuquerque, NM 87185-0777 Email: skfletc@sandia.gov Phone: 505-844-2251 Fax: 505-844-9641 French, Scott W. LORAL--Air Traffic Control 9231 Corporate Blvd. Bldg. 861/4C08 Rockville, MD 20850 Email: none given Phone: 301-640-2685 Fax: none given

Goddard, Peter Hughes Aircraft Company PO Box 3310 M/S 618/P311 Fullerton, CA 92634 Email: pgoddard@msmail2.hac.com Phone: 714-732-7754 Fax: 714-732-2613

Goel, Amrit L. Syracuse University 5011 Woodside Rd. Fayetteville, NY 13066 Email: goel@cat.sys.edu Phone: 315-443-4350 Fax: 315-443-2583

Guaspari, David Odyssey Research Associates 301 Dates Drive Ithaca, NY 14850 Email: davidg@oracorp.com Phone: 607-277-2020 Fax: 607-277-3206

Hayhurst, Kelly J. NASA Langley Research Center Mail Stop 159 Hampton, VA 23681-0001 Email: k.j.hayhurst@larc.nasa.gov Phone: 804-864-6215 Fax: 804-864-9713

Holloway, C. Michael NASA Langley Research Center Mail Stop 130 Hampton, VA 23681-0001 Email: c.m.holloway@larc.nasa.gov Phone: 804-864-1701 Fax: 804-864-4234

Holt, H. Milton NASA Langley Research Center Mail Stop 130 Hampton, VA 23681-0001 Email: h.m.holt@larc.nasa.gov Phone: 804-864-1596 Fax: 804-864-8821

Hoover, Doug Odyssey Research Associates 301 Dates Drive Ithaca, NY 14850 Email: hoove@oracorp.com Phone: 607-277-2020 Fax: 607-277-3206

Huggins, James K. Univ. of Michigan--EECS Dept. 3114 EECS Bldg. 1301 Beal Ave. Ann Arbor, MI 48109-2122 Email: huggins@umich.edu Phone: 313-763-4526 Fax: 313-763-1503

Hugue, Michelle McElvany Opsimath Research 2521 Kitmore Lane Bowie, MD 20715-2751 Email: meesh@cs.umd.edu Phone: 301-262-5140 Fax: 301-262-5988

Hurst, Sandra C. NASA Langley Research Center Mail Stop 131 Hampton, VA 23681-0001 Email: s.c.hurst@larc.nasa.gov Phone: 804-864-6219 Fax: 804-864-7794

Jackson, Paul Cornell University Dept. of Computer Science Upson Hall Ithaca, NY 14853 Email: jackson@cs.cornell.edu Phone: 607-255-6046 Fax: 607-255-4428

Jamsek, Damir Odyssey Research Associates 301 Dates Drive Ithaca, NY 14850 Email: damir@oracomp.com Phone: 607-277-2020 Fax: 607-277-3206 Janeri, John Underwriters Laboratories, Inc. 12 Laboratory Drive PO Box 13995 Research Triangle Park, NC 27709-3995 Email: janeri@ul-rtp.interpath.net Phone: 919-549-1902 Fax: 919-549-1452

Johnson, Sally C. NASA Langley Research Center Mail Stop 248 Hampton, VA 23681-0001 Email: sally.c.johnson@larc.nasa.gov Phone: 804-864-6204 Fax: 804-864-3553

Johnson, Steven D. Indiana University, Computer Science Dept. Lindley Hall 215 Bloomington, IN 47405 Email: sjohnson@cs.indiana.edu Phone: 812-855-4510 Fax: 812-855-4829

Kelly, John NASA JPL 4800 Oak Grove Drive Pasadena, CA 91109 Email: jkelly@spa1.jpl.nasa.gov Phone: 818-354-4495 Fax: 818-393-1362

Knight, John C. University of Virginia Dept. of Computer Science Thornton Hall Charlottesville, VA 22903 Email: knight@virginia.edu Phone: 804-982-2216 Fax: 804-982-2214

Krishnamurthi, Shriram Rice University Dept. of Computer Science MS 132, 6100 S. Main Houston, TX 77005-1892 Email: shriram@cs.rice.edu Phone: 713-523-7964 Fax: 713-285-5930

Kuhn, Rick Nat'l Inst. of Standards & Technology Technology Bldg. B266 Gaithersburg, MD 20899 Email: kuhn@nist.gov Phone: 301-975-4601 Fax: 801-948-7242

Leathrum, James Old Dominion University Dept. of Electrical & Comp. Eng. 231 Kaufman-Duckworth Hall Norfolk, VA 23529 Email: leathrum@ee.odu.edu Phone: 804-683-3741 Fax: 804-683-3220

Legato, Wilfred Department of Defense, Attn: C6 9800 Savage Rd. Ft. Meade, MD 20755-6000 Email: legato@romulus.ncsc.mil Phone: 301-688-4229 Fax: none given

Lincoln, Patrick SRI International 333 Ravenswood Ave Menlo Park, CA 94025 Email: lincoln@csl.sri.com Phone: 415-859-5454 Fax: 415-859-2844

Madhav, Neel State University of New York at Binghamton T20 Watson School Binghamton, NY 13902 Email: madhav@cs.binghamton.edu Phone: 607-777-4880 Fax: 607-777-4000

Malekpour, Mahyar Lockheed/NASA-LaRC Mail Stop 152D Hampton, VA 23681-0001 Email: m.r.malekpour@larc.nasa.gov Phone: 804-864-1513 Fax: 804-864-4234

Miller, Steven P. Collins Commercial Avionics Rockwell International 400 Collins Rd. NE Cedar Rapids, IA 52498 Email: spmiller@pobox.cca.rockwell.com Phone: 319-395-8008 Fax: 319-395-4068 Miner, Paul S. NASA Langley Research Center Mail Stop 130 Hampton, VA 23681-0001 Email: p.s.miner@larc.nasa.gov Phone: 804-864-6201 Fax: 804-864-4234

Nassif, Michael P. Rome Laboratory IERDD 525 Brooks Rd. Griffiss AFB, NY 13441-4505 Email: nassifm@rl.af.mil Phone: 315-330-3342 Fax: 315-330-2885

Neumann, Peter G. SRI International Computer Science Lab; EL-243 Menlo Park, CA 94025-3493 Email: neumann@csl.sri.com Phone: 415-859-2375 Fax: 415-859-2844

Peckham, Lisa F. NASA Langley Research Center Mail Stop 130 Hampton, VA 23681-0001 Email: l.f.peckham@larc.nasa.gov Phone: 804-864-6220 Fax: 804-864-4234

Penix, John University of Cincinnati Electrical & Comp. Eng. Mail Location #30 Cincinnati, OH 45219 Email: jpenix@ece.uc.edu Phone: 513-531-8525 Fax: none given

Platek, Richard Odyssey Research Associates 301 Dates Drive Ithaca, NY 14850 Email: richard@oracorp.com Phone: 607-277-2020 Fax: 607-277-3206

Profeta, Joseph A. Union Switch and Signal, Inc. 1000 Technology Drive Pittsburgh, PA 15219-3120 Email: jap@switch.com Phone: 412-934-2186 Fax: 412-934-2190

Quach, Patrick Lockheed/NASA-LaRC Mail Stop 130 Hampton, VA 23681-0001 Email: c.c.quach@larc.nasa.gov Phone: 804-864-7641 Fax: 804-864-4234

Radley, Charles F. Raytheon Corp. 2001 Aerospace Parkway Brookpark, OH 44142 Email: rqcfr@lims01.lerc.nasa.gov Phone: 216-977-1492 Fax: 216-977-1495

Raheja, Dev G. Technology Management, Inc. 9811 Mallard Drive Suite 213 Laurel, MD 20708 Email: none given Phone: 410-792-0710 Fax: 301-953-2213

Reesman, Leslie Hernandez Eng., Inc; NASA-LaRC Mail Stop 467 Hampton, VA 23681-0001 Email: none given Phone: 804-864-9409 Fax: 804-864-8574

Roediger, Paul A. US Army ARDEC AMSTA-AR-QAW-P Picatinny Arsenal, NJ 07806-5000 Email: fuzzy@qa.pica.army.mil Phone: 201-724-3008 Fax: 201-724-4026

Rushby, John M. SRI International 333 Ravenswood Ave. Menlo Park, CA 94025 Email: rushby@csi.sri.com Phone: 415-859-5456 Fax: 415-859-2844 Saraceni, Pete FAA Technical Center AAR-421 Bldg. 210 Atlantic City Int'l. Airport, NJ 08405 Email: saracenp@admin.tc.faa.gov Phone: 609-485-5577 Fax: 609-485-4005

Saydjari, Fay F. Dept. of Defense 309 Eagle Hill Road Pasadena, MD 21122 Email: ffs@tycho.ncsc.mil Phone: 410-360-4116 Fax: 301-688-0255

Shankar, Natarajan SRI International 333 Ravenswood Ave. Menlo Park, CA 94025 Email: shankar@csl.sri.com Phone: 415-859-5272 Fax: 415-859-2844

Sheldon, Rick Univ. of Texas at Arlington Computer Sci. & Eng. 916 Yates Ave, Box 19015 Arlington, TX 76019-0015 Email: sheldon@cse.uta.edu Phone: 817-273-3629 Fax: 817-273-3784

Sherry, Lance Honeywell--Air Transport Systems PO Box 21111 Phoenix, AZ 85036 Email: sherry@p15.az75.az.honeywell.com Phone: 602-436-1274 Fax: 602-436-5151

Shipman, Floyd NASA Langley Research Center Mail Stop 130 Hampton, VA 23681-0001 Email: f.s.shipman@larc.nasa.gov Phone: 804-864-1706 Fax: 804-864-4234

Smith, Kathryn A. NASA Langley Research Center Mail Stop 130 Hampton, VA 23681-0001 Email: k.a.smith@larc.nasa.gov Phone: 804-864-1699 Fax: 804-864-4234

Sreerama, Sethuram West Virginia Univ.; Dept. of Stat. & C.S. B4, Knapp Hall PO Box 6330 Morgantown, WV 26506 Email: sethu@cs.wvu.edu Phone: 304-293-3607 Fax: 304-293-2272

Srivas, Mandayam SRI International 333 Ravenswood Ave. Menlo Park, CA 94025 Email: srivas@csl.sri.com Phone: 415-859-6136 Fax: 415-859-2844

Stoughton, Jack Old Dominion University ECE Dept. Norfolk, VA 23529 Email: jws100f@eefs01.ee.odu.edu Phone: 804-683-3741 Fax: 804-683-3220

Suri, Neeraj Allied Signal Research Center 9140 Old Annapolis Rd. Columbia, MD 21045 Email: suri@batc.allied.com Phone: 410-964-4157 Fax: 410-992-5813

Tougas, Lyne Atomic Energy Control Board 280 Slater St. Ottawa, Ontario, CANADA KIP 559 Email: none given Phone: 613-995-6345 Fax: 613-943-1292

Tuna, M. Esen Derivation Systems, Inc. 5963 La Place Court Suite 208 Carlsbad, CA 92008 Email: none given Phone: 619-431-1400 Fax: 619-431-1484 Van Tassel, John National Security Agency 9800 Savage Rd. Ft. Meade, MD 20755-6000 Email: jvt@tycho.ncsc.mil Phone: 301-688-0748 Fax: 301-688-0255

Walter, Chris J. WW Technology Group 4519 Mustering Drum Ellicott City, MD 21042-5949 Email: cwalter@blaze.cs.jhu.edu Phone: 410-418-4353 Fax: 410-418-5355

Watson, James F. NASA Langley Research Center Mail Stop 421 Hampton, VA 23681-0001 Email: j.f.watson@larc.nasa.gov Phone: 804-864-6985 Fax: 804-864-6327

Weinstock, Charles B. CMU/Software Engineering Inst. 4500 Fifth Ave. Pittsburgh, PA 15213-3890 Email: weinstoc@sei.cmu.edu Phone: 412-268-7719 Fax: 412-268-5758

Yang, Jeffrey The Mitre Corporation 7525 Colshire Dr. McLean, VA 22102 Email: yang@cyclone.mitre.org Phone: 703-883-6253 Fax: 703-883-1364

Yen, Mike Boeing Defense & Space Group PO Box 3707 MS 4C-63 Seattle, WA 98124-2207 Email: yen@xavier.ds.boeing.com Phone: 206-662-0210 Fax: 206-662-0115

Young, William D. Computational Logic, Inc. 1717 W. 6th Street #290 Austin, TX 78703 Email: young@cli.com Phone: 512-322-9951 Fax: 512-322-0656

Youssefi, David Hadi Honeywell, Inc. Air Transport Systems Div. Box 21111 Phoenix, AZ 85036-1111 Email: none given Phone: 602-436-6655 Fax: 602-436-5151

Zamfirescu, Alex Intergraph Electronics 381 East Evelyn Ave. Mountain View, CA 94041 Email: azamfirescu@ieee.org Phone: 415-691-6426 Fax: 415-691-9016

## **Appendix B:**

## **Comments from Attendees on the Workshop**

- That was one of the best conferences I've attended. Not only were most of the talks good but there was a particularly good mix of people at the workshop who were eager to talk about their work and related ideas.
- This workshop was much more valuable than FM Europe, at a fraction of the cost.
- This was the most well organized workshop I've ever attended at Langley.
- Thanks for the conference. I picked up a lot of useful information.
- There is no regular meeting for the formal methods community. How about expanding your meetings to be yearly with an agenda set up like the GSFC SEL? Just thought I would ask.
- ... thanks again for this year's meeting. It was great fun.
- You all did a super job! Keep up the good work.
- I thoroughly enjoyed the chance to interact with people at FMWS95.
- When will the proceedings be ready? I'm looking forward to studying them.

PAGE 242 INTENTIONALLY BLANK 243

PRECEDING PAGE BLANK NOT FRANC

# **Appendix C:**

## **Detailed Overview of NASA Langley's Formal Methods Program**

This paper is an expanded version of a paper presented at COMPASS 95.

PRECEDENC FRANK BLANK BER FRANK

FARE 244 with water and its : 245

## NASA Langley's Research and Technology-Transfer Program in Formal Methods

Ricky W. Butler James L. Caldwell Victor A. Carreño C. Michael Holloway Paul S. Miner

Assessment Technology Branch NASA Langley Research Center Hampton, Virginia

Ben L. Di Vito

### VíGYAN Inc. Hampton, Virginia

May 19, 1995

#### Abstract

This paper presents an overview of NASA Langley's research program in formal methods. The major goals of this work are to make formal methods practical for use on life critical systems, and to orchestrate the transfer of this technology to U.S. industry through use of carefully designed demonstration projects. Several direct technology transfer efforts have been initiated that apply formal methods to critical subsystems of real aerospace computer systems. The research team consists of five NASA civil servants and contractors from Odyssey Research Associates, SRI International, and VíGYAN Inc.

PUTTING PART PLANK NOT PRIME

PAGE 246 INTENTIONALLY BLANK

247

### 1 Rationale For a Formal Methods Research Program

NASA Langley Research Center has been developing techniques for the design and validation of flight critical systems for over two decades. Although much progress has been made in developing methods to accommodate physical failures, design flaws remain a serious problem [52, 67, 35, 1, 44, 30, 74].

A 1991 report by the National Center For Advanced Technologies<sup>1</sup> identified "Provably Correct System Specification" and "Verification Formalism For Error-Free Specification" as key areas of research for future avionics software and ultrareliable electronics systems [2]. Aerospace engineers who attended the NASA-LaRC Flight Critical Digital Systems Technology Workshop listed techniques for the validation of concurrent and fault-tolerant computer systems high on the list of research priorities for NASA [58].

### 1.1 Why Formal Methods Is Necessary

Digital systems (both hardware and software) are notorious for their unpredictable and unreliable behavior:

Studies have shown that for every six new large-scale software systems that are put into operation, two others are cancelled. The average software development project overshoots its schedule by half; larger projects generally do worse. And three quarters of all large systems are "operating failures" that either do not function as intended or are not used at all.

Despite 50 years of progress, the software industry remains years-perhaps decades-short of the mature engineering discipline needed to meet the demands of an information-age society[31].

Lauren Ruth Wiener describes the software problem in her book, Digital Woes: Why We Should Not Depend Upon Software:

Software products—even programs of modest size—are among the most complex artifacts that humans produce, and software development projects are among our most complex undertakings. They soak up however much time or money, however many people we throw at them.

The results are only modestly reliable. Even after the most thorough and rigorous testing some bugs remain. We can never test all threads through the system with all possible inputs[95].

The hardware industry also faces serious difficulties, as evidenced by the recent design error in the Pentium floating-point unit. In response to an outcry over the design flaw in the Pentium floating point unit, Intel's President, Andy Grove, wrote on the comp.sys.intel Internet bulletin board:

After almost 25 years in the microprocessor business, I have come to the conclusion that no microprocessor is ever perfect; they just come closer to perfection with each stepping. In the life of a typical microprocessor, we go thru [sic] half a dozen or more such steppings....

In a recent Washington Post article, Michael Schrage wrote:

Pentium type problems will prove to be the rule—rather than the isolated, aberrant exceptions as new generations of complex hardware and software hit the market. More insidious errors and harmful bugs are inevitable. That is the new reality[82].

For life critical systems, errors may mean disaster. The potential for errors is high, because these systems must not only perform their functions correctly, but also must be able to recover from the effects of failing components (in order to meet stringent ultrareliability requirements.) Often the physical fault-tolerance features of these systems are more complex and susceptible to design error than any of the basic functions of the system. John Rushby writes:

Organization of redundancy and fault-tolerance for ultra-high reliability is a challenging problem: redundancy management can account for half the software in a flight control system and, if less than perfect can itself become the primary source of system failure [70].

 $<sup>^{1}</sup>$ A technical council funded by the Aerospace Industries Association of America (AIA) that represents the major U.S. aerospace companies engaged in the research, development and manufacture of aircraft, missiles and space systems, and related propulsion, guidance, control and other equipment.

In a comprehensive assessment of formal methods [77], John Rushby discusses several notorious examples of such failures. These include the following:

- The asynchronous operation of the AFTI-F16 and sensor noise led each channel to declare the other channels failed in flight test 44. The plane was flown home on a single channel. Other potentially disastrous bugs were detected in flight tests 15 and 36.
- The HiMAT crash landed without its landing gear due to a design flaw. The problem was traced to a timing change in the software that had survived extensive testing.
- A bug in the YC-14 redundancy management was found during flight test. The bug caused a large mistracking between redundant channels.
- In flight tests of the X31, the control system went into a reversionary mode four times in the first nine flights, usually due to a disagreement between the two air data sources.
- The nationwide saturation of the AT&T switching systems on January 15, 1990 was caused by a timing problem in a fault-recovery mechanism.
- The first Shuttle mission (STS-1) was scrubbed because the fifth backup computer could not be synchronized with the other four.

Three basic strategies are advocated for dealing with the design fault problem for the life-critical system:

- 1. Testing (Lots of it)
- 2. Design Diversity (i.e. software fault tolerance: N-version programming, recovery blocks, etc.)
- 3. Fault Avoidance (i.e. formal specification/verification, automatic program synthesis, reusable modules)

The problem with life testing is that in order to measure ultrareliability one must test for exorbitant amounts of time. For example, to measure a  $10^{-9}$  probability of failure for a 1 hour mission one must test for more than  $10^9$  hours (114,000 years).

The basic idea is to use separate design and implementation teams to produce multiple versions from the same specification. At runtime, non-exact threshold voters are used to mask the effect of a design error in one of the versions. The hope is that the design flaws will manifest errors independently or nearly so. By assuming independence, one can obtain ultrareliable-level estimates of reliability, even with failure rates for the individual versions on the order of  $10^{-4}$ /hour. Unfortunately, the independence assumption has been rejected at the 99% confidence level in several experiments for low reliability software [47, 48].

Furthermore, the independence assumption cannot be validated for high reliability software because of the exorbitant test times required. If one cannot assume independence then one must measure correlations. This is infeasible as well; it requires as much testing time as life-testing the system, because the correlations must be in the ultrareliable region in order for the system to be ultrareliable. Therefore, it is not possible, within feasible amounts of testing time, to establish that design diversity achieves ultrareliability. Consequently, design diversity can create an "illusion" of ultrareliability without actually providing it. For a more detailed discussion, see [15, 14].

We believe that formal methods offer the only intellectually defensible method for handling design faults. Since the often quoted  $1-10^{-9}$  reliability is clearly beyond the range of quantification, we have no choice but to develop life critical systems in the most rigorous manner available to us, which is use of formal methods.

### 1.2 What is Formal Methods

Engineering relies heavily on mathematical models and calculation to make judgments about designs. This is in stark contrast to the way in which software systems are designed—with *ad hoc* technique and afterimplementation testing. Formal methods bring to software and hardware design the same advantages that other engineering endeavors have exploited: mathematical analysis based on models. Formal methods are used to specify and model the behavior of a system and to formally verify that the system design and implementation satisfy functional and safety properties. In principle, these techniques can produce errorfree design; however, this requires a complete verification from the requirements down to the implementation, which is rarely done in practice.

Thus, formal methods is the applied mathematics of computer systems engineering. It serves a similar role in computer design as Computational Fluid Dynamics (CFD) plays in aeronautical design, providing a means of calculating and hence predicting what the behavior of a digital system will be prior to its implementation.

The tremendous scientific potential of formal methods has been recognized by theoreticians for a long time, but the formal techniques have remained the province of a few academicians, with only a few exceptions such as the Transputer [3] and the IBM CICS project [38]. The first five years of NASA Langley's program have advanced the capabilities of formal methods to the point where commercial exploitation is near.

There are many different types of formal methods with various degrees of rigor. The following is a useful (first-order) taxonomy of the degrees of rigor in formal methods:

Level-1: Formal specification of all or part of the system.

Level-2: Formal specification at two or more levels of abstraction and paper and pencil proofs that the detailed specification implies the more abstract specification.

Level-3: Formal proofs checked by a mechanical theorem prover.

Level 1 represents the use of mathematical logic, or a specification language that has a formal semantics, to specify the system. This can be done at several levels of abstraction. For example, one level might enumerate the required abstract properties of the system, while another level describes an implementation that is algorithmic in style.

Level 2 formal methods goes beyond Level 1 by developing pencil-and-paper proofs that the concrete levels logically imply the abstract, property-oriented levels. Level 3 is the most rigorous application of formal methods. Here one uses a semi-automatic theorem prover to make sure that all of the proofs are valid. The Level 3 process of convincing a mechanical prover is really a process of developing an argument for an ultimate skeptic who must be shown every detail.

It is important to realize that formal methods is not an all-or-nothing approach. The application of formal methods to the most critical portions of a system is a pragmatic and useful strategy. Although a complete formal verification of a large complex system is impractical at this time, a great increase in confidence in the system can be obtained by the use of formal methods at key locations in the system. For more information on the basic principles of formal methods, see [16].

### 2 Goals of Our Program, Strategy, and Research Team

The major goals of the NASA Langley research program are to make formal methods practical for use on life critical systems developed in the United States, and to orchestrate the transfer of this technology to industry through use of carefully designed demonstration projects. Our intention is to concentrate our research efforts on the technically challenging areas of digital flight-control systems design that are currently beyond the state-of-the-art, while initiating demonstration projects in problem domains where current formal methods are adequate. The challenge of the demonstration projects should not be underestimated. That which is feasible for experts that have developed the tools and methods is often difficult for practitioners in the aerospace industry. There is often a long "learning curve" associated with the tools, the tools are not production-quality, and the tools have few or no examples for specific problem domains. Therefore, we are setting up cooperative efforts between industry and the developers of the formal methods to facilitate the technology transfer process.

This strategy leverages the huge investment of ARPA and the National Security Agency in development of tools and concentrates on the problems specific to the aerospace problem domain. NASA Langley has not sponsored the development of any general-purpose theorem provers. However, the technology transfer projects have lead to significant improvements in the Prototype Verification System (PVS) theorem prover[70] that SRI International (SRI) is developing. Several domain-specific tools are being sponsored: (1) Tablewise, (2) VHDL-analysis tool, and (3) DRS. These tools are discussed in later sections.

It is also important to realize that formal methods include a large class of mathematical techniques and tools. Methods appropriate for one problem domain may be totally inappropriate for other problem domains.

The following are some of the specific domains in which our program has concentrated: (1) architectural-level fault tolerance, (2) clock-synchronization, (3) interactive consistency, (4) design of hardware devices such as microprocessors, memory management units, DMA controllers, (5) asynchronous communication protocols, (6) design and verification of application-specific integrated circuits (ASICS), (7) Space Shuttle software, (8) navigation software, (9) decision tables, (10) railroad signaling systems.

We are also interested in applying formal methods to many different portions of the life-cycle, such as (1) requirements analysis, (2) high-level design, (3) detailed design, and (4) implementation.

Often, there is a sizable effort associated with the development of the background mathematical theories needed for a particular problem domain. Although such theories are reusable and in the long run can become "cost-effective", the initial costs can be a deterrent for industry. Therefore, one of the goals of the NASA Langley program is to build a large body of background theories needed for aerospace applications.

We also have been involved with standards activities in order to strengthen the United States commitment to safety.

### 2.1 Technology Transfer

The key to successful technology transfer is building a cooperative partnership with a customer. In order for this partnership to work, NASA Langley must become directly involved in specific problem domains of the aerospace industry<sup>2</sup>. NASA must also effectively communicate its basic research accomplishments in a manner that reveals a significant potential benefit to the aerospace community. Equally important is the need for industry to make an investment to work together with NASA on joint projects to devise demonstration projects that are realistic and practical. The ultimate goal of our technology transfer process is for formal methods to become the "state-of-the-practice" for U.S. industry development of ultrareliable digital avionics systems. However, before we can develop new tools and techniques suitable for adoption by industry, we must work with the system developers in industry to understand their needs. We must also overcome the natural skepticism that industry has of any new technology.

Our basic approach to technology transfer is as follows. The first step is to find an industry representative who has become interested in formal methods, believes that there is a potential benefit of such methods, and is willing to work with us. The next step is to fund our formal methods research team to apply formal methods to an appropriate example application. This process allows the industry representative to see what formal methods are and what they have to offer, and it allows us (the formal methods team) to learn the design and implementation details of state-of-the-practice components so we can better tailor our tools and techniques to industry's needs. If the demonstration project reveals a significant potential benefit, the next stage of the technology transfer process is for the industry representative to initiate an internal formal methods program, and begin a true cooperative partnership with us.

Another important part of our technology transfer strategy is working with the Federal Aviation Administration (FAA) to update certification technology with respect to formal methods. If the certification process can be redefined in a manner that awards credit for the use of formal methods, a significant step towards the transfer of this technology to the commercial aircraft industry will have been accomplished.

Langley has also been sponsoring a series of workshops on formal methods. The first workshop, held in August 1990, focused on building cooperation and communication between U.S. formal methods researchers[18]. The second, held in August 1992, focused on education of the U.S. aerospace industry about formal methods[43]. A third workshop will be held in May 1995.

Another component of our technology transfer strategy, is to use the NASA's Small Business Innovative Research (SBIR) program to assist small businesses in the development of commercially viable formal methods tools and techniques. The first contracts under the program began in early 1994.

Finally, to facilitate technology transfer, much information on NASA Langley's formal methods research is available on the Internet via either anonymous FTP or World Wide Web. PostScript and DVI versions of many research papers are available through anonymous FTP on machine deduction.larc.nasa.gov (IP address: 128.155.18.16) in directory pub/fm. This directory, and much more information, is also available through World Wide Web, using the following Uniform Resource Locator:

 $<sup>^{2}</sup>$  To date, our efforts have concentrated on the aerospace industry, but we are actively seeking partners from other industries also.

### 2.2 FAA/RTCA Involvement

As the federal agency responsible for certification of civil air transports, the FAA shares our interest in promising approaches to engineering and validating ultrareliable flight-control systems. Additionally, because the FAA must approve any new methodologies for developing life-critical digital systems for civil air transports, their acceptance of formal methods is a necessary precursor to its adoption by industry system designers. We are working with Pete Saraceni of the FAA Technical Center and Mike DeWalt, FAA National Resource Specialist for Software, to insure that our program is relevant to the certification process. The FAA has co-sponsored some of our work. John Rushby of SRI gave a tutorial on formal methods at an FAA Software Advisory Team (SWAT) meeting at their request. The SWAT team suggested that we include an assessment of formal methods in an ongoing Guidance Control Software (GCS) experiment in our branch; Odyssey Research Associates (ORA) developed a formal specification of the GCS application.

John Rushby has written a chapter for the FAA Digital Systems Validation Handbook Volume III on formal methods[20]. The handbook provides detailed information about digital system design and validation and is used by the FAA certifiers. In preparation for this chapter, Rushby produced a comprehensive analysis of formal methods [77].

George Finelli, the former assistant Branch Head of the System Validation Methods Branch (the Branch in which the formal methods team worked before NASA Langley's reorganization in 1994) and a member of the RTCA committee formed to develop DO-178B, together with Ben Di Vito (ViGYAN Inc.), was instrumental in including formal methods as an alternate means of compliance in the DO-178B standard.

Currently, members of the Langley staff are involved in RTCA committees SC-180 (Airborne Electronic Hardware) and SC-182 (Minimal Operating Performance Standard for an Airborne Computer Resource).

### 2.3 Team

The Langley formal methods program involves both local researchers and industrial / academic researchers working under contract to NASA Langley. Currently the local team consists of five civil servants and one contractor (ViGYAN Inc.). The lead NASA Langley formal methods researcher, Ricky W. Butler, may be contacted through electronic mail to R.W.Butler@LaRC.NASA.GOV.

NASA Langley has recently awarded two five-year task-assignment contracts specifically devoted to formal methods (from the competitive NASA RFP 1-132-DIC.1021). The selected contractors were SRI International (SRI) and Odyssey Research Associates (ORA). This was a follow-on contract from the previous competitive contract that had awarded three contracts to SRI, ORA, and Computational Logic Inc. (CLI).

### 3 Current Technology Development and Transfer Projects

### 3.1 AAMP5/AAMP-FV Project

In 1993, NASA Langley initiated a joint project involving Collins Commercial Avionics and SRI International. The goal was to investigate the application of formal techniques to a commercial microprocessor design, the Collins AAMP5 microprocessor. The AAMP5 is the latest member of the CAPS/AAMP family of microprocessors and is object code compatible with the AAMP2 processor [4]. The CAPS/AAMP family of microprocessors has been widely used by the commercial and military aerospace industries. Some examples of use of earlier members of the family include:

- 1. Boeing 747-400 Integrated Display System (IDS)
- 2. Boeing 737-300 Electronic Flight Instrumentation System (EFIS)
- 3. Boeing 777 Flight Control Backdrive
- 4. Boeing 757,767 Autopilot Flight Director System (AFDS)

5. military and commercial Global Positioning (GPS) Systems.

The first phase of the project consisted of the formal specification of the AAMP5 instruction set and microarchitecture using SRI's PVS [90, 91, 11, 69, 68, 87]. While formally specifying the microprocessor, two design errors were discovered in the microcode. These errors were uncovered as a result of questions raised by the formal methods researchers at Collins and SRI while seeking to formally specify the behavior of the microprocessor[59]. The Collins formal methods team believes that this effort has prevented two significant errors from going into the first fabrication of the microprocessor.

The second phase of the project consisted of formally verifying the microcode of a representative subset of the AAMP5 instructions. Collins seeded two errors in the microcode provided to SRI in an attempt to assess the effectiveness of formal verification. Both of these errors (and suggested corrections) were discovered while proving the microcode correct[59]. It is noteworthy that both the level 2 and level 3 applications of formal methods were successful in finding bugs. Based on the success of the AAMP5 project, a new effort has been initiated with Rockwell-Collins to apply formal methods in the design level verification of a microprocessor, currently designated as AAMP-FV.

### 3.2 Tablewise Project

Under NASA funding, Odyssey Research Associates is working with Honeywell Air Transport Systems Division (Phoenix) to study the incorporation of formal methods into the company's software development processes. Because Honeywell uses decision tables to specify the requirements and designs for much of their software<sup>3</sup>, ORA is developing a prototype tool, called Tablewise<sup>4</sup>, to analyze the characteristics of decision tables. Tablewise uses a generalization of Binary Decision Diagrams to determine if a particular table is exclusive (for every combination of parameter values, at most one action can be chosen) and exhaustive (for every combination of parameter values, at least one action can be chosen). The tool is also capable of automatically generating documentation and Ada code from a decision table [37]. We consider this a level 3 application of formal methods: although a general purpose prover is not used, the analysis is mechanized in a computer program.

In 1995, ORA will develop algorithms to handle advanced analysis of decision tables. Two particular areas of analysis that will be considered are testing of additional properties of tables and techniques for efficiently handling partitioned tables. The Honeywell personnel involved in the project hope that the concepts developed in the Tablewise project can be incorporated into an industrial-strength tool that will significantly reduce the effort required to develop new software.

### 3.3 Union Switch and Signal

As part of a joint research agreement, NASA Langley formal methods researchers are collaborating with engineers at Union Switch and Signal (US&S) to use formal methods in the design of railway switching and control applications. Railway switching control systems, like digital flight control systems, are safety critical systems. US&S is the leading U.S. supplier of railway switching control systems. Their Advanced Technology Group, lead by Dr. Joseph Profeta, has applied formal methods in past efforts and turned to NASA for expertise in integrating these techniques into their next generation products.

The initial project, started in 1993, was a cooperative effort between NASA, US&S, and Odyssey Research Associates. The result of this first year's work was a formal mathematical model of a railway switching network, defined in two levels. The top level of the model provides the mechanisms for defining the basic concepts: track, switches, trains and their positions and control liners of a train (i.e. how far down the track it has clearance to travel.) The second level is a formalization of the standard scheme used in railroad control, the block model control system. A level 2 proof that the fixed block control system is "safe" with respect to the top level model has been completed. Models of US&S proprietary control schemes were also formulated.

 $<sup>^{3}</sup>$ A decision table is a tabular format for defining the rules that choose a particular action to perform based on the values of certain parameters.

<sup>&</sup>lt;sup>4</sup> previously called Tbell•

The European formal methods community has addressed safety properties of certain components of railroad control systems, but the work there has typically been at lower levels. The cooperative work with US&S is unique in that a high level model of a railroad system has been described and used to analyze the safety of various control schemes.

The next phase of the collaborative effort will concentrate on formal modeling and analysis of the faulttolerant core of US&S's next generation fail-stop control architecture.

### 3.4 Space Applications

A team spread across three NASA centers has been formed to study the application and technology transfer of formal methods to NASA space programs. A consortium of researchers and practitioners from LaRC, JSC, and JPL, together with support from Loral Space Information Systems, SRI International, and ViGYAN Inc., has been actively pursuing this objective since late 1992. The near term goal is to define and carry out pilot projects using portions of existing large-scale space programs. The long term goal is to enable organizations such as Loral to reduce formal methods to practice on programs of national importance.

The NASA Formal Methods Demonstration Project for Space Applications focuses on the use of formal methods for requirements analysis because the team believes that formal methods are more practically applied to requirements analysis than to late-lifecycle development phases [40]. A series of trial projects was conducted and cost effectiveness data were collected. The team's efforts in 1993 were concentrated on a single pilot project, while later efforts in 1994 have been more diffuse.

The 1993 project was the formal specification of a very mature piece of the Space Shuttle flight control requirements called Jet Select. Initial specifications were written to capture an existing, low-level statement of the requirements. Few proofs were produced for the first specification, but 46 issues were identified and several minor errors were found in the requirements. A second specification was produced for an abstract (i.e., high level) representation of the Jet Select requirements. This abstraction, along with the 24 proofs of key properties, was accomplished in under 2 work months, and although it only uncovered 6 issues, several of these issues were significant.

NASA Langley's primary role in 1994 included support for two Space Shuttle software change requests (CR). One CR concerns the integration of new Global Positioning System (GPS) functions while the other concerns a new function to control contingency aborts known as Three Engine Out (3 E/O). Both of these tasks involve close cooperation among formal methods researchers at NASA Langley, ViGYAN Inc., and SRI International with requirements analysts from Loral Space Information Systems.

The Space Shuttle is to be retrofitted with GPS receivers in anticipation of the TACAN navigation system being phased out by the DoD. Additional navigation software will be incorporated to process the position and velocity vectors generated by these receivers. A decision was made to focus the trial formal methods task on just a few key areas because the CR itself is very large and complex. A set of preliminary formal specifications was developed for the new Shuttle navigation principal functions known as GPS Receiver State Processing and GPS Reference State Processing, using the language of SRI's Prototype Verification System (PVS). While writing the formal specifications, 43 minor discrepancies were detected in the CR and these have been reported to Loral requirements analysts.

The Three Engine Out (3 E/O) Task is executed each cycle during powered flight until either a contingency abort maneuver is required or progress along the powered flight trajectory is sufficient to preclude a contingency abort even if three main engines fail. The 3 E/O task consists of two parts: 3 E/O Region Selection and 3 E/O Guidance. 3 E/O Region Selection is responsible for selecting the type of external tank (ET) separation maneuver and assigning the corresponding region index. 3 E/O guidance monitors ascent parameters and determines if an abort maneuver is necessary.

We have developed and analyzed a formal model of the series of sequential maneuvers that comprise the 3 E/O algorithm. To date, 20 potential issues have been found, including undocumented assumptions, logical errors, and inconsistent and imprecise terminology. These findings are listed as potential issues pending review by the 3 E/O requirements analyst.

The GPS and 3 E/O tasks has continued into 1995. We hope to get formal methods incorporated as a requirements analysis technique for Space Shuttle software. In addition, NASA Langley contributed to a NASA guidebook under development by the inter-center team. The first volume of the guidebook is intended for managers of NASA projects who will be using formal methods in requirements analysis activities. A second volume is planned that will be aimed at practitioners. NASA will publish the first volume early in 1995, with the second volume expected by early 1996.

### 3.5 Requirements Analysis

Better methods for writing and analyzing requirements is one of the greatest needs that commercial industry faces today. Requirements are usually incomplete, poorly defined, and change rapidly as a system is developed. Errors introduced in requirements are often the most serious because they manifest themselves as major design errors and are often very expensive to correct when they are discovered, usually late in the life-cycle during implementation testing.

NASA Langley is sponsoring work to develop special interfaces to PVS, a formal specification language and theorem proving environment developed by SRI. The goal of this work is to develop an interface that (1) is readable by Domain.Experts and typical customers, (2) is precise enough to support formal analysis, (3) supports concurrent development by many individuals, and (4) discourages overspecification.

### 3.6 NASA Small Business Innovative Research Program

In 1993, a formal methods subtopic was a part of the NASA Small Business Innovative Research (SBIR) solicitation. Two proposals were selected for 6-month Phase I funding for 1994: VHDL Lightweight Tools, by Odyssey Research Associates, and DRS — Derivation Reasoning System, A Digital Design Derivation System for Hardware Synthesis, by Derivation Systems, Inc. of Bloomington, Indiana. After the completion of the Phase I efforts, Derivation Systems' proposal for Phase II funding was accepted, and contract negotiations are currently underway to initiate a 2-year effort. Contracts for these efforts just recently began.

### 4 Past Efforts

This section describes previous work in each of the following four focus areas: fault-tolerant systems, verification of software, verification of hardware devices, and civil air transport requirements specification.

### 4.1 Fault-tolerant Systems

The goal of this focus area was to create a formalized theory of fault tolerance including redundancy management, clock synchronization, Byzantine agreement, voting, etc. Much of the theory developed here is applicable to future fault-tolerant systems designs. A detailed design of a fault-tolerant reliable computing base, the Reliable Computing Platform (RCP), has been developed and proven correct. It is hoped that the RCP will serve as a demonstration of the formal methods process and provide a foundation that can be expanded and used for future aerospace applications. It is one of the largest formal verifications ever performed.

The RCP architecture was designed in accordance with a system-design philosophy called "Design For Validation" [42, 41]. The basic tenets of this design philosophy are as follows:

- 1. A system is designed in such a manner that complete and accurate models can be constructed to estimate critical properties such as reliability and performance. All parameters of the model that cannot be deduced from the logical design must be measured. All such parameters must be measurable within a feasible amount of time.
- 2. The design process makes tradeoffs in favor of designs that minimize the number of parameters that must be measured in order to reduce the validation cost. A design that has exceptional performance properties yet requires the measurement of hundreds of parameters (for example, by time-consuming fault-injection experiments) would be rejected over a less capable system that requires minimal experimentation.

- 3. The system is designed and verified using rigorous mathematical techniques, usually referred to as a formal verification. It is assumed that the formal verification makes system failure due to design faults negligible so the reliability model does not include transitions representing design errors.
- 4. The reliability (or performance) model is shown to be accurate with respect to the system implementation. This is accomplished analytically not experimentally.

Thus, a major objective of this approach is to minimize the amount of experimental testing required and maximize the ability to reason mathematically about correctness of the design. Although testing cannot be eliminated from the design/validation process, the primary basis of belief in the dependability of the system must come from analysis rather than from testing.

### 4.1.1 The Reliable Computing Platform

The Reliable Computing Platform dispatches control-law application tasks and executes them on redundant processors as illustrated in figure 1. The intended applications are safety critical with reliability requirements



Figure 1: Intended Application of RCP

on the order of  $1 - 10^{-9}$ . The reliable computing platform performs the necessary fault-tolerant functions and provides an interface to the network of sensors and actuators.

The RCP operating system provides the applications software developer with a reliable mechanism for dispatching periodic tasks on a fault-tolerant computing base that *appears* to him as a single ultrareliable processor. A multi-level hierarchical specification of the RCP is shown in figure 2.

The top level of the hierarchy describes the operating system as a function that sequentially invokes application tasks. This view of the operating system will be referred to as the *uniprocessor specification* (US), which is formalized as a state transition system and forms the basis of the specification for the RCP. Fault tolerance is achieved by voting results computed by the replicated processors operating on the same inputs. Interactive consistency checks on sensor inputs and voting of actuator outputs require synchronization of the replicated processors. The second level in the hierarchy (RS) describes the operating system as a synchronous system where each replicated processor executes the same application tasks. The existence of a global time base, an interactive consistency mechanism and a reliable voting mechanism are assumed at this level.

Level 3 of the hierarchy (DS) breaks a frame into four sequential phases. This allows a more explicit modeling of interprocessor communication and the time phasing of computation, communication, and voting. At the fourth level (DA), the assumptions of the synchronous model must be discharged. Rushby and von Henke [79] report on the formal verification of Lamport and Melliar-Smith's [50] interactive-convergence clock synchronization algorithm. This algorithm can serve as a foundation for the implementation of the replicated system by bounding the amount of asynchrony in the system so that it can duplicate the functionality of the DS model. Dedicated hardware implementations of the clock synchronization function are a long-term goal.

In the LE model, a more detailed specification of the activities on a local processor are presented. In particular, three areas of activity are elaborated in detail: (1) task dispatching and execution, (2) minimal voting, and (3) interprocessor communication via mailboxes. An intermediate model, DA\_minv, that simplified the construction of the LE model was used. Some of the refinements occur in the DA\_minv model and some in the LE model. For example, the concept of minimal voting is addressed in considerable detail



Figure 2: Hierarchical Specification of the Reliable Computing Platform.

in the DA\_minv model. Of primary importance in the LE specification is the use of a memory management unit by the local executive in order to prevent the overwriting of incorrect memory locations while recovering from the effects of a transient fault.

Figure 3 depicts the generic hardware architecture assumed for implementing the replicated system. The hardware architecture is a classic N-modular redundant (NMR) system with a small number, N, of processors. Single-source sensor inputs are distributed by special purpose hardware executing a Byzantine agreement algorithm. Replicated actuator outputs are all delivered in parallel to the actuators, where force-sum voting occurs. Interprocessor communication links allow replicated processors to exchange and vote on the results of task computations.

The top two levels of the RCP were originally formally specified in standard mathematical notation and connected via mathematical (i.e. level 2 formal methods) proof [25, 24, 22]. Under the assumption that a majority of processors is working in each frame, the proof establishes that the replicated system computes the same results as a single processor system not subject to failures. Sufficient conditions were developed that guarantee that the replicated system recovers from transient faults within a bounded amount of time. SRI subsequently generalized the models and constructed a mechanical proof in EHDM [75]. Next, the local team developed the third and fourth level models. The top two levels and the two new models (i.e. DS and DA) were then specified in EHDM and all of the proofs were done mechanically using the EHDM 5.2 prover [12, 23].

Both the DA\_minv model and the LE model were specified formally and have been verified using the EHDM verification system[13]. All RCP specifications and proofs are available electronically via the Internet using anonymous FTP or World Wide Web (WWW) access. Anonymous FTP access is available through the host deduction.larc.nasa.gov using the path pub/fm/larc/RCP-specs. WWW access to the FTP directory is provided through the NASA Langley Formal Methods Program home page: http://atb-www.larc.nasa.gov/fm-top.html

#### 4.1.2 Clock Synchronization

The redundancy management strategies of virtually all fault-tolerant systems depend on some form of voting, which in turn depends on synchronization. Although in many systems the clock synchronization function has not been decoupled from the applications (e.g. the redundant versions of the applications synchronize by messages), research and experience have led us to believe that solving the synchronization problem independently from the applications design can provide significant simplification of the system [49, 32]. The operating system is built on top of this clock-synchronization foundation. Of course, the correctness of



Figure 3: Generic hardware architecture.

this foundation is essential. Thus, the clock synchronization algorithm and its implementation are prime candidates for formal methods. The verification strategy shown in figure 4 is being explored.



Figure 4: Hierarchical Verification of Clock Synchronization

The top-level in the hierarchy is an abstract property of the form:

 $\forall$  non-faulty  $p, q: |C_p(t) - C_q(t)| < \delta$ 

where  $\delta$  is the maximum clock skew guaranteed by the algorithm as long as a sufficient number of clocks (and the processors they are attached to) are working. The function  $C_p(t)$  gives the value of clock p at real time t. The middle level in the hierarchy is a mathematical definition of the synchronization algorithm. The bottom level is a detailed digital design of a circuit that implements the algorithm. The bottom level is sufficiently detailed to make translation into silicon straight forward.

The verification process involves two important steps: (1) verification that the algorithm satisfies the maximum skew property and (2) verification that the digital circuitry correctly implements the algorithm. The first step was completed by SRI International. The first such proof was accomplished during the design and verification of SIFT [50]. The proof was done by hand in the style of journal proofs. More recently this proof step was mechanically verified using the EHDM theorem prover[79, 80]. In addition, SRI mechanically verified Schneider's clock synchronization paradigm [81] using EHDM[88, 89]. A further generalization was

found at NASA Langley [60]<sup>5</sup>. The design of a digital circuit to distribute clock values in support of fault-tolerant synchronization was completed by SRI and was partially verified.<sup>6</sup> CLI reproduced the SRI verification of the interactive convergence algorithm using the Boyer-Moore theorem prover [100].

NASA Langley researchers designed and implemented a fault-tolerant clock synchronization circuit capable of recovery from transient faults [62, 61, 60]. The top-level specification for the design is the EHDM verification of Schneider's paradigm. The circuit was implemented with programmable logic devices (PLDs) and FOXI fiber optic communications chips [63].

Using a combination of formal techniques, a verified clock synchronization circuit design has also been developed[64]. The principal design tool was the Digital Design Derivation system (DDD) developed by Indiana University[8]. Some design optimizations that were not possible within DDD were verified using PVS.

#### 4.1.3 Byzantine Agreement Algorithms

Fault-tolerant systems, although internally redundant, must deal with single-source information from the external world. For example, a flight control system is built around the notion of feedback from physical sensors such as accelerometers, position sensors, and pressure sensors. Although these can be replicated (and they usually are), the replicates do not produce identical results. To use bit-by-bit majority voting, all of the computational replicates must operate on identical input data. Thus, the sensor values (the complete redundant suite) must be distributed to each processor in a manner which guarantees that all working processors receive exactly the same value even in the presence of some faulty processors. This is the classic Byzantine Generals problem [51]; algorithms to solve the problem are called Byzantine agreement algorithms. CLI investigated the formal verification and implementation of such algorithms. They formally verified the original Marshall, Shostak, and Lamport version of this algorithm using the Boyer Moore theorem prover [5]. They also implemented this algorithm down to the register-transfer level and demonstrated that it implements the mathematical algorithm [6], and then subsequently verified the design down to a hardware description language HDL developed at CLI [66]. A more efficient mechanical proof of the oral messages algorithm was also developed by SRI[76].

ORA also investigated the formal verification of Byzantine Generals algorithms. They focused on the practical implementation of a Byzantine-resilient communications mechanism between Mini-Cayuga microprocessors [92, 7]. The Mini-Cayuga is a small but formally verified microprocessor developed by ORA. It is a research prototype and has not been fabricated. The communications circuitry would serve as a foundation for a fault-tolerant architecture. It was designed assuming that the underlying processors were synchronized (say by a clock synchronization circuit). The issues involved with connecting the Byzantine communications circuit with a clock synchronization circuit and verifying the combination has not yet been explored.

Thambidurai and Park [94] introduced a fault model that classified faults into three categories: asymmetric, symmetric, and benign. They further suggested the need for and developed an algorithm that had capabilities beyond that of the earlier Byzantine generals algorithms. In particular, their algorithm can mask the effects of a less severe class of faults, in a more effective way. SRI has formally verified an improved version of this algorithm [55, 54, 56]

The newly developed hybrid-fault theory was then applied to the analysis of the Charles Stark Draper Labs "Fault-Tolerant Processor" (FTP). A unique feature of this architecture is its use of "interstages" to relay messages between processors. These are significantly smaller than a processor and lead to an asymmetric architecture that is far more efficient than the traditional Byzantine agreement architectures. The SRI work not only formalized the existing informal analysis but extended it to cover a wider range of faulty behavior[57].

Also SRI subsequently generalized their clock synchronization work to encompass the hybrid fault model [78].

### 4.2 Verification of Software

Our past software verification projects are described in this section.

<sup>&</sup>lt;sup>5</sup>The bounded delay assumption was shown to follow from the other assumptions of the theory.

<sup>&</sup>lt;sup>6</sup>Unlike the NASA circuit, the SRI intent is that the convergence algorithm be implemented in software.

### 4.2.1 Formal Specification of Space Shuttle Jet Select

NASA Langley worked with NASA Johnson Space Center and the Jet Propulsion Laboratory (JPL) in a study to explore the feasibility and utility of applying mechanically-supported formal methods to requirements analysis for space applications. The team worked jointly to develop a formal specification of the Jet Select function of the NASA Space Shuttle, which is a portion of the Shuttle's Orbit Digital Auto-Pilot (DAP). Specifications were written at three different levels of abstraction. The highest level specifications were proved to meet a set of critical properties. This formal analysis uncovered hidden problems in a highly critical and mature FSSR specification for Shuttle. This project impressed several key members of the Shuttle software community that the benefits of formal methods are concrete and economically realizable. A very favorable reaction was received from the IBM (now Loral) requirements analysts and senior JSC personnel (Bob Hinson, in particular). They would like to work with us "to build a different paradigm where engineers write requirements like this before passing the requirements to software development."

This demonstration project was funded by the Office of Safety and Mission Quality at NASA Headquarters, which controls funding for verification and validation of all major NASA space projects.

### 4.2.2 Honeywell Navigation Specification

A cooperative research effort was initiated in 1993 with Honeywell Air Transport Systems Division (Phoenix) to study the incorporation of formal methods into the company's software development processes. In the initial project in this effort, NASA Langley funded ORA to identify a component of the Boeing 777 system to which formal specification techniques could be applied, and to develop the formal specifications for that component. ORA, in collaboration with personnel from Langley and Honeywell, chose the navigation subsystem as a suitable application.

Using documents supplied to them by Honeywell, ORA developed a specification that addressed the following aspects of navigation:

- basic mathematical concepts such as functions over the reals, and physical units such as distance, velocity, and acceleration
- definition of objects such as aircraft, radios, sensors, navigation aids, and the navigation database
- definition of algorithms such as complementary filter processing, navigation aid selection, navigation mode selection, and position determination
- relating the mathematical model to Ada by partitioning the system in Ada package specifications, and annotating individual Ada functions and procedures with formal specifications

The specification was done using ORA's Penelope tool.

### 4.2.3 Verification of Existing Ada Applications Software

Odyssey Research Associates completed two tasks applying their Ada verification tools to aerospace applications. The first task was to verify some utility routines obtained from the NASA Goddard Space Flight Center and the NASA Lewis Research Center using their Ada Verification Tool named Penelope [33]. This task was accomplished in two steps: (1) formal specification of the routines and (2) formal verification of the routines. Both steps uncovered errors [26]. The second task was to formally specify the mode-control panel logic of a Boeing 737 experimental aircraft system using Larch (the specification language used by Penelope) [34].

### 4.3 Verification of Hardware Devices

Our past research and technology transfer efforts in the area of formal verification of hardware devices are described below.

#### 4.3.1 Boeing Hardware Devices

The Boeing Company was contracted by NASA Langley to develop advanced validation and verification techniques for fly-by-wire systems. As part of the project, Boeing explored the use of formal methods. The goal of this work was two-fold: (1) technology transfer of formal methods to Boeing, and (2) assessment of formal methods technology maturity.

The first phase of this project focused on the formal verification of "real" hardware devices using the HOL hardware verification methodology. With the assistance of a subcontract with U. C. Davis, Boeing partially verified a set of hardware devices, including a microprocessor[98], a floating-point coprocessor similar to the Intel 8087 but smaller[72, 71], a direct memory access (DMA) controller similar to the Intel 8237A but smaller[46], and a set of memory-management units[86, 83]. U. C. Davis also developed the generic-interpreter theory to aid in the formal specification and verification of hardware devices[99, 97, 96], and a horizontal-integration theory for composing verified devices into a system[85, 84, 73, 45]. After demonstrating the feasibility of verifying standard hardware devices, Boeing applied the methodology to a proprietary hardware device called the Processor Interface Unit (PIU) that is being developed for aeronautics and space applications[29].

Boeing and U.C. Davis also performed an assessment of the U.K. Royal Signals and Radar Establishment's (RSRE) VIPER chip [53]. This was part of a now-completed 3 year Memorandum of Understanding (MOU) with RSRE. CLI and Langley researchers also performed assessments of the VIPER project[10, 19, 17].

Application of formal methods to the suite of Intel-like devices and the PIU demonstrated that formal methods can be practically applied to the digital hardware devices being developed by Boeing today and provided insight on how to make the process more cost effective.

#### 4.3.2 CSDL Scoreboard Hardware

A joint project between ORA and Charles Stark Draper Laboratory (CSDL) was completed in 1993. NASA Langley and the Army had been funding CSDL to build fault-tolerant computer systems for over two decades. During this project, CSDL became interested in the use of formal methods to increase confidence in their designs. ORA was given the task of formally specifying and verifying a key circuit (called the scoreboard) of the Fault-Tolerant Parallel Processor (FTPP) [36] in Clio [93]. The formal verification uncovered previously unknown design errors. When the scoreboard chip was fabricated, it worked without any error manifestation. It was the first time that CSDL produced a chip that worked "perfectly" on a first fabrication. CSDL credits VHDL-development tools and formal methods for the success.

#### 4.3.3 Asynchronous Communication

CLI developed a formal model of asynchronous communication and demonstrated its utility by formally verifying a widely used protocol for asynchronous communication called the bi-phase mark protocol, also known as "Bi- $\Phi$ -M," "FM" or "single density" [65]. It is one of several protocols implemented by microcontrollers such as the Intel 82530 and is used in the Intel 82C501AD Ethernet Serial Interface.

#### 4.3.4 Digital Design Derivation

Funded in part by a NASA Langley Graduate Student Research Program fellowship, Bhaskar Bose developed the Digital Design Derivation system (DDD) and used it to design a verified microprocessor. DDD implements a formal design algebra that allows a designer to transform a formal specification into a correct implementation[8]. Bose formally derived the DDD-FM9001[9] microprocessor from Hunt's top-level specification of the FM9001 microprocessor[39].

### 4.4 Civil Air Transport Requirements Specification

Work with Boeing to develop a prototype interface for formal requirements analysis of a civil air transport was completed in 1992[27, 28]. This work, performed under a subcontract to California Polytechnic State University, included development of a Wide-Spectrum Requirements Specification Language (WSRSL) and prototype tools to support the language. Portions of a set of requirements for an Advanced Subsonic Civil Transport (ASCT) developed by a Boeing engineer under previous NASA funding were rewritten in WSRSL to demonstrate the use of the language and toolset. Since WSRSL is a formal language, the specifications can be formally analyzed for syntactic correctness, completeness, and consistency.

### 5 Summary

The NASA Langley program in formal methods has two major goals: (1) develop formal methods technology suitable for a wide range of aerospace designs and (2) facilitate technology transfer by initiating joint projects between formal methods researchers and aerospace industries to apply the results of the research to real systems. Starting in 1991, NASA Langley initiated several aggressive projects designed to move FM into productive use in the aerospace community:

- Boeing PIU Project (1991)
- Charles Stark Draper FTPP Scoreboard Project (1991)
- Allied Signal Hybrid Fault Models (1992)
- Shuttle Tile Project (1992)
- Space Shuttle Jet Select Project (1993)<sup>7</sup>
- Honeywell Navigation (1993)
- Rockwell Collins AAMP5 (1993)
- Honeywell Tablewise (1994)
- Union Switch and Signal (1994)
- Rockwell Collins AAMP-FV (1995)

NASA's program has advanced aerospace-related formal methods in the United States to the point where commercial exploitation of formal methods is near. Our program has driven the development of PVS, the most advanced general-purpose theorem prover in the world [70], and the Odyssey Research Associates VHDL-verification tool. Commercial industry has been anxious to work with our team, although we have not had sufficient resources to work with as many as we would have liked. Nevertheless, we have helped lay the necessary foundation for productive use of formal methods in several companies.

Fundamental research has been performed in the design and verification of a fault-tolerant reliable computing platform that can support real-time control applications. Also much progress has been made in developing and demonstrating formal methods for critical subsystems of the RCP such as clock synchronization, Byzantine agreement, and voting.

### References

- [1] Saab Blames Gripen Crash on Software. Aviation Week & Space Technology, Feb. 1989.
- [2] Key Technologies For the Year 2000. National Center for Advanced Technologies, 1250 Eye Street N.W., Washington, D.C. 20005, June 1991.
- [3] Barrett, Geoff: Formal Methods Applied to a Floating-Point Number System. IEEE Transactions on Software Engineering, vol. 15, no. 5, May 1989, pp. 611-621.
- [4] Best, David W.; Charles E. Kress, Nick M. Mykris; Russell, Jeffrey D.; and Smith, William J.: An advanced-architecture CMOS/SOS microprocessor. *IEEE Micro*, vol. 2, no. 4, Aug. 1982, pp. 11-26.

<sup>&</sup>lt;sup>7</sup>This project was not initiated by Langley, but Langley has been a major participant in it.

- [5] Bevier, William R.; and Young, William D.: Machine Checked Proofs of the Design and Implementation of a Fault-Tolerant Circuit. NASA Contractor Report 182099, Nov. 1990.
- [6] Bevier, William R.; and Young, William D.: The Proof of Correctness of a Fault-Tolerant Circuit Design. In Second IFIP Conference on Dependable Computing For Critical Applications, Tucson, Arizona, Feb. 1991, pp. 107-114.
- Bickford, Mark; and Srivas, Mandayam: Verification of the FtCayuga Fault-Tolerant Microprocessor System (Volume 2: Formal Specification and Correctness Theorems). NASA Contractor Report 187574, July 1991.
- [8] Bose, Bhaskar: DDD A Transformation System for Digital Design Derivation. Indiana University, Technical Report 331, Computer Science Department, May 1991.
- [9] Bose, Bhaskar; and Johnson, Steven D.: DDD-FM9001: Derivation of a Verified Microprocessor. An Exercise in Integrating Verification with Formal Derivation. In Milne, G.; and Pierre, L., editors 1993:, Proceedings of IFIP Conference on Correct Hardware Design and Verification Methods. Springer, LNCS 683, 1993, pp. 191-202. also published as Tech Report # 380, Computer Science Department, Indiana University.
- [10] Brock, Bishop; and Hunt, Jr., Warren A.: Report on the Formal Specification and Partial Verification of the VIPER Microprocessor. NASA Contractor Report 187540, July 1991.
- [11] Butler, Ricky W.: An Elementary Tutorial on Formal Specification and Verification Using PVS. NASA Technical Memorandum 108991, Sept. 1993.
- [12] Butler, Ricky W.; and Di Vito, Ben L.: Formal Design and Verification of a Reliable Computing Platform For Real-Time Control (Phase 2 Results). NASA Technical Memorandum 104196, Jan. 1992.
- [13] Butler, Ricky W.; Di Vito, Ben L.; and Holloway, C. Michael: Formal Design and Verification of a Reliable Computing Platform For Real-Time Control (Phase 3 Results). NASA Technical Memorandum 109140, Aug. 1994.
- [14] Butler, Ricky W.; and Finelli, George B.: The Infeasibility of Experimental Quantification of Life-Critical Software Reliability. In Proceedings of the ACM SIGSOFT '91 Conference on Software for Critical Systems, New Orleans, Louisiana, Dec. 1991, pp. 66-76.
- [15] Butler, Ricky W.; and Finelli, George B.: The Infeasibility of Quantifying the Reliability of Life-Critical Real-Time Software. *IEEE Transactions on Software Engineering*, vol. 19, no. 1, Jan. 1993, pp. 3-12.
- [16] Butler, Ricky W.; and Johnson, Sally C.: Formal Methods For Life-Critical Software. In Computing in Aerospace 9 Conference, San Diego, CA, Oct. 1993, pp. 319-329.
- [17] Butler, Ricky W.; and Sjogren, Jon A.: Hardware Proofs Using EHDM and the RSRE Verification Methodology. NASA Technical Memorandum 100669, Dec. 1988.
- [18] Butler, Ricky W., (ed.): NASA Formal Methods Workshop 1990. NASA Conference Publication 10052, Nov. 1990.
- [19] Carreño, Victor A.; and Angellatta, Rob K.: A Case Study for the Real-Time Experimental Evaluation of the VIPER Microprocessor. NASA Technical Memorandum 104098, Sept. 1991.
- [20] Computer Resource Management, Inc.: In Digital Systems Validation Handbook volume III, no. DOT/FAA/CT-88/10. FAA.
- [21] Courcoubetis, Costas, editor 1993: Computer Aided Verification, CAV '93, vol. 697 of Lecture Notes in Computer Science, Elounda, Greece, June/July 1993. Springer Verlag.

- [22] Di Vito, Ben L.; and Butler, Ricky W.: Provable Transient Recovery for Frame-Based, Fault-Tolerant Computing Systems. In *Real-Time Systems Symposium*, Phoenix, Az, Dec. 1992.
- [23] Di Vito, Ben L.; and Butler, Ricky W.: Formal Techniques for Synchronized Fault-Tolerant Systems. In Dependable Computing for Critical Applications 3, Dependable Computing and Fault-Tolerant Systems, pp. 279-306. Springer Verlag, Wien New York, 1993. Also presented at 3rd IFIP Working Conference on Dependable Computing for Critical Applications, Mondello, Sicily, Italy, Sept. 14-16, 1992.
- [24] Di Vito, Ben L.; Butler, Ricky W.; and Caldwell, James L.: High Level Design Proof of a Reliable Computing Platform. In *Dependable Computing for Critical Applications 2*, Dependable Computing and Fault-Tolerant Systems, pp. 279-306. Springer Verlag, Wien New York, 1992. Also presented at 2nd IFIP Working Conference on Dependable Computing for Critical Applications, Tucson, AZ, Feb. 18-20, 1991, pp. 124-136.
- [25] Di Vito, Ben L.; Butler, Ricky W.; and Caldwell, James L., II: Formal Design and Verification of a Reliable Computing Platform For Real-Time Control (Phase 1 Results). NASA Technical Memorandum 102716, Oct. 1990.
- [26] Eichenlaub, Carl T.; Harper, C. Douglas; and Hird, Geoffrey: Using Penelope to Assess the Correctness of NASA Ada Software: A Demonstration of Formal Methods as a Counterpart to Testing. NASA Contractor Report 4509, May 1993.
- [27] Fisher, Gene; Frincke, Deborah; Wolber, Dave; and Cohen, Gerald C.: Structured Representation for Requirements and Specifications. NASA Contractor Report 187522, July 1991.
- [28] Frincke, Deborah; Wolber, Dave; Fisher, Gene; and Cohen, Gerald: Requirements Specification Language (RSL) and Supporting Tools. Nov. 1992.
- [29] Fura, David A.; Windley, Phillip J.; and Cohen, Gerald C.: Formal Design Specification of a Processor Interface Unit. NASA Contractor Report 189698, Nov. 1992.
- [30] Garmen, John R.: The Bug Heard 'Round The World. ACM Software Engineering Notes, vol. 6, no. 5, Oct. 1981, pp. 3-10.
- [31] Gibbs, W. Wayt: Software's Chronic Crisis. Scientific American, Sept. 1994, pp. 86-95.
- [32] Goldberg, Jack; et al.: Development and Analysis of the Software Implemented Fault-Tolerance (SIFT) Computer. NASA Contractor Report 172146, 1984.
- [33] Guaspari, David: Penelope, an Ada Verification System. In Proceedings of Tri-Ada '89, Pittsburgh, PA, Oct. 1989, pp. 216-224.
- [34] Guaspari, David: Formally Specifying the Logic of an Automatic Guidance Controller. In Ada-Europe Conference, Athens, Greece, May 1991.
- [35] Hamilton, Margaret: Zero-defect software: the elusive goal. IEEE Spectrum, Mar. 1986.
- [36] Harper, Richard E.; Lala, Jay H.; and Deyst, John J.: Fault Tolerant Parallel Processor Architecture Overview. In Proceedings of the 18th Symposium on Fault Tolerant Computing, 1988, pp. 252-257.
- [37] Hoover, Doug; and Chen, Zewei: TBell: A Mathematical Tool for Analyzing Decision Tables. NASA Contractor Report 195027, Nov. 1994.
- [38] Houston, Iain; and King, Steve: CICS Project Report: Experiences and Results from the Use of Z in IBM. In Prehn, S.; and Toetenel, W.J., editors 1991:, VDM '91: Formal Software Development Methods, Noordwijkerhout, The Netherlands, Oct. 1991, Springer Verlag, pp. 588-596. Volume 1: Conference Contributions.

- [39] Hunt, Warren A.: A Formal HDL and its use in the FM9001 Verification. In Hoare, C.A.R.; and Gordon, M.J., editors 1992:, Mechanized Reasoning in Hardware Design. Prentice-Hall, 1992.
- [40] John Kelly, et. al.: Formal Methods Demonstration Project for Space Applications Phase I Case Study: Space Shuttle Orbit DAP Jet. Dec. 1993.
- [41] Johnson, Sally C.; and Butler, Ricky W.: Design For Validation. In AIAA/IEEE 10th Digital Avionics Systems Conference, Los Angeles, California, Oct. 1991, pp. 487-492.
- [42] Johnson, Sally C.; and Butler, Ricky W.: Design For Validation. IEEE Aerospace and Electronics Systems, Jan. 1992, pp. 38-43.
- [43] Johnson, Sally C.; Holloway, C. Michael; and Butler, Ricky W.: Second NASA Formal Methods Workshop 1992. NASA Conference Publication 10110, Nov. 1992.
- [44] Joyce, Ed: Software Bugs: A Matter of Life and Liability. Datamation, May 1987.
- [45] Kalvala, Sara; Archer, Myla; and Levitt, Karl: A Methodology for Integrating Hardware Design and Verification. In ACM International Workshop on Formal Methods in VLSI Design, Miami, FL, Jan. 1991.
- [46] Kalvala, Sara; Levitt, Karl; and Cohen, Gerald C.: Design and Verification of a DMA Processor. NASA contractor report, 1992. Unpublished.
- [47] Knight, John C.; and Leveson, Nancy G.: An experimental evaluation of the assumptions of independence in multiversion programming. *IEEE Transactions on Software Engineering*, vol. SE-12, no. 1, Jan. 1986, pp. 96-109.
- [48] Knight, John. C.; and Leveson, Nancy. G.: A Reply To the Criticisms Of The Knight & Leveson Experiment. ACM SIGSOFT Software Engineering Notes, Jan. 1990.
- [49] Lamport, Leslie: Using Time Instead of Timeout for Fault-Tolerant Distributed Systems. ACM Transactions on Programming Languages and Systems, vol. 6, no. 2, Apr. 1984, pp. 254-280.
- [50] Lamport, Leslie; and Melliar-Smith, P. M.: Synchronizing Clocks in the Presence of Faults. Journal Of The ACM, vol. 32, no. 1, Jan. 1985, pp. 52-78.
- [51] Lamport, Leslie; Shostak, Robert; and Pease, Marshall: The Byzantine Generals Problem. ACM Transactions on Programming Languages and Systems, vol. 4, no. 3, July 1982, pp. 382-401.
- [52] Leveson, Nancy G.: Software Safety: What, Why, and How. Computing Surveys, vol. 18, no. 2, June 1986.
- [53] Levitt, Karl; and et. al.: Formal Verification of a Microcoded VIPER Microprocessor using HOL. NASA Contractor Report 4489, Feb. 1993.
- [54] Lincoln, Patrick; and Rushby, John: Formal Verification of an Algorithm for Interactive Consistency under a Hybrid Fault Model. In Courcoubetis [21], pp. 292-304.
- [55] Lincoln, Patrick; and Rushby, John: A Formally Verified Algorithm For Interactice Consistency Under a Hybrid Fault Model. NASA Contractor Report 4527, July 1993.
- [56] Lincoln, Patrick; and Rushby, John: A Formally Verified Algorithm for Interactive Consistency under a Hybrid Fault Model. In Fault Tolerant Computing Symposium 23, Toulouse, France, June 1993, IEEE Computer Society, pp. 402-411.
- [57] Lincoln, Patrick; and Rushby, John: Formal Verification of an Interactive Consistency Algorithm for the Draper FTP Architecture under a Hybrid Fault Model. In 1994 Computer Assurance (COMPASS) Conference, June 1994.

- [58] Meissner, Charles W., Jr.; Dunham, Janet R.; and (eds.), C. Crim: Proceedings of the NASA-LaRC Flight-Critical Digital Systems Technology Workshop. NASA Conference Publication 10028, Apr. 1989.
- [59] Miller, Steve; and Srivas, Mandayam: Formal Verification of the AAMP5 Microprocessor: A Case Study in the Industrial Use of Formal Methods. In WIFT'95 Workshop on Industrial-strength Formal Specification Techniques, Boca Raton, Florida USA, Apr. 1995. To appear.
- [60] Miner, Paul S.: An Extension to Schneider's General Paradigm for Fault-Tolerant Clock Synchronization. NASA Technical Memorandum 107634, Langley Research Center, Hampton, VA, 1992.
- [61] Miner, Paul S.: A Verified Design of a Fault-Tolerant Clock Synchronization Circuit: Preliminary Investigations. NASA Technical Memorandum 107568, Mar. 1992.
- [62] Miner, Paul S.: Verification of Fault-Tolerant Clock Synchronization Systems. NASA Technical Paper 3349, Nov. 1993.
- [63] Miner, Paul S.; Padilla, Peter A.; and Torres, Wilfredo: A Provably Correct Design of a Fault-Tolerant Clock Synchronization Circuit. In 11th Digital Avionics Systems Conference, Seattle, WA, Oct. 1992, pp. 341-346.
- [64] Miner, Paul S.; Pullela, Shyamsundar; and Johnson, Steven D.: Interaction of Formal Design Systems in the Development of a Fault-Tolerant Clock Synchronization Circuit. In 13th Symposium on Reliable Distributed Systems. IEEE Computer Society Press, 1994, pp. 128-137. Proceedings of SRDS 94 held at Dana Point, California, October 1994.
- [65] Moore, J Strother: A Formal Model of Asynchronous Communication and Its Use in Mechanically Verifying a Biphase Mark Protocol. NASA Contractor Report 4433, June 1992.
- [66] Moore, J Strother: Mechanically Verified Hardware Implementing an 8-bit Parallel IO Byzantine Agreement Processor. NASA Contractor Report 189588, Apr. 1992.
- [67] Neumann, Peter G.: Some Computer-Related Disasters and Other Egregious Horrors. ACM Software Engineering Notes, vol. 10, no. 1, Jan. 1985, pp. 6–12.
- [68] Owre, S.; Shankar, N.; and Rushby, J. M.: The PVS Specification Language (Beta Release). Computer Science Laboratory, SRI International, Menlo Park, CA, Feb. 1993.
- [69] Owre, S.; Shankar, N.; and Rushby, J. M.: User Guide for the PVS Specification and Verification System (Beta Release). Computer Science Laboratory, SRI International, Menlo Park, CA, Feb. 1993.
- [70] Owre, Sam; Rushby, John; ; Shankar, Natarajan; and von Henke, Friedrich: Formal Verification for Fault-Tolerant Architectures: Prolegomena to the Design of PVS. IEEE Transactions on Software Engineering, 1995. To appear.
- [71] Pan, Jing; and Levitt, Karl: Towards a Formal Specification of the IEEE Floating-Point Standard with Application to the Verification of Floating-Point Coprocessors. In 24th Asilomar Conference on Signals, Systems & Computers, Monterrey, CA., Nov. 1990.
- [72] Pan, Jing; Levitt, Karl; and Cohen, Gerald C.: Toward a Formal Verification of a Floating-Point Coprocessor and its Composition with a Central Processing Unit. NASA Contractor Report 187547, Aug. 1991.
- [73] Pan, Jing; Levitt, Karl; and Schubert, E. Thomas: Toward a Formal Verification of a Floating-Point Coprocessor and its Composition with a Central Processing Unit. In ACM International Workshop on Formal Methods in VLSI Design, Miami, FL, Jan. 1991.
- [74] Rogers, Michael; and Gonzalez, David L.: Can We Trust Our Software? Newsweek, Jan. 1990.
- [75] Rushby, John: Formal Specification and Verification of a Fault-Masking and Transient-Recovery Model for Digital Flight-Control Systems. NASA Contractor Report 4384, July 1991.

- [76] Rushby, John: Formal verification of an Oral Messages algorithm for interactive consistency. NASA Contractor Report 189704, Oct. 1992.
- [77] Rushby, John: Formal Methods and Digital Systems Validation for Airborne Systems. NASA Contractor Report 4551, 1993.
- [78] Rushby, John: A Formally Verified Algorithm Clock Sychronization Under a Hybrid Fault Model. In ACM Principles of Distributed Computing '94, Aug. 1994.
- [79] Rushby, John; and von Henke, Friedrich: Formal Verification of a Fault-Tolerant Clock Synchronization Algorithm. NASA Contractor Report 4239, June 1989.
- [80] Rushby, John; and von Henke, Friedrich: Formal Verification of Algorithms for Critical Systems. IEEE Transactions on Software Engineering, vol. 19, no. 1, Jan. 1993, pp. 13-23.
- [81] Schneider, Fred B.: Understanding Protocols for Byzantine Clock Synchronization. Cornell University, Ithaca, NY, Technical Report 87-859, Aug. 1987.
- [82] Schrage, Michael: 'When the Chips Are Down' Will Likely Be Heard More Often in Computing. The Washington Post, pp. B3. December 16, 1994.
- [83] Schubert, Thomas; and Levitt, Karl: Verification of Memory Management Units. In Second IFIP Conference on Dependable Computing For Critical Applications, Tucson, Arizona, Feb. 1991, pp. 115– 123.
- [84] Schubert, Thomas; Levitt, Karl; and Cohen, Gerald C.: Towards Composition of Verified Hardware Devices. NASA Contractor Report 187504, Nov. 1991.
- [85] Schubert, Thomas; Levitt, Karl; and Cohen, Gerald C.: Formal Mechanization of Device Interactions With a Process Algebra. NASA Contractor Report 189644, Nov. 1992.
- [86] Schubert, Thomas; Levitt, Karl; and Cohen, Gerald C.: Formal Verification of a Set of Memory Management Units. NASA Contractor Report 189566, 1992.
- [87] Shankar, N.; Owre, S.; and Rushby, J. M.: The PVS Proof Checker: A Reference Manual (Beta Release). Computer Science Laboratory, SRI International, Menlo Park, CA, Feb. 1993.
- [88] Shankar, Natarajan: Mechanical Verification of a Schematic Byzantine Clock Synchronization Algorithm. NASA Contractor Report 4386, July 1991.
- [89] Shankar, Natarajan: Mechanical Verification of a Generalized Protocol for Byzantine Fault-Tolerant Clock Synchronization. In Second International Symposium on Formal Techniques in Real Time and Fault Tolerant Systems, vol. 571 of Lecture Notes in Computer Science, pp. 217-236. Springer Verlag, Nijmegen, The Netherlands, Jan. 1992.
- [90] Shankar, Natarajan: Verification of Real-Time Systems Using PVS. In Courcoubetis [21], pp. 280-291.
- [91] Shankar, Natarajan; Owre, Sam; and Rushby, John: PVS Tutorial. Computer Science Laboratory, SRI International, Menlo Park, CA, Feb. 1993. Also appears in Tutorial Notes, Formal Methods Europe '93: Industrial-Strength Formal Methods, pages 357-406, Odense, Denmark, April 1993.
- [92] Srivas, Mandayam; and Bickford, Mark: Verification of the FtCayuga Fault-Tolerant Microprocessor System (Volume 1: A Case Study in Theorem Prover-Based Verification). NASA Contractor Report 4381, July 1991.
- [93] Srivas, Mandayam; and Bickford, Mark: Moving Formal Methods Into Practice: Verifying the FTPP Scoreboard: Phase 1 Results. NASA Contractor Report 189607, May 1992.
- [94] Thambidurai, Philip; and Park, You-Keun: Interactive Consistency With Multiple Failure Modes. In 7th Symposium on Reliable Distributed Systems, Columbus, OH, Oct. 1988, pp. 93-100.

- [95] Wiener, Lauren Ruth: Digital Woes. Addison-Wesley Publishing Company, 1993. ISBN 0-201-62609-8.
- [96] Windley, Phillip J.: Abstract Hardware. In ACM International Workshop on Formal Methods in VLSI Design, Miami, FL, Jan. 1991.
- [97] Windley, Phillip J.: The Formal Verification of Generic Interpreters. In 28th Design Automation Conference, San Franciso, CA, June 1991.
- [98] Windley, Phillip J.; Levitt, Karl; and Cohen, Gerald C.: Formal Proof of the AVM-1 Microprocessor Using the Concept of Generic Interpreters. NASA Contractor Report 187491, Mar. 1991.
- [99] Windley, Phillip J.; Levitt, Karl; and Cohen, Gerald C.: The Formal Verification of Generic Interpreters. NASA Contractor Report 4403, Oct. 1991.
- [100] Young, William D.: Verifying the Interactive Convergence Clock Synchronization Algorithm Using the Boyer-Moore Theorem Prover. NASA Contractor Report 189649, Apr. 1992.

| REPORT DOCUMENTATION PAGE                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |                                                                                                               |                                                                                                  |                                                                 |                                                                        | Form Approved<br>OMB No. 0704-0188                                                                                                                              |  |
|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------|-----------------------------------------------------------------|------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------|--|
| Public reporting burden for this collection of information is estimated to average 1 hour per response, including the time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden, to Washington Headquarters Services, Directorate for Information Operations and Reports, 1215 Jefferson Davis Highway, Suite 1204, Arlington, VA 22202-4302, and to the Office of Management and Budget, Paperwork Reduction Project (0704-0188), Washington, DC 20503. |                                                                                                               |                                                                                                  |                                                                 |                                                                        |                                                                                                                                                                 |  |
| I. AGENOT OGE ONET (Leave blank                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |                                                                                                               | Ine 1995                                                                                         |                                                                 |                                                                        | E AND DATES COVERED                                                                                                                                             |  |
| 4. TITLE AND SUBTITLE                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |                                                                                                               | 116 1995                                                                                         |                                                                 | Conference                                                             |                                                                                                                                                                 |  |
| Third NASA Langley Formal Methods Workshop                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |                                                                                                               |                                                                                                  |                                                                 |                                                                        | 5. FUNDING NUMBERS<br>WU 505-64-50-03                                                                                                                           |  |
|                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |                                                                                                               |                                                                                                  |                                                                 |                                                                        | 100 303-04-30-03                                                                                                                                                |  |
| 6. AUTHOR(S)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |                                                                                                               |                                                                                                  |                                                                 |                                                                        | WU 505-64-10-13                                                                                                                                                 |  |
| C. Michael Holloway, Comp                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |                                                                                                               |                                                                                                  |                                                                 |                                                                        |                                                                                                                                                                 |  |
| 7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |                                                                                                               |                                                                                                  |                                                                 |                                                                        | 8. PERFORMING ORGANIZATION                                                                                                                                      |  |
| NASA Langley Research Center<br>Hampton, VA 23681-0001                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |                                                                                                               |                                                                                                  |                                                                 |                                                                        | REPORT NUMBER                                                                                                                                                   |  |
| 9. SPONSORING / MONITORING AGENCY NAME(S) AND ADDRESS(ES)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |                                                                                                               |                                                                                                  |                                                                 |                                                                        | 10. SPONSORING / MONITORING                                                                                                                                     |  |
| National Aeronautics and Space Administration                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |                                                                                                               |                                                                                                  |                                                                 |                                                                        | AGENCY REPORT NUMBER                                                                                                                                            |  |
| Washington, DC 20546-0001                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |                                                                                                               |                                                                                                  |                                                                 |                                                                        | NASA CP-10176                                                                                                                                                   |  |
| 11. SUPPLEMENTARY NOTES                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |                                                                                                               |                                                                                                  |                                                                 |                                                                        |                                                                                                                                                                 |  |
| Administrative chair was Lis                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | a F. Peckham                                                                                                  | Butler and C.<br>, also of NAS                                                                   | Michael H<br>SA Langle                                          | Iolloway of Na<br>y Research C                                         | ASA Langley Research Center.<br>Center.                                                                                                                         |  |
| 12a. DISTRIBUTION / AVAILABILITY STATEMENT<br>Unclassified-Unlimited                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |                                                                                                               |                                                                                                  |                                                                 |                                                                        | 12b. DISTRIBUTION CODE                                                                                                                                          |  |
| Subject Category 59                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |                                                                                                               |                                                                                                  |                                                                 |                                                                        |                                                                                                                                                                 |  |
| 13. ABSTRACT (Maximum 200 words)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |                                                                                                               |                                                                                                  |                                                                 |                                                                        | · · · · · · · · · · · · · · · · · · ·                                                                                                                           |  |
| NASA-sponsored formal me<br>problems. Contained herein                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     | is to the design<br>earchers, indu-<br>thods and to in<br>are copies of<br>at of attendees<br>able electronic | n and verifica<br>ustry enginee<br>nvestigate ne<br>the material<br>and a detai<br>cally through | ation of lif<br>ers, and a<br>ew opport<br>presente<br>led summ | e-critical syste<br>cademicians t<br>unities for app<br>d at the works | ems. This workshop brought<br>to discuss the potential of<br>blying these methods to industry<br>shop, summaries of many of the<br>poley formal methods program |  |
| 14. SUBJECT TERMS                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |                                                                                                               |                                                                                                  |                                                                 | <u> </u>                                                               |                                                                                                                                                                 |  |
| formal methods; specification; design; verification; mathematical modeling; technology transfer; formal logic                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |                                                                                                               |                                                                                                  |                                                                 |                                                                        | 15. NUMBER OF PAGES<br>269                                                                                                                                      |  |
|                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |                                                                                                               |                                                                                                  |                                                                 |                                                                        | 16. PRICE CODE<br>A12                                                                                                                                           |  |
| 7. SECURITY CLASSIFICATION 1<br>OF REPORT                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  | 8. SECURITY CLA                                                                                               | SSIFICATION                                                                                      |                                                                 | RITY CLASSIFICAT                                                       | ION 20. LIMITATION OF ABSTRACT                                                                                                                                  |  |
| Unclassified                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | OF THIS PAGE<br>Unclassified                                                                                  |                                                                                                  | OF AB                                                           | STRACT                                                                 |                                                                                                                                                                 |  |
| VSN 7540-01-280-5500                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |                                                                                                               |                                                                                                  | L                                                               | ·····                                                                  | Standard Form 298 (Rev. 2-89)                                                                                                                                   |  |

| Standard Form 298       | (Rev. 2-89 |
|-------------------------|------------|
| Prescribed by ANSI Std. | Z39-18     |
| 298-102                 |            |