Design verification of SIFT

Abstract A SIFT reliable aircraft control computer svstem, designed to meet the ultrahigh reliability required for safety critical flight control applications by use of processor replication and voting, was constructed by the Bendix Corporation for SRI, and was delivered to NASA Langley for evaluation in the AIRLAB. To increase our confidence in the reliability projections for SIFT, produced by a Markov reliability model, SRI constructed a formal specification for SIFT, defining the meaning of reliability in the context of flight control. A further series of specifications defined, in increasing detail, the design of SIFT down to pre and post conditions on Pascal code procedures. Mechanically checked mathematical proofs were constructed to demonstrate that the more detailed design specifica- tions for SIFT do indeed imply the formal reliability requirement. An additional specification defined some of the assumptions made about SIFT by the Markov model, and further proofs were constructed to show that these assumptions, as expressed by that specification, did indeed follow from the more detailed design specifications for SIFT. This report provides an outline of the methodology used for this hierarchical Specification and proof, and describes the various specifi- cations and proofs performed. Specification Veri € icat ion Subject Category 62