NASA Langley's research and technology-transfer program in formal methods

This paper presents an overview of NASA Langley's research program in formal methods. The major goals of this work are to make formal methods practical for use on life-critical systems, and to orchestrate the transfer of this technology to U.S. industry through the use of carefully designed demonstration projects. Several direct technology-transfer efforts have been initiated that apply formal methods to critical subsystems of real aerospace computer systems. The research team consists of five NASA civil servants and contractors from Odyssey Research Associates, SRI International, and ViGYAN Inc.
