Formal Verification for Fault-Tolerant Architectures: Prolegomena to the Design of PVS

IEEE Transactions on Software Engineering

Volumn 21, Issue 2, 1995, Pages 107-125

  Owre, Sam ^a   Rushby, John ^a   Shankar, Natarajan ^a   von Henke, Friedrich ^a,b  

^a SRI INTERNATIONAL   (United States)

^b UNIVERSITY OF ULM   (Germany)

Author keywords

Byzantine agreement; clock synchronization; fault tolerance; flight control; formal methods; formal specification; hardware verification; PVS; theorem proving; verification systems

Indexed keywords

ALGORITHMS; AVIONICS; COMPUTER ARCHITECTURE; COMPUTER HARDWARE; COMPUTER SELECTION AND EVALUATION; CONTROL SYSTEMS; FAULT TOLERANT COMPUTER SYSTEMS; SYNCHRONIZATION; THEOREM PROVING; TIMING CIRCUITS;

BYZANTINE AGREEMENT; CLOCK SYNCHRONIZATION; FLIGHT CONTROL; FORMAL METHODS; FORMAL SPECIFICATION; HARDWARE VERIFICATION; PVS; VERIFICATION SYSTEMS;

FORMAL LANGUAGES;

EID: 0029251055     PISSN: 00985589     EISSN: None     Source Type: Journal    
DOI: 10.1109/32.345827     Document Type: Article

References (84)

1. Federal Aviation Administration, “System Design and Analysis,” Advisory Circular 25.1309-1 A, June 21, 1988
2. R. W. Dennis and A. D. Hills, “A fault tolerant fly by wire system for maintenance free applications,” in 9th AIAA/IEEE Digital Avionics Syst. Conf. Virginia Beach, VA, Oct. 1990, pp. 11-20.
3. D. A. Mackall, “Development and flight test experiences with a flight-crucial digital control system,” NASA Tech. Paper 2857, NASA Ames Res. Ctr., Dryden Flight Res. Facility, Edwards, CA, 1988.
4. J. H. Wensley et al., “SIFT: Design and analysis of a fault-tolerant computer for aircraft control,” in Proc. IEEE, vol. 66, Oct. 1978, pp. 1240-1255.
5. M. Pease, R. Shostak, and L. Lamport, “Reaching agreement in the presence of faults,” J. ACM, vol. 27, no. 2, pp. 228-234, Apr. 1980.
6. R. M. Kieckhafer, C. J. Walter, A. M. Finn, and P. M. Thambidurai, “The MAFT architecture for distributed fault tolerance,” IEEE Trans. Comput., vol. 37, pp. 398-05, Apr. 1988.
7. P. Thambidurai and Y.-K. Park, “Interactive consistency with multiple failure modes,” in IEEE 7th Symp. Reliable Distribut. Syst., Columbus, OH, Oct. 1988, pp. 93-100.
8. P. M. Melliar-Smith and R. L. Schwartz, “Formal specification and verification of SIFT: A fault-tolerant flight control system,” IEEE Trans. Comput., vol. C-31, pp. 616-630, July 1982.
9. W. R. Bevier and W. D. Young, “Machine checked proofs of the design of a fault-tolerant circuit,” Formal Aspects of Computing, vol. 4, no. 6A, pp. 755-775, 1992.
10. M. Srivas and M. Bickford, “Verification of the Ft.-Cayuga fault-tolerant microprocessor system, Vol. 1: A case-study in theorem prover-based verification,” NASA Langley Res. Ctr., Hampton, VA, Contractor Rep. 4381, July 1991.
11. P. M. Melliar-Smith and J. Rushby, “The Enhanced HDM system for specification and verification,” in Proc. VerkShop III, pp. 41-43, published as ACM Software Engineering Notes, vol. 10, no. 4, Aug. 85.
12. J. M. Spitzen, K. N. Levitt, and L. Robinson, “An example of hierarchical design and proof,” Commun. ACM, vol. 21, no. 12, pp. 1064-1075, Dec. 1978.
13. R. E. Shostak, “Deciding combinations of theories,” J. ACM, vol. 31, no. 1, pp. 1-12, Jan. 1984.
14. J. Rushby, F. von Henke, and S. Owre, “An introduction to formal specification and verification using EHDM,” Computer Sci. Lab., SRI International, Menlo Park, CA, Tech. Rep. SRI-CSL-91-2, Feb. 1991.
15. S. Owre, J. M. Rushby, and N. Shankar, “PVS: A prototype verification system,” in 11th Int. Conf. Automated Deduction (CADE), vol. 607 of Lecture Notes in Artificial Intelligence, D. Kapur, Ed. New York: Springer-Verlag, pp. 748-752.
16. M. Gordon, R. Milner, and C. Wadsworth, “Edinburgh LCF: A mechanized logic of computation,” in Lecture Notes in Computer Sci. New York: Springer-Verlag, vol. 78, 1979.
17. N. Shankar, “Verification of real-time systems using PVS,” in Courcoubetis [80], pp. 280-291.
18. J. U. Skakkebæk and N. Shankar, “Towards a duration calculus proof assistant in PVS,” in Langmaack et al. [81], pp. 660-679.
19. J. Hooman, “Correctness of real time systems by construction,” in Langmaack et al. [81], pp. 19-40.
20. L. Lamport and P. M. Melliar-Smith, “Synchronizing clocks in the presence of faults,” J. ACM, vol. 32, no. 1, pp. 52-78, Jan. 1985.
21. J. Rushby and F. von Henke, “Formal verification of the Interactive Convergence clock synchronization algorithm using EHDM,” Computer Sci. Lab., SRI International, Menlo Park, CA, Feb. 1989 (Rev. Aug. 1991); original version also available as NASA Contractor Rep. 4239, June 1989.
22. J. Rushby and F. von Henke, “Formal verification of algorithms for critical systems,” IEEE Trans. Software Eng., vol. 19, pp. 13-23, Jan. 1993.
23. William D. Young, “Verifying the Interactive Convergence clock-synchronization algorithm using the Boyer-Moore prover,” NASA Langley Res. Ctr., Hampton, VA, NASA Contractor Rep. 189649, Apr. 1992.
24. E. Liu and J. Rushby, “A formally verified module to support Byzantine fault-tolerant clock synchronization,” Computer Sci. Lab., SRI International, Menlo Park, CA, Project rep. 8200-130, Dec. 1993.
25. D. L. Palumbo and R. Lynn Graham, “Experimental validation of clock synchronization algorithms,” NASA Langley Res. Ctr., Hampton, VA, NASA Tech. Paper 2857, July 1992.
26. J. Rushby, “A formally verified algorithm for clock synchronization under a hybrid fault model,” in 13th ACM Symp. Principles of Distrib. Comput., Los Angeles, CA, Aug. 1994, pp. 304-313.
27. F. B. Schneider, “Understanding protocols for Byzantine clock synchronization,” Dep. of Computer Sci., Cornell Univ., Ithaca, NY, Tech. Rep. 87-859, Aug. 1987.
28. N. Shankar, “Mechanical verification of a generalized protocol for Byzantine fault-tolerant clock synchronization,” in Vytopil [82], pp. 217-236.
29. P. S. Miner, “Verification of fault-tolerant clock synchronization systems,” NASA Langley Res. Ctr., Hampton, VA, NASA Tech. Paper 3349, Nov. 1993.
30. J. L. Welch and N. Lynch, “A new fault-tolerant algorithm for clock synchronization,” Information and Computation, vol. 77, no. 1, pp. 1-36, Apr. 1988.
31. P. S. Miner, S. Pullela, and S. D. Johnson, “Interaction of formal design systems in the development of a fault-tolerant clock synchronization circuit,” in IEEE 13th Symp. Reliable Distribut. Syst., Dana Point, CA, Oct. 1994, pp. 128-137.
32. B. Bose, “DDD—a transformation system for Digital Design Deriviation,” Computer Sci. Dep., Indiana Univ., Bloomington, IN, Tech. Rep. 331, May 1991.
33. L. Lamport, R. Shostak, and M. Pease, “The Byzantine generals problem,” ACM Trans. Programming Languages and Syst., vol. 4, no. 3, pp. 382-401, July 1982.
34. W. R. Bevier and W. D. Young, “Machine-checked proofs of a Byzantine agreement algorithm,” Computational Logic Inc., Austin, TX, Tech. Rep. 55, June 1990.
35. J. Rushby, “Formal verification of an Oral Messages algorithm for interactive consistency,” Computer Sci. Lab., SRI International, Menlo Park, CA, Tech. Rep. SRI-CSL-92-1, July 1992; also available as NASA Contractor Rep. 189704, Oct. 1992.
36. P. Lincoln and J. Rushby, “Formal verification of an algorithm for interactive consistency under a hybrid fault model,” in Courcoubetis [80], pp. 292-304.
37. P. Lincoln and J. Rushby, “A formally verified algorithm for interactive consistency under a hybrid fault model,” in IEEE Fault Tolerant Computing Symp. 23, Toulouse, France, June 1993, pp. 402-411.
38. R. S. Boyer and J. S. Moore, “MJRTY—a fast majority vote algorithm,” in Automated Reasoning: Essays in Honor of Woody Bledsoe, of Automated Reasoning Series, R. S. Boyer, Ed. Dordrecht, The Netherlands: Kluwer, vol. 1, pp. 105-117, 1991.
39. P. Lincoln and J. Rushby, “Formal verification of an algorithm for interactive consistency under a hybrid fault model,” Computer Sci. Lab., SRI International, Menlo Park, CA, Tech. Rep. SRI-CSL-93-2, Mar. 1993; also available as NASA Contractor Rep. 4527, July 1993.
40. A. L. Hopkins, Jr., J. H. Lala, and T. B. Smith III, “The evolution of fault tolerant computing at the Charles Stark Draper Laboratory, 1955-85,” in The Evolution of Fault-Tolerant Computing, vol. 1 of Dependable Computing and Fault-Tolerant Systems, A. Aviznienis, H. Kopetz, and J. C. Laprie, Eds. Vienna, Austria: Springer-Verlag, 1987, pp. 121-140.
41. J. H. Lala, “A Byzantine resilient fault tolerant computer for nuclear power application,” in IEEE Fault Tolerant Computing Symp. 16, Vienna, Austria, July 1986, pp. 338-343.
42. P. Lincoln and J. Rushby, “Formal verification of an interactive consistency algorithm for the Draper FTP architecture under a hybrid fault model,” in IEEE COMPASS '94 (Proc. 9th Annual Conf. Comput. Assurance), Gaithersburg, MD, June 1994,, pp. 107-120.
43. B. L. Di Vito, R. W. Butler, and J. L. Caldwell, “High level design proof of a reliable computing platform,” in Meyer and Schlichting [83], pp. 279-306.
44. J. Rushby, “A fault-masking and transient-recovery model for digital flight-control systems,” in Formal Techniques in Real-Time and Fault-Tolerant Systems, J. Vytopil, Ed. Norwell, MA: Kluwer, ch. 5, pp. 109-136, 1993.
45. R. W. Butler, B. L. Di Vito, and C. M. Holloway, “Formal design and verification of a reliable computing platform for real-time control: Phase 3 results,” NASA Langley Res. Ctr., Hampton, VA, NASA Tech. Memo. 109140, Aug. 1994.
46. B. L. Di Vito and R. W. Butler, “Formal techniques for synchronized fault-tolerant systems,” in Dependable Computing for Critical Applications—3, in Dependable Computing and Fault-Tolerant Systems. C. E. Landwehr, B. Randell, and L. Simoncini, Eds. Vienna, Austria: Springer-Verlag, vol. 8, pp. 163-188, Sept. 1992.
47. S. P. Miller and M. Srivas, “Formal verification of the AAMP5 microprocessor: A case study in the industrial use of formal methods,” to be presented at WIFT'95: Workshop on Industrial-Strength Formal Specification Techniques, Boca Raton, FL, Apr. 5-8, 1995.
48. D. W. Best, C. E. Kress, N. M. Mykris, J. D. Russell, and W. J. Smith, “An advanced-architecture CMOS/SOS microprocessor,” IEEE Micro vol. 2, pp. 11-26, Aug. 1982.
49. W. C. Carter, W. H. Joyner, Jr., and D. Brand, “Microprogram verification considered necessary,” in Nat. Comput. Conf., AFIPS Conf. Proc., 1978, vol. 48, pp. 657-664.
50. J. V. Cook, “Verification of the C/30 microcode using the State Delta Verification System (SDVS),” in Proc. 13th Nat. Comput. Security Conf., Washington, DC, Oct. 1990, pp. 20-31.
51. D. May, G. Barrett, and D. Shepherd, “Designing chips that work,” in Hoare and Gordon [84], pp. 3-19.
52. W. A. Hunt, Jr., FM8501: A Verified Microprocessor, vol. 795 of Lecture Notes in Artificial Intelligence. Berlin: Springer-Verlag, 1994.
53. W. A. Hunt, Jr. and B. C. Brock, “A formal HDL and its use in the FM9001 verification,” in Hoare and Gordon [84], pp. 35-47.
54. J. Rushby, “Formal methods and digital systems validation for airborne systems,” Computer Sci. Lab., SRI International, Menlo Park, CA, Tech. Rep. SRI-CSL-93-7, Dec. 1993; also available as NASA Contractor Rep. 4551, Dec. 1993.
55. R. R. Lutz, “Analyzing software requirements errors in safety-critical embedded systems,” in IEEE Int. Symp. Requirements Eng., San Diego, CA, Jan. 1993, pp. 126-133.
56. J. Guttag and J. J. Horning, “Formal specification as a design tool,” in 7th ACM Symp. on Principles of Programming Languages, Las Vegas, NV, Jan. 1980, pp. 251-261.
57. N. Shankar, “Abstract datatypes in PVS,” Computer Sci. Lab., SRI International, Menlo Park, CA, Tech. Rep. SRI-CSL-93-9, Dec. 1993.
58. J. H. Cheng and C. B. Jones, “On the usability of logics which handle partial functions,” in Proc. 3rd Refinement Workshop, in Springer-Verlag Workshops in Computing. C. Morgan and J. C. P. Woodcock, Eds., 1990, pp. 51-69.
59. J. R. Shoenfield, Mathematical Logic. Reading, MA: Addison-Wesley, 1967.
60. J. K. Ousterhout, “Tcl and the TK Toolkit,” in Professional Computing Series. Reading, MA: Addison-Wesley, 1994.
61. I. Lakatos, Proofs and Refutations. Cambridge, England: Cambridge University Press, 1976.
62. I. Kleiner, “Rigor and proof in mathematics: A historical perspective,” in Mathematics Magazine, vol. 64, no. 5, pp. 291-314, Dec. 1991.
63. R. E. Shostak, “On the SUP-INF method for proving Presburger formulas,” J. ACM, vol. 24, no. 4, pp. 529-543, Oct. 1977.
64. R. E. Shostak, “Deciding linear inequalities by computing loop residues,” J. ACM, vol. 28, no. 4, pp. 769-779, Oct. 1981.
65. R. S. Boyer and J. S. Moore, “Integrating decision procedures into heuristic theorem provers: A case study with linear arithmetic,” in Machine Intelligence, vol. 11. London: Oxford University Press, 1986.
66. M. J. C. Gordon and T. F. Melham, Eds., Introduction to HOL: A Theorem Proving Environment for Higher-Order Logic. Cambridge, UK: Cambridge University Press, 1993.
67. G. L. J. M. Janssen, ROBDD Software, Dep. of Elec. Eng., Eindhoven Univ. of Technology, Oct. 1993.
68. D. Cyrluk, S. Rajan, N. Shankar, and M. K. Srivas, “Effective theorem proving for hardware verification,” in Preliminary Proc. 2nd Conf. Theorem Provers in Circuit Design. (Germany: Bad Herrenalb), Sept. 1994, pp. 287-305.
69. R. L. Constable et al., Implementing Mathematics with the Nuprl Proof Development System. Englewood Cliffs, NJ: Prentice-Hall, 1986.
70. F. K. Hanna, N. Daeche, and M. Longley, “Specification and verification using dependent types,” IEEE Trans. Software Eng., vol. 16, pp. 949-964, Sept. 1989.
71. T. Yuasa and R. Nakajima, “IOTA: A modular programming system,” IEEE Trans. Software Eng., vol. SE-11, pp. 179-187, Feb. 1985.
72. R. S. Boyer and J. S. Moore, A Computational Logic. New York: Academic, 1979.
73. R. S. Boyer and J. S. Moore, A Computational Logic Handbook. New York: Academic, 1988.
74. R. Melton and D. L. Dill, Murø Annotated Reference Manual. Stanford, CA: Computer Sci. Dep., Stanford Univ., Mar. 1993.
75. K. L. McMillan, Symbolic Model Checking. Boston, MA: Kluwer, 1993.
76. J. R. Burch and D. L. Dill, “Automatic verification of pipelined microprocessor control,” in Computer-Aided Verification, CAV'94, vol. 818 of Lecture Notes in Computer Science, D. Dill, Ed. New York: Springer-Verlag, pp. 68-80.
77. D. Cyrluk and P. Narendran, “Ground temporal logic—a logic for hardware verification,” in Computer-Aided Verification, CAV '94, vol. 818 of Lecture Notes in Computer Science, D. Dill, Ed. New York: Springer-Verlag, pp. 247-259.
78. K. L. Heninger, “Specifying software requirements for complex systems: New techniques and their application,” IEEE Trans. Software Eng., vol. SE-6, pp. 2-13, Jan. 1980.
79. J. Rushby and M. Srivas, “Using PVS to prove some theorems of David Parnas,” in Higher Order Logic Theorem Proving and its Applications' (6th Int. Workshop, HUG '93), no. 780 in Lecture Notes in Computer Science, J. J. Joyce and C.-J. H. Seger, Eds. New York: Springer-Verlag, pp. 163-173.
80. C. Courcoubetis, Ed., Computer-Aided Verification, CAV '93, vol. 697 of Lecture Notes in Computer Science. New York: Springer-Verlag, June/July 1993.
81. H. Langmaack, W.-P. de Roever, and J. Vytopil, Eds., Formal Techniques in Real-Time and Fault-Tolerant Systems, vol. 863 of Lecture Notes in Computer Science. New York: Springer-Verlag, Sept. 1994.
82. J. Vytopil, Ed., Formal Techniques in Real-Time and Fault-Tolerant Systems, vol. 571 of Lecture Notes in Computer Science. New York: Springer-Verlag, Jan. 1992.
83. J. F. Meyer and R. D. Schlichting, Eds., Dependable Computing for Critical Applications—2, vol. 6 of Dependable Computing and Fault-Tolerant Systems. Vienna, Austria: Springer-Verlag, Feb. 1991.
84. C. A. R. Hoare and M. J. C. Gordon, Eds., Mechanized Reasoning and Hardware Design. Prentice Hall International Series in Computer Science, Hemel Hempstead, UK, 1992.