Design and Safety Assessment of Critical Systems

Design and Safety Assessment of Critical Systems

Volumn , Issue , 2010, Pages 1-269

  Bozzano, Marco ^a   Villafiorita, Adolfo ^b  

^a FONDAZIONE BRUNO KESSLER   (Italy)

^b UNIVERSITY OF TRENTO   (Italy)

Author keywords

[No Author keywords available]

Indexed keywords

EID: 85134933282     PISSN: None     EISSN: None     Source Type: Book    
DOI: 10.1201/b10094     Document Type: Book

References (357)

1. Air Force Safety Agency (2000). Air Force System Safety Handbook. Available at http://www.system-safety.org/Documents/AF_System-Safety-HNDBK.pdf. Last retrieved on November, 15, 2009.
2. Akerlund, O., P. Bieber, E. Böede, et al. (2006). ISAAC, a framework for integrated safety analysis of functional, geometrical and human aspects. In Proc. European Congress on Embedded Real Time Software (ERTS 2006).
3. Bowen, J.P. and V. Stavridou (1992). Safety-critical systems, formal methods and standards. BCS/IEE Software Engineering Journal 8(4), 189–209.
4. Bozzano, M., A. Cimatti, and F. Tapparo (2007). Symbolic fault tree analysis for reactive systems. In Proc. 5th International Symposium on Automated Technology for Verification and Analysis (ATVA 2007), Volume 4762 of LNCS, pp. 162–176. Berlin: Springer.
5. Bozzano, M. and A. Villafiorita (2007). The FSAP/NuSMV-SA safety analysis platform. Software Tools for Technology Transfer 9(1), 5–24.
6. Bozzano, M., A. Villafiorita, and O. Åkerlund et al. (2003). ESACS: An integrated methodology for design and safety analysis of complex systems. In Proc. European Safety and Reliability Conference (ESREL 2003), pp. 237–245. Leiden, The Netherlands: Balkema.
7. Brooks, F. P. (1995). No silver bullet—essence and accident. In The Mythical Man Month (Anniversary Edition with four new chapters), Chapter 16. Reading MA: Addison-Wesley.
8. Chen, Y.-R. (2006). Automatic Failure Analysis Using Extended Safecharts. Master’s thesis, Institute of Computer Science and Information Engineering College of Engineering, National Chung Cheng University.
9. Chiles, J.R. (2002). Inviting Disaster—Lessons from the Edge of Technology. New York: Harper Business.
10. Dvorak, D.L., Editor (2009). NASA Study on Flight Software Complexity. Available at http://www.nasa.gov/offices/oce/documents/FSWC.study.html.
11. Ebert, C. and C. Jones (2009). Embedded software: Facts, figures, and future. Computer 42(04), 42–52.
12. Ericson II C.A. (1999). Fault tree analysis—A history. In Proc. 17th International System Safety Conference.
13. Ericson II C.A. (2006). A short history of system safety. Journal of System Safety (eEdition) 42(3).
14. Fenelon, P., J.A. McDermid, M. Nicolson, and D. Pumfrey (1994). Towards integrated safety analysis and design. SIGAPP Applied Computing Review 2(1), 21–32.
15. Ferguson, J. (2001). Crouching dragon, hidden software: Software in DoD weapon systems. IEEE Software 18(4), 105–107.
16. Hammer, W. (2003). Product Safety Management and Engineering (2nd ed.). Des Plaines, IL: American Society of Safety Engineers.
17. History of the Elevator (Last retrieved on November 15, 2009). The History of the Elevator. Available at http://inventors.about.com/library/inventors/blelevator.htm.
18. Joshi, A., S. Miller, M. Whalen, and M. Heimdahl (2005). A proposal for model-based safety analysis. In Proc. 24th Digital Avionics Systems Conference (DASC 2005). Washington, D.C.: IEEE Computer Society.
19. Knief, R.A. (1992). Nuclear Engineering: Theory and Technology of Commercial Nuclear Power. London: Taylor & Francis.
20. Kruchten, P. (1995). Architectural blueprints—the “4+1” view model of software architecture. IEEE Software 12(6), 44–50.
21. Langer, D., J. Rauch, and M. Rössler (1992). Fly-by-wire systems for military high performance aircraft. In M. Schiebe and S. Pferrer (Eds.), Real-Time Systems Engineering and Applications, pp. 369–395. Dordrecht, The Netherlands. Kluwer Academic.
22. Leveson, N.G. (2003). White Paper on Approaches to Safety Engineering. Available at http://sunnyday.mit.edu/caib/concepts.pdf. Last retrieved on November 15, 2009.
23. Lyu, M.R. (Ed.) (1996). Handbook of Software Reliability Engineering. Washington, D.C.: IEEE Computer Society, and New York: McGraw-Hill.
24. Maisel, W., M. Sweeney, W. Stevenson, K. Ellison, and L. Epstein (2001). Recalls and safety alerts involving pacemakers and implantable cardioverter-defibrillator generators. Journal of the American Medical Association 286(7), 793–799.
25. Moore, G.E. (1965). Cramming more components onto integrated circuits. Electronics 38(8), 114–117.
26. NASA (Last retrieved on November, 15, 2009). F-8 digital fly-by-wire aircraft. Available at http://www.nasa.gov/centers/dryden/news/FactSheets/FS-024-DFRC.html.
27. O’Connor, P.D. (2003). Practical Reliability Engineering (4th ed.). New York: Wiley. Quantitative Software Management, Inc. (Last retrieved on November 15, 2009). Function Point Languages table. Available at http://www.qsm.com/?q=resources/function-point-languages-table/index.html.
28. Rogovin, M. and G.T. Frampton (1980). Three Mile Island. A Report to the Commissioners and to the Public, Volume I-II. NUREG/CR-1250.
29. SAE (1996). Certification Considerations for Highly-Integrated or Complex Aircraft Systems.Technical Report ARP4754, Warrendale, PA: Society of Automotive Engineers.
30. Smithsonian National Museum of American History, Behring Center (Last retrieved on November 15, 2009). Three Mile Island: The Inside Story. Available at http://americanhistory.si.edu/TMI/.
31. Sommerville, I. (2007). Software Engineering (8th ed.). Reading, PA: Addison-Wesley.
32. TMI (1979). Report of the President’s Commission on the Accident at Three Mile Island. Available at http://www.pddoc.com/tmi2/kemeny/index.html (Last retrieved on November 15, 2009).
33. U.S. Nuclear Regulatory Commission (Last retrieved on November 15, 2009). Backgrounder on the Three Mile Island Accident. Available at http://www.nrc.gov/readingrm/doc-collections/fact-sheets/3mile-isle.html.
34. Various Authors (2007). World Nuclear Industry Handbook. Kenf, United Kingdom: Nuclear Engineering International. Surrey, England: Business Press International.
35. Various Authors (Last retrieved on November, 15, 2009). Aircraft Flight Control System: Available at http://en.wikipedia.org/wiki/Aircraft_flight_control_systems.
36. Vesely, W.E., F.F. Goldberg, N.H. Roberts, and D.F. Haasl (1981). Fault Tree Handbook. Technical Report NUREG-0492, Systems and Reliability Research Office of Nuclear Regulatory Research U.S. Nuclear Regulatory Commission.
37. Walker, J. Samuel (2004). Three Mile Island: A Nuclear Crisis in Historical Perspective. Berkeley, CA: University of California Press.
38. World Nuclear Association (Last retrieved on November 15, 2009). Nuclear Power Reactors. Available at http://www.world-nuclear.org/info/inf32.html.
39. Bozzano, M. and A. Villafiorita (2007). The FSAP/NuSMV-SA safety analysis platform. Software Tools for Technology Transfer 9(1), 5–24.
40. FSAP (Last retrieved on November 15, 2009). The FSAP/NuSMV-SA Platform. Available at https://es.fbk.eu/tools/FSAP.
41. Gonyeau, J. (2009). Chernobyl Event. Available at http://www.nucleartourist.com/. Last retrieved on November 15, 2009.
42. Griffin, S. (2009). Internet Pioneers. Available at http://www.ibiblio.org/pioneers/index.html. Last retrieved on November 15, 2009.
43. IBM (1964). Laboratory Maintanance Instructions—Saturn V Launch Vehicle Digital Computer. Available at http://ntrs.nasa.gov/archive/nasa/casi.ntrs.nasa.gov/19730063841_1973063841.pdf. Last retrieved on November 15, 2009.
44. Laprie, J. (1991). Dependability: Basic Concepts and Terminology. Berlin: Springer.
45. Lee, S., J.-il Jung, and I. Lee (2007). Voting structures for cascaded triple modular redundant modules. IEICE Electronics Express 4(21), 657.
46. Lee, S. and I. Lee (2001). Staggered voting for TMR shift register chains in poly-Si TFT-LCDs. Journal of Information Display 2(2), 22–26.
47. Leveson, N.G. (1995). Safeware: System Safety and Computers. Reading, MA: Addison-Wesley.
48. Miller, S.P. and M.W. Whalen (2005). A Methodology for the Design and Verification of Globally Asynchronous/Locally Synchronous Architectures. Technical Report CR-2005-213912, NASA.
49. Moore, E.F. and C.E. Shannon (1956). Reliable circuits using less reliable relays. Journal of the Franklin Institute 262, 191–208 and 281–297.
50. Rausand, M. and A. Høyland (2004). System Reliability Theory: Models, Statistical Methods, and Applications. New York: Wiley.
51. Siewiorek, D.P. and P. Narasimhan (2005). Fault tolerant architecture for space and avionics applications. In Proc. 1st International Forum on Integrated System Health Engineering and Management in Aerospace (ISHEM 2005).
52. Storey, N. (1996). Safety Critical Computer Systems. Reading, MA: Addison-Wesley.
53. Various Authors (1987). Report on the Accident at the Chernobyl Nuclear Power Station. Technical Report NUREG-1250, Nuclear Regulatory Commission.
54. Various Authors (2009a). Chernobyl disaster. Available at http://en.wikipedia.org/w/index.php?title=Chernobyl_disaster. Last retrieved on November 15, 2009.
55. Various Authors (2009b). The history of the internet. Available at http://en.wikipedia.org/wiki/History_of_the_Internet. Last retrieved on November 15, 2009.
56. Von Neumann, J. (1956). Probabilistic logics and the synthesis of reliable organisms from unreliable components. In C.E. Shannon and J. McCarthy (Eds.), Automata Studies, Number 34, pp. 43–98. Princeton, NJ: Princeton University Press.
57. Cojazzi, G., J.M. Izquierdo, E. Melèndez, and M.S. Perea (1992). The reliability and safety assessment of protection systems by the use of dynamic event trees. The DYLAM-TRETA package. In Proc. XVIII Annual Meeting Spanish Nuclear Society.
58. Dugan, J., S. Bavuso, and M. Boyd (1992). Dynamic fault-tree models for fault-tolerant computer systems. IEEE Transactions on Reliability 41(3), 363–377.
59. European Space Agency (2001). Space Products Assurance: Failure Modes, Effects and Criticality Analysis (FMECA). Technical Report ECSS-Q-30-02A, European Cooperation for Space Standardization (ECSS).
60. Manian, R., J. Dugan, D. Coppit, and K. Sullivan (1998). Combining various solution techniques for dynamic fault tree analysis of computer systems. In Proc. 3rd IEEE International Symposium on High-Assurance Systems Engineering (HASE ’98), pp. 21–28. Washington, D.C.: IEEE Computer Society.
61. Rausand, M. and A. Høyland (2004). System Reliability Theory: Models, Statistical Methods, and Applications. New York: Wiley.
62. SAE (1996). Guidelines and Methods for Conducting the Safety Assessment Process on Civil Airborne Systems and Equipment. Technical Report ARP4761, Society of Automotive Engineers.
63. Sullivan, K.J., J.B. Dugan, and D. Coppit (1999). The Galileo fault tree analysis tool. In Proc. Symposium on Fault-Tolerant Computing (FTCS 1999), pp. 232–235. Washington, D.C.: IEEE Computer Society.
64. U.K. Ministry of Defence (2007). Defence Standard 00-56. Safety Management Requirements for Defence Systems. Part I: Requirements. II. Guidance on Establishing a Means of Complying with Part 1. U.K. Ministry of Defence.
65. Vesely, W., M. Stamatelatos, J. Dugan, J. Fragola, J. Minarick III, and J. Railsback (2002). Fault Tree Handbook with Aerospace Applications. Technical report, NASA.
66. Vesely, W.E., F.F. Goldberg, N.H. Roberts, and D.F. Haasl (1981). Fault Tree Handbook. Technical Report NUREG-0492, Systems and Reliability Research Office of Nuclear Regulatory Research U.S. Nuclear Regulatory Commission.
67. AIA, GAMA, and FAA Aircraft Certification Service (2004). The FAA and Industry Guide to Product Certification. Available at http://www.faa.gov/aircraft/air_cert/design_approvals/media/CPI_guide_II.pdf. Last retrieved on November 15, 2009.
68. AIRBUS (Last retrieved on November 15, 2009). A380 Family. Available at http://www.airbus.com/en/aircraftfamilies/a380/.
69. Albrecht, A.J. (1979). Measuring application development productivity. In Proc. IBM Application Development Symposium, pp. 83–92. Indianapolis, IN: IBM Press.
70. Anschuetz, L. (1998). Managing geographically distributed teams. In A Contemporary Renaissance: Changing the Way We Communicate, Proc. International Professional Communication Conference (IPCC 98). Washington, D.C.: IEEE Computer Society.
71. BEA (2002). Accident on 25 July 2000 at La Patte d’Oie in Gonesse (95) to the Concorde Registered F-BTSC operated by Air France (Main Report). Available at http://www.bea-fr.org/docspa/2000/f-sc000725a/pdf/f-sc000725a.pdf. Last retrieved on November 15, 2009.
72. Bell Canada (1994). The Trillium Model. Available at http://www2.umassd.edu/swpi/BellCanada/trillium-html/trillium.html. Last retrieved on November 15, 2009.
73. Boehm, B.W. (1981). Software Engineering Economics (Prentice-Hall Advances in Computing Science & Technology Series). Upper Saddle River, NJ: Prentice Hall.
74. Boehm, B.W. (1988). A spiral model of software development and enhancement. IEEE Computer 21(5), 61–72.
75. Boehm, B.W., E. Horowitz, R. Madachy, D. Reifer, B.K. Clark, B. Steece, W.A. Brown, S. Chulani, and C. Abts (2000). Software Cost Estimation with Cocomo II (with CD-ROM). Upper Saddle River, NJ: Prentice Hall.
76. Booch, G., J. Rumbaugh, and I. Jacobson (2005). Unified Modeling Language User Guide (2nd ed.). Object Technology Series. Reading, MA: Addison-Wesley.
77. Burke, R. (2006). Project Management, Planning and Control Techniques (4th ed.). New York: Wiley.
78. Cai, X., M.R. Lyu, and M.A. Vouk (2005). An experimental evaluation on reliability features of n-version programming. In Proc. 16th IEEE International Symposium on Software Reliability Engineering (ISSRE’05), pp. 161–170. Washington, D.C.: IEEE Computer Society.
79. Clarke, E.M., O. Grumberg, and D.E. Long (1992). Model checking and abstraction. In POPL ’92: Proc. 19thACMSIGPLAN-SIGACT Symposium on Principles of Programming Languages, New York, pp. 343–354. ACM.
80. Clarke, E.M., O. Grumberg, and D.E. Long (1994). Model checking and abstraction. ACM Transactions on Programming Languages and Systems (TOPLAS) 16(5), 1512–1542.
81. CMMI Product Team (2009). Capability Maturity Model Integration. Technical Report CMU/SEI-2006-TR-008. Pittsburgh, PA: Software Engineering Institute.
82. COCOMO II (2000). COCOMO II Model Definition Manual. Available at http://csse.usc.edu/csse/research/COCOMOII/cocomo2000.0/CII_modelman2000.0.pdf. Last retrieved on November 15, 2009.
83. Conkey, C. and A. Pasztor (2009). U.S. Aviation Faces Surging Bird-Strike Threat. Available at http://online.wsj.com/article/SB124058077567352845.html. Last retrieved on November 15, 2009.
84. Dassault Systemes (Last retrieved on November 15, 2009). Catia - Virtual Design for Product Excellence. Available at http://www.3ds.com/products/catia/welcome/.
85. Defence Materiel Organisation, Australian Department of Defence (2007). +SAFE, V1.2: A Safety Extension to CMMI-DEV, V1.2. Technical Report CMU/SEI-2007-TN-006, Pittsburgh, PA: Software Engineering Institute.
86. Department of Defense (1993). Military Standard—System Safety Program Requirements. Technical Report MIL-STD-882C, Department of Defense.
87. Department of Defense (1998). Department of Defense Handbook—Work Breakdown Structure. Technical Report MIL-HDBK-881, Department of Defense.
88. Department of Defense (2000). Department of Defence, Standard Practice for System Safety. Technical Report MIL-STD-882D, Department of Defense.
89. Dörner, D. (1997). The Logic of Failure: Recognizing and Avoiding Error in Complex Situations. New York: Perseus Books.
90. Dvorak, D.L., Editor (2009). Nasa study on flight software complexity. Available at http://oceexternal.nasa.gov/OCE_LIB/pdf/1021608main_FSWC_Final_Report.pdf. Last retrieved on November 15, 2009.
91. Embry-Riddle Aeronautical University (Last retrieved on November 15, 2009). FAA National Wildlife Strike Database. Available at http://wildlife.pr.erau.edu/database/mapping_us_select.php.
92. European Space Agency (2008). Space Project Management: Project Planning and Implementation.Technical Report ECSS-M-ST-10C. Noordwijk, The Netherlands: European Cooperation for Space Standardization (ECSS).
93. FAA (Federal Aviation Administration) (2000). FAA System Safety Handbook. Available at http://www.faa.gov/library/manuals/aviation/risk_management/ss_handbook/. Last retrieved on November 15, 2009.
94. FAA (Federal Aviation Administration) (2007). Type Certification. Order 8110.4C, U.S. Deparment of Transportation.
95. FAA (Federal Aviation Administration) (Last retrieved on November 15, 2009). Airport Wildlife Hazard Mitigation Home Page. Available at http://wildlife-mitigation.tc.faa.gov/public_html/index.html.
96. Fowler, M. and K. Scott (2000). UML Distilled (2nd ed.): A Brief Guide to the Standard Object Modeling Language. Reading, MA: Addison-Wesley.
97. Giunchiglia, F., A. Villafiorita, and T. Walsh (1999). Theories of abstraction. AI Communications 10(3-4), 167–176.
98. Giunchiglia, F. and T. Walsh (1992). A theory of abstraction. Artificial Intelligence 57(2-3), 323–389.
99. Hinds, P.J. and M. Mortensen (2005). Understanding conflict in geographically distributed teams: The moderating effects of shared identity, shared context, and spontaneous communication. Organization Science, 16(3), 290–307.
100. INCOSE (Last retrieved on November 15, 2009). Requirements Management Tools Survey. Available at http://www.incose.org/ProductsPubs/Products/rmsurvey.aspx.
101. ISO/IEC 15504 (1998). ISO/IEC 15504 : Information Technology—Software Process Assessment—part 7: Guide for Use in Process Improvement.
102. Joint Software System Safety Committee (1999). Software System Safety Handbook—A Technical & Managerial Team Approach. Available at www.system-safety.org/Documents/Software_System_Safety_Handbook.pdf. Last retrieved on November 15, 2009.
103. Jones, C. (2007). Estimating Software Costs. New York: McGraw-Hill.
104. Knight, J.C. and N.G. Leveson (1986). An experimental evaluation of the assumption of independence in multiversion programming. IEEE Transactions on Software Engineering, 12(1), 96–109.
105. Kruchten, P. (2000). The Rational Unified Process: An Introduction (2nd ed.). Reading, MA: Addison-Wesley.
106. Kuvaja, P., J. Simila, L. Krzanik, A. Bicego, G. Koch, and S. Saukonen (1994). Software Process Assessment and Improvement: the BOOTSTRAP approach. New York: Blackwell.
107. Lann, G.L. (1997). An analysis of the Ariane 5 flight 501 failure—a system engineering perspective. In Proc. IEEE International Conference and Workshop on Engineering of Computer-Based Systems, pp. 339–346. Washington, D.C.: IEEE Computer Society.
108. Meyer, B. (1992). Applying “design by contract.” Computer 25, 40–51.
109. Meyer, B. (2009). Touch of Class: Learning to Program Well with Objects and Contracts. Berlin: Springer.
110. Miller, A. (2008). Distributed Agile Development at Microsoft Patterns & Practices. Available at http://download.microsoft.com/download/4/4/a/44a2cebd-63fb-4379-898d-9cf24822c6cc/distributed_agile_development_at_microsoft_patterns_and_practices.pdf. Last retrieved on November 15, 2009.
111. MRY/Reuters (2006). A380 hit by new production problems. Spiegel Online International . Last retrieved on November 15, 2009.
112. NASA (1999). Mars Climate Orbiter Mishap Investigation Board Phase I Report. Available at ftp://ftp.hq.nasa.gov/pub/pao/reports/1999/MCO_report.pdf. Last retrieved on November 15, 2009.
113. NASA (2004). NASA Software Safety Guidebook. Number NASA-GB-8719.13 in NASA Technical Standard. National Aeronautics and Space Administration.
114. NASA (2007). NASA Systems Engineering Handbook. Technical Report NASA/SP-2007-6105, Rev1, NASA.
115. NEi Software Inc. (Last retrieved on November 15, 2009). NEi Software Automotive Case Study. Available at http://www.nenastran.com/newnoran/chPDF/CASE_Chassis_Design.pdf.
116. O’Connor, P.D. (2003). Practical Reliability Engineering (4th ed.). New York: Wiley.
117. Office of Government Commerce (2005). Managing Successful Projects with PRINCE2 (5th revised ed.). Washington, DC: Stationery Office Books.
118. Perrow, C. (1984). Normal Accidents: Living with High-Risk Technologies. Basic Books. Updated by Princeton, NJ: Princeton University Press, 1999.
119. Pilone, D. and N. Pitman (2005). UML 2.0 in a Nutshell (In a Nutshell (O’Reilly)). Sebastopol, CA: O’Reilly Media, Inc.
120. Project Management Institute (2004). A Guide to the Project Management Body of Knowledge (PMBOK ® Guide) (3rd ed.). Newtown Square, PA: Project Management Institute.
121. Radu, G. and D. Mladin (2003). Common cause failure data collection and analysis for safetyrelated components of TRIGA SSR-14MW Pitesti, Romania. In Proc. International Conference Nuclear Energy for New Europe 2003.
122. Report by the Inquiry Board (1996). Ariane 5 Flight 501 Failure. Paris, France: European Space Agency.
123. Royce, W. (1998). Software Project Management: A Unified Framework. Reading, MA: Addison-Wesley.
124. Royce, W.W. (1970). Managing the development of large software systems. In Proc. Western Electronic Show and Convention (WESCON 1970), pp. 1–9. IEEE Computer Society. Reprinted in Proc. 9th International Conference on Software Engineering, Toronto, Ontario, Canada: ACM Press, 1989, pp. 328–338.
125. SAE (1996a). Certification Considerations for Highly-Integrated or Complex Aircraft Systems. Technical Report ARP4754. Warrendale, PA: Society of Automotive Engineers.
126. SAE (1996b). Guidelines and Methods for Conducting the Safety Assessment Process on Civil Airborne Systems and Equipment. Technical Report ARP4761. Warrendale, PA: Society of Automotive Engineers.
127. Software Engineering Institute (1995). The Capability Maturity Model: Guidelines for Improving the Software Process. Reading, MA: Addison-Wesley.
128. Sommerville, I. (2007). Software Engineering (8th ed.). Reading, MA: Addison-Wesley. University of Southern California (1994). USC COCOMO Reference Manual. Los Angeles, CA: University of Southern California.
129. University of Southern California (2000). USC COCOMO II 2000 Software Reference Manual. Available at http://csse.usc.edu/csse/research/COCOMOII/cocomo2000.0/CII_manual2000.0.pdf. Last retrieved on November 15, 2009.
130. University of Southern California (Last retrieved on November 15, 2009). Center for Systems and Software Engineering of the University of Southern California. Available at http://csse.usc.edu/csse/index.html.
131. Various Authors (Last retrieved on November 15, 2009a). List of GUI Testing Tools. Available at http://en.wikipedia.org/wiki/List_of_GUI_testing_tools.
132. Various Authors (Last retrieved on November 15, 2009b). Revision Control. Available at http://en.wikipedia.org/wiki/Revision_control.
133. Abdulla, P.A., J. Deneux, G. Stålmarck, H. Ågren, and O. Åkerlund (2004). Designing safe, reliable systems using scade. In T. Margaria, B. Steffen, A. Philippou, and M. Reitenspieß (Eds.), Proc. 1st International Symposium on Leveraging Applications of Formal Methods (ISoLA 2004), Volume 4313 of LNCS, pp. 111–118. Springer.
134. Abrial, J.-R. (1996). The B-Book: Assigning Programs to Meanings. Cambridge U.K.: Cambridge University Press.
135. Abrial, J.-R., M. Lee, D.S. Neilson, P. Scharbach, and I.H. Sorensen (1991). The B-method. In S. Prehn and W. Toetenel (Eds.), Proc. 4th International Symposium of VDM Europe (VDM’91), Volume 552 of LNCS, pp. 398–405. Springer.
136. Accellera (Last retrieved on November 15, 2009). Accellera. http://www.accellera.org.
137. ACL2 (Last retrieved on November 15, 2009). ACL2: A Computational Logic for Applicative Common Lisp. http://www.cs.utexas.edu/users/moore/acl2.
138. Akerlund, O., P. Bieber, and E. Böede et al. (2006). ISAAC, a framework for integrated safety analysis of functional, geometrical and human aspects. In Proc. European Congress on Embedded Real Time Software (ERTS 2006).
139. Alur, R., C. Courcoubetis, N. Halbwachs, et al. (1995). The algorithmic analysis of hybrid systems. Theoretical Compututer Science 1, 3–34.
140. Alur, R., T.A. Henzinger, and P.-H. Ho (1996). Automatic symbolic verification of embedded systems. IEEE Transactions on Software Engineering 22(3), 181–201.
141. Baeten, J.C.M. (2005). A brief history of process algebra. Theoretical Computer Science 335(2-3), 131–146.
142. Baier, C. and J.-P. Katoen (2008). Principles of Model Checking. Cambridge, MA: MIT Press.
143. Ball, T., B. Cook, V. Levin, and S.K. Rajamani (2004). SLAM and Static Driver Verifier: technology transfer of formal methods inside microsoft. In E.A. Boiten, J. Derrick, and G. Smith (Eds.), Proc. 4th International Conference on Integrated Formal Methods (IFM 2004), Volume 2999 of LNCS, pp. 1–20. Berlin: Springer.
144. Banach, R. and M. Bozzano (2006). Retrenchment, and the generation of fault trees for static, dynamic and cyclic systems. In J.G´orski (Ed.), Proc. 25th International Conference on Computer Safety, Reliability, and Security (SAFECOMP 2006), Volume 4166 of LNCS, pp. 127–141. Springer.
145. Banach, R., M. Poppleton, C. Jeske, and S. Stepney (2005). Retrenching the purse: finite sequence numbers, and the tower pattern. In J. Fitzgerald, I. Hayes, and A. Tarlecki (Eds.), Proc. International Symposium of Formal Methods Europe (FM 2005), Volume 3582 of LNCS, pp. 382–398. Springer.
146. Barroca, L.M. and J.A. McDermid (1992). Formal methods: Use and relevance for the development of safety-critical systems. Computer Journal 35(6), 579–599.
147. Beizer, B. (1990). Software Testing Techniques. New York: Van Nostrand Reinhold Co.
148. Beizer, B. (1995). Black-Box Testing: Techniques for Functional Testing of Software and Systems. New York: Wiley.
149. Bergstra, J. and J. Klop (1984). Process algebra for synchronous communication. Information and Control 60(1-3), 109–137.
150. Bieber, P., C. Castel, and C. Seguin (2002). Combination of fault tree analysis and model checking for safety assessment of complex system. In F. Grandoni and P. Thèvenod-Fosse (Eds.), Proc. 4th European Dependable Computing Conference (EDCC-4), Volume 2485 of LNCS, pp. 19–31. Berlin: Springer.
151. Biere, A., A. Cimatti, E.M. Clarke, and Y. Zhu (1999). Symbolic model checking without bdds. In R. Cleaveland (Ed.), Proc. 5th International Conference on Tools and Algorithms for Construction and Analysis of Systems (TACAS’99), Volume 1579 of LNCS, pp. 193–207. Berlin: Springer.
152. Bowen, J.P. and M.G. Hinchey (1995). Seven more myths of formal methods. IEEE Software 12(4), 34–41.
153. Bowen, J.P. and V. Stavridou (1992). Safety-critical systems, formal methods and standards. BCS/IEE Software Engineering Journal 8(4), 189–209.
154. Bozzano, M., A. Cimatti, and F. Tapparo (2007). Symbolic fault tree analysis for reactive systems. In Proc. 5th International Symposium on Automated Technology for Verification and Analysis (ATVA 2007), Volume 4762 of LNCS, pp. 162–176. Berlin: Springer.
155. Bozzano, M. and A. Villafiorita (2003). Integrating fault tree analysis with event ordering information. In Proc. European Safety and Reliability Conference (ESREL 2003), pp. 247–254. Leiden, The Netherlands: Balkema Publisher.
156. Bozzano, M. and A. Villafiorita (2007). The FSAP/NuSMV-SA safety analysis platform. Software Tools for Technology Transfer 9(1), 5–24.
157. Bozzano, M., A. Villafiorita, and O. Åkerlund et al. (2003). ESACS: An integrated methodology for design and safety analysis of complex systems. In Proc. European Safety and Reliability Conference (ESREL 2003), pp. 237–245. Leiden, The Netherlands: Balkema Publisher.
158. Bryant, R.E. (1992). Symbolic boolean manipulation with ordered binary decision diagrams. ACM Computing Surveys 24(3), 293–318.
159. Burch, J.R., E.M. Clarke, D. Long, K.L. McMillan, and D.L. Dill (1994). Symbolic model checking for sequential circuit verification. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems 13(4), 401–424.
160. Burch, J.R., E.M. Clarke, K.L. McMillan, D.L. Dill, and L.J. Hwang (1992). Symbolic model checking: 1020 states and beyond. Information and Computation 98(2), 142–170.
161. Cardelli, L. and A. Gordon (2000). Mobile ambients. Theoretical Computer Science 240, 177– 213.
162. Chaochen, Z., C.A.R. Hoare, and A.P. Ravn (1991). A calculus of duration. Information Processing Letters 40(5), 269–276.
163. Cimatti, A., E.M. Clarke, F. Giunchiglia, and M. Roveri (2000). NuSMV: A new symbolic model checker. Software Tools for Technology Transfer 2(4), 410–425.
164. Cimatti, A., E.M. Clarke, and E. Giunchiglia et al. (2002). NuSMV2: An opensource tool for symbolic model checking. In E. Brinksma and K. Larsen (Eds.), Proc. 14th International Conference on Computer Aided Verification (CAV’02), Volume 2404 of LNCS, pp. 359–364. Berlin: Springer.
165. Clarke, E.M. and E.A. Emerson (1981). Synthesis of synchronization skeletons for branching time temporal logic. In D. Kozen (Ed.), Proc. Workshop on Logic of Programs, Volume 131 of LNCS, pp. 52–71. Berlin: Springer.
166. Clarke, E.M., E.A. Emerson, and A. Sistla (1986). Automatic verification of finite-state concurrent systems using temporal logic specifications. ACM TOPLAS 8(2), 244–263.
167. Clarke, E.M., S.M. German, and X. Zhao (1996). Verifying the SRT division algorithm using theorem proving techniques. In R. Alur and T.A. Henzinger (Eds.), Proc. 8th International Conference on Computer Aided Verification(CAV’96), Volume 1102 of LNCS, pp. 111–122. Berlin: Springer.
168. Clarke, E.M., O. Grumberg, H. Hiraishi, S.K. Jha, D. Long, K.L. McMillan, and L. Ness (1993). Verification of the FUTUREBUS+ cache coherence protocol. In Proc. International Symposium on Computer Hardware Description Languages and their Applications (CHDL-93). Amsterdam: Elsevier.
169. Clarke, E.M., O. Grumberg, S. Jha, Y. Lua, and H. Veith (2003). Counterexample-guided abstraction refinement for symbolic model checking. Journal of the ACM 50(5), 752–794.
170. Clarke, E.M., O. Grumberg, and D.A. Peled (2000). Model Checking. Cambridge, MA: MIT Press.
171. Clarke, E.M. and J.M. Wing (1996). Formal methods: State of the art and future directions. ACM Computing Surveys 28, 626–643.
172. Coq (Last retrieved on November 15, 2009). The Coq proof assistant. http://coq.inria.fr.
173. Coudert, O. and J.C. Madre (1993). Fault tree analysis: 1020 prime implicants and beyond. In Proc. Annual Reliability and Maintainability Symposium (RAMS’93), pp. 240–245. Washington, D.C.: IEEE Computer Society.
174. Cullyer, W. (1988). Implementing safety critical systems: The VIPER microprocessor. In Proc. VLSI Specification, Verification and Synthesis, pp. 1–26. Dordrecht, The Netherlands: Kluwer Academic.
175. Craigen, D. and K. Summerskill (Ed.) (1989). Proc.FM89: A Workshop on the Assessment of Formal Methods for Trustworthy Computer Systems. Washington, D.C.: IEEE Computer Society.
176. Daws, C. and S. Yovine (1995). Two examples of verification of multirate timed automata with KRONOS. In Proc. 16th IEEE Real-Time Systems Symposium, pp. 66–75. Washington, D.C.: IEEE Computer Society.
177. Degani, A. and M. Heymann (2002). Formal verification of human-automation interaction. Human Factors 44(1), 28–43.
178. Deneux, J. and O. Åkerlund (2004). A common framework for design and safety analyses using formal methods. In Proc. International Conference on Probabilistic Safety Assessment and Management (PSAM7/ESREL’04).
179. Dijkstra, E.W. (1976). A Discipline of Programming. Upper Saddle River, NJ: Prentice Hall.
180. Dill, D.L., A.J. Drexler, A.J. Hu, and C.H. Yang (1992). Protocol verification as a hardware design aid. In Proc. IEEE 1992 International Conference on Computer Design, VLSI in Computers and Processors, pp. 522–525. Washington, D.C.: IEEE Computer Society.
181. Dugan, J., S. Bavuso, and M. Boyd (1992). Dynamic fault-tree models for fault-tolerant computer systems. IEEE Transactions on Reliability 41(3), 363–77.
182. E (Last retrieved on November 15, 2009). The E Equational Theorem Prover. http://www4.informatik.tu-muenchen.de/schulz/WORK/eprover.html.
183. Eèn, N. and N. Sörensson (2003). An extensible SAT solver. In E. Giunchiglia and A. Tacchella (Eds.), Proc. Conference on Theory and Applications of Satisfiability Testing (SAT 2003), Volume 2919 of LNCS, pp. 502–518. Berlin: Springer.
184. Emerson, E.A. (1990). Temporal and modal logic. In J. van Leeuwen (Ed.), Handbook of Theoretical Computer Science, Volume B, pp. 995–1072. Amsterdam: Elsevier Science.
185. ESACS (Last retrieved on November 15, 2009). The ESACS Project. http://www.esacs.org.
186. FSAP (Last retrieved on November 15, 2009). The FSAP/NuSMV-SA platform. https://es.fbk.eu/tools/FSAP.
187. Futatsugi, K., J. Goguen, J.-P. Jouannaud, and J. Meseguer (1985). Principles of OBJ2. In Proc. 12th ACM SIGACT-SIGPLAN Symposium on Principles of Programming Languages (POPL’85), pp. 52–66. New York: ACM.
188. Gallier, J.H. (1986). Logic for Computer Science: Foundations of Automatic Theorem Proving. New York: Wiley.
189. Garavel, H. and R. Hautbois (1993). An experience with the LOTOS formal description technique on the flight warning computer of the Airbus A330/340 aircrafts. In 1st AMAST International Workshop on Real-Time Systems. Berlin: Springer.
190. Goguen, J., C. Kirchner, H. Kirchner, A. Megrelis, J. Meseguer, and T. Winkler (1988). An introduction to OBJ 3. In Proc. 1st International Workshop on Conditional Term Rewriting Systems, Volume 308 of LNCS, pp. 258–263. Berlin: Springer.
191. Grumberg, O. and H. Veith (Eds.) (2008). 25 Years of Model Checking: History, Achievements, Perspectives, Volume 5000 of LNCS. Berlin: Springer.
192. Guiho, G.D. and C. Hennebert (1990). SACEM software validation. In 12th International Conference on Software Engineering, pp. 186–191. Washington, D.C.: IEEE Computer Society.
193. Gupta, A., E.M. Clarke, and O. Strichman (2004). SAT based counterexample-guided abstraction refinement. IEEE Transactions on Computer Aided Design 23, 1113–1123.
194. Guttag, J.V. and J.J. Horning (1993). Larch: Languages and Tools for Formal Specification. Springer. Written with S.J. Garland, K.D. Jones, A. Modet, and J.M. Wing. New York: Springer- Verlag.
195. Hall, A. (1990). Seven myths of formal methods. IEEE Software 7(5), 11–19.
196. Hall, A. (1996). Using formal methods to develop an ATC information system. IEEE Software 13(2), 66–76.
197. Harel, D. (1987). Statecharts: A visual formalism for complex systems. Science of Computer Programming 8, 231–274.
198. Heimdahl, M. and N.G. Leveson (1996). Completeness and consistency in hierarchical state-based requirements. IEEE Transactions on Software Engineering 22(6), 363–377.
199. Heljanko, K., T. Junttila, and T. Latvala (2005). Incremental and complete bounded model checking for full PLTL. In K. Etessami and S.K. Rajamani (Eds.), Proc. 17th International Conference on Computer Aided Verification(CAV’05), Volume 3576 of LNCS, pp. 98–111. Berlin: Springer.
200. Henzinger, T.A. (1996). The theory of hybrid automata. In Proc. Symposium on Logic in Computer Science (LICS’96), pp. 278–292. Washington, D.C.: IEEE Computer Society.
201. Hoare, C.A.R. (1969). An axiomatic basis of computer programming. Communications of the ACM 12(10), 576–580.
202. Hoare, C.A.R. (1985). Communicating Sequential Processes. Upper Saddle River, NJ: Prentice Hall.
203. HOL (Last retrieved on November 15, 2009). The HOL Interactive Proof Assistant for Higher Order Logic. http://hol.sourceforge.net.
204. Houston, I. and S. King (1991). CICS project report: Experiences and results from the use of Z in IBM. In S. Prehn and W. Toetenel (Eds.), Proc. 4th International Symposium of VDM Europe (VDM’91), Volume 552 of LNCS, pp. 588–596. Berlin: Springer.
205. IEEE 1850 (Last retrieved on November 15, 2009). IEEE 1850. http://www.eda.org/ieee-1850.
206. ISAAC (Last retrieved on November 15, 2009). The ISAAC Project. http://www.cert.fr/isaac.
207. Jackson, D. (2006). Software Abstractions: Logic, Language, and Analysis. Cambridge, MA: MIT Press.
208. Javaux, D. and E. Olivier (2000). Assessing and Understanding Pilots’ Knowledge of Mode Transitions on the A340-200/300. In K. Abbott, J.-J. Speyer, and G. Boy (Eds.), Proc.International Conference on Human-Computer Interaction in Aeronautics (HCI-Aero 2000), pp. 163–168. Toulouse, France: Cèpadu`es-Ed.
209. Jones, C.B. (1990). Systematic Software Development UsingVDM. Upper Saddle River, NJ: Prentice Hall.
210. Joshi, A. and M. Heimdahl (2005). Model-based safety analysis of simulink models using SCADE design verifier. In R. Winther, B. Gran, and G. Dahll (Eds.), Proc. 24th International Conference on Computer Safety, Reliability and Security (SAFECOMP 2005), Volume 3688 of LNCS, pp. 122–135. Berlin: Springer.
211. Joshi, A., S. Miller, M. Whalen, and M. Heimdahl (2005). A proposal for model-based safety analysis. In Proc. 24th Digital Avionics Systems Conference (DASC 2005). Washington, D.C.: IEEE Computer Society.
212. Kaivola, R., R. Ghughal, and N. Narasimhan et al. (2009). Replacing testing with formal verification in Intel R _ CoreTM i7 processor execution engine validation. In A. Bouajjani and O. Maler (Eds.), Proc. 21st International Conference on Computer Aided Verification (CAV’09), Volume 5643 of LNCS, pp. 414–429. Berlin: Springer.
213. Kaner, C., H.Q. Nguyen, and J.L. Falk (1993). Testing Computer Software. New York: Wiley.
214. Leveson, N.G., L. Pinnell, S. Sandys, S. Koga, and J. Reese (1997). Analysing software specifications for mode confusion potential. In C.W. Johnson (Ed.), Proc. Workshop on Human Error and System Development, pp. 132–146.
215. LOTOS (1989). Information Processing Systems, Open Systems Interconnection, LOTOS—A Formal Description Technique Based on the Temporal Ordering of Observational Behaviour. Volume IS-8807 of International Standards. ISO.
216. Lüdtke, A. and L. Pfeiffer (2007). Human error analysis based on a semantically defined cognitive pilot model. In F. Saglietti and N. Oster (Eds.), Proc. 26th International Conference on Computer Safety, Reliability and Security (SAFECOMP 2007), Number 4680 in LNCS, pp. 134–147. Berlin: Springer.
217. Lynch, N.A., R. Segala, and F.W. Vaandrager (2003). Hybrid I/O automata. Information and Computation 185(1), 105–157.
218. Manian, R., J. Dugan, D. Coppit, and K. Sullivan (1998). Combining various solution techniques for dynamic fault tree analysis of computer systems. In Proc. 3rd IEEE InternationalSymposium on High-Assurance Systems Engineering (HASE ’98), pp. 21–28. Washington, D.C.: IEEE Computer Society.
219. McMillan, K.L. (1993). Symbolic Model Checking. Dordrecht, The Netherlands: Kluwer Academic.
220. Miller, S.P. and M. Srivas (1995). Formal verification of the AAMP5 microprocessor: A case study in the industrial use of formal methods. In Proc. Workshop on Industrial-Strength Formal Specification Techniques (WIFT’95), pp. 2–16. Washington, D.C.: IEEE Computer Society.
221. Milner, R. (1980). A calculus of communicating systems. Volume 92 of LNCS. Berlin: Springer.
222. Milner, R., J. Parrow, and D. Walker (1992). A calculus of mobile processes. Information and Computation 100, 1–77.
223. Mossakowski, T., A. Haxthausen, D. Sannella, and A. Tarlecki (2003). CASL—The Common Algebraic Specification Language: semantics and proof theory. Computing and Informatics 22, 285–321.
224. Mossakowski, T., A. Haxthausen, D. Sannella, and A. Tarlecki (2008). CASL, the Common Algebraic Specification Language. In D. Bjørner and M. Henson (Eds.), Logics of Formal Specification Languages, pp. 241–298. Berlin: Springer.
225. Moszkowski, B.C. and Z. Manna (1983). Reasoning in interval temporal logic. In Proc. Workshop on Logic of Programs, Volume 164 of LNCS, pp. 371–382. Berlin: Springer.
226. MRMC (Last retrieved on November, 15, 2009). MRMC: Markov Reward Model Checker. http://www.mrmc-tool.org.
227. Myers, G.J. (2004). The Art of Software Testing. New York: Wiley.
228. NuPRL (Last retrieved on November 15, 2009). The PRL Automated Reasoning Project.http://www.cs.cornell.edu/Info/Projects/NuPRL.
229. NuSMV (Last retrieved on November 15, 2009). NuSMV: A New Symbolic Model Checker.http://nusmv.fbk.eu.
230. Otter (Last retrieved on November 15, 2009). The Otter Theorem Prover. http://www.cs.unm.edu/mccune/otter.
231. Peikenkamp, T., E. Böede, I. Brückner, H. Spenke, M. Bretschneider, and H. J. Holberg (2004). Model-based safety analysis of a flap control system. In Proc. 14th Annual International Symposium INCOSE 2004.
232. Peterson, J. (1981). Petri Net Theory and the Modeling of Systems. Upper Saddle River, NJ: Prentice Hall.
233. Petri, C. (1966). Communication with Automata. DTIC Research Report AD0630125. Defense Technical Information Center, Fort Belvoir, VA.
234. Pill, I., S. Semprini, R. Cavada, M. Roveri, R. Bloem, and A. Cimatti (2006). Formal analysis of hardware requirements. In E. Sentovich (Ed.), Proc. 43rd Design Automation Conference (DAC’06), pp. 821–826. New York: ACM.
235. Pnueli, A. (1981). A temporal logic of concurrent programs. Theoretical Computer Science 13, 45–60.
236. Prasad, M.R., A. Biere, and A. Gupta (2005). A survey of recent advances in SAT-based formal verification. Software Tools for Technology Transfer 7(2), 156–173.
237. PRISM (Last retrieved on November 15, 2009). The PRISM Probabilistic Model Checker. http://www.prismmodelchecker.org.
238. Prover9 (Last retrieved on November 15, 2009). The Prover9 Theorem Prover. http://www.cs.unm.edu/mccune/prover9.
239. PSL (Last retrieved on November 15, 2009). The PSL/Sugar Consortium. http://www.pslsugar.org.
240. PVS (Last retrieved on November 15, 2009). The PVS Specification and Verification System. http://pvs.csl.sri.com.
241. Queille, J.-P. and J. Sifakis (1982). Specification and verification of concurrent systems in CÆSAR. In Proc. International Symposium on Programming: 5th Colloquium (ISP’82), Volume 137 of LNCS, pp. 337–351. Berlin: Springer.
242. RAT (Last retrieved on November 15, 2009). The RAT Requirements Analysis Tool. http://rat.fbk.eu.
243. Rauzy, A. (1993). New algorithms for fault trees analysis. Reliability Engineering and System Safety 40(3), 203–211.
244. Rue, H., N. Shankar, and M.K. Srivas (1996). Modular verification of SRT division. In R. Alur and T.A. Henzinger (Eds.), Proc. 8th International Conference on Computer Aided Verification (CAV’96), Volume 1102 of LNCS, pp. 123–134. Berlin: Springer.
245. Rushby, J. (1993). Formal Methods and the Certification of Critical Systems. Technical Report CSL-93-7, Menlo Park, CA: SRI.
246. Rushby, J. (2001a). Analyzing cockpit interfaces using formal methods. Electronic Notes in Theoretical Computer Science 43, 1–14.
247. Rushby, J. (2001b). Modelling the human in human factors. In U. Voges (Ed.), Proc. 20th International Conference on Computer Safety, Reliability, and Security (SAFECOMP 2001), Volume 2187 of LNCS, pp. 86–91. Berlin: Springer.
248. Rushby, J. (2002). Using model checking to help discover mode confusions and other automation surprises. Reliability Engineering and System Safety 75(2), 167–177.
249. Schubert, T. (2003). High level formal verification of next-generation microprocessors. In Proc. 40th Design Automation Conference (DAC’03), pp. 1–6. New York: ACM.
250. Setheo (Last retrieved on November 15, 2009). The Theorem Prover Setheo. http://www.tcs.informatik.uni-muenchen.de/letz/TU/setheo.
251. Sheeran, M., S. Singh, and G. Stalmarck (2000). Checking safety properties using induction and a SAT-solver. In W.A. Hunt Jr. and S.D. Johnson (Eds.), Proc. 3rd International Conference on Formal Methods in Computer-Aided Design (FMCAD 2000), Volume 1954 of LNCS, pp. 108–125. Berlin: Springer.
252. SLAM (Last retrieved on November 15, 2009). The SLAM Project. http://research.microsoft.com/en-us/projects/slam.
253. SPASS (Last retrieved on November 15, 2009). SPASS: An Automated Theorem Prover for First-Order Logic with Equality. http://www.spass-prover.org.
254. SPIN (Last retrieved on November 15, 2009). On-the-fly, LTL Model Checking with SPIN. http://spinroot.com.
255. Spivey, M.J. (1992). The Z Notation: A Reference Manual. Upper Saddle River, NJ: Prentice Hall.
256. STeP (Last retrieved on November 15, 2009). The Stanford Temporal Prover. http://wwwstep.stanford.edu.
257. Stepney, S., D. Cooper, and J. Woodcock (2000). An Electronic Purse: Specification, Refinement and Proof. Technical Report PRG-126, Oxford University Computing Laboratory.
258. Storey, N. (1996). Safety Critical Computer Systems. Reading, MA: Addison-Wesley.
259. Tretmans, J., K. Wijbrans, and M. Chaudron (2001). Software engineering with formal methods: The development of a storm surge barrier control system revisiting seven myths of formal methods. Formal Methods in System Design 19(2), 195–215.
260. UPPAAL (Last retrieved on November 15, 2009). UPPAAL. http://www.uppaal.com.
261. Vampire (Last retrieved on November 15, 2009). Vampire. http://www.voronkov.com/vampire.cgi.
262. Vardi, M.Y. (2001). Branching vs. linear time: final showdown. In T. Margaria and W. Yi (Eds.), Proc. 7th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS’01), Volume 2031 of LNCS, pp. 1–22. Berlin: Springer.
263. Vardi, M.Y. and P. Wolper (1986). An automata-theoretic approach to automatic program verification. In Proc. Symposium on Logic in Computer Science (LICS ’86), pp. 332–344. Washington, D.C.: IEEE Computer Society.
264. Vesely, W., M. Stamatelatos, J. Dugan, J. Fragola, J. Minarick III, and J. Railsback (2002). Fault Tree Handbook with Aerospace Applications. Technical report, NASA.
265. Vesely, W.E., F.F. Goldberg, N.H. Roberts, and D.F. Haasl (1981). Fault Tree Handbook. Technical Report NUREG-0492, Systems and Reliability Research Office of Nuclear Regulatory Research, U.S. Nuclear Regulatory Commission.
266. VIS (Last retrieved on November 15, 2009). VIS: Verification Interacting with Synthesis. http://vlsi.colorado.edu/vis.
267. Wiegers, K. (2001). Inspecting requirements. StickyMinds Weekly Column.
268. Wing, J. (1998). A symbiotic relationship between formal methods and security. In Proc. Workshop on Computer Security, Dependability, and Assurance: From Needs to Solutions, pp. 26–38. Washington, D.C.: IEEE Computer Society.
269. AIA, GAMA, and FAA Aircraft Certification Service (2004). The FAA and Industry Guide to Product Certification. Available at http://www.faa.gov/aircraft/air_cert/design_approvals/media/CPI_guide_II.pdf. Last retrieved on November 15, 2009.
270. Certification Authorities Software Team (2004). Clarification of Structure Coverage Analyses of Data Coupling and Control Coupling. Position Paper CAST-19, Federal Aviation Administration. Last retrieved on November 15, 2009.
271. Department of Defense (2005). Airworthiness Certification Criteria. Technical Report MILHDBK-516B, Department of Defense.
272. Department of Defense (Last retrieved on November 15, 2009). Assist. Available at https://assist.daps.dla.mil/online/start/.
273. ECSS Secreteriat, ESA-ESTEC (2008). ECSS system—Description, Implementation, and General Requirements. ST ECSS-S-ST-00C, European Space Agency.
274. EUROCAE (1992). Software Considerations in Airborne Systems and Equipment Certification (DO-178B/ED-12B). Technical Report DO-178B/ED-12B, EUROCAE.
275. EUROCAE (Last retrieved on November 15, 2009). EUROCAE web site: http://www.eurocae.net.
276. EUROCONTROL (2006). Safety Case Development Manual. Technical Document DAP/SSH/091, European Union.
277. European Cooperation for Space Standardization (Last retrieved on November 15, 2009). European Cooperation for Space Standardization web site. Available at http://www.ecss.nl/.
278. Federal Aviation Administration (1993). RTCA/DO-178B, Software Considerations in Airborne Systems and Equipment Certification. AC 20-115B, Federal Aviation Administration. Last retrieved on November 15, 2009.
279. Federal Aviation Administration (1998). System Design and Analysis. Advisory Circular 25.1309-1A, U.S. Deparment of Transportation.
280. Federal Aviation Administration (2005). RTCA/DO-254, Design Assurance Guidance for Airborne Electronic Hardware. AC 20-152, Federal Aviation Administration. Last retrieved on November 15, 2009.
281. Federal Aviation Administration (2007). Type Certification. Order 8110.4C, U.S. Deparment of Transportation.
282. Hayhurst, K.J., D.S. Veerhusen, J.J. Chilenski, and L.K. Rierson (2001). A Practical Tutorial on Modified Condition/Decision Coverage. Technical Report TM-2001-210876, NASA.
283. John, T.K. and J. McDermid (2001). A systematic approach to safety case maintenance. In M. Felici, K. Kanoun, and A. Pasquini (Eds.), Proc. 18th International Conference on Computer Safety, Reliability and Security (SAFECOMP’99), Volume 1968 of LNCS, pp. 13–26. Springer.
284. Kelly, T. (2003). A Systematic Approach to Safety Case Management. Technical Report 04AE-149, SAE.
285. Kemmerer, R.A. (1990). Integrating formal methods into the development process. IEEE Software 7(5), 37–50.
286. Ministry of Defence (1997). Requirements for Safety Related Software in Defence Equipment.Technical Report 00-55, Ministry of Defence.
287. Ministry of Defence (Last retrieved on November 15, 2009). UK Defence Standardization website. Available at http://www.dstan.mod.uk/.
288. NASA (Last retrieved on November 15, 2009). Software Requirements Review (SRR) Checklist. Available at http://swassurance.gsfc.nasa.gov/disciplines/quality/checklists/pdf/software_requirements_review.pdf.
289. Papadopoulos, Y. and J.A. McDermid (1999). The potential for a generic approach to certification of safety-critical systems in the transportation sector. Journal of Reliability Engineering and System Safety 63(47–66).
290. RTCA (2000). Design Assurance Guidance for Airborne Electronic Hardware. Technical Report DO-254. Washington, D.C.: RTCA, Inc.
291. SAE (1996a). Certification Considerations for Highly-Integrated or Complex Aircraft Systems. Technical Report ARP4754, Society of Automotive Engineers.
292. SAE (1996b). Guidelines and Methods for Conducting the Safety Assessment Process on Civil Airborne Systems and Equipment. Technical Report ARP4761. Warrendale, PA: Society of Automotive Engineers.
293. SAE (Last retrieved on November 15, 2009). Society for Automotive Engineers home page. http://www.sae.org.
294. Sheard, S.A. (2001). Evolution of the framework’s quagmire. Computer 34(7), 96–98.
295. Sommerville, I. (2007). Software engineering (8th ed.). Reading, MA: Addison-Wesley.
296. Spitzer, C.R. (Ed.) (2006). Digital Avionics Handbook—Avionics, Elements, Software, and Functions (2nd ed.). Boca Raton, FL: CRC. U.S. Government (Last retrieved on November 15, 2009). Code of Federal Regulations, Title 14—Aeronautics and Space. Available at http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr&tpl=/ecfrbrowse/Title14/14tab_02.tpl.
297. Wilson, S.P., T. Kelly, J.A. McDermid, and Y. England (1997). Safety case development: Current practice, future prospects. In 12th Annual CSR Workshop on Safety and Reliability of Software Based Systems. Berlin: Springer.
298. Berezin, S., S. Campos, and E.M. Clarke (1998). Compositional reasoning in model checking. In W.P. de Roever, H. Langmaack, and A. Pnueli (Eds.), Proc. International Symposium on Compositionality: The Significant Difference (COMPOS’97), Volume 1536 of LNCS, pp. 81–102. Berlin: Springer.
299. Bertoli, P., M. Bozzano, and A. Cimatti (2007). A symbolic model checking framework for safety analysis, diagnosis, and synthesis. In Model Checking and Artificial Intelligence, Volume 4428 of LNCS, pp. 1–18. Berlin: Springer.
300. Bertoli, P., A. Cimatti, M. Pistore, M. Roveri, and P. Traverso (2001). MBP: A model based planner. In Proc. Workshop on Planning under Uncertainty and Incomplete Information.
301. Bozzano, M., G. Burte, A. Cimatti et al. (2008a). System and Software Co-Engineering: Performance and Verification. ESA Workshop on Avionics Data, Control and Software Systems (ADCSS).
302. Bozzano, M., A. Cimatti, and A. Guiotto et al. (2008b). On-Board Autonomy via Symbolic Model Based Reasoning. 10th ESA Workshop on Advanced Space Technologies for Robotics and Automation (ASTRA 2008).
303. Bozzano, M., A. Cimatti, J.-P. Katoen, V.Y. Nguyen, T. Noll, and M. Roveri (2009a). The COMPASS approach: correctness, modelling and performability of aerospace systems. In B. Buth, G. Rabe, and T. Seyfarth (Eds.). In Proc. 28th International Conference on Computer Safety, Reliability and Security (SAFECOMP 2009), Volume 5775 of LNCS, pp. 173–186. Berlin: Springer.
304. Bozzano, M., A. Cimatti, M. Roveri, and A. Tchaltsev (2009b). A comprehensive approach to on-board autonomy verification and validation. In Proc. ICAPS’09 Workshop on Verification and Validation of Planning and Scheduling Systems (VV&PS 2009).
305. Bryant, R.E. (1992). Symbolic Boolean manipulation with ordered binary decision diagrams. ACM Computing Surveys 24(3), 293–318.
306. Cavada, R., A. Cimatti, and C.A. Jochim et al. (Last retrieved on November 15, 2009a). NuSMV2.4 User Manual. Available at http://nusmv.fbk.eu/NuSMV/userman/v24/nusmv.pdf.
307. Cavada, R., A. Cimatti, G. Keighren, E. Olivetti, M. Pistore, and M. Roveri (Last retrieved on November 15, 2009b). NuSMV 2.2 Tutorial. Available at http://nusmv.fbk.eu/NuSMV/tutorial/v24/tutorial.pdf.
308. Cavada, R., A. Cimatti, A. Mariotti et al. (2009c). EuRailCheck: Tool support for requirements validation. In Proc. 24th IEEE/ACM International Conference on Automated Software Engineering (ASE 2009). Washington, D.C.: IEEE Computer Society.
309. Cimatti, A., E.M. Clarke, F. Giunchiglia, and M. Roveri (2000). NuSMV: a new symbolic model checker. Software Tools for Technology Transfer 2(4), 410–425.
310. Cimatti, A., E.M. Clarke, E. Giunchiglia et al. (2002). NuSMV2: An opensource tool for symbolic model checking. In E. Brinksma and K. Larsen (Eds.), Proc. 14th International Conference on Computer Aided Verification (CAV’02), Volume 2404 of LNCS, pp. 359–364. Springer.
311. Cimatti, A., C. Pecheur, and R. Cavada (2003a). Formal verification of diagnosability via symbolic model checking. InG. Gottlob and T. Walsh (Eds.), Proc. 18th International Joint Conference on Artificial Intelligence (IJCAI 2003), pp. 363–369. San Francisco, CA: Morgan Kaufmann.
312. Cimatti, A., M. Pistore, M. Roveri, and P. Traverso (2003b). Weak, strong, and strong cyclic planning via symbolic model checking. Artificial Intelligence 147(1-2), 35–84.
313. Clarke, E.M., O. Grumberg, and D.A. Peled (2000). Model Checking. Cambridge, MA: MIT Press.
314. CUDD (Last retrieved on November 15, 2009). CUDD: CU Decision Diagram Package. http://vlsi.colorado.edu/fabio/CUDD.
315. FBK (Last retrieved on November 15, 2009). Fondazione Bruno Kessler. http://www.fbk.eu.
316. FSAP (Last retrieved on November 15, 2009). The FSAP/NuSMV-SA platform. https://es.fbk.eu/tools/FSAP.
317. Fuxman, A., L. Liu, J. Mylopoulos, M. Pistore, M. Roveri, and P. Traverso (2004). Specifying and analyzing early requirements in Tropos. Requirements Engineering 9, 132–150.
318. LGPL (Last retrieved on November 15, 2009). The GNU Lesser General Public License. http://www.fsf.org/licensing/licenses/lgpl.html.
319. MBP (Last retrieved on November 15, 2009). The MBP Model Based Planner. http://mbp.fbk.eu.
320. McMillan, K.L. (1993). Symbolic Model Checking. Dordrecht, The Netherlands: Kluwer Academic.
321. MiniSat (Last retrieved on November 15, 2009). The MiniSat Page. http://minisat.se.
322. NuSMV (Last retrieved on November 15, 2009). NuSMV: A New Symbolic Model Checker. http://nusmv.fbk.eu.
323. OS (Last retrieved on November 15, 2009). The Open Source Initiative. http://www.opensource.org.
324. Pill, I., S. Semprini, R. Cavada, M. Roveri, R. Bloem, and A. Cimatti (2006). Formal analysis of hardware requirements. In E. Sentovich (Ed.), Proc. 43rd Design Automation Conference (DAC’06), pp. 821–826. New York: ACM.
325. RAT (Last retrieved on November 15, 2009). The RAT Requirements Analysis tool. http://rat.fbk.eu.zChaff (Last retrieved on November 15, 2009). ZChaff. http://www.princeton.edu/chaff/zchaff.html.
326. Akerlund, O., P. Bieber, E. Böede et al. (2006). ISAAC, a framework for integrated safety analysis of functional, geometrical and human aspects. In Proc. European Congress on Embedded Real Time Software (ERTS 2006).
327. Bozzano, M., G. Burte, A. Cimatti et al. (2008a). System and Software Co-Engineering: Performance and Verification. ESA Workshop on Avionics Data, Control and Software Systems (ADCSS).
328. Bozzano, M., A. Cavallo, M. Cifaldi, L. Valacca, and A. Villafiorita (2003a). Improving safety assessment of complex systems: An industrial case study. In K. Araki, S. Gnesi, and D. Mandrioli (Eds.), Proc. Formal Methods, International Symposium of Formal Methods Europe (FME 2003), Volume 2805 of LNCS, pp. 208–222. Berlin: Springer.
329. Bozzano, M., A. Cimatti, A. Guiotto et al. (2008b). On-Board Autonomy via Symbolic Model Based Reasoning. 10th ESA Workshop on Advanced Space Technologies for Robotics and Automation (ASTRA 2008).
330. Bozzano, M., A. Cimatti, J.-P. Katoen, V.Y. Nguyen, T. Noll, and M. Roveri (2009). The COMPASS approach: Correctness, modelling and performability of aerospace systems. In B. Buth, G. Rabe, and T. Seyfarth (Eds.), Proc. 28th International Conference on Computer Safety, Reliability and Security (SAFECOMP 2009), Volume 5775 of LNCS, pp. 173–186. Berlin: Springer.
331. Bozzano, M., A. Cimatti, and F. Tapparo (2007). Symbolic fault tree analysis for reactive systems. In Proc. 5th International Symposium on Automated Technology for Verification and Analysis (ATVA 2007), Volume 4762 of LNCS, pp. 162–176. Berlin: Springer.
332. Bozzano, M. and A. Villafiorita (2003). Integrating fault tree analysis with event ordering information. In Proc. European Safety and Reliability Conference (ESREL 2003), pp. 247–254. Leiden, The Netherlands: Balkema Publisher.
333. Bozzano, M. and A. Villafiorita (2007). The FSAP/NuSMV-SA safety analysis platform. Software Tools for Technology Transfer 9(1), 5–24.
334. Bozzano, M., A. Villafiorita, O. Åkerlund et al. (2003b). ESACS: An integrated methodology for design and safety analysis of complex systems. In Proc. European Safety and Reliability Conference (ESREL 2003), pp. 237–245. Leiden, The Netherlands: Balkema Publisher.
335. COMPASS (Last retrieved on November 15, 2009). The COMPASS Project. http://compass.informatik.rwth-aachen.de.
336. Coudert, O. and J.C. Madre (1992). Implicit and incremental computation of primes and essential primes of Boolean functions. In Proc. 29th Design Automation Conference (DAC’92), pp. 36–39. IEEE Computer Society.
337. Coudert, O. and J.C. Madre (1993). Fault tree analysis: 1020 prime implicants and beyond. In Proc.Annual Reliability and Maintainability Symposium (RAMS’93), pp. 240–245. Washington, D.C.: IEEE Computer Society.
338. CUDD (Last retrieved on November 15, 2009). CUDD: CU Decision Diagram Package. http://vlsi.colorado.edu/fabio/CUDD.
339. ESACS (Last retrieved on November 15, 2009). The ESACS Project. http://www.esacs.org.
340. Expat (Last retrieved on November 15, 2009). The Expat XML Parser. http://expat.sourceforge.net.
341. FBK (Last retrieved on November 15, 2009). Fondazione Bruno Kessler. http://www.fbk.eu.
342. FLTK (Last retrieved on November 15, 2009). FLTK: Fast Light Toolkit. http://www.fltk.org.
343. FSAP (Last retrieved on November 15, 2009). The FSAP/NuSMV-SA Platform. https://es.fbk.eu/tools/FSAP.
344. FSAP2 (Last retrieved on November 15, 2009). The FSAP Safety Analysis Platform: Commercial Pages. http://fsap.fbk.eu.
345. FT+ (Last retrieved on November 15, 2009). FaultTree+. http://www.isographsoftware.com/ftpover.htm.
346. ISAAC (Last retrieved on November 15, 2009). The ISAAC Project. http://www.cert.fr/isaac.
347. MiniSat (Last retrieved on November 15, 2009). The MiniSat Page. http://minisat.se.
348. MISSA (Last retrieved on November 15, 2009). The MISSA Project. http://www.missafp7.eu.
349. MRMC (Last retrieved on November 15, 2009). MRMC: Markov Reward Model Checker. http://www.mrmc-tool.org.
350. OMC-ARE (Last retrieved on November 15, 2009). The OMC-ARE Project. http://es.fbk.eu/projects/esa_omc-are.
351. Rauzy, A. (1993). New algorithms for fault trees analysis. Reliability Engineering and System Safety 40(3), 203–211.
352. Rauzy, A. and Y. Dutuit (1997). Exact and truncated computations of prime implicants of coherent and non-coherent fault trees within Aralia. Reliability Engineering and System Safety 58(2), 127–144.
353. zChaff (Last retrieved on November 15, 2009). zChaff. http://www.princeton.edu/chaff/zchaff.html.
354. FAA (Last retrieved on November 15, 2009a). FAA mission. Available at http://www.faa.gov/about/mission/.
355. FAA (Last retrieved on November 15, 2009b). The Federal Aviation Administration: A historical perspective, 1903–2008. Available at http://www.faa.gov/about/history/historical_perspective.
356. ISO (Last retrieved on November 15, 2009). Directory of iso-recognized international aerospace standards. Available at http://www.iso.org/iso/iso_catalogue/directory_of_aerospace:standards.htm.
357. Vesely, W.E., F.F. Goldberg, N.H. Roberts, and D.F. Haasl (1981). Fault Tree Handbook. Technical Report NUREG-0492, Systems and Reliability Research Office of Nuclear Regulatory Research U.S. Nuclear Regulatory Commission.