NASA Langley's research and technology-transfer program in formal methods

Butler, Ricky W.; Caldwell, James L.; Carreno, Victor A.; Holloway, C. Michael; Miner, Paul S.; Vito, Ben L. Di

doi:10.1109/cmpass.1995.521893

Cited by 19 publications

(16 citation statements)

References 28 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Yet, a number of barriers exist to more widespread industrial use of formal techniques such as PVS. Although Miller notes in 25] that engineers at Collins Aviation learned to use PVS, the authors of each of 25,8,9,10] concede that in general practitioners themselves may b e u n willing or unable to create formal speci cations or to perform analysis of the speci cations using the PVS proof checker. Further, Butler et al .…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Using TAME to prove invariants of automata models

Archer

Heitmeyer

Riccobene

2000

Proceedings of the Third Workshop on Formal Methods in Software Practice

View full text Add to dashboard Cite

TAME is a special-purpose interface to PVS designed to support developers of software systems in proving properties of automata models. One of TAME's major goals is to allow a software developer who has basic knowledge of standard logic, and can do hand proofs, to use PVS to represent and to prove properties about an automaton model without rst becoming a PVS expert. A second goal is for a human to be able to read and understand the content of saved TAME proofs without running them through the PVS proof checker. A third goal is to make p r o ving properties of automata with TAME less costly in human time than proving such properties using PVS directly. Recent work by Romijn and Devillers et al., based on the I/O automata model, has provided the basis for two case studies on how w ell TAME achieves these goals. Romijn speci ed the RPC-Memory Problem and its solution, while Devillers et al. speci ed a tree identify protocol. Hand proofs of specication properties were provided by the authors. In addition, Devillers et al. used PVS directly to mechanize the specications and proofs of the tree identify protocol. In one case study, the third author, a new TA M E u s e r w i t h n o p r e v i o u s PVS experience, used TAME to create PVS speci cations of the I/O automata presented by Romijn and Devillers et al. and to check the hand proofs of invariant properties. The PVS speci cations and proofs of Devillers et al. provide the basis for the other case study, which compares the TAME approach to an alternate approach w h i c h uses PVS directly.

show abstract

Section: Introductionmentioning

confidence: 99%

“…Several authors 25,8,9,7] have found that the PVS speci cation language and similar strongly typed, higher-order logic languages are well suited to the formalization of system speci cations. All report that appropriately structured PVS speci cations can be understood by practitioners, such as design engineers and requirements analysts.…”

Section: Introductionmentioning

confidence: 99%

Using TAME to prove invariants of automata models

Archer

Heitmeyer

Riccobene

2000

Proceedings of the Third Workshop on Formal Methods in Software Practice

View full text Add to dashboard Cite

show abstract

“…However, the National Aeronautics and Space Administration has applied formal methods in several research projects (vid. [22]). …”

Section: Previous Workmentioning

confidence: 93%

Formal Methods in a System-of-Systems Development

Caffall

Michael²

2005 IEEE International Conference on Systems, Man and Cybernetics

View full text Add to dashboard Cite

Formal methods can complement traditional techniques such as testing and can help developers improve the degree of trustworthiness in defense acquisitions. In this paper, we demonstrate an application of formal methods to a system-of-systems development by specifying and verifying part of the controlling software for a ballistic missile defense system. While there is much work to do to institutionalize formal methods in the development of system-of-systems, we believe that this paper represents a point of departure towards that objective.

show abstract

“…If, however, the policy or its enforcement is flawed in some way, one or more of the trace pairs above will differ, signaling a failure to achieve partitioning. 2 The term "purge" was retained because of its historical use in noninterference models, although we now complement its selection semantics. This scheme works to describe uses of memory and some devices.…”

Section: Requirementmentioning

confidence: 99%

“…A more detailed account of the model is available in report form [4]. This work was performed in the context of a broad program of applied formal methods activity at LaRC [2].…”

Section: Introductionmentioning

confidence: 99%