Glenn Bruns

Validating Safety Models with Fault Trees

In verifying a safety-critical system, one usually begins by building a model of the basic system and of its safety mechanisms. If the basic system model does not reflect reality, the verification results are misleading. We show how a model of a system can be compared with the system’s fault trees to help validate the failure behaviour of the model. To do this, the meaning of fault trees are formalised in temporal logic and a consistency relation between models and fault trees is defined. An important practical feature of the technique is that it allows models and fault trees to be compared even if some events in the fault tree are not found in the system model.

A Practical Technique for Process Abstraction

With algebraic laws a process can be simplified before verifying its equivalence with another process. Also needed are laws to allow a process to be simplified before verifying that it satisfies a temporal logic formula. Most previous work on this problem is based on property-preserving mappings between transition systems. The results presented here allow direct simplification of process terms for some important classes of temporal properties.

A Case Study in Safety-Critical Design

We have modelled the design of a safety-critical railway system in the process calculus CCS, described important properties of the design in temporal logic, and verified with the Concurrency Workbench that some of the properties hold of the model. Verifying properties of a design, rather than an implementation, presented special problems, particularly in capturing in the formal model the kinds of abstraction found in the design, and in showing that the verified properties would also hold in all implementations of the design.

Trapping mutual exclusion in the box calculus

Abstract The box calculus is a process algebra with a simple Petri net semantics. We show that it provides for the concise translation of parallel programs and for the combination of verification techniques from process algebra and Petri nets. This is done by proving some properties of mutual exclusion algorithms.

The formalization and analysis of a communications protocol

The MSMIE protocol [SBC89] allows processors in a distributed system to communicate via shared memory. It was designed to meet the reliability and efficiency needs of applications such as nuclear safety systems. We present a formal model of the MSMIE protocol expressed in the notation CCS. Desirable properties of the protocol are expressed in the modal mu-calculus, an expressive modal logic. We show that the protocol lacks an important liveness property. In actual operation, additional operating constraints are checked to avoid potential problems. We present a modified protocol and show that it possesses the liveness property even without checking operating constraints. We also show how parts of the analysis were automated with the Concurrency Workbench.

An industrial application of modal process logic

Abstract Modal process logic is an extension of CCS that allows for more expressive specifications. We show how modal process logic was successfully applied in the development of a failure recovery protocol for an air-traffic information system now in service at Heathrow airport. Two example systems are used to show that CCS itself was not suitable for this application.

The Formalization and Analysis of a Communications Protocol

Abstract The MSMIE protocol (Santoline et al., 1989) was designed to allow processors in a nuclear safety system to communicate efficiently and reliably via shared memory. Our formalization and analysis shows that the protocol lacks an important liveness property. In actual operation, timing constraints are checked to avoid potential problems. We present a modified protocol that possesses the liveness property even without such constraints. We also show how parts of the analysis were automated with the Concurrency Workbench.

Using Data Consistency Assumptions to Show System Safety

Systems cannot usually be proved safe unless some failure assumptions are made. Here we prove that the water level in a generic boiler system is always within its safe range by assuming that device failures result in inconsistent readings. Key parts of our approach are a failure-reporting strategy that determines failures from consistency conditions, and a level-calculation strategy that gives a best estimate of boiler level in light of the reported failures. These strategies are generic and could be used in other safety-critical applications.