Michael Balser

Formal System Development with KIV

KIV is a tool for formal systems development. It can be employed, e.g., — for the development of safety critical systems from formal requirements specifications to executable code, including the verification of safety requirements and the correctness of implementations, — for semantical foundations of programming languages from a specification of the semantics to a verified compiler, — for building security models and architectural models as they are needed for high level ITSEC [7] or CC [1] evaluations.

Structured Specifications and Interactive Proofs with KIV

The aim of this chapter is to describe the integrated specification- and theorem proving environment of KIV. KIV is an advanced tool for developing high assurance systems. It supports: hierarchical formal specification of software and system designs specification of safety/security models proving properties of specifications modular implementation of specification components modular verification of implementations incremental verification and error correction reuse of specifications, proofs, and verified components

Verification of medical guidelines by model checking – a case study

This paper presents a case study on how to apply formal modeling and verification in the context of quality improvement in medical healthcare. The aim is to verify quality requirements of medical guidelines and clinical treatment protocols that are used to standardize patient care both for general practitioners and hospitals. This research is supported by the European Commissions IST program and brings together experts from computer science, artificial intelligence in medicine, hospitals, and the Dutch Institute for Healthcare Improvement (CBO). We present the process of formal modeling and verification of guidelines using the modeling language Asbru, temporal logic for expressing the quality requirements, and model checking for proof and error detection. The approach is illustrated with a case study on a guideline from the American Association for Pediatrics on “Jaundice in healthy Newborns”.

Interactive Verification of UML State Machines

We propose a new technique for interactive formal verification of temporal properties of UML state machines. We introduce a formal, operational semantics of UML state machines and give an overview of the proof method which is based on symbolic execution with induction. Usefulness of the approach is demonstrated by example of an automatic teller machine. The approach is implemented in the KIV system.

Interactive verification of concurrent systems using symbolic execution

This paper presents an interactive proof method for the verification of temporal properties of concurrent systems based on symbolic execution. Symbolic execution is a well known and very intuitive strategy for the verification of sequential programs. We have carried over this approach to the interactive verification of arbitrary linear temporal logic properties of (infinite state) parallel programs. The resulting proof method is very intuitive to apply and can be automated to a large extent. It smoothly combines first-order reasoning with reasoning in temporal logic. The proof method has been implemented in the interactive verification environment KIV and has been used in several case studies.

Verifying Concurrent Systems with Symbolic Execution

Current techniques for interactively proving temporal properties of concurrent systems translate transition systems into temporal formulas by introducing program counter variables. Proofs are not intuitive, because control flow is not explicitly considered. For sequential programs symbolic execution is a very intuitive, interactive proof strategy. In this paper we will adopt this technique for parallel programs. Properties are formulated in interval temporal logic. An inplementation in the interactive theorem prover KIV has shown that this technique offers a high degree of automation and allows simple, local invariants.

VSE: Controlling the Complexity in Formal Software Developments

We give an overview of the enhanced VSE system which is a tool to formally specify and verify systems. It provides means for structuring specifications and it supports the development process from the specification of a system to the code generation. Formal developments following this method are stored and maintained in an administration system that guides the user and maintains a consistent state. An integrated deduction system provides proof support for the deduction problems arising during the development process.

KIV 3.0 for Provably Correct Systems

KIV 3.0 is an advanced tool for engineering high assurance systems. It provides an economically applicable verification technology, and supports the entire design process from formal specifications to executable verified code. In KIV the design process for high assurance systems proceeds as follows. 1. KIV supports both functional and state based software/system design using algebraic specifications or Abstract State Machines (ASMs), respectively. As a first step, predefined theories from a library can be imported. New specifications are added to the hierarchically structured specification graph which is graphically visualized. 2. In addition to the specification, a formal safety/security model is defined. The formulation of extra validation properties helps to detect gross specification errors before it is attempted to prove the main safety/security properties. 3. It has to be shown that the validation and safety/security properties are satisfied by the specification. The necessary formal proofs are done in an interactive graphical proof environment. Proof search is automated to a large extent. Proof engineering facilities help to reveal specification errors. After correcting the specification, invalid proofs can be reused automatically. 4. The components of the hierarchical system specification can be implemented independently (modular) using an imperative programming language. Proof obligations for the correctness of the implementation are generated automatically and have to be verified by the proof component. Again, corrected errors lead to invalidated proofs which can be reused automatically. 5. The whole specification and verification process is guarded by an elaborate correctness management. If, finally, every specification and implementation is in “proved state”, it guarantees that there are no inconsistencies and all proof obligations and used lemmas are proved. 6. For use in future projects, specifications and implementations can be added to a library.

Meta-level Verification of the Quality of Medical Guidelines Using Interactive Theorem Proving

Requirements about the quality of medical guidelines can be represented using schemata borrowed from the theory of abductive diagnosis, using temporal logic to model the time-oriented aspects expressed in a guideline. In this paper, we investigate how this approach can be mapped to the facilities offered by a theorem proving system for program verification, KIV. It is shown that the reasoning that is required for checking the quality of a guideline can be mapped to such theorem-proving facilities. The medical quality of an actual guideline concerning diabetes mellitus 2 is investigated in this way, and some problems discovered are discussed.

Experiences in the formalisation and verification of medical protocols

Medical practice protocols or guidelines are statements to assist practitioners and patient decisions about appropriate health care for specific circumstances. In order to reach their potential benefits, protocols must fulfill strong quality requirements. Medical bodies worldwide have made efforts in this direction, mostly using informal methods such as peer review of protocols. We are concerned with a different approach, namely the quality improvement of medical protocols by formal methods. In this paper we report on our experiences in the formalisation and verification of a real-world medical protocol. We have fully formalised a medical protocol in a two-stage formalisation process. Then, we have used a theorem prover to confirm whether the protocol formalisation complies with certain protocol properties. As a result, we have shown that formal verification can be used to analyse, and eventually improve, medical protocols.