Paul S. Miner

Verification of IEEE Compliant Subtractive Division Algorithms

A parameterized definition of subtractive floating point division algorithms is presented and verified using PVS. The general algorithm is proven to satisfy a formal definition of an IEEE standard for floating point arithmetic. The utility of the general specification is illustrated using a number of different instances of the general algorithm.

A Unified Fault-Tolerance Protocol

Davies and Wakerly show that Byzantine fault tolerance can be achieved by a cascade of broadcasts and middle value select functions. We present an extension of the Davies and Wakerly protocol, the unified protocol, and its proof of correctness. We prove that it satisfies validity and agreement properties for communication of exact values. We then introduce bounded communication error into the model. Inexact communication is inherent for clock synchronization protocols. We prove that validity and agreement properties hold for inexact communication, and that exact communication is a special case. As a running example, we illustrate the unified protocol using the SPIDER family of fault-tolerant architectures. In particular we demonstrate that the SPIDER interactive consistency, distributed diagnosis, and clock synchronization protocols are instances of the unified protocol.

A conceptual design for a Reliable Optical Bus (ROBUS)

The Scalable Processor-Independent Design for Electromagnetic Resilience (SPIDER) is a new family of fault-tolerant architectures under development at NASA Langley Research Center (LaRC). The SPIDER is a general-purpose computational platform suitable for use in ultrareliable embedded control applications. The design scales from a small configuration supporting a single aircraft function to a large distributed configuration capable of supporting several functions simultaneously. SPIDER consists of a collection of simplex processing elements communicating via a Reliable Optical Bus (ROBUS). The ROBUS is an ultra-reliable, time-division multiple access broadcast bus with strictly enforced write access providing basic fault-tolerant services using formally verified fault-tolerance protocols including Interactive Consistency (Byzantine Agreement), Internal Clock Synchronization, and Distributed Diagnosis. The conceptual design of the ROBUS is presented in this paper including requirements, topology, protocols, and the block-level design. Verification activities, including the use of formal methods, are also discussed.

Abstractions for Fault-Tolerant Distributed System Verification

Four kinds of abstraction for the design and analysis of fault–tolerant distributed systems are discussed. These abstractions concern system messages, faults, fault–masking voting, and communication. The abstractions are formalized in higher–order logic, and are intended to facilitate specifying and verifying such systems in higher–order theorem–provers.

Unmanned Aircraft Hazards and their Implications for Regulation

Use of unmanned aircraft systems (UASs) has been characterized as the next great step forward in the evolution of civil aviation. Indeed, UASs are in limited civil use in the United States today, and many believe that the time is rapidly approaching when they will move into the commercial marketplace, too. To make this a reality, a number of challenges must be overcome to develop the necessary regulatory framework for assuring safe operation of this special class of aircraft. This paper discusses some of what must be done to establish that framework. In particular, we examine hazards specific to the design, operation, and flight crew of UASs, and discuss implications of these hazards for existing policy and guidance. Understanding unique characteristics of UASs that pose new hazards is essential to developing a cogent argument, and the corresponding regulatory framework, for safely integrating these aircraft into civil airspace

Studies of the Single Pulser in Various Reasoning Systems

The single pulser is a clocked sequential device which generates a unit-time pulse on its output for every pulse on its input. This paper explores how a single-pulser implementation is verified by various formal reasoning tools, including the PVS theorem prover for higher-order logic, the SMV model checker for computation tree logic, the DDD design derivation system, and the Oct Tools design environment. By fixing a single, simple example, the study attempts to contrast how the underlying formalisms influence ones perspective on design and verification.

A case-study application of RTCA DO-254: design assurance guidance for airborne electronic hardware

In a joint project with the FAA, NASA Langley is developing a hardware design in accordance with RTCA DO-254: Design Assurance Guidance for Airborne Electronic Hardware. The purpose of the case study is to gain understanding of the new guidance document and generate an example suitable for use in training. For the case study, we have selected a core subsystem of the Scalable Processor-Independent Design for Electromagnetic Resilience (SPIDER). SPIDER is a new fault-tolerant architecture under development at NASA Langley Research Center.

Quantifying the reliability of proven SPIDER group membership service guarantees

For safety-critical systems, it is essential to quantify the reliability of the assumptions that underlie proven guarantees. We investigate the reliability of the assumptions of the SPIDER group membership service with respect to transient and permanent faults. Modeling 12,600 possible system configurations, the probability that SPIDERs maximum fault assumption does not hold for an hour mission varies from less likely than l0/sup -11/ to more likely than 10/sup -3/. In most cases examined, a transient fault tolerance strategy was superior to the permanent fault tolerance strategy previously in use for the range of transient fault arrival rates expected in aerospace systems. Reliability of the maximum fault assumption (upon which the proofs are based) differs greatly when subjected to asymmetric, symmetric, and benign faults. This case study demonstrates the benefits of quantifying the reliability of assumptions for proven properties.

Interaction of formal design systems in the development of a fault-tolerant clock synchronization circuit

We propose a design strategy that exploits the strengths of different formal approaches to establish a reliable path from a mechanically verified high-level description to a concrete gate-level realization. We demonstrate the use of this approach in the realization of a fault-tolerant clock synchronization circuit. We used the Digital Design Derivation system (DDD) to derive a major portion of the design leaving relatively small portions to be verified either by use of a mechanical theorem prover (PVS) or by demonstrating boolean equivalence using Ordered Binary Decision Diagrams. The interface between the different formal systems has not yet been completely formalized but we believe our approach will provide an effective formal design path from high-level specifications to concrete realizations.<<ETX>>

Integrated reasoning support in system design: design derivation and theorem proving

Practical applications of formal methods research require the integrated use of distinct tools for reasoning and design. Many approaches to this problem involve embedding specialized verification procedures in a theorem prover or logical framework. In fact, some theorem provers are promoted as frameworks of just this kind. We discuss some of the problems inherent to such monolithic treatments, illustrating with studies we have done in ad hoc heterogeneous reasoning. For both technical and pragmatic reasons we conclude that shallow embedding, that is, integration through superficial syntax translation, is a reasonable and even necessary approach.