Wilson Ifill
University of Surrey
Publications
Featured research published by Wilson Ifill.
High integrity software | 2001
Wilson Ifill; Ib Holm Sørensen; Steve Schneider
We have demonstrated that clocked synchronous logic can be developed within a formal software framework. The advantage of this approach is that it allows abstraction, animation and proof of refinement. The B-Toolkit supports these activities and has a VHDL generator. The validation tests can be agreed and carried out during animation early in the development cycle (a common technique in software). Proof of refinement may be important for critical applications. AWE plans to explore the proof of their Arming System Processor with the techniques overviewed in this paper.
Rigorous Methods for Software Construction and Analysis | 2009
Helen Treharne; Steve Schneider; Neil Grant; Neil Evans; Wilson Ifill
Much research work has been done on linking UML and formal methods, but few have focused on using formal methods to check the integrity of the UML models so that the models can be verified. In this paper we focus on executable UML and on the issues related to concurrent state machines. We show that one integrated formal methods approach, CSP B, has the potential to be tailored to support reasoning about concurrent state machines and in turn expose any weaknesses in the UML model. We identify future avenues of research so that a system methodology based on executable UML can be enhanced by formal reasoning.
Scopus | 2012
Dan Slipper; Wilson Ifill; Gordon Hunter; Roger Green; Richard Johnson; Alistair A. McEwan
High consequence arming systems are designed to prevent unwanted external (or potentially internal) energy flowing to a critical component without intention. The hazard analysis of such systems can be a slow and difficult manual process, potentially repeated in various life-cycle phases or on multiple design options. This paper details a simulation tool under development at AWE to provide a fast and repeatable analysis process. The simulation generates a set of possible paths along which different energy types could potentially propagate through the system. Behaviour identified by the tool can support the design of the system and the selection of an architecture that provides assurance of safety whilst still providing reliability. We present an outline of the model development process and results from its use with a case study, and demonstrate the advantages over manual analysis. A number of limitations of the current implementation are discussed; we then propose future work aimed at alleviating some of these issues.
international conference on system science and engineering | 2013
Dan Slipper; Alistair A. McEwan; Wilson Ifill
Safety analysis of high consequence arming systems is complex: many arguments about the behaviour of a design are required to validate that the system fulfils its safety requirements. Manual analysis of such systems can miss potential paths of energy flow, and this process becomes increasingly difficult when the concept of defence in depth is incorporated into the design. Utilising the process algebra Communicating Sequential Processes allows component specifications and system level safety specifications to be formalised. Model checking techniques can then be applied to ensure that the design of each component meets its individual specification and that, when composed together, the components achieve the required system level behaviour, demonstrating both system level safety and the requirements of defence in depth. We present validation of the technique through the use of a small example representative of the systems of interest we are analysing. The approach is then demonstrated to identify potential problems in this example through various scenarios.
communicating process architectures | 2007
Alistair A. McEwan; Steve A. Schneider; Wilson Ifill; Peter H. Welch; Jonathan Simpson; Christian L. Jacobsen; Matthew C. Jadud
Lecture Notes in Computer Science | 2007
Wilson Ifill; Steve Schneider; Helen Treharne
communicating process architectures | 2010
Wilson Ifill; Steve Schneider
BMMDS/EMMSAD | 2012
Dan Slipper; Wilson Ifill; Gordon Hunter; Roger Green; Richard Johnson; Alistair A. McEwan
communicating process architectures | 2008
Steve Schneider; Helen Treharne; Alistair A. McEwan; Wilson Ifill
Archive | 2008
Steve A. Schneider; Helen Treharne; Alistair A. McEwan; Wilson Ifill