Systematic formal verification for fault-tolerant time-triggered algorithms
 IEEE Transactions on Software Engineering
, 1999
Cited by 45 (2 self)
Abstract
Many critical real-time applications are implemented as time-triggered systems. We present a systematic way to derive such time-triggered implementations from algorithms specified as functional programs (in which form their correctness and fault-tolerance properties can be formally and mechanically verified with relative ease). The functional program is first transformed into an untimed synchronous system, and then to its time-triggered implementation. The first step is specific to the algorithm concerned, but the second is generic and we prove its correctness. This proof has been formalized and mechanically checked with the PVS verification system. The approach provides a methodology that can ease the formal specification and assurance of critical fault-tolerant systems.
Keywords: formal methods, formal verification, time-triggered algorithms, synchronous systems, PVS.
A Coiterative Characterization of Synchronous Stream Functions
, 1997
Cited by 18 (4 self)
Abstract
This paper presents an attempt to characterize synchronous stream functions within the framework of coiteration and to use this characterization in building a compiler for (higher-order and recursive) synchronous dataflow programs. First, length-preserving functions are considered and we show that streams equipped with such functions form a Cartesian-closed category. Then this point of view is extended toward non-length-preserving ones and we stress the use of "empty" values in handling this case. Finally, the implementation we did of this material in a synchronous stream package built on top of an ML-like language is briefly described.
A methodology for proving control systems with Lustre and PVS
, 1999
Cited by 8 (1 self)
Abstract
In this paper, we intend to show how to use the synchronous dataflow language Lustre, combined with the PVS proof system, in deriving provably-correct (distributed) control programs. We hopefully illustrate, based on a railway emergency braking system example, the features of our approach: asynchronous periodic programs with nearly the same period, communicating by sampling; equational reasoning, which leaves to the Lustre compiler the task of scheduling computations; no distinction between control programs and physical environments, which are sampled in the same way. This allows us to provide "elementary" proofs based on difference equations instead of differential ones, which require more involved PVS formalization.
1 Introduction
Control systems form an important class of critical computer systems: it is in this domain that some of the most critical applications can be found, for instance in civil aircraft, ground transportation, nuclear power, etc. Thus, a lot of activity ha...
Formal Verification of Time-Triggered Systems
, 2005
Cited by 4 (0 self)
Abstract
Fault-tolerant real-time distributed control systems are being developed for next-generation aircraft and automobiles. They employ numerous complex protocols; because their uses are safety-critical, the design and implementation of these protocols must be error-free. The following modeling considerations make the formal verification of these protocols difficult: faults, real-time constraints, distributed control, non-functional behavioral requirements, and intricate protocol interactions. We describe a methodology for the formal verification of time-triggered systems, a class of synchronized fault-tolerant control and communication architectures. The methodology
Hardware Verification using coinduction in COQ
In Proceedings of the International Conference on Theorem Proving in Higher-Order Logics
, 1999
Cited by 1 (0 self)
Abstract
This paper presents a toolbox implemented in Coq and dedicated to the specification and verification of synchronous sequential devices. The use of Coq coinductive types underpins our methodology and leads to elegant and uniform descriptions of the circuits and their behaviours as well as clear and short proofs. An application to a non-trivial circuit is given as an illustration.
1 Introduction
Coinduction is a powerful tool for dealing with infinite structures. It is especially well suited to proving properties about circuits where one has to cope with infinitely long temporal sequences. This work presents a general methodology for specifying and proving synchronous sequential circuits in the Calculus of Inductive Constructions (enriched with Coinductive types) implemented in the Coq proof assistant [1]. It is a continuation of [5], where we made heavy use of dependent types. We go deeply into this direction, introducing dependent types systematically whenever this leads to m...
Handling dataflow programs in PVS
, 1996
Cited by 1 (0 self)
Abstract
This paper investigates the use of the PVS tool for handling dataflow programs. In particular, we show how to express the constructs of the Lustre synchronous dataflow language. We then provide examples of program derivation and proofs within this framework, which hopefully illustrate the interest of the approach.
1 Introduction
Recently, several toolboxes for program formal derivation and proof have been proposed, among which we can cite B [1], Coq [5], and PVS [10]. Clearly this growing interest is due to the also growing involvement of software in critical systems, and the consequent concern about software errors. These critical systems can arise from many fields, but one field which yields some of the most critical ones is the field of automatic control and monitoring systems; this can be easily illustrated by examples drawn from civil aircraft, nuclear plants and automatic ground transportation systems. In these domains, synchronous dataflow programming has become a popula...
Specifications of the ATM Switch Fabric in Coq
, 1997
Abstract
this report, we consider digital circuits. Describing circuits as mathematical objects corresponds to constructing accurate formal specifications of these circuits on which it becomes possible to prove correctness properties. From this point of view, formal verification of circuits amounts to developing a proof which states that the representation of the circuit under consideration (structural specification) satisfies the representation of its intended behaviour (behavioural specification), that is to say, what one expects from the circuit for it to be correct. In other words, establishing the correctness of a circuit is proving that its implementation is equivalent to (or at least implies) its specification.
A PVS Proof Obligation Generator for Lustre Programs
Université Paris-Sud
, 2000
"... This paper presents a tool for proving safety properties of ..."
Deductive Proofs of Dataflow Programs 1
Abstract
Introduction
This deliverable is intended to present the current year achievements with respect to task 3.4. This task aimed at exploring both the need of theorem proving for synchronous dataflow programs and ways to achieve it. As an example, the chosen dataflow language was Lustre and the theorem proving tool was PVS. According to the proposal, we had in mind the following schedule:
- deliverable 3.4.1 (12 months): Comparative study of dataflow to PVS translations.
- deliverable 3.4.2 (24 months): Case studies on checking dataflow programs with PVS.
- deliverable 3.4.3 (36 months): Front-end prototype.
Yet this schedule was rather theoretical: for instance, in order to compare translations, we needed some case studies. Similarly, in order to have thorough comparisons we also needed some assistance from automated tools. This led us to progress in each direction at the same time: