## DERIVING SAFETY CASES FROM AUTOMATICALLY CONSTRUCTED PROOFS

Citations: 5 (0 self)

### BibTeX

```bibtex
@MISC{Basir_derivingsafety,
  author = {Nurlida Basir and Ewen Denney and Bernd Fischer},
  title = {DERIVING SAFETY CASES FROM AUTOMATICALLY CONSTRUCTED PROOFS},
  year = {}
}
```

### Abstract

automated theorem provers. Formal proofs provide detailed justification for the validity of claims and are widely used in formal software development methods. However, they are often complex and difficult to understand, because the formalism in which they are constructed and encoded is usually machine-oriented, and they may also be based on assumptions that are not justified. This causes concerns about the trustworthiness of using formal proofs as arguments in safety-critical applications. Here, we present an approach to develop safety cases that correspond to formal proofs found by automated theorem provers and reveal the underlying argumentation structure and top-level assumptions. We concentrate on natural deduction style proofs, which are closer to human reasoning than resolution proofs, and show how to construct the safety cases by covering the natural deduction proof tree with corresponding safety case fragments. We also abstract away logical book-keeping steps, which reduces the size of the constructed safety cases. We show how the approach can be applied to the proofs found by the Muscadet prover.

### Citations

360 | Formal methods: State of the art and future directions
- Clarke, Wing
- 1996
Citation Context: ...and the argument itself depends on any external assumptions. However, many tools commonly applied to ensure software safety rely on black-box techniques such as static analysis [22] or model checking [7] that produce only opaque claims about the safety of the software but not enough evidence to justify their claim. They can thus not provide any further insights or arguments. In contrast, in formal so...

241 | Logic in Computer Science: Modelling and Reasoning about Systems
- Huth, Ryan
- 2004
Citation Context: ...and replacement rules (which are derived rules for equivalence and equality handling). Here, we focus on some of the basic rules; a full exposition of natural deduction can be found in the literature [17]. Natural deduction uses two sets of rules for each logical connective or quantifier (�,�,…,�, …), where one introduces the symbol, while the other eliminates it. In the introduction rules, the connec...

153 | Entailment: The Logic of Relevance and Necessity
- Anderson, Belnap, et al.
- 1975
Citation Context: ...s is only a simplification of the presentation and does not change the structure of the underlying proof, nor the validity of the original goal. It is thus different from using a relevant implication [2] under which A => B is only valid if the hypothesis A is actually used. Figure 4: Safety Case Templates for �-Rules. 4 Safety Case Generation Process To automatically construct the ND proof safety cas...

143 | High Integrity Software: The SPARK Approach to Safety and Security
- Barnes, Barnes
- 2003
Citation Context: ...evidence to justify their claim. They can thus not provide any further insights or arguments. In contrast, in formal software safety certification [8], as in other formal software development methods [3, 5], formal proofs can in principle be used as evidence. Such proofs use mathematical and logical reasoning to show that the software satisfies certain requirements, which typically include program execu...

76 | Arguing Safety – A Systematic Approach to Managing Safety Cases
- Kelly
- 1998
Citation Context: ...ence rule applied in this proof step. The proof tree structure is thus a representation of the underlying argumentation structure. We can use this interpretation to present the proofs as safety cases [18], which are structured arguments as well and represent the linkage between evidence (i.e., the deductive reasoning of the proofs from the assumptions to the derived conclusions) and claims (i.e., the ...

44 | Proof verbalization as an application of NLG
- Huang, Huang, et al.
- 1997
Citation Context: ...man reasoning, to aid with their understanding. Proof visualization tools (e.g., [23]) present the proof in a graphical form, but quickly get overwhelmed by the proof size. Proof verbalization (e.g., [6, 16]) transforms the proofs into natural language but the explanations are often too detailed. Proof abstraction groups multiple low-level steps that represent recurring argumentation patterns into indivi...

32 | Correctness of Source-level Safety Policies
- Denney, Fischer
- 2003
Citation Context: ...aims about the safety of the software but not enough evidence to justify their claim. They can thus not provide any further insights or arguments. In contrast, in formal software safety certification [8], as in other formal software development methods [3, 5], formal proofs can in principle be used as evidence. Such proofs use mathematical and logical reasoning to show that the software satisfies cer...

30 | Investigations into logical deduction. In The Collected Papers of Gerhard Gentzen
- Gentzen
- 1969
Citation Context: ... of a need to trust the certification tools, and in particular, the manually constructed artifacts. 3 Converting Natural Deduction Proofs into Safety Arguments 3.1 Natural Deduction Natural deduction [14, 15] is a form of proof that attempts to provide a foundational yet intuitive system to construct formal proofs. It consists of a collection of proof rules that manipulate logical formulas and transform p...

28 | The translation of formal proofs into English
- Chester
- 1976
Citation Context: ...man reasoning, to aid with their understanding. Proof visualization tools (e.g., [23]) present the proof in a graphical form, but quickly get overwhelmed by the proof size. Proof verbalization (e.g., [6, 16]) transforms the proofs into natural language but the explanations are often too detailed. Proof abstraction groups multiple low-level steps that represent recurring argumentation patterns into indivi...

19 | The Use of Multilegged Arguments to Increase Confidence in Safety Claims for Software-Based Systems: A Study Based on a BBN Analysis of an Idealized Example
- Littlewood, Wright
Citation Context: ...ere the proofs depend on top-level assumptions. Greater confidence in the assurance claim can be placed if the rationale behind validity of the proof can be shown. As pointed out by Littlewood et al. [19], the probability of a claim, which has been shown by a formal proof, being false, is very low, when the assumptions and evidence are valid. However, there is a non-zero probability that these are not...

12 | An interactive derivation viewer
- Trac, Puzis, et al.
- 2006
Citation Context: ...ess concerns with using proofs for assurance purposes. Many of them try to bring formal proofs into a form closer to human reasoning, to aid with their understanding. Proof visualization tools (e.g., [23]) present the proof in a graphical form, but quickly get overwhelmed by the proof size. Proof verbalization (e.g., [6, 16]) transforms the proofs into natural language but the explanations are often t...

11 | A Software Safety Certification Tool for Automatically Generated Guidance
- Denney, Trac
Citation Context: ... However, not all premises will actually be used as Figure 7: External Hypothesis. 6 Application to Muscadet We illustrate our approach by converting proofs created by the AutoCert certification tool [12], which takes a set of requirements, and a domain theory consisting of logical axioms and so-called annotation schemas. These are used to infer logical annotations and construct proof tasks which are ...

11 | Translating machine-generated resolution proofs into ND-proofs at the assertion level
- Huang
- 1996
Citation Context: ... of a need to trust the certification tools, and in particular, the manually constructed artifacts. 3 Converting Natural Deduction Proofs into Safety Arguments 3.1 Natural Deduction Natural deduction [14, 15] is a form of proof that attempts to provide a foundational yet intuitive system to construct formal proofs. It consists of a collection of proof rules that manipulate logical formulas and transform p...

10 | Hiproofs: A hierarchical notion of proof tree
- Denney, Power, et al.
Citation Context: ...detailed. Proof abstraction groups multiple low-level steps that represent recurring argumentation patterns into individual abstract steps and thus accentuates the hierarchical structure of the proof [11] but has so far only been applied to interactively constructed proofs. Our work combines abstraction, verbalization and visualization to reveal and present the proof’s underlying argumentation structu...

10 | Semantic Derivation Verification
- Sutcliffe
Citation Context: ...ed proofs. Our work combines abstraction, verbalization and visualization to reveal and present the proof’s underlying argumentation structure and top-level assumptions. Alternatively, proof checkers [20, 24] have been used to increase trust in formal proofs, by demonstrating that every individual step in the proof is correct. However, proof checking does not address the real problem: while errors in the ...

7 | Muscadet 2.3: A knowledge-based theorem prover based on natural deduction
- Pastre
Citation Context: ...ral deduction (ND) style proofs, which are goal-directed and thus closer to human reasoning than resolution proofs, and we show how the approach can be applied to the proofs found by the Muscadet ATP [21]. We explain how to construct the safety cases by covering the ND proof tree with corresponding safety case fragments. The argument is built in the same top-down way as the proof: it starts with the o...

6 | Constructing a Safety Case for Automatically Generated Code from Formal Program Verification Information
- Basir, Denney, et al.
- 2008
Citation Context: ... the technical details of the formal proof machinery. This paper is a continuation of our previous work to construct safety cases from information collected during the formal verification of the code [4], but here we concentrate on the certification components, i.e., the domain theory and the ATP used to support the software safety assurance process. 2 Formal Software Safety Certification Our work is...

6 | Software Certification and Software Certification Management Systems
- Denney, Fischer
- 2005
Citation Context: ... of annotation inference to explicate the top-level structure of such software safety cases. We consider the safety cases as a first step towards a fully-fledged software certificate management system [9] which will provide storage and reporting capabilities for all artifacts. We also believe that the result of our research will be a comprehensive safety case (i.e., for the program being certified, as...

2 | A verification-driven approach to traceability and documentation for auto-generated mathematical software
- Denney, Fischer
- 2009
Citation Context: ...luding models, code, specifications, mathematical equations and formulas, and tables of engineering constants. Tools supported by automated analyses can be used to produce a traceable safety argument [10] that shows in particular where the code, verification artifacts and the argument itself depends on any external assumptions. However, many tools commonly applied to ensure software safety rely on bla...

2 | Ivy: A Preprocessor and Proof Checker for First-order Logic. Computer-Aided Reasoning: ACL2 Case Studies (edited by
Citation Context: ...ed proofs. Our work combines abstraction, verbalization and visualization to reveal and present the proof’s underlying argumentation structure and top-level assumptions. Alternatively, proof checkers [20, 24] have been used to increase trust in formal proofs, by demonstrating that every individual step in the proof is correct. However, proof checking does not address the real problem: while errors in the ...

1 | Convincing Proofs for Program Certification
- Garnacho, Prin
- 2008
Citation Context: ...emonstrating that every individual step in the proof is correct. However, proof checking does not address the real problem: while errors in the implementations of provers do occur, they are very rare [13]; errors and inconsistencies in the formalization of the domain theory in contrast are much more common, but these are not detected by the standard proof checking techniques. 9 Conclusions 7 Proof Abs...
Citation Context ...emonstrating that every individual step in the proof is correct. However, proof checking does not address the real problem: while errors in the implementations of provers do occur, they are very rare =-=[13]-=-; errors and inconsistencies in the formalization of the domain theory in contrast are much more common, but these are not detected by the standard proof checking techniques. 9 Conclusions 7 Proof Abs... |