Skip to main content
SpringerLink
Log in

Verification by Way of Refinement: A Case Study in the Use of Coq and TLA in the Design of a Safety Critical System

  • Conference paper
  • First Online:
Book cover Critical Systems: Formal Methods and Automated Verification (AVoCS 2016, FMICS 2016)

Part of the book series: Lecture Notes in Computer Science ((LNPSE,volume 9933))

  • 777 Accesses

Abstract

Sandia engineers use the Temporal Logic of Actions (TLA) early in the design process for digital systems where safety considerations are critical. TLA allows us to easily build models of interactive systems and prove (in the mathematical sense) that those models can never violate safety requirements, all in a single formal language. TLA models can also be refined, that is, extended by adding details in a carefully prescribed way, such that the additional details do not break the original model. Our experience suggests that engineers using refinement can build, maintain, and prove safety for designs that are significantly more complex than they otherwise could. We illustrate the way in which we have used TLA, including refinement, with a case study drawn from a real safety-critical system. This case exposes a need for refinement by composition, which is not currently provided by TLA. We have extended TLA to support this kind of refinement by building a specialized version of it in the Coq theorem prover. Taking advantage of Coq’s features, our version of TLA exhibits other benefits over stock TLA: we can prove certain difficult kinds of safety properties using mathematical induction, and we can certify the correctness of our proofs.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    The full code is available at https://github.com/philipjf/AWG-AVOCS-2016. Note that while we have typeset \(\text {TLA}^{+}\) in this paper the original source are in ASCII format.

References

  1. Abadi, M., Lamport, L.: The existence of refinement mappings. Theoret. Comput. Sci. 82(2), 253–284 (1991)

    Article  MathSciNet  MATH  Google Scholar 

  2. Abadi, M., Lamport, L.: Conjoining specifications. ACM Trans. Program. Lang. Syst. 17(3), 507–535 (1995)

    Article  Google Scholar 

  3. Abadi, M., Merz, S.: On TLA as a logic. In: Proceedings of the NATO Advanced Study Institute on Deductive Program Design, pp. 235–271 (1996)

    Google Scholar 

  4. Chaudhuri, K., Doligez, D., Lamport, L., Merz, S.: The TLA\(^ \text{+ } \) proof system: building a heterogeneous verification platform. In: Cavalcanti, A., Deharbe, D., Gaudel, M.-C., Woodcock, J. (eds.) ICTAC 2010. LNCS, vol. 6255, pp. 44–44. Springer, Heidelberg (2010)

    Chapter  Google Scholar 

  5. Cohen, E., Lamport, L.: Reduction in TLA. In: Sangiorgi, D., de Simone, R. (eds.) CONCUR 1998. LNCS, vol. 1466, pp. 317–331. Springer, Heidelberg (1998)

    Chapter  Google Scholar 

  6. The Coq Development Team: The Coq proof assistant reference manual. LogiCal Project, Version 8.0 (2004)

    Google Scholar 

  7. Lamport, L.: The temporal logic of actions. ACM Trans. Program. Lang. Syst. 16(3), 872–923 (1994)

    Article  Google Scholar 

  8. Lamport, L.: Refinement in state-based formalisms. Technical report, DEC Systems Research Center (1996)

    Google Scholar 

  9. Lamport, L.: Specifying Systems: The TLA+ Language and Tools for Hardware and Software Engineers. Addison-Wesley Longman Publishing Co. Inc., Boston (2002)

    Google Scholar 

  10. Ricketts, D., Malecha, G., Alvarez, M.M., Gowda, V., Lerner, S. Towards verification of hybrid systems in a foundational proof assistant. In: MEMOCODE 2015, pp. 248–257. IEEE (2015)

    Google Scholar 

  11. Svenningsson, J., Axelsson, E.: Combining deep and shallow embedding for EDSL. In: Loidl, H.-W., Peña, R. (eds.) TFP 2012. LNCS, vol. 7829, pp. 21–36. Springer, Heidelberg (2013)

    Chapter  Google Scholar 

  12. Wan, H., He, A., You, Z., Zhao, X.: Formal proof of a machine closed theorem in Coq. J. Appl. Math. 2014, 8 (2014). Article ID 892832, Hindawi Publishing Corporation, Cairo

    MathSciNet  Google Scholar 

  13. Wenzel, M.: The Isabelle/Isar Reference Manual (2012)

    Google Scholar 

  14. Yu, Y., Manolios, P., Lamport, L.: Model checking TLA\(^{+}\) specifications. In: Pierre, L., Kropf, T. (eds.) CHARME 1999. LNCS, vol. 1703, pp. 54–66. Springer, Heidelberg (1999)

    Chapter  Google Scholar 

Download references

Acknowledgement

Sandia National Laboratories is a multi-program laboratory managed and operated by Sandia Corporation, a wholly owned subsidiary of Lockheed Martin Corporation, for the U.S. Department of Energy’s National Nuclear Security Administration (NNSA) under contract DE-AC04-94AL85000. This work was funded by NNSA’s Advanced Simulation and Computing (ASC) Program.

Author information

Authors and Affiliations

  1. University of Oregon, Eugene, OR, USA

    Philip Johnson-Freyd & Zena M. Ariola

  2. Sandia National Laboratories, Livermore, CA, USA

    Geoffrey C. Hulette

Authors
  1. Philip Johnson-Freyd
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Geoffrey C. Hulette
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Zena M. Ariola
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Philip Johnson-Freyd .

Editor information

Editors and Affiliations

  1. ISTI-CNR , Pisa, Italy

    Maurice H. ter Beek

  2. ISTI-CNR , Pisa, Italy

    Stefania Gnesi

  3. Universität Augsburg, Augsburg, Germany

    Alexander Knapp

Rights and permissions

Reprints and permissions

Copyright information

© 2016 Springer International Publishing AG

About this paper

Cite this paper

Johnson-Freyd, P., Hulette, G.C., Ariola, Z.M. (2016). Verification by Way of Refinement: A Case Study in the Use of Coq and TLA in the Design of a Safety Critical System. In: ter Beek, M., Gnesi, S., Knapp, A. (eds) Critical Systems: Formal Methods and Automated Verification. AVoCS FMICS 2016 2016. Lecture Notes in Computer Science(), vol 9933. Springer, Cham. https://doi.org/10.1007/978-3-319-45943-1_14

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-45943-1_14

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-45942-4

  • Online ISBN: 978-3-319-45943-1

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation