Real-Time and Safety-Critical Systems

  • Jonathan Ostroff
  • Susan Gerhart
  • Dan Craigen
  • Ted Ralston
  • Nancy G. Leveson
  • Jonathan Bowen
  • Victoria Stavridou
Part of the Formal Approaches to Computing and Information Technology (FACIT) book series (FACIT)

Abstract

A real-time system is one in which the timing of the output is significant [195]. Such a system accepts inputs from the ‘real world’ and must respond with outputs in a timely manner (typically within milliseconds — a response time of the same order of magnitude as the time of computation — otherwise, for example, a payroll system could be considered ‘real-time’ since employees expect to be paid at the end of each month). Many real-time systems are embedded systems, where the fact that a computer is involved may not be immediately obvious (e.g., a washing machine). Real-time software often needs to be of high integrity [10].

Keywords

Formal Method, Temporal Logic, Proof System, Branching Time Logic, Metric Temporal Logic

References

  1. B. Alpern and F.B. Schneider. Verifying temporal properties without temporal logic. ACM Transactions on Programming Languages and Systems, 11(1), 1989.
  2. R. Alur. Techniques for Automatic Verification of Real-Time Systems. PhD Thesis, Dept. of Computer Science, Stanford University, CA 94305, 1991.
  3. R. Alur, C. Courcoubetis, and D.L. Dill. Model checking for real-time systems. In Proceedings 5th Conference on Logic in Computer Science. IEEE, 1990.
  4. R. Alur and D.L. Dill. Automata for modeling real-time systems. In M.S. Paterson, editor, ICALP 90: Automata, Languages and Programming, LNCS 443, pages 322–335. Springer-Verlag, 1990.
  5. R. Alur, T. Feder, and T.A. Henzinger. The benefits of relaxing punctuality. In Proceedings of the 10th Annual ACM Symposium on Principles of Distributed Computing, 1991.
  6. R. Alur and T.A. Henzinger. Logics and models of real-time: A survey. In J.W. de Bakker, C. Huizing, W.-P. de Roever, and G. Rozenberg, editors, Proceedings of the REX Workshop — Real-Time: Theory in Practice, LNCS 600. Springer-Verlag, 1991.
  7. R. Alur and T.A. Henzinger. Real-time logics: Complexity and expressiveness. In Proceedings of the 5th Annual IEEE Symposium on Logic in Computer Science, pages 390–401, June 1990.
  8. J.C.M. Baeten and J.A. Bergstra. Real Time Process Algebra. Technical Report CS-R9053, Center for Mathematics and Computer Science, Amsterdam, 1990.
  9. A. Benveniste and P. LeGuernic. Hybrid dynamical systems theory and the SIGNAL language. IEEE Transactions on Automatic Control, 35(5):535–546, May 1990.
  10. A. Bernstein and P.K. Harter. Proving real-time properties of programs with temporal logic. In Proceedings of the ACM SIGOPS 8th Annual Symposium on Operating Systems Principles, pages 1–11, December 1981.
  11. G. Berry and G. Gonthier. The Esterel Synchronous Programming Language: Design, Semantics, Implementation. Technical Report, Ecole Nationale Supérieure des Mines de Paris, 1988.
  12. B. Berthomieu and M. Diaz. Modeling and verification of time dependent systems using time Petri nets. IEEE Transactions on Software Engineering, 17(3):259–273, March 1991.
  13. J. Billington, G.R. Wheeler, and M.C. Wilbur-Ham. PROTEAN: a high-level Petri net tool for the specification and verification of communication protocols. IEEE Transactions on Software Engineering, 14(3):301–316, March 1988.
  14. T. Bolognesi and F. Lucidi. LOTOS-like process algebra with urgent or timed interactions. In J.W. de Bakker, C. Huizing, W.-P. de Roever, and G. Rozenberg, editors, Proceedings of the REX Workshop — Real-Time: Theory in Practice, LNCS 600. Springer-Verlag, 1991.
  15. K.P. Brand and J. Kopainsky. Principles and engineering of process control with Petri nets. IEEE Transactions on Automatic Control, 33(2):138–149, February 1988.
  16. P. Caspi, D. Pilaud, N. Halbwachs, and J. Plaice. LUSTRE: a declarative language for programming synchronous systems. In Proc. 14th ACM Symposium on Programming Languages, January 1987.
  17. J.F. Cassidy, T.Z. Chu, M. Kutcher, S.B. Gershwin, and Y. Ho. Research needs in manufacturing systems. IEEE Control Systems Magazine, 5(3):11–13, August 1985.
  18. CCITT. CCITT High Level Language CHILL, Recommendation Z.200. CCITT, Geneva, 1980.
  19. K.M. Chandy and J. Misra. Parallel Program Design. Addison-Wesley, Reading, Massachusetts, 1988.
  20. E.M. Clarke, E.A. Emerson, and A.P. Sistla. Automatic verification of finite state concurrent systems using temporal logic. ACM Transactions on Programming Languages and Systems, 8(2):244–263, April 1986.
  21. J. Davies. Specification and Proof in Real-Time Systems. PhD Thesis, Oxford University Computing Laboratory, Oxford, UK, 1991.
  22. W.-P. de Roever. Foundations of computer science: Leaving the ivory tower. In EATCS Bulletin. EATCS, June 1991.
  23. E.W. Dijkstra. A Discipline of Programming. Prentice-Hall, Englewood Cliffs, New Jersey, 1976.
  24. E.A. Emerson and E.M. Clarke. Using branching time temporal logic to synthesize synchronization skeletons. Science of Computer Programming, 2:241–266, 1982.
  25. E.A. Emerson and J.Y. Halpern. ‘Sometimes’ and ‘not never’ revisited: on branching versus linear time temporal logic. Journal of the Association for Computing Machinery, 33(1):151–178, January 1986.
  26. E.A. Emerson, A.K. Mok, A.P. Sistla, and J. Srinivasan. Quantitative temporal reasoning. In E.M. Clarke, A. Pnueli, and J. Sifakis, editors, Proceedings of the Workshop on Automatic Verification Methods for Finite State Systems, Lecture Notes in Computer Science. Springer-Verlag, 1989.
  27. F.S. Etessami and G.S. Hura. Rule based design methodology for solving control problems. IEEE Transactions on Software Engineering, 17(3):274–282, March 1991.
  28. N. Francez. Fairness. Springer-Verlag, 1986.
  29. A. Gabrielian and M.K. Franklin. State-based specification of complex real-time systems. In Proceedings of the 9th Real-Time Systems Symposium, pages 2–11, December 1988.
  30. A. Galton, editor. Temporal Logics and their Applications. Academic Press, 1987.
  31. J.R. Garman. The bug heard round the world. ACM SIGSOFT Software Engineering Notes, 6(5), 1981.
  32. R. Gerber and I. Lee. CCSR: A calculus for communicating shared resources. In CONCUR ’90, LNCS 458, pages 263–277. Springer-Verlag, August 1990.
  33. R. Gerber and I. Lee. A proof system for communicating shared resources. In Proceedings of the Real-Time Systems Symposium, 1990.
  34. C. Ghezzi, D. Mandrioli, and A. Morzenti. TRIO, a logic language for executable specifications of real-time systems. Journal of Systems and Software, 12(2):107–123, May 1990.
  35. D. Gries. The Science of Programming. Springer-Verlag, 1985.
  36. R.W.S. Hale. Using temporal logic for prototyping: The design of a lift controller. In B. Banieqbal, H. Barringer, and A. Pnueli, editors, Temporal Logic in Specification, LNCS 398. Springer-Verlag, 1989.
  37. H.A. Hansson. Time and Probability in Formal Design and Distributed Systems. PhD Thesis, Dept. of Computer Science, Uppsala University, S-751 20 Uppsala, Sweden, 1991.
  38. D. Harel. Statecharts: A visual formalism for complex systems. Science of Computer Programming, 8:231–274, 1987.
  39. D. Harel. Biting the silver bullet: Towards a brighter future for systems development. Technical Report CS90–08, Weizmann Institute, 1990.
  40. D. Harel. Biting the silver bullet: Towards a brighter future for system development. Computer, 25(1):8–20, January 1992.
  41. D. Harel, H. Lachover, A. Naamad, A. Pnueli, M. Politi, R. Sherman, and M. Trakhtenbrot. Statemate: a working environment for the development of complex reactive systems. IEEE Transactions on Software Engineering, 16:403–414, 1990.
  42. D. Harel and A. Pnueli. On the development of reactive systems. In K.R. Apt, editor, Logics and Models of Concurrent Systems, volume 13 of NATO ASI, pages 477–498. Springer-Verlag, 1985.
  43. E. Harel, O. Lichtenstein, and A. Pnueli. Explicit clock temporal logic. In Proceedings of the 5th Annual Symposium on Logic in Computer Science, pages 402–413, June 1990.
  44. D.J. Hatley and I.A. Pirbhai. Strategies for Real-Time System Specification. Dorset House Publishing Co., New York, 1988.
  45. M. Hennessy and T. Regan. A process algebra for timed systems. Technical Report 5/91, Dept. of Computer Science, University of Sussex, UK, 1991.
  46. T.A. Henzinger. The Temporal Specification and Verification of Real-Time Systems. PhD Thesis, Dept. of Computer Science, Stanford University, CA, 1991.
  47. T.A. Henzinger, Z. Manna, and A. Pnueli. Temporal proof methodologies for real-time systems. In Proceedings of the 18th ACM Symposium on Principles of Programming Languages, pages 353–366, January 1991.
  48. C.A.R. Hoare. Communicating Sequential Processes. Prentice-Hall, 1985.
  49. C.A.R. Hoare. An axiomatic basis for computer programming. Communications of the ACM, 12(10), October 1969.
  50. J. Hooman. Specification and Compositional Verification of Real-Time Systems. PhD Thesis, Dept. of Mathematics and Computer Science, Eindhoven University of Technology, Eindhoven, The Netherlands, 1991.
  51. J. Hooman and W.-P. de Roever. Design and verification in real-time distributed computing: an introduction to compositional methods. In Proceedings of the 9th International Symposium on Protocol Specification, Testing and Verification. North-Holland, 1989.
  52. J. Hooman and J. Widom. A temporal logic based compositional proof system for real-time message passing. In Proceedings of PARLE 89, Vol. II, LNCS 366. Springer-Verlag, 1989.
  53. C. Huizing. Semantics of Reactive Systems: Comparison and Full Abstraction. PhD Thesis, Technische Universiteit Eindhoven, March 1991.
  54. K. Inan and P.P. Varaiya. Finitely recursive process models for discrete event systems. IEEE Transactions on Automatic Control, 33(7):626–639, July 1988.
  55. M.S. Jaffe, N.G. Leveson, M.P.E. Heimdahl, and B.E. Melhart. Software requirements analysis for real-time process control systems. IEEE Transactions on Software Engineering, 17(3):241–258, March 1991.
  56. F. Jahanian and A.K. Mok. Safety analysis of timing properties in real-time systems. IEEE Transactions on Software Engineering, SE-12(9):890–904, September 1986.
  57. F. Jahanian and A.K. Mok. A graph-theoretic approach for timing analysis and its implementation. IEEE Transactions on Computers, C-36(8), 1987.
  58. F. Jahanian and D. Stuart. A method for verifying properties of Modechart specifications. In Proceedings 9th Real-Time Systems Symposium, pages 12–21. IEEE Computer Society, December 1988.
  59. C.B. Jones. Systematic Software Development using VDM. International Series in Computer Science. Prentice-Hall, 1986.
  60. M. Joseph and A. Goswami. Formal Description of Real-Time Systems: A Review. Technical Report RR129, Dept. of Computer Science, University of Warwick, UK, August 1988.
  61. R. Koymans. (Real) time: A philosophical perspective. In J.W. de Bakker, C. Huizing, W.-P. de Roever, and G. Rozenberg, editors, Proceedings of the REX Workshop — Real-Time: Theory in Practice, LNCS 600. Springer-Verlag, 1991.
  62. R. Koymans, R.K. Shyamasundar, W.-P. de Roever, R. Gerth, and S. Arun-Kumar. Compositional semantics for real-time distributed computing. In Proceedings of Logics of Programs (Brooklyn), LNCS 193, pages 167–190. Springer-Verlag, 1985.
  63. R. Koymans, J. Vytopil, and W.-P. de Roever. Real-time programming and asynchronous message passing. In Proc. 2nd Annual Symposium on Principles of Distributed Computing, pages 187–197, Montreal, August 1983. (An extended version appeared in Information and Computation, Volume 79, Number 3, December 1988.)
  64. R. Koymans. Specifying real-time properties with metric temporal logic. Real-Time Systems, 2(4):255–299, November 1990.
  65. J. Kramer and J. Magee. Dynamic configuration for distributed systems. IEEE Transactions on Software Engineering, SE-11(4):424–436, April 1985.
  66. F. Kröger. Temporal Logics of Programs, volume 8 of EATCS Monographs on Theoretical Computer Science. Springer-Verlag, 1987.
  67. L. Lamport. What good is temporal logic? In R.E. Mason, editor, Information Processing 83, pages 657–668. Elsevier Science Publishers, North-Holland, 1983.
  68. L. Lamport. The temporal logic of actions. Technical Report, DEC Systems Research Center, Palo Alto, CA, 1991.
  69. L. Lamport. Specifying concurrent program modules. ACM Transactions on Programming Languages and Systems, 5(2):190–222, April 1983.
  70. L. Lamport. ‘Sometime’ is sometimes ‘not never’. In Proceedings of the 7th Annual ACM Symposium on Principles of Programming Languages, pages 174–185, January 1980.
  71. M.S. Lawford. Transformational Equivalence of Timed Transition Models. Master’s Thesis, Dept. of Electrical Engineering, University of Toronto, Toronto, Canada, 1992. (Available as Systems Control Group Report No. 9202, January 1992.)
  72. N.G. Leveson and J.L. Stolzy. Safety analysis using Petri nets. IEEE Transactions on Software Engineering, SE-13(3):386–397, March 1987.
  73. S.-T. Levi and A.K. Agrawala. Real Time System Design. McGraw-Hill Publishing Company, 1990.
  74. A.H. Levis. Challenges to control: a collective view. IEEE Transactions on Automatic Control, AC-32(4), April 1987.
  75. Y. Li. Control of Vector Discrete-Event Systems. PhD Thesis, Dept. of Electrical Engineering, University of Toronto, Toronto, Canada, 1991. (Available as Systems Control Group Report No. 9106, July 1991.)
  76. INMOS Limited. Occam Programming Manual. International Series in Computer Science. Prentice-Hall, Englewood Cliffs, New Jersey, 1984.
  77. N. Lynch and F. Vaandrager. Forward and backward simulations for timing-based systems. In J.W. de Bakker, C. Huizing, W.-P. de Roever, and G. Rozenberg, editors, Proceedings of the REX Workshop — Real-Time: Theory in Practice, LNCS 600. Springer-Verlag, 1991.
  78. G.H. MacEwen and D.B. Skillicorn. Using higher-order logic for modular specification of real-time distributed systems. In M. Joseph, editor, Symposium on Formal Techniques in Real-Time and Fault-Tolerant Systems, LNCS 331, pages 36–66. Springer-Verlag, 1988.
  79. J. Magee, J. Kramer, and M. Sloman. Constructing distributed systems in Conic. IEEE Transactions on Software Engineering, 15(6):663–675, June 1989.
  80. Z. Manna and A. Pnueli. Specification and verification of concurrent programs by ∀-automata. In Proceedings of the 14th ACM Symposium on Principles of Programming Languages, pages 1–12, 1987.
  81. Z. Manna and A. Pnueli. The anchored version of the temporal framework. In J.W. de Bakker, W.-P. de Roever, and G. Rozenberg, editors, Models of Concurrency: Linear, Branching and Partial Orders, LNCS. Springer-Verlag, 1989.
  82. Z. Manna and A. Pnueli. The Temporal Logic of Reactive and Concurrent Systems. Springer-Verlag, 1992.
  83. Z. Manna and A. Pnueli. Verification of Concurrent Programs: A Temporal Proof System. Technical Report, Dept. of Computer Science, Stanford University, CA, June 1983. See also Foundations of Computer Science IV, Amsterdam, Mathematical Centre Tracts, pages 163–225, 1983.
  84. Z. Manna and P. Wolper. Synthesis of communicating processes from temporal logic specifications. ACM Transactions on Programming Languages and Systems, 6(1):68–93, January 1984.
  85. K. Marzullo, F.B. Schneider, and N. Budhiraja. Derivation of Sequential, Real-Time, Process-Control Programs. Technical Report 91–1217, Dept. of Computer Science, Cornell University, Ithaca, New York 14853, 1991.
  86. B.E. Melhart, N.G. Leveson, and M.S. Jaffe. Analysis Capabilities for Requirements Specified in Statecharts. Technical Report, Dept. of Information and Computer Science, University of California, Irvine, California, September 1988.
  87. M. Menasche. PAREDE: An automated tool for the analysis of time(d) Petri nets. In International Workshop on Timed Petri Nets, pages 162–169. IEEE Computer Society, June 1985.
  88. P.M. Merlin and A. Segall. Recoverability of communication protocols — implications of a theoretical study. IEEE Transactions on Communications, pages 1036–1043, September 1976.
  89. G.J. Milne. CIRCAL and the representation of communication, concurrency and time. ACM Transactions on Programming Languages and Systems, 7(2):270–298, April 1985.
  90. R. Milner. A Calculus of Communicating Systems. LNCS 92. Springer-Verlag, 1980.
  91. R. Milner. Some directions in concurrency theory (panel statement). In Proceedings of the International Conference on Fifth Generation Computer Systems. ICOT, 1988.
  92. A.K. Mok. Towards mechanization of real-time system design. In Foundations of Real-Time Computing: Formal Specifications and Methods. Kluwer Press, 1991.
  93. F. Moller and C. Tofts. A temporal calculus of communicating systems. In CONCUR ’90, LNCS 458, pages 401–415. Springer-Verlag, 1990.
  94. E.T. Morgan and R.R. Razouk. Interactive state-space analysis of concurrent systems. IEEE Transactions on Software Engineering, SE-13(10):1080–1091, October 1987.
  95. B. Moszkowski. A temporal logic for multilevel reasoning about hardware. Computer, 18(2):10–19, February 1985.
  96. K.T. Narayana and A.A. Aaby. Specification of real-time systems in real-time temporal interval logic. In Proceedings Real-Time Systems Symposium, pages 86–95. IEEE Computer Society, December 1988.
  97. X. Nicollin, J.L. Richier, J. Sifakis, and J. Voiron. ATP: an algebra for timed processes. In Proceedings IFIP Working Group Conference on Programming Concepts and Methods, pages 402–429, 1990.
  98. X. Nicollin and J. Sifakis. An overview and synthesis of timed process algebras. In J.W. de Bakker, C. Huizing, W.-P. de Roever, and G. Rozenberg, editors, Proceedings of the REX Workshop — Real-Time: Theory in Practice, LNCS 600. Springer-Verlag, 1991.
  99. X. Nicollin, J. Sifakis, and S. Yovine. From ATP to timed graphs and hybrid semantics. In J.W. de Bakker, C. Huizing, W.-P. de Roever, and G. Rozenberg, editors, Proceedings of the REX Workshop — Real-Time: Theory in Practice, LNCS 600. Springer-Verlag, 1991.
  100. E.R. Olderog and C.A.R. Hoare. Specification oriented semantics. Acta Informatica, 23:9–66, 1986.
  101. O. Maler, Z. Manna, and A. Pnueli. From timed to hybrid systems. In J.W. de Bakker, C. Huizing, W.-P. de Roever, and G. Rozenberg, editors, Proceedings of the REX Workshop — Real-Time: Theory in Practice, LNCS 600. Springer-Verlag, 1991.
  102. J.S. Ostroff. Real-Time Computer Control of Discrete Event Systems Modelled by Extended State Machines: A Temporal Logic Approach. Technical Report 8618, Systems Control Group, Dept. of Electrical Engineering, University of Toronto, Toronto, Canada, September 1986. Revised January 1987.
  103. J.S. Ostroff. Synthesis of controllers for real-time discrete event systems. In Proceedings of the 28th IEEE Conference on Decision and Control, December 1989.
  104. J.S. Ostroff. Temporal Logic for Real-Time Systems. Advanced Software Development Series. Research Studies Press Limited (distributed by John Wiley and Sons), England, 1989.
  105. J.S. Ostroff. Deciding properties of timed transition models. IEEE Transactions on Parallel and Distributed Systems, 1(2):170–183, April 1990.
  106. J.S. Ostroff. Constraint logic programming for reasoning about discrete event processes. The Journal of Logic Programming, 11(3&4):243–270, October/November 1991.
  107. J.S. Ostroff. Systematic development of real-time discrete event systems. In Proceedings of the ECC91 European Control Conference, pages 522–533, Paris, France, July 1991. Hermes Press.
  108. J.S. Ostroff. Verification of safety critical systems using TTM/RTTL. In J.W. de Bakker, C. Huizing, W.-P. de Roever, and G. Rozenberg, editors, Proceedings of the REX Workshop — Real-Time: Theory in Practice, LNCS 600. Springer-Verlag, 1991.
  109. J.S. Ostroff. A verifier for real-time properties. Real-Time Journal, 4:5–35, 1992. (In press.)
  110. J.S. Ostroff and W.M. Wonham. A framework for real-time discrete event control. IEEE Transactions on Automatic Control, April 1990.
  111. J.S. Ostroff and W.M. Wonham. A temporal logic approach to real time control. In Proceedings of the 24th IEEE Conference on Decision and Control, pages 656–657, Florida, December 1985.
  112. S. Owicki and L. Lamport. Proving liveness properties of concurrent programs. ACM Transactions on Programming Languages and Systems, 4(3):455–495, July 1982.
  113. S.S. Owicki and D. Gries. Verifying properties of parallel programs: an axiomatic approach. Communications of the ACM, 19(5), May 1976.
  114. D.L. Parnas and J. Madey. Functional Documentation for Computer Systems Engineering. Technical Report TR 90–287, TRIO, Queen’s University, Kingston, Ontario, Canada K7L 3N6, 1990.
  115. D.L. Parnas, A.J. van Schouwen, and S.P. Kwan. Evaluation standards for safety-critical software. Technical Report TR 88–220, Department of Computer Science, Queen’s University, Kingston, Ontario, Canada, May 1988.
  116. J.L. Peterson. Petri Net Theory and the Modelling of Systems. Prentice-Hall, Englewood Cliffs, N.J., 1981.
  117. A. Pnueli. The temporal logic of programs. In Proceedings of the 18th IEEE Annual Symposium on the Foundations of Computer Science, pages 46–57, Providence, R.I., November 1977.
  118. A. Pnueli and E. Harel. Applications of temporal logic to the specification of real-time systems. In Formal Techniques in Real-Time and Fault Tolerant Systems, LNCS 331. Springer-Verlag, 1988.
  119. A. Pnueli and M. Shalev. What is in a step? In T. Ito and A.R. Meyer, editors, Theoretical Aspects of Computer Software, LNCS 298, pages 244–264. Springer-Verlag, 1991.
  120. A. Pnueli. Applications of temporal logic to the specification and verification of reactive systems: a survey of current trends. In J.W. de Bakker, W.-P. de Roever, and G. Rozenberg, editors, Current Trends in Concurrency, LNCS 244. Springer-Verlag, 1986.
  121. W.J. Quirk. Verification and Validation of Real-Time Software. Springer-Verlag, Berlin, 1985.
  122. P.J. Ramadge and W.M. Wonham. Modular feedback logic for discrete event systems. SIAM Journal of Control and Optimization, 25(5):1202–1218, September 1987.
  123. P.J. Ramadge and W.M. Wonham. Supervisory control of a class of discrete-event processes. SIAM Journal of Control and Optimization, 25(1):206–230, January 1987.
  124. C. Ramchandani. Analysis of asynchronous concurrent systems by timed Petri nets. Technical Report MAC TR 120, MIT, February 1974.
  125. R.R. Razouk and C.V. Phelps. Performance analysis of timed Petri nets. In Proceedings of 4th International Workshop on Protocol Verification and Testing, June 1984.
  126. G.M. Reed and A.W. Roscoe. A timed model for communicating sequential processes. In Proceedings ICALP 86, LNCS 226. Springer-Verlag, 1986.
  127. G.M. Reed and A.W. Roscoe. A timed model for communicating sequential processes. Theoretical Computer Science, 58:249–261, June 1988.
  128. G.M. Reed, A.W. Roscoe, et al. Timed CSP: Theory and practice. In J.W. de Bakker, C. Huizing, W.-P. de Roever, and G. Rozenberg, editors, Proceedings of the REX Workshop — Real-Time: Theory in Practice, LNCS 600. Springer-Verlag, 1991.
  129. W. Reisig. Petri Nets: An Introduction. Springer-Verlag, Berlin, 1985.
  130. N. Rescher and A. Urquhart. Temporal Logic. Springer-Verlag, Library of Exact Philosophy, 1971.
  131. F.B. Schneider, B. Bloom, and K. Marzullo. Putting time into proof outlines. In J.W. de Bakker, C. Huizing, W.-P. de Roever, and G. Rozenberg, editors, Proceedings of the REX Workshop — Real-Time: Theory in Practice, LNCS 600. Springer-Verlag, 1991.
  132. S. Schneider. Correctness and Communication in Real-Time Systems. PhD Thesis, Oxford University Computing Laboratory, Oxford, UK, 1990.
  133. D.J. Scholefield. The Formal Development of Real-Time Systems. Technical Report, Dept. of Computer Science, University of York, UK, 1990.
  134. R.L. Schwartz and P.M. Melliar-Smith. From state machines to temporal logic: Specification methods for protocol standards. IEEE Transactions on Communications, COM-30(12), December 1982.
  135. A. Shaw. Reasoning about time in higher-level language software. IEEE Transactions on Software Engineering, SE-15(7):875–899, July 1989.
  136. J.M. Spivey. The Z Notation: A Reference Manual. Prentice-Hall, Englewood Cliffs, N.J., 1989.
  137. J.A. Stankovic. Misconceptions about real-time computing: a serious problem for next generation systems. Computer, 21(10):10–19, October 1988.
  138. W.M. Turski. Time considered irrelevant for real-time systems. BIT, 28:473–486, 1988.
  139. USDOD. Reference Manual for the Ada Programming Language. Springer-Verlag, New York, 1983.
  140. W.M.P. van der Aalst. Timed Coloured Petri Nets and their Application to Logistics. PhD Thesis, Eindhoven University of Technology, Eindhoven, The Netherlands, 1992.
  141. P. Ward and S. Mellor. Structured Development for Real-Time Systems. Yourdon Press, New York, 1985.
  142. N. Wirth. Towards a discipline of real-time programming. Communications of the ACM, 20(8), August 1977.
  143. W.M. Wonham. Linear Multivariable Control: A Geometric Approach. Springer-Verlag, 3rd edition, 1985.
  144. Wang Yi. CCS + time = an interleaving model for real time systems. In Proceedings of ICALP ’91, Madrid, Spain, 1991.
  145. W.M. Zuberek. Timed Petri nets and preliminary performance evaluation. In Proceedings 7th Annual Symposium on Computer Architecture, La Baule, France, 1980.
  146. D. Craigen and K. Summerskill, editors. Formal Methods for Trustworthy Computer Systems. Springer-Verlag, London, 1990.
  147. D. Craigen, S. Gerhart, and T. Ralston. An International Survey of Industrial Applications of Formal Methods, Volume 1: Study Methodology. Tech. Report PB93–178556/AS, National Technical Information Service, Springfield, Va.; Tech. Report 5546–93–9581, US Naval Research Laboratory, Washington, DC; Tech. Report INFO-0474–1, Atomic Energy Control Board of Canada, Ontario, 1993.
  148. D. Craigen, S. Gerhart, and T. Ralston. An International Survey of Industrial Applications of Formal Methods, Volume 2: Case Studies. Tech. Report PB93–178564/AS, National Technical Information Service, Springfield, Va.; Tech. Report 5546–93–9582, US Naval Research Laboratory, Washington, DC; Tech. Report INFO-0474–2, Atomic Energy Control Board of Canada, Ontario, 1993.
  149. S. Gerhart, D. Craigen, and T. Ralston. Observations on industrial applications of formal methods. In Proc. 15th International Conference on Software Engineering, pages 24–33. IEEE CS Press, Los Alamitos, Calif., 1993.
  150. D. Craigen, S. Gerhart, and T. Ralston. Formal methods reality check: Industrial usage. In Proc. Formal Methods Europe, pages 250–268. Springer-Verlag, Berlin, 1993.
  151. Ministry of Defence. The Procurement of Safety Critical Software in Defence Equipment (Part 1: Requirements, Part 2: Guidance). Interim Defence Standard 00–55, Issue 1, Glasgow, Scotland, 1991.
  152. C. Potts. Software-engineering research revisited. IEEE Software, pages 19–28, September 1993.
  153. D. Craigen and K. Summerskill, editors. Formal Methods for Trustworthy Computer Systems. Springer-Verlag, London, 1990.
  154. S. Gerhart et al. Formal Methods Transition Study Final Report and Videotape. Tech. Report TR STP-FT-322/323–91, MCC Software Technology Program, Austin, Tex., 1991. (Available from RICIS, University of Houston at Clear Lake.)
  155. D. Brownbridge. Using Z to develop a CASE toolset. In Proc. Z User Workshop, pages 142–149. Springer-Verlag, London, 1989.
  156. I. Houston and S. King. CICS project report: Experiences and results from the use of Z. In Proc. VDM ’91, LNCS 551, pages 588–596. Springer-Verlag, Berlin, 1991.
  157. R. Linger and H. Mills. A case study in Cleanroom software engineering: the IBM COBOL Structuring Facility. In Proc. COMPSAC, pages 10–17. IEEE CS Press, Los Alamitos, Calif., 1988.
  158. D. Garlan and N. Delisle. Formal specifications as reusable frameworks. In Proc. VDM 92, pages 150–163. Springer-Verlag, Berlin, 1990.
  159. G. Barrett. Formal methods applied to a floating point number system. IEEE Transactions on Software Engineering, pages 611–621, 1989.
  160. D.R. Kuhn and J.F. Dray. Formal specification and verification of control software for cryptographic equipment. In Proc. Computer Security Applications Conference, pages 32–43. IEEE CS Press, Los Alamitos, Calif., 1990.
  161. Hewlett-Packard Journal, special issue on HP-SL, pages 24–65, December 1991.
  162. G. Archinoff et al. Verification of the shutdown system software at the Darlington Nuclear Generating Station. In Proc. International Conference on Control and Instrumentation in Nuclear Installations. Institution of Nuclear Engineers, London, 1990.
  163. T. Alspaugh et al. Software Requirements for the A-7E Aircraft. Tech. Report NRL/FR/5530–92–9194, US Naval Research Laboratory, Washington, DC, 1992.
  164. C.A.R. Hoare. An axiomatic basis for computer programming. Communications of the ACM, 12(10):576–580, 583, October 1969.
  165. J.-R. Abrial et al. The B method. In Proc. VDM ’91, pages 398–405. Springer-Verlag, Berlin, 1991.
  166. M. Carnot et al. Error-free software development for critical systems using the B-methodology. In Proc. International Symposium on Software Reliability Engineering. IEEE Press, New York, 1992.
  167. G. Guiho and C. Hennebert. SACEM software validation. In Proc. International Conference on Software Engineering, pages 186–191. IEEE CS Press, Los Alamitos, Calif., 1990.
  168. Federal Aviation Administration. Introduction to TCAS II. US Dept. of Transportation, Washington, DC, 1990.
  169. N. Leveson et al. Requirements specification for process-control systems. IEEE Transactions on Software Engineering, to appear.
  170. D. Harel. Statecharts: A visual formalism for complex systems. Science of Computer Programming, 8:231–274, M. Sintzoff, editor, North-Holland, Amsterdam, 1987.
  171. 1.
    “Trusted Computer System Evaluation Criteria,” Tech. Report DoD 5200.28.-STD, US Department of Defense, Washington DC, 1985.Google Scholar
  172. 2.
    “Mechanical Proofs about Computer Programs,” in Mathematical Logic and Programming Languages, C.A.R. Hoare and J.C. Shepherdson, eds., Prentice-Hall, Englewood Cliffs, N.J., 1985.Google Scholar
  173. 3.
    D. Good, “Mechanical Proofs about Computer Programs,” in Mathematical Logic and Programming Languages, C.A.R. Hoare and J.C. Sheperdson, eds., Prentice-Hall, Englewood Cliffs, N.J., 1985.Google Scholar
  174. 1.
    C.A. Bowsher. Medical device recalls: Examination of selected cases. Technical Report GAO Report GAO/PEMD-90–6, U.S. Government Accounting Organization, October 1990.Google Scholar
  175. 2.
    C.A. Bowsher. Medical devices: The public health at risk. Technical Report GAO Report GAO/T-PEMD-90–2, U.S. Government Accounting Organization, 1990.Google Scholar
  176. 3.
    M. Kival, editor. Radiological Health Bulletin, volume XX:8. Center for Devices and Radiological Health, Food and Drug Administration, Rockville, Maryland, December 1986.Google Scholar
  177. 4.
    Nancy G. Leveson and Clark S. Turner. An investigation of the Therac-25 accidents, IEEE Computer, 26(7): 18–41, July 1993.Google Scholar
  178. 5.
    Ed Miller. The Therac-25 experience. In Conference of State Radiation Control Program Directors, 1987.Google Scholar
  179. 6.
    J.A. Rawlinson. Report on the Therac-25. In OCTRF/OCI Physicists Meeting, Kingston, Ontario, May 1987.Google Scholar
  180. 7.
    R. Saltos. Man killed by accident with medical radiation. Boston Globe, June 20, 1986.Google Scholar

Standards, draft standards and guidelines

  S1. ‘Proposed Standard for Software for Computers in the Safety Systems of Nuclear Power Stations’. Final Report for contract 2.117.1 for the Atomic Energy Control Board, Canada, March 1991 (By David L. Parnas, TRIO, Computing and Information Science, Queen’s University, Kingston, Ontario K7L 3N6, Canada. Based on IEC Standard 880 [S9].)
  S2. ‘VDM Specification Proto-Standard’. Draft, ISO/IEC JTC1/SC22/WG19 IN9, 1991
  S3. ‘Military Standard: System Safety Program Requirements’. MIL-STD-882B, Department of Defense, Washington DC 20301, USA, 30 March 1984
  S4. ‘ESA Software Engineering Standards’. ESA PSS-05–0 Issue 2, European Space Agency, 8–10 rue Mario-Nikis, 75738 Paris Cedex, France, February 1991
  S5. Redmill, F. (Ed.): ‘Dependability of Critical Computer Systems 1 & 2’. European Workshop on Industrial Computer Systems Technical Committee 7 (EWICS TC7), Elsevier Applied Science, London, 1988/1989
  S6. ‘System Design Analysis’. US Department of Transportation, Federal Aviation Administration, Washington DC, USA, Advisory Circular 25.1309–2, September 1982
  S7. ‘Programmable Electronic Systems in Safety Related Applications: 1. An Introductory Guide’. Health and Safety Executive, HMSO, Publications Centre, PO Box 276, London SW8 5DT, UK, 1987
  S8. ‘Programmable Electronic Systems in Safety Related Applications: 2. General Technical Guidelines’. Health and Safety Executive, HMSO, Publications Centre, PO Box 276, London SW8 5DT, UK, 1987
  S9. ‘Software for Computers in the Safety Systems of Nuclear Power Stations’. International Electrotechnical Commission, IEC 880, 1986
  S10. ‘Software for Computers in the Application of Industrial Safety Related Systems’. International Electrotechnical Commission, Technical Committee no. 65, Working Group 9 (WG9), IEC 65A (Secretariat) 122, Version 1.0, 1 August 1991
  S11. ‘Functional Safety of Programmable Electronic Systems: Generic Aspects’. International Electrotechnical Commission, Technical Committee no. 65, Working Group 10 (WG10), IEC 65A (Secretariat) 123, February 1992
  S12. ‘Standard for Software Safety Plans’. Draft P1228, Software Safety Plans Working Group, Software Engineering Standards Subcommittee, IEEE Computer Society, USA, Draft J, 11 February 1991
  S13. ‘JTC1 Statement of Policy on Formal Description Techniques’. ISO/IEC JTC1 N145 and ISO/IEC JTC1/SC18 N13333, International Standards Organization, Geneva, Switzerland, 1987
  S14. ‘ISO 8807: Information Processing Systems — Open Systems Interconnection — LOTOS — A Formal Description Technique Based on the Temporal Ordering of Observational Behaviour’. First edition, International Organization for Standardization, Geneva, Switzerland, 15 February 1989
  S15. ‘The Procurement of Safety Critical Software in Defence Equipment’ (Part 1: Requirements, Part 2: Guidance). Interim Defence Standard 00–55, Issue 1, Ministry of Defence, Directorate of Standardization, Kentigern House, 65 Brown Street, Glasgow G2 8EX, UK, 5 April 1991
  S16. ‘Hazard Analysis and Safety Classification of the Computer and Programmable Electronic System Elements of Defence Equipment’. Interim Defence Standard 00–56, Issue 1, Ministry of Defence, Directorate of Standardization, Kentigern House, 65 Brown Street, Glasgow G2 8EX, UK, 5 April 1991
  S17. ‘Standard for Software Engineering of Safety Critical Software’. 982 C-H 69002–0001, Ontario Hydro, 700 University Avenue, Toronto, Ontario M5G 1X6, Canada, 21 December 1990
  S18. ‘Safety Related Software for Railway Signalling’. BRB/LU Ltd/RIA technical specification no. 23, Consultative Document, Railway Industry Association, 6 Buckingham Gate, London SW1E 6JP, UK, 1991
  S19. ‘Software Considerations in Airborne Systems and Equipment Certification’. DO-178A, Radio Technical Commission for Aeronautics, One McPherson Square, 1425 K Street N.W., Suite 500, Washington DC 20005, USA, March 1985
  S20. ‘Minimum Operational Performance Standards for Traffic Alert and Collision Avoidance System (TCAS) Airborne Equipment — Consolidated Edition’. DO-185, Radio Technical Commission for Aeronautics, One McPherson Square, 1425 K Street N.W., Suite 500, Washington DC 20005, USA, 6 September 1990
  S21. Bloomfield, R.E. (Ed.): ‘SafeIT1 — The Safety of Programmable Electronic Systems’. Safety-Related Working Group (SRS-WG), Interdepartmental Committee on Software Engineering (ICSE), Department of Trade and Industry, ITD7a — Room 840, Kingsgate House, 66–74 Victoria Street, London SW1E 6SW, UK, June 1990
  S22. Bloomfield, R.E., and Brazendale, J. (Eds.): ‘SafeIT2 — A Framework for Safety Standards’. Safety-Related Working Group (SRS-WG), Interdepartmental Committee on Software Engineering (ICSE), Department of Trade and Industry, ITD7a — Room 840, Kingsgate House, 66–74 Victoria Street, London SW1E 6SW, UK, June 1990
  S23. UN Committee for the Transport of Dangerous Goods, Technical Report, 1964
  S24. ‘Z Base Standard’. Draft ISO/IEC JTC1/SC22, 1993

Other references

  1. ABRIAL, J.R.: ‘The B reference manual’, Edinburgh Portable Compilers, 17 Alva Street, Edinburgh EH2 4PH, UK, 1991
  2. ABRIAL, J.R., LEE, M.K.O., NEILSON, D.S., SCHARBACH, P.N., and SØRENSEN, I.H.: ‘The B-method’, in PREHN, S., and TOETENEL, W.J. (Eds.): ‘VDM ’91, Formal Software Development Methods’, Volume 2: Tutorials (Springer-Verlag, Lecture Notes in Computer Science, 1991) 552, pp. 398–405
  3. ANDERSON, S., and CLELAND, G.: ‘Adopting mathematically-based methods for safety-critical systems production’, in REDMILL, F. (Ed.): ‘Safety Systems: The Safety-Critical Systems Club Newsletter’, Centre for Software Reliability, University of Newcastle upon Tyne, UK, January 1992, 1, (2), p. 6
  4. ARCHINOFF, G.H., HOHENDORF, R.J., WASSYNG, A., QUIGLEY, B., and BORSCH, M.R.: ‘Verification of the shutdown system software at the Darlington nuclear generating station’. International Conference on Control and Instrumentation in Nuclear Installations, The Institution of Nuclear Engineers, Glasgow, UK, May 1990
  5. AUGARTEN, S.: ‘The Whirlwind project’, in ‘Bit by Bit: An Illustrated History of Computers’, chapter 7 (Ticknor & Fields, New York, 1984) pp. 195–223
  6. BABEL, P.S.: ‘Software integrity program’. Aeronautical Systems Division, Airforce, U.S., April 1987
  7. BARROCA, L., and MCDERMID, J.: ‘Formal methods: use and relevance for the development of safety critical systems’, The Computer Journal, 35, (6), December 1992
  8. BARDEN, R., STEPNEY, S., and COOPER, D.: ‘The use of Z’, in NICHOLLS, J.E. (Ed.): ‘Z User Workshop, York 1991’ (Springer-Verlag, Workshops in Computing, 1992) pp. 99–124
  9. BEAR, S.: ‘An overview of HP-SL’, in PREHN, S., and TOETENEL, W.J. (Eds.): ‘VDM ’91, Formal Software Development Methods’ (Springer-Verlag, Lecture Notes in Computer Science, 1991) 551, pp. 571–587
  10. BENNETT, P.A.: ‘Safety’, in MCDERMID, J.A. (Ed.): ‘Software Engineer’s Reference Book’, chapter 60 (Butterworth-Heinemann Ltd., Oxford, 1991)
  11. BJØRNER, D. et al.: ‘A ProCoS project description: ESPRIT BRA 3104’, Bulletin of the EATCS, 1989, 39, pp. 60–73
  12. BLOOMFIELD, R.E., FROOME, P.K.D., and MONAHAN, B.Q.: ‘Formal methods in the production and assessment of safety critical software’, Reliability Engineering & System Safety, 32, (1), 1989, pp. 51–66 (Also in [89].)
  13. BLYTH, D., BOLDYREFF, C., RUGGLES, C., and TETTEH-LARTEY, N.: ‘The case for formal methods in standards’, IEEE Software, September 1990, 7, (5), pp. 65–67
  14. BOEBERT, W.E.: ‘Formal verification of embedded software’, ACM SIGSOFT Software Engineering Notes, July 1980, 5, (3), pp. 41–42
  15. BOEHM, B.: ‘Software risk management tutorial’. TRW-ACM Seminar, April 1988
  16. BOWEN, J.P., and BREUER, P.T.: ‘Decompilation’, in van ZUYLEN, H. (Ed.): ‘The REDO Compendium of Reverse Engineering for Software Maintenance’, chapter 10 (John Wiley, 1992) pp. 131–138
  17. BOWEN, J.P., and STAVRIDOU, V.: ‘Formal methods and software safety’, in [47], 1992, pp. 93–98
  18. BOWEN, J.P., and STAVRIDOU, V.: ‘The industrial take-up of formal methods in safety-critical and other areas: a perspective’, in WOODCOCK, J.C.P., and LARSEN, P.G. (Eds.): ‘FME’93: Industrial Strength Formal Methods’, 1st International Symposium of Formal Methods Europe, Odense, Denmark, 19–23 April 1993 (Springer-Verlag, Lecture Notes in Computer Science, 1993) 670, pp. 183–195
  19. BOYER, R.S., and MOORE, J.S.: ‘A computational logic handbook’ (Academic Press, Boston, 1988)
  20. BROCK, B., and HUNT, W.A.: ‘Report on the formal specification and partial verification of the VIPER microprocessor’. Technical Report No. 46, Computational Logic Inc., Austin, Texas, USA, January 1990
  21. BROWN, M.J.D.: ‘Rationale for the development of the UK defence standards for safety-critical computer software’. Proc. COMPASS ’90, Washington DC, USA, June 1990
  22. BURNS, A.: ‘The HCI component of dependable real-time systems’, Software Engineering Journal, July 1991, 6, (4), pp. 168–174
  23. BUTLER, R.W., and FINELLI, G.B.: ‘The infeasibility of experimental quantification of life-critical software reliability’. Proc. ACM SIGSOFT ’91 Conference on Software for Critical Systems, Software Engineering Notes, ACM Press, December 1991, 16, (5), pp. 66–76
  24. BUTH, B., BUTH, K-H., FRÄNZLE, M., VON KARGER, B., LAKHNECHE, Y., LANGMAACK, H., and MÜLLER-OLM, M.: ‘Provably correct compiler development and implementation’, in ‘Compiler Construction ’92’, 4th International Conference, Paderborn, Germany (Springer-Verlag, Lecture Notes in Computer Science, 1992) 641
  25. BUXTON, J.N., and MALCOLM, R.: ‘Software technology transfer’, Software Engineering Journal, January 1991, 6, (1), pp. 17–23
  26. CANNING, A.: ‘Assessment at the requirements stage of a project’. Presented at ‘2nd Safety Critical Systems Club Meeting’, Beaconsfield, UK, October 1991 (Available from Advanced Software Department, ERA Technology Ltd, Cleeve Rd, Leatherhead KT22 7SA, UK.)
  27. CHAPRONT, P.: ‘Vital coded processor and safety related software design’, in [47], 1992, pp. 141–145
  28. CHARETTE, R.N.: ‘Applications strategies for risk analysis’ (McGraw Hill, Software Engineering Series, 1990)
  29. CLUTTERBUCK, D.L., and CARRÉ, B.A.: ‘The verification of low-level code’, Software Engineering Journal, May 1988, 3, (3), pp. 97–111
  30. COHEN, B., and PITT, D.H.: ‘The identification and discharge of proof obligations’, in ‘Testing Large Software Systems’, Wolverhampton Polytechnic, UK, 1990
  31. COHN, A.J.: ‘A proof of correctness of the Viper microprocessor: the first level’, in ‘VLSI Specification, Verification and Synthesis’ (Kluwer Academic Publishers, 1988)
  32. COHN, A.J.: ‘Correctness properties of the Viper block model: the second level’. Proc. 2nd Banff Workshop on Hardware Verification (Springer-Verlag, 1988)
  33. COHN, A.J.: ‘The notion of proof in hardware verification’, Journal of Automated Reasoning, May 1989, 5, (2), pp. 127–139
  34. COLEMAN, D.: ‘The technology transfer of formal methods: what’s going wrong?’. Proc. 12th ICSE Workshop on Industrial Use of Formal Methods, Nice, France, March 1990
  35. CRAIG, I.: ‘The formal specification of advanced AI architectures’ (Ellis Horwood, AI Series, 1991)
  36. CRAIGEN, D. (Ed.): ‘Formal methods for trustworthy computer systems (FM89)’ (Springer-Verlag, Workshops in Computing, 1990)
  37. CULLYER, W.J.: ‘Hardware integrity’, Aeronautical Journal of the Royal Aeronautical Society, September 1985, 89, pp. 263–268
  38. CULLYER, W.J.: ‘High integrity computing’, in JOSEPH, M. (Ed.): ‘Formal Techniques in Real-time and Fault-tolerant Systems’ (Springer-Verlag, Lecture Notes in Computer Science, 1988) 331, pp. 1–35
  39. CULLYER, W.J., and PYGOTT, C.H.: ‘Application of formal methods to the VIPER microprocessor’, IEE Proceedings, Part E, Computers and Digital Techniques, May 1987, 134, (3), pp. 133–141
  40. CURZON, P.: ‘Of what use is a verified compiler specification?’, Technical Report No. 274, Computer Laboratory, University of Cambridge, UK, 1992
  41. CYRUS, J.L., BLEDSOE, J.D., and HARRY, P.D.: ‘Formal specification and structured design in software development’, Hewlett-Packard Journal, December 1991, (6), pp. 51–58
  42. DAVIES, J.: ‘Specification and proof in real-time systems’. Technical Monograph PRG-93, Programming Research Group, Oxford University Computing Laboratory, April 1991
  43. DE CHAMPEAUX, D. et al.: ‘Formal techniques for OO software development’. OOPSLA’91 Conference on Object-Oriented Programming Systems, Languages, and Applications, SIGPLAN Notices, ACM Press, November 1991, 26, (11), pp. 166–170
  44. ‘Safety related computer controlled systems market study’, Review for the Department of Trade and Industry by Coopers & Lybrand (HMSO, London, 1992)
  45. DYER, M.: ‘The Cleanroom approach to quality software development’ (Wiley Series in Software Engineering Practice, 1992)
  46. FENTON, N., and LITTLEWOOD, B.: ‘Evaluating software engineering standards and methods’. Proc. 2èmes Rencontres Qualité Logiciel & Eurometrics ’91, March 1991, pp. 333–340
  47. FREY, H.H. (Ed.): ‘Safety of computer control systems 1992 (SAFECOMP’92)’, Computer Systems in Safety-critical Applications, Proc. IFAC Symposium, Zürich, Switzerland, 28–30 October 1992 (Pergamon Press, 1992)
  48. GLASS, R.L.: ‘Software vs. hardware errors’, IEEE Computer, December 1980, 23, (12)
  49. GOGUEN, J., and WINKLER, T.: ‘Introducing OBJ3’. Technical Report SRI-CSL-88–9, SRI International, Menlo Park, California, USA, August 1988
  50. GOLDSACK, S.J., and FINKELSTEIN, A.C.W.: ‘Requirements engineering for real-time systems’, Software Engineering Journal, May 1991, 6, (3), pp. 101–115
  51. GOOD, D.I., and YOUNG, W.D.: ‘Mathematical methods for digital system development’, in PREHN, S., and TOETENEL, W.J. (Eds.): ‘VDM ’91, Formal Software Development Methods’, Volume 2: Tutorials (Springer-Verlag, Lecture Notes in Computer Science, 1991) 552, pp. 406–430
  52. GORDON, M.J.C.: ‘HOL: A proof generating system for Higher-Order Logic’, in BIRTWISTLE, G., and SUBRAMANYAM, P.A. (Eds.): ‘VLSI Specification, Verification and Synthesis’ (Kluwer, 1988) pp. 73–128
  53. GRIES, D.: ‘Influences (or lack thereof) of formalism in teaching programming and software engineering’, in DIJKSTRA, E.W. (Ed.): ‘Formal Development of Programs and Proofs’, chapter 18 (Addison Wesley, University of Texas at Austin Year of Programming Series, 1990) pp. 229–236
  54. GUIHO, G., and HENNEBERT, C.: ‘SACEM software validation’. Proc. 12th International Conference on Software Engineering (IEEE Computer Society Press, March 1990) pp. 186–191
  55. HALANG, W.A., and KRÄMER, B.: ‘Achieving high integrity of process control software by graphical design and formal verification’, Software Engineering Journal, January 1992, 7, (1), pp. 53–64
  56. HALL, J.A.: ‘Seven myths of formal methods’, IEEE Software, September 1990, 7, (5), pp. 11–19
  57. HALL, P.A.V.: ‘Software development standards’, Software Engineering Journal, May 1989, 4, (3), pp. 143–147
  58. HAMMER, W.: ‘Handbook of system and product safety’ (Prentice-Hall Inc., Englewood Cliffs, New Jersey, USA, 1972)
  59. HANSEN, K.M., RAVN, A.P., and RISCHEL, H.: ‘Specifying and verifying requirements of real-time systems’. Proc. ACM SIGSOFT ’91 Conference on Software for Critical Systems, Software Engineering Notes, ACM Press, December 1991, 16, (5), pp. 44–54
  60. HARRISON, M.D.: ‘Engineering human error tolerant software’, in NICHOLLS, J.E. (Ed.): ‘Z User Workshop, York 1991’ (Springer-Verlag, Workshops in Computing, 1992) pp. 191–204
  61. HELPS, K.A.: ‘Some verification tools and methods for airborne safety-critical software’, Software Engineering Journal, November 1986, 1, (6), pp. 248–253
  62. HILL, J.V.: ‘The development of high reliability software — RR&A’s experience for safety critical systems’. Second IEE/BCS Conference, Software Engineering 88, Conference Publication No. 290, July 1988, pp. 169–172
  63. HILL, J.V.: ‘Software development methods in practice’, in CHURCHLEY, A. (Ed.): Proc. 6th Annual Conference on Computer Assurance (COMPASS), ‘Microprocessor Based Protection Systems’ (Kluwer Academic Publishers B.V., 1991)
  64. HOARE, C.A.R.: ‘Algebra and models’, in BJØRNER, D., LANGMAACK, H., and HOARE, C.A.R. (Eds.): ‘Provably Correct Systems’, ProCoS Project Report, January 1993, chapter 1, pp. 1–13 (Available from Department of Computer Science, Technical University of Denmark, Building 3440, DK-2800, Lyngby, Denmark.)
  65. HOARE, C.A.R., and GORDON, M.J.C. (Eds.): ‘Mechanized reasoning and hardware design’ (Prentice Hall International Series in Computer Science, UK, 1992)
  66. HOARE, C.A.R., HE JIFENG, BOWEN, J.P., and PANDYA, P.K.: ‘An algebraic approach to verifiable compiling specification and prototyping of the ProCoS level 0 programming language’, in DIRECTORATE-GENERAL OF THE COMMISSION OF THE EUROPEAN COMMUNITIES (Ed.): ‘ESPRIT ’90 Conference Proceedings’, Brussels (Kluwer Academic Publishers B.V., 1990) pp. 804–818
  67. HOUSTON, I., and KING, S.: ‘CICS project report: experiences and results from the use of Z in IBM’, in PREHN, S., and TOETENEL, W.J. (Eds.): ‘VDM ’91, Formal Software Development Methods’ (Springer-Verlag, Lecture Notes in Computer Science, 1991) 551, pp. 588–603
  68. HUMPHREY, W.S., KITSON, D.H., and KASSE, T.C.: ‘The state of software engineering practice: a preliminary report’. Proc. 11th International Conference on Software Engineering, Pittsburgh, USA, May 1989, pp. 277–288
  69. ‘Safety-related systems: A professional brief for the engineer’. The Institution of Electrical Engineers, Savoy Place, London WB2R OBR, UK, January 1992
  70. IYER, R.K., and VELARDI, P.: ‘Hardware-related software errors: measurement and analysis’, IEEE Transactions on Software Engineering, February 1985, SE-11, (2)
  71. JACKY, J.: ‘Formal specifications for a clinical cyclotron control system’, in MORICONI, M. (Ed.): ‘Proc. ACM SIGSOFT International Workshop on Formal Methods in Software Development’, Software Engineering Notes, ACM Press, September 1990, 15, (4), pp. 45–54
  72. JACKY, J.: ‘Safety-critical computing: hazards, practices, standards and regulation’, in DUNLOP, C., and KLING, R. (Eds.): ‘Computerization and controversy’, chapter 5 (Academic Press, 1991) pp. 612–631
  73. JACKY, J.: ‘Verification, analysis and synthesis of safety interlocks’. Technical Report 91–04–01, Department of Radiation Oncology RC-08, University of Washington, Seattle, WA 98195, USA, April 1991
  74. JAFFE, M.S., LEVESON, N.G., HEIMDAHL, M.P., and MELHART, B.E.: ‘Software requirements analysis for real-time process-control systems’, IEEE Transactions on Software Engineering, March 1991, SE-17, (3), pp. 241–258
  75. JOANNOU, P.K., HARAUZ, J., TREMAINE, D.R., ICHIYEN, N., and CLARK, A.B.: ‘The Canadian nuclear industry’s initiative in real-time software engineering’. Ontario Hydro, 700 University Avenue, Toronto, Ontario M5G 1X6, Canada, 1991
  76. JONES, C.B.: ‘Systematic software development using VDM’, 2nd edition (Prentice Hall International Series in Computer Science, 1990)
  77. KANDEL, A., and AVNI, E.: ‘Engineering risk and hazard assessment’, Volume I (CRC Press, Boca Raton, Florida, USA, 1988)
  78. KNIGHT, J.C., and LEVESON, N.G.: ‘A reply to the criticisms of the Knight & Leveson experiment’, ACM SIGSOFT Software Engineering Notes, January 1990, 15, (1), pp. 25–35
  79. KNIGHT, J.C., and KIENZLE, D.M.: ‘Preliminary experience using Z to specify a safety-critical system’, in BOWEN, J.P., and NICHOLLS, J.E. (Eds.): ‘Z User Workshop, London 1992’ (Springer-Verlag, Workshops in Computing, 1993) pp. 109–118
  80. KOPETZ, H., ZAINLINGER, R., FOHLER, G., KANTZ, H., and PUSCHNER, P.: ‘The design of real-time systems: from specification to implementation and verification’, Software Engineering Journal, May 1991, 6, (3), pp. 73–82
  81. LADEAU, B.R., and FREEMAN, C.: ‘Using formal specification for product development’, Hewlett-Packard Journal, December 1991, (6), pp. 62–66
  82. LAPRIE, J.C.: ‘Dependability: a unifying concept for reliable computing and fault tolerance’, in ANDERSON, T. (Ed.): ‘Dependability of Resilient Computers’, chapter 1 (Blackwell Scientific Publications, Oxford, 1989) pp. 1–28
  83. LAPRIE, J.C. (Ed.): ‘Dependability: basic concepts and terminology’ (Springer-Verlag, 1991)
  84. LEVESON, N.G.: ‘Software safety: why, what and how’, ACM Computing Surveys, June 1986, 18, (2), pp. 125–163
  85. LEVESON, N.G.: ‘Software safety in embedded computer systems’, Communications of the ACM, February 1991, 34, (2), pp. 34–46
  86. LEVESON, N.G., and TURNER, C.T.: ‘An investigation of the Therac-25 accidents’, UCI Technical Report #92–108 (& University of Washington TR #92–11–05), Information and Computer Science Dept., University of California, Irvine, CA 92717, USA, 1992
  87. LINDSAY, P.A.: ‘A survey of mechanical support for formal reasoning’, Software Engineering Journal, 1988, 3, (1), pp. 3–27
  88. LITTLEWOOD, B.: ‘The need for evidence from disparate sources to evaluate software safety’, in REDMILL, F., and ANDERSON, T. (Eds.): ‘Directions in Safety-Critical Systems’, Proc. Safety-critical Systems Symposium, Bristol, UK, February 1993 (Springer-Verlag, 1993)
  89. LITTLEWOOD, B., and MILLER, D. (Eds.): ‘Software reliability and safety’ (Elsevier Applied Science, London and New York, 1991) (Reprinted from Reliability Engineering & System Safety, 32, (1)-2, 1989.)
  90. LITTLEWOOD, B., and STRIGINI, L.: ‘The risks of software’, Scientific American, November 1992, 267, (5), pp. 38–43
  91. MACKENZIE, D.: ‘The fangs of the VIPER’, Nature, 8 August 1991, 352, pp. 467–468
  92. MACKENZIE, D.: ‘Negotiating arithmetic, constructing proof: the sociology of mathematics and information technology’, Programme on Information & Communication Technologies, Working Paper Series, No. 38, Research Centre for Social Sciences, University of Edinburgh, 56 George Square, Edinburgh EH8 9JU, UK, November 1991
  93. MAHONY, B., and HAYES, I.J.: ‘A case-study in timed refinement: a mine pump’, IEEE Transactions on Software Engineering, September 1992, 18, (9), pp. 817–826
  94. MALCOLM, R.: ‘Safety critical systems research programme: technical workplan for the second phase’, in REDMILL, F. (Ed.): ‘Safety Systems: The Safety-Critical Systems Club Newsletter’, Centre for Software Reliability, University of Newcastle upon Tyne, UK, January 1992, 1, (2), pp. 1–3
  95. MALER, O., MANNA, Z., and PNUELI, A.: ‘From timed to hybrid systems’, in DE BAKKER, J.W., HUIZING, C., de ROEVER, W.-P., and ROZENBERG, W. (Eds.): ‘Real-Time: Theory in Practice, REX Workshop’ (Springer-Verlag, Lecture Notes in Computer Science, 1992) 600, pp. 447–484
  96. MANNA, Z., and PNUELI, A.: ‘The temporal logic of reactive and concurrent systems: specification’ (Springer-Verlag, 1992)
  97. MAY, D.: ‘Use of formal methods by a silicon manufacturer’, in HOARE, C.A.R. (Ed.): ‘Developments in Concurrency and Communication’, chapter 4 (Addison-Wesley, University of Texas at Austin Year of Programming Series, 1990) pp. 107–129
  98. MAYGER, E.M., and FOURMAN, M.P.: ‘Integration of formal methods with system design’. Proc. Conference on Very Large Scale Integration (VLSI ’91), Edinburgh, UK, 1991, pp. 3a.2.1–3a.2.11
  99. MCDERMID, J.A.: ‘Formal methods: use and relevance for the development of safety critical systems’, in BENNETT, P.A.: ‘Safety Aspects of Computer Control’ (Butterworth-Heinemann, 1991)
  100. MOORE, J.S. et al.: ‘Special issue on system verification’, Journal of Automated Reasoning, 1989, 5, (4), pp. 409–530
  101. MOSER, L.E., and MELLIAR-SMITH, P.M.: ‘Formal verification of safety-critical systems’, Software: Practice and Experience, August 1990, 20, (8), pp. 799–821
  102. MUKHERJEE, P., and STAVRIDOU, V.: ‘The formal specification of safety requirements for the storage of explosives’. Technical Report No. DITC 185/91, National Physical Laboratory, Teddington, Middlesex TW11 0LW, UK, August 1991
  103. MYERS, W.: ‘Can software for the strategic defense initiative ever be error-free?’, IEEE Computer, November 1986, 19, (11)
  104. ‘Peer review of a formal verification/design proof methodology’. NASA Conference Publication 2377, July 1983
  105. NATSUME, T., and HASEGAWA, Y.: ‘A view on computer systems and their safety in Japan’, in [47], 1992, pp. 45–49
  106. NEESHAM, C.: ‘Safe conduct’, Computing, 12 November 1992, pp. 18–20
  107. NEUMANN, P.G. (Ed.): ‘Subsection on certification of professionals’, ACM SIGSOFT Software Engineering Notes, January 1991, 16, (1), pp. 24–32
  108. NEUMANN, P.G.: ‘Illustrative risks to the public in the use of computer systems and related technology’, ACM SIGSOFT Software Engineering Notes, January 1992, 16, (1), pp. 23–32
  109. NORMINGTON, G.: ‘Cleanroom and Z’, in BOWEN, J.P., and NICHOLLS, J.E. (Eds.): ‘Z User Workshop, London 1992’ (Springer-Verlag, Workshops in Computing, 1993) pp. 281–293
  110. OSTROFF, J.S.: ‘Formal methods for the specification and design of real-time safety critical systems’, Journal of Systems and Software, 1992, 18, (1), pp. 33–60
  111. PAGE, I., and LUK, W.: ‘Compiling Occam into field-programmable gate arrays’, in MOORE, W., and LUK, W. (Eds.): ‘FPGAs’, Oxford Workshop on Field Programmable Logic and Applications (Abingdon EE&CS Books, 15 Harcourt Way, Abingdon OX14 1NV, UK, 1991) pp. 271–283
  112. PALFREMAN, J., and SWADE, D.: ‘The dream machine’ (BBC Books, London, 1991)
  113. PARNAS, D.L., VON SCHOUWEN, A.J., and SHU PO KWAN: ‘Evaluation of safety-critical software’, Communications of the ACM, June 1990, 33, (6), pp. 636–648
  114. PARNAS, D.L., ASMIS, G.J.K., and MADEY, J.: ‘Assessment of safety-critical software in nuclear power plants’, Nuclear Safety, April-June 1991, 32, (2), pp. 189–198
  115. PARNAS, D.L., and MADEY, J.: ‘Functional documentation for computer systems engineering’. Version 2, CRL Report No. 237, TRIO, Communications Research Laboratory, Faculty of Engineering, McMaster University, Hamilton, Ontario, Canada L8S 4K1, September 1991
  116. PASQUINE, A., and RIZZO, A.: ‘Risk perceptions and acceptance of computers in critical applications’, in [47], 1992, pp. 293–298
  117. PELAEZ, E.: ‘A gift from Pandora’s box: the software crisis’. PhD Thesis, Edinburgh University, UK, 1988
  118. PROBERT, P.J., DJIAN, D., and Huosheng Hu: ‘Transputer architectures for sensing in a robot controller: formal methods for design’, Concurrency: Practice and Experience, August 1991, 3, (4), pp. 283–292
  119. PYLE, I.: ‘Software engineers and the IEE’, Software Engineering Journal, March 1986, 1, (2), pp. 66–68
  120. RALSTON, T.J.: ‘Preliminary report on the international study on industrial experience with formal methods’, in ‘COMPASS ’92: 7th Annual Conference on Computer Assurance’, Gaithersburg, Maryland, USA, 15–18 June 1992
  121. RAVN, A.P., and RISCHEL, H.: ‘Requirements capture for embedded real-time systems’. Proc. IMACS-MCTS Symposium, Lille, France, Volume 2, May 1991, pp. 147–152
  122. RAVN, A.P., and STAVRIDOU, V.: ‘Project organisation’, in BJØRNER, D., LANGMAACK, H., and HOARE, C.A.R. (Eds.): ‘Provably Correct Systems’, ProCoS Project Report, January 1993, chapter 9, pp. 109–112 (Available from Department of Computer Science, Technical University of Denmark, Building 3440, DK-2800, Lyngby, Denmark.)
  123. 123.
    READE, C., and FROOME, P.: ‘Formal methods for reliability’, in ROOK, P. (Ed.): ‘Software Reliability Handbook’, chapter 3 (Elsevier Applied Science, 1990) pp. 51–81Google Scholar
  124. 124.
    REASON, J.: ‘Human error’ (Cambridge University Press, UK, 1990)Google Scholar
  125. 125.
    ‘Risk: analysis, perception and management’. The Royal Society, 6 Carlton House Terrace, London SW1Y 5AG, UK, 1992Google Scholar
  126. 126.
    RUSHBY, J., and WHITEHURST, R.A.: ‘Formal verification of AI software’. Contractor Report 181827, NASA Langley Research Center, Hampton, Virginia, USA, February 1989Google Scholar
  127. 127.
    RUSHBY, J.: ‘Formal specification and verification of a fault-masking and transient-recovery model for digital flight control systems’. Technical Report SRI-CSL-91-3, SRI International, Menlo Park, California, USA, January 1991 (Also available as NASA Contractor Report 4384.)Google Scholar
  128. 128.
    RUSHBY, J., VON HENKE, F., and OWRE, S.: ‘An introduction to formal specification and verification using EHDM’. Technical Report SRJ-CSL-91–02, SRI International, Menlo Park, California, USA, February 1991Google Scholar
  129. 129.
    RUSHBY, J., and VON HENKE, F.: ‘Formal verification of algorithms for critical systems’. Proc. ACM SIGSOFT 91 Conference on Software for Critical Systems, Software Engineering Notes, ACM Press, December 1991, 16, (5), pp. 1–15Google Scholar
  130. 130.
    SCHOLEFIELD, D.J.: ‘The formal development of real-time systems: a review’. Technical Report YCS 145, Dept. of Computer Science, University of York, UK, 1990Google Scholar
  131. 131.
    SELBY, R.W., BASILI, V.R., and BAKER, F.T.: ‘Cleanroom software development: an empirical evaluation’, IEEE Transactions on Software Engineering, September 1987, SE-13, (9), pp. 1027–1037Google Scholar
  132. 132.
    SENNETT, C.T.: ‘High-integrity software’ (Pitman Computer Systems Series, 1989)zbMATHGoogle Scholar
  133. 133.
    SHOSTAK, R.E., SCHWARTZ, R., MELLIAR-SMITH, P.M.: ‘STP: a mechanized logic for specification and verification’ in ‘6th International Conference on Automated Deduction (CADE-6)’ (Springer-Verlag, Lecture Notes in Computer Science, 1982) 138 Google Scholar
  134. 134.
    SMITH, C.L.: ‘Digital control of industrial processes’, ACM Computing Surveys, 1970, 2, (3), pp. 211–241Google Scholar
  135. 135.
    SMITH, D.J., and WOOD, K.B.: ‘Engineering Quality Software: a review of current practices, standards and guidelines including new methods and development tools’, 2nd edition (Elsevier Applied Science, 1989)Google Scholar
  136. 136.
    SOMMERVILLE, L.: ‘Software engineering’, 3rd edition (Addison Wesley, 1989)zbMATHGoogle Scholar
  137. 137.
    ‘Special issue on reliability’, IEEE Spectrum, October 1981, 18, (10)Google Scholar
  138. 138.
    SPIVEY, J.M.: ‘Specifying a real-time kernel’, IEEE Software, September 1990, 7, (5), pp. 21–28Google Scholar
  139. 139.
    SPIVEY, J.M.: ‘The Z notation: a reference manual’, 2nd edition (Prentice Hall International Series in Computer Science, 1992)Google Scholar
  140. 140.
    SRIVAS, M., and BICKFORD, M.: ‘Verification of the FtCayuga fault-tolerant microprocessor system, vol 1: a case study in theorem prover-based verification’. Contractor Report 4381, NASA Langley Research Centre, Hampton, Virginia, USA, July 1991 (Work performed by ORA corporation.)Google Scholar
  141. 141.
    STEIN, R.M.: ‘Safety by formal design’, BYTE, August 1992, (8), p. 157Google Scholar
  142. 142.
    STEIN, R.M.: ‘Software safety’ in ‘Real-time Multicomputer Software Systems’, chapter 5 (Ellis-Horwood, 1992) pp. 109–133Google Scholar
  143. 143.
    STEPNEY, S., BARDEN, R., and COOPER, D. (Eds.): ‘Object orientation in Z’ (Springer-Verlag, Workshops in Computing, 1992)Google Scholar
  144. 144.
    SWADE, D.: ‘Charles Babbage and his calculating engines’ (Science Museum, London, UK, 1991)Google Scholar
  145. 145.
    THOMAS, M.C.: ‘The future of formal methods’, in BOWEN, J.P. (Ed.): ‘Proc. 3rd Annual Z Users Meeting’, Oxford University Computing Laboratory, UK, December 1988, pp. 1–3Google Scholar
  146. 146.
    THOMAS, M.C.: ‘Development methods for trusted computer systems’, Formal Aspects of Computing, 1989, 1, pp. 5–18Google Scholar
  147. 147.
    TIERNEY, M.: ‘The evolution of Def Stan 00–55 and 00–56: an intensification of the “formal methods debate” in the UK’. Proc. Workshop on Policy Issues in Systems and Software Development, Science Policy Research Unit, Brighton, UK, July 1991Google Scholar
  148. 148.
    TIERNEY, M.: ‘Some implications of Def Stan 00–55 on the software engineering labour process in safety critical developments’. Research Centre for Social Sciences, Edinburgh University, 1991Google Scholar
  149. 149.
    VON NEUMANN, J.: ‘Probabilistic logics and synthesis of reliable organisms from unreliable components’ in ‘Collected Works’, Volume 5 (Pergamon Press, 1961)Google Scholar
  150. 150.
    WALDINGER, R.J., and STICKEL, M.E.: ‘Proving properties of rule-based systems’. Proc. 7th Conference on Artificial Intelligence Applications, IEEE Computer Society, February 1991, pp. 81–88Google Scholar
  151. 151.
    WALLACE, D.R., KUHN, D.R., and CHERNIAVSKY, J.C.: ‘Report of the NIST workshop of standards for the assurance of high integrity software’. NIST Special Publication 500–190, Computer Systems Laboratory, National Institute of Standards and Technology, Gaithersburg, MD 20899, USA, August 1991 (Available from the Superintendent of Documents, Government, U.S. Printing Office, Washington, DC 20402, USA.)Google Scholar
  152. 152.
    WALLACE, D.R., KUHN, D.R., and IPPOLITO, L.M.: ‘An analysis of selected software safety standards’, IEEE AES Magazine, August 1992, (8), pp. 3–14Google Scholar
  153. 153.
    WARD, W.T.: ‘Calculating the real cost of software defects’, Hewlett-Packard Journal, October 1991, pp. 55–58Google Scholar
  154. 154.
    WEBB, J.T.: ‘The role of verification and validation tools in the production of critical software’, in INCE, D. (Ed.): ‘Software Quality and Reliability: Tools and Methods’, Unicorn Applied Info Technology Report 6, chapter 4 (Chapman & Hall, London, 1991) pp. 33–41.Google Scholar
  155. 155.
    WENSLEY, J. et al. ‘SIFT: design and analysis of a fault-tolerant computer for aircraft control’, Proc. IEEE, 1978, 60, (10), pp. 1240–1254Google Scholar
  156. 156.
    WIRTH, N.: ‘Towards a discipline of real-time programming’, Communications of the ACM, August 1977, 20, (8), pp. 577–583zbMATHGoogle Scholar
  157. 157.
    WICHMANN, B.A. (Ed.): ‘Software in safety-related systems’ (Wiley, 1992) Also published by BCSGoogle Scholar
  158. 158.
    WRIGHT, C.L., and ZAWILSKI, A.J.: ‘Existing and emerging standards for software safety’. The MITRE Corporation, Center for Advanced Aviation System Development, 7525 Colshire Drive, McLean, Virginia 22102–3481, USA, MP-91W00028, June 1991 (Presented at the IEEE Fourth Software Engineering Standards Application Workshop, San Diego, California, USA, 20–24 May 1991.)Google Scholar
  159. 159.
    XILINX, Inc.: ‘The programmable gate array data book’. San Jose, California, USA, 1991Google Scholar
  160. 160.
    YOULL, D.P.: ‘Study of the training and education needed in support of Def Stan 00–55’. Cranfield IT Institute Ltd, UK, September 1988 (Can also be found as an appendix of the April 1989 00–55 draft.)Google Scholar
  161. 161.
    ZHOU CHAOCHEN, HOARE, C.A.R., and RAVN, A.P.: ‘A calculus of durations’, Information Processing Letters, 1991, 40, (5), pp. 269–276MathSciNetzbMATHGoogle Scholar

Copyright information

© Springer-Verlag London Limited 1999