Learn More
unexpected ways. If the software in question is security-or safety-critical, this uncertainty is unacceptable. We must build software that is correct by construction, not software whose behavior is uncertain until after delivery. Correctness by construction is possible and practical. It demands a development process that builds correctness into every step.(More)
This paper describes work in progress at the University of York on worst-case timing analysis of software for hard real-time and safety-critical systems. We are pursuing a programming environment that combines the technologies of program proof and timing analysis. In short, the analytical power afforded by a classical program proof tool is ideal for the(More)
ÐThis paper describes the use of formal development methods on an industrial safety-critical application. The Z notation was used for documenting the system specification and part of the design, and the SPARK 1 subset of Ada was used for coding. However, perhaps the most distinctive nature of the project lies in the amount of proof that was carried out:(More)
Existing security models require that information of a given security level be prevented from ``leaking'' into lower-security information. High-security applications must be demonstrably free of such leaks, but such demonstration may require substantial manual analysis. Other authors have argued that the natural way to enforce these models automatically is(More)
This paper considers a number of large, real-world projects that are using SPARK---an annotated sublauguage of Ada that is appropriate for the development of high-integrity systems. Three projects are considered in some detail where SPARK has made a contribution to meeting the most stringent software engineering standards. The projects are the(More)