Formal methods are mathematically based techniques, often supported by reasoning tools, that can offer a rigorous and effective way to model, design and analyze computer systems. The purpose of this study is to evaluate international industrial experience in using formal methods. The cases selected are, we believe, representative of industrial-grade…
Although there are indisputable benefits to society from the introduction of computers into everyday life, some applications are inherently risky. Worldwide, regulatory agencies are examining how to assure safety and security. This study reveals the applicability and limitations of formal methods.
"Formal Methods" refers to the use of mathematically based techniques in software and system engineering. This paper summarizes observations on their use in a dozen applications in industrial settings. Application goals ranged from re-engineering to system certification. Code scale ranges from 1000 LOC (for a complex safety-critical application) through 10,000s…
The developers of this signaling system sought to reduce the separation between trains in the Paris rapid-transit system by 30 seconds, to two minutes. Its developers used formal methods extensively for verification and validation. They were required to convince the RATP (the Paris rapid-transit authority) that the system met safety requirements. This was…
EVALUATION

Although the techniques used are based on a state-machine representation, there are several research issues pertaining to scalability, presentation style, and modifications to the Statecharts language.
when they were writing the specification, but that was late in the process. RATP would have liked direct simulation of the specification. UK government groups. GEC Alsthom has used B in two subsequent applications: a transportation system in Calcutta, India, and a safety net to protect against driver failure on all the electrified lines operated by the…
Darlington is a four-reactor nuclear plant east of Toronto. It is operated by Ontario Hydro. Each reactor has two independent shutdown systems: SDS1 drops neutron-absorbing rods into the core, while SDS2 injects liquid poison into the moderator. Both are safety-critical and require high levels of confidence. In 1982, Ontario Hydro, with the concurrence of…