Issue No.02 - February (1995 vol.21)
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/32.345827
PVS is the most recent in a series of verification systems developed at SRI. Its design was strongly influenced, and later refined, by our experiences in developing formal specifications and mechanically checked verifications for the fault-tolerant architecture, algorithms, and implementations of a model “reliable computing platform” (RCP) for life-critical digital flight-control applications, and by a collaborative project to formally verify the design of a commercial avionics processor called AAMP5. Several of the formal specifications and verifications performed in support of RCP and AAMP5 are individually of considerable complexity and difficulty. But in order to contribute to the overall goal, it has often been necessary to modify completed verifications to accommodate changed assumptions or requirements, and people other than the original developer have often needed to understand, review, build on, modify, or extract part of an intricate verification. In this paper, we outline the verifications performed, present the lessons learned, and describe some of the design decisions taken in PVS to better support these large, difficult, iterative, and collaborative verifications.
Byzantine agreement, clock synchronization, fault tolerance, flight control, formal methods, formal specification, hardware verification, theorem proving, verification systems, PVS
John Rushby, Natarajan Shankar, Friedrich von Henke, "Formal Verification for Fault-Tolerant Architectures: Prolegomena to the Design of PVS", IEEE Transactions on Software Engineering, vol.21, no. 2, pp. 107-125, February 1995, doi:10.1109/32.345827