
Jonathan C. Rowanhill
- Doctor of Philosophy
- Dependable Computing
About
- 25 Publications
- 2,253 Reads
- 430 Citations
Introduction
A researcher and technologist concerned with the dependability of modern software including its contributions to intelligent and autonomous systems.
Current institution
Dependable Computing
Publications (25)
Recent advances in artificial intelligence and machine learning may soon yield paradigm-shifting benefits for aerospace systems. However, complexity and possible continued on-line learning makes neural network control systems (NNCS) difficult or impossible to certify under the United States Military Airworthiness Certification Criteria defined in M...
This research considers the problem of identifying safety constraints and developing Run Time Assurance (RTA) for Deep Reinforcement Learning (RL) Tactical Autopilots that use neural network control systems (NNCS). This research studies a specific use case of an NNCS performing autonomous formation flight while an RTA system provides collision avoi...
This report details research into the construction of rationalized microstandards to guide and assure adequate reverse and reengineering of software modules for improved correctness. The microstandards included cover informal reverse engineering of a software module used by multiple systems, assurance through formal specification and proof, and ass...
Unit lemmas and a checklist of questions used to generate them can identify flaws in formal requirements and specifications early in the design process, reducing the overall cost and increasing confidence in the final product. We demonstrate how we can apply unit lemmas and the checklist to a tri-valued logic system.
To address the problem of assuring complex modern systems, we propose assurance driven development where the inferences of assurance are themselves directly tested. We refer to this as test-driven-assurance-based development, or TDABD. TDABD focuses development on continuously testable argument reasoning with incremental and improving delivery of i...
SPARK Ada's support for proofs of correctness make the programming language ideal for implementing a PVS specification. Algorithmically implementing a PVS specification in SPARK Ada allows users to maintain the rigor of PVS in executable code. The goal of such an implementation is to maintain the validity of the proofs showing the specification imp...
The kinds of systems we are building, and the ways we are building them, are evolving. This evolution is invalidating analyses and assumptions upon which we have relied as bases for design assurance, imposing a need for new criteria and means of compliance for many autonomy-enabling technologies. While significant investigation activity into assura...
In this paper, we argue that standards, especially those intended to support critical applications, should define explicitly both the properties expected to accrue from use of the standard and an explicit rationale that justifies the contents of the standard. Current standards do not include an explicit, comprehensive rationale. Without a rationale...
CLASS is a novel approach to the safety engineering and management of safety-critical systems in which the system safety case becomes the focus of safety engineering throughout the system lifecycle. CLASS expands the role of the safety case across all phases of the system’s lifetime, from concept formation and problem definition to decommissioning....
In any safety argument, belief in the top-level goal depends upon a variety of assumptions that derive from the system development process, the operating context, and the system itself. If an assumption is false or becomes false at any point during the lifecycle, the rationale for belief in the safety goal might be invalidated and the safety of the...
SCT is a safety case toolkit designed to support the development and maintenance of safety cases for large, safety-critical systems. SCT supports safety case development by providing facilities to manage the file structure associated with the safety case, editors for various notations including GSN, and a build system that creates a custom web site...
Large scale distributed systems—including human and software organizations—benefit from top-down command and control in order to survive threats and damage. Yet achieving top-down management organization over millions of components is a significant challenge. This raises the question: is top-down control a valid approach to the survival management...
In order for Grids to become relied upon for critical infrastructure and scientific computing, Grid-wide management must be automated so that it is possible in quickly and comprehensively respond to or anticipate specific environmental changes and requirements. That is, due to the disjoint administration of Grids which results in high communication...
As Grids become increasingly relied upon as critical infrastructure, it is imperative to ensure the highly-available and secure day-to-day operation of the Grid infrastructure. The current approach for Grid management is generally to have geographically-distributed system administrators contact each other by phone or email to debug Grid behavior an...
One of the most common forms of security attacks involves exploiting a vulnerability to inject malicious code into an executing application and then cause the injected code to be executed. A theoretically strong approach to defending against any type of code-injection attack is to create and use a process-specific instruction set that is created by...
We present an architectural framework for systematically using automated diversity to provide high assurance detection and disruption for large classes of attacks. The framework executes a set of automatically diversified variants on the same inputs, and monitors their behavior to detect divergences. The benefit of this approach is that it requir...
Grids should not just be facilitating advances in science and engineering; rather they should also be making an impact on our daily lives by enabling sophisticated applications such as new consumer services and support for homeland defense. This is not possible today because the poor grid dependability—which is tolerated by scientific users—w...
The management of modern distributed systems is complicated by scale and dynamics. Scalable, decoupled communication establishes flexible, loosely coupled component relationships, and these relationships help meet the present demands on management. However, traditional decoupled addressing mechanisms tend to focus the addressing on only one of the...
Thesis (Ph. D.)--University of Virginia, 2004. Includes bibliographical references (leaves 291-297).