# Peter Bernard Ladkin

Bielefeld University · Faculty of Technology

Doctor of Philosophy

## About

Publications: 105

Reads: 25,193


Citations: 1,816


## Publications


For practical reasons, UK law contains a presumption that computers were working correctly when they produced data that is used in evidence in court. This presumption can be rebutted, but only by evidence that is unlikely to be available without access to the computer system and its documentation. This briefing paper explains that all computer syst...

Daniels and Tudor consider evaluating software statistically through modelling execution as a Bernoulli Process (Daniels and Tudor 2022). They give examples and adduce considerations which they claim show that such modelling is "flawed". However, neither the examples they give nor the considerations they adduce follow the constraints necessary for...

Industrial plants constituting a society's critical infrastructure, for example electricity-generation and water-supply, contain industrial automation and control systems (IACS). IACS nowadays contain increasingly many digital-electronic components whose behaviour is software-controlled. Amongst engineered artifacts, software and thus software-cont...

There exists widespread misunderstanding about the nature of computers and how and why they are liable to fail. The present approach to the disclosure or discovery and evaluation of evidence produced by computers in legal proceedings is unsatisfactory. The central problem is the evidential presumption that computers are reliable. This presumption i...

In the English civil court case Bates v Post Office Limited, the properties of the Post Office Horizon transaction-processing system were investigated and argued. Anthony de Garr Robinson QC for the Post Office defined “robustness” of the Horizon software-based system. The concept of robustness was at the core of the defendant’s argument, which was...

In this paper Peter Bernard Ladkin, Bev Littlewood, Harold Thimbleby and Martyn Thomas CBE consider the condition set out in section 69(1)(b) of the Police and Criminal Evidence Act 1984 (PACE 1984) that reliance on computer evidence should be subject to proof of its correctness, and compare it to the 1997 Law Commission recommendation that a commo...

The Quality of Software is an issue which is discussed and evaluated in forums from business risk assessment to courts of law. We collect observations from the literature as well as our own, in order to give a partial survey for those concerned with it.

This paper considers the interactions between engineering standards and legal principles, but its author is not a lawyer and the paper does not consider the position in English law in any detail. Its purpose is to try to foster a deeper awareness of the issues. Index words: automated systems, engineered systems, duty of care, health and safety law,...

Air Navigation Service Providers (ANSPs), and other critical service providers, are gradually replacing dedicated analogue and Digital Communications Infrastructures (DCI) by a public DCI, provided by a limited number of service providers. This cost-driven measure clashes with the need to assure the safety of ANSPs' operations by providing safety c...

I considered the existing formulation of cybersecurity considerations in the Hazard and Risk Analysis part of [IEC61508-1] in [Lad17 Chapter 13] and found it inadequate. I consider here how cyber-insecurity manifests itself in the risk associated with hazards and safety functions. The qualitative phenomenology makes clear the options for dealing w...

The recently published IEC technical report IEC TR 63069 purports to give guidance on how to conduct cybersecurity-related analysis during the development of safety-related Industrial Automation and Control Systems (IACS). I propose that this guidance is significantly flawed. This paper explains why.

I address the question of what analysis is necessary to assure behaviour of an operation O along with a safety function SF conformant with IEC 61508, in the face of cyber-insecurities associated with O and SF. Both safety analysis and cybersecurity analysis of O+SF is needed.

The recently-published IEC guidance on safety and cybersecurity in IACS, IEC TR 63069, suggests a notion of "security environment", within which safety engineering can supposedly be conducted without paying (undue) attention to cybersecurity. Cybersecurity experts say there is probably no such beast. This article looks at various notions of "securi...

None of ED-153, IEC 61508-3:2010 and CAP 670 provide specific measures for assurance of information veridicality in ANSP-deployed VCS and ATCDS. We have suggested some here. We propose that any international standard governing safety in ANSP-deployed software-based systems such as VCS and ATCDS require specific measures for assurance of information...

In 2010, the author was approached with a query from industry concerning the application of IEC 61508-7:2010 Annex D, on the statistical evaluation of software. We realised that Annex D is not a helpful guide for a number of reasons. We discuss some common assessment scenarios and their quandaries and requirements for the application of statistical...

I recount the accident to the Fukushima Daiichi nuclear plant starting on 11 March 2011 and continuing. I highlight some system-safety aspects, and compare with an idealised 8-step process for assessing and ensuring engineered-system safety to see where it went wrong. Nuclear accidents such as this have political and social consequences in a way in...

We present two tests for analyzing deadlock for a class of communicating sequential processes. The tests can be used for deadlock detection in parallel and distributed programs at compile time, or for debugging purposes at run time. They can also be used in conjunction with an algorithm we have for constructing valid execution traces for this class...

Forty years ago, if you wanted to park your car, you had to control the speed, acceleration and manoeuvring yourself. Today, you can buy a car that parks itself. Forty years ago, if you wanted to remove dust from your house, you had to move around it with a suction device, pointing the opening here and there. Today, you turn a flat round object on...

Accurate risk assessment of safety-related systems involving software is a hard engineering problem for well-known reasons. We present two case studies in the use of Ontological Hazard Analysis (OHA), a semi-formal method for hazard identification and analysis aiding Correct-by-Construction (CbC) approaches to developing such systems. OHA controls...

We report on a symbolic approach to solving constraint problems, which uses relation algebra. The method gives good results for problems with constraints that are relations on intervals. Problems of up to 500 variables may be solved in expected cubic time. Strong evidence is presented that significant backtracking on random problems occurs only in t...

Sociotechnical systems are those which rely not only on technology but on humans and social organisation for their adequate functioning. The analysis of sociotechnical systems poses the particular challenge of synthesising methods appropriate to formerly separate scientific disciplines. One result is that prominent features of the systems are often...

Radio Frequency Identification (RFID) technology is currently being tested and partially deployed for use in supply-chain and retail-shop management at the item level. It is seen as a means to enhance efficiency and introduce new functionality in products such as intelligent fridges or washing machines, which may query their contents. However, con...

We perform a Why-Because Analysis (WBA) starting from the information in the Executive Summary of the U. S. DoD Aircraft Accident Investigation Board report on the shootdown of two U. S. Army Black Hawk transport helicopters by U. S. A. F. F-15 fighter aircraft over Northern Iraq on 14 April 1994, during Operation Provide Comfort. We compare with...

The cruise ship Royal Majesty left St. George's, Bermuda bound for Boston at about midday on June 9, 1995. The ship was equipped with an Integrated Bridge System (IBS) consisting of a STN Atlas Elektronik NACOS 25 autopilot obtaining position data from a Raytheon RAYSTAR 920 GPS and a Raytheon RAYNAV 780 Loran-C navigation unit. Shortly after depa...

We show how objective, rigorous causal reasoning in the analysis of air transportation accidents can improve our understanding of the factors involved in those accidents, by considering two high-profile digital-automation-related air transport accidents.

We show how to generate fault trees algorithmically from Causal Influence Diagrams (CIDs), and report on the implementation of such a facility in the CID-drawing tool cid2dot. 1 Some Considerations on Fault Trees. Fault trees are a widely-used method, standardised in many countries, of cataloguing in a structured manner the myriad ways that a system c...

We describe our ongoing work in accident analysis.

this report using the WB-Graph Method [19]. One can immediately observe from Figure 2 of [19], the upper portion of the WB-Graph, that node 3.1.2: earth bank in overrun path is a causally-necessary node: hitting the bank was a cause of the damage and fire; the hit directly killed one person and rendered the other unconscious and therefore unable to p...

This document consists of parts of what is intended to be a longer work, in various different states of completion and maturity. Readers are kindly requested to tolerate the unevenness of presentation.

Quality program design has received considerable attention from the software engineering community.

We address the problem, proposed by Gerth, of verifying that a simplified version of the lazy caching algorithm of Afek, Brown, and Merritt is sequentially consistent. We specify the algorithm and sequential consistency in TLA+, a formal specification language based on TLA (the Temporal Logic of Actions). We then describe how to construct and che...

Constraint Satisfaction Problems (CSPs) are a form of non-Horn-clause logic programming problems found in various areas of Artificial Intelligence and Operations Research. Binary CSPs have successfully been studied using algebraic logic, namely the relation algebra of Tarski. In this paper, we show that general CSPs are also amenable to a treatment...

We analyse the `probable cause' of the 1979 Chicago DC-10 accident using a minimal formalism, and find an omission. The omission is contained in the body of the report. This omission had consequences for the public discussion of this accident, which we show. We conclude that formalism helps in accident reporting by enabling simple consistency and o...

The article focuses on risks. A car company boasts that its new product has more computational power than was needed to take Apollo to the moon. However, programmers of a different generation would be embarrassed by that admission. One may infer that high performance, physical or digital, sells cars. Should crashworthiness, physical and digital? A safe...

It is well-known that general constraint satisfaction problems (CSPs) may be reduced to the binary case (BCSPs) [Pei92]. CSPs may be represented by binary constraint networks (BCNs), which can be represented by a graph with nodes for variables for which values are to be found in the domain of interest, and edges labelled with binary relations betwe...

As society becomes more and more dependent on the correct and continuous functioning of communications and information infrastructures, it becomes correspondingly more vulnerable to disruptions in the services that they provide. While much of the responsibility for the health of these infrastructures lies in the hands of their operators, both publi...

A simple language is demonstrated that combines specifications and manuals. This shows, firstly, that a user manual can be automatically reconstructed from a logic specification that is effectively identical to the original logic (up to ambiguities in natural language); and, secondly, that such an automated process can help detect errors. The proce...

We describe an effective generic method for solving constraint problems, based on Tarski’s relation algebra, using path-consistency as a pruning technique. We investigate the performance of this method on interval constraint problems. Time performance is affected strongly by the path-consistency calculations, which involve the calculation of compos...

We discuss a translation of Message Sequence Charts (MSCs) into the language PROMELA (we call this translation an `implementation') that is consistent with the formal semantics we have previously defined for Message Flow Graphs and Message Sequence Charts, which handled the syntactic features with mathematical import from ITU-T recommendation Z.1...

A simple language is demonstrated that combines specifications and manuals. This shows firstly that a user manual can be automatically reconstructed from a logic specification that is effectively identical to the original logic (up to ambiguities in natural language), and secondly that such an automated process can help detect errors. The process i...

In previous work we defined a finite state semantics for Message Sequence Charts (MSCs) and suggested a translation of MSC specifications into Promela. We call this translation an 'implementation'. In this paper we reconsider the implementation of MSCs and discuss what information needs to be added when implementing MSC specifications containing so...

this paper are those of the authors and should not be interpreted as representing the official policies, either expressed or implied, of Kestrel Institute, or any agency of the United States Government

Copyright © Peter Ladkin and Roger Maddux 1986

The concepts of binary constraint satisfaction problems can be naturally generalized to the relation algebras of Tarski. The concept of path-consistency plays a central role. Algorithms for path-consistency can be implemented on matrices of relations and on matrices of elements from a relation algebra. We give an example of a 4-by-4 matrix of infin...

We give a semantics for Message Flow Graphs (MFGs), which play the role for interprocess communication that Program Dependence Graphs play for control flow in parallel processes. MFGs have been used to analyse parallel code, and are closely related to Message Sequence Charts and Time Sequence Diagrams in telecommunications systems. Our requirements...

We use the Predicate-Action Diagrams of Lamport to express the description of the operation of the Airbus A320 braking systems contained in the Flight Crew Operating Manual. This helps identify ambiguities and incompleteness. 1 Introduction On September 14th, 1993, a Lufthansa Airbus A320 landed at Warsaw Airport in Poland in a thunderstorm. It ove...

Quality program design has received considerable attention from the software engineering community. Quality user manual design has received considerable attention from the human computer interaction community. Yet manuals and systems are often independently conceived, and thus do not well complement each other. This paper shows one method of easily...

We analyse the description of the operation of the Airbus A320 braking systems contained in the Flight Crew Operating Manual. We use the predicate-action diagrams of Lamport to express and to complete the description, and give reasons why such a more rigorous expression is preferable. 1. Introduction On September 14th, 1993, an Airbus A320 landed...

Simple practical reasoning with propositions whose truth depends on time is a matter of logical engineering. We show that for Boolean logic a reified logic is more appropriate than its non-reified equivalent when time references are interpreted as union-of-convex intervals (UoCI).

this paper we formalize Whitehead's construction for inducing point structures from region structures using a primitive relation of connection on regions [Whi79]. Our concern is to formulate a spatiotemporal analogue to the construction of temporal periods/points from events, and is reminiscent of the temporal constructions of Kamp [Kam79] and van...

We present an algorithm for statically analyzing the communications amongst distributed or concurrent processes that communicate using multiway synchronization, in which many processes may participate in an atomic communication action, such as in the ITU standard specification language LOTOS. This extends our previous work in which we provided an a...

We present a fast algorithm for solving qualitative interval constraint problems, which returns solutions of random problems in less than half a second on average, with the hardest problem taking only half a minute on a RISC workstation. This is a surprising result considering the problem is NP-complete. The fast solution time is attributed to the...

Message (or Time) Sequence Charts (MSCs) are used in telecommunications system specification. To investigate the meaning of an MSC specification, we found the need to connect MSC specifications with more precise methods such as temporal logic and Büchi automata. Based on an interpretation of a collection of MSCs as a global state automaton, we prov...

We give a precise semantics to Message Sequence Charts (MSCs), by interpreting MSC specifications by Büchi automata. The state transition graph is uniquely determined by the specification, but different automata may be defined to accept different sets of traces allowed by the specification. The precise automaton chosen therefore depends on reliabil...

Abstract: We report on a symbolic approach to solving constraint problems, which uses relation algebra. The method gives good results for problems with constraints that are relations on intervals. Problems of up to 500 variables may be solved in expected cubic time. Strong evidence is presented that significant backtracking on random problems occurs onl...

We present an algorithm for analyzing deadlock and for constructing sequentializations of a class of communicating sequential processes. The algorithm may be used for deadlock detection in parallel and distributed programs at compile time, or for debugging purposes at run time. The algorithm generates a data structure we call the flow graph, which...

A practical method of reasoning about intervals in a branching-time model which is dense, unbounded, future-branching, without rejoining branches is presented. The discussion is based on heuristic constraint-propagation techniques using the relation algebra of binary temporal relations among the intervals over the branching-time model. This techni...

James Allen defined a calculus of time intervals by identifying time intervals as pairs of real numbers, and considering binary relations that can hold between such pairs (All83). We call this the Interval Calculus. We consider the system of interval time units defined in (Lad86.2) (the TUS), which was intended for the natural representation o...

James Allen and Pat Hayes have considered axioms expressed in first-order logic for relations between time intervals (AllHay85, AllHay87.1, AllHay87.2). One important consequence of the results in this paper is that their theory is decidable (Lad87.4). In this paper, we characterise all the models of the theory, and of an important subtheor...

There is a need to incorporate reasoning about time dependencies into program synthesis systems. Such dependencies have often been phrased in terms of temporal logic systems. We present an alternative method of specifying time dependencies, in a calculus of binary relations between time intervals [Lad86.1, Lad86.2]. We show how the interval calculu...

James Allen in (All2) formulated a calculus of convex time intervals, which is being applied to commonsense reasoning by Allen, Pat Hayes, Henry Kautz and others (AllKau, AllHay). For many purposes in AI, we need more general time intervals. We present a taxonomy of important binary relations between intervals which are unions of convex intervals...

This investigation concerns representations of time by means of intervals, stemming from work of Allen [All83] and van Benthem [vBen83]. Allen described an Interval Calculus of thirteen binary relations on convex intervals over a linear order (the real numbers). He gave a practical algorithm for checking the consistency of a subclass of Boolean con...

Contents: 1 Introduction; 1.1 The Problems; 1.2 Applications; 1.3 The Message Flow Graph; 1.3.1 What is a Message Flow Graph?; 1.3.2 Loop Processes; ...

this paper we demonstrate how metric and Allen-style constraint networks can be integrated in a constraint-based reasoning system. The highlights of the work include a simple but powerful logical language for expressing both quantitative and qualitative information; translation algorithms between the metric and Allen sublanguages that entail a minimal...

lved, tense logic (with the Kripke semantics) is an appropriate reasoning tool, given that the ontology has been declared suitable. We show that the ontology of TLA is sufficient for (A) description of machine behavior, (B) formulation of accident histories, and (C) determination of sequences of states leading to an accident. States are individuate...

Simple practical reasoning with propositions whose truth values depend on time is a matter of logical engineering. One needs an expressive language in which simple inferences are productive. Here's one approach, along with some algorithms for implementing it. We also consider reified and non-reified logics, and show that, contrary to a claim of Bac...

We refute Elaine Scarry's contentions, published in the New York Review of Books in September and October 2000, that external electromagnetic fields can have been major contributors to the accidents to TWA Flight 800 and Swissair Flight 111. The refutation for TWA 800 cites NASA research done in support of the investigation. The refutation for Swissa...

We discuss a procedure proposed by Voas, Payne and Cohen for detecting the existence of software corruption in real time. In particular, we discuss problems posed by the concurrent execution of programs. In the cases where the proposed method may work, corruption is unlikely to be a problem; but where corruption by viruses and Trojans is a problem,...

Buffer with Operations. How does this fit together? The concrete buffer simulates the abstract buffer, and we shall prove that. Simulation means that: they start in `equivalent' states; every action of the concrete buffer corresponds either to an action or to a non-action of the abstract buffer; when the concrete buffer is sufficiently `liv...

I provide a formal proof in TLA that the Lazy Cache algorithm of Afek, Brown and Merritt implements an abstraction called a Complete Cache. This proof is part of a verification in TLA that the Lazy Cache is sequentially consistent. I explain how the invariant was chosen, and comment the proof to allow it more easily to be read. 1 What's the Problem...

I perform some rigorous verifications in TLA, by using simple examples which nevertheless illustrate TLA techniques, in particular liveness proofs. Since the method of invariants for safety proofs is well understood, our example needs only the trivial invariant, which is simply omitted. We specify in TLA a buffer implemented as an array, a double b...

We discuss a translation of Message Sequence Charts (MSCs) into the language Promela (we call this translation an `implementation') that is consistent with the formal semantics we have previously defined for Message Flow Graphs and Message Sequence Charts, which handled the syntactic features with mathematical import from ITU-T recommendation Z.120....

A philosopher has argued that there can be no such thing as a provably correct system. Some software reliability and safety experts believe that no system can have a software reliability of 1. These claims are related, and they are both mistaken, which we prove with a simple counterexample. But is this the only kind of counterexample? An interest...

This paper introduces five TLA

We propose a semantics for Message Sequence Charts (MSCs). Our requirements are: to determine unambiguously which execution traces are allowed by an MSC; and to use a finite-state interpretation. Our semantics handles both synchronous and asynchronous communication. We define a global state automaton from an MSC, by first defining a transition sys...

We discuss four issues concerning the semantics of Message Flow Graphs (MFGs). MFGs are extensively used as pictures of message-passing behavior. One type of MFG, Message Sequence Chart (MSC), is ITU Standard Z.120. We require that a system described by an MFG has global states with respect to its message-passing behavior, with transitions between th...

We have previously defined a formal semantics for Message Flow Graphs and Message Sequence Charts, capturing most of the syntactic features contained in ITU-T recommendation Z.120. We discuss here a translation of MSCs into the language Promela, and report on experiments executing the Promela code using the SPIN simulator and validator.

A collision occurred on 2 December 1999 at Glenbrook in the Blue Mountains, west of Sydney, Australia, between two passenger trains travelling in the same direction. An inter-urban train from the Blue Mountains to Sydney collided with the rear of an interstate train, the Indian Pacific, designated WL2, which had been waiting at Signal 40.8 which wa...

Research in Artificial Intelligence on constraint-based representations for temporal reasoning has largely concentrated on two kinds of formalisms: systems of simple linear inequalities to encode metric relations between time points, and systems of binary constraints in Allen's temporal calculus to encode qualitative relations between time inte...

Human error in commercial aviation has recently come again to the fore in three accidents, all within a month of one another in February and March 2009. We focus on a take-off accident in Melbourne. Various tasks involved in pre-flight cockpit preparation are crucial, but vulnerable to error, which may be caused by such phenomena as third-party int...

## Projects

Projects (2)