About
161 Publications, 9,270 Reads
1,309 Citations (since 2017)
Additional affiliations: August 1991 - present
Publications (161)
Behavior Trees (BTs) are a graphical notation for requirements capture that is easier to read than other formal notations, with direct traceability between individual functional requirements and their representation in the BT model. This paper investigates whether this relationship can be extended to generation of test cases, using a symbolic model...
A cut set is a collection of component failure modes that could lead to a system failure. Cut Set Analysis (CSA) is applied to critical systems to identify and rank system vulnerabilities at design time. Model checking tools have been used to automate the generation of minimal cut sets but are generally based on checking reachability of system fail...
Defense Experimentation (DE) using modeling and simulation (M&S) is increasingly being adopted as a means to better understand complex defense capability problems. This is being given added impetus by the amplified focus on Network Enabled Capability (NEC) and the rising use of advanced information and communications technology within military oper...
Safety analysis can be labour intensive and error prone for system designers. Moreover, even a relatively minor change to a system’s design can necessitate a complete reworking of the system safety analysis. This paper proposes the use of Behavior Trees and model checking to automate Cut Set Analysis (CSA): that is, the identification of combinati...
Failure Modes and Effects Analysis (FMEA) is a widely used system and software safety analysis technique that systematically identifies failure modes of system components and explores whether these failure modes might lead to potential hazards. In practice, FMEA is typically a labor-intensive team-based exercise, with little tool support. This arti...
To complement standard fitness functions, we propose "Fitness Importance" (FI) as a novel meta-heuristic for online learning systems. We define FI and show how it can be used to dynamically bias the population composition in order to vary the instantaneous system performance at a tradeoff to learning capability. The effect of FI is demonstrated on...
This paper demonstrates the use of Behavior Trees and model checking to assess system safety requirements for a system containing substantial redundancy. The case study concerns the hydraulics systems for the Airbus A320 aircraft, which are critical for aircraft control. The system design is supposed to be able to handle up to 3 different component...
Geoff Dromey's Behavior Engineering method provides a vital link between systems engineering processes and software engineering processes. It has proven particularly effective in industry when applied to large complex systems, to help understand the problem space and clarify system and software requirements. In this paper we compare the method with...
Wireless Sensor Actuator Networks (WSANs) extend wireless sensor networks through actuation capability. Designing robust logic for WSANs however is challenging since nodes can affect their environment which is already inherently complex and dynamic. Fixed (offline) logic does not have the ability to adapt to significant environmental changes and ca...
Wilson [13] showed how delayed reward feedback can be used to solve many multi-step problems for the widely used XCS learning classifier system. However, Wilson’s method – based on back-propagation with discounting from Q-learning – runs into difficulties in environments with aliasing states, since the local reward function often does not converge....
Prioritisation is an important technique for resolving planning conflicts between agents with shared resources, such as robots moving through a shared space. This paper explores the use of genetic-based machine learning to assign priority dynamically, to improve performance of a team of agents without unduly impacting individual agents' performance...
Deregulation of the electric power industry has introduced new uncertainties for market participants and made planning of transmission expansion more difficult. More flexible transmission expansion plans are needed, to cope with the increased risks. In this paper, a novel planning approach is proposed to meet the above challenge. In our approach, t...
An important area of Human Reliability Assessment in interactive systems is the ability to understand the causes of human error and to model their occurrence. This paper investigates a new approach to analysis of task failures based on patterns of operator behaviour, in contrast with more traditional event-based approaches. It considers, as a case...
Healthcare is a complex adaptive system. This paper discusses healthcare in the context of complex systems architecture and an agent based modeling framework. The paper demonstrates complications of healthcare system improvement and its impact on patient safety, economics and workloads. Further, an application of safety dynamics model proposed by...
With the increased interest in multi-user systems with distributed decision making tasks, such as network centric warfare and free-flight air traffic control, the concept of shared situation awareness (SSA) has become more important. SSA relates to the awareness that different operators have of the system state and the information needs of their te...
Free flight is a new concept in air traffic management, where pilots are given more freedom in making decisions in the cockpit. This allows air traffic controllers to manage more flights. One of the concepts under investigation in the Australian airspace is moving sectors, where an air traffic controller becomes responsible for a moving volume of th...
The paper discusses the use of modeling and simulation to explore concepts of autonomous control for UAVs operating in the vicinity of an airstrip. A state-based algorithm is developed for autonomous collision detection and avoidance, and for developing flight plans that respect the NASA SATS (Small Aircraft Transportation System) concept. The resu...
Dependability requirements such as safety and availability often conflict with one another making the development of dependable systems challenging. It is not always possible to design a system that fulfils all of its dependability requirements and consequently, it is necessary to identify conflicts early in the development process and to optimize...
This paper is concerned with the shift in concept from the current distance-based separation management paradigm of Air Traffic Control towards a timing-based approach to trajectory management. We propose a way of thinking about the sector controller’s task, and the interventions they choose, which represents a small change from their current view...
The continuing growth of air traffic worldwide motivates the need for new approaches to air traffic management that are more flexible both in terms of traffic volume and weather. Free Flight is one such approach seriously considered by the aviation community. However, the benefits of Free Flight are severely curtailed in the convective weather seaso...
Experiments with simulators allow psychologists to better understand the causes of human errors and build models of cognitive processes to be used in human reliability assessment (HRA). This paper investigates an approach to task failure analysis based on patterns of behaviour, by contrast to more traditional event-based approaches. It considers, a...
The use of formal verification to prove the correctness of software is increasingly being mandated by international standards for the development of safety critical systems. While formal development environments exist to assist in formal software development, formal verification is still an extremely difficult and time-consuming task, requiring exp...
Software configuration management is the discipline of managing large collections of software development artefacts from which software products are built. Software configuration management tools typically deal with artefacts at fine levels of granularity - such as individual source code files - and assist with coordination of changes to such artef...
Industry is increasingly adopting software and system safety standards that mandate the use of hazard logs in the development and operation of safety critical systems. Hazard logs are used to record and track the results of hazard analysis and risk assessment throughout the lifecycle of the system. Even relatively simple systems give rise to la...
+SAFE, a safety extension to the Capability Maturity Model - Integrated (CMMI) has been developed and trialed in Australia, for use in assessing suppliers of safety-related systems. This paper describes the latest version of the safety extension and also reports on the results of seven trials.
This paper describes recently developed policy and procedures for safety management during system acquisition within the Australian government's Defence Materiel Organisation (DMO). The thrust of the safety policy is that: all systems are considered safety-critical until shown otherwise; and any project acquiring or upgrading a system involving saf...
The increased reliance on software in critical applications suggests a greater need for formal methods to be used in the development of such software. A number of formal languages and toolsets exist for developing formally specified and verified software; however experience tells us that the development of formally verified software, even with the...
This paper describes a tool that manages a hierarchical, "is a subsystem of"-structure on a set of software development artefacts and that provides configuration management (CM) for subsystems by interacting with an existing CM tool. The tool is based on a recently proposed framework for subsystem-based configuration management. The tool demonstrat...
This paper introduces a new approach to formalising analysis of human errors in human-computer interaction. The approach takes account of the cognitive processes involved in a task, and how mistakes arise and how errors propagate through the task. It argues for modelling errors as behaviours rather than as events (the usual approach), at least for...
The recently released CMMI offers a Capability Maturity Model integrated for software and systems engineering. The Australian Defence Force intends to use CMMI to assess suppliers of software intensive systems. A key aim is to identify the strengths and weaknesses of system and software suppliers, and to address identified weaknesses early in the a...
This paper reports on an industrial pilot project that introduces systematic, automated module testing for embedded software in distributed, real-time, control systems. The systems are used in safety-related applications, are complex in nature, and hence have strong requirements for test coverage, auditability and repeatability. This paper explores...
Existing software configuration management (CM) tools are limited in the support they provide for configuration and change management of hierarchically structured software systems. This paper describes a framework for CM of subsystems, logically coherent collections of software development artefacts, including code, documentation and test sets. The...
Formal specifications have been proposed as a basis for accessing reusable components from libraries, and various fine-grained specification-matching approaches have been developed to assist in searching libraries. Typically, however, the granularity of matching has been too fine for reuse to be effective. Compounding the problem is the fact that c...
Growing use of computers in safety-critical systems increases the need for Human Computer Interfaces (HCIs) to be both smarter — to detect human errors — and better designed — to reduce likelihood of errors. We are developing methods for determining the likelihood of operator errors which combine current theory on the psychological causes of human...
A variety of hazard analysis techniques have been proposed for software-based systems but individually the techniques are limited in their ability to cope with system complexity, or to derive and prioritise component safety requirements. There is also confusion in practice about whether the techniques are being used to assess risk or to assign targ...
Describes a rigorous approach to safety validation of embedded control software by specification animation. The software control logic is specified in Z and systematically animated together with a model of the equipment under control. All reachable equipment states under software control are systematically identified and compared with known hazardo...
Some surgeons consider hand held surgical keratometers unreliable. This may be due to incorrect use through not realising that the distance that the keratometer is held from the cornea influences the shape of the image. When a keratometer is held closer to the astigmatic cornea, the elliptical image will appear more circular, particularly for large...
The CARE project investigated integration of well understood formal development principles into an industrial organisation's software development methodology. The result was a method for construction and verification of programs from formal specifications, using libraries of pre proven, formally specified components. Tools help the user build produ...
This paper describes the implementation of a prototype system that supports fine-grained configuration and version management. The development has been undertaken in the context of providing trusted support for high-integrity software development. The starting point of this paper is a formal specification of the consistency and completeness criteri...
An approach to the formal specification of task management models for interactive systems is presented. The approach is well suited to data-intensive applications where the system is being used to manage complex collections of interrelated objects. The approach consists of annotating objects with status information, and relating status back to prop...
Reports on a collaborative project to pilot the use of formal methods in the development of safety-related software. Using the SVRC's Cogito methodology, staff from CSC Australia undertook: formal specification; validation of the specification by mathematical consistency checks; hazard analysis; and validation of the specification against the safet...
The CARE method is a new approach to constructing and formally verifying programs. CARE has been developed in response to identified industrial needs for a formal software development method which does not require the user to be an expert in formal proof. Software engineers use CARE to develop compilable code from formal program specifications usin...
Intraoperative keratometry enables the surgeon to set an appropriate amount of corneal astigmatism with the suture tension. Errors in estimating or measuring the astigmatism can occur with hand-held keratometers because the distance an object is held from an astigmatic cornea influences the shape of the elliptical image. Thus hand-held instruments...
This paper discusses some of the necessary prerequisites for transferring specification analysis and verification techniques from VDM to Z. It starts by comparing Z and VDM in terms of the mathematical and specification notations they use. It then explains the VDM approach to reasoning about specifications, as supported by the mural tool-set, and c...
For large software developments, process modelling can be used to guide and monitor the use of development tools. This paper explores the addition of behavioural properties to process models as a means for reasoning about the status of a software development as it evolves under a given process model. In this way, the behaviour of the process model...
The Hyde astigmatic ruler is an inexpensive, semiquantitative, hand-held, surgical keratometer that we modified by geometrically calculating the correct shape of its ellipses. The Barrett keratoscope is a cheap, disposable, qualitative keratometer that, unlike the Hyde ruler, produces a bright corneal image. We designed a transparent overlay, or "a...
This Technical Report presents a series of case studies in the formal, mathematical verification of formal specifications of sequential software systems. Each of the five case studies is formally specified in Z and VDM, and various issues in formal specification are discussed. Analysis and verification techniques from the two methods are applied to...
For large software developments projects, process modelling is an important technique for guiding and monitoring the use of development tools. This paper explores the addition of "behavioural properties" to process models as a mechanism for reasoning about the status of a software development as it evolves. The process model is translated into VDM...
Configuration Management is an integral requirement of the Software Engineering process. This paper outlines an approach to Configuration Management specifically tailored to support formal development of software. A model of VDM developments is defined in which each development is provided as a configuration of its low level components, such as ope...
The functional programming language Miranda has been used as a first programming language at the University of NSW since the beginning of 1989, when a new computer engineering course and a revised computer science course were introduced. This paper explains the reasons for choosing the language, and describes the subject in which Miranda is introdu...
By allowing the surgeon to measure and modify corneal curvature during wound closure, intraoperative keratometry can reduce postoperative astigmatic errors. A number of keratometric devices have been developed over the last 10 years, each offering a compromise between cost, accuracy and ease of use. The Barrett keratoscope is a simple, inexpensive...
This chapter presents the concepts of formal software development as a basis for the description of the VDM Support Tool in the following chapter.
This chapter attempts to give a general overview of the whole of the mural system by working through the development described in Chapter 1. It should be noted, however, that, whilst most of what’s contained herein is the truth (and where it’s not the appropriate confession appears), it is by no means the whole truth — not only has much detail been...
One major problem in producing software (both using formal and informal methods) is the capture of the user’s requirements. Although one can (at least in theory) prove the correctness of an implementation with respect to a specification, this is no help at all if the specification itself is not correct, i.e. does not match the user’s requirements.
The mural proof assistant is generic in that it can be instantiated with many different logics and theories. The user is provided with a logical frame which can be configured to support reasoning in any number of different logics. The purpose of this chapter is to illustrate how to instantiate mural for some common logics. It can be used to gain fa...
Previous chapters describe the mural proof assistant, both at the abstract level and in terms of the specification of the system. We should not forget that this abstraction has been realized as a working piece of software. This chapter discusses the process of implementation and points out some of the things we learned along the way that we believe...
This chapter describes the context in which the scientific work reported in later chapters was undertaken. After a general description of formal methods, VDM is used as an example to make the sort of tasks involved in formal development more precise. Section 1.3 outlines the overall project in which the work on formal methods was undertaken. The la...
It is perfectly possible to conduct all proofs in the mural proof assistant using only the single-step-at-a-time strategy provided by the justification tool; this can, however, become tedious. It was therefore felt advantageous to provide an additional layer of functionality whereby the user can interact with the system using ‘large scale’ operatio...
The PA (‘proof assistant’) has been instantiated with a hierarchy of theories with rules for VDM. These cover rules for inferring the well-definedness and the dynamic properties of VDM specifications. This chapter contains two case studies highlighting some of the capabilities of this special instantiation of the mural system. To prepare for the ca...
This chapter describes the support tool for VDM which has been built to integrate with the proof assistant. Through reference to the formal specification of the tool, it introduces the notions of specification, reification and development, and describes some of the operations upon the components of a development, including the generation of proof o...
This chapter presents the formal foundations of the mural proof assistant, in the form of a ‘walk’ into the mural specification (Appendix C). To understand the need for a separate chapter, a little of the history of the development of mural should be explained. As would be expected, our concept of mural evolved as the project progressed and as we e...