Presentation is loading. Please wait.

Presentation is loading. Please wait.

© Copyright 2009 Rockwell Collins, Inc. All rights reserved. Formal Methods for Critical Systems Dr. Steven P. Miller Midwest Verification Day September.

Published byStuart Henry Modified over 9 years ago

Similar presentations

Presentation on theme: "© Copyright 2009 Rockwell Collins, Inc. All rights reserved. Formal Methods for Critical Systems Dr. Steven P. Miller Midwest Verification Day September."— Presentation transcript:

1 © Copyright 2009 Rockwell Collins, Inc. All rights reserved. Formal Methods for Critical Systems Dr. Steven P. Miller Midwest Verification Day September 12, 2009

2 © Copyright 2009 Rockwell Collins, Inc. All rights reserved. 2 Acknowledgements NASA Langley Research Center (Ricky Butler) Air Force Research Labs (RD Directorate) University of Minnesota (Dr. Mats P. E. Heimdahl) Dr. Michael Whalen (Rockwell Collins) Dr. Darren Cofer (Rockwell Collins)

3 © Copyright 2009 Rockwell Collins, Inc. All rights reserved. 3 Presentation Overview Who Are We? What Problem are We Solving? Overview of Our Approach Case Studies Challenges and Future Directions

4 © Copyright 2009 Rockwell Collins, Inc. All rights reserved. 4 Rockwell Collins  Headquartered in Cedar Rapids, Iowa  20,000 Employees Worldwide  2008 Sales of $4.77 Billion

5 © Copyright 2009 Rockwell Collins, Inc. All rights reserved. 5 Commercial/Military Avionics Systems Communications Navigation & Landing Systems Flight Control Displays Weapon Data Links “Working together creating the most trusted source of communication and aviation electronic solutions” Rockwell Collins’ core business is based on the delivery of High Assurance Systems

6 © Copyright 2009 Rockwell Collins, Inc. All rights reserved. 6 Advanced Technology Center Identify, acquire, develop and transition value-driven technologies to support the continued growth of Rockwell Collins. Technologists: 173 Administrators: 10 Technicians: 31 Automated Analysis Section Applies mathematical tools and reasoning to the production of high assurance systems. Technologists: 10 Administrators: 1

7 © Copyright 2009 Rockwell Collins, Inc. All rights reserved. 7 AAMP5 Microcode Verification (PVS) AAMP-FV Microcode Verification (PVS) AAMP5 Partitioning (PVS) JEM Java μProc (PVS) FGS Mode Confusion Study (PVS) FCP 2002 Microcode (ACL2) AAMP7 Separation Kernel (ACL2)l FGS Mode Confusion (RSML -e, PVS) FGS Safety Analysis (RSML -e, NuSMV) ADGS 2100 (Simulink, NuSMV) NASA Aviation Safety vFaat (ACL2, PVS) NSA SHADE (ACL2) Turnstile (SPARK) Guardol (ACL2, Prover) AFRL Greenhills Integrity RTOS (ACL2) CerTA FCS (NuSMV, Prover) Greenhills Integrity Gen4 (ACL2) Mixed Criticality Architectures 1994199619982000200220042006199220082010 Formal Methods at Rockwell Collins

8 © Copyright 2009 Rockwell Collins, Inc. All rights reserved. 8 Presentation Overview Who Are We? What Problem are We Solving? Overview of Our Approach Case Studies Challenges and Future Directions

9 © Copyright 2009 Rockwell Collins, Inc. All rights reserved. 9 J.P. Potocki De Montalk, Computer Software in Civil Aircraft, Sixth Annual Conference on Computer Assurance (COMPASS ’91), Gaithersberg, MD, June 24-27, 1991. Airborne Software Doubles Every Two Years

10 © Copyright 2009 Rockwell Collins, Inc. All rights reserved. 10 Complexity Size 1995 1970 No. of Signals Object Code (Mbytes) 230K 0 100 0 1995 1970 Year 747-200 757/767 747-400 777 747-200 757/767 747-400 777 Year Similar Growth Has Been Seen by Boeing

11 © Copyright 2009 Rockwell Collins, Inc. All rights reserved. 11 WPAFB 08-5183 RBO-08685 8/20/2008

12 © Copyright 2009 Rockwell Collins, Inc. All rights reserved. 12 Presentation Overview Who Are We? What Problem are We Solving? Overview of Our Approach Case Studies Challenges and Future Directions

13 © Copyright 2009 Rockwell Collins, Inc. All rights reserved. 13 Exploit the Convergence of Two Trends Model-Based Development –Domain specific graphical notations –MATLAB Simulink®, Esterel Technologies SCADE Suite™ –Enable early simulation and debugging –Automated generation of code and tests Model-Checking –Prove properties about a model –Explore all possible inputs and states –Highly automated –Generates a counterexample if a property is false –Explicit, implicit (BDD), SMT-Solver, … Reduce Costs and Improve Quality by Using Analysis to Find Errors During Early Design

14 © Copyright 2009 Rockwell Collins, Inc. All rights reserved. 14 Kind Rockwell Collins Translation Framework

15 © Copyright 2009 Rockwell Collins, Inc. All rights reserved. 15 Many small Lustre-to-Lustre translation passes Each pass refines closer to the target language Each pass deals with one change Pre/Post conditions define when a pass is valid A Product Family of Translators Last step pretty prints to the target language Extensive reuse of passes New translators can be developed quickly (usually in less than a week)

16 © Copyright 2009 Rockwell Collins, Inc. All rights reserved. 16 Model CPU Time (For NuSMV to Compute Reachable States) Improvement BeforeAfter Mode1> 2 hours11 sec > 650x Mode2> 6 hours169 sec> 125x Mode3> 2 hours14 sec> 500x Mode48 minutes< 1 sec480x Arch34 sec< 1 sec34x WBS29+ hours1 sec105,240x Translators Optimize for Specific Analysis Tools

17 © Copyright 2009 Rockwell Collins, Inc. All rights reserved. 17 Presentation Overview Who Are We? What Problem are We Solving? Overview of Our Approach Case Studies Challenges and Future Directions

18 © Copyright 2009 Rockwell Collins, Inc. All rights reserved. 18 ADGS-2100 Adaptive Display & Guidance System Example Requirement: The Cursor Shall Never be Positioned on an Inactive Display Counterexample Found in 5 Seconds Checked 563 Properties - Found and Corrected 98 Errors in Early Design Models Modeled in Simulink Translated to NuSMV 4,295 Subsystems 16,117 Simulink Blocks Over 10 37 Reachable States

19 © Copyright 2009 Rockwell Collins, Inc. All rights reserved. 19 Translation Time: 1-4 Hours Turnaround: 1 Day to 1 Week Iteration 1 Simulink R14 Model Simulink R13 Model SCADE Model NuSMV Model Translation Time: 10 Minutes Turnaround: 3 Hours to 2 Days Iteration 2 Simulink R14 Model Reactis Model NuSMV Model Translation Time: 10 Minutes Turnaround: 10 Minutes Iteration 3 Simulink R14 Model Reactis Model NuSMV Model ATC Group (Beige) Dev. Group (Blue) ADGS-2100 Technology Transfer

20 © Copyright 2009 Rockwell Collins, Inc. All rights reserved. 20 Sponsored by the Air Force Research Labs –Air Vehicles (RB) Directorate - Wright Patterson Investigate Roles of Testing and Formal Verification –Can formal verification complement or replace some testing? Example Model – Lockheed Martin Adaptive UAV Flight Control System –Redundancy Management Logic in the Operational Flight Program (OFP) –Well suited for verification using the NuSMV model-checker Lockheed Martin Aero Rockwell Collins Enhanced During CerTA FCS Based on Testing – Graphical Viewer of Test Cases – Support for XML/XSLT Test Cases – Added C++ Oracle Framework Developed Tests from Requirements Executed Tests Cases on Test Rig Developed Properties from Requirements – Support for Simulink blocks – Support for Stateflow – Support for Prover model-checker Enhanced During CerTA FCS Based on Model-Checking Proved Properties using Model-Checking CerTA FCS Phase I WPAFB 08-5183 RBO-08685 8/20/2008

21 © Copyright 2009 Rockwell Collins, Inc. All rights reserved. 21 For Each of Ten Control Surfaces Triplex Voter –Input monitor, sensor fusion, and failure isolation Failure Processing –Logs failures into a data store Reset Manager –Reset logic for sensors and control surfaces (not shown) CerTA FCS Phase I - OFP Redundancy Management Logic Input Monitor Failure Processing Failure Isolation Sensor Fusion WPAFB 08-5183 RBO-08685 8/20/2008

22 © Copyright 2009 Rockwell Collins, Inc. All rights reserved. 22 Errors Found in Redundancy Manager Model CheckingTesting Triplex Voter Failure Processing Reset Manager Total 3 5 4 12 0 0 0 0 Model-Checking Found 12 Errors that Testing Missed Spent More Time on Testing than Model-Checking – 60% of total on testing vs. 40% on model-checking Model-checking was more cost effective than testing at finding design errors. CerTA FCS Phase I – Errors Found WPAFB 08-5183 RBO-08685 8/20/2008

23 © Copyright 2009 Rockwell Collins, Inc. All rights reserved. 23 Sponsored by the Air Force Research Labs –Air Vehicles (RB) Directorate - Wright Patterson Can Model Checking be Used on Numerically Complex Systems? –Large, numerically intensive, non-linear systems CerTA FCS Phase II Example Model –Lockheed Martin Adaptive UAV Flight Control System –Effector Blender (EB) –Generates actuator commands for aircraft control surfaces –Matrix arithmetic of floating point numbers WPAFB 08-5183 RBO-08685 8/20/2008

24 © Copyright 2009 Rockwell Collins, Inc. All rights reserved. 24 Generates Actuator Commands –Six control surfaces –Adapts its behavior as aircraft state changes –Iterative algorithm that repeatedly manipulates a 3 x 6 matrix of floating point numbers Large Complex Model –Inputs 32 floating point inputs 3 x 6 matrix of floating point values –Outputs 1 x 6 vector of floating point values –166 Simulink subsystems –2000+ basic Simulink blocks –Huge reachable state space Completely Functional –No internal state Surf1left vertical tail surf2right vertical tail surf3left flap surf4right flap surf5left outboard spoiler surf6right outboard spoiler CerTA FCS Phase II – Effector Blender WPAFB 08-5183 RBO-08685 8/20/2008

25 © Copyright 2009 Rockwell Collins, Inc. All rights reserved. 25 No Explicit Requirements for the Effector Blender Model –Requirements defined for Effector Blender + aircraft model –Addition of aircraft model pushes verification beyond current tools Avoid Properties Verifiable by Other Means –Control theory – stability, tracking performance, feedback design … –Simulation – design validation –Implementation – code generation/compilation, scheduling, … Focus on the Consistency of the Effector Blender Model –Relationships the model should always maintain –Partial requirements specification Preservation of Control Surface Limits –EB computes upper and lower limits for each control surface command –Function of aircraft design, aircraft state, and max extension per cycle –Commanded extension should always be between these limits CerTA FCS Phase II – What to Verify? WPAFB 08-5183 RBO-08685 8/20/2008

26 © Copyright 2009 Rockwell Collins, Inc. All rights reserved. 26 Floating Point Numbers –Fixed number of bits with a movable decimal (radix) point –No decision procedures for floating point numbers available Real Numbers –Real numbers have unbounded size and precision –Would hide errors caused by limitations of floating point arithmetic –Control theory problems are inherently non-linear –Decision procedures for non-linear real numbers have exponential cost Solution - Translate Floating Point Numbers into Fixed Point –Extended translation framework to automate this translation –Convert floating point to fixed point (scaling provided by user) –Convert fixed point into integers (use bit shifting to preserve magnitude) –Shift from NuSMV (BDD-based) to Prover (SMT-solver) model checker Advantages & Issues –Use bit-level integer decision procedures for model checking –Results unsound due to loss of precision –Highly likely to find errors – very valuable tool for debugging CerTA FCS Phase II – Verification of Floating Point Numbers WPAFB 08-5183 RBO-08685 8/20/2008

27 © Copyright 2009 Rockwell Collins, Inc. All rights reserved. 27 Typical Specification –Models are typically organized in a hierarchy of subsystems –Subsystems are often nested several levels deep –Most of the complexity is in the leaf subsystems –Leaf subsystems can often be verified through model checking CerTA FCS Phase II – Compositional Verification 1 Out1 1 In1 2 In2 In_B1 In_B2 Out_B Subsystem B In_A1 In_A2 Out_A Subsystem A P2 & P3 -> Q1 Q2 P1 & Q1 -> Q2 Q1 Composition of Subsystems –Tends to be simple –Lends itself well to theorem proving P2 & P3 => Q1 P1 & Q1 => Q2 P1 & P2 & P3 => Q => Q P1 P2 & P3 Issues –Need to avoid circular reasoning to ensure soundness –Can be ensured by eliminating cyclic dependencies between atomic subsystems –Identifying the right leaf level invariants to support composition –Complexity of the proof obligations for the intermediate levels –Lack of a unified automated verification system WPAFB 08-5183 RBO-08685 8/20/2008

28 © Copyright 2009 Rockwell Collins, Inc. All rights reserved. 28 Can Model-Checking be Used on Numerically Complex Systems? –Large, numerically intensive, non-linear systems CerTA FCS Phase II - Results Effector Blender –Inputs 32 floating point inputs 3 x 6 matrix of floating point values –Outputs 1 x 6 vector of floating point values –166 Simulink subsystems –2000+ basic Simulink blocks Errors Found –Five previously unknown errors that would drive actuators past their limits –Several implementation errors were being masked by defensive programming WPAFB 08-5183 RBO-08685 8/20/2008

29 © Copyright 2009 Rockwell Collins, Inc. All rights reserved. 29 Presentation Overview Who Are We? What Problem are We Solving? Overview of Our Approach Case Studies Challenges and Future Directions

30 © Copyright 2009 Rockwell Collins, Inc. All rights reserved. 30 Theorem Provers Arbitrary Models Labor Intensive Non Linear Arithmetic Transcendental Functions Floating Point Decision Procedures Extending the Verification Domain Very Large or Infinite State Systems –SMT-Solvers –Large integers and reals –Limited to linear arithmetic –Ease of use is a concern SMT-Solvers Infinite State Models using k -Induction Implicit State < 10 200 Reachable States Model Checkers Non-Linear Arithmetic –Multiplication/division of real variables –Transcendental functions (trigonometric, …) –Essential to navigation systems Large Finite Systems (<10 200 States) –Implicit state (BDD) model checkers –Easy to use and very effective Theorem Provers –Deal with arbitrary models –Concerns are ease of use and labor cost Floating Point Arithmetic –Most modeling languages use floating point (not real) numbers

31 © Copyright 2009 Rockwell Collins, Inc. All rights reserved. 31 Composition of Subsystems –Tends to be simple –Well suited for theorem proving Typical Model-Based Specification –Models are organized in a hierarchy several levels deep –Most of the complexity is in the leaf models –Leaf models can often be verified through model checking What Should the User Interface Be? –Not emacs! –Integrated with the model –Simple theorem proving –Powerful model checking Combining Theorem Proving and Model Checking For Compositional Verification

32 © Copyright 2009 Rockwell Collins, Inc. All rights reserved. 32 How Many Properties Do I Need? –When am I done? –Are there coverage metrics like there are for testing? –How do I convince the certification authorities I’m done? Are Some Properties Better than Others? –Properties related to safety –Cross cutting properties find the most important errors –Simple, local properties find a surprising number of errors Is There a Process or Heuristics for Defining Properties? –Prove a property about each discontinuity in each output What is the Relationship Between Proof and Testing –Can proving replace some testing? –Can testing replace some proving? Finding the Right Properties

33 © Copyright 2009 Rockwell Collins, Inc. All rights reserved. 33 System Architectural Modeling & Analysis System Architecture Development Software Component Development

34 © Copyright 2009 Rockwell Collins, Inc. All rights reserved. 34 Formal Methods Are Practical and Are Being Widely Used –Model Based Development is the industrial use of formal methods –The engineers get to pick the modeling tools! –Semantics of some of the commercial tools could be improved Formal Verification Tools Are Being Used in Industry –Key is to verify the models the engineers are already building –Large portions of existing systems can be verified with model checkers –Need to make model checking accessible to the average engineer Directions for the Future Work –Making verification tools more powerful and easier to use –Integration of theorem proving and model checking –Finding the right properties –Modeling and analysis of system architectural models Conclusions

35 © Copyright 2009 Rockwell Collins, Inc. All rights reserved. 35 http://shemesh.larc.nasa.gov/fm/fm-collins-intro.html Whalen, M., Cofer, D., Miller, S., Krogh, B., Storm, W.: Integration of Formal Analysis into a Model-Based Software Development Process. In 12th International Workshop on Formal Methods for Industrial Critical Systems (FMICS2007), Berlin, Germany (2007). Whalen, M., Innis, J., Miller, S., Wagner, L.: ADGS-2100 Adaptive Display & Guidance System Window Manager Analysis, CR-2006-213952, NASA (2006). Mats P.E. Heimdahl, Michael W. Whalen, Ajitha Rajan, and Steven P. Miller, Testing Strategies for Model-Based Development, NASA Contractor Report NASA-2006-CR214307, April 2006. Available at http://hdl.handle.net/2002/214307.http://hdl.handle.net/2002/214307 Miller, S., Tribble, A., Whalen, M., Heimdahl, M., Proving the Shalls, International Journal on Software Tools for Technology Transfer (STTT), Feb 2006. Michael W. Whalen, John D. Innis, Steven P. Miller, and Lucas G. Wagner, ADGS-2100 Adaptive Display & Guidance System, NASA Contractor Report NASA-2006-CR213952, Feb. 2006. Available at http://hdl.handle.net/2002/16162.http://hdl.handle.net/2002/16162 Steven P. Miller, Mike W. Whalen, Dan O’Brien, Mats P.E. Heimdahl, and Anjali Joshi, A Methodology for the Design and Verification of Globally Asynchronous/Locally Synchronous Architectures, NASA Contractor Report NASA/CR-2005-213912, Sept. 2005. Available at http://hdl.handle.net/2002/15934.http://hdl.handle.net/2002/15934 Miller, S., Anderson, E., Wagner, L., Whalen, M., Heimdahl, M.: Formal Verification of Flight Critical Software. In AIAA Guidance, Navigation and Control Conference and Exhibit, AIAA-2005-6431, American Institute of Aeronautics and Astronautics (2005). For More Information

36 © Copyright 2009 Rockwell Collins, Inc. All rights reserved. 36 Backup Slides

37 © Copyright 2009 Rockwell Collins, Inc. All rights reserved. 37 node Thrust_Required( FG_Mode : FG_Mode_Type ; Airborne : bool ; In_Flare : bool ; Emergency_Descent : bool; Windshear_Warning : bool ; In_Eng_Accel_Zone : bool ; On_Ground : bool) returns (IsTrue : bool) ; let IsTrue = (FG_Thrust_Mode(FG_Mode) and Airborne) or (Airborne and Emergency_Descent) or Windshear_Warning or ((FG_Mode = ThrottleRetard) and In_Flare) or (In_Eng_Accel_Zone and On_Ground) ; tel ; Textual (Z, VDM, PVS, Lustre, …) Tabular (RSML -e, SCR) Graphical (SCADE, Simulink) Evolution of Modeling Approaches

38 © Copyright 2009 Rockwell Collins, Inc. All rights reserved. 38 WPAFB 08-5183 RBO-08685 8/20/2008

39 © Copyright 2009 Rockwell Collins, Inc. All rights reserved. 39 FCS 5000 Flight Control Mode Logic Determines Armed and Active Modes of the Aircraft –Active mode enables a control law to move aircraft control surfaces –Armed mode can become active when the right conditions are met Five Mode Machines Analyzed in the FCS 5000 Mode Logic –36 modes, 172 events, 488 transitions –Transition in one mode machine can affect behavior of the others

40 © Copyright 2009 Rockwell Collins, Inc. All rights reserved. 40 6.8 x 10 21 Reachable States Mode Controller B Mode Controller A Counterexample Found in Less than Two Minutes Found 26 Errors in Early Requirements Models FCS 5000 Flight Control Mode Logic Example Requirement Mode A1 => Mode B1 Modeled in Simulink Translated to NuSMV

41 © Copyright 2009 Rockwell Collins, Inc. All rights reserved. 41 Summary of Errors Found Model-checking detected the majority of errors Model-checking detected the most serious errors Found early in the lifecycle during requirements analysis Detected By Likelihood of Being Found by Traditional Methods TrivialLikelyPossibleUnlikelyTotal Inspection 123 Modeling 516 Simulation Model Checking 21 13117 Total 26 15326 FCS 5000 Flight Control Mode Logic

42 © Copyright 2009 Rockwell Collins, Inc. All rights reserved. 42 Model-Based Development

43 © Copyright 2009 Rockwell Collins, Inc. All rights reserved. 43 Test: time to write the tests MC: time to write the properties and set up the models for analysis Test: time to run the tests. MC: running the tools, analyzing and explaining counter- examples to LM Aero, and creating a revised model. Test: time spent fixing errors in test cases. MC: time to repeat analysis. Testing Model-Checking CerTA FCS Phase I - Testing and Model Checking Recurring Costs Spent ~50% more time testing than model-checking. WPAFB 08-5183 RBO-08685 8/20/2008

44 © Copyright 2009 Rockwell Collins, Inc. All rights reserved. 44 Verifying Asynchronous Systems Occur Frequently in System Designs –Implement fault tolerance or meet performance requirements No Global Clock - Each Node Has Its Own Clock Quasi-Synchronous System –Clocks have similar (but not identical) periods, drift, jitter Interleaving Leads to State Space Explosion –Makes model checking difficult Need to Exploit the Constraints Imposed by Quasi-Synchrony

Download ppt "© Copyright 2009 Rockwell Collins, Inc. All rights reserved. Formal Methods for Critical Systems Dr. Steven P. Miller Midwest Verification Day September."

Similar presentations

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Introducing Formal Methods, Module 1, Version 1.1, Oct., 1998 1 Formal Specification and Analytical Verification L 5.

Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Undoing the Task: Moving Timing Analysis back to Functional Models Marco Di Natale, Haibo Zeng Scuola Superiore S. Anna – Pisa, Italy McGill University.

Undoing the Task: Moving Timing Analysis back to Functional Models Marco Di Natale, Haibo Zeng Scuola Superiore S. Anna – Pisa, Italy McGill University.
1 Translation Validation: From Simulink to C Michael RyabtsevOfer Strichman Technion, Haifa, Israel Acknowledgement: sponsored by a grant from General.

1 Translation Validation: From Simulink to C Michael RyabtsevOfer Strichman Technion, Haifa, Israel Acknowledgement: sponsored by a grant from General.
© Copyright 2013 Rockwell Collins All rights reserved. Company Official and Proprietary Rockwell Collins and Formal Methods September 20, 2013.

© Copyright 2013 Rockwell Collins All rights reserved. Company Official and Proprietary Rockwell Collins and Formal Methods September 20, 2013.
Timed Automata.

Timed Automata.
Model Checker In-The-Loop Flavio Lerda, Edmund M. Clarke Computer Science Department Jim Kapinski, Bruce H. Krogh Electrical & Computer Engineering MURI.

Model Checker In-The-Loop Flavio Lerda, Edmund M. Clarke Computer Science Department Jim Kapinski, Bruce H. Krogh Electrical & Computer Engineering MURI.
Dagstuhl Intro Mike Whalen Program Director University of Minnesota Software Engineering Center.

Dagstuhl Intro Mike Whalen Program Director University of Minnesota Software Engineering Center.
Dagstuhl Intro Mike Whalen. 2 Mike Whalen My main goal is to reduce software verification and validation (V&V) cost and increasing.

Dagstuhl Intro Mike Whalen. 2 Mike Whalen My main goal is to reduce software verification and validation (V&V) cost and increasing.
1 Mechanical Verification of Timed Automata Myla Archer and Constance Heitmeyer Presented by Rasa Bonyadlou 24 October 2002.

1 Mechanical Verification of Timed Automata Myla Archer and Constance Heitmeyer Presented by Rasa Bonyadlou 24 October 2002.
Copyright 2004 Prentice-Hall, Inc. Essentials of Systems Analysis and Design Second Edition Joseph S. Valacich Joey F. George Jeffrey A. Hoffer Appendix.

Copyright 2004 Prentice-Hall, Inc. Essentials of Systems Analysis and Design Second Edition Joseph S. Valacich Joey F. George Jeffrey A. Hoffer Appendix.
MotoHawk Training Model-Based Design of Embedded Systems.

MotoHawk Training Model-Based Design of Embedded Systems.
1 Formal Methods in SE Qaisar Javaid Assistant Professor Lecture 05.

1 Formal Methods in SE Qaisar Javaid Assistant Professor Lecture 05.
Advanced Technology Center Slide 1 Formal Verification of Flight Critical Software Dr. Steven P. Miller Advanced Computing Systems Elise A. Anderson Commercial.

Advanced Technology Center Slide 1 Formal Verification of Flight Critical Software Dr. Steven P. Miller Advanced Computing Systems Elise A. Anderson Commercial.
Advanced Technology Center Slide 1 Formal Methods in Safety-Critical Systems Dr. Steven P. Miller Advanced Computing Systems Rockwell Collins 400 Collins.

Advanced Technology Center Slide 1 Formal Methods in Safety-Critical Systems Dr. Steven P. Miller Advanced Computing Systems Rockwell Collins 400 Collins.
Formal Model-Based Development in Aerospace Systems: Challenges to Adoption Mats P. E. Heimdahl University of Minnesota Software Engineering Center Critical.

Formal Model-Based Development in Aerospace Systems: Challenges to Adoption Mats P. E. Heimdahl University of Minnesota Software Engineering Center Critical.
Systems Engineering for Automating V&V of Dependable Systems John S. Baras Institute for Systems Research University of Maryland College Park 301-405-6606.

Systems Engineering for Automating V&V of Dependable Systems John S. Baras Institute for Systems Research University of Maryland College Park
Telescoping Languages: A Compiler Strategy for Implementation of High-Level Domain-Specific Programming Systems Ken Kennedy Rice University.

Telescoping Languages: A Compiler Strategy for Implementation of High-Level Domain-Specific Programming Systems Ken Kennedy Rice University.

Similar presentations

Ads by Google