Supporting Formal Reasoning for Safety Critical Systems

Formal methods can signiicantly assist in the design and modelling of safety-critical systems. However, formal methods are frequently criticised as being unusable through being too complex and requiring expert knowledge to use. We assert that to make formal methods usable they must be able to be presented in a manner which is readily interpretable. However, we must ensure that the inferences which may be drawn from such a presentation are correct with respect to the formal semantics. Concurrent systems in which communicationoccurs between asynchronously operating agents are widely used in safety-critical applications. Unfortunately designing and understanding such systems is made diicult by the interactions between the various concurrent agents. We present an exercise in the speciication and modelling of a safety-critical multiprocessing system fragment. This serves to illustrate three issues which are crucial to the design and modelling of a safety-critical system. These are the advantage of a formal approach, particularly for concurrent systems, the importance of ensuring that a formal model correctly represents the real system and the need to provide a user with a clear understanding (or visualisation) of the formal model. For this latter point we propose, with examples, the eecacy of a well-founded graphical representation in supporting such an understanding.