The rigorous specification and verification of the safety aspects of a real-time system

Three main concepts concerning safety and the use of formal specification and rule techniques are described. They are safety analysis leading to a list of safety requirements, deriving a formal specification from a list of safety requirements, and formally proving that an implementation satisfies its specification. All three must be covered satisfactorily before a system can be considered safe. It is shown how these techniques have been used in the verification of the implementation of a sophisticated torpedo system containing onboard computing for target acquisition and approach. The specification of the most safety-critical features is written in an object-oriented process specification format which is a variant of the Z notation. The MALPAS static analysis tool is introduced and used to verify that the functionality of the implementation of the safety features formally satisfies its specification and hence safety requirements. Verifying the MALPAS-logic-derived specification against the original implementation indicated that a problem existed in the hardware check section of the design. As a result the implementation was modified.<>