From windley@iris  Fri Jul 27 10:11:27 1990
Received: by iris.ucdavis.edu (5.57/UCD.EECS.2.0)
        id AA28003; Fri, 27 Jul 90 10:11:27 PDT
Received: from iris.ucdavis.edu by clover.ucdavis.edu (5.59/UCD.EECS.1.11)
        id AA15400; Fri, 27 Jul 90 10:15:18 PDT
Received: by iris.ucdavis.edu (5.57/UCD.EECS.2.0)
        id AA27996; Fri, 27 Jul 90 10:11:16 PDT
Message-Id: <9007271711.AA27996@iris.ucdavis.edu>
To: info-hol@clover.ucdavis.edu
Subject: VIPER info from COMP.RISKS
Date: Fri, 27 Jul 90 10:11:08 PDT
From: Phil Windley <windley@iris>


Miriam Leeser alerted me to the following article from COMP.RISKS
concerning VIPER.

--phil--

___________________________________________________________________________
RISKS-LIST: RISKS-FORUM Digest  Thursday 26 July 1990   Volume 10 : Issue 15

From: Brian Randell <Brian.Randell@newcastle.ac.uk>
Subject: Viper and its Formal Verification
Date: Mon, 9 Jul 90 9:37:15 BST

The RSRE Viper microprocessor and Avra Cohn's report on its formal
verification have been discussed earlier in RISKS. Readers may therefore be
interested in the following article, by Simon Hill, which appeared on p.3 of
the (UK) Computer Weekly for July 5, 1990. It is reprinted here in its
entirety, without permission.
Brian Randell, Computing Laboratory, University of Newcastle upon Tyne, UK

::              USER THREATENS COURT ACTION OVER MoD CHIP
::
::  The first commercial user of the Viper safety-critical chip developed
::  by the Ministry of Defence is threatening legal action for alleged
::  misrepresentation.
::
::  Teknis International Railroad Systems of Adelaide, Australia, is
::  seeking assurances that the Viper technology can meet the claims that
::  the MoD and its commercial partners make for it.
::
::  Teknis, which is developing a signal and railway crossing control
::  system using Viper for the Australian National Railway Commission, is
::  also threatening action against the MoD's commercial licensee, Charter
::  Technologies.
::
::  Worcester-based Charter was licensed in January 1988 to exploit
::  commercially the fruits of the Viper work carried out at the Royal
::  Signals and Radar Establishment at Malvern.
::
::  Ron Davison, Teknis' business development manager, says, "We are
::  looking for every comfort we can get from the development and
::  suppliers of Viper."
::
::  Davison says the A$12m Australian railways project "is a world first"
::  in the safety-critical market, marking the first time that Viper has
::  found a user outside the military and defence communities.
::
::  Teknis' concern has been inspired by a series of reports in UK and US
::  academic circles about RSRE and Charter's claims that Viper is
::  formally verified for use in safety-critical applications where lives
::  may be put at risk if the technology fails.
::
::  Davison says he is "surprised at the sudden rash of reports about
::  Viper coming out of the woodwork" 18 months after Teknis began work
::  with the chip.
::
::  But the report that is most critical of Viper, written by Avra Cohn of
::  Cambridge University's computer laboratory, is two years old.  It was
::  published in May 1988 and delivered to RSRE, but Charter Technologies
::  claims it was not shown Cohn's findings until mid-1989.
::
::  RSRE and Charter claim that Viper is formally specified, with a chip
::  design which conforms to this specification.  Cohn says in the report
::  that this is misleading.
::
::  "Such assertions, taken as assurances of the impossibility of design
::  failure in safety-critical applications, could have catastrophic
::  results," Cohn says in the report.
::
::  The MoD says "It is a matter of interpretation of the words used to
::  describe the dependability of Viper.  Nothing can be described as
::  absolutely fail safe."
::
::  This year a report by US consultants Computational Logic for US space
::  agency Nasa says "Viper has not been formally verified" and lists four
::  deficiencies in RSRE's specification.  In a draft copy of the same
::  report dated June 1989, obtained by Computer Weekly, the former chief
::  RSRE scientist on the Viper projects, John Cullyer, has indicated his
::  agreement with Nasa's conclusions.  Cullyer is now Professor of
::  Electronics at Warwick University.
::
::  The MoD cannot say whether the Nasa and Cohn reports have been looked
::  at by RSRE staff, but a spokesman says, "Work is continuing to
::  reinforce verification techniques and if a relevant report has been
::  produced then it will be studied by scientists at RSRE."
::
::  Marconi Electronic Devices of Lincoln, sub-contracted by the MoD to
::  manufacture Viper hardware circuitry, is reining back on its
::  commitment to the project while it waits for replies from the MoD.
::
::  Tony Smith, Marconi Electronic Devices' integrated circuits contract
::  manager, says the company "wanted a discussion with MoD and RSRE about
::  what could be guaranteed for Viper.  That meeting was due to take
::  place this year, but the MoD cancelled it.  We have still not had that
::  meeting".
::
::  Marconi has asked the MoD to respond to the Cohn and Nasa reports, but
::  has not yet received a reply and has not been shown either of the
::  reports, Smith says.  The company is making prototype Viper circuits,
::  but has no commercial orders.
::
::  The Ministry of Defence would not comment on "confidential or
::  commercial correspondence between it and third parties".
::
::  The MoD says, "No Viper chip is known to have failed, but work is
::  continuing to reinforce and improve verification techniques" on Viper,
::  and that "although there are no known faults in the Viper design, an
::  unremitting search for weakness must continue".
::
::



------- End of Forwarded Message


