Acknowledgments: Pvs Was Constructed by Our Colleagues Sam Owre and 3.1 Informal Proof: Sketch Omh(0)

Formal veriication of an algorithm for interactive consistency under a hybrid fault model. A formally veriied algorithm for interactive consistency under a hybrid fault model. Mechanical veriication of a generalized protocol for Byzan-tine fault-tolerant clock synchronization. 15 and veriication is not in getting a theorem prover to say proved, but rather in reening one's understanding through dialogue with a tirelessly skeptical theorem prover. The eeort required to perform this formal veriication was not particularly large and did not seem to us to demand special skill. We attribute some of this ease in performing formal veriication of a relatively tricky algorithm to the eeectiveness of the tools employed 8]. These tools (and others that may be of similar eeectiveness) are freely available, and in light of the aws we discovered in Thambidurai and Park's algorithm, and had previously found in the proofs for other fault-tolerant algorithms 9], we suggest that formal veriication should become a routine part of the social process of development and analysis of fault-tolerant algorithms intended for practical application in safety-critical systems. In future work, we hope to explore extensions to the OMH algorithm and its analysis. We also plan to formally verify a modiied version of the Interactive-Convergence Algorithm for clock synchronization using a hybrid fault model (we have already formally veriied the standard algorithm 12], and have an informal analysis of a hybrid version). We also plan to continue the development of PVS, improving the ground decision procedures and adding state exploration tools. Natarajan Shankar. We have had fruitful discussions with them and with Michelle McElvany-Hugue of Allied-Signal on related topics. References 1] William R. Bevier and William D. Young. Machine checked proofs of the design of a fault-tolerant circuit. 14 OMH is not amenable to state exploration: it has far too many states. But for debugging, it can be useful to examine highly simpliied versions of the problem 3]: for example, the cases m = 1, n 6, and a very small set of data values|E, R(E), and two distinct \good" values seem suucient to detect all the errors in all the variants we considered. Theorem proving and state exploration could be combined to prove that some cases are redundant: the case where the rst receiver is the only faulty processor is very similar to the case when receiver three is the only faulty processor. While state exploration might be more economical than conventional formal …