SEGURIDAD DEL PACIENTE

[1] Alfred V. Aho, John E. Hopcroft, and Jeffrey D. Ullman. The Design and Analysis of Computer Algorithms. Addison-Wesley, 1974.

[2] K. Akita, T. Watanabe, and H. Nakamura. Solid-state interlocking in railway

signalling, SMILE. In Proceedings of the International Conference on Electric Railway Systems for a New Century, pages 294-298. IEE, September 1987. [3] P. B. Andrews. An Introduction to Mathematical Logic and Type Theory: To

Truth through Proof. Computer Science and Applied Mathematics Series. Aca­ demic Press, 1986.

[4] W. R. Bevier. Kit and the short stack. Journal o f Automated Reasoning, 5(4), November 1989.

[5] W. R. Bevier, W. A. Hunt, J. S. Moore, and W.D.Young. An approach to

systems verification. Journal o f Automated Reasoning, 5(4), November 1989. [6] D. Bjoerner and Cliff B. Jones. Formal Specification and Software Development.

Prentice-Hall International, 1982.

[7] D. Bjorner, C.A.R.Hoare, and H. Langmaack, editors. VDM ’90, VDM and Z — Formal Methods in Software Development. Lecture Notes in Computer Science, No. 428. Springer-Verlag, 1990.

BIBLIOGRAPHY 162 [8] Robert S. Boyer and J Strother Moore. A Computational Logic. Perspectives

in Computing. Academic Press, Inc., San Diego, CA, U.S.A, 1979.

[9] Robert S. Boyer and J Strother Moore. A Computational Logic Handbook. Perspectives in Computing. Academic Press, Inc., San Diego, CA, U.S.A, 1988.

[10] Robert S. Boyer and J Strother Moore. A theorem prover for a computational

logic. In M. E. Stickel, editor. Proceedings o f IOth International Conference on Automated Deduction, Lecture Notes in Artificial Intelligence, pages 1-15, Kaiserslautern, FRG, July 1990. Springer-Verlag.

[11] B. A. Carré. SPADE Staic Code Analysis Manual. Program verification Ltd., April 1985.

[12] B. A. Carre and T. J. Jennings. SPARK—the SPADE Ada kernel. Technical

report, University of Southampton, 1988.

[13] K. Celinski. Microcomputer controllers introduce modern technology in fail-safe

signalling. In Proceedings o f the International Conference on Electric Railway Systems for a New Century, pages 310-314. IEE, September 1987. [14] A. Church. A formulation of the simple theory of types. Journal o f Symbolic

Logic, 5:56-68, 1940.

[15] A. Cohn. A proof of correctness of the viper microprocessor: the first level.

Technical report, Unviersity of Cambridge Computer Laboratory, 1988.

[16] A. Cohn. A proof of correctness of the viper microprocessor: the second level.

BIBLIOGRAPHY 163 [17] Computer Laboratory, University of Cambridge. The HOL System : Descrip­

tion, 1990.

[18] Computer Laboratory, University of Cambridge. The HOL System : Tutorial, 1990.

[19] D. Craigen and K. Summerskill, editors. Formal Methods for Trustworthy Com­ puter Systems(FM89), Workshops in Computing. Springer-Verlag, 1990. [20] Alan Cribbens. The solid state interlocking. In Proceedings o f the Interna­

tional Conference on Railway Safety, Control and Automation towards the 21st Century, pages 24 - 29, Sept. 1984.

[21] Alan Cribbens. A solid state interlocking (ssi): an integrated electronic sig­

nalling system for mainline railways. In IE E Proceedings, Part B, volume 134, pages 148 - 158, MAY 1987.

[22] Alan H. Cribbens, M. J. Furniss, and H. A. Ryland. The solid state interlocking

project. In Proceedings o f the International Conference on Railways in the Electronic Age, pages 1 - 5, Nov. 1981.

[23] W. J. Cullyer. Implementing Safety Critical Systems: The VIPER micropro­ cessor, pages 1-26. Kluwer Academic Publishers, 1987.

[24] W. J. Cullyer. Safety-critical control systems. Computing & Control Engineer­ ing Journal, 2(5):202-210, September 1991.

[25] W. J. Cullyer and Wong W. Application of formal methods to railway

signalling—a case study. IEE Computer and Control Engineering journal, 1992. Submitted to IEE CCEJ.

BIBLIOGRAPHY 164 [26] W. J. Cullyer and W. Wong. A mathematical approach to the protection of

grade crossing. In Proceedings o f international symposium on railing-highway grade crossing research and safety, Knoxville, Tennessee, USA, 31st Oct - 3rd Nov 1990.

[27] Norman Delisle and David Garlan. A formal specification of an oscilloscope.

IEEE Software, September 1990.

[28] Antoni Diller. Z—An Introduction to Formal Methods. Jonh Wiley & Sons, 1990.

[29] Alan Gibbon. Algorithmic Graph Theory. Cambridge University press, Cam­ bridge England, 1985.

[30] J. Goguen, C. Kirchner, H. Kirchner, A. Megrelis, J. Meseguer, and T. Winkler.

An introduction to OBJ3. In S. Kaplan and J. P. Jouannuad, editors, Con­ ditional Term Rewriting Systems. — 1st International workshop proceedings. Springer-Verlag, 1988.

[31] J. A. Goguen. OBJ as a theorem prover with applications to hardware veri­

fication. In G. Birtwistle and P. A. Subrahmanyam, editors. Current Traends in Hardware Verification and Automated Theorem Proving, chapter 5, pages 218-267. Springer-Verlag, 1989.

[32] J. A. Goguen, J. W. Thatcher, and E. G. Wagner. An initial algebra approach

to the specification, correntness and implementation of abstract d ata types. In

R. T. Yeh, editor, Current Trends in programming Methodology, Vol. IV — Data Structuring. Prentice-Hall, 1977.

BIBLIOGRAPHY 165 [33] Michael. C. Gordon. Mechanizing programming logics in higher order logic.

In Current Trends in Hardware Verification and Automated Theorem Proving, chapter 10, pages 387-439. Springer-Verlag, 1989.

[34] Michael J. Gordon. HOL: A Proof Generating System for Higher-Order Logic, pages 73-128. Kluwer Academic Publishers, 1987.

[35] Michael J. Gordon, Arthur J. Milner, and Christopher P. Wadsworth. Edin­ burgh LCF. Lecture Notes in Computer Science, No. 78. Springer-Verlag, 1979. [36] F. K. Hanna and N. Daeche. Specification and verification using higher-order

logic: A case study. In G. J. Milne and P. A. Subrahmanyan, editors. Formal Aspects o f VLSI Design, pages 179-213. Springer-Verlag, 1986.

[37] Health and Safety Executive. Guidance on the Use o f Programmable Electronic Systems »'n Safety-related Applications, 1986.

[38] W. A. Hunt. Microprocessor design verification. Journal o f Automated Rea­ soning, 5(4), November 1989.

[39] Warren A. Hunt. FM8501: A Verified Microprocessor. PhD thesis. The Uni­ versity of Texas a t Austin, 1985.

[40] IEC. Functional Safety o f Programmable Electronic Systems. IEC SC65A/WG10 3rd Draft, June 1989.

[41] IEC. Software for Computers in the Application o f Industrial Safety Related Sofware. IEC SC65A/WG9 3rd Draft, June 1989.

[42] Cliff B. Jones. Systematic Software Development Using VDM. Prentice-Hall, London, 1986.

BIBLIOGRAPHY 166 [43] J. J. Joyce. Formal specification and verification of asynchronous processes in

higher-order logic. In Specification and Verification o f Concurrent Systems — Proceedings o f B C S-FA CS Workshop (TR45), 1988.

[44] J. J. Joyce. Totally verified systems: Linking verified software to verified hard­

ware. Technical rep o rt, Unviersity of Cambridge Computer Laboratory, 1989.

[45] J.S.Moore. A mechanically verified language implementation. Journal o f Au­ tomated Reasoning, 5(4), November 1989.

[46] P. Loewenstein. Formal verificattion of state-machines using higher-order logic.

In Proceedings o f 1989 IEEE International Conference on Computer Design: VLSI in computers and processors. IEEE, IEEE Computer Society Press, 1989. [47] P. Loewenstein. Reasoning about state machines in higher-order logic. In

M. Leeser and G . Brown, editors, HardwareSpecification, Verification and Syn­ thesis: Mathematical Aspect, Lecture Notes in Computer Science No. 408, pages 67-89. Springer-Verlag, 1989.

[48] T. F. Melham. Autom ating recursive type definition in higher-order logic. In

Graham Birtwistle and P. A. Subrahmanyam, editors, Current Trends in Hard­ ware Verification and Automated Theorem Proving, pages 341-386. Springer- Verlag, 1989.

[49] Robin Milner, M ads Tofte, and Robert Harper. The Definition o f Standard ML. The MIT Press, 1990.

[50] I. H. Mitchell. T h e design and testing of application database for a railway

signalling system. In Proceedings o f International Conference on Software En­ gineering for Real-time Systems, pages 159 - 164, September 1987.

BIBLIOGRAPHY 167 [51] MOD. Requirements fo r Hazard Analysis o f Safety-related Computer Systems.

Draft UK DefStan 00-56, April 1991.

[52] MOD. Requirements fo r the procurment o f safety-critical software in defence equipment. Draft UK DefStan 00-55, April 1991.

[53] J. D. Murchland. A new method for finding all elementary paths in a complete

directed graph. Technical Report LSE-TNT-22, London School of Economics,

1965.

[54] O. S. Nock, editor. Railway Signalling: A treatise on the recent practice of British Railways. A and C Black, London, 1980.

[55] L. C. Paulson. ML for the Working Progammer. Cambridge university press, 1991.

[56] W. L. Price. Graphs and Networks: An Introduction. Butterworth Co (Pub­ lishers) Ltd., London, 1971.

[57] RCTS. Software Considerations in Airborne Systems and Equipment Certifi­ cation. RCTS-178A, May 1985.

[58] J. Rushby. Formal methods and critical systems in the real world. In D. Craigen

and K. Summerskill, editors, Formal Methods for Trustworthy Computer Sys- tems(FM89), Workshops in Computing, pages 121-125. Springer-Verlag, 1990. [59] Roger Shaw and Cliff B. Jones. Case Studies in System Software Development. Prentice-Hall International series in Computer Science. Prentice-Hall Interna­

tional, September 1989.

BIBLIOGRAPHY 168 In Proceedings o f the International Conference on Electric Railway Systems for a New Century, pages 315-319. IEE, September 1987.

[61] Frances Singer. IECC — a new era in british rail signalling. Modem Railways, pages 533-535, October 1989.

[62] J . M. Spivey. The Z Notation — A Reference Manual. Prentice Hall Interna­ tional Series in Computer Science. Prentice-Hall, 1989.

[63] B. A. Sufrin. Formal specification of a display editer. Science o f Computer Programming, 1:157-202, 1982.

[64] Open University. Graphs, Networks and Design— Unit 2: Graphs and Di­ graphs. Open University press, 1981.

[65] O pen University. Graphs, Networks and Design— Unit 5: Paths and Cycles. O pen University press, 1981.

[66] W.D.Young. A mechanically verified code generator. Journal o f Automated Reasoning, 5(4), November 1989.

[67] W . Wong. Formatting hoi text: the library la t« x - h o l. HOL system library

Manual, May 1991. '

[68] W . Wong. A simple graph theory and its application in railway signalling. In

Proceedings o f the 1991 international Workshop on Higher Order Logic Theorem Proving System and Its Application. IEEE, 1991.