
    Formal Methods Case Studies for DO-333

    RTCA DO-333, Formal Methods Supplement to DO-178C and DO-278A, provides guidance for software developers wishing to use formal methods in the certification of airborne systems and air traffic management systems. The supplement identifies the modifications and additions to DO-178C and DO-278A objectives, activities, and software life cycle data that should be addressed when formal methods are used as part of the software development process. This report presents three case studies describing the use of different classes of formal methods to satisfy certification objectives for a common avionics example, a dual-channel Flight Guidance System. The three case studies illustrate the use of theorem proving, model checking, and abstract interpretation. The material presented is not intended to represent a complete certification effort. Rather, the purpose is to illustrate how formal methods can be used in a realistic avionics software development project, with a focus on the evidence produced that could be used to satisfy the verification objectives found in Section 6 of DO-178C.

    Testing Strategies for Model-Based Development

    This report presents an approach for testing artifacts generated in a model-based development process. This approach divides the traditional testing process into two parts: requirements-based testing (validation testing), which determines whether the model implements the high-level requirements, and model-based testing (conformance testing), which determines whether the code generated from a model is behaviorally equivalent to the model. The goals of the two processes differ significantly, and this report explores suitable testing metrics and automation strategies for each. To support requirements-based testing, we define novel objective requirements coverage metrics similar to existing specification and code coverage metrics. For model-based testing, we briefly describe automation strategies and examine the fault-finding capability of different structural coverage metrics using tests automatically generated from the model.

    Flight Guidance System Validation Using SPIN

    To verify the requirements for the mode control logic of a Flight Guidance System (FGS) we applied SPIN, a widely used software package that supports the formal verification of distributed systems. These requirements, collectively called the FGS specification, were developed at Rockwell Avionics & Communications and expressed in terms of the Consortium Requirements Engineering (CoRE) method. The properties to be verified are the invariants formulated in the FGS specification, along with the standard properties of consistency and completeness. The project had two stages. First, the FGS specification and the properties to be verified were reformulated in PROMELA, the input language of SPIN. This involved a semantics issue, as some constructs of the FGS specification do not have well-defined semantics in CoRE. Then we attempted to verify the requirements' properties using the automatic model checking facilities of SPIN. Due to the large size of the state space of the FGS specification, an exhaustive state space analysis with SPIN turned out to be impossible. So we used the supertrace model checking procedure of SPIN, which provides for a partial analysis of the state space. During this process, we found some subtle errors in the FGS specification.
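
    The contrast the abstract draws between exhaustive and supertrace model checking, as an added example (not code from the paper, and not the Rockwell FGS specification or its PROMELA model): a small, constructed mode-control model with a seeded coupling defect is searched breadth-first twice, once with an exact state table and once with SPIN-style bitstate hashing. The modes, switches, invariant and defect are all assumptions made for the example.

```python
"""Explicit-state model checking of a small mode-control model.

Added example, not code from the paper or from the Rockwell FGS
specification: the modes, switches and the seeded defect below are assumed.
It contrasts the two SPIN strategies the abstract mentions: exhaustive
search, which stores every visited state, and supertrace (bitstate hashing),
which keeps one bit per hashed state and may silently skip states, so a
clean supertrace run is evidence but not proof.
"""
import hashlib
from collections import deque

EVENTS = ("HDG_SW", "NAV_SW", "APPR_SW", "VS_SW", "ALT_SW", "ALT_CAPTURE")
INITIAL = ("ROLL", "PITCH", False)  # (lateral mode, vertical mode, altitude armed)


def select_lateral(lat, vert, new):
    """Lateral switch: toggles the mode; leaving approach also clears
    vertical approach so the two approach modes stay coupled."""
    if lat == new:
        return "ROLL", vert
    if lat == "LAPPR":
        return new, "PITCH"
    return new, vert


def step(state, event):
    """Transition relation of the constructed mode logic."""
    lat, vert, armed = state
    if event == "HDG_SW":
        lat, vert = select_lateral(lat, vert, "HDG")
    elif event == "NAV_SW":
        lat, vert = select_lateral(lat, vert, "NAV")
    elif event == "APPR_SW":
        lat, vert = ("ROLL", "PITCH") if lat == "LAPPR" else ("LAPPR", "VAPPR")
    elif event == "VS_SW":
        # Seeded defect: VS during an approach drops vertical approach but
        # leaves lateral approach engaged, breaking the coupling invariant.
        vert = "PITCH" if vert == "VS" else "VS"
    elif event == "ALT_SW":
        armed = not armed
    elif event == "ALT_CAPTURE" and armed:
        armed = False
        if vert != "VAPPR":
            vert = "ALT"
    return (lat, vert, armed)


def approach_coupled(state):
    """Invariant: lateral and vertical approach are active together or not at all."""
    lat, vert, _ = state
    return (lat == "LAPPR") == (vert == "VAPPR")


class ExhaustiveStore:
    """Exact state table: a state is new iff it was never stored."""
    def __init__(self):
        self.states = set()

    def add(self, state):
        if state in self.states:
            return False
        self.states.add(state)
        return True


class BitstateStore:
    """Supertrace: one bit per hash value; a collision makes an unexplored
    state look visited, so it and its successors may be skipped."""
    def __init__(self, bits, hash_fn=None):
        self.bits, self.bitmap = bits, bytearray((bits + 7) // 8)
        self.hash_fn = hash_fn or (lambda s: int.from_bytes(
            hashlib.blake2b(repr(s).encode(), digest_size=8).digest(), "big"))

    def add(self, state):
        h = self.hash_fn(state) % self.bits
        byte, mask = h >> 3, 1 << (h & 7)
        if self.bitmap[byte] & mask:
            return False
        self.bitmap[byte] |= mask
        return True


def explore(store, invariant=approach_coupled):
    """BFS over reachable states. Returns how many states the store let us
    visit and each invariant violation with a shortest event trace to it."""
    violations = []

    def discover(state, trace):
        if not store.add(state):
            return False
        if not invariant(state):
            violations.append((state, trace))
        return True

    discover(INITIAL, ())
    visited, frontier = 1, deque([(INITIAL, ())])
    while frontier:
        state, trace = frontier.popleft()
        for event in EVENTS:
            nxt = step(state, event)
            if discover(nxt, trace + (event,)):
                visited += 1
                frontier.append((nxt, trace + (event,)))
    return visited, violations
```

    `explore(ExhaustiveStore())` visits all 26 reachable states and reports the six states in which lateral approach is engaged without vertical approach, the first of them reached by APPR_SW then VS_SW. `explore(BitstateStore(16))` is the supertrace analogue: the bitmap is tiny, so the count it reports is an undercount and a run without violations would not establish the invariant, which is why the abstract calls supertrace a partial analysis.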

    Free adjustment of a triangulation net

    It is often useful to determine the measures of precision of the directly observed quantities in a triangulation net. Provided the net is not strained, these measures are unique to a particular set of observations and weights. Unique measures for the precision of the indirectly observed quantities cannot be found by classical means, although several ad hoc approaches can be used to approximate this measure of the 'inherent strength' of a net. Bjerhammar's theory of generalised matrix inverses can be used to derive measures of precision for the indirectly observed quantities, which may be interpreted as reflecting the inherent strength of the net. The theory of adjustment of a triangulation net by the method of variation of co-ordinates is described, followed by an explanation of the theory of generalised inverses. Methods for the practical derivation of particular inverses are described, following Mittermayer. The characteristics of Normal, Transnormal and Stochastic Ring inverses in the solution of Normal equations BX = R are described.

    The engineering design integration (EDIN) system

    A digital computer program complex for the evaluation of aerospace vehicle preliminary designs is described. The system consists of a Univac 1100 series computer and peripherals using the Exec 8 operating system, a set of demand access terminals of the alphanumeric and graphics types, and a library of independent computer programs. Modification of the partial run streams, data base maintenance and construction, and control of program sequencing are provided by a data manipulation program called the DLG processor. The executive control of library program execution is performed by the Univac Exec 8 operating system through a user-established run stream. A combination of demand and batch operations is employed in the evaluation of preliminary designs. Applications accomplished with the EDIN system are described.

    "Automation Surprise" in Aviation

    Conflicts between the pilot and the automation, when pilots detect but do not understand them, cause “automation surprise” situations and jeopardize flight safety. We conducted an experiment in a 3-axis motion flight simulator with 16 pilots equipped with an eye-tracker to analyze their behavior and eye movements during the occurrence of such a situation. The results revealed that this conflict engages participants' attentional abilities, resulting in excessive and inefficient visual search patterns. This experiment confirmed the crucial need to design solutions for detecting the occurrence of conflictual situations and to assist the pilots. We therefore proposed an approach to formally identify the occurrence of “automation surprise” conflicts based on the analysis of “silent mode changes” of the autopilot. A demonstrator was implemented and allowed for the automatic triggering of messages in the cockpit that explain the autopilot behavior. We implemented a real-time demonstrator that was tested as a proof-of-concept with 7 subjects facing 3 different conflicts with automation. The results showed the efficacy of this approach, which could be implemented in existing cockpits.
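
    The "silent mode change" idea the abstract builds on, as an added example (not the paper's demonstrator): each autopilot mode annunciation in a cockpit event log is attributed to a pilot input or an aircraft event that preceded it within a short window, and a change with neither cause is flagged and turned into an explanatory message. The log format, the two-second window, the field names and the message wording are assumptions for the example, and the log excerpt is constructed.

```python
"""Detecting "silent mode changes" of an autopilot from a cockpit event log.

Added example, not the paper's demonstrator. The log format, the time
window and the message wording are assumptions. A mode change announced by
the autopilot is attributed to a pilot action or an aircraft event that
preceded it within the window; a change with neither cause is flagged as
silent, the kind of event the abstract uses to trigger a cockpit message.
"""
import re
from dataclasses import dataclass

LINE_RE = re.compile(r"^t=(?P<t>\d+(?:\.\d+)?) (?P<src>PILOT|AC|AP) (?P<body>.*)$")
MODE_FIELDS = ("lateral", "vertical")

# Constructed log excerpt: flight control panel inputs (PILOT), aircraft
# events (AC) and autopilot mode annunciations (AP).
SAMPLE_LOG = """\
t=100.0 PILOT FCP=APPR
t=100.3 AP lateral=LAPPR vertical=VAPPR
t=140.0 PILOT FCP=ALT_SEL value=5000
t=140.2 AP armed=ALT
t=172.8 AC ALT_CAPTURE
t=173.0 AP vertical=ALT
t=215.4 AP vertical=VS
t=260.0 PILOT FCP=HDG
t=260.2 AP lateral=HDG vertical=PITCH
"""


@dataclass
class Record:
    t: float
    src: str
    fields: dict   # key=value pairs on the line
    tokens: list   # bare words, e.g. an aircraft event name


@dataclass
class Finding:
    t: float
    changes: dict
    cause: str     # "pilot", "aircraft" or "silent"
    message: str


def parse_log(text):
    """One Record per well-formed line; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        parts = m["body"].split()
        fields = dict(p.split("=", 1) for p in parts if "=" in p)
        tokens = [p for p in parts if "=" not in p]
        records.append(Record(float(m["t"]), m["src"], fields, tokens))
    return records


def describe(rec):
    return " ".join(rec.tokens + [f"{k}={v}" for k, v in rec.fields.items()])


def classify_mode_changes(text, window=2.0):
    """Attribute each autopilot mode change to the most recent plausible
    cause within `window` seconds; anything else is a silent mode change."""
    last_pilot = last_aircraft = None
    findings = []
    for rec in parse_log(text):
        if rec.src == "PILOT":
            last_pilot = rec
        elif rec.src == "AC":
            last_aircraft = rec
        else:
            changes = {k: v for k, v in rec.fields.items() if k in MODE_FIELDS}
            if not changes:  # arming annunciations are not active mode changes
                continue
            what = ", ".join(f"{k} -> {v}" for k, v in changes.items())
            if last_pilot and rec.t - last_pilot.t <= window:
                cause, msg = "pilot", f"{what}: selected by {describe(last_pilot)}"
            elif last_aircraft and rec.t - last_aircraft.t <= window:
                cause, msg = "aircraft", f"{what}: triggered by {describe(last_aircraft)}"
            else:
                since = (f"last pilot input {describe(last_pilot)} at t={last_pilot.t}"
                         if last_pilot else "no pilot input")
                cause, msg = "silent", f"SILENT MODE CHANGE {what} ({since})"
            findings.append(Finding(rec.t, changes, cause, msg))
    return findings
```

    On the constructed log, `classify_mode_changes(SAMPLE_LOG)` attributes the approach engagement and the heading selection to pilot inputs, the altitude capture to an aircraft event, and flags the reversion to vertical speed at t=215.4 as silent, since nothing in the preceding window explains it. A real implementation would draw the list of legitimate autonomous triggers from the autopilot mode logic rather than from a time window, which is what makes the paper's approach formal rather than heuristic.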

    Attacking (and defending) the Maritime Radar System

    Operation of radar equipment is one of the key facilities used by navigators to gather situational awareness about their surroundings. With an ever increasing need for always-running logistics and tighter shipping schedules, operators are relying more and more on computerized instruments and their indications. As a result, modern ships have become a complex cyber-physical system in which sensors and computers constantly communicate and coordinate. In this work, we discuss novel threats related to the radar system, which is one of the most security-sensitive components on a ship. In detail, we first discuss some new attacks capable of compromising the integrity of data displayed on a radar system, with potentially catastrophic impacts on the crew's situational awareness or even safety itself. Then, we present a detection system aimed at highlighting anomalies in the radar video feed, requiring no modifications to the target ship configuration. Finally, we stimulate our detection system by performing the attacks inside of a simulated environment. The experimental results clearly indicate that the attacks are feasible, rather easy to carry out, and hard to detect. Moreover, they prove that the proposed detection technique is effective.

    Advanced Transport Operating System (ATOPS) color displays software description: MicroVAX system

    This document describes the software created for the Display MicroVAX computer used for the Advanced Transport Operating Systems (ATOPS) project on the Transport Systems Research Vehicle (TSRV). The software delivery of February 27, 1991, known as the 'baseline display system', is the one described in this document. Throughout this publication, module descriptions are presented in a standardized format which contains module purpose, calling sequence, detailed description, and global references. The global references section includes subroutines, functions, and common variables referenced by a particular module. The system described supports the Research Flight Deck (RFD) of the TSRV. The RFD contains eight Cathode Ray Tubes (CRTs) which depict a Primary Flight Display, Navigation Display, System Warning Display, Takeoff Performance Monitoring System Display, and Engine Display.

    Safety assessment methods for avionics software system

    Nowadays, avionics software has become more and more critical for both civil and military aircraft. However, the software may sometimes misbehave, and any software failure may cause catastrophic results. Therefore, software safety assessment is crucial not only to the specific software but also to the system and the aircraft. Although there are some industry standards serving as guidelines for the development of software systems, applying these standards to practical software systems is still challenging and hard to operate in practice. This thesis tries to solve this problem. After analyses and summaries of the system safety assessment process and existing software safety assessment processes in different fields, this research proposes a systematic and comprehensive software safety assessment process and method for avionics software. The thesis presents the research process and proposes one suitable avionics software safety assessment process. Meanwhile, the thesis uses a real functional block in a flight management system as a case study, and then conducts the software safety requirement assessment based on the proposed software safety assessment method. After analysis of the case study results, the proposed software safety assessment process and methods can quickly and correctly identify software design errors. So, this analysis can be used to prove the feasibility and validity of the proposed software safety assessment process and methods, which will help engineers correct software design errors at an early stage in order to guarantee software safety.