
    Modelling and Verification of Multiple UAV Mission Using SMV

    Model checking has been used to verify the correctness of digital circuits, security protocols and communication protocols, as they can be modelled by means of a finite state transition model. However, modelling the behaviour of hybrid systems like UAVs in a Kripke model is challenging. This work aims to capture the behaviour of a UAV performing a cooperative search mission in a Kripke model, so as to verify it against temporal properties expressed in Computation Tree Logic (CTL). The SMV model checker is used for the model checking.

    Master of Science

    Direct equivalence testing is a framework for detecting errors in C compilers and application programs that exploits the fact that program semantics should be preserved during the compilation process. Binaries generated from the same piece of code should remain equivalent irrespective of the compiler, or compiler optimizations, used. Compiler errors as well as program errors such as out-of-bounds memory access, stack overflow, and use of uninitialized local variables cause non-equivalence in the generated binaries. Direct equivalence testing has detected previously unknown errors in real-world embedded software like TinyOS and in different compilers like msp430-gcc and llvm-msp430.

    Multi-core devices for safety-critical systems: a survey

    Multi-core devices are envisioned to support the development of next-generation safety-critical systems, enabling the on-chip integration of functions of different criticality. This integration provides multiple system-level potential benefits such as cost, size, power, and weight reduction. However, safety certification becomes a challenge and several fundamental safety technical requirements must be addressed, such as temporal and spatial independence, reliability, and diagnostic coverage. This survey provides a categorization and overview at different device abstraction levels (nanoscale, component, and device) of selected key research contributions that support compliance with these fundamental safety requirements. This work has been partially supported by the Spanish Ministry of Economy and Competitiveness under grant TIN2015-65316-P, the Basque Government under grant KK-2019-00035 and the HiPEAC Network of Excellence. The Spanish Ministry of Economy and Competitiveness has also partially supported Jaume Abella under a Ramon y Cajal postdoctoral fellowship (RYC-2013-14717).

    Automatic deployment of an RPAS Mission Manager to an ARINC-653 compliant system

    The development process of avionics systems requiring a high level of safety is subject to rigorous development and verification standards. In order to accelerate and facilitate this process, we present a testbed that uses a suite of methods and tools to comply with aerospace standards for certification. To illustrate the proposed methodology, we designed a Mission Management System for Remotely Piloted Aircraft Systems (RPAS) that was deployed on a particular run-time execution platform called XtratuM, an ARINC-653 compliant system developed in our research group. The paper discusses the system requirements, the software architecture, the key issues for porting designs to XtratuM, and how to automate this process. Results show that the proposed testbed is a good platform for designing and qualifying avionics applications. This research has been financed by the Institute of Control Systems and Industrial Computing (Ai2), and by projects GVA AICO/2015/126 (Ayudas para Grupos de Investigacion Consolidables) and GVA ACIF/2016/197 (Ayudas para la contratacion de personal investigador en formacion de caracter predoctoral) of the Spanish Regional Government "Generalitat Valenciana". Usach Molina, H.; Vila Carbó, JA.; Crespo, A.; Yuste Pérez, P. (2018). Automatic deployment of an RPAS Mission Manager to an ARINC-653 compliant system. Journal of Intelligent & Robotic Systems. 92(3-4):587-598. https://doi.org/10.1007/s10846-017-0694-3

    Challenges and Work Directions for Europe

    Embedded systems are components integrating software and hardware that are jointly and specifically designed to provide a given set of functionalities. These components may be used in a huge variety of applications, including transport (avionics, space, automotive, trains), electrical and electronic appliances (cameras, toys, television, washers, dryers, audio systems, and cellular phones), process control (energy production and distribution, factory automation), telecommunications (satellites, mobile phones and telecom networks), security (e-commerce, smart cards), etc. We expect that within a short timeframe, embedded systems will be a part of virtually all equipment designed or manufactured in Europe, the USA, and Asia.

    Lessons from Formally Verified Deployed Software Systems (Extended version)

    The technology of formal software verification has made spectacular advances, but how much does it actually benefit the development of practical software? Considerable disagreement remains about the practicality of building systems with mechanically checked proofs of correctness. Is this prospect confined to a few expensive, life-critical projects, or can the idea be applied to a wide segment of the software industry? To help answer this question, the present survey examines a range of projects, in various application areas, that have produced formally verified systems and deployed them for actual use. It considers the technologies used, the form of verification applied, the results obtained, and the lessons that can be drawn for the software industry at large and its ability to benefit from formal verification techniques and tools. Note: a short version of this paper is also available, covering in detail only a subset of the considered systems. The present version is intended for full reference. Comment: arXiv admin note: text overlap with arXiv:1211.6186 by other authors.

    Model Checking at Scale: Automated Air Traffic Control Design Space Exploration

    Many possible solutions, differing in the assumptions and implementations of the components in use, are usually in competition during early design stages. Deciding which solution to adopt requires considering several trade-offs. Model checking represents a possible way of comparing such designs; however, when the number of designs is large, building and validating so many models may be intractable. During our collaboration with NASA, we faced the challenge of considering a design space with more than 20,000 designs for the NextGen air traffic control system. To deal with this problem, we introduce a compositional, modular, parameterized approach combining model checking with contract-based design to automatically generate large numbers of models from a possible set of components and their implementations. Our approach is fully automated, enabling the generation and validation of all target designs. The 1,620 designs that were most relevant to NASA were analyzed exhaustively. To deal with the massive amount of data generated, we apply novel data-analysis techniques that enable a rich comparison of the designs, including safety aspects. Our results were validated by NASA system designers, and helped to identify novel as well as known problematic configurations.

    Specification and verification of network algorithms using temporal logic

    In software engineering, formal methods are mathematically based techniques that are used in the specification, development and verification of algorithms and programs in order to provide reliability and robustness of systems. One of the most difficult challenges for software engineering is to tackle the complexity of algorithms and software found in concurrent systems. Networked systems have come to prominence in many aspects of modern life, and therefore software engineering techniques for treating concurrency in such systems have acquired a particular importance. Algorithms in the software of concurrent systems are used to accomplish certain tasks which need to comply with the properties required of the system as a whole. These properties can be broadly subdivided into `safety properties', where the requirement is `nothing bad will happen', and `liveness properties', where the requirement is that `something good will happen'. As such, specifying network algorithms and their safety and liveness properties through formal methods is the aim of the research presented in this thesis. Since temporal logic has proved to be a successful technique in formal methods, with various practical applications due to the availability of powerful model-checking tools such as the NuSMV model checker, we investigate the specification and verification of network algorithms using temporal logic and model checking. In the first part of the thesis, we specify and verify safety properties for network algorithms. We use temporal logic to prove the safety property of data consistency, or serializability, for a model of the execution of an unbounded number of concurrent transactions over time, which could represent software schedulers for an unknown number of transactions being present in a network. In the second part of the thesis, we specify and verify the liveness properties of networked flooding algorithms.
Considering the above in more detail, the first part of this thesis specifies a model of the execution of an unbounded number of concurrent transactions over time in propositional Linear Temporal Logic (LTL) in order to prove serializability. This is made possible by assuming that data items are ordered and that the transactions accessing these data items respect this order, as then there is a bound on the number of transactions that need to be considered to prove serializability. In particular, we make use of recent work which places such bounds on the number of transactions needed when data items are accessed in order but do not have to be accessed contiguously, i.e., there may be `gaps' in the data items being accessed by individual transactions. Our aim is to specify the concurrent modification of data held on routers in a network as a transactional model. The correctness of the routing protocol, and ensuring safety and reliability, then corresponds to the serializability of the transactions. We specify an example of routing in a network and the corresponding serializability condition in LTL. This is then coded up in the NuSMV model checker and proofs are performed. The novelty of this part is that no previous research has used a method for detecting serializability and cycles for an unlimited number of transactions accessing the data on routers, where the transactions' way of accessing the data items on the routers has gaps. In addition, linear temporal logic has not previously been used in this scenario to prove correctness of the network system. This part is very helpful in network administrative protocols where it is critical to maintain correctness of the system. This safety property can be maintained using the presented work, where cycles in transactions accessing the data items can be detected by checking only a limited number of cycles rather than all possible cycles that can be caused by the network transactions.
The second part of the thesis offers two contributions. Firstly, we specify the basic synchronous network flooding algorithm, for any fixed size of network, in LTL. The specification can be customized to any single network topology or class of topologies. A specification for the termination problem is formulated and used to compare different topologies with regard to earlier termination. We give a worked example of one topology resulting in earlier termination than another, for which we perform a formal verification using the NuSMV model checker. The novelty of the second part comes in using linear temporal logic and the NuSMV model checker to specify and verify the liveness property of the flooding algorithm. The presented work shows a very difficult scenario where the network nodes are memoryless. This makes detecting the termination of network flooding very complicated, especially with networks of complex topologies. In the literature, researchers have focussed on using testing and simulations to detect flooding termination. In this work, we use a robust technique and a rigorous method to specify and verify the synchronous flooding algorithm and its termination. We also show that we can use linear temporal logic and the model checker NuSMV to compare synchronous flooding termination between topologies. Adding to the novelty of the second contribution, in addition to the synchronous form of the network flooding algorithm, we further provide a formal model of bounded asynchronous network flooding by extending the synchronous flooding model to allow a sent message, non-deterministically, to either be received instantaneously, or enter a transit phase prior to being received. A generalization of `rounds' from synchronous flooding to the asynchronous case is used as a unit of time to provide a measure of time to termination, as the number of rounds taken, for a run of an asynchronous system.
The model is encoded into temporal logic and a proof obligation is given for comparing the termination times of asynchronous and synchronous systems. Worked examples are formally verified using the NuSMV model checker. This work offers a constraint-based methodology for the verification of liveness properties of software algorithms distributed across the nodes in a network.

    Autonomy @ Ames

    This is a PowerPoint presentation that highlights autonomy across the 15 NASA technology roadmaps, including specific examples of projects (past and present) at NASA Ames Research Center. The NASA technology roadmaps are located here: http://www.nasa.gov/offices/oct/home/roadmaps/index.htm