Verifying the Safety of a Flight-Critical System
This paper describes our work on demonstrating verification technologies on a
flight-critical system of realistic functionality, size, and complexity. Our
work targeted a commercial aircraft control system named Transport Class Model
(TCM), and involved several stages: formalizing and disambiguating requirements
in collaboration with domain experts; processing models for their use by
formal verification tools; applying compositional techniques at the
architectural and component level to scale verification. Performed in the
context of a major NASA milestone, this study of formal verification in
practice is one of the most challenging that our group has performed, and it
took several person months to complete it. This paper describes the methodology
that we followed and the lessons that we learned. Comment: 17 pages, 5 figures
Generating Property-Directed Potential Invariants By Backward Analysis
This paper addresses the issue of lemma generation in a k-induction-based
formal analysis of transition systems, in the linear real/integer arithmetic
fragment. A backward analysis, powered by quantifier elimination, is used to
output preimages of the negation of the proof objective, viewed as unauthorized
states, or gray states. Two heuristics are proposed to take advantage of this
source of information. First, a thorough exploration of the possible
partitionings of the gray state space discovers new relations between state
variables, representing potential invariants. Second, an inexact exploration
regroups and over-approximates disjoint areas of the gray state space, also to
discover new relations between state variables. k-induction is used to isolate
the invariants and check if they strengthen the proof objective. These
heuristics can be used on the first preimage of the backward exploration, and
each time a new one is output, refining the information on the gray states. In
our context of critical avionics embedded systems, we show that our approach is
able to outperform other academic or commercial tools on examples of interest
in our application field. The method is introduced and motivated through two
main examples, one of which was provided by Rockwell Collins, in a
collaborative formal verification framework. Comment: In Proceedings FTSCS 2012, arXiv:1212.657
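The abstract above describes k-induction strengthened by "gray states" (preimages of the negated proof objective) from which relations between state variables are mined as candidate invariants. The following is an added worked example, not code from the paper or from Rockwell Collins: it replaces the paper's symbolic quantifier elimination over linear integer arithmetic with explicit enumeration over a small finite grid, so the preimage, the k-induction checks and the invariant mining can all be run offline. The system (two saturating counters in lockstep), the objective P, the bound N and the helper names (`kind`, `preimage`, `candidate_invariants`) are the example's own assumptions.

```python
"""Explicit-state k-induction with gray-state (preimage) invariant mining.

Added example, not the paper's tool. State space is the grid
{0..N-1} x {0..N-1} so every set below is computed by enumeration
(assumption: finite domain; the paper works symbolically instead).
"""

N = 10                                   # assumption: x, y range over 0..N-1
STATES = [(x, y) for x in range(N) for y in range(N)]
INIT = {(0, 0)}


def step(s):
    """Transition relation: two saturating counters advancing in lockstep."""
    x, y = s
    return (min(x + 1, N - 1), min(y + 1, N - 1))


def prop(s):
    """Proof objective P: whenever x == 5, y == 5 as well."""
    x, y = s
    return x != 5 or y == 5


def k_paths(states, step, pred, k):
    """Yield every path of k consecutive states that all satisfy pred."""
    def extend(path):
        if len(path) == k:
            yield path
            return
        nxt = step(path[-1])
        if pred(nxt):
            yield from extend(path + [nxt])
    for s in states:
        if pred(s):
            yield from extend([s])


def kind(states, init, step, pred, k):
    """k-induction check. Returns (base_ok, step_ok, counterexample)."""
    # Base case: every state reachable within k-1 steps of init satisfies pred.
    frontier = set(init)
    for _ in range(k):
        for s in frontier:
            if not pred(s):
                return (False, None, [s])
        frontier = {step(s) for s in frontier}
    # Inductive step: k consecutive pred-states must be followed by a pred-state.
    for path in k_paths(states, step, pred, k):
        nxt = step(path[-1])
        if not pred(nxt):
            return (True, False, path + [nxt])
    return (True, True, None)


def preimage(states, step, bad):
    """Gray states: states with a successor in `bad` (one-step preimage)."""
    return {s for s in states if bad(step(s))}


def candidate_invariants(gray, states, init, step):
    """Mine relations x - y == c (example's own heuristic) that
    (1) exclude every gray state, (2) hold initially, (3) are 1-inductive."""
    found = []
    for c in range(-(N - 1), N):
        rel = lambda s, c=c: s[0] - s[1] == c
        if any(rel(s) for s in gray):
            continue
        if not all(rel(s) for s in init):
            continue
        if all(rel(step(s)) for s in states if rel(s)):
            found.append(c)
    return found


def strengthened(s):
    """P conjoined with the mined relation x - y == 0."""
    return prop(s) and s[0] == s[1]


if __name__ == "__main__":
    print("P alone, k=1:", kind(STATES, INIT, step, prop, 1))
    gray = preimage(STATES, step, lambda s: not prop(s))
    print("gray states:", sorted(gray))
    print("candidate c for x - y == c:", candidate_invariants(gray, STATES, INIT, step))
    print("P and x == y, k=1:", kind(STATES, INIT, step, strengthened, 1))
```

P is true on every reachable state but is not k-inductive for any small k, because a state such as (4, 0) satisfies P and steps to (5, 1), which does not. The gray states are exactly {(4, y) | y != 4}; every one of them violates x - y == 0, that relation holds initially and is inductive by itself, and conjoining it with P yields a 1-inductive objective, which is the strengthening mechanism the abstract describes.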
The development and application of aerodynamic uncertainties: And flight test verification for the space shuttle orbiter
The approach used in establishing the predicted aerodynamic uncertainties and the process used in applying these uncertainties during the design of the Orbiter flight control system and the entry trajectories are presented. The flight test program that was designed to verify the stability and control derivatives with a minimum of test flights is presented and a comparison of preflight predictions with preliminary flight test results is made. It is concluded that the approach used for the Orbiter is applicable to future programs where testing is limited due to time constraints or funding
Evaluating Model Testing and Model Checking for Finding Requirements Violations in Simulink Models
Matlab/Simulink is a development and simulation language that is widely used
by the Cyber-Physical System (CPS) industry to model dynamical systems. There
are two mainstream approaches to verify CPS Simulink models: model testing that
attempts to identify failures in models by executing them for a number of
sampled test inputs, and model checking that attempts to exhaustively check the
correctness of models against some given formal properties. In this paper, we
present an industrial Simulink model benchmark, provide a categorization of
different model types in the benchmark, describe the recurring logical patterns
in the model requirements, and discuss the results of applying model checking
and model testing approaches to identify requirements violations in the
benchmarked models. Based on the results, we discuss the strengths and
weaknesses of model testing and model checking. Our results further suggest
that model checking and model testing are complementary and by combining them,
we can significantly enhance the capabilities of each of these approaches
individually. We conclude by providing guidelines as to how the two approaches
can be best applied together. Comment: 10 pages + 2 page reference
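The abstract contrasts model testing (executing the model on sampled inputs) with model checking (exhaustively checking the model against a formal property). The following is an added example, not the paper's benchmark or tooling: a tiny Simulink-style discrete model (a saturating integrator, invented for illustration) is exercised both ways, with random input sequences and with an exhaustive bounded search over input choices, against one requirement. The model, the requirement, the bound `LIMIT` and the function names are assumptions of the example.

```python
"""Model testing vs bounded model checking on a toy discrete-time model.

Added example, not code from the paper. Model: x[k+1] = sat(x[k] + u[k]),
u in {-1, 0, 1}, saturated to [-LIMIT, LIMIT]. Requirement R: the integrator
never reaches its upper limit (x < LIMIT at every sample). All invented.
"""
import random
from collections import deque

LIMIT = 5                 # assumption: saturation bound of the integrator
INPUTS = (-1, 0, 1)       # assumption: quantised input alphabet


def model_step(x, u):
    """One sample of the model: saturating integration of the input."""
    return max(-LIMIT, min(LIMIT, x + u))


def requirement(x):
    """R: upper saturation is never reached."""
    return x < LIMIT


def simulate(inputs, x0=0):
    """Execute the model on a concrete input sequence; return the state trace."""
    x = x0
    trace = [x]
    for u in inputs:
        x = model_step(x, u)
        trace.append(x)
    return trace


def model_test(horizon, n_tests, seed=0):
    """Model testing: sample n_tests random input sequences of length
    `horizon`; return the first sequence whose trace violates R, else None."""
    rng = random.Random(seed)
    for _ in range(n_tests):
        seq = [rng.choice(INPUTS) for _ in range(horizon)]
        if not all(requirement(x) for x in simulate(seq)):
            return seq
    return None


def bounded_check(horizon, x0=0):
    """Bounded model checking: breadth-first search over every input choice
    for `horizon` steps. Returns a shortest violating input sequence, or None
    if R holds on every execution of that length (a proof up to the bound)."""
    queue = deque([(x0, [])])
    seen = {(x0, 0)}
    while queue:
        x, seq = queue.popleft()
        if not requirement(x):
            return seq
        if len(seq) == horizon:
            continue
        for u in INPUTS:
            nx = model_step(x, u)
            key = (nx, len(seq) + 1)
            if key not in seen:
                seen.add(key)
                queue.append((nx, seq + [u]))
    return None


if __name__ == "__main__":
    print("testing, horizon 4:", model_test(4, 500))
    print("checking, horizon 4:", bounded_check(4))
    print("testing, horizon 8:", model_test(8, 300))
    print("checking, horizon 5:", bounded_check(5))
```

The exhaustive search returns a definite answer for the horizon it explores: no violation exists within four steps, and the shortest violation is five consecutive +1 inputs. Random testing can never find a violation at horizon 4 either, but at longer horizons it only finds one with some probability per sample, while costing no more per run as the horizon grows; that is the complementary trade-off the abstract refers to.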
The dynamic phenomena of a tethered satellite: NASA's first Tethered Satellite Mission, TSS-1
The tethered satellite system (TSS) was envisioned as a means of extending a satellite from its base (space shuttle, space station, space platform) into a lower or higher altitude in order to more efficiently acquire data and perform science experiments. This is accomplished by attaching the satellite to a tether, deploying it, then reeling it in. When its mission is completed, the satellite can be returned to its base for reuse. If the tether contains a conductor, it can also be used as a means to generate and flow current to and from the satellite to the base. When current is flowed, the tether interacts with the Earth's magnetic field, deflecting the tether. When the current flows in one direction, the system becomes a propulsive system that can be used to boost the orbiting system. In the other direction, it is a power generating system. Pulsing the current sets up a dynamic oscillation in the tether, which can upset the satellite attitude and preclude docking. A basic problem occurs around 400-m tether length, during satellite retrieval when the satellite's pendulous (rotational) mode gets in resonance with the first lateral tether string mode. The problem's magnitude is determined by the amount of skiprope present coming into this resonance condition. This paper deals with the tethered satellite, its dynamic phenomena, and how the resulting problems were solved for the first tethered satellite mission (TSS-1). Proposals for improvements for future tethered satellite missions are included. Results from the first tethered satellite flight are summarized