Verifying the Safety of a Flight-Critical System

This paper describes our work on demonstrating verification technologies on a flight-critical system of realistic functionality, size, and complexity. Our work targeted a commercial aircraft control system named Transport Class Model (TCM), and involved several stages: formalizing and disambiguating requirements in collaboration with do- main experts; processing models for their use by formal verification tools; applying compositional techniques at the architectural and component level to scale verification. Performed in the context of a major NASA milestone, this study of formal verification in practice is one of the most challenging that our group has performed, and it took several person months to complete it. This paper describes the methodology that we followed and the lessons that we learned.Comment: 17 pages, 5 figure

Generating Property-Directed Potential Invariants By Backward Analysis

This paper addresses the issue of lemma generation in a k-induction-based formal analysis of transition systems, in the linear real/integer arithmetic fragment. A backward analysis, powered by quantifier elimination, is used to output preimages of the negation of the proof objective, viewed as unauthorized states, or gray states. Two heuristics are proposed to take advantage of this source of information. First, a thorough exploration of the possible partitionings of the gray state space discovers new relations between state variables, representing potential invariants. Second, an inexact exploration regroups and over-approximates disjoint areas of the gray state space, also to discover new relations between state variables. k-induction is used to isolate the invariants and check if they strengthen the proof objective. These heuristics can be used on the first preimage of the backward exploration, and each time a new one is output, refining the information on the gray states. In our context of critical avionics embedded systems, we show that our approach is able to outperform other academic or commercial tools on examples of interest in our application field. The method is introduced and motivated through two main examples, one of which was provided by Rockwell Collins, in a collaborative formal verification framework.Comment: In Proceedings FTSCS 2012, arXiv:1212.657

The development and application of aerodynamic uncertainties: And flight test verification for the space shuttle orbiter

The approach used in establishing the predicted aerodynamic uncertainties and the process used in applying these uncertainties during the design of the Orbiter flight control system and the entry trajectories are presented. The flight test program that was designed to verify the stability and control derivatives with a minimum of test flights is presented and a comparison of preflight predictions with preliminary flight test results is made. It is concluded that the approach used for the Orbiter is applicable to future programs where testing is limited due to time constraints or funding

Evaluating Model Testing and Model Checking for Finding Requirements Violations in Simulink Models

Matlab/Simulink is a development and simulation language that is widely used by the Cyber-Physical System (CPS) industry to model dynamical systems. There are two mainstream approaches to verify CPS Simulink models: model testing that attempts to identify failures in models by executing them for a number of sampled test inputs, and model checking that attempts to exhaustively check the correctness of models against some given formal properties. In this paper, we present an industrial Simulink model benchmark, provide a categorization of different model types in the benchmark, describe the recurring logical patterns in the model requirements, and discuss the results of applying model checking and model testing approaches to identify requirements violations in the benchmarked models. Based on the results, we discuss the strengths and weaknesses of model testing and model checking. Our results further suggest that model checking and model testing are complementary and by combining them, we can significantly enhance the capabilities of each of these approaches individually. We conclude by providing guidelines as to how the two approaches can be best applied together.Comment: 10 pages + 2 page reference

The dynamic phenomena of a tethered satellite: NASA's first Tethered Satellite Mission, TSS-1

The tethered satellite system (TSS) was envisioned as a means of extending a satellite from its base (space shuttle, space station, space platform) into a lower or higher altitude in order to more efficiently acquire data and perform science experiments. This is accomplished by attaching the satellite to a tether, deploying it, then reeling it in. When its mission is completed, the satellite can be returned to its base for reuse. If the tether contains a conductor, it can also be used as a means to generate and flow current to and from the satellite to the base. When current is flowed, the tether interacts with the Earth's magnetic field, deflecting the tether. When the current flows in one direction, the system becomes a propulsive system that can be used to boost the orbiting system. In the other direction, it is a power generating system. Pulsing the current sets up a dynamic oscillation in the tether, which can upset the satellite attitude and preclude docking. A basic problem occurs around 400-m tether length, during satellite retrieval when the satellite's pendulous (rotational) mode gets in resonance with the first lateral tether string mode. The problem's magnitude is determined by the amount of skiprope present coming into this resonance condition. This paper deals with the tethered satellite, its dynamic phenomena, and how the resulting problems were solved for the first tethered satellite mission (TSS-1). Proposals for improvements for future tethered satellite missions are included. Results from the first tethered satellite flight are summarized