Model Checking a TTCAN Implementation

Overall conference acceptance rate 22%This paper describes how the SPIN model checker has been applied to find and correct problems in the software design of a distributed vessel control system currently under development at a control systems specialist in New Zealand. The system under development is a mission critical control system used on large marine vessels. Hence, the requirement to study the architecture and verify the implementation of the system. The model checking work reported here focused on analysing the implementation of the Time-Triggered Controller-Area-Network (TTCAN) protocol, as this is used as the backbone for communications between devices and thus is a crucial part of the control system. The starting point was to develop a set of general techniques for model checking TTCAN-like protocols. The techniques developed include modelling the progression of time efficiently in SPIN, TTCAN message transmission, TTCAN error handling, and CAN bus arbitration. These techniques form the basis of a set of models developed to check the implementation of TTCAN in the control system as well as the fault tolerance schemes added to the system. Descriptions of the models and properties developed to check the correctness of the implementation are given, and verification results are presented and discussed. This application of model checking to an industrial design problem has uncovered and corrected a number of potentially costly issues in the original design