Model Checking at Scale: Automated Air Traffic Control Design Space Exploration

Many possible solutions, differing in the assumptions and implementations of the components in use, are usually in competition during early design stages. Deciding which solution to adopt requires considering several trade-offs. Model checking represents a possible way of comparing such designs, however, when the number of designs is large, building and validating so many models may be intractable. During our collaboration with NASA, we faced the challenge of considering a design space with more than 20,000 designs for the NextGen air traffic control system. To deal with this problem, we introduce a compositional, modular, parameterized approach combining model checking with contract-based design to automatically generate large numbers of models from a possible set of components and their implementations. Our approach is fully automated, enabling the generation and validation of all target designs. The 1,620 designs that were most relevant to NASA were analyzed exhaustively. To deal with the massive amount of data generated, we apply novel data-analysis techniques that enable a rich comparison of the designs, including safety aspects. Our results were validated by NASA system designers, and helped to identify novel as well as known problematic configurations

More Scalable LTL Model Checking via Discovering Design-Space Dependencies (D3)

Modern system design often requires comparing several models over a large design space. Different models arise out of a need to weigh different design choices, to check core capabilities of versions with varying features, or to analyze a future version against previous ones. Model checking can compare different models; however, applying model checking off-the-shelf may not scale due to the large size of the design space for today’s complex systems. We exploit relationships between different models of the same (or related) systems to optimize the model-checking search. Our algorithm, D3 , preprocesses the design space and checks fewer model-checking instances, e.g., using nuXmv. It automatically prunes the search space by reducing both the number of models to check, and the number of LTL properties that need to be checked for each model in order to provide the complete model-checking verdict for every individual model-property pair. We formalize heuristics that improve the performance of D3 . We demonstrate the scalability of D3 by extensive experimental evaluation, e.g., by checking 1,620 real-life models for NASA’s NextGen air traffic control system. Compared to checking each model-property pair individually, D3 is up to 9.4 × faster

Survey of Human Models for Verification of Human-Machine Systems

We survey the landscape of human operator modeling ranging from the early cognitive models developed in artificial intelligence to more recent formal task models developed for model-checking of human machine interactions. We review human performance modeling and human factors studies in the context of aviation, and models of how the pilot interacts with automation in the cockpit. The purpose of the survey is to assess the applicability of available state-of-the-art models of the human operators for the design, verification and validation of future safety-critical aviation systems that exhibit higher-level of autonomy, but still require human operators in the loop. These systems include the single-pilot aircraft and NextGen air traffic management. We discuss the gaps in existing models and propose future research to address them

Generalized Philosophy of Alerting with Applications for Parallel Approach Collision Prevention

An alerting system is automation designed to reduce the likelihood of undesirable outcomes that are due to rare failures in a human-controlled system. It accomplishes this by monitoring the system, and issuing warning messages to the human operators when thought necessary to head off a problem. On examination of existing and recently proposed logics for alerting it appears that few commonly accepted principles guide the design process. Different logics intended to address the same hazards may take disparate forms and emphasize different aspects of performance, because each reflects the intuitive priorities of a different designer. Because performance must be satisfactory to all users of an alerting system (implying a universal meaning of acceptable performance) and not just one designer, a proposed logic often undergoes significant piecemeal modification before gaining general acceptance. This report is an initial attempt to clarify the common performance goals by which an alerting system is ultimately judged. A better understanding of these goals will hopefully allow designers to reach the final logic in a quicker, more direct and repeatable manner. As a case study, this report compares three alerting logics for collision prevention during independent approaches to parallel runways, and outlines a fourth alternative incorporating elements of the first three, but satisfying stated requirements.NASA grant NAG1-218

Stochastic hybrid system : modelling and verification

Hybrid systems now form a classical computational paradigm unifying discrete and continuous system aspects. The modelling, analysis and verification of these systems are very difficult. One way to reduce the complexity of hybrid system models is to consider randomization. The need for stochastic models has actually multiple motivations. Usually, when building models complete information is not available and we have to consider stochastic versions. Moreover, non-determinism and uncertainty are inherent to complex systems. The stochastic approach can be thought of as a way of quantifying non-determinism (by assigning a probability to each possible execution branch) and managing uncertainty. This is built upon to the - now classical - approach in algorithmics that provides polynomial complexity algorithms via randomization. In this thesis we investigate the stochastic hybrid systems, focused on modelling and analysis. We propose a powerful unifying paradigm that combines analytical and formal methods. Its applications vary from air traffic control to communication networks and healthcare systems. The stochastic hybrid system paradigm has an explosive development. This is because of its very powerful expressivity and the great variety of possible applications. Each hybrid system model can be randomized in different ways, giving rise to many classes of stochastic hybrid systems. Moreover, randomization can change profoundly the mathematical properties of discrete and continuous aspects and also can influence their interaction. Beyond the profound foundational and semantics issues, there is the possibility to combine and cross-fertilize techniques from analytic mathematics (like optimization, control, adaptivity, stability, existence and uniqueness of trajectories, sensitivity analysis) and formal methods (like bisimulation, specification, reachability analysis, model checking). These constitute the major motivations of our research. We investigate new models of stochastic hybrid systems and their associated problems. The main difference from the existing approaches is that we do not follow one way (based only on continuous or discrete mathematics), but their cross-fertilization. For stochastic hybrid systems we introduce concepts that have been defined only for discrete transition systems. Then, techniques that have been used in discrete automata now come in a new analytical fashion. This is partly explained by the fact that popular verification methods (like theorem proving) can hardly work even on probabilistic extensions of discrete systems. When the continuous dimension is added, the idea to use continuous mathematics methods for verification purposes comes in a natural way. The concrete contribution of this thesis has four major milestones: 1. A new and a very general model for stochastic hybrid systems; 2. Stochastic reachability for stochastic hybrid systems is introduced together with an approximating method to compute reach set probabilities; 3. Bisimulation for stochastic hybrid systems is introduced and relationship with reachability analysis is investigated. 4. Considering the communication issue, we extend the modelling paradigm

Specification: The Biggest Bottleneck in Formal Methods and Autonomy

Advancement of AI-enhanced control in autonomous systems stands on the shoulders of formal methods, which make possible the rigorous safety analysis autonomous systems require. An aircraft cannot operate autonomously unless it has design-time reasoning to ensure correct operation of the autopilot and runtime reasoning to ensure system health management, or the ability to detect and respond to off-nominal situations. Formal methods are highly dependent on the specifications over which they reason; there is no escaping the “garbage in, garbage out” reality. Specification is difficult, unglamorous, and arguably the biggest bottleneck facing verification and validation of aerospace, and other, autonomous systems. This VSTTE invited talk and paper examines the outlook for the practice of formal specification, and highlights the on-going challenges of specification, from design-time to runtime system health management. We exemplify these challenges for specifications in Linear Temporal Logic (LTL) though the focus is not limited to that specification language. We pose challenge questions for specification that will shape both the future of formal methods, and our ability to more automatically verify and validate autonomous systems of greater variety and scale. We call for further research into LTL Genesis

Towards Real-Time, On-Board, Hardware-Supported Sensor and Software Health Management for Unmanned Aerial Systems

For unmanned aerial systems (UAS) to be successfully deployed and integrated within the national airspace, it is imperative that they possess the capability to effectively complete their missions without compromising the safety of other aircraft, as well as persons and property on the ground. This necessity creates a natural requirement for UAS that can respond to uncertain environmental conditions and emergent failures in real-time, with robustness and resilience close enough to those of manned systems. We introduce a system that meets this requirement with the design of a real-time onboard system health management (SHM) capability to continuously monitor sensors, software, and hardware components. This system can detect and diagnose failures and violations of safety or performance rules during the flight of a UAS. Our approach to SHM is three-pronged, providing: (1) real-time monitoring of sensor and software signals; (2) signal analysis, preprocessing, and advanced on-the-fly temporal and Bayesian probabilistic fault diagnosis; and (3) an unobtrusive, lightweight, read-only, low-power realization using Field Programmable Gate Arrays (FPGAs) that avoids overburdening limited computing resources or costly re-certification of flight software. We call this approach rt-R2U2, a name derived from its requirements. Our implementation provides a novel approach of combining modular building blocks, integrating responsive runtime monitoring of temporal logic system safety requirements with model-based diagnosis and Bayesian network-based probabilistic analysis. We demonstrate this approach using actual flight data from the NASA Swift UAS