A Methodology for Evaluating Artifacts Produced by a Formal Verification Process

The goal of this study is to produce a methodology for evaluating the claims and arguments employed in, and the evidence produced by formal verification activities. To illustrate the process, we conduct a full assessment of a representative case study for the Enabling Technology Development and Demonstration (ETDD) program. We assess the model checking and satisfiabilty solving techniques as applied to a suite of abstract models of fault tolerant algorithms which were selected to be deployed in Orion, namely the TTEthernet startup services specified and verified in the Symbolic Analysis Laboratory (SAL) by TTTech. To this end, we introduce the Modeling and Verification Evaluation Score (MVES), a metric that is intended to estimate the amount of trust that can be placed on the evidence that is obtained. The results of the evaluation process and the MVES can then be used by non-experts and evaluators in assessing the credibility of the verification results

Integrated Formal Analysis of Timed-Triggered Ethernet

We present new results related to the verification of the Timed-Triggered Ethernet (TTE) clock synchronization protocol. This work extends previous verification of TTE based on model checking. We identify a suboptimal design choice in a compression function used in clock synchronization, and propose an improvement. We compare the original design and the improved definition using the SAL model checker

A Time-Triggered Constraint-Based Calculus for Avionic Systems

The Integrated Modular Avionics (IMA) architec- ture and the Time-Triggered Ethernet (TTEthernet) network have emerged as the key components of a typical architecture model for recent civil aircrafts. We propose a real-time constraint-based calculus targeted at the analysis of such concepts of avionic embedded systems. We show our framework at work on the modelisation of both the (IMA) architecture and the TTEthernet network, illustrating their behavior by the well-known Flight Management System (FMS)

Impact of AS6802 Synchronization Protocol on Time-Triggered and Rate-Constrained Traffic

TTEthernet is an Ethernet-based synchronized network technology compliant with the AFDX standard. It supports safety-critical applications by defining different traffic classes: Time-Triggered (TT), Rate-Constrained (RC), and Best-Effort traffic. The synchronization is managed through the AS6802 protocol, which defines so-called Protocol Control Frames (PCFs) to synchronize the local clock of each device. In this paper, we analyze the synchronization protocol to assess the impact of the PCFs on TT and RC traffic. We propose a method to decrease the impact of PCFs on TT and a new Network Calculus model to compute RC delay bounds with the influence of both PCF and TT traffic. We finish with a performance evaluation to i) assess the impact of PCFs, ii) show the benefits of our method in terms of reducing the impact of PCFs on TT traffic and iii) prove the necessity of taking the PCF traffic into account to compute correct RC worst-case delays and provide a safe system

IST Austria Thesis

Hybrid automata combine finite automata and dynamical systems, and model the interaction of digital with physical systems. Formal analysis that can guarantee the safety of all behaviors or rigorously witness failures, while unsolvable in general, has been tackled algorithmically using, e.g., abstraction, bounded model-checking, assisted theorem proving. Nevertheless, very few methods have addressed the time-unbounded reachability analysis of hybrid automata and, for current sound and automatic tools, scalability remains critical. We develop methods for the polyhedral abstraction of hybrid automata, which construct coarse overapproximations and tightens them incrementally, in a CEGAR fashion. We use template polyhedra, i.e., polyhedra whose facets are normal to a given set of directions. While, previously, directions were given by the user, we introduce (1) the first method for computing template directions from spurious counterexamples, so as to generalize and eliminate them. The method applies naturally to convex hybrid automata, i.e., hybrid automata with (possibly non-linear) convex constraints on derivatives only, while for linear ODE requires further abstraction. Specifically, we introduce (2) the conic abstractions, which, partitioning the state space into appropriate (possibly non-uniform) cones, divide curvy trajectories into relatively straight sections, suitable for polyhedral abstractions. Finally, we introduce (3) space-time interpolation, which, combining interval arithmetic and template refinement, computes appropriate (possibly non-uniform) time partitioning and template directions along spurious trajectories, so as to eliminate them. We obtain sound and automatic methods for the reachability analysis over dense and unbounded time of convex hybrid automata and hybrid automata with linear ODE. We build prototype tools and compare—favorably—our methods against the respective state-of-the-art tools, on several benchmarks

Formal Modelling and Verification of the Clock Synchronization Algorithm of FlexRay

The hundreds of electronic control devices used in an automotive system can effectively communicate with one another, thanks to an in-vehicle network (IVN) like FlexRay. Even though every node in the network will be running on its local clock, a global notion of time is essential. The clock synchronisation algorithm accomplishes this global time between the nodes in FlexRay. In this era of self-driving cars, the vehicle’s safety is paramount. For the vehicle to operate safely and smoothly, timely communication of information is critical, and the clock synchronisation algorithm plays a vital role in this. It is essential to formally test the clock synchronisation algorithm’s correctness. This paper attempts to model and verify the clock synchronisation algorithm of FlexRay using formal methods, which in turn enhance the reliability of safety-critical automotive systems. The clock synchronisation is modelled as a network of six timed automata in the UPPAAL model checker. Three system models were developed, a model for an ideal clock, another for a drifting clock, and a third model considering propagation delay. The precision of the clocks is verified to be within the prescribed limits. Simulation studies are also conducted on the model to ensure that the clock’s drift is always within the precision

Étude et simulation du protocole TTEthernet sur un sous-système de gestion de vols et adaptation de la planification des tâches à des fins de simulation

TTEthernet est une technologie réseau déterministe qui permet d’apporter des améliorations à la qualité de services de la couche 2 d’Ethernet. Les composants implémentant ces services enrichissent les fonctionnalités d’Ethernet avec une synchronisation distribuée tolérante aux fautes, un partitionnement temporel robuste de la bande passante et une communication synchrone avec une latence fixe et une très faible gigue. Les services de TTEthernet permettent de faciliter la conception de systèmes distribués robustes, moins complexes et évolutifs capables de tolérer des défaillances multiples. La simulation constitue, de nos jours, une étape incontournable dans le processus de conception de systèmes critiques et représente un support précieux pour la validation et l’évaluation des performances. CoRE4INET est un projet regroupant l’ensemble des modèles de simulation de TTEthernet disponible actuellement. Il se base sur l’extension des modèles du framework INET d’OMNeT++. Notre objectif est d’étudier et de simuler le protocole TTEthernet sur un sous-système de gestion de vols (FMS). L’idée est d’utiliser CoRE4INET pour concevoir le modèle de simulation du système cible. Le problème est que CoRE4INET n’offre pas un outil de planification de tâches pour le réseau TTEthernet. Pour remédier à ce problème on propose une adaptation, pour des fins de simulation, d’une approche de planification de tâches basée sur la spécification formelle des contraintes réseau. L’utilisation du solveur Yices a permis la traduction de l’ensemble des spécifications formelles en un programme exécutable générant le plan de transmission souhaité. Une étude de cas nous a permis, à la fin, d’évaluer l’impact de l’agencement des instants d’envoi des trames TT sur les performances de chaque type de trafic du système

Intégration itérative des systèmes avioniques communicants en mode synchrone et asynchrone

Les systèmes avioniques modernes sont des systèmes distribués complexes et évolutifs. Ces systèmes sont conçus d’une manière itérative en intégrant à chaque itération une ou plusieurs fonctionnalités. L’ajout de nouvelles fonctionnalités impose des coûts supplémentaires de reconfiguration de telle sorte que l’ensemble du système soit conforme aux exigences temps-réel. Ces systèmes reposent également sur l’adoption d’un protocole de communication déterministe tel que le protocole AFDX. Ce dernier est utilisé dans les avions modernes tels que l’A380 de Airbus et le B787 de Boeing. Il repose sur une communication asynchrone avec limitation de la bande passante. Ce mécanisme permet d’assurer des délais finis de communication. La recherche de plus de déterminisme a poussé la communauté scientifique à chercher d’autres alternatives à AFDX. Le standard Time-triggered Ethernet constitue une bonne alternative. En plus de la communication asynchrone à bande passante limitée, il définit également une communication synchrone. Suivant le type de communication, les approches de vérification des exigences temps-réel diffèrent. Pour analyser les flux asynchrones, on utilise principalement des approches analytiques. Elles assurent un bon compromis entre performance et pessimisme. Pour les flux synchrones, on s’appuie plutôt sur le formalisme de contraintes pour synthétiser un ordonnancement faisable. La combinaison des deux flux constitue un défi en termes de vérification. De plus, les approches de vérification définies ne modélisent ni l’aspect évolutif ni la notion coût.----------ABSTRACT: Modern avionics systems are complex and evolving distributed ones. They are designed iteratively by integrating at each iteration one or more functionalities. Adding new functionality may impose additional reconfiguration costs so that the whole system complies with the realtime requirements. These systems also rely on the adoption of a deterministic communication protocol such as AFDX. The latter is used in modern aircrafts such as the Airbus A380 and the Boeing B787. It relies on asynchronous communication with bandwidth limitations. This mechanism ensures finite communication delays. The search for more determinism encourage the scientific community to look for other alternatives to AFDX. The Time-triggered Ethernet standard is a good alternative. In addition to asynchronous communication with limited bandwidth, it also defines synchronous ones. Depending on the type of communication, verification approaches of real-time requirements differ. To analyze asynchronous flows, we mainly use analytical approaches. They ensure a good compromise between performance and pessimism. For synchronous flows, we rely instead on constraint formalism to synthesize a feasible scheduling. The combination of the two flows is a challenge in terms of verification. In addition, defined verification approaches do not model neither the evolving aspect nor the cost concept