Formal testing for separation assurance

Giannakopoulou, Dimitra; Bushnell, David; Schumann, Johann; Erzberger, Heinz; Heere, Karen R.

doi:10.1007/s10472-011-9224-3

Cited by 14 publications

(22 citation statements)

References 37 publications

(37 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The three AAC components that calculate resolution maneuvers have undergone verification through simulation as well as ongoing component-level verification utilizing formal methods [5,15,25]. However, there is an important verification aspect that has never been addressed: the cooperation between components.…”

Section: Related Workmentioning

confidence: 99%

Formal specification and verification of a coordination protocol for an automated air traffic control system

Zhao

Rozier

2014

Science of Computer Programming

View full text Add to dashboard Cite

Safe separation between aircraft is the primary consideration in air traffic control. To achieve the required level of assurance for this safety-critical application, the Automated Airspace Concept (AAC) proposes three levels of conflict detection and resolution. Recently, a high-level operational concept was proposed to define the cooperation between components in the AAC. However, the proposed coordination protocol has not been formally studied. We use formal verification techniques to ensure there are no potentially catastrophic design flaws remaining in the AAC design before the next stage of production. We formalize the high-level operational concept, which was previously described only in natural language, in NuSMV and perform model validation by checking against LTL/CTL specifications we derive from the system description. We write LTL specifications describing safe system operations and use model checking for system verification. We employ specification debugging to ensure correctness of both sets of formal specifications and model abstraction to reduce model checking time and enable fast, design-time checking. We analyze two counterexamples revealing unexpected emergent behaviors in the operational concept that triggered design changes by system engineers to meet safety standards. Our experience report illuminates the application of formal methods in real safety-critical system development by detailing a complete end-to-end design-time verification process including all models and specifications.

show abstract

Section: Related Workmentioning

confidence: 99%

Formal specification and verification of a coordination protocol for an automated air traffic control system

Zhao

Rozier

2014

Science of Computer Programming

View full text Add to dashboard Cite

show abstract

“…In this section, we discuss our experience with the development of techniques that ensure the creation of robust software prototypes for novel algorithms in the aerospace domain [7,16]. Our experience was obtained during a collaborative effort between the Robust Software Engineering (RSE) group and the NextGen group at the NASA Ames Research Center.…”

Section: Test-case Generationmentioning

confidence: 99%

“…More specifically, we decided to model check descriptions of the inputs of such algorithms, in order to automatically generate large numbers of test inputs. We call this approach model checking of the system as a black box, since we only require knowledge about the inputs of the system under test, and not of the system implementation itself [13,16]. Through automatic generation and execution of large numbers of test inputs, it becomes much easier to engage the domain experts in our work, since they see a more immediate benefit from the application of our techniques.…”

Section: Test-case Generationmentioning

confidence: 99%

"Fly Me to the Moon": Verification of Aerospace Systems

Giannakopoulou¹

2010

2010 8th IEEE International Conference on Software Engineering and Formal Methods

Self Cite

View full text Add to dashboard Cite

“…2) The Automated Airspace Concept: All AAC components that calculate resolution maneuvers have undergone verification through simulation as well as ongoing component-level verification utilizing formal methods [19], [12], [7], [18], [23]. The fault-tolerance of the AutoResolver algorithm given trajectory prediction errors was evaluated via simulation in [17].…”

Section: Introductionmentioning

confidence: 99%

Probabilistic model checking for comparative analysis of automated air traffic control systems

Zhao¹,

Rozier²

2014

2014 IEEE/ACM International Conference on Computer-Aided Design (ICCAD)

View full text Add to dashboard Cite

Ensuring aircraft stay safely separated is the primary consideration in air traffic control. To achieve the required level of assurance for this safety-critical application, the Automated Airspace Concept (AAC) proposes a network of components providing multiple levels of separation assurance, including conflict detection and resolution. In our previous work, we conducted a formal study of this concept including specification, validation, and verification utilizing the NuSMV and CadenceSMV model checkers to ensure there are no potentially catastrophic design flaws remaining in the AAC design before the next stage of production. In this paper, we extend that work to include probabilistic model checking of the AAC system. 1 We are motivated by the system designers requirement to compare different design options to optimize the functional allocation of the AAC components. Probabilistic model checking provides quantitative measures for evaluating different design options, helping system designers to understand the impact of parameters in the model on a given critical safety requirement. We detail our approach to modeling and probabilistically analyzing this complex system consisting of a real-time algorithm, a logic protocol, and human factors. We utilize both Discrete Time Markov Chain (DTMC) and Continuous Time Markov Chain (CTMC) models to capture the important behaviors in the AAC components. The separation assurance algorithms, which are defined over specific time ranges, are modeled using a DTMC. The emergence of conflicts in an airspace sector and the reaction times of pilots, which can be simplified as Markov processes on continuous time, are modeled as a CTMC. Utilizing these two models, we calculate the probability of an unresolved conflict as a measure of safety and compare multiple design options.

show abstract

Formal testing for separation assurance

Cited by 14 publications

References 37 publications

Formal specification and verification of a coordination protocol for an automated air traffic control system

Formal specification and verification of a coordination protocol for an automated air traffic control system

"Fly Me to the Moon": Verification of Aerospace Systems

Probabilistic model checking for comparative analysis of automated air traffic control systems

Contact Info

Product

Resources

About