Sustaining Property Verification of Synchronous Dependable Protocols Over Implementation

Abstract: It is often considered that a protocol that has been verified for its dependability properties at the protocol level maintains these proven properties over its implementation. Focusing on synchronous protocols, we demonstrate that this assumption can easily be fallacious. We utilize the example of an existing formally verified diagnostic protocol as implemented onto the targeted time-triggered architecture (TTA). The cause is identified as the overlap mismatch across the computation and communication phases in… Show more

“…A convenient abstraction layer is provided by a mechanism called read/send alignment e s s a g e b r o a d c a s t e d b a s e d o n T D M A s c h e d u l e N o d e j o b e x e c u t i o n j o b 3 j o b 3 j o b 4 t i m e Figure 2. TDMA communication and internal node schedule [4,23] which enables nodes to exchange and compute messages as if there were dedicated links between every pair of nodes and the replicated jobs were executed parallel in time. This facilitates the development of applications where replicated jobs are assumed to maintain a common consistent state (e.g., diagnosis [23]).…”

“…Note that more simplistic models can be proposed by assuming services like alignment or membership. For example, it was shown that the frame-based model can be used to model general TT systems if alignment is used [4]. In this paper, on the contrary, we propose a realistic model which can also be used for the design of new algorithms that exploit the characteristics of the TT architecture.…”

“…Similarly to the type of fun (see Snippet 1), all values are ternary (0, 1 and error). The correctness of the abstraction can be shown by proving consistency, i.e., replica jobs have the same state at the end of each round 4 :…”

“…The time-triggered (TT) paradigm has emerged as a viable concept to implement safety-critical systems, with implementations such as TTA [14], FlexRay [24] or SAFEbus [10] actually deployed in the avionic and automotive fields. The use of formal methods is increasingly being advocated for the verification of general safetycritical systems (e.g., [20] previous work [4,21] that for TT systems the correctness of a high-level application does not directly imply the correctness of its implementation. Consequently, formal techniques dedicated to time-triggered systems are needed especially given their increasing deployment.…”

“…Consequently, formal techniques dedicated to time-triggered systems are needed especially given their increasing deployment. Results about successful formal analysis of TT systems do exist; however, they present specific solutions (e.g., [25,21,4]) where modeling patterns can only partially be re-used in new projects. Therefore, we propose a generalized customizable model of TT applications which is not restricted to any dedicated implementation and can be used by practitioners in the field.…”

Aiding Modular Design and Verification of Safety-Critical Time-Triggered Systems by Use of Executable Formal Specifications

“…A convenient abstraction layer is provided by a mechanism called read/send alignment e s s a g e b r o a d c a s t e d b a s e d o n T D M A s c h e d u l e N o d e j o b e x e c u t i o n j o b 3 j o b 3 j o b 4 t i m e Figure 2. TDMA communication and internal node schedule [4,23] which enables nodes to exchange and compute messages as if there were dedicated links between every pair of nodes and the replicated jobs were executed parallel in time. This facilitates the development of applications where replicated jobs are assumed to maintain a common consistent state (e.g., diagnosis [23]).…”

“…Note that more simplistic models can be proposed by assuming services like alignment or membership. For example, it was shown that the frame-based model can be used to model general TT systems if alignment is used [4]. In this paper, on the contrary, we propose a realistic model which can also be used for the design of new algorithms that exploit the characteristics of the TT architecture.…”

“…Similarly to the type of fun (see Snippet 1), all values are ternary (0, 1 and error). The correctness of the abstraction can be shown by proving consistency, i.e., replica jobs have the same state at the end of each round 4 :…”

“…The time-triggered (TT) paradigm has emerged as a viable concept to implement safety-critical systems, with implementations such as TTA [14], FlexRay [24] or SAFEbus [10] actually deployed in the avionic and automotive fields. The use of formal methods is increasingly being advocated for the verification of general safetycritical systems (e.g., [20] previous work [4,21] that for TT systems the correctness of a high-level application does not directly imply the correctness of its implementation. Consequently, formal techniques dedicated to time-triggered systems are needed especially given their increasing deployment.…”

“…Consequently, formal techniques dedicated to time-triggered systems are needed especially given their increasing deployment. Results about successful formal analysis of TT systems do exist; however, they present specific solutions (e.g., [25,21,4]) where modeling patterns can only partially be re-used in new projects. Therefore, we propose a generalized customizable model of TT applications which is not restricted to any dedicated implementation and can be used by practitioners in the field.…”

Aiding Modular Design and Verification of Safety-Critical Time-Triggered Systems by Use of Executable Formal Specifications

Model Checking of Consensus Algorit