Verifying the Safety of a Flight-Critical System

Brat, Guillaume; Bushnell, David; Davies, Misty; Giannakopoulou, Dimitra; Howar, Falk; Kahsai, Temesghen

doi:10.1007/978-3-319-19249-9_20

Cited by 26 publications

(23 citation statements)

References 25 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…As such, written requirements or specifications for the autopilot and controls software have not been developed. For our case study, we concentrated on 5 properties derived from [8]. Out of the 5 properties, PKind were able to prove only one property directly.…”

Section: Tcm Longitudinal Controlsmentioning

confidence: 99%

“…We use the bounded model checking (BMC) engine of PKind to find test cases that satisfy the MC/DC coverage criterion. Bounded model checking may not be able to find a test case for some condition within an acceptable time limit 8 . In such cases, we conclude that the generated test suite does not reach the MC/DC coverage.…”

Section: Dynamic Analysis Via E-acsl Annotationmentioning

confidence: 99%

See 1 more Smart Citation

Compilation of synchronous observers as code contracts

Dieumegard¹,

Garoche²,

Kahsai

et al. 2015

Proceedings of the 30th Annual ACM Symposium on Applied Computing

Self Cite

View full text Add to dashboard Cite

Synchronous languages have long been the standard formalism for modeling and implementing embedded control software in critical domains like avionics, automotive or railway system development. Those languages are equipped with qualified compilers that generate the target final embedded code. An extensively used technique to define the expected behavior is the use of synchronous observers. Those observers are typically used for simulation and testing purposes. However, the information contained in those observers is lost during the compilation process. This makes the verification of expected behavior at code level difficult, since it requires the re-specification of the observer. In this paper, we propose an integrated process in which functional properties expressed at the model level through synchronous observers are compiled as code-level contracts. We also show how these specifications, both at model level and code level could be analyzed via SMT-based model checking, static analysis and runtime verification. We have implemented these techniques in a tool chain targeting embedded systems modeled in Simulink.

show abstract

Section: Tcm Longitudinal Controlsmentioning

confidence: 99%

Section: Dynamic Analysis Via E-acsl Annotationmentioning

confidence: 99%

Compilation of synchronous observers as code contracts

Dieumegard¹,

Garoche²,

Kahsai

et al. 2015

Proceedings of the 30th Annual ACM Symposium on Applied Computing

Self Cite

View full text Add to dashboard Cite

show abstract

“…TCM. We have generated 2 safe benchmarks from the Simulink models (taken from the case study [6]) by first generating the C code using the Embedded Coder 7 and then encoding the program into a symbolic transition system. Results.…”

Section: From Satisfiability To Verificationmentioning

confidence: 99%

Invariant Checking of NRA Transition Systems via Incremental Reduction to LRA with EUF

Cimatti

Griggio

Irfan

et al. 2017

Tools and Algorithms for the Construction and Analysis of Systems

View full text Add to dashboard Cite

Model checking invariant properties of designs, represented as transition systems, with non-linear real arithmetic (NRA), is an important though very hard problem. On the one hand NRA is a hard-to-solve theory; on the other hand most of the powerful model checking techniques lack support for NRA. In this paper, we present a counterexample-guided abstraction refinement (CEGAR) approach that leverages linearization techniques from differential calculus to enable the use of mature and efficient model checking algorithms for transition systems on linear real arithmetic (LRA) with uninterpreted functions (EUF). The results of an empirical evaluation confirm the validity and potential of this approach.This work was performed as part of the H2020-and to proceed incrementally. These extra functions are usually not available, or they have a very high computational cost.In this paper, we propose a completely different approach to tackle invariant checking for NRA transition systems. Basically, we work with an abstract version of the transition system, expressed over LRA with EUF, for which we have effective verification tools [9]. In the abstract space, nonlinear multiplication is modeled as an uninterpreted function. When spurious counter-examples are found, the abstraction is tightened by the incremental introduction of linear constraints, including tangent planes resulting from differential calculus, and monotonicity constraints.We implemented the approach on top of the NUXMV model checker [7], leveraging the IC3 engine with Implicit Abstraction [9] for invariant checking of transition systems over LRA with EUF. We compared it, on a wide set of benchmarks, against multiple approaches working at NRA level, including BMC and k-induction using SMT(NRA), the recent interpolation-based ISAT3 engine [24], and the static abstraction approach proposed in [8]. The results demonstrate substantial superiority of our approach, that is able to solve the highest number of benchmarks.The effectiveness of our approach is possibly explained with the following insights. On the one hand, in contrast to LRA, NRA is a hard-to-solve theory: in practice, most available complete solvers rely on CAD techniques [12], which require double exponential time in worst case. Thus, we try to avoid NRA reasoning, trading it for LRA and EUF reasoning. On the other hand, proving properties of practical NRA transition systems may not require the full power of non-linear solving. In fact, some systems are "mostly-linear" (i.e. non-linear constraints are associated to a very small part of the system), an example being the Transport Class Model (TCM) for aircraft simulation from the Simulink model library [19]. Furthermore, even NRA transition systems with significant non-linear dynamics may admit a piecewise-linear invariant of the transition system that is strong enough to prove the property.Structure. In Sec. 2 we discuss the related work, and in Sec. 3 introduce some background. In Sec. 4 we discuss the approach in the setting of SMT(NRA). In Sec. 5 we pr...

show abstract

“…It addresses the automatic expression and computation of robustness properties for SISO (single-input single-output) systems over the code artifact. This class of systems is well studied and is representative enough of the realistic-size systems we are targeting, such as the NASA Transport Class Model [5], the ROSACE usecase [17], or industry-level Full Authority Digital Engine Control (FADEC).…”

Section: Robustnessmentioning

confidence: 99%

Formal Analysis of Robustness at Model and Code Level

Wang

Garoche

Roux

et al. 2016

Proceedings of the 19th International Conference on Hybrid Systems: Computation and Control

View full text Add to dashboard Cite

Robustness analyses play a major role in the synthesis and analysis of controllers. For control systems, robustness is a measure of the maximum tolerable model inaccuracies or perturbations that do not destabilize the system. Analyzing the robustness of a closed-loop system can be performed with multiple approaches: gain and phase margin computation for single-input single-output (SISO) linear systems, mu analysis, IQC computations, etc. However, none of these techniques consider the actual code in their analyses.The approach presented here relies on an invariant computation on the discrete system dynamics. Using semi-definite programming (SDP) solvers, a Lyapunov-based function is synthesized that captures the vector margins of the closedloop linear system considered. This numerical invariant expressed over the state variables of the system is compatible with code analysis and enables its validation on the code artifact.This automatic analysis extends verification techniques focused on controller implementation, addressing validation of robustness at model and code level. It has been implemented in a tool analyzing discrete SISO systems and generating over-approximations of phase and gain margins. The analysis will be integrated in our toolchain for Simulink and Lustre models autocoding and formal analysis.

show abstract

Verifying the Safety of a Flight-Critical System

Cited by 26 publications

References 25 publications

Compilation of synchronous observers as code contracts

Compilation of synchronous observers as code contracts

Invariant Checking of NRA Transition Systems via Incremental Reduction to LRA with EUF

Formal Analysis of Robustness at Model and Code Level

Contact Info

Product

Resources

About