Results 1 - 10 of 35
Using Symbolic Execution for Verifying Safety-Critical Systems
2001
Cited by 53 (0 self)
Safety critical systems require to be highly reliable and thus special care is taken when verifying them in order to increase the confidence in their behavior. This paper addresses the problem of formal verification of safety critical systems by providing empirical evidence of the practical applicability of symbolic execution and of its usefulness for checking safety-related properties. In this paper, symbolic execution is used for building an operational model of the software on which safety properties, expressed by means of a Path Description Language (PDL), can be assessed.
Differential-Algebraic Dynamic Logic for Differential-Algebraic Programs
Cited by 41 (28 self)
Abstract. We generalise dynamic logic to a logic for differential-algebraic programs, i.e., discrete programs augmented with first-order differential-algebraic formulas as continuous evolution constraints in addition to first-order discrete jump formulas. These programs characterise interacting discrete and continuous dynamics of hybrid systems elegantly and uniformly. For our logic, we introduce a calculus over real arithmetic with discrete induction and a new differential induction with which differential-algebraic programs can be verified by exploiting their differential constraints algebraically without having to solve them. We develop the theory of differential induction and differential refinement and analyse their deductive power. As a case study, we present parametric tangential roundabout maneuvers in air traffic control and prove collision avoidance in our calculus.
Timed I/O Automata: A Mathematical Framework for Modeling and Analyzing Real-Time Systems
In RTSS 2003: The 24th IEEE International Real-Time Systems Symposium, Cancun, Mexico
2003
Cited by 39 (8 self)
We describe the Timed Input/Output Automata (TIOA) framework, a general mathematical framework for modeling and analyzing real-time systems. It is based on timed I/O automata, which engage in both discrete transitions and continuous trajectories. The framework includes a notion of external behavior, and notions of composition and abstraction. We define safety and liveness properties for timed I/O automata, and a notion of receptiveness, and prove basic results about all of these notions. The TIOA framework is defined as a special case of the new Hybrid I/O Automata (HIOA) modeling framework for hybrid systems. Specifically, a TIOA is an HIOA with no external variables; thus, TIOAs communicate via shared discrete actions only, and do not interact continuously. This restriction is consistent with previous real-time system models, and gives rise to some simplifications in the theory (compared to HIOA). The resulting model is expressive enough to describe complex timing behavior, and to express the important ideas of previous timed automata frameworks.
Formal Verification of Curved Flight Collision Avoidance Maneuvers: A Case Study
2009
Cited by 29 (14 self)
under contracts no. 2008TJ1860, and by the Air Force (University of Vanderbilt) under contract no. 18727S3. The views and conclusions contained in this document are those of the author and should not be interpreted as representing the official policies, either expressed or implied, of any sponsoring institution or government.
Keywords: formal verification of hybrid systems, deduction, air traffic control, logic for hybrid
Aircraft collision avoidance maneuvers are important and complex applications. Curved flight exhibits nontrivial continuous behavior. In combination with the control choices during air traffic maneuvers, this yields hybrid systems with challenging interactions of discrete and continuous dynamics. As a case study illustrating the use of a new proof assistant for a logic for nonlinear hybrid systems, we analyze collision freedom of roundabout maneuvers in air traffic control, where appropriate curved flight, good timing, and compatible maneuvering are crucial for guaranteeing safe spatial separation of aircraft throughout their flight. We show that formal verification of hybrid systems can scale to curved flight maneuvers required in aircraft control applications. We introduce a fully flyable variant of the roundabout collision avoidance maneuver and verify safety properties
Hybrid I/O Automata Revisited
Proceedings Fourth International Workshop on Hybrid Systems: Computation and Control (HSCC'01)
2001
Cited by 28 (3 self)
In earlier work, we developed a mathematical hybrid I/O automaton (HIOA) modeling...
High-level modeling and analysis of the traffic alert and collision avoidance system (TCAS)
Proceedings of the IEEE
2000
Cited by 18 (5 self)
In this paper, we demonstrate a high-level approach to modeling, analyzing, and verifying complex safety-critical systems through a case study on the Traffic Alert and Collision Avoidance System (TCAS) [1–3], an avionics system that detects and resolves aircraft collision threats. Due to the complexity of the TCAS software and the hybrid nature of the closed-loop system, the traditional testing technique of exhaustive simulation does not constitute a viable verification approach. Moreover, the detailed specification of the system software employed to date as a means towards analysis and verification neither helps in intuitively understanding the behavior of the system, nor enables the analysis of the closed-loop system behavior. We advocate defining high-level hybrid system models that capture the behavior not only of the software, but also of the airplanes, sensors, pilots, etc. In particular, we show how the core components of TCAS can be captured by relatively simple Hybrid I/O Automata (HIOA) [4, 5], which are amenable to formal analysis. We then outline a methodology for establishing conditions under which TCAS guarantees sufficient separation in altitude for aircraft involved in collision threats. The contributions of this paper are the high-level models of the closed-loop TCAS system and the demonstration of the usefulness of high-level modeling, analysis, and verification techniques.
Symbolic reachability analysis of lazy linear hybrid automata
In FORMATS, ser. Lecture Notes in Computer Science, J.-F. Raskin and
2007
Cited by 14 (8 self)
Abstract. Lazy linear hybrid automata (LLHA) model the discrete time behavior of control systems containing finite-precision sensors and actuators interacting with their environment under bounded inertial delays. In this paper, we present a symbolic technique for reachability analysis of lazy linear hybrid automata. The model permits invariants and guards to be nonlinear predicates but requires flow values to be constants. Assuming finite precision, flows represented by uniform linear predicates can be reduced to those containing values from a finite set of constants. We present an abstraction hierarchy for LLHA. Our verification technique is based on bounded model checking and k-induction for reachability analysis at different levels of the abstraction hierarchy within an abstraction-refinement framework. The counterexamples obtained during BMC are used to construct refinements in each iteration. Our technique is practical and compares favorably with state-of-the-art tools, as demonstrated on examples that include the Air Traffic Alert and Collision Avoidance System (TCAS).
Safety Verification of Model Helicopter Controller using Hybrid Input/Output Automata
2003
Cited by 12 (9 self)
This paper presents an application of the Hybrid I/O Automaton modelling framework [9] to a realistic hybrid system verification problem. A supervisory pitch controller for ensuring the safety of a model helicopter system is designed and verified. The supervisor periodically observes the plant state and takes over control from the user when the latter is capable of taking the plant to an unsafe state. The design of the supervisor is limited by the actuator bandwidth, the sensor inaccuracies and the sampling rates. Safety is proved by inductively reasoning over the executions of the composed system automaton. The paper also presents a set of language constructs for specifying hybrid I/O automata.