Aaron Dutle

DAIDALUS: Detect and Avoid Alerting Logic for Unmanned Systems

This article consists of a collection of slides from the authors conference presentation.

On realizations of a joint degree matrix

The joint degree matrix of a graph gives the number of edges between vertices of degree i and degree j for every pair ( i , j ) . One can perform restricted swap operations to transform a graph into another with the same joint degree matrix. We prove that the space of all realizations of a given joint degree matrix over a fixed vertex set is connected via these restricted swap operations. This was claimed before, but there is a flaw in the proof, which we illustrate by example. We also give a simplified proof of the necessary and sufficient conditions for a matrix to be a joint degree matrix, which includes a general method for constructing realizations. Finally, we address the corresponding MCMC methods to sample uniformly from these realizations.

Software Validation via Model Animation

This paper explores a new approach to validating software implementations that have been produced from formally-verified algorithms. Although visual inspection gives some confidence that the implementations faithfully reflect the formal models, it does not provide complete assurance that the software is correct. The proposed approach, which is based on animation of formal specifications, compares the outputs computed by the software implementations on a given suite of input values to the outputs computed by the formal models on the same inputs, and determines if they are equal up to a given tolerance. The approach is illustrated on a prototype air traffic management system that computes simple kinematic trajectories for aircraft. Proofs for the mathematical models of the system’s algorithms are carried out in the Prototype Verification System (PVS). The animation tool PVSio is used to evaluate the formal models on a set of randomly generated test cases. Output values computed by PVSio are compared against output values computed by the actual software. This comparison improves the assurance that the translation from formal models to code is faithful and that, for example, floating point errors do not greatly affect correctness and safety properties.

Formally-Verified Decision Procedures for Univariate Polynomial Computation Based on Sturm's and Tarski's Theorems

Sturm’s theorem is a well-known result in real algebraic geometry that provides a function that computes the number of roots of a univariate polynomial in a semi-open interval, not counting multiplicity. A generalization of Sturm’s theorem is known as Tarski’s theorem, which provides a linear relationship between functions known as Tarski queries and cardinalities of certain sets. The linear system that results from this relationship is in fact invertible and can be used to explicitly count the number of roots of a univariate polynomial on a set defined by a system of polynomial relations. This paper presents a formalization of these results in the PVS theorem prover, including formal proofs of Sturm’s and Tarski’s theorems. These theorems are at the basis of two decision procedures, which are implemented as computable functions in PVS. The first, based on Sturm’s theorem, determines satisfiability of a single polynomial relation over an interval. The second, based on Tarski’s theorem, determines the satisfiability of a system of polynomial relations over the real line. The soundness and completeness properties of these decision procedures are formally verified in PVS. The procedures and their correctness properties enable the implementation of PVS strategies for automatically proving existential and universal statements on polynomial systems. Since the decision procedures are formally verified in PVS, the soundness of the strategies depends solely on the internal logic of PVS rather than on an external oracle.

Computing hypermatrix spectra with the Poisson product formula

We compute the spectrum of the ‘all ones’ hypermatrix using the Poisson product formula. This computation includes a complete description of the eigenvalues’ multiplicities, a seemingly elusive aspect of the spectral theory of tensors. We also give a distributional picture of the spectrum as a point-set in the complex plane. Finally, we use the technique to analyse the spectrum of ‘sunflower hypergraphs’, a class that has played a prominent role in extremal hypergraph theory.

Unmanned aircraft systems in the national airspace system: a formal methods perspective

As the technological and operational capabilities of unmanned aircraft systems (UAS) have grown, so too have international efforts to integrate UAS into civil airspace. However, one of the major concerns that must be addressed in realizing this integration is that of safety. For example, UAS lack an on-board pilot to comply with the legal requirement that pilots see and avoid other aircraft. This requirement has motivated the development of a detect and avoid (DAA) capability for UAS that provides situational awareness and maneuver guidance to UAS operators to aid them in avoiding and remaining well clear of other aircraft in the airspace. The NASA Langley Research Center Formal Methods group has played a fundamental role in the development of this capability. This article gives a selected survey of the formal methods work conducted in support of the development of a DAA concept for UAS. This work includes specification of low-level and high-level functional requirements, formal verification of algorithms, and rigorous validation of software implementations.

Greedy Galois Games

Abstract We show that two duelers with similar, lousy shooting skills (a.k.a. Galois duelers) will choose to take turns firing in accordance with the famous Thue–Morse sequence if they greedily demand their chances to fire as soon as the others a priori probability of winning exceeds their own. This contrasts with a result from the approximation theory of complex functions, which says what more patient duelers would do, if they really cared about being as fair as possible. We note a consequent interpretation of the Thue–Morse sequence in terms of certain expansions in fractional bases close to, but greater than, 1.

Automatic Estimation of Verified Floating-Point Round-Off Errors via Static Analysis

This paper introduces a static analysis technique for computing formally verified round-off error bounds of floating-point functional expressions. The technique is based on a denotational semantics that computes a symbolic estimation of floating-point round-off errors along with a proof certificate that ensures its correctness. The symbolic estimation can be evaluated on concrete inputs using rigorous enclosure methods to produce formally verified numerical error bounds. The proposed technique is implemented in the prototype research tool PRECiSA (Program Round-off Error Certifier via Static Analysis) and used in the verification of floating-point programs of interest to NASA.

A Formal Analysis of the Compact Position Reporting Algorithm

The Compact Position Reporting (CPR) algorithm is a safety-critical element of the Automatic Dependent Surveillance - Broadcast (ADS-B) protocol. This protocol enables aircraft to share their current states, i.e., position and velocity, with traffic aircraft in their vicinity. CPR consists of a collection of functions that encode and decode aircraft position data (latitude and longitude). Incorrect position decoding from CPR has been reported to the American and European organizations responsible for the ADS-B standard. This paper presents a formal analysis of the CPR algorithm in the Prototype Verification System (PVS). This formal analysis shows that the published requirements for correct decoding are insufficient, even if computations are assumed to be performed using exact real arithmetic. As a result of this analysis tightened requirements are proposed. These requirements, which are being considered by the standards organizations, are formally proven to guarantee correct decoding under exact real arithmetic. In addition, this paper proposes mathematically equivalent, but computationally simpler forms to several expressions in the CPR functions in order to reduce imprecise calculation.

Coordination Logic for Repulsive Resolution Maneuvers

This paper presents an algorithm for determining the direction an aircraft should maneuver in the event of a potential conflict with another aircraft. The algorithm is implicitly coordinated, meaning that with perfectly reliable computations and information, it will in- dependently provide directional information that is guaranteed to be coordinated without any additional information exchange or direct communication. The logic is inspired by the logic of TCAS II, the airborne system designed to reduce the risk of mid-air collisions between aircraft. TCAS II provides pilots with only vertical resolution advice, while the proposed algorithm, using a similar logic, provides implicitly coordinated vertical and horizontal directional advice.