Adolfo Villafiorita
University of Genoa
Publication
Featured research published by Adolfo Villafiorita.
international conference on computer safety, reliability, and security | 2003
Marco Bozzano; Adolfo Villafiorita
Safety-critical systems are becoming more complex, both in the type of functionality they provide and in the way they are demanded to interact with their environment. Such growing complexity requires an adequate increase in the capability of safety engineers to assess system safety, including analysing the behaviour of a system in degraded situations. Formal verification techniques, like symbolic model checking, have the potential of dealing with such complexity and are more often being used during system design. In this paper we present the FSAP/NuSMV-SA platform, based on the NuSMV2 model checker, which implements known and novel techniques to help safety engineers perform safety analysis. The main functionalities of FSAP/NuSMV-SA include: failure mode definition based on a library of failure modes, fault injection, automatic fault tree construction for monotonic and non-monotonic systems, and failure ordering analysis. The goal is to provide an environment that can be used both by design engineers to formally verify a system and by safety engineers to automate certain phases of safety assessment. The platform is being developed within the ESACS project (Enhanced Safety Analysis for Complex Systems), a European-Union-sponsored project in the avionics sector, whose goal is to define a methodology to improve the safety analysis practice for complex systems development.
International Journal on Software Tools for Technology Transfer | 2007
Marco Bozzano; Adolfo Villafiorita
Safety-critical systems are becoming more complex, both in the type of functionality they provide and in the way they are demanded to interact with the environment. Such a growing complexity requires an adequate increase in the capability of safety engineers to assess system safety, including analyzing the behavior of a system in degraded situations. Formal verification techniques, like symbolic model checking, have the potential of dealing with such a complexity and are now being used more often. However, existing techniques have little tool support and therefore their use for safety analysis remains limited. In this paper, we present FSAP/NuSMV-SA, a platform which aims to improve the development cycle of complex systems by providing a uniform environment that can be used both at design time and for safety assessment. The platform makes the modeling and safety assessment of complex systems easier by providing a facility for automatically augmenting a system model with failure modes, whose definitions are retrieved from a predefined library. In this way, it is possible to assess the system safety both in nominal conditions and in user-specified degraded situations, i.e., in the presence of faults. Furthermore, the platform provides a pattern-based definition of temporal logic formulas, which simplifies the definition of safety requirements. The platform consists of a graphical user interface (FSAP) and an engine (NuSMV-SA) which is based on the NuSMV model checker. The model checking engine provides a support for system simulation and standard model checking capabilities, like property verification and the generation of counterexamples. Furthermore, algorithms have been implemented to automate the generation of artifacts that are typical of reliability analysis, e.g., fault trees. The platform can derive fault trees automatically (for both monotonic and non-monotonic systems) from the definition of the system model and of the possible faults. 
The interface of the platform has been designed to improve usability for people who are not expert in formal verification. The platform has been evaluated in collaboration with an industrial partner and tested on some industrial case studies.
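The two FSAP/NuSMV-SA abstracts above describe the same pipeline: take a nominal model, inject failure modes drawn from a library, check a safety property, and derive a fault tree (the minimal combinations of faults that violate the property) automatically. The following is an added illustration, written here for this page and not code from FSAP, NuSMV-SA or the ESACS project. It uses a constructed toy model (two hazard sensors feeding a monitor, with a 1-out-of-2 or 2-out-of-2 voting policy) and three assumed failure modes; faults activate nondeterministically and are permanent, the reachable state space is explored exhaustively, and minimal cut sets are computed by checking every fault subset rather than assuming monotonicity, so non-monotonic cases would also be handled.

```python
"""Toy fault injection + minimal-cut-set extraction by exhaustive state exploration.
Added example for this page; not FSAP/NuSMV-SA code. Model and fault names are
constructed for illustration."""
from itertools import combinations, product

# Assumed failure-mode library for the toy model.
FAULTS = ("s1_stuck_low", "s2_stuck_low", "monitor_fails")


def alarm(s1, s2, monitor_ok, voting):
    """Monitor output: '1oo2' alarms if either sensor sees the hazard, '2oo2' needs both."""
    if not monitor_ok:
        return False
    return (s1 or s2) if voting == "1oo2" else (s1 and s2)


def unsafe(state, voting):
    """Safety property (negated): hazard present but no alarm raised."""
    hazard, s1f, s2f, monf = state
    s1 = hazard and not s1f  # a stuck-low sensor never reports the hazard
    s2 = hazard and not s2f
    return hazard and not alarm(s1, s2, not monf, voting)


def step(state, injected):
    """Successors of state = (hazard, s1_failed, s2_failed, monitor_failed).
    The environment (hazard) is nondeterministic; each injected fault may
    activate nondeterministically and stays active once triggered."""
    _, s1f, s2f, monf = state
    choices = []
    for name, active in zip(FAULTS, (s1f, s2f, monf)):
        if active:
            choices.append((True,))
        elif name in injected:
            choices.append((False, True))
        else:
            choices.append((False,))
    for h, a, b, c in product((False, True), *choices):
        yield (h, a, b, c)


def violates(injected, voting):
    """Reachability check: can an unsafe state be reached with these faults injectable?"""
    init = (False, False, False, False)
    seen, frontier = {init}, [init]
    while frontier:
        s = frontier.pop()
        if unsafe(s, voting):
            return True
        for t in step(s, injected):
            if t not in seen:
                seen.add(t)
                frontier.append(t)
    return False


def minimal_cut_sets(voting):
    """Fault tree as minimal cut sets: violating fault sets with no violating proper subset.
    Every subset is checked, so non-monotonic behaviour is not assumed away."""
    violating = {
        frozenset(c)
        for k in range(len(FAULTS) + 1)
        for c in combinations(FAULTS, k)
        if violates(frozenset(c), voting)
    }
    minimal = [s for s in violating if not any(v < s for v in violating)]
    return sorted(minimal, key=lambda c: (len(c), sorted(c)))


def fault_tree_text(voting):
    """Render the cut sets as an OR-of-ANDs top event, the usual fault tree reading."""
    cuts = minimal_cut_sets(voting)
    return "TOP = " + " OR ".join("(" + " AND ".join(sorted(c)) + ")" for c in cuts)


if __name__ == "__main__":
    for policy in ("1oo2", "2oo2"):
        print(policy, fault_tree_text(policy))
```

The 1oo2 design yields two cut sets, a single monitor failure or both sensors stuck low, while 2oo2 makes each sensor a single point of failure; that difference is what a safety engineer reads off an automatically generated fault tree when comparing architectures.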
formal methods | 2003
Marco Bozzano; Antonella Cavallo; Massimo Cifaldi; Laura Valacca; Adolfo Villafiorita
The complexity of embedded controllers is steadily increasing. This trend, stimulated by the continuous improvement of the computational power of hardware, demands a corresponding increase in the capability of design and safety engineers to maintain adequate safety levels. The use of formal methods during system design has proved to be effective in several practical applications. However, the development of certain classes of applications, like, for instance, avionics systems, also requires the behaviour of a system to be analysed under certain degraded situations (e.g., when some components are not working as expected). The integration of system design activities with safety assessment and the use of formal methods, although not new, are still at an early stage. These goals are addressed by the ESACS project, a European-Union-sponsored project grouping several industrial companies from the aeronautic field. The ESACS project is developing a methodology and a platform (the ESACS platform) that helps safety engineers automate certain phases of their work. This paper reports on the application of the ESACS methodology and on the use of the ESACS platform to a case study, namely, the Secondary Power System of the Eurofighter Typhoon aircraft.
international conference on computer safety reliability and security | 1999
Angelo Chiappini; Alessandro Cimatti; Carmen Porzia; G. Rotondo; Roberto Sebastiani; Paolo Traverso; Adolfo Villafiorita
In this paper we describe the on-going specification and development of Ansaldo's Radio Block Center (RBC), a component of the next-generation European Rail Traffic Management System (ERTMS). The RBC will be responsible for managing the movement of trains equipped with radio communication. Its development process is critical: the RBC is a large-scale and complex system, it must provide several novel services at different levels of functionality, it must guarantee interoperability according to European standards, and, last but not least, a high level of safety. We have addressed these issues by devising a development process based on formal specifications. ERTMS scenarios have been formalized in order to provide a better understanding of the interoperability requirements. The architecture of the RBC has been formally specified such that the system can be incrementally built as an overlay system (compatible with the existing train detection and interlocking systems) and modularly expanded to control different kinds of trains. The formal specifications of the behaviour of each RBC module have been structured hierarchically: they provide easy-to-understand documentation for customers and developers; moreover, they can be simulated and validated automatically at an early stage of the development process, thus providing a high level of confidence in their safety in a cost-effective way.
conference on automated deduction | 1996
Fausto Giunchiglia; Adolfo Villafiorita
Let $\Sigma_i = \langle \Lambda_i, \Omega_i, \Delta_i \rangle$ be a formal system, where $\Lambda_i$ is a first order language, $\Omega_i$ a set of axioms, and $\Delta_i$ a set of inference rules. An abstraction is a pair of formal systems $\Sigma_g$ and $\Sigma_a$, together with a total function $f_\Lambda : \Lambda_g \to \Lambda_a$. From now on we use the word context as a synonym of formal system. We also use the terms ground and abstract to denote (objects of) $\Sigma_g$ and $\Sigma_a$ respectively (e.g. the ground language is the language of $\Sigma_g$). Many possible forms of abstraction can be defined, which, in turn, can be used in many possible ways. Here we concentrate on a specific use of abstraction where theorems are proved according to the five step process depicted in Fig. 1. In the first step we define $f_\Lambda$. In the second step we apply $f_\Lambda$ to the elements of the ground context to obtain the abstract context. In the third step we prove the abstract goal, that is, we find a proof $\Pi_a$ of $f_\Lambda(\varphi)$, where $\varphi$ is the ground goal. In the fourth step we unabstract or map back $\Pi_a$, that is, we generate from $\Pi_a$ a tree $\Pi_1$, called outline, of schematic formulas. Schematic formulas are needed as usually $f_\Lambda$ is many-to-one; this allows us to build simpler and easier to solve abstract problems. The parameters occurring in the formulas in $\Pi_1$ represent possible choices in unabstracting abstract formulas into ground formulas. In the fifth and last step, called refinement, we transform $\Pi_1$ into a ground proof $\Pi_g$. This is achieved by building a sequence of outlines $\Pi_2, \ldots, \Pi_n$, where $\Pi_i$ (with $2 \le i \le n$) either instantiates a parameter of $\Pi_{i-1}$ or adds a proof step to $\Pi_{i-1}$; and then by checking that $\Pi_n$ actually represents a proof $\Pi_g$ of $\varphi$. The details and a complete description of the theory hinted at above can be found in [GW92a, GW92b]. ABSFOL is an interactive theorem prover with abstraction that supports almost all the forms and uses of abstraction we are aware of.
ABSFOL is built on top of GETFOL [Giu94], from which it inherits all the tools for building proofs and for multi-contextual reasoning. This last feature is essential for abstraction, as the ground and the abstract formal systems are distinct. ABSFOL does not embed any heuristics for using abstraction, nor does it constrain the user to any specific order in the execution of the five steps of Fig. 1. Interaction with ABSFOL happens via a listen-act-respond loop. The system prints a prompt, waits for the user to type a command terminated by a semicolon, executes the command, and then outputs some description of the result. In this note we will overview how
formal methods | 1999
Alessandro Cimatti; P. L. Pieraccini; Roberto Sebastiani; Paolo Traverso; Adolfo Villafiorita
Formal methods have a great potential of application as powerful specification and early debugging methods in the development of industrial systems. In certain application fields, formal methods are even becoming part of standards. However, the application of formal methods in the development of industrial products is by no means trivial. Indeed, formal methods can be costly, slow down the process of development, and require changes to the development cycle, and training. This paper describes a project developed by Ansaldo Segnalamento Ferroviario with the collaboration of IRST. Formal methods have been successfully applied to the development of an industrial communication protocol for distributed, safety-critical systems. The project used a formal language to specify the protocol, and model checking techniques to validate the model.
artificial intelligence methodology systems applications | 1998
Roberto Sebastiani; Adolfo Villafiorita
Tableau systems are very popular in AI for their simplicity and versatility. In recent papers we showed that tableau-based procedures are intrinsically inefficient, and proposed an alternative approach of building decision procedures on top of SAT decision procedure. We called this approach “SAT-based”. In extensive empirical tests on the case study of modal K, a SAT-based procedure drastically outperformed state-of-the-art tableau-based systems. In this paper we provide the theoretical foundations for developing SAT-based decision procedures for many different modal logics.
canadian conference on artificial intelligence | 1996
Fausto Giunchiglia; Roberto Sebastiani; Adolfo Villafiorita; Toby Walsh
The goal of the work described in this paper is the development of a system, called ABSFOL, which allows the user to state declaratively abstractions and to use them according to the desired control strategy. ABSFOL has been successfully tested on many examples. So far we have failed to find an interesting abstraction whose implementation requires a major programming effort.
Journal of Automated Reasoning | 1997
Alan Bundy; Fausto Giunchiglia; Adolfo Villafiorita; Toby Walsh
We demonstrate the use of abstraction in aiding the construction of an interesting and difficult example in a proof-checking system. This experiment demonstrates that abstraction can make proofs easier to comprehend and to verify mechanically. To support such proof checking, we have developed a formal theory of abstraction and added facilities for using abstraction to the GETFOL proof-checking system.
artificial intelligence methodology systems applications | 1998
Adolfo Villafiorita
Elaboration tolerance is "the ability of accepting changes to a person's or a computer program's representation of facts without starting all over" [8]. In this paper we investigate how abstraction (in the sense of [5]) helps in achieving a certain degree of elaboration tolerance. We do so by mechanizing in absfol (an interactive theorem prover with abstraction) two famous representations of the missionaries and cannibals problem and by showing how abstraction helps in finding solutions in such representations "...without starting all over."