César A. Muñoz

Formalization of Bernstein Polynomials and Applications to Global Optimization

This paper presents a formalization in higher-order logic of a practical representation of multivariate Bernstein polynomials. Using this representation, an algorithm for finding lower and upper bounds of the minimum and maximum values of a polynomial has been formalized and verified correct in the Prototype Verification System (PVS). The algorithm is used in the definition of proof strategies for formally and automatically solving polynomial global optimization problems.

Conflict Detection and Resolution for 1,2,...N Aircraft

This paper presents a mathematical framework for the formal specification of aircraft conflict detection and resolution algorithms and the verification of their properties. The framework is illustrated with original algorithms that detect conflicts with multiple aircraft and eectively solve all them via vertical speed-only maneuvers. 8 and temporary delegation of responsibility for separation. 9 This confusion could be avoided by providing rigorous definitions of the concepts and properties that are fundamental to all CD&R systems. This paper presents a mathematical framework for the formal specification and analysis of conflict de- tection and resolution algorithms and their properties. This framework applies to state-based, pairwise, geometric, and distributed conflict detection and resolution algorithms. State-based (or tactical) refers to the use of aircraft state information, e.g., position and velocity vectors, as opposed to strategic approaches that use intent information, e.g., flight plan. Pairwise refers the use of a conflict detection and resolution logic for two distinguished aircraft: the ownship and the trac aircraft. Geometric refers to the use of lin- ear projections to predict aircraft trajectories as opposed to probabilistic or performance-based trajectories. Finally, distributed refers to systems that are deployed on several aircraft detecting and solving conflicts for the ownship as opposed to centralized systems that detect and simultaneously solve conflicts for a large set of aircraft. The distributed approach that we consider in this framework requires minimal communication between the aircraft. In particular, the only information that is periodically exchanged between the aircraft is the state information, e.g., position and velocity vectors of the aircraft. Examples of algorithms and ap- proaches that are included in this framework are the self-organizational approach, 10 the modified potential algorithm, 7 the geometric optimization approach, 8 and the KB3D algorithm and its extensions. 11-14 This paper is organized as follows. Section II provides the geometric background for state-based conflict detection and resolution. The CD&R framework is presented in Section III, for conflict detection, and Section IV, for conflict resolution. These sections illustrate the use of the framework with original conflict detection and resolution algorithms for multiple aircraft. The mathematical development presented in this paper has been formally verified in the Program Verification System (PVS). 15

Formal verification of conflict detection algorithms

Abstract.Safety assessment of new air traffic management systems is a main issue for civil aviation authorities. Standard techniques such as testing and simulation have serious limitations in new systems that are significantly more autonomous than the older ones. In this paper, we present an innovative approach for establishing the correctness of conflict detection systems. Fundamental to our approach is the concept of trajectory, and how we represent a continuous physical trajectory by a continuous path in the x-y plane constrained by physical laws and operational requirements. From the model of trajectories, we extract, and formally prove, high-level properties that can serve as a framework to analyze conflict scenarios. We use the AILS (Airborne Information for Lateral Spacing) alerting algorithm as a case study of our approach.

Rewriting Modulo SMT and Open System Analysis

This paper proposes rewriting modulo SMT, a new technique that combines the power of SMT solving, rewriting modulo theories, and model checking. Rewriting modulo SMT is ideally suited to model and analyze infinite-state open systems, i.e., systems that interact with a non-deterministic environment. Such systems exhibit both internal non-determinism, which is proper to the system, and external non-determinism, which is due to the environment. In a reflective formalism, such as rewriting logic, rewriting modulo SMT can be reduced to standard rewriting. Hence, rewriting modulo SMT naturally extends rewriting-based reachability analysis techniques, which are available for closed systems, to open systems. The proposed technique is illustrated with the formal analysis of a real-time system that is beyond the scope of timed-automata methods.

DAIDALUS: Detect and Avoid Alerting Logic for Unmanned Systems

This article consists of a collection of slides from the authors conference presentation.

Verification of Numerical Programs: From Real Numbers to Floating Point Numbers

Numerical algorithms lie at the heart of many safety-critical aerospace systems. The complexity and hybrid nature of these systems often requires the use of interactive theorem provers to verify that these algorithms are logically correct. Usually, proofs involving numerical computations are conducted in the infinitely precise realm of the field of real numbers. However, numerical computations in these algorithms are often implemented using floating point numbers. The use of a finite representation of real numbers introduces uncertainties as to whether the properties verified in the theoretical setting hold in practice. This short paper describes work in progress aimed at addressing these concerns. Given a formally proven algorithm, written in the Program Verification System (PVS), the Frama-C suite of tools is used to identify sufficient conditions and verify that under such conditions the rounding errors arising in a C implementation of the algorithm do not affect its correctness. The technique is illustrated using an algorithm for detecting loss of separation among aircraft.

Rewriting modulo SMT and open system analysis

This paper proposes rewriting modulo SMT, a new technique that combines the power of SMT solving, rewriting modulo theories, and model checking. Rewriting modulo SMT is ideally suited to model and analyze infinite-state open systems, i.e., systems that interact with a non-deterministic environment. Such systems exhibit both internal non-determinism, which is proper to the system, and external non-determinism, which is due to the environment. In a reflective formalism, such as rewriting logic, rewriting modulo SMT can be reduced to standard rewriting. Hence, rewriting modulo SMT naturally extends rewriting-based reachability analysis techniques, which are available for closed systems, to open systems. The proposed technique is illustrated with the formal analysis of a real-time system that is beyond the scope of timed-automata methods.

Structural Embeddings: Mechanization with Method

The most powerful tools for analysis of formal specifications are general-purpose theorem provers and model checkers, but these tools provide scant methodological support. Conversely, those approaches that do provide a well-developed method generally have less powerful automation. It is natural, therefore, to try to combine the better-developed methods with the more powerful general-purpose tools. An obstacle is that the methods and the tools often employ very different logics. We argue that methods are separable from their logics and are largely concerned with the structure and organization of specifications. We propose a technique called structural embedding that allows the structural elements of a method to be supported by a general-purpose tool, while substituting the logic of the tool for that of the method. We have found this technique quite effective and we provide some examples of its application. We also suggest how general-purpose systems could be restructured to support this activity better.

Dependent types and explicit substitutions: a meta-theoretical development

We present a dependent-type system for a λ-calculus with explicit substitutions. In this system, meta-variables, as well as substitutions, are first-class objects. We show that the system enjoys properties like type uniqueness, subject reduction, soundness, confluence, and weak normalization.

Software Validation via Model Animation

This paper explores a new approach to validating software implementations that have been produced from formally-verified algorithms. Although visual inspection gives some confidence that the implementations faithfully reflect the formal models, it does not provide complete assurance that the software is correct. The proposed approach, which is based on animation of formal specifications, compares the outputs computed by the software implementations on a given suite of input values to the outputs computed by the formal models on the same inputs, and determines if they are equal up to a given tolerance. The approach is illustrated on a prototype air traffic management system that computes simple kinematic trajectories for aircraft. Proofs for the mathematical models of the system’s algorithms are carried out in the Prototype Verification System (PVS). The animation tool PVSio is used to evaluate the formal models on a set of randomly generated test cases. Output values computed by PVSio are compared against output values computed by the actual software. This comparison improves the assurance that the translation from formal models to code is faithful and that, for example, floating point errors do not greatly affect correctness and safety properties.