Darren D. Cofer

Software model checking takes off

A translator framework enables the use of model checking in complex avionics systems and other industrial settings.

Compositional verification of architectural models

This paper describes a design flow and supporting tools to significantly improve the design and verification of complex cyber-physical systems. We focus on system architecture models composed from libraries of components and complexity-reducing design patterns having formally verified properties. This allows new system designs to be developed rapidly using patterns that have been shown to reduce unnecessary complexity and coupling between components. Components and patterns are annotated with formal contracts describing their guaranteed behaviors and the contextual assumptions that must be satisfied for their correct operation. We describe the compositional reasoning framework that we have developed for proving the correctness of a system design, and provide a proof of the soundness of our compositional reasoning approach. An example based on an aircraft flight control system is provided to illustrate the method and supporting analysis tools.

Integration of formal analysis into a model-based software development process

The next generation of military aerospace systems will includeadvanced control systems whose size and complexity will challenge currentverification and validation approaches. The recent adoption by the aerospaceindustry of model-based development tools such as Simulink® and SCADESuite™ is removing barriers to the use of formal methods for the verification ofcritical avionics software. Formal methods use mathematics to prove that softwaredesign models meet their requirements, and so can greatly increase confidencein the safety and correctness of software. Recent advances in formalanalysis tools have made it practical to formally verify important properties ofthese models to ensure that design defects are identified and corrected early inthe lifecycle. This paper describes how formal analysis tools can be insertedinto a model-based development process to decrease costs and increase qualityof critical avionics software.

Implementing logical synchrony in integrated modular avionics

Many avionics systems must be implemented as redundant, distributed systems in order to provide the necessary level of fault tolerance. To correctly perform their function, the individual nodes of these systems must agree on some part of the global system state. Developing protocols to achieve this agreement is greatly simplified if the nodes execute synchronously relative to each other, but many Integrated Modular Avionics architectures assume nodes will execute asynchronously. This paper presents a simple design pattern, Physically Asynchronous/Logically Synchronous (PALS), that allows developers to design and verify a distributed, redundant system as though all nodes execute synchronously. This synchronous design can then be distributed over a physically asynchronous architecture in such a way that the logical correctness of the design is preserved. Use of this complexity reducing design pattern greatly simplifies the development and verification of fault tolerant distributed applications, ensures optimal system performance, and provides a standard argument for system certification.

Pattern-Based Composition and Analysis of Virtually Synchronized Real-Time Distributed Systems

Designing and verifying distributed protocols in a multi-rate asynchronous system is, in general, extremely difficult when the distributed computations require consistent input views, consistent actions and synchronized state transitions. In this paper, we address this problem and introduce a formal, complexity-reducing architectural pattern, called Multi-Rate PALS system, to support virtual synchronization in multi-rate distributed computations. The pattern supports a component to be virtually synchronized with other components in different instantiations of this pattern. We present an application of a hierarchical control system to show that the composition of these instantiations can be used to achieve desired system-level properties, such as distributed consistency and distributed coordination. We verify the logical synchronization guarantee of this pattern, which holds as long as the pattern assumptions are satisfied. We also discuss the correctness analysis necessary to validate these assumptions and provide a tool support to perform this analysis automatically on the AADL models.

Requirements Analysis of a Quad-Redundant Flight Control System

In this paper we detail our effort to formalize and prove requirements for the Quad-redundant Flight Control System (QFCS) within NASA’s Transport Class Model (TCM). We use a compositional approach with assume-guarantee contracts that correspond to the requirements for software components embedded in an AADL system architecture model. This approach is designed to exploit the verification effort and artifacts that are already part of typical software verification processes in the avionics domain. Our approach is supported by an AADL annex that allows specification of contracts along with a tool, called AGREE, for performing compositional verification. The goal of this paper is to show the benefits of a compositional verification approach applied to a realistic avionics system and to demonstrate the effectiveness of the AGREE tool in performing this analysis.

Model checking: cleared for take off

The increasing popularity of model-based development tools and the growing power of model checkers are making it practical to use formal methods for verification of avionics software. This paper describes a translator framework that enables model checking tools to be easily integrated into a model-based development environment to increase assurance, reduce cost, and satisfy certification objectives. In particular, we describe how formal methods can be used to satisfy certification objectives of DO-178C/ED-12C, the soon-to-be-published guidance document for software aspects of certification for commercial aircraft.

Certification considerations for adaptive systems

Advanced capabilities planned for the next generation of unmanned aircraft will be based on complex new algorithms and non-traditional software elements. These aircraft will incorporate adaptive and intelligent control algorithms that will provide enhanced safety, autonomy, and high-level decision-making functions normally performed by human pilots, as well as robustness in the presence of failures and adverse flight conditions. This paper discusses the characteristics of adaptive algorithms and the challenges they present to certification for operation in the National Airspace System (NAS). We provide mitigation strategies that may make it possible to overcome these challenges.

Resolute: an assurance case language for architecture models

Arguments about the safety, security, and correctness of a complex system are often made in the form of an assurance case. An assurance case is a structured argument, often represented with a graphical interface, that presents and supports claims about a systems behavior. The argument may combine different kinds of evidence to justify its top level claim. While assurance cases deliver some level of guarantee of a systems correctness, they lack the rigor that proofs from formal methods typically provide. Furthermore, changes in the structure of a model during development may result in inconsistencies between a design and its assurance case. Our solution is a framework for automatically generating assurance cases based on 1) a system model specified in an architectural design language, 2) a set of logical rules expressed in a domain specific language that we have developed, and 3) the results of other formal analyses that have been run on the model. We argue that the rigor of these automatically generated assurance cases exceeds those of traditional assurance case arguments because of their more formal logical foundation and direct connection to the architectural model.

Towards Realizability Checking of Contracts Using Theories

Virtual integration techniques focus on building architectural models of systems that can be analyzed early in the design cycle to try to lower cost, reduce risk, and improve quality of complex embedded systems. Given appropriate architectural descriptions and compositional reasoning rules, these techniques can be used to prove important safety properties about the architecture prior to system construction. Such proofs build from “leaf-level” assume/guarantee component contracts through architectural layers towards top-level safety properties. The proofs are built upon the premise that each leaf-level component contract is realizable; i.e., it is possible to construct a component such that for any input allowed by the contract assumptions, there is some output value that the component can produce that satisfies the contract guarantees. Without engineering support it is all too easy to write leaf-level components that can’t be realized. Realizability checking for propositional contracts has been well-studied for many years, both for component synthesis and checking correctness of temporal logic requirements. However, checking realizability for contracts involving infinite theories is still an open problem. In this paper, we describe a new approach for checking realizability of contracts involving theories and demonstrate its usefulness on several examples.