Eric Engstrom

Verifying Time Partitioning in the DEOS Scheduling Kernel

This paper describes an experiment to use the Spin model checking system to support automated verification of time partitioning in the Honeywell DEOS real-time scheduling kernel. The goal of the experiment was to investigate whether model checking with minimal abstraction could be used to find a subtle implementation error that was originally discovered and fixed during the standard formal review process. The experiment involved translating a core slice of the DEOS scheduling kernel from C++ into Promela, constructing an abstract “test-driver” environment and carefully introducing several abstractions into the system to support verification. Attempted verification of several properties related to time-partitioning led to the rediscovery of the known error in the implementation. The case study indicated several limitations in existing tools to support model checking of software. The most difficult task in the original DEOS experiment was constructing an adequate environment to close the system for verification. The fidelity of the environment was of crucial importance for achieving meaningful results during model checking. In this paper, we describe the initial environment modeling effort and a follow-on experiment with using semi-automated environment generation methods. Program abstraction techniques were also critical for enabling verification of DEOS. We describe an implementation scheme for predicate abstraction, an approach based on abstract interpretation, which was developed to support DEOS verification.

Certification considerations for adaptive systems

Advanced capabilities planned for the next generation of unmanned aircraft will be based on complex new algorithms and non-traditional software elements. These aircraft will incorporate adaptive and intelligent control algorithms that will provide enhanced safety, autonomy, and high-level decision-making functions normally performed by human pilots, as well as robustness in the presence of failures and adverse flight conditions. This paper discusses the characteristics of adaptive algorithms and the challenges they present to certification for operation in the National Airspace System (NAS). We provide mitigation strategies that may make it possible to overcome these challenges.

Applications of model checking at Honeywell Laboratories

This paper provides a brief overview of five projects in which Honeywell has successfully used or developed model checking methods in the verification and synthesis of safety-critical systems.

Composable Code Generation for Model-Based Development

Many engineering and application domains, including distributed real-time and embedded (DRE) systems, are increasingly employing a graphical model-based development approach. However, the full potential of this approach has not yet been realized due to the complexity of automatically generating non-standard types of code. In this paper, we present a new framework for generating code that is referred to as composable code generation. Under this framework, code generators are not written as monolithic programs that are separate from their corresponding graphical models as has been the practice in the past. Instead, code generators are composed of modular entity-specific generation routines that are attached directly to modeling entities, their meta-data, or to collections of modeling entities. Code is built up by traversing the model, querying each entity that is encountered for a specific type of code generation routine and then executing each accessed routine. We describe this framework in detail and provide experimental results from a DRE application domain.