Heber Herencia-Zapana

Reference modelling in support of M&S—foundations and applications

Whether by design or by practice, systems engineering (SE) processes are used more and more often in Modeling and Simulation (M&S). While the two disciplines are very close, there are some differences that must be taken into account in order to successfully reuse practices from one community to another. In this paper, we introduce the M&S System Development Framework (MS-SDF) that unifies SE and M&S processes. The MS-SDF comprises the SE processes of requirements capture, conceptual modelling, and verification and validation (V&V), and extends them to M&S. We use model theory as a deductive apparatus in order to develop the MS-SDF. We discuss the benefits of the MS-SDF especially in the selection between federation development and multi-model approaches and the design of composable models and simulations. Lastly, a real life application example of the framework is provided.

PVS linear algebra libraries for verification of control software algorithms in C/ACSL

The problem of ensuring control software properties hold on their actual implementation is rarely tackled. While stability proofs are widely used on models, they are never carried to the code. Using program verification techniques requires express these properties at the level of the code but also to have theorem provers that can manipulate the proof elements. We propose to address this challenge by following two phases: first we introduce a way to express stability proofs as C code annotations; second, we propose a PVS linear algebra library that is able to manipulate quadratic invariants, i.e., ellipsoids. Our framework achieves the translation of stability properties expressed on the code to the representation of an associated proof obligation (PO) in PVS. Our library allows us to discharge these POs within PVS.

Small satellite systems design methodology: A formal and agile design process

We propose to develop a model-based systems engineering process that results in high-confidence designs for small satellite systems in the pico-/nano-class, i.e. <; 50kg. This objective will be achieved through the integration of formal methods and model based systems engineering to develop an agile framework for high-confidence designs for these small systems. We propose, Reliable and Formal Design (RFD) process whose results are correct by construction, formally verified, and responsive to system requirement changes. This paper develops an intelligent framework that ties requirements, models, and simulations in a cogent manner. Furthermore, this papers provides a formulation for consistency and traceability, where the latter enforces a condition on the relationship between abstraction layers, that is, the function that refines any layer of abstraction into a successive layer must have a dual. An example of this refinement is illustrated using PVS to express the logical requirement formulation and for providing type checking proof.

Stochastic stability of nonlinear sampled data systems with a jump linear controller

This paper analyzes the stability of a sampled-data system consisting of a deterministic, nonlinear, time-invariant, continuous-time plant and a stochastic, discrete-time, jump linear controller. The jump linear controller models, for example, computer systems and communication networks that are subject to stochastic upsets or disruptions. This sampled-data model has been used in the analysis and design of fault-tolerant systems and computer-control systems with random communication delays without taking into account the inter-sample response. To analyze stability, appropriate topologies are introduced for the signal spaces of the sampled-data system. With these topologies, the ideal sampling and zero-order-hold operators are shown to be measurable maps. This paper shows that the known equivalence between the stability of a deterministic, linear sampled-data system and its associated discrete-time representation as well as between a nonlinear sampled-data system and a linearized representation holds even in a stochastic framework.

Toward a formalism of modeling and simulation using model theory

This article proposes a Modeling and Simulation (M&S) formalism using Model Theory. The article departs from the premise that M&S is the science that studies the nature of truth using models and simulations. Truth in models and simulations is relative as they seek to answer specific modeling questions. Consequently, truth in M&S is relative because every model is a purposeful abstraction of reality. We use Model Theory to express the proposed formalism because it is built from the premise that truth is relative. The proposed formalism allows us to: (1) deduce formal definitions and explanations of areas of study in M&S, including conceptual modeling, validity, and interoperability, and (2) gain insight into which tools can be used to semi-automate validation and interoperation processes.

Developing proof carrying code to formally assure termination in fault tolerant distributed controls systems

We address the semantic gap between the model and the implementation of control algorithms for distributed systems in a formal fashion: we provide an interactive (partially automated) method by which to translate the global, model level theoretical properties, such as stability and convergence, into code level assertions and invariants which assure termination of the relevant implementations and validity of the result. We outline a simple flight control system example for altitude holding, and describe a fault-tolerant distributed agreement protocol among n processor nodes, in the presence of a varying network topology. We develop a Lyapunov-like function for the distributed algorithm, and attain a polynomial time theoretical bound on the convergence time Tconv ∝ n3. We then exploit the Lyapunov function and convergence proof, in order to derive requisite ANSI-C Specification Language (ACSL) annotations for the C code distributed implementation, in order to guarantee termination. The ACSL annotations can then be used to automatically generate formal proof obligations via the Frama-C tool. These proof obligations also encompass assertions relating to timing, memory allocation, type checking and processor specific issues. The proof obligations can then be automatically discharged using a theorem prover, and their success guarantees that the behavior of the corresponding distributed code will evince the global properties proven for the model. Thus, the verification process spans efforts from the high-level control theory to the low-level implementation as a C program.

Model theoretic implications for agent languages in support of interoperability and composability

This paper evaluates the implications of model theory for agent languages. The tasks of ambassador agents are to represent simulations and identify potential contributions, select the best solutions in light of the question, compose the selected best solutions to provide the new functionality, and orchestrate their execution. Model-based data engineering can help to identify the information that needs to be exchanged between systems, existential and transformational dependencies can be identified using graph theory, and Petri nets can represent the availability of required information. All structures can be computed and fall under the realm of formal languages. Model theory is a subset of mathematics that focuses on the study of formal languages and their interpretations. Interpreting the terms model, simulation, and data of the modeling and simulation community using model theoretic terms allows the application of model theoretic insights. This allows to formally and unambiguously capture requirements for interoperability and composability.

Bilinear system interconnections and generating series of weighted Petri nets

This paper has three objectives. The first objective is to provide a simpler proof concerning a sufficient condition due to Ferfera under which bilinearity is preserved for cascade interconnections. The next objective is to provide a specific counterexample to show that this condition does not apply to the feedback connection. The final objective is to show that the well-known correspondence between rational series and formal power series recognized by weighted finite-state automata can be generalized to produce a correspondence between the generating series of cascaded and feedback connected bilinear systems and a class of weighted Petri nets.

Formalizing probabilistic safety claims

A safety claim for a system is a statement that the system, which is subject to hazardous conditions, satisfies a given set of properties. Following work by John Rushby and Bev Littlewood, this paper presents a mathematical framework that can be used to state and formally prove probabilistic safety claims. It also enables hazardous conditions, their uncertainties, and their interactions to be integrated into the safety claim. This framework provides a formal description of the probabilistic composition of an arbitrary number of hazardous conditions and their effects on system behavior. An example is given of a probabilistic safety claim for a conflict detection algorithm for aircraft in a 2D airspace. The motivation for developing this mathematical framework is that it can be used in an automated theorem prover to formally verify safety claims.

Formal verification of lateral and temporal safety buffers for state-based conflict detection

This article presents an analytical definition of lateral and temporal safety buffers to be used in state-based conflict detection algorithms. A lateral buffer is a distance to be added to the minimum lateral separation to accommodate for uncertainty in the surveillance information. A temporal buffer is a time to be added to the lookahead conflict detection time to accommodate for dropped surveillance messages due to signal attenuation. These safety buffers are defined using precise mathematical statements and the main theorems give numerical upper bounds on the probability of a missed alert. A particular case is considered where absolute bounds on the errors in position and velocity information are known. In this case, under well-defined assumptions provided in this article, safety buffers are given that guarantee mathematically that the probability of a missed alert is zero. The results are presented as theorems, which were formally proven using a mechanical theorem prover.