Formal verification for time-triggered clock synchronization

Distributed dependable real-time systems crucially depend on fault-tolerant clock synchronization. The paper reports on the formal analysis of the clock synchronization service provided as an integral feature by the Time-Triggered Protocol (TTP), a communication protocol particularly suitable for safety-critical control applications, such as automotive "by-wire" systems. We describe the formal model extracted from the TTP specification and its formal verification using the PVS system. Verification of the central clock synchronization properties is achieved by linking the TTP model of the synchronization algorithm to a generic derivation of the properties from abstract assumptions, essentially establishing the TTP algorithm as a concrete instance of the generic one by verifying that it satisfies the abstract assumptions. We also show how the TTP algorithm provides the clock synchronization that is required by a previously proposed general framework for verifying time-triggered algorithms.