Formal specification and verification of a coordination protocol for an automated air traffic control system

Safe separation between aircraft is the primary consideration in air traffic control. To achieve the required level of assurance for this safety-critical application, the Automated Airspace Concept (AAC) proposes three levels of conflict detection and resolution. Recently, a high-level operational concept was proposed to define the cooperation between components in the AAC. However, the proposed coordination protocol has not been formally studied. We use formal verification techniques to ensure there are no potentially catastrophic design flaws remaining in the AAC design before the next stage of production. We formalize the high-level operational concept, which was previously described only in natural language, in both NuSMV and CadenceSMV, and perform model validation by checking against temporal logic specifications in LTL and CTL that we derive from the system description. We write LTL specifications describing safe system operations and use model checking for system verification. We employ specification debugging to ensure correctness of both sets of formal specifications, and model abstraction to reduce model checking time and enable fast, design-time checking. We analyze two counterexamples revealing unexpected emergent behaviors in the operational concept that triggered design changes by system engineers to meet safety standards. Our experience report illuminates the application of formal methods in real safety-critical system development by detailing a complete end-to-end design-time verification process, including all models and specifications.
Formalize the high-level operational concept and perform model validation.
Write formal specifications and use model checking for system verification.
Employ LTL specification debugging to ensure correctness of formal specifications.
Analyze two counterexamples revealing unexpected emergent behaviors that triggered design changes by system engineers to meet safety standards.
Illuminate the application of formal methods in real safety-critical system development.
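The workflow described above (formalize the concept in NuSMV, state invariant and LTL specifications, and debug the specifications so that a passing result is not vacuous) is illustrated by the added toy model below. It is not the paper's AAC model and does not reproduce the AAC operational concept: the three resolver levels, the escalation rule, the variable names and the fairness assumption are all constructed for illustration.

```smv
-- Added example, not the paper's model. A toy abstraction of layered
-- conflict detection and resolution: a conflict engages level l1, which
-- escalates to l2 and then l3 if the engaged level fails. Level names,
-- the escalation rule and the fairness assumption are illustrative
-- assumptions, not the AAC operational concept.
MODULE main
VAR
  conflict : boolean;              -- a predicted loss of separation exists
  level    : {idle, l1, l2, l3};   -- which resolution level is engaged
  resolved : boolean;              -- the engaged level cleared the conflict
  fail     : boolean;              -- free input: engaged level fails this step

ASSIGN
  init(conflict) := FALSE;
  init(level)    := idle;
  init(resolved) := FALSE;

  -- The environment may raise a conflict at any time; it stays raised
  -- until a resolution level reports it resolved.
  next(conflict) :=
    case
      !conflict : {TRUE, FALSE};
      resolved  : FALSE;
      TRUE      : TRUE;
    esac;

  -- Engage l1 on a new conflict, escalate on failure, disengage on success.
  next(level) :=
    case
      !conflict         : idle;
      level = idle      : l1;
      resolved          : idle;
      fail & level = l1 : l2;
      fail & level = l2 : l3;
      TRUE              : level;
    esac;

  -- The engaged level succeeds in one step unless it fails.
  next(resolved) :=
    case
      (level = idle) | resolved : FALSE;
      !fail                     : TRUE;
      TRUE                      : FALSE;
    esac;

-- Environment assumption: no level fails forever. Without this line the
-- liveness property below has a lasso counterexample that sits at l3 with
-- fail = TRUE in every step, which is the kind of behaviour a trace exposes.
FAIRNESS !fail

-- Structural invariants that tie the abstraction together.
INVARSPEC resolved -> (level != idle)
INVARSPEC (level != idle) -> conflict

-- Safety: escalation never skips a level.
LTLSPEC G !((level = l1) & X (level = l3))

-- Liveness: every conflict is eventually resolved (under the fairness assumption).
LTLSPEC G (conflict -> F resolved)

-- Specification debugging: these witness properties are expected to be FALSE.
-- If the first held, the liveness property above would be true vacuously
-- (no conflict ever occurs); if the second held, level l3 would be dead code.
LTLSPEC G !conflict
LTLSPEC G (level != l3)
```

Run it with `NuSMV model.smv`; NuSMV reports each INVARSPEC and LTLSPEC as true or false and prints a counterexample trace for every false one. The two witness properties at the end are the specification-debugging step: they must come out false, because if the antecedent of `G (conflict -> F resolved)` is never reachable the liveness check passes without proving anything about resolution. Deleting the `FAIRNESS` line turns the liveness result from true to false and yields the stuck-at-l3 loop, which is how an unstated environment assumption surfaces as an emergent behaviour in a counterexample.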
