A Methodology for the Design and Verification of Globally Asynchronous/Locally Synchronous Architectures

Recent advances in model checking have made it practical to formally verify the correctness of many complex synchronous systems (i.e., systems driven by a single clock). However, many computer systems are implemented by asynchronously composing several synchronous components, where each component has its own clock and these clocks are not synchronized. Formal verification of such Globally Asynchronous/Locally Synchronous (GA/LS) architectures is a much more difficult task. In this report, we describe a methodology for developing and reasoning about such systems. This approach allows a developer to start from an ideal system specification and refine it along two axes. Along one axis, the system can be refined one component at a time towards an implementation. Along the other axis, the behavior of the system can be relaxed to produce a more cost-effective but still acceptable solution. We illustrate this process by applying it to the synchronization logic of a Dual Flight Guidance System, evolving the system from an ideal case in which the components do not fail and communicate synchronously to one in which the components can fail and communicate asynchronously. For each step, we show how the system requirements have to change if the system is to be implemented, and we prove through model checking that each implementation meets the revised system requirements.
