Formal Verification of an Avionics Sensor Voter Using SCADE

Redundancy management is widely used in mission-critical digital flight control systems. This study focuses on the use of SCADE (Safety Critical Application Development Environment) and its formal verification component, the Design Verifier, to assess the design correctness of a sensor voter algorithm used to manage three redundant sensors. The sensor voter algorithm is representative of embedded software used in many aircraft today. The algorithm, captured as a Simulink diagram, takes input from three sensors and computes an output signal and a hardware flag indicating the correctness of the output. This study is part of an overall effort to compare several model checking tools on the same problem; SCADE is used to analyze the voter’s correctness in this part of the study. Since synthesizing a correct environment for analysis of the voter’s normal and off-normal behavior is a key factor when applying formal verification tools, this paper focuses on 1) the different approaches used for modeling the voter’s environment and 2) the strengths and shortcomings of those approaches when applied to the problem under investigation.
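The following is an added illustration of the environment-modelling point above; it is example code written for this page, not the paper's Simulink/SCADE model or its voter. It models a small triplex voter as a synchronous step function, an environment that admits at most a given number of persistently faulty sensors, and an observer property checked by explicit-state reachability; the mid-value-select logic, the miscompare threshold, the persistence count, the ±1 envelope for healthy sensors and the 0..3 value range are all assumptions chosen to keep the state space finite.

```python
from itertools import product

THRESHOLD, PERSIST = 2, 2   # assumed miscompare limit and persistence count (not the paper's values)
VALUES = range(4)           # assumed small discrete sensor range so the state space stays finite
INIT = ((0, 0, 0), (False, False, False))   # (miscompare counters, isolated flags)

def voter_step(state, readings):
    """One synchronous cycle of an assumed mid-value-select voter.
    Returns (new state, voted output, validity flag)."""
    counters, isolated = state
    live = sorted(v for v, iso in zip(readings, isolated) if not iso)
    if len(live) == 3:
        output = live[1]                      # mid-value select
    elif len(live) == 2:
        output = (live[0] + live[1]) / 2      # average the two survivors
    else:
        output = live[0] if live else None
    new_counters, new_isolated = [], []
    for v, c, iso in zip(readings, counters, isolated):
        miscompare = output is not None and abs(v - output) > THRESHOLD
        c = min(c + 1, PERSIST) if miscompare else 0
        new_counters.append(c)
        new_isolated.append(iso or c >= PERSIST)
    valid = sum(not i for i in new_isolated) >= 2   # assumed: trust output while two sensors remain
    return (tuple(new_counters), tuple(new_isolated)), output, valid

def check(max_faults):
    """Environment: healthy sensors read truth +/- 1; at most `max_faults` sensors ever
    read anything else (faults are persistent). Explores every reachable (voter state,
    faulty set) pair against the observer 'valid implies |output - truth| <= 1'."""
    visited, frontier = {(INIT, frozenset())}, [(INIT, frozenset())]
    while frontier:
        state, faulty = frontier.pop()
        for truth, readings in product(VALUES, product(VALUES, repeat=3)):
            bad = frozenset(i for i, r in enumerate(readings) if abs(r - truth) > 1)
            if len(faulty | bad) > max_faults:
                continue                       # the environment rules this input out
            new_state, output, valid = voter_step(state, readings)
            if valid and abs(output - truth) > 1:
                return (truth, readings, output)   # observer violated: counterexample
            node = (new_state, faulty | bad)
            if node not in visited:
                visited.add(node)
                frontier.append(node)
    return None                                # property holds under this environment

if __name__ == "__main__":
    print("single fault:", check(1))   # None: the observer holds
    print("double fault:", check(2))   # a counterexample: this environment is too permissive
```

Tightening or loosening the environment (here, the fault budget) changes the verdict without touching the voter, which is why the abstract treats environment synthesis as the central modelling decision.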