An Overview of Formal Verification for the Time-Triggered Architecture

We describe formal verification of some of the key algorithms in the Time-Triggered Architecture (TTA) for real-time safety-critical control applications. Some of these algorithms pose formidable challenges to current techniques and have been formally verified only in simplified form or under restricted fault assumptions. We describe what has been done and what remains to be done and indicate some directions that seem promising for the remaining cases and for increasing the automation that can be applied. We also describe the larger challenges posed by formal verification of the interaction of the constituent algorithms and of their emergent properties.
