Conference Paper

Formal Analysis of a Triplex Sensor Voter in an Industrial Context

Authors:
To read the full-text of this research, you can request a copy directly from the author.

Abstract

For several years, Rockwell Collins has been developing and using a verification framework for MATLAB Simulink © and SCADE SuiteTMmodels that can generate input for different proof engines. Recently, we have used this framework to analyze aerospace domain models containing arithmetic computations. In particular, we investigated the properties of a triplex sensor voter, which is a redundancy management unit implemented using linear arithmetic operations as well as conditional expressions (such as saturation). The objective of this analysis was to analyze functional and non-functional properties, but also to parameterize certain parts of the model based on the analysis results of other parts. In this article, we focus on results about the reachable state space of the voter, which prove the bounded-input bounded-output stability of the system, and the absence of arithmetic overflows. We also consider implementations using floating point arithmetic.

No full-text available

Request Full-text Paper PDF

To read the full-text of this research,
you can request a copy directly from the author.

... Figure 7 depicts the corresponding square. On Figure 7a we can see the first preimage calculated by our backward reachability analysis as black triangles, and the strengthening lemmas found by hand in [14] transposed to the two input system as a gray octagon. Calculating ECH on this first preimage does not allow to conclude the proof of the PO. ...
... The only goal here is to generate potential invariants for the PO, and Figure 7 shows that the ICH yields exactly the dual, in the [−0.4, 0.4] 2 square, of the octagon invariant found by hand in [14]. This second idea of using ICHs to perform over-approximations will be discussed in Section 8.4. ...
... The stability of the system with neither fault detection nor reset was already proven in [14], but the necessary lemmas had to be found by hand after the Scade Design Verifier, Kind as well as Astrée (which was run on C-Code generated from the Lustre source) failed at automatically verifying the BIBO property. Furthermore, once the strengthening lemma 9 has been found, a template can easily be inferred: template(min, max ) = min ≤ EqualizationA + EqualizationB + EqualizationC ≤ max (10) ...
Article
This paper addresses the issue of potential invariant generation in the formal analysis of transition systems with k-induction, in the linear real/integer arithmetic fragment. First, quantifier elimination is used to find parameters for generic templates such that the said templates become inductive. Second, a backward analysis, also using quantifier elimination, outputs preimages of the negation of the proof objective, viewed as unauthorized states, or gray states. Two heuristics are proposed to take advantage of this source of information and generate potential invariants: a thorough exploration of the possible partitionings of the gray state space, and an inexact exploration regrouping and over-approximating disjoint areas of the gray state space. Both aim at discovering hidden relations between state variables. K-induction is used to isolate actual invariants and to check if they make the proof objective inductive. These heuristics can be used on the first preimage of the backward exploration, and each time a new one is output, refining the information on the gray states. We show, on examples of interest in the application field of critical embedded systems, that our approach is able to prove properties for which other academic or commercial tools fail. The different methods are introduced as components of a collaborative formal verification framework based on k-induction and are motivated through two examples, one of which was provided by Rockwell Collins.
... Figure 4 depicts the corresponding square. On Figure 4a we can see the first preimage calculated by our backward reachability analysis as black triangles, and the strengthening lemmas found by hand in [11] transposed to the two input system as a gray octagon. Calculating ECH on this first preimage does not allow to conclude. ...
... The only goal here is to generate potential invariants for the PO, and Figure 4 shows that the ICH yields exactly the dual, in the [−0.4, 0.4] 2 square, of the octagon invariant found by hand in [11]. This second idea of using ICHs to perform overapproximations will be discussed in Section 7.4. ...
... The stability of the system without fault detection nor reset was already proven in [11], but the necessary lemmas had to be found by hand after the Scade Design Verifier, Kind as well as Astrée (which was run on C-Code generated from the Lustre source) failed at automatically verifying the BIBO property. ...
Article
Full-text available
This paper addresses the issue of lemma generation in a k-induction-based formal analysis of transition systems, in the linear real/integer arithmetic fragment. A backward analysis, powered by quantifier elimination, is used to output preimages of the negation of the proof objective, viewed as unauthorized states, or gray states. Two heuristics are proposed to take advantage of this source of information. First, a thorough exploration of the possible partitionings of the gray state space discovers new relations between state variables, representing potential invariants. Second, an inexact exploration regroups and over-approximates disjoint areas of the gray state space, also to discover new relations between state variables. k-induction is used to isolate the invariants and check if they strengthen the proof objective. These heuristics can be used on the first preimage of the backward exploration, and each time a new one is output, refining the information on the gray states. In our context of critical avionics embedded systems, we show that our approach is able to outperform other academic or commercial tools on examples of interest in our application field. The method is introduced and motivated through two main examples, one of which was provided by Rockwell Collins, in a collaborative formal verification framework.
... Other voter algorithms which use a (possibly weighted) average value are more sensitive to one of the input values being out of the normal bounds. The Simulink model of the voter is shown in figure 2. A slightly more complicated version of this voter has been analyzed in [5]. It differs from the version presented in this article by the use of saturation operators which limit the change rate of the output. ...
... The value of 0.4 can be found by trial and error, or automatically using the invariant generation approach described in [5]. In general, it turned out that the absolute value of the equalization variables is bounded by 2 * M axDev. ...
... Note that for this version of the voter, no further invariants are necessary for the stability proof. This is different in the case of the voter analyzed in [5], where additional invariants are necessary which give an upper bound for the pairwise sum resp. difference of the equalization values. ...
... The triplex sensor voter (TSV) 3 is used in a common form of redundant aircraft system triplex modular redundancy (TMR), which relies on three identical sensors to compute an output value from the three input values by the voter, as shown in Fig. 7 published in the work [19]. The TSV subtracts an equalization value from each of the three inputs. ...
... The formal analysis of TSV was first studied by Dajani-Brown et al. in the work [17], where real values were abstracted by integer values and integrators were not used. The work [19] analyzed the Simulink model with real numbers by both simulation and formal verification, and then estimated the impact of rounding errors caused by the floating-point implementation using SMT solvers and abstract interpretation. The work [11] strengthened the stability property by generating lemmas using a property-directed approach. ...
Article
Full-text available
This work presents a formal verification process based on the Systerel Smart Solver (S3) toolset for the development of safety-critical embedded software. In order to guarantee the correctness of the implementation of a set of textual requirements, the process integrates different verification techniques (inductive proof, bounded model checking, test cases generation, and equivalence proof) to handle different types of properties at their best capacities. It is aimed at the verification of properties at system, design, and code levels. To handle the floating-point arithmetic (FPA) in both the design and the code, an FPA library is designed and implemented in S3. This work is illustrated on an Automatic Rover Protection system implemented onboard a robot. Focus is placed on the verification of safety and functional properties and on the equivalence proof between the design model and the generated code.
... They cover for instance transportation means (car, aircraft, rail, space-vehicles, etc.) or medical devices (pacemaker, scanners, etc. ). The inclusion of switched or hybrid modelizations on critical systems has had many benefits like reduced energy expenses [NW05] or on-the-fly sensor error detection and prevention [Die11]. The trade-off is an increased complexity of the software and a reduced capacity to control and predict the behavior of these systems. ...
Thesis
The computation of invariant sets for dynamical systems is a crucialelement of program verification and control theory, as such setscertify the absence of unwanted behaviours. We consider in particularswitched systems, for which the computation of invariants is alreadydifficult. Recently, several approaches based on optimizationtechniques such as semi-definite programming have been appliedsuccessfully to compute piecewise quadratic invariants of switchedsystems. However, their high computational cost becomes prohibitive onlarge instances.In this thesis, we develop a new class of algorithms to computepiecewise quadratic invariants. These algorithms rely on geometrical and metricproperties of the space of positive semidefinite matrices equippedwith the Löwner order.First, we characterize minimal upper bounds in this order. We show inparticular that the set of minimal upper bounds of two matrices can beidentified to a quotient of an indefinite orthogonal group, providinga ``quantitative'' refinement of a theorem of Kadison. More generally,we characterize minimal upper bounds with respect to a cone ordering,and show that for a wide family of cones, there is a canonicalselection of a minimal upper bound, defined in terms of the generatingfunction of the cones. This extends the construction of the Löwnerellipsoid. In the case of the cone of positive semidefinite matrices,we show that this canonical selection satifies several matrixinequalities, and we estimate its Lispchitz constant with respect toconvenient invariant metrics defined on the interior of the cone(Riemannian metric, Thompson metric).Then, we apply these results to the computation of piecewise-quadraticinvariants. We formulate the latter as a non-linear fixed pointproblem over a product of spaces of positive definite matrices. Thisproblem involves an operator which may be thought of as the tropicalanalogue of the Kraus maps (quantum channels) arising in quantuminformation theory. This leads to a class of fast iterative numericalschemes, avoiding the recourse to linear matrix inequalities, which weshow to converge, under some restrictions. We implemented thisapproach, by developing the tool MEGA (``Minimal ellipsoid geometricanalyser''), and report experimental results, on switched linear andaffine systems, showing an improvement of several orders of magnitudein terms of scalability, on some instances (with e.g., approximationsof the joint spectral radius in dimension 500). We also applied thismethod to the approximation of the value function of switched linearquadratic optimal control problems.
... In [11], Dierkes analyzed the Simulink model with real numbers by both simulation and formal verification, then estimated the impact of rounding errors caused by the floating-point implementation using SMT solvers and abstract interpretation. In [6], Champion et al. strengthened the stability property by generating lemmas using a property-directed approach. ...
Conference Paper
Full-text available
Model checking has made a lot of progress since its infancy. For a long time, industrial applications were still limited to some very specific domains out of which the technique bumps into the state explosion wall. Nowadays things evolve and some tools are able to tackle real world use cases outside of the known domains. We give here the feedback collected when using model checking on several industrial strength use cases and give indication on how we take into account the specific domain constraints.
Conference Paper
Critical control systems are often built as a combination of a control core with safety mechanisms allowing to recover from failures. For example a PID controller used with triplicated inputs. Typically those systems would be designed at the model level in a synchronous language like Lustre or Simulink, and their code automatically generated from those models. In previous SAE symposium, we addressed the formal analysis of such systems - focusing on the safety parts - using a combination of formal techniques, ie. k-induction and abstract interpretation. The approach developed here extends the analysis of the system to the control core. We present a new analysis framework combining the analysis of open-loop stable controller with those safety constructs. We introduce the basic analysis approaches: abstract interpretation synthesizing quadratic invariants and backward analysis based on quantifier elimination. Then we apply it on a simple but representative example that no other available state-of-the-art technique is able to analyze. This contribution is another step towards early use of formal methods for critical embedded software such as the ones of the aerospace industry.
Article
Full-text available
This volume contains the proceedings of the First International Workshop of Formal Techniques for Safety-Critical Systems (FTSCS 2012), held in Kyoto on November 12, 2012, as a satellite event of the ICFEM conference. The aim of this workshop is to bring together researchers and engineers interested in the application of (semi-)formal methods to improve the quality of safety-critical computer systems. FTSCS is particularly interested in industrial applications of formal methods. Topics include: - the use of formal methods for safety-critical and QoS-critical systems, including avionics, automotive, and medical systems; - methods, techniques and tools to support automated analysis, certification, debugging, etc.; - analysis methods that address the limitations of formal methods in industry; - formal analysis support for modeling languages used in industry, such as AADL, Ptolemy, SysML, SCADE, Modelica, etc.; and - code generation from validated models. The workshop received 25 submissions; 21 of these were regular papers and 4 were tool/work-in-progress/position papers. Each submission was reviewed by three referees; based on the reviews and extensive discussions, the program committee selected nine regular papers, which are included in this volume. Our program also included an invited talk by Ralf Huuck.
Conference Paper
Full-text available
LUSTRE is a synchronous data-flow language for programming systems which interact with their environments in real-time. After an informal presentation of the language, we describe its semantics by means of structural inference rules. Moreover, we show how to use this semantics in order to generate efficient sequential code, namely, a finite state automaton which represents the control of the program. Formal rules for program transformation are also presented.
Article
Full-text available
A translator framework enables the use of model checking in complex avionics systems and other industrial settings.
Article
A perspective is developed on holy redundancy management techniques for flight-critical systems have matured since the earliest applications in the 1960s, driven largely by the introduction of more powerful computer resources. As this evolution occurred, the basic issues involving system architecture tradeoffs changed very little, although the hardware mechanizations of the earlier analog systems have been replaced largely with the software of the newer digital systems. These basic issues are reviewed and how they tend to be resolved in practical mechanizations is shown. The large body of literature on analytic redundancy theory developed since the 1970s is discussed in the context of its applicability to practical systems. It is shown that analytic redundancy has an important role in real-world systems but that it is not a replacement for physical redundancy, and its proper implementation requires that it be embedded within the physical redundancy structure of the system.
Conference Paper
Software model checking has recently been successful in discovering bugs in production software. Most tools have targeted heap related programming mistakes and control-heavy programs. However, real-time and embedded controllers implemented in software are susceptible to computational numeric instabilities. We target verification of numerical programs that use floating-point types, to detect loss of numerical precision incurred in such programs. Techniques based on abstract interpretation have been used in the past for such analysis. We use bounded model checking (BMC) based on Satisfiability Modulo Theory (SMT) solvers, which work on a mixed integer-real model that we generate for programs with floating points. We have implemented these techniques in our software verification platform. We report experimental results on benchmark examples to study the effectiveness of model checking on such problems, and the effect of various model simplifications on the performance of model checking.
Conference Paper
Digital flight control systems utilize redundant hardware to meet high reliability requirements. In this study we use the SMV model checker to assess the design correctness of a sensor voter algorithm used to manage three redundant sensors. The sensor voter design is captured as a Simulink diagram. The requirements verified include normal operation, transient conditions, and fault handling. The sensor voter algorithm is a realistic example of flight citical embedded software used to manage redundant air data or inertial reference sensors. We are using it to evaluate different design methods, languages, and tools currently available for formal verification. Key issues are 1) integration of formal verification into existing development processes and tools, and 2) synthesis of the correct environment (world abstraction) needed for analysis of normal and off-normal operation conditions.
Conference Paper
We present a general approach for verifying safety properties of Lus- tre programs automatically. Key aspects of the approach are the choice of an expressive rst-order logic in which Lustre's semantics is modeled very naturally, the tailoring to this logic of SAT-based k-induction and abstraction techniques, and the use of SMT solvers to reason eciently in this logic. We discuss initial experimental results showing that our imple- mentation of the approach is highly competitive with existing verication solutions for Lustre.
Analysis of a triplex sensor voter at Rockwell Collins France. Oral presentation at the TAPAS workshop without article
  • M Dierkes
Prover plug-in product description
  • Prover Technology
Lustre: A declarative language for programming synchronous systems
  • P Caspi
  • D Pilaud
  • N Halbwachs
  • J Plaice