The focus of traditional model checking has been on the verification problem, where counterexamples play a secondary role. In many potential uses of model checkers, however, counterexamples play a primary role. For example, in safety analysis, achieving perfect safety in the system being analysed is often impossible or too expensive. In such a case, the analyst is interested in discovering all of the situations that can lead to unsafe conditions in order to assess their likelihood. In model checking, these situations appear as counterexamples to a system safety property expressed as a temporal logic formula.

This thesis proposes an approach to model checking when counterexample generation is the primary goal. Model checking is viewed as a search for counterexamples rather than simply as ensuring that a specification is satisfied by a model. The temporal logic used is Linear Temporal Logic (LTL).

Most existing model checkers stop after the first counterexample is found. The few that can generate multiple counterexample paths typically generate too many paths that are slight variations of each other. For LTL, a counterexample path is an infinite sequence of states, and the number of counterexample paths for a model checking problem can be infinite. Typically, the analyst is interested in a finite number of classes of counterexample, with each class represented by a single counterexample path. However, the classes of interest are often specific to the problem domain. An approach explored in this thesis is to control the generation of counterexample paths by allowing the analyst to direct the search so as to rule in or rule out certain classes of counterexamples.
The counterexample paths generated are of the so-called lasso form, each consisting of a prefix part (a possibly empty finite sequence of states) and a cycle part (a non-empty finite sequence of states that is repeated forever).

The main technique proposed for controlled generation of counterexamples within a symbolic framework is called directed counterexample generation. The search for a counterexample path is directed using two kinds of constraints: a global constraint, which is a state property that must be satisfied by all states in the counterexample path, and a cycle constraint, which is a state property that must be satisfied by at least one state in the cycle part of the counterexample path. While global constraints can be easily integrated with existing techniques for counterexample path generation, cycle constraints entail a search technique different from the existing ones. As well as controlling the generation of multiple counterexample paths, the use of constraints can greatly reduce the search space when generating individual counterexample paths. The framework, together with directed counterexample generation, provides an infrastructure for exploring the counterexample space of a model checking problem.

Model checking, and thus counterexample generation, suffers from the state explosion problem. Although many...
A cut set is a collection of component failure modes that could lead to a system failure. Cut Set Analysis (CSA) is applied to critical systems to identify and rank system vulnerabilities at design time. Model checking tools have been used to automate the generation of minimal cut sets, but they are generally based on checking reachability of system failure states. This paper describes a new approach to CSA using a Linear Temporal Logic (LTL) model checker called BT Analyser that supports the generation of multiple counterexamples. The approach enables a broader class of system failures to be analysed, by generalising from failure state formulae to failure behaviours expressed in LTL. The traditional approach to CSA using model checking requires the model or the system failure property to be modified at each step, usually by hand, to eliminate already-discovered cut sets, and the model checker to be rerun. By contrast, the new approach works incrementally and fully automatically, thereby removing the tedious and error-prone manual process and significantly reducing computation time. This in turn enables larger models to be checked. Two different strategies for using BT Analyser for CSA are presented. There is generally no single best strategy for model checking: the relative efficiency of the two strategies depends on the model and property being analysed. Comparative results are given for the A320 hydraulics case study in the Behavior Tree modelling language.
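The following is an added illustration, not code from the thesis or from BT Analyser, of the two ideas above: directed generation of lasso counterexamples under a global constraint and a cycle constraint, and incremental cut set analysis that rules out each discovered cut set by strengthening the global constraint instead of editing the model. It uses an explicit-state search over a small constructed model (two pumps `p1`, `p2` and a valve `v` with persistent failures, an idle/demand phase, and an assumed failure condition), all of which are assumptions standing in for the symbolic framework and the A320 model. The property under analysis is "eventually the system stays safe forever" (LTL `F G ¬unsafe`), so a counterexample is a lasso whose cycle contains an unsafe state, which is exactly a cycle constraint.

```python
from collections import deque

# Constructed toy model (an assumption, not the A320 hydraulics model).
# A state is (mode, failed): the system alternates between an idle and a
# demand phase, and "failed" is the set of components failed so far.
# Failures are persistent, so failure sets only grow along a path.
COMPONENTS = ("p1", "p2", "v")     # two pumps and a valve (assumed names)
INITIAL = ("idle", frozenset())

def successors(state):
    """The phase flips every step; at most one more component fails per step."""
    mode, failed = state
    nxt = "demand" if mode == "idle" else "idle"
    yield (nxt, failed)
    for c in COMPONENTS:
        if c not in failed:
            yield (nxt, failed | {c})

def unsafe(state):
    """Assumed system failure: no pressure in a demand phase, i.e. both
    pumps failed or the valve stuck (monotone in the failure set)."""
    mode, failed = state
    return mode == "demand" and ("v" in failed or {"p1", "p2"} <= failed)

def find_lasso(initial, succ, global_c, cycle_c):
    """Directed search for one lasso (prefix, cycle): every state satisfies
    global_c and at least one cycle state satisfies cycle_c; None if absent.
    The global constraint is only a filter on reachability, while the cycle
    constraint needs a nested search for a cycle through a candidate state."""
    if not global_c(initial):
        return None
    parent, order, queue = {initial: None}, [], deque([initial])
    while queue:                        # outer search: constrained reachability
        s = queue.popleft()
        order.append(s)
        for t in succ(s):
            if global_c(t) and t not in parent:
                parent[t] = s
                queue.append(t)
    for x in order:                     # candidates, closest to initial first
        if not cycle_c(x):
            continue
        cycle = _cycle_through(x, succ, global_c)
        if cycle is not None:
            prefix, s = [], parent[x]
            while s is not None:
                prefix.append(s)
                s = parent[s]
            return prefix[::-1], cycle
    return None

def _cycle_through(x, succ, global_c):
    """Inner search: path x -> ... -> x using only states allowed by global_c.
    Returns [x, ..., last state before returning to x]."""
    back, queue = {}, deque([x])
    while queue:
        s = queue.popleft()
        for t in succ(s):
            if not global_c(t):
                continue
            if t == x:
                cycle = [s]
                while s != x:
                    s = back[s]
                    cycle.append(s)
                return cycle[::-1]
            if t not in back:
                back[t] = s
                queue.append(t)
    return None

def is_lasso(initial, succ, prefix, cycle):
    """Check a returned counterexample: consecutive states are linked by
    transitions and the cycle closes on itself."""
    path = prefix + cycle
    if not cycle or path[0] != initial:
        return False
    return (all(b in set(succ(a)) for a, b in zip(path, path[1:]))
            and cycle[0] in set(succ(cycle[-1])))

def cut_sets(initial, succ, unsafe, failed, global_c=lambda s: True):
    """Incremental CSA: each counterexample yields a cut set (failures
    accumulated along the lasso), which is then ruled out by adding the
    state property 'not (S subset of failed)' to the global constraint.
    Supersets are excluded too, so the loop ends on a finite failure space."""
    found = []
    while True:
        def g(s, ex=tuple(found)):
            return global_c(s) and not any(S <= failed(s) for S in ex)
        ce = find_lasso(initial, succ, g, unsafe)
        if ce is None:
            return found
        prefix, cycle = ce
        found.append(frozenset().union(*(failed(s) for s in prefix + cycle)))

def minimal(sets):
    """Drop any cut set that strictly contains another one."""
    return [S for S in sets if not any(T < S for T in sets)]

if __name__ == "__main__":
    for S in minimal(cut_sets(INITIAL, successors, unsafe, lambda s: s[1])):
        print(sorted(S))
```

Passing an analyst-supplied `global_c` (for example `lambda s: "p2" not in s[1]`) rules out the whole class of counterexamples in which pump 2 fails, and the exclusion of discovered cut sets is just a further conjunct of the same state property. Note that the cycle constraint cannot be expressed as a global constraint: forbidding unsafe states everywhere finds nothing, while requiring one in the cycle is what distinguishes "unsafe infinitely often" from a path that merely visits an unsafe state.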