Formal Analysis of a Triplex Sensor Voter in an Industrial Context

Dierkes, Michael

doi:10.1007/978-3-642-24431-5_9

Cited by 5 publications

(9 citation statements)

References 4 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The Figure 7b shows the result of HullQe's inexact hull computation modulo non-empty intersection on the two-input voter. We can see that the gray regions obtained by HullQe match exactly the octagonal invariant of [7], their negation then exactly delimits the octagonal region enclosing the equalization values. The following results are obtained when analyzing BIBO(1.2) (cf Equation 1) on the triplex voter: the first pre-image of the negated proof objective contain 23 distinct polyhedra, the HullQe lemma generation algorithm creates 41 potential lemmas, out of which 32 are found to be 1-inductive and allow to strengthen the proof objective.…”

Section: Hullqe: a Technique For Property Directed Invariant Generationmentioning

confidence: 71%

“…Then, the triplication of each sensor allows to tolerate a faulty sensor. We rely on the triplex presented in [7].…”

Section: Safety Architecturementioning

confidence: 99%

“…In this paper we restrict on the BIBO property; -the triplex voter contract, presented in [7], bounds the output of the voter according to bounds on the input. It is also a BIBO property, the formalisation and verification of which is detailed in Section 5.1; -the Sat nodes correspond to the validator nodes evocated above for the replicated sensors, a typical specification would be that lb ≤ o ≤ ub where o is the output flow, lb and ub are lower and upper saturation bounds.…”

Section: Need For Formal Specificationmentioning

confidence: 99%

“…In [7], the author managed to manually identify octagonal regions enclosing the equalization values (a relational invariant over the sums of equalization values), and prove them using a k-induction tool. The k-induction technique, as it can only prove user-specified properties and not infer new properties by itself, is of no help in this situation.…”

Section: Triplex Voting Verification Challengesmentioning

confidence: 99%

“…In green, we show the octagonal invariants of [7], in gray, we show the gray states polyhedra obtained after two iterations of the pre-image computation. The Figure 7b shows the result of HullQe's inexact hull computation modulo non-empty intersection on the two-input voter.…”

Section: Hullqe: a Technique For Property Directed Invariant Generationmentioning

confidence: 99%

See 4 more Smart Citations

Formal Methods for the Analysis of Critical Control Systems Models: Combining Non-Linear and Linear Analyses

Champion¹,

Delmas²,

Dierkes³

et al. 2013

SAE Int. J. Aerosp.

Self Cite

View full text Add to dashboard Cite

Abstract. Critical control systems are often built as a combination of a control core with safety mechanisms allowing to recover from failures. For example a PID controller used with triplicated inputs and voting. Typically these systems would be designed at the model level in a synchronous language like Lustre or Simulink, and their code automatically generated from these models. We present a new analysis framework combining the analysis of open-loop stable controllers with safety constructs (redundancy, voters, ...). We introduce the basic analysis approaches: abstract interpretation synthesizing quadratic invariants and backward analysis based on quantifier elimination and convex hull computation synthesizing linear invariants. Then we apply it on a simple but representative example that no other available state-of-the-art technique is able to analyze. This contribution is another step towards early use of formal methods for critical embedded software such as the ones of the aerospace industry. Control-Command Software Focused Analyses to Address V&V and Certification NeedsThe aerospace industry is notoriously faced with highly critical issues. The safety of systems should be guaranteed even if the cost of ensuring safety is important. In development costs of the Boeing 777 [8], software accounts for a third of all costs. In this third, 70% consists in verification costs while only 30% are devoted to software development. Other aircraft manufacturers have similar figures. The software specific certification regulatory document, ie. the recently updated DO 178-C, characterizes different levels of criticality from level A -the most critical -to level E -the less critical. Depending on the identified level, verification and validation activities are more or less intensive and therefore costly. This certification document has recently been updated and it also provides a formal methods supplement, identified as RTCA DO 333. This supplement explicitly enables the use of formal methods for critical embedded software.Among the various systems of an aircraft, and their associated software, one of the most critical is the flight control system of the aircraft. Addressing the issue of verifying such specific software seems to be a pertinent goal: proposing 2 A. Champion, R. Delmas, M. Dierkes, P.L. Garoche, P. Roux new ways to validate it could both increase the trust we have in the released software and reduce the cost of V & V by providing more automatic (and exhaustive) analysis means.These reactive system can be seen as the composition of two parts. The first is the computation core itself, achieving the main objective of the software: controlling the aircraft by receiving inputs from sensors and commanding the aircraft actuators. The second part tries to handle any possible failure of sensors or of the core system. This safety architecture is mainly based on information redundancy and fusion. These two parts are usually designed using a model based approach.The approach of control system modeling as proposed by The...

show abstract

Section: Hullqe: a Technique For Property Directed Invariant Generationmentioning

confidence: 71%

“…Then, the triplication of each sensor allows to tolerate a faulty sensor. We rely on the triplex presented in [7].…”

Section: Safety Architecturementioning

confidence: 99%

Section: Need For Formal Specificationmentioning

confidence: 99%

Section: Triplex Voting Verification Challengesmentioning

confidence: 99%

Section: Hullqe: a Technique For Property Directed Invariant Generationmentioning

confidence: 99%

See 3 more Smart Citations

Formal Methods for the Analysis of Critical Control Systems Models: Combining Non-Linear and Linear Analyses

Champion¹,

Delmas²,

Dierkes³

et al. 2013

SAE Int. J. Aerosp.

Self Cite

View full text Add to dashboard Cite

show abstract

Formal Methods for the Analysis of Critical Control Systems Models: Combining Non-linear and Linear Analyses

Champion

Delmas

Dierkes³

et al. 2013

Formal Methods for Industrial Critical Systems

Self Cite

View full text Add to dashboard Cite

Critical control systems are often built as a combination of a control core with safety mechanisms allowing to recover from failures. For example a PID controller used with triplicated inputs and voting. Typically these systems would be designed at the model level in a synchronous language like Lustre or Simulink, and their code automatically generated from these models. We present a new analysis framework combining the analysis of open-loop stable controllers with safety constructs (redundancy, voters, ...). We introduce the basic analysis approaches: abstract interpretation synthesizing quadratic invariants and backward analysis based on quantifier elimination and convex hull computation synthesizing linear invariants. Then we apply it on a simple but representative example that no other available state-of-the-art technique is able to analyze. This contribution is another step towards early use of formal methods for critical embedded software such as the ones of the aerospace industry.

show abstract

Integrated formal verification of safety-critical software

Jenn

Breton³

et al. 2017

Int J Softw Tools Technol Transfer

View full text Add to dashboard Cite

OATAO is an open access repository that collects the work of Toulouse researchers and makes it freely available over the web where possible. Abstract This work presents a formal verification process based on the Systerel Smart Solver (S3) toolset for the development of safety-critical embedded software. In order to guarantee the correctness of the implementation of a set of textual requirements, the process integrates different verification techniques (inductive proof, bounded model checking, test case generation and equivalence proof) to handle different types of properties at their best capacities. It is aimed at the verification of properties at system, design, and code levels. To handle the floating-point arithmetic (FPA) in both the design and the code, an FPA library is designed and implemented in S3. This work is illustrated on an Automatic Rover Protection (ARP) system implemented on-board a robot. Focus is placed on the verification of safety and functional properties and on the equivalence proof between the design model and the generated code.

show abstract

Formal Analysis of a Triplex Sensor Voter in an Industrial Context

Cited by 5 publications

References 4 publications

Formal Methods for the Analysis of Critical Control Systems Models: Combining Non-Linear and Linear Analyses

Formal Methods for the Analysis of Critical Control Systems Models: Combining Non-Linear and Linear Analyses

Formal Methods for the Analysis of Critical Control Systems Models: Combining Non-linear and Linear Analyses

Integrated formal verification of safety-critical software

Contact Info

Product

Resources

About