Abstract
Digital systems in an out-of-nominal environment (e.g., one causing hardware bit flips) may not be expected to function correctly in all respects but may be required to fail safely. We present an approach for understanding and verifying a system’s out-of-nominal behavior as an abstraction of nominal behavior that preserves designated critical safety requirements. Because abstraction and refinement are already widely used for improved tractability in formal design and proof techniques, this additional way of viewing an abstraction can potentially verify a system’s out-of-nominal safety with little additional work. We illustrate the approach with a simple model of a turnstile controller with possible logic faults (formalized in the temporal logic of actions and NuSMV), noting how design choices can be guided by the desired out-of-nominal abstraction. Principles of robustness in complex systems (specifically, Boolean networks) are found to be compatible with the formal abstraction approach. This work indicates a direction for broader use of formal methods in safety-critical systems.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Abrial, J.R.: Modeling in Event-B: System and Software Engineering, 1st edn. Cambridge University Press, Cambridge (2010)
Cimatti, A., Clarke, E., Giunchiglia, E., Giunchiglia, F., Pistore, M., Roveri, M., Sebastiani, R., Tacchella, A.: NuSMV 2: an opensource tool for symbolic model checking. In: Brinksma, E., Larsen, K.G. (eds.) CAV 2002. LNCS, vol. 2404, pp. 359–364. Springer, Heidelberg (2002)
Clarke, E., Grumberg, O., Jha, S., Lu, Y., Veith, H.: Counterexample-guided abstraction refinement for symbolic model checking. J. ACM 50, 752–794 (2003)
Fey, G.: Assessing system vulnerability using formal verification techniques. In: Kotásek, Z., Bouda, J., Černá, I., Sekanina, L., Vojnar, T., Antoš, D. (eds.) MEMICS 2011. LNCS, vol. 7119, pp. 47–56. Springer, Heidelberg (2012)
Güdemann, M., Ortmeier, F.: Probabilistic model-based safety analysis. In: Proceedings of the 8th Workshop on Quantitative Aspects of Programming Languages, pp. 114–128, March 2010
Jackson, M., Zave, P.: Deriving specifications from requirements: an example. In: Proceedings of the 17th International Conference on Software Engineering, pp. 15–24 (1995)
Joshi, A., Heimdahl, M.P.E., Miller, S.P., Whalen, M.W.: Model-based safety analysis. NASA Contractor Report CR-2006-213953, February 2006
Joshi, A., Miller, S.P., Whalen, M., Heimdahl, M.P.: A proposal for model-based safety analysis. In: Proceedings of the 24th Digital Avionics Systems Conference, October 2005
Kauffman, S.A.: The Origins of Order: Self-Organization and Selection in Evolution. Oxford University Press, Oxford (1993)
Kobayashi, N., Sato, R., Unno, H.: Predicate abstraction and CEGAR for higher-order model checking. In: Proceedings of the 32nd ACM SIGPLAN Conference on Programming Language Design and Implementation, pp. 222–233, June 2011
Lamport, L.: Specifying Systems: The TLA+ Language and Tools for Hardware and Software Engineers. Addison-Wesley, Boston (2002)
Mayo, J.R., Armstrong, R.C., Hulette, G.C.: Digital system robustness via design constraints: the lesson of formal methods. In: Proceedings of the 9th Annual IEEE International Systems Conference, pp. 109–114, April 2015
Mytkowicz, T., Diwan, A., Bradley, E.: Computer systems are dynamical systems. Chaos 19, 033124 (2009)
Seshia, S.A., Li, W., Mitra, S.: Verification-guided soft error resilience. In: Proceedings of the Conference on Design, Automation and Test in Europe, pp. 1442–1447, April 2007
Vorobeychik, Y., Mayo, J.R., Armstrong, R.C., Ruthruff, J.R.: Noncooperatively optimized tolerance: decentralized strategic optimization in complex systems. Phys. Rev. Lett. 107, 108702 (2011)
Acknowledgments
Sandia National Laboratories is a multi-program laboratory managed and operated by Sandia Corporation, a wholly owned subsidiary of Lockheed Martin Corporation, for the U.S. Department of Energy’s National Nuclear Security Administration (NNSA) under contract DE-AC04-94AL85000. This work was funded by NNSA’s Advanced Simulation and Computing (ASC) Program.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Appendices
A High-Level Model for Turnstile in TLA
As discussed in Sect. 3 and Sect. 4.1, TLA+ is used to specify and verify both nominal and out-of-nominal models for the turnstile example. The nominal model is shown in Fig. 4 and the out-of-nominal model in Fig. 5. Both models have three variables \( lock \), \( coin \), and \( push \), corresponding to the variables L, C, and P described in Sect. 3. The specifications are given in the idiomatic TLA+ style: \( Init \) constrains the initial conditions, \( Next \) describes the “next step” relation, and \( Spec \) expresses the complete temporal logic specification [11].
The relation \( Next \) is defined by existential quantification over parameters c and p, representing new values of \( coin \) and \( push \) in the relation \( Step \). This somewhat contorted idiom is used because a step must completely describe the evolution of each variable. The existential expresses that \( coin \) and \( push \) may each evolve nondeterministically at each step.
The property \( TypeInvariant \) states that each variable is limited to Boolean values, while \( Safety \) expresses the set of safety properties drawn from S1 through S4 that apply to each model. In the nominal model, \( OutOfNominalSpec \) imports the out-of-nominal specification for use in proving refinement (see Sect. 4.1). The type invariant, safety, and refinement properties were checked for correctness using the TLC model checker.
TLA+ specification for the nominal turnstile.
TLA+ specification for the out-of-nominal turnstile.
B Boolean Network Model for Turnstile in NuSMV
As described in Sect. 4.2, the NuSMV model checker is used to verify the robustness of the tiered combinational logic implementing the safety-critical term \(\lnot C \wedge L\), along the lines of previous work [12]. The inputs are taken as node 0 (\(\lnot C\)) and node 1 (L), and the output is taken as node 18. The Boolean network (BN) is checked for conformance to the abstraction in the presence of any single internal bit flip in one of the first \(n_{\text {max}}\) tiers, where \(n_{\text {max}} \in \{1,\dots ,20\}\). Figure 6 shows an extract from the model in the case where node 2 can be flipped and \(n_{\text {max}} = 14\). It is found that the quiescent BN is immune to any single bit flip up to \(n_{\text {max}} = 15\), whereas the chaotic BN can be corrupted by a single bit flip for any value of \(n_{\text {max}}\).
Extract from a NuSMV model that is programmatically generated so that all tiers and all nodes can be checked for susceptibility to bit flips. The linear temporal logic (LTL) property at the end expresses conformance of the out-of-nominal output to the abstraction \(\lnot C \wedge L\).
Rights and permissions
Copyright information
© 2016 Springer International Publishing Switzerland
About this paper
Cite this paper
Mayo, J.R., Armstrong, R.C., Hulette, G.C. (2016). Leveraging Abstraction to Establish Out-of-Nominal Safety Properties. In: Artho, C., Ölveczky, P. (eds) Formal Techniques for Safety-Critical Systems. FTSCS 2015. Communications in Computer and Information Science, vol 596. Springer, Cham. https://doi.org/10.1007/978-3-319-29510-7_10
Download citation
DOI: https://doi.org/10.1007/978-3-319-29510-7_10
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-29509-1
Online ISBN: 978-3-319-29510-7
eBook Packages: Computer ScienceComputer Science (R0)