Hybrid Theorem Proving of Aerospace Systems: Applications and Challenges
Abstract
Complex software systems are becoming increasingly prevalent in aerospace applications: in particular, to accomplish critical tasks. Ensuring the safety of these systems is crucial, as they can have subtly different behaviors under slight variations in operating conditions. This paper advocates the use of formal verification techniques and in particular theorem proving for hybrid software-intensive systems as a well-founded complementary approach to the classical aerospace verification and validation techniques, such as testing or simulation. As an illustration of these techniques, a novel lateral midair collision-avoidance maneuver is studied in an ideal setting, without accounting for the uncertainties of the physical reality. The challenges that naturally arise when applying such technology to industrial-scale applications is then detailed, and proposals are given on how to address these issues.
References
[1] , “AUVSI: RQ-7 Likely Not to Blame for C-130 Collision,” Flight Daily News, Aug. 2011.
[2] , “Review of the BFU Überlingen Accident Report,” Dept. of Computing Science, Univ. of Glasgow, Glasgow, Scotland, 2004, www.dcs.gla.ac.uk/~johnson/Eurocontrol/Ueberlingen/Ueberlingen_Final_Report.PDF [retrieved Sept. 2014].
[3] , “Engineering Spacecraft Mission Software Using a Model-Based and Safety-Driven Design Methodology,” Journal of Aerospace Computing, Information, and Communication, Vol. 3, No. 11, 2006, pp. 562–586. doi:https://doi.org/10.2514/1.24677 1542-9423
[4] , “Fifteen Years of Formal Property Verification in Intel,” 25 Years of Model Checking, edited by Grumberg O. and Veith H., Springer–Verlag, Berlin, 2008, pp. 139–144.
[5] , “Astrée: From Research to Industry,” Static Analysis: Lecture Notes in Computer Science, Vol. 4634, edited by Nielson H. and Filé G., Springer–Verlag, Berlin, 2007, pp. 437–451.
[6] , “Static Analysis and Verification of Aerospace Software by Abstract Interpretation,” AIAA [email protected] 2010, AIAA Paper 2010-3385, 2010.
[7] , “Differential Dynamic Logic for Hybrid Systems,” Journal of Automated Reasoning, Vol. 41, No. 2, 2008, pp. 143–189. doi:https://doi.org/10.1007/s10817-008-9103-8 JAREEW 0168-7433
[8] , “Logics of Dynamical Systems,” Logic in Computer Science (LICS’12), IEEE, Piscataway, NJ, 2012, pp. 13–24.
[9] , “Computing Differential Invariants of Hybrid Systems As Fixedpoints,” Computer Assisted Verification: Lecture Notes in Computer Science, Vol. 5123, edited by Gupta A. and Malik S., Springer–Verlag, Berlin, 2008, pp. 176–189.
[10] , “The Theory of Hybrid Automata,” Proceedings of the Eleventh Annual IEEE Symposium on Logic in Computer Science, IEEE, Piscataway, NJ, 1996, pp. 278–292.
[11] , Logical Analysis of Hybrid Systems: Proving Theorems for Complex Dynamics, Springer–Verlag, Heidelberg, 2010.
[12] , “KeYmaera: A Hybrid Theorem Prover for Hybrid Systems,” Automated Reasoning: Lecture Notes in Computer Science, Vol. 5195, edited by Armando A., Baumgartner P. and Dowek G., Springer–Verlag, Berlin, 2008, pp. 171–178.
[13] , “Adaptive Cruise Control: Hybrid, Distributed, and Now Formally Verified,” Formal Methods: Lecture Notes in Computer Science, Vol. 6664, Springer–Verlag, Berlin, 2011, pp. 42–56.
[14] , “Safe Intersections: At the Crossing of Hybrid Systems and Verification,” Intelligent Transportation Systems (ITSC’11), edited by Yi K., IEEE, Piscataway, NJ, 2011, pp. 1181–1186. doi:https://doi.org/10.1109/ITSC.2011.6083138
[15] , “Towards Formal Verification of Freeway Traffic Control,” Proceedings of the 2nd International Conference on Cyber-Physical Systems (ICCPS’12), edited by Lu C., IEEE, Piscataway, NJ, 2012, pp. 171–180.
[16] , “European Train Control System: A Case Study in Formal Verification,” Formal Engineering Methods: Lecture Notes in Computer Science, Vol. 5885, edited by Breitman K. and Cavalcanti A., Springer–Verlag, Berlin, 2009, pp. 246–265.
[17] , “Formal Verification of Curved Flight Collision Avoidance Maneuvers: A Case Study,” Formal Methods: Lecture Notes in Computer Science, Vol. 5850, edited by Cavalcanti A. and Dams D., Springer–Verlag, Berlin, 2009, pp. 547–562.
[18] , “Formal Verification of Distributed Aircraft Controllers,” Proceedings of the 16th International Conference on Hybrid Systems: Computation and Control (HSCC’13), edited by Belta C. and Ivancic F., ACM, Philadelphia, April 2013, pp. 125–130.
[19] , “On Provably Safe Obstacle Avoidance for Autonomous Robotic Ground Vehicles,” Robotics: Science and Systems IX, edited by Newman P., Fox D. and Hsu D., Technische Universität Berlin, Berlin, June 2013, http://www.roboticsproceedings.org/rss09/p14.pdf [retrieved Sept. 2014].
[20] , “Certifying the Safe Design of a Virtual Fixture Control Algorithm for a Surgical Robot,” Proceedings of the 16th International Conference on Hybrid Systems: Computation and Control (HSCC’13), edited by Belta C. and Ivancic F., ACM, Philadelphia, April 2013, pp. 263–272.
[21] , “On Curves of Minimal Length with a Constraint on Average Curvature, and with Prescribed Initial and Terminal Positions and Tangents,” American Journal of Mathematics, Vol. 79, No. 3, 1957, pp. 497–516. doi:https://doi.org/10.2307/2372560 AJMAAN 0002-9327
[22] , “Decentralized Air Traffic Management Systems: Performance and Fault Tolerance,” Proceedings of the IFAC International Workshop on Motion Control (MC’98), The International Federation of Automatic Control, 1998, pp. 259–264.
[23] , “Conflict Resolution for Air Traffic Management: A Study in Multi-Agent Hybrid Systems,” IEEE Transactions on Automatic Control, Vol. 43, No. 4, 1998, pp. 509–521. doi:https://doi.org/10.1109/9.664154 IETAA9 0018-9286
[24] , “Differential-Algebraic Dynamic Logic for Differential-Algebraic Programs,” Journal of Logic and Computation, Vol. 20, No. 1, 2010, pp. 309–352. doi:https://doi.org/10.1093/logcom/exn070 JLCOEU
[25] , “Characterizing Algebraic Invariants by Differential Radical Invariants,” Tools and Algorithms for the Construction and Analysis of Systems: Lecture Notes in Computer Science, Vol. 8413, edited by Ábrahám E. and Havelund K., Springer–Verlag, Berlin, 2014, pp. 279–294.
[26] , “Stochastic Differential Dynamic Logic for Stochastic Hybrid Programs,” Automated Deduction: Lecture Notes in Computer Science, Vol. 6803, edited by Bjørner N. and Sofronie-Stokkermans V., Springer–Verlag, Berlin, 2011, pp. 431–445.
[27] , “A New Approach to Linear Filtering and Prediction Problems,” Journal of Basic Engineering, Vol. 82, No. 1, 1960, pp. 35–45. doi:https://doi.org/10.1115/1.3662552 JBAEAI 0021-9223
[28] , “Next-Generation Airborne Collision Avoidance System,” Lincoln Laboratory Journal, Vol. 19, No. 1, 2012, pp. 17–33, https://www.ll.mit.edu/publications/journal/pdf/vol19_no1/19_1_1_Kochenderfer.pdf [retrieved Sept. 2014]. LLJ0EJ 0896-4130
[29] , Markov Decision Processes: Discrete Stochastic Dynamic Programming, Wiley, Hoboken, NJ, 2009.
[30] , “Analyzing the Next Generation Airborne Collision Avoidance System,” Tools and Algorithms for the Construction and Analysis of Systems: Lecture Notes in Computer Science, Vol. 8413, edited by Ábrahám E. and Havelund K., Springer–Verlag, Berlin, 2014, pp. 620–635.
[31] , “ModelPlex: Verified Runtime Validation of Verified Cyber-Physical System Models,” Runtime Verification: Lecture Notes in Computer Science, Vol. 8734, edited by Bonakdarpour B. and Smolka S. A., Springer–Verlag, Berlin, 2014, pp. 199–214.
[32] , “HybridFluctuat: A Static Analyzer of Numerical Programs Within a Continuous Environment,” Computer Aided Verification: Lecture Notes in Computer Science, Springer–Verlag, Berlin, 2009, pp. 620–626.
[33] , “The Gauge Domain: Scalable Analysis of Linear Inequality Invariants,” Computer Aided Verification: Lecture Notes in Computer Science, Vol. 7358, edited by Madhusudan P. and Seshia S., Springer–Verlag, Berlin, 2012, pp. 139–154.
[34] , Dynamic Programming, Princeton Univ. Press, Princeton, NJ, 1962.
[35] “Software Considerations in Airborne Systems and Equipment Certification,” RTCA STD DO-178C, Washington, D.C., 2012.
[36] , “Software Model Checking Takes Off,” Communications of the ACM, Vol. 53, No. 2, 2010, pp. 58–64. doi:https://doi.org/10.1145/1646353 CACMA2 0001-0782
[37] , “Formal Verification of Avionics Software Products,” Formal Methods: Lecture Notes in Computer Science, Vol. 5850, edited by Cavalcanti A. and Dams D., Springer–Verlag, Berlin, 2009, pp. 532–546.
[38] , “A Review of Conflict Detection and Resolution Modeling Methods,” IEEE Transactions on Intelligent Transportation Systems, Vol. 1, No. 4, 2000, pp. 179–189. doi:https://doi.org/10.1109/6979.898217
[39] , “Provably Safe Coordinated Strategy for Distributed Conflict Resolution,” 2005 AIAA Guidance Navigation, and Control Conference and Exhibit, AIAA Paper 2005-6047, 2005.
[40] , “Formal Verification of an Optimal Air Traffic Conflict Resolution and Recovery Algorithm,” Logic, Language, Information and Computation: Lecture Notes in Computer Science, Vol. 4576, edited by Leivant D. and de Queiroz R., Springer–Verlag, Berlin, 2007, pp. 177–188.
[41] , “Computing Differential Invariants of Hybrid Systems As Fixedpoints,” Formal Methods in System Design, Vol. 35, No. 1, 2009, pp. 98–120. doi:https://doi.org/10.1007/s10703-009-0079-8 FMSDE6 0925-9856
[42] , “A Probabilistic Approach to Aircraft Conflict Detection,” IEEE Transactions on Intelligent Transportation Systems, Vol. 1, No. 4, 2000, pp. 199–220. doi:https://doi.org/10.1109/6979.898224
[43] , “Aircraft and Weather Models for Probabilistic Collision Avoidance in Air Traffic Control,” Proceedings of the 41st IEEE Conference on Decision and Control, Vol. 3, IEEE, Piscataway, NJ, 2002, pp. 2427–2432.
[44] , “Collision Avoidance as a Differential Game: Real-Time Approximation of Optimal Strategies Using Higher Derivatives of the Value Function,” IEEE International Conference on Systems, Man, and Cybernetics, 1997. Computational Cybernetics and Simulation, 1997, Vol. 3, IEEE, Piscataway, NJ, 1997, pp. 2308–2313.
[45] , “Comparison of Centralized and Decentralized Conflict Resolution Strategies for Multiple-Aircraft Problems,” AIAA Guidance, Navigation, and Control Conference, AIAA Paper 2000-4268, 2000.
[46] , “Protocol-Based Conflict Resolution for Air Traffic Control,” Air Traffic Control Quarterly, Vol. 15, No. 1, 2007, pp. 1–34. ATCQER 1064-3818
[47] , “A Time-Dependent Hamilton-Jacobi Formulation of Reachable Sets for Continuous Dynamic Games,” IEEE Transactions on Automatic Control, Vol. 50, No. 7, 2005, pp. 947–957. doi:https://doi.org/10.1109/TAC.2005.851439 IETAA9 0018-9286
[48] , “SpaceEx: Scalable Verification of Hybrid Systems,” Computer Aided Verification: Lecture Notes in Computer Science, Vol. 6806, edited by Gopalakrishnan G. and Qadeer S., Springer–Verlag, Berlin, 2011, pp. 379–395.
[49] , “Proving Safety Properties of an Aircraft Landing Protocol Using I/O Automata and the PVS Theorem Prover: A Case Study,” Formal Methods: Lecture Notes in Computer Science, Vol. 4085, edited by Misra J., Nipkow T. and Sekerinski E., Springer–Verlag, Berlin, 2006, pp. 64–80.
[50] , “Safety Verification of an Aircraft Landing Protocol: A Refinement Approach,” Hybrid Systems: Computation, and Control: Lecture Notes in Computer Science, Vol. 4416, edited by Bemporad A., Bicchi A. and Buttazzo G., Springer–Verlag, Berlin, 2007, pp. 557–572.
[51] , “Aircraft Autolander Safety Analysis Through Optimal Control-Based Reach Set Computation,” Journal of Guidance, Control, and Dynamics, Vol. 30, No. 1, 2007, pp. 68–77. doi:https://doi.org/10.2514/1.21562 JGCDDT 0162-3192
