
3.1 Formal Methods

Formal methods mean different things to different people. The term "formal methods" originates in formal logic, but it is now mainly used in Computer Science to refer to a wide range of mathematically based approaches for the analysis of computerised systems. In this section, we investigate the role of formal methods both in the system development life cycle and in the critical context of aerospace engineering.

3.1.1 Formal Methods in System Life Cycle

From the perspective of a system life cycle, one widely recognised definition of formal methods that is relevant to this thesis is the following: a formal method is a collection of syntax and formal semantics associated with automatic verification tools. Formal methods can be used to precisely model the requirements of a system design, to prove properties of the underlying model, and to prove the correctness of an eventual implementation with respect to that model [60]. Thus, formal methods can loosely be divided into specification, theorem proving, and model checking. In this thesis, we concentrate on the latter.

Figure 3.1: Three parts of model checking (adapted from [12]). [Figure: the system is modelled into a system model and the requirements are formalised into a property specification; model checking then reports either satisfied, or violated together with a counterexample, which is simulated to locate the error.]

As shown in Figure 3.1, in order to apply model checking to a level of system design and development, the tasks to be performed are logically divided into three phases:

• Modelling: in the first phase, the system design or mission scenario is formally represented in a formalism that is acceptable to automatic verification tools, known as model checkers. For some cases, abstraction may be used to remove or hide less important or unnecessary details of the system design.

• Specification: the next phase is to state and express the important and necessary properties that the system must satisfy. Again, it is essential to use a formalism that is acceptable to the model checker. In this phase, a formal temporal logic is usually used for hardware and software systems.

• Verification: model checkers are then used to exhaustively verify the validity of the specification against the proposed model. The most common mode of operation is for these tools to explore the state space of a system, check it for satisfaction of the specifications, and generate verification results. For a negative result produced by the model checker, the counterexample is available to be analysed, and the problem can then be traced back to an error in either the model or the specification. After that, suitable modification actions can be taken.

Figure 3.2: The role of formal methods in system development lifecycle in aerospace engineering. [Figure: system design leads to specification and formal models; formal methods are used for specification and verification, with revise and debug loops on error, before prototype development, simulation and testing.]

3.1.2 Formal Methods for Aerospace Engineering

There are three key application domains to which formal methods have been applied extensively and successfully. The first domain is safety critical systems, where failure may endanger human life, such as fly-by-wire control systems and railway signalling systems. The second domain is security critical systems, involving security protocols and applications where failure means unauthorised access to sensitive information, such as medical records. The third is standardisation and certification, where systems are designed to meet specific, internationally recognised standards or regulations. In this case, it is important that the standards can be interpreted uniformly.

In addition, as the underlying formal verification techniques have matured and a number of automatic tools have become available, formal methods have had an increasingly significant impact on aerospace engineering. Formal methods are mainly used at the design stage of system development for various aerospace and space missions. They have also been recommended in the DO-178B¹ standard for certification, and successfully applied in many aerospace contexts. Figure 3.2 illustrates a typical system development process in aerospace engineering that integrates formal methods as a fundamental approach to the early design of satellite and space systems.

Model checking is a formal method for verifying finite state systems, such as analysing sequential circuit designs and communication protocols. During the development of traditional satellite and space systems, model checking methods have been used effectively to validate onboard software [19, 48]. Model checking based design tools enable the early validation of software requirements. Examples of model checkers for this purpose include NASA's JavaPathfinder [55], Cadence SMV [62], Carnegie Mellon's NuSMV [26], and Bell Labs' SPIN [63]. Model checkers can be used to detect dead code, integer overflow, division by zero, and violations of system design properties. Modelling approaches vary to some extent in the way that systems are represented, and the associated model checking can be categorised accordingly as explicit state, bounded, symbolic, approximate, or probabilistic. In general, most model checkers analyse and operate on discretised models of systems.

¹ DO-178B: a guideline that deals with the safety of safety-critical applications used in certain air-

Model checking and probabilistic model checking have been extensively applied to aerospace systems in the area of safety-critical applications. In [50], the authors propose an approach to quantitatively assessing safety properties using the PRISM probabilistic model checker, and illustrate the approach with a representative system design from the airborne industry. A verification technique is developed in [33] for analysing the decision-making component in agent-based hybrid systems. In [59], the authors developed a model checker called ETMCC, which has been used in several non-trivial case studies to support the automated verification of performability properties. The paper [3] provides a review of the usage of formal methods and model checking for reliability, availability, maintainability and safety analysis of safety-critical applications in the area of aerospace and transportation. The paper [127] describes the advantages, disadvantages, and challenges in applying formal methods and model checking to safety-critical applications. In [144], the authors performed formal specification, verification, and model validation of a coordination protocol for an automated air traffic control system for safety-critical applications using NuSMV and Cadence SMV.

Explicit state model checking refers to the way that the state space is represented when checking properties. Here, states are represented explicitly and not abstracted or merged. Conversely, in symbolic state model checking the state space is stored in a reduced form, which is represented symbolically as a binary decision diagram (BDD). Probabilistic model checking is an effective approach to analysing systems exhibiting stochastic behaviours, and is a highly suitable approach for use in the design, analysis, and implementation of satellite systems and their missions. Within the theory of computation, model checking is essentially rooted in automata and temporal logic. In the next section we introduce important preliminaries of model checking, with a focus on labelled transition systems and temporal logic.
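The three phases described earlier in this section (modelling, property specification, exhaustive verification with a counterexample on violation) and the explicit-state representation just described, shown in an added Python example that is not from the thesis or from any tool it cites: a small breadth-first explicit-state checker, a constructed two-process lock model, and a mutual-exclusion invariant. The names `check_invariant`, `make_successors`, `mutual_exclusion` and the `idle`/`seen`/`crit` states are ours; the non-atomic variant of the lock yields the shortest violating trace, the atomic variant is reported as satisfied.

```python
from collections import deque

def check_invariant(init, successors, invariant):
    """Explicit-state safety check: breadth-first exploration with every reachable
    state stored explicitly in `parent`.  Returns (True, None) if `invariant` holds
    in all reachable states, else (False, trace) with the shortest counterexample."""
    parent = {init: None}  # state -> (label, predecessor); rebuilds the trace
    queue = deque([init])
    while queue:
        state = queue.popleft()
        if not invariant(state):
            trace = []
            while parent[state] is not None:
                label, pred = parent[state]
                trace.append((label, state))
                state = pred
            return False, trace[::-1]
        for label, nxt in successors(state):
            if nxt not in parent:
                parent[nxt] = (label, state)
                queue.append(nxt)
    return True, None

def make_successors(atomic):
    """Transition relation of a constructed model: processes p0 and p1 share one
    lock; state = (pc0, pc1, lock).  atomic=True tests and takes the lock in a
    single step; atomic=False splits test and set, leaving a race window."""
    def successors(state):
        pc, lock, out = list(state[:2]), state[2], []
        for i in (0, 1):
            def step(label, new_pc, new_lock):
                new = pc[:]
                new[i] = new_pc
                out.append((f"p{i}:{label}", (new[0], new[1], new_lock)))
            if pc[i] == "idle" and lock == 0:
                if atomic:
                    step("test-and-set", "crit", 1)
                else:
                    step("test", "seen", 0)  # saw the lock free, not yet taken
            elif pc[i] == "seen":
                step("set", "crit", 1)       # takes the lock whatever its value now
            elif pc[i] == "crit":
                step("release", "idle", 0)
        return out
    return successors

INIT = ("idle", "idle", 0)

def mutual_exclusion(state):  # property specification: never both in crit
    return not (state[0] == "crit" and state[1] == "crit")
```

Calling `check_invariant(INIT, make_successors(False), mutual_exclusion)` returns the four-step interleaving p0:test, p1:test, p0:set, p1:set ending in both processes in `crit`; with `make_successors(True)` the result is `(True, None)`.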
