VVFCS Project

This page presents PVS and SAL models of fault-tolerant distributed systems developed by SRI as part of a NASA-funded project on the modeling and analysis of fault-tolerant distributed systems. This project is part of NASA's effort on Verification and Validation of Flight-Critical Software.

Models of the TTEthernet Synchronization Protocol

Time-Triggered Ethernet (or TTEthernet) is a communication infrastructure that enables the use of Ethernet in real-time, distributed systems. TTEthernet is compatible with traditional IEEE 802.3 switched Ethernet standards, and is designed to support dataflows of mixed criticality on a single network. For traffic of the highest criticality, TTEthernet provides a time-triggered communication service that relies on a fault-tolerant clock-synchronization protocol.

We have developed formal models of parts of the TTEthernet protocols and analyzed safety-critical properties using both SAL and PVS. Related work by Wilfried Steiner is described in the SAL Wiki.

SAL Models (02/11/2012)

The following SAL specifications focus on TTEthernet's compression function. They show that better synchronization can be achieved by a simple change to the original TTEthernet definition.

PVS Models (02/11/2012)

The following PVS file contains a general specification of TTEthernet's compression function and proofs of several important properties. The specification and proofs were developed using PVS 5.0.

Draper Clock-Synchronization Protocol in SAL

In 1973, Daly, Hopkins, and McKenna (from Draper Lab.) presented a fault-tolerant digital clocking system at the FTCS conference. This is probably one of the first published system designs that is intended to tolerate arbitrary, asymmetric faults (i.e., Byzantine faults).

The following SAL models (05/14/2012) are two variant formalizations of this Draper Clock-Synchronization Protocol developed by Ashish Tiwari.

Asynchronous Mid-Value Select in Hybrid SAL

The following SAL model is an abstraction of a module that implements a fault-tolerant mid-value select on asynchronously produced inputs. This is part of a larger system that has both discrete and continuous dynamics. Our goal is to model the full system using Hybrid SAL, and we have adapted the timed relational abstraction technique supported by Hybrid SAL to abstract asynchronous sampling of continuous signals. This approach will be fully automated in future releases of Hybrid SAL.

The following model (05/14/2012) shows the resulting abstraction for the asynchronous mid-value select module and includes proofs of various properties.

Asynchronous Mid-Value Select in SAL and in PVS

The following SAL and PVS models examine properties of a fault-tolerant voter that relies on mid-value select. The case study is the same as the one done in Hybrid SAL above, but the modeling approach is different.

HybridSAL - Relational Abstraction of Hybrid Systems

Several enhancements to HybridSAL have been implemented. The HybridSAL tool is available on Ashish Tiwari's relational abstraction webpage. This webpage also includes papers, examples, and documentation.

Tempo2HSal - Converter from Tempo to HybridSal

A converter for translating models written in Tempo to models in HybridSal.