This page presents PVS and SAL models of fault-tolerant distributed systems developed by SRI as part of a NASA-funded project on the modeling and analysis of fault-tolerant distributed systems. This project is part of NASA's effort on Verification and Validation of Flight-Critical Software.
Time-Triggered Ethernet (or TTEthernet) is a communication infrastructure that enables the use of Ethernet in real-time, distributed systems. TTEthernet is compatible with traditional IEEE 802.3 switched Ethernet standards, and is designed to support dataflows of mixed criticality on a single network. For traffic of the highest criticality, TTEthernet provides a time-triggered communication service that relies on a fault-tolerant clock-synchronization protocol.
We have developed formal models of parts of the TTEthernet protocols and analyzed safety-critical properties using both SAL and PVS. Related work by Wilfried Steiner is described in the SAL Wiki.
The following SAL specifications focus on TTEthernet's compression function. They show that better synchronization can be achieved by a simple change to the original TTEthernet definition.
In 1973, Daly, Hopkins, and McKenna (from Draper Lab.) presented a fault-tolerant digital clocking system at the FTCS conference. This is probably one of the first published system designs intended to tolerate arbitrary, asymmetric faults (i.e., Byzantine faults).
The following SAL models (05/14/2012) are two variant formalizations of this Draper Clock-Synchronization Protocol developed by Ashish Tiwari.
We also used QBF solvers to synthesize deterministic Byzantine consensus procedures. The following SAL models (08/19/2013) were used to perform synthesis. Note that the models have uninitialized parameters, and hence SAL will be unable to prove anything interesting about them. The models were used to automatically construct an input for a QBF solver.
The following SAL model is an abstraction of a module that implements a fault-tolerant mid-value select on asynchronously produced inputs. This is part of a larger system that has both discrete and continuous dynamics. Our goal is to model the full system using Hybrid SAL, and we have adapted the timed relational abstraction technique supported by Hybrid SAL to abstract asynchronous sampling of continuous signals. This approach will be fully automated in future releases of Hybrid SAL.
The following model (05/14/2012) shows the resulting abstraction for the asynchronous mid-value select module and includes proofs of various properties.
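As an added worked example (not code from the SRI models or from this page), the following Python implements a generic fault-tolerant mid-value select over n inputs of which at most f may be faulty in an arbitrary (Byzantine) way, and checks the kind of property such a model is used to prove: the selected value stays within the range of the correct inputs no matter what the faulty inputs report, whereas a plain average does not. The input values, the bound f, and the NaN handling are constructed for the example; the page does not give the module's actual parameters, and the SAL model abstracts the asynchronous sampling that this example leaves out.

```python
import math
from itertools import product
from typing import Optional, Sequence


def ft_mid_value_select(values: Sequence[float], f: int) -> Optional[float]:
    """Generic fault-tolerant mid-value select (example, not the SRI module).

    Sort the n inputs, discard the f smallest and the f largest, and return
    the midpoint of the smallest and largest surviving values.  With at most
    f arbitrarily faulty inputs this needs n >= 2f + 1 so that at least one
    value survives; otherwise None is returned instead of a meaningless value.
    """
    n = len(values)
    if f < 0 or n < 2 * f + 1:
        return None
    # Caveat (assumption for this example): a faulty source may deliver NaN,
    # which has no sort order.  Map it to +inf so it is counted as one of the
    # f extreme values and discarded rather than corrupting the sort.
    cleaned = [math.inf if math.isnan(v) else v for v in values]
    ordered = sorted(cleaned)
    survivors = ordered[f:n - f]
    return (survivors[0] + survivors[-1]) / 2.0


def plain_average(values: Sequence[float]) -> float:
    """Non-fault-tolerant baseline: one faulty input moves it arbitrarily far."""
    return sum(values) / len(values)


def within_range(output: Optional[float], correct: Sequence[float]) -> bool:
    """True iff output lies between the smallest and largest correct input."""
    if output is None:
        return False
    return min(correct) <= output <= max(correct)


def bounded_under_all_faults(correct: Sequence[float], f: int,
                             faulty_candidates: Sequence[float]) -> bool:
    """Inject every combination (with repetition) of f candidate faulty values
    alongside the correct inputs and check that the selected value never
    leaves the correct inputs' range.  This is a brute-force stand-in for the
    symbolic proof a SAL model would provide over all faulty values."""
    for faulty in product(faulty_candidates, repeat=f):
        out = ft_mid_value_select(list(correct) + list(faulty), f)
        if not within_range(out, correct):
            return False
    return True


# Constructed sample (not from the page): three correct clock readings within
# a couple of microseconds of each other, plus one Byzantine source.
CORRECT_INPUTS = [100.0, 102.0, 101.0]   # constructed, microseconds
BYZANTINE_INPUT = 100000.0               # constructed, arbitrarily wrong
F = 1                                    # tolerate one faulty input

if __name__ == "__main__":
    inputs = CORRECT_INPUTS + [BYZANTINE_INPUT]
    print("mid-value select:", ft_mid_value_select(inputs, F))
    print("plain average:   ", plain_average(inputs))
    print("bounded under all injected faults:", bounded_under_all_faults(
        CORRECT_INPUTS, F, [-1e9, 0.0, 101.5, 1e9, math.inf, math.nan]))
```

The reason the bound holds is that after removing the f smallest values, the smallest survivor is at least the (f+1)-th smallest input overall, and at most f inputs can lie below the smallest correct one; the symmetric argument bounds the largest survivor. The n >= 2f + 1 check is the part a practitioner most often forgets: with fewer inputs the trimming step leaves nothing, and a "default" output at that point is a silent fault.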
A converter for translating models written in Tempo to models in HybridSal.