Abstract
Demands for higher flexibility in aerospace applications have led to increasing deployment of reconfigurable modules. In several cases the industry is looking into Field Programmable Gate Arrays (FPGAs) as a means of efficiently adapting existing components. This paper addresses the safety analysis issues for reconfigurable modules with an emphasis on FPGAs. FPGAs act as digital hardware, but in the context of safety analysis they should be treated as software, i.e. with added demands on formal analysis. The contributions of this paper are twofold. First, we illustrate a development process using a language with formal semantics (Esterel) for design, formal verification of the high-level design, and automatic code generation down to synthesizable VHDL. We argue that this process reduces the likelihood of systematic (permanent) faults in the design, and still produces VHDL code that may be of acceptable quality (size of FPGA, delay). Secondly, in a general approach that is equally applicable to other formal design languages, we illustrate how the effects of transient fault modes and of faults in external modules can be formally studied. We modularly extend the component design model with fault models that represent specific or random faults (e.g. radiation leading to bit flips in the component under design), and transient or permanent faults in the rest of the environment. Some faults corrupt inputs to the component and others jeopardise the effect of output signals that control the environment. This process supports a formal version of Failure Modes and Effects Analysis (FMEA). The set-up is then used to formally determine which (single or multiple) fault modes cause violation of the top-level safety-related property, much in the spirit of fault tree analysis (FTA). All of this is done without building the fault tree, using a common model for design and for safety analyses. An aerospace hydraulic monitoring system is used to illustrate the analysis of fault tolerance.
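The analysis the abstract describes (one model shared by design and safety analysis, fault models layered on modularly, FMEA per fault mode, then FTA-style search for the fault combinations that break the top-level property, all without drawing a fault tree) is illustrated below with an added, constructed example. It is not the paper's Esterel model, its hydraulic monitoring system, or any of the authors' code: the component is a toy pressure monitor (two redundant sensor inputs, a 1-out-of-2 vote, a two-tick debounce register driving a shut-off valve), the fault-mode names, the four-tick horizon and the safety property are all assumptions made here, and exhaustive bounded simulation stands in for a model checker.

```python
"""Constructed toy: formal FMEA/FTA-style analysis of a fault-injected
synchronous model. Not the paper's Esterel model or hydraulic system."""
from itertools import product, combinations

HORIZON = 4  # bounded analysis depth in synchronous ticks (constructed choice)

# Fault modes layered onto the nominal model (all names are constructed):
#   permanent faults in the environment: a stuck sensor input, a valve that
#   ignores the command; transient fault in the component under design: a
#   bit flip in the debounce register (e.g. radiation-induced).
PERMANENT = ("sensorA_stuck_ok", "sensorB_stuck_ok", "valve_stuck_open")
TRANSIENT = ("counter_bitflip",)


def run(pressure_low, faults):
    """Simulate the closed loop for len(pressure_low) ticks.

    pressure_low: tuple of bool, the true plant state per tick.
    faults: dict mode -> set of ticks at which that mode is active.
    Returns a trace of (true_low, valve_closed) per tick.
    """
    counter = 0  # debounce register of the component under design
    trace = []
    for t, low in enumerate(pressure_low):
        # Environment -> component: input faults corrupt the sensor readings.
        sa = low and t not in faults.get("sensorA_stuck_ok", ())
        sb = low and t not in faults.get("sensorB_stuck_ok", ())
        # Component step: 1-out-of-2 vote, then a 2-tick debounce.
        counter = counter + 1 if (sa or sb) else 0
        if t in faults.get("counter_bitflip", ()):
            counter ^= 0b10  # transient upset: flip bit 1 of the register
        command = counter >= 2
        # Component -> environment: output faults jeopardise the command's effect.
        valve_closed = command and t not in faults.get("valve_stuck_open", ())
        trace.append((low, valve_closed))
    return trace


def safe(trace):
    """Top-level safety-related property: whenever pressure has truly been low
    on two consecutive ticks, the valve is closed on the second of them."""
    return all(not (trace[t - 1][0] and trace[t][0]) or trace[t][1]
               for t in range(1, len(trace)))


def activations(mode):
    """Ways a mode can be active over the horizon: permanent faults hold on
    every tick, a transient fault strikes on exactly one tick."""
    if mode in PERMANENT:
        return [frozenset(range(HORIZON))]
    return [frozenset({t}) for t in range(HORIZON)]


def violates(modes):
    """Bounded exhaustive check over all input sequences and all activations
    of the given modes. Returns a counterexample (faults, inputs) or None."""
    for acts in product(*(activations(m) for m in modes)):
        faults = dict(zip(modes, acts))
        for pressure in product((False, True), repeat=HORIZON):
            if not safe(run(pressure, faults)):
                return faults, pressure
    return None


def fmea():
    """Formal FMEA: effect of each single fault mode on the safety property."""
    return {m: violates((m,)) is not None for m in PERMANENT + TRANSIENT}


def minimal_cut_sets(max_order=2):
    """FTA-style result without building a fault tree: the smallest
    combinations of fault modes whose joint presence can violate the property."""
    cuts = []
    for k in range(1, max_order + 1):
        for combo in combinations(PERMANENT + TRANSIENT, k):
            if any(set(c) <= set(combo) for c in cuts):
                continue  # contains a known cut set, so it is not minimal
            if violates(combo) is not None:
                cuts.append(combo)
    return cuts


if __name__ == "__main__":
    assert violates(()) is None, "nominal design must satisfy the property"
    for mode, bad in fmea().items():
        print(f"{mode:22s} -> {'VIOLATION' if bad else 'tolerated'}")
    print("minimal cut sets:", minimal_cut_sets())
```

Run stand-alone, the script confirms the nominal design satisfies the property, reports per fault mode whether it is tolerated (a single stuck sensor is masked by the 1-out-of-2 vote) or can violate the property (a stuck valve, or a bit flip in the debounce register, each a single-point failure), and lists the minimal cut sets, which include the double fault of both sensors stuck. The point the abstract makes is visible in the structure: the fault models sit beside the nominal step function in one model, and both the FMEA and the cut-set search are just queries over that model.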
Hammarberg, J., Nadjm-Tehrani, S. Formal verification of fault tolerance in safety-critical reconfigurable modules. Int J Softw Tools Technol Transfer 7, 268–279 (2005). https://doi.org/10.1007/s10009-004-0152-y