
Formal verification of the NASA runway safety monitor

  • Special Section on Advances In Automated Verification of Critical Systems
  • International Journal on Software Tools for Technology Transfer

Abstract

The runway safety monitor (RSM) designed by Lockheed Martin is part of NASA’s effort to reduce aviation accidents. We developed a Petri net model of the RSM protocol and used the model checking functions of our tool SMART (stochastic and model checking analyzer for reliability and timing) to investigate a number of safety properties for the RSM. To mitigate the impact of state-space explosion, we built a highly discretized model of the system, obtained by partitioning the monitored runway zone into a grid of smaller volumes and by considering scenarios involving only two aircraft. The model also assumes that there are no communication failures, such as bad input from radar or lack of incoming data; it therefore relies on all participants sharing a consistent view of reality. In spite of these simplifications, we were able to expose potential problems in the conceptual design of RSM. Our findings were forwarded to the design engineers, who undertook corrective action. Additionally, the results stress the efficiency attained by the new model checking algorithms implemented in SMART, and demonstrate their applicability to real-world systems. Attempts to verify RSM with similar NuSMV and SPIN models failed due to excessive memory consumption.
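To make the verification approach described above concrete, here is an added, constructed toy model (not the authors' SMART model and not the RSM's actual alerting logic): the runway zone is a W×H grid, two aircraft each move at most one cell per step, a hypothetical monitor alerts when the aircraft are within a Chebyshev distance `alert_radius`, and explicit-state reachability checks the safety property "the alert is raised in the state before the two aircraft share a cell".

```python
from collections import deque
from itertools import product

# Constructed toy model: W x H grid cells, two aircraft, one-cell moves (or stay).
# Hypothetical monitor rule: alert when Chebyshev distance <= alert_radius.


def chebyshev(a, b):
    return max(abs(a[0] - b[0]), abs(a[1] - b[1]))


def alert(a, b, alert_radius):
    """Hypothetical proximity alert raised by the monitor in state (a, b)."""
    return chebyshev(a, b) <= alert_radius


def neighbours(pos, w, h):
    """Cells an aircraft can occupy after one step, including staying put."""
    x, y = pos
    return [(x + dx, y + dy) for dx in (-1, 0, 1) for dy in (-1, 0, 1)
            if 0 <= x + dx < w and 0 <= y + dy < h]


def explore(w, h, start_a, start_b, alert_radius):
    """Breadth-first reachability over (a, b) states.

    Returns (number of distinct states visited, counterexample path or None).
    A counterexample is a path whose last state has both aircraft in one cell
    while the monitor had NOT alerted in the preceding state.
    """
    init = (start_a, start_b)
    seen = {init}
    queue = deque([(init, [init])])
    while queue:
        (a, b), path = queue.popleft()
        alerted = alert(a, b, alert_radius)
        for na, nb in product(neighbours(a, w, h), neighbours(b, w, h)):
            nxt = (na, nb)
            if na == nb and not alerted:
                return len(seen), path + [nxt]  # alert came too late
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [nxt]))
    return len(seen), None


if __name__ == "__main__":
    # Radius 1 misses the case where both aircraft close in simultaneously.
    print(explore(3, 3, (0, 0), (2, 2), alert_radius=1))
    # Radius 2 accounts for both aircraft moving; every (W*H)^2 pair is visited.
    print(explore(3, 3, (0, 0), (2, 2), alert_radius=2))
```

The visited-state count grows as (W·H)², which is the state-space blow-up the abstract's coarse discretization and two-aircraft restriction are meant to contain.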



Author information


Correspondence to Radu I. Siminiceanu.

Additional information

Work supported in part by the National Aeronautics and Space Administration under grant NAG-1-02095 and by the National Science Foundation under grants CCR-0219745 and ACI-0203971.


Siminiceanu, R.I., Ciardo, G. Formal verification of the NASA runway safety monitor. Int J Softw Tools Technol Transfer 9, 63–76 (2007). https://doi.org/10.1007/s10009-006-0004-z
