The Runway Safety Monitor (RSM) designed by Lockheed Martin is part of NASA's effort to reduce aviation accidents. We developed a Petri net model of the RSM protocol and used the model checking functions of our tool SMART to investigate behaviors that can be classified as missed alarm scenarios in RSM. To apply discrete-state techniques and mitigate the impact of the resulting state-space explosion, our model uses a highly discretized view of the system, obtained by partitioning the monitored runway zone into a grid of smaller volumes and by considering scenarios involving only two aircraft. The model also assumes that there are no communication failures, such as bad input from radar or lack of incoming data, and thus relies on all participants sharing a consistent view of reality. In spite of these simplifications, we were able to expose potential problems in the RSM conceptual design. Our findings were forwarded to the design engineers, who undertook corrective action. The results stress the high level of efficiency attained by the new model checking algorithms implemented in SMART and demonstrate their applicability to real-world systems. Attempts to verify RSM with NuSMV and SPIN failed due to excessive memory consumption.