1 / 9

Commercial Displays Model Checking

Commercial Displays Model Checking. Display Management Logic. Avionics Display Project DCA. New Commercial aircraft under development DCA – The Displays and Crew Alerting System being developed by Rockwell Collins. Provides primary flight information to the flight crew

isabella-fuentes
Download Presentation

Commercial Displays Model Checking

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Commercial Displays Model Checking Display Management Logic

  2. Avionics Display Project DCA • New Commercial aircraft under development • DCA – The Displays and Crew Alerting System being developed by Rockwell Collins. • Provides primary flight information to the flight crew • Display Management – Application within the DCA system that is responsible for allocation of display system resources and management of redundancy. (Display system similar to current project)

  3. The Problem of Display Management • Display management requirements state that the DCA system: • Must keep the highest priority displays available to the pilots as long as there are sufficient system resources to do so. • Must keep the Captain’s and First Officer’s Display processes separate as long as there are sufficient system resources to do so. • Display management can be viewed as a state machine having a very large number of states. • Simulink models were used to develop the display management design.

  4. The Problem of Display Management • Due to the flight critical nature of the display management function, it is imperative that the display management function design is complete and correct. • The customer requires display system functionality early in aircraft development cycle. • In prior development programs this level of maturity was often not achieved until verification testing could be preformed on the target hardware. • Problems found during testing late in the development are expensive to correct and cause delays in the development schedule.

  5. Model Checking Benefits • Find and correct errors early in the development cycle. • Model checking was started prior to the software coding, in parallel to system design. • Errors are easier and far less expensive to fix at this stage. • Gain better understanding of the system requirements and uncover missing requirements. • Properties are precise statement of system requirements • Writing properties uncovers ambiguities in English text requirements • Gain high-level of confidence in correctness of models • Expect shorter test cycle and fewer bugs

  6. DCA Application Architecture • DCA application consists of 5 main subsystems • We are analyzing 4 of the 5 subsystems • Remaining subsystem is considered less critical * = several open problem reports, but still early in analysis process

  7. Model Checking Subsystem 1 • Display Resource Redundancy Management – Subsystem 1 • The model checking process identified 43 formal properties for this model. • The initial run of the tools produced 27 counterexamples. • Model checker generates one counterexample per property violated • Model contained several violations of some properties • Number of design problems > Number of counterexamples • After several iterations of development and model checking, all of the errors in the design were located and corrected • During the process several counter examples were discovered to be caused by discrepancies in the original English text requirements. • Each discrepancy was reviewed with the customer and updates were made as appropriate. • Subsystem 1 model now completes with no counterexamples (June 2005)

  8. Iteration 1 Iteration 2 Iteration 3 Simulink R14 Model Simulink R14 Model Simulink R14 Model Simulink R13 Model Reactis Model Reactis Model SCADE Model NuSMV Model NuSMV Model NuSMV Model Tech Transfer & Process Improvements Dev. Group(Blue) ATC Group(Beige) Translation Time: 10 MinutesTurnaround: 3 Hours to 2 Days Translation Time: 1-4 HoursTurnaround: 1 Day to 1 Week Translation Time: 10 MinutesTurnaround: 10 Minutes

  9. Model Checking on the DCA system • Find errors early in development cycle • Model Errors • Requirements Errors • Additional Requirements • Considers corner cases that are difficult to find during test • Quick feedback • Model checker proves/disproves property in seconds • Possible to do “tight-loop” development • Our development group now runs model checker without assistance • Tool chain is fairly straightforward • Writing properties still requires some help • Useful part of our tool chain

More Related