Chencheng Xu,Chengcheng Zhao,Zhiguo Shi,Jiming Chen

DOI: https://doi.org/10.1109/cdc49753.2023.10384236

2023-01-01

Abstract:Compared to safe obstacle avoidance in the position space, ensuring the safety of the attitude system in today's aerial vehicle operations is more challenging due to the non-Euclidean nature of the attitude space and the underactuated nature of the system. To address this issue, we first propose the geometric exponential barrier condition (GEBC) to produce barrier certificates on the manifold, by which attitude safety requirements can be encoded globally into the verification problems of attitude control systems. Then, we use exponential coordinates to characterize GEBCs, which makes them describable in terms of quantifier-free real arithmetic logic (QF-NRA) and efficiently solvable by current satisfiability modulo theories (SMT) solvers. A performance criterion is further discussed where we propose an effective algorithm to construct safe operational regions with different controllers, which can help with nominal controller selection and tuning. Finally, we demonstrate our approach in a quadrotor system and analyze the safe performance of two PD controllers on the proposed safe operation criterion.

Omar A. Jasim,Sandor M. Veres

DOI: https://doi.org/10.48550/arXiv.2006.10860

2020-06-19

Abstract:A control system verification framework is presented for unmanned aerial vehicles using theorem proving. The framework's aim is to set out a procedure for proving that the mathematically designed control system of the aircraft satisfies robustness requirements to ensure safe performance under varying environmental conditions. Extensive mathematical derivations, which have formerly been carried out manually, are checked for their correctness on a computer. To illustrate the proceedures, a higher-order logic interactive theorem-prover and an automated theorem-prover are utilized to formally verify a nonlinear attitude control system of a generic multi-rotor UAV over a stability domain within the dynamical state space of the drone. Further benefits of the proceedures are that some of the resulting methods can be implemented onboard the aircraft to detect when its controller breaches its flight envelop limits due to severe weather conditions or actuator/sensor malfunction. Such a detection procedure can be used to advise the remote pilot or an onboard intelligent agent to decide on some alterations of the planned flight path or to perform emergency landing.

Systems and Control

Calvin Coopmans,Michal Podhradsky,Nathan V. Hoffer

DOI: https://doi.org/10.1109/red-uas.2015.7440998

2015-11-01

Abstract:Unmanned aerial system (UAS) use is ever-increasing. In this paper; it is shown that even with low-cost hardware and open-source software, simple numerical testing practices (software- and hardware-in-the-loop) can prove the accuracy and usefulness of an aeronautical flight model, as well as provide valuable pre-flight testing of many situations typically only encountered in flight: high winds, hardware failure, etc. Software and hardware simulation results are compared with actual flight testing results to show that these modeling and testing techniques are accurate and provide a useful testing platform for a small unmanned aerial vehicle. Source code used in simulation is open and provided to the community.

V. V. Kul’ba,E. A. Mikrin,B. V. Pavlov,S. K. Somov

DOI: https://doi.org/10.1134/s0005117923100065

2024-02-26

Automation and Remote Control

Abstract:This paper conceptualizes the main principles of comprehensive software verification for an onboard spacecraft control system. An optimal comprehensive verification strategy for onboard software is selected by rigorously stating and solving the corresponding optimization problem. Software verification methods with functional correctness indicators are proposed.

automation & control systems,instruments & instrumentation

O. A. Jasim,S. M. Veres

DOI: https://doi.org/10.1017/aer.2022.45

2022-05-11

The Aeronautical Journal

Abstract:A control system verification framework is presented for unmanned aerial vehicles using theorem proving. The framework's aim is to set out a procedure for proving that the mathematically designed control system of the aircraft satisfies robustness requirements to ensure safe performance under varying environmental conditions. Extensive mathematical derivations, which have formerly been carried out manually, are checked for their correctness on a computer. To illustrate the procedures, a higher-order logic interactive theorem-prover and an automated theorem-prover are utilised to formally verify a nonlinear attitude control system of a generic multi-rotor UAV over a stability domain within the dynamical state space of the drone. Further benefits of the procedures are that some of the resulting methods can be implemented onboard the aircraft to detect when its controller breaches its flight envelope limits due to severe weather conditions or actuator/sensor malfunction. Such a detection procedure can be used to advise the remote pilot, or an onboard intelligent agent, to decide on some alterations of the planned flight path or to perform emergency landing.

Murray L. Ireland,Ruth Hoffmann,Alice Miller,Gethin Norman,Sandor M. Veres

DOI: https://doi.org/10.48550/arXiv.1609.00177

2016-09-01

Abstract:If autonomous vehicles are to be widely accepted, we need to ensure their safe operation. For this reason, verification and validation (V&V) approaches must be developed that are suitable for this domain. Model checking is a formal technique which allows us to exhaustively explore the paths of an abstract model of a system. Using a probabilistic model checker such as PRISM, we may determine properties such as the expected time for a mission, or the probability that a specific mission failure occurs. However, model checking of complex systems is difficult due to the loss of information during abstraction. This is especially so when considering systems such as autonomous vehicles which are subject to external influences. An alternative solution is the use of Monte Carlo simulation to explore the results of a continuous-time model of the system. The main disadvantage of this approach is that the approach is not exhaustive as not all executions of the system are analysed. We are therefore interested in developing a framework for formal verification of autonomous vehicles, using Monte Carlo simulation to inform and validate our symbolic models during the initial stages of development. In this paper, we present a continuous-time model of a quadrotor unmanned aircraft undertaking an autonomous mission. We employ this model in Monte Carlo simulation to obtain specific mission properties which will inform the symbolic models employed in formal verification.

Robotics

Matt Luckcuck,Marie Farrell,Oisín Sheridan,Rosemary Monahan

DOI: https://doi.org/10.48550/arXiv.2110.09277

2021-10-18

Software Engineering

Abstract:Verification of complex, safety-critical systems is a significant challenge. Manual testing and simulations are often used, but are only capable of exploring a subset of the system's reachable states. Formal methods are mathematically-based techniques for the specification and development of software, which can provide proofs of properties and exhaustive checks over a system's state space. In this paper, we present a formal requirements-driven methodology, applied to a model of an aircraft engine controller that has been provided by our industrial partner. Our methodology begins by formalising the controller's natural-language requirements using the (pre-existing) Formal Requirements Elicitation Tool (FRET), iteratively, in consultation with our industry partner. Once formalised, FRET can automatically translate the requirements to enable their verification alongside a Simulink model of the aircraft engine controller; the requirements can also guide formal verification using other approaches. These two parallel streams in our methodology seek to combine the results from formal requirements elicitation, classical verification approaches, and runtime verification; to support the verification of aerospace systems modelled in Simulink, from the requirements phase through to execution. Our methodology harnesses the power of formal methods in a way that complements existing verification techniques, and supports the traceability of requirements throughout the verification process. This methodology streamlines the process of developing verifiable aircraft engine controllers, by ensuring that the requirements are formalised up-front and useable during development. In this paper we give an overview of (FRET), describe our methodology and work to-date on the formalisation and verification of the requirements, and outline future work using our methodology.

Guillaume Brat,David Bushnell,Misty Davies,Dimitra Giannakopoulou,Falk Howar,Temesghen Kahsai

DOI: https://doi.org/10.48550/arXiv.1502.02605

2015-02-10

Abstract:This paper describes our work on demonstrating verification technologies on a flight-critical system of realistic functionality, size, and complexity. Our work targeted a commercial aircraft control system named Transport Class Model (TCM), and involved several stages: formalizing and disambiguating requirements in collaboration with do- main experts; processing models for their use by formal verification tools; applying compositional techniques at the architectural and component level to scale verification. Performed in the context of a major NASA milestone, this study of formal verification in practice is one of the most challenging that our group has performed, and it took several person months to complete it. This paper describes the methodology that we followed and the lessons that we learned.

Software Engineering

Konstantin Dmitriev,Shanza Ali Zafar,Kevin Schmiechen,Yi Lai,Micheal Saleab,Pranav Nagarajan,Daniel Dollinger,Markus Hochstrasser,Stephan Myschik,Florian Holzapfel

DOI: https://doi.org/10.48550/arXiv.2010.06505

2020-10-14

Abstract:The emergence of a global market for urban air mobility and unmanned aerial systems has attracted many startups across the world. These organizations have little training or experience in the traditional processes used in civil aviation for the development of software and electronic hardware. They are also constrained in the resources they can allocate for dedicated teams of professionals to follow these standardized processes. To fill this gap, this paper presents a custom workflow based on a subset of objectives derived from the foundational standards for safety critical software DO-178C/DO-331. The selection of objectives from the standards is based on the importance, degree of automation, and reusability of specific objectives. This custom workflow is intended to establish a lean and highly automated development life cycle resulting in higher quality software with better maintainability characteristics for research and prototype aircraft. It can also be proposed as means of compliance for software of certain applications such as unmanned aircraft systems, urban air mobility and general aviation. By producing the essential set of development and verification artifacts, the custom workflow also provides a scalable basis for potential future certification in compliance with DO-178C/DO-331. The custom workflow is demonstrated in a case study of an Autopilot Manual Disconnection System.

Software Engineering

Marie Farrell,Rafael C. Cardoso,Louise A. Dennis,Clare Dixon,Michael Fisher,Georgios Kourtis,Alexei Lisitsa,Matt Luckcuck,Matt Webster

DOI: https://doi.org/10.48550/arXiv.1908.10738

2019-08-28

Abstract:Ensuring that autonomous space robot control software behaves as it should is crucial, particularly as software failure in space often equates to mission failure and could potentially endanger nearby astronauts and costly equipment. To minimise mission failure caused by software errors, we can utilise a variety of tools and techniques to verify that the software behaves as intended. In particular, distinct nodes in a robotic system often require different verification techniques to ensure that they behave as expected. This paper introduces a method for integrating the various verification techniques that are applied to robotic software, via a First-Order Logic (FOL) specification that captures each node's assumptions and guarantees. These FOL specifications are then used to guide the verification of the individual nodes, be it by testing or the use of a formal method. We also outline a way of measuring our confidence in the verification of the entire system in terms of the verification techniques used.

Software Engineering,Robotics

Omar M. Alhawi,Mustafa A. Mustafa,Lucas C. Cordeiro

DOI: https://doi.org/10.48550/arXiv.1906.11488

2019-10-11

Abstract:The proliferation of Unmanned Aerial Vehicles (UAVs) embedded with vulnerable monolithic software has recently raised serious concerns about their security due to concurrency aspects and fragile communication links. However, verifying security in UAV software based on traditional testing remains an open challenge mainly due to scalability and deployment issues. Here we investigate software verification techniques to detect security vulnerabilities in typical UAVs. In particular, we investigate existing software analyzers and verifiers, which implement fuzzing and bounded model checking (BMC) techniques, to detect memory safety and concurrency errors. We also investigate fragility aspects related to the UAV communication link. All UAV components (e.g., position, velocity, and attitude control) heavily depend on the communication link. Our preliminary results show that fuzzing and BMC techniques can detect various software vulnerabilities, which are of particular interest to ensure security in UAVs. We were able to perform successful cyber-attacks via penetration testing against the UAV both connection and software system. As a result, we demonstrate real cyber-threats with the possibility of exploiting further security vulnerabilities in real-world UAV software in the foreseeable future.

Cryptography and Security,Logic in Computer Science

Yonghua Xiong,Ke Li,Zhentao Liu,Jinhua She

DOI: https://doi.org/10.20965/jaciii.2021.p0248

2021-01-01

Journal of Advanced Computational Intelligence and Intelligent Informatics

Abstract:In recent years, there have been several breakthroughs in the theoretical research of servo control algorithms. However most of these control algorithms remain in the simulation stage. They are difficult to be applied directly to practical platforms or complex industrial sites because of the lack of an experimental system suitable for the verification of their effectiveness. To address this problem, we designed a multi-function servo control algorithm verification experiment system (MVES) within the MATLAB/Simulink theoretical simulation model directly to communicate with the TwinCAT 3 PLC master program to perform different servo control experiments. The MVES supports various Simulink models. However, its and the operation is simple and convenient, which greatly reduces the workload of the algorithm test and has important practical value. Two sets of comparative experiments were used to verify the versatility and superiority of MVES.

Yvonne Murray,Martin Sirevåg,Pedro Ribeiro,David A. Anisi,Morten Mossige

DOI: https://doi.org/10.1016/j.scico.2021.102766

2021-12-27

Abstract:As a general trend in industrial robotics, an increasing number of safety functions are being developed or re-engineered to be handled in software rather than by physical hardware such as safety relays or interlock circuits. This trend reinforces the importance of supplementing traditional, input-based testing and quality procedures which are widely used in industry today, with formal verification and model-checking methods. To this end, this paper focuses on a representative safety-critical system in an ABB industrial paint robot, namely the High-Voltage electrostatic Control system (HVC). The practical convergence of the high-voltage produced by the HVC, essential for safe operation, is formally verified using a novel and general co-verification framework where hardware and software models are related via platform mappings. This approach enables the pragmatic combination of highly diverse and specialised tools. The paper's main contribution includes details on how hardware abstraction and verification results can be transferred between tools in order to verify system-level safety properties. It is noteworthy that the HVC application considered in this paper has a rather generic form of a feedback controller. Hence, the co-verification framework and experiences reported here are also highly relevant for any cyber-physical system tracking a setpoint reference.

Robotics,Formal Languages and Automata Theory

Bingfeng XU,Zhiqiu HUANG,Jun HU,Xiaofeng YU

DOI: https://doi.org/CNKI:11-1929/V.20120201.0941.002

2012-01-01

Abstract:Current research of airborne software focuses on providing airworthiness certification evidence in software development process. As modern complex airborne software architecture is component-based and distributed, this paper considers the issue of checking the safety dependence relationship of software components against objectives that the airworthiness certification standard stipulates, which is one of the key problems of airborne software development in the design phase. Firstly, the static structure of a system is specified by a systems modeling language (SysML) block definition diagram with the description of safety properties. Secondly, the SysML block definition diagram is transformed to a block dependence graph for precise formal description. Thirdly, a method for checking the consistency between the safety dependence relationship in the static system structure and objectives of the airworthiness certification standard is proposed. Finally, an example of an aircraft navigation system is provided to illustrate how to use the method in the airborne software development process. The integrated safety level of a system is promoted by applying this method, and it can be used to provide airworthiness certification evidence.

Maike Schwammberger,Christopher Harper,Gleifer Vaz Alves,Greg Chance,Tony Pipe,Kerstin Eder

DOI: https://doi.org/10.48550/arXiv.2208.05273

2022-08-10

Abstract:Automated Vehicles (AVs) are rapidly maturing in the transportation domain. However, the complexity of the AV design problem is such that no single technique is sufficient to provide adequate validation of key properties such as safety, reliability or trustworthiness. In this vision paper, a combination of a spatial traffic logic and agent-based verification methods with a validation method that uses assertion checking of simulations is proposed. We sketch how to integrate the respective approaches within a methodological framework called Corroborative Verification and Validation (V&V).The Corroborative V&V framework identifies three different verification and validation levels for AVs (formal verification, simulation-based testing, real-world experiments) and specifies connections and evidence between these levels. We define specifications for the formal relationships that must be established between processes, system models and requirements models for the evidence from formal design verification and simulation-based testing to corroborate each other and enhance assurance confidence from verification and validation.

Software Engineering

Tim Stahl,Matthis Eicher,Johannes Betz,Frank Diermeyer

DOI: https://doi.org/10.48550/arXiv.2005.07740

2020-05-16

Abstract:Regulatory approval and safety guarantees for autonomous vehicles facing frequent functional updates and complex software stacks, including artificial intelligence, are a challenging topic. This paper proposes a concept and guideline for the development of an online verification module -- the Supervisor -- capable of handling the aforementioned challenges. The concept presented for the establishment of a Supervisor is designed in a way to identify and monitor an extensive list of features contributing to safe operation. As a result, a safe overall (sub)system is attained. Safeguarding a motion planner of an autonomous race vehicle is used to illustrate the procedure and practicability of the framework at hand. The capabilities of the proposed method are evaluated in a scenario-based test environment and on full-scale vehicle data.

Systems and Control

Mohammed Al-Nuaimi,Sapto Wibowo,Hongyang Qu,Jonathan Aitken,Sandor Veres

DOI: https://doi.org/10.3390/jsan10030042

2021-06-29

Journal of Sensor and Actuator Networks

Abstract:The evolution of driving technology has recently progressed from active safety features and ADAS systems to fully sensor-guided autonomous driving. Bringing such a vehicle to market requires not only simulation and testing but formal verification to account for all possible traffic scenarios. A new verification approach, which combines the use of two well-known model checkers: model checker for multi-agent systems (MCMAS) and probabilistic model checker (PRISM), is presented for this purpose. The overall structure of our autonomous vehicle (AV) system consists of: (1) A perception system of sensors that feeds data into (2) a rational agent (RA) based on a belief–desire–intention (BDI) architecture, which uses a model of the environment and is connected to the RA for verification of decision-making, and (3) a feedback control systems for following a self-planned path. MCMAS is used to check the consistency and stability of the BDI agent logic during design-time. PRISM is used to provide the RA with the probability of success while it decides to take action during run-time operation. This allows the RA to select movements of the highest probability of success from several generated alternatives. This framework has been tested on a new AV software platform built using the robot operating system (ROS) and virtual reality (VR) Gazebo Simulator. It also includes a parking lot scenario to test the feasibility of this approach in a realistic environment. A practical implementation of the AV system was also carried out on the experimental testbed.

Jonas Fritzsch,Tobias Schmid,Stefan Wagner

DOI: https://doi.org/10.1109/ICST49551.2021.00049

2020-11-20

Abstract:In the age of autonomously driving vehicles, functionality and complexity of embedded systems are increasing tremendously. Safety aspects become more important and require such systems to operate with the highest possible level of fault tolerance. Simulation and systematic testing techniques have reached their limits in this regard. Here, formal verification as a long established technique can be an appropriate complement. However, the necessary preparatory work like adequately modeling a system and specifying properties in temporal logic are anything but trivial. In this paper, we report on our experiences applying model checking to verify the arbitration logic of a Vehicle Control System. We balance pros and cons of different model checking techniques and tools, and reason about our choice of the symbolic model checker NuSMV. We describe the process of modeling the architecture, resulting in ~1500 LOC, 69 state variables and 38 LTL constraints. To handle this large-scale model, we automate and optimize the model checking procedure for use on multi-core CPUs and employ Bounded Model Checking to avoid the state explosion problem. We share our lessons learned and provide valuable insights for architects, developers, and test engineers involved in this highly present topic.

Software Engineering,Hardware Architecture,Systems and Control

Max Taylor,Haicheng Chen,Feng Qin,Christopher Stewart

DOI: https://doi.org/10.48550/arXiv.2106.14959

2021-06-29

Abstract:Control firmware in unmanned aerial vehicles (UAVs) uses sensors to model and manage flight operations, from takeoff to landing to flying between waypoints. However, sensors can fail at any time during a flight. If control firmware mishandles sensor failures, UAVs can crash, fly away, or suffer other unsafe conditions. In-situ model checking finds sensor failures that could lead to unsafe conditions by systematically failing sensors. However, the type of sensor failure and its timing within a flight affect its manifestation, creating a large search space. We propose Avis, an in-situ model checker to quickly uncover UAV sensor failures that lead to unsafe conditions. Widely used control firmware already support operating modes. Avis injects sensor failures as the control firmware transitions between modes - a key execution point where mishandled software exceptions can trigger unsafe conditions. We implemented Avis and applied it to ArduPilot and PX4. Avis found unsafe conditions 2.4X faster than Bayesian Fault Injection, the leading, state-of-the-art approach. Within the current code base of ArduPilot and PX4, Avis discovered 10 previously unknown software bugs that lead to unsafe conditions. Additionally, we reinserted 5 known bugs that caused serious, unsafe conditions and Avis correctly reported all of them.

Software Engineering

Siddhartha Bhattacharyya,Jennifer Davis,Anubhav Gupta,Nandith Narayan,Michael Matessa

DOI: https://doi.org/10.4204/EPTCS.348.11

2021-10-25

Abstract:As aircraft systems become increasingly autonomous, the human-machine role allocation changes and opportunities for new failure modes arise. This necessitates an approach to identify the safety requirements for the increasingly autonomous system (IAS) as well as a framework and techniques to verify and validate that an IAS meets its safety requirements. We use Crew Resource Management techniques to identify requirements and behaviors for safe human-machine teaming behaviors. We provide a methodology to verify that an IAS meets its requirements. We apply the methodology to a case study in Urban Air Mobility, which includes two contingency scenarios: unreliable sensor and aborted landing. For this case study, we implement an IAS agent in the Soar language that acts as a copilot for the selected contingency scenarios and performs takeoff and landing preparation, while the pilot maintains final decision authority. We develop a formal human-machine team architecture model in the Architectural Analysis and Design Language (AADL), with operator and IAS requirements formalized in the Assume Guarantee REasoning Environment (AGREE) Annex to AADL. We formally verify safety requirements for the human-machine team given the requirements on the IAS and operator. We develop an automated translator from Soar to the nuXmv model checking language and formally verify that the IAS agent satisfies its requirements using nuXmv. We share the design and requirements errors found in the process as well as our lessons learned.

Software Engineering,Human-Computer Interaction,Logic in Computer Science