| Paul S. Miner. Verification of fault-tolerant clock synchronization systems. Technical report, NASA Langley Research Center, 1993. |
....we make several assumptions; these must be guaranteed by any implementation of the clock synchronization algorithms. Since we use a probabilistic clock reading method and so processes can fail to read correct clocks within a given maximum error, our assumptions are somewhat different from those of [7, 8, 5]. The main differences are in the failure assumptions which limit the number of independent clock reading failures. 4.3.1 Initialization We require that at the start of the first round all correct clocks be within a constant of each other, where will be determined later. Constant is also ....
P. Miner. Verification of fault-tolerant clock synchronization systems. Technical Report TP3349, NASA, Nov 1993.
....that correctness of a whole class of clock synchronization algorithms depends on common general assumptions and presented a general theory for that class. Subsequently, Shankar [8] verified Schneider's proof with the help of the EHDM system, a predecessor of the PVS verification system. Miner [2] was able to relax some of the assumptions and extended the reasoning about recovery from transient faults. The theories developed by Shankar and Miner allow for a generic verification of algorithms that use an averaging function. The formalization of these clock synchronization algorithms takes a ....
....formulation of the intermediate lemmas. A theory for the non-averaging algorithm [9] is obtained by instantiation of the generic theory. Similarly, a general theory of averaging algorithms is derived as an instance of the general theory; it is equivalent to the formalization presented by Miner [2]. Miner states a set of assumptions for his proofs of agreement. These assumptions are partially covered by the general clock synchronization theory. The properties and definitions of clocks are identical to those of the general clock synchronization theory. The averaging theory introduces the ....
P. S. Miner. Verification of fault-tolerant clock synchronization systems. Technical report, NASA, 1994.
....at slightly different rates). The restart problem is to reestablish synchronization after transient faults have afflicted one or more (or all) controllers. The synchronization problem is well understood and many algorithms to solve it have been developed, analyzed, and formally verified [LMS85, Min93, Sha92, WL88]. The algorithm employed in TTA belongs to the general class of averaging synchronization algorithms [Sch87]: each controller i estimates its skew relative to each controller p by comparing the reading of its local clock at the instant when the message in slot p arrives against s i ....
....has been formally verified [PSvH99]. One way to construct a startup algorithm is as a variation on a synchronization algorithm: even if the local clocks of various controllers are initially far apart, successive rounds of averaging should bring them into convergence. This is plausible, but Miner [Min93] presents scenarios in which the controllers do not converge to a single coordinated entity, but instead divide into two cliques, each synchronized among themselves but unaware of the existence of the other clique. It is possible that some startup algorithms of this kind are correct, and can be ....
Paul S. Miner. Verification of fault-tolerant clock synchronization systems. NASA Technical Paper 3349, NASA Langley Research Center, Hampton, VA, November 1993.
....abstract algorithm and its instantiation for interactive convergence. This formalization was subsequently improved by Miner (reducing the difficulty of the proof obligations needed to establish the correctness of specific instantiations) who also verified the Welch Lynch instantiation [38]. All these verifications were undertaken with EHDM [61] a precursor to PVS [41] The treatment developed by By having the SYF field set in the MEDL (the global schedule known to all nodes) A node whose clock loses synchronization will suffer send and or receive faults and will therefore be ....
Paul S. Miner. Verification of fault-tolerant clock synchronization systems. NASA Technical Paper 3349, NASA Langley Research Center, Hampton, VA, November 1993.
....the full configuration of the system by observing message traffic during startup. This seems vulnerable to masquerading faults. The method for initial synchronization of clocks in FlexRay is not described. It is difficult to initialize the Welch-Lynch algorithm if faults are present at startup: [Min93] describes scenarios that lead to independent cliques. It seems that TTA's clique avoidance protocol will rescue it from these scenarios, but in the absence of such a mechanism, it is not clear how FlexRay can do so. There are clock synchronization algorithms that self-stabilize in the presence ....
....and several other automobile companies and their suppliers. Aircraft engine controllers and cockpit automation systems under development by Honeywell will be certified under FAA requirements. The basic Welch-Lynch clock synchronization protocol employed in TTA has been formally verified by Miner [Min93] and by Schwier and von Henke [SvH98]. The actual TTA protocol has been formally verified by Pfeifer, Schwier, and von Henke [PSvH99]. A new verification is planned (by me) that will extend the analysis beyond the standard fault hypothesis of TTA using a hybrid fault model developed by Schmid ....
Paul S. Miner. Verification of fault-tolerant clock synchronization systems. NASA Technical Paper 3349, NASA Langley Research Center, Hampton, VA, November 1993.
....For any TSP $p$ that is correct in the real time interval $[t^j_p, t^{j+1}_p]$: $r_{\min} \le t^{j+1}_p - t^j_p \le r_{\max}$. Assumption A6 bounds the real time delay between similar events in the same round for different TSPs by a constant $\beta$, and is referred to as the bounded delay assumption. Miner [19] claims that a similar assumption used in [4, 29, 30] should follow from the clock synchronization algorithm, and derives a general proof of correctness which dispenses with the bounded delay assumption. For simplicity, we adopt the approach of [4, 29, 30]. A6 (Bounded delay) For any TSPs $p$ and $q$ ....
P. S. Miner, Verification of Fault-Tolerant Clock Synchronization Systems, NASA Technical Paper 3349, November 1993.
....[11] was the first to observe that correctness of averaging algorithms depends on common general assumptions about the applied convergence function. Subsequently, Shankar [13] verified Schneider's proof with the help of the EHDM system, a predecessor of the PVS verification system [7,6,5]. Miner [4] was able to relax some of the assumptions and extended the reasoning about recovery from transient faults. The theories developed by Shankar and Miner allow for a generic verification of algorithms that use an averaging function. The formalization of these clock synchronization algorithms takes a ....
....averaging algorithms as a specialization of imain. Here, the central generic parameter is the convergence function, and a simpler set of assumptions is essentially sufficient to derive the agreement property. The assumptions about the convergence function are equivalent to those given by Miner [4]. The agreement theorem is obtained by instantiating the generic theory imain; this requires demonstrating that the generic assumptions of imain are satisfied by the actual parameters which in turn is achieved by derivation from the assumptions on the convergence function. The final theory ....
P. S. Miner. Verification of fault-tolerant clock synchronization systems. NASA Technical Paper 3349, NASA Langley Research Center, Nov. 1993.
....[Figure 1: Structure of the TTP instance of the generic theory for clock synchronization.] ....verify Schneider's proof [19, 20] and Miner [12], and more recently Schwier and v. Henke [18] have further improved the constraints and the organization of the proof itself, respectively. By following this general two-step approach to clock synchronization we can make use of existing PVS formalizations of the generic synchronization proof. ....
....on which the clock synchronization proof is based are indeed satisfied by the concrete TTP algorithm. For the verification of the TTP clock synchronization we utilize a variant of our own formalization of the generic derivation in PVS [18]. This formalization is similar to Miner's development [12] in EHDM, a predecessor of the PVS verification system, with the organization of the various PVS theories and proofs being improved to also incorporate non-averaging algorithms. The existing formalization, however, had to be generalized in order to accommodate it to the particular needs of TTP. ....
P. S. Miner. Verification of Fault-Tolerant Clock Synchronization Systems. NASA Technical Paper 3349, NASA Langley Research Center, January 1994.
....formal methods, such as formal specification and verification of algorithms, to avoid such faults in synchronization functions. Many of the clock synchronization algorithms described herein have been formally verified using mechanical theorem provers or specification and verification systems. In [15], clock synchronization algorithms based on interactive convergence are formally verified, and errors in the published analysis [13] were discovered and corrected. A schematic protocol for Byzantine fault tolerant clock synchronization is mechanically verified in [27] with the results compared to ....
Miner, P. S., Verification of Fault-Tolerant Clock Synchronization. PhD thesis, College of William and Mary, July 1992.
....make several assumptions; these must be guaranteed by any implementation of the clock synchronization algorithms. Since we use a probabilistic clock reading method and so processes can fail to read correct clocks within a given maximum error, our assumptions are somewhat different from those of [7, 8, 5]. The main differences are in the failure assumptions which limit the number of independent clock reading failures. 4.3.1 Initialization We require that at the start of the first round all correct clocks be within a constant $\delta_S$ of each other, where $\delta_S$ will be determined later. Constant $\delta$ ....
P. Miner. Verification of fault-tolerant clock synchronization systems. Technical Report TP-3349, NASA, Nov 1993.
....ARCHITECTURES AND THE DESIGN OF PVS 5 almost as difficult as proving synchronization in the first place. Furthermore, by modifying Shankar's treatment, he was able to verify that this condition could be established once and for all from suitably modified versions of the other 10 constraints [34]. Using this simplified approach, he then formally specified and verified the instantiation that characterizes the very attractive Welch-Lynch fault-tolerant mid-point algorithm [35]. Miner and colleagues at Indiana University later developed and implemented a verified clock synchronization circuit ....
Paul S. Miner, "Verification of fault-tolerant clock synchronization systems", NASA Technical Paper 3349, NASA Langley Research Center, Hampton, VA, Nov. 1993.
.... the classical Byzantine fault tolerant clock synchronization algorithms [26,28], the Oral Messages Algorithm for Interactive Consistency [2,23], fault masking and transient recovery by majority voting [6, 24], extensions of clock synchronization to hybrid fault models [25] and transient recovery [20], extensions of the Oral Messages algorithm to the hybrid fault model [16,18], and several levels in the implementations of these algorithms [5] have been subjected to mechanically checked formal specification and verification. In this paper, we describe the formal verification of an Oral ....
Paul S. Miner. Verification of fault-tolerant clock synchronization systems. NASA Technical Paper 3349, NASA Langley Research Center, Hampton, VA, November 1993.
.... $\Delta$ determines how long a process has to wait after a broadcast before performing the clock correction. For simplicity, we assume that broadcasting a message, computing the adjustment, and storing arrival times are instantaneous operations. If two SYNC messages are received from two .... [Footnote 1: We use the terminology of [3].] [Figure 1: Pseudo Code for Process p. $T := T_0$; repeat forever: wait until $VC_p = T$; broadcast SYNC; wait for $\Delta$ time units; $ADJ_p := T + \delta - cfn(ARR_p)$; $CORR_p := CORR_p + ADJ_p$; $T := T + P$; end of loop. On reception of SYNC from $q$ do $ARR_p[q] := VC_p$.]
P. Miner. Verification of Fault-Tolerant Clock Synchronization Systems. Technical Report TP-3349, NASA, 1993.
....ORA [61, 4, 63, 30, 62]. Concurrently we gained experience at Langley using a number of the prover systems including EHDM, Nqthm, and HOL. During that time we were primarily occupied with the design and verification (in EHDM) of a fault tolerant architecture designed to withstand transient faults [23, 8, 22, 21, 20, 41]. Generalizing our models, Rushby at SRI verified transient recovery for an abstract architecture [48, 49]. Through Langley support, researchers at Boeing worked with Carl Levitt's group at the University of California at Davis. The Davis group worked in the HOL system. Boeing and Davis ....
Paul S. Miner. Verification of fault-tolerant clock synchronization systems. NASA Technical Paper 3349, November 1993.
....described here. Shankar's mechanically checked formal verification [19] of Schneider's general treatment [18] would be a good starting place for formal investigation of such extensions (particularly with Miner's formally verified extension to transient recovery for the Welch-Lynch instantiation [11, 21]). Another interesting topic for future investigation is the apparent divergence in fault tolerance between algorithms for consensus and those for clock synchronization when hybrid fault models are considered. As we have seen, the hybrid interactive convergence algorithm for clock synchronization ....
Paul S. Miner. Verification of fault-tolerant clock synchronization systems. NASA Technical Paper 3349, NASA Langley Research Center, Hampton, VA, November 1993.
....a finite interval asserts gc_active. gc(collect, gc_active, M) ≜ [await collect = T; compute gc_active = F; {M = garbage_collect(M)}] 3.2.4 Clock Synchronizer In this section we develop a protocol specification for a fault tolerant clock synchronizer from formal and informal descriptions in [60]. Four or more such clock synchronizer elements periodically synchronizing their individual clocks using a voting scheme can provide a fault tolerant clock. The timing diagram for the clock synchronizer element shown in Figure 3.7 does not ....
Paul Miner. Verification of fault-tolerant clock synchronization systems. Technical Report 3349, National Aeronautics and Space Administration, Hampton, VA, November 1993.
....For any TSP $p$ that is correct in the real time interval $[t^j_p, t^{j+1}_p]$: $r_{\min} \le t^{j+1}_p - t^j_p \le r_{\max}$. Assumption A6 bounds the real time delay between similar events in the same round for different TSPs by a constant $\beta$, and is referred to as the bounded delay assumption. Miner [23] claims that a similar assumption used in [4, 35, 36] should follow from the clock synchronization algorithm, and derives a general proof of correctness which dispenses with the bounded delay assumption. For simplicity, we adopt the approach of [4, 35, 36]. A6 (Bounded delay) For any TSPs $p$ and $q$ ....
P. S. Miner, Verification of Fault-Tolerant Clock Synchronization Systems, NASA Technical Paper 3349, Langley Research Center, November 1993.
Paul S. Miner. Verification of fault-tolerant clock synchronization systems. Technical report, NASA Langley Research Center, 1993.
Paul S. Miner. Verification of fault-tolerant clock synchronization systems. NASA Technical Paper 3349, NASA Langley Research Center, Hampton, VA, November 1993.
Paul S. Miner. Verification of fault-tolerant clock synchronization systems. NASA Technical Paper 3349, NASA Langley Research Center, Hampton, VA, November 1993.
....Architectural components realizing fault tolerant algorithms require effective design techniques. Even if the algorithm is formally verified, a simple bug in the realization could introduce a single point failure. There are a number of cases of mechanically verified fault-tolerant algorithms [11, 20, 12], as well as verified specifications of high level system descriptions [6, 7, 16, 23]. In addition, there have been exercises demonstrating the application of mechanical theorem provers to the verification of hardware components realizing fault-tolerant algorithms [22, 1, 13]. The difficulty with ....
....Synchronization A critical function in a fault tolerant architecture is synchronizing the clocks of the redundant computing elements. Schneider [19] demonstrates that many fault tolerant clock synchronization algorithms can be treated as refinements of a general protocol. Shankar [20] and Miner [12] have provided mechanically checked proofs of Schneider's paradigm. A generalized view of the algorithm employed by each participant in the protocol is: do forever { exchange clock values; determine adjustment for this interval; determine local time to apply correction; when time, apply correction } ....
Paul S. Miner. Verification of fault-tolerant clock synchronization systems. Technical Paper 3349, NASA, Langley Research Center, Hampton, VA, November 1993.
....by SRI and was partially verified. CLI reproduced the SRI verification of the interactive convergence algorithm using the Boyer-Moore theorem prover [140]. NASA Langley researchers designed and implemented a fault tolerant clock synchronization circuit capable of recovery from transient faults [85, 84, 83]. The top level specification for the design is the Ehdm verification of Schneider's paradigm. The circuit was implemented with programmable logic devices (PLDs) and FOXI fiber optic communications chips [90]. [Footnote 7: The bounded delay assumption was shown to follow from the other assumptions of the ....]
Miner, Paul S.: Verification of Fault-Tolerant Clock Synchronization Systems. NASA Technical Paper 3349, Nov. 1993.
....by SRI and was partially verified. CLI reproduced the SRI verification of the interactive convergence algorithm using the Boyer-Moore theorem prover [122]. NASA Langley researchers designed and implemented a fault tolerant clock synchronization circuit capable of recovery from transient faults [75, 74, 73]. The top level specification for the design is the Ehdm verification of Schneider's paradigm. The circuit was implemented with programmable logic devices (PLDs) and FOXI fiber optic communications chips [77]. Using a combination of formal techniques, a verified clock synchronization circuit ....
Miner, Paul S.: Verification of Fault-Tolerant Clock Synchronization Systems. NASA Technical Paper 3349, Nov. 1993.
P. S. Miner. Verification of Fault-Tolerant Clock Synchronization Systems. NASA Technical Paper 3349, NASA Langley Research Center, January 1994.
Paul S. Miner. Verification of fault-tolerant clock synchronization systems. NASA Technical Paper 3349, NASA Langley Research Center, Hampton, VA, November 1993.