A Comparison of Bus Architectures for Safety-Critical Embedded Systems
2001
Cited by 121 (5 self)
Abstract. Embedded systems for safety-critical applications often integrate multiple “functions” and must generally be fault-tolerant. These requirements lead to a need for mechanisms and services that provide protection against fault propagation and ease the construction of distributed fault-tolerant applications. A number of bus architectures have been developed to satisfy this need. This paper reviews the requirements on these architectures, the mechanisms employed, and the services provided. Four representative architectures (SAFEbus, SPIDER, TTA, and FlexRay) are briefly described.
Systematic formal verification for fault-tolerant time-triggered algorithms
IEEE Transactions on Software Engineering, 1999
Cited by 51 (2 self)
Abstract—Many critical real-time applications are implemented as time-triggered systems. We present a systematic way to derive such time-triggered implementations from algorithms specified as functional programs (in which form their correctness and fault-tolerance properties can be formally and mechanically verified with relative ease). The functional program is first transformed into an untimed synchronous system, and then to its time-triggered implementation. The first step is specific to the algorithm concerned, but the second is generic and we prove its correctness. This proof has been formalized and mechanically checked with the PVS verification system. The approach provides a methodology that can ease the formal specification and assurance of critical fault-tolerant systems. Keywords—Formal methods, formal verification, time-triggered algorithms, synchronous systems, PVS.
An Overview of Formal Verification for the Time-Triggered Architecture
2002
Cited by 25 (3 self)
We describe formal verification of some of the key algorithms in the Time-Triggered Architecture (TTA) for real-time safety-critical control applications.
A formally verified algorithm for clock synchronization under a hybrid fault model
In Thirteenth ACM Symposium on Principles of Distributed Computing, 1994
Cited by 22 (7 self)
A small modification to the interactive convergence clock synchronization algorithm allows it to tolerate a larger number of simple faults than the standard algorithm, without reducing its ability to tolerate arbitrary or “Byzantine” faults. Because the extended case analysis required by the new fault model complicates the already intricate argument for correctness of the algorithm, it has been subjected to mechanically-checked formal verification. The fault model examined is similar to the “hybrid” one previously used for the problem of distributed consensus: in addition to arbitrary faults, we also admit symmetric (i.e., consistent) and manifest (i.e., detectable) faults. With n processors, the modified algorithm can withstand a arbitrary, s symmetric, and m manifest faults simultaneously, provided n > 3a + 2s + m. A further extension to the fault model includes link faults with bound n > 3a + 2s + m + l, where l is the maximum, over all pairs of processors, of the number of processors that have faulty links to one or other of the pair. The
Probabilistic Internal Clock Synchronization
In Proceedings of the Thirteenth Symposium on Reliable Distributed Systems, Dana Point, CA, 2003
Cited by 21 (1 self)
We propose an improved probabilistic method for reading remote clocks in systems subject to unbounded communication delays and use this method to design a family of fault-tolerant probabilistic internal clock synchronization protocols. The members of this family differ in the failure classes they tolerate, from crash to arbitrary. Because of probabilistic reading, our protocols achieve better synchronization precisions than those achievable by previously known deterministic algorithms. Another advantage of the proposed protocols is that they use a linear, instead of quadratic, number of messages, and that message exchanges are staggered in time instead of all happening in narrow synchronization intervals. The envelope and drift rates of the synchronized clocks are proven to be optimal.
Formal Verification for Time-Triggered Clock Synchronization
1999
Cited by 20 (1 self)
Distributed dependable real-time systems crucially depend on fault-tolerant clock synchronization. This paper reports on the formal analysis of the clock synchronization service provided as an integral feature by the Time-Triggered Protocol (TTP), a communication protocol particularly suitable for safety-critical control applications, such as in automotive “by-wire” systems. We describe the formal model extracted from the TTP specification and its formal verification, using the PVS system. Verification of the central clock synchronization properties is achieved by linking the TTP model of the synchronization algorithm to a generic derivation of the properties from abstract assumptions, essentially establishing the TTP algorithm as a concrete instance of the generic one by verifying that it satisfies the abstract assumptions. We also show how the TTP algorithm provides the clock synchronization that is required by a previously proposed general framework for verifying time-triggered algorithms.
Formal Verification of an Interactive Consistency Algorithm for the Draper FTP . . .
In COMPASS ’94 (Proceedings of the Ninth Annual Conference on Computer Assurance), 1994
Cited by 15 (5 self)
Fault-tolerant systems for critical applications should tolerate as many kinds of faults and as large a number of faults as possible, while using as little hardware as feasible. And they should be provided with strong assurances for their correctness. Byzantine
Verification of clock synchronization algorithms: Experiments on a combination of deductive tools
In Proceedings of AVOCS 2005, volume 145 of ENTCS, 2005
Cited by 15 (3 self)
We report on an experiment in combining the theorem prover Isabelle with automatic first-order arithmetic provers to increase automation on the verification of distributed protocols. As a case study for the experiment we verify several averaging clock synchronization algorithms. We present a formalization of Schneider’s generalized clock synchronization protocol [15] in Isabelle/HOL. Then, we verify that the convergence functions used in two clock synchronization algorithms, namely, the Interactive Convergence Algorithm (ICA) of Lamport and Melliar-Smith [10] and the Fault-tolerant Midpoint algorithm of Lundelius-Lynch [11], satisfy Schneider’s general conditions for correctness. The proofs are completely formalized in Isabelle/HOL. We identify the parts of the proofs which are not fully automatically proven by Isabelle built-in tactics and show that these proofs can be handled by automatic first-order provers with support for arithmetic like ICS and CVC Lite. Key words: Theorem proving, verification, clock synchronization.
Mechanical Verification of Clock Synchronization Algorithms
In Formal Techniques in Real-Time and Fault-Tolerant Systems, 1998
Cited by 15 (0 self)
Clock synchronization algorithms play a crucial role in a variety of fault-tolerant distributed architectures. Although those algorithms are similar in their basic structure, the particular designs differ considerably, for instance in the way clock adjustments are computed. This paper develops a formal generic theory of clock synchronization algorithms which extracts the commonalities of specific algorithms and their correctness arguments; this generalizes previous work by Shankar and Miner by covering non-averaging adjustment functions, in addition to averaging algorithms. The generic theory is presented as a set of parameterized PVS theories, stating the general assumptions on parameters and demonstrating the verification of generic clock synchronization. The generic theory is then specialized to the class of algorithms using averaging functions, yielding a theory that corresponds to those of Shankar and Miner. As examples of the verification of concrete, published algorithms, the formal verification of an instance of an averaging algorithm (by Welch and Lynch [1]) and of a non-averaging algorithm (by Srikant and Toueg [9]) is exhibited.
A Unified Fault-Tolerance Protocol
2004
Cited by 14 (5 self)
Davies and Wakerly show that Byzantine fault tolerance can be achieved by a cascade of broadcasts and middle value select functions. We present an extension of the Davies and Wakerly protocol, the unified protocol, and its proof of correctness. The unified protocol provides fault-tolerance as a service to other protocols. We prove that it satisfies validity and agreement properties for communication of exact values. We then introduce bounded communication error into the model. Inexact communication is inherent for clock synchronization protocols. We prove that validity and agreement properties hold for inexact communication, and that exact communication is a special case. As a running example, we illustrate the unified protocol using the SPIDER family of fault-tolerant architectures. In particular we demonstrate that the SPIDER interactive consistency, distributed diagnosis, and clock synchronization protocols are instances of the unified protocol.