Formal Specification and Verification of a Coordination Protocol for an Automated Air Traffic Control System

摘要

Safe separation between aircraft is the primary consideration in air trafficcontrol. To achieve the required level of assurance for this safety-critical application,the Automated Airspace Concept (AAC) proposes three levels of conflict detectionand resolution. Recently, a high-level operational concept was proposed to definethe cooperation between components in the AAC. However, the proposed coordinationprotocol has not been formally studied. We use formal verification techniquesto ensure there are no potentially catastrophic design flaws remaining in the AACdesign before the next stage of production.We formalize the high-level operational concept, which was previously describedonly in natural language, in NuSMV and perform model validation by checkingagainst LTL/CTL specifications we derive from the system description. We writeLTL specifications describing safe system operations and use model checking forsystem verification. We employ specification debugging to ensure correctness ofboth sets of formal specifications and model abstraction to reduce model checkingtime and enable fast, design-time checking. We analyze two counterexamplesrevealing unexpected emergent behaviors in the operational concept that triggereddesign changes by system engineers to meet safety standards. Our experience reportilluminates the application of formal methods in real safety-critical system developmentby detailing a complete end-to-end design-time verification process includingall models and specifications.