Formal verification of fault tolerance in safety-critical reconfigurable modules

  • Jerker Hammarberg
  • Simin Nadjm-Tehrani
Special section on formal methods for industrial critical systems


Demands for higher flexibility in aerospace applications have led to increasing deployment of reconfigurable modules. In several cases the industry is looking at Field Programmable Gate Arrays (FPGAs) as a means of efficient adaptation of existing components. This paper addresses the safety analysis issues for reconfigurable modules, with an emphasis on FPGAs. FPGAs act as digital hardware, but in the context of safety analysis they should be treated as software, i.e. with added demands on formal analysis. The contributions of this paper are twofold. First, we illustrate a development process that uses a language with formal semantics (Esterel) for design, formal verification of the high-level design, and automatic code generation down to synthesizable VHDL. We argue that this process reduces the likelihood of systematic (permanent) faults in the design, and still produces VHDL code of acceptable quality (FPGA size, delay). Second, in a general approach that is equally applicable to other formal design languages, we illustrate how the effects of transient fault modes and of faults in external modules can be formally studied. We modularly extend the component design model with fault models that represent specific or random faults (e.g. radiation leading to bit flips in the component under design), and transient or permanent faults in the rest of the environment. Some faults corrupt inputs to the component and others jeopardise the effect of output signals that control the environment. This process supports a formal version of Failure Modes and Effects Analysis (FMEA). The set-up is then used to formally determine which (single or multiple) fault modes cause violation of the top-level safety-related property, much in the spirit of fault-tree analysis (FTA). All of this is done without building the fault tree, and using a common model for design and for safety analyses. An aerospace hydraulic monitoring system is used to illustrate the analysis of fault tolerance.
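The analysis flow described in the abstract (a synchronous design, fault models composed in modularly, a top-level safety property checked over all fault-mode combinations to recover the cut sets that a fault tree would list) can be illustrated on a small scale. The following is an added example, not code from the paper: the design is written as a Python step function standing in for an Esterel module, and the exhaustive bounded exploration stands in for the model checker. The monitor, its two sensors, the debounce latch, the pressure limit, the fault-mode names and the safety property are all constructed for this illustration and are not the paper's hydraulic monitoring system.

```python
"""Toy formal FMEA/FTA over a synchronous design with injected fault modes.

Constructed example: a stand-in for the Esterel-plus-model-checker flow.
The design, fault modes, limit and property are assumptions made for
illustration, not the paper's hydraulic monitor.
"""
from itertools import combinations, product

PRESSURE_LIMIT = 100          # hypothetical hazard threshold
LOW, HIGH = 50, 150           # the two environment pressure values explored
TRACE_LEN = 3                 # bound for the exhaustive (bounded) exploration

# Fault modes that the extended model can switch on, one flag each.
FAULT_MODES = (
    "sensor_a_stuck_ok",  # permanent input fault: sensor A always reports "in range"
    "sensor_b_stuck_ok",  # permanent input fault: sensor B always reports "in range"
    "latch_bitflip",      # transient fault: the 'prev_over' latch is inverted by a flip event
    "valve_ignored",      # output/environment fault: the close command has no effect
)


def monitor_step(prev_over, pressure, flip, faults):
    """One synchronous reaction of the monitor with fault models composed in.

    prev_over : bool, latch holding last tick's detection (design state)
    pressure  : int, true environment pressure this tick
    flip      : bool, whether a bit-flip event occurs this tick (only has an
                effect when the 'latch_bitflip' fault mode is enabled)
    faults    : set of enabled fault-mode names
    Returns (new_prev_over, valve_closed, pump_running).
    """
    over = pressure > PRESSURE_LIMIT
    # Two redundant sensors; a stuck sensor never reports over-pressure.
    sensor_a = over and "sensor_a_stuck_ok" not in faults
    sensor_b = over and "sensor_b_stuck_ok" not in faults
    detected = sensor_a or sensor_b            # 1-out-of-2 detection
    if "latch_bitflip" in faults and flip:
        prev_over = not prev_over              # corrupt the state before it is used
    valve_closed = detected and prev_over      # debounce: two consecutive detections
    # Output fault: the environment does not act on the command.
    pump_running = (not valve_closed) or "valve_ignored" in faults
    return detected, valve_closed, pump_running


def run_trace(pressures, flips, faults):
    """Execute the design over a whole input trace; return per-tick (pressure, pump_running)."""
    prev_over = False
    trace = []
    for pressure, flip in zip(pressures, flips):
        prev_over, _, pump_running = monitor_step(prev_over, pressure, flip, faults)
        trace.append((pressure, pump_running))
    return trace


def safe(trace):
    """Top-level safety property: after two consecutive over-pressure ticks the pump is off."""
    for t in range(1, len(trace)):
        (p0, _), (p1, running) = trace[t - 1], trace[t]
        if p0 > PRESSURE_LIMIT and p1 > PRESSURE_LIMIT and running:
            return False
    return True


def violates(faults):
    """Bounded check: does some input trace of length TRACE_LEN violate the property?"""
    for pressures in product((LOW, HIGH), repeat=TRACE_LEN):
        for flips in product((False, True), repeat=TRACE_LEN):
            if not safe(run_trace(pressures, flips, faults)):
                return True
    return False


def minimal_cut_sets():
    """Fault-mode combinations that break the property and have no violating proper subset."""
    cut_sets = []
    for size in range(1, len(FAULT_MODES) + 1):
        for combo in combinations(FAULT_MODES, size):
            fault_set = frozenset(combo)
            if any(known <= fault_set for known in cut_sets):
                continue                       # not minimal: a subset already fails
            if violates(fault_set):
                cut_sets.append(fault_set)
    return cut_sets


if __name__ == "__main__":
    print("fault-free design violates property:", violates(frozenset()))
    for cs in minimal_cut_sets():
        print("minimal cut set:", sorted(cs))
```

Running it reports that the fault-free design satisfies the property, that a single stuck sensor is tolerated by the 1-out-of-2 detection, and that the minimal cut sets are {latch_bitflip}, {valve_ignored} and {sensor_a_stuck_ok, sensor_b_stuck_ok}. The first of these is the kind of finding the abstract's transient-fault models are meant to expose: one bit flip in the debounce latch at the wrong tick defeats the shutdown, so the latch is a single point of failure even though the sensors are redundant. The cut sets fall out of the same model used for the design, with no separate fault tree constructed.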


Keywords: Safety analysis; Formal verification; Fault tolerance; FPGA; Esterel





Copyright information

© Springer-Verlag 2004

Authors and Affiliations

  1. Department of Computer and Information Science, Linköping University, Linköping, Sweden
  2. DST Control AB, Linköping, Sweden
