On Teaching Applied Formal Methods in Aerospace Engineering

  • Kristin Yvonne Rozier
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11758)


As formal methods come into broad industrial use for verification of safety-critical hardware, software, and cyber-physical systems, there is an increasing need to teach practical skills in applying formal methods at both the undergraduate and graduate levels. In the aerospace industry, flight certification requirements like the FAA’s DO-178B, DO-178C, DO-333, and DO-254, along with a series of high-profile accidents, have helped turn knowledge of formal methods into a desirable job skill for a wide range of engineering positions. We approach the question of verification from a safety-case perspective: the primary teaching goal is to impart students with the ability to look at a verification question and identify what formal methods are applicable, which tools are available, what the outputs from those tools will say about the system, and what they will not, e.g., what parts of the safety case need to be provided by other means. We overview the lectures, exercises, exams, and student projects in a mixed-level (undergraduate/graduate) Applied Formal Methods course taught in an Aerospace Engineering department (additional materials are available on the course website). We highlight the approach, tools, and techniques aimed at imparting a good sense of both the state of the art and the state of the practice of formal methods in an effort to effectively prepare students headed for jobs in an increasingly formal world.



Information on our recent work can be found online. Thanks to the Aerospace Engineering departments at Iowa State University and the University of Cincinnati for their forward thinking in recognizing the need to develop such a course. AERE/COMS 407/507 was developed over the Spring 2017, Fall 2017, and Fall 2018 semesters at ISU; parts of the class were first developed during the Spring 2015 and 2016 semesters at UC. Thanks to all of the students who actively participated in those courses, especially for coming up with such fantastic half-semester projects. Some course materials were inspired by or directly derived from The TeachLogic Project; special thanks goes to Ian Barland, John Greiner, and Moshe Vardi for their brilliant teaching tools. Thanks to the NASA Langley Formal Methods Group for providing an excellent PVS course both in-person [6] and online with a rich collection of regularly-updated teaching materials. Thanks to the many guest speakers including: Nikolaj Bjørner, Jonathan Hoffman, Yogananda Jeppu, César Muñoz, Lucas Wagner.


1. Ameur, Y.A., Boniol, F., Wiels, V.: Toward a wider use of formal methods for aerospace systems design and verification. Int. J. Softw. Tools Technol. Transf. 12(1), 1–7 (2010)
2. Basir, N., Denney, E., Fischer, B.: Constructing a safety case for automatically generated code from formal program verification information. In: Harrison, M.D., Sujan, M.-A. (eds.) SAFECOMP 2008. LNCS, vol. 5219, pp. 249–262. Springer, Heidelberg (2008)
3. Behm, P., Benoit, P., Faivre, A., Meynadier, J.-M.: Météor: a successful application of B in a large project. In: Wing, J.M., Woodcock, J., Davies, J. (eds.) FM 1999. LNCS, vol. 1708, pp. 369–387. Springer, Heidelberg (1999)
4. Bérard, B., et al.: Systems and Software Verification: Model-checking Techniques and Tools. Springer, Heidelberg (2013)
5. Bittner, B., et al.: An integrated process for FDIR design in aerospace. In: Ortmeier, F., Rauzy, A. (eds.) IMBSA 2014. LNCS, vol. 8822, pp. 82–95. Springer, Cham (2014)
6. Butler, R., et al.: NASA/NIA PVS Class 2012. NIA, Hampton, Virginia, USA, October 9–12 (2012)
7. Butler, R., Maddalon, J., Geser, A., Muñoz, C.: Simulation and verification I: formal analysis of air traffic management systems: the case of conflict resolution and recovery. In: Proceedings of the 35th Conference on Winter Simulation: Driving Innovation, pp. 906–914. Winter Simulation Conference (2003)
8. CENELEC, EN50126: Railway applications – the specification and demonstration of reliability, availability, maintainability and safety (RAMS) (2001)
9. CENELEC, EN50128: Railway applications – communication, signalling and processing systems – software for railway control and protection systems (2011)
10. Denney, E., Pai, G., Pohl, J.: Heterogeneous aviation safety cases: integrating the formal and the non-formal. In: 2012 IEEE 17th International Conference on Engineering of Complex Computer Systems, pp. 199–208. IEEE (2012)
11. CENELEC, EN50129: Railway applications – communication, signalling and processing systems – safety related electronic systems for signalling. British Standards Institution, United Kingdom, ISBN 0580–4181 (2003)
12. von Essen, C., Giannakopoulou, D.: Analyzing the next generation airborne collision avoidance system. In: Ábrahám, E., Havelund, K. (eds.) TACAS 2014. LNCS, vol. 8413, pp. 620–635. Springer, Heidelberg (2014)
13.
14. Gario, M., Cimatti, A., Mattarei, C., Tonetta, S., Rozier, K.Y.: Model checking at scale: automated air traffic control design space exploration. In: Chaudhuri, S., Farzan, A. (eds.) CAV 2016. LNCS, vol. 9780, pp. 3–22. Springer, Cham (2016)
15. Geist, J., Rozier, K.Y., Schumann, J.: Runtime observer pairs and Bayesian network reasoners on-board FPGAs: flight-certifiable system health management for embedded systems. In: Bonakdarpour, B., Smolka, S.A. (eds.) RV 2014. LNCS, vol. 8734, pp. 215–230. Springer, Cham (2014)
16. Guarro, S., et al.: Formal framework and models for validation and verification of software-intensive aerospace systems. In: AIAA Information Systems-AIAA Infotech@Aerospace, p. 0418 (2017)
17. Kochenderfer, M.J., Chryssanthacopoulos, J.: Robust airborne collision avoidance through dynamic programming. Massachusetts Institute of Technology, Lincoln Laboratory, Project Report ATC-371 (2011)
18. Mattarei, C., Cimatti, A., Gario, M., Tonetta, S., Rozier, K.Y.: Comparing different functional allocations in automated air traffic control design. In: Proceedings of Formal Methods in Computer-Aided Design (FMCAD 2015), Austin, Texas, USA. IEEE/ACM, September 2015
19. Radio Technical Commission for Aeronautics (RTCA): DO-333 – formal methods supplement to DO-178C and DO-278A (2011)
20. Radio Technical Commission for Aeronautics (RTCA): DO-178C/ED-12C – software considerations in airborne systems and equipment certification (2012)
21. Radio Technical Commission for Aeronautics (RTCA): DO-178B – software considerations in airborne systems and equipment certification, December 1992
22. Radio Technical Commission for Aeronautics (RTCA): DO-254 – design assurance guidance for airborne electronic hardware, April 2000
23. Reinbacher, T., Rozier, K.Y., Schumann, J.: Temporal-logic based runtime observer pairs for system health management of real-time systems. In: Ábrahám, E., Havelund, K. (eds.) TACAS 2014. LNCS, vol. 8413, pp. 357–372. Springer, Heidelberg (2014)
24. Rozier, K.Y., Schumann, J., Ippolito, C.: Intelligent hardware-enabled sensor and software safety and health management for autonomous UAS. Technical Memorandum NASA/TM-2015-218817, NASA Ames Research Center, Moffett Field, CA 94035, USA, May 2015
25. Rozier, K.: Linear temporal logic symbolic model checking. Comput. Sci. Rev. J. 5(2), 163–203 (2011)
26. Rozier, K., Rozier, E.: Reproducibility, correctness, and buildability: the three principles for ethical public dissemination of computer science and engineering research. In: IEEE International Symposium on Ethics in Engineering, Science, and Technology (Ethics 2014), pp. 1–13. IEEE, May 2014
27. Rozier, K.Y., Vardi, M.Y.: LTL satisfiability checking. In: Bošnački, D., Edelkamp, S. (eds.) SPIN 2007. LNCS, vol. 4595, pp. 149–167. Springer, Heidelberg (2007)
28. Rozier, K.Y., Vardi, M.Y.: A multi-encoding approach for LTL symbolic satisfiability checking. In: Butler, M., Schulte, W. (eds.) FM 2011. LNCS, vol. 6664, pp. 417–431. Springer, Heidelberg (2011)
29. Rozier, K.Y., Vardi, M.Y.: Deterministic compilation of temporal safety properties in explicit state model checking. In: Biere, A., Nahir, A., Vos, T. (eds.) HVC 2012. LNCS, vol. 7857, pp. 243–259. Springer, Heidelberg (2013)
30. NASA UTM Research Transition Team (RTT): NASA UTM NextGen concept of operations v1.0, May 2018
31. Rushby, J.: A safety-case approach for certifying adaptive systems. In: AIAA Infotech@Aerospace Conference and AIAA Unmanned... Unlimited Conference, pp. 1–16 (2009)
32. Rushby, J.: Logic and epistemology in safety cases. In: Bitsch, F., Guiochet, J., Kaâniche, M. (eds.) SAFECOMP 2013. LNCS, vol. 8153, pp. 1–7. Springer, Heidelberg (2013)
33. Schumann, J., Moosbrugger, P., Rozier, K.Y.: R2U2: monitoring and diagnosis of security threats for unmanned aerial systems. In: Bartocci, E., Majumdar, R. (eds.) RV 2015. LNCS, vol. 9333, pp. 233–249. Springer, Cham (2015)
34. U.S. Department of Transportation, Federal Aviation Administration: Introduction to TCAS II version 7.1, HQ-111358, February 2011
35. Vardi, M.Y.: Branching vs. linear time: final showdown. In: Margaria, T., Yi, W. (eds.) TACAS 2001. LNCS, vol. 2031, pp. 1–22. Springer, Heidelberg (2001)
36. Wei, P., Atkins, E., Schnell, T., Rozier, K.Y., Hunter, G.: NSF PFI:BIC: pre-departure dynamic geofencing, en-route traffic alerting, emergency landing and contingency management for intelligent low-altitude airspace UAS traffic management, July 2017
37. Wiels, V., Delmas, R., Doose, D., Garoche, P.L., Cazin, J., Durrieu, G.: Formal verification of critical aerospace software. AerospaceLab (4), 1–8 (2012)
38. Zhao, Y., Rozier, K.Y.: Formal specification and verification of a coordination protocol for an automated air traffic control system. In: Proceedings of the 12th International Workshop on Automated Verification of Critical Systems (AVoCS 2012). Electronic Communications of the EASST, vol. 53. European Association of Software Science and Technology (2012)
39. Zhao, Y., Rozier, K.Y.: Formal specification and verification of a coordination protocol for an automated air traffic control system. Sci. Comput. Program. J. 96(3), 337–353 (2014)
40. Zhao, Y., Rozier, K.Y.: Probabilistic model checking for comparative analysis of automated air traffic control systems. In: Proceedings of the 33rd IEEE/ACM International Conference on Computer-Aided Design (ICCAD 2014), San Jose, California, USA, pp. 690–695. IEEE/ACM, November 2014

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Kristin Yvonne Rozier, Iowa State University, Ames, USA