Requirements Analysis of a Quad-Redundant Flight Control System

  • John Backes
  • Darren Cofer
  • Steven Miller
  • Michael W. Whalen
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9058)


In this paper we detail our effort to formalize and prove requirements for the Quad-redundant Flight Control System (QFCS) within NASA’s Transport Class Model (TCM). We use a compositional approach with assume-guarantee contracts that correspond to the requirements for software components embedded in an AADL system architecture model. This approach is designed to exploit the verification effort and artifacts that are already part of typical software verification processes in the avionics domain. Our approach is supported by an AADL annex that allows specification of contracts along with a tool, called AGREE, for performing compositional verification. The goal of this paper is to show the benefits of a compositional verification approach applied to a realistic avionics system and to demonstrate the effectiveness of the AGREE tool in performing this analysis.


Keywords: Model Checker; Requirement Analysis; Actuator Signal Handling Quality; Compositional Reasoning





Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • John Backes, Rockwell Collins, Bloomington, USA
  • Darren Cofer, Rockwell Collins, Bloomington, USA
  • Steven Miller, Rockwell Collins, Bloomington, USA
  • Michael W. Whalen, University of Minnesota, Minneapolis, USA
