Computing Reviews
Today's Issue Hot Topics Search Browse Recommended My Account Log In
Review Help
Search
Eliminating synchronization faults in air traffic control software via design for verification with concurrency controllers
Betin Can A., Bultan T., Lindvall M., Lux B., Topp S. Automated Software Engineering14 (2):129-178,2007.Type:Article
Date Reviewed: Jun 20 2008

This paper discusses design for verification that uses a model checker--namely, the action language verifier (ALV)--to detect and prevent synchronization faults in the domain of avionic systems. More specifically, the paper describes experimental results obtained by applying ALV to an automated air traffic control (ATC) software element known as the tactical separation assisted flight environment (TSAFE). TSAFE is responsible for maintaining proper separation between airplanes flying in commercial airspace.

There are four main contributions in this paper: the reconstruction of TSAFE in the concurrency controller pattern, the justification for using this pattern, and identification and replacement of all synchronization statements with appropriate concurrency control protocols, such as RW and MUTX; the implementation of TSAFE using distributed client/server in Java; the creation of 140 faulty versions of TSAFE using manual seeded faults, as well as randomly and automatically seeded faults; and a two-step verification of a TSAFE behavior, interface, and behavioral verification, using the ALV model checker.

The paper is well written and well organized. It definitely represents many technical efforts in the design of very complex and critical systems. The main benefit of its approach is the efficient and effective use of the model checker to detect the synchronization problems that may cause inconsistency in the state of a safety-critical system. This possible inconsistency may result in the system being in a hazardous state that may ultimately lead to an accident.

The main concern of this approach is that it does not elaborate on how the automatic translation of the concurrency controller pattern into ALV is achieved. More specifically, the discussion regarding transformation rules is unclear and incomplete. Discussion of the transformation rules is necessary in order to better understand, and therefore better appreciate, the work and the automatic translation of the concurrency control pattern into an input that can be used by the ALV model checker.
Reviewer:  Hassan Reza Review #: CR135749 (0905-0468)
Bookmark and Share
 
Model Checking (D.2.4 ... )
 
 
Patterns (D.2.11 ... )
 
 
Concurrent Programming (D.1.3 )
 
 
Design Tools and Techniques (D.2.2 )
 
 
Software Architectures (D.2.11 )
 
Would you recommend this review?
yes
no
Other reviews under "Model Checking": Date
Systems and software verification: model-checking techniques and tools
B ., Bidoit M., Finkel A., Laroussinie F., Petit A., Petrucci L., Schnoebelen P., McKenzie P., Springer-Verlag New York, Inc., New York, NY, 1999.  190, Type: Book (9783540415237)		 Sep 30 2002
Module checking
Kupferman O., Vardi M., Wolper P. Information and Computation 164(2): 322-344, 2001. Type: Article		 Mar 1 2002
SMC: a symmetry-based model checker for verification of safety and liveness properties
Sistla A., Gyuris V., Emerson E. ACM Transactions on Software Engineering and Methodology 9(2): 133-166, 2000. Type: Article		 Sep 1 2000
more...
E-Mail This Printer-Friendly
Send Your Comments
Contact Us
Reproduction in whole or in part without permission is prohibited.   Copyright 1999-2024 ThinkLoud®
Terms of Use | Privacy Policy