TY - GEN
T1 - Model-based analysis of Timed-Triggered Ethernet
AU - Dutertre, Bruno
AU - Easwaran, Arvind
AU - Hall, Brendan
AU - Steiner, Wilfried
PY - 2012
Y1 - 2012
N2 - Timed-Triggered Ethernet (TTEthernet) is a communication infrastructure that enables the use of Ethernet networks in real-time, distributed applications. The core of TTEthernet is a set of fault-tolerant protocols for clock synchronization, startup, and clique detection and resolution. We present recent work on model-based analysis of the TTEthernet startup and synchronization protocols. We first use automated test-generation tools to drive high-coverage testing of prototype TTEthernet hardware, based on a state-machine model of the TTEthernet protocols. With almost no human guidance, this technique enables us to achieve MC/DC coverage of the startup protocol under valid fault scenarios. We then focus on the TTEthernet clock-synchronization protocol. We develop correctness proofs of key properties of this protocol using the PVS interactive theorem prover [1]. As a result of this formalization, we have identified a suboptimal design choice in the clock-compression function defined in the TTEthernet draft standard [2]. We propose an alternative definition and, using model-checking tools, we show that the new function achieves better clock precision than the original. These results demonstrate effective use of modeling and formal techniques in proof and test of a fault-tolerant network infrastructure relevant to avionics and other embedded systems.
AB - Timed-Triggered Ethernet (TTEthernet) is a communication infrastructure that enables the use of Ethernet networks in real-time, distributed applications. The core of TTEthernet is a set of fault-tolerant protocols for clock synchronization, startup, and clique detection and resolution. We present recent work on model-based analysis of the TTEthernet startup and synchronization protocols. We first use automated test-generation tools to drive high-coverage testing of prototype TTEthernet hardware, based on a state-machine model of the TTEthernet protocols. With almost no human guidance, this technique enables us to achieve MC/DC coverage of the startup protocol under valid fault scenarios. We then focus on the TTEthernet clock-synchronization protocol. We develop correctness proofs of key properties of this protocol using the PVS interactive theorem prover [1]. As a result of this formalization, we have identified a suboptimal design choice in the clock-compression function defined in the TTEthernet draft standard [2]. We propose an alternative definition and, using model-checking tools, we show that the new function achieves better clock precision than the original. These results demonstrate effective use of modeling and formal techniques in proof and test of a fault-tolerant network infrastructure relevant to avionics and other embedded systems.
UR - http://www.scopus.com/inward/record.url?scp=84872473594&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84872473594&partnerID=8YFLogxK
U2 - 10.1109/DASC.2012.6382445
DO - 10.1109/DASC.2012.6382445
M3 - Conference contribution
AN - SCOPUS:84872473594
SN - 9781467316996
T3 - AIAA/IEEE Digital Avionics Systems Conference - Proceedings
SP - 9D21-9D211
BT - 31st Digital Avionics Systems Conference
T2 - 31st Digital Avionics Systems Conference: Projecting 100 Years of Aerospace History into the Future of Avionics, DASC 2012
Y2 - 14 October 2012 through 18 October 2012
ER -