SMT-Based Formal Verification of a TTEthernet Synchronization Function


Steiner, W., Dutertre, B. (2010). SMT-Based Formal Verification of a TTEthernet Synchronization Function. In: Kowalewski, S., Roveri, M. (eds) Formal Methods for Industrial Critical Systems. FMICS 2010. Lecture Notes in Computer Science, vol 6371. Springer, Berlin, Heidelberg.


TTEthernet is a communication infrastructure for mixed-criticality systems that integrates dataflow from applications with different criticality levels on a single network. For applications of highest criticality, TTEthernet provides a synchronization strategy that tolerates multiple failures. The resulting fault-tolerant timebase can then be used for time-triggered communication to ensure temporal partitioning on the shared network.

In this paper, we present the formal verification of the compression function which is a core element of the clock synchronization service of TTEthernet. The compression function is located in the TTEthernet switches: it collects clock readings from the end systems, performs a fault-tolerant median calculation, and feedbacks the result to the end systems. While traditionally the formal proof of these types of algorithms is done by theorem proving, we successfully use the model checker sal-inf-bmc incorporating the YICES SMT solver. This approach improves the automatized verification process and, thus, reduces the manual verification overhead.

Keywords: Observation Window, Clock Synchronization, Compression Function, Permanence Function, Collection Phase

Read more from SRI