The Time-Triggered Protocol TTP/C constitutes the core of the communication level of the Time-Triggered Architecture for dependable real-time systems. TTP/C ensures consistent data distribution, even in the presence of faults occurring to nodes or the communication channel. However, the protocol mechanisms of TTP/C rely on a rather optimistic fault hypothesis. Therefore, an independent component, the central guardian, employs static knowledge about the system to transform arbitrary node failures into failure modes that are covered by the fault hypothesis. This paper presents a modular formal analysis of the communication properties of TTP/C based on the guardian approach. Through a hierarchy of formal models, we give a precise description of the arguments that support the desired correctness properties of TTP/C. First, requirements for correct communication are expressed on an abstract level. By stepwise refinement we show both that these abstract requirements are met under the optimistic fault hypothesis, and how the guardian model allows a broader class of node failures to be tolerated. The models have been developed and mechanically checked using the specification and verification system PVS.

Online Copy

Paper: Preprint available as PDF (221 KB) PVS specification and proof files (for PVS Version 3.1): Save the dump file safecomp2004.dump (149 KB) in a new directory. Unpack the theories with M-x undump-pvs-files within PVS. The top-level theory is top.pvs.

BibTeX Entry

@Article{PvH07, author = {Holger Pfeifer and Friedrich von Henke}, title = "{Modular Formal Analysis of the Central Guardian in the Time-Triggered Architecture}", journal = {Reliability Engineering \& System Safety}, year = 2007, volume = {92}, number = {11}, pages = {1538-1550}, note = "doi:10.1016/j.ress.2006.10.006" }