ON THE DESIGN OF SIDE�STICK CONTROLLERS IN FLY�BY�WIRE
AIRCRAFT
�
Mu�y Thomas and Bowen Ormsby
University of Glasgow� Scotland� U�K�
resp ect to some safety requirements� Two mo dels� of increas� Abstract
ing complexity� are develop ed and analysed using the ISO
formal description technique LOTOS �Language of Tempo�
This pap er presents the problem of designing the functional
ral Ordering Speci�cation� ���� LOTOS is appropriate since
b ehaviour of the interaction b etween two side�stick con�
we are concerned only with relative time� rather than with
trollers� an autopilot� and a �ightcontrol computer in a
real time�
�y�by�wire aircraft� Two mo dels are develop ed using the
The �rst section gives the informal requirements of the
ISO formal description technique LOTOS� and analysed us�
side�sticks controllers� and the second section intro duces LO� ing rigorous abstract testing techniques�
TOS� The basic design description is given in the third sec�
Keywords� Avionics� Design� Formal Description Tech�
tion� followed by an analysis of the design� Then� the design
niques� LOTOS� Pro cess Algebras� Safety�Critical Software�
is extended to include time� and this to o is analysed� There
Sp eci�cation� Testing� Veri�cation� Validation�
follows a discussion and our conclusions �
Intro duction
� Requirements
The reliabili tyofsoftwareinemb edded computer systems is
The requirements have b een extracted from ����
a matter of increasing concern� particularl y for safety�critical
Each pilot has a side�stick� and the two sticks are linked
systems�
to the �ightcontrol computer� Normally� b oth sticks are
There are no known quantitative metho ds for demon�
enabled and movements of them pro duce a resp onse which
strating high levels of software reliabili ty ��� � �� instead�
dep ends on the sum of their displacements� up to a maximum
most approaches to software in safety�critical situations rely
of the full de�ection of one stick� So� if b oth sticks are moved
mainly on assurance� based on the evidence pro duced dur�
forward two degrees� the aircraft will b ehave as if one stick
ing the software lifecycle� Our interest lies in augmenting
had b een moved forward four degrees� Similarly� equal and
the preliminary and detailed design stages with mathemati�
opp osite movements cancel each other out�
cal mo delling and validation stages� our goal is the reduction
In an emergency � one pilot can override the other pilot�s
of errors and design changes during unit testing after imple�
controls by pressing a button on his�her stick� This button
mentation �i�e� by �nding the errors before implementation��
�which also acts as the autopilot disengage button� causes
us� we are interested in applying formal metho ds as design Th
inputs from the other pilot�s stick to b e ignored� and gives
to ols�
prioritycontrol to the pilot who pressed it� If the button is
The aerospace industry is an area where software� on
held down for more than thirty seconds� the stick retains pri�
the whole� is extending existing electromechanical systems�
orityuntil the system is reset bycentralising the disengaged
the concerns of control and protection must b e clearly sep�
stick� This override system allows one pilot to take sole con�
arated and quali�ed� with a high degree of assurance� It
trol of the aircraft if the other pilot gets into di�cultyorif
is b ecoming clear from our own exp erience� from others in
a stick jams�
the �eld ���� �� � ��� and in the aerospace industry �eg� �����
Amongst many other controls� b oth pilots also havean
that techniques such as static analysis and validation based
autopilot engage button� If b oth pilots are in control �i�e�
on mathematical mo dels can have an imp ortantroletoplay
not overridden� and one of them presses this button� the au�
in the design of safety�critical software� This is particularly
topilot also gains control of the aircraft until one of the pilots
the case when analysis addresses the questions of whether
presses the autopilot disengage button on his�her side�stick�
the software satis�es safety constraints�
A pilot in control can engage or disengage the autopilot� but
Here� we consider a case study� the problem of design�
a pilot not in control cannot a�ect the state of the autopilot�
ing the functional b ehaviour of the interactions b etween two
side�stick controllers� the autopilot� and a �ightcontrol com�
� Design Descriptions
puter in a �y�by�wire aircraft� This is a relevant example
since such a con�guration is part of the current Airbus Indus�
The natural language description given ab ove� whilst rela�
trie A��� ���� Our aim is to develop a mo del from an initial
tively clear� is still ambiguous and incomplete� Further� it
statement of the requirements� to verify that the mo del do es
o�ers no p ossibili ty of rigorously demonstrating that it is a
ful�l the requirements� and to provide some degree of assur�
go o d� safe proto col that can b e implemented�
ance that this is a go o d design by analysing the mo del with
Our intention is to develop a design description whichis
�
closer to an eventual implementation � but abstract enough Funded by University of Glasgow Research Studentship
opns n��n��n��n�����p��p��p��p� � �� stickpos to allow for rigorous analysis of the essential b ehaviour�
Succ � Pred � stickpos �� stickpos The formal description technique LOTOS is used to
��� ��eq� mo del the design� LOTOS is a pro cess algebra �similar to � stickpos�stickpos �� stickpos
CCS ��� but with data typ es and multi�way synchronisa� eqns forall x�y�stickpos
tion� which allows us to mo del pro cesses that can b e non� ���
deterministic and�or concurrent� with or without synchro� endtype
nisation� Pro cesses can b e parameterised by abstract data
A pilot�s controls consists of the x and y co ordinates of
typ e values� and suchvalues can b e passed� or negotiated�
a stick� the co ordinates are selected with op erations xstick
between pro cesses through synchronisation�
and ystick� and the co ordinates are incremented and decre�
A good intro duction to LOTOS is given in ���� a very
mented with op erations xinc� xdec� etc� The op eration
brief review of the features of LOTOS we use is as follows�
central is a predicate to test whether b oth co ordinates are
Pro cesses are built up from constant pro cesses� events� and
at the origin� Again� many of the equations are omitted�
pro cess op erators� Events are atomic� indivisi bl e actions� In
the following� P and Q are pro cesses�
type pilotcontrols is stickpos
sorts pcontrols
LOTOS Informal description
opns mk� stickpos�stickpos �� pcontrols
exit termination
xstick�ystick� pcontrols �� stickpos
a�P pre�x P byevent a
xinc�xdec� pcontrols �� pcontrols
P��Q choice b etween P and Q
yinc�ydec� pcontrols �� pcontrols
P��Q b ecome Q after P terminates
central� pcontrols �� bool
P ��� Q P in parallel with Q
eqns forall x�y�stickpos
P ��l�� Q P in parallel with Q�synchronisin g
ofsort stickpos
on events in list l
xstick�mk�x�y�� � x�
�exp� �� P if exp holds then b ecome P
ystick�mk�x�y�� � y�
ofsort pcontrols
Abstract data typ es are sp eci�ed �in the ACT ONE sub�
xinc�mk�x�y�� � mk�succ�x��y��
language� using many�sorted equational logic� Values and
xdec�mk�x�y�� � mk�pred�x��y��
pro cesses are combined in twoways� lists of values maybe
���
asso ciated with events� and pro cesses may b e parameterised
ofsort bool
byvalues� We use two forms of value asso ciation with events�
central�mk�x�y��� ��x eq ��� and �y eq ����
the event o�er a�v o�ers value v at event a� and the event
endtype
o�er a�v�T o�ers anyvalue of typ e T at event a�Twoevents
o�ering equivalentvalues may synchnronise� e�g� a�true can
There are � distinct values for priority status�
synchronise with a�true�or a�not�false�� and an event of�
fer a�v� can synchronise with an event o�er a�v��T� with
type priority is boolean
the e�ect that v� is b ound to v�� when v� has typ e T�
sorts priority
The underlying semantics of a LOTOS description is a
opns one�two�none � �� priority
state transition system� rather like a �nite state automata�
�eq� �priority� priority �� bool
except that there is no restriction to �nite states� We use
eqns
laws which describ e equivalences b etween pro cesses� based
���
on the concept of weak bisimulati on ��� b etween transition
endtype
systems� �Bisimulati on is so�called b ecause the pro cesses can
simulate each other�� These laws include� for example� the
There are � values for autopilot status�
rule that choice is commutative� and that parallel pro cesses
type autopilot is boolean renamedby
expand into pro cesses involvin g only choice and pre�x�
sortnames autopilot for bool
For brevity� all the events in our descriptions will b e ob�
opnnames on for true
servable� This will allow us to omit the usual list of ob�
off for false
servable� parameter events in pro cess declarations� except
endtype
in the few cases where the actual and formal events do in�
deed di�er� We also intro duce some further� trivial� abuses
The main pro cess comp onents of the system are the two
of LOTOS notation� for brevity�
�human� pilots� referred to as pilot � and pilot �� the autopi�
lot� and the �ightcontrol computer�
� Basic Design
The two�human� pilots� b ehaviours are identical� up to
the names of the events� and so the pro cess is parameterised�
We b egin with a design of the basic system� excluding timing
Each pilot maymove the stick along one of the four axes�
constraints�
forward �Fd�� backward �Bk�� left �Lt�� right�Rt�� depress or
Four data typ es are de�ned to represent the status of
release their priority button� �P�and�Pr� resp ectively�and
a stick� a pilot�s controls �pcontrols�� the control priority
depress or release their autopilot button� �AU�and�AuD�
�priority� and the autopilot�Intheinterest of brevity�
resp ectively�
most of the �obvious� equations are omitted from these
typ es�
process Pilot�Fd�Bk�Lt�Rt�Au�AuD�P�PR���
A stick can b e in any p osition along an axis from n� �neg�
�Fd��Bk��Lt��Rt��
ative ��top��positive ��� with �� as origin� Stick p ositions
Pr �� Au �� P �� AuD��Pilot
may b e summed� with over and under�ows rounded up or
�� exit
down to n�� p� resp ectively�
endproc
type stickpos is boolean The autopilot has a more restricted functionali tywhich
sorts stickpos includes only stickmovements�
where process AutoPilot�Fd�Bk�Lt�Rt� ��
Pilot� � Pilot�F��B��L��R��A��AD��P��PR��� �Fd �� Bk �� Lt �� Rt��AutoPilot
Pilot� � Pilot�F��B��L��R��A��AD��P��PR��� and �� exit
AutoPilot � AutoPilot�F��B��L��R��� endproc
The �ight control computer p olls for the current
The State pro cess is where the b ehaviour of the interaction
�summed� p ositions of the sticks and the priorities with event
between the pilots is de�ned� All pilot events are p ossible�
s� and sends on the appropriate signal with event signal
i�e� a pilot can always apply a force to his�her stick�button�
to the control surfaces� There are several p ossibiliti es for
but that eventmayhave no observable e�ect� Since much
combining the inputs into the appropriate signal� dep ending
of the details concerning the three pilots is similar� wehave
on which�human� pilot �if any� is in overall control� and
omitted parts of this pro cess �unfortunately� LOTOS is not
whether or not the autopilot is engaged�
higher order and do es not allow parameterisation over pro�
cesses��
process FCC ��
s�pi��pi��pi��pcontrols�one�on�
s� process State�pi��pi��pi��pcontrol
signal�mk�xstick�pi���xstick�pi���
p�priority�a�autopilot���
ystick�pi���ystick�pi����
F��State�yinc�pi���pi��pi��p�a�
FCC�s�signal�
�� F��State�pi��yinc�pi���pi��p�a�
�� s�pi��pi��pi��pcontrols�one�off�
�� F��State�pi��pi��yinc�pi���p�a�
signal�mk�xstick�pi���ystick�pi����
FCC�s�signal�
���similarly for B��B��B��R��R��R��L��L��L����
ntrols�two�on� �� s�pi��pi��pi��pco
signal�mk�xstick�pi���xstick�pi���
�� P����not �p eq two����State�pi��pi��pi��one�off�
ystick�pi���ystick�pi����
�� �p eq two� ��State�pi��pi��pi��p�a��
FCC�s�signal�
�� P����not �p eq one����State�pi��pi��pi��two�off�
�� s�pi��pi��pi��pcontrols�two�off�
�� �p eq one� ��State�pi��pi��pi��p�a��
signal�mk�xstick�pi���ystick�pi����
�� PR����p eq one� ��State�pi��pi��pi��none�off�
FCC�s�signal�
�� �not�p eq one����State�pi��pi��pi��p�a��
�� s�pi��pi��pi��pcontrols�none�on�
�� PR����p eq two� ��State�pi��pi��pi��none�off�
signal�mk�xstick�pi���xstick�pi���xstick�pi���
�� �not�p eq two����State�pi��pi��pi��p�a��
ystick�pi���ystick�pi���ystick�pi����
�� A����not�p eq two�� ��State�pi��pi��pi��p�on�
FCC�s�signal�
�� �p eq two� ��State�pi��pi��pi��p�a��
ff� �� s�pi��pi��pi��pcontrols�none�o
�� A����not�p eq one�� ��State�pi��pi��pi��p�on�
signal�mk�xstick�pi���xstick�pi���
�� �p eq one�� ��State�pi��pi��pi��p�a��
ystick�pi���ystick�pi����
�� AD����not�p eq two����State�pi��pi��pi��p�off�
FCC�s�signal�
�� �p eq two� ��State�pi��pi��pi��p�a��
�� exit
�� AD����not�p eq one����State�pi��pi��pi��p�off�
endproc
�� �p eq one� ��State�pi��pi��pi��p�a��
�� �s�pi��pi��p�a�State�pi��pi��pi��p �a��
The e�ects of the pilots� actions on the FCC are de�ned
�� exit
by the pro cess State� which is comp osed� in a constraint�
endproc
oriented style� with the three pilots and the FCC� The
constraint�oriented style ���� is one in which constraints are
Note that the e�ect of the priority and autopilot button
regarded as b ehavioural prop erties of the system� and the
events dep end on the overall pilot priority�
complete system is formed bycombining all of these prop er�
ties using a form of parallelism� Unconstrained parallelis m
� Analysis
corresp onds to the disjunction of the b ehavioural prop er�
ties� and constrained parallelism� i�e� with synchronisatio n�
Our analysis of the design has two aims� to verify that it
corresp onds to a form of conjunction �dep ending on the syn�
do es ful�ll the requirements� and that to showthatitisa
chronising events��
go o d design with resp ect to some basic safety prop erties�
The constraint�oriented style is the b est approach� for
Some of them are�
this problem� for two reasons� First� in the design pro cess� it
allows us to separate concerns and decouple the main com�
�� Moving a pilot�s stick cannot a�ect the state of control
p onents of the system� the pilots and the FCC� We can con�
nor of the autopilot�
sider them in isolation� as indep endent agents� and then de�
�� If the autopilot is on� then the signal sums the au�
�ne their interaction� Second� this approach b est re�ects the
topilot stick p ositions with the pilots� stick p ositions
separation of comp onents in the intended hardware�software
�dep ending on who is in control��
implementation�
�� If the autopilot is o�� then the autopilot stick p ositions
The overall pro cess is given by the appropriate combina�
are not summed in the signal�
tion of the �ve comp onents�
�� If b oth pilots are in control �i�e� neither is overridden�
process Controller�pi�� pi��pi��pcontrols�
and one of them presses the autopilot button� the au�
p�priority�a�autopilot���
topilot also gains control of the aircraft until one of the
State�pi��pi��pi��p�a�
pilots presses the autopilot disengage button on their
��all events��
side�stick�
�Pilot� ��� Pilot� ��� AutoPilot�
��s�� �� A pilot in control can engage or disengage the autopi�
FCC�s�signals� lot� but a pilot not in control cannot a�ect the state of
endproc the autopilot�
Demonstrating that the other prop erties hold involves Unlike the description of the �ightwarning computer in
considerably more complex test pro cesses� It is easier to LOTOS in ���� we are able to p erform rigorous analysis di�
demonstrate that a re�nement of a prop erty holds� For ex� rectly on our design� �In ���� �black�b ox� testing was p er�
ample� we can easily show a re�nement of prop erty�� formed on an ADA implementation ��
Sp eci�cally�we p erform an abstract form of testing�
Controller�x�y�none�o ff�
called prop erty testing which is describ ed in and used exten�
��all events��
sively in ����� Testing� in LOTOS� is a form of state reach�
�P��
ability analysis� prop erty testing is a more abstract form of
�Sticks�F��B��R��L�� ��� Sticks�F��B��R��L��
testing for a sp eci�c prop erty� The prop ertyisde�nedas
��� Sticks�F��B��R��L���
a LOTOS pro cess� and then the test pro cess is combined�
��
in parallel� synchronisin g on the events of the test pro cess�
A�� s�pi��pi��pi��pcontrols�none�off�exit�
with the given pro cess� Essentially�we are testing to see if
the given pro cess can b ehave like the test pro cess� without
Informally�we are testing for� givennopilotisinoverall
deadlo ck� If the test is passed� then we can b e assured that
control and the autopilot is o�� if pilot � depresses his�her
the prop erty do es hold� in that the test b ehaviour is p ossi�
priority button� and then after anynumber of events which
ble� On the other hand� if the test is not passed� then we
do not include any button events� pilot � depresses his�her
can conclude only that the b ehaviour is not p ossible for the
autopilot� the autopilot is still o��
states considered so far�
One requirementwhichwe are not able to express and
This illustrates an imp ortant p oint� there are always
verify in this design is one concerning time� namely�the
more states to explore b ecause there are in�nitely many
behaviour when a priority button has b een engaged for a
pro cesses� i�e� the pro cesses have the form P��exit��
length of time� In order to express this� we will need to
����P�We can only reason conclusively� using testing� over
extend the design to include a notion of time� we will do so
a �nite numb er of states� However� if we detect duplicate
in Section ��
states� then we can reason ab out recursive pro cesses� using
a �xed p oint theorem� This means that if wecan�nda
��� Discussion� the Design Pro cess recursive de�nition of the combined pro cess under insp ec�
tion� then if the test cannot b e passed in the non�recursive
The LOTOS mo del has b een invaluable � it has allowed us to
pre�xes� we can conclude that the test can never b e passed�
precisely de�ne our design� to test it� and analyse it� More�
eri�cation Prop erty testing is not the most sophisticated v
over� the activity of describing the design in LOTOS made
technique in comparison to� say� a temp oral�mo dal logic�
us think very carefully� and hard� ab out the interactions of
But� it is particularl y attractive to us b ecause it can b e p er�
the various comp onents of the system� Wewere often forced
formed with the software to ol LOLA �see ����� � a simula�
to determine the interaction b etween pilot control and the
tion to ol for symb olic computation that can recognise dupli�
autopilot� in more detail� than was explicitl y discussed in
cate states� Also� and no less imp ortant� we use LOLA for
the requirements� For example� when the autopilot is dis�
straightforward prototyping� or animation� when developing
y� �We conclude that it engaged� what is the control priorit
the descriptions�
remains unchanged��
We cannot discuss each prop erty in detail here� but as one
Also� we did get some asp ects of the design clearly wrong�
example� consider testing for the �rst prop erty� Because this
For example� at �rst� we could not show the �fth prop erty�
is a general prop erty� i�e� not one ab out a sp eci�c instance of
This was b ecause in the pro cess State we had the choices
the controller� the test pro cess dep ends on the free variables
in the given pro cess� say Controller�x�y�p�a��At �rst� it
seems then that the corresp onding test pro cess is the pro cess
AD��State�pi��pi��p�off� �� AD��State�pi��pi��p�off�
which o�ers anynumberofstickevents from the three pilots�
i�e� any pilot can switch o� the autopilot� But� the require�
followed by an o�er of the s event�theeventwhich passes
ments clearly state that a pilot not in control cannot a�ect
information to the �ight controller� with the priority and
the state of the autopilot� and in our design� a pilot is only
autopilot values unchanged� i�e�
not in control when the other pilot has sole control� e�g� pi�
Controller�x�y�p�a�
lot � is not in control when the priorityistwo� Fortunately�
��all events��
through the pro cess of testing� we found the error� and cor�
��Sticks�F��B��R��L�� ��� Sticks�F��B��R��L��
rected it accordingly� A �nal lesson learned was� catchde�
��� Sticks�F��B��R��L���
sign errors early�develop the design iteratively�andsavethe
���s�pi��pi��pi��pcontro ls�p�a�exit��
iterations carefully� In other words� careful managementof
the design pro cess is essential�
where Sticks����� is just identical to AutoPilot�
Using LOLA� the test is passed� with a suitable depth of
state exploration� However� this only shows that it is possible
� Timed Design
that the stick actions do not a�ect the priority or autopilot
status� it do es not show that they cannot have such an e�ect�
In this section we discuss how to augment our design with an
In order to show this� we need to show that tests suchas
explicit mo del of time� We will not deal with real time� since
we do not know what these constraints are for this problem�
Controller�x�y�p�on�
There are various ways to mo del time� wehavechosen to
��all events��
take an approachwhich is consistentwiththeinterleaving
��Sticks�F��B��R��L�� ��� Sticks�F��B��R��L��
mo del of paralleli sm �rather than true concurrency� whic h
��� Sticks�F��B��R��L���
underlies LOTOS� All pro cesses synchronise on one clo ck�
���s�pi��pi��pi��pcontrols�p�off�exit��
with the tickevent t� The tick is assumed to b e of sucha
cannot b e passed� Using LOLA� we are able to transform short duration that at most one event can o ccur at each tick�
this particular pro cess into a �rather large and complicated� although no event is required to o ccur�
set of recursion equations� examination of the non�recursive First� we extend the current description in a constraint�
pre�xes reveals that this test cannot b e passed� oriented style� with a clo ck pro cess� In addition to the tick
Again� the pro cess of making the LOTOS description has event� this pro cess o�ers an event now whichisassociated
forced us to consider just the kinds of details not covered by with the currentvalue of the clo ck�
the requirements� Recall that priority cannot b e given to
the pilot without control� unless the disengaged stickhas
process Clock�t�now��current�Nat���
b een centralised� But� for example� if a pilot has absolute
t� Clock�t�now��Succ�current��
control� and the other pilot depresses his�her priority button
�� now�current� Clock�t�now��current�
when his�her stickiscentralised� then do es the other pilot
�� exit
immediately gain control� without the �rst pilot releasing
endproc
his�her priority button� �We conclude that the answer is
yes��
Each high level pro cess in the controller pro cess is aug�
Moreover� what happ ens when a pilot who has absolute
mented with an initial o�er of the tickevent� So� for example
control releases his�her priority button� We conclude that
instead of �Pilot� ��� Pilot� ��� AutoPilot� wede�ne
this should have no e�ect on the overall priority when the
a pro cess Pilots�
other pilot�s stick is not centralised� The absolute priorityis
usually only relinquis hed after actions from b oth pilots �as�
process Pilots ��
suming that the pilot not in control has to centralise his�her
t� �Pilot� ��� Pilot� ��� AutoPilot�
stick�� This re�ects� we think� the idea that the timing con�
�� Pilots
straint is there to alleviate the need for a pilot to depress the
endproc
priority button for long p erio ds of time� and so after a p erio d
Second� we extend the design to mo del the b ehaviour
of time� depression or release of that button� in the absence
when a priority button has b een engaged for a length of
of anycentralising movements to the other stick �e�g� the
time� e�g� �� seconds� We will assume here� without loss of
other pilot has had a heart attack�� conveys no information�
generality� that a tick represents a second� Again� we extend
However� an overidden pilot can gain control from one in ab�
the description in a constraint�oriented style with a pro cess
solute control if� after �� seconds� he�she centralises his�her
Button which stores the last time of depression of a priority
stick and presses his�her priority button�
button� Event wb mo dels the write action and event rb the
The State pro cess is where the mo de is determined� If
read action�
one pilot has sole control� then this involves determining
whether or not that pilot has absolute control� This is done
process Button�rb�wb��time�Nat���
by comparing the current time with the last time a priority
wb�btime�Nat� Button�rb�wb��bt ime�
button was engaged�
�� rb�time� Button�rb�wb��time�
process State
�� exit
�pi��pi��pi��pcontrols�p�priority�a�autopilot���
endproc
�p eq none� �� State��pi��pi��pi��p�a�
�� �not�p eq none�� ��
The pro cess State is extended to re�ect three di�erent
�now�time�Nat� rb�pt�Nat�
mo des� These are� as b efore� i�e� neither pilot has overall
���p eq one� and ��time � pt� gt ����
control� pilot � has what we call absolute control� or pilot
�� State�one
� has absolute control� By absolute control wemeanthata
�� ��p eq one� and ��time � pt� lt ����
pilot has had sole priority for more than �� seconds�
�� State��pi��pi��pi��p�a�
These three mo des are mo delled by subpro cesses State�
�� ��p eq two� and ��time � pt� gt ����
�which is essentially the old pro cess State� but it recur�
�� State�two
sively calls the new State instead of State��� State�one
�� ��p eq two� and ��time � pt� lt ����
and State�two�
�� State��pi��pi��pi��p�a�
The two latter pro cesses are identical� mo dulo event and
endproc
value renaming� State�one� for example� de�nes the b e�
haviour when pilot � has absolute control� Since the e�ects
Finally� the synchronisation lists in the overall controller pro�
of the stickmovements are exactly as in State�� these are
cess are amended�
omitted�
process Controller
process State�one
ols� �pi��pi��pi��pcontr
�pi��pi��pi��pcontrols�p�priority�a�autopilot� ��
p�priority�a�autopilot�time�pt�Nat���
t�
State�pi��pi��pi��p�a�
� ���
��all events��
�� P��State��pi��pi��pi��p�a�
Pilots
������now�time�Nat�wb�time� �� P���central�pi
��t�s��
State�pi��pi��pi��two�a��
FCC�s�signals�t�
�� �not�central�pi������State�one�pi��pi��pi��p�a�
��t�now��
�� PR���central�pi�����State�pi��pi��pi��none�a�
Clock�t�now��time�
�� �not�central�pi������State�one�pi��pi��pi��p�a�
��rb�wb��
�� PR��State�one�pi��pi��pi��p�a�
Button�rb�wb��pt�
�� A��State�one�pi��pi��pi��p�on�
endproc
�� A��State�one�pi��pi��pi��p�a�
f� �� AD��State�one�pi��pi��pi��p�of
�� AD��State�one�pi��pi��pi��p�a�
� Analysis
�� �s�pi��pi��pi��p�a�State�one�pi��pi��pi��p�a��
This design was considerably more di�cult to develop and �� State�one�pi��pi��pi��p�a�
analyse than the basic design� The use of an automated test� �� exit�
ing and simulation to ol suchasLOLAwas crucial as timing endproc
��� T� Bolognesi and E� Brinksma� Intro duction to the ISO constraints are notoriously di�cult to get right� and this
Sp eci�cation Language LOTOS� In P�H�J� van Eijk� example was no exception� Moreover� with the additional
C�A� Vissers� and M� Diaz� editors� The Formal De� events� the state space has grown enormously and some de�
scription Technique LOTOS� pages ������ Elsevier Sci� gree of automation is essential�
ence Publishers B�V� �North�Holland�� �����
The prop erties to consider remain as b efore� with the ad�
dition of a variety of prop erties ab out the b ehaviour when
��� Hub ert Garavel and Ren�e�Pierre Hautb ois� Experiment�
a pilot gains and loses absolute control� Again� wedonot
ing LOTOS in Aerospace Industry�chapter ��� Amast
give full details here� but as an example� we describ e how
Series in Computing� World Scienti�c� ����� To app ear�
we can construct the test� if pilot � is in priority for more
��� Fly�by�wire controls� The new airliner standard� Inter�
than �� seconds� pilot ��s stick is not centralised� and pilot
national Civil Aviation Authority Bul letin� pages ������
� depresses his�her priority button� then pilot � is still in
March �����
priority�We de�ne a pro cess which expands into a choice
between instances of the form�
��� International Organisation for Standardisatio n� Infor�
n m
t� P �� �t�� F �� �t�� � P �� s�pi��pi��pi��one�a�
mation Processing Systems � Open Systems Intercon�
where n � m � ���
nection � LOTOS � A Formal Description Technique
We consider only one stickevent after the P� �and it do esn�t
Based on the Temporal Ordering of Observational Be�
matter which one it is� b ecause wehavealreadyshown that
haviour� �����
stickevents cannot a�ect the status of the priority or au�
��� C� Kirkwo o d and M� Thomas� Exp eriences with LO�
topilot� Also� we do not constrain the o ccurrences of button
TOS Veri�cation� A Rep ort on Two Case Studies� �����
read or writes in the test� therefore it is imp ortant to exclude
Submitted for publication �
rb and wb from the synchronisatio n list b etween the events
��� B� Littlewo o d� The Need for Evidence from Disparate
the test and the controller�
Sources to Evaluate Software Safety� In T� Anderson
F� Redmill� editor� Directions in Safety�Critical Sys�
� Discussion
tems� Safety Critical Systems Club� �����
Issues in the developmentofsafety� ��� J� McDermid�
Until recently� LOTOS has b een used mainly for descrip�
critical systems� In T� Anderson F� Redmill� editor�
tions in the OSI �op en systems interconnection� context and
Safety Critical Systems� Current issues� techniques and
the telecommunications �eld �some other applicatio ns are
standards� Safety Critical Systems Club� Chapman and
rep orted in ���� ���� At �rst� this seemed a new application
Hall� �����
area for LOTOS� but in hindsight� this problem has many
��� R� Milner� A Calculus of Communicating Systems�
characteristics of a proto col and LOTOS has b een ideal for
LNCS ��� Springer�Verlag� �����
articulating many of the design decisions� It has allowed�
indeed forced us to think carefully ab out the interaction
���� J� Rushby� Formal Sp eci�cation and Veri�cation for
between pilots and in particular� how and when priorityis
Critical Systems� Tools� Achievements� and Prosp ects�
gained and relinquish ed� This study is a preliminary inves�
Technical Rep ort EPRI TR�������� Electric Power Re�
tigation of the problem� and future work will consider other
search Institute� January �����
p ossible proto cols for this system�
���� J Rushby� Formal Metho ds and the Certi�cation of
Critical Systems� Technical Rep ort CSL������ SRI In�
ternational� Decemb er �����
� Conclusions
���� M� Thomas� The Story of the Therac��� in LOTOS�
LOTOS has allowed us to develop a constraint�oriented de�
High Integrity Systems Journal� ���������� �����
sign description for this problem� This approach invites us
���� K� J� Turner� editor� Using Formal Description Tech�
to develop and test the imp ortant details of the comp onents�
niques� An Introduction to ESTELLE� LOTOS and
and then to consider their interactions� The resulting design
SDL� Communication and Distributed Systems� Wiley�
is one which is close enough to the implementation design�
�����
yet abstract enough to allow for rigorous reasoning using
automated to ols� We are able to conclude� with some con��
dence� that wehave a go o d� safe design�
Acknowledgements
We thank Tom Melham for his comments�
Addresses for corresp ondence
M� Thomas� Dept� of Computing Science� B� Ormsby� Dept�
of Aerospace Engineering� University of Glasgow� Glasgow
G�� �QQ� Scotland�
k� email� muffy�dcs�gla�ac�uk� bowen�dcs�gla�ac�u
References
��� L� M� Barro ca and J� A� McDermid� Formal Meth�
o ds� Use and Relevance for the Development of Safety�
Critical Systems� The Computer Journal� ������ �����