Summary
For highly safety‐critical applications, rigorous offline verification should be complemented by online verification. One promising technique is Online Model Checking (OMC). The basic approaches to designing and implementing OMC have been discussed in a couple of papers. Since OMC is a service provided at run time, it seems natural to offer it as an operating system (OS) service like any other service the OS provides. In this paper, we study the feasibility of this approach, that is, whether OMC can be integrated efficiently into an OS. As we are dealing with real‐time systems, the OS in our case is a real‐time operating system (RTOS). This study makes use of a specific OMC system implemented in our group. We have also implemented a highly efficient RTOS with an extremely small footprint, called ORCOS (Organic ReConfigurable Operating System). We therefore use ORCOS as the example RTOS for investigating the feasibility of integrating OMC as an RTOS service. The correctness of the RTOS itself is not subject to verification in this setting; it is only the service provider. To ease understanding of the approach, the paper contains a brief introduction to the fundamental concepts of OMC and to providing it as an integrated RTOS service. Additionally, the basic principles of ORCOS are presented. Based on these foundations, we discuss three integration methods: OMC may become an integral part of the RTOS; it may run as a separate task on the same host as the RTOS; or it may be implemented on a remote host in the style of a service‐oriented architecture. In all three cases, OMC runs concurrently with the application task being online model checked. We argue that the second approach turns out to be the most appropriate one. It is well suited to state‐of‐the‐art hypervisor‐based mixed‐criticality architectures running on a multi‐core hardware platform. The service‐oriented variant is discussed as well, though only briefly.
To test the feasibility of the approach, an analytical investigation of the implied overhead is carried out. This investigation is complemented by experiments based on a prototype implementation. The promising results obtained from these two studies are then further underpinned by a realistic case study: the resolution advisory component of the Traffic Alert and Collision Avoidance System (TCAS). Copyright © 2015 John Wiley & Sons, Ltd.