High-level modeling and analysis of the traffic alert and collision avoidance system (TCAS)

We demonstrate a high-level approach to modeling, analyzing, and verifying complex safety-critical systems through a case study on the traffic alert and collision avoidance system (TCAS); an avionics system that detects and resolves aircraft collision threats. Due to the complexity of the TCAS software and the hybrid nature of the closed-loop system, the traditional testing technique of exhaustive simulation does not constitute a viable verification approach. Moreover, the detailed specification of the system software employed to date as a means toward analysis and verification neither helps in intuitively understanding the behavior of the system nor enables the analysis of the closed-loop system behavior. We advocate defining high-level hybrid system models that capture the behavior not only of the software but also of the airplanes, sensors, pilots, etc. In particular, we show how the core components of TCAS can be captured by relatively simple hybrid I/O automata, which are amenable to format analysis. We then outline a methodology for establishing conditions under which TCAS guarantees sufficient separation in altitude for aircraft involved in collision threats. The contributions of the paper are the high-level models of the closed-loop TCAS system and the demonstration of the usefulness of high-level modeling, analysis, and verification techniques.