Presentation: Formal Methods in Safety-Critical Systems, Dr. Steven P. Miller
Number of slides: 49

Slide 1: Formal Methods in Safety-Critical Systems
Dr. Steven P. Miller
Advanced Computing Systems, Rockwell Collins
400 Collins Road NE, MS 108-206, Cedar Rapids, Iowa 52498
spmiller@rockwellcollins.com
Advanced Technology Center

Slide 2: What Problem Are We Solving?
§ Safety-Critical Software Is Too Expensive
  – Cut Development Costs/Cycle Time in Half
§ Safety-Critical Software Is Often Wrong
  – Find 10x More Errors than Current Methods
§ DO-178B Certification Is Too Expensive
  – Already Applying This to DO-178B Developments

Slide 3: Are We Making Progress?
§ Model-Based Development Spreading Rapidly
  – Several Projects at Rockwell Collins
§ Prove Properties of Simulink & SCADE Models
  – In Seconds on Models with Over 10^100 States
§ Finding Errors Early in the Lifecycle
  – On Real Products!

Slide 4: Outline of Presentation
  – Introduction
  – Overview of Our Approach
  – An Example – FGS Mode Logic
  – Some Recent Accomplishments
  – The Underlying Technology
  – What's Next?
  – Summary

Slide 5: Who Are We?
A World Leader in Aviation Electronics and Airborne/Mobile Communications Systems for Commercial and Military Applications
  – Communications
  – Navigation
  – Automated Flight Control
  – Displays / Surveillance
  – Aviation Services
  – In-Flight Entertainment
  – Integrated Aviation Electronics
  – Information Management Systems

Slide 6: Rockwell Collins
  – Headquartered in Cedar Rapids, Iowa
  – 14,500 Employees Worldwide

Slide 7: RCI Advanced Technology Center
(Organization chart: Government Systems, Commercial Systems, Advanced Technology Center)
§ The Advanced Technology Center (ATC) identifies, acquires, develops and transitions value-driven technologies to support the continued growth of Rockwell Collins.
§ The Automated Analysis group applies mathematical tools and reasoning to the problem of producing high assurance systems.

Slide 8: Automated Analysis Group
§ Participants in the MCC Formal Methods Transition Study (1991)
§ Formal Specification of the μReal Time Executive in RAISE (1992)
§ Formal Specification of the GE 1 Graphics Processor (1996)
§ Formal Verification of Microprocessors (1993 - 2005)
  – AAMP5 Microcode Using PVS
  – AAMP-FV Microcode Using PVS
  – JEM Java Virtual Machine Microprocessor Using PVS
  – FCP2002 Microcode Using ACL2
  – FCP2002-2000 Microcode Equivalence Using ACL2
  – AAMP7 Security Separation Kernel Using ACL2
§ Formal Validation of Embedded System Requirements (1995 - 2005)
  – FGS Mode Logic Using SPC's CoRE Method
  – FGS Mode Logic Using NRL's SCR* Tools
  – FGS Mode Logic Using PVS
  – FGS Mode Logic Using Matrix-X and T-VEC
  – FGS Mode Logic Using RSML-e, PVS, and NuSMV
  – FGS/FMS/AT Logic Using SCADE and Simulink
(Per-project years shown on the slide, column order lost in extraction: 1994, 1995, 1998, 1999, 2001, 2003 and 1995, 1996, 1997, 1998, 2002, 2004)

Slide 9: Methods and Tools for Flight Critical Systems Project
§ Five Year Project Started in 2001
§ Part of NASA's Aviation Safety Program (Contract NCC-01001)
§ Funded by the NASA Langley Research Center and Rockwell Collins
§ Practical Application of Formal Methods to Modern Avionics Systems

Slide 10: Outline of Presentation (section divider; same outline as Slide 4)

Slide 11: Convergence of Two Trends
Model-Based Development + Automated Analysis
  = A Revolutionary Change in How We Design and Build Systems

Slide 12: Model-Based Development Examples (figure only)

Slide 13: Does Model-Based Development Scale?
Airbus A380 Systems Developed Using MBD:
  • Flight Control
  • Auto Pilot
  • Flight Warning
  • Cockpit Display
  • Fuel Management
  • Landing Gear
  • Braking
  • Steering
  • Anti-Icing
  • Electrical Load Management
A380 facts: Length 239 ft 6 in; Wingspan 261 ft 10 in; Maximum Takeoff Weight 1,235,000 lbs; Passengers up to 840; Range 9,383 miles

Slide 14: How Do We Reduce Costs and Improve Quality?
(Figure: development process with savings figures per stage; the stage-to-percentage layout was lost in extraction. Figures shown: 15%, 10%, 5%, 10%, 10% - 20%.)
Stages: Requirements Elicitation, Reuse, Modeling, Autotest, Simulation, Autocode, Automated Analysis
Benefits noted on the slide:
  – Clear Specifications, Improves Communication
  – Reduces Cost of Testing, Enables More Testing
  – Eliminates Manual Coding
  – Easy Validation, Makes Model Primary Artifact, Finds Errors Early
  – Cheaper Than Manual Analysis, Finds the Really Hard Errors

Slide 15: Outline of Presentation (section divider; same outline as Slide 4)

Slide 16: Flight Guidance System Mode Logic
(Process diagram: Requirements Elicitation, Reuse, Modeling, Autotest, Simulation, Autocode, Automated Analysis)

Slide 17: Captured Requirements as Shalls (figure only)

Slide 18: Modeling
(Process diagram with the Modeling step highlighted: Requirements Elicitation, Reuse, Modeling, Autotest, Simulation, Autocode, Automated Analysis)

Slide 19: Modeling Notations
  – Textual (Lustre, PVS, SAL, …)
  – Tabular (RSML-e, SCR)
  – Graphical (Simulink, SCADE)
Textual example (Lustre):

    node Thrust_Required(
        FG_Mode : FG_Mode_Type;
        Airborne : bool;
        In_Flare : bool;
        Emergency_Descent : bool;
        Windshear_Warning : bool;
        In_Eng_Accel_Zone : bool;
        On_Ground : bool)
    returns (IsTrue : bool);
    let
      IsTrue = (FG_Thrust_Mode(FG_Mode) and Airborne)
            or (Airborne and Emergency_Descent)
            or Windshear_Warning
            or ((FG_Mode = ThrottleRetard) and In_Flare)
            or (In_Eng_Accel_Zone and On_Ground);
    tel;

Slide 20: Simulation
(Process diagram with the Simulation step highlighted: Requirements Elicitation, Reuse, Modeling, Autotest, Simulation, Autocode, Automated Analysis)

Slide 21: Simulation (figure only)

Slide 22: Automated Analysis
(Process diagram with the Automated Analysis step highlighted: Requirements Elicitation, Reuse, Modeling, Autotest, Simulation, Autocode, Automated Analysis)
  – Model Checkers
  – Theorem Provers

Slide 23: What Are Model Checkers?
§ Breakthrough Technology of the 1990's
§ Widely Used in Hardware Verification (Intel, Motorola, IBM, …)
§ Several Different Types of Model Checkers
  – Explicit, Symbolic, Bounded, Infinite Bounded, …
§ Exhaustive Search of the Global State Space
  – Consider All Combinations of Inputs and States
  – Equivalent to Exhaustive Testing of the Model
  – Produces a Counter Example if a Property is Not True
§ Easy to Use
  – "Push Button" Formal Methods
  – Very Little Human Effort Unless You're at the Tool's Limits
§ Limitations
  – State Space Explosion (10^20 – 10^300 States)

Slide 24: Advantage of Model Checking
Testing Checks Only the Values We Select. Even Small Systems Have Trillions (of Trillions) of Possible Tests!
(Figure: System)

Slide 25: Advantage of Model Checking
Model Checker Tries Every Possible Input and State!
(Figure: Model)

Slide 26: Model Checking Process
(Diagram: Model → Automatic Translation → SMV Spec; Engineer → Properties → Automatic Translation → SMV Properties; both feed the Automated Check in SMV, which answers "Does the system have property X?" with either "Yes!" or a Counter Example)

Slide 27: Translated Shalls into SMV Properties (figure only)

Slide 28: Validate Requirements through Model Checking
§ Proved Over 280 Properties in Less Than an Hour
§ Found Several Errors
  – Some Were Errors in the Model
  – Most Were Incorrect Shalls
§ Revised the Shalls to Improve the Requirements
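The Lustre node on Slide 19 and the exhaustive-search idea of Slides 23 to 28, as an added Python example that is not part of the presentation: the node is transcribed as a function, every input combination is enumerated the way a model checker would for a stateless node, and each shall either holds or yields a counterexample. The values of FG_Mode_Type and which of them count as thrust modes (FG_Thrust_Mode) are assumptions, since the slide does not define them.

```python
"""Exhaustive property check of the Thrust_Required Lustre node (added example).

The mode enumeration and the FG_Thrust_Mode set below are assumptions; the
presentation shows only the node body, not its type definitions.
"""
from itertools import product
from typing import Callable, Dict, Optional

# Assumed enumeration for FG_Mode_Type (constructed for this example).
FG_MODES = ("Off", "Pitch", "ThrustClimb", "ThrustDescent", "ThrottleRetard")
THRUST_MODES = {"ThrustClimb", "ThrustDescent"}   # assumed FG_Thrust_Mode set
BOOL_INPUTS = ("Airborne", "In_Flare", "Emergency_Descent",
               "Windshear_Warning", "In_Eng_Accel_Zone", "On_Ground")

State = Dict[str, object]


def fg_thrust_mode(mode: str) -> bool:
    return mode in THRUST_MODES


def thrust_required(s: State) -> bool:
    """Direct transcription of the Lustre equation for IsTrue."""
    return bool((fg_thrust_mode(s["FG_Mode"]) and s["Airborne"])
                or (s["Airborne"] and s["Emergency_Descent"])
                or s["Windshear_Warning"]
                or (s["FG_Mode"] == "ThrottleRetard" and s["In_Flare"])
                or (s["In_Eng_Accel_Zone"] and s["On_Ground"]))


def check(prop: Callable[[State], bool]) -> Optional[State]:
    """Enumerate all 5 * 2**6 = 320 input combinations and return the first
    counterexample, or None if the property holds everywhere. This is the
    exhaustive search a model checker performs, here with no internal state."""
    for mode, *bits in product(FG_MODES, *([(False, True)] * len(BOOL_INPUTS))):
        s: State = {"FG_Mode": mode, **dict(zip(BOOL_INPUTS, bits))}
        if not prop(s):
            return s
    return None


# Shall 1: a windshear warning shall always require thrust.
def shall_windshear(s: State) -> bool:
    return (not s["Windshear_Warning"]) or thrust_required(s)


# Shall 2, as a requirements author might write it: thrust shall be required
# only when airborne. The checker shows the shall is wrong, not the model
# (engine acceleration zone while on the ground also requires thrust).
def shall_airborne_only(s: State) -> bool:
    return (not thrust_required(s)) or bool(s["Airborne"])


def counterexamples() -> Dict[str, Optional[State]]:
    return {"windshear": check(shall_windshear),
            "airborne_only": check(shall_airborne_only)}


if __name__ == "__main__":
    for name, cex in counterexamples().items():
        print(name, "holds" if cex is None else f"FAILS, e.g. {cex}")
```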

Slide 29: Translator Optimizations
CPU Time to Compute Reachable States

    Model    Before      After     Improvement
    Mode 1   > 2 hours   11 sec
    Mode 2   > 6 hours   169 sec
    Mode 3   > 2 hours   14 sec
    Mode 4   8 minutes   < 1 sec   480x
    Arch     34 sec      (cell lost in extraction)   34x
    WBS      29+ hours   1 sec     105,240x

Slide 30: What Are Theorem Provers?
§ Available Since Late 1980's
  – Widely Used on Security and Safety-Critical Systems
§ Use Rules of Inference to Prove New Properties
  – Also Consider All Combinations of Inputs and States
  – Also Equivalent to Testing with an Infinite Set of Test Cases
  – Generate an Unprovable Proof Obligation if a Property is False
§ Not Limited by State Space
  – Applicable to Almost Any Formal Specification
§ Limitations
  – Require Experience - About Six Months to Become Proficient
  – Constructing Proofs is Labor Intensive

Slide 31: Theorem Proving Using PVS
(Diagram: Model → Automatic Translation → PVS Spec; Engineer → Properties → Automatic Translation → PVS Properties; a Guru drives the Automated Proof in PVS, which answers "Does the system have property X?" with either a proof or "Why not?")

Slide 32: Validate Requirements Using Theorem Proving
§ Proved Several Hundred Properties Using PVS
§ More Time Consuming than Model-Checking
§ Use When Models are Stable and Model-Checking Won't Work

Slide 33: Outline of Presentation (section divider; same outline as Slide 4)

Slide 34: Example 1 – Mode Logic
(Figure: Mode Controller A and Mode Controller B)
  – 6.8 x 10^21 Reachable States
  – Requirement: Mode A1 => Mode B1
  – Counterexample Found in Less than Two Minutes!
  – Found 27 Errors to Date

Slide 35: Example 2 – Displays Logic
  – 883 Subsystems
  – 9,772 Simulink Blocks
  – 2.9 x 10^52 Reachable States
  – Requirement: Drive the Maximum Number of Display Units Given the Available Graphics Processors
  – Counterexample Found in 5 Seconds!
  – Checked 178 Properties – Found Several Errors

Slide 36: Outline of Presentation (section divider; same outline as Slide 4)

Slide 37: Original Tool Chain
(Diagram: RSML-e to NuSMV Translator → NuSMV Model Checker; RSML-e to PVS Translator → PVS Theorem Prover)
Contributors: Rockwell Collins / U of Minnesota; SRI International

Slide 38: Conversion to SCADE
(Diagram: SCADE (Lustre, Safe State Machines) → NuSMV, Design Verifier, PVS)
Contributors: Rockwell Collins; Esterel Technologies; SRI International

Slide 39: Extension to MATLAB
(Diagram: Simulink, StateFlow → Gateway → SCADE (Lustre, Safe State Machines) → NuSMV, Design Verifier, PVS)
Contributors: Rockwell Collins; Esterel Technologies; SRI International; MathWorks

Slide 40: Adding SRI Tools to the Chain
(Diagram: Simulink, StateFlow → Gateway → SCADE (Lustre, Safe State Machines) → NuSMV, Design Verifier, PVS, ACL2, ICS, SAL (Symbolic Model Checker, Bounded Model Checker, Infinite Model Checker))
Contributors: Rockwell Collins; Esterel Technologies; SRI International; MathWorks

Slide 41: Current Tool Chain
(Diagram: Simulink, StateFlow → Gateway → SCADE (Lustre, Safe State Machines) → NuSMV, Reactis, Design Verifier, PVS, ACL2, ICS, SAL (Symbolic Model Checker, Bounded Model Checker, Infinite Model Checker))
Contributors: Rockwell Collins; Esterel Technologies; SRI International; MathWorks; Reactive Systems

Slide 42: Outline of Presentation (section divider; same outline as Slide 4)

Slide 43: Extending the Verification Domain
(Figure, layout reconstructed from the spilled labels)
  – BDD-Based Model Checkers: Boolean & Enumerated Types; Very Large State Spaces
  – SAT-Based Model Checkers: Boolean & Enumerated Types + Integers & Reals; Infinite State Spaces
  – Theorem Provers: Arbitrary Systems (Real Numbers, Large Integers, Infinite State, Complex Boolean, …)

Slide 44: Verification of Adaptive Systems (figure only)

Slide 45: Requirements Based Test Case Generation
(Diagram: Requirements → Properties → Test Case Generator → Requirements Based Tests; Create Model → Code Generator → Code; Model → Test Case Generator → Additional Structural Tests)
Requirements Based Testing
§ State Requirements as Properties
§ Automatically Generate Tests
§ Goal is to Cover the Requirement
Model Conformance Testing
§ Autogenerate Test Cases From Model
§ Commercial Tools Available – (T-VEC, REACTIS)
§ Show Code Conforms to the Model
§ Goal is Structural Coverage (MC/DC)

Slide 46: Model-Based Safety Analysis
(Figure: Fault Tolerant Braking System plant model with Normal and Alternate hydraulic channels: Green Pump, Blue Pump, Isolation Valve, Power A/B, Pedal 1/2, System A/B, Braking System Control Unit (BSCU), Selector Valve, Anti-Skid Command, Braking + Anti-Skid Command, Meter Valves, Accumulators, Mechanical Pedal, Plant Feedback)
§ Model the Physical System and the Digital Controller Architecture
§ Add Fault Model for Physical System and Digital Controller Architecture
§ Integrates System and Safety Engineering About a Common Model
§ Automation Enables "What-If" Consideration of System Designs

Slide 47: Outline of Presentation (section divider; same outline as Slide 4)

Slide 48: Summary
§ Formal Verification is Becoming Practical
  – Availability of Accurate Models Early in the Lifecycle
  – Growing Power of Automated Analysis Tools
§ Benefits
  – Find Errors Early – Avoid Rework Late in the Lifecycle
  – Cheaper and Easier than Traditional Methods
  – Orders of Magnitude Better at Finding Errors

Slide 49: Summary
Rockwell Collins is a World Leader in the Industrial Use of Formal Methods
§ Almost 15 Years of Experience
§ Thriving Automated Analysis Group
§ Doing Extensive Work for NASA and the NSA
§ Broad Tool Expertise
  – PVS, ACL2, NuSMV, Prover, SAL, Simulink, SCADE, SCR, …
§ Focus on "Application to Real Systems"