
  • Number of slides: 28

Formal Verification of Flight Critical Software
Dr. Steven P. Miller, Advanced Computing Systems
Elise A. Anderson, Commercial Systems Flight Control
Rockwell Collins, 400 Collins Road NE, MS 108-206, Cedar Rapids, Iowa 52498
{spmiller, eaanders}@rockwellcollins.com
Advanced Technology Center Slide 1

Concept Overview
[Diagram: FCS 5000 Flight Control System -> Mode Logic Requirements -> Mode Logic Specification (Simulink Model) -> NuSMV Model Checker -> Counter Example; Formal Properties are derived from the Mode Logic Requirements and fed to the model checker]
Example requirement: The system shall be in Vertical Go Around only if it is also in Lateral Go Around
Formal property as shown on the slide: AX AG(LGA -> VGA)
Slide 2

Outline of Presentation
Introduction
Model Checking
Specification of the FCS 5000 Mode Logic
Verification of the FCS 5000 Mode Logic
Concluding Remarks
Slide 3

Who Are We?
A World Leader in Aviation Electronics and Airborne/Mobile Communications Systems for Commercial and Military Applications
Areas listed on the slide: Communications; Navigation; Automated Flight Control; Displays / Surveillance; Aviation Services; In-Flight Entertainment; Integrated Aviation Electronics; Information Management Systems
Slide 4

Automated Analysis Section
[Timeline 1992–2006; the year-to-project layout was lost in extraction, so projects are listed with the tool used in parentheses]
Projects: AAMP5 Microcode Verification (PVS); AAMP-FV Microcode Verification (PVS); AAMP5 Partitioning (PVS); JEM Java Virtual Machine (PVS); FGS Mode Confusion Study (PVS); FCP 2002 Microcode (ACL2); FGS Safety Analysis (RSML-e); Displays Verification (NuSMV); FGS Mode Confusion (RSML-e); FCS 5000 FGS Verification (NuSMV); SHADE (ACL2); AAMP7 Separation Kernel (ACL2); vFaat (ACL2, PVS); Green Hills Integrity RTOS (ACL2)
Sponsors named on the slide: NASA LaRC, NSA, AFRL, NASA, AvSSP; Tech Transfer
Slide 5

Methods and Tools for Flight Critical Systems Project
§ Five Year Project Started in 2001
§ Part of NASA’s Aviation Safety Program (Contract NCC-01001)
§ Funded by the NASA Langley Research Center and Rockwell Collins
§ Practical Application of Formal Methods to Modern Avionics Systems
Slide 6

Outline of Presentation (section divider; same outline as Slide 3) Slide 7

What Are Model Checkers?
§ Breakthrough Technology of the 1990’s
§ Widely Used in Hardware Verification (Intel, Motorola, IBM, …)
§ Several Different Types of Model Checkers
  – Explicit, Symbolic, Bounded, Infinite Bounded, …
§ Exhaustive Search of the Global State Space
  – Consider All Combinations of Inputs and States
  – Equivalent to Exhaustive Testing of the Model
  – Produces a Counter Example if a Property is Not True
§ Easy to Use
  – “Push Button” Formal Methods
  – Very Little Human Effort Unless You’re at the Tool’s Limits
§ Limitations
  – State Space Explosion (10^100 – 10^300 States)
Slide 8

Advantage of Model Checking
Testing Checks Only the Values We Select
Even Small Systems Have Trillions (of Trillions) of Possible Tests!
Slide 9

Advantage of Model Checking
Model Checker Tries Every Possible Input and State!
Slide 10

Translation Framework (diagram) Slide 11

Example - ADGS-2100 Adaptive Display & Guidance System
883 Subsystems, 9,772 Simulink Blocks, 2.9 x 10^52 Reachable States
Requirement: Drive the Maximum Number of Display Units Given the Available Graphics Processors
Counterexample Found in 5 Seconds!
Checking 373 Properties Found Over 60 Errors
Slide 12

Outline of Presentation (section divider; same outline as Slide 3) Slide 13

Flight Guidance System Overview (diagram) Slide 14

Simple Mode Transition Diagram (diagram) Slide 15

Synchronous Composition of Two Mode Transition Diagrams (diagram) Slide 16

Outline of Presentation (section divider; same outline as Slide 3) Slide 17

Summary of Errors Found
Table: rows = Detected By (Inspection, Modeling, Simulation, Model Checking, Total); columns = Likelihood of Being Found by Traditional Methods (Trivial, Likely, Possible, Unlikely, Total). Cell values in extraction order, row/column placement lost: 1 2 3 5 1 1 6 13 15 6 2 2 1 3 17 26
§ Model-Checking Detected the Majority of Errors
§ Model-Checking Detected the Most Serious Errors
§ Found Early in the Lifecycle during Requirements Analysis
Slide 18

Verification of Individual Mode Transition Diagrams
Properties shown on the slide (implication arrows were lost in extraction):
AX AG( LGA AX( Event 9 ROLL ))
AX AG( LGA AX( (Event 4 & !Event 6 & !Event 9) HDG))
AX AG( Event 8 LGA )
Result shown: False
Slide 19

Errors Found Verifying Individual Mode Machines
Table: rows = Detected By (Inspection, Modeling, Simulation, Model Checking, Total); columns = Likelihood of Being Found by Traditional Methods (Trivial, Likely, Possible, Unlikely, Total). Cell values in extraction order, row/column placement lost: 1 2 3 5 1 6 6 8 9 18 2 2 2
§ Model-Checking Found Half the Errors
§ Tended to Find the Less Serious Errors
§ Counter Example Pinpoints Source of the Error
Slide 20

Verification of Composite Machines
Mode Controller A composed with Mode Controller B: 5.1 x 10^27 Reachable States
Requirement: Mode A1 => Mode B1
Counterexample Found in Less than Two Minutes!
Found 8 More Errors
Slide 21
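The exhaustive search described on slides 8–10 (try every input and state, produce a counterexample when a property fails) and the composite check above (a requirement relating two mode machines that only breaks in their synchronous composition), as an added example that is not part of the original slides and not the NuSMV model of the FCS 5000. It is a toy lateral/vertical mode logic composed synchronously and checked by breadth-first search in Python. The mode names (ROLL, HDG, LGA, PITCH, VGA), the two pilot inputs and the deliberate defect in vertical_step_buggy are constructed for illustration; the property is the deck's requirement that Vertical Go Around may hold only together with Lateral Go Around. NuSMV, the deck's tool, is a symbolic model checker; an explicit-state BFS is simply the shortest way to show the same "every state, every input" semantics.

```python
from collections import deque
from itertools import product

# Constructed example: two simplified flight-guidance mode transition
# diagrams (lateral and vertical) composed synchronously and then checked
# exhaustively. Toy model for illustration, not the FCS 5000 mode logic.

# Pilot inputs sampled on every step: (go_around_switch, heading_switch)
INPUTS = list(product([False, True], repeat=2))

def lateral_step(mode, ga, hdg):
    """Lateral diagram: ROLL / HDG / LGA (Lateral Go Around)."""
    if ga:
        return "LGA"
    if hdg:
        return "HDG"
    return mode  # no event: stay in the current mode

def vertical_step_buggy(mode, ga, hdg):
    """Vertical diagram with a deliberate defect (constructed): it reacts only
    to the go-around switch, so VGA persists after the lateral side leaves LGA."""
    if ga:
        return "VGA"
    return mode

def vertical_step_fixed(mode, ga, hdg):
    """Corrected vertical diagram: selecting a heading exits VGA, which keeps
    the two diagrams aligned on go-around."""
    if ga:
        return "VGA"
    if hdg and mode == "VGA":
        return "PITCH"
    return mode

def compose(lat_step, vert_step):
    """Synchronous composition: both diagrams step on the same input sample."""
    def step(state, inputs):
        lat, vert = state
        ga, hdg = inputs
        return (lat_step(lat, ga, hdg), vert_step(vert, ga, hdg))
    return step

def check_ag(init, step, prop, inputs=INPUTS):
    """Explicit-state check of AG prop: breadth-first search over every
    discovered state and every input combination.  Returns
    (states_discovered, None) when prop holds in every reachable state,
    otherwise (states_discovered, trace) where trace is the shortest
    counterexample as a list of (inputs_applied, state) pairs from init."""
    parent = {init: None}           # state -> (predecessor, inputs) or None
    queue = deque([init])
    while queue:
        state = queue.popleft()
        if not prop(state):
            trace = []
            while state is not None:
                edge = parent[state]
                trace.append((None if edge is None else edge[1], state))
                state = None if edge is None else edge[0]
            trace.reverse()
            return len(parent), trace
        for inp in inputs:
            nxt = step(state, inp)
            if nxt not in parent:
                parent[nxt] = (state, inp)
                queue.append(nxt)
    return len(parent), None

INIT = ("ROLL", "PITCH")

def vga_only_with_lga(state):
    """The deck's requirement: Vertical Go Around only if also in Lateral Go Around."""
    lat, vert = state
    return vert != "VGA" or lat == "LGA"

def verify(vert_step):
    """Model-check the composed machine built from the given vertical diagram."""
    return check_ag(INIT, compose(lateral_step, vert_step), vga_only_with_lga)

if __name__ == "__main__":
    for name, vs in (("buggy", vertical_step_buggy), ("fixed", vertical_step_fixed)):
        count, trace = verify(vs)
        verdict = "property holds" if trace is None else "counterexample:"
        print(f"{name}: {count} states discovered, {verdict}")
        for inp, st in trace or []:
            label = "init" if inp is None else f"ga={inp[0]}, hdg={inp[1]}"
            print("   ", label, "->", st)
```

Running it prints the shortest counterexample for the defective vertical diagram (init, then go-around, then a heading selection that leaves the lateral side in HDG while the vertical side stays in VGA) and reports the property holding over the three reachable states of the corrected one. A property written AX AG p, as on slide 2, would check p from every successor of the initial state; this block checks AG p from the initial state itself.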

Errors Found by Model-Checking Composite Mode Transition Diagrams
Table: rows = Detected By (Inspection, Modeling, Simulation, Model Checking, Total); columns = Likelihood of Being Found by Traditional Methods (Trivial, Likely, Possible, Unlikely, Total). Cell values in extraction order: 7 7 1 1 8 8; since all 8 errors on this slide were found by model checking, the Model Checking and Total rows coincide (7 Possible, 1 Unlikely, 8 Total)
§ Errors Found Tended to Be More Serious Errors
§ Checking Relationships Between Mode Transition Diagrams
§ Difficult to Find by Inspections & Simulation
Slide 22

Outline of Presentation (section divider; same outline as Slide 3) Slide 23

Conclusions
§ Model-Based Development is the Industrial Use of Formal Specification
§ Convergence of Model-Based Development and Formal Verification
  – Engineers are Producing Specifications that Can be Analyzed
  – Formal Verification Tools are Getting More Powerful
§ Model Checking is Very Cost Effective
  – Simple and Easy to Use
  – Finds All Exceptions to a Property
  – Used to Find Errors Early in the Lifecycle
§ Applied to Models with Only Boolean and Enumerated Types
Slide 24

Future Directions
§ Numerically Intensive Systems
  – Infinite Bounded Model Checkers
  – Decision Procedures for Integers / Real Numbers
§ Non-linear Arithmetic
  – Automatic Extraction of Conservative Abstractions
§ Applications
  – Spacing & Trajectory
  – Required Navigation Performance (RNP)
  – Collision Avoidance
  – Advanced Flight Control
[Chart residue: Implicit State Model Checkers (< 10^200 Reachable States); Theorem Provers and Infinite Bounded Model Checkers (Arbitrary Models, Labor Intensive); Infinite State Models using k-Induction]
Slide 25

For More Information
§ Alan C. Tribble, Steven P. Miller, and David L. Lempia, Software Safety Analysis of a Flight Guidance System, NASA Contractor Report CR-2004-213004, March 2004, available at http://techreports.larc.nasa.gov/ltrs/dublincore/2004/cr/NASA-2004cr213004.html.
§ Alan C. Tribble and Steven P. Miller, Safety Analysis of Software Intensive Systems, IEEE Aerospace and Electronic Systems, Vol. 19, No. 10, pp. 21-26, October 2004.
§ Steven P. Miller, Mats P. E. Heimdahl, and Alan C. Tribble, Proving the Shalls, in Proceedings of FM 2003: the 12th International FME Symposium, Pisa, Italy, Sept. 8-14, 2003.
§ Alan C. Tribble, David D. Lempia, and Steven P. Miller, Software Safety Analysis of a Flight Guidance System, in Proceedings of the 21st Digital Avionics Systems Conference (DASC'02), Irvine, California, Oct. 27-31, 2002.
Slide 26

Backup Slides Slide 27

Model Checking Process
[Diagram: the Engineer writes the Spec. Model and the Properties; Automatic Translation produces the SMV model and the SMV Properties; the Automated Check by SMV answers "Does the system have property X?" with Yes! or returns a Counter Example]
Slide 28