A Quantum Computing Approach to the Verification and Validation of Complex

Cyber-Physical Systems

Achieving Quality and Cost Control in the Development of Enormous Systems

Copyright 2011 Lockheed Martin Corporation

Safe and Secure Systems and Software Symposium (S5)Beavercreek, Ohio

Program Objective & Products

• Objective

– Develop a system-level verification & validation (V&V) approach and enabling tools that generate probabilistic measures of correctness for an entire large-scale cyber-physical system, where…

– V&V costs insensitive to system complexity.

• Products

– Definition of a protocol/process for performing V&V of complex cyber-physical systems using a quantum simulators, and…

– Demonstration of the utility of the process using an appropriate cyber-physical system (e.g., a triplex VMS for a representative unmanned aircraft) and an existing quantum adiabatic simulator.

2

For the record:

The task of ‘discovery and removal’ of errors from the behavior of our mechatronic products is “V&V”• This includes “software V&V”, of course, but goes beyond to excising

faults in the implicit software expressed by “hardware-in-the-loop” and on to “man-in-the-loop”.

Quantum V&V spans a complex system: the source code is but one subsystem, the processor it runs on is another; the actuators, sensors, wiring harness, structure, and all the rest are others; even the human controlling it, locally or remotely, contemporaneously or via prior programming.

Implicit and explicit software together ARE the system

3

Background

• V&V is the fastest growing cost in systemintegration and growth rates areaccelerating...– Growth in system complexity drives

exponential growth in certification costs.

– Test automation cannot contain growth fed by emergent requirements for new autonomous, intelligent, and adaptive systems.

– Formal methods are provably incomplete and are not reducing costs; ‘correct by construction’ techniques are reducing costs some but are likewise provably incomplete.

Unsustainable development model with current V&V techniques

4

Hardness of Verification & Validation

• V&V is provably hard…– Church-Turing Theorem: 20th century founders of computer science

proved computer-aided software engineering can never catch all errors in the general case – Hilbert’s third problem, Gödel's theorem.

• Today, we agree on a social contract…– If we test critical software in accordance with conventional wisdom, it

will be certified – even though we cannot know if it’s error free.

– Probability of failure: The compact implies there is no way to know the probability of failure of any system based on software controls –so we do not and cannot know how safe our systems truly are.

– Intractability: Even modest systems are now so large it would take the age of the universe to test every failure mode.

David

Hilbert

Alonzo

Church

Alan

TuringKurt Gödel

“Testing can show the presence, not the absence of bugs” – E. W. Dijkstra

“Most errors found in operational software can be traced to requirements flaws… ” – N. G. Leveson

5

Quantum Verification & Validation

• Cyber-Physical Systems (CPS) bound the V&V problem because the physical layer constrains the cyber layer– Noether’s First Theorem: for every symmetry in a physical system, for

which mathematics offers a good model (i.e. a Hamiltonian Lagrangianmodel), there is an associated conservation law.

– Conjecture: while logical Turing Machines (TM) are subject to the Church-Turing Thesis (CTT), real CPS further constrain logic with thermodynamics and are subject to physical simulations not subject to CTT.

• Run a thermodynamic simulation of the system so that errors appear as low energy states– Adiabatic Quantum Simulation performs exactly this evolution and the

appearance of low energy states indicates existence of bugs

6

Unsustainable development model with current V&V techniques

A Typical Complex Cyber-Physical System

Left Air Data Probe

Nose Air Data Probe

Right Air Data Probe

Triplex VMC- CCDL- GPS- IMU- Data Bus- Discrete I/O

Nose LG

Left MLG

Right MLG

EMA

EMA

Actuator Control Unit

(Dual Channel)

Actuator Control Unit

(Dual Channel)

Actuator Control Unit

(Single Channel)

EMA

EMA

Spoiler

Spoiler

7

Quantum Simulation

• In December 2010, LM acquired computational time from D-Wave Systems

• D-Wave produces the only commercialized quantum simulator– Some contention over the “quantumness” of D-Wave’s simulator.

– Recently developed proofs that show the simulator is better than classical.

• State of the art yields 90 qubits, expect 500+ within two years

8

Using Quantum Computing for V&V

• The V&V problem is divided into two sequential phases:

– Phase I – map the classical V&V problem into a problem that can be solved by a quantum computing device.

– Phase II – solve the resulting problem using a quantum computer and/or simulator running on a classical computer.

Inputs Intermediate states Outputs

i1

i2

i3

i4

i5

i6

o1

o2

o3

s4

s3

s2

s1

Phase I Phase II

9

Our Current Quantum-V&V Insight

• How a V&V simulator works– Invariants (and their relationships) are extracted from the code – using any

one of several approaches now under evaluation (Daikon, image/pattern recognition approaches, a ‘smoothness criterion’ approach, a chemical modeling approach, etc).

– The invariants are written into a ‘satisfiability’ expression.

– The resulting satisfiability problem is solved using standard algorithms on an adiabatic quantum computer or a massively parallel classical computer.

• What we have / what needs to be developed– We have: 1) notional baseline for a QV&V procedure; 2) a (classical) computer

code to support partial attainment of our objectives, 3) first generation quantum processor (the DW-1) that we think can be used to carry us into initial utility.

– To be developed: we are testing the core algorithm now (further development is required); develop (or acquire) “invariance extractor”, design & develop an integrated q-sim system testbed based on the DW-1 or derivative.

10

Phase I Approach

• Using machine learning techniques and a variety of commercially available tools extract invariants from the system:

– Empirically determined by repeated execution

– Successfully demonstrated for a software-only model last month

– We are proposing to extend our approach to the entire cyber-physical system (i.e., HW and SW)

Inputs Intermediate states Outputs

i1

i2

i3

i4

i5

i6

o1

o2

o3

s4

s3

s2

s1

11

Phase I Approach cont.

Next we build a reversible reduced machine model of the cyber-physical system

Based on translating the invariants to a Boolean constraint satisfaction problem

Already successfully demonstrated on a software-only model last month

12

Phase II Approach

Using the reduced machine model “run it in reverse” on the D-Wave quantum adiabatic computer while fixing invariants to FALSE Propagate violations backwards through the reduced machine circuit model

Find bug(s) and generate probability of correctness

13

Phase II Approach cont.

• Input problem:– Programmatically or through a user interface

– Access available through a web service connected to the hardware

• Problem is mapped to hardware– True/false converted to +1/-1

– Higher-order interactions are made 2-local

– Connectivity of Ising representation mapped to hardware architecture

• Problem is solved on hardware– Hardware output is stochastic (temperature is not zero) so solve multiple times

– Answers converted from Ising representation back to true/false, and returned in DIMACS output format

14

A Probabilistic Metric?

15

Current Status

• LM studying V&V leveraging Adiabatic Quantum Simulation teamed with D-Wave and several universities:– Harvard

– MIT

– Carnegie Mellon

– U. Southern California

– U. Chicago

– UC-Berkeley

• Demonstrated capability to run “hard” problems on the quantum simulator solving a simple SW test case

• High-potential verification techniques from USC team

• Recent results from our Harvard team show a promising approach to verifying a complete sample problem

16

– U. Edinburgh, UK

– U. Sherbrooke

– U. British Columbia

– U. Waterloo

– Dalhousie

– India Institute of Technology

Questions?

17