advanced technology center slide 1 formal methods in safety-critical systems dr. steven p. miller...
TRANSCRIPT
Advanced Technology Center Slide 1
Formal Methods in Formal Methods in Safety-Critical SystemsSafety-Critical Systems
Dr. Steven P. Miller
Advanced Computing Systems
Rockwell Collins
400 Collins Road NE, MS 108-206
Cedar Rapids, Iowa 52498
Advanced Technology Center Slide 2
What Problem are We Solving?What Problem are We Solving?
Safety-Critical Software Is Too Expensive
Safety-Critical Software Is Often Wrong
DO-178B Certification Is Too Expensive
Cut Development Costs/Cycle Time in Half
Find 10x More Errors than Current Methods
Already Applying This to DO-178B Developments
Advanced Technology Center Slide 3
Are We Making Progress?Are We Making Progress?
Model-Based Development Spreading Rapidly
Prove Properties of Simulink & SCADE Models
Finding Errors Early in the Lifecycle
Several projects at Rockwell Collins
In Seconds on Models with Over 10**100 States
On Real Products!
Advanced Technology Center Slide 4
Outline of PresentationOutline of Presentation
Introduction
Overview of Our Approach
An Example – FGS Mode Logic
Some Recent Accomplishments
The Underlying Technology
What’s Next?
Summary
Advanced Technology Center Slide 5
Who Are We?Who Are We?
Communications
Automated Flight Control
Displays / Surveillance
Aviation Services
In-Flight Entertainment
Integrated Aviation Electronics
Information Management Systems
Navigation
A World Leader In Aviation Electronics And Airborne/ Mobile Communications Systems For Commercial And Military Applications
Advanced Technology Center Slide 6
Rockwell CollinsRockwell Collins
Headquartered in Cedar Rapids, Iowa
14,500 Employees Worldwide
Advanced Technology Center Slide 7
RCI Advanced Technology CenterRCI Advanced Technology Center
The Advanced Technology Center (ATC) identifies, acquires, develops and transitions value-driven technologies to support the continued growth of Rockwell Collins.
The Automated Analysis group applies mathematical tools and reasoning to the problem of producing high assurance systems.
Commercial Systems Government Systems
Advanced Technology Center
Advanced Technology Center Slide 8
Automated Analysis GroupAutomated Analysis Group
Participants in the MCC Formal Methods Transition Study 1991
Formal Specification of the μReal Time Executive in RAISE 1992
Formal Specification of the GE1 Graphics Processor 1996
Formal Verification of Microprocessors 1993 - 2005– AAMP5 Microcode Using PVS
1994– AAMP-FV Microcode Using PVS 1995– JEM Java Virtual Machine Microprocessor Using PVS 1998– FCP2002 Microcode Using ACL2 1999– FCP 2002-2000 Microcode Equivalence Using ACL2 2001– AAMP7 Security Separation Kernel Using ACL2 2003
Formal Validation of Embedded System Requirements 1995 - 2005– FGS Mode Logic using SPC’s CoRE Method 1995– FGS Mode Logic using NRL’s SCR* Tools 1996– FGS Mode Logic Using PVS 1997– FGS Mode Logic Using Matrix-X and T-VEC 1998– FGS Mode Logic Using RMSL-e, PVS, and NuSMV 2002– FGS/FMS/AT Logic Using SCADE and Simulink 2004
Advanced Technology Center Slide 9
Methods and Tools for Methods and Tools for Flight Critical Systems ProjectFlight Critical Systems Project
Five Year Project Started in 2001
Part of NASA’s Aviation Safety Program (Contract NCC-01001)
Funded by the NASA Langley Research Center and Rockwell Collins
Practical Application of Formal Methods To Modern Avionics Systems
Advanced Technology Center Slide 10
Outline of PresentationOutline of Presentation
Introduction
Overview of Our Approach
An Example – FGS Mode Logic
Some Recent Accomplishments
The Underlying Technology
What’s Next?
Summary
Advanced Technology Center Slide 11
Convergence of Two TrendsConvergence of Two Trends
Model-Based Development
AutomatedAnalysis
A Revolutionary Change in How We Design and Build Systems
Advanced Technology Center Slide 12
Model-Based Development ExamplesModel-Based Development Examples
Company Product Tools Specified & Autocoded Benefits Claimed
Airbus A340 SCADE With Code Generator
70% Fly-by-wire Controls 70% Automatic Flight Controls 50% Display Computer 40% Warning & Maint Computer
20X Reduction in Errors Reduced Time to Market
Eurocopter EC-155/135 Autopilot
SCADE With Code Generator
90 % of Autopilot
50% Reduction in Cycle Time
GE & Lockheed Martin
FADEDC Engine Controls
ADI Beacon Not Stated
Reduction in Errors 50% Reduction in Cycle Time Decreased Cost
Schneider Electric
Nuclear Power Plant Safety Control
SCADE With Code Generator
200,000 SLOC Auto Generated from 1,200 Design Views
8X Reduction in Errors while Complexity Increased 4x
US Spaceware
DCX Rocket MATRIXx Not Stated
50-75% Reduction in Cost Reduced Schedule & Risk
PSA Electrical Management System
SCADE With Code Generator
50% SLOC Auto Generated 60% Reduction in Cycle Time 5X Reduction in Errors
CSEE Transport
Subway Signaling System
SCADE With Code Generator
80,000 C SLOC Auto Generated Improved Productivity from 20 to 300 SLOC/day
Honeywell Commercial Aviation Systems
Primus Epic Flight Control System
MATLAB Simulink
60% Automatic Flight Controls 5X Increase in Productivity No Coding Errors Received FAA Certification
Advanced Technology Center Slide 13
Does Model-Based Development Scale?Does Model-Based Development Scale?
Systems Developed Using MBD
• Flight Control
• Auto Pilot
• Flight Warning
• Cockpit Display
• Fuel Management
• Landing Gear
• Braking
• Steering
• Anti-Icing
• Electrical Load Management
Airbus A380
Length 239 ft 6 in
Wingspan 261 ft 10 in
Maximum Takeoff Weight 1,235,000 lbs
Passengers Up to 840
Range 9,383 miles
Advanced Technology Center Slide 14
How Do We Reduce CostsHow Do We Reduce Costsandand Improve Quality? Improve Quality?
RequirementsElicitation
Modeling
Simulation
AutomatedAnalysis
Autocode
Autotest
Reuse
Clear SpecificationsImproves Communication
Easy Validation
Finds Errors Early
Cheaper Than Manual Analysis Finds the Really Hard Errors
Eliminates Manual Coding
Makes Model Primary Artifact
Reduces Cost of Testing
Enables More Testing
10%
10%
15%
5%
10% - 20%
Advanced Technology Center Slide 15
Outline of PresentationOutline of Presentation
Introduction
Overview of Our Approach
An Example – FGS Mode Logic
Some Recent Accomplishments
The Underlying Technology
What’s Next?
Summary
Advanced Technology Center Slide 16
Flight Guidance System Mode LogicFlight Guidance System Mode Logic
RequirementsElicitation
Modeling
Simulation
AutomatedAnalysis
Autocode
Autotest
Reuse
Advanced Technology Center Slide 17
Captured Requirements as ShallsCaptured Requirements as Shalls
Advanced Technology Center Slide 18
ModelingModeling
RequirementsElicitation
Modeling
Simulation
AutomatedAnalysis
Autocode
Autotest
Reuse
Advanced Technology Center Slide 19
Modeling NotationsModeling Notations
node Thrust_Required( FG_Mode : FG_Mode_Type ; Airborne : bool ; In_Flare : bool ; Emergency_Descent : bool; Windshear_Warning : bool ; In_Eng_Accel_Zone : bool ; On_Ground : bool) returns (IsTrue : bool) ;
let
IsTrue = (FG_Thrust_Mode(FG_Mode) and Airborne) or (Airborne and Emergency_Descent) or Windshear_Warning or ((FG_Mode = ThrottleRetard) and In_Flare) or (In_Eng_Accel_Zone and On_Ground) ;tel ;
Textual (Lustre, PVS, SAL, …) Tabular (RSML-e, SCR)
Graphical (Simulink, SCADE)
Advanced Technology Center Slide 20
SimulationSimulation
RequirementsElicitation
Modeling
Simulation
AutomatedAnalysis
Autocode
Autotest
Reuse
Advanced Technology Center Slide 21
SimulationSimulation
Advanced Technology Center Slide 22
Automated AnalysisAutomated Analysis
RequirementsElicitation
Modeling
Simulation
AutomatedAnalysis
Autocode
Autotest
Reuse
Theorem ProversModel Checkers
Advanced Technology Center Slide 23
What Are Model Checkers?What Are Model Checkers?
Breakthrough Technology of the 1990’s Widely Used in Hardware Verification (Intel, Motorola, IBM, …) Several Different Types of Model Checkers
– Explicit, Symbolic, Bounded, Infinite Bounded, …
Exhaustive Search of the Global State Space – Consider All Combinations of Inputs and States– Equivalent to Exhaustive Testing of the Model– Produces a Counter Example if a Property is Not True
Easy to Use– “Push Button” Formal Methods– Very Little Human Effort Unless You’re at the Tool’s Limits
Limitations– State Space Explosion (1020 – 10300 States)
Advanced Technology Center Slide 24
Advantage of Model CheckingAdvantage of Model Checking
System
Testing Checks Only the Values We Select
Even Small Systems Have Trillions (of Trillions) of Possible Tests!
Advanced Technology Center Slide 25
Advantage of Model CheckingAdvantage of Model Checking
Model
Model Checker Tries Every Possible Input and State!
Advanced Technology Center Slide 26
Model Checking ProcessModel Checking Process
Does the systemhave property X?
Model
Engineer
SMV
Automatic TranslationSMV Properties
Properties
Automated Check
Yes!
Counter Example
SMVSpec.
Automatic Translation
Advanced Technology Center Slide 27
Translated Shalls into SMV PropertiesTranslated Shalls into SMV Properties
Advanced Technology Center Slide 28
Validate Requirements Validate Requirements through Model Checkingthrough Model Checking
Proved Over 280 Properties in Less Than an Hour Found Several Errors Some Were Errors in the Model Most Were Incorrect Shalls Revised the Shalls to Improve the Requirements
Advanced Technology Center Slide 29
Translator OptimizationsTranslator Optimizations
Model
CPU Time(To Compute Reachable States)
ImprovementBefore After
Mode1 > 2 hours 11 sec Mode2 > 6 hours 169 sec Mode3 > 2 hours 14 sec Mode4 8 minutes < 1 sec 480x
Arch 34 sec < 1 sec 34x
WBS 29+ hours 1 sec 105,240x
Advanced Technology Center Slide 30
What are Theorem Provers?What are Theorem Provers?
Available Since Late 1980’s– Widely Used on Security and Safety-Critical Systems
Use Rules of Inference to Prove New Properties– Also Consider All Combinations of Inputs and States
– Also Equivalent to Testing with an Infinite Set of Test Cases
– Generate An Unprovable Proof Obligation if a Property is False
Not Limited by State Space– Applicable to Almost Any Formal Specification
Limitations– Require Experience - About Six Months to Become Proficient
– Constructing Proofs is Labor Intensive
Advanced Technology Center Slide 31
Theorem Proving Using PVSTheorem Proving Using PVS
Does the systemhave property X?
Model
Engineer
Automatic Translation
PVSSpec.
PVS
Why not?
Guru
Automated Proof
Automatic Translation
PVS PropertiesProperties
Advanced Technology Center Slide 32
Validate Requirements Validate Requirements Using Theorem ProvingUsing Theorem Proving
Proved Several Hundred Properties Using PVS
More Time Consuming that Model-Checking
Use When Models are Stable and Model-Checking Won’t Work
Advanced Technology Center Slide 33
Outline of PresentationOutline of Presentation
Introduction
Overview of Our Approach
An Example – FGS Mode Logic
Some Recent Accomplishments
The Underlying Technology
What’s Next?
Summary
Advanced Technology Center Slide 34
Example 1 – Mode LogicExample 1 – Mode Logic
RequirementMode A1 => Mode B1
6.8 x 1021 Reachable States
Mode Controller B
Mode Controller A
Counterexample Found inLess than Two Minutes!
Found 27 Errors to Date
Advanced Technology Center Slide 35
Example 2 – Displays LogicExample 2 – Displays Logic
RequirementDrive the Maximum Number of Display Units
Given the Available Graphics Processors
Counterexample Found in 5 Seconds!
Checked 178 Properties – Found Several Errors
883 Subsystems
9,772 Simulink Blocks
2.9 x 1052 Reachable States
Advanced Technology Center Slide 36
Outline of PresentationOutline of Presentation
Introduction
Overview of Our Approach
An Example – FGS Mode Logic
Some Recent Accomplishments
The Underlying Technology
What’s Next?
Summary
Advanced Technology Center Slide 37
Original Tool ChainOriginal Tool Chain
RSML-e
NuSMV Model Checker
PVS Theorem Prover
Rockwell Collins/U of Minnesota
SRI International
RSML-e to NuSMVTranslator
RSML-e to PVSTranslator
Advanced Technology Center Slide 38
Conversion to SCADEConversion to SCADE
Esterel Technologies
Rockwell Collins
DesignVerfier
SRI International
SCADE
Lustre
NuSMV
PVS
Safe StateMachines
Advanced Technology Center Slide 39
Extension to MATLAB SimulinkExtension to MATLAB Simulink
Esterel Technologies
Rockwell Collins
DesignVerfier
MathWorks
SRI International
SCADE
Lustre
NuSMV
PVS
Safe StateMachines
Simulink
SimulinkGateway
StateFlow
Advanced Technology Center Slide 40
Adding SRI Tools to the ChainAdding SRI Tools to the Chain
Esterel Technologies
Rockwell Collins
DesignVerfier
MathWorks
SRI International
SCADE
Lustre
NuSMV
PVS
Safe StateMachines
ACL2
SAL
ICS
SymbolicModel Checker
BoundedModel Checker
Infinite Model Checker
Simulink
SimulinkGateway
StateFlow
Advanced Technology Center Slide 41
Current Tool ChainCurrent Tool Chain
Esterel Technologies
Rockwell Collins
DesignVerfier
MathWorks
SRI International
SCADE
Lustre
NuSMV
PVS
Safe StateMachines
ACL2
SAL
ICS
SymbolicModel Checker
BoundedModel Checker
Infinite Model Checker
Simulink
SimulinkGateway
StateFlow
Reactive Systems
Reactis
Advanced Technology Center Slide 42
Outline of PresentationOutline of Presentation
Introduction
Overview of Our Approach
An Example – FGS Mode Logic
Some Recent Accomplishments
The Underlying Technology
What’s Next?
Summary
Advanced Technology Center Slide 43
Extending the Verification DomainExtending the Verification Domain
BDD-Based Model Checkers
Boolean & Enumerated TypesVery Large State Spaces
SAT-Based Model Checkers
Complex Boolean & Enumerated Types + Integers & Reals
Infinite State Spaces
Arbitrary Systems
(Real Numbers, Large Integers, Infinite State…)
Theorem Provers
Advanced Technology Center Slide 44
Verification of Adaptive SystemsVerification of Adaptive Systems
Advanced Technology Center Slide 45
Requirements Based Test Case GenerationRequirements Based Test Case Generation
Conformance Testing Autogenerate Test Cases From Model Commercial Tools Available
– (T-VEC, REACTIS)
Show Code Conforms to the Model Goal is Structural Coverage (MC/DC)
Requirements Based Testing State Requirements as Properties
Automatically Generate Tests
Goal is to Cover the Requirement
CodeGenerator
CreateModel
Code
Model
Requirements
CreateRequirements Based Tests
CreateAdditional
Structural Tests
Test CaseGenerator
Test CaseGenerator
Properties
Advanced Technology Center Slide 46
Model-Based Safety AnalysisModel-Based Safety Analysis
Add Fault Model for Physical System
Power A
Pedal 1
Feed back
Plant
Fault Tolerant
Control Unit
( BSCU )
Braking System
System A
Power B
Pedal 2 System B
Plant Model
AntiSkid Command
Braking + AntiSkid
Command
Green Pump Blue Pump
Isolation ValveIsolation Valve
Shut Normal System
NORMAL
ALTERNATE
Accumulator Pump
Meter Valve
Meter Valve
Meter Valve
Accumulator Valve
Mechanical Pedal
Selector Valve
Loss AllBraking
Normal SysLoss
Green PumpLoss
Meter ValveLoss
BSCU Lossof Command
PowerSupplies
Fail
BSCU SelectSignal
Inverted
Alt SysLoss
Acc/AS/MechMeter Fails
Both PumpsFail
Blue Fails Acc Fails
SelValveStuck
Model the Physical System
Automation Enables “What-If” Consideration of System Designs
and Digital Controller Architecture Integrates System and Safety Engineering About a Common Model
and the Digital Controller Architecture
Advanced Technology Center Slide 47
Outline of PresentationOutline of Presentation
Introduction
Overview of Our Approach
An Example – FGS Mode Logic
Some Recent Accomplishments
The Underlying Technology
What’s Next?
Summary
Advanced Technology Center Slide 48
SummarySummary
Formal Verification is Becoming Practical– Availability of Accurate Models Early in the Lifecycle
– Growing Power of Automated Analysis Tools
Benefits– Find Errors Early
– Avoid Rework Late in the Lifecycle
– Cheaper and Easier than Traditional Methods
– Orders of Magnitude Better at Finding Errors
Advanced Technology Center Slide 49
SummarySummary
Almost 15 Years of Experience
Thriving Automated Analysis Group
Doing Extensive Work for NASA and the NSA
Broad Tool Expertise– PVS, ACL2, NuSMV, Prover, SAL, Simulink, SCADE, SCR, …
Focus on “Application to Real Systems”
Rockwell Collins is a World Leader in the Industrial Use of Formal Methods