advanced technology center slide 1 formal verification of flight critical software dr. steven p....

Advanced Technology Center Slide 1

Formal Verification of Flight Critical SoftwareFormal Verification of Flight Critical Software

Dr. Steven P. Miller

Advanced Computing Systems

Elise A. Anderson

Commercial Systems Flight Control

Rockwell Collins

400 Collins Road NE, MS 108-206

Cedar Rapids, Iowa 52498

{spmiller,eaanders}@rockwellcollins.com


Concept OverviewConcept Overview

FGSR

ModeLogic

ControlLaws

FGSL

ModeLogic

ControlLaws

AutopilotPFDRPFDL

Air DataL

FMSL

Air DataR

FMSR

FCP

ControlSurfaces

FCS 50000 Flight Control

System

HDG Switch

HDG Switch [Not VAPPR]

GA Switch

PowerUp

SYNC Switch

LAPPR Capture

Chg Coupled-side

ROLL HDG LAPPR LGA

Event 1

Event 2

Event 3Event 4Event 5

Event 6Event 7

VGA

HDG Switch

Event 8Not VGA Event 9

Mode LogicSpecification

SimulinkModel

Mode LogicRequirements

The system shall be in Vertical Go Around

only if it is also in Lateral Go Around

FormalProperties

AX AG(LGA -> VGA) NuSMV Model

Checker

CounterExample


Outline of PresentationOutline of Presentation

Introduction

Model Checking

Specification of the FCS 5000 Mode Logic

Verification of the FCS 5000 Mode Logic

Concluding Remarks


Who Are We?Who Are We?

Communications

Automated Flight Control

Displays / Surveillance

Aviation Services

In-Flight Entertainment

Integrated Aviation Electronics

Information Management Systems

Navigation

A World Leader In Aviation Electronics And Airborne/ Mobile Communications Systems For Commercial And Military Applications


Automated Analysis SectionAutomated Analysis Section

AAMP5 Microcode Verification (PVS)

AAMP-FV Microcode Verification (PVS)

JEM Java Virtual Machine (PVS)

FCP 2002 Microcode (ACL2)

AAMP7 Separation Kernel (ACL2)

FGS Mode Confusion Study (PVS)

FGS Safety Analysis (RSML-e) FGS Mode

Confusion (RSML-e)

Displays Verification (NuSMV)

FCS 5000 FGS Verification (NuSMV)

SHADE(ACL2)

GreenHillsIntegrity RTOS

(ACL2)

1994

1996

1998

2000

2002

2004

2006

AAMP5 Partitioning (PVS)

NASA

NSA

1992

vFaat (ACL2,

PVS)

AFRL

Tech Transfer

NASA LaRC Funded

NSA Funded

AFRL Funded

AvSSP


Methods and Tools for Methods and Tools for Flight Critical Systems ProjectFlight Critical Systems Project

Five Year Project Started in 2001

Part of NASA’s Aviation Safety Program (Contract NCC-01001)

Funded by the NASA Langley Research Center and Rockwell Collins

Practical Application of Formal Methods To Modern Avionics Systems



Introduction

Model Checking



Concluding Remarks


What Are Model Checkers?What Are Model Checkers?

Breakthrough Technology of the 1990’s Widely Used in Hardware Verification (Intel, Motorola, IBM, …) Several Different Types of Model Checkers

– Explicit, Symbolic, Bounded, Infinite Bounded, …

Exhaustive Search of the Global State Space – Consider All Combinations of Inputs and States– Equivalent to Exhaustive Testing of the Model– Produces a Counter Example if a Property is Not True

Easy to Use– “Push Button” Formal Methods– Very Little Human Effort Unless You’re at the Tool’s Limits

Limitations– State Space Explosion (10100 – 10300 States)


Advantage of Model CheckingAdvantage of Model Checking

Testing Checks Only the Values We Select

Even Small Systems Have Trillions (of Trillions) of Possible Tests!


Advantage of Model CheckingAdvantage of Model Checking

Model Checker Tries Every Possible Input and State!


Translation FrameworkTranslation Framework

Simulink

StateFlow

SCADE

Safe StateMachines

SimulinkGateway

SimulinkGateway

Lustre

NuSMV

PVS

DesignVerifier

SAL

ICS

SymbolicModel Checker

BoundedModel Checker

Infinite BoundedModel Checker

Reactis

MathWorks

Esterel Technologies

SRI International

Rockwell Collins/University of Minnesota

Reactis


Example - ADGS-2100 Adaptive Display & Example - ADGS-2100 Adaptive Display & Guidance SystemGuidance System

RequirementDrive the Maximum Number of Display Units

Given the Available Graphics Processors

Counterexample Found in 5 Seconds!

Checking 373 PropertiesFound Over 60 Errors

883 Subsystems

9,772 Simulink Blocks

2.9 x 1052 Reachable States



Introduction

Model Checking



Concluding Remarks


Flight Guidance System OverviewFlight Guidance System Overview

FGSR

ModeLogic

ControlLaws

FGSL

ModeLogic

ControlLaws

AutopilotPFDRPFDL

Air DataL

FMSL

Air DataR

FMSR

FCP

ControlSurfaces


Simple Mode Transition DiagramSimple Mode Transition Diagram

HDG Switch


GA Switch

PowerUp

SYNC Switch

LAPPR Capture

Chg Coupled-side

ROLL HDG LAPPR LGA

Event 1

Event 2


Event 6Event 7

VGA

HDG Switch



Synchronous Composition of Synchronous Composition of Two Mode Transition DiagramsTwo Mode Transition Diagrams

1-z

1-z



Introduction

Model Checking



Concluding Remarks


Summary of Errors FoundSummary of Errors Found

Model-Checking Detected the Majority of Errors

Model-Checking Detected the Most Serious Errors

Found Early in the Lifecycle during Requirements Analysis

Dectected By

Likelihood of Being Found by Traditional Methods

Trivial Likely Possible Unlikely Total

Inspection 1 2 3

Modeling 5 1 6

Simulation

Model Checking 2 1 13 1 17 Total 2 6 15 3 26


Verification of IndividualVerification of Individual Mode Transition Diagrams Mode Transition Diagrams

HDG Switch


GA Switch

PowerUp

SYNC Switch

LAPPR Capture

Chg Coupled-side

ROLL HDG LAPPR LGA

Event 1

Event 2


Event 6Event 7

VGA

HDG Switch


AX AG( LGA AX( Event9 ROLL ))

AX AG( LGA AX( (Event4 & !Event6 & !Event9) HDG))

AX AG( Event8 LGA ) False


Errors Found Verifying Errors Found Verifying Individual Mode MachinesIndividual Mode Machines

Model-Checking Found Half the Errors

Tended to Find the Less Serious Errors

Counter Example Pinpoints Source of the Error

Dectected By



Inspection 1 2 3

Modeling 5 1 6

Simulation

Model Checking 2 1 6 9 Total 2 6 8 2 18


Verification of Composite MachinesVerification of Composite Machines

RequirementMode A1 => Mode B1

5.1 x 1027 Reachable States

Mode Controller B

Mode Controller A

Counterexample Found inLess than Two Minutes!

Found 8 More Errors


Errors Found by Model-Checking Errors Found by Model-Checking Composite Mode Transition Diagrams Composite Mode Transition Diagrams

Errors Found Tended to Be More Serious Errors

Checking Relationships Between Mode Transition Diagrams

Difficult to Find by Inspections & Simulation

Dectected By



Inspection

Modeling

Simulation

Model Checking 7 1 8 Total 7 1 8



Introduction

Model Checking



Concluding Remarks


ConclusionsConclusions

Model-Based Development is the Industrial Use Formal Specification

Convergence of Model-Based Development and Formal Verification– Engineers are Producing Specifications that Can be Analyzed– Formal Verification Tools are Getting More Powerful

Model Checking is Very Cost Effective– Simple and Easy to Use– Finds All Exceptions to a Property– Used to Find Errors Early in the Lifecycle

Applied to Models with Only Boolean and Enumerated Types


Future DirectionsFuture Directions

Numerically Intensive Systems– Infinite Bounded Model Checkers– Decision Procedures for Integers

and Real Numbers

Non-linear Arithmetic– Automatic Extraction of

Conservative Abstractions

Applications– Spacing & Trajectory– Required Navigation Performance (RNP)– Collision Avoidance– Advanced Flight Control

Theorem Provers

Arbitrary ModelsLabor Intensive

Infinite Bounded Model Checkers

Infinite State Models using k- Induction

Implicit State

< 10 200 Reachable States

Model Checkers


For More InformationFor More Information

Alan C. Tribble, Steven P. Miller, and David L. Lempia, Software Safety Analysis of a Flight Guidance System, NASA Contractor Report CR-2004-213004, March 2004, available at http://techreports.larc.nasa.gov/ltrs/dublincore/2004/cr/NASA-2004-cr213004.html.

Alan C. Tribble and Steven P. Miller, Safety Analysis of Software Intensive Systems, IEEE Aerospace and Electronic Systems, Vol. 19, No. 10, pp. 21 - 26, October 2004.

Steven P. Miller, Mats P.E. Heimdahl, and Alan C. Tribble, Proving the Shalls, in Proceedings of FM 2003: the 12th International FME Symposium, Pisa, Italy, Sept. 8-14, 2003.

Alan C. Tribble, David D. Lempia, and Steven P. Miller, Software Safety Analysis of a Flight Guidance System, in Proceedings of the 21st Digital Avionics Systems Conference (DASC'02), Irvine, California, Oct. 27-31, 2002.


Backup SlidesBackup Slides


Model Checking ProcessModel Checking Process

Does the systemhave property X?

Model

Engineer

SMV

Automatic TranslationSMV Properties

Properties

Automated Check

Yes!

Counter Example

SMVSpec.

Automatic Translation

advanced technology center slide 1 formal verification of flight critical software dr. steven p....

Documents

avssp slide

mode logic verification

breakthrough technology

verification nusmv fcs

nasa langley research

small systems

hardware verification

vfaat acl2