Formal Model-Based Development in Aerospace Systems: Challenges to Adoption Mats P. E. Heimdahl University of Minnesota Software Engineering Center Critical.
Formal Model-Based Development in Aerospace Systems: Challenges to Adoption Mats P. E. Heimdahl University of Minnesota Software Engineering Center Critical Systems Research Group Department of Computer Science and Engineering University of Minnesota

and a Plea for Help

Domain of Concern

How we Develop Software
(Process diagram: Concept Formation, Requirements, Specification, Design, Implementation, Integration, System; verification activities: Analysis, Unit Test, Integration Test, System Test, Object Code Test.)

Model-Based Development
(Diagram: the Specification Model at the centre, supporting Visualization, Prototyping, Testing, Code generation and Analysis of Properties.)

Model-Based Development Tools
Commercial Products
–Esterel Studio and SCADE Studio from Esterel Technologies
–Rhapsody from I-Logix
–Simulink and Stateflow from Mathworks Inc.
–Rose Real-Time from Rational
–Etc. Etc.

How we Will Develop Software
(Process diagram: Concept Formation, Requirements, System Specification/Model with Properties and Analysis, Implementation, Integration; verification activities: Specification Test, Integration Test, System Test.)

What Does Industry Want? Better / Safer Cheaper Faster

Model-Based Development Examples

Problem 1 Believing Testing Can be Eliminated Testing will always be a crucial (and costly) component

How we Develop Software
(Process diagram: Concept Formation, Requirements, Specification, Design, Implementation, Integration, System; verification activities: Analysis, Unit Test, Integration Test, System Test, Object Code Test.)

Testing Does not go Away
(Process diagram: Concept Formation, Requirements, System Specification/Model with Properties, Implementation, Integration; Extensive Testing (MC/DC) is still required.)

It Simply Moves
(Same process diagram; the Extensive Testing (MC/DC) activity is shown moving to the System Specification/Model.)

Do it the Right Way
(Process diagram: Concept Formation, Requirements, System Specification/Model with Properties and Analysis, Implementation, Integration; verification activities: Specification Test, Unit Test, Integration Test, System Test.)

Example: ADGS-2100 Adaptive Display & Guidance System
Requirement: Drive the Maximum Number of Display Units Given the Available Graphics Processors
Counterexample Found in 5 Seconds!
Checking 573 Properties Found 98 Errors
883 Subsystems, 9,772 Simulink Blocks, 2.9 x Reachable States

Remedy
Be honest about the capabilities of model-based development and formal methods
–Done right, provides outstanding requirements, models, analysis, etc., etc.
–May greatly reduce the effort spent in testing

Problem 2 Believing the Model is Everything The model is never enough

Modeling is so much fun
(Diagram labelled “Modeling Frenzy” and “Headfirst into modeling”: Concept Formation, Requirements, System Specification/Model with Properties, Implementation, Integration. How do we know the model is “right”?)

Do it the Right Way
(Process diagram: Concept Formation, Requirements, Specification/Model with Properties and Analysis, Implementation, Integration; verification activities: Specification Test, Unit Test, Integration Test, System Test.)

Remedies
Recognize the Role of Software Requirements
–The model is not everything
Development Methods for Model-Based Development Badly Needed
–Model-Based Software Development Process
Develop Tools and Techniques for Model, Properties, and Requirements Management
Develop Inspection Checklists and Style Guidelines for Models

Problem 3 Trusting Verification To really mess things up, you need formal verification

Model Checking Process
(Diagram: the Engineer asks “Does the system have property X?”; the Model is automatically translated to an SMV Spec. and the Properties to SMV Properties; the Automated Check answers Yes!)

Model Checking Process
(Diagram: the Engineer asks “Does the system have property X?”; the Model is automatically translated to an SMV Spec. and the Properties to SMV Properties; the Automated Check answers No! and produces a Counter Example.)

Property or Model: Who is Right?
The Mode Annunciations shall be turned on when the Flight Director is turned on:
AG(Onside_FD_On -> Mode_Annunciations_On)
If this side is active, the Mode Annunciations shall be turned on when the Flight Director is turned on:
AG((Is_This_Side_Active & Onside_FD_On) -> Mode_Annunciations_On)
If this side is active and the Mode Annunciations are off, the Mode Annunciations shall be turned on when the Flight Director is turned on:
AG(!Mode_Annunciations_On -> AX((Is_This_Side_Active & Onside_FD_On) -> Mode_Annunciations_On))

Translated All the “Shalls” into SMV Properties

Analysis Process Steps
All properties verified (!), or…
Counterexamples found for some properties
Simulate counterexample in MBD environment and make corrections to:
–model
–properties
–requirements
–assumptions (invariants)
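The “Property or Model: Who is Right?” slide and the analysis steps above can be walked through on a toy model. The following is an added example, not code from the talk or from the ADGS-2100 project: a constructed three-variable model of one side of a flight-director display (the crew being able to switch annunciations off is an assumed behaviour) and a minimal explicit-state checker for the AG and AG(p -> AX q) shapes of the three property formulations. The first two formulations produce counterexample traces, which is exactly the “model, properties, requirements or assumptions?” question the analysis steps raise; the third holds.

```python
from collections import deque
from itertools import product

# Constructed toy model of one side of a flight-director display (not the
# ADGS-2100 model from the talk). State = (Is_This_Side_Active, Onside_FD_On,
# Mode_Annunciations_On). Inputs are free each cycle; annunciations come on
# whenever this side is active and its FD is on, but the crew may switch them off.
INIT = (False, False, False)

def successors(state):
    nxt = set()
    for a, f in product((False, True), repeat=2):
        nxt.add((a, f, a and f))        # annunciations follow active & FD
        if state[2]:
            nxt.add((a, f, False))      # crew turned the annunciations off
    return nxt

def reachable():
    """Breadth-first exploration; maps each reachable state to its BFS predecessor."""
    pred, work = {INIT: None}, deque([INIT])
    while work:
        s = work.popleft()
        for t in successors(s):
            if t not in pred:
                pred[t] = s
                work.append(t)
    return pred

def path_to(pred, state):
    path = []
    while state is not None:
        path.append(state)
        state = pred[state]
    return path[::-1]

def check_AG(p):
    """AG p: None if p holds in every reachable state, else a counterexample path."""
    pred = reachable()
    return next((path_to(pred, s) for s in pred if not p(s)), None)

def check_AG_AX(p, q):
    """AG(p -> AX q): every successor of a reachable p-state must satisfy q."""
    pred = reachable()
    return next((path_to(pred, s) + [t] for s in pred if p(s)
                 for t in successors(s) if not q(t)), None)

fd_on, ann_on = (lambda s: s[1]), (lambda s: s[2])     # s = (active, fd_on, ann_on)
act_fd = lambda s: s[0] and s[1]
prop1 = check_AG(lambda s: not fd_on(s) or ann_on(s))   # AG(Onside_FD_On -> Mode_Annunciations_On)
prop2 = check_AG(lambda s: not act_fd(s) or ann_on(s))  # AG((Is_This_Side_Active & Onside_FD_On) -> ...)
prop3 = check_AG_AX(lambda s: not ann_on(s), lambda s: not act_fd(s) or ann_on(s))  # AG(!ann -> AX(...))
```

prop1 fails on the inactive side (FD on, annunciations off), prop2 fails on the trace where the crew switched the annunciations off, and prop3 returns None; the traces are what an engineer would replay in the modeling environment before deciding which of the four artefacts to correct.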

Remedies
Develop techniques to determine adequacy of model and property set
–How do we know they are any “good”?
Techniques for management of invariants
–How do we validate the assumptions we make?
Methodology and guidance badly needed
–Tools with training wheels
–“Verification for Dummies”
All we need is one high-profile verified system to fail spectacularly to set us back a decade or more

Model Checking Process
(Diagram: the same automatic translation of Model and Properties to SMV Spec. and SMV Properties; the Automated Check answers “?”, the Guru asks “Why?”, and the Engineer is Out to Lunch.)

Problem 4 Believing One Tool Will Be Enough To be effective, we need a suite of notations and analysis tools (and the ability to continually integrate new ones)

Original Tool Chain
(Diagram: RSML-e models go through the RSML-e to NuSMV Translator to the NuSMV Model Checker and through the RSML-e to PVS Translator to the PVS Theorem Prover; translators by Rockwell Collins/U of Minnesota, PVS from SRI International.)

Conversion to SCADE
(Diagram: Simulink/StateFlow (MathWorks) via the Simulink Gateway to SCADE/Safe State Machines (Esterel Technologies), which feed Design Verifier and Lustre; Lustre translated to NuSMV and PVS; SPY. Contributors: University of Minnesota/Rockwell Collins (NASA LaRC Funded), University of Minnesota (NASA IV&V Funded).)

Current(?) Tool Status
(Diagram: Simulink/StateFlow (MathWorks) via the Simulink Gateway and Reactis (Reactive Systems) to SCADE/Safe State Machines, Design Verifier and Lustre (Esterel Technologies); Lustre translated to NuSMV, PVS, SAL (Symbolic Model Checker, Bounded Model Checker, Infinite Model Checker) and ICS (SRI International); SPY. Contributors: University of Minnesota/Rockwell Collins (NASA LaRC), University of Minnesota (NASA IV&V).)

Three Conjectures
No one modeling language will be universally accepted, nor universally applicable
No one verification/validation tool will satisfy the analysis needs of a user
Languages and tools must be tested on real world problems by practicing engineers
–Preferably in commercial tools

Translation – with no IL: Effort = m * n, high quality translations
(Diagram: m modeling languages (Lustre, Lustre++, poly, poly’, tables, SCADE, RSML-e), each translated directly to n target languages (PVS, SMV, C).)

Translation – with IL: Effort = m + n, low quality translations
(Diagram: the same m modeling languages (Lustre, Lustre++, poly, poly’, tables, SCADE, RSML-e) translated to a single intermediate language IL, which is then translated to the n target languages (PVS, SMV, C).)

A Proposed Framework (Van Wyk)
Based on techniques from extensible programming languages, specifically attribute grammars extended with forwarding.
Hypothesis:
–An extensible language may serve as a host language for domain specific extensions (to construct new modeling languages),
–while forwarding enables the feasible construction of high quality translations from source specification languages to target analysis languages.
Provided to spur discussion only! There may be better solutions.

Translation – with lang. exts.: Effort = m + n + Σ t_i, high quality translations
(Diagram: Lustre as the host language with extensions Lustre++, poly, poly’, tables, SCADE and RSML-e; host translations c_trans, smv_trans and pvs_trans to the n target languages (PVS, SMV, C); extension-specific translations pvs_trans (t1), pvs_trans (t2) and c_trans (t3), with forwarding covering the rest.)

Remedies
Next generation tools must allow easy extension and modification of notations to meet domain specific needs
They must allow easy construction of high-quality translations from modeling notations to analysis tools
They also must enable controlled reuse of tool infrastructure to make tool extensions cost effective

Problem Summary
Believing Testing Can be Eliminated
Believing the Model is Everything
Trusting Verification
Believing One Tool Will Be Enough

Thank You
Rockwell Collins
–Steven Miller
–Michael Whalen
–Alan Tribble
–Michael Peterson
NASA Langley
–Ricky Butler
–Kelly Hayhurst
–Celeste Bellcastro
NASA Ames
–Michael Lowry
NASA IV&V Facility
–Kurt Woodham (L3-Titan)
My Students at Minnesota
–Anjali Joshi
–Ajitha Rajan
–Yunja Choi
–Sanjai Rayadurgam
–Devaraj George
–Dan O'Brien
Opinions in talk are mine. Do not blame the innocent.

Discussion

For More Information
Michael W. Whalen et al., Formal Validation of Avionics Software in a Model-Based Development Process, Formal Methods in Industrial Critical Systems (FMICS’2007), July.
Steven P. Miller, Alan C. Tribble, Michael W. Whalen, Mats P. E. Heimdahl, Providing the Shalls, International Journal on Software Tools for Technology Transfer (STTT), Feb.
Michael W. Whalen, John D. Innis, Steven P. Miller, and Lucas G. Wagner, ADGS-2100 Adaptive Display & Guidance System, NASA Contractor Report NASA-2006-CR213952, Feb. Available at
A lot of good reading at
Eric Van Wyk and Mats Heimdahl, Flexibility in Modeling Languages and Tools: A Call to Arms. To appear in Software Tools for Technology Transfer.