Timing Tolerances in Safety-Critical Software Alan Wassyng, Mark Lawford, Xiayong Hu FM 2005 Software Quality Research Laboratory McMaster University

1 Introduction n Built on definitions and analysis developed at Ontario Power Generation for safety-critical software applications in the nuclear power industry. n Need to describe timing behaviour that includes tolerances in time durations. n Need to describe timing tolerances that allow deviations from ideal behaviour specified by typical requirements models.

2 Examp l e n To filter noisy signals we may specify that a sensor signal above its setpoint (the event) sustained for 300 ms causes a “trip”. n If the event is sustained for less than 300 ms, the trip must not occur. n Similarly, if the event is sustained for 300 ms or longer, the trip must be generated. n Without tolerances on the time duration, these requirements would be impossible to meet, so the duration may be specified as 300±50 ms for instance. Introduction

3 Implementations of example specification. Informal spec: Trip if m_signal is above setpoint for 300±50 ms. Introduction

4 Model & Notation n Model: u Finite State Machine, discrete time with arbitrarily small clock-tick. u Stimuli  monitored variables. u Responses  controlled variables. u C(t) - vector of values of controlled variables at time t. u M(t) - vector of values of monitored variables at time t. u S(t) - vector of values of state variables at time t. u C(t k )  R(M(t k ), S(t k )) S(t k+1 )  NST(M(t k ), S(t k )) where t 0 is time of initialisation,  t = t k+1 - t k k = 0,1,2,…

5 n Notation: u t now represents current time. u variable -n is value of variable n clock-ticks ago. u We use tabular expressions wherever possible: Model & Notation =

6 Definitions n (Condition) Held for (d,  L,  R) (Infix operator) duration defined by constant d (>0), with tolerances -  L, +  R (0 ≤  L < d, 0 ≤  R)

7 n Formal definition of “Held for” Definitions

8 n Periodic(Condition, d,  L,  R) Definitions

9 n Formal definition of “Periodic” Definitions

10 n SyncPeriodic(d,  L,  R) Definitions

11 n Formal definition of “SyncPeriodic” Definitions

12 Functional Timing Requirements n Functional timing requirements are timing requirements that are directly related to the required behaviour of the application. u So, “Held for”, “Periodic” and “SyncPeriodic” are examples of templates describing functional timing requirements. u Other common functional timing requirements can be modeled in similar fashion. u These requirements are interpreted within the constraints of the governing model, in our case the discrete time FSM with arbitrarily small clock-tick. This describes idealised behaviour with the capability of including tolerances on all timing durations.

13 Performance Timing Requirements n Idealised behaviour totally ignores the fact that an implementation cannot continuously monitor sensor values and requires a finite, non-zero amount of time to process its results. n To complete the description of the required behaviour, a requirements document must also specify the performance tolerances that are allowed in meeting functional timing requirements. n We identify two different performance timing requirements. u Timing Resolution u Response Allowance

14 n Timing Resolution PTRs

15 n Response Allowance u The Response Allowance (RA) for a controlled-monitored variable pair specifies an allowable processing delay. u Each controlled variable must have an RA specified for it. The RA applies to the controlled variable and the particular monitored variable on which the controlled variable’s behaviour depends. u The RA is measured from the time the event actually occurred in the physical domain, until the time the value of the controlled variable is generated and crosses the application boundary into the physical domain. u The RA for the pair c-m is meaningless if c does not change its value in response to a change in the value of m (the effect must be visible externally). u The time sequence of externally generated values of a controlled variable c cannot be altered by consideration of the RAs for each c-m pair. PTRs

16 PTRs

17 PTRs NO!

18 Interaction Between FTRs & PTRs n Timing resolution & sustained events (  j: ts j  TR )

19 Interaction ts_min  ts j  ts_max for each j  {0..n} Need at least 2 samples in this interval to ensure decision based on value in this interval

20 Interaction 0 < ts_max  (  L +  R) / 2  implementable (  L +  R) < ts_max  not implementable Need at least 2 samples in this interval to ensure decision based on value in this interval

21 Interaction (  L +  R) / 2 < ts_max  (  L +  R): k min = int((d -  L) / ts_max); k max = int((d -  L) / ts_min) k min  k max  k max  ts_min  d -  L & k max  ts_max > d -  L   k |  ts j = d -  L -  (  arbitrarily small > 0)  not implementable. k = k min = k max   ts j  d -  L   ts j > d -  L So, if (k + 2)  ts_max  d +  R then it is implementable. k j=1 k k+1 and

22 Interaction Analysis applied to examples. The tolerances on the sample intervals are shown in paren- theses. As we would expect, jitter in the sample interval makes it more difficult to implement the requirement.

23 Interaction Analysis applied to examples. The tolerances on the sample intervals are shown in paren- theses. Longer durations are more difficult to implement.

24 Interaction n Response allowance with sustained events u Two cases to consider: F Event ends before it is sustained. Easy to deal with. The usual ra is applied. F Event is successfully sustained. Not so easy. Apply ra for the unsuccessful case in addition to the maximum duration of the sustained event, i.e. d +  R. u Example: ra is 250 ms, event must be sustained for k_delay ms, k_delay in [400-40, ] ms. F Response allowance is 675 ms if sustained, 250 ms if not. F We write it as 675 ms Held for (k_delay) / 250 ms.

25 Conclusion n We have separated functional and performance timing requirements. n We have provided example definitions for specific functional timing requirements, and the definitions include the effects of tolerances. n We have also analysed specific interactions between functional and performance timing requirements.

26 n So - why do we think this is useful? u The definitions are precise and practical. They allow behaviours that agree with our intuitive concepts but can be used to adjudicate objectively in cases where we have a “discussion” between verifiers and developers. u The advantage of having formal definitions and analyses that deal with tolerances is that we can now develop tools that will help automate scheduling and verification of timing requirements. u The analysis is simple yet effective. We do not have to force TRs to be less than (  L +  R) /2. We can find implementable sampling intervals in the range ( (  L +  R) /2, (  L +  R) ), and we have shown that minimising jitter in the sampling intervals is really worth while. Even small jitter can result in not being able to implement a requirement unless we have the maximum sampling interval less than (  L +  R) /2. Conclusion

27 n Future work u Complete formalisation of timing requirements and their implementation using PVS. Currently partially completed, including confirmation of the analysis presented earlier. u Analysis of effect of TRs and RAs on intermediate functions in the requirements decomposition. Conclusion

28 Thanks - see you at FM’06 at McMaster University, Canada