Presentation is loading. Please wait.

Presentation is loading. Please wait.

Advanced Technology Center Slide 1 Formal Methods in Safety-Critical Systems Dr. Steven P. Miller Advanced Computing Systems Rockwell Collins 400 Collins.

Published byLuke Reeves Modified over 9 years ago

Similar presentations

Presentation on theme: "Advanced Technology Center Slide 1 Formal Methods in Safety-Critical Systems Dr. Steven P. Miller Advanced Computing Systems Rockwell Collins 400 Collins."— Presentation transcript:

1 Advanced Technology Center Slide 1 Formal Methods in Safety-Critical Systems Dr. Steven P. Miller Advanced Computing Systems Rockwell Collins 400 Collins Road NE, MS 108-206 Cedar Rapids, Iowa 52498 spmiller@rockwellcollins.com

2 Advanced Technology Center Slide 2 What Problem are We Solving?  Safety-Critical Software Is Too Expensive  Safety-Critical Software Is Often Wrong  DO-178B Certification Is Too Expensive Cut Development Costs/Cycle Time in Half Find 10x More Errors than Current Methods Already Applying This to DO-178B Developments

3 Advanced Technology Center Slide 3 Are We Making Progress?  Model-Based Development Spreading Rapidly  Prove Properties of Simulink & SCADE Models  Finding Errors Early in the Lifecycle Several projects at Rockwell Collins In Seconds on Models with Over 10 **100 States On Real Products!

4 Advanced Technology Center Slide 4 Outline of Presentation Introduction Overview of Our Approach An Example – FGS Mode Logic Some Recent Accomplishments The Underlying Technology What’s Next? Summary

5 Advanced Technology Center Slide 5 Who Are We? Communications Automated Flight Control Displays / Surveillance Aviation Services In-Flight Entertainment Integrated Aviation Electronics Information Management Systems Navigation A World Leader In Aviation Electronics And Airborne/ Mobile Communications Systems For Commercial And Military Applications

6 Advanced Technology Center Slide 6 Rockwell Collins Headquartered in Cedar Rapids, Iowa 14,500 Employees Worldwide

7 Advanced Technology Center Slide 7 RCI Advanced Technology Center  The Advanced Technology Center (ATC) identifies, acquires, develops and transitions value-driven technologies to support the continued growth of Rockwell Collins.  The Automated Analysis group applies mathematical tools and reasoning to the problem of producing high assurance systems. Commercial Systems Government Systems Advanced Technology Center

8 Slide 8 Automated Analysis Group  Participants in the MCC Formal Methods Transition Study1991  Formal Specification of the μReal Time Executive in RAISE1992  Formal Specification of the GE1 Graphics Processor1996  Formal Verification of Microprocessors 1993 - 2005 – AAMP5 Microcode Using PVS 1994 – AAMP-FV Microcode Using PVS1995 – JEM Java Virtual Machine Microprocessor Using PVS1998 – FCP2002 Microcode Using ACL21999 – FCP 2002-2000 Microcode Equivalence Using ACL22001 – AAMP7 Security Separation Kernel Using ACL22003  Formal Validation of Embedded System Requirements 1995 - 2005 – FGS Mode Logic using SPC’s CoRE Method1995 – FGS Mode Logic using NRL’s SCR* Tools1996 – FGS Mode Logic Using PVS1997 – FGS Mode Logic Using Matrix-X and T-VEC1998 – FGS Mode Logic Using RMSL-e, PVS, and NuSMV2002 – FGS/FMS/AT Logic Using SCADE and Simulink2004

9 Advanced Technology Center Slide 9 Methods and Tools for Flight Critical Systems Project  Five Year Project Started in 2001  Part of NASA’s Aviation Safety Program (Contract NCC-01001)  Funded by the NASA Langley Research Center and Rockwell Collins  Practical Application of Formal Methods To Modern Avionics Systems

10 Advanced Technology Center Slide 10 Outline of Presentation Introduction Overview of Our Approach An Example – FGS Mode Logic Some Recent Accomplishments The Underlying Technology What’s Next? Summary

11 Advanced Technology Center Slide 11 Convergence of Two Trends Model-Based Development Automated Analysis A Revolutionary Change in How We Design and Build Systems

12 Advanced Technology Center Slide 12 Model-Based Development Examples

13 Advanced Technology Center Slide 13 Does Model-Based Development Scale? Systems Developed Using MBD Flight Control Auto Pilot Flight Warning Cockpit Display Fuel Management Landing Gear Braking Steering Anti-Icing Electrical Load Management Airbus A380 Length 239 ft 6 in Wingspan 261 ft 10 in Maximum Takeoff Weight 1,235,000 lbs PassengersUp to 840 Range9,383 miles

14 Advanced Technology Center Slide 14 How Do We Reduce Costs and Improve Quality? Requirements Elicitation Modeling Simulation Automated Analysis Autocode Autotest Reuse Clear Specifications Improves Communication Easy Validation Finds Errors Early Cheaper Than Manual Analysis Finds the Really Hard Errors Eliminates Manual Coding Makes Model Primary Artifact Reduces Cost of Testing Enables More Testing 10% 15% 5% 10% - 20%

15 Advanced Technology Center Slide 15 Outline of Presentation Introduction Overview of Our Approach An Example – FGS Mode Logic Some Recent Accomplishments The Underlying Technology What’s Next? Summary

16 Advanced Technology Center Slide 16 Flight Guidance System Mode Logic Requirements Elicitation Modeling Simulation Automated Analysis Autocode Autotest Reuse

17 Advanced Technology Center Slide 17 Captured Requirements as Shalls

18 Advanced Technology Center Slide 18Modeling Requirements Elicitation Modeling Simulation Automated Analysis Autocode Autotest Reuse

19 Advanced Technology Center Slide 19 Modeling Notations node Thrust_Required( FG_Mode : FG_Mode_Type ; Airborne : bool ; In_Flare : bool ; Emergency_Descent : bool; Windshear_Warning : bool ; In_Eng_Accel_Zone : bool ; On_Ground : bool) returns (IsTrue : bool) ; let IsTrue = (FG_Thrust_Mode(FG_Mode) and Airborne) or (Airborne and Emergency_Descent) or Windshear_Warning or ((FG_Mode = ThrottleRetard) and In_Flare) or (In_Eng_Accel_Zone and On_Ground) ; tel ; Textual (Lustre, PVS, SAL, …) Tabular (RSML -e, SCR) Graphical (Simulink, SCADE)

20 Advanced Technology Center Slide 20Simulation Requirements Elicitation Modeling Simulation Automated Analysis Autocode Autotest Reuse

21 Advanced Technology Center Slide 21Simulation

22 Advanced Technology Center Slide 22 Automated Analysis Requirements Elicitation Modeling Simulation Automated Analysis Autocode Autotest Reuse Theorem ProversModel Checkers

23 Advanced Technology Center Slide 23 What Are Model Checkers?  Breakthrough Technology of the 1990’s  Widely Used in Hardware Verification (Intel, Motorola, IBM, …)  Several Different Types of Model Checkers – Explicit, Symbolic, Bounded, Infinite Bounded, …  Exhaustive Search of the Global State Space – Consider All Combinations of Inputs and States – Equivalent to Exhaustive Testing of the Model – Produces a Counter Example if a Property is Not True  Easy to Use – “Push Button” Formal Methods – Very Little Human Effort Unless You’re at the Tool’s Limits  Limitations – State Space Explosion (10 20 – 10 300 States)

24 Advanced Technology Center Slide 24 Advantage of Model Checking System Testing Checks Only the Values We Select Even Small Systems Have Trillions (of Trillions) of Possible Tests!

25 Advanced Technology Center Slide 25 Advantage of Model Checking Model Model Checker Tries Every Possible Input and State!

26 Advanced Technology Center Slide 26 Model Checking Process Does the system have property X? Model Engineer SMV Automatic Translation SMV Properties Properties Automated Check Yes! Counter Example SMV Spec. Automatic Translation

27 Advanced Technology Center Slide 27 Translated Shalls into SMV Properties

28 Advanced Technology Center Slide 28 Validate Requirements through Model Checking  Proved Over 280 Properties in Less Than an Hour  Found Several Errors  Some Were Errors in the Model  Most Were Incorrect Shalls  Revised the Shalls to Improve the Requirements

29 Advanced Technology Center Slide 29 Translator Optimizations Model CPU Time (To Compute Reachable States) Improvement BeforeAfter Mode1> 2 hours11 sec  Mode2> 6 hours169 sec  Mode3> 2 hours14 sec  Mode48 minutes< 1 sec480x Arch34 sec< 1 sec34x WBS29+ hours1 sec105,240x

30 Advanced Technology Center Slide 30 What are Theorem Provers?  Available Since Late 1980’s – Widely Used on Security and Safety-Critical Systems  Use Rules of Inference to Prove New Properties – Also Consider All Combinations of Inputs and States – Also Equivalent to Testing with an Infinite Set of Test Cases – Generate An Unprovable Proof Obligation if a Property is False  Not Limited by State Space – Applicable to Almost Any Formal Specification  Limitations – Require Experience - About Six Months to Become Proficient – Constructing Proofs is Labor Intensive

31 Advanced Technology Center Slide 31 Theorem Proving Using PVS Does the system have property X? Model Engineer Automatic Translation PVS Spec. PVS Why not? Guru Automated Proof Automatic Translation PVS Properties Properties

32 Advanced Technology Center Slide 32 Validate Requirements Using Theorem Proving  Proved Several Hundred Properties Using PVS  More Time Consuming that Model-Checking  Use When Models are Stable and Model-Checking Won’t Work

33 Advanced Technology Center Slide 33 Outline of Presentation Introduction Overview of Our Approach An Example – FGS Mode Logic Some Recent Accomplishments The Underlying Technology What’s Next? Summary

34 Advanced Technology Center Slide 34 Example 1 – Mode Logic Requirement Mode A1 => Mode B1 6.8 x 10 21 Reachable States Mode Controller B Mode Controller A Counterexample Found in Less than Two Minutes! Found 27 Errors to Date

35 Advanced Technology Center Slide 35 Example 2 – Displays Logic Requirement Drive the Maximum Number of Display Units Given the Available Graphics Processors Counterexample Found in 5 Seconds! Checked 178 Properties – Found Several Errors 883 Subsystems 9,772 Simulink Blocks 2.9 x 10 52 Reachable States

36 Advanced Technology Center Slide 36 Outline of Presentation Introduction Overview of Our Approach An Example – FGS Mode Logic Some Recent Accomplishments The Underlying Technology What’s Next? Summary

37 Advanced Technology Center Slide 37 Original Tool Chain RSML -e NuSMV Model Checker PVS Theorem Prover Rockwell Collins/U of Minnesota SRI International RSML -e to NuSMV Translator RSML -e to PVS Translator

38 Advanced Technology Center Slide 38 Conversion to SCADE Esterel Technologies Rockwell Collins Design Verfier SRI International SCADE Lustre NuSMV PVS Safe State Machines

39 Advanced Technology Center Slide 39 Extension to MATLAB Simulink Esterel Technologies Rockwell Collins Design Verfier MathWorks SRI International SCADE Lustre NuSMV PVS Safe State Machines Simulink Gateway StateFlow

40 Advanced Technology Center Slide 40 Adding SRI Tools to the Chain Esterel Technologies Rockwell Collins Design Verfier MathWorks SRI International SCADE Lustre NuSMV PVS Safe State Machines ACL2 SAL ICS Symbolic Model Checker Bounded Model Checker Infinite Model Checker Simulink Gateway StateFlow

41 Advanced Technology Center Slide 41 Current Tool Chain Esterel Technologies Rockwell Collins Design Verfier MathWorks SRI International SCADE Lustre NuSMV PVS Safe State Machines ACL2 SAL ICS Symbolic Model Checker Bounded Model Checker Infinite Model Checker Simulink Gateway StateFlow Reactive Systems Reactis

42 Advanced Technology Center Slide 42 Outline of Presentation Introduction Overview of Our Approach An Example – FGS Mode Logic Some Recent Accomplishments The Underlying Technology What’s Next? Summary

43 Advanced Technology Center Slide 43 Extending the Verification Domain BDD-Based Model Checkers Boolean & Enumerated Types Very Large State Spaces SAT-Based Model Checkers Complex Boolean & Enumerated Types + Integers & Reals Infinite State Spaces Arbitrary Systems (Real Numbers, Large Integers, Infinite State…) Theorem Provers

44 Advanced Technology Center Slide 44 Verification of Adaptive Systems

45 Advanced Technology Center Slide 45 Requirements Based Test Case Generation Conformance Testing  Autogenerate Test Cases From Model  Commercial Tools Available – (T-VEC, REACTIS)  Show Code Conforms to the Model  Goal is Structural Coverage (MC/DC) Requirements Based Testing  State Requirements as Properties  Automatically Generate Tests  Goal is to Cover the Requirement Code Generator Create Model Code Model Requirements Create Requirements Based Tests Create Additional Structural Tests Test Case Generator Test Case Generator Properties

46 Advanced Technology Center Slide 46 Model-Based Safety Analysis  Add Fault Model for Physical System Power A Pedal 1 Feed back Plant Fault Tolerant Control Unit ( BSCU ) Braking System System A Power B Pedal 2 System B  Model the Physical System  Automation Enables “What-If” Consideration of System Designs and Digital Controller Architecture  Integrates System and Safety Engineering About a Common Model and the Digital Controller Architecture

47 Advanced Technology Center Slide 47 Outline of Presentation Introduction Overview of Our Approach An Example – FGS Mode Logic Some Recent Accomplishments The Underlying Technology What’s Next? Summary

48 Advanced Technology Center Slide 48Summary  Formal Verification is Becoming Practical – Availability of Accurate Models Early in the Lifecycle – Growing Power of Automated Analysis Tools  Benefits – Find Errors Early – Avoid Rework Late in the Lifecycle – Cheaper and Easier than Traditional Methods – Orders of Magnitude Better at Finding Errors

49 Advanced Technology Center Slide 49Summary  Almost 15 Years of Experience  Thriving Automated Analysis Group  Doing Extensive Work for NASA and the NSA  Broad Tool Expertise – PVS, ACL2, NuSMV, Prover, SAL, Simulink, SCADE, SCR, …  Focus on “Application to Real Systems” Rockwell Collins is a World Leader in the Industrial Use of Formal Methods

Download ppt "Advanced Technology Center Slide 1 Formal Methods in Safety-Critical Systems Dr. Steven P. Miller Advanced Computing Systems Rockwell Collins 400 Collins."

Similar presentations

1 Verification by Model Checking. 2 Part 1 : Motivation.

1 Verification by Model Checking. 2 Part 1 : Motivation.
Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.
Formal Methods and Testing Goal: software reliability Use software engineering methodologies to develop the code. Use formal methods during code development.

Formal Methods and Testing Goal: software reliability Use software engineering methodologies to develop the code. Use formal methods during code development.
Certifying Auto-generated Flight Code Ewen Denney Robust Software Engineering NASA Ames Research Center California, USA.

Certifying Auto-generated Flight Code Ewen Denney Robust Software Engineering NASA Ames Research Center California, USA.
Introducing Formal Methods, Module 1, Version 1.1, Oct., 1998 1 Formal Specification and Analytical Verification L 5.

Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
1 Translation Validation: From Simulink to C Michael RyabtsevOfer Strichman Technion, Haifa, Israel Acknowledgement: sponsored by a grant from General.

1 Translation Validation: From Simulink to C Michael RyabtsevOfer Strichman Technion, Haifa, Israel Acknowledgement: sponsored by a grant from General.
© Copyright 2013 Rockwell Collins All rights reserved. Company Official and Proprietary Rockwell Collins and Formal Methods September 20, 2013.

© Copyright 2013 Rockwell Collins All rights reserved. Company Official and Proprietary Rockwell Collins and Formal Methods September 20, 2013.
Model Checker In-The-Loop Flavio Lerda, Edmund M. Clarke Computer Science Department Jim Kapinski, Bruce H. Krogh Electrical & Computer Engineering MURI.

Model Checker In-The-Loop Flavio Lerda, Edmund M. Clarke Computer Science Department Jim Kapinski, Bruce H. Krogh Electrical & Computer Engineering MURI.
IPOG: A General Strategy for T-Way Software Testing

IPOG: A General Strategy for T-Way Software Testing
Dagstuhl Intro Mike Whalen Program Director University of Minnesota Software Engineering Center.

Dagstuhl Intro Mike Whalen Program Director University of Minnesota Software Engineering Center.
SAS_08_Model_Val_Tech_Heimdahl MAC-T IVV-08-152 Model-Validation in Model-Based Development Kurt Woodham L-3 Communications Ajitha Rajan, Mats Heimdahl.

SAS_08_Model_Val_Tech_Heimdahl MAC-T IVV Model-Validation in Model-Based Development Kurt Woodham L-3 Communications Ajitha Rajan, Mats Heimdahl.
Dagstuhl Intro Mike Whalen. 2 Mike Whalen My main goal is to reduce software verification and validation (V&V) cost and increasing.

Dagstuhl Intro Mike Whalen. 2 Mike Whalen My main goal is to reduce software verification and validation (V&V) cost and increasing.
© Copyright 2009 Rockwell Collins, Inc. All rights reserved. Formal Methods for Critical Systems Dr. Steven P. Miller Midwest Verification Day September.

© Copyright 2009 Rockwell Collins, Inc. All rights reserved. Formal Methods for Critical Systems Dr. Steven P. Miller Midwest Verification Day September.
Presented by: Thabet Kacem Spring 2010. Outline Contributions Introduction Proposed Approach Related Work Reconception of ADLs XTEAM Tool Chain Discussion.

Presented by: Thabet Kacem Spring Outline Contributions Introduction Proposed Approach Related Work Reconception of ADLs XTEAM Tool Chain Discussion.
Using UML, Patterns, and Java Object-Oriented Software Engineering Royce’s Methodology Chapter 16, Royce’ Methodology.

Using UML, Patterns, and Java Object-Oriented Software Engineering Royce’s Methodology Chapter 16, Royce’ Methodology.
Software Reliability CIS 640 Adapted from the lecture notes by Doron Pelel (www.dcs.warwick.ac.uk/~doron/notes.html)

Software Reliability CIS 640 Adapted from the lecture notes by Doron Pelel (
1 Formal Methods in SE Qaisar Javaid Assistant Professor Lecture 05.

1 Formal Methods in SE Qaisar Javaid Assistant Professor Lecture 05.
Advanced Technology Center Slide 1 Formal Verification of Flight Critical Software Dr. Steven P. Miller Advanced Computing Systems Elise A. Anderson Commercial.

Advanced Technology Center Slide 1 Formal Verification of Flight Critical Software Dr. Steven P. Miller Advanced Computing Systems Elise A. Anderson Commercial.
Formal Model-Based Development in Aerospace Systems: Challenges to Adoption Mats P. E. Heimdahl University of Minnesota Software Engineering Center Critical.

Formal Model-Based Development in Aerospace Systems: Challenges to Adoption Mats P. E. Heimdahl University of Minnesota Software Engineering Center Critical.

Similar presentations

Ads by Google