Presentation is loading. Please wait.

Presentation is loading. Please wait.

Formal Model-Based Development in Aerospace Systems: Challenges to Adoption Mats P. E. Heimdahl University of Minnesota Software Engineering Center Critical.

Published byGilbert Fields Modified over 9 years ago

Similar presentations

Presentation on theme: "Formal Model-Based Development in Aerospace Systems: Challenges to Adoption Mats P. E. Heimdahl University of Minnesota Software Engineering Center Critical."— Presentation transcript:

1 Formal Model-Based Development in Aerospace Systems: Challenges to Adoption Mats P. E. Heimdahl University of Minnesota Software Engineering Center Critical Systems Research Group Department of Computer Science and Engineering University of Minnesota

2 and a Plea for Help

3 Domain of Concern

4 How we Develop Software Concept Formation Requirements Specification Design Implementation Integration System Unit Test Integration Test System Test Object Code Test Analysis

5 Model-Based Development Specification Model Visualization Prototyping Testing Code Analysis Properties

6 Model-Based Development Tools Commercial Products –Esterel Studio and SCADE Studio from Esterel Technologies –Rhapsody from I-Logix –Simulink and Stateflow from Mathworks Inc. –Rose Real-Time from Rational –Etc. Etc.

7 System Specification/Model How we Will Develop Software Concept Formation Requirements Implementation Integration Properties Analysi s Integration Test Syste m Test Specification Test

8 What Does Industry Want? Better / Safer Cheaper Faster

9 Model-Based Development Examples

10 Problem 1 Believing Testing Can be Eliminated Testing will always be a crucial (and costly) component

11 How we Develop Software Concept Formation Requirements Specification Design Implementation Integration System Unit Test Integration Test System Test Analysis Object Code Test

12 System Specification/Model Testing Does not go Away Concept Formation Requirements Implementation Integration Properties Extensive Testing (MC/DC)

13 System Specification/Model It Simply Moves Concept Formation Requirements Implementation Integration Properties Extensive Testing (MC/DC)

14 System Specification/Model Do it the Right Way Concept Formation Requirements Implementation Integration Properties Analysi s Integration Test Syste m Test Specification Test Unit Test

15 Example: ADGS-2100 Adaptive Display & Guidance System Requirement Drive the Maximum Number of Display Units Given the Available Graphics Processors Counterexample Found in 5 Seconds! Checking 573 Properties Found 98 Errors 883 Subsystems 9,772 Simulink Blocks 2.9 x 10 52 Reachable States

16 Remedy Be honest about the capabilities of model- based development and formal methods –Done right, provides outstanding requirements, models, analysis, etc., etc. –May greatly reduce the effort spent in testing

17 Problem 2 Believing the Model is Everything The model is never enough

18 Modeling is so much fun Properties Specification/Model Modeling Frenzy Concept Formation Requirements Implementation Integration How do we know the model is “right”? Headfirst into modeling System

19 Specification/Model Do it the Right Way Concept Formation Requirements Implementation Integration Properties Analysi s Integration Test Syste m Test Specification Test Unit Test

20 Remedies Recognize the Role of Software Requirements –The model is not everything Development Methods for Model-Based Development Badly Needed –Model-Based Software Development Process Develop Tools and Techniques for Model, Properties, and Requirements Management Develop Inspection Checklists and Style Guidelines for Models

21 Problem 3 Trusting Verification To really mess things up, you need formal verification

22 Model Checking Process Does the system have property X? Model Engineer SMV Automatic Translation SMV Properties Properties Automated Check Yes! SMV Spec. Automatic Translation

23 Model Checking Process Does the system have property X? Model Engineer SMV Automatic Translation SMV Properties Properties SMV Spec. Automatic Translation Counter Example Automated Check No!

24 Property or Model: Who is Right? AG(Onside_FD_On -> Mode_Annunciations_On) The Mode Annunciations shall be turned on when the Flight Director is turned on AG( (Is_This_Side_Active & Onside_FD_On) -> Mode_Annunciations_On) If this side is active, the Mode Annunciations shall be turned on when the Flight Director is turned on If this side is active and the Mode Annunciations are off, the Mode Annunciations shall be turned on when the Flight Director is turned on AG( ! Mode_Annunciations_On -> AX ((Is_This_Side_Active & Onside_FD_On) -> Mode_Annunciations_On)))

25 Translated All the “Shalls” into SMV Properties

26 Analysis Process Steps All properties verified (!), or… Counterexamples found for some properties Simulate counterexample in MBD environment and make corrections to: –model –properties –requirements –assumptions (invariants)

27 Remedies Develop techniques to determine adequacy of model and property set –How do we know they are any “good” Techniques for management of invariants –How do we validate the assumptions we make Methodology and guidance badly needed –Tools with training wheels –“Verification for Dummies” All we need is one high-profile verified system to fail spectacularly to set us back a decade or more

28 Model Checking Process Why? Guru Does the system have property X? Model Engineer SMV Automatic Translation SMV Properties Properties SMV Spec. Automatic Translation Out to Lunch ?

29 Problem 4 Believing One Tool Will Be Enough To be effective, we need a suite of notations and analysis tools (and the ability to continually integrate new ones)

30 Original Tool Chain RSML -e NuSMV Model Checker PVS Theorem Prover Rockwell Collins/U of Minnesota SRI International RSML -e to NuSMV Translator RSML -e to PVS Translator

31 Conversion to SCADE Design Verifier SCADE Lustre NuSMV PVS Safe State Machines Simulink Gateway StateFlow SPY Esterel Technologies MathWorks University of Minnesota/Rockwell Collins (NASA LaRC Funded) University of Minnesota (NASA IV&V Funded)

32 Reactive Systems Esterel Technologies MathWorks SRI International University of Minnesota/Rockwell Collins (NASA LaRC) University of Minnesota (NASA IV&V) Current(?) Tool Status Design Verifier SCADE Lustre NuSMV PVS Safe State Machines SAL ICS Symbolic Model Checker Bounded Model Checker Infinite Model Checker Simulink Gateway StateFlow Reactis SPY

33 Three Conjectures No one modeling language will be universally accepted, nor universally applicable No one verification/validation tool will satisfy the analysis needs of a user Languages and tools must be tested on real world problems by practicing engineers –Preferably in commercial tools

34 Translation – with no IL Effort = m * n High quality translations Lustre ++ poly tables SCADE RSML -e PVS poly’ SMVC m modeling languages n target languages poly

35 Translation – with IL Effort = m + n Low quality translations Lustre IL Lustre ++ poly tables SCADE RSML -e PVS poly’ SMVC m modeling languages n target languages poly

36 A Proposed Framework (Van Wyk) Based on techniques from extensible programming languages, specifically attribute grammars extended with forwarding. Hypothesis: –An extensible language may serve as a host language for domain specific extensions (to construct new modeling languages), –while forwarding enables the feasible construction of high quality translations from source specification languages to target analysis languages. Provided to spur discussion only! There may be better solutions.

37 Translation – with lang. exts. Effort = m + n + Σ t I High quality translations Lustre Host Lustre ++ poly tables SCADE RSML -e PVS poly’ SMVC m modeling languages n target languages forwarding poly pvs_trans (t2) pvs_trans (t1) c_trans (t3) forwarding c_trans smv_trans pvs_trans

38 Remedies Next generation tools must allow easy extension and modification of notations to meet domain specific needs They must allow easy construction of high- quality translations from modeling notations to analysis tools They also must enable controlled reuse of tool infrastructure to make tool extensions cost effective

39 Problem Summary Believing Testing Can be Eliminated Believing the Model is Everything Trusting Verification Believing One Tool Will Be Enough

40 Thank You Rockwell Collins –Steven Miller –Michael Whalen –Alan Tribble –Michael Peterson NASA Langley –Ricky Butler –Kelly Hayhurst –Celeste Bellcastro NASA Ames –Michael Lowry NASA IV&V Facility –Kurt Woodham (L3-Titan) My Students at Minnesota –Anjali Joshi –Ajitha Rajan –Yunja Choi, –Sanjai Rayadurgam –Devaraj George –Dan O'Brien Opinions in talk are mine. Do not blame the innocent.

41 Discussion

42 For More Information Michael W. Whalen et. al., Formal Validation of Avionics Software in a Model- Based Development Process, Formal Methods in Industrial Critical Systems (FMICS’2007), July 2007. Steven P. Miller, Alan C. Tribble, Michael W. Whalen, Mats P. E. Heimdahl, Providing the Shalls, International Journal on Software Tools for Technology Transfer (STTT), Feb 2006. Michael W. Whalen, John D. Innis, Steven P. Miller, and Lucas G. Wagner, ADGS-2100 Adaptive Display & Guidance System, NASA Contractor Report NASA-2006-CR213952, Feb. 2006. Available at http://hdl.handle.net/2002/16162. http://hdl.handle.net/2002/16162 A lot of good reading at http://shemesh.larc.nasa.gov/fm/fm-collins-intro.htmlhttp://shemesh.larc.nasa.gov/fm/fm-collins-intro.html Eric Van Wyk and Mats Heimdahl. Flexibility in modeling languages and tools: A Call to Arms. To appear in Software Tools for Technology Transfer.

Download ppt "Formal Model-Based Development in Aerospace Systems: Challenges to Adoption Mats P. E. Heimdahl University of Minnesota Software Engineering Center Critical."

Similar presentations

Integration of MBSE and Virtual Engineering for Detailed Design

Integration of MBSE and Virtual Engineering for Detailed Design
Auto-Generation of Test Cases for Infinite States Reactive Systems Based on Symbolic Execution and Formula Rewriting Donghuo Chen School of Computer Science.

Auto-Generation of Test Cases for Infinite States Reactive Systems Based on Symbolic Execution and Formula Rewriting Donghuo Chen School of Computer Science.
CASE tools Upper CASE tools: support for the analysis and design Lower CASE tools: support for construction and maintenance 1980s… Nowadays… Integrated.

CASE tools Upper CASE tools: support for the analysis and design Lower CASE tools: support for construction and maintenance 1980s… Nowadays… Integrated.
Introducing Formal Methods, Module 1, Version 1.1, Oct., 1998 1 Formal Specification and Analytical Verification L 5.

Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
1 Translation Validation: From Simulink to C Michael RyabtsevOfer Strichman Technion, Haifa, Israel Acknowledgement: sponsored by a grant from General.

1 Translation Validation: From Simulink to C Michael RyabtsevOfer Strichman Technion, Haifa, Israel Acknowledgement: sponsored by a grant from General.
Model Checker In-The-Loop Flavio Lerda, Edmund M. Clarke Computer Science Department Jim Kapinski, Bruce H. Krogh Electrical & Computer Engineering MURI.

Model Checker In-The-Loop Flavio Lerda, Edmund M. Clarke Computer Science Department Jim Kapinski, Bruce H. Krogh Electrical & Computer Engineering MURI.
Dagstuhl Intro Mike Whalen Program Director University of Minnesota Software Engineering Center.

Dagstuhl Intro Mike Whalen Program Director University of Minnesota Software Engineering Center.
SAS_08_Model_Val_Tech_Heimdahl MAC-T IVV-08-152 Model-Validation in Model-Based Development Kurt Woodham L-3 Communications Ajitha Rajan, Mats Heimdahl.

SAS_08_Model_Val_Tech_Heimdahl MAC-T IVV Model-Validation in Model-Based Development Kurt Woodham L-3 Communications Ajitha Rajan, Mats Heimdahl.
Dagstuhl Intro Mike Whalen. 2 Mike Whalen My main goal is to reduce software verification and validation (V&V) cost and increasing.

Dagstuhl Intro Mike Whalen. 2 Mike Whalen My main goal is to reduce software verification and validation (V&V) cost and increasing.
© Copyright 2009 Rockwell Collins, Inc. All rights reserved. Formal Methods for Critical Systems Dr. Steven P. Miller Midwest Verification Day September.

© Copyright 2009 Rockwell Collins, Inc. All rights reserved. Formal Methods for Critical Systems Dr. Steven P. Miller Midwest Verification Day September.
Presented by: Thabet Kacem Spring 2010. Outline Contributions Introduction Proposed Approach Related Work Reconception of ADLs XTEAM Tool Chain Discussion.

Presented by: Thabet Kacem Spring Outline Contributions Introduction Proposed Approach Related Work Reconception of ADLs XTEAM Tool Chain Discussion.
VIDE als voortzetting van Cocktail SET Seminar 11 september 2008 Dr. ir. Michael Franssen.

VIDE als voortzetting van Cocktail SET Seminar 11 september 2008 Dr. ir. Michael Franssen.
Software Reliability CIS 640 Adapted from the lecture notes by Doron Pelel (www.dcs.warwick.ac.uk/~doron/notes.html)

Software Reliability CIS 640 Adapted from the lecture notes by Doron Pelel (
Advanced Technology Center Slide 1 Formal Verification of Flight Critical Software Dr. Steven P. Miller Advanced Computing Systems Elise A. Anderson Commercial.

Advanced Technology Center Slide 1 Formal Verification of Flight Critical Software Dr. Steven P. Miller Advanced Computing Systems Elise A. Anderson Commercial.
CONNIE HEITMEYER Center for High Assurance Computer Systems Naval Research Laboratory Washington, DC Workshop on the Verification Grand Challenge SRI International.

CONNIE HEITMEYER Center for High Assurance Computer Systems Naval Research Laboratory Washington, DC Workshop on the Verification Grand Challenge SRI International.
Advanced Technology Center Slide 1 Formal Methods in Safety-Critical Systems Dr. Steven P. Miller Advanced Computing Systems Rockwell Collins 400 Collins.

Advanced Technology Center Slide 1 Formal Methods in Safety-Critical Systems Dr. Steven P. Miller Advanced Computing Systems Rockwell Collins 400 Collins.
Train Control Language Teaching Computers Interlocking By: J. Endresen, E. Carlson, T. Moen1, K. J. Alme, Haugen, G. K. Olsen & A. Svendsen Synthesizing.

Train Control Language Teaching Computers Interlocking By: J. Endresen, E. Carlson, T. Moen1, K. J. Alme, Haugen, G. K. Olsen & A. Svendsen Synthesizing.
Automated Analysis and Code Generation for Domain-Specific Models George Edwards Center for Systems and Software Engineering University of Southern California.

Automated Analysis and Code Generation for Domain-Specific Models George Edwards Center for Systems and Software Engineering University of Southern California.
1 SWE 205 - Introduction to Software Engineering Lecture 3 Introduction to Software Engineering.

1 SWE Introduction to Software Engineering Lecture 3 Introduction to Software Engineering.

Similar presentations

Ads by Google