Page 1 11/07/2004

Proving the Shalls: The Future of Requirements?

Steven P. Miller, Ph.D.
Advanced Computing Systems
Rockwell Collins
400 Collins Road NE, MS 108-206
Cedar Rapids, Iowa 52498
spmiller@rockwellcollins.com


Who We Are A World Leader In Aviation Electronics And Airborne/ Mobile Communications Systems For Commercial And Military Applications

[Chart: 2002 Sales: $2.5 Billion, Portfolio Composition. Government 45%, Commercial 55%. Segments shown: Air Transport, Business, Regional; IFE, Comm, Displays, Nav, Integrated Applications.]

Core Capabilities

  • Communications
  • Navigation
  • Displays / Surveillance
  • Automated Flight Control
  • Integrated Aviation Electronics
  • In-Flight Entertainment
  • Aviation Services
  • Information Management Systems

Formal Methods at Rockwell Collins

  • Participants in the MCC Formal Methods Transition Study (1991)
  • Formal Specification of the µReal Time Executive in RAISE (1992)
  • Formal Specification of the GE1 Graphics Processor (1996)
  • Formal Verification of Microprocessors (1993 - 2003)
    – AAMP5 Microcode Using PVS (1994)
    – AAMP-FV Microcode Using PVS (1995)
    – JEM Java Virtual Machine Microprocessor Using PVS (1998)
    – FCP2002 Microcode Using ACL2 (1999)
    – FCP 2002-2000 Microcode Equivalence Using ACL2 (2001)
    – AAMP7 Security Separation Kernel Using ACL2 (2003)
  • Formal Validation of Embedded System Requirements (1995 - 2003)
    – FGS Mode Logic using SPC’s CoRE Method (1995)
    – FGS Mode Logic using NRL’s SCR* Tools (1996)
    – FGS Mode Logic Using PVS (1997)
    – FGS Mode Logic Using Matrix-X and T-VEC (1998)
    – FGS Mode Logic Using RSML-e, PVS, and NuSMV (2002)
    – FGS/FMS/AT Logic Using SCADE and Simulink (2004)

Methods and Tools for Flight Critical Systems Project

  • Five Year Project Started in 2001
  • Part of NASA’s Aviation Safety Program
  • Funded by the NASA Langley Research Center and Rockwell Collins
  • Heavy Focus on Requirements Validation
  • University of Minnesota is a Subcontractor to Collins
  • Modeling Flight Guidance and Flight Management Systems
  • Working with Commercial Tool Vendors to Ensure Technology Transfer

Model-Based Development Life Cycle

Stages: Elicitation, Modeling, Simulation, Analysis, Autocode, Autotest, Reuse

Model-Based Development Examples

Company | Product | Tools | Specified & Autocoded | Benefits Claimed
Airbus | A340 | SCADE With Code Generator | 70% Fly-by-wire Controls; 70% Automatic Flight Controls; 50% Display Computer; 40% Warning & Maint Computer | 20X Reduction in Errors; Reduced Time to Market
Eurocopter | EC-155/135 Autopilot | SCADE With Code Generator | 90% of Autopilot | 50% Reduction in Cycle Time
GE & Lockheed Martin | FADEC Engine Controls | ADI Beacon | Not Stated | Reduction in Errors; 50% Reduction in Cycle Time; Decreased Cost
Schneider Electric | Nuclear Power Plant Safety Control | SCADE With Code Generator | 200,000 SLOC Auto Generated from 1,200 Design Views | 8X Reduction in Errors while Complexity Increased 4X
US Spaceware | DCX Rocket | MATRIXx | Not Stated | 50-75% Reduction in Cost; Reduced Schedule & Risk
PSA | Electrical Management System | SCADE With Code Generator | 50% SLOC Auto Generated | 60% Reduction in Cycle Time; 5X Reduction in Errors
CSEE Transport | Subway Signaling System | SCADE With Code Generator | 80,000 C SLOC Auto Generated | Improved Productivity from 20 to 300 SLOC/day
Honeywell Commercial Aviation Systems | Primus Epic Flight Control System | MATLAB Simulink | 60% Automatic Flight Controls | 5X Increase in Productivity; No Coding Errors; Received FAA Certification

Elicitation of Requirements (life cycle stage: Elicitation)

Capture Requirements as Shalls

Modeling (life cycle stage: Modeling)

Sample RSML-e Requirements

Simulation (life cycle stage: Simulation)

Simulation Demonstration

Using Formal Analysis for Early Validation of Requirements (life cycle stage: Analysis)

[Diagram labels: Theorem Provers, Model Checkers; Requirements, Safety Properties, Mode Confusion Properties]

What Are Model Checkers?

  • Breakthrough Technology of the 1990’s
  • Widely Used in Hardware Verification (Intel, Motorola, IBM, …)
  • Conduct an Exhaustive Search of the Global State Space
    – Consider All Combinations of Inputs and States
    – Produces a Counter Example if a Property is Not True
  • Easy to Use
    – “Push Button” Formal Methods
    – Very Little Human Effort Unless You Are At the Tool’s Limits
  • Limitations
    – State Space Explosion (10^20 - 10^300 States)
    – Awkward Notation for Specifying Properties (Temporal Logic)

Advantage of Model Checking

  • Testing Checks Only the Values We Select; Even Small Systems Have Trillions (of Trillions) of Possible Tests!
  • Model Checking Tries Every Possible Input and State!

Model Checking Using RSML-e and NuSMV

[Diagram: the Engineer asks “Does the system have property X?” The Model, after Model Abstraction, is translated automatically into an SMV Spec., and the Properties are translated automatically into SMV Properties. SMV performs an Automated Check and answers either “Yes!” or with a Counter Example.]

Translated All the Shalls into SMV Properties

Only Two Types of Properties Were Needed

  • I. Safety Constraint Over All States
    AG(Is_This_Side_Active -> (Mode_Annunciations_On <-> (Onside_FD_On | Offside_FD_On = TRUE | Is_AP_Engaged)))
  • II. Constraint Over All States and All Next States
    AG((!Onside_FD_On & !Is_AP_Engaged) -> AX(Is_AP_Engaged -> Onside_FD_On))
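Both property types above are decided by exhaustively searching the reachable state space, which is what a model checker automates. The following is an added example, not code from the talk or from the Rockwell Collins tool chain: a constructed toy of one side's mode logic (four state bits, sixteen input combinations, Is_This_Side_Active assumed TRUE) is searched breadth-first for violations of property I and property II, and a deliberately wrong variant of the model shows the counterexample trace a checker returns when the model and the shall disagree.

```python
from collections import deque
from itertools import product

# Constructed toy model of one side of the FGS mode logic (not the talk's RSML-e/SCADE model).
# State: (Onside_FD_On, Offside_FD_On, Is_AP_Engaged, Mode_Annunciations_On); Is_This_Side_Active is taken as TRUE.
# Input: (onside FD switch pressed, offside FD switch pressed, AP engage, AP disengage).
INITIAL = (False, False, False, False)
INPUTS = list(product([False, True], repeat=4))

def step(state, inp, ap_engage_turns_fd_on=True):
    """One transition. With the flag False, the model deliberately fails to turn the onside FD on at AP engagement."""
    onside, offside, ap, _ = state
    fd_sw, off_sw, engage, disengage = inp
    ap_n = engage or (ap and not disengage)
    onside_n = (not onside) if fd_sw else onside
    if engage and ap_engage_turns_fd_on:
        onside_n = True                     # AP engagement forces the onside flight director on
    offside_n = (not offside) if off_sw else offside
    return (onside_n, offside_n, ap_n, onside_n or offside_n or ap_n)

def prop_i(s):          # I: AG(Mode_Annunciations_On <-> (Onside_FD_On | Offside_FD_On | Is_AP_Engaged))
    onside, offside, ap, annun = s
    return annun == (onside or offside or ap)

def prop_ii_pre(s):     # II: AG(pre -> AX post) with pre = !Onside_FD_On & !Is_AP_Engaged
    return not s[0] and not s[2]
def prop_ii_post(t):    # post = Is_AP_Engaged -> Onside_FD_On
    return (not t[2]) or t[0]

def trace(parent, s):   # rebuild the counterexample path from the BFS parent pointers
    path = []
    while s is not None:
        path.append(s)
        s = parent[s]
    return path[::-1]

def model_check(ap_engage_turns_fd_on=True):
    """Exhaustive BFS over every reachable state and input; None if both properties hold, else (name, trace)."""
    parent = {INITIAL: None}
    queue = deque([INITIAL])
    while queue:
        s = queue.popleft()
        if not prop_i(s):
            return ("I", trace(parent, s))
        for t in {step(s, inp, ap_engage_turns_fd_on) for inp in INPUTS}:
            if prop_ii_pre(s) and not prop_ii_post(t):
                return ("II", trace(parent, s) + [t])
            if t not in parent:
                parent[t] = s
                queue.append(t)
    return None
```

`model_check(True)` returns None because both properties hold in the correct variant; `model_check(False)` returns a two-state trace showing property II violated right after the initial state.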

Validate Requirements through Model Checking

  • Proved Over 280 Properties in Less Than an Hour
  • Found Several Errors
    – Some Were Errors in the Model
    – Most Were Incorrect Shalls
  • Revised the Shalls to Improve the Requirements

What are Theorem Provers?

  • Available Since Late 1980’s
    – Widely Used on Security and Safety-Critical Systems
  • Use Rules of Inference to Prove New Properties
    – Also Consider All Combinations of Inputs and States
    – Also Equivalent to Testing with an Infinite Set of Test Cases
    – Generate An Unprovable Proof Obligation if a Property is False
  • Not Limited by State Space
    – Applicable to Almost Any Formal Specification
  • Limitations
    – Require Experience - About Six Months to Become Proficient
    – Constructing Proofs is Labor Intensive

Theorem Proving Using PVS

[Diagram: the Engineer asks “Does the system have property X?” The Model is translated automatically into a PVS Spec., and the Properties are translated automatically into PVS Properties. PVS attempts an Automated Proof; a Guru (expert user) steps in to work out “Why not?” when the proof does not go through.]

Validate Requirements Using Theorem Proving

  • Proved Several Hundred Properties Using PVS
  • More Time Consuming than Model-Checking
  • Use When Model-Checking Won’t Work

Strengths and Weaknesses of Specification Styles

                    | Natural Language | Property Based | Constructive Model
Ambiguity           | Likely           | Eliminated     | Eliminated
Inconsistency       | Likely           | Possible       | Eliminated
Incompleteness      | Likely           | Possible       | Eliminated
Implementation Bias | Possible         | Possible       | Likely

(Life cycle: Natural Language is used early, Constructive Model late.)

Approach to Requirements Validation (life cycle stage: Analysis)

[Diagram labels: Informal Properties, Constructive Model, Formal Validation, Customer Validation]

Original Tool Chain

  • RSML-e (Rockwell Collins / U of Minnesota)
  • RSML-e to NuSMV Translator and RSML-e to PVS Translator
  • NuSMV Model Checker
  • PVS Theorem Prover (SRI International)

Current Tool Chain

  • SCADE (Esterel Technologies) with Safe State Machines and Prover
  • Simulink and StateFlow (MathWorks), via the Simulink Gateway
  • Lustre and the Lustre Compiler (Rockwell Collins)
  • NuSMV
  • PVS (SRI International)

Future Tool Chain?

  • Same front end as the Current Tool Chain: SCADE / Safe State Machines / Prover (Esterel Technologies), Simulink / StateFlow / Simulink Gateway (MathWorks), Lustre and the Lustre Compiler (Rockwell Collins)
  • Back ends: NuSMV, PVS (SRI International), SAL (Symbolic Model Checker, Bounded Model Checker, Infinite Model Checker), ICS, ACL2

Conclusions

  • Model-Based Development is the Industrial Use of Formal Specification
    – Providing the Modeling Language Has Well Defined Formal Semantics
  • Convergence of Model-Based Development and Formal Verification
    – Key is to Get Engineers Producing Specifications that Can be Analyzed
  • Need Several Approaches to Formal Verification
    – Model-Checking Because it is Simple and Easy to Use
    – Theorem Proving for When Model Checking isn’t Practical
  • Constructive Requirements Models Are Useful
    – Executable, Consistent, and Complete
    – Autogenerate Code and Test Cases
  • Shalls are Just Informal Property Based Specifications
    – Easy Way to Elicit an Informal Description of the Requirements
    – Validate Constructive Model by Proving the Shalls!