formal methods for safety assessment of critical software
play

Formal methods for Safety Assessment of Critical Software at RATP - PowerPoint PPT Presentation

Jul 11, 2023 •160 likes •498 views

Formal methods for Safety Assessment of Critical Software at RATP Engineering Department -- RATP/ING/STF/QS/AQL Evguenia DMITRIEVA / Oct 16 2014, Toulouse Plan 1. Industrial Context 2. Formal methods for software safety assessment : PERF 3.

  1. Formal methods for Safety Assessment of Critical Software at RATP Engineering Department -- RATP/ING/STF/QS/AQL Evguenia DMITRIEVA / Oct 16 2014, Toulouse

  2. Plan 1. Industrial Context 2. Formal methods for software safety assessment : PERF 3. Use Cases 4. Conclusion 2 Evguenia Dmitrieva Oct 16th 2014 Formal methods for Safety Assessment of Critical Software at RATP

  3. RATP’s Software Safety Assessment lab  Primary mission: internal assessment 55000 p. of safety critical software (ATP, Interlocking)  Created in 1990: almost 25 years of ING 1100 p. (Engineering Department) experience  AQL team: 30 persons, 50% engineers STF 300 p. and PhD, 50% technicians (Railway Transportation Systems)  Accredited by COFRAC, the French QS accreditation body 80 p. (Safety Assessment)  Customers: internal (RATP) or external AQL 30 p. (Software Safety Assessment lab) 3 Evguenia Dmitrieva Oct 16th 2014 Formal methods for Safety Assessment of Critical Software at RATP

  4. AQL mission: independent assessment of safety critical software  Check of safety cases provided by suppliers  Additional analysis and verifications wherever supplier’s methodology thought to be weak  Covering the whole V lifecycle 4 Evguenia Dmitrieva Oct 16th 2014 Formal methods for Safety Assessment of Critical Software at RATP

  5. AQL interventions 5 Evguenia Dmitrieva Oct 16th 2014 Formal methods for Safety Assessment of Critical Software at RATP

  6. Why using Formal Proof ? SACEM (pre-CBTC / 1989): retro-engineering (Z method) and formal proof  10 unsafe bugs found that had not been discovered with the « classical process » based on tests METEOR (driverless CBTC / 1998): developed with B method  get rid of of unit and integration tests  delivery of a safe software at « first shot » (no need for other release after commissioning). 6 Evguenia Dmitrieva Oct 16th 2014 Formal methods for Safety Assessment of Critical Software at RATP

  7. How using Formal Proof ? 90s: (example: METEOR project)  – RATP forces its supplier to use a Formal Method allowing Formal Proof (B method)  Since the 2000s: (example: Computer Based Interlocking) – Public procurement laws: in a tender, it is forbidden to favor a supplier – Forcing the use of formal methods = a way to favor some suppliers – => RATP is only allowed to encourage the use of Formal Proof  RATP asked Prover Technology Company to develop a high integrity level (“SIL4”) Formal Proof Tool Suite (“Prover Certifier”) Goal: providing means to perform the formal verification, a posteriori, of a product that was  not developed using a proof based process (like B method). 7 Evguenia Dmitrieva Oct 16th 2014 Formal methods for Safety Assessment of Critical Software at RATP

  8. The PERF approach  PERF = P roof E xecuted over a R etroengineered F ormal model  PERF = P reuve d’ E valuation par R etromodélisation F ormelle  Principle: using formal proof and techniques to verify properties over an already developed software product  Techniques: – Basic synchronous modelling language (HLL) – Proof engine using SAT solving, k-induction, proof certification, …  Scope: – Applicative SW (not low-level) + configuration data – Verification of « safety » properties (invariants) 8 Evguenia Dmitrieva Oct 16th 2014 Formal methods for Safety Assessment of Critical Software at RATP

  9. The PERF approach Software System environment (source code or Safety requirements (assumptions) formal model or …) Front End Formal environment model Proof Obligations (Translator) (HLL) (HLL) Formal execution model PERF Tool Suite (HLL) Proof certificate 9 Evguenia Dmitrieva Oct 16th 2014 Formal methods for Safety Assessment of Critical Software at RATP

  10. The PERF approach System Requirement Specification Equipment Safety  Formal verification of: Requirement Properties Specification 1 – Safety Software Requirement Properties – Safety Properties Specification Formal Software Design – Equivalence of behaviors 2 – Equivalence of behaviors Source code 10 Evguenia Dmitrieva Oct 16th 2014 Formal methods for Safety Assessment of Critical Software at RATP

  11. System+ Env System+ Env PERF Tool Suite + Properties + Properties 1 2 Diversification, proof logging Translator 2 Translator 1  and proof checking CENELEC EN50128 compliant  System+ Env System+ Env development process + Properties + Properties HLL HLL Independent assessment by  RATP (AQL) Expander 1 Expander 2 System+ Env System+ Env + Properties + Properties LLL LLL Equivalence Equivalence Constructor System Properties Proof Engine OK/KO Equivalence Proof Engine OK/KO Proof Proof Log ProofLog OK/KO Checker Proof Log Proof Checker ProofLog OK/KO Safety Analysis Flow Equivalence Analysis Flow 11 Evguenia Dmitrieva Oct 16th 2014 Formal methods for Safety Assessment of Critical Software at RATP

  12. Use cases:  Verification of Safety Properties of SCADE models  Verification of Safety Properties of C or Ada code  Verification of equivalence beetween SCADE model and generated source code (C and Ada)  Soon: Verification of Safety Properties of Relay Based Interlocking  The use of PERF has allowed to reveal and fix safety critical bugs (before commissioning) ! 12 Evguenia Dmitrieva Oct 16th 2014 Formal methods for Safety Assessment of Critical Software at RATP

  13. Computer Based Interlocking : PMI Safety Hazards  Derailment : on moving or badly set point, over speed  Collision : front, rear, side  Human operatives’ Injuries : downgraded modes C S A B Ag ZAP PMI PMI 13 Evguenia Dmitrieva Oct 16th 2014 Formal methods for Safety Assessment of Critical Software at RATP

  14. Computer Based Interlocking : PMI Safety Properties : Derailment on moving point A point must not be controlled when the train is approaching the signal • Zone-ZAP-Occ => ~Ag_CMD_Right & ~Ag_CMD_Left A point must not be controlled when the train is located at this point • Zone-Ag-Occ => ~Ag_CMD_Right & ~Ag_CMD_Left C S A B Ag ZAP PMI PMI 14 Evguenia Dmitrieva Oct 16th 2014 Formal methods for Safety Assessment of Critical Software at RATP

  15. Computer Based Interlocking : PMI Safety Properties : Derailment on moving point A point must not be controlled when the train is approaching the signal • Zone-ZAP-Occ => ~Ag_CMD_Right & ~Ag_CMD_Left C S A B Ag ZAP PMI PMI 15 Evguenia Dmitrieva Oct 16th 2014 Formal methods for Safety Assessment of Critical Software at RATP

  16. Computer Based Interlocking : PMI Safety Properties : Derailment on moving point A point must not be controlled when the train is approaching the signal • Zone-ZAP-Occ => ~Ag_CMD_Right & ~Ag_CMD_Left Train_App_Sig_S := Zone_Zap_S_Occ & (Sig_S_G \/ Tempo_DA_S) Train_App_Sig_S => ~Ag_CMD_Right & ~Ag_CMD_Left C S A B Ag ZAP PMI PMI => High level properties but the model of environment is rather complex 16 Evguenia Dmitrieva Oct 16th 2014 Formal methods for Safety Assessment of Critical Software at RATP

  17. CBTC : Ouragan L13 Software Requirements (SEL)  software implements correctly its specification  often low-level and algorithmic  refinement system requirements into software one’s should be verified otherwise  no need of environment model 17 Evguenia Dmitrieva Oct 16th 2014 Formal methods for Safety Assessment of Critical Software at RATP

  18. Composant SurveillerRecul_CC Exigeance SEL_Bord_SurveillerRecul_CC_0002 Dans l’état « Opérationnel BORD », le composant SurveillerRecul_CC doit vérifier le domaine de définition de ses données d’entrée. Dans le cas où une des entrées au moins dépasse son domaine admissible, le composant n’exécute pas ses traitements et génère une alarme « out of range ». Les sorties prennent les valeurs par défaut ci-dessous. Dans le cas contraire, le composant doit exécuter ses traitements. Les valeurs par défaut des interfaces de sorties sont définies tel que Interface Valeur par défaut PFU_SurveillerReculTrain_REC.IFU_ReculIntempestif C_DEMANDE_FU_DEFAUT =================================================================================== Formalisation de l’exigence en HLL InRange(v) := v : [C_VITESSE_MIN_mmps, C_VITESSE_MAX_mmps]; Vitesses_OutOfRange ( VitessesTrain ) := ~(InRange(VitessesTrain.Max) &InRange(VitessesTrain.Inst) & InRange(VitessesTrain.Min)); Prop_SEL_REC_02 := ( Vitesses_OutOfRange(PE_OdometrieVitesse_ODO.VitessesTrainBord) # Vitesses_OutOfRange(PE_OdometrieVitesse_ODO.VitessesTrainMessagerie) ) => ( ~ PFU_SurveillerReculTrain_REC. IFU_ReculIntempestif.ValiditeDemandeFU & ~PFU_SurveillerReculTrain_REC. IFU_ReculIntempestif.NonDemandeFU & PFU_SurveillerReculTrain_REC. IFU_ReculIntempestif.ContextePPFU = C_CONTEXTE_FU_DEFAUT ) 18 Evguenia Dmitrieva Oct 16th 2014 Formal methods for Safety Assessment of Critical Software at RATP

  19. CBTC : Ouragan L13 Equipment or System Requirements (DCSS)  Software implements correctly its system (equipment) requirements  Higher level of abstraction  Independent of implementation choices  No need to verify SRS  Environment model may be needed but not so complex 19 Evguenia Dmitrieva Oct 16th 2014 Formal methods for Safety Assessment of Critical Software at RATP

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

F Formal Modeling and Verification of l M d li d V ifi ti f Safety-Critical Software

F Formal Modeling and Verification of l M d li d V ifi ti f Safety-Critical Software

Submitted to IEEE Software 2009 - Special issue on Software Development for Embedded Systems F Formal Modeling and Verification of l M d li d V ifi ti f Safety-Critical Software implemented in PLC JUNBEOM YOO JUNBEOM YOO KONKUK

882 views • 32 slides
Practically Formal Development and Assurance of Complex Software-Intensive Safety-Critical

Practically Formal Development and Assurance of Complex Software-Intensive Safety-Critical

Practically Formal Development and Assurance of Complex Software-Intensive Safety-Critical Systems Alan Wassyng work with Zinovy Diskin, Nicholas Annable, and Mark Lawford CyPhyAssure, 20 March 2019 GSN-like Assurance Cases Pros

720 views • 33 slides
Pragmatic integration of model driven engineering and formal methods for safety critical systems

Pragmatic integration of model driven engineering and formal methods for safety critical systems

Pragmatic integration of model driven engineering and formal methods for safety critical systems design Marc Pantel and many others IRIT - ACADIE ENSEEIHT - INPT - Universit de Toulouse Institute of Cybernetics Institute Tallinn

1.58k views • 110 slides
How testable is Business Software? Peter Schrammel What is this talk about? Desire for software

How testable is Business Software? Peter Schrammel What is this talk about? Desire for software

How testable is Business Software? Peter Schrammel What is this talk about? Desire for software that has fewer bugs Focus on non-safety-critical software Great techniques developed by formal methods, programming languages and

454 views • 41 slides
Types of Formal Specifications for Assertions Concurrent and Reactive Systems Assertions

Types of Formal Specifications for Assertions Concurrent and Reactive Systems Assertions

Outline Formal specifications CISC422/853: Formal Methods Types of formal specifications: in Software Engineering: assertions invariants Computer-Aided Verification safety and liveness properties How to express safety

226 views • 22 slides
Objectives To introduce the concept of safety-critical software To describe the

Objectives To introduce the concept of safety-critical software To describe the

Chapter 21 Chapter 21 Safety-Critical Software Learning Objective . Developing software which should never compromise the overall safety of a system. Frederick T Sheldon Assistant Professor of Computer Science Washington State University CS

327 views • 15 slides
Formal Model Based Safety Assessment Marco Bozzano, Roberto Cavada, Alessandro Cimatti, Cristian

Formal Model Based Safety Assessment Marco Bozzano, Roberto Cavada, Alessandro Cimatti, Cristian

NuSMV3: a framework for Formal Model Based Safety Assessment Marco Bozzano, Roberto Cavada, Alessandro Cimatti, Cristian Mattarei Fondazione Bruno Kessler, Trento (Italy) Roadmap Formal Model Based Safety Assessment Formal Safety

497 views • 37 slides
Software Verification/Validation Methods and Tools . . . or Practical Formal Methods John Rushby

Software Verification/Validation Methods and Tools . . . or Practical Formal Methods John Rushby

Software Verification/Validation Methods and Tools . . . or Practical Formal Methods John Rushby Computer Science Laboratory SRI International Menlo Park, CA John Rushby, SR I Practical Formal Methods: 1 Need: Growing Importance and Cost of

278 views • 12 slides
Safety critical software y Patrick R.H Place Kyo C.Kang

Safety critical software y Patrick R.H Place Kyo C.Kang

Safety critical software y Patrick R.H Place Kyo C.Kang 200310323 Purpose To understand the role of safety critical software in To understand the role of safety-critical software in

410 views • 21 slides
Specifying circuit properties in PSL Formal methods Mathematical and logical methods used in

Specifying circuit properties in PSL Formal methods Mathematical and logical methods used in

Specifying circuit properties in PSL Formal methods Mathematical and logical methods used in system development Aim to increase confidence in riktighet of system Apply to both hardware and software 1 Formal methods Complement other

524 views • 25 slides
FSA General FSA ECDIS Formal Safety Assessment Electronic Chart Display and

FSA General FSA ECDIS Formal Safety Assessment Electronic Chart Display and

FSA General FSA ECDIS Formal Safety Assessment Electronic Chart Display and Information System Rolf Skjong, dr, chief scientist Stavanger, 8 January 2006 Background Use of risk assessment Nuclear Industry in 60s:

296 views • 28 slides
Formal Methods for Critical Systems: A verified implementation of nested procedures Tristan

Formal Methods for Critical Systems: A verified implementation of nested procedures Tristan

Formal Methods for Critical Systems: A verified implementation of nested procedures Tristan Crolard 1 ICAR15 8-9 October 2015 Joint work with: 1 Pierre Courtieu, 1 , 2 Maria-Virginia Aponte, Julia Lawall 3 1. CNAM / Cedric / CPR team 2.

980 views • 71 slides
Formal Methods for Industrial Critical Systems at Trinity College, University of Dublin (FMICS

Formal Methods for Industrial Critical Systems at Trinity College, University of Dublin (FMICS

Formal Methods for Industrial Critical Systems at Trinity College, University of Dublin 2000 Andrew Butterfield c Formal Methods for Industrial Critical Systems at Trinity College, University of Dublin (FMICS 2003, Rros, June 7th 2003)

1.02k views • 16 slides
Certification of Safety-Critical, Software-Intensive Systems EECS4312: Software Engineering

Certification of Safety-Critical, Software-Intensive Systems EECS4312: Software Engineering

Certification of Safety-Critical, Software-Intensive Systems EECS4312: Software Engineering Requirements Fall 2019 C HEN -W EI W ANG McMaster Centre for Software Certification Led a $20M project (MAR.2008 to SEP .2016) of ORF-RE (Ontario

812 views • 37 slides
Safety Critical Flight Software Code Coverage Utilization Nate Uitenbroek Outline Background

Safety Critical Flight Software Code Coverage Utilization Nate Uitenbroek Outline Background

Safety Critical Flight Software Code Coverage Utilization Nate Uitenbroek Outline Background Safety Critical Software Classifying Standards Contrast Commercial Aviation and Space Flight Observations Orion Specific

435 views • 41 slides
C++ for Safety-Critical Systems DI Gnter Obiltschnig Applied Informatics Software Engineering

C++ for Safety-Critical Systems DI Gnter Obiltschnig Applied Informatics Software Engineering

C++ for Safety-Critical Systems DI Gnter Obiltschnig Applied Informatics Software Engineering GmbH guenter.obiltschnig@appinf.com A life-critical system or safety-critical system is a system whose failure or malfunction may result in: >

899 views • 87 slides
SCHEMA INFERENCE FOR MASSIVE JSON DATASETS ! ! ParisBD 2017 " ! ! Mohamed-Amine Baazizi 1 ,

SCHEMA INFERENCE FOR MASSIVE JSON DATASETS ! ! ParisBD 2017 " ! ! Mohamed-Amine Baazizi 1 ,

" SCHEMA INFERENCE FOR MASSIVE JSON DATASETS ! ! ParisBD 2017 " ! ! Mohamed-Amine Baazizi 1 , Houssem Ben Lahmar 2 , Dario Colazzo 3 , " Giorgio Ghelli 4 , Carlo Sartiani 5 " (1) Universit Pierre et Marie Curie, France

215 views • 20 slides
SPARQL to SQL Translation Based on an Intermediate Query Language Sami Kiminki, Jussi Knuuttila

SPARQL to SQL Translation Based on an Intermediate Query Language Sami Kiminki, Jussi Knuuttila

SPARQL to SQL Translation Based on an Intermediate Query Language Sami Kiminki, Jussi Knuuttila and Vesa Hirvisalo Department of Computer Science and Engineering Aalto University, School of Science and Technology November 8th, 2010

940 views • 64 slides
ArangoDB Siegen, 31 August 2017 Max Neunhffer www.arangodb.com Documents (JSON) In this

ArangoDB Siegen, 31 August 2017 Max Neunhffer www.arangodb.com Documents (JSON) In this

ArangoDB Siegen, 31 August 2017 Max Neunhffer www.arangodb.com Documents (JSON) In this talk, when I say document, I mean JSON document: JSON example { "name": "Neunhffer", "firstName":

783 views • 37 slides
UAS Mathematics Programs and Courses Advising Reminders and Updates UAS Mathematics Program

UAS Mathematics Programs and Courses Advising Reminders and Updates UAS Mathematics Program

UAS Mathematics Programs and Courses Advising Reminders and Updates UAS Mathematics Program University of Alaska Southeast Fall 2018 Convocation Mathematics Program (UAS) Mathematics at UAS Fall 2018 Convocation 1 / 9 GER and Other Service

658 views • 28 slides
+ - E + E- E + + E - = E E - + E + 'b 't .Z .I 4"1il sA lia 'b7- dq p"rnqrrluot

+ - E + E- E + + E - = E E - + E + 'b 't .Z .I 4"1il sA lia 'b7- dq p"rnqrrluot

Lecture 4 1. Review superposi.on principle and dipole field pa5ern Field Pa5ern of Charge: + - + - Method of Parallelogram: E - E + E + - E + E- E + + E - = E E - + E

479 views • 9 slides
Tableau helps people see and Designing Tableau understand data Tableau Research Suppose you

Tableau helps people see and Designing Tableau understand data Tableau Research Suppose you

Maureen Stone, Tableau Research 6/19/2019 Helping people see and understand data Maureen Stone, Sr. Manager Tableau Research https://dfp.ubc.ca/news-and-events/events/helping-people-see-understand-data, includes a video Roadmap What does

154 views • 11 slides
THoSP: an Algorithm for Nesting Property Graphs Giacomo Bergami 1 Andr Petermann 2 Danilo

THoSP: an Algorithm for Nesting Property Graphs Giacomo Bergami 1 Andr Petermann 2 Danilo

THoSP: an Algorithm for Nesting Property Graphs Giacomo Bergami 1 Andr Petermann 2 Danilo Montesi 1 1 st Joint GRADES-NDA International Workshop, 2018 10th June 2018 Universit di Bologna 1 , Universitt Leipzig 2 Key Ideas Key Ideas

953 views • 34 slides
X-ray and gamma-ray binaries with the ANTARES telescope A. Snchez-Losa D. Dornic A. Colerio

X-ray and gamma-ray binaries with the ANTARES telescope A. Snchez-Losa D. Dornic A. Colerio

Time-dependent search of neutrino emission from X-ray and gamma-ray binaries with the ANTARES telescope A. Snchez-Losa D. Dornic A. Colerio (IFIC) (INFN Sezione di Bari) (CPPM) agustin.sanchez@infn.ba.it dornic@cppm.in2p3.fr

588 views • 13 slides

More recommend