Integration of Formal Methods into Design and Implementation of Aerospace Systems - PowerPoint PPT Presentation

SLIDE 1

Successes Bottlenecks Need for a New Direction Future Challenges

Integration of Formal Methods into Design and Implementation of Aerospace Systems

Kristin Yvonne Rozier

Rice University

December 11, 2014

Kristin Yvonne Rozier Integration of FM into Design & Implementation of Aero Sys

SLIDE 2

Formal Methods Have Greatly Impacted Aerospace Engineering

  • Expected design-time component
  • Recommended in DO-178B standard for certification
  • Successfully applied in many aerospace contexts...

SLIDE 3

Successes: Full-Scale and Real-Life

Explicit Model Checking

  • A. Groce, K. Havelund, G. Holzmann, R. Joshi, and R-G. Xu. “Establishing flight software reliability: testing, model checking, constraint-solving, monitoring and learning.” Annals of Mathematics and Artificial Intelligence 70, no. 4 (2014): 315-349.
  • P. Mehlitz, “Trust Your Model - Verifying Aerospace System Models with Java Pathfinder,” Proc. IEEE Aerospace Conf., Big Sky, MT, Mar. 1-8, 2008.
  • A. Betin Can, T. Bultan, M. Lindvall, B. Lux, S. Topp, “Eliminating synchronization faults in air traffic control software via design for verification with concurrency controllers,” Automated Software Engineering 14 (2) (2007) 129-178.
  • C. Muñoz, V. Carreño, G. Dowek, “Formal analysis of the operational concept for the small aircraft transportation system,” in: Rigorous Engineering of Fault-Tolerant Systems, LNCS, vol. 4157, 2006, pp. 306-325.

SLIDE 4

Successes: Full-Scale and Real-Life

Symbolic Model Checking

  • A. Cimatti, M. Gario, C. Mattarei, K.Y. Rozier, and S. Tonetta. “Comparing Automated Air Traffic Control Designs via Formal Safety Assessment,” under submission as of December, 2014.
  • Y. Zhao and K.Y. Rozier. “Formal specification and verification of a coordination protocol for an automated air traffic control system.” Science of Computer Programming Journal, volume 96, number 3, pages 337-353, Elsevier, December, 2014.
  • M. Bozzano, A. Cimatti, J-P. Katoen, V.Y. Nguyen, T. Noll, and M. Roveri. “The COMPASS approach: Correctness, modeling and performability of aerospace systems.” In Computer Safety, Reliability, and Security, pp. 173-186. Springer, 2009.
  • R. Anderson, P. Beame, S. Burns, W. Chan, F. Modugno, D. Notkin, J.D. Reese, “Model checking large software specifications,” IEEE TSE 24 (1996) 156-166.
  • T. Sreemani, J.M. Atlee, “Feasibility of model checking software requirements: a case study,” in: COMPASS, IEEE, 1996, pp. 77-88.

SLIDE 5

Successes: Full-Scale and Real-Life

Probabilistic Model Checking

  • Y. Zhao, and K.Y. Rozier. “Probabilistic Model Checking for Comparative Analysis of Automated Air Traffic Control Systems.” In IEEE/ACM 2014 International Conference on Computer-Aided Design (ICCAD), IEEE/ACM, November, 2014.
  • C. von Essen, and D. Giannakopoulou: “Analyzing the Next Generation Airborne Collision Avoidance System.” TACAS 2014.
  • Z. Peng, Y. Lu, A. Miller, C. Johnson, and T. Zhao. “A probabilistic model checking approach to analysing reliability, availability, and maintainability of a single satellite system.” In European Modeling Symposium (EMS), pp. 611-616. IEEE, 2013.
  • B. Dutertre. “Probabilistic Analysis of Distributed Fault-Tolerant Systems.” NASA/CR-2011-217090 (2011).

SLIDE 6

Successes: Full-Scale and Real-Life, By Project

Theorem Proving

ACAS-X (Airborne Collision Avoidance System X)

  • J-B. Jeannin, K. Ghorbal, Y. Kouskoulas, R. Gardner, A. Schmidt, E. Zawadzki, and A. Platzer. “A Formally Verified Hybrid System for the Next-Generation Airborne Collision Avoidance System.” CMU-CS-14-138 (2014).

ACCoRD (state-based conflict detection & resolution algorithms)

  • A. Narkawicz, C. Muñoz, and G. Dowek, “Provably Correct Conflict Prevention Bands Algorithms,” Science of Computer Programming 77, 2012.

Chorus (tactical conflict & loss of separation detection & resolution)

  • R.W. Butler, G. E. Hagen, and J. M. Maddalon. “The Chorus conflict and loss of separation resolution algorithms.” NASA/TM-2013-218030 (2013).

Stratway (strategic separation)

  • G. Hagen, R. Butler, and J. Maddalon. “Stratway: A modular approach to strategic conflict resolution.” AIAA ATIO, 2011.

KB3D (CD&R)

  • C. Muñoz, R. Siminiceanu, V. Carreño, and G. Dowek. “KB3D reference manual-version 1.” NASA/TM-2005-213769 (2005).

SLIDE 7

Successes: After the Design Phase . . .

Static Analysis, Dynamic Analysis, and Symbolic Execution

  • D. Giannakopoulou, F. Howar, M. Isberner, T. Lauderdale, Z. Rakamaric, V. Raman: “Taming Test Inputs for Separation Assurance.” ASE 2014.
  • P. S. Duggirala, L. Wang, S. Mitra, M. Viswanathan, and C. Muñoz. “Temporal Precedence Checking for Switched Models and Its Application to a Parallel Landing Protocol,” Proc. 19th Int’l Symposium on Formal Methods (FM 2014), LNCS, Vol. 8442, pp. 215-229, 2014.

SymbolicPathFinder (symbolic analysis)

  • C. Păsăreanu, W. Visser, D. Bushnell, J. Geldenhuys, P. Mehlitz, and N. Rungta. “Symbolic PathFinder: integrating symbolic execution with model checking for Java bytecode analysis.” Automated Software Engineering 20, no. 3 (2013): 391-425.

SLIDE 8

Successes: Mission Time

Runtime Monitoring

rt-R2U2 (system & safety health management)

  • T. Reinbacher, K. Y. Rozier, and J. Schumann. “Temporal-Logic Based Runtime Observer Pairs for System Health Management of Real-Time Systems.” In TACAS, volume 8413 of LNCS, pages 357–372, Springer-Verlag, 5-13 April 2014.

Copilot

  • L. Pike, A. Goodloe, R. Morisset, and S. Niller. “Copilot: a hard real-time runtime monitor.” In Runtime Verification, pp. 345-359. Springer, 2010.

Runtime Monitoring faces fewer challenges than design-time verification:

  • less formal
  • only specs needed
  • specs inherited from design time

Still not often adapted to flight-certifiable!
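As an added illustration (not from the slides, and not the rt-R2U2 or Copilot implementation), the following Python sketch shows what "only specs needed, specs inherited from design time" looks like in practice: a design-time requirement of the form G(trigger -> F[0,k] response) is checked as a runtime observer over a constructed telemetry trace, reporting violated windows and windows still open when the trace ends. Field names, thresholds and bounds are hypothetical.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

Sample = Dict[str, float]
Pred = Callable[[Sample], bool]

@dataclass
class ResponseObserver:
    """Observer for G(trigger -> F[0,bound] response) over a discrete-time trace.
    A trigger at step i opens the window [i, i+bound], in which the response
    must hold. A window cut off by the end of the trace is 'pending'
    (inconclusive, as an online observer would also report), not a violation.
    """
    name: str
    trigger: Pred
    response: Pred
    bound: int  # window length in steps, >= 0

    def check(self, trace: List[Sample]) -> Dict[str, List[int]]:
        verdict: Dict[str, List[int]] = {"violated": [], "pending": []}
        for i, sample in enumerate(trace):
            if not self.trigger(sample):
                continue
            window = trace[i:i + self.bound + 1]
            if any(self.response(w) for w in window):
                continue
            complete = len(window) == self.bound + 1
            verdict["violated" if complete else "pending"].append(i)
        return verdict

# Constructed telemetry, one sample per second (hypothetical fields and values).
TRACE: List[Sample] = [
    {"t": 0, "alt_ft": 1200, "cmd_gear": 0, "gear_down": 0},
    {"t": 1, "alt_ft": 900,  "cmd_gear": 1, "gear_down": 0},
    {"t": 2, "alt_ft": 700,  "cmd_gear": 1, "gear_down": 0},
    {"t": 3, "alt_ft": 450,  "cmd_gear": 1, "gear_down": 0},
    {"t": 4, "alt_ft": 400,  "cmd_gear": 1, "gear_down": 0},
    {"t": 5, "alt_ft": 300,  "cmd_gear": 1, "gear_down": 0},
    {"t": 6, "alt_ft": 200,  "cmd_gear": 1, "gear_down": 1},
    {"t": 7, "alt_ft": 150,  "cmd_gear": 1, "gear_down": 1},
    {"t": 8, "alt_ft": 100,  "cmd_gear": 1, "gear_down": 0},  # indication lost
]

# Design-time requirements reused unchanged as runtime observers (constructed).
SPECS = [
    # Below 500 ft, a gear-down indication must appear within 2 s.
    ResponseObserver("gear_down_low_alt", lambda s: s["alt_ft"] < 500,
                     lambda s: s["gear_down"] == 1, bound=2),
    # A gear-down command must be followed by the indication within 3 s.
    ResponseObserver("gear_cmd_response", lambda s: s["cmd_gear"] == 1,
                     lambda s: s["gear_down"] == 1, bound=3),
]

def run_observers(trace: List[Sample] = TRACE, specs=SPECS):
    return {spec.name: spec.check(trace) for spec in specs}
```

The bounded future operator is what makes the verdict computable with a finite delay; an unbounded F would never let the observer report a violation.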

SLIDE 9

Progress

  • Impactful results
  • Efficiency of analysis
  • Coverage of analysis
  • Adaptability to specific problems
  • Scalability
  • Recognition of the need for formal methods in aerospace system design and runtime

In the design stage, where changes are cheapest, easiest, and most impactful, is where we face the biggest bottlenecks...

SLIDE 10

A Goal Aerospace System Design Process

[Flow diagram; box labels: System Design; M = Formal System Model; Specification; Model Validation via Model Checking; Specification Validation; Model Check; ERROR? YES / NO; SPEC DEBUGGING; REVISE; Build Prototype; Simulation; Testing and ...; USE SPECIFICATIONS FOR RUNTIME MONITORING]

SLIDES 11-15

Bottlenecks

  • Creating a system model/complete formalizable design
  • Writing formal specifications/getting precise requirements
  • Artifacts analyzable by one tool do not translate to any other
      - Need to know from the beginning all features/expressability that will be needed and choose the right tool from the start
      - Cannot change direction, translate between tools, or start again
  • Constantly have to re-explain the model/specification context
      - continuous vs discrete time
      - level of abstraction
      - types of system that can be reasoned about
  • Outputs also require human translation (e.g. counterexamples)
  • Each project requires a very active middleman engaging for a long time!

SLIDE 16

The Bottom Line

Bottom Line: INPUTS to formal analysis are the BIGGEST challenge

[Diagram: excerpt of the design-process flow with the labels System Design; M = Formal System Model; Specification; Model Verification; Model Check; ERROR]

SLIDE 17

Proposed Solutions

  • code-level analysis
  • NLP → LTL
  • structured inputs
  • training system designers in formal methods

Each may be part of a solution. None of these solves the problem.

SLIDES 18-24

Code-Level Analysis Does Not Solve the Modeling Problem

  • Mostly written by untrained engineers using no coding standards
  • No organization/spaghetti code
  • Often very large or intractable, full of dead code
  • Not an actual model of the intended system
  • People inherently write bad code
  • Does not solve the problems of specifications
      - Automatic specifications check code quality, not design
      - Development mismatch: code is a final system; too late to check design-time specifications
  • Design = code
  • Need to analyze the design
  • Code needs to be auto-generated; people should not write the code
  • Still useful for re-use of trusted components, analysis of final composed code, emergency verification

SLIDE 25

NLP Does Not Solve the Specification Problem

  • Can extract some types: maybe LTL but not theorems
  • Can automatically run specification debuggers
  • Remaining Challenges:
      - Incomplete requirements
      - Matching variables to a model
      - Maintaining level of abstraction
      - Context
      - Output organization and usability

SLIDE 26

Solving the Problem: The View from 10K Feet

  • No more individual tools! Need a toolset!
  • Need to combine multiple formal methods tools into a unified suite
  • Must be standardized in some way
  • Must be sold by a company
      - Need a start-up or business to market it widely at a reasonable price
  • Must be taught in aerospace engineering departments at universities

SLIDE 27

Solving the Problem: Need for a Standard Toolset

  • Need a professional, intuitive GUI
      - Restrictions on context serving as built-in reminders
  • Needs to do the job of today’s middleman!
      - Needs to organize, index, and cross-reference specifications and modeling components
      - Needs to allow for: compositional modeling, component/specification re-use, automatic documentation and structure visualization
  • Cannot let people write their own code!

SLIDE 28

Solving the Problem: Need for a Standard Toolset

  • Must be compatible with other V&V methods
  • Both able to:
      - Translate between analysis techniques
      - Provide artifacts for testing and simulation: test case generation, produce simulation models, automate visualization (i.e. counterexamples)
  • Needs a unified choice of graphical displays for outputs (counterexamples, fault trees, dependencies, etc.)
  • Replace middleman with customer service department
      - System designers can pay for support or call in with individual questions
  • We don’t have any tools for some of these yet!

SLIDES 29-30

For Our Future

  • Need models/formal system descriptions
  • Need specifications
  • Need output visualization
  • Need unified toolset for widespread adaptation
  • Need to overcome stigmas: learning curve, usefulness, etc.

... So how do we do that?
