mechanized formal analysis for safety critical systems
play

Mechanized Formal Analysis for Safety-Critical Systems: The - PDF document

Jan 07, 2023 •216 likes •433 views

Mechanized Formal Analysis for Safety-Critical Systems: The Convergence of Need and Opportunity John Rushby Computer Science Laboratory SRI International Menlo Park, California, USA John Rushby, SRI Mechanized Analysis: 1

  1. � � � Mechanized Formal Analysis for Safety-Critical Systems: The Convergence of Need and Opportunity John Rushby Computer Science Laboratory SRI International Menlo Park, California, USA John Rushby, SRI Mechanized Analysis: 1 Overview The need But why mechanized formal analysis? The opportunity John Rushby, SRI Mechanized Analysis: 2

  2. � � � � � � � � � � � � � The Need More and more safety-critical applications More complex safety-critical applications More challenging regulatory frameworks More challenging commercial environment John Rushby, SRI Mechanized Analysis: 3 More and More Safety-Critical Applications More complete automation in mass transit E.g., driverless trains More functions become automated in airplanes E.g., doors, escape slides More kinds of automation in airplanes E.g., general aviation New industries automating critical functions E.g., brake-, steer-by-wire in cars But the pool of talent and experience is small John Rushby, SRI Mechanized Analysis: 4

  3. � � � � � � � � � � � � � � � � � � � More Complex Safety-Critical Applications Integrated modular avionics (IMA) and similar developments in other industries Previously, systems were federated Meaning each function had its own computer system Few connections between them So there were strong barriers to fault propagation Now, systems share resources Processors, communications buses So need highly assured partitioning to restore barriers to fault propagation And they interact more intimately E.g., braking, suspension, steering, on cars Raising concern about unintended emergent behavior John Rushby, SRI Mechanized Analysis: 5 More Challenging Regulatory Frameworks Integrated modular avionics RTCA SC-200 and Eurocae WG60 Want modular certification based on separately qualified components It’s not enough to show the components are “good” Like the inertial measurement units of Ariane 4 and 5 Need to be able to show the combination of components will be “good” Unlike in Ariane 5 This is what computer scientists call compositional reasoning Deducing properties of the combination From those of the components Plus some “algebra of combination” But compositional certification is different from compositional verification John Rushby, SRI Mechanized Analysis: 6

  4. � � � � � � � � � � � � � More Challenging Commercial Environment Need to reduce costs Certification costs are about half of total And time to market Need to be able to upgrade and enhance already certified systems And want to be able to customize certified systems John Rushby, SRI Mechanized Analysis: 7 Summarizing. . . Traditional methods for development, assurance, and certification of safety-critical systems are at their limits We need new methods for assurance and certification that are more efficient and more reliable Move from reliance on process to evaluation of the product New methods should be less labor-intensive Move from reviews Processes that depend on human judgment and consensus To analysis Processes that can be repeated and checked by others, and potentially so by machine This language is from DO-178B/ED-12B John Rushby, SRI Mechanized Analysis: 8

  5. � � � � � � ✄ � ✞ � � � � � � � But Why Mechanized Formal Methods? Formal analysis is about calculating properties of computer system designs Just like engineers in traditional disciplines use calculation to examine their designs E.g., PDEs for aerodynamics, finite elements for structures So, with suitable design descriptions, we could use formal calculations to Determine whether all reachable states satisfy some property Determine whether a certain state is always achievable Generate a (near) complete set of test cases John Rushby, SRI Mechanized Analysis: 9 So What’s the Problem? The problem is that formal calculations are much harder than those in traditional engineering The applied math of computer science is formal logic So calculation is done by automated deduction �✂✁☎✄ Where all problems are NP-hard, most are superexponential ( ), nonelementary ✞✡✠ ✁✝✆✟✞ ( ), or undecidable Why? Have to search a massive space of discrete possibilities But that exactly mirrors why it’s so hard to provide assurance for computerized systems with lots of discrete logic John Rushby, SRI Mechanized Analysis: 10

  6. � � � � � � � � � � � � � � � � � Assurance for Discrete Logic That is, requirements, specifications, code having lots of discrete conditions Absence of continuity means that extrapolation from incomplete testing is unsound Combinations of different behaviors grow so rapidly complete testing is infeasible However, symbolic analysis can (in principle) consider all cases E.g., examine the consequences of rather than enumerating �✂✁☎✄ (1, 2), (1,3), (1, 4), . . . (2, 3),. . . Sound and feasible, though hard This is what formal analysis is about John Rushby, SRI Mechanized Analysis: 11 But Hasn’t That Been Tried and Failed? Yes, it failed for three reasons No suitable design descriptions Code is formal, but too big, and too late Requirements and specifications were informal Engineers rejected formal specification languages (e.g., ours) Narrow notion of formal verification Didn’t contribute to traditional processes (e.g., testing) Didn’t reduce costs or time (e.g., by early fault detection) It was “all or nothing” Lack of automation Couldn’t mechanize the huge search effectively So needed human guidance—and interactive theorem proving is an arcane skill But now there’s an opportunity to fix all that John Rushby, SRI Mechanized Analysis: 12

  7. � � � � � � � � � � � � � � � � The Opportunity A convergence of three trends Industrial adoption of model-based development environments Use a model of the system (and its environment) as the focus for all design and development activities E.g., SCADE and Esterel, Simulink/Stateflow, UML Some of these are ideal for formal methods (others are not, but can make do) New kinds of formal activities Fault tree analysis, test case generation, extended static checking (ESC), runtime verification, environment synthesis, formal exploration More powerful, more automated deductive techniques Approaches based on “little engines of proof” New engines: commodity SAT, Multi-Shostak, “lemmas on demand” New techniques: bounded model checking (BMC), � -induction, abstraction John Rushby, SRI Mechanized Analysis: 13 Industrial Adoption of Model-Based Development Environments Here, we’re interested in SCADE And in the exciting prospects that it’s now under the same roof as Esterel E.g., Use of SyncCharts to describe complex discrete logic And in links to Matlab (Simulink/Stateflow) These give access to formal descriptions throughout the lifecycle Now, we just need to add analysis John Rushby, SRI Mechanized Analysis: 14

  8. � � � � � � � � New Kinds of Formal Analyses and Activities Support design exploration in the early lifecycle “Can this state and that both be active simultaneously?” “Show me an input sequence that can get me to here with � ✁� ☎✄ ” Provide feedback and assurance in the early lifecycle Extended static checking, reachability analysis (for hybrid and infinite-state as well as discrete systems) Automate costly and error-prone manual processes E.g., test case generation Together, these can provide a radical improvement in the traditional “V,” in addition to that already provided by SCADE John Rushby, SRI Mechanized Analysis: 15 Simplified Vee Diagram time and money system requirements test unit/integration design/code test Automated formal analysis can tighten the vee John Rushby, SRI Mechanized Analysis: 16

  9. � � � � � � � � � � Tightened Vee Diagram time and money system requirements test unit/integration design/code test John Rushby, SRI Mechanized Analysis: 17 More Powerful, More Automated Deductive techniques In the early lifecycle we have continuous quantities (real numbers and their derivatives), integers, other infinite and rich domains Later in the lifecycle, we have bounded integers, bitvectors, abstract data types Several of these theories are decidable, such as Real closed fields Integer linear arithmetic Equality with uninterpreted functions Fixed-width bitvectors The challenge is to decide their combination and to do it efficiently Need to make some compromises The combination of quantified integer linear arithmetic with equality over uninterpreted functions is undecidable But the ground (unquantified) combination is decidable First successful combination methods were pioneered at SRI and Stanford more than 20 years ago, and we’ve continued to improve them ever since John Rushby, SRI Mechanized Analysis: 18

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Tutorial Intro. to Modern Formal Methods: Mechanized Formal Analysis Using Model Checking,

Tutorial Intro. to Modern Formal Methods: Mechanized Formal Analysis Using Model Checking,

Tutorial Intro. to Modern Formal Methods: Mechanized Formal Analysis Using Model Checking, Theorem Proving SMT Solving, Abstraction, and Static Analysis With SAL, PVS, and Yices, and more John Rushby Computer Science Laboratory SRI

1.89k views • 161 slides
Formal analysis of security models for critical systems: Virtualization platforms and mobile

Formal analysis of security models for critical systems: Virtualization platforms and mobile

Formal analysis of security models for critical systems: Virtualization platforms and mobile devices Carlos Luna Grupo de Seguridad Inform atica, InCo Facultad de Ingenier a, Universidad de la Rep ublica, Uruguay Formal analysis

751 views • 56 slides
Pragmatic integration of model driven engineering and formal methods for safety critical systems

Pragmatic integration of model driven engineering and formal methods for safety critical systems

Pragmatic integration of model driven engineering and formal methods for safety critical systems design Marc Pantel and many others IRIT - ACADIE ENSEEIHT - INPT - Universit de Toulouse Institute of Cybernetics Institute Tallinn

1.58k views • 110 slides
F Formal Modeling and Verification of l M d li d V ifi ti f Safety-Critical Software

F Formal Modeling and Verification of l M d li d V ifi ti f Safety-Critical Software

Submitted to IEEE Software 2009 - Special issue on Software Development for Embedded Systems F Formal Modeling and Verification of l M d li d V ifi ti f Safety-Critical Software implemented in PLC JUNBEOM YOO JUNBEOM YOO KONKUK

882 views • 32 slides
Practically Formal Development and Assurance of Complex Software-Intensive Safety-Critical

Practically Formal Development and Assurance of Complex Software-Intensive Safety-Critical

Practically Formal Development and Assurance of Complex Software-Intensive Safety-Critical Systems Alan Wassyng work with Zinovy Diskin, Nicholas Annable, and Mark Lawford CyPhyAssure, 20 March 2019 GSN-like Assurance Cases Pros

720 views • 33 slides
Clearsy Provides safety critical systems and softwares Fersil is the railway activity of

Clearsy Provides safety critical systems and softwares Fersil is the railway activity of

Clearsy Provides safety critical systems and softwares Fersil is the railway activity of Clearsy Clearsy Provides safety critical sytems SIL2 to SIL4 Provides safety critical softwares SIL2 to SIL4 Uses the B formal method to

490 views • 13 slides
Formal methods for Safety Assessment of Critical Software at RATP Engineering Department --

Formal methods for Safety Assessment of Critical Software at RATP Engineering Department --

Formal methods for Safety Assessment of Critical Software at RATP Engineering Department -- RATP/ING/STF/QS/AQL Evguenia DMITRIEVA / Oct 16 2014, Toulouse Plan 1. Industrial Context 2. Formal methods for software safety assessment : PERF 3.

498 views • 32 slides
attachment I: FOOD SAFETY MANAGEMENT SYSTEMS 1 HACCP HAZARD ANALYSIS AND CRITICAL CONTROL

attachment I: FOOD SAFETY MANAGEMENT SYSTEMS 1 HACCP HAZARD ANALYSIS AND CRITICAL CONTROL

attachment I: FOOD SAFETY MANAGEMENT SYSTEMS 1 HACCP HAZARD ANALYSIS AND CRITICAL CONTROL POINTS 2 1. Introduction The HACCP System is designed to control the production process and is based on principles and preventive concepts. It

1.8k views • 142 slides
Safety Analysis of Systems Aaron R. Bradley Stanford University Safety Analysis of Systems

Safety Analysis of Systems Aaron R. Bradley Stanford University Safety Analysis of Systems

Safety Analysis of Systems Aaron R. Bradley Stanford University Safety Analysis of Systems 1/39 Why Analyze Systems? Two trends: increasing prominence in controlling and decision-making roles rising complexity (multi-core

1.16k views • 86 slides
Design and Analysis of Safety Critical Systems Peter Seiler and Bin Hu Department of Aerospace

Design and Analysis of Safety Critical Systems Peter Seiler and Bin Hu Department of Aerospace

Design and Analysis of Safety Critical Systems Peter Seiler and Bin Hu Department of Aerospace Engineering & Mechanics University of

796 views • 54 slides
SAVE ORCA Formal Modeling, Safety Analysis, and Verification of Organic Computing Applications

SAVE ORCA Formal Modeling, Safety Analysis, and Verification of Organic Computing Applications

SAVE ORCA Formal Modeling, Safety Analysis, and Verification of Organic Computing Applications Hella Seebach , Florian Nafz and Wolfgang Reif What has happend in the last months? Software Engineering Guideline for Resource-Flow Systems

828 views • 29 slides
Types of Formal Specifications for Assertions Concurrent and Reactive Systems Assertions

Types of Formal Specifications for Assertions Concurrent and Reactive Systems Assertions

Outline Formal specifications CISC422/853: Formal Methods Types of formal specifications: in Software Engineering: assertions invariants Computer-Aided Verification safety and liveness properties How to express safety

226 views • 22 slides
Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis

Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis

Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis of Programs with Dynamic Memory Mihaela Sighireanu IRIF, University Paris Diderot & CNRS VTSA 2015 1 / 149 Outline Introduction 1 Formal

861 views • 68 slides
C++ for Safety-Critical Systems DI Gnter Obiltschnig Applied Informatics Software Engineering

C++ for Safety-Critical Systems DI Gnter Obiltschnig Applied Informatics Software Engineering

C++ for Safety-Critical Systems DI Gnter Obiltschnig Applied Informatics Software Engineering GmbH guenter.obiltschnig@appinf.com A life-critical system or safety-critical system is a system whose failure or malfunction may result in: >

899 views • 87 slides
Formal Methods for Critical Systems: A verified implementation of nested procedures Tristan

Formal Methods for Critical Systems: A verified implementation of nested procedures Tristan

Formal Methods for Critical Systems: A verified implementation of nested procedures Tristan Crolard 1 ICAR15 8-9 October 2015 Joint work with: 1 Pierre Courtieu, 1 , 2 Maria-Virginia Aponte, Julia Lawall 3 1. CNAM / Cedric / CPR team 2.

980 views • 71 slides
Formal Models and Analysis for Self-Adaptive Cyber- Physical Systems International Conference on

Formal Models and Analysis for Self-Adaptive Cyber- Physical Systems International Conference on

Formal Models and Analysis for Self-Adaptive Cyber- Physical Systems International Conference on Formal Aspects of Component Software, Besanon, France, 19 th October 2016. Prof. Dr. Holger Giese Head of the System Analysis & Modeling

704 views • 47 slides
Exceptionally Available Dynamic IFC cu 1 Michael Greenberg 1 Ben Karel 1 Benjamin C. Pierce 1

Exceptionally Available Dynamic IFC cu 1 Michael Greenberg 1 Ben Karel 1 Benjamin C. Pierce 1

Draft Exceptionally Available Dynamic IFC cu 1 Michael Greenberg 1 Ben Karel 1 Benjamin C. Pierce 1 Greg Morrisett 2 C at alin Hrit 1 University of Pennsylvania 2 Harvard University Abstract more sophisticated dynamic checks can soundly

632 views • 14 slides
Introduction DPLL(+ T ) as a transition system Completeness: variable-inactivity, iterative

Introduction DPLL(+ T ) as a transition system Completeness: variable-inactivity, iterative

Outline Introduction DPLL( + T ) as a transition system Completeness: variable-inactivity, iterative deepening Decision procedures by DPLL( + T ) with speculative inferences The theorem-proving method DPLL(+ T ) 1 Maria Paola Bonacina

943 views • 77 slides
The conditional CAPM does not explain asset- pricing anomalies Jonathan Lewellen & Stefan

The conditional CAPM does not explain asset- pricing anomalies Jonathan Lewellen & Stefan

The conditional CAPM does not explain asset- pricing anomalies Jonathan Lewellen & Stefan Nagel HEC School of Management, March 17, 2005 Background Size, B/M, and momentum portfolios, 1964 2001 Monthly returns (%) Avg. returns CAPM

1.11k views • 78 slides
EQUITABLE GROUP FIRST QUARTER 2015 FINANCIAL SUMMARY May 13, 2015 Forward-Looking Statements

EQUITABLE GROUP FIRST QUARTER 2015 FINANCIAL SUMMARY May 13, 2015 Forward-Looking Statements

EQUITABLE GROUP FIRST QUARTER 2015 FINANCIAL SUMMARY May 13, 2015 Forward-Looking Statements Certain forward-looking statements may be made in this presentation, including statements regarding possible future business, financing and growth

490 views • 17 slides
(Semi-)Automatic Normalization of Historical Texts using Distance Measures and the Norma tool

(Semi-)Automatic Normalization of Historical Texts using Distance Measures and the Norma tool

Corpora Methods Norma Tool Evaluation (Semi-)Automatic Normalization of Historical Texts using Distance Measures and the Norma tool Marcel Bollmann Department of Linguistics Ruhr-University Bochum, Germany Second Workshop on Annotation of

626 views • 35 slides
metaDictionary Towards a Generic eInfrastructure for Detecting Variance in Language by

metaDictionary Towards a Generic eInfrastructure for Detecting Variance in Language by

Variance in Language and Genome Annotating Digitized Print Dictionaries Annotating Morpheme Decompositions metaDictionary Towards a Generic eInfrastructure for Detecting Variance in Language by Exploiting Dictionary Information Dietmar

587 views • 20 slides
ARTIFICIAL INTELLIGENCE Machine learning: introduction Lecturer: Silja Renooij These slides are

ARTIFICIAL INTELLIGENCE Machine learning: introduction Lecturer: Silja Renooij These slides are

Utrecht University INFOB2KI 2019-2020 The Netherlands ARTIFICIAL INTELLIGENCE Machine learning: introduction Lecturer: Silja Renooij These slides are part of the INFOB2KI Course Notes available from www.cs.uu.nl/docs/vakken/b2ki/schema.html

408 views • 21 slides
Patterns of CO 2 variability from AIRS data Alexander Ruzmaikin & George Aumann in

Patterns of CO 2 variability from AIRS data Alexander Ruzmaikin & George Aumann in

Patterns of CO 2 variability from AIRS data Alexander Ruzmaikin & George Aumann in collaboration and discussions with Steve Licata, Jan Gohlke, Tom Pagano, Ed Olson, Mous Chahine and Yuk Yung Jet Propulsion Laboratory, California Institute

510 views • 17 slides

More recommend