modular certification research activities
play

Modular Certification Research Activities John Rushby Computer - PowerPoint PPT Presentation

Jun 10, 2023 •208 likes •602 views

Modular Certification Research Activities John Rushby Computer Science Laboratory SRI International Menlo Park, California, USA John Rushby, SR I Mod Cert Research: 1 Overview Modular certification: what is it? Research activities and

  1. Modular Certification Research Activities John Rushby Computer Science Laboratory SRI International Menlo Park, California, USA John Rushby, SR I Mod Cert Research: 1

  2. Overview • Modular certification: what is it? • Research activities and an aside on automated verification • Partitioning • Assume/Guarantee analysis and domino failures • Coupling through the plants • Summary John Rushby, SR I Mod Cert Research: 2

  3. Modular Certification: What Is It? • Currently: certify the whole aircraft ◦ Suppose some software was used in another aircraft? ◦ Informal reuse of certification argument ◦ Now being formalized in AC20-RSC • ModCert: software comes with qualification data ◦ Modules may be bigger, more interdependent than contemplated for RSC • Full certification examines the qualification data but does not go inside the design • Requires that the qualification data provides everything you need to know • For further qualification or certification, the qualification data is as good as the actual thing John Rushby, SR I Mod Cert Research: 3

  4. Modular Certification: Deliberations • RTCA Special Committee 200 • And Eurocae Working Group 60 • Have joined forces to develop guidance for (Integrated) Modular Avionics • Goal is a document DO-xxx/ED-yyy by March 2004 • “The document should promote aircraft systems design using modular avionics by developing guidance for regulatory approval of the platform and supporting components through the assurance of safety and performance requirements, with attention to means of organizing data developed and used by multiple stakeholders” John Rushby, SR I Mod Cert Research: 4

  5. Modular Certification: Why Is It Wanted? • An enabler for Modular Avionics (MA) ◦ And a different business model that might go with it ◦ Module supplier owns the qualification data • And for Integrated Modular Avionics (IMA) • And for Incremental Certification John Rushby, SR I Mod Cert Research: 5

  6. Traditional Approach + = Requirements, analyses, flow down, go inside components John Rushby, SR I Mod Cert Research: 6

  7. Modular Certification Approach + = Requirements, analyses stop at component interface and do not go inside: e.g., an RTOS John Rushby, SR I Mod Cert Research: 7

  8. Integrated Modular Avionics Separately qualified modules can be combined and used without going inside their designs: e.g., a fadec and a thrust reverser John Rushby, SR I Mod Cert Research: 8

  9. Incremental Certification Qualified Incrementally certified Incrementally certified John Rushby, SR I Mod Cert Research: 9

  10. Research Activity in Support of Modular Certification • Sponsored by NASA • In-house work at NASA Langley ◦ Wednesday: Paul Miner on Spider ◦ But focus of that session was DO254 • Honeywell/SRI/TTTech ◦ Modular Aerospace Controls (MAC) architecture ◦ Engine controller for Aeromachi trainer, F16 ◦ Based on Time Triggered Architecture (TTA) The work I’m reporting is from here John Rushby, SR I Mod Cert Research: 10

  11. Goals of Research Activity • Develop computer science basis for modular certification ◦ What do I need to know about components ◦ And the way they are put together ◦ To be sure the whole thing works safely? ◦ And how can I verify these things? ◦ Want to push the envelope • This kind of computer science is formal methods • But before you all leave. . . • The goal is not to impose formal methods • But to use it to develop techniques and automated tools that might actually be useful John Rushby, SR I Mod Cert Research: 11

  12. Aside: Formal Methods vs. Automated Verification • Formal methods is not a religion ◦ But it does have many sects • All want to treat software as mathematics • Some because they think that’s good for you • Others because you can calculate with mathematics ◦ This is automated verification ◦ Just as CFD calculates the lift and drag of a wing ◦ So automated verification calculates properties of software John Rushby, SR I Mod Cert Research: 12

  13. Automated Verification • Is routine in some areas ◦ Processor design, for example • There’s a tradeoff between how automated it is • And how deep the properties are that you can get to • But there’s tremendous progress year by year John Rushby, SR I Mod Cert Research: 13

  14. Automated Verification (ctd) Fully automated: (in principle) • Could there be a runtime exception? • Is this piece of code reachable? • Unit test case generation (e.g., MC/DC coverage of a Stateflow diagram) Largely Automated: (Have to write the spec) • Can there ever be more than two collisions on the bus during TTA startup with six nodes? Partially Automated: (Have to guide the analysis) • Is the TTA group membership always correct for any combination of faults within the fault hypothesis? John Rushby, SR I Mod Cert Research: 14

  15. Back to Modular Certification • Idea is to figure out what properties you need ◦ Of the components ◦ And of the architecture in which they are located ◦ And of the way they interact • To be confident that these combine to guarantee properties of the overall system • Implicit in this is a shift from process-based to product-based assurance John Rushby, SR I Mod Cert Research: 15

  16. Old and New Issues • Does this component do its own thing safely and correctly? Standard assurance methods can take care of this • Could this component (perhaps due to malfunction) stop some other component doing its thing safely and correctly? This is the new: you may not yet know what the other components are Three ways one component can adversely affect another ◦ Monopolize or corrupt shared resources ◦ Interact improperly (send bad data, fail to follow protocol) ◦ Generate a hazard through coupling of the plants (e.g., thrust reverser moves when engine thrust is above idle) Consider each of these in turn John Rushby, SR I Mod Cert Research: 16

  17. Context: Generic Embedded Control System disturbances controlled plant actuators sensors controller operator inputs John Rushby, SR I Mod Cert Research: 17

  18. Now Suppose We have Two Of Them disturbances controlled plant actuators sensors controller operator inputs John Rushby, SR I Mod Cert Research: 18

  19. Unintended Interaction Through Shared Resources controlled plant actuators sensors controller interaction through shared resources John Rushby, SR I Mod Cert Research: 19

  20. The Architecture Must Enforce Partitioning • One component (even if faulty) cannot be allowed to affect the operation of another through shared resources ◦ Write to its memory, devices ◦ Grab locks, CPU time ◦ Collide on access to shared bus, devices • Components cannot guarantee this themselves—it’s a property of the architecture in which they operate • This is partitioning • Whole idea of modular certification is that you can understand interactions of components by considering their specified interfaces • So partitioning is about enforcing interfaces John Rushby, SR I Mod Cert Research: 20

  21. Partitioning • Top-level requirement specification for partitioning: ◦ Behavior perceived by nonfaulty components must be consistent with some behavior of faulty components interacting with it through specified interfaces • Federated architecture ensures this by physical means • IMA or MAC architectures such as Primus Epic or TTA must ensure this by logical means • For single processors, space partitioning is standard O/S technology: memory management, virtual machines, etc. • Time partitioning can get tricky if using dynamic scheduling with locks, budgets, slack time, etc. ◦ Recall failures of Mars Pathfinder (priority inversions) John Rushby, SR I Mod Cert Research: 21

  22. Partitioning in Bus Architectures • Partitioning in distributed systems can be vulnerable to collisions, contention, babbling on the bus, etc. ◦ CAN buses, for example, are not suitable for highly critical applications • Mechanisms to ensure partitioning in bus architectures rely on sophisticated distributed algorithms ◦ Fault tolerant clock synchronization ◦ Fault tolerant consistent message delivery, etc. • Algorithms of these kinds are found in SAFEbus, TTA, and SPIDER John Rushby, SR I Mod Cert Research: 22

  23. TTA Bus Architecure Host Host Host Host Interface Interface Interface Interface Host Host Host Host Interface Interface Interface Interface Star Hub Bus Bus/hub must be replicated; hub is a logical bus John Rushby, SR I Mod Cert Research: 23

  24. Assurance For Partitioning • The subtlety of the algorithms underlying partitioning in bus architectures can make automated verification worthwhile ◦ Quite challenging ◦ But only needs to be done once • The benefit over traditional forms of examination is that automated verification considers all possible behaviors • Can also be used to perform static scheduling • And to calculate worst case execution time John Rushby, SR I Mod Cert Research: 24

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

IIBA Certification Overview 1 Topics A. Benefits of Attaining an IIBA Certification B. IIBA

IIBA Certification Overview 1 Topics A. Benefits of Attaining an IIBA Certification B. IIBA

IIBA Certification Overview 1 Topics A. Benefits of Attaining an IIBA Certification B. IIBA Certification Options C. Applying for Certification D. Exam Activities Register and Prepare E. Benefits of BABOK studying 2/13/2018, p. 1

127 views • 10 slides
Modular Program and Modular Design for LARP Quadrupoles A research program and magnet design

Modular Program and Modular Design for LARP Quadrupoles A research program and magnet design

Superconducting Magnet Division Modular Program and Modular Design for LARP Quadrupoles A research program and magnet design based on flat racetrack coil modules Ramesh Gupta May 4, 2005 (Revised June 14, 2005) Ramesh Gupta, BNL Modular

478 views • 26 slides
Small Modular Reactor Design and Deployment IREA 10/14/2018 www.inl.gov INL SMR Activities

Small Modular Reactor Design and Deployment IREA 10/14/2018 www.inl.gov INL SMR Activities

INL/MIS-15-34247 Small Modular Reactor Design and Deployment IREA 10/14/2018 www.inl.gov INL SMR Activities INL works with all vendors to provide fair access to the laboratory benefits INL works with industry on SMR technology and

634 views • 24 slides
Voluntary EU certification for Voluntary EU certification for non-residential buildings

Voluntary EU certification for Voluntary EU certification for non-residential buildings

Voluntary EU certification for Voluntary EU certification for non-residential buildings Definition of an Energy Performance Scale Jana Bendalov BUILDING TESTING AND RESEARCH INSTITUTE / Slovakia 09 January 2012 1 Context

609 views • 19 slides
Trust-Related Activities: Internet Certification Authorities Revocation and SSL

Trust-Related Activities: Internet Certification Authorities Revocation and SSL

83 - Paris Trust-Related Activities: Internet Certification Authorities Revocation and SSL Replacements/Enhancements Massimiliano Pala <pala@nyu.edu> Scott Rea <Scott@DigCert.com> CRISSP NYU Poly DigiCert OpenCA Labs

403 views • 18 slides
AC 20.IMA and RTCA/DO- Administration 297, Integrated Modular Avionics (IMA) Development

AC 20.IMA and RTCA/DO- Administration 297, Integrated Modular Avionics (IMA) Development

Federal Aviation AC 20.IMA and RTCA/DO- Administration 297, Integrated Modular Avionics (IMA) Development Guidance Certification and Considerations Issues involved with invoking RTCA/DO-297 as an Acceptable Means of Compliance for

360 views • 14 slides
ORGANIZING REGULATED RESEARCH ACTIVITIES ORGANIZING REGULATED RESEARCH ACTIVITIES Research

ORGANIZING REGULATED RESEARCH ACTIVITIES ORGANIZING REGULATED RESEARCH ACTIVITIES Research

ORGANIZING REGULATED RESEARCH ACTIVITIES ORGANIZING REGULATED RESEARCH ACTIVITIES Research Involving Human Subjects (IRB) Research Involving Animals (IACUC) HUMAN SUBJECT RESEARCH SINGLE IRB REVIEWS HSR requires IRB review

163 views • 14 slides
Architecture Healthcare Pillars of Research Board Board Certification Certification

Architecture Healthcare Pillars of Research Board Board Certification Certification

Education & Education & Networking Networking Sponsoring Research Architecture Healthcare Pillars of Research Board Board Certification Certification Consensus based guidelines 8/1/2019 1 8/1/2019 Ongoing 4

408 views • 11 slides
Small Modular Reactor (SMR) Regulators Forum Stewart Magruder Regulatory Activities Section

Small Modular Reactor (SMR) Regulators Forum Stewart Magruder Regulatory Activities Section

Small Modular Reactor (SMR) Regulators Forum Stewart Magruder Regulatory Activities Section Division of Nuclear Installation Safety Department of Nuclear Safety and Security Members Canada China Finland France Korea

359 views • 12 slides
1 2 3 KASS Certification Procedure Operation System Certification Certification Training

1 2 3 KASS Certification Procedure Operation System Certification Certification Training

1 2 3 KASS Certification Procedure Operation System Certification Certification Training Inspection/Audit Establish MoC Status of Operator/ Maintainer Manual, Function Identify CRB Record and Interfaces Result of Form Ground/

618 views • 24 slides
Research and Grid activities Research and Grid activities in Laboratory MSI of IFI in Laboratory

Research and Grid activities Research and Grid activities in Laboratory MSI of IFI in Laboratory

Research and Grid activities Research and Grid activities in Laboratory MSI of IFI in Laboratory MSI of IFI Nguyen Hong Quang C.Sc. Professor IFI, Hanoi, Vietnam 03/04/10 Outline Presentation of IFI Research in MSI Laboratory Grid

415 views • 25 slides
CAPLA CERTIFICATION PROGRAM EVERYTHING YOU NEED TO KNOW ABOUT THE CERTIFICATION EXAM HOW TO

CAPLA CERTIFICATION PROGRAM EVERYTHING YOU NEED TO KNOW ABOUT THE CERTIFICATION EXAM HOW TO

CAPLA CERTIFICATION PROGRAM EVERYTHING YOU NEED TO KNOW ABOUT THE CERTIFICATION EXAM HOW TO APPLY TO WRITE Once you have logged into the Then under Certification The Certification committee Application Forms may be CAPLA website using

687 views • 37 slides
EMBEDDED SYSTEMS ACTIVITIES @IISc, 2010 - 11 Main activities Research in various departments

EMBEDDED SYSTEMS ACTIVITIES @IISc, 2010 - 11 Main activities Research in various departments

EMBEDDED SYSTEMS ACTIVITIES @IISc, 2010 - 11 Main activities Research in various departments Development support for products Entrepreneurship activities Curriculum development and training Research activities 2010 onwards

1.15k views • 47 slides
1 CERTIFICATION Coming to you soon! 2 What is OPTA VIA Certification? OPTA VIA

1 CERTIFICATION Coming to you soon! 2 What is OPTA VIA Certification? OPTA VIA

1 CERTIFICATION Coming to you soon! 2 What is OPTA VIA Certification? OPTA VIA Certification is based on Dr. As Habits of Health Transformational System and is available to all Coaches who want to apply and reinforce their knowledge of

613 views • 19 slides
Certification Pathway to CCC-A Todd R. Philbrick, CAE Director, Certification Ex Officio to the

Certification Pathway to CCC-A Todd R. Philbrick, CAE Director, Certification Ex Officio to the

ASHA Certification Pathway to CCC-A Todd R. Philbrick, CAE Director, Certification Ex Officio to the CFCC Presentation Overview What is Certification? CCC-A Certification Standards CCC-A Application Process FAQs Keep your

209 views • 19 slides
Briefing on Small Modular Reactors Bill Borchardt Executive Director for Operations March 29,

Briefing on Small Modular Reactors Bill Borchardt Executive Director for Operations March 29,

Briefing on Small Modular Reactors Bill Borchardt Executive Director for Operations March 29, 2011 Agenda Overview Michael Johnson Advanced Reactor Program Michael Mayfield Small Modular Reactor Licensing Activities

409 views • 29 slides
Faster and still safe: Combining screening techniques and structured dictionaries to accelerate

Faster and still safe: Combining screening techniques and structured dictionaries to accelerate

Faster and still safe: Combining screening techniques and structured dictionaries to accelerate the Lasso Cssio F. DANTAS, Rmi GRIBONVAL cassio.fraga-dantas@inria.fr, remi.gribonval@inria.fr 1 - 03/04/18 Accelerate the Lasso

664 views • 54 slides
Provider based Virtual Private Networks An introduction and an MPLS case Lecture slides for

Provider based Virtual Private Networks An introduction and an MPLS case Lecture slides for

HELSINKI UNIVERSITY OF TECHNOLOGY Provider based Virtual Private Networks An introduction and an MPLS case Lecture slides for S-38.192 3.3.2005 Mika Ilvesmki Networking laboratory HELSINKI UNIVERSITY OF TECHNOLOGY Mika Ilvesmki, Lic.Sc.

362 views • 15 slides
Large BGP Communities David Freedman david.freedman@uk.clara.net Claranet 19/01/2017 UKNOF36,

Large BGP Communities David Freedman david.freedman@uk.clara.net Claranet 19/01/2017 UKNOF36,

Large BGP Communities David Freedman david.freedman@uk.clara.net Claranet 19/01/2017 UKNOF36, London 1 In brief. BGP Communities Attribute (RFC 1997, Aug 1996) Designed for Internet Broad support in BGP implementations. 32

429 views • 9 slides
BGP Large Communities: a new BGP Routing Heuristic Montevideo, Uy | 21/09/2017 BGP Large

BGP Large Communities: a new BGP Routing Heuristic Montevideo, Uy | 21/09/2017 BGP Large

BGP Large Communities: a new BGP Routing Heuristic Montevideo, Uy | 21/09/2017 BGP Large Communities: a new BGP Routing Heuristic Lucenildo Aquino Jnior Agenda BGP Communities BGP Extended Communities BGP Large Communities

549 views • 26 slides
Efficiently Enforcing Strong Memory Ordering in GPUs Abhayendra Singh* , Shaizeen Aga, Satish

Efficiently Enforcing Strong Memory Ordering in GPUs Abhayendra Singh* , Shaizeen Aga, Satish

Efficiently Enforcing Strong Memory Ordering in GPUs Abhayendra Singh* , Shaizeen Aga, Satish Narayanasamy Google, University of Michigan, Ann Arbor Dec 9, 2015 University of Michigan Electrical Engineering and Computer Science *author

749 views • 52 slides
On the Need for Extended Transactional Models@Run.Time Presented at

On the Need for Extended Transactional Models@Run.Time Presented at

On the Need for Extended Transactional Models@Run.Time Presented at MRT 2015, Ottawa, Canada Mahdi Derakhshanmanesh 1 , Marvin Grieger 2 and Jrgen Ebert 1 {manesh,

1.15k views • 88 slides
tt sttts t

tt sttts t

tt sttts t ts t s t trs st r r

470 views • 30 slides
Earnings Summary Second Quarter 2020 Conference Call Tuesday, July 28, 2020 10:00 a.m. ET

Earnings Summary Second Quarter 2020 Conference Call Tuesday, July 28, 2020 10:00 a.m. ET

Earnings Summary Second Quarter 2020 Conference Call Tuesday, July 28, 2020 10:00 a.m. ET Webcast link: https://78449.themediaframe.com/dataconf/productusers/hun/mediaframe/38928/indexl.html Participant dial-in numbers: Domestic callers:

489 views • 15 slides

More recommend