nasa langley formal methods workshop 1 may 2008 newport
play

NASA Langley formal methods workshop, 1 May 2008, Newport News VA, - PowerPoint PPT Presentation

Dec 27, 2022 •92 likes •496 views

NASA Langley formal methods workshop, 1 May 2008, Newport News VA, version of SCC April 2008, based on Kickoff for Formally Supported Safety Cases For Adaptive Systems, NASA LaRC, 9 April 2008 Uses Runtime Verification Workshop, Budapest,

  1. NASA Langley formal methods workshop, 1 May 2008, Newport News VA, version of SCC April 2008, based on Kickoff for “Formally Supported Safety Cases For Adaptive Systems”, NASA LaRC, 9 April 2008 Uses Runtime Verification Workshop, Budapest, March 2008 Loosely based on FDA Assurance Cases, 21, 22 Feb 2008 Loosely based on Open Group Paris 23 April 2007, slight revisions of Open Group San Diego 31 January 2007, major rewrite of HCSS Aviation Safety Workshop, Alexandria, Oct 5,6 2006 Based on University of Illinois ITI Distinguished Lecture Wednesday 5 April 2006 based on ITCES invited talk, Tuesday 4 April 2006

  2. Formal Methods and Certification John Rushby Computer Science Laboratory SRI International Menlo Park CA USA John Rushby, SR I Formal Methods and Certification 1

  3. Overview • Standards- vs. goal-based safety cases • Formal methods in goal-based safety cases • Multi-legged safety cases • Compositional approaches to system properties John Rushby, SR I Formal Methods and Certification 2

  4. Frameworks for Certification • Certification provides assurance that deploying a given system does not pose an unacceptable risk of adverse consequences • Current methods explicitly depend on ◦ Standards and regulations ◦ Rigorous examination of the whole, finished system And implicitly on ◦ Conservative practices ◦ Safety culture • All of these are changing John Rushby, SR I Formal Methods and Certification 3

  5. The Standards-Based Approach to Software Certification • E.g., airborne s/w (DO-178B), security (Common Criteria) • Applicant follows a prescribed method (or processes) ◦ Delivers prescribed outputs ⋆ e.g., documented requirements, designs, analyses, tests and outcomes; traceability among these • Works well in fields that are stable or change slowly ◦ Can institutionalize lessons learned, best practice ⋆ e.g. evolution of DO-178 from A to B to C • But less suitable with novel problems, solutions, methods John Rushby, SR I Formal Methods and Certification 4

  6. A Recent Incident • Fuel emergency on Airbus A340-642, G-VATL, on 8 February 2005 (AAIB SPECIAL Bulletin S1/2005) • Toward the end of a flight from Hong Kong to London: two engines flamed out, crew found certain tanks were critically low on fuel, declared an emergency, landed at Amsterdam • Two Fuel Control Monitoring Computers (FCMCs) on this type of airplane; they cross-compare and the “healthiest” one drives the outputs to the data bus • Both FCMCs had fault indications, and one of them was unable to drive the data bus • Unfortunately, this one was judged the healthiest and was given control of the bus even though it could not exercise it • Further backup systems were not invoked because the FCMCs indicated they were not both failed John Rushby, SR I Formal Methods and Certification 5

  7. Implicit and Explicit Factors • See also ATSB incident report for in-flight upset of Boeing 777, 9M-MRG (Malaysian Airlines, near Perth Australia) • How could gross errors like these pass through rigorous assurance standards? • Maybe effectiveness of current certification methods depends on implicit factors such as safety culture, conservatism • Current business models are leading to a loss of these ◦ Outsourcing, COTS, complacency, innovation • Surely, a credible certification regime should be effective on the basis of its explicit practices • How else can we cope with challenges of the future? John Rushby, SR I Formal Methods and Certification 6

  8. Standards and Goal-Based Assurance • All assurance is based on arguments that purport to justify certain claims , based on documented evidence • Standards usually define only the evidence to be produced • The claims and arguments are implicit • Hence, hard to tell whether given evidence meets the intent • E.g., is MC/DC coverage evidence for good testing or good requirements? • Recently, goal-based assurance methods have been gaining favor: these make the elements explicit John Rushby, SR I Formal Methods and Certification 7

  9. The Goal-Based Approach to Software Certification • E.g., UK air traffic management (CAP670 SW01), UK defence (DefStan 00-56), growing interest elsewhere • Applicant develops a safety case ◦ Whose outline form may be specified by standards or regulation (e.g., 00-56) ◦ Makes an explicit set of goals or claims ◦ Provides supporting evidence for the claims ◦ And arguments that link the evidence to the claims ⋆ Make clear the underlying assumptions and judgments ⋆ Should allow different viewpoints and levels of detail • Generalized to security, dependability, assurance cases • The case is evaluated by independent assessors ◦ Explicit claims, evidence, argument John Rushby, SR I Formal Methods and Certification 8

  10. Toulmin’s Model of Argument • Certification is ultimately a judgement • So classical formal reasoning may not be entirely appropriate • Advocates of assurance cases often look to Toulmin’s model of argument • Toulmin stresses justification rather than inference Grounds Grounds Claim subclaim Qualifier (Evidence) (Evidence) Warrant Backing Rebuttal (Argument) • Supported in safety cases by notations (e g., GSN), tools (e.g., ASCE); also tools for intelligence agencies John Rushby, SR I Formal Methods and Certification 9

  11. Toulmin’s Model of Argument (ctd.) Claim: This is the expressed opinion or conclusion that the arguer wants accepted by the audience Grounds: This is the evidence or data for the claim Qualifier: An adverbial phrase indicating the strength of the claim (e.g., certainly, presumably, probably, possibly, etc.) Warrant: The reasoning or argument (e.g., rules or principles) for connecting the data to the claim Backing: Further facts or reasoning used to support or legitimate the warrant Rebuttal: Circumstances or conditions that cast doubt on the argument; it represents any reservations or “exceptions to the rule” that undermine the reasoning expressed in the warrant or the backing for it John Rushby, SR I Formal Methods and Certification 10

  12. Reconciling Toulmin’s Approach with Formal Methods • We do formal methods • So the qualifier is always ⊢ or | = • How can we reconcile these with the reasonable doubts manifested in Toulmin’s approach? • One idea ◦ Implicit in the work of Jackson and Zave, Goodenough and Weinstock, and others Is to put them in the assumptions A 1 , . . . , A n under which the system S satisfies the requirements R A 1 , . . . , A n , S ⊢ R • Then do safety analysis on each assumption A i ◦ e.g., FMEA, HAZOP, FTA, other HA techniques John Rushby, SR I Formal Methods and Certification 11

  13. Other Proof Hazards • The system specification S and requirements R should be analyzed similarly • And there’s a possibility the proof is flawed ◦ Proof diversity may mitigate this Or deliberately unsound—e.g., static analysis • And the implementation of the specification ◦ Usually a subsidiary claim or claims • Can do hazard analysis and mitigation on all these • Observe this framework provides an uncontroversial and constructive treatment for the hysterical concerns of Fetzer John Rushby, SR I Formal Methods and Certification 12

  14. Implementation Hazards • Currently, we apply safety analysis methods (HA, FTA, FMEA, HAZOP etc.) to an informal system description ◦ Little automation, but in principle ◦ These are abstracted ways to examine all reachable states • Then, to be sure the implementation does not introduce new hazards, require it exactly matches the analyzed description ◦ Hence, DO-178B is about correctness, not safety • Instead, use a formal system description ◦ Then have automated forms of reachability analysis ◦ Closer to the implementation, smaller gap to bridge • Analyze the implementation for preservation of safety, not correctness John Rushby, SR I Formal Methods and Certification 13

  15. Implementation Hazards: Standards Focus on Correctness Rather than Safety safety goal system rqts system specs safety validation software rqts software specs correctness verification code • Premature focus on correctness is hugely expensive goal-based methods could reduce this • Could also allow runtime checking of safety properties John Rushby, SR I Formal Methods and Certification 14

  16. Even Weak Models Have Value A wealth of opportunities to the left; can apply them early, too new Numbur of cases examined 10^10 opportunities current practice 10^8 10^6 10^4 10^2 state machines models simulations h/w in loop flight h/w Fidelity of model John Rushby, SR I Formal Methods and Certification 15

  17. Overall V&V Process Traditional Vee Diagram (Much Simplified) time and money system requirements test unit/integration design/code test John Rushby, SR I Formal Methods and Certification 16

  18. Vee Diagram Tightened with Formal Analysis time and money system requirements test unit/integration design/code test Example: Rockwell-Collins John Rushby, SR I Formal Methods and Certification 17

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Formal Methods at Intel An Overview John Harrison Intel Corporation Second NASA Formal

Formal Methods at Intel An Overview John Harrison Intel Corporation Second NASA Formal

Formal Methods at Intel An Overview John Harrison Intel Corporation Second NASA Formal Methods Symposium NASA HQ, Washington DC 14th April 2010 (09:0010:00) 0 Table of contents Intels diverse verification problems Verifying

834 views • 45 slides
Research in the Verification of Flight-Critical Systems Alwyn Goodloe NASA Langley Research

Research in the Verification of Flight-Critical Systems Alwyn Goodloe NASA Langley Research

Research in the Verification of Flight-Critical Systems Alwyn Goodloe NASA Langley Research Center Overview Background Verification and Certification Aircraft self-separation Runtime verification Formal-Methods for numerical

812 views • 50 slides
The NASA Langley Multidisciplinary Uncertainty Quantification Challenge Luis G. Crespo

The NASA Langley Multidisciplinary Uncertainty Quantification Challenge Luis G. Crespo

The NASA Langley Multidisciplinary Uncertainty Quantification Challenge Luis G. Crespo National Institute of Aerospace Sean P. Kenny and Daniel P. Giesy Dynamic Systems and Control Branch, NASA Langley Research Center This paper

342 views • 9 slides
NASA Langley Research Center Science Directorate E/PO Team NASA Science for the Math Classroom

NASA Langley Research Center Science Directorate E/PO Team NASA Science for the Math Classroom

NASA Langley Research Center Science Directorate E/PO Team NASA Science for the Math Classroom Preston Lewis Kristyn Damadeo Agenda Introductions Overview of NASA Langley Research Center Science Directorate Resources Graphing for

698 views • 58 slides
Career Life Balance Kristin Y. Rozier . . . . NASA Rice Langley March 14, 2008 University

Career Life Balance Kristin Y. Rozier . . . . NASA Rice Langley March 14, 2008 University

Background At Work Outside of Work Long-Distance Relationships Summary Career Life Balance Kristin Y. Rozier . . . . NASA Rice Langley March 14, 2008 University Research Center Kristin Y. Rozier Career Life Balance Background At

270 views • 15 slides
Valerie Miller Mechanical Option Advisor: Dr. Freihaut NASA Langley Research Center

Valerie Miller Mechanical Option Advisor: Dr. Freihaut NASA Langley Research Center

Valerie Miller Mechanical Option Advisor: Dr. Freihaut NASA Langley Research Center Administration Office Building One (AOB1); Langley, VA March 30, 2015 Presentation Outline I. Introduction (1 slide) II. Building background (2 slides) a.

339 views • 6 slides
.. evolved in NASA wind tunnels during the last few years to study the aerodynamic problems of the

.. evolved in NASA wind tunnels during the last few years to study the aerodynamic problems of the

1 HIGH-SPEED AERONAUTICS NASA Langley Research Center Langley Station, Hampton, Va. Presented at Field Inspection of Advanced Research and Technology Hampton, Virginia May 18-22, 1964 ~ ~ HIGH-SPEED AERONAUTICS INTRODUCTION You are in the test

512 views • 14 slides
A Self-Stabilizing Hybrid Fault-Tolerant Synchronization Protocol Mahyar R. Malekpour

A Self-Stabilizing Hybrid Fault-Tolerant Synchronization Protocol Mahyar R. Malekpour

Langley Research Center A Self-Stabilizing Hybrid Fault-Tolerant Synchronization Protocol Mahyar R. Malekpour NASA-Langley Research Center mahyar.r.malekpour@nasa.gov +1 757-864-1513 http://shemesh.larc.nasa.gov/people/mahyar.htm Langley

241 views • 20 slides
Formal Methods and Cryptography Lecture 24 1 Formal Methods 2 Formal Methods Logical

Formal Methods and Cryptography Lecture 24 1 Formal Methods 2 Formal Methods Logical

Formal Methods and Cryptography Lecture 24 1 Formal Methods 2 Formal Methods Logical foundations of computer science 2 Formal Methods Logical foundations of computer science A language that machines can understand 2 Formal Methods

1.22k views • 121 slides
SMT-based model checking techniques for formal software verification of synchronous dataflow

SMT-based model checking techniques for formal software verification of synchronous dataflow

An insight into SMT-based model checking techniques for formal software verification of synchronous dataflow programs Jonathan Laurent Ecole Normale Sup erieure, National Institute of Aerospace, NASA Langley Research Center August 11 th ,

1.01k views • 67 slides
Formal Methods Michael Collins. 18-849, Section B Spring 1999 Formal Methods Why

Formal Methods Michael Collins. 18-849, Section B Spring 1999 Formal Methods Why

Formal Methods Michael Collins. 18-849, Section B Spring 1999 Formal Methods Why Formalisms? Relationships Flaws Some systems Conclusions Why Formal Methods? We already can build systems. Roman Engineers built

671 views • 12 slides
Achieving Agreement In Three Rounds With Bounded-Byzantine Faults Mahyar Malekpour NASA Langley

Achieving Agreement In Three Rounds With Bounded-Byzantine Faults Mahyar Malekpour NASA Langley

Achieving Agreement In Three Rounds With Bounded-Byzantine Faults Mahyar Malekpour NASA Langley Research Center AIAA SciTech 2017, 7-14 January 2017 Grapevine, Texas Communication And Synchronization Distributed systems are integral part

318 views • 14 slides
Lecture Outline 1. The lecturer 2. Introduction to Formal Methods DD2452 Formal Methods 3.

Lecture Outline 1. The lecturer 2. Introduction to Formal Methods DD2452 Formal Methods 3.

Lecture Outline 1. The lecturer 2. Introduction to Formal Methods DD2452 Formal Methods 3. Course syllabus 4. Course objectives Introductory Lecture 5. Course organization 1. Lecturer 2. Formal Methods Name: Dilian Gurov Formal

56 views • 3 slides
Formal Methods and Cryptography Lecture 25 Formal Methods Formal Methods Logical foundations

Formal Methods and Cryptography Lecture 25 Formal Methods Formal Methods Logical foundations

Formal Methods and Cryptography Lecture 25 Formal Methods Formal Methods Logical foundations of computer science Formal Methods Logical foundations of computer science A language that machines can understand Formal Methods Logical

1.67k views • 123 slides
Formal Methods Software Engineering 2008 Bernd Schoeller ETH Zurich The Grand Challenge The

Formal Methods Software Engineering 2008 Bernd Schoeller ETH Zurich The Grand Challenge The

Formal Methods Software Engineering 2008 Bernd Schoeller ETH Zurich The Grand Challenge The ideal of correct software has long been the goal of research in Computer Science. We now have a good theoretical understanding of how to describe what

806 views • 31 slides
Testing/Simulation Formal Analysis Real System Formal Model Partial coverage Complete coverage

Testing/Simulation Formal Analysis Real System Formal Model Partial coverage Complete coverage

Formal Methods Assurance for TTP John Rushby Computer Science Laboratory SRI International Menlo Park CA USA John Rushby, SR I Formal Methods Assurance for TTP: 1 Formal Methods for Analysis and Assurance: The Idea Testing/Simulation Formal

200 views • 6 slides
Beyond Miners Rule Free Energy Damage Equivalence Alec Feinberg, Ph.D. DfRSoftware Company

Beyond Miners Rule Free Energy Damage Equivalence Alec Feinberg, Ph.D. DfRSoftware Company

Beyond Miners Rule Free Energy Damage Equivalence Alec Feinberg, Ph.D. DfRSoftware Company DfRSoft@gmail.net, www.DfRSoft.Com (617) 943-9034 DfRSoft Miners Rule - Energy Approach to Damage Miners empirical rule was an important

368 views • 19 slides
Static Failure Mode Prediction Models Mechanically Fastened Joints Joining & Assembly Static

Static Failure Mode Prediction Models Mechanically Fastened Joints Joining & Assembly Static

Static Failure Mode Prediction Models Mechanically Fastened Joints Joining & Assembly Static Failure Modes Net Section Shear Fastener Bearing Fastener Shear Tension Tear Out Pull Out Basic Assumptions for our Predictions Failure of

293 views • 10 slides
Probabilistic roadmaps (PRMs) How do you plan in high dimensional state spaces? Problem we want

Probabilistic roadmaps (PRMs) How do you plan in high dimensional state spaces? Problem we want

Probabilistic roadmaps (PRMs) How do you plan in high dimensional state spaces? Problem we want to solve Given: a point-robot (robot is a point in space) a start and goal configuration Find: path from start to goal that does not

898 views • 43 slides
HIV-NAT 017 SQV and LPV-RTV in Treatment-Experienced Children HIV-NAT 017: Study Design Study

HIV-NAT 017 SQV and LPV-RTV in Treatment-Experienced Children HIV-NAT 017: Study Design Study

SQV and LPV-RTV in Treatment-Experienced Children HIV-NAT 017 SQV and LPV-RTV in Treatment-Experienced Children HIV-NAT 017: Study Design Study Design: HIV-NAT 017 Background : Single-arm, open-label, prospective phase IV study to assess

203 views • 6 slides
Runtime Verification Workshop, Budapest, March 2008 FDA Assurance Cases, 21, 22 Feb 2008 Based on

Runtime Verification Workshop, Budapest, March 2008 FDA Assurance Cases, 21, 22 Feb 2008 Based on

Runtime Verification Workshop, Budapest, March 2008 FDA Assurance Cases, 21, 22 Feb 2008 Based on Open Group Paris 23 April 2007, slight revisions of Open Group San Diego 31 January 2007, major rewrite of HCSS Aviation Safety Workshop,

690 views • 31 slides
Polish in-kind contribution to the FAIR cryogenic system Maciej Chorowski, Jaros aw Fydrych

Polish in-kind contribution to the FAIR cryogenic system Maciej Chorowski, Jaros aw Fydrych

Polish in-kind contribution to the FAIR cryogenic system Maciej Chorowski, Jaros aw Fydrych Wroc aw University of Technology - Poland FAIR Cryogenics Review, 27-28.02.2012 Contents 1. Polish in-kind contribuition 2. Local cryogenics for

704 views • 32 slides
Numeric Rela5onal Operators The if Statement The if statement

Numeric Rela5onal Operators The if Statement The if statement

if Statement Ensures that a statement is executed only when some Flow of Control: Branching condi5on is true (Savitch, Chapter 3) Condi5ons typically involve comparison

545 views • 7 slides
MINER n A Cross Sections what is MINER n A ? why MINER n A ? n beam and n flux n / n inclusive

MINER n A Cross Sections what is MINER n A ? why MINER n A ? n beam and n flux n / n inclusive

MINER n A Cross Sections what is MINER n A ? why MINER n A ? n beam and n flux n / n inclusive x-sections nuclear effects NuFACT2017 Alessandro Bravar Uppsala Universit de Genve 26 Sept. 2017 for the Miner n a Collaboration Neutrino

285 views • 25 slides

More recommend