runtime verification workshop budapest march 2008 fda
play

Runtime Verification Workshop, Budapest, March 2008 FDA Assurance - PowerPoint PPT Presentation

May 25, 2023 •377 likes •690 views

Runtime Verification Workshop, Budapest, March 2008 FDA Assurance Cases, 21, 22 Feb 2008 Based on Open Group Paris 23 April 2007, slight revisions of Open Group San Diego 31 January 2007, major rewrite of HCSS Aviation Safety Workshop,

  1. Runtime Verification Workshop, Budapest, March 2008 FDA Assurance Cases, 21, 22 Feb 2008 Based on Open Group Paris 23 April 2007, slight revisions of Open Group San Diego 31 January 2007, major rewrite of HCSS Aviation Safety Workshop, Alexandria, Oct 5,6 2006 Based on University of Illinois ITI Distinguished Lecture Wednesday 5 April 2006 based on ITCES invited talk, Tuesday 4 April 2006

  2. Runtime Certification John Rushby Computer Science Laboratory SRI International Menlo Park CA USA John Rushby, SR I Runtime Certification: 1

  3. Certification • Certification and high-assurance and have long been supporters and customers of verification technology • Big changes are under way in these areas ◦ I’ll describe some of them • These create new opportunities for runtime verification ◦ I’ll point out some of these John Rushby, SR I Runtime Certification: 2

  4. Current Certification Practice • Certification provides assurance that deploying a given system does not pose an unacceptable risk of adverse consequences • Current methods explicitly depend on ◦ Standards and regulations ◦ Rigorous examination of the whole, finished system And implicitly on ◦ Conservative practices ◦ Safety culture • All of these are changing John Rushby, SR I Runtime Certification: 3

  5. The Standards-Based Approach to Software Certification • E.g., airborne s/w (DO-178B), security (Common Criteria) • Applicant follows a prescribed method (or processes) ◦ Delivers prescribed outputs ⋆ e.g., documented requirements, designs, analyses, tests and outcomes, traceability among these • Works well in fields that are stable or change slowly ◦ Can institutionalize lessons learned, best practice ⋆ e.g. evolution of DO-178 from A to B to C • But less suitable with novel problems, solutions, methods John Rushby, SR I Runtime Certification: 4

  6. A Recent Incident • Fuel emergency on Airbus A340-642, G-VATL, on 8 February 2005 (AAIB SPECIAL Bulletin S1/2005) • Toward the end of a flight from Hong Kong to London: two engines flamed out, crew found certain tanks were critically low on fuel, declared an emergency, landed at Amsterdam • Two Fuel Control Monitoring Computers (FCMCs) on this type of airplane; they cross-compare and the “healthiest” one drives the outputs to the data bus • Both FCMCs had fault indications, and one of them was unable to drive the data bus • Unfortunately, this one was judged the healthiest and was given control of the bus even though it could not exercise it • Further backup systems were not invoked because the FCMCs indicated they were not both failed John Rushby, SR I Runtime Certification: 5

  7. Implicit and Explicit Factors • See also ATSB incident report for in-flight upset of Boeing 777, 9M-MRG (Malaysian Airlines, near Perth Australia) • How could gross errors like these pass through rigorous assurance standards? • Maybe effectiveness of current certification methods depends on implicit factors such as safety culture, conservatism • Current business models are leading to a loss of these ◦ Outsourcing, COTS, complacency, innovation • Surely, a credible certification regime should be effective on the basis of its explicit practices John Rushby, SR I Runtime Certification: 6

  8. Standards and Goal-Based Assurance • All assurance is based on arguments that purport to justify certain claims , based on documented evidence • Standards usually define only the evidence to be produced • The claims and arguments are implicit • Hence, hard to tell whether given evidence meets the intent • E.g., is MC/DC coverage evidence for good testing or good requirements? • Recently, goal-based assurance methods have been gaining favor: these make the elements explicit John Rushby, SR I Runtime Certification: 7

  9. The Goal-Based Approach to Software Certification • E.g., air traffic management (CAP670 SW01), UK defence • Applicant develops an assurance case ◦ Whose outline form may be specified by standards or regulation (e.g., MOD DefStan 00-56) ◦ Makes an explicit set of goals or claims ◦ Provides supporting evidence for the claims ◦ And arguments that link the evidence to the claims ⋆ Make clear the underlying assumptions and judgments ⋆ Should allow different viewpoints and levels of detail • The case is evaluated by independent assessors ◦ Explicit claims, evidence, argument John Rushby, SR I Runtime Certification: 8

  10. Toulmin’s Model of Argument • Certification is ultimately a judgement • So classical formal reasoning may not be entirely appropriate • Advocates of assurance cases often look to Toulmin’s model of argument • Toulmin stresses justification rather than inference Grounds Grounds Claim subclaim Qualifier (Evidence) (Evidence) Warrant Backing Rebuttal (Argument) John Rushby, SR I Runtime Certification: 9

  11. Toulmin’s Model of Argument (ctd.) Claim: This is the expressed opinion or conclusion that the arguer wants accepted by the audience Grounds: This is the evidence or data for the claim Qualifier: An adverbial phrase indicating the strength of the claim (e.g., certainly, presumably, probably, possibly, etc.) Warrant: The reasoning or argument (e.g., rules or principles) for connecting the data to the claim Backing: Further facts or reasoning used to support or legitimate the warrant Rebuttal: Circumstances or conditions that cast doubt on the argument; it represents any reservations or “exceptions to the rule” that undermine the reasoning expressed in the warrant or the backing for it John Rushby, SR I Runtime Certification: 10

  12. Reconciling Toulmin’s Approach with Formal Methods • We do formal methods • So the qualifier is always ⊢ or | = • How can we reconcile these with the reasonable doubts manifested in Toulmin’s approach? • One idea ◦ Implicit in the work of Jackson and Zave, Goodenough and Weinstock, and others Is to put them in the assumptions A 1 , . . . , A n under which the system S satisfies the requirements R A 1 , . . . , A n , S ⊢ R • Then do subsidiary analysis on each assumption A i John Rushby, SR I Runtime Certification: 11

  13. Analysis of Assumptions How do we know assumption A i is valid? One or more of: • It is justified as a subsidiary claim • All our system tests succeeded • It was not implicated in failed system tests • Runtime check John Rushby, SR I Runtime Certification: 12

  14. Runtime Verification for Assumption Failure • It is part of the assurance case • So must be credible (sound, complete, . . . ) • Probably need a sensible recovery action ◦ Not like Ariane 501 ◦ Systematic approaches may be feasible • What runtime verification methods and specification languages are appropriate?—over to you John Rushby, SR I Runtime Certification: 13

  15. Other Proof Hazards • The system specification S and requirements R should be analyzed similarly • And the implementation of the specification ◦ Usually a subsidiary claim or claims • And there’s a possibility the proof is flawed • Or deliberately unsound ◦ E.g., static analysis • Diversity may mitigate this • Observe this framework provides an uncontroversial and constructive treatment for the hysterical concerns of Fetzer John Rushby, SR I Runtime Certification: 14

  16. Implementation Hazards • Currently, we apply safety analysis methods (HA, FTA, FMEA etc.) to an informal system description ◦ Little automation, but in principle ◦ These are abstracted ways to examine all reachable states • Then, to be sure the implementation does not introduce new hazards, require it exactly matches the analyzed description ◦ Hence, DO-178B is about correctness, not safety • Instead, use a formal system description ◦ Then have automated forms of reachability analysis ◦ Closer to the implementation, smaller gap to bridge • Analyze the implementation for preservation of safety, not correctness John Rushby, SR I Runtime Certification: 15

  17. Implementation Hazards: Standards Focus on Correctness Rather than Safety safety goal system rqts system specs safety verification software rqts software specs correctness verification code • Premature focus on correctness is hugely expensive • Goal-based methods could reduce this • And runtime verification may be able to check some safety properties directly—over to you John Rushby, SR I Runtime Certification: 16

  18. Multi-Legged Arguments • More evidence is required at higher Levels/EALs/SILs • What’s the argument that these deliver increased assurance? • Generally an implicit appeal to diversity ◦ And belief that diverse methods fail independently ◦ Not true in n -version software, should be viewed with suspicion here too • Want to distinguish rational multi-legged cases from nervous demands for more and more and . . . • Need to know the arguments supported by each item of evidence, and how they compose John Rushby, SR I Runtime Certification: 17

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

NASA Langley formal methods workshop, 1 May 2008, Newport News VA, version of SCC April 2008,

NASA Langley formal methods workshop, 1 May 2008, Newport News VA, version of SCC April 2008,

NASA Langley formal methods workshop, 1 May 2008, Newport News VA, version of SCC April 2008, based on Kickoff for Formally Supported Safety Cases For Adaptive Systems, NASA LaRC, 9 April 2008 Uses Runtime Verification Workshop, Budapest,

496 views • 39 slides
Integration of Runtime Verification into Metamodeling F. Macias T. Scheffel M. Schmitz R. Wang

Integration of Runtime Verification into Metamodeling F. Macias T. Scheffel M. Schmitz R. Wang

Integration of Runtime Verification into Metamodeling F. Macias T. Scheffel M. Schmitz R. Wang M. Leucker A. Rutle V. Stolz 28th Nordic Workshop on Programming Theory (NWPT16), Denmark 1 / 23 Why Runtime Verification? DSML do not

1.43k views • 23 slides
Leveraging DTrace for runtime verification Carl Martin Rosenberg June 7th, 2016 Department of

Leveraging DTrace for runtime verification Carl Martin Rosenberg June 7th, 2016 Department of

Leveraging DTrace for runtime verification Carl Martin Rosenberg June 7th, 2016 Department of Informatics, University of Oslo Context: Runtime verification Desired properties Every request gets an answer System Buffers should never

656 views • 64 slides
1 Budapest Workshop, Oct. 2015 / 38 Quantifier Polarity and Verification Goal To gain

1 Budapest Workshop, Oct. 2015 / 38 Quantifier Polarity and Verification Goal To gain

Quantifier Polarity and Verification Quantifier Polarity, Numerosity, and Verification Procedures: Experimental Explorations Yosef Grodzinsky Safra Brain Research Center, Language, Logic and Cogni;on

236 views • 22 slides
Techniques for Evolution-Aware Runtime Verification Owolabi Legunsen, Yi Zhang, Milica

Techniques for Evolution-Aware Runtime Verification Owolabi Legunsen, Yi Zhang, Milica

Techniques for Evolution-Aware Runtime Verification Owolabi Legunsen, Yi Zhang, Milica Hadi-Tanovi, Grigore Rou, Darko Marinov ICST 2019 4/26/2019 CCF-1421503, CCF-1421575, CCF-1763788, CNS-1619275, CNS-1646305, CNS-1740916 Runtime

448 views • 30 slides
What is a Trace? A Runtime Verification Perspective Giles Reger 1 Klaus Havelund 2 1 University of

What is a Trace? A Runtime Verification Perspective Giles Reger 1 Klaus Havelund 2 1 University of

What is a Trace? A Runtime Verification Perspective Giles Reger 1 Klaus Havelund 2 1 University of Manchester, Manchester, UK 2 Jet Propulsion Laboratory, California Inst. of Technology, USA ISoLa 2016 Corfu, October 12, 2016 1/19 Runtime

421 views • 25 slides
PROGRAM YOUR OWN RV SYSTEM an exercise in DSL design Klaus Havelund Jet Propulsion Laboratory,

PROGRAM YOUR OWN RV SYSTEM an exercise in DSL design Klaus Havelund Jet Propulsion Laboratory,

PROGRAM YOUR OWN RV SYSTEM an exercise in DSL design Klaus Havelund Jet Propulsion Laboratory, USA Summer School on Cyber-Physical Systems July 7-10, 2014 Definition of Runtime Verification Definition (Runtime Verification) Runtime

1.23k views • 109 slides
Scribble, Runtime Verification and Multiparty Session Types http://mrg.doc.ic.ac.uk/ Nobuko

Scribble, Runtime Verification and Multiparty Session Types http://mrg.doc.ic.ac.uk/ Nobuko

Scribble, Runtime Verification and Multiparty Session Types http://mrg.doc.ic.ac.uk/ Nobuko Yoshida Imperial College London 1 In collaboration with: Matthew Arrott (OOI) Gary Brown (Red Hat) Stephen Henrie (OOI) Bippin Makoond

1.38k views • 80 slides
Scribble, Runtime Verification and Multiparty Session Types http://mrg.doc.ic.ac.uk/ Nobuko

Scribble, Runtime Verification and Multiparty Session Types http://mrg.doc.ic.ac.uk/ Nobuko

Scribble, Runtime Verification and Multiparty Session Types http://mrg.doc.ic.ac.uk/ Nobuko Yoshida Imperial College London 1 In collaboration with: Matthew Arrott (OOI) Gary Brown (Red Hat) Stephen Henrie (OOI) Bippin Makoond

1.38k views • 78 slides
Some Thoughts on Runtime Verification Oded Maler VERIMAG CNRS and the University of Grenoble

Some Thoughts on Runtime Verification Oded Maler VERIMAG CNRS and the University of Grenoble

Some Thoughts on Runtime Verification Oded Maler VERIMAG CNRS and the University of Grenoble (UGA) France RV, September 2016 Madrid Before Dinner Speech I like long and general introductions in my papers and talks Not everybody does:

544 views • 39 slides
Runtime Monitoring, Verification, Enforcement and Control of C Programs (From Tool to Semantics)

Runtime Monitoring, Verification, Enforcement and Control of C Programs (From Tool to Semantics)

Introduction Preliminaries Semantics of Runtime Control Semantics of Synthesis of Controlling Programs Expressiveness of Controlling Runtime Monitoring, Verification, Enforcement and Control of C Programs (From Tool to Semantics) Zhe Chen

558 views • 55 slides
Runtime Model Predictive Verification on Embedded Platforms 1 Pei Zhang, Jianwen Li, Joseph

Runtime Model Predictive Verification on Embedded Platforms 1 Pei Zhang, Jianwen Li, Joseph

Runtime Model Predictive Verification on Embedded Platforms 1 Pei Zhang, Jianwen Li, Joseph Zambreno, Phillip H. Jones, Kristin Yvonne Rozier Presenter: Pei Zhang Iowa State University peizhang@iastate.edu September 28, 2018 1 Work supported

487 views • 32 slides
Runtime Verification of P4 Switches with Reinforcement Learning Apoorv Shukla (TU Berlin) with

Runtime Verification of P4 Switches with Reinforcement Learning Apoorv Shukla (TU Berlin) with

Runtime Verification of P4 Switches with Reinforcement Learning Apoorv Shukla (TU Berlin) with Kevin Nico Hudemann (TU Berlin), Artur Hecker (Huawei), Stefan Schmid (Vienna Uni.) Apoorv Shukla| NetAI19 P4 [1] : Data plane Programming Language

644 views • 25 slides
Using BDDs to capture data in Runtime verification (RV) [HP18] Per Ove Ringdal November 29, 2019

Using BDDs to capture data in Runtime verification (RV) [HP18] Per Ove Ringdal November 29, 2019

Using BDDs to capture data in Runtime verification (RV) [HP18] Per Ove Ringdal November 29, 2019 Contents Motivation Syntax and semantics of QTL QTL Example An Efficient Algorithm Using BDDs Summary References Verifying file operations

622 views • 35 slides
A Scala API for Runtime Verification Klaus Havelund Jet Propulsion Laboratory Pasadena,

A Scala API for Runtime Verification Klaus Havelund Jet Propulsion Laboratory Pasadena,

A Scala API for Runtime Verification Klaus Havelund Jet Propulsion Laboratory Pasadena, California A Scala API for Runtime Verification DSL Klaus Havelund Jet Propulsion Laboratory Pasadena, California understanding complex systems by

469 views • 32 slides
Three-Valued Asynchronous Distributed Runtime Verification Torben Scheffel Institute for

Three-Valued Asynchronous Distributed Runtime Verification Torben Scheffel Institute for

Three-Valued Asynchronous Distributed Runtime Verification Torben Scheffel Institute for Software Engineering and Programming Languages University of Lbeck, Germany scheffel@isp.uni-luebeck.de October 19, 2014 Torben Scheffel Three-Valued

531 views • 27 slides
Beyond Miners Rule Free Energy Damage Equivalence Alec Feinberg, Ph.D. DfRSoftware Company

Beyond Miners Rule Free Energy Damage Equivalence Alec Feinberg, Ph.D. DfRSoftware Company

Beyond Miners Rule Free Energy Damage Equivalence Alec Feinberg, Ph.D. DfRSoftware Company DfRSoft@gmail.net, www.DfRSoft.Com (617) 943-9034 DfRSoft Miners Rule - Energy Approach to Damage Miners empirical rule was an important

368 views • 19 slides
Static Failure Mode Prediction Models Mechanically Fastened Joints Joining & Assembly Static

Static Failure Mode Prediction Models Mechanically Fastened Joints Joining & Assembly Static

Static Failure Mode Prediction Models Mechanically Fastened Joints Joining & Assembly Static Failure Modes Net Section Shear Fastener Bearing Fastener Shear Tension Tear Out Pull Out Basic Assumptions for our Predictions Failure of

293 views • 10 slides
Probabilistic roadmaps (PRMs) How do you plan in high dimensional state spaces? Problem we want

Probabilistic roadmaps (PRMs) How do you plan in high dimensional state spaces? Problem we want

Probabilistic roadmaps (PRMs) How do you plan in high dimensional state spaces? Problem we want to solve Given: a point-robot (robot is a point in space) a start and goal configuration Find: path from start to goal that does not

898 views • 43 slides
Polish in-kind contribution to the FAIR cryogenic system Maciej Chorowski, Jaros aw Fydrych

Polish in-kind contribution to the FAIR cryogenic system Maciej Chorowski, Jaros aw Fydrych

Polish in-kind contribution to the FAIR cryogenic system Maciej Chorowski, Jaros aw Fydrych Wroc aw University of Technology - Poland FAIR Cryogenics Review, 27-28.02.2012 Contents 1. Polish in-kind contribuition 2. Local cryogenics for

704 views • 32 slides
Numeric Rela5onal Operators The if Statement The if statement

Numeric Rela5onal Operators The if Statement The if statement

if Statement Ensures that a statement is executed only when some Flow of Control: Branching condi5on is true (Savitch, Chapter 3) Condi5ons typically involve comparison

545 views • 7 slides
MINER n A Cross Sections what is MINER n A ? why MINER n A ? n beam and n flux n / n inclusive

MINER n A Cross Sections what is MINER n A ? why MINER n A ? n beam and n flux n / n inclusive

MINER n A Cross Sections what is MINER n A ? why MINER n A ? n beam and n flux n / n inclusive x-sections nuclear effects NuFACT2017 Alessandro Bravar Uppsala Universit de Genve 26 Sept. 2017 for the Miner n a Collaboration Neutrino

285 views • 25 slides
DarkSide-20k and the Darkside Program for Dark Matter Searches Cristiano Galbiati Princeton

DarkSide-20k and the Darkside Program for Dark Matter Searches Cristiano Galbiati Princeton

DarkSide-20k and the Darkside Program for Dark Matter Searches Cristiano Galbiati Princeton University APC Paris Diderot GDR Neutrinos LPSC Grenoble June 6, 2016 DarkSide-20k Institutions 41 10 ] 2 ) 7 [cm 0 0 2 ( ) 5 P

836 views • 42 slides
Unsupervised Learning George Konidaris gdk@cs.brown.edu Fall 2019 Machine Learning Subfield of

Unsupervised Learning George Konidaris gdk@cs.brown.edu Fall 2019 Machine Learning Subfield of

Unsupervised Learning George Konidaris gdk@cs.brown.edu Fall 2019 Machine Learning Subfield of AI concerned with learning from data . Broadly, using: Experience To Improve Performance On Some Task (Tom Mitchell, 1997)

888 views • 45 slides

More recommend