Advanced Technology Center Slide 1
Formal Methods in Safety-Critical Systems
Dr. Steven P. Miller
Advanced Computing Systems
Rockwell Collins
400 Collins Road NE, MS 108-206
Cedar Rapids, Iowa 52498
[email protected]
What Problem are We Solving?
Safety-Critical Software Is Too Expensive
Safety-Critical Software Is Often Wrong
DO-178B Certification Is Too Expensive
Cut Development Costs/Cycle Time in Half
Find 10x More Errors than Current Methods
Already Applying This to DO-178B Developments
Advanced Technology Center Slide 3
Are We Making Progress?
Model-Based Development Spreading Rapidly
Prove Properties of Simulink & SCADE Models
Finding Errors Early in the Lifecycle
Several projects at Rockwell Collins
In Seconds on Models with Over 10^100 States
On Real Products!
Advanced Technology Center Slide 4
Outline of Presentation
Introduction
Overview of Our Approach
An Example – FGS Mode Logic
Some Recent Accomplishments
The Underlying Technology
What’s Next?
Summary
Advanced Technology Center Slide 5
Who Are We?
Communications
Automated Flight Control
Displays / Surveillance
Aviation Services
In-Flight Entertainment
Integrated Aviation Electronics
Information Management Systems
Navigation
A World Leader In Aviation Electronics And Airborne/Mobile Communications Systems For Commercial And Military Applications
Advanced Technology Center Slide 6
Rockwell Collins
Headquartered in Cedar Rapids, Iowa
14,500 Employees Worldwide
Advanced Technology Center Slide 7
RCI Advanced Technology Center
The Advanced Technology Center (ATC) identifies, acquires, develops and transitions value-driven technologies to support the continued growth of Rockwell Collins.
The Automated Analysis group applies mathematical tools and reasoning to the problem of producing high assurance systems.
Organization chart: Commercial Systems, Government Systems, Advanced Technology Center
Advanced Technology Center Slide 8
Automated Analysis Group
Participants in the MCC Formal Methods Transition Study, 1991
Formal Specification of the μReal Time Executive in RAISE, 1992
Formal Specification of the GE1 Graphics Processor, 1996
Formal Verification of Microprocessors, 1993 - 2005
– AAMP5 Microcode Using PVS, 1994
– AAMP-FV Microcode Using PVS, 1995
– JEM Java Virtual Machine Microprocessor Using PVS, 1998
– FCP2002 Microcode Using ACL2, 1999
– FCP 2002-2000 Microcode Equivalence Using ACL2, 2001
– AAMP7 Security Separation Kernel Using ACL2, 2003
Formal Validation of Embedded System Requirements, 1995 - 2005
– FGS Mode Logic Using SPC’s CoRE Method, 1995
– FGS Mode Logic Using NRL’s SCR* Tools, 1996
– FGS Mode Logic Using PVS, 1997
– FGS Mode Logic Using Matrix-X and T-VEC, 1998
– FGS Mode Logic Using RMSL-e, PVS, and NuSMV, 2002
– FGS/FMS/AT Logic Using SCADE and Simulink, 2004
Advanced Technology Center Slide 9
Methods and Tools for Flight Critical Systems Project
Five Year Project Started in 2001
Part of NASA’s Aviation Safety Program (Contract NCC-01001)
Funded by the NASA Langley Research Center and Rockwell Collins
Practical Application of Formal Methods To Modern Avionics Systems
Advanced Technology Center Slide 10
Outline of Presentation
Introduction
Overview of Our Approach
An Example – FGS Mode Logic
Some Recent Accomplishments
The Underlying Technology
What’s Next?
Summary
Advanced Technology Center Slide 11
Convergence of Two Trends
Model-Based Development
Automated Analysis
A Revolutionary Change in How We Design and Build Systems
Advanced Technology Center Slide 12
Model-Based Development Examples
Company Product Tools Specified & Autocoded Benefits Claimed
Fragment of a SCADE/Lustre node (the closing tel ends the node body):
IsTrue = (FG_Thrust_Mode(FG_Mode) and Airborne)
         or (Airborne and Emergency_Descent)
         or Windshear_Warning
         or ((FG_Mode = ThrottleRetard) and In_Flare)
         or (In_Eng_Accel_Zone and On_Ground);
tel;
Exhaustive Search of the Global State Space
– Consider All Combinations of Inputs and States
– Equivalent to Exhaustive Testing of the Model
– Produces a Counter Example if a Property is Not True
Easy to Use
– “Push Button” Formal Methods
– Very Little Human Effort Unless You’re at the Tool’s Limits
Limitations
– State Space Explosion (10^20 – 10^300 States)
Advanced Technology Center Slide 24
Advantage of Model Checking
System
Testing Checks Only the Values We Select
Even Small Systems Have Trillions (of Trillions) of Possible Tests!
Advanced Technology Center Slide 25
Advantage of Model Checking
Model
Model Checker Tries Every Possible Input and State!
Advanced Technology Center Slide 26
Model Checking Process
Diagram: the Engineer asks “Does the system have property X?”. The Model is translated automatically into an SMV Spec. and the Properties are translated automatically into SMV Properties; SMV then performs an automated check and answers either “Yes!” or with a Counter Example.
Advanced Technology Center Slide 27
Translated Shalls into SMV Properties
Advanced Technology Center Slide 28
Validate Requirements through Model Checking
Proved Over 280 Properties in Less Than an Hour
Found Several Errors
– Some Were Errors in the Model
– Most Were Incorrect Shalls
Revised the Shalls to Improve the Requirements
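As an added example, not code from the presentation or from Rockwell Collins, the following Python script shows the process the slides describe end to end: an exhaustive breadth-first search of a model's global state space under every combination of inputs, a set of "shalls" translated into properties over the model, and for each property either a proof (every reachable step satisfies it) or a counterexample trace. The model is a hypothetical, much simplified FGS lateral mode selector (modes ROLL, HDG and NAV, an armed-NAV flag, and three boolean inputs) and the shalls are constructed; one shall is written the way an incorrect requirement might be, so the checker refutes it, and a revised version is then proved, mirroring the results slide above. Unlike SMV, which represents the state space symbolically, this toy enumerates states explicitly, so it scales only to small models.

```python
"""Explicit-state model checking of a constructed FGS lateral-mode model.

Added example, not code from the presentation: the mode logic is a
hypothetical, heavily simplified flight guidance system (FGS) lateral mode
selector and the "shalls" are constructed requirements, neither of them
Rockwell Collins' model.
"""
from collections import deque
from itertools import product
from typing import Callable, NamedTuple, Optional

class State(NamedTuple):
    mode: str          # "ROLL", "HDG" or "NAV" (hypothetical mode names)
    nav_armed: bool    # NAV requested but waiting for a valid nav source

class Inputs(NamedTuple):
    hdg_switch: bool   # HDG switch pressed this step
    nav_switch: bool   # NAV switch pressed this step
    nav_valid: bool    # navigation source valid this step

INITIAL = State(mode="ROLL", nav_armed=False)
# Every combination of the three boolean inputs: the checker tries them all.
ALL_INPUTS = [Inputs(*bits) for bits in product([False, True], repeat=3)]
Prop = Callable[[State, Inputs, State], bool]   # a "shall" over one step

def next_state(s: State, i: Inputs) -> State:
    """Hypothetical transition logic: the model whose requirements we check."""
    mode, armed = s.mode, s.nav_armed
    if i.nav_switch:
        if mode == "NAV":
            mode = "ROLL"                 # pressing NAV again deselects it
        elif i.nav_valid:
            mode, armed = "NAV", False    # valid source: capture immediately
        else:
            armed = True                  # no valid source yet: arm NAV
    elif i.hdg_switch:
        mode = "ROLL" if mode == "HDG" else "HDG"   # HDG switch toggles HDG
    if armed and i.nav_valid:
        mode, armed = "NAV", False        # armed NAV captures once valid
    if mode == "NAV" and not i.nav_valid:
        mode = "ROLL"                     # source lost: revert to basic mode
    return State(mode, armed)

def explore() -> tuple:
    """Breadth-first exhaustive search of the reachable global state space.
    Returns parent pointers (for traces) and every (pre, inputs, post) step."""
    parents, transitions = {INITIAL: None}, []
    queue = deque([INITIAL])
    while queue:
        s = queue.popleft()
        for i in ALL_INPUTS:
            t = next_state(s, i)
            transitions.append((s, i, t))
            if t not in parents:          # first time seen: remember the path
                parents[t] = (s, i)
                queue.append(t)
    return parents, transitions

def trace_to(state: State, parents: dict) -> list:
    """Input sequence from INITIAL to `state` (the counterexample prefix)."""
    steps = []
    while parents[state] is not None:
        prev, i = parents[state]
        steps.append((prev, i, state))
        state = prev
    return list(reversed(steps))

def check(prop: Prop, parents: dict, transitions: list) -> Optional[list]:
    """None if `prop` holds on every reachable step, else a trace from INITIAL
    whose last step violates it: the model checker's counterexample."""
    for pre, i, post in transitions:
        if not prop(pre, i, post):
            return trace_to(pre, parents) + [(pre, i, post)]
    return None

# Constructed "shalls", each written as a predicate over one transition.
SHALLS = {
    # Invariant: NAV shall never be active without a valid nav source.
    "nav_requires_valid_source":
        lambda pre, i, post: not (post.mode == "NAV" and not i.nav_valid),
    # As first written: pressing the NAV switch shall activate NAV mode.
    "nav_switch_activates_nav":
        lambda pre, i, post: (not i.nav_switch) or post.mode == "NAV",
    # Revised after the counterexample: pressing NAV with a valid source,
    # when NAV is not already active, shall activate NAV mode.
    "nav_switch_activates_nav_revised":
        lambda pre, i, post: post.mode == "NAV" or not (
            i.nav_switch and i.nav_valid and pre.mode != "NAV"),
}

def run_all() -> dict:
    """Check every shall; value is None (proved) or a counterexample trace."""
    parents, transitions = explore()
    return {name: check(p, parents, transitions) for name, p in SHALLS.items()}

if __name__ == "__main__":
    for name, result in run_all().items():
        print("PROVED" if result is None else "FAILED", name)
        for pre, i, post in result or []:
            print(f"   {pre} --{i}--> {post}")
```

Running the script prints each shall as PROVED or FAILED and, for a failure, the trace of states and inputs from the initial state to the violating step. That trace is what lets an engineer decide which side was wrong: here the model never enters NAV without a valid source, so the first wording of the NAV-switch shall is the defect, and the revised shall passes over all five reachable states and all forty reachable transitions.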