1 / 22

Verification of Safety Critical Software

Verification of Safety Critical Software. Nick Tudor tel: +44 1684 894489 email: njtudor@qinetiq.com. The Agenda. The NDI Control Law A Path Finding Experiment Benefits Resistance Questions. The NDI Control Law. Control software. Example of successful application.

kateb
Download Presentation

Verification of Safety Critical Software

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Verification of Safety Critical Software Nick Tudor tel: +44 1684 894489 email: njtudor@qinetiq.com Computational Logic QMUL 26 Mar 04

  2. The Agenda • The NDI Control Law • A Path Finding Experiment • Benefits • Resistance • Questions Computational Logic QMUL 26 Mar 04

  3. The NDI Control Law Computational Logic QMUL 26 Mar 04

  4. Control software Example of successful application Verification of autocoded Non-linear Dynamic Inversion Control Laws embedded in Vectored thrust Aircraft Advanced flight Control (VAAC) Harrier Computational Logic QMUL 26 Mar 04

  5. Part of NDI Control Law Computational Logic QMUL 26 Mar 04

  6. Year 1999 • One man ; 3 months • Used RTW Ada autocoder • Produced 3 procedures, Step, Control Law & End • 800 LOC • Used manual refinement • Interactive proof to discharge the 36 VCs • Print out of instructions to ProofPower took ~180 pages Computational Logic QMUL 26 Mar 04

  7. Year 2000 • Outstanding MSc Student at the world renowned Computer Science Dept, University of York • Modules in the Simulink could be replicated in the autocode • 5 Modules • Used packages to get 3 procedures per package • 1200 LOC • 43 VCs (not proven) • Now meant that effort could be divided and system upgraded in modular fashion (modular certification) Computational Logic QMUL 26 Mar 04

  8. Meanwhile – Reverse Engineered Safety Evidence • Fortran not used in development for 25 procedures • Procedure results for remaining 331 procedures • Positive compliance: 88% • Negative compliance: 2% • Tool problems: 2% • Inconclusive: 7% • Verification condition results (16,000 VCs) • Totally automatic proofs: 95.7% • Part-automatic, part-interactive proofs: 3.1% • Unproven: 1.2% Computational Logic QMUL 26 Mar 04

  9. Year 2003 • 4 people; 1 week • Still using RTW Ada autocoder • Produced 8 procedures • 850 LOC • Used refinement script to drive automatic refinement • Automatic proof using Supertac to discharge 94% of 373 VCs (21 remained) • Improvements since then Computational Logic QMUL 26 Mar 04

  10. A Path Finding Experiment Computational Logic QMUL 26 Mar 04

  11. Why do an experiment? • The embryonic technique has been applied to experimental control laws (…….and it worked!!) • No metrics were gathered, therefore: “How good is it for my project?” • No independent assessment by industry or MOD on a real project • Safety/certification issues to be addressed • Applicability: Safety/non-safety critical? Computational Logic QMUL 26 Mar 04

  12. Requirement - Fortran Confirmed equivalent Iterate Autocode/Autoprove Unit test 100% pass The Comparison Manually Code into SPARK Ada Translation to Simulink{Done in 2001} Computational Logic QMUL 26 Mar 04

  13. Manhours comparison Computational Logic QMUL 26 Mar 04

  14. Conventional PRICE-S ROM ComparisonBased on one result extrapolated to 1KLOC – Dates are irrelevant Computational Logic QMUL 26 Mar 04

  15. Results Interpretation • CAVEAT: THIS IS ONE EXPERIMENT WITH CONSTRAINTS • Two separate analysis were carried out on the results: • BAES/York University and PFG SW Cost Forecasting • Represents 21/2 - 4 1/2 times faster than existing process for Design , Code & Unit Test (BAES/York) • Based on a nominal 1000LOCs, code development effort reduced to 28% (ie 72% savings) (PFG) • Typically would expect 0.33 LOC per person per hour; CLawZ is at worst 40 and at best 100 times faster (PFG) • Translates to approx 30-40% savings in software life cycle costs (CADMID) (PFG) Computational Logic QMUL 26 Mar 04

  16. Benefits Computational Logic QMUL 26 Mar 04

  17. Model development and proof V&VvsTraditional development and V&V Flight Test Concept/Req Design Rig Tests Mathematical Specification, Simulink autocode Proof and limited tests Computational Logic QMUL 26 Mar 04

  18. Resistance “…is futile” – The Borg Collective Computational Logic QMUL 26 Mar 04

  19. Barriers to be overcome • Industrial investment in existing tools, processes, people, training • NIH • Not C – yet! • Certification and tool qualification • How do I know I have got the right Simulink……? • ….and are safety properties in the Simulink reflected in the code…and can I demonstrate that to certifier? Computational Logic QMUL 26 Mar 04

  20. Proving Properties - Certification G{S} H{S} Safety Case Property needs to be provable in the code Computational Logic QMUL 26 Mar 04

  21. Mind the Gap! Safety gap Computational Logic QMUL 26 Mar 04

  22. Any Questions? Verification of Safety Critical Software Nick Tudor tel: +44 1684 894489 email: njtudor@qinetiq.com Computational Logic QMUL 26 Mar 04

More Related