1 / 28

Formal Verification of Flight Critical Software

Formal Verification of Flight Critical Software. Dr. Steven P. Miller Advanced Computing Systems Elise A. Anderson Commercial Systems Flight Control Rockwell Collins 400 Collins Road NE, MS 108-206 Cedar Rapids, Iowa 52498 {spmiller,eaanders}@rockwellcollins.com. Concept Overview.

mguinn
Download Presentation

Formal Verification of Flight Critical Software

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Formal Verification of Flight Critical Software Dr. Steven P. Miller Advanced Computing Systems Elise A. Anderson Commercial Systems Flight Control Rockwell Collins 400 Collins Road NE, MS 108-206 Cedar Rapids, Iowa 52498 {spmiller,eaanders}@rockwellcollins.com

  2. Concept Overview Mode Logic Specification Simulink Model Counter Example The system shall be in Vertical Go Around only if it is also in Lateral Go Around NuSMV Model Checker AX AG(LGA -> VGA) Formal Properties Mode Logic Requirements FCS 50000 Flight Control System

  3. Outline of Presentation Introduction Model Checking Specification of the FCS 5000 Mode Logic Verification of the FCS 5000 Mode Logic Concluding Remarks

  4. Who Are We? Communications Navigation Automated Flight Control Displays / Surveillance Aviation Services In-Flight Entertainment Integrated Aviation Electronics Information Management Systems A World Leader In Aviation Electronics And Airborne/ Mobile Communications Systems For Commercial And Military Applications

  5. Automated Analysis Section 1992 AAMP5 Microcode Verification (PVS) NASA LaRC Funded NSA Funded AAMP-FV Microcode Verification (PVS) 1994 AFRL Funded AAMP5 Partitioning (PVS) Tech Transfer 1996 JEM Java Virtual Machine (PVS) FGS Mode Confusion Study (PVS) 1998 FCP 2002 Microcode (ACL2) 2000 AvSSP AAMP7 Separation Kernel (ACL2) NASA FGS Safety Analysis (RSML-e) FGS Mode Confusion (RSML-e) NSA AFRL 2002 vFaat (ACL2, PVS) 2004 FCS 5000 FGS Verification (NuSMV) SHADE (ACL2) GreenHills Integrity RTOS (ACL2) Displays Verification (NuSMV) 2006

  6. Methods and Tools for Flight Critical Systems Project • Five Year Project Started in 2001 • Part of NASA’s Aviation Safety Program (Contract NCC-01001) • Funded by the NASA Langley Research Center and Rockwell Collins • Practical Application of Formal Methods To Modern Avionics Systems

  7. Outline of Presentation Introduction Model Checking Specification of the FCS 5000 Mode Logic Verification of the FCS 5000 Mode Logic Concluding Remarks

  8. What Are Model Checkers? • Breakthrough Technology of the 1990’s • Widely Used in Hardware Verification (Intel, Motorola, IBM, …) • Several Different Types of Model Checkers • Explicit, Symbolic, Bounded, Infinite Bounded, … • Exhaustive Search of the Global State Space • Consider All Combinations of Inputs and States • Equivalent to Exhaustive Testing of the Model • Produces a Counter Example if a Property is Not True • Easy to Use • “Push Button” Formal Methods • Very Little Human Effort Unless You’re at the Tool’s Limits • Limitations • State Space Explosion (10100 – 10300 States)

  9. Advantage of Model Checking Testing Checks Only the Values We Select Even Small Systems Have Trillions (of Trillions) of Possible Tests!

  10. Advantage of Model Checking Model Checker Tries Every Possible Input and State!

  11. Translation Framework

  12. Example - ADGS-2100 Adaptive Display & Guidance System 883 Subsystems 9,772 Simulink Blocks 2.9 x 1052 Reachable States Requirement Drive the Maximum Number of Display Units Given the Available Graphics Processors Counterexample Found in 5 Seconds! Checking 373 Properties Found Over 60 Errors

  13. Outline of Presentation Introduction Model Checking Specification of the FCS 5000 Mode Logic Verification of the FCS 5000 Mode Logic Concluding Remarks

  14. Flight Guidance System Overview

  15. Simple Mode Transition Diagram

  16. Synchronous Composition of Two Mode Transition Diagrams 1-z 1-z

  17. Outline of Presentation Introduction Model Checking Specification of the FCS 5000 Mode Logic Verification of the FCS 5000 Mode Logic Concluding Remarks

  18. Summary of Errors Found • Model-Checking Detected the Majority of Errors • Model-Checking Detected the Most Serious Errors • Found Early in the Lifecycle during Requirements Analysis

  19. Verification of Individual Mode Transition Diagrams AX AG( LGA  AX( Event9  ROLL )) AX AG( LGA  AX( (Event4 & !Event6 & !Event9)  HDG)) False AX AG( Event8  LGA )

  20. Errors Found Verifying Individual Mode Machines • Model-Checking Found Half the Errors • Tended to Find the Less Serious Errors • Counter Example Pinpoints Source of the Error

  21. Verification of Composite Machines Mode Controller A 5.1 x 1027 Reachable States Mode Controller B Requirement Mode A1 => Mode B1 Counterexample Found in Less than Two Minutes! Found 8 More Errors

  22. Errors Found by Model-Checking Composite Mode Transition Diagrams • Errors Found Tended to Be More Serious Errors • Checking Relationships Between Mode Transition Diagrams • Difficult to Find by Inspections & Simulation

  23. Outline of Presentation Introduction Model Checking Specification of the FCS 5000 Mode Logic Verification of the FCS 5000 Mode Logic Concluding Remarks

  24. Conclusions • Model-Based Development is the Industrial Use Formal Specification • Convergence of Model-Based Development and Formal Verification • Engineers are Producing Specifications that Can be Analyzed • Formal Verification Tools are Getting More Powerful • Model Checking is Very Cost Effective • Simple and Easy to Use • Finds All Exceptions to a Property • Used to Find Errors Early in the Lifecycle • Applied to Models with Only Boolean and Enumerated Types

  25. Future Directions Theorem Provers Infinite Bounded Model Checkers Infinite State Models using k - Induction Arbitrary Models Labor Intensive Implicit State Model Checkers 200 < 10 Reachable States • Numerically Intensive Systems • Infinite Bounded Model Checkers • Decision Procedures for Integers and Real Numbers • Non-linear Arithmetic • Automatic Extraction of Conservative Abstractions • Applications • Spacing & Trajectory • Required Navigation Performance (RNP) • Collision Avoidance • Advanced Flight Control

  26. For More Information • Alan C. Tribble, Steven P. Miller, and David L. Lempia, Software Safety Analysis of a Flight Guidance System, NASA Contractor Report CR-2004-213004, March 2004, available at http://techreports.larc.nasa.gov/ltrs/dublincore/2004/cr/NASA-2004-cr213004.html. • Alan C. Tribble and Steven P. Miller, Safety Analysis of Software Intensive Systems, IEEE Aerospace and Electronic Systems, Vol. 19, No. 10, pp. 21 - 26, October 2004. • Steven P. Miller, Mats P.E. Heimdahl, and Alan C. Tribble, Proving the Shalls, in Proceedings of FM 2003: the 12th International FME Symposium, Pisa, Italy, Sept. 8-14, 2003. • Alan C. Tribble, David D. Lempia, and Steven P. Miller, Software Safety Analysis of a Flight Guidance System, in Proceedings of the 21st Digital Avionics Systems Conference (DASC'02), Irvine, California, Oct. 27-31, 2002.

  27. Backup Slides

  28. Model Checking Process Does the systemhave property X? SMV Automatic Translation Counter Example Properties SMV Properties SMV Spec. Model Automatic Translation Automated Check Yes! Engineer

More Related