© Copyright 2009 Rockwell Collins, Inc. All rights reserved.
Formal Methods for Critical Systems
Dr. Steven P. Miller
Midwest Verification Day, September 12, 2009
Acknowledgements
• NASA Langley Research Center (Ricky Butler)
• Air Force Research Labs (RD Directorate)
• University of Minnesota (Dr. Mats P. E. Heimdahl)
• Dr. Michael Whalen (Rockwell Collins)
• Dr. Darren Cofer (Rockwell Collins)
Presentation Overview
Who Are We?
What Problem are We Solving?
Overview of Our Approach
Case Studies
Challenges and Future Directions
Rockwell Collins
Headquartered in Cedar Rapids, Iowa
20,000 Employees Worldwide
2008 Sales of $4.77 Billion
International
• Africa: Johannesburg, South Africa
• Asia: Bangkok, Thailand; Beijing, China; Hong Kong; Hyderabad, India; Kuala Lumpur, Malaysia; Manila, Philippines; Moscow, Russia; Osaka, Japan; Shanghai, China; Singapore; Tokyo, Japan
• Australia: Auckland, New Zealand; Brisbane, Australia; Melbourne, Australia; Sydney, Australia
• Canada: Montreal; Ottawa
• Europe: Amsterdam, Netherlands; Frankfurt, Germany; Heidelberg, Germany; London, England; Lyon, France; Manchester, England; Paris, France; Reading, England; Rome, Italy; Toulouse, France
• Mexico: Mexicali
• South America: Santiago, Chile; Sao Jose dos Campos, Brazil; Sao Paulo, Brazil
Domestic
• California: Carlsbad, Cypress, Irvine, Los Angeles, Pomona, Poway, San Francisco, San Jose, Tustin
• Florida: Melbourne, Miami, Orlando
• Georgia: Atlanta, Warner Robins
• Hawaii: Honolulu
• Illinois: Chicago
• Iowa: Bellevue, Coralville, Decorah, Manchester
• Kansas: Wichita
• Maryland: White Marsh
• Massachusetts: Boston
• Michigan: Ann Arbor, Detroit
• Minnesota: Minneapolis
• Missouri: Kansas City, St. Louis
• New York: New York
• North Carolina: Charlotte, Raleigh
• Oklahoma: Midwest City, Tulsa
• Oregon: Portland
• Pennsylvania: Philadelphia, Pittsburgh
• Texas: Dallas, Fort Worth, Richardson
• Utah: Salt Lake City
• Virginia: Sterling, Warrenton
• Washington: Kirkland, Renton, Seattle
• Washington, DC
• Commercial/Military Avionics Systems
• Communications
• Navigation & Landing Systems
• Flight Control
• Displays
• Weapon Data Links
“Working together creating the most trusted source of communication and aviation electronic solutions”
Rockwell Collins’ core business is based on the delivery of High Assurance Systems.
Advanced Technology Center
Identify, acquire, develop and transition value-driven technologies to support the continued growth of Rockwell Collins.
Technologists: 173; Administrators: 10; Technicians: 31
Automated Analysis Section
Applies mathematical tools and reasoning to the production of high assurance systems.
Technologists: 10; Administrators: 1
[Pie charts: degree mix (PhD / MS / BA) of the two groups. Values shown: 64%, 27%, 9% for one group and 46%, 37%, 17% for the other.]
Formal Methods at Rockwell Collins
[Timeline, 1992 to 2010, of formal methods projects and the tools used. Sponsor labels on the timeline: NASA Aviation Safety, NSA, AFRL.]
• AAMP5 Microcode Verification (PVS)
• AAMP-FV Microcode Verification (PVS)
• AAMP5 Partitioning (PVS)
• JEM Java μProc (PVS)
• FGS Mode Confusion Study (PVS)
• FCP 2002 Microcode (ACL2)
• AAMP7 Separation Kernel (ACL2)
• FGS Mode Confusion (RSML-e, PVS)
• FGS Safety Analysis (RSML-e, NuSMV)
• ADGS 2100 (Simulink, NuSMV)
• vFaat (ACL2, PVS)
• SHADE (ACL2)
• Turnstile (SPARK)
• Guardol (ACL2, Prover)
• Greenhills Integrity RTOS (ACL2)
• CerTA FCS (NuSMV, Prover)
• Greenhills Integrity Gen4 (ACL2)
• Mixed Criticality Architectures
What Problem are We Solving?
Airborne Software Doubles Every Two Years
[Chart: airborne software size in K words (log scale, 1 to 100,000) versus year, 1965 to 1995. Data points: INS 4K; A300B 23K; A300FF 200K; A310 2M; A320 4M; A330/A340 10M.]
Source: J.P. Potocki De Montalk, Computer Software in Civil Aircraft, Sixth Annual Conference on Computer Assurance (COMPASS ’91), Gaithersburg, MD, June 24-27, 1991.
Similar Growth Has Been Seen by Boeing
[Two charts, 1970 to 1995: complexity as number of signals (up to 230K) and size as object code in Mbytes (0 to 100), for the 747-200, 757/767, 747-400 and 777.]
WPAFB 08-5183 RBO-08685 8/20/2008
Overview of Our Approach
Exploit the Convergence of Two Trends
• Model-Based Development
  – Domain specific graphical notations
  – MATLAB Simulink®, Esterel Technologies SCADE Suite™
  – Enable early simulation and debugging
  – Automated generation of code and tests
• Model-Checking
  – Prove properties about a model
  – Explore all possible inputs and states
  – Highly automated
  – Generates a counterexample if a property is false
  – Explicit, implicit (BDD), SMT-Solver, …
Reduce Costs and Improve Quality by Using Analysis to Find Errors During Early Design
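The bullets above describe what a model checker does: it explores every reachable state under every input and returns a counterexample when a property fails. The following explicit-state checker is an added illustration of that loop, not code from the presentation or from the Rockwell Collins translation framework. The model is a constructed toy with two displays and one cursor, the property is modelled on the ADGS-2100 requirement quoted later in the deck (the cursor is never on an inactive display), and the environment assumption that at least one display is always active is an assumption of this example.

```python
from collections import deque

# Constructed toy model (not the ADGS-2100 model): two displays that the
# environment may switch on or off, and a cursor that sits on one of them.
# State = (cursor, left_active, right_active); input = (left_on, right_on, move).
INIT = ("left", True, True)

# Environment assumption (constructed for this example): at least one display is active.
INPUTS = [(l, r, m) for l in (True, False) for r in (True, False)
          for m in (True, False) if l or r]

def other(display):
    return "right" if display == "left" else "left"

def step_buggy(state, inp):
    """Cursor only moves on request; nobody checks whether its display went dark."""
    cursor, _, _ = state
    left_on, right_on, move = inp
    if move:
        cursor = other(cursor)
    return (cursor, left_on, right_on)

def step_fixed(state, inp):
    """Same logic, plus: if the cursor's display is inactive, jump to the active one."""
    cursor, left_on, right_on = step_buggy(state, inp)
    active = {"left": left_on, "right": right_on}
    if not active[cursor]:
        cursor = other(cursor)
    return (cursor, left_on, right_on)

def cursor_on_active_display(state):
    """The property: the cursor is never positioned on an inactive display."""
    cursor, left_on, right_on = state
    return {"left": left_on, "right": right_on}[cursor]

def model_check(step, prop, init, inputs):
    """Explicit-state reachability: breadth-first search over every input at every
    reachable state. Returns (None, n_reachable) if prop holds everywhere, otherwise
    (counterexample, n_explored) where counterexample is the shortest list of
    (input, state) pairs leading from init to a violating state."""
    parent = {init: None}
    queue = deque([init])
    while queue:
        s = queue.popleft()
        if not prop(s):
            trace = []
            while parent[s] is not None:
                prev, inp = parent[s]
                trace.append((inp, s))
                s = prev
            trace.reverse()
            return trace, len(parent)
        for inp in inputs:
            t = step(s, inp)
            if t not in parent:
                parent[t] = (s, inp)
                queue.append(t)
    return None, len(parent)

if __name__ == "__main__":
    cex, _ = model_check(step_buggy, cursor_on_active_display, INIT, INPUTS)
    print("buggy model counterexample:", cex)
    ok, n = model_check(step_fixed, cursor_on_active_display, INIT, INPUTS)
    print("fixed model:", "property holds" if ok is None else ok, "over", n, "states")
```

The buggy model yields a one-step counterexample (the left display is switched off while the cursor sits on it); the corrected model has four reachable states and satisfies the property in all of them. BDD-based tools such as NuSMV represent the state set symbolically rather than one state at a time, which is what lets them reach the 10^37-state models mentioned later, but the question they answer is the same one this loop answers.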
Rockwell Collins Translation Framework
[Diagram of the translation framework. Front ends: Simulink and StateFlow (MathWorks) via the Simulink Gateway and Reactis (Reactive Systems); SCADE and Safe State Machines (Esterel Technologies). Intermediate language: Lustre (Rockwell Collins / U of Minnesota). Back ends: NuSMV, PVS, SAL Symbolic Model Checker, SAL Bounded Model Checker, SAL Infinite Model Checker (SRI International), Prover, ACL2, Kind, and C and Ada code.]
A Product Family of Translators
• Many small Lustre-to-Lustre translation passes
• Each pass refines closer to the target language
• Each pass deals with one change
• Pre/Post conditions define when a pass is valid
• Last step pretty prints to the target language
• Extensive reuse of passes
• New translators can be developed quickly (usually in less than a week)
[Diagram: chains of Lustre-to-Lustre passes (RDV, REPRNC, SCA, RNC, IPS, RC, REN, FNH, PTL, IAS, RCRFBY, RACT, RNST) ending in a pretty-print step that emits C code, Ada code, PVS, NuSMV or Prover.]
Translators Optimize for Specific Analysis Tools
CPU time for NuSMV to compute reachable states, before and after translator optimization:
Model   Before      After     Improvement
Mode1   > 2 hours   11 sec    > 650x
Mode2   > 6 hours   169 sec   > 125x
Mode3   > 2 hours   14 sec    > 500x
Mode4   8 minutes   < 1 sec   480x
Arch    34 sec      < 1 sec   34x
WBS     29+ hours   1 sec     105,240x
Case Studies
ADGS-2100 Adaptive Display & Guidance System
• Modeled in Simulink, translated to NuSMV
• 4,295 subsystems, 16,117 Simulink blocks, over 10^37 reachable states
• Example requirement: The Cursor Shall Never be Positioned on an Inactive Display
• Counterexample found in 5 seconds
• Checked 563 properties; found and corrected 98 errors in early design models
ADGS-2100 Technology Transfer
• Iteration 1: Simulink R14 model -> Simulink R13 model -> SCADE model -> NuSMV model. Translation time: 1-4 hours; turnaround: 1 day to 1 week.
• Iteration 2: Simulink R14 model -> Reactis model -> NuSMV model. Translation time: 10 minutes; turnaround: 3 hours to 2 days.
• Iteration 3: Simulink R14 model -> Reactis model -> NuSMV model. Translation time: 10 minutes; turnaround: 10 minutes.
[Diagram shading: steps performed by the ATC group (beige) versus the development group (blue).]
CerTA FCS Phase I
• Sponsored by the Air Force Research Labs
  – Air Vehicles (RB) Directorate - Wright Patterson
• Investigate Roles of Testing and Formal Verification
  – Can formal verification complement or replace some testing?
• Example Model – Lockheed Martin Adaptive UAV Flight Control System
  – Redundancy Management Logic in the Operational Flight Program (OFP)
  – Well suited for verification using the NuSMV model-checker
Lockheed Martin Aero
• Based on Testing
• Enhanced During CerTA FCS
  – Graphical Viewer of Test Cases
  – Support for XML/XSLT Test Cases
  – Added C++ Oracle Framework
• Developed Tests from Requirements
• Executed Test Cases on Test Rig
Rockwell Collins
• Based on Model-Checking
• Enhanced During CerTA FCS
  – Support for Simulink blocks
  – Support for Stateflow
  – Support for Prover model-checker
• Developed Properties from Requirements
• Proved Properties using Model-Checking
CerTA FCS Phase I - OFP Redundancy Management Logic
For Each of Ten Control Surfaces
• Triplex Voter – Input monitor, sensor fusion, and failure isolation
• Failure Processing – Logs failures into a data store
• Reset Manager – Reset logic for sensors and control surfaces (not shown)

Component            Subsystems / Blocks   Charts / Transitions   Truth Table Cells   Reachable State Space   Properties
Triplex voter        10 / 96               3 / 35                 198                 6.0 * 10^13             48
Failure processing   7 / 42                0 / 0                  0                   2.1 * 10^4              6
Reset manager        6 / 31                2 / 26                 0                   1.32 * 10^11            8
Total                23 / 169              5 / 61                 198                 N/A                     62

[Simulink diagram of the redundancy management logic: triplex_input_monitor (inputs input_a, input_b, input_c, trip_level, persist_lim; outputs MS, failreport, pc, tc), triplex_input_selector, Failure_Isolation and Failure_Processing with a DST data store; regions labelled Input Monitor, Failure Processing, Failure Isolation and Sensor Fusion; outputs input_sel, totalizer_cnt, persistence_cnt and failure_report.]
CerTA FCS Phase I – Errors Found
Errors Found in Redundancy Manager
Component            Model Checking   Testing
Triplex Voter        3                0
Failure Processing   5                0
Reset Manager        4                0
Total                12               0
• Model-Checking Found 12 Errors that Testing Missed
• Spent More Time on Testing than Model-Checking
  – 60% of total on testing vs. 40% on model-checking
Model-checking was more cost effective than testing at finding design errors.
CerTA FCS Phase II
• Sponsored by the Air Force Research Labs
  – Air Vehicles (RB) Directorate - Wright Patterson
• Can Model Checking be Used on Numerically Complex Systems?
  – Large, numerically intensive, non-linear systems
• Example Model
  – Lockheed Martin Adaptive UAV Flight Control System
  – Effector Blender (EB) – Generates actuator commands for aircraft control surfaces
  – Matrix arithmetic of floating point numbers
CerTA FCS Phase II – Effector Blender
• Generates Actuator Commands
  – Six control surfaces
  – Adapts its behavior as aircraft state changes
  – Iterative algorithm that repeatedly manipulates a 3 x 6 matrix of floating point numbers
• Large Complex Model
  – Inputs: 32 floating point inputs; 3 x 6 matrix of floating point values
  – Outputs: 1 x 6 vector of floating point values
  – 166 Simulink subsystems
  – 2000+ basic Simulink blocks
  – Huge reachable state space
• Completely Functional
  – No internal state
Control Effector Arrangement: surf1 left vertical tail, surf2 right vertical tail, surf3 left flap, surf4 right flap, surf5 left outboard spoiler, surf6 right outboard spoiler (V-tail rudders, flaps and spoilers, left and right).
[Simulink diagram: EffectorBlender block with 29 numbered input ports and one output port.]
CerTA FCS Phase II – What to Verify?
• No Explicit Requirements for the Effector Blender Model
  – Requirements defined for Effector Blender + aircraft model
  – Addition of aircraft model pushes verification beyond current tools
• Avoid Properties Verifiable by Other Means
  – Control theory – stability, tracking performance, feedback design …
  – Simulation – design validation
  – Implementation – code generation/compilation, scheduling, …
• Focus on the Consistency of the Effector Blender Model
  – Relationships the model should always maintain
  – Partial requirements specification
• Preservation of Control Surface Limits
  – EB computes upper and lower limits for each control surface command
  – Function of aircraft design, aircraft state, and max extension per cycle
  – Commanded extension should always be between these limits
CerTA FCS Phase II – Verification of Floating Point Numbers
• Floating Point Numbers
  – Fixed number of bits with a movable decimal (radix) point
  – No decision procedures for floating point numbers available
• Real Numbers
  – Real numbers have unbounded size and precision
  – Would hide errors caused by limitations of floating point arithmetic
  – Control theory problems are inherently non-linear
  – Decision procedures for non-linear real numbers have exponential cost
• Solution - Translate Floating Point Numbers into Fixed Point
  – Extended translation framework to automate this translation
  – Convert floating point to fixed point (scaling provided by user)
  – Convert fixed point into integers (use bit shifting to preserve magnitude)
  – Shift from NuSMV (BDD-based) to Prover (SMT-solver) model checker
• Advantages & Issues
  – Use bit-level integer decision procedures for model checking
  – Results unsound due to loss of precision
  – Highly likely to find errors – very valuable tool for debugging
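The translation step described on this slide (float to fixed point with a user-supplied scale, then to integers with shifts that restore the magnitude) is small enough to show in full. The code below is an added illustration, not the Rockwell Collins translator or the Effector Blender; the scale of 8 fraction bits, the 16-bit width, the three-element demand vector, the gain columns and the surface limits are all constructed for the example. It also shows the loss of precision the slide calls out as the source of unsoundness.

```python
# Added illustration of the float -> fixed-point -> integer translation.
# FRAC_BITS is the user-supplied scaling (constructed), WIDTH the integer width a
# bit-level decision procedure would reason over (constructed).
FRAC_BITS = 8
WIDTH = 16

def to_fixed(x, frac_bits=FRAC_BITS):
    """Encode a float as the integer nearest to x * 2**frac_bits."""
    return int(round(x * (1 << frac_bits)))

def to_float(n, frac_bits=FRAC_BITS):
    """Decode a fixed-point integer back to a float (reporting only)."""
    return n / (1 << frac_bits)

def fits(n, width=WIDTH):
    """True if n is representable as a signed two's-complement integer of `width` bits."""
    return -(1 << (width - 1)) <= n < (1 << (width - 1))

def fixed_mul(a, b, frac_bits=FRAC_BITS):
    """Multiply two fixed-point values: the raw product carries 2*frac_bits fraction
    bits, so shift right by frac_bits to restore the magnitude. Python's >> on a
    negative int is an arithmetic shift (floor), matching a signed hardware shift."""
    return (a * b) >> frac_bits

def fixed_dot(xs, ys, frac_bits=FRAC_BITS):
    """Dot product in fixed point; raises if the accumulator overflows WIDTH bits."""
    acc = 0
    for a, b in zip(xs, ys):
        acc += fixed_mul(a, b, frac_bits)
        if not fits(acc):
            raise OverflowError(f"accumulator {acc} exceeds {WIDTH} bits")
    return acc

def blend(demands, gains, limits):
    """One stateless blending step: command[j] = sum_i demands[i] * gains[i][j],
    then each command is checked against its (lower, upper) limit, all in fixed
    point. Returns (commands, indices whose command lies outside its limits)."""
    d = [to_fixed(v) for v in demands]
    cols = zip(*gains)                          # columns of the row-major gain matrix
    cmds = [fixed_dot(d, [to_fixed(g) for g in col]) for col in cols]
    bad = [j for j, c in enumerate(cmds)
           if not to_fixed(limits[j][0]) <= c <= to_fixed(limits[j][1])]
    return cmds, bad

def float_dot(xs, ys):
    """Reference computation in the model's native floating point."""
    return sum(a * b for a, b in zip(xs, ys))

# Constructed sample: three axis demands and one control-surface column of gains.
DEMANDS = [0.1, 0.5, -0.25]
GAIN_COLUMN = [1.0, 0.5, 2.0]

if __name__ == "__main__":
    f = float_dot(DEMANDS, GAIN_COLUMN)
    q = fixed_dot([to_fixed(v) for v in DEMANDS], [to_fixed(g) for g in GAIN_COLUMN])
    print(f"float: {f:.6f}   fixed: {to_float(q):.6f}   error: {abs(f - to_float(q)):.6f}")
```

With 8 fraction bits, 0.1 becomes 26/256 = 0.1015625, and the sample dot product comes out as -38/256 = -0.1484375 against the floating-point -0.15. The error is below one unit in the last place of the chosen scale, but it is an error: a limit violation in the float model that lies within that margin can be missed in the integer model, and a violation can be reported that the float model does not have. That is exactly why the slide calls the results unsound yet still valuable for finding errors, and why the scale is a choice the user has to make deliberately for each signal.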
CerTA FCS Phase II – Compositional Verification
Typical Specification
– Models are typically organized in a hierarchy of subsystems
– Subsystems are often nested several levels deep
– Most of the complexity is in the leaf subsystems
– Leaf subsystems can often be verified through model checking
Composition of Subsystems
– Tends to be simple
– Lends itself well to theorem proving
[Diagram: Subsystem B (inputs In_B1, In_B2, output Out_B) satisfies P2 & P3 -> Q1; Subsystem A (inputs In_A1, In_A2, output Out_A) satisfies P1 & Q1 -> Q2; the composition has inputs In1, In2 and output Out1.]
  P2 & P3 => Q1
  P1 & Q1 => Q2
  therefore P1 & P2 & P3 => Q
Issues
– Need to avoid circular reasoning to ensure soundness
– Can be ensured by eliminating cyclic dependencies between atomic subsystems
– Identifying the right leaf level invariants to support composition
– Complexity of the proof obligations for the intermediate levels
– Lack of a unified automated verification system
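The composition argument on this slide, and its soundness condition (no cyclic dependencies between subsystems), can be mechanised in a few lines. The code below is an added example, not the presentation's tool chain: it encodes the two contracts from the diagram as assumption/guarantee pairs over named propositions, discharges them in dependency order so that no guarantee is ever used to prove itself, and cross-checks the conclusion by truth table. The contract names, the goal `Q2` (standing for the slide's Q) and the circular pair used for contrast are assumptions of this example.

```python
from itertools import product

# Added example: the contracts from the slide's diagram as (subsystem, assumptions, guarantees).
SLIDE_CONTRACTS = [
    ("B", {"P2", "P3"}, {"Q1"}),   # P2 & P3 => Q1
    ("A", {"P1", "Q1"}, {"Q2"}),   # P1 & Q1 => Q2
]
SYSTEM_ASSUMPTIONS = {"P1", "P2", "P3"}
GOAL = "Q2"                        # the slide's Q: the output guarantee of the composition

def dependency_graph(contracts):
    """Edge X -> Y when X assumes a proposition that Y guarantees."""
    providers = {}
    for name, _, guarantees in contracts:
        for g in guarantees:
            providers.setdefault(g, set()).add(name)
    return {name: {p for a in assumptions for p in providers.get(a, ())}
            for name, assumptions, _ in contracts}

def has_cycle(graph):
    """Depth-first search with colouring; a back edge is circular reasoning."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {n: WHITE for n in graph}
    def visit(n):
        colour[n] = GREY
        for m in graph[n]:
            if colour[m] == GREY or (colour[m] == WHITE and visit(m)):
                return True
        colour[n] = BLACK
        return False
    return any(colour[n] == WHITE and visit(n) for n in graph)

def prove_by_composition(contracts, system_assumptions, goal):
    """Discharge contracts in dependency order, using only the system assumptions and
    guarantees already established, so no guarantee is used circularly.
    Returns (proved?, order in which subsystems were discharged)."""
    if has_cycle(dependency_graph(contracts)):
        return False, []
    established, order, pending = set(system_assumptions), [], list(contracts)
    while pending:
        ready = [c for c in pending if c[1] <= established]
        if not ready:
            break                       # some assumption can never be discharged
        for name, _, guarantees in ready:
            established |= guarantees
            order.append(name)
        pending = [c for c in pending if c not in ready]
    return goal in established, order

def entails(contracts, system_assumptions, goal):
    """Semantic cross-check by truth table: in every valuation where the system
    assumptions hold and every contract's implication holds, the goal holds."""
    atoms = sorted({a for c in contracts for a in c[1] | c[2]}
                   | set(system_assumptions) | {goal})
    for bits in product((False, True), repeat=len(atoms)):
        v = dict(zip(atoms, bits))
        if not all(v[a] for a in system_assumptions):
            continue
        if any(all(v[a] for a in asm) and not all(v[g] for g in grt)
               for _, asm, grt in contracts):
            continue
        if not v[goal]:
            return False
    return True

if __name__ == "__main__":
    print(prove_by_composition(SLIDE_CONTRACTS, SYSTEM_ASSUMPTIONS, GOAL))
    # Constructed circular pair: B needs Q2 to give Q1, A needs Q1 to give Q2.
    circular = [("B", {"Q2"}, {"Q1"}), ("A", {"Q1"}, {"Q2"})]
    print(prove_by_composition(circular, set(), "Q2"))
```

For the slide's contracts the checker discharges B first (its assumptions are system inputs), then A (its assumption Q1 is now established), and reports Q2 proved; the truth table agrees. For the circular pair, each subsystem would be "proved" if it were allowed to borrow the other's guarantee, which is the unsound step the slide warns about; the cycle check refuses it, and the truth table confirms that nothing follows from the two contracts alone. In practice the leaf obligations (each contract's implication) are what model checking establishes, and this ordering is the theorem-proving part of the composition.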
CerTA FCS Phase II - Results
• Can Model-Checking be Used on Numerically Complex Systems?
  – Large, numerically intensive, non-linear systems
• Effector Blender
  – Inputs: 32 floating point inputs; 3 x 6 matrix of floating point values
  – Outputs: 1 x 6 vector of floating point values
  – 166 Simulink subsystems
  – 2000+ basic Simulink blocks
• Errors Found
  – Five previously unknown errors that would drive actuators past their limits
  – Several implementation errors were being masked by defensive programming
Challenges and Future Directions
Extending the Verification Domain
[Diagram: verification techniques ordered by reach. Model Checkers: implicit state, < 10^200 reachable states. SMT-Solvers: infinite state models using k-induction. Decision Procedures: non-linear arithmetic, transcendental functions, floating point. Theorem Provers: arbitrary models, labor intensive.]
• Large Finite Systems (< 10^200 States)
  – Implicit state (BDD) model checkers
  – Easy to use and very effective
• Very Large or Infinite State Systems
  – SMT-Solvers
  – Large integers and reals
  – Limited to linear arithmetic
  – Ease of use is a concern
• Non-Linear Arithmetic
  – Multiplication/division of real variables
  – Transcendental functions (trigonometric, …)
  – Essential to navigation systems
• Floating Point Arithmetic
  – Most modeling languages use floating point (not real) numbers
• Theorem Provers
  – Deal with arbitrary models
  – Concerns are ease of use and labor cost
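The slide places infinite-state models "using k-induction" in the SMT-solver band without saying what k-induction is. The example below is added to show it and is not code from the presentation: a property is proved by checking that no violation is reachable within k steps (base case) and that any k consecutive states satisfying the property, reachable or not, are followed by one that does (inductive step). An SMT solver discharges the step symbolically over unbounded integers; this example makes the state space finite (0 to 9) so the same step can be checked by enumeration, and the counter, its transition relation and the property are constructed for the example.

```python
# Added example of k-induction on a constructed transition system. A solver would
# check the inductive step symbolically; here the domain is finite (constructed) so
# the step can be checked by explicit enumeration without a solver.
STATES = range(10)
INIT = {0}

def next_states(x):
    """Constructed transition relation: count up by two, wrap to 0 from 6 or above."""
    return {x + 2} if x < 6 else {0}

def prop(x):
    """Property to prove: the counter never reaches 7 (reachable states are 0, 2, 4, 6)."""
    return x != 7

def base_case(k):
    """All states reachable in fewer than k steps satisfy prop.
    Returns a violating path from an initial state, or None."""
    frontier = [[s] for s in INIT]
    for _ in range(k):
        for path in frontier:
            if not prop(path[-1]):
                return path
        frontier = [path + [t] for path in frontier for t in next_states(path[-1])]
    return None

def step_case(k):
    """Any path s0..sk starting from ANY state (reachable or not) whose first k states
    satisfy prop must end in a state satisfying prop. Returns a violating path or None."""
    stack = [[s] for s in STATES if prop(s)]
    while stack:
        path = stack.pop()
        if len(path) == k + 1:
            if not prop(path[-1]):
                return path
            continue
        for t in next_states(path[-1]):
            if len(path) < k and not prop(t):
                continue              # t belongs to the hypothesis and violates it: skip
            stack.append(path + [t])
    return None

def k_induction(k):
    cex = base_case(k)
    if cex is not None:
        return ("base-counterexample", cex)   # a real, reachable violation
    cex = step_case(k)
    if cex is not None:
        return ("step-counterexample", cex)   # may be spurious: the path need not be reachable
    return ("proved", k)

def prove(max_k=10):
    """Raise k until the step case stops producing (possibly spurious) counterexamples."""
    for k in range(1, max_k + 1):
        verdict = k_induction(k)
        if verdict[0] != "step-counterexample":
            return verdict
    return ("unknown", max_k)

if __name__ == "__main__":
    for k in (1, 2, 3, 4):
        print(k, k_induction(k))
    print(prove())
```

With k = 1 the step fails on the path 5 -> 7, although 5 is never reached from the initial state; k = 2 and k = 3 fail on 3 -> 5 -> 7 and 1 -> 3 -> 5 -> 7 for the same reason. At k = 4 no state has a transition into 1, so no four-state prefix of property-satisfying states can end in 7, and the property is proved. The spurious step counterexamples are the practical cost of k-induction: they have to be recognised as unreachable (by raising k, or by adding a strengthening invariant such as "x is even") rather than reported as bugs.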
Combining Theorem Proving and Model Checking For Compositional Verification
[Simulink diagram of a cruise control example: a CruiseController subsystem ("Adjusts the cruise throttle position to hold the car to a desired speed") with inputs onOff, decelSet, accelResume, cancel, brakePedal, carGear, carSpeed and validInputs and outputs mode, desiredSpeed and cruiseThrottle. Inside are ModeLogic, SetDesiredSpeed and SetThrottle subsystems; SetThrottle integrates a throttle delta (percent per step, limits <U=10.0><L=-10.0>) into a throttle position (limits <U=100.0><L=0.0>) with a one-second delay. Several nesting levels are shown.]
Typical Model-Based Specification
– Models are organized in a hierarchy several levels deep
– Most of the complexity is in the leaf models
– Leaf models can often be verified through model checking
Composition of Subsystems
– Tends to be simple
– Well suited for theorem proving
What Should the User Interface Be?
– Not emacs!
– Integrated with the model
– Simple theorem proving
– Powerful model checking
Finding the Right Properties
• How Many Properties Do I Need?
  – When am I done?
  – Are there coverage metrics like there are for testing?
  – How do I convince the certification authorities I’m done?
• Are Some Properties Better than Others?
  – Properties related to safety
  – Cross cutting properties find the most important errors
  – Simple, local properties find a surprising number of errors
• Is There a Process or Heuristics for Defining Properties?
  – Prove a property about each discontinuity in each output
• What is the Relationship Between Proof and Testing?
  – Can proving replace some testing?
  – Can testing replace some proving?
System Architectural Modeling & Analysis
[Diagram: System Architecture Development and Software Component Development feed an ADL system architecture model (logical and physical views), from which performance, safety and security analyses are run and configuration is auto-generated. The IMA cabinet stack: target hardware, separation kernel, reusable trusted middleware (RTOS, I/O, RT-CORBA), system specific middleware (schedule, communication routes), and applications App A, App B and App C on Common Computing Resources 1 to 3 connected by an IMA bus, with partitions at Level A / Top Secret, Level B / Classified and Level C / Unclassified. Software components are Simulink and VAPS models generating C and Ada code.]
Conclusions
• Formal Methods Are Practical and Are Being Widely Used
  – Model Based Development is the industrial use of formal methods
  – The engineers get to pick the modeling tools!
  – Semantics of some of the commercial tools could be improved
• Formal Verification Tools Are Being Used in Industry
  – Key is to verify the models the engineers are already building
  – Large portions of existing systems can be verified with model checkers
  – Need to make model checking accessible to the average engineer
• Directions for Future Work
  – Making verification tools more powerful and easier to use
  – Integration of theorem proving and model checking
  – Finding the right properties
  – Modeling and analysis of system architectural models
For More Information
http://shemesh.larc.nasa.gov/fm/fm-collins-intro.html
• Whalen, M., Cofer, D., Miller, S., Krogh, B., Storm, W.: Integration of Formal Analysis into a Model-Based Software Development Process. In 12th International Workshop on Formal Methods for Industrial Critical Systems (FMICS 2007), Berlin, Germany (2007).
• Whalen, M., Innis, J., Miller, S., Wagner, L.: ADGS-2100 Adaptive Display & Guidance System Window Manager Analysis, CR-2006-213952, NASA (2006).
• Heimdahl, M. P. E., Whalen, M. W., Rajan, A., Miller, S. P.: Testing Strategies for Model-Based Development, NASA Contractor Report NASA-2006-CR214307, April 2006. Available at http://hdl.handle.net/2002/214307.
• Miller, S., Tribble, A., Whalen, M., Heimdahl, M.: Proving the Shalls, International Journal on Software Tools for Technology Transfer (STTT), Feb 2006.
• Whalen, M. W., Innis, J. D., Miller, S. P., Wagner, L. G.: ADGS-2100 Adaptive Display & Guidance System, NASA Contractor Report NASA-2006-CR213952, Feb. 2006. Available at http://hdl.handle.net/2002/16162.
• Miller, S. P., Whalen, M. W., O’Brien, D., Heimdahl, M. P. E., Joshi, A.: A Methodology for the Design and Verification of Globally Asynchronous/Locally Synchronous Architectures, NASA Contractor Report NASA/CR-2005-213912, Sept. 2005. Available at http://hdl.handle.net/2002/15934.
• Miller, S., Anderson, E., Wagner, L., Whalen, M., Heimdahl, M.: Formal Verification of Flight Critical Software. In AIAA Guidance, Navigation and Control Conference and Exhibit, AIAA-2005-6431, American Institute of Aeronautics and Astronautics (2005).
Backup Slides
Evolution of Modeling Approaches
Textual (Z, VDM, PVS, Lustre, …); Tabular (RSML-e, SCR); Graphical (SCADE, Simulink)
Textual example, a Lustre node (FG_Mode_Type, FG_Thrust_Mode and ThrottleRetard are defined elsewhere in the model):
  -- Is thrust required in the current flight guidance mode?
  node Thrust_Required(FG_Mode : FG_Mode_Type;
                       Airborne : bool;
                       In_Flare : bool;
                       Emergency_Descent : bool;
                       Windshear_Warning : bool;
                       In_Eng_Accel_Zone : bool;
                       On_Ground : bool)
  returns (IsTrue : bool);
  let
    IsTrue = (FG_Thrust_Mode(FG_Mode) and Airborne)
          or (Airborne and Emergency_Descent)
          or Windshear_Warning
          or ((FG_Mode = ThrottleRetard) and In_Flare)
          or (In_Eng_Accel_Zone and On_Ground);
  tel;
FCS 5000 Flight Control Mode Logic
[Diagram: a lateral mode machine with modes ROLL, HDG, LAPPR and LGA and transitions (Events 1 to 9) on HDG Switch, HDG Switch [Not VAPPR], GA Switch, PowerUp, SYNC Switch, LAPPR Capture, Chg Coupled-side, VGA and Not VGA.]
• Determines Armed and Active Modes of the Aircraft
  – Active mode enables a control law to move aircraft control surfaces
  – Armed mode can become active when the right conditions are met
• Five Mode Machines Analyzed in the FCS 5000 Mode Logic
  – 36 modes, 172 events, 488 transitions
  – Transition in one mode machine can affect behavior of the others
FCS 5000 Flight Control Mode Logic
• Modeled in Simulink, translated to NuSMV
• Mode Controller A and Mode Controller B: 6.8 x 10^21 reachable states
• Example requirement: Mode A1 => Mode B1
• Counterexample found in less than two minutes
• Found 26 errors in early requirements models
FCS 5000 Flight Control Mode Logic – Summary of Errors Found
• Model-checking detected the majority of errors
• Model-checking detected the most serious errors
• Found early in the lifecycle during requirements analysis
Errors by detection method and by likelihood of being found by traditional methods:
Detected By       Trivial   Likely   Possible   Unlikely   Total
Inspection        -         -        1          2          3
Modeling          -         5        1          -          6
Simulation        -         -        -          -          -
Model Checking    2         1        13         1          17
Total             2         6        15         3          26
Model-Based Development
Company | Product | Tools | Specified & Autocoded | Benefits Claimed
Airbus | A340 | SCADE with code generator | 70% fly-by-wire controls; 70% automatic flight controls; 50% display computer; 40% warning & maintenance computer | 20x reduction in errors; reduced time to market
Eurocopter | EC-155/135 autopilot | SCADE with code generator | 90% of autopilot | 50% reduction in cycle time
GE & Lockheed Martin | FADEC engine controls | ADI Beacon | Not stated | Reduction in errors; 50% reduction in cycle time; decreased cost
Schneider Electric | Nuclear power plant safety control | SCADE with code generator | 200,000 SLOC auto-generated from 1,200 design views | 8x reduction in errors while complexity increased 4x
US Spaceware | DCX rocket | MATRIXx | Not stated | 50-75% reduction in cost; reduced schedule & risk
PSA | Electrical management system | SCADE with code generator | 50% SLOC auto-generated | 60% reduction in cycle time; 5x reduction in errors
CSEE Transport | Subway signaling system | SCADE with code generator | 80,000 C SLOC auto-generated | Improved productivity from 20 to 300 SLOC/day
Honeywell Commercial Aviation Systems | Primus Epic flight control system | MATLAB Simulink | 60% automatic flight controls | 5x increase in productivity; no coding errors; received FAA certification
CerTA FCS Phase I - Testing and Model Checking Recurring Costs
[Bar chart: percent of total recurring costs (0 to 70%) for testing versus model checking in the categories Preparation, Initial Test, Rework and Grand Total.]
• Preparation – Test: time to write the tests. MC: time to write the properties and set up the models for analysis.
• Initial Test – Test: time to run the tests. MC: running the tools, analyzing and explaining counter-examples to LM Aero, and creating a revised model.
• Rework – Test: time spent fixing errors in test cases. MC: time to repeat analysis.
Spent ~50% more time testing than model-checking.
Verifying Asynchronous Systems
• Occur Frequently in System Designs
  – Implement fault tolerance or meet performance requirements
• No Global Clock - Each Node Has Its Own Clock
• Quasi-Synchronous System
  – Clocks have similar (but not identical) periods, drift, jitter
• Interleaving Leads to State Space Explosion
  – Makes model checking difficult
• Need to Exploit the Constraints Imposed by Quasi-Synchrony