Changing the way the world does software

Transcription

1 Changing the way the world does software

2 Automated Certification from Soup to Nuts Nick Tudor

3 Introducing D-RisQ D-RisQ is a SME based in Malvern, UK. All personnel have a background in mathematics, engineering and computer science Huge experience in analysis of complex systems and software across many sectors Safety and security critical systems, automotive, aerospace, robotics Build automated formal analysis tools Focus on cost/time reduction Builds upon the use of commercially available and widely used development tools

4 D-RisQ FM Ecosystem English CSP Verification Design CSP Protocols Packet Analysis CSP Formal Methods Design Networks CSP Simulink/ Stateflow Z SysML CSP CSP Object Code Source Code CSP Viruses HOL EOC Vulnerability CSP HOL CSP Ada Z Z C HOL

5 D-RisQ FM Ecosystem English CSP Verification Design CSP Protocols Packet Analysis CSP Formal Methods Modelworks CLawZ Design Networks CSP Simulink/ Stateflow Z SysML CSP CSP Object Code FEVER Source Code CSP Viruses HOL EOC Vulnerability CSP HOL CSP Ada Z Z C HOL

6 The USMOOTH Problem Project led by ASV How to design a decision making system that can support Unmanned Safe Maritime Operations Over The Horizon for extended durations (weeks)? How to provide assurance that the software does what is required and nothing else? How could we support a safety argument What standards could be used? Not necessarily maritime standards At what cost and can the process be easily [cheaply] repeated? NB This is safety critical software

7 Acceptable Behaviour Behaviour Boundary Defined by: User requirements Regulations Physics Environment 0 1 Everything in here must be acceptable The more complex, Acceptability demonstrated by: the more cost to Probing the boundary and verify conventionally By design/development processes Aiming to ensure: Nothing can penetrate or leak from the boundary And everything inside is done correctly

8 Engineering, Formal Methods and Certification

9 Verification Objectives DO-178C Soup A-3.2 Accuracy & Consistency A-3.3 HW Compatibility A-3.4 Verifiability A-3.5 Conformance A-3.7 Algorithm Accuracy A-4. 8 Architecture Compatibility System (A-2: 1, 2) High-Level A-4.1 Compliance A-4.6 Traceability (A-2: 3, 4, 5) A-3.1 Compliance A-3.6 Traceability A-6.1 Compliance A-6.2 Robustness A-7.1 Procedures are correct A-7.2 Results are Correct A-7.3 Test Coverage of HLRs A-7.4 Test Coverage of LLRs A-7.5 MC/DC A-7.6 Decision Coverage A-7.7 Statement Coverage A-7.8 Coupling Coverage A-4.9 Consistency A-4.10 HW Compatibility A-4.11 Verifiability A-4.12 Conformance A-4.13 Partition Integrity Architecture Low-Level A-4.2 Accuracy & Consistency A-4.3 HW Compatibility A-4.4 Verifiability A-4.5 Conformance A-4.7 Algorithm Accuracy A-5.2 Compliance A-5.3 Verifiability A-5.4 Conformance A-5.6 Accuracy & Consistency A-5.8 PDI Complete & Correct A-5.9 PDI Verified (A-2: 6) Source Code A-5.1 Compliance A-5.5 Traceability A-6.3 Compliance A-6.4 Robustness A-7.9 Untraceable object code Nuts A-5.7 Complete & Correct (A-2: 7) Executable Object Code A-6.5 Compatible With Target Compliance: with requirements Conformance: with standards

10 Verification Objectives DO-333 FM.A Additional Objectives FM.A-3.2 Accuracy & Consistency FM.A-3.3 HW Compatibility FM.A-3.4 Verifiability FM.A-3.5 Conformance FM.A-3.7 Algorithm Accuracy FM.A-4. 8 Architecture Compatibility System (FM.A-2: 1, 2) High-Level FM.A-4.1 Compliance FM.A-4.6 Traceability (FM.A-2: 3, 4, 5) FM.A-3.1 Compliance FM.A-3.6 Traceability FM.A-6.1 Compliance FM.A-6.2 Robustness FM.A-7.1 Procedures are Correct FM.A-7.2 Results are Correct FM.A-7.3 Coverage of HLRs FM.A-7.4 Coverage of LLRs FM.A Structural Coverage FM.A-4.9 Consistency FM.A-4.10 HW Compatibility FM.A-4.11 Verifiability FM.A-4.12 Conformance FM.A-4.13 Partition Integrity FM.A Additional Objectives Architecture Low-Level FM.A-4.2 Accuracy & Consistency FM.A-4.3 HW Compatibility FM.A-4.4 Verifiability FM.A-4.5 Conformance FM.A-4.7 Algorithm Accuracy FM.A-5.2 Compliance FM.A-5.3 Verifiability FM.A-5.4 Conformance FM.A-5.6 Accuracy & Consistency FM.A-5.8 PDI Complete & Correct FM.A-5.9 PDI Verified FM.A Additional Objectives FM.A-7.9 Property Preservation FM.A-7.10 Additional Objectives FM.A-5.7 Complete & Correct (FM.A-2: 6) Source Code (FM.A-2: 7) Executable Object Code FM.A-5.1 Compliance FM.A-5.5 Traceability FM.A-6.3 Compliance FM.A-6.4 Robustness FM.A-6.5 Compatible With Target Compliance: with requirements Conformance: with standards

11 Verification Objectives DO-333, Certification and Costs System System (FM.A-2: 1, 2) High-Level (FM.A-2: 3, 4, 5) Architecture Design Low-Level (FM.A-2: 6) Source Code Source Code (FM.A-2: 7) Executable Object Code Executable Object Code

12 , Certification and Costs System Development cost: 20-50% DO-333 Design Table FM.A-2 Objectives Table FM.A-3 Objectives Table FM.A-4 Objectives Table FM.A-5 Objectives Table FM.A-6 Objectives Table FM.A-7 Objectives Source Code Verification cost: 50-80% Executable Object Code Processor

13 IT STARTS WITH REQUIREMENTS D-RisQ

14 We Need Unambiguous Must be able to bound the required behaviour in a form that: Enables it to be agreed that it is the required behaviour Language understood by regulator and developer The language must enable formalisation Enable checks for conflicting requirements language should allow abstraction Minimal assumptions about architecture Enables a wider possibility of solution

15 and Certification - USMOOTH System LRE System Document (SRD) v1.0 Design DO-333 Table FM.A-2 Objectives Table FM.A-3 Objectives LRE Specification (SRS) v1.0 Source Code Executable Object Code Processor

16 and Certification - USMOOTH System Reviewed LRE System Document (SRD) v1.0 Design DO-333 Table FM.A-2 Objectives Table FM.A-3 Objectives LRE Specification (SRS) v1.0 Source Code Executable Object Code Processor

17 SOFTWARE DESIGN AND REQUIREMENTS VERIFICATION D-RisQ

18 Systems, and Certification System Reviewed LRE Specification (SRS) v1.0 Design DO-333 Table FM.A-2 Objectives Table FM.A-3 Objectives Table FM.A-4 Objectives LRE Simulink/ Stateflow Design v1.0 Source Code Executable Object Code Processor

19 Manual Manual Automatic D-RisQ Modelworks for Properties Description English D-RisQ Language Automatic Communicating Sequential Processes (CSP) Formal Language Simulink/Stateflow Formal Model check (FDR4) Systems Description Simulink/ Stateflow Modelworks Formal Language Communicating Sequential Processes (CSP) Formal Language Pre-defined Stability, reachability & exit Properties Manual design effort Automatic Automatic Automatic

20 Systems, and Certification System Reviewed Modelworks LRE Specification (SRS) v1.0 Design DO-333 Table FM.A-2 Objectives Table FM.A-3 Objectives Table FM.A-4 Objectives LRE Simulink/ Stateflow Design v1.0 Source Code Executable Object Code Processor

21 Hours Independent Experiments mid Feb 17 Now can being analysed by MW ~60% ~40% ~60% ~60% ~30% ~30% More automation of Modelworks due shortly

22 SOFTWARE SOURCE CODE VERIFICATION AGAINST DESIGN D-RisQ

23 Source Code System Reviewed Modelworks LRE Simulink/ Stateflow Design v1.0 Design DO-333 Table FM.A-2 Objectives Table FM.A-3 Objectives Table FM.A-4 Objectives Table FM.A-5 Objectives Source Code Autocoded using dspace TargetLink to C Executable Object Code Processor

24 Overview of the D-RisQ CLawZ Process Autocoder Simulink Code Development Z Producer Z User Interface Proof using Theorem Prover ProofPower Verification

25 Source Code System Reviewed Modelworks LRE Simulink/ Stateflow Design v1.0 Design DO-333 Table FM.A-2 Objectives Table FM.A-3 Objectives Table FM.A-4 Objectives Table FM.A-5 Objectives CLawZ Source Code CLawZ for C not yet fully developed; Verification not done Autocoded using dspace TargetLink to C Executable Object Code Processor

26 EXECUTABLE OBJECT CODE VERIFICATION

27 Executable Object Code System Reviewed Modelworks Autocoded using dspace TargetLink to C Design DO-333 Table FM.A-2 Objectives Table FM.A-3 Objectives Table FM.A-4 Objectives Table FM.A-5 Objectives Table FM.A-6 Objectives CLawZ Source Code Executable Object Code Compiled to ARM Processor

28 D-RisQ FEVER Formal Executable object code VERification Source Code Compiler Executable Object Code Processor Instruction Set Architecture User Interface Formalised in HOL Formalised in HOL Work in progress Proof using Theorem Prover ProofPower (HOL) Target is currently ARM

29 Executable Object Code System Reviewed Modelworks Autocoded using dspace TargetLink to C Design DO-333 Table FM.A-2 Objectives Table FM.A-3 Objectives Table FM.A-4 Objectives Table FM.A-5 Objectives Table FM.A-6 Objectives CLawZ Source Code Compiled to ARM FEVER Executable Object Code Processor

30 COVERAGE

31 DO-333 FM.6.7.f Options for verification activities of Executable Object Code include: (1) Formal analysis of Executable Object Code can be used to satisfy the objectives if all of the following conditions are satisfied: The requirements are formally expressed. A formal model of the Executable Object Code is defined. Formal evidence demonstrates that the formal model of the Executable Object Code satisfies the requirements. (2) Formal analysis of Source Code can be used to satisfy the objectives if all of the following conditions are satisfied: The requirements are formally expressed. A formal model of the Source Code is defined. Formal evidence demonstrates that the formal model of the Source Code satisfies the requirements. Complementary analysis shows property preservation between the Source Code and the EOC.

32 FMA-6 Our Approach System High-Level Development Activity Review/Analysis Activity Test Activity Formal Analysis Formal Representation Compliance Robustness Modelworks Architecture Design Low-Level Compliance Robustness CLawZ Source Code Executable Object Code Compliance Robustness FEVER Formal Proof of Property Preservation

33 Executable Object Code System Reviewed Modelworks Design DO-333 Table FM.A-2 Objectives Table FM.A-3 Objectives Table FM.A-4 Objectives Table FM.A-5 Objectives Table FM.A-6 Objectives CLawZ Source Code Table FM.A-7 Objectives FEVER Executable Object Code Processor

34 COSTS

35 Locking in IP and Reducing Cost System DO-333 Design Table FM.A-2 Objectives Table FM.A-3 Objectives Table FM.A-4 Objectives Table FM.A-5 Objectives Table FM.A-6 Objectives IP effort here Source Code Table FM.A-7 Objectives Automatic = Significant cost reductions Executable Object Code Processor

36 Summary Unmanned systems have to have a high integrity autonomous decision making system The business case for wider adoption is based on fast, cost effective assurance Automated formal proof from requirements to binary tools being built USMOOTH is showing that this is possible Regulatory approval of safety case and approach using DO-333 as we propose, still required Demonstration to follow in 2017

37 Changing the way the world does software