Update on Behavior Language for Embedded Systems with Software for Proof Based Analysis of Behavior

Transcription

1 October 19, 2010 BLESS Progress Report (1) Update on Behavior Language for Embedded Systems with Software for Proof Based Analysis of Behavior Brian Larson Multitude Corporation October 19, 2010

2 October 19, 2010 BLESS Progress Report (2) Behavior Language for Embedded Systems with Software (BLESS) BLESS is AADL Annex Sublanguage(s) (v2 standardized by SAE in 2009) Inspired by Behavioural Annex (BA) Sublanguage Grammar of BLESS Coordinated with BA BLESS proof tool currently Java application; to become OSATE v2 (by SEI) plugin Convert BLESS behavior to BA to leverage BA tools Make adding proofs to models incremental, low-risk

3 October 19, 2010 BLESS Progress Report (3) Origins of BLESS Guidant (now Boston Scientific) used proprietary architecture language PADL derived from MetaH AADL, also derived from MetaH, was SAE International standard; anticipated migration to supplant home-brewed tools with commercial tools attended AADL tutorial at SEI (2007) invited to participate in AADL standard committee as medical device industry user reviewed v2 core standard and all annex standard documents Behavioural annex sublanguage (BA) might be augmented with Assertions to become proof outlines that could be transformed into a formal correctness proof by a proof tool like the one created for DANCE

4 October 19, 2010 BLESS Progress Report (4) Origins of BLESS, continued created temporal logic for Assertions while editing PACEMAKER System Specification (2006) migrate proof tool from ANTLR2 to ANTLR3 (start 2008, ongoing) wrote LRM defining semantics from set theory in LaTeX* (2009) BLESS grammar coordinated with BA grammar to make it easy to convert BLESS programs to BA text suspended in frustration development of OSATE/Eclipse plugin (2009); get tool working as Java application first VVI.aadl pushed through BLESS proof tool before May 2010 meeting of AADL committee in Toulouse (v0.12); half-day workshop/tutorial following was well received *please read it; ask questions; challenge suppositions

5 October 19, 2010 BLESS Progress Report (5) News DDD.aadl proved correct last Friday semantics for timeout dispatch conditions extended to express that none of the dispatch conditions leaving a source state has fired since the time of previous suspension, tops

6 October 19, 2010 BLESS Progress Report (6) BLESS is Three AADL Annex Sublanguages Assertion attached individually to features such as ports; annex libraries allow multiple assertions subbless attached only to subprograms; has only value transformations and Assertions without time expressions; subbless DANCE BLESS attached only to thread, device, or system AADL components; has states, transitions, timeouts, actions including communication, events, and Assertions with time expressions

7 October 19, 2010 BLESS Progress Report (7) BLESS is Three AADL Sublanguages subbless action firstorder predicate BLESS states transitions communication event dispatch persistence Assertion ˆ

8 October 19, 2010 BLESS Progress Report (8) Assertions are Temporal Logic Formulas Assertion grammar is first-order predicate calculus augmented and ˆ says when a predicate is true in real time: p@t means p is true at time t ˆ says when a predicate is true in thread periods (clock ticks): d@i means d is true i ticks (thread periods) from now; i is usually negative says when a predicate is true the previous tick: c means cˆ-1 the value of c set by the thread last period; used in calculating new values for this period; c:=c -1 decrements c each clock cycle

9 October 19, 2010 BLESS Progress Report (9) Lower Rate Limit Assertion Lower Rate Limit (LRL) -- The Lower Rate Limit (LRL) is the number of -- generator pace pulses -- delivered per minute (atrium or ventricle) -- in the absence of -- Sensed intrinsic activity. -- Sensor-controlled pacing at a higher rate. -- The LRL is affected in the following ways: When Rate Hysteresis is disabled, the LRL shall -- define the longest allowable pacing interval In DXX or VXX modes, the LRL interval starts -- at a ventricular sensed or paced event <<LRL:theTime: -- there has been a V-pace or a non-refractory V-sense exists t:timing_properties::time -- within the previous LRL interval in (thetime-pp::lower_rate_limit_interval)..thetime -- in which a heartbeat was paced if not sensed that (nr_vs or vp)@t >> means that at thetime, there has been a non-refractory, ventricular sense (nr_vs) or ventricular pace (vp) in the previous period lasting lower_rate_limit_interval.

10 October 19, 2010 BLESS Progress Report (10) Timeout va,sav,pav -[on dispatch timeout (vp nr_vs) PP::Lower_Rate_Limit_interval ms]->va {...}; pav -[on dispatch vs]-> pav_check_vrp{}; <<((vp or and not (exists t:timing_properties::time in now-pp::lower_rate_limit_interval,,now that (vp or )) and (VAI(now) and LAST_VP_OR_VS() and LAST_AS() and LRL(now) and URL(now))>>

11 October 19, 2010 BLESS Progress Report (11) Including a term that says no dispatch condition was true between time-of-previous-suspension, tops, and the present instant, now: <<((vp or nr_vs)@(now-pp::lower_rate_limit_interval) and not (exists t:timing_properties::time in now-pp::lower_rate_limit_interval,,now that (vp or nr_vs)@t )) and VAI(now) and LAST_VP_OR_VS() and LAST_AS() and LRL(now) and URL(now) and not (exists u:timing_properties::time in tops,,now that ((vp or nr_vs)@(u-pp::lower_rate_limit_interval) and not (exists t:timing_properties::time in u-pp::lower_rate_limit_interval,,u that (vp or nr_vs)@t )) or (as@u) or (vs@u) or (((vp or nr_vs)@(u-va_interval) and not (exists t:timing_properties::time in u-va_interval,,u that (vp or nr_vs)@t ))) or (stop) )>>

12 October 19, 2010 BLESS Progress Report (12) Dense time, actions, durations semantics of Assertions can express temporal behavior declaratively BLESS quantification integrates properties across time Needed to add open ranges: lb,,ub lb,.ub lb.,ub

13 October 19, 2010 BLESS Progress Report (13) DDD.aadl Proof 998 Theorems 414 lines of code 4 minutes run-time script to prove each initial obligation individually

14 October 19, 2010 BLESS Progress Report (14) BLESS, most recently DDD.aadl has been a challenging second example; many new or converted proof rules; caused re-evaluation of proof obligations for thread behavior Released tool (v0.14) yesterday; LRM (still v0.13) Many classes of proof rules and features added since Toulouse extensive use of ANTLR, 36 grammars and string template groups

15 October 19, 2010 BLESS Progress Report (15) Plentiful interesting things to do... use BLESS to prove RTEdge correctness integrate with Fiacre model checker (TOPCASED) attempt conversion of stand-alone application to OSATE (SEI) or STOOD (Ellidiss) plugins, experiment with avionics (Dassault), NPP shutdown systems (NRC), or robotics (PaR), add code generation to proof tool, Ocarina or ANTLR demonstrate proved-correct software running on real hardware for Pacemaker Challenge behavior semantics shoot-out : Fiacre, Maude, Ocarina, BLESS... but scarce funding

16 October 19, 2010 BLESS Progress Report (16) ESA s Avionics Reference Architecture and IMA Modeling Might be opportunity to integrate BLESS with TOPCASED (ASSERT) tool suite, and experiment with avionics subject Safety-critical systems complexity tamed using math like every other engineering discipline Ensure execution correctness with both proofs and testing Compose proved-correct building blocks into proved-correct systems

17 October 19, 2010 BLESS Progress Report (17) Team to Define Experiment Using BLESS on ESA s Avionics Reference Architecture Thierry Cornilleau - Dassault Aviation Pierre Dissaux - Ellidiss (STOOD, Adele) Jerome Hughes - ISAE (Ocarina) Mamoun Filalai - IRIT (Fiacre) Frank Singhoff - Brest (concurrency control protocols) Eric Conquet - ESA (ASSERT)* Julien Delange- ESA (ARA) Laurent Pautet - ESA (ARA) Serban Gheorghe - Edgewater (RTEdge) Oleg Sokolsky - UPenn (cyber-physical systems) Peter, Bruce, Dio, Lutz - SEI (OSATE) others? * What we prove is what we get.