Safety Assurance in Software Systems From Airplanes to Atoms

Transcription

1 Safety Assurance in Software Systems From Airplanes to Atoms MDEP Conference on New Reactor Design Activities Session Digital I&C: Current & Emerging Technical Challenges September 07 Dr. Darren Cofer

2 Rockwell Collins: Advanced Technology Center Trusted Systems Group Formal methods for verification Model-based development Practical and effective tools Certification (DO-78C) Domains Avionics systems Commercial and military Manned and unmanned Safety and security

3 Similar Concerns Safety-critical Regulated Redundancy for fault-tolerance Software intensive Fail-safe Fail-op 3

4 Similar Challenges Increased use of software in safetycritical functions Houston, we have a problem. Complexity of software Incorporation of COTS hardware/software New technologies that challenge the existing certification process Limitations of testing for safety assurance Cybersecurity What can the nuclear industry learn from civil aviation experience? 4

5 Assertion : The nuclear industry can benefit from aerospace software development and verification practices. 5

6 Certification Process for Civil Aviation Design Assurance CFR Title 4 Part 5 Airworthiness Standards: Transport Category Intended Aircraft Function Function, Failure, & Safety Information Safety Assessment Process Guidelines and Methods (ARP 476) System Design Operational Environment Means of Compliance System Development Processes (ARP 4754A) Functional Aircraft Requirements Implementation Hardware Requirements Guidelines for Integrated Modular Avionics (DO-97) Software Requirements Implementation Hardware Development Life-Cycle (DO-54) Software Development Life-Cycle (DO-78C) 6

7 DO-78 Principles Primarily a quality document, not safety Demonstrate that software implements requirements and nothing else (no surprises) Requirements-based testing Traceability among requirements, test cases, code Structural coverage metrics to determine adequacy of testing 7

8 Assertion : To cope with software complexity, the aerospace industry is moving toward use of formal methods. 8

9 Throttle Throttle V_cmd [m/s] V_s [m/s] V_cmd [m/s] V_s [m/s] h_cmd [m/s] psi_cmd [rad] psi [rad] h [m] h_cmd [m/s] h [m] psi_cmd [rad] psi [rad] Throttle V_cmd [m/s] V_s [m/s] h_cmd [m/s] h [m] psi_cmd [rad] psi [rad] Throttle Throttle V_cmd [m/s] V_s [m/s] V_cmd [m/s] V_s [m/s] h_cmd [m/s] h [m] psi_cmd [rad] psi [rad] h_cmd [m/s] h [m] psi_cmd [rad] psi [rad] Throttle V_cmd [m/s] V_s [m/s] h_cmd [m/s] h [m] psi_cmd [rad] psi [rad] Formal Methods: Complete Exploration of Design = 5 Velocity Tracker Velocity Tracker - control_cmd control_cmd Velocity Tracker Velocity Tracker elevator [rad] theta [rad] q [rad/sec] theta_cmd [rad] elevator [rad] rudder [rad] r [rad/sec] theta [rad] q [rad/sec] rudder [rad] phi [rad] r [rad/sec] aileron [rad] p [rad/sec] baseline control phi [rad] - aileron [rad] p [rad/sec] 0 flaps baseline control 0 flaps - control_cmd 0 flaps Altitude Tracker Psi Tracker Altitude Tracker Psi Tracker elevator [rad] theta [rad] q [rad/sec] rudder [rad] r [rad/sec] phi [rad] aileron [rad] p [rad/sec] baseline control [theta_cmd] [phi_cmd] [theta_cmd] Altitude Tracker Psi Tracker feedback feedback ref_cmds ref_cmds [theta_cmd] [phi_cmd] feedback ref_cmds - control_cmd control_cmd Velocity Tracker Velocity Tracker elevator [rad] theta [rad] q [rad/sec] theta_cmd [rad] elevator [rad] rudder [rad] r [rad/sec] theta [rad] q [rad/sec] rudder [rad] phi [rad] r [rad/sec] aileron [rad] p [rad/sec] baseline control phi [rad] - aileron [rad] p [rad/sec] 0 flaps baseline control 0 flaps - control_cmd 0 flaps Altitude Tracker Psi Tracker Altitude Tracker Psi Tracker elevator [rad] theta [rad] q [rad/sec] rudder [rad] r [rad/sec] phi [rad] aileron [rad] p [rad/sec] baseline control [theta_cmd] [phi_cmd] [theta_cmd] [phi_cmd] Altitude Tracker Psi Tracker Proof [theta_cmd] [phi_cmd] feedback feedback ref_cmds ref_cmds feedback ref_cmds [phi_cmd] Testing can only show the presence of bugs (and only if you are lucky) Analysis can show the absence of bugs (with evidence of correctness) 9

10 Formal Methods and Aircraft Certification Mode Logic Flight Guidance System DO-78C/DO-333 Case Study Theorem Proving demonstrated on the FGS design model Model Checking demonstrated on the Mode Logic Simulink model Abstract Interpretation demonstrated on the Heading Control Law source code control_cmd - 0 flaps V_cmd [m/s] Throttle V_s [m/s] Velocity Tracker h_cmd [m/s] h [m] elevator [rad] theta [rad] Altitude Tracker q [rad/sec] rudder [rad] r [rad/sec] psi_cmd [rad] psi [rad] phi [rad] aileron [rad] Psi Tracker p [rad/sec] baseline control Heading Control [theta_cmd] [phi_cmd] feedback ref_cmds Formal methods reduce cost and increase confidence through early detection and elimination of errors 0

11 Assertion 3: Formal methods can also address cybersecurity concerns for high-assurance systems.

12 High-Assurance Cyber Military Systems

13 Boeing Unmanned Little Bird Helicopter 3

14 High-Assurance Cyber Military Systems Final Demonstrations Boeing Unmanned Little Bird (ULB): Mesa AZ, Feb 07 Quadcopter: Sterling VA, Apr 07 Demonstrated cyber-resiliency of both vehicles Before and after flight demonstrations Attacked in-flight Comprehensive evaluation by white hat cyber-attackers Cyber-resiliency achieved through application of formal methods Model checking of architecture properties Synthesis/verification of software components Comprehensive proof of correctness of operating system Formal methods are practical and effective for achieving cybersecurity in real aerospace systems 4

15 For More Information HACMS final demo video DARPA Blocks Cyberattacks on Unmanned Little Bird In Flight (Aviation Week) Cybersecurity Skeptics Now Embracing Formal Methods (ACM Ubiquity) DO-78C/333 Certification Case Studies Using Formal Methods 5