Mike Whalen Program Director, UMSEC University of Minnesota

Similar documents
Rockwell Collins Evolving FM Methodology

Complexity-Reducing Design Patterns for Cyber-Physical Systems. DARPA META Project. AADL Standards Meeting January 2011 Steven P.

Tools for Formally Reasoning about Systems. June Prepared by Lucas Wagner

Requirements Analysis of a Quad-Redundant Flight Control System

Mike Whalen. Program Director University of Minnesota Software Engineering Center. Software Engineering Center

PSL for Assume-Guarantee Contracts in AADL Models

Test and Evaluation of Autonomous Systems in a Model Based Engineering Context

Towards Synthesis from Assume-Guarantee Contracts involving Infinite Theories: A Preliminary Report

Compositional Verification of a Medical Device System

Industrial Verification Using the KIND Model Checker Lucas Wagner Jedidiah McClurg

Verification Condition Generation via Theorem Proving

Your What is My How: Iteration and Hierarchy in System Design

AADL Requirements Annex Review

Introduction to the Guardol Programming Language and Verification System

Model Checking of Aerospace Domain Models in an Industrial Context

SCALABLE AND ACCURATE SMT-BASED MODEL CHECKING OF DATA FLOW SYSTEMS

Coverage Metrics and Requirements-Based Testing

Areas related to SW verif. Trends in Software Validation. Your Expertise. Research Trends High level. Research Trends - Ex 2. Research Trends Ex 1

Linking Abstract Analysis to Concrete Design: A Hierarchical Approach to Verify Medical CPS Safety

Compositional Cutpoint Verification

arxiv: v1 [cs.se] 27 Apr 2016

From Design Contracts to Component Requirements Verification

COMPASS: FORMAL METHODS FOR SYSTEM-SOFTWARE CO-ENGINEERING

VS 3 : SMT Solvers for Program Verification

Formal Verification. Lecture 10

A Tabular Expression Toolbox for Matlab/Simulink

6. Hoare Logic and Weakest Preconditions

Model Checking Revision: Model Checking for Infinite Systems Revision: Traffic Light Controller (TLC) Revision: 1.12

Part II. Hoare Logic and Program Verification. Why specify programs? Specification and Verification. Code Verification. Why verify programs?

Symbolic Synthesis of Observability Requirements for Diagnosability

Architecture-driven development of Climate Control Software LMS Imagine.Lab Embedded Software Designer Siemens DF PL

A short manual for the tool Accumulator

System Correctness. EEC 421/521: Software Engineering. System Correctness. The Problem at Hand. A system is correct when it meets its requirements

Cover Page. The handle holds various files of this Leiden University dissertation

Xuandong Li. BACH: Path-oriented Reachability Checker of Linear Hybrid Automata

PKIND: A parallel k-induction based model checker

HECTOR: Formal System-Level to RTL Equivalence Checking

SCADE. SCADE Architect System Requirements Analysis EMBEDDED SOFTWARE

Lecture 11 Lecture 11 Nov 5, 2014

Formal Modeling and Verification of Interlocking Systems Featuring Sequential Release

ExCuSe A Method for the Model-Based Safety Assessment of Simulink and Stateflow Models

F-Soft: Software Verification Platform

Verification of Fault-Tolerant Protocols with Sally

Finite State Verification. CSCE Lecture 21-03/28/2017

Verification Condition Generation

A Correctness Proof for a Practical Byzantine-Fault-Tolerant Replication Algorithm

Proving liveness. Alexey Gotsman IMDEA Software Institute

Program Analysis and Constraint Programming

Tree Interpolation in Vampire

Combinatorics I (Lecture 36)

Model-Based Design of Connected and Autonomous Vehicles

Model Checking. Automatic Verification Model Checking. Process A Process B. when not possible (not AI).

Theorem proving. PVS theorem prover. Hoare style verification PVS. More on embeddings. What if. Abhik Roychoudhury CS 6214

Abstract Interpretation

CIS 890: Safety-Critical Systems

Lecture 1 Contracts : Principles of Imperative Computation (Fall 2018) Frank Pfenning

Reducing Verification Costs through Practical Formal Methods: A Survey

An Information Model for High-Integrity Real Time Systems

CIS 890: Safety Critical Systems

JPF SE: A Symbolic Execution Extension to Java PathFinder

Formally-Proven Kosaraju s algorithm

Automated Freedom from Interference Analysis for Automotive Software

arxiv:submit/ [math.co] 9 May 2011

Tutorial on Model Checking Modelling and Verification in Computer Science

Lecture 1 Contracts. 1 A Mysterious Program : Principles of Imperative Computation (Spring 2018) Frank Pfenning

High-Level Information Interface

Fall 2014 SEI Research Review Verifying Evolving Software

Advances in Programming Languages

Semantic Importance Sampling for Statistical Model Checking

Local Two-Level And-Inverter Graph Minimization without Blowup

Ufo: A Framework for Abstraction- and Interpolation-Based Software Verification

Verifying the Safety of Security-Critical Applications

Midwest Verification Day 2011

Specification Centered Testing

Distributed Systems Programming (F21DS1) Formal Verification

PVS, SAL, and the ToolBus

Warm-Up Problem. Let be a set of well-formed Predicate logic formulas. Let be well-formed Predicate logic formulas. Prove or disprove the following.

AFRL-RI-RS-TR

Symbolic Execution and Proof of Properties

Distributed Systems Programming (F21DS1) SPIN: Formal Analysis II

Proofs and Proof Certification in the TLA + Proof System

Verifying Safety Property of Lustre Programs: Temporal Induction

Automated Refinement Checking of Asynchronous Processes. Rajeev Alur. University of Pennsylvania

Verified Secure Routing

SCADE S E M I N A R I N S O F T W A R E E N G I N E E R I N G P R E S E N T E R A V N E R B A R R

An Annotated Language

A Hoare Logic Contract Theory: An Exercise in Denotational Semantics

Predicate Refinement Heuristics in Program Verification with CEGAR

TEITP User and Evaluator Expectations for Trusted Extensions. David Hardin Rockwell Collins Advanced Technology Center Cedar Rapids, Iowa USA

Automated Proof with Caduceus: Recent Industrial Experience

CS 161 Computer Security

HW/SW Co-Verification of a RISC CPU using Bounded Model Checking

Correctness of specifications. Correctness. Correctness of specifications (2) Example of a Correctness Proof. Testing versus Correctness Proofs

Boeing Certification Techniques for Advanced Flight Critical Systems Challenge Problem Integration (CerTA FCS CPI) Briefing at the

From Event-B Models to Dafny Code Contracts

Massachusetts Institute of Technology Department of Electrical Engineering and Computer Science Algorithms For Inference Fall 2014

Formal Verification! Prof. Leon Osterweil! Computer Science 520/620! Spring 2012!

Inductive Invariant Generation via Abductive Inference

Yices 1.0: An Efficient SMT Solver

ECE 587 Hardware/Software Co-Design Lecture 12 Verification II, System Modeling

Transcription:

Formal Analysis for Communicating Medical Devices Mike Whalen Program Director, UMSEC University of Minnesota Research Topics Multi-Domain Analysis of System Architecture Models Compositional Assume-Guarantee Reasoning Next: Incorporating different notions of time D. Cofer, A. Gacek, S. Miller, M. Whalen, and B. LaValley. Compositional Verification of Architectural Models. NFM 2012 Analysis of Component-Level MBD Models Simulink/Stateflow Rhapsody W. Visser, M. Dwyer, and M. Whalen, The Hidden Models of Model Checking. Journal of Software and Systems Modeling, [Submitted Under Review] T. Kahsai, P.L. Garoche, C. Tinelli, and M. Whalen. Incremental Verification with Mode Machine Invariants in State Machines. NFM 2012 Automated Analysis of Datatype-Manipulating Programs Automated proofs of (arbitrarily large) data structures. Based on extension of Kuncak & Suter POPL11 algorithm D. Hardin, K. Slind, M. Whalen, and T.H. Pham. The Guardol Language and Verification System, TACAS 2012 M. Whalen, A. Gacek, and D. Cofer. Hierararchical Circular Compositional Reasoning. UMSEC Tech Report 2012-1 1

Vision System design & verification through pattern application and compositional reasoning VOTE MULTIPLE DATA VERIFIED AVAILABILITY SENSOR 1 SENSOR 2 SENSOR 3 ARCHITECTURE MODEL LRU COMPUTING RESOURCE A COMPUTING RESOURCE COMPUTING RESOURCE B COMPOSITIONAL PROOF OF CORRECTNESS (ASSUME GUARANTEE) FAIL-SILENT NODE FROM REPLICAS VERIFIED INTEGRITY SAFETY, BEHAVIORAL, PERFORMANCE PROPERTIES VERIFICATION ABSTRACTION REUSE COMPOSITION Copyright 2011 Rockwell Collins, Inc. All rights reserved. 3 Multi-domain modeling & analysis Architecture model captures properties, relationships, contracts between and within domains Supports system-level analysis Behavioral (Subset of) PSL properties Structural/Static Model constraints ANNOTATE & VERIFY MODELS ARCH PATTERN LIBRARY COMPONENT LIBRARY IMPORT COMPONENT MODELS & CONTRACTS SYSTEM MODEL SYSTEM MODELING ENVIRONMENT FOUNDRY CONFIG SYSTEM IMPLEMENTATION Probabilistic Fault modeling CONTEXT LIBRARY HETEROGENEOUS COMPONENT MODELS WITH FORMAL CONTRACTS MULTI-DOMAIN COMPOSITIONAL REASONING & ANALYSIS SYSTEM ARCHITECTURE REFERENCE MODEL FOR INTEGRATION / ANALYSIS CONSTRAINTS ifab FOUNDRY WITH MANUFACTURING CONSTRAINTS Resource Allocation Schedule, memory, bandwidth Manufacturability Resources, processes Copyright 2011 Rockwell Collins, Inc. All rights reserved. 4 2

Tool Chain SysML SysML-AADL translation OSATE: AADL modeling Enterprise Architect AADL Lustre EDICT: Architectural patterns Lute: Structural verification AGREE: Compositional behavior verification Eclipse KIND 5 GPCA Example Property of Interest: If a Stop command is received, then within 1 second, measured flow rate shall be zero. We will prove this property compositionally based on the architecture of the subsystem. 3

Architecture of GPCA GPCA Hardware Flow Rate Detector Door Position Controller Software Humidity Temp Air Pressure Battery Power Supply Air In Line Detector Motor Buzzer Infusion Command Proof of GPCA GPCA Hardware Flow Rate Detector Position Controller Software Humidity Temp Battery Power Supply Motor Buzzer Assertion: When a Stop infusion command is received, then within 1 second, measured flow rate shall be zero. Infusion Command 4

Proof of Reciprocating GPCA Reciprocating Hardware Flow Rate Detector Humidity Battery Motor Door Temp Power Supply Buzzer if pump is in no ambient flow position and pump motor is off, then flow rate will be zero within 200 ms Assertion: When powered on, pump cycles between ambient and no-ambient flow states every 300 ms. Controller Software When pump stop command occurs, pump motor will be switched off when pump motor position reaches no-ambient flow state. Assertion: When a Stop infusion command is received, then within 1 second, measured flow rate shall be zero. Rotary GPCA Rotary Hardware Flow Rate Detector Humidity Battery Door Temp Power Supply if pump is in no ambient flow position and pump motor is off, then flow rate will be zero within 400 ms Controller Software When pump stop command occurs, pump motor will be immediately switched off. Motor Buzzer Assertion: When a Stop infusion command is received, then within 1 second, measured flow rate shall be zero. 5

DEMO Underlying Formalism: Circular Compositional Reasoning Suppose we have Then if for all q Γ G((Z(H(Θ q )) ^ Δ q ) q) Then: G(q) for all q Q [Adapted from McMillan] 6

Formulation applied to Hierarchical Reasoning So given component contracts: Γ = { G(H(A c ) P c ) c C } we add a set of obligations that tie the system assumption to the component assumptions We can prove G(q) for all elements of Q which means we prove our system property Problem: Liveness Obligations are of the form: Γ G((Z(H(Θ q )) ^ Δ q ) q) where Γ = { G(H(A c ) P c ) c C } Unfortunately, having G operator on the lefthand of an implication means that this is a liveness formula. We want to use provers that only support safety We want to reflect the component guarantees directly into the G operator on the right. 7

Safety Formulation We define c^ as (A c ^ P c ) for component c. and define C^ as {c^ c C } and define Δ c and Θ c to match Δ c and Θ q. Then we can define obligations that involve only past-time temporal operators: to establish (G(H(A s )) P s ) D. Cofer, A. Gacek, S. Miller, M. Whalen, and B. LaValley. Compositional Verification of Architectural Models. NFM 2012 M. Whalen, A. Gacek, and D. Cofer. Hierararchical Circular Compositional Reasoning. UMSEC Tech Report 2012-1 Component-Level Analysis 8

Making k-induction model checkers mode aware K-induction is a model checking technique that can be used with SMT solvers Very scalable if properties can be inductively proven Unfortunately, Inductive proofs often fail because properties are too weak Lots of work on lemma/invariant discovery to strengthen properties Bjesse and Claessen: SAT-based verification without State Space Traversal Bradley: SAT-based Model Checking without Unrolling Tinelli: Instantiation-Based Invariant Discovery However, these techniques do not work for state machines / modes Created new lemma discovery technique for modes and implemented it in Kind model checker Discover cliques of integer or enumerated model variables Use abstract interpretation to discover small subrange integer modes Posit relationships between mode variables and inductively verify. Initial results are very positive [NFM 2012] Simple Example of Induction Failure: Microwave Mode Logic Want to prove if we re cooking then the door is closed G((mode = 2) => door_closed); 9

Making it inductive Induction step: Start from arbitrary state in which property holds: G((mode = 2) => door_closed); Note that the mode variable does not directly affect the value of the state machine. Need to relate entry concrete value to state machine value. Add lemma: G((mode = 2) <=> Suppose we start the induction step in (state_var = COOKING)) state SETUP, the door is closed, and mode = 2. We stay here for k steps (for any k), then open the door entry: mode = 1 entry: mode = 2 state SETUP entry: mode = 3 GPCA Simulink/StateflowStateflow Model Simulink/Stateflow GPCA pump controller Generic Patient-Controlled Analgesia Infusion pump with input from the patient Reference model for model-based development for medical devices Analysis through test-case generation (Reactis) Analysis through model checking Kind and SAL using RCI/UMN Gryphon tool set 10

Conclusion Mature Simulink/Stateflow analysis capability Gryphon tool suite and Kind model checker Ongoing high-visibility projects at Rockwell Collins using model checking (CAS: Crew Alerting System) Recent capabilities in Kind make it significantly stronger tool Using this to analyze large GPCA models New AGREE system architecture analysis capability Support models in AADL and SysML Tools built in Eclipse Freely available Translates to Kind and will eventually target more: (NuSMV, PVS) Combining results from several funding streams Kind invariant work co-sponsored by AFOSR AGREE work co-sponsored by DARPA (META-II program) Creating substantial reasoning capabilities for tools that engineers use! 11

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback