Test and Evaluation of Autonomous Systems in a Model Based Engineering Context

Similar documents
Tools for Formally Reasoning about Systems. June Prepared by Lucas Wagner

Presented by Greg Pollari (Rockwell Collins) and Nigel Shaw (Eurostep)

Verification and Validation of Models for Embedded Software Development Prashant Hegde MathWorks India Pvt. Ltd.

System Architecture Virtual Integration (SAVI) Presentation to PDT Europe 2016

Complexity-Reducing Design Patterns for Cyber-Physical Systems. DARPA META Project. AADL Standards Meeting January 2011 Steven P.

Architecture-driven development of Climate Control Software LMS Imagine.Lab Embedded Software Designer Siemens DF PL

Safety Assurance in Software Systems From Airplanes to Atoms

Leveraging Formal Methods Based Software Verification to Prove Code Quality & Achieve MISRA compliance

Mike Whalen Program Director, UMSEC University of Minnesota

Verification and Test with Model-Based Design

WHITE PAPER. 10 Reasons to Use Static Analysis for Embedded Software Development

Model-Based Design for High Integrity Software Development Mike Anthony Senior Application Engineer The MathWorks, Inc.

Introduction to Formal Methods

Industrial Verification Using the KIND Model Checker Lucas Wagner Jedidiah McClurg

Deliver robust products at reduced cost by linking model-driven software testing to quality management.

Simulink 모델과 C/C++ 코드에대한매스웍스의정형검증툴소개 The MathWorks, Inc. 1

Flight Systems are Cyber-Physical Systems

Verification and Validation of High-Integrity Systems

Verification and Validation Introducing Simulink Design Verifier

정형기법을활용한 AUTOSAR SWC 의구현확인및정적분석

Software Verification and Validation (VIMMD052) Introduction. Istvan Majzik Budapest University of Technology and Economics

Rockwell Collins Evolving FM Methodology

AADL Requirements Annex Review

Testing! Prof. Leon Osterweil! CS 520/620! Spring 2013!

Automating Best Practices to Improve Design Quality

The Software Assurance Ecosystem: OMG s Approach to Systems & Software Assurance

Verification and Validation

Applications of Program analysis in Model-Based Design

An Information Model for High-Integrity Real Time Systems

Chapter 4 Objectives

UniLFS: A Unifying Logical Framework for Service Modeling and Contracting

Part 5. Verification and Validation

Model-Based Design for Safety-Critical and Mission-Critical Applications Bill Potter Technical Marketing April 17, 2008

Implementation and Verification Daniel MARTINS Application Engineer MathWorks

Safety Argument based on GSN for Automotive Control Systems. Yutaka Matsubara Nagoya University

Contract-based design, model checking, and model-based safety assessment

Formal Verification for UML/SysML models

Certification Requirements for High Assurance Systems

A Model-Based Reference Workflow for the Development of Safety-Related Software

MASP Chapter on Safety and Security

AMASS. Architecture-driven, Multi-concern and Seamless Assurance and Certification of Cyber-Physical Systems

Proofs and Proof Certification in the TLA + Proof System

COMPASS: FORMAL METHODS FOR SYSTEM-SOFTWARE CO-ENGINEERING

Certification Authorities Software Team (CAST) Position Paper CAST-25

High-Assurance Cyber Space Systems (HACSS) for Small Satellite Mission Integrity

Guidelines for deployment of MathWorks R2010a toolset within a DO-178B-compliant process

Developing AUTOSAR Compliant Embedded Software Senior Application Engineer Sang-Ho Yoon

XIV. The Requirements Specification Document (RSD)

Intro to Proving Absence of Errors in C/C++ Code

Update on AADL Requirements Annex

Best Practices for Model-Based Systems Engineering

Leveraging Formal Methods for Verifying Models and Embedded Code Prashant Mathapati Application Engineering Group

Automated Freedom from Interference Analysis for Automotive Software

Unit 1 Introduction to Software Engineering

! Use of formal notations. ! in software system descriptions. ! for a broad range of effects. ! and varying levels of use. !

BUILDING GOOD-QUALITY FUNCTIONAL SPECIFICATION MODEL

Mixed Critical Architecture Requirements (MCAR)

Just-In-Time Certification

Software Model Checking: Theory and Practice

CSSE 490 Model-Based Software Engineering: Transformation Systems

CS 161 Computer Security

Requirement Analysis

ISO compliant verification of functional requirements in the model-based software development process

Verification and Validation. Ian Sommerville 2004 Software Engineering, 7th edition. Chapter 22 Slide 1

SCADE. SCADE Architect System Requirements Analysis EMBEDDED SOFTWARE

Addressing Future Challenges in the Development of Safe and Secure Software Components The MathWorks, Inc. 1

Adding Formal Requirements Modeling to SysML

Q Body of techniques supported by. R precise mathematics. R powerful analysis tools. Q Rigorous, effective mechanisms for system.

Deriving safety requirements according to ISO for complex systems: How to avoid getting lost?

Evidence-based Development coupling structured argumentation with requirements development.

Verification and Validation

Verification and Validation

Investigation of System Timing Concerns in Embedded Systems: Tool-based Analysis of AADL Models

OMG Systems Modeling Language Tutorial May, 2012

ExCuSe A Method for the Model-Based Safety Assessment of Simulink and Stateflow Models

For presentation at the Fourth Software Engineering Institute (SEI) Software Architecture Technology User Network (SATURN) Workshop.

Component Design. Systems Engineering BSc Course. Budapest University of Technology and Economics Department of Measurement and Information Systems

Using Model-Based Design in conformance with safety standards

Automating Best Practices to Improve Design Quality

Verification and Validation. Ian Sommerville 2004 Software Engineering, 7th edition. Chapter 22 Slide 1

CIS 890: High-Assurance Systems

Ian Sommerville 2006 Software Engineering, 8th edition. Chapter 22 Slide 1

UNCLASSIFIED. FY 2016 Base FY 2016 OCO

Certification of Model Transformations

Boeing Certification Techniques for Advanced Flight Critical Systems Challenge Problem Integration (CerTA FCS CPI) Briefing at the

SySTEMA. SYstem & Safety Tool for Executing Model-based Analyses

ISO Compliant Automatic Requirements-Based Testing for TargetLink

Software architecture in ASPICE and Even-André Karlsson

International Journal of Computer Engineering and Applications, Volume XII, Special Issue, September 18, ISSN SOFTWARE TESTING

From Design to Production

What s New with the MATLAB and Simulink Product Families. Marta Wilczkowiak & Coorous Mohtadi Application Engineering Group

Automatización de Métodos y Procesos para Mejorar la Calidad del Diseño

COMPASS GRAPHICAL MODELLER

Coding Standards in FACE Conformance. John Thomas, Chris Edwards, and Shan Bhattacharya

Model-Based Design of Connected and Autonomous Vehicles

Using Formal Methods Tools to Improve Security in an Autonomous Military Truck

Describing the architecture: Creating and Using Architectural Description Languages (ADLs): What are the attributes and R-forms?

Chapter 1: Programming Principles

A Software Safety Argument Pattern Catalogue

handled appropriately. The design of MILS/MSL systems guaranteed to perform correctly with respect to security considerations is a daunting challenge.

Transcription:

Test and Evaluation of Autonomous Systems in a Model Based Engineering Context Raytheon Michael Nolan USAF AFRL Aaron Fifarek Jonathan Hoffman 3 March 2016 Copyright 2016. Unpublished Work. Raytheon Company.

Agenda Motivation Trust and Certification Process Background Formal Analysis Requirements Analysis Architecture Model Traceability SysML Representation of Autonomous System and Autonomous System Development Basic example of Autonomous Systems T&E in MBE context Summary 2

Motivation Introduction, Discovery, and Cost of Software Faults 1,2,3 Identified Need 70% of faults are introduced 3.5% faults are found 1x estimated nominal cost for fault removal Requirement Development Opportunity to find faults as they are introduced when costs are low Architecture Development 1. NIST Planning report 02-3, The Economic Impacts of Inadequate Infrastructure for Software Testing, May 2002. 2. D. Galin, Software Quality Assurance: From Theory to Implementation, Pearson/Addison-Wesley (2004) 3. B.W. Boehm, Software Engineering Economics, Prentice Hall (1981) Detailed Design Implementation Integration 20% of faults are introduced 16% faults are found 5x estimated nominal cost for fault removal Validation Verification Transition 20.5% faults are found 300-1000x estimated nominal cost for fault removal 10% of faults are introduced 59.5% faults are found 20-80x estimated nominal cost for fault removal Rework and certification is 70% of SW cost. 4 3

Trust and Certification Products / Process Compositionally Verified Systems of Systems Design Requirement Formalization & Analysis Requirements Architecture Models Architecture Formalization & Analysis FORMALIZED SAFETY ASSESSMENT HAZARD MITIGATION REQUIREMENTS Validation Analytical Proof Synthesis Simulation Testing Multiple New Autonomy Need V&V Technology Paths Modeling, Simulation, Test & Evaluation Run Time Assurance Assurance Validator Certified Assurance Case System Design and Safety Requirements (ARP 4761, ARP 4754/A, MIL-HDBK-882E) Testable Requirements & Verification Plans (DO-178C/254, MIL-HDBK-516) 4

Formal Analysis Formal Methods refers to mathematically rigorous techniques and tools for the specification, design and verification of software and hardware systems. - Langley Formal Methods (http://shemesh.larc.nasa.gov/fm/fm-what.html) What is Formal Analysis? Analysis performed on mathematically precise models utilizing elegant Computer Science algorithms and tools Model-Checking Theorem Proving Why do we want to do it? We can exhaustively search the behavior of models to prove or disprove desired properties Removal of ambiguity due to required mathematical rigor Can identify unintended and unspecified behaviors 5

Analysis Advantage of Model Checking Testing Checks Only the Values We Select Model Checker Tries Every Possible Value! Even Small Systems Have Trillions (of Trillions) of Possible Tests! Finds every exception to the property being checked! 6

Requirements Development & Analysis Precise, structured standards to automate requirement evaluation for testability, traceability, and de-confliction 7

Formal Requirements Analysis Natural language requirements are difficult to process logically and mathematically especially if they are not written with a formal basis The flight control function that performs the automatic avoidance maneuver shall be of a level of redundancy equivalent to the primary flight control system What is the formal definition of this constraint on the system? Not a trivial definition on the system Formal Methods refers to mathematically rigorous techniques and tools for the specification, design and verification of software and hardware systems. - Langley Formal Methods (http://shemesh.larc.nasa.gov/fm/fm-what.html) Temporal logic definitions are not obvious to write for most individuals and takes years of practice to master effectively What does that mean? There may be logical basis but it s not accessible to others. 8

Formal Requirements Analysis Our Approach Pattern Implementation Constrain natural language to patterns which contain a scope and a predicate Enforces the formal basis necessary to ensure mathematical rigor Can requirements be defined and verified compositionally? Property Patterns Classes Occurrence Order Absence Universality Existence Bounded Existence Precedence Response Chain Precedence Chain Response 9

Architecture Guarantee appropriate decisions with traceable evidence during the system architectural design 10

Architecture: AADL and AGREE The Architecture Analysis & Design Language (AADL) Developed by SAE Architecture modeling notation with well-defined semantics Assume Guarantee REasoning Environment (AGREE) plugins Developed by University of Minnesota and Rockwell Collins Part of the DARPA High-Assurance Cyber Military Systems (HACMS) program 1 Assumptions Guarantees Assumption: something a system assumes about it s environment (inputs) System Implementation 1. Kathleen Fisher, Using Formal Methods to Enable More Secure Vehicles: Tufts University, 16 September, 2014 DARPA's HACMS Program, URL: http://wp.doc.ic.ac.uk/riapav/wpcontent/uploads/sites/28/2014/05/hacms-fisher.pdf [cited 27 Jul. 2015]. Guarantee: what you can assume about the system and the performance of the system (outputs) 11

AGREE Assume Guarantee REasoning Environment Assume-Guarantee Contract - Verifiable set of Assumptions and Guarantees that abstracts the behavior of a system component implementation Assumptions Constraints over what a component expects to see from its environment Guarantees Constraints over how a component behaves in response to its environment 12

Compositional Verification A series of techniques to allow for systems to be decomposed into less complex modules to be enforce a hierarchical structure that can be leveraged for compositional techniques Systems can be hierarchically organized Requirements vs. architectural design must be a matter of perspective Need better support for N-level decompositions for requirements and architectural design 1 1. Whalen, Michael W., et al. Your What Is My How : Iteration and Hierarchy in System Design. Software, IEEE 30.2 (2013): 54-60. 13

Model Development Cumulative Evidence Through Research, Developmental, and Operational Test 14

Introduce Simulink and SLDV Uses formal methods to find violations of design properties and assumptions Formal Analysis techniques from: Prover Plug-In Polyspace formal analysis engine from MathWorks 15

SLDV Analysis Property Model Property Model Property Blocks 16

Requirements Traceability Requirement - SpeAR Property Architecture - AGREE Guarantee Modeling - Simulink Design Verifier Property 17

Model Lifecycle Management Perspective MLM autonomy perspective starts with MLM framework «analysis model» rev1 «arch model» rev1 Bob Mary «cad model» rev1

SysML Representation of Autonomous System and Autonomous System Development - Building on the MLM framework - Nominal autonomous system modeled in SysML (Rhapsody example) - UML Test Protocol or similar utility is used - Enables efficient pairing of requirements, test straps, procedures, reports, and other artifacts with each member of a product family - Models are executable within modeling environment at chosen level of fidelity 3/7/2016 19

Basic example of Autonomous Systems T&E in MBE context Basic Machine Learning algorithm hosted in Simulink Data sets for nominal autonomous system developed Simulink components integrated within Rhapsody (SysML) Model executed in the SysML environment SysML test utilities placed around test and test results IBM Test Conductor or potentially RQM wrapper Systems trained with different data sets behaved differently MBE considerations Configuration management, Data management Flexibility, product family architecture support Training Data is paired with the autonomous system Ability to trace system development back to the training data set used Autonomous systems development requires additional MBSE considerations 3/7/2016 20

Summary Discovery of critical flaws early in the design process can save time and money Formal requirement traceability throughout design process Composability for reuse and modular verification Autonomous systems development requires additional MBSE considerations 21

Future Directions of Work Continued research in the Development Process Requirements Realizability arguments could identify early conflicts Natural language masking of formal representations Architecture Abstraction of different compositional levels across different teams Modeling Bounding nonlinear behavior within discrete defined systems Assurance Case Construction Utilize the artifacts from the Development Process to provide evidence of behavior Move the formulation forward with these artifacts Implementing the Development Process on more complex systems Testing the scalability of the techniques Designing challenges that approach the complexity of Air Force domain systems Potentially build on MBSE autonomy structure Run-time Assurance for nonlinear autonomy If we can t formally prove or test can we bound? How can we safely bound a system? 22

Questions? aaron.fifarek.ctr@us.af.mil jonathan.hoffman.2@us.af.mil mknolan@raytheon.com Copyright 2016. Unpublished Work. Raytheon Company.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback