Industrial Verification Using the KIND Model Checker Lucas Wagner Jedidiah McClurg

Transcription:

Industrial Verification Using the KIND Model Checker Lucas Wagner Jedidiah McClurg {lgwagner,jrmcclur}@rockwellcollins.com

Software Complexity is Becoming Overwhelming

Advancements in computing technology have increased the capability of systems by enabling more complex software to be utilized.

Software in Defense Systems

Airborne Software Complexity

(Chart: K words of airborne software by year, 1965 to 1995, logarithmic y-axis, titled "Doubles Every Two Years!". Labelled data points: INS 23K, A300B 200K, A310 2M, A320 4M, A330/A340 10M, and A300FF.)

Source: J.P. Potocki De Montalk, Computer Software in Civil Aircraft, Sixth Annual Conference on Computer Assurance (COMPASS 91), Gaithersburg, MD, June 24-27, 1991.

Airborne Software Complexity: Similar Growth Has Been Seen by Boeing

(Two charts, 1970 to 1995: object code size in Mbytes and number of signals for the 747-200, 757/767, 747-400 and 777.)

Why is complexity a problem?

- Complex modern software is becoming prohibitively expensive to validate and verify using traditional methods.
- Validation and verification is usually a level-of-effort activity: one can always write more tests, but how much is enough?
- Exhaustive methods are necessary to prove the absence of errors, but are impractical (and impossible) using traditional methods on modern systems.
- Verification and validation using traditional methods is costly. The traditional waterfall development paradigm can lead to costly iterative fixes when errors are discovered late in the development cycle.
- Errors missed by gaps in traditional testing might be discovered in service, leading to very costly.

A Partial Solution

What is needed?
- An iterative V&V approach that can detect errors early in the development cycle, preferably at the design stage.
- Provides a high level of assurance, preferably exhaustive.
- Can be learned rather quickly (weeks to months) and does not require years to become an expert.

Software model-checking is a partial solution to this problem.

Over the last decade, Rockwell Collins has developed and refined a formal translation framework to enable model-checking of software developed in the Model-Based Development paradigm.

What is Model-Based Development (MBD)?
- A set of domain-specific graphical notations used to develop software.
- Using MBD enables early simulation and debugging of models.
- Demonstrably correct models can be used to generate test cases and source code for use on targeted processors.
- Examples: MATLAB Simulink, Esterel Technologies SCADE Suite.

What is Model-Checking?
- Exhaustively proves user-specified properties about a model.
- Fully automated.
- Generates a counterexample if a property is false.

Reduce costs and improve quality by using analysis to find errors during early design.

Traditional Verification vs. Model Checking

- Testing checks only the values we select.
- A model checker tries every possible value! Even small systems have trillions (of trillions) of possible tests!
- Finds every exception to the property being checked!

Rockwell Collins Translation Framework

(Diagram. Tools shown: Simulink, Simulink Gateway, SCADE, StateFlow, Safe State Machines, Lustre, Kind, NuSMV, Prover, Reactis, ACL2, PVS, SAL (SAL Symbolic Model Checker, SAL Bounded Model Checker, SAL Infinite Model Checker), and C/Ada. Contributors shown: Rockwell Collins/U of Minnesota, Esterel Technologies, SRI International, Reactive Systems, MathWorks, University of Iowa.)

Industrial Application of Model-Checking: CerTA FCS Phase I

- Sponsored by the Air Force Research Labs Air Vehicles (RB) Directorate, Wright Patterson.
- Investigate roles of testing and formal verification: can formal verification complement or replace some testing?

Example model: Lockheed Martin Adaptive UAV Flight Control System, Redundancy Management Logic in the Operational Flight Program (OFP). Well suited for verification using the NuSMV model-checker.

Lockheed Martin Aero (based on testing, enhanced during CerTA FCS):
- Graphical viewer of test cases
- Support for XML/XSLT test cases
- Added C++ oracle framework
- Developed tests from requirements
- Executed test cases on test rig

Rockwell Collins (based on model-checking, enhanced during CerTA FCS):
- Support for Simulink blocks
- Support for Stateflow
- Support for Prover model-checker
- Developed properties from requirements
- Proved properties using model-checking

WPAFB 08-5183 RBO-08685 8/20/2008

CerTA FCS Phase I Verification Results

    Errors Found in Redundancy Manager   Model Checking   Testing
    Triplex Voter                                     5         0
    Failure Processing                                3         0
    Reset Manager                                     4         0
    Total                                            12         0

- Model-checking found 12 errors that testing missed.
- More time was spent on testing than on model-checking: 60% of the total on testing vs. 40% on model-checking.
- Model-checking was more cost effective than testing at finding design errors.

KIND Model Checker

As model-checking technology has improved, Rockwell Collins has been looking for the next-generation model-checker to expand the set of problems we can solve. Specifically, the following capabilities were considered:
- Improved reasoning over infinite-state systems
- Improved reasoning over arithmetically intense systems
- Low or no cost (NuSMV, SAL)

KIND was our choice:
- KIND offers k-inductive model checking, which is similar to bounded model checking but works for many- or infinite-state systems.
- KIND has performed well on a large group of our models.
- We have made some improvements: integration with the Rockwell Collins Translator GUI, intuitive presentation of solver results (counterexamples, etc.), and invariant generation.

KIND Initial Benchmark Results

KIND showed promising results on our first tests. The Microwave Example is a simple model of a microwave, with 13 properties.

(Chart "KIND on Microwave Example": number of properties per solver-time bin, in seconds, from 0-5 up to 30+.)

More KIND Benchmark Results

The Univ. of Iowa benchmark set contains 896 models from various domains (memory, simulation, counters, etc.), each with a safety property. Roughly half are valid, and half are falsifiable.

(Chart "KIND on UIowa Benchmarks": number of problems per solver-time bin, in seconds, from 0-10 up to 60+.)

Triplex Voter

The triplex voter is a large control system with 150 properties and 23 hand-calculated invariants/assumptions.

(Chart "KIND on Triplex Voter": number of properties per solver-time bin, in seconds, from 0-10 up to 50+.)

Complex Stateflow Model

The NASA Docking Example models a spacecraft docking procedure. We examined 22 safety properties with KIND. A large percentage of these appear to be non-k-inductive!

(Chart "KIND on NASA Docking Example": number of properties per solver-time bin, in seconds, from 0-100 up to 600+.)

XML Property Reports

KIND needed a uniform output format, so we developed an XML schema for solver outputs:

    <?xml version="1.0"?>
    <Results xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <File>microwave.kind.lus</File>
      <Property name="s1">
        <Date>2011-03-25</Date>
        <Runtime unit="sec" timeout="false">9.124</Runtime>
        <K>13</K>
        <Answer>valid</Answer>
      </Property>
    </Results>

False Property with Counterexample

Counterexamples are presented in a form that can be parsed and displayed as a spreadsheet, etc.

    <?xml version="1.0"?>
    <Results xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <File>C:\test\large\car_all_e3_1068_e5_882.kind.lus</File>
      <Property name="ok">
        <Date>2011-05-19</Date>
        <Runtime unit="sec" timeout="false">0.328</Runtime>
        <K>2</K>
        <Answer>falsifiable</Answer>
        <Counterexample>
          <Signal name="ok" node="top" type="bool">
            <Value time="0">1</Value>
            <Value time="1">0</Value>
          </Signal>
          <Signal name="voiture_speed" node="top" type="int">
            <Value time="0">0</Value>
            <Value time="1">-2</Value>
          </Signal>
          <Signal name="voiture_time" node="top" type="int">
            <Value time="0">0</Value>
            <Value time="1">0</Value>
          </Signal>
        </Counterexample>
      </Property>
    </Results>
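A reader for this report format, as an added example that is not KIND's own code: the element and attribute names follow the schema shown on the two slides above, the embedded report is constructed for the example, and each counterexample is turned into one row per time step, the spreadsheet view the slide mentions.

```python
"""Reader for the KIND XML property-report schema shown on these slides; added
example, not part of KIND.  The embedded report is constructed for the example."""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0"?>
<Results xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <File>car.kind.lus</File>
  <Property name="ok">
    <Date>2011-05-19</Date>
    <Runtime unit="sec" timeout="false">0.328</Runtime>
    <K>2</K>
    <Answer>falsifiable</Answer>
    <Counterexample>
      <Signal name="ok" node="top" type="bool">
        <Value time="0">1</Value><Value time="1">0</Value>
      </Signal>
      <Signal name="voiture_speed" node="top" type="int">
        <Value time="0">0</Value><Value time="1">-2</Value>
      </Signal>
    </Counterexample>
  </Property>
</Results>"""

def _typed(text, kind):
    """Convert a <Value> according to its Signal's type attribute."""
    text = text.strip()
    return text in ("1", "true") if kind == "bool" else int(text) if kind == "int" else text

def parse_report(xml_text):
    """Return {"file": ..., "properties": [...]}; each property carries its answer,
    k, runtime and, when falsifiable, a per-time-step trace table."""
    root = ET.fromstring(xml_text)
    report = {"file": root.findtext("File"), "properties": []}
    for prop in root.findall("Property"):
        runtime = prop.find("Runtime")
        entry = {"name": prop.get("name"), "answer": prop.findtext("Answer"),
                 "k": int(prop.findtext("K")), "runtime_sec": float(runtime.text),
                 "timeout": runtime.get("timeout") == "true", "trace": []}
        cex = prop.find("Counterexample")
        if cex is not None:
            # signal name -> {time step -> typed value}
            signals = {s.get("name"): {int(v.get("time")): _typed(v.text, s.get("type"))
                                       for v in s.findall("Value")}
                       for s in cex.findall("Signal")}
            steps = sorted({t for vals in signals.values() for t in vals})
            # one row per time step: the spreadsheet form the slide describes
            entry["trace"] = [{"time": t, **{n: vals.get(t) for n, vals in signals.items()}}
                              for t in steps]
        report["properties"].append(entry)
    return report
```

A valid property has no Counterexample element and so gets an empty trace; a Signal missing a time step yields None in that row.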

Graphical User Interface

The user interface to the tool is important, since many potential users are not formal methods experts.

Difficulty: Stateflow Models

Stateflow is a complex modeling language with a variety of state-diagram-like constructs. Lustre models derived from Stateflow are hard to verify: state, counters, variable interdependencies.

Solution: Invariant Generation

Invariant generation via static analysis!
- Range invariants can change a property from very difficult (K > 100) to easy (K = 5).
- Simple implications between variables (mode invariants) can change the property from difficult (K > 50) to easy (K = 2).

(Chart "KIND on NASA Docking Example": number of properties per solver-time bin, in seconds, from 0-100 up to 600+, with the properties needing additional invariants marked.)
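The k-induction described on the KIND slide, and the effect of a range invariant described just above, as an added example that is not KIND's own code. KIND discharges the base and step obligations symbolically with an SMT solver; here the state space is a constructed finite domain so both obligations can be checked by enumeration, and the delay chain, the property and the invariant are all assumptions made for the example.

```python
"""k-induction on a small Lustre-style delay chain, showing why a range
invariant lowers the k needed.  Added example, not KIND's own code: KIND poses
the base and step obligations to an SMT solver symbolically; here the state
space is a constructed finite domain so the check runs by enumeration."""
from itertools import product

DOMAIN = range(-2, 7)   # constructed: finite stand-in for the integers
INIT = (0, 0, 0, 0)     # (x, y1, y2, y3) with y1 = pre x, y2 = pre y1, y3 = pre y2

def step(state, reset):
    """One clock tick: x counts 0..3 and wraps (or resets); y1..y3 delay x."""
    x, y1, y2, _y3 = state
    nx = 0 if reset else (x + 1 if x < 3 else 0)
    return (nx, x, y1, y2)

def prop(state):
    """Property under check: the three-step delayed counter never exceeds 3."""
    return state[3] <= 3

def range_invariant(state):
    """Hand-calculated range invariant on the other signals (the slide's idea)."""
    return all(v <= 3 for v in state[:3])

def paths(start, k):
    """All executions of k ticks from `start`, one per boolean input sequence."""
    for inputs in product((False, True), repeat=k):
        trace = [start]
        for r in inputs:
            trace.append(step(trace[-1], r))
        yield trace

def k_inductive(k, p):
    """Base: p holds on the first k states of every run from INIT.
    Step: p on any k consecutive states (starting anywhere in DOMAIN) implies p next."""
    base = all(all(p(s) for s in t) for t in paths(INIT, k - 1))
    step_ok = all(p(t[k]) for s0 in product(DOMAIN, repeat=4)
                  for t in paths(s0, k) if all(p(s) for s in t[:k]))
    return base and step_ok

def smallest_k(p, kmax=6):
    """Smallest k for which p is k-inductive, or None if there is none up to kmax."""
    return next((k for k in range(1, kmax + 1) if k_inductive(k, p)), None)

if __name__ == "__main__":
    print("property alone needs k =", smallest_k(prop))          # 4
    print("with range invariant k =",
          smallest_k(lambda s: prop(s) and range_invariant(s)))  # 1
```

Without the invariant, the step obligation fails for k < 4 because an arbitrary (unreachable) start state can hold a large x that surfaces in y3 three ticks later; conjoining the range invariant rules those states out and the strengthened property is 1-inductive.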

Acknowledgements

- NASA Langley Research Center: Ricky Butler, Paul Miner, George Hagen (formerly of University of Iowa)
- Air Force Research Labs: Dave Homan, Jon Hoffman, Brian Hulbert, Wendy Chou
- University of Minnesota: Prof. Mats P. E. Heimdahl, Michael Whalen (formerly of Rockwell Collins)
- University of Iowa: Prof. Cesare Tinelli, Dr. Teme Kahsai

Questions/Comments?