Verification of Safety Critical Software

Computational Logic QMUL 26 Mar 04

Verification of Safety Critical SoftwareNick Tudortel: +44 1684 894489email: njtudor@qinetiq.com

The Agenda

• The NDI Control Law

• A Path Finding Experiment

• Benefits

• Resistance

• Questions

The NDI Control Law

Control software

Example of successful application

Verification of autocoded Non-linear Dynamic Inversion Control Laws embedded in Vectored thrust Aircraft Advanced flight Control (VAAC)

Harrier

Part of NDI Control Law

Year 1999

• One man ; 3 months

• Used RTW Ada autocoder

– Produced 3 procedures, Step, Control Law & End

– 800 LOC

• Used manual refinement

• Interactive proof to discharge the 36 VCs

• Print out of instructions to ProofPower took ~180 pages

Year 2000

• Outstanding MSc Student at the world renowned Computer Science Dept, University of York

• Modules in the Simulink could be replicated in the autocode– 5 Modules– Used packages to get 3 procedures per package– 1200 LOC– 43 VCs (not proven)

• Now meant that effort could be divided and system upgraded in modular fashion (modular certification)

Meanwhile – Reverse Engineered Safety Evidence• Fortran not used in development for 25

procedures• Procedure results for remaining 331 procedures

– Positive compliance: 88%– Negative compliance: 2% – Tool problems: 2%– Inconclusive: 7%

• Verification condition results (16,000 VCs)– Totally automatic proofs: 95.7%– Part-automatic, part-interactive proofs: 3.1%– Unproven: 1.2%

Year 2003

• 4 people; 1 week

• Still using RTW Ada autocoder

– Produced 8 procedures

– 850 LOC

• Used refinement script to drive automatic refinement

• Automatic proof using Supertac to discharge 94% of 373 VCs (21 remained)

– Improvements since then

A Path Finding Experiment

Why do an experiment?

• The embryonic technique has been applied to experimental control laws (…….and it worked!!)

• No metrics were gathered, therefore: “How good is it for my project?”

• No independent assessment by industry or MOD on a real project

• Safety/certification issues to be addressed

• Applicability: Safety/non-safety critical?

The Comparison

Translation to Simulink{Done in 2001}

Manually Code into SPARK Ada

Confirmed equivalent

Requirement - Fortran

Iterate

Unit testAutocode/Autoprove

100% pass

Manhours comparison

ALL Groups Staffing Profile

SEPM (PM)

SEPM (SE)

Persons

(OCT 03 to APR 05)

JAN 03 MAY 03 SEP 03 JAN 04 MAY 04 SEP 04 JAN 05 MAY 05

Conventional

PRICE-S ROM ComparisonBased on one result extrapolated to 1KLOC – Dates are irrelevant

Results Interpretation

• CAVEAT: THIS IS ONE EXPERIMENT WITH CONSTRAINTS

• Two separate analysis were carried out on the results:– BAES/York University and PFG SW Cost Forecasting

• Represents 21/2 - 4 1/2 times faster than existing process for Design , Code & Unit Test (BAES/York)

• Based on a nominal 1000LOCs, code development effort reduced to 28% (ie 72% savings) (PFG)

• Typically would expect 0.33 LOC per person per hour; CLawZ is at worst 40 and at best 100 times faster (PFG)

• Translates to approx 30-40% savings in software life cycle costs (CADMID) (PFG)

Benefits

Model development and proof V&Vvs

Traditional development and V&V

Concept/Req

Design

Flight Test

Rig Tests

Proof and limited tests

Mathematical Specification,

Simulink autocode

Resistance“…is futile” – The Borg Collective

Barriers to be overcome

• Industrial investment in existing tools, processes, people, training

• NIH

• Not C – yet!

• Certification and tool qualification

• How do I know I have got the right Simulink……?

• ….and are safety properties in the Simulink reflected in the code…and can I demonstrate that to certifier?

Proving Properties - Certification

G{S} H{S}

Property needs to be provable in the code

Safety Case

Safety gap

Mind the Gap!

Verification of Safety Critical SoftwareNick Tudortel: +44 1684 894489email: njtudor@qinetiq.com

Any Questions?

Verification of Safety Critical Software

Documents

Transcript of Verification of Safety Critical Software

Check Sheets for Annual Verification of Critical Systems · Check sheets for Annual Verification of Critical Ventilation Systems on Healthcare Sites Check Sheets for Annual Verification

Verification & Validation of Safety Critical Software

Software Verification - CSI Documentsdocs.csiamerica.com/manuals/sap2000/Verification/Methodology.pdf · Software Verification PROGRAM NAME: SAP2000 REVISION NO.: 14 METHODOLOGY -

Product-Line Verification of Safety-Critical Software

Software Verification & Validation

Critical Real Time Software Verification - Inria

Software Development and Verification compliance to DO ... · •Software verification plan •Software requirements specification •Software design document

Software Verification and Validation Prof. Lionel Briand ... · Software Verification and Validation Prof. Lionel ... • Founded the first IEEE conference on software verification

Software requirement verification & validation

METHODOLOGY DEVELOPMENT FOR THE VERIFICATION … · WjPC-TR-90-3067 AD-A229 932 METHODOLOGY DEVELOPMENT FOR THE VERIFICATION AND VALIDATION OF FLIGHT CRITICAL SYSTEMS SOFTWARE Ronald

Software Verification Etabs

Automated Quantitative Software Verification

09-Software Validation, Verification

Software Engineering Verification and Validation Slide 1 Verification and Validation Software Engineering.

Formal Modeling and Verification of Safety-Critical Softwarese.kaist.ac.kr/ekjee/paper/IEEESoftware2009-jbyoo.pdf · 2016-07-08 · based process for developing safety-critical software

VERIFICATION OF CONTROL MEASURES FOR CRITICAL …

Evaluation Techniques applied for Mission-Critical Software of … · 2017-03-02 · Evaluation Techniques applied for Mission-Critical Software of ... Independent Verification &

Formal Software Verification

Chapter 6: Software Verification

Formal Software Verification for Early Stage Design Final ... · PDF fileFormal Software Verification for Early Stage ... Software Verification for Early Stage Design ... in machine-readable