Scalability of formal methods for validation and verification of software control systems

Transcription

1 Scalability of formal methods for validation and verification of software control systems COPYRIGHT 2012 HAMILTON SUNDSTRAND CORPORATION. THIS DOCUMENT IS THE PROPERTY OF HAMILTON SUNDSTRAND CORPORATION (HSC). YOU MAY NOT POSSESS, USE, COPY OR DISCLOSE THIS DOCUMENT OR ANY INFORMATION IN IT, FOR ANY PURPOSE, INCLUDING, WITHOUT LIMITATION, TO DESIGN, MANUFACTURE OR REPAIR PARTS, OR OBTAIN ANY GOVERNMENT APPROVAL TO DO SO, WITHOUT HSC S EXPRESS WRITTEN PERMISSION. NEITHER RECEIPT NOR POSSESSION OF THIS DOCUMENT ALONE, FROM ANY SOURCE, CONSTITUTES SUCH PERMISSION. POSSESSION, USE, COPYING OR DISCLOSURE BY ANYONE WITHOUT HSC S EXPRESS WRITTEN PERMISSION IS NOT AUTHORIZED AND MAY RESULT IN CRIMINAL AND/OR CIVIL LIABILITY. E. Scholte (Hamilton Sundstrand) A. Ferrari (ALES s.r.l.) Team: C. Liu, C. Pinello, R. Kumar (UTRC) L. Mangeruca, C. Sofronis (ALES s.r.l.) EAR STATEMENT WARNING -- This document or file contains technical data the export of which is, or may be, restricted by the Export Administration Act and the Export Administration Regulations (EAR), 15 C.F.R. parts Diversion contrary to U.S. law is prohibited. The export, re-export, transfer or re-transfer of this technical data to any other company, entity, person, or destination, or for any use or purpose other than that for which the technical data was originally provided by Hamilton Sundstrand, is prohibited without prior written approval from Hamilton Sundstrand and authorization under applicable export control laws. EAR Export Classification: ECCN EAR99 June Aerospace Decision and Control Workshop Georgia Institute of Technology Atlanta, GA

2 OUTLINE Systems at Hamilton Sundstrand System Integration and Control Integrated Modular Avionics, Software, 178C Formal Methods for Model Based Validation and Verification Scalability Challenges: Abstractions and Automatic Simplifications 1

3 HAMILTON SUNDSTRAND AEROSPACE SYSTEMS INDUSTRIAL Electric Systems Air Management Engine Systems Space Systems Compressors Fire Protection Propellers Systems Auxiliary Power Actuation Systems Specialty Pumps Hamilton Sundstrand is among the world s largest suppliers of technologically advanced aerospace and industrial products.

4 HAMILTON SUNDSTRAND Experience 1900 s today Curtiss T

5 HAMILTON SUNDSTRAND Electric Systems Electric Systems Platforms Integrated Drive Generator Variable Frequency Generator Power Control / Conversion ERJ170/190 Boeing 737 F-35 JSF A320 A350 Boeing 787 C919 CSeries Power Distribution / Management Emergency Power Electric Systems has 22 active development programs

6 SYSTEM INTEGRATION AND SOFTWARE System integration encompassing mechanical, electrical, and software control systems. Increased use of networks and software to implement functionality 178C: Model Based Development and Formal Methods How to leverage existing model based techniques for validation and verification of highly integrated cyber physical systems? (How to reuse existing models created during development?) 5

7 MODEL BASED VERIFICATION TECHNIQUES Need to manage complexity growth in cost/schedule effective manners Augment testing with formal methods Develop models at the different abstraction layers to enable early and consistent guidance Use analysis (formal analysis) to verify correct behavior at different layers Customer specification Aircraft System Model Validation/Verification techniques System Requirement Document System Behavioral Model Formal analysis Formal analysis of discrete systems (finite state) using model checkers Simulation Derived Requirement Document Component Model Physical testing Software Implementation Model

8 ELECTRIC SYSTEM CONTROL INTEGRATION Generation and Primary Power Distribution Typical 6-9 main power sources S = {on, off, failed} LGEN ExtPwr APU RGEN Typical contactors (actuators) C = {on, off, failed open, failed closed} AC Bus L TRU AC Bus R TRU Order of nominal physical configurations: ~2^43 = 8,796,093,022,208 DC Bus L DC Bus R (Physical system constraints will reduce this number) Batt Bus L Batt Batt Bus R

9 SYSTEM SIZE AND INCREASED INTEGRATION Increase reliance on electric power in aircraft raises complexity of system due to integration Increased use of software and networks to provide system functionality Use Finite State Models and model checking to evaluate system control design System Fault No fault 1 Single contactor fault (Stuck Open) ~12 Single contactor fault (Stuck Open and Stuck Close) Single component fault (i.e. contactor, TRU, Bus, BPCU, GCU failure) Number of Configurations ~26 ~40 Dual failure operation ~1,000 Typical conventional system (Single cruise mode system configuration)

10 MODEL CHECKING Use Formal Model of the controller/software and determine whether properties (i.e. requirements) are met for all possible input sequences Looks at all possible behaviors of the system Automated procedure if the system is Finite State Model (system requirements/ functionality) Model Checker Tool OR YES NO and a counterexample (sequence of inputs) is given System/function modeled as Finite State Machine Specification (System property) Requirement formalized using (temporal) logic

11 SYSTEM REQUIREMENT MODELING Formulate system requirements as invariants or use Linear Temporal Logic S1 S2 C1 C2 ACBUS

12 SCALABILITY OF MODEL CHECKING Methods for increasing checkable system size: Binary Decision Diagram ordering NP-hard to find best ordering, use heuristics Automatic simplifications Automatic abstractions Example Test System Counter limit Baseline [s] BDD Ordering [s] , , ,000,

13 SIMPLIFICATION AND ABSTRACTION Constant Propagation and simplification Simplifies expressions by propagating constant values through operators Substitute variables with their values Range Reduction By propagating range information through the model Reduce variable data types while still supporting the computed ranges Typical tested system: Originally > 40,000 Boolean Variables Reduce to ~ 6,000 Boolean Variables Automated Subsystem Abstraction Using Cone of Influence automatically remove subsystems Conservative Abstraction Substitute part of the system with one or more input variables Dynamics of substituted part is lost conservative approximation 12

14 SUMMARY Current aircraft systems are increasing in complexity Increased reliance on software control systems for electric power distribution Use of automated techniques enabler for increasing scalability of existing verification engines Questions?