Experiences With Formal Verification in The Design of High Integrity Embedded System & DAE Initiatives
Bhattacharjee, BARC
April 8, 2013, NAL, Bangalore
Their fear is also fed by media-hyped, infamous computer system failures.
Chart: breakdown by subsystem. Subsystems shown: Propulsion; Guidance and navigation; Electrical; Operational ordnance; Structures; Software and computing; Pneumatics and hydraulics; Unknown.
Source: DEVELOPING SAFETY-CRITICAL SOFTWARE REQUIREMENTS FOR COMMERCIAL REUSABLE LAUNCH VEHICLES, FAA/NASA, 2006 (www.faa.gov)
- Development of in-house static analysis and visualisation tools (assembly and C) (1989-95)
- Identified thrust areas in formal methods, V&V
Software
Hardware: Trustworthiness of Processors
- Implementation of the Instruction Set Architecture (has it been implemented correctly?)
- Robustness from security (has it been evaluated from the perspective of system security, e.g. IEC 62443?)
- Software issues (challenges and issues with the design process and tools are the same as in software)
- Device failure: can we monitor their internal states to predict failure?
- Analysis of software-hardware interactions (can we model sw-hw interaction to analyse complex interactions and validate behavioural and performance aspects?)
When I&C systems perform functions important to safety, these systems must be demonstrated to be safe and reliable with an appropriate degree of confidence. Safety-critical functions must be identified based on Postulated Initiating Events (PIEs).
Computation Errors
- Calculation or computation errors (incorrect algorithms, calculation overflow, etc.)
- Data errors (out-of-range data, incorrect inputs, large data rates, etc.)
- Logic errors (improper or unexpected commands, failure to issue a command, etc.)
- Interface errors (incorrect messaging, poor interface layout and design, etc.)
- Environment-related errors (improper use of tools, compilers, changes in operating system, etc.)
- Hardware-related errors (memory errors, SEUs, unexpected computer shutdown, etc.)
Assessment
In other words, the software in these systems must be demonstrated to be safe and to have a high level of integrity.
Assessment
Integrity should be assured by developing the system/software using a systematic, technically appropriate, carefully controlled, fully documented and reviewable engineering process, which is suitably interfaced with V&V activities.
Emphasis on process.
- Safety integrity: probability of a safety-related system satisfactorily performing the required safety functions under all the stated conditions within a stated period of time.
- Safety integrity level: discrete level (one out of a possible four) for specifying the safety integrity requirements... where SIL 4 has the highest level of safety integrity and SIL 1 the lowest.
level.
- Interrupt handling and exception handling in embedded systems
- Appropriateness of finite arithmetic, pointer and buffer usage
- Communication protocols
- Compliance with quality standards and programming guidelines
- Absence of malicious programs
Testing Is Complex
Need for rigorous and precise program analysis to detect data-flow anomalies and RTEs
Verification of Absence of Runtime Errors (RTE)
Arsenal: automated rigorous program analysis (ACE-II, Astree)
Figure: requirements (HLR, LLR) traced to a call tree. Call tree (root: checkTrip): readRTD, applyLogic, genSignals, writeDevice.
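The slides list finite arithmetic, pointer and buffer usage among the things to verify, and show the call tree (checkTrip, readRTD, applyLogic, genSignals, writeDevice) as the shape of the trip function submitted to runtime-error analysis. As an added illustration, not code from BARC or from the slides, here is a hypothetical C implementation of that call tree written so that every array index and every arithmetic step is provably bounded, which is the form an abstract-interpretation analyzer such as Astrée is asked to certify free of runtime errors. The ADC range, temperature scale, set point, channel count, 2-out-of-3 vote, the setChannel/readOutputRegister test hooks and the sample readings are all constructed assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define N_CHANNELS 3u
#define ADC_MAX 4095u              /* 12-bit ADC: valid raw counts are 0..4095 (assumed) */
#define FULL_SCALE_MC 400000u      /* 4096 counts span 400.000 degC (constructed scale) */
#define TRIP_SETPOINT_MC 350000u   /* trip at 350.000 degC (constructed set point) */

/* Constructed sample input standing in for the RTD channel registers. */
static uint16_t adc_channel[N_CHANNELS] = { 1200u, 3900u, 3950u };
/* Stands in for the trip output device register. */
static uint8_t trip_output_reg = 0u;

/* readRTD: read one channel's raw count into *raw.
   Rejects an out-of-range channel index (no out-of-bounds read of adc_channel)
   and an out-of-range count (keeps the arithmetic downstream bounded). */
bool readRTD(size_t ch, uint16_t *raw) {
    if (ch >= N_CHANNELS) return false;
    if (adc_channel[ch] > ADC_MAX) return false;
    *raw = adc_channel[ch];
    return true;
}

/* rawToMilliC: raw counts -> milli-degC. With raw <= 4095 the product
   4095 * 400000 = 1,638,000,000 fits uint32_t, so the multiplication cannot
   overflow given the precondition readRTD enforces. */
uint32_t rawToMilliC(uint16_t raw) {
    return ((uint32_t)raw * FULL_SCALE_MC) / (ADC_MAX + 1u);
}

/* applyLogic: 2-out-of-3 vote. A channel that could not be read is counted
   as tripped (fail-safe), so one faulty channel cannot mask a real trip. */
bool applyLogic(const bool tripped[N_CHANNELS], const bool valid[N_CHANNELS]) {
    unsigned votes = 0u;
    for (size_t i = 0; i < N_CHANNELS; i++) {
        if (!valid[i] || tripped[i]) votes++;
    }
    return votes >= 2u;
}

/* genSignals: encode the decision as the output word:
   bit 0 = trip demand, bits 1..3 = per-channel health (1 = valid). */
uint8_t genSignals(bool trip, const bool valid[N_CHANNELS]) {
    uint8_t word = trip ? 1u : 0u;
    for (size_t i = 0; i < N_CHANNELS; i++) {
        if (valid[i]) word |= (uint8_t)(1u << (i + 1u));
    }
    return word;
}

/* writeDevice: commit the output word to the (simulated) device register. */
void writeDevice(uint8_t word) { trip_output_reg = word; }

/* checkTrip: one cycle of the trip function; returns the word written.
   Every index is bounded by N_CHANNELS and every arithmetic step by ADC_MAX. */
uint8_t checkTrip(void) {
    bool tripped[N_CHANNELS];
    bool valid[N_CHANNELS];
    for (size_t i = 0; i < N_CHANNELS; i++) {
        uint16_t raw = 0u;
        valid[i] = readRTD(i, &raw);
        tripped[i] = valid[i] && (rawToMilliC(raw) >= TRIP_SETPOINT_MC);
    }
    bool trip = applyLogic(tripped, valid);
    uint8_t word = genSignals(trip, valid);
    writeDevice(word);
    return word;
}

/* Test hooks (hypothetical): overwrite a channel reading, inspect the register. */
bool setChannel(size_t ch, uint16_t raw) {
    if (ch >= N_CHANNELS) return false;
    adc_channel[ch] = raw;
    return true;
}
uint8_t readOutputRegister(void) { return trip_output_reg; }
```

With the sample readings two channels are above the set point, so checkTrip() returns 15 (trip demand plus three healthy channels); lowering channel 1 below the set point yields 14 (no trip), and then feeding channel 0 an impossible count above ADC_MAX yields 13 (trip, with channel 0 flagged unhealthy). The point of writing the code this way is that each precondition the analyzer needs (raw <= 4095, index < N_CHANNELS) is enforced at a function boundary rather than assumed, and an unreadable channel fails toward a trip rather than toward silence.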
Experience
- Verification of reactor trip logic
- Verification of function blocks (~80) of an in-house PLC
- Type safeness and verifying against runtime errors
- Translation validation
- Also used for external projects from ADA, VSSC, DRDL
- Used PVS as the backend theorem prover
- Not automatic, and difficult for design engineers to use
Synthesis
Tool architecture (block diagram): Property (via Property Translator) and VHDL Design (via IR Translator, producing IR) feed the Symbolic Simulator and Constraint Solver under an Abstraction/Refinement Manager.
- Achieves scalable verification of designs with both data- and control-dominated sub-parts
- Combines symbolic simulation, abstraction-refinement and bounded model checking with word-level constraint solving
- Used for the functional verification of VHDL designs used in in-house developed hardware boards used in C&I applications
- Properties in PSL extracted from the FPGA Requirements Specification and submitted for verification
- Counterexamples produced by the tool helped in increasing the precision of the specification
- Papers in CAV'11 and TACAS'13
Tool Assessment
- Independent output assessment: can the output of the tool be verified to be correct through an independent means? Some possibilities include manual review of tool output and comparison with a second equivalent tool.
- Relevant history: does the tool have a well-documented history of usage where it has consistently produced acceptable results? The history of usage may include similar applications.
Tool qualification decision flow (reconstructed from the slide's flowchart):
1. Are processes of the standard eliminated, reduced or automated by use of the tool? No: no qualification necessary. Yes: go to 2.
2. Will the tool's output be verified as per the applicable standard? Yes: no qualification necessary. No: qualification is needed; who will do it?
Some Discussions
Design Tools:
- Domain Specific Modelling Language
- Automatic code generator (verify once)
- Proof obligation generator (for safety functions)
Analytical Tools:
- Compliance analyzer (Rigorous Program
New Issues
Can we be future ready?
- Distributed heterogeneous systems
- Handling multicore processors
- Failsafe programmable FPGA designs
- Languages: model-based, type-safe, functional
- Compilation issues
- Rigorous program analysis
DAE Contributions through Extramural Research
- Setting up of CFDVS at IIT Bombay to promote research in formal verification techniques
- Development of tools and techniques with improved precision and scalability in collaboration with CFDVS
- Development of automated program testing techniques at IIT Kanpur
Thank You