Formal Verification of Flight Critical Software

1
Formal Verification of Flight Critical Software

• Dr. Steven P. Miller
• Advanced Computing Systems
• Elise A. Anderson
• Commercial Systems Flight Control
• Rockwell Collins
• 400 Collins Road NE, MS 108-206
• Cedar Rapids, Iowa 52498
• spmiller,eaanders_at_rockwellcollins.com

2
Concept Overview
FCS 50000 Flight Control System
3
Outline of Presentation

• Introduction
• Model Checking
• Specification of the FCS 5000 Mode Logic
• Verification of the FCS 5000 Mode Logic
• Concluding Remarks

4
Who Are We?
A World Leader In Aviation Electronics And
Airborne/ Mobile Communications Systems For
Commercial And Military Applications
5
Automated Analysis Section
1992
AAMP5 Microcode Verification (PVS)
NASA LaRC Funded
NSA Funded
AAMP-FV Microcode Verification (PVS)
1994
AFRL Funded
AAMP5 Partitioning (PVS)
Tech Transfer
1996
JEM Java Virtual Machine (PVS)
FGS Mode Confusion Study (PVS)
1998
FCP 2002 Microcode (ACL2)
2000
AvSSP
AAMP7 Separation Kernel (ACL2)
NASA
FGS Safety Analysis (RSML-e)
FGS Mode Confusion (RSML-e)
NSA
AFRL
2002
vFaat (ACL2, PVS)
FCS 5000 FGS Verification (NuSMV)
SHADE (ACL2)
GreenHills Integrity RTOS (ACL2)
2004
Displays Verification (NuSMV)
2006
6
Methods and Tools for Flight Critical Systems
Project

• Five Year Project Started in 2001
• Part of NASAs Aviation Safety Program
  (Contract NCC-01001)
• Funded by the NASA Langley Research Center and
  Rockwell Collins
• Practical Application of Formal Methods To
  Modern Avionics Systems

7
Outline of Presentation

• Introduction
• Model Checking
• Specification of the FCS 5000 Mode Logic
• Verification of the FCS 5000 Mode Logic
• Concluding Remarks

8
What Are Model Checkers?

• Breakthrough Technology of the 1990s
• Widely Used in Hardware Verification (Intel,
  Motorola, IBM, )
• Several Different Types of Model Checkers
• Explicit, Symbolic, Bounded, Infinite Bounded,
• Exhaustive Search of the Global State Space
• Consider All Combinations of Inputs and States
• Equivalent to Exhaustive Testing of the Model
• Produces a Counter Example if a Property is Not
  True
• Easy to Use
• Push Button Formal Methods
• Very Little Human Effort Unless Youre at the
  Tools Limits
• Limitations
• State Space Explosion (10100 10300 States)

9
Advantage of Model Checking
Testing Checks Only the Values We Select
Even Small Systems Have Trillions (of Trillions)
of Possible Tests!
10
Advantage of Model Checking
Model Checker Tries Every Possible Input and
State!
11
Translation Framework
12
Example - ADGS-2100 Adaptive Display Guidance
System
883 Subsystems 9,772 Simulink Blocks 2.9 x 1052
Reachable States
Requirement Drive the Maximum Number of Display
Units Given the Available Graphics Processors
Counterexample Found in 5 Seconds!
Checking 373 Properties Found Over 60 Errors
13
Outline of Presentation

• Introduction
• Model Checking
• Specification of the FCS 5000 Mode Logic
• Verification of the FCS 5000 Mode Logic
• Concluding Remarks

14
Flight Guidance System Overview
15
Simple Mode Transition Diagram
16
Synchronous Composition of Two Mode Transition
Diagrams
1-z
1-z
17
Outline of Presentation

• Introduction
• Model Checking
• Specification of the FCS 5000 Mode Logic
• Verification of the FCS 5000 Mode Logic
• Concluding Remarks

18
Summary of Errors Found

• Model-Checking Detected the Majority of Errors
• Model-Checking Detected the Most Serious Errors
• Found Early in the Lifecycle during Requirements
  Analysis

19
Verification of Individual Mode Transition
Diagrams
AX AG( LGA ? AX( Event9 ? ROLL ))
AX AG( LGA ? AX( (Event4 !Event6 !Event9) ?
HDG))
? False
AX AG( Event8 ? LGA )
20
Errors Found Verifying Individual Mode Machines

• Model-Checking Found Half the Errors
• Tended to Find the Less Serious Errors
• Counter Example Pinpoints Source of the Error

21
Verification of Composite Machines
Mode Controller A
5.1 x 1027 Reachable States
Mode Controller B
Requirement Mode A1 gt Mode B1
Counterexample Found in Less than Two Minutes!
Found 8 More Errors
22
Errors Found by Model-Checking Composite Mode
Transition Diagrams

• Errors Found Tended to Be More Serious Errors
• Checking Relationships Between Mode Transition
  Diagrams
• Difficult to Find by Inspections Simulation

23
Outline of Presentation

• Introduction
• Model Checking
• Specification of the FCS 5000 Mode Logic
• Verification of the FCS 5000 Mode Logic
• Concluding Remarks

24
Conclusions

• Model-Based Development is the Industrial Use
  Formal Specification
• Convergence of Model-Based Development and Formal
  Verification
• Engineers are Producing Specifications that Can
  be Analyzed
• Formal Verification Tools are Getting More
  Powerful
• Model Checking is Very Cost Effective
• Simple and Easy to Use
• Finds All Exceptions to a Property
• Used to Find Errors Early in the Lifecycle
• Applied to Models with Only Boolean and
  Enumerated Types

25
Future Directions

• Numerically Intensive Systems
• Infinite Bounded Model Checkers
• Decision Procedures for Integers and Real
  Numbers
• Non-linear Arithmetic
• Automatic Extraction of Conservative
  Abstractions
• Applications
• Spacing Trajectory
• Required Navigation Performance (RNP)
• Collision Avoidance
• Advanced Flight Control

26
For More Information

• Alan C. Tribble, Steven P. Miller, and David L.
  Lempia, Software Safety Analysis of a Flight
  Guidance System, NASA Contractor Report
  CR-2004-213004, March 2004, available at
  http//techreports.larc.nasa.gov/ltrs/dublincore/2
  004/cr/NASA-2004-cr213004.html.
• Alan C. Tribble and Steven P. Miller, Safety
  Analysis of Software Intensive Systems, IEEE
  Aerospace and Electronic Systems, Vol. 19, No.
  10, pp. 21 - 26, October 2004.
• Steven P. Miller, Mats P.E. Heimdahl, and Alan C.
  Tribble, Proving the Shalls, in Proceedings of
  FM 2003 the 12th International FME Symposium,
  Pisa, Italy, Sept. 8-14, 2003.
• Alan C. Tribble, David D. Lempia, and Steven P.
  Miller, Software Safety Analysis of a Flight
  Guidance System, in Proceedings of the 21st
  Digital Avionics Systems Conference (DASC'02),
  Irvine, California, Oct. 27-31, 2002.

27
Backup Slides
28
Model Checking Process
SMV Spec.
Model
Automatic Translation
Automated Check
Yes!
Engineer