DHS-DOD Software Assurance Forum, McLean VA 6 Oct 2008 Very loosely based on Daniel s 2007 briefing

Similar documents
Scientific Certification

New Directions in V&V Evidence, Arguments, and Automation

HCMDSS/MD PnP, Boston, 26 June 2007

HACMS kickoff meeting: TA2

Principled Construction of Software Safety Cases

When Formal Systems Kill. Computer Ethics and Formal Methods

Validation of ultra-high dependability 20 years on

Workshop on the Future of Nuclear Robotics Safety Cases

Putting the Systems in Security Engineering An Overview of NIST

Formal Composition for. Time-Triggered Systems

SWEN 256 Software Process & Project Management

Tutorial, CPS PI Meeting, DC 3 5 Oct 2013

Australian Census 2016 and Privacy Impact Assessment (PIA)


Automated Integration Of Potentially Hazardous Open Systems

Dr. Cynthia Dion-Schwartz Acting Associate Director, SW and Embedded Systems, Defense Research and Engineering (DDR&E)

Reconsidering the Role of Systems Engineering in DoD Software Problems

Assurance Cases The Home for Verification*

SAFETY CASES: ARGUING THE SAFETY OF AUTONOMOUS SYSTEMS SIMON BURTON DAGSTUHL,

Executive Summary. Chapter 1. Overview of Control

NILS SHONAN MEETING 048 INTEGRATION OF FORMAL METHODS AND TESTING FOR MODEL BASED SYSTEM-ENGINEERING. Werner Damm

Modeling Enterprise Systems

Leveraging 21st Century SE Concepts, Principles, and Practices to Achieve User, Healthcare Services, and Medical Device Development Success

Developing a CubeSat Model-Based System Engineering (MBSE) Reference Model Interim Status #3

Automated Driving Systems with Model-Based Design for ISO 26262:2018 and SOTIF

Requirements and Safety Cases

Formal Methods and Critical Systems In the Real World

Systems Engineering Overview. Axel Claudio Alex Gonzalez

How does one know which repository is worth its salt?

COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT. pursuant to Article 294(6) of the Treaty on the Functioning of the European Union

SBIR/STTR & Commercialization of University Innovations

Commercial Marine Shipping in Canada: Understanding the Risks

The Importance of Scientific Reproducibility in Evidence-based Rulemaking

ABSTRACT INTRODUCTION

COEN7501: Formal Hardware Verification

DSAC & Dstl after the Science Capability Review

Towards a multi-view point safety contract Alejandra Ruiz 1, Tim Kelly 2, Huascar Espinoza 1

VLSI Physical Design Prof. Indranil Sengupta Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Aircraft Structure Service Life Extension Program (SLEP) Planning, Development, and Implementation

University Secretary and Clerk to the Board of Governors

Solutions to selected exercises

Background T

What Use is Verified Software?

BERKELEY DAVIS IRVINE LOS ANGELES MERCED RIVERSIDE SAN DIEGO SAN FRANCISCO. Chair of the Assembly of the Academic Senate

Emerging and Readily Available Technologies and National Security: A Framework for Addressing Ethical, Legal, and Societal Issues

Validation and Verification of Field Programmable Gate Array based systems

Compendium Overview. By John Hagel and John Seely Brown

Focusing Software Education on Engineering

Copyright 2016 Rockwell Collins, Inc. All rights reserved. LVC for Autonomous Aircraft Systems Testing

Limits to Dependability Assurance - A Controversy Revisited (Or: A Question of Confidence )

Assessing the Value Proposition for Operationally Responsive Space

System of Systems Software Assurance

Despite the euphonic name, the words in the program title actually do describe what we're trying to do:

Combination Products Verification, Validation & Human Factors Sept. 12, 2017

Policy Perspective: The Current and Proposed Security Framework

24 Challenges in Deductive Software Verification

Assessing the Welfare of Farm Animals

The Drive for Innovation in Systems Engineering

Organized by the Computing Community Consortium Honorary Co-Sponsors: Congressman Bart Gordon (D-TN) Congressman Ralph Hall (R-TX) Congressman Daniel

A Direct Path to Dependable Software

Outline. Outline. Assurance Cases: The Safety Case. Things I Like Safety-Critical Systems. Assurance Case Has To Be Right

The Use of Patterns in Systems Engineering Satya Moorthy Robert Cloutier, Ph.D. Lockheed Martin MS2

Appendix B: Example Research-Activity Description

ARTES Competitiveness & Growth Full Proposal. Requirements for the Content of the Technical Proposal

SMR Regulators Forum. Pilot Project Report. Report from Working Group on Graded Approach

Overview on Medicines Regulation: regulatory cooperation and harmonization in focus

MAXIMISING THE ATM POSITIVE CONTRIBUTION TO SAFETY - A

Office for Nuclear Regulation

Credible Autocoding for Verification of Autonomous Systems. Juan-Pablo Afman Graduate Researcher Georgia Institute of Technology

Traditional Methodology Applied to a Non-Traditional Development.

TECHNICAL AND OPERATIONAL NOTE ON CHANGE MANAGEMENT OF GAMBLING TECHNICAL SYSTEMS AND APPROVAL OF THE SUBSTANTIAL CHANGES TO CRITICAL COMPONENTS.

December Eucomed HTA Position Paper UK support from ABHI

Statement of Work (SOW) inemi Environmentally Sustainable Electronics TIG Value Recovery from End-of-Life Electronics

RAX: Lessons Learned in Our Spaceflight Endeavor

V & V of Flight-Critical Systems. Guillaume Brat, NASA ARC

HOW TO SUCCESSFULLY CONDUCT LARGE-SCALE MODELING AND SIMULATION PROJECTS. Osman Balci

Certification Report on CLOCKSS

MIL-STD-882E: Implementation Challenges. Jeff Walker, Booz Allen Hamilton NDIA Systems Engineering Conference Arlington, VA

Decatur is Growing Gardeners (DIGG), Treasurer, Decatur, IL, June Present

Invisible Formal Methods: Generating Efficient Test Sets With a Model Checker

Science Impact Enhancing the Use of USGS Science

MACHINE LEARNING. The Frontiers of. The Raymond and Beverly Sackler U.S.-U.K. Scientific Forum

Public Discussion. January 10, :00 a.m. to 1:15 p.m. EST. #NASEMscicomm. Division of Behavioral and Social Sciences and Education

Cyber Physical Systems: Next Generation of Embedded Systems

Regulatory Reforms in Mexico Energy Production and Environmental Protection. A Technical Regulator for a New Market Frame

A NATIONAL KEY RESEARCH AND TECHNOLOGY INFRASTRUCTURE STRATEGY

Arshad Mansoor, Sr. Vice President, Research & Development INNOVATION SCOUTS: EXPANDING EPRI S TECHNOLOGY INNOVATION NETWORK

ULS Systems Research Roadmap

ICSU World Data System Strategic Plan Trusted Data Services for Global Science

Network Science and Engineering Update. Computing Community Consortium 7 July 2008 Ellen Zegura

SIMULATION-BASED ACQUISITION: AN IMPETUS FOR CHANGE. Wayne J. Davis

How Rough is Your Project? Andrew Pyke Project Governance & Control Symposium 2016

Technology Roadmapping. Lesson 3

Overview: National AI R&D Strategic Plan

Autonomy Test & Evaluation Verification & Validation (ATEVV) Challenge Area

Innovations in Cosourcing

Software-Intensive Systems Producibility

Industrial Experience with SPARK. Praxis Critical Systems

Level 1 VRQ Qualifications in Photo Imaging (7512) Assessment pack

Small Robot User Assessment irobot PackBot EOD Evaluation Report

Transcription:

DHS-DOD Software Assurance Forum, McLean VA 6 Oct 2008 Very loosely based on Daniel s 2007 briefing

Software For Dependable Systems: Sufficient Evidence? John Rushby Computer Science Laboratory SRI International Menlo Park CA USA John Rushby, SR I Sufficient Evidence?: 1

What Report by a committee of the National Research Council of the National Academies More precisely, the Committee on Certifiably Dependable Software Systems of the Computer Science and Telecommunications Board Many briefings and meetings over a two-year study period Report issued just under a year ago Public presentation in October 2007, and continuing Such as this one Paperback available from the National Academies Press John Rushby, SR I Sufficient Evidence?: 2

Why Sponsored by several government agencies FAA, NSA, NSF, ONR With encouragement from others Due to concern about the pervasiveness of software and its increasing presence in mission-critical roles And the risks of undependability in software And uncertainty about the value of certification Not to mention the high cost John Rushby, SR I Sufficient Evidence?: 3

Who Committee Daniel Jackson, Massachusetts Institute of Technology, Chair Joshua Bloch, Google Inc. Michael Dewalt, Certification Systems, Inc. Reed Gardner, University of Utah School of Medicine Peter Lee, Carnegie Mellon University Steven Lipner, Microsoft Trustworthy Computing Group Charles Perrow, Yale University Jon Pincus, Microsoft Research John Rushby, SRI International Lui Sha, University of Illinois at Urbana-Champaign Martyn Thomas, Martyn Thomas Associates Scott Wallsten, American Enterprise Institute/Brookings Joint Center David Woods, Ohio State University Staff Lynette I Millett, Study Director David Padgham, Associate Program Officer Joe Eisenberg, Director, CSTB John Rushby, SR I Sufficient Evidence?: 4

Summary Can software be made dependable in a cost-effective manner? Assessment of the state we re in Suggested Approach Broader Issues Findings and recommendations John Rushby, SR I Sufficient Evidence?: 5

Assessment Things we know Software has directly led to some deaths and injuries And to legions of lesser failures, infelicities, and dysfunction Bugs in code account for 3% of software failures Most failures are caused by unanticipated interactions among subsystems and with the environment Due to poorly understood requirements Quality achieved is highly variable Certification regimes and standards have mixed record John Rushby, SR I Sufficient Evidence?: 6

A Recent Incident Fuel emergency on Airbus A340-642, G-VATL, on 8 February 2005 (AAIB SPECIAL Bulletin S1/2005) Toward the end of a flight from Hong Kong to London: two engines flamed out, crew found certain tanks were critically low on fuel, declared an emergency, landed at Amsterdam Two Fuel Control Monitoring Computers (FCMCs) on this type of airplane; they cross-compare and the healthiest one drives the outputs to the data bus Both FCMCs had fault indications, and one of them was unable to drive the data bus Unfortunately, this one was judged the healthiest and was given control of the bus even though it could not exercise it Further backup systems were not invoked because the FCMCs indicated they were not both failed John Rushby, SR I Sufficient Evidence?: 7

Assessment Things we don t know Extent to which good safety record in some areas is due to implicit factors more than certification Conservatism, safety culture, experience Which are undergoing rapid change Outsourcing, COTS, complacency, innovation True extent and frequency of software failures True efficacy of various development approaches True benefits of different certification approaches John Rushby, SR I Sufficient Evidence?: 8

Assessment Consequences Mandating a particular process won t guarantee dependability Cannot be too prescriptive on tools and techniques Favor an approach based on explicit evidence That supports an argument for satisfaction of stated claims Advocate collection and dissemination of data so that we learn what works John Rushby, SR I Sufficient Evidence?: 9

Approach Three Es Explicitness About claims made, properties established About assumptions on environment and usage About the level of dependability Evidence Supporting an assurance case that the claims hold Open to independent audit Transparency in collection and publication of data Expertise Systems approach needed But also CS knowledge and skill Desired evidence is a stretch even for best practice John Rushby, SR I Sufficient Evidence?: 10

Standards and Goal-Based Assurance Cases All assurance is based on arguments that purport to justify certain claims, based on documented evidence Standards usually define only the evidence to be produced The claims and arguments are implicit Hence, hard to tell whether given evidence meets the intent E.g., is MC/DC coverage evidence for good testing or good requirements? Recently, goal-based assurance methods have been gaining favor E.g., UK air traffic management, UK defence, US FDA, next Common Criteria (maybe) These make the elements explicit We favor them because they are founded on reason John Rushby, SR I Sufficient Evidence?: 11

Process and Testing Huge reliance on these currently A good process is necessary e.g., to preserve the chain of evidence But not sufficient We want evidence about the product Testing is necessary but comes too late And is not sufficient Examines only a tiny fraction of possible scenarios Look toward analysis e.g., static analysis, model checking, automated formal verification and test generation These can examine all possible scenarios Albeit often under simplifying assumptions John Rushby, SR I Sufficient Evidence?: 12

Even Weak Models Have Value A wealth of opportunities to the left; can apply them early, too Numbur of cases examined 10^10 10^8 10^6 10^4 10^2 new opportunities current practice state machines models simulations h/w in loop flight h/w Fidelity of model John Rushby, SR I Sufficient Evidence?: 13

Overall V&V Process Traditional Vee Diagram (Much Simplified) time and money requirements system test design/code unit/integration test John Rushby, SR I Sufficient Evidence?: 14

Vee Diagram Tightened with Formal Analysis time and money requirements system test design/code unit/integration test Example: Rockwell-Collins John Rushby, SR I Sufficient Evidence?: 15

Getting Started and Making the Change A culture change is needed First steps Make some claims Provide some evidence and an argument Let the market show interest and reward Next steps Powerful customers demand a case And transparency about failures, processes, evidence Making the change (from a standards-based regime) How about evidence-based standards? John Rushby, SR I Sufficient Evidence?: 16

Broader Issues Education Software construction as systems building High school: less mechanism, more problem solving University: more on requirements, analysis, argument Research Tools and techniques for assurance cases Compositional assurance for system-level properties The assurance argument may not decompose on architectural lines So what is architecture? Systems are often tightly and accidentally coupled So what is coupling? John Rushby, SR I Sufficient Evidence?: 17

Assessment Summary Need improvements to keep pace with demand for dependable software Recommended Approach Dependability case based on explicit claims, evidence Process and testing: necessary but not sufficient Certification = analysis of dependability case demand accountability Policy Issues Transparency essential for a dependable software market Failure data should be collected, published and analyzed Education and research should be focused on dependability Please read the full report and help start a movement! John Rushby, SR I Sufficient Evidence?: 18

2024 © hobbydocbox.com Privacy Policy | Terms of Service | Feedback