Scientific Certification

Similar documents
New Directions in V&V Evidence, Arguments, and Automation

DHS-DOD Software Assurance Forum, McLean VA 6 Oct 2008 Very loosely based on Daniel s 2007 briefing

HCMDSS/MD PnP, Boston, 26 June 2007

Automated Driving Systems with Model-Based Design for ISO 26262:2018 and SOTIF

Validation of ultra-high dependability 20 years on

Tutorial, CPS PI Meeting, DC 3 5 Oct 2013

HACMS kickoff meeting: TA2

Formal Composition for. Time-Triggered Systems

Towards a multi-view point safety contract Alejandra Ruiz 1, Tim Kelly 2, Huascar Espinoza 1

SAFIR2014: CORSICA Coverage and rationality of the software I&C safety assurance

How to Show Legacy Software Meets Modern Standards

Outline. Outline. Assurance Cases: The Safety Case. Things I Like Safety-Critical Systems. Assurance Case Has To Be Right

Assurance Cases The Home for Verification*

Aircraft Structure Service Life Extension Program (SLEP) Planning, Development, and Implementation

SAFETY CASES: ARGUING THE SAFETY OF AUTONOMOUS SYSTEMS SIMON BURTON DAGSTUHL,

Distributed Systems Programming (F21DS1) Formal Methods for Distributed Systems

From Safety Integrity Level to Assured Reliability and Resilience Level for Compositional Safety Critical Systems

Principled Construction of Software Safety Cases

TECHNICAL AND OPERATIONAL NOTE ON CHANGE MANAGEMENT OF GAMBLING TECHNICAL SYSTEMS AND APPROVAL OF THE SUBSTANTIAL CHANGES TO CRITICAL COMPONENTS.

UNIT-III LIFE-CYCLE PHASES

The AMADEOS SysML Profile for Cyber-physical Systems-of-Systems

A NEW METHODOLOGY FOR SOFTWARE RELIABILITY AND SAFETY ASSURANCE IN ATM SYSTEMS

ERAU the FAA Research CEH Tools Qualification

The Test and Launch Control Technology for Launch Vehicles

24 Challenges in Deductive Software Verification

Requirements and Safety Cases

Background T

Using MIL-STD-882 as a WHS Compliance Tool for Acquisition

Functional safety for semiconductor IP

INTERNATIONAL CONFERENCE ON ENGINEERING DESIGN ICED 03 STOCKHOLM, AUGUST 19-21, 2003

UNIT VIII SYSTEM METHODOLOGY 2014

Research on the evaluation model of the software reliability for

COEN7501: Formal Hardware Verification

AC 20.IMA and RTCA/DO- 297, Integrated Modular Avionics (IMA) Development Guidance Certification and Considerations

Industrial Experience with SPARK. Praxis Critical Systems

Limits to Dependability Assurance - A Controversy Revisited (Or: A Question of Confidence )

When Formal Systems Kill. Computer Ethics and Formal Methods

Bridging Functional Safety Analysis and Software Architecture Assessment Safety scenarios in Architecture Trade-off Analysis Method (ATAM)

Chapter 8: Verification & Validation

UNFPA/WCARO Census: 2010 to 2020

My 36 Years in System Safety: Looking Backward, Looking Forward

M&S Requirements and VV&A: What s the Relationship?

Validation and Verification of Field Programmable Gate Array based systems

Making your ISO Flow Flawless Establishing Confidence in Verification Tools

A FLEXIBLE APPROACH TO AUTHORIZATION OF UAS SOFTWARE

SWEN 256 Software Process & Project Management

Separation of Concerns in Software Engineering Education

Verification and Validation for Safety in Robots Kerstin Eder

A New Approach to the Design and Verification of Complex Systems

Challenges for Qualitative Electrical Reasoning in Automotive Circuit Simulation

Seeking Obsolescence Tolerant Replacement C&I Solutions for the Nuclear Industry

A NEW APPROACH FOR VERIFICATION OF SAFETY INTEGRITY LEVELS ABSTRACT

Failures: Their definition, modelling & analysis

V & V of Flight-Critical Systems. Guillaume Brat, NASA ARC

The Preliminary Risk Analysis Approach: Merging Space and Aeronautics Methods

DeltaV SIS Logic Solver

Artificial intelligence and judicial systems: The so-called predictive justice

Invisible Formal Methods: Generating Efficient Test Sets With a Model Checker

Software Eng. 2F03: Logic For Software Engineering

Technology Transfer: An Integrated Culture-Friendly Approach

Formalising Event Reconstruction in Digital Investigations

A SYSTEMIC APPROACH TO KNOWLEDGE SOCIETY FORESIGHT. THE ROMANIAN CASE

SMR Regulators Forum. Pilot Project Report. Report from Working Group on Graded Approach

Introduction to Software Engineering

Changed Product Rule. International Implementation Team Outreach Meeting With European Industry. September 23, 2009 Cologne, Germany

The Three Laws of Artificial Intelligence

AIRWORTHINESS & SAFETY: ARE WE MISSING A LINK?

The UK Generic Design Assessment

PRIMATECH WHITE PAPER COMPARISON OF FIRST AND SECOND EDITIONS OF HAZOP APPLICATION GUIDE, IEC 61882: A PROCESS SAFETY PERSPECTIVE

Proposing an Education System to Judge the Necessity of Nuclear Power in Japan

Understand that technology has different levels of maturity and that lower maturity levels come with higher risks.

WORKSHOP ON BASIC RESEARCH: POLICY RELEVANT DEFINITIONS AND MEASUREMENT ISSUES PAPER. Holmenkollen Park Hotel, Oslo, Norway October 2001

p-percent Coverage in Wireless Sensor Networks

Software Product Assurance for Autonomy On-board Spacecraft

Software in Safety Critical Systems: Achievement and Prediction John McDermid, Tim Kelly, University of York, UK

ARGUING THE SAFETY OF MACHINE LEARNING FOR HIGHLY AUTOMATED DRIVING USING ASSURANCE CASES LYDIA GAUERHOF BOSCH CORPORATE RESEARCH

IAEA Training in level 1 PSA and PSA applications. PSA Project. IAEA Guidelines for PSA

CIS 890: High-Assurance Systems

Industrial Applications and Challenges for Verifying Reactive Embedded Software. Tom Bienmüller, SC 2 Summer School, MPI Saarbrücken, August 2017

Performance-Based Full Policy Cycle for Digital Single Market

CRITERIA FOR AREAS OF GENERAL EDUCATION. The areas of general education for the degree Associate in Arts are:

Software Maintenance Cycles with the RUP

Technical-oriented talk about the principles and benefits of the ASSUMEits approach and tooling

SPDO. Phase 1 System Requirements Specification (SyRS) Tim Stevenson SPDO System Engineer

CSCI 699: Topics in Learning and Game Theory Fall 2017 Lecture 3: Intro to Game Theory. Instructor: Shaddin Dughmi

Building a Preliminary Safety Case: An Example from Aerospace

IEEE STD AND NEI 96-07, APPENDIX D STRANGE BEDFELLOWS?

Formal Methods and Critical Systems In the Real World

Verification and Validation of Integrated Vehicle Health Management

2017 Laws of Duplicate Bridge. Summary of Significant changes

Project Administration Instructions

SYSTEMS ENGINEERING MANAGEMENT IN DOD ACQUISITION

Model Based Systems Engineering (MBSE) Business Case Considerations An Enabler of Risk Reduction

AVACS Automatic Verification and Analysis of Complex Systems

Meeting the Challenges of Formal Verification

Dynamic Games: Backward Induction and Subgame Perfection

Launchpad Maths. Arithmetic II

Dr Daniela Cancila. Laboratoire des composants logiciels pour la Sécurité et la Sûreté des Systèmes (L3S)

Use of the Graded Approach in Regulation

Autonomy Test & Evaluation Verification & Validation (ATEVV) Challenge Area

Transcription:

Scientific Certification John Rushby Computer Science Laboratory SRI International Menlo Park, California, USA John Rushby, SR I Scientific Certification: 1

Does The Current Approach Work? Fuel emergency on Airbus A340-642, G-VATL, on 8 February 2005 (AAIB SPECIAL Bulletin S1/2005) Toward the end of a flight from Hong Kong to London: two engines shut down, crew discovered they were critically low on fuel, declared an emergency, landed at Amsterdam Two Fuel Control Monitoring Computers (FCMCs) on this type of airplane; they cross-compare and the healthiest one drives the outputs to the data bus Both FCMCs had fault indications, and one of them was unable to drive the data bus Unfortunately, this one was judged the healthiest and was given control of the bus even though it could not exercise it Further backup systems were not invoked because the FCMCs indicated they were not both failed John Rushby, SR I Scientific Certification: 2

Safety Culture It seems that current development and certification practices may be insufficient in the absence of safety culture Current business models are leading to a loss of safety culture Safety culture is implicit knowledge Surely, a certification regime should be effective on the basis of its explicit requirements John Rushby, SR I Scientific Certification: 3

MC/DC Test Coverage Need criteria to indicate when we have done enough (unit) testing This is for assurance, not debugging Do not expect to find any errors Vast literature on this topic Many criteria are based on structural coverage of the program E.g., branch coverage MISRA, DO178B Level A, require MC/DC coverage Generate tests from requirements, and measure coverage on the code John Rushby, SR I Scientific Certification: 4

MC/DC and Automated Test Generation It s quite easy to automate test generation using model checking technology (check out sal-atg) Trouble is, the model checker can be too clever: generally finds shortest test to reach a given test goal E.g., autopilot has two modes (used in pairs) In active mode, complex rules determine when to enter roll mode In standby mode, just follows active partner Given test goal to exercise entry to roll mode, model checker puts system in standby mode, then tells it to go to roll mode Naïve automated test generation can yield tests that achieve MC/DC coverage but have very poor error detection It s implicit that there s a rational test purpose John Rushby, SR I Scientific Certification: 5

Purpose of MC/DC Testing It has been said that the real benefit of MC/DC testing is not that it forces reasonably thorough test coverage But that it forces highly detailed requirements specifications Because code coverage must be achieved from tests derived from requirements And this is its real, implicit purpose John Rushby, SR I Scientific Certification: 6

Approaches to Software Certification The implicit (or indirect) standards-based approach Airborne s/w (DO-178B), security (Common Criteria) Follow a prescribed method (or prescribed processes) Deliver prescribed outputs e.g., documented requirements, designs, analyses, tests and outcomes, traceability among these Internal (DERs) and/or external (NIAP) review Works well in fields that are stable or change slowly Can institutionalize lessons learned, best practice e.g. evolution of DO-178 from A to B to C But less suitable with novel problems, solutions, methods Implicit that the prescribed processes achieve the safety goals No causal or evidential link from processes to goals John Rushby, SR I Scientific Certification: 7

Approaches to Software Certification (ctd.) The explicit goal based approach e.g., air traffic management (CAP670 SW01), UK aircraft Applicant develops an assurance case Whose outline form may be specified by standards or regulation (e.g., MOD DefStan 00-56) Makes an explicit set of goals or claims Provides supporting evidence for the claims And arguments that link the evidence to the claims Make clear the underlying assumptions and judgments Should allow different viewpoints and levels of detail The case is evaluated by independent assessors John Rushby, SR I Scientific Certification: 8

Evidence and Arguments Evidence can be facts, assumptions, or sub-claims (from a lower level argument) Arguments can be Analytic: can be repeated and checked by others, and potentially by machine e.g., logical proofs, calculations, tests Probabilistic (quantitative statistical) reasoning is a special case Reviews: based on human judgment and consensus e.g., code walkthroughs Qualitative: have an indirect or implicit link to claims e.g., CMI levels, staff skills and experience John Rushby, SR I Scientific Certification: 9

Critique of Standards-Based Approaches The claims, arguments, and assumptions are usually only implicit in the standards-based approaches And many of the arguments turn out to be qualitative Requirements to follow certain design practices Requirements for safe subsets of C, C++ and other coding standards (JSF standard is a 1 mbyte Word file) cf. MISRA C vs. SPARK ADA (with the Examiner) No evidence these are effective, some contrary evidence John Rushby, SR I Scientific Certification: 10

Critique of Standards-Based Approaches (ctd) Even when analytic evidence and arguments are employed, their selection and degree of application are often based on qualitative judgments Formal specifications (but not formal analysis) at some EAL levels MC/DC tests for DO-178B Level A Because we cannot demonstrate how well we ve done, we ll show how hard we ve tried And for really critical components, we ll try harder This is the notion of software integrity levels (SILs) Little evidence what works, nor that more is better John Rushby, SR I Scientific Certification: 11

Non-Critique of Standards-Based Approaches Often accused of too much focus on the process, not enough on the product Yes, but some explicit processes are required to establish traceability So we can be sure that it was this version of the code that passed those tests, and they were derived from that set of requirements which were partly derived from that fault tree analysis of this subsystem architecture John Rushby, SR I Scientific Certification: 12

From Software To System Certification The things we care about are system properties So certification focuses on systems E.g., the FAA certifies airplanes, engines and propellers But modern engineering and business practices use massive subcontracting and component-based development that provide little visibility into subsystem designs Strong case for qualification of components Business case: Component vendors want it (cf. IMA) Certification case: system integrators and certifiers do not have have visibility into designs and processes But then system certification is based on the certification data delivered with the components Must certify systems without looking inside subsystems John Rushby, SR I Scientific Certification: 13

Compositional Analysis Computer scientists know ways to do compositional verification of programs e.g., Prove that component A guarantees P in an environment that ensures Q Prove that component B guarantees Q in an environment that ensures P Conclude that A B guarantees P and Q Assumes programs interact only through explicit computational mechanisms (e.g., shared variables) Software and systems can interact through other mechanisms Computational context: shared resources Noncomputational mechanisms: the controlled plant So compositional certification is harder than verification John Rushby, SR I Scientific Certification: 14

Unintended Interaction Through Shared Resources This must not happen Need an integration framework (i.e., an architecture) that guarantees composability and compositionality Composability: properties of a component are preserved when it is used within a larger system Compositionality: properties of a system can be derived from those of its components This is what partitioning is about (or separation in a MILS security context) Except that partitioning may fall short in the presence of faults (e.g., ARINC 653, some avionics buses) We still lack a good formal definition of partitioning And a cost-effective verification methodology for it John Rushby, SR I Scientific Certification: 15

Unintended Interaction Through The Plant The notion of interface must be expanded to include assumptions about the noncomputational environment (i.e., the plant) Cf. Ariane V failure (due to differences from Ariane IV) Compositional reasoning must take the plant into account (i.e., composition of hybrid systems) Must also consider response to failures And must avoid a race to the bottom John Rushby, SR I Scientific Certification: 16

A Science of Certification Certification is ultimately a judgment that a system is adequately safe/secure/whatever for a given application in a given environment But the judgment should be based on as much explicit and credible evidence as possible A Science of Certification would be about ways to develop that evidence John Rushby, SR I Scientific Certification: 17

Making Certification More Scientific Favor explicit over implicit approaches At the very least, expose and examine the claims, arguments and assumptions implicit in standards-based approaches Be wary of qualitative (implicit) evidence Replace qualitative evidence by analytic evidence that supports sub-claims of a form that can feed into a largely analytic argument at higher levels Be wary of qualitative selections of evidence (SILs) Rather than qualitatively weakening the evidence, weaken the claims instead, and absorb the resulting hazards elsewhere in the system design John Rushby, SR I Scientific Certification: 18

Analytic Evidence The move to model based development presents a (once in a lifetime) opportunity to move analytic methods into the early lifecycle, mostly based on formal methods Modern automated formal methods can deliver strong claims about small properties very economically Static analysis, model checking, infinite bounded model checking and k-induction using SMT solvers, hybrid abstraction (which uses theorem proving over reals) Larger properties will require combined methods (cf. the Evidential Tool Bus) The applications of formal methods extend beyond verification and refutation (bug finding): test generation, fault tree analysis, human factors,... Tool diversity may be an alternative to tool qualification John Rushby, SR I Scientific Certification: 19

Compositional Certification This is the big research challenge It demands clarification of the difference between verification and certification (because we know how to do the former compositionally, but not the latter) And explication of what constitutes an interface to a certified component The certification data is in terms of the interface only You cannot look inside Compositional certification should extend to incremental certification, reuse, and modification It s also the big challenge for regulatory agencies A completely different way of doing business John Rushby, SR I Scientific Certification: 20

A Research Agenda The Science of Certification Or a science for certification Specification and verification of integration frameworks Partitioning, separation, buses High-performance automated verification for strong properties of model-based designs Mostly infinite state and hybrid systems And automation of related processes (test generation, FTA) Compositional certification Composition of hybrid systems Tool qualification Evidence management Integrated methods and arguments Probabilities plus verification John Rushby, SR I Scientific Certification: 21

2024 © hobbydocbox.com Privacy Policy | Terms of Service | Feedback