Industrial Applications and Challenges for Verifying Reactive Embedded Software. Tom Bienmüller, SC 2 Summer School, MPI Saarbrücken, August 2017

Similar documents
PEGASUS Effectively ensuring automated driving. Prof. Dr.-Ing. Karsten Lemmer April 6, 2017

William Milam Ford Motor Co

Automated Driving Systems with Model-Based Design for ISO 26262:2018 and SOTIF

VSI Labs The Build Up of Automated Driving

Credible Autocoding for Verification of Autonomous Systems. Juan-Pablo Afman Graduate Researcher Georgia Institute of Technology

A Roadmap for Connected & Autonomous Vehicles. David Skipp Ford Motor Company

Dr George Gillespie. CEO HORIBA MIRA Ltd. Sponsors

ADAS Development using Advanced Real-Time All-in-the-Loop Simulators. Roberto De Vecchi VI-grade Enrico Busto - AddFor

Automated Testing of Autonomous Driving Assistance Systems

Introduction to Systems Engineering

Testing in the Google car era Are we ready?

Horizon 2020 ICT Robotics Work Programme (draft - Publication: 20 October 2015)

Stanford Center for AI Safety

M&S Requirements and VV&A: What s the Relationship?

DENSO

24 Challenges in Deductive Software Verification

KNOW & FEEL. Enhance your interdisciplinary system knowledge and feel the implementation of objective criteria in the vehicle.

ARGUING THE SAFETY OF MACHINE LEARNING FOR HIGHLY AUTOMATED DRIVING USING ASSURANCE CASES LYDIA GAUERHOF BOSCH CORPORATE RESEARCH

Meeting the Challenges of Formal Verification

Model-Based Design as an Enabler for Supply Chain Collaboration

COEN7501: Formal Hardware Verification

A Winning Combination

DOCTORAL THESIS (Summary)

AVACS Automatic Verification and Analysis of Complex Systems

Virtual Homologation of Software- Intensive Safety Systems: From ESC to Automated Driving

CSC384 Intro to Artificial Intelligence* *The following slides are based on Fahiem Bacchus course lecture notes.

New 2018* Executive Master Program Mobility Systems Engineering & Management. Technology + Management

New 2018* Executive Master Program Mobility Systems Engineering & Management. Technology + Management

Components that move

DENSO www. densocorp-na.com

The IEEE Global Initiative for Ethical Considerations in Artificial Intelligence and Autonomous Systems. Overview June, 2017

Significant Reduction of Validation Efforts for Dynamic Light Functions with FMI for Multi-Domain Integration and Test Platforms

Virtual testing by coupling high fidelity vehicle simulation with microscopic traffic flow simulation

SWEN 256 Software Process & Project Management

Embracing Complexity. Gavin Walker Development Manager

NX CAM Update and future directions The latest technology advances Dr. Tom van t Erve

Pragmatic Strategies for Adopting Model-Based Design for Embedded Applications. The MathWorks, Inc.

The IEEE Global Initiative for Ethical Considerations in Artificial Intelligence and Autonomous Systems. Overview April, 2017

Taking a broader view

HIGH-STRENGTH CONNECTIONS

LEARNING FROM THE AVIATION INDUSTRY

Verification and Validation for Safety in Robots Kerstin Eder

ECSEL JU Update. Andreas Wild Executive Director

NILS SHONAN MEETING 048 INTEGRATION OF FORMAL METHODS AND TESTING FOR MODEL BASED SYSTEM-ENGINEERING. Werner Damm

Making your ISO Flow Flawless Establishing Confidence in Verification Tools

Engineering for Success in the Space Industry

How Preferred Networks has Defined Their Values: The Promise and Challenge of Deep Learning in Domains of Physical Control

CMSC 372 Artificial Intelligence. Fall Administrivia

5G R&D at Huawei: An Insider Look

What could be driving the Lab of the future and is the Smart Lab really a thing?

Safe, Efficient and Effective Testing of Connected and Autonomous Vehicles Paul Jennings. Franco-British Symposium on ITS 5 th October 2016

Does it Pay Off? Model-Based Verification and Validation of Embedded Systems!

Final Report Non Hit Car And Truck

AMS Verification for High Reliability and Safety Critical Applications by Martin Vlach, Mentor Graphics

CPE/CSC 580: Intelligent Agents

Automotive Needs and Expectations towards Next Generation Driving Simulation

This list supersedes the one published in the November 2002 issue of CR.

HACMS kickoff meeting: TA2

Artificial Intelligence

Neu. Executive Master Program Mobility Systems Engineering & Management. Technology + Management

Simulationbased Development of ADAS and Automated Driving with the Help of Machine Learning

Map of Human Computer Interaction. Overview: Map of Human Computer Interaction

Combining ROS and AI for fail-operational automated driving

CS6700: The Emergence of Intelligent Machines. Prof. Carla Gomes Prof. Bart Selman Cornell University

Program Automotive Security and Privacy

Model-Based Development of Embedded Systems

MODEL-BASED DEVELOPMENT OF AUTOMOTIVE EMBEDDED SOFTWARE IN COMPLIANCE WITH ISO 26262: CHALLENGES & EFFECTIVE SOLUTIONS November 21 22, 2016

Artificial Intelligence and Robotics Getting More Human

When Formal Systems Kill. Computer Ethics and Formal Methods

Tutorials.

Getting to Smart Paul Barnard Design Automation

TRB Workshop on the Future of Road Vehicle Automation

Current Challenges for Measuring Innovation, their Implications for Evidence-based Innovation Policy and the Opportunities of Big Data

INTELLIGENT SOFTWARE QUALITY MODEL: THE THEORETICAL FRAMEWORK

A SERVICE-ORIENTED SYSTEM ARCHITECTURE FOR THE HUMAN CENTERED DESIGN OF INTELLIGENT TRANSPORTATION SYSTEMS

Aerospace Software* Cost and Timescale Reduction *and complex electronic hardware

Scientific Certification

progressive assurance using Evidence-based Development

Federico Forti, Erdi Izgi, Varalika Rathore, Francesco Forti

PEGASUS General introduction to PEGASUS & Opening of the exhibition. Prof. Dr. Thomas Form 9th November 2017

Cyber-Physical Systems: Challenges for Systems Engineering

Intelligent Agents & Search Problem Formulation. AIMA, Chapters 2,

Presentation on DeepTest: Automated Testing of Deep-Neural-N. Deep-Neural-Network-driven Autonomous Car

in the New Zealand Curriculum

Research about Technological Innovation with Deep Civil-Military Integration

MicroControl: high quality products, premium service, satisfied customers

ARTEMIS The Embedded Systems European Technology Platform

DECISION BASED KNOWLEDGE MANAGEMENT FOR DESIGN PROJECT OF INNOVATIVE PRODUCTS

A.I in Automotive? Why and When.

Artificial Intelligence: An overview

A New Approach to the Design and Verification of Complex Systems

SLIDE: Evaluation of a Formalized Encryption Library for Safety- Critical Embedded Systems

Lies, Damned Lies and Hardware Verification. Mike Bartley, Test and Verification Solutions

Ground Systems Department

AN AUTONOMOUS SIMULATION BASED SYSTEM FOR ROBOTIC SERVICES IN PARTIALLY KNOWN ENVIRONMENTS

BRAIN CONTROLLED CAR FOR DISABLED USING ARTIFICIAL INTELLIGENCE

Space Challenges Preparing the next generation of explorers. The Program

STEINBICHLER 25 YEARS OF INSPIRING INNOVATION ABIS OPTICAL SURFACE INSPECTION

Physics Based Sensor simulation

Autonomous Automation: How do we get to a Million Miles of testing?

Transcription:

Industrial Applications and Challenges for Verifying Reactive Embedded Software Tom Bienmüller, SC 2 Summer School, MPI Saarbrücken, August 2017

Agenda 2 Who am I? Who is BTC Embedded Systems? Formal Methods in Automotive Industry Breathing industrial life into formal methods: expectations, applications and challenges Today: (model-based) floating-point embedded software component development Tomorrow: model checkers in industrial applications how to gain end user s confidence Day after tomorrow: autonomous driving minds off!

Who am I 3 Studied Computer Science at University of Oldenburg; diploma thesis on multi-threaded CPU exception handling (1997) Worked at the group of Prof. Dr. Werner Damm in Oldenburg; received doctoral degree in 2003 on optimizations of model-checking procedures for reactive systems Since 2003 in BTC-Embedded Systems lifting formal methods to industrial level regarding performance, applicability, quality, and usability Responsible for Product Development and Quality Assurance for BTC EmbeddedPlatform product Application implementing Formal Specification, Formal Verification, Automatic Test Vector generation

Who is BTC Embedded Systems? 4 Company established in 1999 BTC-ES Headquarter in Oldenburg Offices in Stuttgart, Berlin and Paris BTC Japan Co., Ltd. BTC Embedded Systems Romania SRL BTC China > 100 Employees worldwide Expert for automatic Testing, Verification and Validation of embedded Software and Systems Automotive Domain Safety Critical & High Quality Relevant Safety Standard ISO-26262 BTC official Test-Partner of dspace for Matlab/Simulink/TargetLink IBM Rational for Rhapsody-UML

Agenda 5 Who am I? Who is BTC Embedded Systems? Formal Methods in Automotive Industry Breathing industrial life into formal methods: expectations, applications and challenges Today: (model-based) floating point embedded software component development Tomorrow: model checkers in industrial applications how to gain end user s confidence Day after tomorrow: autonomous driving minds off!

Formal Methods in Industry: Toyota Japan 6 Toyota Prius, Application of both automatic test vector generation for B2B-Testing and formal verification against formal requirements Shinichi Abe, General Manager of Toyota HV System Control Development Division: To complete the new process the development teams then selected dspace s production code generator TargetLink in combination with the test and validation tools EmbeddedTester and EmbeddedValidator by TargetLink s strategic partner BTC Embedded Systems AG. Adoption of this proven toolchain further increased the overall development efficiency and in the end allowed Toyota to produce all of the final control software s code in-house from TargetLink. Source: http://techon.nikkeibp.co.jp/atclen/news_en/15mk/070500684

Formal Methods in Industry: MAN Germany 7 Overall MBD-Development Process, Application of both automatic test vector generation for B2B-Testing and formal Verification against formal requirements Stefan Teuchert, Head of the Department Software-Development and Base Technologies, MAN Nutzfahrzeuge AG (Munich): MAN Nutzfahrzeuge AG successfully uses EmbeddedTester and EmbeddedValidator as a standard Automatic Test and Validation Environment for the leading AutoCode Generator TargetLink in the Model Driven Development of series-production Power Train applications. The automatic test generation, execution, analysis and debug capabilities of EmbeddedTester is one important key to fulfill the high efficiency and quality levels of MAN Nutzfahrzeuge AG, under the permanent time-to-market pressure.

Formal Methods in Industry further Success Stories 8 Ford Wabco DENSO PSA Peugeot Citroën Deutz Claas See BTC-ES web-site

Agenda 9 Who am I? Who is BTC Embedded Systems? Formal Methods in Automotive Industry Breathing industrial life into formal methods: expectations, applications and challenges Today: (model-based) floating-point embedded software component development Tomorrow: model checkers in industrial applications how to gain end user s confidence Day after tomorrow: autonomous driving minds off!

BTC-ES Motivation to join SC 2 Network 10 Mission Statement "BTC Embedded Systems AG" Our mission is to enable customers to increase product quality in a shortened design phase by introducing automatic test and verification technology to the model-based systems & software development process. We need to keep pace with increasing demands on formal methods and techniques from markets First SC 2 Motivation: Regarding supported model class : IEEE-754 Second SC 2 Motivation: Regarding quality of / confidence in our tools for formal methods : Proof Certificates Third SC 2 Motivation: Regarding potential combination of Symbolic Computation and Satisfiability Checking for verification of autonomous cars systems

IEEE-754 Floating Point 11 Model checking / computation complexity fixed-point (integer) floating-point Target CPU Complexity

IEEE-754-based Floating Point Support Motivation 12 Embedded Software in Automotive domain still integer dominated Fixed-Point approximation for real numbers Model Checkers reducing formal verification to Boolean satisfiability work well for this type of models Reduced cost for CPUs containing floating-point-units IEEE-754-based floating point approximation for real numbers Almost all our customers (OEM, Supplier) have at least pilot projects Model Checkers reducing formal verification to Boolean satisfiability do not always work sufficiently well for this type of models Performance issue: bit blasting approach inefficient both in time and space Approach special solution for special problem : use SMT with native IEEE-754 support

IEEE-754-based Floating Point Support SAT vs. SMT 13 SAT: floating-point Numbers and Operations reduced to bit level fine-granular and bit-exact approach; induces complexity in space and in time ( bit blasting ) SMT: floating-point Numbers and Operations can be handled on arithmetic level more abstract, thus efficient in space and more freedom in optimizations may lead to efficient theory algorithms gap becomes more important for complex floating-point operations like mathematical functions: 1.4 == exp(x) with double x in [-104.0, 89.0] for SAT in our product: providing implementation of exp() reducing to standard operations 700 LOC cbmc solving time ~5min Experimental for SMT: native support isat3 solving time << 1sec (but on real arithmetic, no floating-point yet!)

Confidence in Model Checkers 14 Required Tool Confidence R&D Evaluation Production Safety Critical Production Tool Application

Certified Software Confidence ISO Requirements 15 In ISO-26262, automating process steps by software tools requires tool qualification fit for purpose Depending on addressed Safety Integrity Level, different measures to give evidence for Confidence in the Tool BTC-ES received tool qualification for Back-to-Back-Testing in 2010 In 2017, use case Formal Verification shall be qualified

Quality Expectation for Model Checkers 16 End user s perception: Phrase 1: Everybody knows that each software contains bugs Phrase 2: Model Checkers detect all bugs which are in a software End user s conclusion: When we apply model checkers, our software does not contain bugs But Model Checker s are made of software so they contain bugs A false negative is no problem can verify by simulation But what about a false positive? A false positive is a big problem the model checker gave the wrong ultimate answer no bug found!

Model Checkers in Software Production 17 More and more applications of formal verification techniques in automotive embedded software production development Semantic Bugs in formal verification tools have tremendous effect on end-user s processes, product quality and reputation Users trust and rely a lot on such tools. Very high reliability expected. Single bugs may lead to huge additional cost when iterations are needed, not counting issues occurring in the field Loss of reputation for users and tool vendors even for single bugs even though everybody agrees that no software is free of bugs, formal verification tools need to be (almost) 100% reliable Customers already requested ISO-certification of BTC-ES formal verification tools. This requires to achieve high tool confidence level What can we do to achieve close to 100% confidence in formal Verification Software Tools? Each individual bug counts!

Two complementary Approaches 18 Offline Quality Assurance : traditional QA during Software Development incl. highly sophisticated testing environment Huge amount of (customer) models Back-to-back test between different model checkers when possible... Online Quality Assurance : check the results of formal verification Tasks online within end-user s environment Easy and established for counterexamples / witnesses : probe by postsimulation against end-user s model/design Hard and not established for certifications / true- / unreachable- Results Goal: get Confidence by 99% offline QA and 1% online QA BTC-ES requires support by academic experts for online QA of the specification holds -results

Idea on how to address Online-QA Proof Certificates 19 Find reliable (approximated) solutions to the online-detection of wrong true-results Additional requirements to potential solutions Needs to be embedded in workflow without introducing additional user interaction Ideally, obtain Proof Certificates on the level of the input language to the verification process (production C-code; see next slide) Certification technology shall not increase verification time too much Take user-acceptance into account One straight forward approach to online QA: why don t we just simply apply a second model checker to gain trust? Requires to have second implementation, which vendor does not have Requires doubled time and space, what user s environment does not have And we believe one can do better

Proof Certificates Conceptual Sketch 20

Verifying Autonomously Driving Cars Combining Symbolic Computation with Satisfiability-Checking? 21 Test Complexity / Transport Authority Demands hands on hands off eyes / mind off steering wheel optional SAE automated vehicle classifications

Autonomous Driving Observations 22 Getting the same confidence in an autonomously driving car s function by traditional testing methods would require to go over 80-times to the sun and back (following Hermann Winner, expert for car technology) More that 13 billion kilometers This will not be feasible. Hence, changed approach: based on virtual validation and intelligent definition of driving scenarios plus parallel observation of safety goals, traffic rules etc Requires dedicated coverage criterion to get test-exit criteria Requires to convince transport authority / standardization authorities get some statistical argument enabling to derive needed sufficient amount of driving kilometers (bringing the need to really drive down to a reasonable number again) artificial intelligence meets embedded software development Stage 1 (e.g., highway driving): object detection uses AI algorithms, controller developed the traditional way Stage 2 (e.g., urban driving): also controller contains AI-components?

General Test Architecture (Stage 1) 23 Virtual Validation Scenarios RADAR LiDAR 3D-Video Autonomous Driving Algorithm Object Detection Observer Controller Ego Model / Environmental Model Test Result Object Detection is based on AI-algorithms ( Deep Learning ) Controller is traditionally developed without any AI aspects This ensures same reaction upon same driving situation

Challenges: Verification of AD-Algorithm 24 Formal verification of safety goals would require to deal with discrete controller algorithm, but also with continuous systems like the ego car or the environment (other cars, human beings etc) Combine Satisfiability Checking ( controller) with Symbolic Computation (ego-car, environmental behavior)? Verification by sufficient testing One approach for SC 2 : generate test cases automatically using verification technology (using the same combination of SC*SC as mentioned above) Requires further ingredients like stochastic argument for test exit criterion When Controller is implemented also using AI algorithms ( Stage 2 ): reuse symbolic computation algorithms for trained artificial intelligence implementations?

Summary 25 Formal Methods reached real (safety) embedded software production Providing usable tools requires dealing with increased demand comes along with more sophisticated Target CPUs ( IEEE-754 Floating-Point) End user s having confidence in the correctness of tools output ( proofcertificates; tool qualification) Innovations such as autonomous driving requires to re-think traditional verification and validation strategies Today s industrial testing and formal verification approaches will not always be feasible! Artificial intelligence meets safety critical systems development

2024 © hobbydocbox.com Privacy Policy | Terms of Service | Feedback