Verification of Safety Critical Software
Nick Tudor
tel: +44 1684 894489
email: [email protected]
Computational Logic QMUL 26 Mar 04
The Agenda
• The NDI Control Law
• A Path Finding Experiment
• Benefits
• Resistance
• Questions
The NDI Control Law
Control software
Example of successful application
Verification of autocoded Non-linear Dynamic Inversion Control Laws embedded in the Vectored thrust Aircraft Advanced flight Control (VAAC) Harrier
Part of NDI Control Law
Year 1999
• One man; 3 months
• Used RTW Ada autocoder
– Produced 3 procedures, Step, Control Law & End
– 800 LOC
• Used manual refinement
• Interactive proof to discharge the 36 VCs
• Print-out of instructions to ProofPower took ~180 pages
Year 2000
• Outstanding MSc student at the world-renowned Computer Science Dept, University of York
• Modules in the Simulink could be replicated in the autocode
– 5 Modules
– Used packages to get 3 procedures per package
– 1200 LOC
– 43 VCs (not proven)
• Now meant that effort could be divided and the system upgraded in a modular fashion (modular certification)
Meanwhile – Reverse Engineered Safety Evidence
• Fortran not used in development for 25 procedures
• Procedure results for remaining 331 procedures
– Positive compliance: 88%
– Negative compliance: 2%
– Tool problems: 2%
– Inconclusive: 7%
• Verification condition results (16,000 VCs)
– Totally automatic proofs: 95.7%
– Part-automatic, part-interactive proofs: 3.1%
– Unproven: 1.2%
Year 2003
• 4 people; 1 week
• Still using RTW Ada autocoder
– Produced 8 procedures
– 850 LOC
• Used refinement script to drive automatic refinement
• Automatic proof using Supertac to discharge 94% of 373 VCs (21 remained)
– Improvements since then
A Path Finding Experiment
Why do an experiment?
• The embryonic technique has been applied to experimental control laws (…and it worked!!)
• No metrics were gathered, therefore:
“How good is it for my project?”
• No independent assessment by industry or MOD on a real project
• Safety/certification issues to be addressed
• Applicability: Safety/non-safety critical?
The Comparison
[Flow diagram: Requirement (Fortran) → Translation to Simulink {Done in 2001} → Confirmed equivalent; from there two routes are compared: Manually Code into SPARK Ada, Iterate, Unit test until 100% pass; versus Autocode/Autoprove]
Manhours comparison
PRICE-S ROM Comparison
Based on one result extrapolated to 1KLOC – Dates are irrelevant
[Chart: Groups Staffing Profile (ALL); y-axis Persons (0 to 5), x-axis JAN 03 to MAY 05, annotated "(OCT 03 to APR 05)"; series labelled Conventional, CFM, Q/A, SEPM, Data, Pgm Des]
Results Interpretation
• CAVEAT: THIS IS ONE EXPERIMENT WITH CONSTRAINTS
• Two separate analyses were carried out on the results:
– BAES/York University and PFG SW Cost Forecasting
• Represents 2 1/2 to 4 1/2 times faster than the existing process for Design, Code & Unit Test (BAES/York)
• Based on a nominal 1000 LOC, code development effort reduced to 28% (i.e. 72% savings) (PFG)
• Typically would expect 0.33 LOC per person per hour; CLawZ is at worst 40 and at best 100 times faster (PFG)
• Translates to approx. 30-40% savings in software life cycle costs (CADMID) (PFG)
Benefits
Model development and proof V&V vs Traditional development and V&V
[Diagram: traditional stages Concept/Req, Design, Rig Tests, Flight Test set against Mathematical Specification, Simulink autocode, Proof and limited tests]
Resistance
“…is futile” – The Borg Collective
Barriers to be overcome
• Industrial investment in existing tools, processes, people, training
• NIH (not invented here)
• Not C – yet!
• Certification and tool qualification
• How do I know I have got the right Simulink…?
• …and are safety properties in the Simulink reflected in the code…and can I demonstrate that to the certifier?
Proving Properties - Certification
[Diagram: G{S}, H{S}, Safety Case; Property needs to be provable in the code]
Mind the Gap!
Safety gap
Any Questions?