Automatic Verification and Analysis of Complex Systemsalur/NSFSymbolic08/Damm.pdf · Exponential...
Transcript of Automatic Verification and Analysis of Complex Systemsalur/NSFSymbolic08/Damm.pdf · Exponential...
-ALBERT-LUDWIGSUNIVERSITÄT FREIBURG
AVACS*Automatic Verification and Analysis
of Complex SystemsSelected Results first funding phase
Werner DammAVACS coordinator
*see www.avacs.org
•Werner Damm•Martin Fränzle•Ernst Rüdiger Olderog•Oliver Theel
•Bernd Finkbeiner•Holger Hermanns•Reinhard Wilhelm
•Kurt Mehlhorn•Viorica Sofronie-Stokkermann•Uwe Waldmann•Christoph Weidenbach
•Bernd Becker•Bernhard Nebel•Andreas Podelski•Christoph Scholl
Associated PIs•George Pappas, U of Pennsylvania
•Stephan Ratschan Academy of
Sciences of the Czech Republic
•Lothar Thiele ETHZ
DFG Funding: ~ 2.5 M € /Year4+4+4 years, 1.1.2004
65 Research Assistants,29 of which are funded by the DFG
AVACS Structure
NSF Workshop on Symbolic Computation3
-ALBERT-LUDWIGSUNIVERSITÄT FREIBURG
Structure of Presentation
• Application Challenges• Where we are: Highlights of Phase I• Conclusion
Exponential Growth in Complexity: Avionics
FlightControl
Utilities
Cockpit
AESU1
EHM1
EHM2
EEC1
EEC2
FCSC1COM MON
FCSC2FCGC2
FCGC3
SFCC2
COM MONCOM MONSFCC1
FCGC1
ADIRU1
ADIRU3
ADIRU2
FM3
FM2FM1
FW2FCDC2
FW1FCDC1
AESU2
ACR2 opt
SCI
L1 L2 R2 R1
C2 R3
C1EEC4
EHM4
EEC3
EHM3
SW13
IOM
ELMCBMSB24
ELMCBMSB24
FuelCOM MON
FuelLG,TP&BSCOM MON
CIDS
Ventil °&press
CIDS
IRDC
COM MONLG,TP&BS
COM MON
COM MON COM MON COM MON
IOM
ACR1
SCI
Air conditioning
PESC
SPDB
IPCU
SPDB
VSCPWCU
IRDC
doors ctrl,oxygen ctrl
ext lightsctrl
IPCU
ECB
HSMAIC?
HSMAIC?
COM MONFCSC3 TBCCOM MON
L3
IOMIOM ACMFFDIF
ATC1 ATC2
Ventil °&press Air conditioningimplementation TBD
Engines
OpenWorld
767/
A31
0
777
A34
0-60
0 A38
0 (T
BC
)
CO
NC
OR
DE
/AP
OLL
O
747-
200
A30
0
A33
0
A32
0Function SW in MB
Signal Interfaces x 1000
© H. Butz, Airbus, AAET 2005
0
100
200
300
400
500
600
700
1965 1970 1975 1980 1985 1990 1995 2000 2005
NSF Workshop on Symbolic Computation5
-ALBERT-LUDWIGSUNIVERSITÄT FREIBURG
1980 1985 1990 1995 2000 2005 2010
10kB
100kB
1MB
10MB
100MB
1GB
6502
68000
80486
PII
P4
7er
7er
7er5er
7er Successor
ca. 7 yearsHW Growth Rate 70%2
SW Growth Rate 300%2
Every 4 years: tenfold increase
Flash MemoryPC RAM
1 H.-G. Frischkorn, BMW 2W. Schleuter, Audi
Exponential Growth in Complexity –Memory Usage in Vehicles1
Sample Automotive Applications: Active and Passive Safety Systems
© Siemens VDO Automotive AG
Reduction of accident probability
Get ready for the accident
Mitigation of accident impactfor passengers
Normal Driving Critical Condition Pre-Crash In-Crash Post-Crash
pro.pilot
Blind Spot DetectionLane Departure WarningNight VisionAdaptive Cruise ControlDriver Monitoring
Vehicle Dynamics
ABSAnti Slip Control (e.g. ESP)
Pre-Crash system
RestraintSystem
Front AirbagSide Airbag
Post-Crash system
GSMTelemetricsRescue
Sco
peS
yste
mS
ituat
ion
Accident happensAccident avoidance
C r a s h
NSF Workshop on Symbolic Computation7
-ALBERT-LUDWIGSUNIVERSITÄT FREIBURG
The Application Context
• Complex Embedded Systems are key enablers for safeflight and safe ground transportation
• Exponential growth in system complexity is a challenge for quality assurance
• In choosing benchmarks from embedded transport applications, AVACS contributes to meeting forthcoming requirements of pertinent safety standards– “If a model-based approach meets the criteria to be
considered a formal method, formal verification techniques such as reasoning or proof can be used to meet certification objectives. . . ” (from moderated forum on DO 178 C definition)
NSF Workshop on Symbolic Computation8
-ALBERT-LUDWIGSUNIVERSITÄT FREIBURG
Automatic Verification of Complex Systems: Models
• Extremely Heterogeneous Model Space– Systems of Systems– ....– Cycle Accurate models of
HW• Comprehensive and
Scalable Verification requires– Relating Models at
different Design Levels– Identification of typical
model characteristic
RBC RBC
NSF Workshop on Symbolic Computation9
-ALBERT-LUDWIGSUNIVERSITÄT FREIBURG
Requirements
Heterogeneous RequirementSpace– Reliability
„probability of total a/c failure is lessthan 10-9 per flight hour“
– Coordination“Crossing will grant access if secured”
– Local Control“The train will never run faster than
permitted speed”“enforce brake profile”
– Real-Time“When receiving unconditional
emergency stop message the train shall be tripped within 5 msec”
“Brake curve control task activated every 30 msecs”
RBC RBC
NSF Workshop on Symbolic Computation10
-ALBERT-LUDWIGSUNIVERSITÄT FREIBURG
To Cover the Model- and Requirement Space of Complex Safety Critical Systems
with Automatic Verification Methods
Giving Mathematical Evidenceof Compliance of Models
To Dependability, Coordination, Controland Real-Time Requirements
The AVACS Vision
Verificationof Hybrid Systems
Verificationof Hybrid Systems
Verificationof Real-
TimeSystems
HolisticSystem
Verification
AVACS Competence Layers
V&A Core Technologies
Abstraction – Decision Diagrams – Constraint Solving – Heuristic Search – Linear Programming – Model Checking – Lyapunov Method – SMT – Decision Procedures
Combining V&A Technology( x1&x2& …xn for s )*
xj ∈ v&a kernel technologies, s ∈ systems
Models of Complex Systemsreal-time – hybrid –distributed system – systems of systems
Complex SystemsEmbedded Transportation Applications
AVACS
Apply divide-and-conquer approach: Tackle in first phase each dimension of
complexity in isolation
-ALBERT-LUDWIGSUNIVERSITÄT FREIBURG
Where we are: Highlights of Phase I
NSF Workshop on Symbolic Computation13
-ALBERT-LUDWIGSUNIVERSITÄT FREIBURG
Dimensions of Complexity I: Real-Time< 30 ms
< 10 ms Challenge– Concurrency– Rich specification
languages– Time Gap from virtual
Timing to physicalExecution Time
– WCET on distributedtarget architectures
NSF Workshop on Symbolic Computation14
-ALBERT-LUDWIGSUNIVERSITÄT FREIBURG
AVACS Today
Automatically verify real time systems with complex data(reals, parameters, unbounded arrays of reals, …., ETCS emergency message system)Fast bug finding in systems with 65 processes and a product state space of 1.88 x 10104 statesGuarantees for Worst Case Execution Time for airborne processor boards used for primary flight control in A380Automatic optimal task deployment (100 tasks) on industry standard target architectures (30 Electronic Control Units)Bridge from virtual time models to physical execution time on industry standard target architectures
Dimensions of Complexity II: Hybrid Systems
Challenge– Dimensionality Barrier
„Does it work? Up to 10dimensions. Sometimes...“[E. Asarin, 2004]
– Complex dynamicsClosed deterministic linear vs open non linear
– Large discrete state space– Beyond Safety
NSF Workshop on Symbolic Computation16
-ALBERT-LUDWIGSUNIVERSITÄT FREIBURG
AVACS Today
Bounded model checking of open linear hybrid systemswith up to 25 dimensions (Train Collision Avoidance system)Proving safety of non-linear hybrid systems with transcendental functions (TCAS Round-About maneuver)Verification of linear hybrid automata with up to 220
discrete states (Flap Controller)BMC on design-level controller models with linear dynamicsand up to 2240 discrete states and 18 dimensionsVerify asymptotic stability of linear HS (speed supervision) and non-linear systemsVerify full LTL requirements on non-lineardiscrete time HS (TCAS Round-About man.)
NSF Workshop on Symbolic Computation17
-ALBERT-LUDWIGSUNIVERSITÄT FREIBURG
Coping with Complex Dynamics in Hybrid Systems
• Developed suite of constraint-solving (HySAT, HSolver, iSAT) and automata based approaches (LIRA) for BMC of hybrid systems with linear and non-linear dynamics
• Key Results– HySAT: performance improvements for linear dynamics by multiple
orders of magnitude, demonstrated using scalable model of “elastic train-platoon” benchmark over existing BMC approaches, based on learning and structure exploitation
– iSAT: integrating learning into interval-based constraint solving for non-linear robust systems leads to consistent speed-up of multiple orders of magnitude, outperforms AB-Solver by orders of magnitude on non-trivial benchmarks
– LIRA outperforms LASH as decision procedure for FO(R,Z,+,<) by orders of magnitude, based on BDD based automata representations
NSF Workshop on Symbolic Computation18
-ALBERT-LUDWIGSUNIVERSITÄT FREIBURG
Coping with large discrete state spaces in HS
• Challenge addressed– Industrial controller models show large discrete state spaces
(induced e.g. from counters, healthiness checks, parallel state machines, …)
– Explicit discrete state representation not feasible• Key results
– Model-Checking of linear hybrid automata with precise on-the-fly predicate abstraction combining AIG(Lin), HySAT, and decision procedures demonstrated on variants of Flap Controller and TrainApplication with more than 220 discrete states
– CEGAR Approach addressing design-level controller models as captured in Statemate, Scade, … by learning ω-Automata fromcounterexamples drastically reduces number of refinement steps, demonstrated on
• Autopilot model with 235 discrete states and 23 reals• Flap Controller with 2240 discrete states and 18 reals
NSF Workshop on Symbolic Computation19
-ALBERT-LUDWIGSUNIVERSITÄT FREIBURG
Beyond Safety: coping with Richer Requirements
• Challenge addressed– Extending the scope of hybrid system verification methods beyond
verification of safety properties• Key results
– Automatic synthesis of Lyapunov function demonstrating asymptotic stability based on LMI (linear systems) resp. non-linear robust constraint solving, demonstrated e.g. on train-speed supervision controller
– Abstraction refinement based approach for proving region stability for linear hybrid systems, demonstrated on suite of benchmarks including emergency braking
– Abstraction refinement based algorithm for verifying full LTL requirements for non-linear discrete time hybrid systems guaranteed to terminate for robust designs
– Proof System for Hybrid Dynamic Logic for parameterized verification of non-linear hybrid systems
• demonstrated on ETCS collision avoidance protocol
NSF Workshop on Symbolic Computation20
-ALBERT-LUDWIGSUNIVERSITÄT FREIBURG
Dimensions of Complexity III: Systems
Challenge– Complexity– Dynamically
Cooperating Systems– Dependability
Properties
RBC RBC
Event 2
Event 1
Event 3
NSF Workshop on Symbolic Computation21
-ALBERT-LUDWIGSUNIVERSITÄT FREIBURG
AVACS Today
Disproving Realizability through Black-Boxing reduces state space of 2310 to 2184 states in Wireless Interlocking Protocol of Deutsche Bahn (FFB) (13.8 s falsification time)
Automatic Verification of safety and liveness properties of dynamically communicating systems (Platooning)
Integrated tool-chain for probabilistic timed reachabilityanalysis of hazardous states (Brake-Risk Assessment for ETCS Level 3, 1023 states, reduced by optimizations to 105
states)
NSF Workshop on Symbolic Computation22
-ALBERT-LUDWIGSUNIVERSITÄT FREIBURG
Automating Compositional Verification
• Challenge addressed: Partial design verification– Proving realizability of partial designs– Inferring all we need to know about unknown components– Generating certificates/documentation sufficient to re-verify designs
for changed component implementations• Key results
– Precise characterization of borderline of decidability of realizability based on key concept of information forks
– On-the-fly synthesis of assumptions for compositional model-checking yielding 6 fold improvement over monolithic verification
– Combination of AI-learning, SAT/BDD based multi-valued logic verification, and automata-minimization based methods
• FFB Benchmark 4 trains, 28 train segments, demonstrated collision in presence of faulty component within 15 s
• Multi-party signature signing protocol, outperforming Mocha by two orders of magnitude
NSF Workshop on Symbolic Computation23
-ALBERT-LUDWIGSUNIVERSITÄT FREIBURG
Coping with systems-of-systems
• Challenge addressed– Cooperation between traffic agents is based on dynamically
changing communications structures, with agents dynamically entering and leaving cooperation-partnerships
– Automatic verification of coherence to cooperation protocols coping with dynamically changing communication structure
• Key results:– Concise mathematical models, logics and algorithms for the
verification of dynamically communicating systems combining shape analysis, abstraction refinement, predicate- and data-abstraction, abstraction refinement, and symbolic model-checking for verification of both safety (e.g. about adhering to legal shapes) and liveness (e.g. merge maneuvers will complete) properties
– Demonstrated on car-platooning benchmark
NSF Workshop on Symbolic Computation24
-ALBERT-LUDWIGSUNIVERSITÄT FREIBURG
Formal dependability analysis of system models
• Challenge addressed:– Provision of guaranteed probabilistic bounds on occurrence of top-
level events for system models enriched with fault-hypothesis within given time-period
• Key results:– Formal Reduction to model-checking of continuous time markov
decision processes, underlying complete tool-chain computing probability of cut-sets for system models and failures captured in extension of Statemate
– Drastric improvements in efficiency due to series of optimizations including fully symbolic algorithm for computing branching simulation quotients allowing to handle models out of reach for previously existing stochastic model-checking algorithms
– Demonstrated on ETCS case study• Allowing to handle models with 1023 states • Optimizations size passed to stochastic mc to 105 states
-ALBERT-LUDWIGSUNIVERSITÄT FREIBURG
Conclusion
NSF Workshop on Symbolic Computation26
-ALBERT-LUDWIGSUNIVERSITÄT FREIBURG
Conclusion
• Symbolic analysis methods are instrumental for coping with the complexity of industrial applications in demonstrating their safety
• Industry standards are increasingly pushing towards application of formal methods in establishing safety– ISO CD 26262 – DO 178 C– Cenelec EN 50128
• Significant investments in foundational research are required to lift scalability and scope of symbolic analysis methods to the level required for such future usages
• See www.avacs.results for publications and benchmarks
Impact on Transportation Domain
7 FP
ARTEMIS
JTI
BMBF Funding
Programs
ITEA2
Innovation Potentials
Benchmarks
IndustrialChallenges
ResearchProjects
Funding
AVACS
Airbus, Alstom, Bosch, BMW, Carmeq, Continental, DaimlerChrysler, EADS, IAI, Infineon, Knorr-Bremse, SiemensTransportation, SiemensVDO, ST Microelectronics, Thales
AbsInt, Extesy, ETAS, EsterelTechnologies, OSC Embedded Systems, Telelogic
Proposals
-ALBERT-LUDWIGSUNIVERSITÄT FREIBURG