Validating a Hamilton-Jacobi Approximation to Hybrid


National Workshop on Aviation Software
Systems for The Second Century of Flight:
Design for Certifiably Dependable Systems
(HCSS-AS)
Claire Tomlin (UCB/Stanford)
John Hansman (MIT)
Jonathan Sprinkle (UCB)
(Co-chairs)
October 5-6, 2006
Alexandria VA
http://chess.eecs.berkeley.edu/hcssas/
Welcome
• The Federal Government recognizes that the rapidly increasing software
and system complexity of aviation systems makes the development of
high integrity, high confidence aviation software and systems crucial for
the future of civilian and military aviation systems
• 67 registered participants
– 28 from academia
– 21 from industry
– 18 from government
• 30 position papers
• Sponsors:
– NSF (Helen Gill)
– NCO (Frankie King, Sally Howe)
– Federal Networking and Information Technology Research and Development
(NITRD) Program High Confidence Software and Systems (HCSS)
Coordinating Group (CG)
• Supporting government agencies: FAA, NASA, AFRL, OSD
The Problem Statement
• Software related issues are the “Achilles Heel” of modern aerospace system
development
– low level programming, ad hoc approaches, stand-alone and static
implementations, and little code re-use
– prolonged design schedules, excessive cost, dis-innovation, difficulty in
maintenance, upgrades, and retrofits
– issue is exacerbated for critical systems where high integrity requirements yield
certification challenges and barriers
– verification and validation is labor intensive and expensive
• Exacerbated for critical systems with high integrity requirements
• Current processes are inefficient and inadequate for future needs
– Increased functionality leads to added complexity
– Networked distributed systems
– reconfigurable, adaptive, mixed initiative
• Academic community generally decoupled from practitioners
• New approaches, understanding and breakthroughs required
• Success would be a significant economic and opportunity stimulant
• Issue recognized by many organizations but real progress has been slow
HCSS-AS Workshop Planning Meeting
• November 9-10, 2005 at the University of Washington,
Seattle
• 35 invited participants from academia, industry, and
government
• Goals of the Workshop Planning Meeting:
– Identify the key issue areas which will form the basis for the
workshop
– Define the key players who should be included
– Define the current state of the art in software for critical aviation
systems
– Lay out potential research programs
• Talks and all other information available at:
http://chess.eecs.berkeley.edu/hcssas/
Key Issues Identified
• Certification Issues
– What should the certification criteria be?
– How do you certify non-deterministic or adaptive systems?
– Overlap between software and other parts of the system
– Security issues
• Costs or Barriers to Innovation
– Design for certification
– Lifecycle issues, costs of upgrades, etc.
– Design for reuse
• Methods
– Automated tools for V&V
– Experimental platforms
– Metrics
• Systems Issues
– Human/software integration issues
– Hardware/software integration issues
– Integration with procedures/environment
• Emergent Issues
– Adaptive, non-deterministic systems
• Education
Application Domains
– Air Traffic Management (ATM)
– Unmanned Aerial Vehicles (UAVs)
– Flight control
– Command and Control (C&C)
– Communication, Navigation, and Surveillance (CNS) systems
– Aircraft and infrastructure integration
HCSS-AS Workshop
Overall Goal:
Improve the design, certification, and operation of next generation
avionics platforms, while maintaining strict levels of safety
Workshop goal:
– Bring together the practice community with the research
community to define the intellectual agenda in software for critical
aviation systems
• Define current state of the art
• Identify key issues and needs
• Identify promising research approaches
• Define educational needs and approaches
HCSS-AS Workshop: Education
Motivation:
• “We need to understand a priori how the costs would get
reduced if we invested in a better process for software design and
certification.”
• “What technologies, what metrics, need to be achieved to instill
confidence in an automated function?”
Education:
• What are the common abstractions that everyone in the domain
should understand? (Logic, dynamics, control…)
• It is hard to develop real-world scalable solutions without good
examples, and it is hard to get good examples: how to recruit
exemplars (sanitized) of “close to” real examples from industry?
• Need a “science of flight critical systems assurance”
Overall Program
• 4 Keynote talks
– John Hansman
– Michael Leahy
– John Rushby
– Don Winter
• 5 Invited Talk Sessions
– Applications
– Certification and assessment
– Systems issues
– Education
– Methods
• General discussion time
• 4 Working Groups
– Applications
– Certification and assessment
– Systems and crosscutting issues
– Methods
• 2 Breakout sessions:
– Thursday afternoon
– Friday morning and afternoon
• Working group outbriefs:
– Friday 2-3pm
Questions to Participants
• For working group break out sessions, participants are asked to
consider each of the following four questions:
– What are the top three lessons learned/technology in this area of X?
– What are the top three needs that have not been met?
– What are the top three research topics/challenges (with timelines)
being/should be pursued in your domain of expertise related to X?
– What are the top three challenges (with timelines) in the area of X
(including outside your domain of expertise)?
• There will be a leader and scribe assigned to each working group
• Working group deliverables:
– By Friday 2pm, the working groups will provide annotated powerpoint
of the working group discussion.
Working group outbriefs and written report
• Problem statement
• Summary of state of the art
• R&D challenges
• Prioritized list of IT research needs
• Roadmap for the next 5 and 10 years
Deliverables of the Workshop
• Immediately after the workshop, the HCSS-AS
website will have
– Copies of the presentation slides
– Audio clips of (some of) the talks
• First draft of WG summaries: November 2006
• Final draft of WG summaries: January 2007
• First draft executive summary: February 2007
• Final report: April 2007
Today’s schedule
• Keynote address: John Hansman
• Morning:
– Applications session
– Discussion
• Keynote address: Michael Leahy
• Afternoon:
– Certification and assessment
– Systems issues
– Education
• Working groups
• 6pm: Reception
Backups
[Diagram: System Development and Certification lifecycle, shown as the following stages]
Model V&V
• Control Power V&V
• Control Law V&V
• Functional V&V
Requirements Development
Design/Implementation
Software V&V
• Unit/Component Test
• Hardware/Software Integration (HSI)
Hardware V&V
System and Software Testing
• Qualification Test (Safety of Flight)
• Aircraft Integration
System V&V
System Certification
• Standalone (Static)
• Integrated (Dynamic)
• Failure Modes and Effects Test (FMET)
[Source: Jim Buffington, LM Aero]
FAA regulatory standard: RTCA DO-178B
FAA standard (1992):
RTCA DO-178B (Eurocae standard ED-12B)
“Software Considerations in Airborne Systems and
Equipment Certification”
[Document cover: “Software Considerations in Airborne Systems and Equipment
Certification”, Document No. RTCA/DO-178B, December 1, 1992, prepared by SC-167,
RTCA (“Requirements and Technical Concepts for Aviation”)]
• “Process-based” certification
• Interesting points:
– Certification applies to the end product (i.e. airframe), incl. all systems
– Applies to a given application of a given product (other applications of the
same product require further certification)
– It requires that all code MUST be there as a direct result of a requirement
– It requires full testing of the system and all component parts (including the
software) on the target platform and in the target environment
– Objectives-based tables: “What, not how”
• Criticality Categories (A,B,C,D) / Objectives Matrix
[sources: Jim Krodel, Pratt & Whitney, http://aar400.tc.faa.gov/Programs/FlightSafety/sdss/]
Issues Under Consideration for SC205 Sub-groups
• Technology/Domains Under Consideration
– Formal Methods
– Model Based Design & Verification
• Model Verification and Level of Pedigree
• Certification of Proof by Models
– Software Tools
• And our reliance on them from a certification perspective
– Object Oriented Technology
– Comms-Nav-Sur/Air-Traffic-Management
[source: Jim Krodel, Pratt & Whitney]
Tools for modeling, design, and code generation
Designing safety critical control systems requires a seamless cooperation
of tools:
– Modeling and design at the control level
– Development tools at the software level
– Implementation tools at the platform level
[Figure: tool chain Simulink / SCADE/Lustre / TTA]
An example (from Paul Caspi’s group, Verimag, Grenoble)
is a tool which combines:
• Simulink: natural control design tool, yet lacks essential programming
language features (typing, modularity, simple and clear semantics)
• SCADE/Lustre: SCADE (Safety Critical Application Development
Environment) based on the synchronous programming language Lustre
– Includes a DO-178B compliant automatic code generator
– Used in Airbus A340, A380
• TTA (Time Triggered Architecture): distributed implementations built
on a synchronous bus distributing to every computing unit a global fault
tolerant clock
– Used in Boeing B777 fly-by-wire system
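As an added illustration (not code from the Verimag tool chain, from SCADE, or from the workshop slides), the following Lustre program shows the three language features the slide credits to SCADE/Lustre over Simulink: a declared type on every stream, modular nodes that compose, and a synchronous cycle-by-cycle semantics in which `pre` reads the previous cycle's value and `->` supplies the value for the first cycle. The rate limiter, its step size and the property node are constructed for this example; the final boolean stream `ok` is written the way a safety property is stated for a Lustre model checker, which matters for the “automated tools for V&V” item earlier in the slides.

```lustre
-- Added example, not part of the original slides or of any Verimag/SCADE tool.
-- Constructed step size: the actuator command may move at most this
-- much (in the command's units) per synchronous cycle.
const STEP : real = 0.5;

-- Rate limiter. Every stream has a declared type; `init -> pre(out)`
-- means "init on the first cycle, otherwise last cycle's out".
node RateLimit(cmd, init, step : real) returns (out : real);
var prev : real;
let
  prev = init -> pre(out);
  out  = if cmd > prev + step then prev + step
         else if cmd < prev - step then prev - step
         else cmd;
tel

-- Composition: the limiter is reused as a node, and the requirement
-- "the output never jumps by more than STEP per cycle" is expressed as
-- a boolean stream `ok`. A Lustre model checker can be asked to prove
-- that `ok` is true on every cycle for every input sequence `cmd`.
node CheckRateLimit(cmd : real) returns (out : real; ok : bool);
var prev : real;
let
  out  = RateLimit(cmd, 0.0, STEP);
  prev = 0.0 -> pre(out);
  ok   = (out - prev <= STEP) and (prev - out <= STEP);
tel
```

Reading the program as a certification artifact rather than as software: each equation defines exactly one stream, there is no hidden scheduling or side effect, and the only state is what `pre` names explicitly, which is what lets a code generator trace every generated statement back to a requirement-level equation in the way DO-178B demands.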