EVOCS work relevant to MOSAIC

Colin O’Halloran
A presentation to: University of York, 27th November 2007

QinetiQ in confidence © Copyright QinetiQ 10th January 2007 www.QinetiQ.com

Contents

01 WP 4.1.1 Background
02 WP 4.1.1 Extension of CLawZ Simulink Subset
03 WP 4.1.1 Development of Veriflow Subset
04 WP 4.1.2 Background
05 WP 4.1.2 Formalised C Subset and Analysis Tools
06 WP 4.1.3 Robustness Analysis
07 WP 4.2.1 Background
08 WP 4.2.1 Extension of the QinetiQ Dependability Library to automotive applications

WP4.1 Automated and Formal Model Based Design

• WP 4.1.1 – Background
  • Previous work has focussed on safety critical code for flight control laws and the Ada programming language.
  • The tools therefore need to be adapted to cope with the needs of the automotive sector, which means the adoption of the C programming language as well as extending the subsets of the modelling tools as they currently stand.
  • The focus of this work is on individual, high dependability, complex systems which will then form part of a System of Systems.

• WP 4.1.1 – Extension of CLawZ Simulink Subset
  – The CLawZ Simulink subset has been supplied to partners for evaluation
  – A sample of Simulink models has been assessed by QinetiQ
    • Continuous blocks, such as “Clock”, “Integrator” and “Memory”, must be replaced by discrete versions for autocoding and verification.
    • Certain blocks are purely for modelling purposes and are irrelevant to autocoding an implementation, e.g. “From Workspace”, “To Workspace” and the CAN blockset.
    • MATLAB interfaces are problematic because they allow implementation programs to be smuggled in rather than models for autocode.
    • S-Functions explicitly allow implementations to be smuggled in.
    • A recently developed Z producer supports extensions to the Simulink subset; the intention is to support data type conversions and “From” and “Goto” blocks, but undisciplined use of “Goto” and “From” leads to maintenance cost issues.

• WP 4.1.1 – Development of Veriflow Subset
  – Extended tool to automatically generate Z specification from a Stateflow model in order to accommodate large models and automotive style
  – Some validation with “Improved Hood Controller” model supplied by Jaguar-Land Rover
  – Revealed an inefficiency in the tool that is being investigated
  – Tool also generated Ada code to trial the verification approach using the Aerospace toolset
  – Verification from an aerospace domain model to Ada code conducted successfully with measurements for time taken
  – First order measurements indicate that time and cost is equivalent to that taken for the development of safety critical code.

• WP 4.1.2 – Background
  • In order to undertake analysis of the code, a relevant subset of the C programming language will need to be formalised in Z.
  • This subset will be based upon the MISRA guidelines, but will be focussed on semantic as well as syntactic correctness.
  • The breadth of the C subset will provide constraints on the eventual uses, but will ensure that the code is amenable to analysis through the use of automated proof.

• WP 4.1.2 – Formalised C Subset and Analysis Tools
  – MISRA compliant subset language called C♭ has been defined
  – A formal semantics in Z for C♭ statements (this includes assignment) has been defined, except for function calls (deferred but straightforward)
  – A formal semantics in Z for most C♭ expressions has been defined; some binary expressions and “sizeof” expressions to be done (function calls deferred but straightforward)
  – A prototype verification tool based on the formal semantics has been developed and forms part of a validation of the formal semantics.

• WP 4.1.3 – Background
  • Although code can be correct with respect to the design, it is often not apparent at the design stage that the design decisions have implications for the code.
  • These decisions relate to the context of use of the system. In particular, there are 2 main areas of concern: the environment and the processor.
  • This WP will carry out robustness analysis in the context of system and platform through the use of automatic static analysis techniques.

Malporte 2.0 status

• WP 4.1.3 – Robustness Analysis
  – Objectives have remained unchanged:
    • Evolution
    • Soundness
    • Speed
    • Accuracy
  – Introduction of generics into C# to re-implement and simplify Malporte 2.0 architecture.

(Architecture diagram: Producers for C++, C and Ada generate an ANDF file; Installers for 68020 (prototype), SPARC, Intel and Other... targets; Malporte; output formats HTML, XML and Text.)

• Malporte 2.0 architecture reflects the Architecture Neutral Distribution Format (ANDF) Open Software Foundation standard and contains a formal model of memory and access to memory.
  – This underpins soundness and supports evolution.
  – Allows incremental development
• Architecture separates out concerns of symbolic execution and mathematical predicates that describe values in memory and the conditions of access to memory.
• There are hundreds of ANDF constructs that are represented by C# methods on classes.
• Only a fraction of the constructs are used for any specific program and some constructs are seldom used (one construct we have never seen used in practice).

• The ongoing work is the implementation of the methods for these constructs.
• There are certain key constructs that correspond to loops, procedure calls and structures in memory
  – These take a few weeks to implement and test
• Most of the rest take hours or minutes to implement; a small minority will take a few days.
• Progress has been good and QinetiQ are currently analysing an avionics ILS while implementing the methods corresponding to the ANDF constructors used in the C code.
• Validation against Malporte 1.2 results for an ILS occurred at end of October.
• By December we aim to validate Malporte 2.0 against signal conditioning code in an avionics DECMU.

Malporte 2.0 next steps

• Incorporate WMG evaluation into Malporte 2.0 incremental development
• Determine ANDF constructors required for next phase of evaluation
• Compare with ANDF constructors covered for aerospace domain
• Determine what extra constructors require implementation, if any, and focus on these for WMG evaluation.
• In parallel we will be working on simplifying predicate conditions that characterise when software is vulnerable to unpredictable behaviour.
  – Will support human validation and the next phase of WMG evaluation

WP4.2 Dependable Systems of Systems

• WP 4.2.1 – Background
  • Following the selection of a critical part of an automotive SoS architecture, we will develop the Dependability Library (DL) of building blocks to formally represent the specifications of the individual systems’ interfaces.
  • This will include the communications medium and will involve the use of various formalisms in combination, as the properties of any one particular system cannot be represented by one alone.
  • A key component of this extension is the development of automated specification generation from which it should be possible to provide tailor-able building blocks.

• WP 4.2.1 – Extension of the QinetiQ Dependability Library to automotive applications
  – Development of A/C reasoning for automotive domain
    • Vertical A/C ideas
    • Workshop on benefits of A/C reasoning for SoS and identification of case studies from JLR
    • A/C reasoning supports separate description and validation of individual systems
    • Enables compositional reasoning (systems by contracts)
    • Suitable for legacy or Off The Shelf systems, unlike usual approaches
  – Information and models on Immobilisation and Infotainment SoSs provided by JLR
  – Model of immobiliser with library components developed and properties of interest identified with checks
  – Compilation problem with FDR holding this up at the moment
  – Scalability of analysis is the next step