
Systems Engineering for Automating V&V of Dependable Systems

John S. Baras, Institute for Systems Research, University of Maryland, College Park, 301-405-6606

NITRD HCSS-AS National Workshop on Aviation Software Systems: Design for Certifiably Dependable Systems, October 5-6, 2006, Alexandria, VA

Aviation Systems and Software

• Aviation systems are complex heterogeneous engineering systems - hardware and software components
• Must be viewed as distributed, asynchronous and hybrid dynamic systems
• Systems of subsystems that sense, make decisions and execute actions --- many closed-loop subsystems
• Subsystems that perform this sensing or decision making or action execution are not co-located
• Communications occur between sensing blocks, decision making blocks and action execution blocks that are subject to greatly varying constraints on timing, communication bandwidth and delay
• This distributed asynchronous dynamic systems view of avionics systems has not been promoted to date
• Essential, in our view, for understanding:
  – fundamental architectural issues
  – stability and robustness
  – performance vs complexity trade-offs
• Leads to new fundamental rethinking of the foundations for dynamic collaboration between local subsystems, subject to the constraints of distributed real-time operation, asynchronous operation, bandwidth, delay.

ASS as Distributed Hybrid Systems

• Current and future aviation systems are software intensive systems
• Furthermore they are net-centric systems -- they involve many interacting and collaborating agents (cf. systems or subsystems)
• In any approach to design for certifiable dependable systems, a systems engineering methodology must be followed – this means specifically that interactions with human users, other systems and subsystems, and the environment must be accounted for and evaluated
• Challenges:
  – Architecture
  – Requirements and their Management
  – Formalization of the constraints imposed by the physical layer(s)
• What is meant by a dependable system, as well as by certification of a dependable system, is not well understood for systems with the characteristics described above.

Compositional Approach -- Components

• We advocate a Compositional Approach to design for certifiable dependable systems
• Emphasize dynamic systems as well as dynamic dependability (i.e. we include dynamic monitoring, sensing and corrections as allowed means to achieve dependable systems)
• Approach marries quantitative systems engineering with a compositional approach to networked systems -- Components are the critical elements.
• Certification involves both hard certifications as well as soft certifications and is accomplished by a synergistic application of performance analysis (optimization, constraint-based reasoning, logic) as well as formal models (model checking, automatic theorem proving, timing analysis including concurrency).
• Our long term approach will utilize a mixture of methods from computer science (distributed communicating processes, formal models, concurrency, formal verification-validation, model checking, automatic theorem proving) and from control-communication systems (hybrid systems, multi-agent systems, feedback, system dynamics and stability, change detection, adaptive control and correction, robustness).

Compositional Approach - Components

• We develop formal dynamic models for ASS that respect the constraints, while at the same time formally specifying the structure (what does the ASS consist of?) and behavior (what does the ASS do?) from an SE perspective.
• Within this framework, distributed and asynchronous operation will be built in as constraints (logical or numerical), and timing, bandwidth and delay constraints between sensing, decision making and action execution blocks will also be modeled.
• To completely model and understand properties of ASS we need a framework that combines logical and numerical models, thus hybrid systems. But we also need a combination of methods that can handle these hybrid models for decision making, robustness, inference.

Compositional System Synthesis & Integration

[Diagram: Compositional System Synthesis & Integration -- a loop of systems engineering activities with supporting tools]

Activities: Assess Available Information; Define Requirements; Effectiveness Measures; Create Behavior Model; Create Structure Model; Map behavior onto structure; Allocate Requirements; Specifications; Generate derivative requirements metrics; Perform Trade-Off Analysis; Create Sequential Build & Test Plan; Iterate to Find a Feasible Solution / Change as needed; Change structure/behavior model as needed.

Tools (Model-based, beyond UML): Rapsody, UPPAAL, Artist Tools, MATLAB, MAPLE, Modelica, DOORS, etc., OPCAD, CPLEX, SOLVER, ILOG.

Annotations: Integrated System Synthesis Tools - Environments missing …; Integrated Multiple Views is Hard!; Model-Based Information-Centric Abstractions.

Compositional System Synthesis and Integration: the Next Frontier

From a Reductionist Approach to an Integrative Approach

The challenge is to generate predictable system behavior by integrating the behaviors of the components

● It is not all in the software environments
● Need a combination of
  ● Model-Based system and software design and integration
  ● and Deeper analysis of system models and properties

Model-Based System and Software Design and Integration
• Domain Specific Modeling Languages (DSML) with semantics that can be composed and manipulated
• Composition platforms: correct by construction systems platforms and models of computation; substantial reduction in V&V
• System and component behavioral abstractions that can support Incremental System Integration while preserving testability and predictability
• Fully semantically integrated control, software and systems design tools and platforms

Deeper Analysis of System Models and Properties

• Principles for system integration
• Network Science
• System Science
• Fundamental performance limitations of networked systems
• Fundamental implications of physical implementation
• Fundamental performance limitations of distributed asynchronous systems, with concurrency constraints, with non-collocated sensors, decision making and actuation nodes, with multiple feedback loops, with delay and bandwidth constraints
• Distributed control of and inference in the same
• Theories of compositionality
• Much better integration of logic and optimization for trade-off analysis in dynamical systems

Cross-Linked Executable, Formal and Performance Models for ASS

[Diagram: Executable Models, Formal Models and Performance Models as Cross-Linked Models]

• Executable system models (ESM) utilize modern software engineering methodologies to develop object-oriented and component-based models, utilizing UML2 and other advanced software systems – Rapsody, etc. From these models automatic generation of executable code for all elements is possible. Embedded in these models are semantics of the operation and composition of the various components.
• Formal system models (FSM) are based on communicating extended finite state machines (deterministic or stochastic) (CEFSM) or on colored timed Petri nets (deterministic or stochastic) (CTPN). They are linked with the executable models via bisimulation relationships, and typically correspond to approximations of the executable models by emphasizing timing behavior of the modeled system in a timed automata sense.
• Performance system models (PSM) are based on various approximate dynamic system model frameworks (queuing systems, differential equations and fluid flow, difference equations, discrete event systems) together with performance metrics that can be evaluated using the models either analytically or by efficient numerical schemes. Performance models are linked to executable models via bisimulation relationships, and typically correspond to approximations of the executable models emphasizing performance and quality metrics or bounds. Performance models are also linked to formal models via bisimulation relationships and critical event correspondence.
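The bisimulation link between an executable model and its formal abstraction, as an added example that is not part of the slides: a small strong-bisimulation checker (iterative refinement of the candidate relation) applied to a constructed sense / decide / act loop, and to a defective variant whose extra behaviour the formal model does not admit. The state and action names are assumptions, not from the presentation.

```python
# Added example, not from the slides: strong-bisimulation check between an
# executable model (ESM) of a closed-loop sense / decide / act subsystem and
# its formal abstraction (FSM). State and action names are constructed.
from itertools import product

# Labelled transition systems: state -> list of (action, next_state).
# ESM: two redundant sensor channels, both feeding the same decision step.
ESM = {
    "idle":    [("sense", "sensedA"), ("sense", "sensedB")],
    "sensedA": [("decide", "decided")],
    "sensedB": [("decide", "decided")],
    "decided": [("act", "acting")],
    "acting":  [("done", "idle")],
}
# Defective variant: channel B can time out and fall back to idle, a
# behaviour the formal abstraction below does not admit.
ESM_TIMEOUT = {**ESM, "sensedB": [("decide", "decided"), ("timeout", "idle")]}
# FSM: the formal (CEFSM-style) abstraction with a single sensed state.
FSM = {
    "idle":    [("sense", "sensed")],
    "sensed":  [("decide", "decided")],
    "decided": [("act", "acting")],
    "acting":  [("done", "idle")],
}

def _matched(m_from, m_to, s, t, rel, flipped):
    """Every move of s in m_from must be matched by an equally labelled move
    of t in m_to whose targets are still related in rel (rel holds
    (m1 state, m2 state) pairs; flipped=True when m_from is m2)."""
    for a, s2 in m_from.get(s, []):
        targets = (t2 for b, t2 in m_to.get(t, []) if b == a)
        if not any(((t2, s2) if flipped else (s2, t2)) in rel for t2 in targets):
            return False
    return True

def bisimilar(m1, m2, init1, init2):
    """Greatest strong bisimulation by iterative refinement: start from all
    state pairs and drop any pair either side cannot match until stable.
    Returns (are the initial states related?, surviving relation)."""
    rel = set(product(m1, m2))
    changed = True
    while changed:
        changed = False
        for s, t in list(rel):
            if not (_matched(m1, m2, s, t, rel, False) and _matched(m2, m1, t, s, rel, True)):
                rel.discard((s, t))
                changed = True
    return (init1, init2) in rel, rel

if __name__ == "__main__":
    print("ESM ~ FSM:", bisimilar(ESM, FSM, "idle", "idle"))          # True, 5 pairs
    print("ESM_TIMEOUT ~ FSM:", bisimilar(ESM_TIMEOUT, FSM, "idle", "idle"))  # False, set()
```

A single unmatched transition (the timeout) removes its pair and then propagates round the loop, so no pair survives; the set of dropped pairs points at where the executable model and the formal model disagree.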

Cross-Linked Models

• This is already a substantial extension from current distributed software engineering practice
• A further extension is that we will develop a formal compositional (or component based) version of this approach.
• This includes development of semantics for linking components of the software and of the system, including the associated theories of components and compositionality. This methodology and framework is in itself an important contribution to system science.
• It is this specific framework and underlying mathematical methodologies that we utilize to describe, model and evaluate the structure of ASS (including software structure and architecture) versus multi-criteria (multiple metrics) performance.
• Represents an innovative departure from the current state of the art in ASS investigations, which focus almost entirely on behavior (i.e. the dynamics of the algorithms implemented by the ASS).

Cross Linked Models

• Our framework allows us to investigate the design of both structure and operation (i.e. behavior) within a well-integrated framework.
• A significant and unique feature of our approach is that we will be able to check correctness of functionality as well as performance of the software system or its components.
• Furthermore, and most significantly, the proposed approach and framework allows the automation (to a large degree) of the validation, verification and testing of the software system and of its dynamic operation.