Systems Engineering for Automating V&V of Dependable Systems
John S. Baras, Institute for Systems Research, University of Maryland College Park, 301-405-6606, [email protected]
NITRD HCSS-AS National Workshop on Aviation Software Systems: Design for Certifiably Dependable Systems, October 5-6, 2006, Alexandria, VA
Aviation Systems and Software
• Aviation systems are complex heterogeneous engineering systems, with hardware and software components
• They must be viewed as distributed, asynchronous and hybrid dynamic systems
• They are systems of subsystems that sense, make decisions and execute actions: many closed-loop subsystems
• The subsystems that perform this sensing, decision making or action execution are not co-located
• Communications occur between sensing blocks, decision-making blocks and action-execution blocks, and are subject to greatly varying constraints on timing, communication bandwidth and delay
• This distributed asynchronous dynamic systems view of avionics systems has not been promoted to date
• It is essential, in our view, for understanding fundamental architectural issues, stability and robustness, and performance vs. complexity trade-offs
• It leads to a new fundamental rethinking of the foundations for dynamic collaboration between local subsystems, subject to the constraints of distributed real-time operation, asynchronous operation, bandwidth and delay
Aviation Software Systems (ASS) as Distributed Hybrid Systems
• Current and future aviation systems are software intensive systems
• Furthermore they are net-centric systems: they involve many interacting and collaborating agents (cf. systems or subsystems)
• In any approach to design for certifiably dependable systems, a systems engineering methodology must be followed; specifically, this means that interactions with human users, other systems and subsystems, and the environment must be accounted for and evaluated
• Challenges:
  – Architecture
  – Requirements and their management
  – Formalization of the constraints imposed by the physical layer(s)
  – What is meant by a dependable system, as well as by certification of a dependable system, is not well understood for systems with the characteristics described above
Compositional Approach -- Components
• We advocate a Compositional Approach to design for certifiably dependable systems
• Emphasize dynamic systems as well as dynamic dependability (i.e. we include dynamic monitoring, sensing and corrections as allowed means to achieve dependable systems)
• The approach marries quantitative systems engineering with a compositional approach to networked systems -- Components are the critical elements
• Certification involves both hard certifications as well as soft certifications, and is accomplished by a synergistic application of performance analysis (optimization, constraint-based reasoning, logic) as well as formal models (model checking, automatic theorem proving, timing analysis including concurrency)
• Our long term approach will utilize a mixture of methods from computer science (distributed communicating processes, formal models, concurrency, formal verification-validation, model checking, automatic theorem proving) and from control-communication systems (hybrid systems, multi-agent systems, feedback, system dynamics and stability, change detection, adaptive control and correction, robustness)
Compositional Approach - Components
• We develop formal dynamic models for ASS that respect the constraints, while at the same time formally specifying the structure (what does the ASS consist of?) and the behavior (what does the ASS do?) from a systems engineering perspective
• Within this framework, distributed and asynchronous operation will be built in as constraints (logical or numerical), and the timing, bandwidth and delay constraints between sensing, decision making and action execution blocks will also be modeled
• To completely model and understand properties of ASS we need a framework that combines logical and numerical models, thus hybrid systems; but we also need a combination of methods that can handle these hybrid models for decision making, robustness and inference
Compositional System Synthesis & Integration
[Figure: Integrated System Synthesis Tools - Environments missing ... Process steps shown: Assess Available Information; Define Requirements; Effectiveness Measures; Create Behavior Model; Create Structure Model; Map behavior onto structure; Allocate Requirements; Specifications; Generate derivative requirements metrics; Perform Trade-Off Analysis; Create Sequential Build & Test Plan; Iterate to Find a Feasible Solution / Change structure/behavior model as needed. Tools shown: Model-based Beyond UML, Rhapsody, UPPAAL, Artist Tools, MATLAB, MAPLE, Modelica, DOORS, etc., OPCAD, CPLEX, SOLVER, ILOG. Caption: Integrated Multiple Views is Hard!]
Model-Based Information-Centric Abstractions
Compositional System Synthesis and Integration: the Next Frontier
● From a Reductionist Approach to an Integrative Approach
● The challenge is to generate predictable system behavior by integrating the behaviors of the components
● It is not all in the software environments
● Need a combination of
  ● Model-Based system and software design and integration
  ● and Deeper analysis of system models and properties
Model-Based System and Software Design and Integration
• Domain Specific Modeling Languages (DSML) with semantics that can be composed and manipulated
• Composition platforms: correct-by-construction systems platforms and models of computation; substantial reduction in V&V
• System and component behavioral abstractions that can support Incremental System Integration while preserving testability and predictability
• Fully (semantically) integrated control, software and systems design tools and platforms
Deeper Analysis of System Models and Properties
• Principles for system integration
• Network Science
• System Science
• Fundamental performance limitations of networked systems
• Fundamental implications of physical implementation
• Fundamental performance limitations of distributed asynchronous systems, with concurrency constraints, with non-collocated sensors, decision making and actuation nodes, with multiple feedback loops, with delay and bandwidth constraints
• Distributed control of, and inference in, the same
• Theories of compositionality
• Much better integration of logic and optimization for trade-off analysis in dynamical systems
Cross-Linked Executable, Formal and Performance Models for ASS
[Figure: Cross-Linked Models, linking Executable Models, Formal Models and Performance Models]
• Executable system models (ESM) utilize modern software engineering methodologies to develop object-oriented and component-based models, utilizing UML2 and other advanced software systems (Rhapsody, etc.). From these models, automatic generation of executable code for all elements is possible. Embedded in these models are the semantics of the operation and composition of the various components.
• Formal system models (FSM) are based on communicating extended finite state machines (deterministic or stochastic) (CEFSM) or on colored timed Petri nets (deterministic or stochastic) (CTPN). They are linked with the executable models via bisimulation relationships, and typically correspond to approximations of the executable models that emphasize the timing behavior of the modeled system in a timed automata sense.
• Performance system models (PSM) are based on various approximate dynamic system model frameworks (queuing systems, differential equations and fluid flow, difference equations, discrete event systems) together with performance metrics that can be evaluated using the models either analytically or by efficient numerical schemes. Performance models are linked to executable models via bisimulation relationships, and typically correspond to approximations of the executable models that emphasize performance and quality metrics or bounds. Performance models are also linked to formal models via bisimulation relationships and critical event correspondence.
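The two ideas the slides rely on, composing a system model from sensing, decision-making and actuation components and linking the composed ("executable") model to an abstract ("formal") model through a bisimulation relationship, can be made concrete on a small labelled transition system. The following is an added example written for this page; it is not code from the Baras/ISR work, and every state name, action name and component is constructed for the illustration. It composes a sensor and a controller with a synchronous product, then checks by partition refinement whether a four-step abstract cycle is strongly bisimilar to the composite, and shows the check failing for a controller variant whose second decision path never actuates.

```python
"""Added example (not from the slides): compose component state machines into
an executable system model and check an abstract formal model against it for
strong bisimulation.  Names of states and actions are constructed."""
from collections import defaultdict


class LTS:
    """Labelled transition system: an initial state plus (src, action, dst) triples."""

    def __init__(self, init, transitions):
        self.init = init
        self.states = {init}
        self.succ = defaultdict(set)          # (state, action) -> set of successors
        for src, act, dst in transitions:
            self.succ[(src, act)].add(dst)
            self.states |= {src, dst}

    def actions(self):
        return {act for (_, act) in self.succ}

    def step(self, state, act):
        return self.succ.get((state, act), set())


def compose(p, q, sync):
    """Synchronous product of two LTSs: actions in `sync` fire jointly in both
    components, every other action interleaves.  Only reachable states are kept."""
    init = (p.init, q.init)
    trans, seen, todo = set(), {init}, [init]
    while todo:
        sp, sq = todo.pop()
        moves = []
        for act in p.actions() | q.actions():
            if act in sync:
                for tp in p.step(sp, act):
                    for tq in q.step(sq, act):
                        moves.append((act, (tp, tq)))
            else:
                moves += [(act, (tp, sq)) for tp in p.step(sp, act)]
                moves += [(act, (sp, tq)) for tq in q.step(sq, act)]
        for act, nxt in moves:
            trans.add(((sp, sq), act, nxt))
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return LTS(init, trans)


def bisimilar(m1, m2):
    """Strong bisimulation check by naive partition refinement over the disjoint
    union of both state spaces; terminates because the LTSs are finite."""
    systems = {1: m1, 2: m2}
    states = [(i, s) for i in systems for s in systems[i].states]
    acts = m1.actions() | m2.actions()
    block = {st: 0 for st in states}                # start with a single block
    while True:
        ids, new_block = {}, {}
        for i, s in states:
            # signature: current block plus the (action, target block) pairs
            sig = (block[(i, s)], frozenset(
                (act, block[(i, t)]) for act in acts for t in systems[i].step(s, act)))
            new_block[(i, s)] = ids.setdefault(sig, len(ids))
        if len(ids) == len(set(block.values())):    # no block was split: stable
            return new_block[(1, m1.init)] == new_block[(2, m2.init)]
        block = new_block


# Constructed components: a sensor that samples, sends its reading and then
# waits for the actuation it triggered (a closed loop), and a controller with
# two redundant internal decision paths that both lead to actuation.
sensor = LTS("s_idle", [("s_idle", "sample", "s_ready"),
                        ("s_ready", "send", "s_wait"),
                        ("s_wait", "actuate", "s_idle")])
controller = LTS("c_idle", [("c_idle", "send", "c_busy"),
                            ("c_busy", "decide", "c_pathA"),
                            ("c_busy", "decide", "c_pathB"),
                            ("c_pathA", "actuate", "c_idle"),
                            ("c_pathB", "actuate", "c_idle")])
# Faulty variant: the second decision path drops the command and never actuates.
controller_faulty = LTS("c_idle", [("c_idle", "send", "c_busy"),
                                   ("c_busy", "decide", "c_pathA"),
                                   ("c_busy", "decide", "c_dead"),
                                   ("c_pathA", "actuate", "c_idle")])
# Abstract formal model: a single sample / send / decide / actuate cycle.
formal = LTS("a0", [("a0", "sample", "a1"), ("a1", "send", "a2"),
                    ("a2", "decide", "a3"), ("a3", "actuate", "a0")])
SYNC = {"send", "actuate"}                      # channels shared by both components


def executable_model(ctrl=controller):
    return compose(sensor, ctrl, SYNC)


def check_abstraction(ctrl=controller):
    """True when the composed executable model and the formal model are bisimilar."""
    return bisimilar(executable_model(ctrl), formal)


if __name__ == "__main__":
    print("reachable states in composed model:", len(executable_model().states))
    print("formal model abstracts the composite:", check_abstraction())
    print("formal model abstracts the faulty variant:", check_abstraction(controller_faulty))
```

The two redundant decision paths collapse into the single abstract state `a3` because they have identical futures, which is what a bisimulation-preserving abstraction is allowed to forget; the faulty variant introduces a reachable state with no successors, so the refinement splits it away and the abstraction is rejected. The same refinement loop also works when the executable model carries more detail than the formal one, as long as the detail does not change the branching structure.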
Cross-Linked Models
• This is already a substantial extension of current distributed software engineering practice
• A further extension is that we will develop a formal compositional (or component-based) version of this approach
• This includes the development of semantics for linking components of the software and of the system, including the associated theories of components and compositionality. This methodology and framework is in itself an important contribution to system science
• It is this specific framework and the underlying mathematical methodologies that we utilize to describe, model and evaluate the structure of ASS (including software structure and architecture) versus multi-criteria (multiple metrics) performance
• This represents an innovative departure from the current state of the art in ASS investigations, which focus almost entirely on behavior (i.e. the dynamics of the algorithms implemented by the ASS)
Cross-Linked Models
• Our framework allows us to investigate the design of both structure and operation (i.e. behavior) within a well integrated framework
• A significant and unique feature of our approach is that we will be able to check correctness of functionality as well as performance of the software system or its components
• Furthermore, and most significantly, the proposed approach and framework allows the automation (to a large degree) of the validation, verification and testing of the software system and of its dynamic operation