beyond integration the challenge of compositional
play

Beyond Integration: The Challenge of Compositional Assurance John - PowerPoint PPT Presentation

Dec 22, 2023 •254 likes •551 views

Beyond Integration: The Challenge of Compositional Assurance John Rushby Computer Science Laboratory SRI International Menlo Park, California, USA John Rushby, SR I Compositional Assurance: 1 Assurance and Certification: The Traditional

  1. Beyond Integration: The Challenge of Compositional Assurance John Rushby Computer Science Laboratory SRI International Menlo Park, California, USA John Rushby, SR I Compositional Assurance: 1

  2. Assurance and Certification: The Traditional Approach • The FAA, for example, certifies only airplanes, engines and propellers • The things we care about are system properties • So certification focuses on systems • But modern engineering and business practices use massive subcontracting, component-based development, and COTS, so that integrators have less insight than before into subsystem designs • Strong case for “qualification” of components Business case: Component vendors want it (cf. IMA) Certification case: Systems-only approach is no longer credible John Rushby, SR I Compositional Assurance: 2

  3. Compositional Assurance and Certification: The Vision • Components (and subsystems) are delivered with assurance ◦ We’ll consider later what that should mean • Assurance for the system is a calculation based on its design and the assurance of its components ◦ Systems are certified without looking inside components • Notice that steps in this direction would also reduce the integration problem ◦ I.e., the problem that you cannot be sure how things will work together based solely on their requirements, specifications, and design documents John Rushby, SR I Compositional Assurance: 3

  4. Compositional Design and Development • Compositional assurance will be impossible unless there is a deliberate (and successful!) attempt to control subsystem interactions during design and development • This is also what is needed for clean integration • And it is also one of the things needed for safety: cf. Perrow’s tight coupling and high interactive complexity ◦ Would be manifested through excessively complex mutual assumptions and guarantees • The alternative is massive testing at every stage, and you still have no guarantee of success John Rushby, SR I Compositional Assurance: 4

  5. Interfaces and Integration Frameworks • Components interact through interfaces • So we need precise specification and assurance for interfaces ◦ We’ll consider later what that should mean • And assurance that there are no overlooked interfaces ◦ E.g., interaction through the plant • And assurance that there are no unintended interfaces ◦ E.g., interaction through shared resources ◦ E.g., interaction due to faults • The purpose of an integration framework is to eliminate unintended interactions John Rushby, SR I Compositional Assurance: 5

  6. Integration Frameworks • Are architectures that guarantee some system-level properties without requiring cooperation from the components they integrate—which may be faulty or actively malicious • E.g., time and space partitioning in shared processors ◦ Architectures for Integrated Modular Avionics (IMA) ◦ Separation kernels for security • E.g., time and space partitioning for shared communications and distributed computation ◦ Partitioning Communication System (PCS) for security ⋆ PCS does CORBA, others do publish-subscribe, or multiplex TCP/IP securely ◦ Safety-critical “buses” ⋆ E.g., Time-Triggered Arch (TTA), FlexRay, SPIDER • E.g., the MILS architecture for security John Rushby, SR I Compositional Assurance: 6

  7. Integration (Framework) Anecdotes Powertrain integration: car engines from one plant, gearboxes from another • Typically months of work to get them to work together • A few hours using TTA Multi-channel FADEC integration: get single channel working, then add second channel • Typically months of work to get both channels cooperating • A few hours using TTA Assurance benefits beyond those in integration John Rushby, SR I Compositional Assurance: 7

  8. Assurance and Certification • With integration frameworks we might begin to get a handle on compositional assurance, so let’s look at software assurance and certification in a bit more detail • I’m using assurance to mean the technical judgment that a component or system satisfies some property • And certification to mean official sanction of some assurance • In some regimes (e.g., security), judgments whether a system is fit for some purpose are separate from certification of its properties; in others (e.g., civil aircraft) they are combined • All assurance is based on arguments that purport to justify certain claims , based on documented evidence • There are two approaches to assurance: implicit (standards based), and explicit (goal-based) John Rushby, SR I Compositional Assurance: 8

  9. The Standards-Based Approach to Software Certification • E.g., airborne s/w (DO-178B), security (Common Criteria) • Applicant follows a prescribed method (or processes) ◦ Delivers prescribed outputs ⋆ e.g., documented requirements, designs, analyses, tests and outcomes, traceability among these • Internal (DERs) and/or external (NIAP) review • Works well in fields that are stable or change slowly ◦ Can institutionalize lessons learned, best practice ⋆ e.g. evolution of DO-178 from A to B to C • But less suitable with novel problems, solutions, methods John Rushby, SR I Compositional Assurance: 9

  10. Critique of Standards-Based Approaches • Usually define only the evidence to be produced • The claims and arguments are implicit • Hence, hard to tell whether given evidence meets the intent • E.g., use a “safe programming language (subset)” ◦ Misra C: no demonstration of effectiveness, some contrary experience (cf. Les Hatton) ◦ Coverity, Prefix etc.: strong bug-finding, probabilistic absence of runtime exceptions ◦ Spark Ada (with the Examiner): guaranteed absence of run time exceptions • And the intent (i.e., argument) may not be obvious • E.g., MC/DC testing ◦ Is it evidence for good testing or good requirements? John Rushby, SR I Compositional Assurance: 10

  11. Do The Standards-Based Approaches Work? • Fuel emergency on Airbus A340-642, G-VATL, on 8 February 2005 (AAIB SPECIAL Bulletin S1/2005) • Toward the end of a flight from Hong Kong to London: two engines shut down, crew discovered they were critically low on fuel, declared an emergency, landed at Amsterdam • Two Fuel Control Monitoring Computers (FCMCs) on this type of airplane; they cross-compare and the “healthiest” one drives the outputs to the data bus • Both FCMCs had fault indications, and one of them was unable to drive the data bus • Unfortunately, this one was judged the healthiest and was given control of the bus even though it could not exercise it • Further backup systems were not invoked because the FCMCs indicated they were not both failed John Rushby, SR I Compositional Assurance: 11

  12. Safety Culture • See also incident report for Boeing 777, 9M-MRG (Malaysian Airlines, near Perth Australia) • And several others • It seems that current development and certification practices may be insufficient in the absence of safety culture • Current business models are leading to a loss of safety culture ◦ Outsourcing, COTS • Safety culture is implicit knowledge • Surely, a certification regime should be effective on the basis of its explicit requirements John Rushby, SR I Compositional Assurance: 12

  13. The Goal-Based Approach to Software Certification • E.g., air traffic management (CAP670 SW01), UK aircraft • Applicant develops an assurance case ◦ Whose outline form may be specified by standards or regulation (e.g., MOD DefStan 00-56) ◦ Makes an explicit set of goals or claims ◦ Provides supporting evidence for the claims ◦ And arguments that link the evidence to the claims ⋆ Make clear the underlying assumptions and judgments ⋆ Should allow different viewpoints and levels of detail • The case is evaluated by independent assessors ◦ Claims, evidence, argument John Rushby, SR I Compositional Assurance: 13

  14. What Should the Evidence Look Like? • Evidence about the process, organization, people • Evidence about the product Reviews: based on human judgment and consensus ◦ e.g., requirements inspections, code walkthroughs Analysis: can be repeated and checked by others, and potentially by machine ◦ Formal methods/static analysis ◦ Tests • Generally prefer multiple forms of evidence and their corresponding arguments: multi-legged assurance cases John Rushby, SR I Compositional Assurance: 14

  15. Formal Methods • Modern formal methods are automated techniques for calculating properties of software and its (model based) designs and specifications • Unlike testing, considers all possible execution sequences • Invariably finds bugs in certified s/w (e.g., DO-178B Level A) • Tradeoffs between degree of automation, number of false alarms, complexity of the software artifact, and the properties analyzed • Can do small properties of big programs today: static analysis ◦ Absence of runtime errors (Spark Ada Examiner) ◦ No loss of arithmetic precision (Astr´ ee for A380) ◦ Worst case execution time (AbsInt for A380) ◦ Properties of MBD (SCADE for A380) These are all European, but the raw technology is better-developed in the USA John Rushby, SR I Compositional Assurance: 15

Recommend

Compositional Software Model Checking Dan R. Ghica Oxford University Computing Laboratory

Compositional Software Model Checking Dan R. Ghica Oxford University Computing Laboratory

Compositional Software Model Checking Dan R. Ghica Oxford University Computing Laboratory October 18, 2002 Outline of talk program verification issues the semantic challenge programming languages the logical challenge

854 views • 38 slides
ECE 566: Grid Integration of Wind Energy Systems S. Suryanarayanan Associate Professor ECE

ECE 566: Grid Integration of Wind Energy Systems S. Suryanarayanan Associate Professor ECE

Basic integration issues Challenge in integration References ECE 566: Grid Integration of Wind Energy Systems S. Suryanarayanan Associate Professor ECE Dept. Suryanarayanan ECE 566 Lecture/Week 3b Basic integration issues Challenge in

830 views • 63 slides
Structure of Presentation Introduction Challenges in the Verification of Challenge 1:

Structure of Presentation Introduction Challenges in the Verification of Challenge 1:

Structure of Presentation Introduction Challenges in the Verification of Challenge 1: Variety of modeling languages Electronic Control Units Challenge 2: Learning curve for Requirement Capture Challenge 3: Integration with

250 views • 11 slides
Integration: a multilevel governance challenge New Forms of service delivery for municipalities,

Integration: a multilevel governance challenge New Forms of service delivery for municipalities,

Migration and Refugees Integration: a multilevel governance challenge New Forms of service delivery for municipalities, the contribution of social dialogue and good practice for well being at work Monday November 14 th 2016 Ramon Sanahuja

479 views • 29 slides
The Challenge of an HIV Cure HIV provirus integration and expression on long-term suppressive

The Challenge of an HIV Cure HIV provirus integration and expression on long-term suppressive

HIV Drug Resistance Program National Cancer Institute at Frederick The Challenge of an HIV Cure HIV provirus integration and expression on long-term suppressive therapy John M. Coffin Tufts University Objectives 1. To understand the role of

445 views • 42 slides
The Integration Challenge: Friendships Between International and Domestic Students in Canada

The Integration Challenge: Friendships Between International and Domestic Students in Canada

The Integration Challenge: Friendships Between International and Domestic Students in Canada NAFS A: Association of International Educators Boston, Massachusetts May 2015 Outline: The extent to which friendships are formed between

738 views • 54 slides
A Compositional Logic A Compositional Logic for Control Flow for Control Flow Gang Tan, Boston

A Compositional Logic A Compositional Logic for Control Flow for Control Flow Gang Tan, Boston

A Compositional Logic A Compositional Logic for Control Flow for Control Flow Gang Tan, Boston College g , g Andrew W. Appel, Princeton University Jan 8 2006 Jan 8, 2006 1 Mobile Code Security Protect trusted system against

561 views • 26 slides
FINDING QUALITY IN QUANTITY: THE CHALLENGE OF DISCOVERING VALUABLE SOURCES FOR INTEGRATION

FINDING QUALITY IN QUANTITY: THE CHALLENGE OF DISCOVERING VALUABLE SOURCES FOR INTEGRATION

FINDING QUALITY IN QUANTITY: THE CHALLENGE OF DISCOVERING VALUABLE SOURCES FOR INTEGRATION Theodoros Rekatsinas University of Maryland Amol Deshpande, Xin Luna Dong, Lise Getoor and Divesh Srivastava DATA, DATA, DATA Clean Analyze

514 views • 25 slides
The Mobility Challenge for Growth and Integration in Europe Klaus F . Zimmermann September 2013

The Mobility Challenge for Growth and Integration in Europe Klaus F . Zimmermann September 2013

IZA Policy Paper No. 69 P O L I C Y P A P E R S E R I E S The Mobility Challenge for Growth and Integration in Europe Klaus F . Zimmermann September 2013 Forschungsinstitut zur Zukunft der Arbeit Institute for the Study of Labor The

358 views • 20 slides
Software Engineering and Architecture Refactoring and Integration Testing The power of automated

Software Engineering and Architecture Refactoring and Integration Testing The power of automated

Software Engineering and Architecture Refactoring and Integration Testing The power of automated tests Two product variants Alphatown and Betatown Four models to handle this compositional proposal has nice properties... How do

865 views • 44 slides
Bruno Gavranovi c SYCO2 Compositional Deep Learning December 18, 2018 1 / 36 Compositional

Bruno Gavranovi c SYCO2 Compositional Deep Learning December 18, 2018 1 / 36 Compositional

Bruno Gavranovi c SYCO2 Compositional Deep Learning December 18, 2018 1 / 36 Compositional Deep Learning Bruno Gavranovi c Faculty of Electrical Engineering and Computing (FER) University of Zagreb, Croatia bruno.gavranovic@fer.hr

1.22k views • 102 slides
CD/MH Integration Workgroup The What and the How of integration CD Integration Workgroup

CD/MH Integration Workgroup The What and the How of integration CD Integration Workgroup

CD/MH Integration Workgroup The What and the How of integration CD Integration Workgroup RECOMMENDATIONS TO THE TASK FORCE July 18, 2014 Each Behavioral Health Organization should provide rapid access to the following billable services along a

790 views • 9 slides
Compositional Real-Time Scheduling Framework Insik Shin 1 , Insup Lee 1 1 University of

Compositional Real-Time Scheduling Framework Insik Shin 1 , Insup Lee 1 1 University of

Compositional Framework Bounded Delay Resource Model Schedulability Analysis Utilization Bounds Component Abstraction Conclusion Compositional Real-Time Scheduling Framework Insik Shin 1 , Insup Lee 1 1 University of Pennsylvania 15 November

362 views • 33 slides
Safety control with performance guarantees of cooperative systems using compositional abstractions

Safety control with performance guarantees of cooperative systems using compositional abstractions

Cooperative systems Centralized symbolic control Compositional approach Safety control with performance guarantees of cooperative systems using compositional abstractions Pierre-Jean Meyer Antoine Girard Emmanuel Witrant Universit e

849 views • 45 slides
Functional and Object-Oriented Approaches to Compositional Programming Martin Odersky Core

Functional and Object-Oriented Approaches to Compositional Programming Martin Odersky Core

Functional and Object-Oriented Approaches to Compositional Programming Martin Odersky Core Computer Science Institute Ecole Polytechnique Federal de Lausanne 1 Contents 1. What is Compositional Programming? 2. Why is it important? What are

1.12k views • 99 slides
STEP CHALLENGE February 7 th March 8 th CHALLENGE OVERVIEW This Step Challenge is a fun

STEP CHALLENGE February 7 th March 8 th CHALLENGE OVERVIEW This Step Challenge is a fun

Marion County Public Schools STEP CHALLENGE February 7 th March 8 th CHALLENGE OVERVIEW This Step Challenge is a fun and effective 30-day walking challenge where your goal is to increase your daily average steps by 25% * ! *If you are not

466 views • 8 slides
Compositional Autoconstructive Dynamics Kyle I. Harrington , Evolutionary Computation Kyle I.

Compositional Autoconstructive Dynamics Kyle I. Harrington , Evolutionary Computation Kyle I.

Compositional Autoconstruc- tive Dynamics Compositional Autoconstructive Dynamics Kyle I. Harrington , Evolutionary Computation Kyle I. Harrington 1 , 2 GA GP Meta-Evolution 1 DEMO lab Autoconstructive Michtom School of Computer Science

488 views • 44 slides
SenseDSL: Automating the Integration of Sensors for MCU-based Robots and Cyber- Physical Systems

SenseDSL: Automating the Integration of Sensors for MCU-based Robots and Cyber- Physical Systems

SenseDSL: Automating the Integration of Sensors for MCU-based Robots and Cyber- Physical Systems 2007 DARPA Urban Challenge Autonomously driving vehicle Caroline participating in the 2007 DARPA Urban Challenge. Experimental Miniature Vehicle

367 views • 12 slides
Clustering compositional data trajectories F. Greco , F. Bruno Dipartimento di Scienze Statistiche

Clustering compositional data trajectories F. Greco , F. Bruno Dipartimento di Scienze Statistiche

Clustering compositional data trajectories F. Greco , F. Bruno Dipartimento di Scienze Statistiche Universit di Bologna Outline We deal with trajectories of compositional data, that is with sequences of composition measurements in domains.

479 views • 33 slides
Part Sizes of Smooth Supercritical Compositional Structures Part Sizes of Smooth Supercritical

Part Sizes of Smooth Supercritical Compositional Structures Part Sizes of Smooth Supercritical

Part Sizes of Smooth Supercritical Compositional Structures Part Sizes of Smooth Supercritical Compositional Structures Jason Z. Gao Carleton University, Ottawa, Canada Based on joint work with Ed Bender A simple example Ordinary compositions:

824 views • 50 slides
Parsing with Compositional Vector Grammars BY RICHARD SOCHER, JOHN BAUER, CHRISTOPHER D. MANNING,

Parsing with Compositional Vector Grammars BY RICHARD SOCHER, JOHN BAUER, CHRISTOPHER D. MANNING,

Parsing with Compositional Vector Grammars BY RICHARD SOCHER, JOHN BAUER, CHRISTOPHER D. MANNING, ANDREW Y. NG PRESENT BY YUNCHENG WU Outline Introduction Related Works Compositional Vector Grammars (this paper) Experiments Takeaways

888 views • 34 slides
Compositional Certification for MILS John Rushby Computer Science Laboratory SRI International

Compositional Certification for MILS John Rushby Computer Science Laboratory SRI International

Compositional Certification for MILS John Rushby Computer Science Laboratory SRI International Menlo Park CA USA John Rushby, SR I Compositional Cert for MILS: 1 Intuitive Security Architecture Almost all system designs are portrayed in

548 views • 28 slides
Modeling Event Implications for Compositional Semantics Sai Qian Maxime Amblard Calligramme,

Modeling Event Implications for Compositional Semantics Sai Qian Maxime Amblard Calligramme,

Modeling Event Implications for Compositional Semantics Modeling Event Implications for Compositional Semantics Sai Qian Maxime Amblard Calligramme, LORIA & INRIA Nancy Grand-Est CAuLD Workshop: Logical Methods for Discourse December 13,

805 views • 36 slides
Integration Programme? Integration Strategy? No national or local integration programme (not

Integration Programme? Integration Strategy? No national or local integration programme (not

Integration Programme? Integration Strategy? No national or local integration programme (not voluntary or compulsory) BUT Citizenship now requires a language and culture test National government is now piloting a personal integration

778 views • 13 slides

More recommend