formal methods for safety assessment of critical software
play

Formal methods for Safety Assessment of Critical Software at RATP - PowerPoint PPT Presentation

Jul 11, 2023 •160 likes •498 views

Formal methods for Safety Assessment of Critical Software at RATP Engineering Department -- RATP/ING/STF/QS/AQL Evguenia DMITRIEVA / Oct 16 2014, Toulouse Plan 1. Industrial Context 2. Formal methods for software safety assessment : PERF 3.

  1. Formal methods for Safety Assessment of Critical Software at RATP Engineering Department -- RATP/ING/STF/QS/AQL Evguenia DMITRIEVA / Oct 16 2014, Toulouse

  2. Plan 1. Industrial Context 2. Formal methods for software safety assessment : PERF 3. Use Cases 4. Conclusion 2 Evguenia Dmitrieva Oct 16th 2014 Formal methods for Safety Assessment of Critical Software at RATP

  3. RATP’s Software Safety Assessment lab  Primary mission: internal assessment 55000 p. of safety critical software (ATP, Interlocking)  Created in 1990: almost 25 years of ING 1100 p. (Engineering Department) experience  AQL team: 30 persons, 50% engineers STF 300 p. and PhD, 50% technicians (Railway Transportation Systems)  Accredited by COFRAC, the French QS accreditation body 80 p. (Safety Assessment)  Customers: internal (RATP) or external AQL 30 p. (Software Safety Assessment lab) 3 Evguenia Dmitrieva Oct 16th 2014 Formal methods for Safety Assessment of Critical Software at RATP

  4. AQL mission: independent assessment of safety critical software  Check of safety cases provided by suppliers  Additional analysis and verifications wherever supplier’s methodology thought to be weak  Covering the whole V lifecycle 4 Evguenia Dmitrieva Oct 16th 2014 Formal methods for Safety Assessment of Critical Software at RATP

  5. AQL interventions 5 Evguenia Dmitrieva Oct 16th 2014 Formal methods for Safety Assessment of Critical Software at RATP

  6. Why using Formal Proof ? SACEM (pre-CBTC / 1989): retro-engineering (Z method) and formal proof  10 unsafe bugs found that had not been discovered with the « classical process » based on tests METEOR (driverless CBTC / 1998): developed with B method  get rid of of unit and integration tests  delivery of a safe software at « first shot » (no need for other release after commissioning). 6 Evguenia Dmitrieva Oct 16th 2014 Formal methods for Safety Assessment of Critical Software at RATP

  7. How using Formal Proof ? 90s: (example: METEOR project)  – RATP forces its supplier to use a Formal Method allowing Formal Proof (B method)  Since the 2000s: (example: Computer Based Interlocking) – Public procurement laws: in a tender, it is forbidden to favor a supplier – Forcing the use of formal methods = a way to favor some suppliers – => RATP is only allowed to encourage the use of Formal Proof  RATP asked Prover Technology Company to develop a high integrity level (“SIL4”) Formal Proof Tool Suite (“Prover Certifier”) Goal: providing means to perform the formal verification, a posteriori, of a product that was  not developed using a proof based process (like B method). 7 Evguenia Dmitrieva Oct 16th 2014 Formal methods for Safety Assessment of Critical Software at RATP

  8. The PERF approach  PERF = P roof E xecuted over a R etroengineered F ormal model  PERF = P reuve d’ E valuation par R etromodélisation F ormelle  Principle: using formal proof and techniques to verify properties over an already developed software product  Techniques: – Basic synchronous modelling language (HLL) – Proof engine using SAT solving, k-induction, proof certification, …  Scope: – Applicative SW (not low-level) + configuration data – Verification of « safety » properties (invariants) 8 Evguenia Dmitrieva Oct 16th 2014 Formal methods for Safety Assessment of Critical Software at RATP

  9. The PERF approach Software System environment (source code or Safety requirements (assumptions) formal model or …) Front End Formal environment model Proof Obligations (Translator) (HLL) (HLL) Formal execution model PERF Tool Suite (HLL) Proof certificate 9 Evguenia Dmitrieva Oct 16th 2014 Formal methods for Safety Assessment of Critical Software at RATP

  10. The PERF approach System Requirement Specification Equipment Safety  Formal verification of: Requirement Properties Specification 1 – Safety Software Requirement Properties – Safety Properties Specification Formal Software Design – Equivalence of behaviors 2 – Equivalence of behaviors Source code 10 Evguenia Dmitrieva Oct 16th 2014 Formal methods for Safety Assessment of Critical Software at RATP

  11. System+ Env System+ Env PERF Tool Suite + Properties + Properties 1 2 Diversification, proof logging Translator 2 Translator 1  and proof checking CENELEC EN50128 compliant  System+ Env System+ Env development process + Properties + Properties HLL HLL Independent assessment by  RATP (AQL) Expander 1 Expander 2 System+ Env System+ Env + Properties + Properties LLL LLL Equivalence Equivalence Constructor System Properties Proof Engine OK/KO Equivalence Proof Engine OK/KO Proof Proof Log ProofLog OK/KO Checker Proof Log Proof Checker ProofLog OK/KO Safety Analysis Flow Equivalence Analysis Flow 11 Evguenia Dmitrieva Oct 16th 2014 Formal methods for Safety Assessment of Critical Software at RATP

  12. Use cases:  Verification of Safety Properties of SCADE models  Verification of Safety Properties of C or Ada code  Verification of equivalence beetween SCADE model and generated source code (C and Ada)  Soon: Verification of Safety Properties of Relay Based Interlocking  The use of PERF has allowed to reveal and fix safety critical bugs (before commissioning) ! 12 Evguenia Dmitrieva Oct 16th 2014 Formal methods for Safety Assessment of Critical Software at RATP

  13. Computer Based Interlocking : PMI Safety Hazards  Derailment : on moving or badly set point, over speed  Collision : front, rear, side  Human operatives’ Injuries : downgraded modes C S A B Ag ZAP PMI PMI 13 Evguenia Dmitrieva Oct 16th 2014 Formal methods for Safety Assessment of Critical Software at RATP

  14. Computer Based Interlocking : PMI Safety Properties : Derailment on moving point A point must not be controlled when the train is approaching the signal • Zone-ZAP-Occ => ~Ag_CMD_Right & ~Ag_CMD_Left A point must not be controlled when the train is located at this point • Zone-Ag-Occ => ~Ag_CMD_Right & ~Ag_CMD_Left C S A B Ag ZAP PMI PMI 14 Evguenia Dmitrieva Oct 16th 2014 Formal methods for Safety Assessment of Critical Software at RATP

  15. Computer Based Interlocking : PMI Safety Properties : Derailment on moving point A point must not be controlled when the train is approaching the signal • Zone-ZAP-Occ => ~Ag_CMD_Right & ~Ag_CMD_Left C S A B Ag ZAP PMI PMI 15 Evguenia Dmitrieva Oct 16th 2014 Formal methods for Safety Assessment of Critical Software at RATP

  16. Computer Based Interlocking : PMI Safety Properties : Derailment on moving point A point must not be controlled when the train is approaching the signal • Zone-ZAP-Occ => ~Ag_CMD_Right & ~Ag_CMD_Left Train_App_Sig_S := Zone_Zap_S_Occ & (Sig_S_G \/ Tempo_DA_S) Train_App_Sig_S => ~Ag_CMD_Right & ~Ag_CMD_Left C S A B Ag ZAP PMI PMI => High level properties but the model of environment is rather complex 16 Evguenia Dmitrieva Oct 16th 2014 Formal methods for Safety Assessment of Critical Software at RATP

  17. CBTC : Ouragan L13 Software Requirements (SEL)  software implements correctly its specification  often low-level and algorithmic  refinement system requirements into software one’s should be verified otherwise  no need of environment model 17 Evguenia Dmitrieva Oct 16th 2014 Formal methods for Safety Assessment of Critical Software at RATP

  18. Composant SurveillerRecul_CC Exigeance SEL_Bord_SurveillerRecul_CC_0002 Dans l’état « Opérationnel BORD », le composant SurveillerRecul_CC doit vérifier le domaine de définition de ses données d’entrée. Dans le cas où une des entrées au moins dépasse son domaine admissible, le composant n’exécute pas ses traitements et génère une alarme « out of range ». Les sorties prennent les valeurs par défaut ci-dessous. Dans le cas contraire, le composant doit exécuter ses traitements. Les valeurs par défaut des interfaces de sorties sont définies tel que Interface Valeur par défaut PFU_SurveillerReculTrain_REC.IFU_ReculIntempestif C_DEMANDE_FU_DEFAUT =================================================================================== Formalisation de l’exigence en HLL InRange(v) := v : [C_VITESSE_MIN_mmps, C_VITESSE_MAX_mmps]; Vitesses_OutOfRange ( VitessesTrain ) := ~(InRange(VitessesTrain.Max) &InRange(VitessesTrain.Inst) & InRange(VitessesTrain.Min)); Prop_SEL_REC_02 := ( Vitesses_OutOfRange(PE_OdometrieVitesse_ODO.VitessesTrainBord) # Vitesses_OutOfRange(PE_OdometrieVitesse_ODO.VitessesTrainMessagerie) ) => ( ~ PFU_SurveillerReculTrain_REC. IFU_ReculIntempestif.ValiditeDemandeFU & ~PFU_SurveillerReculTrain_REC. IFU_ReculIntempestif.NonDemandeFU & PFU_SurveillerReculTrain_REC. IFU_ReculIntempestif.ContextePPFU = C_CONTEXTE_FU_DEFAUT ) 18 Evguenia Dmitrieva Oct 16th 2014 Formal methods for Safety Assessment of Critical Software at RATP

  19. CBTC : Ouragan L13 Equipment or System Requirements (DCSS)  Software implements correctly its system (equipment) requirements  Higher level of abstraction  Independent of implementation choices  No need to verify SRS  Environment model may be needed but not so complex 19 Evguenia Dmitrieva Oct 16th 2014 Formal methods for Safety Assessment of Critical Software at RATP

Recommend

F Formal Modeling and Verification of l M d li d V ifi ti f Safety-Critical Software

F Formal Modeling and Verification of l M d li d V ifi ti f Safety-Critical Software

Submitted to IEEE Software 2009 - Special issue on Software Development for Embedded Systems F Formal Modeling and Verification of l M d li d V ifi ti f Safety-Critical Software implemented in PLC JUNBEOM YOO JUNBEOM YOO KONKUK

882 views • 32 slides
Practically Formal Development and Assurance of Complex Software-Intensive Safety-Critical

Practically Formal Development and Assurance of Complex Software-Intensive Safety-Critical

Practically Formal Development and Assurance of Complex Software-Intensive Safety-Critical Systems Alan Wassyng work with Zinovy Diskin, Nicholas Annable, and Mark Lawford CyPhyAssure, 20 March 2019 GSN-like Assurance Cases Pros

720 views • 33 slides
Pragmatic integration of model driven engineering and formal methods for safety critical systems

Pragmatic integration of model driven engineering and formal methods for safety critical systems

Pragmatic integration of model driven engineering and formal methods for safety critical systems design Marc Pantel and many others IRIT - ACADIE ENSEEIHT - INPT - Universit de Toulouse Institute of Cybernetics Institute Tallinn

1.58k views • 110 slides
How testable is Business Software? Peter Schrammel What is this talk about? Desire for software

How testable is Business Software? Peter Schrammel What is this talk about? Desire for software

How testable is Business Software? Peter Schrammel What is this talk about? Desire for software that has fewer bugs Focus on non-safety-critical software Great techniques developed by formal methods, programming languages and

454 views • 41 slides
Types of Formal Specifications for Assertions Concurrent and Reactive Systems Assertions

Types of Formal Specifications for Assertions Concurrent and Reactive Systems Assertions

Outline Formal specifications CISC422/853: Formal Methods Types of formal specifications: in Software Engineering: assertions invariants Computer-Aided Verification safety and liveness properties How to express safety

226 views • 22 slides
Objectives To introduce the concept of safety-critical software To describe the

Objectives To introduce the concept of safety-critical software To describe the

Chapter 21 Chapter 21 Safety-Critical Software Learning Objective . Developing software which should never compromise the overall safety of a system. Frederick T Sheldon Assistant Professor of Computer Science Washington State University CS

327 views • 15 slides
Formal Model Based Safety Assessment Marco Bozzano, Roberto Cavada, Alessandro Cimatti, Cristian

Formal Model Based Safety Assessment Marco Bozzano, Roberto Cavada, Alessandro Cimatti, Cristian

NuSMV3: a framework for Formal Model Based Safety Assessment Marco Bozzano, Roberto Cavada, Alessandro Cimatti, Cristian Mattarei Fondazione Bruno Kessler, Trento (Italy) Roadmap Formal Model Based Safety Assessment Formal Safety

497 views • 37 slides
Software Verification/Validation Methods and Tools . . . or Practical Formal Methods John Rushby

Software Verification/Validation Methods and Tools . . . or Practical Formal Methods John Rushby

Software Verification/Validation Methods and Tools . . . or Practical Formal Methods John Rushby Computer Science Laboratory SRI International Menlo Park, CA John Rushby, SR I Practical Formal Methods: 1 Need: Growing Importance and Cost of

278 views • 12 slides
Safety critical software y Patrick R.H Place Kyo C.Kang

Safety critical software y Patrick R.H Place Kyo C.Kang

Safety critical software y Patrick R.H Place Kyo C.Kang 200310323 Purpose To understand the role of safety critical software in To understand the role of safety-critical software in

410 views • 21 slides
Specifying circuit properties in PSL Formal methods Mathematical and logical methods used in

Specifying circuit properties in PSL Formal methods Mathematical and logical methods used in

Specifying circuit properties in PSL Formal methods Mathematical and logical methods used in system development Aim to increase confidence in riktighet of system Apply to both hardware and software 1 Formal methods Complement other

524 views • 25 slides
FSA General FSA ECDIS Formal Safety Assessment Electronic Chart Display and

FSA General FSA ECDIS Formal Safety Assessment Electronic Chart Display and

FSA General FSA ECDIS Formal Safety Assessment Electronic Chart Display and Information System Rolf Skjong, dr, chief scientist Stavanger, 8 January 2006 Background Use of risk assessment Nuclear Industry in 60s:

296 views • 28 slides
Formal Methods for Critical Systems: A verified implementation of nested procedures Tristan

Formal Methods for Critical Systems: A verified implementation of nested procedures Tristan

Formal Methods for Critical Systems: A verified implementation of nested procedures Tristan Crolard 1 ICAR15 8-9 October 2015 Joint work with: 1 Pierre Courtieu, 1 , 2 Maria-Virginia Aponte, Julia Lawall 3 1. CNAM / Cedric / CPR team 2.

980 views • 71 slides
Formal Methods for Industrial Critical Systems at Trinity College, University of Dublin (FMICS

Formal Methods for Industrial Critical Systems at Trinity College, University of Dublin (FMICS

Formal Methods for Industrial Critical Systems at Trinity College, University of Dublin 2000 Andrew Butterfield c Formal Methods for Industrial Critical Systems at Trinity College, University of Dublin (FMICS 2003, Rros, June 7th 2003)

1.02k views • 16 slides
Certification of Safety-Critical, Software-Intensive Systems EECS4312: Software Engineering

Certification of Safety-Critical, Software-Intensive Systems EECS4312: Software Engineering

Certification of Safety-Critical, Software-Intensive Systems EECS4312: Software Engineering Requirements Fall 2019 C HEN -W EI W ANG McMaster Centre for Software Certification Led a $20M project (MAR.2008 to SEP .2016) of ORF-RE (Ontario

812 views • 37 slides
Safety Critical Flight Software Code Coverage Utilization Nate Uitenbroek Outline Background

Safety Critical Flight Software Code Coverage Utilization Nate Uitenbroek Outline Background

Safety Critical Flight Software Code Coverage Utilization Nate Uitenbroek Outline Background Safety Critical Software Classifying Standards Contrast Commercial Aviation and Space Flight Observations Orion Specific

435 views • 41 slides
C++ for Safety-Critical Systems DI Gnter Obiltschnig Applied Informatics Software Engineering

C++ for Safety-Critical Systems DI Gnter Obiltschnig Applied Informatics Software Engineering

C++ for Safety-Critical Systems DI Gnter Obiltschnig Applied Informatics Software Engineering GmbH guenter.obiltschnig@appinf.com A life-critical system or safety-critical system is a system whose failure or malfunction may result in: >

899 views • 87 slides
Formal Methods and Cryptography Lecture 24 1 Formal Methods 2 Formal Methods Logical

Formal Methods and Cryptography Lecture 24 1 Formal Methods 2 Formal Methods Logical

Formal Methods and Cryptography Lecture 24 1 Formal Methods 2 Formal Methods Logical foundations of computer science 2 Formal Methods Logical foundations of computer science A language that machines can understand 2 Formal Methods

1.22k views • 121 slides
Andrew.Butterfield@cs.tcd.ie Room F.13, OReilly Institute 3BA31 Formal Methods 2 Remember

Andrew.Butterfield@cs.tcd.ie Room F.13, OReilly Institute 3BA31 Formal Methods 2 Remember

3BA31 Formal Methods 1 3BA31: Formal Methods Andrew Butterfield Foundations & Methods Group, Software Systems Laboratory Andrew.Butterfield@cs.tcd.ie Room F.13, OReilly Institute 3BA31 Formal Methods 2 Remember This? A Stock

631 views • 33 slides
Andrew.Butterfield@cs.tcd.ie Room F.13, OReilly Institute 3BA31 Formal Methods 2 Remember

Andrew.Butterfield@cs.tcd.ie Room F.13, OReilly Institute 3BA31 Formal Methods 2 Remember

3BA31 Formal Methods 1 3BA31: Formal Methods Andrew Butterfield Foundations & Methods Group, Software Systems Laboratory Andrew.Butterfield@cs.tcd.ie Room F.13, OReilly Institute 3BA31 Formal Methods 2 Remember This? A Stock

1.75k views • 151 slides
Formal Methods Software Engineering 2008 Bernd Schoeller ETH Zurich The Grand Challenge The

Formal Methods Software Engineering 2008 Bernd Schoeller ETH Zurich The Grand Challenge The

Formal Methods Software Engineering 2008 Bernd Schoeller ETH Zurich The Grand Challenge The ideal of correct software has long been the goal of research in Computer Science. We now have a good theoretical understanding of how to describe what

806 views • 31 slides
Transferable Learning Outcomes 1. Purpose 2. Assessment methods 3. Assessing Critical

Transferable Learning Outcomes 1. Purpose 2. Assessment methods 3. Assessing Critical

Transferable Learning Outcomes 1. Purpose 2. Assessment methods 3. Assessing Critical Thinking AAC&U survey of 318 US employers: said demonstrated capacity to think critically, 93% communicate clearly, and solve complex problems

374 views • 24 slides
Lectures for Marktoberdorf 2010 Summer School Software and Systems Safety: Specification and

Lectures for Marktoberdorf 2010 Summer School Software and Systems Safety: Specification and

Lectures for Marktoberdorf 2010 Summer School Software and Systems Safety: Specification and Verification Formal Methods And Argument-based Safety Cases John Rushby Computer Science Laboratory SRI International Menlo Park, CA John Rushby FM

1.29k views • 109 slides
Formal Methods Michael Collins. 18-849, Section B Spring 1999 Formal Methods Why

Formal Methods Michael Collins. 18-849, Section B Spring 1999 Formal Methods Why

Formal Methods Michael Collins. 18-849, Section B Spring 1999 Formal Methods Why Formalisms? Relationships Flaws Some systems Conclusions Why Formal Methods? We already can build systems. Roman Engineers built

671 views • 12 slides
Safe Reinforcement Learning via Formal Methods Nathan Fulton and Andr Platzer Carnegie Mellon

Safe Reinforcement Learning via Formal Methods Nathan Fulton and Andr Platzer Carnegie Mellon

Safe Reinforcement Learning via Formal Methods Nathan Fulton and Andr Platzer Carnegie Mellon University Safety-Critical Systems "How can we provide people with cyber-physical systems they can bet their lives on?" - Jeannette Wing

568 views • 55 slides

More recommend