Copyright 2004 - John C. Knight SOFTWARE ENGINEERING FOR DEPENDABLE SYSTEMS John C. Knight Department of Computer Science University of Virginia


SOFTWARE ENGINEERING FOR DEPENDABLE SYSTEMS

John C. Knight

Department of Computer Science, University of Virginia

Overview

My General Interest:

Systems that are REALLY important. Systems where failure means: injury, death, destruction, chaos, etc.

Two halves of the overall research program:
Safety-critical Embedded Systems
Crucial Application Networks

Electronic Automobile Systems

Brakes
Suspension
Engine Control
Traction Control
Steering
Transmission

By wire... With no physical backup...

Digital Fly By Wire

Computers
Networks

Failure Rate < 10^-9/hour

Wire Not Plumbing....

System Complexity

[Chart: Relative Complexity (scale 0 to 7) of aircraft avionics by year of introduction, 1971 through 1996. Aircraft labels as recovered from the chart: F-14A, F-15A, E-2C, F-18A, F-16C, F-14D, C-17C, F-18C, B-1B, F-15E, F-22, B-777. Four generations marked: Analog Avionics, Hybrid Avionics, Digital Avionics, Integrated Digital Avionics. Two of the most recent points are annotated with size: 1.5M* and 2M*.]

*Lines of Code

From Steve Miller, Rockwell Collins

Critical Infrastructure

These are safety-critical systems

Wide Area Augmentation System

Free flight
Precision approaches

Sizewell B Nuclear Plant

Primary protection system
100,000 lines of code
Over 600 processors....
50,000 test cases
"Failed" 52%
Real problem was inability to determine correct response

Wide Area Augmentation System

Original cost est. $892.4
Current estimate $2,900
Orig. del. date 1998
Current estimate 2003

Many other major modernization programs in similar states (STARS, AMASS)

What Are The Areas Of Research?

Formal methods, especially specification
System architectures
Verification
Tools
Other miscellaneous things that are fun

Specification

About 60% of defects in practice are specification errors

Community solution approach: formal languages, i.e., languages with semantics defined in mathematics
Powerful mechanism for communication and analysis
Rarely used...

The Situation At Present

[Cartoon: Academics and Industrial Practitioners, each calling the other "Idiots".]

We think we understand this

The Situation In The Future

[Cartoon: Academics and Industrial Practitioners, with the speech bubbles "Don't Do It Again" and "Sorry!".]

Specific Research

Integration of formal and informal languages:
They are different, both are needed in all systems
How should they be combined?
How do you analyze the combination?

Embedded system survivability:
Don't make it reliable, make it survivable
Complex combination of specification, analysis & architecture

Tool support:
Powerful toolsets developed
See: http://www.cs.virginia.edu/zeus

Zeus Specification Tools

[Diagram: a SPECIFICATION made of three parts, each with its own Manipulation & Analysis support:
MEANING: Natural Language
FUNCTION: Formal Language
MAP: Formal Structure
Analysis includes: symbol definitions, symbol uses, invariants, etc.]
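As an added example of the kind of analysis the Zeus slide lists (symbol definitions, symbol uses, and the map between natural-language meaning and formal function), here is a small cross-reference checker over a constructed three-part specification fragment. This is illustrative code written for this page, not Zeus itself and not Knight's tooling; the MEANING/DEF/FUNC/INV/MAP line format and the brake-controller text are assumptions made up for the example.

```python
import re
from dataclasses import dataclass, field

IDENT = re.compile(r"\b[A-Za-z_]\w*\b")

# Constructed specification fragment in a made-up three-part layout (an
# assumption for this example, not the Zeus notation): MEANING lines carry
# the natural-language statement, DEF/FUNC/INV lines the formal part, and
# MAP lines tie a natural-language phrase to a formal symbol.
SAMPLE_SPEC = """
MEANING: The controller reads the brake pedal position and commands hydraulic pressure.
MEANING: Hydraulic pressure must never exceed the rated maximum.
DEF pedal_pos : Real
DEF pressure : Real
DEF max_pressure : Real
FUNC pressure = gain * pedal_pos
INV pressure <= max_pressure
MAP "brake pedal position" -> pedal_pos
MAP "hydraulic pressure" -> pressure
MAP "rated maximum" -> max_pressure
"""


@dataclass
class Report:
    defined: set = field(default_factory=set)
    used: set = field(default_factory=set)
    undefined_uses: set = field(default_factory=set)    # used in FUNC/INV, never DEF'd
    unused_defs: set = field(default_factory=set)       # DEF'd, never used
    unmapped_defs: set = field(default_factory=set)     # formal symbol with no natural-language phrase
    dangling_maps: set = field(default_factory=set)     # MAP phrase absent from every MEANING line
    maps_to_undefined: set = field(default_factory=set)  # MAP target that is not a DEF'd symbol

    @property
    def ok(self) -> bool:
        return not (self.undefined_uses or self.unused_defs or self.unmapped_defs
                    or self.dangling_maps or self.maps_to_undefined)


def analyse(spec: str) -> Report:
    """Cross-reference the formal and informal halves of a specification."""
    meaning_text, defined, used, mapped, phrases = [], set(), set(), set(), {}
    for raw in spec.splitlines():
        line = raw.strip()
        if not line:
            continue
        kind, _, rest = line.partition(" ")
        if kind == "MEANING:":
            meaning_text.append(rest.lower())
        elif kind == "DEF":
            defined.add(rest.split(":")[0].strip())
        elif kind in ("FUNC", "INV"):
            used.update(IDENT.findall(rest))
        elif kind == "MAP":
            m = re.match(r'"([^"]+)"\s*->\s*(\w+)', rest)
            if m:
                phrases[m.group(1).lower()] = m.group(2)
                mapped.add(m.group(2))
    rep = Report(defined=defined, used=used)
    rep.undefined_uses = used - defined
    rep.unused_defs = defined - used
    rep.unmapped_defs = defined - mapped
    text = " ".join(meaning_text)
    rep.dangling_maps = {p for p in phrases if p not in text}
    rep.maps_to_undefined = {s for s in mapped if s not in defined}
    return rep


if __name__ == "__main__":
    r = analyse(SAMPLE_SPEC)
    print("undefined symbols used:", r.undefined_uses)   # 'gain' is used but never defined
    print("specification consistent:", r.ok)
```

On the constructed fragment the check reports that `gain` is used in a FUNC line but never defined, which is exactly the sort of specification defect that natural-language review alone tends to miss; the MAP checks catch the reverse problem, a formal symbol or phrase that one half of the document mentions and the other never does.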

The Network Problem

Very Large Networks
Interdependent Networks
Heterogeneous Nodes
Non-Local Faults
Sequential Faults

Survivability As Control

[Diagram: a Control Function receives "Sensor" Signals and issues "Actuator" Commands, closing the loop From Sensors To Actuators.]

Dynamic Reconfiguration

Single Component Reconfiguration
Application Reconfiguration

[Diagram: network nodes, several marked "?", contrasting reconfiguration of a single component with reconfiguration of the whole application.]

Willow Architecture Logical View

[Diagram: two control paths over the critical networked application. Reactive (During Attack): Active Control, issuing Commands. Proactive (Before and After Attack): Active Management, issuing New Postures. Human roles: Operator, Administrator. Supporting activities: Intelligence, Analysis, Development. A Trust boundary is marked on the diagram.]

Approach to Fault Treatment

[Diagram: the Critical Networked Application is observed by Sensors and driven by Actuators through an Application State & Analysis Model. The model feeds, and is fed by: Self Healing, Tolerate Anticipated Faults, Planned Posture Change, System Update, System Deployment, and External Input.]

Willow Architectural Issues

Hierarchic faults
Control loop interactions: asynchronous; priority & resources; conflicting goals
Network scale: volume of software; state model; wide area change
Exceptions and results: dynamic application membership; absolute vs. statistical; result "harvesting"
Target system actuation: lightweight; standard interface & protocol

[Diagram: the fault-treatment picture repeated, with a Network State & Analysis Model in place of the Application State & Analysis Model, between Sensors and Actuators on the Critical Networked Application.]
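The "Survivability As Control" slide and the Willow issues above describe a control loop from sensor signals to actuator commands, with two levels of response: single-component reconfiguration for an anticipated fault, and application-wide reconfiguration (a new posture) when faults are non-local or sequential. As an added example, and not Willow's code or any UVA artifact, the sketch below implements that loop over a constructed sensor trace. The node names, the backup table, the 30-second window and the three-node threshold are assumptions chosen for the example.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class SensorSignal:
    t: float       # seconds since start
    node: str
    status: str    # "ok" or "down"


@dataclass(frozen=True)
class ActuatorCommand:
    target: str    # node name, or "*" for every node in the application
    action: str


class SurvivabilityController:
    """Control function from sensor signals to actuator commands.

    Illustrative sketch, not the Willow design itself. Two levels of response:
    * single-component reconfiguration: an anticipated fault on one node is
      tolerated by telling its designated backup to take over;
    * application reconfiguration: when distinct nodes fail in sequence inside
      one time window (a non-local fault pattern no single backup can cover),
      the whole application is moved to a degraded posture.
    """

    def __init__(self, backups, window_s=30.0, cascade_threshold=3):
        self.backups = dict(backups)        # primary node -> backup node (assumed table)
        self.window_s = window_s
        self.cascade_threshold = cascade_threshold
        self.posture = "normal"
        self.down = set()
        self.recent_failures = deque()      # (t, node), pruned to the window

    def step(self, sig):
        cmds = []
        if sig.status == "ok":
            self.down.discard(sig.node)
            return cmds
        if sig.node in self.down:           # duplicate report, already handled
            return cmds
        self.down.add(sig.node)

        # Reactive, local response: tolerate the anticipated single fault.
        backup = self.backups.get(sig.node)
        if backup and backup not in self.down:
            cmds.append(ActuatorCommand(backup, f"take_over:{sig.node}"))
        else:
            cmds.append(ActuatorCommand("*", f"isolate:{sig.node}"))

        # Sequential-fault detection over a sliding time window.
        self.recent_failures.append((sig.t, sig.node))
        while self.recent_failures and sig.t - self.recent_failures[0][0] > self.window_s:
            self.recent_failures.popleft()
        distinct = {n for _, n in self.recent_failures}
        if len(distinct) >= self.cascade_threshold and self.posture != "degraded":
            self.posture = "degraded"
            cmds.append(ActuatorCommand("*", "posture:degraded"))
        return cmds


def run(controller, signals):
    """Feed a whole trace through the controller in time order; return all commands."""
    out = []
    for sig in sorted(signals, key=lambda s: s.t):
        out.extend(controller.step(sig))
    return out


# Constructed sensor trace (not real data): one isolated failure that recovers,
# then three different nodes failing within 18 s, which should trip the posture change.
SAMPLE_TRACE = [
    SensorSignal(0.0, "db1", "down"),
    SensorSignal(100.0, "db1", "ok"),
    SensorSignal(200.0, "web1", "down"),
    SensorSignal(205.0, "web2", "down"),
    SensorSignal(218.0, "auth1", "down"),
]

BACKUPS = {"db1": "db2", "web1": "web2", "web2": "web3", "auth1": "auth2"}


if __name__ == "__main__":
    ctl = SurvivabilityController(BACKUPS)
    for cmd in run(ctl, SAMPLE_TRACE):
        print(cmd)
    print("final posture:", ctl.posture)
```

Note what the trace exercises: web2 is told to take over for web1 and then fails itself five seconds later, so the per-component response alone leaves the application in a worse state than the controller believes; it is the window-based count of distinct failures, not any single fault report, that drives the posture change. That is the slide's point about absolute versus statistical results and about control-loop interactions between the local and the application-wide responses.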

Summary

Lots of crucial applications, many more than most people think
Very challenging engineering
Very significant research problems
Many exciting ideas here at UVA
Lots of opportunities to contribute

Breakout session: Thursday at 5:00PM, Olsson 236D

Questions?