Reliable Design of Safety Reliable Design of Safety Critical SystemsCritical Systems

Dr. Abhik Roychoudhury

School of Computing

E-mail : abhik@comp.nus.edu.sg

Safety Critical SystemsSafety Critical Systems

Safety Design invariants must always hold in all executions of

the system.

Critical Violating invariants in any execution can be disastrous.

Examples Air traffic controller Automobile parts.

Straits Times News ReportStraits Times News Report

Airbag sensory system in Automobiles

“--- this thing will probably have to work only once in 10 years, but it better work then, otherwise you might die.”

News Report on design work at Ang Mo Kio Facility (Singapore) of Delphi Automotive Systems.

Methodological view pointMethodological view point

Inject higher reliability in design life cycle. Safety critical systems often have a

computer component. This trend is increasing with growth of

embedded applications. What kind of computer systems are they ?

Reactive SystemsReactive Systems

Continuously interacts with its environment.

Interaction with env. is asynchronous. Often, its response to environment needs to

obey time constraints. Often consists of a concurrent composition

of processes.

Why study them now ?Why study them now ?

Embedded systems Using a computer component as part of a bigger system

becoming pervasive.

Many of them safety-critical e.g. automobile parts Current verification techniques do not suffice.

Lack of tool support for reliable modeling. Perceived as intrusive to design process.

Validation TechniquesValidation Techniques

In circuit Emulator (ICE)Logic AnalyzerModel based simulationFormal verification techniques

Model Checking Deduction Combinations of the two

In circuit Emulator (ICE)In circuit Emulator (ICE)

Used widely in industry for designs where a microproc. interacts with potpourri of peripherals.

ICE is a dedicated hardware for a particular processor which allows its internals to be read.

Response of processor (to environment) observed by physically replacing chip with ICE.

Logic AnalyzerLogic Analyzer

Used for sampling many signals simultaneously in a complex design.

Can snoop on a bus to observe interactions of a microprocessor with its environment.

ICE and Logic Analyzer do not work when: Processor, peripherals, bus all integrated in a chip. System-on-Chip (SoC) – Current industry trend.

Model based simulationModel based simulation

Simulate and observe the behaviors of a system model, rather than the system itself.

Takes validation/debugging higher in the design life-cycle.

Since a model is validated, can take place prior to system integrationHardware software co-simulation (POLIS)

Model CheckingModel Checking

Same as model based simulation except that you check all possible behaviors.

Needed for checking critical properties. Can be used if model has finite states. Many realistic systems are infinite-state e.g. all

real-time systems. For these systems, extensions of model checking

exist (via deduction).

Some questions Some questions

How to accommodate the complex mix of

languages in which a safety critical system is described ?

Automation and efficiency of simulation/validation

Should all the validation be static ? What about run-time checks ?

Project 1: UML diagramsProject 1: UML diagrams

UML (Unified Modeling Language) emerging as industry standard for high level visual description of software.

UML provides 2 diagrams for modeling reactive systems – State Charts (Modeling components)– Msg. Seq. Charts (Interaction between components)

Any real-life reactive system (e.g. software for controlling airbus) modeled as a combination of StateCharts and MSC.

Project 1: UML diagramsProject 1: UML diagrams

How to analyze such designs (written in 2 languages) ? How to generate code from these high level descriptions ?

Convert diagrams to an intermediate textual representation. Should be rich enough to handle real-time constraints. Tools for conversion between UML and textual. Techniques for simulating behaviors of textual description.

Jointly with Dr. Roland Yap (ryap@comp.nus.edu.sg)

Project 2: Run time ChecksProject 2: Run time Checks

Design of reactive Embedded Systems becoming component based.

Designers use vendor provided off-the-shelf component and plug them into a bus.

The bus as well as the components often integrated into a single chip, called System-on-chip designs.

Project 2: Run time ChecksProject 2: Run time Checks

Vendor provided components are unreliable. But designer does not have the paper design of

these components. How to ensure reliable operation of these

components in safety critical systems ? System level testing will not work. Entire system

in one chip.

Project 2: Run time ChecksProject 2: Run time Checks

Plant an observer process. The observer will snoop on the bus. Detects possible failures to transmit signals. Raises alarm for critical failures.

Software implementation of the observer. Empirical study to estimate its accuracy.

Component based DesignsComponent based Designs

Research aimed at facilitating component based development of embedded systems.

Focus on the communication protocols between interacting hardware components.

Synthesis of Interfaces in Embedded Systems. (rp097) - Jointly with Prof. P.S. Thiagarajan

(thiagu@comp.nus.edu.sg)

http://www.comp.nus.edu.sg/~loolf

My Side of the StoryMy Side of the Story

Each of the projects in the area of model based validation tools and techniques.

Projects hinge on a well-studied case study serving as the driving application.

Manageable smaller chunks exist for bigger projects.

… … and yoursand yours

At the end of the projects, you will – Gain familiarity with software engineering

industry standards e.g. UML– Gain familiarity with Electronic Design

Automation industry standards

During the project :– Not falling off the deep-end

Contact InformationContact Information

E-mail : abhik@comp.nus.edu.sgOffice : S16 06-08Telephone : 874-8939

See You