SlideShare a Scribd company logo

Applying Theorem Proving for Safety-Critical Vehicle Software

Download as PPTX, PDF
AdaCore
AdaCore

S. Yoneki, K. Zanma, K. Toyozumi / JTEKT corporation J. Kanig/AdaCore

Technology
1 of 31
JTEKT CORPORATION Application of theorem proving for safety-critical vehicle software S. Yoneki, K. Zanma, K. Toyozumi / JTEKT corporation J. Kanig/AdaCore 1
JTEKT CORPORATION Background • For current vehicle, loss of specified function is not acceptable. – ISO 26262-10:2018 addresses this topic but mostly random hardware failure is focused. Software systematic faults also face the same issue but very limited guidance is provided. 2 12.4 Software development phase 12.4.1 Software fault avoidance and tolerance Safety-related availability requirements for software can be addressed by two approaches: fault avoidance (12.4.2) and fault tolerance (12.4.3). 12.4.2 Software fault avoidance The methods for fault avoidance are intended to reduce the overall occurrence of systematic faults. The necessary amount of fault avoidance can be achieved by developing software elements using ISO 26262-6:2018. 12.4.3 Software fault tolerance Techniques for fault tolerance try to keep the item operational despite the presence of software systematic faults. Some fault tolerant mechanisms are mentioned in ISO 26262-6:2018, 7.4.12, NOTE 2 and NOTE 3. From ISO 26262-10:2018 Can we claim that fault leading to loss of specified functions is avoided? For the software fault tolerance, we need additional safety mechanisms such as backup (degraded) control, diversified software. But this is not always possible depending on many reason (performance limitation, resource limitation, etc.) How to deal with it?
JTEKT CORPORATION • Comparison with software safety design for conventional EPS system and the requirements for coming EPS system Safety requirements on the main function for a conventional EPS system: • The system shall prevent unwanted output from the main function in order to avoid hazardous event. Current implementation 3 Main function QM (D) Safety mech. ASIL D(D) Systematic fault Risk mitigation is made by combination of main function and shut-down function. Safety requirements on the main function for the latest EPS system • The system shall maintain a specified function provided by the main function in order to avoid a hazardous event. Main function QM(D) Safety mech. ASIL D(D) Systematic fault Example: However, this is very difficult (or impossible) in some case (e.g. I/O control, state machine) !!! SHUT DOWN SPECIFIED FUNCTION Example: Risk mitigation is made by combination of main function and shut-down function.
JTEKT CORPORATION Key for solving the issue • Currently no specific criteria for sufficiency of measures during development. 4 Start For each architectural element, how failure modes caused by systematic faults will propagate is analyzed. The criticality of the fault mode is decided based on possibility of violating the safety goals or safety requirements Is the possibility of the failure mode sufficiently mitigated during the safety measures taken during development? Introduction of appropriate safety mechanisms Provide rationale for sufficiency (including introduction of additional measures) YESNO Typical chart to decide the necessity of safety mechanism In general, it is difficult to demonstrate this sufficiency to the customer since no well established criteria.  There are several supporting evidences (but they are not "silver bullet") • Code metrics • Test coverage • Proven in use  Based on the situation, criteria for acceptance is not the same for all customers Can we demonstrate it by "formal verification"?
JTEKT CORPORATION Formal verification • Generally speaking, it is hard to claim that the software is bug-free by test. → Testing only demonstrates existing of bug. • Formal verification is recommended by ISO 26262-6. Not highly recommended because it is difficult to apply it. However…. – Formal verification may demonstrate that there is no systematic failure that leads to loss of specified function. – If this is true, then formal verification is considered as strong tool. 5 From ISO/FDIS 26262-6
JTEKT CORPORATION Model checking vs Theorem proving • Two approaches for formal verification; model checking and theorem proving. – Model checking: The software to be proved is translated into state transition model and all states and transitions are explored in the model. – Theorem proving: From the software and its specifications, mathematical proof is made. The truth of proof implies conformance of the system to its specification. 6 Model checking Theorem proving Remark Number of states to be handled finite Not limited Theorem proving verifies program itself. Therefore, number of states is not related to the capability of theorem proving. On the other hand model checking is hard to apply for numeric calculation because it easily results in state explosion Automation Auto Semi-auto Model checking can proceed automatically via a software tool once model is created. Ability to represent target software Low High For model checking, software has to be translated in the state transition model. In order to prevent state explosion, software has to be abstracted. During such abstraction process, systematic faults in the software program may be hidden. On the other hand, in theorem proving, source program is translated one-by-one. Difficulty Low High Because theorem proving usually needs extra information for the proof by a human, expertise is high Simple comparison of model checking and theorem proving w.r.t. finding SW bugs Our target is to demonstrate "bug-free" for a very specific software component to which safety mechanism is hard to apply. Because of this, "theorem proving" is selected for the study.
JTEKT CORPORATION What is the "theorem proving" • Theorem proving is: – Like "code review" with logical (or mathematical) proof – Possible to trace how to proof based on logical equation • Mathematical (or logical) proof that if the pre-condition is satisfied, then post condition after program run is also satisfied. 7 Pre condition: Conditions that are satisfied before execution of program to be verified. Post condition: Conditions that are satisfied after execution of program to be verified. Program (e.g. C source code) Program is theoretically translated and checked that if pre condition is "true", then post condition is also true. Post condition can be defined at the arbitrary level based on what is to be proved, such as: • Don’t output unwanted value; • No access outside the array; • No divide by zero. Other assumptions are made: • No interference with other programs or hardware • Called functions are correctly specified • …
JTEKT CORPORATION Simple example • Pre condition The property that the input parameters (x, y) have { 3x - 2y ≥ 0 } • Program y := x – y +10 … S1 x := x + 2 * y … S2 • Post condition The property (e.g. safety threshold) that the resulting value has to possess. { x ≥ 20 } 8 Pre condition is transformed as : x + 2(x – y + 10) ≥ 20 Proof for S1: Substitute y of intermediate post condition {x – 2y ≥ 20} with x - y + 10, then {x + 2(x – y + 10) ≥ 20 }. This is equivalent with precondition. This means that post condition of S1 is always satisfied if pre condition is satisfied. For S1, pre condition is {x + 2(x – y + 10) ≥ 20 }, and post condition is {x – 2y ≥ 20} For S2, pre condition is {x – 2y ≥ 20}, and post condition is { x ≥ 20 } Proof for S2: Substitute x of post condition {x ≥ 20} with x + 2 * y, then {x – 2y ≥ 20 }. This is equivalent with precondition. This means that post condition of S2 is always satisfied if pre condition is satisfied. If pre condition of the program is satisfied, post condition is always satisfied. From proof of S1and S2
JTEKT CORPORATION Difference between conventional testing • The approach to demonstrate how a bug is not included in the software. 9 Testing Theorem proving Experimental approach: • It might be difficult to claim that the software is 100% tested. • Test coverage can be measured by, for example, structural coverage to demonstrate that the software is tested as far as reasonable practical. • High coverage is good rational that the risk of bug is quite low, such the overage for safety critical software is acceptable or not depends on the customer. Logical approach: • It can be possible to claim that software does not contain any bugs with evidence. • A safety critical software unit is demonstrated as bug-free in logical way. • This make us possible to convince all our customers that the software unit will not cause a safety critical event. Necessity of safety mechanism depends on customers. Safety mechanism for the software unit is not necessary any more for all customers.
JTEKT CORPORATION Weak points of theorem proving • Timing issue – Theorem proving does not verify calculation time. Therefore, it is difficult to demonstrate if output is acquired within the specified time flame. • Hardware (or ISA) dependent issues – It can be possible to deal with but much effort is needed for, such as: • Bit manipulation • Address calculation • Big endian/Little endian 10 This has to be confirmed by other methods such as worst-case execution time analysis. This has to be confirmed by, for example, static code analyzer Theorem proving is not perfect solution but give additional confidence for correctness of software from logical point of view.
JTEKT CORPORATION Case study • We tried to apply theorem proving to actual software element to get better understanding of this method. – Purposes for the case study are: 1. To understand the method "theorem proving". – The method has not been well know to automotive industry (at least in Japan). – Therefore, if we apply this method, we have to give clear explanation to our customers. 2. To investigate feasibility to apply this method to automotive E/E system software. – Since this method is quite new for us, we did not have clear image about how it works. – We need to know how we can use this method for our purpose. 11 SAMPLE for the case study - Software element for autonomous driving. • Function: To decide whether acceleration pedal or break pedal is operated to release deceleration control by halt break • Safety requirement: − if halt brake switch is not active, deceleration done flag shall not be "ON". − if acceleration pedal position is smaller that halt break cancel position, declaration done flag shall not be "ON"
JTEKT CORPORATION Case study: source code void dec_vo_JdgDecCtrlDone( void ) { if ( u1_tDecCtrlInitReq == KU1_ON ) { dec_u1_DecCtrlDone = KU1_OFF; } else { if ( ( u1_VehicleCanDiagMaskReq == KU1_OFF ) && ( u1_tEBC1CanRcv == KU1_ON ) && ( u1_tEBSBrakeSwitchDataRangeErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tBrakePedalPositionDataRangeErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tEBSRedWarningSignalDataRangeErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tABSEBSAmberWarnSignalDataRangeErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tHaltBrakeSwitchDataRangeErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tEBC1TimeOutErrStatusStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tHaltBrakeSwitch == DEC_KU1_HaltBrakeSwitchActive ) ) { if ( ( u1_tBrakePedalPosition >= DEC_KU2_KHaltBrkCancelBrkPedalPos ) || ( ( u1_tEEC2CanRcv == KU1_ON ) && ( u1_tAcceleratorPedalPosition1DataRangeErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tEEC2TimeOutErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( (u2)u1_tAcceleratorPedalPosition1 >= DEC_KU2_KHaltBrkCancelAccelPedalPos ) ) ) { dec_u1_DecCtrlDone = KU1_ON; } else { dec_u1_DecCtrlDone = KU1_OFF; } } else { dec_u1_DecCtrlDone = KU1_OFF; } } } 12
JTEKT CORPORATION Case study: Safety requirements Interpretation of two safety requirements at code level − safety requirement 1: This means the situation that “if HaltBrakeSwitch is not active, DecCtrlDone != KU1_ON”. − safety requirement 2: This means the situation that “if AcceleratorPedalPosition1 < KHaltBrkCancelAccelPedalPos, DecCtrlDone != KU1_ON”. 13
JTEKT CORPORATION Case study: Verification strategy • In the program, if-statements are nested. • Therefore, theorem proving is applied for step-by-step manner. 14 if … else … If … else … Software portion 1: This is verified with internal if statement (software portion 2 below) as black box. This means that all possible outcome is assumed as pre- condition. Software portion 2: This program is verified independently. NOTE: The purpose of strategy is to do the case study. Depending on the tool capability, it is possible to make proof for complete software without splitting portions.
JTEKT CORPORATION Case study: Proof of SW portion 1 (1) void dec_vo_JdgDecCtrlDone( void ) { if ( u1_tDecCtrlInitReq == KU1_ON ) { dec_u1_DecCtrlDone = KU1_OFF; } else { if ( ( u1_VehicleCanDiagMaskReq == KU1_OFF ) && ( u1_tEBC1CanRcv == KU1_ON ) && ( u1_tEBSBrakeSwitchDataRangeErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tBrakePedalPositionDataRangeErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tEBSRedWarningSignalDataRangeErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tABSEBSAmberWarnSignalDataRangeErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tHaltBrakeSwitchDataRangeErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tEBC1TimeOutErrStatusStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tHaltBrakeSwitch == DEC_KU1_HaltBrakeSwitchActive ) ) { if ( ( u1_tBrakePedalPosition >= DEC_KU2_KHaltBrkCancelBrkPedalPos ) || ( ( u1_tEEC2CanRcv == KU1_ON ) && ( u1_tAcceleratorPedalPosition1DataRangeErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tEEC2TimeOutErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( (u2)u1_tAcceleratorPedalPosition1 >= DEC_KU2_KHaltBrkCancelAccelPedalPos ) ) ) { dec_u1_DecCtrlDone = KU1_ON; } else { dec_u1_DecCtrlDone = KU1_OFF; } } else { dec_u1_DecCtrlDone = KU1_OFF; } } } 15 Scope of verification
JTEKT CORPORATION Case study: Proof of SW portion 1 (2) void dec_vo_JdgDecCtrlDone( void ) { if ( u1_tDecCtrlInitReq == KU1_ON ) { dec_u1_DecCtrlDone = KU1_OFF; } else { if ( ( u1_VehicleCanDiagMaskReq == KU1_OFF ) && ( u1_tEBC1CanRcv == KU1_ON ) && ( u1_tEBSBrakeSwitchDataRangeErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tBrakePedalPositionDataRangeErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tEBSRedWarningSignalDataRangeErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tABSEBSAmberWarnSignalDataRangeErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tHaltBrakeSwitchDataRangeErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tEBC1TimeOutErrStatusStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tHaltBrakeSwitch == DEC_KU1_HaltBrakeSwitchActive ) ) { DO SOMETHING BUT INDEPENDENTLY FROM "u1_tHaltBrakeSwitch" (to be verified separately) } } else { dec_u1_DecCtrlDone = KU1_OFF; } } } 16 Scope of verification
JTEKT CORPORATION Case study: Proof of SW portion 1 (3) • Pre-condition and post-condition for the scope of verification 17 Program: if ( ( u1_VehicleCanDiagMaskReq == KU1_OFF ) && ( u1_tEBC1CanRcv == KU1_ON ) && ( u1_tEBSBrakeSwitchDataRangeErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tBrakePedalPositionDataRangeErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tEBSRedWarningSignalDataRangeErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tABSEBSAmberWarnSignalDataRangeErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tHaltBrakeSwitchDataRangeErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tEBC1TimeOutErrStatusStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tHaltBrakeSwitch == DEC_KU1_HaltBrakeSwitchActive ) ) { DO SOMETHING BUT INDEPENDENTLY FROM "u1_tHaltBrakeSwitch" (to be verified separately) } } else { dec_u1_DecCtrlDone = KU1_OFF; } Pre condition: {true} Post condition: {u1_tHaltBrakeSwitch != DEC_KU1_HaltBrakeSwitchActive → dec_u1_DecCtrlDone != KU1_ON}
JTEKT CORPORATION Case study: Proof of SW portion 1 (4) • If branch is taken 18 Pre condition: {true ˄ } Program: DO SOMETHING BUT INDEPENDENTLY FROM "u1_tHaltBrakeSwitch" ( u1_VehicleCanDiagMaskReq == KU1_OFF ) && ( u1_tEBC1CanRcv == KU1_ON ) && ( u1_tEBSBrakeSwitchDataRangeErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tBrakePedalPositionDataRangeErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tEBSRedWarningSignalDataRangeErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tABSEBSAmberWarnSignalDataRangeErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tHaltBrakeSwitchDataRangeErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tEBC1TimeOutErrStatusStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tHaltBrakeSwitch == DEC_KU1_HaltBrakeSwitchActive ) ) Post condition {u1_tHaltBrakeSwitch != DEC_KU1_HaltBrakeSwitchActive → dec_u1_DecCtrlDone != KU1_ON} According to the pre condition, (u1_tHaltBrakeSwitch != DEC_KU1_HaltBrakeSwitchActive) is false. Therefore, post-condition is always true. Therefore, the portion of the program is correct.
JTEKT CORPORATION Case study: Proof of SW portion 1 (5) • If branch is not taken 19 Pre condition: {true ˄ }┐( u1_VehicleCanDiagMaskReq == KU1_OFF ) && ( u1_tEBC1CanRcv == KU1_ON ) && ( u1_tEBSBrakeSwitchDataRangeErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tBrakePedalPositionDataRangeErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tEBSRedWarningSignalDataRangeErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tABSEBSAmberWarnSignalDataRangeErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tHaltBrakeSwitchDataRangeErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tEBC1TimeOutErrStatusStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tHaltBrakeSwitch == DEC_KU1_HaltBrakeSwitchActive ) ) Pre condition modified: {true ˄ }( u1_VehicleCanDiagMaskReq != KU1_OFF ) || ( u1_tEBC1CanRcv != KU1_ON ) || ( u1_tEBSBrakeSwitchDataRangeErrStatus == DEC_KU1_ChkErrDeterminedState ) || ( u1_tBrakePedalPositionDataRangeErrStatus == DEC_KU1_ChkErrDeterminedState ) || ( u1_tEBSRedWarningSignalDataRangeErrStatus == DEC_KU1_ChkErrDeterminedState ) || ( u1_tABSEBSAmberWarnSignalDataRangeErrStatus == DEC_KU1_ChkErrDeterminedState ) || ( u1_tHaltBrakeSwitchDataRangeErrStatus == DEC_KU1_ChkErrDeterminedState ) || ( u1_tEBC1TimeOutErrStatusStatus == DEC_KU1_ChkErrDeterminedState ) || ( u1_tHaltBrakeSwitch != DEC_KU1_HaltBrakeSwitchActive ) ) Pre condition modified again: {true} The pre condition after this modification is weaker (allows more situations) than previous one. Therefore, this modification is valid for the propose.
JTEKT CORPORATION Case study: Proof of SW portion 1 (6) • If branch is not taken(continue) 20 Program: dec_u1_DecCtrlDone = KU1_OFF Post condition: {u1_tHaltBrakeSwitch != DEC_KU1_HaltBrakeSwitchActive → dec_u1_DecCtrlDone != KU1_ON} If the pre condition is satisfied, the post condition is also satisfied Pre condition modified again (from previous page): {true}
JTEKT CORPORATION Case study: Proof of SW portion 2 (1) void dec_vo_JdgDecCtrlDone( void ) { if ( u1_tDecCtrlInitReq == KU1_ON ) { dec_u1_DecCtrlDone = KU1_OFF; } else { if ( ( u1_VehicleCanDiagMaskReq == KU1_OFF ) && ( u1_tEBC1CanRcv == KU1_ON ) && ( u1_tEBSBrakeSwitchDataRangeErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tBrakePedalPositionDataRangeErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tEBSRedWarningSignalDataRangeErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tABSEBSAmberWarnSignalDataRangeErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tHaltBrakeSwitchDataRangeErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tEBC1TimeOutErrStatusStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tHaltBrakeSwitch == DEC_KU1_HaltBrakeSwitchActive ) ) { if ( ( u1_tBrakePedalPosition >= DEC_KU2_KHaltBrkCancelBrkPedalPos ) || ( ( u1_tEEC2CanRcv == KU1_ON ) && ( u1_tAcceleratorPedalPosition1DataRangeErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tEEC2TimeOutErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( (u2)u1_tAcceleratorPedalPosition1 >= DEC_KU2_KHaltBrkCancelAccelPedalPos ) ) ) { dec_u1_DecCtrlDone = KU1_ON; } else { dec_u1_DecCtrlDone = KU1_OFF; } } else { dec_u1_DecCtrlDone = KU1_OFF; } } } 21 Scope of verification
JTEKT CORPORATION Case study: Proof of SW portion 2 (2) • Pre-condition and post -condition for the scope of verification 22 Program: if ( ( u1_tBrakePedalPosition >= DEC_KU2_KHaltBrkCancelBrkPedalPos ) || ( ( u1_tEEC2CanRcv == KU1_ON ) && ( u1_tAcceleratorPedalPosition1DataRangeErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tEEC2TimeOutErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( (u2)u1_tAcceleratorPedalPosition1 >= DEC_KU2_KHaltBrkCancelAccelPedalPos ) ) ) { dec_u1_DecCtrlDone = KU1_ON; } else { dec_u1_DecCtrlDone = KU1_OFF; } Pre condition: {true} Post condition: {u1_tBrakePedalPosition < DEC_KU2_KHaltBrkCancelBrkPedalPos → dec_u1_DecCtrlDone != KU1_ON}
JTEKT CORPORATION Case study: Proof of SW portion 2 (3) • If branch is taken 23 Pre condition: {true ˄ }( u1_tBrakePedalPosition >= DEC_KU2_KHaltBrkCancelBrkPedalPos ) || ( ( u1_tEEC2CanRcv == KU1_ON ) && ( u1_tAcceleratorPedalPosition1DataRangeErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tEEC2TimeOutErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( (u2)u1_tAcceleratorPedalPosition1 >= DEC_KU2_KHaltBrkCancelAccelPedalPos ) ) Program: dec_u1_DecCtrlDone = KU1_ON; Post condition: {u1_tBrakePedalPosition < DEC_KU2_KHaltBrkCancelBrkPedalPos → dec_u1_DecCtrlDone != KU1_ON} Pre condition modification: {true ˄ (( u1_tBrakePedalPosition >= DEC_KU2_KHaltBrkCancelBrkPedalPos) ˅ }( ( u1_tEEC2CanRcv == KU1_ON ) && ( u1_tAcceleratorPedalPosition1DataRangeErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tEEC2TimeOutErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( (u2)u1_tAcceleratorPedalPosition1 >= DEC_KU2_KHaltBrkCancelAccelPedalPos ) ) Post condition modified: {dec_u1_DecCtrlDone == KU1_ON → u1_tBrakePedalPosition >= DEC_KU2_KHaltBrkCancelBrkPedalPos} dec_u1_DecCtrlDone == KU1_ON in case that the conditions shown as right side. Because of this, post condition is "false" ( ( u1_tEEC2CanRcv == KU1_ON ) && ( u1_tAcceleratorPedalPosition1DataRangeErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tEEC2TimeOutErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( (u2)u1_tAcceleratorPedalPosition1 >= DEC_KU2_KHaltBrkCancelAccelPedalPos ) ) An issue was found!
JTEKT CORPORATION Case study: Proof of SW portion 2 (4) • If branch is not taken 24 Pre condition: {true ˄ ┐ }( u1_tBrakePedalPosition >= DEC_KU2_KHaltBrkCancelBrkPedalPos ) || ( ( u1_tEEC2CanRcv == KU1_ON ) && ( u1_tAcceleratorPedalPosition1DataRangeErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tEEC2TimeOutErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( (u2)u1_tAcceleratorPedalPosition1 >= DEC_KU2_KHaltBrkCancelAccelPedalPos ) ) Program: dec_u1_DecCtrlDone = KU1_OFF; Pre condition modified: {true ˄ }( u1_tBrakePedalPosition < DEC_KU2_KHaltBrkCancelBrkPedalPos ) && ( ( u1_tEEC2CanRcv != KU1_ON ) || ( u1_tAcceleratorPedalPosition1DataRangeErrStatus == DEC_KU1_ChkErrDeterminedState ) || ( u1_tEEC2TimeOutErrStatus == DEC_KU1_ChkErrDeterminedState ) || ( (u2)u1_tAcceleratorPedalPosition1 < DEC_KU2_KHaltBrkCancelAccelPedalPos ) ) Post condition: {u1_tBrakePedalPosition < DEC_KU2_KHaltBrkCancelBrkPedalPos → dec_u1_DecCtrlDone != KU1_ON} If the pre condition is satisfied, the post condition is also satisfied
JTEKT CORPORATION Results of case study • Positive points: – It is demonstrated that the method can be used to demonstrate logically the correctness of program. Therefore, if the proof is successfully done, it can be claimed that there is no bug as far as logical point of view • Negative points: – It is very "tough" work for the software engineers to do this because of • Lack of knowledge of theorem proving; • Lack of time to do it. (this is very time consuming) 25 If the negative points are overcome, it can be understood that this method have high potential for safety critical portion software component. → For the proving itself, tool support is expected.
JTEKT CORPORATION Possibility to use supporting tools • In order to overcome such difficulty, the usage of commercial tool can be considered. • For this purpose, we tried to use SPARK. – SPARK is: • Programming language for safe and secure software • Very readable • Strong type-checking • Formal verification tool • Proves absence of access to uninitialized data • Proves absence of runtime errors: – Values within expected ranges – Buffer overflow – Division by zero • Proves user-specified properties – Results: • Same conclusion but very short time. • There is still difficulty to define appropriate set of pre and post conditions. 26 This is used in the case studies.
JTEKT CORPORATION Steps to use SPARK • Theorem proving with SPARK by following steps. 1. Transform from C to SPARK: – Since the automotive E/E system software is developed as modification from existing one, it is assumed that the software is written by C language. – For most of the automotive E/E system, one-by-one interpretation can be possible. – Of course, this is not necessary if software is developed by SPARK from scratch. 2. Define property to be proved 3. Execution 27 This is the most important task for this method.
JTEKT CORPORATION How to integrate theorem proving? • In order to successfully perform theorem proving, safety properties (pre- condition & post-condition) have to be determined at the necessary level of detail. – At least, each software unit has its own safety property if it is safety related. 28 Software architectural design (Clause 7 of ISO 26262-6) • Software architectural design • Safety analysis • Safety requirement refinement Software unit design & implementation (Clause 8 of ISO 26262-6) • Software unit design • Software unit implementation Software unit verification (Clause 9 of ISO 26262-6) • Software unit static verification (review, code analysis) • Software unit dynamic verification (or testing) • Based on the result of them, expected behaviour shall be defined for safety related SW elements. • Decision making for application of theorem proving. − Safety properties are extracted for each SW unit. • Theorem proving is done as a part of SW unit verification
JTEKT CORPORATION Decision making for application • Currently SW FMEA is enhanced to add such information. – (1) to (8) are done in the same way as conventional FMEA – If the software element is judged as safety critical based on the result of analysis ((5) to (8)), decision is made for necessity of applying theorem proving. There are two points for this decision. • Point 1: The feasibility to apply safety mechanism with respect to the failure mode: If it is hard to apply safety mechanism to meet safety requirement with respect to the failure mode assumed, we have to rely on safety measures during development. Theorem proving is one of the powerful methodology for this purpose. • Point 2: The risk of systematic failure in the specification for the software element: Theorem proving on source code level can detect coding error. However, this method does not address specification error. Therefore, it is a prerequisite that systematic faults in specification has already been eliminated. – If it is decided to apply theorem proving, properties are identified. 29 Item SW function SW element Failure mode Effect Theorem proving applied? Properties Operating mode Locallevel System Level ASIL Pre- condition Post- condition (1) (2) (3) (4) (5) (6) (7) (8) (9) (10) (11) Since the methodology is not mature for us, area of application is still limited.
JTEKT CORPORATION More systematic approach • Our absolute goal is to claim that our software does not need any safety mechanism for software systematic fault! • To achieve this, mode systematic approach from specification to implementation is needed. 30 Theorem proving  Formal description language + Model Checking?? Formal description language ?? WearetryingtoapplySPARK fortheseareaasacandidatesolution
JTEKT CORPORATION Conclusions and future steps • Theorem proving can be used to demonstrate that software is free from systematic fault during coding. – Thanks to this, it can be possible to claim fault avoidance is achieved. – As a result, no additional safety mechanism is necessary!! • For the next step, JTEKT will investigate to apply similar proof for upper abstraction level to reach safety mechanism-free software design. – Logical proof from specification to implementation. – This will need additional effort for software design at high level, but • Reduce software testing: Since no safety mechanism, test for it is not necessary anymore. • Reduce required performance: Since run-time checking is no more implemented, it is not necessary to spent hardware resource for it. • Reduce effort for justification of safety: Since everything is theoretically explained, we don't need to rely on in-direct evidence (such as code metrics, test case and test coverage) for safety. 31 JTEKT has started to apply theorem proving to safety critical software elements.

Recommended

Spark / Ada for Safe and Secure Firmware Development
Spark / Ada for Safe and Secure Firmware DevelopmentSpark / Ada for Safe and Secure Firmware Development
Spark / Ada for Safe and Secure Firmware DevelopmentAdaCore
 
Securing the Future of Safety and Security of Embedded Software
Securing the Future of Safety and Security of Embedded SoftwareSecuring the Future of Safety and Security of Embedded Software
Securing the Future of Safety and Security of Embedded SoftwareAdaCore
 
WESPr 18 presentation slides CAV Taguchi
WESPr 18 presentation slides CAV TaguchiWESPr 18 presentation slides CAV Taguchi
WESPr 18 presentation slides CAV TaguchiKenji Taguchi
 
Safe & Sec Case Patterns (ASSURE 2015)
Safe & Sec Case Patterns (ASSURE 2015)Safe & Sec Case Patterns (ASSURE 2015)
Safe & Sec Case Patterns (ASSURE 2015)Kenji Taguchi
 
Waise 2021 Uber ATG Safety Case Framework and ANSI/UL 4600
Waise 2021 Uber ATG Safety Case Framework and ANSI/UL 4600Waise 2021 Uber ATG Safety Case Framework and ANSI/UL 4600
Waise 2021 Uber ATG Safety Case Framework and ANSI/UL 4600Kenji Taguchi
 
NEN_SIL Platform_Risk matrix guide
NEN_SIL Platform_Risk matrix guideNEN_SIL Platform_Risk matrix guide
NEN_SIL Platform_Risk matrix guideRianne Boek
 
Cav Taguchi autosec china slides
Cav Taguchi autosec china slidesCav Taguchi autosec china slides
Cav Taguchi autosec china slidesKenji Taguchi
 
Linking Traceability with GSN (Assure 2014)
Linking Traceability with GSN (Assure 2014)Linking Traceability with GSN (Assure 2014)
Linking Traceability with GSN (Assure 2014)Kenji Taguchi
 

Recommended

Spark / Ada for Safe and Secure Firmware Development
Spark / Ada for Safe and Secure Firmware DevelopmentSpark / Ada for Safe and Secure Firmware Development
Spark / Ada for Safe and Secure Firmware DevelopmentAdaCore
 
Securing the Future of Safety and Security of Embedded Software
Securing the Future of Safety and Security of Embedded SoftwareSecuring the Future of Safety and Security of Embedded Software
Securing the Future of Safety and Security of Embedded SoftwareAdaCore
 
WESPr 18 presentation slides CAV Taguchi
WESPr 18 presentation slides CAV TaguchiWESPr 18 presentation slides CAV Taguchi
WESPr 18 presentation slides CAV TaguchiKenji Taguchi
 
Safe & Sec Case Patterns (ASSURE 2015)
Safe & Sec Case Patterns (ASSURE 2015)Safe & Sec Case Patterns (ASSURE 2015)
Safe & Sec Case Patterns (ASSURE 2015)Kenji Taguchi
 
Waise 2021 Uber ATG Safety Case Framework and ANSI/UL 4600
Waise 2021 Uber ATG Safety Case Framework and ANSI/UL 4600Waise 2021 Uber ATG Safety Case Framework and ANSI/UL 4600
Waise 2021 Uber ATG Safety Case Framework and ANSI/UL 4600Kenji Taguchi
 
NEN_SIL Platform_Risk matrix guide
NEN_SIL Platform_Risk matrix guideNEN_SIL Platform_Risk matrix guide
NEN_SIL Platform_Risk matrix guideRianne Boek
 
Cav Taguchi autosec china slides
Cav Taguchi autosec china slidesCav Taguchi autosec china slides
Cav Taguchi autosec china slidesKenji Taguchi
 
Linking Traceability with GSN (Assure 2014)
Linking Traceability with GSN (Assure 2014)Linking Traceability with GSN (Assure 2014)
Linking Traceability with GSN (Assure 2014)Kenji Taguchi
 
19 Jun 2018 - Hazard Analysis and Functional Safety Compliance
19 Jun 2018 - Hazard Analysis and Functional Safety Compliance 19 Jun 2018 - Hazard Analysis and Functional Safety Compliance
19 Jun 2018 - Hazard Analysis and Functional Safety Compliance Intland Software GmbH
 
MISRA Safety Case Guidelines -
MISRA Safety Case Guidelines - MISRA Safety Case Guidelines -
MISRA Safety Case Guidelines - Automotive IQ
 
MISRA C in an ISO 26262 context
MISRA C in an ISO 26262 contextMISRA C in an ISO 26262 context
MISRA C in an ISO 26262 contextAdaCore
 
CAST Architecture Checker
CAST Architecture CheckerCAST Architecture Checker
CAST Architecture CheckerCAST
 
Cast vs sonar
Cast vs sonarCast vs sonar
Cast vs sonarRajesh Kumar
 
Cost Effective Outcomes from FPSO Safety Case
Cost Effective Outcomes from FPSO Safety CaseCost Effective Outcomes from FPSO Safety Case
Cost Effective Outcomes from FPSO Safety CaseIQPC
 
Mynd company presentation
Mynd company presentationMynd company presentation
Mynd company presentationDavide Enrico Arnoldi
 
IEC 61511 introduction
IEC 61511 introduction IEC 61511 introduction
IEC 61511 introduction KoenLeekens
 
Introduction to Functional Safety and SIL Certification
Introduction to Functional Safety and SIL CertificationIntroduction to Functional Safety and SIL Certification
Introduction to Functional Safety and SIL CertificationISA Boston Section
 
HSSEQ-RECM Presentation.
HSSEQ-RECM Presentation.HSSEQ-RECM Presentation.
HSSEQ-RECM Presentation.Marco Parodi
 
System Assurance & RAMS
System Assurance & RAMSSystem Assurance & RAMS
System Assurance & RAMSMetro Rail News
 
Making Network Security Relevant
Making Network Security RelevantMaking Network Security Relevant
Making Network Security RelevantHP Enterprise Italia
 
Bilbro james
Bilbro jamesBilbro james
Bilbro jamesNASAPMC
 
Complying with New Functional Safety Standards
Complying with New Functional Safety StandardsComplying with New Functional Safety Standards
Complying with New Functional Safety StandardsDesign World
 
Optimizing Fire3 and Gas System Design Using the ISA Technical Report ISA TR8...
Optimizing Fire3 and Gas System Design Using the ISA Technical Report ISA TR8...Optimizing Fire3 and Gas System Design Using the ISA Technical Report ISA TR8...
Optimizing Fire3 and Gas System Design Using the ISA Technical Report ISA TR8...Kenexis
 
Safety Instrumentation
Safety Instrumentation Safety Instrumentation
Safety Instrumentation Living Online
 
CompTIA PenTest+: Everything you need to know about the exam
CompTIA PenTest+: Everything you need to know about the examCompTIA PenTest+: Everything you need to know about the exam
CompTIA PenTest+: Everything you need to know about the examInfosec
 
20100121 04 - Présentation du CISQ par cast software
20100121 04 - Présentation du CISQ par cast software20100121 04 - Présentation du CISQ par cast software
20100121 04 - Présentation du CISQ par cast softwareLeClubQualiteLogicielle
 
[CLASS 2014] Palestra Técnica - Alexandre Euclides
[CLASS 2014] Palestra Técnica - Alexandre Euclides[CLASS 2014] Palestra Técnica - Alexandre Euclides
[CLASS 2014] Palestra Técnica - Alexandre EuclidesTI Safe
 
SE2018_Lec 19_ Software Testing
SE2018_Lec 19_ Software TestingSE2018_Lec 19_ Software Testing
SE2018_Lec 19_ Software TestingAmr E. Mohamed
 
Some Commonly Asked Question For Software Testing
Some Commonly Asked Question For Software TestingSome Commonly Asked Question For Software Testing
Some Commonly Asked Question For Software TestingKumari Warsha Goel
 
Testing ppt
Testing pptTesting ppt
Testing pptkiran theja
 

More Related Content

What's hot

19 Jun 2018 - Hazard Analysis and Functional Safety Compliance
19 Jun 2018 - Hazard Analysis and Functional Safety Compliance 19 Jun 2018 - Hazard Analysis and Functional Safety Compliance
19 Jun 2018 - Hazard Analysis and Functional Safety Compliance Intland Software GmbH
 
MISRA Safety Case Guidelines -
MISRA Safety Case Guidelines - MISRA Safety Case Guidelines -
MISRA Safety Case Guidelines - Automotive IQ
 
MISRA C in an ISO 26262 context
MISRA C in an ISO 26262 contextMISRA C in an ISO 26262 context
MISRA C in an ISO 26262 contextAdaCore
 
CAST Architecture Checker
CAST Architecture CheckerCAST Architecture Checker
CAST Architecture CheckerCAST
 
Cost Effective Outcomes from FPSO Safety Case
Cost Effective Outcomes from FPSO Safety CaseCost Effective Outcomes from FPSO Safety Case
Cost Effective Outcomes from FPSO Safety CaseIQPC
 
IEC 61511 introduction
IEC 61511 introduction IEC 61511 introduction
IEC 61511 introduction KoenLeekens
 
Introduction to Functional Safety and SIL Certification
Introduction to Functional Safety and SIL CertificationIntroduction to Functional Safety and SIL Certification
Introduction to Functional Safety and SIL CertificationISA Boston Section
 
HSSEQ-RECM Presentation.
HSSEQ-RECM Presentation.HSSEQ-RECM Presentation.
HSSEQ-RECM Presentation.Marco Parodi
 
Bilbro james
Bilbro jamesBilbro james
Bilbro jamesNASAPMC
 
Complying with New Functional Safety Standards
Complying with New Functional Safety StandardsComplying with New Functional Safety Standards
Complying with New Functional Safety StandardsDesign World
 
Optimizing Fire3 and Gas System Design Using the ISA Technical Report ISA TR8...
Optimizing Fire3 and Gas System Design Using the ISA Technical Report ISA TR8...Optimizing Fire3 and Gas System Design Using the ISA Technical Report ISA TR8...
Optimizing Fire3 and Gas System Design Using the ISA Technical Report ISA TR8...Kenexis
 
Safety Instrumentation
Safety Instrumentation Safety Instrumentation
Safety Instrumentation Living Online
 
CompTIA PenTest+: Everything you need to know about the exam
CompTIA PenTest+: Everything you need to know about the examCompTIA PenTest+: Everything you need to know about the exam
CompTIA PenTest+: Everything you need to know about the examInfosec
 
20100121 04 - Présentation du CISQ par cast software
20100121 04 - Présentation du CISQ par cast software20100121 04 - Présentation du CISQ par cast software
20100121 04 - Présentation du CISQ par cast softwareLeClubQualiteLogicielle
 
[CLASS 2014] Palestra Técnica - Alexandre Euclides
[CLASS 2014] Palestra Técnica - Alexandre Euclides[CLASS 2014] Palestra Técnica - Alexandre Euclides
[CLASS 2014] Palestra Técnica - Alexandre EuclidesTI Safe
 

What's hot (19)

19 Jun 2018 - Hazard Analysis and Functional Safety Compliance
19 Jun 2018 - Hazard Analysis and Functional Safety Compliance 19 Jun 2018 - Hazard Analysis and Functional Safety Compliance
19 Jun 2018 - Hazard Analysis and Functional Safety Compliance
 
MISRA Safety Case Guidelines -
MISRA Safety Case Guidelines - MISRA Safety Case Guidelines -
MISRA Safety Case Guidelines -
 
MISRA C in an ISO 26262 context
MISRA C in an ISO 26262 contextMISRA C in an ISO 26262 context
MISRA C in an ISO 26262 context
 
CAST Architecture Checker
CAST Architecture CheckerCAST Architecture Checker
CAST Architecture Checker
 
Cast vs sonar
Cast vs sonarCast vs sonar
Cast vs sonar
 
Cost Effective Outcomes from FPSO Safety Case
Cost Effective Outcomes from FPSO Safety CaseCost Effective Outcomes from FPSO Safety Case
Cost Effective Outcomes from FPSO Safety Case
 
Mynd company presentation
Mynd company presentationMynd company presentation
Mynd company presentation
 
IEC 61511 introduction
IEC 61511 introduction IEC 61511 introduction
IEC 61511 introduction
 
Introduction to Functional Safety and SIL Certification
Introduction to Functional Safety and SIL CertificationIntroduction to Functional Safety and SIL Certification
Introduction to Functional Safety and SIL Certification
 
HSSEQ-RECM Presentation.
HSSEQ-RECM Presentation.HSSEQ-RECM Presentation.
HSSEQ-RECM Presentation.
 
System Assurance & RAMS
System Assurance & RAMSSystem Assurance & RAMS
System Assurance & RAMS
 
Making Network Security Relevant
Making Network Security RelevantMaking Network Security Relevant
Making Network Security Relevant
 
Bilbro james
Bilbro jamesBilbro james
Bilbro james
 
Complying with New Functional Safety Standards
Complying with New Functional Safety StandardsComplying with New Functional Safety Standards
Complying with New Functional Safety Standards
 
Optimizing Fire3 and Gas System Design Using the ISA Technical Report ISA TR8...
Optimizing Fire3 and Gas System Design Using the ISA Technical Report ISA TR8...Optimizing Fire3 and Gas System Design Using the ISA Technical Report ISA TR8...
Optimizing Fire3 and Gas System Design Using the ISA Technical Report ISA TR8...
 
Safety Instrumentation
Safety Instrumentation Safety Instrumentation
Safety Instrumentation
 
CompTIA PenTest+: Everything you need to know about the exam
CompTIA PenTest+: Everything you need to know about the examCompTIA PenTest+: Everything you need to know about the exam
CompTIA PenTest+: Everything you need to know about the exam
 
20100121 04 - Présentation du CISQ par cast software
20100121 04 - Présentation du CISQ par cast software20100121 04 - Présentation du CISQ par cast software
20100121 04 - Présentation du CISQ par cast software
 
[CLASS 2014] Palestra Técnica - Alexandre Euclides
[CLASS 2014] Palestra Técnica - Alexandre Euclides[CLASS 2014] Palestra Técnica - Alexandre Euclides
[CLASS 2014] Palestra Técnica - Alexandre Euclides
 

Similar to Applying Theorem Proving for Safety-Critical Vehicle Software

SE2018_Lec 19_ Software Testing
SE2018_Lec 19_ Software TestingSE2018_Lec 19_ Software Testing
SE2018_Lec 19_ Software TestingAmr E. Mohamed
 
Some Commonly Asked Question For Software Testing
Some Commonly Asked Question For Software TestingSome Commonly Asked Question For Software Testing
Some Commonly Asked Question For Software TestingKumari Warsha Goel
 
Code coverage in theory and in practice form the do178 b perspective
Code coverage in theory and in practice form the do178 b perspectiveCode coverage in theory and in practice form the do178 b perspective
Code coverage in theory and in practice form the do178 b perspectiveEngineering Software Lab
 
Code Coverage in Theory and in practice form the DO178B perspective
Code Coverage in Theory and in practice form the DO178B perspective Code Coverage in Theory and in practice form the DO178B perspective
Code Coverage in Theory and in practice form the DO178B perspective Engineering Software Lab
 
Software Testing and Quality Assurance Assignment 2
Software Testing and Quality Assurance Assignment 2Software Testing and Quality Assurance Assignment 2
Software Testing and Quality Assurance Assignment 2Gurpreet singh
 
SE2_Lec 20_Software Testing
SE2_Lec 20_Software TestingSE2_Lec 20_Software Testing
SE2_Lec 20_Software TestingAmr E. Mohamed
 
What are Software Testing Methodologies | Software Testing Techniques | Edureka
What are Software Testing Methodologies | Software Testing Techniques | EdurekaWhat are Software Testing Methodologies | Software Testing Techniques | Edureka
What are Software Testing Methodologies | Software Testing Techniques | EdurekaEdureka!
 
Deployment of Debug and Trace for features in RISC-V Core
Deployment of Debug and Trace for features in RISC-V CoreDeployment of Debug and Trace for features in RISC-V Core
Deployment of Debug and Trace for features in RISC-V CoreIRJET Journal
 
Testing Interview Questions.pdf
Testing Interview Questions.pdfTesting Interview Questions.pdf
Testing Interview Questions.pdfPradeepaKannan6
 
Detecting soft errors by a purely software approach
Detecting soft errors by a purely software approachDetecting soft errors by a purely software approach
Detecting soft errors by a purely software approachMd. Hasibur Rashid
 
Detecting soft errors by a purely software approach
Detecting soft errors by a purely software approachDetecting soft errors by a purely software approach
Detecting soft errors by a purely software approachMd. Hasibur Rashid
 
Qualifying a high performance memory subsysten for Functional Safety
Qualifying a high performance memory subsysten for Functional SafetyQualifying a high performance memory subsysten for Functional Safety
Qualifying a high performance memory subsysten for Functional SafetyPankaj Singh
 
Ch13 system testexecution
Ch13 system testexecutionCh13 system testexecution
Ch13 system testexecutionabcxyz_abc
 
Test Case Optimization and Redundancy Reduction Using GA and Neural Networks
Test Case Optimization and Redundancy Reduction Using GA and Neural Networks Test Case Optimization and Redundancy Reduction Using GA and Neural Networks
Test Case Optimization and Redundancy Reduction Using GA and Neural Networks IJECEIAES
 
Model Driven Testing: requirements, models & test
Model Driven Testing: requirements, models & test Model Driven Testing: requirements, models & test
Model Driven Testing: requirements, models & test Gregory Solovey
 
Software engineering quality assurance and testing
Software engineering quality assurance and testingSoftware engineering quality assurance and testing
Software engineering quality assurance and testingBipul Roy Bpl
 
A Novel Approach to Derive the Average-Case Behavior of Distributed Embedded ...
A Novel Approach to Derive the Average-Case Behavior of Distributed Embedded ...A Novel Approach to Derive the Average-Case Behavior of Distributed Embedded ...
A Novel Approach to Derive the Average-Case Behavior of Distributed Embedded ...ijccmsjournal
 
Zero-bug Software, Mathematically Guaranteed
Zero-bug Software, Mathematically GuaranteedZero-bug Software, Mathematically Guaranteed
Zero-bug Software, Mathematically GuaranteedAshley Zupkus
 

Similar to Applying Theorem Proving for Safety-Critical Vehicle Software (20)

SE2018_Lec 19_ Software Testing
SE2018_Lec 19_ Software TestingSE2018_Lec 19_ Software Testing
SE2018_Lec 19_ Software Testing
 
Some Commonly Asked Question For Software Testing
Some Commonly Asked Question For Software TestingSome Commonly Asked Question For Software Testing
Some Commonly Asked Question For Software Testing
 
Testing ppt
Testing pptTesting ppt
Testing ppt
 
Code coverage in theory and in practice form the do178 b perspective
Code coverage in theory and in practice form the do178 b perspectiveCode coverage in theory and in practice form the do178 b perspective
Code coverage in theory and in practice form the do178 b perspective
 
Code Coverage in Theory and in practice form the DO178B perspective
Code Coverage in Theory and in practice form the DO178B perspective Code Coverage in Theory and in practice form the DO178B perspective
Code Coverage in Theory and in practice form the DO178B perspective
 
Software Testing and Quality Assurance Assignment 2
Software Testing and Quality Assurance Assignment 2Software Testing and Quality Assurance Assignment 2
Software Testing and Quality Assurance Assignment 2
 
SE2_Lec 20_Software Testing
SE2_Lec 20_Software TestingSE2_Lec 20_Software Testing
SE2_Lec 20_Software Testing
 
What are Software Testing Methodologies | Software Testing Techniques | Edureka
What are Software Testing Methodologies | Software Testing Techniques | EdurekaWhat are Software Testing Methodologies | Software Testing Techniques | Edureka
What are Software Testing Methodologies | Software Testing Techniques | Edureka
 
Chapter 7
Chapter 7Chapter 7
Chapter 7
 
Deployment of Debug and Trace for features in RISC-V Core
Deployment of Debug and Trace for features in RISC-V CoreDeployment of Debug and Trace for features in RISC-V Core
Deployment of Debug and Trace for features in RISC-V Core
 
Testing Interview Questions.pdf
Testing Interview Questions.pdfTesting Interview Questions.pdf
Testing Interview Questions.pdf
 
Detecting soft errors by a purely software approach
Detecting soft errors by a purely software approachDetecting soft errors by a purely software approach
Detecting soft errors by a purely software approach
 
Detecting soft errors by a purely software approach
Detecting soft errors by a purely software approachDetecting soft errors by a purely software approach
Detecting soft errors by a purely software approach
 
Qualifying a high performance memory subsysten for Functional Safety
Qualifying a high performance memory subsysten for Functional SafetyQualifying a high performance memory subsysten for Functional Safety
Qualifying a high performance memory subsysten for Functional Safety
 
Ch13 system testexecution
Ch13 system testexecutionCh13 system testexecution
Ch13 system testexecution
 
Test Case Optimization and Redundancy Reduction Using GA and Neural Networks
Test Case Optimization and Redundancy Reduction Using GA and Neural Networks Test Case Optimization and Redundancy Reduction Using GA and Neural Networks
Test Case Optimization and Redundancy Reduction Using GA and Neural Networks
 
Model Driven Testing: requirements, models & test
Model Driven Testing: requirements, models & test Model Driven Testing: requirements, models & test
Model Driven Testing: requirements, models & test
 
Software engineering quality assurance and testing
Software engineering quality assurance and testingSoftware engineering quality assurance and testing
Software engineering quality assurance and testing
 
A Novel Approach to Derive the Average-Case Behavior of Distributed Embedded ...
A Novel Approach to Derive the Average-Case Behavior of Distributed Embedded ...A Novel Approach to Derive the Average-Case Behavior of Distributed Embedded ...
A Novel Approach to Derive the Average-Case Behavior of Distributed Embedded ...
 
Zero-bug Software, Mathematically Guaranteed
Zero-bug Software, Mathematically GuaranteedZero-bug Software, Mathematically Guaranteed
Zero-bug Software, Mathematically Guaranteed
 

More from AdaCore

RCA OCORA: Safe Computing Platform using open standards
RCA OCORA: Safe Computing Platform using open standardsRCA OCORA: Safe Computing Platform using open standards
RCA OCORA: Safe Computing Platform using open standardsAdaCore
 
Have we a Human Ecosystem?
Have we a Human Ecosystem?Have we a Human Ecosystem?
Have we a Human Ecosystem?AdaCore
 
Rust and the coming age of high integrity languages
Rust and the coming age of high integrity languagesRust and the coming age of high integrity languages
Rust and the coming age of high integrity languagesAdaCore
 
SPARKNaCl: A verified, fast cryptographic library
SPARKNaCl: A verified, fast cryptographic librarySPARKNaCl: A verified, fast cryptographic library
SPARKNaCl: A verified, fast cryptographic libraryAdaCore
 
Developing Future High Integrity Processing Solutions
Developing Future High Integrity Processing SolutionsDeveloping Future High Integrity Processing Solutions
Developing Future High Integrity Processing SolutionsAdaCore
 
Taming event-driven software via formal verification
Taming event-driven software via formal verificationTaming event-driven software via formal verification
Taming event-driven software via formal verificationAdaCore
 
Pushing the Boundary of Mostly Automatic Program Proof
Pushing the Boundary of Mostly Automatic Program ProofPushing the Boundary of Mostly Automatic Program Proof
Pushing the Boundary of Mostly Automatic Program ProofAdaCore
 
RCA OCORA: Safe Computing Platform using open standards
RCA OCORA: Safe Computing Platform using open standardsRCA OCORA: Safe Computing Platform using open standards
RCA OCORA: Safe Computing Platform using open standardsAdaCore
 
Product Lines and Ecosystems: from customization to configuration
Product Lines and Ecosystems: from customization to configurationProduct Lines and Ecosystems: from customization to configuration
Product Lines and Ecosystems: from customization to configurationAdaCore
 
Introducing the HICLASS Research Programme - Enabling Development of Complex ...
Introducing the HICLASS Research Programme - Enabling Development of Complex ...Introducing the HICLASS Research Programme - Enabling Development of Complex ...
Introducing the HICLASS Research Programme - Enabling Development of Complex ...AdaCore
 
The Future of Aerospace – More Software Please!
The Future of Aerospace – More Software Please!The Future of Aerospace – More Software Please!
The Future of Aerospace – More Software Please!AdaCore
 
Adaptive AUTOSAR - The New AUTOSAR Architecture
Adaptive AUTOSAR - The New AUTOSAR ArchitectureAdaptive AUTOSAR - The New AUTOSAR Architecture
Adaptive AUTOSAR - The New AUTOSAR ArchitectureAdaCore
 
Using Tiers of Assurance Evidence to Reduce the Tears! Adopting the “Wheel of...
Using Tiers of Assurance Evidence to Reduce the Tears! Adopting the “Wheel of...Using Tiers of Assurance Evidence to Reduce the Tears! Adopting the “Wheel of...
Using Tiers of Assurance Evidence to Reduce the Tears! Adopting the “Wheel of...AdaCore
 
Software Engineering for Robotics - The RoboStar Technology
Software Engineering for Robotics - The RoboStar TechnologySoftware Engineering for Robotics - The RoboStar Technology
Software Engineering for Robotics - The RoboStar TechnologyAdaCore
 
The Application of Formal Methods to Railway Signalling Software
The Application of Formal Methods to Railway Signalling SoftwareThe Application of Formal Methods to Railway Signalling Software
The Application of Formal Methods to Railway Signalling SoftwareAdaCore
 
Bounded Model Checking for C Programs in an Enterprise Environment
Bounded Model Checking for C Programs in an Enterprise EnvironmentBounded Model Checking for C Programs in an Enterprise Environment
Bounded Model Checking for C Programs in an Enterprise EnvironmentAdaCore
 
Multi-Core (MC) Processor Qualification for Safety Critical Systems
Multi-Core (MC) Processor Qualification for Safety Critical SystemsMulti-Core (MC) Processor Qualification for Safety Critical Systems
Multi-Core (MC) Processor Qualification for Safety Critical SystemsAdaCore
 
Ada 202x A broad overview of relevant news
Ada 202x A broad overview of relevant newsAda 202x A broad overview of relevant news
Ada 202x A broad overview of relevant newsAdaCore
 
Verification and Validation of Robotic Assistants
Verification and Validation of Robotic AssistantsVerification and Validation of Robotic Assistants
Verification and Validation of Robotic AssistantsAdaCore
 
An Alternative Approach to DO-178B
An Alternative Approach to DO-178BAn Alternative Approach to DO-178B
An Alternative Approach to DO-178BAdaCore
 

More from AdaCore (20)

RCA OCORA: Safe Computing Platform using open standards
RCA OCORA: Safe Computing Platform using open standardsRCA OCORA: Safe Computing Platform using open standards
RCA OCORA: Safe Computing Platform using open standards
 
Have we a Human Ecosystem?
Have we a Human Ecosystem?Have we a Human Ecosystem?
Have we a Human Ecosystem?
 
Rust and the coming age of high integrity languages
Rust and the coming age of high integrity languagesRust and the coming age of high integrity languages
Rust and the coming age of high integrity languages
 
SPARKNaCl: A verified, fast cryptographic library
SPARKNaCl: A verified, fast cryptographic librarySPARKNaCl: A verified, fast cryptographic library
SPARKNaCl: A verified, fast cryptographic library
 
Developing Future High Integrity Processing Solutions
Developing Future High Integrity Processing SolutionsDeveloping Future High Integrity Processing Solutions
Developing Future High Integrity Processing Solutions
 
Taming event-driven software via formal verification
Taming event-driven software via formal verificationTaming event-driven software via formal verification
Taming event-driven software via formal verification
 
Pushing the Boundary of Mostly Automatic Program Proof
Pushing the Boundary of Mostly Automatic Program ProofPushing the Boundary of Mostly Automatic Program Proof
Pushing the Boundary of Mostly Automatic Program Proof
 
RCA OCORA: Safe Computing Platform using open standards
RCA OCORA: Safe Computing Platform using open standardsRCA OCORA: Safe Computing Platform using open standards
RCA OCORA: Safe Computing Platform using open standards
 
Product Lines and Ecosystems: from customization to configuration
Product Lines and Ecosystems: from customization to configurationProduct Lines and Ecosystems: from customization to configuration
Product Lines and Ecosystems: from customization to configuration
 
Introducing the HICLASS Research Programme - Enabling Development of Complex ...
Introducing the HICLASS Research Programme - Enabling Development of Complex ...Introducing the HICLASS Research Programme - Enabling Development of Complex ...
Introducing the HICLASS Research Programme - Enabling Development of Complex ...
 
The Future of Aerospace – More Software Please!
The Future of Aerospace – More Software Please!The Future of Aerospace – More Software Please!
The Future of Aerospace – More Software Please!
 
Adaptive AUTOSAR - The New AUTOSAR Architecture
Adaptive AUTOSAR - The New AUTOSAR ArchitectureAdaptive AUTOSAR - The New AUTOSAR Architecture
Adaptive AUTOSAR - The New AUTOSAR Architecture
 
Using Tiers of Assurance Evidence to Reduce the Tears! Adopting the “Wheel of...
Using Tiers of Assurance Evidence to Reduce the Tears! Adopting the “Wheel of...Using Tiers of Assurance Evidence to Reduce the Tears! Adopting the “Wheel of...
Using Tiers of Assurance Evidence to Reduce the Tears! Adopting the “Wheel of...
 
Software Engineering for Robotics - The RoboStar Technology
Software Engineering for Robotics - The RoboStar TechnologySoftware Engineering for Robotics - The RoboStar Technology
Software Engineering for Robotics - The RoboStar Technology
 
The Application of Formal Methods to Railway Signalling Software
The Application of Formal Methods to Railway Signalling SoftwareThe Application of Formal Methods to Railway Signalling Software
The Application of Formal Methods to Railway Signalling Software
 
Bounded Model Checking for C Programs in an Enterprise Environment
Bounded Model Checking for C Programs in an Enterprise EnvironmentBounded Model Checking for C Programs in an Enterprise Environment
Bounded Model Checking for C Programs in an Enterprise Environment
 
Multi-Core (MC) Processor Qualification for Safety Critical Systems
Multi-Core (MC) Processor Qualification for Safety Critical SystemsMulti-Core (MC) Processor Qualification for Safety Critical Systems
Multi-Core (MC) Processor Qualification for Safety Critical Systems
 
Ada 202x A broad overview of relevant news
Ada 202x A broad overview of relevant newsAda 202x A broad overview of relevant news
Ada 202x A broad overview of relevant news
 
Verification and Validation of Robotic Assistants
Verification and Validation of Robotic AssistantsVerification and Validation of Robotic Assistants
Verification and Validation of Robotic Assistants
 
An Alternative Approach to DO-178B
An Alternative Approach to DO-178BAn Alternative Approach to DO-178B
An Alternative Approach to DO-178B
 

Recently uploaded

Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 

Recently uploaded (20)

Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 

Applying Theorem Proving for Safety-Critical Vehicle Software

  • 1. JTEKT CORPORATION Application of theorem proving for safety-critical vehicle software S. Yoneki, K. Zanma, K. Toyozumi / JTEKT corporation J. Kanig/AdaCore 1
  • 2. JTEKT CORPORATION Background • For current vehicle, loss of specified function is not acceptable. – ISO 26262-10:2018 addresses this topic but mostly random hardware failure is focused. Software systematic faults also face the same issue but very limited guidance is provided. 2 12.4 Software development phase 12.4.1 Software fault avoidance and tolerance Safety-related availability requirements for software can be addressed by two approaches: fault avoidance (12.4.2) and fault tolerance (12.4.3). 12.4.2 Software fault avoidance The methods for fault avoidance are intended to reduce the overall occurrence of systematic faults. The necessary amount of fault avoidance can be achieved by developing software elements using ISO 26262-6:2018. 12.4.3 Software fault tolerance Techniques for fault tolerance try to keep the item operational despite the presence of software systematic faults. Some fault tolerant mechanisms are mentioned in ISO 26262-6:2018, 7.4.12, NOTE 2 and NOTE 3. From ISO 26262-10:2018 Can we claim that fault leading to loss of specified functions is avoided? For the software fault tolerance, we need additional safety mechanisms such as backup (degraded) control, diversified software. But this is not always possible depending on many reason (performance limitation, resource limitation, etc.) How to deal with it?
  • 3. JTEKT CORPORATION • Comparison with software safety design for conventional EPS system and the requirements for coming EPS system Safety requirements on the main function for a conventional EPS system: • The system shall prevent unwanted output from the main function in order to avoid hazardous event. Current implementation 3 Main function QM (D) Safety mech. ASIL D(D) Systematic fault Risk mitigation is made by combination of main function and shut-down function. Safety requirements on the main function for the latest EPS system • The system shall maintain a specified function provided by the main function in order to avoid a hazardous event. Main function QM(D) Safety mech. ASIL D(D) Systematic fault Example: However, this is very difficult (or impossible) in some case (e.g. I/O control, state machine) !!! SHUT DOWN SPECIFIED FUNCTION Example: Risk mitigation is made by combination of main function and shut-down function.
  • 4. JTEKT CORPORATION Key for solving the issue • Currently no specific criteria for sufficiency of measures during development. 4 Start For each architectural element, how failure modes caused by systematic faults will propagate is analyzed. The criticality of the fault mode is decided based on possibility of violating the safety goals or safety requirements Is the possibility of the failure mode sufficiently mitigated during the safety measures taken during development? Introduction of appropriate safety mechanisms Provide rationale for sufficiency (including introduction of additional measures) YESNO Typical chart to decide the necessity of safety mechanism In general, it is difficult to demonstrate this sufficiency to the customer since no well established criteria.  There are several supporting evidences (but they are not "silver bullet") • Code metrics • Test coverage • Proven in use  Based on the situation, criteria for acceptance is not the same for all customers Can we demonstrate it by "formal verification"?
  • 5. JTEKT CORPORATION Formal verification • Generally speaking, it is hard to claim that the software is bug-free by test. → Testing only demonstrates existing of bug. • Formal verification is recommended by ISO 26262-6. Not highly recommended because it is difficult to apply it. However…. – Formal verification may demonstrate that there is no systematic failure that leads to loss of specified function. – If this is true, then formal verification is considered as strong tool. 5 From ISO/FDIS 26262-6
  • 6. JTEKT CORPORATION Model checking vs Theorem proving • Two approaches for formal verification; model checking and theorem proving. – Model checking: The software to be proved is translated into state transition model and all states and transitions are explored in the model. – Theorem proving: From the software and its specifications, mathematical proof is made. The truth of proof implies conformance of the system to its specification. 6 Model checking Theorem proving Remark Number of states to be handled finite Not limited Theorem proving verifies program itself. Therefore, number of states is not related to the capability of theorem proving. On the other hand model checking is hard to apply for numeric calculation because it easily results in state explosion Automation Auto Semi-auto Model checking can proceed automatically via a software tool once model is created. Ability to represent target software Low High For model checking, software has to be translated in the state transition model. In order to prevent state explosion, software has to be abstracted. During such abstraction process, systematic faults in the software program may be hidden. On the other hand, in theorem proving, source program is translated one-by-one. Difficulty Low High Because theorem proving usually needs extra information for the proof by a human, expertise is high Simple comparison of model checking and theorem proving w.r.t. finding SW bugs Our target is to demonstrate "bug-free" for a very specific software component to which safety mechanism is hard to apply. Because of this, "theorem proving" is selected for the study.
  • 7. JTEKT CORPORATION What is the "theorem proving" • Theorem proving is: – Like "code review" with logical (or mathematical) proof – Possible to trace how to proof based on logical equation • Mathematical (or logical) proof that if the pre-condition is satisfied, then post condition after program run is also satisfied. 7 Pre condition: Conditions that are satisfied before execution of program to be verified. Post condition: Conditions that are satisfied after execution of program to be verified. Program (e.g. C source code) Program is theoretically translated and checked that if pre condition is "true", then post condition is also true. Post condition can be defined at the arbitrary level based on what is to be proved, such as: • Don’t output unwanted value; • No access outside the array; • No divide by zero. Other assumptions are made: • No interference with other programs or hardware • Called functions are correctly specified • …
  • 8. JTEKT CORPORATION Simple example • Pre condition The property that the input parameters (x, y) have { 3x - 2y ≥ 0 } • Program y := x – y +10 … S1 x := x + 2 * y … S2 • Post condition The property (e.g. safety threshold) that the resulting value has to possess. { x ≥ 20 } 8 Pre condition is transformed as : x + 2(x – y + 10) ≥ 20 Proof for S1: Substitute y of intermediate post condition {x – 2y ≥ 20} with x - y + 10, then {x + 2(x – y + 10) ≥ 20 }. This is equivalent with precondition. This means that post condition of S1 is always satisfied if pre condition is satisfied. For S1, pre condition is {x + 2(x – y + 10) ≥ 20 }, and post condition is {x – 2y ≥ 20} For S2, pre condition is {x – 2y ≥ 20}, and post condition is { x ≥ 20 } Proof for S2: Substitute x of post condition {x ≥ 20} with x + 2 * y, then {x – 2y ≥ 20 }. This is equivalent with precondition. This means that post condition of S2 is always satisfied if pre condition is satisfied. If pre condition of the program is satisfied, post condition is always satisfied. From proof of S1and S2
  • 9. JTEKT CORPORATION Difference between conventional testing • The approach to demonstrate how a bug is not included in the software. 9 Testing Theorem proving Experimental approach: • It might be difficult to claim that the software is 100% tested. • Test coverage can be measured by, for example, structural coverage to demonstrate that the software is tested as far as reasonable practical. • High coverage is good rational that the risk of bug is quite low, such the overage for safety critical software is acceptable or not depends on the customer. Logical approach: • It can be possible to claim that software does not contain any bugs with evidence. • A safety critical software unit is demonstrated as bug-free in logical way. • This make us possible to convince all our customers that the software unit will not cause a safety critical event. Necessity of safety mechanism depends on customers. Safety mechanism for the software unit is not necessary any more for all customers.
  • 10. JTEKT CORPORATION Weak points of theorem proving • Timing issue – Theorem proving does not verify calculation time. Therefore, it is difficult to demonstrate if output is acquired within the specified time flame. • Hardware (or ISA) dependent issues – It can be possible to deal with but much effort is needed for, such as: • Bit manipulation • Address calculation • Big endian/Little endian 10 This has to be confirmed by other methods such as worst-case execution time analysis. This has to be confirmed by, for example, static code analyzer Theorem proving is not perfect solution but give additional confidence for correctness of software from logical point of view.
  • 11. JTEKT CORPORATION Case study • We tried to apply theorem proving to actual software element to get better understanding of this method. – Purposes for the case study are: 1. To understand the method "theorem proving". – The method has not been well know to automotive industry (at least in Japan). – Therefore, if we apply this method, we have to give clear explanation to our customers. 2. To investigate feasibility to apply this method to automotive E/E system software. – Since this method is quite new for us, we did not have clear image about how it works. – We need to know how we can use this method for our purpose. 11 SAMPLE for the case study - Software element for autonomous driving. • Function: To decide whether acceleration pedal or break pedal is operated to release deceleration control by halt break • Safety requirement: − if halt brake switch is not active, deceleration done flag shall not be "ON". − if acceleration pedal position is smaller that halt break cancel position, declaration done flag shall not be "ON"
  • 12. JTEKT CORPORATION Case study: source code void dec_vo_JdgDecCtrlDone( void ) { if ( u1_tDecCtrlInitReq == KU1_ON ) { dec_u1_DecCtrlDone = KU1_OFF; } else { if ( ( u1_VehicleCanDiagMaskReq == KU1_OFF ) && ( u1_tEBC1CanRcv == KU1_ON ) && ( u1_tEBSBrakeSwitchDataRangeErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tBrakePedalPositionDataRangeErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tEBSRedWarningSignalDataRangeErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tABSEBSAmberWarnSignalDataRangeErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tHaltBrakeSwitchDataRangeErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tEBC1TimeOutErrStatusStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tHaltBrakeSwitch == DEC_KU1_HaltBrakeSwitchActive ) ) { if ( ( u1_tBrakePedalPosition >= DEC_KU2_KHaltBrkCancelBrkPedalPos ) || ( ( u1_tEEC2CanRcv == KU1_ON ) && ( u1_tAcceleratorPedalPosition1DataRangeErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tEEC2TimeOutErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( (u2)u1_tAcceleratorPedalPosition1 >= DEC_KU2_KHaltBrkCancelAccelPedalPos ) ) ) { dec_u1_DecCtrlDone = KU1_ON; } else { dec_u1_DecCtrlDone = KU1_OFF; } } else { dec_u1_DecCtrlDone = KU1_OFF; } } } 12
  • 13. JTEKT CORPORATION Case study: Safety requirements Interpretation of two safety requirements at code level − safety requirement 1: This means the situation that “if HaltBrakeSwitch is not active, DecCtrlDone != KU1_ON”. − safety requirement 2: This means the situation that “if AcceleratorPedalPosition1 < KHaltBrkCancelAccelPedalPos, DecCtrlDone != KU1_ON”. 13
  • 14. JTEKT CORPORATION Case study: Verification strategy • In the program, if-statements are nested. • Therefore, theorem proving is applied for step-by-step manner. 14 if … else … If … else … Software portion 1: This is verified with internal if statement (software portion 2 below) as black box. This means that all possible outcome is assumed as pre- condition. Software portion 2: This program is verified independently. NOTE: The purpose of strategy is to do the case study. Depending on the tool capability, it is possible to make proof for complete software without splitting portions.
  • 15. JTEKT CORPORATION Case study: Proof of SW portion 1 (1) void dec_vo_JdgDecCtrlDone( void ) { if ( u1_tDecCtrlInitReq == KU1_ON ) { dec_u1_DecCtrlDone = KU1_OFF; } else { if ( ( u1_VehicleCanDiagMaskReq == KU1_OFF ) && ( u1_tEBC1CanRcv == KU1_ON ) && ( u1_tEBSBrakeSwitchDataRangeErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tBrakePedalPositionDataRangeErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tEBSRedWarningSignalDataRangeErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tABSEBSAmberWarnSignalDataRangeErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tHaltBrakeSwitchDataRangeErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tEBC1TimeOutErrStatusStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tHaltBrakeSwitch == DEC_KU1_HaltBrakeSwitchActive ) ) { if ( ( u1_tBrakePedalPosition >= DEC_KU2_KHaltBrkCancelBrkPedalPos ) || ( ( u1_tEEC2CanRcv == KU1_ON ) && ( u1_tAcceleratorPedalPosition1DataRangeErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tEEC2TimeOutErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( (u2)u1_tAcceleratorPedalPosition1 >= DEC_KU2_KHaltBrkCancelAccelPedalPos ) ) ) { dec_u1_DecCtrlDone = KU1_ON; } else { dec_u1_DecCtrlDone = KU1_OFF; } } else { dec_u1_DecCtrlDone = KU1_OFF; } } } 15 Scope of verification
  • 16. JTEKT CORPORATION Case study: Proof of SW portion 1 (2) void dec_vo_JdgDecCtrlDone( void ) { if ( u1_tDecCtrlInitReq == KU1_ON ) { dec_u1_DecCtrlDone = KU1_OFF; } else { if ( ( u1_VehicleCanDiagMaskReq == KU1_OFF ) && ( u1_tEBC1CanRcv == KU1_ON ) && ( u1_tEBSBrakeSwitchDataRangeErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tBrakePedalPositionDataRangeErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tEBSRedWarningSignalDataRangeErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tABSEBSAmberWarnSignalDataRangeErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tHaltBrakeSwitchDataRangeErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tEBC1TimeOutErrStatusStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tHaltBrakeSwitch == DEC_KU1_HaltBrakeSwitchActive ) ) { DO SOMETHING BUT INDEPENDENTLY FROM "u1_tHaltBrakeSwitch" (to be verified separately) } } else { dec_u1_DecCtrlDone = KU1_OFF; } } } 16 Scope of verification
  • 17. JTEKT CORPORATION Case study: Proof of SW portion 1 (3) • Pre-condition and post-condition for the scope of verification 17 Program: if ( ( u1_VehicleCanDiagMaskReq == KU1_OFF ) && ( u1_tEBC1CanRcv == KU1_ON ) && ( u1_tEBSBrakeSwitchDataRangeErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tBrakePedalPositionDataRangeErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tEBSRedWarningSignalDataRangeErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tABSEBSAmberWarnSignalDataRangeErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tHaltBrakeSwitchDataRangeErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tEBC1TimeOutErrStatusStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tHaltBrakeSwitch == DEC_KU1_HaltBrakeSwitchActive ) ) { DO SOMETHING BUT INDEPENDENTLY FROM "u1_tHaltBrakeSwitch" (to be verified separately) } } else { dec_u1_DecCtrlDone = KU1_OFF; } Pre condition: {true} Post condition: {u1_tHaltBrakeSwitch != DEC_KU1_HaltBrakeSwitchActive → dec_u1_DecCtrlDone != KU1_ON}
  • 18. JTEKT CORPORATION Case study: Proof of SW portion 1 (4) • If branch is taken 18 Pre condition: {true ˄ } Program: DO SOMETHING BUT INDEPENDENTLY FROM "u1_tHaltBrakeSwitch" ( u1_VehicleCanDiagMaskReq == KU1_OFF ) && ( u1_tEBC1CanRcv == KU1_ON ) && ( u1_tEBSBrakeSwitchDataRangeErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tBrakePedalPositionDataRangeErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tEBSRedWarningSignalDataRangeErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tABSEBSAmberWarnSignalDataRangeErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tHaltBrakeSwitchDataRangeErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tEBC1TimeOutErrStatusStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tHaltBrakeSwitch == DEC_KU1_HaltBrakeSwitchActive ) ) Post condition {u1_tHaltBrakeSwitch != DEC_KU1_HaltBrakeSwitchActive → dec_u1_DecCtrlDone != KU1_ON} According to the pre condition, (u1_tHaltBrakeSwitch != DEC_KU1_HaltBrakeSwitchActive) is false. Therefore, post-condition is always true. Therefore, the portion of the program is correct.
  • 19. JTEKT CORPORATION Case study: Proof of SW portion 1 (5) • If branch is not taken 19 Pre condition: {true ˄ }┐( u1_VehicleCanDiagMaskReq == KU1_OFF ) && ( u1_tEBC1CanRcv == KU1_ON ) && ( u1_tEBSBrakeSwitchDataRangeErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tBrakePedalPositionDataRangeErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tEBSRedWarningSignalDataRangeErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tABSEBSAmberWarnSignalDataRangeErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tHaltBrakeSwitchDataRangeErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tEBC1TimeOutErrStatusStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tHaltBrakeSwitch == DEC_KU1_HaltBrakeSwitchActive ) ) Pre condition modified: {true ˄ }( u1_VehicleCanDiagMaskReq != KU1_OFF ) || ( u1_tEBC1CanRcv != KU1_ON ) || ( u1_tEBSBrakeSwitchDataRangeErrStatus == DEC_KU1_ChkErrDeterminedState ) || ( u1_tBrakePedalPositionDataRangeErrStatus == DEC_KU1_ChkErrDeterminedState ) || ( u1_tEBSRedWarningSignalDataRangeErrStatus == DEC_KU1_ChkErrDeterminedState ) || ( u1_tABSEBSAmberWarnSignalDataRangeErrStatus == DEC_KU1_ChkErrDeterminedState ) || ( u1_tHaltBrakeSwitchDataRangeErrStatus == DEC_KU1_ChkErrDeterminedState ) || ( u1_tEBC1TimeOutErrStatusStatus == DEC_KU1_ChkErrDeterminedState ) || ( u1_tHaltBrakeSwitch != DEC_KU1_HaltBrakeSwitchActive ) ) Pre condition modified again: {true} The pre condition after this modification is weaker (allows more situations) than previous one. Therefore, this modification is valid for the propose.
  • 20. JTEKT CORPORATION Case study: Proof of SW portion 1 (6) • If branch is not taken(continue) 20 Program: dec_u1_DecCtrlDone = KU1_OFF Post condition: {u1_tHaltBrakeSwitch != DEC_KU1_HaltBrakeSwitchActive → dec_u1_DecCtrlDone != KU1_ON} If the pre condition is satisfied, the post condition is also satisfied Pre condition modified again (from previous page): {true}
  • 21. JTEKT CORPORATION Case study: Proof of SW portion 2 (1) void dec_vo_JdgDecCtrlDone( void ) { if ( u1_tDecCtrlInitReq == KU1_ON ) { dec_u1_DecCtrlDone = KU1_OFF; } else { if ( ( u1_VehicleCanDiagMaskReq == KU1_OFF ) && ( u1_tEBC1CanRcv == KU1_ON ) && ( u1_tEBSBrakeSwitchDataRangeErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tBrakePedalPositionDataRangeErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tEBSRedWarningSignalDataRangeErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tABSEBSAmberWarnSignalDataRangeErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tHaltBrakeSwitchDataRangeErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tEBC1TimeOutErrStatusStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tHaltBrakeSwitch == DEC_KU1_HaltBrakeSwitchActive ) ) { if ( ( u1_tBrakePedalPosition >= DEC_KU2_KHaltBrkCancelBrkPedalPos ) || ( ( u1_tEEC2CanRcv == KU1_ON ) && ( u1_tAcceleratorPedalPosition1DataRangeErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tEEC2TimeOutErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( (u2)u1_tAcceleratorPedalPosition1 >= DEC_KU2_KHaltBrkCancelAccelPedalPos ) ) ) { dec_u1_DecCtrlDone = KU1_ON; } else { dec_u1_DecCtrlDone = KU1_OFF; } } else { dec_u1_DecCtrlDone = KU1_OFF; } } } 21 Scope of verification
  • 22. JTEKT CORPORATION Case study: Proof of SW portion 2 (2) • Pre-condition and post -condition for the scope of verification 22 Program: if ( ( u1_tBrakePedalPosition >= DEC_KU2_KHaltBrkCancelBrkPedalPos ) || ( ( u1_tEEC2CanRcv == KU1_ON ) && ( u1_tAcceleratorPedalPosition1DataRangeErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tEEC2TimeOutErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( (u2)u1_tAcceleratorPedalPosition1 >= DEC_KU2_KHaltBrkCancelAccelPedalPos ) ) ) { dec_u1_DecCtrlDone = KU1_ON; } else { dec_u1_DecCtrlDone = KU1_OFF; } Pre condition: {true} Post condition: {u1_tBrakePedalPosition < DEC_KU2_KHaltBrkCancelBrkPedalPos → dec_u1_DecCtrlDone != KU1_ON}
  • 23. JTEKT CORPORATION Case study: Proof of SW portion 2 (3) • If branch is taken 23 Pre condition: {true ˄ }( u1_tBrakePedalPosition >= DEC_KU2_KHaltBrkCancelBrkPedalPos ) || ( ( u1_tEEC2CanRcv == KU1_ON ) && ( u1_tAcceleratorPedalPosition1DataRangeErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tEEC2TimeOutErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( (u2)u1_tAcceleratorPedalPosition1 >= DEC_KU2_KHaltBrkCancelAccelPedalPos ) ) Program: dec_u1_DecCtrlDone = KU1_ON; Post condition: {u1_tBrakePedalPosition < DEC_KU2_KHaltBrkCancelBrkPedalPos → dec_u1_DecCtrlDone != KU1_ON} Pre condition modification: {true ˄ (( u1_tBrakePedalPosition >= DEC_KU2_KHaltBrkCancelBrkPedalPos) ˅ }( ( u1_tEEC2CanRcv == KU1_ON ) && ( u1_tAcceleratorPedalPosition1DataRangeErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tEEC2TimeOutErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( (u2)u1_tAcceleratorPedalPosition1 >= DEC_KU2_KHaltBrkCancelAccelPedalPos ) ) Post condition modified: {dec_u1_DecCtrlDone == KU1_ON → u1_tBrakePedalPosition >= DEC_KU2_KHaltBrkCancelBrkPedalPos} dec_u1_DecCtrlDone == KU1_ON in case that the conditions shown as right side. Because of this, post condition is "false" ( ( u1_tEEC2CanRcv == KU1_ON ) && ( u1_tAcceleratorPedalPosition1DataRangeErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tEEC2TimeOutErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( (u2)u1_tAcceleratorPedalPosition1 >= DEC_KU2_KHaltBrkCancelAccelPedalPos ) ) An issue was found!
  • 24. JTEKT CORPORATION Case study: Proof of SW portion 2 (4) • If branch is not taken 24 Pre condition: {true ˄ ┐ }( u1_tBrakePedalPosition >= DEC_KU2_KHaltBrkCancelBrkPedalPos ) || ( ( u1_tEEC2CanRcv == KU1_ON ) && ( u1_tAcceleratorPedalPosition1DataRangeErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( u1_tEEC2TimeOutErrStatus != DEC_KU1_ChkErrDeterminedState ) && ( (u2)u1_tAcceleratorPedalPosition1 >= DEC_KU2_KHaltBrkCancelAccelPedalPos ) ) Program: dec_u1_DecCtrlDone = KU1_OFF; Pre condition modified: {true ˄ }( u1_tBrakePedalPosition < DEC_KU2_KHaltBrkCancelBrkPedalPos ) && ( ( u1_tEEC2CanRcv != KU1_ON ) || ( u1_tAcceleratorPedalPosition1DataRangeErrStatus == DEC_KU1_ChkErrDeterminedState ) || ( u1_tEEC2TimeOutErrStatus == DEC_KU1_ChkErrDeterminedState ) || ( (u2)u1_tAcceleratorPedalPosition1 < DEC_KU2_KHaltBrkCancelAccelPedalPos ) ) Post condition: {u1_tBrakePedalPosition < DEC_KU2_KHaltBrkCancelBrkPedalPos → dec_u1_DecCtrlDone != KU1_ON} If the pre condition is satisfied, the post condition is also satisfied
  • 25. JTEKT CORPORATION Results of case study • Positive points: – It is demonstrated that the method can be used to demonstrate logically the correctness of program. Therefore, if the proof is successfully done, it can be claimed that there is no bug as far as logical point of view • Negative points: – It is very "tough" work for the software engineers to do this because of • Lack of knowledge of theorem proving; • Lack of time to do it. (this is very time consuming) 25 If the negative points are overcome, it can be understood that this method have high potential for safety critical portion software component. → For the proving itself, tool support is expected.
  • 26. JTEKT CORPORATION Possibility to use supporting tools • In order to overcome such difficulty, the usage of commercial tool can be considered. • For this purpose, we tried to use SPARK. – SPARK is: • Programming language for safe and secure software • Very readable • Strong type-checking • Formal verification tool • Proves absence of access to uninitialized data • Proves absence of runtime errors: – Values within expected ranges – Buffer overflow – Division by zero • Proves user-specified properties – Results: • Same conclusion but very short time. • There is still difficulty to define appropriate set of pre and post conditions. 26 This is used in the case studies.
  • 27. JTEKT CORPORATION Steps to use SPARK • Theorem proving with SPARK by following steps. 1. Transform from C to SPARK: – Since the automotive E/E system software is developed as modification from existing one, it is assumed that the software is written by C language. – For most of the automotive E/E system, one-by-one interpretation can be possible. – Of course, this is not necessary if software is developed by SPARK from scratch. 2. Define property to be proved 3. Execution 27 This is the most important task for this method.
  • 28. JTEKT CORPORATION How to integrate theorem proving? • In order to successfully perform theorem proving, safety properties (pre- condition & post-condition) have to be determined at the necessary level of detail. – At least, each software unit has its own safety property if it is safety related. 28 Software architectural design (Clause 7 of ISO 26262-6) • Software architectural design • Safety analysis • Safety requirement refinement Software unit design & implementation (Clause 8 of ISO 26262-6) • Software unit design • Software unit implementation Software unit verification (Clause 9 of ISO 26262-6) • Software unit static verification (review, code analysis) • Software unit dynamic verification (or testing) • Based on the result of them, expected behaviour shall be defined for safety related SW elements. • Decision making for application of theorem proving. − Safety properties are extracted for each SW unit. • Theorem proving is done as a part of SW unit verification
  • 29. JTEKT CORPORATION Decision making for application • Currently SW FMEA is enhanced to add such information. – (1) to (8) are done in the same way as conventional FMEA – If the software element is judged as safety critical based on the result of analysis ((5) to (8)), decision is made for necessity of applying theorem proving. There are two points for this decision. • Point 1: The feasibility to apply safety mechanism with respect to the failure mode: If it is hard to apply safety mechanism to meet safety requirement with respect to the failure mode assumed, we have to rely on safety measures during development. Theorem proving is one of the powerful methodology for this purpose. • Point 2: The risk of systematic failure in the specification for the software element: Theorem proving on source code level can detect coding error. However, this method does not address specification error. Therefore, it is a prerequisite that systematic faults in specification has already been eliminated. – If it is decided to apply theorem proving, properties are identified. 29 Item SW function SW element Failure mode Effect Theorem proving applied? Properties Operating mode Locallevel System Level ASIL Pre- condition Post- condition (1) (2) (3) (4) (5) (6) (7) (8) (9) (10) (11) Since the methodology is not mature for us, area of application is still limited.
  • 30. JTEKT CORPORATION More systematic approach • Our absolute goal is to claim that our software does not need any safety mechanism for software systematic fault! • To achieve this, mode systematic approach from specification to implementation is needed. 30 Theorem proving  Formal description language + Model Checking?? Formal description language ?? WearetryingtoapplySPARK fortheseareaasacandidatesolution
  • 31. JTEKT CORPORATION Conclusions and future steps • Theorem proving can be used to demonstrate that software is free from systematic fault during coding. – Thanks to this, it can be possible to claim fault avoidance is achieved. – As a result, no additional safety mechanism is necessary!! • For the next step, JTEKT will investigate to apply similar proof for upper abstraction level to reach safety mechanism-free software design. – Logical proof from specification to implementation. – This will need additional effort for software design at high level, but • Reduce software testing: Since no safety mechanism, test for it is not necessary anymore. • Reduce required performance: Since run-time checking is no more implemented, it is not necessary to spent hardware resource for it. • Reduce effort for justification of safety: Since everything is theoretically explained, we don't need to rely on in-direct evidence (such as code metrics, test case and test coverage) for safety. 31 JTEKT has started to apply theorem proving to safety critical software elements.

Editor's Notes

  1. 1