I presented the topic of the STPA safety analysis approach and software verificaiton to teach master students how to verify software design and software implementations against the STPA safety requirements which is documented in XSTAMPP.
live-blog and tweet this presentation given that you attribute it to its author and respect the rights and licenses of its parts. based on slides by @SMEasterbrook und @ethanwhite
main components used in STPA Data Lists • Accidents • Hazards • System Goals • Design and safety Requirements Data Tables • Unsafe Control Actions • Corresponding Safety Constraints • Causal Factors
Integration Test • System Test • Acceptance Test • … Static Verification (Analysis) • Code Conventions Verification • Bad Practices (anti-Pattern) Detection • Software Metrics Calculation • Formal Verification • … Approaches to Verification Ghezzi, et al. Fundamentals of Software Engineering, Prentice Hall, ISBN 0-13-099183-X
Software Requirements Software Control Actions? Feedback? Autonomous vehicle modelled in graphical notations e.g. State- machine, stateflow. Software Design Models written in natural language e.g. English Software Code written in high-level programming language e.g. C, C++ or Java Formalisation Transformation
a system changes over time Temporal Logics (TL) “is a convenient formalism technique for specifying and verifying properties of reactive systems” Linear Temporal Logic (LTL) “is a mathematical language for description linear-time properties” Properties of interest include : - Safety : “Nothing bad will happen” - Liveness: “Something good will happen”. - Fairness : “Independent subsystems make progress
proposition symbols [p, r, q,..], Boolean operators , and temporal operators: TL Operator LTL Operator Meaning Diagram G ∅ means ”globally/always”. ∅ is true now and forever in the future X ∅ means “at the next time”. ∅ is true in the next state F ∅ means “eventually”. ∅ is true in some future state ℛ ψ R ∅ means “releases”. ∅ is true until and including the point where ψ become true. If ψ never becomes true, then ∅ must remain true forever ψ U ∅ means ”until”. ψ is at least true until ∅ happens at the current or a future position
“The train door software must not close (reopen) the train door when there is a person in the doorway”? 1. LTL= G ((Person_In_Door_Way) -> G (ControlAction=Close)) 2. LTL = G (!(Person_In_Door_Way) -> (ControlAction=Close) ) 3. LTL = G ((Person_In_Door_Way) -> X ! (ControlAction=Close)) 4. LTL = G ((Person_In_Door_Way) -> X! (ControlAction=Open)) 3 Minutes
software meets its requirements. At the design level • The verification model can be constructed/extracted from the software behaviour models such as finite state machine. • Model checkers can be used at this level are: 1. SMV (Symbolic model Verifier) model checker 2. NuSMV Model checker 3. … At the implementation level • The verification model can be constructed/extracted directly from software code written in C or Java. • Software model checkers can be used at this level are: 1. SPIN (Simple Promela Interpreter) 2. …
by ITC-IRST and UniTN 1999 •It is an extension and re-implementation of SMV model checker. •It based on Binary Decision Diagram (BDD) to verify finite state machine against its specifications expressed in LTL
SMV model of the train door controller ? 1. LTL= G ((Person_In_Door_Way) -> G (ControlAction=Close)) 2. LTL = G (!(Person_In_Door_Way) -> (ControlAction=Close) ) 3. LTL = G ((Person_In_Door_Way) -> X ! (ControlAction=Close)) 4. LTL = G ((Person_In_Door_Way) -> X ! (ControlAction=Open)) 3 Minutes
correctness of software. •It can not make the software safe or reduce the risk. •It needs expert users •The requirements can not be directly verified by software model checker •State explosion problem
colleague how to apply STPA to the train door system and do the following: 1. Write one accident that the software controller of train door can contribute in. 2. Write 3 hazards which maybe cause this accident. 3. Translate the identified hazards into the safety constraints. 4. Draw the control structure diagram of the train door system. 5. Identify one unsafe control action and translate it into a corresponding safety constraint. 10 Minutes
person is injured while the train closed the door. • …. Hazards • H1- Door close on a person in the doorway. • … System-level safety constraint • The train door controller must not close the door while a person is in the doorway • … safety control structure diagram of train door system
Unsafe Control Actions • UCA1.1- Train door controller closes the door while a person in the doorway • … Corresponding Safety Constraints • CSC 1.1- Train door controller must not close the door while a person or object is in the doorway • …
UCA1.1- Train door controller closes the door while a person in the doorway Basic Scenario • RUCA1.1- The door software controller provided the control action close door while the train is stopped, train position is aligned, door state is open and a person is in the doorway. Refined software safety constraint • RSC1.1- The door software controller must not provide the control action close door while the train is stopped, train position is aligned, door state is open and a person is in the doorway.
action (CA) is based on the occurrence of the set of values of process model variables and higher inputs (CS). • Rule 1: When CS occur in the execution path, the software must not (!) provide CA. Then, LTL formula can be expressed as: LTL = G ( CS → ! CA). • Rule 2: When CS occur in the execution path, the software must provide CA at the next step. then LTL formula can be expressed as:LTL = G ( CS → X CA) • Rule 3: The software must always not (!) provide CA too early (U) before CS the occurrence of CS still not become true. Then, the LTL formula can be expressed as: LTL = G ((CA →CS) & (!CA U CS)) • Rule 4: The software must always not (!) provide CA too late (U) while the occurrences of the critical set of combinations CS has become previously true in the execution path. Then, the LTL formula can be expressed as: LTL = G ((CS → CA) & (!CS U CA))
for the following software safety requirements: 1. “The train door software controller must not provide the control action close door while the train is stopped, train position is aligned, door state is open and a person is in the doorway” 2. The train door software controller must provide the control action open door when there is a person in doorway. 5 Minutes
institute through student project and job (2013-2017). •Designed specially to serve the widespread adoption and use of STAMP in different areas. •It extended with an plugin called STPA verifier to support the software safety and verification (formal verification and testing activities). www.xstampp.de
Safety-based Test Cases traverse not satisfied satisfied modify export LTL formulae STPA Results Traceability matrix transform check SMV Model Safe Test Model model Test case sheet transform Generating Safety-based Test Cases 1 Modelling STPA Results 2 Transforming into a Formal Model 3 Checking Correctness with Model Checker 4 Generating Runnable Safe Test Model 5 Algorithm
NuSMV logo: http://nusmv.fbk.eu • Train door photo is taken from http://www.bbc.com/news/uk-england- tyne-24634884 • Principle of model checker photo : https://mitpress.mit.edu/books/principles- model-checking
asimabdulkhaleq
karlov
jamashita
asial_edu
matleenalaakso
cbtlibrary
levii
takuro_nakajima
japanstrokeassociation
akiraasano
deanohume
tammyeverts
lauravandoore
destraynor
smashingmag
stephaniewalter
chriscoyier
jonrohan
addyosmani
sonatard
sferik
yeseniaperezcruz
![Dr. Asim Abdulkhaleq e-mail [email protected] stuttgart.de phone +49 (0) 711](https://files.speakerdeck.com/presentations/79f5b02ab93341efbe862bee1e315432/slide_46.jpg){kind=link}
