Alan Wassyng
McMaster University
Publication
Featured research published by Alan Wassyng.
formal methods | 2003
Alan Wassyng; Mark Lawford
This paper describes the lessons we learned over a thirteen year period while helping to develop the shutdown systems for the nuclear generating station at Darlington, Ontario, Canada. We begin with a brief description of the project and then show how we modified processes and notations developed in the academic community so that they are acceptable for use in industry. We highlight some of the topics that proved to be particularly challenging and that would benefit from more in-depth study without the pressure of project deadlines.
foundations of computer science | 2010
Alan Wassyng; T. S. E. Maibaum; Mark Lawford; Hans Bherer
Safety cases have become popular, even mandated, in a number of jurisdictions that develop products that have to be safe. Prior to their use in software certification, safety cases were already in use in domains like aviation, military applications, and the nuclear industry. Argument based methodologies/approaches have recently become the cornerstone for structuring justification and evidence to support safety claims. We believe that the safety case methodology is useful for the software certification domain, but needs to be tailored, more clearly defined, and more appropriately structured in analogy with regulatory regimes in classical engineering disciplines. This paper presents a number of reasons as to why current approaches to safety cases do not satisfy essential attributes for an effective software certification process and proposes improvements based on lessons learned from other engineering disciplines. In particular, the safety case approach lacks the highly prescriptive and domain specific nature that can be seen in other engineering specialities, in terms of engineering and analysis methods to be applied in generating the relevant evidence. Safety case approaches and corresponding methods should aim to achieve the levels of precision and effectiveness of engineering methods underpinning regulatory regimes in other engineering disciplines.
international conference on software engineering | 2014
John Hatcliff; Alan Wassyng; Tim Kelly; Cyrille Comar; Paul L. Jones
The amount and impact of software-dependence in critical systems impinging on daily life is increasing rapidly. In many of these systems, inadequate software and systems engineering can lead to economic disaster, injuries or death. Society generally does not recognize the potential of losses from deficiencies of systems due to software until after some mishap occurs. Then there is an outcry, reflecting societal expectations; however, few know what it takes to achieve the expected safety and, in general, loss-prevention. On the one hand there are unprecedented, exponential increases in size, inter-dependencies, intricacies, numbers and variety in the systems and distribution of development processes across organizations and cultures. On the other hand, industry's capability to verify and validate these systems has not kept up. Mere compliance with existing standards, techniques, and regulations cannot guarantee the safety properties of these systems. The gap between practice and capability is increasing rapidly. This paper considers the future of software engineering as needed to support development and certification of safety-critical software-dependent systems. We identify a collection of challenges and document their current state, the desired state, gaps and barriers to reaching the desired state, and potential directions in software engineering research and education that could address the gaps and barriers.
International Journal of Rock Mechanics and Mining Sciences & Geomechanics Abstracts | 1981
B.H.G. Brady; Alan Wassyng
The finite element and boundary element methods of stress analysis are both well established numerical techniques for determination of stress and displacement distributions in bodies subject to applied load. The inherent advantages of the boundary element method are the ease with which infinite body problems may be analysed, and the efficiency of analysis typically associated with a boundary value solution procedure. Application of the method is limited by the requirement of linear constitutive behaviour for the medium. The finite element method presents antithetical advantages and limitations. Complex constitutive behaviour may be modelled, at the expense of numerical efficiency and, for infinite bodies, inadequate representation of remote boundary conditions. Coupling of finite element and boundary element methods of stress analysis is shown to preserve the advantages of each procedure, and eliminates their individual disadvantages. Procedures employed in the development of a first-generation coupled FE-BE algorithm are described. Solutions of some simple problems verifying the performance of the coupled code are presented.
formal methods | 2006
Alan Wassyng; Mark Lawford
We briefly present a software methodology for safety-critical software, developed over many years to cope with industrial safety-critical applications in the Canadian nuclear industry. Following this we present discussion on software tools that have been used to support this methodology, and software tools that could be used, but have not been used for a variety of reasons. Based on our experience, we also present and motivate a list of high-level requirements for tools that would facilitate the development of safety-critical software using the presented methods, together with a small number of tools that we believe are worth developing in the future.
Monterey'08 Proceedings of the 15th Monterey conference on Foundations of Computer Software: future Trends and Techniques for Development | 2008
Alan Wassyng; T. S. E. Maibaum; Mark Lawford
In this paper we begin by examining the “certification” of a consumer product, a baby walker, that is product-focused, i.e., the certification process requires the performance of precisely defined tests on the product with measurable outcomes. We then review current practices in software certification and contrast the software regime's process-oriented approach to certification with the product-oriented approach typically used in other engineering disciplines. We make the case that product-focused certification is required to produce reliable software intensive systems. These techniques will have to be domain and even product specific to succeed.
FHIES 2013 Revised Selected Papers of the Third International Symposium on Foundations of Health Information Engineering and Systems - Volume 8315 | 2013
Yihai Chen; Mark Lawford; Hao Wang; Alan Wassyng
The insulin pump is a safety-critical embedded medical device used for treatment of type 1 and insulin treated type 2 diabetes. Malfunction of the insulin pump will endanger the user's life. All countries impose some regulation on the sale and use of medical devices. The purpose of such regulation is to protect the public by imposing standards of safety for medical devices, including insulin pumps. The regulator in the USA, the USA Food and Drug Administration (FDA), actually goes further, and includes efficacy in the regulatory requirement. Until recently, regulatory approval was dependent on process based guidance. However, this has proven to be inadequate in most cases where the device depends on software for its safe and effective operation, and the FDA recently changed its approval process for infusion pumps including insulin pumps, so that the production of an assurance case that demonstrates that the device is safe and effective is now a strongly suggested regulatory requirement. However the current regulatory guidance does not recommend any particular software development methodology, and does not include definitive guidance on the evaluation component of the certification process. In this paper, we briefly review the related USA regulatory standards for insulin pumps, highlight development and certification challenges, briefly discuss attributes of a safe, secure and dependable insulin pump, and propose an effective certification process for insulin pumps.
formal methods | 2005
Alan Wassyng; Mark Lawford; Xiayong Hu
Many safety-critical software applications are hard real-time systems. They have stringent timing requirements that have to be met. We present a description of timing behaviour that includes precise definitions as well as analysis of how functional timing requirements interact with performance timing requirements, and how these concepts can be used by software designers. The definitions and analysis presented explicitly deal with tolerances in all timing durations. Preliminary work indicates that some requirements may be met at significantly reduced CPU bandwidth through reduced variation in cycle time.
embedded software | 2011
Alan Wassyng; Mark Lawford; T. S. E. Maibaum
The computer controlled shutdown systems for the Nuclear Power Generating Station at Darlington, Canada, have been subject to licensing scrutiny on a number of occasions. After the first licence was approved in 1990, the licensee, Ontario Hydro, was given a number of years by the regulator to redesign the shutdown systems so that they would be more maintainable. This paper briefly describes the original certification process, lessons learned, and the subsequent development and certification of the shutdown systems. The development, internal certification processes and the regulator's certification process are briefly described. Although twenty years have elapsed since this work started, and there are new analysis techniques and tools that could be applied today, the original process itself has withstood the test of time extraordinarily well. This paper describes principles that explain why it was so successful, and how we can develop more modern approaches from this experience.
formal methods for industrial critical systems | 2009
Xiayong Hu; Mark Lawford; Alan Wassyng
There has been relatively little work on the implementability of timing requirements. We have previously provided definitions of fundamental timing operators that explicitly considered tolerances on property durations and intersample jitter. In this work we identify three environmental assumptions and compare the implementability of a Held_For operator in each of them, formalizing this analysis in PVS. We show how to design a software component that implements the Held_For operator and then verify it in PVS. This pre-verified component is then used to guide the design of more complex components and to decompose their design verification into simple inductive proofs as demonstrated through the implementation of a timing requirement for an example application.
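The two timing abstracts above (2005 and 2009) talk about a Held_For operator, tolerances on property durations, and inter-sample jitter, but a reader who has not seen the papers may not see why a sampled implementation can fail to meet a timing requirement at all. The following is an added example written for this page; it is not the authors' PVS component, and the implementability rule it uses is a simplified model chosen for the example (assumption): a sampled monitor can only locate the start of a true run to within one sample interval, and can only notice its own threshold being crossed to within another, so the hold time it actually reports can overshoot its internal threshold by up to twice the worst-case sample interval. Names such as `HeldForSpec`, `choose_threshold` and `HeldForMonitor`, and the millisecond sample times, are all constructed here. A condition that is true for longer than the nominal duration is exactly the sort of thing a shutdown system trips on, so the point of the check is that the tolerance band must be wide enough to absorb the sampling uncertainty before any such monitor is trusted.

```python
"""Sampled implementation of a Held_For(cond, d) timing operator with
tolerances on the hold duration and on inter-sample jitter.

Added example for this page, not the paper's PVS component.  Simplified
model (assumption): the monitor sees the start of a true run only to
within one sample interval and crosses its own threshold only to within
another, so the real hold time at the first True output can overshoot
the internal threshold by up to 2 * (period + jitter).  All times in ms.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class HeldForSpec:
    """Held_For(cond, d): report True once cond has held continuously for
    some duration in the tolerance band [d - tol_low, d + tol_high]."""
    duration: int
    tol_low: int
    tol_high: int


def choose_threshold(spec: HeldForSpec, period: int, jitter: int) -> Optional[int]:
    """Pick the monitor's internal threshold D, or None if no D fits.

    Measured elapsed time at the first True output lies in
    [D, D + period + jitter) (the previous sample was below D), and the
    real elapsed time adds at most one more interval for the unobserved
    start of the run, so it lies in [D, D + 2*(period + jitter)).
    That range must sit inside the tolerance band of the spec.
    """
    worst_overshoot = 2 * (period + jitter)
    lowest = spec.duration - spec.tol_low
    highest = spec.duration + spec.tol_high - worst_overshoot
    if highest < lowest:
        return None          # tolerance band too narrow for this sample rate
    return lowest            # smallest admissible D keeps the most headroom


class HeldForMonitor:
    """Stateful sampled Held_For: True once cond has been True at every
    sample for at least `threshold` ms of sample time; any False resets."""

    def __init__(self, threshold: int) -> None:
        self.threshold = threshold
        self.run_start: Optional[int] = None

    def step(self, t: int, cond: bool) -> bool:
        if not cond:
            self.run_start = None    # a single false sample breaks the run
            return False
        if self.run_start is None:
            self.run_start = t       # first true sample of this run
        return t - self.run_start >= self.threshold


def make_samples(times: List[int], real_start: int, real_end: int) -> List[Tuple[int, bool]]:
    """Constructed sample stream: the real condition is true on [real_start, real_end)."""
    return [(t, real_start <= t < real_end) for t in times]


def first_report(samples: List[Tuple[int, bool]], threshold: int) -> Optional[int]:
    """Drive a monitor over (time, cond) samples; return the time of its first True."""
    mon = HeldForMonitor(threshold)
    for t, cond in samples:
        if mon.step(t, cond):
            return t
    return None


def within_tolerance(spec: HeldForSpec, elapsed: int) -> bool:
    """Does a real hold time of `elapsed` ms satisfy the spec's band?"""
    return spec.duration - spec.tol_low <= elapsed <= spec.duration + spec.tol_high


# Constructed jittered sample clock: nominal 20 ms period, +/-5 ms jitter.
SAMPLE_TIMES = [0, 22, 39, 61, 78, 100, 121, 138, 160, 179, 200,
                223, 240, 259, 281, 300, 324, 341, 362, 379, 400]

if __name__ == "__main__":
    spec = HeldForSpec(duration=300, tol_low=50, tol_high=100)
    D = choose_threshold(spec, period=20, jitter=5)       # 250
    samples = make_samples(SAMPLE_TIMES, real_start=95, real_end=10_000)
    t_report = first_report(samples, D)                  # 362
    elapsed = t_report - 95                              # 267, inside [250, 400]
    print(D, t_report, elapsed, within_tolerance(spec, elapsed))
    # A band of +/-10 ms cannot be met at this sample rate:
    print(choose_threshold(HeldForSpec(300, 10, 10), period=20, jitter=5))  # None
```

The monitor itself is a few lines; the engineering content is in `choose_threshold`, which refuses to produce an implementation when the tolerance band is narrower than the sampling uncertainty. In the constructed run the real condition becomes true at 95 ms, the first true sample is at 100 ms, and the first True output is at 362 ms, a real hold of 267 ms against a band of 250 to 400 ms. Tightening the band to 10 ms either side at the same 20 ms period returns None, which is the case the 2009 abstract describes as a question of implementability rather than of coding.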