INVARIANTS EEN 417 Fall 2013
When is a Design of a System “Correct”? A design is correct when it meets its specification (requirements) in its operating environment “A design without specification cannot be right or wrong, it can only be surprising!” Simply running a few tests is not enough! Many embedded systems are deployed in safety-critical applications (avionics, automotive, medical, …)
Ariane disaster, 1996 $500 million software failure FDIV error, 1994 $500 million Estimated worst-case worm cost: > $50 billion
Ariane 5 Flight June 1996, the first test flight of the Ariane 5 rocket system Rocket self-destructed 37 seconds after launch.
Ariane 5 Flight 501 What caused the disaster? A data conversion from 64-bit floating point to 16-bit signed integer
Ariane 5 Flight 501 Max value for 16-bit signed integer – 32,768 Max value for a 64-bit floating point? – 1.79*10^308
Ariane 5 Flight 501 Software had been written and tested for the Ariane 4, where the variables had been protected by a handler. Code was include in Ariane 5 for reuse, despite the fact that the software was not required for the Ariane 5.
Pentium FDIV Bug Intel’s Pentium 5 – Professor Thomas Nicely noticed inconsistencies in calculations when adding Pentiums to his cluster – Floating-point division operations didn’t quite come out right. Off by 61 parts per million
Pentium FDIV Bug Intel acknowledged the flaw, but claimed it wasn’t serious. Wouldn’t affect most users. Byte magazine estimated only 1 in 9 billion floating point operations would suffer the error.
Pentium FDIV Bug Total cost to Intel? $450 million
Korean Air Flight 801 Air Traffic Control Minimum Safe Altitude Warning system – lets pilots know when they are too close to the ground. System in Guam had been giving off spurious alarms, and prevented the airport’s other systems from detecting aircrafts approaching below minimum safe altitude Engineers modified the system to limit alarms.
200 Deaths
High Frequency Trading Algorithmic trading, seeks to exploit small differences in prices, millions of programs running How do they interact? How does something written by Company A affect something written by Company B?
High Frequency Trading 2010 Flash Crash – largest intraday point loss – Losses recovered in minutes, but scared regulatory bodies US SEC and CFTC consluded that HFT contributed to the volatility.
High Frequency Trading SEC and FTC stated – “market makers and other liquidity providers widened their quote spreads, reduced liquidity, and withdrew from the market” Some signal set off their algorithms, caused a joint movement which helped cause the crash
HOW DO WE PREVENT THESE PROBLEMS?
Specification, Verification, and Control Specification A mathematical statement of the design objective (desired properties of the system) Verification Does the designed system achieve its objective in the operating environment? Controller Synthesis Given an incomplete design, synthesize a strategy to complete the system so that it achieves its objective in the operating environment
Propositional Logic Atomic formulas: Statements about an input, output, or state of a state machine. Examples: These are propositions (true or false statements) about a state machine with input or output x and state s. formulameaning x x is present x = 1 x is present and has value 1 s machine is in state s
Propositional Logic Propositional logic formulas: More elaborate statements about an input, output, or state of a state machine. Examples: Here, p 1 and p 2 are either atomic formulas or propositional logic formulas. formulameaning
Execution Trace of a State Machine
Propositional Logic on Traces
Example: Specification of the SpaceWire Protocol (European Space Agency standard)
The problem with most specifications Specifications tend to be written by non- engineers, and tend to be written in English. Why is this a problem?
WRAP UP
For next time Read Chapter 12 – Invariants and Temporal Logic