Presentation is loading. Please wait.

Presentation is loading. Please wait.

INVARIANTS EEN 417 Fall 2013. When is a Design of a System “Correct”? A design is correct when it meets its specification (requirements) in its operating.

Published byAnnabel Jennings Modified over 8 years ago

Similar presentations

Presentation on theme: "INVARIANTS EEN 417 Fall 2013. When is a Design of a System “Correct”? A design is correct when it meets its specification (requirements) in its operating."— Presentation transcript:

1 INVARIANTS EEN 417 Fall 2013

2 When is a Design of a System “Correct”? A design is correct when it meets its specification (requirements) in its operating environment “A design without specification cannot be right or wrong, it can only be surprising!” Simply running a few tests is not enough! Many embedded systems are deployed in safety-critical applications (avionics, automotive, medical, …)

3 Ariane disaster, 1996 $500 million software failure FDIV error, 1994 $500 million Estimated worst-case worm cost: > $50 billion

4 Ariane 5 Flight 501 4 June 1996, the first test flight of the Ariane 5 rocket system Rocket self-destructed 37 seconds after launch.

5 Ariane 5 Flight 501 What caused the disaster? A data conversion from 64-bit floating point to 16-bit signed integer

6 Ariane 5 Flight 501 Max value for 16-bit signed integer – 32,768 Max value for a 64-bit floating point? – 1.79*10^308

7 Ariane 5 Flight 501 Software had been written and tested for the Ariane 4, where the variables had been protected by a handler. Code was include in Ariane 5 for reuse, despite the fact that the software was not required for the Ariane 5.

8 Pentium FDIV Bug Intel’s Pentium 5 – Professor Thomas Nicely noticed inconsistencies in calculations when adding Pentiums to his cluster – Floating-point division operations didn’t quite come out right. Off by 61 parts per million

9 Pentium FDIV Bug Intel acknowledged the flaw, but claimed it wasn’t serious. Wouldn’t affect most users. Byte magazine estimated only 1 in 9 billion floating point operations would suffer the error.

10 Pentium FDIV Bug Total cost to Intel? $450 million

11 Korean Air Flight 801 Air Traffic Control Minimum Safe Altitude Warning system – lets pilots know when they are too close to the ground. System in Guam had been giving off spurious alarms, and prevented the airport’s other systems from detecting aircrafts approaching below minimum safe altitude Engineers modified the system to limit alarms.

12 200 Deaths

13 High Frequency Trading Algorithmic trading, seeks to exploit small differences in prices, millions of programs running How do they interact? How does something written by Company A affect something written by Company B?

14 High Frequency Trading 2010 Flash Crash – largest intraday point loss – Losses recovered in minutes, but scared regulatory bodies US SEC and CFTC consluded that HFT contributed to the volatility.

15 High Frequency Trading SEC and FTC stated – “market makers and other liquidity providers widened their quote spreads, reduced liquidity, and withdrew from the market” Some signal set off their algorithms, caused a joint movement which helped cause the crash

16 HOW DO WE PREVENT THESE PROBLEMS?

17 Specification, Verification, and Control Specification A mathematical statement of the design objective (desired properties of the system) Verification Does the designed system achieve its objective in the operating environment? Controller Synthesis Given an incomplete design, synthesize a strategy to complete the system so that it achieves its objective in the operating environment

18 Propositional Logic Atomic formulas: Statements about an input, output, or state of a state machine. Examples: These are propositions (true or false statements) about a state machine with input or output x and state s. formulameaning x x is present x = 1 x is present and has value 1 s machine is in state s

19 Propositional Logic Propositional logic formulas: More elaborate statements about an input, output, or state of a state machine. Examples: Here, p 1 and p 2 are either atomic formulas or propositional logic formulas. formulameaning

20 Execution Trace of a State Machine

21 Propositional Logic on Traces

22 Example: Specification of the SpaceWire Protocol (European Space Agency standard)

23 The problem with most specifications Specifications tend to be written by non- engineers, and tend to be written in English. Why is this a problem?

24 WRAP UP

25 For next time Read Chapter 12 – Invariants and Temporal Logic

Download ppt "INVARIANTS EEN 417 Fall 2013. When is a Design of a System “Correct”? A design is correct when it meets its specification (requirements) in its operating."

Similar presentations

Testing and Inspecting to Ensure High Quality

Testing and Inspecting to Ensure High Quality
Chapter 16: Recovery System

Chapter 16: Recovery System
50.530: Software Engineering

50.530: Software Engineering
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 20 Slide 1 Critical systems development 2.

©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 20 Slide 1 Critical systems development 2.
1. Software in our lives, then and now  Medical (processing and analysis, Computer Aided Surgery, other various equipment)  Financial and business (banking,

1. Software in our lives, then and now  Medical (processing and analysis, Computer Aided Surgery, other various equipment)  Financial and business (banking,
CSC 4250 Computer Architectures September 12, 2006 Appendix H. Computer Arithmetic.

CSC 4250 Computer Architectures September 12, 2006 Appendix H. Computer Arithmetic.
Ethics in a Computing Culture

Ethics in a Computing Culture
23/05/2015Dr Andy Brooks1 FOR0383 Software Quality Assurance Lecture 2 ESA Ariane 5 Rocket Flight 501.

23/05/2015Dr Andy Brooks1 FOR0383 Software Quality Assurance Lecture 2 ESA Ariane 5 Rocket Flight 501.
1 Basic Definitions: Testing What is software testing? Running a program In order to find faults a.k.a. defects a.k.a. errors a.k.a. flaws a.k.a. faults.

1 Basic Definitions: Testing What is software testing? Running a program In order to find faults a.k.a. defects a.k.a. errors a.k.a. flaws a.k.a. faults.
CSE 1301 Lecture 6B More Repetition Figures from Lewis, “C# Software Solutions”, Addison Wesley Briana B. Morrison.

CSE 1301 Lecture 6B More Repetition Figures from Lewis, “C# Software Solutions”, Addison Wesley Briana B. Morrison.
Software Development Methodology for Robotic and Embedded Systems (from drawing to coding) Presented by Iwan Setiawan for Robot and Technology Fair (01-12-09)-

Software Development Methodology for Robotic and Embedded Systems (from drawing to coding) Presented by Iwan Setiawan for Robot and Technology Fair ( )-
©Ian Sommerville 2000CS 365 Ariane 5 launcher failureSlide 1 The Ariane 5 Launcher Failure June 4th 1996 Total failure of the Ariane 5 launcher on its.

©Ian Sommerville 2000CS 365 Ariane 5 launcher failureSlide 1 The Ariane 5 Launcher Failure June 4th 1996 Total failure of the Ariane 5 launcher on its.
Bellevue University CIS 205: Introduction to Programming Using C++ Lecture 3: Primitive Data Types.

Bellevue University CIS 205: Introduction to Programming Using C++ Lecture 3: Primitive Data Types.
Software Engineering: Where are we? And where do we go from here? V22.0474-001 Software Engineering Lecture 23 Clark Barrett New York University 4/17/2006.

Software Engineering: Where are we? And where do we go from here? V Software Engineering Lecture 23 Clark Barrett New York University 4/17/2006.
ARIANE 5 FAILURE ► BACKGROUND:- ► European space agency’s re-useable launch vehicle. ► Ariane-4 was a major success ► Ariane -5 was developed for the larger.

ARIANE 5 FAILURE ► BACKGROUND:- ► European space agency’s re-useable launch vehicle. ► Ariane-4 was a major success ► Ariane -5 was developed for the larger.
Moving To Code 3 More on the Problem-Solving Process §The final step in the problem-solving process is to evaluate and modify (if necessary) the program.

Moving To Code 3 More on the Problem-Solving Process §The final step in the problem-solving process is to evaluate and modify (if necessary) the program.
Formal verification Marco A. Peña Universitat Politècnica de Catalunya.

Formal verification Marco A. Peña Universitat Politècnica de Catalunya.
©Ian Sommerville 2004Software Engineering Case Studies Slide 1 The Ariane 5 Launcher Failure June 4th 1996 Total failure of the Ariane 5 launcher on its.

©Ian Sommerville 2004Software Engineering Case Studies Slide 1 The Ariane 5 Launcher Failure June 4th 1996 Total failure of the Ariane 5 launcher on its.
Data Types. Every program must deal with data The data is usually described as a certain type This type determines what you can do with the data and how.

Data Types. Every program must deal with data The data is usually described as a certain type This type determines what you can do with the data and how.
CPSC 372 John D. McGregor Module 0 Session 1 Introduction.

CPSC 372 John D. McGregor Module 0 Session 1 Introduction.

Similar presentations

Ads by Google