We hope that during the symposium we shall network, exchange opinions and technical information regarding the problem and possible solutions, promote awareness of this area, and (ideally) form a basis for some continued common work.
Note: As is often the case in fast-moving fields, terminology is in flux. The topic of the conference is “Simulation-based approaches for finding and categorizing high-risk scenarios in socio-technical systems”. We encourage people who are interested in simulation-based approaches for “cyber-physical systems”, “systems of systems”, “complex systems” or “systems engineering” to also attend.
Here are some answers to questions we were asked about the symposium:
Socio-technical systems are complex systems-of-systems comprising of electronics, software, mechanics, people and so on. Examples are airports, airplanes, robotic systems, military systems, hospitals, smart cities, complex energy systems etc.
The term “cyber-physical systems” is also used by many people, though it usually excludes the human element. People also refer to such systems simply as “complex systems”.
One kind of risk is that which results in an accident. See for example the accidents mentioned in the References section, such as the Ariane 5 accident, the Plugger friendly-fire accident, the Lufthansa 2904 accident and so on.
We are also talking about risks which do not result in accidents. E.g. the risk that a sub-system will simply not be usable in the context of a bigger system, or that a system will be unacceptable because it is unavailable, or impossible to maintain, etc.
Finally, simulation-based approaches are also applicable to security risks. The symposium will touch upon security risks, but they are at the periphery.
Let us call the system we are investigating the “Device Under Test” or DUT (some people call it the “System Under Test”). Let us further call the DUT + its environment the “DVE” (for “Design and Verification Environment”).
Then, a simulation-based approach is any approach which primarily runs (executes) a model of the DVE. That model, however, could be of many kinds: It could be an abstract, high-level model, or it could be a low-level model from which part of the DUT is created automatically.
The model could also be the DUT itself. For instance, a simulation-based approach to testing a flight navigation system could include the actual, built navigation system as part of the model.
We expect most models to be object-and-event oriented, but some will be continuous (e.g. system dynamics models).
Finally, models will often contain a mix of the above. For instance, an aviation-related model can conceivably contain a high-level behavioral model of the pilot, the actual, physical navigation system, and some continuous model representing the weather.
There is nothing wrong with all the other approaches to SRM, and there are quite a few of those, including fault trees, Nancy Leveson’s STAMP, formal approaches, and many others. They are all helpful and very deserving of discussions. In fact, we discuss them briefly in some of the presentations.
However, we feel that the simulation-based approach have a huge potential which may now get closer to being realized (see next section), and even a full day is not enough to discuss it.
Here are two related questions we were asked:
The answer to that is that this again would dilute the topic. Most SRM approaches (e.g. fault trees, STAMP, formal methods) could be described as “model-based”.
Again, this is so not to dilute the topic. There are many excellent conferences dealing with formal approaches to complex systems,
Further, while formal approaches have indeed been successful in electronic design verification, finding some very-hard-to-find bugs, the vast majority of bugs are found by simulation. This fact may not have been obvious to you if you were mainly reading academic papers, since those are overwhelmingly about formal approaches, but the statistics have been fairly consistent over the past two decades.
Approaches which enhance simulation via formal techniques are, however, in the scope of the symposium.
We believe that risk analysis based on system simulation will become increasingly important. Ideally, such full system simulation (including simulation of hardware, software, mechanics, human behavior etc.) will:
There are several promising research directions in this area (see some references in the next section). There are also several examples in industry, but this is still the exception (unlike the situation in chip design, where most bugs are found that way).
We believe this is caused by the following reasons, all of which are in the process of transition:
We are talking about both.
Assume that your current DUT is an aircraft navigation system: The risks we are trying to avoid could result from the navigation system not meeting its specifications (this is commonly called verification). They could also result from somebody failing to specify something, thus making the navigation system unsuitable for this aircraft (this is commonly called validation).
We decided to hold this (first) installment of the SSRM symposium in Hebrew so that everybody will feel comfortable to talk and share their experience freely and efficiently.
We expect around 50 people. The room can hold 80 – please confirm via email if you can.
Note:
Some of the abstracts are still missing – come back
here in a week or two.
Abstract: In the presentation,
I will define System Risk Management and discuss how it is done today
and why this may not be sufficient. I will then try to draw from
experience in the (somewhat related) field of chip verification, where
simulation-based MDV is the leading methodology. I will investigate why
MDV works so well for chips, and why it is not sufficient for SRM. I'll
end with some challenges and open questions, and try to provide context
for the other presentations.
Yoav Hollander currently runs
Foretellix, a company devoted to simulation-based system risk
management. After receiving his BSC in Computer Science from Ben Gurion
University, Yoav joined National Semiconductor Corporation, and has
been embroiled in simulation-based verification ever since. After
consulting to several semiconductor companies, Yoav founded Verisity in
1995. Verisity was acquired by Cadence in 2005. Yoav worked for Cadence
in various titles (mostly CTO of verification) until June 2011, and
still consults for them.
G. Waizman, E. Blank, I. Benenson
Abstract. We
present SAFEPED, multi-agent spatially
explicit 3D simulator of drivers' and pedestrians' traffic. The SAFEPED
agents,
autonomously behaving pedestrians and drivers, follow their
pre-established
trajectories (e.g., while crossing the junction) and see and react to
the each
other's movements trying to preserve their velocities while avoiding
the
collisions. Formalization of pedestrians' and
drivers' behavior in
SAFEPED follows robotic algorithm of collision avoidance and Gibson's
theory of
visual perception. Model parameters are estimated based
on video
monitoring at selected spots and motion analysis. The goal of the
SAFEPED is to
investigate risky road spots and analyze the influence of proposed
changes in
architecture and traffic regulations on the accident risks. We
present the
SAFEPED model, the results of the video monitoring analysis and
investigate
simple road situations on the way to full-scale analysis of the
real-world
black spots.
Dr. Assaf Marron
Weizmann
Institute of Science, Rehovot,
Abstract. We propose an approach to software development, called behavioral programming, which offers new capabilities in incremental development. Behavioral programming is an extension and generalization of scenario-based programming introduced with the language of live sequence charts (LSC), and is now implemented also in Java, in the functional programming language Erlang, and in other platforms.
A behavioral program consists of modules called behavior threads, each of which represents an independent scenario (sometimes analogous to a use-case appearing in a requirements document) which describes sequences of events that the system should and shouldn’t do following certain chains of events. A collective execution mechanism interlaces these independent behavior specifications into integrated system behavior. For example, a game-playing application may be programmed by coding each of the rules of the game and each of the attack or defense tactics as a separate, autonomous, sequence of required or forbidden events. Throughout development, the system manifests meaningful overall behavior which is further sculpted and refined as new behavior threads are added, non intrusively, i.e., without modifying the code of existing behaviors and without interacting with them directly.
We also present a model-checking tool for verifying applications developed in this manner, without first-translating them into a model-checker specific language. We show how counterexamples produced by the model-checker can be used in incremental development.
Originally designed for end-user requirements specification, behavioral programming emerges as a programming platform for final executable applications, as well as simulation models. We believe that it can be very applicable to simulation based system risk management in its inherent support of multiple agents, the incremental nature of specifying what-if scenarios, and the availability of model-checker.
The Java packages and model-checker are available online.
The talk reflects joint research primarily with Prof. David Harel (Weizmann), Dr. Gera Weiss (Ben Gurion Univ.), and Dr. Robby Lampert (Weizmann), and surveys work by other researchers as well.
Dr.
Assaf Marron
is a researcher in David Harel’s group at the
Weizmann Institute of Science
Computer Science and Applied Mathematics Department. His current
research
interests include scenario-based programming, machine learning and
information
visualization. Assaf holds a PhD in computer science from the
Abstract. In
this talk I
will attempt to draw an analogy between the emerging area of
Moshe Levinger
joined the IBM Research lab in Haifa in 1992 -- after completing his
MSc in the area of Computational Linguistics, at the
Technion. During his tenure at the IBM Haifa lab, he has held various
technical and managerial roles in the domain of h/w verification. In
the last several years, he serves as the senior manager for the
"Verification & Analytics" area at IBM Haifa.
Abstract.