Surety Solutions for the 21st Century
Surety Science and Engineering Workshop Presentations

Software Surety Techniques

Larry Dalton

Good morning. I'm Larry Dalton, manager of the High Integrity Software Systems Engineering Dept. at Sandia National Laboratories. I'm going to talk to you today about the immense challenges associated with surety of software systems (slide). We use the term "surety," applied to software, in the same way as you have already heard it defined today: 1) reliable in normal environments, 2) safe in abnormal environments, and 3) secure in malevolent environments.

The first thing that I want to impress on you is the pervasive use of software in today's and tomorrow's world and also the level at which most of it is created. Except for those applications where the consequences of failure are simply too great, software is by and large created at level 1. That is, software surety by "design-test-fix," meaning mitigation is after the fact. It's hard to imagine any element of your life that today is not impacted in some direct or indirect way by the use of software-based systems. For example, aircraft and air traffic control are totally dependent upon massive software. The Boeing 777, as an example, has four and one half million lines of software in it. Current automobiles have as many as 30 microprocessors on board, which now even control the accelerator.

The vision that we have at Sandia National Laboratories, and I would hope we share that vision here, is to address such systems with the objective of establishing quantifiable confidence in the reliability, safety, and security of those systems. The key word here is quantifiable, and that is the grand challenge. The need is amplified by our propensity to create more and more complex systems far faster than we know how to deal with the consequences of failures of those systems.

An example here on the left picture, at some cost to the French, is the Ariane 5 missile disaster, on a system that cost $8 billion to develop and launch the first satellite. That was the result in about 36 seconds of flight. It was a software error that resulted in erroneous attitude control commands that physically exceeded the structural integrity of the missile and resulted in complete destruction of the missile and its payload. This is a classic example of the propensity to create very complex software-based control systems without the proper attention to reliability, safety, and security. The cost to the French is in hundreds of millions of dollars. This was probably thought of as a level 3 system but perhaps was only a level 1.

Quantitative surety is already imposed by the FAA in their statement that "catastrophic failure should be ... so unlikely that they are not anticipated to occur during the entire operational life of all airplanes of one type." To prove or demonstrate this is a formidable if not intractable task today, remembering that the Boeing 777 has four and a half million lines of code in it. I would like to point out that commercial aircraft designs represent levels 2, 3, and some aspects of level 4.

Sandia National Laboratories has a 50-year history in surety of nuclear weapons as well as satellite systems and rocket systems, as some examples. We are mapping surety level 4 principles, as used to achieve nuclear weapons reliability, safety and security, into other high consequence systems to drive those systems as much as possible towards surety level 4, which as you remember is based in laws of nature or mathematics.

In collaboration and corroboration with some of you perhaps, and many universities and other agencies, we're conducting research in three major domains. The first is in the area of improving the ability to unambiguously and completely specify requirements. Many studies indicate that somewhere between 50 percent, on a bad day 100 percent, of all systems failures occur because of the inability to succinctly, correctly, completely, and unambiguously state what it is that you wanted to have constructed. Knowledge capture is a highly skilled, experience-based and cognitive process and is a level 2 activity.

The second area of research is the implementation, or creation, of that which you wanted to have done. We're doing research in automated software creation that's verifiably correct based on precise mathematical methods, which we expect to take us to level 4 of surety for software creation.

And third, knowing the propensities for human error and given that the systems we create are extremely complex, we have a program referred to as Systems Immunology. Systems Immunology is focused on providing surety level 4 solutions for real-time fault detection and management in complex systems. The Systems Immunology™ research is employing Micro-Electro-Mechanical Systems (MEMS) in the small microelectronic world as a means of providing isolation and protection of critical assets and functions, much as is done within a nuclear weapon to protect the nuclear explosive package. This approach relieves some of the proof or analysis burden on the software in that, based on level 4 principles, with great certainty it can be said that a system will not arrive at a catastrophic state.

As I'd mentioned already, there are a lot of folks working these problems and we surely look forward to partnering with some of you to solve this immense national and international challenge. I certainly look forward to working with you later on today in the software surety workshop. Thank you.