A Quantum Computing Approach to the Verification and Validation of Complex Cyber-Physical Systems
Achieving Quality and Cost Control in the Development of Enormous Systems
Safe and Secure Systems and Software Symposium (S5), Beavercreek, Ohio
Copyright 2011 Lockheed Martin Corporation

Program Objective & Products
Objective:
- Develop a system-level verification & validation (V&V) approach and enabling tools that generate probabilistic measures of correctness for an entire large-scale cyber-physical system, where V&V costs are insensitive to system complexity.
Products:
- Definition of a protocol/process for performing V&V of complex cyber-physical systems using a quantum simulator, and
- Demonstration of the utility of the process using an appropriate cyber-physical system (e.g., a triplex VMS for a representative unmanned aircraft) and an existing quantum adiabatic simulator.

For the record:
- The task of discovery and removal of errors from the behavior of our mechatronic products is V&V.
- This includes software V&V, of course, but goes beyond to excising faults in the implicit software expressed by hardware-in-the-loop and on to man-in-the-loop.
- Quantum V&V spans a complex system: the source code is but one subsystem, the processor it runs on is another; the actuators, sensors, wiring harness, structure, and all the rest are others; even the human controlling it, locally or remotely, contemporaneously or via prior programming.
Implicit and explicit software together ARE the system.

Background
V&V is the fastest growing cost in system integration and growth rates are accelerating...
- Growth in system complexity drives exponential growth in certification costs.
- Test automation cannot contain growth fed by emergent requirements for new autonomous, intelligent, and adaptive systems.
- Formal methods are provably incomplete and are not reducing costs; correct by construction techniques are reducing costs some but are likewise provably incomplete.
Unsustainable development model with current V&V techniques

Hardness of Verification & Validation
V&V is provably hard
- Church-Turing Theorem: 20th century founders of computer science proved computer-aided software engineering can never catch all errors in the general case. Hilbert's third problem, Gödel's theorem.
- Today, we agree on a social contract: if we test critical software in accordance with conventional wisdom, it will be certified even though we cannot know if it's error free.
- Probability of failure: The compact implies there is no way to know the probability of failure of any system based on software controls, so we do not and cannot know how safe our systems truly are.
- Intractability: Even modest systems are now so large it would take the age of the universe to test every failure mode.
"Testing can show the presence, not the absence of bugs" (E. W. Dijkstra)
"Most errors found in operational software can be traced to requirements flaws" (N. G. Leveson)
Kurt Gödel, David Hilbert, Alonzo Church, Alan Turing

Quantum Verification & Validation
Cyber-Physical Systems (CPS) bound the V&V problem because the physical layer constrains the cyber layer
- Noether's First Theorem: for every symmetry in a physical system, for which mathematics offers a good model (i.e. a Hamiltonian Lagrangian model), there is an associated conservation law.
- Conjecture: while logical Turing Machines (TM) are subject to the Church-Turing Thesis (CTT), real CPS further constrain logic with thermodynamics and are subject to physical simulations not subject to CTT.
- Run a thermodynamic simulation of the system so that errors appear as low energy states.
- Adiabatic Quantum Simulation performs exactly this evolution, and the appearance of low energy states indicates existence of bugs.

A Typical Complex Cyber-Physical System
[Block diagram. Labels: Triplex VMC (CCDL, GPS, IMU, Data Bus, Discrete I/O); Actuator Control Unit (Dual Channel) with Spoiler EMA, twice; Actuator Control Unit (Single Channel); EMA; Left MLG, Right MLG, Nose LG; Left Air Data Probe, Right Air Data Probe, Nose Air Data Probe.]

Quantum Simulation
- In December 2010, LM acquired computational time from D-Wave Systems.
- D-Wave produces the only commercialized quantum simulator.
- Some contention over the quantumness of D-Wave's simulator.
- Recently developed proofs that show the simulator is better than classical.
- State of the art yields 90 qubits, expect 500+ within two years.

Using Quantum Computing for V&V
The V&V problem is divided into two sequential phases:
- Phase I: map the classical V&V problem into a problem that can be solved by a quantum computing device.
- Phase II: solve the resulting problem using a quantum computer and/or simulator running on a classical computer.
[Diagram: Phase I and Phase II; inputs i1 to i6, intermediate states s1 to s4, outputs o1 to o3.]

Our Current Quantum-V&V Insight
How a V&V simulator works
- Invariants (and their relationships) are extracted from the code using any one of several approaches now under evaluation (Daikon, image/pattern recognition approaches, a smoothness criterion approach, a chemical modeling approach, etc.).
- The invariants are written into a satisfiability expression.
- The resulting satisfiability problem is solved using standard algorithms on an adiabatic quantum computer or a massively parallel classical computer.
What we have / what needs to be developed
- We have: 1) a notional baseline for a QV&V procedure; 2) a (classical) computer code to support partial attainment of our objectives; 3) a first generation quantum processor (the DW-1) that we think can be used to carry us into initial utility.
- To be developed: we are testing the core algorithm now (further development is required); develop (or acquire) invariance extractor; design & develop an integrated q-sim system testbed based on the DW-1 or derivative.

Phase I Approach
Using machine learning techniques and a variety of commercially available tools, extract invariants from the system:
- Empirically determined by repeated execution
- Successfully demonstrated for a software-only model last month
- We are proposing to extend our approach to the entire cyber-physical system (i.e., HW and SW)
[Diagram: inputs i1 to i6, intermediate states s1 to s4, outputs o1 to o3.]

Phase I Approach cont.
Next we build a reversible reduced machine model of the cyber-physical system
- Based on translating the invariants to a Boolean constraint satisfaction problem
- Already successfully demonstrated on a software-only model last month

Phase II Approach
Using the reduced machine model, run it in reverse on the D-Wave quantum adiabatic computer while fixing invariants to FALSE
- Propagate violations backwards through the reduced machine circuit model
- Find bug(s) and generate probability of correctness

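The Phase I and Phase II idea on a toy model, as an added example that is not code from Lockheed Martin or D-Wave: a constructed 2-of-3 voter with a seeded bug is written as a Boolean constraint problem, each invariant is fixed to FALSE, and any state that still satisfies the gates is a bug. The voter, the two invariants and the exhaustive classical search that stands in for the annealer are all assumptions.

```python
from itertools import product

# Constructed reduced machine model (an assumption, not from the slides):
# a 2-of-3 voter whose implementation forgot the a&c term.
# DIMACS variables: 1=a 2=b 3=c (channels), 4=ab 5=bc (AND gates), 6=out.
NAMES = ["a", "b", "c", "ab", "bc", "out"]
GATES = [
    [-4, 1], [-4, 2], [4, -1, -2],   # ab  <-> a AND b
    [-5, 2], [-5, 3], [5, -2, -3],   # bc  <-> b AND c
    [6, -4], [6, -5], [-6, 4, 5],    # out <-> ab OR bc
]

# Invariants, each given by the clauses that fix it to FALSE.
NEGATED = {
    "(a AND b) -> out": [[1], [2], [-6]],
    "(a AND c) -> out": [[1], [3], [-6]],
}

def satisfied(clauses, bits):
    # bits[v - 1] holds the value of DIMACS variable v
    return all(any(bits[abs(l) - 1] == (l > 0) for l in c) for c in clauses)

def counterexamples(negated_invariant):
    """Machine states that obey every gate while the invariant is FALSE."""
    cnf = GATES + negated_invariant
    # Exhaustive search stands in for the annealer on this 6-variable model.
    return [b for b in product([False, True], repeat=len(NAMES)) if satisfied(cnf, b)]

def report():
    lines = []
    for text, negated in NEGATED.items():
        hits = counterexamples(negated)
        if not hits:
            lines.append(f"{text}: holds (no state violates it)")
        for b in hits:
            state = " ".join(f"{n}={int(v)}" for n, v in zip(NAMES, b))
            lines.append(f"{text}: VIOLATED by {state}")
    return lines

if __name__ == "__main__":
    print("\n".join(report()))
```

Fixing out to 0 forces both AND gates to 0, and with a fixed to 1 that forces b to 0: the violation propagates backwards to the single input pattern that exposes the missing term.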
Phase II Approach cont.
- Input problem:
  - Programmatically or through a user interface
  - Access available through a web service connected to the hardware
- Problem is mapped to hardware:
  - True/false converted to +1/-1
  - Higher-order interactions are made 2-local
  - Connectivity of Ising representation mapped to hardware architecture
- Problem is solved on hardware:
  - Hardware output is stochastic (temperature is not zero) so solve multiple times
- Answers converted from Ising representation back to true/false, and returned in DIMACS output format

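The mapping steps listed above, carried through on a constructed three-variable CNF, as an added example that is not D-Wave's interface or code: true/false become +1/-1 spins, the 3-literal clause is made 2-local with one ancilla spin, a classical Metropolis sampler at nonzero temperature stands in for the stochastic hardware, and the best read is returned in DIMACS form. The CNF, the penalty weight `P`, the ancilla substitution used and the sampler settings are assumptions; mapping to a hardware connectivity graph is not covered.

```python
import math, random
from itertools import combinations, product
CNF = [[1, 2, 3], [-1], [-2]]  # constructed input; its only model is -1 -2 3
N_VARS, ANC, P = 3, 4, 2.0     # ancilla is spin 4; P is the assumed penalty weight

def lit_false(lit, s):
    # 1 if the literal is false, 0 if true (True = +1, False = -1); linear in one spin
    return (1 - (1 if lit > 0 else -1) * s[abs(lit) - 1]) / 2

def energy_cubic(s):
    # one unit of energy per violated clause; the 3-literal clause is a 3-body term
    return sum(math.prod(lit_false(l, s) for l in c) for c in CNF)

def energy_2local(s):
    # ancilla w replaces the product u*v; the penalty is 0 only when w == u*v
    e = 0.0
    for c in CNF:
        if len(c) == 3:
            u, v, t = (lit_false(l, s) for l in c)
            w = (1 + s[ANC - 1]) / 2
            e += w * t + P * (u * v - 2 * u * w - 2 * v * w + 3 * w)
        else:
            e += math.prod(lit_false(l, s) for l in c)
    return e

def max_order(energy, n):
    # largest number of spins coupled by any non-zero term (Walsh-Hadamard expansion)
    states = list(product([-1, 1], repeat=n))
    def coeff(idx):
        return sum(energy(s) * math.prod(s[i] for i in idx) for s in states) / len(states)
    return max(k for k in range(n + 1)
               for idx in combinations(range(n), k) if abs(coeff(idx)) > 1e-9)

def solve(reads=50, steps=200, temp=0.5, seed=0):
    # classical Metropolis stand-in for the stochastic hardware: many reads, keep the best
    rng, best = random.Random(seed), None
    for _ in range(reads):
        s = [rng.choice([-1, 1]) for _ in range(ANC)]
        for _ in range(steps):
            i = rng.randrange(ANC)
            flipped = s[:i] + [-s[i]] + s[i + 1:]
            d = energy_2local(flipped) - energy_2local(s)
            if d <= 0 or rng.random() < math.exp(-d / temp):
                s = flipped
        if best is None or energy_2local(s) < energy_2local(best):
            best = s
    lits = [v if best[v - 1] > 0 else -v for v in range(1, N_VARS + 1)]  # drop ancilla
    status = "SATISFIABLE" if energy_2local(best) == 0 else "UNKNOWN"
    return f"s {status}\nv {' '.join(map(str, lits))} 0"
```

A sampler that never reaches zero energy has not shown the problem unsatisfiable, which is why the status falls back to UNKNOWN rather than UNSATISFIABLE.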
A Probabilistic Metric?

Current Status
- LM studying V&V leveraging Adiabatic Quantum Simulation, teamed with D-Wave and several universities: Harvard, MIT, Carnegie Mellon, U. Southern California, U. Chicago, UC-Berkeley, U. Edinburgh (UK), U. Sherbrooke, U. British Columbia, U. Waterloo, Dalhousie, India Institute of Technology
- Demonstrated capability to run hard problems on the quantum simulator, solving a simple SW test case
- High-potential verification techniques from USC team
- Recent results from our Harvard team show a promising approach to verifying a complete sample problem

Questions?