Formal Verification in Aeronautics: Current Practice and Upcoming Standard. Yannick Moy, AdaCore ACSL Workshop, Fraunhofer FIRST

Similar documents
Certification Authorities Software Team (CAST) Position Paper CAST-25

Deductive Verification in Frama-C and SPARK2014: Past, Present and Future

GNAT Pro Innovations for High-Integrity Development

Simulink 모델과 C/C++ 코드에대한매스웍스의정형검증툴소개 The MathWorks, Inc. 1

Static analysis of concurrent avionics software

Certification of Model Transformations

Hybrid Verification in SPARK 2014: Combining Formal Methods with Testing

Changing the way the world does software

Why testing and analysis. Software Testing. A framework for software testing. Outline. Software Qualities. Dependability Properties

An incremental and multi-supplement compliant process for Autopilot development to make drones safer

Advanced Test Coverage Criteria: Specify and Measure, Cover and Unmask

Static Analysis Techniques

(See related materials in textbook.) CSE 435: Software Engineering (slides adapted from Ghezzi et al & Stirewalt

Use of formal methods in embedded software development: stakes, constraints and proposal

Automatic Qualification of Abstract Interpretation-based Static Analysis Tools. Christian Ferdinand, Daniel Kästner AbsInt GmbH 2013

DO-330/ED-215 Benefits of the new Tool Qualification

Practical introduction to Frama-C (without Mathematical notations ;-) )

Test and Evaluation of Autonomous Systems in a Model Based Engineering Context

WIND RIVER ANSWERS TO 50 QUESTIONS TO ASK YOUR ARINC 653 VENDOR

Green Hills Software, Inc.

Formal Methods and their role in Software and System Development. Riccardo Sisto, Politecnico di Torino

Deductive Program Verification with Why3, Past and Future

On the Generation of Test Cases for Embedded Software in Avionics or Overview of CESAR

By V-cubed Solutions, Inc. Page1. All rights reserved by V-cubed Solutions, Inc.

Frama-C WP Tutorial. Virgile Prevosto, Nikolay Kosmatov and Julien Signoles. June 11 th, 2013

WHITE PAPER. 10 Reasons to Use Static Analysis for Embedded Software Development

Guidelines for deployment of MathWorks R2010a toolset within a DO-178B-compliant process

Complexity-Reducing Design Patterns for Cyber-Physical Systems. DARPA META Project. AADL Standards Meeting January 2011 Steven P.

Program Verification (6EC version only)

Institut Supérieur de l Aéronautique et de l Espace Ocarina: update and future directions

Don t Be the Developer Whose Rocket Crashes on Lift off LDRA Ltd

Development Guidance and Certification Considerations

Sanitizing Sensitive Data: How to get it Right (or at least Less Wrong ) Roderick Chapman, 22nd September 2017

CIS 890: Safety-Critical Systems

Tools for Formally Reasoning about Systems. June Prepared by Lucas Wagner

SPARK Update Ada Europe 2012

DO-254 Testing of High Speed FPGA Interfaces by Nir Weintroub, CEO, and Sani Jabsheh, Verisense

AdaCore Vendor Presentation

CIS 890: Safety Critical Systems

SPARKSkein A Formal and Fast Reference Implementation of Skein

Leveraging Formal Methods for Verifying Models and Embedded Code Prashant Mathapati Application Engineering Group

Towards an industrial use of FLUCTUAT on safety-critical avionics software

Sanitizing Sensitive Data: How to get it Right (or at least Less Wrong ) Roderick Chapman, 14th June 2017

! Use of formal notations. ! in software system descriptions. ! for a broad range of effects. ! and varying levels of use. !

Model-Based Design for High Integrity Software Development Mike Anthony Senior Application Engineer The MathWorks, Inc.

ACCELERATING DO-254 VERIFICATION

Static Analysis by A. I. of Embedded Critical Software

Différents cas d application de l'analyse Statique avec Frama-C dans un contexte industriel

Technical presentation

Testing. ECE/CS 5780/6780: Embedded System Design. Why is testing so hard? Why do testing?

Analysis Package White Paper. ADM Task Force January 2006

The SPIN Model Checker

Verification and Test with Model-Based Design

Formal Methods Expert to IMA-SP Kernel Qualification Preparation

Language Techniques for Provably Safe Mobile Code

Ada 2012, SPARK 2014, and Combining Proof and Test!

AdaCore technologies

Methodology Handbook. Efficient Development of Safe Avionics Display Software with DO-178B Objectives Using Esterel SCADE. Third Edition (Revision 1)

Formal Methods for Software Development

An Evaluation of the Advantages of Moving from a VHDL to a UVM Testbench by Shaela Rahman, Baker Hughes

Lectures 20, 21: Axiomatic Semantics

MONIKA HEINER.

Tokeneer: Beyond Formal Program Verification

ECE 587 Hardware/Software Co-Design Lecture 11 Verification I

Matching Logic. Grigore Rosu University of Illinois at Urbana-Champaign

Integrated Modular Avionics Development Guidance and Certification Considerations

Compatible Qualification Metrics for Formal Property Checking

K and Matching Logic

Testing. Prof. Clarkson Fall Today s music: Wrecking Ball by Miley Cyrus

Critical Analysis of Computer Science Methodology: Theory

SPARK 2014 User s Guide

Ontology Engineering for Product Development

ISO compliant verification of functional requirements in the model-based software development process

DO-178C / ED-12C Model Based Supplement. Pierre Lionne, SC-205 / WG-71 SG-4 Co-Chairman 1 Nov. 2011

How much is a mechanized proof worth, certification-wise?

Formal Verification and Automatic Testing for Model-based Development in compliance with ISO 26262

Verification and Validation

AADL Requirements Annex Review

DO-178C Compliance of Verisoft Formal Methods

Software Testing CS 408

Efficient Development of Airborne Software with SCADE Suite

Qualification of Verification Environments Using Formal Techniques

CIS 890: Safety Critical Systems

Research Collection. Formal background and algorithms. Other Conference Item. ETH Library. Author(s): Biere, Armin. Publication Date: 2001

AUTOBEST: A microkernel-based system (not only) for automotive applications. Marc Bommert, Alexander Züpke, Robert Kaiser.

Ian Sommerville 2006 Software Engineering, 8th edition. Chapter 22 Slide 1

Information Extraction from Real-time Applications at Run Time

A Case Study on Model Checking and Deductive Verification Techniques of Safety-Critical Software

Opportunities and Obstacles to Using Static Analysis for the Development of Safety-Critical Software

Flight Systems are Cyber-Physical Systems

GeneAuto for Ada and SPARK

IBM Rational Rhapsody

A Comparison of SPARK with MISRA C and Frama-C

Just-In-Time Certification

oating-point implementation in C

3 4

Formal Verification for UML/SysML models

ISO Compliant Automatic Requirements-Based Testing for TargetLink

Subsystem Hazard Analysis (SSHA)

By: Chaitanya Settaluri Devendra Kalia

Transcription:

Formal Verification in Aeronautics: Current Practice and Upcoming Standard Yannick Moy, AdaCore ACSL Workshop, Fraunhofer FIRST

Outline Project Hi-Lite Industrial Applications DO-178C DO-178B 1992 2012 2013

DO-178B

What is DO-178B/ED-12B? RTCA EUROCAE nt me s lop sse ve ce De Pro g n i n n a l P s s e Proc Ve rifi Pro catio ces n ses Software Considerations in Airborne Systems and Equipment Certification System Aspects a n a M n o i t a s r s u e g i c f n o Pro C t n e g em e l c y C e f i L e r a w t f o S

Automatic Verification by Testing Reviews and Analyses Testing Process Requirements-based EVERYTHING from: Development process Normal range Robustness Verification is process not simply testing.testing, in Verification general, Test coverage cannot show the absence of errors. Mostly manual Statement Branch Review = inspection MC/DC Analysis = evidence

Cost is Driving Interest for Correct-by-Construction Kirstie Bellman, META project, Boeing

Formal Methods One page in DO-178B Formal methods are complementary to testing. Reserved to problems which cannot be tested: concurrency, distributed processing, redundancy management and synchronization The use of formal specifications alone forces requirements to be unambiguous.

Most Important Lesson Most of the errors in software development are now generally accepted as being attributable to errors in requirements (LLR or HLR). FM Discussion Paper

Airbus Pioneering Work code Pre: X>0 Post: Y=X+1 HLR LLR = contracts proofs tests

Airbus / CEA LIST Joint Work Formal Verification of Avionics Software Products (FM 2009): Caveat: qualification at Airbus for use in A380 program Caveat: formal verification of C programs Frama-C + Why + AltErgo: formal verification of C programs GPL release of Frama-C 10 years of formal methods application summarized Airbus develops TASTER plug-in In Frama-C (coding standards) 1995 2005 2006 2008 2009 2010

DO-178C

Acknowledging Modern Development Techniques DO-178C + Tools qualification document + + + Model based Object-oriented Formal development & related tech. methods supplement supplement supplement

Formal Methods Supplement Formal methods [ ] might be the primary source of evidence for the satisfaction of many of the objectives concerned with development and verification. M A N U S U O U G I B formal model D N U O S formal analysis deductive methods model checking abstract interpretation D S E I N F O I I T T S P U J UM S AS proofs

Benefits of Formal Modeling FM Supplement & FM Discussion Paper mprove requirements Unambiguous description of requirements Precise communication between Reduce error introduction engineers Objective verification evidence: - one formal model (consistency and accuracy) - between formal models (compliance)

Benefits of Formal Analysis FM Supplement & FM Discussion Paper mprove error detection Detect exceptions and deadlocks Detect unintended functions (wrongdoing) Reduce effort Non-interference (MILS) WCET / bounded stack size Correct (a)synchronous behavior

Relation to Coverage Structural coverage analysis, however, is driven out of the impracticality of achieving exhaustive testing. When only formal methods are used [ ] alternative activities are required for coverage analysis. FM Supplement

Industrial Examples

Airbus Unit Proof

Airbus Example of Property LET COND_FCT = ( k int. k>0 and k<=a1f2_zone_size (A1F2_Memory_Zone[k] = 0xFF) ); The initial value is correct for all the indexes LET COND_ERR = ( k int. k>0 and k<=a1f2_zone_size and (A1F2_Memory_Zone[k] 0xFF) ); There exists an index for which the initial value is wrong

Rockwell-Collins Model-Based Software Design

Rockwell-Collins Example of Property AG(LEFT_DU_AVAILABLE -> LEFT_DU_APPLICATION!= BLANK) AG(RIGHT_DU_AVAILABLE ->RIGHT_DU_APPLICATION!= BLANK) In all reachable states, if the left DU is available, then its application shall not be blank. AG( LEFT_DU_APPLICATION!= MAP -> AX( LEFT_DU_APPLICATION = MAP -> CURSOR_LOCATION = LEFT_DU ) ) In any state which sets LEFT_DU_APPLICATION to MAP, the CURSOR_LOCATION must be LEFT_DU.

SHOLIS Separation, Contracts and Run-time Errors Z specification Rigorous argument 150 proofs 500 pages SPARK code + specification SPARK Examiner SPARK Simplifier 9000 VCs SPARK Checker

SHOLIS (well, Tokeneer) Example of Property procedure AddElementToLogFile (ElementID : in ElementT; Description : in DescriptionT); --# global in Clock.Now; --# in out NumberLogEntries; --# derives AuditSystemFault, --# LogFiles from *, --# Description & --# NumberLogEntries from *; --# pre NumberLogEntries < MaxLogEntries; --# post NumberLogEntries = NumberLogEntries~ + 1 and --# (LogFileEntries~(CurrentLogFile~) = Max -> --# LogFileEntries(CurrentLogFile) = 1;

Project Hi-Lite

Perceived Limitations of Formal Methods today for Software state-space explosion alien to engineers theory versus reality FM Discussion Paper not long ago for Hardware capacity limited difficult to use lacking methodologies SCDsource Special Technology Report

Limitations of Unit Proof vs Unit Testing Expertise: required for writing contracts and carrying proof Duplication: contract not shared between testing and proof Isolation: unit test and unit proof cannot be combined Confusion: not the same semantics for testing and proof Debugging: contracts and proof cannot be executed

Solution: Executable Contracts

Executable Contracts in Ada 2012

Objectives of Project Hi-Lite Facilitate proofs of safety / security / properties One language of assertions Testing + proof + static analysis Subset of C or Ada code Mixed Ada-C code

Project Partners

Sketch of Communications Between Tools

Open Project FLOSS SPARK GCC (GNAT) GPS CodePee r Why / Alt-Ergo Frama-C Hi-Lite Latest Open Release GPL 2010 GPL 2010 GPL 2010 Ope n BTS GAP Open mailinglist one-way Ope n VCS Open dev. 2 teams GAP GPL GPL / CeCILL-C 2010 LGPLv2 2010 GPL 2011? plugins

Conclusions While DO-178B was centered on testing, DO-178C allows formal verification instead of testing. Past industrial applications have shown formal verification can be cost-effective. To bridge the gap between unit proof (FM) and unit testing (engineers), project Hi-Lite defines executable contracts for C and Ada.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback