Formal Method for Avionics Software Verification

This talk will give examples of Airbus use of Formal Methods to verify avionics software, and summarises the integration of Formal Methods in the upcoming ED-12/DO-178 issue C. Firstly, examples of verification based on theorem proving or abstract interpretation will show how Airbus has already taken advantage of the use of Formal Methods to verify avionics software. Secondly, we will show how Formal Method for verification has been introduced in the upcoming issue C of ED-12/DO-178.

Transcript of "Formal Method for Avionics Software Verification"

1. Formal Method for Avionics Software Verification
From a real use for Airbus aircraft to the integration in ED-12C/DO-178C.
Open-DO Conference: Combining Formality with Agility for Critical Software.
Presented by Hervé Delseny, Head of Software Process Definition and Follow-up, Expert in Software Aspects of Certification, Avionics and Simulation Products, Airbus.

2. Formal Method: Advantages
- Improved understanding of a computer program's specifications
- More accuracy and less ambiguity
- Proof verification of a program's conformity with respect to its specification
- Proof is exhaustive:
  - all of the program's behaviours meet the property
  - the property is proved for all possible input combinations.

3. Formal Method on A380
- 1st type: proof of generic properties
  - WCET computation
  - Stack consumption computation
  - And next to come:
  - Precision of floating-point calculus
  - Proof of absence of run-time errors
  - …
- 2nd type: unit proof of functional properties
  - Instead of unit tests.

4. Formal Method on A380: 1st Type
- aiT for WCET computation
  - Developed by AbsInt (www.absint.com)
  - Abstract interpretation based
  - Analysis of binary code; model of the CPU and chipset
  - Worst-case execution time computation of programs
  - Used for DO-178B level A software
- StackAnalyzer for stack consumption computation
  - Developed by AbsInt (www.absint.com)
  - Abstract interpretation based
  - Analysis of binary code
  - Tighter maximum stack usage computation
  - Used for DO-178B level A, B and C software.

5. Formal Method: 1st Type, Next to Come
- Fluctuat: precision of floating-point calculus
  - Developed by CEA, the French nuclear research center
  - Abstract interpretation based
  - Analysis of C or assembly code
  - Safe computation of the numerical (rounding) errors introduced by basic operators or input filtering code
- Astrée: proof of absence of run-time errors
  - Developed by ENS (Pr. Cousot's team at École normale supérieure de Paris)
  - Abstract interpretation based
  - Analysis of C code
  - Proof of absence of RTE such as division by zero, numerical overflow, out-of-bounds access to an array.

6. Formal Method on A380: 2nd Type, Unit Proof
- Caveat for unit proving
  - Developed by CEA, the French nuclear research center
  - Deductive method; weakest precondition
  - Analysis of C code
  - DO-178B Level A
  - Verification of compliance to low-level requirements in replacement of unit testing.

7. Formal Method on A380: Unit Proof
- A Caveat property is based on first-order predicates:
  - Boolean expressions (…), relational operators (…, <, >, …), arithmetic expressions (+, -, …, /, …), quantifiers (…)
- A Caveat property defines a relation between input operand(s) and/or output operand(s) of the service
- Objectives
  - Reduce costs of software verification without compromising the effectiveness of the verification
- Solution selected
  - Definition of low-level requirements (LLR) using formal properties (design)
  - Unit proof verification supported by the Caveat tool, which replaces the unit test activity.

8. Formal Method on A380: Unit Proof
Subset Specification
- HLR
Design
- LLR composed of:
  - properties
  - data/control flows
  - mapping constraint
  - timing constraint
- Pseudo-code
Coding
- Code production based on LLR
- Verification of mapping constraint (reading of source code)
Unit Proofs
- Verification of compliance of C source to properties (LLR)
- Automatic verification of the data/control flow
Integration
- Functional verification of HLR
- Verification of timing constraint (LLR)
- Verification of mapping constraint (reading of linking file)

9. Formal Method on A380: Unit Proof, Definition of Proof Environment
[Process diagram. Steps: flows generation, verification of flows against design, proof performing, analysis of proof results. Inputs: data and control flows from the design phase; C source and functional properties from the coding phase. Outcomes: "If OK" (code compliant with design) and "If not OK".]
Caveat is integrated into the process management tool to automate the proof process.

10. Formal Method on A380: Conclusions
- Static verification and formal methods are:
  - Cheaper for the same or even better level of quality, compared to the traditional testing approach
  - Industrially applicable now: tools are available
- Our vision:
  - Extend the use of formal proof to a wider functional area
  - Extend the use of static verification tools for run-time errors, …
  - Apply the Formal Method supplement of DO-178C.

11. DO-178C Formal Method Supplement
- Enable the use of formal methods in place of conventional methods by
  - Providing guidance on how to use formal methods
    - Modifying existing objectives
    - Defining new objectives
    - Describing needed activities
    - Describing evidence to meet objectives
  - Giving information on the fundamentals of formal methods
  - Dealing with formal method specific characteristics
- Let's go deeper in this supplement …

12. FM Supplement
- Applies only when credit is sought from formal methods to reach verification objectives
- Gives guidance for planning, development and verification processes
- Motivates the use of formal methods:
  - More formalism (syntax and semantics)
  - Implies more completeness, correctness, accuracy, consistency, …
  - Improves communication between engineers
  - But still requires verification.

13. What is a Formal Method?
- Descriptive notations and analytical methods used to construct, develop and reason about mathematical models of system behavior
- A formal method is a formal analysis carried out on a formal model.
[Diagram: Formal Method = Formal Model + Formal Analysis]

14. What is a Formal Model?
- A model is an abstract representation of a given set of aspects of a system that is used for analysis, simulation, code generation, or any combination thereof.
- A formal notation is a notation having a precise, unambiguous, mathematically defined syntax and semantics.
- A formal model is a model defined using a formal notation.

15. What is a Formal Analysis?
- The use of mathematical reasoning to guarantee that properties are always satisfied by a formal model.

16. Notion of property
- Properties are the formalization of requirements:
  - Functional requirements
    - Check of a flash zone:
      - verify that the whole flash zone is initialized to value 0xFF,
      - if a memory location is different from 0xFF, the check has failed
  - or
  - Non-functional requirements
    - No oversizing of stack use during execution
    - No overtiming of CPU use during execution
    - No run-time errors such as division by zero
    - …
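The flash-zone requirement above, together with slide 7's description of a Caveat property as a first-order relation between a service's input and output operands, can be made concrete in C. The block below is an added example, not code from the Airbus presentation or from the Caveat tool: the contract notation is ACSL as used by Frama-C (an assumption, since the slides show no Caveat syntax), and the function names and the sample zones are constructed. ACSL annotations are C comments, so the file compiles and runs with any C compiler; only 0xFF as the erased-flash value comes from the slide.

```c
/* Added example, not from the Airbus slides: two C services whose low-level
 * requirements are written as first-order properties relating input operands
 * to output operands, as the deck describes for Caveat. The contract notation
 * is ACSL (Frama-C), chosen as an assumption because the slides show no Caveat
 * syntax; ACSL lives in C comments, so the file compiles and runs unchanged. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define FLASH_ERASED 0xFFu   /* erased-flash value from the slide's requirement */

/* Output operand: the smallest index whose byte is not 0xFF, or len when the
 * whole zone is erased. The postcondition pins the result down completely:
 * everything before it is 0xFF, and the byte at it (if any) is not. */
/*@ requires \valid_read(zone + (0 .. len - 1));
  @ assigns \nothing;
  @ ensures 0 <= \result <= len;
  @ ensures \forall integer k; 0 <= k < \result ==> zone[k] == 0xFF;
  @ ensures \result < len ==> zone[\result] != 0xFF;
  @*/
size_t flash_zone_first_defect(const uint8_t *zone, size_t len)
{
    size_t i = 0;
    /*@ loop invariant 0 <= i <= len;
      @ loop invariant \forall integer k; 0 <= k < i ==> zone[k] == 0xFF;
      @ loop assigns i;
      @ loop variant len - i;
      @*/
    while (i < len && zone[i] == FLASH_ERASED) {
        i++;
    }
    return i;
}

/* The check itself: passes (1) iff every location holds 0xFF; a single
 * differing location fails it (0), exactly the slide's functional requirement. */
/*@ requires \valid_read(zone + (0 .. len - 1));
  @ assigns \nothing;
  @ ensures \result == 0 || \result == 1;
  @ ensures \result == 1 <==> (\forall integer k; 0 <= k < len ==> zone[k] == 0xFF);
  @*/
int flash_zone_check(const uint8_t *zone, size_t len)
{
    return flash_zone_first_defect(zone, len) == len ? 1 : 0;
}

/* Constructed sample zones (not real flash images). */
const uint8_t SAMPLE_ERASED[16] = {
    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
};
const uint8_t SAMPLE_DEFECTIVE[16] = {
    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0xFF, 0xFF,   /* index 5 has been written */
    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
};

int main(void)
{
    printf("erased zone:    check=%d first_defect=%zu\n",
           flash_zone_check(SAMPLE_ERASED, sizeof SAMPLE_ERASED),
           flash_zone_first_defect(SAMPLE_ERASED, sizeof SAMPLE_ERASED));
    printf("defective zone: check=%d first_defect=%zu\n",
           flash_zone_check(SAMPLE_DEFECTIVE, sizeof SAMPLE_DEFECTIVE),
           flash_zone_first_defect(SAMPLE_DEFECTIVE, sizeof SAMPLE_DEFECTIVE));
    return 0;
}
```

The point of the exercise is the `ensures` clauses: they are the low-level requirement, stated as a relation between the operands rather than as a list of test vectors, and a deductive tool discharges them for every `zone` and `len` satisfying the precondition, which is what "unit proof instead of unit test" means. The loop invariant is the extra annotation a weakest-precondition prover needs to get through the loop; a unit test would never require it, but it is also the place where the engineer's understanding of the code is made explicit.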
17. Being Sound
- A method is formal if it has a sound mathematical basis, typically realized by a formal notation.
- A sound method never asserts that a property is true when it is not.
[Diagram: a formal model of the requirements feeds a formal analysis; an analysis that answers "OK" for a property that does not hold is marked with an X as "Not Sound".]
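Slide 5 credits abstract interpretation with proving the absence of run-time errors, and slide 17 requires such a method to be sound. The block below is an added example, not Astrée code or anything from the presentation: a toy interval-domain analysis of integer expressions that reports possible division by zero and possible 32-bit overflow. Every type, function, expression and variable range in it is constructed for illustration. It shows both sides of soundness at once: the analysis never answers "no run-time error" when one is reachable, and the price of that guarantee is an occasional alarm on code that is in fact safe.

```c
/* Added example, not from the slides: a toy interval-domain abstract interpreter
 * for integer expressions. It illustrates "abstract interpretation based" proof
 * of absence of run-time errors and why such an analysis is sound yet may raise
 * false alarms. Not Astrée code; every range and program below is constructed. */
#include <stddef.h>
#include <stdint.h>

typedef struct { int64_t lo, hi; } interval;   /* abstract value: every int in [lo, hi] */

typedef enum { E_CONST, E_VAR, E_ADD, E_SUB, E_MUL, E_DIV } expr_kind;

typedef struct expr {
    expr_kind kind;
    int64_t value;                 /* E_CONST: the constant; E_VAR: variable index */
    const struct expr *l, *r;      /* operands of a binary operator */
} expr;

typedef struct {
    interval value;   /* over-approximation of every value the expression can take */
    int div_zero;     /* 1 if some execution may divide by zero */
    int overflow;     /* 1 if some execution may leave the 32-bit int range */
} analysis;

/* Smallest interval containing four corner values: exact for +, -, * and for /
 * with a divisor excluding 0, since those operators are monotone in each operand. */
static interval hull4(const int64_t c[4])
{
    interval r = { c[0], c[0] };
    for (int i = 1; i < 4; i++) { if (c[i] < r.lo) r.lo = c[i]; if (c[i] > r.hi) r.hi = c[i]; }
    return r;
}

static interval join(interval a, interval b)   /* interval hull of the union */
{ interval r = { a.lo < b.lo ? a.lo : b.lo, a.hi > b.hi ? a.hi : b.hi }; return r; }

static interval div_nonzero(interval a, interval b)   /* precondition: 0 not in b */
{
    int64_t c[4] = { a.lo / b.lo, a.lo / b.hi, a.hi / b.lo, a.hi / b.hi };
    return hull4(c);
}

static interval eval(const expr *e, const interval *env, analysis *rep)
{
    interval res = { 0, 0 }, l, r;
    if (e->kind == E_CONST) { res.lo = res.hi = e->value; return res; }
    if (e->kind == E_VAR)   { return env[(size_t)e->value]; }
    l = eval(e->l, env, rep);
    r = eval(e->r, env, rep);
    switch (e->kind) {
    case E_ADD: res.lo = l.lo + r.lo; res.hi = l.hi + r.hi; break;
    case E_SUB: res.lo = l.lo - r.hi; res.hi = l.hi - r.lo; break;
    case E_MUL: {
        int64_t c[4] = { l.lo * r.lo, l.lo * r.hi, l.hi * r.lo, l.hi * r.hi };
        res = hull4(c);
        break;
    }
    case E_DIV: {
        interval neg = { r.lo, r.hi < 0 ? r.hi : -1 };   /* divisor values below 0 */
        interval pos = { r.lo > 0 ? r.lo : 1, r.hi };    /* divisor values above 0 */
        if (r.lo <= 0 && 0 <= r.hi) rep->div_zero = 1;   /* 0 is a possible divisor: alarm */
        if (r.lo < 0) res = div_nonzero(l, neg);
        if (r.hi > 0) res = r.lo < 0 ? join(res, div_nonzero(l, pos)) : div_nonzero(l, pos);
        break;   /* divisor exactly [0, 0]: alarm raised, no concrete value exists */
    }
    default: break;
    }
    if (res.lo < INT32_MIN || res.hi > INT32_MAX) rep->overflow = 1;   /* leaves int range */
    return res;
}

analysis analyze(const expr *e, const interval *env)
{
    analysis rep = { { 0, 0 }, 0, 0 };
    rep.value = eval(e, env, &rep);
    return rep;
}

/* Constructed programs over two int variables, a (index 0) and b (index 1). */
static const expr A   = { E_VAR, 0, NULL, NULL };
static const expr B   = { E_VAR, 1, NULL, NULL };
static const expr ONE = { E_CONST, 1, NULL, NULL };
static const expr B1       = { E_ADD, 0, &B, &ONE };        /* b + 1 */
static const expr A_DIV_B1 = { E_DIV, 0, &A, &B1 };         /* a / (b + 1) */
static const expr A_SQ     = { E_MUL, 0, &A, &A };          /* a * a */
static const expr A_SUB_A  = { E_SUB, 0, &A, &A };          /* a - a */
static const expr D1       = { E_ADD, 0, &A_SUB_A, &ONE };  /* (a - a) + 1, concretely always 1 */
static const expr A_DIV_D1 = { E_DIV, 0, &A, &D1 };         /* a / ((a - a) + 1) */

analysis demo_safe_division(void)    /* b is an 8-bit reading, so b + 1 is in [1, 256] */
{ interval env[2] = { { 0, 1000 }, { 0, 255 } }; return analyze(&A_DIV_B1, env); }
analysis demo_unsafe_division(void)  /* b = -1 is reachable, so b + 1 may be 0: real alarm */
{ interval env[2] = { { 0, 1000 }, { -1, 255 } }; return analyze(&A_DIV_B1, env); }
analysis demo_overflow(void)         /* 100000 * 100000 exceeds INT32_MAX: real alarm */
{ interval env[2] = { { 0, 100000 }, { 0, 0 } }; return analyze(&A_SQ, env); }
analysis demo_false_alarm(void)      /* intervals see a - a as [-10, 10], not 0: spurious alarm */
{ interval env[2] = { { 0, 10 }, { 0, 0 } }; return analyze(&A_DIV_D1, env); }
```

The first three demos behave as a certification engineer would hope: the safe division is proved free of run-time errors for all 256,000 input combinations without executing any of them, and the two real defects are reported. The fourth shows the cost of soundness. Intervals forget that both operands of `a - a` are the same variable, so the divisor is approximated as [-9, 11] and an alarm is raised although the program never divides by zero. The analysis has not lied (it never claims safety where there is none), it has merely been imprecise, and a more expressive abstract domain that tracks relations between variables would discharge the alarm. Distinguishing such false alarms from real defects is the review work that remains even when the proof tool is sound.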
18. Conservative representation
- When a formal model is created from an informal item to do a formal analysis, we need to be sure that whatever is proved about the formal model also applies to what is modeled.
- Then review or analysis should be used to demonstrate that the formal statement is a conservative representation of the informal requirement.
[Diagram: Requirements, then Formal model of the requirements, then Formal Analysis, then Results.]

19. DO-178/ED-12 – Verification Process
[Diagram: the DO-178/ED-12 verification objectives laid over the development artefacts System Requirements, High-Level Requirements, Software Architecture, Low-Level Requirements, Source Code and Executable Object Code. Objective labels shown: Compliance, Robustness, Traceability, Accuracy & Consistency, HW Compatibility, Verifiability, Conformance, Algorithm Accuracy, Complete & Correct, Architecture Compatibility, Compatible With Target, Consistency, Partition Integrity.]

20. FM Supplement: Formal verification
- Formal analysis might replace:
  - Review and analysis objectives.

21. FM Supplement: Formal verification instead of reviews
- When HLR are formally expressed, formal analysis can be used.
[Diagram: the verification-process figure of slide 19 with the HLR shown as formal HLR; the HLR objectives shown are Accuracy & Consistency, HW Compatibility, Verifiability, Conformance and Algorithm Accuracy.]

22. FM Supplement: Formal verification instead of reviews
- When HLR and LLR are formally expressed, formal analysis can be used.
[Diagram: the figure of slide 19 with formal HLR and formal LLR; the LLR objectives shown include Compliance and Traceability.]

23. FM Supplement: Formal verification
- Formal analysis might replace:
  - Review and analysis objectives
  - Conformance tests versus HLR and LLR
  - Robustness tests
- In that case the structural coverage objectives are achieved if it can be demonstrated that:
  - Each requirement is completely covered
  - The set of requirements is complete with regard to the intended function
  - There are no unexpected dependencies between output and input data
  - There is no dead code.

24. FM Supplement: Formal verification for EOC
- When LLR are formally expressed with a conservative representation between code and EOC, then formal analysis can be used to replace some tests.
[Diagram: the figure of slide 19 with formal LLR, a "Conservative representation" link between Source Code and Executable Object Code, and an X marking the test objectives that formal analysis replaces.]

25. FM Supplement: Formal verification
- Formal analysis might replace:
  - Review and analysis objectives
  - Conformance tests versus HLR and LLR
  - Robustness tests
- Formal analysis might help for verification of compatibility with the hardware.

26. FM Supplement: Formal verification for EOC
- Properties might be proved directly on EOC: WCET, stack usage, …
[Diagram: the figure of slide 19 with the "Compatible With Target" objective of the Executable Object Code highlighted.]

27. FM Supplement: Formal verification
- Formal analysis might replace:
  - Review and analysis objectives
  - Conformance tests versus HLR and LLR
  - Robustness tests
- Formal analysis might help for verification of compatibility with the hardware
- Formal analysis cannot replace HW/SW integration tests
- Therefore testing will always be required.

28. To conclude
- Static verification and formal methods are:
  - Cheaper for the same or even better level of quality, compared to the traditional testing approach
  - Industrially applicable now: tools are available
  - Guidance will soon exist with the Formal Method supplement of DO-178C
  - Therefore there are no more obstacles to using formal methods for avionics software.

29. Special thanks to
- Airbus Formal Method team members:
  - Jean Souyris and David Delmas
- The Formal Method team of the DO-178C committee:
  - All of SubGroup 6 of the SC205/WG71 committee, and especially the chairmen
  - Duncan Brown (Aero Engine Control)
  - Kelly Hayhurst (NASA Langley Research Center)
- Virginie Wiels (ONERA), "my" coach in formal methods

30. © AIRBUS OPERATIONS S.A.S. All rights reserved. Confidential and proprietary document. This document and all information contained herein is the sole property of AIRBUS OPERATIONS S.A.S. No intellectual property rights are granted by the delivery of this document or the disclosure of its content. This document shall not be reproduced or disclosed to a third party without the express written consent of AIRBUS OPERATIONS S.A.S. This document and its content shall not be used for any purpose other than that for which it is supplied. The statements made herein do not constitute an offer. They are based on the mentioned assumptions and are expressed in good faith. Where the supporting grounds for these statements are not shown, AIRBUS OPERATIONS S.A.S. will be pleased to explain the basis thereof. AIRBUS, its logo, A300, A310, A318, A319, A320, A321, A330, A340, A350, A380, A400M are registered trademarks.