Formal Method for Avionics Software Verification

Formal Method for Avionics Software Verification From a real use for Airbus aircrafts to the integration in ED-12C/DO-178C Open-DO Conference Combining Formality with Agility for Critical Software Presented by Hervé Delseny Head of Software Process Definition and Follow-up Expert in Software Aspects of Certification Avionics and Simulation Products Airbus

Formal Method : Advantages
Improved understanding of a computer program’s specifications
More accuracy and less ambiguity
Proof verification of a program’s conformity with respect to its specification
Proof is exhaustive
all of the program’s behaviours meet the property
property is proved for all possible input combinations.

Formal Method on A380
1 st type : Proof of generic properties
WCET computation
Stack consumption computation
And next to come :
Precision of Floating-point calculus
Proof of absence of Run Time Errors
…
2 nd type : Unit Proof of functional properties
Instead of Unit Tests.

Formal Method on A380 : 1 st Type
aiT for WCET computation
Developed by Absint ( www. absint .com )
Abstract Interpretation based
Analysis of binary code; Model of the CPU & Chipset
Worst Case Execution Time computation of programs
Used for DO-178B level A software
Stackanalyzer for stack consumption computation
Developed by Absint ( www. absint .com )
Analysis of binary code
Tighter maximum stack usage computation
Used for DO178B level A, B and C software.

Formal Method : 1 st Type Next to come
Fluctuat : precision of Floating-point calculus
Developed by CEA, the French nuclear research center
Analysis of C or assembly code
Safe computation of the numerical (rounding) errors introduced by basic operators or input filtering code
Astrée : proof of absence of Run Time Errors
Developed by ENS (Pr.Cousot’s team at Ecole normale supérieure de Paris)
Analysis of C code
Proof of absence of RTE like division by zero, numerical overflow, out of bounds access to an array.

Formal Method on A380 : 2 nd Type Unit Proof
Caveat for Unit Proving
Developed by CEA, the French nuclear research center
Deductive method; Weakest Precondition
Analysis of C code
DO178B Level A
Verification of compliance to Low Level Requirements in replacement of Unit Testing.

Formal Method on A380 : Unit Proof
A Caveat property is based on first order predicates :
Boolean expressions (  ,  ,  ,  ,  ), Relational operators (  , <, >,  ,  ,  ), Arithmetic expressions ( +, -,  , /,   ), Quantifiers (  ,  )
A Caveat property defines a relation between input operand(s) and /or output operand(s) of the service
Objectives
Reduce costs of software verification without compromising the effectiveness of the verification
Solution selected
Definition of low-level requirements (LLR) using formal properties (design)
Unit proof verification supported by the CAVEAT tool, which replaces the unit test activity.

Formal Method on A380 : Unit Proof Design
LLR composed by :
properties
data-control flows
mapping constraint
timing constraint
Pseudo-code
Coding
Code production based on LLR
verification of mapping constraint (reading of source code)
Unit Proofs
Verification of compliance of C-source to properties (LLR)
Automatic verification of the data/control flow
Integration
Functional verification of HLR
Verification of timing constraint (LLR)
Verification of mapping constraint (reading of linking file)
Subset Specification
HLR

Formal Method on A380 : Unit Proof - Definition of proof environment - Flows Generation Verification of Flows against Design Proof performing Analysis of Proof Results Design Phase Data & control flows Caveat Caveat Flows Code compliant With Design Coding Phase C Source Functional Properties Caveat Process Management Tool Caveat is integrated into the process management tool to automate the proof process If OK If not OK

Formal Method on A380 : Conclusions
Static verification and formal method are :
Cheaper for the same or even better level of quality, compared to the traditional testing approach
Industrially applicable now : tools are available
Our vision :
Extend the use of formal proof to a wider functional area
Extend the use of static verification tools for Run Time errors,…
Apply the Formal Method supplement of DO-178C.

DO-178C Formal Method Supplement
Enable the use of Formal Method in place of conventional methods by
Providing guidance on how to use Formal Method
Modifying existing objectives
Defining new objectives
Describing needed activities
Describing evidence to meet objectives
Giving information on the fundamentals of Formal Methods
Dealing with Formal Method specific characteristics
Let’s go deeper in this supplement …

FM supplement
Applies only when credit is sought from formal method to reach verification objectives
Gives guidance for planning, development and verification processes
Motivates to use formal methods:
More formalism (syntax and semantics)
Implies more completeness, more correctness, more accuracy, more consistency,…
Improves communication between engineers
But still requires verifications.

What is a Formal Method ?
Descriptive notations and analytical methods used to construct, develop and reason about mathematical models of system behavior
A formal method is a formal analysis carried out on a formal model. Formal Method Formal model Formal Analysis

What is a Formal Model ?
A model is an abstract representation of a given set of aspects of a system that is used for analysis, simulation, code generation, or any combination thereof
A formal notation is a notation having a precise , unambiguous , mathematically defined syntax and semantics . A formal model is a model defined using a formal notation Formal Method Formal model Formal Analysis

What is a Formal Analysis ?
The use of mathematical reasoning to guarantee that properties are always satisfied by a formal model.
Formal Analysis Formal Method Formal model

Notion of property
Properties are the formalization of requirements:
Functional requirements
Check of a flash zone:
verify that the whole Flash zone is initialized to value 0xFF,
if a memory location is different from 0xFF, the check has failed
Or
Non functional requirements
No over sizing of stack use during execution
No over timing of CPU use during execution
No runtime errors like 0 division
…

Being Sound
A method is formal if it has a sound mathematical basis, typically realized by a formal notation:
A sound method never assert that a property is true when it is not. Formal model of the requirements Formal Analysis OK X Not Sound

Conservative representation
When a formal model is created from an informal item to do a formal analysis
We need to be sure that whatever is proved about the formal model also applies to what is modeled . Then review or analysis should be used to demonstrate that the formal statement is a conservative representation of the informal requirement Requirements Formal model of the requirements Formal Analysis Results

DO-178/ED-12 – Verification Process System Requirements High-Level Requirements Software Architecture Source Code Executable Object Code Low-Level Requirements Compliance Robustness Compatible With Target Compliance Robustness Accuracy & Consistency HW Compatibility Verifiability Conformance Algorithm Accuracy Verifiability Conformance Accuracy & Consistency Complete & Correct Compliance Traceability Architecture Compatibility Compliance Traceability Compliance Compliance Traceability Accuracy & Consistency HW Compatibility Verifiability Conformance Algorithm Accuracy Consistency HW Compatibility Verifiability Conformance Partition Integrity

FM Supplement : Formal verification
Formal Analysis might replace :
Review and analysis objectives.

FM Supplement : Formal verification instead of reviews HLR Formal HLR Accuracy & Consistency HW Compatibility Verifiability Conformance Algorithm Accuracy Accuracy & Consistency HW Compatibility Verifiability Conformance Algorithm Accuracy System Requirements Software Architecture Source Code Executable Object Code Low-Level Requirements When HLR are formaly expressed Formal analysis can be used Verifiability Conformance Accuracy & Consistency Complete & Correct Compliance Traceability Architecture Compatibility Compliance Traceability Compliance Compliance Traceability Compliance Robustness Compatible With Target Compliance Robustness Accuracy & Consistency HW Compatibility Verifiability Conformance Algorithm Accuracy Consistency HW Compatibility Verifiability Conformance Partition Integrity

FM Supplement : Formal verification instead of reviews HLR Formal HLR Accuracy & Consistency HW Compatibility Verifiability Conformance Algorithm Accuracy System Requirements Software Architecture Source Code Executable Object Code Low-Level Requirements When HLR and LLR are formaly expressed Formal analysis can be used Formal LLR Compliance Traceability Verifiability Conformance Accuracy & Consistency Complete & Correct Compliance Traceability Architecture Compatibility Compliance Traceability Compliance Compliance Traceability Compliance Robustness Compatible With Target Compliance Robustness Accuracy & Consistency HW Compatibility Verifiability Conformance Algorithm Accuracy Consistency HW Compatibility Verifiability Conformance Partition Integrity

Review and analysis objectives
Conformance tests versus HLR & LLR
Robustness tests
In that case the structural coverage objectives are achieved if it can be demonstrated that:
Each requirements is completely covered
The set of requirements is complete in regards of the attended function
There is no non expected dependencies between output and input data
There is no dead code.

FM Supplement : Formal verification for EOC HLR Accuracy & Consistency HW Compatibility Verifiability Conformance Algorithm Accuracy System Requirements Software Architecture Source Code Executable Object Code Low-Level Requirements When LLR are formaly expressed with a conservative representation between code and EOC, then Formal analysis can be used to replace some tests Formal LLR Compliance Traceability X Verifiability Conformance Accuracy & Consistency Complete & Correct Compliance Traceability Architecture Compatibility Compliance Traceability Compliance Compliance Traceability Compliance Robustness Compatible With Target Compliance Robustness Accuracy & Consistency HW Compatibility Verifiability Conformance Algorithm Accuracy Consistency HW Compatibility Verifiability Conformance Partition Integrity Conservative representation

Robustness tests
Formal Analysis might help for verification of compatibility with the hardware.

FM Supplement : Formal verification for EOC HLR Accuracy & Consistency HW Compatibility Verifiability Conformance Algorithm Accuracy System Requirements Software Architecture Source Code Executable Object Code Low-Level Requirements Compatible With Target Properties might be proved directly on EOC : WCET, Stack usage, … Compatible With Target Verifiability Conformance Accuracy & Consistency Complete & Correct Compliance Traceability Architecture Compatibility Compliance Traceability Compliance Compliance Traceability Compliance Robustness Compliance Robustness Accuracy & Consistency HW Compatibility Verifiability Conformance Algorithm Accuracy Consistency HW Compatibility Verifiability Conformance Partition Integrity

Robustness tests
Formal Analysis might help for verification of compatibility with the hardware
Formal Analysis cannot replace HW/SW integration tests
Therefore testing will always be required.

To conclude
Static verification and formal method are :
Cheaper for the same or even better level of quality, compared to the traditional testing approach
Industrially applicable now : tools are available
Guidance will soon exist with the Formal Method supplement of DO-178C
Therefore no more breakers for using Formal Method for avionics software.

Special thanks to
Airbus Formal Method team members:
Jean Souyris & David Delmas
The Formal Method team of DO-178C committee:
All the SubGroup 6 of SC205/WG71 committee, and especially the chairmen
Duncan Brown (Aero Engine Control)
Kelly Hayhurst (NASA Langley Research Center)
Virginie Wiels (ONERA) « my » coach in Formal Method

© AIRBUS OPERATIONS S.A.S. All rights reserved. Confidential and proprietary document. This document and all information contained herein is the sole property of AIRBUS OPERATIONS S.A.S. No intellectual property rights are granted by the delivery of this document or the disclosure of its content. This document shall not be reproduced or disclosed to a third party without the express written consent of AIRBUS OPERATIONS S.AS. This document and its content shall not be used for any purpose other than that for which it is supplied. The statements made herein do not constitute an offer. They are based on the mentioned assumptions and are expressed in good faith. Where the supporting grounds for these statements are not shown, AIRBUS OPERATIONS S.A.S will be pleased to explain the basis thereof. AIRBUS, its logo, A300, A310, A318, A319, A320, A321, A330, A340, A350, A380, A400M are registered trademarks.

http://www.open-do.org	240
http://www.slideshare.net	9
http://www.open-do-178c.org	1

Formal Method for Avionics Software Verification

by AdaCore on Apr 28, 2010

Accessibility

Tags

Upload Details

Usage Rights

3 Embeds 250

Statistics

Formal Method for Avionics Software Verification — Presentation Transcript