 
Formal Methods in Air Traffic Control. Neil White. Open-DO. Copyright © Altran Praxis limited 2010.

Slide titles:
Agenda
Context
UK Air Traffic Control
Why iFACTS?
What is iFACTS?
Medium Term Conflict Detection: Separation Monitor
The complete iFACTS specification
The Z specification
Z training
Z tools
The state machine specification
State machine training & tools
The SPARK Implementation
Code
SPARK Training
SPARK Tools
Test Design
The Challenge of Test Design: How many potential tests for this fragment?
Test reference models
Mathematica tools & training
Conclusions

The Use of Formal Methods on the iFACTS Air Traffic Control Project

Editor's Notes

  1. Document reference: S.P9999.99.99, issue 1.0 Page
  2. Good morning. If you were expecting Rod Chapman, and are thinking “gosh, Rod’s let himself go”, then the key news is that I’m not Rod. I’m Neil White. I work as a principal engineer for Altran Praxis. More significantly, I’m the engineering manager for several projects, including the large formal methods project I’m talking about today. I also run the software practice. For those of you who don’t yet know, Altran Praxis was recently formed by the merger of Praxis and SC2. Altran has been Praxis’ parent for over 10 years, and SC2 was a sister company based in the south of France. The two companies have been working closely for a while, and bring different technologies together but with a very similar ethos. It’s a great mix: a public marriage of an existing private relationship. In today’s context, Praxis brings a long history of formal methods from the UK base, and a long history of Agile methods from the French base.
  3. In 30 mins I can deal with one topic in depth, or go for a rapid canter across a wider spectrum. I’m going for the latter, not least to ward off the snooze effect of that food! I’m going to talk generally about a project called iFACTS to set the context, and then I’m going to talk about formal methods through the project lifecycle and give a personal opinion of the pros and cons. I ought to fess up: I’m a long-term formalist with a passion for mathematics and rigour, but I also like success, and delivery, and especially profit, so formal methods have to work for me in industry.
  4. iFACTS is an ATC system being procured by NATS, the UK air traffic provider. NATS are world leaders in ATC innovation, partly through necessity: UK ATC is very, very busy because of the dense population and our geographic position below transatlantic air traffic. I can only scratch the surface of the project. There is loads more detail on the NATS website.
  5. UK airspace is divided into sectors.
  6. Each sector has a team of 3 (currently) looking after the traffic in that sector. The planner accepts aircraft into the sector, and arranges for them to be handed off to the next sector. Arrangements include height, speed, heading, etc. He talks to other planning controllers. He deals with the boundary. The tactical is the controller in comms with the aircraft. She basically gets them from the in to the out of this sector. She deals with the interior. The assistant prints paper strips and generally helps out. Increased capacity comes through more sectors and thus more controllers. Except we have hit the limit: the hand-over burden now outweighs the gain from adding a new sector. We need tools to help.
  7. iFACTS will allow greater capacity in the existing sectors through the provision of new tools.
  8. We replace the paper flight strips with electronic ones. Not a great computer challenge. (Big usage challenge, though.) An enabler, because once we have all the data that’s currently on paper in the system, we can do things with it. We create a trajectory through space and time for each flight. We add uncertainty as a cone along the trajectory: the closer to “now”, the more certain you can be. Some maneuvers increase or decrease uncertainty. We can then compare every trajectory with every other trajectory to identify possible conflicts up to 15 mins in advance. Currently controllers work with a much shorter look-ahead of only a few minutes. This also gives the controllers a “what if” capability so that we don’t maneuver aircraft into annoying places in the first place! So as you can see, we are augmenting, not replacing, the current system. “Biggest advance in ATC since the introduction of Radar.”
  9. This is an example of part of the HMI. Each symbol is a pair of aircraft. This is the time to the closest approach between a pair of aircraft. This is the distance at closest approach. Note this says nothing about the current gap. Symbols tell you the attitude of the approach. Colors tell you something about severity. White is a deviation: an aircraft not doing what it’s told.
  10. So let’s start looking at formal methods.
  11. The specification is large, and split into a couple of technologies. The dominant part is a formal Z specification. There is some inherited mathematics defining algorithms. We could re-write it in Z, but it costs, and can only add defects. We don’t! It’s already unambiguous. We just tie functions to Z. The HMI specification is in state tables. A small amount, e.g. stating non-functional requirements on performance or resource usage, is in English commentary.
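The separation monitor that notes 8 and 9 describe, worked through as a small Python model. This is an added example written for this page, not iFACTS or Altran Praxis code: the callsigns, positions, the 5 NM minimum, the straight-line trajectories and the linear 0.5 NM/min uncertainty growth are all constructed assumptions; only the 15-minute look-ahead comes from the notes. It computes the two numbers the HMI symbol shows (time to closest approach and distance at closest approach), subtracts both aircraft's uncertainty cones, compares every trajectory with every other, and re-runs the whole check for a "what if" manoeuvre.

```python
"""Toy medium-term separation monitor (added example, not iFACTS code)."""
from dataclasses import dataclass
from itertools import combinations
import math

SEPARATION_NM = 5.0        # constructed lateral separation minimum
LOOK_AHEAD_MIN = 15.0      # look-ahead horizon from the notes, in minutes
GROWTH_NM_PER_MIN = 0.5    # constructed: uncertainty cone radius grows linearly


@dataclass(frozen=True)
class Track:
    """Straight-line trajectory: position in NM, velocity in NM per minute."""
    callsign: str
    x: float
    y: float
    vx: float
    vy: float


def closest_approach(a: Track, b: Track, horizon: float = LOOK_AHEAD_MIN):
    """Time (minutes from now, clamped to [0, horizon]) and distance (NM) at closest approach."""
    dx, dy = b.x - a.x, b.y - a.y
    dvx, dvy = b.vx - a.vx, b.vy - a.vy
    rel_speed_sq = dvx * dvx + dvy * dvy
    if rel_speed_sq == 0.0:
        t = 0.0                            # same velocity: the gap never changes
    else:
        t = -(dx * dvx + dy * dvy) / rel_speed_sq
        t = min(max(t, 0.0), horizon)      # diverging pairs are closest right now
    return t, math.hypot(dx + dvx * t, dy + dvy * t)


def uncertainty_radius(t: float) -> float:
    """Radius of the uncertainty cone around one trajectory t minutes ahead."""
    return GROWTH_NM_PER_MIN * t


def find_conflicts(tracks):
    """Compare every trajectory with every other; return (a, b, time, distance) sorted by time."""
    conflicts = []
    for a, b in combinations(tracks, 2):
        t, dist = closest_approach(a, b)
        # Worst case inside both cones: nominal gap less both radii.
        worst_case_gap = dist - 2 * uncertainty_radius(t)
        if worst_case_gap < SEPARATION_NM:
            conflicts.append((a.callsign, b.callsign, t, dist))
    return sorted(conflicts, key=lambda c: c[2])


def what_if(tracks, revised: Track):
    """'What if' check: re-run the monitor with one track replaced by a proposed manoeuvre."""
    return find_conflicts([revised if tr.callsign == revised.callsign else tr for tr in tracks])


# Constructed sample traffic (callsigns and numbers invented for this example).
SAMPLE_TRACKS = [
    Track("ALPHA",    0.0,   0.0,  8.0, 0.0),   # eastbound at 480 kt
    Track("BRAVO",   60.0,   6.0, -8.0, 0.0),   # westbound, head-on, offset 6 NM
    Track("CHARLIE",  0.0, 100.0,  8.0, 0.0),   # same heading as ALPHA, far to the north
    Track("DELTA",   10.0,   0.0,  8.0, 0.0),   # 10 NM ahead of ALPHA at the same speed
]

if __name__ == "__main__":
    for a, b, t, d in find_conflicts(SAMPLE_TRACKS):
        print(f"{a}/{b}: closest approach in {t:.2f} min at {d:.1f} NM")
    proposed = Track("BRAVO", 60.0, 20.0, -8.0, 0.0)   # what if BRAVO were offset 20 NM?
    print("conflicts after what-if:", what_if(SAMPLE_TRACKS, proposed))
```

Two things the numbers bring out. ALPHA and BRAVO pass 6 NM apart, which is legal on its own, yet the monitor flags them, because 3.75 minutes out each cone has grown to 1.875 NM and the worst-case gap drops to 2.25 NM; that is exactly why the note says the cone, not the nominal trajectory, is what gets compared. DELTA sits 10 NM ahead of ALPHA at the same speed, so the relative velocity is zero and the closest approach has to be taken as "now" rather than dividing by zero; that edge case is why the clamp and the zero check are there. The pairwise loop is quadratic in the number of tracks, which is fine for one sector's traffic but is the cost the "every trajectory with every other" phrase implies.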
  12. Random bit of Z. Not expected to read this! English description and (more detailed) mathematical description. This is a schema. These are variables with types. This is a mathematical relationship between the variables. We can generate the document with and without the mathematics for distinct readerships. The English needs to work in both. The maths has more detail. Extends, doesn’t contradict, the English. 4250 pages. All customer reviewed. Everything flows from this: design, code, test, everything.
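As an illustration of the two-part schema the note points at (declarations above the line, a predicate relating them below it), here is a constructed state schema for the separation monitor. It is added for this page and is not taken from the iFACTS specification; the names FLIGHT, Point, dist, minSep and conflicts are invented, and it is set with a plain LaTeX array rather than the Z typesetting package.

$$
\begin{array}{l}
\hline
\textit{SeparationMonitor} \\ \hline
flights : \mathbb{P}\,FLIGHT \\
position : FLIGHT \rightharpoonup Point \\
minSep : \mathbb{N} \\
conflicts : \mathbb{P}\,(FLIGHT \times FLIGHT) \\ \hline
\mathrm{dom}\,position = flights \\
conflicts = \{\, f, g : flights \mid f \neq g \wedge dist(position\,f, position\,g) < minSep \bullet (f, g) \,\} \\ \hline
\end{array}
$$

The upper part is the variables with their types; the lower part is the mathematical relationship between them. The English commentary that accompanies such a schema would say "every known flight has a position, and a conflict is any pair closer than the minimum"; the maths adds the detail (the domain condition, that the pair is unordered in effect, that minSep is a natural number) without contradicting it, which is the discipline the note describes for the two readerships.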
  13. Document reference: S.P9999.99.99, issue 1.0 Page How do we get a body of Z engineers? Reading and writing are different skills. Teaching reading is easy, and we have a lot of data to support that. People are up to speed fast. We can teach almost anyone who si not scared of basic maths. Teaching writing is harder. We pre-select harder, and the learning curve is longer and steeper. Some people don’t make it. Not a surprise – not everyone can do anything. There are people who will never write good code, or write good tests.
  14. Document reference: S.P9999.99.99, issue 1.0 Page Tools support is a key issues. We use Word. We don’t love it! However, when teaching people Z you really don’t want to simultaneously teach them other tools too. Fight selective battles! The template includes a Z font, an ability to kick off the FuZZ type checker, and the ability to launch a graphical analysis too that shows you the linkage and structure of the specification.
  15. Word has made for an easier environment for new users. But it retains all the usual problems of large Word documents. In particular, when developing a branch the merge can be tortuous. Binary Word files mean that you have little option but to use Word to do the merge. Going forward, a Z-aware merge tool for the underlying Office Open XML might be one option to help with merging.
  16. The HMI spec is a simple state machine. Describe… We could clearly draw this, but we get more material on the page in tables, and that leads to a clear mapping to code if we want one. Underneath the look-and-feel, we tie operations into the Z: a button press is the trigger for a Z operation, and a text field is the output from a Z operation.
  17. The beauty of this is its sheer simplicity.
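The following Python is an added illustration of the state-table idea (it is not iFACTS code, and the real HMI tables are far larger). A hypothetical cleared-flight-level entry panel is described as a table keyed by (HMI state, event); each row names the next state and a look-and-feel action. Pressing "enter" is the trigger for a Z-style operation on a separate state object, and the operation's report output is what the text field shows. The callsigns, the 10..450 level range and the event names are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class ClearedLevels:
    """The Z state for this illustration: known tracks and the cleared flight
    level of each (constructed; not the iFACTS state)."""
    tracks: set
    cfl: dict = field(default_factory=dict)

    def invariant(self):
        # levels are held only for known tracks, and within an assumed range
        return set(self.cfl) <= self.tracks and all(10 <= fl <= 450 for fl in self.cfl.values())

def set_cleared_level(z, callsign, fl):
    """A Z-style operation: check the precondition, change the state, return the report."""
    if callsign not in z.tracks:
        return "unknown track"
    if not 10 <= fl <= 450:
        return "level out of range"
    z.cfl[callsign] = fl
    assert z.invariant()          # the state invariant must survive every operation
    return f"{callsign} CFL {fl}"

@dataclass
class Hmi:
    z: ClearedLevels
    state: str = "idle"
    selected: str = ""
    buffer: str = ""
    text_field: str = ""

    def event(self, name, arg=None):
        """Look up the row for (state, event); a missing row means the event is ignored."""
        row = TABLE.get((self.state, name))
        if row is None:
            return self.text_field
        next_state, action = row
        if action is not None:
            action(self, arg)
        self.state = next_state
        return self.text_field

# Look-and-feel actions. 'commit' is the point where a button press triggers the
# Z operation and the text field takes the operation's output.
def start_entry(hmi, callsign):
    hmi.selected, hmi.buffer = callsign, ""

def append_digit(hmi, digit):
    hmi.buffer += digit

def discard(hmi, _):
    hmi.buffer = ""

def commit(hmi, _):
    hmi.text_field = set_cleared_level(hmi.z, hmi.selected, int(hmi.buffer or "0"))
    hmi.buffer = ""

# The state table: one row per (state, event) giving next state and action.
TABLE = {
    ("idle",     "press_cfl"):    ("entering", start_entry),
    ("entering", "key_digit"):    ("entering", append_digit),
    ("entering", "press_enter"):  ("idle",     commit),
    ("entering", "press_cancel"): ("idle",     discard),
}

def demo():
    """Drive the table through a valid entry, a rejected entry and an ignored event."""
    z = ClearedLevels(tracks={"BAW12", "EZY45"})     # constructed sample tracks
    hmi = Hmi(z)
    outputs = []
    hmi.event("press_cfl", "BAW12")
    for d in "350":
        hmi.event("key_digit", d)
    outputs.append(hmi.event("press_enter"))       # precondition holds: state updated
    hmi.event("press_cfl", "EZY45")
    for d in "999":
        hmi.event("key_digit", d)
    outputs.append(hmi.event("press_enter"))       # precondition fails: no state change
    outputs.append(hmi.event("press_enter"))       # no row for (idle, press_enter): ignored
    return outputs, dict(z.cfl), hmi.state

if __name__ == "__main__":
    print(demo())
```

Because the table is data rather than nested conditionals, a reviewer can check it row by row against the specification's table, and an event that has no row in the current state is simply ignored rather than reaching the Z operation.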
  19. I don't want to shock you, but I'm actually going to pass up the opportunity to extol the virtues of SPARK. I think this audience is pretty SPARK-aware, but please grab me later if you want to talk about the language. In summary, it's an annotated subset of Ada designed for people who want their programs to be safe, secure, or frankly just correct. We have 150 KLSLOC, all of which has a proof of the absence of any possible Ada exception.
  20. Again, we have trained a lot of people from diverse backgrounds. All our SPARK coders read Z and do proof. Note that we are not doing a correctness proof. It's not cost-effective for this project: the level of integrity doesn't warrant the work. (Remember my comment on profit!)
  21. In comparison to Z, the SPARK toolset is mature and excellent. And again, please see me for details, or your AdaCore rep for a very reasonable quotation!
  23. Our testing is driven by the Z. We require both specification coverage and code coverage. We devise possible test conditions by analysis of the mathematics, using partition analysis and equivalence classes, and we write these conditions in a Z-like notation.
  24. Keeping testing under control is, however, a big challenge. Just because you can devise a test case doesn't mean that you can afford to generate the test, or that it's a good test. How many conditions in this small example?
  25. Far too many! We triage out the low-value test conditions. We drop duplicates and contradictions. Then, by carefully crafting scripts, we can knock off a large number of conditions in one go. This is an activity that takes skill and domain knowledge. If you take the easy option ("we will test that") then your test programme will grow to commercially unviable proportions: too long and too costly. But of course we do need to be sure of the verification; we need a safety argument at the end of the day! In summary: the maths tells you all the possible tests, but there are so many that we could test for years. The trick is to pick the high-value tests.
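The triage described on slides 23 to 25 can be shown as a small, runnable procedure. This Python is an added example and not the project's own tooling: the partitions (horizontal separation, vertical separation, trend, alert), the rule that the alert is raised exactly when both separations are below minimum, and the five candidate scripts are all constructed for the illustration. The product of the equivalence classes gives every condition the maths admits; contradictions (combinations the rule forbids) and duplicates (boundary cases an analyst listed by hand that the product already contains) are dropped; then a greedy set cover picks the scripts that knock off the most remaining conditions each.

```python
from itertools import product

# Constructed equivalence classes for a hypothetical separation-check operation.
# Nothing here is taken from the iFACTS specification.
PARTITIONS = {
    "horiz": ("below_min", "at_min", "above_min"),
    "vert":  ("below_min", "at_min", "above_min"),
    "trend": ("converging", "diverging"),
    "alert": ("raised", "not_raised"),
}

def all_conditions():
    """Every combination the partitions admit: what 'the maths tells you'."""
    names = list(PARTITIONS)
    return [dict(zip(names, combo)) for combo in product(*(PARTITIONS[n] for n in names))]

def is_contradiction(c):
    """Assumed rule: the alert is raised exactly when both separations are below
    minimum. A combination that disagrees with the rule cannot occur."""
    loss = c["horiz"] == "below_min" and c["vert"] == "below_min"
    return (c["alert"] == "raised") != loss

def cond(h, v, t):
    """Build a consistent condition, deriving the alert value from the rule."""
    alert = "raised" if (h == "below_min" and v == "below_min") else "not_raised"
    return {"horiz": h, "vert": v, "trend": t, "alert": alert}

# Boundary cases an analyst might list by hand; both duplicate product entries.
EXTRA_BOUNDARY_CASES = [cond("at_min", "at_min", "converging"),
                        cond("at_min", "at_min", "diverging")]

def triage(conditions):
    """Drop contradictions and duplicates; the frozenset of items identifies a condition."""
    kept = {}
    for c in conditions:
        if not is_contradiction(c):
            kept.setdefault(frozenset(c.items()), c)
    return list(kept.values())

def script(name, *steps):
    """A test script is one scenario that passes through several conditions."""
    return {"name": name, "covers": {frozenset(cond(*s).items()) for s in steps}}

SCRIPTS = [  # constructed candidate scripts
    script("converge_and_lose", ("above_min", "above_min", "converging"),
           ("at_min", "at_min", "converging"), ("below_min", "below_min", "converging")),
    script("diverge_and_recover", ("below_min", "below_min", "diverging"),
           ("at_min", "at_min", "diverging"), ("above_min", "above_min", "diverging")),
    script("vertical_only", ("below_min", "above_min", "converging"), ("below_min", "at_min", "converging"),
           ("below_min", "above_min", "diverging"), ("below_min", "at_min", "diverging")),
    script("horizontal_only", ("above_min", "below_min", "converging"), ("at_min", "below_min", "converging"),
           ("above_min", "below_min", "diverging"), ("at_min", "below_min", "diverging")),
    script("mixed_margins", ("at_min", "above_min", "converging"), ("above_min", "at_min", "converging"),
           ("at_min", "above_min", "diverging"), ("above_min", "at_min", "diverging")),
]

def choose_scripts(conditions, scripts):
    """Greedy set cover: repeatedly take the script covering the most uncovered conditions."""
    remaining = {frozenset(c.items()) for c in conditions}
    chosen = []
    while remaining:
        best = max(scripts, key=lambda s: len(remaining & s["covers"]))
        if not remaining & best["covers"]:
            break                      # nothing left that any script reaches
        chosen.append(best["name"])
        remaining -= best["covers"]
    return chosen, remaining

def plan():
    """Return (raw count, count after triage, chosen script names, uncovered conditions)."""
    everything = all_conditions()
    worth_testing = triage(everything + EXTRA_BOUNDARY_CASES)
    chosen, uncovered = choose_scripts(worth_testing, SCRIPTS)
    return len(everything), len(worth_testing), chosen, uncovered

if __name__ == "__main__":
    total, kept, chosen, uncovered = plan()
    print(f"{total} raw conditions, {kept} after triage, "
          f"{len(chosen)} scripts, {len(uncovered)} uncovered")
```

Even this toy operation produces 36 raw conditions, half of which are contradictions; the remaining 18 are covered by five scripts. Anything left in `uncovered` after the greedy pass is the list to take back to the analysts, either to write a script for or to argue out of the safety case explicitly.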
  26. We use an independent implementation to help with the detailed trajectory algorithm testing. We use this "reference model" to generate the expected outcomes. The implementation notation and the programmer are both diverse, so there is little risk of common-mode failure (outside of a specification error).
  27. Interestingly, the reference model has proven very accurate. (Although it is not, e.g., fast enough for real use.) We need to be careful not to draw too many conclusions from a small study; it is worthy of further evaluation. We could throw loads of tests at this automatically!
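The back-to-back arrangement of slides 26 and 27 can be demonstrated with a much simpler algorithm than a real trajectory predictor. This Python is an added example, not iFACTS code: the "production" routine computes the time and distance of closest approach of two straight-line tracks in a flat plane by a closed-form formula, while the "reference model" is a deliberately different implementation that steps the two trajectories forward and keeps the minimum distance (accurate but far too slow for operational use). A third routine with an inserted defect (it forgets to clamp the closest-approach time into the prediction window) shows what the comparison catches. Units, scenarios, horizon and step size are all constructed.

```python
import math

HORIZON_S = 600.0   # how far ahead the prediction looks (assumed value)
STEP_S = 0.5        # sampling step of the reference model (assumed value)

def closest_approach(p1, v1, p2, v2, horizon=HORIZON_S):
    """Production-style closed form: (time, distance) of closest approach in [0, horizon]."""
    rx, ry = p2[0] - p1[0], p2[1] - p1[1]        # relative position (m)
    vx, vy = v2[0] - v1[0], v2[1] - v1[1]        # relative velocity (m/s)
    vv = vx * vx + vy * vy
    t = 0.0 if vv == 0.0 else -(rx * vx + ry * vy) / vv
    t = min(max(t, 0.0), horizon)                # closest point in the past: now is closest
    return t, math.hypot(rx + vx * t, ry + vy * t)

def closest_approach_unclamped(p1, v1, p2, v2, horizon=HORIZON_S):
    """Deliberately defective variant for the demonstration: no clamp into [0, horizon]."""
    rx, ry = p2[0] - p1[0], p2[1] - p1[1]
    vx, vy = v2[0] - v1[0], v2[1] - v1[1]
    vv = vx * vx + vy * vy
    t = 0.0 if vv == 0.0 else -(rx * vx + ry * vy) / vv
    return t, math.hypot(rx + vx * t, ry + vy * t)

def reference_model(p1, v1, p2, v2, horizon=HORIZON_S, dt=STEP_S):
    """Independent implementation: step both trajectories and take the minimum distance.
    Diverse in method (sampling rather than algebra); slow by design."""
    best_t, best_d = 0.0, math.inf
    for i in range(int(horizon / dt) + 1):
        t = i * dt
        d = math.hypot((p2[0] + v2[0] * t) - (p1[0] + v1[0] * t),
                       (p2[1] + v2[1] * t) - (p1[1] + v1[1] * t))
        if d < best_d:
            best_t, best_d = t, d
    return best_t, best_d

# Constructed scenarios: (name, p1, v1, p2, v2), positions in m, velocities in m/s.
SCENARIOS = [
    ("head_on",   (0, 0), (200, 0), (20000, 0),    (-200, 0)),
    ("parallel",  (0, 0), (200, 0), (0, 1000),     (200, 0)),
    ("crossing",  (0, 0), (100, 0), (5000, -3000), (0, 100)),
    ("diverging", (0, 0), (100, 0), (1000, 0),     (150, 0)),
]

def back_to_back(impl, scenarios=SCENARIOS, dt=STEP_S):
    """Run impl against the reference model and return the names of disagreeing scenarios.
    The sampled minimum can miss the true one by up to |v_rel| * dt / 2, so the tolerance
    is derived from the reference model's own resolution rather than guessed."""
    mismatches = []
    for name, p1, v1, p2, v2 in scenarios:
        _, d_impl = impl(p1, v1, p2, v2)
        _, d_ref = reference_model(p1, v1, p2, v2, dt=dt)
        tol = math.hypot(v2[0] - v1[0], v2[1] - v1[1]) * dt / 2 + 1e-6
        if abs(d_impl - d_ref) > tol:
            mismatches.append(name)
    return mismatches

if __name__ == "__main__":
    print("clamped  :", back_to_back(closest_approach))
    print("unclamped:", back_to_back(closest_approach_unclamped))
```

The defective variant agrees with the reference model on every scenario except "diverging", where it reports a closest approach in the past and a distance of zero; the reference model, which only ever looks forward, reports the current separation. That is the shape of the disagreement a reference model exists to surface, and because the scenarios are plain data, generating thousands of them automatically is a loop rather than a new programme of work.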
  28. Conclusion. Formal methods, being unambiguous, help us throughout the life cycle. We have a project of over 100 engineers, and have had precisely zero scaling problems with the technologies. In particular, the oft-cited problems of "training" and "learning" don't hold true. (Which of course argues that we can train any number of Ada programmers too.) The Achilles heel, if there is one, is tool support. We don't have enough tool support, or enough integrated tooling. There are exceptions, like the Examiner, but for Z etc. we need more.
  29. Document control. Altran Praxis Limited, 20 Manvers Street, Bath BA1 1PX. Copyright © Altran Praxis. All rights reserved. Change history: Issue 0.1 (date): changes forecast.