2. Formal Method : Advantages
3. Formal Method on A380
4. Formal Method on A380 : 1st Type
5. Formal Method : 1st Type, Next to come
6. Formal Method on A380 : 2nd Type, Unit Proof
7. Formal Method on A380 : Unit Proof
8. Formal Method on A380 : Unit Proof Design
(Figure: unit proof design flow; labels: Subset Specification, Coding, Unit Proofs, Integration.)
9. Formal Method on A380 : Unit Proof
(Figure: unit proof process. Steps: definition of proof environment, flows generation, verification of flows against design, proof performing, analysis of proof results. Design phase labels: data & control flows, Caveat, flows, code compliant with design. Coding phase labels: C source, functional properties, Caveat, process management tool. Outcomes: If OK / If not OK.)
Caveat is integrated into the process management tool to automate the proof process.
10. Formal Method on A380 : Conclusions
11. DO-178C Formal Method Supplement
12. FM supplement
Gives guidance for planning, development and verification processes
13. What is a Formal Method ?
A formal method is a formal analysis carried out on a formal model.
(Figure: Formal Method, Formal model, Formal Analysis.)
14. What is a Formal Model ?
A formal notation is a notation having a precise, unambiguous, mathematically defined syntax and semantics. A formal model is a model defined using a formal notation.
15. What is a Formal Analysis ?
16. Notion of property
17. Being Sound
A sound method never asserts that a property is true when it is not.
(Figure: Formal model of the requirements, Formal Analysis, OK, X, Not Sound.)
18. Conservative representation
We need to be sure that whatever is proved about the formal model also applies to what is modeled. Then review or analysis should be used to demonstrate that the formal statement is a conservative representation of the informal requirement.
(Figure: Requirements, Formal model of the requirements, Formal Analysis, Results.)
19. DO-178/ED-12 Verification Process
(Figure: DO-178/ED-12 verification process. Levels: System Requirements, High-Level Requirements, Software Architecture, Low-Level Requirements, Source Code, Executable Object Code. Verification objectives between levels: Compliance, Traceability, Robustness, Accuracy & Consistency, HW Compatibility, Verifiability, Conformance, Algorithm Accuracy, Architecture Compatibility, Partition Integrity, Complete & Correct, Compatible With Target.)
20. FM Supplement : Formal verification
21. FM Supplement : Formal verification instead of reviews
When HLR are formally expressed, formal analysis can be used.
(Figure: DO-178/ED-12 verification process diagram with HLR shown as Formal HLR; same levels and verification objectives as on slide 19.)
22. FM Supplement : Formal verification instead of reviews
When HLR and LLR are formally expressed, formal analysis can be used.
(Figure: same diagram with Formal HLR and Formal LLR.)
23. FM Supplement : Formal verification
24. FM Supplement : Formal verification for EOC
When LLR are formally expressed with a conservative representation between code and EOC, then formal analysis can be used to replace some tests.
(Figure: same diagram with Formal LLR; labels: X, Conservative representation.)
25. FM Supplement : Formal verification
26. FM Supplement : Formal verification for EOC
Properties might be proved directly on EOC : WCET, stack usage, compatible with target.
(Figure: same diagram; label: Compatible With Target.)
27. FM Supplement : Formal verification
28. To conclude
29. Special thanks to
30.
31. AIRBUS OPERATIONS S.A.S. All rights reserved. Confidential and proprietary document. This document and all information contained herein is the sole property of AIRBUS OPERATIONS S.A.S. No intellectual property rights are granted by the delivery of this document or the disclosure of its content. This document shall not be reproduced or disclosed to a third party without the express written consent of AIRBUS OPERATIONS S.A.S. This document and its content shall not be used for any purpose other than that for which it is supplied. The statements made herein do not constitute an offer. They are based on the mentioned assumptions and are expressed in good faith. Where the supporting grounds for these statements are not shown, AIRBUS OPERATIONS S.A.S will be pleased to explain the basis thereof. AIRBUS, its logo, A300, A310, A318, A319, A320, A321, A330, A340, A350, A380, A400M are registered trademarks.