An experimental Study using ACSL and Frama-C to formulate and verify Low-Level Requirements from a DO-178C compliant Avionics Project

Safety critical avionics software is a natural application area for formal verification. This is reflected in the formal method's inclusion into the certification guideline DO-178C and its formal methods supplement DO-333. Airbus and Dassault-Aviation, for example, have conducted studies in using formal verification. A large German national research project, Verisoft XT, also examined the application of formal methods in the avionics domain. However, formal methods are not yet mainstream, and it is questionable if formal verification, especially formal deduction, can be integrated into the software development processes of a resource constrained small or medium enterprise (SME). ESG, a Munich based medium sized company, has conducted a small experimental study on the application of formal verification on a small portion of a real avionics project. The low level specification of a software function was formalized with ACSL, and the corresponding source code was partially verified using Frama-C and the WP plugin, with Alt-Ergo as automated prover. We established a couple of criteria which a method should meet to be fit for purpose for industrial use in SME, and evaluated these criteria with the experience gathered by using ACSL with Frama-C on a real world example. The paper reports on the results of this study but also highlights some issues regarding the method in general which, in our view, will typically arise when using the method in the domain of embedded real-time programming.Comment: In Proceedings F-IDE 2015, arXiv:1508.0338

Climbing the Software Assurance Ladder - Practical Formal Verification for Reliable Software

There is a strong link between software quality and software reliability. By decreasing the probability of imperfection in the software, we can augment its reliability guarantees. At one extreme, software with one unknown bug is not reliable. At the other extreme, perfect software is fully reliable. Formal verification with SPARK has been used for years to get as close as possible to zero-defect software. We present the well-established processes surrounding the use of SPARK at Altran UK, as well as the deployment experiments performed at Thales to finetune the gradual insertion of formal verification techniques in existing processes. Experience of both long-term and new users helped us define adoption and usage guidelines for SPARK based on five levels of increasing assurance that map well with industrial needs in practice

Formal methods for industrial critical systems, preface to the special section

[EN] This special issue contains improved versions of selected papers from the workshops on Formal Methods for Industrial Critical Systems (FMICS) held in Eindhoven, The Netherlands, in November 2009 and in Antwerp, Belgium, in September 2010. These were, respectively, the 14th and 15th of a series of international workshops organized by an open working group supported by ERCIM (European Research Consortium for Informatics and Mathematics) that promotes research in all aspects of formal methods (see details in http://www.inrialpes.fr/vasy/fmics/). The FMICS workshops that have produced this special issue considered papers describing original, previously unpublished research and not simultaneously submitted for publication elsewhere, and dealing with the following themes: Design, specification, code generation and testing based on formal methods. Methods, techniques and tools to support automated analysis, certification, debugging, learning, optimization and transformation of complex, distributed, real-time and embedded systems. Verification and validation methods that address shortcomings of existing methods with respect to their industrial applicability (e.g., scalability and usability issues). Tools for the development of formal design descriptions. Case studies and experience reports on industrial applications of formal methods, focusing on lessons learned or new research directions. Impact and costs of the adoption of formal methods. Application of formal methods in standardization and industrial forums. The selected papers are the result of several evaluation steps. In response to the call for papers, FMICS 2009 received 24 papers and FMICS 2010 received 33 papers, with 10 and 14 accepted, respectively, which were published by Springer- Verlag in the series Lecture Notes in Computer Science (volumes 5825 [1] and 6371 [2]). Each paper was reviewed by at least three anonymous referees which provided full written evaluations. After the workshops, the authors of 10 papers were invited to submit extended journal versions to this special issue. These papers passed two review phases, and finally 7 were accepted to be included in the journal.his work has been partially supported by the EU (FEDER) and the Spanish MEC TIN2010-21062-C02-02 project, MICINN INNCORPORA-PTQ program, and by Generalitat Valenciana, ref. PROMETEO2011/052.Alpuente Frasnedo, M.; Joubert ., C.; Kowalewski, S.; Roveri, M. (2013). Formal methods for industrial critical systems, preface to the special section. Science of Computer Programming. 78(7):775-777. doi:10.1016/j.scico.2012.05.005S77577778

Using ACL2 to Verify Loop Pipelining in Behavioral Synthesis

Behavioral synthesis involves compiling an Electronic System-Level (ESL) design into its Register-Transfer Level (RTL) implementation. Loop pipelining is one of the most critical and complex transformations employed in behavioral synthesis. Certifying the loop pipelining algorithm is challenging because there is a huge semantic gap between the input sequential design and the output pipelined implementation making it infeasible to verify their equivalence with automated sequential equivalence checking techniques. We discuss our ongoing effort using ACL2 to certify loop pipelining transformation. The completion of the proof is work in progress. However, some of the insights developed so far may already be of value to the ACL2 community. In particular, we discuss the key invariant we formalized, which is very different from that used in most pipeline proofs. We discuss the needs for this invariant, its formalization in ACL2, and our envisioned proof using the invariant. We also discuss some trade-offs, challenges, and insights developed in course of the project.Comment: In Proceedings ACL2 2014, arXiv:1406.123

Developing a distributed electronic health-record store for India

The DIGHT project is addressing the problem of building a scalable and highly available information store for the Electronic Health Records (EHRs) of the over one billion citizens of India