12 research outputs found

    Joint use of static and dynamic software verification techniques: a cross-domain view in safety critical system industries

    How different are the approaches to combining formal methods (FM) and testing in the safety standards of the automotive, aeronautic, nuclear, process, railway and space industries? This is the question addressed in this paper by a cross-domain group of experts involved in the revision committees of ISO 26262, DO-178C, IEC 60880, IEC 61508, EN 50128 and ECSS-Q-ST-80C. First we review some commonalities and differences regarding the application of formal methods in the aforementioned standards. Are they mandatory or only recommended? What kinds of properties are they advised to be applied to? What do the different standards specify regarding coverage (both functional and structural) if testing and formal methods are used jointly? We also account for the return on experience of the group members in the six industrial domains regarding state-of-the-art practice in the joint use of formal methods and testing. Where did formal methods actually prove to outperform testing? Then we discuss verification coverage, and more specifically the role of structural coverage. Does structural coverage play the same role in all the standards? Is it specific to testing and irrelevant for formal methods? What verification termination criteria are applicable in the case of an FM-test mix? We conclude with some prospective views on how software safety standards may evolve to maximize the benefits of the joint use of dynamic (testing) and static (FM) verification methods.

    Autonomous and connected vehicles: Collaboration of Aeronautic and Automotive industries to face the huge challenges for safe and secure embedded systems.

    Facing the challenge of developing safety systems for autonomous and connected vehicles, close collaboration between partners from the aeronautic and automotive fields is key. By merging their competences and different technological cultures, each partner gains in technical and economic performance. To promote this close collaboration among all the players in Systems of Transportation Autonomous and Connected, Aerospace Valley is setting up a collaborative project (STAC).

    Perspectives on Probabilistic Assessment of Systems and Software

    Safety standards in most domains (aeronautics, automotive, industry, nuclear, railway, space) consider software (and more generally, design) as a deterministic artefact. They propose a global rationale combining probabilistic evidence on hardware random failures and deterministic evidence on systematic causes of failures, including software. In a context where software is more and more pervasive in all systems, and where it is sometimes argued that software complexity and size lend some relevance to a probabilistic view of software behaviour, several initiatives suggest changing the way software is addressed in the global system safety assessment. This is a complex question with many facets. Among them, the authors propose to discuss in the paper:
    - the foundations, relevance and limits of probabilistic assessment for software,
    - the relationship between software criticality category (or class, DAL/SIL/ASIL/SSIL etc.) and probabilistic safety objectives,
    - the rationale for software diversification and to what extent probabilistic assessment is part of it.

    A cross-domain comparison of software development assurance standards

    This paper compares the influence of Development Assurance Levels (DALs) on the prescribed objectives, activities, methods and tools of six different software development assurance standards, namely those of civil aviation, automotive, space, process automation, nuclear and railway. Through an inventory of their respective requirements, we attempt to compare the software safety levels ensured by each standard for its lowest and highest DALs. We first explain the rationale of the comparison, i.e. on what basis we compare the securing effects of the various process-based or product-based requirements issued by the six software development assurance standards. Then we review the DAL-dependent variability of each standard and finally outline some tentative cross-domain equivalence classes or ranking.

    Cross domain comparison of System Assurance

    This paper presents an analysis of the impact of the Development Assurance Level (DAL) or Safety Integrity Level (SIL) on system activities in the various application domains represented in the CG2E (“Club des Grandes Entreprises en Embarqué”), and especially in its dependability, safety norms and standards working group. The main goals of this paper are to:
    • analyse the impact in each application domain,
    • identify and discuss the similarities and dissimilarities in order to find cross-domain synergies.