    Joint use of static and dynamic software verification techniques: a cross-domain view in safety critical system industries

    How different are the approaches to combining formal methods (FM) and testing in the safety standards of the automotive, aeronautic, nuclear, process, railway and space industries? This is the question addressed in this paper by a cross-domain group of experts involved in the revision committees of ISO 26262, DO-178C, IEC 60880, IEC 61508, EN 50128 and ECSS-Q-ST-80C. First we review some commonalities and differences regarding the application of formal methods in the aforementioned standards. Are they mandatory or only recommended? What kinds of properties are they advised to be applied to? What do the different standards specify regarding coverage (both functional and structural) when testing and formal methods are used jointly? We also report the group members' return on experience in the six industrial domains regarding state-of-the-art practice in the joint use of formal methods and testing. Where did formal methods actually prove to outperform testing? Then we discuss verification coverage, and more specifically the role of structural coverage. Does structural coverage play the same role in all the standards? Is it specific to testing and irrelevant to formal methods? What verification termination criteria are applicable to an FM/test mix? We conclude with some prospective views on how software safety standards may evolve to maximize the benefits of the joint use of dynamic (testing) and static (FM) verification methods.

    Multi-domain comparison of safety standards

    This paper presents an analysis of safety standards and their implementation in certification strategies from different domains such as aeronautics, automation, automotive, nuclear, railway and space. This work, performed in the context of the CG2E ("Club des Grandes Entreprises de l'Embarqué"), aims at identifying the main similarities and dissimilarities, with a view to potential cross-domain harmonization. We strive to find the most comprehensive 'trans-sectorial' approach across a large number of industrial domains. Exhibiting the 'true goals' of the numerous applicable standards related to system and software safety is a first important step towards harmonization, sharing common approaches, methods and tools whenever possible.

    Static Analysis of the Accuracy in Control Systems: Principles and Experiments

    Abstract. Finite precision computations can severely affect the accuracy of computed solutions. We present a complete survey of a static analysis based on abstract interpretation, and a prototype implementing this analysis for C code, for studying the propagation of the rounding errors that occur at every intermediate step of floating-point computations. In the first part of this paper, we briefly present the domains and techniques used in the implemented analyzer, called FLUCTUAT. In the second part we describe the experiments made on real industrial code at the Institut de Radioprotection et de Sûreté Nucléaire and at Hispano-Suiza, coming respectively from the nuclear and the aeronautics industry. This paper aims at filling the gaps between some theoretical aspects of the static analysis of floating-point computations described in [13, 14, 21] and the necessary choices of algorithms and implementation, in accordance with practical motivations drawn from real industrial cases.
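    To make concrete what "propagation of rounding errors at every intermediate step" means, here is a toy rounding-error abstract domain written for this page. It is example code, not FLUCTUAT's implementation or any code from the paper: it assumes IEEE-754 binary64 with round-to-nearest, and it uses plain intervals where FLUCTUAT uses affine forms (zonotopes), so it is sound but coarser, since correlated errors never cancel here. Every function name below (literal, exact, add, sub, mul, rel_error_bound, sum_error_bound, cancellation) is an assumption of this example, not a FLUCTUAT API.

```python
"""Toy rounding-error analysis by abstract interpretation (example code added
for this page; not FLUCTUAT's code). Each abstract value pairs an interval
enclosing the float the program computes with an interval enclosing the
accumulated error (real result minus float result). Plain intervals are used
where FLUCTUAT uses affine forms, so correlated errors never cancel here.
Requires Python 3.9+ for math.nextafter."""
import math
from dataclasses import dataclass

U = 2.0 ** -53  # unit roundoff of IEEE-754 binary64, round-to-nearest (assumed)


@dataclass(frozen=True)
class Interval:
    lo: float
    hi: float

    @staticmethod
    def outward(lo, hi):
        # Widen by one ulp on each side so that the interval arithmetic done
        # in floats below remains a sound over-approximation.
        return Interval(math.nextafter(lo, -math.inf), math.nextafter(hi, math.inf))

    def __add__(self, o):
        return Interval.outward(self.lo + o.lo, self.hi + o.hi)

    def __sub__(self, o):
        return Interval.outward(self.lo - o.hi, self.hi - o.lo)

    def __mul__(self, o):
        p = (self.lo * o.lo, self.lo * o.hi, self.hi * o.lo, self.hi * o.hi)
        return Interval.outward(min(p), max(p))

    def mag(self):
        return max(abs(self.lo), abs(self.hi))

    def contains_zero(self):
        return self.lo <= 0.0 <= self.hi


@dataclass(frozen=True)
class FloatAbs:
    val: Interval  # enclosure of the float value the program computes
    err: Interval  # enclosure of (real value - float value)


def literal(x):
    """A decimal literal such as 0.1: the parser already rounded it once."""
    d = U * abs(x)
    return FloatAbs(Interval(x, x), Interval(-d, d))


def exact(x):
    """A value known to be exactly representable (small integers, powers of two)."""
    return FloatAbs(Interval(x, x), Interval(0.0, 0.0))


def _round(val, err):
    # One new rounding per operation, bounded by U * |result| for round-to-nearest.
    d = U * val.mag()
    return FloatAbs(val, err + Interval(-d, d))


def add(a, b):
    return _round(a.val + b.val, a.err + b.err)


def sub(a, b):
    return _round(a.val - b.val, a.err - b.err)


def mul(a, b):
    # (x1+e1)(x2+e2) - x1*x2 = x1*e2 + x2*e1 + e1*e2
    return _round(a.val * b.val, a.val * b.err + b.val * a.err + a.err * b.err)


def rel_error_bound(a):
    """Bound on |real - float| / |float|; infinite if the value may be zero."""
    if a.val.contains_zero():
        return math.inf
    return a.err.mag() / min(abs(a.val.lo), abs(a.val.hi))


def sum_error_bound(n):
    """Abstractly run `s = 0.0; for _ in range(n): s += 0.1` and return the
    absolute error bound on s; sum_concrete(n) is the concrete float loop."""
    s = exact(0.0)
    for _ in range(n):
        s = add(s, literal(0.1))
    return s.err.mag()


def sum_concrete(n):
    s = 0.0
    for _ in range(n):
        s += 0.1
    return s


def cancellation():
    """(0.1 + 0.2) - 0.3: the absolute error bound stays around 1e-16, but the
    value enclosure contains zero, so no relative accuracy can be claimed."""
    r = sub(add(literal(0.1), literal(0.2)), literal(0.3))
    return r.err.mag(), rel_error_bound(r)


if __name__ == "__main__":
    print("abs error bound for 10 x 0.1:", sum_error_bound(10),
          "actual:", abs(1.0 - sum_concrete(10)))
    print("(0.1+0.2)-0.3 abs bound / rel bound:", cancellation())
```

    The two cases show the two things such an analysis is used for in practice: the summation loop gives a quantitative bound that the concrete run respects (the real sum is exactly 1.0, so the true error is measurable), and the cancellation case shows how a small absolute error can still mean a total loss of relative accuracy, which is exactly the kind of result the analyzer has to surface to the engineer rather than hide behind a reassuring absolute figure.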

    A Geometric Perspective on ML Safety Assurance

    Some people claim AI-ML suffers from a reliability glass-ceiling effect, around 10^-2 errors per inference, that makes it incompatible with safety criticality by several orders of magnitude. Others advocate that safety nets and development assurance will overcome this gap, so that there is no real concern. We propose an explanation of the reliability plateauing phenomenon based on the geometry of approximant adjustment and on ML verification practices. We advocate the need for a new field we have coined HR ML (Highly Reliable ML) and UHR ML (Ultra Highly Reliable ML). Relying on topological data analysis in high dimensions, its aim is to supplement point-based data-science verification with volume-based verification in order to meet the required error rates of 10^-5 per inference (and beyond). We argue that process-based ML assurance and safety monitors alone will not overcome the reliability barrier. Our HR-ML concept for safety-related applications is a research proposition at the confluence of ML assurance and system assurance.

    Tool Qualification in Multiple Domains: Status and Perspectives

    This paper provides a global perspective on the qualification of tools used for the development or verification of safety-critical software. The increasing complexity and criticality of safety-critical software requires a high degree of rigor in the development and verification processes. These processes are regulated by standards such as DO-178C/ED-12C for airborne software, EN 50128 for railway equipment, IEC 61508 / IEC 61511 / IEC 62061 for industry, ISO 26262 for automotive, ECSS (in particular Q80, E40) for European space and IEC 60880 for the nuclear industry. Development and verification of application software increasingly rely on tools that automate complex verification and/or development activities. This paper provides a comparative overview of the current major standards regarding tools, and proposes improvements to the approach to tool qualification.

    Towards Rebalancing Safety Design, Assessment and Assurance

    Cyber-physical systems have evolved faster than development technologies, which in turn have evolved faster than safety standards, despite periodic revisions. By 2020, a significant cumulative gap exists between development assurance and its perceived effectiveness on the safety of the highly complex systems developed nowadays. This paper explores how this gap could be at least partly closed. First, we review new techniques emerging from hybrid systems research that might influence the verification of system safety in the future; then we discuss some problems in the industrial practice of safety assessment and in safety standards. These problems are widely acknowledged in all industrial domains, especially when facing the certification of AI-enabled autonomous vehicles (cars, drones, trains, unmanned underwater vehicles, etc.). Finally, we propose some orientations for evolving the development assurance standards so that they may accommodate these new techniques without adding new assurance requirements to the legacy ones. We advocate a new balance for future assurance that would introduce new structural and behavioural analyses while reducing some aspects of dysfunctional analysis.
