
    Experiences in using model checking to verify real time properties of a landing gear control system

    This paper presents experiences in using several model checking tools to verify properties of a critical real time embedded system. The tools we tested are Lesar, SMV, Prover Plug In for SCADE and Uppaal. The application is the landing gear control system of a military aircraft, developed by Dassault Aviation. The property to be verified states that the gear must be down in at most 14 seconds. Results (success and verification time) depend a lot on the way time is handled by the verification tools.

    Joint use of static and dynamic software verification techniques: a cross-domain view in safety critical system industries

    How different are the approaches to combining formal methods (FM) and testing in the safety standards of the automotive, aeronautic, nuclear, process, railway and space industries? This is the question addressed in this paper by a cross-domain group of experts involved in the revision committees of ISO 26262, DO-178C, IEC 60880, IEC 61508, EN 50128 and ECSS-Q-ST-80C. First we review some commonalities and differences regarding application of formal methods in the aforementioned standards. Are they mandatory or recommended only? What kind of properties are they advised to be applied to? What is specified in the different standards regarding coverage (both functional and structural) if testing and formal methods are used jointly? We also account for the return on experience of the group members in the six industrial domains regarding state of the art practice of joint use of formal methods and testing. Where did formal methods actually prove to outperform testing? Then we discuss verification coverage, and more specifically the role of structural coverage. Does structural coverage play the same role in all the standards? Is it specific to testing and irrelevant for formal methods? What verification termination criteria are applicable in case of an FM-test mix? We conclude on some prospective views on how software safety standards may evolve to maximize the benefits of joint use of dynamic (testing) and static (FM) verification methods.

    Software Factory Testing Tools: an Analysis Framework

    This paper compares seven tools devoted to software verification and validation that are being developed by several participants of the MoDriVal project.


    ESTEREL: A formal method applied to avionic software development

    Dassault Aviation is a French aircraft manufacturer building civil business jets (the Falcon family) and military jet fighters (the Mirage and Rafale families). It has been concerned with formal methods inside the development process of avionic software since 1989. In this paper, we give a comprehensive account of three industrial-size studies carried out at Dassault Aviation using the reactive synchronous language ESTEREL and its toolset, in collaboration with the public research team that develops ESTEREL at Ecole des Mines de Paris and INRIA Sophia-Antipolis. We deal with software engineering issues related to compilation, optimization and verification of safety-critical embedded software. The goal is to ensure production of efficient and reliable code.

    A Geometric Perspective on ML Safety Assurance

    Some people claim AI-ML suffers from a reliability glass ceiling effect, around 10e-2 per inference, that makes it incompatible with safety-criticality by several orders of magnitude. Others advocate that safety nets and development assurance will overcome this gap so that there is no real concern. We propose an explanation to the reliability plateauing phenomenon based on the geometry of approximant adjustment, and on ML verification practices. We advocate the need for a new field we coined as HR ML (Highly Reliable) and UHR ML (Ultra Highly Reliable). Relying on Topological Data Analysis in high dimensions, its aim is to supplement data-science point-based verification with volume-based verification in order to meet the needed 10e-5 / inf. error rates (and beyond). We argue that process-based ML assurance and safety monitors alone will not overcome the reliability barrier. Our HR-ML concept for safety-related applications is a research proposition at the confluence of ML assurance and system assurance.

    Towards Rebalancing Safety Design, Assessment and Assurance

    Cyber-physical systems have evolved faster than development technologies, which in turn have evolved faster than safety standards, despite periodic revisions. By 2020, a significant cumulative gap exists between development assurance and its perceived effectiveness on the safety of the highly complex systems developed nowadays. This paper explores how this gap could be at least partly closed. First, we review new techniques that are emerging from hybrid system research and that might influence verification of system safety in the future, then we discuss some problems in industrial practice of safety assessment and in safety standards. These problems are widely acknowledged in all industrial domains, especially when facing certification of AI-enabled autonomous vehicles (cars, drones, trains, underwater unmanned vehicles etc.). Finally, we propose some orientations to evolve the development assurance standards so that they may facilitate accommodation of these new techniques without adding new assurance requirements to the legacy ones. We advocate a new balance for future assurance that would introduce new structural and behavioural analyses while reducing some aspects of dysfunctional analysis.
