Abstract
Formal methods tools have been shown to be effective at finding defects in safety-critical systems, including avionics systems in commercial aircraft. The publication of DO-178C and the accompanying formal methods supplement DO-333 provide guidance for aircraft manufacturers and equipment suppliers who wish to obtain certification credit for the use of formal methods for software development and verification.
However, there are still a number of issues that must be addressed before formal methods tools can be injected into the design process for avionics systems. DO-178C requires that a tool used to meet certification objectives be qualified to demonstrate that its output can be trusted. The qualification of formal methods tools is a relatively new concept presenting unique challenges for both formal methods researchers and software developers in the aerospace industry.
This paper presents the results of a recent project studying the qualification of formal methods tools. We have identified potential obstacles to their qualification and proposed mitigation strategies. We have conducted two case studies based on different qualification approaches for an open source formal verification tool, the Kind 2 model checker. The first case study produced a qualification package for Kind 2. The second demonstrates the feasibility of independently verifying the output of Kind 2 through the generation of proof certificates and verifying these certificates with a qualified proof checker, in lieu of qualifying the model checker itself.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
References
RTCA DO-178C: Software considerations in airborne systems and equipment certification, Washington, DC (2011)
Woodcock, J., Larsen, P.G., Bicarregui, J., Fitzgerald, J.S.: Formal methods: practice and experience. ACM Comput. Surv. 41, 19 (2009)
RTCA DO-333: Formal methods supplement to DO-178C and DO-278A, Washington, DC (2011)
RTCA DO-330: Software tool qualification considerations, Washington, DC (2011)
Cofer, D., Miller, S.: DO-333 certification case studies. In: Badger, J.M., Rozier, K.Y. (eds.) NFM 2014. LNCS, vol. 8430, pp. 1–15. Springer, Cham (2014). doi:10.1007/978-3-319-06200-6_1
Cofer, D., Klein, G., Slind, K., Wiels, V.: Qualification of formal methods tools (Dagstuhl seminar 15182). Dagstuhl Rep. 5, 142–159 (2015)
OCamlPro: Alt-ergo (2013). https://alt-ergo.ocamlpro.com/
AdaCore: SPARK Pro (2014). http://www.adacore.com/sparkpro/
Leroy, X.: A formally verified compiler back-end. J. Autom. Reason. 43, 363–446 (2009)
Camus, J.L., DeWalt, M.P., Pothon, F., Ladier, G., Boulanger, J.L., Blanquart, J.P., Quere, P., Ricque, B., Gassino, J.: Tool qualification in multiple domains: status and perspectives. In: Embedded Real Time Software and Systems, Toulouse, France, 5–7 February, vol. 7991. Springer (2014)
Miller, S.P., Whalen, M.W., Cofer, D.D.: Software model checking takes off. Commun. ACM 53, 58–64 (2010)
Champion, A., Mebsout, A., Sticksel, C., Tinelli, C.: The Kind 2 model checker. In: Chaudhuri, S., Farzan, A. (eds.) CAV 2016. LNCS, vol. 9780, pp. 510–517. Springer, Cham (2016). doi:10.1007/978-3-319-41540-6_29
NASA: Qualification of Formal Methods Tools Under DO-330 (2017). https://shemesh.larc.nasa.gov/fm/FMinCert/DO-330-case-studies-RC.html
Mebsout, A., Tinelli, C.: Proof certificates for SMT-based model checkers for infinite-state systems. In: FMCAD, Mountain View, California, USA, October 2016. http://cs.uiowa.edu/~amebsout/papers/fmcad2016.pdf
Halbwachs, N., Caspi, P., Raymond, P., Pilaud, D.: The synchronous dataflow programming language LUSTRE. In: Proceedings of the IEEE, pp. 1305–1320 (1991)
de Moura, L., Bjørner, N.: Z3: an efficient SMT solver. In: Ramakrishnan, C.R., Rehof, J. (eds.) TACAS 2008. LNCS, vol. 4963, pp. 337–340. Springer, Heidelberg (2008). doi:10.1007/978-3-540-78800-3_24
Barrett, C., Conway, C.L., Deters, M., Hadarean, L., Jovanović, D., King, T., Reynolds, A., Tinelli, C.: CVC4. In: Gopalakrishnan, G., Qadeer, S. (eds.) CAV 2011. LNCS, vol. 6806, pp. 171–177. Springer, Heidelberg (2011). doi:10.1007/978-3-642-22110-1_14
Stump, A., Oe, D., Reynolds, A., Hadarean, L., Tinelli, C.: SMT proof checking using a logical framework. Form. Methods Syst. Des. 41, 91–118 (2013)
Gacek, A.: JKind - a Java implementation of the KIND model checker (2014). https://github.com/agacek/jkind
Acknowledgments
This work was funded by NASA contract NNL14AA06C.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Wagner, L., Mebsout, A., Tinelli, C., Cofer, D., Slind, K. (2017). Qualification of a Model Checker for Avionics Software Verification. In: Barrett, C., Davies, M., Kahsai, T. (eds) NASA Formal Methods. NFM 2017. Lecture Notes in Computer Science(), vol 10227. Springer, Cham. https://doi.org/10.1007/978-3-319-57288-8_29
Download citation
DOI: https://doi.org/10.1007/978-3-319-57288-8_29
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-57287-1
Online ISBN: 978-3-319-57288-8
eBook Packages: Computer ScienceComputer Science (R0)