Software aspects of aeronautical certification and static analysis tools

Gérard LADIER
Airbus / Aerospace Valley
ladier@aerospace-valley.com
January 2010 (09/2010)

Equipment rules (JAR/FAR 25.1309)
• "Essential" equipment must be designed to perform its intended functions.
• The airplane systems and associated components, considered separately and in relation to other systems, must be designed so that:
  – the occurrence of any failure condition which would prevent the continued safe flight and landing of the airplane is extremely improbable, and
  – the occurrence of any other failure condition which would reduce the capability of the airplane or the ability of the crew to cope with adverse operating conditions is improbable.
• ...
© AIRBUS FRANCE S.A.S. All rights reserved. Confidential document.
Means of conformance
"It is in general not feasible to assess the number or kinds of software errors, if any, that may remain after the completion of system design, development, and test. DO-178B/ED-12B provides acceptable means for assessing and controlling the software used to program digital computer-based systems."
First principle
"We can't get clean water from a dirty pipe": evidence is requested on the pipe, that is, on the process.
[Figure: the software "pipe" as a chain of processes. Process T(q) defines the HLRs; process T(q+1) refines them into HLR(1) + implementation detail; process T(q+2) into HLR(2) + implementation detail; … ; process T(x) produces the object code. Evidence is requested at each stage of the pipe.]
DO-178/ED-12: evidence on the pipe …
• "DO-178B/ED-12B is primarily a process-oriented document"
  => a set of requirements on the processes (development, verification, etc.) and on their outputs
• "The occurrence of any failure condition which would prevent the continued safe flight and landing of the airplane is extremely improbable"
  => the evidence required on the fulfilment of these requirements varies with the software "criticality" level

[Extract of Annex A, Table A-7, objective 3, from the French edition; the per-level marks did not survive extraction]
  Objective                                                 Ref.      Applicability by software level (A B C D)
  3  Test coverage of high-level requirements is achieved   6.4.4.1   marked for all four levels
  Output: Software Verification Results (11.14); control category by software level (A B C D): marks not recoverable
Life cycle and processes
• Definition of separate processes that are combined, for a given project, to describe its life cycle:
  – planning process (organization and plans rather than scheduling)
  – development process (specification, design, coding, integration)
  – integral processes (verification, configuration management, quality assurance, certification liaison process).
• Defined for each process:
  – the assurance objectives
  – the means of achieving those objectives
  – the process input data
  – the process activities
  – the process products
  – the transition criteria that must be met in order to proceed.
Main common requirements on the development processes
• Standards must be written, and evidence of compliance with the rules should be provided.
• Rules? Dozens of documents, which define precisely how to perform an activity (methods, means, constraints, expected outputs, etc.).
• Each developed requirement or design item should be consistent, precise, traceable and verifiable.
Configuration management & quality assurance
To assist in satisfying the general objectives to:
  – control the configuration of the software throughout the software life cycle
  – be able to replicate the executable object code
  – control process inputs and outputs during the software life cycle
  – provide baselines for review, assessment and change control
  – ensure problem management and change control
  – ensure archiving and recovery.
To provide evidence that:
  – what is done is what is described in the plans
  – the transition criteria are reached
  – a conformity review of the software is conducted.
Main characteristics:
  – independence
  – an active role during the life cycle process.
Tool qualification - 1
• Necessary when processes required by the rest of the document are eliminated, reduced or automated by the use of a deterministic software tool whose outputs are not verified.
• Three qualification criteria, depending on the risk associated with the tool's usage:
  – Criterion 1: development tool.
  – Criterion 2: verification tool which could have an impact on the resulting software, i.e. used to justify the elimination or reduction of verification processes other than the one automated by the tool, or of development processes which could have an impact on the resulting software.
  – Criterion 3: verification tool.
Tool qualification - 2
• The qualification criterion is combined with the software level to give the Tool Qualification Level (TQL). [Table of the slide not reproduced in extraction.]
• Two distinct roles are defined:
  – the user: defines his needs (Tool Operational Requirements, TOR) and validates the tool in its usage context;
  – the developer: defines his development specification (Tool Requirements, TR), develops the tool and provides the life cycle data.
• The sharing of activities between these two roles is defined for COTS tools (11.3).
Tool qualification - 3
Qualification requirements:
• TQL 1, 2 and 3: the TQL 4 requirements plus "implementation" requirements, which depend on the level of the final product software developed with the tool.
• TQL 4: the TQL 5 requirements plus "project management" requirements:
  – TOR reviews (complete, accurate and consistent)
  – definition of the processes in plans
  – definition of the TR and their verification against the TOR
  – verification of the tool against the TR, and requirements coverage
  – configuration and change management.
• TQL 5: "contracting authority" requirements, mainly concentrated in the TOR:
  – Table T-0 defining all the "user" requirements, including the validation of the tool against the need expressed in the "avionics" PSAC
  – plus one requirement: "Impact of known problems on the TOR".
Second principle
"A clean pipe may not deliver clean water": filters are stacked to detect and eliminate impurities.
Verification
• The most important section of DO-178/ED-12, in terms of:
  – volume: 13 pages of description (about 5 pages for the other processes)
  – workload incurred (A380: 4 lines of test per line of embedded code …)
• Basic principles:
  – "Integral" process => applies to all the development processes
  – a combination of reviews, analyses and tests to detect and identify the errors introduced during development.
Reviews? Analyses? Tests?
• Three major tools for bug-busters:
  – Review: inspection of a product by an independent person (level A); qualitative evaluation.
  – Analysis: detailed examination of a product or process, potentially done by a tool; quantitative evaluation.
  – Test: running the software and comparing the actual outputs to the expected ones:
    · functional tests
    · NO TEST BASED ON CODE STRUCTURE
    · functional & structural coverage analysis
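Structural coverage analysis does not drive the tests: the tests come from the requirements, and the analysis then measures which code structure they exercised, so that uncovered structure points either at a missing requirement-based test or at dead code. For level A software the criterion required by DO-178B Table A-7 is MC/DC, where each condition of a decision must be shown to independently affect the outcome. The checker below is an added example, not code from the slides or from Airbus: it evaluates decision coverage and unique-cause MC/DC for a constructed decision over a constructed set of requirement-based test vectors, and shows the gap such an analysis reveals. The decision, the vectors and all names are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>

#define NCOND 3

/* Decision under analysis (constructed example): D = (A && B) || C, as
   an LLR such as "raise the warning when the sensor is valid and out of
   range, or when the manual test is active". */
static bool decision(const bool c[NCOND])
{
    return (c[0] && c[1]) || c[2];
}

typedef struct {
    bool cond[NCOND];   /* values of conditions A, B, C in one test */
} test_vector;

/* True when v1 and v2 differ in condition k and agree everywhere else. */
static bool differ_only_in(const test_vector *v1, const test_vector *v2, size_t k)
{
    for (size_t i = 0; i < NCOND; i++) {
        bool same = (v1->cond[i] == v2->cond[i]);
        if (i == k ? same : !same)
            return false;
    }
    return true;
}

/* Decision coverage: the decision has been observed both true and false. */
bool decision_covered(const test_vector *v, size_t n)
{
    bool seen_true = false, seen_false = false;
    for (size_t i = 0; i < n; i++) {
        if (decision(v[i].cond)) seen_true = true; else seen_false = true;
    }
    return seen_true && seen_false;
}

/* Unique-cause MC/DC: condition k is shown independent when two vectors
   differ only in k and yield different decision outcomes. Returns the
   number of conditions shown independent; shown[k] keeps the detail. */
size_t mcdc_independent(const test_vector *v, size_t n, bool shown[NCOND])
{
    size_t count = 0;
    for (size_t k = 0; k < NCOND; k++) {
        shown[k] = false;
        for (size_t i = 0; i < n && !shown[k]; i++)
            for (size_t j = i + 1; j < n && !shown[k]; j++)
                if (differ_only_in(&v[i], &v[j], k) &&
                    decision(v[i].cond) != decision(v[j].cond))
                    shown[k] = true;
        if (shown[k]) count++;
    }
    return count;
}

/* Constructed requirement-based test set, written from the requirements
   without looking at the code structure. */
static const test_vector req_tests[] = {
    {{true,  true,  false}},   /* valid and out of range -> warning    */
    {{false, true,  false}},   /* invalid sensor         -> no warning */
    {{true,  false, false}},   /* in range               -> no warning */
    {{false, false, true }},   /* manual test active     -> warning    */
};

/* Coverage analysis of that set: 2 of 3 conditions are shown independent.
   C is never toggled on its own, which reveals a missing requirement-based
   test ("manual test off, sensor invalid -> no warning"). */
size_t analyse_req_tests(void)
{
    bool shown[NCOND];
    return mcdc_independent(req_tests, sizeof req_tests / sizeof req_tests[0], shown);
}

/* Same analysis once the missing test is added: all 3 conditions shown. */
size_t analyse_completed_tests(void)
{
    test_vector v[5];
    for (size_t i = 0; i < 4; i++)
        v[i] = req_tests[i];
    v[4] = (test_vector){{false, false, false}};   /* manual test off -> no warning */
    bool shown[NCOND];
    return mcdc_independent(v, 5, shown);
}
```

The point of the exercise is the order of operations: the fifth vector is added because the requirement it exercises was found to be untested, not because the code had an uncovered branch; if no requirement could justify it, the uncovered structure would be a dead-code finding instead.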
DO-178/ED-12 - the verification process
[Figure: the verification objectives of the Annex A tables attached to each development artifact. "Compliance" means compliance with requirements; "Conformance" means conformance with standards.]
• High-level requirements, verified against the system requirements (development objectives A-2: 1, 2):
  A-3.1 Compliance, A-3.2 Accuracy & Consistency, A-3.3 HW Compatibility, A-3.4 Verifiability, A-3.5 Conformance, A-3.6 Traceability, A-3.7 Algorithm Accuracy
• Software architecture (A-2: 3, 4, 5):
  A-4.8 Architecture Compatibility, A-4.9 Consistency, A-4.10 HW Compatibility, A-4.11 Verifiability, A-4.12 Conformance, A-4.13 Partition Integrity
• Low-level requirements (A-2: 3, 4, 5):
  A-4.1 Compliance, A-4.2 Accuracy & Consistency, A-4.3 HW Compatibility, A-4.4 Verifiability, A-4.5 Conformance, A-4.6 Traceability, A-4.7 Algorithm Accuracy
• Source code (A-2: 6):
  A-5.1 Compliance (with the LLR), A-5.2 Compliance (with the architecture), A-5.3 Verifiability, A-5.4 Conformance, A-5.5 Traceability, A-5.6 Accuracy & Consistency, A-5.7 Complete & Correct
• Executable object code (A-2: 7):
  A-6.1 Compliance (with the HLR), A-6.2 Robustness (with the HLR), A-6.3 Compliance (with the LLR), A-6.4 Robustness (with the LLR), A-6.5 Compatible with Target
• A-7 Verification of verification (functional & structural coverage)
Third principle
Potentially opposite interests are at stake: independent authorities assess the process and the product.
ED-12B/DO-178B - certification liaison
• Objective: ensure effective communication and understanding between the applicant and the certification authorities.
• Means:
  – the Plan for Software Aspects of Certification (PSAC), given to the authorities as early as possible
  – reviews carried out by the certification authorities' "software" specialists, as many as they want
  – the Software Accomplishment Summary and the Software Configuration Index.
Fourth principle
All the interests must be taken into account to build a recognized set of requirements: DO-178/ED-12 is built and updated by all the concerned specialists and actors.
Consensus on requirements
• Joint meetings between RTCA SC-205 and EUROCAE WG-71
• Openness, consensus:
  – more than 1200 people registered on the web site
  – about 120 attendees at each meeting: aircraft manufacturers, engine makers, equipment suppliers, authorities, scientists and consultants
  – the final text has to be agreed by each of the attendees.
DO-178C/ED-12C
• The "core document" will be completed by supplements.
  Supplement: guidance used in conjunction with DO-178C/ED-12C that addresses the unique nature of a specific technology or a specific method. A supplement adds, deletes or otherwise modifies objectives, activities, explanatory text and software life cycle data in DO-178C/ED-12C.
• This structuring principle enables incremental future development of the software requirements.
[Figure: the DO-178C/ED-12C core document with its interface specification, to which Supplement A, Supplement B, … Supplement N attach; alongside it DO-278A/ED-109A and DO-248C/ED-94C (FAQ / discussion papers / rationale).]
DO-178C/ED-12C: evolution of the content
• Major improvements are in the supplements:
  – object-oriented technology
  – model-based development
  – formal methods technology
  – tool qualification
• In the core document:
  – basically clarification and improvement of consistency and accuracy,
  – except for the tool qualification part:
    · separation of the "why?" part (in the core document) from the "how?" part (in the supplement)
    · significant evolution of the "why?".
Formal Methods Technology supplement
• The FM introductory section stresses the value of using FM for verification.
• Formal analysis (FA) may completely replace:
  – reviews & analyses (except for the validation of "derived requirements")
  – conformance tests against the HLR and against the LLR
  – software integration tests
  – robustness tests.
• FA may help for the verification of compatibility with the hardware.
• FA cannot replace HW/SW integration tests.
• The structural coverage objectives are achieved if it can be demonstrated that:
  – each requirement is completely covered,
  – the set of requirements is complete with regard to the intended function,
  – there are no unintended dependencies between output and input data,
  – there is no dead code.
Fifth principle
Only the requirements are mandatory, not the means: building the "pipe" is to be dealt with by the suppliers.

Today
Which industrial use for static analysis tools? Not so frequent …
How to convince the certification authorities?
Example of the "unit-level proof of LLR":
• Discuss with the certification authorities' software specialists well before the actual use of the tool, to get general feedback (go/no go).
• Demonstrate the soundness of the approach.
• Define specific rules and standards.
• Demonstrate the completeness of the properties.
• Define the LLR as pseudo-code + properties.
• Integrate smoothly in the overall verification/traceability processes.
• Detect and eliminate dead code.
• Verify the executable code.
• Qualify the tool (verification ++ tool).
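What "LLR as pseudo-code + properties" looks like at unit level, as an added example that is not from the slides nor Airbus code: the LLR of a rate limiter is the C body (the pseudo-code half) together with an ACSL contract (the properties half), the form consumed by deductive provers such as Frama-C's WP or its predecessor CAVEAT. The input range in the precondition is what lets a prover discharge every arithmetic operation as free of 32-bit overflow, and it is also what makes an extra defensive branch provably unreachable, which is the dead-code finding the slide refers to. The signal range, the function and the self-check vectors are assumptions; the contract assumes the annotations are run through the C preprocessor (Frama-C option -pp-annot) so the macro can appear inside them.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* Assumed operating range of the command signal (constructed for this
   example). Stating it in the LLR is what lets the prover discharge every
   arithmetic operation below without 32-bit overflow. */
#define CMD_MAX 1000000

/* LLR: the output follows the command but moves by at most max_step per
   call, and stays within the command range. */
/*@ requires -CMD_MAX <= prev <= CMD_MAX;
  @ requires -CMD_MAX <= cmd <= CMD_MAX;
  @ requires 0 < max_step <= CMD_MAX;
  @ assigns \nothing;
  @ ensures -max_step <= \result - prev <= max_step;
  @ ensures -CMD_MAX <= \result <= CMD_MAX;
  @ ensures cmd >= prev ==> prev <= \result <= cmd;
  @ ensures cmd <= prev ==> cmd <= \result <= prev;
  @*/
int32_t rate_limit(int32_t prev, int32_t cmd, int32_t max_step)
{
    /* Under the requires clauses |cmd - prev| <= 2*CMD_MAX, so neither this
       subtraction nor the additions below can overflow: that is the run-time
       error a proof (or an abstract interpreter) has to discharge here. */
    int32_t delta = cmd - prev;
    if (delta > max_step)
        return prev + max_step;
    if (delta < -max_step)
        return prev - max_step;
    /* A further defensive test such as "if (max_step <= 0) return prev;"
       would be unreachable under the precondition: exactly the dead code
       that must be detected and eliminated (or justified). */
    return cmd;
}

/* Executable cross-check of the same properties on constructed vectors, the
   kind of check kept on the target when the proof is done at source level.
   Returns the number of failed checks (0 expected). */
int rate_limit_selfcheck(void)
{
    static const int32_t vec[][3] = {   /* prev, cmd, max_step */
        {0, 100, 10}, {0, -100, 10}, {50, 55, 10},
        {CMD_MAX, -CMD_MAX, CMD_MAX}, {-CMD_MAX, CMD_MAX, 1}, {7, 7, 3},
    };
    int failures = 0;
    for (size_t i = 0; i < sizeof vec / sizeof vec[0]; i++) {
        int64_t prev = vec[i][0], cmd = vec[i][1], step = vec[i][2];
        int64_t r = rate_limit(vec[i][0], vec[i][1], vec[i][2]);
        bool ok = (r - prev <= step) && (prev - r <= step)
               && (-CMD_MAX <= r && r <= CMD_MAX)
               && (cmd >= prev ? (prev <= r && r <= cmd)
                               : (cmd <= r && r <= prev));
        if (!ok)
            failures++;
    }
    return failures;
}
```

Completeness of the properties is the part the authorities will probe: the four ensures clauses pin the result down to a single value for every input, so a prover that accepts them has checked the whole LLR, not just a sample of it. The self-check does not replace the proof; it is what remains to be run on the executable object code, where the proof on the source gives no credit by itself.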

Tomorrow …
Which industrial use for static analysis tools?

Tomorrow … 1
• Proof of absence of run-time execution errors:
  – ASTREE (ENS/ABSINT)
  – for effective certification credit
• Precision of floating-point computation:
  – Fluctuat (CEA):
    · abstract-interpretation based; analysis of C or assembly code
    · safe computation of the numerical (rounding) errors introduced by basic operators or by input-filtering code
  – in use at Airbus for evaluation:
    · research prototype for the C language
    · pre-industrial prototype for the TMS320C33 assembly language
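What "safe computation of the rounding errors introduced by input-filtering code" means in the small, as an added example that is neither from the slides nor from Fluctuat: a first-order low-pass input filter computed in single precision, with a forward error bound propagated alongside it, one rounded operation at a time, and a double-precision run of the same recurrence as a reference. The bound is a hand-derived worst-case bound (each IEEE-754 operation is the exact result times (1 + d), |d| <= 2^-24), not Fluctuat's abstract domain, which tracks the error more tightly; the coefficients, the unit-step input and the names are assumptions.

```c
#include <float.h>

/* Unit roundoff of IEEE-754 binary32 (round to nearest): every basic
   operation on floats yields the exact result times (1 + d), |d| <= U32. */
#define U32 ((double)FLT_EPSILON / 2.0)

/* First-order low-pass input filter as flown in single precision,
   y[n] = A*x[n] + B*y[n-1], with constructed coefficients. */
#define FILT_A 0.125f
#define FILT_B 0.875f

typedef struct {
    float  y_f;    /* value the target actually computes              */
    double y_ref;  /* same recurrence in double, as a reference        */
    double err;    /* bound on |y_f - exact real-number y| so far      */
} filt_state;

static double absd(double v) { return v < 0.0 ? -v : v; }

void filt_init(filt_state *s)
{
    s->y_f = 0.0f; s->y_ref = 0.0; s->err = 0.0;
}

/* One filter step. The error carried by y[n-1] is scaled by |B|, and each
   of the three rounded operations adds at most U32 times the magnitude of
   its own result. Magnitudes are taken from the float values widened by the
   error they carry, so the result stays an upper bound on the real-number
   error (up to the negligible double rounding of the bound arithmetic). */
float filt_step(filt_state *s, float x)
{
    float t1 = FILT_A * x;          /* rounded operation 1 (exact here: A is a power of two) */
    float t2 = FILT_B * s->y_f;     /* rounded operation 2 */
    float y  = t1 + t2;             /* rounded operation 3 */

    double e_prev = s->err;
    double mag_t1 = absd((double)FILT_A * (double)x);
    double mag_t2 = (double)FILT_B * (absd((double)s->y_f) + e_prev);
    double mag_y  = (mag_t1 + mag_t2) * (1.0 + U32);        /* >= |t1 + t2| */
    s->err = (double)FILT_B * e_prev + U32 * (mag_t1 + mag_t2 + mag_y);

    s->y_ref = (double)FILT_A * (double)x + (double)FILT_B * s->y_ref;
    s->y_f = y;
    return y;
}

/* Constructed stimulus: n samples of a unit step. */
static filt_state run_step_input(int n)
{
    filt_state s;
    filt_init(&s);
    for (int i = 0; i < n; i++)
        filt_step(&s, 1.0f);
    return s;
}

/* Observed |float - double| discrepancy after n samples. */
double filt_demo_discrepancy(int n)
{
    filt_state s = run_step_input(n);
    return absd((double)s.y_f - s.y_ref);
}

/* Computed error bound after n samples; the discrepancy never exceeds it. */
double filt_demo_bound(int n)
{
    return run_step_input(n).err;
}

/* Filter output after n samples (converges to the step amplitude 1). */
float filt_demo_output(int n)
{
    return run_step_input(n).y_f;
}
```

Because the recurrence multiplies the carried error by |B| < 1, the bound settles to a finite steady state (about 2*U32/(1 - B) here) instead of growing without limit; a filter with |B| >= 1, or one whose gain is changed at run time, would show the bound drifting, which is exactly the property such an analysis is run to expose before the code is frozen.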
Tomorrow … 2
• Validation of the compilation:
  – Lcertify (ENS): research activity in Airbus
  – Compcert (INRIA): industrial prototype available; efficient compilation of a complete subset of the A380 fly-by-wire software
  – other "translation validation tools" would be highly desirable (e.g. Scade -> C)
• Various analyses of C code:
  – FRAMA-C (CEA):
    · plugin WP to succeed CAVEAT
    · plugin TASTER for syntactic control (coding rules enforcement)
    · plugin for data flow/control flow verification, coming soon
Special thanks …
• To the co-chairs of the fantastic formal methods SG of the DO-178C joint committee:
  – Kelly Hayhurst (NASA)
  – Duncan Brown (Rolls Royce)
• To the Airbus formal methods dream team:
  – Famantanantsoa Randimbivololona
  – Jean Souyris
  – David Delmas
• And to Hervé Delseny from Airbus, who liaised both …

Word-cloud images made on http://www.wordle.net