Eric Jenn

Use of PERC Pico in the AIDA avionics platform

In this paper, we present the DIANA experiment on the use of Java in avionics safety critical applications. First, we discuss some concerns about the porting of the Java platform on the ARINC 653 operating system. Then the paper focuses on some important features of the Safety Critical Java Technology adopted in the project. Particular attention is turned on the Java memory model which is stack-based as opposed to the ongoing JSR-302 memory regions model. Benefits and issues of this approach are discussed through a real use case implementation representing part of a Flight Warning System.

A case study of specification and verification using JML in an avionics application

The literature for deductive formal verification is quite rich; however, very few case studies have been done. The authors present a case study of using deductive formal verification of a navigation system from the avionics domain. Both writing the specifications and their verification with a runtime assertion checker and KEY, a tool using automatic theorem proving techniques for verifying JAVA programs, are covered.

Safety critical applications and hard real-time profile for Java: a case study in avionics

Despite Javas initial promise of providing a reliable and cost-effective platform-independent environment, the language appears to be unfavourable in the area of high-integrity systems and real-time systems.To address this issue, the language environment must provide not only a well-defined specification or subset, but also a complete environment with appropriate analysis tools. This paper describes an architecturally neutral real-time frame-work, which is proposed by the HIJA project, for safety critical systems with analysis tools. The goal of this paper is to present an overview of hard real-time profile and report on its current status. An avionic application is selected to experiment with the ANRT framework and the SCJ profile is also illustrated.

Formal Verification of a Rover Anti-collision System

In this paper, we integrate inductive proof, bounded model checking, test case generation and equivalence proof techniques to verify an embedded system. This approach is implemented using the Systerel Smart Solver (S3) toolset. It is applied to verify properties at system, software, and code levels. The verification process is illustrated on an anti-collision system (ARP for Automatic Rover Protection) implemented on-board a rover. Focus is placed on the verification of safety and functional properties and the proof of equivalence between the design model and the generated code.

Integrated formal verification of safety-critical software

This work presents a formal verification process based on the Systerel Smart Solver (S3) toolset for the development of safety-critical embedded software. In order to guarantee the correctness of the implementation of a set of textual requirements, the process integrates different verification techniques (inductive proof, bounded model checking, test cases generation, and equivalence proof) to handle different types of properties at their best capacities. It is aimed at the verification of properties at system, design, and code levels. To handle the floating-point arithmetic (FPA) in both the design and the code, an FPA library is designed and implemented in S3. This work is illustrated on an Automatic Rover Protection system implemented onboard a robot. Focus is placed on the verification of safety and functional properties and on the equivalence proof between the design model and the generated code.

Event-B at Work: Some Lessons Learnt from an Application to a Robot Anti-collision Function.

The technical and academic aspects of the Event-B method, and the abstract description of its application in industrial contexts are the subjects of numerous publications. In this paper, we describe the experience of development engineers non familiar with Event-B to getting to grips with this method. We describe in details how we used the formalism, the refinement method, and its supporting toolset to develop the simple anti-collision function embedded in a small rolling robot. We show how the model has been developed from a set of high-level requirements and refined down to the software specification. For each phase of the development, we explain how we used the method, expose the encountered difficulties, and draw some practical lessons from this experiment.

Model-Checking Real-Time Properties of an Auto Flight Control System Function

We relate an experiment in modeling and verification of a part of an avionic function. The problem addressed is the correctness of a temporal condition enabling the detection of a range of faults in the implementation of the function. Using the Fiacre/Tina verification toolset, we produced a formal model abstracting the function, and confirmed by model-checking that the condition determined analytically is indeed correct. The modelling issues ensuring tractability of the model are discussed.

Stepwise Formal Modeling and Verification of Self-Adaptive Systems with Event-B. The Automatic Rover Protection Case Study

For a long time, formal methods have been effectively applied to design and develop safety-critical systems to ensure safety and the correctness of desired functional behaviors through formal reasoning. The development of high confidence self-adaptive autonomous systems, such as Automatic Rover Protection(ARP), is one of the challenging problems in the area of verified software that needs formal reasoning and proof-based development. In this paper, we propose a methodology that reveals the issues involved in the formal modeling and verification of self-adaptive autonomous systems using correct by construction approach. This work also provides a set of guidelines for tacking the different issues to avoid collision by preserving the local and global properties of an autonomous system. We cater for the specification of functional requirements, timing requirements, spatial and temporal behavior, and safety properties. We present a refinement strategy, modeling patterns to capture the essence of a self-adaptive autonomous system, and a substantial example based approach on an industrial case study: TwIRTee. For developing the formal models of autonomous system, we use the Event-B modeling language and associated Rodin tools to check and verify the correctness of required system behavior and internal consistency under the given safety properties.

Correct-by-construction specification to verified code

Event‐B is a formal notation and method for the systems development. The key feature of this method is to produce correct‐by‐construction system designs. Once the correct design is established, the remaining work is to generate or implement correct code from the design. Two main problems remain in the process from the correct‐by‐construction design to the correct software. First, the Event‐B design is “quasi‐correct” due to some technical limitations. For instance, it is still difficult to prove the liveness properties by the Rodin platform; it is not possible to construct the Event‐B design with floating‐point arithmetic, and sometimes, the Event‐B model is incomplete and must rely on the third‐party libraries. Therefore, a method is needed to complement these modeling and proof gaps. Secondly, proving the correctness of an automatic code generator is very difficult; therefore, a method is needed to guarantee the correctness of the produced code without proving the code generator. In this article, we address the above 2 problems by introducing an intermediate formal language called High‐Level Language (HLL) between the Event‐B models and the C code. The Event‐B model is translated to HLL with an additional schedule configuration, where Event‐B invariants and system invariants (here, deadlock‐freeness and liveness properties) are proved using a SAT‐based model checker called S3. This proof guarantees the correctness of the HLL model with respect to the Event‐B model. The C code is then automatically generated from the HLL model for most functions and is manually implemented for the third‐party ones according to the function contracts defined in Event‐B. The correctness of the generated C code is guaranteed using the equivalence proof, and the correctness of the implemented C code is guaranteed using the conformance proof. Through the article, we use a traffic light controller to illustrate the proposed method; then, we apply the method to an automatic protection function of a 3‐wheeled robot to evaluate its feasibility.

Model Execution and Debugging - A Process to Leverage Existing Tools.

Model checking is an effective technique for the verification of critical systems. However, it relies on behavioral models which writing and verification is most of time costly. Thus, those models shall be validated and debugged thoroughly, and simulation, i.e. model execution, can be used for that purpose. To reduce the development costs of simulators and ensure their behavioral consistency with model verifiers, we advocate the reuse of parts of the model verification toolchain to implement them. To support this claim, this paper proposes a method illustrated with a realistic case study applied to FIACRE behavioral models. The approach relies on the creation and exploitation of relations between models representing the information required by the user on the one hand, and information produced by the tools, on the other hand.