This talk will give examples of Airbus use of Formal Methods to verify avionics software, and summarises the integration of Formal Methods in the upcoming ED-12/DO-178 issue C. Firstly, examples of verification based on theorem proving or abstract interpretation will show how Airbus has already taken advantage of the use of Formal Methods to verify avionics software. Secondly, we will show how Formal Method for verification has been introduced in the upcoming issue C of ED-12/DO-178.

1. Formal Method for Avionics Software Verification From a real use for Airbus aircrafts to the integration in ED-12C/DO-178C Open-DO Conference Combining Formality with Agility for Critical Software Presented by Hervé Delseny Head of Software Process Definition and Follow-up Expert in Software Aspects of Certification Avionics and Simulation Products Airbus

9. Formal Method on A380 : Unit Proof - Definition of proof environment - Flows Generation Verification of Flows against Design Proof performing Analysis of Proof Results Design Phase Data & control flows Caveat Caveat Flows Code compliant With Design Coding Phase C Source Functional Properties Caveat Process Management Tool Caveat is integrated into the process management tool to automate the proof process If OK If not OK

19. DO-178/ED-12 – Verification Process System Requirements High-Level Requirements Software Architecture Source Code Executable Object Code Low-Level Requirements Compliance Robustness Compatible With Target Compliance Robustness Accuracy & Consistency HW Compatibility Verifiability Conformance Algorithm Accuracy Verifiability Conformance Accuracy & Consistency Complete & Correct Compliance Traceability Architecture Compatibility Compliance Traceability Compliance Compliance Traceability Accuracy & Consistency HW Compatibility Verifiability Conformance Algorithm Accuracy Consistency HW Compatibility Verifiability Conformance Partition Integrity

21. FM Supplement : Formal verification instead of reviews HLR Formal HLR Accuracy & Consistency HW Compatibility Verifiability Conformance Algorithm Accuracy Accuracy & Consistency HW Compatibility Verifiability Conformance Algorithm Accuracy System Requirements Software Architecture Source Code Executable Object Code Low-Level Requirements When HLR are formaly expressed Formal analysis can be used Verifiability Conformance Accuracy & Consistency Complete & Correct Compliance Traceability Architecture Compatibility Compliance Traceability Compliance Compliance Traceability Compliance Robustness Compatible With Target Compliance Robustness Accuracy & Consistency HW Compatibility Verifiability Conformance Algorithm Accuracy Consistency HW Compatibility Verifiability Conformance Partition Integrity

22. FM Supplement : Formal verification instead of reviews HLR Formal HLR Accuracy & Consistency HW Compatibility Verifiability Conformance Algorithm Accuracy System Requirements Software Architecture Source Code Executable Object Code Low-Level Requirements When HLR and LLR are formaly expressed Formal analysis can be used Formal LLR Compliance Traceability Verifiability Conformance Accuracy & Consistency Complete & Correct Compliance Traceability Architecture Compatibility Compliance Traceability Compliance Compliance Traceability Compliance Robustness Compatible With Target Compliance Robustness Accuracy & Consistency HW Compatibility Verifiability Conformance Algorithm Accuracy Consistency HW Compatibility Verifiability Conformance Partition Integrity

24. FM Supplement : Formal verification for EOC HLR Accuracy & Consistency HW Compatibility Verifiability Conformance Algorithm Accuracy System Requirements Software Architecture Source Code Executable Object Code Low-Level Requirements When LLR are formaly expressed with a conservative representation between code and EOC, then Formal analysis can be used to replace some tests Formal LLR Compliance Traceability X Verifiability Conformance Accuracy & Consistency Complete & Correct Compliance Traceability Architecture Compatibility Compliance Traceability Compliance Compliance Traceability Compliance Robustness Compatible With Target Compliance Robustness Accuracy & Consistency HW Compatibility Verifiability Conformance Algorithm Accuracy Consistency HW Compatibility Verifiability Conformance Partition Integrity Conservative representation

26. FM Supplement : Formal verification for EOC HLR Accuracy & Consistency HW Compatibility Verifiability Conformance Algorithm Accuracy System Requirements Software Architecture Source Code Executable Object Code Low-Level Requirements Compatible With Target Properties might be proved directly on EOC : WCET, Stack usage, … Compatible With Target Verifiability Conformance Accuracy & Consistency Complete & Correct Compliance Traceability Architecture Compatibility Compliance Traceability Compliance Compliance Traceability Compliance Robustness Compliance Robustness Accuracy & Consistency HW Compatibility Verifiability Conformance Algorithm Accuracy Consistency HW Compatibility Verifiability Conformance Partition Integrity

31. © AIRBUS OPERATIONS S.A.S. All rights reserved. Confidential and proprietary document. This document and all information contained herein is the sole property of AIRBUS OPERATIONS S.A.S. No intellectual property rights are granted by the delivery of this document or the disclosure of its content. This document shall not be reproduced or disclosed to a third party without the express written consent of AIRBUS OPERATIONS S.AS. This document and its content shall not be used for any purpose other than that for which it is supplied. The statements made herein do not constitute an offer. They are based on the mentioned assumptions and are expressed in good faith. Where the supporting grounds for these statements are not shown, AIRBUS OPERATIONS S.A.S will be pleased to explain the basis thereof. AIRBUS, its logo, A300, A310, A318, A319, A320, A321, A330, A340, A350, A380, A400M are registered trademarks.