Certification & Qualification
Quentin Ochem, November 4th 2015
DO-178C
EN 50128:2011
Overall Picture
Architecture: Certifiable Libraries, Certifiable Platforms, Object Oriented Techniques
Verification: Testing tools, Structural code coverage, Formal proof, Static Analysis
Development Environment: Sustained Branches
Design: Formal Specification, Model to Code Generation
[Architecture] Libraries and Platforms
Targets: PowerPC / ARM / Leon / AVR ...
Operating systems: Bare Board, VxWorks 653 / Cert / 7, Lynx178, PikeOS
Languages: Ada, C
Run-time profiles: Zero Footprint, Cert Profile, Ravenscar profile
EN 50128 SIL 3/4; DO-178 Level A; EN 50128 T3
[Architecture] Object Orientation

   type Plane is abstract ...
   procedure Open_Doors (My_Plane : Plane)
     with Pre  => My_Plane.On_Ground,
          Post => My_Plane.Doors_Opened;

   type A380 is new Plane ...                                   ?
   procedure Open_Doors (My_Plane : Plane)
     with Pre  => My_Plane.On_Ground and My_Plane.Speed = 0.0,
          Post => My_Plane.Doors_Opened and My_Plane.Pressurization_Off;

   type Glider is new Plane ...
   procedure Open_Doors (My_Plane : Plane)
     with Pre  => null,
          Post => My_Plane.Doors_Unlocked;

   procedure Operate (My_Plane : Plane'Class) is
   begin
      if My_Plane.On_Ground then
         My_Plane.Open_Doors;
         My_Plane.Move_Passengers_Out;
      end if;
   end Operate;

DO-332 OO.6.7
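The slide's A380 override strengthens the precondition (On_Ground and Speed = 0.0) of an operation that Operate calls through a class-wide view, which is the substitutability problem DO-332 OO.6.7 (local type consistency) asks you to verify. The following is an added example, not code from the slides or from AdaCore: it keeps the slide's names (Plane, A380, Glider, Open_Doors, Operate), while the package name Aircraft, the record components and the body logic are assumptions. It uses Ada 2012 class-wide contracts (Pre'Class / Post'Class), which the language combines with "or" for preconditions and "and" for postconditions, so an override can only weaken what callers must establish and strengthen what they get back.

```ada
--  Added example (not from the slides): class-wide contracts that keep
--  overriding subprograms substitutable (DO-332 OO.6.7).
--  Package name, record components and bodies are assumptions.

package Aircraft is

   type Plane is abstract tagged record
      On_Ground    : Boolean := False;
      Speed        : Float   := 0.0;
      Doors_Opened : Boolean := False;
   end record;

   --  Class-wide contract inherited by every descendant.  Inherited
   --  Pre'Class expressions are OR'ed together and inherited Post'Class
   --  expressions are AND'ed, so an override can only weaken the
   --  precondition and strengthen the postcondition (Liskov rule).
   procedure Open_Doors (My_Plane : in out Plane) is abstract
     with Pre'Class  => My_Plane.On_Ground,
          Post'Class => My_Plane.Doors_Opened;

   type Glider is new Plane with null record;

   --  No precondition at all (weaker than On_Ground): substitutable.
   overriding procedure Open_Doors (My_Plane : in out Glider)
     with Pre'Class  => True,
          Post'Class => My_Plane.Doors_Opened;

   type A380 is new Plane with record
      Pressurization_Off : Boolean := False;
   end record;

   --  The slide's "On_Ground and Speed = 0.0" would strengthen the
   --  precondition.  Only the postcondition is strengthened here; the
   --  inherited Pre'Class (On_Ground) stays the effective precondition,
   --  so any caller that satisfies the Plane contract is accepted.
   overriding procedure Open_Doors (My_Plane : in out A380)
     with Post'Class => My_Plane.Doors_Opened
                        and My_Plane.Pressurization_Off;

   --  Dispatching client: verified once against the Plane contract.
   procedure Operate (My_Plane : in out Plane'Class);

end Aircraft;

package body Aircraft is

   overriding procedure Open_Doors (My_Plane : in out Glider) is
   begin
      My_Plane.Doors_Opened := True;
   end Open_Doors;

   overriding procedure Open_Doors (My_Plane : in out A380) is
   begin
      --  The speed condition cannot be a contract without breaking
      --  substitutability, so it is a defensive check in the body.
      if My_Plane.Speed /= 0.0 then
         raise Program_Error with "A380: doors opened while moving";
      end if;
      My_Plane.Pressurization_Off := True;
      My_Plane.Doors_Opened       := True;
   end Open_Doors;

   procedure Operate (My_Plane : in out Plane'Class) is
   begin
      if My_Plane.On_Ground then
         My_Plane.Open_Doors;   --  dispatches; Plane's Pre'Class holds here
      end if;
   end Operate;

end Aircraft;
```

Split the spec and body into aircraft.ads / aircraft.adb (gnatchop does this) and compile with -gnata so the class-wide contracts are checked at run time; with that switch, a dispatching call through Operate on any descendant is checked against the Plane contract that Operate was verified against.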
[Design] Model to Code Generation
Simulink® / Stateflow® ... -> QGen Code Generation (Ada or C)
Automatic Translation of Model Tests to Code Tests (in progress)
Credit sought on code review; credit sought on code test & coverage (in progress)
EN 50128 SIL 3/4; DO-178C TQL-1
[Design] Formal Specification
Low Level Requirements (DO-178C) / Software Component Design Specification (EN 50128)

   type A380 is new Plane ...
   procedure Open_Doors (My_Plane : Plane)
     with Pre  => My_Plane.On_Ground and My_Plane.Speed = 0.0,
          Post => My_Plane.Doors_Opened and My_Plane.Pressurization_Off;

DO-333 FM.6.3.2; EN 50128 D.28
[Development] Sustained Branches
Timeline: 2012, 2013, 2014
7.0 branch: 7.0.1, 7.0.2, 7.0.3, 7.0.4 (Critical Fixes)
7.1 branch: 7.1.1, 7.1.2 (Critical Fixes)
7.2 branch: 7.2.1, 7.2.2, 7.2.3 (Critical Fixes)
EN 50128 6.7.4.11; DO-178 4.4.2.f
[Verification] Testing Tools
Test Skeleton: Test --calls--> Subprogram under Test (Actual Code) --calls--> Stub (Stub Skeleton)
GNATtest will generate Test and Stub Skeletons for Units / Subprograms. The developer writes tests and stubs in Ada.
EN 50128 7.5; DO-178 6.4.3.c
[Verification] Structural Code Coverage
Sources: Ada 83 / 95 / 05 / 2012, C 99 (no instrumentation)
HOST: Pure Functional Test -> GNATemulator / Valgrind / DynamoRIO -> Coverage Data
TARGET: Pure Functional Test -> Lauterbach / iSYSTEM -> Coverage Data
Executable + Coverage Data -> Coverage Information: Statement, Decision, MC/DC
Source to Object Traceability Study (DO-178 6.4.4.2.b)
DO-178 TQL-5; EN 50128 T2
[Verification] Static Analysis
GNATcheck: coding standard check, metrics check, Ada feature usage check
CodePeer: out of range checks, overflow checks, uninitialized variables check
GNATstack: worst case stack consumption
DO-178 TQL-5; EN 50128 T2
[Verification] Formal Proof
Low Level Requirements (DO-178C) / Software Component Design Specification (EN 50128)

   type A380 is new Plane ...
   procedure Open_Doors (My_Plane : Plane)
     with Pre  => My_Plane.On_Ground and My_Plane.Speed = 0.0,
          Post => My_Plane.Doors_Opened and My_Plane.Pressurization_Off;

Low Level Test / Source Code Verification: formal proof of the code against the contract

   type A380 is new Plane ...
   procedure Open_Doors (My_Plane : Plane) is
   begin
      -- code
   end Open_Doors;

SPARK will formally verify the implementation of a subprogram against its specified contract. SPARK will (also) formally verify absence of run-time errors and data flow.
DO-333 FM.6.3.2; EN 50128 D.28
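As an added example for the Formal Specification and Formal Proof slides (not code from the slides or from AdaCore): a small SPARK package whose contracts play the role of the low-level requirement and whose body gnatprove checks against them. The package name Altimeter, the subtype Altitude, the global Last_Value and the subprograms Filter and Change are all assumptions. Global and Depends are the data-flow part of the contract; the Pre on Change is what makes the range check on its assignment provable, which is the "absence of run-time errors" credit the slide describes.

```ada
--  Added example (not from the slides): SPARK contracts as the low-level
--  requirement, with the body proved against them by gnatprove.
--  All names are assumptions.

package Altimeter
  with SPARK_Mode
is
   --  Altitude in feet.  The bounds are chosen so that a sum of two
   --  values still fits in Integer (no overflow check can fail).
   subtype Altitude is Integer range -2_000 .. 60_000;

   Last_Value : Altitude := 0;

   --  Requirement: Result is the average of the new sample and the
   --  previous one, and the new sample becomes the previous one.
   --  Global  : every piece of state the body may read or write.
   --  Depends : the information flow gnatprove checks against the body.
   --  Post    : what a low-level test would otherwise have to observe.
   procedure Filter (Sample : in Altitude; Result : out Altitude)
     with Global  => (In_Out => Last_Value),
          Depends => (Result     => (Sample, Last_Value),
                      Last_Value => Sample),
          Post    => Result = (Sample + Last_Value'Old) / 2
                     and Last_Value = Sample;

   --  Requirement: Difference is the change since the previous sample.
   --  Sample - Last_Value can reach +/- 62_000, outside Altitude, so the
   --  assignment in the body carries a range check; the Pre is exactly
   --  the condition under which that check cannot fail.  Remove the Pre
   --  and gnatprove reports the range check as unproved.
   procedure Change (Sample : in Altitude; Difference : out Altitude)
     with Global  => (Input => Last_Value),
          Depends => (Difference => (Sample, Last_Value)),
          Pre     => Sample - Last_Value in Altitude,
          Post    => Difference = Sample - Last_Value;

end Altimeter;

package body Altimeter
  with SPARK_Mode
is

   procedure Filter (Sample : in Altitude; Result : out Altitude) is
   begin
      --  Sum is within -4_000 .. 120_000 and the average of two values
      --  in Altitude is in Altitude, so both checks are proved.
      Result     := (Sample + Last_Value) / 2;
      Last_Value := Sample;
   end Filter;

   procedure Change (Sample : in Altitude; Difference : out Altitude) is
   begin
      --  Range check on this assignment is discharged by the Pre.
      Difference := Sample - Last_Value;
   end Change;

end Altimeter;
```

Put the two units in altimeter.ads / altimeter.adb and run gnatprove on the project that contains them: flow analysis checks Global and Depends against the bodies (a read of Last_Value in Change without it being listed would be reported), and proof discharges the overflow and range checks together with both postconditions. Callers of Change are in turn obliged to prove the Pre, which is how the requirement propagates to the rest of the design.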
Conclusion
Architecture: Certifiable Libraries, Certifiable Platforms, Object Oriented Techniques
  Bare Board, VxWorks, PikeOS; Math Library, Ravenscar; Liskov; PowerPC, ARM, LEON
Verification: Testing tools, Structural code coverage, Formal proof, Static Analysis
  GNATcheck, CodePeer, GNATstack, GNATcoverage, SPARK, GNATtest
Development Environment: Sustained Branches
  GNAT Pro
Design: Formal Specification, Model to Code Generation
  SPARK, QGen
EN 50128: Qualifiable / Certifiable
DO-178: Qualifiable / Certifiable