This paper reports an industrial experiment in applying formal proof techniques to avionics software. The application became possible by using Caveat, a tool dedicated to assisting the comprehension and formal verification of safety-critical applications written in C. With this approach it is possible to significantly reduce the current, test-based verification effort needed to achieve the verification objectives defined by DO 178B [4].

1.3. Proof of Property

Property proof (or program proof) is a well-known technique, based on Hoare's [1] or Dijkstra's [2] theories. An interesting characteristic of these theories is that they can be computer aided, i.e. a tool can be developed to help prove properties. In order to meet the objectives defined in section 1.1, the requirements for such a tool are listed below.

Ability to prove avionics C code. This is the strongest requirement, because the formal verification is aimed at real software products.

Ease of learning and use. The main point here is that the tool can be used by "standard" software developers, not only by a team of formal proof specialists.

Early payback. Tool-aided formal proof must be used as a replacement for (not in addition to) the most tedious and expensive phases of the testing process.

Easy integration. The use of the tool should not disrupt the current verification process and environment.

A tool which meets these requirements is Caveat, developed by the French Commissariat à l'énergie atomique (CEA). This tool, evaluated by Aerospatiale during the European project LAW [3], is a "verification assistant" able to perform proof of property.

1.4. Avionics Software Characteristics

Functions. The different classes of functions in an avionics software product are numerical computation, hardware handling, communication protocols, security/protection mechanisms, fault detection and recovery, and Boolean computation.

Properties. Avionics software must have the following types of property: functional, safety, robustness and temporal.

Architecture and sizes. The design and coding rules of avionics software lead to a modular architecture. They also limit the size and complexity of the individual modules. The size of an entire avionics software product may be up to 500,000 lines of code.

Algorithms. From that point of view, avionics software is never very complicated. For instance, the loops are very simple (e.g. array initialisation, search within an array). So one of the great difficulties of automatic property proof, i.e. the analysis of loops, is simplified a lot.
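As an added illustration of the kind of loop property the paper has in mind (this is constructed example code, not from the paper and not Caveat's own annotation language), the following C block takes one of the simple loops mentioned above, a search within an array, and writes its Hoare-style contract and loop invariant as comments. Helper functions evaluate the same predicates at runtime so that the three proof obligations of a Hoare-style loop proof (the invariant holds on entry, the body preserves it, and invariant plus negated guard implies the postcondition) can be observed on sample data. A prover such as the one the paper describes establishes these symbolically for all inputs; the runtime checks here only show what is being proved. The names `find_first`, `postcondition_holds` and `NOT_FOUND` are assumptions of this example.

```c
#include <stdio.h>

/* Constructed example: bounded linear search over an int array.
 * Contract and invariant are written in Hoare-triple style comments
 * (illustrative notation only). */

#define NOT_FOUND (-1)

/* Predicate: forall j in [0,i): a[j] != key */
static int none_equal_before(const int *a, int i, int key)
{
    for (int j = 0; j < i; j++)
        if (a[j] == key)
            return 0;
    return 1;
}

/* Loop invariant I(i):  0 <= i <= n  &&  forall j in [0,i): a[j] != key */
static int invariant_holds(const int *a, int n, int i, int key)
{
    return 0 <= i && i <= n && none_equal_before(a, i, key);
}

/* Postcondition Q(result):
 *   result == NOT_FOUND  ==>  forall j in [0,n): a[j] != key
 *   0 <= result < n      ==>  a[result] == key
 *                             && forall j in [0,result): a[j] != key */
int postcondition_holds(const int *a, int n, int key, int result)
{
    if (result == NOT_FOUND)
        return none_equal_before(a, n, key);
    return 0 <= result && result < n && a[result] == key
           && none_equal_before(a, result, key);
}

/* Precondition P: a != NULL && n >= 0.
 * Returns the first index holding key, or NOT_FOUND.
 * *obligations_ok is set to 0 if any of the three proof obligations
 * (P ==> I(0); I && guard && body ==> I; exit ==> Q) is observed to
 * fail at runtime, which on a correct loop never happens. */
int find_first(const int *a, int n, int key, int *obligations_ok)
{
    int ok = 1;
    int i = 0;
    int result = NOT_FOUND;

    ok = ok && invariant_holds(a, n, i, key);          /* P ==> I(0) */
    while (i < n) {
        if (a[i] == key) {
            result = i;
            break;                                      /* early exit: Q must still hold */
        }
        i++;
        ok = ok && invariant_holds(a, n, i, key);      /* body preserves I */
    }
    ok = ok && postcondition_holds(a, n, key, result);  /* I && !guard ==> Q */
    if (obligations_ok)
        *obligations_ok = ok;
    return result;
}

int main(void)
{
    /* Constructed sample data. */
    const int a[] = {3, 7, 9, 7};
    int n = 4, ok = 0;
    int r = find_first(a, n, 7, &ok);
    printf("first index of 7: %d, obligations ok: %d\n", r, ok);
    r = find_first(a, n, 5, &ok);
    printf("first index of 5: %d, obligations ok: %d\n", r, ok);
    return 0;
}
```

The postcondition deliberately states "first" occurrence, so `postcondition_holds` rejects a result that points at a later matching element; that is exactly the kind of distinction a functional property makes precise and a prover can check without test vectors.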