Certification & Qualification

Quentin OchemNovember 4th 2015

DO-178C

EN 50128:2011

Overall Picture

ArchitectureCertifiable LibrariesCertifiable PlatformsObject Oriented Techniques

VerificationTesting toolsStructural code coverageFormal proofStatic Analysis

Development EnvironmentSustained Branches

DesignFormal SpecificationModel to Code Generation

[Architecture] Libraries and Platforms

PowerPC / ARM / Leon / AVR…

Bare Board VxWorks 653 / Cert / 7Lynx178PikeOS

AdaC

Zero FootprintCert Profile

Ravenscar profileEN 50128SIL 3/4

DO-178Level A

EN 50128

T3

[Architecture] Object Orientation

?type A380 is new Plane …

procedure Open_Doors(My_Plane : Plane)with Pre => My_Plane.On_Ground and My_Plane.Speed = 0.0, Post => My_Plane.Doors_Opened and My_Plane.Pressurization_Off;

type Plane is abstract …

procedure Open_Doors (My_Plane : Plane)with Pre => My_Plane.On_Ground, Post => My_Plane.Doors_Opened;

type Glider is new Plane …

procedure Open_Doors(My_Plane : Plane)with Pre => null, Post => My_Plane.Doors_Unlocked;

procedure Operate(My_Plane : Plane’Class)isbegin if My_Plane.On_Ground then My_Plane.Open_Doors; My_Plane.Move_Passengers_Out; end if;

DO-332OO.6.7

[Design] Model to Code Generation

QGen Code Generation(Ada or C)

EN 50128SIL3/4

Automatic Translation ofModel Tests to Code Test

DO-178CTQL-1

Simulink®StateFlow®

…

Credit sought on code reviewCredit sought on code test & coverage

(in progress)

(in progress)

[Design] Formal Specification

Low Level Requirements

Software ComponentDesign Specification

DO-178C EN-50128

type A380 is new Plane …

procedure Open_Doors(My_Plane : Plane)

with Pre => My_Plane.On_Ground and My_Plane.Speed = 0.0,

Post => My_Plane.Doors_Opened and My_Plane.Pressurization_Off;

DO-333FM.6.3.2

EN 50128D.28

[Development] Sustained Branches

2012 2013 20147.0

7.0.1

7.0.2

7.0.3

7.0.4

7.2.3

7.1.2 7.2.2

7.1.1 7.2.1

7.1 7.2

Critical Fixes

Critical Fixes

Critical Fixes

EN 50128

6.7.4.11DO-1784.4.2.f

[Verification] Testing Tools

Test Skeleton

Test

Subprogram under Test

Actual Code

Stub

StubSkeleton

calls

callscalls

GNATtest will generate Test and Stub Skeletons for Units / SubprogramsThe developer writes tests and subs in Ada

EN 50128

7.5DO-1786.4.3.c

[Verification] Structural Code Coverage

HOST

TARGET

PureFunctional Test

GNATemulator / Valgrind / dynamiRIO

CoverageData

Executable

Coverage Information

PureFunctional Test

Lauterbarch /iSystems

SourcesAda 83 / 95 / 05 / 2012

C 99

StatementDecisionMC/DC

DO-178TQL-5

EN 50128

T2

(no instrumentation)

Source to Object Traceability Study

DO-1786.4.4.2.

b

[Verification] Static Analysis

GNATcheck

Coding standard

check

Metrics check

Ada feature usage check

CodePeer

Out of range checks

Overflow checks

Uninitialized variables

check

GNATstack

Worst case stack consumpti

onDO-178TQL-5

EN 50128

T2

[Verification] Formal Proof

Low Level Requirements

Software ComponentDesign Specification

DO-178C EN-50128type A380 is new Plane …

procedure Open_Doors(My_Plane : Plane)

with Pre => My_Plane.On_Ground and My_Plane.Speed = 0.0,

Post => My_Plane.Doors_Opened and My_Plane.Pressurization_Off;

Low Level Test Source Code Verification

type A380 is new Plane …

procedure Open_Doors(My_Plane : Plane) isbegin -- codeend Open_Doors;

Formal proof Formal proof

SPARK will formally verify implementation of subprogram according to the specified contractSPARK will (also) formally verify absence of run-time errors and data flow

DO-333FM.6.3.2

EN 50128D.28

Conclusion

ArchitectureCertifiable LibrariesCertifiable PlatformsObject Oriented Techniques

VerificationTesting toolsStructural code coverageFormal proofStatic Analysis

Development EnvironmentSustained Branches

DesignFormal SpecificationModel to Code Generation

Bare Board

VxWorks

Math LibraryRavenscar

PikeOS

LiskovPowerPCARM

LEON

SPARKQGEN

GNAT Pro

GNATcheck

CodePeerGNATstack

GNATcoverageSPARKGNATtest

EN 50128Qualifiable Certifiable

DO-178Qualifiable Certifiable