Constructing a Safety Case for Automatically Generated Code from Formal Program Verification Information

Formal methods can in principle provide the highest levels of assurance of code safety by providing formal proofs as explicit evidence for the assurance claims. However, the proofs are often complex and difficult to relate to the code, in particular if it has been generated automatically. They may also be based on assumptions and reasoning principles that are not justified. This causes concerns about the trustworthiness of the proofs and thus the assurance claims. Here we present an approach to systematically construct safety cases from information collected during a formal verification of the code, in particular from the construction of the logical annotations necessary for a formal, Hoare-style safety certification. Our approach combines a generic argument that is instantiated with respect to the certified safety property (i.e., safety claims) with a detailed, program-specific argument that can be derived systematically because its structure directly follows the course the annotation construction takes through the code. The resulting safety cases make explicit the formal and informal reasoning principles, and reveal the top-level assumptions and external dependencies that must be taken into account. However, the evidence still comes from the formal safety proofs. Our approach is independent of the given safety property and program, and consequently also independent of the underlying code generator. Here, we illustrate it for the AutoFilter system developed at NASA Ames.
