In what sectors or in what industry is the culture strongly pushing or enforcing the use of formal methods?

 * Theme: External Factor Pushing for Formal Method Adoption (ExFac)
 * Role: HM

Answer
We structure our answer by industrial sector, from the cultural point of view. We also recommend looking at the related FAQ entry on sector-specific standards, which may or may not take a position on formal methods.

Transportation Sector
The Météor Case - Historically, the first industrial deployment of the B method was pushed by RATP (Régie Autonome des Transports Parisiens, the Paris public transport operator). The introduction of formal methods started in the early 1980s with an automatic train control system commissioned by RATP, called SACEM. A technical choice, the Vital Coded Processor (VCP), was made in order to reduce the need for hardware diversification. As a consequence, software redundancy was removed, and test-based validation alone was not enough to achieve the required "zero defects". A method based on a formal specification together with assertions in the Modula-2 code was therefore designed. Despite the heaviness of this process and its weak automation, the confidence achieved by this first application convinced RATP: for the following tender, the Météor line, they demanded the use of formal methods for safety-critical software development. On the industrial side, adoption was fostered by the fact that RATP agreed to pay an extra fee to cover the additional risk borne by the supplier.

A similar scenario could also be envisioned for Event-B: RATP might require Event-B for future projects, and DEPLOY provides the opportunity to get ready for this. As a matter of fact, there has already been a project named Co-Pilot, on automating the doors of Line 13 in Paris, using Event-B. This project was led by ClearSy, also a partner in DEPLOY.

Space Sector
The European space sector is strongly influenced by ESA (European Space Agency). ESA has been making some use of formal methods for 10 years. Space standards force users to do intensive unit testing (up to 80% of the budget goes into testing). Space standards allow the use of formal methods, but do not allow a decrease in the test effort. With formal methods, one could argue for a justifiable decrease in testing. As a matter of fact, every project in the space sector has some deviation from the standard, and in the end ESA makes the final decision. It seems that the test effort could be decreased where formal methods are used, but this has to be negotiated. The space sector is now using Polyspace and other static analyzers; Polyspace is even required by one of the major actors in the sector, Astrium UK. The sector has also been using Simulink and SCADE for years.

In the space industry, the development process must obey the prescriptions of the space standards for hardware and software. These standards have been set up by ESA because all projects in the space sector involve a wide set of contractors, which can subcontract in turn. In this setting, a standard for the development process aims at ensuring a uniform level of quality across all contractors. The standards vary according to the project and the contractor, and tend to extend or upgrade each other. For instance, the Galileo standard is a tailoring of ECSS-E-40-B (ECSS: European Cooperation for Space Standardization).

The standard recognizes three different life cycles: waterfall, incremental and evolutionary. Critical systems must always be developed following a waterfall life cycle. The standard prescribes a set of deliverables, and a set of analyses to be performed during development, such as FDIR (failure detection, isolation and recovery) and FTA (fault tree analysis).

Aerospace sector
Airbus has long experience with the development and deployment of formal tools in its engineering process. Airbus took part in the following research projects: DAEDALUS, ASTREE, THESEE, CAT, U3CAT, ASBAPROD, ES_PASS, which notably developed abstract interpretation to formally analyze software source code and detect software-specific bugs such as overflows, null-pointer dereferences, etc. Airbus now has a well-established internal development process, where formal verification is applied to check various aspects of software products, including e.g. stack analysis, abstract interpretation for run-time errors, and abstract interpretation for worst-case execution time prediction.
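As an added illustration of the kind of analysis mentioned above (this is not code from the original page, nor from Airbus's tools or the research projects listed), here is a minimal interval-domain abstract interpreter in Python that flags integer arithmetic which may overflow a signed 32-bit integer. The toy program syntax, the variable names, the sensor range and the conversion constants are all constructed for the example.

```python
# Added illustration, not code from the page, Airbus or the projects listed above:
# a minimal interval-domain abstract interpreter that flags integer arithmetic
# which may overflow a signed 32-bit integer. Program syntax, variable names,
# sensor ranges and conversion constants are constructed for the example.

INT32_MIN, INT32_MAX = -2 ** 31, 2 ** 31 - 1


class Interval:
    """Abstract value: every concrete value the variable can take lies in [lo, hi]."""

    def __init__(self, lo, hi):
        self.lo, self.hi = lo, hi

    def add(self, other):
        return Interval(self.lo + other.lo, self.hi + other.hi)

    def mul(self, other):
        # Operand signs are unknown, so the product's bounds are among the four corners.
        corners = [self.lo * other.lo, self.lo * other.hi,
                   self.hi * other.lo, self.hi * other.hi]
        return Interval(min(corners), max(corners))

    def meet(self, lo, hi):
        """Intersect with [lo, hi]: models a range check the value has passed."""
        return Interval(max(self.lo, lo), min(self.hi, hi))

    def fits_int32(self):
        return INT32_MIN <= self.lo and self.hi <= INT32_MAX

    def __repr__(self):
        return f"[{self.lo}, {self.hi}]"


def eval_expr(expr, env, warnings):
    """Evaluate an expression tree over intervals, recording arithmetic that may overflow."""
    kind = expr[0]
    if kind == "const":
        return Interval(expr[1], expr[1])
    if kind == "var":
        return env[expr[1]]
    if kind == "input":  # value from outside the program, with its documented range
        return Interval(expr[1], expr[2])
    if kind in ("add", "mul"):
        left = eval_expr(expr[1], env, warnings)
        right = eval_expr(expr[2], env, warnings)
        result = left.add(right) if kind == "add" else left.mul(right)
        if not result.fits_int32():
            warnings.append(f"{kind}({left}, {right}) -> {result} may overflow int32")
        return result
    raise ValueError(f"unknown expression kind {kind!r}")


def analyze(program):
    """Abstractly execute a straight-line program.

    Statements are ("assign", name, expr) or ("check", name, lo, hi); the latter
    models a runtime range check after which the variable is known to be in [lo, hi].
    Returns the final abstract environment and the list of overflow warnings.
    """
    env, warnings = {}, []
    for stmt in program:
        if stmt[0] == "assign":
            env[stmt[1]] = eval_expr(stmt[2], env, warnings)
        elif stmt[0] == "check":
            env[stmt[1]] = env[stmt[1]].meet(stmt[2], stmt[3])
        else:
            raise ValueError(f"unknown statement {stmt[0]!r}")
    return env, warnings


# Constructed sample: an altitude in feet from a sensor whose (made-up) datasheet
# range is [-1000, 60000], converted to millimetres (x305, rounded factor) and
# then to a 7-bit fixed-point value (x128, +64 rounding offset).
UNCHECKED = [
    ("assign", "alt_ft", ("input", -1000, 60000)),
    ("assign", "alt_mm", ("mul", ("var", "alt_ft"), ("const", 305))),
    ("assign", "alt_fixed", ("add", ("mul", ("var", "alt_mm"), ("const", 128)),
                             ("const", 64))),
]

# Same computation after a range check restricting alt_ft to an operational
# envelope [0, 50000]; the analysis can now prove that every operation fits.
CHECKED = [UNCHECKED[0], ("check", "alt_ft", 0, 50000)] + UNCHECKED[1:]


if __name__ == "__main__":
    for name, prog in (("unchecked", UNCHECKED), ("checked", CHECKED)):
        env, warnings = analyze(prog)
        print(name, env["alt_fixed"], warnings or "no overflow possible")
```

On the unchecked program the analysis reports two possible overflows (the multiplication by 128 and the addition that consumes its result); after the range check it reports none, because the upper bound 50000 * 305 * 128 + 64 stays below 2^31 - 1. The interval domain is sound but coarse: it can raise warnings on code that never overflows at run time, which is why industrial analyzers combine several, more precise abstract domains.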

Digital Systems
The biggest industrial players developing digital systems have been investing heavily in formal methods, either using existing tools or developing their own technology, as a response to the increasing complexity of their products and to the prohibitive cost of recalls caused by bugs. A key date in this evolution was 1994, with a massive recall following the bug in the floating-point division instruction of the Intel Pentium processor. This trend started with hardware-related companies and spread later to software-related companies.
 * AMD ordered a proof of its own floating-point division algorithm. It was carried out using the ACL2 theorem prover, by the authors of this prover.
 * Intel has developed an integrated design and verification environment, building on the Forte formal verification system.
 * Microsoft has developed a set of formal verification tools, targeting specific issues such as driver verification, or generic proving of software written in C. As an example, automated driver verification is now part of the development process advocated by Microsoft for drivers.