AdaCore and its research partners conducted Project Hi-Lite, a three-year, €3.9 million effort aimed at popularising formal methods in the development of high integrity software by combining formal verification and testing. Hi-Lite took advantage of Airbus’ decade-long experience using formal verification methods to create high integrity systems, and exploited the powerful industrial tools already developed by the project partners. The work was sponsored by the French Government and the General Council of the Département of Essonne and was conducted by a partnership comprising AdaCore, Altran, Astrium Space Transportation, CEA List, INRIA Toccata and Thales Communications.
Hi-Lite’s main goal was to make formal verification faster and easier to use across large, multi-language projects that need to meet safety certification criteria, and the project has successfully achieved this objective. “Hi-Lite has allowed us to take advanced program-proving technology that was developed in academia and adapt it for industrial use,” said Yannick Moy, Hi-Lite Project Manager at AdaCore. “The project has shown that formal verification can complement testing and play a prominent and practical role in verifying critical software.”
Testing is often time consuming and costly, especially when the software has to comply with standards such as DO-178B or its recent revision DO-178C for commercial airborne systems (used by certification authorities including the FAA, EASA and Transport Canada). As high integrity systems grow in size and complexity, formal methods like those investigated in the Hi-Lite project provide a cost-effective solution that decreases the need for testing, speeds up project development, and facilitates system certification. These techniques are especially relevant in a DO-178C context, in light of the Formal Methods Supplement (DO-333) that provides standard guidance on how formal analysis fits into the verification process.
The Hi-Lite project has produced the first tools that can integrate testing and formal verification for both Ada and C programs - the SPARK toolset for Ada and the Frama-C platform for C. Both toolchains rely on state-of-the-art program-proving