Using SCADE to Develop Mission-critical High-quality Radar Application Software

Similar documents
SCADE Display for the Design of Airborne and Ground-Based Radar Human-Machine Interfaces (HMIs)

INTEGRATING SYSTEM AND SOFTWARE ENGINEERING FOR CERTIFIABLE AVIONICS APPLICATIONS

SCADE System, a comprehensive toolset for smooth transition from Model-Based System Engineering to certified embedded control and display software

Methodology Handbook. Efficient Development of Safe Avionics Display Software with DO-178B Objectives Using Esterel SCADE. Third Edition (Revision 1)

Certification Authorities Software Team (CAST) Position Paper CAST-25

SCADE. SCADE 19.2 Solutions for ARINC 661 Compliant Systems. The ARINC 661 Standard EMBEDDED SOFTWARE

SCADE TRAINING PROGRAM 2016

Data-Based System Engineering: ICDs management with SysML

FORMALIZED SOFTWARE DEVELOPMENT IN AN INDUSTRIAL ENVIRONMENT

SCADE. SCADE Display Graphical Prototyping and Design. Tailored for Critical Embedded HMIs EMBEDDED SOFTWARE

ANSYS SCADE 17.0 Solutions for ARINC 661-Compliant Systems

SCADE. SCADE Suite Tailored for Critical Applications EMBEDDED SOFTWARE

SCADE S E M I N A R I N S O F T W A R E E N G I N E E R I N G P R E S E N T E R A V N E R B A R R

Part 5. Verification and Validation

ISO Compliant Automatic Requirements-Based Testing for TargetLink

Guidelines for deployment of MathWorks R2010a toolset within a DO-178B-compliant process

BUILDING GOOD-QUALITY FUNCTIONAL SPECIFICATION MODEL

Ian Sommerville 2006 Software Engineering, 8th edition. Chapter 22 Slide 1

Using SCADE System for the Design and Integration of Critical Systems

Simulink/Stateflow. June 2008

Clock-directed Modular Code-generation for Synchronous Data-flow Languages

Simulink 모델과 C/C++ 코드에대한매스웍스의정형검증툴소개 The MathWorks, Inc. 1

ΗΜΥ 317 Τεχνολογία Υπολογισμού

Verification and Validation. Ian Sommerville 2004 Software Engineering, 7th edition. Chapter 22 Slide 1

Fundamentals of Programming Languages. PL quality factors Lecture 01 sl. dr. ing. Ciprian-Bogdan Chirila

Efficient Development of Airborne Software with SCADE Suite

How much is a mechanized proof worth, certification-wise?

Software Verification and Validation (VIMMD052) Introduction. Istvan Majzik Budapest University of Technology and Economics

A Scade Suite to Modelica Interface

ISO compliant verification of functional requirements in the model-based software development process

IBM Rational Rhapsody

Verification and Validation

Synchronous Kahn Networks (ten years later)

A Comparison of the Booch Method and Shlaer-Mellor OOA/RD

Objectives. Chapter 19. Verification vs. validation. Topics covered. Static and dynamic verification. The V&V process

Aerospace Software Engineering

Certification Requirements for High Assurance Systems

Leveraging Formal Methods for Verifying Models and Embedded Code Prashant Mathapati Application Engineering Group

Verification and Test with Model-Based Design

Checklist for Requirements Specification Reviews

RAISE in Perspective

Verification and Validation

Verification and Validation

By Jason Ghidella, PhD, and Pieter J. Mosterman, PhD. Left Elevator. actuator. hydraulic system 1 left outer. left inner

Automating Best Practices to Improve Design Quality

GNAT Pro Innovations for High-Integrity Development

ACCELERATING DO-254 VERIFICATION

REDUCING CERTIFICATION GRANULARITY TO INCREASE ADAPTABILITY OF AVIONICS SOFTWARE

IBM Rational Rhapsody

An incremental and multi-supplement compliant process for Autopilot development to make drones safer

Production Code Generation and Verification for Industry Standards Sang-Ho Yoon Senior Application Engineer

FOUR INDEPENDENT TOOLS TO MANAGE COMPLEXITY INHERENT TO DEVELOPING STATE OF THE ART SYSTEMS. DEVELOPER SPECIFIER TESTER

Requirement Analysis

Distributed Systems Programming (F21DS1) Formal Verification

Moving MATLAB Algorithms into Complete Designs with Fixed-Point Simulation and Code Generation

Safety Manual. for ait, Astrée, StackAnalyzer. AbsInt Angewandte Informatik GmbH

Timing Analysis on Complex Real-Time Automotive Multicore Architectures

Certified Automotive Software Tester Sample Exam Paper Syllabus Version 2.0

Model-Based Design for Safety-Critical and Mission-Critical Applications Bill Potter Technical Marketing April 17, 2008

By: Chaitanya Settaluri Devendra Kalia

Using Model-Based Design in conformance with safety standards

AADL : about code generation

By V-cubed Solutions, Inc. Page1. All rights reserved by V-cubed Solutions, Inc.

CERT C++ COMPLIANCE ENFORCEMENT

Automotive System and Software Engineering with Model Based Design

Modeling and Verification of Aircraft Stability Controller

A Model-Based Reference Workflow for the Development of Safety-Related Software

Software Engineering 2 A practical course in software engineering. Ekkart Kindler

Towards an industrial use of FLUCTUAT on safety-critical avionics software

A Mini Challenge: Build a Verifiable Filesystem

MONIKA HEINER.

Automating Best Practices to Improve Design Quality

WHITE PAPER. 10 Reasons to Use Static Analysis for Embedded Software Development

Coding Standards in FACE Conformance. John Thomas, Chris Edwards, and Shan Bhattacharya

3.7 Denotational Semantics

Applications of Program analysis in Model-Based Design

SOFTWARE QUALITY OBJECTIVES FOR SOURCE CODE

Software Development with Automatic Code Generation: Observations from Novice Developer Viewpoint

Recommended Practice for Software Requirements Specifications (IEEE)

Energy Infrastructure Demands Mission Critical Networking

Verification and Validation

Homework #2. If (your ID number s last two digits % 6) = 0: 6, 12, 18

We will focus on data dependencies: when an operand is written at some point and read at a later point. Example:!

Static analysis of concurrent avionics software

Introduction to Formal Methods

A Proposal for Verified Code Generation from Modelica

Testing! Prof. Leon Osterweil! CS 520/620! Spring 2013!

CIS 890: Safety Critical Systems

Verification and Validation of High-Integrity Systems

lnteroperability of Standards to Support Application Integration

A Data-Centric Approach for Modular Assurance Abstract. Keywords: 1 Introduction

Model-Based Design for High Integrity Software Development Mike Anthony Senior Application Engineer The MathWorks, Inc.

LYREBIRD David Cock

Subprograms. Bilkent University. CS315 Programming Languages Pinar Duygulu

Standardkonforme Absicherung mit Model-Based Design

Model-Based Engineering for the Development of ARINC653 Architectures

Verification and Validation. Assuring that a software system meets a user s needs. Verification vs Validation. The V & V Process

2015 The MathWorks, Inc. 1

A number of optimizations are already in use by the majority of companies in industry, notably:

Specification and Testing of Banknote Processing Systems with Coloured Petri Nets

Transcription:

Using SCADE to Develop Mission-critical High-quality Radar Application Software Bernard Dion and Aubanel Monnier Esterel Technologies, Parc Euclide 8 rue Blaise Pascal, F-78990, Elancourt, France bernard.dion@esterel-technologies.com aubanel.monnier@esterel-technologies.com Abstract: The development of embedded software for radar applications may require software design processes that comply with the DO-178B standard or related processes. This raises issues about cost and productivity associated with the development of such mission-critical applications. In this paper, we introduce the value of the formal design, verification, and implementation technologies offered by modelbased development with SCADE to develop radar applications and comply with DO-178B. In essence, we look at the problems developers face when confronted with compliance to demanding quality standards and how the SCADE Suite technology helps them increase their productivity while maintaining the highest level of availability and reliability in their applications. We also discuss the new version standard in development, DO- 178C. Key Words: radar software, model-based design, certification, DO-178B, DO-178C I INTRODUCTION Safety and mission-critical software development requires rigorous processes, methods, and tools in order to ensure high quality and reliability of the developed product. In the aeronautics industry, authorities, such as FAA or EASA, certify the produced software according to the DO-178B standard [3]. Certification is the process verifying that the entire development life cycle conforms to the requirements of the standard. In DO-178B, the software development process is decomposed in phases with precise objectives. Then, verification that the output of each phase conforms to the requirements the phase receives as inputs is required. The overall objective of these verification activities is to make sure that a given phase does not introduce errors during its realization. The challenge is to master the cost of these verification activities, which in a certification context represent the highest part of the overall cost, while ensuring a high reliability and quality of the resulting software. In this paper, we show how the SCADE Suite approach promoted by Esterel Technologies [1] provides solutions for this challenge when applied to mission-critical embedded software for radar applications. The approach is based on modelbased development supported by a formal software development language, which has the desired characteristics for safe modeling. The core ideas of the approach are: Minimizing the risk of error introduction while modeling; Increasing the detection of errors and ambiguities in the early requirement specification coming from the system level activities; and Enabling the automatic code generation with a certified code generator producing high-quality and reliable software. The paper is organized as follows: Section II presents the model-based design method of SCADE Suite, showing its benefits regarding the challenge. Section III presents the model-based verification activities enabled in the SCADE Suite framework. Section IV presents the certified automatic code generation showing the properties of the resulting code and its advantages. II MODEL-BASED DESIGN WITH SCADE System requirements for safety and mission-critical embedded software are made of low-level parts in charge of handling the I/O data coming from or going to the hardware environment parts in charge of administrating the I/O data to transform them from their hardware representation, such as bus frames, into software data-structures and parts corresponding to the software core functions exchanging information with the hardware environment through the low-level parts. In this context, the system requirements for the software controller functions express both the 1

mathematical framework that has to be implemented and the logical aspects (modes, control logic in the algorithms). For complex systems handling a high number of input data and logical conditions, capturing the requirements to build a software specification is very challenging and error-prone. Indeed, especially for the logical aspects, completeness is hard to establish, ambiguities are often present, and as it is easy to miss corner cases. The SCADE model-based development approach promotes the use of a rigorous language to capture both the mathematical and logical system requirements using a user-friendly graphical notation: bloc diagrams for the modeling of the mathematical aspects as data-flow equations and state machines for modeling of the logical aspects. The power of SCADE allows for both formalisms within the same modeling environment and the ability to enable nesting of data-flow bloc diagrams inside states, as well as the nesting of state machines inside bloc diagrams, with no limitation [2]. This increases readability and compactness of specifications in a very significant manner. SCADE is used to model the reactive part of the software controller. This is the part that must be called in a cyclic way in a real-timee environment; it calls the SCADE function based on a regular frequency or based on events. At this level, hand code may be needed to complete the portion covered by SCADE to develop the functions elaborating and administrating the data coming from and going to the low-level layers and hardware environment, see Figure 1. Figure 1: SCADE part in the embedded system Figure 2 shows an example of a SCADE model specifying a radar application. Figure 2: the Radar top level view in SCADE The Scade language relies on a formal semantics ensuring deterministic behavior. Moreover, modeling constructs are safe by forcing the user to correctly handle initialization of data under all conditions, by ensuring bounded iterative schemes preventing from infinite loops, and by forcing the explicit data typing of all variables and ensuring type consistency of the model. Model errors such as absence of initialization, type mismatch, incompletee connections, and unused variables are automatically checked and detected at model level. The benefit of the Scade language is clearly to capture the requirements in a straightforward way by expressing explicitly the interplay between logical and computation aspects (see Figures 3 and 4). The Scade modeling activity tends to reveal systematically the presence of ambiguities in the requirements. Typically, at model level, a case where a data is used while it was not specified how that data is initialized is detected. 2

Figure 3: radar mode management in SCADE Unitary2_t Add_New_Plot.Plot_i.Flag Plot_i.Plot_i Link_Plot_Track_Compute_Array NotLinked Unitary2_t Unitary_InputUnitary3_t Unitary3_t Unitary_Out MAXSIZE Figure 4: a radar algorithm in SCADE As this is a strong need for all radar applications, the Scade language provides powerful constructs to handle arrays and matrix computation using a vector data type. Constructs are provided to uniformly apply a function over all of the elements of an array in one operation and in one execution cycle. Figure 5 shows the example of the pair-wise sum of two vectors of integers performed using the SCADE Map operator: if the two input vectors are A = [a1,,an] and B = [b1,,bn], then this model computes C = [a1 + b1,,an + bn]. A B m ap<<5>> Figure 5: the SCADE Map operator III MODEL BASED VERIFICATION WITH SCADE The objective of verification of a SCADE model is to show that the software requirement specification developed with SCADE is compliant and complete with respect to the system requirements given as input, and that there is no unintended function that has been introduced during the SCADE modeling phase. The first type of verification is model review, within which it is verified that each SCADE C modeling element is related to an input requirement. To ease this verification, the SCADE environment provides a tool-supported management of the traceability of requirements through the module called the SCADE LifeCycle Requirement Management Gateway (RM Gateway). A traceability project can be defined and traceability information can be easily flowed down from requirements to SCADE modeling constructs because of the RM Gateway. The RM Gateway provides features to automatically compute the requirement coverage percentage and performs impact analysis on input requirement changes. The key property of SCADE is that a SCADE model is executable. Therefore, in addition to model review, functional verification can be operated through testing using the SCADE Suite Simulator. In addition, SCADE provides features to measure automatically the structural coverage of a SCADE model with respect to a suite of requirement-based tests. Coverage analysis may reveal uncovered modeling parts, which may be due to test incompleteness, dead model parts, etc. The module in charge of performing the functional verification and coverage measurement is SCADE Suite Model Test Coverage. In SCADE Suite, features are available for conducting user-friendly simulation sessions by building a graphical environment in which inputs can be efficiently elaborated and outputs 3

comfortably visualized. This is enabled by the coupling with SCADE Display, which is a flexible graphics design and code generation tool suite for the development of safety-critical embedded display systems. With native support of the OpenGL SC standard, SCADE Display is the new generation display framework, spanning prototyping, display design, simulation, verification and validation, certified code generation, and smooth integration with other applications. Figure 6 shows a typical simulation session of a radar SCADE model where the input and outputs are controlled from and displayed to a SCADE Display graphical model. Figure 6: radar simulation session with SCADE Suite and SCADE Display The benefit of enabling a complete verification of the software requirement specification is that it allows for discovering errors and shortcomings at the early stage of the software development life cycle. Discovering these errors late in the process would be much more costly. IV CERTIFICATION WITH SCADE In a traditional software development flow, the software requirement specification phase is followed by the coding phase in order to implement the software. Then, the verification of the coding phase requires ensuring that the source code complies with the software requirements specification through review and traceability, that the code is functionally correct, and that the tests cover structurally the code in a sufficient manner. In SCADE, the coding phase is fully automated by the certified C code generator SCADE Suite KCG (KCG). The generated C code has the desired properties for safety critical applications. The code is traceable with respect to the SCADE model and is human readable. The code is ANSI-C compliant, platform independent, and portable. A sample of code generated from a small operator is shown in Figure 7, where the code generated for the state machine portion is very close to a human approach for state machines coding, and the code corresponding to the sum over vectors is exactly the way a C coder would have written it. The behavior is guaranteed to be deterministic; the code has no dynamic memory allocation, no pointer arithmetic, statically bounded loops, safe typing, and safe array access preventing from outbound access. Regarding performance, SCADE users have reported that the code conforms to the constraints of critical software for both size and speed. Being certified, the resulting code from KCG can be trusted, and verification activities at the code level simply eliminated. Traditionally these activities represent a significant part of the overall cost. void Map_Pkg(inC_Map_Pkg *inc, outc_map_pkg *outc ) { 4

kcg_int i; array_1 tmp; /* Pkg::Map::SM1::SSM_SM1_dispatch_sel */ SSM_Map_SM1_ST SSM_SM1_dispatch_sel; /*... skipped initialization code... */ switch (SSM_SM1_dispatch_sel) { case SSM_SM1_STOP Pkg : copy_array_1 ( &outc->c, &tmp ); outc->m_pre_ = SSM_SM1_STOP Pkg; break; case SSM_SM1_GO Pkg : for (i = 0; i < 5; i++) { outc->c[i] = inc->a[i] + inc->b[i]; outc->m_pre_ = SSM_SM1_GO Pkg; break; Figure 7: SCADE Suite KCG code sample CONCLUSION The model-based approach of SCADE for the development of mission and safety-critical radar application software comes with complete methodology compliant with the most stringent requirements of safety standards including DO- 178B. The aim of this approach is to enable the development of high quality and reliable applications while reducing the cost of their development and verification compared to traditional flows based on manual coding. The key idea is to switch from a process whose main phases are Design/Code/Verify to a process whose main phases are Design/Verify/Generate. By doing so, the main verification activities are conducted earlier and rely on trusted automatic code generation. The characteristics and benefits of each phase are as follows: Design: the Scade language includes a graphical notation to capture both the mathematical computation aspects and the control logic. The notation allows for mixing of bloc diagrams for data-flow computations and state machines for the state-based logic, and nesting them with no limitation. By being unambiguous and formal, the notation can reveal errors in the system requirements. Verify: a SCADE model is executable, enabling verification of the compliance of the model with respect to the input requirements, in addition to model review. Moreover, the SCADE Suite Model Test Coverage module allows for verification of the structural coverage of the SCADE model in order to ensure the model is doing no more and no less than capturing the input requirements. Generate: the SCADE Suite KCG code generator produces safe, target independent, readable, and traceable ANSI-C code. KCG is certified with respect to DO-178B (Level A) and as such, the verification activities on the C code can be removed. The code has the desired properties for safety-critical applications (no dynamic memory, no pointer arithmetic, statically bounded loops, variables initialized before used, etc.). The code performances are thus highly predictable. The SCADE users feedback have reported a 30 to 50 percent savings in the overall cost of the software lifecycle compared to flows based on manual coding. This approach has been further refined within the new version of the standard (DO-178C), and its technology supplements including Model-based Development and Verification and Formal Method. The SCADE environment is now ready for the new standard. REFERENCES 1. Esterel Technologies Web Site, http://www.esterel-technologies.com 2. Colaço, Jean-Louis; Pagano, Bruno; Pouzet, Marc. A Conservative Extension of Synchronous Dataflow with State Machines. s.l. : EMSOFT, 2005 3. DO-178B Software Considerations in Airborne Systems and Equipement Certification, RCTA and EUROCAE, 1992 4. DO-178B Methodological Handbook, Esterel Technologies Web Site BIO DATA OF AUTHORS Bernard Dion is co-founder and Chief Technical Officer of Esterel Technologies since 1999. He is the Secretary of the tools qualification group of the SC205/WG71 committee (DO-178C). In 1978, he received a Ph.D. in Computer Sciences from the University of Wisconsin at Madison (USA). Aubanel Monnier is a Senior Consultant at Esterel technologies since 2002. He is a member of the ARINC 661 standardization committee for Cockpit Display Systems. In 2001, he received an Engineering degree from ESI in Nice-Sophia Antipolis (France). 5

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback