• Home

  • Documents

  • Deterministic Modeling and Qualifi able Ada Code Generation for … · 2018-05-22 ·...
5
Ada Language Addresses Safety-Critical Applications Human life often depends on the performance of mission-critical, real-time applications that control systems such as commercial and military airplanes, submarines, mass transit systems, railway systems, rockets, etc. Developers of these systems have to meet a standard, such as DO-178C, that defines a process for proving that the software does what it is supposed to do and does not do anything else. The Ada programming language is unique in that it was designed under contract to the United States Department of Defense in the late 1970s and early 1980s to address these types of applications and re- place the hundreds of different programming languages that were then used in mission-critical software projects. Some of the key features of Ada include compressive support for object oriented programming, explicit concurrency, real-time programming, strong typing and synchronous message passing. Ada has been used to develop many well-known and highly critical applica- tions, such as the Patriot Missile Command and Control Center, U.S. Navy Submarine Combat System, Boeing 777 Airplane Information Management System, United States Federal Aviation Administration Conflict Detection Tool, French High-Speed Rail (TGV), Delta II and Delta IV commercial rockets and many others. White Paper Deterministic Modeling and Qualifiable Ada Code Generation for Safety-Critical Projects Ada is a time-tested, safe and secure programming language that was specifically designed for large and long-lived applications where safety and security are essential. Traditionally, Ada development teams have faced the challenge of a lengthy, time-consuming development process; the most difficult part has typically been proving compliance with standards, such as DO-178C, used to qualify high-integrity software. A model-based design approach that involves the creation of an executable model in a block diagram design environment improves the efficiency of Ada coding, but the potential for ambiguities between the system requirements and software implementation in existing modeling environments still requires a long and tedious qualification process. ANSYS SCADE products provide a complete solution for development of high integrity Ada applica- tions, including a formally defined modeling environment that provides all of the inherent benefits of the model-based design approach while avoiding the ambiguity inherent in other Ada modeling environ- ments. The SCADE KCG Ada Code Generator is qualifiable for DO-178C and certified for IEC 61508 and EN 50128 to ensure that the generated code behaves exactly as the design with respect to software requirements. The new tools are part of a complete development environment that substantially reduces the development time for safety-critical applications built with the Ada language. 1 The SCADE Product Family

Deterministic Modeling and Qualifi able Ada Code Generation for … · 2018-05-22 · Deterministic Modeling and Qualifi able Ada Code Generation for Safety-Critical Projects If

  • Upload
    others

  • View
    0

  • Download
    0

Embed Size (px)

Citation preview

Page 1: Deterministic Modeling and Qualifi able Ada Code Generation for … · 2018-05-22 · Deterministic Modeling and Qualifi able Ada Code Generation for Safety-Critical Projects If

Ada Language Addresses Safety-Critical ApplicationsHuman life often depends on the performance of mission-critical, real-time applications that control systems such as commercial and military airplanes, submarines, mass transit systems, railway systems, rockets, etc. Developers of these systems have to meet a standard, such as DO-178C, that defi nes a process for proving that the software does what it is supposed to do and does not do anything else. The Ada programming language is unique in that it was designed under contract to the United States Department of Defense in the late 1970s and early 1980s to address these types of applications and re-place the hundreds of diff erent programming languages that were then used in mission-critical software projects. Some of the key features of Ada include compressive support for object oriented programming, explicit concurrency, real-time programming, strong typing and synchronous message passing. Ada has been used to develop many well-known and highly critical applica-tions, such as the Patriot Missile Command and Control Center, U.S. Navy Submarine Combat System, Boeing 777 Airplane Information Management System, United States Federal Aviation Administration Confl ict Detection Tool, French High-Speed Rail (TGV), Delta II and Delta IV commercial rockets and many others.

White Paper

Deterministic Modeling and Qualifi able Ada Code Generation for Safety-Critical Projects

Ada is a time-tested, safe and secure programming language that was specifi cally designed for large and long-lived applications where safety and security are essential. Traditionally, Ada development teams have faced the challenge of a lengthy, time-consuming development process; the most diffi cult part has typically been proving compliance with standards, such as DO-178C, used to qualify high-integrity software. A model-based design approach that involves the creation of an executable model in a block diagram design environment improves the effi ciency of Ada coding, but the potential for ambiguities between the system requirements and software implementation in existing modeling environments still requires a long and tedious qualifi cation process. ANSYS SCADE products provide a complete solution for development of high integrity Ada applica-tions, including a formally defi ned modeling environment that provides all of the inherent benefi ts of the model-based design approach while avoiding the ambiguity inherent in other Ada modeling environ-ments. The SCADE KCG Ada Code Generator is qualifi able for DO-178C and certifi ed for IEC 61508 and EN 50128 to ensure that the generated code behaves exactly as the design with respect to software requirements. The new tools are part of a complete development environment that substantially reduces the development time for safety-critical applications built with the Ada language.

1

The SCADE Product Family

Page 2: Deterministic Modeling and Qualifi able Ada Code Generation for … · 2018-05-22 · Deterministic Modeling and Qualifi able Ada Code Generation for Safety-Critical Projects If

Deterministic Modeling and Qualifi able Ada Code Generation for Safety-Critical Projects

2

Challenges of Developing Mission-Critical Ada ApplicationsIn the traditional method of Ada code development, specifi cations are con-ceptualized by systems architects, captured as text documents, and passed to project teams that specialize in areas such as algorithm development and analog electronics. These teams write software and perform tests to verify that the code matches the specifi cations. Verifying the code requires assembling the hardware, including the target computing device and the elec-tromechanical components that are being controlled. A key problem with this approach is that errors often remain undetected until all the modules can be tested together at the prototype stage. Because the cost of fi xing a problem gen-erally increases by an order of magnitude as the design progresses, late-stage problems quickly drive up development costs. As the size and complexity of safety-critical systems increases at a rapid rate, the cost, time and risk involved in manually producing, testing and verifying tens of millions of lines of code is increasing at an astronomical pace.

Many Ada development teams have addressed this challenge by moving to model based development methods that provide engineers with the capability to quickly build a graphical model of safety-critical software and systems using prebuilt components without requiring manual code writing, although hand-written code can be incorporated when required. Engineers can simulate the behavior of the model and immediately view the results, making it possible to gain critical insights early in the systems design process and to rapidly improve the model’s performance. Engineers also can link the predicted behavior to spe-cifi c customer requirements. Later in the design cycle, the model can be used to automatically generate software that can be downloaded to an embedded hardware system to evaluate the prototype in real time.

But model-based design environments used until now for Ada are non-deter-ministic, so they open the door to ambiguity, which creates the potential for misinterpretations of system requirements and software implementations. Both the systems architects and the software developers have their own specifi c terminology that might not be familiar to the other team, making it diffi cult to prove that the automatically generated code meets the requirements. During the qualifi cation process, the development team must overcome the issues of ambiguity or non-determinism in the model to prove that the code can be trusted. Addressing this concern to the degree of certainty required for DO-178C and other certifi cation standards is a long and diffi cult process that off sets a substantial portion of the savings that would otherwise be achieved through model-based design and automatic code generation.

SCADE Suite KCG automatically generates C code and Ada code directly from the model.

Page 3: Deterministic Modeling and Qualifi able Ada Code Generation for … · 2018-05-22 · Deterministic Modeling and Qualifi able Ada Code Generation for Safety-Critical Projects If

Deterministic Modeling and Qualifi able Ada Code Generation for Safety-Critical Projects

3

Deterministic Modeling Environment Ada Code DevelopmentThe ANSYS SCADE Suite provides a new approach to Ada code development that overcomes these challenges. SCADE Suite off ers a deterministic modeling environment that prevents potential ambiguities by defi ning formal unambigu-ous semantics that avoid misinterpretations between systems architects and developers. The SCADE modeling environment provides formal data-fl ow and control-fl ow constructs. Hierarchy is supported via user-defi ned operators and hierarchical state machines. Most checks such as strong type-checking, namespace analysis, causality analysis, clock analysis and initialization analysis can be performed at the model level during design.

SCADE Suite supports software reliability throughout the entire development process from requirements defi nition to code generation, software verifi cation and validations. Operational requirements can be written in tools including IBM® Rational® DOORS®, Rational RequisitePro® or Borland® CaliberRM®, and linked together using the SCADE Requirement Management Gateway.Test cases can be developed with SCADE Test, and can be seamlessly run either on host or on target using IBM® Rational Test RealTime, LDRA TestBed or Vector Cast, with structural coverage ensured at model and code levels.

SCADE LifeCycle Requirement Management Gateway provides a complete and interactive solution to manage traceability links between high level require-ments (HLRs) to low level requirements (LLRs) and from HLRs to test cases and procedures. This tool automates the process of validating that 100 per-cent of HLRs have been implemented and 100 percent of HLRs are covered by test cases and procedures.

Block Diagrams Represent Architecture and SoftwareSCADE System software uses block diagrams based on the SysML standard to represent software architecture components and connect them through ports and connectors. Once the software functional decomposition is available, the next step is to produce a software architectural design that implements the requirements using software blocks. The design includes an explanation of how the requirements have been allocated to the architecture. Consistency of the architecture can be validated with the SCADE System checker, and data propagation can be analyzed through all the views. Software engineers model the software components associated with the software architecture, often using state machines and data fl ows to model the logic and control laws. Software requirements can be traced through the development process to ensure that they are met. The architecture components and the design models can be synchronized, ensuring a complete consistency in the work-fl ow. SCADE Suite incorporates a reusable symbol library that promotes re-use and commonality of design within and across software projects.

The SCADE development process

Page 4: Deterministic Modeling and Qualifi able Ada Code Generation for … · 2018-05-22 · Deterministic Modeling and Qualifi able Ada Code Generation for Safety-Critical Projects If

Deterministic Modeling and Qualifi able Ada Code Generation for Safety-Critical Projects

4

SCADE Syntactic and Semantic Checker perform an in-depth analysis of the model consistency, including detection of missing defi nitions, warnings on unused defi nitions, detection of non-initialized variables, coherence of data types and interfaces, detection of causality issues on data-fl ow dependen-cies, and coherence of the production/consumption rates of data. The rules that are automatically verifi ed by this tool are part of the formal language defi nition. Compliance with these rules ensures that the model fully respects the semantics, which ensures its determinism.

Detecting Functional Faults Early in Design ProcessModel simulation provides an effi cient method of detecting functional faults at the earliest possible moment. Test cases can be run and validated in the host environment long before they are run in the much more expensive and complicated target hardware environment. SCADE Test Environment for Host allows developers using SCADE Suite to automate the creation and manage-ment of test cases. The coverage of tests can be analyzed using the Qualifi ed Model Test Coverage tool. Complete test coverage ensures that the design fully complies with its software requirements. SCADE Test Environment for Host automates the process of running these test cases and generating conformance and model coverage reports, resulting in signifi cant time and cost savings relative to manual testing. The tool has been qualifi ed as a verifi cation tool for DO-178C/DO-330, so the results prove the compliance of a SCADE model with its HLRs. The same functional test execution is provided on host and targets independent of code generation.

The generated code fulfi lls embedded application constraints such as avoid-ing dynamic allocation, bounded loops, etc., and is readable, commented and easily traceable back to the requirements. Integration is made easy by a Python API that gives access to generated objects. Consistency of module integration is verifi ed at the model level before generating the Ada code, eliminating the need for integration verifi cation at the code level. The SCADE KCG Ada code generator is qualifi ed as a DO-178C development tool (cf. section 12.2 of DO-178C), so the conformance of the code to the input model is trusted, eliminating the need for verifi cation activities related to the coding phase as the objectives are automatically fulfi lled. The SCADE Ada code generator is the only Ada code generator developed according to key high-integrity standards including DO-330 (DAL A) TQL1, EN 50128 (SIL 3/4) and IEC 61508 (SIL 3) T3 and ISO 26262 TCL3. The same SCADE model can be used to generate Ada or C code so that it’s easy to change from Ada to C or vice versa, and/or to generate both Ada and C code so the results can be cross-checked for resiliency in a high-safety environment.

Page 5: Deterministic Modeling and Qualifi able Ada Code Generation for … · 2018-05-22 · Deterministic Modeling and Qualifi able Ada Code Generation for Safety-Critical Projects If

Deterministic Modeling and Qualifi able Ada Code Generation for Safety-Critical Projects

If you’ve ever seen a rocket launch, fl own on an airplane, driven a car, used a computer, touched a mobile device, crossed a bridge or put on wearable technology, chances are you’ve used a product where ANSYS software played a critical role in its creation. ANSYS is the global leader in engineering simulation. We help the world’s most innovative companies deliver radically better products to their customers. By off ering the best and broadest portfolio of engineering simulation software, we help them solve the most complex design challenges and engineer products limited only by imagination.Visit www.ansys.com for more information.

Any and all ANSYS, Inc. brand, product, service and feature names, logos and slogans are registered trademarks or trademarks of ANSYS, Inc. or its subsidiaries in the United States or other countries. All other brand, product, service and feature names or trademarks are the property of their respective owners.

ANSYS, Inc.Southpointe2600 ANSYS DriveCanonsburg, PA [email protected]

© 2016 ANSYS, Inc. All Rights Reserved.

Substantial Reductions in Development and Verifi cation CostSCADE users have achieved substantial reductions in development and verifi cation cost. Users report that they have doubled the average number of executable lines of code developed per person per day, from fi ve for manual coding to 10 with model-based design, while also reducing execution time. Software certifi cation cost is reduced by an average of 50 percent. Cod-ing, review and testing cost are reduced by 70 percent to 90 percent. The software update cycle time is shortened by 65 percent to 75 percent. SCADE tools provide additional savings by eliminating manual coding errors and the need for low-level testing. The cost of design changes and associated testing throughout project lifecycle and testing cost is reduced by 70 percent to 90 percent.

ConclusionANSYS SCADE Suite provides a complete solution for development of high-integrity Ada applications, supporting the complete development cycle from system level, design level and testing. A formally defi ned modeling environ-ment provides all the inherent benefi ts of the model-based design approach while avoiding the ambiguity inherent in other Ada modeling environments. Modeling capabilities that rely on a formal notation ensure accuracy and de-terminism of the model behavior and enable automatic coding and automatic verifi cation of model consistency. A deterministic model-based development process supported by a qualifi ed tool chain delivers the following benefi ts:• Syntactic and semantic consistency checks of the model are automatic • Coding is automatic and source code review is not required• Design and verifi cation are done at the model-level, thus identifying

problems early in the development cycle• Verifi cation is primarily high-level and requirements-based• The same SCADE model generates ready-to-embed Ada or C code qualifi ed

according to DO-178C• SCADE Suite has a long track record of successfully certifi ed projects

5


Deterministic Methods

Deterministic Methods

Documents
Thomasson Industrial Qualifi cations Services

Thomasson Industrial Qualifi cations Services

Documents
RFC 8655: Deterministic Networking Architecture · 2019. 10. 17. · Deterministic Networking Architecture Abstract This document provides the overall architecture for Deterministic

RFC 8655: Deterministic Networking Architecture · 2019. 10. 17. · Deterministic Networking Architecture Abstract This document provides the overall architecture for Deterministic

Documents
Deterministic Scheduling

Deterministic Scheduling

Documents
English Language Qualifications(LCCIMKG-1002-05) · 3 About LCCI International Qualifi cations from EDI LCCI International Qualifi cations from EDI are off ered through a growing

English Language Qualifications(LCCIMKG-1002-05) · 3 About LCCI International Qualifi cations from EDI LCCI International Qualifi cations from EDI are off ered through a growing

Documents
CCE506: STOCHASTIC PROCESSES, DETECTION & ESTIMATIONmustafa-halabi.appspot.com/NOTESCCE506.pdf · de nition includes deterministic as well as non-deterministic signals. A deterministic

CCE506: STOCHASTIC PROCESSES, DETECTION & ESTIMATIONmustafa-halabi.appspot.com/NOTESCCE506.pdf · de nition includes deterministic as well as non-deterministic signals. A deterministic

Documents
Deterministic Modeling

Deterministic Modeling

Documents
Microassembly – deterministic

Microassembly – deterministic

Documents
Internationally Recognized British Qualifi cations Degrees Final.pdf• Internationally recognized British qualifi cations - NCC Education and Middlesex University. ... • Database

Internationally Recognized British Qualifi cations Degrees Final.pdf• Internationally recognized British qualifi cations - NCC Education and Middlesex University. ... • Database

Documents
Training Characteristics of Qualifi ers for the U.S. Olympic ...run-fit.com/wp-content/uploads/olympictrials.pdfpic Marathon Trials qualifi ers. Methods: All qualifi ers (104 men,

Training Characteristics of Qualifi ers for the U.S. Olympic ...run-fit.com/wp-content/uploads/olympictrials.pdfpic Marathon Trials qualifi ers. Methods: All qualifi ers (104 men,

Documents
MTFB | MTR60B - National Public Seating · mto60b 8 60"x60" 34"x86"x54½" 29"-17" 25"-13" 27"-15" 32"-20" ada-1 ada-1 ada-2 ada-2 ada-3 ada-1 ada-2 ada-3 ada-1 ada-2 stool & bench

MTFB | MTR60B - National Public Seating · mto60b 8 60"x60" 34"x86"x54½" 29"-17" 25"-13" 27"-15" 32"-20" ada-1 ada-1 ada-2 ada-2 ada-3 ada-1 ada-2 ada-3 ada-1 ada-2 stool & bench

Documents
Multiscale Geometric Integration of Deterministic and ... Geometric Integration of Deterministic and ... Multiscale Geometric Integration of Deterministic and Stochastic ... Kapitza’s

Multiscale Geometric Integration of Deterministic and ... Geometric Integration of Deterministic and ... Multiscale Geometric Integration of Deterministic and Stochastic ... Kapitza’s

Documents
Deterministic Annealing

Deterministic Annealing

Documents
Time Deterministic Java

Time Deterministic Java

Documents
Non Deterministic Automata

Non Deterministic Automata

Documents
The Role of Deterministic and Non-Deterministic Rule

The Role of Deterministic and Non-Deterministic Rule

Documents
Statement of Qualifi cations … · February 3rd, 2012 Statement of Qualifi cations. ATTACHMENT 3.1.2 0064-054-703, P101, R201 & C501 STATEMENT OF QUALIFICATIONS CHECKLIST AND CONTENTS

Statement of Qualifi cations … · February 3rd, 2012 Statement of Qualifi cations. ATTACHMENT 3.1.2 0064-054-703, P101, R201 & C501 STATEMENT OF QUALIFICATIONS CHECKLIST AND CONTENTS

Documents
Homogenization Results for a Deterministic Multi … · Homogenization Results for a Deterministic Multi-domains Periodic Control ... Homogenization Results for a Deterministic

Homogenization Results for a Deterministic Multi … · Homogenization Results for a Deterministic Multi-domains Periodic Control ... Homogenization Results for a Deterministic

Documents
Deterministic Design Process - Massachusetts Institute of ...web.mit.edu/2.75/lab/Deterministic Design Process 16 September 2014... · Deterministic Design Process ... •Powerful

Deterministic Design Process - Massachusetts Institute of ...web.mit.edu/2.75/lab/Deterministic Design Process 16 September 2014... · Deterministic Design Process ... •Powerful

Documents
Deterministic simulation testing

Deterministic simulation testing

Economy & Finance
Exploiting Negative Curvature in Deterministic and ... Negative Curvature in Deterministic and ... in our deterministic algorithms and provide the ... Curvature in Deterministic and

Exploiting Negative Curvature in Deterministic and ... Negative Curvature in Deterministic and ... in our deterministic algorithms and provide the ... Curvature in Deterministic and

Documents
Deterministic Petrophysics

Deterministic Petrophysics

Documents
Deterministic ethernet

Deterministic ethernet

Documents
International Qualifi cations Guide 2009/2010 - LCCI … Update/LCCI International Qualifications... · International Qualifi cations Guide 2009/2010 Tel. +44 (0) ... model answers,

International Qualifi cations Guide 2009/2010 - LCCI … Update/LCCI International Qualifications... · International Qualifi cations Guide 2009/2010 Tel. +44 (0) ... model answers,

Documents
LCCI International Qualifi cations Update Update/LCCI Update October 2011.pdf · LCCI International Qualifi cations Update. ... Level 3 Cost Accounting ... The Level 2 Certifi

LCCI International Qualifi cations Update Update/LCCI Update October 2011.pdf · LCCI International Qualifi cations Update. ... Level 3 Cost Accounting ... The Level 2 Certifi

Documents
Improving Convergence of Deterministic Policy … Convergence of Deterministic Policy Gradient Algorithms ... convergence of deterministic policy gradient algorithms on practical

Improving Convergence of Deterministic Policy … Convergence of Deterministic Policy Gradient Algorithms ... convergence of deterministic policy gradient algorithms on practical

Documents
Find out more about CIE's professional development qualifi … · 2019-05-30 · Conference, Kuala Lumpur 18. CIE’s professional development qualifi cations 20. Teacher training

Find out more about CIE's professional development qualifi … · 2019-05-30 · Conference, Kuala Lumpur 18. CIE’s professional development qualifi cations 20. Teacher training

Documents
Bayesian Prediction of Deterministic Functions, with ... · Bayesian Prediction of Deterministic Functions, with Applications to the ... Bayesian Prediction of Deterministic Functions,

Bayesian Prediction of Deterministic Functions, with ... · Bayesian Prediction of Deterministic Functions, with Applications to the ... Bayesian Prediction of Deterministic Functions,

Documents
Deterministic Modelling Biomechanic

Deterministic Modelling Biomechanic

Documents
Deterministic Performance Estimation

Deterministic Performance Estimation

Documents