Certification of a Scade 6 compiler

Certification of a Scade 6 compiler F-X Fornari Esterel Technologies 1

Introduction Topic : What does mean developping a certified software? In particular, using embedded sofware development rules! What are the constraints and the challenges? Presentation of DO-178B Context, and what it is How it was applied for KCG 6.0.1 What is the process for a tool such as KCG What are the impacts / the choices 2

Esterel Technologies - Mission To provide critical embedded system and software developers a certified, domain optimized, modelbased development environment and associated services to reduce time-to-deployment, and as required, time-to-certification for: DO-178B Aerospace and Defense EN 50128 Rail Transportation IEC 61508 Industrial and Transportation IEC 60880 - Nuclear 3 Esterel Technologies Copyright - An Esterel ISO 9001:2000 Technologies Certified - SYNCHRON Company 2008 - Confidential Aussois & Proprietary

Who We Are Founded in 1999 ISO 9001:2000 Certified for Design and Sale of Critical Software Tools and Services Core competency: Critical embedded systems modeling and application development Worldwide presence Direct : USA/Canada/France/Gemany/UK/China Via channels: India/Israel/Italy/Japan/Korea/Russia/Spain/Turkey 4

Model-Based Development for Critical Embedded Systems and Software Existing Capabilities Control Engineering Embedded Software On-Board Embedded Graphics 5 Esterel Technologies Copyright - An Esterel ISO 9001:2000 Technologies Certified - SYNCHRON Company 2008 - Confidential Aussois & Proprietary

The SCADE Certified Software Factory SYSTEM SPEC DESIGN VERIFY GENERATE SYSTEM TEST Debugging & Simulation Formal Verification SCADE Suite KCG Algorithm Design Capture Model Coverage Analysis Object Code Verification SCADE Suite/SCADE Display Integration RTOS Adaptors SCADE Display KCG Architecture Design Capture Graphical Animation Ergonomics Checking 6 Requirements Management Gateway Integrated Configuration Management Automatic Design Documentation Esterel Technologies Copyright - An Esterel ISO 9001:2000 Technologies Certified - SYNCHRON Company 2008 - Confidential Aussois & Proprietary DO-178B IEC 61508 EN 50128 Qualification Kits, Certificates & Handbooks

What is Unique About SCADE? SCADE is being developed specifically to address critical embedded system and software applications SCADE is certified/qualified according to following international safety standards: DO-178B qualification up to Level A Aerospace & Defense IEC 61508 certification up to SIL 3 Transportation & Industry EN 50128 certification up to SIL 3/4 Rail Transportation IEC 60880 full compliance Nuclear industry 7 Esterel Technologies Copyright - An Esterel ISO 9001:2000 Technologies Certified - SYNCHRON Company 2008 - Confidential Aussois & Proprietary

Certification In Avionics Avionic industry is the most regulated one 1st international conference in 1910! Everything is ruled: Conception, Transportation, Crew,.. Noise, Population health, Leisure Components must be conceived such that: Defects wrt flight security take-off or landing are EXTREMELY UNPROBABLE, and do not result from simple cause Any other defects are IMPROBABLE Failure Condition Classification Severy Matrix Degree of redundancy 1 (double fault) 0 (single fault) 2 (triple fault) Catastrophic A B C Hazardous B C D Major C D E Minor D E E No Safety Effect E E E 8

DO 178 B DO-178 B is a mean of conformity for embedded software It is in general not feasible to assess the number or kinds of software errors, if any,that may remain after the completion of system design, development, and test. DO- 178B/ED-12B, provides acceptable means for assessing and controlling the software used to program digital computer-based systems Based on 5 principles: Well-defined software engineering processes Everything must be always verified Independent authority assesses respect of objectives Norm must be agreed by every one Manufacturers are responsible of the means 9

Benefits of Using A Certified ACG Objective 1 Low-level requirements comply with high-level requirements. 2 Low-level requirements are accurate and consistent. Verification Not eliminated Automated 3 Low-level requirements are compatible with Lots verification activities target computer. Not eliminated 4 Low-level requirements are verifiable. Eliminated 5 Low-level requirements conform to standards. Automated 6 Low-levels Accuracy requirements of are requirements traceable to highlevel Not eliminated requirements. 7 Algorithms Accuracy are accurate. of algorithms Not eliminated 8 Software architecture is compatible with highlevel Not eliminated requirements. 9 Software Architecture architecture is consistent. Automated 10 Software architecture is compatible with target Not eliminated computer. 11 Software architecture is verifiable. Eliminated 12 Software architecture conforms to standards. Automated 13 Software partitioning integrity is confirmed. Not eliminated Source code versus requirements High-Level requirements = Low-level Requirements Objective Verification 1 Source Code complies with low-level requirements Eliminated 2 Source Code complies with software architecture Eliminated 3 Source Code is verifiable Eliminated 4 Source Code conforms to standards Eliminated 5 Source Code is traceable to low-level requirements Eliminated 6 Source Code is accurate and consistent Eliminated 7 Output of software integration process is complete Not eliminated and correct 10

Certification of KCG 6.0 Scade 6 + KCG 6.0.1 Use of a formally defined language Use of a certified tool How? DO-178 B expects specific activities for embedded software Do the same for KCG, with proper arguments, since it runs on a PC Level of qualification is the same as targetted applications A Other norms (transport mainly) By equivalence when possible (most of the case) Or add specific activities 11

D0-178 B Implementation SW Planning Process Plans & standards Plans & standards SW Requirements Process Traceabilty HLR/LLR HLR SW Design Process Traceabilty LLR/Source code LLR & Architecture SW Coding Process Development processes Source code & object code Integration Process Integrated Executable code HLR, LLR & Architecture, source code & object code, integrated executable code Traceability Syst Req/HLR, HLR/LLR & LLR/Source code Verification/SCM/SQA Records SW Accomplishment Summary SW Verification Process SW Configuration Management Process SW Quality Assurance Process Certification Liaison Process Integral processes 12

Initial Phase Assessment of the new Scade 6 language Done in collaboration with Verimag, LIP6 Also inspired from Esterel SyncCharts implemented with a prototype Project starts, with Planning Phase Tool Qualification Plan Development & environment (tools, methodologies, CM, ) Standards (specs, design, coding, tests) All these documents must be reviewed and accepted. This will be the case for any docs. 13

Use Of Caml Caml was very natural for R&D It is very-well suited for compilers (ACG..) Prototype already in caml But: DO-178 B: Use the best language for a given project Domain is very conservative : Use C (or possibly instantiated C++) Need to: Demonstrate the compatibility between DO-178 B and caml Ex: analysis of ocaml bug list Find means to assess that generated code is under control! This generated various activities detailed later 14

Specifications Scade 6 language : powerfull but understandable Safe State Machines à la Esterel, but simplified Arrays, with controlled dynamic indexation Iterators (map, fold, ) Better control blocks: activation blocks Specifications: Opportunity to formalize the language Opportunity to rewritte the specification of the tool itself Need to take into account GUI needs, so we got A textual language Its enriched equivalent in XML for graphical purposes 15

High-Level Requirements x = pre(y) Textual Scade Textual Scade KCG C Code XML Scade other <Equation> <lefts> <VariableRef name="_l21"/> </lefts> <right> <!-- pre (_L18) --> <PreOp> <flow> <ListExpression> <items> <IdExpression> <path> <ConstVarRef name="_l18"/> </path> </IdExpression> </items> </ListExpression> </flow> </PreOp> </right> <pragmas> <ed:equation oid="win_19e/5348/624/3c3ef06e/4fae"/> </pragmas> </Equation> 16

Design 2 Levels: 1 - Architecture of the software: the binaries, and the global flows 2a- Detailed design : functions specifications must be very closed to code. 2b- Derived requirements : not related to high-level requirements libraries, runtime Main difficulties: High-level requirements must be linked to Low-level requirements Hierarchy is theoritically possible, rarely in pratice Data coupling & control coupling Check of all data ranges => how for a compiler? Use of an integrated approach to eliminate that point 17

Coding Use of caml Without objects, nor experimental features For all 3 binaries: kcg (toplevel), x2s, and s2c Libraries Fully documented, and unit tested Runtime Partially rewritten, in particular GC simple stop&copy. Memory increase is done by steps. 18

Verification Covers various activities Major part in DO-178 B Validation = testing Unit testing, HLR testing Verification Respect of standards (Specs, Design, Coding, Tests) Of phases outputs (Plans, Specs, Design, Coding, Tests) Done in extenso by the team, with independency Done by sampling by quality engineer All activities are traced Possible Deviations or Request for improvements In Tool Accomplishment Summary/Safety Case documents 19

Specific Verifications Check of generated object code Check that the output of C / caml compilers are traceable to source, or can be justified Based on significant samples for C, and specific study for caml (Paris VII) Justification of system/libraries calls Demonstration of safety 100% MC/DC expected Done on C and ML. Also done on generated code from tests Safety analysis Required for EIC 61508/EN 50128 Impact of environment: user, system (Windows!), on tool behavior 20

Verification Tools Concept (DO-178 B) A tool that can automatize verification activities, without introducing errors Must be qualified as verification tool Qualification is: A plan, requirements on specific usage, tests, results & verifications. Should be done for anything that is used for automation Tools used: RTRT (IBM), Reqtify (Geensys), kcgsim, mlcov, diff 21

mlcov Mlcov Joint work with Paris VII provides structural & MC/DC coverage for caml Best technical paper PADL 08. Available on Esterel Tech. Web site. 22

Mlcov reports 23

Summary Developping a tool level A (or SIL3/4) Impact on Scade 6 definition (user context in mind) Formal semantics of the language: new kind of requirements Use of caml New approach in that domain Required justification, new GC, specific analysis Development of a specific MC/DC tool grey box testing: A way to fulfill DO-178 B requirements, while being manageable Got a certified KCG 6.0.1 tool, BUT. 24

KCG 6.0.1: Context of use SCADE Scade model Certified Is that OK on disk? KCG C Code Is there any problem? Target comp 25 Binary

KCG 6.0.1: Context of use SCADE Scade model Certified Reporter KCG Verification tool Is there any problem? C Code Target comp 26 Binary

KCG 6.0.1: Context of use SCADE Scade model Certified Reporter KCG Verification tool CVK C Code Target comp 27 Test Suite Binary

28