Quality Assurance of Models for Autocoding



Similar documents
Certification of a Scade 6 compiler

SCADE Suite in Space Applications

Model Based System Engineering (MBSE) For Accelerating Software Development Cycle

F-22 Raptor. Agenda. 1. Motivation

Introduction of ISO/DIS (ISO 26262) Parts of ISO ASIL Levels Part 6 : Product Development Software Level

Power inverters: Efficient energy transformation through efficient TargetLink code

Development of AUTOSAR Software Components within Model-Based Design

Aircraft & Defense Vehicle Simulation Lab

LISA Pathfinder SUMMARY

Software Production. Industrialized integration and validation of TargetLink models for series production

INTEGRATION OF THE CODE GENERATION APPROACH IN THE MODEL-BASED DEVELOPMENT PROCESS BY MEANS OF TOOL CERTIFICATION

Continuous Integration Build-Test-Delivery (CI-BTD) Framework in compliance with ISO26262

Certification Authorities Software Team (CAST) Position Paper CAST-13

Abstract Interpretation-based Static Analysis Tools:

Caterpillar Automatic Code Generation

SOFTWARE DEVELOPMENT STANDARD FOR SPACECRAFT

Software Development Principles Applied to Graphical Model Development

MODEL-BASED DEVELOPMENT OF AUTOMOTIVE EMBEDDED SOFTWARE IN COMPLIANCE WITH ISO 26262: CHALLENGES & EFFECTIVE SOLUTIONS 8 JUNE - 9 JUNE 2015

Requirements Engineering Management Findings Report

Criteria for Software Tools Evaluation in the Development of Safety-Critical Real-Time Systems 1

SPiCE for SPACE: A Process Assessment and Improvement Method for Space Software Development

Best Practices for Verification, Validation, and Test in Model- Based Design

PRESENTATION SPACE MISSIONS

Model-Based Development of Safety-Critical Software: Safe and Effi cient

Christie Price Subcontract Administrator Lockheed Martin Corporation South Wadsworth Blvd. Littleton, CO 80125

ENEA: THE PROVEN LEADER IN SAFETY CRITICAL AVIONICS SYSTEMS

IBM Rational Rhapsody

DO-178B compliance: turn an overhead expense into a competitive advantage

TÜ V Rheinland Industrie Service

ESA s Data Management System for the Russian Segment of the International Space Station

Quality Assurance Methods for Model-based Development: A Survey and Assessment

MathWorks Automotive Conference 2015 Simon Fürst, 2015/09/24. MODEL-BASED SOFTWARE DEVELOPMENT: AN OEM S PERSPECTIVE.

Integrated Project Management Tool for Modeling and Simulation of Complex Systems

Technical Data Sheet SCADE R17 Solutions for ARINC 661 Compliant Systems Design Environment for Aircraft Manufacturers, CDS and UA Suppliers

Critical Systems and Software Solutions

Rapid Modular Software Integration (RMSI)

On-board Software Reference Architecture for Payloads

Aerospace Engineering: Space Stream Overview

Converting Models from Floating Point to Fixed Point for Production Code Generation

Requirements Management John Hrastar

Software Engineering Reference Framework

Department of Finance and Deregulation 2011/004 Portfolio Panels for IT Services ATTACHMENT A

5 Certifiable safe airborne software process analyses

A Study on Software Metrics and Phase based Defect Removal Pattern Technique for Project Management

SCOPE PRESENTATION INTRODUCTION

Best practices for developing DO-178 compliant software using Model-Based Design

Automating Code Reviews with Simulink Code Inspector

etamax space GmbH Company Presentation

The «SQALE» Analysis Model An analysis model compliant with the representation condition for assessing the Quality of Software Source Code

Making model-based development a reality: The development of NEC Electronics' automotive system development environment in conjunction with MATLAB

What is a life cycle model?

Qualifying Software Tools According to ISO 26262

System Engineering Data Repository

Achieving Functional Safety with Global Resources and Market Reach

Executive Summary - 1 -

Your Software Quality is Our Business. INDEPENDENT VERIFICATION AND VALIDATION (IV&V) WHITE PAPER Prepared by Adnet, Inc.

Software Engineering for Software-Intensive Systems: III The Development Life Cycle

How cloud-based systems and machine-driven big data can contribute to the development of autonomous vehicles

Rigorous Methods for Software Engineering (F21RS1) High Integrity Software Development

ARINC 653. An Avionics Standard for Safe, Partitioned Systems

Testing of safety-critical software some principles

Efficient Verification for Avionic Product Development

Why it may be time to consider Certified Avionics for UAS (Unmanned Aerial Vehicles/Systems) White paper

Embedded Software Development with MPS

Verification and Validation According to ISO 26262: A Workflow to Facilitate the Development of High-Integrity Software

AN EVALUATION OF MODEL-BASED SOFTWARE SYNTHESIS FROM SIMULINK MODELS FOR EMBEDDED VIDEO APPLICATIONS

Mission Operation Ground. ESA. Mario Merri GSAW, Los Angeles, USA 2 Mar 2011 ESA UNCLASSIFIED

1.1 The Nature of Software... Object-Oriented Software Engineering Practical Software Development using UML and Java. The Nature of Software...

Aerospace Information Technology Topics for Internships and Bachelor s and Master s Theses

Meeting DO-178B Software Verification Guidelines with Coverity Integrity Center

Reduce Medical Device Compliance Costs with Best Practices.

Criteria for Flight Project Critical Milestone Reviews

EHOOKS Prototyping is Rapid Again

Cisco Services for IPTV

Using Model and Code Reviews in Model-based Development of ECU Software Mirko Conrad, Heiko Dörr, Ines Fey, Ingo Stürmer

Operability in the SAVOIR Context

Highlights & Next Steps

Software Project Management Plan. Team Synergy Version: 1.0 Date: 1/27/03

How To Develop A Telelogic Harmony/Esw Project

Continuous Engineering in practice

Space product assurance

AIRBUS Avionics and Simulation Products Open Source modeling tools in embedded projects

Wiederverwendung von Testfällen bei der modellbasierten SW-Entwicklung

Software: Driving Innovation for Engineered Products. Page

DEDICATED TO SOLUTIONS. Automotive System and Software Development

Using the Agile Methodology to Mitigate the Risks of Highly Adaptive Projects

Software Verification/Validation Methods and Tools... or Practical Formal Methods

Parameters for Efficient Software Certification

4 Applying DO-178B for safe airborne software

CASS TEMPLATES FOR SOFTWARE REQUIREMENTS IN RELATION TO IEC PART 3 SAFETY FUNCTION ASSESSMENT Version 1.0 (5128)

System Software Product Line

Outline. III The Development Life Cycle. Characteristics of Software Development Methodologies. The Prototyping Process

Transcription:

Quality Assurance of Models for Autocoding Ann Cass, Pierre Castori S YNS PACE AG Hardstrasse 11 CH - 4052 Basel ac@synspace.com, pc@synspace.com Abstract: Automatic Code Generation is an emerging technology that holds great promise for future generations of embedded systems. However, ACG raises many fundamental questions about model and code quality. A series of experiments promise to provide an enhanced approach to Software Quality Assurance in order to allow autocoding to become a trusted industrial solution for on board space software. 1 Introduction In the recent years, the automatic generation of source code based on a model of the system or software (autocoding) has received increased attention from the embedded software community. In fact, modelling and autocoding are now among the main challenges for improving the development of safety-critical embedded software. Impressive benefits have been reported by the companies who have played a key role in the industrial use of this technology, such as Airbus, BMW and Eurocopter: Cost reduction up to 50%, shorter lead times through executable specifications, (almost) immediate availability of changes in the software, etc. [Ca02, EST, Ba03]. The space industry is taking note of these benefits and several projects have studied the technical feasibility of autocoding the control software that flies on board satellites [TAV99, Co00, OSA]. Modelling is currently used in the space industry for mission feasibility studies and for describing and simulating the behaviour of algorithms in particular for Guidance, Navigation, and Control (GNC) systems. However, up until now, these models have rarely been usedfurther in the development process. Autocoding opens these possibilities but requires a greater understanding and control on the quality of source models and generated code than classical coding. In addition, modelling and automatic code generation have a strong impact on the development process and require new or modified practices. These difficulties need to be tackled and solved before autocoding becomes a 'standard' way of working in the industry. Such challenges are faced by other safety critical embedded domains as well such as aerospace and automotive [ET03, BM02, HS01]. The European Space Agency (ESA) has identified modelling and autocoding as cornerstones of its technology roadmap for the development of spacecraft over the next decade in the programme European Harmonisation in On-Board Software and has 501

launched a project "Automatic Code Generation"1 (ACG) to demonstrate the possibility of using autocoding for safety critical embedded systems. A series of experiments will provide detailed insight into the impact of modelling and autocoding on the specification, design, coding and validation phases. These experiments (performed by space industrials and described in more detail in [ CZ04, ZL05]) investigate the feasibility of ACG by autocoding parts of software already developed for previous space missions. The experimental situation is rich as the original software and the project validation facilities are still available for use and comparison. In addition, the history of the original mission projects (e.g. time and effort spent, changes to requirements, etc) is available and provides a solid baseline for observing differences in the autocoding development process. The experiments use some of the ACG tools leading in the market today (dspace TargetLink, ESTEREL Technologies SCADE, Telelogic Tau G2). They will identify potential problems or risks with modelling and autocoding and support the definition of suitability criteria for autocoding environments to be used in the production of embedded systems. Finally, the project will provide constructive guidelines that enable the effective use of autocoding. Meanwhile, SYNS PACE is responsible for the Quality Assurance and Safety aspects of the experiments. As modelling and code generation affect a variety of software engineering activities, the corresponding QA processes must also be adapted to ensure the fulfilment of quality requirements. Our focus in the study is thus twofold: - To assess whether Automatic Code Generation can be successfully used for producing safety- or mission-critical software, - To assess and advise what changes should occur to quality assurance processes (and therefore the relevant space standards) to incorporate ACG. 2 Adapting the QA Process for Modelling and Autocoding Defining a consistent strategy for Quality Assurance in an ACG lifecycle represents a significant innovation, as ACG affects many areas of the software development process and raises fundamental issues about quality. New QA activities must be identified to ensure that quality requirements for the product and process are fulfilled. For the ACG project, S YNS PACE has identified a number of modifications to the traditional space QA process. These are represented in the form of changes to ECSS-Q-80 [EC03], the European space standard for software QA. All proposed changes remain to be confirmed during the experiments, but a few are described in this section. In terms of product quality assurance, ACG raises fundamental questions about the importance of certain classic code quality attributes such as readability, complexity and modularity. In addition, the quality control of the autocode model takes on an important significance. Quality properties must be defined and verified for models that 1 This work is supported by ESA/ESTEC Contract No. 18056/04/NL/JA. The ACG project consortium includes EADS ST, SciSys, BSSE, and SYNSPACE. 502

ensure the quality of the code generated. This leads to a new focus on measures of model quality and modelling standards, described in the sections below. 2.1 Measures of Model Quality QA must establish the expected quality characteristics both of the final product and of intermediate work products (specifications, designs etc). For traditional manual development, a defined set of quality attributes exists for source code. Indeed the current quality standards applicable for the development of European space software [ EC03] contain a number of requirements on attributes which represent code quality, but no such quality requirements are defined for models used for autocoding in industry. It is not even clear to what extent it is possible to define generic quality attributes that are independent of the specific modelling languages. In the study, a first examination is to be performed, seeing if certain measures associated with code quality (e.g. McCabe complexity) can also be adapted to apply for autocode models, or at least if certain measures can be defined to control the generation of code. 2.2 Modelling Standards A common approach to ensuring higher quality autocode is to restrict the use of the modelling language. This has been observed as an effective means of improving performance by removing constructs that are not efficient for the target compiler [Co00]. Code size can be decreased by 30% using very simple rules such as declaring that only one instance of a process is authorised at execution time. The declaration of procedures as inline is another such possible rule [MO98]. This shows that modelling for autocode encompasses more than just defining a correct model of the system or software. Tailoring of the model and configuration of the tool used to produce code is also a key part. Therefore a complete set of rules specific to the modelling language and tool used (called a modelling standard) must be defined. In [Ba03], experiments made at the BMW Group show a reduction of 55% in size and 77% in execution time of the generated code just by using a set of 70 rules at the modelling level. [TAV99] considers that appropriate design rules might be needed to achieve a correct level of numerical accuracy. Some authors even believe that the main obstacle preventing widespread acceptance of ACG in safety-related projects is the lack of industry-wide definitions and modelling standards against which models can be verified [ Fr03]. One notable exception is the MAAB Style Guide, a modelling standard in the automotive domain [MA01], which includes rules to prevent inefficient or unreadable code as well as errors in the code or with code generators and compilers. In the ACG experiments, modelling standards will be applied by the projects for the different modelling languages used. These standards will be refined based on the result of code quality analyses as well as validation testing. 2.3 QA of the Modelling and Autocoding Process In terms of the quality assurance of the development process, ACG introduces a number of issues including the need to assess the translation between the model and the code and possibly the certification, qualification or fitness requirements of the tools composing the autocoding environment [ OH00]. Other issues include ensuring traceability between 503

elements in models and software requirements, ensuring the configuration control of autocode models (i.e. tracking versions and changes made to models), and managing upgrades in the code generation tools. A critical aspect of process assurance focuses on ensuring safety. During the original baseline projects, software safety analyses were performed placing certain constraints on the on the design of the software. This was particularly the case for the experiment Monitoring and Safety Unit of the Automated Transfer Vehicle. Used for managing the docking manoeuvre as it joins the International Space Station, this subsystem represents the highest possible level of safety critical space software. The consequences of this original safety analysis were in the form of constraints: requirements added to the software requirements specifications to cover e.g. conditions for reporting bad health status, actions to be performed when some units report bad health status, new actions to be performed within precise time ranges or design constraints added to architectural and detailed designs: e.g. partitioned memory and redundancy. Studies such as the SETTA project [SE02] have highlighted that decoupling can occur between the functional development process and the safety analysis process. The focus in the ACG experiments will be to see if these original design constraints are still relevant and are feasible to implement in the autocode models and autocoding development process. 3 QA in the ACG Experiments Findings from the experiments will come from three main sources: - Metrics from a quality model for autocode, - Code analysis and reviews, and - Lessons learned workshop. S YNS PACE has developed a quality model for the experiments, based on a tailoring of an ISO 9126 conformant quality model developed for the space domain [SP02]. Of particular interest are the quality attributes associated with code functionality, reliability, maintenance and safety as well software development and system engineering effectiveness. Additional metrics are included to cover quality aspects of the autocode models (e.g. size, complexity) as discussed above. Overall project productivity and reactivity (time to change) will also be evaluated. Two code reviews are planned during the implementation phase. These analyses of the generated code will be performed by S YNS PACE to provide insight on the quality of the generated code and the effectiveness of modelling standards applied. S YNS PACE will use the TICS [TIO] tool to verify that the generated code is in compliance with the MISRA C coding standards [ MI98]. 4 Conclusion 504

Automatic Code Generation is an emerging technology that holds great promise for future generations of embedded systems. However, ACG raises many questions about model and code quality. An enhanced and thoughtful approach to Software Quality Assurance is, therefore, required to allow autocoding to become a trusted industrial solution. As a practical result of the experiments, changes to standards and guidelines are proposed which can be widely used for mission- and safety-critical software. 5 References [Ba03] Baumgartner, W., Turbo für den C-Code, RealTimes 2-2003, BMW Group, 2003. [BM02] Bostic, D., Milam, W. P., Wang, Y., Cook, J. A., SmartVehicle Baseline Report Embedded Software Analysis and Generation, Ford Motor Company, May 2002. [Ca02] Camus, J. L., Efficient Development of Avionics Software with DO-178B Safety [Co00] Objectives, Esterel Technologies, 2002. Conquet, E., SPACES: Software Production Using Automatic Code Generation for Embedded Systems, Process Improvement Experiment, Final Report, ESSI Project Number 27931, Astrium, May 2000. [CZ04] Cormery, P., Zindy, G., Conquet, E., Automatic Code Generation in Space On-Board Applications: From R&D to Industrial Use, Proceedings of the DASIA 2004. [EC03] ECSS-Q-80B, Product Assurance : Software Product Assurance, 10 October 2003. [EST] Esterel Technologies, Faster and Cheaper Level A Software Certification with SCADE, Eurocopter. [ET03] ETAS, Generating Efficient Production Code, ETAS, ASCET case Study No 4, [Fr03] December 2003. Frost G. (Ricardo Tarragon Ltd.), Automatic code generation for safety-critical systems, MIRA New Technology 2003. [HS01] Heintz, P., Siller, A., Waldmann, P., ASCET-SD Traffics Trade Safe rail vehicles thanks to ETAS tools, RealTimes 1-2001, 2001. [MA01] The MathWorks Automotive Advisory Board (MAAB), Controller Style Guidelines for Production Intent Using MATLAB, Simulink and Stateflow, Version 1.00, April 2001. [MI98] MISRA-C:1998 Guidelines for the Use of the C Language in Vehicle Based Software, ISBN 0 9524156 9 0, April 1998. [OH00] O'Halloran, C., DERA, Issues for the Automatic Generation of Safety Critical Software, Proceedings of the Fifteenth IEEE International Conference on Automated Software Engineering (ASE'00), p. 277, September 11-15, 2000, Grenoble, France. [OSA] O'Donnell, J. R., Stephen, D., Andrews, F. et. al., Development and Testing of Automatically-Generated ACS Flight Software for the MAP Spacecraft, NASA Goddard Space Flight Center. [SE02] The SETTA Consortium, Systems Engineering for Time Triggered Architectures Final Document, Deliverable D7.3, Version 1.0, April 2002. [SP02] ESA/ESTEC SPEC/TN3 V3.4 Space Domain Specific Software Product Quality Models, Requirements and Related Evaluation Methods, February 2002. [TAV99] Teraillon, J.L., Ankersen, F., Vardanega, T., Carranza, J.M., Automatic Code Generation [TIO] [ZL05] and Space On-Board Software, Proceedings of the DASIA 1999 conference. TIOBE Coding Standards Framework. See www.tiobe.com Zindy, G., Lacan, Ph. et. al, Automatic Code Generation: Issues and Solutions, Proceedings of the DASIA 2005 conference. 505

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information