Model-Based Software Development and Automated Code Generation for Safety-Critical Systems
Seminar: Advanced Topics in Software Engineering for Safety-Critical Systems
Author: Robert Traussnig
Advisor: Dr. Holger Giese
Paderborn, July 2004

F-22 Raptor
Cause: Bug in Flight Control Software
- 2 MLOC Ada Code
- 7 Billion Dollars Cost for Software
- 20 Years Software Development Time

Agenda
1. Motivation
2. Historical Overview and Trends
3. Model Based Software Development
5. Standards, Qualification and Certification
6. SCADE
7. Outlook and Conclusion

1. Motivation
- growing complexity of safety-critical software systems
- increasing development time and cost vs. time-to-market
- verification activities are cost-intensive and time-consuming
- software quality needs to be improved
2. Historical Overview and Trends
[Timeline: 70s, 80s, 90s, 00s, 10s]
- Manual Coding: Machine Code, Assembly
- Structured Programming: C, Ada (Subsets for Safety-Critical Applications, e.g. SPARK Ada)
- Object-Oriented Programming, e.g. FAA OOT Initiative
- Model-Based Software Development, e.g. SCADE

3. Model Based Software Development
[Diagram: Requirements and Design Document -> Software Model -> Automated Qualified Code Generator -> Source Code; Validation and Verification of the Software Model by Proof and Simulation]

3. Benefits of Model Based SW Development
- Model is the software specification: it is the unique point-of-reference in the project
- Source code is automatically generated from the model with a (qualified) Code Generator
- Code is correct and up-to-date by construction
- Documentation is automatically generated from the model: it is correct and up-to-date by construction
- Model can be used for simulation, using the same code as the actual implementation
- Formal proof techniques can be applied to the model to detect bugs or prove safety properties

3. Model Based Software Development
UML (Unified Modelling Language) in the FUJABA tool: Just Draw It!
3. Model Based Software Development
[Diagram: evolution over time, from Manual Coding (Programming, Code Standard) to Automatic Code Generator (Generating Code) to Qualified Code Generator (No Code Test) to Design Verifier (Automated Design Verification)]

3. From the V-Model to the Y-Model
(diagram)

- average development & test of 10.000 Lines of Code (KLOC) of DO-178 level B avionics software: 16 man-years
- cost of a minor bug detected in flight is between $100K - $500K
- cost of a major bug is between $1M - $500M
-> Airbus decided in the early 80s to introduce automated code generation.

On-Board Software
[Chart: on-board software size in MBytes for A 310 (1970s), A 320 (1980s), A 340 (1990s)]
Errors detected per 100 KBytes of code
[Chart: errors per 100 KBytes of code for A 310 (1970s), A 320 (1980s), A 340 (1990s, 70 % ACG code)]

A340/600 FCSC (Flight Control Secondary Computer):
- 70 % automatically generated code
- 50 % reduction in development cost
- reduction in modification cycle time by factor 3
- No software bug ever detected in flight (including flight test) since the beginning of the use of ACG for Fly-By-Wire software. [F. Pothon, Airbus France]

5. Standards, Certification and Qualification
Relevant Standards for Safety-Critical Software:
- RTCA DO-178B (Civil Aircraft), 1980 and 1992
- ARP 4754
- IEC 61508 Functional Safety of Electrical / Electronic / Programmable Electronic Safety-Related Systems

5. Standards, Certification and Qualification
DO-178B Software Criticality Levels
[Diagram with example systems: Flight Control Systems, Backup Systems, Warning Systems]
5. Standards, Certification and Qualification
Qualifiable: Tool has been developed in such a way that it is prequalified or qualifiable, which means that it is ready for qualification on specific projects.
Qualified: On a per-project basis only. Tool Criticality Level has to match the final Software Criticality Level.
Certified: Legal recognition by the certification authority that a product, service, organization or person complies with the requirements.

5. Standards, Certification and Qualification
Qualification Requirements of the Automated Code Generator (ACG) with respect to DO-178B:
- ACG defined as: Tool whose output is part of the airborne software and thus can introduce errors
- DO-178B, section 12.2.1: If a software tool is to be qualified, the software development processes for the tool should satisfy the same objectives as the software development processes of airborne software. The software level assigned to the tool should be the same as that for the airborne software it produces.

6. SCADE: Introduction
- SCADE (Safety Critical Application Development Environment)
- Developed 1997 by Airbus Industries
- Since 2001 development and distribution by Esterel Technologies
- De-facto Standard in Aerospace and Nuclear Power Plant Industries
- Core Application for the EU-SafeAir (ASDE: Avionics Systems Development Environment) Project

6. SCADE: Process
(diagram)
6. SCADE: Software Requirements Specs
I. Continuous Control: Block diagrams for Continuous Control
[Diagram: Traditional Control Schema vs. SCADE Representation of Control Schema]

6. SCADE: Software Requirements Specs
II. Hierarchical and Concurrent State Machines

6. SCADE: Generated Safe Code
- no pointer arithmetic, no dynamic memory allocation
- no operating system calls
- fixed-length loops for arrays or delays
- code is traceable to the model: nodes, variables and constants

7. Outlook and Conclusion
- Model-Based Development is a new paradigm for safety-critical software
- Automated Code Generation reduces time-to-market and cost while increasing quality
- Aerospace Industry is driving the use of tools and definition of new standards (FAA DO-178C including MBD and ACG)
- Limits and Constraints:
  - few qualified tools available
  - no qualified compiler yet
  - manual coding still necessary
  - steep learning curve for developers
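Added example, not from the slides and not SCADE output: hand-written C in the style of the generated safe code described above, for a hypothetical model node RateLimiter with one constant and a pre() memory. It shows static context memory instead of dynamic allocation, a loop whose length is a model constant, array indexing instead of pointer arithmetic, no OS calls, and names that trace back to the model's node, variables and constants.

```c
/* Illustration of the rules on the "Generated Safe Code" slide.
 * Hand-written in the style of generated code, NOT SCADE output;
 * the model node "RateLimiter" and its variables are hypothetical. */
#include <stdint.h>
#include <stdbool.h>

/* Constant from the model: array length fixed at design time, so every
 * loop below has a fixed bound and nothing is allocated at run time. */
#define N_CHANNELS 3u

/* All memory of node RateLimiter lives in this statically sized context;
 * pre_out holds the value of the model operator pre(out). */
typedef struct {
    bool  init;                  /* true until the first cycle has run */
    float pre_out[N_CHANNELS];
} RateLimiter_ctx;

/* Traceable to the model node: reset puts the context in its initial state. */
void RateLimiter_reset(RateLimiter_ctx *ctx)
{
    uint32_t i;
    ctx->init = true;
    for (i = 0u; i < N_CHANNELS; i++) {   /* fixed-length loop */
        ctx->pre_out[i] = 0.0f;
    }
}

/* One synchronous cycle of the node. Model equation per channel:
 *   out = in -> pre(out) + clamp(in - pre(out), -max_step, max_step)
 * i.e. the first cycle passes the input through, afterwards the output
 * moves at most max_step per cycle. Arrays are indexed, never walked
 * by pointer, and no library or OS call is made. */
void RateLimiter_step(RateLimiter_ctx *ctx, const float in[N_CHANNELS],
                      float max_step, float out[N_CHANNELS])
{
    uint32_t i;
    for (i = 0u; i < N_CHANNELS; i++) {   /* fixed-length loop */
        float prev  = ctx->init ? in[i] : ctx->pre_out[i];
        float delta = in[i] - prev;
        if (delta > max_step) {
            delta = max_step;
        } else if (delta < -max_step) {
            delta = -max_step;
        }
        out[i] = prev + delta;
        ctx->pre_out[i] = out[i];        /* memory for next cycle's pre(out) */
    }
    ctx->init = false;
}
```

The context struct is the only state, so a scheduler can call RateLimiter_step once per cycle from static storage, which is what makes the code analysable for worst-case timing and memory without a test of the generated code itself.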
Thank you for the Attention!
Questions, please.