SCADE Suite in Space Applications at EADS
David Lesens
09/10/2008
Overview
- Introduction
- Historical use of SCADE at EADS Astrium ST
- Why using SCADE?
- The Automatic Transfer Vehicle (ATV)
- M51 and Vega
- R&T preparing the future
- Model transformation
- Assessment of SCADE 6
- Points to be improved
- Conclusion
29/04/2010 p2
Astrium: part of EADS, a global leader in aerospace and defence
- Commercial Aircraft: No. 1
- Helicopters: No. 1
- Missile Systems: No. 2
- Astrium: No. 3
- Military Transport Aircraft: No. 3
- Military Air Systems: No. 4
Astrium's activities are based in three key areas
- Astrium Space Transportation: the European prime contractor for civil and military space transportation and manned space activities
- Astrium Satellites: a world leader in the design and manufacture of satellite systems
- Astrium Services: at the forefront of satellite services in the secure communications, Earth observation and navigation fields
An impressive product and capability portfolio
- Launchers: Ariane, Soyuz, Rockot, Vega
- Ballistic missiles, missile defence
- Future launchers
- Orbital systems: Columbus, ATV, operations, atmospheric re-entry systems
- Propulsion & equipment
- System design, system integration & production
Why using SCADE?
The classical V development cycle: late detection of errors
[Figure: V cycle with the phases Specification, Design, Code, Unitary tests, Integration, Validation and Qualification, fed by GNC studies, data and spacecraft management. An error introduced early is only detected on the right-hand branch; the figure marks the delay for the error detection and the delay for the error correction.]
Reduction of delays and costs
[Figure: the same cycle with a software model between specification and code. Labels: fusion of specification & design; early validation by simulation and proof; unitary & integration testing at model level; automatic test generation and test replay; automatic code generation; decrease of the number of late errors; immediate correction. Inputs: GNC studies, data, spacecraft management; final phases: validation, qualification.]
Model Driven Engineering
A model shall allow:
- The communication between the different teams
  - System teams (GNC, vehicle, thermal, operations, ...)
  - Software teams (architect, specification, design, development, ...)
  - And also customers and external reviewers
- An early verification via strong semantics, ensuring
  - Consistency
  - Completeness
  - Formal model, and possibility of proof
  - Non-ambiguity
  - Model simulation
- And automatic code generation
Model or programming language?
[Figure: languages placed along an "abstraction & semantics" axis: SCADE, Ada, C++, C, Simulink / Matlab or S-functions, assembly language, binary code.]
The Automatic Transfer Vehicle (ATV)
The Automated Transfer Vehicle (ATV)
It supplies the following services to the ISS:
- Refuelling
- ISS orbit correction
- Freight delivery
- ISS trash destruction
The ATV mission in 2008
- 9th of March: launch by Ariane 5
- 3rd of April: automatic docking on the ISS
- 5th of September: undocking from the ISS
- 29th of September: deorbiting
Safety software specified using SCADE V3
Static description
- Description of the software architecture
- Description of types and constants
Behavioural description
- Description of (very) simple automata
- Description of sequences
Automatic documentation generation
Formal proofs on the ATV safety software
[Figure: the SCADE software model, the environment description and a logical property are fed to the LESAR tool, which performs an exhaustive verification and answers either "true property" or a diagnostic.]
The LESAR tool is developed by the VERIMAG laboratory (the same results have now been reached with Prover).
Examples of proved properties
Specification of the environment by regular expressions, using the reglo tool:
  cam_arm( on, arm, cam_cmd, tc, hltc ) = prefix(
    [-on, -arm, -cam_cmd, -tc, -hltc]*.
    [ on, -arm, -cam_cmd, -tc, -hltc].
    [-on, -arm, -cam_cmd, -tc, -hltc]*.
    ~~ ) ;
(the same result has now been reached with SCADE 6 automata)
Proved properties:
- A red button implies eventually a CAM triggering before 4 cycles (real-time property)
- The two MSU chains cannot both trigger a CAM at the same time (mutual exclusion property)
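The two preceding slides (model + environment + property fed to LESAR, answer "true property" or a diagnostic) can be reproduced in miniature. The following is an added example, not code from the presentation, from Astrium or from the LESAR/SCADE tools: a constructed safety node whose names (node_step, observer_step, verify), arming latency, deadline and "lost countdown on chain switch" flaw are all assumptions. The two slide properties are written as a synchronous observer node, and the finite joint state space is explored exhaustively by breadth-first search; with the flaw enabled the checker returns the shortest input trace that breaks the real-time property, which is the role of the "diagnostic" on the slide.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model for illustration, not the ATV safety software: a node that
 * must turn a red-button telecommand into a CAM (collision avoidance manoeuvre)
 * on one of two redundant chains within 4 cycles, and must never fire both
 * chains in the same cycle. All names and constants here are assumptions. */

#define ARM_CYCLES 3      /* assumed latency: the CAM fires 3 cycles after the button press */
#define DEADLINE   4      /* property: a CAM within 4 cycles of the button press */
#define MAX_KEYS   64     /* upper bound on encoded joint states (encode() yields < 40) */
#define MAX_TRACE  16

typedef struct { uint8_t cnt; bool active_b; } node_state_t;  /* cnt: arming countdown, 0 = idle */
typedef struct { bool button; bool select_b; } node_in_t;      /* select_b: chain B takes over */
typedef struct { bool cam_a; bool cam_b; } node_out_t;
typedef struct { uint8_t pending; } obs_state_t;               /* cycles left to fire a CAM, 0 = none */

/* One synchronous cycle of the safety node. With carry_over == false the
 * countdown is dropped when the active chain changes: a constructed design flaw
 * that the exhaustive check below is expected to find. */
static node_out_t node_step(node_state_t *s, node_in_t in, bool carry_over) {
    node_out_t out = { false, false };
    bool switched = (in.select_b != s->active_b);
    s->active_b = in.select_b;
    if (switched && !carry_over) s->cnt = 0;
    if (s->cnt == 1) {                    /* countdown expires: fire on the active chain only */
        if (s->active_b) out.cam_b = true; else out.cam_a = true;
        s->cnt = 0;
    } else if (s->cnt > 1) {
        s->cnt--;
    } else if (in.button) {
        s->cnt = ARM_CYCLES;
    }
    return out;
}

/* Synchronous observer (the Lustre/SCADE observer-node pattern): it reads the
 * node's inputs and outputs and returns a boolean that must hold on every
 * reachable cycle. Both slide properties are encoded here. */
static bool observer_step(obs_state_t *o, node_in_t in, node_out_t out) {
    bool cam = out.cam_a || out.cam_b;
    bool ok = !(out.cam_a && out.cam_b);                        /* mutual exclusion of the two chains */
    if (cam) o->pending = 0;                                    /* obligation discharged */
    else if (o->pending > 0 && --o->pending == 0) ok = false;   /* real-time deadline missed */
    if (in.button && !cam && o->pending == 0) o->pending = DEADLINE;
    return ok;
}

static unsigned encode(node_state_t s, obs_state_t o) {
    return (unsigned)s.cnt | ((unsigned)s.active_b << 2) | ((unsigned)o.pending << 3);
}
static void decode(unsigned k, node_state_t *s, obs_state_t *o) {
    s->cnt = k & 3; s->active_b = (k >> 2) & 1; o->pending = (k >> 3) & 7;
}

typedef struct { bool holds; unsigned states; int len; node_in_t in[MAX_TRACE]; } verdict_t;

/* Exhaustive verification: breadth-first search of the joint (node, observer)
 * state space under every input combination. The space is finite, so visiting
 * all reachable states proves the property for every input sequence; on a
 * violation the parent links give the diagnostic, a shortest input trace. */
static verdict_t verify(bool carry_over) {
    verdict_t v; memset(&v, 0, sizeof v); v.holds = true;
    int parent[MAX_KEYS]; node_in_t via[MAX_KEYS]; unsigned queue[MAX_KEYS];
    int head = 0, tail = 0;
    for (int i = 0; i < MAX_KEYS; i++) parent[i] = -2;          /* -2 unvisited, -1 initial */
    unsigned init = encode((node_state_t){ 0, false }, (obs_state_t){ 0 });
    parent[init] = -1; queue[tail++] = init;
    while (head < tail) {
        unsigned k = queue[head++]; v.states++;
        for (unsigned bits = 0; bits < 4; bits++) {
            node_state_t s; obs_state_t o; decode(k, &s, &o);
            node_in_t in = { (bits & 1) != 0, (bits & 2) != 0 };
            node_out_t out = node_step(&s, in, carry_over);
            if (!observer_step(&o, in, out)) {
                v.holds = false; v.in[v.len++] = in;
                for (int p = (int)k; parent[p] >= 0 && v.len < MAX_TRACE; p = parent[p])
                    v.in[v.len++] = via[p];
                for (int i = 0, j = v.len - 1; i < j; i++, j--) {   /* trace was collected backwards */
                    node_in_t t = v.in[i]; v.in[i] = v.in[j]; v.in[j] = t;
                }
                return v;
            }
            unsigned n = encode(s, o);
            if (parent[n] == -2) { parent[n] = (int)k; via[n] = in; queue[tail++] = n; }
        }
    }
    return v;
}

int main(void) {
    for (int robust = 1; robust >= 0; robust--) {
        verdict_t v = verify(robust != 0);
        printf("carry_over=%d: %s (%u states)\n", robust, v.holds ? "true property" : "DIAGNOSTIC", v.states);
        for (int i = 0; i < v.len; i++)
            printf("  cycle %d: button=%d select_b=%d\n", i, v.in[i].button, v.in[i].select_b);
    }
    return 0;
}
```

With the countdown carried across chain switches the search visits 8 reachable states and reports a true property; with the flaw the diagnostic is a 5-cycle trace (button press, chain switch, then three idle cycles without a CAM). The regular expression on the slide plays the role that the input enumeration plays here: it restricts the environment, so a real tool checks the property only on the environment's admissible input sequences.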
SCADE V3 on the ATV: conclusion
- Improvement of the specification quality
  - Suppression of ambiguity (formal semantics)
  - Early detection of errors by simulation
  - Exhaustive proofs of some critical properties
- Formal proof has allowed detecting errors (even if formal proof does not replace tests)
Why shall we go further?
- Modelling limited to very simple automata
- The ATV code has not been automatically generated
M51 and Vega
Other uses
SCADE V3 has also been used to formalize the specifications:
- Of the M51 software
- Of the Vega software
R&T preparing the future
R&T: SCADE 6 for future projects
- Suborbital flight?
- ATV Evolution?
Model transformation
Astrium process
[Figure: a GNC (*) prototype in Matlab/Simulink and a system requirement capture / mission management model in UML/SysML (Rhapsody) both need refinement into the flight software, developed in SCADE (code generated by KCG) and in Ada or C++.]
(*) Guidance, Navigation, Control
From SysML or AADL to SCADE
[Figure: AADL model -> SCADE model automatically generated -> SCADE]
From Simulink to SCADE
[Figure: Simulink model -> SCADE model automatically generated -> SCADE]
Conclusion: will we use automatic model transformation?
The tools work correctly, but our process of use is today not clear!
- The software model (in SCADE) needs more details than the system model (in SysML/AADL/...):
  - Numerical protections
  - Telemetry / telecommand
  - Real-time aspects
- The software and system architectures are often different
The use of automatic model transformation tools is not foreseen today (we remain today in a manual refinement process)
Assessment of SCADE 6
Assessment of SCADE V6 on a case study
[Figure: the Ada ATV main software, from which the SGS (Solar Generation System) is taken as the case study]
Our objectives:
- Solar Generation System redeveloped in SCADE V6 (automata & data flows)
- Automatic code generation with KCG
- Test of the whole software on the validation platform
Modelling of the data flow architecture
- The initial architecture in SART
- The new architecture in SCADE V6
Modelling of finite state machines
- Initial representation of the FSM
- Use of powerful hierarchical automata
Modelling of activation conditions
- Specification of the activation condition in SART (Process Activation Table)
- Formalization of the activation condition by SCADE 6 automata
Modelling of simple mathematical equations
- Specification of a simple monitoring
- Modelling of the monitoring in SCADE V6
Assessment of SCADE 6: conclusion
- A complete function of the ATV has been redeveloped in SCADE V6
  - Architecture and data flows
  - Complex hierarchical automata and sequences
  - Verified by simulation (coverage checked by MTC)
- Remaining work for 2008
  - Test on the validation platform
  - Integration into our Software Development Environment (SDE): configuration management, traceability, Windows / Unix
- We will be ready to start an operational development in SCADE 6 in 2009
Points to be improved
SCADE 6 has very powerful automata...
...but not very intuitive for reviewers (*)!
[Figure: a SCADE 6 state machine SM1 with states State1 to State7 whose transitions illustrate the six transition kinds: strong, weak and synchronized, each without history or with history.]
(*) Non-SCADE users
Graphical or textual?
Sometimes a textual description is better than a graphical one:
  z = (a * x) + (b * y) + c;
But:
- The operators +, -, *, / cannot be overloaded
- Equations with vectors and matrices are not naturally written
The textual editor can be improved!
- The layout is modified after saving
SCADE generates today only C
- A textual description/programming language is needed: SCADE and C are not enough
- Automatic Ada code generation would be a solution
  - Adapted to embedded software
  - Would improve the typing?
[Figure: a data flow with the signals ACCELERATION, VELOCITY and POSITION, each with its own type:]
  Name          Type
  ACCELERATION  T_ACCELERATION
  POSITION      T_POSITION
  VELOCITY      T_VELOCITY
KCG for Ada is in the Esterel Technologies roadmap
Basic data types are missing!
- A library is supplied for 8, 16 and 32 bit integers
- But the user has to develop their own library for single and double precision floats
Use of clock activation
[Figure: a MODE input selects, through an activate operator, one of three operators A1, A2, A3 (cases MODE1, MODE2, MODE3) applied to Input1; their outputs Y1, Y2, Y3 are merged into Output1.]
The generated code is very good, but too many variables have to be defined:
  switch (MODE) {
    case MODE2 : Output1 = A2(Input1); break;
    case MODE1 : Output1 = A1(Input1); break;
    case MODE3 : Output1 = A3(Input1); break;
  }
No multithreading code generation
A rate monotonic scheduling is compatible with the synchronous approach and would be useful.
[Figure: three threads at 10 Hz, 20 Hz and 100 Hz, each marked "thread end" before the next rendezvous (RDV); the time axis shows the 10 ms and 50 ms rendezvous points.]
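To make the claim on this slide concrete, here is an added example (not SCADE-generated code and not Astrium's) that assigns rate-monotonic priorities to the three thread rates of the figure, checks the Liu & Layland utilization bound, and simulates one hyperperiod of preemptive fixed-priority scheduling to confirm that every thread reaches its "thread end" before its next rendezvous. The execution times in wcet_ms and the function names are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed example: the three thread rates of the slide scheduled by fixed
 * priorities assigned rate-monotonically (shorter period = higher priority).
 * Each thread runs one cycle of a synchronous node and must end before its next
 * release, which is the rendezvous (RDV) where the next cycle's inputs are
 * sampled. Execution times (wcet_ms) are assumed values in milliseconds. */

#define NTASKS 3
#define HYPERPERIOD_MS 100            /* lcm(10, 50, 100) */

typedef struct { const char *name; int period_ms; int wcet_ms; } task_t;

static const task_t tasks[NTASKS] = {
    { "100 Hz", 10, 3 },
    { "20 Hz",  50, 10 },
    { "10 Hz", 100, 20 },
};

/* Total processor utilization U = sum(C_i / T_i). */
static double utilization(void) {
    double u = 0.0;
    for (int i = 0; i < NTASKS; i++) u += (double)tasks[i].wcet_ms / tasks[i].period_ms;
    return u;
}

/* Liu & Layland sufficient bound n(2^(1/n) - 1); the n-th root of 2 is found by
 * bisection so the example does not depend on libm. */
static double ll_bound(int n) {
    double lo = 1.0, hi = 2.0;
    for (int it = 0; it < 60; it++) {
        double mid = (lo + hi) / 2, p = 1.0;
        for (int i = 0; i < n; i++) p *= mid;
        if (p < 2.0) lo = mid; else hi = mid;
    }
    return n * (lo - 1.0);
}

typedef struct { bool schedulable; int max_response_ms[NTASKS]; } sched_result_t;

/* Tick-level simulation of preemptive fixed-priority scheduling over one
 * hyperperiod. A job still pending when its successor is released means the
 * thread did not end before the RDV: a deadline miss. */
static sched_result_t simulate(void) {
    sched_result_t r = { true, { 0 } };
    int remaining[NTASKS] = { 0 }, release[NTASKS] = { 0 };
    for (int t = 0; t < HYPERPERIOD_MS; t++) {
        for (int i = 0; i < NTASKS; i++) {
            if (t % tasks[i].period_ms != 0) continue;
            if (remaining[i] > 0) r.schedulable = false;   /* previous job overran its period */
            remaining[i] = tasks[i].wcet_ms; release[i] = t;
        }
        int run = -1;                                       /* highest priority = shortest period */
        for (int i = 0; i < NTASKS; i++)
            if (remaining[i] > 0 && (run < 0 || tasks[i].period_ms < tasks[run].period_ms)) run = i;
        if (run < 0) continue;                              /* idle tick */
        if (--remaining[run] == 0) {
            int resp = t + 1 - release[run];
            if (resp > r.max_response_ms[run]) r.max_response_ms[run] = resp;
        }
    }
    for (int i = 0; i < NTASKS; i++)
        if (remaining[i] > 0) r.schedulable = false;        /* unfinished at the end of the hyperperiod */
    return r;
}

/* Worst response time of one task over the hyperperiod (used by main and tests). */
static int worst_response_ms(int task) {
    sched_result_t r = simulate();
    return r.max_response_ms[task];
}

int main(void) {
    printf("U = %.3f, Liu & Layland bound = %.3f\n", utilization(), ll_bound(NTASKS));
    sched_result_t r = simulate();
    for (int i = 0; i < NTASKS; i++)
        printf("%s: period %d ms, worst response %d ms\n",
               tasks[i].name, tasks[i].period_ms, r.max_response_ms[i]);
    printf("%s\n", r.schedulable ? "all threads end before their RDV" : "deadline miss");
    return 0;
}
```

With the assumed execution times the utilization is 0.70, under the bound of about 0.78 for three tasks, and the simulation shows the 100 Hz thread ending after 3 ms, the 20 Hz thread after 16 ms and the 10 Hz thread after 45 ms, all before their next rendezvous at 10, 50 and 100 ms. The synchronous semantics are preserved because each thread's inputs are only sampled at its own release, so the preemptions in between do not change what a cycle computes.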
Conclusion
Conclusion
- SCADE V3 has been successfully used in the past, on a limited scope
- A full SCADE V6 development is foreseen for future projects
  - Editor, simulator
  - Model Test Coverage (MTC)
  - Design Verifier
  - Qualified Code Generator (KCG)
- ...with the hope of some improvements / additional features in future versions! Especially an Ada qualified code generator
Thank you for your attention
Any question?
david.lesens@astrium.eads.net