CS Communication & Systèmes – Charte 2010 1 SCADE tools SCADE System SCADE Suite SCADE Display...

CS Communication & Systèmes – Charte 20101

SCADE tools

SCADE System

SCADE Suite

SCADE Display

SCADE development modules


Model Based Development With SCADE Tools


SCADE SYSTEM

• a system architecture design and modeling tool that allows system engineers to model the design of system components and structure using SysML block diagrams.

• allows to extract parts of the main system model and exchange these subsystem software models with development teams.

• Software teams can then work on the subsystem software design with SCADE Suite.

• Comparison of system model versions is facilitated when the subsystem software model is reintegrated into the main system model

• SCADE LifeCycle Reporter allows systems engineers to automatically generate up-to-date documentation at any point in the development cycle.


SCADE Suite

• With native integration of the Scade language and its unified formal notation, SCADE Suite is the unique integrated design environment for critical applications spanning

•requirements management,•model-based design,•simulation, •verification, •qualifiable/certified code generation,

•and interoperability with other development tools and platforms


SCADE SuiteIntegrated Data Flow and SSM editors


SCADE SuiteSimulator


SCADE Display

• SCADE Display is a flexible graphics design and code generation tool suite for the development of safety-critical embedded display systems.

• native support of the OpenGL SC standard, SCADE Display is the new generation display framework, spanning

•prototyping, •display design, •simulation, •verification & validation, •DO-178B certified code generation for level A software and

•smooth integration with other applications.

• tightly coupled with SCADE Suite® enabling unprecedented visibility from the deployed application to the end-user displays.


SCADE Suite& DISPLAY for SW development


SW design Process with SCADE Suite & Display


SW Coding Process with SCADE Suite & Display


SCADE SCOPE


SCADE code integration


Typical SW architecturefor graphics


Timing Verifier integration in SCADE Suite


RT Vizu of SW Spec


ACG & Certification


Typical SW life-Cyclewithin D0178 context


Abbreviations

SNCC =système numérique de contrôle commande

DCS= Digital Control System?

SIF=Safety Instrument Function

OSHA=Occupational Safety & Health Administration

EPA=Environmental Protection Agency

ISA= Instrumentation Systems and Automation Society

IEC= International Electrotechnical Commission

TMR = Triplicated Modular Redundant

PLC = programmable logic Controller

FMECA=Failure Mode, Effects, and Criticality Analysis

AMDEC=Analyse des Modes de Défaillance, Effets et Criticité

SNCC =système numérique de contrôle commande

DCS= Digital Control System?

SIF=Safety Instrument Function

OSHA=Occupational Safety & Health Administration

EPA=Environmental Protection Agency

ISA= Instrumentation Systems and Automation Society

IEC= International Electrotechnical Commission

TMR = Triplicated Modular Redundant

PLC = programmable logic Controller

FMECA=Failure Mode, Effects, and Criticality Analysis

AMDEC=Analyse des Modes de Défaillance, Effets et Criticité


SCADE at Airbus

contents


System Modelling & Verification

(SCADE Airbus)


SW Coding & Testing(SCADE Airbus)


A350 XWB Large interchangeable

displays


Simulator Architecture(Ansaldo)


SCADE at Thales

contents


Projects using SCADEThalesTHALES is leader in Cockpit

Interactive Solutions

AIRBUS A380 Cockpit Project developped by THALES


Projects using SCADEThales


Why SCADE(Thales)

text


SCADE at AREVA

contents


AREVA Organisation


Why SCADE(Areva)

Adapted to our deployed development process SCADE formalism (node and data flow) is equivalent to the

Structured Analysis SA-RT/SD method used at AREVA TA (Structured Analysis, Structured Design)

Understood by both system and software engineers Improvement of mutual comprehension is required by the IEC60680:2006 standard

Supporting our generic design policy

SCADE cycle-based language is well adapted to the way embedded safety-critical software are designed at AREVA TA

Easier to reach SIL4 than with the former classic development method SCADE simulator : early detection of errors in specification

SCADE KCG : no unit testing at code level

Less expensive deployment than other formal methods Only one week to design with the principal SCADE functions

Improved software validation Formal proof techniques are enabled


SCADE integration in dev Process(AREVA)

SIL4 developments (and some SIL0)

SCADE modelling of system specification : Definition of Interface functions and data flow between functions

Traceability links between requirement specification and functions, using SCADE RM Gateway

Functions allocation to subsystems

Software SCADE Design : Software architecture design inherit from system model

Refinement of requirement allocated to functions,

Design of each function

SCADE 6 : SSM and map/fold

Restricted uses of imported node (efficiency or SCADE limits, reuse legacy code)

V&V Check of modelling rules

Check of requirements

Node and function testing (Uses of SCADE Simulator and SCADE MTC),

Integration and validation testing (on host machine prior to on-target)

System integration and validation testing (on host machine prior to final equipment)

Version control: distributed SCADE model development.


System Modelling with SCADE (AREVA)

Requirements modelling

Physical and safety allocation of requirements

Interfaces of each subsystem with its environment

Traceability with functional specification (RM Gateway)


SW Design with SCADE (AREVA)

Refine the subsystems models (node and data flow) into full software architecture

In the EN50128 process: Software Requirement and architecture specification (generated with the reporter function)

Refine design to terminal node (full SCADE or imported)

In the EN50128 process: Software and module design

Use of KCG for code generation In the EN50128 process: Code

Non SIL4 designer tests with simulator

Good AREVA TA practice to improve model quality before V&V


System & SW Design Validation(AREVA)

The various V&V activities are:

Requirement-based tests specification Tests scenarios : Define inputs and the waited output for all requirement in

document and in tests files,

Automatic launch of validation tests Compute the test, play the test and verify the outputs against the expected

result

Automatic tests reporter with AREVA TA tools

Analysis of the test coverage score with SCADE MTC


System & SW Design Validation(AREVA)Different simulations can be chosen:

SCADE graphic simulator: Well suited to verify node during the design

Cannot be used in an automatic test bench

Interface is poor to achieve system testing with massive number of I/Os

“Command line” mode: Same mode as the graphic one but with TCL language elements

(functions and comments)

Harder to use than graphical mode

TCL script: Use of TCL instruction sequence to initialise input, verify waited

values of outputs, increase cycle, flatten structure or array types, …

Use TCL programming power: loop, generic sub-functions, …

TCL scenario script can be call by another script; thus a « launcher » can sequence the scenarios.

All I/O transitions can be recorded

External simulator calling SCADE via a DLL interface Equivalent to TCL script but harder to use (continuity, support, …)

Test bench based on TCL scripts to check check all software componentFor each component :

•Rebuild for each component a test program

•Play scenario and compare outputs to expected values,

•Generate a log file with principal script step information.

•Generate a log file with the history of the I/O transitions.

For all the components :•Compute an HTML report of validation with

• A link to log files, • A validation success rate,• A global model test coverage

score


Research Infrastructure(DLR)


Development Process(DLR)

Integrated development process for the entire research infrastructure

Stimulated by:Automatic launch of validation tests

Domain-Engineering(e.g. virt. institute DeSCAS)

Requirements Engineering (e.g. EU-Project CESAR)

Service oriented architectures (SOA)

Model-based development(e.g. SCADE)


Dominion Project(DLR)


SCADE at ASTRIUM

contents


Dev Life-Cycle(ASTRIUM)


Formal proofs on the ATV safety Software

(ASTRIUM)

The LESAR tool is developed by the VERIMAG laboratory

Example of proven properties Specification of the environment by “regular expressions”

• cam_arm( on, arm, cam_cmd, tc, hltc ) =prefix( [-on, -arm, -cam_cmd, -tc, -hltc]*.[ on, -arm, -cam_cmd, -tc, -hltc].[-on, -arm, -cam_cmd, -tc, hltc]*.~~ ) ;

Properties

A “red button” implies eventually a CAM triggering before 4 cycles

• Real time property

The two MSU chains can not triggered both a CAM at the same time

• Mutual exclusion property

the same results has now been reached with Prover)


SCADE at POSCON

contents


PSD System Diagram(POSDOM)


Development Process to Achieve SIL 3

RAMS System Life-Cycle


Development Process to Achieve SIL 3PSD RAMS H/W Management


Development Process to Achieve SIL 3PSD RAMS S/W Development(V Model method)


Development Process to Achieve SIL 3PSD RAMS Project Output


SCADE at Liebherr

Contents

Connecting the neutral SCADE model with the global PLC data


SCADE for SIL2 systemsLiebherr

Connecting the neutral SCADE model with the global PLC data


PME1 control system(LiebHerr)

Central Intelligence

Distributed IOs

Real Time CAN Protocol

Single synchronous Application Task

Safety Level until SIL2

Massive reuse of software modules

text


PME1 link data flow(LiebHerr)

Interface Config file with all variables of PLC system

Clear Separation of responsibilities between Liebherr and Esterel

Generates New textual operator “Integration Toplevel”

Special C-Code with mappings

liebherr

SCADE


SCADE at Siemens

Contents


From SysML to SCADE: SCADE system designer Siemens

SysML: Architecture

Different views

• communications

• deployment

• use cases

SCADE: Design language

Embedded control

Simulation


Timing analysis and SCADESiemens

Timing analysis

WCET computation

Communication architecture – do we meet our timing requirements?

What is the impact of different architecture alternatives regarding timing?

Deeper understanding of system performance characteristics


Model-based worst-case timing approachSiemens

Abstract model of resources, processes, scheduling policies and communication pathways


Elicitation of system behavior by modeling Siemens


Model-based penetration into an existing target

system architecture Siemens

SCADE Components


SCADE at Invensys

Contents

(Railway-TDMS (Train Data Mngt System))


TDMS Architectural Principals

Simple Partitioning Invensys


SCADE TDMS Development: TDMS Partitioning - Partitions

InvensysStandard interface

Communicate via Ports

Partition mode

Application Partitions

System Partitions

Similar to ARINC 653

Fault Handling

Dual Redundant for availability

Adapt by Adding/Removing Features/Partitions

Requires agility


SCADE TDMS Development:Project Process: Evolved Agile Feature Driven

Approach


SCADE at KEPCO

Contents

SCADE for ISODE ( Integrated SW Dev Env) for NP Systems


ISODE Overview KEPCO


Validation and Verification Process TEPCODesign Verifier

A property is implemented in a SCADE node called an Observer.

As inputs, it receives the values the property focuses on.

It has one output, which is true if and only if the property is true


Automatic Documentation Generation TEPCO


Target Importing Process TEPCO


PPS Application-Bistable Module TEPCO


PPS Application-Coincidence Module TEPCO


title

CS Communication & Systèmes – Charte 2010 1 SCADE tools SCADE System SCADE Suite SCADE Display...

Documents

Transcript of CS Communication & Systèmes – Charte 2010 1 SCADE tools SCADE System SCADE Suite SCADE Display...