Certification of a Scade 6 compiler
F-X Fornari, Esterel Technologies
SYNCHRON 2008, Aussois (slides: synchron2008.lri.fr/slides/fornari.pdf)
Copyright © Esterel Technologies - SYNCHRON 2008 Aussois

Page 1: Certification of a Scade 6 compiler

F-X Fornari, Esterel Technologies

Page 2: Introduction

- Topic: what does "developing certified software" mean?
  - In particular, using embedded software development rules!
  - What are the constraints and the challenges?
- Presentation of DO-178B
  - Context, and what it is
- How it was applied for KCG 6.0.1
  - What is the process for a tool such as KCG
  - What are the impacts / the choices

Page 3: Esterel Technologies - Mission

To provide critical embedded system and software developers a certified, domain optimized, model-based development environment and associated services to reduce time-to-deployment, and as required, time-to-certification for:

- DO-178B – Aerospace and Defense
- EN 50128 – Rail Transportation
- IEC 61508 – Industrial and Transportation
- IEC 60880 – Nuclear

© Esterel Technologies - An ISO 9001:2000 Certified Company - Confidential & Proprietary

Page 4: Who We Are...

- Founded in 1999
- ISO 9001:2000 Certified for Design and Sale of Critical Software Tools and Services
- Core competency: critical embedded systems modeling and application development
- Worldwide presence
  - Direct: USA/Canada/France/Germany/UK/China
  - Via channels: India/Israel/Italy/Japan/Korea/Russia/Spain/Turkey

Page 5: Existing Capabilities

(Figure.) Model-Based Development for Critical Embedded Systems and Software: Control Engineering, Embedded Software, On-Board Embedded Graphics.

Page 6: The SCADE™ Certified Software Factory

(Diagram.) Flow: SYSTEM SPEC -> DESIGN -> VERIFY -> GENERATE -> SYSTEM TEST.

Elements shown: Architecture Design Capture; Algorithm Design Capture; Model Coverage Analysis; Debugging & Simulation; Formal Verification; Automatic Design Documentation; Integrated Configuration Management; Requirements Management Gateway; SCADE Suite KCG; SCADE Display KCG; RTOS Adaptors; DO-178B / IEC 61508 / EN 50128 Qualification Kits, Certificates & Handbooks; Object Code Verification; Graphical Animation; Ergonomics Checking; SCADE Suite/SCADE Display Integration.

Page 7: What is Unique About SCADE?

- SCADE is being developed specifically to address critical embedded system and software applications
- SCADE is certified/qualified according to the following international safety standards:
  - DO-178B qualification up to Level A – Aerospace & Defense
  - IEC 61508 certification up to SIL 3 – Transportation & Industry
  - EN 50128 certification up to SIL 3/4 – Rail Transportation
  - IEC 60880 full compliance – Nuclear industry

Page 8: Certification In Avionics

- The avionics industry is the most regulated one
  - 1st international conference in 1910!
- Everything is ruled:
  - Conception, ...
  - Transportation, Crew, ...
  - Noise, Population health, ...
  - Leisure
- Components must be conceived such that:
  - Defects w.r.t. flight security, take-off or landing are EXTREMELY IMPROBABLE, and do not result from a simple cause
  - Any other defects are IMPROBABLE

Severity Matrix (software level by failure condition classification and degree of redundancy):

Failure Condition Classification | 0 (single fault) | 1 (double fault) | 2 (triple fault)
Catastrophic                     | A                | B                | C
Hazardous                        | B                | C                | D
Major                            | C                | D                | E
Minor                            | D                | E                | E
No Safety Effect                 | E                | E                | E

Page 9: DO-178B

- DO-178B is a means of conformity for embedded software

"It is in general not feasible to assess the number or kinds of software errors, if any, that may remain after the completion of system design, development, and test. DO-178B/ED-12B provides acceptable means for assessing and controlling the software used to program digital computer-based systems"

- Based on 5 principles:
  - Well-defined software engineering processes
  - Everything must always be verified
  - An independent authority assesses whether the objectives are met
  - The norm must be agreed by everyone
  - Manufacturers are responsible for the means

Page 10: Benefits of Using A Certified ACG

- Lots of verification activities
  - Accuracy of requirements
  - Accuracy of algorithms
  - Architecture
  - Source code versus requirements

Key point: with a certified ACG, High-Level Requirements = Low-Level Requirements. Effect on the verification objectives:

Low-level requirements and architecture objectives:

#  | Objective                                                          | Verification
1  | Low-level requirements comply with high-level requirements.        | Not eliminated
2  | Low-level requirements are accurate and consistent.                | Automated
3  | Low-level requirements are compatible with target computer.        | Not eliminated
4  | Low-level requirements are verifiable.                             | Eliminated
5  | Low-level requirements conform to standards.                       | Automated
6  | Low-level requirements are traceable to high-level requirements.   | Not eliminated
7  | Algorithms are accurate.                                           | Not eliminated
8  | Software architecture is compatible with high-level requirements.  | Not eliminated
9  | Software architecture is consistent.                               | Automated
10 | Software architecture is compatible with target computer.          | Not eliminated
11 | Software architecture is verifiable.                               | Eliminated
12 | Software architecture conforms to standards.                       | Automated
13 | Software partitioning integrity is confirmed.                      | Not eliminated

Source code and integration objectives:

#  | Objective                                                          | Verification
1  | Source Code complies with low-level requirements                   | Eliminated
2  | Source Code complies with software architecture                    | Eliminated
3  | Source Code is verifiable                                          | Eliminated
4  | Source Code conforms to standards                                  | Eliminated
5  | Source Code is traceable to low-level requirements                 | Eliminated
6  | Source Code is accurate and consistent                             | Eliminated
7  | Output of software integration process is complete and correct     | Not eliminated

Page 11: Certification of KCG 6.0

- Scade 6 + KCG 6.0.1
  - Use of a formally defined language
  - Use of a certified tool
- How?
  - DO-178B expects specific activities for embedded software
  - Do the same for KCG, with proper arguments, since it runs on a PC
  - Level of qualification is the same as the targeted applications: A
  - Other norms (transport mainly)
    - By equivalence when possible (most of the cases)
    - Or add specific activities

Page 12: DO-178B Implementation

(Process diagram.)

Development processes and their outputs:
- SW Requirements Process -> HLR
- SW Design Process -> LLR & Architecture
- SW Coding Process -> Source code & object code
- Integration Process -> Integrated Executable code

Integral processes and their outputs:
- SW Planning Process -> Plans & standards
- Certification Liaison Process -> SW Accomplishment Summary
- SW Configuration Management Process, SW Quality Assurance Process -> Verification/SCM/SQA Records
- SW Verification Process -> verification of HLR, LLR & Architecture, source code & object code, integrated executable code

Traceability: Syst Req/HLR, HLR/LLR & LLR/Source code (plans & standards apply throughout).

Page 13: Initial Phase

- Assessment of the new Scade 6 language
  - Done in collaboration with Verimag, LIP6
  - Also inspired from Esterel SyncCharts
  - => implemented with a prototype
- Project starts, with Planning Phase
  - Tool Qualification Plan
  - Development & environment (tools, methodologies, CM, ...)
  - Standards (specs, design, coding, tests)
  - All these documents must be reviewed and accepted. This will be the case for any document.

Page 14: Use Of Caml

- Caml was very natural for R&D
  - It is very well suited for compilers ☺ (ACG ..)
  - Prototype already in caml
- But:
  - DO-178B: use the best language for a given project
  - Domain is very conservative ☹: use C (or possibly instantiated C++)
- Need to:
  - Demonstrate the compatibility between DO-178B and caml
    - Ex: analysis of the ocaml bug list
  - Find means to assess that generated code is under control!
- This generated various activities detailed later...

Page 15: Specifications

- Scade 6 language: powerful but understandable
  - Safe State Machines à la Esterel, but "simplified"
  - Arrays, with controlled dynamic indexation
  - Iterators (map, fold, ...)
  - Better control blocks: activation blocks
- Specifications:
  - Opportunity to formalize the language
  - Opportunity to rewrite the specification of the tool itself
  - Need to take into account GUI needs, so we got
    - A textual language
    - Its enriched equivalent in XML for graphical purposes

Page 16: High-Level Requirements

(Diagram.) KCG inputs: Textual Scade, XML Scade (brought to Textual Scade); KCG outputs: C Code, other.

Example: the textual equation

    x = pre(y)

and its enriched XML equivalent:

    <Equation>
      <lefts>
        <VariableRef name="_L21"/>
      </lefts>
      <right>
        <!-- pre (_L18) -->
        <PreOp>
          <flow>
            <ListExpression>
              <items>
                <IdExpression>
                  <path>
                    <ConstVarRef name="_L18"/>
                  </path>
                </IdExpression>
              </items>
            </ListExpression>
          </flow>
        </PreOp>
      </right>
      <pragmas>
        <ed:Equation oid="win_19E/5348/624/3C3EF06E/4FAE"/>
      </pragmas>
    </Equation>
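Added example (not code from KCG or Esterel Technologies): a small Python normaliser that reads the XML Scade equation above and reconstructs its textual form, the direction the slide's two input formats imply. The `ed:` namespace URI is an assumed placeholder, since the slide does not give it; unknown element kinds are rejected rather than dropped, which is the behaviour you want in front of a certified generator.

```python
import xml.etree.ElementTree as ET

# The ed: prefix on <ed:Equation> needs a namespace binding to parse at all;
# this URI is an assumed placeholder, the slide does not give the real one.
ED_NS = "urn:example:scade-editor-pragmas"

# Constructed input: the slide's XML equation, wrapped so it parses stand-alone.
# The editor names the flows _L21 / _L18 where the slide's textual form writes x / y.
SCADE_XML = f"""<Equation xmlns:ed="{ED_NS}"><lefts>
<VariableRef name="_L21"/></lefts><right>
<!-- pre (_L18) --><PreOp>
<flow><ListExpression>
<items><IdExpression>
<path><ConstVarRef name="_L18"/>
</path></IdExpression>
</items></ListExpression>
</flow></PreOp>
</right><pragmas>
<ed:Equation oid="win_19E/5348/624/3C3EF06E/4FAE"/></pragmas>
</Equation>"""


def expr_to_text(node):
    """Render one XML Scade expression node as textual Scade.

    Only the constructs in the slide's example are handled; anything else
    raises instead of being silently dropped from the generated code.
    """
    if node.tag == "IdExpression":
        return node.find("path/ConstVarRef").get("name")
    if node.tag == "ListExpression":
        return ", ".join(expr_to_text(item) for item in node.find("items"))
    if node.tag == "PreOp":
        # <flow> carries exactly one operand expression (a ListExpression)
        return "pre(" + expr_to_text(node.find("flow")[0]) + ")"
    raise ValueError(f"unsupported XML Scade node <{node.tag}>")


def equation_to_text(eq):
    """'<lefts> = <right>' in textual Scade, e.g. '_L21 = pre(_L18)'."""
    lefts = ", ".join(v.get("name") for v in eq.find("lefts"))
    (right,) = list(eq.find("right"))  # exactly one top-level expression
    return f"{lefts} = {expr_to_text(right)}"


def equation_oid(eq):
    """Editor object id from <pragmas>: traceability back to the graphical
    model, not an input to code generation."""
    pragma = eq.find(f"pragmas/{{{ED_NS}}}Equation")
    return None if pragma is None else pragma.get("oid")


def parse_equation(xml_text):
    return ET.fromstring(xml_text)


if __name__ == "__main__":
    eq = parse_equation(SCADE_XML)
    print(equation_to_text(eq), "# oid:", equation_oid(eq))
```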

Page 17: Design

- 2 levels:
  - 1 - Architecture of the software: the binaries, and the global flows
  - 2a - Detailed design: function specifications
    - must be very close to code ...
  - 2b - Derived requirements: not related to high-level requirements
    - libraries, runtime
- Main difficulties:
  - High-level requirements must be linked to low-level requirements
    - Hierarchy is theoretically possible, rarely in practice
  - Data coupling & control coupling
    - Check of all data ranges => how, for a compiler?
    - => Use of an integrated approach to eliminate that point

Page 18: Coding

- Use of caml
  - Without objects, nor experimental features
  - For all 3 binaries: kcg (toplevel), x2s, and s2c
- Libraries
  - Fully documented ☺, and unit tested
- Runtime
  - Partially rewritten, in particular the GC
  - Simple stop&copy; memory increase is done by steps.

Page 19: Verification

- Covers various activities
  - Major part in DO-178B
- Validation = testing
  - Unit testing, HLR testing
- Verification
  - Respect of standards (Specs, Design, Coding, Tests)
  - Of phase outputs (Plans, Specs, Design, Coding, Tests)
  - Done in extenso by the team, with independence
  - Done by sampling by the quality engineer
- All activities are traced
  - Possible Deviations or Requests for improvement
  - In Tool Accomplishment Summary / Safety Case documents

Page 20: Specific Verifications

- Check of generated object code
  - Check that the output of the C / caml compilers is traceable to source, or can be justified
  - Based on significant samples for C, and a specific study for caml (Paris VII)
  - Justification of system/library calls
- Demonstration of safety
  - 100% MC/DC expected
  - Done on C and ML.
  - Also done on generated code from tests
- Safety analysis
  - Required for IEC 61508/EN 50128
  - Impact of environment: user, system (Windows!), ... on tool behavior

Page 21: Verification Tools

- Concept (DO-178B)
  - A tool that can automate verification activities, without introducing errors
  - Must be qualified as a verification tool
  - Qualification is:
    - A plan, requirements on specific usage, tests, results & verifications.
  - Should be done for anything that is used for automation
- Tools used:
  - RTRT (IBM), Reqtify (Geensys), kcgsim, mlcov, diff

Page 22: mlcov

- Mlcov
  - Joint work with Paris VII
  - Provides structural & MC/DC coverage for caml
  - Best technical paper PADL '08.
  - Available on the Esterel Technologies web site.
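Added example (not code from mlcov or the KCG project) of what the "100% MC/DC expected" criterion on page 20 and the mlcov tool above actually have to decide: a unique-cause MC/DC checker in Python, run over a constructed boolean decision with two test sets. Both sets give 100% decision coverage; only one shows each condition independently affecting the outcome. The decision and test vectors are made up for the illustration.

```python
from itertools import combinations

# Constructed decision under test: the kind of guard a compiler pass or a
# generated C function contains. Not taken from KCG.
CONDITIONS = ("a", "b", "c")


def decision(a, b, c):
    return a and (b or c)


def mcdc_pairs(decision, conditions, tests):
    """Unique-cause MC/DC: for every condition, find a pair of test vectors
    that differ only in that condition and produce different outcomes.

    Returns {condition: (i, j)} with indices into `tests`, or None for a
    condition whose independent effect the test set never demonstrates.
    """
    outcomes = [bool(decision(**t)) for t in tests]
    pairs = {}
    for cond in conditions:
        others = [o for o in conditions if o != cond]
        pairs[cond] = next(
            ((i, j) for i, j in combinations(range(len(tests)), 2)
             if tests[i][cond] != tests[j][cond]
             and outcomes[i] != outcomes[j]
             and all(tests[i][o] == tests[j][o] for o in others)),
            None,
        )
    return pairs


def mcdc_percent(pairs):
    covered = sum(p is not None for p in pairs.values())
    return 100.0 * covered / len(pairs)


# Constructed test sets. Both reach a true and a false outcome (100% decision
# coverage); only MCDC_TESTS isolates each condition's effect (n + 1 vectors).
DECISION_ONLY_TESTS = [
    {"a": True, "b": True, "c": True},
    {"a": False, "b": False, "c": False},
]
MCDC_TESTS = [
    {"a": True, "b": True, "c": False},    # outcome T
    {"a": False, "b": True, "c": False},   # F: only a flipped vs test 0
    {"a": True, "b": False, "c": False},   # F: only b flipped vs test 0
    {"a": True, "b": False, "c": True},    # T: only c flipped vs test 2
]

if __name__ == "__main__":
    for name, tests in (("decision-only", DECISION_ONLY_TESTS), ("mcdc", MCDC_TESTS)):
        pairs = mcdc_pairs(decision, CONDITIONS, tests)
        print(f"{name}: {mcdc_percent(pairs):.0f}% MC/DC, pairs={pairs}")
```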

Page 23: Mlcov reports

Page 24: Summary

- Developing a tool at level A (or SIL3/4) =>
  - Impact on Scade 6 definition (user context in mind)
    - Formal semantics of the language: a new kind of requirements
  - Use of caml
    - New approach in that domain
    - Required justification, new GC, specific analysis
    - Development of a specific MC/DC tool
  - "grey" box testing:
    - A way to fulfill DO-178B requirements, while being manageable
- Got a certified KCG 6.0.1 tool, BUT....

Page 25: KCG 6.0.1: Context of use

(Diagram.) SCADE -> Scade model -> KCG (Certified) -> C Code -> Target compiler -> Binary. Annotations: "Is that OK on disk?" (on the Scade model), "Is there any problem?"

Page 26: KCG 6.0.1: Context of use

(Diagram, continued.) Same chain; a Reporter is added as a Verification tool. Annotation: "Is there any problem?"

Page 27: KCG 6.0.1: Context of use

(Diagram, continued.) Same chain with the Reporter (Verification tool); a CVK Test Suite is added.
