Copyright © Esterel Technologies - SYNCHRON 2008 Aussois
Certification of a Scade 6 compiler
F-X Fornari
Esterel Technologies
Introduction
- Topic: what does "developing a certified software" mean?
  - In particular, using embedded software development rules!
  - What are the constraints and the challenges?
- Presentation of DO-178B
  - Context, and what it is
- How it was applied for KCG 6.0.1
  - What is the process for a tool such as KCG
  - What are the impacts / the choices
Esterel Technologies - Mission
To provide critical embedded system and software developers a certified, domain optimized, model-based development environment and associated services to reduce time-to-deployment, and as required, time-to-certification for:
- DO-178B – Aerospace and Defense
- EN 50128 – Rail Transportation
- IEC 61508 – Industrial and Transportation
- IEC 60880 – Nuclear
© Esterel Technologies - An ISO 9001:2000 Certified Company - Confidential & Proprietary
Who We Are...
- Founded in 1999
- ISO 9001:2000 Certified for Design and Sale of Critical Software Tools and Services
- Core competency: critical embedded systems modeling and application development
- Worldwide presence
  - Direct: USA/Canada/France/Germany/UK/China
  - Via channels: India/Israel/Italy/Japan/Korea/Russia/Spain/Turkey
Existing Capabilities
Model-Based Development for Critical Embedded Systems and Software
- Control Engineering
- Embedded Software
- On-Board Embedded Graphics
The SCADE™ Certified Software Factory
(diagram: SYSTEM SPEC -> DESIGN -> VERIFY -> GENERATE -> SYSTEM TEST; the components shown are listed below)
- Requirements Management Gateway
- Architecture Design Capture
- Algorithm Design Capture
- Model Coverage Analysis
- Debugging & Simulation
- Formal Verification
- Ergonomics Checking
- Graphical Animation
- Automatic Design Documentation
- Integrated Configuration Management
- SCADE Suite KCG
- SCADE Display KCG
- SCADE Suite/SCADE Display Integration
- RTOS Adaptors
- Object Code Verification
- DO-178B, IEC 61508, EN 50128 Qualification Kits, Certificates & Handbooks
What is Unique About SCADE?
- SCADE is being developed specifically to address critical embedded system and software applications
- SCADE is certified/qualified according to the following international safety standards:
  - DO-178B qualification up to Level A – Aerospace & Defense
  - IEC 61508 certification up to SIL 3 – Transportation & Industry
  - EN 50128 certification up to SIL 3/4 – Rail Transportation
  - IEC 60880 full compliance – Nuclear industry
Certification In Avionics
- The avionics industry is the most regulated one
  - 1st international conference in 1910!
- Everything is regulated:
  - Conception, ...
  - Transportation, Crew, ...
  - Noise, Population health, ...
  - Leisure
- Components must be conceived such that:
  - Defects w.r.t. flight safety, take-off or landing are EXTREMELY IMPROBABLE, and do not result from a single cause
  - Any other defects are IMPROBABLE

Severity Matrix (software level by failure condition classification and degree of redundancy):
Failure Condition Classification | 0 (single fault) | 1 (double fault) | 2 (triple fault)
Catastrophic                     | A                | B                | C
Hazardous                        | B                | C                | D
Major                            | C                | D                | E
Minor                            | D                | E                | E
No Safety Effect                 | E                | E                | E
DO-178B
- DO-178B is a means of conformity for embedded software:
  "It is in general not feasible to assess the number or kinds of software errors, if any, that may remain after the completion of system design, development, and test. DO-178B/ED-12B provides acceptable means for assessing and controlling the software used to program digital computer-based systems"
- Based on 5 principles:
  - Well-defined software engineering processes
  - Everything must always be verified
  - An independent authority assesses that the objectives are met
  - The norm must be agreed by everyone
  - Manufacturers are responsible for the means
Benefits of Using A Certified ACG
- Lots of verification activities:
  - Accuracy of requirements
  - Accuracy of algorithms
  - Architecture
  - Source code versus requirements
- High-Level requirements = Low-level Requirements

Objective | Verification
1 Low-level requirements comply with high-level requirements. | Not eliminated
2 Low-level requirements are accurate and consistent. | Automated
3 Low-level requirements are compatible with target computer. | Not eliminated
4 Low-level requirements are verifiable. | Eliminated
5 Low-level requirements conform to standards. | Automated
6 Low-level requirements are traceable to high-level requirements. | Not eliminated
7 Algorithms are accurate. | Not eliminated
8 Software architecture is compatible with high-level requirements. | Not eliminated
9 Software architecture is consistent. | Automated
10 Software architecture is compatible with target computer. | Not eliminated
11 Software architecture is verifiable. | Eliminated
12 Software architecture conforms to standards. | Automated
13 Software partitioning integrity is confirmed. | Not eliminated

Objective | Verification
1 Source Code complies with low-level requirements | Eliminated
2 Source Code complies with software architecture | Eliminated
3 Source Code is verifiable | Eliminated
4 Source Code conforms to standards | Eliminated
5 Source Code is traceable to low-level requirements | Eliminated
6 Source Code is accurate and consistent | Eliminated
7 Output of software integration process is complete and correct | Not eliminated
Certification of KCG 6.0
- Scade 6 + KCG 6.0.1
  - Use of a formally defined language
  - Use of a certified tool
- How?
  - DO-178B expects specific activities for embedded software
  - Do the same for KCG, with proper arguments, since it runs on a PC
  - Level of qualification is the same as the targeted applications -> Level A
  - Other norms (transport mainly):
    - By equivalence when possible (most of the cases)
    - Or add specific activities
DO-178B Implementation
Integral processes:
- SW Planning Process -> Plans & standards
- Certification Liaison Process
- SW Configuration Management Process
- SW Quality Assurance Process
- SW Verification Process
Development processes:
- SW Requirements Process -> HLR (traceability Syst Req/HLR)
- SW Design Process -> LLR & Architecture (traceability HLR/LLR)
- SW Coding Process -> Source code & object code (traceability LLR/Source code)
- Integration Process -> Integrated Executable code
Outputs: HLR, LLR & Architecture, source code & object code, integrated executable code; Traceability Syst Req/HLR, HLR/LLR & LLR/Source code; Verification/SCM/SQA Records; SW Accomplishment Summary
Initial Phase
- Assessment of the new Scade 6 language
  - Done in collaboration with Verimag, LIP6
  - Also inspired from Esterel SyncCharts
  - -> implemented with a prototype
- Project starts, with Planning Phase
  - Tool Qualification Plan
  - Development & environment (tools, methodologies, CM, ...)
  - Standards (specs, design, coding, tests)
  - All these documents must be reviewed and accepted. This will be the case for any docs.
Use Of Caml
- Caml was very natural for R&D
  - It is very well suited for compilers ☺ (ACG ...)
  - Prototype already in caml
- But:
  - DO-178B: use the best language for a given project
  - Domain is very conservative: use C (or possibly instantiated C++)
- Need to:
  - Demonstrate the compatibility between DO-178B and caml
    - Ex: analysis of the ocaml bug list
  - Find means to assess that generated code is under control!
- This generated various activities detailed later...
Specifications
- Scade 6 language: powerful but understandable
  - Safe State Machines à la Esterel, but "simplified"
  - Arrays, with controlled dynamic indexation
  - Iterators (map, fold, ...)
  - Better control blocks: activation blocks
- Specifications:
  - Opportunity to formalize the language
  - Opportunity to rewrite the specification of the tool itself
  - Need to take into account GUI needs, so we got:
    - A textual language
    - Its enriched equivalent in XML for graphical purposes
High-Level Requirements
(diagram: KCG takes Textual Scade or XML Scade as input and produces Textual Scade, C Code, or other output)
Example: the equation x = pre(y) in textual Scade, and its XML equivalent:
<Equation>
  <lefts>
    <VariableRef name="_L21"/>
  </lefts>
  <right>
    <!-- pre (_L18) -->
    <PreOp>
      <flow>
        <ListExpression>
          <items>
            <IdExpression>
              <path><ConstVarRef name="_L18"/></path>
            </IdExpression>
          </items>
        </ListExpression>
      </flow>
    </PreOp>
  </right>
  <pragmas>
    <ed:Equation oid="win_19E/5348/624/3C3EF06E/4FAE"/>
  </pragmas>
</Equation>
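As an added illustration of two points from the slides (the "controlled dynamic indexation" of arrays on the Specifications slide, and the `pre` operator of the `x = pre(y)` equation above), here is a hand-written sketch of the shape of C that a synchronous node compiles to. It is not KCG output and not Esterel Technologies' code; the node `sample`, the textual syntax `tab.[i] default ...` and `0 -> pre(x)` used in the comment, and the fixed initial value of the memory are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdio.h>

/* Illustrative, hand-written sketch (NOT KCG output) of the C generated for
 * an assumed Scade 6 node:
 *
 *   node sample(i : int; tab : int^4) returns (x : int)
 *   let
 *     x = tab.[i] default (0 -> pre(x));
 *   tel
 *
 * The `pre` operator becomes a memory cell kept in a context struct between
 * cycles, and the controlled dynamic indexation `tab.[i] default ...` becomes
 * an explicit range check, so the generated code never reads outside the
 * array whatever value `i` holds at run time. */

#define TAB_SIZE 4

typedef struct {
    bool init;   /* true until the first cycle has executed (for `->`) */
    int  mem_x;  /* memory created for pre(x) */
} sample_ctx;

/* Reset: put the memories in their initial state. */
void sample_reset(sample_ctx *ctx)
{
    ctx->init  = true;
    ctx->mem_x = 0;   /* assumption: initial memory content fixed to 0 */
}

/* One synchronous cycle: read inputs, compute x, update memories. */
int sample_step(sample_ctx *ctx, int i, const int tab[TAB_SIZE])
{
    /* 0 -> pre(x): 0 on the first cycle, previous x afterwards */
    int fallback = ctx->init ? 0 : ctx->mem_x;
    int x;

    /* tab.[i] default fallback: the index is checked before any access */
    if (i >= 0 && i < TAB_SIZE)
        x = tab[i];
    else
        x = fallback;

    ctx->mem_x = x;      /* becomes pre(x) for the next cycle */
    ctx->init  = false;
    return x;
}

/* Run a constructed trace and return 1 when every cycle matches the
 * expected output stream, 0 otherwise. */
int sample_trace_ok(void)
{
    static const int tab[TAB_SIZE] = {10, 20, 30, 40};
    /* constructed input indices: in range, out of range (too high),
     * out of range (negative), in range, in range */
    static const int idx[5]      = {1, 7, -1, 3, 0};
    static const int expected[5] = {20, 20, 20, 40, 10};
    sample_ctx ctx;
    sample_reset(&ctx);
    for (int c = 0; c < 5; c++) {
        if (sample_step(&ctx, idx[c], tab) != expected[c])
            return 0;
    }
    return 1;
}

int main(void)
{
    printf("trace %s\n", sample_trace_ok() ? "matches" : "differs");
    return 0;
}
```

The trace shows the two behaviours together: an out-of-range index never touches memory and instead yields the previous output, and on the very first cycle (where `pre(x)` has no value yet) the `->` initialisation supplies 0.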
Design
- 2 levels:
  - 1 - Architecture of the software: the binaries, and the global flows
  - 2a - Detailed design: function specifications
    - must be very close to code ...
  - 2b - Derived requirements: not related to high-level requirements
    - libraries, runtime
- Main difficulties:
  - High-level requirements must be linked to low-level requirements
  - Hierarchy is theoretically possible, rarely in practice
  - Data coupling & control coupling
    - Check of all data ranges => how for a compiler?
    - -> Use of an integrated approach to eliminate that point
Coding
- Use of caml
  - Without objects, nor experimental features
  - For all 3 binaries: kcg (toplevel), x2s, and s2c
- Libraries
  - Fully documented ☺, and unit tested
- Runtime
  - Partially rewritten, in particular the GC
  - Simple stop&copy. Memory increase is done by steps.
Verification
- Covers various activities
  - Major part in DO-178B
- Validation = testing
  - Unit testing, HLR testing
- Verification
  - Respect of standards (Specs, Design, Coding, Tests)
  - Of phase outputs (Plans, Specs, Design, Coding, Tests)
  - Done in extenso by the team, with independence
  - Done by sampling by the quality engineer
- All activities are traced
  - Possible Deviations or Requests for improvements
  - In Tool Accomplishment Summary/Safety Case documents
Specific Verifications
- Check of generated object code
  - Check that the output of the C / caml compilers is traceable to source, or can be justified
  - Based on significant samples for C, and a specific study for caml (Paris VII)
  - Justification of system/library calls
- Demonstration of safety
  - 100% MC/DC expected
  - Done on C and ML
  - Also done on generated code from tests
- Safety analysis
  - Required for IEC 61508/EN 50128
  - Impact of environment: user, system (Windows!), ... on tool behavior
Verification Tools
- Concept (DO-178B)
  - A tool that can automate verification activities, without introducing errors
  - Must be qualified as a verification tool
  - Qualification is:
    - A plan, requirements on specific usage, tests, results & verifications
    - Should be done for anything that is used for automation
- Tools used:
  - RTRT (IBM), Reqtify (Geensys), kcgsim, mlcov, diff
mlcov
- Mlcov
  - Joint work with Paris VII
  - Provides structural & MC/DC coverage for caml
  - Best technical paper PADL '08
  - Available on the Esterel Tech. web site
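An added example, not mlcov's code (mlcov instruments OCaml source) and not from the slides, of what the "100% MC/DC" objective on the Specific Verifications slide means on a single boolean decision. The decision `(a && b) || c`, the bit encoding of test vectors and the two test sets are constructed for the illustration.

```c
#include <stdio.h>

/* Added example of the MC/DC criterion on one boolean decision (not
 * mlcov's code). For each condition, MC/DC requires an "independence
 * pair": two test vectors that differ only in that condition and yield
 * different decision outcomes, showing that the condition alone can
 * change the result.
 *
 * Decision under test (constructed): (a && b) || c
 * A test vector is a 3-bit value: bit 2 = a, bit 1 = b, bit 0 = c. */

#define N_CONDITIONS 3

static int decision(unsigned v)
{
    int a = (v >> 2) & 1, b = (v >> 1) & 1, c = v & 1;
    return (a && b) || c;
}

/* Return a bitmask of the conditions (bit k = condition k, same numbering
 * as in the vectors) that have an independence pair inside the given test
 * set. 0x7 means the set achieves 100% MC/DC on this decision. */
unsigned mcdc_covered(const unsigned *vecs, int n)
{
    unsigned covered = 0;
    for (int k = 0; k < N_CONDITIONS; k++) {
        unsigned bit = 1u << k;
        for (int i = 0; i < n && !(covered & bit); i++) {
            for (int j = 0; j < n; j++) {
                /* differ in exactly condition k, and flip the outcome */
                if ((vecs[i] ^ vecs[j]) == bit &&
                    decision(vecs[i]) != decision(vecs[j])) {
                    covered |= bit;
                    break;
                }
            }
        }
    }
    return covered;
}

/* Number of conditions still lacking an independence pair. */
int mcdc_missing(const unsigned *vecs, int n)
{
    unsigned covered = mcdc_covered(vecs, n);
    int missing = 0;
    for (int k = 0; k < N_CONDITIONS; k++)
        if (!(covered & (1u << k)))
            missing++;
    return missing;
}

int main(void)
{
    /* constructed test sets; vectors written as abc in the comments */
    const unsigned partial[] = {6 /*110*/, 2 /*010*/, 4 /*100*/};
    const unsigned full[]    = {6 /*110*/, 2 /*010*/, 4 /*100*/, 5 /*101*/};
    printf("partial set: %d condition(s) missing\n", mcdc_missing(partial, 3));
    printf("full set:    %d condition(s) missing\n", mcdc_missing(full, 4));
    return 0;
}
```

The three-vector set exercises every condition and every outcome yet does not reach MC/DC, because no pair of its vectors isolates `c`; adding the vector 101 (paired with 100) completes it with four vectors, the minimum of N+1 for three conditions. That gap between "all branches taken" and MC/DC is why a dedicated measurement tool was needed for the OCaml code.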
Mlcov reports
(slide of mlcov coverage report screenshots; images not recovered)
Summary
- Developing a level A tool (or SIL3/4):
  - Impact on Scade 6 definition (user context in mind)
    - Formal semantics of the language: new kind of requirements
  - Use of caml
    - New approach in that domain
    - Required justification, new GC, specific analysis
    - Development of a specific MC/DC tool
  - "grey" box testing:
    - A way to fulfill DO-178B requirements, while being manageable
  - Got a certified KCG 6.0.1 tool, BUT....
KCG 6.0.1: Context of use
(diagram, built up over three slides: Scade model -> SCADE KCG (certified) -> C Code -> Target compiler -> Binary)
- Is that OK on disk?
- Is there any problem?
- The second slide adds: Reporter (verification tool)
- The third slide adds: CVK Test Suite