Esterel Technologies © 2001 — www.esterel-technologies.com 1 SCADE* The Cost and Time Effective solution for Safety Critical Software Development *Safety.


Slide 1: SCADE* The Cost and Time Effective solution for Safety Critical Software Development
*Safety Critical Applications Development Environment
Francois-Xavier Dormoy: SCADE Product Technical Manager

Slide 2: Needs
- Critical real time embedded systems (temporal constraints):
  - Flight control in avionics
  - Command control system in nuclear power plant
  - Signaling system for railway transport
  - Airbag or ABS in cars ...
- Safety is part of the requirements (safety and qualification constraints):
  - No software/system errors (reliability)
  - Reliability of the used tools can be assessed
  - Development in compliance with standards (DO-178B)
- Time to market and productivity (economic constraints)

Slide 3: SCADE Answers (Formal, Simple, Reliable, Powerful)
- Good foundation: the SCADE language
  - Formal
  - Easy to learn
  - Close to industrial habits
- SCADE Studio:
  - Fully integrated solution for system development
  - Powerful, ergonomic and reliable tools
  - DO-178B level A C code generator
- Strong partnerships:
  - With customers (Airbus, Schneider)
  - With research laboratories (Verimag, Paris VI)
  - With other tool providers (Prover Technology AB)
- Continuous enhancements:
  - New 4.1 release, plan for next releases

Slide 4: A strong foundation: the synchronous approach
- The program cyclically examines its inputs:
  - read inputs (events & values)
  - compute the system's outputs and/or new states
  - write the outputs
- Generally the loop is performed according to a basic clock
- Some of the computations may be performed at a lower pace (for instance every 2 cycles)
The synchronous approach makes determinism achievable and is suited for time-triggered applications/functions.

Slide 5: SCADE Language: a formal approach
- SCADE language = graphical implementation of the synchronous language LUSTRE*
  - formal & deterministic
  - intuitive & familiar visual representation
  - structured, hence readable and easy to reuse
  - functional approach, hence readable
  - strongly typed, hence reliable
- You can execute a SCADE specification right away
(Diagram: a hierarchical design with top-level node A containing B, decomposed into B1, B2, B3, and C, decomposed into C1, C2.)
*For more information about the LUSTRE language, visit the IMAG web site:

Slide 6: SCADE notation: several views according to the need
LUSTRE text of a counter node, as shown on the slide:

    node counter (init, incr : int; reset : bool) returns (count : int);
    let
      count = init -> if reset then init else pre(count) + incr;
    tel;

- Hierarchical view (diagram: node A containing B with B1, B2, B3, and C with C1, C2)
- Net view (diagram: operators Op1, Op2, Op3 inside B2)
- State machine view (diagram: states "On ground", "Take off" and "Flight", with transitions guarded by cond1 ... cond5)
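As an added example (not code from the presentation or from the SCADE code generator), the counter node above hand-written in C in the style of the generated code described later in the deck (statically allocated state, one step function per cycle) and driven by the cyclic loop of slide 4, with a second instance stepped on a sub-clock every 2 cycles. The input scenario, the init/incr constants and the names fast/slow are constructed for this example.

```c
#include <stdbool.h>
#include <stdio.h>

/* State of the LUSTRE node "counter" from the slide, hand-written in the style
 * of generated code: statically allocated, one step per basic-clock tick. */
typedef struct {
    bool first;      /* true until the first cycle has run (the "->" operator) */
    int  pre_count;  /* value of count at the previous cycle (pre(count)) */
} counter_ctx;

static void counter_init(counter_ctx *c) { c->first = true; c->pre_count = 0; }
/* One synchronous step: read inputs, compute the output, then update state. */
static int counter_step(counter_ctx *c, int init, int incr, bool reset) {
    int count;
    if (c->first || reset) count = init;                /* init -> if reset then init */
    else                   count = c->pre_count + incr; /* else pre(count) + incr */
    c->first = false;
    c->pre_count = count;
    return count;
}

#define CYCLES 6
/* Constructed scenario: a reset pulse on cycle 3. */
static const bool RESET[CYCLES] = { false, false, false, true, false, false };
static int fast_out[CYCLES], slow_out[CYCLES];

/* The cyclic loop of slide 4: "fast" is stepped on every basic-clock tick,
 * "slow" only every 2 cycles; its last output is held in between. */
static void run_scenario(void) {
    counter_ctx fast, slow;
    int held = 0;
    counter_init(&fast);
    counter_init(&slow);
    for (int cycle = 0; cycle < CYCLES; cycle++) {
        fast_out[cycle] = counter_step(&fast, 10, 1, RESET[cycle]);
        if (cycle % 2 == 0)                  /* sub-clock tick */
            held = counter_step(&slow, 0, 5, RESET[cycle]);
        slow_out[cycle] = held;              /* the reset on cycle 3 is never sampled by "slow" */
    }
}
int fast_at(int cycle) { run_scenario(); return fast_out[cycle]; }
int slow_at(int cycle) { run_scenario(); return slow_out[cycle]; }

int main(void) {
    run_scenario();
    for (int cycle = 0; cycle < CYCLES; cycle++)
        printf("cycle %d: fast=%d slow=%d\n", cycle, fast_out[cycle], slow_out[cycle]);
    return 0;
}
```

Note that an input which is only relevant on a sub-clock, like the reset here, must itself be sampled on that clock (LUSTRE's `when`) or the slow instance never sees it.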

Slide 7: SCADE References
- Avionics / Space: EADS (Airbus, EUROCOPTER), DASSAULT, SFIM, INTERTECHNIQUE, MESSIER BUGATTI, HONEYWELL (for BOEING), THALES, PRATT & WHITNEY, MESSIER DOWTY ...
- Automotive / Ground transport: AUDI, PSA, TEMIC, CSEE Transport, RATP, ...
- Energy production: SCHNEIDER ELECTRIC, EDF, FRAMATOME
- Others: OTIS, ...

Slide 8: Providing a Competitive Edge to Airbus
- Application
  - AIRBUS development program
- Principal Challenges
  - Decrease coding errors
  - Master the software life cycle
  - Reduce time-to-market
- Results
  - On the A340 project, the ratio of automatically generated code reached 70% (fly-by-wire)
  - Specification changes were perfectly mastered and the modified code was quickly made available, therefore reducing time-to-market
  - For 100 Kbytes of code, error ratio: 20x decrease
- On-going
  - Use of SCADE for A340/600 Level A equipment that will claim credit for the SCADE qualifiable code generator during certification in 2001

Slide 9: Providing a Competitive Edge to Eurocopter
- Application
  - EC 155/135 autopilot
- Principal Challenges
  - Reduce development cycle time
  - Reduce certification cycle time for DO-178B Level A compliance
- Results
  - Reduced development cycle time by 50%
  - 90% of the autopilot code was generated
  - JAA certification of the EC 135 with SCADE as qualified code generation tool for DO-178B level A in Oct 1999

Slide 10: Providing a Competitive Edge to Schneider Electric
- Application
  - CO3 N4 nuclear power plant safety control
  - Kozloduy nuclear power plant re-engineering
- Principal Challenges
  - Cut down the error ratio during test phases
- Results
  - 200,000 lines of code automatically produced with SCADE from 1,200 design views
  - Error ratio cut down by a factor of 8 while complexity increased 4x

Slide 11: Providing a Competitive Edge to PSA
- Application
  - Electrical management systems
- Principal Challenges
  - Decrease coding errors
  - Reduce time-to-market
- Results
  - Reduced development cycle time by 60%
  - 50% of code was generated
  - Error ratio: 80% less than expected

Slide 12: Providing a Competitive Edge to CSEE Transport
- Application
  - Hong Kong subway signaling system re-engineering
- Principal Challenges
  - Increase productivity
- Results
  - 16 subway stations
  - 254 SCADE operators
  - 2,705 I/O
  - 1.5 Mb of C code lines running on 1 processor
  - 80,000 lines of C code developed in 12 man-months ==> 300 lines/day per developer instead of 20!

Slide 13: SCADE Studio: integrated tool set
- Activities: Edition, Simulation, Documentation, Validation, Tests, Code Generation, Proof
- Tools: SCADE Editor, SCADE Simulator, unit and integration tests, SCADE Code Generator, SCADE Prover Plug-In

Slide 14: SCADE Studio: the Editor
- Powerful creation & modification
  - Easy to learn and use
  - Native Windows look & feel
  - Project creation wizards
  - Dynamic consistency
  - Libraries
  - Productivity improvements (drag and drop, shortcut bar, ...)
- Consistency of the model provided by the tool
  - Semantic checks or methodological checks provided
- Easy reuse of previous designs (library concept)
- Customizable
- CM functions using the SCCI standard (Continuus, ClearCase, PVCS, ...)

Slide 15: SCADE Studio: the Simulator
- Graphical simulation
  - Fully integrated in SCADE Studio
  - Breakpoints for debugging
  - Access to internal variables for debugging
- Execution of a SCADE description
  - Early detection of specification errors
- 3 modes
  - Batch: data driven scenario
  - Batch: Tcl scenario
  - Interactive, integrated in SCADE Studio
(Diagram: SCADE model -> SCADE Simulator -> test inputs & outputs, non-regression tests)
What You Simulate Is What You Embed

Slide 16: SCADE Studio: the Code Generators
- Portable code:
  - ANSI C
- Two code generators:
  - DO-178B level A compliant
  - Standard C code generator
- High integrity code characteristics:
  - Static memory allocation
  - Bounded stack
  - No dead code
  - Portable
  - Readable & traceable
  - Deterministic behavior guaranteed
- Customizable code generation:
  - Execution speed
  - Memory optimization
(Diagram: SCADE model -> SCADE Generator -> description: C files; integration files (external function skeletons, Makefile, ...))

Slide 17: SCADE Studio: the Code Generator
- No dependency loop, every variable is computable, clocks and sub-clock processes are consistent
- Benchmarks show code size & execution time from +50% down to 0% compared to manual code
- Easy and safe integration with existing code
- Modular code generation
- Generated code is easy to test: no complicated structures, no dead code
- Typed variables

Slide 18: SCADE Studio: the Code Generators
- Code generation is customizable according to each target & project constraints. For instance:
  - Call mode: each SCADE operator generated as a function
  - Inline mode: the whole sub-tree code is expanded in one function
  - ...
(Diagram: SCADE description with operator A containing B and C)

    Call mode:
    A { ... B(); ... C(); ... }

    Inline mode:
    A { ... /* begin of B */ ... /* end of B */ ... /* begin of C */ ... /* end of C */ ... }

Slide 19: SCADE Studio: Prover Plug-In for SCADE
- Exhaustively assesses your designs (completeness & correctness)
  - Enforce safety properties (can my door be opened while flying?)
  - Use generated faulty scenarios to fix your designs
  - Mathematically prove complete requirements fulfillment
  - Prove non-regression of designs
  - Check module integration easily
- Quickly and easily
  - Uses the SCADE formalism: no new language to learn!
  - Integrated within the SCADE Editor graphical interface
  - Modular
BOMBARDIER divided their testing efforts by 10 with the Prover engine.
Major aerospace & automotive actors are starting to use Prover Plug-In.
Formal proof is a major breakthrough in software development.
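An added example (not the Prover Plug-In or any Esterel code) of what the exhaustive assessment above amounts to on a small node: a hypothetical door-unlock node with a constructed bug, an observer for the property "never unlocked while airborne", and a breadth-first exploration of every reachable state under every input vector that either proves the property or reports the cycle at which the shortest faulty scenario fails. The node, its inputs and the "fixed" variant are all assumptions constructed here.

```c
#include <stdbool.h>
#include <stdio.h>

/* Inputs and state of a hypothetical door-unlock node (constructed example). */
typedef struct { bool open_cmd, close_cmd, airborne; } door_in;
typedef struct { bool first, pre_unlock; } door_state;  /* "->" flag and pre(unlock) */

/* One synchronous step of the node; "fixed" selects the corrected design. */
static bool door_step(door_state *s, door_in in, bool fixed) {
    bool unlock;
    if (s->first)                /* false -> ... */
        unlock = false;
    else if (fixed)              /* airborne always forces the door locked */
        unlock = !in.airborne && (in.open_cmd || (s->pre_unlock && !in.close_cmd));
    else                         /* bug: the latch survives take-off without a close_cmd */
        unlock = (in.open_cmd && !in.airborne) || (s->pre_unlock && !in.close_cmd);
    s->first = false;
    s->pre_unlock = unlock;
    return unlock;
}

/* Observer for the safety property "never unlocked while airborne". */
static bool observer_ok(bool unlock, door_in in) { return !(unlock && in.airborne); }
static int encode(door_state s) { return (s.first ? 2 : 0) | (s.pre_unlock ? 1 : 0); }

/* Breadth-first exploration of every reachable node state under every input
 * vector. Returns -1 if the observer holds everywhere (property proved), else
 * the cycle number at which the shortest violating scenario fails. */
int verify_door(bool fixed) {
    door_state queue[4]; int depth[4], head = 0, tail = 0; bool seen[4] = { false };
    queue[tail] = (door_state){ true, false }; depth[tail++] = 0; seen[2] = true;
    while (head < tail) {
        door_state cur = queue[head]; int d = depth[head++];
        for (int v = 0; v < 8; v++) {                 /* all 2^3 input vectors */
            door_in in = { (v & 1) != 0, (v & 2) != 0, (v & 4) != 0 };
            door_state next = cur;
            bool unlock = door_step(&next, in, fixed);
            if (!observer_ok(unlock, in)) return d;   /* faulty scenario found */
            if (!seen[encode(next)]) { seen[encode(next)] = true; queue[tail] = next; depth[tail++] = d + 1; }
        }
    }
    return -1;
}

int main(void) {
    printf("original design: %d (cycle of first violation, -1 = proved)\n", verify_door(false));
    printf("fixed design:    %d\n", verify_door(true));
    return 0;
}
```

The faulty scenario the search finds for the original design is: unlock on the ground at cycle 1, then take off at cycle 2 without a close command.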

Slide 20: SCADE Studio coupling module: DOORS link
- Why
  - Adds requirement management to the SCADE development environment
- Integration: technical aspects
  - Easy installation and startup
  - Automatic import of SCADE model data into DOORS
  - SCADE data can be part of a more complex system of DOORS modules
  - The overall system objects (requirements, design, test reports, etc.) can be linked and managed within the DOORS environment

Slide 21: Benefits of SCADE(TM): from V to Y life cycle
(Chart: time and cost (%) for five approaches: manual coding; use of a "regular" automatic code generator; use of the qualifiable code generator as a verification tool; use of proof technology; use of the qualifiable code generator as a development tool. The chart's labelled reductions are -20%, -25%, -50% and -60%.)

Slide 22: SCADE Studio: the new 4.1 release
- Prover Plug-In for proving properties
- Graphical simulator fully integrated in the editor with new functions (breakpoints, bookmarks, ...)
- New editing enhancements (new connection behavior, automatic backup, global printing function, ...)
- More efficient code generator (new options to reduce generated code RAM & execution time, DO-178B C code generator ported to Windows, target directory customizing)
- New library components (mathematical functions, integrators, ...)
- ...
Available end of October (NT & W2000)

Slide 23: Conclusion
- Dedicated to critical real time systems
- Already chosen by major actors of the domain
- Easy to use and intuitive
- Efficient
- A very good foundation which allows a prosperous future