F-22 Raptor - Universität Paderborn
Running slide header: Universität Paderborn, AG Softwaretechnik, Prof. Dr. W. Schäfer
Running slide footer: Automated Code-Generation for Safety-Critical Systems

Slide 1: Model-Based Software Development and Automated Code Generation for Safety-Critical Systems
for the Seminar „Advanced Topics in Software Engineering for Safety-Critical Systems“
Author: Robert Traussnig
Advisor: Dr. Holger Giese
Paderborn, July 2004
Motivating example (F-22 Raptor):
- Cause: Bug in Flight Control Software
- 2 MLOC Ada Code
- 7 Billion Dollars Cost for Software
- 20 Years Software Development Time

Slide 2: Agenda
1. Motivation
2. Historical Overview and Trends
3. Model Based Software Development
4. Application: Airbus Industries
5. Standards, Qualification and Certification
6. SCADE
7. Outlook and Conclusion

Slide 3: 1. Motivation
- growing complexity of safety-critical software systems
- increasing development time and cost vs. time-to-market
- verification activities are cost-intensive and time-consuming
- software quality needs to be improved

Slide 4: (figure only, no text)

Slide 5: 2. Historical Overview and Trends (timeline)
- 70s: Manual Coding: Machine Code, Assembly
- 80s: Structured Programming: C, Ada (subsets for safety-critical applications, e.g. SPARK Ada)
- 90s: Object-Oriented Programming, e.g. FAA OOT Initiative
- 00s/10s: Model-Based Software Development, e.g. SCADE

Slide 6: 3. Model Based Software Development
(figure: Requirements and Design Document -> Software Model -> Automated Qualified Code Generator -> Source Code; the Software Model is the subject of Proof, Simulation, and Validation and Verification)

Slide 7: 3. Benefits of Model Based SW Development
(figure: UML (Unified Modelling Language) in the FUJABA tool, captioned "Just Draw It!")
- Model is the software specification: it is the unique point-of-reference in the project
- Source code is automatically generated from the model with a (qualified) Code Generator
- Code is correct and up-to-date by construction
- Documentation is automatically generated from the model: it is correct and up-to-date by construction
- Model can be used for simulation, using the same code as the actual implementation
- Formal proof techniques can be applied to the model to detect bugs or prove safety properties

Slide 8: (figure only, no text)

Slide 9: 3. From the V-Model to the Y-Model
(figure: four stages plotted against a "Time" axis, each tool stage paired with the activity it replaces)
  Manual Coding            | Programming, Code Standard
  Automatic Code Generator | Generating Code
  Qualified Code Generator | No Code Test
  Design Verifier          | Automated Design Verification

Slide 10: 4. Application: Airbus Industries
- average development & test of 10,000 lines of code (10 KLOC) of DO-178 level B avionics software: 16 man-years
- cost of a major bug is between $1M and $500M
- cost of a minor bug detected in flight is between $100K and $500K
-> Airbus decided in the early 80's to introduce automated code generation.

Slide 11: 4. Application: Airbus Industries
(bar chart: On-Board Software in MBytes, axis 0 to 20, for A 310 (1970s), A 320 (1980s), A 340 (1990s); Source: Esterel Technologies)

Slide 12: (figure only, no text)

Slide 13: 4. Application: Airbus Industries
(bar chart: Errors detected per 100 KBytes of code, axis 0 to 500, for A 310 (1970s), A 320 (1980s), A 340 (1990s); annotation "70 % ACG Code"; Source: Esterel Technologies)

Slide 14: 4. Application: Airbus Industries
A340/600 FCSC (Flight Control Secondary Computer):
- 70 % automatically generated code
- 50 % reduction in development cost
- reduction in modification cycle time by factor 3
“No software bug ever detected in flight (including flight test) since the beginning of the use of ACG for Fly-By-Wire software.” [F. Pothon, Airbus France]
Source: Esterel Technologies

Slide 15: 5. Standards, Certification and Qualification
Relevant Standards for Safety-Critical Software:
- RTCA DO-178B (Civil Aircraft), 1980 and 1992
- ARP 4754
- IEC 61508 „Functional Safety of Electrical / Electronic / Programmable Electronic Safety-Related Systems“

Slide 16: 5. Standards, Certification and Qualification
DO-178B Software Criticality Levels
(figure: criticality levels illustrated with Flight Control Systems, Backup Systems and Warning Systems; Source: Esterel Technologies)

Slide 17: 5. Standards, Certification and Qualification
Qualifiable: Tool has been developed in such a way that it is “prequalified” or „qualifiable“, which means that it is ready for qualification on specific projects.
Qualified: On a per-project basis only. Tool Criticality Level has to match the final Software Criticality Level.
Certified: Legal recognition by the certification authority that a product, service, organization or person complies with the requirements.

Slide 18: 5. Standards, Certification and Qualification
Qualification Requirements of the Automated Code Generator (ACG) with respect to DO-178B:
- ACG defined as: „Tool whose output is part of the airborne software and thus can introduce errors“
- DO-178B, section 12.2.1: „If a software tool is to be qualified, the software development processes for the tool should satisfy the same objectives as the software development processes of airborne software.“
- „The software level assigned to the tool should be the same as that for the airborne software it produces.“

Slide 19: 6. SCADE: Introduction
• SCADE (Safety Critical Application Development Environment)
• Developed 1997 by Airbus Industries
• Since 2001 development and distribution by Esterel Technologies
• De-facto Standard in Aerospace and Nuclear Power Plant Industries
• Core Application for the EU-SafeAir (ASDE: Avionics Systems Development Environment) Project

Slide 20: 6. SCADE: Process (figure only, no text)

Slide 21: 6. SCADE: Software Requirements Specs
I. Continuous Control: Block diagrams for Continuous Control
(figure: Traditional Control Schema next to the SCADE Representation of the Control Schema)

Slide 22: 6. SCADE: Software Requirements Specs
II. Hierarchical and Concurrent State Machines (figure)

Slide 23: 6. SCADE: Generated Safe Code
- no pointer arithmetic, no dynamic memory allocation
- no operating system call
- fixed length loops for arrays or delay
- code is traceable to the model: nodes, variables and constants

Slide 24: 7. Outlook and Conclusion
- Model-Based Development is a new paradigm for safety-critical software
- Automated Code Generation reduces time-to-market and cost while increasing quality
- Aerospace Industry is driving the use of tools and the definition of new standards (FAA DO-178C including MBD and ACG)
- Limits and Constraints:
  - few qualified tools available
  - no qualified compiler yet
  - manual coding still necessary
  - steep learning curve for developers

Slide 25: Thank you for the Attention! Questions, please.
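Added example, not part of the slides and not output of SCADE or any Esterel tool: C written in the style a qualified code generator emits from a synchronous model, illustrating the three SCADE slides together, a continuous-control block (a first-order filter with a unit delay and a fixed-length voting loop), a hierarchical state machine (an ON superstate with MANUAL/AUTO substates), and the "generated safe code" rules (static memory only, no pointer arithmetic, constant loop bounds, no OS calls, comments tracing each function and variable back to a model node, variable or constant). All model names (LowPass, VoteSensors, ModeLogic, Controller, ALPHA, N_SENSORS) and the five-cycle input scenario are constructed for this example.

```c
/* Added example, not from the slides or from SCADE/Esterel: generated-code style C
   for a hypothetical synchronous model. Every node keeps its memory in a caller-owned
   struct; one *_step call is one synchronous cycle. No malloc, no OS calls. */
#include <stdbool.h>
#include <stdio.h>

#define N_SENSORS 3        /* model constant (hypothetical): array length fixed at generation */
#define ALPHA     0.5f     /* model constant (hypothetical): filter coefficient */

/* Node LowPass: y = ALPHA * u + (1 - ALPHA) * pre(y). The struct holds the pre() memory. */
typedef struct { float pre_y; } LowPass_ctx;

void LowPass_reset(LowPass_ctx *ctx) { ctx->pre_y = 0.0f; }   /* initial value of pre(y) */

float LowPass_step(LowPass_ctx *ctx, float u)
{
    float y = ALPHA * u + (1.0f - ALPHA) * ctx->pre_y;        /* model variable: y */
    ctx->pre_y = y;                                           /* delay advances one cycle */
    return y;
}

/* Node VoteSensors: middle value of N_SENSORS == 3 redundant inputs.
   Indexed access and a constant loop bound only: no pointer arithmetic, no data-dependent loop. */
float VoteSensors_step(const float s[N_SENSORS])
{
    float lo = s[0], hi = s[0], sum = 0.0f;
    int i;
    for (i = 0; i < N_SENSORS; i++) {
        if (s[i] < lo) lo = s[i];
        if (s[i] > hi) hi = s[i];
        sum += s[i];
    }
    return sum - lo - hi;                  /* median of three = sum - min - max */
}

/* Node ModeLogic, a hierarchical state machine:
     OFF --power--> ON      ON --!power--> OFF   (outer transition, whatever the substate)
     inside ON: MANUAL (initial) --engage & !fault--> AUTO,   AUTO --fault--> MANUAL */
typedef enum { MODE_OFF = 0, MODE_ON = 1 } Mode;
typedef enum { SUB_MANUAL = 0, SUB_AUTO = 1 } OnSub;
typedef struct { Mode mode; OnSub sub; } ModeLogic_ctx;

void ModeLogic_reset(ModeLogic_ctx *ctx) { ctx->mode = MODE_OFF; ctx->sub = SUB_MANUAL; }

void ModeLogic_step(ModeLogic_ctx *ctx, bool power, bool engage, bool fault)
{
    if (!power) {                          /* superstate transition has priority */
        ctx->mode = MODE_OFF; ctx->sub = SUB_MANUAL; return;
    }
    if (ctx->mode == MODE_OFF) {           /* entering ON starts in its initial substate */
        ctx->mode = MODE_ON; ctx->sub = SUB_MANUAL; return;
    }
    if (ctx->sub == SUB_MANUAL && engage && !fault) ctx->sub = SUB_AUTO;
    else if (ctx->sub == SUB_AUTO && fault)         ctx->sub = SUB_MANUAL;
}

/* Root node Controller: memories of all sub-nodes live in one statically sized context. */
typedef struct { LowPass_ctx filt; ModeLogic_ctx modes; } Controller_ctx;

void Controller_reset(Controller_ctx *ctx) { LowPass_reset(&ctx->filt); ModeLogic_reset(&ctx->modes); }

/* One synchronous cycle. Every flow is computed every cycle; the mode only selects the output. */
float Controller_step(Controller_ctx *ctx, const float sensors[N_SENSORS],
                      bool power, bool engage, bool fault, float manual_cmd)
{
    float voted    = VoteSensors_step(sensors);         /* model variable: voted */
    float filtered = LowPass_step(&ctx->filt, voted);   /* model variable: filtered */
    ModeLogic_step(&ctx->modes, power, engage, fault);
    if (ctx->modes.mode == MODE_OFF)   return 0.0f;
    if (ctx->modes.sub  == SUB_MANUAL) return manual_cmd;
    return filtered;
}

/* Constructed 5-cycle scenario (power-up, engage, fault, power-down). Returns the command of
   cycle 'cycle' (1..5); *mode_code gets 0 = OFF, 1 = ON/MANUAL, 2 = ON/AUTO after that cycle. */
float scenario(int cycle, int *mode_code)
{
    static const float sensors[N_SENSORS] = { 10.0f, 12.0f, 11.0f };   /* constructed inputs */
    static const bool power[5]  = { false, true,  true,  true,  false };
    static const bool engage[5] = { false, false, true,  true,  false };
    static const bool fault[5]  = { false, false, false, true,  false };
    Controller_ctx ctx;
    float out = 0.0f;
    int k;
    Controller_reset(&ctx);
    for (k = 0; k < cycle && k < 5; k++)
        out = Controller_step(&ctx, sensors, power[k], engage[k], fault[k], 5.0f);
    *mode_code = (ctx.modes.mode == MODE_OFF) ? 0 : (ctx.modes.sub == SUB_MANUAL ? 1 : 2);
    return out;
}

float scenario_command(int cycle) { int m; return scenario(cycle, &m); }
int   scenario_mode(int cycle)    { int m; (void)scenario(cycle, &m); return m; }

int main(void)
{
    int k;
    for (k = 1; k <= 5; k++)
        printf("cycle %d: command %.4f, mode code %d\n", k, scenario_command(k), scenario_mode(k));
    return 0;
}
```

Because the memory of every node is a plain struct and every loop bound is a compile-time constant, the worst-case execution time and stack use of `Controller_step` are fixed, which is what makes this style reviewable against the model: each function maps to one node, each local to one model variable, and each `#define` to one model constant.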