SCADE tools - PowerPoint PPT Presentation

Slides: 74
Provided by: Mauric67
Transcript and Presenter's Notes

1
SCADE tools
  • SCADE System
  • SCADE Suite
  • SCADE Display
  • SCADE development modules

2
Model Based Development With SCADE Tools
3
SCADE System
  • A system architecture design and modeling tool
    that allows system engineers to model the design
    of system components and structure using SysML
    block diagrams.
  • Allows engineers to extract parts of the main
    system model and exchange these subsystem software
    models with development teams.
  • Software teams can then work on the subsystem
    software design with SCADE Suite.
  • Comparison of system model versions is
    facilitated when the subsystem software model is
    reintegrated into the main system model.
  • SCADE LifeCycle Reporter allows systems engineers
    to automatically generate up-to-date
    documentation at any point in the development
    cycle.

4
SCADE Suite
  • With native integration of the Scade language and
    its unified formal notation, SCADE Suite is the
    unique integrated design environment for critical
    applications spanning:
    • requirements management,
    • model-based design,
    • simulation,
    • verification,
    • qualifiable/certified code generation,
    • and interoperability with other development tools
      and platforms.

5
SCADE Suite: Integrated Data Flow and SSM editors
6
SCADE Suite: Simulator
7
SCADE Display
  • SCADE Display is a flexible graphics design and
    code generation tool suite for the development of
    safety-critical embedded display systems.
  • With native support of the OpenGL SC standard,
    SCADE Display is the new generation display
    framework, spanning:
    • prototyping,
    • display design,
    • simulation,
    • verification and validation,
    • DO-178B certified code generation for level A
      software, and
    • smooth integration with other applications.
  • Tightly coupled with SCADE Suite, enabling
    unprecedented visibility from the deployed
    application to the end-user displays.

8
SCADE Suite DISPLAY for SW development
9
SW design Process with SCADE Suite Display
10
SW Coding Process with SCADE Suite Display
11
SCADE SCOPE
12
SCADE code integration
13
Typical SW architecture for graphics
14
Timing Verifier integration in SCADE Suite
15
RT Vizu of SW Spec
16
ACG Certification
17
Typical SW life-cycle within DO-178 context
18
Abbreviations
  • SNCC: système numérique de contrôle commande
    (French for digital control system)
  • DCS: Digital Control System
  • SIF: Safety Instrument Function
  • OSHA: Occupational Safety and Health Administration
  • EPA: Environmental Protection Agency
  • ISA: Instrumentation Systems and Automation Society
  • IEC: International Electrotechnical Commission
  • TMR: Triplicated Modular Redundant
  • PLC: Programmable Logic Controller
  • FMECA: Failure Mode, Effects, and Criticality
    Analysis
  • AMDEC: Analyse des Modes de Défaillance, Effets et
    Criticité (French equivalent of FMECA)
19
SCADE at Airbus
  • contents

20
System Modelling and Verification (SCADE Airbus)
21
SW Coding and Testing (SCADE Airbus)
22
A350 XWB Large interchangeable displays
23
Simulator Architecture(Ansaldo)
24
SCADE at Thales
  • contents

25
Projects using SCADE (Thales)
  • THALES is leader in Cockpit Interactive Solutions
  • AIRBUS A380 Cockpit Project developed by THALES

26
Projects using SCADE (Thales)
27
Projects using SCADE (Thales)
28
Why SCADE (Thales)
  • text

29
SCADE at AREVA
  • contents

30
AREVA Organisation
31
Why SCADE (Areva)
  • Adapted to our deployed development process
    • SCADE formalism (node and data flow) is
      equivalent to the Structured Analysis SA-RT/SD
      method used at AREVA TA (Structured Analysis,
      Structured Design)
    • Understood by both system and software engineers
    • Improvement of mutual comprehension is required
      by the IEC 60680 (2006) standard
  • Supporting our generic design policy
    • SCADE cycle-based language is well adapted to the
      way embedded safety-critical software is
      designed at AREVA TA
  • Easier to reach SIL4 than with the former classic
    development method
    • SCADE Simulator: early detection of errors in the
      specification
    • SCADE KCG: no unit testing at code level
  • Less expensive deployment than other formal
    methods
    • Only one week to design with the principal SCADE
      functions
  • Improved software validation
    • Formal proof techniques are enabled

32
SCADE integration in dev Process (AREVA)
  • SIL4 developments (and some SIL0)
  • SCADE modelling of system specification
    • Definition of interface functions and data flow
      between functions
    • Traceability links between requirement
      specification and functions, using SCADE RM
      Gateway
    • Functions allocation to subsystems
  • Software SCADE design
    • Software architecture design inherited from the
      system model
    • Refinement of requirements allocated to functions
    • Design of each function
      • SCADE 6 SSM and map/fold
      • Restricted use of imported nodes (efficiency or
        SCADE limits, reuse of legacy code)
  • V&V
    • Check of modelling rules
    • Check of requirements
    • Node and function testing (using SCADE
      Simulator and SCADE MTC)
    • Integration and validation testing (on host
      machine prior to on-target)
    • System integration and validation testing (on
      host machine prior to final equipment)
  • Version control: distributed SCADE model
    development.

33
System Modelling with SCADE (AREVA)
  • Requirements modelling
  • Physical and safety allocation of requirements
  • Interfaces of each subsystem with its environment
  • Traceability with functional specification (RM
    Gateway)

34
SW Design with SCADE (AREVA)
  • Refine the subsystem models (node and data flow)
    into the full software architecture
    • In the EN50128 process: Software Requirement and
      Architecture Specification (generated with the
      Reporter function)
  • Refine the design down to terminal nodes (full
    SCADE or imported)
    • In the EN50128 process: Software and Module
      Design
  • Use of KCG for code generation
    • In the EN50128 process: Code
  • Non-SIL4 designer tests with the simulator
    • Good AREVA TA practice to improve model quality
      before V&V

35
System SW Design Validation (AREVA)
  • The various V&V activities are:
    • Requirement-based test specification
      • Test scenarios: define the inputs and the
        expected outputs for every requirement, in the
        document and in test files
    • Automatic launch of validation tests
      • Compute the test, play the test and verify the
        outputs against the expected result
    • Automatic test reporter with AREVA TA tools
    • Analysis of the test coverage score with SCADE MTC

36
System SW Design Validation (AREVA)
  • Different simulations can be chosen
    • SCADE graphic simulator
      • Well suited to verify nodes during the design
      • Cannot be used in an automatic test bench
      • Interface is poor for system testing with a
        massive number of I/Os
    • Command line mode
      • Same mode as the graphic one but with TCL
        language elements (functions and comments)
      • Harder to use than the graphical mode
    • TCL script
      • Use of a TCL instruction sequence to initialise
        inputs, verify the expected values of outputs,
        increase the cycle, flatten structure or array
        types
      • Use of TCL programming power: loops, generic
        sub-functions
      • A TCL scenario script can be called by another
        script, so a launcher can sequence the
        scenarios
      • All I/O transitions can be recorded
    • External simulator calling SCADE via a DLL
      interface
      • Equivalent to a TCL script but harder to use
        (continuity, support, ...)
  • Test bench based on TCL scripts to check all
    software components
    • For each component
      • Rebuild a test program for the component
      • Play the scenario and compare outputs to the
        expected values
      • Generate a log file with principal script step
        information
      • Generate a log file with the history of the I/O
        transitions
    • For all the components
      • Compute an HTML validation report with
        • A link to the log files
        • A validation success rate
        • A global model test coverage score

37
Research Infrastructure(DLR)
38
Development Process (DLR)
  • Integrated development process for the entire
    research infrastructure
  • Stimulated by:
    • Domain engineering (e.g. virtual institute DeSCAS)
    • Requirements engineering (e.g. EU project CESAR)
    • Service-oriented architectures (SOA)
    • Model-based development (e.g. SCADE)

39
Dominion Project(DLR)
40
SCADE at ASTRIUM
  • contents

41
Dev Life-Cycle(ASTRIUM)
42
Formal proofs on the ATV safety software (ASTRIUM)
  • The LESAR tool is developed by the VERIMAG
    laboratory
  • Example of proven properties
    • Specification of the environment by regular
      expressions:
        cam_arm(on, arm, cam_cmd, tc, hltc) prefix(
          -on, -arm, -cam_cmd, -tc, -hltc .
           on, -arm, -cam_cmd, -tc, -hltc .
          -on, -arm, -cam_cmd, -tc,  hltc . )
    • Properties
      • A red button implies eventually a CAM
        triggering before 4 cycles
        (real-time property)
      • The two MSU chains cannot both trigger a CAM
        at the same time
        (mutual exclusion property)
  • The same results have now been reached with Prover.

43
SCADE at POSCON
  • contents

44
PSD System Diagram(POSDOM)
45
PSD System Diagram(POSDOM)
46
Development Process to Achieve SIL 3: RAMS System
Life-Cycle
47
Development Process to Achieve SIL 3: PSD RAMS H/W
Management
48
Development Process to Achieve SIL 3: PSD RAMS S/W
Development (V-Model method)
49
Development Process to Achieve SIL 3: PSD RAMS
Project Output
50
SCADE at Liebherr
  • Contents
  • Connecting the neutral SCADE model with the
    global PLC data

51
SCADE for SIL2 systems (Liebherr)
  • Connecting the neutral SCADE model with the
    global PLC data

52
PME1 control system (Liebherr)
  • Central intelligence
  • Distributed I/Os
  • Real-time CAN protocol
  • Single synchronous application task
  • Safety level up to SIL2
  • Massive reuse of software modules
  • text

53
PME1 link data flow (Liebherr)
  • Interface
    • Config file with all variables of the PLC system
    • Clear separation of responsibilities between
      Liebherr and Esterel
  • Generates
    • New textual operator: Integration Toplevel
    • Special C code with mappings
  • SCADE
  • Liebherr

54
SCADE at Siemens
  • Contents

55
From SysML to SCADE: SCADE System Designer (Siemens)
  • SysML
    • Architecture
    • Different views
      • communications
      • deployment
      • use cases
  • SCADE
    • Design language
    • Embedded control
    • Simulation

56
Timing analysis and SCADE (Siemens)
  • Timing analysis
    • WCET computation
    • Communication architecture: do we meet our
      timing requirements?
    • What is the impact of different architecture
      alternatives regarding timing?
    • Deeper understanding of system performance
      characteristics

57
Model-based worst-case timing approach (Siemens)
  • Abstract model of resources, processes,
    scheduling policies and communication pathways

58
Elicitation of system behavior by modeling (Siemens)

59
Model-based penetration into an existing target
system architecture (Siemens)
  • SCADE Components

60
SCADE at Invensys
  • Contents
  • Railway TDMS (Train Data Management System)

61
TDMS Architectural Principles: Simple Partitioning
(Invensys)
62
SCADE TDMS Development: TDMS Partitioning -
Partitions (Invensys)
  • Standard interface
    • Communicate via ports
  • Partition mode
    • Application partitions
    • System partitions
    • Similar to ARINC 653
  • Fault handling
    • Dual redundant for availability
  • Adapt by adding/removing features/partitions
    • Requires agility

63
SCADE TDMS Development: Project Process Evolved to an
Agile Feature-Driven Approach
64
SCADE at KEPCO
  • Contents
  • SCADE for ISODE (Integrated SW Dev Env) for NP
    systems

65
ISODE Overview KEPCO
66
ISODE Overview KEPCO
67
Validation and Verification Process (TEPCO)
  • Design Verifier
    • A property is implemented in a SCADE node called
      an Observer.
    • As inputs, it receives the values the property
      focuses on.
    • It has one output, which is true if and only if
      the property is true.
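The observer pattern described above, applied to the two properties from the ASTRIUM slide (a red button implies a CAM triggering before 4 cycles; the two MSU chains never both trigger a CAM in the same cycle), as an added example in plain Python rather than Scade, not code from the presentation or from any SCADE tool. The input names, the reading of the bound as "within 4 cycles, press cycle included", and the two traces are assumptions.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

BOUND = 4  # assumed reading: CAM must trigger within 4 cycles, press cycle included


@dataclass
class BoundedResponseObserver:
    """Observer for 'a red button implies a CAM triggering before BOUND cycles'.
    'pending' is the node's memory (the 'pre' state of a SCADE node): -1 means
    no outstanding obligation, otherwise the number of cycles since the press."""
    pending: int = -1

    def step(self, red_button: bool, cam: bool) -> bool:
        """One synchronous cycle: inputs in, the property's truth value out."""
        if self.pending >= 0:
            self.pending += 1          # another cycle elapsed without a CAM
        if red_button and self.pending < 0:
            self.pending = 0           # a new obligation starts this cycle
        if cam:
            self.pending = -1          # obligation discharged
        violated = self.pending >= BOUND - 1
        if violated:
            self.pending = -1          # report once, then re-arm the observer
        return not violated


def mutual_exclusion_observer(msu_a_cam: bool, msu_b_cam: bool) -> bool:
    """Stateless observer: the two MSU chains never both trigger a CAM in one cycle."""
    return not (msu_a_cam and msu_b_cam)


def run_bounded_response(trace: Iterable[Tuple[bool, bool]]) -> List[bool]:
    """Drive the observer over a trace of (red_button, cam) inputs, one per cycle."""
    obs = BoundedResponseObserver()
    return [obs.step(red, cam) for red, cam in trace]


def first_violation(outputs: Iterable[bool]) -> Optional[int]:
    """First cycle at which the observer output is false (the counterexample a
    model checker would report), or None if the property held throughout."""
    for cycle, ok in enumerate(outputs):
        if not ok:
            return cycle
    return None


# Constructed scenarios (not from the presentation): press at cycle 1 answered
# by a CAM at cycle 4, and press at cycle 0 left unanswered for 4 cycles.
GOOD_TRACE = [(False, False), (True, False), (False, False), (False, False), (False, True)]
BAD_TRACE = [(True, False), (False, False), (False, False), (False, False), (False, True)]
```

Design Verifier explores all input sequences rather than a hand-written trace; this simulation only shows what the observer's single boolean output means cycle by cycle.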

68
Automatic Documentation Generation TEPCO
69
Target Importing Process TEPCO
70
Target Importing Process TEPCO
71
PPS Application-Bistable Module TEPCO
72
PPS Application-Coincidence Module TEPCO
73
title