DO-178C / ED-12C Model Based Supplement - MathWorks · Pierre Lionne, SC-205 / WG-71 SG-4...
Post on 21-Mar-2020
Pierre Lionne,
SC-205 / WG-71 SG-4 Co-Chairman
1 Nov. 2011
DO-178C / ED-12C
Model Based Supplement
© 2010 APSYS - All rights reserved
Summary
• Introduction
• Foundations Concepts
• Highlights
• Conclusion
Introduction
[Diagram: DO-178B / ED-94B → Issues → DO-178C / ED-94C, Supplement X, Supplement Y; TOR]
Introduction
SC 205 / WG 71 subgroups:
• SG 1 – Document Integration
• SG 2 – Issues & Rationale
• SG 3 – Tools
• SG 4 – Model Based Development & Verification
• SG 5 – Object Oriented
• SG 6 – Formal Methods
• SG 7 – CNS/ATM & Safety
Foundation Concepts
• Models to express requirements
• Scope of supplement
• Modeling Technique
• Model “Parent” Requirements
• Simulation
Concept #1
• Model is an acceptable means to express
completely software requirements or
architecture
[Figure: Simulink model WHC_DFS_38/39 – inputs Status and nb_ticks; an If block with u1 = Status and u2 = Relational Operator (>) comparing counter_N_1 (from a Unit Delay, 1/z, of Counter) with nb_ticks; action subsystems: if(u1 == 0) reset counter, elseif(u2 == 1) raise confirmation flag, else increment counter; Merge blocks produce Conf Status (boolean) and Counter (uint16).]
Req_001: The XX module shall wait 10ms before entering in blabl state
Req_002: The XX module ….
Derived Req_003: …
Concept #2
• The supplement applies to any model that is
used to define software artifacts whatever
the process that produced it
[Figure: model WHC_DFS_38/39, as shown under Concept #1]
Concept #3
• Modeling Technique =
– A Modeling Language
AND
– A manner of using this language
• The Modeling Technique has to be suitable to the type and to the level of abstraction of the information to be expressed
• Modeling Techniques have to be described in Model Standards
Concept #4
• Model should be developed from a complete
set of requirements and constraints external
to it
[Diagram: Model Parent Requirements → Model]
Concept #5
• Simulation: appropriate means to support
model verification
[Diagram: Model Parent Requirements → Model, with simulation supporting model verification]
Concept #6
• Simulation may be used to support the
testing effort
[Diagram: Model Parent Requirements → model WHC_DFS_38/39 → Executable Object Code]
Highlights
• System / Software
• Planning Process
• Development Process
• Verification Process
• Tools
System / Software
• Interfaces between System and Software
processes updated to address the case
where system team produces a software
model
Planning Process
• Introduction of Model Standards
– Syntax & Semantic of the language
– Constraint on complexity
– Means to identify Requirements
– Derived requirements identification
– Means to establish traceability
– …
Development Process
• The same guidance applies to requirements
expressed in a model
• Model elements which do not represent
requirements should be identified
Verification Process
Guidance from DO-178C / ED-12C
Core Document remains applicable
Verification Process
Simulation & model verification:
• New means => New artifacts:
– Simulation Cases & Procedures
– Simulation Results
• Simulation Cases based on
Model Parent Requirements
Verification Process
[Diagram: Development: Model Parent Requirements → model WHC_DFS_38/39; Verification: Simulation Cases, Simulation Procedures, Simulation Results]
Verification Process
Test:
• Same guidance as in DO-178B / ED-12B:
– Compliance & Robustness with LLR
– Compliance & Robustness with HLR
Verification Process
[Diagram: Test (classical): High Level Requirements → Low Level Requirements → Executable Object Code]
Verification Process
Test (example #1)
[Diagram: Model = HLR (model WHC_DFS_38/39) → Low Level Requirements → Executable Object Code]
Verification Process
Test (example #2)
[Diagram: High Level Requirements → Model = LLR (model WHC_DFS_38/39) → Executable Object Code]
Verification Process
Test (example #3)
[Diagram: Model = HLR + LLR (model WHC_DFS_38/39) → Executable Object Code]
Verification Process
Test (example 3)
[Diagram: Model Parent Requirements → Model = HLR + LLR (model WHC_DFS_38/39) → Executable Object Code]
Verification Process
Test (example 3)
When a model expresses both LLR and HLR, it is
required to show:
– Compliance & Robustness of the EOC with the Model
– Compliance & Robustness of the EOC with the Model Parent Requirements
(whatever the process that produced the model)
Verification Process
Model Coverage Analysis: Detect unintended
functions in a model
[Diagram: Model Parent Requirements → model WHC_DFS_38/39, with an unintended function highlighted → Executable]
Verification Process
Simulation & Test:
• Some testing objectives can be achieved
by a combination of simulation and other
traditional means.
• HW/SW Integration test objectives cannot
be achieved by simulation.
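As an added illustration, not part of the slides or of any SC-205 / WG-71 deliverable, the model WHC_DFS_38/39 from the slides is re-implemented in C, driven by a simulation case derived from a constructed parent requirement, with if/elseif/else branch coverage recorded so that an unexercised branch flags either a missing simulation case or a candidate unintended function. The held-counter behaviour in the confirmation branch, the `nb_ticks + 1` acceptance criterion and all function names are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
/* Constructed re-implementation of the confirmation counter on the slides (WHC_DFS_38/39):
 * If block with u1 = Status and u2 = (counter_N_1 > nb_ticks), a Unit Delay (1/z) holding
 * the previous Counter, and Merge blocks joining the three action subsystems. */
typedef struct { uint16_t counter_n_1; } ConfState;             /* Unit Delay 1/z */
typedef struct { bool conf_status; uint16_t counter; } ConfOut;  /* merged outputs */
enum { BR_RESET = 1, BR_CONFIRM = 2, BR_INCREMENT = 4, BR_ALL = 7 }; /* coverage flags */
/* One execution step of the model; *cov accumulates the branches exercised. */
ConfOut conf_step(ConfState *st, bool status, uint16_t nb_ticks, unsigned *cov)
{
    ConfOut out = { false, st->counter_n_1 };
    if (!status) {                              /* if(u1 == 0): reset counter */
        *cov |= BR_RESET;
        out.counter = 0;
    } else if (st->counter_n_1 > nb_ticks) {    /* elseif(u2 == 1): raise confirmation flag */
        *cov |= BR_CONFIRM;
        out.conf_status = true;                 /* counter held: assumption, not on the slide */
    } else {                                    /* else: increment counter */
        *cov |= BR_INCREMENT;
        out.counter = (uint16_t)(st->counter_n_1 + 1u);
    }
    st->counter_n_1 = out.counter;              /* feed back through the Unit Delay */
    return out;
}

/* Simulation case from a constructed parent requirement: with Status held at 1, Conf Status
 * rises once the counter exceeds nb_ticks, never before. Returns that tick, or -1 on failure. */
int sim_case_confirm(uint16_t nb_ticks, unsigned *cov)
{
    ConfState st = { 0 };
    for (int tick = 0; tick < 2 * (int)nb_ticks + 4; tick++) {
        ConfOut out = conf_step(&st, true, nb_ticks, cov);
        if (out.conf_status)
            return out.counter == nb_ticks + 1u ? tick : -1;
    }
    return -1;
}

/* Model coverage analysis over a campaign: an unexercised branch is either a missing case or
 * a model element no parent requirement asks for (unintended function). 0 = full coverage. */
unsigned campaign_uncovered(bool with_status_drop)
{
    unsigned cov = 0;
    ConfState st = { 0 };
    if (sim_case_confirm(3, &cov) != 4) return BR_ALL;    /* case failed: report everything */
    if (with_status_drop) conf_step(&st, false, 3, &cov); /* Status = 0 exercises the reset */
    return BR_ALL & ~cov;
}
```

Running only the confirmation case leaves the reset branch uncovered, which is exactly the kind of finding the slides' model coverage analysis is meant to raise before it is dismissed as intended.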
Tools
[Diagram: Model Standards → model WHC_DFS_38/39 → Source Code → Executable Object Code, traced to Model Parent Requirements; tools: Model Conformance, Test Model Coverage, Trace Tool, Code Inspector / Code Conformance, Code Verification & Validation, Code Coverage]
Conclusion
Highlights
[Diagram: recap of the chain Model Standards → model WHC_DFS_38/39 → Source Code → Executable Object Code with Model Parent Requirements, annotated Concept #1 #2, Concept #3, Concept #4, Concept #5, Concept #6]
Conclusion
• In the continuity of existing rules
• Consistent with current practices
• Try to anticipate future trends
The reproduction, distribution and utilization of this document as well as
the communication of its contents to others without express authorization
is prohibited. Offenders will be held liable for the payment of damages.
All rights reserved in the event of the grant of a patent, utility model or design.
Thank you for your attention!