1 © 2014 ANSYS, Inc. October 23, 2014 ANSYS Confidential
EN 50128:2011 – What’s new and applying it to your development and
verification process
Gérard Morin
VP Professional Services
ESTEREL Technologies, ANSYS Group
2
EN 50128:2011 OVERVIEW
SCADE MODEL-BASED APPROACH
CERTIFICATION
3
Introduction
“The railway domain is used to using various kinds of formal methods in many applications, with success.
The application of a formal method has a real impact on software quality and on the effective cost. The reduction of the number of software versions is one of the most significant benefits.
With ANSYS, we have created a training dedicated to the railway domain in which we explain how to assume the CENELEC 50128:2011 standard with the SCADE® solution.
This webinar is a good introduction to our valuable joint work.”
4
EN 50128:2011 OVERVIEW
Structure of EN 50128:2011
Quality Assurance
V-Cycle
SCADE MODEL-BASED APPROACH
CERTIFICATION
5
Structure of EN 50128:2011
EN 50128 main body:
• Clause 4: SSIL (software safety integrity levels)
• Clause 5: Organization
• Clause 6: Software Assurance
• Clause 7: Generic software
• Clause 8: Configuration Data
• Clause 9: Deployment and Maintenance
6
Structure of EN 50128:2011
EN 50128 main body:
• Clause 4: SSIL (software safety integrity levels)
• Clause 5: Organization
• Clause 6: Software Assurance
• Clause 7: Generic software
• Clause 8: Configuration Data
• Clause 9: Deployment and Maintenance
Annexes:
• Annex A: Tables of Criteria (selection of techniques and measures)
• Annex B: Key Roles
• Annex C: Documents Control Summary
• Annex D: Bibliography of Techniques
7
Safety Integrity Level (SIL)
The SIL is allocated to software from the System Safety Analysis.
The SIL can be allocated to a requirement or to the complete software.
For software, it is called Software SIL (SSIL).
The 5 values of SSIL:
• 0: failure has no impact or low impact on safety
• 1, 2: medium impact on safety
• 3, 4: high impact (death(s))
8
An EN 50128:2011 Compliant Process is Driven by Quality Assurance
M: Mandatory, HR: Highly Recommended, R: Recommended
Excerpt from FprEN 50128:2011 (page 72):

Table A.8 – Software Analysis Techniques (6.3)
TECHNIQUE/MEASURE                   Ref                       SIL 0  SIL 1  SIL 2  SIL 3  SIL 4
1. Static Software Analysis         D.13, D.37, Table A.19    R      HR     HR     HR     HR
2. Dynamic Software Analysis        Table A.13, Table A.14    -      R      R      HR     HR
3. Cause Consequence Diagrams       D.6                       R      R      R      R      R
4. Event Tree Analysis              D.22                      -      R      R      R      R
5. Software Error Effect Analysis   D.25                      -      R      R      HR     HR
Requirement:
1) One or more of these techniques shall be selected to satisfy the Software Safety Integrity Level being used.

Table A.9 – Software Quality Assurance (6.5)
TECHNIQUE/MEASURE                   Ref    SIL 0  SIL 1  SIL 2  SIL 3  SIL 4
1. Accredited to EN ISO 9001        7.1    R      HR     HR     HR     HR
2. Compliant with EN ISO 9001       7.1    M      M      M      M      M
3. Compliant with ISO/IEC 90003     7.1    R      R      R      R      R
4. Company Quality System           7.1    M      M      M      M      M
5. Software Configuration Management D.48  M      M      M      M      M
6. Checklists                       D.7    R      HR     HR     HR     HR
7. Traceability                     D.58   R      HR     HR     M      M
8. Data Recording and Analysis      D.12   HR     HR     HR     M      M
Requirements:
1) This table shall be applied to different roles and all phases.

Table A.10 – Software Maintenance (9.2)
TECHNIQUE/MEASURE                   Ref    SIL 0  SIL 1  SIL 2  SIL 3  SIL 4
1. Impact Analysis                  D.32   R      HR     HR     M      M
2. Data Recording and Analysis      D.12   HR     HR     HR     M      M
9
EN 50128:2011 V-Cycle
[Figure: the software V-cycle with the documents produced by each phase. Each phase is concluded by a Verification Report.]
Inputs from the System Development Phase: System Requirement Specification, System Architecture Description, Hardware documents, Safety Requirements.
Planning and assessment, spanning the cycle:
• Software Planning Phase: Software Quality Assurance Plan, Software Configuration Management Plan, Software Verification Plan, Software Validation Plan, Software Maintenance Plan
• Software Assessment: Software Assessment Plan, Software Assessment Report
Left branch (specification and design):
• Software Requirement Phase: Software Requirements Specification, Overall Test Specification
• Software Architecture Phase: Software Architecture Specification, Software Design Specification, Software Interface Specification, Software Integration Test Specification, Sw/Hw Integration Test Specification
• Software Component Design Phase: Software Component Design Specification, Software Component Test Specification
• Software Component Implementation Phase: Software Source Code and Supporting Documentation
Right branch (testing and validation):
• Software Component Testing Phase: Software Component Test Report
• Software Integration Phase: Software Integration Test Report, Sw/Hw Integration Test Report
• Software Validation Phase: Overall Software Test Report, Software Validation Report
After delivery, the Software Maintenance Phase: Software Maintenance Records, Software Change Records.
10
EN 50128:2011 OVERVIEW
SCADE MODEL-BASED APPROACH
SCADE Suite
SCADE Model-Based V-Cycle
5 Basic Principles of EN 50128:2011
CERTIFICATION
11
SCADE Suite
[Figure: SCADE Suite for Control Software Design, organised in three activities]
• PROTOTYPE & DESIGN: the model
• GENERATE: SCADE Suite KCG (C & Ada), RTOS Adaptors, Certification Kits for DO-178B, DO-178C, IEC 61508, EN 50128, ISO 26262
• VERIFY: Model Checks, Debug & Simulation, Plant Model Co-simulation (incl. FMI), Formal Verification, Model Coverage Analysis, Time & Stack Optimization, Object Code & Compiler Verification
12
Rail Automation Applications with SCADE
Automatic Train Control and Protection Systems: ETCS, CTCS & CBTC
– Emergency braking, overspeed protection, vehicle speed control, ATP/ATO
– Satellite-based locomotive control
– On-board displays (DMI)
Interlockings
Doors opening and departure interlocks
Train detection systems (Axle counters)
Level Crossing Protection
Control Centers: Fault reporting and Interlocking Displays
RATP – Paris Metro
Ansaldo Signal
Siemens Rail Transportation
Korea POSCON – Platform Screen Door
13
Modeling
Modeling is a major technique mentioned by the standard. Modeling can be used for: Requirements, Architecture, Design.
Excerpt from FprEN 50128:2011 (page 76):

Table A.17 – Modelling
TECHNIQUE/MEASURE                                         Ref    SIL 0  SIL 1  SIL 2  SIL 3  SIL 4
1. Data Modelling                                         D.65   R      R      R      HR     HR
2. Data Flow Diagrams                                     D.11   -      R      R      HR     HR
3. Control Flow Diagrams                                  D.66   R      R      R      HR     HR
4. Finite State Machines or State Transition Diagrams     D.27   -      HR     HR     HR     HR
5. Time Petri Nets                                        D.55   -      R      R      HR     HR
6. Decision/Truth Tables                                  D.13   R      R      R      HR     HR
7. Formal Methods                                         D.28   -      R      R      HR     HR
8. Performance Modelling                                  D.39   -      R      R      HR     HR
9. Prototyping/Animation                                  D.43   -      R      R      R      R
10. Structure Diagrams                                    D.51   -      R      R      HR     HR
11. Sequence Diagrams                                     D.67   R      HR     HR     HR     HR
Requirements:
1) A modelling guideline shall be defined and used.
2) At least one of the HR techniques shall be chosen.

Table A.18 – Performance Testing
TECHNIQUE/MEASURE                                         Ref    SIL 0  SIL 1  SIL 2  SIL 3  SIL 4
1. Avalanche/Stress Testing                               D.3    -      R      R      HR     HR
2. Response Timing and Memory Constraints                 D.45   -      HR     HR     HR     HR
3. Performance Requirements                               D.40   -      HR     HR     HR     HR

Table A.19 – Static Analysis
TECHNIQUE/MEASURE                                         Ref    SIL 0  SIL 1  SIL 2  SIL 3  SIL 4
1. Boundary Value Analysis                                D.4    -      R      R      HR     HR
2. Checklists                                             D.7    -      R      R      R      R
3. Control Flow Analysis                                  D.8    -      HR     HR     HR     HR
4. Data Flow Analysis                                     D.10   -      HR     HR     HR     HR
5. Error Guessing                                         D.20   -      R      R      R      R
6. Walkthroughs/Design Reviews                            D.56   HR     HR     HR     HR     HR
14
Modeling
SCADE Modeling Style
15
SCADE Suite Modeling
[Figure: a SCADE Suite model of a flight-control example, shown in several views]
• Hierarchical View: operator tree A; B with B1, B2, B3; C with C1, C2.
• Net View: top-level operators DisplayLogic, AlarmManager and FlightController connected by data flows (speed, altitude, throttleCmd, elevatorCmd, JV_Speed_Alarm, JV_Alti_Alarm, SDY_Pitch_Angle, SDY_Roll_Angle, SDY_Alti, SDY_Baro_Scale, SDY_Airspeed, MCP_UnlockRoll), with UnitConvert instances (KTStoKMH, FTtoM, MtoFT, KMHtoKTS) and a ComputePitchRoll operator.
• State machine <FlightMode> with states AUTOPILOT (SpeedTarget and AltitudeTarget taken from MCPspeed and MCPaltitude) and MANUAL, where the targets take the current speed and altitude on the first cycle and then hold their previous value:
  SpeedTarget = (speed) -> ( last 'SpeedTarget);
  AltitudeTarget = (altitude) -> ( last 'AltitudeTarget);
• AlarmManager: two instances of AlarmManagerSingle (alarmSpeedThreshold/alarmSpeedTimer on speedSensor/speedSetpoint, alarmAltThreshold/alarmAltTimer on altSensor/altSetpoint) producing JV_Speed_Alarm and JV_Alti_Alarm. Inside AlarmManagerSingle: DetectRegulationError against AlarmThreshold, then state machine <AlarmMgt> (NoAlarm / Alarm) whose Alarm state contains <SubAlarmMgt> (Fugitive / Confirmed); AlarmConfirmed becomes true once AlarmConfirmedTimer times true.
• Textual view of an elementary operator:
  L1 = L2 * L3;
  L2 = in;
  L3 = Factor;
  out = L1;
16
SCADE V-Cycle
[Figure: the EN 50128 V-cycle instantiated with SCADE phases]
The System Development Phase and the Software Planning Phase (Software Assessment Plan) frame the cycle; the Software Maintenance Phase follows it.
Left branch: Software Requirement Phase; HW/SW Architecture Phase; SCADE SW Architecture Phase; SCADE Component Design Phase; SCADE Component Coding Phase, with a SCADE Testing Preparation Phase alongside the design.
Right branch: SCADE Component Testing Phase; SCADE Integration Phase; HW/SW Integration Phase; Software Validation Phase.
17
SCADE V-Cycle: artifacts per phase
• SCADE SW Architecture Phase: SCADE Architecture Design Model, Generated Documentation, Requirements to SCADE Architecture Allocation Matrix
• SCADE Component Design Phase: SCADE Design Model, SCADE Detailed Design Document, Requirements to SCADE Model Traceability Matrix
• SCADE Testing Preparation Phase: SCADE Test Cases (Components + Integration), Requirements to Test Cases Traceability Matrix
• SCADE Component Coding Phase: SCADE Component Generated Code, SCADE Compiler Verification Kit Results
• SCADE Component Testing Phase: SCADE Component Test Results, SCADE Coverage Results
• SCADE Integration Phase: SCADE Integration Test Results, SCADE Coverage Results
• Software Validation Phase: Overall Software Test Report, Software Validation Report
18
Basic Principles of EN 50128:2011
Architecture and Components
Documentation and Traceability
Configuration Management and Project Management
Verification
Certification
19
HW/SW Architecture according to EN 50128:2011
[Figure: layered architecture. Hardware HW1, HW2, HW3 under a Safe Platform that provides Integrity Measures, Diagnostics, I/O Drivers and Scheduling; on top, the Application, made of SCADE Generic Components, SCADE Components, a Legacy Component (Legacy Code) and Parameters.]
20
Architecture and Components
• Model-Based Design approach facilitates the identification of Architecture and Functional items
  o Architecture Model: assembly of SCADE Operators with explicit communication between Operators
  o Use of Library Components: enhanced modularity and reusability
[Figure: station-control architecture model. Inputs TrackStates, PointStates, PointPosition, SignalPositions, TrainsBlocked and Start feed a ControlCommand operator; its outputs (TrainId, VisibleTrainIds, IdOnPoints, IdVisibleOnTracks, IdOnTracks, TrackPointIdVisible, IdVisible, IdVisibleOnPoints) feed the library operator Display::Display; ITINERARIES is supplied to both operators.]
21
Architecture and Components
Each SCADE model can be managed as a library component:
• A SCADE model can use several library components.
• Libraries can be organized hierarchically.
• When a library is used in a project, its access is read only.
Libraries structure the user definitions of SCADE projects:
• You can create your own library components, fully test them and reuse them from other projects.
• The libraries used by a model are specified in the model project.
22
Architecture and Components
[Figure: Station Control SW decomposed into Control Command, Display, MovementAuthority and Station State Mgmt; 3 of the components come from a library.]
23
Documentation & Traceability
Documentation enables auditability of the project artifacts.
Documentation must be:
– Traceable
– Structured to allow expansion as the project proceeds
– Recorded in a form appropriate for manipulation, processing and storage
Among the 46 required documents, Design Specifications are automatically generated from the models.
Traceability matrices are automated as well.
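As an added example (not part of the webinar and not SCADE LifeCycle code), the script below builds the requirements-to-model-to-tests traceability matrix the slide refers to and reports the gaps an assessor looks for: requirements with no implementing operator or no test, operators traced to no requirement, and test links that point at an unknown requirement. The requirement, operator and test identifiers are constructed for illustration.

```python
"""Requirements <-> SCADE operators <-> test cases traceability check.

Added example with constructed data; the identifiers below are hypothetical and
do not come from the webinar or from any SCADE project.
"""

# Software requirements (constructed): id -> text and allocated SSIL.
REQUIREMENTS = {
    "SRS-010": {"text": "Compute the movement authority from track states", "ssil": 4},
    "SRS-011": {"text": "Refuse an itinerary when one of its points is OCCUPIED", "ssil": 4},
    "SRS-020": {"text": "Display the itinerary state on the control screen", "ssil": 2},
    "SRS-030": {"text": "Report an out-of-range interface value to the diagnostics", "ssil": 4},
}

# Model operators with their "traces to" annotations (constructed).
OPERATORS = {
    "MovementAuthority": ["SRS-010", "SRS-011"],
    "StationStateMgt": ["SRS-011"],
    "Display::Display": ["SRS-020"],
    "LegacyFilter": [],                 # design element traced to nothing
}

# Test cases with the requirements they exercise (constructed).
TEST_CASES = {
    "TC-001": ["SRS-010"],
    "TC-002": ["SRS-011"],
    "TC-003": ["SRS-020"],
    "TC-099": ["SRS-999"],              # points at a requirement that does not exist
}


def build_matrix(reqs, operators, tests):
    """Forward matrix: requirement id -> operators implementing it and tests covering it."""
    matrix = {rid: {"operators": [], "tests": []} for rid in reqs}
    for op, rids in operators.items():
        for rid in rids:
            if rid in matrix:
                matrix[rid]["operators"].append(op)
    for tc, rids in tests.items():
        for rid in rids:
            if rid in matrix:
                matrix[rid]["tests"].append(tc)
    return matrix


def find_gaps(reqs, operators, tests):
    """Backward checks: what an assessor would reject in the traceability evidence."""
    matrix = build_matrix(reqs, operators, tests)
    return {
        # requirements with no design element, or no test case, behind them
        "unimplemented": sorted(r for r, m in matrix.items() if not m["operators"]),
        "untested": sorted(r for r, m in matrix.items() if not m["tests"]),
        # design elements that trace to no valid requirement (undocumented functionality)
        "orphan_operators": sorted(
            op for op, rids in operators.items() if not any(r in reqs for r in rids)
        ),
        # test links whose target requirement id is unknown (stale or mistyped trace)
        "dangling_test_links": sorted(
            f"{tc} -> {r}" for tc, rids in tests.items() for r in rids if r not in reqs
        ),
    }


def render_matrix(reqs, operators, tests):
    """Plain-text matrix, one line per requirement, for the generated design document."""
    matrix = build_matrix(reqs, operators, tests)
    lines = [f"{'Requirement':<12} {'SSIL':<5} {'Operators':<40} Tests"]
    for rid, m in matrix.items():
        lines.append(
            f"{rid:<12} {reqs[rid]['ssil']:<5} "
            f"{', '.join(m['operators']) or '-':<40} {', '.join(m['tests']) or '-'}"
        )
    return lines


if __name__ == "__main__":
    print("\n".join(render_matrix(REQUIREMENTS, OPERATORS, TEST_CASES)))
    for kind, items in find_gaps(REQUIREMENTS, OPERATORS, TEST_CASES).items():
        print(f"{kind}: {items or 'none'}")
```

In a real project the three dictionaries would be exported from the requirements tool, the model annotations and the test project; the gap report is what changes between two baselines and is the part worth putting under configuration management next to the matrix itself.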
24
Documentation & Traceability: Interface Specification
Excerpt from FprEN 50128:2011 (page 43):
7.3.4.19 The description of interfaces shall address
a) pre/post conditions,
b) definition and description of all boundary values for all specified data,
c) behaviour when the boundary value is exceeded,
d) behaviour when the value is at the boundary,
e) for time-critical input and output data:
   1) time constraints and requirements for correct operation,
   2) management of exceptions,
f) allocated memory for the interface buffers and the mechanisms to detect that the memory cannot be allocated or all buffers are full, where applicable,
g) existence of synchronization mechanisms between functions (see e)).
All data from and to the interfaces shall be defined for the whole range of values defined by the type of the data, including the ranges which are not used when processed by the functions:
a) definition and description of all equivalence classes for all specified data and each software function using them,
b) definition of unused or forbidden equivalence classes.
NOTE The data type includes the following:
1) input parameters and output results of functions and/or procedures;
2) data specified in telegrams or communication packets;
3) data from the hardware.
7.3.4.20 A Software Design Specification shall be written, under the responsibility of the Designer, on the basis of the Software Requirements Specification, the Software Architecture Specification and the Software Interface Specification.
Requirements from 7.3.4.21 to 7.3.4.24 refer to the Software Design Specification.
7.3.4.21 The input documents shall be available, although not necessarily finalised, prior to the start of the design process.
7.3.4.22 The Software Design Specification shall describe the software design based on a decomposition into components with each component having a Software Component Design Specification and a Software Component Test Specification.
7.3.4.23 The Software Design Specification shall address
a) software components traced back to software architecture and their safety integrity level,
b) interfaces of software components with the environment,
c) interfaces between the software components,
d) data structures,
e) allocation and tracing of requirements on components,
f) main algorithms and sequencing,
g) error reporting mechanisms.
25
Documentation & Traceability: Interface Specification
(interface description generated from the model annotations; excerpt)

Name   Type            Comments and Information
AccIn  AccItinerary_t  Comments: global flow containing the states and information of the different elements for the train
                       Annotations:
                         PointItineraryIds: Role: array of Id of the points on Itinerary; Pre/post condition: N/A; Unit: N/A; Range: [0;MAX_POINTS]; Robustness: N/A; Time constraints: N/A; Memory: N/A
                         PointState: Role: array of State of points in previous cycle; Pre/post condition: N/A; Unit: N/A; Range: [IDLE;SET;OCCUPIED]; Robustness: N/A; Time constraints: N/A; Memory: N/A
../..

Inputs of StationStateMgt
Name           Type                    Comments and Information
TrackStates    OccState_t^MAX_TRACKS   Annotations: Role: array of state of the tracks; Range: [IDLE;SET;OCCUPIED]; Pre/post condition, Unit, Robustness, Time constraints, Memory: N/A
PointStates    OccState_t^MAX_POINTS   Annotations: Role: array of states of the points; Range: [IDLE;SET;OCCUPIED]; Pre/post condition, Unit, Robustness, Time constraints, Memory: N/A
PointPosition  Position_t^MAX_POINTS   Annotations: Role: array of position of the points; Range: [STRAIGHT;TURN]; Pre/post condition, Unit, Robustness, Time constraints, Memory: N/A
../..

Outputs of StationStateMgt
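As an added example (not from the webinar or from SCADE), the script below turns the "Key_____ : value" annotation layout of the generated interface specification into the boundary-value and equivalence-class test vectors that 7.3.4.19 asks for, including the forbidden class outside a declared range, and flags a data item whose range is declared but whose out-of-range behaviour ("Robustness") is left as N/A. The constant values (MAX_POINTS, MAX_TRACKS) and the annotation texts are constructed; the annotation keys follow the slide.

```python
"""Boundary-value and equivalence-class vectors derived from interface annotations.

Added example. The annotation layout mirrors the generated interface specification
("Role______ : ...", "Range_____ : [lo;hi]"); the constant values and the
annotation blocks below are constructed, not taken from a real project.
"""
import re

# Symbolic bounds used in the ranges (constructed values).
CONSTANTS = {"MAX_POINTS": 16, "MAX_TRACKS": 32}

# "Key_____ : value" lines; trailing underscores are column padding, not part of the key.
ANNOTATION_RE = re.compile(r"^(?P<key>[A-Za-z]+(?:_[A-Za-z]+)*)_*\s*:\s*(?P<val>.*)$")

# Interface annotations as exported, one block per data item (constructed).
INTERFACE = {
    "PointItineraryIds": """
        Role______________ : array of Id of the points on Itinerary
        Pre_post_Condition : N/A
        Range_____________ : [0;MAX_POINTS]
        Robustness________ : N/A
    """,
    "TrackStates": """
        Role______________ : array of state of the tracks
        Range_____________ : [IDLE;SET;OCCUPIED]
        Robustness________ : value outside the range rejected, diagnostics notified
    """,
}


def parse_annotations(block):
    """Return {key: value} with keys lower-cased, e.g. 'range', 'pre_post_condition'."""
    ann = {}
    for line in block.strip().splitlines():
        m = ANNOTATION_RE.match(line.strip())
        if m:
            ann[m.group("key").lower()] = m.group("val").strip()
    return ann


def parse_range(spec, constants=CONSTANTS):
    """'[0;MAX_POINTS]' -> ('numeric', 0, 16); '[IDLE;SET;OCCUPIED]' -> ('enum', [...])."""
    parts = [p.strip() for p in spec.strip().strip("[]").split(";")]

    def as_int(tok):
        return int(tok) if re.fullmatch(r"-?\d+", tok) else constants.get(tok)

    bounds = [as_int(p) for p in parts]
    if len(parts) == 2 and None not in bounds:
        return ("numeric", bounds[0], bounds[1])
    return ("enum", parts)


def boundary_vectors(rng):
    """Test values with their equivalence class: 'valid' inside the range, 'forbidden' outside.

    Numeric ranges get the classic set lo-1, lo, lo+1, hi-1, hi, hi+1 (duplicates
    collapsed on narrow ranges). Enumerations get every declared value plus two codes
    outside the declared set, which is what a forbidden equivalence class looks like
    once the enum travels as an integer in generated C or in a telegram.
    """
    if rng[0] == "numeric":
        lo, hi = rng[1], rng[2]
        vectors = []
        for value in (lo - 1, lo, lo + 1, hi - 1, hi, hi + 1):
            if value not in [v for v, _ in vectors]:
                vectors.append((value, "valid" if lo <= value <= hi else "forbidden"))
        return vectors
    values = rng[1]
    return [(v, "valid") for v in values] + [
        (f"code {len(values)}", "forbidden"),
        ("code -1", "forbidden"),
    ]


def review_interface(interface, constants=CONSTANTS):
    """Per data item: derived test vectors plus review findings.

    A declared range with Robustness left at N/A means 7.3.4.19 c) (behaviour when
    the boundary is exceeded) and the forbidden-class definition are not addressed.
    """
    report = {}
    for name, block in interface.items():
        ann = parse_annotations(block)
        vectors, findings = [], []
        if "range" in ann:
            vectors = boundary_vectors(parse_range(ann["range"], constants))
            if ann.get("robustness", "N/A").upper() == "N/A":
                findings.append("range defined but no behaviour stated for out-of-range values")
        else:
            findings.append("no range annotation")
        report[name] = {"vectors": vectors, "findings": findings}
    return report


if __name__ == "__main__":
    for name, entry in review_interface(INTERFACE).items():
        print(name, entry["vectors"], entry["findings"])
```

The forbidden vectors are the ones that matter for safety review: a component receiving an array of OccState_t from another component, or from a telegram, has to state what it does with a code that is not IDLE, SET or OCCUPIED, and that statement is what the Robustness annotation is for.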
26
Configuration Management and Project Management
It is key that the Project Manager has a Configuration Management tool and a Project Dashboard at their disposal, both synchronized with the Model-Based Development Environment.
[Figure: two workspaces under configuration management. The Architecture team workspace holds the approved architecture (versions Root 1.1, 1.2, 1.3), with slow, restricted evolution; it is read-only for the component teams. The Component A workspace holds Func A (versions A1.1 to A1.4), with frequent evolution.]
27
Model-Based Verification
It is a combination of several Model-Based Verification techniques:
• Semantics check of the model
[Figure: operator CruiseSpeedMgt with inputs QuickAccel, QuickDecel, Set (bool) and Speed (tSpeed), output CruiseSpeed (tSpeed) and local local_CruiseSpeed. The semantics check reports "Incompatible type" on the interface and the "locate" action highlights the offending element in the model.]
28
Model-Based Verification
It is a combination of several Model-Based Verification techniques:
• Semantics check of the model
• User design rules check of the model
Example: implementation of the rule « All local variables start with l_ », then execution of the script, which dumps the result of the rule for each element.
33
Model-Based Verification
It is a combination of several Model-Based Verification techniques:
• Semantics check of the model
• User design rules check of the model
• Complexity check of the model
• Review of the model
• Traceability analysis between higher-level requirements and the model
• Timing and stack analysis at model level
• Simulation that supports the thorough exploration of the dynamic behavior
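As an added example (not the webinar's script and not using the SCADE scripting API), the checker below implements the naming rule from slide 28 together with two complexity rules, runs them over a small hand-written model description and emits one PASS/FAIL record per checked element. The operator names echo the figures above; the model structure, the l_ rule applied to a local named local_CruiseSpeed, and the complexity thresholds are constructed for illustration.

```python
"""Design-rule and complexity checks over a SCADE-style model description.

Added example. The webinar runs such rules as a script inside SCADE; this script
does not use the SCADE API. It applies the same kind of rules to a small
hand-written model structure (constructed, hypothetical operators) and dumps one
result record per checked element.
"""

# Thresholds for the complexity rules (constructed; a project fixes them in its modelling guideline).
MAX_EQUATIONS = 20
MAX_SM_DEPTH = 1

# Constructed model: operators with locals, an equation count and (possibly nested) state machines.
MODEL = [
    {"name": "CruiseSpeedMgt", "locals": ["local_CruiseSpeed", "l_Set"], "equations": 6,
     "state_machines": []},
    {"name": "FlightController", "locals": ["l_SpeedTarget", "l_AltitudeTarget"], "equations": 12,
     "state_machines": [{"name": "FlightMode", "states": [
         {"name": "AUTOPILOT", "state_machines": []},
         {"name": "MANUAL", "state_machines": []}]}]},
    {"name": "AlarmManagerSingle", "locals": ["l_Alarm"], "equations": 25,
     "state_machines": [{"name": "AlarmMgt", "states": [
         {"name": "NoAlarm", "state_machines": []},
         {"name": "Alarm", "state_machines": [{"name": "SubAlarmMgt", "states": [
             {"name": "Fugitive", "state_machines": []},
             {"name": "Confirmed", "state_machines": []}]}]}]}]},
]

RULES = {}  # rule id -> (description, check function)


def rule(rule_id, description):
    """Register a check; a check yields (element path, passed) pairs for one operator."""
    def register(fn):
        RULES[rule_id] = (description, fn)
        return fn
    return register


def sm_depth(state_machines):
    """Nesting depth of state machines: 0 when none, 1 for a flat machine, 2 for one nested level."""
    depth = 0
    for sm in state_machines:
        depth = max(depth, 1)
        for state in sm["states"]:
            depth = max(depth, 1 + sm_depth(state.get("state_machines", [])))
    return depth


@rule("NAME-001", "All local variables start with l_")
def check_local_names(op):
    for local in op.get("locals", []):
        yield f"{op['name']}/{local}", local.startswith("l_")


@rule("CPLX-001", f"At most {MAX_EQUATIONS} equations per operator")
def check_equation_count(op):
    yield op["name"], op.get("equations", 0) <= MAX_EQUATIONS


@rule("CPLX-002", f"State-machine nesting depth at most {MAX_SM_DEPTH}")
def check_sm_depth(op):
    yield op["name"], sm_depth(op.get("state_machines", [])) <= MAX_SM_DEPTH


def run_checks(model):
    """Apply every registered rule to every operator; one record per checked element."""
    results = []
    for op in model:
        for rule_id, (description, check) in RULES.items():
            for element, passed in check(op):
                results.append({"rule": rule_id, "element": element,
                                "passed": passed, "description": description})
    return results


def failures(results):
    """(rule id, element) pairs that violate a rule, in report order."""
    return [(r["rule"], r["element"]) for r in results if not r["passed"]]


if __name__ == "__main__":
    for r in run_checks(MODEL):
        print(f"{'PASS' if r['passed'] else 'FAIL'} {r['rule']} {r['element']}: {r['description']}")
```

Keeping one record per element, including the passing ones, is deliberate: the dump is the evidence that the rule was applied to the whole model, which is what the verification report needs, not just the list of violations.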
34
Combined Testing Process
The SCADE Combined Testing Process is a SCADE model-based approach for combining efficient and rigorous testing activities.
Objectives are the following:
• Optimize the testing effort
• Maximize the benefit from KCG qualification/certification
Combination is the following:
• Software requirements-based testing
• Low-level testing on a sample
• Testing on host and on target
35
“Traditional” Testing Process
[Figure: application stack made of Scheduler and I/O, Application Code and Libraries]
An embedded application is typically made of:
• A scheduler or an operating system + drivers for inputs and outputs
• The code of the application
• Libraries of some elementary operations (C code) that are repeatedly used in the application
36
“Traditional” Testing Process
[Figure: Low-Level Tests applied to each of the three parts. Scheduler and I/O and Libraries are stable; Application Code is massive, with many updates.]
Low-Level Testing (a.k.a. Unit Testing) is applied to the 3 components of the application.
Low-level testing of the application code is time consuming, requires updates each time there is a code update (which is the standard situation), and its stopping criterion is not easy to establish.
37
“Traditional” Testing Process
[Figure: as before, plus Requirements-Based Tests run on target against the whole application]
The requirements-based tests are coded in C and/or in a specific target test tool format, and run on target; thus, they are debugged on target.
Target test tool structural coverage measurement can be the stopping criterion, generally mixed with low-level test coverage scores, which is sometimes not easy to justify.
38
SCADE Combined Testing Process (CTP)
[Figure: application stack made of Scheduler and I/O, SCADE Generated Application Code and Libraries (C code)]
An embedded application designed with SCADE Suite is typically made of:
• A scheduler or an operating system + drivers for inputs and outputs
• The code of the application, generated by SCADE Suite KCG
• Libraries of some elementary imported operators (C code) that are repeatedly called in the SCADE model (SCADE libraries are part of the generated code)
39
SCADE Combined Testing Process (CTP)
[Figure: Low-Level Tests on the stable Scheduler and I/O and on the stable Libraries (C code)]
• No change in low-level testing against the scheduler and I/O (or OS) and against the libraries of C code
40
SCADE Combined Testing Process (CTP)
[Figure: as before, plus Requirements-Based Tests with QTE on host and/or on target against the SCADE generated application code, with Model Test Coverage assessed with MTC]
The specification-based tests are created using SCADE LifeCycle QTE and run on host (SCADE simulation) and/or on target (target testing) according to the test strategy that has been established.
SCADE Suite MTC is the sole means used to monitor and stop the requirements-based testing activities.
41
SCADE Combined Testing Process (CTP)
[Figure: as before; the SCADE generated application code gets no low-level tests of its own, the CVK bricks (stable) carry the low-level tests instead]
SCADE Suite CVK is a low-level test suite used to perform unit testing on target of all the C constructs of the SCADE generated application code.
42
Software Test Strategy: 3 Stages
• Stage 1, Software Component Testing: verification of the SwCS against the Software Component Test Specification (SwCTS). Objective = 100% structural coverage (criterion = DC for SIL 3/4 and branches for SIL 2). On host, with SCADE Simulator, SCADE QTE and SCADE MTC.
• Stage 2, Sw/Sw Integration: verification of the SwINS against the Software Integration Test Specification (SwITS). Objective = 100% of interfaces. On host, with SCADE Simulator, SCADE QTE and SCADE RM Gateway.
• Stage 3, Overall Software Testing: verification of the SwRS against the Overall Software Test Specification (OSTS). Objective = 100% of software requirements. On target, with SCADE QTE and SCADE RM Gateway.
43
Overall Testing / Software Validation
“Overall Testing: To analyze and test the integrated software and hardware to ensure compliance with the Software Requirements Specification with particular emphasis on the functional and safety aspects according to the software safety integrity level and to check whether it is fit for its intended application.
…
The software shall be exercised either by connection to real items of hardware or actual systems with which it would interface in operation, or by simulation of input signals and loads driven by outputs.”
44
QTE Use: Develop Validation Tests on Host
1. Create Test Project
2. Edit Test Project
3. Launch Test Tools
4. Reports
45
QTE Use: Generate Test Harness for Target
5. Select Target: RTRT, LDRA Tb, …
6. Generate Test Harness
46
How to facilitate the HW/SW Integration in a Model-Based Approach
[Figure: co-simulation of the SCADE model with ANSYS Simplorer]
47
EN 50128:2011 OVERVIEW
SCADE MODEL-BASED APPROACH
CERTIFICATION
48
Certification of a Software
Certification is about assessing the evidence that the work is done right:
• Each generation/transformation is verified, or the corresponding tool is qualified
• It includes: documents (written, generated), models, tests, code (C code, object code)
• Each phase of the V-Cycle is concluded by a Verification Report
• It is demonstrated that the product complies with the specified safety requirements: Safety Case
49
How SCADE and its EN 50128 Certification Optimize the Certification Process
• Avoid the burden of verifying that the generated code exactly operates as the model: the SCADE Suite Code Generator (KCG) is qualified (Tool Class T3)
• Avoid the burden of verifying that the generated documents exactly represent the models: the SCADE LifeCycle Reporter is qualified (Tool Class T2)
• Avoid the burden of verifying that the target object code exactly operates as the C code: the SCADE Suite Compiler Verification Kit (CVK) verifies the target compatibility of the generated code (including compiler and hardware)
50
Safety Case
Safety Case: the documented demonstration that the product complies with the specified safety requirements.
It shall contain:
• Evidence of Quality Management
• Evidence of Safety Management
• Evidence of functional and technical safety
• Conditions of use
The SCADE Suite KCG Certification Kit provides a large portion of the evidence of Safety Management (software part of the system).
51
SIL 2 & SIL 3/4 Software Developments
SIL 4 applications are mainly signaling applications, which include interlocking, traffic management, train detection, etc.
SIL 2 applications are mainly in trains (traction control, braking system, network management, etc.), in tunnels (fire detection, etc.), in platform equipment, etc.
SIL 2, compared to SIL 3/4, requires less formal development and V&V techniques, a weaker test coverage criterion (branch instead of DC) and less independence of team members.
The SCADE MBD approach provides benefits to SIL 2 and SIL 3/4 developments:

Level                     No SIL   SIL 2   SIL 3/4
Cost reference            100      150     300
Cost with SCADE MBD       100      115     170
Savings with SCADE MBD    -        25%     45%
52
Conclusion
A Model-Based approach is an efficient solution to manage the main objectives established by the EN 50128:2011 standard:
• Architecture and Components
• Documentation and Traceability
• Configuration Management and Project Management
• Verification
• Certification
Should you need more support, please feel free to request our 2-day classroom training course « Realization of a Railway Application Compliant with the EN 50128:2011 Standard with ANSYS SCADE® ».
• This course has been created by Jean-Louis Boulanger, CERTIFER and Esterel Technologies
53
And more…
54