SCADE Suite in Space Applications at EADS Astrium Space - - PowerPoint PPT Presentation

David Lesens – 09/10/2008

Astrium Space Transportation

SCADE Suite in Space Applications

at EADS Astrium Space Transportation

This document is the property of Astrium. It shall not be communicated to third parties without prior written agreement. Its content shall not be disclosed.

Astrium Space Transportation

29/04/2010 p2

Overview

• Introduction
• Historical use of SCADE at EADS Astrium ST
• Why using SCADE?
• The Automatic Transfer Vehicle (ATV)
• M51 and Vega
• R&T preparing the future
• Model transformation
• Assessment of SCADE 6
• Points to be improved
• Conclusion

This document is the property of Astrium. It shall not be communicated to third parties without prior written agreement. Its content shall not be disclosed.

Astrium Space Transportation

29/04/2010 p3

Astrium: part of EADS, a global leader in aerospace and defence

Commercial Aircraft Helicopters Missile Systems Military Transport Aircraft Military Air Systems No.1 No.1 Astrium No.3 No.3 No.4 No.2

This document is the property of Astrium. It shall not be communicated to third parties without prior written agreement. Its content shall not be disclosed.

Astrium Space Transportation

29/04/2010 p4

Astrium’s activities are based in three key areas

Astrium Services Astrium Satellites Astrium Space Transportation

The European prime contractor for civil and military space transportation and manned space activities A world leader in the design and manufacture of satellite systems At the forefront of satellite services in the secure communications, Earth

• bservation and

navigation fields

This document is the property of Astrium. It shall not be communicated to third parties without prior written agreement. Its content shall not be disclosed.

Astrium Space Transportation

29/04/2010 p5

An impressive product and capability portfolio

• Launchers: Ariane, Soyuz, Rockot, Vega
• Ballistic missiles, missile defence
• Future launchers
• Orbital systems: Columbus, ATV, Operations, Atmospheric

re-entry systems

• Propulsion & equipment
• System design, system integration & production

This document is the property of Astrium. It shall not be communicated to third parties without prior written agreement. Its content shall not be disclosed.

Astrium Space Transportation

29/04/2010 p6

Overview

• Introduction
• Historical use of SCADE at EADS Astrium ST
• Why using SCADE?
• The Automatic Transfer Vehicle (ATV)
• M51 and Vega
• R&T preparing the future
• Model transformation
• Assessment of SCADE 6
• Points to be improved
• Conclusion

This document is the property of Astrium. It shall not be communicated to third parties without prior written agreement. Its content shall not be disclosed.

Astrium Space Transportation

29/04/2010 p7

The classical V development cycle Late detection of errors

Code Design GNC studies Specification Unitary tests Integration Validation Qualification Error Error detection Delay for the error detection Delay for the error correction Data

Spacecraft management

This document is the property of Astrium. It shall not be communicated to third parties without prior written agreement. Its content shall not be disclosed.

Astrium Space Transportation

29/04/2010 p8

GNC studies Data Spacecraft management Code Software Model Early validation  Simulation  Proof Validation Automatic test generation Test replay Immediate correction Automatic Code Generation

Unitary & integration testing at model level Fusion of specification & design Qualification

Decrease the number

• f late errors

Reduction of delays and costs

This document is the property of Astrium. It shall not be communicated to third parties without prior written agreement. Its content shall not be disclosed.

Astrium Space Transportation

29/04/2010 p9

Model Driven Engineering

A model shall allow :

• The communication between the different teams
• System teams (GNC, vehicle, thermal, operations,…)
• Software teams (architect, specification, design, development,…)
• And also customers and external reviewers
• An early verification via a strong semantic, insuring
• Consistency
• Completeness “Formal” model, and possibility of proof
• Non ambiguity
• Model simulation
• And automatic code generation

This document is the property of Astrium. It shall not be communicated to third parties without prior written agreement. Its content shall not be disclosed.

Astrium Space Transportation

29/04/2010 p10

Model or programming language ?

Abstraction & semantic

Scade Simulink Ada C++ C

Matlab or S_functions

Assembly language Binary code

This document is the property of Astrium. It shall not be communicated to third parties without prior written agreement. Its content shall not be disclosed.

Astrium Space Transportation

29/04/2010 p11

Overview

• Introduction
• Historical use of SCADE at EADS Astrium ST
• Why using SCADE?
• The Automatic Transfer Vehicle (ATV)
• M51 and Vega
• R&T preparing the future
• Model transformation
• Assessment of SCADE 6
• Points to be improved
• Conclusion

This document is the property of Astrium. It shall not be communicated to third parties without prior written agreement. Its content shall not be disclosed.

Astrium Space Transportation

29/04/2010 p12

The Automated Transfer Vehicle (ATV)

• It supplies onward the following services to the ISS:
• Refuelling
• ISS orbit correction,
• Freight delivery,
• ISS trash destruction.
• The ATV mission in 2008
• 9th of March

Launch by Ariane 5

• 3rd of April

Automatic Docking on the ISS

• 5th of September

Dedocking from the ISS

• 29th of September

Deorbitation

• Safety software specified using SCADE V3

This document is the property of Astrium. It shall not be communicated to third parties without prior written agreement. Its content shall not be disclosed.

Astrium Space Transportation

29/04/2010 p13

Description of software architecture

Static description

Description of types and constants

This document is the property of Astrium. It shall not be communicated to third parties without prior written agreement. Its content shall not be disclosed.

Astrium Space Transportation

29/04/2010 p14

Behavioural description

Description of (very) Simple automaton Description of sequences

This document is the property of Astrium. It shall not be communicated to third parties without prior written agreement. Its content shall not be disclosed.

Astrium Space Transportation

29/04/2010 p15

Automatic documentation generation

This document is the property of Astrium. It shall not be communicated to third parties without prior written agreement. Its content shall not be disclosed.

Astrium Space Transportation

29/04/2010 p16

Formal proofs on the ATV safety Software

SCADE model Environment description Logical Property Exhaustive verification LESAR tools

The LESAR tool is developed by the VERIMAG laboratory (the same results has now been reached with Prover)

True property Diagnostic

This document is the property of Astrium. It shall not be communicated to third parties without prior written agreement. Its content shall not be disclosed.

Astrium Space Transportation

29/04/2010 p17

Examples of proved properties

• Specification of the environment by “regular expressions”
• Use of the “reglo” tool

cam_arm( on, arm, cam_cmd, tc, hltc ) = prefix( [-on, -arm, -cam_cmd, -tc, -hltc]*. [ on, -arm, -cam_cmd, -tc, -hltc]. [-on, -arm, -cam_cmd, -tc, -hltc]*. ~~ ) ;

(the same result has now been reached with SCADE 6 automata)

• Properties
• A “red button” implies eventually a CAM triggering before 4 cycles
• Real time property
• The two MSU chains can not triggered both a CAM at the same time
• Mutual exclusion property

This document is the property of Astrium. It shall not be communicated to third parties without prior written agreement. Its content shall not be disclosed.

Astrium Space Transportation

29/04/2010 p18

SCADE V3 on the ATV: Conclusion

• Improvement of the specification quality
• Suppression of ambiguity (formal semantics)
• Early detection of errors by simulation
• Exhaustive proofs of some critical properties

 Formal proof has allowed detecting errors (even if formal proof does not replace tests)

• Why shall we go further?
• Modelling limited to very simple automata
• The ATV code has not been automatically generated

This document is the property of Astrium. It shall not be communicated to third parties without prior written agreement. Its content shall not be disclosed.

Astrium Space Transportation

29/04/2010 p19

Overview

• Introduction
• Historical use of SCADE at EADS Astrium ST
• Why using SCADE?
• The Automatic Transfer Vehicle (ATV)
• M51 and Vega
• R&T preparing the future
• Model transformation
• Assessment of SCADE 6
• Points to be improved
• Conclusion

This document is the property of Astrium. It shall not be communicated to third parties without prior written agreement. Its content shall not be disclosed.

Astrium Space Transportation

29/04/2010 p20

Other uses

• SCADE V3 has also been used to formalize the

specifications:

• Of the M51 software
• Of the Vega software

This document is the property of Astrium. It shall not be communicated to third parties without prior written agreement. Its content shall not be disclosed.

Astrium Space Transportation

29/04/2010 p21

Overview

• Introduction
• Historical use of SCADE at EADS Astrium ST
• Why using SCADE?
• The Automatic Transfer Vehicle (ATV)
• M51 and Vega
• R&T preparing the future
• Model transformation
• Assessment of SCADE 6
• Points to be improved
• Conclusion

This document is the property of Astrium. It shall not be communicated to third parties without prior written agreement. Its content shall not be disclosed.

Astrium Space Transportation

29/04/2010 p22

ATV Evolution ? Suborbital flight ?

R&T: SCADE 6 for future projects

This document is the property of Astrium. It shall not be communicated to third parties without prior written agreement. Its content shall not be disclosed.

Astrium Space Transportation

29/04/2010 p23

Overview

• Introduction
• Historical use of SCADE at EADS Astrium ST
• Why using SCADE?
• The Automatic Transfer Vehicle (ATV)
• M51 and Vega
• R&T preparing the future
• Model transformation
• Assessment of SCADE 6
• Points to be improved
• Conclusion

This document is the property of Astrium. It shall not be communicated to third parties without prior written agreement. Its content shall not be disclosed.

Astrium Space Transportation

29/04/2010 p24

GNC(*) Mission management GNC(*) prototype System requirement capture UML/SysML Rhapsody SCADE and Ada or C++ KCG Matlab/Simulink

Astrium process

Need of refinement Need of refinement

(*) Guidance, Navigation, Control

This document is the property of Astrium. It shall not be communicated to third parties without prior written agreement. Its content shall not be disclosed.

Astrium Space Transportation

29/04/2010 p25

From SysML or AADL to SCADE

AADL SCADE model automatically generated SCADE

This document is the property of Astrium. It shall not be communicated to third parties without prior written agreement. Its content shall not be disclosed.

Astrium Space Transportation

29/04/2010 p26

From Simulink to SCADE

Simulink SCADE model automatically generated SCADE

This document is the property of Astrium. It shall not be communicated to third parties without prior written agreement. Its content shall not be disclosed.

Astrium Space Transportation

29/04/2010 p27

Conclusion: Will we use automatic model transformation?

• The tools work correctly…
• …but our process of use is today not clear!
• The software model (in SCADE) needs more details than the

system model (in SysML/AADL/)

• Numerical protections
• Telemetry / Telecommand
• Real time aspects
• The software and system architectures are often different

The use of automatic model transformation tools is not foreseen today

(we remain today in a manual refinement process)

This document is the property of Astrium. It shall not be communicated to third parties without prior written agreement. Its content shall not be disclosed.

Astrium Space Transportation

29/04/2010 p28

Overview

• Introduction
• Historical use of SCADE at EADS Astrium ST
• Why using SCADE?
• The Automatic Transfer Vehicle (ATV)
• M51 and Vega
• R&T preparing the future
• Model transformation
• Assessment of SCADE 6
• Points to be improved
• Conclusion

This document is the property of Astrium. It shall not be communicated to third parties without prior written agreement. Its content shall not be disclosed.

Astrium Space Transportation

29/04/2010 p29

Assessment of SCADE V6 on a case study

Test of the whole software on validation platform ATV main software Ada Automatic code generation with KCG SGS Solar Generation System redeveloped in SCADE V6 (automata & data flows) Our objectives

This document is the property of Astrium. It shall not be communicated to third parties without prior written agreement. Its content shall not be disclosed.

Astrium Space Transportation

29/04/2010 p30

Modelling of data flow architecture

The initial architecture in SART The new architecture in SCADE V6

This document is the property of Astrium. It shall not be communicated to third parties without prior written agreement. Its content shall not be disclosed.

Astrium Space Transportation

29/04/2010 p31

Modelling of Finite State Machine

Use of powerful hierarchical automata Initial representation

• f FSM

This document is the property of Astrium. It shall not be communicated to third parties without prior written agreement. Its content shall not be disclosed.

Astrium Space Transportation

29/04/2010 p32

Modelling of activation condition

Specification of activation condition in SART (Process Activation Table) Formalization of activation condition by SCADE 6 automata

This document is the property of Astrium. It shall not be communicated to third parties without prior written agreement. Its content shall not be disclosed.

Astrium Space Transportation

29/04/2010 p33

Modelling of simple mathematical equation

Specification of simple monitoring Modelling of monitoring in SCADE V6

This document is the property of Astrium. It shall not be communicated to third parties without prior written agreement. Its content shall not be disclosed.

Astrium Space Transportation

29/04/2010 p34

Assessment of SCADE 6: Conclusion

• A complete functionalities of the ATV has been

redeveloped in SCADE V6

• Architecture and data flows
• Complex hierarchical automata and sequences
• Verified by simulation (coverage checked by MTC)
• Remaining work for 2008
• Test on validation platform
• Integration to our Software Development Environment (SDE)
• Configuration management, traceability
• Windows / Unix

We will be ready to start an operational development in SCADE 6 in 2009

This document is the property of Astrium. It shall not be communicated to third parties without prior written agreement. Its content shall not be disclosed.

Astrium Space Transportation

29/04/2010 p35

Overview

• Introduction
• Historical use of SCADE at EADS Astrium ST
• Why using SCADE?
• The Automatic Transfer Vehicle (ATV)
• M51 and Vega
• R&T preparing the future
• Model transformation
• Assessment of SCADE 6
• Points to be improved
• Conclusion

This document is the property of Astrium. It shall not be communicated to third parties without prior written agreement. Its content shall not be disclosed.

Astrium Space Transportation

29/04/2010 p36

SCADE 6 has very powerful automata

This document is the property of Astrium. It shall not be communicated to third parties without prior written agreement. Its content shall not be disclosed.

Astrium Space Transportation

29/04/2010 p37

… but not very intuitive for reviewers(*)!

State7 State6 State5 State4 State3 State2 State1 <SM1> true

1

true

1 1

*

true

1

*

true

1

*

1

Strong without history Weak without history Synchronized without history Strong with history Weak with history Synchronized with history

(*) Non SCADE users

This document is the property of Astrium. It shall not be communicated to third parties without prior written agreement. Its content shall not be disclosed.

Astrium Space Transportation

29/04/2010 p38

Graphical or textual ?

z = (a * x) + (b * y) + c; Some times… a textual description is better … than a graphical one But operators “+”, “-”, “*”, “/”… can not be overloaded  Equations with vectors and matrixes are not naturally written

This document is the property of Astrium. It shall not be communicated to third parties without prior written agreement. Its content shall not be disclosed.

Astrium Space Transportation

29/04/2010 p39

The textual editor can be improved!

The layout is modified after saving

This document is the property of Astrium. It shall not be communicated to third parties without prior written agreement. Its content shall not be disclosed.

Astrium Space Transportation

29/04/2010 p40

SCADE generates today only C

• A textual description/programming language is

needed

• SCADE and C are not enough
• Automatic Ada code generation would be a solution
• Adapted to embedded software
• Would improve the typing?

POSITION ACCELERATION VELOCITY

Name Type ACCELERATION T_ ACCELERATION POSITION T_POSITION VELOCITY T_ VELOCITY

KCG for Ada is in the Esterel Technologies roadmap

This document is the property of Astrium. It shall not be communicated to third parties without prior written agreement. Its content shall not be disclosed.

Astrium Space Transportation

29/04/2010 p41

A library is supplied for integer 8, 16, 32 bits But the user shall developed its own library for simple and double float precisions

Basic data types are missing!

This document is the property of Astrium. It shall not be communicated to third parties without prior written agreement. Its content shall not be disclosed.

Astrium Space Transportation

29/04/2010 p42

Use of clock activate

2

A3

MODE MODE3 2

A2

MODE MODE2 2

A1

MODE MODE1

Output1

MODE

Input1 Y1 Y2 Y3

switch (MODE) { case MODE2 : Output1 = A2(Input1); break; case MODE1 : Output1 = A1(Input1); break; case MODE3 : Output1 = A3(Input1); break;

The generated code is very good Too much variables shall be defined

This document is the property of Astrium. It shall not be communicated to third parties without prior written agreement. Its content shall not be disclosed.

Astrium Space Transportation

29/04/2010 p43

No multithreading code generation

10 ms 50 ms Frequency 100 Hz Thread end Thread end Thread end Thread end Thread end Thread end Frequency 20Hz Thread end Frequency 10Hz RDV

A Rate Monotonic Scheduling is compatible with the synchronous approach and would be useful

This document is the property of Astrium. It shall not be communicated to third parties without prior written agreement. Its content shall not be disclosed.

Astrium Space Transportation

29/04/2010 p44

Overview

• Introduction
• Historical use of SCADE at EADS Astrium ST
• Why using SCADE?
• The Automatic Transfer Vehicle (ATV)
• M51 and Vega
• R&T preparing the future
• Model transformation
• Assessment of SCADE 6
• Points to be improved
• Conclusion

This document is the property of Astrium. It shall not be communicated to third parties without prior written agreement. Its content shall not be disclosed.

Astrium Space Transportation

29/04/2010 p45

Conclusion

• SCADE V3 has been successfully used in the past
• On a limited scope
• A full SCADE V6 development is foreseen for future

projects…

• Editor, Simulator
• Model Test Coverage (MTC)
• Design Verifier
• Qualified Code Generator (KCG)
• … with the hope of some improvements / additional

features in future versions!

• Especially Ada qualified code generator

This document is the property of Astrium. It shall not be communicated to third parties without prior written agreement. Its content shall not be disclosed.

Astrium Space Transportation

29/04/2010 p46

Thank you for your attention Any question ?

david.lesens@astrium.eads.net