Julien Delange, European Space Agency
Maxime Perrotin, European Space Agency

Introduction

Safety-critical systems design and implementation is very difficult: they must operate correctly and continuously. Misconception or errors may have significant consequences and are potentially mission or life critical. To avoid such issues, failure cases must be clearly identified and handled by software engineers to avoid any propagation from one faulty component to another. For that purpose, several rules and standards are applied during the development process of such systems, from the specifications to the implementation.

However, despite all existing efforts, bugs and errors remain. They are introduced at different levels of the development process: either in the specifications (as in the Mars Climate Orbiter mission - failure was due to a mix-up of metric units) or in the implementation (as in the Ariane 5 launch - wrong assumption was made about a data type so that the system generate an overflow).

To avoid such issues, good design practices must be established and supported by appropriate languages and tools. It would check all system requirements at a high-level and ensure standards compliance enforcement at lower levels. As a result, this would also reduce development cost (system is verified by appropriate tools), ensure the development process reliability and robustness  since requirements and standards are automatically enforced.

Problem statement

Despite all the applicable standards, errors and bugs are still introduced in safety-critical systems. To cope with these issues, system specifications must be verified according its requirements and implementation must be analyzed and validated according to coding standards requirements. However even if tools exist, they are loosely coupled so that it still requires manual adaptation/translation from one tool to another.

For example, when translating system specification into code, developers read system specifications (a text-based document) and try to implement a system based on their own understanding of the expected behaviour. However, this process is a source of errors bugs, in particular:

1. Nothing ensures specifications correctness;
2. The developer can introduce an error
3. The developer potentially misunderstands system specifications.

As a result, even if some tools exist and some are released as open-source software, we need to design a consistent toolset that automates the development process, integrates specifications languages/validation tools and avoids all manual operations.

Approach

First, we propose to capture system architecture with its requirements, properties and constraints using a single modeling language. It would provide an appropriate abstraction level to represent all system aspects with the same notation. However, the language must be chosen carefully because it has to provide an appropriate semantics to represent all system aspects without ambiguity.

From this high-level representation (models), development steps are then automatically processed by appropriate tools. In particular:

1. Specifications validation: tools automatically analyzes models to check system correctness and feasibility. If something is wrong, system designers can fix their design prior to implementation efforts.
2. Implementation and integration with a Real-Time Operating System: specific compilers transform models into implementation code (such as Ada or C). This generated code is automatically compiled and linked against a Real-Time execution platform that supports system entities (tasks, mutexes, etc.)
3. Analysis and monitoring of system execution. System is executed either on the target or a simulator to analyze its performance and behavior correctness and also check safety-critical standards compliance (such as code coverage).

Results

We implement this approach in The Assert Set Of Tools for Engineering [1] (TASTE), which is the outcomes of the European ASSERT[2] project. TASTE [1] aims at providing a complete functional toolchain that provides guidance to engineers for safety-critical system development, from the specifications to the implementation and validation.

Our development approach relies on the Architecture Analysis and Design Language (AADL) [9] to represent the system, its properties and constraints. Designers model system architecture using either the textual or the graphical notation of AADL.

Then, our toolchain:

1. Checks specification correctness using validation tools a. Cheddar [7] or MAST [8], two scheduling analysis tools released under free software b. REAL, an AADL [9] query tool that checks specification correctness
2. Transforms the AADL models into C code using Ocarina[10], an AADL toolsuite released under GPL that has the capability to automatically generate code against established standards such as POSIX, RT-POSIX or ARINC653. The code is then integrated on top of a real-time execution platform: Ocarina[10] actually supports the following free-licensed platforms: RTEMS[12], Xenomai[11], Xtratum[13] and POK[14].
3. Executes the code either on the target or a simulator (such as QEMU), checks:
   a. its performance (using gprof, a performance analysis tools included in the GNU binutils suite [3])
   b. reproduces its behavior (by instrumenting the code and produce a Value Change Dump (VCD) [6] file to be used with GTKWave [5])
   c. produces code coverage reports using the couverture toolset [4] (specific GPL-licensed tools form Adacore that aims at supporting code coverage using a specific tailored version of QEMU).

The use of AADL [9] provides the ability to make this process fully automatic so that engineers do not have to write any line of code manually. In addition, while system fesability and requirements are automatically checked during the development process, these tools also provides useful support and metrics (such as code coverage) that can be used for system certification.

Conclusion

This article provides an overview of existing tools that help engineers in the design of safety-critical systems, either in early phases or in implementation or execution validation. As these tools are loosely-coupled and requires manual efforts to be tailored to the development process of each system, we introduce our approach that smoothly integrates all these tools altogether.

For that purpose, we represent the system architecture with its execution constraints using an appropriate modeling language, AADL. Then, we connect models with identified tools to detect errors as early as possible and validate system implementation. This process also automates the development process, and so, avoids all issues related to manual code production and human errors.

The toolchain we present, TASTE, provides guidance for system design from high-level (requirements enforcement validation, scheduling feasibility) to its implementation (code coverage analysis, system behavior correctness validation, performance evaluation), which is automatically generated from AADL models and integrated into a Real-Time execution platform.

As a result, it strengthen the overall development process, making it more robust and reliable. Moreover, as potential errors are discovered early in the development process and integration issues would likely be reduced, development cost are expected to decrease significantly.

Further work would cover other aspects of safety-critical systems development. In particular, our toolchain could also support additional guidance for safety-critical standards (such as DO178 or ECSS) enforcement by providing documentation generation facilities or additional implementation code validation (coding rules to be checked, etc.).

References

[1] TASTE homepage: http://www.assert-project.net/taste
[2] The ASSERT project: http://www.assert-project.net
[3] GNU binutils: http://www.gnu.org/software/binutils/
[4] The Couverture project : http://www.open-do.org/projects/couverture/
[5] GTKWave : http://gtkwave.sourceforge.net/
[6] Value Change Dump file format - http://ieeexplore.ieee.org/Xplore/login.jsp?url=http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=954909
[7] Cheddar : http://beru.univ-brest.fr/~singhoff/cheddar/
[8] MAST : http://mast.unican.es/
[9] Architecture Analysis and Design Language: http://www.aadl.info
[10] Jérôme Hugues, Bechir Zalila, Laurent Pautet, Fabrice Kordon: Rapid Prototyping of Distributed Real-Time Embedded Systems Using the AADL and Ocarina. IEEE International Workshop on Rapid System Prototyping 2007: 106-112
[11] Xenomai - http://www.xenomai.org
[12] RTEMS - http://www.rtems.com
[13] Xtratum - http://www.xtratum.org/
[14] POK - http://pok.safety-critical.net