Post on 16-Feb-2017
System Engineers vs. Software Engineers
“Who needs programmers?
Why do we have to depend on
them to implement our design?”
“Uh boy, not another attempt at Programming with
Pictures…”
Who is in charge, and do we really need programmers?System Architects and Engineers develop the original design
In a traditional environment, there is a “hand off”
to the software engineers- Detailed software design not directly linked to high level design- Design and even architecture may evolve as software development issues arise
- Net effect => can become an us vs. them situation
• Hardware and software engineers develop components to satisfy the requirements.
• Test engineers develop the test environment to verify the requirements.
Model Based System Engineering
System engineers analyze, simulate and validate the system design, and allocate
requirements to components.
Using standard-conforming modeling
tools
Using a standard-conforming model
execution tools
System engineers create the
models
Execution artifacts could include:System behavior, timing and statistics
Models can include both hardware and
software components.
Using standard-based model interchange
Courtesy of Ed Seidewitz
So How does Model-Based Approach Help reduce the us vs. them?Model-based approach, there need not be a “hand off”
- High-level design (produced by system engineers) is represented in a modeling language that supports automated code generation.
- Software engineers are still important: they now focus on providing new or enhanced parameterized building blocks, code-generation capabilities, and infrastructure.
Parameterized, annotated, high-performance building blocks in a software development “stack” can become key to commonality and productivity.
Shift to a Model-Based Approach by a customer was a Wakeup call for us
Major aerospace customer shifted engineers almost completely to model-based engineering
- Simulink, SCADE, etc. with automated code generation
Remaining number of users for “conventional” 3rd-generation compiler with IDE:- Five seats -- their tools group
Some of our traditional users were
disappearing …
Needed to broaden our focus
and develop a deeper software
development “stack”
What exactly is a Software Development Stack?
Modeling ToolsDrawing, Analysis, Simulation, Autocoding (QGen)
Coding ToolsCompiling, Analysis, Scheduling, Debugging
Architecture ToolsDefinition, Analysis, Documentation
Verification ToolsTesting, Analysis, Coverage, Proof
Hardw
are
What is QGen?A qualifiable and
customizable code generator
from Simulink® and Stateflow® to SPARK and
MISRA C
A formal model verifier
for runtime errors and functional properties
An open and extensible frameworkto integrate
heterogeneous models
QGen Main Features- Support for a large subset of Simulink®
- Around 120 blocks, optional checks for MISRA Guidelines for Simulink®- Stateflow® also supported, since early 2015
QGen Main Features- Support for a large subset of Simulink®
- Code generation producing MISRA C and SPARK (formally provable language)
- Readable and traceable code, no performance penalty
QGen Main Features- Support for a large subset of Simulink®
- Code generation producing MISRA C and SPARK (formally provable language)
- Integrated with compilation and testing frameworks- Integration with GNAT Pro compiler for qualified, end-to-end tool chain- Integration with GNATemulator and GNATcoverage for structural coverage analysis (up to MC/DC) without code instrumentation executing embedded object code
QGen Main Features- Support for a large subset of Simulink®
- Code generation producing MISRA C and SPARK (formally provable subset of Ada 2012)
- Integrated with compilation and testing frameworks
- Includes a static model verifier- Focus on safety-critical systems- Finds Run-time errors (divisions by zero, overflows, …)- Finds Logical errors (dead execution paths)- Verifies Functional/safety properties (Simulink® assertions blocks)
QGen Main Features- Support for a large subset of Simulink®
- Code generation producing MISRA C and SPARK (formally provable language)
- Integrated with compilation and testing frameworks
- Includes a static model verifier
- With QGen, you do not need a separate Stateflow modeling standard
Stateflow Safe subset built in: MISRA AC SLSF (guidelines)
QGen Main Features- Support for a large subset of Simulink®
- Code generation producing MISRA C and SPARK (formally provable language)
- Integrated with compilation and testing frameworks
- Includes a static model verifier
- With QGen, you do not need a separate Stateflow modeling standard
Plus relaxing some rules- For example: limits on hierarchical decomposition
QGen Main Features- Support for a large subset of Simulink®
- Code generation producing MISRA C and SPARK (formally provable language)
- Integrated with compilation and testing frameworks
- Includes a static model verifier
- With QGen, you do not need a separate Stateflow modeling standard
Plus additional constraints(to further clarify semantics)- Rationale fully clarified in the user guide
QGen Main Features- Support for a large subset of Simulink®
- Code generation producing MISRA C and SPARK (formally provable language)
- Integrated with compilation and testing frameworks
- Includes a static model verifier
- With QGen, you do not need a separate Stateflow modeling standard
- Tool qualification material- Including validation against Simulink® simulation- DO-178C, EN 50128, ISO-26262 TCL3
QGen Competitive Advantages
Safe Simulink subset: ensure that a model is verifiable by constructionDecrease tool deployment costs and system verification costs
QGen Competitive Advantages
Safe Simulink subset: ensure that a model is verifiable by constructionDecrease tool deployment costs and system verification costs
Complete qualification evidenceDecrease verification costs on generated code
QGen Competitive Advantages
Safe Simulink subset: ensure that a model is verifiable by constructionDecrease tool deployment costs and system verification costs
Complete qualification evidenceDecrease verification costs on generated code
Easy to customizeDecrease tool adaptation costs
Can be used to integrate with custom libraries, or other modeling languages such as UML, SysML, …
QGen Competitive Advantages
Safe Simulink subset: ensure that a model is verifiable by constructionDecrease tool deployment costs and system verification costs
Complete qualification evidenceDecrease verification costs on generated code
Easy to customizeDecrease tool adaptation costs
Can be used to integrate with UML, SysML, …
Integrated with verification, compilation and testing toolsDecrease tool integration costs
QGen Competitive Advantages
Safe Simulink subset: ensure that a model is verifiable by constructionDecrease tool deployment costs and system verification costs
Complete qualification evidenceDecrease verification costs on generated code
Easy to customizeDecrease tool adaptation costs
Can be used to integrate with UML, SysML, …
Integrated with verification, compilation and testing toolsDecrease tool integration costs
More practical to useDoes not require Matlab after model is exported
10x faster code generation, with no performance penalties on the generated code
QGen Development History- France- and EU-funded collaborative R&D project
- From October 2011 to October 2015
- 10M Euros total budget
- 19 Partners
- Leader: Continental Automotive France
From command line (does not require Matlab® IDE, ideal for regression testing)
qgenc MyModel.mdl [code-generation-options]
Using QGen
Integrated in Matlab® IDE (ideal for everyday use)
Standard code generation- One file for every atomic subsystem- Variables are global (in .adb/.c files)
Full inlining, to increase performances- A single file for the entire system- All function calls are inlined- Less memory consumption, less memory copy, more optimization
Wrapping to reuse code with different I/O context- Corresponds to Simulink “generate reusable code”- Pass persistent state and I/O data as formal parameters- Allows reusing the same code for multiple I/O contexts
Using QGen Code Generation
Overall Stateflow code generation
/* entering the state machine */ if (!Active) { Active = TRUE; /* Open and enter chart */ s1 = TRUE; /* Enter state s1 */ s1_s11 = TRUE; /* Enter state s11 */ Out1 = 0.0; /* Perform transition for s11a */ s1_s11_s11a = TRUE; /* Enter state s11a */ s1_s12 = TRUE; /* Enter state s12 */ Out2 = 0.0; /* Perform transition for s12a */ s1_s12_s12a = TRUE; /* Enter state s12a */ } else { /* state machine entered previously */
1 2
Overall Stateflow code generation
/* entering the state machine */ if (!Active) { Active = TRUE; /* Open and enter chart */ s1 = TRUE; /* Enter state s1 */ s1_s11 = TRUE; /* Enter state s11 */ Out1 = 0.0; /* Perform transition for s11a */ s1_s11_s11a = TRUE; /* Enter state s11a */ s1_s12 = TRUE; /* Enter state s12 */ Out2 = 0.0; /* Perform transition for s12a */ s1_s12_s12a = TRUE; /* Enter state s12a */ } else { /* state machine entered previously */
1 2
/* entering the state machine */ if (!Active) { Active = TRUE; /* Open and enter chart */ s1 = TRUE; /* Enter state s1 */ s1_s11 = TRUE; /* Enter state s11 */ Out1 = 0.0; /* Perform transition for s11a */ s1_s11_s11a = TRUE; /* Enter state s11a */ s1_s12 = TRUE; /* Enter state s12 */ Out2 = 0.0; /* Perform transition for s12a */ s1_s12_s12a = TRUE; /* Enter state s12a */ } else { /* state machine entered previously */
1 2
Overall Stateflow code generation
1 2
if (s1_s11_s11a) { if (Out1 > In1) { Out1 += 100.0; /* Exit state s11a */ s1_s11_s11a = FALSE; /* Exit state s11a */ s1_s11_s11b = TRUE; /* Enter state s11b */ } else { Out1++; /* Execute state s11a */ }} if (s1_s12_s12a) { if (slInEvent1) { Out2 += 100.0; /* Exit state s12a */ s1_s12_s12a = FALSE; s1_s12_s12b = TRUE; /* Enter state s12b */ Out2 += -50.0; }} else { if (s1_s12_s12b) { Out2++; /* Execute state s12b */ }}
Overall Stateflow code generation
1 2
if (s1_s11_s11a) { if (Out1 > In1) { Out1 += 100.0; /* Exit state s11a */ s1_s11_s11a = FALSE; /* Exit state s11a */ s1_s11_s11b = TRUE; /* Enter state s11b */ } else { Out1++; /* Execute state s11a */ }} if (s1_s12_s12a) { if (slInEvent1) { Out2 += 100.0; /* Exit state s12a */ s1_s12_s12a = FALSE; s1_s12_s12b = TRUE; /* Enter state s12b */ Out2 += -50.0; }} else { if (s1_s12_s12b) { Out2++; /* Execute state s12b */ }}
Overall Stateflow code generation
1 2
if (s1_s11_s11a) { if (Out1 > In1) { Out1 += 100.0; /* Exit state s11a */ s1_s11_s11a = FALSE; /* Exit state s11a */ s1_s11_s11b = TRUE; /* Enter state s11b */ } else { Out1++; /* Execute state s11a */ }} if (s1_s12_s12a) { if (slInEvent1) { Out2 += 100.0; /* Exit state s12a */ s1_s12_s12a = FALSE; s1_s12_s12b = TRUE; /* Enter state s12b */ Out2 += -50.0; }} else { if (s1_s12_s12b) { Out2++; /* Execute state s12b */ }}
Overall Stateflow code generation
1 2
Overall Stateflow code generation
if (s1_s11_s11a) { if (Out1 > In1) { Out1 += 100.0; /* Exit state s11a */ s1_s11_s11a = FALSE; /* Exit state s11a */ s1_s11_s11b = TRUE; /* Enter state s11b */ } else { Out1++; /* Execute state s11a */ }} if (s1_s12_s12a) { if (slInEvent1) { Out2 += 100.0; /* Exit state s12a */ s1_s12_s12a = FALSE; s1_s12_s12b = TRUE; /* Enter state s12b */ Out2 += -50.0; }} else { if (s1_s12_s12b) { Out2++; /* Execute state s12b */ }}
1 2
Overall Stateflow code generation
if (s1_s11_s11a) { if (Out1 > In1) { Out1 += 100.0; /* Exit state s11a */ s1_s11_s11a = FALSE; /* Exit state s11a */ s1_s11_s11b = TRUE; /* Enter state s11b */ } else { Out1++; /* Execute state s11a */ }} if (s1_s12_s12a) { if (slInEvent1) { Out2 += 100.0; /* Exit state s12a */ s1_s12_s12a = FALSE; s1_s12_s12b = TRUE; /* Enter state s12b */ Out2 += -50.0; }} else { if (s1_s12_s12b) { Out2++; /* Execute state s12b */ }}
1 2
Overall Stateflow code generation
if (s1_s11_s11a) { if (Out1 > In1) { Out1 += 100.0; /* Exit state s11a */ s1_s11_s11a = FALSE; /* Exit state s11a */ s1_s11_s11b = TRUE; /* Enter state s11b */ } else { Out1++; /* Execute state s11a */ }} if (s1_s12_s12a) { if (slInEvent1) { Out2 += 100.0; /* Exit state s12a */ s1_s12_s12a = FALSE; s1_s12_s12b = TRUE; /* Enter state s12b */ Out2 += -50.0; }} else { if (s1_s12_s12b) { Out2++; /* Execute state s12b */ }}
The Big Picture: code generation and testing
AdaCore is in the unique position of providing a fully qualifiable end-to-end
model compilation chain
The Big Picture: code generation and testing
MISRA C or SPARK
Embedded Object Code
GNATemulator*for PowerPC, ARM, …
(Virtual)Processor In the LoopTesting
* Already qualified in a DO-178 level A context, both in the US (FAA) and
EU (EASA)
GNATcoverage*
Structural Coverage Analysis (up to MC/DC) without source code instrumentation
Using QGen: Verifying functional properties
If the driver hits the “Brake” or “Clutch” pedals, then the Cruise Control should be
OFF
ON OFF
TRUE ERROR OK
FALSE OK OK
Cruise Control
Brake OR Clutch
Using QGen: Verifying functional properties
If the driver hits the “Brake” or “Clutch” pedals, then the Cruise Control should be
OFF
Using QGen: Verifying functional properties
If the driver hits the “Brake” or “Clutch” pedals, then the Cruise Control should be
OFF
Formalization of safety property
Using Qgen: Verifying functional properties
If the driver hits the “Brake” or “Clutch” pedals, then the Cruise Control should be
OFF
Formalization of safety property
System implementation
QGen: Current Evaluation State- Continually Tested against industrial-grade models
Avionics Automotive SpaceWe currently have customer in:
• The Automotive market (major Tier 1 in Japan)
• The Aerospace and Defense market (major US player in this market)
QGen: Current Evaluation State- Continually Tested against Industrial-Grade models
- Fast Code generation- Units with less than 100 blocks takes less than 1s- Model with 7k blocks: more than 20k SLOC generated in 35s- With additional optimization: 60s
QGen: Current Evaluation State- Continually Tested against Industrial-Grade models
- Fast Code generation
- Practical code generation strategy- Reusable code for Simulink libraries- Flexible parameter handling (struct, flat, globals, …)- No performance penalty (from both a timing and memory perspective
QGen: Current Evaluation State- Continually Tested against Industrial-Grade models
- Fast Code generation
- Practical code generation strategy
- Very readable and traceable code
QGen: Current Evaluation State- Continually Tested against Industrial-Grade models
- Fast Code generation
- Practical code generation strategy
- Very readable and traceable code
- Tight tool integration – A major advantage- Code generator- Compiler- Unit testing platform- Structural coverage without instrumentation- Formal verification
QGen: Current Evaluation State- Continually Tested against Industrial-Grade models
- Fast Code generation
- Practical code generation strategy
- Very readable and traceable code
- Tight tool integration – A major advantage
- DO-178-like Tool Qualification – A major differentiating factor- Provides Full specification of tool behavior- Incldes Review and verification of tool source code (including structural coverage)- Brings a focus on safety to Simulink
Model-Level Debugging
• Model-Level Breakpoints• Stop on event• Stop on signal transition
• Model-Level Data Display• Trace of Signal over Time• Sequence of Events
• Model-Level Stepping• Step one Time increment• Step one Block
Computation/Update• Correlate Model Blocks with:
• Generated Code• Assembly Code
Support for Model-Level Debugging• Will support Simulink 2008b and later• Will support displaying and debugging all blocks supported by QGen
code generator• Will initially support displaying and debugging Simulink blocks
• On Road Map: Stateflow, Truthtables, Lookuptables• No Limitation on depth of subsystem nesting – can drill down as needed• Pricing: Not finalized• Availability: Simulink only: Q3 2016; Simulink + Stateflow: Q1 2017
History and Roadmap2013-2014
Evaluation by Project P* partners
Late 2014
Available for selected customers
Feb 2015
QGen commercial availability
Spring 2015
Stateflow® support
2016
QGen TQL1 Planning Documents
QGen Debugger for Simulink
2017
QGen Debugger for Stateflow and Simulink
2018
QGen TQL1 qualification completed