Jon Bennett, MBDA UK Ltd.
Like many companies in the defence sector, MBDA is adapting to the demands of a rapidly evolving business environment. Principal amongst these is the increasing need to deliver higher levels of system capability in much-reduced timescales—and to achieve this without compromising the integrity of the product.
In 2008, MBDA embarked on an improvement programme with the objective to enhance our ability to deliver highly complex, reliable products in shorter timescales. A cornerstone of this programme is the adoption of Model-Based Design across the organisation, with application in the systems and software and mechanical and electronic domains. In turn, moving to a model-driven approach is part of a wider programme to improve collaboration both within and across our development programmes.
This presentation explains more about the motivation behind the programme, and those aspects considered essential to successfully delivering Model-Based Design in a high-integrity environment. Some key successes are highlighted, as are those areas where there is still work to do.
Andrew Bennett, MathWorks
Systems engineers can take a variety of modelling approaches when designing a system using Model-Based Design. Initially an executable specification is developed, and over time this representation is elaborated to ensure the system meets requirements. When a system needs to meet high-integrity development objectives, the systems engineers should consider the model architecture from the very outset.
Modularisation helps ensure the appropriate infrastructure is in place to enable multiple people to work on the system simultaneously. Modularisation also helps ensure functional components are well defined, leading to robust operation and definition of interfaces. Based on experience with a variety of customers, this presentation compares methods available for model partitioning and componentisation, ways of managing Simulink models using version control tools, and techniques for automating the model management process.
Dave Higham, Delphi Diesel Systems
Delphi is a leading global supplier of electronics and technologies for the automotive, commercial vehicle, and other market segments. As part of its powertrain systems division, Delphi Diesel Systems designs and manufactures components and engine management systems across the spectrum of on- and off-highway applications.
As vehicle systems and systems interaction continue to become more complex, the resulting increases in technological demands are driving evolution in the ECU’s safety architecture and the processes with which engine management systems are designed. From a safety perspective, this has resulted in the need to demonstrate that verified, traceable requirements are successfully validated against criteria defined for system performance and behaviour. With this in mind, the emerging safety standard ISO 26262 has been developed specifically for automotive electrical and electronic systems. Like its parent standard IEC 61508, ISO 26262 is a risk-based approach using the concept of automotive safety integrity levels to identify risks and safety requirements in order to reduce risks from systematic and random hardware failures.
This presentation outlines how Delphi Diesel Systems has applied Model-Based Design for the development of safety-related systems, with the aim of addressing the requirements of ISO 26262. It will demonstrate how model-based development and verification techniques have been adopted throughout the life cycle, enabling Delphi Diesel Systems to align to the requirements of ISO 26262 and maintain efficient operations.
Mark Walker, MathWorks
With Model-Based Design, the systems engineering team develops an early understanding of design constraints, and required behaviour is documented and locked down with automated tests. The low-level implementation and its validation are typically the responsibility of a software team. The software engineering represents a considerable effort and requires close collaboration with the systems engineering work—for example, reuse of tests to verify correct implementation. If the system is in the high-integrity category and therefore working to an externally recognised development standard, many additional activities are required to demonstrate correctness of design and implementation.
These software engineering tasks include software architecture design, implementation to source code, code review, traceability, unit and integration testing, profiling, scheduler design, and coverage measurement. Of course, all of these activities are still needed on projects using Model-Based Design, and the software engineers must deliver them to the project team. Some aspects, such as implementation to source code and code review, can be fully automated. Others, such as software architecture design, testing, and coverage measurement, can be largely achieved at the model level. Traceability, profiling, scheduler design, and code coverage can also be facilitated by Model-Based Design.
This presentation shows how you can use Model-Based Design to efficiently implement the software and demonstrate the implementation correctness for high-integrity applications.
Pierre Lionne, APSYS
The DO-178 standard has long been in use by the aviation community for the development of embedded software. The standard defines objectives to fulfill and activities to perform, but it does not prescribe any particular methodology. With the DO-178C revision, a dedicated Model-Based Supplement has been developed.
This presentation details the DO-178C Model-Based Supplement development process, its scope, and the foundation concepts. It also discusses the main points of the Model-Based Supplement, including the new software development techniques it addresses.
The decision to develop a Model-Based Supplement was driven by feedback from the aviation industry and airworthiness authorities that the rules for using models in the development of embedded software needed clarification. The supplement was written by a subgroup of the Joint RTCA Special Committee 205 and EUROCAE Working Group 71 according to the template elaborated by SC205/WG71. The supplement is not a standalone document; it should be used to complement the core document and any other potential supplements. The aspects of airworthiness certification that pertain to model-based development and verification in conjunction with DO-178/ED-12 are covered. This includes models developed in the system process that are used to define software requirements or software architecture.
Mirko Conrad, MathWorks
Model-Based Design with automatic code generation is an important and established technology for developing high-integrity embedded systems. Increasingly, engineers are using Model-Based Design to achieve early verification, validation, and testing for their projects. MathWorks provides an integrated set of qualified verification and validation tools to support these activities.
For projects working to the DO-178B standard, the verification and validation capabilities for models and generated code are supported by qualification kits. These kits enable the automation of model standards checking, source code reviews, and other key activities. Tool qualification packages are also provided for ISO 26262. They encompass code generation, verification, and validation tools.
This presentation provides an overview of the tool qualification and certification support available in MathWorks tools for Model-Based Design and details how some of the key verification activities required by DO-178B, such as source code reviewing, are achieved through qualified automation.
David Maclay, MathWorks
Object code must be verified against its parent requirements and, increasingly, these parent requirements take the form of a model. The object code is compiled from source code that may be, wholly or in part, generated automatically from this model. With processor-in-the-loop, test cases previously developed for simulation can be directly reused to verify the behaviour of object code executing on a simulator or real embedded hardware.
Processor-in-the-loop uses automatically generated test interface files that match the code interface of the component under test. These test interface files are fully available for inspection and review. The object code under test may be compiled with production settings, or it may include instrumentation, for example, for execution profiling or code coverage. In the former case, the object code under test is the actual code that will be integrated into the production software.
This presentation shows how processor-in-the-loop not only supports verification, but shortens project timescales by allowing rapid iterations of the development cycle. The impact of model changes on object code performance can be measured quickly, and the time required to verify object code against the model is reduced.
The Role of Model-Based Design Software Architecture in Supporting High-Integrity Software Development
Darren Sexton, Ricardo UK Ltd.
This presentation discusses the importance of selecting and enforcing a suitable model architecture to support both practical aspects of developing high-integrity software and the verification and validation activities. It considers the use of libraries and model referencing to break software down into “features” that ease development tasks such as configuration management, team working, and incremental code generation, as well as the effect this has on verification activities such as testing, proving of critical properties, and static checking of code for robustness. Additionally, the presentation shows the value of using naming conventions to support the architecture.