Matteo Bordin, P Project
Name: Matteo Bordin
Title: Project P: Towards the qualification of open-source code generators
Abstract:
From flight, to engine, to attitude and orbital control, model-based development using formalisms such as Simulink/Matlab, Scicos/Scilab, UML, etc. is an important component in the engineering of high-integrity embedded systems.
Going from models to target hardware used to be a manual process: the models were part of the requirements and were manually translated into Ada, C/C++ ... or even assembly code. In the case of programming languages such as C/C++ or Ada, a conventional compiler would then generate code for the target hardware.
Today, going from models to C is mostly the responsibility of automatic code generators. This has the potential of reducing the cost of going from models to target hardware. In the context of certification requirements (DO-178/ED-12 for avionics, ISO 26262 for automotive, ECSS-E-ST-40C / Q-ST-80C for space, EN 50128 for railways ...) having an automatic code generator is not enough. The formal assessment of the quality of the generated code (a chore which must be repeated) or of the code generator itself is necessary. The later promises the greatest savings.
The assessment of the code generator quality takes the name of "tool qualification" in DO-178/ED-12, the international standard for the certification of airborne software. The qualification of a code generator in a DO-178/ED-12 context is significant as it requires to develop the tool with a process close to the one used for airborne applications. The qualification of a code generator can be very beneficial as it can be used to replace verification activities on the generated Ada or C source such as consistency with and traceability to requirements. A qualified code generator may also reduce the amounts of tests to be performed.
Technically (in DO-178/ED-12 parlance) a code generator is qualified only in the context of a precise avionics project. A COTS provider can at most deliver a "qualifiable" code generator, meaning that its qualification needs to be finalized by the user in the operational environment. This is because a COTS provider cannot assess that the tool perfectly suits the needs and lifecycle processes of each single user. The cost for developing a qualifiable code generator is extremely high if it incorporates different code generation options, strategies, and parameters. In fact, the greater the number of execution modes in operational use, the greater the code generator complexity, the number of requirements, test cases, and verification activities. On the other hand, flexibility and adaptability is important for COTS tools: only a flexible tool can appeal to a sufficiently large customer base to justify the development of a qualifiable code generator. As a result, the availability of qualifiable, off-the-shelf, code generators is rare.
The goal of Project P, a French state funded R&D project, is to provide an open-source code generation framework capable of generating optimized Ada and C sources from Simulink, Scicos, and other modeling languages while providing open "qualification" material. In this presentation we will describe our approach to qualify our open-source code generator.
The proposed process divides the qualification costs of the code generator between the COTS provider and its user, in compliance with the new document DO-330/ED-215 "Considerations for Tool Qualification". The open-source COTS provider delivers the qualifiable code generator backbone, the qualification data, and the qualification infrastructure in a single package. The open-source COTS provider also delivers a precise model of the process for the incremental re-qualification of the code generator. This process can be applied to develop and integrate new components into the code generator backbone, such as special-purpose optimization strategies, or the support for new modeling elements.
Since (a) the sources of the code generator are delivered with a suitable open-source license, (b) together with its open-source qualification infrastructure, and (c) a qualification process model, the final user (or a service company) can modify specific components of the toolset and re-qualify them in their operational context. This approach lowers the investment required for open-source COTS providers and, thanks to the open-source license, allows the existence of an ecosystem to tune and support specific incarnations of the original code generator backbone.
Up to now, when a code generator and its qualification material are developed in concert, they tend to be "frozen" because the costs of coordinated evolution for the COTS vendor are significant. We call this state-of-affairs "the big freeze". We believe the technical and business approach put forth by Project P can address the "big freeze" and could increase the availability of qualifiable code generators and ultimately reduce the costs for the development of high-integrity embedded systems.
Click here to see the slides
Back to the agenda