# Model Based Development: From system engineering with Simulink to software specification with SCADE then to implementation

Thierry LE SERGENT, FERIA, May 4th, 2004
Esterel Technologies, 2004

## Agenda

- Model based development
- Simulink vs. SCADE
- Principles of the Simulink Gateway

## Context

- System design with Simulink
- Goal: develop software for the Controller

(Diagram: Plant to be controlled; HW interface; Controller: software to be implemented; HW interface. The controller with its HW interfaces is the electronic system to be implemented.)

## Software development

- Traditional method
  - Modelling in Simulink for simulation
  - Hand coding of the software controller
- Inconveniences
  - Coherence between model and code
  - Round trip is difficult

## Model based development

- First solution
  - Code generation from the Simulink model
  - Advantages: model based, a single reference (the Simulink model), coherence, fast round trip, etc.
  - Inconvenience: the Simulink model is not a formal description (see next slides)
- New solution
  - Assisted translation
    - From the Simulink model
    - To the formal description language SCADE
    - Then code generation from SCADE
  - Advantages:
    - Model based (fast round trip if the translation is automated)
    - Formal software specification: no ambiguities, formal verification, etc.

## Workflow

(Diagram: System engineering: Simulink model -> SCADE Simulink Gateway ("engineering to specification") -> Software specification: SCADE specification -> SCADE Implementer ("specification to implementation") -> Software implementation: SCADE implementation -> C code.)

## Different Tools for Different Purposes

- SCADE and Simulink are both model based development tools, but they are targeted at different purposes
- Simulink: simulation environment
  - Primarily an environment for prototyping. Excellent at quickly representing numerical equations/control laws graphically, and simulating them
  - Extremely flexible. Imposes no programming constraint
  - But not designed to generate safe code
- SCADE: SW design environment for critical control systems
  - SCADE has been designed from the beginning to meet the strongest embedded software requirements, in particular for safety critical systems in avionics
  - SCADE offers a fully integrated design environment from specification to safe embedded production code certifiable to strict industry standards (DO-178B)

## From Simulink to SCADE

(Diagram: Simulink -> SCADE -> C code generation & embedding. Simulink side: modelling of environment (system) + controller; simulation of the whole system; validation of the controller model; code generation.)

- The translation must:
  - Make some implicit behaviour explicit
  - Filter unsafe constructs
  - Compute types and clocks

## Pb 1: Simulink initial values

- Implicitly determined from the content of the sub-system
- Can lead to misunderstandings
- In this model, only the Unit Delay has an initial value (= 3). The Gain block has no initial value, so Simulink sets its output to 0: 3 * 2 = 0 !!

## Pb 1: SCADE initial values

- It is mandatory to explicitly set the initial output values of an enabled sub-system
- Independent of the content of the sub-system
- No automatic change outside the designer's control, so no unexpected calculated values

(Figure labels: initial value of the first output; initial value of the second output)

## Pb 2: Unsafe Operators

- Simulink
  - Some operators are not usable for the development of critical embedded software because they can result in non-deterministic or misleading behaviour
  - Simulink blocks:
    - Merge: non-deterministic block, except in special cases
    - Goto/From, Data Store: equivalent to global variables; they make the design hard to understand and not robust to enhancements
    - While loops: could lead to infinite loops
- SCADE has been designed from the beginning with safety objectives: only safe and deterministic operators exist
- The SCADE language, based on the Lustre academic language, makes it impossible to create a non-deterministic design

## Unsafe Operators: Merge

- The Merge block combines its inputs into a single output line whose value at any time is equal to the most recently computed output of its driving blocks
- In this example, both sub-systems run in parallel and it is not possible to determine which output the Merge block will give, the square or the sine
- The Merge block is deterministic when all its inputs are strictly exclusive, for example when generated by an action block of the If/Then/Else or Switch/Case blocks (slide stamp: "Supported by Simulink Gateway")

## Pb 3: Modularity

- Simulink
  - "Virtually" modular: only visual grouping
  - Subsystem behaviour depends on its usage within the system
  - No clear subsystem interface definition => a subsystem re-used in another project can behave differently; it must be re-validated
- SCADE
  - Truly modular: a SCADE design is composed of independent nodes designed separately
  - A node always behaves in the same way, independently of where it is used
  - A SCADE node has a strong interface definition => a node can be directly re-used in another project without any additional work

## Pb 4: SW Simulation

- Simulink
  - The model is interpreted as a mathematical set of equations, Ordinary Differential Equations (ODE), solved at each simulation step by the solver
  - Simulation results are highly dependent on the solver (integration algorithm), resulting in different behaviours for different solvers
  - Discrete time does not exist; it is interpreted as piecewise constant continuous time, which is different from SW behaviour
- SCADE
  - Everything in SCADE is based on a cyclic logical time, counted as discrete instants, which enables exactly the same behaviour as a SW application
  - Simulation is an execution of the generated code (Software In the Loop simulation)
  - No difference between simulation and generated code

## Simulink to SCADE translation

- Filtering unsafe constructs
  - Unsafe blocks are translated into undefined imported nodes
- Interpretation of the Simulink model
  - Discrete time, fixed-step solver
- Translation of the Controller of the Simulink model into a SCADE model with the same interface
  - Structure kept: Subsystem -> Node
  - Graphical look kept: Simulink net view -> SCADE net view
  - Names kept: variables, operators, ...
  - Mapping: Simulink predefined operator -> SCADE node
    - Configurable mapping to a SCADE library node (generated node for a few specific cases)
    - The mapping depends on the computed datatype

## Simulink model example

(Figure: example Simulink model)

## Simulink model format

- Simulink .mdl files
- Basically 3 kinds of objects:
  - System {...}
    - -> Hierarchy
  - Block {...}
    - List of: "AttributeName" = "value"
    - First attribute: "BlockType"
  - Line {...}

## .mdl example

```
System {
  Name       "sys NOT"
  Location   [107, 120, 513, 367]
  ...
  Block {
    BlockType  Constant
    Name       "Constant"
    Position   [25, 40, 130, 80]
    Value      "2.5 * AA"
  }
  ...
  Block {
    BlockType  Logic
    Name       "Logical\nOperator"
    Position   [185, 34, 280, 86]
    Operator   "NOT"
    ...
  }
  ...
  Line {
    SrcBlock   "Logical\nOperator"
    SrcPort    1
    DstBlock   "Out1"
    DstPort    1
  }
}
```
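Added example, not from the slides or from the gateway's code: a small parser for the three object kinds described above (System, Block, Line), run on a constructed .mdl fragment of the "sys NOT" example. It assumes one `AttributeName value` pair per line, as in the example.

```python
# Constructed .mdl fragment of the "sys NOT" example above (not the slides' full file)
MDL_SAMPLE = r'''System {
  Name      "sys NOT"
  Block {
    BlockType  Constant
    Name       "Constant"
    Value      "2.5 * AA"
  }
  Block {
    BlockType  Logic
    Name       "Logical\nOperator"
    Operator   "NOT"
  }
  Line {
    SrcBlock  "Logical\nOperator"
    SrcPort   1
    DstBlock  "Out1"
    DstPort   1
  }
}'''

def parse_mdl(text):
    """Parse nested `Kind { ... }` objects into {"kind", "attrs", "children"} dicts."""
    root = {"kind": "root", "attrs": {}, "children": []}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("{"):                       # open a System / Block / Line object
            obj = {"kind": line[:-1].strip(), "attrs": {}, "children": []}
            stack[-1]["children"].append(obj)
            stack.append(obj)
        elif line == "}":
            stack.pop()
        elif line:                                   # `AttributeName value`
            key, val = line.split(None, 1)
            if val[0] == '"':
                val = val[1:-1]                      # quoted string; escapes kept as written
            elif val.isdigit():
                val = int(val)                       # port numbers
            stack[-1]["attrs"][key] = val
    return root["children"][0]

def summarize(system):
    """Block Name -> BlockType (the attribute the gateway keys its rules on),
    and (SrcBlock, SrcPort, DstBlock, DstPort) for every Line."""
    types = {b["attrs"]["Name"]: b["attrs"]["BlockType"]
             for b in system["children"] if b["kind"] == "Block"}
    wires = [tuple(l["attrs"][k] for k in ("SrcBlock", "SrcPort", "DstBlock", "DstPort"))
             for l in system["children"] if l["kind"] == "Line"]
    return types, wires
```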

## Type inference

- Simulink
  - No data type specified, i.e. all data flows are of type "double"
  - Flat vectors possible almost everywhere (vectorized blocks)
- SCADE: all flows must be typed
  - Basic types: bool (noted b), int (i), real (r)
  - Tuples
- For a precise software specification, the SCADE types must be computed
- For formal verification, an "int" is very different from a "real"
- Note: in Simulink it is possible to specify very precise datatypes such as int8, uint16, etc. for code generation
  - This coding step should be handled after the software specification phase
  - This step is handled by the new SCADE Implementer tool

## Principles

- Always compute the smallest types (bool < int < real)
- Start from the value of the static expressions (also for Matlab variables)
- "Propagate" the types along the flow
- Show the result on a decompiled, annotated Simulink model

## Configuration file

- For each Simulink block:
  - How to propagate the types?
  - Translation to which SCADE node?
- Depends on:
  - The BlockType and the attributes of the block (e.g. "Operator" = "NOT", or ...)
  - The types inferred for the inputs
- First example from the Main Configuration File:

```
( "BlockType" = "Logic", "Operator" = "NOT" ) {
  Interface(1, 1)
  Type(b -> b) { "SC_ECK_NOT" }                   // SCADE predefined NOT operator
  Type(i -> b) { "LibSimulink", "SMLK_NotI" }
  Type(r -> b) { "LibSimulink", "SMLK_NotR" }
}
```

## Resulting SCADE model

- Note: the parameterization with the Matlab variable AA is kept
- Each Matlab variable is translated into a SCADE constant

## Set of mapping rules

- When the input types do not match the CF rules:
  - Choice of the "nearest" rule with larger types
  - Introduction of an explicit cast: always from a smaller type to a bigger one
- Example: (figure: Simulink block and the resulting SCADE model)

## Set of mapping rules

```
( "BlockType" = "Switch" ) {
  Interface(3("Threshold"), 1)
  Type(b, r, b (r) -> b) { "LibSimulink", "SMLK_Switch" }
  Type(i, r, i (r) -> i) { "LibSimulink", "SMLK_Switch" }
  Type(r, r, r (r) -> r) { "LibSimulink", "SMLK_Switch" }
}
```

- The "nearest rule" must be unique!
- Non-coherent example:

```
Type(i, r -> i) { "Lib1", "N1" }
Type(r, i -> r) { "Lib2", "N2" }
```

- Problem if (i, i) is inferred for the inputs: the 2 rules are "equally near"
- A set of rules is "coherent" if the min of any 2 rules is in the set
- Min computed with b < i < r, input per input
- Error message: "add rule type..." or "remove one of the rules type...", etc.
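Added example, not from the slides or from the gateway: the nearest-rule selection, cast insertion and coherence check described in the last two slides, run on the Switch rules above (with the Threshold parameter left out) and on the non-coherent pair. Rule and node names are taken from the slides; the tuple encoding of a rule is my own.

```python
from itertools import combinations

ORDER = {"b": 0, "i": 1, "r": 2}                # bool < int < real

# Rules as (input types, output type, target node). Switch rules from the slide,
# with the Threshold parameter left out; BAD_RULES is the slide's non-coherent pair.
SWITCH_RULES = [(("b", "r", "b"), "b", ("LibSimulink", "SMLK_Switch")),
                (("i", "r", "i"), "i", ("LibSimulink", "SMLK_Switch")),
                (("r", "r", "r"), "r", ("LibSimulink", "SMLK_Switch"))]
BAD_RULES = [(("i", "r"), "i", ("Lib1", "N1")), (("r", "i"), "r", ("Lib2", "N2"))]

def leq(a, b):
    """a <= b input per input in the b < i < r lattice."""
    return all(ORDER[x] <= ORDER[y] for x, y in zip(a, b))

def is_coherent(rules):
    """Coherent: the input-per-input min of any two rules is itself a rule."""
    ins = {r[0] for r in rules}
    return all(tuple(min(x, y, key=ORDER.get) for x, y in zip(a, b)) in ins
               for a, b in combinations(ins, 2))

def select_rule(rules, inferred):
    """Nearest rule with types >= the inferred ones, plus the smaller->bigger casts it needs."""
    candidates = [r for r in rules if leq(inferred, r[0])]
    if not candidates:
        raise TypeError(f"no rule for {inferred}: add rule type{inferred}")
    nearest = [c for c in candidates if all(leq(c[0], o[0]) for o in candidates)]
    if len(nearest) != 1:                        # only possible when the set is not coherent
        raise TypeError(f"rules {[c[0] for c in candidates]} are equally near for {inferred}")
    rule_in, out_type, target = nearest[0]
    casts = [(k, src, dst) for k, (src, dst) in enumerate(zip(inferred, rule_in), 1) if src != dst]
    return target, out_type, casts
```

With a coherent set, the min of all candidate rules is itself a candidate, so the nearest rule is always unique; the (i, i) case on BAD_RULES raises the "equally near" error.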

## Vectorization

- When the input types are vectors:
  - Vectorization of the mapping rule
  - Automatic introduction of a SCADE textual capsule that applies the operator as many times as necessary and builds the output vectors

## Vectorization capsule

```
node S2S_Vect_3_DeadBandUnSymm(
    Input1 : [bool, int, real];
    hidden Input2 : real;
    hidden Input3 : real)
  returns (Output1 : [real, real, real]);
var ...;
let
  _L0 = Input1[1];
  _L1 = Input1[2];
  _L2 = Input1[3];
  _L3 = BoolToReal(_L0);
  Out_1_1 = DeadBandUnSymmetrical(_L3, Input2, Input3);
  _L4 = real(_L1);
  Out_2_1 = DeadBandUnSymmetrical(_L4, Input2, Input3);
  Out_3_1 = DeadBandUnSymmetrical(_L2, Input2, Input3);
  Output1 = [Out_1_1, Out_2_1, Out_3_1];
tel;
```

## Type inference algorithm

- Fix-point algorithm to propagate throughout the model:
  - the arities (size of the vectors),
  - the types,
  thanks to the "main" and "user defined" Configuration Files specifying the mapping rules.
- Problems: the loops in the data flow
  - Message "ATI failed"
  - Workaround: in the Configuration Files it is possible to "force the types" thanks to rules in the CF
  - Example:

```
"Controller"/"UnitDelay" {
  interface(1, 1)
  ArityType(r -> r)
}
```

- Vérimag is working on another strategy
  - Constraint resolution algorithm ("propagation" in both directions of the data flow)
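Added example, not from the slides or from the gateway: a forward fix-point propagation of the b < i < r types over a constructed block graph, following the principles above (start from static expressions, propagate along the flow). Without a forced type, the loop through the Unit Delay never resolves (the "ATI failed" situation); forcing the delay's output type, as the CF rule above does, lets the fix-point complete. The block kinds and the per-kind typing are my simplification, not the tool's configuration.

```python
ORDER = {"b": 0, "i": 1, "r": 2}       # bool < int < real: always compute the smallest type

def static_type(value):
    """Type of a static expression (constructed simplification: bool/int literal, else real)."""
    if value in ("true", "false"):
        return "b"
    return "i" if value.lstrip("-").isdigit() else "r"

def join(types):
    return max(types, key=ORDER.get)

def infer_types(model, forced=None):
    """Fix-point propagation of flow types over a block graph.
    model:  name -> (kind, [input block names], static parameter or None)
    forced: name -> output type, i.e. the CF 'force the types' workaround for loops.
    Returns (types, unresolved); a non-empty unresolved list is the 'ATI failed' case."""
    types = dict(forced or {})
    changed = True
    while changed:                                   # iterate until no block gains a type
        changed = False
        for name, (kind, inputs, param) in model.items():
            if name in types:
                continue
            known = [types[i] for i in inputs if i in types]
            if len(known) != len(inputs):
                continue                             # an input is still untyped (e.g. in a loop)
            if kind == "Constant":
                types[name] = static_type(param)
            elif kind == "Logic":
                types[name] = "b"
            else:                                    # Sum, Gain, UnitDelay...: smallest common type
                types[name] = join(known + ([static_type(param)] if param else []))
            changed = True
    return types, sorted(set(model) - set(types))

# Constructed model: an accumulator out = 3 + pre(out), i.e. a loop through the Unit Delay,
# plus a Gain by 2.5 and a logical NOT fed from the loop.
MODEL = {
    "Const3": ("Constant", [], "3"),
    "Sum":    ("Sum", ["Const3", "Delay"], None),
    "Delay":  ("UnitDelay", ["Sum"], None),
    "Gain":   ("Gain", ["Sum"], "2.5"),
    "Not":    ("Logic", ["Sum"], None),
}
```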

## Clock inference (1/3)

- Simulink
  - Discrete operators: execution based on a "sample time"
    - Value representing an actual delay
    - "-1" represents inheritance of the sample time from the input flow
  - Enabled subsystems
    - Executed while the condition signal > 0
  - Triggered subsystems
    - Executed on the rising/falling edge of the condition signal
- SCADE
  - Clocks derived from a basic clock
  - Condact operator on a node
    - Executed if the condition signal = TRUE

## Clock inference (2/3)

- Simulink Gateway
  - computes the rate of the SCADE basic clock:
    - GCD of the sample time values. Example: ST1 = 1.75, ST2 = (2.25, 0.5) => Basic clock = 0.25
  - generates all the required derived clocks
    - SCADE node SMLK_ClockGen(period, offset) = (9, 2) for the block with ST2
  - encapsulates the SCADE node corresponding to the Simulink discrete block with a condact activated by the correct generated clock

## Clock inference (3/3)

- Enable and trigger handling
  - Encapsulate the SCADE node with a condact activated by a signal computed from the condition
    - E.g.: GeneralTrigger = RisingEdge(condition);
- Caution: the generation of the derived clock (by SMLK_ClockGen) must be done OUTSIDE Enabled or Triggered subsystems; the "global time" always runs at the same speed
  - Derived clocks are generated in a textual capsule at the root node of the model
  - Propagation of the clocks to the discrete blocks through additional parameters to the nodes
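Added example, not from the slides or from the gateway, covering the two previous slides: the basic-clock GCD on the slide's sample times (ST1 = 1.75, ST2 = (2.25, 0.5)), the SMLK_ClockGen (period, offset) parameters derived from it, and a derived clock, a rising-edge trigger and a condact modelled over the instants of the basic clock. Exact fractions are used so the GCD is not spoiled by floating point; the condact's hold-previous-value behaviour and the initial "false" before the first instant of RisingEdge are my assumptions.

```python
from fractions import Fraction
from functools import reduce
from math import gcd

# Sample times from the slide's example: (period, offset) per discrete block
SAMPLE_TIMES = {"ST1": (1.75, 0), "ST2": (2.25, 0.5)}

def basic_clock(sample_times):
    """Rate of the SCADE basic clock: exact GCD of all periods and offsets (as Fractions)."""
    values = [Fraction(str(v)) for st in sample_times.values() for v in st]
    den = reduce(lambda a, b: a * b // gcd(a, b), (v.denominator for v in values), 1)  # lcm
    return Fraction(reduce(gcd, (int(v * den) for v in values)), den)

def clock_gen(sample_time, basic):
    """SMLK_ClockGen(period, offset) parameters in basic-clock ticks for one block."""
    period, offset = (Fraction(str(v)) / basic for v in sample_time)
    assert period.denominator == 1 and offset.denominator == 1   # guaranteed by the GCD
    return int(period), int(offset)

def derived_clock(period, offset, ticks):
    """Derived clock generated at the root node: True on the instants the block must run."""
    return [k >= offset and (k - offset) % period == 0 for k in range(ticks)]

def rising_edge(cond):
    """GeneralTrigger = RisingEdge(condition): True where cond goes False -> True
    (assumption: the value before the first instant is False)."""
    return [v and not (cond[k - 1] if k else False) for k, v in enumerate(cond)]

def condact(clock, inputs, step, init):
    """Run the stateless `step` only on instants where the clock is True; on the other
    instants the output holds its previous value (init before the first activation)."""
    out, last = [], init
    for active, x in zip(clock, inputs):
        if active:
            last = step(x)
        out.append(last)
    return out
```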

## From SCADE to Simulink: Simulink Wrapper

(Diagram, black box simulation: Original Simulink model -> Simulink Gateway -> Generated SCADE model -> SCADE CG -> C files; Simulink Wrapper -> Wrapper code (C); C files + wrapper code -> MEX S-function DLL, used in the "hybrid model" under Simulink.)

## Simulink Wrapper

- The SCADE model is integrated into Simulink as an "S-Function"
- The S-Function is automatically generated:
  - C code generated by the SCADE Code Generator
  - Capsule code generated by the Wrapper
- Simulation under Simulink:
  - The SCADE node is a black box
  - Next release: also white box co-simulation with the SCADE simulator
- The embeddable code interacts with the Simulink environment
- May be used independently or coupled with the Simulink translator

## Simulink Gateway project summary

- Started: February 2000
  - under the European project SafeAir (SNECMA, Airbus, Vérimag, ...)
- Pursued under the European project RISE (Audi, TTTech, Vérimag)
- Matured tool used on industrial projects
  - Example: new Rafale engine developed by Hispano-Suiza
  - Several thousands of Simulink blocks
  - Code generated by SCADE KCG for certification this year

- Slides: 33