Page 1 (11/2001). This document is the property of EADS LAUNCH VEHICLES and shall not be communicated to third parties and/or reproduced without prior written agreement. Its contents shall not be disclosed. - EADS LAUNCH VEHICLES - 2001 PSLC

Design of critical software in the space domain
From the system to the software... Lessons learned on formal methods
David LESENS, EADS LAUNCH VEHICLES, Route de Verneuil BP 2, F-78133 Les Mureaux Cedex, France. Email: david.lesens@launchers.eads.net
Page 2: Outline
- EADS LAUNCH VEHICLES: who we are
- Development methodology for a vehicle system: development, validation
- Formal methods for software specification: why, how
- Lessons learned: the Automated Transfer Vehicle, specification of the MSU software
- Conclusions
Page 3: EADS, a major player in the aeronautics and defence industry
- World no. 3, European no. 1
- 2000 turnover*: 24.2 billion
- 2000 order intake*: 49.3 billion
- * pro forma values
[Bar chart comparing Boeing, Lockheed-Martin, EADS, BAE Systems, Raytheon, Northrop and Thales]
Page 4: European Aeronautic Defence and Space Company: LAUNCH VEHICLES
Page 5: Flagship activities of EADS LAUNCH VEHICLES
- Strategic systems: M4 / M5, M51; prime contractorship of complete systems
- Space transportation: Ariane 4, Ariane 5, ATV, Soyuz; complementary launchers: ARD, ARES, THEMIS
- Equipment: space equipment, satellite products, technology and miscellaneous products
Page 6: Turnover by activity
- 2000 turnover: 1043.5 million
- 67% civil space transportation: 697.7 million
- 28% strategic launchers: 295.8 million
- 5% equipment: 50 million
Page 7: Outline (section divider, same outline as Page 2)
Page 8: Development of space software
[Diagram of the development chain] Vehicle specification, vehicle design, equipment specification, software specifications, development, simulator development, I/F development. Disciplines involved: mission management, communication, thermal, power, propulsion, navigation / guidance / control algorithms, solar panels.
Page 9: Software validation
- The first flight is a qualification flight
- Real software, equipment simulators, environment simulator, real equipment
- Simulation of a complete flight
Page 10: Objective of the software specification
- Capture the system need (domain specialists)
- Serve as input to the development activity (consistency, completeness)
- Serve as reference for functional validation (validatable requirements)
Page 11: Outline (section divider, same outline as Page 2)
Page 12: Why use formal methods?
[V-cycle diagram: system studies, technical specification, design, development, unit tests, integration, functional validation, qualification; refinement between stages]
- Writing the specifications with a formal method: reduction of late corrections, immediate rework
- "Validatable" specification
- Test generation
Page 13: 1st objective of formal specification methods
- Increase the formalisation of our specification
- Communication standard, for computer scientists and for non-computer scientists
- Different application types: synchronous and/or asynchronous and/or algorithmic
Page 14: 2nd objective of formal specification methods
- Detect errors in the early phase of development
- Validation of the specification: consistency of the specification, completeness of the specification
- Proof on the specification
- Test: rapid prototyping, simulation of the specification
Page 15: 3rd objective of formal specification methods
- Ease the refinement of the specification towards a design
- Reuse of the specification simulation tests
- Writing a design with a formal method?
- Code generation: sequential or multitasking; target language; embeddable?
Page 16: And in practice? Let's be pragmatic!
- Lessons learned: formal methods are heavy to use; use them according to the needs
- Static modelling (SADT or SART type): verification of data-flow consistency
- Dynamic modelling: better understand a difficult point (simulation / validation); specification; complete development (vehicle specification or embeddable code)
- Choice of the method: in support of a specification or of an analysis
Page 17: Which "formal" methods to choose?
[Diagram mapping methods to development stages] Stages: vehicle system, algorithmic studies, software specification, software design, coding. Methods shown: Simulink, James, SDL, StateCharts, Scade, Signal, Esterel, B method, UML. Application examples.
Page 18: Outline (section divider, same outline as Page 2)
Page 19: Lessons learned at EADS Launch Vehicles
System specification:
- ATV safety chain (ground / communication system; pool of on-board computers / bus / wired links; safety system (MSU) and associated software): upstream studies in SDL
Software specification:
- Ariane 5 GNC architecture (cyclic / synchronous; multi-rate, activation condition): upstream studies, reverse engineering in SCADE
- Ariane 5 sequencer (asynchronous coupled to synchronous): upstream studies, reverse engineering in SDL
- MSU software (ATV / ISS safety): operational development in SCADE
Page 20: The Automated Transfer Vehicle (ATV) context
- One of the European contributions to the International Space Station (ISS)
- From 2004 onward it will supply the following services to the ISS: refuelling, ISS orbit correction, freight delivery, ISS trash destruction
Page 21: ATV safety chain and Collision Avoidance Manoeuvre (CAM)
[Diagram: safety chain made of MSU 1 and MSU 2 with sensors and thrusters, exchanging health status and reset with the DPU 1 / DPU 2 / DPU 3 pool (FTCP); rendezvous monitoring; red button]
- Responsible for ISS safety by triggering a CAM
- 2 redundant chains
- Coded in Ada, no Ada exception, single task
Page 22: How is the MSU software specified?
[Diagram] Inputs: GNC algorithms (algorithm reference documents), state automaton, MSU SW architecture, CAM sequencer. Functional requirements are captured by SCADE modelling, non-functional requirements in a FrameMaker editor; together they form the Technical Specification of the MSU SW.
Page 23: Contents of the MSU SW SCADE model
- Navigation, monitoring, control
- Activation condition
- Data-flow description
- CAM, post-CAM
- Hierarchical decomposition
- FBY 2 (data ageing)
- Synchronous and cyclic architecture
Page 24: Validation of a SCADE specification
- Formal semantics: specification complete, coherent, implementable, unambiguous, easy to understand (graphic), well accepted by the participants
- Semantics verifier
- Executable specification: simulation, code generation
- Spec validation: formal proof (exhaustive, automatic), validation improvement
Page 25: Formal proofs on the MSU SW TS
[Diagram] SCADE model + environment description + logical property are submitted to exhaustive verification by the LESAR tool, which answers either "true property" or a diagnostic.
- The LESAR tool is developed by the VERIMAG laboratory
Page 26: Property description
- Use of a synchronous observer, specified in SCADE, in LUSTRE, or using regular expressions
[Diagram] An environment oracle constrains the inputs of the observed software; a properties oracle watches its inputs and outputs.
Page 27: Proof by model checking
- Construction of a mathematical model of the SCADE model
- Computation of the reachable states
- Comparison with the forbidden states
[Diagram: SCADE model mapped to a mathematical model; initial states and forbidden states]
Page 28: Property examples
- A CAM test can only be triggered by a red button signal: true_after_false(CAM_TEST_TRIG) => RED_BUTTON. No assertion is required from the environment to satisfy this property.
- When the initialisation of the two MSU chains is correct, they cannot both trigger a CAM at the same time: #(MSU1_CAM_TRIG, MSU2_CAM_TRIG). It is satisfied only when the initialisation of the two MSUs is correct, expressed by the environment assertion cam_arm(SWITCH_ON_MSU1, ARM_MSU1, SWITCH_ON_MSU2, ARM_MSU2, RED_BUTTON).
[Automaton of cam_arm: Init --on1--> S1 --arm1--> S2 --on2--> S3 --arm2--> S4]
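The observer-and-model-checking scheme of Pages 26 to 28, as an added example in Python that is not from the presentation nor from the SCADE/LESAR tools: a constructed two-chain MSU model, observers for the two properties above, an environment oracle reading the cam_arm automaton, and an exhaustive reachable-state search that returns a diagnostic trace when a forbidden state is reached. The chain model (prime/backup election at switch-on) and the exact shape of cam_arm are assumptions.

```python
from collections import deque
from itertools import product

INPUTS = ("rb", "on1", "arm1", "on2", "arm2")  # red button; switch-on and arm per chain

def chain_step(st, switch_on, arm, other_on):
    """One MSU chain (constructed): state = (on, prime, armed)."""
    on, prime, armed = st
    if not switch_on:                 # switching a chain off clears its state
        return (False, False, False)
    # a chain powering up while the other is still off elects itself prime
    return (True, prime if on else not other_on, armed or arm)
def model_step(st, i):
    """Synchronous cycle: outputs read the previous state (FBY-style data ageing)."""
    c1, c2 = st
    rb = i["rb"]
    out = {"cam_test_trig": rb and not (c1[2] or c2[2]),   # test: button, no chain armed
           "cam1": c1[2] and rb and (c1[1] or not c2[2]),  # a backup chain fires only
           "cam2": c2[2] and rb and (c2[1] or not c1[2])}  # if the prime one is not armed
    return (chain_step(c1, i["on1"], i["arm1"], c2[0]),
            chain_step(c2, i["on2"], i["arm2"], c1[0])), out
def obs_red_button(prev, i, out):
    """Observer for true_after_false(CAM_TEST_TRIG) => RED_BUTTON (one-cycle memory)."""
    rising = out["cam_test_trig"] and not prev
    return (not rising) or i["rb"], out["cam_test_trig"]
def obs_single_cam(prev, i, out):
    """Observer for #(MSU1_CAM_TRIG, MSU2_CAM_TRIG): at most one CAM per cycle."""
    return not (out["cam1"] and out["cam2"]), prev

SEQ = [dict(on1=0, arm1=0, on2=0, arm2=0), dict(on1=1, arm1=0, on2=0, arm2=0),
       dict(on1=1, arm1=1, on2=0, arm2=0), dict(on1=1, arm1=1, on2=1, arm2=0),
       dict(on1=1, arm1=1, on2=1, arm2=1)]  # Init, S1, S2, S3, S4 of cam_arm

def cam_arm(env, i):
    """Environment oracle (constructed reading of cam_arm): hold or advance one step; rb only in S4."""
    for nxt in (env, env + 1):
        if nxt < len(SEQ) and all(i[k] == v for k, v in SEQ[nxt].items()) \
                and (not i["rb"] or nxt == 4):
            return nxt
    return None  # input vector excluded by the assumption

def check(observer, assume=None):
    """Reachable-state computation; None if the property holds, else the shortest offending trace."""
    start = (((False,) * 3, (False,) * 3), False, 0)
    seen, queue = {start}, deque([(start, [])])
    while queue:
        (mst, obs, env), trace = queue.popleft()
        for vals in product((False, True), repeat=len(INPUTS)):
            i = dict(zip(INPUTS, vals))
            env2 = assume(env, i) if assume else 0
            if env2 is None:
                continue
            mst2, out = model_step(mst, i)
            ok, obs2 = observer(obs, i, out)
            if not ok:
                return trace + [i]
            nxt = (mst2, obs2, env2)
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, trace + [i]))
    return None
```

Without the cam_arm assumption the search reports a two-cycle trace in which both chains switch on and arm together and then both fire on the red button; with the assumption the second property holds, as the slide states.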
Page 29: Conclusion on formal method use for ATV
Improves the quality of the TS of the MSU software:
- Description of a cyclic and synchronous MSU architecture
- Formal semantics (no ambiguity, no incoherence): data flow / activation condition, data obsolescence description
- MSU SW TS easy to understand
- Semantics verification / formal proof
Not usable for a complex software:
- Not adapted to asynchronous software
- Limited to small, cyclic, synchronous software
- Start of the MSU software design
Page 30: Complex software (1): level of description?
[Diagram comparing a synchronous specification with an asynchronous specification of the same system: communication system and GNC exchanging TC / TM, with data update and algorithms on the GNC side; in the asynchronous view the exchange is a TM / command / acknowledgement dialogue]
Page 31: Complex software (2): synchronous hypothesis (1)
[Timing diagram: bus frame, measurement, software, algorithm and command over cycles n-1, n and n+1; algorithm period]
Page 32: Complex software (2): synchronous hypothesis (2)
[Timing diagram, second variant: bus frame, measurement, software, algorithm and command over cycles n-1, n and n+1; algorithm period]
Page 33: Complex software (2): synchronous hypothesis (3)
[Timing diagram, third variant: bus frame, measurement, software, algorithm and command over cycles n-1, n and n+1; algorithm period]
Page 34: Outline (section divider, same outline as Page 2)
Page 35: Conclusion: how to use formal methods
- In reverse engineering: development of a formal model from a software specification, to analyse a particular point
- Three steps in development:
  - Specification: when to start the development? maturity of the need; precision of the description? position in the cycle
  - Validation of the specification: a new activity to plan and to fund
  - Refinement towards code: evolution of the development cycle
Page 36: Prospects (1): improvement of the techniques used
- Specification techniques: mixing synchronous and asynchronous; refining from asynchronous to synchronous...
- Proof techniques: specification of the properties; power of the tools...
- Design techniques: compilation languages; multitasking architectures...
Page 37: Prospects (2): improvement of the methodology
- Extend the formal approach to the vehicle system: use by non-computer scientists; refinement
- Make the formal approach systematic: use in future projects; critical and less critical systems; company culture