Community Research and Development Information Service - CORDIS

FP7

CertMod Report Summary

Project ID: 335866
Funded under: FP7-JTI
Country: France

Final Report Summary - CERTMOD (Certified Code Generation of Model-Based Modelica Controllers)

Executive Summary:
The Clean Sky consortium aims to demonstrate substantial environmental and economic benefits of more electric aircraft systems technologies. The design and validation of such highly integrated systems urge the need for more co-operative development processes involving aircraft, engine, and equipment manufacturers.
The design process has to be supported through advanced modelling and simulation capabilities. Therefore, a goal of the Clean Sky consortium is to define standardized modeling methods and tools in each phase of the energy system design process. In particular, models that span the full operating region shall be directly usable in control systems of the aircraft, in order to improve significantly the behavior.

Project Context and Objectives:
In the Clean Sky consortium, several members are working on modelling and simulation of aircraft systems with the multi-domain modelling language Modelica (www.Modelica.org). The final goal is to not only utilize these models for design and evaluation, but also to directly use Modelica controller models for generation of certified code in embedded systems. On one hand this will improve the system design process, since controllers developed in Modelica will not need to be coded manually in a different language. On the other hand, advanced nonlinear controllers could possibly be certified and thus applied on-board an aircraft.
The tasks carried in the CertMod project include:
1. The definition of the requirements about the type of models that shall be handled (with examples in the area of Systems for Green Operations ITD).
2. The definition of the requirements so that the models identified in 1) can be automatically transformed to C-code by a code generator that is qualified according to DO-178B Level A for civilian aircrafts.
3. The identification of a subset of the Modelica language (version 3.3) and of symbolic transformation and compiler techniques so that the requirements of 1) and 2) can be fulfilled.
4. The implementation of a prototype.
5. The support of the evaluation of the prototype.

Project Results:
Targeted controllers share some common properties as they manipulate only discrete data and do not represent physical models. Furthermore, the discrete equations have to be based on the synchronous language elements introduced in Modelica 3.3. Indeed, the discrete equations provided by previous Modelica versions may not provide the high assurance level required for safety-related code generation. These properties allow for restricting the Modelica language to be treated for these parts. In a Modelica model, once a block for is identified for code generation, the certifiable part of the model is identified as the block itself and all blocks used by it. They must in turn share the properties of a certified model as well as the blocks they depend on. Finally, a certified model must be standalone, meaning that it must not have undefined parameters or variables once flattened and can be instantiated as is. This restriction is motivated by the fact that they are intended to be embedded as is, and must hence be dimensioned for the target hardware.
The defined subset of Modelica 3.3 can be summarized as follows:
• Parts that are included as is (or with minor restrictions):
o Equations in a clocked discrete-time partition, expression-level operators. Point-wise expressions on arrays are part of the selected subset;
• Parts that are allowed with restrictions:
o Class definitions with inheritance (extends), Component instantiation with modifications;
• Parts that are not included:
o Equations in continuous-time or not clocked partitions, arrays with dynamic sizes, continuous-time operators, state machines, algorithm sections in non-Function blocks.
The selected Modelica subset must be formalized which is a necessary step to reach the DO-178C goals. The issue categories that can be drawn from the previous analysis are:
• The highly open structure of models that allow for a lot of different instances of a model,
• A rich expression language that need be thoroughly described,
• The modularity of Modelica is not well formalized yet.
A formalization of the subset of the Model language that fulfills the expressed needs has been developed The subset is given as a formal grammar that describes precisely the selected language constructs of the subset.
The subset contains all types of class declarations with some restriction on user specifier. Equations in the Modelica subset are required to live in the synchronous world, which restricts the kind of equations that are possible. Basically, only equations defining clocks and clocked equations are allowed. Modelica functions do not have equations but instead an algorithm section which contains procedural statements. These statements are similar to C statements. In the Modelica subset, we somewhat restricted the possible statements to make memory usage and loop size statically computable, which is a quite strong requirement for embedded software. The allowed expressions are merely the ones that are possible to appear in clocked partitions in standard Modelica. Restrictions are set on the array operations, there is no string type support in the subset and ranges and comprehension are possible only when statically evaluable. In addition to the language constructs, corresponding rules for type-checking, clock-checking and name resolution are given. Static evaluation is also formalized. This is a theoretical work delivered in a mathematical form.
As a result, this work provides a well-defined, deterministic language that can be used as input for a certified code generator.
A prototype of code generator has been developed that takes the Modelica subset as input and produces C code. The prototype does not take the full Modelica language, and only generates syntax errors instead of appropriate error messages. The prototype provides a limited support of the standard library and allows for block instantiation. Therefore, models with hierarchy are also accepted.
The prototype is based on the SCADE Suite KCG code generator. The subset is translated into the kernel language which is the bulk of the Scade language. The prototype benefits of the architecture of the certified code generator. The development of the specific part related to the Modelica subset follows the same rules as for the rest of the tool. In particular, the design has been developed prior to the implementation. The prototype is therefore a strong basis for a certified development of an actual certified code generator.

Potential Impact:
The Clean Sky project aims at demonstrate substantial environmental and economic benefits of more electric aircraft systems technologies. The development can be actually done on a full virtual basis, mixing the plant description in Modelica as well as the controllers that interact with that environment. Once proper controllers are designed, they can be automatically generated in C.
In that context, results of CertMod participate in the integration of the development and validation process, reducing cost of development and time to market, while increasing quality of produced embedded software.
Furthermore, work done in the context of Clean Sky can be applied to other domains where Modelica is used, extending the benefits of the approach to these domains, such as automotive or IoT.

The results of the project have been presented at the Modelica Conference 2015, which make them available to the users of the Modelica language. There were presented during the “Safety and Formal” session and the article is publicly available on the Modelica site

List of Websites:
Publication link: https://www.modelica.org/events/modelica2015/proceedings/html/sessions/session_8C.html

Bruno Pagano, Scientific Dir. (bruno.pagano@ansys.com), Xavier Fornari, Product Manager, (xavier.fornari@ansys.com)

Reported by

ESTEREL TECHNOLOGIES SA
France
Follow us on: RSS Facebook Twitter YouTube Managed by the EU Publications Office Top