Experience of an efficient and actual MDE process: design and verification of ATC onboard systems

Author

  • E. Bonnafous
Abstract

Since 2002, CS has been involved in the conception and specification of ATC systems for the A320, A340, A380, A400M and A350 aircraft. The ATC module, a ground/onboard communication system, is designed in SDL, a modelling language standardized by the ITU-T and also described as a UML2 profile. The well-defined semantics of SDL make homogeneous code generators and model simulators possible: these two techniques are used in the ATC project process and give it very high productivity. The automatic code generator produces the C code of the application. The code generator is qualified in accordance with the DO-178B requirements (level C). This very strict qualification (development tool qualification) greatly reduces the testing effort on the ATC application. Test-based verification is performed on the SDL models through simulated execution. CS uses RTDS, an SDL Z.100 simulator developed by Pragmadev. As well as providing editing and syntax/semantic checking of SDL models, RTDS provides debugging facilities such as breakpoints and step-by-step execution at the model level, and a powerful scenario language that can call simulator directives such as MSC generation, internal signal sending, variable printing and so on. In order to improve the quality and effectiveness of ATC model verification, CS has developed a set of applications that connect to the SDL simulator over TCP/IP in order to interact with the system under test. These applications are onboard systems (FM, cockpit HMI simulations: CDS or MCDU/DCDU) and ATC ground simulations (CPDLC, ADS, A623, ...). For the parts of the complete application that are hand-written in C, the simulator is able to call such services through the XmlRpc protocol. With this complete set of high-level and very representative simulations, the process is able to detect and reproduce almost all of the problems that traditional processes detect very late.
In parallel with this actual process, research actions are being led in the ATC project area by CS and ENSIETA. To enhance the safety and maturity of the ATC product, CS and ENSIETA are studying and developing a way to perform exhaustive verification of ATC model requirements. The technique used is model checking; the studies focus on a way to systematically reduce combinatorial explosion and on improving the formalism of the properties to be verified. The goal is to make this technique an industrial, cost-effective and certifiable means of verification.


Related articles

Optimal design of onboard energy storage systems with volume limitation for urban electrical rail transportation

Train braking energy regeneration in urban electrical rail transportation systems can reduce energy consumption and operational cost of the system. In this paper, optimal design of an onboard energy storage system (OESS) with volume constraint is presented for urban electrical rail transportation systems (ERTS). Onboard super-capacitors are considered as the storage system. The objective functi...


Teaching MDE through the Formal Verification of Process Models

Model Driven Engineering (MDE) and formal methods (FM) play a key role in the development of Safety Critical Systems (SCS). They promote user oriented abstraction and formal specification using Domain Specific Modeling Languages (DSML), early Validation and formal Verification (V&V) using efficient dedicated technologies and Automatic Code and Documentation Generation. Their combined use allows ...


Reachability checking in complex and concurrent software systems using intelligent search methods

Software system verification is an efficient technique for ensuring the correctness of a software product, especially in safety-critical systems in which a small bug may have disastrous consequences. The goal of software verification is to ensure that the product fulfills the requirements. Studies show that the cost of finding and fixing errors in design time is less than finding and fixing the...


Safety Verification of Real Time Systems Serving Periodic Devices

In real-time systems the response to a request from a controlled object must be correct and timely. Any late response to a request from such a device might lead to a catastrophe. The possibility of a task overrun, i.e., missing the deadline for completing a requested task, must be checked and removed during the design of such systems. Safe design of real-time systems running periodic tasks under th...


The Formalism Transformation Graph as a Guide to Model Driven Engineering

In recent years, many new concepts, methodologies, and tools have emerged, which have made Model Driven Engineering (MDE) more usable, precise and automated. An MDE process is very often dependent on the domain. Thus, means for composing and customizing MDE activities are increasingly necessary. In this paper, we propose the FTG+PM framework that acts as a guide for carrying out model transforma...


Publication date: 2007