Applying Model-Based Design and Automatic Production Code Generation to Safety-Critical System Development

Abstract

Model-based software development and automatic code generation have become increasingly established in recent years. The automotive industry has widely adopted and successfully deployed these methods in many different series production programs worldwide. This has brought various benefits, such as a reduction in development times, improved quality due to more precise specifications, and early verification and validation by means of simulation.

At the same time, more and more safety-related and safety-critical systems have been, and will be, introduced into modern vehicles. Common examples are active front steering, adaptive cruise control, and integrated chassis control.

This leads to the question of whether and how model-based design and automatic production code generation can be applied to the development of safety-critical systems.

Similar Papers
  • Conference Article
  • 10.4271/2009-01-3209
Model-Based Design and Automatic Production Code Generation for Safety-Critical Software Development
  • Nov 10, 2009
  • SAE technical papers on CD-ROM/SAE technical paper series
  • Dirk Fleischer + 3 more

Model-based software development and automatic production code generation have become increasingly established in recent years. The aerospace industry and other industries, such as automotive, have widely adopted and successfully deployed these methods in many different series production programs worldwide. This has brought various benefits, such as a reduction in development times, improved quality due to more precise specifications, and early verification and validation by means of simulation.

Model-based development is a general-purpose development approach which can be applied to a wide variety of applications. Safety-critical systems, such as those found to a large extent in aerospace applications but also increasingly in other industries such as automotive or medical devices, pose special additional requirements for this process.

This paper describes how model-based design and automatic production code generation can be applied to the development of safety-critical software.

  • Research Article
  • 10.4271/2016-01-0021
Development and Implement of a Model-Based Design Controller for PEPS System
  • Apr 5, 2016
  • SAE International Journal of Passenger Cars - Electronic and Electrical Systems
  • Xiaodong Zhang + 3 more

PEPS (Passive Entry and Passive Start) systems are gradually becoming a mainstream option in automotive keyless entry applications, improving convenience and vehicle anti-theft performance. Based on the complex functions and safety technical requirements of the PEPS controller, and because model-based system design is widely used as a development method in the automotive electronics industry, this paper presents a model-based development method for the PEPS controller, which introduces the process of modeling and automatic code generation for the PEPS controller. Using Simulink/Stateflow for logic system modeling of the PEPS controller, the controller's complex system functions are divided into different function layers, each functional layer is modeled respectively, and the logic function design is implemented in the graphical language. Based on the model, the paper describes the process of model debugging and validation, coverage analysis of the model, MIL (Model In the Loop) testing and SIL (Software In the Loop) testing. Using the automatic code generation tools TargetLink, supplied by dSPACE, and Simulink/Embedded Coder, supplied by MathWorks, automatically generated production code for the PEPS controller is achieved. This paper also compares the process of generating C code with Embedded Coder and with TargetLink. While ensuring the quality of the generated code, the model-based design method also contributes a lot to improving work efficiency, shortening the development cycle, reducing development costs, and enhancing the quality and security of the product.

  • Research Article
  • 10.1088/1742-6596/2503/1/012100
Implementation of Automatic DSP Code Generation Based on Closed-loop Algorithm for Three-level Inverters
  • May 1, 2023
  • Journal of Physics: Conference Series
  • Yu Zhang + 2 more

Wind energy has the advantages of being widely distributed, renewable, and non-polluting, so it is receiving more and more attention from more and more countries. As more and more wind power systems are integrated into the grid, they have an impact on the stability of the grid. To keep the power system stable, there is an urgent need for a grid simulator that can simulate various behaviors of the grid and test the reliability of the wind turbine before grid integration. Inverters, especially multilevel inverters, as the core part of the grid simulator, have been widely studied by scholars in recent years. However, compared to conventional inverters, multilevel inverters are characterized by high code development effort, great difficulty, and a long development period. In this paper, we adopt an automatic DSP code generation method with the MATLAB hardware support package and give a complete system design method and development flow based on MATLAB and TMSF28335 automatic code generation. Finally, we take the closed-loop three-level MMC inverter as an example, propose an equalization algorithm suitable for automatic code generation for the capacitor-voltage balancing part, and verify the feasibility of DSP automatic code generation in multilevel inverter development. The feasibility of DSP automatic code generation in the development of a multilevel inverter is verified. The experimental results show that the proposed equalization algorithm with variable reference coefficient and the DSP automatic code generation method can be used in the development of a multilevel inverter, which can improve development efficiency and reduce development costs.

  • Conference Article
  • Cited by: 11
  • 10.4271/2002-01-0876
Practical Application of Model-Based Software Design for Automotive
  • Mar 4, 2002
  • SAE technical papers on CD-ROM/SAE technical paper series
  • Scott Ranville

A number of factors are driving a change in how the automotive industry develops software. Some of these factors include: increasing complexity of the software; increasing quantity of software in the vehicle; reduced resources of development time, engineers, money; and the emergence of software-based safety-critical systems. To address these issues, the automotive industry, as well as a number of other embedded industries, are moving to a model-based software design process. The goals of the model-based process are to reduce the overall cost and time of the development process while increasing the quality of the software. These goals will be accomplished by re-aligning the emphasis of the engineering effort to earlier in the design process and by automating as much of the design process as is possible.

This paper will present a number of the key steps in the software design process, describing the objective of each step and listing a number of issues that need to be addressed. This should provide a good overview of a model-based software design process with enough detail to provide a sense for the scope of the problem.

Some of the particular steps that will be described include: modeling style guides, automatic code generation, model checking, automatic test vector generation, rapid prototyping/hardware-in-the-loop, schedulability analysis, networked applications, and configuration management.

  • Conference Article
  • Cited by: 5
  • 10.4271/2014-01-2149
Managing Data and the Testing Process in the MBD Environment
  • Sep 16, 2014
  • SAE technical papers on CD-ROM/SAE technical paper series
  • Jace Allen

In the last few years, we have seen a tremendous increase in product complexity due to advances in technology and aircraft system functionality enhancement. The Model-based Design (MBD) process has helped manage the complexity of these systems while making product development faster by bringing more effective tools and methods to the entire process. Developing software using MBD has required extensive, sophisticated tool-chains that allow for efficient rapid controls prototyping, automatic code generation, and advanced validation and verification techniques using model-in-the-loop (MIL), software-in-the-loop (SIL), and hardware-in-the-loop (HIL) for both component testing and integration testing. However, the MBD process leads to generation of large volumes of data artifacts and work-products throughout the V-Cycle. The various components of these environments, from models to parameters to tests, can be inundating, and variants and versions of these artifacts lead to even larger amounts of data. These artifacts have traditionally been managed with Configuration Management systems and Product Lifecycle Management (PLM) tools, but the process of managing the links and information about this data (aka metadata) has been a difficult task for many companies. Many companies have limited or very poor integration between their PLM systems and their development tools for MBD. In order to effectively use the MBD tools in the development process, it is necessary to be able to manage this data and metadata in an efficient manner that relates directly to the engineering tools and methods.

This paper will discuss some of the major data artifacts and work products that are inherent in the MBD process. We will show the critical requirements to enable reuse of this data, with respect to both the actual MBD tools and the development and testing process leading to version control and variant management of these artifacts. A new Data Management environment has been built to support MBD systems given these requirements, and this system's approach to these issues will be shown. Examples for Test Management, Model Management, and Parameter Management will be discussed, along with the underlying needs to connect to Requirement Systems and provide process traceability. Further, we will discuss integration with standard PLM and Application Lifecycle Management (ALM) tools and processes, providing a usable MBD data-management solution to increase process efficiency and provide effective management of data.

  • Conference Article
  • Cited by: 5
  • 10.4271/2006-01-0612
A Seamless Implementation of Model-Based Design Applied to a New Fuel Control Feature for an Existing Engine ECU
  • Apr 3, 2006
  • SAE technical papers on CD-ROM/SAE technical paper series
  • Tom Erkkinen + 1 more

Bringing a new automotive electronic control unit (ECU) to market is a multi-phase process. Generally speaking, the phases are engineering analysis, rapid prototyping, software implementation, test and calibration. A variety of engineering staff and tools are used as the ECU progresses through the development process. However, the use of different tools may require non-value-added steps to translate data and results from one process phase to another. This lack of integration introduces the potential for errors, adds delay and costs to projects, and makes it difficult to trace the behavior of the final product back to the original requirements.

Model-Based Design addresses many of the integration problems through use of executable specification models and automatic code generation. However, connecting the design effectively to the prototype vehicle provides additional integration challenges since it requires specialized hardware interfaces and target-specific software device drivers.

This paper describes how two sets of tools used together can meet these challenges and deliver the final product without inefficient transitions through ECU development phases. It is written around the implementation of a fuel control algorithm, from control strategy concept to final in-vehicle calibration. This paper first shows how in-vehicle rapid prototyping helps developers select the best algorithm candidate and then how embedded software can be automatically generated and tested: first in the lab, then on the dyno, then in the vehicle. Finally the paper describes how to calibrate the control system parameters based on the models and generated code.

  • Research Article
  • Cited by: 6
  • 10.4271/2013-01-0432
From Specification Models to Distributed Embedded Applications: A Holistic User-Guided Approach
  • Apr 8, 2013
  • SAE International Journal of Passenger Cars - Electronic and Electrical Systems
  • Ingo Stierand + 6 more

We introduce a framework that aims at automating significant parts of the design flow in a typical scenario for embedded application development in the automotive domain. Given a specification model of a new automotive feature captured in Matlab-Simulink, the framework allocates new functions onto the devices of the hardware architecture such as ECUs and buses, considering already deployed functions and the distributed nature of embedded systems used in the automotive industry. The framework is motivated by the iterative design process in industrial practice and subdivided into several steps. In the task creation process a balanced task structure is derived automatically from the specification model. Automatic code generation and execution time analysis for each task demand a semantics-preserving restructuring process of the Matlab-Simulink model. The task structure and the generated software tasks serve as input for the automated design space exploration process, which has the goal of finding a cost-optimized extension of the existing target hardware and an allocation of tasks on this modified target hardware. This allocation is sufficient to guarantee both system-level timing requirements and deadlines extracted from the Matlab-Simulink specification model. Engineers may guide the complete process by running it iteratively and tightening the constraints based on their expert knowledge. This semi-automatic, user-driven and transparent optimization process helps to increase acceptance by engineers. For evaluation, an industrially motivated case study of a lane-change driver assistance system and an adaptive cruise control has been used.

  • Conference Article
  • Cited by: 1
  • 10.4271/2009-01-0269
Fixed-Point ECU Code Optimization and Verification with Model-Based Design
  • Apr 20, 2009
  • SAE technical papers on CD-ROM/SAE technical paper series
  • Tom Erkkinen

When implementing production software for fixed-point engine control units (ECUs) it is important to consider the code optimization and code verification strategies for the embedded algorithms. System and software engineers work together to design algorithms that satisfy the system performance requirements without significant numerical quantization results. Software engineers and suppliers in mass production environments then implement the design on an embedded system with limited memory and execution speed resources. The primary goals after design are to generate optimized code and verify that the implementation matches the original model's functional behavior.

Model-Based Design simplifies fixed-point development by providing tools and workflows that support the complete design, implementation, and verification processes. System engineers performing on-target rapid prototyping for fixed-point ECUs benefit from automated scaling workflows that provide an initial fixed-point design. Production software engineers benefit from automated scaling as well, but they then require fine-grain control over fixed-point data specification within their modeling environment for items such as accumulator word size. Eventually a detailed software design is produced.

Automatic code generation is then invoked with options that maximize code efficiency for fixed-point processors. These options include portable ANSI/ISO C optimizations, plus target-specific optimizations. Automated checking tools and workflow advisors help ensure the appropriate optimization settings are enabled. Capabilities exist for fixed-point verification and validation, including bit-accurate fixed-point simulation and automated processor-in-the-loop testing.

The latter is particularly useful when using target-optimized code, because the code cannot be simulated on the host and can only be tested on the actual embedded target.

This paper presents Model-Based Design capabilities and tools that support verification of optimized fixed-point ECU software used in mass production vehicles.

  • Conference Article
  • Cited by: 1
  • 10.1145/1850771.1850783
Preliminary feasibility analysis of component based modelling and automatic Java code generation for nanosatellite on-board software
  • Aug 19, 2010
  • O R Polo + 5 more

Nanosatellite on-board software is a real-time system that schedules and executes control actions over the platform and the payload subsystems during the mission stages. Its development is a complex task that can be better approached using advanced software engineering techniques such as graphical component-based modelling and automatic code generation. Nanosat1B is a scientific nanosatellite developed by the Spanish National Institute of Aerospace Technology (INTA) that was launched on July 09. This paper introduces the component-based modelling and automatic code generation of the Nanosat1B on-board software using a CASE tool named EDROOM. It shows the UML2 diagrams used for specifying the system components, their interfaces and behaviour, emphasizing their reuse possibilities in the same domain. The paper also describes the main characteristics of the EDROOM tool and analyses the feasibility of its adaptation for automatic Java code generation. The benefits of using EDROOM automatic Java code generation for nanosatellite on-board software development are also enumerated.

  • Research Article
  • Cited by: 9
  • 10.17533/udea.redin.n77a10
An analysis of tools for automatic software development and automatic code generation
  • Dec 1, 2015
  • Revista Facultad de Ingeniería Universidad de Antioquia
  • Viviana Yarel Rosales-Morales + 4 more

Software development is an important area in software engineering, which is why a wide range of techniques, methods, and approaches has emerged to facilitate software development automation. This paper presents an analysis and evaluation of tools for automated software development and automatic code generation in order to determine whether they meet a set of quality metrics. Diverse quality metrics were considered such as effectiveness, productivity, safety, and satisfaction in order to carry out a qualitative and quantitative evaluation. The tools evaluated are CASE tools, frameworks, and Integrated Development Environments (IDEs). The evaluation was conducted to measure not only the tools' ability to be employed, but also their support for automated software development and automatic source code generation. The aim of this work is to provide a methodology and a brief review of the most important works to identify the main features of these works and present a comparative evaluation in qualitative and quantitative terms of quality metrics. This would provide software developers with the information they need to decide the tools that can be useful for them.

  • Research Article
  • 10.5121/ijcsit.2012.4201
MppSoCGEN: A Framework for automatic generation of MppSoC Architecture
  • Apr 30, 2012
  • International Journal of Computer Science and Information Technology
  • Emna Kallel

Automatic code generation is a standard method in software engineering since it improves code consistency and reduces the overall development time. In this context, this paper presents a design flow for automatic VHDL code generation of an mppSoC (massively parallel processing System-on-Chip) configuration. Indeed, depending on the application requirements, a framework on the Netbeans Platform named MppSoCGEN was developed in order to accelerate the design process of complex mppSoCs. Starting from an architecture parameter design, VHDL code is automatically generated using a parsing method. Configuration rules are proposed to obtain a correct and valid VHDL syntax configuration. Finally, an automatic generation of Processor Element and network topology models of the mppSoC architecture is done for the Stratix II device family. Our framework demonstrates its flexibility on Netbeans version 5.5 and a centrino duo Core 2GHz with 22 Kbytes and 3 seconds average runtime. Experimental results for a reduction algorithm validate our MppSoCGEN design flow and demonstrate the efficiency of the generated architectures.

  • Conference Article
  • 10.4271/2008-36-0342
Automatic Generation, Migration, and Tests of a Real Time Code to an Embedded Controller
  • Oct 7, 2008
  • SAE technical papers on CD-ROM/SAE technical paper series
  • Francisco Carlos De Amorim + 1 more

A constant challenge for mobility engineering is to build, correctly, the right product at the right time, cost and quality. This challenge gives opportunities to adopt new paradigms in system development, especially in the generation, migration and testing of controller code. This work presents the automatic generation, migration, and testing of real-time code for an embedded controller. This is part of the Attitude and Orbit Control System (AOCS) for the Multi-Mission Platform (MMP) of the National Institute for Space Research (INPE). The modeling and simulation paradigm associated with automatic code generation makes possible the migration of a real-time embedded controller code to a wide variety of target processors and/or Real Time Operating Systems (RTOS) using the same controller model. The MATRIXx (XMath/SystemBuild/AutoCode/DocumentIt) modeling and simulation environment was used to analyze and design the controller and generate its real-time code. For that, the whole control system was modeled, including its sensors, actuators, controller, plant dynamics and external environment. After the controller design was considered satisfactory, its model was used to generate real-time source code capable of being embedded in a target processor. The ANSI C generated real-time code, together with the RTEMS RTOS, was migrated to an emulator of the ERC32 SPARC target. Tests have shown that the software controller results comply with the pointing and stabilization requirements of the MMP ACS.

  • Conference Article
  • Cited by: 30
  • 10.4271/2004-01-0894
Caterpillar Automatic Code Generation
  • Mar 8, 2004
  • SAE technical papers on CD-ROM/SAE technical paper series
  • Jeffrey M Thate + 2 more

Automatic code generation from models is actively used at Caterpillar for powertrain and machine control development. This technology was needed to satisfy the industry's demands for both increased software feature content, and its added complexity, and a short turn-around time. A pilot development effort was employed initially to roll out this new technology and shape the deployment strategy. As a result of a series of successful projects involving rapid prototyping and production code generation, Caterpillar will deploy MathWorks modeling and code generation products as their department-wide production development capability.

The data collected indicated a reduction of person hours by a factor of 2 to 4 depending on the project and a reduction of calendar time by a factor of greater than 2.

This paper discusses the challenges, results, and lessons learned, during this pilot effort from the perspectives of both Caterpillar and The MathWorks.

  • Book Chapter
  • Cited by: 19
  • 10.1007/978-3-642-15898-8_14
Automatic Structure-Based Code Generation from Coloured Petri Nets: A Proof of Concept
  • Jan 1, 2010
  • Lars Michael Kristensen + 1 more

Automatic code generation based on Coloured Petri Net (CPN) models is challenging because CPNs allow for the construction of abstract models that intermix control flow and data processing, making translation into conventional programming constructs difficult. We introduce Process-Partitioned CPNs (PP-CPNs), which are a subclass of CPNs equipped with an explicit separation of process control flow, message passing, and access to shared and local data. We show how PP-CPNs cater for a four-phase structure-based automatic code generation process directed by the control flow of processes. The viability of our approach is demonstrated by applying it to automatically generate an Erlang implementation of the Dynamic MANET On-demand (DYMO) routing protocol specified by the Internet Engineering Task Force (IETF).

  • Research Article
  • Cited by: 1
  • 10.1038/s41598-025-34350-3
A generative AI cybersecurity risks mitigation model for code generation: using ANN-ISM hybrid approach.
  • Jan 14, 2026
  • Scientific reports
  • Hussein A Al-Hashimi

The increasing reliance on automatic code generation integrated with Generative AI technology has raised new challenges for cybersecurity defense against code injection, insecure code templates, and adversarial manipulation of an AI model. These risks make developing advanced frameworks imperative to ensure secure, reliable, and privacy-preserving code generation processes. The paper presents a novel Hybrid Artificial Neural Network (ANN)-Interpretive Structural Modeling (ISM) Framework to alleviate the cybersecurity risks associated with automatic code generation using Generative AI. The proposed framework integrates the predictive capability of ANN and the structured analysis of ISM for the identification, evaluation, and treatment of common vulnerabilities and risks in automatic code generation. We first conduct a multivocal literature review (MLR) to identify cybersecurity risks and generative AI practices for addressing these risks in automatic code generation. Then we conduct a questionnaire survey to identify and validate the identified risks and practices. An expert panel review was then assigned for the ANN-ISM process. The ANN model can predict potential security risks by learning from historical data and code generation patterns. ISM is used to (1) structure and visualize relations between identified risks and mitigation approaches and (2) offer a combined, multi-layered risk management methodology. We then perform an in-depth examination of the framework with a case study of an AI-based code generation company. We further determine its practicality and usefulness in real-world settings. The case study results show that the framework efficiently handles the primary cybersecurity challenges, such as injection attacks, code quality, backdoors, and lack of input validation. The analysis characterizes the maturity of several mitigation practices and areas for improvement for security integration with automatic code generation functionality. Advanced risk mitigation is enabled in the framework across multiple process areas, where techniques such as static code analysis, automated penetration testing, and adversarial training hold much promise. The Hybrid ANN-ISM Mechanism is a stable and flexible solution for cybersecurity risk reduction in automatic code generation environments. The coupling of ANN and ISM, in terms of predictive analysis and structured risk management, respectively, contributes effectively towards the security of AI-based code generation tools. More research is required to improve the scalability, privacy preservation, and dynamic integration of the framework with cybersecurity threat intelligence.
