
SCADE® for Safe EN-50128 Embedded Safety Critical Software Applications

May 20th, 2021

Bruno PRIVAT
Agenda

1. Main Challenges for Rail Transportation and Embedded Systems/Software


2. Introducing the SCADE product
3. SCADE usage in Rail Transportation
4. SCADE Benefits & ROI

2
Best-of-breed simulation across all major physics

Semiconductor | Fluids | Structures | Electromagnetics | Power | Mission-Critical Embedded Software | Optical
Materials Information | Platform

Market leader across individual physics with industry-leading platform
3
The rail transportation industry is facing many challenges

• Ensuring Functional Safety and Security
• Reducing CO2 emissions
• Optimizing Overall System Performance
• Reducing Physical Verification Costs
• Managing interoperability
4
Ansys Systems & Platform

MISSION-CRITICAL EMBEDDED SOFTWARE & MBSE: Model-Based System & Software
For SW Control and Embedded HMI

FUNCTIONAL SAFETY ANALYSIS
MBSA: Model-Based Safety Analysis
For Safety-Critical Electronic and Electrical (E/E) and Software (SW) Controlled Systems.

DIGITAL TWIN
Build, Validate & Deploy Simulation-Based Digital Twins
Create simulation-based digital twins: digital representations of assets with real-world or virtual sensor inputs.
5
In the embedded software business, safety is not an option.

Personal computers: failure is annoying.
Embedded computers: failure is catastrophic.
SAFETY is KEY in the Embedded Software Business.

Safety Critical Software development must comply with Certification Standards in Automotive, A&D, Nuclear, Military, Medical, Industry.
6
Safety-critical embedded software has a huge development cost
The cost increases with the EN 50128 Safety Integrity Levels (SIL)

Level                       SIL 0 Cost   SIL 1 Cost    SIL 2 Cost     SIL 3 Cost     SIL 4 Cost
Comparative Baseline Cost*  -            Base +10%     SIL 1 +36%     SIL 2 +80%     SIL 3 +30%
Cost                        100          110           150            270            350+
(*): Comparative Software Development Cost per SIL Level, including Testing / Empirical data

Transportation systems and, in particular, railway systems, are growing markets that increasingly rely on software for command, communication, and control. Because of the impact of errors and accidents in this environment, software is developed to strict standards such as EN 50128. The standard is very specific on the use of good programming practices, tools, and techniques. In many cases these techniques/practices are highly recommended, if not mandatory, at the most critical levels (SIL 3/4).

EN 50128 requirements for embedded SW
7
Our Mission: Providing unique R.O.I for your Safety Critical Development

Reduction in Embedded SW Development Costs

Acceleration of Embedded Software Certification

Reduction in functional safety analysis time & T2M

8
Agenda

1. Main Challenges for Rail Transportation and Embedded Systems/Software


2. Introducing the SCADE product
3. SCADE usage in Rail Transportation
4. SCADE Benefits & ROI

9
The solution for safe embedded software is SCADE
The SCADE story in key dates

Created for Safety: SCADE = Safety Critical Application Development Environment
Key dates on the timeline: 1999, 2006, 2010, 2012, 2019.

Milestones and products shown on the timeline (the slide's column layout did not survive extraction, so dates are not paired with items here):
• Esterel foundation and synchronous language research: a formally defined synchronous language
• Code generation tool
• SCADE Suite: embedded control design and code generation
• SCADE Display: embedded HMI design and code generation
• SCADE Solution for A661: embedded ARINC 661 HMI design and code generation
• Portable and platform-independent generated code
• Model-Based Systems Engineering: SCADE Architect (2019), systems/software architecture tool and avionics solutions, with full traceability between System & Design levels
• Validation tool: SCADE Test; SCADE-based code validation tool
• SCADE Vision: AI-based perception validation tool
• Synchronous, qualified push-button code generators; EN 50128, IEC 61508, ISO 26262 & DO-178B/C; AUTOSAR
• Ansys acquisition; 20+ years of experience
10
With Ansys SCADE: MODEL = CODE
With Traditional MBD Solutions: MODEL ≠ CODE
11
With Ansys SCADE, MODEL = CODE means:
• NO CODE REVIEWS
• NO BACK-TO-BACK TESTING
• NO CODE COVERAGE
• NO NEED FOR A SAFE SIL SUBSET
12
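The MODEL = CODE claim rests on the synchronous execution model: a node samples its inputs, computes its outputs and updates its state exactly once per cycle, with static memory and a bounded amount of work. The C below is an added, hand-written illustration of that pattern for an overspeed-protection function (one of the on-board applications named later in the deck); it is not KCG output and not Ansys code, and the margin, hysteresis and confirmation-cycle values are constructed assumptions.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed example, not KCG output: one synchronous node for an
 * overspeed-protection function. All state lives in an explicit context,
 * memory is static and every cycle does a bounded amount of work. */
#define OVERSPEED_MARGIN_KMH  5u  /* assumed tolerance above the limit */
#define HYSTERESIS_KMH       10u  /* assumed margin below the limit for release */
#define CONFIRM_CYCLES        3u  /* assumed consecutive over-limit cycles */

typedef struct {
    uint32_t speed_kmh;   /* measured train speed */
    uint32_t limit_kmh;   /* current speed limit */
    bool     driver_ack;  /* driver acknowledgement, required to release the latch */
} OsInputs;

typedef struct {
    uint32_t over_count;  /* consecutive over-limit cycles seen so far */
    bool     brake;       /* latched emergency-brake command */
} OsContext;

void os_reset(OsContext *ctx) { ctx->over_count = 0u; ctx->brake = false; }

/* One synchronous cycle: sample inputs, compute the output, advance state.
 * Returns the emergency-brake command for this cycle. */
bool os_cycle(OsContext *ctx, const OsInputs *in) {
    bool over = in->speed_kmh > in->limit_kmh + OVERSPEED_MARGIN_KMH;
    /* Count confirmation cycles; any in-limit sample restarts the count. */
    if (over) {
        if (ctx->over_count < CONFIRM_CYCLES) ctx->over_count++;
    } else {
        ctx->over_count = 0u;
    }
    if (ctx->over_count >= CONFIRM_CYCLES) {
        ctx->brake = true;                       /* latch the brake */
    } else if (ctx->brake && in->driver_ack &&
               in->speed_kmh + HYSTERESIS_KMH <= in->limit_kmh) {
        ctx->brake = false;                      /* release only when safely below */
    }
    return ctx->brake;
}

/* Drive the node over a sequence of speed samples against a fixed limit
 * and return how many cycles commanded the brake. */
int os_run(const uint32_t *speeds, int n, uint32_t limit, bool ack) {
    OsContext ctx;
    OsInputs in = { 0u, limit, ack };
    int braked = 0;
    os_reset(&ctx);
    for (int i = 0; i < n; i++) {
        in.speed_kmh = speeds[i];
        if (os_cycle(&ctx, &in)) braked++;
    }
    return braked;
}
```

Because the whole behaviour is a pure function of the context and the current inputs, a test vector applied at model level exercises exactly the same state transitions as the code, which is what lets a qualified generator remove the code-level review and back-to-back testing steps the slide lists.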
SCADE is agnostic to

• Any Operating System, Real-Time Operating System
• Any C or Ada Compiler
• Any Processor
• Any Hardware Target
• Any GPU
• …

13
Ansys SCADE for Model-Based Software Design

• Model-based design tool for safety and performance-critical embedded software systems
• Embedded Controls, Displays, HMIs
• Fully integrated toolchain across the “V-cycle”
• Portable & certified C/Ada code generation:
‐ EN 50128 up to SIL 3/4 – Rail Transportation
‐ DO-178B/C up to DAL A – Aerospace/Defense
‐ ISO 26262 certification up to ASIL D – Automotive
‐ IEC 61508 up to SIL 3 – Industrial & Energy
• SCADE provides native requirements traceability support
‐ DOORS, Jama, Polarion, PTC

14
Safety Critical Application Development Environment

Embedded Controls Systems | Embedded Displays / HMIs

15
Model-based SW with EN 50128 certified code generation

(The slide is a layered diagram; its text is grouped below by layer. “Auto” marks the transitions the toolchain automates.)

Embedded Systems & Software
• System & SW Architecture: System Architecture, System Safety Analysis, System Simulation & Digital Twins
• System & Software Requirements
• SW Components / SW Design: Critical Embedded Control Software, Critical Embedded HMI Software
• Simulation Test / MiL (MiL/PiL/HiL at system level)
• Certified Automatic C code Generation: EN 50128 SIL 3/4
• Embedded Control & HMI Software Testing
• Platform Integration Test / PiL/HiL

System Level (per core, Core 0 … Core n): Application, Task Management, System Services, Microkernel
RTOS & HW: Multi-rate / Multi-core
16
SCADE Ecosystem
Interoperability with Tools & Standards

Import: IBM Rhapsody, Sparx Enterprise Architect, Dassault Systèmes MagicDraw, Presagis VAPS / VAPS XT, ENSCO Idata, Adobe Photoshop, W3C SVG
Import / Co-simulate: Mathworks Simulink
Traceability: IBM DOORS / DOORS NG, Jama, Siemens Polarion, Dassault Systèmes Reqtify
Generate: Microsoft Word, Microsoft Excel, PDF / HTML
Import / Export: FMI/FMU 2.0, AUTOSAR, FACE, AADL, ASAM ASAP2
Generate Test Harnesses: IBM RTRT, LDRA TestBed, Vector VectorCAST, HIL Mamouth, Hardware-in-the-Loop
Integrate / Deploy (Partners, Tools, Standards): National Instruments VeriStand, dSPACE MicroAutoBox, QNX OS, Green Hills Software Integrity, Wind River VxWorks, Sysgo PikeOS, DDCi Deos, Krono-Safe ASTERIOS, CoreAVI (OpenGL), Hightec PXROS (Infineon AURIX), Kalray, RTI DDS
17
Agenda

1. Main Challenges for Rail Transportation and Embedded Systems/Software


2. Introducing the SCADE product
3. SCADE usage in Rail Transportation
4. SCADE Benefits & ROI

18
Our Customers in Rail Transportation
SCADE is used in many Railways Applications

On-Board Control & Protection
• ETCS
• CBTC
• Emergency braking, overspeed protection, vehicle speed control, ATP/ATO
• Satellite-based locomotive control
• OpenETCS specifications

Interlocking
• Interlocking systems
• Control Centers: Fault reporting and Interlocking Displays
• Level Crossing Protection

Train Detection
• Axle counters
• Vacancy detection
• Radar positioning

Platform - Cabin
• Doors opening
• Departure interlocks

Mechatronic Control Systems
• Train Traction and Braking

Driver Machine Interfaces
• Driver Machine Interfaces
• On-board Displays
• Train Radio Control Panel
• Display Front End Simulator
• Track Simulator
SCADE Usage Overview by Country in Rail Transportation

(The slide places these projects on a world map; only the project labels survived extraction, listed here as they appear.)
• French Rail Network (RFF) Interlocking System
• Generic ERTMS
• Generic Interlocking
• Paris subway
• Marseille subway
• Carbonne Controller
• OpenETCS DMI
• OpenETCS Specifications
• OpenETCS (phase I)
• Complete Swedish Rail ATP and track system
• Ester Line Interlocking and Train Control, Axle counter
• PAING
• Cottus Bahnhof interlocking
• Warsaw Railway
• Russian Railways (RZD)
• British Rail Cambrian Line RBC
• CBTC
• St Pancras High Speed Train Station Interlocking
• Kazakhstan Almaty Metro CBTC Onboard and Wayside ATP
• Korean railways (CBTC Onboard and Wayside ATP, Korean Radio-based TCS)
• RBC (Radio Block Center) of LTE-R system
• Porto Subway Interlocking
• Generic Interlocking Product Line
• Train identification system based on Radar
• Beijing Subway (Line 14, 7, Chang Ping, Yi Zhuang)
• Beijing Subway Lines Yi Zhuang
• FITSCO Train Controller
• Sao Paulo Subway Doors Opening and Departure Interlocks
• Guangzhou (ATP, interlocking)
• Hong Kong subway Interlocking
• Nanjing Subway Line Ningtian
• Ankara subway interlocking
• Program iCMTC
• Singapore Subway Train Data Management
• Taipei Subway CBTC & Interlocking
Agenda

1. Main Challenges for Rail Transportation and Embedded Systems/Software


2. Introducing the SCADE product
3. SCADE usage in Rail Transportation
4. SCADE Benefits & ROI

22
Huge savings in software development with SCADE

Level                       Non-Safety Related Cost   SIL 1 Cost    SIL 2 Cost     SIL 3 Cost     SIL 4 Cost
Comparative Baseline Cost*  -                         Base +10%     SIL 1 +36%     SIL 2 +80%     SIL 3 +30%
Cost                        100                       110           150            270            350+
Cost with SCADE             100                       100           120            160            175
Savings with SCADE          -                         10%           20%            40%            50%
(*): Comparative Software Development Cost per SIL Level, including Testing / Empirical data

Up to 50% ROI versus Manual Coding or versus Alternative Non Certified Model-Based Tools, thanks to qualified toolsets and the elimination of debug, review and V&V activities.
SCADE and the EN 50128 System and Software V-Model

(The slide is a V diagram; its phases are listed below in order, with the SCADE artefacts produced in each.)

System Development Phase
Software Planning Phase
Software Assessment Plan
Software Requirement Phase
HW/SW Architecture Phase
SCADE SW Architecture Phase
  SCADE Architecture Design Model → Generated Documentation
  Requirements to SCADE Architecture Allocation Matrix
SCADE Component Design Phase
  SCADE Design Model → SCADE Detailed Design Document (Components + Integration)
  Requirements to SCADE Model Traceability Matrix
SCADE Model Testing Preparation Phase
  SCADE Test Cases
  Requirements to Test Cases Traceability Matrix
SCADE Component Coding Phase
  SCADE Component Generated code
  SCADE Compiler Verification Kit Results
SCADE Component Testing Phase
  SCADE Component Test Results
  SCADE Coverage Results
SCADE Integration Phase
  SCADE Integration Test Results
  SCADE Coverage Results
HW/SW Integration Phase
Software Validation Phase
  Overall Software Test Report
  Software Validation Report
Software Maintenance Phase
A typical model-based EN-50128 flow without SCADE

Requirements
→ SW Detailed Design (Verification: Model reviews, Model Simulation)
→ Authorized subset
→ Manual coding or Automatic code generation
→ Source Code (Verification: Code review & compliance to model, Back-to-Back testing)
→ Compiler
→ Object Code
   Low level testing: Unit testing
   High level testing: Integration testing
26
We could get rid of … a few things … thanks to SCADE

(Figure: this slide repeats the flow of the previous slide with the steps that SCADE makes unnecessary crossed out. The strike-through marks did not survive extraction; the remaining text is identical to the previous slide except that the Compiler step no longer appears.)
27
SCADE-enabled EN-50128 SIL4 optimized workflow

Requirements
→ Cert. Model Report (Verification: Model reviews, Model Simulation)
→ Corporate coding standard
→ Certified automatic code generation
→ Source Code
→ Object Code
   High level testing: Integration testing

✓ No need for additional tools
✓ Generate EN-50128 SIL4 certifiable code
✓ Reduce development costs
✓ Reduce time-to-market
28
Unique Benefits for Certification

• SCADE products and solutions are developed specifically to address critical system and software applications
• SCADE Suite and Display KCG code generators are certifiable according to the following international safety standards:
‐ EN 50128 certification up to SIL 3/4 – Rail Transportation
‐ IEC 61508 certification up to SIL 3 – Industrial & Energy
‐ IEC 60880 full compliance – Nuclear Instrumentation & Control
‐ IEC 62304 full compliance – Medical Systems
‐ EN 13849 full compliance – Industrial Machines Safety
‐ DO-178C qualification up to Level A – A&D
‐ ISO 26262 certification up to ASIL D – Automotive
• Same products qualified at the highest level of safety across 6 market segments by 10 safety authorities, worldwide
• Multiple EN 50128 SCADE Suite and Display KCG Tool certifications by TÜV

The Simulink/Stateflow code generators are not certified at such levels*

* Note from MathWorks website: “Embedded Coder and Code Inspector were not developed using an IEC 61508–compliant process. Using certified tools does not ensure the safety of the software or the system under consideration.”
EN 50128 Methodology Handbooks
Efficient Development of Safe Railway Applications Software with EN 50128 Objectives

• Contents:
‐ Development and verification steps of EN 50128 compliant software
  • Model-based development with SCADE Suite and SCADE Display
  • Simulation and Model Test Coverage
  • Formal verification
  • Automatic code generation with KCG
  • C compiler verification activities
‐ Set of guidelines for developing efficient models, generating efficient code, etc.
Where Time Goes in Embedded Software Projects?

Phase                                                          Workload
Concept Definition                                             5%
System Design (Requirements, Functions & System Architecture)  12%
Systems Requirements allocated to SW (HLRs)                    14%
Software Design (LLRs)                                         15%
Coding                                                         10%
Software Unit Testing (Low Level Testing)                      10%
Software / Software Integration & Testing                      7%
Hardware / Software Integration & Testing                      10%
Documentation and Review                                       7%
Project Management                                             10%
TOTAL                                                          100%
(The slide also shows the same breakdown as a pie chart.)
32
Where Time Goes in Embedded Software Projects?
Reference cost breakdown versus ANSYS cost breakdown (ANSYS based process), with the saving / GAIN per phase

Phase | Comments | Reference Cost Breakdown | ANSYS Cost Breakdown | Saving / GAIN | How
Concept Definition | - | 5% | 5% | 0% | Out of our scope
System Design (Requirements, Functions & System Architecture) | Functional & Architectural Definition, System Safety Analysis | 12% | 8% | 35% | Usage of SCADE Architect to model function and architecture
Systems Requirements allocated to SW (HLRs) | Control Law, Logic definition, HLRs (text, equation…) | 14% | 9% | 35% | Reuse from SCADE Architect
Software Design (LLRs) | Detailed SW Architecture, Function Design, Requirements-based tests creation | 15% | 18% | -20% | Detailed SW architecture. Additional formalization of SW detailed specification, requirements traceability
Coding | Detailed Coding | 10% | 2% | 85% | % of code automatically generated with SCADE KCG
Software Unit Testing (Low Level Testing) | Functional Unit Testing | 10% | 2% | 85% | Qualification of Code Generator suppressed low level testing
Software / Software Integration & Testing | Testing of the above | 7% | 1% | 85% | SW/SW integration testing fully automated by SCADE for the application part
Hardware / Software Integration & Testing | Incl. on-target debugging | 10% | 5% | 50% | Models already debugged & tested. Very short late-change cycles. Compiler Verification Kit automates user context & application tests on target
Documentation and Review | Design Documentation & Quality review | 7% | 1% | 85% | Documentation for the project is automatically generated by SCADE LifeCycle
Project Management | - | 10% | 5% | 50% | Automatic connection with Configuration Management tool, shortening project duration, better requirements & traceability
TOTAL | - | 100% | 50 | 50% | -
33
SCADE Benefits and Value Proposition for Rail Transportation

STRATEGIC
• Compliance with Software Safety Certification and Risks Mitigation
• Improved Communication & Collaboration among system and software teams, customers, suppliers and certification authorities

TECHNICAL
• Automated Production of readable, portable, high performance and high quality Code
• Documentation Quality and Accuracy
• Early Detection of Design Flaws
• Improved Long-term Maintainability of software

ECONOMICAL
• High Return on Investments with the qualified code generators and qualified testing suite
• Up to 50% development and V&V costs reduction overall
• Up to 2x increase in time to market
34
Why Ansys SCADE is the Solution

Ansys SCADE is the Safety-Critical embedded software leader

FOCUSED: This is all we do. Safety Critical and Mission Critical software
TRUSTED: More than 200 customers worldwide
PROVEN: 150+ Certified programs
TIME TO MARKET: 2x speed-up improvement in time-to-certification
HIGH R.O.I.: Up to 50% average return on investments related to reduction in development and test activities cost
DRIVEN: Helping customers address new market challenges: Artificial Intelligence, integration in Virtual Reality environments
35
Why Ansys SCADE is the Solution

Standards: SCADE provides a common representation between systems and software teams sharing models.
Portability: SCADE generates portable C or Ada code which is RTOS, hardware & bus platform independent.
Support: Ansys has worldwide training and support capabilities in your language.
Lifecycle: SCADE has been integrated with leading Requirements Management, Traceability, RTOS, IDEs, Compilers, Testing and Code analysis tools.
Results: SCADE users have experienced a 2X speed-up improvement in time-to-certification and a 40% reduction in project development costs!
36
Ansys SCADE : The True Model-Based Software Leader for Safety Critical Applications

• Leader for Embedded Control and Display Safety Critical Software Applications
• Up to 50% ROI vs Manual Coding or Alternative Non Certified Model-Based Tools
• Model-Based Allows Fast Ramp Up for Non Software Experts
• Fully Compliant with Rail Standards for Software Design & Architecture
• Certified DO-178C and to most vertical standards
• Fully Connected to the Ansys Simulation Solutions: Autonomy, Electrification, MBSE
37