Traceability back to subset-026 #3
Comments
|
As a general remark, we have (nobody really has) not used the commenting features of SCADE fully that also allow to propagate comments to code. This remark is independently of the question how much sense this would make in a model- based V&V and certification approach which would require integration of SCADE based development and V&V process into a to-be-defined overall process. (Cert Kit needed)
The source is the model. The C- code is only an intermediate step. If you need traceability to the code, it will be primarily with with the model
The level of direct traceability between model and code depends on the KCG options. I did not check, but probably line 39ff are inlined beaches the use chose “expansion” as a KCG option. However I do not agree with some of the statements. We are not “thinking code” but “thinking model”. I do not see a need for 1:1 mapping between SRS (subsub) paragraphs and model level functions. This would have been topic of a process which has not been defined upfront.
|
Oh. So you do not do that...?
While I generally do understand this attitude, I believe for someone without access to SCADE (me, for instance) checking out the generated code is about the only viable way to get an idea of what you are currently doing.
So you are essentially saying: The KCG is conformant with [insert list of safe software standards] in their highest levels. Therefore, its output always behaves in the exact same way as its input and there is no need for traceability. Why does the KCG produce code in the first place, then? An executable binary would be just fine.
Well, but how do you know if some required functionality is already in the model (perhaps redundantly) or still missing? I.e. how do you track your spec coverage? And how do you think verification will work without this? |
|
Dear Moritz, the traceability is a very important item in terms of SIL 4 certification. An i fully agree that following the "open proof" concept it should be respected as well the full transparency. In the current project status we are aware that this part is missing due to the lack of ressources. Since we shift all priorities to completentess of the ETCS System Model Utrecht - Amsterdam proof of concept. This was a project consoritum decision. That means that we are aware of open gaps for the full traceability. Therefore we will be prepared to close n this gaps in a follow up project (Shift2Rail) since we are allocated all our remaining ressources in the openETCS project to completete functionality until end of this year. Therefore i consider your input as a very valuable and should be documentated as open issues and work for the follow up project. Since the follow up project will definitevely focus on a SIL 4 certifiable Corridor A prototype. We really appreciate your support according to our current preparation of contenct in the follow up project. Thank you very much |
Of course it is also possible to annotate the model directly with remarks and comments that get generated as comments into the C- code, but for lack of resources we don’t do it systematically even if it is a requirement expressed from the project leader.
By the way, you can always use SCADE without a license as long as you just review the models. The source is the model. The C- code is only an intermediate step. If you need traceability to the code, it will be primarily with with the model
SCADE generates target agnostic C (or Ada or SPARK) code because it needs to be portable and target- independent. Actually, the SCADE simulator generates a binary…. (SCADE simulation is a software- in- the- loop simulator)
What I am trying to say is that this kind of coverage is done at model level. Granularity of model is not necessarily the same as SRS granularity. There may be N:N relationships, not just 1:1. If we would go to a vital system, the setting would have to be selected according to the requirements imposed by the applicable norm and process. SCADE itself does not impose a specific process. It is the other way round. Maybe you know the attached document, I was a co-author of the first versions. It is of course not a SW development plan in the sense of CENELEC, but gives a high-level introduction to using SCADE in a EN50128 process. Jakob
|
|
Moritz, to invest your time in a fruitful way (not trying to find your way through code that has indeed, as Baseliyos said, not been generated from a model that is well- linked to the requirements due to project priorities), can I propose to take a selected component and run the exercise of a review (including traceability)? More concretely: We select a module, and work constructively until you are satisfied with all your questions, as far as possible in the time/ resource contrasts we have ? If we select the module “small enough”, but representative it could be a good input to the follow- on project.
|
|
The motivation behind my initial question was certainly not to blame you for all sorts of weaknesses in your model / code. Rather, I am still trying to compile suitable project artifacts for a scientific article on our toolchain.
Well, if you have the resources to do this, it would be more than welcome. Judging from @BaseliyosJacob's recent statements, I was of the opinion that WP3 is working at its limits and there is absolutely no time to assist anyone concerned with less important tasks. |
|
Yes we don’t feel blamed, I just felt that trying to understand code generated from SCADE requires to start from the model. I can ask @Mairamou to assist you, she is not funded by the project and could spare some part of her time on helping you. As we want to invest anyway in setting up a SIL4 process (as part of our exploitation efforts) it is a sensible investment. She will however need some guidance as her background on certification processes is zero. There are also some parts of the model that are more mature (and better annotated) than others. You could consider starting there. I would also have wished to work more on higher- level and process questions in order to get much closer to SIL4 objectives, but we are all stuck in trying to compensate for the resources that have already been used in earlier phases/ or that just broke away.
|
|
Please note, that calculateTrainPosition already has been linked with the SRS via the Scade Requirements Gateway / Reqtify by using the requirements generated by @morido tools. So, there is at least this example. |
|
Hello Uwe, thanks! "There are also some parts of the model that are more mature (and better annotated) than others. You could consider starting there. “, I meant calculateTrainPosition.
|
|
for my 50ct on this, I also found it is hard to add traceability when a single line of specification maps into a multitude of operators and on the other hand whether top/wrapping operators should receive traces for the sake of understanding. But I also guess this will be one of the outcomes of this project to see how stric you have to formalize a process and coding once contributors are from a multitude environments and hierachies. |
|
@UweSteinkeFromSiemens, @T12z Thanks for your hints on packages which contain links to their respective requirements. However, I believe this information does not survive KCG's transformation into C. At least none of the files that I checked contained anything useful. Specifically I looked into:
Do not hate me for still "thinking code", instead of "thinking model" here. But my intention is to trace a line of C code back to a requirement - which is why this issue is in the [srcAndBinary] repository rather than in [modelling].
Well, I guess you would need a properly defined process which addresses such issues. The status quo of not adding traceability information at all because of this is certainly the worst of all possible solutions. Ultimately this may severely limit the reusability of your model for any follow-up projects / industrial applications. Side note 1: Side note 2: |
|
the trick is to tick the box “progagate to c” at the Notes/ Comments properties settings
|
|
For calculateTrainPosition, the option “progagate to c” is set for some components. I'm not sure, if this serves to propagate notes and traceability information to C code too. |
Consider lines 39ff in ToStaffResponsible_Conditions.c. Apparently, these conditions are based on 4.6.2[2].[t]2.[r][7] and 4.6.3[2].[t]*. However, I cannot see any hint for those origins in the source. Is there a chance to include the respective traceability data as comments in the generated files?
Apart from this, I would expect the actual conditions, as they are mentioned in the spec (i.e. the stuff below 4.6.3[2].[t]*), to be modelled in separate functions since the are meant to be reused for other mode transitions as well. However, in lines 39ff they are all inlined. Was this a deliberate design choice or does the KCG perform such kinds of "optimizations"?
The text was updated successfully, but these errors were encountered: