{"id":198353,"date":"2026-04-22T15:34:14","date_gmt":"2026-04-22T15:34:14","guid":{"rendered":"https:\/\/innovationspace.ansys.com\/knowledge\/?post_type=topic&#038;p=198353"},"modified":"2026-04-23T17:16:12","modified_gmt":"2026-04-23T17:16:12","slug":"efficient-development-of-safe-space-software-with-ecss-e-st-40c-and-ecss-q-st-80c-using-scade-suite","status":"publish","type":"topic","link":"https:\/\/innovationspace.ansys.com\/knowledge\/forums\/topic\/efficient-development-of-safe-space-software-with-ecss-e-st-40c-and-ecss-q-st-80c-using-scade-suite\/","title":{"rendered":"Efficient Development of Safe Space Software with ECSS-E-ST-40C and ECSS-Q-ST-80C Using SCADE Suite"},"content":{"rendered":"<p style=\"text-align: center\">\n    <img decoding=\"async\" src=\"https:\/\/innovationspace.ansys.com\/knowledge\/wp-content\/uploads\/sites\/4\/2026\/04\/scade-065-banner.jpeg\" style=\"max-height: 700px !important\" \/><br \/>\n    <em><\/em>\n<\/p>\n<p>This article is part of an ECSS blog series. It gives an overview of the European software standards and details the process of developing, then verifying, safe compliant software. You can find links to each part below:<\/p>\n<ul>\n<li><strong>Part 1<\/strong>: <a href=\"https:\/\/innovationspace.ansys.com\/knowledge\/forums\/topic\/an-introduction-to-space-software-standards-ecss-e-st-40-and-ecss-q-st-80c\/\">An introduction to ECSS-E-ST-40 Rev.1 and ECSS-Q-ST-80C Rev.2<\/a><\/li>\n<li><strong>Part 2 <\/strong>(this blog): Efficient Design and Implementation of Safe Space Software in compliance with ECSS-E-ST-40 Rev.1 and ECSS-Q-ST-80C Rev.2 using SCADE Suite<\/li>\n<li><strong>Part 3<\/strong>: Efficient Verification and Validation of Safe Space Software in compliance with ECSS-E-ST-40 Rev.1 and ECSS-Q-ST-80C Rev.2 using SCADE Suite <\/li>\n<\/ul>\n<p>In this blog, we provide an overview on how to fully satisfy ECSS-E-ST-40C (Rev.1) and ECSS-Q-ST-80C (Rev.2) requirements with a <a href=\"https:\/\/www.ansys.com\/products\/embedded-software\/ansys-scade-suite\">SCADE Suite<\/a> model-based approach for developing space software. <\/p>\n<h3  id=\"MODEL-BASED-DEVELOPMENT-WITH-SCADE\">Model-Based Development with SCADE<\/h3>\n<p>SCADE Suite is a software design product line for embedded control software modeling, verification, and code generation. SCADE Suite provides a user-friendly and intuitive model-based environment for software engineers.<\/p>\n<p>The SCADE Suite product highlights are the following: <\/p>\n<ul>\n<li>Embedded Control Software Design: streamlined development of control systems, logic, and algorithms within an integrated environment. Combines data flow and state machine operators seamlessly, enabling flexibility and precision at any level of design.<\/li>\n<li>Integrated Suite for Prototyping, Modeling, Simulation, Verification and Optimization: efficient debugging and optimization of software models for code size, speed, and performance.<\/li>\n<li>Safe Code Generation: automatic C and Ada qualified code generators (DO-178C\/DO-330, EN 50716, ISO 26262, IEC 61508).<\/li>\n<\/ul>\n<p style=\"text-align: center\">\n    <img decoding=\"async\" src=\"https:\/\/innovationspace.ansys.com\/knowledge\/wp-content\/uploads\/sites\/4\/2026\/04\/scade-065-mbd-overview.svg\" style=\"max-height: 400px !important\" \/><br \/>\n    <em>Model-based software design with safe code generation<\/em>\n<\/p>\n<h4  id=\"SCADE-SUITE-AS-A-MODEL-BASED-DEVELOPMENT-ENVIRONMENT\">SCADE Suite as a model-based development environment<\/h4>\n<p>SCADE Suite enables a model-based development approach:<\/p>\n<ul>\n<li>SCADE Suite models are usually considered design models. They mainly represent the software low-level requirements and software architecture. Such models rely on a formally defined notation.<\/li>\n<li>Models can be managed under configuration control.<\/li>\n<li>Documentation is automatically and directly generated from models: it is correct and up to date by construction.<\/li>\n<li>A syntactic and semantic check is performed automatically to verify that the models respect Scade language syntax and semantics.<\/li>\n<li>Formal verification techniques can be directly applied to models to detect corner case defects (e.g., division by 0) or to prove safety properties.<\/li>\n<li>Time and stack analysis can be conducted to verify, at an early stage of the project, compatibility between the model and the target platform, ensuring execution time and memory requirements are met.<\/li>\n<li>Target compatibility with SCADE Suite KCG-generated code can also be verified on a representative code sample (using SCADE Suite Compiler Verification Kit), to anticipate potential issues with the cross-compiler used to generate the target EOC.<\/li>\n<li>Code is automatically and directly generated from models with the KCG qualified Code Generator: the source code complies with the semantics of the input model.<\/li>\n<li>SCADE Suite generated code can be wrapped in an RTOS task, thus implementing the needed cyclic function.<\/li>\n<li>The Certification Kit provides all the evidence that is needed to qualify SCADE Suite KCG at DO-330\/ TQL-1, IEC 61508 T3, EN 50716 T3 and ISO 26262 TCL 3.<\/li>\n<\/ul>\n<p>SCADE Suite also integrates a testing environment with <a href=\"https:\/\/www.ansys.com\/products\/embedded-software\/ansys-scade-test\">SCADE Test<\/a>:<\/p>\n<ul>\n<li>Models can be exercised by simulation to dynamically verify their behavior according to upper-level requirements.<\/li>\n<li>Model coverage analysis can be performed to assess how thoroughly the model was tested and to detect unintended functions in the model.<\/li>\n<\/ul>\n<p>SCADE Suite applies these &#8220;golden rules&#8221;:<\/p>\n<ul>\n<li><strong>Share unique and accurate specifications<\/strong>.<\/li>\n<li><strong>Do things once<\/strong>: do not rewrite descriptions from one activity to another.<\/li>\n<li><strong>Do things right in the first place<\/strong>: detect errors in the early stages of a project.<\/li>\n<\/ul>\n<p>SCADE Suite allows significant savings in time spent on verification because models can be verified as soon as they are available (even in parts) thus avoiding situations where code must be developed before any verification can start and every error that is detected requires a lengthy change cycle.<\/p>\n<p>SCADE Suite models formalize a significant part of the Software Architectural Design and Software Detailed Design. The model is written and maintained once in the project and shared among team members. Expensive and error-prone rewriting is thus avoided; interpretation errors are minimized. All members of the project team, from the specification team to the review and testing teams, can share models as a reference.<\/p>\n<h4  id=\"SCADE-MODELING-AND-SAFETY-BENEFITS\">SCADE modeling and safety benefits<\/h4>\n<p>SCADE Suite strongly supports safety at model level because:<\/p>\n<ul>\n<li>The Scade language is rigorously defined. Its interpretation does not depend on readers or any tool. It relies on more than 25 years of academic research (<a href=\"https:\/\/en.wikipedia.org\/wiki\/Esterel\">Esterel<\/a>, <a href=\"https:\/\/en.wikipedia.org\/wiki\/Lustre_(programming_language)\">Lustre<\/a>).<\/li>\n<li>The Scade language is simple. It relies on very few basic concepts and simple combination rules of these concepts.<\/li>\n<li>Control structures remain at a high level of abstraction. For example, array operations in SCADE Suite are expressed as such and do not require low-level loops and indexes. There is no need for goto&#8217;s, no need for the creation of memory at runtime, no way to incorrectly access memory through pointers or an index out of bounds in an array. Moreover, these principles are reflected in the generated code out of SCADE Suite KCG.<\/li>\n<li>The Scade language contains features oriented towards safety like strong typing, mandatory initialization of flows.<\/li>\n<li>SCADE Suite models are deterministic. A system is deterministic if it always reacts in the same way to the same inputs occurring with the same timing. In contrast, a non-deterministic system can react in different ways to the same inputs, the actual reaction depending on internal choices or computation timing.<\/li>\n<li>The Scade language provides a simple and clean expression of concurrency at functional level (data flows express dependencies between operators). Within a model, this avoids the traditional problems of deadlocks and race conditions.<\/li>\n<li>SCADE Suite performs the complete verification of language syntactic and semantic rules, such as type and clock consistency, initialization of data flows, or causality in models.<\/li>\n<\/ul>\n<h3  id=\"SOFTWARE-DEVELOPMENT-ACTIVITIES-WITH-SCADE-SUITE\">Software Development Activities with SCADE Suite<\/h3>\n<h4  id=\"OVERVIEW-OF-SOFTWARE-DEVELOPMENT-ACTIVITIES\">Overview of Software Development Activities<\/h4>\n<p>A typical SCADE Suite software development process is a combination of Model-Based Development together with qualified code generation and SCADE verification tools. The following figure shows the software-related processes where SCADE tools are used.<\/p>\n<p style=\"text-align: center\">\n    <img decoding=\"async\" src=\"https:\/\/innovationspace.ansys.com\/knowledge\/wp-content\/uploads\/sites\/4\/2026\/04\/scade-065-software-related-process-support.svg\" style=\"max-height: 400px !important\" \/><br \/>\n    <em> <\/em>\n<\/p>\n<p>Support of software related processes with SCADE  development environment<\/p>\n<p>Traceability requirements within the software engineering process (as defined in ECSS-ST-E-40C \u00a75.2) requires: <\/p>\n<ul>\n<li>traceability between the requirements and the software components<\/li>\n<li>traceability between the architecture and the detailed design<\/li>\n<li>traceability between code and the design and requirements<\/li>\n<li>traceability between source code and object code<\/li>\n<li>traceability between the unit tests and software requirements, design and code<\/li>\n<\/ul>\n<p>These are further detailed in sections below. <\/p>\n<h4  id=\"SOFTWARE-REQUIREMENTS-AND-ARCHITECTURE-ENGINEERING-PROCESS\">Software Requirements and Architecture Engineering Process<\/h4>\n<p><strong>Software Requirements Specification<\/strong><\/p>\n<p>In ECSS-E-ST-40C, the Software Related System Requirement Process represents the connection between the space system processes and the software processes. <\/p>\n<p>Within this process, the software requirements shall be established as part of the Technical Specification (ECSS-E-ST-40C \u00a75.4.2.1). In addition, ECSS-Q-ST-80C \u00a76.3.2.1 requires the analysis of the Requirements Baseline (RB) to fully and unambiguously define the software requirements in the technical specification.<\/p>\n<p>The TS shall consider as well:<\/p>\n<ul>\n<li>all results from safety, dependability and software security analyses (ECSS-Q-ST-80C \u00a76.3.2.2, \u00a76.3.2.3),<\/li>\n<li>all non-functional requirements required to comply with the RB for example performance, robustness, reliability, maintainability, etc. (ECSS-Q-ST-80C \u00a76.3.2.4).<\/li>\n<\/ul>\n<p>The Software Requirements analysis phase produces the Technical Specification (TS) which includes the Software Requirements Specification (SRS) and a preliminary Interface Control Document (ICD).<\/p>\n<p><strong>Software Architectural Design<\/strong><\/p>\n<p>The first step in the design process is to define the global application architecture, considering the architecture components that will be modeled in SCADE Suite and the ones that will be manually coded.<\/p>\n<p>The application is decomposed functionally into its main components. The characteristics of these components serve as a basis for allocating their refinement in terms of techniques (Scade, C, &#8230;) and development team. Among those characteristics, one must consider, for a software component:<\/p>\n<ul>\n<li>The type of processing (<em>e.g., <\/em>decision logic, byte encoding).<\/li>\n<li>The volume of communication it has with other components.<\/li>\n<li>The interaction it has with hardware or the operating system (<em>e.g., <\/em>direct memory access, interrupt handling).<\/li>\n<li>Its activation conditions (e.g., initialization) and frequency (e.g., 100 Hz).<\/li>\n<\/ul>\n<p style=\"text-align: center\">\n    <img decoding=\"async\" src=\"https:\/\/innovationspace.ansys.com\/knowledge\/wp-content\/uploads\/sites\/4\/2026\/04\/scade-065-software-design-process.svg\" style=\"max-height: 300px !important\" \/><br \/>\n    <em>Software design process with SCADE Suite<\/em>\n<\/p>\n<p>SCADE Suite is well-adapted to the functional parts of the software, such as decision logic, filtering, or control. It may be less appropriate for low-level software such as hardware drivers, interrupt handlers, and encoding\/decoding routines which may be implemented in C or Rust.<\/p>\n<p>As explained in ECSS-E-ST-40C \u00a75.4.3.1a, &#8220;<em>The supplier shall transform the requirements for the software item into an architecture<\/em>&#8230;&#8221;. Both the SysML notation of <a href=\"https:\/\/www.ansys.com\/products\/embedded-software\/ansys-scade-architect\">SCADE Architect<\/a> and the Scade language of SCADE Suite support the description of software architectural design. <\/p>\n<p>SCADE Architect and SCADE Suite allow:<\/p>\n<ul>\n<li>the description of the top-level structure of the architecture,<\/li>\n<li>the identification of the software components and their interfaces,<\/li>\n<li>a hierarchical structure definition,<\/li>\n<li>the support of the static and dynamic design aspects of the software architecture,<\/li>\n<li>software units&#8217; description in SCADE Suite using the synchronization between SCADE Architect and SCADE Suite.<\/li>\n<li>The SCADE LifeCycle ALM Gateway supports the allocation of the requirements for the software item to the software components, down to the software unit level.<\/li>\n<\/ul>\n<p>SCADE Suite Semantic Checker (a module of SCADE Suite KCG) allows SCADE users to verify the consistency of the data flows between the software components.<\/p>\n<p>&#8220;<em>The software architecture design shall also describe the behaviour of the software, by means of description techniques using automata and scenarios<\/em>&#8221; ECSS-E-ST-40C \u00a75.4.3.4a. <\/p>\n<p>In SCADE Architect, the dynamic behavior can be described using behavioral diagrams (Activity diagram, Sequence diagram, State Machine diagram and Use Case diagram). Specific information (e.g., timing, scheduling, &#8230;) can be captured in the model using annotations. In SCADE Suite, the Scade language allows the description of the design behavior using state machines. The Scade language allows SCADE users to rigorously combine state machines and data flows.<\/p>\n<p>Specific analyses can be implemented directly via scripting using the SADE Suite model API. Data can also be formatted and exported for processing by dedicated tools. <\/p>\n<p>The Software Architectural Design phase prepares the framework for the detailed design phase: defining the top-level functions while ensuring consistency of their interfaces.<\/p>\n<p style=\"text-align: center\">\n    <img decoding=\"async\" src=\"https:\/\/innovationspace.ansys.com\/knowledge\/wp-content\/uploads\/sites\/4\/2026\/04\/scade-065-adcs-suite-model-1.svg\" style=\"max-height: 300px !important\" \/><br \/>\n    <em><\/em>\n<\/p>\n<p>Top-level view of a simple Attitude Determination and Control System<\/p>\n<h4  id=\"SOFTWARE-DESIGN-AND-IMPLEMENTATION-ENGINEERING-PROCESS\">Software Design and Implementation Engineering Process <\/h4>\n<p><strong>Detailed Design of each software component<\/strong><\/p>\n<p>Once the SCADE Suite architecture is defined, the logical models are refined to develop a detailed design for each software component. The objective of this activity is to produce a set of complete and consistent SCADE Suite Detailed Design models (ECSS-E-ST40C \u00a75.5.2.3a).<\/p>\n<p>The Scade language includes both a graphical and a textual representation. It supports a modeling style that brings together capabilities to design complex decision logic, filtering, and control. These elements can be combined without restriction while the modularity of the design is continuously supported. This language efficiently supports good practices for the development of high-integrity software such as encapsulation (modularity), strong typing, concurrency and re-use of components (interface definition, genericity, libraries). <\/p>\n<p>SCADE Suite Modeler allows SCADE users to develop the detailed design models including their static, dynamic and behavioral aspects. Formality of the Scade language ensures a non-ambiguous implementation of the dynamic behavior (ECSS-E-ST-40C \u00a75.5.2.3a).<\/p>\n<p>Regarding timing aspects, ECSS-E-ST-40C \u00a75.5.2.5b requires justification for all timing and synchronization mechanisms. The Scade language provides a simple and clean expression of concurrency at functional level (data flows express dependencies between operators). Within a model, this avoids the traditional problems of deadlocks and race conditions.<\/p>\n<p>There is no need to develop multiple tasks with complex and error-prone synchronization mechanisms.<\/p>\n<p>Finally, the Detailed Design Review (DDR) activity is supported by the documentation of the SCADE Detailed Design that can be automatically generated from the SCADE Suite model with the SCADE LifeCycle Reporter. SCADE Model Change supports incremental reviews.<\/p>\n<p>Reusable components and library management<\/p>\n<p>If SCADE Suite models are reused by the SCADE user for several projects, these SCADE Suite models can be packaged as library components, considering the following:<\/p>\n<ul>\n<li>Library components are usually identified during the design process of a given application and can be considered in most cases as implementation choices, not necessarily described in the software requirements of the application.<\/li>\n<li>Good practice consists in defining software requirements for these library components as a separate document and in developing and verifying the components from these requirements. <\/li>\n<li>When a library is shared between several applications, a self-contained development package may be considered, including its own set of life cycle documentation (requirements, design data, verification reports, &#8230;).<\/li>\n<\/ul>\n<p><strong>Software Coding and Testing Phase<\/strong><\/p>\n<p>Software Coding<\/p>\n<p>ECSS-E-ST-40C \u00a75.5.3.1a requires to develop and document the coding of each software unit. SCADE Suite KCG code generator automatically generates the complete code that implements the software detailed design that was defined in formal notation for both data flows and state machines. <\/p>\n<p style=\"text-align: center\">\n    <img decoding=\"async\" src=\"https:\/\/innovationspace.ansys.com\/knowledge\/wp-content\/uploads\/sites\/4\/2026\/04\/scade-065-software-coding-process.svg\" style=\"max-height: 250px !important\" \/><br \/>\n    <em>Software coding process with SCADE Suite<\/em>\n<\/p>\n<p>The SCADE Detailed Design model completely defines the expected behavior of the generated code. The code generation options define the implementation choices for the software. However, these options never complement nor alter the behavior of the model.<\/p>\n<p>In addition, the generated code has the following properties:<\/p>\n<ul>\n<li>The code is portable and  <a href=\"https:\/\/en.wikipedia.org\/wiki\/ANSI_C\">ISO C<\/a>, <a href=\"https:\/\/en.wikipedia.org\/wiki\/MISRA_C\">MISRA C<\/a> and <a href=\"https:\/\/en.wikipedia.org\/wiki\/CERT_Coding_Standards\">CERT C<\/a> compliant.<\/li>\n<li>Memory allocation is fully static (no dynamic memory allocation).<\/li>\n<li>There is no recursive call.<\/li>\n<li>Only bounded loops are allowed, since they use static values known at code generation time.<\/li>\n<li>Execution time is bounded.<\/li>\n<li>No dynamic address calculation is performed (no pointer arithmetic).<\/li>\n<li>There are no implicit conversions and no expression with side-effects (no <code>i++<\/code>, no <code>a += b<\/code>, no side-effect in function calls).<\/li>\n<li>No functions are passed as arguments.<\/li>\n<\/ul>\n<p>To support automated code integration and compilation a Python Integration Toolbox is provided.<\/p>\n<p>Various code generation options can be used to tune the generated code to a particular target and project constraints. <\/p>\n<p>Software Unit Testing<\/p>\n<p>ECSS-E-ST-40C \u00a75.5.3.2a and \u00a75.5.3.2b require to develop and document the test procedures and data for testing each software unit and to test each software unit ensuring that it satisfies its requirements and document the test results. <\/p>\n<p>Within the SCADE model-based development environment, unit testing is performed by simulation at model level using SCADE Test Environment for Host (TEH). Model simulation allows exercising the behavior of the model. Its main purpose is to provide repeatable evidence of compliance of the model to the requirements from which the model was developed. Moreover, model simulation is an efficient way to detect functional issues very early in the software design and\/or upper-level requirements. <\/p>\n<p>SCADE TEH provides an integrated environment that allows the creation and management of simulation cases and their execution. First, the simulation cases and procedures are developed by the user from the Technical Specification (TS). Second, SCADE TEH executes the simulation cases and produces a qualified test execution report.<\/p>\n<p style=\"text-align: center\">\n    <img decoding=\"async\" src=\"https:\/\/innovationspace.ansys.com\/knowledge\/wp-content\/uploads\/sites\/4\/2026\/04\/scade-065-scade-test-report.png\" style=\"max-height: 600px !important\" \/><br \/>\n    <em>SCADE Test Report<\/em>\n<\/p>\n<p><strong>Software Integration Process<\/strong><\/p>\n<p>ECSS-E-ST-40C \u00a75.5.4.2a states that &#8220;<em>The supplier shall integrate the software units and software components, and test them, as the aggregates are developed, in accordance with the integration plan, ensuring that each aggregate satisfies the requirements of the software item and that the software item is integrated at the conclusion of the integration activity<\/em>&#8220;. <\/p>\n<p>The integration of a SCADE application is about:<\/p>\n<ul>\n<li>SCADE Suite module integration<\/li>\n<li>Interface with the external environment (Inputs\/Outputs)<\/li>\n<li>Integration of external data and code<\/li>\n<li>Scheduling and tasking.<\/li>\n<\/ul>\n<p>Interface to physical sensors and\/or to data buses is usually handled by drivers. These drivers are usually not developed in Scade but in C or assembly language.<\/p>\n<p>SCADE Suite module integration and testing<\/p>\n<p>A module refers here to the code generated by SCADE Suite KCG from a SCADE Suite component. <\/p>\n<p>There are two alternatives for generating code: <\/p>\n<ul>\n<li>Generating all code in one run, using the &#8220;multi-root operators&#8221; SCADE Suite KCG option. <\/li>\n<li>Generating code for each root operator separately and then integrating all C or Ada generated codes into the application. <\/li>\n<\/ul>\n<p>The first alternative is highly recommended unless there is a major reason for not using it. It is the safest and cleanest way to integrate the different root nodes. It is also highly recommended as a means for performing verification and validation of the global behavior. The second alternative requires a strict coding and integration process with additional verification activities to check the consistency of the interfaces and of the integration:<\/p>\n<p>Depending on the selected code generation process, the user must manage the integration of one or several SCADE Suite modules with the rest of the software application. The integration strategy and testing must be defined and performed by the SCADE user.<\/p>\n<p>Integration of external code<\/p>\n<p>SCADE Suite allows referencing external code in models. Scade includes the concept of imported constants, types, and functions. The declaration of these external data is performed at model level in Scade whereas their definition is given in C language.<\/p>\n<p>For model simulation purposes, SCADE Test automatically compiles and links external code when the path names of the source files are given in the project settings.<\/p>\n<p>Scheduling and tasking<\/p>\n<p>Scheduling must be addressed in the preliminary design phase, but for the sake of simplicity it is described below.<\/p>\n<p>The SCADE Suite execution semantics is based on a cycle-based execution model. This model can be represented with the following figure.<\/p>\n<p style=\"text-align: center\">\n    <img decoding=\"async\" src=\"https:\/\/innovationspace.ansys.com\/knowledge\/wp-content\/uploads\/sites\/4\/2026\/04\/scade-065-suite-execution-semantics.svg\" style=\"max-height: 150px !important\" \/><br \/>\n    <em>SCADE Suite execution semantics<\/em>\n<\/p>\n<p>The software application samples the inputs from the environment and sets them as inputs for the SCADE Suite generated code. The main SCADE Suite function of the generated code is called. When code execution ends, the calculated outputs can be used to act upon the environment. The software application is ready to start another cycle.<\/p>\n<p>A bare metal implementation is straightforward; the cycle can be started in different ways:<\/p>\n<ul>\n<li>Polling: a new cycle is started immediately after the end of the previous one in an infinite loop.<\/li>\n<li>Event triggered: a new cycle is started when a new start event occurs.<\/li>\n<li>Time triggered: a new cycle is started regularly, based on a clock signal.<\/li>\n<\/ul>\n<p>The SCADE generated code can be simply included in an infinite loop, waiting or not for an event or a clock signal to start a new cycle.<\/p>\n<p><!-- HTML generated using hilite.me --><\/p>\n<div style=\"background: #ffffff;overflow:auto;width:auto;background:none;border:none;padding:.2em .6em\">\n<pre style=\"margin: 0;line-height: 125%\"><span><\/span>begin_loop\r\nwaiting <span style=\"font-weight: bold\">for<\/span> an event (usually clock signal)\r\nsetting SCADE Suite inputs\r\ncalling SCADE Suite<span style=\"font-weight: bold\">-<\/span>generated main function\r\nusing SCADE Suite outputs\r\nend_loop\r\n<\/pre>\n<\/div>\n<p>A SCADE Suite design can be easily integrated into an RTOS task as shown below. The infinite loop construct is replaced by a task. This task is activated by the start event of the design, which can be a periodic alarm or a user activation.<\/p>\n<p style=\"text-align: center\">\n    <img decoding=\"async\" src=\"https:\/\/innovationspace.ansys.com\/knowledge\/wp-content\/uploads\/sites\/4\/2026\/04\/scade-065-scade-suite-code-integration-1.svg\" style=\"max-height: 500px !important\" \/><br \/>\n    <em>SCADE Suite code integration<\/em>\n<\/p>\n<p>This architecture can be designed by hand for any RTOS. The SCADE Code Integration Toolbox allows to automate code production and integration, and examples are provided for different commercial OS.<\/p>\n<p>Note that concurrency is expressed functionally in SCADE Suite models and that SCADE Suite KCG considers data flow dependencies to generate sequential code. There is no need for the user to spend time sequencing parallel flows, neither during modeling nor during implementation. There is no need to develop multiple tasks with complex and error-prone synchronization mechanisms. Other code, such as hardware drivers, may run in separate tasks, provided they do not interfere with the SCADE Suite generated code.<\/p>\n<h3  id=\"ECSS-Q-ST-80C-SPACE-PRODUCT-ASSURANCE-SOFTWARE-PRODUCT-ASSURANCE\">ECSS-Q-ST-80C (Space product assurance &#8211; Software product assurance)<\/h3>\n<p>ECSS-Q-ST-80C brings additional requirements related to the software development, among them: <\/p>\n<p><strong>Modeling and coding standards<\/strong>: &#8220;<em>modelling standards for automatic code generation tools shall be defined and applied&#8221; <\/em>and <em>&#8220;adherence to modelling standards shall be verified&#8221; <\/em>ECSS-Q-ST-80C \u00a76.2.8. <\/p>\n<p>Along with the SCADE tools, a SCADE Suite Software Modeling Standard is provided, giving a set of modeling rules seeking software completeness, accuracy, consistency, verifiability, traceability, and maintainability. This standard is delivered to the user as a template and needs to be customized for a given project. The rules can be modified, deleted or completed by the user. In addition, the modeling rules that can be automated are natively implemented within the SCADE Suite Modeler and can be verified automatically using SCADE Suite Rule Checker.<\/p>\n<p>In addition, ECSS-Q-ST-80C \u00a76.3.4 requires the definition of coding standards. As mentioned above, when using SCADE Suite, all verification activities are performed at model level. The qualification strategy of SCADE Suite KCG allows its users to generate source code without verifying it. Moreover, SCADE Suite KCG generates a safe subset of the C language, that is <a href=\"https:\/\/en.wikipedia.org\/wiki\/ANSI_C\">ISO C<\/a>, <a href=\"https:\/\/en.wikipedia.org\/wiki\/MISRA_C\">MISRA C<\/a> and <a href=\"https:\/\/en.wikipedia.org\/wiki\/CERT_Coding_Standards\">CERT C<\/a> compliant.<\/p>\n<p><strong>Handling of critical software: <\/strong>The supplier is requested to justify and apply measures to assure the dependability and safety of critical software (ECSS-Q-ST-80C \u00a76.2.3.2a). Examples of such measures given in \u00a76.2.3.2a are following:<\/p>\n<ul>\n<li>defensive programming techniques, such as input verification and consistency checks; <\/li>\n<li>use of a &#8220;safe subset&#8221; of programming language; <\/li>\n<li>use of formal design language for formal proof; <\/li>\n<li>100 % code branch coverage at unit testing level; <\/li>\n<li>full inspection of source code; <\/li>\n<li>use of dynamic code verification techniques,<\/li>\n<li>etc.<\/li>\n<\/ul>\n<p>With that regard, SCADE Suite allows to support the achievement of such objectives as:<\/p>\n<ul>\n<li>SCADE Suite Development Environment provides a SCADE Software Modeling Standard which includes robustness rules. Rules that can be automated are natively implemented within the SCADE Suite Modeler and can be verified automatically using SCADE Suite Rule Checker.<br \/>\nThis modeling standard is customizable by the SCADE user who can modify\/complement the proposed set of rules.<\/li>\n<li>SCADE Suite KCG generates a safe subset of the C language, that is MISRA-C and Cert-C compliant.<\/li>\n<li>SCADE Suite Design Verifier (a formal verification assistant) allows SCADE users to formally express Proof Objectives from safety requirements and assess them, thus providing a productive way to find bugs early in the SCADE Suite modeling process. SCADE Design Verifier automatically produces a counter example in case a Proof Objective is not satisfied by the SCADE Suite model under consideration.<\/li>\n<li>SCADE Test Model Coverage supports the measurement of the model coverage while the coverability assistant allows the user to perform coverability analysis early in the development process and thus accelerating the achievement of the model coverage goals.<\/li>\n<li>SCADE LifeCycle Reporter and SCADE Model Change support SCADE Model inspection.<\/li>\n<li>SCADE Test Environment for Host (TEH) supports dynamic verification of the SCADE Models by exercising them on host using requirement-based test cases and procedures.<\/li>\n<\/ul>\n<p>For more details about the verification activities, refer to part 3 of this blog series. <\/p>\n<p><strong>Basic Metrics: <\/strong>ECSS-Q-ST-80C \u00a77.1.5a and \u00a77.1.6a require metric collection and analysis to give the customer insights about the level of quality reached. Among the basic metric that shall be used:<\/p>\n<ul>\n<li>size (code) and complexity (design, code): SCADE Suite KCG computes metrics on selected parts of a SCADE Model and generates the results in XML format. The tool produces the metrics for each object it applies to (operator, state machine, complete model, etc.), and the result can be used for complexity analyses of the SCADE Model. SCADE Suite KCG Metrics comes with a set of predefined metrics like:\n<ul>\n<li>Total number of constants of a model, total number of diagrams of a model <\/li>\n<li>Number of inputs and outputs of an operator<\/li>\n<li>Depth of state machines, number of transitions in a state machine<\/li>\n<li>etc.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>In addition, Python files can be used to specify additional metrics to be computed.<\/p>\n<ul>\n<li>test coverage: SCADE LifeCycle ALM Gateway supports the allocation of SCADE test cases and procedures to the requirements baseline. SCADE Test Model Coverage is used to measure coverage of SCADE Suite models by SCADE test cases. These support the assessment of test coverage.<\/li>\n<li>number of failures: provided by SCADE TEH which generates a compliance report with passed and failed tests.<\/li>\n<\/ul>\n<h3  id=\"ABOUT-THE-AUTHOR\">About the author<\/h3>\n<h4  id=\"\"><\/h4>\n<table style=\"max-width: 1000px;border: none !important\">\n<tr>\n<td style=\"padding: 0px 10px;min-width: 150px;border: none !important\">\n<p style=\"text-align: center\">\n    <img decoding=\"async\" src=\"https:\/\/innovationspace.ansys.com\/knowledge\/wp-content\/uploads\/sites\/4\/2026\/04\/scade-065-author.png\" style=\"max-height: 150px !important\" \/><br \/>\n                <em><\/em>\n<\/p>\n<\/td>\n<td style=\"padding: 0px 10px;min-width: 150px;border: none !important\">\n<p><strong>Amina MEKKI-MOKHTAR<\/strong> (<a href=\"https:\/\/www.linkedin.com\/in\/dr-amina-mekki-mokhtar-58a7b383\/\">LinkedIn<\/a>) is a Safety Manager and Senior Software Safety Expert at Synopsys. She is an active member of several safety standardization committees working on IEC 61508-3, ISO 26262, ISO PAS 8800, ISO\/IEC TS 22440, DO-178C and its supplements, etc. She has experience in software safety, software architecture, certification, model-based development, safety analyses, safety audits, and tool qualification. She has an engineering degree in computer science, master&#8217;s degree in cyber security and PhD in dependable computing.<\/p>\n<\/td>\n<\/tr>\n<\/table>\n","protected":false},"template":"","class_list":["post-198353","topic","type-topic","status-publish","hentry","topic-tag-ecss-e-st-40c","topic-tag-ecss-q-st-80c","topic-tag-safety","topic-tag-scade","topic-tag-space","topic-tag-space-product-assurance-standard","topic-tag-space-software-engineering"],"aioseo_notices":[],"acf":[],"custom_fields":[{"0":{"_edit_lock":["1776964612:1769"],"_edit_last":["1769"],"_aioseo_title":[null],"_aioseo_description":[null],"_aioseo_keywords":["a:0:{}"],"_aioseo_og_title":[null],"_aioseo_og_description":[null],"_aioseo_og_article_section":[""],"_aioseo_og_article_tags":["a:0:{}"],"_aioseo_twitter_title":[null],"_aioseo_twitter_description":[null],"filter_by_optics_product":["Lumerical"],"_filter_by_optics_product":["field_64fb192ba3121"],"application_name":[""],"_application_name":["field_64a80903c8e15"],"family":[""],"_family":["field_64a809229a857"],"siebel_km_number":[""],"_siebel_km_number":["field_63ecbffce60db"],"salesforce_km_number":[""],"_salesforce_km_number":["field_63ecc018e60dc"],"km_published_date":[""],"_km_published_date":["field_64c77704499dd"],"product_version":[""],"_product_version":["field_64c776cb4fd2e"],"_bbp_forum_id":["27825"],"_bbp_topic_id":["198366"],"_bbp_author_ip":["87.190.19.71"],"_bbp_last_reply_id":["0"],"_bbp_last_active_id":["198354"],"_bbp_last_active_time":["2026-04-22 15:34:14"],"_bbp_reply_count":["0"],"_bbp_reply_count_hidden":["0"],"_bbp_voice_count":["0"],"_btv_view_count":["38"],"_bbp_likes_count":["1"]},"test":"solution"}],"_links":{"self":[{"href":"https:\/\/innovationspace.ansys.com\/knowledge\/wp-json\/wp\/v2\/topics\/198353","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/innovationspace.ansys.com\/knowledge\/wp-json\/wp\/v2\/topics"}],"about":[{"href":"https:\/\/innovationspace.ansys.com\/knowledge\/wp-json\/wp\/v2\/types\/topic"}],"version-history":[{"count":8,"href":"https:\/\/innovationspace.ansys.com\/knowledge\/wp-json\/wp\/v2\/topics\/198353\/revisions"}],"predecessor-version":[{"id":198366,"href":"https:\/\/innovationspace.ansys.com\/knowledge\/wp-json\/wp\/v2\/topics\/198353\/revisions\/198366"}],"wp:attachment":[{"href":"https:\/\/innovationspace.ansys.com\/knowledge\/wp-json\/wp\/v2\/media?parent=198353"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}