Liebherr uses the Ansys development environment for embedded software

On the safe side with SCADE

When it comes to using safety-critical embedded software at Liebherr - as is the case in many application areas and development centers at various factories - Ansys SCADE is used. Ansys SCADE, a development environment for model-based solutions, serves as a platform for the realization of safety-critical embedded software and CADFEM provides comprehensive support.

For example, in Bischofshofen, Austria, the Liebherr competence center for wheel loaders uses Ansys SCADE to ensure the reliability and efficiency of these construction machines. Founded in 1960, the plant now employs around 1,000 people. The wheel loaders they develop and manufacture embody decades of experience and a high level of expert knowledge of these machines.

Embedded software for safety-critical applications

In order to meet the high customer requirements for construction machines, in addition to mechanical engineering components, both the electronics hardware and the integrated software (embedded software) play a decisive role. Safety-relevant functions in particular must be implemented with reliable hardware and appropriate software. In the case of the hardware, failures of individual elements are compensated for by redundant design, for example, in order to prevent harm to people, machines and the environment. The embedded software of the microcontroller allows access to the system and the application at any time so that it never behaves unexpectedly or, in the worst case, even “freezes”.

At Liebherr in Bischofshofen, Dipl.-Ing. Georg Walkner is responsible for the steadily growing development area of embedded software for the wheel loader division. He has been working at this location for ten years and, together with eight other colleagues, implements the software in accordance with the requirements as part of the formal development process. In addition, two test engineers complement the development team.

SCADE history with Liebherr

About 15 years ago, Liebherr conducted an intensive analysis of the available solutions for the realization of safety-critical embedded software. The company ultimately opted for SCADE because this solution combined several benefits:

a modularized software development,
an integrated software development process, and
a significant reduction in development times and costs.

Another benefit is that application or software specialists are not necessarily required to implement the software, nor are domain-specific language skills necessary. This means that customer requirements can be implemented quickly and in a targeted manner. The cross-location function libraries, which significantly accelerate new developments, also contribute to this.

Ansys SCADE development environment

About ten years ago (2012), SCADE software, which includes several products, was added to the Ansys product family. The design of the system and software architecture is done with SCADE Architect, although the architecture can be directly synchronized with an embedded software implementation in SCADE Suite. SCADE Suite enables modular implementation of both simple and very complex command and control functions using graphical programming. The heart of SCADE is the automatic code generator KCG, which is used to convert the model-based representation into C or ADA code. To complete the virtual software development process, the correct functionality can be verified and validated using SCADE Test and the completeness of test coverage using Model Coverage. The SCADE product range is supplemented by SCADE LifeCycle. This module enables the connection to requirement management systems as well as automatic reporting.

The modules of Ansys SCADE — The individual modules of Ansys SCADE for the development of embedded software | ® Liebherr-Werk Bischofshofen GmbH

Linking hardware and software

“To understand how the application software of a wheel loader works,” says Georg Walkner, “you first have to understand how the software interacts with the inputs and outputs of the hardware as well as how it exchanges information with other systems.” The application software is based on cyclic activation. This means that it is triggered either by certain events or by a specified time frame.

Interaction and exchange with other systems — Interaction of the software with the inputs and outputs of the hardware as well as the exchange with other systems | ® Liebherr-Werk Bischofshofen GmbH

In complex systems, numerous sensor variables and information must be taken into account. The resulting number of inputs and outputs to be linked can quickly grow into the hundreds. Liebherr decided early on to use a common embedded system platform for the various products such as earthmovers, cranes, or excavators. As Georg Walkner explains, “the predevelopment department provides us with a hardware platform that is equipped with a specially developed framework called PMElink. This allows us to easily link the inputs and outputs of hardware and software, meaning that the individual Liebherr locations can concentrate on implementing their product-specific applications.”

“The software we develop for our wheel loaders is divided into two areas: software with and without safety aspects,” Georg Walkner continues. “Today, a wheel loader is largely controlled ‘by-wire’ (or electronically using a joystick). This ranges from controlling the drive train to controlling the mast or the attachment tool, such as a spoon handle. These are all safety-critical functions, as is controlling the parking brake.” In contrast, comfort, monitoring, and statistical information are not part of the safety-relevant area. But all software components are realized with Ansys SCADE. The functions are divided into safety-critical and non-safety-critical as part of the hardware integration with PMElink.

Current challenges and future developments

During the more than ten years of using SCADE at Liebherr, the development environment has of course evolved considerably, especially due to the integration into the Ansys portfolio. Thus, with SCADE Test, a framework for the model-based testing of applications has been improved. Here, a distinction is made between application and module tests and test coverage analyses (model coverage). “The application and module tests verify the correct functionality of the individual program components, with the test specifications themselves being developed by a test engineer,” reports experienced developer and tester Georg Walkner. “Afterwards, the test coverage analysis shows whether there are still fragments of the application that have not been tested. If this is the case, the test specification must be extended again.”

Other innovations that Liebherr will be working on in the coming years involve Model-Based Systems Engineering (MBSE), which will gradually advance the digitalization of the development process. Although digital behavioral models of components and systems pose numerous challenges, they allow software to be tested in the digital test field using methods such as software-in-the-loop. “Being a rather small site in Bischofshofen where the different developers know each other well, it makes sense to initially implement the topic of MBSE using a demonstrator as a proof-of-concept. State space models can then be derived from FEM or CFD simulation models, for example, so that they can then be controlled with our control software as part of the system simulation.”

Model-Based Systems Engineering (MBSE) optimizes development processes | ® Liebherr-Werk Bischofshofen GmbH

Another piece of the puzzle in the digitalization of the development process is the connection of requirements management systems to the Ansys SCADE development environment. “The function that can be used in SCADE to establish traceability between requirements and software implementation has been known to us for a long time,” explains Georg Walkner. “However, the flexibility in terms of which elements of an implementation could be referenced was previously somewhat limited. Today, new constructs and features are available in SCADE that allow granular references to SCADE elements, which greatly helps us in implementing traceability.”

We are well positioned in terms of cybersecurity

The use of SCADE in many Liebherr locations has resulted in the formation of a SCADE community that regularly exchanges information on current challenges. “The ever-increasing proportion of software in products will certainly increase the importance of SCADE once again in the coming years,” Georg Walkner concludes. “Likewise, the growing cybersecurity requirements as digital product services will increase the importance of safety-critical embedded software development. At Liebherr, we consider ourselves to be very well positioned for the future. This is due to our extensive experience in the use of Ansys SCADE and the additional functionalities that have become available with the new versions.”