Checking SCADE Models for Correct Usage of Physical Units

Rupert Schlick¹, Wolfgang Herzner¹, Thierry Le Sergent²

¹ ARC Seibersdorf research, division Information Technology
{rupert.schlick, wolfgang.herzner}@arcs.ac.at
² Esterel Technologies
thierry.lesergent@esterel-technologies.com

Abstract. Mismatches of units and of scales of values in physical calculations are disastrous, but rather common, in the development of embedded control systems. They can be as plain as mixing feet and metres, or as hidden as a wrong exponent in a complex calculation formula. These errors can be found by a checking algorithm, following some simple rules, if information on the units of the used variables is provided. This paper describes a developer-friendly approach of providing this checking functionality in SCADE, a model-based graphical development tool for safety-critical embedded applications.¹

Key words: physical units, safety, verification, error detection, dependable embedded systems, model based software development, SCADE, DECOS

1 Introduction

Control systems usually have to deal with physical quantities like time, temperature, length, speed or electrical current. Simply using numeric standard data types like real or float paves the way for typical programming errors like mixing scales (e.g. adding seconds and milliseconds), using wrong operators (v : m*s), swapping operands (v : s/m) etc. The best-known and most notorious example is the loss of the Mars Climate Orbiter in 1999 [11], caused by a unit conversion mistake not found during testing. But Earth-bound safety-critical applications are prone to this family of errors as well.

While several methods and tools are available for various programming languages to cope with such problems (see section 5), for data-flow oriented modelling languages like Simulink [17] or SCADE [13], which are increasingly used in the domain of embedded systems, this is less the case.
In particular, SCADE is especially appropriate for development of safety-critical applications, due to its strict temporal execution model, various included testing and verification tools like a model checker and a qualified C-code generator. Since in DECOS, which aims at development support of

¹ This work is partially funded by DECOS (Dependable Embedded COmponents and Systems), an integrated project funded by the EU within priority “Information Society Technologies (IST)” in the sixth EU framework programme (contract no. FP6-511 764).