By Marc Richard-Foy, Alsys, and Gilles Legoff, CSEE-Transport
(source: Alsys World Dialogue, vol. 8, no. 2, Summer 1994)
As computer control becomes more and more extensive in our everyday
lives, safety critical software systems are taking on increasing
importance. Hospitals, avionics, and ground transportation systems rely
on safety critical practices to supply their clients with safe,
reliable products and services that inspire confidence.
While software solutions for critical
applications are attractive for their flexibility, they also bring the
chance of error. Positive measures are required in software engineering
to reduce the risk of errors in the development of safety critical
software. And, as applications expand and public expectations for
safety increase, a growing number of industries are developing and
enforcing their own safety critical standards.
The railway industry is a leader in the
development of safety critical systems. Modern rail transport systems
contain a diverse combination of computers controlling non-critical
functions such as entertainment systems and cabin lights, as well as
safety critical systems such as track/train transmission, speed
control, and "buried" or ground/embedded computer signaling.
For managing traffic speed and capacity on
its new TGV (Train à Grande Vitesse) line between Paris and Lille, and
on the Channel link between France and Great Britain, the French
National Railroad (SNCF) uses an automatic train control system named
TVM 430. This system displays instructions for train engineers and
checks that these instructions are properly executed. TVM 430 is a
fully automated system that was developed by CSEE Transport (Compagnie
des Signaux). It is comprised of train- and ground-based modules, each
containing several embedded 68020-based boards communicating over a VME
bus.
Development of the TVM 430 for the North line
and Channel link, which opened in 1993, was a five-year development
effort for a 20-person software team. Their goal was to provide the
train driver with a system that would continuously display current
track position and speed limitations on a rail line often reaching
speeds of up to 320 km per hour (200 m.p.h.). Using the critical display
of speed limitations, the driver can ensure that train speed is always
lower than the maximum authorized by signals, by points or switches, and
by the position of other trains on the line.
When the TVM 430 development effort began in 1988, the CSEE Transport
team (then using Modula-2 for its projects) conducted an extensive
study of industrial languages which led them to select Ada for their
project. They found Ada's key strengths for a signaling and speed
control system included maintainability, portability, and strong typing
for safety applications, as well as similarity to their previous
development language.
As an ANSI and ISO standard, Ada is well
defined and stable for developing tools and libraries. It supports
object-oriented design for abstraction and reuse of components and
offers a coherent, modular construction that aids in the detection of
errors at an early stage of development. Moreover, Ada provides safety
critical developers with low-level features that enable basic elements
of the target hardware to be accessed in a logical manner. The address
representation clause, enumeration representation clauses, and unchecked
conversions are some of the features enabling a program to be directly
mapped to the target processor.
Control over the visibility of types,
operations, and data also provides a way of limiting the features which
may be used by any program unit. For example, before the generic
function Unchecked_Conversion can be used, it must be made visible by a
WITH clause in the unit that instantiates it. This exposes the potentially
unsafe areas of the program, so that they can be given special treatment
and testing to ensure that the safety of the program as a whole is not
compromised.
The TVM 430 system software was completely developed and tested on a
VAX/VMS computer and compiled with an Alsys Ada cross compiler to
implement software on 68000 family-specific boards. The system is
composed of four subsystems, each contributing to the safety critical
solution.
- The on-board train subsystem displays speed limitations and controls train speed.
- The fixed subsystem controls the interface with the tracks,
computations of maximum speed, and the transmission of speed
limitations to the train through equipment associated with increments
of 15 km (10 miles) of track.
- The parameters subsystem controls field equipment. These tools are implemented on a VAXstation.
- The simulator subsystem controls testing and validation of
each subsystem and the global system when there is a modification of
either the system, train characteristics, or the track. These tools are
implemented on VAX/VMS, IBM PC, and 68000-family-specific boards.
All the subsystems were developed with Ada as the principal language.
The size of the application in lines of code is as follows:
- On-board subsystem: 100,000 total, 60,000 Ada
- Fixed subsystem: 100,000 total, 50,000 Ada
- Parameters tool: 100,000 total, 50,000 Ada
- Simulator: 80,000 total, 60,000 Ada
Certification guidelines for safety critical
applications stress the importance of a process based on sound
engineering practice. Therefore, the development steps for safety
critical software must be well understood and documented, including the
Software Development Plan (Controlled Software Engineering Method) and
the Software Verification Plan (Review, Testing and Formal Analysis).
Several kinds of testing strategies are
required for safety critical systems. "Black Box" testing
verifies that each function generates the expected results or
observable effect under all possible conditions. Each function is
tested with its typical data values and also at the outer boundaries to
check behavior under extreme conditions. "Glass Box" testing is a more
stringent process. Analyzing the structure of a function ensures that
all elements are required and executed, that all execution paths
operate under all conditions, and that every condition has been
exercised for both its true and its false evaluation.
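The two practices described above, confining an unsafe feature behind a WITH clause so that it can be reviewed as a unit, and testing each function with typical values, outer boundaries, and both outcomes of every condition, can be shown in one Ada unit. The following is an added example written for this page; it is not code from the article, from Alsys, or from CSEE Transport's TVM 430. The package name, the aspect codes, the register address and the test values are assumptions made for illustration. It uses Ada 95 syntax for the address clause and pragma Volatile (the Ada 83 form is noted in a comment); Unchecked_Conversion remains available under that name in later Ada as a renaming of Ada.Unchecked_Conversion.

```ada
--  Added example; not part of the original article or of the TVM 430
--  sources.  Spec and body of a package that confines the hardware-mapping
--  features to one unit, followed by a test program for its decode routine.
with Unchecked_Conversion;   --  the one WITH clause that exposes the unsafe feature
with System.Storage_Elements;

package Track_Status is

   --  Signal aspect as wired on a hypothetical interface board: the
   --  enumeration representation clause fixes each code (assumed values).
   type Signal_Aspect is (Stop, Caution, Clear);
   for Signal_Aspect use (Stop => 16#01#, Caution => 16#02#, Clear => 16#04#);
   for Signal_Aspect'Size use 8;

   type Byte is range 0 .. 255;
   for Byte'Size use 8;

   --  Raised when a register value is not one of the three wired codes.
   Bad_Encoding : exception;

   --  Pure decoding step, kept separate from the register read so it can be
   --  tested with chosen values (black box) and for every branch (glass box).
   function Decode (Raw : Byte) return Signal_Aspect;

   --  Reads the board register and decodes it.
   function Current_Aspect return Signal_Aspect;

end Track_Status;

package body Track_Status is

   use System.Storage_Elements;

   --  Hypothetical memory-mapped status register.  The address is an
   --  assumption, not the TVM 430 memory map.  Ada 83 wrote this clause as
   --  "for Status_Register use at ...".
   Status_Register : Byte;
   for Status_Register'Address use To_Address (16#00FF_0000#);
   pragma Volatile (Status_Register);

   --  The only instantiation of Unchecked_Conversion in the program.
   function To_Aspect is new Unchecked_Conversion
     (Source => Byte, Target => Signal_Aspect);

   function Decode (Raw : Byte) return Signal_Aspect is
   begin
      --  Unchecked_Conversion does not check that the bit pattern is a legal
      --  enumeration value, so the check is done explicitly first.
      case Raw is
         when 16#01# | 16#02# | 16#04# =>
            return To_Aspect (Raw);
         when others =>
            raise Bad_Encoding;
      end case;
   end Decode;

   function Current_Aspect return Signal_Aspect is
   begin
      return Decode (Status_Register);
   end Current_Aspect;

end Track_Status;

--  Test program: typical values, outer boundaries, and both outcomes of the
--  validity check.  Running it on a development host exercises Decode only;
--  Current_Aspect touches the target register and is left to target testing.
with Ada.Text_IO;
with Track_Status; use Track_Status;

procedure Test_Track_Status is
   Failures : Natural := 0;

   --  Calls Decode with a value that must be rejected and counts a failure
   --  if the "others" branch was not taken.
   procedure Expect_Bad (Raw : Byte) is
      A : Signal_Aspect;
   begin
      A := Decode (Raw);
      Ada.Text_IO.Put_Line ("decoded " & Signal_Aspect'Image (A)
                            & " from an unwired code");
      Failures := Failures + 1;
   exception
      when Bad_Encoding => null;    --  expected path
   end Expect_Bad;

begin
   --  Typical values: each wired code maps to its aspect (condition true).
   if Decode (16#01#) /= Stop or Decode (16#02#) /= Caution
     or Decode (16#04#) /= Clear
   then
      Failures := Failures + 1;
   end if;

   --  Boundaries of Byte and an in-range but unwired pattern (condition false).
   Expect_Bad (Byte'First);
   Expect_Bad (Byte'Last);
   Expect_Bad (16#03#);

   Ada.Text_IO.Put_Line ("failures:" & Natural'Image (Failures));
end Test_Track_Status;
```

Because the only WITH of Unchecked_Conversion sits at the top of Track_Status, a reviewer can find every unit that needs the special treatment the article describes by searching the sources for that clause, and the explicit case statement in Decode is what gives the conversion a checked boundary: the unchecked conversion itself would happily return an out-of-range Signal_Aspect for a pattern such as 16#03#.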
Development of the TVM 430 project was under
the control of a strict quality assurance plan. Ada, as a general
purpose language, contains features which should not normally be used in
safety critical applications. Since TVM 430 required total bounding in
time and memory, the time to execute and amount of memory used by each
element of the program were determined and verified as part of the
certification process.
With the era of safety critical and highly
reliable software just beginning, Ada has proven its advantages for
projects such as the TVM430. As CSEE Transport has experienced,
software configuration is validated earlier in the development phase,
Ada software tests are quicker and easier than other languages,
portability from the VAX to a 68000 family microprocessor can be
achieved, the quality of the software is enhanced, and ultimately the
safety team and the customer are more confident.
TVM 430 was the first Ada safety software to
obtain certification in the railway industry and the first to be
granted certification by an international committee (for the Channel
link application). New transportation projects, such as ATP (Automatic
Train Protection) for the Korean TGV, are making Ada a wise choice for
their safety critical software functions.