2008-07-27 22:50:14
Ada in the French TGV (High-Speed Rail) System
On-board with Safety Critical Software: Implementing Safety Critical Software for High-Speed Railway Transportation
By Marc Richard-Foy, Alsys, and Gilles Legoff, CSEE-Transport
(source: Alsys World Dialogue, vol. 8, no. 2, Summer 1994)
Background
As computer control becomes more and more extensive in our everyday lives, safety critical software systems are taking on increasing importance. Hospitals, avionics, and ground transportation systems rely on safety critical practices to supply their clients with safe, reliable products and services that inspire confidence.
While software solutions for critical applications are attractive for their flexibility, they also bring the risk of error. Positive measures are required in software engineering to reduce that risk in the development of safety critical software. And, as applications expand and public expectations for safety increase, a growing number of industries are developing and enforcing their own safety critical standards.
The railway industry is a leader in the development of safety critical systems. Modern rail transport systems contain a diverse combination of computers controlling non-critical functions such as entertainment systems and cabin lights, as well as safety critical systems such as track/train transmission, speed control, and "buried" or ground/embedded computer signaling.
For managing traffic speed and capacity on its new TGV (Train à Grande Vitesse) line between Paris and Lille, and on the Channel link between France and Great Britain, the French National Railroad (SNCF) uses an automatic train control system named TVM 430. The system displays instructions to the train driver and checks that these instructions are properly executed. TVM 430 is a fully automated system developed by CSEE Transport (Compagnie des Signaux). It comprises train- and ground-based modules, each containing several embedded 68020-based boards communicating over a VME bus.
Development of TVM 430 for the North line and Channel link, which opened in 1993, was a five-year effort for a 20-person software team. Their goal was a system that continuously shows the driver the current track position and the speed limitations in force on a line where trains reach speeds of up to 320 km per hour (200 m.p.h.). Using this safety critical display of speed limitations, the driver ensures that train speed never exceeds the maximum authorized by the signals, by points and switches, and by the positions of other trains on the line.
Safe Ada Programming Puts TVM 430 on the Right Track
When the TVM 430 development effort began in 1988, the CSEE Transport team (then using Modula-2 for its projects) conducted an extensive study of industrial languages and selected Ada. Ada's key strengths for a signaling and speed control system were maintainability, portability, and strong typing for safety applications, as well as its similarity to their previous development language.
As an ANSI and ISO standard, Ada is well defined and stable enough to build tools and libraries on. It supports object-oriented design for abstraction and reuse of components and offers a coherent, modular construction that helps detect errors at an early stage of development. Moreover, Ada provides safety critical developers with low-level features that give access to basic elements of the target hardware in a controlled, logical manner: address representation clauses, enumeration representation clauses, and unchecked conversions are among the features that let a program be mapped directly onto the target processor.
Control over the visibility of types, operations, and data also provides a way of limiting the features that any program unit may use. For example, before the generic function UNCHECKED_CONVERSION can be instantiated, it must be made visible by a WITH clause in that unit. The potentially unsafe areas of the program are therefore exposed in its WITH clauses, where they can be given special treatment and testing to ensure that the safety of the program as a whole is not compromised.
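The following package is an added illustration of the three features just named, written in Ada 95 style; it is not code from the TVM 430 project, and the package, type and register names, as well as the register address, are hypothetical. The spec maps an enumeration onto the bit patterns a field device sends and pins an object to a memory-mapped register; the body is the only unit that names Ada.Unchecked_Conversion, so an auditor finds every unsafe reinterpretation by reading WITH clauses.

```ada
--  Added example, not code from the TVM 430 project.  Package, type and
--  register names are hypothetical; the register address is made up.

with System.Storage_Elements;

package Track_Interface is

   --  Signal aspects as reported by the field equipment.  The enumeration
   --  representation clause pins each literal to the bit pattern the
   --  hardware sends, so no translation table is needed.
   type Aspect is (Stop, Caution, Clear);
   for Aspect use (Stop => 2#001#, Caution => 2#010#, Clear => 2#100#);
   for Aspect'Size use 8;

   --  A raw byte as read from the interface board.
   type Raw_Byte is mod 2**8;
   for Raw_Byte'Size use 8;

   --  Address representation clause: the object lives at the (hypothetical)
   --  memory-mapped status register of the VME interface board rather than
   --  wherever the compiler would otherwise have placed it.
   Status_Register : Raw_Byte;
   for Status_Register'Address use
     System.Storage_Elements.To_Address (16#00FF_0000#);
   pragma Volatile (Status_Register);

   --  Reads the register and returns a checked Aspect.  Raises
   --  Constraint_Error if the byte is not one of the three valid patterns.
   function Current_Aspect return Aspect;

end Track_Interface;

--  Only the body names Ada.Unchecked_Conversion.  A reviewer auditing the
--  program for unsafe reinterpretations has one place to look: the WITH
--  clauses at the top of each compilation unit.
with Ada.Unchecked_Conversion;

package body Track_Interface is

   function To_Aspect is
     new Ada.Unchecked_Conversion (Source => Raw_Byte, Target => Aspect);

   function Current_Aspect return Aspect is
      Raw    : constant Raw_Byte := Status_Register;
      Result : Aspect := To_Aspect (Raw);
   begin
      --  'Valid is what makes the unchecked conversion safe to use: it
      --  tests whether the bit pattern denotes one of the declared
      --  literals.  Without it, a corrupt byte would yield an Aspect on
      --  which comparisons and case statements have undefined results.
      if not Result'Valid then
         raise Constraint_Error;
      end if;
      return Result;
   end Current_Aspect;

end Track_Interface;
```

For GNAT, split the spec and body into track_interface.ads and track_interface.adb. The article predates Ada 95, whose Safety and Security annex later added pragma Restrictions (No_Unchecked_Conversion) so that a compiler can reject the generic outright in partitions that must not use it; the WITH-clause visibility described above is the mechanism that was available to the TVM 430 team.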
The TVM 430 Development Environment
The TVM 430 system software was developed and tested entirely on a VAX/VMS computer and compiled with an Alsys Ada cross compiler targeting 68000-family boards. The system is composed of four subsystems, each contributing to the safety critical solution.
- The on-board train subsystem displays speed limitations and controls train speed.
- The fixed subsystem controls the interface with the tracks, computations of maximum speed, and the transmission of speed limitations to the train through equipment associated with increments of 15 km (10 miles) of track.
- The parameters subsystem controls field equipment. These tools are implemented on a VAXstation.
- The simulator subsystem controls testing and validation of each subsystem and the global system when there is a modification of either the system, train characteristics, or the track. These tools are implemented on VAX/VMS, IBM PC, and 68000-family-specific boards.
All the subsystems were developed with Ada as the principal language. The size of the application in lines of code is as follows:
- On-board subsystem: 100,000 lines total, 60,000 in Ada
- Fixed subsystem: 100,000 lines total, 50,000 in Ada
- Parameters tool: 100,000 lines total, 50,000 in Ada
- Simulator: 80,000 lines total, 60,000 in Ada
Safety Critical Certification for Transportation
Certification guidelines for safety critical applications stress the importance of a process based on sound engineering practice. The development steps for safety critical software must therefore be well understood and documented, including the Software Development Plan (a controlled software engineering method) and the Software Verification Plan (review, testing and formal analysis).
Several kinds of testing are required for safety critical systems. "Black box" testing verifies that each function produces the expected result or observable effect under all possible conditions: each function is tested with its typical data values and also at the outer boundaries of its input ranges to check behavior under extreme conditions. "Glass box" testing is more stringent. It analyzes the structure of a function to ensure that every element is needed and is executed, that every execution path operates under all conditions, and that every condition is exercised in both its true and its false evaluation.
Development of the TVM 430 project was under the control of a strict quality assurance plan. Ada, as a general-purpose language, contains features that should not normally be used in safety critical applications. Because TVM 430 required total bounding in time and memory, the execution time and the amount of memory used by each element of the program were determined and verified as part of the certification process.
Safety Success with Ada
With the era of safety critical and highly reliable software just beginning, Ada has proven its advantages for projects such as TVM 430. In CSEE Transport's experience, the software configuration is validated earlier in the development phase, Ada software tests are quicker and easier than in other languages, portability from the VAX to a 68000-family microprocessor is achievable, the quality of the software is enhanced, and ultimately the safety team and the customer are more confident.
TVM 430 was the first Ada safety software to obtain certification in the railway industry, and the first to be granted certification by an international committee (for the Channel link application). New transportation projects, such as ATP (Automatic Train Protection) for the Korean TGV, are likewise choosing Ada for their safety critical software functions.