Safety Critical Solutions

for Meeting Safety Critical Certification and Assurance


Ada is a natural choice for meeting safety critical standards. Thomson Software Products offers C-SMART to ensure the use of an appropriate subset of Ada and a certifiable runtime system.

As computer control becomes more and more extensive in all aspects of everyday life, software systems take on increasing importance. Financial systems depend on software for accounting services and money transfer. Transportation systems rely on software for control of vehicles and infrastructure. Hospitals depend on software for managing patient records and for control of life-support systems. In the late 1980's, six people died due to the software failure of a computer controlled radiation treatment system. It is clear that the safety of much human life and property now depends directly or indirectly on safe software.

Software can provide users with considerable operational flexibility. However, this very flexibility brings with it a greatly increased chance of error. There is now an increasing awareness that strict control is needed to reduce risks of errors in Safety Critical Software, that is, software systems that are critical to human life.

Safety Critical Standards

Recent European legislation has produced a number of directives designed to ensure safety. Companies are now obliged to guarantee that systems they have produced do not violate safety requirements. Company directors can now be held personally liable for loss of life or property resulting directly or indirectly from unsafe software installed, sold, or included as part of a product sold by the company.

Many industries, including transportation, nuclear energy, and medicine are in the process of setting - or have already set - specific standards for the development, testing and certification of safety critical software. As these standards emerge, the focus is on the use of best practice. In some areas, standards mandate specific techniques for the development of safety critical systems. In all cases, a reasoned justification for the techniques actually used is required.

Certification

When software has been written to match all specifications, has been fully tested and documented, it is deemed to be "certifiable." The avionics industry requires that safety critical software be certified according to strict FAA guidelines before it may be used on any commercial airliner. Other industries are in the process of mandating their own certification standards for safety critical systems. Thomson Software Products provides developers of safety critical software with a cost-effective solution to application certification.

The Avionics Example

The avionics industry has taken the lead in the development of safety critical systems. Before an airplane may carry fare-paying passengers, it must undergo a thorough certification process. Each component of the airplane is assigned a criticality level commensurate with the effect its failure would have on the safety of passengers. The confidence in each component must match the adverse effect that the component would have should it fail. Since many of the components of an airplane are software-controlled, overall safety is critically dependent on the accuracy of the embedded software.

The combined efforts of government and avionics industry representatives have resulted in the publication of DO-178A and DO-178B, documents that provide strict guidelines for the certification of software used in airborne systems and components. An area of key importance is the software language used as the basis for the final installed system. Standards specify that the language must be well defined, have validated tools, enable modular programming, have strong checking properties and be clearly readable. Of all the programming languages widely available today, only Ada provides an appropriate baseline for safety critical software.

Ada: The Ideal Foundation

Ada has numerous properties that make it a natural choice for the development of safety critical systems.

Because safety critical programs must be totally bounded in time and memory used, the time taken to execute and the amount of memory used by each element of the program must be determined and verified as part of the certification process. The normal runtime system for full Ada is not appropriate for safety critical systems (which use only a subset of the language) because it contains code that is not certifiable. Thus, it is necessary to provide a runtime system appropriate to the level of subset being used.

C-SMART: The Safety Critical Solution from Thomson Software Products

The C-SMART (Certifiable SMall Ada RunTime) is based on a unified toolset enforcing appropriate Ada subset rules and incorporating a certifiable runtime system. It comprises two main parts:

Developing Safety Critical Applications

Various development tools and techniques can be used during the development of safe code. Regardless of the tools selected, AdaWorld development environments provide interfaces to allow users to integrate their chosen tools. For example, ASIS (Ada Semantic Interface Specification) and AOI (Ada Open Interface) enable users to access and manipulate information in the Ada development environment.

Thomson Software Products also offers a number of solutions well suited to the construction of a development environment dedicated to safety critical software. This includes all phases of the software development lifecycle from design through test.

Testing

A variety of testing strategies must be used to achieve confidence in a safety critical system. The goal of these tests is to check the behavior of a function based on its observable effect. Each function must be tested with typical data values, and also with its data values at the boundaries, in order to check the most extreme conditions which might be experienced.

The test and testing environment must be designed to ensure that the tested software is as close to the final configuration as possible. All of the System and Software Requirements must be adequately covered by tests. All Derived Requirements, such as initialization of the stack or set-up of heap addressing registers, must also be tested. To comply with certification criteria, every byte of code must be executed. Thomson Software Products provides a tool, AdaCover, to satisfy this requirement.
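The two technical points made on this page, a program whose time and memory use are statically bounded (the reason full Ada's runtime is replaced by a certifiable subset runtime) and boundary-value testing of each function at typical values and at the edges of its data ranges, combined in one added Ada example. This is illustrative code written for this page, not code from the page or from Thomson Software Products: the Boundary_Test procedure, the Altitude_Feet and Rate_Fpm subtypes, the Next_Altitude function and the choice of Restrictions pragmas are all assumptions, and which Ada subset C-SMART actually enforced is not stated on the page. The Restrictions identifiers themselves are standard Ada 95 (Annexes D and H).

```ada
--  Added example, not code from the page or from Thomson Software Products.
--  A small bounded Ada unit with boundary-value tests of the kind the
--  certification discussion calls for.  The Restrictions identifiers are
--  standard Ada 95 (Annexes D and H); which subset C-SMART enforces is not
--  stated on the page, so this choice is an assumption.
pragma Restrictions (No_Recursion);
pragma Restrictions (Max_Tasks => 0);

with Ada.Text_IO;

procedure Boundary_Test is

   --  Hypothetical subsystem: a commanded altitude kept inside a fixed
   --  envelope.  The range constraints turn out-of-range data into a
   --  checked error at the call boundary instead of silent misbehaviour.
   subtype Altitude_Feet is Integer range 0 .. 50_000;
   subtype Rate_Fpm      is Integer range -6_000 .. 6_000;

   --  Altitude after one second at Rate, saturated at the envelope limits.
   --  No heap, no recursion, no unbounded loops: execution time and memory
   --  are statically known, which is what the certification argument needs.
   function Next_Altitude (Current : Altitude_Feet;
                           Rate    : Rate_Fpm) return Altitude_Feet
   is
      Delta_Feet : constant Integer := Rate / 60;  --  fpm -> feet per second
      Candidate  : constant Integer := Current + Delta_Feet;
   begin
      if Candidate < Altitude_Feet'First then
         return Altitude_Feet'First;
      elsif Candidate > Altitude_Feet'Last then
         return Altitude_Feet'Last;
      else
         return Candidate;
      end if;
   end Next_Altitude;

   Failures : Natural := 0;

   --  Records one test case; failures are counted and reported.
   procedure Check (Name : String; Got, Expected : Altitude_Feet) is
   begin
      if Got = Expected then
         Ada.Text_IO.Put_Line ("pass  " & Name);
      else
         Failures := Failures + 1;
         Ada.Text_IO.Put_Line ("FAIL  " & Name & ": got" &
                               Integer'Image (Got) & ", expected" &
                               Integer'Image (Expected));
      end if;
   end Check;

   --  True if the subtype check on Current rejects a raw value outside the
   --  envelope (the check fires at the call, before the body runs).
   function Rejects (Raw : Integer) return Boolean is
      Unused : Altitude_Feet;
   begin
      Unused := Next_Altitude (Raw, 0);
      return False;
   exception
      when Constraint_Error => return True;
   end Rejects;

begin
   --  Typical value: cruising at 30,000 ft, climbing at 600 fpm -> +10 ft.
   Check ("typical climb", Next_Altitude (30_000, 600), 30_010);

   --  Boundaries of the input domain: 'First and 'Last of each subtype.
   Check ("floor, max descent",
          Next_Altitude (Altitude_Feet'First, Rate_Fpm'First), 0);
   Check ("ceiling, max climb",
          Next_Altitude (Altitude_Feet'Last, Rate_Fpm'Last), 50_000);
   Check ("saturates at ceiling",  Next_Altitude (49_999, 200), 50_000);
   Check ("reaches floor exactly", Next_Altitude (1, -60), 0);

   --  Boundaries inside the arithmetic, not only in the declared ranges:
   --  magnitudes below 60 fpm truncate to zero feet per second.
   Check ("59 fpm truncates to 0",  Next_Altitude (100, 59), 100);
   Check ("-59 fpm truncates to 0", Next_Altitude (100, -59), 100);

   --  Data just outside the envelope must be rejected, not accepted.
   if Rejects (50_001) and then Rejects (-1) then
      Ada.Text_IO.Put_Line ("pass  out-of-range input rejected");
   else
      Failures := Failures + 1;
      Ada.Text_IO.Put_Line ("FAIL  out-of-range input accepted");
   end if;

   Ada.Text_IO.Put_Line ("failures:" & Natural'Image (Failures));
end Boundary_Test;
```

The test cases are chosen the way the text prescribes: one typical value, then the 'First and 'Last of each input subtype, the values one step inside the limits where saturation begins, the points where the integer division changes result, and values just outside the declared ranges, which must be refused by the subtype check rather than processed. In a real certification effort each Check line would be the row of the compliance matrix that ties a requirement to a test and its recorded result, and a coverage tool such as the AdaCover product the page mentions would confirm that every branch of Next_Altitude, including both saturation arms, was actually executed by this set.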

A compliance matrix must be produced that records the relationship between documents, code, tests and test results.

C-SMART Certification Package

The C-SMART Certification Package provides all the documentation necessary for the Ada executive portion of an application, including:

The Safety Imperative

The era of safety critical software is just beginning. Software applications will increase in size and complexity as the move toward automated systems continues to grow in all sectors. Public expectations for safety in products and services will also increase, and a growing number of industries will be forced to develop and enforce their own safety critical standards.

Every company developing software for safety critical applications must prepare itself to meet the challenge of certification, which can result in a number of positive benefits to the enterprise:


For more information call 1 (800) 833-0085, ext. 244, or send mail to info@thomsoft.com


Copyright Thomson Software Products 1995. All rights reserved. All brand and product names are trademarks or registered trademarks of their respective companies. The information contained herein is subject to change without notice.