
Omi and technology in ADA and C for reliable safety critical hard real-time systems

Exploitable results

Safety-critical systems are characterized by failures that can cause grave danger to human life or property; their reliability is therefore far more critical than that required of conventional real-time systems. The ANTI-CRASH project focused particularly on complex embedded safety-critical systems and has developed a systematic and automated Safety Analysis Methodology (SAM) for analysing safety-critical real-time applications. SAM uses the well-established fault tree analysis (FTA) technique, in which a fault tree represents the systematic propagation of failures, or combinations of failures, through the target safety-critical software. SAM thus helps safety analysts to identify critical failures and hazards systematically, reducing the time and cost of certification.

SAM presents a systematic method for handling fault trees. FTA is a top-down approach and is therefore particularly suitable here, since developers usually already have a list of well-known hazards to use as the starting point for analysing the behaviour of a safety-critical application. FTA has also been proven to have a lower cost than conventional formal verification methods.

SAM has four modules that guide the analysis systematically. First, the Parser module parses the source code into an intermediate format, which the Fault Tree Constructor uses to build a complex fault tree template from simpler templates. The Mitigator then simplifies the fault tree using the rules of Boolean algebra. Finally, the fault tree is combined with user-defined hazardous conditions and the Hazard Analyser produces a safety report showing the relationship between the specified events and the code under test. SAM is designed for applications written in ANSI C and is presented through an intuitive graphical user interface (GUI) module. Documentation and a user manual are provided.
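The Mitigator and Hazard Analyser steps described above, as an added illustration that is not SAM's own code: a constructed toy fault tree is expanded into cut sets, reduced to minimal cut sets with the Boolean absorption and idempotence laws, and then matched against user-defined hazardous conditions. The tree layout, gate encoding and event names are assumptions made for this example.

```python
from itertools import product

# Constructed toy fault tree, not SAM's intermediate format: a node is either a
# basic-event name (str) or a gate tuple ("AND"|"OR", child, ...).
TOP_EVENT = ("OR",
    ("AND", "sensor_stuck", "range_check_skipped"),
    ("AND", "sensor_stuck", "range_check_skipped", "watchdog_disabled"),
    ("OR", "null_deref", ("AND", "null_deref", "stack_overflow")),
    ("AND", "timer_overrun", ("OR", "deadline_miss_unhandled", "watchdog_disabled")))

def cut_sets(node):
    """Expand a node into its cut sets (frozensets of basic events).
    An OR gate contributes the union of its children's cut sets; an AND gate
    contributes one merged set per combination of child cut sets (distribution)."""
    if isinstance(node, str):
        return [frozenset([node])]
    gate, *children = node
    child_sets = [cut_sets(c) for c in children]
    if gate == "OR":
        return [cs for sets in child_sets for cs in sets]
    if gate == "AND":
        return [frozenset().union(*combo) for combo in product(*child_sets)]
    raise ValueError(f"unknown gate {gate!r}")

def minimise(sets):
    """Mitigator step: apply idempotence (A + A = A) and absorption (A + A.B = A)
    by dropping duplicates and any cut set that strictly contains another."""
    uniq = set(sets)
    minimal = [cs for cs in uniq if not any(other < cs for other in uniq)]
    return sorted(minimal, key=lambda cs: (len(cs), sorted(cs)))

def minimal_cut_sets(tree=TOP_EVENT):
    """Return the minimal cut sets as sorted lists of event names."""
    return [sorted(cs) for cs in minimise(cut_sets(tree))]

def hazard_report(hazardous_conditions, tree=TOP_EVENT):
    """Hazard Analyser step: for each user-defined hazardous condition (a set of
    basic events assumed to hold) list the minimal cut sets it triggers; an
    empty list means that condition alone cannot cause the top event."""
    mcs = minimise(cut_sets(tree))
    return {name: [sorted(cs) for cs in mcs if cs <= frozenset(events)]
            for name, events in hazardous_conditions.items()}

if __name__ == "__main__":
    for cs in minimal_cut_sets():
        print(" AND ".join(cs))
    print(hazard_report({"watchdog left disabled": ["watchdog_disabled", "timer_overrun"]}))
```

The three-event branch and the `null_deref AND stack_overflow` branch disappear from the result because absorption shows they add nothing beyond the smaller cut sets that contain them.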
For complex embedded safety-critical systems, and especially for real-time systems where system timing is crucial, a new compiler supporting a temporal surface language (TSL) has been developed that is suitable for describing hard real-time safety-critical applications. Called the surface compiler for temporal logic (SCTL), it translates TSL into a classical logic language; the resulting logic description can then be elaborated using existing classical formal verification tools. Because no specific temporal inference rules are needed, SCTL supports temporal information without increasing the complexity of the theorem prover, while also increasing the efficiency of model elaboration. SCTL is being integrated with the high order formal tool (HOFT), an advanced verification tool under development.

SCTL allows real-time hardware/software systems to be represented as a logical model in TSL, a typed logic language extended with special temporal primitives for events, properties, time-points and time intervals. SCTL translates this higher-order surface logic language into a first-order platform logic language; the resulting representation contains constraints instead of temporal operators and can be elaborated by a theorem prover engine without specific inference rules for time operators. Using a higher-order logic language allows both the specifications and the corresponding implementations of system components to be formalized in a natural, compact, complete and readable manner. A formal verification tool can then verify and validate the correctness and reliability of a system design with respect to its specification.
With a number of microprocessor architectures (platforms) in use today, the flexibility to move from one target platform to another in response to market or customer demands is decisive for the competitiveness of application developers. The Architecture Neutral Distribution Format (ANDF) allows a software application to be compiled once and then custom-installed for every target platform, reducing the effort and cost of re-targeting. The ANTI-CRASH project has implemented this concept as ReTargetPoint Technology, which integrates with platform-specific compile-and-develop tools. It has been evaluated using an avionics safety-critical real-time application, demonstrating a clear reduction in development effort while simultaneously enhancing code reliability.

ReTargetPoint Technology simply plugs into standard development environments with native compile-and-develop tools, delivering its enhancements while retaining the convenience of developing within an existing environment. For C, an application-dependent configuration designer (ConfigPoint) is used to define every operation that is specific to the target. A C-to-ANDF compiler (the producer) helps detect incompatibilities, which can then be eliminated or encapsulated in safe-boxes where the target dependency remains clearly visible. Static code checkers (CheckPoint) automatically verify application-dependent coding constraints, such as forbidden recursion. The final step installs the code: for this, a family of configurable code generators (installers) has been developed for all common microprocessor platforms (Intel x86 and MIPS). For embedded applications, special language features and safety-critical requirements are being incorporated into the producer and installer.
Reliability and scheduling analysis is used to determine whether all tasks of a real-time system meet their timing requirements. This is crucial in the development of hard real-time safety-critical applications, where timing errors could have serious consequences. As part of the ANTI-CRASH project, which focuses particularly on complex embedded safety-critical systems, a systematic and automated reliability analysis methodology (RAM) has been developed. Based on a set of algorithms from recent real-time scheduling theory that provide rigorous timing analysis, RAM provides feasibility analyses of hard real-time applications. It helps real-time system developers to gain an early, accurate view of an application's timing requirements from the first phases of design, minimizing errors in the subsequent development and integration phases.

RAM supports design-oriented reliability and scheduling analysis. It incorporates an extensive set of analytical algorithms for computing real-time performance metrics, such as worst-case response times, and is independent of the specific implementation of the application. The methodology consists of specific phases that implement these algorithms, together with priority-driven scheduling strategies and real-time synchronization protocols. During the input phase, the user specifies the basic characteristics of an application in an Implementation Table, which can contain timing estimates or actual data derived from a monitoring tool. In the pre-processing phase this table is transformed into a Techniques Table, which presents the data in a form usable by a specific scheduling method, with non-regular events and precedence constraints considered from a worst-case perspective. Finally, the scheduling analysis phase checks the feasibility of the deadlines and provides alternative solutions and suggestions so that all deadlines can be met. RAM is presented via an intuitive graphical user interface (GUI) module.
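The three RAM phases described above, as an added illustration that is not RAM's own code: a constructed Implementation Table of periodic tasks is ordered into a priority table, each task's worst-case response time is computed by the standard fixed-priority response-time iteration (with a blocking term for shared resources), and the deadline check reports which task cannot be guaranteed. The table format, task names and values are assumptions made for this example.

```python
import math

# Constructed "Implementation Table" (not RAM's own format): per task the worst-case
# execution time C, period T, relative deadline D and the longest blocking time B that
# a lower-priority task holding a shared resource can impose. Same unit throughout (ms).
IMPLEMENTATION_TABLE = [
    {"name": "sensor_read",  "C": 2, "T": 10,  "D": 10, "B": 1},
    {"name": "control_law",  "C": 6, "T": 20,  "D": 20, "B": 2},
    {"name": "actuator_out", "C": 3, "T": 25,  "D": 25, "B": 0},
    {"name": "logger",       "C": 8, "T": 100, "D": 30, "B": 0},
]

def techniques_table(rows):
    """Pre-processing: order tasks by fixed priority, assigned deadline-
    monotonically (shorter deadline = higher priority), highest first."""
    return sorted(rows, key=lambda r: (r["D"], r["T"]))

def response_time(task, higher):
    """Worst-case response time by fixed-point iteration of
    R = C + B + sum_{j in higher} ceil(R / T_j) * C_j; returns the converged R,
    or None as soon as R exceeds the deadline D (then the task is infeasible)."""
    r = task["C"] + task["B"]
    while True:
        interference = sum(math.ceil(r / hp["T"]) * hp["C"] for hp in higher)
        r_next = task["C"] + task["B"] + interference
        if r_next > task["D"]:
            return None
        if r_next == r:
            return r
        r = r_next

def schedulability_report(rows=IMPLEMENTATION_TABLE):
    """Scheduling-analysis phase: response time and deadline feasibility of
    every task, in priority order."""
    ordered = techniques_table(rows)
    report = {}
    for i, task in enumerate(ordered):
        r = response_time(task, ordered[:i])
        report[task["name"]] = {"R": r, "D": task["D"], "feasible": r is not None}
    return report

def utilisation(rows=IMPLEMENTATION_TABLE):
    """Total processor utilisation sum(C/T): a quick necessary, not sufficient, check."""
    return sum(r["C"] / r["T"] for r in rows)

if __name__ == "__main__":
    for name, row in schedulability_report().items():
        print(f"{name:13s} R={row['R']} D={row['D']} {'OK' if row['feasible'] else 'DEADLINE MISS'}")
```

Total utilisation is only 0.70, yet `logger` misses its 30 ms deadline because its deadline is shorter than its period and it absorbs the interference of all three higher-priority tasks; the response-time test catches what a utilisation-only check would not.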