Ada Safety Critical


  • 8/8/2019 Ada Safety Critical

    1/6

Ada in Safety Critical Applications
A. Welz, LITEF GmbH, Lörracher Str. 18, 7800 Freiburg, FRG

1 INTRODUCTION
This paper reviews a LITEF internal study about the use of Ada in safety critical real time avionic systems. The study is part of the development of the Inertial Measurement Unit (IMU), a flight control subsystem of the European Fighter Aircraft (EFA). The study's goal was to establish programming rules and to examine support tools and methods for the development of safe Ada programs for flight critical systems.
The study was divided into the following parts:
1: Definition of safety related to Ada.
2: Derivation of Ada programming rules with the above definition and adjustment with already existing rules.
3: Classification of the Ada programming rules found in 2.
4: Examination of appropriate Ada test programs with the above Ada programming rules and confirmation of the rules.
5: Examination of tools and methods for safe Ada.

2 MOTIVATION
For the EFA project the Ada language is mandatorily required for the software implementation of all operational aircraft software. Currently assembly language is mostly used for such systems, and typical assertions against the Ada language in safety critical applications are:
- Ada is unsafe because the language is too complex.
- Ada tasking is unsafe because Ada tasking is too complex.
- Ada tasking is not deterministic and therefore unsafe.
- In Ada there is an unsafe kind of "erroneous execution".
- The Ada exception mechanism is unsafe.
- The language Ada is extremely inefficient and Ada compilers have lots of bugs.

Therefore the EFA Joint Team ordered a study (called "Safe Ada Study" [1]) to investigate ways to apply Ada while avoiding features of the language that are considered to be potentially "unsafe".


    194

3 DEFINITION "ADA SAFETY"
A translation of the avionic term "safety" into the Ada terminology, in accordance with the current implementation practice of safety critical software, is ([1] Appendix A):
1: The program's memory requirements are known before run time.
2: The program contains no action that has an unpredictable overhead in execution time.
3: The program and all its components have a deterministic behavior for every possible input of data. All branches in the program are explicit. The program is verifiable so that no error can occur at run time, no matter whether it is detectable or not.
4: The program is source level transparent. That means it is written in a consistent and readable way. The program does not make use of different features to express the same thing. All actions are visible.

4 ADA PROGRAMMING RULES
With the aid of the above-mentioned requirements, it is possible to extract Ada programming rules by identification of all "safety contradictions" in the ALRM. This method results in a lot of rules, which adapt the Ada syntax/semantics to the safety requirements. For example the following EFA rule 1:

    Access types shall not be used.

results from the static memory requirement.

During the LITEF study it was found that some of the EFA rules can be slightly modified without injuring any safety requirement. For example the following EFA rule 8:

    Actions shall not raise a predefined exception.

was changed to:

    All possible exceptions shall be handled with defined effects on the program execution.

This rule was modified because it results in a very inefficient programming style with explicit range testing. Also the Ada tasking and machine code insertion restrictions were modified. The whole description of EFA rules and LITEF changes is beyond the scope of this paper ([1] Appendix A, [2]).
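As an added illustration (not code from the paper or from LITEF), the two programming styles behind the original and the modified rule 8, side by side in Ada. The sensor sample type, the scaling factor, the safe fallback value and all names are assumptions.

```ada
with Ada.Text_IO; use Ada.Text_IO;

procedure Rule8_Example is

   -- Static constraints: every range is known at compile time, as the static
   -- memory requirement and the rule "All constraints shall be static" ask.
   type Raw_Count is range 0 .. 4095;          -- 12-bit sensor sample (assumed)
   type Rate_DPS  is range -1_000 .. 1_000;    -- rate range the application accepts
   Safe_Rate : constant Rate_DPS := 0;         -- assumed defined fallback value

   -- Assumed sensor full scale of +/-1_200 deg/s: scaling a raw sample can
   -- therefore leave the Rate_DPS range, which is the overflow case.
   Full_Scale : constant := 1_200;

   -- Style A, original EFA rule 8 ("Actions shall not raise a predefined
   -- exception"): an explicit range test guards the conversion by hand.
   function Scale_Guarded (Raw : Raw_Count) return Rate_DPS is
      Tmp : constant Integer := (Integer (Raw) - 2_048) * Full_Scale / 2_048;
   begin
      if Tmp < Integer (Rate_DPS'First) or else Tmp > Integer (Rate_DPS'Last) then
         return Safe_Rate;                      -- defined effect, tested explicitly
      end if;
      return Rate_DPS (Tmp);
   end Scale_Guarded;

   -- Style B, LITEF-modified rule ("All possible exceptions shall be handled
   -- with defined effects"): the compiler's own range check on the conversion
   -- is kept, and the handler defines the effect.
   function Scale_Handled (Raw : Raw_Count) return Rate_DPS is
   begin
      return Rate_DPS ((Integer (Raw) - 2_048) * Full_Scale / 2_048);
   exception
      when Constraint_Error =>
         return Safe_Rate;                      -- same defined effect as style A
   end Scale_Handled;

begin
   -- Both styles must agree for every possible input (definition 3 above).
   for R in Raw_Count loop
      pragma Assert (Scale_Guarded (R) = Scale_Handled (R));
   end loop;
   Put_Line ("raw 3000 -> " & Rate_DPS'Image (Scale_Handled (3_000)));
   Put_Line ("raw 4095 -> " & Rate_DPS'Image (Scale_Handled (4_095)));
end Rule8_Example;
```

Style B removes the duplicated range test from every arithmetic step, while the handler keeps the effect of an out-of-range sample defined rather than leaving it to the predefined exception alone.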


5 CLASSIFICATION OF ADA PROGRAMMING RULES
The resulting rules could be split into two classes:
(1) Rules which describe the sequential execution of the program ('sequence of statements' in the sense of Ada).
(2) Rules which describe the parallel execution of the program ('tasking' in the sense of Ada).

6 TEST PROGRAMS
The second step in defining and verifying Ada programming rules uses relevant parts of a typical Ada avionics program. The assembler output of this program is examined for implicit contradictions to the safety requirements, which leads to a confirmation or to a modification of the above rules. It is natural that this method is only applicable if a stable version of the project Ada compiler has been defined.
A further improvement of this method is a more or less complete set of test programs with all possible Ada language elements. This was the method used in the LITEF study [2]. Only this method is able to find all possible safety risks of a specific project Ada compiler. The method also has the advantage that it delivers code tables (Ada --> Assembler) which can be used in a later verification process. With an optimizing Ada compiler, however, these tables should be handled with great care.
Another very useful outcome from analyzing these tables is a set of rules for efficient Ada programs. In the LITEF study, it was found that these rules are, in part, the same as the safety rules (which is on the other hand a proof that safety need not be contradictory to efficiency).

7 TOOLS AND METHODS FOR SAFE ADA
Critical for the real safety of the developed software is the strict supervision of the adherence to the Ada programming rules. As mentioned above there are two classes of rules for supervision:
- Sequential rules
- Parallel rules
It is clear that each of these classes of rules needs to be applied differently:


7.1 Tools for Sequential Rules
This type of rule could be further subdivided into two groups:
(1.1) Rules which describe the static behavior of the program (like a rule "All constraints shall be static").
(1.2) Rules which describe the dynamic behavior of the program (like a rule "All program paths should be covered").
The first type of rule can easily be checked with a special Ada parser. This had already been developed by LITEF for a related project.
Also on the commercial market there are some tools for such sequential testing. For EFA the SPARK tool [4] has been selected. The disadvantage of this tool is that it only supports a very small subset of Ada. This kind of tool relies on formal test methods, which only work with a 'PASCAL' like subset of Ada, and needs additional special Ada comments (so called annotations) to help the tool in understanding the semantics of Ada.
The second type of rule needs dynamic testing, which means that the program is tested during execution. There are two major problems with this test method:
- Test input patterns and/or test strategies for the program must be generated.
- The program flow must be controlled by additional Ada control code or with the aid of a special trigger state analyzer.
There are some tools on the market which perform these functions, but all tools are based on additional Ada control code which will destroy the real time behavior of the original program [5].
For this reason, LITEF has developed special trigger state hardware which can control an avionic target even during flight conditions. Studies for special pre- and postprocessing tools are currently under development.

7.2 Tools for Parallel Rules
Rules of this type are very difficult to control. The general case is investigated in the cited studies ([6], [7], [8]).


Nevertheless, for "simple" avionic application purposes, there are already sufficient methods to verify or control the above-mentioned rules. A typical avionic application consists of different tasks which are controlled by a scheduler mechanism. This scheduler can easily be implemented with the aid of an Ada rendezvous [3]. For this special kind of Ada tasking system the following methods were investigated:
- A method which uses an equivalence representation of Ada rendezvous and petri nets. This method has the advantage that a lot of commercial tools for petri nets already exist, and the only problem is the conversion of Ada code to the appropriate net representation.
- A method which uses parallel-prolog, which is an extension of prolog with parallel communication. With this language the above-mentioned scheduler mechanism can be verified without an extensive stochastic simulation as needed with the petri nets.
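An added example, not code from the paper or from the LITEF executive [3]: a minimal frame-based scheduler that drives its worker tasks through Ada rendezvous, so that the order of execution inside a frame is fixed by the scheduler rather than by timing. Task names, the frame period and the frame count are assumptions.

```ada
with Ada.Real_Time; use Ada.Real_Time;
with Ada.Text_IO;   use Ada.Text_IO;

procedure Rendezvous_Scheduler is

   Frame_Period : constant Time_Span := Milliseconds (10);  -- assumed minor frame
   Frames       : constant := 6;                             -- frames to run (assumed)

   -- A worker does nothing until the scheduler accepts its Run rendezvous,
   -- so the sequence of actions per frame is explicit and deterministic.
   task type Worker (Name : Character) is
      entry Run (Frame : Positive);
      entry Stop;
   end Worker;

   task body Worker is
   begin
      loop
         select
            accept Run (Frame : Positive) do
               Put_Line ("frame" & Positive'Image (Frame) & ": task " & Name);
            end Run;
         or
            accept Stop;
            exit;                  -- defined termination, no dangling task
         end select;
      end loop;
   end Worker;

   Sample   : Worker ('S');        -- e.g. sensor sampling, every frame (assumed)
   Navigate : Worker ('N');        -- e.g. navigation, every second frame (assumed)

   Next : Time := Clock;
begin
   for Frame in 1 .. Frames loop
      Next := Next + Frame_Period;
      Sample.Run (Frame);                    -- first rendezvous of the frame
      if Frame mod 2 = 0 then
         Navigate.Run (Frame);               -- second rendezvous, even frames only
      end if;
      delay until Next;                      -- wait for the next frame boundary
   end loop;
   Sample.Stop;
   Navigate.Stop;
end Rendezvous_Scheduler;
```

Because every worker activation is a rendezvous initiated by the scheduler, the possible interleavings are enumerable, which is what makes the petri net and parallel-prolog analyses described above tractable for this style of tasking.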

8 CONCLUSION
The language Ada is no less safe than other languages. Because of its strong typing, the predefined exception mechanism and the standardized tasking features, it has an even greater advantage compared to other languages. There are reasonable alternatives to restricting Ada to a 'PASCAL subset' as required in the EFA Safe Ada Study. With some precise rules, Ada fulfills all requirements of safety critical avionic applications. The adherence to these safety rules can be controlled with appropriate tools and methods.

9 REFERENCED DOCUMENTS
[1] Flight Control System Safety Critical Software Study / EFJ-STY-EFA-020-0005 / Issue 1 / 30 October 87
[2] Safe Ada & Compiler Study for EFA IMU / A. Welz / Internal LITEF Report / Revision 1.00-04.
[3] Study LITEF Executive in Ada (LEA) / Phase 1-3 / A. Welz / Internal LITEF Report / 16.2.89.
[4] SPARK - The SPADE Ada Kernel / Carre et al / July 1989 / HMSO London / Second Edition
[5] LDRA TESTBED ADA / User Documentation & Technical Description / Liverpool Data Research Associates Ltd. / 1985


[6] Verifying General Safety Properties of Ada Tasking Programs / Laura K. Dillon / IEEE Transactions on Software Engineering / Vol. 16 No. 1 / January 1990
[7] Critical Races in Ada Programs / Gerald M. Karam et al / IEEE Transactions on Software Engineering / Vol. 15 No. 11 / November 1989
[8] Starvation and Critical Race Analyzer for Ada / Gerald M. Karam et al / IEEE Transactions on Software Engineering / Vol. 16 No. 8 / August 1990