Automatic Code Generation for Safety-Critical Systems dSPACE
Author
Abstract
The vehicles of the future will contain more and more safety-critical systems. Because of frequent changes, automatic code generators are increasingly being used in software development. The current safety standard for vehicle development, IEC61508, is designed for manual software development and provides very little support for selecting and using code generators for software in safety-critical systems. The approach used by ATENA Engineering is based on experience and standards from aviation and uses dSPACE's TargetLink for automatic generation of code for safety-critical systems.

Dipl.-Inform. Michael Jungmann is a software developer at MTU Aero Engines GmbH in Munich, where he is responsible for software development processes and tools for the projects of the subsidiary, ATENA Engineering GmbH.

Dipl.-Math. Michael Beine is TargetLink product manager at dSPACE GmbH in Paderborn.

1 Safety-Critical Systems and Their Software

The number of safety-critical systems in vehicles is rapidly increasing. Up to only a few years ago, the failure of a computer system in a vehicle would in the worst case mean the loss of a function, but in the systems of the future, the wrong reaction to a fault will frequently be a safety hazard for the vehicle's occupants and other road users. To minimize the dangers of such systems, special development standards and processes have been designed for use in safety-critical applications. The established standard in automotive electronics is IEC61508 [1]. This is a generic safety standard that requires the definition of more detailed standards for specific industries and projects. Software engineering studies have shown that the RTCA DO-178B [2] software development standard, originally defined for the aviation industry, is also a suitable detailed standard that corresponds to the IEC61508 safety standard [3 et al]. The software development process according to RTCA DO-178B is organized according to the well-known V-cycle (see fig. 1). The left side of the V-cycle describes the implementation path, starting out from high-level requirements and becoming more detailed at every step through to the creation of actual production code, while the right side represents the verification path, in which each verification phase is shown opposite its corresponding implementation phase.

Figure 1: The V-cycle for software development

In any study of automatic code generation, the main focus is on the coding and unit testing phases. The unit or module test phase is for verification of the production code and of the smallest functional blocks in the executable software. The verification activities in this phase include static analysis and dynamic testing of functionality. The activities to be performed in each phase differ only very slightly in the individual standards. However, all standards have one thing in common: the objective of safety can be achieved only by systematically performing all the activities. Taken on its own, no individual step within this process allows the quality of the developed software to be assessed.

2 Automatic Code Generation in the Development Process

The automotive industry is increasingly using automatic code generators for software development. In contrast, they are hardly ever used in safety-critical systems. Firstly, very special requirements are imposed on the code for safety-critical systems. And secondly, many software suppliers are only just beginning to apply appropriate development standards and cannot tackle the introduction of automatic code generation at the same time. The initial impetus for extending automatic code generation to safety-critical systems will come from software producers who have detailed experience of using the appropriate software development processes in other fields.

Through close cooperation with its parent company MTU Aero Engines GmbH, ATENA Engineering has decades of experience in developing safety-critical systems in the aviation sector to fall back on. For example, MTU Aero Engines GmbH has developed and produced the engine controllers for a number of European aviation projects, and is still actively involved in such work. The aircraft engine controllers are multichannel electronic control units (ECUs) with between 4 and 10 processors. The response times needed for control are in a range of
Similar resources
Compilation of Flow Diagrams into Target Code for Embedded Systems
In this paper we describe a part of our work on the automatic generation of target code from Stateflow models. We focus on the flow diagrams from the Stateflow component of MATLAB and describe how flow diagram models can be compiled into target code for embedded systems. Moreover, the paper describes a method for analyzing flow diagrams, allowing an efficient code generation. The method describ...
An Approach to Automatic Code Generation for Safety-Critical Systems
Automated translation, or code generation, of a formal requirements model to production code can alleviate many of the problems associated with design and implementation. In this report we outline the requirements of such code generation to obtain a high level of confidence in the correctness of the translation process. We then describe a translator for a state-based modeling language called RSM...
Using Automatic Code Generation for Safety-Critical System Development
To minimize the dangers of such systems, special development standards and processes have been designed for use in safety-critical applications. The established standard in automotive electronics is IEC61508. This is a generic safety standard that requires the definition of more detailed standards for specific industries and projects. Software engineering studies have shown that the RTCA DO-1...
Specification Languages and Their Use (Case: AsmL)
Specification languages are an integral part of software development. They enable concise and exact specification of software systems on different abstraction levels. Specification languages have many uses: they are used as an intermediary step from requirements towards implementation; they are used to verify critical properties of complex systems such as safety and liveness, and specifications...
Efficient automatic code generation for embedded systems
Developing a safety critical real-time application raises high challenge: “failure is not an option”. The code has to be readable, reliable and efficient. For doing so, VERILOG has developed an environment based on formal approach. This is the only way to be in a position to prove that the code is doing what it is supposed to do, always.
Publication date: 2003