Development of Safety-Critical Software Using Automatic Code Generation 2004-01-0708
In future cars, mechanical and hydraulic components will be replaced by new electronic systems (x-by-wire). A failure of such a system constitutes a safety hazard for the passengers as well as for the environment of the car. Thus electronics, and in particular software, are taking over more responsibility and more safety-critical tasks. To minimize the risk of failure in such systems, safety standards are applied during their development. The safety standard IEC 61508 has been established for automotive electronic systems.
At the same time, automatic code generation is increasingly being used for automotive software development, in order to cope with today's growing demands for cost reduction and shorter ECU development times combined with increasing complexity.
However, automatic code generation is hardly ever used today for the development of safety-critical systems. The reasons for this are the specific requirements imposed on the generated code as well as a lack of experience in the development of safety-critical software itself.
This paper deals with the application of automatic code generation to the development of safety-critical systems. It describes the role and benefits of automatic code generation in a safety-critical software development process. The requirements imposed on an automatic code generator by a safety standard such as IEC 61508 are examined. The pros and cons of using a certified code generator, and possible alternatives, are discussed. The benefits and know-how gained from many years of experience in developing software according to safety standards such as RTCA DO-178B in the aerospace industry are taken into consideration.
The paper uses dSPACE's production code generator TargetLink as an example. The use of TargetLink at ATENA Engineering for the development of IEC 61508 SIL 3 software is described, and the experiences gained and results achieved at ATENA are presented.