
AdaCore tools gain ISO 26262 and IEC 61508 qualification

AdaCore today announced that three of its signature software development/verification tools for Ada, SPARK and C have been qualified under the ISO 26262 and IEC 61508 functional safety standards.

AdaCore has over two decades of certification experience in safety-critical domains such as avionics, space and rail. By completing the qualification process for automotive and industrial standards, the company has shown that its high integrity technologies can meet the demanding assurance requirements of the software-intensive industries.


The three development/verification tools qualified for compliance are:

  • GNAT Pro, a robust and flexible development environment comprising an industrial-grade toolchain that supports the Ada and C programming languages, either standalone or mixed in a single binary. GNAT Pro comes with a range of development and verification tools, including stack size computation, coding standard verification and a customisable/extensible IDE.
  • The Common Code Generator (CCG), which compiles from a SPARK-like Ada subset to C code. CCG allows projects to cross-compile Ada and SPARK applications to any hardware target that provides a C compiler, including targets that do not come with off-the-shelf Ada support.
  • SPARK Pro, a toolset based on an Ada language subset that allows developers to formally guarantee properties of source code, such as the absence of certain categories of vulnerabilities (buffer overflow, division by zero, references to uninitialised variables) and to prove custom functional assertions.
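To make the SPARK Pro bullet concrete, here is a small SPARK package added as an illustration; it is not from the article or from AdaCore's own sources, and the package and subprogram names (Safe_Stats, Mean, Get, Sat_Add) are assumptions. It shows the three kinds of guarantee named above: the preconditions rule out division by zero and out-of-range (over-read) indexing, the loop invariant lets the prover bound the running sum so no overflow check can fail, and Sat_Add carries a custom functional postcondition that is proved rather than tested.

```ada
--  Added example (not the article's or AdaCore's own code). Names are
--  illustrative assumptions. GNATprove, the prover in SPARK Pro, has to
--  discharge every run-time check (range, index, overflow, division) and
--  every Pre/Post contract in this unit before it is considered proved.
package Safe_Stats with SPARK_Mode is

   type Sample  is range 0 .. 1_000;
   type Index   is range 1 .. 64;
   type Samples is array (Index range <>) of Sample;

   --  Mean of a non-empty sample set. The precondition excludes
   --  Data'Length = 0, so the division in the body cannot be by zero.
   function Mean (Data : Samples) return Sample with
     Pre => Data'Length > 0;

   --  Bounded lookup: the precondition makes an out-of-range index (a
   --  buffer over-read) impossible, so the index check always passes.
   function Get (Data : Samples; I : Index) return Sample with
     Pre => I in Data'Range;

   --  Saturating add with a custom functional contract: the result is
   --  the true sum unless that would exceed Sample'Last, in which case
   --  it is clamped. The Post is a proof obligation, not a test.
   function Sat_Add (A, B : Sample) return Sample with
     Post => Sat_Add'Result =
               (if Integer (A) + Integer (B) > Integer (Sample'Last)
                then Sample'Last
                else Sample (Integer (A) + Integer (B)));

end Safe_Stats;

package body Safe_Stats with SPARK_Mode is

   function Mean (Data : Samples) return Sample is
      --  Initialised at declaration: SPARK flow analysis rejects any read
      --  of a variable that might be uninitialised on some path.
      --  Bound: at most 64 samples of at most 1_000 each, so Sum <= 64_000,
      --  well inside Natural; the loop invariant below states that bound.
      Sum : Natural := 0;
   begin
      for I in Data'Range loop
         pragma Loop_Invariant
           (Sum <= Natural (I - Data'First) * Natural (Sample'Last));
         Sum := Sum + Natural (Data (I));
      end loop;
      --  Sum <= Data'Length * Sample'Last, hence the quotient fits Sample.
      return Sample (Sum / Data'Length);
   end Mean;

   function Get (Data : Samples; I : Index) return Sample is
     (Data (I));

   function Sat_Add (A, B : Sample) return Sample is
     (if Integer (A) + Integer (B) > Integer (Sample'Last)
      then Sample'Last
      else Sample (Integer (A) + Integer (B)));

end Safe_Stats;
```

With the unit in a GNAT project file (assumed here to be called safe_stats.gpr), `gnatprove -P safe_stats.gpr` runs flow analysis and proof; removing the `Pre => Data'Length > 0` contract or the loop invariant is a quick way to see an unproved division or overflow check reported, which is exactly the class of defect the article says SPARK Pro rules out.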

Both the GNAT Pro compiler and CCG received TCL3 qualification under ISO 26262, and T3 qualification under IEC 61508. The SPARK Pro verification tool received TCL3 and T2 qualification. All three products have been certified by TÜV SÜD, an independent, globally recognised organisation which confirms that products meet national and international standards. The TÜV SÜD certification mark is widely acknowledged and respected as a trusted symbol of quality, safety, and sustainability.

“The demand for cost-effective tools and methodologies has greatly increased in the automotive and industrial domains over the past few years,” said Quentin Ochem, Lead of Business Development at AdaCore. “The Ada and SPARK languages have emerged as viable alternatives to C for many developers needing higher integrity software. The completion of our safety certification under the corresponding standards demonstrates our commitment to support these industrial projects on their own path to adoption.”

ISO 26262 and IEC 61508
ISO 26262 is a functional safety standard for automotive systems and a derivative of the generic IEC 61508 standard for electrical/electronic/programmable electronic (E/E/PE) systems. It defines the phases of an automotive safety lifecycle and their associated activities, and uses a risk-based approach to determine Automotive Safety Integrity Levels (ASILs) and the requirements that apply at each level. A hazard analysis of the system's functions considers the potential hazards in the event of a failure and the consequences to life and property. The computed ASIL ranges from A (least critical) to D (most critical), with QM (quality management) assigned where no safety requirement applies, and is derived from three factors: the severity of the resulting harm, the exposure (how often the vehicle is in the operational situation in which the failure would be hazardous), and the controllability (whether the driver or others can act in time to avoid the harm).

ISO 26262 specifies requirements for tool qualification, recognising the benefits from automation in terms of both productivity and accuracy, and defines four tool qualification methods:
  • Increased confidence from use,
  • Evaluation of the tool development process,
  • Validation of the software tool, and
  • Development in accordance with a safety standard.


Qualification is based on the calculated Tool Confidence Level (TCL), ranging from 1 (lowest) to 3 (highest). A tool’s TCL is in turn determined by whether an error in the tool or its output can lead to a violation of a safety requirement (the “Tool Impact”, TI1 if it cannot, TI2 if it can) and by the confidence that such errors will be prevented or detected (“Tool Error Detection”, TD1 for high, TD2 for medium and TD3 for low confidence). A tool with TI1 or TD1 is at TCL1 and does not need qualification; TI2 combined with TD2 gives TCL2 and TI2 combined with TD3 gives TCL3, and both require qualification, with the system’s ASIL determining which of the four qualification methods are most highly recommended. Tool qualification artifacts include a Software Tool Qualification Plan, Software Tool Documentation, a Software Tool Classification Analysis (which establishes the relevant TCL), and a Software Tool Qualification Report.

IEC 61508 is an international standard for functional safety in E/E/PE systems and is the “umbrella” for domain-specific standards such as ISO 26262. The standard is based on the concepts of a safety life cycle (the engineering processes needed for functional safety) and safety integrity level, or SIL (the level of risk reduction). The SILs range from SIL1 (lowest requirement for risk reduction) to SIL4 (highest). The SILs are defined in terms of a target failure measure: the average probability of dangerous failure on demand for low-demand mode, or the probability of a dangerous failure per hour for high-demand or continuous mode; e.g. for SIL4 the probability of a dangerous failure per hour of continuous operation must be at least 10^-9 and less than 10^-8.

Software-related requirements are defined in Part 3 of IEC 61508, with the identification of techniques and measures for software development/verification; the specific requirements are based on the SIL. The standard specifies three tool qualification categories:
• T1: the tool is not used to either verify the code or to produce output that is part of the executable (e.g. a text editor)
• T2: the tool may fail to detect an error in the software but cannot itself introduce errors into the executable (e.g. a verification tool such as a coding standard checker)
• T3: the tool can produce output that is part of the executable (e.g. a compiler)

Tools classified at T2 or T3 must have the appropriate documentation, with T3 requiring additional justification (based on user experience or test cases) that the tool complies with its documentation.

Founded in 1994, AdaCore supplies software development and verification tools for mission-critical, safety-critical and security-critical systems, with its products used to field and maintain a wide range of critical applications in domains such as commercial and military avionics, space, defence systems and air traffic management/control.
