EN 50128 Handbook
Methodology Handbook
Efficient Development of Safe Railway
Applications Software with EN 50128
Objectives Using SCADE Suite®
Third Edition
CONTACTS
Headquarters
Esterel Technologies SA
Parc Euclide - 8, rue Blaise Pascal
78990 Elancourt
FRANCE
Phone: +33 1 30 68 61 60
Fax: +33 1 30 68 61 61
Central Europe
© 2009 Esterel Technologies SA. All rights reserved Esterel Technologies SA. SCADE®, SCADE Suite®, KCG®, and SSM® are registered
trademarks of Esterel Technologies.
Abstract
This handbook addresses the issue of cost and productivity improvement in the
development of safe embedded software for railway applications dealing with control
and protection systems. Such projects, driven by the EN 50128 standard, traditionally
require very difficult and precise development and verification efforts. This handbook
first reviews traditional development practices and then covers the optimization of the
development process using the SCADE Suite methodology and tools in conjunction with
the certified SCADE Suite® KCG® 6.1.2 Code Generator. SCADE Suite supports the
automated production of a large part of the safety life-cycle elements. The effects of
using SCADE Suite together with the certified SCADE Suite KCG 6.1.2 Code Generator are
presented in terms of savings in the EN 50128 development and verification activities by
following a step-by-step approach and considering the objectives that have to be met at
each step. The handbook does not intend to impose formal conditions of use. Formal
guidelines can be found in the SCADE KCG Safety Case and in the EE81045C TÜV Report
on the Certificate Z10 07 04 55460 002.
Methodology Handbook
SCADE Suite with EN 50128 Objectives
TÜV Certificate
Table of Contents
1.1 Background 1
1.2 Objectives and Scope 2
5.1 Overview 47
5.2 Verification of the SCADE Software Architecture and Design 48
5.2.1 Verification objectives for Software Architecture and Design 48
5.2.2 Verification methods for Software Architecture and Design 48
5.3 Verification of the SCADE Module Design Specification 49
5.3.1 Verification objectives for the Module Design Specification 49
5.3.2 Scade model accuracy and consistency 49
5.3.3 Compliance with design standard 49
5.3.4 Traceability from Software Module Design to Software Architecture and Design Specification 49
5.3.5 Verifiability 51
5.3.6 Compliance with Software Design Specification and Software Architecture Specification 51
6. Conclusion 71
List of Figures
List of Tables
• It allows for identifying problems earlier in the development cycle, since most of the verification activities can be carried out at model level.
• It reduces the change cycle time, since modifications can be done at model level and code can automatically be regenerated.

1.2 Objectives and Scope

This document provides a careful explanation of the safety issues encountered when developing embedded safety-related railway applications software and how the use of both proper modeling techniques and automatic code generation from models can drastically improve productivity. It is organised as follows:

• Section 2. This section provides an introduction to the regulatory guidelines used when developing safety-related software. It then describes the main challenges in the development of safety-related software in terms of specification, verification, and efficiency of the resulting software.
• Section 3. This section presents an overview of SCADE Suite’s methodology and tools, including how SCADE Suite achieves the highest-quality standards, while reducing costs based on a “correct by construction” approach and the use of a certified automatic code generator, insisting on the following points:
  • A unique and accurate software description that allows for the prevention of many specification or design errors can be shared among project participants.
  • The early identification of most remaining design errors allows them to be fixed in the requirements/design phase, rather than in the code testing or integration phase.
  • Certified code generation not only saves writing the code by hand, but also the cost of verifying it.
• Section 4. This section is devoted to the detailed positioning of SCADE Suite tools, including the KCG certified Code Generator, in a flow which is compliant with the EN 50128 life cycle, and to the precise description of each of the development steps. It also presents the integration of SCADE Suite-generated code in an operating system environment, thus allowing the generation of complete software on the target platform.
• Section 5. This section is devoted to a detailed presentation of the verification activities that are linked to each of the previous development steps. This includes the verification of requirements and design, the verification of the coding steps and the verification of the verification.
• Section 6. This section draws conclusions on the benefits of the SCADE Suite methodology when it is used with the SCADE Suite KCG certified Code Generator.

This document also contains in appendix:

• Appendix A presents the Clause and Detailed tables of [EN 50128] with comments on the positioning of SCADE Suite and the KCG Code Generator.
• Appendix B presents the EN 50128 Certification Report from TÜV Süd.
• Appendix C details the Compiler Verification Kit (CVK).
• Appendix D provides a reference list.
• Appendix E lists all acronyms used in this document and explains key terminology in a glossary.

Note that the content of this document applies to SCADE Suite 6.x, SCADE Suite KCG 6.1.2, and CVK 6.1.2.
• Use an overall safety life-cycle model (see Figure 2.1) as the technical framework for all the activities from initial concept to final decommissioning.
• Encompass system aspects (all subsystems including hardware and software) and failure mechanisms (including random or systematic hardware failures).
• Contain both requirements to prevent failures and requirements to control failures.
• Specify the techniques and measures that are necessary to achieve the required safety integrity.

EN 50128 specifies four levels of safety performance for a safety function. These are called Software Safety Integrity Levels (SwSIL). SwSIL 1 is the lowest level of safety integrity and SwSIL 4 is the highest level. They are called Safety Integrity Levels (SIL) in the rest of this document. There are also categories of ECUs for which no special safety integrity requirements apply and categories of systems where the required safety integrity cannot be reached through measures in the standard. Such systems require additional external measures to ensure functional safety. This is described in Figure 2.1 below. For normative reference, please check with [EN 50128].

The EN 50126 standard details the requirements necessary to achieve each SIL. A safety-related system usually implements more than one safety function. If the safety integrity requirements for
software.

2.2.1 Mastering complexity and scaling

The architecture and functionality of railway applications may be very large and complex.

interdependencies.
2.2.7 Allowing for an efficient implementation of code on target

Code that is produced must be simple, deterministic and efficient. It should require as few resources as possible. It should easily and efficiently be retargetable to new ECUs (Electronic Control Units).

There are many sources of changes in the software, ranging from bug fixing to function improvement or the introduction of new functions. When something has to be changed in the software, all products of the software life cycle have to be updated consistently, and all verification activities must be performed accordingly.
Independence
Separation of responsibilities that ensures the accomplishment of objective evaluation. (1) For software verification process activities, independence is achieved when the verification activity is performed by a person(s) other than the developer of the item being verified, and a tool(s) may be used to achieve an equivalence to the human verification activity. (2) For the software quality assurance process, independence also includes the authority to ensure corrective action.

Risk
Combination of the frequency, or probability, and the consequence of a specified hazardous event.

Robustness
The extent to which software can continue to operate correctly despite invalid inputs.

Safety
Freedom from unacceptable levels of risk.
Index
N
Node 19

S
Scheduling 41
SDS 115
Semi-formal methods 94
Structural coverage 69
System Architecture Description 28, 29
Request the complete handbook from Esterel
Technologies from our web site