In accordance with the requirements of railway software safety standard EN 50128:2011, AdaCore has extended the T3 qualification of its GNAT Pro Ada for PowerPC ELF toolchain to include that product’s C compiler. The qualification work was performed for Alstom, an international company specializing in safety-critical railway systems. It was validated by the Independent Safety Assessor CERTIFER. T3 qualification for the C compiler complements the earlier T3 qualification for the toolchain’s Ada compiler. T3 is the highest qualification level in EN 50128.
The qualification of the C compiler involved several activities:
- Running the SolidSands SuperTest C conformance test suite and the Free Software Foundation’s GCC testsuite,
- Analyzing the problem reports related to the specific version of the C compiler and correcting several issues that were identified as critical, and
- Demonstrating correct integration of the C code with the main application written in Ada.
“With both compilers now qualified under the most demanding tool qualification requirements of EN 50128, Alstom can have full confidence in the quality of the code that is generated”
“Alstom and AdaCore enjoy a longstanding relationship, and as a supplier of qualified Ada tools we have supported Alstom on a variety of safety-critical railway programs in the past,” said Jamie Ayre, Commercial Director at AdaCore. “Since most systems these days are written in multiple languages, including C for a variety of functions, it made sense to qualify the C compiler in GNAT Pro at the same T3 classification as the Ada compiler. With both compilers now qualified under the most demanding tool qualification requirements of EN 50128, Alstom can have full confidence in the quality of the code that is generated, and in knowing that we will continue to provide top-tier support in response to any questions or issues.”
About CENELEC EN 50128
CENELEC EN 50128:2011 is a European standard governing the development, deployment and maintenance of safety-related software for railway control and protection applications. It defines several software safety integrity levels, or SILs, ranging from 0 (lowest, or not safety-related) to 4 (highest), along with guidance on the usage of a number of techniques and measures during the software life cycle processes, based on the SIL of the application. This guidance can range from not recommended (for example, the use of dynamic software reconfiguration at SIL1 through SIL4) to mandatory. The techniques and measures cover a wide range of software engineering activities and include top-down design methods, modularity, verified components and component libraries, configuration management and change control, and appropriate consideration of organization and personnel competency issues.
EN 50128 defines procedures for qualifying a tool and thereby allowing that tool to be used to replace a manual activity. The objective is to provide evidence that potential tool failures do not adversely affect safety, and the standard identifies three classes of tools and the requirements associated with justifying their usage. Class T1 comprises tools that have no effect on verification or on the final executable code. Class T2 comprises verification tools, where a failure may result in an error not being detected but will not affect the final executable code. Class T3 comprises development tools such as compilers, in which a failure could result in faulty code in the executable.