The demand for ever more capable ADAS and autonomy in cars has led to a proliferation of ECUs and an associated increase in software complexity, communication, and wiring. NVIDIA addresses this challenge with DRIVE® AGX, which combines the functionality of multiple ECUs into a full-stack hardware and software platform supporting ADAS and autonomous driving. NVIDIA DriveOS is responsible for ensuring the isolation of integrated software components of differing criticality levels, enabling this reduction in the number of ECUs and simplification of communication and wiring. To reach the highest level of assurance under ISO 26262 for DriveOS as quickly and efficiently as possible, NVIDIA selected Ada and SPARK.
Now, in collaboration with AdaCore, NVIDIA is publishing an off-the-shelf reference process that enables the automotive community to replicate their success in using Ada and SPARK to develop software to be certified under ISO 26262.
ISO 26262
ISO 26262 is an international standard that addresses functional safety for the electrical and electronic systems of road vehicles. It covers the entire software development process and requires that software tools used in the production of certified software be qualified for their intended use: each tool is assigned a Tool Confidence Level (TCL) from whether a tool malfunction could introduce an error into the product or fail to detect one, and from how likely such a malfunction is to be prevented or detected, with TCL3 being the level that demands the most rigorous qualification. AdaCore's development and verification tools for Ada, SPARK, and C have been qualified under both the ISO 26262 and IEC 61508 functional safety standards.
AdaCore's GNAT Pro compiler and CCG (the Common Code Generator, which produces C from Ada and SPARK sources) have received TCL3 qualification under ISO 26262 and T3 qualification under IEC 61508; T3 is the IEC 61508 class for tools whose output contributes directly to the executable. The SPARK Pro verification tool received TCL3 and T2 qualification, T2 being the IEC 61508 class for tools that support verification but do not generate executable code. All three products have been certified by TÜV SÜD, an independent, globally recognized body that confirms that products meet national and international standards. A tool qualification covers the specific tool version, configuration, and use case described in its qualification kit, so a project should confirm that its own tool chain and options match what was qualified before claiming credit for it. The TÜV SÜD certification mark is widely acknowledged and respected as a trusted symbol of quality, safety, and sustainability.
The SPARK Solution
SPARK is a programming language and tool suite that allows specification, development, and formal verification of software in the same language. The design of the SPARK language minimizes defects, allowing developers to develop software more efficiently. Dedicated static analysis tools prove the absence of certain categories of defects and compliance of the code to user-defined specifications.
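As an added illustration (not code from NVIDIA DriveOS or from AdaCore's materials), the following SPARK package shows what "specification and verification in the same language" means in practice. The package, type, and procedure names (Bounded_Copy, Buffer, Copy) and the contracts are assumptions made for this example. The Post, Global, and Depends aspects are the specification; SPARK's proof tool, gnatprove, is intended to discharge both the absence of run-time errors (no index out of range, no overflow) and the postcondition, so a caller can rely on the bound on Count without a test case for it.

```ada
-- bounded_copy.ads  (added example; not NVIDIA or AdaCore code)
package Bounded_Copy with SPARK_Mode is

   type Byte   is mod 2**8;
   type Index  is range 0 .. 1023;
   type Buffer is array (Index range <>) of Byte;

   --  Copy as many leading bytes of Src as fit in Dst and report how many
   --  were copied. The contract is the specification: Count is bounded by
   --  both lengths, and the first Count bytes of Dst equal those of Src.
   --  Depends records the information flow checked by flow analysis (Count
   --  and the new Dst derive only from Src and the old Dst); Global => null
   --  states that the procedure touches no global state.
   procedure Copy (Src : in Buffer; Dst : in out Buffer; Count : out Natural)
     with
       Global  => null,
       Depends => (Dst => (Src, Dst), Count => (Src, Dst)),
       Post    => Count = Natural'Min (Src'Length, Dst'Length)
                    and then (for all I in 0 .. Count - 1 =>
                                Dst (Dst'First + Index (I)) =
                                Src (Src'First + Index (I)));

end Bounded_Copy;

-- bounded_copy.adb
package body Bounded_Copy with SPARK_Mode is

   procedure Copy (Src : in Buffer; Dst : in out Buffer; Count : out Natural) is
   begin
      Count := Natural'Min (Src'Length, Dst'Length);

      for I in 0 .. Count - 1 loop
         --  Loop invariant: the bytes copied so far already satisfy the
         --  specification. Together with Count being unchanged in the loop,
         --  this lets the prover establish the postcondition at loop exit.
         pragma Loop_Invariant
           (for all J in 0 .. I - 1 =>
              Dst (Dst'First + Index (J)) = Src (Src'First + Index (J)));

         --  No index or range check can fail here: I < Count <= both
         --  lengths, so Dst'First + I <= Dst'Last and Src'First + I <= Src'Last.
         Dst (Dst'First + Index (I)) := Src (Src'First + Index (I));
      end loop;
   end Copy;

end Bounded_Copy;
```

The two units would normally live in separate files, as the header comments indicate, and be analysed with gnatprove from a project file (for example `gnatprove -P bounded_copy.gpr --level=2`). If the loop invariant is removed, the code still compiles and runs the same way, but gnatprove can no longer prove the postcondition: the invariant is the piece of the specification that bridges each iteration to the final contract, which is the difference between a tested property and a proved one.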
NVIDIA Chooses SPARK
NVIDIA has complemented its certified ISO 26262 software development process by introducing Ada and SPARK into the development of DriveOS. NVIDIA DriveOS is the operating system and associated software stack designed specifically for developing and deploying autonomous vehicle applications on the NVIDIA DRIVE® AGX autonomous vehicle AI computing platform. Now, in collaboration with AdaCore, NVIDIA is helping the broader automotive software-development community to follow its lead by publishing an off-the-shelf reference process for the use of Ada and SPARK to develop software to be certified under ISO 26262.
DriveOS includes software components that comply with the highest levels of integrity of the automotive functional safety standard ISO 26262. The Ada and SPARK languages are used to complement the development of some of the most critical components of the NVIDIA DRIVE software stack. Achieving certification for this software required establishing a development process that takes advantage of formal methods as well as other safety characteristics of Ada and SPARK.