INTRODUCTION:
Transportation systems and, in particular, railway systems, are growing markets that increasingly rely on software for command, communication, and control. Due to the impact of errors and accidents in this environment, software is developed to strict standards such as EN 50128. The standard is very specific on the use of good programming practices, tools, and techniques. In this post, I’ll discuss how a static analysis tool like GrammaTech CodeSonar satisfies various EN 50128 requirements.
Related:
- CodeSonar Achieves ISO 26262, IEC 61508, and EN 50128 Certification
- Certifications and Source Code Compliance
- Software for Railway Control and Protection Systems EN 50128
Source-Code Compliance
The EN 50128 standard is very clear on using good programming techniques such as modularity, components, structure, and object-oriented programming. It also requires the use of design and coding standards, and language subsets such as MISRA C. In fact, these coding standards are mandatory for higher safety-integrity levels SIL 3 and 4. Static analysis tools such as GrammaTech CodeSonar are very good for enforcing coding standards, whether commonly-used standards such as MISRA C or customized versions specific to your application.
Static Analysis
The EN 50128 standard is specific about the use of static analysis tools “using a customizable set of Coding Standards, Control Flow and Data Flow Analysis Rules” and is highly recommend for SIL 1 to 4. Interestingly, the EN 50128 says: “Use the inter-procedural Control Flow Analysis module to find variables in use before being initialized, buffer overflows, resource leaks etc.” As this is a highly recommended practice, it’s clear that static analysis is an important part of the safety critical development toolkit.
Satisfying EN50128 Requirements
The following table illustrates how specific EN 50128 requirements are met with a static analysis tool such as CodeSonar. In many cases the techniques/practices are highly recommended, if not mandatory, at the most critical levels.
Technique |
Reference |
SIL 0 |
SIL 1 |
SIL 2 |
SIL3 |
SIL4 |
Design and Coding Standards |
Table A.4 |
HR |
HR |
HR |
M |
M |
Language Subset |
Table A.4 |
|
|
|
HR |
HR |
Static Analysis |
Table A.5, A.8 |
R |
HR |
HR |
HR |
HR |
Metrics |
Table A.5 |
|
R |
R |
R |
R |
Coding Standard |
Table A.12 |
HR |
HR |
HR |
M |
M |
Coding Style Guide |
Table A.12 |
HR |
HR |
HR |
HR |
HR |
No Dynamic Objects/Variables |
Table A.12 |
|
R |
R |
HR |
HR |
Limited Use of Pointers |
Table A.12 |
|
R |
R |
R |
R |
Limited Use of Recursion |
Table A.12 |
|
R |
R |
HR |
HR |
No Unconditional Jumps |
Table A.12 |
|
HR |
HR |
HR |
HR |
Limited Size and Complexity of Functions/Methods |
Table A.12 |
HR |
HR |
HR |
HR |
HR |
Single Entry/Exit Point for Functions/Methods |
Table A.12 |
R |
HR |
HR |
HR |
HR |
Limited Number of Parameters |
Table A.12 |
R |
R |
R |
R |
R |
Limited Use of Global Variables |
Table A.12 |
HR |
HR |
HR |
M |
M |
Control Flow Analysis |
Table A.19 |
|
HR |
HR |
HR |
HR |
Data Flow Analysis |
Table A.19 |
|
HR |
HR |
HR |
HR |
Walkthrough/Design Reviews |
Table A.19 |
HR |
HR |
HR |
HR |
HR |
Table 1: EN 50128 requirements specifically met by static analysis tools and the recommendation level. References are to specific clauses in EN 50128. Legend: R = recommended, HR = highly recommended, M = mandatory
Supporting Certification
An important part of satisfying the requirements for EN 50128 is not just compliance but documentation to support proof of compliance. Automated software tools, including static analysis, provide reporting that supports the certification effort, and with the additional benefits of risk mitigation and developer time savings, the use of automated tools means quicker time-to-market and development dollars saved.
Certified Tools
GrammaTech CodeSonar is an EN 50128 certified tool, which means that an independent certification body, TÜV SÜD Saar GmbH in this case, has analyzed the functionality of the tool and its development process and certified that it satisfies the requirements to be used in developing safety-critical software. Why is this important? Tools that are used in the development of safety-critical software must be documented and their results analyzed. Tools that are not certified require further scrutiny from the certification bodies, possibly increasing workload and risk on the development team.
CONCLUSION:
Static analysis tools have an important role to play in safety-critical software development. The EN 50128 standard for railway software systems is clear in its requirements and highly recommends static analysis for any system SIL 1 or above. Supporting the certification process with certified tools reduces risk, costs, and time.