Development of Safety-Critical Sofware Using Automatic Code Generation

In future cars, mechanical and hydraulic components will be replaced by new electronic systems (x-by-wire). A failure of such a system constitutes a safety hazard for the passengers as well as for the environment of the car. Thus electronics and in particular software are taking over more responsibility and safety-critical tasks. To minimize the risk of failure in such systems safety stan- dards are applied for their development. The safety standard IEC 61508 has been established for automo- tive electronic systems.

At the same time, automatic code generation is increas- ingly being used for automotive software development. This is to cope with today?s increasing requirements concerning cost reduction and time needed for ECU de- velopment combined with growing complexity.

However, automatic code generation is hardly ever used today for the development of safety-critical systems. Reasons for this are the specific requirements on the code as well as inadequate experience in the develop- ment of safety-critical software itself.

This paper deals with the application of automatic code generation for the development of safety-critical sys- tems. It describes the role and benefits of automatic code generation in a safety-critical software develop- ment process. The requirements imposed on an auto- matic code generator by a safety standard such as the IEC 61508 are examined. The pros and cons of using a certified code generator and possible alternatives are discussed. The benefits and know-how gained from many years of experience in developing software ac- cording to safety standards such as RTCA DO-178B in the aerospace industry is taken into consideration.

The paper uses dSPACE's production code generator TargetLink as an example. The use of TargetLink at ATENA Engineering for the development of IEC 61508 SIL 3 software is described. The experiences and ac- complishments made at ATENA are shown.