comp.lang.ada
* Ada in the French TGV (High Speed Rail) System
@ 1994-10-22 22:32 Michael Feldman
From: Michael Feldman @ 1994-10-22 22:32 UTC (permalink / raw)


On-board with Safety Critical Software: Implementing Safety Critical
Software for High-Speed Railway Transportation

By Marc Richard-Foy, Alsys, and Gilles Legoff, CSEE-Transport

(source: Alsys World Dialogue, vol. 8, no. 2, Summer 1994)

Background

As computer control becomes more and more extensive in our everyday
lives, safety critical software systems are taking on increasing
importance. Hospitals, avionics, and ground transportation systems rely
on safety critical practices to supply their clients with safe, reliable
products and services that inspire confidence.

While software solutions for critical applications are attractive for
their flexibility, they also bring the chance of error. Positive
measures are required in software engineering to reduce the risk of
errors in the development of safety critical software. And, as
applications expand and public expectations for safety increases, a
growing number of industries are developing and enforcing their own
safety critical standards.

The railway industry is a leader in the development of safety critical
systems. Modern rail transport systems contain a diverse combination of
computers controlling non-critical functions such as entertainment
systems and cabin lights, as well as safety critical systems such as
track/train transmission, speed control, and "buried" or ground/embedded
computer signaling.

For managing traffic speed and capacity on its new TGV (Trains a Grand
Vitesse) line between Paris and Lille, and on the Channel link between
France and Great Britain, the French National Railroad (SNCF) uses an
automatic train control system named TVM430. This system displays
instructions for train engineers and checks that these instructions are
properly executed. TVM 430 is a fully automated system that was
developed by CSEE Transport (Compagnie des Signaux). It is comprised of
train- and  ground-based modules, each containing several embedded
68020-based boards communicating over a VME bus.

Development of the TVM 430 for the North line and Channel link, which
opened in 1993, was a five-year development effort for a 20-person
software team. Their goal was to provide the train driver with a system
that would continuously display current track position and speed
limitations on a rail line often reaching speeds of up to 320 km per hour
(200 m.p.h.). Using the critical display of speed limitations, the
driver can ensure that train speed is always lower than the maximum
authorized by signals, points or switches, and the relationship to other
trains on the line.

Safe Ada Programming Puts TVM 430 on the Right Track

When the TVM 430 development effort began in 1988, the CSEE Transport
team (then using Modula-2 for its projects) conducted an extensive study
of industrial languages which led them to select Ada for their project.
They found Ada's key strengths for a signaling and speed control system
included maintainability, portability, and strong typing for safety
applications, as well as similarity to their previous development
language.

As an ANSI and ISO standard, Ada is well defined and stable for
developing tools and libraries. It supports object-oriented design for
abstraction and reuse of components and offers a coherent, modular
construction that aids in the detection of errors at an early stage of
development. Moreover, Ada provides safety critical developers with
low-level features that enable basic elements of the target hardware to
be accessed in a logical manner. The address representation clause,
enumeration representation, and unchecked conversions are some of the
features enabling a program to be directly mapped to the target
processor.

Control over the visibility of types, operations, and data also provides
a way of limiting the features which may be used by any program unit.
For example, before the generic function UNCHECKED_CONVERSION can be
used, it must be made visible by a WITH clause. This exposes potentially
unsafe areas allowing special treatment and testing to ensure that the
safety of the program as a whole is not compromised.
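The visibility point above in concrete form, as an example added to this post and not taken from the Alsys article or from the TVM 430 code base. It is written for an Ada 95 or later compiler such as GNAT (the article's project predates Ada 95); the signal aspect type, its hardware encoding, and the buffer that stands in for a memory-mapped register are all assumptions made for illustration:

```ada
--  Added example (not from the Alsys article or the TVM 430 code base).
--  Shows an enumeration representation clause, an address clause, and the
--  explicit WITH that must precede any use of Unchecked_Conversion.
--  The Aspect encoding and the bus buffer are hypothetical.

with Ada.Unchecked_Conversion;   --  the unsafe generic is visible only from here on
with Ada.Text_IO;

procedure Aspect_Decode_Demo is

   --  Hypothetical signal aspect received from a track-side transmitter.
   type Aspect is (Stop, Caution, Clear);

   --  Enumeration representation clause: bind each literal to the hardware
   --  code instead of the compiler's default 0, 1, 2.
   for Aspect use (Stop => 2#0001#, Caution => 2#0010#, Clear => 2#0100#);
   for Aspect'Size use 8;

   --  One raw byte as it arrives over the bus.
   type Raw_Byte is mod 2**8;
   for Raw_Byte'Size use 8;

   --  Instantiating the generic is the single point where type safety is
   --  bypassed; a reviewer only has to look for the WITH and this line.
   function To_Aspect is new Ada.Unchecked_Conversion
     (Source => Raw_Byte, Target => Aspect);

   --  After an unchecked conversion the value may not be a legal Aspect at
   --  all (e.g. 2#1000#); 'Valid is the language's check for that, and an
   --  unknown code is mapped to the most restrictive aspect.
   function Decode (Raw : Raw_Byte) return Aspect is
      Candidate : Aspect;
   begin
      Candidate := To_Aspect (Raw);
      if Candidate'Valid then
         return Candidate;
      else
         return Stop;
      end if;
   end Decode;

   --  Constructed sample of four bus bytes: Clear, Stop, an invalid code, Caution.
   Bus_Buffer : array (1 .. 4) of Raw_Byte :=
     (2#0100#, 2#0001#, 2#1000#, 2#0010#);

   --  Address clause: overlay Status_Register on the first buffer byte. On the
   --  target this would name a memory-mapped register; here the buffer stands
   --  in for it so the program runs on a host.
   Status_Register : Raw_Byte;
   for Status_Register'Address use Bus_Buffer (1)'Address;

begin
   for I in Bus_Buffer'Range loop
      Ada.Text_IO.Put_Line
        (Raw_Byte'Image (Bus_Buffer (I)) & " decodes to " &
         Aspect'Image (Decode (Bus_Buffer (I))));
   end loop;

   Ada.Text_IO.Put_Line
     ("Status_Register read through the address clause:" &
      Raw_Byte'Image (Status_Register));
end Aspect_Decode_Demo;
```

Build with `gnatmake aspect_decode_demo.adb`. The point for a safety review is the third buffer byte: without the 'Valid test, the bypassed type check would let a code with no representation flow into the speed-limit logic as if it were a legitimate Aspect.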

The TVM 430 Development Environment

The TVM 430 system software was completely developed and tested on a
VAX/VMS computer and compiled with an Alsys Ada cross compiler to
implement software on 68000 family-specific boards. The system is
composed of four subsystems, each contributing to the safety critical
solution.

1. The on-board train subsystem displays speed limitations and controls
train speed.

2. The fixed subsystem controls the interface with the tracks,
computations of maximum speed, and the transmission of speed
limitations to the train through equipment associated with increments of
15 km (10 miles) of track.

3. The parameters subsystem controls field equipment. These tools are
implemented on a VAXStation.

4. The simulator subsystem controls testing and validation of each
subsystem and the global system when there is a modification of either
the system, train characteristics, or the track. These tools are
implemented on VAX/VMS, IBM PC, and 68000-family-specific boards.

All the subsystems were developed with Ada as the principal language.
The size of the application in lines of code is as follows:

On-board subsystem:  100,000 total, 60,000 Ada
Fixed subsystem:     100,000 total, 50,000 Ada
Parameters tool:     100,000 total, 50,000 Ada
Simulator:            80,000 total, 60,000 Ada

Safety Critical Certification for Transportation

Certification guidelines for safety critical applications stress the
importance of a process based on sound engineering practice. Therefore,
developmental steps for safety critical software must be well understood
and documented, including the Software Development Plan (Controlled
Software Engineering Method) and the Software Verification Plan (Review
Testing and Format Analysis).

Several kinds of testing for safety strategies are required for safety
critical systems. "BlackBox" testing verifies that each function
generates the expected results or observable effect under all possible
conditions. Each function is tested with its typical data values and
also at the outer boundaries to check behavior under extreme conditions.
"Glass Box" testing is a more stringent process. Analyzing the structure
of a function ensures that all elements are required and executed, that
all execution paths operate under all conditions, and that all
conditions work correctly to both true and false evaluations.

Development of the TVM 430 project was under the control of a strict
quality assurance plan. Ada, as a general purpose language, contains
features which should not normally be used in safety critical
applications. Since TVM 430 required total bounding in time and memory,
the time to execute and amount of memory used by each element of the
program were determined and verified as part of the certification
process.

Safety Success with Ada

With the era of safety critical and highly reliable software just
beginning, Ada has proven its advantages for projects such as the
TVM430. As CSEE Transport has experienced, software configuration is
validated earlier in the development phase, Ada software tests are
quicker and easier than other languages, portability from the VAX to a
68000 family microprocessor can be achieved, the quality of the software
is enhanced, and ultimately the safety team and the customer are more
confident.

TVM 430 was the first Ada safety software to obtain certification in the
railway industry and the first to be granted certification by an
international committee for the Channel link application. New
transportation projects, such as ATP (Automatic Train Protection) for
the Korean TGV are making Ada a wise choice for their software safety
critical functions.



