Software Assurance            Software Hardening            Autonomic Computing

Static Analysis, Safety-Critical Railway Software, and EN 50128

INTRODUCTION:

Transportation systems and, in particular, railway systems, are growing markets that increasingly rely on software for command, communication, and control. Due to the impact of errors and accidents in this environment, software is developed to strict standards such as EN 50128. The standard is very specific on the use of good programming practices, tools, and techniques. In this post, I’ll discuss how a static analysis tool like GrammaTech CodeSonar satisfies various EN 50128 requirements.

Related:


railway-system-02.png

Source-Code Compliance

The EN 50128 standard is very clear on using good programming techniques such as modularity, components, structure, and object-oriented programming. It also requires the use of design and coding standards, and language subsets such as MISRA C. In fact, these coding standards are mandatory for higher safety-integrity levels SIL 3 and 4. Static analysis tools such as GrammaTech CodeSonar are very good for enforcing coding standards, whether commonly-used standards such as MISRA C or customized versions specific to your application.

Static Analysis

The EN 50128 standard is specific about the use of static analysis tools “using a customizable set of Coding Standards, Control Flow and Data Flow Analysis Rules” and is highly recommend for SIL 1 to 4. Interestingly, the EN 50128 says: “Use the inter-procedural Control Flow Analysis module to find variables in use before being initialized, buffer overflows, resource leaks etc.” As this is a highly recommended practice, it’s clear that static analysis is an important part of the safety critical development toolkit. 

Satisfying EN50128 Requirements

The following table illustrates how specific EN 50128 requirements are met with a static analysis tool such as CodeSonar. In many cases the techniques/practices are highly recommended, if not mandatory, at the most critical levels.

Technique

Reference

SIL 0

SIL 1

SIL 2

SIL3

SIL4

Design and Coding Standards

Table A.4

HR

HR

HR

M

M

Language Subset

Table A.4

 

 

 

HR

HR

Static Analysis

Table A.5, A.8

R

HR

HR

HR

HR

Metrics

Table A.5

 

R

R

R

R

Coding Standard

Table A.12

HR

HR

HR

M

M

Coding Style Guide

Table A.12

HR

HR

HR

HR

HR

No Dynamic Objects/Variables

Table A.12

 

R

R

HR

HR

Limited Use of Pointers

Table A.12

 

R

R

R

R

Limited Use of Recursion

Table A.12

 

R

R

HR

HR

No Unconditional Jumps

Table A.12

 

HR

HR

HR

HR

Limited Size and Complexity of Functions/Methods

Table A.12

HR

HR

HR

HR

HR

Single Entry/Exit Point for Functions/Methods

Table A.12

R

HR

HR

HR

HR

Limited Number of Parameters

Table A.12

R

R

R

R

R

Limited Use of Global Variables

Table A.12

HR

HR

HR

M

M

Control Flow Analysis

Table A.19

 

HR

HR

HR

HR

Data Flow Analysis

Table A.19

 

HR

HR

HR

HR

Walkthrough/Design Reviews

Table A.19

HR

HR

HR

HR

HR

Table 1: EN 50128 requirements specifically met by static analysis tools and the recommendation level. References are to specific clauses in EN 50128. Legend: R = recommended, HR = highly recommended, M = mandatory 

Supporting Certification

An important part of satisfying the requirements for EN 50128 is not just compliance but documentation to support proof of compliance. Automated software tools, including static analysis, provide reporting that supports the certification effort, and with the additional benefits of risk mitigation and developer time savings, the use of automated tools means quicker time-to-market and development dollars saved. 

Certified Tools

GrammaTech CodeSonar is an EN 50128 certified tool, which means that an independent certification body, TÜV SÜD Saar GmbH in this case, has analyzed the functionality of the tool and its development process and certified that it satisfies the requirements to be used in developing safety-critical software. Why is this important? Tools that are used in the development of safety-critical software must be documented and their results analyzed. Tools that are not certified require further scrutiny from the certification bodies, possibly increasing workload and risk on the development team.



CONCLUSION:

Static analysis tools have an important role to play in safety-critical software development. The EN 50128 standard for railway software systems is clear in its requirements and highly recommends static analysis for any system SIL 1 or above. Supporting the certification process with certified tools reduces risk, costs, and time.