Partnership set to ease the safety critical software verification process

4 mins read

Multicore processors are nothing new to electronics designers and have many features which make them attractive in a range of applications. But those developing software for safety critical systems may not view multicore devices with such fondness. The reason? Proving that the software written for multicore processors meets the requirements of the various standards is a complex and time consuming business.

Looking to help those developing safety critical software – particularly for aerospace applications – compliance specialist LDRA has entered a partnership with Green Hills Software to provide a way to trace the behaviour of multicore systems. Both companies claim this is a ‘critical step forward’ in helping to prove regulatory compliance.

Jay Thomas, a technical development manager with LDRA, noted: “When a system is required to meet the needs of safety critical industry standards, generic debug and code trace capabilities are not sufficient. Their overly intrusive nature causes them to affect the performance and behaviour of the software and the system as a whole.

“Satisfying safety critical industry standards – such as DO-178C for aerospace and ISO 26262 for automotive – requires that code be executed and tested to completion on the final system hardware.”

The demand for new ways in which to prove compliance for multicore processor based systems has been building recently. Jim McElroy, LDRA’s vp of marketing explained. “It’s a theme we’ve seen over the last couple of years. Demand is not only coming from those developing operating systems, their hardware partners are also looking to prove functional safety because they are being pushed by their customers.

“Depending on what they are developing,” he continued, “it could be very costly to provide the necessary evidence to the regulatory authority that software development has gone through the correct process.”

The link between LDRA and Green Hills therefore makes a lot of sense –Green Hills has a focus on multicore processors and LDRA has the tools that allow compliance to be demonstrated.

“It is difficult to prove these systems have gone through the correct processes and to provide the necessary evidence,” McElroy noted. “We’re partnering to help solve some of the complexity challenges. In reality, this move is helping our mutual customers – particularly those developing to DO-178B and C – to shorten their software development and verification time and to save money,” McElroy added.

Proving that software written to run on a single core processor is compliant is a challenge in itself. But when the software is deployed onto a multicore device, that challenge grows significantly.

Thomas noted: “When multiple processes run on different cores, collecting structural coverage data efficiently can be hampered by concurrency, reliability and robustness roadblocks.”

McElroy picked up the thread. “There is a lot of inherent complexity in the design methodologies for these applications. On a multicore processor, the software could run in symmetric or asymmetric processing modes. In symmetric processing, the same software runs on all cores. But in asymmetric mode, that changes and there could be one core which controls the others. There is tremendous complexity.

“What the partnership between LDRA and Green Hills has done is to enable developers to match the code to a given core more quickly. It provides them with more flexibility and that means they can run code on whichever core they need to.”

Colour coding in LDRAcover identifies aspects of large functions that achieve coverage, such as decision statements and loops

LDRA’s optimised trace technology captures software runtime dynamics and behaviour from multiple cores. As a result, safety and security critical coverage analysis is safely and efficiently aggregated. This not only happens without any effects on the system’s run time performance, but also without affecting the integrity of the Green Hills multicore application environment. LDRA’s tracing technology is integrated with the Green Hills development tool chain to provide the necessary system analysis and debug capabilities.

LDRA’s tools are being made available to Green Hills users via the MULTI integrated development environment (IDE).

According to Green Hills, the partnership efforts integrate LDRA’s structural coverage solution within MULTI. This unifies management of multicore application development, debug and verification.

With LDRA’s instrumentation support, structural coverage analysis can be captured at the individual core or aggregated to provide a multicore system level view. Results are portrayed graphically, enabling developers to follow the flow of code execution and to assess system behaviour at core and system levels.

Access to LDRA tools means that object code verification for Green Hills compilers is extended to C, C++ and Ada, providing more development flexibility. Data and control coupling also provides more insight into multicore system’s architecture and behaviour, with the flow of control and data across the system available for display.

The move to multicore platforms is not only being made for performance reasons, it’s also being made because of size, weight and power – SWAP – considerations; designers are trying to pack more performance into smaller spaces. According to Green Hills, tools are now available that can automate multicore software development and test, streamlining multicore development and verification. It is this development that allows them to take advantage of SWAP.

According to Thomas, as multicore systems are deployed to meet SWAP requirements, traditional instrumentation and data collection techniques are not viable. “Traditional instrumentation for structural coverage analysis is a combination of precompilation and run time processes,

with instrumentation points recording the points of code that are executed. While this seems logical, the impact on run time performance is significant.

“However, new instrumentation techniques help to eliminate this challenge, enabling the cost effective verification of multicore systems to safety critical standards.”

“Meeting the verification requirements for safety critical industry standards requires that all testing be performed at the system level on the final system hardware and test completeness must be proven through the use of structural coverage analysis. Both objectives are addressed by these techniques.

“This approach takes advantage of an optimised data collection approach that integrates all platform test results and coverage dependencies into a data structure generated by static analysis.”

McElroy commented: “Ours is a lightweight approach that makes sure system performance is not degraded. Our instrumentation technology enables the user to prove which code has been tested on which cores and which code hasn’t been tested. This is particular important when software is being developed to DO-178 B and C standards.”

At what point in the development process the tools will be used depends upon the customer’s work flow. Some companies will perform software verification as part of their ‘sprints’, said McElroy. “But many use LDRA tools every day for quality purposes; to make sure their code is adhering to standards, which might not only be industry standards, but also company defined.”

“Fundamentally,” McElroy noted, “users can invoke the LDRA tools from within the MULTI IDE. Although the main focus for this partnership is on coverage, we have extended that capability to allow other tools to be invoked. So software developers could do static analysis of their code, as well as examine quality and compliance issues. I think we’ll see us continuing to enhance the integration in order to provide more feedback to developers. And I don’t think there’s any other companies doing this,” he concluded.