Building a Better Bullet Train
The emerging embedded software development model for the next generation of European high-speed trains offers clear evidence of the viability of mature ANDF technology.
Riding Thalys, the stylish red flagship of the French TGV high-speed rail system, is a heady experience the first time you taste its extremely smooth version of ultra high velocity. Reclining comfortably as the Gallic countryside streaks past -- with nary a ripple in your glass of Bordeaux -- thousands of tons of metal and microchips hurtle you toward Paris at speeds up to 320 kilometers per hour. Few passengers, however, ever consider the importance of the embedded software keeping the train on track.
While the software behind Thalys' neck-snapping speed and sterling safety record is transparent to most, to the engineers designing its successor, the ability to create dependable, failsafe systems on time and within budget is paramount. Fortunately, one phase of the European Community's OMI (Open Microprocessor Initiative) Program, OMI/SAFE (Safe Ada For Embedded systems), provides a clear path to more flexible, less expensive software development for safety-critical real-time systems like those aboard Thalys.
Initiated in 1997, OMI/SAFE is the third piece of the $1 billion (US) ESPRIT OMI strategic development program. One of the primary goals of the overall program is to eliminate limitations confronting real-time embedded systems developers as they migrate software to different microprocessors or microcontrollers.
Successfully completed on September 30, 1999, the OMI/SAFE project was managed by Poul Munch of Lyngby, Denmark-based software development tools provider DDC-I. Other participants included Thomson Services Industry and Crouzet Automatismes of France, automation solutions providers for the French TGV trains, and Germany's iXpoint and University of Karlsruhe, providing software development expertise. Advanced Informatics of Greece and University of Karlsruhe subcontractor Advanced Bytes & Rights of Britain rounded out the project group.
"The OMI/SAFE program was really about giving developers more flexibility and mobility when they design systems, leaving them free to move between or even mix programming languages, and making it less expensive to migrate software to different processors," says Munch.
He explains that the OMI/SAFE project in particular was focused on proving the reliability and usefulness of existing ANDF technology, as ANDF is considered a pillar of the larger OMI strategy and the key to genuine software portability. In short, ANDF (Architecture Neutral Distribution Format) is a common, architecturally neutral representation of programs that have been coded in C, C++, Ada, Fortran, or Dylan: a front end for each language produces ANDF, and a target-specific installer turns that single representation into native code, so moving to a new processor means a new back end rather than a new compiler for every language.
The ANDF technology used was DDC-I's SCORE (Safety Critical, Object-oriented, Real-time Embedded), an integrated software development environment designed to address the need for combining reusable software components, written in different languages, targeting different microprocessors and developed on different development platforms.
According to Munch, the scientific objective of the OMI/SAFE project was to contribute to the definition and implementation of a complete development process for safety-critical software -- for real-time embedded systems -- that assured safety while still guaranteeing maximum software portability and reusability.
For OMI/SAFE, the project group synthesized three areas of technology and methodology:
- Ada/ANDF technology capable of supporting coherent, modular, and reusable implementation, detection of errors at early stages of development, and quick retargeting to other processors.
- Formal methods and techniques for the verification of correctness and safety-assurance of system specifications and design.
- Integrated safety and schedulability analysis methods.
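The list names schedulability analysis without saying which method the project used. The following is an added illustration, not code from OMI/SAFE, DDC-I or Crouzet Automatismes, of the standard fixed-priority analysis a real-time engineer would run on a task set like the pantograph controller's: the rate-monotonic utilization bound as a quick sufficient test, then exact response-time analysis. The task set itself is constructed (task names, periods and worst-case execution times are invented, not measured values from the project). It is chosen so that the utilization bound fails while the exact analysis proves the set schedulable, and so that a modest increase in one task's execution time pushes it past its deadline.

```python
"""Fixed-priority schedulability analysis of a small periodic task set.

Added illustration, not code from the OMI/SAFE project, DDC-I or Crouzet
Automatismes. The task set is constructed: names, periods and worst-case
execution times (WCETs) are invented for the example and are not measured
values from the pantograph controller.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Task:
    name: str
    period: int   # release period; deadline is assumed equal to the period
    wcet: int     # worst-case execution time, same time unit as period


def utilization(tasks):
    """Total processor utilization U = sum(C_i / T_i)."""
    return sum(t.wcet / t.period for t in tasks)


def liu_layland_bound(n):
    """Rate-monotonic utilization bound for n tasks: n * (2^(1/n) - 1).
    U at or below this bound is sufficient, but not necessary, for schedulability."""
    return n * (2 ** (1.0 / n) - 1)


def response_times(tasks):
    """Exact response-time analysis under rate-monotonic fixed priorities.

    Iterates R = C_i + sum over higher-priority j of ceil(R / T_j) * C_j
    until it converges. Returns name -> worst-case response time, with None
    for a task whose iteration passes its deadline (unschedulable)."""
    ordered = sorted(tasks, key=lambda t: t.period)  # shorter period = higher priority
    result = {}
    for i, task in enumerate(ordered):
        higher = ordered[:i]
        r = task.wcet
        while True:
            # -(-r // T) is integer ceiling division: number of releases of h within r
            interference = sum(-(-r // h.period) * h.wcet for h in higher)
            r_next = task.wcet + interference
            if r_next > task.period:
                result[task.name] = None   # missed its deadline
                break
            if r_next == r:
                result[task.name] = r      # fixed point reached
                break
            r = r_next
    return result


def is_schedulable(tasks):
    return all(r is not None for r in response_times(tasks).values())


# Constructed task set (time unit: milliseconds), loosely modelled on a
# pantograph damping controller. Values are illustrative, not from the project.
PANTOGRAPH_TASKS = (
    Task("damper_loop", period=10, wcet=3),
    Task("contact_force", period=20, wcet=5),
    Task("diagnostics", period=50, wcet=13),
)

# The same set after a hypothetical WCET increase in the lowest-priority task.
INFLATED_TASKS = PANTOGRAPH_TASKS[:2] + (Task("diagnostics", period=50, wcet=22),)

if __name__ == "__main__":
    for label, tasks in (("baseline", PANTOGRAPH_TASKS), ("inflated", INFLATED_TASKS)):
        print(f"{label}: U={utilization(tasks):.2f}, "
              f"RM bound={liu_layland_bound(len(tasks)):.2f}, "
              f"response times={response_times(tasks)}, "
              f"schedulable={is_schedulable(tasks)}")
```

The baseline set has utilization 0.81, above the three-task bound of about 0.78, so the bound alone says nothing; the exact analysis shows worst-case response times of 3, 8 and 35 ms, all within their periods. Raising the diagnostics task's WCET from 13 to 22 ms makes its response-time iteration exceed 50 ms, which is the kind of margin a safety argument has to document rather than discover in the field.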
An experienced developer of embedded systems for the rail industry, Crouzet Automatismes contributed the design focus of the project: improving the performance of the pantograph, a parallelogram-shaped mechanism riding atop the train that makes contact with the overhead cables that provide operating power.
"Within the stringent TGV manufacturing rules, Crouzet Automatismes also planned to move their software development from C to Ada 95 using ANDF," Munch says.
Offering more detail about the application, Jean-Jacques Bardyn of Crouzet Automatismes explains that the new automated active damping mechanism developed during OMI/SAFE will provide more stable contact with overhead cables for the current generation of TGV trains. Improved pantograph performance is also crucial for the next wave of TGV trains, with a top speed projected at 350 kilometers per hour.
Bardyn adds that the project has been successful in transferring software originally coded in C to Ada 95 using SCORE technology. He also expresses satisfaction that the compilers proved so efficient that they were able to pack the resulting code onto an 8K EPROM, and operate the retargeted software using just 256 bytes of ROM.
"When we applied the project results to the application prototype everything worked perfectly. All that remains now is to build a full-scale prototype for field testing on an actual TGV train," Bardyn says.
Crouzet Automatismes' counterpart on the software development side of the group was the University of Karlsruhe's Dr. Günter Schumacher, who also represented British subcontractor Advanced Bytes & Rights.
The basic drive of OMI/SAFE from his perspective was to show conclusively that new development tools and compiler technology capable of generating "industrial quality" software could themselves be produced in a short period of time. He explains that the project remained true to the larger OMI goal of software mobility, and that improvements in development methodology offer the potential for significant cost savings.
For example, creating new tools and compilers to migrate C code to Ada 95 happened very rapidly, compared to what would normally be expected when retargeting software to a new processor. In his estimation, when the evaluation delays that a project like OMI/SAFE adds are removed, it took the equivalent of six months of steady work by just one programmer to generate the new products.
"OMI/SAFE has proven that Ada/ANDF compiler generating technology is mature," says Dr. Schumacher.
He also believes that the concept of software mobility underlying the larger OMI initiative in Europe is sound, and that industrial developers in the United States -- which have so far shown a lack of interest in ANDF -- would be well served to follow the European lead.
"It's very important to note that the financial benefits of what we've proven don't just apply to safety-critical applications like Thalys, but to all real-time embedded system software development. I think that once we have just one or two more successful demonstrations the rest of the world will take notice," he says.
With two new ANDF retargeting projects similar to the OMI/SAFE pantograph software development already proposed, it's likely just a matter of time before Dr. Schumacher's prediction is fulfilled.
"The OMI/SAFE project has proven conclusively that current Ada/ANDF technology is reliable and useful and that retargeting is no longer a problem," says DDC-I's Munch. "Timing and fault analysis are now an integrated part of design and test. As a matter of fact, the testing tools provided actually satisfy one of the strictest testing guidelines for real-time safety-critical systems, the FAA RTCA/DO-178B Level A, which is required for all airborne electronic equipment."
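Munch's closing reference to DO-178B Level A deserves a concrete reading, since Level A is what makes that guideline the strictest: beyond statement and decision (branch) coverage, it requires Modified Condition/Decision Coverage (MC/DC), in which each condition in a decision is shown to independently affect the outcome. The following is an added illustration, not a tool from OMI/SAFE, DDC-I or the TGV programme, of checking a test set against that criterion. The decision under test is constructed (a three-condition expression standing in for a safety interlock, not taken from the pantograph software), and the check uses the unique-cause form of MC/DC, in which the two vectors of an independence pair differ in exactly one condition.

```python
"""Checking a test set for MC/DC, the structural coverage DO-178B Level A requires.

Added illustration, not a tool from OMI/SAFE, DDC-I or the TGV programme.
The decision under test is constructed: a three-condition expression standing
in for a safety interlock, not taken from the pantograph software.
"""
from itertools import product


def decision(a, b, c):
    """Constructed decision with three conditions: a and (b or c)."""
    return a and (b or c)


def independence_pairs(decision, n):
    """Unique-cause MC/DC pairs for each condition index 0..n-1.

    A pair is two input vectors that differ only in condition i and produce
    different decision outcomes; it demonstrates that condition i alone can
    change the decision. Each pair is listed once, from its False side."""
    pairs = {i: [] for i in range(n)}
    for vec in product((False, True), repeat=n):
        for i in range(n):
            if vec[i]:
                continue
            flipped = vec[:i] + (True,) + vec[i + 1:]
            if bool(decision(*vec)) != bool(decision(*flipped)):
                pairs[i].append((vec, flipped))
    return pairs


def mcdc_uncovered(decision, n, tests):
    """Condition indices for which the test set contains no complete independence pair."""
    tests = set(tests)
    pairs = independence_pairs(decision, n)
    return [i for i in range(n)
            if not any(p in tests and q in tests for p, q in pairs[i])]


def achieves_mcdc(decision, n, tests):
    return not mcdc_uncovered(decision, n, tests)


def achieves_branch_coverage(decision, tests):
    """Weaker criterion: both decision outcomes observed at least once."""
    return {bool(decision(*t)) for t in tests} == {True, False}


T, F = True, False
# Four vectors (n + 1 for n = 3 conditions), the minimum MC/DC needs for this decision.
MCDC_TESTS = {(T, T, F), (F, T, F), (T, F, F), (T, F, T)}
# Two vectors that satisfy branch coverage but show no condition's independent effect.
BRANCH_ONLY_TESTS = {(T, T, T), (F, F, F)}

if __name__ == "__main__":
    for label, tests in (("mcdc", MCDC_TESTS), ("branch_only", BRANCH_ONLY_TESTS)):
        print(label,
              "branch:", achieves_branch_coverage(decision, tests),
              "mcdc:", achieves_mcdc(decision, 3, tests),
              "uncovered conditions:", mcdc_uncovered(decision, 3, tests))
```

The two-vector set takes both branches of the decision and would pass a branch-coverage tool, yet it cannot tell whether `b` or `c` is wired into the expression at all; MC/DC rejects it for every condition, which is precisely the defect class (a dead or miswired condition in a safety interlock) that Level A coverage is meant to expose.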