Abstract

A number of established methods and guidelines have already proven their usefulness for the development of high-integrity software employed in the control of safety-critical technical processes. Before such software is put into service, it is still subjected to appropriate verification and validation measures. According to the present state of the art, however, these measures cannot guarantee the correctness of larger programs with mathematical rigour. Consequently, the licensing authorities do not yet approve safety-relevant systems whose behaviour is exclusively program controlled. As a remedy for this unsatisfactory situation, the concept of a special computer system is developed which can carry out safety-related functions within the framework of distributed process control systems or programmable logic controllers. It explicitly supports sequence controls, since many automation programs with safety-relevant tasks are of that kind. The architecture features full temporal predictability, determinism, and supervision of program execution and of all other activities of the computer system, and it supports the software verification method of diverse inverse documentation. The system can be programmed in a high-level language and is based on a library of function modules whose correctness can be proved mathematically. The concept uses an operating system and a compiler only in a very rudimentary form, which is what makes the safety licensing of the software running on the computer system feasible. The microprogram of this computer, which may be based on the VIPER chip, provides a minimum operating system whose only task is to start the execution of runnable subroutines marked in a ready list. The set of basic function modules, the elementary units of application programming, is provided in ROMs. These modules are application specific and generally differ from one application area to another. To formulate safety-related automation programs, these basic functions are only interconnected with one another. The prototype of a tool has been developed that allows this kind of programming to be carried out in graphical form.
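To make the execution model described above concrete, the following is an added illustration written for this page, not code from the paper or from the VIPER project. It models, in plain C, a minimal executive whose only task is to scan a ready list and start the marked modules, a library of basic function modules held in a const table (standing in for ROM) and interconnected only through a statically documented successor relation, and three supervision checks: that exactly one step of the sequence control is active, that a module hands control only to a successor the documented interconnection permits, and that the cycle stays within a fixed time budget. The process signals, the three-step fill/heat sequence, the WCET figures and the cycle budget are all assumed for the example; the plant responses in the test scenario are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Process image: signals exchanged between the function modules and the plant (assumed names). */
enum { SIG_START, SIG_LEVEL, SIG_TEMP, SIG_VALVE, SIG_HEATER, N_SIGNALS };
typedef uint8_t signal_t;

/* Module identifiers double as bit positions in the ready list. */
enum { M_IDLE, M_FILL, M_HEAT, N_MODULES };
#define BIT(m) ((uint8_t)(1u << (m)))

/* A basic function module, here one step of a sequence control. It computes its
 * outputs and returns the ready-list bits for the next cycle: itself while the
 * step stays active, the successor step once its transition condition holds. */
typedef struct {
    const char *name;
    uint8_t (*run)(signal_t *s);
    uint8_t allowed_next;   /* statically documented interconnection of the modules */
    uint32_t wcet_us;       /* assumed worst-case execution time, illustrative values */
} module_t;

static uint8_t step_idle(signal_t *s) {
    return s[SIG_START] ? BIT(M_FILL) : BIT(M_IDLE);
}
static uint8_t step_fill(signal_t *s) {
    s[SIG_VALVE] = 1;                  /* fill until the level sensor reports full */
    if (!s[SIG_LEVEL]) return BIT(M_FILL);
    s[SIG_VALVE] = 0;
    return BIT(M_HEAT);
}
static uint8_t step_heat(signal_t *s) {
    s[SIG_HEATER] = 1;                 /* heat until the temperature sensor trips */
    if (!s[SIG_TEMP]) return BIT(M_HEAT);
    s[SIG_HEATER] = 0;
    return BIT(M_IDLE);
}

/* Module library, modelled as resident in read-only memory: a const table. */
static const module_t rom[N_MODULES] = {
    [M_IDLE] = { "IDLE", step_idle, BIT(M_IDLE) | BIT(M_FILL), 5 },
    [M_FILL] = { "FILL", step_fill, BIT(M_FILL) | BIT(M_HEAT), 8 },
    [M_HEAT] = { "HEAT", step_heat, BIT(M_HEAT) | BIT(M_IDLE), 8 },
};

#define CYCLE_BUDGET_US 10u   /* assumed deadline for one executive cycle */

typedef struct {
    uint8_t ready;              /* ready list: bit m set => module m is runnable */
    signal_t sig[N_SIGNALS];
    uint32_t last_cycle_us;
    const char *fault;          /* NULL while no supervision check has failed */
} executive_t;

static int bits_set(uint8_t v) { int n = 0; for (; v; v &= (uint8_t)(v - 1)) n++; return n; }

/* Static admissibility: with one active step per cycle, every module's WCET must fit the budget. */
bool executive_admissible(void) {
    for (int m = 0; m < N_MODULES; m++)
        if (rom[m].wcet_us > CYCLE_BUDGET_US) return false;
    return true;
}

void executive_init(executive_t *e) {
    memset(e, 0, sizeof *e);
    e->ready = BIT(M_IDLE);
}

/* One cycle of the minimal executive: scan the ready list in fixed order and run
 * each marked module once. Bits a module returns take effect only in the next
 * cycle, so a cycle runs at most N_MODULES modules whatever the modules do.
 * Returns false and latches a fault if any supervision check fails. */
bool executive_cycle(executive_t *e) {
    if (e->fault) return false;
    uint8_t now = e->ready, next = 0;
    uint32_t cost = 0;
    if (bits_set(now) != 1) { e->fault = "sequence invariant violated"; return false; }
    for (int m = 0; m < N_MODULES; m++) {
        if (!(now & BIT(m))) continue;
        uint8_t req = rom[m].run(e->sig);
        cost += rom[m].wcet_us;
        if (req & (uint8_t)~rom[m].allowed_next) { e->fault = "undocumented successor"; return false; }
        next |= req;
    }
    if (cost > CYCLE_BUDGET_US) { e->fault = "cycle budget exceeded"; return false; }
    e->ready = next;
    e->last_cycle_us = cost;
    return true;
}

int main(void) {
    executive_t e;
    executive_init(&e);
    e.sig[SIG_START] = 1;
    for (int c = 0; c < 6; c++) {
        if (c == 3) e.sig[SIG_LEVEL] = 1;   /* constructed plant responses */
        if (c == 5) e.sig[SIG_TEMP] = 1;
        executive_cycle(&e);
        printf("cycle %d ready=0x%02x valve=%d heater=%d cost=%uus\n",
               c, e.ready, e.sig[SIG_VALVE], e.sig[SIG_HEATER], e.last_cycle_us);
    }
    return e.fault ? 1 : 0;
}
```

The point of the structure is that nothing a module does can change how long a cycle takes or which code the executive may reach: the scan order is fixed, a module runs at most once per cycle, the successor it requests is checked against the documented interconnection held alongside the module, and the cycle cost is bounded by the table of WCET values, which is what makes the temporal behaviour predictable enough to argue about without a conventional scheduler or compiler in the trusted path.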
