Case Study HITACHI Rail STS Safety Platform

HITACHI Rail STS (Signaling and Transportation Systems) has selected AdaCore’s GNAT Pro Ada Development Environment targeted to ARM, with a specialized run-time library supporting the Ravenscar tasking profile, for the implementation of its CSD rail safety platform (“Calculator of Available Safety”). This case study describes the CSD platform and the technical challenges it raised, and explains how AdaCore’s software development tools helped HITACHI Rail STS overcome these challenges.

The CSD architecture

HITACHI Rail STS specializes in the design of systems ensuring the safe circulation of trains on railway lines and metro networks. In March 2017, it rolled out the management system of the Gare de in as part of a renovation project commissioned by the French national rail company SNCF. This system is supported by a single safety platform that simultaneously commands 170 switches, 115 light signals and 800 routes. Such a platform needs to be safe and secure, and it must remain available in the event of a failure.

The solution

The solution proposed by HITACHI Rail STS is based on a “2-out-of-3” safety architecture that isolates three instances of the same application and executes them periodically in parallel. The signals generated by these instances are pairwise compared by two voters, labeled A and B in Figure 1, with the aim of rejecting inconsistent application signals. This “2-out-of-3” architecture is referred to as a Calculator of Available Safety, or “CSD” in French, short for “Calculateur de Sécurité Disponible”. It is generally represented by independent functional blocks as shown in Figure 1.

Figure 1: Generic CSD (Calculator of Available Safety) architecture

Periodically (in each cycle n), each application instance acquires the input and generates a non-voted output. The non-voted outputs are then pairwise compared by the two voters, producing safe voted outputs with redundancy on two channels (A and B). The continuous availability of this platform rests on the duplication and segregation of the functional application and voter blocks. This architecture is robust in the event of a single failure:

1. The loss of an application block does not prevent the two voters from comparing the signals emitted by the other two application instances.
2. The loss of a voter block does not prevent the second voter from comparing the signals emitted by the three application instances.
3. The loss of a voter or application block is not permanent. A reset enables the failing block to restart, restore the context of the mission in progress, and become available again.
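The voting cycle and the three single-failure cases above can be modelled in a few dozen lines. The following is an added example, not HITACHI Rail STS code: three isolated instances of one application compute a non-voted output each cycle, and two independent voters (A and B) pairwise-compare those outputs and release a value only when two instances agree. The stand-in application function, the block names and the RESTRICTIVE fail-safe value are assumptions made for this illustration.

```python
"""Model of the CSD 2-out-of-3 voting cycle (added example, not platform code)."""
from typing import Dict, List, Optional, Tuple

RESTRICTIVE = "RESTRICTIVE"  # fail-safe state a voter releases when no two instances agree


def application(sensor_input: int) -> int:
    """Stand-in for the replicated application: a trivial deterministic function
    of the acquired input (constructed, not the real interlocking logic)."""
    return (sensor_input * 3 + 1) & 0xFF


def vote(outputs: Dict[str, Optional[int]]) -> Tuple[object, List[Tuple[str, str]]]:
    """Pairwise comparison performed by one voter.

    `outputs` maps an instance name to its non-voted output, or None when the
    instance is down.  A value is released only if at least one pair of live
    instances agrees on it: with three live instances a lone dissenter is
    outvoted, with two live instances both must agree, and with fewer the
    voter falls back to RESTRICTIVE.  With at most three instances, all
    agreeing pairs necessarily carry the same value.
    """
    live = sorted(name for name, value in outputs.items() if value is not None)
    agreeing = [(a, b) for i, a in enumerate(live) for b in live[i + 1:]
                if outputs[a] == outputs[b]]
    if not agreeing:
        return RESTRICTIVE, []
    return outputs[agreeing[0][0]], agreeing


class CSD:
    """Three application blocks plus voters A and B; any block can fail and be reset."""

    def __init__(self) -> None:
        self.instances = {"app1": True, "app2": True, "app3": True}  # True = available
        self.voters = {"A": True, "B": True}
        self.cycle = 0

    def _table(self, block: str) -> Dict[str, bool]:
        return self.instances if block in self.instances else self.voters

    def fail(self, block: str) -> None:
        """Take an application or voter block out of service (simulated loss)."""
        self._table(block)[block] = False

    def reset(self, block: str) -> None:
        """A reset restores the block: loss is not permanent in this architecture."""
        self._table(block)[block] = True

    def run_cycle(self, sensor_input: int,
                  corrupted: Optional[Dict[str, int]] = None) -> Dict[str, object]:
        """Execute one cycle n: acquire the input, compute non-voted outputs, vote.

        `corrupted` optionally forces a wrong non-voted output on an instance,
        modelling a silent computation fault rather than a total loss.
        """
        self.cycle += 1
        corrupted = corrupted or {}
        non_voted: Dict[str, Optional[int]] = {}
        for name, available in self.instances.items():
            non_voted[name] = corrupted.get(name, application(sensor_input)) if available else None
        voted = {name: (vote(non_voted)[0] if available else None)
                 for name, available in self.voters.items()}
        return {"cycle": self.cycle, "non_voted": non_voted, "voted": voted}


def single_failure_scenarios(sensor_input: int = 7) -> List[Dict[str, object]]:
    """Walk through the single-failure cases listed in the text and return the trace."""
    csd = CSD()
    good = application(sensor_input)
    trace = [csd.run_cycle(sensor_input)]                                  # all healthy
    trace.append(csd.run_cycle(sensor_input, {"app2": good ^ 0x01}))       # dissenter outvoted
    csd.fail("app1")
    trace.append(csd.run_cycle(sensor_input))                              # app lost: two still vote
    trace.append(csd.run_cycle(sensor_input, {"app3": good ^ 0x01}))       # app lost + disagreement
    csd.reset("app1")
    csd.fail("B")
    trace.append(csd.run_cycle(sensor_input))                              # voter lost: channel A only
    csd.reset("B")
    trace.append(csd.run_cycle(sensor_input))                              # reset: both channels back
    return trace


if __name__ == "__main__":
    for step in single_failure_scenarios():
        print(step)
```

The fourth cycle shows the limit of the scheme: once one instance is lost, a disagreement between the two survivors cannot be arbitrated, so the voters release the restrictive state rather than guess. That is the point of the reset in case 3 above, which brings the third instance back before a second fault can occur.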

Safety is realized through several techniques, including in particular:

- Use of the Coded Monoprocessor for the voter, which guarantees an execution flow pre-computed when the software is built.
- Periodic self-tests to ensure uncorrupted execution of the application software. These self-tests verify a number of properties:
  o The ability of the RAM (which holds the program data) to store and retrieve data,
  o Non-corruption of the executable code in memory,
  o Non-alteration of the functioning of the CPU and associated co-processors,
  o Non-deviation of the clocks.

The design of such systems is governed by railway development standards, specifically CENELEC EN 50128, which defines the software development activities required for safety-critical applications up to the highest software safety integrity level, SSIL-4.
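Three of the four self-test properties listed above are straightforward to model: a RAM test that checks each cell can store and return data, a checksum of the executable code as it sits in memory against a value recorded at build time, and a cross-check of two independent clocks. The following is an added example, not the HITACHI Rail STS implementation: the memory, its injected stuck-at fault, the code image, its reference checksum and the clock readings are all constructed here so the checks run offline. The CPU and co-processor test is not modelled.

```python
"""Models of the periodic self-tests listed above (added example, not platform code)."""
import zlib
from typing import List, Optional


class Memory:
    """Byte-addressable RAM; an optional stuck-at-0 bit models a hardware defect (constructed)."""

    def __init__(self, size: int, stuck_addr: Optional[int] = None, stuck_bit: int = 0) -> None:
        self.cells = [0] * size
        self.stuck_addr, self.stuck_bit = stuck_addr, stuck_bit

    def read(self, addr: int) -> int:
        return self.cells[addr]

    def write(self, addr: int, value: int) -> None:
        if addr == self.stuck_addr:
            value &= 0xFF & ~(1 << self.stuck_bit)  # defective cell cannot hold this bit
        self.cells[addr] = value & 0xFF


def ram_test(mem: Memory, start: int, length: int) -> Optional[int]:
    """Check that every cell in [start, start+length) stores and returns data.

    Simplified march test: for each pattern, write it ascending and read it
    back, then walk descending reading the pattern and writing its complement.
    Complementary patterns expose stuck-at bits; the descending pass, with
    neighbouring cells holding the opposite value, exposes coupling faults.
    The region's program data is saved and restored because the test runs
    inside the live application.  Returns the first failing address, else None.
    """
    saved = [mem.read(a) for a in range(start, start + length)]
    try:
        for pattern in (0x00, 0xFF, 0x55, 0xAA):
            for addr in range(start, start + length):
                mem.write(addr, pattern)
            for addr in range(start, start + length):
                if mem.read(addr) != pattern:
                    return addr
            for addr in range(start + length - 1, start - 1, -1):
                if mem.read(addr) != pattern:
                    return addr
                mem.write(addr, pattern ^ 0xFF)
                if mem.read(addr) != pattern ^ 0xFF:
                    return addr
    finally:
        for addr, value in zip(range(start, start + length), saved):
            mem.write(addr, value)
    return None


def code_integrity_ok(code_image: bytes, reference_crc: int) -> bool:
    """Compare the CRC-32 of the executable code in memory with the build-time value."""
    return (zlib.crc32(code_image) & 0xFFFFFFFF) == reference_crc


def clock_deviation_ok(main_ticks: int, reference_ticks: int,
                       expected_ratio: float, tolerance_ppm: float) -> bool:
    """Cross-check two independent clocks counted over the same window.

    The ratio of the CPU clock count to the reference count must stay within
    `tolerance_ppm` of the nominal `expected_ratio`; a missing reference is a failure.
    """
    if reference_ticks <= 0:
        return False
    deviation_ppm = abs(main_ticks / reference_ticks - expected_ratio) / expected_ratio * 1e6
    return deviation_ppm <= tolerance_ppm


def run_self_tests(mem: Memory, data_start: int, data_len: int,
                   code_image: bytes, reference_crc: int,
                   main_ticks: int, reference_ticks: int) -> dict:
    """One self-test round; any failed check must take the block out of service."""
    results = {
        "ram": ram_test(mem, data_start, data_len) is None,
        "code": code_integrity_ok(code_image, reference_crc),
        "clock": clock_deviation_ok(main_ticks, reference_ticks,
                                    expected_ratio=100.0, tolerance_ppm=200.0),
    }
    results["block_available"] = all(results.values())
    return results


# Constructed code image and the checksum a build step would have recorded for it.
CODE_IMAGE = bytes(range(256)) * 4
REFERENCE_CRC = zlib.crc32(CODE_IMAGE) & 0xFFFFFFFF

if __name__ == "__main__":
    print(run_self_tests(Memory(64), 0, 64, CODE_IMAGE, REFERENCE_CRC, 100_000, 1_000))
    print(run_self_tests(Memory(64, stuck_addr=17, stuck_bit=3), 0, 64,
                         CODE_IMAGE, REFERENCE_CRC, 100_000, 1_000))
```

Two practical points are built in: the RAM test restores the data it overwrote, since on this platform it runs inside the live application, and the clock check treats an absent reference as a failure rather than as a pass, so a dead reference oscillator cannot silently disable the check.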

Evolution of hardware components

This safety architecture was developed in 1970 in partnership with SNCF to manage railway interlocking on the LGV (Ligne à Grande Vitesse) Méditerranée high-speed line between Valence and Marseille. At the time, the CSD design was based on proprietary circuit boards equipped with Motorola microprocessors from the 68K family. The software components evolved over time, and Ada was introduced. Driven by new projects, in particular the OURAGAN system for the Paris Métro (RATP), the software was migrated to more powerful PowerPC MVME 5100 commercial boards, demonstrating the portability of the CSD software components written in Ada.

At the same time, from 2000 onwards, the 68K-based “wayside” CSD platform was revised to shrink its hardware so that rolling stock could be equipped on-board with an ERTMS (European Rail Traffic Management System) monitoring system, under the impetus of the European Community, which wanted to harmonize rail standards across its member states. This on-board platform was revised again in 2005, around a Motorola 5485 ColdFire CPU, to improve its performance, reduce its resource consumption and meet the growing computing power requirements of metro systems (CBTC Carborne Controller) and high-speed lines (ERTMS/TVM “B-Standard”).

Figure 2: History of the HITACHI Rail STS Calculator of Available Safety

Technical challenges of modernization

In 2018, faced with obsolete equipment and the need for ever-increasing computing power, HITACHI Rail STS decided to modernize its safety platform, with the ambitious goal of a single platform compatible with the constraints of both rolling stock (reduced volume, low power consumption, low heat dissipation and low EMC radiation) and ground signaling (high volume of information, computing power and interfacing with customers’ Ethernet networks). The first targets were the renovation of the Brussels metro lines with a CBTC system, and the renovation of the interlocking systems of France’s first high-speed line, the 280-mile Paris-Lyon line. This new platform is built around the Zynq UltraScale+ multiprocessor system-on-chip (MPSoC) from Xilinx, which combines ARM Cortex-A53 and Cortex-R5 processors (the Processing System, or PS) with FPGA fabric (the Programmable Logic, or PL) in which hardware functions can be implemented.

Figure 3: Details of the Zynq UltraScale+ MPSoC from Xilinx

The “application” and “voter” CSD functions are housed in the PS and PL parts of this component respectively, enabling the development of a compact yet powerful “ZYNQ” CSD. This platform comprises three proprietary CCTEP boards (“Compact board for ATP processing”), each equipped with a Zynq UltraScale+ MPSoC:

Figure 4: ZYNQ CSD (Calculator of Available Safety) architecture

The main activities defined by HITACHI Rail STS to achieve this objective are:

1. Synthesize the 68K CPU in logic, so that the CSD “voter” function can be housed in the PL part of the component, enabling reuse of the coded monoprocessor production chain of the existing voter software.
2. Port the existing application software, developed in Ada 95, to an ARM Cortex-A53 processor in the PS part.

Solution/implementation

The constraints imposed by porting the application software to an ARM processor led HITACHI Rail STS to contact AdaCore in order to identify possible solutions, including the choice of an Ada development environment (compiler, run-time library, toolset) targeted to an ARM processor. Discussions quickly led to the identification of several options:

1. Choosing between three Ada runtimes already adapted by AdaCore for a Zynq target:
   a. A ZFP (Zero Foot Print) runtime that was certifiable but did not support Ada tasking,
   b. An SFP (Small Foot Print) Ravenscar runtime that was certifiable and supported Ada tasking, with the restrictions imposed by the Ravenscar profile,
   c. A full but non-certifiable Ravenscar runtime.

2. Choosing between two ARM-targeted compilers:
   a. An ARM cross compiler on a Windows host targeted to the 32-bit ARMv7 instruction set,
   b. An ARM cross compiler on a Linux host targeted to the 64-bit ARMv8 instruction set.

Several factors led HITACHI Rail STS to choose the SFP Ravenscar runtime combined with a compiler hosted on Linux. In particular:

1. The possibility of certifying the runtime for SSIL-4 software if necessary.
2. The possibility of accessing the list of Known Problem Reports (KPRs) for the tools. AdaCore maintains this list and makes it available to customers.
3. Access to a POSIX/Linux development environment which, combined with the Ada compilation tools, facilitates a smooth workflow.
4. The possibility of reusing tools from the Linux ecosystem, in particular:
   a. Git, for managing the source code,
   b. SSH, for setting up a compiler server so that user projects can build their own applications by reusing a qualified compilation chain with complete hardware abstraction, thanks to the definition of a generic software API.
5. Access to various AdaCore tools, most especially:
   a. GNATcheck, for coding standard enforcement, including complexity metrics.
   b. GNATemulator, which makes it possible to emulate an ARMv8 execution unit on a host system. This tool was very useful for developing and perfecting the CPU self-test function for the new ARM target, as it removed the need to use the actual target.

Development of the CSD platform began in 2017 with the design of a new CCTEP circuit board. The porting of the CSD software components quickly followed, as did risk analysis and validation. One result was the creation of a documentation plan comprising some 200 documents. The primary goal of HITACHI Rail STS was to obtain EN 50128 certification for this new platform by the end of 2020. It will then become the cross-functional safety platform for HITACHI Rail STS’s “Wayside” and “On-Board” projects.

About HITACHI Rail STS France

Hitachi Rail STS France manages the regional operations for Hitachi Rail STS across Northern and Western Europe, Northern Africa, China and Korea. Roughly 800 engineers and technicians are involved in R&D, Engineering, Project Management, Manufacturing and Maintenance:
– HITACHI Rail STS France
– Hitachi Rail STS Spain
– Hitachi Rail STS France Branch
– Hitachi Rail STS Sweden
– Hitachi Rail STS Beijing
– Hitachi Rail STS Hong Kong
– Hitachi Rail STS France Korean Branch
– Hitachi Rail STS France Moroccan Branch

Founded in 1902, Hitachi Rail STS France has developed the signaling and train control systems that contribute to the constant improvement in railway safety and capacity on main lines and mass transit railway systems all over the world. In major international railway projects, in particular in Europe, Asia, Africa and South America, clients have called on Hitachi Rail STS France for its ability to deliver fail-safe systems on time and on budget. Being in close proximity to its clients, and relying on an international presence in Western and Northern Europe and Asia, Hitachi Rail STS France can manage projects efficiently and take on their challenges, anticipating needs and offering innovative solutions.

About AdaCore

Founded in 1994, AdaCore supplies software development and verification tools for mission-critical, safety-critical and security-critical systems. Four flagship products highlight the company’s offerings:

● The GNAT Pro development environment, a complete toolset for designing, implementing, and managing applications that demand high reliability and maintainability,
● The CWE-Compatible CodePeer advanced static analysis tool, an automatic Ada code reviewer and validator that can detect and eliminate errors both during development and retrospectively on existing software,
● The SPARK Pro verification environment, a toolset providing full formal verification oriented toward high-assurance systems with stringent safety and/or security requirements, and
● The QGen model-based development tool suite for safety-critical control systems, providing a qualifiable and customizable code generator and static verifier for a safe subset of Simulink® and Stateflow® models.

Over the years customers have used AdaCore products to field and maintain a wide range of critical applications in domains such as commercial and military avionics, railway, automotive, space, defense systems, air traffic management/control, medical devices, and financial services. AdaCore has an extensive and growing worldwide customer base; see www.adacore.com/industries/ for further information.

AdaCore products are non-proprietary open technology and come with expert online support provided by the developers themselves. The company has North American headquarters in New York and European headquarters in Paris. www.adacore.com