Compiler Selection for Functional Safety in Robots

What if a compiler is flawed?

If a system developer can demonstrate that as much of its application source code base as possible performs as intended during requirements-based testing, then the likelihood of field failures is low. While this statement is largely true, due to the focus on high-level source code in many applications, such a strategy relies on the compiler’s ability to generate object code that replicates the exact intentions of the developer. But what if the compiler is flawed?

In truth, compilers are generally reliable applications that fulfil their design requirements. And yet those design requirements do not always reflect the needs of a functionally safe system. Looking at the market, many compilers are available, with the final choice resting on numerous key considerations. Primarily, the developer needs confidence that the compiler will not introduce errors into the design.

Many companies use SuperTest to qualify the compiler or library they are already using, but for automation company KUKA, SuperTest is also a decision-making tool that helps it decide, on a project-by-project basis, which C/C++ compiler and standard library to use. While SuperTest is traditionally positioned as a tool for compiler validation, it is important to understand that the C and C++ language specifications define both the compiler language and the standard library. SuperTest validates both.

Headquartered in Augsburg, Germany, KUKA is one of the leading suppliers of intelligent automation solutions, ranging from robots, mobile robots, and manufacturing cells to fully automated networked robotic systems for industries as diverse as automotive, electronics, consumer goods, e-commerce/retail and healthcare. That means the company has many development teams working on different projects, each project having its own unique hardware/software and functional safety requirements. Helping the company’s development teams decide on which C/C++ language variant, compiler, and library combination to use is one of the tasks of KUKA’s Competence Center for Functional Safety.

“If you change the CPU architecture, there is the problem that you may have to do a lot in software regarding the new compiler backends to support it,” said Robert Bertossi, Team Lead for KUKA’s Safety Platform. “We think SuperTest can assist us with that, by helping us assess the available compilers.”

Part of that assessment has to do with ensuring functional safety, which is important for all kinds of robots and critical in the development of collaborative robots (cobots) that interact with humans.

“We need to comply with standards such as IEC 62061 and IEC 61508 for the functional safety of machinery and safety-related systems, which although different to those in the automotive industry, are similar in terms of the required quality measures and tool qualification,” said Christian Hartmann, Manager of KUKA’s Competence Center for Functional Safety.

Among other things, meeting these standards for a specific project means KUKA needs to qualify the selected compilers.

“SuperTest helps us decide whether to recommend that a project team uses GCC or Clang, for example, as well as helping us make decisions about whether to switch to a newer version of the compiler,” said Christian. “If a new GCC or Clang version is released that has some features the project team would like to use, we can run it with SuperTest to discover if it has disadvantages, as well as test the new features. When it comes to evaluating a new standard library, we can use SuperTest to see if the new library’s behavior is similar to the library we used before.”

Noting the difference between the compiler language and the standard library is important in light of qualification for safety-critical applications. The compiler handles language implementation and is the tool that generates the target code. For standard library qualification, more is needed than the library test suite in SuperTest: the library consists of code that is linked into the application and is actually loaded onto the device. For use in safety-critical applications, requirement-level traceability from the ISO language specification to the individual tests must be provided. To do so, the SuperGuard C Library Safety Qualification Suite is available as an add-on to SuperTest.

Importantly, KUKA also uses SuperTest to make recommendations on which C or C++ language variant a project should use with the selected compiler.

“We can use SuperTest to check whether there are any problems moving to a newer language standard,” said Robert Bertossi. “It allows us to see how well the compiler fares with the new standard to determine whether there are any problems we need to fix beforehand.” SuperTest is one of many different tools KUKA has integrated into its compiler qualification tool chain.

“I was satisfied with the ability to integrate SuperTest, because you can just script around it and call all the executables from the command line,” added Robert. “All you need to supply is the configuration data. As a result, the process itself is heavily automated. Most of the manual labor is in analyzing the results.”
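The two points made above, checking how a compiler fares under a newer language standard and driving the whole check from a script that calls the compiler executables from the command line, can be illustrated with a small conformance matrix. The following is an added example written for this article; it is not SuperTest, SuperGuard, or KUKA's tool chain, and the two C test cases, the candidate compiler names and the `-std=` values are constructed assumptions. Each test case encodes one behaviour a project might rely on and exits with status 0 only if the behaviour matches the standard; the harness compiles it with every candidate compiler and language standard, runs it, and records the outcome. A compiler that is not installed is reported as skipped rather than aborting the run, so the same script can be reused across build hosts.

```python
"""Toy compiler/library conformance matrix (added example, not SuperTest).

For each (test case, compiler, language standard) cell the harness
compiles the test, runs it, and classifies the outcome. Exit status 0
from the test program means "behaviour matched the expectation".
"""
import shutil
import subprocess
import tempfile
from pathlib import Path

# Constructed test cases (assumptions for this example, not a real suite).
TEST_CASES = {
    # Checks the integer width the project assumes for the target.
    "int_width": r"""
#include <limits.h>
int main(void) { return (INT_MAX == 2147483647) ? 0 : 1; }
""",
    # C99 snprintf: returns the length that would have been written and
    # always NUL-terminates the truncated buffer. A library that gets
    # either wrong returns 1 here.
    "snprintf_truncation": r"""
#include <stdio.h>
#include <string.h>
int main(void) {
    char buf[4];
    int n = snprintf(buf, sizeof buf, "%s", "abcdef");
    return (n == 6 && strcmp(buf, "abc") == 0) ? 0 : 1;
}
""",
}


def compile_and_run(compiler, std, source, workdir):
    """Classify one cell: 'pass', 'fail', 'compile_error' or 'skipped'."""
    if shutil.which(compiler) is None:
        return "skipped"          # candidate not installed on this host
    src = Path(workdir) / "t.c"
    exe = Path(workdir) / "t"
    src.write_text(source)
    cc = subprocess.run([compiler, f"-std={std}", "-o", str(exe), str(src)],
                        capture_output=True, timeout=60)
    if cc.returncode != 0:
        return "compile_error"    # the standard or construct is not accepted
    run = subprocess.run([str(exe)], capture_output=True, timeout=10)
    return "pass" if run.returncode == 0 else "fail"


def run_matrix(compilers, stds, tests=TEST_CASES):
    """Run every test under every compiler/standard pair; returns a dict
    keyed by (test name, compiler, std)."""
    results = {}
    with tempfile.TemporaryDirectory() as workdir:
        for name, source in tests.items():
            for compiler in compilers:
                for std in stds:
                    results[(name, compiler, std)] = compile_and_run(
                        compiler, std, source, workdir)
    return results


def summarize(results):
    """Count outcomes per (compiler, std) pair."""
    summary = {}
    for (_name, compiler, std), outcome in results.items():
        counts = summary.setdefault(
            (compiler, std),
            {"pass": 0, "fail": 0, "compile_error": 0, "skipped": 0})
        counts[outcome] += 1
    return summary


def clean_candidates(summary):
    """Compiler/standard pairs with no failures, no rejected tests and no
    skipped cells: the only ones worth recommending to a project team."""
    return sorted(pair for pair, c in summary.items()
                  if c["fail"] == 0 and c["compile_error"] == 0
                  and c["skipped"] == 0 and c["pass"] > 0)


if __name__ == "__main__":
    # Candidate compilers and standards are assumptions; edit for your host.
    matrix = run_matrix(["gcc", "clang"], ["c99", "c11", "c17"])
    for pair, counts in sorted(summarize(matrix).items()):
        print(pair, counts)
    print("clean:", clean_candidates(summarize(matrix)))
```

The manual effort described in the quote, analysing the results, is what `summarize` and `clean_candidates` leave to the engineer: a `compile_error` under a newer `-std=` value is a sign that the move needs fixes beforehand, and a `fail` on a library test is the kind of behaviour difference to look for when evaluating a new standard library.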

This article was contributed by Solid Sands (Amsterdam). For more information, visit here.