International Journal on Software Tools for Technology (2006) 8(4/5): 337–354
DOI 10.1007/s10009-005-0209-6

SPECIAL SECTION ON THE INDUSTRIALIZATION OF FORMAL METHODS: A VIEW FROM FORMAL METHODS 2003

Alan Wassyng · Mark Lawford

Software tools for safety-critical software development

Published online: 23 September 2005
© Springer-Verlag 2005

A. Wassyng (corresponding author) · M. Lawford
The Software Quality Research Laboratory, Department of Computing and Software, McMaster University, Hamilton, Ontario, Canada L8S 4K1
E-mail: wassyng@mcmaster.ca

Abstract

We briefly present a software methodology for safety-critical software, developed over many years to cope with industrial safety-critical applications in the Canadian nuclear industry. Following this we present a discussion of software tools that have been used to support this methodology, and of software tools that could be used but have not been, for a variety of reasons. Based on our experience, we also present and motivate a list of high-level requirements for tools that would facilitate the development of safety-critical software using the presented methods, together with a small number of tools that we believe are worth developing in the future.

1 Introduction

Software development is maturing. With that maturity has come the realisation that any particular development methodology will not succeed unless it is well supported by software tools. There are many diverse software tools available to software developers. Most of these tools are targeted at particular tasks. Not many of them provide comprehensive support for a particular methodology. When they do, they can be extraordinarily successful. For example, although UML [28] had no semantic basis, it proved to be extremely successful in industry. The success of UML, to a large extent, can be attributed to the comprehensive tool support that was available for it.

Software development for safety-critical systems is generally viewed as costly and time consuming. Software tools are always touted as a means to combat the labour-intensive nature of software development, and of safety-critical software development in particular. We are convinced that appropriate tool support can, indeed, help us produce safety-critical software at reduced cost. What is sometimes lost in the “better, cheaper, faster” mantra of tool proponents is that for safety-critical systems the most important thing is that tool support should also make it easier to see and demonstrate the quality of the software, for the producer, customer and regulator alike.

This paper concentrates on software tools for safety-critical software and is based on many years of experience of developing safety-critical software applications, with and without tool support. The emphasis is on software tools that support our methods.

The remainder of the paper is organized as follows. Section 2 provides an overview of the software engineering methodology we have used, in enough detail to understand the role and application of tools. Section 3 describes the tools that we believe are essential for making the method practical. Following this, Sect. 4 comments on additional tools that would be useful, but currently have not been implemented or have not been integrated with our methods. A discussion of regulatory requirements on supporting tools for safety-critical software in Sect. 5 helps to illustrate why developing tools for safety-critical software presents some unique challenges. Section 6 provides a list of high-level requirements for tools, motivated by our experience, and the last two sections discuss future tools and draw conclusions.

2 A safety-critical software methodology

The software methodology we have used on safety-critical projects has been described previously in [20, 33]. It is based primarily on Parnas’ descriptions of a “Rational Design Process” [23, 26] and makes extensive use of tabular expressions [13, 32]. The methodology was developed at Ontario Hydro, now Ontario Power Generation (OPG) Inc. The primary applications were the two independent Shutdown Systems for the Darlington Nuclear Generating Station in Ontario, Canada.