Deploy CORAL 66 to Europe — Royal Radar Establishment 🇬🇧 (Malvern 1966), the Safety-Critical Language Behind Rapier and Sea Wolf, on EU Infrastructure in 2026

In 1966, the Royal Radar Establishment (RRE) in Malvern, Worcestershire, England faced a problem that would shape the next half-century of safety-critical software engineering. Radar systems, missile guidance computers, and avionics were growing in complexity. The programming languages of the era — FORTRAN for scientific calculation, COBOL for business, ALGOL 60 for algorithms — were none of them suitable for embedded real-time systems with hard timing requirements, no operating system, and hardware registers that had to be read and written at precise intervals. The RRE needed something new.

The result was CORAL 66 — Computer On-line Real-time Applications Language. It was designed at Malvern, standardised by the National Physical Laboratory (NPL) in Teddington, Middlesex in 1970, and then adopted across UK defence programmes for the next twenty years. CORAL 66 powered the Rapier surface-to-air missile (British Aerospace), the Sea Wolf close-in weapons system (GEC Marconi), the Lynx helicopter mission systems, and the Nimrod MR2 maritime patrol aircraft's signal processor. When a Rapier battery engaged a target, it was executing CORAL 66 code.

The language's design — rooted in ALGOL 60, extended with coroutines, fixed-point arithmetic, and hardware register access, rigidly constrained against heap allocation and dynamic memory — was not a style preference. It was an engineering necessity for systems where a memory allocator failure meant a missile missed its target. Those constraints, refined over decades of deployment in UK and NATO systems, were eventually codified into the international standard IEC 61508 for functional safety — which today governs railway signalling, automotive braking systems, and industrial control across the European Union.

Royal Radar Establishment Malvern

The Royal Radar Establishment occupies a specific and important position in European computing history. Located in the Malvern Hills of Worcestershire, it was where wartime radar research had been conducted since 1942. By the 1960s, RRE had transitioned from analogue radar to digital signal processing. The computers controlling early warning systems were being programmed in assembly language — tedious, error-prone, and impossible to verify formally.

The RRE team drew primarily on ALGOL 60 — the European language par excellence, designed at a 1958 conference in Zürich involving American, British, German, Danish, and Swiss participants. ALGOL 60's block structure, recursive procedures, pass-by-name parameters, and formal BNF grammar made it the most rigorously defined language of its era. But ALGOL 60 had no facilities for real-time programming: no coroutines, no timing primitives, no direct hardware access, and it assumed dynamic memory allocation that was impractical on the embedded computers of 1966.

CORAL 66 took ALGOL 60's block structure and procedure model and stripped out everything incompatible with embedded real-time deployment, while adding exactly what was needed:

• Coroutines via WAIT and SIGNAL primitives — cooperative multitasking without a scheduler
• Fixed-point arithmetic — INTEGER and REAL with INTEGER(n) fixed-point for deterministic timing
• WORDAT / BYTEAT — direct hardware register read/write by address
• No heap allocation — all storage declared statically or on the stack at procedure entry
• INTERRUPT sections — named interrupt service routines bound to hardware vectors
• SECTION — modules with explicit interface declarations, prefiguring Ada packages by a decade
• CYCLE ... REPEAT — unbounded loops for embedded control systems (not a bug — intentional design for systems that run forever)

The result was a language small enough to implement on 1960s hardware, rigorous enough for safety-critical deployment, and expressive enough to write complete missile guidance software.

CORAL 66 Language Architecture

CORAL 66 programs are organised into SECTION blocks — named compilation units with explicit imports and exports. A minimal CORAL 66 program:

SECTION SENSOR_MONITOR

COMMENT Royal Radar Establishment CORAL 66 — Real-time sensor loop;
COMMENT NPL Standard 1970, IEC 61508 ancestor;

CONSTANT INTEGER MAX_SAMPLES = 256
CONSTANT INTEGER SENSOR_REG  = 16#4000#
CONSTANT INTEGER OUTPUT_REG  = 16#4002#
CONSTANT INTEGER STATUS_REG  = 16#4004#

INTEGER ARRAY samples(1:MAX_SAMPLES)
INTEGER i, count, sum, mean

PROCEDURE read_sensor(INTEGER RESULT value)
  COMMENT Direct hardware register access — no abstraction layer;
  COMMENT WORDAT reads a 16-bit word from physical address;
  value := WORDAT(SENSOR_REG)
ENDPROCEDURE

PROCEDURE process_samples
  sum := 0
  FOR i := 1 TO count DO
    sum := sum + samples(i)
  ENDFOR
  mean := sum DIV count
  WORDAT(OUTPUT_REG) := mean
ENDPROCEDURE

PROCEDURE initialise
  count := 0
  FOR i := 1 TO MAX_SAMPLES DO
    samples(i) := 0
  ENDFOR
  WORDAT(STATUS_REG) := 16#0001#  COMMENT Set READY bit
ENDPROCEDURE

initialise

CYCLE
  read_sensor(samples(count + 1))
  count := count + 1
  IF count >= MAX_SAMPLES THEN
    process_samples
    count := 0
  ENDIF
  WAIT(10)  COMMENT Yield for 10 ms — cooperative coroutine scheduling
REPEAT

ENDSECTION

The CYCLE ... REPEAT construct is central to CORAL 66 programming: embedded control systems do not exit. A WAIT(n) call yields control for n timer ticks, enabling cooperative multitasking between concurrent SECTION processes.

Coroutines and the WAIT/SIGNAL Model

CORAL 66's concurrency model is based on coroutines — a concept introduced in Conway's 1963 paper "Design of a Separable Transition-Diagram Compiler" and implemented in SIMULA 67 the following year by Ole-Johan Dahl and Kristen Nygaard 🇳🇴 at Norsk Regnesentral in Oslo. The RRE team adapted coroutines for interrupt-driven real-time systems:

SECTION RADAR_TRACKER

COMMENT Coroutine-based target tracking;
COMMENT Two concurrent tasks: data acquisition and track processing;

INTEGER target_x, target_y, target_velocity
BOOLEAN new_data_available, track_valid

PROCEDURE acquire_data
  CYCLE
    WAIT(RADAR_INTERRUPT)  COMMENT Suspend until hardware interrupt
    target_x := WORDAT(RADAR_X_REG)
    target_y := WORDAT(RADAR_Y_REG)
    new_data_available := TRUE
    SIGNAL(TRACKER)        COMMENT Resume tracker coroutine
  REPEAT
ENDPROCEDURE

PROCEDURE process_track
  CYCLE
    WAIT(TRACKER)          COMMENT Suspend until signalled by acquirer
    IF new_data_available THEN
      COMMENT Kalman filter update — fixed-point arithmetic
      target_velocity := compute_velocity(target_x, target_y)
      track_valid := TRUE
      new_data_available := FALSE
    ENDIF
  REPEAT
ENDPROCEDURE

ENDSECTION

The WAIT(event) / SIGNAL(event) pattern — suspend on condition, resume on signal — is architecturally identical to what modern operating systems call condition variables. Linux pthread_cond_wait, Go channels, and Rust async/await are all expressing the same synchronisation primitive that the RRE team embedded in CORAL 66 in 1966.

The Rapier Missile System

The most significant CORAL 66 deployment was the Rapier surface-to-air missile system, developed by British Aerospace (later BAE Systems) for the British Army and Royal Air Force. Rapier's fire control computer — which tracked targets via radar, computed intercept trajectories, and guided the missile to within lethal distance of an incoming aircraft — was programmed in CORAL 66.

Rapier was exported to numerous NATO allies and operated through the Falklands War (1982), the Gulf War (1991), and remained in UK service until 2012. The guidance algorithms running on CORAL 66 were responsible for flight safety in live operational conditions. This was not a laboratory demonstration: CORAL 66 code was responsible for lethal autonomous weapon guidance in combat conditions.

The engineering constraints imposed by Rapier's fire control computer directly shaped CORAL 66:

• No dynamic allocation: A garbage collector pause during missile guidance is unacceptable. All CORAL 66 memory is statically allocated or stack-allocated with bounded lifetime.
• Fixed-point arithmetic: Floating-point hardware was expensive and slow on 1960s–1970s embedded processors. CORAL 66's INTEGER(n) fixed-point type gave precise decimal semantics without a floating-point unit.
• Deterministic timing: CYCLE ... WAIT(n) ... REPEAT loops give exact timing guarantees. No scheduler jitter, no OS interruption.
• Interrupt service routines as first-class constructs: Hardware interrupts from radar returns and tracking sensors were bound directly to named CORAL 66 procedures.

SECTION INTERCEPT_COMPUTER

COMMENT Rapier fire control — simplified intercept geometry;
COMMENT Real system had many more sections and higher precision;

CONSTANT INTEGER(8) MISSILE_SPEED     = 550    COMMENT m/s, 8-bit fraction
CONSTANT INTEGER(8) GUIDANCE_INTERVAL =   4    COMMENT 4ms guidance cycle
CONSTANT INTEGER    MAX_RANGE         = 6800   COMMENT metres

INTEGER(8) target_range, target_bearing, target_elevation
INTEGER(8) missile_range, missile_bearing, missile_elevation
INTEGER(8) intercept_bearing, intercept_elevation

INTERRUPT target_track_irq AT 16#FFE0# DO
  target_range     := WORDAT(TARGET_RANGE_REG)
  target_bearing   := WORDAT(TARGET_BEARING_REG)
  target_elevation := WORDAT(TARGET_ELEVATION_REG)
  SIGNAL(GUIDANCE)
ENDINTERRUPT

PROCEDURE guidance_law
  CYCLE
    WAIT(GUIDANCE)
    IF target_range < MAX_RANGE THEN
      intercept_bearing   := compute_lead_bearing(target_bearing, target_range)
      intercept_elevation := compute_lead_elevation(target_elevation, target_range)
      WORDAT(AZIMUTH_CMD_REG)   := intercept_bearing
      WORDAT(ELEVATION_CMD_REG) := intercept_elevation
    ENDIF
  REPEAT
ENDPROCEDURE

ENDSECTION

From CORAL 66 to IEC 61508

CORAL 66's deployment in safety-critical systems over two decades generated the empirical evidence base for what good safety-critical software engineering looked like. That experience — articulated through UK Defence Standards DEF STAN 00-55 (Requirements for Safety Related Software in Defence Equipment) and DEF STAN 00-56 (Safety Management Requirements for Defence Systems) — directly contributed to the development of IEC 61508, the international standard for functional safety of electrical/electronic/programmable electronic safety-related systems.

CORAL 66 (RRE Malvern, 1966)
│
├─ UK Defence Standard DEF STAN 00-55 (1991)
│   Safety-critical software requirements
│   Direct descendant of CORAL 66 deployment lessons
│
├─ RTL/2 (ICI, UK, 1972) — J.G.P. Barnes
│   CORAL 66 successor, influence on Ada requirements
│
├─ MASCOT (RRE/RSRE, 1975)
│   Modular Approach to Software Construction, Operation and Test
│   Companion methodology to CORAL 66 for concurrent systems
│
├─ CHILL (ITU Geneva, 1980)
│   CORAL 66 influence via real-time telecom requirements
│   Used in telephone exchanges across Europe
│
├─ Ada (DoD/ANSI/ISO, 1983) — Jean Ichbiah 🇫🇷 (CII Honeywell Bull, Paris)
│   UK MoD's CORAL 66 experience shaped Ada requirements (1977 tender)
│   Packages ≈ CORAL 66 SECTIONs
│   Tasks ≈ CORAL 66 coroutines
│
└─ IEC 61508 (IEC, Geneva, 1998/2010)
    Functional Safety of E/E/PE Safety-Related Systems
    Mandatory across EU: railways (EN 50128), automotive (ISO 26262),
    industrial machinery (Machinery Directive 2006/42/EC, CEN EN 62061)

The path from a Malvern radar laboratory in 1966 to the EU Machinery Directive governing every industrial robot sold in Europe is direct: CORAL 66 → DEF STAN 00-55 → IEC 61508 → EU harmonised standards.

EU Regulatory Angles

EU Cyber Resilience Act 2024 — Memory Safety: The EU Cyber Resilience Act (CRA), published in October 2024, requires products with digital elements placed on the EU market to be designed with security by default. The CRA's technical guidance specifically addresses memory safety — heap buffer overflows, use-after-free vulnerabilities, and memory corruption — as the primary attack vector class to be mitigated. CORAL 66's architecture provides these properties by design: no heap allocation means no heap overflows, no dynamic memory means no use-after-free, bounded stack allocation means stack overflows are detectable at compile time. CORAL 66 prefigured the CRA's memory safety requirements by 58 years.

NIS2 Directive — Critical Infrastructure Software: NIS2 (EU) 2022/2555 places mandatory security requirements on operators of essential services including energy, transport, water, and digital infrastructure. The coroutine-based isolation in CORAL 66 — where each SECTION runs as a separate coroutine with defined interfaces — maps directly to NIS2's requirement for compartmentalisation and isolation of critical system components. No shared mutable state between sections means a compromise of one component cannot propagate state corruption to another.

IEC 61508 / EN 50128 — EU Railway and Automation: IEC 61508 is mandated by the EU Machinery Directive (2006/42/EC) and its successor the Machinery Regulation (EU) 2023/1230, effective July 2023. EN 50128 (railway software) and EN 62061 (industrial machinery safety) implement IEC 61508 requirements across the EU single market. Software that demonstrates IEC 61508 SIL 2 or SIL 3 compliance is required for level crossings, metro signalling (ERTMS/ETCS), and industrial robots across all 27 EU member states. The design principles codified in IEC 61508 — no dynamic allocation, bounded execution time, structured concurrency, absence of undefined behaviour — are precisely the principles CORAL 66 implemented by necessity in 1966.

GDPR Art. 25 — Data Minimisation by Architecture: CORAL 66's static memory model means every piece of data in a CORAL 66 program has a known lifetime bounded by its enclosing SECTION. There is no garbage collector retaining references to data structures beyond their logical lifetime. In a GDPR Art. 25 (data protection by design and by default) context, a system without heap allocation is trivially auditable for data retention: when a procedure returns, its stack frame — and all data in it — is provably released.

Modernising CORAL 66 for EU Cloud Deployment

CORAL 66 compilers are not widely available in 2026. The language's primary deployment context — cross-compiled to run on bare-metal embedded processors with custom BSPs — does not translate directly to containerised EU cloud deployment. However, several paths exist for running CORAL 66-derived systems on modern infrastructure:

Path 1: CORAL 66 to C Transpilation

The most practical approach is transpiling CORAL 66 source to C, which can then be compiled with any C toolchain. The structural mapping is direct:

/* CORAL 66 SECTION → C compilation unit with static storage */
/* CORAL 66 WORDAT(addr) → memory-mapped I/O via mmap or /dev/mem */
/* CORAL 66 WAIT/SIGNAL → POSIX condition variables or semaphores */
/* CORAL 66 INTERRUPT → sigaction() signal handlers */

#include <stdint.h>
#include <pthread.h>
#include <semaphore.h>

/* CORAL 66: CONSTANT INTEGER MAX_SAMPLES = 256 */
#define MAX_SAMPLES 256

/* CORAL 66: INTEGER ARRAY samples(1:MAX_SAMPLES) — static, no heap */
static int32_t samples[MAX_SAMPLES + 1]; /* 1-indexed */
static int32_t count = 0;
static int32_t sum   = 0;
static int32_t mean  = 0;

static sem_t guidance_event;

/* CORAL 66: INTERRUPT target_track_irq AT 0xFFE0 */
static void target_track_handler(int sig) {
    /* Read from hardware-mapped register */
    count = (count < MAX_SAMPLES) ? count + 1 : 1;
    samples[count] = read_sensor_register();
    sem_post(&guidance_event); /* CORAL 66: SIGNAL(GUIDANCE) */
}

/* CORAL 66: PROCEDURE process_samples */
static void process_samples(void) {
    sum = 0;
    for (int i = 1; i <= count; i++) sum += samples[i];
    mean = (count > 0) ? sum / count : 0;
}

/* CORAL 66: CYCLE ... WAIT(GUIDANCE) ... REPEAT */
void *guidance_loop(void *arg) {
    for (;;) {
        sem_wait(&guidance_event); /* CORAL 66: WAIT(GUIDANCE) */
        if (count >= MAX_SAMPLES) {
            process_samples();
            count = 0;
        }
        write_output_register(mean);
    }
    return NULL;
}

Path 2: CORAL 66 Simulation via Docker

For EU cloud deployment, CORAL 66 programs transpiled to C containerise cleanly:

FROM debian:bookworm-slim AS builder

RUN apt-get update && apt-get install -y \
    gcc \
    make \
    && rm -rf /var/lib/apt/lists/*

WORKDIR /src

# CORAL 66 transpiled sources (C output from transpiler)
COPY coral_src/ ./coral_src/
COPY Makefile .

# Compile CORAL 66 → C → binary
# Static allocation enforced: -fno-exceptions -fno-rtti
# Memory-safe flags mirror CORAL 66's design constraints
RUN gcc -O2 -Wall -Wextra \
    -fstack-protector-strong \
    -fno-common \
    -static \
    coral_src/*.c \
    -lpthread \
    -o coral_service

FROM debian:bookworm-slim

RUN apt-get update && apt-get install -y \
    libpthread-stubs0-dev \
    && rm -rf /var/lib/apt/lists/*

WORKDIR /app
COPY --from=builder /src/coral_service .

EXPOSE 8080
CMD ["./coral_service"]

# sota.yaml — CORAL 66 service on EU infrastructure
service:
  name: coral-safety-system
  runtime: docker
  region: eu-central-1
  port: 8080

database:
  type: postgres
  version: "17"
  size: small

env:
  CORAL_DATA_RESIDENCY: EU-DE
  IEC61508_COMPLIANCE_MODE: "true"
  GDPR_STATIC_ALLOCATION: "true"

# Deploy CORAL 66-derived service to EU
sota deploy --region eu-central-1

# Verify deployment — static binary: near-zero attack surface
sota status
sota logs --tail 50

A CORAL 66 program compiled to a static C binary produces a container image under 5MB. No runtime dependencies, no dynamic linker, no package manager. Cold starts are measured in tens of milliseconds. The CRA-compliant memory model — no heap, bounded stack — is preserved through the entire transpilation and deployment pipeline.

The Malvern Lineage

The Royal Radar Establishment at Malvern is one of the most productive sites in European computing history, less celebrated than Cambridge or Edinburgh but responsible for a continuous lineage of safety-critical computing innovation:

Royal Radar Establishment (RRE), Malvern, 1966
│
├─ CORAL 66 — real-time embedded language
│   NPL standardisation (Teddington, 1970)
│
├─ MASCOT — concurrent systems methodology (RSRE, 1975)
│   Modular approach to embedded concurrent software
│   Influenced Ada tasking model
│
├─ RRE → RSRE (Royal Signals and Radar Establishment, 1976)
│   → DRA (Defence Research Agency, 1991)
│   → DERA (Defence Evaluation and Research Agency, 1995)
│   → QinetiQ (privatised, 2001, HQ: Farnborough)
│   → Dstl (Defence Science and Technology Laboratory, 2001)
│     Malvern site: still active, IEC 61508 research
│
├─ CORAL 66 operational deployments:
│   ├─ Rapier SAM (British Aerospace, 1971 — service until 2012)
│   ├─ Sea Wolf CIWS (GEC Marconi, 1979)
│   ├─ Lynx helicopter mission systems (Westland, 1971)
│   ├─ Nimrod MR2 signal processor (BAE Systems)
│   └─ Tornado GR1 navigation system (partial, shared with CORAL 66 derivatives)
│
└─ Influence lineage → IEC 61508 → EU Machinery Directive
    Rapier experience → DEF STAN 00-55 (1991)
    DEF STAN 00-55 → IEC 61508 drafting input (1990s)
    IEC 61508 → EN 50128 (railway, mandatory EU)
    IEC 61508 → ISO 26262 (automotive)
    IEC 61508 → EN 62061 (industrial machinery)

RTL/2 (Real-Time Language 2), developed by J.G.P. Barnes at ICI (Imperial Chemical Industries) in the UK in 1972, was a direct successor to CORAL 66. Barnes went on to write the definitive implementation guide for Ada and authored several editions of the standard Ada textbook — a direct intellectual lineage from CORAL 66 through RTL/2 to Ada.

Deploy CORAL 66 to sota.io

# Deploy CORAL 66-derived service to EU infrastructure
# GDPR-compliant by architecture: static allocation, bounded lifetimes
sota deploy --region eu-central-1

# With managed PostgreSQL 17 (EU data residency)
sota deploy --region eu-central-1 --with-postgres

# CORAL 66's static memory model: predictable resource consumption
sota status
sota logs --tail 50

CORAL 66's design constraints — no heap, deterministic timing, explicit hardware interfaces — make it one of the most naturally cloud-deployable language families when transpiled to C: a static binary with no runtime dependencies, sub-10ms cold starts, and resource consumption measurable at compile time. sota.io's EU infrastructure (German data centres, guaranteed EU data residency) provides the GDPR-compliant, NIS2-aligned deployment environment that safety-critical workloads require.

See Also

• Deploy CHILL to Europe — CCITT/ITU Geneva 🇨🇭 (1980). CHILL (CCITT High Level Language) was designed for real-time telecom systems — telephone exchange software across Europe. CORAL 66 and CHILL share a common lineage: both draw on ALGOL 60 with real-time extensions, both were designed for systems where dynamic memory allocation is forbidden, and CHILL explicitly acknowledged CORAL 66 as a predecessor in its 1980 specification.
• Deploy Ada to Europe — Jean Ichbiah 🇫🇷 (CII Honeywell Bull, Paris, 1983). The UK Ministry of Defence's experience with CORAL 66 directly shaped the requirements for Ada: the 1977 MoD tender for a common language for defence systems was the result of decades of CORAL 66 deployment. Ada packages parallel CORAL 66 sections; Ada tasks parallel CORAL 66 coroutines. RTL/2, the CORAL 66 successor by J.G.P. Barnes, was the direct intellectual bridge to Ada.
• Deploy SPARK Ada to Europe — Praxis High Integrity Systems 🇬🇧 (Bath, 1988). SPARK is the formally verifiable subset of Ada used in EU aerospace (Airbus A380 flight control), UK railway signalling (Network Rail), and medical devices (MHRA-regulated). The IEC 61508 compliance path for safety-critical EU systems typically runs from CORAL 66-era requirements through Ada to SPARK. The entire lineage traces to Malvern.
• Deploy ALGOL to Europe — ALGOL 60 Committee 🇩🇪🇨🇭🇩🇰🇳🇱 (Zürich 1958 / Paris 1960). CORAL 66's block structure, BEGIN...END syntax, and procedure model are directly derived from ALGOL 60. The European academics who designed ALGOL 60 — Peter Naur 🇩🇰, Adriaan van Wijngaarden 🇳🇱, Edsger Dijkstra 🇳🇱 — created the formal foundation that made CORAL 66's precision possible.
• Deploy BCPL to Europe — Martin Richards 🇬🇧 (Cambridge Mathematical Laboratory, 1967). BCPL and CORAL 66 were designed in the same year (1966–1967) in the same country (England) to solve adjacent problems: BCPL for portable systems software, CORAL 66 for embedded real-time. BCPL's typeless memory model (the ancestor of C) is the opposite of CORAL 66's strictly typed deterministic approach — the two languages represent the two poles of systems programming that converged in C and Ada respectively.
• All languages on sota.io

Why sota.io for CORAL 66 Deployments

sota.io is the EU-native PaaS for developers who need European infrastructure — not as an afterthought, but as a technical requirement.

CORAL 66's design principles — static allocation, deterministic timing, bounded resource consumption — align precisely with sota.io's deployment model. A CORAL 66 program transpiled to a static C binary deploys to sota.io with a Dockerfile under 5MB, cold starts under 10ms, and resource usage predictable from the source code. The IEC 61508 compliance properties preserved through transpilation — no heap, no undefined behaviour, bounded lifetime of all data — satisfy the EU Cyber Resilience Act's memory safety requirements and NIS2's compartmentalisation requirements out of the box.

The language designed in a Malvern radar laboratory in 1966 — whose safety principles were refined through two decades of missile guidance software and eventually codified into the IEC 61508 standard governing every industrial robot, railway signalling system, and automotive brake controller sold in the EU today — deploys cleanly to EU-native infrastructure in 2026.

# Deploy CORAL 66 to EU — the language whose design principles
# are now mandatory across all EU safety-critical systems.
sota deploy --region eu-central-1

CORAL 66 was developed at the Royal Radar Establishment (RRE), Malvern, Worcestershire, England in 1966. The language was standardised by the National Physical Laboratory (NPL), Teddington, Middlesex in 1970. The RRE subsequently became the Royal Signals and Radar Establishment (RSRE), then the Defence Research Agency (DRA), then the Defence Evaluation and Research Agency (DERA), splitting in 2001 into QinetiQ (commercial) and Dstl (Defence Science and Technology Laboratory), both retaining Malvern sites. RTL/2, the direct successor to CORAL 66, was developed by J.G.P. Barnes at ICI in 1972; Barnes subsequently wrote the definitive Ada implementation guide and contributed to Ada standardisation. IEC 61508 was first published in 1998 and revised in 2010 by the International Electrotechnical Commission (IEC), Geneva 🇨🇭.