Towards Modular Certification of Mixed-Criticality Systems (IEC-61508)
Jon Pérez
July 2nd, 2014
07.05.2015
Overview
1. Objective: pave the way towards the competitive development of mixed-criticality product families (IEC-61508)
2. Why?
   1. Mixed criticality brings multiple advantages (lower cost, size, weight and power; higher scalability and reliability), but it creates difficulties with respect to the safety certification standards
   2. Safety certification costs and efforts are high
   3. A safety product could be constructed efficiently by re-using certified 'building blocks' (IEC-61508 compliant items) -> reusability
   4. Safety products are in many cases specific instances of a safety 'product family'. Product variability has to be handled so that the certification cost of each instance is as low as possible
Context
Different standards use different names for similar concepts: 'compliant item' (IEC-61508), 'Safety Element out of Context' (ISO-26262), 'generic application' (EN-5012X), etc. -> reusability; reduced effort, time, cost and risk
Mixed-criticality basic 'building blocks':
Multicore processor
Hypervisor
Network protocol
Partition (software)
Complexity management by means of [1][2]:
Partitioning -> software partitions
Segmentation -> periodic cyclic scheduling with time slots (XtratuM hypervisor)
Abstraction -> partitions see logical ports instead of platform-specific registers (the I/O and communication server patterns below)
[1] H. Kopetz, "On the Fault Hypothesis for a Safety-Critical Real-Time System," in Lecture Notes in Computer Science, vol. 4147, ch. 3, pp. 31–42. Springer, Berlin Heidelberg, 2006.
[2] J. Perez et al., "A Safety Concept for a Wind Power Mixed-Criticality Embedded System Based on Multicore Partitioning," 11th International Symposium - Functional Safety in Industrial Applications (TÜV Rheinland), Cologne, Germany, 2014.
Context
Figure (platform architecture, bottom to top): hardware layer with the CPU cores; virtualisation layer (hypervisor); and a set of (software) partitions, each running its own RTOS or GPOS together with its application(s).
Background - Statement of the problem
A modern off-shore wind turbine dependable control system manages [1]:
I/Os: up to three thousand inputs/outputs
Functions and nodes: several hundred functions distributed over several hundred nodes
Distribution: grouped into eight subsystems interconnected with a fieldbus
Software: several hundred thousand lines of code
[1] J. Perez et al., "A Safety Concept for a Wind Power Mixed-Criticality Embedded System Based on Multicore Partitioning," 11th International Symposium - Functional Safety in Industrial Applications (TÜV Rheinland), Cologne, Germany, 2014.
“Utopia” -> Dreams
Original certified system, sub-system or element + system, sub-system or element increment = new system, sub-system or element
Original certified system, sub-system or element + system, sub-system or element change = new system, sub-system or element
Proposed solution
Propose strategies for the certification of (mixed-criticality) product families compliant with the standard (IEC-61508)
Provide cross-domain patterns, e.g.
Diagnosis strategy
I/O server, communication server, etc.
Modular safety cases for the hypervisor, the COTS multicore processor and the network
Example – Diagnosis strategy pattern
IEC-61508-2 (Route 1H): a SIL3 subsystem with HFT=1 needs a safe failure fraction of at least 90% (type B subsystem), which in practice means a diagnostic coverage (DC) above 90%
Diagnosis strategy pattern (high level):
Hardware: the hardware provides autonomous diagnosis (e.g., IEC-61508-2 Table A.9, power failure monitor (PFM)) and diagnosis components to be commanded by software (e.g., IEC-61508-2 Table A.10, watchdog)
Hypervisor: the hypervisor health monitoring and diagnosis partitions should support platform-related diagnosis (e.g., IEC-61508-2 Table A.5, signature of a double word) and diagnosis that requires privileged mode
Partition: the partition should be self-contained and should provide safety life-cycle related techniques (e.g., IEC-61508-3 Table A.4, defensive programming) and platform-independent diagnosis (e.g., IEC-61508-2 Table A.7, input comparison/voting), abstracted from the details of the underlying platform
System: the system architect specifies and integrates the additional diagnosis partitions required to build a safe product, taking all safety manuals into consideration
Qualified tools: qualified tools should support off-line constraint and coherency checks
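As an added example (not code from the slides or from the authors' platform), the following C shows three of the diagnosis techniques the pattern distributes over the layers above, in the form a self-contained partition or a hypervisor diagnosis partition would implement them: a signature over invariable memory (Table A.5), 2oo3 input comparison/voting (Table A.7) and logical program-sequence monitoring that gates the watchdog kick (Table A.10). The configuration table, tolerances, checkpoint sequence and all function names are assumptions made for illustration.

```c
/* Added example, not code from the slides: three diagnosis techniques of the
 * kind the pattern assigns to the partition and hypervisor layers (table
 * numbers: IEC 61508-2 Annex A). Data, tolerances and the checkpoint trace
 * are constructed for illustration. */
#include <stdint.h>
#include <stddef.h>

/* 1. Signature of invariable memory (Table A.5): Fletcher-32 over 16-bit
 *    words; the reference is fixed at build time and re-checked cyclically. */
uint32_t fletcher32(const uint16_t *data, size_t words)
{
    uint32_t s1 = 0xffff, s2 = 0xffff;
    while (words) {
        size_t n = words > 359 ? 359 : words;   /* 359 words keep s2 below 2^32 */
        words -= n;
        while (n--) { s1 += *data++; s2 += s1; }
        s1 = (s1 & 0xffff) + (s1 >> 16);
        s2 = (s2 & 0xffff) + (s2 >> 16);
    }
    s1 = (s1 & 0xffff) + (s1 >> 16);
    s2 = (s2 & 0xffff) + (s2 >> 16);
    return (s2 << 16) | s1;
}

/* Constructed configuration table: 1 when the intact table matches its
 * reference signature and a copy with a single flipped bit does not. */
int signature_detects_bit_flip(void)
{
    static const uint16_t cfg[6] = { 10, 20, 30, 40, 50, 60 };
    uint16_t copy[6];
    uint32_t ref = fletcher32(cfg, 6);          /* would be a build-time constant */
    for (size_t i = 0; i < 6; i++) copy[i] = cfg[i];
    copy[3] ^= 0x0100;                          /* inject a single-bit fault */
    return fletcher32(cfg, 6) == ref && fletcher32(copy, 6) != ref;
}

/* 2. Input comparison / voting (Table A.7): 2oo3 over redundant readings. */
typedef enum { VOTE_OK = 0, VOTE_DEGRADED = 1, VOTE_FAIL = 2 } vote_status_t;

static int within(int32_t x, int32_t y, int32_t tol)
{
    int64_t d = (int64_t)x - y;                 /* 64-bit difference cannot overflow */
    return (d < 0 ? -d : d) <= tol;
}

/* *out: voted value; *bad: disagreeing channel on VOTE_DEGRADED, else -1.
 * VOTE_FAIL: no two channels agree, the caller must go to the safe state. */
vote_status_t vote_2oo3(int32_t a, int32_t b, int32_t c, int32_t tol,
                        int32_t *out, int *bad)
{
    int ab = within(a, b, tol), ac = within(a, c, tol), bc = within(b, c, tol);
    *bad = -1;
    if (ab + ac + bc >= 2) {                    /* consistent: take the median */
        int32_t lo = a < b ? a : b, hi = a < b ? b : a;
        *out = c < lo ? lo : (c > hi ? hi : c);
        return VOTE_OK;
    }
    if (ab) { *out = (int32_t)(((int64_t)a + b) / 2); *bad = 2; return VOTE_DEGRADED; }
    if (ac) { *out = (int32_t)(((int64_t)a + c) / 2); *bad = 1; return VOTE_DEGRADED; }
    if (bc) { *out = (int32_t)(((int64_t)b + c) / 2); *bad = 0; return VOTE_DEGRADED; }
    return VOTE_FAIL;
}

/* Vote and compare against the expected value/channel; -1 on mismatch. */
int vote_check(int32_t a, int32_t b, int32_t c, int32_t tol, int32_t expect, int expect_bad)
{
    int32_t v; int bad;
    vote_status_t s = vote_2oo3(a, b, c, tol, &v, &bad);
    return (s == VOTE_FAIL || (v == expect && bad == expect_bad)) ? (int)s : -1;
}

/* 3. Logical program-sequence monitoring (Table A.10): the partition reports
 *    checkpoints 0..SEQ_LEN-1 in order; the hardware watchdog is kicked only
 *    after a complete, correctly ordered cycle. */
#define SEQ_LEN 4
static unsigned seq_next, seq_count;
static int seq_broken;

void seq_checkpoint(unsigned id)
{
    if (id != seq_next) seq_broken = 1;
    seq_next = id + 1;
    seq_count++;
}
/* Once per cycle: 1 = watchdog may be kicked; the monitor is always reset. */
int seq_cycle_ok(void)
{
    int ok = !seq_broken && seq_count == SEQ_LEN && seq_next == SEQ_LEN;
    seq_next = 0; seq_count = 0; seq_broken = 0;
    return ok;
}
/* Feeds a constructed checkpoint trace through the monitor. */
int seq_run(const unsigned *ids, size_t n)
{
    seq_next = 0; seq_count = 0; seq_broken = 0;
    for (size_t i = 0; i < n; i++) seq_checkpoint(ids[i]);
    return seq_cycle_ok();
}
```

The split matches the pattern: the signature and sequence monitor need knowledge of the memory map and of the watchdog hardware, so they belong in the hypervisor's diagnosis partition (privileged mode), while the voter is pure arithmetic on port data and can be reused unchanged across platforms. Note that a VOTE_DEGRADED result still produces a value; whether operation may continue in that state is a decision of the safety concept, not of the voter.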
Example – Digital I/O server
Problem: safety-related and non-safety-related partitions need to command 'digital output(s)'
In a 'product family' the number of requested outputs and their ownership may increase
To enable reuse of partitions, they should be abstracted from the platform-specific details of commanding digital outputs (e.g. registers)
I/O server pattern: the system design can be simplified if partitions command 'digital outputs' logically (using partition ports), abstracted from the processor-specific control of the 'digital outputs' and its associated diagnosis (e.g. register diagnosis, time-outs, etc.)
I/O server 'compliant item' (software partition): the 'I/O server' provides a 'safe digital output command' safety function (SIL3 IEC-61508 / SIL4 EN-50128)
The 'I/O server' partition manages a configurable number of digital outputs, each commanded through one communication port, and performs basic diagnosis such as register diagnosis, configurable time-out, etc.
The configuration of the 'I/O server' and the connection of communication ports are performed off-line (qualified tools)
The 'I/O server' relies on the safety-related functions (e.g. safe virtualisation of resources) provided by the hypervisor (modular safety case of the hypervisor)
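As an added example (not the authors' I/O server and not code from the slides), the C below sketches the server side of the pattern: client partitions only write a command message to their port, and the server's cyclic job enforces a per-output time-out configured off-line, performs register read-back diagnosis, and drives the output to its de-energised safe state on either failure. The port layout, the mock register file, the tick counts and all names are assumptions for illustration.

```c
/* Added example, not the authors' I/O server: a minimal "safe digital output
 * command" server partition. Clients never touch hardware; each writes a
 * command to its port. Per tick the server checks command freshness against
 * an off-line configured time-out, writes the register, reads it back and
 * forces the de-energised safe state (level 0) on time-out or mismatch.
 * Port layout, mock registers and all numbers are assumptions. */
#include <stdint.h>
#include <stddef.h>

#define N_OUT 4

typedef struct {
    uint8_t  level;   /* requested level; 0 is the safe (de-energised) state */
    uint16_t seq;     /* client increments on every refresh; unchanged = stale */
} out_cmd_t;

typedef struct {
    uint16_t timeout_ticks;      /* from the off-line configuration */
    uint16_t last_seq;
    uint16_t stale_ticks;        /* ticks since the last fresh command */
    uint8_t  timed_out;
    uint8_t  faulted;            /* latched on register read-back mismatch */
} out_state_t;

static out_cmd_t   port[N_OUT];     /* sampling ports written by client partitions */
static out_state_t st[N_OUT];
static uint8_t     hw_reg[N_OUT];   /* mock output register file */
static uint8_t     stuck_mask;      /* test hook: outputs whose register is stuck at 0 */

/* Mock register access; a real server calls the platform driver here. */
static void reg_write(int i, uint8_t v) { hw_reg[i] = (stuck_mask & (1u << i)) ? 0 : (v & 1); }
static uint8_t reg_read(int i) { return hw_reg[i]; }

void ioserver_init(const uint16_t *timeouts)
{
    stuck_mask = 0;
    for (int i = 0; i < N_OUT; i++) {
        out_state_t z = { timeouts[i], 0, 0, 0, 0 };
        st[i] = z; port[i].level = 0; port[i].seq = 0; hw_reg[i] = 0;
    }
}

/* Client-side API, the only way a partition commands an output; seq starts
 * at 1 and must increase on every refresh. */
void client_command(int out, uint8_t level, uint16_t seq) { port[out].level = level; port[out].seq = seq; }

void inject_stuck_register(uint8_t mask) { stuck_mask = mask; }   /* fault injection */

/* Server cyclic job, executed once per tick in the server's time slot. */
void ioserver_tick(void)
{
    for (int i = 0; i < N_OUT; i++) {
        if (port[i].seq != st[i].last_seq) {          /* fresh command seen */
            st[i].last_seq = port[i].seq;
            st[i].stale_ticks = 0;
        } else if (st[i].stale_ticks < UINT16_MAX) {
            st[i].stale_ticks++;
        }
        st[i].timed_out = st[i].stale_ticks > st[i].timeout_ticks;
        /* Safe state wins: any time-out or latched fault drives level 0. */
        uint8_t want = (st[i].timed_out || st[i].faulted) ? 0 : (port[i].level & 1);
        reg_write(i, want);
        if (reg_read(i) != want) {                    /* register diagnosis */
            st[i].faulted = 1;
            reg_write(i, 0);
        }
    }
}

uint8_t output_level(int i) { return reg_read(i); }
int output_timed_out(int i) { return st[i].timed_out; }
int output_faulted(int i)   { return st[i].faulted; }

/* Constructed scenario: 0 when every step behaves as expected, otherwise the
 * number of the first failing step. */
int ioserver_scenario(void)
{
    static const uint16_t timeouts[N_OUT] = { 2, 2, 2, 2 };
    ioserver_init(timeouts);
    client_command(0, 1, 1); ioserver_tick();
    if (output_level(0) != 1) return 1;
    ioserver_tick(); ioserver_tick();                 /* two stale ticks: within limit */
    if (output_level(0) != 1 || output_timed_out(0)) return 2;
    ioserver_tick();                                  /* third stale tick exceeds 2 */
    if (output_level(0) != 0 || !output_timed_out(0)) return 3;
    client_command(0, 1, 2); ioserver_tick();         /* refreshed command recovers */
    if (output_level(0) != 1 || output_timed_out(0)) return 4;
    inject_stuck_register(0x01); ioserver_tick();     /* read-back mismatch latches */
    if (output_level(0) != 0 || !output_faulted(0)) return 5;
    inject_stuck_register(0); client_command(0, 1, 3); ioserver_tick();
    if (output_level(0) != 0 || !output_faulted(0)) return 6;   /* stays latched */
    return 0;
}
```

Two design points carry the safety argument: the time-out fails safe without any cooperation from the client (a crashed or starved partition simply stops refreshing its sequence number), and the read-back fault is latched so that an intermittent register failure cannot silently re-energise the output. The time-out value per output is the kind of parameter the off-line qualified tool should check for coherency with the partition schedule.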
Example – Communication I/O server
Problem: safety-related and non-safety-related partitions need to communicate (networks)
In a 'product family' the number of functions that require communication may increase, mixing safety-related and non-safety-related communication requirements
In a 'product family' the underlying communication network may be replaced (e.g. EtherCAT -> TTEthernet)
To enable reuse of partitions, they should be abstracted from the platform-specific details of managing the network (e.g. registers)
Communication server pattern: the system design can be simplified if partitions communicate logically (using partition ports), abstracted from the processor-specific control of the network and its associated diagnosis (e.g. register diagnosis, time-outs, etc.)
Communication server 'compliant item' (software partition): the 'communication server' manages a network protocol (black or white channel). With a black channel the network is not part of the safety case and the safety-related end points protect their own messages; with a white channel the whole channel is developed and validated as part of the safety-related system
The 'communication server' partition switches information between communication ports and the network, and can perform basic diagnosis
The configuration of the 'communication server' and the connection of communication ports are performed off-line (qualified tools)
With a white channel, the 'communication server' relies on the safety-related functions (e.g. safe virtualisation of resources) provided by the hypervisor (modular safety case of the hypervisor and modular safety case of the network)
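As an added example (not the slides' communication server), the C below shows what the black-channel case pushes onto the safety-related end points: a safety layer that wraps each message with a source identifier, sequence number, time stamp and CRC, and a receiver that classifies corruption, insertion, repetition, loss and delay before any payload reaches the application partition. The frame layout, CRC-16/CCITT polynomial, age limit and all names are assumptions for illustration.

```c
/* Added example, not the slides' communication server: the safety layer a
 * safety partition adds on top of a black channel (a network the safety
 * case makes no claims about). Frame layout, CRC and limits are assumed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define PAYLOAD_LEN   4
#define HDR_LEN       (1 + 2 + 4 + PAYLOAD_LEN)   /* bytes covered by the CRC */
#define MAX_AGE_TICKS 3

typedef struct {
    uint8_t  src;                 /* connection / source identifier */
    uint16_t seq;                 /* consecutive per connection */
    uint32_t timestamp;           /* sender's tick counter */
    uint8_t  payload[PAYLOAD_LEN];
    uint16_t crc;                 /* CRC-16/CCITT-FALSE over the fields above */
} safety_frame_t;

typedef enum { RX_OK, RX_BAD_CRC, RX_BAD_SRC, RX_REPEATED, RX_LOST, RX_STALE } rx_verdict_t;

typedef struct {
    uint8_t  src;        /* the only source this connection accepts */
    uint16_t next_seq;   /* sequence number expected next */
    uint32_t now;        /* receiver's tick counter */
} rx_state_t;

/* CRC-16/CCITT-FALSE: poly 0x1021, init 0xFFFF, no reflection, check 0x29B1. */
uint16_t crc16_ccitt(const uint8_t *p, size_t n)
{
    uint16_t crc = 0xFFFF;
    for (size_t i = 0; i < n; i++) {
        crc ^= (uint16_t)p[i] << 8;
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x8000) ? (uint16_t)((crc << 1) ^ 0x1021) : (uint16_t)(crc << 1);
    }
    return crc;
}

/* Big-endian serialisation so the CRC is independent of padding and endianness. */
static void pack_header(const safety_frame_t *f, uint8_t out[HDR_LEN])
{
    out[0] = f->src;
    out[1] = (uint8_t)(f->seq >> 8);        out[2] = (uint8_t)f->seq;
    out[3] = (uint8_t)(f->timestamp >> 24); out[4] = (uint8_t)(f->timestamp >> 16);
    out[5] = (uint8_t)(f->timestamp >> 8);  out[6] = (uint8_t)f->timestamp;
    memcpy(out + 7, f->payload, PAYLOAD_LEN);
}

void frame_build(safety_frame_t *f, uint8_t src, uint16_t seq, uint32_t ts,
                 const uint8_t payload[PAYLOAD_LEN])
{
    uint8_t buf[HDR_LEN];
    f->src = src; f->seq = seq; f->timestamp = ts;
    memcpy(f->payload, payload, PAYLOAD_LEN);
    pack_header(f, buf);
    f->crc = crc16_ccitt(buf, HDR_LEN);
}

/* Receiver check. Only RX_OK advances the connection; on any other verdict
 * the consumer must treat the channel as failed and go to its safe state. */
rx_verdict_t frame_check(rx_state_t *rx, const safety_frame_t *f)
{
    uint8_t buf[HDR_LEN];
    pack_header(f, buf);
    if (crc16_ccitt(buf, HDR_LEN) != f->crc) return RX_BAD_CRC;   /* corruption */
    if (f->src != rx->src) return RX_BAD_SRC;                      /* insertion / masquerade */
    if (f->seq != rx->next_seq) {
        int16_t d = (int16_t)(f->seq - rx->next_seq);              /* wrap-safe distance */
        return d < 0 ? RX_REPEATED : RX_LOST;                      /* repetition vs loss */
    }
    if (rx->now - f->timestamp > MAX_AGE_TICKS) return RX_STALE;   /* delay (or clock skew) */
    rx->next_seq = (uint16_t)(f->seq + 1);
    return RX_OK;
}

/* Constructed exchange: 0 when every verdict is as expected, else the step number. */
int black_channel_demo(void)
{
    rx_state_t rx = { 7, 1, 10 };
    safety_frame_t f;
    const uint8_t pl[PAYLOAD_LEN] = { 1, 2, 3, 4 };
    frame_build(&f, 7, 1, 10, pl);
    if (frame_check(&rx, &f) != RX_OK) return 1;            /* good frame accepted */
    if (frame_check(&rx, &f) != RX_REPEATED) return 2;      /* same frame replayed */
    frame_build(&f, 7, 3, 10, pl);
    if (frame_check(&rx, &f) != RX_LOST) return 3;          /* seq 2 never arrived */
    frame_build(&f, 7, 2, 10, pl); f.payload[0] ^= 0x01;
    if (frame_check(&rx, &f) != RX_BAD_CRC) return 4;       /* corrupted in transit */
    frame_build(&f, 9, 2, 10, pl);
    if (frame_check(&rx, &f) != RX_BAD_SRC) return 5;       /* foreign source */
    frame_build(&f, 7, 2, 5, pl);
    if (frame_check(&rx, &f) != RX_STALE) return 6;         /* 5 ticks old, limit 3 */
    frame_build(&f, 7, 2, 9, pl);
    return frame_check(&rx, &f) == RX_OK ? 0 : 7;
}
```

This is the layer whose safety case replaces the network's when the channel is black, which is why the communication server can switch the underlying protocol (EtherCAT, TTEthernet) without touching the safety-related partitions. One caveat a security reviewer would add: a CRC only defends against random and systematic faults; on a network an attacker can reach, the integrity field has to be a keyed MAC and the source identifier has to be authenticated, otherwise every check above can be satisfied by a forged frame.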
Summary
Objective: pave the way towards the competitive development of mixed criticality product families (IEC-61508)
By means of:
Definition of strategies for the certification of mixed-criticality ‘product families’
Definition of cross-domain patterns (example solutions to well known / repetitive problems)
Definition of modular safety cases for hypervisor, multicore processor and network communication