Towards Modular Certification of Mixed-Criticality Systems (IEC-61508)

Jon Pérez

July 2nd, 2014


Overview

1. Objective: pave the way towards the competitive development of mixed-criticality product families (IEC-61508)

2. Why?

   2.1 Mixed-criticality provides multiple advantages (reduction of cost, size, weight and power; increased scalability and reliability), but difficulties arise with regard to safety certification standards

   2.2 Safety certification costs and efforts are high

   2.3 A safety product could be efficiently constructed by re-using certified ‘building blocks’ (IEC-61508 compliant items) -> reusability

   2.4 Safety products are in many cases specific instances of a safety ‘product family’. There is a need to deal with the variability of products so that the certification cost of each instance is as low as possible


Context

Different standards, different names for similar concepts: ‘compliant item’ (IEC-61508), ‘Safety Element out of Context’ (ISO-26262), ‘Generic application’ (EN-5012X), etc. -> reusability, reduced effort / time / cost / risk, etc.

Mixed-criticality basic ‘building blocks’:

Multicore processor

Hypervisor

Network protocol

Partition (Software)

Complexity management by means of [1][2]:

Partition -> Partition (software)

Segmentation -> Periodic cyclic scheduling with time-slots (hypervisor XtratuM)

Abstraction


[1] H. Kopetz, “On the Fault Hypothesis for a Safety-Critical Real-Time System”, Lecture Notes in Computer Science, vol. 4147, ch. 3, pp. 31–42. Springer Berlin Heidelberg, 2006.

[2] J. Perez et al., “A Safety Concept for a Wind Power Mixed-Critically Embedded System Based on Multicore Partitioning”, 11th International Symposium - Functional Safety in Industrial Applications (TÜV Rheinland), Cologne, Germany, 2014.

Context

(Figure: layered architecture. Hardware layer: a multicore processor with several CPU cores. Virtualisation layer: the hypervisor. Above it, the software partitions, each running either an RTOS or a GPOS together with its application(s).)

Background - Statement of the problem

A modern off-shore wind turbine dependable control system manages [1]:

I/Os: up to three thousand inputs / outputs

Functions & nodes: several hundred functions distributed over several hundred nodes

Distributed: grouped into eight subsystems interconnected with a fieldbus

Software: several hundred thousand lines of code

[1] J. Perez et al., “A Safety Concept for a Wind Power Mixed-Critically Embedded System Based on Multicore Partitioning”, 11th International Symposium - Functional Safety in Industrial Applications (TÜV Rheinland), Cologne, Germany, 2014.

Background - Statement of the problem (continued)

(Slides 6 and 7: figures taken from [1], with no further text.)

“Utopia” -> Dreams

(Diagram, two equations: ‘Original certified system, sub-system or element’ + ‘system, sub-system or element increment’ = ‘new system, sub-system or element’; and ‘Original certified system, sub-system or element’ + ‘system, sub-system or element change’ = ‘new system, sub-system or element’.)


Proposed solution

Propose strategies for the certification of product families (mixed-criticality) compliant with the standard (IEC-61508)

Provide cross-domain patterns, e.g.

Diagnosis strategy

I/O server, communication server, etc.

Modular safety cases for hypervisor, COTS multicore processor and network


(Same ‘increment’ / ‘change’ diagram as on the previous slide.)


Example – Diagnosis strategy pattern

IEC-61508: SIL3 with HFT=1 -> DC > 90% (the slide uses diagnostic coverage as shorthand; IEC-61508-2 Route 1H states the hardware requirement for SIL3 with HFT=1 as a safe failure fraction of at least 90% for a type B element such as a microprocessor)

Diagnosis strategy pattern (high level):

Hardware: the hardware provides autonomous diagnosis (e.g., IEC-61508-2 Table A.9 power failure monitor (PFM)) and diagnosis components to be commanded by software (e.g., IEC-61508-2 Table A.10 watchdog)

Hypervisor: the hypervisor health monitoring and diagnosis partitions should support platform-related diagnosis (e.g., IEC-61508-2 Table A.5 signature of a double word) and diagnosis that requires privileged mode

Partition: the partition should be self-contained and should provide safety life-cycle related techniques (e.g., IEC-61508-3 Table A.4 defensive programming) and platform-independent diagnosis (e.g., IEC-61508-2 Table A.7 input comparison / voting) abstracted from the details of the underlying platform

System: the system architect specifies and integrates the additional diagnosis partitions required to develop a safe product, taking into consideration all safety manuals

Qualified tools: qualified tools should support off-line constraint and coherency checks
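The partition-level part of this pattern, as an added example in C (not code from the slides or from the authors' system): a 2oo3 input comparison / voting diagnosis (IEC-61508-2 Table A.7) guarded by defensive-programming range checks (IEC-61508-3 Table A.4), with the watchdog (IEC-61508-2 Table A.10) serviced only when the diagnosis passes. The sensor range, the discrepancy tolerance and the watchdog hook are assumptions made for the example; the partition stays independent of the platform because it only sees three values and one service call.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Assumed engineering limits of one redundant input channel (raw ADC counts). */
#define SENSOR_MIN     0
#define SENSOR_MAX     4095
#define VOTE_TOLERANCE 8    /* largest accepted discrepancy between two channels */

typedef enum {
    VOTE_OK = 0,            /* all three channels agree within tolerance */
    VOTE_ONE_DISCREPANT,    /* 2oo3: one channel rejected, majority value used */
    VOTE_FAIL               /* no majority: the caller must go to the safe state */
} vote_status_t;

/* Defensive programming (IEC-61508-3 Table A.4): reject values that are
 * physically impossible before they take part in the vote. */
static bool plausible(int32_t v)
{
    return v >= SENSOR_MIN && v <= SENSOR_MAX;
}

static bool agree(int32_t a, int32_t b)
{
    return labs((long)a - (long)b) <= VOTE_TOLERANCE;
}

static int32_t median3(int32_t a, int32_t b, int32_t c)
{
    if ((a <= b && b <= c) || (c <= b && b <= a)) return b;
    if ((b <= a && a <= c) || (c <= a && a <= b)) return a;
    return c;
}

/* Input comparison / voting (IEC-61508-2 Table A.7), 2oo3 variant.
 * Writes the voted value through *out whenever a majority exists. A single
 * drifting or out-of-range channel is outvoted; with no agreeing pair there
 * is no trustworthy value and *out is left untouched. */
vote_status_t vote_2oo3(int32_t a, int32_t b, int32_t c, int32_t *out)
{
    bool pa = plausible(a), pb = plausible(b), pc = plausible(c);
    bool ab = pa && pb && agree(a, b);
    bool bc = pb && pc && agree(b, c);
    bool ac = pa && pc && agree(a, c);

    if (ab && bc && ac) {
        *out = median3(a, b, c);
        return VOTE_OK;
    }
    /* One or two pairs agree: use the first agreeing pair. */
    if (ab) { *out = (a + b) / 2; return VOTE_ONE_DISCREPANT; }
    if (bc) { *out = (b + c) / 2; return VOTE_ONE_DISCREPANT; }
    if (ac) { *out = (a + c) / 2; return VOTE_ONE_DISCREPANT; }
    return VOTE_FAIL;
}

/* Hypothetical platform hook (assumption). In the real partition this writes
 * the watchdog service register made available by the hypervisor; here it
 * only counts the services so the behaviour can be checked. */
static unsigned wd_kicks;
static void watchdog_kick(void) { wd_kicks++; }
unsigned watchdog_kick_count(void) { return wd_kicks; }

/* One cycle of the partition: run the diagnosis first and service the
 * watchdog (IEC-61508-2 Table A.10) only when it passes. On VOTE_FAIL the
 * watchdog is deliberately not serviced, so the hardware forces the safe
 * state if the failure persists. Returns true when the cycle was safe. */
bool partition_cycle(int32_t a, int32_t b, int32_t c, int32_t *voted)
{
    if (vote_2oo3(a, b, c, voted) == VOTE_FAIL)
        return false;
    watchdog_kick();
    return true;
}
```

The tolerance check runs only on channels that passed the plausibility check, so an out-of-range reading can never form part of a majority; the watchdog is serviced after the vote rather than at the top of the loop, which is the ordering that turns the hardware watchdog into a diagnosis of the partition's own control flow.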



Example – Digital I/O server

Problem: safety-related and non-safety-related partitions need to command ‘digital output(s)’

In a ‘product family’ the number of requested outputs and their ownership might increase

In order to enable the reuse of partitions, they should be abstracted from the platform-specific details of commanding digital outputs (e.g., registers)

I/O server pattern: the system design might be simplified if partitions command ‘digital outputs’ logically, abstracted (using partition ports) from the processor-specific control of ‘digital outputs’ and the associated diagnosis (e.g., register diagnosis, time-outs, etc.)

I/O server “compliant item” (software partition): the ‘I/O server’ provides a “safe digital output command” safety function, SIL3 IEC-61508 / SIL4 EN-50128.

The ‘I/O server’ partition manages a configurable number of digital outputs, each of them commanded through one communication port, and performs basic diagnosis such as register diagnosis, configurable time-out, etc.

The configuration of the ‘I/O server’ and the connection of communication ports are performed off-line (qualified tools)

The ‘I/O server’ relies on the safety-related functions (e.g., safe virtualisation of resources) provided by the hypervisor (modular safety case of the hypervisor)
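The core of such an ‘I/O server’ partition, as an added example in C (not the authors' code and not XtratuM's port API): a command received on a partition port is range-checked, its redundant encoding verified, its sequence number checked, written to the output register and read back (register diagnosis), and a periodic tick enforces the configurable time-out. The message layout, the number of outputs, the time-out value and the simulated register are assumptions; the safe state is every output de-energised, and it is latched once a fault is detected.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define IO_OUTPUTS    4     /* fixed off-line by the configuration tools (assumed value) */
#define IO_TIMEOUT_MS 50    /* an energised output must be re-commanded within this time (assumed) */

/* Command received on a partition port (layout assumed for this example).
 * The value travels with its bitwise complement so that a zeroed, stale or
 * corrupted buffer is not mistaken for a valid command. */
typedef struct {
    uint8_t output;     /* index of the digital output */
    uint8_t value;      /* 0 = de-energised (safe), 1 = energised */
    uint8_t value_inv;  /* must equal (uint8_t)~value */
    uint8_t seq;        /* per-output sequence counter, must advance by one */
} io_cmd_t;

typedef enum {
    IO_OK = 0,
    IO_ERR_RANGE,        /* unknown output or value other than 0/1 */
    IO_ERR_REDUNDANCY,   /* value and complement disagree */
    IO_ERR_SEQ,          /* lost, duplicated or replayed command */
    IO_ERR_READBACK,     /* register diagnosis: hardware did not take the value */
    IO_ERR_TIMEOUT,      /* energised output not refreshed in time */
    IO_ERR_SAFE_STATE    /* server already latched in the safe state */
} io_status_t;

/* Simulated output register (assumption). In the real partition this is the
 * memory-mapped register virtualised by the hypervisor; the stuck mask lets a
 * test inject a stuck-at-0 fault on the read-back path. */
static uint8_t hw_reg[IO_OUTPUTS];
static uint8_t stuck_mask[IO_OUTPUTS];

static void    reg_write(uint8_t i, uint8_t v) { hw_reg[i] = v; }
static uint8_t reg_read(uint8_t i)             { return stuck_mask[i] ? 0 : hw_reg[i]; }

void    io_inject_stuck(uint8_t i, bool stuck) { stuck_mask[i] = stuck; }
uint8_t io_output_state(uint8_t i)             { return hw_reg[i]; }

typedef struct {
    uint8_t  commanded[IO_OUTPUTS];    /* last accepted value per output */
    uint8_t  expect_seq[IO_OUTPUTS];
    uint32_t last_cmd_ms[IO_OUTPUTS];
    bool     safe_state;               /* latched until the partition is restarted */
} io_server_t;

void io_server_init(io_server_t *s, uint32_t now_ms)
{
    memset(s, 0, sizeof *s);
    memset(hw_reg, 0, sizeof hw_reg);
    memset(stuck_mask, 0, sizeof stuck_mask);
    for (int i = 0; i < IO_OUTPUTS; i++) s->last_cmd_ms[i] = now_ms;
}

/* Safe state = every output de-energised. Latched: a fault detected once is
 * not cleared by a later well-formed command. */
static void go_safe(io_server_t *s)
{
    s->safe_state = true;
    for (uint8_t i = 0; i < IO_OUTPUTS; i++) { s->commanded[i] = 0; reg_write(i, 0); }
}

/* Handle one port message. A malformed address is only reported; every check
 * that fails on a message addressed to a valid output drives the server to
 * the safe state. */
io_status_t io_server_handle(io_server_t *s, const io_cmd_t *cmd, uint32_t now_ms)
{
    if (s->safe_state) return IO_ERR_SAFE_STATE;
    if (cmd->output >= IO_OUTPUTS || cmd->value > 1) return IO_ERR_RANGE;
    if (cmd->value_inv != (uint8_t)~cmd->value) { go_safe(s); return IO_ERR_REDUNDANCY; }
    if (cmd->seq != s->expect_seq[cmd->output])  { go_safe(s); return IO_ERR_SEQ; }
    s->expect_seq[cmd->output]++;

    s->commanded[cmd->output] = cmd->value;
    reg_write(cmd->output, cmd->value);
    if (reg_read(cmd->output) != cmd->value)     { go_safe(s); return IO_ERR_READBACK; }
    s->last_cmd_ms[cmd->output] = now_ms;
    return IO_OK;
}

/* Periodic diagnosis run in the server's own time slot: re-check every
 * register against the commanded value and enforce the refresh time-out on
 * energised outputs. A de-energised output is already in the safe state and
 * needs no refresh. */
io_status_t io_server_tick(io_server_t *s, uint32_t now_ms)
{
    if (s->safe_state) return IO_ERR_SAFE_STATE;
    for (uint8_t i = 0; i < IO_OUTPUTS; i++) {
        if (reg_read(i) != s->commanded[i]) { go_safe(s); return IO_ERR_READBACK; }
        if (s->commanded[i] && now_ms - s->last_cmd_ms[i] > IO_TIMEOUT_MS) {
            go_safe(s);
            return IO_ERR_TIMEOUT;
        }
    }
    return IO_OK;
}
```

The commanding partition never touches the register: it only sends the small message above on its port, which is what lets the same partition be reused on a different processor or with a different number of outputs without re-certifying it, while the register diagnosis and time-out stay inside the server's own safety case.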



Example – Communication I/O server

Problem: safety-related and non-safety-related partitions need to communicate (networks)

In a ‘product family’ the number of functions that require communication might increase, mixing safety-related and non-safety-related communication requirements

In a ‘product family’ the underlying communication network might be replaced (e.g., EtherCAT -> TTEthernet)

In order to enable the reuse of partitions, they should be abstracted from the platform-specific details of managing the network (e.g., registers)

Communication server pattern: the system design might be simplified if partitions communicate logically, abstracted (using partition ports) from the processor-specific control of the network and the associated diagnosis (e.g., register diagnosis, time-outs, etc.)

Communication server “compliant item” (software partition): the ‘communication server’ manages a network protocol (black or white channel; in IEC-61508 terms, a black channel is a network that is not itself part of the safety function, so the end-to-end safety measures live in the communicating partitions, while a white channel is a network designed and validated as part of the safety function)

The ‘communication server’ partition switches information from/to communication ports / network, and can perform basic diagnosis

The configuration of the ‘communication server’ and the connection of communication ports are performed off-line (qualified tools)

If white channel, the ‘communication server’ relies on the safety-related functions (e.g., safe virtualisation of resources) provided by the hypervisor (modular safety case of the hypervisor and modular safety case of the network)
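What the black-channel case means for the partitions on either side of the ‘communication server’, as an added example in C (not the authors' code): the server and the network only forward opaque bytes, so each safety-related partition wraps its payload in a safety layer (sequence number, time stamp, CRC) and the receiver rejects corruption, delay, loss, repetition and replay end to end. The frame layout, the CRC-16/CCITT-FALSE polynomial, the freshness budget and the assumption of a common time base are this example's choices.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PAYLOAD_LEN 8
#define FRAME_LEN   (2 + 4 + PAYLOAD_LEN + 2)   /* seq | timestamp | payload | crc */
#define MAX_AGE_MS  20                          /* assumed freshness budget */

/* CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF), bitwise. The polynomial is
 * this example's choice; a real safety layer picks it from a residual-error
 * analysis for the message length and the required SIL. */
static uint16_t crc16(const uint8_t *p, size_t n)
{
    uint16_t crc = 0xFFFF;
    for (size_t i = 0; i < n; i++) {
        crc ^= (uint16_t)(p[i] << 8);
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x8000u) ? (uint16_t)((crc << 1) ^ 0x1021u)
                                  : (uint16_t)(crc << 1);
    }
    return crc;
}

typedef struct { uint16_t next_seq; } safe_tx_t;
typedef struct { uint16_t expect_seq; } safe_rx_t;

typedef enum { RX_OK = 0, RX_ERR_CRC, RX_ERR_STALE, RX_ERR_SEQ } rx_status_t;

/* Sender: wrap the payload with the safety measures. The communication
 * server and the network below see nothing but FRAME_LEN opaque bytes. */
void safe_tx_build(safe_tx_t *tx, uint32_t now_ms,
                   const uint8_t payload[PAYLOAD_LEN], uint8_t out[FRAME_LEN])
{
    out[0] = (uint8_t)(tx->next_seq >> 8);
    out[1] = (uint8_t)(tx->next_seq);
    out[2] = (uint8_t)(now_ms >> 24);
    out[3] = (uint8_t)(now_ms >> 16);
    out[4] = (uint8_t)(now_ms >> 8);
    out[5] = (uint8_t)(now_ms);
    memcpy(&out[6], payload, PAYLOAD_LEN);
    uint16_t c = crc16(out, FRAME_LEN - 2);
    out[FRAME_LEN - 2] = (uint8_t)(c >> 8);
    out[FRAME_LEN - 1] = (uint8_t)(c);
    tx->next_seq++;
}

/* Receiver: hand out the payload only if integrity, freshness and ordering
 * all hold. Any rejection must drive the consuming partition to its safe
 * state; resynchronisation after a loss is deliberately not modelled. */
rx_status_t safe_rx_check(safe_rx_t *rx, uint32_t now_ms,
                          const uint8_t in[FRAME_LEN], uint8_t payload[PAYLOAD_LEN])
{
    uint16_t crc_rx = (uint16_t)((in[FRAME_LEN - 2] << 8) | in[FRAME_LEN - 1]);
    if (crc16(in, FRAME_LEN - 2) != crc_rx) return RX_ERR_CRC;     /* corruption */

    uint32_t ts = ((uint32_t)in[2] << 24) | ((uint32_t)in[3] << 16) |
                  ((uint32_t)in[4] << 8)  |  (uint32_t)in[5];
    /* Delay; the unsigned wrap also rejects a time stamp from the future. */
    if (now_ms - ts > MAX_AGE_MS) return RX_ERR_STALE;

    uint16_t seq = (uint16_t)((in[0] << 8) | in[1]);
    if (seq != rx->expect_seq) return RX_ERR_SEQ;   /* loss, repetition, replay, re-ordering */

    rx->expect_seq = (uint16_t)(seq + 1);
    memcpy(payload, &in[6], PAYLOAD_LEN);
    return RX_OK;
}
```

Because none of these checks depend on the network, EtherCAT can be swapped for TTEthernet underneath the communication server without touching the partitions' safety layer; in the white-channel case the same measures are instead claimed from the network's own modular safety case.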



Summary

Objective: pave the way towards the competitive development of mixed-criticality product families (IEC-61508)

By means of:

Definition of strategies for the certification of mixed-criticality ‘product families’

Definition of cross-domain patterns (example solutions to well known / repetitive problems)

Definition of modular safety cases for hypervisor, multicore processor and network communication
