How to use COTS components for IEC61508 - Vector...2017/07/18 · IEC 61506 Structure Functional...

© Vector Software

How to use COTS components for IEC61508

© Vector Software

Functional Safety and IEC 61508

How to use COTS components for IEC61508

Demo: White Box- and Unit-Test for IEC61508

Q&A

Agenda

1

2

3

4

V0.1 | 2017-07-19 © 2017. Vector Informatik GmbH. All rights reserved. Any distribution or copying is subject to prior written approval by Vector.

Dr. Christof Ebert


2 © 2017. Vector Informatik GmbH. All rights reserved. Any distribution or copying is subject to prior written approval by Vector. V0.1 | 2017-07-19

Safety and Security Are the Major Challenges across Industries


Innovative Products

Others

Connectivity

Distributed Development

Efficiencyand Cost

Digital Transformation

Governance and Compliance

ComplexityManagement

Securityand Safety

0%

10%

20%

30%

40%

50%

60%

70%

0% 10% 20% 30% 40% 50% 60% 70%

Mid

-term

challenges

Short-term challenges

Vector Client Survey 2017. Details: www.vector.com/trends. Horizontal axis shows short-term challenges; vertical axis shows mid-term challenges. Sum > 100% due to 3 answers per question. Strong validity with >4% response rate of 1500 recipients from different industries worldwide.

11/20

Safety matters across industries

Exposure of practically all electronic functions

Risk of liability

IEC 61508 is the lead of all safety standards in electronics

Further standards have

been derived and made more extensive, such as ISO 26262

http://www.vector.com/trends


Safety Needs a Systematic Approach to Mitigate Inherent Risks


11/20

Many methods and techniques to select from

High complexity of underlying systems and environment

Risk of uninformed usage

Need for good

guidance and tools

Fault

Failure

Error

Fault

Failure

Error

Fault

Failure

Error

System layer

Hazard

1 X

2 X 3 X

4 X

Cause of the error, e.g. code mistake

Inability to perform the required function

as specified

Incorrect state that may lead to a failure

Eff

ect

1 Fault prevention

Guidelines

Processes

2 Fault detection

Code analysis

Review, Test

3 Fault tolerance

Redundant design

Memory protection

4 Robustness

Redundant shut-off

Fail-operational


IEC 61506 Structure


11/20

IEC 61508 is a Complex Standard which spans the entire Product Life-Cycle

In practice we see the risk of overheads and bureaucracy

when applied in “copy-paste” approach

Risk based approaches to the development of the safety

integrity requirements

Guidelines for the application of parts 2 and 3

Technical

requirements

Development of the overall safety requirements (concept, scope definition, hazard and risk analysis)

7.1 to 7.5

Part 1

Allocation of the safety requirements to the E/E/PE safety-related systems

7.6 Overview of techniques and

measures Realisation phase for E/E/PE safety- related

systems

Realisation phase for safety- related software

Installation and commissioning and safety validation of E/E/PE safety-related systems

7.13 and 7.14

Part 1

Part 2 Part 3

Part 5

Part 7

Part 6

Operation and maintenance, modification and retrofit, decommissioning or disposal of E/E/PE safety-related

systems 7.15 to 7.17

Part 1

Part 1


Mitigate Safety Risks Across the Life-Cycle


11/20

IEC 61508 goal is to reduce risk to a acceptable extent over the entire life-cycle

Safety: Free from unacceptable risks

Risk:

Combination of probability of occurrence of failure and the severity

System Req. Analysis

Component Test

System Design

Component Req. Analysis

Component Implementation

System Integration

Component Integration

Component Design

System Req. Analysis

Component Test

System Design

Component Req. Analysis

Component Implementation

System Integration

Component Integration

Component Design

System Test

System Test

Item Definition

Hazard and Risk Analysis

System Safety Concept

Qualitative Safety Analyses

Quantitative Safety Analyses

Validation

Safety Case

Verification

Project Schedule

Project Manual

DIA

Company Processes


IEC 61508 is Part of the Global Standards Framework


11/20

ISO/TS 16949 ISO 9001

Product Development Process

Process Maturity

Application of methodological Frameworks Automotive SPICE® or CMMI

Process

- Safety Management - Project Management - Risk Management - Quality Assurance - Requirements-Mgmt. - Configuration-Mgmt. - Test Management - …

Functional Safety with IEC 61508

Methods

- FMEA,FTA

- FMEDA

- Analysis of dependent failures

- ASIL decomposition - …

Technology

- Measures against random HW failures - Measures against systematic failures

(System, HW, SW) - Development of safety concepts - Implementation of safety mechanisms - …


Success with IEC 61508: Systematically Implement Functional Safety


11/20

Products

Technical measures against hardware and software failures to - avoid failures and - make unavoidable failures safe.

Examples: Redundancy, Reuse with AUTOSAR

Processes

All development activities are concerned as well as production and field observation.

Examples: Hazard analysis during concept definition, consistent modeling in PREEvision

People

New roles and skills as well as cultural changes for engineering and management staff.

Examples: Safety engineering skills, safety manager role, safety culture

8

For more information about Vector and our products please visit www.vector.com

Author: Dr. Christof Ebert Vector Germany

© 2017. Vector Informatik GmbH. All rights reserved. Any distribution or copying is subject to prior written approval by Vector. V0.1 | 2017-07-19

http://www.vector.com/

© Vector Software

™

© 2017 WIND RIVER. ALL RIGHTS RESERVED.

USE OF COTS COMPONENTS FOR IEC 61508

Alex Wilson

Director, Market Development

2 © 2017 WIND RIVER. ALL RIGHTS RESERVED.

DISCLAIMER

The following presentation is intended to outline our general product direction.

It is intended for information purposes only, and may not be incorporated into any contract.

It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions.

The development, release, and timing of any features or functionality described for Wind River® products remains at the sole discretion of Wind River.

The following is confidential and proprietary information of Wind River subject to confidentiality agreements between the recipient and Wind River. In reviewing these materials, the recipient agrees with Wind River that none of the following information may be disclosed by the recipient to any third party without the consent of Wind River and that the recipient may not use any of the following information for any purpose not expressly authorized by Wind River.

HERITAGE

1981: Founded

1993: IPO

2009: An Intel Company

SCALE

1,200 Employees

Presence in 20+ countries

LEADERSHIP

Commercial OS Market Share Leader

Broadest Embedded Software Portfolio

INVESTMENT

30+% of Annual Spend is on R&D

Rich History of M&A

For over 30 years, Wind River has helped the world's technology leaders power generation after generation of

the safest, most secure devices in the world


VxWORKS Real Time Operating System


SAFETY PROFILE FOR VxWORKS

Core Capabilities

Support for ARM, Intel architecture, Power architecture

VxPOD provides portable deterministic container

– Safety isolation of applications

– VxWorks and POSIX APIs

Safety partitioning scheduler

– Time and space partitioning for VxPOD

Access control

– Security and safety partitioning of system resources


User

Interface

Temp

Control

Pump

Control

Common Platform Common Platform

User

Interface

Chart

Recorder

Common Platform

Pump

Control

Safety Partitioning Module

Sensor

Control

User

Interface

Sensor

Control

VxPOD (RTP SET REUSE)

VxPOD provides portable deterministic container

VxWorks API

POSIX API

RTP and kernel objects

Relative priorities

Absolute time requirement

Agnostic to number of cores


SAFETY PARTITIONING SCHEDULER

Critical applications get a guaranteed time window to run Core affinity avoids core transfers and brings the predictability needed for safety applications Ability exists to avoid hardware-based inter-core interactions

VxWorks 7 Safety Scheduler

CPU 0 CPU 1 CPU n

Low Criticality Function (e.g., HMI,

logging, system checks)

Kernel Tasks

RTP 6

RTP 5

Medium Criticality Function (e.g.,

communication function)

RTP 1

RTP 2

High Criticality Function (e.g., motor control, emergency

handling)

Kernel Tasks

RTP 3

RTP 4

Time Partition 3

t3 Ticks

Time Partition 2

t2 Ticks

Time Partition 1

t1 Ticks

Time


ACCESS CONTROL

System calls

– Restricts calls that are allowed

– Any call can be filtered, e.g., open( )

Objects

– Prevents code from accessing public objects not explicitly allowed

– Semaphores, message queues, data, etc.

Resources

– Limits how much memory can be allocated


USING COTS TECHNOLOGY FOR CERTIFICATION


IEC 61508 FUNCTIONAL SAFETY

For Programmable Electronics

Safety Function

Equipment

Under

Control

Safety Function Requirements

What the function does

Safety Integrity Requirements

The likelihood of a safety

function being performed

satisfactorily (SIL)

Equipment Under Control (EUC): Industrial plant, e.g., welding robotics

Safety Function: A function that is carried out by a (safety-related)

system to minimize risks with the goal of achieving and/or maintaining a

secure state for the EUC when a pre-defined dangerous incident is taken

into account

PE

Programmable Electronics (PE): Hardware + software


WHERE DO WIND RIVER & VECTOR SOFTWARE FIT INTO THE STORY?

Programmable Electronics

PE

Safety Critical

Applications

Safety Profile for

VxWorks RTOS

Safety Profile for

VxWorks BSP

Target Hardware

Wind River COTS

IEC 61508 SIL 3

Wind River

Professional Services

Customer

IEC 61508 SIL 3

Vector Software Test

Tools

Vector Software Test

Tools


Fed

era

ted

2000 2017

VxWorks Cert

DO-178 Level A

IEC-61508 SIL 3

PowerPC

750

PowerPC

74xx

PowerPC

8245

VxWorks Cert

DO-178 Level B

Intel

Pentium III

VxWorks Cert

DO-178 Level A

IEC-61508 SIL 3

PowerPC

MPC8349E

PowerPC

MPC7447

Intel

Core 2 Duo*

* Denotes single core operation

VxWorks Cert

DO-178 Level A

IEC-61508 SIL 3

PowerPC

MPC8349E

PowerPC

MPC7447

Intel

Core 2 Duo*

Intel

Atom*

VxWorks 653

DO-178 Level A

PowerPC

750

PowerPC

74xx

VxWorks 653

DO-178 Level A

PowerPC

750GX

VxWorks 653

DO-178 Level A

PowerPC

MPC8349E

PowerPC

MPC8560

VxWorks 653

DO-178 Level A

PowerPC

MPC8641D*

PowerPC

MPC8270

VxWorks 653

DO-178 Level A

PowerPC

MPC8349E

PowerPC

750GX

VxWorks Cert

DO-178 Level A

IEC-61508 SIL 3

PowerPC

750GX

PowerPC

MPC8548 (e500v2)

PowerPC

8280

VxWorks 653

DO-178 Level A

PowerPC

P4080* (e500mc)

PowerPC

MPC8548 (e500v2)

VxWorks 653

DO-178 Level A

+ FACE

PowerPC

P4080* (e500mc)

VxWORKS RTOS CERTIFICATION HISTORY

VxWorks 653

Multi-core Edition

DO-178 Level A

PowerPC

T2080 (e6500)


Risk based approaches

to the development of the

safety integrity

requirements

Guidelines for the

application of parts 2

and 3

Technical

Requirements

Other

Requirements

Development of the overall safety requirements

(concept, scope definition, hazard and risk

analysis)

7.1 to 7.5

Part 1

Allocation of the safety requirements to the E/E/PE

safety-related systems

7.6

Overview of

techniques and

measures

Definitions and Abbreviations

Part 4

Documentation Clause 5 and

Annex A

Part 1

Management of Functional

Safety Clause 6

Part 1

Functional Safety Assessment

Clause 8

Part 1

Realization phase for

E/E/PE safety-

related systems

Realization phase

for safety-related

software

Installation and commissioning and safety

validation of E/E/PE safety-related systems

7.13 and 7.14

Part 1

Part 2 Part 3

Part 5

Part 7

Part 6

Operation and maintenance, modification and

retrofit, decommissioning or disposal of E/E/PE

safety-related systems 7.15 to 7.17

Part 1

Part 1

WIND RIVER ENGAGEMENT IN THE OVERALL FRAMEWORK


VxWORKS 7 SAFETY MANUAL

How to safely use Safety Profile for VxWorks 7 in a certified environment

Standards

IEC 61508

Cert authority

– TÜV

– Determines compliance with standards

Best Practices

Installation instructions

Build environment

User interface

BSP

Processor

Error handling

Guidelines

APIs

– RTPs

– DKMs

– VIP

– VSBs

Restrictions

TPs, DKMs, VIP, VSB

Hazard Mitigation

Failure mode and effect analysis (FMEA)

Partitioning (VxPOD)

Safe inter-process communications

Hardware hazards


MULTI-CORE SYSTEM CERTIFICATION

Safety Systems for Avionics

Multiple levels of criticality

Multiple cores for separation

Time and space partitioning

– ARINC 653 standard

Abstraction interface

– ARINC 653 APIs

– VxWorks APIs

– POSIX APIs

DO-178C certification

Flight Management Application

DAL B

Payload ManagementApplication

DAL A

Comms Application

DAL C

RTOS

Core 0 Core1 Core 2 Core 3

Avionics Bus (MIL-STD-1553, ARINC 429,ARNIC 664, SAE AS6802 …)

Architecture Support Board Support

Multi-core Hardware

Resource Manager (SW Hypervisor) XML Data


RULES OF THUMB FOR QUALITATIVE REQUIREMENTS

10-9

10-8

10-7

10-6

10-5

ARP4761 EN 5012x IEC 61508

DA

L C

D

AL B

D

AL A

SIL

1

SIL

2

SIL

3

SIL

4

SIL

1

SIL

2

SIL

3

SIL

4

Zones of Similar Qualitative

Requirements

Zone A

Zone B

© Vector Software

Ingo Nickles Sr. Field Application Engineer

Tel.: +49 2152 8088-8082 [email protected]

www.vectorcast.com How to use COTS components for IEC61508

© Vector Software

Vector Software, Inc. founded in 1990

First version of VectorCAST released for Lockheed Martin • DO-178 (Avionic), embedded, class A (highest criticality)

TÜV SÜD Certified for

Global Services • Training, best practice workshops, project delivery

Since 2017 part of Vector Informatik, Stuttgart, Germany

Vector Software – Who we are

VectorCAST

System Testing

Integration Testing

Unit Testing

Coding

Requirements Specification

Architecture

System Design

IEC 61508 ISO 26262 EN 50128 IEC 62304

© Vector Software

Where does VectorCAST Fit in Your Environment?

System Testing

Integration Testing

Unit Testing

Static Code Analysis Coding

Test Driven Development

Auto generate test code

Testing sub-components

Code Coverage

Change-based Testing

Regression Testing

ALM RQM SCM

Design-Tools Development- Tools

Static Analysis ...

Communication

Reporting

VectorCAST

© Vector Software

Demo-Setup: Unit Testing with VectorCAST and VxWorks7

Source File

Source File

Source File

Source File

Source File

Source File

Source File

Source File

Unit – Test Application

Source File

Test Driver

Stubs

Startup Code

Test Data (Input and Expected)

© Vector Software

Contact

Ingo Nickles Senior Field Application Engineer

Phone: +49 2152 8088-8082 [email protected]

www.vectorcast.com

Dr. Christof Ebert Managing Director Vector Consulting Services GmbH Phone: +49 711 80670 1525 [email protected] www.vector.com/consulting

Alex Wilson Director, Market Development Wind River Phone: +44 1283 792-001 [email protected] www.windriver.com

How to use COTS components for IEC61508 - Vector...2017/07/18 · IEC 61506 Structure Functional...

Documents

Transcript of How to use COTS components for IEC61508 - Vector...2017/07/18 · IEC 61506 Structure Functional...