Transcript of: How to use COTS components for IEC61508 - Vector Software, 2017/07/18
© Vector Software
How to use COTS components for IEC61508
Agenda
1. Functional Safety and IEC 61508
2. How to use COTS components for IEC61508
3. Demo: White Box- and Unit-Test for IEC61508
4. Q&A
V0.1 | 2017-07-19 © 2017. Vector Informatik GmbH. All rights reserved. Any distribution or copying is subject to prior written approval by Vector.
Dr. Christof Ebert
Functional Safety and IEC 61508
Safety and Security Are the Major Challenges across Industries
Chart (Vector Client Survey 2017): short-term challenges on the horizontal axis against mid-term challenges on the vertical axis, both scaled 0% to 70%, for the categories Innovative Products, Connectivity, Distributed Development, Efficiency and Cost, Digital Transformation, Governance and Compliance, Complexity Management, Security and Safety, and Others.
Vector Client Survey 2017. Details: www.vector.com/trends. Horizontal axis shows short-term challenges; vertical axis shows mid-term challenges. Sum > 100% due to 3 answers per question. Strong validity with >4% response rate of 1500 recipients from different industries worldwide.
Safety matters across industries
Exposure of practically all electronic functions
Risk of liability
IEC 61508 is the lead of all safety standards in electronics
Further standards have been derived and made more extensive, such as ISO 26262
Safety Needs a Systematic Approach to Mitigate Inherent Risks
Many methods and techniques to select from
High complexity of underlying systems and environment
Risk of uninformed usage
Need for good guidance and tools
Figure: fault, error and failure chain. At each system layer a fault leads to an error, the error to a failure, and the failure at the system layer to a hazard; the numbers 1 to 4 mark where each of the measures listed below intervenes in the chain.
Fault: cause of the error, e.g. code mistake
Error: incorrect state that may lead to a failure
Failure: inability to perform the required function as specified
Effect: the hazard at the system layer
1 Fault prevention: Guidelines, Processes
2 Fault detection: Code analysis; Review, Test
3 Fault tolerance: Redundant design, Memory protection
4 Robustness: Redundant shut-off, Fail-operational
IEC 61508 Structure
IEC 61508 is a complex standard which spans the entire product life-cycle. In practice we see the risk of overheads and bureaucracy when it is applied in a “copy-paste” approach.
Figure: structure of IEC 61508 along the life-cycle.
Technical requirements:
Part 1, 7.1 to 7.5: Development of the overall safety requirements (concept, scope definition, hazard and risk analysis)
Part 1, 7.6: Allocation of the safety requirements to the E/E/PE safety-related systems
Part 2: Realisation phase for E/E/PE safety-related systems
Part 3: Realisation phase for safety-related software
Part 1, 7.13 and 7.14: Installation and commissioning and safety validation of E/E/PE safety-related systems
Part 1, 7.15 to 7.17: Operation and maintenance, modification and retrofit, decommissioning or disposal of E/E/PE safety-related systems
Supporting parts:
Part 5: Risk based approaches to the development of the safety integrity requirements
Part 6: Guidelines for the application of parts 2 and 3
Part 7: Overview of techniques and measures
Mitigate Safety Risks Across the Life-Cycle
The goal of IEC 61508 is to reduce risk to an acceptable extent over the entire life-cycle
Safety: free from unacceptable risks
Risk: combination of the probability of occurrence of a failure and its severity
Figure: V-model of the development life-cycle (System Req. Analysis, System Design, Component Req. Analysis, Component Design, Component Implementation, Component Integration, Component Test, System Integration, System Test) with the safety activities placed alongside it: Item Definition, Hazard and Risk Analysis, System Safety Concept, Qualitative Safety Analyses, Quantitative Safety Analyses, Verification, Validation, Safety Case. Supporting artefacts: Project Schedule, Project Manual, DIA (Development Interface Agreement), Company Processes.
IEC 61508 is Part of the Global Standards Framework
Process: ISO/TS 16949, ISO 9001; Product Development Process; Process Maturity; application of methodological frameworks such as Automotive SPICE® or CMMI
- Safety Management
- Project Management
- Risk Management
- Quality Assurance
- Requirements Management
- Configuration Management
- Test Management
- …
Functional Safety with IEC 61508 covers methods and technology.
Methods:
- FMEA, FTA
- FMEDA
- Analysis of dependent failures
- ASIL decomposition
- …
Technology:
- Measures against random HW failures
- Measures against systematic failures (System, HW, SW)
- Development of safety concepts
- Implementation of safety mechanisms
- …
Success with IEC 61508: Systematically Implement Functional Safety
Products: technical measures against hardware and software failures to avoid failures and to make unavoidable failures safe. Examples: Redundancy, Reuse with AUTOSAR
Processes: all development activities are concerned, as well as production and field observation. Examples: Hazard analysis during concept definition, consistent modeling in PREEvision
People: new roles and skills as well as cultural changes for engineering and management staff. Examples: Safety engineering skills, safety manager role, safety culture
For more information about Vector and our products please visit www.vector.com
Author: Dr. Christof Ebert Vector Germany
© 2017 WIND RIVER. ALL RIGHTS RESERVED.
USE OF COTS COMPONENTS FOR IEC 61508
Alex Wilson
Director, Market Development
DISCLAIMER
The following presentation is intended to outline our general product direction.
It is intended for information purposes only, and may not be incorporated into any contract.
It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions.
The development, release, and timing of any features or functionality described for Wind River® products remains at the sole discretion of Wind River.
The following is confidential and proprietary information of Wind River subject to confidentiality agreements between the recipient and Wind River. In reviewing these materials, the recipient agrees with Wind River that none of the following information may be disclosed by the recipient to any third party without the consent of Wind River and that the recipient may not use any of the following information for any purpose not expressly authorized by Wind River.
HERITAGE: 1981 founded; 1993 IPO; 2009 an Intel company
SCALE: 1,200 employees; presence in 20+ countries
LEADERSHIP: commercial OS market share leader; broadest embedded software portfolio
INVESTMENT: 30+% of annual spend is on R&D; rich history of M&A
For over 30 years, Wind River has helped the world's technology leaders power generation after generation of the safest, most secure devices in the world
VxWORKS Real Time Operating System
SAFETY PROFILE FOR VxWORKS
Core Capabilities
Support for ARM, Intel architecture, Power architecture
VxPOD provides portable deterministic container
– Safety isolation of applications
– VxWorks and POSIX APIs
Safety partitioning scheduler
– Time and space partitioning for VxPOD
Access control
– Security and safety partitioning of system resources
Figure: example application partitioning. Application blocks such as User Interface, Temp Control, Pump Control, Chart Recorder and Sensor Control each run in their own VxPOD on a Common Platform, separated by the Safety Partitioning Module.
VxPOD (RTP SET REUSE): VxPOD provides a portable deterministic container
VxWorks API
POSIX API
RTP and kernel objects
Relative priorities
Absolute time requirement
Agnostic to number of cores
SAFETY PARTITIONING SCHEDULER
Critical applications get a guaranteed time window to run
Core affinity avoids core transfers and brings the predictability needed for safety applications
Ability exists to avoid hardware-based inter-core interactions
Figure: VxWorks 7 Safety Scheduler across CPU 0, CPU 1 … CPU n. Applications are grouped by criticality: low criticality functions (e.g., HMI, logging, system checks: kernel tasks, RTP 5, RTP 6), medium criticality functions (e.g., communication function: RTP 1, RTP 2) and high criticality functions (e.g., motor control, emergency handling: kernel tasks, RTP 3, RTP 4). The timeline is divided into Time Partition 1 (t1 ticks), Time Partition 2 (t2 ticks) and Time Partition 3 (t3 ticks).
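A minimal model of the time-partitioned schedule described above, added here as an illustration (it is not Wind River code and does not use the VxWorks API): every partition receives a fixed window of ticks per major frame, and a low-criticality partition that overruns is cut off at its window boundary, so the high-criticality partition still gets its guaranteed time. The partition names, tick budgets and demands are constructed values.

```c
#include <stdio.h>
/* Added illustration (not Wind River code): a cyclic time-partition schedule.
 * Each partition owns a fixed window of ticks in one major frame (t1/t2/t3 on
 * the slide). A partition wanting more CPU than its window is cut off at the
 * boundary, so it cannot starve the partition that follows it. */
typedef struct {
    const char *name;   /* constructed names, e.g. "motor control" */
    int criticality;    /* 1 = low, 2 = medium, 3 = high (illustrative) */
    int window_ticks;   /* guaranteed budget per major frame */
    int demand_ticks;   /* ticks the partition's tasks would consume if allowed */
} Partition;

/* Run one major frame; got[i] receives the ticks granted to partition i.
 * The return value (frame length) depends only on the windows, never on
 * demand: that constancy is what gives safety functions predictability. */
int run_major_frame(const Partition *p, int n, int *got) {
    int tick = 0;
    for (int i = 0; i < n; i++) {
        got[i] = 0;
        for (int w = 0; w < p[i].window_ticks; w++, tick++) {
            /* Idle ticks are never lent to another partition, so one
             * partition's load cannot shift another partition's timing.
             * Demand beyond the window simply waits for the next frame. */
            if (got[i] < p[i].demand_ticks) got[i]++;
        }
    }
    return tick;
}

/* The isolation property: every partition gets exactly min(demand, window). */
int frame_is_isolated(const Partition *p, int n, const int *got) {
    for (int i = 0; i < n; i++) {
        int want = p[i].demand_ticks, win = p[i].window_ticks;
        if (got[i] != (want < win ? want : win)) return 0;
    }
    return 1;
}

int main(void) {
    /* Constructed sample: the low-criticality partition overruns (demand > window). */
    Partition parts[] = { {"HMI/logging", 1, 3, 10},
                          {"communication", 2, 2, 2},
                          {"motor control", 3, 4, 4} };
    int got[3];
    int len = run_major_frame(parts, 3, got);
    for (int i = 0; i < 3; i++)
        printf("%-14s got %d of %d ticks\n", parts[i].name, got[i], parts[i].window_ticks);
    printf("frame = %d ticks, isolation %s\n", len,
           frame_is_isolated(parts, 3, got) ? "held" : "BROKEN");
    return 0;
}
```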
ACCESS CONTROL
System calls
– Restricts calls that are allowed
– Any call can be filtered, e.g., open()
Objects
– Prevents code from accessing public objects not explicitly allowed
– Semaphores, message queues, data, etc.
Resources
– Limits how much memory can be allocated
USING COTS TECHNOLOGY FOR CERTIFICATION
IEC 61508 FUNCTIONAL SAFETY
For Programmable Electronics
Figure: the Safety Function, implemented on Programmable Electronics (PE), acts on the Equipment Under Control. It is specified by Safety Function Requirements (what the function does) and Safety Integrity Requirements (the likelihood of a safety function being performed satisfactorily, SIL).
Equipment Under Control (EUC): industrial plant, e.g., welding robotics
Safety Function: a function that is carried out by a (safety-related) system to minimize risks with the goal of achieving and/or maintaining a secure state for the EUC when a pre-defined dangerous incident is taken into account
Programmable Electronics (PE): hardware + software
WHERE DO WIND RIVER & VECTOR SOFTWARE FIT INTO THE STORY?
Figure: the Programmable Electronics (PE) stack. Safety Critical Applications (the customer's, IEC 61508 SIL 3, supported by Wind River Professional Services) run on the Safety Profile for VxWorks RTOS and the Safety Profile for VxWorks BSP (Wind River COTS, IEC 61508 SIL 3) on the Target Hardware. Vector Software Test Tools are shown at two points in the stack.
VxWORKS RTOS CERTIFICATION HISTORY
Figure: timeline 2000 to 2017 of certified VxWorks releases and the processors they were certified on (* denotes single core operation):
VxWorks Cert, DO-178 Level A, IEC-61508 SIL 3: PowerPC 750, PowerPC 74xx, PowerPC 8245
VxWorks Cert, DO-178 Level B: Intel Pentium III
VxWorks Cert, DO-178 Level A, IEC-61508 SIL 3: PowerPC MPC8349E, PowerPC MPC7447, Intel Core 2 Duo*
VxWorks Cert, DO-178 Level A, IEC-61508 SIL 3: PowerPC MPC8349E, PowerPC MPC7447, Intel Core 2 Duo*, Intel Atom*
VxWorks 653, DO-178 Level A: PowerPC 750, PowerPC 74xx
VxWorks 653, DO-178 Level A: PowerPC 750GX
VxWorks 653, DO-178 Level A: PowerPC MPC8349E, PowerPC MPC8560
VxWorks 653, DO-178 Level A: PowerPC MPC8641D*, PowerPC MPC8270
VxWorks 653, DO-178 Level A: PowerPC MPC8349E, PowerPC 750GX
VxWorks Cert, DO-178 Level A, IEC-61508 SIL 3: PowerPC 750GX, PowerPC MPC8548 (e500v2), PowerPC 8280
VxWorks 653, DO-178 Level A: PowerPC P4080* (e500mc), PowerPC MPC8548 (e500v2)
VxWorks 653, DO-178 Level A + FACE: PowerPC P4080* (e500mc)
VxWorks 653 Multi-core Edition, DO-178 Level A: PowerPC T2080 (e6500)
WIND RIVER ENGAGEMENT IN THE OVERALL FRAMEWORK
Figure: structure of IEC 61508.
Technical requirements:
Part 1, 7.1 to 7.5: Development of the overall safety requirements (concept, scope definition, hazard and risk analysis)
Part 1, 7.6: Allocation of the safety requirements to the E/E/PE safety-related systems
Part 2: Realization phase for E/E/PE safety-related systems
Part 3: Realization phase for safety-related software
Part 1, 7.13 and 7.14: Installation and commissioning and safety validation of E/E/PE safety-related systems
Part 1, 7.15 to 7.17: Operation and maintenance, modification and retrofit, decommissioning or disposal of E/E/PE safety-related systems
Other requirements:
Part 1, Clause 5 and Annex A: Documentation
Part 1, Clause 6: Management of Functional Safety
Part 1, Clause 8: Functional Safety Assessment
Part 4: Definitions and Abbreviations
Part 5: Risk based approaches to the development of the safety integrity requirements
Part 6: Guidelines for the application of parts 2 and 3
Part 7: Overview of techniques and measures
VxWORKS 7 SAFETY MANUAL
How to safely use Safety Profile for VxWorks 7 in a certified environment
Standards: IEC 61508
Cert authority
– TÜV
– Determines compliance with standards
Best Practices: installation instructions, build environment, user interface, BSP, processor, error handling
Guidelines: APIs
– RTPs
– DKMs
– VIP
– VSBs
Restrictions: RTPs, DKMs, VIP, VSB
Hazard Mitigation: failure mode and effect analysis (FMEA), partitioning (VxPOD), safe inter-process communications, hardware hazards
MULTI-CORE SYSTEM CERTIFICATION
Safety Systems for Avionics
Multiple levels of criticality
Multiple cores for separation
Time and space partitioning
– ARINC 653 standard
Abstraction interface
– ARINC 653 APIs
– VxWorks APIs
– POSIX APIs
DO-178C certification
Figure: Flight Management Application (DAL B), Payload Management Application (DAL A) and Comms Application (DAL C) on the RTOS across Core 0, Core 1, Core 2 and Core 3; the Resource Manager (SW Hypervisor) is configured from XML data; Architecture Support and Board Support sit on the Multi-core Hardware, which attaches to an Avionics Bus (MIL-STD-1553, ARINC 429, ARINC 664, SAE AS6802 …).
RULES OF THUMB FOR QUALITATIVE REQUIREMENTS
Chart: a failure probability scale from 10^-5 down to 10^-9, with the levels of three standards aligned against it: ARP4761 DAL C, DAL B, DAL A; EN 5012x SIL 1, SIL 2, SIL 3, SIL 4; IEC 61508 SIL 1, SIL 2, SIL 3, SIL 4. Bands with similar qualitative requirements across the standards are marked as Zone A and Zone B.
Ingo Nickles, Sr. Field Application Engineer
Tel.: +49 2152 8088-8082 [email protected]
www.vectorcast.com
How to use COTS components for IEC61508
Vector Software – Who we are
Vector Software, Inc. founded in 1990
First version of VectorCAST released for Lockheed Martin • DO-178 (Avionic), embedded, class A (highest criticality)
TÜV SÜD certified for IEC 61508, ISO 26262, EN 50128, IEC 62304
Global Services • Training, best practice workshops, project delivery
Since 2017 part of Vector Informatik, Stuttgart, Germany
Figure: VectorCAST mapped to the V-model: Requirements Specification, Architecture, System Design and Coding on the left branch; Unit Testing, Integration Testing and System Testing on the right branch.
Where does VectorCAST Fit in Your Environment?
Figure: VectorCAST covers Unit Testing, Integration Testing and System Testing, next to Static Code Analysis and Coding, with Test Driven Development, auto-generated test code, testing of sub-components, Code Coverage, Change-based Testing and Regression Testing. It integrates with ALM, RQM and SCM systems, design tools, development tools, static analysis and other tools, and provides communication and reporting.
Demo-Setup: Unit Testing with VectorCAST and VxWorks7
Figure: from the project's source files, one Source File is placed under test. The Unit-Test Application built around it consists of the Test Driver, Stubs (standing in for the units the source file calls), Startup Code and Test Data (input and expected values).
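The structure of that unit-test application written out in plain C, as an added example (it is not VectorCAST-generated code; the pump-control unit, the sensor stub `sensor_read_temp_c` and the test cases are constructed for this illustration):

```c
#include <stdio.h>
/* --- Unit under test: normally one source file taken from the product --- */
int sensor_read_temp_c(void);   /* provided by the BSP/driver on the target (assumed name) */
/* Returns 1 when the pump must run. Above 80 C it runs; with hysteresis on it
 * keeps running until the temperature drops below 75 C. A reading outside the
 * sensor's plausible range is treated as a fault and handled fail-safe (pump on). */
int pump_should_run(int hysteresis_on) {
    int t = sensor_read_temp_c();
    if (t < -40 || t > 150) return 1;       /* implausible reading: fail safe */
    if (hysteresis_on) return t > 75;
    return t > 80;
}

/* --- Stub: replaces the real driver so the unit runs on the host --- */
static int stub_temp_c;
int sensor_read_temp_c(void) { return stub_temp_c; }

/* --- Test data: stubbed input, argument, expected result (constructed) --- */
typedef struct { int temp_c; int hyst; int expected; } TestCase;
static const TestCase cases[] = {
    {  70, 0, 0 },   /* cool, pump off */
    {  81, 0, 1 },   /* above 80, pump on */
    {  78, 1, 1 },   /* hysteresis keeps the pump on above 75 */
    {  78, 0, 0 },   /* no hysteresis: 78 <= 80, pump off */
    { 200, 0, 1 },   /* sensor fault: fail safe */
    { -50, 1, 1 },   /* sensor fault: fail safe */
};
#define NUM_CASES (int)(sizeof cases / sizeof cases[0])

/* --- Test driver: startup arms the stub, then every case runs through the unit.
 * Returns the number of failing cases so the result is checkable, not just printed. */
int run_tests(void) {
    int failures = 0;
    for (int i = 0; i < NUM_CASES; i++) {
        stub_temp_c = cases[i].temp_c;            /* startup code: set stub state */
        int got = pump_should_run(cases[i].hyst);
        if (got != cases[i].expected) {
            failures++;
            printf("FAIL case %d: temp=%d hyst=%d expected=%d got=%d\n",
                   i, cases[i].temp_c, cases[i].hyst, cases[i].expected, got);
        }
    }
    return failures;
}

int main(void) {
    int f = run_tests();
    printf("%d of %d cases passed\n", NUM_CASES - f, NUM_CASES);
    return f ? 1 : 0;
}
```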
Live Demo
Contact
Ingo Nickles, Senior Field Application Engineer
Phone: +49 2152 8088-8082 [email protected] www.vectorcast.com
Dr. Christof Ebert, Managing Director, Vector Consulting Services GmbH
Phone: +49 711 80670 1525 [email protected] www.vector.com/consulting
Alex Wilson, Director, Market Development, Wind River
Phone: +44 1283 792-001 [email protected] www.windriver.com