2010 Green Hills Software, Inc Slide 1


Slide 2: (slide text not recoverable; the extraction rendered it as font-encoding garbage)

Slide 3:
- To Certify or not to Certify!
- Forces and Trends
- Software Landscape
- Why?

Slide 4: Software is everywhere in our society. What's happening?
- Critical infrastructure does not function without software
- Growth of software quantity and complexity
- Society is increasingly risk averse
- More government regulations
- Economic reasons to create software-based products
  - Less expensive than physical implementation
  - More features
  - More flexible and scalable
  - Sometimes the primary visible portion of the product

Slide 5:
- Substantial increase in lines of code
- More powerful/capable microprocessors
  - Increase in integrated features
  - Capability consolidation
  - Multicore
- Incorporating code from many sources
  - Larger, distributed development teams, often outsourced and temporary
  - Freeware
- Debugging takes 50% of product development time
RESULT: Increased risk
- More safety systems are required

Slide 6: It's not difficult to appreciate the need for industrial safety certification

Slide 7: Primary failure causes per phase in the software lifecycle (figure). Source: HSE, "Out of Control"

Slide 8:
- Emergency shut-down system in a hazardous chemical process plant
- Computer-controlled theatre stage scenery
- Crane safe load indicator
- Railway signalling system
- Variable speed motor drive used to restrict speed as a means of protection
- Dynamic positioning of a ship alongside an offshore oil rig
- Remote network monitoring of a network-enabled process plant

Slide 9:
- End-user requires it
- Government requirements
- Legal protection
- Internal organization safety & reliability requirements
- Do all industrial end-users need a certified RTOS?
- Do all industrial end-users want a reliable/safe RTOS?

Slide 10:
- A standard for the effectiveness of safety systems in programmable electronic systems
  - Originated in the process control industry
  - Basic functional safety standard that covers the complete safety life cycle
  - Derivatives later created for specific markets such as railway
- In use since 1998, amendments added since 2000
- New version (2010) now final and soon mandated for new projects
- Used in 60+ countries
- Tested and certified by 3rd-party agencies such as TÜV or Exida

Slide 11: Key Concepts: Risk and Safety Function
- Risk is a function of the frequency (or likelihood) of the hazardous event and the severity of its consequence
- Risk is reduced to a tolerable level by applying Safety Functions
- How do you measure the risk reduction strength of a Safety Function?
  - SIL (Safety Integrity Level)
  - SIL = Risk Reduction Level

Slide 12:
- A SIL is chosen for the Safety System to reduce the probability of failure of the primary system
  - A balance between enough safety and costs
Safety System SIL Definition (example): When the hinged cover is lifted by 5 mm or more, the motor shall be de-energized and the brake activated so that the blade is stopped within 1 second. The Safety Integrity Level of this safety system shall be SIL [level lost in extraction].

Slide 13: (figure) Primary System, Safety System, Motor; axes: SIL x risk reduction, Probability of Failure, Acceptable Risk. Recoverable values:
- SIL 2: (value lost in extraction)
- SIL 3: 1,000 to 10,000x risk reduction
- SIL 4: 10,000 to 100,000x risk reduction

Slide 14:
- SIL3 is considered the highest level of risk reduction achievable with a single programmable system
- SIL4 is achieved only through hardware redundancy of SIL3 components

Slide 15:
- Customers certify entire systems: hardware and software components
- Customers present their case to TÜV and prove their SIL claim
  - Product specs, documentation
  - Development process and traceability
  - Test results
  - Use in market
  - Pre-certified components

Slide 16: Pre-certified trusted components can be re-used while justifying a certification claim. Typical certification requires approximately 5 to 12 months and costs $X00,000 to $X,000,000.

Slide 17: System Development Phase (figure): System Requirements; Software Planning & Architecture Design; Software Component Design; Coding

Slide 18: (figure only)

Slide 19: (figure only)

Slide 20:
- Generates executable test harness
  - Consists of test driver and stubs linked with the unit(s) under test, for unit and integration testing.
- Test case generation
  - Build test cases automatically, or specify input data and expected results via the GUI or with scripts.
- Test execution
  - Tests can be executed on the host, with the Green Hills simulator, or directly on the target using the MULTI tools.
- Coverage summary
  - Provides a color-coded view of your source code, reflecting code that is completely covered, partially covered, or uncovered.
- Automates regression testing
(figure) Fully Tested Applications: Application Source Code; Test Planning; Test Case Creation; Simulation Environment Creation; Test Execution; Report Generation; Metrics; Code Coverage; Regression Testing; Full Test Documentation

Slide 21: Protected partitions (figure)

Slide 22:
- INTEGRITY system architecture provides partitions (with different criticality)
- Customer develops hardware devices and the yellow boxes (Safety Core)
- Gray is non-critical software: fully independent partition(s), in both the space and time domain
- Blue is certified INTEGRITY
- Green is a certified Safety BSP
- SBSP contains safety integrity functions for the Customer Safety Core
- No user tasks in kernel space

Slide 23:
1. Initialization (triggered by RTOS boot)
  - Fixed interface definition
  - Initialize peripherals and set up memory (mappings for Pure Virtual Drivers)
  - Service the hardware watchdog
2. Interrupts/callbacks (triggered by hardware and scheduler)
3. App services (triggered by the Safety Core via the kernel API, using IODevices)
  - Peripherals (I2C, UART, field buses, PCI, clock, etc.)
  - Safety Integrity Functions, such as:
    - PBIT (boot loader)
    - CBIT (safety image)
    - Enter failsafe state
    - Unhandled exceptions/interrupts
    - Deal with interrupt flooding
    - Detection of hardware/software problems

Slide 24:
- Customer's Safety Core triggers execution of the CBIT tests
  - From its own partition (time domain) and task priority
  - Safety Core determines frequency and amount of testing
- Continuous Built-In Tests (CBIT):
  - Non-destructive tests on variable RAM (Safety Library: Abraham, Galpat, Walkpat algorithms)
  - CRC-32 on invariable RAM:
    - Code and read-only data
    - Exception vectors
    - MMU page table entries
  - Peripheral access
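The CBIT pass described on slide 24, as an added example that is not Green Hills code: a CRC-32 check of an invariable region against a reference recorded earlier, and a non-destructive word-level RAM test that saves, exercises and restores each word. The RAM test is a simplified walking-one/walking-zero check, not the Safety Library's Abraham, Galpat or Walkpat algorithms, and all function names are assumptions.

```c
/* Added example, not Green Hills code. Simplified CBIT-style checks:
 * CRC-32 over an invariable region, plus a non-destructive RAM test.
 * Names are assumptions; the RAM test is not Abraham/Galpat/Walkpat. */
#include <stdint.h>
#include <stddef.h>

/* Bitwise CRC-32 (reflected polynomial 0xEDB88320, init/final 0xFFFFFFFF). */
uint32_t crc32_compute(const uint8_t *data, size_t len) {
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* CBIT check on invariable RAM (code, read-only data, vectors, page tables):
 * 0 if the region still matches the reference CRC, 1 if it has changed
 * (caller would enter the failsafe state). */
int cbit_crc_check(const uint8_t *region, size_t len, uint32_t expected) {
    return crc32_compute(region, len) == expected ? 0 : 1;
}

/* Non-destructive variable-RAM test: each word is saved, driven with a
 * walking one and its complement, read back, then restored. Interrupts
 * touching this RAM must be masked by the caller. Returns 0 on pass, or
 * 1 + index of the first word that failed. */
int cbit_ram_check(volatile uint32_t *ram, size_t words) {
    for (size_t i = 0; i < words; i++) {
        uint32_t saved = ram[i];
        int ok = 1;
        for (int bit = 0; bit < 32 && ok; bit++) {
            uint32_t v = 1u << bit;
            ram[i] = v;  ok = (ram[i] == v);          /* walking one  */
            ram[i] = ~v; ok = ok && (ram[i] == ~v);   /* walking zero */
        }
        ram[i] = saved;                                /* always restore */
        if (!ok || ram[i] != saved) return (int)i + 1;
    }
    return 0;
}

/* Constructed sample: run the RAM test over a scratch buffer and confirm
 * it passed and left the original contents intact (0 = good). */
int ram_selftest_demo(void) {
    volatile uint32_t scratch[4] = { 1u, 2u, 3u, 4u };
    int rc = cbit_ram_check(scratch, 4);
    return (rc == 0 && scratch[0] == 1u && scratch[3] == 4u) ? 0 : 1;
}
```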

Slide 25: (slide text not recoverable; the extraction rendered it as font-encoding garbage)

Slide 26:
- INTEGRITY separation architecture enables you to partition your certification approach
  - Create and deploy a mix of applications at various safety levels using INTEGRITY's proven separation capabilities
  - Multiple safety levels on a single microprocessor and a single instance of INTEGRITY
  - Without INTEGRITY, if one part of the system needs to be SIL3, ALL parts of the system must be certified SIL3
- Without the ability to partition your certification approach, you will need more time and money, system design complexity will increase, and re-certification costs will be much higher

Slide 27: Questions
- For further information:
  - Tel: +31 (0)