Transcript Industrial Vertical

Hypervisor: an Off-the-Shelf-Based Separation Concept to Improve Time-to-Revenue
Medical
Hao Meng
China Senior Field Application Engineer
Industrial/Medical Solutions
© 2009 Wind River
Information is Subject to Change without Notification
Agenda
• A medical safety market observation and how adjacent market segments address cost-effective safety
• Time-to-market acceleration by use of OTS (off-the-shelf) software
• Hypervisor: a separation concept supporting different levels of criticality
A Medical Safety Market Observation and How Adjacent Market Segments Address Cost-Effective Safety
The Industrial Market - Trends
(Slide graphic: the market segments Aerospace & Defense, Power / Energy, Transportation, Medical, Process Automation and Control Automation, set against the cross-cutting trends Openness, Consolidation, Connectivity and Safety / Security.)
Overview: Derivative Safety Standards (from IEC61508)
Safety: IEC61508 meta specification, Part 1...7, from which sector standards derive, e.g. ISO TR 15497 / MISRA Guidelines, ECSS-E-40A (EMEA Space), RTCA DO-178B (Aerospace SW), RTCA DO-254 (Aerospace HW), NASA-GB-1740 (SW Guidebook), DIN EN9875 (Maritime), ....
• IEC61513 – Nuclear Power
• IEC61513 System Aspect
• IEC61226 classification
• IEC60987 Hardware Requirements
• IEC62138 Software Cat. B&C functions
• IEC60880 Software Cat. A functions
• IEC62061 – Machine Industry
• IEC61508-Part 3 Software
• CENELEC 5012x – Railway
• CENELEC 50126 RAMS
• CENELEC 50128 SW
• CENELEC 50129 HW
• IEC61511 – Process Industry
• IEC61508-Part 3 Software
• IEC60601 (-1 and -2) – Medical
• IEC60601-1 Base
• IEC60601-2 Device Specific
• IEC62304 Software Lifecycle
Situation
(Slide graphic: operator and customer expectations across Transportation, Process Automation, Medical and Power / Energy: reduction of operational costs, compliance to safety standards, additional features.)
Safety Requirements / Process
• Architecture
– Perform safety review involving Cert Authority and
customer to confirm architecture
– Propose architectures to reduce development cost
– Concept approval involving Cert Authority
• Requirements
– Determine Safety Requirements
– Determine Diagnostics
• Tools
– Identify qualified tools
Multicore Enabling Tools
Tool support along the V-model (partner products marked *):
• Market/User Need
• Requirements Definition: *Telelogic DOORS; IBM Rational RequisitePro
• High-Level Design: *IBM Rational Rhapsody; *Esterel SCADE Suite; Tilcon Interface Dev. Suite; KW-Software IEC61131-3
• Low-Level Design/Coding: *Esterel SCADE Suite; The Mathworks Simulink, Statemate; KW-Software IEC61131-3
• Code Creation/Generation/Debugging: Wind River Workbench/VxWorks/Linux/Platform Software; Workbench/Eclipse Integrations
• Simulation/Unit Test and Verification: IPL Cantata++; LDRA Test Bed
• Subsystem Integration/Test: LDRA Test Bed; *Wind River Test Management
• System Integration/Test: Certification Services, System Safety (*TUEV, *Verocel); *Wind River Test Management
• Operations/Deployment
Modular Design
(Slide graphic: two software stacks side by side with Separation between them. Safety stack: Safety Critical Application on VxWorks CERT on VxWorks CERT BSP on Processor. HMI stack: WRS Linux / VxWorks on BSP on Processor.)
Business Issues
• Cost
• Safety
• Features/Differentiators
Features
Safety Solutions: Products + Services
• Products: VxWorks CERT, VxWorks CERT BSP (for the Safety Critical Application on the target Processor)
• Services:
– Software Unit Test
– Software Integration Testing
– Porting to target architecture
– Impact Analysis
– Execution of tests
– Update of Cert Artefacts
– BSP Development
– Testing
– Implementation of Diagnostics
– Cert Artefacts
Time-to-Market Acceleration by Use of OTS Software
Typical Safety OS Requirements
• Provision of secure and timely data flow
– to and from applications and I/O devices
• Controlled access to processing facilities
– The access of applications to the underlying hardware processing resources must be managed so that, for example, any deadlines can be met
• Provision of secure data storage and memory management
– The aim here is to secure memory storage from corruption or interference by other applications or the actions the operating system takes on their behalf
• Provision of consistent execution state
– This concerns the consistency of data and is mostly concerned with the state of the system after initialization
• Provision of health monitoring and failure management
– covers partial and controlled failures of the system (operating system, application, hardware)
• General provision of computing resources
– This covers provision of any of the services of the OS. A failure of this function would imply an uncontrolled failure of the OS
Evidence for OS #1
• Field service experience
– Usually information that is difficult to provide
• Testing
– OS’s are extremely “stateful”, there being no “reset to known state”
until reboot
– Hardware-dependence and ambience-dependence of errors means that
small physical differences may hide a problem temporarily
– High rate of changes;
– Usage pattern to be determined and frozen (difficult in the context of
Linux)
– Automated testing tool support such as coverage analysis can be
highly intrusive at the kernel level
– Traceability of tests to the specification
Evidence for OS #2
• Analysis
– Manual inspection of design and code for correctness and quality
– Code complexity measurements
– Checking conformance to coding standards for reliable software
– Control and dataflow analysis (which aims to find anomalous code);
– Semantic analysis (symbolic execution)
– Exception detection, which aims to determine which parts of a program cannot, may or will raise run-time exceptions such as numeric overflow, divide by zero and illegal address conditions;
– Compliance analysis (formal proof of correctness against a specification)
– Worst case execution time analysis of object code
Safety Demonstrated – VxWorks
VxWorks CERT 2.x
• Certifiable sub-profile of VxWorks 6.6 (RTPs to be added)
• Used as CERT OS
• In combination w/ Hypervisor (consolidation of safe & non-safe apps.)
• As a CERT OS on safety controller
• Certifiable up to IEC61508 SIL3 and DO-178B Level A
• Certifiable BSP
• Hardware abstraction
• Interface to board specific safety functions (e.g. BITS, HW diagnostic, Watchdog etc.)
• UDP/TCP Cert Stack
VxWorks 6.x
• Real-time / Multiprocessing (RTPs) OS
• Usually not used as CERT OS
• Used as OS for non-safe application
• Stand-alone or in combination w/ Hypervisor
• In combination w/ VxWorks CERT and HW or SW separation
• Enables innovation by
• Feature richness
• Broad partner ecosystem support
• BSP
• Hardware abstraction
• Interface to board specific functions and devices
• Rich set of standard reference board BSPs
(Slide graphic: VxWorks CERT 2.x on Certifiable BSP on HW beside VxWorks 6.x on Board Support Package (BSP) on HW, linked by Communication (AMP) across a Hardware or Software Separation.)
Wind River Solutions
(Slide graphic: product portfolio. Wind River Workbench with On-Chip Debugging and the Partner Software Ecosystem on top; platforms, each with Integrated Middleware: Wind River General Purpose Platform (Wind River Linux), Wind River General Purpose Platform (VxWorks 6), VxWorks Cert Platform (VxWorks Cert), VxWorks 653 Platform (VxWorks 653), VxWorks MILS Platform (VxWorks MILS, CC EAL 4, 4+, 6+); Partner Hardware Ecosystem and Services Practice beneath.)
Hypervisor: a Separation Concept Supporting Different Levels of Criticality
Impact on Shared Resources (1)
CPU-time
• Blocking of partitions: due to communication deadlocks;
• Wrong allocation of processor execution time, e.g. by using
– Time triggered scheduling;
– Cyclic execution scheduling policy;
– Fixed priority based scheduling;
– Monitoring of processor execution time of software partitions according to the allocation;
– Program sequence;
– Arrival rate monitoring.
Impact on Shared Resources (2)
Memory
• Memory protection mechanisms;
• Verification of safety-related data;
• Offline analysis of code and data of other partitions;
• Restricted access to memory;
• Static analysis; and
• Static allocation
Impact on Shared Resources (3)
I/O and Communication
• Failure of communication peer: communication peer is not available
• Blocking access to data bus
• Continuous transmission of messages (babbling idiot)
Motivation for Separation
• Standardised Approach for Separation
• Limit Software Development Costs
– Certification of safety critical parts only
• Flexibility
– Third party deliveries can be easily integrated by OEM
• Maintenance
– Less safety-relevant areas can be influenced through
maintenance
• Reusability
– Legacy code, Architectural approach
Case Study: Separation
Business Concern(s)
• Cost
• Safety
• Features/Differentiators
Usage Scenario(s)
• Certification
• Consolidation
• Usability
(Slide graphic: Safety Critical Application on VxWorks CERT or "bare metal" beside Control, HMI on WRS Linux / VxWorks, both on Wind River Hypervisor (Certifiable) on a Single or Multicore Processor.)
Medical
• Preserve certification efforts (IEC 61508, DO178B, FDA 510(k), IEC 62304)
• Innovate in new environment
• Industrial, Medical, Energy
Case Study: Product Management
Business Issues
• Cost
• Features/Differentiators
• Life-Cycle Management
Usage Scenarios
• Consolidation
• Reliability
• Usability
(Slide graphic: Visualization on Windows, Data Acquisition on VxWorks and Graphics on WR Linux, all on WR Hypervisor on a Single or Multicore Processor.)
Medical
• Streamline Product-Lifecycle Management Process
• Manage Obsolescence
• Focus on core competences
• Transport, Energy, Medical
Definitions
• Virtualization - Abstraction of computer resources,
hiding the physical characteristics
• Hypervisor - Configurable supervisor program with
both separation and scheduling that provides
virtualization through software
• Virtual Board (Software Partition in ISO/CD 26262-6) - Environment for one operating system or bare application; has physical and/or virtual hardware controlled by the Hypervisor
Hypervisor Technology
(Slide graphic: Virtual Board 1 (CPU, Memory, Ethernet1), Virtual Board 2 (CPU, Memory, Serial) and Virtual Board 3 (CPU, Memory, Ethernet2) on top of the Hypervisor, which maps them onto the Physical Board with its CPU, Memory, Ethernet and Serial.)
Non-Interference on a Single Computer
• Independence of Execution
Software elements will not adversely interfere with each other’s
execution behaviour such that a dangerous failure would occur
– Spatial Domain
data used by one element must not be changed by another element, in particular a non-safety related element
– Spatial separation
• MMU & I/OMMU to separate memory domains and I/O domains
• VMMU to set up a system of virtual boards
• Safe Inter Process Communication (SIPC)
Spatial Separation
(Slide graphic: three Virtual Boards, each with its own CPU, Mem and I/O (Eth, ATA, Serial): an Application on Linux, an Application on VxWorks, and an Application running directly, split into User Mode and Privileged Mode. Beneath them, in System Mode, the Wind River Hypervisor provides Virtual Boards, VMMU, Interrupt, Exception, Communication, Configuration, CPU and I/O resources, mapped onto the Physical Board: Core, Memory, Serial, ATA, Ethernet.)
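The spatial-separation measures listed above (memory protection, restricted access, static allocation) come down to one thing the hypervisor must get right: a fixed memory map that is checked once at configuration time and consulted on every access. The following is an added example, not Wind River's code and not the Wind River Hypervisor's API; the virtual-board names, addresses, region sizes and the `Region` structure are constructed for illustration. It models private RAM for three virtual boards plus a one-way shared buffer in the spirit of SIPC, rejects an overlapping map before it could ever be loaded, and refuses any access that is unmapped, straddles a region boundary, wraps the address space, or comes from a board without a grant.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example (not Wind River code): a static, hypervisor-owned memory map
 * for three virtual boards, validated once at configuration time and then
 * consulted for every access. All addresses and sizes are constructed. */

#define PAGE_SIZE 0x1000u

typedef enum { ACC_READ = 1, ACC_WRITE = 2 } AccessKind;

typedef struct {
    const char *name;
    uint64_t base;   /* first byte of the region */
    uint64_t len;    /* size in bytes */
    int owner;       /* virtual board with read/write access */
    int reader;      /* second board with read-only access (0 = none);
                        models a one-way SIPC buffer */
} Region;

/* Constructed map: private RAM per board plus one shared buffer that VB1
 * writes and VB2 may only read. */
static const Region vb_map[] = {
    { "VB1 RAM",       0x10000000u, 0x01000000u, 1, 0 },
    { "VB2 RAM",       0x11000000u, 0x00800000u, 2, 0 },
    { "VB3 RAM",       0x11800000u, 0x00800000u, 3, 0 },
    { "SIPC VB1->VB2", 0x12000000u, 0x00001000u, 1, 2 },
};
#define VB_MAP_LEN (sizeof vb_map / sizeof vb_map[0])

/* Constructed faulty map: VB2 RAM overlaps the tail of VB1 RAM. */
static const Region bad_map[] = {
    { "VB1 RAM", 0x10000000u, 0x01000000u, 1, 0 },
    { "VB2 RAM", 0x10FFF000u, 0x00800000u, 2, 0 },
};
#define BAD_MAP_LEN (sizeof bad_map / sizeof bad_map[0])

/* Configuration-time check (static allocation): every region is non-empty,
 * page aligned, does not wrap the address space and overlaps no other. */
bool map_is_valid(const Region *m, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (m[i].len == 0 || m[i].base % PAGE_SIZE || m[i].len % PAGE_SIZE)
            return false;
        if (m[i].base + m[i].len < m[i].base)   /* wrap-around */
            return false;
        for (size_t j = i + 1; j < n; j++) {
            uint64_t a_end = m[i].base + m[i].len;
            uint64_t b_end = m[j].base + m[j].len;
            if (m[i].base < b_end && m[j].base < a_end)
                return false;                   /* overlap */
        }
    }
    return true;
}

/* Run-time check: [addr, addr+len) by board vb is allowed only if it lies
 * wholly inside one region that grants that kind of access. Anything
 * unmapped, straddling a boundary or owned by another board is refused. */
bool access_allowed(const Region *m, size_t n, int vb,
                    uint64_t addr, uint64_t len, AccessKind kind)
{
    if (len == 0 || addr + len < addr)          /* empty or wrapping range */
        return false;
    for (size_t i = 0; i < n; i++) {
        uint64_t end = m[i].base + m[i].len;
        if (addr >= m[i].base && addr + len <= end) {
            if (m[i].owner == vb)
                return true;
            return m[i].reader == vb && kind == ACC_READ;
        }
    }
    return false;                               /* not mapped to anyone */
}

int main(void)
{
    printf("vb_map valid: %d, bad_map valid: %d\n",
           map_is_valid(vb_map, VB_MAP_LEN), map_is_valid(bad_map, BAD_MAP_LEN));
    printf("VB2 reads VB1 RAM: %d\n",
           access_allowed(vb_map, VB_MAP_LEN, 2, 0x10000100u, 16, ACC_READ));
    printf("VB2 reads SIPC buffer: %d\n",
           access_allowed(vb_map, VB_MAP_LEN, 2, 0x12000000u, 8, ACC_READ));
    return 0;
}
```

The two checks are deliberately separate: `map_is_valid` is the offline, once-per-configuration evidence that belongs in the safety artefacts, while `access_allowed` is the only decision the hypervisor takes at run time, and it never consults anything the guest controls.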
Non-Interference on a Single Computer
• Independence of Execution
Software elements will not adversely interfere with each other’s
execution behaviour such that a dangerous failure would occur
– Temporal Domain
one element must not cause another element to function incorrectly by taking
too high a share of the available processor execution time, or by blocking
execution of the other element by locking a shared resource of some kind
– Temporal Separation
• Deterministic scheduling
– Scheduling policy (time slice, priority)
• Exception Handling
• Cache and DMA Management
Temporal Separation
(Slide graphic: time-sliced schedule driven by the System Tick. Consecutive Minor Frames run VB 1, VB 2, VB 3, VB 1, VB 2 ... with Spare Time left in each; the sequence of minor frames forms the Major Frame.)
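The "Impact on Shared Resources (1)" slide lists time-triggered scheduling, execution-time monitoring and arrival-rate monitoring as the CPU-time measures, and the major/minor frame picture above is what time-triggered scheduling looks like. The following added example (not Wind River's code and not the Wind River Hypervisor's scheduler; the schedule, tick counts, budgets and arrival limits are constructed) simulates one major frame of a fixed schedule with a hypervisor-side monitor. It shows the property the slides care about: a virtual board that tries to run for far longer than its budget is cut off at its own slot boundary, so every other board still starts on its scheduled tick. The arrival-rate check also covers the "babbling idiot" case from the I/O slide: a board that keeps raising events past its per-frame limit is refused rather than allowed to steal time.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example (not Wind River code): a fixed major/minor frame schedule for
 * three virtual boards (VB1..VB3) with a hypervisor-side execution-time and
 * arrival-rate monitor. All numbers are constructed for illustration. */

#define NUM_VB            3
#define MINOR_FRAME_TICKS 10     /* system ticks per minor frame */
#define MAJOR_FRAME_SLOTS 4      /* minor frames per major frame */

typedef struct {
    int vb;       /* virtual board that owns the minor frame, 0 = spare */
    int budget;   /* ticks the board may execute inside its minor frame */
} Slot;

/* Static schedule fixed at configuration time: VB1, VB2, VB3, VB1, the
 * sequence shown on the slide. A budget below the minor-frame length leaves
 * spare time in every frame. */
static const Slot schedule[MAJOR_FRAME_SLOTS] = {
    { 1, 8 }, { 2, 6 }, { 3, 8 }, { 1, 8 },
};

/* Constructed per-board limit on events (interrupts, messages) per major
 * frame; a board that exceeds it is refused further events. */
static const int max_arrivals[NUM_VB + 1] = { 0, 4, 2, 8 };

typedef struct {
    int executed[NUM_VB + 1];            /* ticks granted per VB in the frame */
    int overruns[NUM_VB + 1];            /* slots in which the VB hit its budget */
    int slot_start[MAJOR_FRAME_SLOTS];   /* tick at which each slot began */
    int spare;                           /* ticks of the major frame unused */
} FrameStats;

/* Configuration-time check: budgets must fit their minor frame and every
 * board must own at least one slot, otherwise it would never run. */
bool schedule_is_valid(void)
{
    bool seen[NUM_VB + 1] = { false };
    for (int i = 0; i < MAJOR_FRAME_SLOTS; i++) {
        const Slot *s = &schedule[i];
        if (s->vb < 0 || s->vb > NUM_VB) return false;
        if (s->budget < 0 || s->budget > MINOR_FRAME_TICKS) return false;
        seen[s->vb] = true;
    }
    for (int vb = 1; vb <= NUM_VB; vb++)
        if (!seen[vb]) return false;
    return true;
}

/* Simulate one major frame. demand[vb] is how many ticks the board tries to
 * consume in each of its slots (constructed workload). Execution stops at
 * the budget boundary, so each slot's start tick follows from the schedule
 * alone; an overrunning board cannot delay or starve another board.
 * Returns the number of budget overruns the monitor recorded. */
int run_major_frame(const int demand[NUM_VB + 1], FrameStats *st)
{
    int now = 0, total_overruns = 0;
    memset(st, 0, sizeof *st);
    for (int i = 0; i < MAJOR_FRAME_SLOTS; i++) {
        const Slot *s = &schedule[i];
        st->slot_start[i] = now;
        int granted = demand[s->vb] < s->budget ? demand[s->vb] : s->budget;
        if (granted < 0) granted = 0;
        if (demand[s->vb] > s->budget) {      /* monitor: budget exhausted */
            st->overruns[s->vb]++;
            total_overruns++;
        }
        st->executed[s->vb] += granted;
        st->spare += MINOR_FRAME_TICKS - granted;
        now += MINOR_FRAME_TICKS;             /* time-triggered: advance on the tick */
    }
    return total_overruns;
}

/* Arrival-rate monitor: may board vb raise one more event this major frame? */
bool arrival_allowed(int vb, int arrivals_so_far)
{
    if (vb < 1 || vb > NUM_VB) return false;
    return arrivals_so_far < max_arrivals[vb];
}

int main(void)
{
    FrameStats st;
    int demand[NUM_VB + 1] = { 0, 1000, 3, 8 };   /* VB1 misbehaves */
    printf("schedule valid: %s\n", schedule_is_valid() ? "yes" : "no");
    int overruns = run_major_frame(demand, &st);
    for (int i = 0; i < MAJOR_FRAME_SLOTS; i++)
        printf("slot %d (VB%d) starts at tick %d\n", i, schedule[i].vb, st.slot_start[i]);
    for (int vb = 1; vb <= NUM_VB; vb++)
        printf("VB%d: executed %d ticks, overruns %d\n", vb, st.executed[vb], st.overruns[vb]);
    printf("spare ticks: %d, total overruns: %d\n", st.spare, overruns);
    return 0;
}
```

With the constructed workload VB1 asks for 1000 ticks in each of its two slots and gets 8 in each, VB2 and VB3 still start at ticks 10 and 20, and the monitor reports two overruns for VB1 and none for the others. Logging those overrun counts per board is the run-time evidence that the "monitoring of processor execution time according to the allocation" measure actually fires.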
Typical Steps
• Hardware Certification
– Diagnostic measures -> Software Safety Requirements (SSR)
• Allocation SSRs
– Hypervisor BSP
– SafeOS BSP
– Safety Application
• Implementation Hypervisor BSP
• Partitioning claim
– Hypervisor and Hypervisor BSP
• Implementation SafeOS BSP
– Consideration Safety Manual Hypervisor and Hypervisor BSP
• Implementation Safety Application
– Consideration Safety Manual SafeOS and SafeOS BSP
• System Safety Manual
(Slide graphic: layers Hardware, Virtualization, Virtual Board 1.)
Outlook
• Next version of IEC 61508, Part 3 specifies techniques for separation (Annex G)
• Virtualisation techniques are deployed in Aerospace (e.g. 787, A380, A400, C130-AMP...) (ARINC653, DO178B, DO297 / ED124)
• Multi Core CPUs
– Shared Resources (Cache, Bus, RAM, I/O devices)
– Parallel Computing (SMP, AMP)
• Device virtualization
– Directed I/O
Safety Solution – Automation, Medical, Transport (IEC61508 / CENELEC 50128, FDA, IEC62304)
(Slide graphic, variant without time separation: safety and non-safe software on two separate CPUs.)
Target applications: Transport (SIL2) Driver Desk; Automation Platform (SIL2); Medical Therapy (Class 2-3), NA driven: FDA 510(k), EMEA driven: IEC 62304; Automation, Transport, Medical non-safe applications; Medical.
Safety - CPU 1 (Freescale 8349E), SIL 1/SIL 2 - No Time Separation:
• Safety Applications: IEC 61131-3 + Customer Control/Safety Applications; Esterel
• IEC 61508 Safety & Control; DO-178B Safety & Control
• VxWorks 6.6 CERT
Non Safe - CPU 2 (Freescale / Intel):
• Non-Safe Applications from the Wind River Partner ECO System: Tilcon; KW-SW, Acontis, Rockwell, Tilcon
• External Communication, Lightweight SCADA; Integrated Graphics, Consumer Connectivity; BT, WiFi, Consumer Connectivity; SOAP, XML, OPC, CAN
• Linux (PCD, GPP) or VxWorks; VxWorks OR VxWorks PID
Safety Solution – Automation, Medical, Transport (IEC61508 / CENELEC 50128, FDA, IEC62304)
(Slide graphic, variant with time separation: safety and non-safe software consolidated on one CPU under the WRS Hypervisor.)
Target applications: Transport (SIL2) Driver Desk; Automation Platform (SIL2); Medical Therapy (Class 2-3), NA driven: FDA 510(k), EMEA driven: IEC 62304; Automation, Transport, Medical non-safe applications; Medical.
Safety side, SIL 1/SIL 2 - Time Separation:
• Safety Applications: IEC 61131-3 + Customer Control/Safety Applications; Esterel
• IEC 61508 Safety & Control; DO-178B Safety & Control
• VxWorks 6.6 CERT
Non-safe side:
• Non-Safe Applications from the Wind River Partner ECO System: Tilcon; KW-SW, Acontis, Rockwell, Tilcon
• External Communication, Lightweight SCADA; Integrated Graphics, Consumer Connectivity; BT, WiFi, Consumer Connectivity; SOAP, XML, OPC, CAN
• Linux (PCD, GPP) or VxWorks; VxWorks OR VxWorks PID
Both on WRS Hypervisor on CPU 1 (Single Core or Multi Core), Freescale / Intel.