ERCIM/DECOS WS 2006 · ERCIM/DECOS WS 2006 Euromicro, Dubrovnik, 2006-08-29 Slide 3 ERCIM/DECOS WS...

ERCIM/DECOS WS 2006Euromicro, Dubrovnik, 2006-08-29

Slide 1

ERCIM/DECOS WS 2006

Validation and Certification of Dependable Embedded Systeme

Erwin Schoitsch, Egbert AlthammerARC Seibersdorf research


Slide 2

ERCIM/DECOS WS 2006

Contents:

• ARC Seibersdorf research/IT/ITS• DECOS – IP EU-FP6-511764• The Generic Test Bench: Concept, Design,

Workflow, Tool Integration• Certification Support: Modular component-

based certification – the Generic Safety Case• Outlook


Slide 3

ERCIM/DECOS WS 2006

• Information Technologies• Health Physics• Biogenetics, Natural Resources• Life Sciences• Materials & Production Engineering• Integrated Microsystems Austria• Biomedical Engineering• Intelligent Infrastuctures and Space

Applications• Media Research Studios Salzburg

IT

HPB&L

MP

IMA BEIS

MR

Staff 2005: Ca. 540

Seibersdorf Research: Largest enterprise of ARC – Austrian Research Centers Austria‘s largest independent, contract-oriented research organisation (14 sites, 800 staff)


Slide 4

ERCIM/DECOS WS 2006IT - Dependable Embedded Systems Group

Co-ordinator of EU Integrated Projects DECOSTT-VisionNode (SensorNode) & SD4SC

Integration of Image Processing and Depen-dable Controls, Smart Cameras and Sensors

Accredited V&V Lab (EN ISO/IEC 17025) Research Topics

Methodology & tools for dependable embedded components and systemsModel based V & V of components & systemsHost-target testing with Hardware-in-the-loop (HIL) / Software-in-the-loop (SIL)RAMSS/Hazard analyses for component based systemsEuropean Projects and Networks on Dependability and Software Process Mgmnt (ENCRESS, AMSD, ISA-EuNet, SPIRE, OLOS, ACRuDA, ESPITI, DECOS, COOPERS… )

TT-VisionNode


Slide 5

ERCIM/DECOS WS 2006

Integrated Project: DECOS

Project FactsStart: July 1st, 2004, Duration: 3 Years, Budget: 14.3 Mio €, EU Funding: 9 Mio €

ObjectiveDevelopment of fundamental (domain and technology independent)enabling technologies to faciliate paradigm shift fromfederated to integrated designof dependable real-time embedded systems

Dependable Embedded Components and Systems

EU Framework Program 6: PRIORITY [2] [Information Society Technologies]


Slide 6

ERCIM/DECOS WS 2006

DECOS Consortium (19 members)Industrial Partners: Airbus, AEV, EADS, Infineon, TTTech, Fiat, Profactor, Hella, Liebherr, Thales, EsterelResearch Centers:ARC Seibersdorf (Co-ordinator), SP Swedish Test & Res. InstituteUniversities: TU Vienna, TU Darmstadt, TU Hamburg, Uni Kassel, Uni Kiel, Budapest University


Slide 7

ERCIM/DECOS WS 2006Electronic Control Systems (Automotive)

State of the Art50 – 100 Electronic Control Units (ECUs) in luxury classcarsHigh number of Cables and ConnectorsSeparate box for each function

DECOS GoalsIntegrated Design Significant reduction of ECUsHW Cost reductionImproved DependabilityProviding prototype components, building blocks and patterns


Slide 8

ERCIM/DECOS WS 2006

DependabilityState of the Art

Very complex electronic systemsHigh dependability of mechanical components

DECOS GoalSupport of safety-critical systems (time-triggered communication, redundant components)Partitioning of safety-critical and non safety-critical subsystems, integration on one control unitDriver Assistance Systems, X-by-Wire

Industrial Vision: „Aerospace Safety at Automotive Cost“TTP/C TT-E


Slide 9

ERCIM/DECOS WS 2006Development

Set of certifiable HW and SW components in order to significantly reducethe design, deployment, and life cycle cost of dependable embedded applications and increase dependability.

Simulink models

Code

SCADE modelMarked PIM

PSM

Platform Independent

Code

MiddlewarePI

DECOS architecture APIPI

Config file

HW Res.

SCADEUML

SimulinkGateway

Wrappers SCADECG

VIATRA

Simulink models

Code

SCADE modelMarked PIM

PSM

Platform Independent

Code

MiddlewarePI

DECOS architecture APIPI

Config file

HW Res.

SCADEUML

SimulinkGateway

Wrappers SCADECG

VIATRA

Methodologies + Tools for “Composable & Integrated”Design of Systems

Requirements: Functionality, Dependability, Performance (Temporal) Model-based

Reusable SW, HW & middleware componentsAutomated Generation and ConfigurationSW→HW Allocation, Scheduling (predictable)SW building blocks and (PIM) patterns

Component Oriented V&V Test BenchFramework including methodologies and toolsModular certification


Slide 10

ERCIM/DECOS WS 2006

C-Compiler/Linker(make)

TTPplanTTPbuild

VIATRA

SCADE

plain C,Simulink,…

UML orVIATRA

GMEDECOS Tool-ChainCRD – Cluster Resource DescriptionDAS – Distributed Application

SubsystemPIM – Platform Independent ModelPSM – Platform Specific ModelPIL – Platform Interface LayerGME – Generic Modelling

Environment (VanderbiltUniversity)

VIATRA – VIsual Automated (Model) Transformations (Budapest University of Technology and Economics - BUTE)

SCADE – Safety-Critical ApplicationDevelopment Environment(Esterel Technologies)

TTP – Time-Triggered Protocol(TTTech)

DAS-PIMCRD BehaviourModel

PreparatorySteps

AllocationJobs→Nodes

Addit. Info(job size

etc.)

CandidatePSM

MessageScheduling

JobScheduling

Configu-ration

PIL-Binding(Generation)

Bound PIL(Code)

SoftwareModel

CodeGeneration

Jobs Code(+ Wrapper)

Deployment

Executables

Code libs(services,

…)

Configuration SW-Development/V&V

Design

Test(Simulation,Verification)

(Different) model-based approaches for:


Slide 11

ERCIM/DECOS WS 2006

Diagnosis and Maintenance

Reduction of fault-not-found ratio at the service stations and thus reducing associated warranty/repair costs and Strengthen the customer’s trust in the product by providing an:

Integrated diagnostic infrastructureMaintenance oriented fault modelOut of Norm AssertionsMonitoring and dissemination of diagnosticinformation


Slide 12

ERCIM/DECOS WS 2006DECOS Application Areas

AutomotiveAerospaceRailwaysIndustrial ControlMedical SystemsAutonomousSystems


Slide 13

ERCIM/DECOS WS 2006DECOS Application: AerospaceFlap Control Demonstration System for Airbus Outer Flap System


Slide 14

ERCIM/DECOS WS 2006DECOS Application: AutomotiveHardware in the Loop –HiL- Demonstrator

Traffic Jam AssistantDoor Control SystemHeading Control Adaptive Lighting


Slide 15

ERCIM/DECOS WS 2006DECOS Application: Industrial ControlVibration Control Demonstration System for Nano Imprinting Machines

Objectives:Suppression of critical vibrations

in high-end nano-imprinting machinesfor next-generation Sensors,

Microoptics, Bio- and Nanotechnology.


Slide 16

ERCIM/DECOS WS 2006

Generic Test Bench

Concept, Design, Workflow


Slide 17

ERCIM/DECOS WS 2006

The DECOS Generic Test Bench guides designers throughthe verification and validation process and helps in identifying and carrying out validation and verificationactivities as part of the safety case and certificationprocesses (= certifiability; Certification outside scope of DECOS). In detail, this means ….

Following functional safety standards (IEC 61508 and relatedsectoral standards, e.g. EN 50129, ISO WD 26262 Automotive,…) and their requirements and processesConstituting a framework: Defining a workflow from requirementsto V&V, generation of modular (component-based) safety casesIntegrating combined know-how of the DECOS community on methods, tools, test house-, assessment/evaluation capabilities


Slide 18

ERCIM/DECOS WS 2006

PIL for conn. unitsDAS jobs + PIL APIs

PIM DAS 1 Resource-layer spec.

incl.PIL descr.

HW/SW-Integration(mapping PIM->PSM)

PSM

PIM DAS k…

…

PIL modulesPIL APIs


Node 1 (component)

„PIL pool“(verified)

DAS 1 modules DAS k modules

Deployment

… PIL for conn. unitsDAS jobs + PIL APIs


Node n

WP4.2 (Verification of architecture and components)

selection/configuration (verified)

Tool-Chain Validation

Test Bench View:A Framework forV&V&C

DECOS will considerably simplifySystem Validation andCertification !

Verify actualapplicationdeployment in a workflow-like manner(DASs, components)


Slide 19

ERCIM/DECOS WS 2006Concept1

Overall scope definition2

Hazard and riskanalysis3

Overall safetyrequirements4

Safety requirementsAllocation5

Overalloperation andmaintenance

planning6

Overall operation andmaintenance

planning7

Overall installation andcommissioning

planning8

Overall planningSafety-related

systems:E/E/P E S

9Realisation

(see E&E&P E Ssafety

lifecycle)

Safety-relatedsystems:E/E/P E S

10

Realisation

External riskreductionfacilities

11

Realisation

Overall installationand commissioning12

Overall safetyvalidation13

Overall operation,Maintenance and repair14

Decommissioningor disposal16

Overall modificationand retrofit15

Back to appropriateOverall safety lifecycle

phase

IEC 61508 (Generic), ISO WD 26262 (Automotive)

Functional SafetyLife Cycle Processes


Slide 20

ERCIM/DECOS WS 2006(Generic) Test Bench Conceptual Framework

'AUT': Artefact Under Test

DECOS Test Bench

Requirements V&V Activities

V&VMethods

Test CaseGeneration

V&V Tools

Evidences

Other sources(e.g. Domain)

DECOS artefactStandard(s)

AUT incarnation

Certificationarguments

Validation Plan (V-Plan)

Safety Case

PositiveResults

Feedback toDeveloper

NegativeResults


Slide 21

ERCIM/DECOS WS 2006

Overview Test Process


Slide 22

ERCIM/DECOS WS 2006

Integration of V&V tools (1)

Defining V&V-Activities

V&V-Activities

DOORS Database

DOORS Modules

V-Plan

External Tools

Tool Integration

V&V-Methods/Tools1:1

Executing V&V-Activities

Entering data

Status change

Tool Support

Definingintegration level


Slide 23

ERCIM/DECOS WS 2006Test Bench Framework – Nested V-Plans

Safety criticalDistr. Appl. Syst. – Partitioning-HW, SW-IF (Comm.‘s)


Slide 24

ERCIM/DECOS WS 2006

Generic Test Bench

Tool Integration


Slide 25

ERCIM/DECOS WS 2006

Test Bench system properties

Loosely coupled set of V&V toolsTechnologically heterogenous environmentComplex interaction patternsNeed for

Application logicTool interaction


Slide 26

ERCIM/DECOS WS 2006Manual integration

TelelogicDOORS

MailServer

DocumentRepository(DOORS)

ManualProcessing Tool 3

Tool 2

Tool 1


Slide 27

ERCIM/DECOS WS 2006EMI Hardware Test and SimulationExample for manual integration

test input sent to lab via e-mail + links to data

detailed DUT (Device Under Test) descriptionEMC phenomena to be tested

DUT provided by user (customer) to labtest equipment set up accordingto inputtests executed 'manually' at labtest result and the test report returned by e-mail

Format of input and results standardised


Slide 28

ERCIM/DECOS WS 2006

Manual integrationLimited automationV&V process logic handling needs an expertTool interfacing is not solvedA large amount of manual work

Message oriented middleware (MQ) and workflow basedautomation is promising!


Slide 29

ERCIM/DECOS WS 2006

Message Queue - based integration

DOORS

JBoss

Queue 1.

Queue 2.

Queue n.

MQ server

Set of V&V tools

VIATRA server

Xformation 1.

Xformation 2.

Xformation j.

VIATRA

Tool 1.Tool 2.

Tool j.


Slide 30

ERCIM/DECOS WS 2006Remarks on Tooling

Both fields increasingly become standards-basedProduction quality Free & Open Source solutionsJBoss or Websphere? - selling points of commercial productsare typically ‘enterprise’ features and services

Model transformationsSystem integration makes them necessaryTestbench: extensive usage of transformationsTool for model transformations: VIATRA2 (BUTE)Proof of concept ‘transformation service’ under development


Slide 31

ERCIM/DECOS WS 2006

Integration of initial set of V&V tools (2)Sample List for first step:

SCADE MTC* (Model test Coverage, Esterel)VIATRA* (PIM Checker)LDRA* (Static and Dynamic Testing, Functional Testing (basic test case generation))PROPANE (SWIFI)ITEM (Risk/Hazard Analysis – FMECA, FTA)

Methodology: Pre- and Post-Transformations (ontology-based, tool VIATRA2):

Transformation of Input Data Transformation of Output Data


Slide 32

ERCIM/DECOS WS 2006

V&V Process,

Certification Process Support(Generic Safety Case(s) as an example)


Slide 33

ERCIM/DECOS WS 2006Modular (component-based) Safety Case:

Safety Case is an argumentation to convince a licensing authority that a product is “sufficiently safe”Generic Safety Case covers safety issues relevant for any product based on DECOS services

If possible, show safety of DECOS architecture once and for allCan be reused for Safety Case of a DECOS based productAssuming fulfillment of requirements of DECOS architecture, components and core services (to be proven by subprojects)

Generic Safety Case is based on EN 50129:2003 – similar structure in all IEC 61508 related standards

[Eriksson, 2005] H. Eriksson; Review, Comparison, and Consolidation of Relevant Safety-Related Standards; DECOS_4.1-005; 2005-04-11


Slide 34

ERCIM/DECOS WS 2006

SubsystemsSubsystems&&

ComponentsComponents(e.g. PLC(e.g. PLC’’s)s)

Railways: EN 50128, 50129Railways: EN 50128, 50129

Standalone & and application Standalone & and application sector standardssector standards

Standalone

ISO/IEC 62061:ISO/IEC 62061:Machinery sectorMachinery sector

IEC 61511:IEC 61511:Process sectorProcess sector

Medical sectorMedical sectorIEC 60601IEC 60601

IEC 61513:IEC 61513:Nuclear sectorNuclear sector

Sector implementations

Compliance to IEC 61508

IEC IEC 6150861508

IEC IEC 6150861508

IEC 61131:IEC 61131:PLC sectorPLC sector

ISO WD 26262:ISO WD 26262:Automotive sectorAutomotive sector


Slide 35

ERCIM/DECOS WS 2006

Definition of System Boundary (1)(logical)DAS 2 job

1

DAS 1 job 1

DAS 1 job 2

DAS 2 job 2

DAS 1 job 3

DAS 2 job 3

DAS 1 job 4

DAS 2 job 4

Msg

Msg

MsgMsg

Msg

Msg

Msg

Msg

Msg

DECOS High Level Services

Coreservices

DECOS high-level services:

• Encapsulated Execution

Environment• Virtual networks • Gateways• Diagnosis service• Fault Tolerance Layer


Slide 36

ERCIM/DECOS WS 2006Definition of System Boundary (2) (hardware)

Communication Controller

Basic Connector UnitCommunication

NetworkInterface

Safety-Crit. Connector Unit Complex Connector Unit

Applications

JobJob Job

Applications

JobJob Job

PlatformInterface

CoreServices

Appl. Prog. Interface

Allocation Layer

VN, Gateways,Diagnosis

VN, Gateways,Diagnosis

Symbols:

Push Pull

Time Triggered

Bus medium

Safety Critical Subsystem Non Safety Critical Subsystem


Slide 37

ERCIM/DECOS WS 2006Modular (component-based) Safety Case:

As a modular safety case, the safety case for a complete DECOS system will consist of the following parts:Safety Case for the DECOS core services – to demonstrate the dependability of the DECOS core servicesSafety Case for DECOS nodes – to demonstrate the dependability of the DECOS nodesSafety Case for a DECOS application – to demonstrate the dependability of an application based on the DECOS architecture


Slide 38

ERCIM/DECOS WS 2006

As a Generic Safety Case it will not be presented to any licensing authority; it might be used as a template to demonstrate the dependability of the DECOS node.

Therefore the intention of this Generic Safety Case is to direct the DECOS project to those safety issues which will be important when the licensing of any product based on the technology developed within the DECOS project will eventually be required, andto provide a template for the final Safety Case for certification.

Note: No detailed Safety Evidence – Subproject responsibility


Slide 39

ERCIM/DECOS WS 2006Top level functional requirements for a DECOS node are:

to correctly connect the Jobs and the Communication Controller, which is broken down into:

to provide correct synchronisation with the DECOS networkto provide guaranteed transmission timesto provide fault encapsulationto guarantee the integrity of the transmitted informationgeneral functional requirements

to correctly execute the Fault Tolerance Services to correctly restart a job or a node within a predefined time interval to inform the DECOS network on the DECOS node statusto inform the Jobs on the DECOS node statusto inform the concerned Jobs on faults detected by the Fault Tolerance Services


Slide 40

ERCIM/DECOS WS 2006Analysis for Generic Safety Case based upon the following

Functional Requirements:DECOS Architecture Claims; Requirements Specification Optimised Fault-tolerance Layer; Requirements Specification Platform Interface (PIL and PIL API);Requirement Specification Virtual Communication Links and Gateways; Requirements specification Encapsulated Execution Environment; Collection of Requirements for Validation of Dependability; Guideline for the Application of IEC 61508 and Consolidated Criteria;


Slide 41

ERCIM/DECOS WS 2006Top Level Safety Requirements:

All the functional requirements identified shall be satisfied with a Safety Integrity Level of SIL 4 or equivalent.

Note: the required hardware reliability for a given application for higher SILs may only be realised e.g. by redundant nodes.The correct functioning of a node shall not be disturbed by EMI

All functional requirements mapped to safety requirementsCertain requirements are not applicable for Generic Safety Case: generic part is not an application, pre-competitive research, not a final product. (e.g. safety management Plan, QM Plan, environmental or application specific hazards)


Slide 42

ERCIM/DECOS WS 2006Details: Generic Safety Case (EN 50129)

Quality management Report (not available in pre-competitive Research)Safety Management Report (no application, research only – not

available) – hint for product development!!TECHNICAL SAFETY REPORT – Key Elements

5.2 Assurance of Correct Functional Operation5.2.1 System Architecture Description5.2.2 Definition of Interfaces

• 5.2.2.1 Man-Machine Interfaces• 5.2.2.2 System Interfaces

5.2.3 Fulfilment of System Functional Requirements Specific.5.2.4 Fulfilment of System Safety Requirements Specification5.2.5 Assurance of Correct Hardware Functionality5.2.6 Assurance of Correct Software Functionality


Slide 43

ERCIM/DECOS WS 2006TECHNICAL SAFETY REPORT – Key Elements (2) discussed in context of

requirements (Latin… N/A for generic safety case)

5.3 Effects of Faults5.3.1 Single Faults5.3.2 Independence of Items5.3.3 Detection of Single Faults5.3.4 Action Following Detection5.3.5 Effects of Multiple Faults5.3.6 Defence against Systematic Faults

5.4 Operation with External Influences5.4.1 Climatic conditions – N/A (application dependent)5.4.2 Mechanical conditions – N/A5.4.3 Altitude N/A5.4.4 Electrical conditions N/A5.4.5 Protection against unauthorised access 5.4.6 More severe conditions N/A (application dependent)

5.5 Safety-Related Application Conditions5.6 Safety Qualification Tests

5.6.1 Requirements5.6.2 Results


Slide 44

ERCIM/DECOS WS 2006ConclusionsThe arguments presented in the previous parts of the Safety Case show that a DECOS node is adequately safe to be part of a safety-relevant system (subject to compliance with the specified application conditions).

This is guaranteed by the following principles and services:Fault-tolerant clock synchronisation;Predictable, deterministic and timely transport of messages;Strong fault isolation (fault encapsulation);Fault tolerance service.The assumed properties of the DECOS high level servicesThe software of the DECOS node is SIL 4.


Slide 45

ERCIM/DECOS WS 2006

Discussion

DECOS project: http://www.decos.atARC-Sr, IT: http://www.smart-systems.atBecome a DECOS Interest Group Member for free: access to certainDECOS documents – mail to [email protected]

ERCIM/DECOS WS 2006 · ERCIM/DECOS WS 2006 Euromicro, Dubrovnik, 2006-08-29 Slide 3 ERCIM/DECOS WS...

Documents

Transcript of ERCIM/DECOS WS 2006 · ERCIM/DECOS WS 2006 Euromicro, Dubrovnik, 2006-08-29 Slide 3 ERCIM/DECOS WS...