Wind power and railway case studies HIPEAC –MCS Workshop · 2015. 5. 7. · Introduction ‐ Off...

©2014 IKERLAN. All rights reserved

Towards modular certification of mixed‐criticality product lines based on multicore and virtualization

technology (IEC‐61508)

Wind power and railway case studies

Jon Perez (IK4‐Ikerlan)19th January, Amsterdam

HIPEAC – MCS Workshop


Agenda

IntroductionBasic concepts

Industrial domain (IEC‐61508; fail‐safe)Safety conceptWhat we have learnt

Railway domain (EN‐5012X; fail‐safe)Safety conceptWhat we have learnt

Towards modular certificationOverviewCurrent Limitation(s)Statement of the problemProduct family / lineModular Safety Cases

Questions2


Introduction – Mixed Criticality

3

“Modern electronic systems used in industry (avionics, automotive, etc) combine applications with different security, safety, and real‐time requirements. Systems with such mixed requirements are often referred to as mixed‐criticality systems“

[Baumann, 2011]

“The integration of applications of different criticality (safety, security, real‐time and non‐real time) in a single embedded system is referred as mixed‐criticality system”

[Perez, 2014]


Basic concepts – Different terms

4

AcademiaTemporal isolation, safety, safety‐critical, ….

Industry

IEC‐61508

Fail‐safe / operationalTemporal IndependenceHigh DemandDiagnostic CoverageCompliant Item

Railway....

Automotive....Ind.

Machinery

SPACE....

AVIONICS....


INDUSTRIAL DOMAIN(IEC‐61508)

[1] Perez, Jon et al. "A Safety Certification Strategy for IEC‐61508 Compliant Industrial Mixed‐Criticality Systems Based on Multicore Partitioning." Euromicro DSD/SEAA Verona, Italy, (2014).

[2] Perez, Jon et al. "A Safety Concept for a Wind Power Mixed‐Criticality Embedded System Based on Multicore Partitioning." In Functional Safety in Industry Application, 11th International TÜV Rheinland Symposium, 36. Cologne, Germany, 2014


Introduction ‐ Off‐shore WT

A modern off‐shore wind turbine dependable control system manages [1,2]:I/Os: up to three thousand inputs / outputsFunction & Nodes: several hundreds of functions distributed over several hundred of nodesDistributed: grouped into eight subsystems interconnected with a fieldbusSoftware: several hundred thousand lines of code

[1] Perez, Jon et al. "A Safety Certification Strategy for IEC‐61508 Compliant Industrial Mixed‐Criticality Systems Based on Multicore Partitioning." Euromicro DSD/SEAA Verona, Italy, (2014).

[2] Perez, Jon et al. "A Safety Concept for a Wind Power Mixed‐Criticality Embedded System Based on Multicore Partitioning." In Functional Safety in Industry Application, 11th International TÜV Rheinland Symposium, 36. Cologne, Germany, 2014

6


Introduction – Context Diagram

7

ETHERCAT

Safety Non Safety Related

HMI & COMS

Supervision

Safety Protection

Speed Sensor (s) Sensor (s) Activators Subsystems

< Safety Chain >

Safety Relay

Output relay pitch control


Safety Concept – The approach…

8

DUAL PROCESSOR – 1oo2 SINGLE PROCESSOR – 1oo2, partitioned, heterogeneous quad‐core

Safety concept based on ‘common practice in industry’

Serves as a reference, not detailed

Analogous safety concept using heterogeneous multicore and hypervisor

The MultiPARTES contribution


Safety Concept (A – ‘Traditional’)

9

DUAL‐PROCESSOR – 1oo2

Supervision

ETHERCAT

Safety Relay

Speed Sensor (s)

Safety Protection

P0

P1

WDG

HMI

COM SERVER

DIAG

Safety Protectio

n

P0

Safety Relay

SCPU

DIAG

WDG P0

Safety techniques (IEC‐61508 SIL3)• 1oo2• HFT=1 and DC >= 90%• Dual diverse sensors• Dual independent safety relays connectedin serial• Dual Diverse Processors:

o ‘P0’ safety functions onlyo ‘P1’ mixed functionalitieso ‘P0/P1’ independent safety relayo Local diagnosis and reciprocalcomparison by software (‘P0/P1’)

• Communication: EtherCAT and ‘safetyover EtherCAT’


Safety Concept (B – ‘Multicore partitioning’) 1/3

PARTITIONED

ETHERCAT

Speed Sensor (s)

SCPU

Safety Relay

Safety Protection

DIAG

WDG WDG

DIAG

Safety Protection

Safety Relay

COM SERVER

HMI

P0 P0

Supervision

Processor + Hypervisor

Is it feasible to developed a ‘partitioned’solution?:• Usage of a certifiable hypervisor• System partitioning (safety, real‐time andnon real‐time partitions)• Interference freeness of non‐safetypartition with safety partitions, and lowercriticality levels with higher criticality levels

10



11

LEON3 FT + HYPERVISOR X86 + HYPERVISOR

X86 + HYPERVISOR

ETHERCAT

Speed Sensor (s)

P0

SCPU

Safety Relay

WDG

Safety Relay

COM SERVER

HMI

DIAG

Safety Protection

DIAG

WDG P0

Safety Protection

Supervision

LEON3 FT + HYPERVISOR

Supervision

Processor

‘Partitions’ mapped to a multicoreprocessor:• Heterogeneous quad core• Dual diverse cores for safety partitions• Partitioning and multicore allocationenables resource usage and performancemaximization while ensuring interferencefreeness

SAFETY CPU SINGLE PROCESSOR QUAD CORE PARTITIONED – 1oo2



12

SAFETY CPU SINGLE PROCESSOR QUAD CORE PARTITIONED – 1oo2

x86 + Hypervisor

x86 + Hypervisor

ETHERCAT

Speed Sensor (s)

Safety Relay

WDG

Safety Relay

COM SERVER

HMI

DIAG

Safety Protection

WDGP0

Supervision

ProcessorExternal Shared Memory

External Shared Memory 2

CLK WD_B

CLK

Watchdog Device

L2 Cache

L1 Cache

L1 Cache

Core Device

CLK WD_A

Watchdog Device

IODevice

IODevice

P0

PCIe

SCPU

GW AHB/PCIe

AHB BU

S

Perio

dic

Interrup

t

RT Control

LEON3 FT + Hypervisor

LS M

EM

LEON3 FT + Hypervisor

Safety Protection

DIAGLS M

EM


Lessons learnt

Mixed‐criticality paradigm based on COTS multicore and partitioning provides multiple potential benefits but certification is a challenge

It is possible for fail‐safe systems to achieve SIL3 IEC‐61508 / Pld ISO‐13849 with multicore and partitioning

Temporal independence (IEC‐61508):

Temporal isolation simplifies the safety argumentation but …. Temporal independence does not necessarily require temporal isolation

Temporal independence must be met according to IEC‐61508. The lack of complete temporal isolation could reduce the availability of the system but should not jeopardize safety (fault avoidance and control)

The safety‐concept highly depends on the details of the underlying processor

13


RAILWAY DOMAIN(EN‐5012X)


Safety Concept, SIL4 EN‐5012X

15


Lessons learnt

Mixed‐criticality paradigm based on COTS multicore and partitioning provides multiple potential benefits but certification is a challenge

It is possible for fail‐safe systems to achieve up to SIL4 EN‐5012x (in “composite fail‐safety” TMR architecture)

Temporal independence (IEC‐61508):

Temporal isolation simplifies the safety argumentation but …. Temporal independence does not necessarily require temporal isolation

Temporal independence must be met according to IEC‐61508. The lack of complete temporal isolation could reduce the availability of the system but should not jeopardize safety (fault avoidance and control)

The safety‐concept highly depends on the details of the underlying processor

16


TOWARDS MODULAR CERTIFICATION

OF PRODUCT LINES


Overview

1. Objective: pave the way towards the competitive development of mixed criticality product families (IEC‐61508)

2. Why? 1. Mixed‐Criticality provides multiple advantages (reduction of cost, size,

weight, power; increase scalability and reliability) but difficulties arise with regard to safety certification standards

2. Safety certification costs and efforts are high3. A safety product could be efficiently constructed by re‐using certified

‘building blocks’ (IEC‐61508 compliant items) ‐> Reusability4. Safety products are in many cases specific instances of a safety ‘product

family’. There is a need to deal with variability of products so that the certification cost of each instance is as low as possible

18


Current limitations

The absence of guidelines and strategies make the safety‐concept as a whole highly dependable among:

Building blocks: system <‐> partition(s) <‐> hypervisor(s) <‐> processor(s)Analysis becomes interdependent: FMEA, system reaction to errors, fault avoidance techniques, fault‐control techniquesDifficult to manage variability in ‘product family’Cross Domain perspective and reusability

SP1 SPn… P1 Pn…Partitions

Hypevisor

Procesor Core[1] Core[n]…

Hyp[1] Hyp[n]…

Shared Resource[0]

Shared Resource[n]…

19


Product Family ‐ Variability

21

RTOS

APP(S)

RTOS

APP(S)

RTOS

APP(S)

RTOS

APP(S)

RTOS

APP(S)

RTOS

APP(S)

RTOS

APP(S)

(Software) Partition

Virtualisation layer

Hardware layerCPU cores

Hardware

Hypervisor

RTOS

APP(S)

GPOS

APP(S)

RTOS

APP(S)


Modular Safety Case(s)

Generic Safety Partition

Generic Safety Hypervisor

Mixed‐Criticality Network

COTS processor

22

Constraints & Hypotheses:• Interface(s)• Temporal requirements• Dependencies• SRAC• Etc.

Safety‐techniques

Safety‐functions

Safety‐standards


Questions

23


IKERLAN Polo GaraiaC/ Goiru , 920500 Arrasate‐Mondragón

Tel.: 943 71 02 12Fax: 943 79 69 44

IKERLAN Unidad de energíaParque tecnológico de Álava,C/ Juan de la Cierva, 101510 Miñano

Tel.: 945 29 70 32Fax: 943 79 69 44

www.ikerlan.es

ORONA IDeO ‐ Innovation cityPol. Industrial Galarreta, Parcela 10.5, Edificio A320120 Hernani

Tel.: 945 29 70 32Fax: 943 79 69 44

IKERLANPº. J. Mª. Arizmendiarrieta, 220500 Arrasate‐Mondragón

Tel.: 943 71 24 00Fax: 943 79 69 44

Wind power and railway case studies HIPEAC –MCS Workshop · 2015. 5. 7. · Introduction ‐ Off...

Documents

Transcript of Wind power and railway case studies HIPEAC –MCS Workshop · 2015. 5. 7. · Introduction ‐ Off...