Wind power and railway case studies HIPEAC –MCS Workshop · 2015. 5. 7. · Introduction ‐ Off...
Transcript of Wind power and railway case studies HIPEAC –MCS Workshop · 2015. 5. 7. · Introduction ‐ Off...
©2014 IKERLAN. All rights reserved
Towards modular certification of mixed‐criticality product lines based on multicore and virtualization
technology (IEC‐61508)
Wind power and railway case studies
Jon Perez (IK4‐Ikerlan)19th January, Amsterdam
HIPEAC – MCS Workshop
©2014 IKERLAN. All rights reserved
Agenda
IntroductionBasic concepts
Industrial domain (IEC‐61508; fail‐safe)Safety conceptWhat we have learnt
Railway domain (EN‐5012X; fail‐safe)Safety conceptWhat we have learnt
Towards modular certificationOverviewCurrent Limitation(s)Statement of the problemProduct family / lineModular Safety Cases
Questions2
©2014 IKERLAN. All rights reserved
Introduction – Mixed Criticality
3
“Modern electronic systems used in industry (avionics, automotive, etc) combine applications with different security, safety, and real‐time requirements. Systems with such mixed requirements are often referred to as mixed‐criticality systems“
[Baumann, 2011]
“The integration of applications of different criticality (safety, security, real‐time and non‐real time) in a single embedded system is referred as mixed‐criticality system”
[Perez, 2014]
©2014 IKERLAN. All rights reserved
Basic concepts – Different terms
4
AcademiaTemporal isolation, safety, safety‐critical, ….
Industry
IEC‐61508
Fail‐safe / operationalTemporal IndependenceHigh DemandDiagnostic CoverageCompliant Item
Railway....
Automotive....Ind.
Machinery
SPACE....
AVIONICS....
©2014 IKERLAN. All rights reserved
INDUSTRIAL DOMAIN(IEC‐61508)
[1] Perez, Jon et al. "A Safety Certification Strategy for IEC‐61508 Compliant Industrial Mixed‐Criticality Systems Based on Multicore Partitioning." Euromicro DSD/SEAA Verona, Italy, (2014).
[2] Perez, Jon et al. "A Safety Concept for a Wind Power Mixed‐Criticality Embedded System Based on Multicore Partitioning." In Functional Safety in Industry Application, 11th International TÜV Rheinland Symposium, 36. Cologne, Germany, 2014
©2014 IKERLAN. All rights reserved
Introduction ‐ Off‐shore WT
A modern off‐shore wind turbine dependable control system manages [1,2]:I/Os: up to three thousand inputs / outputsFunction & Nodes: several hundreds of functions distributed over several hundred of nodesDistributed: grouped into eight subsystems interconnected with a fieldbusSoftware: several hundred thousand lines of code
[1] Perez, Jon et al. "A Safety Certification Strategy for IEC‐61508 Compliant Industrial Mixed‐Criticality Systems Based on Multicore Partitioning." Euromicro DSD/SEAA Verona, Italy, (2014).
[2] Perez, Jon et al. "A Safety Concept for a Wind Power Mixed‐Criticality Embedded System Based on Multicore Partitioning." In Functional Safety in Industry Application, 11th International TÜV Rheinland Symposium, 36. Cologne, Germany, 2014
6
©2014 IKERLAN. All rights reserved
Introduction – Context Diagram
7
ETHERCAT
Safety Non Safety Related
HMI & COMS
Supervision
Safety Protection
Speed Sensor (s) Sensor (s) Activators Subsystems
< Safety Chain >
Safety Relay
Output relay pitch control
©2014 IKERLAN. All rights reserved
Safety Concept – The approach…
8
DUAL PROCESSOR – 1oo2 SINGLE PROCESSOR – 1oo2, partitioned, heterogeneous quad‐core
Safety concept based on ‘common practice in industry’
Serves as a reference, not detailed
Analogous safety concept using heterogeneous multicore and hypervisor
The MultiPARTES contribution
©2014 IKERLAN. All rights reserved
Safety Concept (A – ‘Traditional’)
9
DUAL‐PROCESSOR – 1oo2
Supervision
ETHERCAT
Safety Relay
Speed Sensor (s)
Safety Protection
P0
P1
WDG
HMI
COM SERVER
DIAG
Safety Protectio
n
P0
Safety Relay
SCPU
DIAG
WDG P0
Safety techniques (IEC‐61508 SIL3)• 1oo2• HFT=1 and DC >= 90%• Dual diverse sensors• Dual independent safety relays connectedin serial• Dual Diverse Processors:
o ‘P0’ safety functions onlyo ‘P1’ mixed functionalitieso ‘P0/P1’ independent safety relayo Local diagnosis and reciprocalcomparison by software (‘P0/P1’)
• Communication: EtherCAT and ‘safetyover EtherCAT’
©2014 IKERLAN. All rights reserved
Safety Concept (B – ‘Multicore partitioning’) 1/3
PARTITIONED
ETHERCAT
Speed Sensor (s)
SCPU
Safety Relay
Safety Protection
DIAG
WDG WDG
DIAG
Safety Protection
Safety Relay
COM SERVER
HMI
P0 P0
Supervision
Processor + Hypervisor
Is it feasible to developed a ‘partitioned’solution?:• Usage of a certifiable hypervisor• System partitioning (safety, real‐time andnon real‐time partitions)• Interference freeness of non‐safetypartition with safety partitions, and lowercriticality levels with higher criticality levels
10
©2014 IKERLAN. All rights reserved
Safety Concept (B – ‘Multicore partitioning’) 2/3
11
LEON3 FT + HYPERVISOR X86 + HYPERVISOR
X86 + HYPERVISOR
ETHERCAT
Speed Sensor (s)
P0
SCPU
Safety Relay
WDG
Safety Relay
COM SERVER
HMI
DIAG
Safety Protection
DIAG
WDG P0
Safety Protection
Supervision
LEON3 FT + HYPERVISOR
Supervision
Processor
‘Partitions’ mapped to a multicoreprocessor:• Heterogeneous quad core• Dual diverse cores for safety partitions• Partitioning and multicore allocationenables resource usage and performancemaximization while ensuring interferencefreeness
SAFETY CPU SINGLE PROCESSOR QUAD CORE PARTITIONED – 1oo2
©2014 IKERLAN. All rights reserved
Safety Concept (B – ‘Multicore partitioning’) 3/3
12
SAFETY CPU SINGLE PROCESSOR QUAD CORE PARTITIONED – 1oo2
x86 + Hypervisor
x86 + Hypervisor
ETHERCAT
Speed Sensor (s)
Safety Relay
WDG
Safety Relay
COM SERVER
HMI
DIAG
Safety Protection
WDGP0
Supervision
ProcessorExternal Shared Memory
External Shared Memory 2
CLK WD_B
CLK
Watchdog Device
L2 Cache
L1 Cache
L1 Cache
Core Device
CLK WD_A
Watchdog Device
IODevice
IODevice
P0
PCIe
SCPU
GW AHB/PCIe
AHB BU
S
Perio
dic
Interrup
t
RT Control
LEON3 FT + Hypervisor
LS M
EM
LEON3 FT + Hypervisor
Safety Protection
DIAGLS M
EM
©2014 IKERLAN. All rights reserved
Lessons learnt
Mixed‐criticality paradigm based on COTS multicore and partitioning provides multiple potential benefits but certification is a challenge
It is possible for fail‐safe systems to achieve SIL3 IEC‐61508 / Pld ISO‐13849 with multicore and partitioning
Temporal independence (IEC‐61508):
Temporal isolation simplifies the safety argumentation but …. Temporal independence does not necessarily require temporal isolation
Temporal independence must be met according to IEC‐61508. The lack of complete temporal isolation could reduce the availability of the system but should not jeopardize safety (fault avoidance and control)
The safety‐concept highly depends on the details of the underlying processor
13
©2014 IKERLAN. All rights reserved
RAILWAY DOMAIN(EN‐5012X)
©2014 IKERLAN. All rights reserved
Safety Concept, SIL4 EN‐5012X
15
©2014 IKERLAN. All rights reserved
Lessons learnt
Mixed‐criticality paradigm based on COTS multicore and partitioning provides multiple potential benefits but certification is a challenge
It is possible for fail‐safe systems to achieve up to SIL4 EN‐5012x (in “composite fail‐safety” TMR architecture)
Temporal independence (IEC‐61508):
Temporal isolation simplifies the safety argumentation but …. Temporal independence does not necessarily require temporal isolation
Temporal independence must be met according to IEC‐61508. The lack of complete temporal isolation could reduce the availability of the system but should not jeopardize safety (fault avoidance and control)
The safety‐concept highly depends on the details of the underlying processor
16
©2014 IKERLAN. All rights reserved
TOWARDS MODULAR CERTIFICATION
OF PRODUCT LINES
©2014 IKERLAN. All rights reserved
Overview
1. Objective: pave the way towards the competitive development of mixed criticality product families (IEC‐61508)
2. Why? 1. Mixed‐Criticality provides multiple advantages (reduction of cost, size,
weight, power; increase scalability and reliability) but difficulties arise with regard to safety certification standards
2. Safety certification costs and efforts are high3. A safety product could be efficiently constructed by re‐using certified
‘building blocks’ (IEC‐61508 compliant items) ‐> Reusability4. Safety products are in many cases specific instances of a safety ‘product
family’. There is a need to deal with variability of products so that the certification cost of each instance is as low as possible
18
©2014 IKERLAN. All rights reserved
Current limitations
The absence of guidelines and strategies make the safety‐concept as a whole highly dependable among:
Building blocks: system <‐> partition(s) <‐> hypervisor(s) <‐> processor(s)Analysis becomes interdependent: FMEA, system reaction to errors, fault avoidance techniques, fault‐control techniquesDifficult to manage variability in ‘product family’Cross Domain perspective and reusability
SP1 SPn… P1 Pn…Partitions
Hypevisor
Procesor Core[1] Core[n]…
Hyp[1] Hyp[n]…
Shared Resource[0]
Shared Resource[n]…
19
©2014 IKERLAN. All rights reserved
Product Family ‐ Variability
21
RTOS
APP(S)
RTOS
APP(S)
RTOS
APP(S)
RTOS
APP(S)
RTOS
APP(S)
RTOS
APP(S)
RTOS
APP(S)
(Software) Partition
Virtualisation layer
Hardware layerCPU cores
Hardware
Hypervisor
RTOS
APP(S)
GPOS
APP(S)
RTOS
APP(S)
©2014 IKERLAN. All rights reserved
Modular Safety Case(s)
Generic Safety Partition
Generic Safety Hypervisor
Mixed‐Criticality Network
COTS processor
22
Constraints & Hypotheses:• Interface(s)• Temporal requirements• Dependencies• SRAC• Etc.
Safety‐techniques
Safety‐functions
Safety‐standards
©2014 IKERLAN. All rights reserved
Questions
23
©2014 IKERLAN. All rights reserved
IKERLAN Polo GaraiaC/ Goiru , 920500 Arrasate‐Mondragón
Tel.: 943 71 02 12Fax: 943 79 69 44
IKERLAN Unidad de energíaParque tecnológico de Álava,C/ Juan de la Cierva, 101510 Miñano
Tel.: 945 29 70 32Fax: 943 79 69 44
www.ikerlan.es
ORONA IDeO ‐ Innovation cityPol. Industrial Galarreta, Parcela 10.5, Edificio A320120 Hernani
Tel.: 945 29 70 32Fax: 943 79 69 44
IKERLANPº. J. Mª. Arizmendiarrieta, 220500 Arrasate‐Mondragón
Tel.: 943 71 24 00Fax: 943 79 69 44