© 2009 wind river information is subject to change without notification hao meng china senior field...

© 2009 Wind River

Information is Subject to Change without Notification

Hao MengChina Senior Field Application Engineer

Industrial/Medical Solutions

Hypervisor an Off-the-Shelf Based Separation Concept to Improve Time-to-Revenue

Medical

© 2009 Wind River


Agenda

• A medical safety market observation and how adjacent market segments address cost effective safety

• Time-to-market acceleration by use of OTS (off-the-shelf) software

• Hypervisor a separation concept supporting different levels of criticality

© 2009 Wind River


A Medical Safety Market Observation and How Adjacent Market Segments

Address Cost Effective Safety

© 2009 Wind River


The Industrial Market - Trends

Transportation

Power / Energy

Medical

Control Automation

Process Automation

OpenessConsolidationConnectivity

Safety / Security

Aerospace & Defense

© 2009 Wind River


Overview

SafetyIEC61508 meta specification

Part 1...7

ISO TR 15497 MISRA GuidlinesECSS-E-40A (EMEA Space)

RTCA DO-178B (Aerospace SW)RTCA DO-254 (Aerospace HW)

NASA-GB-1740 (SW Guidebook)DIN EN9875 (Maritime)

....

....

Derivative Safety Standards(from IEC61508)

• IEC61513 – Nuclear Power•IEC61513 System Aspect•IEC61226 classification•IEC60987 Hardware Requirements•IEC62138 Software Cat. B&C functions•IEC60880 Software Cat. A functions

•IEC62061 – Machine Industry•IEC61508-Part 3 Software

•CENELEC 5012x - Railway•CENELEC 50126 RAMS•CENELEC 50128 SW•CENELEC 50129 HW

•IEC61511 – Process Industry•IEC61508-Part 3 Software

•IEC60601 (-1 and –2) - Medical•IEC60601-1 Base•IEC60601- 2 Device Specific•IEC62304 Software Livecycle

© 2009 Wind River


Situation Operator Customer

Reduction of Operational Costs

Compliance to

Safety Standards

Additional Features

Power / Energy

Process Automation

Transportation

Medical

© 2009 Wind River


Safety Requirements / Process

• Architecture– Perform safety review involving Cert Authority and

customer to confirm architecture– Propose architectures to reduce development cost– Concept approval involving Cert Authority

• Requirements – Determine Safety Requirements– Determine Diagnostics

• Tools – Identify qualified tools

© 2009 Wind River


Eclipse

Code Creation/Generation/Debugging

Requirements Definition System Integration/Test

Operations/Deployment

Safety : Certification Services: System Safety: *TUEV: *Verocel

*Wind River :Test Management

Market/User Need

Low-Level Design/Coding

High-Level Design

Simulation/Unit Test and Verification

Subsystem Integration/Test

*Telelogic : DOORSIBM Rational : RequisitePro

*IBM Rational : Rhapsody*Esterel : SCADEsuiteTilcon : Interface Dev. SuiteKW-Software : IEC61131-3

*Esterel : SCADE SuiteThe Mathworks : Simulink, StatemateKW-Software : IEC61131-3

IPL : Cantata++LDRA : Test Bed

LDRA : Test Bed*Wind River :Test Management

Workbench/Eclipse Integrations

Wind River Workbench/VxWorks/Linux/Platform Software

Multicore Enabling Tools

© 2009 Wind River


Modular Design

Safety Critical

Application

VxWorks CERT

Processor

VxWorks CERT BSP

HMI

WRS Linux / VxWorks

Business Issues• Cost• Safety• Features/

Differentiators

WRS Linux / VxWorks BSP

Processor

Separation

Safety

Features

Confidential Information

© 2008 Wind River Systems, Inc.

Safety Solution – Automation, Medical, Transport (IEC61508 / CENELEC 50128, FDA, IEC62304)

VxWorks

Automation Platform (SIL2)

Transport (SIL2)Driver Desk

VxWorks PID

SOAP, XML, OPC, CAN

IEC 61131-3 + Customer Control/Safety Applications

External Communication, Lightweight SCADA

Integrated Graphics, Consumer Connectivity

KW-SW, Acontis, Rockwell, Tilcon

Wind River Partner ECO System

Freescale (8349E)

Safety - CPU 1

VxWorks 6.6 CERT

IEC 61508 Safety & Control

SIL 1/SIL 2 - No Time Separation

Safety Applications

Intel ATOM N270/945GME

Non Safe - CPU 2

Linux (PCD, GPP) or VxWorks

Esterel

Medical Therapy (Class 2-3)-NA Driven – FDA 510(k)

-EMEA Driven – IEC 62304

Automation, Transport, Medical Medical

VxWorks

Freescale (8349E)

Safety - CPU 1

VxWorks 6.6 CERT

DO-178B Safety & Control


Linux

BT, WiFi, Consumer Connectivity

OR

Tilcon

Non-Safe Applications

© 2009 Wind River


Safety Solutions

–Software Unit Test–Software Integration Testing–Porting to target architecture

–Impact Analysis –Execution of tests–Update of Cert Artefacts

–BSP Development –Testing–Implementation of Diagnostics–Cert Artefacts

Safety Critical

Application

VxWorks CERT

Processor

VxWorks CERT BSP

Products + Services

Services

© 2009 Wind River


Time-to-Market Acceleration by Use of OTS Software

© 2009 Wind River


Typical Safety OS Requirements

• Provision of secure and timely data flow – to and from applications and I/O devices

• Controlled access to processing facilities– The access of applications to the underlying hardware processing resources must be managed so that, for

example, any deadlines can be met

• Provision of secure data storage and memory management– The aim here is to secure memory storage from corruption or interference by other applications or the

actions the operating system takes on their behalf

• Provision of consistent execution state– This concerns the consistency of data and is mostly concerned with the state of the system after

initialization

• Provision of health monitoring and failure management – covers partial and controlled failures of the system (operating system, application, hardware)

• General provision of computing resources– This covers provision of any of the services of the OS. A failure of this function would imply an

uncontrolled failure of the OS

© 2009 Wind River


Evidence for OS #1

• Field service experience– Usually information which are difficult to provide

• Testing– OS’s are extremely “stateful”, there being no “reset to known state” until

reboot– Hardware-dependence and ambience-dependence of errors means that

small physical differences may hide a problem temporarily– High rate of changes;– Usage pattern to be determined and frozen (difficult in the context of Linux)– Automated testing tool support such as coverage analysis can be highly

intrusive at the kernel level– Traceability of tests to the specification

© 2009 Wind River


Evidence for OS #2

• Analysis– Manual inspection of design and code for correctness and quality– Code complexity measurements– Checking conformance to coding standards for reliable software– Control and dataflow analysis (which aims to find anomalous code);– Semantic analysis (symbolic execution)– Exception detection, which aims to determine which parts of a

program cannot, may or will raise run-time exceptions such as numeric overflow, divide by zero and illegal address conditions;

– Compliance analysis (formal proof of correctness against a specification)

– Worst case execution time analysis of object code

© 2009 Wind River


Safety Demonstrated – VxWorks

VxWorks 6.x

HW

Board Support Package (BSP)

VxWorks CERT 2.x

Certifiable BSP

HW

Communication (AMP) Communication (AMP)

• Certifiable Sub-profile of VxWorks 6.6 (RTPs to be

added)• Used as CERT OS

• In combination w/ Hypervisor (consolidation of safe&non-safe aps.) • As a CERT OS on safety controller

• Certifiable up to IEC61508 SIL3 and DO-178B Level A

• Certifiable BSP • Hardware abstraction• Interface to board specific safety functions (E.g. BITS, HW diagnostic, Watchdog et.c)

• Real-time / Multiprocessing (RTPs) OS• Usually not used as CERT OS

• Used as OS for non-safe application

• Stand-alone or in combination w/ Hypervisor• In combination w/ VxWorks CERT and HW or SW separation

• Enables innovation by• Feature richness• Broad Partner ECO system

support

• BSP • Hardware abstraction• Interface to board specific functions and devices • Rich set of standard reference board BSPs

Hardware or Software Separation

UDP/TCP Cert Stack

© 2009 Wind River


Wind River Solutions

Wind River General Purpose

Platform

Wind River Linux

Integrated Middleware

VxWorks CertPlatform

VxWorks Cert


VxWorks 653 Platform

VxWorks 653


VxWorks MILS Platform

VxWorks MILS


CC EAL 4, 4+, 6+

Partner Software Ecosystem

Services Practice

Wind River General Purpose

Platform

VxWorks 6


Wind River Workbench On-Chip Debugging

Partner Hardware Ecosystem

© 2009 Wind River


Hypervisor a Separation Concept Supporting Different Levels of

Criticality

© 2009 Wind River


Impact on Shared Resources (1)

CPU-time• Blocking of partitions: due to communication deadlocks;• Wrong allocation of processor execution time, e.g. by using

– Time triggered scheduling;

– Cycling execution scheduling policy;

– Fixed priority based scheduling;

– Monitoring of processor execution time of software partitions according to the allocation;

– Program sequence;

– Arrival rate monitoring.

© 2009 Wind River


Impact on Shared Resources(2)

Memory• Memory protection mechanisms;• Verification of safety-related data;• Offline analysis of code and data of other partitions;• Restricted access to memory;• Static analysis; and• Static allocation

© 2009 Wind River


Impact on Shared Resources(3)

I/O and Communication• Failure of communication peer: communication peer is not

available• Blocking access to data bus• Continuous transmission of messages (babbling idiot)

© 2009 Wind River


Motivation for Separation

• Standardised Approach for Separation

• Limit Software Development Costs

– Certification of safety critical parts only

• Flexibility– Third party deliveries can be easily integrated by OEM

• Maintenance– Less safety-relevant areas can be influenced through

maintenance

• Reusability– Legacy code, Architectural approach

© 2009 Wind River


Case Study: Separation

Business Concern(s)• Cost• Safety• Features/

Differentiators

Usage Scenario(s)• Certification• Consolidation• Usability

Safety Critical

Application

VxWorks CERT

or “bare metal”

Single or Multicore Processor

Wind River Hypervisor (Certifiable)

Control, HMI

WRS Linux / VxWorks

• Preserve certification efforts (IEC 61508, DO178B, FDA 510(k), IEC 62304

• Innovate in new environment

• Industrial, Medical, Energy

Medical

© 2009 Wind River


Business Issues• Cost• Features/

Differentiators• Life-Cycle

Management

Usage Scenarios• Consolidation• Reliability• Usability

Single or Multicore Processor

WR Hypervisor

Case Study: Product Management

• Streamline Product-Life-Cycle Management Process

• Manage Obsolescence• Focus on core

competences• Transport, Energy,

Medical

Visualization

Windows WR Linux

GraphicsData

Aquisition

VxWorks

Medical

© 2009 Wind River


Definitions

• Virtualization - Abstraction of computer resources, hiding the physical characteristics

• Hypervisor - Configurable supervisor program with both separation and scheduling that provides virtualization through software

• Virtual Board (Software Partition in ISO/CD 26262-6) - Environment for one operating system or bare application; has physical and/or virtual hardware controlled by the Hypervisor

© 2009 Wind River


Hypervisor Technology

Virtual Board 2 Virtual Board 3Virtual Board 1

CPU Memory Ethernet1

Physical Board

EthernetMemory SerialCPU

Hypervisor

CPU Memory Ethernet2CPU Memory Serial

© 2009 Wind River


Non-Interference on a Single Computer

• Independence of Execution Software elements will not adversely interfere with each other’s execution behaviour such that a dangerous failure would occur

– Spatial Domaindata used by a one element must not be changed by another element, in particular a non-safety related element

– Spatial separation • MMU & I/OMMU to separate memory domains and I/O domains

• VMMU to set up a system of virtual boards

• Safe Inter Process Communication (SIPC)

© 2009 Wind River


Spatial Separation

User Mode

PrivilegedMode

SystemMode

Virtual Board 1 Virtual Board 2 Virtual Board 3

Wind River Hypervisor

VxWorks

Application

Linux

Application

Application

ConfigurationVirtual Boards

CPU MemCPU Mem ATAEthCPU Mem

Physical Board

ATA Ethernet Memory Core

Serial

VMMU ExceptionInterrupt

Communication

Serial

I/O resources

© 2009 Wind River


Non-Interference on a Single Computer

• Independence of Execution Software elements will not adversely interfere with each other’s execution behaviour such that a dangerous failure would occur

– Temporal Domain one element must not cause another element to function incorrectly by taking too high a share of the available processor execution time, or by blocking execution of the other element by locking a shared resource of some kind

– Temporal Separation• Deterministic scheduling

– Scheduling policy (time slice, priority)• Exception Handling• Cache and DMA Management

© 2009 Wind River


Temporal Separation

VB 1

VB 2

VB 1

VB 2

VB 1

VB 3

VB 1

Major Frame

VB 2S

pa

re T

ime

System Tick

Minor Frame

© 2009 Wind River


• Hardware Certification– Diagnostic measures -> Software Safety Requirements (SSR)

• Allocation SSRs– Hypervisor BSP– SafeOS BSP– Safety Application

• Implementation Hypervisor BSP

• Partitioning claim– Hypervisor and Hypervisor BSP

• Implementation SafeOS BSP– Consideration Safety Manual Hypervisor and Hypervisor BSP

• Implementation Safety Application– Consideration Safety Manual SafeOS and SafeOS BSP

• System Safety Manual

Typical Steps

VirtualBoard 1

VirtualizationHardware

© 2009 Wind River


Outlook

• Next Version of IEC 61508, Part3 specifies technics for separation (Annex G)

• Virtualisation techniques are deployed in Aerospace (e.g 787, A380, A400, C130-AMP...) (ARINC653, DO178B, DO297 / ED124)

• Multi Core CPUs – Shared Resources (Cache, Bus, RAM, I/O devices)– Parallel Computing (SMP, AMP)

• Device virtualization– Directed I/O

© 2009 Wind River



VxWorks



VxWorks PID

SOAP, XML, OPC, CAN




KW-SW, Acontis, Rockwell, Tilcon

Wind River Partner ECO System

Freescale (8349E)

Safety - CPU 1

VxWorks 6.6 CERT



Safety Applications

Freescale / Intel

Non Safe - CPU 2


Esterel




VxWorks

Freescale (8349E)

Safety - CPU 1

VxWorks 6.6 CERT



Linux


OR

Tilcon


© 2009 Wind River



VxWorks



VxWorks PID

SOAP, XML, OPC, CAN




KW-SW, Acontis,Rockwell, TilconWind River Partner ECO System

VxWorks 6.6 CERT


Safety Applications

Freescale / Intel

CPU 1 (Single Core or Multi Core)


Esterel




VxWorks

VxWorks 6.6 CERT


SIL 1/SIL 2 -Time Separation

Linux


OR

Tilcon


WRS Hypervisor

© 2009 wind river information is subject to change without notification hao meng china senior field...

Documents