Hypervisor: an Off-the-Shelf-Based Separation Concept to Improve Time-to-Revenue (Medical)
Hao Meng, Senior Field Application Engineer, Industrial/Medical Solutions, Wind River China
© 2009 Wind River. Information is subject to change without notification.

Agenda
• A medical safety market observation, and how adjacent market segments address cost-effective safety
• Time-to-market acceleration by use of OTS (off-the-shelf) software
• Hypervisor: a separation concept supporting different levels of criticality

A Medical Safety Market Observation and How Adjacent Market Segments Address Cost-Effective Safety

The Industrial Market – Trends
• Segments: Aerospace & Defense, Power/Energy, Transportation, Medical, Process Automation
• Trends: Openness, Consolidation, Connectivity, Safety/Security

Control Automation Overview: Derivative Safety Standards (from IEC 61508)
• IEC 61508: safety meta-specification, Parts 1–7
• Related guidance: ISO TR 15497, MISRA Guidelines, ECSS-E-40A (EMEA space), RTCA DO-178B (aerospace software), RTCA DO-254 (aerospace hardware), NASA-GB-1740 (software guidebook), DIN EN 9875 (maritime), ...
• IEC 61513 – Nuclear Power
  – IEC 61513 system aspects
  – IEC 61226 classification
  – IEC 60987 hardware requirements
  – IEC 62138 software, Category B and C functions
  – IEC 60880 software, Category A functions
• IEC 62061 – Machine Industry
  – IEC 61508 Part 3 software
• CENELEC 5012x – Railway
  – CENELEC 50126 RAMS
  – CENELEC 50128 software
  – CENELEC 50129 hardware
• IEC 61511 – Process Industry
  – IEC 61508 Part 3 software
• IEC 60601 (-1 and -2) – Medical
  – IEC 60601-1 base standard
  – IEC 60601-2 device-specific standards
  – IEC 62304 software life cycle

Situation
• Operator and customer drivers across Transportation, Process Automation, Medical and Power/Energy:
  – Reduction of operational costs
  – Compliance with safety standards
  – Additional features

Safety Requirements / Process
• Architecture
  – Perform a safety review involving the certification authority and the customer to confirm the architecture
  – Propose architectures that reduce development cost
  – Concept approval involving the certification authority
• Requirements
  – Determine safety requirements
  – Determine diagnostics
• Tools
  – Identify qualified tools

Multicore Enabling Tools (tool chain by life-cycle phase)
• Market/user need, operations/deployment
• Requirements definition: Telelogic DOORS, IBM Rational RequisitePro
• High-level design: IBM Rational Rhapsody, Esterel SCADE Suite, Tilcon Interface Development Suite, KW-Software IEC 61131-3
• Low-level design/coding: Esterel SCADE Suite; The MathWorks Simulink, Statemate; KW-Software IEC 61131-3
• Simulation/unit test and verification: IPL Cantata++, LDRA Test Bed
• Code creation/generation/debugging: Wind River Workbench, VxWorks, Linux, Platform software, Workbench/Eclipse integrations
• Subsystem integration/test: LDRA Test Bed, Wind River Test Management (Eclipse)
• System integration/test, certification services, system safety: TÜV, Verocel, Wind River Test Management

Modular Design
• Business issues: cost, safety, features/differentiators
• Safety side: safety-critical application on VxWorks CERT with a VxWorks CERT BSP on its own processor
• HMI side: HMI on Wind River Linux or VxWorks with its BSP on a separate processor
• Separation between the two sides

Safety Solutions – Products and Services
• Products: VxWorks CERT and VxWorks CERT BSP (the safety-critical application and the processor are the customer's)
• Services:
  – Software unit test
  – Software integration testing
  – Porting to the target architecture
  – Impact analysis
  – Execution of tests
  – Update of certification artefacts
  – BSP development and testing
  – Implementation of diagnostics
  – Certification artefacts

Time-to-Market Acceleration by Use of OTS Software

Typical Safety OS Requirements
• Provision of secure and timely data flow – to and from applications and I/O devices
• Controlled access to processing facilities – the access of applications to the underlying hardware processing resources must be managed so that, for example, deadlines can be met
• Provision of secure data storage and memory management – the aim is to secure memory storage from corruption or interference by other applications, or by the actions the operating system takes on their behalf
• Provision of consistent execution state – this concerns the consistency of data and is mostly concerned with the state of the system after initialization
• Provision of health monitoring and failure management – covers partial and controlled failures of the system (operating system, application, hardware)
• General provision of computing resources – covers provision of any of the services of the OS; a failure of this function would imply an uncontrolled failure of the OS

Evidence for OS #1
• Field service experience
  – Usually information that is difficult to provide
• Testing
  – OSs are extremely "stateful": there is no "reset to known state" until reboot
  – Hardware dependence and ambience dependence of errors means that small physical differences may hide a problem temporarily
  – High rate of changes
  – Usage pattern to be determined and frozen (difficult in the context of Linux)
  – Automated testing tool support such as coverage analysis can be highly intrusive at the kernel level
  – Traceability of tests to the specification

Evidence for OS #2
• Analysis
  – Manual inspection of design and code for correctness and quality
  – Code complexity measurements
  – Checking conformance to coding standards for reliable software
  – Control and data flow analysis (which aims to find anomalous code)
  – Semantic analysis (symbolic execution)
  – Exception detection, which aims to determine which parts of a program cannot, may or will raise run-time exceptions such as numeric overflow, divide by zero and illegal address conditions
  – Compliance analysis (formal proof of correctness against a specification)
  – Worst-case execution time analysis of object code

Safety Demonstrated – VxWorks
• VxWorks CERT 2.x
  – Certifiable sub-profile of VxWorks 6.6 (RTPs to be added)
  – Used as the CERT OS
  – In combination with the Hypervisor (consolidation of safe and non-safe applications)
  – As a CERT OS on a safety controller
  – Certifiable up to IEC 61508 SIL 3 and DO-178B Level A
  – Certifiable BSP: hardware abstraction; interface to board-specific safety functions (e.g. BITs, hardware diagnostics, watchdog etc.)
  – UDP/TCP CERT stack
• VxWorks 6.x
  – Real-time / multiprocessing (RTPs) OS
  – Usually not used as the CERT OS; used as the OS for non-safe applications
  – Stand-alone or in combination with the Hypervisor
  – In combination with VxWorks CERT and hardware or software separation
  – Enables innovation through feature richness and broad partner ecosystem support
  – BSP: hardware abstraction; interface to board-specific functions and devices; rich set of standard reference board BSPs
• The two sides communicate via AMP, each on its Board Support Package (BSP) over the hardware, with hardware or software separation between them

Wind River Solutions
• Wind River Workbench, on-chip debugging, partner software ecosystem, partner hardware ecosystem, services practice
• General Purpose Platform: VxWorks 6 with integrated middleware
• General Purpose Platform: Wind River Linux with integrated middleware
• VxWorks Cert Platform: VxWorks Cert with integrated middleware
• VxWorks 653 Platform: VxWorks 653 with integrated middleware
• VxWorks MILS Platform: VxWorks MILS with integrated middleware (CC EAL 4, 4+, 6+)

Hypervisor: a Separation Concept Supporting Different Levels of Criticality

Impact on Shared Resources (1): CPU Time
• Blocking of partitions, e.g. due to communication deadlocks
• Wrong allocation of processor execution time, addressed e.g. by using
  – Time-triggered scheduling
  – Cyclic execution scheduling policy
  – Fixed-priority-based scheduling
  – Monitoring of the processor execution time of software partitions against the allocation
  – Program sequence monitoring
  – Arrival rate monitoring
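The CPU-time measures on this slide (time-triggered cyclic scheduling, monitoring of execution time against the allocation, arrival rate monitoring) and the major/minor frame picture on the later Temporal Separation slide, as an added Python example. This is not Wind River code and does not model the Wind River Hypervisor's actual scheduler; the frame layout, tick budgets, guest workloads and interrupt limits are constructed for illustration.

```python
"""Time-partitioned scheduling of virtual boards with execution-time and
arrival-rate monitoring. Added illustration; not Wind River code and not the
Wind River Hypervisor's real scheduler. Frame layout, budgets, workloads and
limits below are constructed."""
from dataclasses import dataclass, field


@dataclass
class VirtualBoard:
    name: str
    demand: list            # constructed: ticks the guest wants on each activation (cycles)
    arrivals: list          # constructed: interrupts it raises per major frame (cycles)
    max_arrivals: int       # arrival-rate limit per major frame
    ticks_used: int = 0
    activations: int = 0


@dataclass
class Window:
    vb: str                 # owning virtual board, or "spare"
    budget: int             # length in ticks; the window ends on time whatever the guest does


@dataclass
class TimePartitionedScheduler:
    major_frame: list       # fixed sequence of Window; repeats every major frame
    vbs: dict               # name -> VirtualBoard
    violations: list = field(default_factory=list)
    trace: list = field(default_factory=list)   # (tick, vb, ticks granted)

    def run(self, frames: int) -> dict:
        tick = 0
        for frame in range(frames):
            for w in self.major_frame:
                if w.vb != "spare":
                    vb = self.vbs[w.vb]
                    wanted = vb.demand[vb.activations % len(vb.demand)]
                    vb.activations += 1
                    # Time-triggered dispatch: a guest gets at most its budget.
                    # Wanting more is preempted and reported, never extended.
                    granted = min(wanted, w.budget)
                    vb.ticks_used += granted
                    self.trace.append((tick, vb.name, granted))
                    if wanted > w.budget:
                        self.violations.append(("OVERRUN", frame, vb.name, wanted, w.budget))
                tick += w.budget
            # Arrival-rate monitoring: a partition flooding the system with
            # interrupts is flagged even if it stayed inside its CPU budget.
            for vb in self.vbs.values():
                n = vb.arrivals[frame % len(vb.arrivals)]
                if n > vb.max_arrivals:
                    self.violations.append(("ARRIVAL_RATE", frame, vb.name, n, vb.max_arrivals))
        return {
            "ticks": tick,
            "used": {name: vb.ticks_used for name, vb in self.vbs.items()},
            "violations": list(self.violations),
        }


def run_schedule_demo() -> dict:
    """Two major frames of a constructed schedule: VB1 (safety application)
    runs twice per major frame; VB2 (general-purpose guest) misbehaves in the
    second frame by wanting 9 ticks and raising 500 interrupts."""
    vbs = {
        "VB1": VirtualBoard("VB1", demand=[3, 4], arrivals=[10], max_arrivals=50),
        "VB2": VirtualBoard("VB2", demand=[3, 9], arrivals=[20, 500], max_arrivals=100),
        "VB3": VirtualBoard("VB3", demand=[2], arrivals=[0], max_arrivals=10),
    }
    major_frame = [Window("VB1", 4), Window("VB2", 3), Window("VB3", 2),
                   Window("VB1", 4), Window("spare", 2)]          # 15 ticks per major frame
    return TimePartitionedScheduler(major_frame, vbs).run(frames=2)


if __name__ == "__main__":
    print(run_schedule_demo())
```

The point of the design is that the major frame always takes exactly 15 ticks and VB1 always receives the time it asked for (14 ticks over two frames), regardless of what VB2 does: VB2's overrun is clipped to its 3-tick window and reported, and its interrupt storm is caught by the separate arrival-rate check.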
Impact on Shared Resources (2): Memory
• Memory protection mechanisms
• Verification of safety-related data
• Offline analysis of code and data of other partitions
• Restricted access to memory
• Static analysis
• Static allocation

Impact on Shared Resources (3): I/O and Communication
• Failure of communication peer: the peer is not available
• Blocking access to the data bus
• Continuous transmission of messages (babbling idiot)

Motivation for Separation
• Standardised approach for separation
• Limit software development costs
  – Certification of the safety-critical parts only
• Flexibility
  – Third-party deliveries can be easily integrated by the OEM
• Maintenance
  – Less safety-relevant areas can be modified through maintenance
• Reusability
  – Legacy code, architectural approach

Case Study: Separation
• Business concerns: cost, safety, features/differentiators
• Usage scenarios: certification, consolidation, usability
• Architecture: safety-critical application on VxWorks CERT or "bare metal" beside control/HMI on Wind River Linux or VxWorks, both on the Wind River Hypervisor (certifiable) on a single- or multicore processor
• Medical
  – Preserve certification efforts (IEC 61508, DO-178B, FDA 510(k), IEC 62304)
  – Innovate in a new environment
  – Also industrial and energy

Case Study: Product Management
• Business issues: cost, features/differentiators, life-cycle management
• Usage scenarios: consolidation, reliability, usability
• Architecture: visualization and graphics on Windows, data acquisition on VxWorks, plus Wind River Linux, all on the Wind River Hypervisor on a single- or multicore processor
• Medical
  – Streamline the product life-cycle management process
  – Manage obsolescence
  – Focus on core competences
  – Also transport and energy

Definitions
• Virtualization: abstraction of computer resources, hiding the physical characteristics
• Hypervisor: configurable supervisor program with both separation and scheduling that provides virtualization through software
• Virtual Board (software partition in ISO/CD 26262-6): environment for one operating system or bare application; has physical and/or virtual hardware controlled by the Hypervisor

Hypervisor Technology
• Virtual Board 1: CPU, memory, Ethernet1
• Virtual Board 2: CPU, memory, serial
• Virtual Board 3: CPU, memory, Ethernet2
• The Hypervisor maps these onto the physical board: CPU, memory, Ethernet, serial

Non-Interference on a Single Computer
• Independence of execution: software elements will not adversely interfere with each other's execution behaviour such that a dangerous failure would occur
• Spatial domain: data used by one element must not be changed by another element, in particular a non-safety-related element
• Spatial separation
  – MMU and I/O MMU to separate memory domains and I/O domains
  – VMMU to set up a system of virtual boards
  – Safe Inter-Process Communication (SIPC)

Spatial Separation (figure)
• Virtual Board 1: application on Linux; Virtual Board 2: application on VxWorks; Virtual Board 3: bare application
• Guest applications run in user mode, guest OSs in privileged mode, the Wind River Hypervisor in system mode
• Each virtual board sees its own CPU and memory plus its assigned devices (Ethernet, ATA, serial); the Hypervisor owns the VMMU, interrupts, exceptions, communication, I/O resources and configuration over the physical board (core, memory, serial, ATA, Ethernet)

Non-Interference on a Single Computer
• Independence of execution: software elements will not adversely interfere with each other's execution behaviour such that a dangerous failure would occur
• Temporal domain: one element must not cause another element to function incorrectly by taking too high a share of the available processor execution time, or by blocking execution of the other element by locking a shared resource of some kind
• Temporal separation
  – Deterministic scheduling: scheduling policy (time slice, priority)
  – Exception handling
  – Cache and DMA management

Temporal Separation (figure)
• The system tick drives a sequence of minor frames; a fixed sequence of minor frames forms the major frame, which repeats
• Each minor frame is assigned to one virtual board (VB 1, VB 2, VB 3) or left as spare time

Typical Steps
• Hardware certification
  – Diagnostic measures -> software safety requirements (SSRs)
• Allocation of SSRs
  – Hypervisor BSP
  – SafeOS BSP
  – Safety application
• Implementation of the Hypervisor BSP
  – Partitioning claim: virtualization hardware, Hypervisor and Hypervisor BSP
• Implementation of the SafeOS BSP
  – Consider the safety manual of the Hypervisor and Hypervisor BSP
• Implementation of the safety application
  – Consider the safety manual of SafeOS and SafeOS BSP
• System safety manual

Outlook
• The next version of IEC 61508 Part 3 specifies techniques for separation (Annex G)
• Virtualisation techniques are deployed in aerospace (e.g. 787, A380, A400, C-130 AMP; ARINC 653, DO-178B, DO-297 / ED-124)
• Multicore CPUs
  – Shared resources (cache, bus, RAM, I/O devices)
  – Parallel computing (SMP, AMP)
• Device virtualization
  – Directed I/O

Safety Solution – Automation, Medical, Transport (IEC 61508 / CENELEC 50128, FDA, IEC 62304)
• Targets: Transport (SIL 2) driver desk; Automation platform (SIL 2); Medical therapy (Class 2–3), NA driven by FDA 510(k), EMEA driven by IEC 62304
• Safety side: IEC 61131-3 plus customer control/safety applications (KW-Software, Esterel) on VxWorks 6.6 CERT; IEC 61508 safety and control, or DO-178B safety and control
• Non-safe side: Wind River partner ecosystem (Tilcon, KW-Software, Acontis, Rockwell); external communication and lightweight SCADA (SOAP, XML, OPC, CAN); integrated graphics and consumer connectivity (BT, WiFi); on Linux (PCD, GPP) or VxWorks PID
• Two-CPU variant: safety on CPU 1 (Freescale 8349E), non-safe on CPU 2 (Freescale / Intel); SIL 1/SIL 2, no time separation
• Hypervisor variant: the same safety and non-safe stacks on the Wind River Hypervisor on CPU 1 (single core or multicore, Freescale / Intel); SIL 1/SIL 2 with time separation
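The I/O and communication failure modes listed under Impact on Shared Resources (3) (peer not available, babbling idiot), the "verification of safety-related data" item under Memory, and the Safe Inter-Process Communication (SIPC) mechanism named under spatial separation, as an added Python example of the receiver-side checks such a channel needs. This is not Wind River code and not the actual SIPC protocol; the frame layout (sequence number, sender timestamp, length, CRC-32), the limits and the message trace are constructed for illustration.

```python
"""Safe inter-partition messaging checks over an untrusted ("black") channel.
Added illustration; not Wind River code and not the actual SIPC protocol or
frame format. Header layout, limits and the message trace are constructed."""
import struct
import zlib

HEADER = struct.Struct("<IIH")   # seq (u32), sender timestamp in ms (u32), payload length (u16)
CRC = struct.Struct("<I")        # CRC-32 over header and payload


def pack(seq: int, ts_ms: int, payload: bytes) -> bytes:
    """Frame a message as header || payload || CRC-32."""
    body = HEADER.pack(seq, ts_ms, len(payload)) + payload
    return body + CRC.pack(zlib.crc32(body) & 0xFFFFFFFF)


class SafeReceiver:
    """Receiver side of one safety channel. A babbling or silent peer latches
    the channel into fail-safe; leaving it again is a deliberate operator action."""

    def __init__(self, start_ms, timeout_ms=100, max_age_ms=30, window_ms=40, max_per_window=5):
        self.timeout_ms, self.max_age_ms = timeout_ms, max_age_ms
        self.window_ms, self.max_per_window = window_ms, max_per_window
        self.last_seq = None
        self.last_rx_ms = start_ms            # silence from the very start counts too
        self.window_start, self.window_count = start_ms, 0
        self.failsafe = False

    def receive(self, frame: bytes, now_ms: int):
        """Return (verdict, payload); payload is delivered only on 'OK'."""
        if self.failsafe:
            return "FAILSAFE", None
        # Arrival-rate monitor runs first and counts every frame, valid or not:
        # a babbling idiot is detected by volume, not by content.
        if now_ms - self.window_start >= self.window_ms:
            self.window_start, self.window_count = now_ms, 0
        self.window_count += 1
        if self.window_count > self.max_per_window:
            self.failsafe = True
            return "BABBLING", None
        if len(frame) < HEADER.size + CRC.size:
            return "LENGTH", None
        body, (crc,) = frame[:-CRC.size], CRC.unpack(frame[-CRC.size:])
        if zlib.crc32(body) & 0xFFFFFFFF != crc:
            return "CRC", None
        seq, ts_ms, length = HEADER.unpack(body[:HEADER.size])
        payload = body[HEADER.size:]
        if len(payload) != length:
            return "LENGTH", None
        if self.last_seq is not None and seq <= self.last_seq:
            return "DUPLICATE", None          # replayed or reordered old frame
        gap = self.last_seq is not None and seq != self.last_seq + 1
        # The frame is genuine and new, so the peer is alive: advance the counter
        # and the watchdog even if the data itself is rejected below.
        self.last_seq, self.last_rx_ms = seq, now_ms
        if not 0 <= now_ms - ts_ms <= self.max_age_ms:
            return "STALE", None              # delayed in transit (or clock skew)
        if gap:
            return "GAP", None                # frames were lost; resynced, this data withheld
        return "OK", payload

    def poll(self, now_ms: int) -> str:
        """Periodic watchdog check for a silent peer."""
        if self.failsafe:
            return "FAILSAFE"
        if now_ms - self.last_rx_ms > self.timeout_ms:
            self.failsafe = True
            return "PEER_TIMEOUT"
        return "OK"


def run_channel_demo():
    """Constructed trace: good frames, a replay, a corrupted frame, lost frames,
    a delayed frame and finally a burst that trips the babbling-idiot limit."""
    rx = SafeReceiver(start_ms=0)
    seq2 = pack(2, 10, b"torque=12")
    bad = bytearray(pack(3, 25, b"torque=13"))
    bad[HEADER.size] ^= 0x01                                  # flip the first payload byte
    events = [(0, pack(1, 0, b"torque=11")),
              (10, seq2),
              (20, seq2),                                     # replay of seq 2
              (25, bytes(bad)),                               # corrupted in transit
              (30, pack(5, 30, b"torque=15")),                # seq 3 and 4 never arrive
              (45, pack(6, 10, b"torque=16"))]                # stamped 35 ms ago: too old
    events += [(50 + i, pack(7 + i, 50 + i, b"torque=17")) for i in range(5)]  # 5 frames in 5 ms
    verdicts, delivered = [], []
    for now_ms, frame in events:
        verdict, payload = rx.receive(frame, now_ms)
        verdicts.append(verdict)
        if payload is not None:
            delivered.append(payload)
    quiet = SafeReceiver(start_ms=0)                          # a peer that never sends
    return verdicts, delivered, [quiet.poll(50), quiet.poll(150)], rx.failsafe


if __name__ == "__main__":
    print(run_channel_demo())
```

Two design choices are worth noting. The arrival-rate check runs before any parsing, so a partition that floods the channel is stopped by message count alone and cannot exhaust the receiver with frames that merely fail the CRC. And a frame that is genuine but late still advances the sequence counter and the liveness watchdog: the peer is evidently alive, only that particular datum is unusable, which keeps the "peer not available" and "stale data" failure modes distinguishable.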