ERCIM/DECOS WS 2006, Euromicro, Dubrovnik, 2006-08-29

Slide 1
Validation and Certification of Dependable Embedded Systems
Erwin Schoitsch, Egbert Althammer, ARC Seibersdorf research
Slide 2
Contents:
• ARC Seibersdorf research/IT/ITS
• DECOS – IP EU-FP6-511764
• The Generic Test Bench: Concept, Design, Workflow, Tool Integration
• Certification Support: Modular component-based certification – the Generic Safety Case
• Outlook
Slide 3
ARC Seibersdorf research – divisions:
• Information Technologies
• Health Physics
• Biogenetics, Natural Resources
• Life Sciences
• Materials & Production Engineering
• Integrated Microsystems Austria
• Biomedical Engineering
• Intelligent Infrastructures and Space Applications
• Media Research Studios Salzburg
Staff 2005: ca. 540
Seibersdorf Research: largest enterprise of ARC – Austrian Research Centers, Austria's largest independent, contract-oriented research organisation (14 sites, 800 staff)
Slide 4
IT – Dependable Embedded Systems Group
Co-ordinator of EU Integrated Projects DECOS; TT-VisionNode (SensorNode) & SD4SC
Integration of image processing and dependable controls, smart cameras and sensors
Accredited V&V Lab (EN ISO/IEC 17025)
Research topics:
• Methodology & tools for dependable embedded components and systems
• Model-based V&V of components & systems
• Host-target testing with Hardware-in-the-loop (HIL) / Software-in-the-loop (SIL)
• RAMSS/hazard analyses for component-based systems
• European projects and networks on dependability and software process management (ENCRESS, AMSD, ISA-EuNet, SPIRE, OLOS, ACRuDA, ESPITI, DECOS, COOPERS, …)
Slide 5
Integrated Project: DECOS – Dependable Embedded Components and Systems
EU Framework Programme 6: Priority [2] Information Society Technologies
Project facts: start July 1st, 2004; duration 3 years; budget 14.3 Mio €; EU funding 9 Mio €
Objective: development of fundamental (domain- and technology-independent) enabling technologies to facilitate the paradigm shift from federated to integrated design of dependable real-time embedded systems
Slide 6
DECOS Consortium (19 members)
Industrial partners: Airbus, AEV, EADS, Infineon, TTTech, Fiat, Profactor, Hella, Liebherr, Thales, Esterel
Research centres: ARC Seibersdorf (Co-ordinator), SP Swedish Test & Research Institute
Universities: TU Vienna, TU Darmstadt, TU Hamburg, Uni Kassel, Uni Kiel, Budapest University
Slide 7
Electronic Control Systems (Automotive)
State of the art:
• 50–100 Electronic Control Units (ECUs) in luxury-class cars
• High number of cables and connectors
• Separate box for each function
DECOS goals:
• Integrated design
• Significant reduction of ECUs
• HW cost reduction
• Improved dependability
• Providing prototype components, building blocks and patterns
Slide 8
Dependability
State of the art:
• Very complex electronic systems
• High dependability of mechanical components
DECOS goal:
• Support of safety-critical systems (time-triggered communication, redundant components)
• Partitioning of safety-critical and non-safety-critical subsystems, integration on one control unit
• Driver assistance systems, X-by-Wire
Industrial vision: "Aerospace safety at automotive cost" (TTP/C, TT-E)
Slide 9
Development
Set of certifiable HW and SW components in order to significantly reduce the design, deployment and life-cycle cost of dependable embedded applications and increase dependability.
[Figure: model-based tool flow – Simulink models / SCADE model / UML marked PIM → PSM → platform-independent code, middleware (PI), DECOS architecture API (PI), config file, HW resources; tools: SCADE, UML, Simulink gateway, wrappers, SCADE code generator, VIATRA]
Methodologies + tools for "composable & integrated" design of systems:
• Requirements: functionality, dependability, performance (temporal); model-based
• Reusable SW, HW & middleware components
• Automated generation and configuration
• SW→HW allocation, scheduling (predictable)
• SW building blocks and (PIM) patterns
• Component-oriented V&V test bench: framework including methodologies and tools; modular certification
Slide 10
DECOS Tool-Chain
(Different) model-based approaches for: design; test (simulation, verification); configuration; SW development/V&V
[Figure: tool-chain workflow – DAS-PIM, CRD and behaviour model → preparatory steps → allocation jobs→nodes (with additional info, e.g. job size) → candidate PSM → message scheduling and job scheduling (TTPplan/TTPbuild) → configuration → PIL binding (generation) → bound PIL (code) → software model → code generation (SCADE, plain C, Simulink, …; UML or VIATRA; GME) → jobs code (+ wrapper) → deployment → executables, code libs (services, …); C compiler/linker (make)]
Abbreviations:
CRD – Cluster Resource Description
DAS – Distributed Application Subsystem
PIM – Platform Independent Model
PSM – Platform Specific Model
PIL – Platform Interface Layer
GME – Generic Modelling Environment (Vanderbilt University)
VIATRA – VIsual Automated (Model) TRAnsformations (Budapest University of Technology and Economics, BUTE)
SCADE – Safety-Critical Application Development Environment (Esterel Technologies)
TTP – Time-Triggered Protocol (TTTech)
Slide 11
Diagnosis and Maintenance
Reduction of the fault-not-found ratio at the service stations, thus reducing the associated warranty/repair costs, and strengthening the customer's trust in the product by providing:
• an integrated diagnostic infrastructure
• a maintenance-oriented fault model
• out-of-norm assertions
• monitoring and dissemination of diagnostic information
Slide 12
DECOS Application Areas
Automotive, Aerospace, Railways, Industrial Control, Medical Systems, Autonomous Systems
Slide 13
DECOS Application: Aerospace
Flap Control Demonstration System for Airbus Outer Flap System
Slide 14
DECOS Application: Automotive
Hardware-in-the-Loop (HiL) Demonstrator
Traffic Jam Assistant, Door Control System, Heading Control, Adaptive Lighting
Slide 15
DECOS Application: Industrial Control
Vibration Control Demonstration System for Nano-Imprinting Machines
Objective: suppression of critical vibrations in high-end nano-imprinting machines for next-generation sensors, micro-optics, bio- and nanotechnology.
Slide 16
Generic Test Bench: Concept, Design, Workflow
Slide 17
The DECOS Generic Test Bench guides designers through the verification and validation process and helps in identifying and carrying out validation and verification activities as part of the safety case and certification processes (i.e. certifiability; certification itself is outside the scope of DECOS). In detail, this means:
• Following functional safety standards (IEC 61508 and related sector standards, e.g. EN 50129, ISO WD 26262 Automotive, …) and their requirements and processes
• Constituting a framework: defining a workflow from requirements to V&V, generation of modular (component-based) safety cases
• Integrating the combined know-how of the DECOS community on methods, tools, test-house and assessment/evaluation capabilities
Slide 18
Test Bench View: a Framework for V&V&C
[Figure: PIM DAS 1 … PIM DAS k (resource-layer specification incl. PIL description) → HW/SW integration (mapping PIM→PSM) → PSM → deployment onto Node 1 … Node n (components), each with PIL for connector units and DAS jobs + PIL APIs; a "PIL pool" of verified PIL modules/PIL APIs; WP4.2 (verification of architecture and components); selection/configuration (verified); tool-chain validation]
Verify the actual application deployment in a workflow-like manner (DASs, components)
DECOS will considerably simplify system validation and certification!
Slide 19
Functional Safety Life Cycle Processes – IEC 61508 (Generic), ISO WD 26262 (Automotive)
Overall safety lifecycle (IEC 61508-1):
1 Concept
2 Overall scope definition
3 Hazard and risk analysis
4 Overall safety requirements
5 Safety requirements allocation
Overall planning:
6 Overall operation and maintenance planning
7 Overall safety validation planning
8 Overall installation and commissioning planning
Realisation:
9 Safety-related systems: E/E/PES (see E/E/PES safety lifecycle)
10 Safety-related systems: other technology
11 External risk reduction facilities
12 Overall installation and commissioning
13 Overall safety validation
14 Overall operation, maintenance and repair
15 Overall modification and retrofit (back to the appropriate overall safety lifecycle phase)
16 Decommissioning or disposal
Slide 20
(Generic) Test Bench Conceptual Framework
'AUT': Artefact Under Test
[Figure: DECOS Test Bench – requirements (from the DECOS artefact, standard(s) and other sources, e.g. domain) → V&V activities (Validation Plan, V-Plan) → V&V methods, test case generation → V&V tools applied to the AUT incarnation → evidence; positive results feed the certification arguments and the Safety Case, negative results are fed back to the developer]
Slide 21
Overview Test Process
Slide 22
Integration of V&V tools (1)
[Figure: defining V&V activities – V&V activities are stored as DOORS modules in the DOORS database and assembled into the V-Plan; external tools are attached via tool integration (V&V methods/tools, 1:1); executing V&V activities – entering data, status change, tool support; the integration level is defined per tool]
Slide 23
Test Bench Framework – Nested V-Plans
Safety-critical distributed application system – partitioning – HW, SW – IF (communications)
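Slides 20–23 describe the test-bench loop (requirements → V&V activities in a V-Plan → evidence → safety-case argument, with negative results fed back to the developer) and V-Plans nested per component. The following Python is an added example, not DECOS test-bench or DOORS code, that implements the traceability check behind that loop: every requirement of a nested V-Plan is classified as covered, negative, open or uncovered, and a certification argument is only supported when nothing remains in the last three classes. The requirement IDs, activities and tool names in the sample plan are constructed for illustration.

```python
"""Requirement-to-evidence traceability for a nested V-Plan.

Added example (not DECOS project code). The plan structure, requirement IDs
and sample activities are constructed; they only mirror the kind of
top-level node requirements named in the presentation.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Activity:
    """One V&V activity: which requirements it verifies, with which
    method/tool, and the evidence recorded for it (passed=None: not run)."""
    act_id: str
    requirements: List[str]
    method: str
    passed: Optional[bool] = None
    evidence: str = ""


@dataclass
class VPlan:
    """V-Plan of one artefact under test; children are the nested V-Plans
    of its components (e.g. node plan -> PIL module plan)."""
    name: str
    requirements: Dict[str, str]                     # req_id -> text
    activities: List[Activity] = field(default_factory=list)
    children: List["VPlan"] = field(default_factory=list)

    def all_activities(self) -> List[Activity]:
        acts = list(self.activities)
        for child in self.children:
            acts.extend(child.all_activities())
        return acts

    def all_requirements(self) -> Dict[str, str]:
        reqs = dict(self.requirements)
        for child in self.children:
            reqs.update(child.all_requirements())
        return reqs


def evaluate(plan: VPlan) -> dict:
    """Classify every requirement of the (nested) plan.

    covered   : all linked activities have positive evidence
    negative  : some linked activity failed -> feedback to developer
    open      : activities exist but evidence is still missing
    uncovered : no activity traces to the requirement (gap in the V-Plan)
    'certifiable' is True only when every requirement is covered.
    """
    acts = plan.all_activities()
    result = {"covered": [], "negative": [], "open": [], "uncovered": []}
    for req_id in sorted(plan.all_requirements()):
        linked = [a for a in acts if req_id in a.requirements]
        if not linked:
            result["uncovered"].append(req_id)
        elif any(a.passed is False for a in linked):
            result["negative"].append(req_id)
        elif all(a.passed is True for a in linked):
            result["covered"].append(req_id)
        else:
            result["open"].append(req_id)
    result["certifiable"] = not (result["negative"] or result["open"]
                                 or result["uncovered"])
    return result


def sample_plan() -> VPlan:
    """Constructed sample: a node-level plan with one nested component plan."""
    pil = VPlan(
        name="PIL module (component)",
        requirements={"PIL-1": "PIL API reports message age (constructed)"},
        activities=[Activity("A-PIL-1", ["PIL-1"], "unit test", True, "report-pil-1")],
    )
    return VPlan(
        name="DECOS node",
        requirements={
            "N-1": "correct synchronisation with the DECOS network",
            "N-2": "guaranteed transmission times",
            "N-3": "fault encapsulation",
            "N-4": "integrity of transmitted information",
        },
        activities=[
            Activity("A-1", ["N-1"], "HIL test", True, "hil-run-17"),
            Activity("A-2", ["N-2"], "schedule analysis", True, "schedule-log"),
            Activity("A-3", ["N-3"], "fault injection (SWIFI)", False, "fi-run-4"),
            Activity("A-4", ["N-1"], "model checking"),       # planned, no evidence yet
        ],
        children=[pil],
    )


if __name__ == "__main__":
    for key, value in evaluate(sample_plan()).items():
        print(f"{key:12}: {value}")
```

The design point is that a requirement with one passing and one unexecuted activity stays "open" rather than "covered": the V-Plan committed to both activities, so the safety-case argument cannot cite the requirement until the second result exists or the plan is formally changed.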
Slide 24
Generic Test Bench: Tool Integration
Slide 25
Test Bench system properties
• Loosely coupled set of V&V tools
• Technologically heterogeneous environment
• Complex interaction patterns
• Need for: application logic; tool interaction
Slide 26
Manual integration
[Figure: Telelogic DOORS with document repository (DOORS) and mail server; manual processing between Tool 1, Tool 2 and Tool 3]
Slide 27
EMI Hardware Test and Simulation – example for manual integration
• Test input sent to the lab via e-mail + links to data: detailed DUT (Device Under Test) description, EMC phenomena to be tested
• DUT provided by the user (customer) to the lab
• Test equipment set up according to the input
• Tests executed 'manually' at the lab
• Test result and test report returned by e-mail
• Format of input and results standardised
Slide 28
Manual integration:
• Limited automation
• V&V process logic handling needs an expert
• Tool interfacing is not solved
• A large amount of manual work
Message-oriented middleware (MQ) and workflow-based automation is promising!
Slide 29
Message Queue-based integration
[Figure: DOORS and a set of V&V tools (Tool 1, Tool 2, … Tool j) connected through an MQ server (JBoss) with Queue 1, Queue 2, … Queue n; a VIATRA server provides transformations 1, 2, … j between the tools' formats]
Slide 30
Remarks on Tooling
Message-oriented middleware and workflow automation:
• Both fields increasingly become standards-based
• Production-quality Free & Open Source solutions exist
• JBoss or WebSphere? The selling points of commercial products are typically 'enterprise' features and services
Model transformations:
• System integration makes them necessary
• Test bench: extensive usage of transformations
• Tool for model transformations: VIATRA2 (BUTE)
• Proof-of-concept 'transformation service' under development
Slide 31
Integration of initial set of V&V tools (2) – sample list for the first step:
• SCADE MTC* (Model Test Coverage, Esterel)
• VIATRA* (PIM checker)
• LDRA* (static and dynamic testing, functional testing (basic test case generation))
• PROPANE (SWIFI, software-implemented fault injection)
• ITEM (risk/hazard analysis – FMECA, FTA)
Methodology: pre- and post-transformations (ontology-based, tool VIATRA2): transformation of input data, transformation of output data
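Slides 28–31 sketch the integration pattern: tools stay loosely coupled behind message queues, and a transformation service maps each tool's own output format into the test bench's common record before the result reaches the V-Plan. The following Python is an added example, not DECOS, VIATRA2 or JBoss code; it stands in Python's in-process queue.Queue for the MQ server and plain functions for the VIATRA2 transformations. The two tools, their output formats and the messages are constructed for illustration.

```python
"""Queue-decoupled V&V tool integration with per-tool post-transformations.

Added example (not DECOS test-bench code). Tool names, output formats and
messages are constructed; queue.Queue stands in for the MQ server.
"""
import json
import queue
from typing import Callable, Dict

# Common record after post-transformation:
#   {"activity": str, "tool": str, "passed": bool, "detail": str}


def transform_coverage(raw: str) -> dict:
    """Post-transformation for a constructed coverage tool whose output is
    'covered=<n>;total=<n>;target=<percent>'.  Passed iff coverage >= target."""
    fields = dict(kv.split("=") for kv in raw.split(";"))
    covered, total, target = (int(fields[k]) for k in ("covered", "total", "target"))
    pct = 100.0 * covered / total
    return {"passed": pct >= target, "detail": f"coverage {pct:.1f}% (target {target}%)"}


def transform_fault_injection(raw: str) -> dict:
    """Post-transformation for a constructed SWIFI tool emitting JSON
    {"injected": n, "detected": m}.  Passed iff every injected fault was detected."""
    data = json.loads(raw)
    missed = data["injected"] - data["detected"]
    return {"passed": missed == 0,
            "detail": f"{missed} of {data['injected']} faults undetected"}


# One registered transformation per tool (the "1:1" of slide 22).
TRANSFORMATIONS: Dict[str, Callable[[str], dict]] = {
    "coverage-tool": transform_coverage,
    "swifi-tool": transform_fault_injection,
}


def transformation_service(inbox: queue.Queue, outbox: queue.Queue,
                           dead: queue.Queue) -> None:
    """Drain tool result messages, apply the tool's post-transformation and
    forward a common record.  Messages from tools without a registered
    transformation, or with malformed payloads, go to a dead-letter queue
    instead of being silently dropped."""
    while not inbox.empty():
        msg = inbox.get()
        xform = TRANSFORMATIONS.get(msg["tool"])
        if xform is None:
            dead.put({**msg, "error": "no transformation registered"})
            continue
        try:
            record = xform(msg["raw"])
        except (KeyError, ValueError, ZeroDivisionError) as exc:
            dead.put({**msg, "error": repr(exc)})
            continue
        outbox.put({"activity": msg["activity"], "tool": msg["tool"], **record})


def update_activity_status(outbox: queue.Queue) -> Dict[str, str]:
    """Consumer on the requirements-database side: set each V&V activity's
    status from the common records."""
    status: Dict[str, str] = {}
    while not outbox.empty():
        rec = outbox.get()
        status[rec["activity"]] = "passed" if rec["passed"] else "failed: " + rec["detail"]
    return status


def run_demo() -> dict:
    """Constructed message flow: two known tools and one unknown tool."""
    inbox, outbox, dead = queue.Queue(), queue.Queue(), queue.Queue()
    inbox.put({"activity": "A-1", "tool": "coverage-tool",
               "raw": "covered=47;total=50;target=90"})
    inbox.put({"activity": "A-3", "tool": "swifi-tool",
               "raw": '{"injected": 200, "detected": 197}'})
    inbox.put({"activity": "A-9", "tool": "legacy-tool", "raw": "???"})
    transformation_service(inbox, outbox, dead)
    return {"status": update_activity_status(outbox), "dead_letters": dead.qsize()}


if __name__ == "__main__":
    print(run_demo())
```

The dead-letter queue is the part worth copying: in a certification workflow an unparseable or unattributable tool result must remain visible as an unresolved item, never be interpreted as "no finding".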
Slide 32
V&V Process, Certification Process Support (Generic Safety Case(s) as an example)
Slide 33
Modular (component-based) Safety Case
• A Safety Case is an argumentation to convince a licensing authority that a product is "sufficiently safe"
• The Generic Safety Case covers safety issues relevant for any product based on DECOS services
• If possible, show the safety of the DECOS architecture once and for all; this can be reused for the Safety Case of a DECOS-based product
• Assuming fulfilment of the requirements of the DECOS architecture, components and core services (to be proven by the subprojects)
• The Generic Safety Case is based on EN 50129:2003 – similar structure in all IEC 61508-related standards
[Eriksson, 2005] H. Eriksson; Review, Comparison, and Consolidation of Relevant Safety-Related Standards; DECOS_4.1-005; 2005-04-11
Slide 34
Standards landscape: compliance to IEC 61508
IEC 61508 (generic) – sector implementations:
• Railways: EN 50128, EN 50129
• Machinery sector: IEC 62061
• Process sector: IEC 61511
• Medical sector: IEC 60601
• Nuclear sector: IEC 61513
• PLC sector: IEC 61131
• Automotive sector: ISO WD 26262
Standalone and application sector standards; subsystems & components (e.g. PLCs)
Slide 35
Definition of System Boundary (1) (logical)
[Figure: DAS 1 jobs 1–4 and DAS 2 jobs 1–4 exchanging messages over the DECOS high-level services, which are built on the core services]
DECOS high-level services:
• Encapsulated Execution Environment
• Virtual networks
• Gateways
• Diagnosis service
• Fault Tolerance Layer
Slide 36
Definition of System Boundary (2) (hardware)
[Figure: node hardware – communication controller with network interface on the time-triggered bus medium; basic connector unit; safety-critical connector unit and complex connector unit, each hosting applications (jobs) above the platform interface (core services, application programming interface, allocation layer; VN, gateways, diagnosis); safety-critical subsystem vs. non-safety-critical subsystem; push/pull and time-triggered interfaces]
Slide 37
Modular (component-based) Safety Case
As a modular safety case, the safety case for a complete DECOS system will consist of the following parts:
• Safety Case for the DECOS core services – to demonstrate the dependability of the DECOS core services
• Safety Case for DECOS nodes – to demonstrate the dependability of the DECOS nodes
• Safety Case for a DECOS application – to demonstrate the dependability of an application based on the DECOS architecture
Slide 38
As a Generic Safety Case it will not be presented to any licensing authority; it might be used as a template to demonstrate the dependability of the DECOS node.
Therefore the intention of this Generic Safety Case is to direct the DECOS project to those safety issues which will be important when licensing of any product based on the technology developed within the DECOS project is eventually required, and to provide a template for the final Safety Case for certification.
Note: no detailed safety evidence – subproject responsibility
Slide 39
Top-level functional requirements for a DECOS node are:
• to correctly connect the Jobs and the Communication Controller, which is broken down into:
  – to provide correct synchronisation with the DECOS network
  – to provide guaranteed transmission times
  – to provide fault encapsulation
  – to guarantee the integrity of the transmitted information
• general functional requirements:
  – to correctly execute the Fault Tolerance Services
  – to correctly restart a job or a node within a predefined time interval
  – to inform the DECOS network on the DECOS node status
  – to inform the Jobs on the DECOS node status
  – to inform the concerned Jobs on faults detected by the Fault Tolerance Services
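"Guaranteed transmission times" is a property a time-triggered cluster gets from its static slot schedule, which means it can be verified offline as a V&V activity rather than measured. The following Python is an added example, not DECOS, TTP/C or TTPplan code: it checks that the slots of a TDMA round are inside the round and collision-free, and derives each message's worst-case latency up to the end of its node's next slot, for both unsynchronised and time-triggered releases. The round length, slot table, message names and deadlines are constructed.

```python
"""Offline schedulability check for a time-triggered (TDMA) slot schedule.

Added example (not DECOS/TTTech code). Round length, slots, messages and
deadlines below are constructed; the model is a plain TDMA round with one
sender per slot and no protocol overhead.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Slot:
    node: str
    start_us: int        # offset of the slot within the TDMA round
    length_us: int


@dataclass(frozen=True)
class Message:
    name: str
    node: str            # sending node
    deadline_us: int     # allowed time from release to end of transmission
    release_us: Optional[int] = None   # release offset in the round if the
                                       # sending job is time-triggered; None
                                       # if the release is unsynchronised


def check_slots(round_us: int, slots: List[Slot]) -> List[str]:
    """Medium-access check: every slot lies inside the round and no two slots
    overlap.  Returns findings; an empty list means collision-free."""
    findings = []
    ordered = sorted(slots, key=lambda s: s.start_us)
    for s in ordered:
        if s.start_us < 0 or s.start_us + s.length_us > round_us:
            findings.append(f"{s.node}: slot [{s.start_us}, {s.start_us + s.length_us}) "
                            f"leaves the {round_us} us round")
    for a, b in zip(ordered, ordered[1:]):
        if a.start_us + a.length_us > b.start_us:
            findings.append(f"{a.node} [{a.start_us}, {a.start_us + a.length_us}) "
                            f"overlaps {b.node} starting at {b.start_us}")
    return findings


def worst_case_latency(round_us: int, slots: List[Slot], msg: Message) -> int:
    """Time from release to the end of the next slot of the sending node.

    A release is only served by a slot that starts strictly after it (the data
    must be ready before the slot).  For an unsynchronised release the worst
    case is a release exactly at one of the node's slot starts, which then
    waits for the node's following slot, possibly in the next round."""
    own = sorted((s for s in slots if s.node == msg.node), key=lambda s: s.start_us)
    if not own:
        raise ValueError(f"node {msg.node} has no slot in the schedule")
    bounds = [(s.start_us, s.start_us + s.length_us) for s in own]
    if msg.release_us is None:
        worst = 0
        for i, (start, _) in enumerate(bounds):
            nxt_start, nxt_end = bounds[(i + 1) % len(bounds)]
            if nxt_start <= start:          # next own slot is in the following round
                nxt_end += round_us
            worst = max(worst, nxt_end - start)
        return worst
    for start, end in bounds:
        if start > msg.release_us:
            return end - msg.release_us
    _, end = bounds[0]                        # wrap to the first slot of the next round
    return end + round_us - msg.release_us


def check_deadlines(round_us: int, slots: List[Slot],
                    messages: List[Message]) -> Dict[str, Tuple[int, bool]]:
    """Map each message to (worst-case latency in us, deadline met?)."""
    result = {}
    for m in messages:
        latency = worst_case_latency(round_us, slots, m)
        result[m.name] = (latency, latency <= m.deadline_us)
    return result


# Constructed cluster: 10 ms round, node A owns two slots, B and C one each.
ROUND_US = 10_000
SLOTS = [Slot("A", 0, 1000), Slot("B", 1000, 500), Slot("C", 2000, 1000), Slot("A", 5000, 1000)]
MESSAGES = [
    Message("brake_cmd", "A", deadline_us=6000),                  # unsynchronised
    Message("door_status", "B", deadline_us=8000),                # unsynchronised
    Message("sensor_tt", "C", deadline_us=2000, release_us=1200), # time-triggered
    Message("sensor_late", "C", deadline_us=9000, release_us=2500),
]

if __name__ == "__main__":
    for finding in check_slots(ROUND_US, SLOTS):
        print("slot conflict:", finding)
    for name, (lat, ok) in check_deadlines(ROUND_US, SLOTS, MESSAGES).items():
        print(f"{name}: worst-case {lat} us -> {'OK' if ok else 'DEADLINE MISSED'}")
```

The sample shows the two ways a deadline is lost in a time-triggered design: a node with a single slot whose period is longer than the deadline (door_status), and a time-triggered job whose release just misses its own slot and therefore waits nearly a full round (sensor_late). Both are schedule defects, fixed by changing the slot table, not by tuning the software.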
Slide 40
Analysis for the Generic Safety Case is based upon the following functional requirements documents:
• DECOS Architecture Claims
• Requirements Specification Optimised Fault-Tolerance Layer
• Requirements Specification Platform Interface (PIL and PIL API)
• Requirements Specification Virtual Communication Links and Gateways
• Requirements Specification Encapsulated Execution Environment
• Collection of Requirements for Validation of Dependability
• Guideline for the Application of IEC 61508 and Consolidated Criteria
Slide 41
Top-Level Safety Requirements:
• All the functional requirements identified shall be satisfied with a Safety Integrity Level of SIL 4 or equivalent.
  Note: the hardware reliability required for a given application at the higher SILs may only be realisable e.g. by redundant nodes.
• The correct functioning of a node shall not be disturbed by EMI.
All functional requirements are mapped to safety requirements. Certain requirements are not applicable to the Generic Safety Case, because the generic part is not an application but pre-competitive research, not a final product (e.g. safety management plan, QM plan, environmental or application-specific hazards).
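The note that higher SILs may only be realisable with redundant nodes can be made concrete with the IEC 61508 high-demand PFH bands (average frequency of a dangerous failure per hour: SIL 4 is 1e-9 ≤ PFH < 1e-8, SIL 3 up to 1e-7, SIL 2 up to 1e-6, SIL 1 up to 1e-5). The following Python is an added example, not part of the DECOS safety case; the node failure rate, common-cause factor and detection interval are constructed inputs, and the 1oo2 expression is the simplified IEC 61508-6 style approximation (two independent dangerous failures within the channel equivalent down time, plus the common-cause fraction), not a full FMEDA or Markov analysis.

```python
"""SIL claim from PFH for a single node versus a 1oo2 redundant node pair.

Added example (not DECOS safety-case material). Inputs are constructed;
the 1oo2 formula is the simplified IEC 61508-6 approximation.
"""
from typing import Dict, Optional, Tuple

# IEC 61508-1 high-demand / continuous mode: (SIL, lower bound, upper bound) of PFH per hour
PFH_BANDS = [(4, 1e-9, 1e-8), (3, 1e-8, 1e-7), (2, 1e-7, 1e-6), (1, 1e-6, 1e-5)]


def sil_for_pfh(pfh: float) -> Optional[int]:
    """SIL claimable for a PFH in high-demand mode.  None if PFH >= 1e-5
    (no SIL); values below 1e-9 are still reported as SIL 4, the highest level."""
    if pfh >= 1e-5:
        return None
    for sil, _lo, hi in PFH_BANDS:
        if pfh < hi:
            return sil
    return None  # unreachable: every pfh < 1e-5 falls into some band


def pfh_1oo1(lam_d: float) -> float:
    """Single node: the PFH is its dangerous failure rate per hour."""
    return lam_d


def pfh_1oo2(lam_d: float, beta: float, t_ce_h: float) -> float:
    """Simplified 1oo2 (either of two nodes suffices):
    both nodes fail dangerously and independently within the channel
    equivalent down time t_ce (factor 2 for the two orders), plus the
    common-cause fraction beta of the dangerous failure rate."""
    independent = 2 * ((1 - beta) * lam_d) ** 2 * t_ce_h
    common_cause = beta * lam_d
    return independent + common_cause


def compare(lam_d: float, beta: float, t_ce_h: float) -> Dict[str, Tuple[float, Optional[int]]]:
    """(PFH, SIL) for the single node and for the 1oo2 pair."""
    p1 = pfh_1oo1(lam_d)
    p2 = pfh_1oo2(lam_d, beta, t_ce_h)
    return {"1oo1": (p1, sil_for_pfh(p1)), "1oo2": (p2, sil_for_pfh(p2))}


if __name__ == "__main__":
    # Constructed node: 2e-7 dangerous failures per hour; a failed node is
    # detected and restarted/repaired within 8 h; common-cause factor 2% or 10%.
    for beta in (0.02, 0.10):
        r = compare(lam_d=2e-7, beta=beta, t_ce_h=8.0)
        print(f"beta={beta:.2f}: 1oo1 PFH={r['1oo1'][0]:.2e} -> SIL {r['1oo1'][1]}, "
              f"1oo2 PFH={r['1oo2'][0]:.2e} -> SIL {r['1oo2'][1]}")
```

Two lessons follow from the numbers. First, the 1oo2 PFH is dominated by the common-cause term beta·λ, so redundancy buys SIL 4 only while common-cause failures (shared power, shared clock, shared software defect) are kept down; with beta = 0.1 the same pair reaches SIL 3 at best. Second, the PFH band is necessary but not sufficient: IEC 61508-2 additionally imposes architectural constraints (hardware fault tolerance against safe failure fraction) that a single-channel element generally cannot satisfy at SIL 4, which is an independent reason the slide points to redundant nodes.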
Slide 42
Details: Generic Safety Case (EN 50129)
• Quality Management Report (not available in pre-competitive research)
• Safety Management Report (no application, research only – not available) – hint for product development!
• TECHNICAL SAFETY REPORT – key elements:
5.2 Assurance of Correct Functional Operation
5.2.1 System Architecture Description
5.2.2 Definition of Interfaces
  5.2.2.1 Man-Machine Interfaces
  5.2.2.2 System Interfaces
5.2.3 Fulfilment of System Functional Requirements Specification
5.2.4 Fulfilment of System Safety Requirements Specification
5.2.5 Assurance of Correct Hardware Functionality
5.2.6 Assurance of Correct Software Functionality
Slide 43
TECHNICAL SAFETY REPORT – key elements (2), discussed in the context of the requirements (N/A: not applicable for the generic safety case)
5.3 Effects of Faults
5.3.1 Single Faults
5.3.2 Independence of Items
5.3.3 Detection of Single Faults
5.3.4 Action Following Detection
5.3.5 Effects of Multiple Faults
5.3.6 Defence against Systematic Faults
5.4 Operation with External Influences
5.4.1 Climatic Conditions – N/A (application dependent)
5.4.2 Mechanical Conditions – N/A
5.4.3 Altitude – N/A
5.4.4 Electrical Conditions – N/A
5.4.5 Protection against Unauthorised Access
5.4.6 More Severe Conditions – N/A (application dependent)
5.5 Safety-Related Application Conditions
5.6 Safety Qualification Tests
5.6.1 Requirements
5.6.2 Results
Slide 44
Conclusions
The arguments presented in the previous parts of the Safety Case show that a DECOS node is adequately safe to be part of a safety-relevant system (subject to compliance with the specified application conditions).
This is guaranteed by the following principles and services:
• Fault-tolerant clock synchronisation
• Predictable, deterministic and timely transport of messages
• Strong fault isolation (fault encapsulation)
• Fault tolerance service
• The assumed properties of the DECOS high-level services
• The software of the DECOS node is SIL 4
Slide 45
Discussion
DECOS project: http://www.decos.at
ARC-Sr, IT: http://www.smart-systems.at
Become a DECOS Interest Group Member for free: access to certain DECOS documents – mail to erwin.schoitsch@arcs.ac.at