
Hao Meng China Senior Field Application Engineer Industrial/Medical Solutions



Presentation Transcript


  1. Hypervisor an Off-the-Shelf Based Separation Concept to Improve Time-to-Revenue Medical. Hao Meng, China Senior Field Application Engineer, Industrial/Medical Solutions

  2. Agenda • A medical safety market observation and how adjacent market segments address cost effective safety • Time-to-market acceleration by use of OTS (off-the-shelf) software • Hypervisor a separation concept supporting different levels of criticality

  3. A Medical Safety Market Observation and How Adjacent Market Segments Address Cost Effective Safety

  4. The Industrial Market - Trends (diagram): market segments Aerospace & Defense, Transportation, Control Automation, Power / Energy, Process Automation and Medical, with the cross-cutting trends Openness, Consolidation, Connectivity and Safety / Security

  5. Overview Derivative Safety Standards (from IEC61508)
     • Safety: IEC61508 meta specification, Part 1...7
     • IEC61513 – Nuclear Power: IEC61513 System Aspect; IEC61226 classification; IEC60987 Hardware Requirements; IEC62138 Software Cat. B&C functions; IEC60880 Software Cat. A functions
     • IEC62061 – Machine Industry: IEC61508-Part 3 Software
     • CENELEC 5012x – Railway: CENELEC 50126 RAMS; CENELEC 50128 SW; CENELEC 50129 HW
     • IEC61511 – Process Industry: IEC61508-Part 3 Software
     • IEC60601 (-1 and -2) – Medical: IEC60601-1 Base; IEC60601-2 Device Specific; IEC62304 Software Lifecycle
     • Related guidance: ISO TR 15497; MISRA Guidelines; ECSS-E-40A (EMEA Space); RTCA DO-178B (Aerospace SW); RTCA DO-254 (Aerospace HW); NASA-GB-1740 (SW Guidebook); DIN EN9875 (Maritime); ...

  6. Situation (diagram): the Operator / Customer in Transportation, Process Automation, Medical and Power / Energy wants Reduction of Operational Costs, Compliance to Safety Standards and Additional Features

  7. Safety Requirements / Process
     • Architecture: perform safety review involving Cert Authority and customer to confirm architecture; propose architectures to reduce development cost; concept approval involving Cert Authority
     • Requirements: determine Safety Requirements; determine Diagnostics
     • Tools: identify qualified tools

  8. Multicore Enabling Tools (V-model from Market/User Need to Operations/Deployment)
     • Requirements Definition / System Integration/Test: *Telelogic: DOORS; IBM Rational: RequisitePro; Eclipse; Safety / Certification Services / System Safety: *TUEV, *Verocel; *Wind River: Test Management
     • High-Level Design: *IBM Rational: Rhapsody; *Esterel: SCADE Suite; Tilcon: Interface Dev. Suite; KW-Software: IEC61131-3
     • Subsystem Integration/Test: LDRA: Test Bed; *Wind River: Test Management
     • Low-Level Design/Coding / Simulation/Unit Test and Verification: *Esterel: SCADE Suite; The Mathworks: Simulink, Statemate; KW-Software: IEC61131-3; IPL: Cantata++; LDRA: Test Bed
     • Code Creation/Generation/Debugging: Wind River Workbench/VxWorks/Linux/Platform Software, Workbench/Eclipse Integrations

  9. Modular Design (diagram)
     • Business Issues: Cost; Safety; Features/Differentiators
     • Safety side: Safety Critical Application on VxWorks CERT (Safety) with VxWorks CERT BSP on its Processor
     • Separation between the two sides
     • Feature side: HMI on WRS Linux / VxWorks (Features) with WRS Linux / VxWorks BSP on its Processor

  10. Safety Solutions (products + services per layer)
     • Safety Critical Application: Software Unit Test; Software Integration Testing; Porting to target architecture
     • VxWorks CERT (Products + Services): Impact Analysis; Execution of tests; Update of Cert Artefacts
     • VxWorks CERT BSP (Services): BSP Development; Testing; Implementation of Diagnostics; Cert Artefacts
     • Processor

  11. Time-to-Market Acceleration by Use of OTS Software

  12. Typical Safety OS Requirements
     • Provision of secure and timely data flow to and from applications and I/O devices
     • Controlled access to processing facilities: the access of applications to the underlying hardware processing resources must be managed so that, for example, any deadlines can be met
     • Provision of secure data storage and memory management: the aim here is to secure memory storage from corruption or interference by other applications or the actions the operating system takes on their behalf
     • Provision of consistent execution state: this concerns the consistency of data and is mostly concerned with the state of the system after initialization
     • Provision of health monitoring and failure management: covers partial and controlled failures of the system (operating system, application, hardware)
     • General provision of computing resources: this covers provision of any of the services of the OS. A failure of this function would imply an uncontrolled failure of the OS

  13. Evidence for OS #1
     • Field service experience: usually information that is difficult to provide
     • Testing: OS’s are extremely “stateful”, there being no “reset to known state” until reboot; hardware-dependence and ambience-dependence of errors means that small physical differences may hide a problem temporarily; high rate of changes, so the usage pattern has to be determined and frozen (difficult in the context of Linux); automated testing tool support such as coverage analysis can be highly intrusive at the kernel level; traceability of tests to the specification

  14. Evidence for OS #2
     • Analysis: manual inspection of design and code for correctness and quality; code complexity measurements; checking conformance to coding standards for reliable software; control and dataflow analysis (which aims to find anomalous code); semantic analysis (symbolic execution); exception detection, which aims to determine which parts of a program cannot, may or will raise run-time exceptions such as numeric overflow, divide by zero and illegal address conditions; compliance analysis (formal proof of correctness against a specification); worst case execution time analysis of object code

  15. Safety Demonstrated – VxWorks
     • VxWorks 6.x: Real-time / Multiprocessing (RTPs) OS; usually not used as CERT OS; used as OS for non-safe application, stand-alone or in combination w/ Hypervisor, or in combination w/ VxWorks CERT and HW or SW separation; enables innovation by feature richness and broad Partner ECO system support. BSP: hardware abstraction; interface to board specific functions and devices; rich set of standard reference board BSPs
     • VxWorks CERT 2.x: certifiable sub-profile of VxWorks 6.6 (RTPs to be added); used as CERT OS, in combination w/ Hypervisor (consolidation of safe & non-safe apps.) or as a CERT OS on safety controller; certifiable up to IEC61508 SIL3 and DO-178B Level A; UDP/TCP Cert Stack. Certifiable BSP: hardware abstraction; interface to board specific safety functions (e.g. BITS, HW diagnostic, Watchdog etc.)
     • Diagram: VxWorks 6.x on its Board Support Package (BSP) and HW beside VxWorks CERT 2.x on its Certifiable BSP and HW, linked by Communication (AMP) across a Hardware or Software Separation

  16. Wind River Solutions (diagram): Wind River Workbench and On-Chip Debugging; Wind River General Purpose Platform (Integrated Middleware on VxWorks 6 or Wind River Linux) with Partner Software Ecosystem; VxWorks Cert Platform, VxWorks 653 Platform and VxWorks MILS Platform (CC EAL 4, 4+, 6+), each with Integrated Middleware on VxWorks Cert, VxWorks 653 or VxWorks MILS; Partner Hardware Ecosystem; Services Practice

  17. Hypervisor a Separation Concept Supporting Different Levels of Criticality

  18. Impact on Shared Resources (1): CPU-time
     • Failure modes: blocking of partitions due to communication deadlocks; wrong allocation of processor execution time
     • Measures, e.g. by using: time triggered scheduling; cyclic execution scheduling policy; fixed priority based scheduling; monitoring of processor execution time of software partitions according to the allocation; program sequence; arrival rate monitoring

  19. Impact on Shared Resources (2): Memory
     • Measures: memory protection mechanisms; verification of safety-related data; offline analysis of code and data of other partitions; restricted access to memory; static analysis; and static allocation

  20. Impact on Shared Resources (3): I/O and Communication
     • Failure modes: failure of communication peer (communication peer is not available); blocking access to data bus; continuous transmission of messages (babbling idiot)

  21. Motivation for Separation
     • Standardised approach for separation
     • Limit software development costs: certification of safety critical parts only
     • Flexibility: third party deliveries can be easily integrated by OEM
     • Maintenance: less safety-relevant areas can be influenced through maintenance
     • Reusability: legacy code, architectural approach

  22. Case Study: Separation Medical
     • Business Concern(s): Cost; Safety; Features/Differentiators
     • Usage Scenario(s): Certification; Consolidation; Usability
     • Preserve certification efforts (IEC 61508, DO178B, FDA 510(k), IEC 62304); innovate in new environment; Industrial, Medical, Energy
     • Diagram (stack): Safety Critical Application on VxWorks CERT or “bare metal” beside Control, HMI on WRS Linux / VxWorks, both on the Wind River Hypervisor (Certifiable) on a Single or Multicore Processor

  23. Case Study: Product Management Medical
     • Business Issues: Cost; Features/Differentiators; Life-Cycle Management
     • Usage Scenarios: Consolidation; Reliability; Usability
     • Streamline Product-Life-Cycle Management process; manage obsolescence; focus on core competences; Transport, Energy, Medical
     • Diagram (stack): Visualization / Data Acquisition / Graphics virtual boards running Windows / VxWorks / WR Linux, all on the WR Hypervisor on a Single or Multicore Processor

  24. Definitions
     • Virtualization - abstraction of computer resources, hiding the physical characteristics
     • Hypervisor - configurable supervisor program with both separation and scheduling that provides virtualization through software
     • Virtual Board (Software Partition in ISO/CD 26262-6) - environment for one operating system or bare application; has physical and/or virtual hardware controlled by the Hypervisor

  25. Hypervisor Technology (diagram): Virtual Board 1 (CPU, Memory, Ethernet1), Virtual Board 2 (CPU, Memory, Serial) and Virtual Board 3 (CPU, Memory, Ethernet2) on the Hypervisor, on the Physical Board (Ethernet, CPU, Memory, Serial)

  26. Non-Interference on a Single Computer
     • Independence of Execution: software elements will not adversely interfere with each other’s execution behaviour such that a dangerous failure would occur
     • Spatial Domain: data used by one element must not be changed by another element, in particular a non-safety related element
     • Spatial separation: MMU & I/O MMU to separate memory domains and I/O domains; VMMU to set up a system of virtual boards; Safe Inter Process Communication (SIPC)

  27. Spatial Separation (diagram): three virtual boards (Virtual Board 2, 1 and 3 in slide order), each with an Application in User Mode over Linux / VxWorks in Privileged Mode and its own CPU, Mem and device (ATA, Eth, Serial); beneath them the Wind River Hypervisor in System Mode (VMMU, Interrupt, Exception, Configuration, Virtual Boards, Communication, I/O resources); beneath that the Physical Board (Serial, ATA, Ethernet, Memory, Core)
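Slides 19 and 26/27 name static allocation and offline analysis of the virtual-board memory layout as spatial-separation measures. The following check is an added illustration, not code from the presentation or from the Wind River Hypervisor; the board size, region table and the `region`/`check_spatial_separation` names are constructed for the example. It validates a static configuration the way an offline tool would: every region must lie inside the physical board, and two boards may only map the same memory when both declare it as the same SIPC channel.

```c
#include <stdbool.h>
#include <stdint.h>

#define PHYS_SIZE 0x10000000u   /* constructed physical board: 256 MiB at address 0 */

typedef struct {
    int      vb;      /* owning virtual board (VB1..VB3 as on the slide) */
    uint32_t base;    /* start address assigned in the hypervisor configuration */
    uint32_t size;    /* length in bytes */
    bool     shared;  /* declared SIPC channel: may be mapped by more than one board */
} region;

/* Constructed configuration respecting spatial separation: three private
   regions plus one SIPC channel declared identically by VB1 and VB2. */
static const region config_ok[5] = {
    {1, 0x00000000u, 0x04000000u, false}, {2, 0x04000000u, 0x04000000u, false},
    {3, 0x08000000u, 0x02000000u, false},
    {1, 0x0A000000u, 0x00010000u, true},  {2, 0x0A000000u, 0x00010000u, true},
};

/* Constructed faulty configuration: VB2's private region overlaps VB1's by
   1 MiB, and VB3's region runs past the end of physical memory. */
static const region config_bad[3] = {
    {1, 0x00000000u, 0x04000000u, false}, {2, 0x03F00000u, 0x04000000u, false},
    {3, 0x0E000000u, 0x04000000u, false},
};

static bool overlaps(const region *a, const region *b) {
    return a->base < (uint64_t)b->base + b->size && b->base < (uint64_t)a->base + a->size;
}

/* Offline check of the static allocation. Counts a region that leaves the
   physical board, and any two boards sharing memory that is not one SIPC
   channel declared by both of them. Returns the number of violations. */
int check_spatial_separation(const region *cfg, int n) {
    int violations = 0;
    for (int i = 0; i < n; i++) {
        if ((uint64_t)cfg[i].base + cfg[i].size > PHYS_SIZE) violations++;
        for (int j = i + 1; j < n; j++) {
            if (cfg[i].vb == cfg[j].vb || !overlaps(&cfg[i], &cfg[j])) continue;
            bool same_channel = cfg[i].shared && cfg[j].shared &&
                                cfg[i].base == cfg[j].base && cfg[i].size == cfg[j].size;
            if (!same_channel) violations++;  /* private data reachable from another board */
        }
    }
    return violations;
}
```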

  28. Non-Interference on a Single Computer
     • Independence of Execution: software elements will not adversely interfere with each other’s execution behaviour such that a dangerous failure would occur
     • Temporal Domain: one element must not cause another element to function incorrectly by taking too high a share of the available processor execution time, or by blocking execution of the other element by locking a shared resource of some kind
     • Temporal Separation: deterministic scheduling; scheduling policy (time slice, priority); exception handling; cache and DMA management

  29. Temporal Separation (diagram): a Major Frame divided into Minor Frames on the System Tick, with the minor frames assigned in sequence VB 2, VB 2, VB 3, Spare Time, VB 2, VB 1, VB 1, VB 1, VB 1
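To make the major/minor frame scheme of slides 28 and 29 concrete, here is an added simulation (not code from the presentation or from any Wind River product) of a time-triggered schedule with execution-time monitoring. The schedule table follows the slide's VB2/VB3/Spare/VB1 sequence; the frame lengths, the `greedy_demand` workload and the function names are constructed assumptions. It shows why a virtual board that wants far more CPU than its allocation cannot take time from the other boards.

```c
#include <string.h>

#define SPARE        0   /* minor frame reserved as spare time, owned by no virtual board */
#define MAX_VB       3   /* virtual boards are numbered 1..MAX_VB */
#define MINOR_TICKS  4   /* system ticks per minor frame (constructed value) */
#define MINOR_FRAMES 9   /* minor frames per major frame */

/* Static schedule table in the order shown on the slide: one owner per minor frame. */
static const int schedule[MINOR_FRAMES] = { 2, 2, 3, SPARE, 2, 1, 1, 1, 1 };

/* Constructed workload for one major frame (ticks of work each VB wants): VB1
   demands far more than its budget, VB2 a little less, VB3 under one minor frame. */
static const int greedy_demand[MAX_VB + 1] = { 0, 100, 10, 3 };

typedef struct {
    int granted[MAX_VB + 1];   /* ticks each VB actually executed in the major frame */
    int overruns[MAX_VB + 1];  /* minor frames in which the VB still had work when pre-empted */
    int backlog[MAX_VB + 1];   /* work left unfinished when the major frame ended */
} frame_report;

/* CPU budget a VB is configured to receive per major frame, from the schedule table. */
int configured_budget(int vb) {
    int ticks = 0;
    for (int f = 0; f < MINOR_FRAMES; f++) if (schedule[f] == vb) ticks += MINOR_TICKS;
    return ticks;
}

/* Simulate one major frame. Only the slot owner is dispatched, and it is
   pre-empted on the minor-frame boundary, so a VB that wants more than its
   budget delays only its own work and never the other boards' slots. */
frame_report run_major_frame(const int demand[MAX_VB + 1]) {
    frame_report r;
    int remaining[MAX_VB + 1];
    memset(&r, 0, sizeof r);
    memcpy(remaining, demand, sizeof remaining);
    for (int f = 0; f < MINOR_FRAMES; f++) {
        int vb = schedule[f];
        if (vb == SPARE) continue;            /* spare time idles; it is not handed to a busy VB */
        for (int t = 0; t < MINOR_TICKS && remaining[vb] > 0; t++) {
            remaining[vb]--;                  /* one system tick of execution for the owner */
            r.granted[vb]++;
        }
        if (remaining[vb] > 0) r.overruns[vb]++;  /* execution-time monitoring: allocation exhausted */
    }
    for (int vb = 1; vb <= MAX_VB; vb++) r.backlog[vb] = remaining[vb];
    return r;
}
```

With the constructed workload VB1 is pre-empted in all four of its frames and finishes the major frame with 84 ticks of backlog, while VB2 and VB3 still receive every tick they asked for.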

  30. Hardware Certification (diagram, typical steps)
     • Diagnostic measures -> Software Safety Requirements (SSR)
     • Allocation of SSRs to Hypervisor BSP, SafeOS BSP and Safety Application
     • Implementation Hypervisor BSP: partitioning claim for Hypervisor and Hypervisor BSP
     • Implementation SafeOS BSP: consideration of the Safety Manual of Hypervisor and Hypervisor BSP
     • Implementation Safety Application: consideration of the Safety Manual of SafeOS and SafeOS BSP
     • System Safety Manual
     • Layers shown: Virtual Board 1 over Virtualization over Hardware

  31. Outlook
     • Next version of IEC 61508, Part 3 specifies techniques for separation (Annex G)
     • Virtualisation techniques are deployed in Aerospace (e.g. 787, A380, A400, C130-AMP...) (ARINC653, DO178B, DO297 / ED124)
     • Multi Core CPUs: shared resources (Cache, Bus, RAM, I/O devices); parallel computing (SMP, AMP); device virtualization; Directed I/O

  32. Safety Solution – Automation, Medical, Transport (IEC61508 / CENELEC 50128, FDA, IEC62304), without hypervisor (diagram)
     • Markets: Transport (SIL2) Driver Desk; Automation Platform (SIL2); Medical Therapy (Class 2-3): NA driven – FDA 510(k), EMEA driven – IEC 62304; Non-Safe Applications for Automation, Transport, Medical
     • Wind River Partner ECO System: Esterel; Tilcon; KW-SW, Acontis, Rockwell, Tilcon
     • Applications: IEC 61131-3 + Customer Control/Safety Applications; Safety Applications; External Communication, Lightweight SCADA; Integrated Graphics, Consumer Connectivity
     • Middleware / OS: VxWorks PID, SOAP, XML, OPC, CAN; VxWorks 6.6 CERT IEC 61508 Safety & Control OR VxWorks 6.6 CERT DO-178B Safety & Control; Linux BT, WiFi, Consumer Connectivity; VxWorks / Linux (PCD, GPP) or VxWorks
     • Hardware: Freescale (8349E) as Safety - CPU 1; Freescale / Intel as Non Safe - CPU 2; SIL 1/SIL 2 - No Time Separation

  33. Safety Solution – Automation, Medical, Transport (IEC61508 / CENELEC 50128, FDA, IEC62304), with hypervisor (diagram)
     • Markets: Transport (SIL2) Driver Desk; Automation Platform (SIL2); Medical Therapy (Class 2-3): NA driven – FDA 510(k), EMEA driven – IEC 62304; Non-Safe Applications for Automation, Transport, Medical
     • Wind River Partner ECO System: Esterel; Tilcon; KW-SW, Acontis, Rockwell, Tilcon
     • Applications: IEC 61131-3 + Customer Control/Safety Applications; Safety Applications; External Communication, Lightweight SCADA; Integrated Graphics, Consumer Connectivity
     • Middleware / OS: VxWorks PID, SOAP, XML, OPC, CAN; VxWorks 6.6 CERT IEC 61508 Safety & Control OR VxWorks 6.6 CERT DO-178B Safety & Control; Linux BT, WiFi, Consumer Connectivity; VxWorks / Linux (PCD, GPP) or VxWorks
     • Hardware: WRS Hypervisor on Freescale / Intel CPU 1 (Single Core or Multi Core); SIL 1/SIL 2 - Time Separation
