© 2009 Wind River Information is Subject to Change without Notification
Hypervisor: an Off-the-Shelf Based Separation Concept to Improve Time-to-Revenue (Medical)
Hao Meng, China Senior Field Application Engineer, Industrial/Medical Solutions
Agenda
A medical safety market observation, and how adjacent market segments address cost-effective safety
Time-to-market acceleration by use of OTS (off-the-shelf) software
Hypervisor: a separation concept supporting different levels of criticality
A Medical Safety Market Observation and How Adjacent Market Segments Address Cost-Effective Safety
The Industrial Market - Trends
Segments: Transportation; Power / Energy; Medical; Control Automation; Process Automation; Aerospace & Defense
Trends: Openness; Consolidation; Connectivity; Safety / Security
Overview: Safety Standards
IEC 61508 meta specification, Parts 1...7
Other safety standards
–ISO TR 15497 / MISRA Guidelines
–ECSS-E-40A (EMEA space)
–RTCA DO-178B (aerospace SW)
–RTCA DO-254 (aerospace HW)
–NASA-GB-1740 (SW guidebook)
–DIN EN 9875 (maritime) ...
Derivative safety standards (from IEC 61508)
–IEC 61513 - Nuclear power: IEC 61513 system aspects; IEC 61226 classification; IEC 60987 hardware requirements; IEC 62138 software, Cat. B & C functions; IEC 60880 software, Cat. A functions
–IEC 62061 - Machine industry: IEC 61508 Part 3 software
–CENELEC 5012x - Railway: CENELEC 50126 RAMS; CENELEC 50128 SW; CENELEC 50129 HW
–IEC 61511 - Process industry: IEC 61508 Part 3 software
–IEC 60601 (-1 and -2) - Medical: IEC 60601-1 base; IEC 60601-2 device specific; IEC 62304 software life cycle
Situation
Operator / customer drivers
–Reduction of operational costs
–Compliance to safety standards
–Additional features
Segments: Power / Energy; Process Automation; Transportation; Medical
Safety Requirements / Process
Architecture
–Perform a safety review involving the certification authority and the customer to confirm the architecture
–Propose architectures to reduce development cost
–Concept approval involving the certification authority
Requirements
–Determine safety requirements
–Determine diagnostics tools
–Identify qualified tools
Safety Tool Chain (Workbench/Eclipse integrations)
Life cycle: Market/User Need -> Requirements Definition -> High-Level Design -> Low-Level Design/Coding -> Simulation/Unit Test and Verification -> Subsystem Integration/Test -> System Integration/Test -> Operations/Deployment
Requirements definition: *Telelogic DOORS; IBM Rational RequisitePro
High-level design: *IBM Rational Rhapsody; *Esterel SCADE Suite; Tilcon Interface Development Suite; KW-Software IEC 61131-3
Low-level design/coding: *Esterel SCADE Suite; The MathWorks Simulink, Statemate; KW-Software IEC 61131-3
Simulation/unit test and verification: IPL Cantata++; LDRA TestBed; *Wind River Test Management
Code creation/generation/debugging: Wind River Workbench / VxWorks / Linux / Platform Software; Multicore Enabling Tools
Safety and certification services: system safety by *TÜV, *Verocel; *Wind River Test Management
Modular Design
Safety stack: Safety Critical Application / VxWorks CERT / VxWorks CERT BSP / Processor
Non-safety stack: HMI / WRS Linux or VxWorks / WRS Linux or VxWorks BSP / Processor
Business issues: Cost; Safety; Features / Differentiators
Separation between the two stacks provides the safety features
Safety Solutions
Stack: Safety Critical Application / VxWorks CERT / VxWorks CERT BSP / Processor
Products + services (VxWorks CERT)
–Software unit test
–Software integration testing
–Porting to target architecture
–Impact analysis
–Execution of tests
–Update of certification artefacts
Services (BSP and application)
–BSP development
–Testing
–Implementation of diagnostics
–Certification artefacts
Time-to-Market Acceleration by Use of OTS Software
Typical Safety OS Requirements
Provision of secure and timely data flow
–to and from applications and I/O devices
Controlled access to processing facilities
–The access of applications to the underlying hardware processing resources must be managed so that, for example, deadlines can be met
Provision of secure data storage and memory management
–The aim here is to protect memory from corruption or interference by other applications, or by the actions the operating system takes on their behalf
Provision of consistent execution state
–This concerns the consistency of data and is mostly concerned with the state of the system after initialization
Provision of health monitoring and failure management
–Covers partial and controlled failures of the system (operating system, application, hardware)
General provision of computing resources
–This covers provision of any of the services of the OS. A failure of this function would imply an uncontrolled failure of the OS
Evidence for OS #1
Field service experience
–Usually information that is difficult to provide
Testing
–OSs are extremely "stateful": there is no "reset to known state" until reboot
–Hardware dependence and environment dependence of errors means that small physical differences may hide a problem temporarily
–High rate of changes
–The usage pattern has to be determined and frozen (difficult in the context of Linux)
–Automated testing tool support such as coverage analysis can be highly intrusive at the kernel level
–Traceability of tests to the specification
Evidence for OS #2
Analysis
–Manual inspection of design and code for correctness and quality
–Code complexity measurements
–Checking conformance to coding standards for reliable software
–Control and data flow analysis (which aims to find anomalous code)
–Semantic analysis (symbolic execution)
–Exception detection, which aims to determine which parts of a program cannot, may or will raise run-time exceptions such as numeric overflow, divide by zero and illegal address conditions
–Compliance analysis (formal proof of correctness against a specification)
–Worst-case execution time analysis of object code
Safety Demonstrated - VxWorks
VxWorks CERT 2.x (on a certifiable BSP and HW)
–Certifiable sub-profile of VxWorks 6.6 (RTPs to be added)
–Used as CERT OS: in combination with the Hypervisor (consolidation of safe and non-safe applications), or as a CERT OS on a safety controller
–Certifiable up to IEC 61508 SIL3 and DO-178B Level A
–Certifiable BSP: hardware abstraction; interface to board-specific safety functions (e.g. BITs, HW diagnostics, watchdog, etc.)
–UDP/TCP Cert stack
VxWorks 6.x (on a standard BSP and HW)
–Real-time / multiprocessing (RTPs) OS
–Usually not used as CERT OS; used as OS for the non-safe application
–Stand-alone or in combination with the Hypervisor; in combination with VxWorks CERT and HW or SW separation
–Enables innovation through feature richness and broad partner ecosystem support
–BSP: hardware abstraction; interface to board-specific functions and devices; rich set of standard reference board BSPs
Communication between the two via AMP; hardware or software separation
Wind River Solutions
Wind River General Purpose Platform: Wind River Linux + Integrated Middleware
Wind River General Purpose Platform: VxWorks 6 + Integrated Middleware
VxWorks Cert Platform: VxWorks Cert + Integrated Middleware
VxWorks 653 Platform: VxWorks 653 + Integrated Middleware
VxWorks MILS Platform: VxWorks MILS + Integrated Middleware (CC EAL 4, 4+, 6+)
Wind River Workbench; On-Chip Debugging
Partner Software Ecosystem; Partner Hardware Ecosystem; Services Practice
Hypervisor: a Separation Concept Supporting Different Levels of Criticality
Impact on Shared Resources (1): CPU Time
Failure modes
–Blocking of partitions, e.g. due to communication deadlocks
–Wrong allocation of processor execution time
Measures
–Time-triggered scheduling
–Cyclic execution scheduling policy
–Fixed-priority-based scheduling
–Monitoring of the processor execution time of software partitions against the allocation
–Program sequence monitoring
–Arrival rate monitoring
Impact on Shared Resources (2): Memory
Measures
–Memory protection mechanisms
–Verification of safety-related data
–Offline analysis of code and data of other partitions
–Restricted access to memory
–Static analysis
–Static allocation
Impact on Shared Resources (3): I/O and Communication
Failure modes
–Failure of a communication peer: the peer is not available
–Blocking access to the data bus
–Continuous transmission of messages (babbling idiot)
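Added example for the I/O slide above (this is not Wind River Hypervisor code; the page itself carries no code): an arrival-rate guard that a hypervisor's virtual-bus driver can apply per virtual board, so a babbling VB is muted for the rest of its window instead of crowding out the other VBs, plus a liveness check a consumer can use instead of blocking on a peer that has failed. The window length, per-VB limits, tick values and the three-VB scenario are constructed assumptions for the example.

```c
/* Arrival-rate guard on a virtual bus shared by three virtual boards, plus
 * a peer-liveness check.  Added example for this page, not Wind River code;
 * window length, limits and tick values are hypothetical. */
#include <stdbool.h>
#include <stdio.h>

#define NUM_VB       3
#define WINDOW_TICKS 100

struct bus_guard {
    int  limit[NUM_VB];     /* messages a VB may send per window */
    int  count[NUM_VB];     /* messages seen from each VB in the current window */
    int  dropped[NUM_VB];   /* messages discarded from each VB (over budget) */
    bool muted[NUM_VB];     /* VB exceeded its budget in this window */
    int  last_seen[NUM_VB]; /* tick of the last message from each VB, -1 if never */
    int  window_start;
};

void guard_init(struct bus_guard *g, const int limits[NUM_VB])
{
    for (int i = 0; i < NUM_VB; i++) {
        g->limit[i] = limits[i];
        g->count[i] = g->dropped[i] = 0;
        g->muted[i] = false;
        g->last_seen[i] = -1;
    }
    g->window_start = 0;
}

/* Called by the hypervisor's bus driver before a message from VB `src`
 * sent at tick `now` is put on the bus.  Returns true if it may go out.
 * A VB that exceeds its budget is muted for the rest of the window, so a
 * babbling idiot cannot crowd out the other VBs' traffic; counters are
 * reset at the next window boundary so the VB can recover. */
bool guard_admit(struct bus_guard *g, int src, int now)
{
    if (src < 0 || src >= NUM_VB)
        return false;
    if (now - g->window_start >= WINDOW_TICKS) {
        /* new window: keep windows aligned, then reset everyone */
        g->window_start += ((now - g->window_start) / WINDOW_TICKS) * WINDOW_TICKS;
        for (int i = 0; i < NUM_VB; i++) {
            g->count[i] = 0;
            g->muted[i] = false;
        }
    }
    g->last_seen[src] = now;          /* even a babbling peer is "alive" */
    if (g->muted[src] || ++g->count[src] > g->limit[src]) {
        g->muted[src] = true;
        g->dropped[src]++;
        return false;
    }
    return true;
}

/* Peer failure: a consumer asks whether `vb` has sent anything within
 * `timeout` ticks instead of blocking on a message that may never come. */
bool peer_alive(const struct bus_guard *g, int vb, int now, int timeout)
{
    if (vb < 0 || vb >= NUM_VB || g->last_seen[vb] < 0)
        return false;
    return now - g->last_seen[vb] <= timeout;
}

/* Constructed scenario: VB 2 (id 1) babbles every tick for 50 ticks while
 * VB 1 (id 0) sends its 5 normal messages and VB 3 (id 2) stays silent.
 * Returns how many of VB 2's messages reached the bus in the first window. */
static struct bus_guard demo_guard;
int run_demo(void)
{
    const int limits[NUM_VB] = { 10, 10, 10 };
    int vb2_admitted = 0;
    guard_init(&demo_guard, limits);
    for (int t = 0; t < 50; t++) {
        if (guard_admit(&demo_guard, 1, t)) vb2_admitted++;   /* babbling idiot */
        if (t % 10 == 0) guard_admit(&demo_guard, 0, t);       /* well-behaved VB 1 */
    }
    guard_admit(&demo_guard, 1, 100);   /* next window: VB 2 is admitted again */
    return vb2_admitted;
}

int main(void)
{
    int admitted = run_demo();
    printf("VB2 admitted in first window: %d, dropped: %d; VB1 dropped: %d\n",
           admitted, demo_guard.dropped[1], demo_guard.dropped[0]);
    printf("VB3 alive at t=100: %d\n", peer_alive(&demo_guard, 2, 100, 50));
    return 0;
}
```

The mute lasts only until the window boundary, which matches the "controlled failure" intent of the health-monitoring requirement: the misbehaving partition loses its bus share, not the whole system, and it gets a chance to recover once it stops babbling.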
Motivation for Separation
Standardised approach for separation
Limit software development costs
–Certification of the safety-critical parts only
Flexibility
–Third-party deliveries can be easily integrated by the OEM
Maintenance
–Less safety-relevant areas can be changed through maintenance without affecting the certified parts
Reusability
–Legacy code, architectural approach
Case Study: Separation
Business concerns: Cost; Safety; Features / Differentiators
Usage scenarios: Certification; Consolidation; Usability
Architecture: Safety Critical Application on VxWorks CERT or "bare metal" | Control and HMI on WRS Linux / VxWorks, both on the Wind River Hypervisor (certifiable) on a single- or multicore processor
Goals: preserve certification efforts (IEC 61508, DO-178B, FDA 510(k), IEC 62304); innovate in the new environment
Markets: Industrial, Medical, Energy
Case Study: Product Management
Business issues: Cost; Features / Differentiators; Life-cycle management
Usage scenarios: Consolidation; Reliability; Usability
Architecture: Visualization on Windows | Graphics on WR Linux | Data acquisition on VxWorks, all on the WR Hypervisor on a single- or multicore processor
Goals: streamline the product life-cycle management process; manage obsolescence; focus on core competences
Markets: Transport, Energy, Medical
Definitions
Virtualization - abstraction of computer resources, hiding the physical characteristics
Hypervisor - configurable supervisor program with both separation and scheduling that provides virtualization through software
Virtual Board (software partition in ISO/CD 26262-6) - environment for one operating system or bare application; has physical and/or virtual hardware controlled by the Hypervisor
Hypervisor Technology
Physical board: CPU, Memory, Ethernet, Serial
Hypervisor
Virtual Board 1: CPU, Memory, Ethernet1
Virtual Board 2: CPU, Memory, Ethernet2
Virtual Board 3: CPU, Memory, Serial
Non-Interference on a Single Computer: Independence of Execution
Software elements will not adversely interfere with each other's execution behaviour such that a dangerous failure would occur
–Spatial domain: data used by one element must not be changed by another element, in particular a non-safety-related element
–Spatial separation: MMU and I/O MMU to separate memory domains and I/O domains; VMMU to set up a system of virtual boards; Safe Inter-Process Communication (SIPC)
Spatial Separation
Privilege levels: User mode (VxWorks and Linux applications) / Privileged mode (guest OS: VxWorks, Linux) / System mode (Wind River Hypervisor)
Virtual Board 1: CPU, Mem | Virtual Board 2: CPU, Mem, ATA, Eth | Virtual Board 3: CPU, Mem, Serial
Hypervisor: configuration of virtual boards; VMMU; exception and interrupt handling; communication; I/O resources
Physical board: Core, Memory, ATA, Ethernet, Serial
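Added example for the memory slide (restricted access, static allocation) and the two spatial-separation slides above (not Wind River Hypervisor code; the page carries no code): a static virtual-board memory and I/O map that is checked offline for non-overlapping allocation, and the access check the hypervisor would apply when a VMMU or IOMMU fault arrives. The region names, addresses, VB numbers and the rule that an SIPC buffer shared between VBs may have only one writer are assumptions made for the example; the overlap and wrap-around checks are the part a reviewer of a real configuration would want to see.

```c
/* Static memory/I/O map for virtual boards and the access check the
 * hypervisor would apply on a VMMU/IOMMU fault.  Added example for this
 * page, not Wind River code; region names, addresses and VB numbers are
 * hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PERM_R 1u
#define PERM_W 2u

struct region {
    int      vb;       /* owning virtual board */
    uint32_t base;     /* physical base address */
    uint32_t size;     /* length in bytes, must be > 0 */
    unsigned perm;     /* PERM_R | PERM_W */
    bool     shared;   /* SIPC buffer deliberately mapped into more than one VB */
    const char *name;
};

/* Constructed map: VB 1 = safety application (VxWorks CERT), VB 2 = Linux HMI. */
static const struct region vb_map[] = {
    { 1, 0x00100000u, 0x00100000u, PERM_R|PERM_W, false, "VB1 RAM"             },
    { 2, 0x00200000u, 0x00400000u, PERM_R|PERM_W, false, "VB2 RAM"             },
    { 1, 0x80000000u, 0x00001000u, PERM_R|PERM_W, false, "serial (VB1 only)"   },
    { 2, 0x80001000u, 0x00001000u, PERM_R|PERM_W, false, "ethernet (VB2 only)" },
    /* One-directional SIPC channel: VB 2 writes status, VB 1 may only read it. */
    { 2, 0x00600000u, 0x00001000u, PERM_W,        true,  "SIPC VB2->VB1 (tx)"  },
    { 1, 0x00600000u, 0x00001000u, PERM_R,        true,  "SIPC VB2->VB1 (rx)"  },
};
#define VB_MAP_LEN (sizeof vb_map / sizeof vb_map[0])

/* Wrong map for contrast: VB 2's RAM silently extends into VB 1's. */
static const struct region bad_map[] = {
    { 1, 0x00100000u, 0x00100000u, PERM_R|PERM_W, false, "VB1 RAM" },
    { 2, 0x00180000u, 0x00400000u, PERM_R|PERM_W, false, "VB2 RAM" },
};
#define BAD_MAP_LEN (sizeof bad_map / sizeof bad_map[0])

static bool overlaps(const struct region *a, const struct region *b)
{
    /* 64-bit arithmetic so base+size cannot wrap at the top of the map */
    uint64_t a_end = (uint64_t)a->base + a->size;
    uint64_t b_end = (uint64_t)b->base + b->size;
    return a->base < b_end && b->base < a_end;
}

/* Static allocation check, run offline at configuration time: regions of
 * different VBs may only overlap when both are marked shared, and a shared
 * range may have at most one writer, so the non-safe VB can never corrupt
 * data the safety VB is also allowed to write. */
bool map_is_valid(const struct region *m, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (m[i].size == 0 || (uint64_t)m[i].base + m[i].size > 0x100000000ull)
            return false;
        for (size_t j = i + 1; j < n; j++) {
            if (m[i].vb == m[j].vb || !overlaps(&m[i], &m[j]))
                continue;
            if (!(m[i].shared && m[j].shared))
                return false;
            if ((m[i].perm & PERM_W) && (m[j].perm & PERM_W))
                return false;
        }
    }
    return true;
}

/* Run-time check: may VB `vb` perform `want` on [addr, addr+len)?  The whole
 * range must lie inside one region owned by that VB with the needed rights. */
bool access_ok(const struct region *m, size_t n, int vb,
               uint32_t addr, uint32_t len, unsigned want)
{
    uint64_t end = (uint64_t)addr + len;    /* cannot wrap around */
    if (len == 0 || end > 0x100000000ull)
        return false;
    for (size_t i = 0; i < n; i++) {
        uint64_t r_end = (uint64_t)m[i].base + m[i].size;
        if (m[i].vb == vb && addr >= m[i].base && end <= r_end &&
            (m[i].perm & want) == want)
            return true;
    }
    return false;   /* not mapped for this VB: the hypervisor raises an exception */
}

int main(void)
{
    printf("vb_map valid: %d, bad_map valid: %d\n",
           map_is_valid(vb_map, VB_MAP_LEN), map_is_valid(bad_map, BAD_MAP_LEN));
    printf("VB2 write into VB1 RAM allowed: %d\n",
           access_ok(vb_map, VB_MAP_LEN, 2, 0x00100000u, 4, PERM_W));
    return 0;
}
```

The validation is deliberately done on the configuration, before anything runs: the slide's "static allocation" and "offline analysis" measures mean the partitioning claim rests on the map being right, and the run-time check then only has to enforce what the map says.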
Non-Interference on a Single Computer: Independence of Execution
Software elements will not adversely interfere with each other's execution behaviour such that a dangerous failure would occur
–Temporal domain: one element must not cause another element to function incorrectly by taking too high a share of the available processor execution time, or by blocking execution of the other element by locking a shared resource of some kind
–Temporal separation: deterministic scheduling (scheduling policy: time slice, priority); exception handling; cache and DMA management
Temporal Separation
Major frame (repeating): VB 1 | VB 2 | VB 1 | VB 2 | VB 1 | VB 3 | VB 1 | VB 2 | Spare Time
Each slot is a minor frame; the system tick drives the switch from one minor frame to the next
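Added example for the CPU-time measures slide (scheduling policy, monitoring of execution time against the allocation) and the two temporal-separation slides above (not Wind River Hypervisor code; the page carries no code): the minor-frame sequence from the diagram above is run as a time-triggered schedule and, for contrast, the same workload is run under fixed-priority scheduling, with a monitor that reports starved partitions and budget overruns. The tick counts, the three VB workloads and the "runaway" guest are constructed assumptions for the example.

```c
/* Two scheduling policies for three virtual boards over one major frame,
 * using the minor-frame sequence from the slide above
 * (VB1 VB2 VB1 VB2 VB1 VB3 VB1 VB2 spare).  Added example for this page,
 * not Wind River code; tick counts and VB workloads are hypothetical. */
#include <stdbool.h>
#include <stdio.h>

#define NUM_VB          3
#define MINOR_FRAMES    9
#define TICKS_PER_MINOR 2
#define TICKS_PER_MAJOR (MINOR_FRAMES * TICKS_PER_MINOR)
#define VB_IDLE         (-1)

/* Minor-frame table from the slide (ids 0..2 = VB 1..VB 3); the last
 * minor frame is spare time owned by nobody. */
static const int schedule[MINOR_FRAMES] = { 0, 1, 0, 1, 0, 2, 0, 1, VB_IDLE };

struct vb {
    bool runaway;   /* never yields, e.g. a tight loop in the non-safe guest */
    int  need;      /* ticks wanted per major frame when not runaway */
    int  got;       /* ticks received in the last major frame */
};

static bool wants_cpu(const struct vb *v)
{
    return v->runaway || v->got < v->need;
}

/* Ticks statically allocated to a VB per major frame: its execution-time budget. */
int allocation(int vb)
{
    int ticks = 0;
    for (int i = 0; i < MINOR_FRAMES; i++)
        if (schedule[i] == vb)
            ticks += TICKS_PER_MINOR;
    return ticks;
}

/* Fixed-priority policy: at each tick the lowest-numbered VB that wants the
 * CPU runs.  A runaway high-priority VB starves everything below it. */
void run_fixed_priority(struct vb vbs[NUM_VB])
{
    for (int i = 0; i < NUM_VB; i++) vbs[i].got = 0;
    for (int t = 0; t < TICKS_PER_MAJOR; t++)
        for (int i = 0; i < NUM_VB; i++)
            if (wants_cpu(&vbs[i])) { vbs[i].got++; break; }
}

/* Time-triggered policy: the system tick hands the CPU to the owner of the
 * current minor frame regardless of what the previous owner was doing, so a
 * runaway VB is clipped at the end of its own slot. */
void run_time_triggered(struct vb vbs[NUM_VB])
{
    for (int i = 0; i < NUM_VB; i++) vbs[i].got = 0;
    for (int t = 0; t < TICKS_PER_MAJOR; t++) {
        int owner = schedule[(t / TICKS_PER_MINOR) % MINOR_FRAMES];
        if (owner != VB_IDLE && wants_cpu(&vbs[owner]))
            vbs[owner].got++;
    }
}

/* Monitoring against the allocation: well-behaved VBs that did not get the
 * ticks they needed, and whether any VB exceeded its budget. */
int starved_count(const struct vb vbs[NUM_VB])
{
    int n = 0;
    for (int i = 0; i < NUM_VB; i++)
        if (!vbs[i].runaway && vbs[i].got < vbs[i].need)
            n++;
    return n;
}

bool budget_respected(const struct vb vbs[NUM_VB])
{
    for (int i = 0; i < NUM_VB; i++)
        if (vbs[i].got > allocation(i))
            return false;
    return true;
}

/* Constructed workload: VB 1 runs away, VB 2 needs 3 ticks, VB 3 needs 2. */
static void run_workload(bool time_triggered, struct vb out[NUM_VB])
{
    const struct vb load[NUM_VB] = { { true, 0, 0 }, { false, 3, 0 }, { false, 2, 0 } };
    for (int i = 0; i < NUM_VB; i++) out[i] = load[i];
    if (time_triggered) run_time_triggered(out); else run_fixed_priority(out);
}

int demo_starved(bool time_triggered)
{
    struct vb v[NUM_VB]; run_workload(time_triggered, v); return starved_count(v);
}

bool demo_budget_ok(bool time_triggered)
{
    struct vb v[NUM_VB]; run_workload(time_triggered, v); return budget_respected(v);
}

int demo_got(bool time_triggered, int vb)
{
    struct vb v[NUM_VB]; run_workload(time_triggered, v); return v[vb].got;
}

int main(void)
{
    printf("fixed priority : starved=%d budget ok=%d\n", demo_starved(false), demo_budget_ok(false));
    printf("time triggered : starved=%d budget ok=%d\n", demo_starved(true), demo_budget_ok(true));
    return 0;
}
```

Under fixed priority the runaway VB takes the whole major frame and both well-behaved VBs starve; under the time-triggered table it gets exactly its 8 allocated ticks and the other two get what they need, which is the property the "no dangerous failure through excessive CPU share" requirement asks for. A real hypervisor additionally needs the cache and DMA management named on the slide, since a static tick table alone does not bound what one VB's memory traffic does to another VB's execution time.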
Typical Certification Steps
Hardware
–Diagnostic measures -> Software Safety Requirements (SSRs)
–Allocation of SSRs to: Hypervisor BSP; SafeOS BSP; safety application
Virtualization (Hypervisor)
–Implementation of the Hypervisor BSP
–Partitioning claim: Hypervisor and Hypervisor BSP
Virtual Board 1 (SafeOS)
–Implementation of the SafeOS BSP, considering the safety manual of the Hypervisor and Hypervisor BSP
–Implementation of the safety application, considering the safety manual of SafeOS and SafeOS BSP
System safety manual
Outlook
Next version of IEC 61508, Part 3, specifies techniques for separation (Annex G)
Virtualisation techniques are deployed in aerospace (e.g. 787, A380, A400, C-130 AMP ...) (ARINC 653, DO-178B, DO-297 / ED-124)
Multi-core CPUs
–Shared resources (cache, bus, RAM, I/O devices)
–Parallel computing (SMP, AMP)
Device virtualization
–Directed I/O
Safety Solution - Automation, Medical, Transport (IEC 61508 / CENELEC 50128, FDA, IEC 62304): Hardware Separation
Markets: Automation (SIL2); Transport (SIL2, driver desk); Medical therapy (Class 2-3; NA driven - FDA 510(k); EMEA driven - IEC 62304)
Safety CPU 1 (Freescale 8349E): VxWorks 6.6 CERT, IEC 61508 / DO-178B; safety and control applications, SIL 1 / SIL 2; IEC 61131-3 + customer control/safety applications (PID); no time separation needed
Non-safe CPU 2 (Freescale / Intel): Linux (PCD, GPP) or VxWorks; external communication (SOAP, XML, OPC, CAN), lightweight SCADA, integrated graphics, consumer connectivity (BT, WiFi); non-safe applications
Wind River partner ecosystem: KW-Software, Acontis, Rockwell, Tilcon, Esterel
Safety Solution - Automation, Medical, Transport (IEC 61508 / CENELEC 50128, FDA, IEC 62304): Hypervisor Separation
Markets: Automation (SIL2); Transport (SIL2, driver desk); Medical therapy (Class 2-3; NA driven - FDA 510(k); EMEA driven - IEC 62304)
CPU 1 (Freescale / Intel, single core or multi-core) running the WRS Hypervisor with time separation between the two virtual boards
–Safety VB: VxWorks 6.6 CERT, IEC 61508 / DO-178B; safety and control applications, SIL 1 / SIL 2; IEC 61131-3 + customer control/safety applications (PID)
–Non-safe VB: Linux (PCD, GPP) or VxWorks; external communication (SOAP, XML, OPC, CAN), lightweight SCADA, integrated graphics, consumer connectivity (BT, WiFi); non-safe applications
Wind River partner ecosystem: KW-Software, Acontis, Rockwell, Tilcon, Esterel