Säkerhetskritiska standarder och FPGA / FPGA and safety critical standards

Stymne, Petter

January 2013

IEC 61508, ISO 26262, DO-254 och CENELEC EN 5012x är alla standarder för utveckling av säkerhetskritiska system. Dessa fyra är applicerbara på bilar upp till 3.5 ton (ISO 26262), flyg (DO-254), tåg (Cenelec EN 5012x) samt IEC 61508 vilket är en standard för flertalet industrigrenar. När ett säkerhetskritiskt system skall implementeras i en FPGA så kan problem uppstå. Detta för att en FPGA ibland räknas till hårdvara men utvecklingen följer samma mönster som mjukvaruutveckling. Detta examensarbetes huvuduppgift är att klargöra hur de olika standarderna ser på FPGA utveckling samt verifiering med hjälp av utökad funktionell verifiering. Uppsatsen är uppdelad i två delar. Den första delen behandlar de säkerhetskritiska standarderna. Vi kommer att gå igenom dessa för att få en översikt samt visa vilka skillnader likheter som finns. Hur ställer de sig till FPGA, hårdvara eller mjukvara. Del två går igenom ett projekt i enlighet med IEC 61508, inklusive metoder för funktionell verifiering ingå. Dessa metoder är ABV (Assertion Based Verification) samt täckningsgrad för verifieringen. Har vi verifierat tillräckligt och vilka krav ställs på ett projekt enligt IEC 61508. I den här delen går vi även igenom hur de olika standarderna ser på FPGA:er samt några rekommendationer gällande FPGA utveckling och säkerhetskritiska system.

FPGA

ISO 26262

DO-254

IEC 61508

CENELEC EN 5012x

SystemVerilog

Specifying Safety-Critical Heterogeneous Systems Using Contracts Theory

Westman, Jonas

January 2016

Requirements engineering (RE) is a well-established practice that is also emphasized in safety standards such as IEC 61508 and ISO 26262. Safety standards advocate a particularly stringent RE where requirements must be structured in an hierarchical manner in accordance with the system architecture; at each level, requirements must be allocated to heterogeneous (SW, HW, mechanical, electrical, etc.) architecture elements and trace links must be established between requirements. In contrast to the stringent RE in safety standards, according to previous studies, RE in industry is in general of poor quality. Considering a typical RE tool, other than basic impact analysis, the tool neither gives feedback nor guides a user  when specifying, allocating, and structuring requirements. In practice, for industry to comply with the stringent RE in safety standards, better support for RE is needed, not only from tools, but also from principles and methods. Therefore, a foundation is presented consisting of an underlying theory for specifying heterogeneous systems and complementary principles and methods to specifically support the stringent RE in safety standards. This foundation is indeed suitable as a base for implementing guidance- and feedback-driven tool support for such stringent RE; however, the fact is that the proposed theory, principles, and methods provide essential support  regardless if tools are used or not. The underlying theory is a formal compositional contracts theory for heterogeneous systems. This contracts theory embodies the essential RE property of separating requirements on a system from assumptions on its environment. Moreover, the contracts theory formalizes the stringent RE effort of structuring requirements hierarchically with respect to the system architecture. Thus, the proposed principles and methods for supporting the stringent RE in safety standards are well-rooted in formal concepts and conditions, and are thus, theoretically sound. Not only that, but the foundation is indeed also tailored to be enforced by both existing and new tools considering that the support is based on precise mathematical expressions that can be interpreted unambiguously by machines. Enforcing the foundation in a tool entails support that guides and gives feedback when specifying heterogeneous systems in general, and safety-critical ones in particular. / Kravhantering är en väletablerad praxis som ocksåbetonas i säkerhetsstandarder såsom IEC 61508 och ISO 26262. Säkerhetsstandarder förespråkar en särskilt noggrann kravhantering där krav skall struktureras på ett hierarkiskt sätt i enlighet med systemarkitekturen; på varje nivå så skall krav allokeras till heterogena (SW, HW, mekaniska, elektriska, etc.) arkitekturelement och spårlänkar skall upprättas mellan kraven. I motsats till den noggranna kravhanteringen i säkerhetsstandarder så är kravhantering i industrin av allmänt dålig kvalitet enligt tidigare studier. Ett typisk kravverktyg ger inte mycket mer stöd än grundläggande konsekvensanalyser, d.v.s.\ verktyget ger varken återkoppling eller vägledning för att formulera, allokera, och strukturera krav. Bättre stöd behövs för att industrin i praktiken skall kunna förverkliga den noggranna kravhanteringen i säkerhetsstandarder -- inte bara stöd från verktyg, men också från kravhanteringsprinciper och metoder. Därför presenteras ett fundament bestående av en underliggande teori för specifiering av heterogena system, samt kompletterande principer och metoder för att stödja den noggranna kravhanteringen i säkerhetsstandarder. Detta fundament är lämplig som en bas för att kunna implementera verktyg som ger återkoppling och vägledning för kravhantering; likväl så ger den föreslagna teorin, principerna och metoderna essentiellt stöd oavsett om verktyg används eller inte. Den underliggande teorin är en kompositionell och formell kontraktsteori för heterogena system. Denna kontraktsteori ger konkret form åt den centrala kravhanteringsegenskapen att separera kraven på ett system från antaganden på dess omgivning. Dessutom så formaliserar kontraksteorin den noggranna uppgiften att hierarkiskt strukturera krav i enlighet med systemarkitekturen. Således så är de föreslagna principerna och metoderna för att stödja den noggranna kravhanteringen i säkerhetsstandarder välförankrade i formella begrepp och villkor och är därmed också teoretiskt sunda. Det erbjudna stödet är dessutom välanpassat för att kunna verkställas av såväl befintliga som nyaverktyg med tanke på att stödet är grundat på exakta matematiska uttryck som kan tolkas entydigt av maskiner. Verkställandet av fundamentet av ett verktyg medför stöd i form av vägledning och återkoppling vid specifiering av heterogena system i allmänhet, och säkerhetskritiska sådana i synnerhet. / <p>QC 20160909</p> / ESPRESSO

Contracts

Heterogeneous Systems

Safety

Architecture

Requirements

Specification

Elements

Compositional

IEC 61508

ISO 26262

Kontrakt

Heterogena System

Säkerhet

Arkitektur

Kravhantering

Specifiering

Element

Kompositionell

IEC 61508

ISO 26262

Enabling sil2 safety certified applications for mobile machine oems

Lauer, Peter

26 June 2020

Eaton created a new safety controller architecture to allow our customers to design implement, verify and maintain a SIL-2 safety certified application for compliance with IEC 61508:2010 and ISO 13849 Functional Safety Standards. The new architecture has been implemented in a line of safety controllers SFX12 and SFX20 that extend the line of existing mobile controllers HFX12 to HFX48. The new controllers are targeted for controlling mobile and stationary machine applications with focus on steer by wire and propel by wire.

info:eu-repo/classification/ddc/620

ddc:620

Model-Implemented Fault Injection for Robustness Assessment

Svenningsson, Rickard

January 2011

The complexity of safety-related embedded computer systems is steadilyincreasing. Besides verifying that such systems implement the correct functionality, it is essential to verify that they also present an acceptable level of robustness. Robustness is in this thesis defined as the resilience of hardware, software or systems against errors that occur during runtime. One way of performing robustness assessment is to carry out fault injection, also known as fault insertion testing from certain safety standards. The idea behind fault injection is to accelerate the occurrence of faults in the system to evaluate its behavior under the influence of anticipated faults, and to evaluate error handling mechanisms. Model-based development is becoming more and more common for the development of safety-related software. Thus, in this thesis we investigate how we can benefit from conducting fault injection experiments on behavior models of software. This is defined as model-implemented fault injection in this thesis, since additional model artifacts are added to support the injection of faults that are activated during simulation. In particular, this thesis addresses injection of hardware fault effects (e.g. bit-level errors in microcontrollers) into Simulink® models. To evaluate the method, a fault injection tool has been developed (called MODIFI), that is able to perform fault injection into Simulink behavior models. MODIFI imports tailored fault libraries that define the effects of faults according to an XML-schema. The fault libraries are converted into executable model blocks that are added to behavior models and activated during runtime to emulate the effect of faults. Further, we use a method called minimal cut sets generation to increase the usefulness of the tool. During the work within MOGENTES, an EU 7th framework programme project that focused on model-based generation of test cases for dependable embedded systems, fault injection experiments have been performed on safety related models with the MODIFI tool. Experiments were also performed using traditional fault injection methods, and in particular hardware-implemented fault injection, to evaluate the correlation between the methods. The results reveal that fault injection on software models is efficient and useful for robustness assessment and that results produced with MODIFI appear to be representative for the results obtained with other fault injection methods. However, a software model suppresses implementation details, thus leading to fewer locations where faults can be injected. Therefore it cannot entirely replace traditional fault injection methods, but by performing model-implemented fault injection in early design phases an overview of the robustness of a model can be obtained, given these limitations. It can also be useful for testing of error handling mechanisms that are implemented in the behavior model. / QC 20111205

Fault Injection

Model-Implemented Fault Injection

Robustness

Assessment

ISO 26262

ISO 61508

Software

Embedded Systems

Inbäddad systemteknik

Approches de sûreté de fonctionnement sur Ethernet temps réel : application à une nouvelle génération d’ascenseur / Safety approaches for real time Ethernet : application to new lift generation

Soury, Ayoub

11 April 2018

La conception d’un réseau de communication de sécurité basée sur l’Ethernet temps réel répondant aux exigences de la norme PESSRAL, dérivée de l’IEC 61508, constitue la base de notre travail. Afin d’atteindre cet objectif, nous mettons en oeuvre des mécanismes permettant de réduire la probabilité d’erreur et d’atteindre les niveaux d’intégrité de sécurité (SIL) par l’utilisation d’un système électronique déterministe. Avec un seul canal de communication, notre système doit être capable d’intégrer des fonctions critiques et non critiques sans remettre en cause la certification du système.Lors de cet engagement nous proposons un système de communication industrielle basé sur l’Ethernet temps réel. Les interfaces de communication proposées répondent aux exigences de réactivité, de déterminisme pour garantir les contraintes temporelles imposées par le processus et la norme. Pour assurer la sécurité fonctionnelle des interfaces, nous avons proposé une surcouche de type "safety" qui implémente des fonctions de sécurité selon le concept du canal noir défini dans l’IEC 61508. En nous basant sur ces propriétés, nous avons réussi à classifier les solutions temps réel à base d’Ethernet en trois classes en fonction du temps de cycle. La surcouche "safety", basée sur la redondance de données, a permis de renoncer à la solution de redondance physique. Cette redondance de données duplique le temps de cycle initial du réseau qui satisfait néanmoins aux conditions de sécurité et temporelles de la norme. / The design of a communication network with a real-time Ethernet-based security that meets the requirements of the PESSRAL standard, derived from IEC 61508, is the basis of our work. In order to achieve this goal, we implement mechanisms reducing the residual error probability and achieving Safety Integrity Levels (SIL) via a deterministic electronic system. Through a single communication channel, our system must be able to integrate critical and non-critical functions without compromising the system certification.According to this commitment, we suggest an industrial communication system based on real-time Ethernet. The proposed communication interfaces meet the requirements of responsiveness and determinism in order to guarantee the temporal constraints imposed by the process and the standard. To ensure the functional safety of the interfaces, we have proposed a "safety" overlay that implements security functions according to the concept of the black channel defined in IEC 61508. Based on these properties, we have managed to classify the Ethernet-based real-time solutions into three classes in terms of cycle time. The overlay "safety", based on the redundancy of data, made it possible to give up the solution of physical redundancy. This data redundancy duplicates the initial cycle time of the network, which nonetheless satisfies the security and time conditions of the standard.

Pessral

Iec 61508

Système de communication industrielle

Ethernet Temps réel

Réactivité

Déterminisme

Pessral

Iec61508

Industrial communication system

Real-Time Ethernet

Determinism

Functional safety

004

Samočinné testování mikrokontrolerů / Self-Testing of Microcontrollers

Denk, Filip

January 2019

This Master's thesis deals with functional safety of electronic systems. Specifically, it focuses on self-testing of the microprocessor and its peripherals at the software level. The main aim of the thesis is to design and implement a set of functions written in programming language C or assembly language, which automatically test the selected areas of the microcontroller. Resources and methods used in the implemented solution also aim to meet the requirements according to the safety standard IEC 60730-1, Annex H, Software Class B. The microcontroller NXP LPC55S69 was chosen as a hardware platform. It consists of two ARM Cortex-M33 cores. As a result, the example application is provided, which uses implemented test functions at the run-time. Example application also contains a graphical user interface with fault injection ability.