
© 2017 WIND RIVER. ALL RIGHTS RESERVED.

BUILDING FUNCTIONAL SAFETY PRODUCTS WITH WIND RIVER VXWORKS RTOS

Alex Wilson

Director, Market Development

HERITAGE
• 1981: Founded
• 1993: IPO
• 2009: An Intel Company

SCALE
• 1,200 Employees
• Presence in 20+ countries

LEADERSHIP
• Commercial OS Market Share Leader
• Broadest Embedded Software Portfolio

INVESTMENT
• 30+% of Annual Spend is on R&D
• Rich History of M&A

For over 30 years, Wind River has helped the world's technology leaders power generation after generation of the safest, most secure devices in the world.

DIGITAL BUSINESS TRANSFORMATION

Business Drivers
• New approach for business strategy
• Increased efficiency, safety, resource sustainability
• Need for smart maintenance approaches

The Use of Technology to Radically Improve the Performance or Reach of Enterprises

DIGITAL TRANSFORMATION

Business Impact
• Data-enabled intelligent systems
• Lifecycle costs
• Safety while enabling connectivity
• Security maintenance
• Industrial IoT

The future is software defined …
• Functional safety
• Cybersecurity

IEC 61508 FUNCTIONAL SAFETY
For Programmable Electronics

• Safety Function Requirements: What the function does
• Safety Integrity Requirements: The likelihood of a safety function being performed satisfactorily (SIL)

Equipment Under Control (EUC): Industrial plant, e.g., welding robotics

Safety Function: A function that is carried out by a (safety-related) system to minimize risks with the goal of achieving and/or maintaining a secure state for the EUC when a pre-defined dangerous incident is taken into account

Programmable Electronics (PE): Hardware + software

FUNCTIONAL SAFETY APPLIES ACROSS MULTIPLE SEGMENTS
• Process Automation: Safety Controllers, Safety PLC
• Control Automation: Robot Controllers, Manufacturing Systems
• Transportation: Signalling Systems, Control Systems
• Energy: Production Systems, Distribution Systems

SAFETY: The system must not harm the world. Matures and gets more stable over time.

SECURITY: The world must not harm the system. Becomes more challenging over time.

VxWORKS Real Time Operating System

VxWORKS CORE PLATFORM
• Development Tools: Workbench 4 IDE, Compiler & Toolchain, Linux & Windows, Full Source Code
• Middleware and Application Support: Network Stack, USB Stack, Filesystem, Inter-Process Communication
• Operating System: 32 and 64 Bit, Uniprocessor and SMP
• Architecture and BSP: Intel, ARM, PPC (Atom, QorIQ, …); Drivers for Ethernet, USB, …

VxWORKS FOR SAFETY-CRITICAL SYSTEMS

VxWorks Core Platform
• General Purpose OS
• Extensive Middleware
• Intel, ARM and PPC

Safety Profile
• Time & Space Partitioning Module
• Additional Toolchain for Cert Kernel build
• Certifiable API Subset
• All VxWorks architectures

Certification Evidence
• Cert Evidence up to DO-178C Level A and IEC 61508 SIL 3
• Verification Test Harness
• Verified OS Binaries
• Architecture-specific

VxWORKS CORE VERSUS SAFETY PROFILE

VxWorks
• OS Libraries
• Architecture Adapter
• USB Stack
• OpenGL Stack
• File System
• BSPs, Drivers

Safety Profile
• Cert Subset Libraries
• Cert Kernel Architectures
• Cert File System *
• Cert Network Stack *

* Cert Filesystem/Network Stack not yet available on VxWorks 7

CERTIFICATION STANDARDS

Market        Standard    Area
Industrial    IEC 61508   Functional Safety
Automotive    ISO 26262   Functional Safety
Nuclear       IEC 60880   Safety
Rail          EN 50128    Safety
Medical       IEC 62304   Safety, Software Lifecycle
Aviation      DO-178C     Safety
All Markets   IEC 27034   Security, Secure Dev. Lifecycle
All Markets   IEC 15408   Security, Common Criteria
Industrial    IEC 62443   Security for Industrial Devices

RULES OF THUMB FOR QUALITATIVE REQUIREMENTS

[Chart: a scale from 10^-9 to 10^-5 with three columns plotted against it: ARP4761 (DAL D, DAL C, DAL B, DAL A), EN 5012x (SIL 1 to SIL 4) and IEC 61508 (SIL 1 to SIL 4). Zone A and Zone B mark zones of similar qualitative requirements across the three standards.]

USING VXWORKS FOR FUNCTIONAL SAFETY

SIMPLE SAFETY SYSTEM
VxWorks Safety Profile used Natively
• Simple Safe / non-Safe use case
• Segregated non-Safe application
• All resources under the control of VxWorks Safety Profile

[Diagram: a Safety Application (SIL 3) and a Non-Safe Application both running on the VxWorks Safety Profile, on an Intel FuSa / Cyclone V SoC with Core 0 to Core 3.]

VIRTUALIZATION CONFIGURATION
• Single safety application per core
• Separated non-Safe application
• Device redirect by Hypervisor/Hardware
• Performance impacts easily measured against single core

[Diagram: Safety Certified VxWorks Hypervisor on Intel FuSa, Core 0 to Core 3. Two Safety Applications (SIL 3), each on its own VxWorks Safety Profile instance, alongside Non-Safe Applications on Wind River Linux and on VxWorks.]

FUTURE CONFIGURATION FOR VIRTUALIZATION
• Multiple cores per application
• Separated safety applications
• Separated non-Safe application

[Diagram: Safety Certified VxWorks Hypervisor on Intel FuSa, Core 0 to Core 3; two Safety Applications (SIL 3), each on its own VxWorks Safety Profile.]

USING COTS TECHNOLOGY FOR CERTIFICATION

WHERE DO WIND RIVER & INTEL FIT INTO THE STORY?

[Diagram: Programmable Electronics (PE) stack]
• Safety Critical Applications: Customer, IEC 61508 SIL 3
• Safety Evidence for VxWorks: Wind River COTS, IEC 61508 SIL 3
• Safety Evidence for Drivers & Middleware: Wind River Professional Services
• Target Hardware: Intel Functional Safety CPU

WIND RIVER ENGAGEMENT IN THE OVERALL FRAMEWORK

[Diagram: IEC 61508 overall framework]

Technical Requirements
• Part 1: Development of the overall safety requirements (concept, scope definition, hazard and risk analysis), 7.1 to 7.5
• Part 1: Allocation of the safety requirements to the E/E/PE safety-related systems, 7.6
• Part 2: Realization phase for E/E/PE safety-related systems
• Part 3: Realization phase for safety-related software
• Part 1: Installation and commissioning and safety validation of E/E/PE safety-related systems, 7.13 and 7.14
• Part 1: Operation and maintenance, modification and retrofit, decommissioning or disposal of E/E/PE safety-related systems, 7.15 to 7.17

Other Requirements
• Part 1: Documentation, Clause 5 and Annex A
• Part 1: Management of Functional Safety, Clause 6
• Part 1: Functional Safety Assessment, Clause 8
• Part 4: Definitions and Abbreviations
• Part 5: Risk based approaches to the development of the safety integrity requirements
• Part 6: Guidelines for the application of parts 2 and 3
• Part 7: Overview of techniques and measures

VxWORKS SAFETY MANUAL
Guidance for VxWorks usage in a certified environment

Standards
• IEC 61508
• Cert authority
  – TÜV
  – Determines compliance with standards

Best Practices
• Installation instructions
• Build environment
• User interface
• BSP
• Processor
• Error handling

Guidelines
• APIs
  – RTPs
  – DKMs
  – VIP
  – VSBs
• Restrictions: RTPs, DKMs, VIP, VSB

Hazard Mitigation
• Failure mode and effect analysis (FMEA)
• Partitioning
• Safe inter-process communications
• Hardware hazards

SUMMARY
• Wind River is the industry leader, with over 45% market share and deep corporate support from our parent company, Intel.
• Safety systems minimize risks for failures
• Connected safety systems provide value
• VxWorks provides proven basis for Functional Safety