Hypervisor - Virtualisation platform for separation of safety functions with different Safety Integrity Levels
1. Hypervisor
Virtualisation platform for the separation of
safety functions with different
Safety Integrity Levels (SIL)
Andreas Buchwieser (Wind River GmbH)
Andreas Bärwald (TÜV SÜD Automotive GmbH)
safetronic.’08 - München, 04.11.2008
2. Agenda
• Motivation
• Relevant Safety Standards
• Use Cases
• Definitions
• Hypervisor Technology
• Spatial Separation
• Temporal Separation
• Typical Steps
• Outlook
Wind River GmbH (www.windriver.com) TÜV SÜD Automotive GmbH (www.tuev-sued.de/elektronik)
3. Motivation: example body controller (1)
4. Motivation: example body controller (2)
5. Relevant Safety Standards: IEC 61508
• Adequate Independence
”Adequate independence between the safety functions of the
different safety integrity levels can be shown in the design. The
justification for independence shall be documented.”
[source: IEC 61508 part 3: 1998]
• ”It shall be demonstrated either (1) that independence is achieved
both in the spatial and temporal domain, or (2) that any violation
of independence is controlled.”
[source: IEC 61508-3, Ed. 2, version 4, 2007]
6. Relevant Safety Standards: EN 50128
• "...Where different software components have different
software safety integrity levels, these shall be described
in the software architecture specification."
• "The software architecture shall minimise the safety-related
part of the application."
• "...Software components shall be treated as if they belonged to
the highest software safety integrity level, unless their
independence ... is clearly evident."
[source: EN 50128, 2001]
7. Relevant Safety Standards: ISO 26262
ISO/CD 26262-6 Annex D
“Freedom from interference by software partitioning”
Goal:
The objective is to prevent propagation of a failure in one software partition to
any other software partition
(Figure: a single microcontroller; on the hardware runs one operating system, and on top of it two software partitions, Partition A with tasks A.1, A.2, ..., A.n and Partition B with tasks B.1, B.2, ..., B.n.)
8. Impact on shared resources (1)
CPU-time
• Faults to be considered:
– Blocking of partitions, e.g. due to communication deadlocks;
– Wrong allocation of processor execution time.
• Mechanisms to prevent or detect them:
– Time-triggered scheduling;
– Cyclic execution scheduling policy;
– Fixed-priority-based scheduling;
– Monitoring of the processor execution time of software partitions
against the allocation;
– Program sequence monitoring;
– Arrival rate monitoring.
9. Impact on shared resources (2)
Memory
• Memory protection mechanisms;
• Verification of safety-related data;
• Offline analysis of the code and data of other partitions;
• Restricted access to memory;
• Static analysis;
• Static allocation.
10. Impact on shared resources (3)
I/O and communication
• Failure of the communication peer (the peer is not available);
• Blocking of access to the data bus;
• Continuous transmission of messages ("babbling idiot").
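Arrival rate monitoring (slide 8) is the usual counter-measure to the babbling idiot listed above: the hypervisor counts the messages each virtual board hands to the shared bus per monitoring window and refuses anything beyond a statically configured budget. The following C model is an added example and not Wind River Hypervisor code; the budgets, window length and the message trace are constructed for the illustration, and a real implementation would sit in the hypervisor's virtual bus driver and be driven by the system tick.

```c
/* Added example (not Wind River's code): arrival-rate monitoring at the
 * hypervisor's virtual-bus boundary. Each virtual board (VB) has a
 * static budget of messages per monitoring window; messages beyond it
 * are refused and the VB is flagged, so a faulty partition cannot
 * monopolise the shared bus. Budgets, window size and the message trace
 * are constructed for the illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define NUM_VBS      2
#define WINDOW_TICKS 10          /* monitoring window in system ticks */

struct rate_monitor {
    int budget[NUM_VBS];     /* max messages per window, fixed at configuration */
    int count[NUM_VBS];      /* messages forwarded in the current window */
    bool babbling[NUM_VBS];  /* VB exceeded its budget at least once */
    int window_start;        /* tick at which the current window began */
};

void rm_init(struct rate_monitor *m, const int budget[NUM_VBS])
{
    for (int v = 0; v < NUM_VBS; v++) {
        m->budget[v] = budget[v];
        m->count[v] = 0;
        m->babbling[v] = false;
    }
    m->window_start = 0;
}

/* Called when VB `vb` asks to put a message on the bus at time `tick`
 * (ticks are non-decreasing). Returns true if the message is forwarded,
 * false if it is refused. */
bool rm_try_send(struct rate_monitor *m, int vb, int tick)
{
    if (vb < 0 || vb >= NUM_VBS) return false;
    /* roll over into a new window: counts reset, the babbling flag does not */
    while (tick >= m->window_start + WINDOW_TICKS) {
        m->window_start += WINDOW_TICKS;
        for (int v = 0; v < NUM_VBS; v++) m->count[v] = 0;
    }
    if (m->babbling[vb]) return false;   /* latched off until cleared by the safe side */
    if (m->count[vb] >= m->budget[vb]) {
        m->babbling[vb] = true;          /* violation detected and controlled */
        return false;
    }
    m->count[vb]++;
    return true;
}

struct msg { int tick; int vb; };

/* Replays a message trace through the monitor; forwarded[v] receives the
 * number of messages of VB v that reached the bus. */
void replay(struct rate_monitor *m, const struct msg *trace, size_t n, int forwarded[NUM_VBS])
{
    for (int v = 0; v < NUM_VBS; v++) forwarded[v] = 0;
    for (size_t i = 0; i < n; i++)
        if (rm_try_send(m, trace[i].vb, trace[i].tick)) forwarded[trace[i].vb]++;
}

/* Constructed trace: VB1 (index 0) sends one message every 5 ticks;
 * VB2 (index 1, a COTS guest) floods the bus from tick 12 onwards. */
static const struct msg trace[] = {
    {0,0},{5,0},{10,0},{12,1},{12,1},{13,1},{13,1},{14,1},{14,1},{15,0},{15,1},{16,1},{20,0},{21,1},{25,0},
};
#define TRACE_LEN (sizeof trace / sizeof trace[0])

int main(void)
{
    struct rate_monitor m;
    int budget[NUM_VBS] = { 4, 4 };
    int fwd[NUM_VBS];
    rm_init(&m, budget);
    replay(&m, trace, TRACE_LEN, fwd);
    for (int v = 0; v < NUM_VBS; v++)
        printf("VB%d: %d forwarded, babbling=%s\n", v + 1, fwd[v], m.babbling[v] ? "yes" : "no");
    return 0;
}
```

With this trace VB1's six messages all reach the bus while VB2 gets its four per-window messages and is then latched off; latching (rather than just dropping the excess) is what keeps a looping guest from consuming the bus again in every following window.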
11. Hypervisor
Separation Concept
12. Motivation for Separation
• Standardised approach to separation
• Limited software development costs
Only the safety-critical parts need certification
• Flexibility
Third-party deliveries can easily be integrated by the OEM
• Maintenance
Fewer safety-relevant areas are affected by maintenance
• Reusability
Legacy code, architectural approach
13. Use Case Separation
(Figure, before: one hardware target platform runs a safe OS that hosts both the safety-related functions and the application.
After: virtualisation splits the same target platform into Virtual Board 1, running the safety-related functions on the safe OS, and Virtual Board 2, running the application on a COTS OS, both on top of the Wind River Hypervisor as the virtualization mechanism.)
14. Use Case Integration
(Figure, before: two separate hardware target platforms, Target Platform 1 running the safety-related functions on a safe OS and Target Platform 2 running the application on a COTS OS.
After: both are consolidated onto one hardware target platform as Virtual Board 1 (safety-related functions, safe OS) and Virtual Board 2 (application, COTS OS) on top of the Wind River Hypervisor as the virtualization mechanism.)
15. Definitions
• Virtualization
Abstraction of computer resources, hiding the physical
characteristics
• Hypervisor
Configurable supervisor program with both separation and
scheduling that provides virtualization through software
• Virtual Board (Software Partition in ISO/CD 26262-6)
Environment for one operating system or bare application; has
physical and/or virtual hardware controlled by the Hypervisor
16. Hypervisor Technology
(Figure: the physical board provides CPU, memory, Ethernet and serial. The hypervisor presents three virtual boards: Virtual Board 1 with CPU, memory and Ethernet1; Virtual Board 2 with CPU, memory and serial; Virtual Board 3 with CPU, memory and Ethernet2.)
17. Non-interference on a single computer
• Independence of execution
Software elements will not adversely interfere with each other's
execution behaviour such that a dangerous failure would occur
– Spatial Domain
data used by one element must not be changed by another
element, in particular by a non-safety-related element
– Spatial separation
• MMU & IOMMU to separate memory domains and I/O
domains
• VMMU (virtual MMU) to set up a system of virtual boards
• Safe Inter Process Communication (SIPC)
18. Spatial Separation
(Figure: three virtual boards on one physical board. Virtual Board 1 runs a bare application with CPU, memory and Ethernet; Virtual Board 2 runs an application on Linux with CPU, memory and ATA; Virtual Board 3 runs an application on VxWorks with CPU, memory and serial. Applications execute in user mode, the guest operating systems in privileged mode, and the Wind River Hypervisor in system mode, where it owns the VMMU, interrupt and exception handling, virtual board communication, I/O resources and configuration. The physical board provides serial, ATA, Ethernet, memory and the CPU core.)
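The spatial separation mechanisms of the previous two slides (MMU and IOMMU separating memory and I/O domains, static allocation, restricted access to memory) reduce to one rule: every CPU access of a virtual board, and every DMA of a device assigned to it, must fall inside that board's statically configured regions, and anything else is an exception for the hypervisor, never a silent write into another partition. The C model below is an added example, not Wind River Hypervisor code: the three virtual boards, device assignments, addresses and region sizes are invented, and a real hypervisor programs these constraints into the hardware MMU/IOMMU tables instead of checking each access in software; the model shows what those tables have to enforce.

```c
/* Added example (not Wind River's code): a minimal model of the
 * spatial-separation check a hypervisor configures on behalf of its
 * virtual boards. Each virtual board (VB) owns a static list of
 * physical memory regions; a CPU access from a VB, or a DMA access
 * from a device assigned to a VB, is allowed only inside that list.
 * All names, addresses and region sizes are made up for the illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_REGIONS 4
#define NUM_VBS     3
#define NUM_DEVICES 3

enum perm { PERM_R = 1, PERM_W = 2, PERM_RW = 3 };

struct region {
    uint32_t base;
    uint32_t size;
    enum perm perm;
};

/* Static allocation: the region table is fixed at configuration time
 * and never changed at run time (cf. "static allocation" on slide 9). */
struct vboard {
    const char *name;
    struct region regions[MAX_REGIONS];
    size_t nregions;
};

static const struct vboard vbs[NUM_VBS] = {
    { "VB1 (safe OS)", {{0x10000000, 0x00400000, PERM_RW}, {0x40000000, 0x1000, PERM_RW}}, 2 },
    { "VB2 (Linux)",   {{0x20000000, 0x01000000, PERM_RW}, {0x40001000, 0x1000, PERM_RW}}, 2 },
    { "VB3 (VxWorks)", {{0x30000000, 0x00800000, PERM_RW}, {0x40002000, 0x1000, PERM_RW}}, 2 },
};

/* IOMMU view: each bus-mastering device is bound to exactly one VB and
 * may DMA only into that VB's regions. */
struct device { const char *name; int owner_vb; };
static const struct device devices[NUM_DEVICES] = {
    { "Ethernet", 0 }, { "ATA", 1 }, { "Serial", 2 },
};

/* Overflow-safe containment check: [addr, addr+len) inside one region
 * with at least the wanted permission. */
static bool in_region(const struct region *r, uint32_t addr, uint32_t len, enum perm want)
{
    if (len == 0 || addr > UINT32_MAX - (len - 1)) return false;
    uint32_t end = addr + (len - 1);
    return addr >= r->base && end <= r->base + (r->size - 1) && (r->perm & want) == want;
}

/* MMU check: may VB `vb` access [addr, addr+len) with permission `want`?
 * Default deny: anything not statically allocated raises an exception. */
bool mmu_allows(int vb, uint32_t addr, uint32_t len, enum perm want)
{
    if (vb < 0 || vb >= NUM_VBS) return false;
    for (size_t i = 0; i < vbs[vb].nregions; i++)
        if (in_region(&vbs[vb].regions[i], addr, len, want)) return true;
    return false;
}

/* IOMMU check: may device `dev` DMA into [addr, addr+len)? The device
 * inherits exactly the memory domain of the VB it is assigned to. */
bool iommu_allows(int dev, uint32_t addr, uint32_t len)
{
    if (dev < 0 || dev >= NUM_DEVICES) return false;
    return mmu_allows(devices[dev].owner_vb, addr, len, PERM_W);
}

int main(void)
{
    /* A driver bug in VB2 (Linux) tries to write into VB1's memory. */
    printf("VB2 -> VB1 RAM: %s\n", mmu_allows(1, 0x10000100, 4, PERM_W) ? "ALLOWED" : "exception");
    /* VB1 writes its own memory. */
    printf("VB1 -> own RAM: %s\n", mmu_allows(0, 0x10000100, 4, PERM_W) ? "allowed" : "EXCEPTION");
    /* Ethernet (owned by VB1) is programmed to DMA into VB3's buffer. */
    printf("Ethernet DMA -> VB3 RAM: %s\n", iommu_allows(0, 0x30000000, 1500) ? "ALLOWED" : "blocked");
    /* A write that starts inside VB1's RAM but runs past its end. */
    printf("VB1 straddling write: %s\n", mmu_allows(0, 0x103FFFF0, 32, PERM_W) ? "ALLOWED" : "exception");
    return 0;
}
```

The straddling case is the one most often got wrong in hand-written checks: the range is tested as a whole, not by its first byte, and the arithmetic is guarded against wrap-around, because a 32-bit `addr + len` that wraps to a small value would otherwise pass a naive `end <= limit` comparison.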
19. Non-interference on a single computer
• Independence of execution
Software elements will not adversely interfere with each other’s execution
behaviour such that a dangerous failure would occur
– Temporal Domain
one element must not cause another element to function incorrectly by
taking too high a share of the available processor execution time, or
by blocking execution of the other element by locking a shared
resource of some kind
– Temporal separation
• Deterministic scheduling
– Scheduling policy (time slice, priority)
• Exception Handling
• Cache and DMA Management
20. Temporal Separation
(Figure: a major frame made up of four minor frames, delimited by the system tick. VB 1 has a window in every minor frame; VB 2 runs in the first, second and fourth minor frame, VB 3 in the third; the remaining ticks of each minor frame are spare time.)
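The schedule in the figure, together with the "monitoring of processor execution time against the allocation" from slide 8, can be written down as a small C model. It is an added example and not Wind River Hypervisor code: the tick counts, window lengths and the per-board workloads are constructed for the illustration, and a real hypervisor would drive the table from a hardware timer interrupt rather than a loop. What it shows is the property that matters for IEC 61508's "violation of independence is controlled": a guest that demands far more than its window gets exactly its window, the boards around it keep their time, and the overrun is recorded rather than absorbed.

```c
/* Added example (not Wind River's code): time-partitioned scheduling as
 * sketched on the "Temporal Separation" slide. A major frame is a fixed
 * sequence of minor frames; each minor frame is split into windows owned
 * by exactly one virtual board (VB), the unused ticks being spare time.
 * The tick handler consults only this static table, so no VB can take
 * time from another, however much it demands. Window lengths, tick
 * counts and workloads are constructed for the illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define NUM_VBS      3
#define MINOR_TICKS  10          /* system ticks per minor frame */
#define MINOR_FRAMES 4           /* minor frames per major frame */
#define MAX_WINDOWS  4

struct window { int vb; int start; int len; };
struct minor_frame { struct window win[MAX_WINDOWS]; size_t nwin; };

/* Static schedule (as in the slide): VB1 in every minor frame, VB2 in
 * minor frames 1, 2 and 4, VB3 in minor frame 3, the rest is spare. */
static const struct minor_frame major_frame_tbl[MINOR_FRAMES] = {
    { { {0, 0, 4}, {1, 4, 4} }, 2 },
    { { {0, 0, 4}, {1, 4, 4} }, 2 },
    { { {0, 0, 4}, {2, 4, 4} }, 2 },
    { { {0, 0, 4}, {1, 4, 4} }, 2 },
};

struct stats {
    int ticks_run[NUM_VBS];      /* ticks actually granted per VB */
    int overruns[NUM_VBS];       /* windows the VB ended with work left */
};

/* Configuration-time check: windows of a minor frame must name a real
 * VB, fit into the frame and not overlap. */
bool schedule_is_valid(const struct minor_frame *mf)
{
    bool used[MINOR_TICKS] = { false };
    for (size_t i = 0; i < mf->nwin; i++) {
        const struct window *w = &mf->win[i];
        if (w->vb < 0 || w->vb >= NUM_VBS || w->len <= 0) return false;
        if (w->start < 0 || w->start + w->len > MINOR_TICKS) return false;
        for (int t = w->start; t < w->start + w->len; t++) {
            if (used[t]) return false;     /* two VBs claim the same tick */
            used[t] = true;
        }
    }
    return true;
}

/* Which VB owns tick `t` of minor frame `mf`, or -1 for spare time. */
static int owner_of(const struct minor_frame *mf, int t)
{
    for (size_t i = 0; i < mf->nwin; i++)
        if (t >= mf->win[i].start && t < mf->win[i].start + mf->win[i].len)
            return mf->win[i].vb;
    return -1;
}

/* Run one major frame. demand[vb] is how many ticks the VB wants in each
 * minor frame. A VB wanting more than its window is not run outside it;
 * the overrun is counted so the violation is detected and controlled
 * instead of silently shifting the other VBs. */
struct stats run_major_frame(const int demand[NUM_VBS])
{
    struct stats s = { {0}, {0} };
    for (int f = 0; f < MINOR_FRAMES; f++) {
        const struct minor_frame *mf = &major_frame_tbl[f];
        int left[NUM_VBS];
        for (int v = 0; v < NUM_VBS; v++) left[v] = demand[v];
        for (int t = 0; t < MINOR_TICKS; t++) {
            int vb = owner_of(mf, t);
            if (vb < 0) continue;                       /* spare time: nobody runs */
            if (left[vb] > 0) { left[vb]--; s.ticks_run[vb]++; }
            /* window closes after this tick with work still pending */
            if (owner_of(mf, t + 1) != vb && left[vb] > 0) s.overruns[vb]++;
        }
    }
    return s;
}

int main(void)
{
    for (int f = 0; f < MINOR_FRAMES; f++)
        if (!schedule_is_valid(&major_frame_tbl[f])) { puts("bad schedule"); return 1; }

    /* VB2 (the COTS guest) misbehaves and wants 50 ticks per minor frame. */
    int demand[NUM_VBS] = { 3, 50, 2 };
    struct stats s = run_major_frame(demand);
    for (int v = 0; v < NUM_VBS; v++)
        printf("VB%d: ran %d ticks, overran %d windows\n", v + 1, s.ticks_run[v], s.overruns[v]);
    return 0;
}
```

Running it, VB1 receives its 4 ticks in each of the four minor frames whether VB2 asks for 3 ticks or 50, and VB2's three overruns are visible to the hypervisor, which is the hook for the fault reaction a safety case would require (restart the partition, raise an alarm, fall back to a safe state).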