Lessons from the battlefield
30 November 2010
Designers of industrial equipment are learning from other markets to take advantage of the latest technologies without having to go through long certification processes. Jens Wiegand discusses the trend
Safety and reliability are increasing concerns when designing industrial equipment, from the factory floor to medical equipment. As the pressure on development time and cost increases, designers are looking for ways to make the processes more efficient; but at the same time they want to add new features and conform to new homologation or safety standards.
Emerging standards such as CENELEC EN50126, EN50128, EN50129, and the European Train Control System (ETCS) are making design times longer and less predictable because more certification needs to be done, with different requirements for different countries. With new communication systems in transport and automation systems, certification is more complex and time consuming.
This is a complex combination of requirements that can no longer be met with the traditional approach of custom hardware and software, so commercial off-the-shelf (COTS) solutions are increasingly being adopted. At the same time there are millions of lines of code that have been proven in the field over many years, so designers want to be able to include this legacy code in new developments. Using pre-tested and proven functions is a key way to reduce design time and the time-to-revenue of a complete system.
One of the key trends emerging across many industrial segments is the need for time and space separation of functions.
Traditionally this has been provided through separate hardware boards running separate software stacks; but this is increasingly costly to develop and maintain. Now it is possible for unicore and multi-core processors coupled with new virtualisation software to separate the safety-critical functions, allowing legacy code to run on one processor with noncritical code running on another, all under the control and protection of a robust hypervisor.
This virtualisation model has been increasingly popular in the aerospace and military industries. These designs have moved to COTS boards and separation kernels over the last few years and these systems are now emerging into front-line service. Of course, these systems have to conform to highly specialised reliability standards such as DO-178 and ARINC 653, which means that developers must demonstrate high levels of confidence in system performance. This involves a multitude of test cases and test artefacts and applied tools, often provided by commercial software suppliers such as Wind River and its ecosystem of partners, to demonstrate the high levels of safety inherent in the system’s design and implementation.
The developments are also optimised for the long-term needs of markets where the same designs can be in use for years.
The same techniques are now being adopted in industrial standards. Embedded software suppliers can use their experience in high-reliability applications to bring high levels of safety to the industrial market without the penalty of long design times and costly implementations.
Using a commercial real-time operating system in combination with a hypervisor on mainstream unicore or multi-core processor boards provides design flexibility. Meanwhile, the pre-assessed artefacts and test cases that run on these platforms for the industrial segments help to speed up development time and the certification process. It avoids costly re-runs and bug fixes, moving an inflexible hardware-centric product life cycle process to a highly flexible software oriented life cycle process. This allows modularity, reusability, and maintainability, which in turn allows device manufacturers to focus on innovation and faster time-to-revenue.
Networking is an increasingly important part of any industrial design. Equipment on the factory floor is being linked together.
Similarly, medical equipment has to be able to communicate with other systems in the hospital or home. In both cases it is vital that communications are reliable and secure.
However, networking stacks are notorious for being a point of external access to a system.
The communication also has to be securely transmitted to prevent snooping and intrusion, particularly when using Ethernet or connecting to the wider Internet. The control industry is facing an increasing amount of cyber attacks, shifting security scrutiny from the finance and defence industries to the control industry.
Even with an established fieldbus protocol, separating the network stack can enhance reliability. It also allows communications to be quickly and reliably upgraded to higher speeds or new versions of the network standard, without having to rewrite the rest of the system code. As a result, software vendors are providing certified network stacks that run on high-performance multicore processors from companies such as Intel, Freescale Semiconductor, Cavium, and NetLogic.
This alone is not enough to achieve certification, as the whole system has to be certified. Nonetheless, a certifiable stack running on an isolated core with clearly defined communication paths can dramatically reduce the certification time.
Even if the communications code crashes or is compromised, the rest of the system is protected and the affected processor core can be restarted without having to implement a global reboot or, worse, field servicing by a technician.
The increased computing power of multicore processors and their improvement in performance, power, and price over previous unicore processors has created the possibility of consolidating various disparate systems onto a single device. Leveraging innovations in virtualisation technology such as high-performance, deterministic hypervisors, multi-core processors can host real-time safety-critical systems and general purpose operating systems. Combining different functions and different levels of criticality on one device with time and space separation is a key paradigm shift. Vehicle control units (VCU) or human-machine interface (HMI) platforms combined with safety functions are good examples of this shift. As a result, the control and user interface functionality can be combined or consolidated on a single platform, and the HMI can be implemented on a core that is entirely separate from the control and safety critical elements of the design. This allows for new features, functions, and interfaces such as 3D graphics without a major recertification of the entire system. It also makes the equipment easier and safer to use.
The time and space separation further allows users to employ general-purpose operating systems (GPOS) such as Linux on a separate core from the safety-critical code.
This allows designers to access a broad ecosystem of software that they can modify for their own applications without compromising the core functionality. It speeds up development and helps to reduce costs.
This combination of multi-core processors and commercial software offers considerable flexibility in safety-critical designs for the transportation or energy markets. For example, in a vehicle control unit, one core can be running a hypervisor with a real-time operating system while another can be running a “bare metal” implementation of a small safety application or a more complex safety application using a certified real-time operating system. It prevents the same root cause of failure from compromising the whole system.
There are a number of reasons why this approach is being adopted by companies such as Bombardier, Alstom, and Siemens for transportation systems.
Firstly, transportation systems are often large contracts that span many years. There are extensive penalties if these projects overrun, as well as inreasing pressure on costs and schedule for the existing contracts.
Developers can no longer take many years to bring a system to market nor can they overspend the budget with impunity.
Secondly, new train and tram developments are also using more and more electronics, including automatic train protection systems, automatic train operations, and driver and passenger information systems. On top of these are the new emerging video and Internet data services being offered to passengers, which drive convergence of control and passenger comfort information.
These factors are now driving the use of COTS hardware and software rather than companies developing these technologies inhouse.
They need to meet the specific needs of the transportation market in reliability, long-term support over the 20 or 30 years of the equipment’s life, and compliance with safety regulations.
As virtualisation and multi-core devices have moved from the PC arena to the embedded world, the opportunities for increasing the safety and efficiency of industrial designs have increased.
Commercial software vendors are combining their experience in various industrial segments with the lessons of the aerospace industry, aiming to provide the tools to create and certify robust, reliable implementations across a range of applications. This has led to higher-quality system designs without dramatically increasing the project time or cost, allowing for the usage of legacy and open source code while providing more flexibility for upgrading and enhancing industrial equipment.
The author is General Manager for Industrial Solutions, Wind River
Contact Details and Archive...