Platform overview
The industrial control and process automation industry has strict requirements
for control and automation device safety and security due to the possible
consequences associated with catastrophic system failures. The software
that controls plant processes and automation systems must have the utmost
reliability and go through stringent analysis and testing before being
deployed.
Developing and deploying software for these devices has traditionally
been a time-consuming and expensive process. The Green Hills Platform
for Industrial Safety provides a complete solution for building the software
components of safe, secure, and reliable systems, even those that require
certification up to the demanding IEC/EN 61508 Safety Integrity Level
4 (SIL4). The Platform’s approach is equally applicable to products
developed for the automotive, rail, and nuclear industries.
The Green Hills solution incorporates the following pre-integrated components
that can help you increase productivity and drastically reduce product
cost, risk, and time-to-market:
- a safety-approved off-the-shelf (OTS) real-time operating system
- integrated operating system middleware
- a highly integrated development and verification tool set for all phases
of the software life cycle, including software changes
- system/software consulting, development, and certification support
services
Green Hills and its Platform for Industrial Safety partners are recognized
leaders in supplying products and services related to embedded systems
development and certification with a long history in the medical, avionics,
defense, and industrial automation industries.
The Green Hills solution provides a complete, cost-effective, end-to-end,
risk-managed product development solution covering every aspect of the
product development life cycle from product and certification planning,
to training, to architectural roadmap and full system development, to
final certification.
IEC 61508 safety integrity levels
The INTEGRITY® royalty-free
real-time operating system (RTOS) provides the foundation for the Platform. For
applications requiring IEC/EN 61508 certification, a TÜV-certified IEC/EN
61508 SIL3 (Safety Integrity Level 3) RTOS kernel is available. IEC/EN 61508
is an international standard for the functional safety of electrical/electronic/
programmable electronic systems (PES). This standard is well established in the
industrial process control and automation industry, and is finding a foothold
in the automotive, heavy machinery, mining and related industries where safety
and reliability are paramount.
IEC/EN 61508 SIL levels are defined for system components in terms of
probability of a dangerous failure and the corresponding required risk
reduction. SIL3 is considered the highest level of risk reduction achievable
using a single programmable electronic system. The standard allows for
independent assessment of subsystems and components. It is possible to
classify subsystems and components into the following categories:
- Safety Critical: a single fault can result in a dangerous failure
- Safety Relevant: a single fault in combination with a second fault
can result in a dangerous failure
- Interference Free: faults cannot cause a dangerous failure
Safety Critical components require the most scrutiny and tend to be the most
expensive in terms of time, cost, and certification effort. Safety Relevant
and Interference Free components require correspondingly less scrutiny
and associated cost. For software components, the requirements of IEC/EN
61508 are met by employing a rigorous, systematic development process
that emphasizes requirements traceability, criticality analysis, validation,
and verification procedures.
The IEC 61508 safety standard is also the meta-standard for other published
standards such as EN 50128 for railway (CENELEC), IEC 60601 for medical,
IEC 61513 for nuclear, and IEC 61511 for the process industry, making
the Green Hills Platform for Industrial Safety directly applicable to
these industry sectors.
Green Hills INTEGRITY RTOS
INTEGRITY has been deployed in a wide range of safety-critical systems,
including multiple DO-178B level A certified systems, FDA-approved Class
II/III medical devices, and IEC 61508 SIL 3 certified systems. The INTEGRITY
IEC 61508 SIL3 certified kernel has been developed according to a systematic
development process based on ISO 9001/90003/12207 quality management
processes and procedures as well as the IEC 61508 life cycle. This process
emphasizes requirements traceability, design control, risk analysis,
and validation. The resulting life cycle documentation and records, as
well as source code, are optionally available to support the developer’s
development and certification activities.
INTEGRITY architecture
INTEGRITY is the first RTOS to provide complete support for industrial
automation and control applications containing software of multiple
levels of safety criticality (Safety Critical, Safety Relevant, Interference
Free) running concurrently on a single microprocessor. INTEGRITY allows
multiple software applications to share a common hardware platform
and allows developers to design applications such that an error or
failure in one application cannot negatively impact the operation of
other applications.
INTEGRITY achieves this secure application separation by providing the
developer with capabilities for complete time, space, and resource partitioning
between applications. With this architecture it is possible to divide
application software into components at various criticality levels and
be assured that a failure in a non-critical component (such as a non-critical
display or communication stack) cannot cause a failure in a critical
component (such as a process controller). The INTEGRITY Safety Manual
provides guidelines on the use of INTEGRITY in safety system applications
and outlines the robust set of Application Programming Interfaces (APIs)
that are available for use.
Scalability
For devices designed with limited resources, the velOSity real-time
operating system (the core kernel of INTEGRITY) is configured to run on
microprocessors that do not have a memory management unit (MMU), minimizing the
memory footprint required while optimizing code execution speed. velOSity applications
are 100% API compatible with INTEGRITY, providing a scalable, compatible software
environment for a device manufacturer that is developing a range of devices
and wants the utmost in code reuse, portability, and target processor independence.
Complete range of integrated middleware
INTEGRITY is fully integrated with a complete range of feature-rich
middleware components for interaction with other applications and systems
in the industrial device environment.
Networking support
A complete suite of seamlessly integrated networking and communications
products is provided for use with INTEGRITY. INTEGRITY supports a variety
of wired, wireless, and industrial networking communications protocols
as well as the latest secure communications protocols. These protocol
stacks and security components can be placed in secure partitions with
access given to only entitled applications.
USB
High-performance USB solutions provide both host and device (function)
support and include numerous class drivers and example applications
(source code provided for stacks and drivers).
File systems
INTEGRITY’s file system framework model, commonly referred to as
a virtual file system (VFS) framework, is provided to make it easy to
add and remove support for various file systems. The VFS server provides
file system support for UNIX-like file systems, DOS/FAT 12/16/32, ISO
9660, Wear Leveling Flash File Systems, and others.
Embedded databases
Support for several embedded in-memory databases allows users to store
and access complex data content using structured store and query methods.
The database solutions for INTEGRITY range from those with extremely
small footprints, to distributed databases with real-time updates,
to full-blown SQL-compliant databases.
Graphics and video support
INTEGRITY offers extensive support for embedded graphics development
spanning the deeply embeddable to advanced OpenGL compatible 3D graphics
environments.
Development tools
The Green Hills Platform for Industrial Safety incorporates best-in-class
tools to aid in all stages of the software development life cycle.
Green Hills Software’s MULTI integrated development environment
Green Hills Software’s MULTI® integrated
development environment (IDE) provides the industry’s most powerful
and proven tools for developing embedded software with total reliability,
maximum performance, and minimum code size. With MULTI’s sophisticated,
intuitive capabilities, you can develop, debug, and optimize code more
quickly, significantly reducing both development cost and time. MULTI
supports more target processors, operating systems, and third-party tools
than any other IDE—making it ideal for enterprise-wide use. By
using a common set of development tools across projects, industrial device
developers can more easily share code or move between projects without
compromising productivity. With MULTI, you can develop code in C, C++,
EC++, MISRA C and Ada 95.
Telelogic’s Rhapsody SysML/UML modeling & code generation
Telelogic’s Rhapsody Model-driven Development Environment based
on SysML (System Modeling Language) and UML 2.0 (Unified Modeling Language)
helps software teams move from requirements through system architecture
phase with advanced modeling tools. Rhapsody is capable of fully modeling
system architectures across any discipline and allows the execution,
implementation and testing of those models in an easy push button environment.
Tightly integrated with MULTI and INTEGRITY, Rhapsody can generate code
for INTEGRITY-based systems from the models created with UML. You can
also debug Rhapsody models side-by-side with generated source code in
MULTI.
Esterel Technologies’ SCADE software modeling & IEC 61508
certified code generation
Esterel Technologies’ SCADE Gateway for Rhapsody bridges SysML,
UML and safety-critical software development, thus enabling a complete
workflow from high-level system requirements down to IEC 61508 certified
generated code. An IEC 61508 certified SCADE KCG C code generator can
produce code for the INTEGRITY RTOS at any time in the development cycle.
Using a pre-validated code generator eliminates the need for low level
unit testing for this code. SCADE is also ideal for final development
of the algorithmic safety critical functions of a system (e.g., a
control function). High level SysML/UML models can be imported from Rhapsody
and refined in the SCADE graphical
modeling/simulation environment.
Vector Software’s VectorCAST software test & code coverage
Vector Software’s VectorCAST line of products reduces the burden
placed on individual industrial device developers by automating and standardizing
application component level testing, the "next generation" of
intelligent test tools. VectorCAST is a world-class integrated software
test solution that automates the tasks associated with testing software
components for C/C++, Embedded C++, and Ada 83/Ada 95 programs. Automation
includes complete test harness construction, test generation, test execution,
code coverage analysis, regression testing, and static measures for code
complexity and basis path analysis. VectorCAST is integrated with both
INTEGRITY and MULTI.
Platform services
The Platform for Industrial Safety offers comprehensive services for
the industrial control and automation industry. In addition to Telelogic,
Esterel Technologies, and Vector Software, Green Hills Software has partnered
with exida.com, a leader in the field of safety systems methodology,
to provide another layer of safety, reliability, and automation expertise
to our customers—bringing the end-to-end services you need to develop
highly reliable embedded software for your device and meet a range of
certification requirements.
Product development services offered include:
- Analysis and reports—Functional safety management, safety life
cycle, FMEA, FMEDA, HAZOP, cyber-security
- Automation solutions for safety critical problems
- Equipment certification assistance for IEC and CENELEC electrotechnical
standards
- Custom engineering for functional safety
- Training: FMEA, FMEDA, HAZOP, IEC 61508; Certified Functional Safety
Expert (CFSE) exam preparation
Tools and RTOS support services (INTEGRITY, velOSity, MULTI, Rhapsody,
VectorCAST, SCADE) offered include:
- Tools training
- Quick start consulting—delivery, installation, configuration
- Best practices assessment for use of tools
- Product customization
- Custom development—model development, device drivers and Board
Support Packages (BSP)
- Life cycle documentation/process support