SIL assignment rules for tasks in safety-critical applications and partition sharing

Published 2024-10-05 12:03:26


Considering a safety-critical application, composed of several tasks, I have the following question:

Is it possible to have tasks of different SILs in an application, or are all tasks the same SIL? I know that in HW it is possible to have a system of a certain SIL actually composed of subcomponents of different SIL. IEC 61508-2, sec 7.4.3 presents the rules to combine subsystems of different SILs to form a system of a greater SIL than the composing parts.

If it is possible, what are the rules to combine? References are very helpful.
For example, can a task of SIL 2 be the input for a task of SIL 3?

Thanks and good luck,


Comments (4)

夜司空 2024-10-12 12:03:26

Yes it is possible. I recommend reading part 3 of the latest version of IEC 61508 (IEC 61508-3:2010) Appendix F, "Techniques for achieving non-interference between software elements on a single computer"; it's only 5 pages, but very informative. It outlines methods for achieving spatial and temporal independence of software modules with differing SIL levels.

As said earlier in this link, operating systems such as PikeOS and VxWorks should provide this partitioning; I do know SafeRTOS, which has been certified to IEC 61508, does provide this type of partitioning as standard.

与之呼应 2024-10-12 12:03:26

You should look at systems based on ARINC 653 (and DO-297) or equivalent. Partition-based OSes are designed to answer this kind of need. I mean PikeOS, VxWorks, Integrity ...

乜一 2024-10-12 12:03:26

As I said: an ARINC 653 compliant RTOS (for aircraft) is exactly targeted towards this goal. DO-178B (the equivalent of IEC 61508 or ISO 26262 or Def-Stan 55/56) requires a segmentation in space and time between partitions of different software assurance levels (for you, SIL levels). You may find equivalent systems for your specific market.
For linking different levels, there are inherent difficulties from the low-level layers and communication channel. You will have to prove the determinism of your system at the higher level of security/safety/reliability (meaning the most difficult to obtain). Thus, communication cannot be blocking, the RTOS has to be certified to the higher level, ... This is taken into account in partition-based RTOSes, like ARINC 653 equivalents.
You may also have success with MILS Linux or virtualized systems (= hypervisors like XEN, OKL kernels).

东京女 2024-10-12 12:03:26

You can combine SW modules with different SIL levels, even if the Independent Safety Assessor will analyse your code deeply. The principle is simple: you have to demonstrate that a lower-SIL module can't influence a greater-SIL module. To achieve this, you have to keep in mind that a lower-SIL function can call a greater-SIL function, but the opposite must be strictly avoided.
In this scenario, to exchange data between two modules with different SIL levels, you need a third module, with a SIL level equal to the higher one, that provides to both the API to exchange data.
Example:
- a SIL3 task (T1) implements a fail-safe application protocol.
- a SIL0 task (T2) implements the TCP/IP stack, used as the transport layer of the application protocol.
Of course, T1 and T2 have to exchange data in both directions.
You need a third task (T3), at least SIL3, that provides the inter-task communication API (e.g. some queue management functions). In this way both T1 and T2 call only the functions of T3 (that is SIL3) to exchange data.

A typical example of this kind of mechanism is the so-called "blackboard", used in avionics applications.
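The T1/T2/T3 arrangement from this answer, and the non-blocking requirement from the previous one, sketched as an added C example; this is not the commenter's code nor any real RTOS API. The function names, the 32-byte message size, the queue depth and the single-producer/single-consumer assumption are illustrative; on a partitioned RTOS the kernel would own the queue and its synchronization.

```c
/* Added example, not from the thread: a "T3"-style mediator, a fixed-depth non-blocking
 * queue that a lower-SIL producer (T2, TCP/IP) and a higher-SIL consumer (T1, fail-safe
 * protocol) both call. Names, sizes and single-producer/single-consumer are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MSG_MAX   32  /* assumed maximum payload per message */
#define QUEUE_CAP 4   /* assumed fixed depth: bounded memory, no dynamic allocation */

typedef struct { uint8_t data[MSG_MAX]; size_t len; } msg_t;
typedef struct {
    msg_t slots[QUEUE_CAP]; size_t head, tail, count;
    uint32_t dropped;   /* producer overruns, observable by a monitor */
} sil_queue_t;

void sil_queue_init(sil_queue_t *q) { memset(q, 0, sizeof *q); }

/* Lower-SIL side (T2 calls up into T3). The frame is length-checked and copied into
 * mediator-owned storage, so T2 never holds a pointer into T1's memory, and T3 never
 * calls back into T2 (no callbacks). A full queue is counted and refused: never blocks. */
bool sil_queue_push(sil_queue_t *q, const uint8_t *src, size_t len) {
    if (q == NULL || src == NULL || len == 0 || len > MSG_MAX) return false;
    if (q->count == QUEUE_CAP) { q->dropped++; return false; }
    memcpy(q->slots[q->tail].data, src, len);
    q->slots[q->tail].len = len;
    q->tail = (q->tail + 1) % QUEUE_CAP; q->count++;
    return true;
}

/* Higher-SIL side (T1 calls T3). Non-blocking: returns 0 when empty or when T1's
 * buffer cannot hold MSG_MAX, so T1's deterministic cycle is never held up by T2. */
size_t sil_queue_pop(sil_queue_t *q, uint8_t *dst, size_t dst_cap) {
    if (q == NULL || dst == NULL || dst_cap < MSG_MAX || q->count == 0) return 0;
    size_t n = q->slots[q->head].len;
    memcpy(dst, q->slots[q->head].data, n);
    q->head = (q->head + 1) % QUEUE_CAP; q->count--;
    return n;
}

/* Drives the T2 -> T3 -> T1 path once: returns 0 on success, else the failing step. */
int sil_queue_selftest(void) {
    sil_queue_t q; uint8_t in[3] = {1, 2, 3}, out[MSG_MAX];
    sil_queue_init(&q);
    if (sil_queue_push(&q, in, MSG_MAX + 1)) return 1;              /* oversize refused */
    for (int i = 0; i < QUEUE_CAP; i++) if (!sil_queue_push(&q, in, 3)) return 2;
    if (sil_queue_push(&q, in, 3) || q.dropped != 1) return 3;      /* overrun counted */
    if (sil_queue_pop(&q, out, sizeof out) != 3 || out[2] != 3) return 4;
    if (sil_queue_pop(&q, out, 2) != 0 || q.count != QUEUE_CAP - 1) return 5;
    return 0;
}
```

The point the assessor would look for is that every path by which T2 data reaches T1 goes through T3's bounds checks and copies, and that no T3 call can stall T1.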
