COTS SW Dedication: Introduction and Concept
정세진, Dependable Software Laboratory, Konkuk Univ.
NP-5652 / TR-106439
Process overview of NP-5652: dedication is performed by combining the four acceptance methods, targeting direct items.
- Identify the item/program being procured
- Does the item perform a safety function?
  - No: procure the item as non-safety related
  - Yes: is the item being procured as a basic component?
    - Yes: procure the item as a basic component
    - No*: commercial grade item (dedicate)
- Document the safety function(s) (by FMEA)
- Identify and document critical characteristics
  - Physical: product/part identification, hardware, device interfaces
  - Performance: accuracy, functionality, environmental conditions
  - Dependability: built-in quality, configuration control, operating history
- Select acceptance method(s): a combination of two or more methods
  - Method 1: Special Tests and Inspections
  - Method 2: Survey of Commercial Supplier
  - Method 3: Source Verification
  - Method 4: Item/Vendor Performance
- Conduct acceptance activities; evaluate and document the results
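The decision flow above, as an added example that is not part of the slides or of EPRI's documents: a small Python model of the two procurement gates and a checker for the dedication plan (documented safety function, critical characteristics in all three categories, at least two of the four acceptance methods). The class and function names (ProcuredItem, procurement_path, check_dedication_plan) and the sample item values are my own assumptions.

```python
from dataclasses import dataclass, field

# Hypothetical model of the NP-5652 / TR-106439 flow chart on the slide.
ACCEPTANCE_METHODS = {
    1: "Special Tests and Inspections",
    2: "Survey of Commercial Supplier",
    3: "Source Verification",
    4: "Item/Vendor Performance",
}
VALID_METHODS = set(ACCEPTANCE_METHODS)
# Critical characteristic categories, with the examples the slide names
CRITICAL_CHARACTERISTIC_CATEGORIES = {
    "physical": {"product/part identification", "hardware", "device interfaces"},
    "performance": {"accuracy", "functionality", "environmental conditions"},
    "dependability": {"built-in quality", "configuration control", "operating history"},
}


@dataclass
class ProcuredItem:
    name: str
    performs_safety_function: bool
    procured_as_basic_component: bool
    safety_functions_by_fmea: list = field(default_factory=list)
    # category -> set of identified critical characteristics
    critical_characteristics: dict = field(default_factory=dict)
    # subset of {1, 2, 3, 4}
    acceptance_methods: set = field(default_factory=set)


def procurement_path(item):
    """The first two decision gates of the flow chart."""
    if not item.performs_safety_function:
        return "procure as non-safety related"
    if item.procured_as_basic_component:
        return "procure as basic component"
    return "commercial grade item: dedicate"


def check_dedication_plan(item):
    """Return the gaps that would block dedication of a commercial grade item."""
    gaps = []
    if procurement_path(item) != "commercial grade item: dedicate":
        return gaps  # dedication does not apply on the other two paths
    if not item.safety_functions_by_fmea:
        gaps.append("safety function(s) not documented by FMEA")
    for category in CRITICAL_CHARACTERISTIC_CATEGORIES:
        if not item.critical_characteristics.get(category):
            gaps.append(f"no {category} critical characteristics identified")
    unknown = item.acceptance_methods - VALID_METHODS
    if unknown:
        gaps.append(f"unknown acceptance method(s): {sorted(unknown)}")
    if len(item.acceptance_methods & VALID_METHODS) < 2:
        gaps.append("fewer than two acceptance methods selected")
    return gaps


if __name__ == "__main__":
    # Constructed sample item: a COTS firmware module with a partial plan
    sample = ProcuredItem(
        "sample transmitter firmware", True, False,
        safety_functions_by_fmea=["trip signal generation"],
        critical_characteristics={"physical": {"hardware"}},
        acceptance_methods={1},
    )
    print(procurement_path(sample))
    for gap in check_dedication_plan(sample):
        print("gap:", gap)
```

A plan with no gaps does not mean the item is dedicated; it only means the inputs the flow chart requires before the acceptance activities are present.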
NUREG/CR-6421 process overview
- Preliminary phase of the criteria: identify the safety function of the software; determine the safety category of the target COTS software
- Detailed acceptance criteria: apply the acceptance criteria in accordance with the safety category
LINTING
Linting
- A linter is a program that checks for static errors or potential errors and for coding style guideline violations:
  - variables being used before being set
  - division by zero
  - conditions that are constant
  - calculations whose result is likely to be outside the range of values representable in the type used
  - mixed language
  - coding style checks
  - etc.
- In FPGA development it is generally applied to the RTL design
RTL Linting
- RTL linting is a kind of static analysis for RTL design plus rule checking
- There are several linting tools:
  - Leda of Synopsys
  - SpyGlass Lint of Atrenta (in Synopsys)
  - Ascent Lint of Real Intent
  - VHDL rule checker of Sigasi
  - HAL of Cadence (available in the Cadence circuit design tools)
- They check with their own rules and also with user-defined rules
- Ascent Lint of Real Intent checks:
  - FSM state reachability and coding issues
  - Legal but dubious modeling indicating probable errors
  - Differences between simulation and synthesis semantics
  - Naming and RTL coding conventions
  - Subset restrictions to enforce modeling clarity and reduce complexity
  - Opportunities to improve simulation performance
  - Operations with hidden or expensive implementation costs
  - Downstream tool flow issues
  - Network and connectivity checks for clocks, resets, and tri-state-driven signals
  - Module partitioning rules
  - Design testability
RTL Linting Rules
- The detailed rules of the commercial tools are not accessible
- The safety lifecycle defined by functional safety standards includes static analysis in the verification phase
- ModelSim optionally provides checks for a few rules:
  - module ports are NULL
  - assigning to an input port
  - referencing undeclared variables/nets in an instantiation
- We could not find, in data sheets, white papers or guidelines, any statement that Microsemi Libero SoC 11.5 or Synopsys Synplify Pro perform linting or static analysis
NUREG/CR-7006
- NUREG/CR-7006 is the Review Guidelines for Field-Programmable Gate Arrays in Nuclear Power Plant Safety Systems
- It gives design practices and guidelines for developing FPGA-based NPP safety systems
  - provides design practice guidelines for improving the safety of FPGAs
  - explains potentially unsafe FPGA design practices
- It covers board-level (hardware) design issues and HDL (Verilog, VHDL) design issues
- NUREG/CR-7006 uses the framework of NUREG/CR-6463: reliability, robustness, traceability, maintainability
NUREG/CR-7006 Design Entry Example
- Reliability: if and case statements
  - All branches of if and case statements should be specified explicitly
- Maintainability: vendor-specific intellectual property cores
  - Using an IP core library can reduce development cost and improve efficiency
  - However, its use in safety-critical systems should be avoided, because it makes the system hard to verify
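To make the linting idea from the LINTING slides and the NUREG/CR-7006 if/case rule above concrete, here is an added example that is not code from the presentation or from any lint vendor: a toy Python RTL linter for a small Verilog subset. It implements four rules named on the slides (case without default, if without else, assignment to an input port, assignment to an undeclared signal) and runs them over a constructed module seeded with those defects. The rule names, the helper functions and the sample module are my own assumptions; real tools such as Ascent Lint or HAL parse the full language and have many more rules.

```python
import re

# Constructed Verilog samples, not code from any vendor or from the presentation.
# BAD_VERILOG is seeded with the defect classes the slides name.
BAD_VERILOG = """\
module trip_logic(input clk, input [1:0] mode, input enable, output reg trip);
  reg armed;
  always @(posedge clk) begin
    case (mode)
      2'b00: trip <= 1'b0;
      2'b01: trip <= enable;
    endcase
    if (enable)
      armed <= 1'b1;
    enable <= 1'b0;
    status <= armed;
  end
endmodule
"""
# The corrected module: a default branch, an explicit else, no stray drives.
GOOD_VERILOG = BAD_VERILOG.replace(
    "    endcase", "      default: trip <= 1'b0;\n    endcase").replace(
    "    enable <= 1'b0;\n    status <= armed;", "    else\n      armed <= 1'b0;")
# Declaration: keyword, optional reg/wire, optional range, then ONE name
# (comma-separated declaration lists are a known limitation of this toy).
DECL_RE = re.compile(r"\b(input|output|inout|reg|wire)\b(?:\s+(?:reg|wire))?"
                     r"(?:\s*\[[^\]]*\])?\s+([A-Za-z_]\w*)")
# Left-hand side of '=' or '<='; '==' / '!=' / '>=' are rejected by the lookahead,
# but a '<=' comparison inside an expression is not distinguished here.
ASSIGN_RE = re.compile(r"\b([A-Za-z_]\w*)\s*(?:\[[^\]]*\])?\s*<?=(?!=)")
_WS = re.compile(r"\s*")

def _strip_comments(src):
    """Blank out comments but keep newlines so line numbers stay correct."""
    src = re.sub(r"/\*.*?\*/", lambda m: re.sub(r"[^\n]", " ", m.group(0)), src, flags=re.S)
    return re.sub(r"//[^\n]*", "", src)

def _line_of(src, idx):
    return src.count("\n", 0, idx) + 1

def _close_paren(src, i):
    """Index just past the ')' matching the '(' at src[i]."""
    depth = 0
    for j in range(i, len(src)):
        depth += {"(": 1, ")": -1}.get(src[j], 0)
        if depth == 0:
            return j + 1
    return len(src)

def _end_of_statement(src, i):
    """Index just past one statement: a balanced begin/end block, else up to ';'."""
    i = _WS.match(src, i).end()
    if src.startswith("begin", i):
        depth = 0
        for m in re.finditer(r"\b(begin|end)\b", src[i:]):
            depth += 1 if m.group(1) == "begin" else -1
            if depth == 0:
                return i + m.end()
    j = src.find(";", i)
    return len(src) if j < 0 else j + 1

def check_case_default(src):
    """NUREG/CR-7006 reliability rule: a case must cover every branch (default)."""
    out = []
    for m in re.finditer(r"\bcase[xz]?\s*\(", src):
        end = src.find("endcase", m.start())
        if not re.search(r"\bdefault\b", src[m.start():end if end >= 0 else len(src)]):
            out.append(("case-without-default", _line_of(src, m.start()), "case has no default branch"))
    return out

def check_if_else(src):
    """Same rule for if: an if needs an explicit else branch."""
    out = []
    for m in re.finditer(r"\bif\s*\(", src):
        after = _end_of_statement(src, _close_paren(src, m.end() - 1))
        if not src.startswith("else", _WS.match(src, after).end()):
            out.append(("if-without-else", _line_of(src, m.start()), "if has no else branch"))
    return out

def check_ports_and_decls(src):
    """ModelSim-style checks: driving an input port, assigning an undeclared signal."""
    inputs, declared = set(), set()
    for m in DECL_RE.finditer(src):
        declared.add(m.group(2))
        if m.group(1) == "input":
            inputs.add(m.group(2))
    out = []
    for m in ASSIGN_RE.finditer(src):
        name, line = m.group(1), _line_of(src, m.start())
        if name in inputs:
            out.append(("assign-to-input", line, f"input port '{name}' is driven inside the module"))
        elif name not in declared:
            out.append(("undeclared-signal", line, f"'{name}' is assigned but never declared"))
    return out

def lint(src):
    """Run every rule; returns (rule, line, message) tuples sorted by line."""
    src = _strip_comments(src)
    return sorted(check_case_default(src) + check_if_else(src) + check_ports_and_decls(src),
                  key=lambda f: f[1])
```

Running lint(BAD_VERILOG) reports the incomplete case on line 4, the else-less if on line 8, the drive of the input port enable on line 10 and the undeclared signal status on line 11; lint(GOOD_VERILOG) reports nothing. The incomplete case and if are exactly the constructs that synthesize to unintended latches or leave a state unspecified, which is why NUREG/CR-7006 asks for every branch to be explicit.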
Structural Analysis of FBD for safety critical software
- Guideline and rule checker based on NUREG/CR-6463
  - Reliability: correct control flow, correct variables and functions, type conversion
  - Maintainability: drawing diagrams, defining variables, abstraction
- Additional constraints are needed on the use of keywords that do not exist in Verilog/VHDL
  - Some data type keywords also have no HDL counterpart (e.g. ANY_DURATION TIME, LTIME)
- Impact of using the FBD rule checker for FPGA in the NuDE environment:
  - Additional restrictions are needed on the use of keywords (data types, etc.) that do not exist in HDL
  - The translator needs to apply the content of NUREG/CR-7006
IP CORE LIBRARY
IP Core Library
- IP (Intellectual Property) cores in FPGA: reusable designs, cells, chips, logic, etc.
- Libraries of predefined functions and circuits that simplify the design of complex systems
- Provided by vendors, third parties, etc.
- Microsemi provides IP core use through the SmartDesign tool in Libero SoC
  - RTL code is also available
Example of using an IP core in SmartDesign
IP Core Library
- Generally, a DirectCore is provided with a release note, handbook, data sheet, V&V report, etc.
  - CoreDDR is a high-performance SDRAM controller that is optimized for Microsemi FPGAs and designed to simplify system design while maximizing memory bandwidth and overall system performance
- According to NUREG/CR-7006, IP core libraries are not recommended for use in safety systems
  - If they are used, they can be regarded as targets for dedication
  - Verified IP core libraries must be used
IP Core Library: the entire system
IP Core Library: controllers provided as a library
Vendor (Chip) specific macro libraries
- Each vendor (chip) supports macro libraries for convenience in synthesis, P&R, etc.
- Rather than being targets for dedication, these are considered items to be confirmed during the V&V of the target vendor's IDE or synthesis tool
OTHER STANDARDS ABOUT DEDICATION
Other Standards
In addition, there are other standards about COTS dedication:
- TR-107330: Generic Requirements Specification for Qualifying a Commercially Available PLC for Safety-Related Applications in Nuclear Power Plants, 1996
- TR-107339: Evaluating Commercial Digital Equipment for High Integrity Applications, A Supplement to EPRI Report TR-106439, 1997 (supplement to TR-106439)
- TR-104159: Experience with the Use of Programmable Logic Controllers in Nuclear Safety Applications (dedication experience targeting PLCs)
- NP-7218: Guideline for Sampling in the Commercial Grade Item Acceptance Process, 1992
- TR-017218: Guideline for Sampling in the Commercial-Grade Item Acceptance Process (Revision of NP-7218), 1999
  - Sampling guideline: sampling guidance for electronic/electrical devices when special tests are applied
Other Standards
- TR-103699 V1-2: Programmable Logic Controller Qualification Guidelines for Nuclear Applications, 1994 (PLC qualification guideline: the basis of TR-106439?)
- TR-1025243: Plant Engineering: Guidelines for the Acceptance of Commercial-Grade Design and Analysis Computer Programs Used in Nuclear Safety-Related Applications, 2013
- NP-6406: Guidelines for the Technical Evaluation of Replacement Items in Nuclear Power Plants (NCIG-11), 1989
- TR-1008256: Plant Support Engineering: Guidelines for the Technical Evaluation of Replacement Items in Nuclear Power Plants (Revision of NP-6406), 2006
  - Additional guidance on the technical evaluation part of NP-5652
- NP-6895: Guidelines for the Safety Classification of Systems, Components, and Parts Used in Nuclear Power Plant Applications (NCIG-17), 1991
Other Standards
- ASME NQA-1
- TR-112579: Critical Characteristics for Acceptance of Seismically Sensitive Items, 2007
  - Describes the critical characteristics of seismically sensitive products
- TR-1016157: Plant Support Engineering: Information for Use in Conducting Audits of Supplier Commercial Grade Item Dedication Programs
- NUREG-6294: Design Factors for Safety-Critical Software, 1994
However
- Evaluation of Guidance for Tools Used to Develop Safety-Related Digital Instrumentation and Control Software for Nuclear Power Plants, by the NRC
  - Task 1 Report: Survey of the State of Practice (survey concerning the use of software tools)
  - Task 2 Report: Analysis of the State of Practice, 2014, 350 pages (detailed analysis of various industry standards)
  - Task 3 Report: Technical Basis for Regulatory Guidance, 2015, 80 pages (technical basis for software tool regulatory guidance for the review and acceptance of software tools)
  - Drawing on the regulatory guidelines, practices, experience, standards and TRs of various industries (auto, railway, nuclear, aerospace, aviation) and organizations (NRC, IEEE, IEC, IAEA, EPRI, NIST, AECL, NASA, etc.), it summarizes and analyzes the safety assessment of software tools used in developing safety-related or safety systems (selection, evaluation, acceptance), with the aim of providing a basis for regulatory guidance
- TR-1025243: Plant Engineering: Guidelines for the Acceptance of Commercial-Grade Design and Analysis Computer Programs Used in Nuclear Safety-Related Applications, 2014
  - Provides content on the dedication of computer programs
Common Position
- Licensing of safety critical software for nuclear reactors
- It is the common position of international nuclear regulators and authorised technical support organisations: common technical positions on a set of important licensing issues
- A task force of seven countries (Belgium, Germany, Canada, Spain, United Kingdom, Sweden, Finland) established the document on licensing issues of safety critical software (Licensing issues of safety critical software for nuclear reactors)
- Later, the U.S. NRC participated in the meetings of the task force
- National regulations may have additional or different requirements, but hopefully in the end no essential divergence from the common positions
Common Position
- The document consists of the issues involved, common positions and recommended practices for each licensing issue
- It covers 23 licensing issues:
  1.1 Safety Demonstration
  1.2 System Classes, Function Categories and Graded Requirements for Software
  1.3 Reference Standards
  1.4 Pre-existing Software (PSW)
  1.5 Tools
  1.6 Organizational Requirements
  1.7 Software Quality Assurance Program and Plan
  1.8 Security
  1.9 Formal Methods
  1.10 Independent Assessment
  1.11 Graded Requirements for Safety Related Systems (New and Pre-existing Software)
  1.12 Software Design Diversity
  1.13 Software Reliability
  1.14 Use of Operating Experience
  1.15 Smart Sensors and Actuators
  2.1 Computer Based System Requirements
  2.2 Computer System Architecture and Design
  2.3 Software Requirements, Architecture and Design
  2.4 Software Implementation
  2.5 Verification
  2.6 Validation and Commissioning
  2.7 Change Control and Configuration Management
  2.8 Operational Requirements
The END
FUNCTIONAL SAFETY
IEC 61508 Functional Safety
- Standard for the functional safety of electrical/electronic systems
  - General requirements that are not bound to a specific domain
  - Specifies the management and technical activities needed to achieve the functional safety of E/E/PE safety-related systems
- Safety life cycle: proposed and adopted to systematically manage the activities for achieving functional safety
  - 7.5 Overall safety requirements: functional safety is achieved by developing, through hazard and risk analysis, a specification of the overall safety requirements, in terms of safety function requirements and safety integrity requirements, for the E/E/PE safety-related systems, other technology safety-related systems and external risk reduction facilities
  - The safety functions necessary to ensure the required functional safety for each hazard shall be specified
  - In terms of risk reduction, the safety integrity requirement (SIL) shall be specified for each safety function
- Software development among the IEC 61508-3 requirements:
  - 7.4.2.11 If standardized software or previously developed software is used in the design phase, that software shall be clearly identified. The suitability of the software for satisfying the software safety requirements specification shall be justified.
  - The language, compiler, configuration management tool and V&V tool set used in development shall be selected according to the SIL
  - Depending on the SIL level, a translator/compiler with a certificate of validation shall be used
  - If this is not met, the justification shall be documented
  - An annex tabulates several static analysis items
Functional Safety Certification
- SIL (Safety Integrity Level): the level of reliability required of a product's safety function
- Expressed using performance measures: the probability of the safety function operating
Functional Safety Certification
Standards that provide the requirements for functional safety systems:
- IEC 61508: functional safety of electrical, electronic, and programmable electronic equipment
- IEC 61513: for NPP systems
- IEC 60880: for category A software
- IEC 62138: for category A software
- ISO 26262: for automotive
IEC 60880 considerations
- The selection of software tools (used in development) must satisfy the requirements of chapters 1 to 12 of IEC 60880 or the assessment of chapter 15, which is used in a way similar to the dedication viewpoint
- It is judged that the overall content of IEC 60880 could be mapped against the criteria based on critical characteristics used in dedication, to consider the relationship between the two
- The level of assessment to be applied depends on the type of tool:
  1. compiler, translator
  2. verification tools
  3. OS
  4. development support systems (e.g. word processor?)
  5. version control tool (e.g. svn)
  - There is insufficient mention of the level required for each category
- Compiler/translator optimization should be avoided; if it is used, test, verification and validation of the compiled result must be performed
COMMON POSITION EXAMPLE
1.4 Pre-existing Software: Issues Involved
- Issues involved: a set of issues about licensing
- Issues about 1.4 pre-existing software:
  - The functional behavior and non-functional qualities of the PSW are often not clearly specified and documented
  - It is not certain that it was developed under a safety life cycle such as IEC 60880
  - The operational experience of the PSW is often not enough to compensate for the lack of knowledge about the PSW (information about the product and the development process)
1.4 Pre-existing Software: Common Position
- Common position: a set of common positions on the basis for licensing and the evidence that should be sought, established by the task force
- Common positions about 1.4 pre-existing software:
  - The functions that have to be performed by the PSW shall be clearly and unambiguously specified
  - The code version of the PSW shall be clearly identified
  - The interfaces (to the user or to other software) shall be clearly identified
  - The PSW shall have been developed and maintained according to QA standards and a software development process
    - Documentation and source code shall be available if modification is needed
    - Documents on the quality assurance plan and the development process shall be available
  - Conditions for acceptance:
    - Verify the functions performed by the PSW against the requirements specification
    - The PSW functions shall be validated by testing
    - Defects found during validation shall be analyzed
1.4 Pre-existing Software: Recommended Practices
- Recommended practices: consensus on best design and licensing practices recommended by the task force
- Recommended practices about 1.4 pre-existing software:
  - Operational experience may be regarded as evidence for validation or verification
Example of Certification by IEC 61508
- This product received IEC 61508 SIL2 certification
- A flameproof-enclosure device installed in explosion-hazard areas to continuously detect flammable gases, CO2, CO and N2O
TI development process
- The SafeTI software development process received functional safety certification