Kostiantyn Leontiiev, Technical Director October, 2018, Dallas, USA 11 th International FPGA Workshop

Transcription

1 Radiy experience with RadICS Platform SIL 3 certification: adaptation of FPGA V-model to IEC requirements and using FIT to validate FMEDA results. Kostiantyn Leontiiev, Technical Director October, 2018, Dallas, USA 11 th International FPGA Workshop

2 Agenda FPGA V-Model adaptation HW Fault Insertion Testing (FIT) SW FIT Conclusions 2

3 FPGA development V-model adaptation 3

4 IEC requirements to system safety lifecycle model IEC defines a lifecycle for safety-related systems, but we needed to adopt it for our product. See: IEC , Section IEC , Section Informative inputs The primary input IEC IEC IEC AN-615 IEEE 1012 Development of the Radiy FPGAbased Safety Controller lifecycle Radiy s experience in design and V&V of FPGA based safety-related systems for Ukrainian NPPs 4

5 IEC recommendations for FPGA based system safety lifecycle IEC provides a reference lifecycle model of the ASIC development lifecycle (see IEC , Figure 3). IEC defines techniques and measures to avoid introducing faults during design with user programmable integrated circuits - FPGA/PLD/CPLD (see IEC , Annex F). 5

6 IEC recommendations for FPGA based system safety lifecycle IEC defines strict process and technical requirements for the development of Hardware Description Languages Programmed Devices in order to achieve the reliability required for safety I&C systems. 6

7 Altera FPGA Development V-model AN-615 describes a design flow that Altera recommends for the development of functional safety systems in order to satisfy the requirements of IEC

8 Radiy FPGA Development V-model FPGA Requirements Specification D5.1 PAD + D5.4 UAL DRS FIT, IT, VT, EQ D8.21 ED DD FPGA Architecture Test Plan Validation Testing Logical Module Design FBL D 8.11 FBL DD Design Test Plan Testing FBL FT Bitstream Generation Bitstream Generation Coding D8.12 FBL code Gate Level Simulation (Timing accurate) Logical Module Integration ED D8.21 ED DD Design Test Plan Testing ED FT Static Timing Analysis ED STA Coding D8.22 ED code ED TS Synthesis ED Synthesis ED LLS Place and Route ED Place and Route 8

9 Radiy FPGA-based Safety Controller lifecycle PCD D1.0 V1 FSC EQ SRS RR D3.8 FSC EQ SRS D3.7 V18 FSC EQ D4.7 (D4.8) V2 FSC SRS RR D3.2 FSC SRS D3.1 V17 FSC Validation D4.0, D4.1 (D4.2) V19 V3 FSC PAD RR D5.2 FSC PAD D5.1 V16 FSC IT D10.1, D10.2 (D10.3) UAL DRS RR D5.5 UAL DRS D5.4 V5 FMEDA Report D7.24 HW V4 HW Design RR D6.5 ED V6 ED AD RR D8.25.x HW FIT D7.26 (D10.4) HW Design D6.1, D6.3, D6.4 ED AD D8.21.x V15 FBL V7 FBL DD RR D8.15 FBL DD D8.11 V8 FBL VHDL SCA/CRR D8.13 FBL VHDL Code D8.12 V9 FBL FT D9.11 (D9.12) V20 - Product for V&V - Output V&V document (Review & Analysis Reports) - Tests including test specifications and Reports - V&V activities AFBL ED ED DD RR D8.25.X AFBL DD RR D8.35 V10 AFBLD DD D8.31 V22 AFBL VHDL SCA/CRR D8.33 AFBL VHDL Code D8.32 ED DD. Data protocols and packages D ED DD D8.21.X V11 ED VHDL SCA/CRR D8.23.X ED VHDL Code D8.22.X Netlist Files Floor plan Files V21 V12 V13, V14 LLS&TS D9.21.X (D9.23.X ) STA D9.21.X (D9.24.X ) ED VHDL FT D9.21.X (D9.22.X) AFBL FT D9.31 (D9.32) AFBL Application Functional Block Library AD Architecture Description; CRR Code Review Report; DD Detailed Description; ED Electronic Design; EQ Equipment Qualification; FBL Function Block Language; FIT Fault Insertion Testing; FMEDA Failure Mode, Effect, and Diagnostics Analysis; FSC FPGA-based Safety Controller; FT Functional Testing; HW Hardware; IT Integration Testing; LLS&TS Logic (Gate) Level Simulation & Timing Simulation PAD Product Architecture Document; PCD Product Concept Document; RPCT Radiy Platform Configuration Tool; RR Review Report; SCA Static Code Analysis; SRS Safety Requirements Specification; STA Static Timing Analysis; 9

10 Radiy FPGA-based Safety Controller lifecycle PCD D1.0 V1 FSC EQ SRS RR D3.8 FSC EQ SRS D3.7 V18 FSC EQ D4.7 (D4.8) V2 FSC SRS RR D3.2 FSC SRS D3.1 V17 FSC Validation D4.0, D4.1 (D4.2) V19 V3 FSC PAD RR D5.2 FSC PAD D5.1 V16 FSC IT D10.1, D10.2 (D10.3) UAL DRS RR D5.5 UAL DRS D5.4 V5 FMEDA Report D7.24 HW V4 HW Design RR D6.5 ED V6 ED AD RR D8.25.x HW FIT D7.26 (D10.4) HW Design D6.1, D6.3, D6.4 ED AD D8.21.x V15 FBL V7 FBL DD RR D8.15 FBL DD D8.11 V8 FBL VHDL SCA/CRR D8.13 FBL VHDL Code D8.12 V9 FBL FT D9.11 (D9.12) V20 - Product for V&V - Output V&V document (Review & Analysis Reports) - Tests including test specifications and Reports - V&V activities AFBL ED ED DD RR D8.25.X AFBL DD RR D8.35 V10 AFBLD DD D8.31 V22 AFBL VHDL SCA/CRR D8.33 AFBL VHDL Code D8.32 ED DD. Data protocols and packages D ED DD D8.21.X V11 ED VHDL SCA/CRR D8.23.X ED VHDL Code D8.22.X Netlist Files Floor plan Files V21 V12 V13, V14 LLS&TS D9.21.X (D9.23.X ) STA D9.21.X (D9.24.X ) ED VHDL FT D9.21.X (D9.22.X) AFBL FT D9.31 (D9.32) AFBL Application Functional Block Library AD Architecture Description; CRR Code Review Report; DD Detailed Description; ED Electronic Design; EQ Equipment Qualification; FBL Function Block Language; FIT Fault Insertion Testing; FMEDA Failure Mode, Effect, and Diagnostics Analysis; FSC FPGA-based Safety Controller; FT Functional Testing; HW Hardware; IT Integration Testing; LLS&TS Logic (Gate) Level Simulation & Timing Simulation PAD Product Architecture Document; PCD Product Concept Document; RPCT Radiy Platform Configuration Tool; RR Review Report; SCA Static Code Analysis; SRS Safety Requirements Specification; STA Static Timing Analysis; 10

11 HW FIT 11

12 HW FIT (1) Goal: - To confirm\test FMEDA results; - to check the functionality of system self-diagnostics through detection or non-detection of inserted fault; - to check behavior of the module after fault insertion (mode of operation, information on the indication board unit); Fault Insertion Testing includes next steps: Hardware Design Electronic Design FMEDA Approach: - FIT is based on the FMEDA results which are transferred to the FIT Specification for each module. Inputs: - STC-WP-QA-18 Hardware FIT Procedure; - Circuit Diagrams; - Bills of materials; - Mechanical and Assembly drawings; - FSC module. FMEDA symptoms List of faults FIT Plan and Specification FIT Report 12

13 HW FIT (2) An example of FIT test case for DIM (Test FIT Test Specification and Report. All FIT cases are Case: FIT.DIM.05). traceable to FMEDA. 13

14 HW FIT (3) Example of FIT testing Module with inserted faults Control Panel for faults activation Example of inserted faults 14

15 SW FIT Fragment of a human readable description of the Application Logic "z_description_channel_01": { "desc fields": "Version;IsCommand;Address;BinCode;MnemoCode;Comment", "desc ": "1;true;0000; C;APPSTART 12;", "desc ": "1;false;;;;FB's initialization code", "desc ": "1;false;;;;Initialization of or (fbtype LOGIC, opcode 1, instance 0, opcode:1:params:2:1:2, non RAM)", "desc ": "1;false;;;;OperandCount (i_oprd_quant) = 2", "desc ": "1;false;;;;BusWidth (i_bus_width) = 1", "desc ": "1;false;;;;Config (i_conf) = 2", "desc ": "1;true;0002;DA ;WRFBC OR.0[0], #2;i_oprd_quant <= 2", "desc ": "1;true;0005;E ;WRFBC OR.0[1], #1;i_bus_width <= 1", "desc ": "1;true;0008;7A ;WRFBC OR.0[2], #2;i_conf <= 2", "desc ": "1;false;;;;End of FB's initialization code section", "desc ": "1;true;000B;60C0;STOP ;set address of application logic code start", Human redable description is NOT uploaded into LM Data frame is uploaded into LM Corresponding data frame "z_frame_0003": { "data0000": " c da e a c0 61c0 b ", "data0010": "89c0 b cac ac ", "data0020": "b b c0 b fbc0 b f100 d2c4 b400", "data0030": "5140 d2c5 b d2c cbc0 d2c6 b f d2c6 a180 e1b6", "data0040": " c ", "data01f0": " e2 54b d53f", "frameindex": 3 }, CRC64 checksum 15

16 SW FIT (1) Goal: - to ensure that the FSC Logic Module (LM) detects errors in configuration data uploaded into FSC using diagnostics subsystem and appropriate actions are performed in accordance with error types; - to ensure that the RPCT Outputs Verification Tool (ROVT) detects and reports errors in configuration data during UAL Build verification before uploading configuration data into FSC; Approach: - FIT is based on the FSC FMEDA and RPCT FMEA results. Inputs: - UAL DRS; - RPCT SRS; - FSC module. 16

17 SW FIT (2) Radiy IDE RadICS Platform 17

18 SW FIT (3) 8. Find and Replace the selected command with the command that contains SE in the Data Frame: Fragment of the configuration file before error seeding wt_verification bts z_frame_0003": { "data0000": " c da e a c0 61c0 b ", "data0010": "89c0 b cac ac ", "data0020": "b b c0 b fbc0 b f100 d2c4 b400", "data0030": "5140 d2c5 b d2c cbc0 d2c6 b f d2c6 a180 e1b6", "data0040": " c ", "data01f0": " e2 54b d53f", "frameindex": 3 } Fragment of the configuration file after error seeding wt_verification bts z_frame_0003": { "data0000": " c da e a c0 61c0 b ", "data0010": "89c0 b cac ac ", "data0020": "b b c0 b fbc0 b f100 d2c4 b400", "data0030": "5140 d2c5 b d2c cbc0 d2c6 b f d2c6 a180 e1b6", "data0040": " c ", "data01f0": " e2 54b d53f ", "frameindex": 3 } 18

19 Conclusions SLC model shall be adopted for FPGA-based product and justified Require full understanding of the product from the independent expert and V&V team members Take into account reaction of the whole system when you insert fault FIT activities take a lot of time but brings good results 19

20 RadICom Platform Overview Product Highlights FPGA-based Developed for non-1e systems Based on SIL 3 certificated RadICS digital I&C Platform Cost-effective solution Modules are compatible with RadICS Platform (same dimensions, connectors, latches ) Comprehensive, tried-and-tested I/Os Flexible redundancy management Comprehensive on-line diagnostic (SIL2) Fast response time (5 milliseconds) RPCT support. Possibility to change application logic configuration online via Tuning interface. 20

21 Thank you for your attention! Public Company «Research and Production Corporation «Radiy» 29 Geroyiv Stalingrada Street, Kirovograd, Ukraine,