Real Time Safety
ERAU / FAA Research 2007-2009: CEH Tools Qualification
Contract DTFACT-07-C-00010
Dr. Andrew J. Kornecki, Dr. Brian Butka, Embry Riddle Aeronautical University
Dr. Janusz Zalewski, Florida Gulf Coast University
FAA SW&CEH Conference, Denver, CO, August 20, 2008
ERAU College of Engineering, page 1
Outline
Contract DTFACT-07-C-00010, "A Study on Tool Qualification for Complex Electronic Hardware", Mar 15, 2007 - May 14, 2009
  o Introduction
  o CEH Tools and Development Process
  o Tool Qualification
  o Concerns and Possible Solutions
  o Conclusions and Future Work
Introduction: CEH Tools Project
- ERAU/FGCU Project: "A Study on Tool Qualification for Complex Electronic Hardware", with the objective of producing a report on the state of the art in the CEH tool market and on programmable logic tool qualification issues
- Explore safety issues in the assessment and qualification of tools used in developing complex electronic hardware (CEH) for aircraft
- Typical devices are programmable logic devices (PAL, PLA, GAL, FPGA, ASIC, etc.) used as components of programmable electronic hardware
- RTCA DO-254, "Design Assurance Guidance for Airborne Electronic Hardware", Section 11.4, "Tool Assessment and Qualification", is the starting point
Literature Study
- Perspectives:
  o A broad view of the issues in designing CEH (26)
  o A focus on safety issues in avionics applications related to safety-critical aspects of CEH (6)
  o Industry practices in the qualification of CEH tools and compliance with the DO-254 standard (18)
- Literature review points:
  o Plan to develop and verify PLD programs in the same way as software programs
  o Plan the safety argument from the start, and build up evidence throughout development
  o Use mature tools, amenable to qualification and supported throughout the project lifetime
  o Investigate the use of formal notations and analysis techniques to increase verifiability
  o Do not use programmable logic hardware just to avoid developing safety-critical software
What is a tool?
- RTCA DO-254/ED-80 provides guidance for design assurance of airborne electronic hardware, defining design assurance, the lifecycle, the processes (planning, design, V&V, CM, assurance, certification liaison), and the lifecycle data
- There is no clear definition of a tool in RTCA DO-254 or the associated CAST papers; paraphrasing DO-178B: "A computer program or a hardware device used to help develop, test, analyze, produce or modify a hardware component, subsystem, system or its documentation"
- A tool reduces, eliminates, or automates the objectives of the design or verification process
RTCA DO-254
- DO-254 distinguishes between two primary types of tools:
  o Design Tools: tools whose output is part of the hardware design and thus can introduce errors. For example, an ASIC router or a tool that creates a board or chip layout based on a schematic or other detailed requirement (used to generate the hardware item or the hardware design, so an error in the tool could introduce an error in the hardware item)
  o Verification Tools: tools used to ensure performance against predetermined standards or requirements. These tools do not introduce errors, but may fail to detect them. For example, an analog or digital circuit simulator or an automated test that measures actual circuit performance (used to verify the hardware item; an error in the tool may cause the tool to fail to detect an error in the hardware item or hardware design)
CEH Tools Issues
- ASIC/FPGA tools have a thick layer of abstraction between the user's Verilog or VHDL input and the tool's output: the tool interprets the input, synthesizes/optimizes the logic, creates netlists, and translates the netlist into a hardware layout
- Synthesis typically includes the optimization of logic, timing, and power aspects: a black box, with the design as input and the "synthesized" design as output
- FPGA/CPLD vendors are interested in developing the software required to take a design (schematic or HDL) into a form that can be used to program a circuit; they offer cost-effective entry-level design environments (complete packages with design entry, simulators, libraries, and the back end)
- The tool industry is dynamic and hardware keeps evolving; the developers of back-end tools have to attend to two primary activities: developing libraries for new EDA tools and simulators, and creating better fitters and routers for new hardware with more resources and more complex architectures
- Evolving interchange standards such as EDIF and Verilog/VHDL help standardize interfaces to CAD tools and simulators, in the form of an EDIF-compatible library of design elements that uses Verilog or VHDL to implement the models necessary for the simulation environment
DO-254/ED-80 Tools Assessment and Qualification Process
[Flow chart; boxes: 1. Identify the tool; 2. Identify the process the tool supports; 3. Independent assessment? (yes/no); 4. Tool is design A/B/C or verification A/B? (yes/no); 5. Relevant tool history? (yes/no); 6. Establish qualification baseline and problem reporting; 7. Basic tool qualification; 8. Tool is design tool A/B? (yes/no); 9. Design tool qualification; 10. Complete the process]
Is Tool Qualification Required?
- A company working on a design assurance level A project writes a test bench that runs on a simulator and produces a pass/fail output
  o The test bench automates the verification process and is therefore a tool, and thus must be assessed and qualified
- Can relevant product service history get us out of tool qualification?
  o Many design tool suites have hundreds of users doing diverse designs
  o Relevant service history requires the tracking of problem (bug) reports and their resolution
    - Traceability data for all functional failure paths
    - It is rare that all of the necessary data is available
Is Tool Qualification Required? (2)
- The other way to avoid tool qualification is if the tool outputs are independently assessed
- From DO-254: "Independent assessment of a design tool's output that is generated in whole or in part by the tool may be established by the verification activities performed on the item, such as component, netlist or assembly. In this case, the integrity of the end item does not depend upon the correctness of the design tool output alone."
Is Tool Qualification Required? (3)
- The correctness of the design tool can be assessed by verification tools and by the in-system hardware verification tests that are run
  o Conventional debugging of the hardware using logic analyzers, etc. will also assess the correctness of the design tool
- It seems that design tools would rarely need to be qualified, since it is unlikely that the output of the design tool is used without being verified both in simulation and in hardware
CEH: Logic Design Activities
- Design Entry: HDL, schematic entry, integration of IP cores
- Synthesis: translation of the HDL design definition into a logical or physical representation for a specific hardware platform
- Implementation & Configuration: assignment of the logic created during design entry and synthesis to specific physical resources of the target device
- Verification: design verification ranging from simulation to static timing analysis to equivalence checking via formal verification
- Board Level Integration: compatibility of the programmable logic design with the entire system
Generic Design Flow Graph
[Flow graph; stages: Design Entry; Behavioral Simulation; Synthesis; Time Analysis; Other Verification; Place & Route; Power Analysis; Time Simulation; Functional Simulation; Programming / Configuration]
The Concern
- It is possible for errors to be introduced while translating the simulated design into hardware
- Normal verification techniques will catch most of these errors during hardware verification
- But ... some circuits are designed to operate only if the hardware is malfunctioning. Examples are:
  o Triply redundant hardware with voting circuits
    - Used to mitigate failure in one path
  o Metastability detection circuits
    - Can be used to detect single-event upsets due to alpha particle radiation
- These circuits are difficult to verify in working hardware
Example: Triply Redundant Hardware
- The synthesis tool can "optimize" the design in an unexpected fashion
[Figure: intended vs. implemented circuit, inputs In A and In B]
Example: Metastability Sensing Circuits
- It is possible to detect metastability by monitoring the Q and Qbar outputs of a single flip-flop
[Figure: intended vs. implemented circuit]
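The two slide examples above (the triply redundant voter and the Q/Qbar metastability detector) modelled in Python as an added illustration, not code from the ERAU/FAA study; it assumes the optimisation outcomes the slides describe (identical replicas merged, Qbar rebuilt as NOT Q) and shows why fault-free simulation passes while fault injection in simulation exposes the difference.

```python
"""Added illustration, not code from the ERAU/FAA study: the two circuits on the
slides modelled as Python functions so a fault can be injected in simulation.
Gate outputs are booleans; None stands for an unresolved (metastable) level."""
from itertools import product

def majority(a, b, c):
    return (a and b) or (b and c) or (a and c)

def tmr_intended(x, y, stuck_path=None):
    """Three replicas of f = x XOR y feed a 2-of-3 voter; stuck_path forces one
    replica's output to 0, modelling a failure in that path."""
    replicas = [x != y] * 3
    if stuck_path is not None:
        replicas[stuck_path] = False
    return majority(*replicas)

def tmr_implemented(x, y, stuck_path=None):
    """What equivalent-logic merging can leave (assumed outcome): the identical
    replicas collapse into one and the voter is optimised away, so any fault
    hits the only path."""
    return False if stuck_path is not None else x != y

def meta_intended(q, qbar):
    """Detector wired to the flop's real Q and Qbar pins: fires when the two
    agree (both unresolved) instead of being complements."""
    return q == qbar

def meta_implemented(q):
    """Assumed outcome after synthesis: Qbar is rebuilt as NOT Q and (Q == NOT Q)
    is folded to constant 0, so the detector no longer exists in the netlist."""
    return False

def fault_free_sim_agrees():
    """Exhaustive two-valued simulation cannot tell intended from implemented."""
    tmr_ok = all(tmr_intended(x, y) == tmr_implemented(x, y)
                 for x, y in product((False, True), repeat=2))
    meta_ok = all(meta_intended(q, not q) == meta_implemented(q)
                  for q in (False, True))
    return tmr_ok and meta_ok

def injected_faults_missed():
    """Cases the intended circuit survives but the implemented one does not:
    (stuck-at-0 cases missed by the collapsed TMR, metastable events missed)."""
    tmr_miss = 0
    for (x, y), path in product(product((False, True), repeat=2), range(3)):
        golden = x != y
        if tmr_intended(x, y, path) == golden and tmr_implemented(x, y, path) != golden:
            tmr_miss += 1
    meta_miss = int(meta_intended(None, None) and not meta_implemented(None))
    return tmr_miss, meta_miss
```

The asymmetry is the point of the slides: a test bench that only drives healthy inputs reports both netlists as equivalent, so the redundant and sensing logic has to be checked by fault injection or by inspecting the post-synthesis netlist rather than by functional simulation alone.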