QNX or SafeRTOS: Choosing an OS for Safety Embedded Projects

Certification and Standards

Markets, their standards, and which of the two RTOSes addresses them (x = covered):

Medical (IEC 62304, IEC 60601, ISO 14971): QNX x, SafeRTOS x
Industrial (IEC 61508): QNX x, SafeRTOS x
Railways (EN 50128, IEC 61508): QNX x, SafeRTOS x
Nuclear (IEC 62138, IEC 61513): QNX x, SafeRTOS x
Automotive (IEC 61508, ISO 26262): QNX x, SafeRTOS x
Process (IEC 61511): QNX x, SafeRTOS x
Aerospace (DO178C): x
Military (IEC 15408, EAL 4+): x

Some of the Standards

Functional Safety: Hazard & Risk Analysis

IEC 61508 (the focus is the safety integrity level)
  EN 5012x: Railways
  ISO 26262: Cars
  IEC 61511: Industrial automation
  IEC 62061: Machinery

IEC 60601 / ISO 14971 (the focus is the process)
  IEC 62304: Medical

Note: this is a black-and-white picture of a grey world.

QNX Industrial Kernel = Safe Kernel = Secure Kernel

SafeRTOS ≠ FreeRTOS

• Memory allocation: under FreeRTOS the required RAM is automatically and dynamically allocated at run time. SAFERTOS does not permit dynamic memory allocation.
• Different API: the SAFERTOS function naming convention and function parameters are different from FreeRTOS.
• Restricted functionality: SAFERTOS supports only the core components of FreeRTOS, therefore some FreeRTOS functionality has been restricted (mutexes are not supported).

Safety Integrity Level

For customers in safety-critical industries, QNX provides an IEC 61508 SIL (Safety Integrity Level) 3 product. This standard is used in environments like transportation or power generation (i.e. things like locomotives or windmills), and provides a high level of assurance that the device will operate properly (a risk reduction factor of 10,000,000 to 100,000,000).

SIL level and risk reduction factor (RRF):

SIL  Low demand           High demand
1    10 to 100            100,000 to 1,000,000
2    100 to 1,000         1,000,000 to 10,000,000
3    1,000 to 10,000      10,000,000 to 100,000,000
4    10,000 to 100,000    100,000,000 to 1,000,000,000

SIL3 + SIL3 = SIL3 ?

Component A (SIL3) + Component B (SIL3) = SIL2

x = 0.9999998 (probability that both components work)

The probability of failing is 1 in 5,000,000.

The system is SIL2.

Error – Fault – Failure – Mistake

To quote the Software Engineering Body of Knowledge:

Typically, where the word “defect” is used, it refers to a “fault” as defined below. However, different cultures and standards may use somewhat different meanings for these terms, which have led to attempts to define them. Partial definitions taken from standard (IEEE610.12-90) are:

Error: “A difference…between a computed result and the correct result”

Fault: “An incorrect step, process, or data definition in a computer program”

Failure: “The [incorrect] result of a fault”

Mistake: “A human action that produces an incorrect result”

Need to classify bug types

Bohrbug: nice, solid, easy to find. Example: a bug causing a failure whenever the user enters a negative date of birth.

Heisenbug: difficult to get hold of, never sure where it is. Example: multi-threaded errors.

Mandelbug: a fault whose activation and/or error propagation are complex. Example: a fault causing failures due to side effects of other applications.

Fight against failures

Software (OS, middleware, application)

Bug types: Bohrbug, Heisenbug, Mandelbug

Strategy: design diversity, data diversity, retry operation, restart application, debug/test, reboot

Activity: memory protection (MMU), Guardian protection, time protection, file protection, HAM protection, watchdog

SIL1 // SIL1 >> SIL1

Component A (SIL1) // Component B (SIL1) > SIL1

x = 0.9999999999 (probability that at least one component works)
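The arithmetic behind the SIL3 + SIL3 slide above and this SIL1 // SIL1 slide, worked as an added Python example (not code from the presentation or from either RTOS vendor): it combines component failure probabilities in series (both components must work) and in parallel (a redundant pair), maps the resulting risk reduction factor onto the SIL bands of the table, and uses exact rationals so that a value sitting exactly on a band edge is not blurred by floating-point rounding. The band table and the component values are taken from the slides; the function names are assumptions, and the parallel case assumes independent failures with no common-cause factor.

```python
from fractions import Fraction

# Risk reduction factor (RRF = 1 / probability of dangerous failure) per SIL band,
# high-demand / continuous mode, taken from the SIL table of the presentation.
# Low-demand mode uses the same bands divided by 10**4.
SIL_BANDS_HIGH_DEMAND = {
    1: (10**5, 10**6),
    2: (10**6, 10**7),
    3: (10**7, 10**8),
    4: (10**8, 10**9),
}


def _exact(p):
    """Turn a probability given as str, int or Fraction into an exact rational.
    A string such as "1e-7" is parsed exactly, so 1/p lands precisely on a band edge."""
    return p if isinstance(p, Fraction) else Fraction(str(p))


def series_failure_probability(*p_fail):
    """System needs every component (A + B): it fails as soon as any one of them fails."""
    p_all_ok = Fraction(1)
    for p in p_fail:
        p_all_ok *= 1 - _exact(p)
    return 1 - p_all_ok


def parallel_failure_probability(*p_fail):
    """Redundant components (A // B): the system fails only if all of them fail.
    Assumes independent failures; a common-cause factor would make the real number worse."""
    p_all_fail = Fraction(1)
    for p in p_fail:
        p_all_fail *= _exact(p)
    return p_all_fail


def risk_reduction_factor(p_fail):
    return 1 / _exact(p_fail)


def one_in(p_fail):
    """The '1 in N' form used on the slides, rounded to the nearest whole number."""
    return round(risk_reduction_factor(p_fail))


def sil_level(p_fail, mode="high"):
    """Highest SIL band whose lower RRF bound the value reaches; 0 below SIL1.
    Values beyond the SIL4 band are still reported as 4, because the table ends there.
    This is probability arithmetic only: the SIL a product may claim is also limited
    by its systematic capability and by common-cause failures, which this ignores."""
    if mode not in ("high", "low"):
        raise ValueError("mode must be 'high' or 'low'")
    scale = 1 if mode == "high" else Fraction(1, 10**4)
    rrf = risk_reduction_factor(p_fail)
    level = 0
    for sil, (lower, _upper) in SIL_BANDS_HIGH_DEMAND.items():
        if rrf >= lower * scale:
            level = sil
    return level


if __name__ == "__main__":
    # Slide "SIL3 + SIL3": two SIL3 components, each failing 1 in 10^7, in series.
    p3 = "1e-7"
    p_series = series_failure_probability(p3, p3)
    print("both work:", float(1 - p_series))                                # ~0.9999998
    print("fails 1 in", one_in(p_series), "-> SIL", sil_level(p_series))    # 5000000 -> SIL 2

    # Slide "SIL1 // SIL1": two SIL1 components, each failing 1 in 10^5, redundant.
    p1 = "1e-5"
    p_par = parallel_failure_probability(p1, p1)
    print("at least one works:", float(1 - p_par))                          # 0.9999999999
    print("fails 1 in", one_in(p_par), "-> band", sil_level(p_par), "(better than SIL1)")
```

Passing probabilities as strings ("1e-7") rather than floats is deliberate: `Fraction("1e-7")` is exactly 1/10,000,000, whereas `1/1e-7` in binary floating point may land a hair below the SIL3 lower bound and misclassify a component that is on the edge of a band.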

The probability of failing is 1 in 10,000,000,000. The system is better than SIL1.

SafeRTOS

Pre-emptive real-time scheduler

• Supports time-sliced round-robin scheduling for tasks of equal priority.
• Queues
• Binary semaphores and counting semaphores
• Software timers
• FPU support
• Definition and manipulation of MPU regions on a per-task basis
• Run-time statistics (SAFERTOS+Trace)

SAFERTOS+Trace

SAFERTOS+Trace records the runtime behavior of SAFERTOS, logs selected events from your application and presents the data in more than 20 graphical views, which are interconnected and easy to navigate.

QNX – Process Protection

The design of QNX separates critical OS components into their own protected memory partitions, unlike a monolithic system that places them all together.

QNX – High Availability Manager

• Construct custom failure recovery scenarios.
• Design your system to reconnect instantly and transparently to minimize downtime.

QNX – Time Protection

The microkernel also supports CPU time partitions, which limit the CPU time available to potentially misbehaving or rogue applications and/or services.

QNX – File Protection

The power-safe file system supports multiple encryption partitions to secure data.

QNX – Heap and Stack Protection

The OS provides features that protect heap and stack buffers from attack, including:
• Address Space Layout Randomization (ASLR)
• Heap cookies
• Stack guard pages

QNX – Root Access Protection

Root access is divided into different root-level capabilities: processes can be limited to the QNX abilities they need.

QNX – Connectivity Protection

The network stack supports industry-standard security protocols including TLS, SSL and IPsec, with hardware crypto offload.

QNX – not all components have to be safe

Certification scope of the system components:

Components: Process Manager, File Systems, HMI, Application, Microkernel, Arm/PowerPC, Networking, Driver

Each component is either safety-critical or non-safety-critical and falls into one of three categories: IEC 62304 compliant RTOS certification, reduced scope for certification, or excluded from certification.

We need to know how safe, how secure and how fast the system must be, and what functionality it must offer.

Compare QNX with SafeRTOS

SafeRTOS
• PRO: small footprint (ROM 6-15K / RAM 500 B / stack 400 B per task)
• CONTRA: restricted range of functions; large deviation from FreeRTOS; toolchain and RTOS not from a single source; missing benchmarks

QNX
• PRO: microkernel; identical kernel in the industrial and the certified product; the technology eases the certification effort; the toolchain is included in the certified product
• CONTRA: only works on processors with an MMU

Thanks for your attention

Roland Eggli-Aerni Triadem Solutions AG [email protected] Tel. +41 (0)32 327 36 30
