P04
Development of Dependable RT-Middleware

Noriaki Ando, Geoffrey Biggs, Yoshihiro Nakabo, Daichi Mizuguchi, Kiyoshi Fujiwara, Isao Hara, Tetsuo Kotoku (AIST); Masayoshi Kondo, Mitsuhiro Toyoda, Akihiro Ikezoe, Hiroyki Nakamoto, Yasutoshi Kusama, Masayuki Nagase (SEC Co., Ltd.); Hajime Saito (General Robotix, Inc.); Takeshi Sakamoto (Global Assist Co., Ltd.)

Abstract: This paper presents Dependable RT-Middleware (d-rtm), an implementation that enables component-based development of safety RT-systems. An RT-system that can harm human beings must be dependable and must have its safety guaranteed. d-rtm provides the RT-Component framework with safety functionalities and is developed according to the IEC 61508 standard for functional safety. Its safety concepts and safety requirement specifications are presented together with examples of actual code written with d-rtm.

Key Words: Functional safety, dependable systems, RT-Middleware, RT-Component

1. [Introduction; title and Japanese body text not extracted]
Surviving terms of this section, in order: RT; functional safety; Safety Related System (SRS); E/E/PES (Electrical/Electronic/Programmable Electronic); IEC 61508 [1]; RT; IEC 61508; SIL (Safety Integrity Level) [2]; Dependable RT-Middleware (d-rtm); d-rtm; IEC 61508; d-rtm.

[Fig.1 labels. Non-safety related systems: RTC, RTC, RTC, Communication middleware, RT-Middleware. Safety related systems (certified): LwRTC, LwRTC, LwRTC, Communication middleware, Certified real-time OS.]
Fig.1 RTC based non-SRS and LwRTC based SRS architecture.

2. IEC 61508 [title not fully extracted; body text not extracted]
Surviving terms: IEC 61508; RT.
[Fig.3 phases of the IEC 61508 overall safety lifecycle:]
 1 Concept
 2 Overall scope definition
 3 Hazard and risk analysis
 4 Overall safety requirements
 5 Safety requirements allocation
 6 Overall operation and maintenance
 7 Overall safety validation
 8 Overall installation and commissioning
 9 Safety related systems: E/E/PES Realization (see E/E/PES safety lifecycle)
10 Safety related systems: other technology Realization
11 External risk reduction facilities Realization
12 Overall installation and commissioning
13 Overall safety validation
   [arrow label: Back to appropriate overall safety lifecycle phase]
14 Overall operation, maintenance and repair
15 Overall modification and retrofit
16 Decommissioning or disposal
Fig.3 Safety Development Lifecycle. (IEC 1 646/98)

[Fig.2 labels. RTC Specification: LightweightRTC, Execution Semantics, Introspection, SDOPackage; d-rtm; OpenRTM.]
Fig.2 Supported packages of OMG RTC specification by OpenRTM-aist and RTMSafety.

2.1 [title not extracted]
Surviving terms: RTM; d-rtm [2] (Fig.1); RT implementations: OpenRTM-aist [4], OpenRTM.NET [5] (OpenRTM); [3]; [3]; LightweightRTC.

2.2 [title not extracted]
Surviving terms: OMG RTC; d-rtm; OMG RTC.

2.3 [title not extracted]
Surviving terms: three packages (LightweightRTC, Execution Semantics, Introspection) and one package (SDOPackage); OpenRTM (RT ...); d-rtm; d-rtm supports LightweightRTC and Execution Semantics.

3. IEC 61508 [title not fully extracted]
The subsections below follow Fig.3 (...) phases 1, 4 and 5 of Fig.3.

3.1 (Fig.3 phase 1 (Concept)) [title not extracted]
d-rtm consists of RTC ... in three parts: 1) d-rtm Package, 2) Library Package, 3) Network (N/W) Protocol Library. Fig.3 ... RT ... OpenRTM-aist versus d-rtm: see Fig.4.
Surviving fragments of section 3.1 describing the three parts:
- d-rtm Package: LightweightRTC; RTC.
- Library Package: d-rtm; OS; RTC.
- N/W Protocol Library: RTC-to-RTC communication using CORBA CDR (Common Data Representation); RTC; RTC; RTC; RTC; RTC.

[Fig.4 labels. (a) Conventional RT-Middleware: LwRTC, LwRTC, LwRTC, LwRTC, OpenRTM, CORBA, OS. (b) d-rtm: RTMSafety, Protocol Library, Self check, Safety Function Library, Safety Function, Safety OS, Communication with non-safety RTC, Monitoring.]
Fig.4 Structure comparison between OpenRTM-aist and d-rtm.

Surviving fragments: d-rtm (10 ...); SIL3; RTC; RTC.

3.2 (Fig.3 phase 4 (Overall safety requirements)) [title not extracted]
Surviving fragments: 45; RTC; d-rtm; RTC; OS; OS; IEC 61508.

3.3 [title not extracted]
Surviving fragments: OS; RTC.

Table 1 d-rtm specification (row labels not extracted; values as they appear):
  µITRON, QNX Neutrino RTOS Safe Kernel
  C
  RT + ...
  1–16
  0–8 /RTC, InPort/OutPort
  1 OutPort ... 4
  µITRON: 5 ms – 1 s, QNX: 1 ms – 1 s

(Fig.3 phase 5 (Safety requirements allocation)) Surviving fragments: 1 ... 9; RTC; RTC Action / Activity; RTC; RTObject; RTObject; Data Port; Data Port; Execution Context; Execution Context.

4. [title not extracted]
Surviving fragments: d-rtm; OS: µITRON; OS: QNX Neutrino RTOS Safe Kernel (IEC 61508 SIL3); C (...); C; d-rtm; Fig.1; d-rtm; RT; RTC ComponentAction; RTC; RTC execution context (EC). Fig.5 shows the ComponentAction on_execute callback in C for an RTC named MyRtc, which reads its input data port with InPort_read().
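The on_execute pattern of Fig.5 (InPort_read followed by Marshalizer_demarshalUShort) consumes a CDR-encoded message whose byte order arrives with the data, possibly from a non-safety RTC. The following is an added example, not d-rtm's own Marshalizer code: a hypothetical, bounds-checked CDR demarshaller for unsigned short and unsigned long that applies CDR's natural-size alignment; the rc_t codes, BYTEORDER_* values and function names are assumptions.

```c
/* Minimal CDR (Common Data Representation) demarshalling of unsigned
 * integers with an explicit byte order and bounds checks. Hypothetical
 * stand-in for a Marshalizer-style API; all names here are assumptions. */
#include <stddef.h>
#include <stdint.h>

typedef enum { RC_OK = 0, RC_BAD_PARAMETER = 1, RC_OUT_OF_BOUNDS = 2 } rc_t;

enum { BYTEORDER_BIG_ENDIAN = 0, BYTEORDER_LITTLE_ENDIAN = 1 };

/* Read an unsigned integer of `width` bytes at *pos from buf[0..len).
 * CDR aligns each primitive to its own size relative to the stream start,
 * so the position is padded first; every step is bounds-checked so a
 * short or malformed message cannot cause an over-read. */
static rc_t cdr_read_uint(const uint8_t *buf, size_t len, size_t *pos,
                          int byteorder, size_t width, uint32_t *out)
{
    size_t p, i;
    uint32_t v = 0;
    if (buf == NULL || pos == NULL || out == NULL) return RC_BAD_PARAMETER;
    if (byteorder != BYTEORDER_BIG_ENDIAN && byteorder != BYTEORDER_LITTLE_ENDIAN)
        return RC_BAD_PARAMETER;
    p = *pos;
    if (p % width != 0) p += width - (p % width);      /* CDR alignment */
    if (p > len || width > len - p) return RC_OUT_OF_BOUNDS;
    for (i = 0; i < width; i++) {
        size_t idx = (byteorder == BYTEORDER_BIG_ENDIAN) ? p + i : p + width - 1 - i;
        v = (v << 8) | buf[idx];                       /* accumulate MSB first */
    }
    *pos = p + width;                                  /* advance past the value */
    *out = v;
    return RC_OK;
}

/* Counterpart of the page's Marshalizer_demarshalUShort: 2-byte value. */
rc_t demarshal_ushort(const uint8_t *buf, size_t len, size_t *pos,
                      int byteorder, uint16_t *data)
{
    uint32_t v;
    rc_t rc = cdr_read_uint(buf, len, pos, byteorder, 2, &v);
    if (rc == RC_OK) *data = (uint16_t)v;
    return rc;
}

/* 4-byte value, aligned to a 4-byte boundary as CDR requires. */
rc_t demarshal_ulong(const uint8_t *buf, size_t len, size_t *pos,
                     int byteorder, uint32_t *data)
{
    return cdr_read_uint(buf, len, pos, byteorder, 4, data);
}
```

A caller in the style of Fig.5 would check the returned code before using `data`, since a truncated message yields RC_OUT_OF_BOUNDS rather than a partially filled value.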
[Fig.7 labels: RT Product; Only product specific evidence is newly prepared by developer; Original Software; Certification Body; RTM Safety; OS; Certified Software of these parts are provided by OS vendor and RTM safety; Certification.]
Fig.7 Certification process by using certified OS and d-rtm.

    ReturnCode_t MyRtc_on_execute(void)
    {
        /* ... (omitted) ... */
        /* read the raw CDR bytes from the input data port */
        retval = InPort_read(&gsDataPort_Input, temp, sizeof(temp), &datainfo);
        if (retval != RTC_OK) {
            return retval;    /* do not demarshal a buffer that was not filled */
        }
        /* demarshal an unsigned short, honoring the sender's byte order */
        retval = Marshalizer_demarshalUShort(temp, &position, datainfo.byteorder, &data);
        /* ... (omitted) ... */
        return RTC_OK;
    }

Fig.5 An example of on_execute function implementation.

    ReturnCode_t MyRtc_create(MyRtc_t* pself,
                              const ObjectKey_t* psrtcid,
                              const ObjectKey_t* psdataportids)
    {
        /* RTC ID */
        pself->psrtcid = psrtcid;
        /* DataPort IDs */
        pself->psdataportids = psdataportids;
        /* ComponentAction callbacks */
        pself->oninitialize = InputRtc_on_initialize;
        pself->onfinalize   = InputRtc_on_finalize;
        pself->onstartup    = InputRtc_on_startup;
        /* ... (remaining callbacks omitted) ... */
        return RTC_OK;
    }

Fig.6 An example of RT-Component construction function.

Marshalizer_demarshalUShort() demarshals unsigned short data. Surviving fragments: API; OpenRTM; d-rtm; C; C++; OpenRTM. Fig.6 shows the RTC construction function. Surviving fragments: OpenRTM.

4.1 [title not extracted]
Surviving fragments: d-rtm; Fig.3 (...). Fig.7 shows the certification process: OS; d-rtm; OS.

5. [Conclusion; title not extracted]
Surviving fragments: d-rtm; d-rtm; IEC 61508.

References
[1] IEC 61508, Functional safety of electrical / electronic / programmable electronic safety-related systems, 2005.
[2] [authors not extracted], Geoffrey Biggs, [...], "RT ...", SI2010, pp. 87-88, Dec. 2010.
[3] OMG Specification, Robotic Technology Component Specification, formal/08-04-04.
[4] OpenRTM-aist, http://www.openrtm.org
[5] OpenRTM.NET, http://www.sec.co.jp/robot