Safety Critical Software for Autonomous Mining Systems
As the uptake of autonomous systems in the mining industry accelerates, the need to develop more robust and reliable control systems is becoming apparent. These control systems are invariably complex in nature and are always underpinned by equally complex software. Model Based Software Development techniques used in the Defence and Automotive sectors offer a powerful methodology for critical automation challenges in mining.
Electronic control systems and software have been present in safety/mission critical applications in the defence and automotive industries for some years. In the aerospace sector standards such as RTCA DO-178C provide guidance for the development of software in airborne systems while the automotive industry has drawn upon the functional safety practices outlined in IEC 61508 for System Integrity Level (SIL) 3 products. Common to these standards, and their counterparts in the medical space, is the use of design assurance practices to explore and mitigate potential systems hazards and address weaknesses in system implementation methodologies.
Under these standards, hazards analysis and other systems engineering techniques are used to formulate a design architecture that is then encapsulated in a set of requirements describing the solution, usually in text format. These requirements are then synthesised into lines of code by the software team. While design reviews and progressive testing are used to examine the outputs, the synthesis process itself is still highly dependent upon the skills of the team.
As system complexity and code size increase, review and test effort also increase, leading to longer timeframes and larger team sizes. When the code is finally released, support then becomes the next issue to be addressed. Amendments to system logic, the identification of latent bugs and hardware platforms going ‘end of life’ can all mean that further modifications are required, with the coincident risk of new faults being introduced into the design.
Model Based Development
Model based systems engineering (MBSE) techniques have been around for some two decades but their use in safety critical design is relatively recent. The increasing availability of certified automatic code generation tools to realise these designs has helped to drive their adoption in a number of aerospace applications.
Rather than working solely from a detailed text specification of the required solution, MBSE uses markup languages such as UML to create graphical representations of the system and its operation. While these tools are more usually associated with the description of high level applications, they can also be used to describe hard real-time embedded control systems. An example of a sequence diagram for an automatic teller machine interaction is shown below.
Example of a UML Sequence Diagram (visual-paradigm.com)
Timing elements can be added to the sequence diagram as well as other notations (e.g. textual requirements) to provide an intuitive description of system operation. This visual representation provides a more direct and comprehensible description of system operation which in turn allows for wider review of the proposed system design prior to implementation.
The use of a graphical markup language also makes possible the use of automated code development tools, and this is where Model Based Software Development comes in. Tools such as IBM’s Rational Rhapsody take the UML source and use this to generate lines of code in languages such as C, C++, Ada and Java. This code can then be compiled for any one of a number of hardware platforms, including microcontrollers and FPGA devices. The process can be thought of as being similar to the conversion of textual code into object and then binary files as is done by existing compilers.
The advantages of this approach are obvious. Reviews for safety and operation are undertaken at a higher level, the documentation created is simpler to understand while design changes are more readily implemented. The generation of intermediate code also allows for any one of a number of hardware targets to be used. Obsolescence issues are dealt with through changes to the underlying target and compiler leaving the original design unchanged.
Testing the System
Given its use in safety/mission critical applications, much work has gone into ensuring that code created in a model based environment is both robust and readily testable. Testing of the model itself can be undertaken in the early stages (before hardware is available) through model simulation using test stimuli and other models representing the behaviour of the broader system. This is known as Model in the Loop (MIL) testing.
As the design progresses, actual code can be generated and tested to confirm the performance of algorithms using readily available hardware simulators. This provides Software in the Loop (SIL) verification. The final step is to compile the code and run it on the target hardware to provide Hardware in the Loop (HIL) verification. It is at this point that reference results taken from the original MIL simulations can be compared to HIL outputs to verify correct operation. An example of the process is shown below.
The ability to provide this closed loop verification combined with certified compilers and operating systems such as SafeRTOS makes it possible to build a traceable product that meets the design assurance requirements of the various standards.
Elements and testing of model based software development [1]
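As an added illustration of the reference comparison described above (this is constructed example code, not code from the article or from Hydrix), the following takes a hypothetical haul-truck motion interlock, expresses it once as an executable model with prioritised guards and once as generator-style target code, replays both against the same stimulus trace, and reports any cycle where the target diverges from the MIL reference. The interlock logic, state names and stimulus trace are all assumptions made for the example.

```python
# Constructed example (not the article's or Hydrix's code): a hypothetical haul-truck motion
# interlock as an executable model and as generator-style target code, both replayed against
# one stimulus trace so the model's outputs become the reference results for the target.
from collections import namedtuple
Inputs = namedtuple("Inputs", "obstacle estop zone_ok")  # obstacle seen, e-stop, zone permitted
IDLE, MOVING, HALTED = "IDLE", "MOVING", "HALTED"

def model_step(state, inp):
    # The "model": guards in priority order, as on a UML state chart; HALTED latches
    # after an e-stop until central control re-grants zone permission.
    rules = [
        (lambda s, i: i.estop, HALTED),
        (lambda s, i: s == HALTED and not i.zone_ok, HALTED),
        (lambda s, i: s == HALTED, IDLE),
        (lambda s, i: i.obstacle or not i.zone_ok, IDLE),
        (lambda s, i: True, MOVING),
    ]
    return next(nxt for guard, nxt in rules if guard(state, inp))

def generated_step(state, inp):
    # Stand-in for generated target code: the same logic as straight-line branches.
    if inp.estop:
        return HALTED
    if state == HALTED:
        return IDLE if inp.zone_ok else HALTED
    return IDLE if inp.obstacle or not inp.zone_ok else MOVING

def buggy_step(state, inp):
    # A hand-edited variant that drops the HALTED latch; the comparison must catch it.
    if inp.estop:
        return HALTED
    return IDLE if inp.obstacle or not inp.zone_ok else MOVING

def run_trace(step, trace, initial=IDLE):
    # Replay a stimulus trace; the output per cycle is (state, brake_commanded).
    out, state = [], initial
    for inp in trace:
        state = step(state, inp)
        out.append((state, state != MOVING))
    return out

def back_to_back(target, trace):
    # Compare target outputs with the MIL reference; return cycle-indexed mismatches.
    ref, tgt = run_trace(model_step, trace), run_trace(target, trace)
    return [(i, r, t) for i, (r, t) in enumerate(zip(ref, tgt)) if r != t]

# Constructed stimulus: drive, obstacle, resume, e-stop, latched, released, drive.
TRACE = [Inputs(False, False, True), Inputs(True, False, True), Inputs(False, False, True),
         Inputs(False, True, True), Inputs(False, False, False), Inputs(False, False, True),
         Inputs(False, False, True)]
```

Running `back_to_back(generated_step, TRACE)` yields no mismatches, while `back_to_back(buggy_step, TRACE)` flags the two cycles after the e-stop where the missing latch lets the truck move before zone permission is re-granted.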
Perhaps as a legacy of its application in the defence sector, Model Based design also has the ability to break the development process itself into a series of ‘vertical slices’. Each of these slices is in effect a sub-model which is progressively built up (released) and then combined with the others to build the whole. This allows elements of the system to be partitioned and managed separately – something which is often required where different levels of security are involved. This same vertical slicing works well with modern Agile software methodologies.
Where to now?
Model Based Development is seeing increasing use in aerospace, defence and automotive applications where complex safety critical and mission critical products are needed. Reduced development times and an ability to better manage through life costs are further advantages of the methodology.
As the mining industry now contemplates the concept of fully automated “zero entry” mines, there will still be a need to develop high assurance control software that delivers deterministic, reliable and safe operations. With its manifold advantages, Model Based Software Development is an approach worthy of deeper consideration for use in this new and challenging autonomous environment.
Brad Phillips is a member of the Institute of Engineers Australia and Director Business Development – Consumer & Industrial at Hydrix.
Hydrix provides specialised technology development services to the Mining, Medical and Defence sectors with a particular focus on safety critical and first-of-type technologies.
1. “A Model-Based Reference Workflow for the Development of Safety-Critical Software”.