CLEARSY Safety Platform
The CLEARSY Safety Platform is a comprehensive and consistent set of hardware, software, and tools easing the development of SIL4 systems. As the vital computer board is already certified, the end-user only needs to focus on the design of its own business application and system.
The CLEARSY Safety Platform is made of:
- A single-board vital computer (SIL4) bundled on a credit-card-sized printed circuit board (72.5 x 45 mm). External interfaces and peripherals have to be designed on a dedicated motherboard according to customer requirements. CLEARSY offers support and services to design this custom motherboard.
- A software library that includes all the safety principles required to reach a SIL4 execution level. This library is in charge of performing all the vital built-in health tests. This software library is formally proven with the B formal method.
- A fully integrated toolchain (running in a Docker container or within a virtual machine) that allows the final binary to be built directly. Thanks to this setup, all the configuration and installation steps related to the tools' ecosystem are completely avoided.
The CLEARSY Safety Platform is certified at SIL4 level (certificate SIL4 CERTIFER n° 9594/0262) against the following standards:
- CENELEC EN50126:2017
- CENELEC EN50128:2011
- CENELEC EN50129:2018
The safety principles are built in, both at the software level and at the hardware level, and are based on a composite failsafe architecture (2oo2 hardware, 4oo4 software).
The software correctness is ensured by mathematical proof. The detection of any divergent behaviour between the two processors and among the four instances of the software is handled by the platform. The safety verifications include:
- integrity of the random access memory
- integrity of the flash memory
- detection of clock drift
- internal processing circuitry integrity
- runtime configuration of the CPU
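The following C snippet is an added illustration of the two principles listed above, a 4oo4 software comparison that forces the restrictive state on any divergence, and a cyclic RAM integrity check. It is not CLEARSY's code: the platform's actual library, voting scheme and self-tests are not shown on this page, and every name here (control_step, vote_4oo4, fletcher16, the door-control example, the fault-injection hook) is an assumption made for the example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed example: four instances of one business function run and their
   outputs are compared; the output is only asserted when all four agree
   (4oo4). Any divergence drives the fail-safe (restrictive) output. */
#define INSTANCES 4
#define FAILSAFE 0u   /* restrictive state, e.g. "keep the door closed" */

typedef struct { uint32_t speed_mm_s; bool door_request; } inputs_t;

/* Business function (constructed): permit opening only when stopped and requested. */
static uint32_t control_step(const inputs_t *in) {
    return (in->speed_mm_s == 0 && in->door_request) ? 1u : FAILSAFE;
}

/* Diversified instance of the same specification, computed through the
   negated condition so that a single coding slip is less likely to hit both. */
static uint32_t control_step_diverse(const inputs_t *in) {
    uint32_t not_ok = (in->speed_mm_s != 0) | (!in->door_request);
    return not_ok ? FAILSAFE : 1u;
}

typedef struct {
    uint32_t output;
    bool divergence_detected;
} vote_result_t;

/* Run all instances and compare. fault_inject_mask is a test hook: bit i set
   flips instance i's result to simulate a faulty instance. */
vote_result_t vote_4oo4(const inputs_t *in, uint32_t fault_inject_mask) {
    uint32_t results[INSTANCES];
    results[0] = control_step(in);
    results[1] = control_step_diverse(in);
    results[2] = control_step(in);
    results[3] = control_step_diverse(in);
    for (int i = 0; i < INSTANCES; i++)
        if (fault_inject_mask & (1u << i)) results[i] ^= 1u;

    vote_result_t r = { FAILSAFE, false };
    for (int i = 1; i < INSTANCES; i++)
        if (results[i] != results[0]) r.divergence_detected = true;
    if (!r.divergence_detected) r.output = results[0];   /* all four agree */
    return r;
}

/* Fletcher-16 checksum (assumed choice) used for a cyclic RAM integrity test:
   the reference is computed when the region is written and re-checked each cycle. */
uint32_t fletcher16(const uint8_t *data, size_t len) {
    uint32_t s1 = 0, s2 = 0;
    for (size_t i = 0; i < len; i++) {
        s1 = (s1 + data[i]) % 255u;
        s2 = (s2 + s1) % 255u;
    }
    return (s2 << 8) | s1;
}

/* Returns true if a constructed region still matches its reference checksum;
   `corrupt` flips one bit to simulate a memory fault. */
bool ram_selftest_demo(bool corrupt) {
    uint8_t region[16] = { 0xDE, 0xAD, 0xBE, 0xEF, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12 };
    uint32_t reference = fletcher16(region, sizeof region);
    if (corrupt) region[5] ^= 0x10;
    return fletcher16(region, sizeof region) == reference;
}

int main(void) {
    inputs_t stopped = { 0, true };
    vote_result_t ok = vote_4oo4(&stopped, 0);
    vote_result_t bad = vote_4oo4(&stopped, 1u << 2);   /* instance 2 faulty */
    printf("healthy: output=%u divergence=%d\n", ok.output, ok.divergence_detected);
    printf("faulty:  output=%u divergence=%d\n", bad.output, bad.divergence_detected);
    printf("ram ok: %d, ram corrupted detected: %d\n",
           ram_selftest_demo(false), !ram_selftest_demo(true));
    return 0;
}
```

The point a practitioner should take from it is that the comparator, not the business function, owns the fail-safe decision: a disagreement never "picks a winner", it always selects the restrictive output.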
A formal process
The B formal method, at the core of the development process, reduces development, deployment and certification costs. Mathematical proof ensures that the software complies with its specification (functional model) and guarantees the absence of programming errors while avoiding unit testing and integration testing.
Moreover, only one functional model is used to automatically produce the redundant software, avoiding the need for two independent teams for its development.
The CLEARSY Safety Platform targets acquisition and control industrial applications and allows complex, algorithm-based software to be written.
It allows the design of cyclic or acyclic applications (input reading, time-constrained software, output command, computation, software algorithms, networking, …) which run directly on the vital computer board.
This solution is bare metal (running without an operating system) and offers very fine-grained time management and task scheduling capability. This feature allows the end-user to reach a very short reaction time and avoid the complexity of software development within the framework of a real-time operating system.
The main function entry point is provided to the end-user. Therefore, there is no constraint imposed by the platform on the user application (especially in terms of minimum cycle time). The end-user is completely free in his/her choice of function/task scheduling.
The CLEARSY Safety Platform is powered by two PIC32MX microcontrollers from Microchip that deliver 80 MIPS each.
Development Process with the CLEARSY Safety Platform
To develop a new product based on the CLEARSY Safety Platform the following activities need to be carried out:
- Design of a motherboard with all the required interfaces to the external devices (for example vital and non-vital outputs, maintenance CPU, network interfaces, …) and also a slot for the vital computer board of the CLEARSY Safety Platform. Thanks to its several years of design experience, CLEARSY can offer support and services for the design of the motherboard. This architectural choice ensures that the resulting product will be tailored to your needs (no unnecessary interface). Such an optimized and compact product cannot be achieved with conventional solutions based on the integration of industrial PLCs and modules.
- Design of business-specific software. The single development constraint consists of periodically calling some primitives of the underlying vital software library of the CLEARSY Safety Platform. The input is formatted in the B0 language. The end-user is free to write and validate the B0 implementation by his/her own means, or he/she can use the Atelier B IDE to generate and prove the B0 against a formal model. This last design strategy saves the cost of the unit tests and also avoids some of the integration tests (thanks to the formal proof).
- Writing of the safety case and certification of the system.
If you are already using an industrial process to develop vital software (SCADE, ADA, C, …), it is possible to build a custom translator from your output language to B0 so that you can use your existing process to build an application for the CLEARSY Safety Platform.
Thus, the CLEARSY Safety Platform is versatile enough to be adapted to any custom development process.
The vital software library is immune to the content of the custom software written by the end-user. The integrity of the CLEARSY Safety Platform cannot be altered by misuse of the platform.
The CLEARSY Safety Platform has been designed to reach high availability. The predicted mean time between failures (MTBF) is larger than 12 million hours (at 40°C).
For contexts where this availability is not enough, the vital computer board can be associated with a redundant architecture (active/active or active/passive) to increase the availability of the resulting system even further.
All the items used within the CLEARSY Safety Platform have been developed and are maintained by CLEARSY. Thus, the industrial risk associated with the CLEARSY Safety Platform can be reduced because any component of the platform can be audited or placed under escrow. No third-party tools or source code are used within the CLEARSY Safety Platform. Moreover, the compilation and generation toolchain is compliant with the T3 requirement level per the assessment of an independent accredited assessor.
Proven in use solution
The CLEARSY Safety Platform is a proven solution whose fundamental principles have already been deployed by CLEARSY on several systems used in revenue service:
- Platform screen door control system COPPILOT.M (Sao Paulo monorail, certificate CERTIFER #8891/200-1, 27 February 2017, SIL4)
- Platform screen door control system (Stockholm City Line, certificate BUREAU VERITAS #63937410, March 2017, SIL3)
- Vital remote I/O system (certificate BUREAU VERITAS #7092509, July 2019, SIL4)
Besides, Atelier B IDE, which makes it possible to design software from a formal model, is already used by key players in the rail market and runs more than 30% of metro automatic pilots around the world.
Ready for the industry
A starter kit featuring 32 non-vital inputs and 32 non-vital outputs is provided with the CLEARSY Safety Platform. This starter kit allows quick prototyping and proofs of concept, and eases the learning curve associated with the CLEARSY Safety Platform.
Moreover, CLEARSY can provide support and services to integrate vital hardware circuitry already used in revenue service, reducing the complexity and the risk associated with the design of safety-critical systems.
Why choose the CLEARSY Safety Platform
- Ease of the certification process by basing the system on an existing certificate.
- Shorter time to market.
- Efficient use of the B formal method (savings on software unit tests and integration tests).
- Design effort focused only on the end-user specific application.
- Software diversification natively supported by the tools and architecture; no need for two independent software teams.
- Possibility of designing a distributed architecture where computing resources are closer to the actuators and sensors.
Fit for education
The CLEARSY Safety Platform is being used for education in Europe, North America and South America by universities and engineering schools.
- An education version of the starter kit (called SK0), developed with the support of the French R&D project FUI LCHIP (Low Cost High Integrity Platform), has been commercially available since Q4 2017.
- A pedagogical kit (support documentation, exercises, models) allows teachers and researchers to seamlessly set up courses for students up to Master 2 level.