Инструкция по эксплуатации Bosch Praesideo 4.0

Praesideo 4.0

en | 81

Bosch Security Systems B.V.

IUI-PRAESIDEO_4.0 | V1.0 | 2013.01

Installation and User Instructions

c

details of any software tools used in the preparation

of the program (e.g. high level design tools,

compilers, assemblers).

The list can be composed on request and contains

high level design tools, compilers for various processors,

syntax validation tools, build tools, test tools,

performance validation tools, version control tools, defect

tracking tools.

14.3 Software design

Praesideo is compliant.

In order to ensure the reliability of the VACIE the

following requirements for software design shall apply:
a

the software shall have a modular structure;

The modular structure of the Praesideo software is

documented in the software architecture documents.

b

the design of the interfaces for manually and

automatically generated data shall not permit invalid

data to cause an error in the program execution;

The interfaces between the modules and to external

components are well defined and described in the design

documents and external interface documents (Open

Interface). Asserts are used to validate inputs on

component boundaries.

c

the software shall be designed to avoid the

occurrence of a deadlock in the program flow.

Design guidelines are in place to avoid deadlocks. Multi

threading within components is avoided where feasible

and components have an input command queue for safe

decoupling of threads.

14.4 Program monitoring (see also Annex C)

Praesideo is compliant.

14.4.1 The execution of the program shall be monitored

as under 14.4.2 or 14.4.3. If routines associated with the

main functions of the program are no longer executed,

either or both of the following shall apply:
a

the VACIE shall indicate a system fault (as in 8.3);

Upon activation of a watchdog, a fault is reported after

restart of the failing component indicating the failing unit

and processor. If a restart of the failing component is not

possible, a less detailed fault will be reported. A system

fault is indicated when entering the fault condition.

b

the VACIE shall enter the fault warning condition and

indicate faults of affected supervised functions (as in

8.2.3, 8.2.4, 8.3, 8.4 and 8.5), where only these

functions are affected.

Upon activation of a watchdog, a fault is reported after

restart of the failing component indicating the failing unit

and processor.

14.4.2 If the program executes in one processor, the

execution of the routines in 14.4.1, it shall be monitored

by a monitoring device as in 14.4.4.

All processors used in the Praesideo system are either

guarded by a hardware watchdog or are monitored by a

processor that is guarded by a hardware watchdog.

14.4.3 If the program executes in more than one

processor, the execution of the routines in 14.4.1 shall be

monitored in each processor. A monitoring device as in

14.4.4 shall be associated with one or more processors,

and at least one such processor shall monitor the

functioning of any processor not associated with such a

monitoring device.

All processors are either guarded by a hardware

watchdog or are monitored by a processor that is

guarded by a hardware watchdog:.

The network controller is responsible for monitoring all

processors in the system. Upon failure of one of the

processors, either due to a watchdog failure or due to a

communication failure a fault is generated. Failure of the

network controller itself will cause the system fault output

contact to be de-energized to indicate a system fault.

14.4.4 The monitoring device of 14.4.2 and 14.4.3 shall

have a time-base independent of that of the monitored

system. The functioning of the monitoring device, and the

signaling of a fault warning, shall not be prevented by a

failure in the execution of the program of the monitored

system.

All processors are either guarded by a hardware

watchdog or are monitored by a processor that is

guarded by a hardware watchdog.

Additionally the correct operation of the main processor

of all system elements is validated by adding execution

checks on relevant locations in the code. This to assure

that no important flow is excluded from execution.

The network controller multi-threaded environment is

validated on correct operation by monitoring the threads:

all relevant threads must report to a single thread that is

responsible for resetting the watchdog. If threads do not

report within a given time frame the watchdog feeding

process is halted. This monitoring thread itself is

supervised by a hardware watchdog.

14.4.5 In the event of a system fault as specified in

14.4.1 a) or 14.6, those parts of the VACIE affected shall

enter a safe state not later than the indication of the

system fault. This safe state shall not result in the false

activation of mandatory outputs.

Upon restart of a unit other than the Network Controller,

the unit will be reinitialized and reordered to its expected

state.

Upon restart of the network controller and subsequent

loss of the audio and communication network, all units

will assume a safe state. The network controller orders

the units to their initialization state and is responsive to

new stimuli when restarted.

Information about errors and fatal errors (those resulting

in a reboot) are saved in SRAM for post mortem

analysis. Additionally to the display, a fault indicator can

be supplied that indicates the presence of a fault.

Clause / Requirement

Compliance

Signature