Bosch Praesideo 4.0 operating instructions
Praesideo 4.0
en | 81
Bosch Security Systems B.V.
IUI-PRAESIDEO_4.0 | V1.0 | 2013.01
Installation and User Instructions
c) details of any software tools used in the preparation of the program (e.g. high level design tools, compilers, assemblers).
The list can be composed on request and contains
high level design tools, compilers for various processors,
syntax validation tools, build tools, test tools,
performance validation tools, version control tools, defect
tracking tools.
14.3 Software design
Praesideo is compliant.
In order to ensure the reliability of the VACIE the
following requirements for software design shall apply:
a) the software shall have a modular structure;
The modular structure of the Praesideo software is
documented in the software architecture documents.
b) the design of the interfaces for manually and automatically generated data shall not permit invalid data to cause an error in the program execution;
The interfaces between the modules and to external
components are well defined and described in the design
documents and external interface documents (Open
Interface). Asserts are used to validate inputs on
component boundaries.
c) the software shall be designed to avoid the occurrence of a deadlock in the program flow.
Design guidelines are in place to avoid deadlocks. Multi
threading within components is avoided where feasible
and components have an input command queue for safe
decoupling of threads.
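The two design measures named for 14.3 b) and c), validating inputs at the component boundary and decoupling components through an input command queue, can be illustrated in a few lines of C. The block below is an added example and not Praesideo code; the command types, zone count, volume range and queue depth are hypothetical. Invalid commands are rejected with an error code at the boundary, so nothing malformed ever reaches the component's own thread.

```c
/* Added example (not Praesideo's own code): a component boundary that
 * validates incoming commands before they enter the component's input
 * queue, so invalid data is rejected at the interface instead of
 * propagating into program execution. All names and limits are hypothetical. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <assert.h>

#define CMD_QUEUE_LEN 8      /* hypothetical queue depth (power of two) */
#define ZONE_COUNT    16     /* hypothetical number of output zones */

enum cmd_type { CMD_START_CALL = 1, CMD_STOP_CALL = 2, CMD_SET_VOLUME = 3 };

struct command {
    uint8_t type;       /* one of enum cmd_type */
    uint8_t zone;       /* 0 .. ZONE_COUNT-1 */
    int8_t  volume_db;  /* -60 .. 0 dB, used only by CMD_SET_VOLUME */
};

/* Input command queue of one component: a ring buffer written by producer
 * code and drained by the component's own thread. Shown single-threaded
 * here; a real deployment needs atomic access to head/tail. */
struct cmd_queue {
    struct command buf[CMD_QUEUE_LEN];
    unsigned head;   /* next slot to write */
    unsigned tail;   /* next slot to read */
};

/* Boundary check: 0 if the command is well formed, else a negative code. */
int cmd_validate(const struct command *c)
{
    if (c == NULL) return -1;
    switch (c->type) {
    case CMD_START_CALL:
    case CMD_STOP_CALL:
        if (c->zone >= ZONE_COUNT) return -2;
        return 0;
    case CMD_SET_VOLUME:
        if (c->zone >= ZONE_COUNT) return -2;
        if (c->volume_db < -60 || c->volume_db > 0) return -3;
        return 0;
    default:
        return -4;   /* unknown command type: rejected, never queued */
    }
}

/* Producer side: validate, then enqueue. Returns 0 on success,
 * -5 if the queue is full, or the validation error code. */
int cmd_queue_push(struct cmd_queue *q, const struct command *c)
{
    int err = cmd_validate(c);
    if (err) return err;
    if (q->head - q->tail == CMD_QUEUE_LEN) return -5;
    q->buf[q->head % CMD_QUEUE_LEN] = *c;
    q->head++;
    return 0;
}

/* Consumer side: the component thread pops commands that are already
 * known to be valid. Returns true if a command was written to *out. */
bool cmd_queue_pop(struct cmd_queue *q, struct command *out)
{
    if (q->head == q->tail) return false;
    *out = q->buf[q->tail % CMD_QUEUE_LEN];
    q->tail++;
    /* Invariant guarded by an assert: nothing in the queue fails validation. */
    assert(cmd_validate(out) == 0);
    return true;
}
```

The assert on the consumer side documents the invariant the boundary check establishes; it is a development-time guard, while the return codes from `cmd_validate` are the behaviour relied on in the field, which is what requirement b) asks for.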
14.4 Program monitoring (see also Annex C)
Praesideo is compliant.
14.4.1 The execution of the program shall be monitored
as under 14.4.2 or 14.4.3. If routines associated with the
main functions of the program are no longer executed,
either or both of the following shall apply:
a) the VACIE shall indicate a system fault (as in 8.3);
Upon activation of a watchdog, a fault is reported after
restart of the failing component indicating the failing unit
and processor. If a restart of the failing component is not
possible, a less detailed fault will be reported. A system
fault is indicated when entering the fault condition.
b) the VACIE shall enter the fault warning condition and indicate faults of affected supervised functions (as in 8.2.3, 8.2.4, 8.3, 8.4 and 8.5), where only these functions are affected.
Upon activation of a watchdog, a fault is reported after
restart of the failing component indicating the failing unit
and processor.
14.4.2 If the program executes in one processor, the
execution of the routines in 14.4.1 shall be monitored
by a monitoring device as in 14.4.4.
All processors used in the Praesideo system are either
guarded by a hardware watchdog or are monitored by a
processor that is guarded by a hardware watchdog.
14.4.3 If the program executes in more than one
processor, the execution of the routines in 14.4.1 shall be
monitored in each processor. A monitoring device as in
14.4.4 shall be associated with one or more processors,
and at least one such processor shall monitor the
functioning of any processor not associated with such a
monitoring device.
All processors are either guarded by a hardware
watchdog or are monitored by a processor that is
guarded by a hardware watchdog:
The network controller is responsible for monitoring all
processors in the system. Upon failure of one of the
processors, either due to a watchdog failure or due to a
communication failure a fault is generated. Failure of the
network controller itself will cause the system fault output
contact to be de-energized to indicate a system fault.
14.4.4 The monitoring device of 14.4.2 and 14.4.3 shall
have a time-base independent of that of the monitored
system. The functioning of the monitoring device, and the
signaling of a fault warning, shall not be prevented by a
failure in the execution of the program of the monitored
system.
All processors are either guarded by a hardware
watchdog or are monitored by a processor that is
guarded by a hardware watchdog.
Additionally, the correct operation of the main processor
of all system elements is validated by adding execution
checks at relevant locations in the code. This ensures
that no important flow is excluded from execution.
The network controller multi-threaded environment is
validated on correct operation by monitoring the threads:
all relevant threads must report to a single thread that is
responsible for resetting the watchdog. If threads do not
report within a given time frame the watchdog feeding
process is halted. This monitoring thread itself is
supervised by a hardware watchdog.
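The two supervision mechanisms described for 14.4.4, execution checks at relevant locations in the code and a single thread that feeds the hardware watchdog only while every supervised thread keeps reporting, can be combined in one small monitor. The block below is an added example, not Praesideo firmware; the thread count, deadline, checkpoint names and the stand-in for the hardware kick are hypothetical. Feeding stops, and stays stopped, as soon as a thread misses its deadline or a mandatory checkpoint was not hit in the cycle, leaving the hardware watchdog with its independent time base to reset the processor.

```c
/* Added example (not Praesideo's own code): software supervision of a
 * multi-threaded main processor. Every supervised thread reports in, and
 * the monitoring routine feeds the hardware watchdog only when all threads
 * reported within the deadline AND all mandatory execution checkpoints of
 * the cycle were hit. Ids, deadline and checkpoint set are hypothetical. */
#include <stdint.h>
#include <stdbool.h>

#define WD_THREADS     4
#define WD_DEADLINE_MS 500   /* hypothetical: longest permitted silence per thread */

/* Mandatory execution checkpoints; all must be hit in every monitoring cycle. */
enum wd_checkpoint {
    CP_AUDIO_ROUTING = 1u << 0,
    CP_NETWORK_POLL  = 1u << 1,
    CP_FAULT_SCAN    = 1u << 2,
};
#define CP_ALL (CP_AUDIO_ROUTING | CP_NETWORK_POLL | CP_FAULT_SCAN)

struct wd_monitor {
    uint32_t last_report_ms[WD_THREADS]; /* time each thread last reported */
    uint32_t checkpoints_hit;            /* bitmask of checkpoints this cycle */
    bool     halted;                     /* feeding stopped; sticky until reset */
    uint32_t feed_count;                 /* hardware feeds issued so far */
};

void wd_init(struct wd_monitor *m, uint32_t now_ms)
{
    for (int i = 0; i < WD_THREADS; i++) m->last_report_ms[i] = now_ms;
    m->checkpoints_hit = 0;
    m->halted = false;
    m->feed_count = 0;
}

/* Called by each supervised thread from its main loop. */
void wd_thread_report(struct wd_monitor *m, int thread_id, uint32_t now_ms)
{
    if (thread_id >= 0 && thread_id < WD_THREADS)
        m->last_report_ms[thread_id] = now_ms;
}

/* Called at relevant locations in the code to prove that the flow ran. */
void wd_checkpoint(struct wd_monitor *m, enum wd_checkpoint cp)
{
    m->checkpoints_hit |= (uint32_t)cp;
}

/* Stand-in for the register write that kicks the hardware watchdog. */
static void hw_watchdog_kick(struct wd_monitor *m) { m->feed_count++; }

/* Run periodically by the monitoring thread. Returns true if the hardware
 * watchdog was fed; false means feeding is halted and the hardware watchdog,
 * on its own time base, will reset the processor. */
bool wd_monitor_cycle(struct wd_monitor *m, uint32_t now_ms)
{
    if (m->halted) return false;
    for (int i = 0; i < WD_THREADS; i++) {
        /* unsigned subtraction tolerates a wrapping millisecond counter */
        if (now_ms - m->last_report_ms[i] > WD_DEADLINE_MS) {
            m->halted = true;      /* a thread went silent: stop feeding */
            return false;
        }
    }
    if ((m->checkpoints_hit & CP_ALL) != CP_ALL) {
        m->halted = true;          /* a mandatory flow was skipped */
        return false;
    }
    m->checkpoints_hit = 0;        /* start a fresh cycle */
    hw_watchdog_kick(m);
    return true;
}
```

Because the monitor itself runs as a thread, it can only refuse to feed; it is the hardware watchdog that actually enforces the reset, which is why the requirement in 14.4.4 asks for a monitoring device with a time base independent of the monitored program.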
14.4.5 In the event of a system fault as specified in
14.4.1 a) or 14.6, those parts of the VACIE affected shall
enter a safe state not later than the indication of the
system fault. This safe state shall not result in the false
activation of mandatory outputs.
Upon restart of a unit other than the Network Controller,
the unit will be reinitialized and reordered to its expected
state.
Upon restart of the network controller and subsequent
loss of the audio and communication network, all units
will assume a safe state. The network controller orders
the units to their initialization state and is responsive to
new stimuli when restarted.
Information about errors and fatal errors (those resulting
in a reboot) is saved in SRAM for post mortem
analysis. In addition to the display, a fault indicator can
be supplied that indicates the presence of a fault.