Roman Obermaisser
University of Siegen
Publication
Featured research published by Roman Obermaisser.
digital systems design | 2014
Roman Obermaisser; Zaher Owda; Mohammed Abuteir; Hamidreza Ahmadian; Donatus Weber
Mixed-criticality systems combine applications at different levels of criticality on the same platform. Today, mixed-criticality integration is addressed individually at different integration levels such as the operating system, the chip-level and the cluster-level. Since many mixed-criticality systems span all of these integration levels, a system perspective of mixed-criticality applications is required. The access to remote resources located on another chip needs to be relayed via gateways involving gateways between on-chip and off-chip networks (i.e., vertical integration) and gateways between different types of off-chip networks (i.e., horizontal integration). This paper introduces a system model with gateways for end-to-end channels over hierarchical, heterogeneous and mixed-criticality networks. We focus on the timing of end-to-end channels, as well as the interoperability across gateways.
international conference on industrial informatics | 2013
Mohammed Abuteir; Roman Obermaisser
Time-Triggered Ethernet (TTEthernet) is an SAE standard of a real-time Ethernet extension, which supports real-time requirements, fault isolation and mixed-criticality applications. TTEthernet supports different communication mechanisms ranging from best-effort messaging with a high channel utilization to predictable real-time messaging based on a time-triggered communication schedule. This paper presents a simulation framework for TTEthernet-based systems, which supports the analysis and validation of TTEthernet-based applications at early development stages. We introduce generic model building blocks (e.g., TTEthernet switches, TTEthernet end systems, fault injectors), which can be instantiated, configured and extended to model distributed embedded applications. In particular, these building blocks can be configured to support application-specific time-triggered schedules and communication topologies. The fault injector allows evaluating the reliability in the presence of message failures with given failure modes and failure rates. We demonstrate the simulation environment in an example scenario with two TTEthernet switches, multiple end systems and injected faults.
digital systems design | 2015
Asier Larrucea; Jon Perez; Irune Agirre; Vicent Brocal; Roman Obermaisser
The development of mixed-criticality systems that integrate several functionalities of different criticality levels (e.g., SIL1-4 according to IEC-61508) on the same embedded computing platform provides benefits in terms of cost, size, weight, reliability and scalability. The soaring demand for high-performance mixed-criticality systems has contributed to their capabilities expansion. This upward trend is subject to certification processes with different levels of rigorousness, which lead to prohibitive cost. This paper presents the modular safety concept of an IEC-61508 generic hypervisor where the minimum reasonable safety arguments and evidences are defined. Additionally, the use of the modularity approach limits the impact of changes to a reduced area of the safety case, enabling in turn the reusability of the safety case parts. The work described in this paper has been reviewed and approved by a certification body, within the context of a European research project.
emerging technologies and factory automation | 2014
Roman Obermaisser; Donatus Weber
Mixed-criticality architectures with support for modular certification make the integration of application subsystems with different safety assurance levels both technically and economically feasible. Strict segregation of these subsystems is a key requirement to avoid fault propagation and unintended side-effects due to integration. Also, mixed-criticality architectures must deal with the heterogeneity of subsystems that differ not only in their criticality, but also in the underlying computational models and the timing requirements. Non safety-critical subsystems often demand adaptability and support for dynamic system structures, while certification standards impose static configurations for safety-critical subsystems. Several aspects such as time and space partitioning, heterogeneous computational models and adaptability were individually addressed at different integration levels including distributed systems, the chip-level and software execution environments. However, a holistic architecture for the seamless mixed-criticality integration encompassing distributed systems, multi-core chips, operating systems and hypervisors is an open research problem. This paper describes the state-of-the-art of mixed-criticality systems and discusses the ongoing research within the European project DREAMS on a hierarchical mixed-criticality platform with support for strict segregation of subsystems, heterogeneity and adaptability.
digital systems design | 2015
Hamidreza Ahmadian; Roman Obermaisser
The increasing trend towards mixed-criticality in different domains demands a platform in which the physical integration of subsystems with different criticalities is accommodated. A fundamental prerequisite for such a platform is to establish temporal and spatial segregation between different subsystems in order to eliminate the interference on safety-critical functions, caused by non-safety-critical ones. Furthermore, as mixed-criticality systems often comprise heterogeneous subsystems, the platform shall support different timing models (e.g., periodic and sporadic activities). This paper introduces an extension layer for the Network Interface (NI) of a network-on-a-chip in order to establish the temporal and spatial partitioning over the entire chip. We describe how chip-wide temporally aligned activities of different NIs in combination with resource allocations assure the absence of interference for time-triggered messages and bounded latencies for rate-constrained messages. The chip-wide configuration of the NIs establishes guarding windows for time-triggered messages and traffic shaping of rate-constrained messages.
international conference on industrial informatics | 2014
Stefan Seifert; Roman Obermaisser
The main focus of the paper is to secure the onboard communication of automobiles. The current trend in the automotive domain is to incorporate technologies known from the consumer segment (e.g., WLAN, Ethernet) into the car. This makes it easier for an attacker to attack the on-board networks of the car, even without having physical access. To detect attacks against the automotive networks such as CAN and FlexRay, we introduce the concept of the so-called “security gateway”, which is part of the automotive architecture and is located on transition points, where different networks connect with each other. A language was created to specify the correct application behavior and to configure the security gateway. Using this representation of the application behavior, the security gateway not only detects failures caused by an attacker but also detects failures caused by malfunctions.
international symposium on object/component/service-oriented real-time distributed computing | 2013
Oliver Höftberger; Roman Obermaisser
Embedded real-time systems with dynamic resource management capabilities are able to adapt to changing resource requirements, resource availability, the occurrence of faults and environmental changes. This enables better resource utilization, more flexibility and increased dependability. Depending on the application domain, reconfiguration decisions must be found and applied within temporal bounds. Although semantic techniques are used to react to unexpected events in standard IT systems, they exhibit a computational complexity and temporal unpredictability that is not suitable for real-time systems. This paper describes a temporally predictable framework for reconfigurable embedded real-time systems. It uses a service-oriented approach to dynamically reconfigure component interactions. Knowledge about the system structure and semantics is provided in a system ontology with relevant information for embedded real-time systems (e.g., transfer delay times, accuracy of relations). The ontology allows the automatic generation of service substitutes by exploiting implicit redundancy in the system. Furthermore, an algorithm is presented that searches the ontology for semantically equivalent implementations of failed services. The process of substitution search and substitute service generation is demonstrated with an example from the automotive domain.
dependable autonomic and secure computing | 2015
Asier Larrucea; Jon Perez; Roman Obermaisser
The transition from conventional federated architectures to integrated architectures enables integration of functionalities with different criticality levels (e.g., SIL1-4 according to IEC-61508) on the same computing embedded platform. These systems, also called mixed-criticality systems, provide benefits in terms of cost, size, weight, reliability and scalability. However, mixed-criticality systems are subject to rigorous certification processes, which can lead to prohibitive cost. This paper contributes with a generic modular safety concept of an IEC-61508 compliant generic multicore COTS device where the minimum reasonable safety arguments and evidences are defined. Furthermore, the use of the modularity approach limits the impact of changes to a reduced area of the safety case, thus allowing the reusability of its parts. Additionally, this approach enables decoupling the safety arguments of subsystems with different criticality levels (e.g., SIL1-4 according to IEC-61508). The work described in this paper has been reviewed and approved by a certification body, within the context of a European research project.
conference on network and service management | 2015
Peter Heise; Fabien Geyer; Roman Obermaisser
Due to special requirements, avionic networking devices are typically quite expensive. One way to reduce costs is to make use of commercial off-the-shelf devices and configure them in a way that gives similar performance. In this paper we evaluate the use of OpenFlow in the avionics environment in terms of performance and configuration. The main feature of OpenFlow is fine-grained access to the switch's forwarding plane. While it was primarily designed to offer high configurability and reduction of cost through harmonization of interfaces, in newer versions OpenFlow added support for traffic policing. In OpenFlow this is realized with meters that allow for quality of service enforcement on a hardware level as well as an arbitrary mapping of meters to flows. This paper shows how to make use of OpenFlow's meter commands to achieve deterministic behavior and discusses its advantages and shortcomings. We then implement the proposed solution on a commercial off-the-shelf OpenFlow switch and compare the switching performance to a state-of-the-art avionics switch used in current aircraft.
international conference on event based control communication and signal processing | 2015
Zaher Owda; Roman Obermaisser
Multi-Processor Systems-on-a-Chip (MPSoC) based on time-triggered on-chip networks facilitate fault isolation, temporal predictability and mixed-criticality integration. In mixed-criticality systems, a shared memory can be realized on top of time-triggered message passing to effectively support heterogeneous applications with different interaction paradigms. This paper presents a simulation environment of such an MPSoC combining message-based and shared-memory interactions. We present SystemC simulation building blocks for the application cores, network interfaces and the time-triggered network-on-a-chip. The behavior of the application cores is described by Transaction-Level Modeling (TLM). We generate traces from the application software or from benchmarks, which serve as input for the access to the network interfaces. The simulation framework is evaluated using a realistic case study based on SPLASH-2 and PARSEC application benchmarks. The simulation framework is essential for early validation and design space exploration of mixed-criticality systems. The high abstraction level provided by TLM and traces ensures high simulation speeds.