Mixed Criticality Systems – view from the industry side (PowerPoint PPT Presentation)

SLIDE 1

Mixed Criticality Systems – view from the industry side

MAXIM Cristian, Airbus Operations S.A.S, Dagstuhl Seminar - 27/03/2017

SLIDE 2

Criticality (notions)

  • Criticality is a designation of the level of assurance against failure needed for a system component.
  • SIL – Safety Integrity Level
  • For avionics software
    • Before 2012 – DO-178B
    • After 2012 – DO-178C
    • DO-178C is an updated version of DO-178B
  • For avionics hardware
    • DO-254
  • DAL – Design Assurance Level

SLIDE 3

DAL – Design Assurance Level

  • Determined from the safety assessment process and hazard analysis (ARP4761)
  • *with independence = separation of responsibilities in the verification and validation process

Level  Failure condition  Objectives DO-178C (DO-178B)  With independence*  Failure rate
A      Catastrophic       71 (66)                       33 (25)             10^-9 /h
B      Hazardous          69 (65)                       21 (14)             10^-7 /h
C      Major              62 (57)                       8 (2)               10^-5 /h
D      Minor              26 (28)                       5 (0)               10^-3 /h
E      No Safety Effect   0 (0)                         0 (0)               n/a

SLIDE 4

Objectives Distribution in DO-178B

[Chart: number of objectives (scale 5 to 45) per process area (Planning, Development, Verification, Configuration Management, QA, Certification) for DAL A, DAL B, DAL C and DAL D]

SLIDE 5

Examples DO-178C Safety Levels

Safety-Critical Levels C&D

  • Anti-missile defense
  • Data mining
  • Health monitoring
  • Mission planning and implementation
  • Mission simulation and training
  • Network-centric operation
  • Real-time data recording and analysis
  • Self-healing communication networks
  • Telemetry
  • Weapons targeting

Safety-Critical Levels A&B

  • Fly-by-wire controls
  • Auto-pilot
  • Air-traffic Separation Control
  • Glass Cockpit Information Display
  • Radar
  • Jet Engine Control
  • IFF (friend or foe)
  • Missile guidance
  • Missile launch
  • Missile self-destruct

SLIDE 6

System development process

SLIDE 7

Relations ARP-DO

SLIDE 8

Why Vestal’s model doesn’t fit avionics (industry)

Vestal vs. Industry

Vestal: Criticality applies to a task.
Industry: The criticality is given to a function (a system-level property).

Vestal: Multiple WCET values for higher criticality tasks.
Industry: One WCET value is given for certification.

Vestal: Better CPU usage is obtained through the existence of CLO.
Industry: Difficulty in implementing the scheduling of tasks having different WCETs (partition allocation).

Vestal: Failure in the timing assumption of high criticality tasks results in dropping lower criticality tasks.
Industry: Spatial isolation doesn’t allow failures in a function to affect any other function.

Vestal: Criticality mode change in the case of time violations.
Industry: Functions are given a certain criticality according to their SIL, and any change of their criticality is subject to a new certification procedure.

SLIDE 9

Bridge between MCS research and practice

  • partitioning for (safety) assurance vs. sharing for efficient resource usage
  • IMA – Integrated Modular Avionics
    • Fault isolation: a fault in an application must not propagate to other applications. Any fault must be handled either by the failing application itself or by the system.
    • Spatial isolation: applications must execute in independent physical memory address spaces. The system must control that applications cannot access any memory areas that have not been specifically allocated to them.
    • Temporal isolation: the real-time behavior of an application must be correct independently of the execution of other applications. The allocation of the system resources to an application is not influenced by others, and can be analyzed in an independent way.

SLIDE 10

IMA Concept

Splitting up of avionics functions into applications then integrated on shared IMA resources

[Figure: Avionics Functions, shown as Conventional Avionics vs. IMA Avionics]
  • FWS (Flight Warning)
  • FCDC (Flight Computer Data Concentrator)
  • WBBC (Weight and Balance Backup Computer)

SLIDE 11

IMA Concept

  • Conventional avionics:
    • Generally speaking, for a given system, each supplier responsible for the development of one or several functions provides a computer
    • This means that each supplier performs the following developments:
      • Inputs/Outputs cards
      • Power supply card
      • Processing card
      • Built-in test equipment
      • Software development platform
  • Modular avionics:
    • Implementation of several functions sharing the computer resources
      • Processing Resource (CPU time)
      • Memory
      • Input/Output capacity

SLIDE 12

IMA - Example

SLIDE 13

IMA Concept - Partitioning

  • Partitioning = functional separation of avionics applications
    • Space: SPATIAL (Memory) partitioning
    • Time: TEMPORAL partitioning
    • I/Os: Communication buses partitioning
  • Fault containment
  • Incremental Development
  • Incremental Verification and Certification
  • Robust partitioning allows cohabitation of software of multiple criticality levels

SLIDE 14

IMA Concept : Spatial Partitioning

  • Ensures restricted accesses to memory areas
  • Partitioning between
    • Avionics applications
    • Application and Core Software
  • Memory protection provided by mechanism implemented in
    • Processor (PowerPC MMU thanks to page tables and BATs)
    • CPU board chipset (Dedicated Memory Controller Protection Registers)

SLIDE 15

IMA Concept : Temporal Partitioning

  • The temporal partitioning is ensured by a mechanism named SLICER
  • Deterministic scheduling methodology based on static configuration files
  • Uninterrupted access to common resources during assigned time periods of partitions

SLIDE 16

Partitions: Major Frames (MAF)

  • A partition has 2 temporal features:
    • Period
    • Duration
  • A major frame (MAF) of fixed duration is periodically repeated
  • Each partition is activated at least once per MAF
  • MAF: multiple of all the partition periods

[Figure: two consecutive MAFs; partitions P1, P2, P3 appear in time windows, with the P1 period, P2 period and P3 period marked]

SLIDE 17

Partitions: Minor Frames (MIF)

  • A MAF is composed of one or several Minor Frames (MIFs)
  • MIFs duration: fixed but configurable and periodically repeated
  • Partition Time Window: 0, 1 or several CPU time slices within a MIF

MAF = n * MIF
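The MAF/MIF construction on the last two slides can be checked mechanically. The following Python script is an added example, not Airbus code and not the SLICER configuration format: it takes constructed partitions (period and duration in ms), derives the MAF as the least common multiple of the periods (the slides only require a multiple; choosing the least is an assumption here) and the MIF as their greatest common divisor so that every release falls on a MIF boundary and MAF = n * MIF, lays out one time window per partition release inside the MIF in which the release occurs, rejects a table whose MIF cannot hold the windows due in it, and verifies the temporal-isolation invariants of the resulting static table (no overlapping windows, every partition activated at least once per MAF). The partition names, periods and durations are made up.

```python
from dataclasses import dataclass
from functools import reduce
from math import gcd


@dataclass(frozen=True)
class Partition:
    name: str
    period: int    # activation period, ms
    duration: int  # CPU time granted in each period, ms


@dataclass(frozen=True)
class Window:
    partition: str
    start: int  # offset from MAF start, ms
    end: int    # exclusive


# Constructed sample configuration (not from any real aircraft).
SAMPLE_PARTITIONS = [
    Partition("P1", period=10, duration=3),
    Partition("P2", period=20, duration=5),
    Partition("P3", period=40, duration=2),
]


def _lcm(a: int, b: int) -> int:
    return a * b // gcd(a, b)


def major_frame(parts) -> int:
    """MAF: a multiple of every partition period (the least one is used here)."""
    return reduce(_lcm, (p.period for p in parts))


def minor_frame(parts) -> int:
    """MIF: fixed length dividing every period, so MAF = n * MIF and each
    partition release falls on a MIF boundary."""
    return reduce(gcd, (p.period for p in parts))


def build_schedule(parts):
    """Static table: one window per partition release, placed back to back
    inside the MIF in which the release occurs. If a MIF cannot hold all the
    windows due in it, the configuration is rejected rather than silently
    shortened (a shortened window would break the guaranteed duration)."""
    maf, mif = major_frame(parts), minor_frame(parts)
    schedule = []
    for mif_start in range(0, maf, mif):
        cursor = mif_start
        for p in parts:
            if mif_start % p.period != 0:
                continue  # no release of this partition in this MIF
            if cursor + p.duration > mif_start + mif:
                raise ValueError(f"MIF at {mif_start} ms overloaded while placing {p.name}")
            schedule.append(Window(p.name, cursor, cursor + p.duration))
            cursor += p.duration
    return schedule


def utilization(parts) -> float:
    """Fraction of CPU time statically reserved for the partitions."""
    return sum(p.duration / p.period for p in parts)


def check_isolation(schedule, parts) -> bool:
    """Temporal-isolation invariants of the table: windows never overlap
    (one partition owns the CPU at a time) and every partition is activated
    at least once per MAF."""
    ordered = sorted(schedule, key=lambda w: w.start)
    if any(a.end > b.start for a, b in zip(ordered, ordered[1:])):
        return False
    return all(any(w.partition == p.name for w in schedule) for p in parts)


if __name__ == "__main__":
    table = build_schedule(SAMPLE_PARTITIONS)
    print(f"MAF={major_frame(SAMPLE_PARTITIONS)} ms, MIF={minor_frame(SAMPLE_PARTITIONS)} ms, "
          f"utilization={utilization(SAMPLE_PARTITIONS):.2f}")
    for w in table:
        print(f"  {w.partition}: [{w.start}, {w.end}) ms")
    print("isolation invariants hold:", check_isolation(table, SAMPLE_PARTITIONS))
```

With the sample set the MAF is 40 ms, the MIF 10 ms, and the table holds seven windows; the order of the partition list decides which partition is placed first inside a MIF, which is the kind of choice a real static configuration file fixes explicitly.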

SLIDE 18

Process – Properties

  • Process = Programming unit contained within a partition which executes concurrently with other processes of the same partition
    • Equivalent of a system’s task
    • Not visible outside of the partition
    • Created and initialized at partition initialization time
    • Started/Stopped during partition init process or during NORMAL mode
  • Each process has a priority level; processes can share the same priority level
  • The process in the ready state with the highest current priority is always executing while the partition is active
  • Any process can be preempted
    • by a process with a higher current priority
    • by a partition time slice expiration
    • by a synchronous error exception

SLIDE 19

Process – Management

  • Process behavior may be:
    • Synchronous (periodic): process period is a multiple of the period of the partition it belongs to
    • Asynchronous (aperiodic)
    • Both types of processes can co-exist in the same partition
  • Process management is ensured by the scheduler mechanism
  • Scheduling algorithm: priority preemptive according to the preemption level of the partition

SLIDE 20

Process – Management

  • If a process within a section of code is interrupted by the end of a partition window (slice), it is guaranteed to be the first to execute when the partition is resumed (if not preempted by another higher priority process).
  • The execution context is saved and restored upon each process switch.

SLIDE 21

Process - Time Management

  • Time capacity = time given to a process to meet its processing requirements
  • Deadline for a periodic process = release point + time capacity
  • Deadline for an aperiodic process =
    • current time + time capacity when partition status enters NORMAL_MODE
    • current time + budget time upon REPLENISH_APERIODIC call
  • A deadline may occur even when the process is not running (inside or outside the partition window)
  • A deadline is only handled inside a partition window of its own partition
  • A deadline missed shall be associated to a sanction local to the partition
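The process rules of slides 18 to 22 fit in one small simulation. The Python script below is an added example, not Airbus or ARINC 653 code: inside one partition it schedules processes priority-preemptively, stops them when the partition's time slice ends and lets the interrupted process resume first unless a higher-priority process is ready, computes each deadline as release point + time capacity (aperiodic processes are released when the partition enters NORMAL_MODE, taken as t = 0; the REPLENISH_APERIODIC case is not modelled), lets a deadline expire at any time, even while the partition is not running, but handles it only inside the partition's own window, and applies a sanction that touches nothing outside the partition (here: the process is stopped). That locality is also the industry-side contrast with Vestal's criticality mode change on slide 8. Times are integer milliseconds; the partition windows, process names, priorities, capacities and execution times are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Process:
    name: str
    priority: int                 # higher value = higher priority
    time_capacity: int            # ms from release point to deadline
    exec_time: int                # ms of CPU needed per activation (constructed)
    period: Optional[int] = None  # None -> aperiodic, released at NORMAL_MODE entry (t = 0)
    remaining: int = 0
    deadline: Optional[int] = None
    missed: Optional[int] = None  # deadline that expired with work still pending
    stopped: bool = False


@dataclass
class Partition:
    name: str
    windows: List[Tuple[int, int]]  # [start, end) CPU slices granted to this partition
    processes: List[Process]
    events: List[str] = field(default_factory=list)
    sanctions: int = 0

    def active(self, t: int) -> bool:
        return any(s <= t < e for s, e in self.windows)


def _released(p: Process, t: int) -> bool:
    return t == 0 if p.period is None else t % p.period == 0


def simulate(part: Partition, horizon: int):
    """Tick-by-tick simulation of one partition; returns (events, sanctions)."""
    running: Optional[Process] = None
    for t in range(horizon):
        for p in part.processes:
            if p.stopped:
                continue
            # A deadline occurs at any time, whether or not the partition has the CPU.
            if p.remaining > 0 and p.deadline is not None and t >= p.deadline and p.missed is None:
                p.missed = p.deadline
            if _released(p, t):
                p.remaining, p.deadline = p.exec_time, t + p.time_capacity
        if not part.active(t):
            continue  # another partition owns the CPU: nothing runs, nothing is handled here
        # Missed deadlines are handled only inside this partition's own window,
        # and the sanction is local: only this partition's process list changes.
        for p in part.processes:
            if not p.stopped and p.missed is not None:
                part.events.append(f"t={t}: {p.name} missed deadline {p.missed}; "
                                   f"sanction local to {part.name}: process stopped")
                part.sanctions += 1
                p.stopped = True
                if running is p:
                    running = None
        ready = [p for p in part.processes if not p.stopped and p.remaining > 0]
        if not ready:
            running = None
            continue
        top = max(p.priority for p in ready)
        candidates = [p for p in ready if p.priority == top]
        # The process interrupted by the slice end resumes first, unless a
        # higher-priority process is ready (then it is preempted).
        if running not in candidates:
            running = candidates[0]
        running.remaining -= 1
        if running.remaining == 0:
            part.events.append(f"t={t + 1}: {running.name} completed")
            running = None
    return part.events, part.sanctions


def sample_partition() -> Partition:
    """Constructed scenario: a 4 ms window every 10 ms and three processes."""
    return Partition(
        name="P_SAMPLE",
        windows=[(0, 4), (10, 14), (20, 24)],
        processes=[
            Process("CTRL", priority=10, time_capacity=10, exec_time=2, period=10),
            Process("LOG", priority=5, time_capacity=20, exec_time=4),
            Process("MON", priority=5, time_capacity=8, exec_time=1),
        ],
    )


if __name__ == "__main__":
    events, sanctions = simulate(sample_partition(), horizon=30)
    print("\n".join(events))
    print("sanctions:", sanctions)
```

In the sample, MON never gets the CPU before its deadline at t = 8, which falls while the partition is idle; the miss is recorded then but the sanction is applied at t = 10, the first tick of the partition's next window, and CTRL and LOG keep their guarantees.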

SLIDE 22

Periodic process deadlines

SLIDE 23

Aperiodic process deadlines

SLIDE 24

Airbus implication

  • MCS related projects:
    • PROXIMA
    • CRYSTAL
    • EMC²
    • EURO-MILS