HW/SW Codesign - Mixed-Criticality Systems

Johannes Obermüller

January 24, 2017


Overview

1 Introduction: Definition, Motivation, Challenges

2 Techniques for Mixed-Criticality Systems: Scheduling, Partitioning/Virtualization, Architectures for Mixed-Criticality Systems

3 Examples: TTSoC, Memory Hierarchy for Mixed-Criticality Systems

4 Outlook & Conclusion


Introduction


Definition - Mixed-Criticality System (MCS)

Mixed-Criticality System (MCS)

A system where applications of different levels of criticality are executed on a shared computing platform.


Definition - Criticality

Criticality

Criticality is a designation of the level of assurance against failure needed for a system component. Burns, Davis [1]

example classifications:

safety-critical / non-safety-critical

entertainment / comfort / safety functions

safety-critical / mission-critical / uncritical


Criticality levels in Industry

SILs (Safety Integrity Levels)

ASILs (Automotive SILs)

DALs (Development Assurance Levels)

Some relevant safety standards: IEC 61508, DO-178B, ISO 26262

DO-178B

table from [2]

→ Level has huge influence on development costs!!


Examples of Mixed-Criticality Systems


Motivation


Current Situation

Huge performance increase in computing → makes novel applications feasible

Results in addition of lots of comfort / infotainment functions → major differentiator for manufacturers

But at the same time usage of embedded systems (ES) in safety-critical areas is increasing → X-by-wire, ...

Example: current premium car [3], [4]

70 computers, ∼ 100 electric motors and 3 km of wiring

functions: driver assistance features, ESP systems, motor control, ...

future services: weather and traffic information, stations or food location, breakdown or accident assistance, ...

→ more functions integrated, some critical, others less so

similar situation in other domains: aerospace, medical systems, manufacturing equipment, ...


Drawbacks of current situation

Car:

tremendous effort in cabling (3 km of cables)

wastes space

increases weight (VW Phaeton: 64 kg)

decreases reliability (connectors & cables are a major problem)

70 ECUs

high hardware cost (30% of overall production cost)

inefficient power usage


Proposed Solution


Benefits of integration

Reduced Size, Weight and Power (SWaP)

cf. car: 3 km of wiring, 70 ECUs

Lower hardware cost

Increased reliability

cf. connectors & cables


Motivation - Utilize Multi-core Processors

Multi-core processors are becoming prevalent in Embedded Systems

estimated deployment in industrial applications: 45% [5]

Typically only one core used (in safety-critical applications)

→ want to better utilize them by executing multiple applications (possibly of different criticality)

But:

need to isolate applications of different criticality

WCET analysis on multi-core is very difficult

→ lots of ongoing research


Motivation - Conclusion

MCS are an increasingly important trend in the design of real-time and embedded systems

Huge interest from industry

Priority topic on European funded research projects


Challenges


Certification - The "Lift-Up Effect"

[6]


Multi-core processors

Commercial off-the-shelf (COTS) multi-core platforms are a source of indeterminism.

Shared resources that cause temporal unpredictability:

Caches

Memory

I/O

→ application in one core can affect temporal behaviour of application in another core

→ can lead to prohibitive certification costs


Fundamental Challenges

Heterogeneity

Dissimilar requirements in terms of timing: firm, soft, hard, non-realtime

Different models of computation: dataflow, time-triggered messaging, distributed shared memory

Fundamental research question Burns, Davis [1]

reconcile the conflicting requirements of:

partitioning (for safety assurance)

sharing (for efficient resource usage)


Techniques for Mixed-Criticality Systems


Scheduling

Focus of much theoretical research on MCS

Uses criticality-specific WCETs

Assumption: the higher the criticality level of a task, the more pessimistic its WCET

Many standard scheduling results not applicable for MCS

But not much intersection with HW/SW-Codesign.

Further Reading

Good survey in "Mixed Criticality Systems - A Review" [1]
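The criticality-specific WCETs above can be made concrete with a small simulation of the dual-criticality model (one WCET per assurance level, a LO and a HI mode) that the survey [1] reviews. This is an added example with a constructed task set, not code from the slides; task names, periods, budgets and priorities are assumptions.

```python
"""Dual-criticality fixed-priority scheduling with a LO->HI mode switch.

Every task carries one WCET per assurance level: C(LO) is the optimistic
bound, C(HI) the pessimistic bound demanded for the higher certification
level (C(HI) >= C(LO)).  The system starts in LO mode and schedules with
the C(LO) values.  If a HI-criticality job runs past its C(LO) budget, the
scheduler switches to HI mode and abandons all LO-criticality jobs so that
the HI tasks still meet their deadlines under their pessimistic WCETs.
The task set below is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class Task:
    name: str
    period: int   # implicit deadline: a job released at t is due at t + period
    c_lo: int     # WCET assumed at the LO assurance level
    c_hi: int     # WCET assumed at the HI assurance level (c_hi >= c_lo)
    crit: str     # "LO" or "HI"
    prio: int     # smaller number = higher priority


@dataclass
class Job:
    task: Task
    release: int
    deadline: int
    demand: int   # execution time this job really needs
    done: int = 0


def simulate(tasks, actual_exec, horizon, mode_switch=True):
    """Preemptive fixed-priority scheduling in unit time steps.

    actual_exec maps task name -> execution time of each of its jobs, so a
    caller can force a HI task beyond its C(LO).  Returns the time of the
    mode switch (or None) and the list of (task, release) deadline misses.
    LO jobs dropped at the switch are not counted as misses: abandoning
    them is the intended behaviour of the model.
    """
    mode = "LO"
    switch_at = None
    ready = []
    missed = []
    for t in range(horizon):
        # release jobs at period boundaries; LO tasks are not released in HI mode
        for task in tasks:
            if t % task.period == 0 and not (mode == "HI" and task.crit == "LO"):
                ready.append(Job(task, t, t + task.period, actual_exec[task.name]))
        # a job that is still unfinished at its deadline has missed it
        for job in list(ready):
            if t >= job.deadline and job.done < job.demand:
                missed.append((job.task.name, job.release))
                ready.remove(job)
        if not ready:
            continue
        job = min(ready, key=lambda j: j.task.prio)
        job.done += 1
        if job.done == job.demand:
            ready.remove(job)
        # a HI job exceeding its LO-level budget triggers the mode switch
        if mode_switch and mode == "LO" and job.task.crit == "HI" and job.done > job.task.c_lo:
            mode, switch_at = "HI", t
            ready = [j for j in ready if j.task.crit == "HI"]
    return switch_at, missed


# Constructed task set: two HI tasks and one LO task.  The LO task has the
# middle priority, so in LO mode it runs before the low-priority HI task H2.
TASKS = [
    Task("H", period=10, c_lo=3, c_hi=6, crit="HI", prio=1),
    Task("L", period=10, c_lo=4, c_hi=4, crit="LO", prio=2),
    Task("H2", period=20, c_lo=4, c_hi=7, crit="HI", prio=3),
]


def run_nominal():
    """Every job stays within C(LO): no switch, no misses."""
    return simulate(TASKS, {"H": 3, "L": 4, "H2": 4}, horizon=40)


def run_overrun(mode_switch=True):
    """HI jobs need their full C(HI).  With the switch, L is dropped and both
    HI tasks still meet their deadlines; without it, H2 misses at t=20."""
    return simulate(TASKS, {"H": 6, "L": 4, "H2": 7}, horizon=40, mode_switch=mode_switch)


if __name__ == "__main__":
    print("nominal:         ", run_nominal())
    print("overrun, switch: ", run_overrun())
    print("overrun, no switch:", run_overrun(mode_switch=False))
```

The third run is the case the slide alludes to: a classic fixed-priority analysis with a single WCET per task cannot express that H2 is safe only because L is sacrificed once a HI task overruns.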


Partitioning

Strong isolation of applications/partitions:

Execution of one partition MUST NOT be influenced by execution of another partition.

Spatial partitioning

Protect one partition's memory and access to resources from other partitions.

Resources: CPU, memory, network, I/O devices, Interrupts,...

Temporal partitioning

Eliminate temporal interference between partitions.

→ partition the CPU time (and access to resources) among applications

Major benefit of partitioning: reduced certification costs


Architectures for Mixed-Criticality Systems


Federated Architecture

Applications are executed on separate processors:

→ partitioning of shared network necessary


Partitioning of the Network

Another instance of the fundamental MCS challenge

partition the use of the network to enhance safety

share the capacity of the network to reduce cost

Partitioning by Arbitration: e.g. TDMA

Enforced by architectural approaches [7]
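The TDMA arbitration named here and the temporal partitioning of the earlier Partitioning slide can be shown with one small slot-table arbiter. This is an added example, not code from the slides or from [7]; the slot table, slot length and traffic are constructed, and "ctrl" and "info" are invented partition names.

```python
"""TDMA arbitration as temporal partitioning of a shared resource.

A bus, network link or memory port is granted in a static cyclic schedule:
a major frame of fixed-length slots, each owned by exactly one partition.
A partition is served only in its own slots, so its worst-case access
latency follows from the slot table alone and cannot be changed by what
the other partitions do.  Slot table and traffic below are constructed.
"""
from collections import deque


class TdmaArbiter:
    def __init__(self, slot_table, slot_len):
        self.slot_table = slot_table          # slot index -> owning partition
        self.slot_len = slot_len              # time units per slot
        self.frame_len = slot_len * len(slot_table)
        self.queues = {p: deque() for p in slot_table}
        self.served = []                      # (time, partition, req_id, latency)

    def owner(self, t):
        return self.slot_table[(t % self.frame_len) // self.slot_len]

    def submit(self, t, partition, req_id):
        self.queues[partition].append((t, req_id))

    def step(self, t):
        """Grant at most one request per time unit, only to the slot owner."""
        p = self.owner(t)
        if self.queues[p]:
            sub_t, req_id = self.queues[p].popleft()
            self.served.append((t, p, req_id, t - sub_t))


def worst_case_latency(slot_table, slot_len, partition):
    """Longest wait of a request that finds its partition's queue empty:
    the longest cyclic run of foreign slots between two own slots."""
    n = len(slot_table)
    own = [i for i, p in enumerate(slot_table) if p == partition]
    if not own:
        raise ValueError(f"{partition} owns no slot")
    worst = 0
    for k, i in enumerate(own):
        nxt = own[(k + 1) % len(own)]
        worst = max(worst, ((nxt - i - 1) % n) * slot_len)
    return worst


def run(slot_table, slot_len, traffic, horizon):
    """traffic: (time, partition, req_id) submissions, constructed inline."""
    arb = TdmaArbiter(slot_table, slot_len)
    pending = deque(sorted(traffic))
    for t in range(horizon):
        while pending and pending[0][0] == t:
            _, p, r = pending.popleft()
            arb.submit(t, p, r)
        arb.step(t)
    return arb.served


def latencies(served, partition):
    return [lat for (_, p, _, lat) in served if p == partition]


# Constructed schedule: a safety-critical "ctrl" partition owns slot 0, a
# non-critical "info" partition owns slots 1-3; frame length = 4 * 2 = 8.
SLOTS = ["ctrl", "info", "info", "info"]
SLOT_LEN = 2
CTRL_TRAFFIC = [(2, "ctrl", 0), (9, "ctrl", 1), (18, "ctrl", 2), (25, "ctrl", 3)]
INFO_FLOOD = [(t, "info", t) for t in range(32)]   # one request every tick


def ctrl_latency_alone():
    return latencies(run(SLOTS, SLOT_LEN, CTRL_TRAFFIC, 32), "ctrl")


def ctrl_latency_under_flood():
    return latencies(run(SLOTS, SLOT_LEN, CTRL_TRAFFIC + INFO_FLOOD, 32), "ctrl")


def info_latency_under_flood():
    return latencies(run(SLOTS, SLOT_LEN, CTRL_TRAFFIC + INFO_FLOOD, 32), "info")


if __name__ == "__main__":
    print("ctrl bound   :", worst_case_latency(SLOTS, SLOT_LEN, "ctrl"))
    print("ctrl alone   :", ctrl_latency_alone())
    print("ctrl + flood :", ctrl_latency_under_flood())
    print("info + flood :", info_latency_under_flood())
```

The flooding partition only builds up its own backlog; the critical partition sees the same latencies with or without the flood, and never more than the bound computed from the table.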


Federated Architecture - Example

Figure: Federated Architecture in a car [8]


Federated Architecture - Problems

one device per function

more and more functions added

results in excessive resource consumption

premium car: 70-100 ECUs

is being replaced by integrated architectures

enabled by more powerful (multi-core) processors


Evolution of Architectures


Integrated Architecture

Applications are executed on a shared processor:

Problem: Partitioning much harder


→ Solution: use of a Separation Kernel/Hypervisor (Virtualization)


Separation/Partitioning Kernel

Partitioning Kernel - MILS architecture

"The overall security of a distributed system rests partly on the physical separation of its components and partly on the critical functions performed by some of those components. The role which I propose for a security kernel is simply that it should re-create, within a single shared machine, an environment which supports the various components of the system, and provides the communications channels between them, in such a way that individual components of the system cannot distinguish this shared environment from a physically distributed one." [9]

→ a hypervisor is one possible implementation of the concept of a partitioning kernel


Virtualization

Hypervisor (aka. Virtual Machine Monitor (VMM))

"computer software, firmware, or hardware, that creates and runs virtual machines" (Wikipedia)

Type-1 (native / bare-metal) vs. Type-2 (hosted)


Virtualization: Type-1 vs. Type-2 Performance

Figure: Number of mode-switches for a syscall (Type-1 vs. Type-2 Hypervisor)

→ hybrids exist:

Linux KVM

FreeBSD’s bhyve


Virtualization: Options

Type-1 vs. Type-2

Full virtualization vs. para-virtualization vs. binary translation

→ in MCS: mostly type-1 with para-virtualization

highest performance

OS sources often available

But full virtualization is also becoming possible thanks to added HW support


Main problems prohibiting full virtualization [10]

instruction set is not virtualizable

memory management

interrupt handling

I/O device handling

→ necessary HW Support: Supervisor Mode, MMU, EPT, IOMMU,...

Problems to be solved for MCS:

Memory Arbitration

Caches: invalidate them at context switches, or partitioned caches

I/O Arbitration

Interrupts

Communication/Networking: TDMA,...


Mixed-Criticality Systems vs. TMR

Figure: Failure containment regions and fault containment modules [11]

MCS/Composability: failure containment regions

TMR: fault containment modules

"The majority of the research in mixed-criticality systems do not consider the possibility of permanent faults" [12]


Examples


TTSoC - Federated Architecture on a SoC

Figure: TTSoC Architecture [13]


Memory Hierarchy for Mixed-Criticality Systems

Figure: Memory access topology proposed in [14], [15]


Cache Partitioning

Hardware-based

Software-based:

Compiler-based

OS-controlled
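OS-controlled software cache partitioning is commonly done by page colouring, which also gives the "partitioned caches" mentioned under the MCS virtualization problems without hardware support. The following is an added example, not code from the slides or from [14], [15]; the cache geometry, frame pool and partition names are constructed.

```python
"""Page colouring: OS-controlled software cache partitioning.

In a physically indexed set-associative cache the set index comes from
address bits just above the cache-line offset.  If one way of the cache is
larger than a page, the top index bits lie above the page offset, so they
are fixed by the OS's choice of physical frame.  Frames that agree on those
bits map to the same cache sets and form one "colour".  Handing each
partition a disjoint set of colours means their lines can never evict each
other, whatever the other partition executes.  Cache geometry and frame
pool below are constructed for illustration.
"""


class CacheGeometry:
    def __init__(self, size, ways, line, page):
        self.line = line
        self.page = page
        self.sets = size // (ways * line)
        # colours = number of pages needed to span one way of the cache
        self.colours = max(1, (self.sets * line) // page)

    def set_index(self, paddr):
        """Hardware view: which cache set a physical address maps to."""
        return (paddr // self.line) % self.sets

    def colour_of_frame(self, frame):
        """OS view: frame-number bits that become the high set-index bits."""
        return frame % self.colours

    def sets_used(self, frames):
        """Every cache set touched by the lines of the given frames."""
        lines_per_page = self.page // self.line
        return {self.set_index(f * self.page + i * self.line)
                for f in frames for i in range(lines_per_page)}


def allocate(geom, colour_map, free_frames, requests):
    """Give each partition only frames of its own colours.

    colour_map: partition -> set of colours it may use (must be disjoint)
    requests:   partition -> number of frames wanted
    Returns partition -> list of frame numbers.
    """
    parts = list(colour_map)
    for i, a in enumerate(parts):
        for b in parts[i + 1:]:
            if colour_map[a] & colour_map[b]:
                raise ValueError(f"{a} and {b} share colours")
    pool = list(free_frames)
    out = {}
    for p, n in requests.items():
        mine = [f for f in pool if geom.colour_of_frame(f) in colour_map[p]][:n]
        if len(mine) < n:
            raise MemoryError(f"only {len(mine)} frames of colours "
                              f"{sorted(colour_map[p])} for {p}")
        out[p] = mine
        pool = [f for f in pool if f not in mine]
    return out


def isolated(geom, frames_a, frames_b):
    """True when no cache set is shared between the two frame lists."""
    return not (geom.sets_used(frames_a) & geom.sets_used(frames_b))


# Constructed geometry: 256 KiB, 8-way, 64 B lines, 4 KiB pages
# -> 512 sets, one way = 32 KiB = 8 pages, so 8 colours.
GEOM = CacheGeometry(size=256 * 1024, ways=8, line=64, page=4096)
COLOUR_MAP = {"ctrl": {0, 1}, "info": {2, 3, 4, 5, 6, 7}}


def coloured_allocation():
    return allocate(GEOM, COLOUR_MAP, range(64), {"ctrl": 4, "info": 12})


def coloured_is_isolated():
    a = coloured_allocation()
    return isolated(GEOM, a["ctrl"], a["info"])


def naive_is_isolated():
    """First-fit allocation ignoring colours: frames 0-3 vs 4-15 collide."""
    return isolated(GEOM, list(range(4)), list(range(4, 16)))


if __name__ == "__main__":
    print("sets:", GEOM.sets, "colours:", GEOM.colours)
    print("coloured:", coloured_allocation(), "isolated:", coloured_is_isolated())
    print("naive isolated:", naive_is_isolated())
```

The price of colouring is visible in the allocator: a partition with two of eight colours can only ever receive a quarter of physical memory, which is the sharing-versus-partitioning trade-off the deck keeps returning to.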


Arbiter


Memory Arbitration


Memory Arbitration Performance
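The trade-off behind the three arbitration slides, as an added example that is not from the slides or from [15]: a small model comparing the memory latency a high-criticality core sees under a static TDMA arbiter with what it sees under a first-come-first-served (FCFS) arbiter while a low-criticality core floods the bus. The access time, slot table and request traces are constructed, and the model assumes one access per slot with no pipelining.

```python
# Added example, not from the slides or [15]: worst-case memory latency of a
# high-criticality core under a static TDMA arbiter versus first-come-first-
# served (FCFS) while a low-criticality core floods memory. All values constructed.
ACCESS = 10  # cycles one access occupies the shared memory bus


def tdma_latency(req_time, core, slot_order, slot_len=ACCESS):
    """Latency of a request by `core` at cycle `req_time` under TDMA: the arbiter
    repeats `slot_order` forever (one slot = slot_len cycles) and serves the
    request in the first own slot starting at or after req_time.  No other
    core's behaviour enters this computation."""
    period = len(slot_order) * slot_len
    round_start = (req_time // period) * period
    for k in range(2):                      # own slot is in this or the next round
        for i, owner in enumerate(slot_order):
            start = round_start + k * period + i * slot_len
            if owner == core and start >= req_time:
                return start + slot_len - req_time
    raise ValueError("core has no slot in slot_order")


def tdma_worst_case(core, slot_order, slot_len=ACCESS):
    """Latency bound found exhaustively over one period (the schedule repeats)."""
    period = len(slot_order) * slot_len
    return max(tdma_latency(t, core, slot_order, slot_len) for t in range(period))


def fcfs_worst_case(requests, access=ACCESS):
    """Worst-case latency per core when the bus serves requests strictly in
    arrival order.  `requests` is a list of (issue_cycle, core)."""
    bus_free, worst = 0, {}
    for t, core in sorted(requests):
        start = max(t, bus_free)
        bus_free = start + access
        worst[core] = max(worst.get(core, 0), bus_free - t)
    return worst


def compare(burst):
    """High-criticality core 0 issues one request at cycle 5 while the
    low-criticality core 1 has `burst` requests outstanding since cycle 0
    (e.g. a DMA burst).  Returns (fcfs_latency_core0, tdma_latency_core0)."""
    flood = [(0, 1)] * burst
    return fcfs_worst_case(flood + [(5, 0)])[0], tdma_latency(5, 0, [0, 1])
```

Under FCFS the high-criticality latency grows with the size of the burst (compare(5) gives 55, compare(50) gives 505), while TDMA stays at 25 and is bounded by 29 whatever core 1 does; the cost is that an uncontended request is slower under TDMA (compare(0) gives 10 versus 25), because slots nobody uses are wasted bandwidth.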


Future Outlook

Access to shared HW resources

Time-predictable processor architectures: FlexPRET [16], Patmos [17]

Formal Verification of Hypervisor

seL4 [18], XtratuM [19]

Manycores:

Mixed Criticality on Multicore/Manycore Platforms (Dagstuhl Seminar) [20]

MCC EU research project [21]


Take Away Messages

MCS are an increasingly important trend in the design of real-time and embedded systems

Federated Architecture → Integrated Architecture (Multi-core, Hypervisor)

Fundamental Challenge: Partitioning vs. Sharing


Discussion

Are MCS an unavoidable result of the prevalence of embedded systems and consumers’ desire for ever more features? Are there alternatives?

When implementing the MILS architecture, what differences remain between federated and integrated architectures?


References

[1] Alan Burns and Robert Davis. Mixed criticality systems - a review. Technical report, Department of Computer Science, University of York, 2016.

[2] James H. Anderson, Sanjoy Baruah, and Björn B. Brandenburg. Multicore operating-system support for mixed criticality. In Proceedings of the Workshop on Mixed Criticality: Roadmap to Evolving UAV Certification, 2009.

[3] Alfons Crespo, Alejandro Alonso, Marga Marcos, Juan A. de la Puente, and Patricia Balbastre. Mixed Criticality in Control Systems. IFAC Proceedings Volumes, 47(3):12261–12271, 2014.

[4] Jon Perez, David Gonzalez, Salvador Trujillo, and Ton Trapman. A safety concept for an IEC 61508 compliant fail-safe wind power mixed-criticality system based on multicore and partitioning. In Ada-Europe International Conference on Reliable Software Technologies, pages 3–17. Springer, 2015.

[5] S. Trujillo, A. Crespo, and A. Alonso. MultiPARTES: Multicore Virtualization for Mixed-Criticality Systems. In 2013 Euromicro Conference on Digital System Design, pages 260–265, September 2013.

[6] Arjan Geven. Mixed criticality for complex networked systems. In Mixed Criticality Systems Seminar, 2012.

[7] Peter Puschner. VO Echtzeitsysteme, 2014.

[8] Wolfgang Kastner. VU Dezentrale Automation, 2014.

[9] John M. Rushby. Design and verification of secure systems, volume 15. ACM, 1981.

[10] Christopher Helpa. State of the art hardware and virtualization extensions. Part of the Seventh Framework Programme funded by the EC–DG INFSO, pages 1–52, 2012.

[11] Stefan Resch, Andreas Steininger, and Christoph Scherrer. Software Composability and Mixed Criticality for Triple Modular Redundant Architectures. In Matthieu Roy, editor, SAFECOMP 2013 - Workshop SASSUR (Next Generation of System Assurance Approaches for Safety-Critical Systems) of the 32nd International Conference on Computer Safety, Reliability and Security, Toulouse, France, September 2013.

[12] Abhilash Thekkilakattil, Alan Burns, Radu Dobrin, and Sasikumar Punnekkat. Mixed criticality systems: Beyond transient faults. In Proc. 3rd Workshop on Mixed Criticality Systems (WMC), RTSS, pages 18–23, 2015.

[13] A. Wasicek, C. El-Salloum, and H. Kopetz. A System-on-a-Chip Platform for Mixed-Criticality Applications. In 2010 13th IEEE International Symposium on Object/Component/Service-Oriented Real-Time Distributed Computing, pages 210–216, May 2010.

[14] Bekim Cilku and Peter Puschner. Towards temporal and spatial isolation in memory hierarchies for mixed-criticality systems with hypervisors. Proc. ReTiMiCS, RTCSA, pages 25–28, 2013.

[15] B. Cilku, A. Crespo, P. Puschner, J. Coronel, and S. Peiro. A TDMA-based arbitration scheme for mixed-criticality multicore platforms. In 2015 International Conference on Event-based Control, Communication, and Signal Processing (EBCCSP), pages 1–6, June 2015.

[16] M. Zimmer, D. Broman, C. Shaver, and E. A. Lee. FlexPRET: A processor platform for mixed-criticality systems. In 2014 IEEE 19th Real-Time and Embedded Technology and Applications Symposium (RTAS), pages 101–110, April 2014.

[17] Martin Schoeberl, Pascal Schleuniger, Wolfgang Puffitsch, Florian Brandner, Christian W. Probst, Sven Karlsson, and Tommy Thorn. Towards a Time-predictable Dual-Issue Microprocessor: The Patmos Approach. In Philipp Lucas, Lothar Thiele, Benoit Triquet, Theo Ungerer, and Reinhard Wilhelm, editors, Bringing Theory to Practice: Predictability and Performance in Embedded Systems, volume 18, pages 11–21, Grenoble, France, March 2011.

[18] Gerwin Klein, Kevin Elphinstone, Gernot Heiser, June Andronick, David Cock, Philip Derrin, Dhammika Elkaduwe, Kai Engelhardt, Rafal Kolanski, Michael Norrish, et al. seL4: Formal verification of an OS kernel. In Proceedings of the ACM SIGOPS 22nd Symposium on Operating Systems Principles, pages 207–220. ACM, 2009.

[19] David Sanan, Andrew Butterfield, and Mike Hinchey. Separation kernel verification: The XtratuM case study. In Working Conference on Verified Software: Theories, Tools, and Experiments, pages 133–149. Springer, 2014.

[20] Sanjoy K. Baruah, Liliana Cucu-Grosjean, Robert I. Davis, and Claire Maiza. Mixed criticality on multicore/manycore platforms (Dagstuhl Seminar 15121). In Dagstuhl Reports, volume 5. Schloss Dagstuhl - Leibniz-Zentrum für Informatik, 2015.

[21] Mixed criticality embedded systems on many-core platforms.


More Definitions

A system containing computer hardware and software that can execute several applications of different criticality. (Wikipedia)

[...] is the integration of components with different levels of criticality onto a common hardware platform. (Alan Burns and Robert I. Davis)

Systems where applications of different security or safety-criticality share the same hardware. (Varun Sethi & Michael Paulitsch)

Integration of functions with different safety assurance levels using a shared computing platform. (Roman Obermaisser)

Systems composed of a mixture of safety-critical and non-critical parts, as for example when an aircraft contains a passenger entertainment system that is isolated from the safety-critical flight systems.


More Definitions (ctd.)

A mixed criticality system is “an integrated suite of HW, OS, middleware services and application software that supports the concurrent execution of safety-critical, mission-critical, and non-critical software within a single, secure computing platform”, i.e. a system containing computer hardware and software that executes concurrently several applications of different criticality (such as safety-critical and non-safety critical).
