Slide 1: Industrial Application of MultiPARTES
January 21st, 2012, HiPEAC Workshop 2013
Integration of mixed-criticality subsystems on multi-core processors
David Gonzalez (dgonzalez@ikerlan.es)
Slide 2: Definitions and Problem Statement
- The criticality level of an application is a classification of how severe a deviation from its intended behavior is.
- The criticality level of a system is the highest criticality of the jobs executed within it.
- Supervision and control systems in many sectors typically integrate a multitude of functionalities with potentially different criticality levels.
- Without appropriate preconditions, integrating mixed-criticality subsystems can lead to a significant and potentially unacceptable increase in certification effort.
Slide 3: Mixed-Criticality Approach
- One approach to avoid the increased validation and certification effort is to incorporate mechanisms that establish multiple partitions with strict temporal and spatial separation.
- Temporal isolation is achieved if the duration of every single action performed by applications in one partition is independent of the actions performed by all other partitions.
- Spatial isolation (between partitions) must prevent every partition from accessing memory or interfaces outside its a priori known scope.
- With this approach, subsystems with different criticality levels can be placed in different partitions and verified and validated in isolation.
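To make the two isolation properties concrete, the following small simulation is added here as an example; it is not XtratuM or MultiPARTES code, and the partition names, time budgets, memory addresses and workloads are constructed for illustration. A static cyclic schedule gives each partition a fixed slot, so a low-criticality partition that overruns its work cannot delay the high-criticality one (temporal isolation), and every memory access is checked against the regions the partition owns, so an out-of-scope access halts only the offending partition (spatial isolation).

```python
"""Toy model of time and space partitioning (TSP) as a separation hypervisor
enforces it. Constructed example: not XtratuM code and not MultiPARTES code.
Partition names, budgets, addresses and workloads are made up for illustration."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class MemRegion:
    start: int   # first byte address owned by the partition
    size: int    # length of the region in bytes

    def contains(self, addr: int) -> bool:
        return self.start <= addr < self.start + self.size


@dataclass
class Partition:
    name: str
    criticality: int          # higher means more critical (e.g. a SIL level)
    regions: tuple            # MemRegion instances this partition may touch
    ops: list = field(default_factory=list)   # ("compute", None) or ("access", addr)
    completed: int = 0        # operations executed so far
    halted_on: Optional[int] = None           # address of the first spatial violation

    def may_access(self, addr: int) -> bool:
        return any(r.contains(addr) for r in self.regions)


def run_slot(part: Partition, budget: int) -> dict:
    """Run one partition for exactly `budget` ticks; every operation costs one tick.
    The slot ends at the budget boundary however much work is left (the timer
    preempts the partition), so no partition can stretch another's slot: that
    is temporal isolation."""
    used = 0
    while used < budget:
        if part.halted_on is None and part.ops:
            kind, arg = part.ops.pop(0)
            if kind == "access" and not part.may_access(arg):
                # The MMU/MPU would trap here: only the offending partition stops.
                part.halted_on = arg
            else:
                part.completed += 1
        used += 1   # idle and halted ticks still consume the budget
    return {"ticks": used, "completed": part.completed, "fault": part.halted_on}


def run_major_frame(schedule: list, parts: dict) -> dict:
    """Execute one cycle of a static schedule: [(partition_name, ticks), ...]."""
    return {name: run_slot(parts[name], ticks) for name, ticks in schedule}


def demo() -> tuple:
    """Two major frames with an overrunning low-criticality partition that
    finally touches memory it does not own. Returns the two frame reports."""
    hmi = Partition("hmi", criticality=1, regions=(MemRegion(0x1000, 0x1000),),
                    ops=[("compute", None)] * 6 + [("access", 0x2100)])
    protection = Partition("protection", criticality=4, regions=(MemRegion(0x2000, 0x1000),),
                           ops=[("compute", None), ("access", 0x2010)])
    parts = {"hmi": hmi, "protection": protection}
    schedule = [("hmi", 4), ("protection", 3)]   # fixed cyclic plan, 7 ticks per frame
    frame1 = run_major_frame(schedule, parts)
    frame2 = run_major_frame(schedule, parts)
    return frame1, frame2


if __name__ == "__main__":
    for i, frame in enumerate(demo(), start=1):
        print(f"frame {i}: {frame}")
```

In both frames the protection partition receives exactly its three ticks, whatever the HMI partition does: in the first frame the HMI partition runs out of budget with work pending, and in the second it is halted on the access to 0x2100, which lies in the protection partition's region. On real hardware the slot boundary is enforced by a hypervisor-owned timer and the region check by the MMU or MPU; the hypervisor, not the partition, handles the resulting trap.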
Slide 4: Introducing MultiPARTES
- MultiPARTES (Multi-cores PARtitioning for Trusted Embedded Systems) is a European research project funded by the Seventh Framework Program (FP7).
- Its main goal is to support the engineering of mixed-criticality embedded systems based on virtualization techniques for heterogeneous multi-core processors.
- The starting point is XtratuM, an open source hypervisor developed specifically for real-time embedded systems.
Slide 5: MultiPARTES Highlights
[Diagram: Academia, Applied Research and Industrial scenarios (Wind Power, Surveillance, Space, Railways, Automotive)]
Highlights:
- Mixed-Criticality Hypervisor
- Heterogeneous Multi-Core
- Methodology and Validation
Slide 6: Wind Power Off-Shore Challenges
Off-shore operation introduces new technological challenges:
- stringent safety requirements
- new standards to comply with
- more demanding requirements in terms of availability, connectivity, security, certifiability, composability and time-to-market
These new features have to coexist with the previously existing ones, which implement less demanding requirements.
Even if mixed-criticality is not a solution for many of the presented challenges, it is an approach to address them from a single platform, thus reducing the complexity of the system.
Slide 7: Wind Turbine Control System (Galileo)
[Diagram: WT heterogeneous processing unit with HMI & Comms, Supervision, Safety and I/O blocks; connected to the Windpark Control Center (Park SCADA and SCADA clients), to a maintenance operator through a WebHMI, to a maintenance interface and to a developer]
Slide 8: Galileo Functionalities
- Real-time: supervision and control
- Non real-time: Human Machine Interface (HMI) and communications
Slide 9: Limitations of the Current Architecture
- Executes software with assorted real-time needs.
- Executes software with different criticality levels.
- Communication middleware is not available for the RTOS.
- Cannot be used for safety-related functions (certification would be very difficult).
Slide 10: Galileo+ Envisioned Architecture
Split the current functionalities into two partitions and add a new, separated partition for safety-related functions:
- Partition 1 (GPOS): Human Machine Interface (HMI), communications with SCADA
- Partition 2 (RTOS): supervisory system
- Partition 3: protection system, other safety functions
[Diagram: the three partitions run on the hypervisor, which spans CORE 1, CORE 2 and CORE 3 of the hardware platform]
Slide 11: Benefits (I)
- Reduction in energy consumption, weight and volume, and cost.
- System complexity is reduced, allowing distributed development teams.
- Safety-related functions are isolated, reducing the certification cost.
- TSP (time and space partitioning) ensures independence among partitions with different criticality levels and enables independent, modular verification of subsystems.
- The reduction in the number of failure-prone physical components increases reliability.
Slide 12: Benefits (II)
- Validation of the solution can be performed more efficiently, with clear advantages in integration testing compared with the situation where subsystems were implemented on different platforms.
- Real-time deterministic communication between subsystems (partitions) is easier, faster and abstracted from the application layer, since the virtualization layer now provides the communication services.
- The inclusion of third-party components does not compromise the safety objectives of the higher-criticality partitions.
- Flexibility to select the most appropriate processor and execution environment (OS) for each partition.
Slide 13: Video Surveillance Use Case
Digital Video Recorder (DVR), next generation of the product:
- Support 3rd-party apps
- Adapt the DVR to new markets
Benefits:
- Reduces customization/adaptation effort and time to market
- A standard DVR device suitable for different markets and different use cases
[Diagram: Partition 1 (Linux, CORE 1): Digital Video Recorder; Partition 2 (Linux, CORE 2): 3rd-party app; both on the hypervisor over the hardware platform]
Slide 14: Automotive Use Case
- High-criticality applications for road safety: automotive apps (e.g. EPS or ABS), with secure I/O, on an RTOS partition
- High market value applications (infotainment, comfort) on a GPOS partition
[Diagram: Partition 1 and Partition 2 on the hypervisor over the hardware platform; the blocks shown are ITS apps (e.g. eCall), automotive apps (e.g. EPS or ABS), security services, a 3rd-party app and secure I/O]
Slide 15: Railways Use Case
On-board part of the European Train Control System (ETCS), Safe4Rail. Mixed-criticality:
- SIL4: emergency brakes management
- SIL2: service brakes and warnings management
Partition 1 (RTOS), warnings and service brakes management:
- HMI
- Communications with other nodes via Ethernet
- Warnings generation
- Service brakes activation
Partition 1 assigned interfaces: real-time Ethernet (other nodes and HMI)
Partition 2 (RTOS), emergency brakes management:
- Sensors and actuators management
- Voting algorithms execution for input value calculation and validation
- Emergency brakes activation
Partition 2 assigned interfaces: sensors and actuators, several interfaces (ADC, DIO, UART)
[Diagram: both partitions run on the hypervisor on CORE1; Node1, Node2 and Node3 read the sensors and feed a HW voter that drives the brakes, with supervision over Ethernet]
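The slide names voting over redundant inputs as part of the emergency brake partition but does not say which algorithm is used. The following is an added example, not Safe4Rail or MultiPARTES code, of the generic two-out-of-three (2oo3) majority vote that three redundant channels such as Node1, Node2 and Node3 would feed; the node names, tolerance, speed readings and brake policy are assumed for illustration. The point a safety engineer wants to see is the failure mode: when no two channels agree, the voter returns no value at all, and the caller falls to the safe state instead of acting on an unvalidated input.

```python
"""Two-out-of-three (2oo3) majority voting over redundant sensor channels.
Constructed example: not Safe4Rail or MultiPARTES code, and the voting
algorithm, node names, tolerance, readings and brake policy are assumed."""
from itertools import combinations
from statistics import median


def vote_2oo3(readings: dict, tolerance: float) -> tuple:
    """Return (voted_value, suspect_nodes).

    readings: {node_name: value or None}; None marks a channel that delivered
    nothing (timeout, CRC error, ...). Two channels agree when their values
    differ by at most `tolerance`. voted_value is None when no two channels
    agree, which the caller must treat as a fail-safe condition."""
    valid = {n: v for n, v in readings.items() if v is not None}
    agreeing = [(a, b) for a, b in combinations(sorted(valid), 2)
                if abs(valid[a] - valid[b]) <= tolerance]
    if len(agreeing) >= 2:
        # Every channel agrees with at least one other: no isolated outlier,
        # and the median is the value the agreeing pairs share.
        return median(valid.values()), []
    if len(agreeing) == 1:
        # Exactly one agreeing pair: the remaining channel is suspect.
        a, b = agreeing[0]
        suspects = [n for n in sorted(readings) if n not in (a, b)]
        return (valid[a] + valid[b]) / 2, suspects
    # No majority: every channel is suspect and no value can be trusted.
    return None, sorted(readings)


def brake_decision(readings: dict, tolerance: float, limit: float) -> str:
    """Decide the emergency brake command from voted speed readings.
    Assumed policy: brake when the voted speed exceeds `limit`, and also
    when voting fails, because an unvalidated input must not release the brakes."""
    speed, _suspects = vote_2oo3(readings, tolerance)
    if speed is None or speed > limit:
        return "EMERGENCY_BRAKE"
    return "RELEASE"


if __name__ == "__main__":
    sample = {"Node1": 100.0, "Node2": 101.0, "Node3": 140.0}   # constructed readings
    print(vote_2oo3(sample, tolerance=2.0))         # (100.5, ['Node3'])
    print(brake_decision(sample, 2.0, limit=120.0))  # RELEASE
```

A flagged channel (the `suspects` list) is what the supervision path over Ethernet would report for maintenance; the voted value is what the brake logic acts on. Note the tolerance-chaining case (for example 1.0, 1.5 and 2.0 with a tolerance of 0.6): the outer pair disagrees but each channel agrees with the middle one, so the median is returned and nothing is flagged, which is the usual 2oo3 behaviour but worth knowing when choosing the tolerance.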
Slide 16: Space Use Case
The goal is to provide an off-the-shelf framework to combine payload and control applications in a satellite.
[Diagram: Partition 1: payload application (OS); Partition 2: control and monitoring services (LithOS / RTEMS); both on the hypervisor over the hardware platform]
Slide 17: Conclusions
- Heterogeneous multi-core virtualization is an excellent candidate architecture for engineering the next generation of supervision and control systems.
- The need for this novel approach appears in many industrial sectors.
- There is an increasing number of virtualization solutions available on the market, but not all of them are suitable for mixed-criticality systems.
Slide 18: Thank you (Eskerrik asko / Muchas gracias / Merci beaucoup)
P.º J.M. Arizmendiarrieta, 2, 20500 Arrasate-Mondragón (Gipuzkoa)
Tel.: 943 71 24 00, Fax: 943 79 69 44, www.ikerlan.es