Mixed Criticality Systems – view from the industry side
MAXIM Cristian, Airbus Operations S.A.S
Dagstuhl Seminar - 27/03/2017
Criticality (notions)
• Criticality is a designation of the level of assurance against failure needed for a system component.
  – Safety Integrity Level (SIL)
• For avionics software:
  o before 2012 – DO-178B
  o after 2012 – DO-178C
  o DO-178C is an updated version of DO-178B
• For avionics hardware: DO-254
• Design Assurance Level (DAL)
DAL – Design Assurance Level
• Determined from the safety assessment process and hazard analysis (ARP4761)

Level  Failure condition   Failure rate   Objectives   With independence*
A      Catastrophic        10^-9 /h       71 (66)      33 (25)
B      Hazardous           10^-7 /h       69 (65)      21 (14)
C      Major               10^-5 /h       62 (57)      8 (2)
D      Minor               10^-3 /h       26 (28)      5 (0)
E      No Safety Effect    n/a            0 (0)        0 (0)
(objective counts are those of DO-178C; the DO-178B counts are in parentheses)

* with independence = separation of responsibilities in the verification and validation process
Objectives Distribution in DO-178B
[Figure: bar chart of the number of objectives (0 to 45) per process area, Planning, Development, Verification, Configuration Management, Quality Assurance and Certification liaison, for DAL A, B, C and D]
Examples DO-178C Safety Levels

Safety-Critical Levels A&B:
• Fly-by-wire controls
• Auto-pilot
• Air-traffic Separation Control
• Glass Cockpit Information Display
• Radar
• Jet Engine Control
• IFF (friend or foe)
• Missile guidance
• Missile launch
• Missile self-destruct
• Weapons targeting

Safety-Critical Levels C&D:
• Anti-missile defense
• Data mining
• Health monitoring
• Mission planning and implementation
• Mission simulation and training
• Network-centric operation
• Real-time data recording and analysis
• Self-healing communication networks
• Telemetry
System development process
Relations ARP-DO
Why Vestal's model doesn't fit to avionics (industry)

• Vestal: Criticality applies to a task.
  Industry: The criticality is given to a function (a system-level property).
• Vestal: Multiple WCET values for higher criticality tasks.
  Industry: One WCET value is given for certification.
• Vestal: Better CPU usage is obtained through the existence of C_LO scheduling.
  Industry: Difficulty in implementation of tasks having different WCETs (partition allocation).
• Vestal: Failure in timing assumption of high criticality tasks results in dropping lower criticality tasks.
  Industry: Spatial isolation doesn't allow failures in a function to affect any other function.
• Vestal: Criticality mode change in the case of time violations.
  Industry: Functions are given a certain criticality according to their SIL, and any change of their criticality is subject to a new certification procedure.
Bridge between MCS research and practice
• Partitioning for (safety) assurance vs. sharing for efficient resource usage
• IMA – Integrated Modular Avionics
  o Fault isolation: a fault in an application must not propagate to other applications. Any fault must be handled either by the failing application itself or by the system.
  o Spatial isolation: applications must execute in independent physical memory address spaces. The system must control that applications cannot access any memory areas that have not been specifically allocated to them.
  o Temporal isolation: the real-time behavior of an application must be correct independently of the execution of other applications. The allocation of the system resources to an application is not influenced by others, and can be analyzed in an independent way.
IMA Concept
[Figure: Conventional Avionics, with FWS (Flight Warning System), FCDC (Flight Computer Data Concentrator) and WBBC (Weight and Balance Backup Computer) each on its own computer, versus IMA Avionics, where the avionics functions FW, FCDC and WBBC run as applications on shared IMA resources]
Splitting up of avionics functions into applications then integrated on shared IMA resources
IMA Concept
• Conventional avionics:
  o Generally speaking, for a given system, each supplier responsible for the development of one or several functions provides a computer
  o This means that each supplier performs the following developments:
    - Inputs/Outputs cards
    - Power supply card
    - Processing card
    - Built-in test equipment
    - Software development platform
• Modular avionics:
  o Implementation of several functions sharing the computer resources:
    - Processing resource (CPU time)
    - Memory
    - Input/Output capacity
IMA - Example
IMA Concept - Partitioning
• Partitioning = functional separation of avionics applications
  o Space: SPATIAL (memory) partitioning
  o Time: TEMPORAL partitioning
  o I/Os: communication buses partitioning
• Fault containment
• Incremental development
• Incremental verification and certification
• Robust partitioning allows cohabitation of software of multiple criticality levels
IMA Concept : Spatial Partitioning
• Ensures restricted accesses to memory areas
• Partitioning between
  o Avionics applications
  o Application and Core Software
• Memory protection provided by mechanisms implemented in
  o Processor (PowerPC MMU, thanks to page tables and BATs)
  o CPU board chipset (dedicated Memory Controller Protection Registers)
IMA Concept : Temporal Partitioning
• The temporal partitioning is ensured by a mechanism named SLICER
• Deterministic scheduling methodology based on static configuration files
• Uninterrupted access to common resources during assigned time periods of partitions
Partitions: Major Frames (MAF)
• A partition has 2 temporal features:
  o Period
  o Duration
• A major frame (MAF) of fixed duration is periodically repeated
  o Each partition is activated at least once per MAF
  o MAF: multiple of all the partition periods
[Figure: two consecutive MAFs, each scheduled as P2 P1 P2 P1 P3, with the P1, P2 and P3 periods drawn above; P1 and P2 are activated twice per MAF, P3 once. P1: Partition 1, P2: Partition 2, P3: Partition 3]
Partitions: Minor Frames (MIF)
• A MAF is composed of one or several Minor Frames (MIFs)
  o MAF = n * MIF
• MIF duration: fixed but configurable, and periodically repeated
• Partition Time Window: 0, 1 or several CPU time slices within a MIF
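The MAF/MIF rules on the last two slides can be turned into a checker. The C program below is an added example, not Airbus code and not any real IMA configuration tool; the partition set, the 25 ms MIF and the field names are constructed for illustration. It computes the MAF as the least common multiple of the partition periods, builds a static window table in which every partition receives its duration in every one of its period instances and no window straddles a MIF boundary, and validates a table (for instance one read back from a configuration file) against the same rules: MAF = n * MIF, no overlapping windows, every period instance served.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed types: field names are assumptions for this example,
 * not the format of any real IMA configuration file. */
typedef struct {
    const char *name;
    uint32_t period_ms;    /* partition period; the MAF must be a multiple of it */
    uint32_t duration_ms;  /* CPU time the partition must get in every period */
} partition_t;

typedef struct {
    int      partition;    /* index into the partition table */
    uint32_t start_ms;     /* offset from MAF start, inclusive */
    uint32_t end_ms;       /* offset from MAF start, exclusive */
} window_t;

static uint32_t gcd_u32(uint32_t a, uint32_t b)
{
    while (b != 0) { uint32_t t = a % b; a = b; b = t; }
    return a;
}

/* MAF = least common multiple of all partition periods (0 if a period is 0). */
uint32_t compute_maf(const partition_t *p, int n)
{
    uint32_t maf = 1;
    for (int i = 0; i < n; i++) {
        if (p[i].period_ms == 0) return 0;
        maf = maf / gcd_u32(maf, p[i].period_ms) * p[i].period_ms;
    }
    return maf;
}

/* 1 if [start, start+len) overlaps a placed window; *next_free = end of that window. */
static int collides(const window_t *w, int nw, uint32_t start, uint32_t len, uint32_t *next_free)
{
    for (int i = 0; i < nw; i++)
        if (start < w[i].end_ms && w[i].start_ms < start + len) { *next_free = w[i].end_ms; return 1; }
    return 0;
}

/* Build a static window table for one MAF: every partition gets one window in
 * each of its period instances, at the earliest free point, and a window never
 * straddles a MIF boundary. Returns the window count, or -1 if the set cannot
 * be placed this way (or the MAF is not a multiple of the MIF). */
int build_schedule(const partition_t *p, int n, uint32_t mif_ms, window_t *out, int max_out)
{
    uint32_t maf = compute_maf(p, n);
    if (maf == 0 || mif_ms == 0 || maf % mif_ms != 0) return -1;   /* MAF = n * MIF */
    int nw = 0;
    for (int i = 0; i < n; i++) {
        if (p[i].duration_ms == 0 || p[i].duration_ms > mif_ms) return -1;
        for (uint32_t k = 0; k < maf / p[i].period_ms; k++) {
            uint32_t lo = k * p[i].period_ms, hi = lo + p[i].period_ms, start = lo, next;
            for (;;) {
                if (start + p[i].duration_ms > hi) return -1;   /* period instance over-subscribed */
                if (collides(out, nw, start, p[i].duration_ms, &next)) { start = next; continue; }
                if (start / mif_ms != (start + p[i].duration_ms - 1) / mif_ms) {
                    start = (start / mif_ms + 1) * mif_ms;       /* would cross a MIF: push to the next MIF */
                    continue;
                }
                break;
            }
            if (nw == max_out) return -1;
            out[nw].partition = i; out[nw].start_ms = start; out[nw].end_ms = start + p[i].duration_ms;
            nw++;
        }
    }
    return nw;
}

/* Check a window table against the rules above. Returns 0 if consistent,
 * otherwise a negative code identifying the first rule broken. */
int validate_schedule(const partition_t *p, int n, uint32_t mif_ms, const window_t *w, int nw)
{
    uint32_t maf = compute_maf(p, n);
    if (maf == 0 || mif_ms == 0 || maf % mif_ms != 0) return -1;            /* MAF = n * MIF */
    for (int i = 0; i < nw; i++) {
        if (w[i].partition < 0 || w[i].partition >= n) return -2;           /* unknown partition */
        if (w[i].start_ms >= w[i].end_ms || w[i].end_ms > maf) return -3;   /* outside the MAF */
        if (w[i].start_ms / mif_ms != (w[i].end_ms - 1) / mif_ms) return -4; /* straddles a MIF */
        for (int j = i + 1; j < nw; j++)                                    /* temporal isolation: no overlap */
            if (w[i].start_ms < w[j].end_ms && w[j].start_ms < w[i].end_ms) return -5;
    }
    for (int i = 0; i < n; i++)                        /* every period instance gets its full duration */
        for (uint32_t k = 0; k < maf / p[i].period_ms; k++) {
            uint32_t lo = k * p[i].period_ms, hi = lo + p[i].period_ms, got = 0;
            for (int j = 0; j < nw; j++)
                if (w[j].partition == i && w[j].start_ms >= lo && w[j].end_ms <= hi)
                    got += w[j].end_ms - w[j].start_ms;
            if (got < p[i].duration_ms) return -6;
        }
    return 0;
}

int main(void)
{
    /* Constructed partition set (not an Airbus configuration): MAF = lcm(50, 50, 100) = 100 ms, MIF = 25 ms. */
    const partition_t parts[] = { { "P1", 50, 10 }, { "P2", 50, 15 }, { "P3", 100, 20 } };
    window_t win[16];
    int nw = build_schedule(parts, 3, 25, win, 16);
    printf("MAF = %u ms, %d windows, validate = %d\n", compute_maf(parts, 3), nw,
           validate_schedule(parts, 3, 25, win, nw));
    for (int i = 0; i < nw; i++)
        printf("  %s [%3u, %3u) in MIF %u\n", parts[win[i].partition].name,
               win[i].start_ms, win[i].end_ms, win[i].start_ms / 25);
    return 0;
}
```

The greedy placement is only one way to fill the table; the point of the example is the validator, which is what a practitioner wants to run over a configuration before it is frozen. Note the caveat it exposes: a partition set whose summed demand fits in the MAF can still be unschedulable because a window may not cross a MIF boundary (widen P2 to 20 ms in a 25 ms MIF and the build fails even though total demand is 80 ms of 100). Real IMA configuration is computed off-line and shipped as the static configuration files the SLICER executes; nothing is decided at run time.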
Process – Properties
• Process = programming unit contained within a partition which executes concurrently with other processes of the same partition
• Equivalent of a system's task
• Not visible outside of the partition
• Created and initialized at partition initialization time
• Started/stopped during the partition init process or during NORMAL mode
• Each process has a priority level; processes can share the same priority level
• The process in the ready state with the highest current priority is always executing while the partition is active
• Any process can be preempted
  o by a process with a higher current priority
  o by a partition time slice expiration
  o by a synchronous error exception
Process – Management
• Process behavior may be:
  o Synchronous (periodic): the process period is a multiple of the period of the partition it belongs to
  o Asynchronous (aperiodic)
• Both types of processes can co-exist in the same partition
• Process management is ensured by the scheduler mechanism
• Scheduling algorithm: priority preemptive, according to the preemption level of the partition
Process – Management
• If a process within a section of code is interrupted by the end of a partition window (slice), it is guaranteed to be the first to execute when the partition is resumed (if not preempted by another higher priority process).
• The execution context is saved and restored upon each process switch.
Process - Time Management
• Time capacity = time given to a process to meet its processing requirements
• Deadline for a periodic process = release point + time capacity
• Deadline for an aperiodic process =
  o current time + time capacity when the partition status enters NORMAL_MODE
  o current time + budget time upon a REPLENISH_APERIODIC call
• A deadline may occur even when the process is not running (inside or outside the partition window)
• A deadline is only handled inside a partition window of its own partition
• A missed deadline shall be associated with a sanction local to the partition
Periodic process deadlines
Aperiodic process deadlines
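The process rules on the preceding slides (priority preemptive selection, a process cut off by the window end staying ready, deadlines that may fall while the partition is not running but are only handled inside its own window, and a partition-local sanction) can be exercised with a tick-level simulation, which also reproduces the situation the two deadline figures depict. The C program below is an added example, not ARINC 653 or Airbus code: the process table, the single 30-tick window in a 100-tick MAF, the tick granularity and the sanction chosen (stop the offending process and count the miss) are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed process model for one partition. Field names are assumptions for
 * this example, not an ARINC 653 or Airbus data structure. */
typedef struct {
    const char *name;
    int      priority;       /* higher number = higher priority */
    uint32_t period;         /* 0 = aperiodic: released once, when the partition enters NORMAL mode (t = 0) */
    uint32_t time_capacity;  /* deadline = release point + time_capacity (assumed <= period for periodic ones) */
    uint32_t exec_time;      /* CPU ticks needed per activation */
    uint32_t remaining;      /* ticks still to execute in the current activation */
    uint32_t deadline;       /* absolute deadline of the current activation */
    int      stopped;        /* set by the sanction after a missed deadline */
    int      missed;         /* missed-deadline count */
} proc_t;

typedef struct { uint32_t start, end; } window_t;   /* this partition's window in the MAF, [start, end) */

static int partition_active(const window_t *w, int nw, uint32_t maf, uint32_t t)
{
    uint32_t off = t % maf;
    for (int i = 0; i < nw; i++)
        if (off >= w[i].start && off < w[i].end) return 1;
    return 0;
}

/* Release an activation: periodic processes at every multiple of their period,
 * aperiodic ones at t = 0 only. Releases follow the clock whether or not the
 * partition is active, so a deadline can pass while the partition is not running. */
static void release(proc_t *p, uint32_t t)
{
    int due = (p->period == 0) ? (t == 0) : (t % p->period == 0);
    if (!due || p->stopped || p->remaining > 0) return;   /* a still-pending activation is caught by the deadline check */
    p->remaining = p->exec_time;
    p->deadline  = t + p->time_capacity;
}

/* Tick-level simulation of one partition's processes over `horizon` ticks.
 * trace[t] receives the index of the process that ran at tick t, or -1.
 * Returns the total number of missed deadlines. */
int simulate(proc_t *p, int n, const window_t *w, int nw, uint32_t maf, uint32_t horizon, int *trace)
{
    int total_missed = 0;
    for (uint32_t t = 0; t < horizon; t++) {
        trace[t] = -1;
        for (int i = 0; i < n; i++) release(&p[i], t);
        if (!partition_active(w, nw, maf, t)) continue;   /* deadlines are only handled inside our own window */
        /* Deadline check: an activation whose deadline has passed (possibly while the
         * partition was not running) and still has work left has missed. The sanction
         * chosen here is partition-local: stop that process; nothing outside is touched. */
        for (int i = 0; i < n; i++)
            if (p[i].remaining > 0 && !p[i].stopped && t >= p[i].deadline) {
                p[i].missed++; total_missed++;
                p[i].stopped = 1; p[i].remaining = 0;
                printf("t=%u: %s missed its deadline (%u), stopped by the partition\n", t, p[i].name, p[i].deadline);
            }
        /* Priority preemptive: the ready process with the highest current priority runs;
         * ties go to the lower index. A process cut off by the window end simply stays
         * ready and is picked again by the same rule when the window resumes. */
        int best = -1;
        for (int i = 0; i < n; i++)
            if (p[i].remaining > 0 && !p[i].stopped && (best < 0 || p[i].priority > p[best].priority)) best = i;
        if (best >= 0) { p[best].remaining--; trace[t] = best; }
    }
    return total_missed;
}

int main(void)
{
    /* Constructed example: one partition with a 30-tick window in a 100-tick MAF. */
    proc_t procs[] = {
        { "A", 3, 100, 30, 10, 0, 0, 0, 0 },   /* periodic, period = partition period */
        { "B", 2, 100, 30, 15, 0, 0, 0, 0 },
        { "C", 1,   0, 50, 20, 0, 0, 0, 0 },   /* aperiodic: only 5 ticks of window remain for its 20 */
    };
    window_t win[] = { { 0, 30 } };
    int trace[200];
    int missed = simulate(procs, 3, win, 1, 100, 200, trace);
    for (int i = 0; i < 3; i++) printf("%s: %d missed\n", procs[i].name, procs[i].missed);
    return missed == 1 ? 0 : 1;
}
```

Running it shows A and B, whose period equals the partition period, meeting every deadline, while C runs only 5 of its 20 ticks before the window closes at t=30; its deadline at t=50 passes while the partition is not scheduled and is acted upon at t=100, the first tick of the next window, where the sanction stops C and nothing in any other partition is affected. Reordering the priorities changes which process pays, not the fact that the miss and its handling stay inside the partition.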