A key pattern for building safe architectures is a strict separation of QM and safety code, considering a separation not only in the memory domain but also in the time domain. On a multicore processor, this can be achieved by placing QM code on one core and safety code on another. This approach, however, brings a couple of challenges.
In previous publications, we have covered separation in the data- and resource-domain, using the MPU and other hardware features in combination with a safe OS.
The timing domain is more complex. On the one hand, certain synchronizations between QM and safety code will be required, e.g. to trigger a monitor function that checks the validity of data at the correct time. Introducing such synchronization, however, interferes with the intended separation in the time domain.
In our presentation, we will demonstrate the development of a multicore runtime environment which separates QM code from safety function code but at the same time allows safe synchronization and communication between both domains.
A new second-level monitoring layer supervises the real-time constraints of the monitoring functions, taking into account the typical requirements of safety standards such as IEC 61508 and ISO 26262:
- Alive monitoring
- Real-time monitoring
- Control-flow monitoring
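As an added illustration of these three monitoring functions (not code from the talk, from PXROS or from any watchdog driver): a minimal second-level monitor in C in which the monitored safety function reports checkpoints and the supervision task evaluates alive, deadline and control-flow errors once per window. Checkpoint ids, tick units and the limits are assumptions for the example.

```c
#include <stdint.h>

/* Checkpoint ids of one monitored safety function, in the order they must occur (assumed). */
enum { CP_START = 1, CP_ACQUIRE = 2, CP_VALIDATE = 3, CP_END = 4 };
/* Error bits the second-level monitor reports, e.g. to the watchdog handling. */
enum { ERR_ALIVE = 1u << 0, ERR_DEADLINE = 1u << 1, ERR_CONTROLFLOW = 1u << 2 };

typedef struct {
    uint32_t next_cp;            /* next checkpoint expected (control-flow monitoring) */
    uint32_t start_tick;         /* tick at CP_START of the current run (real-time monitoring) */
    uint32_t deadline_ticks;     /* maximum allowed ticks from CP_START to CP_END */
    uint32_t runs_in_window;     /* completed runs in this window (alive monitoring) */
    uint32_t runs_min, runs_max; /* accepted number of runs per supervision window */
    uint32_t status;             /* accumulated ERR_* bits */
} sl_monitor_t;

void sl_init(sl_monitor_t *m, uint32_t deadline_ticks, uint32_t runs_min, uint32_t runs_max) {
    *m = (sl_monitor_t){ .next_cp = CP_START, .deadline_ticks = deadline_ticks,
                         .runs_min = runs_min, .runs_max = runs_max };
}

/* Called by the monitored function at each checkpoint; 'tick' is a monotonic timer value. */
void sl_checkpoint(sl_monitor_t *m, uint32_t cp, uint32_t tick) {
    if (cp != m->next_cp) {                 /* skipped, repeated or out-of-order checkpoint */
        m->status |= ERR_CONTROLFLOW;
        if (cp != CP_START) { m->next_cp = CP_START; return; } /* resync at the next run */
    }
    if (cp == CP_START) { m->start_tick = tick; m->next_cp = CP_ACQUIRE; return; }
    if (cp == CP_END) {
        if (tick - m->start_tick > m->deadline_ticks) m->status |= ERR_DEADLINE;
        m->runs_in_window++;
        m->next_cp = CP_START;
        return;
    }
    m->next_cp = cp + 1;
}

/* Called once per supervision window, e.g. from the task that services the external watchdog.
   Returns this window's error bits and clears the state for the next window. */
uint32_t sl_window_end(sl_monitor_t *m) {
    if (m->runs_in_window < m->runs_min || m->runs_in_window > m->runs_max) m->status |= ERR_ALIVE;
    uint32_t s = m->status;
    m->status = 0;
    m->runs_in_window = 0;
    return s;
}
```

A non-zero return from sl_window_end is the point at which the supervision task would stop serving the external watchdog or trigger the defined reaction.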
We will demonstrate the use of selected hardware features of the Infineon Aurix and the TLF watchdog chip together with the SafetyOS PXROS from the company HighTech and show how they can be used in the context of a safety architecture.
Furthermore, we will demonstrate the use of a combined watchdog / smart power module which not only supports an emergency switch-off but also controls multiple power domains and defined reboot sequences in case of system errors.
I will give this presentation on 27.02.2018 at 12:00 at the embedded world conference 2018 in Nürnberg, Germany.