Modeling and code generation for safety critical systems
Embedded World Conference 2020
(Co-Authors: Prof. Dr.-Ing. Peter Fromm; )
The design and implementation of embedded safety (multicore) systems is highly challenging without good tool and methodology support, especially for small and medium sized development teams. Safety artifacts like hazard and risks analysis, specifications of safety functions and architectural solutions typically are realized as individual documents without a common repository, making the maintenance hard and error prone. Moreover, reference architectures are rare and design tools typically only cover parts of the design process.
Together with the FZI Research Center for Information Technology and the company HighTec, an innovative modeling and code generation tool for safety related systems has been realized based on the open source Eclipse Modeling Framework (EMF). In this paper, it is demonstrated how the tool unifies architectural and safety aspects and how an entire multicore runtime environment can be generated using EMF. The developed design patterns are described and it is demonstrated how a safety architecture can be realized using a multicore safety controller.
Modeling and Assessment of Safety Critical Systems
Embedded World Conference 2019
(Co-Authors: Prof. Dr.-Ing. Peter Fromm; Victor Pazmino Betancourt; Bo Liu; Prof. Dr.-Ing. Dr. h. c. Jürgen Becker)
With growing complexity of embedded controllers and applications, the design of safety critical systems becomes more and more challenging. Tools and frameworks help to manage such challenges but are often pricy and cover only certain aspects of the overall design or implementation workflow. In previous publications, we introduced a lightweight runtime environment and discussed concepts for separation of signal paths on multicore controllers as well as safety monitoring mechanism. As part of the publicly funded ZIM project “Zukunftstechnologie Multicore – Safe&Secure”, the Darmstadt University of applied sciences cooperates with the FZI Research Center for Information Technology and the company HighTec. One goal within this project is the development of tooling, which incorporates the results of previous research and not only allows modeling and code generation for safety critical systems, but also allows assessment of the safety cases and their mapping to the actual implementation in order to ease qualification. In this paper, we will demonstrate how free frameworks such as Eclipse EMF can be used to implement modelling tools. We will show how user friendly GUIs can be implemented, how safety assessment can be performed and how code can be generated.
Downloads
Paper – Modeling and Assessment of Safety Critical Systems
Safety Architectures on Multicore Processors – Mastering the Time Domain
Embedded World Conference 2018
(Co-Author: Prof. Dr.-Ing. Peter Fromm)
A key architecture for building safe architectures is a strict separation of normal application code (also referred to as QM code) and safety function code, considering a separation not only in the memory and peripheral domain but also in the time domain. Whereas hardware features like memory- or busprotection units allow a comparable simple protection of the memory domain, the supervision of the timing domain is a lot more complex. Race conditions on multicore system are far more likely and complex as compared to a single core system, as we have a true parallel execution of code and more asynchronous architectural patterns. Most safety standards such as IEC61508 [1] and ISO26262 [2] require:
- Alive monitoring
- Real-time monitoring
- Control flow monitoring
In this paper we will describe a typical signal flow on a multicore safety system and based on this architecture introduce an innovative second-level monitoring layer, which is supervising the real-time constraints of the safety and functional monitoring functions. We will demonstrate the use of selected hardware features of the Infineon AURIX and TLF watchdog chip together with the SafetyOS PxROS from the company HighTec and show,
how they can be used in the context of a safety architecture. Furthermore, we will demonstrate the use of a combined watchdog / smart power module, which does not only support an emergency switch-off but also the control of multiple power domains and defined reboot sequences in case of system errors.
Downloads
Paper – Safety Architectures on Multicore Processors – Mastering the Time Domain
A Monitoring Based Safety Architecture for Multicore Microcontrollers
Embedded World Conference 2017
(Co-Author: Prof. Dr.-Ing. Peter Fromm)
Separation in the data-, resource- and timedomain is a big challenge on multicore microcontrollers as,depending on the architecture, resources like peripherals or memory are shared between the cores. In the resulting software architecture – which often becomes very complex and fragile – changes are hard to be incorporated. Together with an industrial partner, an innovative runtime environment, which is based on the ideas of Adaptive AUTOSAR has been developed and implemented on an AURIX TC29x multicore controller. It combines high performance with good usability and a strict separation of signals in the data- and time domain. In order to ensure the integrity of signals, this concept has been extended by implementing a safety harness, which consists of four monitoring blocks, supervising sensor-data-input, actuator-output, logicfunction-calculation and system health. The developed architecture supports a clear traceability between safety requirements and monitoring code. The execution of safety functions is clearly separated from the application code. The structure of the monitoring logic is easily maintainable, including defining flexible escalation strategies in case of system errors.
Downloads
Paper -A Monitoring Based Safety Architecture for Multicore Microcontrollers
🇩🇪 Warp 3 zwischen allen Kernen – Entwicklung einer schnellen und sicheren Multicore RTE
Embedded Software Engineering Congress 2016
(Co-Author: Prof. Dr.-Ing. Peter Fromm)
Multicore Mikrocontroller bringen aufgrund ihrer Komplexität 
besondere Herausforderungen, wie die Inter-Core Kommunikation und den Schutz von Ressourcen vor unerlaubtem Zugriff mit sich.
Zudem ist die Parametrisierung und Nutzung immer leistungsfähigerer und umfangreicherer Peripherie komplex und fordert den Anwender somit zusätzlich.
In Kooperation mit einem Industriepartner wurde eine innovative Laufzeitumgebung entwickelt, die eine hohe Performance mit guter Usability kombiniert und eine konsequente Trennung der Runnables sowohl in der Speicher als auch in der Zeitdomäne ermöglicht. In Erweiterung zu existierenden Lösungen, wie dem Autosar Virtual Function Bus, wird die direkte Anbindung und Skalierung von Peripheriesignalen und Kommunikationsprotokollen unterstützt. Hiermit ist es z.B. möglich, Teile des Steuergeräts durch Simulationen zu ersetzen und damit agile Entwicklungsprozesse wie z.B. Continuous Integration zu unterstützen.
Downloads
Paper – Warp 3 zwischen allen Kernen
Präsentation – Warp 3 zwischen allen Kernen
Functional Safety on Multicore Microcontrollers for Industrial Applications
Embedded World Conference 2016
(Co-Author: Prof. Dr.-Ing. Peter Fromm)
Besides the gain in performance, a strong motivation for the introduction of multicore microcontrollers is the realization of safety architectures. Together with an industrial partner it was investigated if safety critical applications, which require a PL d according to ISO 13849, running until now on redundant discrete microcontrollers can be replaced with an architecture running on a single AURIX multicore controller. In this paper, we compare a state of the art multicore architecture with the traditional solution of using redundant controllers. The focus is put on the question, how we can achieve a safe separation of the cores, memories and peripherals? Besides the separation in the data and resource domain, detection and escalation of errors are crucial components to achieve the required performance level. The investigations have been performed on an AURIX TC27x multicore microcontroller utilizing the safe-RTOS PXROS-HR.
Downloads
Paper – Functional Safety on Multicore Microcontrollers for Industrial Applications
Presentation – Functional Safety on Multicore Microcontrollers for Industrial Applications
🇩🇪Sicherheit auf allen Kernen
Embedded Software Engineering Congress 2015
(Author: Prof. Dr.-Ing. Peter Fromm, Co-Authors: Thomas Barth, Mario Cupelli)
Multi-Core Controller bieten neben einem Performance gewinn auch die Möglichkeit, redundante Applikationen auf einem einzelnen Chip zu realisieren.Da die physikalische Kopplung zwischen den einzelnen Core’s jedochdeutlich „enger“ ist als bei diskreten Mehrcontrollerlösungen,werden besondere Anforderungen an die Softwarearchitektur, das Speicherlayout, das Betriebssystem und an die Treiberschicht gestellt.