Mixed-Criticality Cluster Portfolio Analysis...1/06/2015 Overview of Mixed-Criticality Cluster The Mixed-Criticality Cluster, led by DREAMS, was motivated by the desire to provide

Mixed-Criticality Cluster Portfolio Analysis

Haydn Thompson

Report from the Final Mixed-Criticality Workshop

Held on 22nd November 2016 in Barcelona, Spain

November 2016

Communications Networks, Content and Technology Directorate-

General DG CONNECT http://cordis.europa.eu/fp7/ict/embedded-systems-

engineering/home en.html

Mixed-Criticality Systems Cluster Portfolio Analysis

2 1/06/2015

Executive Summary The Mixed-Criticality Systems Workshop was held in Barcelona in November 2016 to bring together the mixed-criticality projects (CONTREX, PROXIMA and DREAMS). This portfolio analysis presents the outcomes of the workshop and also provides some insights and analysis into the achievements of the work. A key aim of the workshop was to present the impact that the projects have already had and the opportunities for future exploitation. The three projects have been strongly driven by use cases covering a variety of industry sectors. These have been used to successfully demonstrate the efficacies of the tools and methodologies developed. The clustering of the projects has allowed the impact of the work to be multiplied and has also led to the development of a mixed-criticality community. This goes beyond the three projects in the cluster and notably the ARTEMIS EMC2 project, also addressing mixed criticality, presented at the meeting. This highlighted significant synergy between the cluster and work performed by ARTEMIS that represents a significant body of European Industrial companies. Road mapping and dissemination has been performed at a joint level and training has been provided for the next generation of engineers. The cluster has also organised several workshops to facilitate technology adoption and a number of joint papers have been produced. Notably the cluster has been working very closely with industry on real-world applications. There has been a strong industry pull for the work and the cluster has been successful in demonstrating key ideas and tools in a number of real applications. Exceptionally the cluster has been very successful in exploitation of the work. This includes usage of new tools and techniques for the development of systems in the aerospace, space and automotive domains, joint consultancy activities, formation of a spin-off company and also adoption of project outcomes into mass market products with already 150K deployments. Looking to the future the technology building blocks created provide a strong basis for future developments in the field and bode well for the sustainability of the mixed-criticality community. Barriers to adoption of the more forward thinking ideas are also being addressed through engagement with the certification authorities to ease the route to certification of future mixed-criticality systems.


3 1/06/2015

Table of Contents

Executive Summary ....................................................................................................................................... 2 Table of Contents .......................................................................................................................................... 3 Overview of Mixed-Criticality Cluster ........................................................................................................... 4 Workshop Introduction ................................................................................................................................. 6 PROXIMA ....................................................................................................................................................... 8

Impact of PROXIMA .................................................................................................................................. 9

Exploitation Stories ................................................................................................................................. 10

Dissemination ......................................................................................................................................... 11

What next? .............................................................................................................................................. 12

CONTREX ..................................................................................................................................................... 13 Impact of CONTREX ................................................................................................................................. 14


Dissemination ......................................................................................................................................... 18

What’s Next ............................................................................................................................................ 18

DREAMS ...................................................................................................................................................... 19 Impact of DREAMS .................................................................................................................................. 20


Dissemination ......................................................................................................................................... 23

What’s Next? ........................................................................................................................................... 23

EMC2 - Embedded Multi-Core systems for Mixed-Criticality applications in dynamic and changeable real-time environments ...................................................................................................................................... 24 Concluding Remarks .................................................................................................................................... 27


4 1/06/2015

Overview of Mixed-Criticality Cluster

The Mixed-Criticality Cluster, led by DREAMS, was motivated by the desire to provide a solution for the effective integration of mixed-criticality systems onto multi-core platforms. This is driven by the trend towards the use of multi-core processors to allow increasingly complex functionality to be implemented and also by the move towards mixing functionalities with different criticalities on the same processor platforms. This is expected to grow in the near future with adoption in a number of safety-critical applications in a variety of sectors such as automotive, aerospace, rail, medical monitoring, etc.

Fig. 1 Mixed-Criticality Cluster

The three projects that composed the Mixed-Criticality Cluster are shown in Fig. 1. The research performed by each of these projects has addressed key challenges that need to be solved in order to allow Europe to create and develop new mixed-criticality applications. Without development of appropriate techniques the integration of mixed-criticality subsystems based on multi- and many-core processors could lead to a significant and potentially unacceptable increase of engineering and certification costs and runtime overheads. The projects within the Mixed-Criticality Cluster addressed the following key challenges:

• Timing • Certification • Inclusion of Extra Functional Properties (e.g. power, thermal modelling) • Development Methods


5 1/06/2015

PROXIMA worked on reliability, analyzability and performance of multi-core systems with a concentration on development of a new technique for proving that time deadlines will be met. Traditional approaches cannot be used so the project worked on a new technique that uses probabilistic analysis. Here the techniques have been promoted to the certification authorities to pave the way for early adoption of this technique in industry. CONTREX worked on techniques to allow different functionalities to be integrated onto multi-core platforms. Here the focus was on design and analysis of power consumption, temperature and timing constraints early in the design before hardware is available. Power consumption and thermal management is particularly important for applicitions that are battery powered, e.g. mobile devices. DREAMS defined an architectural style for networked multi-core chips considering safety, security, real-time support and adaptivity. Here the aim was to quickly adapt functionality to different applications or “product lines” much as they do in the smart phone industry where different variants can be supplied with different functions. This product line approach based on a model driven methodology is targeted at promoting widespread adoption of the technology. The projects were complementary addressing different aspects of mixed-criticality systems. There is a slight overlap between CONTREX and PROXIMA as they both addressed timing analysis, however, importantly PROXIMA developed a radical new approach to timing analysis which addresses multiple sources of jitter that could not be addressed using the more traditional methods adopted in CONTREX. In CONTREX the main focus was on looking at other key extra functional properties: power consumption and temperature, and addressing their interplay at an early design stage to avoid the need for system redesign if key power and thermal requirements are not met. A characteristic of all three projects was that they were strongly driven by industry. It is notable that there are many applications for the technologies with many exploitable outputs being identified and opportunities being realized. In several cases partners had come together to exploit outcomes such as in providing tools and consultancy to major companies based on project outcomes. Notably some of the outcomes had been exploited in 150K black box “minor car crash and vandalism recorders” with plans to exploit the technology in related motorbike applications by Q2 2017. Tools have been developed which are expected to be exploited by industry for development of mixed-criticality systems within 2 to 3 years. The more radical work on new approaches to timing analysis for multi-core and many core systems requires acceptance from appropriate certification bodies before they can be used. Efforts are already underway to engage with the appropriate bodies and it is hoped that acceptance will be achieved in a 5 to 10 year timescale.


6 1/06/2015

Workshop Introduction An introduction was given to the Barcelona Supercomputing Centre by Francisco Cazorla. It was highlighted that the Centre brought together 447 people from 45 countries and had produced 80 PhD Thesis in the last 5 years. The Centre is very active in H2020 projects capturing the 7th highest return in terms of funding within Spain. The activities of the CAOS group were particularly highlighted. This group of 17 people is concentrated on parallel applications and optimisation considering aspects such as power and timing. There are specific strengths in FPGA technology and the group is participating in a number of European projects. A general introduction to the Mixed-Criticality Cluster was then given by Roman Obermaisser. It was highlighted that the previous Workshop had produced a key message for the Cluster which was “Smarter and stronger in an increasingly complex world” and that it was pleasing to see that other definitions were now also being produced by companies such as Siemens giving the mixed-criticality community higher visibility with the general public. The key motivation behind the work of the cluster was to develop approaches that allowed integration of mixed-criticality systems onto multi-core platforms. The cluster had been formed to bring together the three projects to create critical mass to address key challenges. These were to:

1) Address extra-functional requirements in design and development, e.g., time, energy and power budgets, adaptivity, reliability, safety, security, volume, weight, etc.

2) Develop a certification methodology for mixed-criticality systems To achieve these two key aims the following areas were addressed through a combination of software virtualisation and hardware segregation, and via development of a supporting certification methodology.

• Extra-functional properties: In order to produce optimal implementations on multi-core devices it is necessary to ensure that a number of specific properties are satisfied. These extra-functional properties include timeliness, energy efficiency for battery-operated devices and dependable operation in safety-relevant scenarios. There is also a need for short time-to-market and low cost while at the same time adding increasing levels of functionality.

• Timing Analysis: The traditional approaches to timing analysis cannot be used for the increasingly complex multi-core and many core devices being developed. At a fundamental level new approaches need to be developed for temporal and spatial partitioning, which establish fault containment and the absence of unintended side effects between functions.


7 1/06/2015

• Certification: Development of an approach to certification is crucial to allow multi-core devices to be used in safety-critical aerospace, rail and automotive applications.

• Development methods: State-of-the-art model-based design methods still lack of explicit support for modelling of mixed-criticality applications. Modelling and tool support is required to allow spatial and temporal segregation properties at the resource allocation or platform view, and for static or dynamic application to computation, memory and communication resource mapping.

The cluster as a whole had a role to steer and increase the European R&D awareness in the area of distributed mixed-criticality and embedded computing systems via community building. Here the aim was to facilitate the exchange of ideas and also to provide technological building blocks. In addition, efforts towards standardisation have been promoted and this will continue over coming years. A further activity was the development of a research and innovation roadmap for mixed-criticality systems. Over the course of the work the cluster has produced a number of joint publications and has supported the community by organising a number of joint workshops. Internally there have also been 13 joint meetings between the cluster projects. In terms of outreach the cluster has engaged with HiPEAC and has had joint booths at key events such as DATE and the ARTEMIS/ITEA co-summit. The cluster also created the Mixed-Criticality Forum which has produced a number of tutorials for the community on topics such as “what are mixed-criticality systems?”, modular certification, etc. Although the projects have now finished or were coming to a close it was planned to continue the activities of the Forum and some work would be continued in new projects such as SAFEPOWER. Werner Steinhölg gave a brief welcome to the participants and introduced the aims of the day and why the Mixed-Criticality Cluster was important to the activities of the Commission highlighting the drive towards Digitising European Industry. The workshop was divided into 4 sections with a section dedicated to each of the projects PROXIMA, CONTREX and DREAMS, with a fourth section being dedicated to guest presentations from the ARTEMIS EMC2 project, which is also addressing mixed-criticality systems.


8 1/06/2015

PROXIMA PROXIMA is addressing development techniques for future real-time systems such as cars, aircraft and autonomous vehicles. Electronics, informatics and mechanics are being brought together (mechatronics) in increasingly complex applications, e.g. aircraft, autonomous vehicles, etc. This is being driven by the increasing complexity of hardware and the move towards multi-core processors providing a mixture of non safety-critical and safety-critical functionality operating on the same hardware. The key problem is that it is impossible to use traditional timing analysis methods for certification based on casual modelling for multi-core devices. Measurement based timing analysis is not possible when there are so many sources of jitter as it is not possible to capture all the system complexity. In reality a safe timing bound is required even when it is not possible to know all the low level system details. The PROXIMA approach to addressing this is to use Representative Testing to accommodate high level and low level sources of jitter, e.g. from the cache. To enable this PROXIMA has been developing a new approach exploiting randomisation which is injected into the timing analysis. The system timing properties are then proved using probabilistic and statistical modelling as shown by Fig. 2.

Fig. 2 Overview of PROXIMA Project – Probabilistic Timing Analysis

The Probabilistically Time Analysable (PTA) techniques and tools can be used for multi-core and many core platforms. Randomization is selectively introduced into the timing behaviour of the hardware and software resources to facilitate the use of probabilities to predict the overall timing behaviour of the software and its likelihood of timing failure. PROXIMA has developed a tool chain including a multi-core PTA-compliant processor


9 1/06/2015

implemented on a FPGA and a commercial Operating System and Timing analysis tool. This has been shown to work theoretically and has been implemented and refined on real industrial hardware platforms. Four use cases from avionics, space, rail and automotive have been explored. A study on the feasibility of applying these techniques to Commercial-Off-the-Shelf (COTS) multi-core processors has also been performed. The project has been using the LEON3+FPGA, AURIX (3 core) and P4080 boards using PikeOS and RTEMS. A customised FPGA and industrial tool chain was used for COTS FPGA default hardware. Overall it has been shown that the combination of probabilistic and statistical modelling can be used to provide timing guarantees allowing systems implemented on FPGAs and multi-core processors to be certified.

Impact of PROXIMA A series of presentations on the impacts and outcomes of PROXIMA were given led by Ian Broster of Rapita Systems Ltd. It was noted that the tools developed can be applied within the safety-critical software industry for coverage and testing. The approaches had been applied to industrial platforms in the aerospace, automotive, space and rail domains with emphasis on application to COTS technologies. It was highlighted that the new approaches predicted timings much better than conventional techniques. Additionally, the approach had resulted in other benefits such as the ability to perform software performance sensitivity analysis and mutation testing. This has the advantage of reducing the risk of timing faults being missed. It is also possible to apply time composability and provide robustness to reduce the risk of timing faults being identified later in the integration phase. Already a number of success stories had been produced through work with early adopters. PROXIMA had identified 22 exploitable technologies and 14 opportunities as shown in Fig. 3. Patents relating to the techniques had been applied for by INRIA and BSC.

Fig. 3 Identified Exploitable Outputs for PROXIMA


10 1/06/2015

Exploitation Stories

Forecast Based Interference (FBI) Technique

An early adopter of the FBI technique was Rolls-Royce who had performed a joint Knowledge Transfer Network project with York to use the approach on an engine platform. Interest in the technique had also been shown by BAe Systems and Safran via the project’s Industrial Avionics Working Group. Additionally, an EPSRC research project on Mixed Criticality for CPS had been initiated.

Rapita Verification Suite (RVS) Qualification Kit Productisation

To provide Rapita Verification Suite (RVS) Qualification requires a lot of effort. Using the PROXIMA technology it is possible to automate more of the testing which reduces the overall cost. This enables the move towards semi-automatic testing. Rapita highlighted that they had produced and were already selling a Qualification kit using the technology. Rapita had sold this new approach several times and the first aircraft was already flying that had used this technology for testing. There was also a mature plan to include the PROXIMA timing analysis in the existing RapiTime tool in 2017. The approach to “Time-Bands” results in a much lower instrumentation of code for timing analysis. The multicore tracing tool has already been sold for single core processor applications.

Randomisation Technologies

Randomisation techniques are being developed by the Barcelona Computing Centre for both hardware and software randomisation. Notably these can be used for supporting security in CPS and already talks had begun with SYSGO on security. Rapita and BSC plan to offer a consultancy service for assessing multi-core software in the aerospace and automotive domains.

Cobham Gaisler

Cobham Gaisler had developed a hardware randomisation platform based on the LEON processor for the space domain. A configuration file has been developed for a commercially available board and the company can provide tailored end-user support on a case by case basis. It was noted that the end user ESA has long lead times in projects. Probabilistic timing analysis is seen as a key technology in the space industry


11 1/06/2015

and already there is a research project developing extensions to the platform. It was planned to transfer the RTEMS-SMP that had been developed by UPD (Padua) into the space domain.

SYSGO

SYSGO have announced that they will provide safety and security extensions for PikeOS for the rail industry utilising time composable PikeOS communication ports. It is also planned to perform a PikeOS/RVS integration for the aerospace sector jointly with Rapita.

Airbus

Airbus highlighted that they have a roadmap for the probabilistic tools and are waiting for the technology to be fully commercialised. There is ongoing research at INRIA and Airbus will be presenting the technology at a certification conference. There is also a need to go to the authorities to discuss the approach and both Airbus Defence and Space divisions are lobbying for agencies such as ESA to adopt Probabilistic Timing Analysis.

Dissemination An IEEE Real Time Systems Symposium (RTSS) workshop was planned on Mixed-Criticality Systems and Probabilistic approaches. The project will also be promoted at a Dagstuhl seminar on mixed criticality. Links with HiPEAC had been made and the challenges of Mixed-Criticality Systems will be presented at a HiPEAC event. It was highlighted that the concept of probabilistic timing was initially proposed in 1995 with the first hardware randomisation approaches being reported in 2009. The idea was gaining acceptance and notably in 2015 full sessions were being organised at conferences on the topic. Around 20 experts had attended the PROXIMA Workshops showing a growing community. The project had also produced 7 journal papers.

An area where there had been less interest was the automotive sector, however, this was due to the consortium not having any automotive partners. Denso had shown some interest in the project but it will take time for industry to adopt the technologies. There is a need to persuade people about the new techniques and it is more likely that parts of the technology will be adopted. Although it may be possible to exploit the tools and concepts in other areas the tools and consultancy around them is expensive for applications that are not driven by safety. The area where there may be adoption in the


12 1/06/2015

future is areas where millions of low value sales are made, e.g. washing machine control.

What next? The next steps in the development of the PROXIMA tools and techniques depends on the technology providers. There was a strong pull from the space industry and also interest from aerospace with ongoing agreements being pursued with ESA and the Spanish Ministry. More work is needed to address the rail and automotive sectors. A number of partners had pursued follow–on funding, e.g. INRIA industry transfer funding, and H2020 funding. Airbus had funded a new PhD project in the area.


13 1/06/2015

CONTREX The motivation that drove CONTREX is that currently many systems are developed in isolation with physical segregation of safety-critical and non safety-critical functionality. These systems can be compute and power intensive and in future will be integrated together onto a multi-core platform. This will require sharing of resources, space and time partitioning. In CONTREX although timing was considered, the focus was on power consumption and temperature management. This is particularly important for battery driven systems. A key aim was to represent timing, power and temperature constraints in the early stages of development before hardware is available with the aim of analysing power efficiency and thermal management at design time. Power temperature and battery models are used to model extra-functional properties. Requirements and “contracts” are incorporated into a UML-MARTE meta-model.

Fig. 4 Overview of CONTREX Toolset - Timing, Power and Temperature Analysis By considering timing, energy management and temperature on the multi-core platform at the design phase, as shown in Fig. 4, it is possible to create energy efficient and cost aware designs through analysis and optimization with respect to application demands at different criticality levels. These tools can be used at the early stages of the V development cycle to perform design space exploration. A key advantage is that it is


14 1/06/2015

possible to validate a design early so that developers are not caught out by limitations in system resources. Modelling techniques and a toolset have been produced that goes from design to simulation, to co-simulation with hardware. The CONTREX results integrate into existing model-based design methods and are customizable for different application domains and target platforms. A single model is captured in UML/MARTE with all relevant information pertaining to extra functional properties. Here a set of modelling rules have been defined with extensions added for communications network modelling and mixed-criticality. The UML/MARTE model then triggers all the different forms of analysis to assess performance. These have been used to address a number of real world applications:

– Quadrotor for surveillance – Flight control for remote piloted vehicles – Automotive black box crash detection – Telecoms unit

Specific thermal models have been created for the Xilinx Zynq platform. With these it is possible to compute power consumption and secondary traces of hardware consumption. Using details of the floor plan of chip and material properties of the package it is possible to model the heat discharged from the package. Feedback from this temperature model can be fed back to the power model which allows critical situations such as thermal runaway to be identified.

The project has also considered management of extra functional properties at run time. Models for batteries have been created and virtual sensors can be added within code that allow power consumption to be monitored. This can be used at run time to optimise the priorities of task execution via the BBQ-lite RTM that has been developed for ultra-low power sensors nodes. Notably this is already being exploited in an automotive product using vehicle status and battery charge information to control the run time scheduling of tasks. Power control can also be used to manage the thermal characteristics of the hardware and to avoid thermal hotspots.

Impact of CONTREX Three use cases had been developed to demonstrate various aspects of the CONTREX toolset. The impacts of the CONTREX tools in each of the use cases was presented.


15 1/06/2015

Remotely Piloted Aircraft Avionics Use Case

GMV presented the avionics use case which considered a Flight Control Computer, IMU, GPS, etc. for a 60Kg UAV platform with a range of 100Km. The avionics had been developed to ARINC 653. Partitioning had been used to implement the Input/Output, Navigation, Flight Control Laws and Fault Detection, Isolation and Recovery. The main aim was to develop tools that could be used for design space exploration and to tailor software for light RPAs (less than 150Kg). Here there is a need for a more flexible approach to assess performance more quickly and to allow design space exploration for performance optimisation. The key outcome for GMV was that it is planned to use the CONTREX tools for prototyping and evaluation of new designs. An additional avionics Use Case had also been explored by OFFIS for a Quadrotor application. This demonstrates the partitioning of image processing onto a multi-core while also providing the guidance control for a quadrotor. This had been used for dissemination activities and was also being used as a demonstrator in related ARTEMIS work.

Automotive Telematics Use Case

Vodafone presented the automotive telematics use case. A sensing unit, localisation unit and data processing and communication unit had been produced to be used by trucks, cars or motorbikes, to collect data on minor crashes and vandalism for insurance companies. Vodafone utilises a standard V model design flow and the CONTREX tools have been used to allow early evaluation of non-functional properties at design time, and in particular, power consumption which is a major consideration for parked vehicles. The tools had been successfully used to assess the capability of integrating new functionality and it had been possible to add significant extra functionality to units allowing more sophisticated algorithms for crash analysis to be deployed. Other work had also incorporated algorithms to extract image information to consider the occupancy of the vehicle. A node simulator had been created and BBQLite had been adopted for run time management to control power consumption dependent on car and battery charge status. This was already being used in production boxes and 150K boxes had been installed in vehicles. It was also planned to launch a version of the black box for the motorbike market with a target of 2K devices in Q2 2017.

Telecoms Use Case

The telecoms use case had addressed adaptive modulation for wireless Ethernet. For this it is necessary to manage both power and thermal characteristics. Notably before the project it was not possible in existing units to identify what was happening with


16 1/06/2015

respect to power and temperature. This led to products being developed that did not meet power and thermal constraint requirements. This was because the standard development process being used by the company could not capture power modelling. The new simulations developed in CONTREX give much better information. Although this does not quite solve the underlying problem as yet, it does allow the company to perform a more thorough analysis of the telecoms units and provides a much better understanding to engineers.

Exploitation Stories A number of CONTREX partners provided exploitation stories for outcomes from the project.

ST Microelectronics

ST Microelectronics described their exploitation around the iNEMO solution. It was highlighted that the automotive combo sensor market is accelerating. Over 2 million accelerometers were sold in 2014 for telematics applications and the expectation is that this will grow driven by needs for increased functionality and regulation such as the eCall specification in Europe. Also within the automotive use case STM has produced a test chip for image processing to detect the occupancy of the vehicle. It is expected that this increased capability device can be exploited in a number of domains.

GMV

GMV plan to exploit the CONTREX tools in the development of a FCC for future light RPA platforms of less than 150Kg. The existing platforms in the domain are manufactured by large mainstream companies, e.g. Airbus, and as a result are high cost. Here there is an opportunity for smaller companies to make light RPAs that are significantly cheaper. In these applications Size, Weight and Power (SWAP) is a key constraint.

Vodafone

Vodafone have already exploited several results in products. The crash management classification and filtering algorithms developed in CONTREX have been successfully


17 1/06/2015

used to reduce false alarm events. The data collected is now being used to provide extended crash reports to identify the type and severity of an impact. It is also possible to recognise low energy crashes which can be used to identify vandalism and minor collisions when the car is in a parked condition. It is planned to activate this new functionality on 200K devices that are already in the field. The company has worked jointly with POLIMI to develop the software and as a result a start-up has been created to address the motorbike market. The rally cross market (WRX) is also being targeted to gather telemetry and crash information for entertainment. Looking to the future the company is working towards cloud based services. A commercial version of iNEMO is being considered with STM inertial sensors for the new Vodafone box.

EUROTECH

EUROTECH has developed an Internet-of-Things and multi-service gateway for industrial and transportation applications. The company has developed the Kura framework which is already being used in cloud based machine-to-machine integration solutions. In CONTREX the company has developed the RELIAGATE 10-11 multiservice gateway and the Everyware Device Cloud M2M integration platform.

INTECS

INTECS is developing Ethernet over radio technology. The company produces LTE base stations and here there is a need to optimise power consumption while supporting mixed-criticality transmission. The aim is to provide a wireless backhaul link of traffic to the core. Of interest is that the EU is making a Call For Proposals (CFP) for bringing broadband to C&D zones in Europe. In these areas there are few potential customers so there is a reluctance of providers to lay fibre which is expensive. Here VDSL products give close to fibre optic performance making it an interesting lower cost alternative.

IXtronics

IXtronics provides a tool called CAMELView which can be used for modelling and control system design of mechatronic systems. This is used by the automotive industry and the company sees opportunities to sell the CONTREX extensions it has developed in the automotive and aircraft industry.


18 1/06/2015

EDAlab

EDAlabs produces the HIFSuite tool for manipulation. The CONTREX project has been seen as very useful to raise the visibility of the tool.

Intel

During the course of the CONTREX project Intel bought DOCEA (25 people) which produces tools for thermal analysis and management. As part of Intel the company is connecting the tools to SIMICS which has a large user base within the company giving the tools much wider usage. A link to Intel’s CONFLUENT DSE has also been developed which will further integrate the tools into the company’s processes.

Dissemination A number of dissemination activities had been performed targeted at standardisation via the OMG with respect to the UML/MARTE extensions. Other activities had addressed engaging with the community and the project had participated in a number of conferences. CONTREX had been very active organising workshops and training on the toolset.

What’s Next The expectation is that a number of the key technologies developed such as the STM iNEMO board and EUROTECH’s RELIAGATE products will be exploited in many markets with an obvious first candidate being the automotive sector due to already strong existing links. The Vodafone crash recorder boxes will continue to be rolled out on the market and further functionality will be added to provide further services. A new start-up has also been created that will address the motorbike market with Vodafone and opportunities in the rally cross sector are being pursued. The toolset will be used for design space exploration for light RPAs and will be used for analysis of power and thermal constraints for future telecoms applications. The DOCEA tools had now become part of Intel’s internal development and the CAMELView tools will be exploited in the automotive sector. At a research level some of the work will be continued via new projects, e.g. SAFEPOWER.


19 1/06/2015

DREAMS

In mixed-criticality systems there is a pressing requirement to reduce the number of computers and cables while adding more functionality. Increasingly there is a need to integrate functions at different levels of safety. The trend is towards multi-core platforms due to limited scalability of uniprocessors and networked multi-core chips will be used in many domains in the future such as aerospace and rail. There is a need to reduce development cost and time to market for such systems and provide flexibility, adaptability and energy efficiency through integrated resource management. At the same time there is a need to provide higher reliability, security and safety

Fig. 4 Overview of DREAMS Project – Definition of DREAMS Architecture

The aim of DREAMS is to establish a European Reference Architecture for mixed-criticality systems by consolidating and extending platform technologies and development methods. DREAMS is considering multi-core platforms from a hierarchical system perspective for mixed-criticality applications combining both the chip- and cluster-level. A cross-domain architectural style has been defined that supports multiple application domains, e.g., avionics, wind power, healthcare.


20 1/06/2015

The DREAMS model-based development environment and toolchain addresses modelling of mixed-criticality systems, assessment of architecture timing requirements, and assessment of safety requirements and properties (including for hierarchical platforms). The toolchain supports deployments and resource allocation. Other aspects such as business variability and technical variability for product lines are also being developed. An evolutionary optimisation approach is being used for variability exploration, design space exploration, resource allocation, platform configuration and scheduling reconfiguration. Other tools for verification have been produced including a safety checker.

The project has concentrated on architectural style, virtualisation, methodology and tool certification for mixed-critical systems. It has also supported community building and performed roadmapping. For virtualisation the project has developed XtratuM which includes time-triggered communications targeted at ARM and SPARC processors. DREAMS has also produced KVM which turns a Linux Kernel into a hypervisor for ARM. Resource management software has been developed using results from other projects including BETSY, SCARLETT (fault handling reconfiguration) and Reconfigure (which addresses mixed-criticality systems for foreseen and unforeseen changes). This provides secure adaptive fault tolerance based on reconfiguration graphs. Certification and modularity has been considered based on IEC 61508 using modular safety cases in Goal Structured Notation (GSN).

Impact of DREAMS Three demonstrators have been produced. One addressed an avionics subsystem for flight management. Here timing isolation, fault management and performance were considered. Another application investigated a wind turbine application and a third considered safety-critical health monitoring for the medical sector combined with an entertainment system. Here STM has been working on memory/network bandwidth regulation. This was exploited for video applications in the medical domain with regulation based on cache misses. The MemGuard memory tool has been ported to the ARM v7. It has also been ported to the ARM v8 identifying some issues with the architecture in the process. A Linux implementation has also been developed for the Intel CPU and ARM v7.


21 1/06/2015

Exploitation Stories A number of exploitation stories were highlighted. This included exploitation with respect to the use cases explored but also exploitation beyond this in other areas.

TTTech

TTTech provided time-triggered communications for networked multi-cores. The work was also being exploited in the Safe4Rail project funded under Shift2Rail. Additionally, the project had allowed the company to develop the maturity of their TTEthernet product for use on the ESA Ariane 6 rocket which will be deployed in 2020. The DREAMS project was used as part of the de-risking mitigation strategy for this work. There is also interest in network scheduling for real-time IoT in the robotics domain.

ST Microelectronics

STM highlighted that in the health care sector hospital errors are still a leading cause of death being ranked 3rd in the list of causes of death. Networking can be exploited to provide smart alarms, provide monitoring to track patients around a hospital and also to control smart drug delivery systems. The company had produced a wearable battery operated device called the Body Gateway which connects via Bluetooth to a local connection device. From here the data (of varying criticalities) is transferred via TTEthernet. The DREAMS project had produced a proof-of-concept system for the medical domain but there were also potential applications of this in the space and automotive sectors.

VOYSYSmonitor

The VOYSYSmonitor had been developed using the ARM v8-A to bring new functionality. Low level firmware is used combined with the ARM TrustZone. This allows the safe exchange of data between RTOS/GPOS using certifiable firmware. Critically this can switch modes in less than 1 microsecond and the system boot-up is very quick.

Alstom Wind

Alstom had developed an integrated wind turbine controller. In this the wind turbine safety protection functions had been transferred into the DREAMS platform. This makes


22 1/06/2015

it easier to flexibly customise solutions for customers and also to meet certification requests up to SIL3 for wind turbines. This is helping the company evolve products towards stricter IEC 61400 standards that have been adopted in the wind turbine industry while merging functionality into single unit.

THALES

The main business areas of THALES are aerospace, space, transportation and defence. In all sectors there is a move towards multi-cores and so the company is developing the next generation of products targeting this technology, for instance, combining FMS and I/O into a single unit in the aerospace sector.

FENTISS

FENTISS produce virtualisation technologies and within DREAMS have produced XtratuM. This has been extended from being used in the LEON and x86 platforms to also being used on ARM and PowerPC processors. The company provides communication and network services and also certification templates. The markets for the company are seen as space with the LEON and ARM products, automotive with the ARM product, avionics with the Power PC, and industrial automation with the ARM and x86 processors.

TüV Rheinland

TüV provides testing, inspection and certification services. The key interest in DREAMS was in camera systems that provide safety-related pictures. Here the most important standard for the company is IEC61508 and TüV are promoting DREAMS developments for the 3rd edition of standard.

RealTime–At-Work

RTaW have produced scheduling, configuration and timing analysis algorithms in the DREAMS project that can be used in the avionics, space, industrial automation and automotive sectors.


23 1/06/2015

Dissemination The DREAMS project has disseminated results to the stakeholder community (avionics, healthcare, railway, automotive, systems integrators, scientists, public) via a number of means including national exhibitions, networking sessions at ICT 2015, HIPEAC and via publications. Notably 44 publications had been produced in year 3.

What’s Next? The partners plan to exploit the results in the space, aerospace, automotive and health domains. There are also applications in the wind turbine and rail domains and already work was filtering into projects in these areas. The coverage of processors LEON, ARM, PowerPC and x86 opens up potential applications in a number of sectors.


24 1/06/2015

EMC2 - Embedded Multi-Core systems for Mixed-Criticality applications in dynamic and changeable real-time environments EMC² is an ARTEMIS Joint Undertaking project in the Innovation Pilot Programme “Computing platforms for embedded systems”. The objective of EMC² is to establish multi-core technology across relevant Embedded Systems domains by allowing cost efficient integration of different applications with different levels of safety and security on a single computing platform in an open context. EMC² is addressing dynamic adaptability in open systems, handling of mixed-criticality applications under real-time conditions, scalability and flexibility, full-scale deployment and management of integrated tool chains through the entire lifecycle. The project has 101 industry and research partners from 19 European countries with an effort of around 800 person years and a total budget of about 100 MEuro. EMC² has 6 Technology Work Packages and a number of Living Labs in the automotive, aerospace, space, shipping, railway and logistics domains.

Fig. 4 EMC2 Activities

The main objective of EMC² is to establish multi-core technology across relevant Embedded Systems domains. In total there are 12 Work Packages and the project is addressing an impressive and diverse set of applications provided by its partners.

The main drivers behind EMC2 are the doubling of transistor count according to Moore’s Law, which presents challenges to the industry, and also the commercial need to get to market quickly. The combination of the two often leads to mistakes. Although the front


25 1/06/2015

running applications tend to be in the consumer product domain, where criticality is less of an issue, in industrial applications it is not possible to switch on and off equipment if something goes wrong. In many applications such as automotive, aerospace, and health care there is a need for safe optimisation of QoS to address mixed-criticality applications. In particular, there is a need for highly networked systems to support applications with high traffic, e.g. connected cars. It was noted that solving one problem in a system tends to introduce a new mistake somewhere else. This leads to the question of “which flaws/bugs do we really need to repair?”

There is a need for qualification and certification support for avionics, rail and automotive applications. Here the key interest is in reducing the number of microcontrollers in systems which can currently run to 100’s of processors. The project is looking at a number of use cases. This includes avionics use cases, a heartbeat monitoring system to find abnormal behaviour, and quality control for 3-D inspection where performance had been improved by 300%. A major application had also been developed for seismic processing. Here a ship pulls a number of long lines of processors called streamers with each streamer composed of 100-200 computers. These are used to process the acoustic returns from small explosions that are detonated to find out the structure under the sea. In this application the processing was now being performed between 2-4 times faster. In another medical imaging application work is trying to process brain scans within a few hours in order to make a diagnosis on the same day and avoid bringing the patient back for another hospital visit.

A presentation was made specifically on the activities of EMC2 WP4. This is addressing areas which are particularly in synergy with the Mixed-Criticality Cluster. It was notable that the project is also using the Zynq chip as has been extensively used in the cluster. Here Sundance had developed a Zynq board within EMC2. A number of research areas had been addressed including aspects of virtualisation and verification technologies, dynamic reconfiguration and networking. Key outcomes have been the development of Software Designed Asymmetric Multiprocessing, development of a Heterogeneous On-Chip Time Triggered Network, and a radical approach to synchronisation called White Rabbit. This provides high accuracy <1ns distributed synchronisation for networked systems with jitter down to less than 250ps. This is achieved via an efficient fault tolerant clock distribution mechanism. At the hardware level a “Time of Flight Chip” had been developed for 3D imaging along with a virtual hardware platform. Infineon are leading the work on mixed-criticality hardware and to support this the company has produced an analog mixed-signal power system.

EMC2 had also performed a survey of the state-of-the-art of mixed-criticality systems. This had covered techniques used, safety-related standards and both academic and industry use cases. Here a CPS definition of mixed-criticality systems had been defined


26 1/06/2015

along with a classification of systems. A survey paper had been produced based on analysis of over 200 papers. It was noted that many papers in the scheduling domain reference a paper from Burns and Davis on WCET which is conservative in its approach. The survey had also looked at behavioural models, mixed-criticality certification, architecture separation techniques, and different hardware approaches: single-core, multi-core and many-core.

A presentation was also given describing the Sippo WebRTC Application Controller that had been developed for the EMC2 IoT Living Lab. This is an open source JavaScript project with a target for deployment on low cost, multi-core devices utilising Android. A video communication application had been developed for a Quadcore Cortex A9. The WebWorkers API has been defined by the W3C. This Web browser is currently undergoing standardisation and is designed to be used on multi-core CPUs.


27 1/06/2015

Concluding Remarks The Mixed-Criticality Cluster comprising DREAMS, CONTREX and PROXIMA addressed key aspects of mixed-criticality systems as shown below. Aspect Project Addressing Synergy/Opportunity Extra Functional Properties

• CONTREX addressed timing but also other physical properties of system components such as power consumption, temperature and reliability.

• PROXIMA concentrated on timing analysis but there are relationships to power and temperature

The approaches to timing analysis developed by PROXIMA could be combined with the power consumption, temperature and reliability techniques of CONTREX to provide an “optimised” system solution considering trade-offs and attainment of multiple objectives.

Modelling • CONTREX developed models for extra-functional properties, e.g. power and thermal.

The models developed are designed to be modular to be integrated into tool chains. Thus it should be possible to integrate these into both PROXIMA and DREAMS.

Compositional Reasoning

• DREAMS, CONTREX and PROXIMA all used compositional reasoning and system construction, but in slightly different ways.

Synergies between the three approaches exist.

Probabilistic Timing Analysis

• PROXIMA developed a probabilistic approach to timing analysis of multi-core and many-core architectures.

The new approach could be exploited for system certification with universal application to FPGAs, multi-cores and many cores given the proviso that the platform is “compliant”.

Hardware Design

• PROXIMA developed adapted hardware to assist with Probabilistic Timing Analysis.

This work supports the adoption of probabilistic timing analysis by definition of a compliant platform. This could be exported to other projects.

Cross-domain architectural style for mixed-criticality systems

• DREAMS has defined an architectural style that supports multiple integration levels, cluster, multi-core chip, and hypervisor for a mixed-criticality system.

The opportunity here is to use this for exploitation at a wider level in multiple sectors.

Embedded RTOS

• DREAMS developed a RTOS to support partitioning

• PROXIMA developed a RTOS to support randomisation

There may be an opportunity to combine both approaches in the future into a single RTOS.

Table 1 Aspects Addressed by the Mixed-Criticality Systems Cluster, Synergies and Opportunities


28 1/06/2015

The projects were complementary addressing different aspects of mixed-criticality systems covering certification barriers, challenges of optimising performance and managing the complexity of design for multi-core applications. The outcomes of the cluster are many and should lead to the ability to design new mixed-criticality systems in a more time and cost effective way. It will also allow developers to provide better performance from systems while at the same time considering a number of extra functional properties. Critically the new approach to timing analysis has the promise of allowing future systems based on multi-core devices to be certified in safety-critical applications. There are many synergies between the projects and this leads to opportunities for future joint work or comparison of results. These opportunities are highlighted in the last column of Table 1. Notably there is a slight overlap in topics being addressed between CONTREX and PROXIMA in the sense that they are both looking at timing analysis. CONTREX has adopted a more traditional technique to timing analysis, however, the focus has been on looking at the interplay with power consumption and temperature. In PROXIMA a new statistical approach to timing analysis has been developed with supporting tools. Although adoption of such a technique would be a major change for industry it has the promise of allowing future systems based on multi-core devices to be certified in safety-critical applications. Here there is still a need for more work to gain acceptance of the techniques from the certification bodies although there is strong pull for this from the space industry. The outcomes from the projects have been already demonstrated in a number of real applications. Here a significant number of use cases have been used to test the efficacy of the tools and also validate them in applications that are close to industrial exploitation. This is reflected in the large number of exploitation opportunities identified by the three projects in the cluster. Exceptionally the cluster has also been very successful in getting adoption of project outcomes into products which are mass market with already 150K deployments in the automotive domain. Other tools and techniques were also being deployed for development of aerospace and wind turbine applications. A number of joint exploitation activities were underway and a new spin-off company had been performed to exploit ideas in the motorbike market. At a cluster level the projects have performed joint road mapping and joint dissemination. Training has been provided to students to educate the next generation of engineers and workshops have been run to facilitate technology adoption. The Mixed-Criticality Community is growing and becoming more established and this is evident from the analysis performed in the survey paper by EMC2. The work on use cases has also raised the profile of the work further within industry, demonstrating the efficacies of the tools and methodologies developed.

Documents

Mixed-Criticality Cluster Portfolio Analysis...1/06/2015 Overview of Mixed-Criticality Cluster The Mixed-Criticality Cluster, led by DREAMS, was motivated by the desire to provide