Embed Size (px)
DESCRIPTION
A unified approach to systems engineering for trustworthy systems.
Trustworthy Forever
From Deep Space To Deep Sea
26-May-11 Altreonic NV – From Deep Space to Deep Sea - 2
Eonic Systems (1989-2001) Virtuoso RTOS for parallel DSP, leader in high-end niche
Sold to Wind River Systems in 2001 for 15 mio $
Open License Society (2004 - …) OpenComRTOS (IWT project)
Innovative no-nonsense and formalised approach
Systems/ software engineering with supporting tools
Breakthrough results thanks to Formal Methods
5 to 10x smaller => efficiency, performance
Sponsored by Melexis, Embedded Software Group
ITEA EVOLVE project
R&D costs valued at 2 mio €
In sept 2008, Altreonic as a spin-off of OLS To productise and go commercial
Flanders Drive ASIL project (safety engineering methodology)
26-May-11 Altreonic NV – From Deep Space to Deep Sea - 3
Altreonic NV Owned E.Verhulst, A.Dejonghe, Lancelot Research NV
Team (management in Belgium, development in Ukraïne since 2005) Eric Verhulst - Founder CEO/CTO Annie Dejonghe - Founder CFO/COO Dr. Bernhard Sputh – sr. Engineering manager Hardware subcontractor in India, Pune Strategic partner in China, Shanghai Liaison office in JP.
R&D projects: EVOLVE: evolutionary/incremental certification/verification OPENCOSS: certification framework automotive/railway/aerospace D100LIVES: developing a 100yrs processing device (ARM, ATMEL, NXP, IMEC, …)
Product lines: OpenComRTOS Designer Safe Virtual Machine (for C) StarFish SIL3/4 capable controllers (engineering stage)
GoedelWorks systems engineering platform in beta
26-May-11 Altreonic NV – From Deep Space to Deep Sea - 5
To provide the embedded market with development environments and with embedded hardware for generating applications where high-reliability and trustworthiness are “built-in” into the design as part of the development process.
Trustworthy = Safety => dependability / physical quality
Security => freedom from malicious faults/ data theft
Usability => intuitive and pleasant to use /emotional
Privacy => your data is your own
Trustworthy = higher added value
Application domains: Ultra low power embedded devices
Distributed sensing and control
Many/multicore devices
Parallel supercomputing
Fault tolerant/ safety critical systems
26-May-11 Altreonic NV – From Deep Space to Deep Sea - 6
Growing need for trustworthy technology: Electronics + SW replacing mechanical parts
Being “embedded” everywhere: part of our life
Initially mainly driven by safety: Lives at stake
High economic cost
“drive by wire” (e.g. Flanders Drive ASIL project)
Increasingly shifting to notion of TRUST
Essential question: how to develop trustworthy products in a cost-efficient way?
26-May-11 Altreonic NV – From Deep Space to Deep Sea - 7
Support the whole engineering process in a unified way from early requirements capturing till the final application giving a “push button high reliability” experience at a reduced life cycle cost
Apply formalisation to tackle complexity Apply Formal Methods to prove correctness
=> GoedelWorks integrated development portal
Maximising the commercial potential by applying its own methodology and tools for the developing of trustworthy controllers in volume.
=> OpenComRTOS: trusted runtime layer
=> StarFish: Altreonic’s customizable controllers
26-May-11 Altreonic NV – From Deep Space to Deep Sea - 9
Formalisation to deeply understand the problem domain
to find better, leaner and cleaner solutions
to find better architectures
to improve reuse
to get it right the first time
Our methods: Unified semantics
Speak the same language from early requirements capturing till final product / system is put to use
Interacting Entities A common, yet very scalable and modular architectural model
26-May-11 Altreonic NV – From Deep Space to Deep Sea - 10
0
50
100
150
200
250
300Traditional
Bottom-up Process
Base cost Cost of change
0
50
100
150
200
250
300Formalised
Engineering Process
Base cost Cost of change
First time right
= Less residual errors
= Higher reliability
= Less costs
Testing will only demonstrate absence of certain errors.
Formal verification can prove absence of any errors.
26-May-11 Altreonic NV – From Deep Space to Deep Sea - 11
OpenVE ©
Formalized modelling
Simulation
Code generation
OpenComRTOS ©
Formally developed
Runtime support for
concurrency and
communication
StarFish Controller
©
Control & processing platform
SIL enabled with support for fault tolerance
GoedelWorks ©
Formalised requirements &
specifications capturing
Project repository
User Applications
Test harness
Modeling
Meta-models
Unifying Repository
Unified architectural paradigm: Interacting Entities
Unified Semantics
OpenTracer ©
Visual Tracing
System Debugger
©
System Level Debugger
SafeVirtualMachine
©
Virtual Machine for C
26-May-11 Altreonic NV – From Deep Space to Deep Sea - 12
Phase1 Phase2 Phase4 Phase3
Packaging Specs
Hardware Specs
System and Safety Specifications Analysis
Software Specs
Software Architectural Design
Software Implementation Verification and Test
System Specifications (Normal Case) Test Cases Fault Cases
System Maintenance System
Requirements
Requirements Capturing
System Requirements
System Validation
Specifications Capturing
System Development
System Integration
System Validation
Domain Specific Specifications Test Cases Fault Cases
Domain Specific Architectural Design Test procedures
Domain Specific Beta release Test results User manual
System Released Design Code System Test Results
System Released Source Code & Distribution Validation Results
System Updates
Safety Specs
System Architecture
System Architecting
System Integration
System Maintenance
System Architecture
FMEA
FTEA
ASIL process flow identified 2800 process requirements!
Cost : + ++ ++ ++ +++ +++++ +++++++ ++++++ ++++++++++ of issues
26-May-11 Altreonic NV – From Deep Space to Deep Sea - 13
Is an integrated set of tools, facilitating the development of high-reliability and safety critical products and systems. Integration is key in achieving reliability and trustworthiness
OpenComRTOS Designer suite of tools: OpenComRTOS: unique network-centric formally developed Real Time Operating System, 5 KB(!), unique heterogeneous support – write code once, run anywhere – scalable.
Open VE, a visual programming and development environment for developing and simulating real-time embedded applications
OpenCookbook is a web-hosted environment supporting the systems engineering process flow (proof of concept)
Tools: OpenTracer, OpenSystemInspector, Safe Virtual Machine
Being integrated in GoedelWorks SaaS portal
StarFish Scalable, customizable, fault-tolerance capable
controllers supported by OpenComRTOS suite
OpenComRTOS was one of the
three nominees for the:
26-May-11 Altreonic NV – From Deep Space to Deep Sea - 14
14
MARKET Segment Enabler Challenges
Ultra low power - hearing aids - building control - sensors
OCR small code OCR low overhead
Hardware driven market, role of SW not well understood
Distributed control
- smart machines - robotic machines - sensing networks
OCR network heterogeneous support
Inertia from legacy solutions
Fault tolerant systems
- process control - infrastructure - e-vehicles - medical
OCR formal dev OCR triplication GoedelWorks StarFish
Inertia from legacy solutions
Multicore/manycore devices
- handheld devices - set-up boxes
OCR easy to support Hardware driven
Parallel computing - scientific computing - image processing
Intel SCC Niche
• Embedded Systems and Control (src EU):
• Market Size : ~ €188 000 mio with av. growth of 8% until 2020
26-May-11 Altreonic NV – From Deep Space to Deep Sea - 15
REQUIREMENT21
Normal case
Test case
Failure case
SPECIFICATIONS21
Functional
Non-Functional
MODEL(S)21
Architectural
Simulation
Formal
Implementation
DEVLPMNT TASK11
Install
Write-Up Result41PreConditions31
Spec Approved
Verification TASK11PreConditions41
Work Approved
Result51
Validation TASK21
USE CASES
PreConditions51
WP completed
Result61
WorkPackage11
OpenCookbook Systems Grammar 10.11.2009
Design Views21
Process Views21
Test TASK11PreConditions61
Spec Approved
Dev Task Approv
Verif Task Approv
Result71
RELEASE1
Valid Approv
Test Approv
Issues11
ChangeRequest21
CheckPoints11
Standards Statements
Guidelines
Questions
Hints
Answers
Org Specific
Domain Specific
Misc
METHODOLOGY11
Architectural
Simulation
Formal
Implementation
Entity11
SubSystem
Interaction
Function
Interface
Method11
Procedure
Tool
Role
Methodology
GoedelWorks
OpenVE
OpenTracer
StarFish OpenComRTOS suite
Safe Virtual Machine
Covering full value-chain from requirement to hardware to maximise added value and certifiability
26-May-11 Altreonic NV – From Deep Space to Deep Sea - 16
Formalised systems engineering portal for project support
Awareness of safety engineering standards IEC 61508, IEC 62061, ISO DIS 26262, ISO 13849, ISO DIS 25119 and ISO 15998
Organisation specific
Supports all process activities with full traceability
Based on previous OpenCookBook experience
SaaS: no license, but time based
Additional licenses: Encryption of data
Local hosting (via Open Technology License)
26-May-11 Altreonic NV – From Deep Space to Deep Sea - 17
GoedelWorks’ architecture is competitive advantage: Metamodels allow fast customisation
System is “compiled” from specifications
Allows semi-automatic certification
User is guided through complexity of systems engineering process, and project becomes a lot easier to manage and to certify
Project portal = up-to-date database
Plug-ins an API for third party tools and technology Imports Flanders’ Drive ASIL methodology e.a.
2 years of dissecting standards => 3800 requirements, 100 Work Products
26-May-11 Altreonic NV – From Deep Space to Deep Sea - 19
26-May-11 Altreonic NV – From Deep Space to Deep Sea - 21
26-May-11 Altreonic NV – From Deep Space to Deep Sea - 22
Formalised but straightforward approach
Full integration of tools from requirements to final applications is unique
OpenComRTOS is a unique programming system, a unique network-centric RTOS, quasi-universal
Formally developed and verified
Scalable yet very small: typically 2 to 5 kiB/node
Real-time communication support
Heterogeneous target support
OpenComRTOS nominated embedded award
Capable of fault-tolerance (at affordable cost)
26-May-11 Altreonic NV – From Deep Space to Deep Sea - 23
Formalised systems engineering portal for project support
Formalised but straightforward approach
Full integration of tools from requirements to final applications is unique
OpenComRTOS is a unique programming system, a unique network-centric RTOS, quasi-universal
Formally developed and verified
Scalable yet very small: typically 2 to 5 kiB/node
Real-time communication support
Heterogeneous target support
OpenComRTOS nominated embedded award
Capable of fault-tolerance (at affordable cost)
26-May-11 Altreonic NV – From Deep Space to Deep Sea - 24
Result of formal modeling (TLA+)
Events, semaphores, FIFOs, Ports, resources, mailbox, memory pools, etc. are all variants of a generic HUB
A HUB has 4 functional parts: Synchronisation point between Tasks
Stores task’s waiting state if needed
Predicate function: defines synchronisation conditions and lifts waiting state of tasks
Synchronisation function: functional behavior after synchronisation: can be anything, including passing data
All HUBs operate system-wide, but transparently: Virtual Single Processor programming model
Possibility to create application specific hubs & services! => a new concurrent programming model
26-May-11 Altreonic NV – From Deep Space to Deep Sea - 25
W
L
W
L
Count
Synchronising
Predicate
Owner Task
CeilingPriority
Buffer List
Predicate Action
Generic Hub (N-N)
T T
TThreshold
Synchronisation
Data needs to
be buffered
Prioity Inheritance
For semaphores
Synchronisation
Waiting Lists
For resources
Similar to Guarded Actions or a pragmatic superset of CSP
The generic hub as metamodel
26-May-11 Altreonic NV – From Deep Space to Deep Sea - 26
26-May-11 Altreonic NV – From Deep Space to Deep Sea - 27
Code size figures (in Bytes) obtained for our different ports, -Os
Dormant ports: MLX16 (2K), Xilinx MB (5K), Leon3(5K), CoolFlux DSP(2K)
• Up to 10x smaller than traditional design (thanks to formal development) • Less power, less memory, easier to verify, scalable ...
CPU Type Codesize
ARM-Cortex-M3 2.5 – 4.0kB
XMOS-XS1 5.0 – 7.5kB
PowerPC e600 7.1 – 9.8kB
TI-C66x (DSP) 5.1 – 7.7kB
26-May-11 Altreonic NV – From Deep Space to Deep Sea - 28
Ultra low power: CoolFlux DSP core (24bit, Harvard)
Code size full kernel: 2000w PM + 750w data
Interrupt latency: IRQ to ISR: < 112 cycles
IRQ to task: < 877 cycles
Multicore capable
Single chip multicore Intel SCC 48core “super computer on chip + NoC switch” (in development)
Heterogeneous networked targets: Win32+Linux+ARM+MicroBlaze+XMOS+LEON3+ … demo programmed as single target
28
26-May-11 Altreonic NV – From Deep Space to Deep Sea - 29
Ultra low power: SoC, 2K instructions on CoolFlux DSP of NXP
E.g. hearing aids
Sensor and actuator networks Small code size
Power saving modes, wake up by interrupt
System wide routing
Distributed control Network support is built in
Easy to integrate redundancy
Easy to distribute control and I/O
No more binding glue, no more middleware layers
Parallel “supercomputing” Parallel heterogeneous DSP networks
PPC and TI C66XX DSP multicore, multi-chip, multi-board, …
29
26-May-11 Altreonic NV – From Deep Space to Deep Sea - 30
Goal: CPU independent programming
Low memory needs (embedded!)
Mobile, dynamic code => “embedded apps”
Allows to reuse legacy binary code on any processor
Results: Selected ARM Thumb1 instruction set of VM target
Compactness
Widely used CPU
< 3 Kbytes of code for VM
Executes binary compiled code
Capable of native execution on ARM targets
VM enhanced with safety support (option): Memory violations
Stack violations
Numerical exceptions
30
26-May-11 Altreonic NV – From Deep Space to Deep Sea - 31 31
Network infrastructure
26-May-11 Altreonic NV – From Deep Space to Deep Sea - 32
GoedelWorks
Structured team work over the internet
REQUIREMENT21
Normal case
Test case
Failure case
SPECIFICATIONS21
Functional
Non-Functional
MODEL(S)21
Architectural
Simulation
Formal
Implementation
DEVLPMNT TASK11
Install
Write-Up Result41PreConditions31
Spec Approved
Verification TASK11PreConditions41
Work Approved
Result51
Validation TASK21
USE CASES
PreConditions51
WP completed
Result61
WorkPackage11
OpenCookbook Systems Grammar 10.11.2009
Design Views21
Process Views21
Test TASK11PreConditions61
Spec Approved
Dev Task Approv
Verif Task Approv
Result71
RELEASE1
Valid Approv
Test Approv
Issues11
ChangeRequest21
CheckPoints11
Standards Statements
Guidelines
Questions
Hints
Answers
Org Specific
Domain Specific
Misc
METHODOLOGY11
Architectural
Simulation
Formal
Implementation
Entity11
SubSystem
Interaction
Function
Interface
Method11
Procedure
Tool
Role
26-May-11 Altreonic NV – From Deep Space to Deep Sea - 33
speed
angle
sin(α)
cos(α)
K1 1/s 1/s
K2
+
-
sin(α)
cos(α)
Phase Detector Low Pass Filter Voltage Control Oscillator
(third party tools)
Simulating the algorithm in a PC doesn’t cost much, but allows to find the issues early on
26-May-11 Altreonic NV – From Deep Space to Deep Sea - 34
OpenVE
After simulation and model checking, select the application architecture and start development
26-May-11 Altreonic NV – From Deep Space to Deep Sea - 35
• Networked control modules do the real work.
• Added value from high reliability and high performance algorithms
• Fault tolerance is a configuration option
Altreonic Inside
26-May-11 Altreonic NV – From Deep Space to Deep Sea - 36
OpenVE:
How are processors
connected ?
26-May-11 Altreonic NV – From Deep Space to Deep Sea - 37
OpenVE How is the application structured ?
26-May-11 Altreonic NV – From Deep Space to Deep Sea - 38
OpenVE
The more code is generated, the less programmingerrors are made
26-May-11 Altreonic NV – From Deep Space to Deep Sea - 39
OpenTracer
Verification and testing is needed to confirm the work was well done
26-May-11 Altreonic NV – From Deep Space to Deep Sea - 40
From idea to prototype in a seamlessly integrated and controlled process
26-May-11 Altreonic NV – From Deep Space to Deep Sea - 41
26-May-11 Altreonic NV – From Deep Space to Deep Sea - 42
OpenComRTOS supports heterogeneous networked and many-core processor systems:
Remapping tasks or RTOS entities requires no source code changes
Timings will differ but logic application remains
Meta-models hide complexity for user
26-May-11 Altreonic NV – From Deep Space to Deep Sea - 43
Altreonic
powered (Status: engineering systems Q4)
OpenComRTOS designer suite
Key characteristics : Scalable performance
High Reliability (SIL3)
Fault Tolerance (SIL4)
Target market : Robotics, Automotive,
Transport, Aerospace,
Machine Control.
26-May-11 Altreonic NV – From Deep Space to Deep Sea - 44
Key characteristics
Allows full access
Fully closed enclosure (IP64 or higher)
Power consumption rated at 7.5 W when using all quadrants @ > 3200 Mips
Application specific mezzanines
Production version will be compact and stacked or use one quadrant as unit
26-May-11 Altreonic NV – From Deep Space to Deep Sea - 45
Key characteristics :
High Reliability (SIL3) → Fault Tolerance (SIL4)
All-in: Traction
Braking
Anti-slip
Stability control
Active suspension
Exploits transparent distributed operation of
OpenComRTOS
Own controllers and e-motor in development
Software and Hardware redundancy enables fault-tolerant controllers in 1-, 2-, 3-, 4-, n-wheel platforms
=> StarFish was designed with such topology in mind
26-May-11 Altreonic NV – From Deep Space to Deep Sea - 46
• Central control moves towards distributed control
• Robot has 42 “feet” = 42 controllers + central
• Original design: 7000 euro hardware
• Our proposal: < 1000 euro + connection to PC and operator console
46
26-May-11 Altreonic NV – From Deep Space to Deep Sea - 47
Innovative no-risk open licensing scheme as well as binary and source code licenses. No runtime royalties.
Binary (only free targets like Win32) Single seat/single site
Source code + Kernel source code and build system
Open Technology license Formal models, design doc, all source code, test suites, porting guide, … of RTOS + code gens + GUI tools
Right to generate extra binary licenses Small royalty
For all Software and all Hardware products
Maintenance/support: 20%/yr/license
26-May-11 Altreonic NV – From Deep Space to Deep Sea - 48
We need hardware that executes (software) specifications
Full system engineering flow support
Enables high-reliability/safety
OpenComRTOS project has proven that a universal concurrent programming paradigm works:
Very small code size, yet very scalable
Heterogeneous for CPU and communication media
Greatly due to formal(ised) development
www.altreonic.com Eric.Verhulst @ altreonic.com
