With rapid industrial development, safety-critical control applications are increasing in size and complexity. This has resulted in serious challenges for the development of safety-critical systems. For example, today's applications usually consist of a set of components with different safety integrity levels (SIL). The certification cost of each component is in direct proportion to its SIL. In order to integrate such applications onto one platform, all components have to be certified to the highest SIL unless sufficient isolation is provided between them. Consequently, the total certification cost increases. Meanwhile, hardware platforms with improved processing power are required to execute applications of larger size.
To tackle the two issues mentioned above, the state-of-the-art approaches are to use more Electronic Control Units (ECUs) in a federated architecture or to increase the frequency of a processor. In a typical federated architecture, each component of a specific SIL can be allocated to a dedicated ECU, and is thus isolated from components on other ECUs. However, using more ECUs has weaknesses such as error-prone inter-processor (off-chip) connections, large hardware weight and size, and high power consumption. Increasing the frequency of a processor is becoming painful due to explosive power consumption. Furthermore, components integrated into a single-core processor have to be certified to the highest SIL, because no isolation is provided in a traditional single-core processor. A promising alternative to improve processing power and provide isolation is to adopt a multi-core architecture with on-chip isolation. In general, a suitable multi-core architecture can facilitate the development and certification of safety-related systems, due to its physical isolation between cores, low power consumption, on-chip interconnection and natural support for on-chip hardware diversity and redundancy at the inter-core level.
The objective of this dissertation is to propose a multi-core system architecture for safety-critical control applications with reduced certification cost. A partitioning architecture is employed to provide sufficient temporal and spatial isolation between components with different SILs in the multi-core architecture, aiming to support modular certification. It prevents failure propagation between isolated components.
The dissertation focuses on the partitioning design of both multi-core hardware and software architectures, in order to minimize the effort and cost of system certification at integration time. Hardware architecture design concentrates on a firmware architecture for SoC platforms, providing separated hardware execution environments for the software executing on top. Software architecture design concentrates on software multi-core architectures, a multi-core real-time separation kernel and a paravirtualized hypervisor (the trusted computing base). From a safety point of view, the multi-core system architecture shall be simple and certifiable, in addition to providing isolation between its hosted components. The isolation is a good basis for implementing safety patterns such as redundancy, diagnostics and diversity.
A separation kernel, HARTEXsafety, and a paravirtualized hypervisor, RodosVisorsc, are proposed to provide isolation mechanisms for small fine-grained applications and large coarse-grained applications respectively. HARTEXsafety is extended from the single-processor real-time kernel HARTEX, aiming to enable isolation at the task level and to support multi-core platforms. RodosVisorsc is a paravirtualized version of the full-virtualization hypervisor RodosVisor, targeting minimized code size, overhead and complexity. It provides isolation between the virtual machines it hosts (e.g., general-purpose operating systems, real-time kernels or bare-metal applications).
The proposed multi-core hardware and software architectures are evaluated within the ARTEMIS project RECOMP (Reduced Certification Cost for Trusted Multi-Core Platforms), of which this PhD project is a part, and are tested in a case study (Safe Stop Demonstrator) provided by the local company Danfoss Drives.
Status: Published - 2013