Review
Improving integrity of embedded computers in control

https://doi.org/10.1016/S1367-5788(03)00006-3

Abstract

This paper gives an overview of a holistic project dealing with the consistent design of embedded control systems falling into the first safety integrity level (SIL 1) (IEC, 1998). It shows how existing methods can be adapted and reasonably employed, wherever possible, without having to resort to new innovations. Firstly, the hardware issues are dealt with and elaborated in detail, particularly the peripheral interfaces with integrated processing capabilities. Secondly, the proven-correct real-time operating system executing on its own dedicated processor is briefly addressed. Finally, programming issues are discussed, including a description of the specific programming language, time-bounded handling of exceptions, and how to deal with temporal overload.

Introduction

Computer control systems are increasingly being used in safety critical applications, where the integrity of the controlled system depends substantially on them. Any failure could have severe consequences: it may result in massive material losses or endanger human safety.

Dependability, although an inherent requirement in the design of control systems, is usually insufficiently supported. Techniques intended to improve dependability are predominantly based on testing, and the quality achieved depends mainly on the experience and intuition of the designers.

This approach, however, is inadequate. Safety measures for such systems must already be considered in the early design phases, which means that common commercial off-the-shelf control computers are usually unsuitable for safety critical applications.

In the late 1980s, the International Electrotechnical Commission (IEC) started the standardisation of safety issues in computer control (IEC, 1998). It identified four safety integrity levels, SIL 4 being the most critical. This paper, however, is concerned with applications falling into the least demanding first level, which already permits the use of computer control systems based on generic microprocessors.

It is desirable that such systems be formally proven correct or even safety licensed. Owing to the complexity of software-based computer control systems, however, this is very difficult, if not impossible, to achieve.

Instead, in this paper we present contributions to several areas of control system design, with the aim of improving both functional and temporal correctness. Long-standing but often neglected viable solutions are implemented, rather than new methods and techniques being devised. As verification of functional correctness is more established than that of temporal correctness, although both are equally important, special emphasis is given to the latter.

In Section 2 it is shown how system integrity can be improved by certain hardware design measures, providing an adequate platform for safety critical control systems. A proven-correct operating system with run-time schedulability checking, based on this hardware architecture, is briefly described in Section 3. Section 4 deals in more detail with programming issues, from safe language properties to the handling of exceptions and dynamic overload. Finally, Section 5 shows how the requirements for SIL 1 compliant systems are matched by the features resulting from our project.

Because of the wide scope, it was not possible to present the details of the implementation. Instead, more general descriptions of the topics are given; the interested reader is referred to the original works throughout the paper.

Section snippets

Hardware design

Hardware architectures and their implementations form the lowest level of control system design and must be inherently as safe as possible. It is not enough to test the hardware platform after it is built; support for integrity must be an important guideline in its design.

In our laboratory, several hardware prototypes have been designed and built; most of them are based on an asymmetrical multiprocessor system architecture.

Briefly, it consists of two types of processors:

Operating system

In asynchronous real-time control systems, concurrent processing is typically based on the task concept. To support tasks, the operating system kernel, and the co-processor on which the kernel runs, need to provide basic tasking functions such as initialisation, activation, termination, synchronisation, suspension and resumption.

Since there is generally more than one ready task, processor scheduling and dispatching must be organised. To achieve this, the feasible earliest
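The snippet above breaks off at "the feasible earliest". The following is an added example, my own C code and not the paper's kernel or its co-processor implementation, of what a scheduling point with a run-time schedulability check can look like: the ready tasks are ordered earliest deadline first (that the cut-off phrase continues "deadline first" is my assumption), the cumulative remaining work is checked against each deadline, and on overload the least important task is shed rather than letting an arbitrary task miss its deadline, which is one way of handling the dynamic overload mentioned in the introduction. The task names, tick values and importance levels are constructed for illustration.

```c
/* Earliest-deadline-first dispatch with a run-time schedulability check and
 * overload shedding. Added example, not the kernel described in the paper. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    const char *name;
    unsigned remaining;   /* remaining worst-case execution time, ticks */
    unsigned deadline;    /* absolute deadline, ticks */
    unsigned importance;  /* application-assigned; higher survives overload */
    bool active;          /* false once shed or terminated */
} task_t;

/* Put the ready list in EDF order; n is small, so insertion sort is bounded. */
static void sort_by_deadline(task_t *t, size_t n)
{
    for (size_t i = 1; i < n; i++) {
        task_t key = t[i];
        size_t j = i;
        while (j > 0 && t[j - 1].deadline > key.deadline) {
            t[j] = t[j - 1];
            j--;
        }
        t[j] = key;
    }
}

/* Schedulability check on an EDF-ordered list: the cumulative remaining work
 * of the active tasks up to and including task k must fit into [now, d_k].
 * Returns the index of the first task that would miss, or -1 if feasible. */
int edf_first_miss(const task_t *t, size_t n, unsigned now)
{
    unsigned work = 0;
    for (size_t i = 0; i < n; i++) {
        if (!t[i].active)
            continue;
        work += t[i].remaining;
        if (t[i].deadline < now || work > t[i].deadline - now)
            return (int)i;
    }
    return -1;
}

/* Scheduling point: order by deadline, check feasibility and, on overload,
 * shed the least important active task whose deadline is not later than the
 * one that would be missed (dropping a later task cannot cure an earlier
 * miss). Returns the index to dispatch or -1; *shed counts dropped tasks. */
int edf_dispatch(task_t *t, size_t n, unsigned now, unsigned *shed)
{
    *shed = 0;
    sort_by_deadline(t, n);
    for (;;) {
        int miss = edf_first_miss(t, n, now);
        if (miss < 0)
            break;
        int victim = miss;    /* the missing task is active, so a valid default */
        for (int i = 0; i < miss; i++)
            if (t[i].active && t[i].importance < t[victim].importance)
                victim = i;
        t[victim].active = false;   /* hand over to the overload handler */
        (*shed)++;
    }
    for (size_t i = 0; i < n; i++)
        if (t[i].active)
            return (int)i;
    return -1;
}

/* Constructed sample set at tick 0 (hypothetical): 8 ticks of work, but
 * "control" is due at tick 5 and "logging" at tick 6, so not all can finish. */
static const task_t sample[] = {
    { "logging", 3, 6, 1, true },
    { "alarm",   2, 4, 3, true },
    { "control", 3, 5, 2, true },
};
#define SAMPLE_N (sizeof sample / sizeof sample[0])

/* One scheduling point over a private copy of the sample. */
static const char *run_sample(unsigned *shed)
{
    task_t t[SAMPLE_N];
    memcpy(t, sample, sizeof sample);
    int idx = edf_dispatch(t, SAMPLE_N, 0, shed);
    return idx < 0 ? "none" : t[idx].name;
}

const char *sample_dispatched(void) { unsigned s; return run_sample(&s); }
unsigned sample_shed_count(void) { unsigned s; run_sample(&s); return s; }

int main(void)
{
    unsigned shed;
    const char *next = run_sample(&shed);
    printf("dispatch %s, shed %u task(s)\n", next, shed);
    return 0;
}
```

On the sample, "logging" (due at 6, lowest importance) is shed and "alarm" is dispatched; the check runs in O(n) over a list of bounded length, so the scheduling point itself stays time-bounded, which matters as much as the decision it makes.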

Programming

The next layer in the control application design is the programming of tasks. For this purpose, languages and tools should be used which, to the greatest extent possible, prevent the programmer from using constructs that could endanger temporal predictability and system integrity.

According to IEC 61508, application-specific and inherently safe static languages may be used for SIL 1. In Halang and Frigeri (1998), and based on IEC (1998), only safe subsets of Ada 95,

Discussion

In Halang and Frigeri (1998), the authors present a table of real-time functionalities enhancing safety, covering additional language constructs, operating system services and tools for program verification, needed to comply with SIL 1 requirements. In our project, we provided support for many of these features from the former two groups. A list of those is given below.

  • Supervision of the occurrence of events within time windows: by cyclic implementation of the ASIC hardware interrupt
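The bullet above is cut off after "the ASIC hardware interrupt". As an added illustration of time-window supervision, my own C code and not the paper's ASIC mechanism, the following arms a window [open, close] for an expected event, classifies the event as early, in time or late when it is reported, and lets a cyclic timer tick detect an event that never arrives, which no event handler alone can do. The window bounds and tick values are constructed.

```c
/* Time-window supervision of an expected event, driven by a cyclic tick.
 * Added example, not the paper's ASIC/interrupt scheme. */
#include <stdbool.h>

typedef enum { WIN_PENDING, WIN_OK, WIN_EARLY, WIN_LATE } win_status_t;

typedef struct {
    unsigned open;        /* earliest tick at which the event is acceptable */
    unsigned close;       /* latest acceptable tick (inclusive) */
    win_status_t status;
} window_t;

void window_arm(window_t *w, unsigned open, unsigned close)
{
    w->open = open;
    w->close = close;
    w->status = WIN_PENDING;
}

/* Called from the event's handler with the tick at which it occurred.
 * Only the first event decides the outcome; later ones are ignored. */
void window_event(window_t *w, unsigned at)
{
    if (w->status != WIN_PENDING)
        return;
    if (at < w->open)
        w->status = WIN_EARLY;
    else if (at > w->close)
        w->status = WIN_LATE;
    else
        w->status = WIN_OK;
}

/* Called from the cyclic timer interrupt: once the window has closed with
 * no event seen, the event is reported as missing (late). */
win_status_t window_poll(window_t *w, unsigned now)
{
    if (w->status == WIN_PENDING && now > w->close)
        w->status = WIN_LATE;
    return w->status;
}

/* Constructed trace (hypothetical): the event is expected in [10, 20]. Replays
 * ticks 1..until, injecting the event at event_at (0 = no event), and returns
 * the supervisor's verdict. */
win_status_t replay(unsigned event_at, unsigned until)
{
    window_t w;
    window_arm(&w, 10, 20);
    win_status_t s = WIN_PENDING;
    for (unsigned now = 1; now <= until; now++) {
        if (now == event_at)
            window_event(&w, now);
        s = window_poll(&w, now);
    }
    return s;
}
```

The poll is what turns "no event" into a detected failure: with event and window both handled only in the event's own interrupt, a sensor that stays silent would never be noticed, so the cyclic tick is the part a reviewer should check is actually wired to a periodic interrupt and not to the event itself.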

Conclusions

This paper does not introduce many novel solutions to improve the integrity of embedded control systems classified for the lowest safety integrity level as defined by IEC. Its main contribution is to demonstrate how already established principles can improve safety.

Apart from providing solutions to resolve problems that occur during execution, when designing a safety critical application it is also important to try and prevent the potential causes of errors, non-determinism and

References (27)

  • Black, A. P. (1983). Exception handling: The case against. Technical report TR 82-01-02. Department of Computer...
  • Colnarič, M., & Verber, D. (2000). Design and programming of peripheral interfaces for embedded real-time control...
  • Colnarič, M., & Verber, D. (2001). Dealing with tasking overload in object oriented real-time applications design....
  • Colnarič, M., Verber, D., & Halang, W. A. (1995). Supporting high integrity and behavioural predictability of hard...
  • Colnarič, M., et al. (1998). Implementation of embedded hard real-time systems. International Journal of Real-Time Systems.
  • Colnarič, M., Halang, W. A., & Tol, R. M. (1994). Hardware supported hard real-time operating system kernel....
  • Cooling, J. (1993). Task scheduler for hard real-time embedded systems. Proceedings of Int’l workshop on systems...
  • Cristian, F. (1989). Exception handling. In T. Anderson (Ed.), Dependability of resilient computers. Oxford: Blackwell...
  • Dijkstra, E. W., & Feijen, W. H. J. (1984). Een methode van programmeren. Academic...
  • DIN. (1981). DIN 66 253: Programming language PEARL, Part 1: Basic PEARL....
  • Halang, W. A., & Frigeri, A. H. (1998). Methods and languages for safety related real-time programming. In W. D....
  • Halang, W. A., & Stoyenko, A. D. (1991). Constructing predictable real-time systems. Boston-Dordrecht-London: Kluwer...
  • IEC. (1989). Binary floating-point arithmetic for microprocessor systems. IEC...