MultiPARTES: Multi-core partitioning and virtualization for easing the certification of mixed-criticality systems

https://doi.org/10.1016/j.micpro.2014.09.004

Abstract

The consumer market is continuously pushing for smarter, faster, more durable and cheaper products with ever more complex and sophisticated functionality. Other fields such as safety–critical and dependable applications are not unaware of these requirements, and even impose others (e.g. certification). In the current multi-core era, industry and research entities are facing the important challenge of fulfilling all these requirements, which often impose the necessity for integrating components with different levels of dependability in a single hardware platform. In this scenario, new concerns appear with respect to safety certification of the resulting mixed-criticality systems (e.g. temporal and spatial isolation). This article describes the research effort that is being conducted within the FP7 MultiPARTES project, which is one of the initiatives launched by the European Commission to explore new solutions for developing certifiable mixed-criticality systems using heterogeneous multi-cores. The article explains the proposed development toolset for such systems, presents a proof-of-concept implementation and shows its applicability in a real-world application that needs to be certified, namely a wind-power turbine.

Introduction

Currently there is an increasingly important trend for using mixed-criticality systems, where multiple components with different dependability, real-time and certification assurance levels (e.g. safety–critical and consumer functionality) are integrated into a shared computing platform [1]. The reasons behind the trend for mixed criticality are mainly non-functional: reducing costs, volume, weight and power consumption, and can be found in a multitude of different domains such as industrial control, airborne, automotive systems and space avionics, to cite only the most notable ones.

Certification is the process of issuing a certificate to indicate conformance with a standard, set of guidelines or some similar document. It is mandatory for some types of safety systems, whose failure may cause injury or death to human beings or serious environmental damage. In order to meet the requirements imposed by major certification bodies (e.g. to establish fault containment in the shared computing platform and avoid unintended side-effects between the components that are being integrated), the use of mechanisms for temporal and spatial partitioning in mixed-criticality systems is mandatory. For example, it is of utmost importance to guarantee that a failure affecting the in-flight entertainment system on a plane does not affect the engine control system. Partitions must thus encapsulate system resources temporally (e.g. latency, jitter, duration of availability during a scheduled access) and spatially (e.g. preventing a partition from altering the code or private data of other partitions). This is precisely the purpose of the Integrated Modular Avionics (IMA) paradigm [2] and the architectural guidelines in the AUTOSAR automotive initiative [3].
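The temporal side of partitioning above (a scheduled window per partition, with latency, jitter and availability as the properties to guarantee) can be checked offline on a static cyclic plan. The following is an added example, not code from the paper or from XtratuM: it uses an invented window description rather than any hypervisor's configuration format, and the 20 ms plan and latency bounds are constructed sample values.

```python
"""Static cyclic partition schedule checker (constructed example).

Models a time-partitioned major frame in which each partition owns fixed
time windows, the scheme used by ARINC 653-style hypervisors. The data
format is invented for illustration, not XtratuM's configuration syntax.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Window:
    partition: str
    start: int      # offset inside the major frame, microseconds
    duration: int   # window length, microseconds


def validate_plan(major_frame: int, windows: List[Window]) -> List[str]:
    """Return violations; an empty list means the plan is sound.

    Windows must have positive length, lie inside the frame and never
    overlap: an overlap would let two partitions run at once on the
    same core, which breaks temporal isolation.
    """
    errors = []
    ordered = sorted(windows, key=lambda w: w.start)
    for w in ordered:
        if w.duration <= 0:
            errors.append(f"{w.partition}: non-positive duration at {w.start}")
        if w.start < 0 or w.start + w.duration > major_frame:
            errors.append(f"{w.partition}: window at {w.start} leaves the frame")
    for a, b in zip(ordered, ordered[1:]):
        if a.start + a.duration > b.start:
            errors.append(f"{a.partition} overlaps {b.partition} at {b.start}")
    return errors


def partition_metrics(major_frame: int, windows: List[Window]) -> Dict[str, Tuple[int, int]]:
    """Per partition: (availability per frame, worst-case gap between windows).

    The worst-case gap bounds how long an event can wait before the
    partition next runs; it wraps around the frame boundary because the
    plan repeats cyclically.
    """
    by_part: Dict[str, List[Window]] = {}
    for w in windows:
        by_part.setdefault(w.partition, []).append(w)
    metrics = {}
    for name, ws in by_part.items():
        ws = sorted(ws, key=lambda w: w.start)
        avail = sum(w.duration for w in ws)
        gaps = [b.start - (a.start + a.duration) for a, b in zip(ws, ws[1:])]
        gaps.append(major_frame - (ws[-1].start + ws[-1].duration) + ws[0].start)
        metrics[name] = (avail, max(gaps))
    return metrics


def check_latency(metrics: Dict[str, Tuple[int, int]], bounds: Dict[str, int]) -> List[str]:
    """Report partitions whose worst-case gap exceeds their latency bound."""
    return [f"{p}: worst-case gap {metrics[p][1]} us exceeds bound {b} us"
            for p, b in bounds.items() if p in metrics and metrics[p][1] > b]


# Constructed sample: a 20 ms frame shared by a safety partition and a non-critical one.
SAMPLE_FRAME = 20_000
SAMPLE_PLAN = [
    Window("safety_ctrl", 0, 4_000),
    Window("infotainment", 4_000, 6_000),
    Window("safety_ctrl", 10_000, 4_000),
    Window("infotainment", 14_000, 6_000),
]
```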

Hence, mixed-criticality systems allow for dealing with ever more complex designs, which can be partitioned and developed separately and later integrated without having to consider all possible interactions that may occur among them, interactions which give rise to most of the safety concerns and verification costs. Such systems support composability, as their applications can be assembled in various combinations without the need to modify them. In addition, the target systems are real-time, as their correctness depends not only on the validity of their outputs but also on the time at which they are produced.

At the same time that mixed-criticality systems are proliferating, computing platforms are migrating from single-core to multi-core and, in the future, many-core architectures [4], [5], [6], [7]. It is estimated that multi-cores will be used in about 45% of industrial applications by 2015, up to 95% of which will combine different criticality levels [8]. Multi-cores and many-cores open new opportunities to develop robust mixed-criticality systems at a competitive price, but they also create new challenges that must first be addressed. Most existing commercial multi-core processors have not been designed with a focus on hard real-time but on maximal average performance, which poses multiple temporal isolation challenges [9], [10]. In order to guarantee the predictability required by highly critical applications, it is nowadays common to sacrifice most of the performance delivered by a multi-core processor and use only one of its cores [11]. It therefore becomes essential to develop new methods and techniques that enable the exploitation of the computing benefits offered by multi-cores while coping with their associated complexity and particularities (e.g. the need for communication and synchronisation between cores). The European Commission has launched several research projects in the context of its FP7 and Artemis programmes to come up with new solutions to this problem. These include MultiPARTES [12], RECOMP [13], ACROSS [14], CERTAINTY [15], parMERASA [16], T-CREST [17] and VIRTICAL [18].

This article focuses on the FP7 MultiPARTES project. It describes the most remarkable advances that have been made within this project, which range from a set of hardware and software methods for building mixed-criticality systems with temporal and spatial separation to a methodology for easing the design of multi-core based mixed-criticality systems. At the hardware level MultiPARTES uses a specifically designed heterogeneous multi-core platform that combines high-performance x86 cores and highly reliable SPARC-LEON3 cores, interconnected by means of a predictable Time-Triggered Network-on-Chip (TTNoC) [19], [20]. At the software level, MultiPARTES relies on a virtualization layer, offered by the XtratuM hypervisor [21], to guarantee safe and efficient sharing of the underlying hardware platform among a number of temporally and spatially separated partitions. The article is completed with a case study drawn from a real-world wind power application that illustrates the contributions brought about by MultiPARTES to the certification of mixed-criticality systems.

The remainder of this article is organised as follows. After summing up the key concepts and related work in Section 2, Section 3 outlines the MultiPARTES approach. Then, Sections 4 and 5 describe the MultiPARTES hardware platform and virtualization layer (XtratuM) respectively, while Section 6 explains the proposed development toolset. Finally, Section 7 presents the wind power case study and Section 8 discusses the concluding remarks and future work.

Section snippets

Background and related work

This section introduces some important aspects related to mixed-criticality systems, with special focus on system partitioning and virtualization. In addition, it sums up the most significant advances in this field.

The FP7 MultiPARTES approach

The main objective of the FP7 MultiPARTES project is to provide execution environments and tools to support the development and certification of mixed-criticality applications on partitioned and virtualized embedded multi-core platforms. The aims of the MultiPARTES project can be summarised as follows:

  • Support the development of mixed-criticality systems.

  • Enforce the mechanisms to build applications (partitions) that are temporally and spatially isolated.

  • Provide means for the independent

MultiPARTES hardware platform

This section outlines the general architecture of the MultiPARTES multi-core platform. As shown in Fig. 1, this comprises two heterogeneous components: a commercial Intel dual-core ATOM and an FPGA-resident custom-made triple-core LEON3 processor.

These hardware platforms have been selected on the basis that the Atom dual core is widely used in industry, and considering that two of the project demonstrators (video surveillance and wind turbine control) currently use this platform. On the other

MultiPARTES virtualization layer: XtratuM

XtratuM [21], [37] is a hypervisor that uses para-virtualization techniques to build a virtualization layer. Para-virtualization is a technique that achieves high performance and low complexity. The para-virtualized model offers potential performance benefits when a guest operating system or application is aware that it is running within a virtualized environment and has been modified to exploit this. One potential downside of this approach is that such modified guests cannot ever be

MultiPARTES development toolset

The development of mixed-criticality virtualized multi-core systems poses new challenges that are the subject of active research work. There is an additional complexity: it is now required to identify a set of partitions and to allocate applications to partitions. In this task a number of issues have to be considered, such as the criticality level of the application, security and dependability requirements, the operating system used by the application, timing requirements and specific hardware

Towards certification with MultiPARTES: wind-power turbine case-study

This section is aimed at discussing the benefits that a MultiPARTES-based solution would bring with respect to the Galileo wind turbine dependable control solution currently used by Alstom Renewables (formerly Alstom Wind and Ecotecnia).

A modern off-shore wind turbine dependable control system manages up to three thousand inputs/outputs; several hundred functions (safety and non-safety related) are distributed over several hundred nodes grouped into eight subsystems interconnected with a

Conclusions and future work

This paper presented the approach followed in the MultiPARTES FP7 project to support mixed-criticality integration for embedded systems based on virtualization techniques for heterogeneous multicore processors.

The major outcomes of the project are the MultiPARTES virtualization layer based on XtratuM, an open source hypervisor designed as a generic virtualization layer for heterogeneous multi-cores, the methodology, a heterogeneous multi-core hardware platform and a toolset to deal with

Acknowledgements

Research under the MultiPARTES project has received funding from the European Union 7th Framework Programme (FP7) under Grant agreement no. 287702. The work at Universidad Politécnica de Madrid and Universidad Politécnica de Valencia has also been partially funded by the Spanish Ministerio de Educación y Ciencia, project HI-PARTES (High Integrity Partitioned Embedded Systems), TIN2011-28567-C03 in the Plan Nacional de I+D+i. The work at IK4-IKERLAN has also been partially funded by the Spanish

References (49)

  • European Commission, “Mixed Criticality Systems”, Report from the Workshop on Mixed Criticality Systems,...
  • RTCA DO-297 Integrated Modular Avionics (IMA) Development Guidance and Certification...
  • H. Heinecke, J. Bortolazzi, K.-P. Schnelle, J.-L. Maté, H. Fennel, T. Scharnhorst, in: Baden (Ed.), AUTOSAR – An...
  • M. Vaidehi et al., Multicore applications in real time systems, J. Res. Ind. (2008)
  • S. Balacco, C. Rommel, Next Generation Embedded Hardware Architectures: Driving Onset of Project Delays, Costs Overruns...
  • M.S. Mollison, J.P. Erickson, J.H. Anderson, S.K. Baruah, J.A. Scoredos, Mixed-criticality real-time scheduling for...
  • X. Jean, M. Gatti, G. Berthon, M. Fumey, The use of multicore processors in airborne systems, MULCORS Project, Thales...
  • R. Ernst, Certification of trusted MPSoC platforms, in: Proceedings of the 10th International Forum on Embedded MPSoC...
  • O. Kotaba, J. Nowotsch, M. Paulitsch, S.M. Petters, H. Theiling, Multicore in real-time systems temporal isolation...
  • R. Nevalainen, O. Slotosch, D. Truscan, U. Kremer, V. Wong, Impact of multicore platforms in hardware and software...
  • S. Peiro, M. Masmano, I. Ripoll, A. Crespo, PaRTiKle OS, a replacement of the core of RTLinux, in: Proc. of the...
  • MultiPARTES: Multi-cores Partitioning for Trusted Embedded Systems....
  • RECOMP: Reduced Certification Costs Using Trusted Multi-core Platforms....
  • ACROSS: ARTEMIS CROSS-Domain Architecture....
  • CERTAINTY: Certification of Real Time Applications Designed for Mixed Criticality....
  • parMERASA: Multi-Core Execution of Parallelised Hard Real-Time Applications Supporting Analysability....
  • T-CREST: Time-Predictable Multi-Core Architecture for Embedded Systems....
  • VIRTICAL: SW/HW Extensions for Heterogenous Multicore Platforms....
  • C. Paukovits, H. Kopetz, Concepts of switching in the time-triggered network-on-chip, 14th IEEE Int. Conference on...
  • A. Crespo, I. Ripoll, M. Masmano, S. Peiró, Partitioned embedded architecture based on hypervisor: the XtratuM...
  • G.J. Popek et al., Formal requirements for virtualizable third generation architectures, Commun. ACM (1974)
  • R. Uhlig et al., Intel virtualization technology, IEEE Comput. (2005)
  • Advanced Micro Devices, AMD Virtualization (AMD-V) Technology, 2010. <http://www.amd.com/us/solutions/servers/...

Cited by (27)

    • Partition window assignment in hierarchically scheduled time-partitioned distributed real-time systems with multipath flows

      2022, Journal of Systems Architecture
      Citation excerpt:

      In mixed-criticality systems it is necessary to have total independence among partitions with the aim that the processes of specification, design, implementation, safety certification (in those systems that require it) and execution are totally independent throughout the different system components [6–9]. In the European project MultiPARTES [10] for example, a set of tools was proposed for the development of mixed criticality systems based on partitioning, from hardware and software architectures to partition management tools. The ARINC 653 standard defines temporal partitioning, where partitions are executed periodically.

    • An end-to-end framework for safe software development

      2018, Microprocessors and Microsystems
      Citation excerpt:

      In the following, we describe some of them. In the MultiPARTES project, tools and solutions for building trusted embedded systems have been introduced [27]. These systems have mixed criticality components allocated on multi-core platforms.

    • Integration of Data Distribution Service and distributed partitioned systems

      2018, Journal of Systems Architecture
      Citation excerpt:

      The operating system kernel applies a deterministic scheduling algorithm based on a static schedule (defined in a static configuration file) that indicates the time windows that are assigned to each partition. This is defined in different operating systems that are ARINC 653 compliant such as VxWorks [22] or the MultiPartes approach [29]. The assignment of time windows to partitions (or virtual machines) defines a hierarchical scheduling model.

    • The AXIOM platform for next-generation cyber physical systems

      2017, Microprocessors and Microsystems
      Citation excerpt:

      The AXIOM project (Agile, eXtensible, fast I/O Module) provides a general framework focusing on easily mapping applications to multi-board processing platforms [8,9]. Unlike other research efforts (such as CONTREX [10], DREAMS [11], EMC2 [12], MultiPARTES [13]) that focus mainly on the mixed-criticality applications, AXIOM provides a generic platform with its complete application development suite. Despite the existence of many FPGA-based boards, to the best of our knowledge our approach is the first that combines all the features (especially parallel programmability, connectivity and scalability).


    Dr. Salvador Trujillo is Software Production Area Manager at IK4-Ikerlan. Previously, he was associated researcher in the Department of Computer Science at the University of the Basque Country from 2002, with research visits to D. Batory at the University of Texas at Austin and D. Muthig at the Fraunhofer IESE. He is Ph.D. for his work on Feature Oriented Model Driven Product Lines in 2007. He is author of several peer-reviewed scientific publications in software engineering conferences like ICSE, WWW, ICWE, GPCE, SPLC, ECMFA, etc. His further research interests are the integration of model-driven and product-line techniques. He also holds an Executive MBA degree from ESEUNE Business School. He is currently leading a research team on embedded systems methodologies within the embedded group where advanced systems and software engineering paradigms (such as Model-Driven Development, Model-Based Systems Engineering and Product Lines) are applied to dependable embedded systems. He is participating within FP7 TERESA on safety, MDD and product-lines and he is leading green energy and railway control system projects applying these paradigms in practice, also with publications on the topic. He is project manager of the FP7 MultiPARTES project.

    Alfons Crespo is Professor in the Department of Computer Engineering of the Technical University of Valencia. He received his PhD in Computer Science from the Technical University of Valencia, Spain, in 1984. He held the position of Associate Professor in 1986 and full Professor in 1991. He leads the Industrial Informatics group and has been responsible for several European and Spanish research projects. His main research interests include different aspects of real-time systems (scheduling, hardware support, scheduling and control integration, ...). He has published more than 60 papers in specialized journals and conferences in the area of real-time systems.

    Alejandro Alonso received his Ph.D. in Computer Science in 1985. He became full professor of computer science. He belongs to the Department of Telematic Systems Engineering at the School of Telecommunication Engineering of the Universidad Politecnica de Madrid. His current research interests are in real-time and embedded systems, including design methods, software architectures, resource management, and operating systems. He has participated in several EU funded projects, as well as national government and industry funded research projects. His recent research activities include the development of a component for managing QoS and resources in embedded systems, and mixed-criticality systems based on hypervisors. He is an active member of ACM, IFAC, IEEE and Ada-Europe.

    Dr. Jon Pérez is a Researcher at the IKERLAN research center. He is currently head of the embedded systems research line and works in the design and development of safety-critical embedded systems, for example SIL4 railway signalling (ERTMS/ETCS). He is a certified TÜV Functional Safety engineer for the design of hardware and software based on the IEC 61508 standard. He received a B.Eng. in Industrial and Robotics at Mondragon University and an M.Sc. in Electronics & Electrical Engineering with distinction at the University of Glasgow, and he completed his doctoral studies in Computer Science at Technische Universität Wien (TU Wien) in the field of safety-critical embedded systems.