ABSTRACT
Dual modular redundancy (DMR) is not only an established solution for systems with high reliability demands; it is even required by aviation certification standards such as DO-254 [5, Clause 2.3.1]. A safety-critical avionic application such as the flight control system is designed with up to 6-fold redundancy, and the Avionics Full-Duplex Ethernet (AFDX) communication network is also based on DMR. In the automotive domain, too, DMR is a well-known solution. ISO 26262 [3, Part 6, Clause 7.4.13] also suggests heterogeneous or diverse redundancy for safety-critical applications, including software, which must be executed redundantly on independent hardware components to avoid failures caused by hardware errors. We exploit this mandatory software redundancy to master timing errors of critical software with minimal additional overhead.
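An added illustration of the idea behind the abstract, not code from the paper (whose actual mechanism the abstract does not describe): two diverse replicas of the same job run against a deadline, a replica that overruns its budget is reported as a timing error, and the partner's in-time result is still delivered, so the timing error is masked by the redundancy that safety standards already require. The deadline, the two job implementations and the simulated run times are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Optional

DEADLINE_MS = 10.0  # constructed per-job deadline for the example


@dataclass
class ReplicaOutcome:
    name: str
    elapsed_ms: float       # execution time of this replica (simulated here)
    value: Optional[int]    # None if the replica did not finish by the deadline


def run_replica(name: str, job: Callable[[int], int], x: int, elapsed_ms: float) -> ReplicaOutcome:
    """Execute one replica. elapsed_ms is a constructed, simulated run time so the
    example is deterministic; a real monitor would measure it with a timer."""
    value = job(x) if elapsed_ms <= DEADLINE_MS else None
    return ReplicaOutcome(name, elapsed_ms, value)


def dmr_select(a: ReplicaOutcome, b: ReplicaOutcome) -> dict:
    """Combine the outcomes of two redundant replicas.
    - one replica late, the other in time: timing error detected and masked
    - both in time but values differ: value error detected (not maskable with DMR)
    - both late: no valid output, the caller must go fail-safe"""
    in_time = [r for r in (a, b) if r.value is not None]
    late = [r.name for r in (a, b) if r.value is None]
    if len(in_time) == 2:
        if in_time[0].value != in_time[1].value:
            return {"output": None, "timing_errors": [], "mismatch": True}
        return {"output": in_time[0].value, "timing_errors": [], "mismatch": False}
    if len(in_time) == 1:
        return {"output": in_time[0].value, "timing_errors": late, "mismatch": False}
    return {"output": None, "timing_errors": late, "mismatch": False}


# Two diverse implementations of the same function (constructed stand-ins for a real task).
def job_primary(x: int) -> int:
    return x * 2 + 1


def job_diverse(x: int) -> int:
    return (x << 1) | 1


def demo() -> dict:
    """Replica A overruns its budget (12.5 ms > 10 ms), replica B finishes in time."""
    a = run_replica("A", job_primary, 20, 12.5)
    b = run_replica("B", job_diverse, 20, 5.5)
    return dmr_select(a, b)


if __name__ == "__main__":
    print(demo())
```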
REFERENCES
- Francisco J. Cazorla, Leonidas Kosmidis, Enrico Mezzetti, Carles Hernandez, Jaume Abella, and Tullio Vardanega. 2019. Probabilistic Worst-Case Timing Analysis: Taxonomy and Comprehensive Survey. Comput. Surveys 52, 1 (Feb. 2019), 14:1--14:35.
- R. I. Davis, L. Santinelli, S. Altmeyer, C. Maiza, and L. Cucu-Grosjean. 2013. Analysis of Probabilistic Cache Related Pre-emption Delays. In 2013 25th Euromicro Conference on Real-Time Systems. 168--179.
- International Organization for Standardization. 2018. ISO 26262:2018 - Road vehicles - Functional safety (2 ed.). International Organization for Standardization.
- Colin Ian King. 2021. stress-ng Version 0.11.07 (gcc 9.3, x86_64 Linux 5.6.19-rt12). https://kernel.ubuntu.com/~cking/stress-ng/
- RTCA, Inc. April 19, 2000. Design Assurance Guidance for Airborne Electronic Hardware: RTCA/DO-254.
- Meng Xu et al. 2019. Holistic Resource Allocation for Multicore Real-Time Systems. In 2019 IEEE RTAS.