Post on 12-May-2021
•
•
–
–
–
•
•
•
•
•
•
–
–
•
•
•
•
•
ViewPhysical
Logical View
Component
Application Subsystem Physical View
Computational Node
Comm. Network
•
–
–
•
A
B
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•–
–
–
–
–
•
•
•
•
•
•
•
–
–
–
•
–
–
A
B
C
D
E
A
period 1 Start of Cycle
A Observation of
Sensor Input
2 Start of Transmission
of Sensor Data
B Transmission of
Input Data
3 Start of Processing of
Control Algorithm
C Processing of
Control Algorithm
4 Termination of
Processing
D Transmission of
Output Data
5 Start of Output to
Actuators
E Output Operation
at the Actuator
6 Termination of
Output Operation
12
3
4
54
3
2
6
5
Stable
State
Computational or
Comm. Activity
A
B
C
D
E
1
2
3
4
5
6
1
real-time
(a) (b)
•
•
•
–
–
–
–
•
•
•
•
•
•
•
–
–
state is only defined during intervall Δ
πΔ
π
Time
FuturePast
•
–
–
•
–
–
–
•
–
A
B
C
D
E
A
period 12
3
4
54
3
2
6
5
A
B
C
D
E
1
2
3
4
5
6
1
real-time
•
•
–
–
•
–
–
–
•
•
–
–
–
–
–
–
•
•–
–
–
•
Multi-Cluster Systems
Distributed System
Multi-Core Processor
Hypervisor
•
•
•
•
•
Picture: TTA Group
•
–
–
•
–
–
•
–
–
–
•–
–
–
–
–
•
•–
–
–
•–
–
•
•
•
–
–
–
–
•
–
–
–
•
•
•
•
•–
–
•
•
•
•
Goossens, K.; Dielissen, J.; Radulescu, A.: Aethereal network on chip: concepts, architectures, and implementations. In Design & Test of Computers, IEEE 22 (5), pp. 414–421.
•–
–
–
Component Component
Component Component Component Component
Trusted
Resource
Manager
(TRM)
Component
Application-Specific Subsystem
Network
Interface
Time-Triggered Network-on-Chip
Network
Interface
Network
Interface
Network
Interface
Network
Interface
Network
Interface
Network
Interface
Trusted
Subsystem•
•
Fault Containment in the Time Domain
Fault Containment in the Value Domain
TT-NoCandNetwork Interface
• Global time allows coordination of sending activities
• No dynamic arbitration or temporal dependencies between components
• Transmission times are under control of the communication interface.
• Assignment of dedicated slots to each component as basis for protecting data integrity of messages
• Network interface ensures that components write only during assigned slots
• Addressing under control of communication interface
TrustedResourceManager
• The TRM rejects new schedules if collisions would occur (e.g., mutual overwriting of messages). • Assertions can be specified (e.g., to guarantee temporal properties of safety-relevant messages).
•
•
–
–
•
•
–
–
•
•
–
–
•
–
–
•
–
–
•
–
–
•
–
–
•
•
•
Res
earc
h O
. ONERA France
Ikerlan Spain
SINTEF Norway
Fortiss Germany
Un
iv.
Universität Siegen Germany
TU Kaiserslautern Germany
UPV Spain
TEI Greece
Ind
ust
ry
Thales SA France
Alstom Wind S.L. Spain
STMicroelectronics France
TÜV Rheinland Germany
SME
TTTech Austria
RealTime-At-Work France
Virtual Open Systems France
FENTISS Spain
•
•
•
•
•
Network-on-a-Chip
Network-on-a-Chip
MP
SO
C
Network-on-a-Chip
•
•
•
•
•
•
•
–
–
–
–…
17.06.2016
Domain-Independent Core Services for
Mixed-Criticality Systems
Services of
APEX
Services of
IEC 61131
Secure and
Fault-Tolerant .
Global Time .
Base .
Timely and
Secure
Communication
for TSP
Integrated
Resource
Management
for TSP
Timely and
Secure
Execution
for TSP
Diagnosis
Service
Robustness
Services
I/O
Service
Pilot ControlsPID
Controller Sensors Storage
Avionic Flight Control Service
(Safety Critical, Class A)
Entertainment / Multimedia
(Not Safety-Relevant)
Different implementation choices at chip-level and cluster level
HEALTHCARE AVIONICS WIND POWER
Node Node Node NodeSystem Node: Global Res. Manager (GRM)
DREAMS SYSTEM OF NETWORKED MULTI-CORE CHIPS
Tile: System Core
Memory GW
Application Tile Application Tile Application Tile
Tile: System Core
Off-Chip/On-Chip GW
Tile: System Core
I/O
System Node
Off-Chip GW
Local Resource Mngmt.
On-Chip Interconnect
Off-Chip Network Off-Chip Network
DRALOS
Syst
em
Co
mp
on
en
tO
pti
on
al S
ervi
ce
DREAMS Virtualization Layer
Processor Cores
Network Interface
DRALOS
Syst
em
Co
mp
on
en
tO
pti
on
al S
ervi
ce
DRALOS
Optional Service (MW)
Ap
plic
atio
nC
om
po
ne
nt
DRALOS
Optional Service (MW)
Ap
plic
atio
nC
om
po
ne
nt
Core Services
Optional Platform Services
Application Services
Fault-tolerant global time
Timely & secure exec. for TSP
Timely & secure communication for TSP
Integrated resource management for TSP
•
•
•
•
•
ViewPhysical
Logical View
Mes-sage
Component
Application Subsystem
Physical View
Partition
Tile
NoC
Node
Cluster
Off-Chip Network
Criticality Domain
Message-based Interface
•
–
•
•
•
–
•
•
–
•
•
•
•
–
–
•
•
•
•
IEC
61508
Functional Safety
Standard
EN
50126 / 8 / 9
Railways
ISO 15998
Earth Moving
Equipment
ISO
22201
Lifts
ISO
26262
Automotive
IEC
61800-5-2
Electrical
Drivers
IEC
62061
Machinery
ISO
13849
Machinery
IEC
60601
Medical
EN
50156
Furnaces
IEC
61513
Nuclear
IEC
61511
Process Ind
EN
50495
ATEX
Network Cfg. (Msg. Scheduling)
Processor Cfg. (Task Scheduling)
Global Resource
Management Cfg.
DREAMS Chip
DREAMS Chip
DREAMS Chip
DREAMS Chip
Linking Interface (Interaction between Components)
Configuration of Resources by GRM
MON
NI
LRM LRS
Processor Core or Processor Cluster
MON
NI
LRM LRS
Memory (e.g., DRAM)
Network Cfg. (Msg. Scheduling)
Configuration for Memory Scheduling
MON
NI
LRM LRS
I/O (e.g., DRAM)
Network Cfg. (Msg. Scheduling)
Configuration for I/O Scheduling
NI
Gate
way
Core
Network Cfg.
Network Cfg. (Msg. Scheduling)
Processor Cfg. (Task Scheduling)
MON
NI
LRM LRS
Processor Core or Processor Cluster
GRM
DREAMS Chip
DREAMS System of Networked Multi-Core Chips
NoC
Off-Chip Networks
•
•
•
•
•
•
6/17/2016
Hypervisors and OS for different criticalities (e.g.,
XtratuM, pikeOS, KVM)
On-chip and off-chip networks for different criticalities (e.g.,
Spidergon, TTNoC, TTE)
Processor cores for different criticalities (e.g., PPC, ARM)
Cro
ss-D
om
ain
Em
bed
de
d
Syst
em A
rch
itec
ture GENESYS
ACROSS
RECOMP
Secu
rity
OVERSEE
TERESA
TRESCCA
Safe
ty-C
riti
cal M
ult
i-C
ore
A
rch
itec
. an
d C
erti
fica
tio
n
ARAMIS
RECOMP
SAFECER
De
velo
pm
en
t M
eth
od
s
CESAR
CRYSTAL
VERDE
Re
sou
rce
Ma
nag
emen
t &
D
yna
mic
Re
con
figu
rati
on
FRESCOR
DiVA
Integrate existing components for
different criticalities
Technological result:DREAMS Architecture
Cross-domain architectural style for mixed-criticality systems
Platform of networked multi-core chips
Modelling and develop-ment methods for mixed-critiality systems and product lines
Certification methods Industrial Demonstrators in
three domains
Mix
ed
-Cri
tica
lity
at C
hip
-Lev
el
CERTAIN-TY
MULTI-PARTES
VIRTICAL
Pro
du
ct L
ine
s
MoSiS
VARIES
Re
al-T
ime
Mo
de
ling
an
d
Tim
ing
An
aly
sis PEGASE
TIMMO-2-USE
SCARLETT
Interface to Related Projects
Mixed-criticality community Standards Roadmaps Awareness and expertise
through training
Results of Horizontal Actions
Research and development closing technolo-gical gaps (e.g., end-to-end communication with time and space partitioning, modular safety-case for mixed-critiality product lines)
Integration and consolidation of existing components (e.g., hypervisors, off-chip/on-chip networks, models)
Demonstration in multiple domains Horizontal activities
Embedded Components
Simulation and timing analysis tools (e.g., OPNET, RTaW-Sim)
Networks of Excellence
HYCON
HIPEAC EMSIG Other Mixed-Criticality Projects Call 10
PROXIMA CONTREX
Actors
• SAFEPOWER Background:
Integrated Architecture –
Multicore
Processor
App.NApp.4
App.3App.2
App.1
Federated Architecture –
Multiple interconnected
single-core Processors
App.2App.1
Integrated Architecture –
Partitioned single-core
Processor
App.2App.1 App.N
+Low PowerReal-time, partioning, reliability, security, etc.
SAFEPOWER Architecture1. Power-aware adaptive execution service for CERTS2. Power-aware adaptive communication service for CERTS3. Power, energy and temperature extensions of health monitors4. Power, energy and temperature adaptat ion services for CERTS
Safety/Security
Standardse.g.,
61508
Architectural Properties
1. Key Properties for CRTES such real-time, time/space parti tioning, reliability and security +
2. Low power, energy and temperature
SAFEPOWER Architectural
Services
Railway Mixed-Criticality and Low-Power Use Case
Aerospace Mixed-Criticality and Low-Power Use Case
Cross-Domain SAFEPOWER Public Demonstrator
Application
Platform 3 (Virtual or Physical)
Platform 2 (Virtual or Physical)
Platform 1 (Virtual or Physical)
Hypervisor with low-power techniques for safety-critical
systems (e.g., XtratuM extension)
Power-aware board with power, energy and temperature measurement and management
Low-power fault-tolerance
services
Low-power scheduling
services
Power/energy scaling (DVFS, multi-
voltage, etc.)
Low-power monitoring
and diagnostic HW
Core peripheral
gating
Low-power on-chip network for safety-critical systems
(e.g., extended TTNoC, extended Nostrum)
Processor cores
(e.g., ARM, LEO N)
Input/output
Health and resource
monitoringSW
HW
WP3
WP2
WP2WP4
Security Services
• Autonomous object
controllers on the
railway signalling
network.
• Increased payload
fraction with low-power
mixed criticality systems
PublicDemonstrator
•
•
•
•