•

•

–

–

–

•

•

•

•

•

•

–

–

•

•

•

•

•

ViewPhysical

Logical View

Component

Application Subsystem Physical View

Computational Node

Comm. Network

•

–

–

•

A

B

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•–

–

–

–

–

•

•

•

•

•

•

•

–

–

–

•

–

–

A

B

C

D

E

A

period 1 Start of Cycle

A Observation of

Sensor Input

2 Start of Transmission

of Sensor Data

B Transmission of

Input Data

3 Start of Processing of

Control Algorithm

C Processing of

Control Algorithm

4 Termination of

Processing

D Transmission of

Output Data

5 Start of Output to

Actuators

E Output Operation

at the Actuator

6 Termination of

Output Operation

12

3

4

54

3

2

6

5

Stable

State

Computational or

Comm. Activity

A

B

C

D

E

1

2

3

4

5

6

1

real-time

(a) (b)

•

•

•

–

–

–

–

•

•

•

•

•

•

•

–

–

state is only defined during intervall Δ

πΔ

π

Time

FuturePast

•

–

–

•

–

–

–

•

–

A

B

C

D

E

A

period 12

3

4

54

3

2

6

5

A

B

C

D

E

1

2

3

4

5

6

1

real-time

•

•

–

–

•

–

–

–

•

•

–

–

–

–

–

–

•

•–

–

–

•

Multi-Cluster Systems

Distributed System

Multi-Core Processor

Hypervisor

•

•

•

•

•

Picture: TTA Group

•

–

–

•

–

–

•

–

–

–

•–

–

–

–

–

•

•–

–

–

•–

–

•

•

•

–

–

–

–

•

–

–

–

•

•

•

•

•–

–

•

•

•

•

Goossens, K.; Dielissen, J.; Radulescu, A.: Aethereal network on chip: concepts, architectures, and implementations. In Design & Test of Computers, IEEE 22 (5), pp. 414–421.

•–

–

–

Component Component

Component Component Component Component

Trusted

Resource

Manager

(TRM)

Component

Application-Specific Subsystem

Network

Interface

Time-Triggered Network-on-Chip

Network

Interface

Network

Interface

Network

Interface

Network

Interface

Network

Interface

Network

Interface

Trusted

Subsystem•

•

Fault Containment in the Time Domain

Fault Containment in the Value Domain

TT-NoCandNetwork Interface

• Global time allows coordination of sending activities

• No dynamic arbitration or temporal dependencies between components

• Transmission times are under control of the communication interface.

• Assignment of dedicated slots to each component as basis for protecting data integrity of messages

• Network interface ensures that components write only during assigned slots

• Addressing under control of communication interface

TrustedResourceManager

• The TRM rejects new schedules if collisions would occur (e.g., mutual overwriting of messages). • Assertions can be specified (e.g., to guarantee temporal properties of safety-relevant messages).

•

•

–

–

•

•

–

–

•

•

–

–

•

–

–

•

–

–

•

–

–

•

–

–

•

•

•

Res

earc

h O

. ONERA France

Ikerlan Spain

SINTEF Norway

Fortiss Germany

Un

iv.

Universität Siegen Germany

TU Kaiserslautern Germany

UPV Spain

TEI Greece

Ind

ust

ry

Thales SA France

Alstom Wind S.L. Spain

STMicroelectronics France

TÜV Rheinland Germany

SME

TTTech Austria

RealTime-At-Work France

Virtual Open Systems France

FENTISS Spain

•

•

•

•

•

Network-on-a-Chip

Network-on-a-Chip

MP

SO

C

Network-on-a-Chip

•

•

•

•

•

•

•

–

–

–

–…

17.06.2016

Domain-Independent Core Services for

Mixed-Criticality Systems

Services of

APEX

Services of

IEC 61131

Secure and

Fault-Tolerant .

Global Time .

Base .

Timely and

Secure

Communication

for TSP

Integrated

Resource

Management

for TSP

Timely and

Secure

Execution

for TSP

Diagnosis

Service

Robustness

Services

I/O

Service

Pilot ControlsPID

Controller Sensors Storage

Avionic Flight Control Service

(Safety Critical, Class A)

Entertainment / Multimedia

(Not Safety-Relevant)

Different implementation choices at chip-level and cluster level

HEALTHCARE AVIONICS WIND POWER

Node Node Node NodeSystem Node: Global Res. Manager (GRM)

DREAMS SYSTEM OF NETWORKED MULTI-CORE CHIPS

Tile: System Core

Memory GW

Application Tile Application Tile Application Tile

Tile: System Core

Off-Chip/On-Chip GW

Tile: System Core

I/O

System Node

Off-Chip GW

Local Resource Mngmt.

On-Chip Interconnect

Off-Chip Network Off-Chip Network

DRALOS

Syst

em

Co

mp

on

en

tO

pti

on

al S

ervi

ce

DREAMS Virtualization Layer

Processor Cores

Network Interface

DRALOS

Syst

em

Co

mp

on

en

tO

pti

on

al S

ervi

ce

DRALOS

Optional Service (MW)

Ap

plic

atio

nC

om

po

ne

nt

DRALOS

Optional Service (MW)

Ap

plic

atio

nC

om

po

ne

nt

Core Services

Optional Platform Services

Application Services

Fault-tolerant global time

Timely & secure exec. for TSP

Timely & secure communication for TSP

Integrated resource management for TSP

•

•

•

•

•

ViewPhysical

Logical View

Mes-sage

Component

Application Subsystem

Physical View

Partition

Tile

NoC

Node

Cluster

Off-Chip Network

Criticality Domain

Message-based Interface

•

–

•

•

•

–

•

•

–

•

•

•

•

–

–

•

•

•

•

IEC

61508

Functional Safety

Standard

EN

50126 / 8 / 9

Railways

ISO 15998

Earth Moving

Equipment

ISO

22201

Lifts

ISO

26262

Automotive

IEC

61800-5-2

Electrical

Drivers

IEC

62061

Machinery

ISO

13849

Machinery

IEC

60601

Medical

EN

50156

Furnaces

IEC

61513

Nuclear

IEC

61511

Process Ind

EN

50495

ATEX

Network Cfg. (Msg. Scheduling)

Processor Cfg. (Task Scheduling)

Global Resource

Management Cfg.

DREAMS Chip

DREAMS Chip

DREAMS Chip

DREAMS Chip

Linking Interface (Interaction between Components)

Configuration of Resources by GRM

MON

NI

LRM LRS

Processor Core or Processor Cluster

MON

NI

LRM LRS

Memory (e.g., DRAM)

Network Cfg. (Msg. Scheduling)

Configuration for Memory Scheduling

MON

NI

LRM LRS

I/O (e.g., DRAM)

Network Cfg. (Msg. Scheduling)

Configuration for I/O Scheduling

NI

Gate

way

Core

Network Cfg.

Network Cfg. (Msg. Scheduling)

Processor Cfg. (Task Scheduling)

MON

NI

LRM LRS

Processor Core or Processor Cluster

GRM

DREAMS Chip

DREAMS System of Networked Multi-Core Chips

NoC

Off-Chip Networks

•

•

•

•

•

•

6/17/2016

Hypervisors and OS for different criticalities (e.g.,

XtratuM, pikeOS, KVM)

On-chip and off-chip networks for different criticalities (e.g.,

Spidergon, TTNoC, TTE)

Processor cores for different criticalities (e.g., PPC, ARM)

Cro

ss-D

om

ain

Em

bed

de

d

Syst

em A

rch

itec

ture GENESYS

ACROSS

RECOMP

Secu

rity

OVERSEE

TERESA

TRESCCA

Safe

ty-C

riti

cal M

ult

i-C

ore

A

rch

itec

. an

d C

erti

fica

tio

n

ARAMIS

RECOMP

SAFECER

De

velo

pm

en

t M

eth

od

s

CESAR

CRYSTAL

VERDE

Re

sou

rce

Ma

nag

emen

t &

D

yna

mic

Re

con

figu

rati

on

FRESCOR

DiVA

Integrate existing components for

different criticalities

Technological result:DREAMS Architecture

Cross-domain architectural style for mixed-criticality systems

Platform of networked multi-core chips

Modelling and develop-ment methods for mixed-critiality systems and product lines

Certification methods Industrial Demonstrators in

three domains

Mix

ed

-Cri

tica

lity

at C

hip

-Lev

el

CERTAIN-TY

MULTI-PARTES

VIRTICAL

Pro

du

ct L

ine

s

MoSiS

VARIES

Re

al-T

ime

Mo

de

ling

an

d

Tim

ing

An

aly

sis PEGASE

TIMMO-2-USE

SCARLETT

Interface to Related Projects

Mixed-criticality community Standards Roadmaps Awareness and expertise

through training

Results of Horizontal Actions

Research and development closing technolo-gical gaps (e.g., end-to-end communication with time and space partitioning, modular safety-case for mixed-critiality product lines)

Integration and consolidation of existing components (e.g., hypervisors, off-chip/on-chip networks, models)

Demonstration in multiple domains Horizontal activities

Embedded Components

Simulation and timing analysis tools (e.g., OPNET, RTaW-Sim)

Networks of Excellence

HYCON

HIPEAC EMSIG Other Mixed-Criticality Projects Call 10

PROXIMA CONTREX

Actors

• SAFEPOWER Background:

Integrated Architecture –

Multicore

Processor

App.NApp.4

App.3App.2

App.1

Federated Architecture –

Multiple interconnected

single-core Processors

App.2App.1

Integrated Architecture –

Partitioned single-core

Processor

App.2App.1 App.N

+Low PowerReal-time, partioning, reliability, security, etc.

SAFEPOWER Architecture1. Power-aware adaptive execution service for CERTS2. Power-aware adaptive communication service for CERTS3. Power, energy and temperature extensions of health monitors4. Power, energy and temperature adaptat ion services for CERTS

Safety/Security

Standardse.g.,

61508

Architectural Properties

1. Key Properties for CRTES such real-time, time/space parti tioning, reliability and security +

2. Low power, energy and temperature

SAFEPOWER Architectural

Services

Railway Mixed-Criticality and Low-Power Use Case

Aerospace Mixed-Criticality and Low-Power Use Case

Cross-Domain SAFEPOWER Public Demonstrator

Application

Platform 3 (Virtual or Physical)

Platform 2 (Virtual or Physical)

Platform 1 (Virtual or Physical)

Hypervisor with low-power techniques for safety-critical

systems (e.g., XtratuM extension)

Power-aware board with power, energy and temperature measurement and management

Low-power fault-tolerance

services

Low-power scheduling

services

Power/energy scaling (DVFS, multi-

voltage, etc.)

Low-power monitoring

and diagnostic HW

Core peripheral

gating

Low-power on-chip network for safety-critical systems

(e.g., extended TTNoC, extended Nostrum)

Processor cores

(e.g., ARM, LEO N)

Input/output

Health and resource

monitoringSW

HW

WP3

WP2

WP2WP4

Security Services

• Autonomous object

controllers on the

railway signalling

network.

• Increased payload

fraction with low-power

mixed criticality systems

PublicDemonstrator

•

•

•

•