Abstract. Mixed-criticality cyber-physical systems provide great advantages in terms of cost, dependability, scalability and competitiveness. However, especially due to shared resources, the certification of this kind of system is still challenging. Furthermore, if power management is integrated in the system, compliance with safety and security is even more complex. This paper presents the safety concept of a railway signalling use-case, considering a mixed-criticality object controller which includes a power management approach. The paper proposes the use of degraded modes and a safety/security analysis of low power techniques. The concept has been positively assessed by an independent certification body.
I. INTRODUCTION
The complexity of industrial cyber-physical systems (CPS) is increasing continuously. EU industries developing critical real-time CPSes (safety, mission or business critical) such as automotive, aerospace, railway, etc. face a relentless demand for increased safety, security, more intelligence, connectivity, better performance, energy efficiency and cost/size/volume reduction. Multicore processors are an attractive solution in this direction: they offer increased performance with reduced cost, size, weight and energy consumption. Interestingly, their high performance makes them a key enabler of the integration of multiple applications on a single chip. These applications may have different criticality levels (safety, security, real-time), which leads to mixed-criticality systems. Mixed-criticality systems provide great advantages such as power, cost, size and weight reduction, reliability increase and scalability. Unfortunately, their safety certification according to industrial standards involves many challenges. Shared resources such as time, space or power couple the execution behaviour across cores. Due to their increasing complexity and the lack of rigorous guidelines (e.g. CAST32A [1]), providing the necessary argumentation for technical safety requirements (spatial/temporal independence) and process compliance is a demanding task.
Moreover, if power management is considered a key issue in safety-related CPSes, the certification task becomes even more challenging. Like time and space, power is also an important resource shared among the applications running in a mixed-criticality system. The lack of power management and optimization techniques can reduce the availability of the system and its expected lifetime (e.g. battery powered industrial applications). Furthermore, incorrect handling of energy can violate mixed-criticality guarantees, because the battery must not drain before a critical task completes its execution [2], [3]. In fact, the relation between power management and safety is not straightforward: the application of low power techniques could jeopardize safety requirements. With the objective of covering the lack of proposals considering both safety and power management features in multicore processors, the main contributions of the safety/security concept presented in this paper are:
• The definition of a safety and security concept for an integrated mixed-criticality railway signalling case-study on top of a multicore processor, successfully assessed by a certification authority (according to CENELEC EN 5012x [4] and IEC 61508 [5]).
• The formulation of a certification-cognizant power management approach, using degraded modes and making a specific safety/security analysis of low power techniques.
The rest of the paper is structured as follows. Section 2 gives an overview about mixed-criticality CPSes and railway use-case. Section 3 describes the safety concept of the object controller including both federated and integrated architectures. Section 4 explains the power management approach followed in the safety concept. The security concept is presented in section 5. Finally, section 6 exposes the main conclusions.
II. BACKGROUND AND RELATED WORK

A. Mixed-criticality CPS
Multicore processors enable the integration of multiple applications, possibly of different safety and security criticality, on a single hardware platform. Even though this integration overcomes the main limitations of the traditional federated architecture (especially in terms of scalability and cost), the safety and security analysis of mixed-criticality CPSes involves new demands. Their safety certification is a great challenge because of the inherently unpredictable multicore architecture: shared resources such as time, space or power couple the execution behaviour across cores. To help in the certification process there are domain-specific standards for functional safety certification, but most of them are based on the generic international standard IEC 61508. In the railway domain, the CENELEC EN 5012x standards cover the life cycle process for safety-relevant systems. However, for the sake of simplicity, some sections of this safety concept refer to IEC 61508.
Even if explicit guidance is not provided, many works on the certification of mixed-criticality systems use multicore partitioning and/or virtualization techniques [6]. The partitions or virtual machines, isolated from each other in the temporal and spatial domains, provide functional and physical isolation. An embedded hypervisor is the most commonly implemented partitioning technique. This virtualization layer allows several independent execution environments to run on a single computational platform. In recent years, embedded hypervisors have been increasingly used in avionics systems, industrial automation and railway systems [7], [8], [9]. Integration and connectivity are desirable features for many systems, but these attributes also have an important drawback: the exposure of the system to malicious attacks or sabotage. The IEC 62443 standard [10] provides an integrated approach to IT security certification for industrial automation and contributes to checking potential vulnerabilities and developing effective protective measures.
Regarding power management, the power consumption of a CPS comes from static power consumption (due to leakage current) and dynamic power consumption (due to switching activity). In order to reduce static power consumption, the different components can be set in a low power mode or switched off using the power gating technique [11], [12]. To reduce dynamic power consumption, voltage scaling (which also affects static power consumption) [13] and/or frequency scaling [14] and clock gating techniques [15], [16] can be implemented. To manage the implementation of this kind of technique, power mode management techniques can be used [17]. Their objective is to switch the operating mode in order to reduce power consumption. To apply this kind of method, the system must use components with multiple operation modes (e.g. sleep mode) or with voltage/frequency scaling capability. Some of the techniques integrate power modes with dynamic voltage/frequency scaling (DVFS); other proposals combine dynamic voltage/frequency scaling with power gating methods [18] or switch between different runtime models [19]. In any case (to the knowledge of the authors), the safety/security certification of those approaches has not been covered so far.
In this context the H2020 SAFEPOWER [20] project aims to enable the development of cross-domain mixed-criticality systems with low power and safety requirements by a reference architecture orchestrating different local power-management techniques based on safe and secure built-in low-power services. The SAFEPOWER safety-concept approach is based on the methodology defined in FP7-MULTIPARTES [21] and FP7-PROXIMA [22] . The argumentation of the impact of the low-power techniques into a COTS multicore and Xilinx Zynq platform [23] is based on the modular safety-cases and linking analysis performed in FP7-DREAMS project [24] .
B. Railway object controller
The railway use case consists of a trackside signalling SIL 4 system, composed of the interlocking, the object controller, and a set of controlled trackside equipment connected by wired and wireless communication networks (Fig. 1).
• The railway interlocking system sends the required information to the object controller in accordance with commands received from a signalling command system.
• The object controller, according to the information received from the main interlocking, manages trackside equipment and ensures the safe movement of rail traffic in its controlled area. In addition, it sends information about the state of the trackside field elements to the interlocking system.
• Typically the object controller manages the following trackside equipment: railway signals, train detection devices, movable elements, level crossings and train protection related devices. In this use-case three of them are considered: lineside signals, powered points and level crossings.
The case-study focuses on an object controller which performs part of the functionality of the interlocking in a distant location, close to a group of track equipment. For this reason, a potentially battery powered object controller is envisioned. It includes two main safety functions: object control and object state supervision. There is also a non-safety-critical function for monitoring purposes. From the safety functions the safety requirements (SR RS) are derived, and the most relevant ones are gathered in Table I. All the safety functions shall be developed with techniques and measures appropriate to SIL 4, according to the EN 5012x standards.
TABLE I. Most relevant safety requirements derived from the safety functions (the identifier of the first and last rows was not recoverable from the source)
ID | Safety requirement
(not recovered) | The safety function "Command management" shall perform, according to the information received from the interlocking, the operation of trackside elements.
SR RS 1 2 | The safety function "Safety system initialization" ensures the 'safe state' during the 'no power' and 'system initialization' states.
SR RS 1 3-5 | The safety function of trackside elements ensures that the element is operating according to the command ordered by the interlocking.
SR RS 1 6 | The safety function "Emergency action" activates the 'safe state'.
SR RS 1 7 | The safety function "Safe system rearm" ensures that the emergency action shall only be deactivated if the state is 'Emergency' and the interlocking sends an authorization signal.
SR RS 1 8 | The 'safe state' consists of the de-energization of the output 'safety relay(s)'.
SR RS 1 9 | The embedded system "maximum safety response time" shall not be greater than 1.5s.
(not recovered) | The safety function "object state supervision" shall perform the supervision of trackside elements.
III. SAFETY CONCEPT
Multicore based low power safety solutions are not "common practice" in industry. In order to reduce the conceptual gap, the strategy to present the safety concept is divided into two steps: first, using a federated approach and then focusing on an integrated and mixed-criticality architecture. 
A. Common Practice Approach
This section describes the distributed architecture of the decentralized railway signalling object controller, which represents the system level safety concept. This approach is not described in detail, as it only serves as a baseline for developing the integrated mixed-criticality safety concept (III-B). In order to safely perform the SIL 4 safety requirement SR RS 1, the safety computing node of the Object Controller is implemented as 'composite fail safety' by means of triple modular redundant (TMR) computing nodes, as depicted in Fig. 2. The TMR safety architecture is achieved by three parallel implementations of the same Object Controller logic and a comparison of their outputs. This architecture allows any discrepancy among the replicated nodes to be identified. Each computing node runs an instance of the safety software application and satisfies the safety features gathered in Table II. The safety relays participate in the "Emergency action" safety function (requirement SR RS 1 6) and the 'safe state' activation (requirement SR RS 1 8), according to the safety features of Table II-C/E. Additionally, safety measures shall be considered at life-cycle (Table II-A) and software development (Table II-D) level. Furthermore, hardware and software diagnostic measures (Table II-H) with a Diagnostic Coverage (DC) ≥ 99% must be implemented, as required by the standards to achieve a Hardware Fault Tolerance (HFT) of 2.
Federated architectures involve the design of multiple dependable railway object controllers (computing nodes) and associated off-chip communication buses, which lead to bigger reliability challenges (e.g., Electromagnetic Compatibility (EMC) sensitivity, increased number of connectors and cables, etc.) and to bandwidth and quality of service limitations. On the other hand, the addition of new functionality requires appending new subsystems, which is further restricted by the limited scalability, flexibility and extensibility. Altogether, this requires high maintenance and upgrade costs in addition to the costs of all the subsystem material (e.g. cables and connectors).
B. Mixed-Criticality Approach
With the aim of overcoming the limitations of the federated approach, the object controller is integrated with the non-safety-related application in a single platform (Fig. 3), in this case the Zynq-7000 platform [23]. Note that at system level the TMR safety architecture remains federated, since the IEC 61508 standard explicitly limits the highest integrity level that can be claimed for safety functions with on-chip redundancy to SIL 3 (IEC 61508-2 [5]). Accordingly, the standard mandates that to achieve SIL 4 the redundancy must be implemented off-chip. Before describing the safety concept, a fault hypothesis [25], [26], [27] is formulated encompassing the following assumptions:
• Up to SIL 4 software (EN 50128) and methodology (EN 50126, EN 50128 and EN 50129).
• The SAFEPOWER SCPU (single Fault-Containment Region (FCR)):
  • SIL 3 IEC 61508 compliant item, also compliant with EN 5012x
  • Permanent failure rate: 10-100 FIT
  • Transient failure rate: 100.000 FIT
• The hypervisor provides freedom from interference among partitions. It can fail in an arbitrary failure mode when it is affected by a fault.
• A partition can fail in an arbitrary failure mode when it is affected by a fault, both in the temporal and in the spatial domain.
Using a certified hypervisor, the safety-critical and the non-safety-critical partitions are each mapped to an independent ARM core of the Zynq. Partitioning and multicore allocation maximize resource usage and performance, while ensuring freedom from interference between safety and non-safety partitions and among safety partitions (Fig. 4). The certified hypervisor provides the services to safely access the shared resources (e.g., memory, peripherals, etc.).
The object control and supervision functionality is executed on the first ARM core, and there are different partitions to perform the whole object controller application. There is a Master Partition which switches between operational modes (section IV). The non-safety functionality, executed on the second ARM core, includes the non-critical monitoring routines. As stated in IEC 61508, when safety functions with different criticality levels are integrated, the system must be certified according to the highest SIL, unless enough evidence of independence between them is demonstrated and documented (IEC 61508-3 paragraph 7.4.2.9 / EN 50128 paragraph 9.4.9). So, the integrated solution requires additional safety measures compared to the federated architecture. At node level it must be considered that external communication is replaced by internal communication, the isolation between software applications is more compromised and new diagnostic techniques are required. To complete the safety measures of Table II, additional safety techniques are required. This analysis is equivalent to the one developed in [9], so the present study focuses on the implications of the power management feature for safety (section IV), which constitutes the main contribution of the paper.
IV. POWER MANAGEMENT
As stated before, more and more CPSes require power management today, and the most common methods are cited in section II-A. Even if these techniques can be used to reduce energy consumption, when implementing them in safety-critical systems their impact on the overall system safety must be considered. Low-power features must comply with the safety standard requirements (e.g., IEC 61508) in both: (1) the product life-cycle or functional safety management (to avoid systematic design faults) and (2) the techniques and measures to control failures during operation (to control random physical faults). For certification, the predictability of the system is essential, so pre-established configurations must be used whichever low power technique is applied. The Zynq-7000 SoC provides several power management capabilities. On the one hand, the platform enables the implementation of basic low power techniques like processor frequency scaling or clock gating. On the other hand, for power monitoring, different performance counters (e.g., ARM Performance Monitoring Units (PMU), AXI Performance Monitor) are supported, which can be used to estimate the system's power consumption. In addition, special sensors can be used to enable more accurate measurements (e.g., XADC Monitoring, TI Fusion Power Designer).
The application of low power techniques could jeopardize safety requirements. As an example, the widely used frequency scaling technique changes the temporal behaviour of the system, generating a potential risk of deadline misses or interference between applications of different criticality. Equally, the delays inserted by clock or power gating can be a source of uncertainty if the proper measures are not taken. Moreover, the implementation of these techniques, and consequently their implications for safety, depend to a large extent on the specific platform. The approach followed in the presented safety concept includes a Failure Mode and Effect Analysis (FMEA) for each function, considering its specific implementation on the Zynq-7000 platform. To complete the study, the safety arguments related to each function are also determined. These safety arguments are presented in the DREAMS project safety case [28] in order to demonstrate that the safety properties are satisfied for a given application in a given environment. Taking into account that the generic modular safety case is based on the Zynq-7000 [29], and considering the effects of low power techniques, four safety arguments are identified (temporal independence, configuration, safe power-up and safe shutdown) and their related FMEA table is developed. This FMEA-based analysis identifies the failure detection methods which allow the safe implementation of the low power techniques. Although the complete analysis is performed in SAFEPOWER (introduced in section II-A), as an example Table III shows the FMEA analysis of the ARM frequency scaling technique. All the detection methods are recommended techniques for hardware safety integrity in IEC 61508-2.
To deal with power management in safety-critical applications, the second part of the power management approach focuses on the use of degraded modes. This technique, also called Graceful degradation, is specified in IEC 61508-7 as a technique to address system failures in Software Architecture Design. Graceful degradation is highly recommended for SIL 4 (IEC 61508-3). Its objective is to keep the most critical system functions available, despite failures, by dropping the less critical functions. In this case, the same method is used but with the purpose of allowing lower power consumption and as a support for working in different power modes. Thus, this method ensures that if there are insufficient resources to carry out all the system functions, or the safety margins are jeopardized, the safety-critical partitions are prioritized over the non-critical ones. Each of these operational modes includes a predefined and predictable configuration of active partitions and its own verified scheduling schema, to fulfil compliance with the safety requirements. Three operational modes are defined within the railway use-case, a fully functional mode and two degraded modes:
• Normal mode or Fully Functional mode. The whole set of applications executes normally without any low power feature activated.
• Degraded mode 1 or Safety-critical Functional mode. The non-safety-critical functionality is disabled by switching off the non-critical partition and the second CPU hosting it. Regarding security, it works in Top Energy Mode without any limitation.
• Degraded mode 2 or Wait for Event Low Power Functional mode. The non-safety partition is also switched off and, additionally, the whole active processing part executes at decreased frequency. Moreover, a more relaxed security feature is implemented (Low Energy Mode security).
In order to avoid an adverse effect of power management on safety, predictable performance must be ensured. Static scheduling plans allow the pre-validation of the safety requirements in all operating modes, and the online decisions for power management are only oriented to changing between these modes. Moreover, the use of a certified hypervisor ensures safe changes between validated scheduling plans, avoiding temporal interference and concurrent accesses to device peripherals. The transition between operational modes enables advanced thermal, power and energy management without affecting system safety. Considering a generic approach, the transitions between the described operational modes are defined in Fig. 5. The system starts in Fully Functional mode, where all functionality is provided without any low power feature activated. The Master Partition is responsible for managing the activation/deactivation of the operational modes and the transitions between them. The selected criteria determine the rules that control the transitions between the normal mode and the two degraded modes. Depending on the system requirements and limits, the rules are configurable. In this case the main objective is power management, but it could also be thermal management or a combination of both. As an alternative approach, the transition logic can also respond to purely functional and application-specific characteristics, i.e. an expected time interval without activity, etc. The functional criterion can also be combined with power management and/or thermal management. Power/temperature-based transition management requires on-chip monitoring of these parameters. It must be taken into account that it is not mandatory for the temperature and power sensors to be safety certified. In any case, their performance can compromise availability rather than safety, because at component level the worst case is considered.
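The mode-switching logic described above, as an added example that is not code from the paper or the SAFEPOWER project: a static mode table holding the three operational modes (partitions, second core, frequency scaling, security mode) and the Master Partition's selection rule. Partition names, the battery/temperature/idle thresholds, the hysteresis and the treatment of an invalid sensor reading as the worst case are assumptions.

```python
"""Operational-mode manager modelled on the degraded modes of Section IV.

Added example, not code from the paper or the SAFEPOWER project. Partition names,
the thresholds, the hysteresis and the handling of invalid sensor readings are assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Mode(Enum):
    NORMAL = "Fully Functional"
    DEGRADED1 = "Safety-critical Functional"
    DEGRADED2 = "Wait for Event Low Power Functional"


@dataclass(frozen=True)
class ModeConfig:
    """Pre-established, pre-validated configuration of one operational mode."""
    active_partitions: frozenset   # partitions present in this mode's static schedule
    second_core_on: bool           # ARM core hosting the non-critical partition
    reduced_frequency: bool        # frequency scaling on the active processing part
    security_mode: str             # "Top Energy" or "Low Energy" (Section V)


SAFETY_PARTITIONS = frozenset({"master", "object_control", "object_supervision"})
NON_CRITICAL = frozenset({"monitoring"})

# Static mode table: the only configurations that can ever run; the online
# decision is limited to choosing one of them (no ad-hoc tuning at runtime).
MODE_TABLE = {
    Mode.NORMAL:    ModeConfig(SAFETY_PARTITIONS | NON_CRITICAL, True,  False, "Top Energy"),
    Mode.DEGRADED1: ModeConfig(SAFETY_PARTITIONS,                False, False, "Top Energy"),
    Mode.DEGRADED2: ModeConfig(SAFETY_PARTITIONS,                False, True,  "Low Energy"),
}

# Assumed transition thresholds; the gap between LOW and RECOVER gives hysteresis.
BATTERY_LOW = 40.0        # percent: leave Normal mode below this
BATTERY_CRITICAL = 20.0   # percent: enter Wait for Event mode below this
BATTERY_RECOVER = 50.0    # percent: return to Normal mode only above this
TEMP_MAX = 85.0           # degrees C: assumed limit for keeping the second core on
IDLE_LIMIT = 300.0        # seconds without interlocking activity (functional criterion)


@dataclass(frozen=True)
class Sensors:
    battery_pct: Optional[float]   # None models a missing or out-of-range reading
    temp_c: Optional[float]
    idle_seconds: float


def select_mode(current: Mode, s: Sensors) -> Mode:
    """Master Partition rule: return the next operational mode.

    The sensors are not safety-certified, so an invalid reading is treated as the
    worst case and selects the most conservative mode. That costs availability of
    the non-critical function; the safety partitions run in every mode.
    """
    if s.battery_pct is None or s.temp_c is None:
        return Mode.DEGRADED2
    if s.battery_pct < BATTERY_CRITICAL or s.idle_seconds >= IDLE_LIMIT:
        return Mode.DEGRADED2
    if s.battery_pct < BATTERY_LOW or s.temp_c > TEMP_MAX:
        return Mode.DEGRADED1
    if current is Mode.NORMAL or s.battery_pct >= BATTERY_RECOVER:
        return Mode.NORMAL
    return Mode.DEGRADED1   # recovering, but not yet above the hysteresis threshold


def safety_invariant_holds() -> bool:
    """Every mode keeps all safety partitions active: degradation only drops non-critical work."""
    return all(SAFETY_PARTITIONS <= cfg.active_partitions for cfg in MODE_TABLE.values())


def run_trace(readings: List[Sensors]) -> List[Mode]:
    """Replay a sequence of readings; the system starts in Fully Functional mode."""
    mode, trace = Mode.NORMAL, []
    for s in readings:
        mode = select_mode(mode, s)
        trace.append(mode)
    return trace


if __name__ == "__main__":
    # Constructed scenario: battery drains, a sensor drops out, then the battery recovers.
    scenario = [Sensors(80, 40, 0), Sensors(35, 40, 0), Sensors(15, 40, 0),
                Sensors(None, 40, 0), Sensors(45, 40, 0), Sensors(60, 40, 0)]
    for s, m in zip(scenario, run_trace(scenario)):
        print(f"{s} -> {m.value} / {MODE_TABLE[m].security_mode}")
```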
V. SECURITY ANALYSIS
This preliminary security analysis follows the methodology proposed by the OWASP foundation [30], which allows a security solution to be customized on the basis of standard technologies, with the aim of covering the essential security requirements described in the IEC 62443 series [10]. The objective is to make a first attempt for a system that is not yet mature, considering that safety is the main purpose. It is also an approach to assess the implications of the power management feature for security. As required by ISA 62443-1-1/62443-2-1, the definition of security objectives enables the identification of essential services and functions. Considering the undesirable scenarios and the related security threats, the following security objectives are determined: Trusted data exchange, Availability of communication, Restricted access, Authorized use of the system, Trusted updates and Trusted auxiliary devices. For every security objective, a list of attack paths is defined and analysed with regard to attack potential and damage potential. Attack potential is characterized by the elapsed time needed to perform the attack, the expertise needed, the type of information obtained, the ease of access to the target, and the equipment/resources needed to perform the attack. Damage potential is defined by the personal damage level, the operative damage and the financial damage. Combining all these factors, a risk value is obtained for every threat. This process is performed following the OWASP Risk Rating Methodology [30]. Due to limited space the complete analysis is not included, but it is presented within the safety concept of the SAFEPOWER project. As a result, the security requirements are gathered in Table IV. Security and power management may face situations with conflicting requirements. So it becomes essential to clearly separate and define the operations related to security that could be carried out under low energy restrictions, that is, to define the minimum set of requirements that will cover the identified security functionalities.
In this sense, two security modes of operation are proposed, top and low energy. In low energy mode, the security functions that are not strictly necessary are disabled.
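The rating of attack paths described above, as an added example that is not the paper's own analysis: it applies the OWASP Risk Rating factor scales and severity matrix to the attack-potential and damage-potential factors listed in this section, on constructed threats against three of the stated security objectives, and then derives which security functions stay enabled in the Low Energy security mode under an assumed policy (functions covering High or Critical threats are kept). The threats, their scores and the control names are constructed, not taken from the project.

```python
"""Threat risk rating with the attack and damage potential factors of Section V.

Added example, not the SAFEPOWER project's analysis. The 0-9 factor scale, the
averaging and the LOW/MEDIUM/HIGH bands follow the OWASP Risk Rating Methodology;
the threats, scores, control names and the Low Energy policy are constructed.
"""
from dataclasses import dataclass

# Attack potential (likelihood side): higher score means the attack is easier.
ATTACK_FACTORS = ("elapsed_time", "expertise", "information", "ease_of_access", "equipment")
# Damage potential (impact side): higher score means worse damage.
DAMAGE_FACTORS = ("personal", "operative", "financial")

# OWASP overall severity matrix indexed by (likelihood band, impact band).
SEVERITY = {
    ("LOW", "LOW"): "Note", ("LOW", "MEDIUM"): "Low", ("LOW", "HIGH"): "Medium",
    ("MEDIUM", "LOW"): "Low", ("MEDIUM", "MEDIUM"): "Medium", ("MEDIUM", "HIGH"): "High",
    ("HIGH", "LOW"): "Medium", ("HIGH", "MEDIUM"): "High", ("HIGH", "HIGH"): "Critical",
}


@dataclass(frozen=True)
class Threat:
    objective: str      # security objective from Section V that the threat violates
    attack_path: str
    attack: dict        # factor name -> score 0..9
    damage: dict        # factor name -> score 0..9
    control: str        # security function mitigating this path (constructed name)


def band(score: float) -> str:
    """OWASP bands: below 3 LOW, 3 to below 6 MEDIUM, 6 to 9 HIGH."""
    if score < 3:
        return "LOW"
    return "MEDIUM" if score < 6 else "HIGH"


def _check(scores: dict, factors: tuple, label: str) -> None:
    # Reject incomplete or out-of-range scoring instead of silently averaging it away.
    missing = set(factors) - set(scores)
    bad = [f for f in factors if f in scores and not 0 <= scores[f] <= 9]
    if missing or bad:
        raise ValueError(f"{label}: missing {sorted(missing)}, out of range {bad}")


def rate(threat: Threat) -> dict:
    """Average each factor group, band the averages and read the severity matrix."""
    _check(threat.attack, ATTACK_FACTORS, "attack potential")
    _check(threat.damage, DAMAGE_FACTORS, "damage potential")
    likelihood = sum(threat.attack[f] for f in ATTACK_FACTORS) / len(ATTACK_FACTORS)
    impact = sum(threat.damage[f] for f in DAMAGE_FACTORS) / len(DAMAGE_FACTORS)
    return {"likelihood": likelihood, "impact": impact,
            "severity": SEVERITY[(band(likelihood), band(impact))]}


# Constructed threats against three of the security objectives named in Section V.
THREATS = [
    Threat("Trusted data exchange", "tampering with interlocking to object controller commands",
           {"elapsed_time": 6, "expertise": 5, "information": 6, "ease_of_access": 4, "equipment": 6},
           {"personal": 9, "operative": 8, "financial": 7},
           "encryption of sensitive data in transit"),
    Threat("Authorized use of the system", "logged-in session left unattended",
           {"elapsed_time": 9, "expertise": 9, "information": 8, "ease_of_access": 3, "equipment": 9},
           {"personal": 4, "operative": 5, "financial": 3},
           "session time-out for inactivity"),
    Threat("Restricted access", "reading non-safety monitoring statistics without a login",
           {"elapsed_time": 7, "expertise": 6, "information": 4, "ease_of_access": 2, "equipment": 8},
           {"personal": 0, "operative": 2, "financial": 2},
           "login on read-only monitoring views"),
]


def low_energy_control_set(threats, keep=("High", "Critical")) -> set:
    """Controls that must stay enabled in the Low Energy security mode (assumed policy):
    those covering threats rated High or Critical. Only the rest are candidates for disabling."""
    return {t.control for t in threats if rate(t)["severity"] in keep}


if __name__ == "__main__":
    for t in THREATS:
        print(f"{t.objective:30s} {t.attack_path:60s} {rate(t)['severity']}")
    print("Low Energy mode keeps:", sorted(low_energy_control_set(THREATS)))
```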
TABLE IV. Security requirements (the identifier of the first row was not recoverable from the source)
ID | Security requirement
(not recovered) | Software components shall have at least one password, and the default one should only be known by the administrator. This way, a minimum authentication mechanism shall be used by the different elements of the system.
SCR RS 2 2 | Every action from a user shall require a secure log-in, in order to guarantee a correct authentication in the system.
SCR RS 2 3 | Every software component, as well as the system itself, shall have a session time-out for inactivity. Once this time-out is triggered, the password shall be requested to operate again.
SCR RS 2 4 | Only a super-user shall have rights to manage the configuration of the system (user management, hardware installation, etc.).
SCR RS 2 5 | All the communications between the Object Controller and the Interlocking shall be performed through a firewall. Rules shall be added in order to allow only the strictly necessary connections and block those that are not necessary.
SCR RS 2 6 | Every piece of data that is sensitive shall be transmitted and saved encrypted.
SCR RS 2 7 | A user policy shall be defined to identify every type of user that can operate the system and their associated and permitted actions.
SCR RS 2 8 | The software installed in the system shall be correctly managed in a repository using at least a Version Control System. It shall be possible to go back to a previous software configuration.
VI. CONCLUSION
This paper has contributed a safety concept definition for a mixed-criticality CPS integrated on a COTS multicore, considering a power management approach. This work covers the lack of proposals combining safety and low power features in the certification of multicore processors. The work has been reviewed and positively assessed by a certification body according to the IEC 61508 and EN 5012x safety standards, within the scope of a research project. The use of degraded modes and the consideration of safety arguments are the innovative proposals to tackle the issue of power management in mixed-criticality safety CPSes. Safety compliance is ensured by using predictable power modes and applying safety measures according to the standards. Finally, the security concept allows an early identification of risks and of the related requirements and countermeasures, also considering a low power scenario.
