26 research outputs found

    Integration of generic operating systems in partitioned architectures

    Master's thesis, Computer Engineering (Computer Architecture, Systems and Networks), Universidade de Lisboa, Faculdade de Ciências, 2009

    The Integrated Modular Avionics (IMA) specification defines a partitioned environment hosting multiple avionics functions of different criticalities on a shared computing platform. ARINC 653, one of the specifications related to the IMA concept, defines a standard interface between the software applications and the underlying operating system. Both specifications come from the world of civil aviation, but they are attracting interest from space industry partners, who have identified requirements common to those of aeronautic applications. Within the scope of this interest, the AIR architecture was defined under a contract from the European Space Agency (ESA). AIR provides temporal and spatial segregation, and foresees the use of different operating systems in each partition. Temporal segregation is achieved through the fixed cyclic scheduling of computing resources to partitions. The present work extends the foreseen partition operating system (POS) heterogeneity to generic non-real-time operating systems. This was motivated by documented difficulties in porting applications to RTOSs, and by the notion that proper integration of a non-real-time POS will not compromise the timeliness of critical real-time functions. For this purpose, Linux is used as a case study. An embedded variant of Linux is built and evaluated regarding its adequacy as a POS in the AIR architecture. To guarantee safe integration, a solution based on the Linux paravirtualization interface, paravirt-ops, is proposed. In the course of these activities, the AIR architecture definition was also subject to improvements. The most significant one, motivated by the intended increase in POS heterogeneity, was the introduction of a new component, the AIR Partition OS Adaptation Layer (PAL). The AIR PAL provides greater POS-independence to the major components of the AIR architecture, easing their independent certification efforts. Other improvements provide enhanced timeliness mechanisms, such as mode-based schedules and process deadline violation monitoring.

    The Integrated Modular Avionics (IMA) specification defines a partitioned environment in which avionics functions of different criticalities coexist on a single computing platform. The related ARINC 653 specification defines a standard interface between the applications and the underlying operating system. Both specifications come from the world of avionics, but they are gaining the interest of space industry partners, who have identified requirements common to aeronautical and space applications. Within the scope of this interest, the AIR architecture was defined under contract from the European Space Agency (ESA). This architecture provides temporal and spatial segregation, and foresees the use of different operating systems in each partition. Temporal segregation is obtained through the fixed, cyclic scheduling of resources to partitions. This work extends the foreseen heterogeneity among partition operating systems (POS). This was motivated by the documented difficulties in porting applications to real-time operating systems, and by the notion that the proper integration of a non-real-time POS will not compromise the timeliness of critical real-time functions. For this purpose, Linux was used as a case study. An embedded variant of Linux is built and evaluated as to its adequacy as a POS in the AIR architecture. To guarantee safe integration, a solution based on the Linux paravirtualization interface, paravirt-ops, is proposed. In the course of these activities, improvements were also made to the definition of the AIR architecture. The most significant one, motivated by the intended increase in heterogeneity among POSs, was the introduction of a new component, the AIR Partition OS Adaptation Layer (PAL). This component gives the main components of the AIR architecture greater independence from the POS, easing the efforts towards their independent certification. Other improvements provide advanced timeliness mechanisms, such as mode-based schedules and the monitoring of process deadline violations.

    ESA/ITI - European Space Agency Innovation Triangular Initiative (through ESTEC Contract 21217/07/NL/CB-Project AIR-II) and FCT - Fundação para a Ciência e Tecnologia (through the Multiannual Funding Programme

    Integration of Data Distribution Service and distributed partitioned systems

    [EN] Avionics systems are complex and time-critical systems that are progressively adopting more flexible (though equally robust) architectural designs. Although a number of current avionics systems follow federated architectures, the Integrated Modular Avionics (IMA) paradigm is becoming the dominant style in more modern developments. The reason is that the IMA concept promotes modular designs in which applications with different levels of criticality can execute in an isolated manner on the same hardware. This approach complies with the cost, safety, and weight requirements of avionics systems. The FACE standard (Future Airborne Capability Environment) defines the architectural baseline for easing integration in avionics systems, including the communication functions across distributed components. As specified in FACE, middleware will be integrated into avionics systems to ease the development of portable components that can interoperate effectively. This paper describes the use of publish-subscribe middleware (specifically, DDS - Data Distribution Service for real-time systems) in a fully distributed partitioned system. We describe, from a practical point of view, the integration of the middleware communication overhead into the hierarchical scheduling (compliant with ARINC 653) to allow the use of middleware in the partitions. We explain the design of a reliable communication setting, exemplified on a distributed monitoring application in a partitioned environment. The implementation results show that, given the stable communication overhead of the middleware, it can be integrated in the time windows of partitions.

    This work has been partly supported by the Spanish Ministry of Economy and Competitiveness through projects REM4VSS (TIN 2011-28339) and M2C2 (TIN2014-56158-C4-3-P).

    Garcia-Valls, M.; Domínguez-Poblete, J.; Eddine Touahria, I.; Lu, C. (2018). Integration of Data Distribution Service and distributed partitioned systems. Journal of Systems Architecture. 83:23-31. https://doi.org/10.1016/j.sysarc.2017.11.001

    Real-time scheduling in multicore : time- and space-partitioned architectures

    Doctoral thesis, Informatics (Computer Engineering), Universidade de Lisboa, Faculdade de Ciências, 2014

    The evolution of computing systems to address size, weight and power consumption (SWaP) has led to the trend of integrating functions (otherwise provided by separate systems) as subsystems of a single system. To cope with the added complexity of developing and validating such a system, these functions are maintained and analyzed as components with clear boundaries and interfaces. In the case of real-time systems, the adopted component-based approach should maintain the timeliness properties of the function inside each individual component, regardless of the remaining components. One approach to this issue is time and space partitioning (TSP)—enforcing strict separation between components in the time and space domains. This allows heterogeneous components (different real-time requirements, criticality, developed by different teams and/or with different technologies) to safely coexist. The concepts of TSP have been adopted in the civil aviation, aerospace, and (to some extent) automotive industries. These industries are also embracing multiprocessor (or multicore) platforms, either with identical or non-identical processors, but are not taking full advantage of them because of a lack of support in terms of verification and certification. Furthermore, due to the use of TSP in those domains, compatibility between TSP and multiprocessors is highly desired. This is not presently the case, as the reference TSP-related specifications in the aforementioned industries show limited support for multiprocessors. In this dissertation, we defend that the active exploitation of multiple (possibly non-identical) processor cores can augment the processing capacity of time- and space-partitioned (TSP) systems, while maintaining a compromise with size, weight and power consumption (SWaP), and open room for supporting self-adaptive behavior. To allow applying our results to a more general class of systems, we analyze TSP systems as a special case of hierarchical scheduling and adopt a compositional analysis methodology.

    Fundação para a Ciência e a Tecnologia (FCT, SFRH/BD/60193/2009, programa PESSOA, projeto SAPIENT); the European Space Agency (ESA) Innovation Triangle Initiative program through ESTEC Contract 21217/07/NL/CB, Project AIR-II; the European Commission Seventh Framework Programme (FP7) through project KARYON (IST-FP7-STREP-288195)

    Embedded-systems-oriented virtualization framework with functionality farming

    Doctoral Thesis in Electronic and Computer Engineering

    One: The use of a hypervisor as the separation kernel in integrated architectures is being considered, since a hypervisor provides not only temporal and spatial separation but also compatibility with legacy software. However, nowadays most hypervisors rely on paravirtualization or depend on high-end hardware; neither approach meets the requirements of safety-critical embedded systems. Paravirtualization, on the one hand, does not provide full compatibility with legacy software, which must be modified and adapted to an interface specific to the hypervisor used. High-end hardware, on the other hand, although it provides full compatibility with legacy software, gives rise to systems of large size, high weight, high power consumption, high cost, etc. In this thesis, the ability of full virtualization on low-end hardware to resolve the limitations of existing hypervisors is investigated. To that end, a hypervisor based on full virtualization on low-end hardware is described, and an evaluation of its performance and memory footprint is presented. Two: Conventional development methods are not able to keep up with the requirements of today's safety-critical embedded systems. In this thesis: (a) an existing model-based approach is presented, more specifically, model-based code generation; (b) the modifications applied to an existing model compiler so that it supports new capabilities are described; and (c) an evaluation is presented of the ability of model-based code generation to reduce engineering effort when compared with conventional approaches. Three: Most of today's operating systems follow a monolithic architecture; this architecture, however, is associated with poor reliability, weak security, high certification effort, as well as poor predictability and scalability. To remedy these problems, the solutions proposed in the literature merely work around the source of the problem, i.e., the large size of the kernel in a monolithic architecture, and do not solve it directly. In this thesis, functionality farming is proposed to attack the source of the problem. Functionality farming alone, however, depends on a significant engineering effort. Given this, this thesis also presents FF-AUTO, a tool capable of performing functionality farming semi-automatically. Finally, this thesis demonstrates how functionality farming is able to improve the design and performance of an existing kernel, and also demonstrates how FF-AUTO enables a significant reduction of the engineering effort.

    First, the use of a hypervisor as the separation kernel on integrated architectures has been considered, as it not only provides time and space partitioning, but also compatibility with legacy software. Nowadays, however, most hypervisors either rely on paravirtualization or depend on high-end hardware, neither of which fulfills the requirements of safety-critical embedded systems. Paravirtualization does not provide complete legacy compatibility, as it requires legacy software to be modified to fit a hypervisor-specific interface. High-end hardware, on the other hand, even though it provides complete legacy compatibility, leads to large system size, weight, power consumption, cost, etc. In this thesis, the feasibility of low-end hardware full virtualization to address the limitations of existing hypervisors is investigated. For that, a hypervisor based on low-end hardware full virtualization is described and an evaluation of its performance and footprint is presented. Second, conventional development methods are unable to keep up with the requirements of present and future safety-critical embedded systems. In this thesis: (a) an existing model-driven engineering approach to address the limitations of conventional development methods is presented, more specifically a model-driven code generation approach; (b) the modifications applied to an existing model compiler in order for it to support new features are described; and (c) an evaluation of whether or not a model-driven code generation approach leads to lower engineering effort when compared to a conventional approach is presented. Third, most operating systems nowadays follow a monolithic architecture; this, however, leads to poor reliability, weak security, high certification effort, as well as poor predictability and scalability. To address this problem, the solutions proposed in the literature merely work around the source of the problem, i.e., the large size of the kernel in a monolithic architecture, and do not address it directly. In this thesis, functionality farming is proposed to tackle the source of the problem. Functionality farming alone, however, depends on a significant engineering effort. To address this problem, this thesis also presents FF-AUTO, a tool which performs functionality farming semi-automatically. Finally, this thesis demonstrates how functionality farming is able to improve the design and the performance of an existing kernel, as well as how FF-AUTO enables a significant reduction of the required engineering effort.

    ReTiF: A declarative real-time scheduling framework for POSIX systems

    This paper proposes a novel framework providing a declarative interface to the real-time process scheduling services available in an operating system kernel. The main idea is to let applications declare their temporal requirements or characteristics without knowing exactly which underlying scheduling algorithms the system offers. The proposed framework can adequately handle such a set of heterogeneous requirements, configuring the platform and partitioning the requests among the available cores, so as to exploit the various scheduling disciplines available in the kernel and match application requirements in the best possible way. The framework is realized with a modular architecture in which different plugins independently handle particular real-time scheduling features. The architecture is designed to make customizing its behavior easier and to enhance support for other operating systems by introducing and configuring additional plugins.

    Selection of a new hardware and software platform for railway interlocking

    The interlocking system is one of the main actors in safe railway transportation. In most cases, the whole system is supplied by a single vendor. Recent regulations from the European Union call for an "open" architecture to invite new game changers and reduce life-cycle costs. The objective of the thesis is to propose an alternative platform that could replace a legacy interlocking system. In the thesis, various commercial off-the-shelf hardware and software products are studied which could be assembled to compose an alternative interlocking platform. The platform must be open enough to adapt to any changes in the constituent elements and abide by the proposed baselines of new standardization initiatives, such as ERTMS, EULYNX, and RCA. In this thesis, a comparative study is performed between these products based on hardware capacity, architecture, communication protocols, programming tools, security, railway certifications, life-cycle issues, etc.

    Escalonar sistemas de tempo-real de alta críticalidade (Scheduling high-criticality real-time systems)

    Cyclic executives are used to schedule safety-critical real-time systems because of their determinism, simplicity, and efficiency. One major challenge of the cyclic executive model is producing the cyclic scheduling timetable. This problem is related to the bin-packing problem [34] and is NP-hard in the strong sense. Unnecessary context switches within the scheduling table can introduce significant overhead; in IMA (Integrated Modular Avionics), cache-related overheads can increase task execution times by up to 33% [18]. Developed in the context of the Software Engineering Master's Degree at ISEP, the Polytechnic Institute of Engineering in Porto, Portugal, this thesis contains two contributions to the scheduling literature. The first is a precise and exact approach to computing the slack of a job set that is independent of the scheduling policy. The method introduces several operations to update and maintain the slack at runtime, ensuring the slack of all jobs is valid and coherent. The second contribution is the definition of a state-of-the-art preemptive scheduling algorithm focused on minimizing the number of system preemptions for real-time safety-critical applications within a reasonable amount of time. Both contributions have been implemented and extensively tested in Scala. Experimental results suggest our scheduling algorithm has a non-preemptive schedulability ratio similar to Chain Window RM [69], yet a lower ratio at high utilizations than Chain Window EDF [69] and BB-Moore [68]. For task sets that could not be scheduled non-preemptively, 98-99% of all jobs are scheduled without preemptions. Considering that our scheduler is preemptive, being able to compete with non-preemptive schedulers is an excellent result. In terms of execution time, our proposal is multiple orders of magnitude faster than the aforementioned algorithms. Both contributions of this work are planned to be presented at future conferences such as RTSS@Work and RTAS.