
    Dynamic lockstep processors for applications with functional safety relevance

    © 2021 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.

    Lockstep processing is a recognized technique for helping to secure functional-safety relevant processing against, for instance, single upset errors that might cause faulty execution of code. Lockstepping processors does, however, bind processing resources in a fashion not beneficial to architectures and applications that would benefit from multi-core/-processors. We propose a novel on-demand synchronizing of cores/processors for lockstep operation featuring post-processing resource release, a concept that facilitates the implementation of modularly redundant core/processor arrays. We discuss the fundamentals of the design and some implementation notes on work achieved to date.

    A Safety-First Approach to Memory Models.

    Sequential consistency (SC) is arguably the most intuitive behavior for a shared-memory multithreaded program. It is widely accepted that language-level SC could significantly improve programmability of a multiprocessor system. However, efficiently supporting end-to-end SC remains a challenge as it requires that both compiler and hardware optimizations preserve SC semantics. Current concurrent languages support a relaxed memory model that requires programmers to explicitly annotate all memory accesses that can participate in a data-race ("unsafe" accesses). This requirement allows compiler and hardware to aggressively optimize unannotated accesses, which are assumed to be data-race-free ("safe" accesses), while still preserving SC semantics. However, unannotated data races are easy for programmers to accidentally introduce and are difficult to detect, and in such cases the safety and correctness of programs are significantly compromised. This dissertation argues instead for a safety-first approach, whereby every memory operation is treated as potentially unsafe by the compiler and hardware unless it is proven otherwise. The first solution, DRFx memory model, allows many common compiler and hardware optimizations (potentially SC-violating) on unsafe accesses and uses a runtime support to detect potential SC violations arising from reordering of unsafe accesses. On detecting a potential SC violation, execution is halted before the safety property is compromised. The second solution takes a different approach and preserves SC in both compiler and hardware. Both SC-preserving compiler and hardware are also built on the safety-first approach. All memory accesses are treated as potentially unsafe by the compiler and hardware. SC-preserving hardware relies on different static and dynamic techniques to identify safe accesses. Our results indicate that supporting SC at the language level is not expensive in terms of performance and hardware complexity. 
The dissertation also explores an extension of this safety-first approach for data-parallel accelerators such as Graphics Processing Units (GPUs). Significant microarchitectural differences between CPU and GPU require rethinking of efficient solutions for preserving SC in GPUs. The proposed solution based on our SC-preserving approach performs nearly on par with the baseline GPU that implements a data-race-free-0 memory model.

    PhD, Computer Science and Engineering, University of Michigan, Horace H. Rackham School of Graduate Studies
    http://deepblue.lib.umich.edu/bitstream/2027.42/120794/1/ansingh_1.pd

    Space shuttle avionics system

    The Space Shuttle avionics system, which was conceived in the early 1970s and became operational in the 1980s, represents a significant advancement of avionics system technology in the areas of systems and redundancy management, digital data base technology, flight software, flight control integration, digital fly-by-wire technology, crew display interface, and operational concepts. The origins and the evolution of the system are traced; the requirements, the constraints, and other factors which led to the final configuration are outlined; and the functional operation of the system is described. An overall system block diagram is included.

    Holistic System Design for Deterministic Replay.

    Deterministic replay systems record and reproduce the execution of a hardware or software system. While it is well known how to replay uniprocessor systems, it is much harder to provide deterministic replay of shared memory multithreaded programs on multiprocessors because shared memory accesses add a high-frequency source of non-determinism. This thesis proposes efficient multiprocessor replay systems: Respec, Chimera, and Rosa. Respec is an operating-system-based replay system. Respec is based on the observation that most program executions are data-race-free and for programs with no data races it is sufficient to record program input and the happens-before order of synchronization operations for replay. Respec speculates that a program is data-race-free and supports rollback and recovery from misspeculation. For racy programs, Respec employs a cheap runtime check that compares system call outputs and memory/register states of recorded and replayed processes at a semi-regular interval. Chimera uses a sound static data race detector to find all potential data races and instruments pairs of potentially racing instructions to transform an arbitrary program to make it data-race-free. Then, Chimera records only the non-deterministic inputs and the order of synchronization operations for replay. However, existing static data race detectors generate excessive false warnings, leading to high recording overhead. Chimera resolves this problem by employing a combination of profiling, symbolic analysis, and dynamic checks that target the sources of imprecision in the static data race detector. Rosa is a processor-based ultra-low overhead (less than one percent) replay solution that requires very little hardware support as it essentially only needs a log of cache misses to reproduce a multiprocessor execution. Unlike previous hardware-assisted systems, Rosa does not record shared memory dependencies at all.
Instead, it infers them offline using a Satisfiability Modulo Theories (SMT) solver. Our offline analysis is capable of inferring interleavings that are legal under the Sequential Consistency (SC) and Total Store Order (TSO) memory models.

    PhD, Computer Science & Engineering, University of Michigan, Horace H. Rackham School of Graduate Studies
    http://deepblue.lib.umich.edu/bitstream/2027.42/102374/1/dongyoon_1.pd

    Formally designing and implementing cyber security mechanisms in industrial control networks.

    This dissertation describes progress in the state of the art for developing and deploying formally verified cyber security devices in industrial control networks. It begins by detailing the unique struggles that are faced in industrial control networks and why concepts and technologies developed for securing traditional networks might not be appropriate. It uses these unique struggles and examples of contemporary cyber-attacks targeting control systems to argue that progress in securing control systems is best met with formal verification of systems, their specifications, and their security properties. This dissertation then presents a development process and identifies two technologies, TLA+ and seL4, that can be leveraged to produce a high-assurance embedded security device. The method presented in this dissertation takes an informal design of an embedded device that might be found in a control system and 1) formalizes the design within TLA+, 2) creates and mechanically checks a model built from the formal design, and 3) translates the TLA+ design into a component-based architecture of a native seL4 application. The later chapters of this dissertation describe an application of the process to a security preprocessor embedded device that was designed to add security mechanisms to the network communication of an existing control system. The device and its security properties are formally specified in TLA+ in chapter 4, mechanically checked in chapter 5, and finally its native seL4 architecture is implemented in chapter 6. Finally, the conclusions derived from the research are laid out, as well as some possibilities for expanding the presented method in the future.

    Proceedings of the F-8 Digital Fly-By-Wire and Supercritical Wing First Flight's 20th Anniversary Celebration

    A technical symposium, aircraft display dedication, and pilots' panel discussion were held on May 27, 1992, to commemorate the 20th anniversary of the first flights of the F-8 Digital Fly-By-Wire (DFBW) and Supercritical Wing (SCW) research aircraft. The symposium featured technical presentations by former key government and industry participants in the advocacy, design, aircraft modification, and flight research program activities. The DFBW and SCW technical contributions are cited. A dedication ceremony marked permanent display of both program aircraft. The panel discussion participants included eight of the eighteen research and test pilots who flew these experimental aircraft. Pilots' remarks include descriptions of their most memorable flight experiences. The report also includes a survey of the Gulf Air War, and an after-dinner presentation by noted aerospace author and historian Dr. Richard Hallion.

    Identification of aircrew tasks for using direct voice input (DVI) to reduce pilot workload in the AH-64D Apache Longbow

    Advances in helicopter design continue to saturate the pilot's visual channel and produce remarkable increases in cognitive workload for the pilot. This study investigates the potential implementation of Direct Voice Input (DVI) as an alternative control for interacting with onboard systems of the AH-64D Apache, in an attempt to reduce pilot workload during a hands-on-the-controls and eyes-out condition. The intent is to identify AH-64D cockpit tasks performed through Multi Purpose Displays (MPDs) that, when converted to DVI, will provide the greatest reduction in task execution time and workload. A brief description of applicable AH-64D audio and visual displays is provided. A review of current trends in state-of-the-art voice recognition technology is presented, as well as previous and current voice input cockpit identification studies. To identify tasks in the AH-64D, a methodology was developed consisting of a detailed analysis of the aircraft's mission and on-board systems. A pilot questionnaire was developed and administered to operational AH-64D pilots to assess their input on DVI implementation. Findings indicate DVI would be most useful for displaying selected MPD pages and performing tasks pertaining to the Tactical Situation Display (TSD), weapons, and communications. Six of the candidate DVI tasks were performed in the AH-64D simulator using the manual input method and a simulated voice input method. Two different pilots made objective and subjective evaluations. Task execution times and workload rating were lower using a simulated means of voice input. Overall, DVI shows limited potential for workload reduction and warrants further simulator testing before proceeding to the flight environment.

    Retrofit Reconfigurable Flight Control System and the F/A-18C

    The United States Navy has completed the initial flight test of a Reconfigurable Control Law System (RCLAWS) on the F/A-18C. The purpose of reconfigurable control is to allow for the safe operation of an aircraft that has experienced a sudden change in aircraft dynamics resulting from aircraft damage or flight control effector damage. The RCLAWS utilized during this flight test are novel in that they are designed to augment the production flight control system instead of replacing it. In order to reduce verification and certification requirements, this retrofit reconfigurable methodology supplements pilot commands to compensate for undesirable aircraft dynamics instead of manipulating control surfaces directly. Through comparison of the aircraft's actual response to model data of the aircraft's desired response, the RCLAWS determines what commands need to be applied to produce the desired aircraft response. Flight test data have been collected to determine the viability of the in-line retrofit reconfigurable control method. Although flight data indicate a modest improvement within the limited flight test envelope, simulation analysis has indicated that the retrofit RCLAWS provide substantial improvements for more aggressive failures. Simulation has shown that RCLAWS reduce the aircrew workload in a recent catastrophic failure present in the F/A-18 community and provide predictable aircraft dynamics for a safe recovery.

    Reconfigurable integrated modular avionics.

    SIGLE. Available from British Library Document Supply Centre, DSC:DXN028119 / BLDSC - British Library Document Supply Centre. GB, United Kingdom.

    Automatic control program creation using concurrent Evolutionary Computing

    Over the past decade, Genetic Programming (GP) has been the subject of a significant amount of research, but this has resulted in the solution of few complex real-world problems. In this work, I propose that, for some relatively simple, non-safety-critical embedded control applications, GP can be used as a practical alternative to software developed by humans. Embedded control software has become a branch of software engineering with distinct temporal, interface and resource constraints and requirements. This results in a characteristic software structure, and by examining this, the effective decomposition of an overall problem into a number of smaller, simpler problems is performed. It is this type of problem amelioration that is suggested as a method whereby certain real-world problems may be rendered into a soluble form suitable for GP. In the course of this research, the body of published GP literature was examined and the most important changes to the original GP technique of Koza are noted; particular focus is made upon GP techniques involving an element of concurrency, which is central to this work. This search highlighted few applications of GP for the creation of software for complex, real-world problems; this was especially true in the case of multi-thread, multi-output solutions. To demonstrate this idea, a concurrent Linear GP (LGP) system was built that creates a multiple-input, multiple-output solution using a custom low-level evolutionary language set, combining both continuous and Boolean data types. The system uses a multi-tasking model to evolve and execute the required LGP code for each system output using separate populations. Two example problems, a simple fridge controller and a more complex washing machine controller, are described, and the problems encountered and overcome during the successful solution of these problems are detailed.
The operation of the complete, evolved washing machine controller is simulated using a graphical LabVIEW application. The aim of this research is to propose a general purpose system for the automatic creation of control software for use in a range of problems from the target problem class, without requiring any system tuning. In order to assess the system search performance sensitivity, experiments were performed using various population and LGP string sizes; the experimental data collected was also used to examine the utility of abandoning stalled searches and restarting. This work is significant because it identifies a realistic application of GP that can ease the burden of finite human software design resources, whilst capitalising on accelerating computing potential.