Distributed real-time fault tolerance in a virtualized separation kernel

Computers are increasingly being placed in scenarios where a computer error could result in the loss of human life or significant financial loss. Fault tolerant techniques must be employed to prevent an error from resulting in a fault causing such losses. Two types of errors that are common in real-time and embedded system are soft errors, i.e. data bit corruption, and timing errors, such as missed deadlines. Purely software based techniques to address these types of errors have the advantage of not requiring specialized hardware and are able to use more readily available commercial off-the-shelf hardware. Timing errors are addressed using Adaptive Mixed-Criticality, a scheduling technique where higher criticality tasks are given precedence over those of lower criticality when it is impossible to guarantee the schedulability of all tasks. While mixed-criticality scheduling has gained attention in recent years, most approaches assume a periodic task model and that the system has a single criticality level which dictates the available budget to all tasks. In practice these assumptions do not hold: different types of tasks are better served by different scheduling approaches and only a subset of high critical tasks might require additional capacity to meet deadlines. In the latter case, this occurs when a process has experienced a fault and requires additional capacity to perform the recovery. In this thesis, soft errors are addressed using a novel real-time fault tolerance method based on a virtualized separation kernel. Instead of executing redundant copies of an application on separate machines, the applications are consolidated onto one multi-core processor and use hardware virtualization extensions to partition the applications. This allows new recovery schemes to be explored. In addition, the maximum recovery time is sufficiently bounded to ensure recovery occurs in a timely manner without affecting the normal execution of the application. A virtualized separation kernel in combination with Adaptive Mixed-Criticality techniques creates a fault tolerant system that predictably detects and recovers from timing and soft errors

Predictable migration and communication in the Quest-V multikernal

Quest-V is a system we have been developing from the ground up, with objectives focusing on safety, predictability and efficiency. It is designed to work on emerging multicore processors with hardware virtualization support. Quest-V is implemented as a ``distributed system on a chip'' and comprises multiple sandbox kernels. Sandbox kernels are isolated from one another in separate regions of physical memory, having access to a subset of processing cores and I/O devices. This partitioning prevents system failures in one sandbox affecting the operation of other sandboxes. Shared memory channels managed by system monitors enable inter-sandbox communication. The distributed nature of Quest-V means each sandbox has a separate physical clock, with all event timings being managed by per-core local timers. Each sandbox is responsible for its own scheduling and I/O management, without requiring intervention of a hypervisor. In this paper, we formulate bounds on inter-sandbox communication in the absence of a global scheduler or global system clock. We also describe how address space migration between sandboxes can be guaranteed without violating service constraints. Experimental results on a working system show the conditions under which Quest-V performs real-time communication and migration.National Science Foundation (1117025

Mixed-Criticality Scheduling with I/O

This paper addresses the problem of scheduling tasks with different criticality levels in the presence of I/O requests. In mixed-criticality scheduling, higher criticality tasks are given precedence over those of lower criticality when it is impossible to guarantee the schedulability of all tasks. While mixed-criticality scheduling has gained attention in recent years, most approaches typically assume a periodic task model. This assumption does not always hold in practice, especially for real-time and embedded systems that perform I/O. For example, many tasks block on I/O requests until devices signal their completion via interrupts; both the arrival of interrupts and the waking of blocked tasks can be aperiodic. In our prior work, we developed a scheduling technique in the Quest real-time operating system, which integrates the time-budgeted management of I/O operations with Sporadic Server scheduling of tasks. This paper extends our previous scheduling approach with support for mixed-criticality tasks and I/O requests on the same processing core. Results show the effective schedulability of different task sets in the presence of I/O requests is superior in our approach compared to traditional methods that manage I/O using techniques such as Sporadic Servers.Comment: Second version has replaced simulation experiments with real machine experiments, third version fixed minor error in Equation 5 (missing a plus sign

Adaptive mappings for mouse-replacement interfaces

Users of mouse-replacement interfaces may have difficulty conforming to the motion requirements of their interfacesystem. We have observed users with severe motor disabilities who controlled the mouse pointer with a head tracking interface. Our analysis shows that some users may be able to move in some directions easier than other directions. We propose several mouse pointer mappings that adapt to the user's movement abilities. These mappings will take into account the user's motions in two-or three-dimensions to move the mouse pointer in the intended direction

Adaptive mouse-replacement interface control functions for users with disabilities

We discuss experiences employing a video-based mouse-replacement interface system, the Camera Mouse, at care facilities for individuals with severe motion impairments and propose adaptations of the system. Traditional approaches to assistive technology are often inflexible, requiring users to adapt their limited motions to the requirements of the system. Such systems may have static or difficult-to-change configurations that make it challenging for multiple users to share the same system or for users whose motion abilities slowly degenerate. As users fatigue, they may experience more limited motion ability or additional unintended motions. To address these challenges, we propose adaptive mouse-control functions to be used in our mouse-replacement system. These functions can be changed to adapt the technology to the needs of the user, rather than making the user adapt to the technology. We present observations of an individual with severe cerebral palsy using our system.National Science Foundation (IIS-0713229, IIS-0855065, IIS-0910908

Structure and Thermochemistry of Perrhenate Sodalite and Mixed Guest Perrhenate/Pertechnetate Sodalite.

Treatment and immobilization of technetium-99 (99Tc) contained in reprocessed nuclear waste and present in contaminated subsurface systems represents a major environmental challenge. One potential approach to managing this highly mobile and long-lived radionuclide is immobilization into micro- and meso-porous crystalline solids, specifically sodalite. We synthesized and characterized the structure of perrhenate sodalite, Na8[AlSiO4]6(ReO4)2, and the structure of a mixed guest perrhenate/pertechnetate sodalite, Na8[AlSiO4]6(ReO4)2-x(TcO4)x. Perrhenate was used as a chemical analogue for pertechnetate. Bulk analyses of each solid confirm a cubic sodalite-type structure (P4̅3n, No. 218 space group) with rhenium and technetium in the 7+ oxidation state. High-resolution nanometer scale characterization measurements provide first-of-a-kind evidence that the ReO4- anions are distributed in a periodic array in the sample, nanoscale clustering is not observed, and the ReO4- anion occupies the center of the sodalite β-cage in Na8[AlSiO4]6(ReO4)2. We also demonstrate, for the first time, that the TcO4- anion can be incorporated into the sodalite structure. Lastly, thermochemistry measurements for the perrhenate sodalite were used to estimate the thermochemistry of pertechnetate sodalite based on a relationship between ionic potential and the enthalpy and Gibbs free energy of formation for previously measured oxyanion-bearing feldspathoid phases. The results collected in this study suggest that micro- and mesoporous crystalline solids maybe viable candidates for the treatment and immobilization of 99Tc present in reprocessed nuclear waste streams and contaminated subsurface environments

Functional Connectivity in Tactile Object Discrimination—A Principal Component Analysis of an Event Related fMRI-Study

BACKGROUND: Tactile object discrimination is an essential human skill that relies on functional connectivity between the neural substrates of motor, somatosensory and supramodal areas. From a theoretical point of view, such distributed networks elude categorical analysis because subtraction methods are univariate. Thus, the aim of this study was to identify the neural networks involved in somatosensory object discrimination using a voxel-based principal component analysis (PCA) of event-related functional magnetic resonance images. METHODOLOGY/PRINCIPAL FINDINGS: Seven healthy, right-handed subjects aged between 22 and 44 years were required to discriminate with their dominant hand the length differences between otherwise identical parallelepipeds in a two-alternative forced-choice paradigm. Of the 34 principal components retained for analysis according to the 'bootstrapped' Kaiser-Guttman criterion, t-tests applied to the subject-condition expression coefficients showed significant mean differences between the object presentation and inter-stimulus phases in PC 1, 3, 26 and 32. Specifically, PC 1 reflected object exploration or manipulation, PC 3 somatosensory and short-term memory processes. PC 26 evinced the perception that certain parallelepipeds could not be distinguished, while PC 32 emerged in those choices when they could be. Among the cerebral regions evident in the PCs are the left posterior parietal lobe and premotor cortex in PC 1, the left superior parietal lobule (SPL) and the right cuneus in PC 3, the medial frontal and orbitofrontal cortex bilaterally in PC 26, and the right intraparietal sulcus, anterior SPL and dorsolateral prefrontal cortex in PC 32. CONCLUSIONS/SIGNIFICANCE: The analysis provides evidence for the concerted action of large-scale cortico-subcortical networks mediating tactile object discrimination. Parallel to activity in nodes processing object-related impulses we found activity in key cerebral regions responsible for subjective assessment and validation

Blink and Wink Detection for Mouse Pointer Control

A Human-Computer Interaction (HCI) system that is designed for individuals with severe disabilities to simulate control of a traditional computer mouse is introduced. The camera-based system monitors a user’s eyes and allows the user to simulate clicking the mouse using voluntary blinks and winks. For users who can control head movements and can wink with one eye while keeping their other eye visibly open, the system allows complete use of a typical mouse, including moving the pointer, left and right clicking, double clicking, and click-and-dragging. For users who cannot wink but can blink voluntarily the system allows the user to perform left clicks, the most common and useful mouse action. The system does not require any training data to distinguish open eyes versus closed eyes. Eye classification is accomplished online during real-time interactions. The system had an accuracy of 8027/8306 = 96.6 % in classifying sub-images with open or closed eyes and successfully allows the users to simulate a traditional computer mouse

Quest-V: A Virtualized Multikernel for Safety-Critical Real-Time Systems

Abstract—Modern processors are increasingly featuring multiple cores, as well as support for hardware virtualization. While these processors are common in desktop and server-class computing, they are less prevalent in embedded and real-time systems. However, smartphones and tablet PCs are starting to feature multicore processors with hardware virtualization. If the trend continues, it is possible that future real-time systems will feature more sophisticated processor architectures. Future automotive or avionics systems, for example, could replace complex networks of uniprocessors with consolidated services on a smaller number of multicore processors. Likewise, virtualization could be used to isolate services and increase the availability of a system even when failures occur. This paper investigates whether advances in modern processor technologies offer new opportunities to rethink the design of real-time operating systems. We describe some of the design principles behind Quest-V, which is being used as an exploratory vehicle for real-time system design on multicore processors with hardware virtualization capabilities. While not all embedded systems should assume such features, a case can be made that more robust, safetycritical systems can be built to use hardware virtualization without incurring significant overheads. I

Predictable Migrationand CommunicationintheQuest-VMultikernel

Abstract—Quest-V is a system we have been developing from the ground up, with objectives focusing on safety, predictabilityandefficiency.Itisdesignedtoworkonemerging multicore processors with hardware virtualization support. Quest-V is implemented as a “distributed system on a chip ” and comprises multiple sandbox kernels. Sandbox kernels are isolated from one another in separate regions of physical memory, having access to a subset of processing cores and I/O devices. This partitioning prevents system failures in one sandbox affecting the operation of other sandboxes. Shared memory channels managed by system monitors enable inter-sandbox communication. The distributed nature of Quest-V means each sandbox has a separate physical clock, with all event timings being managed by per-core local timers. Each sandbox is responsible for its own scheduling and I/O management, without requiring intervention of a hypervisor. In this paper, we formulate bounds on inter-sandbox communication in the absence of a global scheduler or global system clock. We also describe how address space migration between sandboxes can be guaranteed without violating service constraints.Experimentalresultsonaworkingsystemshow the conditions under which Quest-V performs real-time communication and migration. I