WP3 - Dynamic runtime environments and services

Objectives

The broad objective of the WP3 is to enhance the European knowledge in mechanisms and architectures for Run-time environments (RTE) that are able to support mixed-critical systems, security techniques, safety and real-time properties. Basis will be the existing RTEs as used in the EMC² Living Labs which are formal or de-facto standards in industry. Technologies include mechanisms such as virtualization, hypervision, monitoring, which need to be adapted to increasing application system dynamics with no loss in effectiveness and minimal loss in efficiency.

Expected results

WP3 will achieve a common understanding of techniques, methodologies and a development of supporting tools to address Dynamic Runtime Environments and Services. The broad expected results is a Runtime Environment (RTE) that guarantees a certain quality of service to the application with respect to available computing resources, real-time properties, availability, failure rates, or freedom from interference for safety-critical applications. Moreover, WP3 will lead to:

A hypervisor (Anaxogors) to support safety and security properties with special attention to real-time properties.
A real-time inter-core communication mechanisms as well as isolation mechanisms.
A Fault-Tolerant Multi-core Library (FaToMLib) targets multi-core architectures. A prototype of the library shall be also delivered along with respective documentation.
An RTE version of Android customized to support EMC² architecture and vision applications.

Work package structure

WP3 is split in 7 thematic tasks.

T3.1: Requirements and specification

Objective of Task 3.1 is to establish a strong and stable link to WP1 and the EMC² Living Labs.

T3.2: Communication services

Communication is a great challenge in mixed critical systems. It is inevitable in practical applications, but opens paths for error propagation both via errors in the communicated information and via non-functional interference, such as blocking of communication channels via resource overutilization. This is particularly relevant in mixed critical systems where system functions with different quality levels and efficiency requirements share the same hardware and communication resources. Task 3.2 shall develop a harmonized communication infrastructure providing robust isolation simple enough for inexpensive certification. Harmonization shall reduce cost and provide portability.

T3.3: Virtualization and isolation

By safety standard requirements, critical applications and non-critical applications must be isolated properly. There are two aspects of isolation: functional isolation and non-function isolation. Existing virtualization provides functional isolation by creating individual address spaces for virtual partitions (i.e. by using the MMU). Non-functional isolation is of particular interest in the safety critical embedded domain. The timing of applications running in one virtual machine must only have a bounded (and preferable minimal) impact on timing in other virtual machines. In EMC², this can be achieved by mapping applications onto individual cores and virtually locking them in, and by corresponding flow control and isolation on the communication network. This is only possible if the communication stack (i.e. core-to-core) itself supports isolation and is closely tailored towards criticality containment.

T3.4: Security mechanisms and services

The main objective of Task 3.4 is the specification and design of the security-oriented features of the RTE/Hypervisor which have to connect the security properties required for the application cases as well as the specific HW security-oriented modules built in the architecture prototype.

T3.5: Safety platform and real-time mechanisms

The main objective of Task 3.5 is the specification and design of the safety-oriented features of the RTE/Hypervisor which have to connect the safety properties required for the application cases as well as the specific HW safety-oriented modules built in one architecture. Results of Task 3.5 will be proposed to standardization bodies, such as AUTOSAR.

T3.6: Dynamic application and platform control

Current safety critical systems avoid dynamic platform control to improve determinism. However, allowing and exploiting dynamic system behaviour can significantly improve platform performance and resource utilization. For the non-critical parts, dynamic change should be supported, as long as the required freedom from interference can be guaranteed. For the critical parts, dynamic control can restitute reliability in case of errors. This task will develop efficient mechanisms of dynamic platform control including resource assignment and configuration, communication flow control and system level performance control.

T3.7: OS support functions

Based on the results from T3.2 to T3.7, OS support functions needed for the RTE extensions shall be defined that are usable in the Living Labs.