


# Embedded multi-core systems for mixed criticality applications in dynamic and changeable real-time environments

### Welcome

- 1. Message from Programme Officer
- 2. Message from the Project Coordinator

## Work Package Reports

- 3. Report from Work Package 1
- 4. Report from Work Package 4
- 5. Report from Work Package 7

## **Related Activities**

- 6. EMC<sup>2</sup> presented as "Success Story" at ECSEL Austria Autumn 2014
- 7. Safety & Security Workgroup creation
- 8. EMC<sup>2</sup> co-hosting DECSoS Workshop at SAFECOMP 2014

## **Technical Reports**

- 9. SoCRocket The Space TLM Framework
- 10. Time synchronization for distributed safety critical systems

## **Guest Article**

- 11. parMERASA FP7 Project

## **General Information**

- 12. Call for Papers INDIN'15 Conference





## Message from Programme Officer, Georgi Kuzmanov



Georgi Kuzmanov, ECSEL Programme Officer for EMC<sup>2</sup>

Dear EMC<sup>2</sup> Innovators,

Welcome aboard one of the most daring endeavors of the Embedded Systems industry in Europe. It is surely no secret that *EMC*<sup>2</sup> is by far the largest ever project targeting the multi-core processing paradigm in the context of safety-critical embedded systems. Its multi-million budget, spread over almost a hundred partners, reflects the strong commitment of European industry and academia to significantly impact our lives through pioneering innovations using cutting-edge technologies. The exuberant arsenal of such technologies has been developed during the past few years mainly in projects funded by the ARTEMIS programme.

ARTEMIS proved to be the largest programme ever that has supported research and innovation for Multi Core Embedded Systems and Safety Critical Systems and *EMC*<sup>2</sup> is the natural emanation of thousands of man-months of efforts in those two strategic domains.

An important result of those efforts was the critical mass you have created for sustainable excellence in innovation. Therefore, *EMC*<sup>2</sup> is expected not only to focus and exploit the collective energy of numerous past projects, but also to prove indisputably your excellence in innovation. Do not forget that your excellence is Europe's excellence!

The challenges of *EMC*<sup>2</sup> are proportional to its size: they are huge in terms of technology, but are also of mammoth size in terms of work organization and management. None in our community so far has dared to realize a project of such a scale. Hence, it is our responsibility, all together, to prove that this is not only doable but also an economically efficient and impactful effort. Therefore, I would appreciate it if you all recognized ECSEL JU, the successor of ARTEMIS JU, as the 100th partner of the project rather than as the "Big Brother watching you". After all, we have the common goal of bringing innovation in safety-critical multi-core embedded systems to a level that will positively affect European industrial competitiveness and citizens' lives. I am a strong believer in this noble goal and am eager to be excited by the first EMC<sup>2</sup> results very soon.

In conclusion, let me wish you success with an appeal:

Daringly innovate for Europe!

Georgi Kuzmanov

## Message from the Project Coordinator, Werner Weber



Werner Weber, Infineon AG

**EMC<sup>2</sup>, A Platform Project** on Embedded Microcontrollers in Applications of Mobility, Industry and the Internet of Things





#### Intention of the EMC<sup>2</sup> project

The *EMC*<sup>2</sup> project (Embedded multi-core systems for mixed criticality applications in dynamic and changeable real-time environments) plans to develop innovative and sustainable service-oriented architectures for mixed criticality applications in dynamic and changeable real-time environments. It focuses on the industrialization of European research results and builds on the outcomes of several previous ARTEMIS (e.g. ARROWHEAD, INDEXYS, ACROSS, CESAR, MBAT, SMECY, CRYSTAL, VETESS, SAFECER, SCALOPES and RECOMP), European (e.g. FP7 IMC-AESOP, GENESYS, ENTRA, FLEXTILES, DESYRE, MERASA/parMERASA and EURO-MILS) and National projects.

Embedded systems are the key innovation driver for improving almost all sensor-based systems with new and cheaper functionality. Furthermore, they strongly support today's information society as the enabler of inter-system communication. Boundaries between application domains are dissolving, and ad-hoc connections and interoperability play an increasing role. At the same time, multi-core and many-core computing platforms are becoming available on the market, promising a breakthrough for system (and application) integration, efficiency and performance. The project heads for cost-efficient integration of different applications with different levels of safety and security on a single computing platform in an open context.

The *EMC*<sup>2</sup> project expects to facilitate a positive step-change in the EU's ability to deploy and use embedded systems across many important European market sectors, in particular automotive, avionics, space, industrial control and factory automation, healthcare, internet of things (IoT) and machine-to-machine communication. Multi-core processors are expected to govern the technical solutions in the embedded systems market in these domains, since, in comparison with legacy single-core processors, they provide increased performance and reductions in size, weight and power consumption and, when isolation between the applications sharing them is enforced, can at the same time increase safety and security.

*EMC*<sup>2</sup> will reinforce and sustain European excellence in multi-core embedded systems and components, while opening up new potential markets of complex heterogeneous systems of systems and connected things. *EMC*<sup>2</sup> will significantly strengthen Europe's economy and contribute to the strategic objective of the ARTEMIS Joint Undertaking of promoting the cross-fertilization and reuse of technology results in different application domains.

To achieve these demanding expectations, EMC<sup>2</sup> is a platform project that fosters better contacts between the European players and intends to encourage partnerships for future technology and product developments. EMC<sup>2</sup> will cluster the innovation power of 99 partners from the embedded systems industry and research community in 16 European countries. It will entail about 800 person-years and a total budget of about 93 million euros.

## EMC<sup>2</sup> to develop innovation relevant to all European industrial domains

This huge European competence and critical mass encourages the unique EMC<sup>2</sup> service-oriented architecture approach for mixed-criticality applications in dynamic and changeable real-time environments, to drive the breakthrough and deployment of multi-core technology in almost all application domains (space, transport, medical, energy and industry) where real-time behaviour and mixed criticality are an issue. The EMC<sup>2</sup> project structure, 12 technical work packages accompanied by a management work package, has been optimized to produce both technology- and application-oriented innovations.









#### Project structure

Technology oriented innovations:

- System Architectures (WP1) will be combined with new explorations of scalability and system compatibility. For a dynamic multi-core, mixed-criticality software platform, a system will be provided in which multiple applications can share the same virtual machine, and hardware virtualization will be extended to multi-core systems.
- Executable Application Models and Design Tools for Mixed-Critical, Multi-Core Embedded Systems (WP2) will be developed by building on well-established, rigorous system design and automated flows and extending them towards dynamic, heterogeneous, compute-intensive and mixed-critical systems.
- Dynamic Runtime Environments and Services (WP3): existing knowledge in mechanisms and architectures for run-time environments will be enhanced to support mixed-critical systems, security techniques, safety and real-time properties.
- Multi-core Hardware Architectures and Concepts (WP4) are developed with partial reconfiguration for application-specific acceleration, opening up a new era of time-multiplexed hardware co-processors that reduce power and improve efficiency in computationally intensive applications. Their functional properties will be delivered as a service through reconfigurable multi-core processors.
- System Design Platform, Tools, Models and Interoperability (WP5): key innovations are the generalization of HW/SW co-engineering and the operational implementation of several transversal value services that bridge the gap between business and engineering by providing a non-monolithic integration framework which generalizes the concept of the "Internet of Things" to tools and adaptors.





- System Qualification and Certification (WP6): main innovations are software-based fault-tolerant algorithms and architectures for multi-cores, safety and security assurance methodologies for a holistic approach to system dependability, and scalable verification solutions that raise the level of abstraction for both functional verification and safety qualification.

The application related innovation aspects are treated in six Living Labs (WP7-WP12) which leverage the technological advances listed above.

- Living Lab 1 covers **Automotive (WP7)** applications, with related innovations in, among others, highly automated driving, software-defined radio and energy recuperation in electric and hybrid electric vehicles.
- In applications for **Avionics (WP8)** the innovations are complete interoperability, implementation of a service-oriented architecture beyond Data Distribution Services, and new hybrid approaches consisting of statically configured high-criticality computers and safety-critical execution elements in a real-time environment.
- The third area is **Space Applications (WP9)**, aiming to prove the validity of different multi-processor-based system architectures and the related development methodologies and tool chains, opening new application domains to the use of multi-cores.
- In **Industrial Manufacturing and Logistics (WP10)** single multi-core designs with a potentially variable number of cores can reduce the need for custom printed circuit board layouts.
- The main technological innovations involved in Living Lab 5, **Internet of Things (WP11)**, are web real-time communications, ultra-low-power architectures for sensor networks and synchronized low-latency deterministic networks.
- Finally, the **Cross Domain Applications (WP12)** living lab takes results from previous research projects and from the *EMC*<sup>2</sup> technology innovation and uses them in innovative ways to prepare the ground for future multi-core applications.

Newsletter M9

#### EMC<sup>2</sup> organisation and current status

The organization of the three-year *EMC*<sup>2</sup> project relies on three main innovation cycles.

- The first project year is dedicated to requirements and specifications. The purpose of this first phase is to establish the state of the art and state of practice, based on the technology existing at project start.
- 1st innovation cycle (second project year): first integration and evaluation of proposed technical innovation.
- 2nd innovation cycle (third project year): second (and final) integration and evaluation of proposed technical innovation.

*EMC*<sup>2</sup> started on April 1st, 2014. Work is progressing according to plan. The following articles present examples of first results achieved by *EMC*<sup>2</sup> during the first half project year.





## **Report from Work Package 1**



Andreas Eckl, TTTech Computer Technik AG

## Service-oriented Architecture - Embedded System Architecture

#### High Level Requirements document completed

A significant amount of the research work within the *EMC*<sup>2</sup> project comprises developments and designs for safety-critical or safety-relevant applications in various industrial domains. Examples are found in the automotive domain (e.g. automated driving, advanced driver assistance systems), the aerospace sector (e.g. multi-core systems that can be certified according to aerospace standards), space (e.g. novel data communication for spacecraft and launchers) and many more. What is common to such designs and developments in these industrial domains is the need for a dedicated requirements capture process, providing traceability of requirements and supporting coverage analysis. This is needed later for certification, once development up to product level is completed.

Within *EMC*<sup>2</sup>, the requirements capture process initially foresaw that requirements would simply be collected for each individual work package; a common, project-wide approach was not planned. However, the *EMC*<sup>2</sup> Project Management Team (PMT) decided to produce a high-level, project-wide requirements document. Each work package's requirements will thus be integrated into the process by constituting a derived requirements document for that work package, in which the derived requirements reference the high-level requirements defined in the document for the overall project.

Although not listed as an official deliverable, the *EMC*<sup>2</sup> High Level Requirements document was launched at the start of the project requirements capture process. It has now been completed and released. It forms the basis for the *EMC*<sup>2</sup> project and also documents the project-wide consistency and "single, common origin" of *EMC*<sup>2</sup> requirements and the resulting development and design work. The individual requirements were collected in a dedicated Excel template that the DOORS tool can read directly, so that the requirements can be processed automatically.

The document is considered consortium confidential.

## Report from Work Package 4

Flemming Christensen, Haris Isakovic, Zdeněk Pohl, Mike Bartley, Rolf Meier, Sascha Uhrig

#### Multi-Core Hardware Architectures and Concepts

The overall objective of WP4 is to develop and evaluate hardware techniques that enable multi-core processors to execute applications with mixed criticalities. The 25 partners spend hundreds of man-months on developing hardware architectures and hardware design concepts that help satisfy the needs of embedded mixed-criticality multi-core systems. The work package covers the whole process from conceptual design through simulation to testing on FPGA-based emulation platforms that will be developed in Task 4.6. The four conceptual tasks are described here.

Task 4.2, led by Flemming Christensen of Sundance Multiprocessor Technology in the United Kingdom, is responsible for the novel *EMC*<sup>2</sup> CPU architecture and highly scalable multi-core interconnect strategy. The purpose of Task 4.2 is to define a system architecture, processors and interconnect, that will support mixed-criticality applications in a multi-core environment, which could also include hardware accelerators. Its goal is to find an optimal balance between performance, power consumption, ease of programming and scalability in the number of processing elements, while also minimising silicon die area and satisfying mixed-criticality requirements.

The Task 4.2 team is a well-balanced mix of people from Europe's best semiconductor manufacturers, a number of SMEs, and several universities that are leaders in research into multiprocessing systems. Flemming adds: "Sundance was founded 25 years ago to explore embedded multiprocessing and I have been waiting a long time to see it happen. It is a privilege to be involved in defining the heart of a new generation of CPUs that focus on multiprocessing."

Task 4.3 investigates communication concepts on three abstraction levels: chip, device and system level. The task is led by Haris Isakovic of Vienna University of Technology, a research partner with a long heritage in cyber-physical systems and real-time communication. The scope of the task is divided into three overlapping thematic units. The first unit is concerned with on-chip interconnects, exploring communication methods within multi-core systems under mixed-criticality constraints. The second unit handles chip-to-chip communication, as well as the interconnection of devices within a system. Finally, the last unit studies virtualization methods for peripheral devices and the interaction with peripherals at system level, such that mixed-criticality conditions are satisfied.

The project objectives are directly reflected in the task's goals, in particular to achieve reliable communication under mixed-criticality conditions and to provide dynamically adaptable system interaction. Task 4.3 is closely related to other tasks within WP4, as well as to the demonstrator work packages, where the technology will be evaluated in real-world applications. Task 4.3 involves highly respected research institutions and industrial leaders in on-chip, inter-chip and system-level communication, as well as a group of specialized companies with unique know-how and renowned industrial application partners.

Task 4.4 adds availability and dynamic reconfiguration techniques to the EMC<sup>2</sup> platform. The partners Thales Alenia Space España and Fundación Tecnalia Research & Innovation, both oriented towards space industry applications, are developing support for dynamic reconfiguration in the *EMC*<sup>2</sup> platform for fault detection and redundancy. Politecnico di Torino and Infineon Technologies AG focus on fault detection, health monitoring and dynamic reconfiguration for increased availability in the EMC<sup>2</sup> architecture, while Chalmers University of Technology is working on reconfigurability techniques for physical separation to achieve performance isolation and fault containment. The Institute of Information Theory and Automation provides, as an early result, the reference design for Asymmetric Multiprocessing (AMP) on Zynq with EdkDSP accelerators on the Xilinx ZC702 board (see http://sp.utia.cz/index.php?ids=results&id=Utia_EdkDSP_145_ZC702). The design implements a three-core AMP architecture with an evaluation version of the 4x8 SIMD EdkDSP floating-point datapath reconfigurable accelerators.

**Task 4.5** is led by Test and Verification Solutions, a leading international supplier of products and services in hardware verification and software testing. Other contributing partners are Infineon Technologies AG, NXP Germany, USTAV TEORIE INFORMACE a AUTOMATIZACE AV CR v.v.i., SELEX ES, Politecnico di Torino, Thales Alenia Space España and the University of Bristol.

The context for Task 4.5 is as follows: the state of the art in verification of multi- and many-core systems is not sufficiently advanced. The huge complexity that arises from the interaction of processors, the interconnects themselves and memory accesses, all in the context of mixed-criticality applications, requires new verification methodologies that extend the state of the art beyond the current SoC level. Development includes both formal and simulation-based approaches, and combinations of these, to arrive at a methodology that is effective and efficient in practice and paves the way to certification.

**Task 4.5** focuses on establishing the overall system properties at the software/hardware interface. This includes the guarantees the hardware needs to provide to reliably support mixed-criticality systems, and the properties the software needs to satisfy to operate safely on the given hardware architecture. Approaches include formal methods and assertion-based techniques that monitor the system at runtime. This is particularly challenging for large-scale mixed-criticality systems on multi-core architectures with dynamic features for reconfiguration and restart. Moreover, a real-time debugging approach for multi-core embedded software will be investigated.

The Task 4.5 team is a well-balanced mix of engineers and organisations from Europe's best semiconductor manufacturers, a number of SMEs, and universities that are leaders in research into multiprocessing systems. Mike Bartley of Test and Verification Solutions added: "As our systems become more complex, so does the verification challenge. This project will enable us to deal with the particular challenges posed by multi- and many-core systems."

**Task 4.6** collects the technical output of Tasks 4.2 to 4.5. The goal is to implement the resulting techniques in several demonstrator platforms. These demonstrator platforms will be provided to the living labs as foundations for their application demonstrators, but will also be used for internal performance analysis and feasibility studies. The task is led by Rolf Meyer from TU Braunschweig, E.I.S., supported by the other members of the Task 4.6 team from companies and research institutions all over Europe.

Contact: Sascha Uhrig, TU Dortmund, sascha.uhrig@tu-dortmund.de

## **Report from Work Package 7**

Thomas Soderqvist, Volvo

#### Living Lab – Automotive Applications

*EMC*<sup>2</sup> Living Lab WP7 on Automotive Applications is driven by the overarching business needs to assure high product quality for automotive embedded systems facing an exponential growth in embedded systems complexity, while at the same time meeting tight cost constraints and facing the need to further reduce time-to-market.

Taking into account the critical role of the embedded electronic vehicle architecture, the EMC<sup>2</sup> Living Lab WP7 Automotive Applications work package focuses on advancing the state of the art for automotive embedded systems to address these overarching business needs. Increasingly, the functionality of vehicles, passenger cars as well as commercial vehicles such as trucks and buses, is implemented in embedded electronics and software, with the business and technical needs derived from a broad scope of applications and standards covering functional safety, active and passive safety, communication both internal and external to the vehicle, regulations for emissions, fuel consumption, etc. Automotive embedded systems are approaching the upper limit in terms of complexity, and with new safety-critical applications of various criticality levels coming, the automotive partners in WP7 aim to investigate whether multi-core processing is the means to increase the quality and capacity of automotive systems, and which new opportunities can be gained. The driving sources for the business and technical needs in WP7 are the automotive use cases within different technical areas. The six automotive use cases cover a wide range of topics:

- Novel ADAS following large-scale software integration and full exploitation of available resources.
- Development, deployment and practical evaluation of Vehicle to Vehicle (V2V) and Vehicle to Infrastructure (V2I) applications.
- *EMC*<sup>2</sup> Electronics Power Management: Requirement collection, concept development and HW demonstration.
- Master the next challenges on the road to fully autonomous driving by optimizing the use of HW/SW resources of the proposed multi-core embedded cloud and exploiting them in a real-life autonomous driving scenario.
- Next-generation hybrid powertrains that are built following model-based engineering and new programming paradigms, and are supported by simulation.
- To develop a semi-formal language modelling approach to the safety critical systems and their safety requirements in order to produce a virtual concept representing the architectural structure and the outcomes of the functional safety analysis.
- Demonstrator development realizing and evaluating an integration of mixed criticality applications using mainly COTS.
- Harvest the potential of multicores for mixed-critical applications in the next generation of an Electrical and/or Electronic (E/E) architecture for commercial vehicles.

One example of the benefits expected from using multi-cores within the automotive electronic architecture is illustrated in the following figure. By replacing a number of specialized single-core control units with fewer and more powerful multi-core computing units, able to execute multiple applications at mixed criticality levels, we expect that the problems arising from the constantly increasing number of control units can be managed.



Vision around multi-core mixed-criticality in the automotive domain

The work to develop technology for the use cases takes place partly in the technology work packages WP1 to WP6 and partly within each use case. In the technology WPs, more general technology will be developed, i.e. technology that, if feasible, can be adapted to a use case. In each use case, all use case partners join forces to develop specific technology dedicated to that use case.

In WP7 LL Automotive we have so far worked on establishing the technical scope of all six use cases. That means that we have identified and described the business needs and high-level requirements. We are currently preparing the refined use case descriptions, in which the more detailed planned work within each use case sub-task is specified. We have also started to plan how we will evaluate the feasibility of the technical solutions when applying them to the use cases. In general, within the use case teams, we have also already begun to develop technology for the use-case-specific topics. In our bi-weekly WP7 online meetings we discuss, among other topics, the preparation of our first deliverable, D7.1 'Use case descriptions, requirements and evaluation plans' (due M12), which will soon be available as an early first draft. Furthermore, we are discussing a number of preliminary use case demonstrators for dissemination of the project results at the upcoming ARTEMIS reviews as well as at public and partner-internal occasions.

# EMC<sup>2</sup> presented as "Success Story" at ECSEL Austria Autumn 2014 Conference



Erwin Schoitsch, Austrian Institute of Technology

Austria was the first country in Europe to found a national "ARTEMIS Austria" (and "ENIAC Austria") association to collaborate and harmonize the Austrian efforts in the ARTEMIS and ENIAC work programmes, calls and projects, and to keep in contact with the Austrian public authorities (BMVIT, Federal Ministry of Transport, Innovation and Technology; FFG, Austrian Research Promotion Agency). With the rise of ECSEL, Austria was again the first country to join the forces of both associations and to create an EPoSS branch, building "ECSEL Austria", which was already present



ECSEL Austria organized its 2014 conference in Vienna on Sept. 16 to 17, 2014. In the end this date proved not to be ideal, because ECSEL Call 1 closed on Sept. 17 at 17:00; the deadline had originally been expected for Sept. 10 or 11, so that the conference would have taken place after it.

More than 70 international experts were welcomed at the event. Besides representatives of Austrian institutes in the field of microelectronics and critical software, representatives of the ECSEL Joint Undertaking in Brussels, ECSEL-Germany, ARTEMIS Office, Process IT Sweden and CEA-Leti France also took part in the event.

An important part of the conference was the session presenting selected ARTEMIS, ENIAC and EPoSS projects of the FP7 period as "success stories" of the three ETPs (European Technology Platforms) ARTEMIS-IA, AENEAS and EPoSS, in which significant Austrian contributions and impact for Austria have been or are being generated:

- EPT300/EPPL, J. Massoner/Infineon (ENIAC)
- CRYSTAL, Ch. El Salloum/AVL (ARTEMIS)
- ADOSE, E. Schoitsch/AIT (EPoSS)
- EMC<sup>2</sup>, A. Eckel/TTTech (ARTEMIS)
- DEWI, W. Rom/VIF (ARTEMIS)
- BattMan, M. Schrems/AMS (ENIAC)

*EMC*<sup>2</sup> was presented by Andreas Eckel from partner TTTech, co-leader of WP1 and responsible for an important task in WP1, the collection of requirements from all so-called "Living Labs" (WP7 to WP12), i.e. the domain-specific or cross-domain application areas that implement and validate the results of the technology work packages (WP1 to WP6). He presented the major challenges of the *EMC*<sup>2</sup> system approach, from a "quasi-static" single multi-core SoC, to "dynamic changes in a closed system" of networked multi-cores, up to "dynamic changes in an open system (or system-of-systems)" of highly connected multi-core systems with variable configurations, adaptability and evolving functionality. He highlighted the impact of *EMC*<sup>2</sup>. The project started just a few months ago; the success at this stage was that this largest ARTEMIS project was successfully set up, an incredible task with 99 partners and an overall budget of more than 90 million euros. A high degree of responsibility had to be distributed among the work package leaders and co-leaders, with the organizational structure supporting collaboration across work package and domain boundaries. The presentation was based on the original, generic *EMC*<sup>2</sup> presentation by Knut Hufeld, who led the proposal phase. The presentation is available on the ECSEL Austria web site, www.ecsel-austria.net/eventsfull/events/ecsel-austria-conference.html.

Conference impressions

After looking back on these highlights, the conference examined the new opportunities that arise from the new ECSEL structure. One area that was emphasized is the exchange of experiences with the European research programme and the corresponding processes in the individual countries. The European guest speaker Alun Foster (ARTEMIS/ECSEL JU) presented the ECSEL status in "Status of roadmap preparation and timing for the calls 2015 – 2016/17", Jerker Delsing from Process.IT (ARTEMIS Center of Innovation Excellence) informed on ECSEL Sweden, J. Lugert (Siemens, EPoSS) on ECSEL Germany. D. Vierbauch and C. Hopp explained the upcoming funding and legislative procedures for 2015 which imply some changes.

A dedicated poster session allowed participants to visit and discuss the past and current ARTEMIS, ENIAC and EPoSS projects with Austrian participation. The posters had an "Austrian touch" because, besides the general description, they highlighted the particular Austrian contributions and the benefits (impact) for Austria. For this purpose, a new *EMC*<sup>2</sup> poster was designed and presented (see photo below).

The final sessions included a presentation by CEA-Leti highlighting its activities and achievements, given by members of a delegation that visited Austria and attended the conference. Further sessions dealt with key enabling technologies and the associated pilot productions. mKETs is a project aimed at creating a standard definition for pilot productions in Europe. The 300 mm wafer development at Infineon Technologies Austria AG in Villach was analyzed in detail as one of four European reference projects, and the initial results of these analyses were presented to the conference participants. All presentations can be found at www.ecsel-austria.net/eventsfull/events/ecsel-austria-conference.html

Erwin Schoitsch, AIT Austrian Institute of Technology

## Safety & Security Workgroup creation

Philippe Dore, CEA

It is commonly agreed that the safety and security aspects of a mixed-critical system cannot easily be addressed separately. In other words, to be considered safe, a system must also exhibit the security properties of confidentiality, integrity and authenticity. Conversely, ensuring the confidentiality of data and code relies on the same mechanisms as safety (e.g. strong isolation between modules, tasks or virtual machines).

During the kick-off meeting of the "Dynamic Runtime Environments and Services" work package (WP3) in Bristol, it was proposed to organize a workgroup to discuss safety & security aspects.

I am pleased to announce today that several partners, even beyond this work package's scope, have positively answered CEA's invitation to participate.

The following partners are involved in the Safety & Security Workgroup:

- Austria: AVL List GmbH, VIRTUAL VEHICLE & Austrian Institute of Technology
- France: CEA
- Germany: Infineon Technologies AG, Technische Universität Braunschweig & Fraunhofer IESE
- Italy: Alenia Aermacchi & MBDA
- Portugal: INESC-ID
- Sweden: SICS AB, Security Lab

This group will be able to address those aspects from both the technology and the use case ends. The main workgroup goals are:

- Translate both Safety and Security requirements into technology properties
- Split those properties into those common to both, Safety-specific and Privacy-specific ones
- Give recommendations on various options to bring those properties to a system:
  - How to evaluate architecture features regarding Safety and Security
  - What an evolution path to add those properties to existing RTOS or VM monitors would look like
  - Hardware design vs. software certification cost

As a starting point this workgroup will meet regularly through telephone conferences. Each telco will focus on a topic suggested by one partner. This partner will first present the topic, which will then be challenged during the meeting.

All presentations and the meeting minutes will be made available to the project. The intention is that those outcomes will be useful for everyone involved in Safety and Security activities within the project.

## EMC<sup>2</sup> co-hosting the ERCIM/EWICS/ARTEMIS collaborative Dependable Embedded and Cyber-physical Systems and Systems-of-Systems (DECSoS) Workshop at SAFECOMP 2014



Erwin Schoitsch, Austrian Institute of Technology

The annual SAFECOMP Conference (International Conference on Computer Safety, Reliability and Security) is a leading conference in this area, particularly focusing on industrial computer control systems and applications. Since it was established in 1979 by the European Workshop on Industrial Computer Systems, Technical Committee 7 on Reliability, Safety and Security (EWICS TC7), SAFECOMP has contributed to the progress of the state-of-the-art in dependable application of computers in safety-related and safety-critical systems.

SAFECOMP 2014 was the 33rd International Conference on Computer Safety, Reliability and Security, and took place in Florence, Italy, from Sept. 8-12, 2014.

SAFECOMP covers state-of-the-art, experience and new trends in the areas of safety, security and reliability of critical computer applications. SAFECOMP provides ample opportunity to exchange insights and experience on emerging methods, approaches and practical solutions.





As one of the co-located workshops, the Workshop on Dependable Embedded and Cyber-physical Systems and Systems-of-Systems (DECSoS'14) has been organized primarily by AIT (Erwin Schoitsch), together with Amund Skavhaug from NTNU (Trondheim, Norway), and an International Program Committee of 15 experts from the EWICS TC7 (European Workshop on Industrial Computer Systems, TC7, Reliability, Safety and Security) group and SAFECOMP organizers, which did the peer reviews of the papers. The papers are published by Springer in the LNCS series (LNCS 8696). All abstracts are available on the Springer Web Site http://link.springer.com/book/10.1007/978-3-319-10557-4.

Picturesque conference location

The workshop DECSoS'14 comprised the sessions Formal Analysis and Verification, Railway applications: Safety analysis and verification, and Resilience and Trust: Dynamic issues. A presentation based on *EMC*<sup>2</sup> was given in the last session: Daniel Schneider, Eric Armengaud and Erwin Schoitsch: Towards Trust Assurance and Certification in Cyber-Physical Systems.

The *EMC*<sup>2</sup> presentation provided a short overview of *EMC*<sup>2</sup> in general, and particularly addressed WP6, starting with the challenging requirements and state of the art in assurance, qualification and certification of CPS. "Towards Trust Assurance and Certification in Cyber-Physical Systems" took into account the key issues of WP 6.2 "Safety and Security – Trust by Design", and of WP 6.3 "Safety and Security – Run Time Certification", discussing the challenges of characteristic *EMC*<sup>2</sup> type adaptive and evolving distributed CPS in this respect and potential approaches ("modular conditional certificates").

Another issue will be the inclusion of new methods and techniques in existing standards in a holistic, integrated manner – a hot topic now, e.g. looking at the IEC TC65 Ad-Hoc Group 1 (AHG1) "Framework toward coordinating safety and security", which is trying to study and maybe tackle, with a new work item or by recommendations, how to update existing standards in their maintenance phase when looking at both safety and security, their interplay, and at system certification considering both properties in a holistic manner.

The workshop provided some insight into the topics, and enabled fruitful discussions during the meeting and afterwards. There were about 30 participants, but floating sometimes between the three parallel workshops (the workshop fee did not distinguish between different workshops, it covered all three of the same day). The mixture of topics is hopefully well balanced, with a certain focus on Software and System Analysis and Verification, and addressed particularly by the ARTEMIS projects MBAT, CRYSTAL and *EMC*<sup>2</sup>, supporting the goal of collaboration and experience exchange between related ARTEMIS projects. They are somehow building on each other's results and achievements, working towards a common CRTP (Collaborative Reference Technology Platform) based on an IOS Specification (Interoperability Specification). This aims at building a sustainable innovation eco-system around the so-called High-Rel-Cluster of ARTEMIS projects.

The next SAFECOMP 2015 will take place from Sept. 22 – 25, 2015, in Delft, The Netherlands. It is planned to organize again an ERCIM/EWICS/ARTEMIS Workshop on Dependable Embedded and Cyber-physical Systems and Systems-of-Systems on the first day, Sept. 22, 2015.

Erwin Schoitsch, AIT

## SoCRocket – The Space TLM Framework

TU-Braunschweig

We, TU-Braunschweig (c3e), are happy to announce that SoCRocket is finally released to the public. After several years of development we decided to put the core of our TLM2.0 infrastructure and component library online. First developed in an ESA ESTEC study, it was successively improved in several projects. Now, as part of WP4 in *EMC*<sup>2</sup>, we decided to release our foundation.

The framework itself is a collection of SystemC/TLM2.0 infrastructure based on the OSCI/Accellera SystemC simulator in combination with GreenLib. The included models are developed after base components freely available in the GRLib from Aeroflex Gaisler.

TLM can be used to describe both timing and functionality of system components and their communication interfaces at a high abstraction level. Embedded in a virtual platform, these models are sufficiently accurate to not only allow early software development and verification in a realistic environment but also functional verification of the modeled hardware. The capability of early design-space exploration is therefore a vital building block of full hardware/software co-design.

#### System block diagram

In the last 8 months TU-Braunschweig (c3e) has been extending, debugging and stabilizing the framework in preparation for publishing it to the project consortium, with legwork and support by TU-Dortmund. Furthermore, confidential components were removed and replaced to smooth some legal issues.

You can find our code and documentation at http://socrocket.github.io/

Download the core platform for *EMC*<sup>2</sup> partners from https://github.com/socrocket/core.

The code is available under AGPL. Additional repositories or license schemes are available.

Please contact us: TU-Braunschweig, c3e,

- Rolf Meyer, meyer@c3e.cs.tu-bs.de
- Jan Wagner, wagner@c3e.cs.tu-bs.de






## Time synchronization for distributed safety critical systems



Javier Díaz, Seven Solutions

Seven Solutions (7S) is currently leading, together with scientific partners such as CERN and GSI, one of the most ambitious projects for time and frequency distribution.

It is based on White Rabbit (WR), an Open Source Ethernet-based technology to synchronize distributed networks with sub-nanosecond accuracy. This is possible thanks to the extension of well-known network standards, such as Synchronous Ethernet (SyncE) and the Precision Time Protocol (PTP, IEEE 1588). Nowadays, WR is the most accurate, most flexible and easiest solution for network synchronization over Ethernet. The main features of the WR technology are:

- Sub-nanosecond accuracy synchronization
- It is possible to interconnect thousands of nodes
- Typical distances of 10km between nodes (can be extended to more than 100km)
- Ethernet-based Gigabit rate reliable data transfer
- Fully open hardware, firmware and software
- Multi-vendor commercially produced hardware

The goal of Seven Solutions in *EMC*<sup>2</sup> is to extend WR technology to address distributed safety-critical applications with strong focus on time and frequency dissemination. This goal motivates our contributions in WP1 and WP4, addressing a practical use case for Smart-grid applications in WP11.

WR networks are mainly composed of two types of elements, switches and nodes, forming a tree-hierarchical model. The WR Switch (WRS) has been designed and produced by 7S and it is the key (and most complex) component of a WR network, since it provides the precise time information and distributes the synchronization to all nodes.
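The switch distributes time to the nodes by running PTP (IEEE 1588) over the link, and WR's extensions build on that exchange. The following added example is not code from Seven Solutions or the White Rabbit project; it models the basic PTP two-way timestamp exchange (Sync / Delay_Req) in simplified form: it computes the slave's clock offset and the one-way delay from the four timestamps, simulates the exchange with a constructed true offset and constructed link delays, and shows why the result is only as good as the assumption that forward and reverse delays are equal. WR's sub-nanosecond figures depend, among other things, on calibrating that asymmetry and on SyncE syntonization, neither of which this model reproduces; the asymmetry is just a parameter here. The plausibility bound on the measured delay is an added sanity check a safety-critical node could apply before trusting an exchange, not a WR mechanism.

```python
"""Simplified PTP (IEEE 1588) two-way time transfer, added example.

Timestamps are integer nanoseconds. t1 and t4 are read on the master
clock, t2 and t3 on the slave clock. The slave clock is modelled as
master + true_offset; link delays and offsets are constructed values.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Exchange:
    t1: int  # master sends Sync (master clock)
    t2: int  # slave receives Sync (slave clock)
    t3: int  # slave sends Delay_Req (slave clock)
    t4: int  # master receives Delay_Req (master clock)


def offset_and_delay(ex: Exchange) -> Tuple[float, float]:
    """Standard PTP estimate assuming a symmetric path.

    master->slave: t2 - t1 = d_fwd + offset
    slave->master: t4 - t3 = d_rev - offset
    Adding the two cancels the offset; subtracting cancels a symmetric delay.
    """
    ms = ex.t2 - ex.t1
    sm = ex.t4 - ex.t3
    return (ms - sm) / 2, (ms + sm) / 2


def checked_offset(ex: Exchange, max_delay_ns: int) -> Optional[float]:
    """Reject exchanges whose implied one-way delay is impossible (negative)
    or beyond the expected link budget. Added sanity check, not part of PTP."""
    offset, delay = offset_and_delay(ex)
    if delay < 0 or delay > max_delay_ns:
        return None
    return offset


def simulate_exchange(true_offset_ns: int, fwd_delay_ns: int,
                      rev_delay_ns: int, t1: int = 1_000_000,
                      turnaround_ns: int = 50_000) -> Exchange:
    """Construct the four timestamps for the given (constructed) conditions."""
    t2 = t1 + fwd_delay_ns + true_offset_ns   # read on the slave clock
    t3 = t2 + turnaround_ns                   # slave answers after a pause
    t4 = t3 - true_offset_ns + rev_delay_ns   # read on the master clock
    return Exchange(t1, t2, t3, t4)


def residual_error(true_offset_ns: int, fwd_delay_ns: int,
                   rev_delay_ns: int) -> float:
    """Error left after correction; analytically (d_fwd - d_rev) / 2."""
    est, _ = offset_and_delay(
        simulate_exchange(true_offset_ns, fwd_delay_ns, rev_delay_ns))
    return est - true_offset_ns


if __name__ == "__main__":
    sym = simulate_exchange(1234, 5000, 5000)
    print("symmetric link, (offset, delay):", offset_and_delay(sym))
    print("400 ns asymmetry -> residual error:", residual_error(1234, 5200, 4800))
    print("implausible exchange:", checked_offset(Exchange(0, 10, 20, 5), 100_000))
```

With equal delays the estimate recovers the constructed offset exactly; with a 400 ns difference between the two directions the slave ends up 200 ns off while believing it is synchronized, which is why a deterministic, calibrated link matters more than the protocol arithmetic itself.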

Current WRS features are:

- Open Hardware (Published under CERN OHL)
- WR PTP Protocol (PPSi) & SyncE protocols
- Sub-nanosecond accuracy and 20ps jitter
- Virtex-6 FPGA (XC6VLX240T)
- ARM (Atmel AT91SAM9G45) @ 400MHz
- 18/8 x SFP cages
- 32M x 16 DDR2
- Ethernet 10/100 PHY
- 256 MB Nand Flash
- 8 MB SPI Boot Flash
- 5 SMC coaxial Clocks (PPS I/O, 125Mhz I/O, 10Mhz I)
- 1.6 GHz VCO (AD9516-4)







On the other hand, WR nodes are normally composed of a Simple PCIe FMC Carrier (SPEC) board. It is an FMC carrier that includes an FMC and an SFP connector.

This board is cost-optimized and it is the most commonly used WR node because it is fully compatible with most of the FMC cards designed for the WR/OHWR project (ADC cards, DIO, Fine Delay, etc). The SPEC board's main features are as follows:

- Open Hardware (Published under CERN OHL)
- 1 Xilinx Spartan6 FPGA (XC6SLX45T or XC6SLX100T)
- 2Gbit DDR3
- 4-lane PCIe (Gennum GN4124)
- FMC slot with low pin count (LPC) connector
- FMC connectivity: all 34 differential pairs connected, 1 GTP transceiver with clock, 2 clock pairs, JTAG
- Simple clocking resources suitable for WR
- SPI 32Mbit flash PROM for multi-boot
- Small Form-factor Pluggable (SFP) cage for fibreoptic transceiver (WR support)

In addition to this, 7S has also contributed to the OHWR initiative with several developments to ease the utilization of this technology. The WR Starting Kit was built to facilitate the adoption of WR by those who are not WR experts. It is a preinstalled package that includes:

- 3x LEMO-00 Cable 2m[1]
- 3x LEMO-BNC Adapter (for oscilloscope input)
- 1x LC-LC Cable 2m[2]
- Open Hardware (Published under CERN OHL)

Thanks to this package, building a WR network in your own lab becomes a piece of cake.



#### Next generation of WR nodes for the *EMC*<sup>2</sup> project

In the framework of the *EMC*<sup>2</sup> project, Seven Solutions is developing two new nodes based on Artix and Zynq FPGA devices. Seven is focusing on providing WR with robustness by adding redundancy features as a key feature for dependable solutions. For this purpose, 7S is working on the integration of redundancy protocols to achieve zero-time recovery in WR networks and exploring cascade and parallel network topologies. This translates to concrete contributions in the different *EMC*<sup>2</sup> work packages:

- In WP1 we contribute with the development of a deterministic network architecture for mixed-criticality systems. Software, hardware as well as topologies for deterministic communication schemes are under development.
- In WP4, we explore how the concept of Quality of Service could be extended in the framework of deterministic Ethernet-based communications and how this can be applied to mixed-criticality systems. Time synchronization and frequency distribution are considered an example of critical data to be handled as key information for many distributed control activities.
- Finally, in WP11, we participate in the Internet of Things domain (LL5) with task UC5.5, Synchronized low-latency deterministic networks. The focus here is to provide time information for highly scalable Smart-grid systems and industrial automation applications over wide areas.

As reference platform for the *EMC*<sup>2</sup> project, a Zynq-based board will be used. This board is currently being designed and integrates the latest Xilinx Zynq Z-7015 device with a dual ARM® Cortex<sup>™</sup>-A9 and Artix FPGA logic with 74K logic cells. It has also been designed with an ultra-high stability oscillator and PLLs to provide significantly better short-term stability. 7S is working on the integration of redundancy protocols like High-availability Seamless Redundancy (HSR, IEC 62439-3) to achieve zero-time recovery and to extend HSR features to time and frequency distribution using WR ring networks.
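The zero-time recovery that HSR gives a ring is easiest to see in a small model. The following added example is not Seven Solutions' or any HSR stack's code; it is a simplified receiver that applies the HSR principle of sending every frame over both ring directions and discarding the second copy by (source, sequence number). The fault injection (one direction stops delivering from a given sequence number on) and the frame contents are constructed. Real HSR additionally tags frames with a LAN identifier and frame size and forwards frames around the ring; only the duplicate-discard part is modelled here, together with the 16-bit sequence wrap-around that a naive implementation gets wrong.

```python
"""HSR-style seamless redundancy, added simplified model.

A source sends every frame, tagged with a sequence number, over both
ring directions (ports A and B). The receiver delivers the first copy
and discards the second, so a single link failure loses nothing and
needs no recovery time. Fault injection and payloads are constructed.
"""
from collections import deque
from typing import Deque, Dict, List, Optional, Set, Tuple

SEQ_MODULO = 1 << 16   # HSR sequence numbers are 16-bit and wrap


class HsrReceiver:
    """Duplicate-discard table keyed by (source, seq), bounded in size."""

    def __init__(self, window: int = 256) -> None:
        self._seen: Set[Tuple[str, int]] = set()
        self._order: Deque[Tuple[str, int]] = deque()
        self.window = window          # how many (src, seq) pairs to remember
        self.delivered: List[str] = []

    def receive(self, src: str, seq: int, payload: str) -> bool:
        """Return True if delivered, False if discarded as a duplicate."""
        key = (src, seq % SEQ_MODULO)
        if key in self._seen:
            return False
        self._seen.add(key)
        self._order.append(key)
        if len(self._order) > self.window:      # forget the oldest entry
            self._seen.discard(self._order.popleft())
        self.delivered.append(payload)
        return True


def deliver_over_ring(frames: List[Tuple[int, str]],
                      a_failed_from: Optional[int] = None,
                      b_failed_from: Optional[int] = None) -> Dict[str, object]:
    """Send frames over both directions. A direction that has failed drops
    every frame with seq >= its failed_from value (constructed fault)."""
    rx = HsrReceiver()
    duplicates = 0
    lost = 0
    for seq, payload in frames:
        copies_arrived = 0
        for failed_from in (a_failed_from, b_failed_from):
            if failed_from is not None and seq >= failed_from:
                continue                         # copy lost on this direction
            copies_arrived += 1
            if not rx.receive("node-1", seq, payload):
                duplicates += 1
        if copies_arrived == 0:                  # both directions down
            lost += 1
    return {"delivered": list(rx.delivered),
            "duplicates": duplicates, "lost": lost}


if __name__ == "__main__":
    frames = [(i, f"time-sample-{i}") for i in range(6)]
    print("A fails after seq 2:", deliver_over_ring(frames, a_failed_from=3))
    print("both fail:", deliver_over_ring(frames, a_failed_from=2, b_failed_from=4))
```

The first run shows the property the article is after: after direction A fails, every frame still arrives once over B and the receiver never notices a gap. The second run shows the limit of a single ring: once both directions are cut, frames are lost, which is where the cascaded and parallel topologies mentioned above come in.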

## Guest Article: parMERASA FP7 Project

EC FP-7 project parMERASA - Multi-Core Execution of Parallelised Hard Real-Time Applications Supporting Analysability





Sascha Uhrig, Technical University of Dortmund Theo Ungerer, University of Augsburg

The parMERASA project (Oct. 1, 2011 until Sept. 30, 2014) provides a timing-analysable system of parallel hard real-time applications running on a scalable multi-core processor. parMERASA goes one step beyond the real-time demands of single-threaded systems: it targets future complex control algorithms by parallelising hard real-time programs to run on predictable multi-/many-core processors. As a result, the parMERASA project has shown that an average as well as a worst-case performance increase can be reached by parallelising hard real-time applications onto multi-core hardware, but parMERASA has also shown emerging pitfalls and limitations.

A pattern-supported parallelization approach was developed at University of Augsburg to guide the parallelisation of legacy software and allow the usage of standard tools. The approach eases sequential-to-parallel program transformation by developing and supporting suitable parallel design patterns and algorithmic skeletons that are analyzable with WCET tools. The approach was applied to successfully parallelise four industrial use cases: the 3D Path Planning (3DPP) algorithm intended for airborne collision avoidance and the Stereo Navigation algorithm intended for aircraft localization (Honeywell International s.r.o.), a diesel engine management system (DENSO AUTOMOTIVE Deutschland GmbH), and the control code of a large crawler crane (BAUER Maschinen GmbH).

parMERASA target applications rely on incremental qualification, which allows each system component to be subject to formal certification (including timing analysis) in isolation and independently of other components, with obvious benefits for cost, time and effort. As a result, the multi-core architecture has to provide mechanisms to guarantee time and space isolation among applications. To that end, Barcelona Supercomputing Center developed two novel concepts: parallel Software Partitions (pSWPs) and Guarantee Resource Partitions (GRPs) that provide incremental qualification for parallel hard real-time applications. A pSWP guarantees that parallel tasks belonging to one application cannot affect the timing (and functional) behaviour of parallel tasks belonging to other applications. A GRP defines a hardware execution environment composed of a cluster of processor resources in which pSWPs run, providing the desirable time isolation properties.

The supporting multi-core system software is based on a common RTOS kernel library developed at University of Augsburg. The kernel library provides timing-analysable synchronization primitives, context management as basis for domain-specific scheduling, as well as memory management and interrupt handling. Run-time environments for automotive, avionics, and construction machinery domains are implemented as domain-specific RTE services on top of the common RTOS kernel to support the parallelised applications.

Hierarchical NoC Architecture

Mesh Architecture

#### Hierarchical NoC Architecture

The GRP property of the parMERASA multi-core architecture is implemented as a clusterised two-level hierarchical NoC architecture composed of a tree-based first-level NoC to connect cores and a bus-based second-level NoC to connect clusters, and also as a mesh-based NoC that allows GRPs to be defined that fulfil the time isolation requirements. Here, virtual clusters defined by grouping adjacent cores in rectangular shapes and a suitable routing can form GRPs.

In order to reduce latencies and the impact of interferences when multiple cores want to access the memory, the parMERASA multi-core architecture relies on data caches. A predictable cache coherence mechanism has been developed by Technical University of Dortmund: the On-Demand Coherent Cache (ODC<sup>2</sup>) that guarantees coherent and interference-free accesses to shared data accessed inside critical regions and between barriers.
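The time isolation that a GRP (and the pSWP running in it) is meant to give on the mesh rests on one geometric fact: a rectangular group of cores, combined with a routing that never leaves the rectangle, never pushes a packet through another group's routers. The following added example is not parMERASA code. It assumes dimension-order (XY) routing, which is my assumption, since the article only says "a suitable routing"; under that assumption it enumerates every source/destination pair of a candidate cluster and reports each router outside the cluster that intra-cluster traffic would traverse. A rectangle passes, an L-shaped cluster made of the same kind of adjacent cores fails, and a small partition check confirms that no core is claimed by two GRPs. Core coordinates are constructed.

```python
"""Time-isolation check for mesh virtual clusters (added example).

Assumes dimension-order (XY) routing: a packet first moves along x to
the destination column, then along y to the destination row. Cores and
their routers are (x, y) pairs; all coordinates are constructed.
"""
from itertools import permutations
from typing import Iterable, List, Set, Tuple

Coord = Tuple[int, int]


def xy_route(src: Coord, dst: Coord) -> List[Coord]:
    """Routers visited by an XY-routed packet, including src and dst."""
    x, y = src
    path = [src]
    while x != dst[0]:
        x += 1 if dst[0] > x else -1
        path.append((x, y))
    while y != dst[1]:
        y += 1 if dst[1] > y else -1
        path.append((x, y))
    return path


def rectangle(x0: int, y0: int, x1: int, y1: int) -> Set[Coord]:
    """All cores of the inclusive rectangle [x0..x1] x [y0..y1]."""
    return {(x, y) for x in range(x0, x1 + 1) for y in range(y0, y1 + 1)}


def isolation_violations(cluster: Iterable[Coord]) -> List[Tuple[Coord, Coord, Coord]]:
    """(src, dst, router) triples where intra-cluster traffic leaves the cluster.

    A router outside the cluster on such a path is shared with whichever
    GRP owns it, so the two GRPs could interfere in time."""
    cores = set(cluster)
    bad = []
    for src, dst in permutations(sorted(cores), 2):
        for hop in xy_route(src, dst):
            if hop not in cores:
                bad.append((src, dst, hop))
    return bad


def grp_is_isolated(cluster: Iterable[Coord]) -> bool:
    """True when no intra-cluster packet ever uses a router outside the cluster."""
    return not isolation_violations(cluster)


def grps_disjoint(grps: List[Set[Coord]]) -> bool:
    """Partition check: no core belongs to more than one GRP."""
    return len(set().union(*grps)) == sum(len(g) for g in grps)


if __name__ == "__main__":
    print("2x2 rectangle isolated:", grp_is_isolated(rectangle(0, 0, 1, 1)))
    print("L-shape violations:", isolation_violations({(0, 1), (1, 1), (1, 0)}))
    print("disjoint GRPs:", grps_disjoint([rectangle(0, 0, 1, 1), rectangle(2, 0, 3, 1)]))
```

The L-shaped case is instructive: the packet from (1, 0) to (0, 1) first moves along x to (0, 0), a core the cluster does not own, so any GRP that owns (0, 0) would see that traffic on its router. Rectangles are closed under XY routing, which is why the article's GRPs are rectangular.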

The static WCET analysis tool OTAWA of University of Toulouse was enhanced by modelling the parMERASA multi-core processor and extended with support for timing analysis of parallel programs. Source code annotations for parallelisation analysis were defined that are based on the parallel design patterns.

Tools developed by Rapita Systems Ltd. comprise the on-target timing and WCET analysis tool RapiTime enhanced for parallel programs; the on-target code coverage tool RapiCover with support for code coverage for parallel programs; the constraint verification tool RapiCheck for constraint checking of parallel programs; a dependency analysis tool to assist with the parallelisation of existing sequential software; and a visualisation and profiling tool for parallel programs. Barcelona Supercomputing Center developed a mapping tool to statically allocate tasks to cores of the parMERASA multi-core.

parMERASA tool chain for parallelising sequential hard real-time applications

Quantitative performance results of the project include general average speedups measured on the parMERASA simulator, static WCET speedups calculated by OTAWA, and measurement-based WCET speedups determined by the RapiTime tool. For example, the WCET-aware parallelization of the 3DPP application achieved a static WCET speedup by OTAWA of 2.81 and a measurement-based WCET speedup by RapiTime of 4.58 for a 16-thread application configuration. Statically calculated WCET with 2, 4, and 8 cores and different techniques to access shared data are shown in the following figure. All values are normalised to the single-core WCET. Magic implements a perfect cache coherence and represents the theoretical maximum performance from a cache coherence point of view. parMERASA ODC<sup>2</sup> is nearly reaching this maximum performance while conventional techniques are far behind.

WCET with multiple cores and different techniques for sharing data

For the diesel engine management system three levels of parallelism were investigated. Intra-runnable

the pattern-based approach. A measurement-based WCET speedup of 2.3 was reached on 4 cores for one runnable. Intra-task parallelism was reached by mapping runnables of a task on different cores with the parMERASA mapping tool. A static WCET speedup of 3.3 was estimated by OTAWA on 4 cores for a single task. Inter-task parallelism was exploited with timed implicit communication.

all tasks on 8 cores. If intra- and inter-task parallelism were combined (one task was distributed over 2 cores) the static WCET speedup increased to 5.97 on 8 cores.

The WCET-aware parallelization of crawler crane control code showed that multi-core platforms are applicable also for control-based applications and a static WCET speedup of 2.38 can be reached with 4 cores.

The overall experience suggests that parallelizing real-world hard real-time applications which execute successfully on a single core reaches moderate speedups on multi-cores.

The scalability of such algorithms is limited. In particular, static WCET speedups suffer from pessimism caused by global memory accesses in a multi-core. The parMERASA approach paved the way for future hard real-time high-performance parallel embedded system applications. More complex control algorithms than today can be applied, and such newly developed control algorithms should be scalable and able to utilize the performance increase offered by multi- and many-core processors.

We believe that parMERASA can provide a suitable baseline for *EMC*<sup>2</sup> techniques. The developed architecture, runtime software, tools and parallelisation patterns could be extended to meet the mixed criticality requirements of future complex embedded platforms in dynamic and changeable environments.

Project coordinator: Prof. Dr. Theo Ungerer, University of Augsburg, project website: http://www.parmerasa.eu/

The project has been funded by European Community under grant agreement number 287519.





## IEEE International Conference on Industrial Informatics INDIN'15 22-24 July 2015, Cambridge, UK

**Special Session on:** "Embedded Multi-Core Systems for Mixed Criticality Applications in Dynamic and Changeable Real-Time Environments"

#### organized by:

- Dr. George Dimitrakopoulos, Harokopio University of Athens, Greece
- Dipl.-Ing. Erwin Schoitsch, Austrian Institute of Technology GmbH, Austria
- Dr. Werner Weber, Infineon Technologies AG, Germany

Cyber-physical systems (CPS) are the key innovation driver to improve almost all mechatronic products with cheaper and even new functionalities. Furthermore, they strongly support today's information society as inter-system communication enabler. Consequently boundaries of application domains are alleviated and ad-hoc connections and interoperability play an increasing role.

At the same time, multi-core and many-core computing platforms are becoming available on the market and provide a breakthrough for system (and application) integration. A major industrial challenge arises facing (cost) efficient integration of different applications with different levels of safety and security on interconnected computing platforms in an open context.

#### Topics of interest include, but are not limited to:

- 1. Architectures and platforms for embedded (cyber-physical) systems
- 2. Application Models and Design Tools for Mixed-Critical, Multi-Core CPS
- 3. Dynamic runtime environments and services
- 4. Multi-core hardware architectures and concepts
- 5. System design platform, tools, models and interoperability
- 6. Applications of multi-core cyber-physical systems: avionics, automotive, space, cross-domain and other applications
- 7. Safety and security co-engineering in open dynamic CPS
- 8. Next generation embedded/cyber-physical systems
- 9. Standardization, qualification and certification issues of complex critical CPS







#### Submission instructions:

A manuscript submitted to the Special Session of INDIN 2015 must be in the IEEE double-column format with single-spaced 10pt fonts and figures included in the text, so that the manuscript length of 8 pages in PDF format can be evaluated. For your convenience you may download the WORD template.doc from the conference website: http://www.INDIN2015.org

#### Deadlines:

- Reception of full paper: February 1, 2015
- Paper acceptance notification: April 10, 2015
- Camera ready paper reception: May 17, 2015

#### **Program Committee:**

- Dr. Hyun Cho, Systemite AB, Sweden
- Dr. Loïc Cudennec, CEA France
- Dr. George Dimitrakopoulos, Harokopio University of Athens, Greece
- Dr. Jens Eliasson, Luleå University of Technology, Sweden
- Kim Gruettner, OFFIS, Germany
- D. Matthieu Lemerre, CEA France
- Dr. Marios Logothetis, University of Piraeus, Greece
- Prof. Pericles Loucopoulos, The University of Manchester, UK
- Dr. Stéphane Louise, CEA France
- Dr. Christos Michalakelis, Harokopio University of Athens, Greece
- Dr. Daniel Schneider, Fraunhofer Institute, Germany
- Dipl.-Ing. Erwin Schoitsch, Austria
- Prof. Sascha Uhrig, TU Dortmund, Germany
- Dr. Werner Weber, Infineon Technologies AG, Germany







Project:

## EMC<sup>2</sup> – Embedded Multi-Core systems for Mixed Criticality applications in dynamic and changeable real-time environments

## ARTEMIS Grant Agreement Number: 621429

Project Coordinator: Infineon Technologies AG, Dr. Werner Weber, IFAG BEX RDE RDF, Am Campeon 1-12, 85579 Neubiberg, Germany

Contact: werner.weber@infineon.com

#### Editorial:

- Sascha Uhrig, TU-Dortmund
- Albert Cohen, INRIA
- Luis Miguel Pinho, CISTER
- Rafael Zalman, Infineon Technologies AG
- Mafijul Islam, Volvo

Contact: emc2\_newsletter@list.emdesk.eu

#### Layout, Design:

- Lajos Herpay, TU-Dortmund

