The GUARDS Approach to Safety-Critical Real-Time Systems
by Andrea Bondavalli and Felicita Di Giandomenico
In addition to dependability, cost-effectiveness is a major criterion to be accounted for in the development process of Dependable Computing for Safety Critical Applications (DCSA). However, in the domain of DCSA systems, a large gap exists between costly proprietary architectures targeted at very high dependability and cheap commercial architectures with less stringent requirements. This reveals the lack of an intermediate class of architectures based on an acceptable compromise between the potentially conflicting objectives of high dependability on the one hand and low cost, openness and software-intensive applications on the other.
The Esprit Project 20716 GUARDS (February 1996 - January 1999) addresses the design and development of a Generic Upgradable Architecture for Real-time Dependable Systems, together with an associated development and validation environment. The end-user companies in the consortium all currently deploy ultra-dependable real-time embedded computers in their systems, but with very different requirements and constraints resulting from the diversity of their application domains: nuclear submarine, railway and space systems. The overall aim of the GUARDS project is to significantly decrease the lifecycle costs of such embedded systems. The intent is to be able to configure instances of the GUARDS generic architecture that can be shown to meet the very diverse requirements of these (and other) critical real-time application domains.
Five fundamental objectives are being pursued by the GUARDS consortium:
- genericity, to support reusability of hardware and software components in different applications and domains
- dependability, to support the design, verification and validation of dependability properties
- real-time, to meet constraints related to time and scheduling
- ability to be validated
- ability to be certified.
The GUARDS architecture, the core of the GUARDS project, aims to tolerate permanent and temporary, internal and external physical faults and should provide confinement or tolerance of software design faults. In order to keep costs low while maximising flexibility, this architecture hosts commercial off-the-shelf (COTS) hardware and software components, with application-transparent fault-tolerance implemented primarily by software. To reduce the cost of validation and certification of instances of the architecture, three main guidelines have been followed: design for validation, so as to restrict the validation to a minimum set of critical components; re-use of already validated components in different instances; and support for system and application components of different criticalities.
The generic architecture, illustrated in the figure, has been defined along three axes:
- the channel axis: channels provide the primary hardware fault containment regions; it should be possible to configure instances of the architecture with 1 to 4 channels
- the intra-channel or multiplicity axis: multiple resources can be provided in each channel either for increased performance and/or for use as secondary fault containment regions
- the integrity axis: spatial and temporal firewalls will be implemented to protect critical components from residual design faults in less-critical components.
The GUARDS Architecture
Although the GUARDS architecture favours the use of COTS components, some parts of the architecture must necessarily be specifically designed, to comply with the requirements of the applications GUARDS is aimed at. As shown in the figure, they are:
- the inter-channel communication network, needed to ensure inter-channel synchronisation and interactive consistency
- the output data consolidation system, needed to combine redundant logical outputs into error-free physical effects in the controlled process
- the basic operating system services for fault-tolerance, firewalling and real-time scheduling of replicated computations.
To comply with the basic GUARDS requirements of genericity and upgradability, the latter operating system services are being developed using a server-based operating system based on micro-kernel technology.
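As an added illustration (not the GUARDS inter-channel protocol itself, which this article does not detail), the following runs the classic oral-messages algorithm OM(1) of Lamport, Shostak and Pease over a constructed 4-channel instance, the minimum (3f+1) for one arbitrarily faulty channel: every correct channel ends up with the same vector of all channels' inputs, and a majority vote over that vector stands in for the output data consolidation. The channel numbers, input values and the fault-injection lambda are constructed for the example.

```python
from collections import Counter

# Constructed example: the classic oral-messages algorithm OM(1) (Lamport,
# Shostak, Pease) over four channels. Not the GUARDS inter-channel protocol,
# which the article does not detail; it shows the property that protocol needs.

def majority(values):
    """Majority of a list, or None when there is no strict winner (a tie)."""
    ranked = Counter(values).most_common()
    if len(ranked) > 1 and ranked[0][1] == ranked[1][1]:
        return None
    return ranked[0][0]

def send(src, dst, value, faulty):
    """Value dst receives from src; a faulty src may send anything to anyone."""
    return faulty[src](dst, value) if src in faulty else value

def interactive_consistency(inputs, faulty):
    """OM(1): each channel builds a vector of every channel's private input.
    With N >= 3f+1 channels (N=4, f=1 here) all correct channels end up with
    the same vector, whose entries for correct sources are their true inputs.
    inputs: {channel: value}; faulty: {channel: lie(dst, value)} (constructed)."""
    chans = sorted(inputs)
    vectors = {k: {} for k in chans}
    for s in chans:
        # Round 1: source s broadcasts its value over the inter-channel network.
        direct = {j: send(s, j, inputs[s], faulty) for j in chans if j != s}
        for k in chans:
            if k == s:
                vectors[k][s] = inputs[s]
                continue
            # Round 2: every other channel j relays to k what it got from s.
            relayed = [send(j, k, direct[j], faulty) for j in chans if j not in (s, k)]
            vectors[k][s] = majority([direct[k]] + relayed)
    return vectors

def consolidate(vectors, correct):
    """Output consolidation stand-in: each correct channel majority-votes its vector."""
    return {k: majority(list(vectors[k].values())) for k in correct}

# Constructed 4-channel instance: channel 3 is faulty and sends 99 instead of
# the true value whenever it talks to channels 1 or 2, but is honest to channel 0.
INPUTS = {0: 10, 1: 10, 2: 10, 3: 10}
FAULTY = {3: lambda dst, value: 99 if dst in (1, 2) else value}
CORRECT = [0, 1, 2]

if __name__ == "__main__":
    vectors = interactive_consistency(INPUTS, FAULTY)
    print(vectors[0] == vectors[1] == vectors[2], consolidate(vectors, CORRECT))
```

Note that channel 0 received 10 directly from the faulty channel yet agrees with channels 1 and 2 on 99 for it; agreement among the correct channels is what makes the later vote consistent across channels.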
The GUARDS Consortium
The work reported in this article is being carried out in the framework of ESPRIT project No. 20716 GUARDS. The GUARDS consortium consists of three end-user companies: Technicatome (France), Ansaldo Trasporti (Italy) and Matra Marconi Space France; two technology-provider companies: Intecs Sistemi (Italy) and Siemens AG Österreich PSA (Austria); and three academic partners: LAAS-CNRS (France), Pisa Dependable Computing Centre (Italy) and the University of York (United Kingdom). The authors participate in the GUARDS project as members of the Pisa Dependable Computing Centre.
Andrea Bondavalli - CNUCE-CNR
Tel: +39 50 593 327
Felicita Di Giandomenico - IEI-CNR
Tel: +39 50 593 443