ERCIM News No.32 - January 1998

The GUARDS Approach to Safety-Critical Real-Time Systems

by Andrea Bondavalli and Felicita Di Giandomenico

In addition to dependability, cost-effectiveness is a major criterion to be accounted for in the development of Dependable Computing for Safety Critical Applications (DCSA). However, in the domain of DCSA systems, a large gap exists between costly proprietary architectures targeted at very high dependability and cheap commercial architectures with less stringent requirements. This reveals the lack of an intermediate class of architectures based on an acceptable compromise between the potentially conflicting objectives of high dependability on the one hand and low cost, openness and software-intensive applications on the other.

The Esprit Project 20716 GUARDS (February 1996 - January 1999) addresses the design and development of a Generic Upgradable Architecture for Real-time Dependable Systems, together with an associated development and validation environment. The end-user companies in the consortium all currently deploy ultra-dependable real-time embedded computers in their systems, but with very different requirements and constraints resulting from the diversity of their application domains: nuclear submarine, railway and space systems. The overall aim of the GUARDS project is to significantly decrease the lifecycle costs of such embedded systems. The intent is to be able to configure instances of the GUARDS generic architecture that can be shown to meet the very diverse requirements of these (and other) critical real-time application domains.

Five fundamental objectives are being pursued by the GUARDS consortium:

The GUARDS architecture, the core of the GUARDS project, aims to tolerate permanent and temporary, internal and external physical faults, and should provide confinement or tolerance of software design faults. In order to keep costs low while maximising flexibility, this architecture hosts commercial off-the-shelf (COTS) hardware and software components, with application-transparent fault tolerance implemented primarily in software. To reduce the cost of validation and certification of instances of the architecture, three main guidelines have been followed: design for validation, so as to restrict the validation to a minimum set of critical components; re-use of already validated components in different instances; and support for system and application components of different criticalities.

The generic architecture, illustrated in the figure, has been defined along three axes:

The GUARDS Architecture

Although the GUARDS architecture favours the use of COTS components, some parts of the architecture must necessarily be specifically designed, to comply with the requirements of the applications GUARDS is aimed at. As shown in the figure, they are:

To comply with the basic GUARDS requirements of genericity and upgradability, the latter operating system services are being developed using a server-based operating system based on micro-kernel technology.

The GUARDS Consortium

The work reported in this article is being carried out in the framework of ESPRIT project No. 20716 GUARDS. The GUARDS consortium consists of three end-user companies: Technicatome (France), Ansaldo Trasporti (Italy) and Matra Marconi Space France; two technology-provider companies: Intecs Sistemi (Italy), Siemens AG Osterreich PSA (Austria); and three academic partners: LAAS-CNRS (France), Pisa Dependable Computing Centre (Italy) and the University of York (United Kingdom). The authors participate in the GUARDS project as members of the Pisa Dependable Computing Centre.

Please contact:

Andrea Bondavalli - CNUCE-CNR
Tel: +39 50 593 327

Felicita Di Giandomenico - IEI-CNR
Tel: +39 50 593 443
