developing safety-critical systems with gnat pro & vxworks · some standards addressing...
TRANSCRIPT
Trend 1: Increased Software Complexity
1980 1990 1996 1999
Advanced Interconnect
Advanced Networking
High Availability
Memory Management
Multiprocessing
File System
Network
Kernel
Advanced Interconnect
Advanced Networking
High Availability
Memory Management
Multiprocessing
File System
Network
KernelKernelKernel
Application and KernelApplication and Kernel100 000 lines of code100 000 lines of code
Application and KernelApplication and Kernel1 000 000+ lines of code1 000 000+ lines of code
Trend 2: Need to Certify Military Avionics
Example: RTCA DO-178B & EUROCAE/ED-12B (civil avionics)
Other examples: Def-Stan 055
Failure ConditionFailure ConditionFailure ConditionFailure ConditionFailure ConditionFailure ConditionFailure ConditionFailure Condition Software LevelSoftware LevelSoftware LevelSoftware LevelSoftware LevelSoftware LevelSoftware LevelSoftware Level
Catastrophic Level A
Hazardous/Severe - Major Level B
Major Level C
Minor Level D
No Effect Level E
Typical Avionic System Architecture
Designed as a federated architecture of dedicated black-boxes
App 1App 1 App 2App 2 App 4App 4App 3App 3
Level B Level A
Level C Level D
This Architecture is Inherently Robust
The Apps are physically protected from one another.If an App fails, it does not affect the others.
App 1App 1 App 2App 2 App 4App 4App 3App 3
Level B Level A
Level C Level D
This Architecture is Inherently Robust
Furthermore you can restart the App after it failed
App 1App 1 App 2App 2 App 4App 4
Level B Level A
Level C
App 3App 3
Level D
This Architecture is EXPENSIVE EXPENSIVE to BuildIn terms of
• COST, POWER, WEIGHTAdding Apps means Adding boxes
App 1App 1 App 2App 2 App 4App 4App 3App 3
Level B Level A
Level C Level D
App 5App 5Level E
App 7App 7
Level C
App 8App 8
Level A
… And is EXPENSIVE EXPENSIVE to Maintain
Integrated Modular Avionics (IMA)
►A new architecture model has been developed
►Common processing subsystems• Allows multiple apps to share computing resources• Reduces the number of boards in a plane
►Software abstraction• Isolate the application from the underlying HW architecture• Reduce the impact of HW obsolescence
TARGETTARGET
IMA: Conceptual View
App 1App 1 App 2App 2 App 4App 4App 3App 3
Software Abstraction LayerSoftware Abstraction Layer
ProcessorProcessor
Level B Level A
Level CLevel D
Before IMA
►Kernel & App in single address space►Protection achieved by means of physical partitioning
App 1App 1 App 2App 2 App 4App 4App 3App 3
Level B Level A
Level C Level D
KernelKernel
ProcessorProcessorKernelKernel
ProcessorProcessorKernelKernel
ProcessorProcessorKernelKernel
ProcessorProcessor
Software Support for IMA
Apps must be partitioned (protected from one another)
►Spatial Partitioning• Memory protection• Resource protection
►Temporal Partitioning• CPU protection
►Some standards addressing software support from IMA:• E.g. ARINC 653, RTCA/DO-255, EUROCAE WG-60
Protection
An App cannot starve other Apps by keeping all the CPU to itself
Temporal Protection
An App cannot exhaust all the kernel resourcesResource Protection
An illegal memory access by an App cannot bring down the whole system
Memory Protection
Product FamiliesSafety Critical
Non Safety-Critical
PhysicalPartitioning
SoftwarePartitioning
GNAT ProGNAT Pro
VxWorks 5.xVxWorks 5.x
GNAT ProGNAT Pro
VxWorks AEVxWorks AE
GNAT Pro HighGNAT Pro High--Integrity EditionIntegrity Edition
VxWorks/CertVxWorks/Cert
GNAT Pro HighGNAT Pro High--Integrity EditionIntegrity Edition
VxWorks AE653VxWorks AE653
VxWorks Certifiable Kernels
►VxWorks/Cert• DO-178B Level A certifiable multitasking RTOS
►VxWorks AE653 (ARINC 653)• DO-178B Level A certifiable multitasking RTOS• Spatial Partitioning (memory protection, resource protection)• Temporal Partitioning (ARINC 653 scheduler)
TARGETTARGET
ProcessorProcessor
VxWorks AE653 Architecture
Core OSCore OS
PartitionPartitionOSOS
App 1App 1 App 2App 2 App 3App 3
PartitionPartitionOSOS
PartitionPartitionOSOS
Partition OS
► Partition OS threads are called vThreads
► vThreads run as user-level threads
► Priority-based preemptive scheduler
► Partition OS provides the following APIs to the app within the partition:
• ARINC 653 API
• POSIX API
• VxWorks API
TARGETTARGET
ProcessorProcessor
Core OSCore OS
PartitionPartitionOSOS
App 1App 1 App 2App 2 App 3App 3
PartitionPartitionOSOS
VxWorks 5.xVxWorks 5.xor or
VxWorks/CertVxWorks/Certmicrokernelmicrokernel
PartitionPartitionOSOS
vThreads
► vThreads do not address kernel objects in other partitions
► vThreads service API calls from the app
► vThreads allocate resources owned by the partition to the app
► vThreads pass on kernel calls which need to be serviced by the Core OS
• But only after the input parameters have been validated
• The message-passing implementation between the Partition & Core OS is
private
Core OS: VxWorks AE Technology
► Allocation of system resources to partitions
► Detection of attempted violations to partition
boundaries
► Kernel protection (user/supervisor protection)
► Overrun protection: stack, heap, CPU
lockouts
► Resource reclamation: heap, stack, code &
data memory
► ARINC 653 Partition Scheduler
► Support for inter-partition communication via
distributed messaging
TARGETTARGET
ProcessorProcessor
VxWorks AE653VxWorks AE653
PartitionPartitionOSOS
App 1App 1 App 2App 2 App 3App 3
PartitionPartitionOSOS
PartitionPartitionOSOS
TARGETTARGET
ProcessorProcessor
ARINC 653 Scheduler
Core OSCore OS
PartitionPartitionOSOS
D1D1 D2D2 D3D3
PartitionPartitionOSOS
PartitionPartitionOSOS
D1D1task1task1 D1D1
task2task2
D2D2task1task1 D2D2
task2task2
D3D3task1task1 D3D3
task2task2
WindView showing ARINC-653 scheduling of 3 protection domains with different timeslot allocations
Time slots for all 3 Protection Domains
GNAT Pro High-Integrity Edition (HIE)
►Choice of 3 profiles:• Profile 1: No Ada run-time (no tasking)• Profile 2: Ravenscar tasking• Profile 3: User-defined
►Upwardly compatible with the SPARK profile• The high-integrity subset of Ada by Praxis
GNAT Pro: A Single Visual Environment
TargetTargetDevelopmentDevelopment
HostHostDevelopmentDevelopment
Beta: JuneFCS: Q4
NEWNEW
GNAT Pro HIE: 3 Profiles
Profile 1: No Ada RunNo Ada Run--TimeTime• No Ada tasking• Use VxWorks tasks directly
Ada ApplicationAda Application
VxWorks/CertVxWorks/Cert
No Ada run-time
Profile 2: RavenscarRavenscar• Safe Ada 95 tasking• Minimal Ada run-time
Ada ApplicationAda Application
VxWorks/CertVxWorks/Cert
Minimal Ada run-time
Profile 3: UserUser--defineddefined• Pick & choose• Certify what you need
VxWorks/CertVxWorks/Cert
UserUser--selected featuresselected features
Ada ApplicationAda Application
Profile 2: Ravenscar Tasking
► Ravenscar Ada 95 tasking subset• Defined in Ravenscar, UK in 1997, to be part of the next Ada 0Y standard• Satisfies the certification requirements of safety-critical real-time systems• Allows schedulability analysis (in particular RMA)
► These design objectives are part of certifiable VxWorks kernels
► Only ~200 Ada SLOCs required to implement Ravenscar on top of VxWorks
► Very efficient & compact implementation
Profile 3: Extend the Ada Subset Allowed
►Profile 3 allows users to define their your own Ada subset
►Why is that useful?
►To certify an existing application • It may be cheaper to customize the Ada subset and certify it
• Rather than recode the application to meet existing Ada profiles
• Especially if you do not have to certify at the highest integrity level
Example: Allowing Integer Exponentiation
functionfunction F (X, N : F (X, N : Integer) Integer) return return Integer Integer
isisY : Integer := X + 1;Y : Integer := X + 1;
beginbeginreturn return Y ** NY ** N;;
endend F;F;
stwu 1,-8(1)mflr 0stw 0,12(1)addi 3,3,1bl system__system__exnexn__intint____exnexn_integer_integerlwz 0,12(1)mtlr 0addi 1,1,8blr
-- GNAT Pro run-time unit implementing integer "**"package System.Exn_Int is
pragma High_Integrity;function Exn_Integer Left : Integer; Right : Natural) return Integer;
end System.Exp_Int;
GNAT Pro HIEGNAT Pro HIEcompilercompiler
Ada source Assembly
TARGETTARGET
ProcessorProcessor
AE653 Supports Heterogeneous Apps
VxWorks AE653VxWorks AE653
VxWorksVxWorksCertCert
HIE AdaHIE AdaAppApp
No runtimeNo runtimeprofileprofile
HIE AdaHIE AdaAppApp
RavenscarRavenscarprofileprofile
VxWorksVxWorksCertCert
Ravenscar RTRavenscar RT
HIE Ada HIE Ada AppApp
UserUser--defineddefinedprofileprofile
VxWorksVxWorksCertCert
UserUser--selectedselectedfeaturesfeatures
VxWorksVxWorksCertCert
HIE AdaHIE AdaAppApp
No runtimeNo runtimeprofileprofile
ARINC 653ARINC 653APIAPI
Full AdaFull AdaAppApp
VxWorksVxWorks5.55.5
Full Ada 95Full Ada 95runrun--timetime
VxWorksVxWorks5.55.5
CCAppApp
POSIXPOSIXAPIAPI
VxWorksVxWorks5.55.5
CCAppApp
TARGETTARGET
VxWorksVxWorks5.55.5
CCAppApp
ProcessorProcessor
AE653 Memory Protection Model
VxWorks AE653VxWorks AE653
task1task2task2
VxWorksVxWorksCertCert
HIE AdaHIE AdaAppApp
No runtimeNo runtimeprofileprofile
HIE AdaHIE AdaAppApp
RavenscarRavenscarprofileprofile
VxWorksVxWorksCertCert
Ravenscar RTRavenscar RT
Other applications unaffected!
AE653 kernel unaffected!
Invalid memory access!Invalid memory access!
task2suspended
AE653 Memory Protection Model
What happens when a task tries to access protected memory?
►A hardware exception is generated
►The kernel sends a signal to the errant task
► If no signal handler available, the task will be suspended
This prevents an errant pointer access from corrupting another application
GNAT Pro & VxWorks: Key Points
►DO-178B certifiable solution up to LEVEL A
►Supporting the development of IMA applications
►With a tightly integrated, friendly & tool-rich environment
GNAT Pro HIE & VxWorksGNAT Pro HIE & VxWorksThe solution of choice for safetyThe solution of choice for safety--critical systemscritical systems