developing safety-critical systems with gnat pro & vxworks · some standards addressing...

Developing Safety-Critical Systems

with GNAT Pro & VxWorks

Trend 1: Increased Software Complexity

1980 1990 1996 1999

Advanced Interconnect

Advanced Networking

High Availability

Memory Management

Multiprocessing

File System

Network

Kernel

Advanced Interconnect

Advanced Networking

High Availability

Memory Management

Multiprocessing

File System

Network

KernelKernelKernel

Application and KernelApplication and Kernel100 000 lines of code100 000 lines of code

Application and KernelApplication and Kernel1 000 000+ lines of code1 000 000+ lines of code

Trend 2: Need to Certify Military Avionics

Example: RTCA DO-178B & EUROCAE/ED-12B (civil avionics)

Other examples: Def-Stan 055

Failure ConditionFailure ConditionFailure ConditionFailure ConditionFailure ConditionFailure ConditionFailure ConditionFailure Condition Software LevelSoftware LevelSoftware LevelSoftware LevelSoftware LevelSoftware LevelSoftware LevelSoftware Level

Catastrophic Level A

Hazardous/Severe - Major Level B

Major Level C

Minor Level D

No Effect Level E

Typical Avionic System Architecture

Designed as a federated architecture of dedicated black-boxes

App 1App 1 App 2App 2 App 4App 4App 3App 3

Level B Level A

Level C Level D

This Architecture is Inherently Robust

The Apps are physically protected from one another.If an App fails, it does not affect the others.


Level B Level A

Level C Level D

This Architecture is Inherently Robust

Furthermore you can restart the App after it failed

App 1App 1 App 2App 2 App 4App 4

Level B Level A

Level C

App 3App 3

Level D

This Architecture is EXPENSIVE EXPENSIVE to BuildIn terms of

• COST, POWER, WEIGHTAdding Apps means Adding boxes


Level B Level A

Level C Level D

App 5App 5Level E

App 7App 7

Level C

App 8App 8

Level A

… And is EXPENSIVE EXPENSIVE to Maintain

Integrated Modular Avionics (IMA)

►A new architecture model has been developed

►Common processing subsystems• Allows multiple apps to share computing resources• Reduces the number of boards in a plane

►Software abstraction• Isolate the application from the underlying HW architecture• Reduce the impact of HW obsolescence

TARGETTARGET

IMA: Conceptual View


Software Abstraction LayerSoftware Abstraction Layer

ProcessorProcessor

Level B Level A

Level CLevel D

Before IMA

►Kernel & App in single address space►Protection achieved by means of physical partitioning


Level B Level A

Level C Level D

KernelKernel

ProcessorProcessorKernelKernel



ProcessorProcessor

Software Support for IMA

Apps must be partitioned (protected from one another)

►Spatial Partitioning• Memory protection• Resource protection

►Temporal Partitioning• CPU protection

►Some standards addressing software support from IMA:• E.g. ARINC 653, RTCA/DO-255, EUROCAE WG-60

Protection

An App cannot starve other Apps by keeping all the CPU to itself

Temporal Protection

An App cannot exhaust all the kernel resourcesResource Protection

An illegal memory access by an App cannot bring down the whole system

Memory Protection

Product FamiliesSafety Critical

Non Safety-Critical

PhysicalPartitioning

SoftwarePartitioning

GNAT ProGNAT Pro

VxWorks 5.xVxWorks 5.x

GNAT ProGNAT Pro

VxWorks AEVxWorks AE

GNAT Pro HighGNAT Pro High--Integrity EditionIntegrity Edition

VxWorks/CertVxWorks/Cert

GNAT Pro HighGNAT Pro High--Integrity EditionIntegrity Edition

VxWorks AE653VxWorks AE653

VxWorks Certifiable Kernels

►VxWorks/Cert• DO-178B Level A certifiable multitasking RTOS

►VxWorks AE653 (ARINC 653)• DO-178B Level A certifiable multitasking RTOS• Spatial Partitioning (memory protection, resource protection)• Temporal Partitioning (ARINC 653 scheduler)

TARGETTARGET

ProcessorProcessor

VxWorks AE653 Architecture

Core OSCore OS

PartitionPartitionOSOS




Partition OS

► Partition OS threads are called vThreads

► vThreads run as user-level threads

► Priority-based preemptive scheduler

► Partition OS provides the following APIs to the app within the partition:

• ARINC 653 API

• POSIX API

• VxWorks API

TARGETTARGET

ProcessorProcessor

Core OSCore OS




VxWorks 5.xVxWorks 5.xor or

VxWorks/CertVxWorks/Certmicrokernelmicrokernel


vThreads

► vThreads do not address kernel objects in other partitions

► vThreads service API calls from the app

► vThreads allocate resources owned by the partition to the app

► vThreads pass on kernel calls which need to be serviced by the Core OS

• But only after the input parameters have been validated

• The message-passing implementation between the Partition & Core OS is

private

Core OS: VxWorks AE Technology

► Allocation of system resources to partitions

► Detection of attempted violations to partition

boundaries

► Kernel protection (user/supervisor protection)

► Overrun protection: stack, heap, CPU

lockouts

► Resource reclamation: heap, stack, code &

data memory

► ARINC 653 Partition Scheduler

► Support for inter-partition communication via

distributed messaging

TARGETTARGET

ProcessorProcessor






TARGETTARGET

ProcessorProcessor

ARINC 653 Scheduler

Core OSCore OS


D1D1 D2D2 D3D3



D1D1task1task1 D1D1

task2task2

D2D2task1task1 D2D2

task2task2

D3D3task1task1 D3D3

task2task2

WindView showing ARINC-653 scheduling of 3 protection domains with different timeslot allocations

Time slots for all 3 Protection Domains

GNAT Pro High-Integrity Edition

The Ada 95 Solution to Develop Safety-Critical Systems

GNAT Pro High-Integrity Edition (HIE)

►Choice of 3 profiles:• Profile 1: No Ada run-time (no tasking)• Profile 2: Ravenscar tasking• Profile 3: User-defined

►Upwardly compatible with the SPARK profile• The high-integrity subset of Ada by Praxis

GNAT Pro: A Single Visual Environment

TargetTargetDevelopmentDevelopment

HostHostDevelopmentDevelopment

Beta: JuneFCS: Q4

NEWNEW

GNAT Pro HIE: 3 Profiles

Profile 1: No Ada RunNo Ada Run--TimeTime• No Ada tasking• Use VxWorks tasks directly

Ada ApplicationAda Application


No Ada run-time

Profile 2: RavenscarRavenscar• Safe Ada 95 tasking• Minimal Ada run-time



Minimal Ada run-time

Profile 3: UserUser--defineddefined• Pick & choose• Certify what you need


UserUser--selected featuresselected features


Profile 2: Ravenscar Tasking

► Ravenscar Ada 95 tasking subset• Defined in Ravenscar, UK in 1997, to be part of the next Ada 0Y standard• Satisfies the certification requirements of safety-critical real-time systems• Allows schedulability analysis (in particular RMA)

► These design objectives are part of certifiable VxWorks kernels

► Only ~200 Ada SLOCs required to implement Ravenscar on top of VxWorks

► Very efficient & compact implementation

Profile 3: Extend the Ada Subset Allowed

►Profile 3 allows users to define their your own Ada subset

►Why is that useful?

►To certify an existing application • It may be cheaper to customize the Ada subset and certify it

• Rather than recode the application to meet existing Ada profiles

• Especially if you do not have to certify at the highest integrity level

Example: Allowing Integer Exponentiation

functionfunction F (X, N : F (X, N : Integer) Integer) return return Integer Integer

isisY : Integer := X + 1;Y : Integer := X + 1;

beginbeginreturn return Y ** NY ** N;;

endend F;F;

stwu 1,-8(1)mflr 0stw 0,12(1)addi 3,3,1bl system__system__exnexn__intint____exnexn_integer_integerlwz 0,12(1)mtlr 0addi 1,1,8blr

-- GNAT Pro run-time unit implementing integer "**"package System.Exn_Int is

pragma High_Integrity;function Exn_Integer Left : Integer; Right : Natural) return Integer;

end System.Exp_Int;

GNAT Pro HIEGNAT Pro HIEcompilercompiler

Ada source Assembly

TARGETTARGET

ProcessorProcessor

AE653 Supports Heterogeneous Apps


VxWorksVxWorksCertCert

HIE AdaHIE AdaAppApp

No runtimeNo runtimeprofileprofile


RavenscarRavenscarprofileprofile


Ravenscar RTRavenscar RT

HIE Ada HIE Ada AppApp

UserUser--defineddefinedprofileprofile


UserUser--selectedselectedfeaturesfeatures




ARINC 653ARINC 653APIAPI

Full AdaFull AdaAppApp

VxWorksVxWorks5.55.5

Full Ada 95Full Ada 95runrun--timetime


CCAppApp

POSIXPOSIXAPIAPI


CCAppApp

TARGETTARGET


CCAppApp

ProcessorProcessor

AE653 Memory Protection Model


task1task2task2





RavenscarRavenscarprofileprofile


Ravenscar RTRavenscar RT

Other applications unaffected!

AE653 kernel unaffected!

Invalid memory access!Invalid memory access!

task2suspended

AE653 Memory Protection Model

What happens when a task tries to access protected memory?

►A hardware exception is generated

►The kernel sends a signal to the errant task

► If no signal handler available, the task will be suspended

This prevents an errant pointer access from corrupting another application

GNAT Pro & VxWorks: Key Points

►DO-178B certifiable solution up to LEVEL A

►Supporting the development of IMA applications

►With a tightly integrated, friendly & tool-rich environment

GNAT Pro HIE & VxWorksGNAT Pro HIE & VxWorksThe solution of choice for safetyThe solution of choice for safety--critical systemscritical systems

developing safety-critical systems with gnat pro & vxworks · some standards addressing...

Documents