MultiPARTES
Towards Model-Driven Engineering for Mixed-Criticality Systems: MultiPARTES Approach
A. Alonso, C. Jouvray, S. Trujillo, M.A. de Miguel, C. Grepet, J. Simó
WICERT 2013, March 22nd

Motivation and goals
Modern electronic systems used in industry (avionics, automotive, etc.) combine applications:
– with real-time (hard and soft) and non-real-time requirements
– with different levels of security
– that can be independently qualified (certified)
This trend can imply increased validation and certification costs.
This extra cost can be reduced by:
– isolating the execution of the different applications
– a methodology with a higher abstraction level

MultiPARTES goals
MultiPARTES – FP7 project in the area of ICT – http://www.multipartes.eu
MultiPARTES goals:
– To develop a multicore platform virtualization layer for critical and secure embedded systems
– To propose a methodology that enables the rapid development of new applications based on partitioned systems
– To develop methods and tools to support application development

Approach overview
Design an embedded system composed of a set of applications.
Execute this embedded system in a:
– Partitioned execution environment
– Multi-core platform
Supported by a virtualization layer.
[Figure: heterogeneous system, a virtualization layer (VL) on each processor]
– Different processors (more or less predictable, more or less powerful)

Hypervisor
A hypervisor-based system permits building partitioned systems where partitions:
– are temporally and spatially isolated
– use the appropriate OS for each application
– execute mono-core OSs on a multicore platform

XtratuM hypervisor
Open-source bare-metal hypervisor for critical real-time partitioned systems.
Uses para-virtualization techniques.
– Strong temporal isolation: fixed cyclic scheduler
– Strong spatial isolation: every partition is executed in processor user mode and does not share memory
– Robust communication mechanisms (ARINC ports)
– Robust error management via the Health Monitor
– Devices can be directly managed by partitions. Shared devices can be organized in an IOServer
– Resources are allocated statically through a configuration file (XML)

Development process
• High-level system model: set of applications and interconnections
• Mixed criticality
• High-level model of hardware resources: types of devices and properties
Resource management models
Application constraints: criticality, time, device usage; resource availability
Methodology to enforce the rapid development and production of new applications based on partitioned systems

MDE approach
Model-Driven Engineering (MDE) approach:
– helps to bridge the gap between design issues and partitioning concerns
– models are the main development artifacts
– annotations for non-functional properties
Approach based on several metamodels

Toolset
MultiPARTES toolchain with UML profiles

Platform model
This model defines the relevant properties of the platform.

HW platform metamodel

Application model
Described using UML, enriched with non-functional annotations:
– Criticality requirements: in terms of safety levels
– Time requirements: based on UML MARTE
– Resource needs requirements: for guaranteeing QoS
– Device usage requirements

Partitioning
Information to be used for partitioning:
– Components that must be in the same partition (App)
– Level of criticality (App)
– Time requirements granularity (App)
– Requirements on OS (App)
– Components that must be executed on a given processor (Par)
– Hardware platform (HW)
Defining a metamodel for the partitioning model:
– Requirements on partitioning that relate the platform and the application
– Deployment model for code and configuration generation

Reference platform
A heterogeneous platform based on:
– One Atom multicore processor (general platform)
  • Less critical applications
  • Higher computation capabilities
  • General-purpose OSs
– Two LEON3 synthesized in FPGA
  • Higher predictability
  • More critical applications
  • Lower computation capabilities
  • Real-time OSs

Conclusions
Mixed-criticality systems are required by industry and are a challenging topic.
MultiPARTES approach:
– Based on XtratuM: a hypervisor that provides spatial and temporal isolation
– MDE: the basis to facilitate system development
– Tool framework:
  • Allows defining non-functional requirements related to partitioning
  • Time and safety requirements are validated
  • Generation of code and configuration files

Questions?
More information: http://www.multipartes.eu
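As an added example (not code from the MultiPARTES project or from XtratuM), the following Python checks a constructed partitioning model against the isolation properties the XtratuM slide attributes to the hypervisor (a fixed cyclic schedule, partitions that share no memory) and against the partitioning constraints listed on the Partitioning slide (criticality level, component co-location, processor binding). All class names, fields, time values and memory addresses are assumptions made for the example.

```python
from dataclasses import dataclass
@dataclass
class Partition:
    name: str
    criticality: str          # safety level label (constructed, e.g. "high"/"low")
    cpu: int                  # processor the partition is bound to
    mem_start: int            # private region is [mem_start, mem_start + mem_size)
    mem_size: int
    components: frozenset     # application components deployed in this partition

@dataclass
class Slot:                   # one slot of the fixed cyclic plan, times in microseconds
    partition: str
    start: int
    duration: int

def check_plan(partitions, slots, major_frame, criticality_of, must_colocate):
    errs, by_name = [], {p.name: p for p in partitions}   # empty list = consistent
    # Spatial isolation: memory regions of different partitions must not overlap.
    regions = sorted((p.mem_start, p.mem_start + p.mem_size, p.name) for p in partitions)
    for (_, end1, n1), (start2, _, n2) in zip(regions, regions[1:]):
        if start2 < end1:
            errs.append(f"memory overlap: {n1} / {n2}")
    # Temporal isolation: per CPU, slots must not overlap and must fit the major frame.
    for cpu in {p.cpu for p in partitions}:
        plan = sorted((s for s in slots if by_name[s.partition].cpu == cpu),
                      key=lambda s: s.start)
        for a, b in zip(plan, plan[1:]):
            if b.start < a.start + a.duration:
                errs.append(f"cpu{cpu}: slots {a.partition} / {b.partition} overlap")
        if plan and plan[-1].start + plan[-1].duration > major_frame:
            errs.append(f"cpu{cpu}: cyclic plan exceeds major frame of {major_frame} us")
    # Mixed criticality: a partition hosts components of one safety level only.
    for p in partitions:
        for c in p.components:
            if criticality_of[c] != p.criticality:
                errs.append(f"{c} is {criticality_of[c]} but deployed in {p.name}")
    # Co-location: groups the application model requires to share one partition.
    for group in must_colocate:
        hosts = {p.name for p in partitions if p.components & group}
        if len(hosts) != 1:
            errs.append(f"components {sorted(group)} not in a single partition")
    return errs

# Constructed sample: one high-criticality RT partition on cpu0, one GPOS partition on cpu1.
CRIT = {"ctrl": "high", "monitor": "high", "hmi": "low"}
PARTS = [Partition("P1", "high", 0, 0x40000000, 0x100000, frozenset({"ctrl", "monitor"})),
         Partition("P2", "low", 1, 0x40100000, 0x400000, frozenset({"hmi"}))]
PLAN = [Slot("P1", 0, 4000), Slot("P2", 0, 10000)]
GROUPS = [frozenset({"ctrl", "monitor"})]
```

Running `check_plan(PARTS, PLAN, 10000, CRIT, GROUPS)` on the sample returns no violations; adding an overlapping slot, an overlapping memory region or a component placed in a partition of another criticality each produces a specific message.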