In the project, supervised by Thales TRT, Altreonic ported and further developed VirtuosoNext Designer, providing as an industry’s first fine-grain space and time portioning. The latter enables non-stop hard real-time processing by recovering from runtime faults in microseconds on the selected Freescale T2080 platform.

Linden, BE – 15th June 2017. 

Altreonic NV is a technology driven SME with a focus on trustworthy embedded systems engineering. The company has developed an innovative methodology with supporting environments like GoedelWorks en VirtuosoNext Designer.  The latter has a long history going back 25 years. The current VirtuosoNext Designer is Altreonic’s fifth generation embedded RTOS. In 2005 the RTOS kernel was completely redeveloped using formal techniques resulting in a much smaller footprint.  It delivers substantial performance and productivity gains due to its extremely compact kernel size that can even fit in the on-chip caches. It also supports a modelling and code generation environment that makes parallel and concurrent programming easy to achieve. By generating code as a static image, it eliminates many of the runtime errors that can occur with a more traditional dynamic RTOS. Its packet switching architecture also reduces typical pointer errors providing extra robustness.

For mixed criticality systems however it is important that no fault can bring down the whole system. Many of such faults are trapped by the processor as execution exceptions, for example reading or writing to memory for which the task has no access rights, numerical exceptions like under or overflow, illegal instructions due to bit flips in the registers, etc. In normal cases, such faults will bring the application abruptly to a halt and often require a complete and time-consuming reboot. In many real-time systems, this is not a viable option. Just think about software driven cars, increasingly more autonomous, whereby a reaction time of less than one tenth of a second is needed to recover.

An established technique is to partition the application on the processor. In this approach often a hypervisor is used that fully isolates the applications from each other in memory (“space partitioning”) and in time (by assigning specific timeslots to each partition). Derived from the server domain, this approach is very good for virtualistion of applications with their underlying OS if the real-time requirements are modest. Such an approach also requires substantial amounts of memory. The isse issue remains that when an application fails, the partition requires a complete and time-consuming reboot.

In the NOFIST EuroCPS project Altreonic used a different approach much more suitable for hard real-time embedded applications. In VirtuosoNext, an application is typically composed of multiple but small concurrent tasks, each running in order of priority. The RTOS suite was extended to isolate each task in memory. Upon a fault, only the task is affected and not the whole application. A further extension was to automatically install abort handlers and allow a very fast recovery of the task. Should it be needed, the system’s state can be recovered from the last consistent data. On the Freescale T2080, an 8-core running at 1.8 GHz, this allows a recovery in a few microseconds with an under-limit of 2.6 microseconds.  In practice this means that such faults will go unnoticed providing non-stop capability. The application developer can  also increase the redundancy by having multiple copies of the tasks, eventually running on a different core. Common Mode Failures can further be mitigated by physical redundancy or diversity as VirtuosoNext provides for transparent programming support on heterogeneous targets.

Benchmarks and results

The fine-grain space partitioning implementation of VirtuosoNext is lightweight both in code size and in runtime impact. The code size of VirtuosoNext without Space Partitioning enabled was measured by building the same application using all available Services (compiled with Os).  The T2080 code size only moderately increases with 1280 bytes to 38504 bytes, which is a moderate increase. Note that the code sizes given include the runtime library of the compiler and the system initialisation.

The interrupt latency from IRQ to ISR exhibits a histogram with a spread between 286 and 793 nanoseconds without partitioning, which increases to 819 nanoseconds with partitioning enabled.

The minimal IRQ to task latency was measured at 2.158 microseconds without partitioning, increasing to 2.262 microseconds (partioning enabled). Under the stress test conditions, the worst case latency remained at 3.848 microseconds. This is in the some range as the recovery time for a failing task.

Thales TRT writes in the final report:

“The targeted product was quite early defined. It is mainly an evolution of the VirtuosoNext technology from Altreonic. The well-defined concept on which the technology is based also facilitated the definition of the solution.

The development done during the project permits to enlarge the business opportunities allowing to reach extended application domains with new features. All real-time applications can be targeted especially where dependability is necessary. The low footprint and time response efficiency of the solution are significant advantages with respect to other comparable solutions.

Thanks to its high level experience Altreonic was quite aware of the industrial constraints. The constraints proposed as a starting point for the project can be carried over to other application domains.”

About Altreonic

Altreonic specializes in trustworthy systems and software engineering, using a unified system engineering methodology. The latter is supported by GoedelWorks, an end-to-end systems engineering environment that supports qualification and certification during engineering activities. VirtuosoNext Designer is based on a formally developed network-centric RTOS kernel with supporting tools like Visual Designer for modeling and code generation and Event Tracer for a visual analysis of the application behavior. Altreonic has a long history of supporting customers in the aerospace and defense domains, typically under an “Open Technology License” agreement. The technology is also internally applied to the development of a light weight electric vehicle platform. For more information about Altreonic, visit http://www.altreonic.com.