Safety Architectures on Multicore Processors – Mastering the Time Domain
Embedded World Conference 2018

(Co-Author: Prof. Dr.-Ing. Peter Fromm)

A key element of building safe architectures is a strict separation of normal application code (also referred to as QM code) from safety function code, considering separation not only in the memory and peripheral domains but also in the time domain. Whereas hardware features like memory- or bus-protection units allow a comparatively simple protection of the memory domain, the supervision of the time domain is a lot more complex. Race conditions on multicore systems are far more likely and more complex than on a single-core system, as there is true parallel execution of code and more asynchronous architectural patterns. Most safety standards, such as IEC 61508 [1] and ISO 26262 [2], require:

  • Alive monitoring
  • Real-time monitoring
  • Control flow monitoring

In this paper we will describe a typical signal flow on a multicore safety system and, based on this architecture, introduce an innovative second-level monitoring layer which supervises the real-time constraints of the safety and functional monitoring functions. We will demonstrate the use of selected hardware features of the Infineon AURIX and the TLF watchdog chip together with the SafetyOS PxROS from the company HighTec, and show how they can be used in the context of a safety architecture. Furthermore, we will demonstrate the use of a combined watchdog / smart power module, which not only supports an emergency switch-off but also the control of multiple power domains and defined reboot sequences in case of system errors.

Paper - Safety Architectures on Multicore Processors – Mastering the Time Domain


A Monitoring Based Safety Architecture for Multicore Microcontrollers
Embedded World Conference 2017

(Co-Author: Prof. Dr.-Ing. Peter Fromm)

Separation in the data, resource and time domains is a big challenge on multicore microcontrollers as, depending on the architecture, resources like peripherals or memory are shared between the cores. In the resulting software architecture – which often becomes very complex and fragile – changes are hard to incorporate. Together with an industrial partner, an innovative runtime environment based on the ideas of Adaptive AUTOSAR has been developed and implemented on an AURIX TC29x multicore controller. It combines high performance with good usability and a strict separation of signals in the data and time domains. In order to ensure the integrity of signals, this concept has been extended by implementing a safety harness, which consists of four monitoring blocks supervising sensor data input, actuator output, logic function calculation and system health. The developed architecture supports clear traceability between safety requirements and monitoring code. The execution of safety functions is clearly separated from the application code. The structure of the monitoring logic is easily maintainable, including the definition of flexible escalation strategies in case of system errors.

Paper - A Monitoring Based Safety Architecture for Multicore Microcontrollers


Warp 3 between all Cores - Development of a fast and safe Multicore RTE
Embedded Software Engineering Congress 2016

(Co-Author: Prof. Dr.-Ing. Peter Fromm)

Due to their complexity, multicore microcontrollers bring with them particular challenges, such as inter-core communication and the protection of resources against unauthorized access.
In addition, the parameterization and use of ever more powerful and extensive peripherals is complex and places additional demands on the user.

In cooperation with an industrial partner, an innovative runtime environment was developed that combines high performance with good usability and enables a consistent separation of the runnables in both the memory and the time domain. As an extension of existing solutions such as the AUTOSAR Virtual Function Bus, the direct connection and scaling of peripheral signals and communication protocols is supported. This makes it possible, for example, to replace parts of the control unit with simulations and thereby support agile development processes such as continuous integration.

Paper - Warp 3 between all Cores
Presentation - Warp 3 between all Cores


Functional Safety on Multicore Microcontrollers for Industrial Applications
Embedded World Conference 2016

(Co-Author: Prof. Dr.-Ing. Peter Fromm)

Besides the gain in performance, a strong motivation for the introduction of multicore microcontrollers is the realization of safety architectures. Together with an industrial partner, it was investigated whether safety-critical applications which require PL d according to ISO 13849, and which until now have run on redundant discrete microcontrollers, can be replaced by an architecture running on a single AURIX multicore controller. In this paper, we compare a state-of-the-art multicore architecture with the traditional solution of using redundant controllers. The focus is on the question of how a safe separation of the cores, memories and peripherals can be achieved. Besides the separation in the data and resource domains, detection and escalation of errors are crucial components for achieving the required performance level. The investigations have been performed on an AURIX TC27x multicore microcontroller utilizing the safe RTOS PXROS-HR.

Paper - Functional Safety on Multicore Microcontrollers for Industrial Applications
Presentation - Functional Safety on Multicore Microcontrollers for Industrial Applications


Safety on all Cores
Embedded Software Engineering Congress 2015

(Author: Prof. Dr.-Ing. Peter Fromm, Co-Authors: Thomas Barth, Mario Cupelli)

Besides a performance gain, multi-core controllers also offer the possibility of realizing redundant applications on a single chip. However, since the physical coupling between the individual cores is considerably "tighter" than in discrete multi-controller solutions, special requirements are placed on the software architecture, the memory layout, the operating system and the driver layer.