
Using Generic Software Components for Safety-Critical Embedded Systems – An Engineering Framework

Felix Bräunling∗, Robert Hilbrich†, Simon Wegener‡, Isabella Stilkerich§ and Daniel Kästner‡

To cite this version: Felix Bräunling, Robert Hilbrich, Simon Wegener, Isabella Stilkerich, Daniel Kästner. Using Generic Software Components for Safety-Critical Embedded Systems – An Engineering Framework. 10th European Congress on Embedded Real Time Software and Systems (ERTS 2020), Jan 2020, Toulouse, France. hal-02479141
HAL Id: hal-02479141, https://hal.archives-ouvertes.fr/hal-02479141, submitted on 14 Feb 2020

∗ Felix Bräunling is with Method Park Engineering GmbH, Germany, [email protected]
† Robert Hilbrich is with Deutsches Zentrum für Luft- und Raumfahrt e.V. (DLR), Germany, [email protected]
‡ Simon Wegener and Daniel Kästner are with AbsInt Angewandte Informatik, Germany, {swegener, [email protected]
§ Isabella Stilkerich is with Schaeffler Technologies AG, Germany, [email protected]

Abstract

Modern software development in the automotive domain would be unthinkable without leveraging reusable software components. Such generic software components have to be configured and tailored for each specific target application. Nowadays, complexity has reached a point where developing generic software components and manually adapting each component for each variant in the product family is error-prone and no longer economically feasible. In this article we propose an engineering framework for the automated adaptation of generic software components which focuses on temporal and spatial integrity. The framework is built around a generic methodology and leverages specialized software tools to determine an allocation of software components to the resources of an embedded system and to ensure memory integrity. We use a quadcopter example, executed on the Infineon AURIX™ TC277 processor under the AUTOSAR operating system, to illustrate our approach.

1 Introduction

Safety-critical embedded systems represent a special class of computerized control systems. The interplay of their software and hardware parts realizes complex functions, such as engine control or vehicular guidance. Undetected errors in the implementation of a function may jeopardize human lives, hence the additional attribute safety-critical. Implementing the necessary software correctly, satisfying all safety requirements and maximizing hardware resource utilization in a cost-sensitive and competitive market poses a significant challenge for established software engineering methods and tools.

A recent example of the increasing capabilities of microcontrollers is embedded multicore processors containing multiple and possibly heterogeneous execution units. In order to tap their potential and maximize resource utilization, software components have to be tightly integrated and optimized specifically for each hardware platform. This optimization step is referred to as adaptation and is often conducted manually.

With more software components sharing the common resources of a microcontroller, ensuring their isolation against undesired interferences is essential in order to maintain the reliability and safety of the system. Therefore, the adaptation needs to ensure isolation between tightly integrated software components. This can be achieved by controlling access to both memory and CPU time, thereby supporting error containment.

1.1 Problem Statement

Software engineering for safety-critical embedded systems is currently conducted in a “per-project” fashion. Depending on the setup of the system architecture in different projects, it may be necessary to distribute software components across a network of microcontrollers or to run them on different microcontroller derivatives. Unfortunately, due to the complexity and the lack of proper engineering tools, software components are often developed specifically to match the requirements of a particular project. They are allocated manually to the resources in the system’s hardware architecture and adapted manually to make best use of the capabilities of the microcontrollers. Especially for safety-critical systems, ensuring an isolated execution of software components requires additional configuration and analysis steps which are specific to the microcontroller and thus often conducted manually as well.

While the “per-project” approach may be sufficient for a small number of projects, it still requires a lot of manual effort and reduces the reusability of software components. With more and more control functions in safety-critical devices being implemented in software, the need for reusability and adaptability for different hardware platforms increases, which renders the “per-project” approach no longer economically sustainable. The question arises how software components for safety-critical embedded systems can be developed in a generic and reusable way, so that they can be used in multiple projects, but without reducing resource utilization or jeopardizing their isolation properties and memory safety.

1.2 General Approach

The authors argue that the level of reusability can be significantly improved with a model-based development of generic software components in combination with an automated adaptation toolkit to handle project-specific hardware properties and safety requirements.

In general, software components are concerned with the implementation of specific features of the system. By using abstraction layers, they can be developed in a platform-agnostic manner and organized as a library of generic software components for later use in multiple projects. As a result of adopting a formalized and model-based development approach, these generic functions can be automatically tailored and adapted to the specific requirements of a project. In particular, this approach facilitates automated software deployment in combination with automated platform-specific code generation as well as automated configuration and validation of isolation properties. This “feature-based” software development is not entirely new [3, 5]. However, the authors believe that the state of practice and the capabilities of available tools for this purpose have not yet reached the level of maturity needed for the development of multi-platform safety-critical embedded systems.

1.3 Contribution

In this paper, the authors present the results of the development of an engineering framework aiding system architects and software engineers. Software for embedded systems relies on mature development tools in order to cope with complexity and to satisfy all (safety) requirements. Therefore, the framework combines and extends the tools ASSIST, Astrée and cAMP. By providing interoperability between these tools and enhancing them with new functionality, the framework is able to automate the integration and tailoring

2 Conceptual Overview

Figure 1 depicts the simplified workflow of our framework. It is based on the idea of a strictly top-down engineering approach combined with the correctness-by-construction methodology [8] and supports the engineer by automating the synthesis and validation of crucial engineering artifacts.

Based on a model of the functional architecture, the systems engineer creates a model of the envisioned system architecture. This model contains a selection of generic software components from a library and a project-specific hardware platform. The feasibility of the chosen hardware platform with respect to the technical and safety-related requirements of the particular project can be automatically validated by constructing a deployment for the selected software components (see Section 6). If a valid deployment cannot be found, either the hardware platform or the selection of software components needs to be modified. Then, sound semantic code analysis is applied to all software code to ensure sufficient isolation and memory protection, both of which are essential to ensure the correctness of the system (see Section 7). Finally, data and code of software components are automatically mapped to the isolation partitions of their microcontroller (see Section 8).

The essential parts of the framework are described in more detail in the next sections. However, this paper is not intended to provide a thorough and detailed description of each of the tools used in the framework. Instead it focuses on their contribution to an automated development process based on generic software components.

3 I4Copter

To illustrate our approach, we will use the I4Copter flight controller as an overarching example. The I4Copter is a research project developing a quadcopter as an example for hard real-time systems and control systems [37, 36]. While the quadcopter software was
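The deployment-validation step of Section 2 (construct an allocation of components to the platform's resources, or report that the platform or the component selection must change) can be made concrete with a small constraint search. The following Python is an added illustration, not code from the paper or from ASSIST; the components, core budgets and the "keep apart" isolation pair are constructed values, and the memory/CPU-time budgets and pairwise separation are assumed constraint kinds standing in for the paper's temporal and spatial integrity requirements.

```python
from collections import namedtuple
# Constructed example data, not taken from the paper: generic software components
# with resource demands (memory in KiB, CPU utilization in percent of one core) and
# cores with the corresponding budgets (assumed values, not the TC277's real figures).
Component = namedtuple("Component", "name mem_kib cpu_pct")
Core = namedtuple("Core", "name mem_kib cpu_pct")

def find_deployment(components, cores, separate=()):
    """Backtracking search for an allocation of components to cores. Assumed constraints:
    per-core memory and CPU-time budgets must hold, and every pair listed in `separate`
    must land on different cores. Returns {component: core} or None if infeasible."""
    order = sorted(components, key=lambda c: -(c.mem_kib + c.cpu_pct))  # hardest first
    mem_left = {c.name: c.mem_kib for c in cores}
    cpu_left = {c.name: c.cpu_pct for c in cores}
    alloc = {}

    def conflicts(comp, core):
        # True if a component that must be kept apart from `comp` already sits on `core`
        return any(alloc.get(b if a == comp.name else a) == core
                   for a, b in separate if comp.name in (a, b))

    def solve(i):
        if i == len(order):
            return True
        comp = order[i]
        for core in cores:
            fits = mem_left[core.name] >= comp.mem_kib and cpu_left[core.name] >= comp.cpu_pct
            if fits and not conflicts(comp, core.name):
                mem_left[core.name] -= comp.mem_kib
                cpu_left[core.name] -= comp.cpu_pct
                alloc[comp.name] = core.name
                if solve(i + 1):
                    return True
                del alloc[comp.name]  # backtrack and release the core's budget
                mem_left[core.name] += comp.mem_kib
                cpu_left[core.name] += comp.cpu_pct
        return False
    return dict(alloc) if solve(0) else None

# Constructed quadcopter-style sample; FlightControl and Telemetry must be kept apart.
CORES = [Core("core0", 64, 100), Core("core1", 64, 100), Core("core2", 32, 100)]
COMPONENTS = [Component("FlightControl", 40, 60), Component("SensorFusion", 30, 50),
              Component("Telemetry", 20, 30), Component("Watchdog", 8, 10)]
SEPARATE = [("FlightControl", "Telemetry")]

def demo():
    return find_deployment(COMPONENTS, CORES, SEPARATE)

def demo_infeasible():
    # Two 48 KiB cores cannot hold 98 KiB of components: platform or selection must change.
    return find_deployment(COMPONENTS, [Core("core0", 48, 100), Core("core1", 48, 100)], SEPARATE)
```

A real deployment synthesis would also carry the separation and budget results forward into the partition configuration and the later code analysis, which this sketch leaves out.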