Reducing certification costs of safety critical multi-processor architectures has become a key concern for many designers. One of the challenges unique to a multi-processor architecture is how to share data between the processors, especially when processors have different Safety Integrity Level (SIL) designs. The mixed criticality requires guarantees that the shared data used in higher SIL Safety Functions is correct, timely and can be trusted. However, the design must also be flexible, allowing for modifications and upgrades throughout the product’s life time.
Design of multi-processor communication systems can be time consuming and costly. It is not always possible to obtain accurate data relating to the characteristics of the physical communication layer, in many cases a black channel approach is required. Procuring safety certified communication stacks and middleware can be expensive.
Maintaining the system safety certification during modifications and upgrades can also be costly, especially where the shared communication channels form part of the safety case. The risk being that where communication channels are shared between processors of differing SIL’s, a relatively simple upgrade to a non-safety critical processor would require the complete system to be recertified.
Designing a high integrity yet flexible multi-processor communication system is complex, resource intensive and, if you don’t get it right, can significantly increase your cost of ownership over the product’s life time.
WITTENSTEIN high integrity systems solution is SAFEXchange, a fusion of a Data Distribution Service, to maintain flexibility and isolation between producers and consumers of data, and IEC 61784-3, to maintain integrity of the data items shared. Our approach is to protect the data shared, not the communication channel itself. This allows SAFEXchange to be used in conjunction with black channel communication mediums. SAFEXchange is supplied as an add-on plugin for OPENRTOS and SAFERTOS.
Data Distribution Service
Our Data Distribution Service is based on a Producer and Consumer model, where Producers publish data onto the network and Consumers can register to access the data. Producers and Consumers are completely decoupled from each other. Consumers are not aware of how or where the data is produced. The only information they share is a unique identifier for the stream of data items. New Producers and Consumers can be added to the system without affecting the safety case, providing the bandwidth of the black channel is adequate. The safety case is built around the Consumers of the data items. All Consumers are responsible for verifying the correctness and timeliness of the data items. If the integrity of the data items cannot be guaranteed, then an error will be passed to the application.
The integrity of the data is maintained during transmission by following the requirements defined within IEC 61784-3. Producers wrap data items with an additional protocol before passing the data packet onto the underlying communication stack. The Consumer uses this protocol to verify the integrity and timeliness of each data item. Each data item has a life time relative to the Consumer; this guards against data becoming stale. If a data item on a specific Consumer is not updated with verified data within its life time, the data item becomes stale and the application is notified.
SAFEXChange guards against Incorrect Addressing, Corruption, Delay, Repetition, Incorrect Sequence, Loss and Masquerade of messages as defined by IEC 61784-3.