Thales (Austria)
companyVienna, Austria
Research output, citation impact, and the most-cited recent papers from Thales (Austria). Aggregated across the NobleBlocks index of 300M+ scholarly works.
Top-cited papers from Thales (Austria)
The standard IEC 61499 claims to be a standard for a distributed control environment consisting of a set of heterogeneous control devices from different vendors. Previous work on the implementation of IEC 61499 pointed out ambiguities in the standard, resulting in different execution behavior of IEC 61499 elements on different control devices. One of the key deficiencies is the lack of a definition for execution models of the device, the resource, and the function blocks. This paper discusses different design and execution issues related to the aforementioned problems for IEC 61499 distributed automation and control systems.
Mixed-criticality systems have become mainstream in industry and research due to their potential to decrease size, weight, and power. Research institutions and industry often interpret the term 'mixed criticality' differently, so research approaches and solutions are hard to deploy to industry. This paper discusses the background, the current state of research and the industrial deployment of mixed-criticality systems from an industrial perspective. It presents the background of criticality, the safety and security processes, and some approaches for applying research results to real systems. The focus of this paper is partitioning, i.e. the separation of applications of different criticality, and its impact on performance along with possible optimizations.
This paper presents a way to convert existing IEC 61131-3 projects into the newer IEC 61499 standard, making its modern concepts available to projects written in the currently applied standard. Based on a model-driven development approach and a set of concepts and rules, an implementation method for transforming IEC 61131-3 into IEC 61499 is presented. The transformation process is realized in an engineering environment compliant with both IEC 61131-3 and IEC 61499, and an appropriate example model is provided by a convenient IEC 61131-3 development tool. After the transformation, an available IEC 61499 development tool is used to check the transformation outcome.
We consider discrete message passing (MP) decoding of low-density parity check (LDPC) codes based on information-optimal symmetric look-up tables (LUTs). A link between discrete message labels and the associated log-likelihood ratio values (defined in terms of density evolution distributions) is established. This link gives rise to an algebraic structure on the message labels and leads to an interpretation of LUT decoding as a form of quantized belief propagation. We then exploit the algebraic structure for low-complexity LUT decoder designs. Our LUT decoding framework is the first to also apply to irregular LDPC codes by taking into account the degree distribution in a joint LUT design. We exploit the relation between LUT decoding and belief propagation to obtain stability conditions and irregular LDPC code designs optimized for LUT decoding. The resulting decoders outperform floating-point precision min-sum decoders at LUT resolutions as low as 3 bits for regular codes and 4 bits for irregular codes.
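The abstract above describes messages as discrete labels that a per-node look-up table maps to an outgoing label, with a fixed reconstruction LLR attached to each label. The following is an added illustration of that structure on a Hamming(7,4) code, not code from the paper: the tables here are filled with the plain min-sum rule on the reconstructed values (the paper designs them from density evolution, which this example does not do), the 3-bit alphabet (labels -4..-1, 1..4), the quantizer thresholds, the reconstruction values and the received LLR vector are all constructed for the example.

```python
"""LUT decoding of a tiny LDPC-style code: every check and variable node
update is a table lookup on 3-bit message labels. Illustration only; the
table contents follow min-sum, not the information-optimal design in the paper."""
from itertools import product

# Assumed 3-bit symmetric alphabet: magnitude 1..4 with a sign, no zero label.
THRESHOLDS = (1.0, 2.0, 3.0)                 # assumed quantizer boundaries on |LLR|
RECON = {1: 0.5, 2: 1.5, 3: 2.5, 4: 4.0}     # assumed reconstruction |LLR| per magnitude
LABELS = [s * m for s in (-1, 1) for m in RECON]

# Hamming(7,4) parity-check matrix (3 checks, 7 bits); LLR > 0 means bit 0.
H_HAMMING = [
    [1, 1, 0, 1, 1, 0, 0],
    [1, 0, 1, 1, 0, 1, 0],
    [0, 1, 1, 1, 0, 0, 1],
]
CODEWORD = [1, 1, 0, 0, 0, 1, 1]                           # satisfies H_HAMMING
RX_LLRS = [0.5, -2.0, 2.0, 2.0, 2.0, -2.0, -2.0]          # constructed: bit 0 received wrong, low confidence


def quantize(llr):
    """Map a real LLR to a label: magnitude = 1 + number of thresholds passed."""
    mag = 1 + sum(1 for t in THRESHOLDS if abs(llr) >= t)
    return mag if llr >= 0 else -mag


def reconstruct(label):
    """Representative LLR of a label (symmetric in sign)."""
    return (1 if label > 0 else -1) * RECON[abs(label)]


def build_check_lut(n_in):
    """Check node table: tuple of n_in incoming labels -> outgoing label (min-sum on labels)."""
    lut = {}
    for labels in product(LABELS, repeat=n_in):
        sign = 1
        for lab in labels:
            sign *= -1 if lab < 0 else 1
        lut[labels] = sign * min(abs(lab) for lab in labels)
    return lut


def build_var_lut(n_in):
    """Variable node table: (channel label, n_in incoming labels) -> requantized sum."""
    return {labels: quantize(sum(reconstruct(lab) for lab in labels))
            for labels in product(LABELS, repeat=n_in + 1)}


def lut_decode(H, llrs, max_iter=10):
    """Flooding LUT decoder; returns (hard decision, iterations used)."""
    m, n = len(H), len(H[0])
    checks = [[j for j in range(n) if H[i][j]] for i in range(m)]
    variables = [[i for i in range(m) if H[i][j]] for j in range(n)]
    ch = [quantize(y) for y in llrs]
    c_lut = {d: build_check_lut(d - 1) for d in {len(c) for c in checks}}
    v_lut = {d: build_var_lut(d - 1) for d in {len(v) for v in variables}}
    v2c = {(j, i): ch[j] for j in range(n) for i in variables[j]}   # first pass: channel label only
    hard = [int(y < 0) for y in llrs]
    for it in range(1, max_iter + 1):
        c2v = {}
        for i, bits in enumerate(checks):
            for j in bits:
                others = tuple(v2c[(k, i)] for k in bits if k != j)
                c2v[(j, i)] = c_lut[len(bits)][others]
        hard = [int(reconstruct(ch[j]) + sum(reconstruct(c2v[(j, i)]) for i in variables[j]) < 0)
                for j in range(n)]
        if all(sum(hard[j] for j in bits) % 2 == 0 for bits in checks):
            return hard, it                                          # syndrome is zero: stop early
        for j in range(n):
            for i in variables[j]:
                others = tuple(c2v[(j, k)] for k in variables[j] if k != i)
                v2c[(j, i)] = v_lut[len(variables[j])][(ch[j],) + others]
    return hard, max_iter


if __name__ == "__main__":
    bits, iters = lut_decode(H_HAMMING, RX_LLRS)
    print("channel hard decision:", [int(y < 0) for y in RX_LLRS])
    print("LUT decoded:", bits, "after", iters, "iteration(s)")
```

Because quantization preserves the ordering of magnitudes, the min-sum check-node rule is exactly expressible as a table on labels; the variable-node table is where the requantization of the summed LLRs happens, which is the step the paper's joint LUT design optimizes.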
This paper explores virtualization technologies and cloud computing for migrating an existing real-time safety-critical railway use-case away from dedicated hardware solutions. Cloud computing is rapidly gaining popularity in many domains as it provides benefits such as higher availability, scalability, and efficient hardware resource utilization. We examine existing virtualization technologies for deploying a (private) Real-Time (RT) Cloud on COTS server hardware to run an existing railway use-case while meeting stringent safety and security requirements. We base our migration review on a comparison and relevant benchmarking of the KVM and Xen virtualization technologies against the specific railway requirements. Based on the insights gained, we provide suggestions for using existing virtualization technologies together with new RT-cloud components to safely and securely run the railway use-case applications.
This article presents a new formal approach to validation of on-the-fly modification of control software in automation systems. The concept of downtimeless system evolution (DSE) is introduced. The DSE is essentially based on the use of the IEC 61499 system architecture and on formal modeling and verification of the hardware and software of an automation device. The validation is performed by means of two complementary techniques: analytic calculations and formal verification by model-checking.
To cope with the need for flexibility of industrial applications, and other customer related requirements, functional control behavior is shifted from hardware to software. This leads to higher software complexity. Therefore, testing of industrial software is a key technique to ensure overall system quality. Based on an analysis of testing approaches in software engineering and requirements in industrial automation system design with IEC 61499 function blocks a new unit testing process is proposed. The implementation of a platform independent test framework for IEC 61499 function blocks shows the applicability of the proposed testing process with representative examples. The presented solution is the first test framework based on the test first development approach to increase the software quality for industrial automation systems.
Creating and implementing fault-tolerant distributed algorithms is a challenging task in highly safety-critical industries. Using formal methods supports design and development of complex algorithms. However, formal methods are often perceived as an unjustifiable overhead. This paper presents the experience and insights when using TLA+ and PlusCal to model and develop fault-tolerant and safety-critical modules for TAS Control Platform, a platform for railway control applications up to safety integrity level (SIL) 4. We show how formal methods helped us improve the correctness of the algorithms, improved development efficiency and how part of the gap between model and implementation has been closed by translation to C code. Additionally, we describe how we gained trust in the formal model and tools by following a specific design process called property-driven design, which also implicitly addresses software quality metrics such as code coverage metrics.
This paper provides a possibility for a semantically correct transformation of existing IEC 61131-3 projects into the newer IEC 61499 standard. Based on a model-driven development approach as well as proper concepts and rules, this paper describes a suitable way to overcome some semantic problems which occurred during the transformation process. Those problems concern differences between the libraries of IEC 61131-3 and IEC 61499 as well as the extraction of the actual execution sequence of IEC 61131-3 programs. Both issues are solved by auxiliary transformations: one static transformation which converts IEC 61131-3 function blocks into simple function blocks, and one project-dependent transformation which extracts the execution order of IEC 61131-3 function block networks.
Safety-critical systems and in particular mixed-criticality systems require spatial and temporal separation for their hosted applications and functionalities. Additional constraints are the use of Commercial Off-The-Shelf (COTS) components, portability and determinism. These items are required for economic success for products with low piece numbers and long life-cycles like aircraft. Available embedded processors lack means for spatial separation of Input/Output (I/O) components like an Input/Output Memory Management Unit (IOMMU). The objective of this paper is to provide spatial separation for I/O in COTS mixed-criticality embedded real-time systems like avionics with the minimum possible impact on performance (transfer time, transfer rate, Central Processing Unit (CPU) usage). The three main contributions of this paper are: (1) The presented Input/Output Memory Protection Unit (IOMPU) makes it possible to add spatial separation for I/O to a system using COTS components and Non-Transparent Bridge (NTB) technology. In addition, the IOMPU concept is compatible with existing temporal separation solutions. (2) The paper shows a prototype implementation and a potential use case in the context of hardware-based I/O virtualization. (3) The evaluation in this paper demonstrates that the IOMPU concept is practically applicable. The performance overhead (transfer time, transfer rate) is below 0.88%, which is almost negligible, particularly compared to state-of-the-art software-based solutions.
Tissue hypoxia contributes to the pathogenesis of several acute and chronic diseases. Hyperbaric oxygen therapy (HBO) and whole-body warming using low-temperature infrared technology (LIT) are techniques that might improve hypoxemia. Combining HBO and LIT as hyperbaric oxygen therapy combined with low-temperature infrared radiation (HBOIR) might be an approach that results in positive synergistic effects on oxygenation. LIT increases blood flow and could reduce HBO-induced vasoconstriction, and hyperoxia could compensate for the increased metabolic oxygen requirements mediated by LIT. Both LIT and HBO increase the oxygen diffusion distance in the tissues. HBOIR at 0.5 bar has been shown to be safe and feasible. However, physiological responses and the safety of HBOIR at an increased oxygen (O2) partial pressure of 1.4 bar or 2.4 atmospheres absolute (ATA) still need to be determined. The hope is that should HBOIR at an increased oxygen partial pressure of 1.4 bar be safe, future studies to examine its efficacy in patients with clinical conditions, which include peripheral arterial disease (PAD) or wound healing disorders, will follow. The results of pilot studies have shown that HBOIR at an overload pressure is safe and well tolerated in healthy participants but can generate moderate cardiovascular changes and an increase in body temperature. From the findings of this pilot study, due to its potential synergistic effects, HBOIR could be a promising tool for the treatment of human diseases associated with hypoxemia.
Safety cases are the development foundation for safety-critical systems and are often quite complex to understand depending on the size of the system and its operational conditions. The recent advent of security aspects complicates the issues further. This paper describes an approach to analysing safety and security in a structured way and creating security-informed safety cases that provide a justification of safety taking into particular consideration the impact of security. The paper includes an overview of the structured assurance case concept, a security-informed safety methodology and a layered approach to constructing cases. The approach is applied to a Security Gateway that is used to control data flow between security domains in a separation kernel based operating system in an avionics environment. We show that a clear and structured way of presenting a safety case combining safety and security facilitates understanding of important interactions and their impact and, hence, increases safety.
The paper describes a layered approach to analysing safety and security in a structured way and creating a security-informed safety case. The approach is applied to a case study - a Security Gateway controlling data flow between two different security domains implemented with a separation kernel based operating system in an avionics environment. We discuss some findings from the case study, show how the approach identifies and ameliorates important interactions between safety and security and supports the development of complex assurance case structures.
The behavior of software is often governed by a large set of configuration settings, distributed over several stacks in the software system. These settings are often manifested as plain text files that exhibit different formats and syntax. Configuration management systems are introduced to manage the complexity of provisioning and distributing configuration in large-scale software. Globally patching configuration settings in these systems requires, however, text manipulation or external templating mechanisms, which paradoxically lead to increased complexity and, eventually, to misconfigurations. These issues manifest as crashes or bugs that are often only discovered at runtime. We introduce a framework called Elektra, which integrates a centralized configuration space into configuration management systems to avoid syntax errors and avert the overriding of default values, and thereby increase developer productivity. Elektra enables mounting different configuration files into a common, globally shared data structure to abstract away the intricate details of file formats and configuration syntax and introduce a unified way to specify and patch configuration settings as key/value pairs. In this work, we integrate Elektra into the configuration management tool Puppet. Additionally, we present a user study with 14 developers showing that Elektra enables significant productivity improvements over existing configuration management concepts. Our study participants performed significantly faster using Elektra in solving three representative scenarios that involve configuration manipulation, compared to other general-purpose configuration manipulation methods.
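The idea in the abstract above, mounting files of different syntax into one key/value space and patching settings by key instead of by text substitution, is sketched here as an added illustration. This is not Elektra's code or API (libelektra's interface differs); the two mini-formats, the mount points under /sw, the sample file contents and the per-key type checks and defaults are all constructed for the example.

```python
"""Key/value view over heterogeneous config files: each file is mounted under a
prefix, settings are read and patched by key, and the file's own serializer
writes it back so the syntax cannot be broken. Illustration, not Elektra itself."""
import re

INI_TEXT = "[server]\nport = 8080\ntls = true\n"          # constructed sample file
KV_TEXT = "PermitRootLogin yes\n"                         # constructed sample, sshd_config style


def parse_ini(text):
    """INI into an ordered dict keyed 'section/name'."""
    kv, section = {}, ""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1)
            continue
        name, _, value = line.partition("=")
        kv[f"{section}/{name.strip()}"] = value.strip()
    return kv


def render_ini(kv):
    out, current = [], None
    for path, value in kv.items():
        section, _, name = path.rpartition("/")
        if section != current:
            out.append(f"[{section}]")
            current = section
        out.append(f"{name} = {value}")
    return "\n".join(out) + "\n"


def parse_kv(text):
    """'Name value' lines (sshd_config style) into an ordered dict."""
    kv = {}
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            name, _, value = line.strip().partition(" ")
            kv[name] = value.strip()
    return kv


def render_kv(kv):
    return "".join(f"{name} {value}\n" for name, value in kv.items())


BACKENDS = {"ini": (parse_ini, render_ini), "kv": (parse_kv, render_kv)}

# Assumed specification per key: (validator, default). A value that fails the
# validator is rejected at patch time instead of surfacing as a runtime failure.
SPEC = {
    "/sw/app/server/port": (lambda v: 1 <= int(v) <= 65535, "8080"),
    "/sw/app/server/tls": (lambda v: v in ("true", "false"), "true"),
    "/sw/sshd/PermitRootLogin": (lambda v: v in ("yes", "no", "prohibit-password"), "prohibit-password"),
    "/sw/sshd/MaxAuthTries": (lambda v: 1 <= int(v) <= 10, "6"),
}


class ConfigSpace:
    def __init__(self):
        self.mounts = {}            # mount prefix -> (format, parsed key/value dict)

    def mount(self, prefix, fmt, text):
        parse, _ = BACKENDS[fmt]
        self.mounts[prefix] = (fmt, parse(text))

    def _locate(self, key):
        for prefix, (_, kv) in self.mounts.items():
            if key.startswith(prefix + "/"):
                return kv, key[len(prefix) + 1:]
        raise KeyError(f"no mount point covers {key}")

    def get(self, key):
        """Value from the file, or the spec default when the file does not set it."""
        kv, rel = self._locate(key)
        return kv.get(rel, SPEC[key][1] if key in SPEC else None)

    def set(self, key, value):
        kv, rel = self._locate(key)
        if key in SPEC:
            try:
                ok = SPEC[key][0](value)
            except ValueError:      # e.g. int("abc") for a numeric key
                ok = False
            if not ok:
                raise ValueError(f"{key}: invalid value {value!r}")
        kv[rel] = value

    def rejects(self, key, value):
        """True if set() refuses the value; used to show validation without exceptions."""
        try:
            self.set(key, value)
        except ValueError:
            return True
        return False

    def render(self, prefix):
        fmt, kv = self.mounts[prefix]
        return BACKENDS[fmt][1](kv)


def build_space():
    space = ConfigSpace()
    space.mount("/sw/app", "ini", INI_TEXT)
    space.mount("/sw/sshd", "kv", KV_TEXT)
    return space
```

A key that is absent from the mounted file resolves to its spec default rather than to nothing, and patching a key never touches lines belonging to other keys, which is what a regex over the raw text cannot guarantee.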
In this work, we present an initial step towards enabling time-triggered (TT) scheduling on a real COTS multicore platform, the P4080. It takes into account inter-core interference in the on-chip network and the memory sub-system. We propose an approach comprising a runtime mechanism and an offline phase. For the runtime mechanism, we propose two servers running on each core: a processing time server and a memory access server, implemented using built-in hardware monitors. Jointly, the two servers on each core enforce slot-level, offline-computed server budget reservations, thereby limiting the maximum inter-core interference introduced and experienced by each task under different inter-core interference latencies. In the offline phase, we propose a procedure that can be used by any offline scheduler to compute the bound on the variability in execution time of each task while allowing different slot-level memory access server budget reservations. We also did a preliminary bare-metal implementation of our proposed runtime mechanism on a real COTS multicore platform, the P4080. Overall, our proposed method facilitates the integration of COTS multicore platforms in TT systems while maintaining features of the TT architecture such as slot-level determinism and clock synchronization.
This paper presents the results of evaluations on the redistribution of internal forces from the span to the support area using nonlinear finite element calculations. The motivation is the integralization of bridges, particularly the reconstruction of single-span beams arranged in a row into a continuous beam system. When integralizing a bridge, it can be assumed that the existing bridge was designed according to standards which are no longer valid. If the integralized bridge is loaded and designed according to the new standard, the problem may be that the existing structure has insufficient reinforcement. For single-span bridges, the flexural reinforcement in the span may be considered critical. The degree of reinforcement in the support area can then be adjusted individually, which offers the possibility of transferring internal forces from the span to the support area if they cannot be fully absorbed by the existing reinforcement.
In the focus of the certMILS project are cyber physical systems (CPS). These combine physical and software elements and, with the advances of industry, such automated solutions increasingly take over critical tasks in all areas of our society. Smart grids, safety-critical transport systems and in general industrial control systems: CPS can take on many faces but are commonly characterized by their complexity. CPS are composed of specialized parts and COTS elements, typically by different parties. Due to the criticality of CPS, there is a high need for assurance in the correct (safe and secure) operation of the entire system and, consequently, they are often subject to regulations. That is, the components and/or complete systems must be certified according to standards applicable to the respective sector. For instance, the IEC 62443 series of standards deals with complete industrial automation and control systems, the ISO 27000 series with information security management systems (processes), and the Common Criteria (CC) with subsystems of IT products. Even though these different frameworks share some common principles, a diversity of approaches prevails that is not always easily reconciled. The present report provides an overview of the various standards applicable to different critical applications. It points out that the regulatory situation is sometimes unsatisfactorily incomplete or conflicting where different standards apply. A prerequisite for certification according to any standard is a successful evaluation according to its principles. The rigor of such evaluations will normally increase with the criticality of the application, but is in practice eventually a trade-off between assurance needs and economic feasibility. A common theme of security evaluations of CPS is therefore the desire to derive assurance for composed systems from that established for their components (subsystems).
The objective here is that the results of a component's evaluation can be reused to render the evaluation of complex systems economically feasible, or possible at all. In particular, their evaluation/certification would not need to be repeated from scratch if one or more system components are changed. To this end, one of the relevant and broadly applied industry standards, the CC, knows the concept of compositional evaluation. However, despite the rather generic formulation of this CC aspect, and the promise that it holds, it has hardly found application. The issues that hinder its success are described by the present document, as well as an alternative method, intended for smart cards and similar applications, that received more attention but likewise suffers from shortcomings. In summary, the benefit of the CC compositional evaluation approach is minor for low assurance evaluations. Very high assurance cannot be gained as the approach foresees only a limited transfer of design documentation, because component developers will not always easily share these secrets. MILS systems, which lend their name to this project, arose from the requirement to gain assurance in the security properties of computers. They feature a layered structure in which security-critical functions are concentrated in a part, called the separation kernel, which is intentionally small enough to permit evaluation with great rigour. In applications such as CPS, these layers are always combined with other elements, such as the hardware platform or software running on top of the separation kernel. At first glance, MILS systems seem to lend themselves to compositional evaluation, as they are well structured and characterized by strong security policies. However, the various conceivable applications of compositional evaluation suggested by MILS applications still pose challenges for the existing methods if high assurance is required.
It is the purpose of the present report to describe the different approaches and what they have to offer for this type of system.
We describe compositional architectures and certifications in the research project certMILS. Compositional architectures enable re-use of certified COTS (commercial off-the-shelf) components with a well-defined delegation of responsibilities between component developers and system integrators during cyber physical system design and certification. We show how we used a Common Criteria certified MILS (Multiple Independent Levels of Safety / Security) platform for compositional designs and IEC 62443-4-1/62443-4-2 security evaluations and certifications for composed systems from the domains of smart grid, railway, and subway, that are safety- and security-critical.
This deliverable summarizes consortium experience and expectations for a number of tools that can support high-assurance development for embedded systems.