D. Powell, J. Arlat, L. Beus-Dukic, A. Wellings, A. Bondavalli, and F. Di Giandomenico. Ultra-dependable and real-time systems: The GUARDS approach. In 3rd CABERNET Plenary Workshop, IRISA, Campus de Beaulieu, Rennes, France, April 16-18 1997.

Ultra-Dependable and Real-Time Systems: The GUARDS Approach

Powell, D. and Arlat, J. and Beus-Dukic, L. and Wellings, A. and Bondavalli, A. and Di Giandomenico, F.


Most ultra-dependable real-time computing architectures developed in the past have been specialised to meet the particular requirements of the application domain for which they were targeted. This specialisation has led to very costly, inflexible, and often hardware-intensive solutions that, by the time they are developed, validated and certified for use in the field, can already be out-of-date in terms of their underlying hardware and software technology. This problem is exacerbated in some application domains since the systems in which the real-time architecture is embedded may be deployed for several decades, i.e., almost an order of magnitude longer than the typical lifespan of a generation of computing technology.

A consortium of European companies and academic partners has recently been set up to design and develop a Generic Upgradable Architecture for Real-time Dependable Systems (GUARDS ), together with an associated development and validation environment. The end-user companies in the consortium all currently deploy ultra-dependable real-time embedded computers in their systems, but with very different requirements and constraints resulting from the diversity of their application domains: nuclear submarine, railway and space systems. The overall aim of the GUARDS project is to significantly decrease the lifecycle costs of such embedded systems. The intent is to be able to configure instances of the GUARDS generic architecture that can be shown to meet the very diverse requirements of these (and other) critical real-time application domains.

To minimise cost and to maximise flexibility, the architecture favours the use of commercial off-the-shelf (COTS) hardware and software components, with application-transparent fault-tolerance implemented primarily by software. The architecture aims to be tolerant of permanent and temporary, internal and external, physical faults and should provide confinement or tolerance of software design faults. A three-pronged approach is being followed to reduce the cost of validation and certification of instances of the architecture: design for validation so as to focus validation obligations on a minimum set of critical components; re-use of already-validated components in different instances; and the support of system and application components of different criticalities.

Drawing on experience from systems such as SIFT [Melliar-Smith & Schwartz 1982], MAFT [Kieckhafer et al. 1988], FTPP [Harper & Lala 1990] and Delta-4 [Powell 1994], the generic architecture is currently defined along three axes [Powell 1997]:

o the channel axis: channels provide the primary hardware fault containment regions; it should be possible to configure instances of the architecture with 1 to 4 channels;

o the intra-channel or multiplicity axis: multiple resources can be provided in each channel either for increased performance and/or for use as secondary fault containment regions;

o the integrity axis: spatial and temporal firewalls will be implemented to enforce a Biba-like integrity policy [Biba 1977] to protect critical components from residual design faults in less-critical components.

As stated previously, the GUARDS architecture favours the use of commercial off-the-shelf components. However, some parts of the architecture must necessarily be purpose-designed:

o the inter-channel communication network, needed to ensure inter-channel synchronisation and interactive consistency;

o the output data consolidation system, needed to combine redundant logical outputs into error-free physical effects in the controlled process;

o the basic operating system services for fault-tolerance, firewalling and real-time scheduling of replicated computation.

To comply with the basic GUARDS requirements of genericity and upgradability, the latter operating system services will be developed using a server-based operating system based on micro-kernel technology.


Development of Generic Architectures for Fault Tolerant Real Time Systems

BibTeX Entry

 author = {Powell, D. and Arlat, J. and Beus-Dukic, L. and Wellings, A. and Bondavalli, A. and Di Giandomenico, F.},
 title = {Ultra-Dependable and Real-Time Systems: The {GUARDS} Approach},
 booktitle = {3rd CABERNET Plenary Workshop},
 address = {IRISA, Campus de Beaulieu, Rennes, France},
 month = {April 16-18},
 year = {1997}}

Corresponding Author
email: email-img

Server START WebServer Manager
Update Time 26 Jan 2018 at 01:16:26
Maintainer notify-email-img
Dependable Computing Research Lab
Dependable Computing Research Lab
Start Conference Manager
Conference Systems