The transition from conventional federated architectures to integrated architectures enables the integration of functionalities with different criticality concerning safety, security and real-time behaviour on a single embedded computing platform. The trend towards multi-core and many-core architectures has further contributed to this tendency, providing benefits regarding cost, size and weight. Multi-core architectures are designed to offer the maximum average performance at the cost of increased complexity and interference. Partitioning solutions such as hypervisors (e.g., XtratuM, PikeOS) are commonly used to tackle the challenges related to these architectures. They limit the impact of changes and faults to reduced areas of the system, also called partitions, enabling reusability and reducing complexity. Partitions can be designed, developed and certified individually with different levels of criticality (e.g., Safety Integrity Level (SIL) 1 to 4 according to IEC 61508). However, although partitioned multi-core architectures provide the benefits mentioned before, they imply many certification challenges, such as the assessment of temporal independence, which lead to a significant increase in engineering and certification cost. Furthermore, an embedded system may require distributed subsystems connected by communication networks (such as EtherCAT) to satisfy the computational resource demands, ensure fault tolerance and satisfy the installation requirements. The broad trend towards the integration of functionalities with different criticality on a single embedded computing platform involves the implementation of safe and predictable communication systems with temporal segregation between different criticality levels. Therefore, communication networks represent certification challenges such as guaranteeing non-interference between safety-critical and non-safety-critical communications.
This dissertation presents the modular safety concepts for an IEC 61508 compliant generic hypervisor, partition, commercial-off-the-shelf (COTS) multi-core device and mixed-criticality network. A modular safety case (MSC) defines the safety-related arguments and evidence that a system must fulfil in order to be compliant with a safety standard. The MSCs defined throughout this thesis have been assessed by a certification body within the context of the European research project DREAMS. In addition, this dissertation defines the linking analysis for commercial technologies such as the XtratuM hypervisor, the Zynq-7000 multi-core device and the TTEthernet and EtherCAT networks. A linking analysis describes the way in which a commercial system fulfils the safety-related requirements identified in the generic modular safety cases.
As a result of the definition of the modular safety cases and the associated analysis of the IEC 61508 safety standard, the notable components that pose challenges in the development and certification of today's mixed-criticality embedded computing platforms have been identified. In addition, it is found that the measures and diagnostic techniques recommended by the IEC 61508 safety standard are mostly geared to single-core architectures, where a resource cannot be shared among more than one component. These measures and diagnostic techniques are not at all applicable to today's mixed-criticality systems, where sharing a resource among more than one component is common practice. For example, in multi-core architectures a memory area can be accessed simultaneously by more than one component (e.g., CPUs), leading to interference that may jeopardise the safety of the system. To address these challenges, the dissertation presents several generic cross-domain patterns for commonly occurring problems in the development of mixed-criticality systems. These patterns are analysed, defined and implemented in a wind turbine case study based on the DREAMS architecture style. This case study provides a realistic system scenario in which the solutions generated in this dissertation are integrated and evaluated.