



"This project has received funding from the European Union's Horizon 2020 research and innovation programme under grant agreement No 644080."



# SAFURE

SAFety and secURity by dEsign for interconnected mixed-critical cyber-physical systems

## METRICS: a Measurement Environment for Time Critical Systems

*Sylvain Girbal, Thales Research & Technology  
HiPEAC 18, Manchester, 22<sup>nd</sup>-24<sup>th</sup> January 2018*

# Safety-Critical & Time-Critical Context

## Performance Requirements

- Exponential increase of performance requirements
- Unsustainable with classical single-core embedded solutions
- Multi-core architectures → promising candidate with regard to Size, Weight and Power (SWaP)
- Multi-core architectures are oriented toward the consumer electronics market

## Compliance with regulation standards → Certification

- **Spatial partitioning:** No application or task should be able to access / **alter** the **data** of another application or task.
- **Time partitioning:** No application or task should be able to **delay** another application or task.



How to ensure a sufficient level of **time determinism** with multi-core COTS architectures?

# Target Architecture & Environment

## PikeOS RTOS from SYSGO AG

- Real-Time Operating System
- Separation Micro-Kernel
- Partitioned Environment
- Virtualization

## ARM Juno BOARD

- A high-performance dual-core out-of-order ARM-v8 Cortex A72 core cluster
- A more predictable quad-core in-order ARM-v8 Cortex A53 core cluster
- Multi-core COTS, not specifically designed for real-time systems, with a large set of **shared hardware resources**



# The Challenge of Timing Interferences

## Using multi-core COTS in Safety Critical Systems

- Successfully faces the exponential increase of performance requirements
- But focuses on **best-effort** performance, not on **worst-case** performance

## The problem: inter-core timing interferences

- Multi-core → shared hardware resources
- Concurrent accesses to these resources involve **arbitration mechanisms** at the hardware level
- Hardware contention introduces unpredictable **timing interference**, appearing as extra time delays
- Breaking the **time isolation** principles



How to measure **timing interferences** in real systems?  
Can we **correlate** with **hardware resource** accesses?

# METRICS: a Measurement Environment for Time Critical Systems

## Features

- Running on top of the PikeOS RTOS
- Providing accurate measurement of timing and hardware resource accesses
- Relying on the hardware time base & performance monitor counters
- Minimizing timing intrusiveness
- Ability to observe timing interference

## Software Architecture

- Driver
- Library
- Collector
- SHM
- Instrumented Syscalls



# Driving Example: Drone Swarm Application

## Description

- Control-command application guiding a set of 4 quadcopters along a pre-set track

## Software Architecture

- Route Generator
- Drone Control (x4)
  - Kinematic model of a drone
  - Controlling velocity and heading
  - Dynamic model controlling DC motors
- Display



How is this particular deployment sensitive to **timing interferences**?

# Collecting raw performance data with METRICS

```
[ 29.910] x[m]:y[m]:theta[deg] 166: 10: 17 150: 9: -27 124: 12: 47 88: 27: -57
[ 30.110] x[m]:y[m]:theta[deg] 168: 10: 17 151: 8: -27 125: 14: 47 89: 25: -57
[ 30.310] x[m]:y[m]:theta[deg] 170: 11: 17 153: 7: -27 126: 15: 47 91: 23: -57
[ 30.510] x[m]:y[m]:theta[deg] 171: 11: 17 155: 6: -27 128: 17: 47 92: 22: -57
[ 30.710] x[m]:y[m]:theta[deg] 173: 12: 0 157: 6: 7 129: 18: 47 93: 20: -57
[ 30.910] x[m]:y[m]:theta[deg] 175: 11: -11 159: 7: 30 130: 20: 47 94: 18: -57
[ 31.110] x[m]:y[m]:theta[deg] 177: 11: -13 160: 8: 35 132: 21: 47 95: 17: -57
[ 31.310] x[m]:y[m]:theta[deg] 179: 10: -13 162: 9: 33 133: 22: 47 96: 15: -57
[ 31.510] x[m]:y[m]:theta[deg] 181: 10: -12 164: 10: 32 135: 24: 47 97: 13: -57
[ 31.710] x[m]:y[m]:theta[deg] 183: 10: -12 166: 11: 32 136: 25: 47 98: 12: -57
[ 31.910] x[m]:y[m]:theta[deg] 185: 9: -12 167: 12: 32 137: 27: 47 99: 10: -57
[ 32.110] x[m]:y[m]:theta[deg] 187: 9: -12 169: 13: 32 139: 28: 47 100: 8: -57
[ 32.310] x[m]:y[m]:theta[deg] 189: 8: -12 171: 14: 32 140: 30: 47 101: 7: -57
[ 32.510] x[m]:y[m]:theta[deg] 191: 8: -12 172: 15: 32 141: 31: 47 102: 5: -57
[ 32.710] x[m]:y[m]:theta[deg] 193: 8: 5 174: 16: 32 143: 32: -1 104: 4: 3
MONITORING collector Data dump triggered!
SCHED_BOOT collector back to booting mode
SCHED_BOOT collector Will send data through muxa:metrics.
SCHED_BOOT collector Communication use handshake mechanisms
SCHED_BOOT collector CORE 0: total=21866, saved=300. Sending data...!CORE=0,total=21866,count=300
0x09f03004;0;0x8500000f;69039666030;0;0;0;1537687018;2897053611;1586778003;479058620;121503542;121558541;19650
0x09f03005;0;0x03080060;68680555863;0;0;0;1521422842;2537943443;1569990818;474014535;120273458;120327886;19651
0x09f03005;0;0x83080060;69039673430;0;0;0;1537690220;2897061014;1586781289;479059884;121504101;121559103;19652
0x09f03005;0;0x05000010;69039674186;0;0;0;1537690493;2897061766;1586781566;479060031;121504125;121559127;19653
0x09f03005;0;0x05000013;69039674768;0;0;0;1537690647;2897062348;1586781722;479060119;121504141;121559143;19654
0x09f03005;0;0x85000013;69039674926;0;0;0;1537690801;2897062506;1586781878;479060204;121504157;121559159;19655
0x09f03005;0;0x05000013;69039675078;0;0;0;1537690955;2897062658;1586782034;479060289;121504173;121559175;19656
0x09f03005;0;0x85000013;69039675238;0;0;0;1537691111;2897062818;1586782190;479060374;121504189;121559191;19657
0x09f03005;0;0x03030009;69039675389;0;40000;40000000;1537691254;2897062969;1586782336;479060456;121504204;121559206;19658
0x09f03005;0;0x83030009;69039769034;0;40000;40000000;1537719742;2897156615;1586810837;479080697;121506858;121561870;19659
0x09f03005;0;0x03030002;69040490614;40000;0;0;1538040455;2897878199;1587151555;479190889;121516925;121571945;19660
0x09f03005;0;0x83030002;69040523053;40000;0;0;1538069134;2897910633;1587180246;479211195;121519607;121574637;19661
0x09f03005;0;0x85000010;69040523415;0;0;0;1538069404;2897910996;1587180522;479211338;121519631;121574661;19662
0x09f03006;0;0x03080060;68681383401;0;0;0;1521805252;2538770981;1570393362;474167312;120289562;120344018;19663
0x09f03006;0;0x83080050;69040531729;0;0;0;1538072588;2897919313;1587183789;479212614;121520202;121575234;19664
0x09f03006;0;0x05000011;69040532646;0;0;0;1538072861;2897920226;1587184066;479212761;121520226;121575258;19665
0x09f03006;0;0x05000013;69040533063;0;0;0;1538073015;2897920643;1587184222;479212849;121520242;121575274;19666
0x09f03006;0;0x85000013;69040533222;0;0;0;1538073169;2897920802;1587184378;479212934;121520258;121575290;19667
0x09f03006;0;0x05000013;69040533375;0;0;0;1538073323;2897920955;1587184534;479213019;121520274;121575306;19668
R   : xxxx-xxxxxxxxx - 30/07/2017
Thales Research & Technology France
Template trp version 8.0.2 / template : 87211168-GRP-EN-003
OPEN
```

# Configurations & METRICS Automation

| Parameter                         | Options                                         | Count          |
|-----------------------------------|-------------------------------------------------|----------------|
| Application deployments           | Single-core, AMP, SMP, Hybrid                   | 4              |
| Buffer size                       | Fitting in L1, Fitting in L2, Not Fitting       | 3              |
| Cache Policies                    | Flushing / Not Flushing between time partitions | 2              |
| <b>Hardware Counter Selection</b> | 6 selected among 41 pre-selected                | $C_{41}^{6}$   |
| <b>Number of runs</b>             | For statistical significance                    | 1000           |
| <b>TOTAL RUNS</b>                 |                                                 | 108 Billion    |

- Need to **reduce the Design Space**
- **Automation** necessary
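
Where the total comes from (a derivation added here, not on the original slides), reading the counter-selection entry as the number of ways to choose 6 counters among 41:

$$
4 \times 3 \times 2 \times \binom{41}{6} \times 1000 = 24 \times 4\,496\,388 \times 1000 = 107\,913\,312\,000 \approx 108 \times 10^{9}
$$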

## Studying correlation between counters

- More than 100GB of raw data
- Around 14 days of runtime
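
An added example (not part of the original slides or of METRICS) showing how counter correlation can shrink the counter set: it ranks counters by correlation with execution time, then drops counters that are constant or near-collinear with one already kept. The counter names, the values and the 0.95 threshold are assumptions; the slides do not state the selection rule used.

```python
from math import sqrt

# Constructed sample: one entry per run of the same task. Counter names and
# values are illustrative, not METRICS output.
RUNS = {
    "time_ns":      [100, 110, 125, 140, 150, 170, 185, 200],
    "bus_access":   [10, 12, 15, 18, 20, 24, 27, 30],
    "l2_refill":    [20, 25, 30, 35, 41, 48, 53, 61],
    "inst_retired": [500, 498, 503, 499, 501, 497, 502, 500],
    "l1i_refill":   [7, 7, 7, 7, 7, 7, 7, 7],
}

def pearson(xs, ys):
    """Pearson r; 0.0 when either series is constant (no variance)."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        return 0.0
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return sxy / sqrt(sxx * syy)

def rank_by_timing(runs, target="time_ns"):
    """Counters sorted by |r| against execution time (timing-vs-access view)."""
    scores = {c: pearson(v, runs[target]) for c, v in runs.items() if c != target}
    return sorted(scores.items(), key=lambda kv: abs(kv[1]), reverse=True)

def prune_redundant(runs, threshold=0.95, target="time_ns"):
    """Access-vs-access view: keep a counter only if it varies across runs and
    is not near-collinear with a counter already kept (assumed rule)."""
    kept = []
    for name, _ in rank_by_timing(runs, target):
        series = runs[name]
        if len(set(series)) == 1:
            continue  # constant across runs: carries no information
        if all(abs(pearson(series, runs[k])) < threshold for k in kept):
            kept.append(name)
    return kept

if __name__ == "__main__":
    for name, r in rank_by_timing(RUNS):
        print(f"{name:13s} r={r:+.3f}")
    print("kept:", prune_redundant(RUNS))
```

Each counter dropped this way removes one candidate from the "6 among 41" selection, which is where the combinatorial term of the design space shrinks.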



# Rendering performance data collected with METRICS



# Timing Histograms



# Resource access histograms & Timing VS access correlograms



# Access VS access correlograms





# Rendering system call: repartition and distribution



# METRICS: a Measurement Environment for Time Critical Systems



## Measurement Environment

- Controlled accuracy and intrusiveness
- Can be turned into an RTE at the cost of more intrusiveness

## Features

- Multiple hardware targets
- Characterizing interference channels
- Visualization to guide expert's analysis

# SAFURE Grant Agreement No. 644080

**"This project has received funding from the European Union's Horizon 2020 research and innovation programme under grant agreement No 644080."**

"This work was supported by the Swiss State Secretariat for Education, Research and Innovation (SERI) under contract number 15.0025. The opinions expressed and arguments employed herein do not necessarily reflect the official views of the Swiss Government."

If you need further information, please contact the coordinator:

TECHNIKON Forschungs- und Planungsgesellschaft mbH

Burgplatz 3a, 9500 Villach, AUSTRIA

Tel: +43 4242 233 55 Fax: +43 4242 233 55 77

E-Mail: [coordination@safure.eu](mailto:coordination@safure.eu)

The information in this document is provided "as is", and no guarantee or warranty is given that the information is fit for any particular purpose. The user thereof uses the information at its sole risk and liability.