The next generation of safety-critical systems will undoubtedly use multicore processors as there is an increasing need for performance and the availability of single-core processors is reducing. At the same time, practitioners are recognizing that the certification needs of systems using multi-core are not clear and the techniques available to meet any needs that are produced are limited. Recently, the civil aviation industry has produced some guidance in the form of CAST-32A, however, this is raising more questions than it is answering.

Safety-critical systems need strong guarantees of their timing behaviors which includes evidence of when the timing requirements are met, and then evidence for the loss of availability of certain functions in the other cases. It is crucially important that both the timing requirement and loss of service are commensurate with the system safety function which comes from the application. The challenge in providing such evidence comes from the platform’s shared resources, e.g., caches and buses, and with the introduction of multicore, this has become more complex due to reduced predictability. The unpredictability can be managed through the middleware where the resource management exists, however with appropriate consideration across the three layers during their design and subsequent composition.

The aim of this Dagstuhl Seminar is to bring together practitioners from three disciplines which represent the three layers relevant to safety-critical systems that use multicore to understand: how the safety of a system using multicores may be argued; the achievable evidence that can be produced; and how said systems might then be developed. The seminar will be organized through three strands which represent the three key layers of systems: application; middleware; and the platform.

First, a common understanding among practitioners should be found, for each of the three layers determining a set of properties (describing, e.g., timing, performance, and predictability requirements) needed to provide functional safety and its verification and/or a set of functionalities that can be provided supporting functional safety and its verification. Afterward, it should be determined which of the necessary properties are already covered by the provided functionality and which others can realistically be achieved, e.g., by reducing performance to increase predictability, and what are the related costs, e.g., how much is the performance reduced. Furthermore, it should be discussed what solutions are possible to achieve properties that cannot be guaranteed by current hardware or middleware, and how functional requirements can be reduced without reducing the predictability too much.

It is envisaged the seminar would have many outputs and benefits beyond the ability to informally network across companies, institutions, and domains. The key outputs we aim forwill be: a report highlighting what the industry needs in terms of tools and techniques; the dependencies across the various layers; the establishment of some key research challenges; identification of suitable benchmarks for collaborative and comparative research; and finally a route map towards the efficient and effective achievement of assurance arguments.

Creative Commons BY 4.0

Iain Bate, Thidapat (Tam) Chantem, Louise Harney, Claire Maiza, and Georg von der Brüggen