Safety Platform Released for Safety-Critical Applications in the Railways and Avionics Market
At Avionics Europe on 25 March 2010, MEN Mikro Elektronik debuted a triple-redundant single-board computer in lock-step architecture for building up safe computer systems. Wind River provides support with board support packages (BSPs) for its safety certification operating systems, VxWorks DO-178B and VxWorks 61508. Additionally, Sysgo has ported its safety platform PikeOS.
Guaranteed safety in hardware
Developed originally as a safe computer for controlling the freight load system of the Airbus A400M, the computer assembly D602 is now also available as COTS hardware for CompactPCI systems. It is used in safety-critical applications in airplanes (up to DAL-A) and in trains (up to SIL 4).
By building up a lock-step architecture, software overhead is kept low, because virtually the hardware components are visible only once for the programming. D602 provides complete triple redundancy of the hardware components on a single board for the safe operation of critical systems and at the same time high availability. Both the 900MHz PowerPC 750 and the main memory with three times 512MB are built up to be redundant. Critical functions like voters are implemented as IP cores in the FPGA which also has a triple-redundant structure. By using voters it is ensured that at least two of the three redundant components provide the same result in order to guarantee safety. The system remains completely operational even if one of the three redundant components fails, providing the required availability.
The redundancy of further components like the Flash banks, the PSUs and the clock oscillators, as well as the additional ECC protection for the Flash and the FRAM, increase availability.
The D602 also provides two PMC slots, one of which is used for an AFDX connection. Both PMC modules are accessible at the front in the standard version, but offer also the possibility to access them via rear I/O when used in a conductive cooling system.
Proven airworthiness included
D602 has been developed according to DO-254 and is airworthy in a safety-critical environment up to DAL-A. Additional diagnosis mechanisms (BITE, e.g., extensive self tests) help to detect latent errors before they lead to a system error, increasing safety and availability. For the same purpose, the design is oriented towards strictly deterministic operation avoiding interrupts and DMA.
PikeOS from Sysgo and several VxWorks operating systems platforms targeting safety-critical deployments are now available. In addition to the general purpose real-time operating system (RTOS) VxWorks 6.6, Wind River also supplies VxWorks platforms that support safety certifications up to DO-178B and EUROCAE ED-12B Level A, and to DAL-A or IEC 61508 SIL 4.