Co-engineering techniques and tools for safety, security and performance have yet to take off significantly, for a variety of reasons. AQUAS aims to bridge the many barriers between specialist domains and bring co-engineering into mainstream practice. Demonstrators from across many domains are key to the leverage needed to achieve this and to prove validity and value. AQUAS has five domains which, like the consortium, were selected for balance, with differing focal points in the product life cycle. They cover transport infrastructure, health, satellite systems and manufacturing.
All use cases are based on Cyber-Physical Systems, and at least two of them (ATM, Railways) deal with the design of typical “constituent systems” of a System of Systems (SoS). Some SoS concerns (e.g., long lifetime, evolution after entry into service, multiple stakeholders) are also shared by all five domains.
1. Air Traffic Management
This domain consists of two use cases in order to address a wider scope of co-engineering axes. The use cases are complementary as they have a different subfocus.
The use-case based on the radio-navigation beacon is mainly focused on performance and safety issues.
“Performance” is expected to improve during the initial and later lifecycle phases: design, validation, verification, followed by the same processes for the evolution/upgrade of the systems.
2. Medical Devices
Control of physiological parameters by means of automatic drug infusion is a relatively new research area, largely directed at Operating Room (O.R.) activities. Because such technology is very promising, the expected rate of growth in sales is very high.
The market size of the above-mentioned subsector is formed by two basic families of medical equipment in direct relationship: Multiparameter Vital Signs Monitoring, and Infusion Pumps. Until now, these two types of devices have existed relatively apart, but there is currently a trend towards providing automatic features to perform new and advanced highly critical activities using a combination of the two. Thus the potential market for the family of products emerging from an AQUAS solution is the union of the two markets.
In this context, RGB has developed and CE marked a neuromuscular transmission (NMT) device for Hospital Operating Room critical care performance. This device uses a very innovative technology to support the anaesthesiologist in controlling muscle relaxation during an operating room intervention. Muscle relaxation is, together with depth of anaesthesia and pain, one of the three key parameters to be controlled by the anaesthesiologist. The company is now confronted with the challenge of developing a closed-loop controller for muscle relaxation that will perform in AUTOMATIC PILOT mode. This is the Use Case we propose within AQUAS.
The proposed Use Case has the following alignment with AQUAS goals:
Safety, Security and Performance considerations.
- Model of SW (control algorithm) embedded in existing NMT controller HW to reduce development time and costs.
- Model of patient to avoid clinical trials in the first stage.
- Tools to comply with the requirements specification and validation processes of the V-Model in the development cycle.
- Communication between the different components of the system must be secure, with robust communication protocols that do not compromise the integrity of the system.
- Use of verification and validation tools to gain performance evidence in test cases which cover as many real-life situations as possible.
As a result of the mentioned work, it will be possible to detect and propose improvements in standardization issues. In particular:
- Norms related to interoperability between medical devices such as IEEE 11073 (section on remote control and security),
- SW development of medical equipment (EN 62304),
- Collateral norm EN 60601-1-10 applied to closed-loop control systems.
This type of medical application has a great deal in common with the Space and Transport Use Cases, in terms of:
- Technology for model-based engineering
- Managing Complexity, Safety & Security
- Managing Diversity
- Increasing yield, robustness and reliability, and generating system openness
Norms applicable to different sectors can be compared to gain insight and generate improvements.
3. Rail Carriage Mechanisms
With the increase of the urban population worldwide, more automation and safety are required of railway transportation systems. Existing metro installations cannot easily be enlarged (platforms, trains, cars). The current solution to this problem, the reduction of the time interval between trains, requires the adoption of (semi-)automatic metros for the most crowded lines. However, these automatic trains have to stop at predefined positions on platforms in front of so-called platform screen doors, ensuring optimal passenger transfer between train and platform while preventing passengers from falling onto the tracks at peak hours. Interim systems have to be developed to ensure continuous operation while introducing new automated features. All non-automatic metros worldwide are directly targeted by this engineering process.
ClearSy has developed several safety systems controlling the opening and closing of the Platform Screen Doors (PSD) installed in metro stations in order to ensure passengers’ protection. These systems have the advantage of being independent of the train signalling and automatic operating systems; they can be installed in a metro which is already in service. They offer a speed of execution which seems instantaneous (simultaneous opening of train doors and PSD). Safe operation is guaranteed at SIL 3 or SIL 4 depending on the system, for example on Lines 1 and 13 of the Paris Metro and Lines 2 and 3 of the Sao Paulo Metro. PSD are deployed all over the world, in particular on new driverless lines, and also on modernized existing lines. ClearSy has developed independent systems, without the need to install CBTC (Communications-Based Train Control), for controlling automatic platform gates with a short delay of 300 milliseconds.
ClearSy develops both the hardware and the software of these systems in conformance with the EN 50126, EN 50128 and EN 50129 standards, including devices for fine-tuning sensors and supervision facilities. Being operated remotely, these systems have to provide both safety and security functions, which require cross-domain skills and knowledge and dedicated/diverse engineering tooling. The proposed case study will be used to test the technology within AQUAS, in line with safety, security and performance requirements, as railway systems have to deliver a function with a given level of safety/security and within a time window. Feedback will be provided to the system engineering teams of ClearSy.
4. Industrial Drive
In recent years, cybersecurity-related requirements and aspects have had an increasing impact on safety-critical systems and components. According to the IHS report from 2014, the world market for discrete machine-safety components was estimated to be worth $3.4 billion in 2012. In Asia, machine-safety revenues are projected to grow more quickly, at a 12.4% compound annual growth rate (CAGR) to 2017, versus 6.8% CAGR for the American market. Safety standards are not yet established in countries like China, but they are on their way; it seems likely they will be based on European standards, which is beneficial for European vendors operating in Asia.
A part of this machine-safety components market has to support security related requirements too.
Motion Control products cover a large variety of variable frequency inverters for synchronous and asynchronous motors ranging from standard electric motor systems and servomotors for Motion Control applications including linear and torque motors to motors for use in hazardous explosion areas, to high voltage, DC and customized electric motor systems.
The Industrial Drive use case focuses on a generic commercial motion control platform solution for permanent magnet synchronous motors (PMSM). A typical application is in machine tools. Since this application is based on a generic control reference platform, it is also possible to target applications in similar domains, such as electric drive trains in automotive.
The large variety of communication and sensor interfaces of such embedded systems adds significant security challenges to the safety mechanisms already implemented in today’s commercial industrial control products, where the most relevant standards are IEC 61508 and IEC 61800. Industrial automation systems are increasingly moving away from isolated operation towards interconnected systems, in order to let companies make fast and cost-efficient decisions based on accurate and up-to-date information about the processes under control.
The use case originates from the Artemis SESAMO project, where safety and security interdependencies were in focus. Besides safety and security also real-time performance is an essential criterion within this cost driven and competitive domain. This makes the Industrial Drive a perfect demonstration example for the technology developed within AQUAS.
5. Space Multicore Architectures
The proposed AQUAS developments present an excellent potential for application in a high-reliability market such as space. In order to provide a first overview of a concrete direct application, the case of applying AQUAS to the Earth Observation market is outlined here:
The earth observation market has been rocketing up since the beginning of the century. According to Euroconsult figures, the market was around 200M$ in the year 2000, reached 1,100M$ in 2010 and is foreseen to be over 4,000M$ by 2019. This growth has been built through a permanent increase in the number of earth observation missions launched as well as the number of countries that have either developed or bought their own earth observation systems. The estimate is that, from the 26 present countries, the club of “EO Owners” will nearly double to up to 41 countries by 2019.
The countries that have entered the club of the Earth Observation Satellite Owners range from Taiwan (Formosat-2) to Chile (Ssot), Thailand (Theos) or Kazakhstan (Ersss). This means that the market is clearly opening to the medium sized countries and to those that can be considered developing countries.
In addition to this, the traditional military usage of EO resources has changed completely, as today more than 40% of the market is covered by civilian or enterprise applications. This proportion is going to increase in favour of civilian and, very especially, enterprise usage of Earth Observation resources, as more and more private initiatives make use of earth imagery either for their direct business (such as GIS-related services) or as part of ancillary services (such as critical installations monitoring).
The design of data handling systems and data processing systems for space applications is currently introducing technologies quite new to the space market, such as multi-core processors or SoCs. In the space business, SoCs are newcomers that are entering the market at an extremely slow speed, especially when compared with the promised advantages that such systems may bring in terms of performance improvement. The main reason for this low adoption rate is the criticality of space-borne systems and the associated validation and certification procedures. One of the elements blocking this certification is the lack of adequate tools for managing the complexity and mixed criticality of such systems. There is a lack of methodologies and tools to support the exploitation of these new technologies in the scope of systems which are compliant with the strict requirements of performance under critical conditions, safety, timeliness, security and reliability peculiar to space applications.
The target of this Use Case is to prove the validity of the different architectures and the related development methodologies and tool chains proposed by the AQUAS project and previous projects such as OPENCOSS and nSafeCer, opening new application domains to the use of multicores. This use case will be clearly targeted at a final product application in the EO domain and, therefore, compliance must be guaranteed not only with the functional requirements but also with the applicable space standards, such as the European Cooperation for Space Standardization (ECSS) family of standards for space software (ECSS-Q-80 and ECSS-E-40) peculiar to space applications, pushing these requirements forward towards the larger flexibility provided by heterogeneous systems.
The use case of TASE is mainly focused on including multicore architectures capable of in-flight reconfiguration in actual payload data processing equipment for video processing in Earth Observation missions. The target is to replace legacy designs in present flight missions, using the improved performance of multicores to overcome the limitations imposed by classic ASIC designs. To achieve this, TASE will define the requirements derived from actual mission scenarios in terms of performance, safety, security and certification needs, and will support the architecture definition and validation activities. Once the architectures are selected, TASE will implement them in the available processing modules based on the multicore elements, both HW and SW. The reconfigurability of the proposed solution brings into the Use Case the need to manage variability and lifecycle for the different versions and evolutions of the SW and the synthesized HW, taking into account that some of these versions will be loaded and modified during flight operation of the satellite.
This Use Case will focus on the multicore architectures presently available on the market and the possibilities of implementing them in space-worthy systems that are capable of withstanding the space environment and that can follow the stringent design rules specified for space equipment. In the same way, in-flight reconfiguration techniques, either by SW modifications for LEON processor-based architectures or by FPGA reconfiguration for Zynq platforms, will be covered.
The core of the proposed architectures will be the processor selected by the European Space Agency for the next generation of data handling systems for space applications, i.e. the LEON3 FT, which is based on the SPARC-V8 RISC architecture. This processor will be used as the base to implement the Scalable Sensor Data Processor Breadboard (SSDP) architecture already under development for ESA, to satisfy the needs of applications that require fast processing of large amounts of data from smart sensors in future space exploration missions. This architecture combines fixed-point DSP IP with a LEON controller. The inherent scalability of the Network-on-Chip (NoC) architecture, as well as the efficient combination of GPP and DSP processor cores, are very interesting for future large and ultra-powerful processor ASICs; however, a strict validation and certification strategy will be key to allowing the widespread usage of such a powerful device in different scenarios with very different criticality constraints.