FIPES, Fault-Tolerant and Isolated Partitions Embedded Software


Technology abstract

A Portuguese company, in the scope of the internal D3 Decommissioning Device project, developed software for Leon3 processors that can easily be adapted. It will reach criticality classification B with a modular, secure and partitioned environment. It guarantees a secure interface with the hardware without compromising software execution. It can be adapted to applications where safety, reliability and modularity are important.

Technology Description

The FIPES software was developed on top of the XtratuM hypervisor. This allowed the software to be divided into three partitions:
- Hardware Partition: Developed in C using the RTEMS operating system. It was developed to interact exclusively with the hardware. It allows the other partitions to transfer data to the hardware through the Inter-partition Communication (IPC) provided by the XtratuM hypervisor, guaranteeing physically separated memory access. This partition was developed to cover serial protocols such as UART, SPI, MIL-STD-1553B and CAN.
  MIL-STD-1553B was implemented to cover the ECSS Standard, allowing Data Block transfer.
- Application Partition: Developed in Ada using the Ork Real-Time Kernel. It was developed to manage all the D3 application operations and was implemented using event-driven state machines. This partition is independent of the hardware, and it interfaces with the hardware only through the IPC.
  It was developed to cover the sending of Telemetry and the receiving of Telecommands using the ECSS Standard CCSDS.
- FDIR Partition: Developed in C, it was implemented to manage partition initialization and to detect and recover from a possible failure of one of the partitions of the system.
The FIPES software was implemented to hold two copies of the software. One copy is disabled by default and can be replaced using the procedure for uploading new software. The other copy is the currently running software. The running software can be switched at any time by sending the corresponding command. In that case, the FDIR partition checks the software integrity and switches to the new software if it was successfully uploaded.
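
The two-copy scheme described above, sketched as an added example; it is not FIPES code. The slot layout, the function names and the use of CRC-32 as the integrity check are assumptions, since the page does not say how the FDIR partition verifies an uploaded image.

```c
#include <stdint.h>
#include <string.h>

#define SLOT_SIZE 64u   /* constructed size, far smaller than a real image */
/* Hypothetical slot layout; the page does not describe the real format. */
typedef struct {
    uint32_t length;          /* bytes of image actually uploaded */
    uint32_t expected_crc;    /* CRC-32 delivered with the upload (assumed) */
    uint8_t  image[SLOT_SIZE];
} sw_slot_t;

typedef struct {
    sw_slot_t slot[2];
    int       active;         /* index of the running copy: 0 or 1 */
} sw_store_t;

/* Bitwise CRC-32 (reflected, polynomial 0xEDB88320). */
static uint32_t crc32_calc(const uint8_t *p, size_t n)
{
    uint32_t crc = 0xFFFFFFFFu;
    while (n--) {
        crc ^= *p++;
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Upload always targets the disabled copy; the running copy is never written. */
int sw_upload(sw_store_t *s, const uint8_t *img, uint32_t len, uint32_t crc)
{
    sw_slot_t *dst = &s->slot[1 - s->active];
    if (len == 0 || len > SLOT_SIZE) return -1;
    memcpy(dst->image, img, len);
    dst->length = len;
    dst->expected_crc = crc;
    return 0;
}

/* Switch command: returns 0 and switches only if the other copy verifies. */
int fdir_switch(sw_store_t *s)
{
    const sw_slot_t *c = &s->slot[1 - s->active];
    if (c->length == 0 || c->length > SLOT_SIZE ||
        crc32_calc(c->image, c->length) != c->expected_crc)
        return -1;            /* running copy stays active */
    s->active = 1 - s->active;
    return 0;
}
```

A failed check leaves `active` untouched, so a corrupted or incomplete upload can never become the running software.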

Innovations & Advantages

The FIPES software was designed to be modular, reliable and robust, reaching software criticality level B.
With the XtratuM hypervisor and all its mechanisms, it is easy to completely modify one partition without compromising the integrity of the others. Because of the partitioning, no resources are shared between partitions except through the IPC mechanism.
The software was developed so that the hardware can be switched without many software changes. It can be reused and adapted for other applications without much effort. The number of applications that can use FIPES is huge, since the software is modular. It was developed with a focus on space applications, such as satellites, decommissioning devices and intelligent motors, because these systems need to be fault-tolerant and fault-isolated, and need to recover automatically.
However, space is not the only target. This software can be used in any other application that needs reliability, such as aeronautics, automotive, etc.
Any partition can be developed (or modified) using any kind of language, and can use any real-time kernel, or even none, if desired.

Further Information

Current and Potential Domains of Application

Safety-critical devices, which require reliable and safety-critical operation.