In mid-2019 Arm introduced the runtime system for Functional Safety (FuSa RTS) - a safety-certified set of software components essential for software development on Arm Cortex-M devices. The following figure highlights FuSa RTS components in an embedded system.
Arm FuSa RTS includes a robust real-time operating system (FuSa RTX RTOS), an independent processor abstraction layer (FuSa CMSIS-Core), a verified FuSa C library and FuSa event recorder for RTOS awareness and event tracking.
The benefits provided with FuSa RTS were well received by users and we are glad see it being adopted in a wide variety of medical, automotive, and industrial applications.
Modern microcontrollers based on Arm's Cortex-M architecture can be very powerful and often have flexible built-in communication peripherals such as CAN, ethernet, and wireless interfaces, as well as LCD graphics support, and others.
Often, it could be very beneficial to use just one microcontroller with a single core for executing both safety-related functions (for example insulin pump control, emergency stop button) as well as for executing functionalities that are not critical from the safety perspective (Bluetooth communication for logging, LCD display for user notifications).
For such an approach to work, it must be ensured that the non-safety part (or the part with lower integrity level) does not impact the operation of the safety critical part (or the part with higher integrity level) of an application.
We have analyzed different concepts on how this could be best supported for FuSa RTS projects. And after months of extensive implementation, validation and documentation work, we are very glad to introduce process isolation feature in our upcoming FuSa RTS release that will enable such use cases (expected in Q2 2021).
Combining software components with different software requirements (or software integrity levels) on a single MCU shows the following benefits:
The upcoming FuSa RTS release implements a set of features to protect critical parts of an application against software flaws that may exist in other parts of an application:
A Memory Protection Unit (MPU) is available on many Cortex-M devices and enables restricted access to memory regions and peripherals. It is used to implement spatial isolation between application processes.
In FuSa RTX, an RTOS thread gets assigned to an MPU protected zone and then can access only memory regions specified in it and cannot accidentally modify critical RTOS kernel data or thread objects located in other protected memory regions. It is possible to allocate shared regions and use them for data exchange across different threads. The concept is shown on the following figure.
CMSIS-Zone simplifies the system partitioning and allows the definition of MPU protected zones in a user-friendly graphical environment.
In addition, safety classes enable access control to RTOS objects allocated with the RTX kernel. All RTOS objects including threads are assigned to a safety class value. The threads that belong to a lower safety class cannot modify RTOS objects of a higher safety class. Therefore, the safety critical parts of the application should be assigned to a higher safety class.
All RTOS threads share the computing time of the processor. So its use must be controlled to avoid undesired impact on execution of safety-critical functions (temporal isolation).
In FuSa RTS each thread can maintain its own thread watchdog. In case of timing violations, a thread watchdog alert is raised. The following figure shows an example:
When a failure occurs (for example HardFault, memory access violation, or thread watchdog alert), FuSa RTS blocks the execution of uncritical parts or to proceed to a safety state. The RTOS kernel can suspend thread execution, for example for threads in a lower safety class. This can be used to recover execution of the critical thread operation. With FuSa RTS, we provide an example demonstrating the concept.
Arm's runtime system for Functional Safety (FuSa RTS) already enables and greatly simplifies the use of CMSIS-RTOS and related components in safety-critical systems. With the introduction of process isolation capabilities such as MPU Protected Zones, Safety Classes, Thread Watchdogs, and System Recovery, users will be able to safely execute both critical and uncritical functionalities on a single microcontroller core.
Contact us for additional information, evaluation and price requests about Arm FuSa RTS and related development tools.
Request more info