Project Report
On
Comparative Study of Safety Critical
Systems using MPU & Non-MPU
model of FreeRTOS+IO
Submitted in partial fulfillment for the award of
Post Graduate Diploma in Embedded System Design
(PG-DESD) from C-DAC, ACTS Pune
Guided by:
Mr. Babu Krishnamurthy
Presented by:
Mr. Alok Kumar Yadav PRN: 160840130011
Mr. Arjun Gaur PRN: 160840130017
Mr. Kalidas Tate PRN: 160840130043
Mr. Swapnil Mishra PRN: 160840130105
PG-DESD CDAC, ACTS PUNE
Comparative Study of Safety Critical Systems using MPU & Non-MPU model of FreeRTOS+IO
CERTIFICATE
TO WHOMSOEVER IT MAY CONCERN
This is to certify that
Mr. Alok Kumar Yadav PRN: 160840130011
Mr. Arjun Gaur PRN: 160840130017
Mr. Kalidas Tate PRN: 160840130043
Mr. Swapnil Mishra PRN: 160840130105
have successfully completed their project on
Comparative Study of Safety Critical
Systems using MPU & Non-MPU model
of FreeRTOS+IO
under the guidance of Mr. Babu Krishnamurthy
Project Guide Project Supervisor
Head of the Department C-DAC, ACTS Pune
Ms. Mita Karajagi
Acknowledgement
This project would not have been possible without the immense help and support of
the CDAC faculty and our coordinator. We are indebted to Mr. Babu Krishnamurthy, our
project mentor, for guiding us through the project with lucid simplicity and skill. We also
express our earnest gratitude to Mr. Rajesh Sola for helping us through the subtleties of the
programming topics; this project work would not have been completed without his
enduring support.
Our most heartfelt thanks go to Mrs. Purvi Parmar (Course Coordinator, PG-DESD),
who gave all the required support and kind coordination to provide the necessities such as
the required hardware, internet facility and extra lab hours to complete the project, and
throughout the course up to our last day here at C-DAC ACTS, Pune.
Table of Contents
Introduction
System Requirements
  Hardware Requirements
  Software Requirements
Hardware/Software characteristics
  Linux Computer
  NGX-LPC1769-Xplorer board (Cortex M3 Platform)
  LPC-Link-2 (Debugger)
  Miscellaneous
  LPC-Xpresso IDE
Memory Protection
  The basic question is why to set up MPU?
  What's so great about this set-up?
MPU PORTING
  Task performed by us
  Default Memory Map Cortex M3
  MPU Divided Memory Map
MPU Setup Steps Followed
  MPU Setup used by FreeRTOS
  Our MPU Configuration
FreeRTOS+IO Framework
  Modes of Operation
    Polling
    Interrupt driven Circular Buffer
    Interrupt driven Zero Copy
    Interrupt driven character queue
FreeRTOS+IO+LPCOpen Framework
  Universal asynchronous receiver/transmitter
LPC1769 Pin Configuration
  Pin function select register 0
  Pin function select register 1
  I2C Pin Configuration register
  UARTn Interrupt Enable Register
  UART0/2/3 Register Map
  I²C Bus
Case Study
References
Introduction
Safety-critical systems are those systems whose failure could result in loss of life,
significant property damage, or damage to the environment. There are many well-known
examples in application areas such as medical devices, aircraft flight control, weapons, and
nuclear systems. [1]
Such applications cannot tolerate errors of any kind, and the latency of every operation
must stay within a fixed limit.
A general-purpose RTOS cannot meet these requirements, because it gives no assurance
against hangs or unpredictable timing. What such applications need is an OS that has been
designed and verified to be reliable and robust, with a near-zero probability of failure.
SafeRTOS provides this kind of assurance for safety-critical applications [2]; it is also
optimized for applications where a small code footprint is essential [3]. SafeRTOS, however,
is not open source.
FreeRTOS is an open-source RTOS, but as shipped it is not suitable for safety-critical
applications: unlike SafeRTOS, its functional model has not been subjected to a full HAZOP and
certification process.
A typical RTOS uses a single flat address space, which keeps the RTOS simple and
deterministic. The drawback is that the whole address space is exposed to every part of the
system: privileged and unprivileged tasks alike can read and write anything. Important data is
therefore not protected, and an unprivileged task can unintentionally corrupt a privileged
task's data.
Data corruption can lead to system failure, and the failure of one small part of a system
can cascade into an avalanche of faults and failures across the whole system.
To avoid failures of this kind, memory access can be restricted so that a given part of the
code is only permitted to touch the regions it has been granted. This is exactly what a Memory
Protection Unit (MPU) provides.
We have implemented two case studies:
- the unintended acceleration problem of Toyota vehicles;
- a data acquisition and control system at a gas station.
System Requirements
Hardware Requirements
The hardware requirements of the project are as follows:
- Computer running Linux as its operating system
- NGX-LPC1769-Xplorer board (Cortex M3 platform)
- LPC-Link-2 (debugger)
Miscellaneous
- 10-pin ribbon cable
- UART cable
- Temperature sensor (I2C interface)
- Ultrasonic sensor
Software Requirements
The software requirements of the project are as follows:
- LPC-Xpresso IDE
- CMSIS library support
- NXP LPCOpen framework
- FreeRTOS+IO
- Tera Term (serial terminal for the UART console)
Hardware/Software characteristics
Linux Computer
The development of the project requires a Linux operating system compatible with
LPC-Xpresso IDE.
The implementation of the project requires a Linux operating system with a bare
minimum USB support, UART Support and root privileges.
In this project a dual core processor (x86) running OpenSUSE as its
Operating System was used.
NGX-LPC1769-Xplorer board (Cortex M3 Platform)
For the implementation of Safety Critical Systems using MPU & Non-MPU model
of FreeRTOS+IO, NGX-LPC1769-Xplorer board is used. The characteristics of the board
are as follows:
- Controller: LPC1769
- On-board test LED
- 12 MHz crystal
- 25 MHz crystal for Ethernet
- 32 kHz RTC crystal
- On-board USB host/device support
- On-board Ethernet transceiver
- On-board dual-port USB power switch with over-current protection
- On-board micro-SD card holder
- On-board 10-pin SWD header
- On-board reset switch
The most relevant characteristic of the board that qualifies it for the project is the on
board I2C implementation and the USB host/device/OTG support.
LPC-Link-2 (Debugger)
LPC-Link-2 is an extensible, stand-alone debug adapter that can be configured to
support various development tools and IDEs by downloading different firmware images.
Available firmware images include the LPC-Xpresso IDE debugger by NXP and CMSIS-DAP by ARM.
Miscellaneous
The EEPROM present on the NGX-LPC1769-Xplorer board is used as a black box: when an
error or fault occurs, the stacked data (the exception stack frame and fault status) is
written to it so the cause can be examined afterwards.
The temperature sensor is interfaced over I2C using the FreeRTOS+IO libraries.
Various USB cables are used to connect the board, the debugger and the computer.
LPC-Xpresso IDE
LPC-Xpresso is a low-cost development tool platform, available directly from NXP
that provides a quick way to develop advanced applications using NXP's highly efficient and
low-power LPC microcontrollers. This software was used for the firmware development of
the project.
Memory Protection
A processor that has an MPU (the Cortex-M3 in our case) behaves exactly as before while the
MPU is disabled. Once the MPU is enabled, the processor may only access the memory regions
that have been programmed into the MPU registers, and only with the access permissions given
for each region. An access that violates a region's permissions raises a MemManage fault
(which escalates to a HardFault if the MemManage exception is not enabled). The Cortex-M3
MPU provides 8 regions. Regions can be reprogrammed at run time, which is how an RTOS gives
each task its own regions at every context switch. If an address lies in two regions, the
permissions of the higher-numbered region apply.
The Cortex-M3 MPU is configured through a small set of memory-mapped registers; by writing
them we set the attributes and access permissions of our address space. With the CMSIS names:
MPU->TYPE   Reports whether an MPU is present and how many regions it supports.
MPU->CTRL   Enables the MPU (ENABLE); selects whether the MPU stays active during the HardFault
            and NMI handlers (HFNMIENA); and, with PRIVDEFENA, lets privileged code use the
            default memory map for addresses that no region covers, instead of faulting.
MPU->RNR    Selects which of the 8 regions the following RBAR/RASR writes apply to.
MPU->RBAR   Sets the selected region's base address, which must be aligned to the region's
            size. (RBAR can also select the region itself when its VALID bit is set.)
MPU->RASR   Sets the region's size (a power of two from 32 bytes upward), its memory
            attributes, its access permissions (AP), the execute-never (XN) bit and the
            region enable bit.
The basic question is why to set up MPU?
Data acquisition and safety-critical systems are an emerging trend. They handle large
amounts of data on which decisions are made, and the necessary actions are taken on the basis
of those decisions.
Suppose we are dealing with a flight monitoring system, and some portion of memory holds the
critical data that describes the tilt of the aircraft or the status of the engine. What happens
if some task overwrites that data because of a referencing problem (an improperly used
pointer)?
The basic idea is to make the environment more constrained and to gain robustness from that
constraint.
Proceeding with our set-up:
We started our work with plain FreeRTOS without MPU support. Here there is very little
protection, because the address space is unified: every task sees the same address space and
every task can access all of it. Each task has its own stack, but stack overflows are still a
real problem, and the checks a developer can add are not robust (the FreeRTOS stack overflow
check runs only at context switch time, so an overflow may have corrupted neighbouring memory
before it is noticed). Peripherals and devices are fully accessible to every task, which makes
the system unreliable in terms of access control. This motivated us to move on to FreeRTOS
with MPU support.
What's so great about this set-up?
- We have fine-grained control over memory regions.
- Restricted environment: any illegal memory access results in a MemManage fault at the
  faulting instruction, instead of silently corrupting data.
- Kernel code and data are isolated from the tasks.
- Devices can be isolated or protected.
- Each task is assigned a protected stack region of its own; a task can no longer see the
  entire address space.
- System call APIs are transformed into MPU-wrapped system call APIs: the wrapper raises
  privilege for the duration of the kernel call and drops it again on return.
MPU PORTING
Task performed by us
- Porting FreeRTOS+IO to the MPU port of FreeRTOS, together with the LPCOpen framework.
- Updating the linker script to match our region configuration.
- Changing the non-portable (platform-specific) files.
- Adding system call APIs through the MPU wrapper.
- Setting up MPU regions according to a configuration that works robustly.
Default Memory Map Cortex M3
Figure 1: Default Memory Map Cortex M3
MPU Divided Memory MAP
MPU Setup Steps Followed
MPU Setup used by FreeRTOS
Region Use              | Access Permissions
------------------------|---------------------------------------------------------------
Whole Flash             | Executable, read-only, privileged and unprivileged access
General Peripherals     | Not executable, read/write, privileged and unprivileged access
Task Specific Region 1  | Defined in the task declaration
Task Specific Region 2  | Defined in the task declaration
Task Specific Region 3  | Defined in the task declaration
Task Stack              | Not executable, read/write, privileged and unprivileged access
Kernel Flash            | Executable, read-only, privileged access only (no unprivileged access)
Kernel RAM              | Not executable, read/write, privileged access only (no unprivileged access)
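As an added example (not code from the report, FreeRTOS or ARM), the following C program encodes regions of the kind listed in the table above, and described under Memory Protection, into the RBAR/RASR words the Cortex-M3 MPU expects, rejecting layouts the hardware cannot express (size not a power of two, base not aligned to the size, region number above 7), and models the access decision the MPU makes: overlapping regions are resolved in favour of the higher region number, and an address covered by no region is allowed only to privileged code when PRIVDEFENA is set. It runs on a host. The base addresses and sizes in demo_layout() are assumed for an LPC1769 (512 KB flash at 0x00000000, 32 KB SRAM at 0x10000000), and the memory attribute bits are conventional choices; neither is taken from the report's own configuration.

```c
/* Added example, not code from the report, FreeRTOS or ARM: encode Cortex-M3
 * MPU regions into RBAR/RASR words and model the MPU's access decision.
 * Host-runnable; on target the two words go to MPU->RBAR and MPU->RASR.
 * demo_layout() is an assumed LPC1769 map (512 KB flash at 0, 32 KB SRAM at
 * 0x10000000), not the report's own configuration. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* RASR.AP field (ARMv7-M): privileged access / unprivileged access */
enum mpu_ap { AP_NONE = 0, AP_PRIV_RW = 1, AP_PRIV_RW_UNPRIV_RO = 2,
              AP_FULL_RW = 3, AP_PRIV_RO = 5, AP_FULL_RO = 6 };
typedef enum { ACC_READ, ACC_WRITE, ACC_EXEC } mpu_access_t;
typedef struct { uint32_t rbar, rasr; } mpu_region_t;

/* Build RBAR/RASR for one region. Rejects what the hardware cannot express:
 * region > 7, size not a power of two in [32 B, 2 GB], base not size-aligned. */
bool mpu_encode_region(unsigned region, uint32_t base, uint32_t size,
                       enum mpu_ap ap, bool exec, uint8_t tex_s_c_b,
                       mpu_region_t *out)
{
    if (region > 7 || size < 32 || (size & (size - 1)) != 0) return false;
    if (base & (size - 1)) return false;            /* base must be size-aligned */
    uint32_t log2 = 0;
    while ((1u << log2) != size) log2++;
    out->rbar = base | (1u << 4) | region;          /* VALID=1: REGION field is used */
    out->rasr = ((exec ? 0u : 1u) << 28)            /* XN */
              | ((uint32_t)ap << 24)                /* AP */
              | ((uint32_t)(tex_s_c_b & 0x3Fu) << 16) /* TEX, S, C, B attribute bits */
              | ((log2 - 1) << 1)                   /* SIZE: region is 2^(SIZE+1) bytes */
              | 1u;                                 /* ENABLE */
    return true;
}

/* The MPU's decision for one access. Two rules the text relies on: when regions
 * overlap the highest region number wins; an address covered by no region is
 * allowed only to privileged code, and only if CTRL.PRIVDEFENA is set. */
bool mpu_access_allowed(const mpu_region_t *r, int n, uint32_t addr,
                        mpu_access_t kind, bool privileged, bool privdefena)
{
    int best = -1;
    for (int i = 0; i < n; i++) {
        if (!(r[i].rasr & 1u)) continue;                         /* region disabled */
        uint64_t size = 1ull << (((r[i].rasr >> 1) & 0x1Fu) + 1);
        uint32_t base = r[i].rbar & (uint32_t)~(size - 1);
        if (addr < base || addr - base >= size) continue;
        if (best < 0 || (r[i].rbar & 0xFu) > (r[best].rbar & 0xFu)) best = i;
    }
    if (best < 0) return privdefena && privileged;              /* background region */
    uint32_t ap = (r[best].rasr >> 24) & 7u;
    bool xn = (r[best].rasr >> 28) & 1u, rd, wr;
    switch (ap) {
    case AP_PRIV_RW:           rd = privileged; wr = privileged; break;
    case AP_PRIV_RW_UNPRIV_RO: rd = true;       wr = privileged; break;
    case AP_FULL_RW:           rd = true;       wr = true;       break;
    case AP_PRIV_RO:           rd = privileged; wr = false;      break;
    case AP_FULL_RO: case 7:   rd = true;       wr = false;      break;
    default:                   rd = false;      wr = false;      break;
    }
    if (kind == ACC_WRITE) return wr;
    if (kind == ACC_EXEC)  return rd && !xn;                    /* execute needs read and !XN */
    return rd;
}

/* Assumed layout in the style of the FreeRTOS table. The kernel regions get
 * higher numbers than the whole-flash region so that they win where they overlap.
 * Attribute bits: flash C=1 (0x02); SRAM S,C=1 (0x06); peripherals S,B=1 (0x05). */
static mpu_region_t demo_regions[8];
int demo_layout(void)
{
    bool ok = true;
    ok &= mpu_encode_region(0, 0x00000000u, 512u * 1024u, AP_FULL_RO, true,  0x02, &demo_regions[0]); /* whole flash */
    ok &= mpu_encode_region(1, 0x00000000u, 32u * 1024u,  AP_PRIV_RO, true,  0x02, &demo_regions[1]); /* kernel flash */
    ok &= mpu_encode_region(2, 0x10000000u, 8u * 1024u,   AP_PRIV_RW, false, 0x06, &demo_regions[2]); /* kernel RAM */
    ok &= mpu_encode_region(3, 0x40000000u, 512u << 20,   AP_FULL_RW, false, 0x05, &demo_regions[3]); /* peripherals */
    ok &= mpu_encode_region(4, 0x10002000u, 1024u,        AP_FULL_RW, false, 0x06, &demo_regions[4]); /* one task's stack */
    return ok ? 5 : 0;                      /* number of regions, 0 if any was rejected */
}
uint32_t demo_rasr(int i) { demo_layout(); return demo_regions[i].rasr; }
bool demo_allowed(uint32_t addr, mpu_access_t kind, bool privileged, bool privdefena)
{
    int n = demo_layout();
    return mpu_access_allowed(demo_regions, n, addr, kind, privileged, privdefena);
}
/* Layouts the hardware cannot express must be rejected before they reach RBAR/RASR. */
bool demo_rejects_bad_regions(void)
{
    mpu_region_t t;
    return !mpu_encode_region(5, 0x10000100u, 1024u, AP_FULL_RW, false, 0, &t)   /* misaligned base */
        && !mpu_encode_region(5, 0x10000000u, 48u,   AP_FULL_RW, false, 0, &t)   /* not a power of two */
        && !mpu_encode_region(8, 0x10000000u, 1024u, AP_FULL_RW, false, 0, &t);  /* only 8 regions */
}

int main(void)
{
    const char *v[] = { "MemManage fault", "allowed" };
    printf("unpriv write to kernel RAM 0x10000100: %s\n", v[demo_allowed(0x10000100u, ACC_WRITE, false, true)]);
    printf("unpriv read of kernel flash 0x10:      %s\n", v[demo_allowed(0x00000010u, ACC_READ,  false, true)]);
    printf("unpriv write to own stack 0x10002010:  %s\n", v[demo_allowed(0x10002010u, ACC_WRITE, false, true)]);
    printf("priv read of uncovered 0x20000000:     %s\n", v[demo_allowed(0x20000000u, ACC_READ,  true,  true)]);
    return 0;
}
```

On the target each pair would be written as MPU->RBAR = r.rbar; MPU->RASR = r.rasr; (the VALID bit in RBAR means MPU->RNR need not be programmed separately), followed by MPU->CTRL = MPU_CTRL_ENABLE_Msk | MPU_CTRL_PRIVDEFENA_Msk, a DSB/ISB pair, and enabling the MemManage exception through SCB->SHCSR; without that last step a violation shows up as a HardFault instead.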
Our MPU Configuration
FreeRTOS+IO Framework
FreeRTOS+IO provides a Linux/POSIX-like open(), read(), write() and ioctl() style
interface to peripheral driver libraries.
It sits between a peripheral driver library and the user application to provide a single,
common interface to all supported peripherals across all supported platforms.
The current board support package implementations support UART, I2C and SPI operation,
in both polled and interrupt-driven modes.
Modes of Operation:
Polling
Read/write: the most basic transfer mode, using busy-wait loops instead of interrupts.
Interrupt driven Circular Buffer
Read only: the receive ISR places each received byte into a circular buffer, and a later
read() call removes the data from the buffer.
Interrupt driven Zero Copy
Write only: the transmit ISR sends data directly from the buffer passed to write(), with no
intermediate copy and therefore no additional RAM requirement.
Interrupt driven character queue
Read/write: a FreeRTOS queue buffers characters between the ISR and the read()/write()
operation.
FreeRTOS+IO+LPCOpen Framework
LPCOpen is developed by NXP to make porting much easier; the stock FreeRTOS+IO
framework instead uses the older CMSIS-based driver library.
LPCOpen includes CMSIS together with a board support package (BSP) and a hardware
abstraction layer (HAL). It also provides start-up code that detects the board and performs
the necessary initialisation.
To make our work more efficient and portable we integrated LPCOpen into the FreeRTOS+IO
framework, replacing the appropriate board-level and chip-level calls with their LPCOpen
equivalents.
Universal asynchronous receiver/transmitter
A universal asynchronous receiver/transmitter (UART) is a computer hardware device
for asynchronous serial communication in which the data format and transmission
speed are configurable. The electrical signalling levels and methods (such as differential
signalling) are handled by a driver circuit external to the UART.
UARTs are commonly used in conjunction with communication standards such
as TIA (formerly EIA) RS-232, RS-422 or RS-485. A UART is usually an individual (or part of
an) integrated circuit (IC) used for serial communications over a computer or peripheral
device serial port. UARTs are now commonly included in microcontrollers. A dual UART,
or DUART, combines two UARTs into a single chip. Similarly, a quadruple UART, or QUART,
combines four UARTs into one package, such as the NXP 28L194. An octal UART,
or OCTART, combines eight UARTs into one package, such as the Exar XR16L788 or the
NXP SCC2698. A related device, the Universal Synchronous/Asynchronous
Receiver/Transmitter (USART), also supports synchronous operation.
LPC1769 PIN Configuration
Pin function select register0
Pin function select register 1
I2C Pin Configuration register
UARTn Interrupt Enable Register
UART0/2/3 Register Map
I²C BUS
I²C (Inter-Integrated Circuit), pronounced I-squared-C, is a multi-master, multi-slave, single-
ended, serial computer bus invented by Philips Semiconductor (now NXP Semiconductors). It is
typically used for attaching lower-speed peripheral ICs to processors and microcontrollers in
short-distance, intra-board communication. Alternatively I²C is spelled I2C (pronounced I-two-
C) or IIC (pronounced I-I-C).
Since October 10, 2006, no licensing fees are required to implement the I²C protocol. However,
fees are still required to obtain I²C slave addresses allocated by NXP.
Several competitors, such as Siemens AG (later Infineon Technologies AG, now Intel mobile
communications), NEC, Texas Instruments, STMicroelectronics (formerly SGS-Thomson),
Motorola (later Freescale, now merged with NXP), Nordic Semiconductor and Intersil, have
introduced compatible I²C products to the market since the mid-1990s.
SMBus, defined by Intel in 1995, is a subset of I²C, defining a stricter usage. One purpose of
SMBus is to promote robustness and interoperability. Accordingly, modern I²C systems
incorporate some policies and rules from SMBus, sometimes supporting both I²C and SMBus,
requiring only minimal reconfiguration either by commanding or output pin use.
Case Study
We carried out two case studies to understand the MPU set-up and to confirm that it is
robust and reliable:
- the unintended acceleration problem of Toyota vehicles;
- a data acquisition and control system at a gas station.
Tank level Study
Task                   | Priority | Reason for Task
-----------------------|----------|--------------------------------------------------------------
Level Calculation Task | medium   | Determines the level of the oil in the tank and sends it to the Control Task through a queue.
Display Task           | low      | Displays the critical values (temperature and level) to the operators.
Debug Task             | low      | Optional task, created when we want to debug the reason for a system failure.
Faulty Task            | low      | Injects faults: it causes a stack overflow and data corruption.
Temperature Task       | high     | Reads the temperature sensor and sends the value to the Control Task through a queue.
Control Task           | high     | The most important task; it controls the whole system and its functioning.
In this study we used an I2C-based temperature sensor together with an ultrasonic sensor to
take the temperature and level readings. The critical data is passed to the Control Task
through message queues; the Control Task receives it and decides what has to be done. Because
the sensor tasks never write shared variables directly, a corrupted or overflowing Faulty Task
cannot alter the values the Control Task acts on, and with the MPU enabled its overflow is
caught as a MemManage fault rather than silently damaging another task's data.
Toyota Study
Problems with the Toyota ETCS "spaghetti code":
- The Toyota code has between 9,273 and 11,528 global variables (two counts are quoted).
- In the Camry software the majority of all data objects (82%) are declared with unlimited
  scope and are accessible to all executing tasks:
  - 6,971 instances in which the scope could have been local static;
  - 1,086 instances in which the scope could have been file static.
- NASA identified a specific concurrency defect:
  - shared global variables are not all declared volatile;
  - shared globals are not always accessed with interrupts masked.
- The Toyota ETCS uses recursion, with no mitigation for stack overflow.
- There was no bug tracking system.
What our MPU port addresses, and what it does not:
- A stack overflow can no longer corrupt memory silently: as soon as a task's stack pointer
  leaves the task's stack region the MPU raises a MemManage fault, so the overflow is
  detected and traceable during debugging and testing. The MPU does not prevent the
  overflow; it turns it into an immediately detected fault.
- Unprivileged tasks cannot access kernel data, and globals belonging to the kernel or to
  another task live in regions the task has no permission for; no variable is accessible to
  every task.
- No invalid memory region access: the regions a task may use are defined before the task
  is created.
- The EEPROM black box records the fault context, giving a basis for bug tracking.
- No objects with unlimited scope: each task's data lives in its own regions.
- The concurrency defects (shared globals that are not volatile, or are accessed with
  interrupts unmasked) are not fixed by the MPU; they must be fixed in the code itself, for
  example by passing shared data only through queues as in the tank level study.
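As an added example (not code from the report), the following C program shows what the EEPROM black box mentioned in the Miscellaneous section and in the list above would have to capture when the MPU raises the MemManage fault described under Memory Protection. On the target, MemManage_Handler would read the exception frame the core pushed on entry, the fault status bits in SCB->CFSR (whose low byte is MMFSR) and the faulting address in SCB->MMFAR; here the frame, the register values and the EEPROM image are constructed in RAM so the decoder can run and be tested on a host. The record layout, the helper names and the sample register values are assumptions, not taken from the report.

```c
/* Added example, not code from the report: decode a Cortex-M3 MemManage fault
 * into a black-box record of the kind the report stores in EEPROM.  The frame,
 * MMFSR/MMFAR values and the EEPROM image below are constructed for a host run;
 * on target they come from the PSP/MSP, SCB->CFSR and SCB->MMFAR and an I2C write. */
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* MMFSR bits (low byte of SCB->CFSR), ARMv7-M.  They are write-one-to-clear. */
#define MMFSR_IACCVIOL  (1u << 0)  /* instruction fetch from an XN or no-access region */
#define MMFSR_DACCVIOL  (1u << 1)  /* data access violation */
#define MMFSR_MUNSTKERR (1u << 3)  /* fault while popping the frame on exception return */
#define MMFSR_MSTKERR   (1u << 4)  /* fault while pushing the frame on exception entry */
#define MMFSR_MMARVALID (1u << 7)  /* MMFAR holds the faulting address */

/* Exception frame the core pushes on entry (Cortex-M3, no FPU). */
typedef struct { uint32_t r0, r1, r2, r3, r12, lr, pc, xpsr; } exc_frame_t;

/* Assumed black-box record layout. */
typedef struct {
    uint32_t magic;        /* marks a valid record in the EEPROM image */
    uint32_t pc;           /* faulting instruction (0 when the frame is untrusted) */
    uint32_t lr;           /* caller of the faulting function, first step of a backtrace */
    uint32_t fault_addr;   /* MMFAR when MMARVALID, else 0 */
    uint8_t  mmfsr;
    uint8_t  frame_valid;  /* 0 when MSTKERR: the push of the frame itself faulted */
    uint8_t  from_psp;     /* 1 if the faulting code ran on the process stack (a task) */
    uint8_t  unprivileged; /* CONTROL.nPRIV of the faulting thread */
    char     reason[28];
} blackbox_record_t;
#define BLACKBOX_MAGIC 0x4D4D4641u /* "MMFA" */

/* A stacking error means the stack pointer itself left the task's stack region:
 * this is the stack overflow the Faulty Task provokes, caught by the MPU. */
const char *mmfsr_reason(uint8_t mmfsr)
{
    if (mmfsr & MMFSR_MSTKERR)   return "stack overflow (stacking)";
    if (mmfsr & MMFSR_MUNSTKERR) return "stack corrupt (unstacking)";
    if (mmfsr & MMFSR_IACCVIOL)  return "exec from XN region";
    if (mmfsr & MMFSR_DACCVIOL)  return "data access violation";
    return "unknown";
}

/* exc_return is the EXC_RETURN value in LR on handler entry: bit 2 set means the
 * frame is on the PSP.  control is the CONTROL register: bit 0 is nPRIV. */
blackbox_record_t decode_memmanage(const exc_frame_t *f, uint8_t mmfsr,
                                   uint32_t mmfar, uint32_t exc_return, uint32_t control)
{
    blackbox_record_t rec;
    memset(&rec, 0, sizeof rec);
    rec.magic = BLACKBOX_MAGIC;
    rec.mmfsr = mmfsr;
    rec.frame_valid = (mmfsr & MMFSR_MSTKERR) ? 0 : 1;
    if (rec.frame_valid) { rec.pc = f->pc; rec.lr = f->lr; }
    rec.fault_addr = (mmfsr & MMFSR_MMARVALID) ? mmfar : 0;
    rec.from_psp = (exc_return & (1u << 2)) ? 1 : 0;
    rec.unprivileged = control & 1u;
    strncpy(rec.reason, mmfsr_reason(mmfsr), sizeof rec.reason - 1);
    return rec;
}

/* Assumed EEPROM: a RAM buffer here, an I2C page write on the board. */
static uint8_t eeprom_image[256];
bool blackbox_store(const blackbox_record_t *rec)
{
    if (sizeof *rec > sizeof eeprom_image) return false;
    memcpy(eeprom_image, rec, sizeof *rec);
    return true;
}
bool blackbox_load(blackbox_record_t *rec)
{
    memcpy(rec, eeprom_image, sizeof *rec);
    return rec->magic == BLACKBOX_MAGIC;
}

/* Constructed sample 1: an unprivileged task on the PSP wrote to kernel RAM. */
blackbox_record_t demo_data_violation(void)
{
    exc_frame_t f = { 0x10000100u, 0, 0, 0, 0, 0x00004A37u, 0x00004B12u, 0x01000000u };
    return decode_memmanage(&f, MMFSR_DACCVIOL | MMFSR_MMARVALID, 0x10000100u,
                            0xFFFFFFFDu /* thread mode, PSP */, 0x3u /* nPRIV, SPSEL */);
}
/* Constructed sample 2: stacking fault; MMFAR is stale and the frame is garbage. */
blackbox_record_t demo_stack_overflow(void)
{
    exc_frame_t f = { 0 };
    return decode_memmanage(&f, MMFSR_MSTKERR, 0xDEADBEEFu, 0xFFFFFFFDu, 0x3u);
}
bool demo_roundtrip(void)
{
    blackbox_record_t in = demo_data_violation(), out;
    return blackbox_store(&in) && blackbox_load(&out) && out.fault_addr == in.fault_addr
        && out.pc == in.pc && out.mmfsr == in.mmfsr && strcmp(out.reason, in.reason) == 0;
}

int main(void)
{
    blackbox_record_t r = demo_data_violation();
    printf("%s at pc=0x%08X addr=0x%08X task=%d unpriv=%d\n", r.reason, r.pc, r.fault_addr,
           r.from_psp, r.unprivileged);
    r = demo_stack_overflow();
    printf("%s frame_valid=%d\n", r.reason, r.frame_valid);
    return 0;
}
```

Two details matter in the real handler: read SCB->MMFAR before clearing the MMFSR bits (they are write-one-to-clear, and MMARVALID is only meaningful while they are set), and treat the frame as untrustworthy when MSTKERR is set, because that bit means the push of the frame itself faulted, which is exactly the stack overflow case the Faulty Task in the tank level study provokes.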
References
[1] John C. Knight, "Safety Critical Systems: Challenges and Directions".
[2] SafeRTOS official site, http://www.highintegritysystems.com/safertos/upgradefrom-freertos-to-safertos/
[3] FreeRTOS official site, http://www.freertos.org
[4] LPCOpen documentation, http://docs.lpcware.com/lpcopen/v1.03/
[5] nxpUSBlib project, http://www.lpcware.com/content/project/nxpusblib
[6] LPCXpresso, http://www.lpcware.com/LPCXpresso
[7] Philips Semiconductors, I2C-bus specification, https://web.archive.org/web/20060702004954/http://www.semiconductors.philips.com/acrobat download/various/I2CBUS.pdf
[8] Linux USB device list, http://www.linux-usb.org/devices.html
[9] Linux Device Drivers, Third Edition, https://lwn.net/Kernel/LDD3/
[10] Open Source For You, http://www.opensourceforu.com/