- Altreonic provides tools and embedded hardware for developing trustworthy and reliable applications.
- Their flagship product is OpenComRTOS, a formally developed real-time operating system that is uniquely small, scalable, and supports heterogeneous targets.
- Altreonic also offers GoedelWorks, an integrated development portal that facilitates a formalized engineering process for safety-critical projects from requirements to deployment.
2. Eonic Systems (1989-2001)
Virtuoso RTOS for parallel DSP, leader in high-end niche
Sold to Wind River Systems in 2001 for 15 mio $
Open License Society (2004 - …)
OpenComRTOS (IWT project)
Innovative no-nonsense and formalised approach
Systems/ software engineering with supporting tools
Breakthrough results thanks to Formal Methods
5 to 10x smaller => efficiency, performance
Sponsored by Melexis, Embedded Software Group
ITEA EVOLVE project
R&D costs valued at 2 mio €
In September 2008, Altreonic was founded as a spin-off of OLS to productise the results and go commercial
Flanders Drive ASIL project (safety engineering methodology)
26-May-11 Altreonic NV – From Deep Space to Deep Sea - 2
3. Altreonic NV
Owned E.Verhulst, A.Dejonghe, Lancelot Research NV
Team (management in Belgium, development in Ukraine since 2005)
Eric Verhulst - Founder CEO/CTO
Annie Dejonghe - Founder CFO/COO
Dr. Bernhard Sputh – Sr. Engineering Manager
Hardware subcontractor in India, Pune
Strategic partner in China, Shanghai
Liaison office in JP.
R&D projects:
EVOLVE: evolutionary/incremental certification/verification
OPENCOSS: certification framework automotive/railway/aerospace
D100LIVES: developing a 100yrs processing device (ARM, ATMEL, NXP, IMEC, …)
Product lines:
OpenComRTOS Designer
Safe Virtual Machine (for C)
StarFish SIL3/4 capable controllers (engineering stage)
GoedelWorks systems engineering platform in beta
5. To provide the embedded market with development environments and with
embedded hardware for generating applications where high-reliability and
trustworthiness are “built-in” into the design as part of the development
process.
Trustworthy =
Safety => dependability / physical quality
Security => freedom from malicious faults/ data theft
Usability => intuitive and pleasant to use /emotional
Privacy => your data is your own
Trustworthy = higher added value
Application domains:
Ultra low power embedded devices
Distributed sensing and control
Many/multicore devices
Parallel supercomputing
Fault tolerant/ safety critical systems
6. Growing need for trustworthy technology:
Electronics + SW replacing mechanical parts
Being “embedded” everywhere: part of our life
Initially mainly driven by safety:
Lives at stake
High economic cost
“drive by wire” (e.g. Flanders Drive ASIL project)
Increasingly shifting to notion of TRUST
Essential question: how to develop trustworthy
products in a cost-efficient way?
7. Support the whole engineering process in a unified
way from early requirements capturing till the final
application giving a “push button high reliability”
experience at a reduced life cycle cost
Apply formalisation to tackle complexity
Apply Formal Methods to prove correctness
=> GoedelWorks integrated development portal
Maximising the commercial potential by applying its own methodology and tools for developing trustworthy controllers in volume.
=> OpenComRTOS: trusted runtime layer
=> StarFish: Altreonic’s customizable controllers
9. Formalisation
to deeply understand the problem domain
to find better, leaner and cleaner solutions
to find better architectures
to improve reuse
to get it right the first time
Our methods:
Unified semantics
Speak the same language from early requirements capturing till final
product / system is put to use
Interacting Entities
A common, yet very scalable and modular architectural model
10. [Chart: base cost and cost of change (0 to 300 scale) for a traditional bottom-up process versus a formalised engineering process]
First time right = less residual errors = higher reliability = less costs
Testing will only demonstrate absence of certain errors. Formal verification can prove absence of any errors.
12. [Diagram: ASIL process flow over Phase 1 to Phase 4; the cost of issues grows from + at the start to ++++++++++ at the end of the flow]
Process activities: System Requirements Capturing, System Specifications Capturing, System Architecting, System Development, System Integration, System Validation, Maintenance
Safety and supporting activities: FMEA, FTEA, Safety Specs, Packaging Specs, Hardware Specs
Engineering activities: System and Software Safety Requirements Analysis, System Architectural Specifications, Software Architecture Design, Software Implementation, System Integration Verification and Test, System Validation, System Maintenance
Work products: System Requirements, System Specifications, System Architecture (normal case, test cases, fault cases), Domain Specific Specifications, Domain Specific Architectural Design, Domain Specific Beta Design, Released Code, Released Source Code and Distribution, Test Cases, Test procedures, Test Results, System Validation Results, User manual, System Updates
ASIL process flow identified 2800 process requirements!
13. Is an integrated set of tools, facilitating the
development of high-reliability and safety critical
products and systems. Integration is key in achieving
reliability and trustworthiness
OpenComRTOS Designer suite of tools:
OpenComRTOS: unique network-centric formally developed Real Time Operating
System, 5 KB(!), unique heterogeneous support – write code once, run anywhere –
scalable.
Open VE, a visual programming and development environment for developing and
simulating real-time embedded applications
OpenCookbook is a web-hosted environment supporting the systems engineering
process flow (proof of concept)
Tools: OpenTracer, OpenSystemInspector, Safe Virtual Machine
Being integrated in the GoedelWorks SaaS portal.
OpenComRTOS was one of the three nominees for the:
StarFish
Scalable, customizable, fault-tolerance capable
controllers supported by OpenComRTOS suite
14. MARKET | Segment | Enabler | Challenges
Ultra low power | hearing aids; building control; sensors | OCR small code; OCR low overhead | Hardware driven market, role of SW not well understood
Distributed control | smart machines; robotic machines; sensing networks | OCR network heterogeneous support | Inertia from legacy solutions
Fault tolerant systems | process control; infrastructure; e-vehicles; medical | OCR formal dev; OCR triplication; GoedelWorks; StarFish | Inertia from legacy solutions
Multicore/manycore devices | handheld devices; set-up boxes | OCR easy to support | Hardware driven
Parallel computing | scientific computing; image processing | Intel SCC | Niche
• Embedded Systems and Control (src EU):
• Market Size: ~ €188 000 mio with av. growth of 8% until 2020
15. Covering full value-chain from requirement to hardware to maximise added value and certifiability
[Diagram: OpenCookbook Systems Grammar (10.11.2009) as implemented in GoedelWorks. Entity types: Model(s), Methodology, Requirements, Specifications (normal case, functional, non-functional, failure case), Standards, Guidelines, Statements, Questions, Hints, Answers, Checkpoints, Test cases, Formal and Architectural Simulation, Formal Implementation, Design Views (Entity, SubSystem, Interaction, Function, Interface), Process Views (Method, Procedure, Tool, Role, WorkPackage, Development/Validation/Verification/Test Tasks with PreConditions and Results, Issues, ChangeRequest, Release, Use Cases, Install, Write-Up), with approval states such as Spec Approved, Work Approved, WP completed, Dev Task Approved, Verif Task Approved. Tools: OpenVE, OpenComRTOS suite, StarFish, Safe Virtual Machine, OpenTracer]
16. Formalised systems engineering portal for project
support
Awareness of safety engineering standards
IEC 61508, IEC 62061, ISO DIS 26262, ISO 13849, ISO DIS
25119 and ISO 15998
Organisation specific
Supports all process activities with full traceability
Based on previous OpenCookBook experience
SaaS: no license, but time based
Additional licenses:
Encryption of data
Local hosting (via Open Technology License)
17. GoedelWorks’ architecture is competitive advantage:
Metamodels allow fast customisation
System is “compiled” from specifications
Allows semi-automatic certification
User is guided through complexity of systems
engineering process, and project becomes a lot easier
to manage and to certify
Project portal = up-to-date database
Plug-ins and an API for third party tools and technology
Imports Flanders’ Drive ASIL methodology, among others
2 years of dissecting standards => 3800 requirements, 100 Work Products
22. Formalised but straightforward approach
Full integration of tools from requirements to final
applications is unique
OpenComRTOS is a unique programming system, a
unique network-centric RTOS, quasi-universal
Formally developed and verified
Scalable yet very small: typically 2 to 5 kiB/node
Real-time communication support
Heterogeneous target support
OpenComRTOS nominated for embedded award
Capable of fault-tolerance (at affordable cost)
24. Result of formal modeling (TLA+)
Events, semaphores, FIFOs, Ports, resources, mailbox, memory
pools, etc. are all variants of a generic HUB
A HUB has 4 functional parts:
Synchronisation point between Tasks
Stores task’s waiting state if needed
Predicate function: defines synchronisation conditions and lifts waiting
state of tasks
Synchronisation function: functional behavior after synchronisation: can
be anything, including passing data
All HUBs operate system-wide, but transparently:
Virtual Single Processor programming model
Possibility to create application specific hubs & services!
=> a new concurrent programming model
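The four functional parts of the HUB listed above, modelled as an added C example (not Altreonic's OpenComRTOS code): a semaphore and a FIFO are the same hub with different predicate and action functions, and an application-specific hub is just another triple. The single-core, task-id-based model, the hub_t struct and the hub_get/hub_put functions are assumptions made for this illustration.

```c
/* Simplified, single-core, non-preemptive model of the generic HUB (added
 * example, not Altreonic code). Task ids stand in for real task contexts. */
#define MAXWAIT 4

typedef struct hub hub_t;
struct hub {
    int count;                          /* semaphore variant: signals available */
    int fifo[MAXWAIT], fifo_len;        /* FIFO variant: buffered data */
    int waiters[MAXWAIT], nwaiters;     /* waiting list: tasks blocked in get() */
    int  (*predicate)(const hub_t *);   /* may a get() synchronise now? */
    void (*put_action)(hub_t *, int);   /* state update performed by put() */
    int  (*sync_action)(hub_t *);       /* behaviour once synchronised */
};
/* Semaphore: predicate is "count > 0"; synchronising consumes one signal. */
static int  sem_pred(const hub_t *h) { return h->count > 0; }
static void sem_put(hub_t *h, int v) { (void)v; h->count++; }
static int  sem_sync(hub_t *h)       { h->count--; return 0; }

/* FIFO: predicate is "data buffered"; synchronising passes the oldest item. */
static int  fifo_pred(const hub_t *h) { return h->fifo_len > 0; }
static void fifo_put(hub_t *h, int v) { if (h->fifo_len < MAXWAIT) h->fifo[h->fifo_len++] = v; }
static int  fifo_sync(hub_t *h) {
    int v = h->fifo[0];
    for (int i = 1; i < h->fifo_len; i++) h->fifo[i - 1] = h->fifo[i];
    h->fifo_len--;
    return v;
}

/* An application-specific hub is just another predicate/action triple. */
hub_t hub_semaphore(void) {
    hub_t h = {0}; h.predicate = sem_pred; h.put_action = sem_put; h.sync_action = sem_sync; return h;
}
hub_t hub_fifo(void) {
    hub_t h = {0}; h.predicate = fifo_pred; h.put_action = fifo_put; h.sync_action = fifo_sync; return h;
}

/* get(): synchronise at once if the predicate holds, otherwise store the
 * task's waiting state. Returns 1 on synchronisation (*out set), 0 if blocked. */
int hub_get(hub_t *h, int task_id, int *out) {
    if (h->predicate(h)) { *out = h->sync_action(h); return 1; }
    if (h->nwaiters < MAXWAIT) h->waiters[h->nwaiters++] = task_id;
    return 0;
}

/* put(): apply the put action, then lift the oldest waiter if the predicate
 * now holds. Returns the released task id (*out set) or -1 if none released. */
int hub_put(hub_t *h, int value, int *out) {
    h->put_action(h, value);
    if (h->nwaiters == 0 || !h->predicate(h)) return -1;
    int task = h->waiters[0];
    for (int i = 1; i < h->nwaiters; i++) h->waiters[i - 1] = h->waiters[i];
    h->nwaiters--;
    *out = h->sync_action(h);
    return task;
}
```

Here the predicate decides when a waiting task is lifted and the synchronisation action decides what happens then (consuming a signal, or passing data); the real RTOS adds priorities, thresholds and network-transparent routing on top of the same shape.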
25. The generic hub as metamodel
[Diagram: Generic Hub (N-N) with waiting lists (W/L/T), a synchronising predicate and a synchronisation action, plus a threshold; variant-specific state: a buffer list when data needs to be buffered, ceiling priority / priority inheritance and an owner task for resources, a count for semaphores]
Similar to Guarded Actions or a pragmatic superset of CSP
27. • Up to 10x smaller than traditional design (thanks to formal development)
• Less power, less memory, easier to verify, scalable ...
CPU Type        Codesize
ARM-Cortex-M3   2.5 – 4.0 kB
XMOS-XS1        5.0 – 7.5 kB
PowerPC e600    7.1 – 9.8 kB
TI-C66x (DSP)   5.1 – 7.7 kB
Code size figures (in Bytes) obtained for our different ports, -Os
Dormant ports: MLX16 (2K), Xilinx MB (5K), Leon3 (5K), CoolFlux DSP (2K)
28. Ultra low power:
CoolFlux DSP core (24bit, Harvard)
Code size full kernel: 2000w PM + 750w data
Interrupt latency:
IRQ to ISR: < 112 cycles
IRQ to task: < 877 cycles
Multicore capable
Single chip multicore
Intel SCC 48-core “super computer on chip + NoC switch” (in development)
Heterogeneous networked targets:
Win32+Linux+ARM+MicroBlaze+XMOS+LEON3+ … demo
programmed as single target
29. Ultra low power:
SoC, 2K instructions on CoolFlux DSP of NXP
E.g. hearing aids
Sensor and actuator networks
Small code size
Power saving modes, wake up by interrupt
System wide routing
Distributed control
Network support is built in
Easy to integrate redundancy
Easy to distribute control and I/O
No more binding glue, no more middleware layers
Parallel “supercomputing”
Parallel heterogeneous DSP networks
PPC and TI C66XX DSP multicore, multi-chip, multi-board, …
30. Goal:
CPU independent programming
Low memory needs (embedded!)
Mobile, dynamic code => “embedded apps”
Allows reuse of legacy binary code on any processor
Results:
Selected ARM Thumb1 instruction set as VM target
Compactness
Widely used CPU
< 3 Kbytes of code for VM
Executes binary compiled code
Capable of native execution on ARM targets
VM enhanced with safety support (option):
Memory violations
Stack violations
Numerical exceptions
32. GoedelWorks: structured team work over the internet
33. [Block diagram (third party tools): Phase Detector, Low Pass Filter and Voltage Control Oscillator in a loop; inputs sin(α) and cos(α), gains K1 and K2, integrators 1/s, outputs speed and angle]
Simulating the algorithm on a PC doesn’t cost much, but allows the issues to be found early on
34. After simulation and model checking, select the application architecture and start development (OpenVE)
35. • Networked control modules do the real work.
• Added value from high reliability and high performance algorithms
• Fault tolerance is a configuration option
Altreonic Inside
36. OpenVE: How are processors connected?
37. OpenVE: How is the application structured?
38. The more code is generated, the fewer programming errors are made (OpenVE)
39. Verification and testing is needed to confirm the work was well done (OpenTracer)
40. From idea to prototype in a seamlessly
integrated and controlled process
42. OpenComRTOS supports heterogeneous
networked and many-core processor systems:
Remapping tasks or RTOS entities requires no
source code changes
Timings will differ but the application logic remains the same
Meta-models hide complexity for user
43. Key characteristics:
Scalable performance
High Reliability (SIL3)
Fault Tolerance (SIL4)
Target market: Robotics, Automotive, Transport, Aerospace, Machine Control.
Altreonic powered: OpenComRTOS Designer suite
(Status: engineering systems Q4)
44. Key characteristics
Allows full access
Fully closed enclosure (IP64 or higher)
Power consumption rated at 7.5 W when using all quadrants @ > 3200 Mips
Application specific mezzanines
Production version will be compact and stacked, or use one quadrant as unit
45. Key characteristics :
High Reliability (SIL3) → Fault Tolerance (SIL4)
All-in:
Traction
Braking
Anti-slip
Stability control
Active suspension
Exploits transparent distributed operation of OpenComRTOS
Own controllers and e-motor in development
Software and Hardware redundancy enables fault-tolerant controllers in 1-, 2-, 3-, 4-, n-wheel platforms
=> StarFish was designed with such topology in mind
46. • Central control moves towards distributed control
• Robot has 42 “feet” = 42 controllers + central
• Original design: 7000 euro hardware
• Our proposal: < 1000 euro + connection to PC and operator console
47. Innovative no-risk open licensing scheme as well as
binary and source code licenses. No runtime royalties.
Binary (only free targets like Win32)
Single seat/single site
Source code
+ Kernel source code and build system
Open Technology license
Formal models, design doc, all source code, test suites,
porting guide, … of RTOS + code gens + GUI tools
Right to generate extra binary licenses
Small royalty
For all Software and all Hardware products
Maintenance/support: 20%/yr/license
48. We need hardware that executes (software)
specifications
Full system engineering flow support
Enables high-reliability/safety
OpenComRTOS project has proven that a universal
concurrent programming paradigm works:
Very small code size, yet very scalable
Heterogeneous for CPU and communication media
Largely thanks to formal(ised) development
www.altreonic.com
Eric.Verhulst @ altreonic.com