I. Kristina Lundqvist  
Assistant Professor
Research

Software acts as a universal integrator across multiple subsystems to provide multi-mission capability in modern aerospace platforms. The development of this integrating software occurs late in the larger systems development lifecycle. This mismatch between the development and sustainment of the software and that of the larger aerospace system is one of the largest challenges we face today. My research focuses on addressing that challenge through the development of frameworks, processes and tools that enable rapid design, development and sustainment of mission-critical real-time embedded systems. The research methodology involves collaborative partnerships across industry, government and academia to successfully transfer new knowledge. These partnerships involve concurrent industry-staffed R&D projects, jointly working on live projects, or a combination of the two.

Current Projects

Past Projects

  • RTOS for the Next Generation Safety Architecture
    Funding: Ford-MIT Alliance
  • Non-Intrusive Monitoring using SoC approaches
    Funding: Draper Laboratories

The Gurkh Framework

The classical approach to mission-critical embedded system development has been to select a proven hardware platform and use software as the means of providing the necessary system capability. A predetermined hardware platform constrains the set of possible system designs, as the partitioning of capability between hardware and software components has already been made. Also, the evolution of system capabilities is limited to the capabilities of the selected hardware. Hardware/software co-design techniques provide a means of rethinking the classical approach by delaying the partitioning of functionality between hardware and software as late as possible in the design cycle. The Gurkh project was started as a means of providing a tool-supported framework for the design, development and sustainment of mission-critical embedded systems. The project has evolved into a framework that contains a set of tools that can be applied at both the design and validation phases of the system lifecycle. The process of using the Gurkh framework can provide additional insight into rethinking traditional system development processes.

Hi-Five: Holistic Framework for the Verification and Validation for High-Integrity Embedded Systems

Mission-critical embedded systems have to be shown to be "adequately" dependable prior to their use in achieving a mission. The traditional approaches used to achieve the requisite levels of dependability rely on some mix of human-intensive inspection approaches and exhaustive testing. In order to achieve efficient system development, we use standardized development approaches that phase each of the development activities as a means of reducing the uncertainties present in any human-intensive process. We need to address three areas in the verification and validation process: specification development, formal method integration and automated test case generation. Specifications serve the dual purpose of communicating critical information to both system developers and testers, and act as a means of checking conformance. Formal methods provide a rigorous, repeatable means of carrying out system verification and validation. Automated test case generation provides a means of eliminating the human error that is often introduced during the manual test case generation and execution process.

Hi-Five is a three-phase project aimed at providing a holistic framework for the verification and validation of high-integrity embedded systems. Phase I of Hi-Five focused on the integration of specification approaches and formal methods by extending the abstract state machine formalism to include time. In Phase II, we target automated test case generation from the extended formalism developed in Phase I. Phase III will address the issues of integration and regression testing.

Knowledge Transfer across Industry Boundaries

The increased use of software to perform safety-critical functions in automotive systems has led to a consistent call for standardization of development approaches, as well as for certification of the developed system. Architecturally speaking, it is becoming increasingly hard to distinguish between aerospace systems and automotive systems, as the embedded components perform similar functions. The difference between these two classes of systems arises in terms of the product lifecycle and the development cycle time. The shorter development cycle time associated with automotive systems requires the use of innovative development and certification approaches while retaining the integrity of the end product. The knowledge present in the certification of aerospace systems needs to be transferred across to the automotive industry. This transfer across industry boundaries makes for a very interesting area of study from both the process and policy standpoints.

RTOS for the Next Generation Safety Architecture

The most widely used paradigm for mission-critical software design is the cyclic executive (CE) approach, where the execution of several processes on the CPU is explicitly and statically interleaved. This leads to a deterministic system from the ground up, but creates growth inflexibility in that the slightest modification of the system often requires a complete redesign of the predetermined schedule. Generating such a schedule is known to be an NP-hard problem, and does not scale effectively as the number of tasks increases.

Regular software-based operating systems share the microprocessor with application tasks. They not only affect the timing behavior of the system, they also consume valuable processor resources. We take a radically different approach by implementing a minimal run-time kernel called RavenHaRT. RavenHaRT makes use of priority-based preemptive scheduling techniques to manage the execution of the different concurrent processes. There is therefore no need to pre-generate a fixed schedule, as RavenHaRT controls which process is allowed to run at any given time. An important advantage of such a method is that minor design changes result in small implementation modifications, which is not the case for cyclic executive approaches.
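The contrast between a pre-generated cyclic schedule and priority-based preemption is easier to see in a small model. The following Python code is an added illustration written for this page; it is not RavenHaRT and not code from the project. It simulates a fixed-priority preemptive scheduler tick by tick, and uses standard response-time analysis as the admission check for a new task. The task set, the tick units and the rate-monotonic priority assignment (shorter period, higher priority) are constructed assumptions; the deadline of each task is taken to equal its period. The point it shows is the one the paragraph makes: adding a task costs an analysis step, not a rebuilt schedule table.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Task:
    name: str
    period: int    # release period in ticks; deadline assumed equal to the period
    wcet: int      # worst-case execution time in ticks
    priority: int  # lower number = higher priority (rate-monotonic order assumed)


def response_time(task, tasks):
    """Worst-case response time of `task` under fixed-priority preemption,
    by standard response-time analysis. Returns None if the task can miss its deadline."""
    higher = [t for t in tasks if t.priority < task.priority]
    r = task.wcet
    while True:
        # Every higher-priority job released inside the window [0, r) may interfere.
        interference = sum(math.ceil(r / t.period) * t.wcet for t in higher)
        r_next = task.wcet + interference
        if r_next > task.period:
            return None          # window grows past the deadline: unschedulable
        if r_next == r:
            return r             # fixed point reached
        r = r_next


def simulate(tasks, horizon):
    """Tick-by-tick run of a priority-based preemptive scheduler.
    Returns (trace, max_response, overruns): the task that ran in each tick, the largest
    observed response time per task, and jobs still unfinished at their next release."""
    remaining = {t.name: 0 for t in tasks}
    released = {t.name: 0 for t in tasks}
    max_response = {t.name: 0 for t in tasks}
    overruns, trace = [], []
    for tick in range(horizon):
        for t in tasks:
            if tick % t.period == 0:            # periodic release
                if remaining[t.name] > 0:       # previous job unfinished: deadline miss
                    overruns.append((t.name, tick))
                remaining[t.name] = t.wcet
                released[t.name] = tick
        ready = [t for t in tasks if remaining[t.name] > 0]
        if not ready:
            trace.append(None)                  # idle tick
            continue
        # The kernel decides at run time: the highest-priority ready task preempts the rest.
        running = min(ready, key=lambda t: t.priority)
        remaining[running.name] -= 1
        trace.append(running.name)
        if remaining[running.name] == 0:
            finished = tick + 1 - released[running.name]
            max_response[running.name] = max(max_response[running.name], finished)
    return trace, max_response, overruns


def add_task(tasks, new):
    """Admit `new` only if every task, the new one included, still meets its deadline.
    Under fixed priorities this analysis is all an extra task costs; no table is regenerated."""
    candidate = tasks + [new]
    if all(response_time(t, candidate) is not None for t in candidate):
        return candidate
    return None


# Constructed task set (not from the page): periods 4, 6, 12 ticks, utilization ~0.83.
BASE = [Task("A", 4, 1, 1), Task("B", 6, 2, 2), Task("C", 12, 3, 3)]

if __name__ == "__main__":
    trace, resp, overruns = simulate(BASE, 24)
    print("one hyperperiod:", trace[:12])
    print("max response:", resp, "overruns:", overruns)
    grown = add_task(BASE, Task("D", 12, 1, 4))
    print("D admitted:", grown is not None)
    print("E admitted:", add_task(BASE, Task("E", 4, 2, 5)) is not None)
```

A cyclic executive for the same set would need a hand- or tool-built table covering the 12-tick hyperperiod, and that table would have to be rebuilt when task D is added; here D is admitted by a single response-time computation and the running scheduler absorbs it.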

Non-Intrusive Monitoring using SoC approaches

As the complexity of embedded systems grows, proper engineering techniques are crucial to provide the high levels of assurance of resilience and reliability necessary to ensure public safety. Mission-critical systems, such as those used by NASA for the avionics systems on the space shuttle, usually use triple or quadruple redundancy. Such a solution, however, may not be economically viable for a mass-produced product, such as an automobile. It is therefore important to explore new paradigms for fault detection and resilience that still provide sufficient safety while not being overly cumbersome.

We leveraged system-on-chip approaches to implement a Monitoring Chip (MC) that provides non-intrusive error detection. Such a hardware monitoring scheme has the advantages of being active concurrently with, and functionally decoupled from, the monitored task. A formal model of the application software acts as the basis on which the MC monitors the execution behavior of the system. It listens to the calls that the application makes to the RavenHaRT kernel, and retains timing information about the execution behavior of the different tasks. When the timing bounds are violated, the MC alerts the system and enables it to transition into a predictable failure mode.
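The monitoring idea above can be shown in software as an added example (written for this page; it is not the Monitoring Chip's design or any code from the project). A monitor consumes a trace of kernel calls observed on the bus, keeps per-task timing state, and checks each event against a formal model made of two parts: the allowed state transitions of a task and a per-task worst-case execution time and deadline. The call names (activate, dispatch, preempt, complete), the task names, the timing model and the trace are all constructed assumptions; timestamps are in microseconds. Because the monitor only reads the trace, the monitored application is unaffected, which is the non-intrusive property the paragraph describes.

```python
from dataclasses import dataclass

# Constructed timing model (assumption, not from the page):
# task -> (worst-case execution time, relative deadline), both in microseconds.
MODEL = {"sensor": (200, 1000), "control": (400, 2000)}

# Allowed task state transitions, keyed by the kernel call that causes them.
TRANSITIONS = {
    "activate": ("idle", "ready"),
    "dispatch": ("ready", "running"),
    "preempt":  ("running", "ready"),
    "complete": ("running", "idle"),
}


@dataclass
class TaskState:
    state: str = "idle"
    released_at: int = 0   # timestamp of the current job's activation
    started_at: int = 0    # timestamp of the current execution slice's dispatch
    executed: int = 0      # CPU time consumed by the current job so far


def monitor(trace, model=MODEL):
    """Check a trace of (timestamp, kernel_call, task) events against the model.
    Returns a list of (timestamp, task, reason) alerts; an empty list means no violation."""
    states = {name: TaskState() for name in model}
    alerts = []
    for ts, call, task in trace:
        st = states.get(task)
        if st is None or call not in TRANSITIONS:
            alerts.append((ts, task, f"unmodelled call {call!r}"))
            continue
        src, dst = TRANSITIONS[call]
        if st.state != src:
            # The application did something the formal model does not allow.
            alerts.append((ts, task, f"{call} in state {st.state}"))
            continue
        wcet, deadline = model[task]
        if call == "activate":
            st.released_at, st.executed = ts, 0
        elif call == "dispatch":
            st.started_at = ts
        else:
            # preempt or complete closes the current execution slice; budget is
            # checked at every slice end so an overrun is caught before the job finishes.
            st.executed += ts - st.started_at
            if st.executed > wcet:
                alerts.append((ts, task, f"execution {st.executed} > WCET {wcet}"))
            if call == "complete" and ts - st.released_at > deadline:
                alerts.append((ts, task, f"response {ts - st.released_at} > deadline {deadline}"))
        st.state = dst
    return alerts


# Constructed trace of kernel calls (not a real capture): the control task overruns
# its budget, which pushes the sensor task over its own, and a stray call appears at the end.
TRACE = [
    (0,    "activate", "sensor"),
    (0,    "activate", "control"),
    (10,   "dispatch", "sensor"),
    (180,  "complete", "sensor"),    # 170 us executed, 180 us response: within bounds
    (180,  "dispatch", "control"),
    (1000, "activate", "sensor"),
    (1000, "preempt",  "control"),   # 820 us executed: exceeds WCET 400
    (1000, "dispatch", "sensor"),
    (1250, "complete", "sensor"),    # 250 us executed: exceeds WCET 200
    (1250, "dispatch", "control"),
    (2300, "complete", "control"),   # budget and deadline both violated
    (2400, "complete", "sensor"),    # sensor is idle: transition not in the model
]

if __name__ == "__main__":
    for alert in monitor(TRACE):
        print(alert)
```

Each alert is the point at which a real MC would signal the system to enter its failure mode; checking the budget at preemption time, not only at completion, is what lets a runaway task be caught while there is still time to react.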