Considering your company’s area of activity, what was your motivation to participate in H2020 project ADMORPH?

Thales Nederland B.V. has been involved in the development of surveillance systems, both for civil and military purposes, since the early days of radar technology. This gives the company the know-how to build all kinds of surveillance systems, ranging from short-range 2D radars to long-range 3D radar systems from which stealthy targets cannot hide, and sophisticated multifunction radars using active phased array. Apart from radar systems, Thales Nederland B.V. also manufactures passive infrared surveillance systems, meant for radar silent operations.

These systems provide crucial situational awareness for command and control decisions, which can have far reaching impact on the vehicles carrying the surveillance systems, their crew and their surroundings. Because of this, the data on which these decisions are made needs to be highly accurate and reliable. To achieve this the surveillance systems have to be able to rely on trustworthy and robust real-time data processing. This requirement combined with the promise of the ADMORPH approach to achieve fault tolerance sparked our interest to participate in this project.

The ADMORPH project foresees the following three use cases: autonomous aerospace systems, radar surveillance systems and subway transportation systems. Can you explain in more detail the use case that you contributed to the project or in which you are more involved? Which challenges does it raise?

Figure 1: Example of a modern phased array radar system

The radar surveillance systems use case provides a laboratory set-up of a highly simplified radar processing chain running on a realistic processing platform, utilizing lightweight container virtualization in combination with an orchestration framework, where software updates are automatically identified and installed in a secure way using an update framework. In this use case, our primary interest is the coordination language to specify adaptive systems alongside adaptive runtimes. This approach ensures formal guarantees and facilitates comprehensive testing of the processing chain and the runtime system itself.

The challenge in this use case is to see if the ADMORPH approach can be applied to an application which’ components run distributed on an embedded networked multi-node system, instead of on multiple cores on an embedded system on chip (SOC).

The project started just before the COVID-19 pandemic and is now nearing completion. How do you feel the pandemic affected the project development (if at all)?

At the beginning of the project, the pandemic mainly hindered effective exchange of information between project partners, which was solved by using online collaboration tools. However, these forms of communication do not completely replace face-to-face communication.

Another area in which we were affected was when we needed to ramp up the size of the team to implement the demonstrator of the use case. Due to the restrictions on being allowed to meet each other it was more difficult to hire staff for the project, and once hired, introducing them to the way of work and the contents of the project was less effective than expected because all processes regarding information transfer were still oriented towards face-to-face transfer and had to be adapted to online means of communication on the spot. This took both extra time and proved to be less effective than the existing means.

Despite being less effective, it surprised us in a positive way how much still could be achieved using online tools, once they were properly in place. Working with techniques like this, while not completely replacing face-to-face information exchange, can certainly be a valuable addition to collaborating teams, especially once the project members are familiarized with each other.

As the project comes to an end, how would you describe the state of integration of ADMORPH technologies in the use case you are working on?

The level of integration with the AMDORPH architecture is a good fit. We recognize the same levels for control, monitoring and adaptation, and the update framework that has been selected and instantiated as part of the ADMORPH runtime system has been integrated successfully in the demonstrator. The level of integration with the actual ADMORPH technologies is low, as was to be expected: the main set of ADMORPH technologies, despite being very interesting, were either outside the scope of our use case or were developed for systems characterized by utilizing embedded multi-core SOCs, so in that context we did not expect a direct match for our system of multiple networked nodes.

The primary ADMORPH technology of interest for our use case, the coordination language, appeared to be less of a match than expected. This was not due to differences in the runtime environment, distributing components over multiple cores appeared to be similar enough when compared to distributing them over multiple nodes, nor a lack of features in the coordination language, but more to the assumption about the nature of the components that comprise the application. Where the coordination language has been designed for components utilizing stream based communication, the radar processing chain is built on components that are communicating state machines, invaliding formal guarantees that come with stream based processing.

Looking ahead, which of the ADMORPH results you see with more potential for exploitation? Do you plan to exploit any of them?

Even though the coordination language in its current form cannot be applied directly to model an application consisting of communicating state machines like the radar processing chain application, there are certainly some aspects that are interesting for further exploration within the context of our use case. Having non-functional aspects, like latency requirements, security levels or even multiple implementations of a single component, as part of the design model is something we already have identified as something we might need and the ADMORPH approach could certainly be used as inspiration of how to apply this in our own development environment. Especially the elegant solution to model the state of a component as part of the design, thus enabling relocation with retention of state, is something we will probably look in to.

Lukas Miedema, researcher at the University of Amsterdam, presented a poster about his work at ICT OPEN, which took place in Utrecht, Netherlands, on April 19-20, 2023. The presented work, focusing on the Weakly-Hard real-time applications, provides scheduling algorithm that lead to a reduced and minimized application fault rate. The picture shows Lukas and his poster in a preparation session.

Three ADMORPH-related papers were accepted at the WiP track of the 27th Ada-Europe International Conference on Reliable Software Technologies (AEiC 2023). The conference will be in Lisbon, Portugal, from June 13-16, and hence ADMORPH will be well represented. The accepted papers are the following.

The paper entitled “Software-based Security Approach for Networked Embedded Devices”, authored by José Ferreira, Alan Oliveira, André Souto and José Cecílio, from FCUL, addresses intrusion protection, detection and tolerance for safety-critical CPS(oS), providing robustness against cyber-attacks. It presents software-based protection and encryption mechanisms explicitly designed for embedded devices. The proposed architecture is designed to work with low-cost, low-end devices without requiring the usual changes on the underlying hardware. It protects against hardware attacks and supports runtime updates, enabling devices to write data in protected memory.

The second paper, entitled “Cooperative Autonomous Driving in Simulation”, is authored by Gonçalo Costa, José Cecílio and António Casimiro, also from FCUL, and describes ongoing work on the definition, implementation and testing of an architecture for a simulation environment where cooperative autonomous driving protocols can be tested. The goal is to facilitate the testing of distributed protocols for vehicular coordination in realistic autonomous driving scenarios, namely concerning aspects of timeliness, robustness to faults and safety.

Last but not the least, the paper entitled “Achieving Crash Fault Tolerance In Autonomous Vehicle Autopilot Software Stacks Through Safety-Critical Module Rejuvenation”, authored by Federico Lucchetti from the University of Luxembourg, proposes a crash-fault tolerant scheme that enables an autopilot system experiencing a crash failure of one of its sub-modules to execute an emergency trajectory to a safe spot where the autopilot can be rejuvenated.

For three days at the end of February, researchers of two academic partners of the project met at Science Park in Amsterdam. Dolly Sapra and Lukas Miedema from the Parallel Computing Systems group of the University of Amsterdam, and Florian Haas from the Embedded Systems group of the University of Augsburg joined to connect their tools together:

• The Cecile Coordination Compiler
• The Design Space Exploration
• The scheduling and timing analysis tool Faktum
• The Artie Runtime.

These had been developed within the ADMORPH project and span across multiple work packages. With the project approaching its final months, the three researchers pursued their objective of delivering a live demonstration of the interaction of their tools, which represent all the layers in the software stack of the project. Collaboratively pointing at diagrams helped to identify obstacles in the integration, which were dismantled successfully. An application specification provided by Qmedia can now be compiled into the exchange format used throughout the project, and fed to the design space exploration for elaborating the best hardware platform that enables a fault-tolerant real-time execution of the application. The scheduling framework then finds suitable schedules for redundant execution, which are executed by the runtime system. At the end, the graduate student and the both postdocs enjoyed the blinken lights of the demonstrator.

ADMORPH was present at HiPEAC 2023, from January 16 to 18, in Toulouse (France).

On the first day, António Casimiro participated in the MCS: International Workshop on Mixed Critical Systems – Safe and Secure Intelligent CPS and the development cycle in which he briefly presented ADMORPH and some ADMORPH work on the solutions for resilient control.

On the third day of the event we organised the WASOS: Workshop on Adaptive CPSoS, bringing together representatives from several projects in the ICT-01-2019 topic (AMPERE, Adeptness, TEACHING, UP2DATE, SELENE, CPSoSAWARE and ADMORPH), and also a representative of the COSMOS project (ICT-50-2020).

Three posters were also displayed at HiPEAC, a generic one in Collins Aerospace (ADMORPH partner) booth, and two other, featuring the Railway System use case and the Naval use case, in the conference locations dedicated to project posters.

We take this opportunity to thank colleagues from the EU Projects mentioned above, who participated in the WASOS workshop.

Considering your company’s area of activity, what was your motivation to participate in H2020 project ADMORPH?
QMA focuses on developing technology and security management systems in the Railway segment, including Metro. The railway is an extensive system with variable topology, and the control system must adequately respond to all changes that could affect the availability or quality of the services provided. We are therefore looking for technologies, tools and procedures that would enable the adaptation of the control system to influences that cannot be predicted during the system development phase. An example of such an influence is threats from cyberspace.

The ADMORPH project foresees the following three use cases: autonomous aerospace systems, radar surveillance systems and subway transportation systems. Can you explain in more detail the use case that you contributed to the project or in which you are more involved? Which challenges does it raise?
In the project, we apply ADMORPH tools to the control and supervision system, which is a superstructure on top of the track and train systems for the safe movement of trains.

For operation on the metro route to run smoothly, it is necessary for the supervision and control system to continuously receive relevant information about the status of the individual parts of the system that are in the stations and on the trains. If the flow of information is disrupted, the affected part or the entire system goes into a safe state. A safe state means reducing traffic or even stopping it. Therefore, such a situation needs to be prevented or its effects minimized.

In the UseCase, we use ADMORH tools to create a system that, after identifying a threat to the quality of services provided, reconfigures the system to a state that ensures the continuity of service provision. At the same time, it will transmit information about the situation to the centre responsible for the system’s operation. After receiving the patch, the system can perform ourselves update without downtime.

The requirement for robustness, safety and the ability to adapt to new situations during the system’s operation was essential.

The project started just before the COVID-19 pandemic and is now nearing completion. How do you feel the pandemic affected the project development (if at all)?
The pandemic initially affected our ability to communicate F2F experiences and knowledge with project partners, but we managed to eliminate this with tools for team collaboration. What we could not eliminate, however, was the limited possibility of disseminating our own outputs to the segment in which we operate. Our cooperation with the metro operator was affected by the COV-19 restrictions, and we failed to prepare the environment for the operational verification of the developed platform on the metro train.

As the project comes to an end, how would you describe the state of integration of ADMORPH technologies in the use case you are working on?
We have managed to integrate technologies that are important for us in terms of future use. For example, in the UseCase, we have verified them to the extent that it will be possible to perform operational verification in a real environment. Although it won’t be directly on the train, the involvement in cyberspace will undoubtedly provide enough opportunities to verify the concept.

Looking ahead, which of the ADMORPH results you see with more potential for exploitation? Do you plan to exploit any of them?
In the project, we managed to integrate the CECILE toolchain with the PikeOS hypervisor and create a platform for control and surveillance systems used in an environment with an increased risk of cyber attacks. Furthermore, the tools and procedures we apply will enable quick adaptation of the system to identified vulnerability threats, which is one of the basic requirements of patch management control systems.
Although operational deployment still requires a lot of effort, especially in certification to railway and security standards, the platform we have designed is robust and flexible enough to meet current and future security requirements.

Christoph Kuehbacher from the University of Augsburg has defended his PhD thesis entitled Analyzable Dataflow Executions With Adaptive Redundancy.

In his thesis, he has developed a runtime environment (RTE) for the fault-tolerant execution of dataflow applications modelled as directed acyclic graphs. The RTE is able to adaptively select an appropriate level of redundancy and runs on various multi- and manycore architectures. The tasks of such applications are then scheduled regarding their dependencies, the required levels of redundancy, and the specified deadline of the application. The work was developed in the scope of the ADMORPH project, more specifically as part of the activities on Work Package 2 (Task 2.3) and Work Package 3 (Task 3.3).

Lukas Miedema and Clemens Grelck had their paper entitled “Strategy Switching: Smart Fault-Tolerance for Weakly-Hard Resource-Constrained Real-Time Applications” accepted at the International Conference on Software Engineering and Formal Methods (SEFM). The paper is also available within the conference proceedings.

The paper proposes a new approach for applying fault-tolerance, named strategy switching, to deal with single event upsets (SEUs) on Commercial off The Shelf (COTS) hardware. Strategy switching minimizes the effective unmitigated fault-rate by switching which tasks are to be run under a fault-tolerance scheme at runtime.