GeminiX

GeminiX is specifically designed to support the realization of redundant safety-critical systems adopting the “composite fail-safe with fail-safe comparison” approach.

GeminiX Platform consists of:

A complete Platform Documentation Package and Application Conditions, which describe and certify the compliance for applications up to SIL4 according to the EN50126/128/129 and IEC61508 standards.
A diverse 2oo2 HW reference architecture, which can be duplicated for reliability.
A real-time OS-like environment, GeminiX-OS, certified as a SIL4 Generic Product on its own and also certified several times as part of clients’ products. It is independent from the specific hardware and includes its own complete Documentation Package.
VHDL source code, which implements diagnostic routines and generic I/O, independent from the specific hardware and certified as a SIL4 Generic Product.
Several Reference Designs, implemented using different CPUs (Intel, AMD, ARM, …) and different bus architectures.

The following picture shows how GeminiX pre-assessed resources can be reused to speed up the development of a SIL4 system:

GeminiX offers the following key features:

Available with different CPUs for Low-End and High-End applications, and in different form factors
Highly integrated electronic design
Fully conduction cooled: -40°C ÷ +71°C operational (-40°C ÷ +85°C storage)
Ruggedised design
1.0kV (min) insulation between A & B galvanic areas
3.5kV (min) insulation between A & B areas versus chassis
FPGA and CPU HW diversity
128kB shared memory supporting GeminiX inter-processor communication and synchronisation
Cross channel data link implementing GeminiX redundancy features
Internal voltage diagnostic
Remote power diagnostic
8kB FRAM
2x Ethernet 10/100/1000 per CPU-A
2x Ethernet 10/100/1000 per CPU-B
Up to 2x RS232 per CPU-A
Up to 2x RS232 per CPU-B
16 bit multiplexed I/O bus for remote I/O boards I/F (CPU-A)
16 bit multiplexed I/O bus for remote I/O boards I/F (CPU-B)

The main GeminiX components are:

GeminiX Platform

GeminiX-Platform is the GeminiX Documentation Package together with its Application Conditions. It describes and certifies compliance for applications up to SIL4 according to the EN 50126, EN 50128, EN 50129 and IEC 61508 standards. It includes requirements:
for the Hardware architecture
for the Software architecture
on how to handle random faults
on how to handle systematic faults
on how to detect random and systematic faults
on the system behaviour after the detection of faults

GeminiX-Platform also defines a Checklist for the Application, which includes requirements to be fulfilled by both:

the given Application Software
the given Application Hardware

The following table lists the documentation plan provided with GeminiX, together with the corresponding lifecycle phase of each standard (a dash marks a phase the document does not map to):

Document Title | IEC 61508 Phase | EN 50126 Phase | EN 50128 Phase
GeminiX Concept Description | 5 | 5 | -
GeminiX Documentation Plan | 7 | 6 | 1
GeminiX Safety Plan | 7 | 6 | 1
GeminiX Quality Plan | 7 | 6 | 1
GeminiX Configuration Management Plan | 7 | 6 | 1
GeminiX-Platform Coding Conventions | 7 | 6 | 1
GeminiX-Platform Architecture | 9 | 6 | -
GeminiX-Platform Hazard Analysis | 9 | 6 | -
GeminiX-Platform Safety Concept Requirements | 9 | 6 | -
Safety Assessment Report: Safety Concept for Embedded Virtual Platform (GeminiX) | 9 | 6 | -
GeminiX-Tools General Requirements | 10.1 | 6 | 2
GeminiX-Cores Requirements Specification | 10.1 | 6 | -
GeminiX-OS Requirements Specification | 10.1 | 6 | 2
GeminiX-OS Requirements Verification Report | 10.1 | 6 | 2
GeminiX-Cores Requirements Test Specification | 10.1 | 6 | -
GeminiX-Cores Requirements Verification Report | 10.1 | 6 | -
GeminiX-OS Requirements Test Specification | 10.1 | 6 | 2
GeminiX-OS Quality Assurance Plan | 10.2 | 6 | 1
GeminiX-OS Quality Assurance Verification Report | 10.2 | 6 | 1
GeminiX-Cores Verification Plan | 10.2 | 6 | -
GeminiX-OS Verification Plan | 10.2 | 6 | 1
GeminiX-Cores Validation Plan | 10.2 | 6 | -
GeminiX-Cores Quality Assurance Plan | 10.2 | 6 | -
GeminiX-OS Validation Plan | 10.2 | 6 | 1
GeminiX-OS Module Test Plan | 10.2 | 6 | 1
GeminiX-OS SW Integration Test Plan | 10.2 | 6 | 1
GeminiX-OS HW/SW Integration Test Plan | 10.2 | 6 | 1
GeminiX-Cores Architecture Specification | 10.3 | 6 | -
GeminiX-OS Architecture Specification | 10.3 | 6 | 3
GeminiX-Cores Design Specification | 10.3 | 6 | -
GeminiX-OS Design Specification | 10.3 | 6 | 3
GeminiX-OS Interface Specification | 10.3 | 6 | 3
GeminiX-OS Integration Test Specification | 10.3 | 6 | 3
GeminiX-OS HW/SW Integration Test Specification | 10.3 | 6 | 3
GeminiX-Cores Module Design Specification | 10.3 | 6 | -
GeminiX-Cores Design and Architecture Verification Report | 10.3 | 6 | -
GeminiX-OS Design and Architecture Verification Report | 10.3 | 6 | 3
GeminiX-OS Module Design Specification | 10.3 | 6 | 4
GeminiX-OS Module Test Specification | 10.3 | 6 | 4
GeminiX-OS Module Verification Report | 10.3 | 6 | 4
GeminiX-OS Source Code | 10.3 | 6 | 5
GeminiX-Cores Source Code | 10.3 | 6 | -
GeminiX-Tools Source Code | 10.3 | 6 | 5
GeminiX-Cores Source Code Verification Report | 10.3 | 6 | -
GeminiX-OS Source Code Verification Report | 10.3 | 6 | 5
GeminiX-OS Module Test Report | 10.3 | 6 | 6
GeminiX-OS SW Integration Test Report | 10.4 | 6 | 7
GeminiX-OS HW/SW Integration Test Report | 10.4 | 6 | 7
GeminiX-OS Integration Verification Report | 10.4 | 6 | 7
GeminiX-Cores Integration Verification Report | 10.5 | 6 | -
GeminiX-OS User Manual | 10.5 | 6 | 10
GeminiX-Cores User Manual | 10.5 | 6 | -
GeminiX-Tools TargetIT User Manual | 10.5 | 6 | 10
GeminiX-Tools DefendIT User Manual | 10.5 | 6 | 10
GeminiX-OS Requirements Test Report | 10.6 | 6 | 8
GeminiX-OS Validation Report | 10.6 | 6 | 8
GeminiX-Cores Validation Report | 10.6 | 6 | -
GeminiX-Tools Validation Report | 10.6 | 6 | 8
GeminiX-OS Safety Case | 9 | 8 | -
GeminiX-OS Safety Assessing Reports | 10.6 | 9 | 12
GeminiX-Cores Assessing Report | 10.6 | 9 | -
GeminiX-OS Change Records | 15 | 13 | 11
GeminiX-Cores Change Records | 15 | 13 | -
GeminiX-Tools Change Records | 15 | 13 | 11

GeminiX Platform defines a safety computer architecture based on diverse CPUs (hardware diversity). The selection of the CPUs is mainly driven by performance and environmental requirements, as well as by the foreseen interfaces. The A and B nodes are fully insulated from each other and fulfil all the requirements derived from the IS 402, IEC 61508, EN 50155 and EN 50129 standards.

The following figure shows a typical block diagram of the safety-related part of a GeminiX computer.

GeminiX Reference Architecture

The typical GeminiX-based computer is implemented according to the following diagram:

A & B CPUs manage:

Independent processing (GeminiX-OS)
System Memories
Configuration Peripherals
PCIe Root complex or Parallel bus master

GeminiX-Cores manage:

Inter-node communication channel
Safety watchdog with independent time base
HW-assisted DES-Accelerator
Passive supervisor of I/O address accesses
Redundancy management engine
Power monitoring engine
I/O cores: MAC, GPIO, RS232, RS422/485

CPU-C is an optional “standard” COTS computer running a standard OS (Linux), which manages:

Communication protocol management (no safety layers)
Diagnostics

The custom vital I/O subsystem can differ for each solution; it is designed and adapted to the requirements of the different generic applications.
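The cycle that the A and B CPUs run in the “composite fail-safe with fail-safe comparison” scheme can be made concrete in plain C. The block below is an added illustration, not GeminiX-OS code or API: both channels evaluate the same vital decision on their own copy of the inputs, exchange a CRC-protected message over the cross channel link, and only a bit-exact agreement on the same cycle, the same inputs and the same result may produce the permissive output. Every other outcome, including a missing or corrupted peer message, degrades to the restrictive state. The input fields, the CRC-16 choice and all type and function names are this example's assumptions; in the real platform the link and the redundancy management engine sit in the GeminiX-Cores FPGA, while here the whole exchange is simulated in one process.

```c
/* Added example (not GeminiX code): one scheduler cycle of a 2oo2 pair with
 * fail-safe comparison. Type and function names are this example's own. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { OUT_RESTRICTIVE = 0, OUT_PERMISSIVE = 1 };

/* Inputs sampled by one channel (constructed example data). */
typedef struct { uint8_t track_free; uint16_t speed_kmh; uint16_t limit_kmh; } vital_in_t;

/* What a channel sends to its peer over the cross channel data link. */
typedef struct {
    uint32_t cycle;   /* scheduler cycle the result belongs to */
    uint16_t in_crc;  /* CRC of the inputs the channel acted on */
    uint8_t  out;     /* proposed vital output */
    uint16_t crc;     /* CRC over cycle, in_crc and out: detects link corruption */
} xlink_msg_t;

/* CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF), bitwise, no table. */
static uint16_t crc16_ccitt(const uint8_t *p, size_t n) {
    uint16_t crc = 0xFFFFu;
    for (size_t i = 0; i < n; i++) {
        crc ^= (uint16_t)((uint16_t)p[i] << 8);
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x8000u) ? (uint16_t)((crc << 1) ^ 0x1021u) : (uint16_t)(crc << 1);
    }
    return crc;
}

static uint16_t crc_inputs(const vital_in_t *in) {
    uint8_t b[5] = { in->track_free,
                     (uint8_t)(in->speed_kmh >> 8), (uint8_t)in->speed_kmh,
                     (uint8_t)(in->limit_kmh >> 8), (uint8_t)in->limit_kmh };
    return crc16_ccitt(b, sizeof b);
}

static uint16_t crc_msg(const xlink_msg_t *m) {
    uint8_t b[7] = { (uint8_t)(m->cycle >> 24), (uint8_t)(m->cycle >> 16),
                     (uint8_t)(m->cycle >> 8),  (uint8_t)m->cycle,
                     (uint8_t)(m->in_crc >> 8), (uint8_t)m->in_crc, m->out };
    return crc16_ccitt(b, sizeof b);
}

/* Application logic, executed independently on CPU-A and CPU-B. */
static uint8_t decide(const vital_in_t *in) {
    return (in->track_free && in->speed_kmh < in->limit_kmh) ? OUT_PERMISSIVE : OUT_RESTRICTIVE;
}

static xlink_msg_t channel_step(uint32_t cycle, const vital_in_t *in) {
    xlink_msg_t m = { cycle, crc_inputs(in), decide(in), 0 };
    m.crc = crc_msg(&m);
    return m;
}

/* Fail-safe comparison: every way of disagreeing, including silence from the
 * peer, degrades to the restrictive output. Only a verified, same-cycle,
 * same-input, same-result peer message can confirm PERMISSIVE. */
static uint8_t compare_2oo2(const xlink_msg_t *mine, const xlink_msg_t *peer, bool peer_timeout) {
    if (peer_timeout)                 return OUT_RESTRICTIVE;
    if (crc_msg(peer) != peer->crc)   return OUT_RESTRICTIVE;
    if (mine->cycle  != peer->cycle)  return OUT_RESTRICTIVE;
    if (mine->in_crc != peer->in_crc) return OUT_RESTRICTIVE;
    if (mine->out    != peer->out)    return OUT_RESTRICTIVE;
    return mine->out;
}

/* One cycle as seen from channel A. corrupt_link flips a bit in B's message
 * in transit; peer_timeout models B missing the exchange deadline. */
static uint8_t run_2oo2_cycle(uint32_t cycle_a, uint32_t cycle_b,
                              vital_in_t in_a, vital_in_t in_b,
                              bool corrupt_link, bool peer_timeout) {
    xlink_msg_t a = channel_step(cycle_a, &in_a);
    xlink_msg_t b = channel_step(cycle_b, &in_b);
    if (corrupt_link) b.out ^= 1u;  /* CRC left as computed, so it no longer matches */
    return compare_2oo2(&a, &b, peer_timeout);
}

int main(void) {
    vital_in_t in = { 1, 80, 100 };
    printf("agree:    %u\n", run_2oo2_cycle(7, 7, in, in, false, false));
    printf("timeout:  %u\n", run_2oo2_cycle(7, 7, in, in, false, true));
    printf("link err: %u\n", run_2oo2_cycle(7, 7, in, in, true, false));
    return 0;
}
```

The comparison is deliberately asymmetric in its failure direction: there is no path by which a disagreement, a stale cycle number or a link error can yield the permissive value, and agreeing outputs computed from diverging inputs are still rejected, because the input CRC is part of what is compared. A software comparator is only as trustworthy as the two copies executing it, which is why the page places the cross link, the redundancy management engine and the watchdog in the FPGA rather than in the CPUs being compared.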

GeminiX-OS

GeminiX-OS is generic low-level software implementing a real-time OS-like environment, independent from the specific hardware and compliant with the GeminiX Platform, which has been certified on its own as a SIL4 Generic Product.

GeminiX-OS is composed of:

A library API
A composite fail-safe paradigm, coupled with:
  1. GeminiX Embedded Virtual Platform HW
  2. A framework for I/O device support
  3. A build and configuration environment
  4. A safe configuration environment for the user’s application

Its main features are:

Multi-state static scheduler
Isochronous IRQ handler to manage high-rate I/O
Cross-check and cross-communication API
Subset of APEX ARINC 653 API to be used by Custom Application SW
Safety code calculation routines
Safe Loader
High coverage diagnostic routines
Drivers for generic I/O
Drivers and HW/SW API
Safe Configuration Infrastructure
MISRA-C 2012, with coding rules and diagnostic coverage suitable for IEC61508 and EN50128 up to SIL4
HW segregation of tasks both in time and space
SW defensive programming (e.g. assertions, data checks before use)
Controlled execution flow (token passing)
64-bit code protection of firmware in non-volatile memory (CBC-MAC calculated over each 1 KB block)
Complete Documentation Package following safety standards
Complete Test Environment
Stand-alone self-booting executable
Embedded Safe Configuration infrastructure
Extremely low latency response for hard real time applications
High coverage diagnostic routine for on-line testing
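Two of the features above, the controlled execution flow by token passing and the safety watchdog with an independent time base, work together, and the added example below shows one way to wire them (it is an illustration, not GeminiX-OS code; the task ids, window bounds, token update and all names are this example's assumptions). Each task of a static cyclic schedule advances a token at entry; at cycle end the token and the position counter are checked against the schedule, and only a correct cycle is allowed to kick a time-window watchdog driven by a separate tick source. A control-flow fault therefore becomes a missed or mistimed kick, which a hardware watchdog catches even if the software that detected it is itself compromised.

```c
/* Added example (not GeminiX code): execution-flow supervision for a static
 * cyclic schedule plus a time-window watchdog. All names are this example's own. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define N_TASKS      4u
#define TOKEN_INIT   0x5A5A5A5Au
#define WD_MIN_TICKS 9u    /* a kick earlier than this trips the watchdog */
#define WD_MAX_TICKS 11u   /* a kick later than this trips the watchdog */

/* Distinct constant per task (constructed values). */
static const uint32_t TASK_ID[N_TASKS] = { 0x1000A501u, 0x2000A502u, 0x3000A503u, 0x4000A504u };

typedef struct { uint32_t token; uint32_t next; bool tripped; } flow_t;
typedef struct { uint32_t last_kick; bool tripped; } window_wd_t;

/* Token update: rotate and mix in the task id, so the order of tasks matters. */
static uint32_t token_step(uint32_t tok, uint32_t id) {
    return ((tok << 5) | (tok >> 27)) ^ id;
}

/* Value the token must hold after the schedule ran in the intended order. */
static uint32_t expected_token(void) {
    uint32_t t = TOKEN_INIT;
    for (uint32_t i = 0; i < N_TASKS; i++) t = token_step(t, TASK_ID[i]);
    return t;
}

/* Called at the entry of task `idx`. The position check catches a task that
 * runs out of order or twice; the token catches a task body that was skipped
 * or entered by a jump that bypassed this call. */
static void task_enter(flow_t *f, uint32_t idx) {
    if (idx >= N_TASKS || f->next != idx) f->tripped = true;
    if (idx < N_TASKS) f->token = token_step(f->token, TASK_ID[idx]);
    f->next = idx + 1u;
}

/* Time-window watchdog on its own tick source: the kick must fall inside
 * [WD_MIN_TICKS, WD_MAX_TICKS] after the previous one. Too early is as
 * suspicious as too late (a runaway loop kicking in a tight cycle). The window
 * is armed from reset (last_kick = 0), so the first cycle is supervised too. */
static void wd_kick(window_wd_t *wd, uint32_t now) {
    uint32_t dt = now - wd->last_kick;
    if (dt < WD_MIN_TICKS || dt > WD_MAX_TICKS) wd->tripped = true;
    wd->last_kick = now;
}

/* End of cycle: kick only if the flow was correct, then reset for the next cycle.
 * A cycle with a wrong flow withholds the kick, so the watchdog trips as well. */
static bool cycle_end(flow_t *f, window_wd_t *wd, uint32_t now) {
    bool flow_ok = !f->tripped && f->next == N_TASKS && f->token == expected_token();
    if (flow_ok) wd_kick(wd, now);
    f->token = TOKEN_INIT;
    f->next = 0;
    return flow_ok && !wd->tripped;
}

/* Runs `cycles` cycles executing the tasks in `order`, reporting every
 * `period` ticks. Returns true only if neither supervisor tripped. */
static bool simulate(const uint32_t *order, size_t n, uint32_t period, unsigned cycles) {
    flow_t f = { TOKEN_INIT, 0, false };
    window_wd_t wd = { 0, false };
    bool healthy = true;
    for (unsigned c = 0; c < cycles; c++) {
        for (size_t i = 0; i < n; i++) task_enter(&f, order[i]);
        if (!cycle_end(&f, &wd, (uint32_t)(c + 1u) * period)) healthy = false;
    }
    return healthy;
}

/* Constructed schedules for the demonstration. */
static const uint32_t ORDER_OK[]      = { 0, 1, 2, 3 };
static const uint32_t ORDER_SWAPPED[] = { 0, 2, 1, 3 };
static const uint32_t ORDER_SKIPPED[] = { 0, 1, 3 };

int main(void) {
    printf("in order, on time: %d\n", simulate(ORDER_OK, 4, 10, 3));
    printf("swapped tasks:     %d\n", simulate(ORDER_SWAPPED, 4, 10, 3));
    printf("skipped task:      %d\n", simulate(ORDER_SKIPPED, 3, 10, 3));
    printf("late cycle:        %d\n", simulate(ORDER_OK, 4, 12, 3));
    return 0;
}
```

The two checks are redundant on purpose: the position counter is cheap and localises the fault, while the token survives a jump that lands inside a task body and never executes the entry check. Gating the kick on the flow result is what ties the software supervision to the hardware: the time base the watchdog counts is not the one the supervised CPU uses, so a CPU that stalls, loops or runs its schedule too fast cannot keep the watchdog satisfied.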

GeminiX-Cores

GeminiX-Cores HW consists of (V)HDL source code that implements the following safety-related measures:
A passive Memory Protection Unit, to implement task spatial segregation
A time-window Watchdog, to implement task time segregation
A cross communication channel, with synchronization capabilities
A DES signature calculator
A cross-power monitor
A bus monitor
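The DES signature calculator listed above is the hardware side of the firmware protection named in the GeminiX-OS feature list (a 64-bit CBC-MAC over each 1 KB block). The added example below shows the loader-side shape of that scheme; it is an illustration written for this page, not GeminiX-OS or GeminiX-Cores code. The 64-bit block cipher it uses is a small keyed Feistel stand-in for the DES core, which is this example's assumption (it is not DES and not a cipher to reuse), and the choice to fold the block length into the chaining value, so that a truncated last block cannot be zero-padded into a valid one, is also this example's own. Every name in the block is assumed.

```c
/* Added example (not GeminiX code): per-block CBC-MAC protection of a
 * firmware image. The block cipher is a Feistel stand-in for the DES core. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define FW_BLOCK   1024u   /* bytes per protected block */
#define MAX_BLOCKS 64u

/* --- 64-bit block cipher stand-in: 16-round Feistel under a 64-bit key.
 * A Feistel network is a permutation for any round function, which is all
 * CBC-MAC needs here; it has no claimed cryptographic strength. --- */
static uint32_t round_f(uint32_t r, uint32_t k) {
    uint32_t x = (r ^ k) * 0x9E3779B1u;
    return x ^ (x >> 15);
}

static uint64_t bc_encrypt(uint64_t key, uint64_t block) {
    uint32_t l = (uint32_t)(block >> 32), r = (uint32_t)block;
    for (uint32_t i = 0; i < 16; i++) {
        uint32_t k = (uint32_t)(key >> ((i & 1u) ? 32 : 0)) + i * 0x7F4A7C15u;
        uint32_t t = r;
        r = l ^ round_f(r, k);
        l = t;
    }
    return ((uint64_t)l << 32) | r;
}

/* Big-endian load of up to 8 bytes, zero-padded. */
static uint64_t load_be64(const uint8_t *p, size_t n) {
    uint64_t v = 0;
    for (size_t i = 0; i < 8; i++) v = (v << 8) | (i < n ? p[i] : 0u);
    return v;
}

/* CBC-MAC over one firmware block. The chain starts from E(len) rather than
 * zero: blocks are fixed size except the last, and without the length a short
 * tail and its zero-padded form would share a tag. */
static uint64_t cbc_mac_block(uint64_t key, const uint8_t *blk, size_t len) {
    uint64_t c = bc_encrypt(key, (uint64_t)len);
    for (size_t off = 0; off < len; off += 8) {
        size_t n = (len - off < 8) ? len - off : 8;
        c = bc_encrypt(key, c ^ load_be64(blk + off, n));
    }
    return c;
}

/* Build the tag table at image-signing time. Returns the number of tags,
 * or 0 if the table is too small. */
static size_t sign_image(uint64_t key, const uint8_t *img, size_t len, uint64_t *tags, size_t max_tags) {
    size_t n = 0;
    for (size_t off = 0; off < len; off += FW_BLOCK) {
        if (n == max_tags) return 0;
        size_t blen = (len - off < FW_BLOCK) ? len - off : FW_BLOCK;
        tags[n++] = cbc_mac_block(key, img + off, blen);
    }
    return n;
}

/* Loader-side check. -1: all blocks verify; -2: tag count does not match the
 * image length; otherwise the index of the first block whose tag mismatches. */
static long verify_image(uint64_t key, const uint8_t *img, size_t len, const uint64_t *tags, size_t ntags) {
    size_t expect = (len + FW_BLOCK - 1u) / FW_BLOCK;
    if (ntags != expect) return -2;
    for (size_t i = 0; i < ntags; i++) {
        size_t off = i * FW_BLOCK;
        size_t blen = (len - off < FW_BLOCK) ? len - off : FW_BLOCK;
        if (cbc_mac_block(key, img + off, blen) != tags[i]) return (long)i;
    }
    return -1;
}

/* Demo on a constructed 2500-byte image (2 full blocks + 452-byte tail).
 * tamper_at >= 0 flips one bit at that offset after signing; truncate drops
 * that many trailing bytes after signing. */
static long demo_verify(long tamper_at, size_t truncate) {
    static uint8_t img[2500];
    uint64_t tags[MAX_BLOCKS];
    const uint64_t key = 0x0123456789ABCDEFull;   /* constructed demo key */
    for (size_t i = 0; i < sizeof img; i++) img[i] = (uint8_t)(i * 31u + 7u);
    size_t ntags = sign_image(key, img, sizeof img, tags, MAX_BLOCKS);
    if (tamper_at >= 0) img[tamper_at] ^= 0x10u;
    return verify_image(key, img, sizeof img - truncate, tags, ntags);
}

int main(void) {
    printf("clean image:       %ld\n", demo_verify(-1, 0));
    printf("bit flip at 1500:  %ld\n", demo_verify(1500, 0));
    printf("1 byte truncated:  %ld\n", demo_verify(-1, 1));
    printf("last block dropped:%ld\n", demo_verify(-1, 452));
    return 0;
}
```

Per-block tags let the Safe Loader report which 1 KB block failed rather than only that the image did, and keep the per-block work bounded, which suits a hardware accelerator. Fixing the block length also avoids the classic CBC-MAC weakness with variable-length messages, and the length in the chaining value covers the one block that is not fixed. The limits should be stated plainly: a 64-bit tag computed with a key that lives on the device is an integrity measure against memory corruption and accidental modification, in line with the safety framing of the page; it is not an authentication mechanism against an adversary who can read the key or re-sign blocks, and a build that needs that property would pair the loader with a signature scheme whose private key never reaches the device.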

GeminiX-Cores also implements some generic (non-safety-related) I/O:

A MAC core, to implement the Ethernet interface
A UART core, to implement the RS232, RS485 or RS422 interface
A LED controller
A GPIO interface

The following figure sets out a typical block diagram of the Core FPGAs.