A composable real-time architecture for replicated railway applications

Triple-modular-redundant applications are widely used for fault-tolerant safety–critical computation. They have strict timing requirements for correct operation. We present an architecture which provides composability and mixed-criticality to support integration and to ease certification of such safety–critical applications. In this architecture, an additional layer is required for the sharing/partitioning of resources. This potentially jeopardizes the synchronization necessary for the triple-modular-redundant applications.We investigate the effects of different (unsynchronized) scheduling methods for the resource-sharing layer in this architecture and conclude that an out-of-the-box solution, which guarantees the technical separation between applications with fast reaction time requirements is only feasible when executing at most one instance of a triple-modular-redundant application per CPU-core for single and multi-core CPUs. Only when accepting changes in the applications or the applications’ synchronization mechanisms, are more flexible solutions with good performance and resource utilization available.