1. Field of the Invention
This invention pertains to an apparatus for independently verifying the proper execution of computer programs and for protecting data stored in memory, so as to isolate multiple software programs executed on a single central processor from one another.
2. Description of the Prior Art
Most safety critical applications, such as aircraft flight control systems, have been implemented in analog hardware to avoid potential hazards that could result from faulty software execution.
Unlike functions implemented in analog hardware, software functions are effectively time-shared with other software functions executed on the same computer. Accordingly, individual software functions are difficult to isolate. Various techniques have been used to help verify proper execution of software.
Monitoring of software execution and protection of data have traditionally been accomplished in the software itself. Examples of such software-based monitoring are the heartbeat monitor and the software ticket check. In the heartbeat monitor, the software outputs a pulse at regular intervals to indicate real-time operation. However, a software or hardware failure may leave the code that outputs the pulse running, so the pulse continues even though the monitored function is no longer executing correctly. With a software ticket check monitor, each module outputs a ticket in the form of a binary word or flag to indicate that it has executed, and a monitor module attempts to verify the software's execution through receipt of the tickets in the expected order. Both techniques are under the direct control of the same processor they are designed to monitor; a fault in that processor can corrupt the monitor along with the software it monitors. It is therefore difficult to ascertain whether software performing critical safety-related functions is executing properly or whether program data has been altered.
Traditionally, software is divided into small functional blocks of executable code called software modules. Each software module can be categorized as critical, essential or non-critical in accordance with definitions contained in Radio Technical Commission for Aeronautics DO-178. When a software package containing modules that fall into more than one of these categories is executed by a common processor, some method of isolation is required to provide clear and distinct partitioning between the criticality categories. Otherwise, the criticality of every module within the package defaults to that of the most critical module in the group with respect to documentation, testing, and verification requirements.
In order to fully isolate software of different criticality levels, two basic problems must be solved.
1. Execution Verification--Software execution must be verified to protect against the possibility of a noncritical software module erroneously disturbing program flow, thereby altering the calling sequence or the execution rate of critical modules.
2. Data Isolation Verification--Critical data must be protected to prevent noncritical software from erroneously altering the scratch pad memory locations.
Thus, a substantive problem in implementing flight safety functions in software is verifying that critical software modules, in a multi-criticality software package, are fully executed in the proper sequence with uncontaminated data.
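The following C program is an added illustration and not part of the patent text. It models in software the two checks the problems above call for and the ticket-check monitor of the prior art: a ticket-sequence monitor that accepts each module's ticket only if that module is the one expected next and that declares the frame complete only when every ticket arrived in order within a time budget, and a write filter that rejects writes to the critical scratch-pad region unless the module currently holding the ticket is itself critical. The module names, ticket values, address range, time budget and sample frames are assumptions made for the example.

```c
/* Added example, not from the patent. Module names, ticket values, address
 * range, time budget and the sample frames below are assumed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Criticality levels named in the text (DO-178 categories). */
typedef enum { NON_CRITICAL = 0, ESSENTIAL = 1, CRITICAL = 2 } level_t;

/* One module in the frame: the ticket it emits and its criticality. */
typedef struct { uint8_t ticket; level_t level; } module_t;

/* Assumed calling sequence for one frame. */
static const module_t EXPECTED[] = {
    { 0xA1, CRITICAL },     /* read sensors        */
    { 0xA2, CRITICAL },     /* control law         */
    { 0xB1, ESSENTIAL },    /* display update      */
    { 0xC1, NON_CRITICAL }, /* maintenance logging */
};
#define NUM_MODULES (sizeof EXPECTED / sizeof EXPECTED[0])

/* Assumed scratch-pad layout: critical data occupies [CRIT_LO, CRIT_HI). */
#define CRIT_LO 0x2000u
#define CRIT_HI 0x2400u

typedef struct {
    size_t   next;         /* index of the ticket expected next */
    level_t  running;      /* criticality of the module holding the ticket */
    unsigned seq_faults;   /* tickets received out of order or unexpected */
    unsigned write_faults; /* rejected writes to critical data */
} monitor_t;

void monitor_start_frame(monitor_t *m)
{
    m->next = 0; m->running = NON_CRITICAL;
    m->seq_faults = 0; m->write_faults = 0;
}

/* Execution verification: accept a ticket only if it is the one expected next.
 * Returns 1 if accepted, 0 if out of sequence. */
int monitor_ticket(monitor_t *m, uint8_t ticket)
{
    if (m->next < NUM_MODULES && EXPECTED[m->next].ticket == ticket) {
        m->running = EXPECTED[m->next].level;
        m->next++;
        return 1;
    }
    m->seq_faults++;
    return 0;
}

/* Data isolation: a write into the critical region is permitted only while a
 * CRITICAL module holds the ticket. Returns 1 if permitted, 0 if rejected. */
int monitor_write(monitor_t *m, uint32_t addr)
{
    int in_crit = addr >= CRIT_LO && addr < CRIT_HI;
    if (in_crit && m->running != CRITICAL) { m->write_faults++; return 0; }
    return 1;
}

/* End of frame: every module ran, in order, with no bad writes, within budget. */
int monitor_end_frame(const monitor_t *m, uint32_t elapsed_us, uint32_t budget_us)
{
    return m->next == NUM_MODULES && m->seq_faults == 0
        && m->write_faults == 0 && elapsed_us <= budget_us;
}

/* Replay one frame of (ticket, write address) events; address 0 means no write. */
typedef struct { uint8_t ticket; uint32_t write_addr; } event_t;

int run_frame(const event_t *ev, size_t n, uint32_t elapsed_us, uint32_t budget_us)
{
    monitor_t m;
    monitor_start_frame(&m);
    for (size_t i = 0; i < n; i++) {
        monitor_ticket(&m, ev[i].ticket);
        if (ev[i].write_addr) monitor_write(&m, ev[i].write_addr);
    }
    return monitor_end_frame(&m, elapsed_us, budget_us);
}

/* Constructed sample frames (assumed, for illustration). */
static const event_t GOOD[]         = { {0xA1,0x2010},{0xA2,0x2100},{0xB1,0x3000},{0xC1,0} };
static const event_t BAD_WRITE[]    = { {0xA1,0x2010},{0xA2,0x2100},{0xB1,0x3000},{0xC1,0x2010} };
static const event_t OUT_OF_ORDER[] = { {0xA2,0x2100},{0xA1,0x2010},{0xB1,0},{0xC1,0} };
#define COUNT(a) (sizeof (a) / sizeof (a)[0])

int demo_good_frame(void)   { return run_frame(GOOD, COUNT(GOOD), 800, 1000); }
int demo_bad_write(void)    { return run_frame(BAD_WRITE, COUNT(BAD_WRITE), 800, 1000); }
int demo_out_of_order(void) { return run_frame(OUT_OF_ORDER, COUNT(OUT_OF_ORDER), 800, 1000); }
int demo_overrun(void)      { return run_frame(GOOD, COUNT(GOOD), 1200, 1000); }

int main(void)
{
    printf("good frame: %d\n", demo_good_frame());      /* 1 */
    printf("noncritical write to critical data: %d\n", demo_bad_write()); /* 0 */
    printf("out of order: %d\n", demo_out_of_order());  /* 0 */
    printf("time overrun: %d\n", demo_overrun());       /* 0 */
    return 0;
}
```

The monitor state, the expected sequence table and the write filter all live in the same address space as the modules they check, so a runaway non-critical module can corrupt the monitor as easily as the critical data; this is the weakness of software-based monitoring the text describes, and it is what motivates moving these checks into hardware that the monitored processor cannot alter.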
The Real-Time Software Monitor and Write Protect Controller of the present invention verifies software execution in an independent manner. It isolates and protects critical data from software of lower criticality levels, thereby allowing separation of software within a single processing system into the three levels of criticality as described in Radio Technical Commission for Aeronautics (RTCA) document DO-178. The present invention verifies that the software executes in the proper sequence and that the entire software task is completed within a specified time.