# Triple-Triple Redundant Reliable Onboard Computer Based on Multicore Microcontrollers

G. Kahe<sup>1\*</sup>

1. Assistant Professor, Aerospace Research Institute, Tehran, IRAN

#### Abstract

The flight control system must meet extremely high levels of functional integrity and availability. The control algorithm is processed by the onboard computer (OBC). To meet the reliability requirements for onboard computers, various types of redundancy must be employed. In this paper, we are concerned with triple modular redundancy (TMR) for an onboard computer for aerospace applications. In the proposed architecture, control inputs and system states are measured using designated sensors. According to the acquired data, the mission scenario and control algorithm are processed by the processing unit. Thereafter, the results are applied to the system by actuators. TMR technology at the component level is used to improve the reliability of the OBC according to the system requirements. All of the constituent modules of the OBC, comprising the processing unit, bus interface, sensors, actuators, and IO devices, benefit from triple redundancy. The case study shows that a similar architecture is used for the highly reliable flight computer of passenger airplanes, except that our architecture is based on the available multicore microcontrollers. The reliability of the designed onboard computer is evaluated analytically, which indicates that the proposed OBC can meet the reliability requirements.

Keywords: Onboard Computer, Triple Modular Redundancy, Reliability

## 1. Introduction

The onboard computer (OBC) is at the core of any aerospace system such as a satellite, spacecraft, or aircraft. In aircraft, the typical flight control computer not only drives the primary flight control surfaces, but also provides finer control for stability.
Given the criticality of this function, these computers are often used in a dual or triple redundant configuration, provided that these additional components are properly employed and subject to strict compliance with safety standards for software and hardware such as DO-178C and DO-254. In addition to aerospace applications, reliable OBCs are extensively used in various applications including banks, stock exchanges, telecommunication providers, and railways. Various companies have introduced their fault-tolerant OBCs to this high-demand market. Despite extensive research in this area and the development of diverse products for safety-critical applications, related papers and documents have covered only the generalities and have rarely published the details.

Transaction servers, which are used in banks and stock exchanges, are required to be highly available. As an example, the VAXft (Virtual Address Extension, fault tolerant) was a family of reliable minicomputers developed and manufactured by Digital Equipment Corporation (DEC) based on the VAX instruction set architecture [1]. Two layered software products, VAXft System Services and VMS Volume Shadowing, were required to support the fault-tolerant features of the VAXft. NonStop is a series of server computers introduced to market in 1976 by Tandem Computers Inc. The production line was later owned by Compaq (from 1997) and Hewlett-Packard (since 2003). To circumvent single points of failure, the NonStop servers are equipped with some redundant components. The HP Integrity NonStop computers are based on the Intel Itanium processor platform, feature a massively parallel processing (MPP) architecture, and provide linear scalability. Average availability levels of 99.999% have been observed for NonStop servers [2]. In [3, 4], the abundant on-chip processor cores are exploited as redundant hardware in transaction processing, which provides native support for error detection and recovery against soft errors.
Their experimental evaluations confirm the effectiveness of the proposed redundant architecture in achieving low-cost reliable computing against soft errors with moderate performance, area and power overheads.

<sup>\*</sup> kahe@ari.ac.ir

Radiation hardening is a costly technology to make electronic components and systems resistant to damage or malfunctions caused by ionizing radiation in outer space and high-altitude flights. Most semiconductor companies produce a broad range of radiation-hardened (RadHard) MIL-PRF-38535/QML compliant products for aerospace and harsh-environment applications. Due to the specific fabrication process, low-volume production, and extensive development and testing process, the price of radiation-hardened chips is very high and the chips tend to lag behind the most recent developments. For example, the 32-bit ARM Cortex-M0 microcontroller manufactured with VORAGO HARDSIL technology [5], offering superior radiation performance over 300 K radiation and latch-up immunity for extreme environments, costs about 1 K\$, which is not comparable with the 10 \$ price of the same commercial type.

To bypass the RadHard problems and benefit from the most recent technologies, aerospace centers are moving to utilize enabling or emerging commercial devices. Small size, lower power, and lower cost are the main features of commercial devices compared to RadHard ones. Current trends throughout the world's space centers, the National Aeronautics and Space Administration (NASA), the European Space Agency (ESA), and other space sectors, favor the insertion of commercial off-the-shelf (COTS) technologies for space missions. However, the presence of ionizing particles in space environments must be considered for assuring safety and reliability [6, 7]. Redundancy is an available and affordable solution. Redundancy from high level to low level (system level to circuit level) can be employed to meet the reliability and safety requirements for aerospace applications.
The "TCLS ARM FOR SPACE" project was an answer to the Horizon 2020 (H2020) topic "Bottom-up Space Technologies at low TRL". This project targets ARM processors designed for terrestrial applications to be used in space and telecom applications, assessing the radiation tolerance aspects and demonstrating robustness in a laboratory environment [8].

In the aviation industry, the design of avionic embedded systems requires high dependability. In [9], the dependability of triple modular redundancy (TMR) hardware for a highly reliable aviation embedded system is investigated. Their experimental results confirm that the reliability of the TMR ARM processor is greater than that of the single one by ten times in some cases. The development and test of a triple modular redundant digital fly-by-wire system implemented with the PC-104 embedded computer and a real-time operating system (RTOS) is presented in [10]. Their evaluations show that COTS embedded computers comprising an RTOS can be used in avionic subsystems: they are easy to use, low cost, flexible, and reliable.

For small satellites, the size and weight of components are very limited. The new-generation low-power 32-bit MCU has been identified as an ideal candidate for the ADCS in [11]. It not only can handle the computational requirements of the ADCS algorithms, but also includes enough energy-saving features, which will be required on the limited power budget of a CubeSat. The design and implementation of an OBC using COTS components for a small satellite (Aalto-1) is demonstrated in [12]. The Aalto-1 OBC is based on ATMEL ARM 9 processors and is designed to provide a platform for the Command and Data Handling System (CDHS) that interfaces with other subsystems of the satellite and controls their operations.

An emerging class of small satellite missions demands assured operational lifetime and rapid development on a reasonable budget.
The paper [13] describes a "Careful COTS" approach to component selection and testing to meet these requirements. This approach was developed over the course of a number of real successful experiences on low-earth orbit missions. A low-cost space-qualified computer using thermally and dynamically enhanced commercial computers has been developed at Southwest Research Institute [14]. A packaging technique was developed and tested in that work, allowing commercial computers to be used successfully in the severe thermal and vibration environments encountered in some flight missions.

Field Programmable Gate Array (FPGA) devices are also used to meet the reliability and availability requirements of safety- and mission-critical applications including industrial, aviation, military and communications applications. A TMR solution based on MicroBlaze cores (in Xilinx FPGAs) is used to design an OBC for highly reliable applications in [15]. This processing subsystem is fault-tolerant, with the capability to detect and recover from errors. The development of a SmallSat computer system that provides increased tolerance to radiation-induced faults through a novel architecture implemented on a COTS FPGA is presented in [16]. The fault mitigation approach in this computer involves TMR technology. The computer provides increased reliability, computational performance, and power efficiency at a fraction of the cost of existing radiation-hardened computer systems. This computer successfully passed eight high-altitude balloon flights to 30 km, and a 2014 sounding rocket flight to 120 km. Xilinx radiation-tolerant FPGAs are successfully used in Jet Propulsion Laboratory (JPL) space missions like the Mars Exploration Rover Mission [17]. In the case of Xilinx radiation-tolerant FPGAs, all single-event phenomena are taken into account either through the radiation-tolerant manufacturing and processing steps or through the TMR technique.
The authors of [18, 4] evaluate the efficiency and performance of a dual-core lockstep ARM for fault tolerance running FreeRTOS applications. The method was implemented on a dual-core ARM microcontroller embedded into the Zynq-7000 FPGA. Fault injection experiments show that the method can mitigate up to 63% of faults on the FreeRTOS applications. Multicore microcontrollers with lockstep synchronous configuration are explored in [19, 6] to design a fault-tolerant and dependable OBC. As a case study, they demonstrate the design and implementation of a dependable OBC based on a dual-core ARM Cortex-A9 processor embedded in an FPGA. Their empirical evaluations show the effectiveness of the proposed approach, which mitigates around 91% of bit flips injected in the ARM registers.

As seen in the previous discussion, RadHard components for reliable onboard computers are very expensive and hardly available. Therefore, an affordable and accessible method to design a reliable OBC is redundancy. A dual redundant system based on COTS components, as the simplest redundant method, can cover only a limited level of reliability for critical applications [20, 4]. Consequently, to cover the reliability requirements of mission-critical aerospace applications, a higher level of redundancy such as TMR is necessary.

In this paper, we are concerned with triple modular redundancy (TMR) for an onboard computer for aerospace applications. The processing unit, bus interface, sensors, and actuators benefit from TMR technology. Therefore, OBC redundancy is at the component level. The reliability of the proposed onboard computer is evaluated, which indicates system reliability improvement according to the predetermined requirements.

The paper structure is as follows. In the next section (Section 2), the design of a reliable OBC based on the TMR architecture is described.
Section 3 describes the case study, the reliability evaluation is presented in Section 4, and finally conclusions are given in Section 5.

## 2. Reliable Onboard Computer Design

In this section, a reliable onboard computer is designed, and its implementation on the available multicore microcontroller is described.

#### 2.1. OBC Architecture

The architecture of an OBC suitable for a small satellite is shown in Figure 1. It consists of a processing unit, interfacing bus, sensors, actuators, and other IO devices. The processing unit also covers the RAM, program and data storage, and timing requirements of the dedicated mission. Control inputs and the system/mission states are measured through input sensors. The mission scenario or the control algorithm is processed based on the measurements, and then the control outputs are applied to the system using the actuators and other IO devices.

Figure 1. OBC Architecture

#### 2.2. TMR Architecture for OBC

While dual redundancy is the simplest form of redundancy for reliable systems, triple modular redundancy is the most widely used. In the proposed architecture, an onboard computer is designed based on triple modular redundancy (TMR).

Figure 2. Triple Modular Redundant configuration

As can be seen in Figure 2, the redundancy of the onboard computer is at the component level, and all modules of the onboard computer, including the processing unit, sensors, bus, actuators, and voters, are triple redundant. The TMR configuration (Figure 2) differs considerably from plain triple redundancy because it employs three identical voters instead of one, which avoids the single point of failure that a single voter would introduce. In this architecture, while two of three systems are healthy, the system is operational. If at least two of three modules fail, the system breaks down and needs recovery. The voting logic is a majority voter, which takes the majority of the inputs.

Figure 3. Triple cores lock step ARM

The ARM TCLS CORTEX-R5 consists of three identical cores that can run the same program in synchronous lockstep mode. Figure 3 shows the ARM TCLS CORTEX-R5 CPU. This device presents a system-level solution to mitigate soft errors that may occur inside the three redundant cores [6].

Using available multicore microcontrollers, the reliable OBC is designed based on dual- and triple-core ARMs. In the first approach, the OBC is designed using a dual-core lock-step (DCLS) ARM based on TMR technology. As shown in Figure 4, the proposed architecture can tolerate 1-of-3 faulty modules for each subsystem. Due to the substantial role of the processing unit, error detection and localization is employed using the DCLS ARM, which provides the reconfiguration capabilities of the processing cores.

Using the available triple-core lock-step (TCLS) ARM microcontroller (Figure 3), the onboard computer has been designed based on the TMR architecture. The proposed architecture is shown in Figure 5. The onboard computer generally consists of four modules: processing unit (microcontroller), bus, sensors (input devices), and actuators (output devices). The microcontroller consists of a central processing unit (CPU), program and data memory, and I/O circuitry. To prevent a single point of failure, all modules, including the bus, sensors, actuators, microcontroller, and voters, have a triple redundancy configuration. If any failure is detected, the system alerts the supervisor and tries to recover to the healthy, normal condition. In the processing unit, failure detection is covered by voting on the outputs of the three synchronous cores, and recovery is done by restarting the corresponding failed processor core. The communication bus also benefits from triple redundancy, which is controlled and monitored by a supervisor. Similar to the previous design, the processing module benefits from error detection and localization capability.
In addition, using the TCLS ARM, the processing module can tolerate 1-of-3 faulty cores in each microcontroller. The bus interface also has triple redundancy. RS-422 is used as the physical layer, and the data link and data transmission layers must be designed and implemented to support the TMR technique. A supervisor monitors the bus operation. Sensors and actuators also have a redundant structure. According to the mission scenario and control algorithm, various types of sensors, including attitude and navigation, environmental, and monitoring sensors, must be employed. The more critical ones are configured in a redundant structure based on TMR. The system outputs are derived through the actuators, which are configured in a redundant architecture.

Figure 4. OBC with TMR architecture using DCLS ARM

Figure 5. OBC with TMR architecture using TCLS ARM

## 3. Case Study

The Boeing 777 flight computers control electric and electro-hydraulic actuators using electrically transmitted commands. The 777 fly-by-wire (FBW) system provides manual and automatic control of the airplane in the pitch, roll, and yaw axes (see Figure 6 and Figure 7).

Figure 6. Boeing 777 Flight Control System [21]

Figure 7. Airplane control/aerodynamics/structure/pilot Interactions Concept Diagram

Pilot commands are electrically transmitted and processed for application to the primary flight control surfaces. Two elevators and a horizontal stabilizer are used for control in the pitch axis. Roll control is achieved with two ailerons and two flaperons, and is augmented with fourteen spoilers. The spoilers also provide speed brake control. Yaw control is provided with a single, tabbed rudder [21]. The primary flight control surfaces are illustrated in Figure 8.

Figure 8. Boeing 777 Primary Flight Controls Surfaces [21]

The flight control system for an airplane must meet extremely high levels of functional integrity and availability.
The flight control system for the Boeing 777 airplane is the NASA Fly-By-Wire (FBW) system [22, 23], which provides the numerical integrity and functional availability requirements for highly reliable computers and is very similar to the architecture proposed in this paper. The heart of the FBW system is the use of triple redundancy for all hardware resources (see Figure 9), including the processing unit, airplane electrical power, hydraulic power (actuators), and communication path (bus) [24]. This feature is also applied to the architecture proposed in this paper. As can be seen in Figure 9, the sensors (air data inertial reference and other sensors), actuators (primary surface actuators), interfacing bus (triplex ARINC 629 flight control buses), and processing unit (primary flight computer) benefit from TMR technology. This is similar to the architecture proposed in this paper in Figure 4 and Figure 5, in which the constituent modules of the OBC, including the processing unit, sensors, bus, actuators, and voters, are triple redundant.

Figure 9. NASA FBW Architecture [25]

The Primary Flight Computer (PFC) is the central computation element of the FBW system. The TMR concept is also applied to each PFC architectural design [24]. Further, the N-version dissimilarity issue is integrated into the TMR concept of the PFC. The PFCs consist of three similar channels (of the same part number), and each channel contains three dissimilar computation lanes [24]. The N-version software dissimilarity experiment at UCLA [26] and in the avionics industry led Boeing to the selection of triple dissimilarity for the PFC architecture in the processors and the associated processor interface hardware designs. This is comparable with the architecture proposed in this paper in Figure 4 and Figure 5, in which TMR technology is applied at the CPU level using the available multicore microcontrollers.

Figure 10. Primary Flight Computer Architecture [24]

Four ACEs (Figure 4) provide the interface between the FBW analog domain (crew controllers, electro-hydraulic actuators, and electric actuators) and the FBW digital domain (digital data buses, PFCs, AFDCs, etc.). The ACEs provide excitation and demodulation of all position transducers and the servo loop closure for all flight control surfaces and the variable feel actuators [21]. Each ACE contains three terminals, which comply with the ARINC 629 specification, to communicate with the data buses. In Direct Mode, the ACEs do not respond to commands on the digital data bus but instead provide simple analog control laws to command the surface actuators directly. Figure 11 shows the functions performed by the ACEs.

Figure 11. Actuator Control Electronics Overview [24]

The Boeing-designed global DATAC bus [27], also known as the ARINC 629 data bus, is used to communicate among all computing systems for the flight control functions in 777 airplanes. Each DATAC bus is isolated, both physically and electrically, from the other two [21].

## 4. Reliability Evaluation

Assuming that the onboard computer is composed of m modules in a series configuration, the reliability of a single onboard computer $(R_0)$ is obtained as:

$$R_0 = \prod_{i=1}^{m} R_i \tag{1}$$

where $R_i$ is the reliability of each module. Assuming an equal reliability $R_M$ for all modules, we have:

$$R_0 = R_M^m \rightarrow R_M = R_0^{1/m} \tag{2}$$

The reliability of the TMR architecture is as follows (a minimum of 2 out of 3 modules must be operational):

$$R(R_0, m) = \sum_{i=2}^{3} \binom{3}{i} R_0^i (1 - R_0)^{3-i} = 3R_0^2 - 2R_0^3 \tag{3}$$

*International Journal of Reliability, Risk and Safety: Theory and Application / Vol. 1, No. 1, 2018, www.IJRRS.com*

For a TMR architecture with m modules, the reliability is obtained as [28]:

$$R(R_0, m) = \left(3R_0^{\frac{2}{m}} - 2R_0^{\frac{3}{m}}\right)^m \tag{4}$$

Considering the reliability of the majority voter $R_V$, the reliability of the TMR onboard computer is obtained as follows:

$$R(R_0, R_V, m) = \left(3R_V^2 R_0^{\frac{2}{m}} - 2R_V^3 R_0^{\frac{3}{m}}\right)^m \tag{5}$$

#### 4.1. Results

In the proposed architecture, the onboard computer consists of five modules (m=5). The TMR reliability versus module reliability ($R_M$), with m as a parameter, is shown in Figure 12, which indicates that the system reliability increases monotonically with increasing m and approaches unity as the modular breakdown becomes increasingly finer (large m). Figure 13 shows the system reliability versus time for different values of the failure rate ($\lambda$). As can be seen, for high failure rates, the system reliability drops very fast.

Figure 12. System reliability versus module reliability

Figure 13. System reliability versus time (module count m=5)

The design and reliability evaluation of a reliable onboard computer based on multicore microcontrollers has been presented. The selected ARM microcontroller has triple lock-step cores, which are beneficial for redundancy and error/failure detection. Analytical results show the reliability improvement of the proposed onboard computer, so that it is suitable for aerospace applications.

## 5. Conclusion

A reliable OBC is designed exploiting TMR technology. Using the available multicore ARM (TCLS ARM), the reliable OBC employs component-level redundancy in which all of the constituent modules (processing unit, bus, sensors and actuators, voters, and the other IO devices) are triple redundant. Therefore, it is immune to single points of failure.
The case study shows that the proposed architecture is very similar to the Boeing 777 highly reliable flight control computer, in which all of the hardware resources (flight computer, control surfaces/actuators, interfacing bus, and inertial/attitude sensor) employ TMR technology, but with the new, high-tech multicore microcontrollers now available. Evaluation results show that the designed OBC, consisting of five modules with TMR technology, can meet the reliability requirement for aerospace applications.

## References

- [1] D. Siewiorek and R. Swarz, Reliable Computer Systems: Design and Evaluation, Digital Press, 2017.
- [2] M. Rausand and H. Arnljot, System reliability theory: models, statistical methods, and applications, vol. 396, John Wiley & Sons, 2004.
- [3] C. Zheng, P. Shukla, S. Wang and J. Hu, "Exploring hardware transaction processing for reliable computing in chip-multiprocessors against soft errors," in *IEEE International Symposium on Defect and Fault Tolerance in VLSI and Nanotechnology Systems (DFT)*, Austin, TX, USA, 2012.
- [4] G. Kahe, "Reliable flight computer for sounding rocket with dual redundancy: design and implementation based on COTS parts," *International Journal of System Assurance Engineering and Management*, vol. 8, no. 3, pp. 560-571, 2017.
- [5] V. Technologies, "Radiation Hardened ARM® Cortex-M0 Microcontroller," VORAGO Tech., 2017.
- [6] X. Iturbe, B. Venu, E. Ozer and S. Das, "A Triple Core Lock-Step (TCLS) ARM® Cortex®-R5 Processor for Safety-Critical and Ultra-Reliable Applications," in *46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshop (DSN-W)*, Toulouse, France, 2016.
- [7] K. LaBel, M. Gates, A. Moran, P. Marshall, J. Barth, E. Stassinopoulos, C. Seidleck and C. Dale, "Commercial microelectronics technologies for applications in the satellite radiation environment," in *IEEE Aerospace Applications Conference*, Aspen, CO, USA, 1998.
- [8] J.-L. Poupat, B. Leroy and T. Helfers, "TCLS ARM for Space," in *DASIA (DAta Systems in Aerospace)*, Estonia, 2016.
- [9] D.-W. Lee, B.-Y. Kim, W.-J. Ko and J.-W. Na, "A Study on the Triple Module Redundancy ARM processor for the Avionic Embedded System," *The Journal of Advanced Navigation Technology*, vol. 14, no. 1, pp. 87-92, 2010.
- [10] J. A. Wang and Z. S. Li, "Development of flight control system Using embedded computer PC-104," in *26th International Congress of the Aeronautical Sciences*, 2008.
- [11] M. M. Daffalla, A. TagElsir and A. S. Kajo, "Hardware selection for attitude determination and control subsystem of 1U cube satellite," in *International Conference on Computing, Control, Networking, Electronics and Embedded Systems Engineering (ICCNEEE)*, Khartoum, Sudan, 2015.
- [12] E. Razzaghi, "Design and qualification of onboard computer for Aalto-1 CubeSat," Master's thesis, Luleå University of Technology, 2012.
- [13] D. Sinclair and J. Dyer, "Radiation effects and COTS parts in SmallSats," in *27th Annual AIAA/USU Conference on Small Satellites*, 2013.
- [14] G. Dirks, "Producing a Low Cost, Space Qualified Computer by Ruggedizing Commercial Computer Cards," Southwest Research Institute, Texas, 1992.
- [15] X. P. Guide, "MicroBlaze Triple Modular Redundancy (TMR) Subsystem," Xilinx Corp., 2017.
- [16] B. J. LaMeres, S. Harkness, M. Handley, P. Moholt, C. Julien, T. Kaiser, D. Klumpar, K. Mashburn, L. Springer and G. A. Crum, "RadSat Radiation Tolerant SmallSat Computer System," in *Small Satellite Conference*, 2015.
- [17] D. Ratter, "FPGAs on Mars," *Xilinx xCell Journal*, vol. 50, pp. 8-11, 2004.
- [18] Á. B. d. Oliveira, G. S. Rodrigues and F. L. Kastensmidt, "Analyzing lockstep dual-core ARM cortex-A9 soft error mitigation in freeRTOS applications," in *30th Symposium on Integrated Circuits and Systems Design: Chip on the Sands (SBCCI'17)*, NY, USA, 2017.
- [19] D. Oliveira, Á. Barros, L. A. Tambara and F. L. Kastensmidt, "Exploring performance overhead versus soft error detection in lockstep dual-core arm Cortex-A9 processor embedded into Xilinx Zynq APSOC," in *International Symposium on Applied Reconfigurable Computing*, Springer, Cham, 2017.
- [20] G. Kahe and M. A. Rostami, "Design and Implementation of a Reliable Flight Computer for Sounding Rocket with Dual Redundancy Based on COTS Parts," in *The 4th International Reliability Engineering Conference (IREC)*, Tabriz, IRAN, 2016.
- [21] Y. Yeh, "Design considerations in Boeing 777 fly-by-wire computers," in *Third IEEE International High-Assurance Systems Engineering Symposium (Cat. No.98EX231)*, Washington, DC, USA, 1998.
- [22] J. Wensley, L. Lamport, J. Goldberg, M. Green, K. Levitt, P. Melliar-Smith, R. Shostak and C. Weinstock, "SIFT: Design and analysis of a fault-tolerant computer for aircraft control," *Proceedings of the IEEE*, vol. 66, no. 10, pp. 1240-1255, Oct 1978.
- [23] A. Hopkins, T. Smith and J. Lala, "FTMP—A highly reliable fault-tolerant multiprocess for aircraft," *Proceedings of the IEEE*, vol. 66, no. 10, pp. 1221-1239, 1978.
- [24] Y. Yeh, "Triple-triple redundant 777 primary flight computer," in *IEEE Aerospace Applications Conference*, Aspen, CO, USA, 1998.
- [25] J. D. Aplin, "Primary flight computers for the Boeing 777," *Microprocessors and Microsystems*, vol. 20, no. 8, pp. 473-478, 1997.
- [26] A. Avizienis, M. Lyu and W. Schutz, "In search of effective diversity: a six-language study of fault-tolerant flight control software," in *The Eighteenth International Symposium on Fault-Tolerant Computing*, Tokyo, Japan, 1988.
- [27] J. Shaw, H. Herzog and K. Okubo, "Digital autonomous terminal access communication (DATAC)," in *7th Digital Avionics Systems Conference*, Fort Worth, TX, 1986.
- [28] R. E. Lyons and W. Vanderkulk, "The use of triple-modular redundancy to improve computer reliability," *IBM Journal of Research and Development*, vol. 6, no. 2, pp. 200-209, 1962.
- [29] X. Iturbe, B. Venu, E. Ozer and S. Das, "A Triple Core Lock-Step (TCLS) ARM® Cortex-R5 Processor for Safety-Critical and Ultra-Reliable Applications," in *46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshop (DSN-W)*, Toulouse, France, 2016.
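The reliability expressions of Section 4 (Eqs. 1 to 5), evaluated numerically as an added example that is not part of the original paper: it checks the 2-out-of-3 break-even point, the effect of the module count m and of imperfect voters, and the longest mission time that still meets a reliability target. The constant-failure-rate law R_0 = exp(-λt), the failure rate, the voter reliability and the 0.999 target are assumptions chosen for illustration.

```python
"""TMR reliability of Section 4, Eqs. (1)-(5). Added illustration only."""
import math
from math import comb


def series_reliability(module_reliabilities):
    """Eq. (1): m modules in series, R_0 = product of the R_i."""
    return math.prod(module_reliabilities)


def module_reliability(r0, m):
    """Eq. (2): equal modules, R_M = R_0 ** (1/m)."""
    if not 0.0 <= r0 <= 1.0 or m < 1:
        raise ValueError("need 0 <= R_0 <= 1 and m >= 1")
    return r0 ** (1.0 / m)


def two_out_of_three(r):
    """Eq. (3): at least 2 of 3 identical units work (= 3r^2 - 2r^3)."""
    return sum(comb(3, i) * r**i * (1.0 - r) ** (3 - i) for i in (2, 3))


def tmr_obc(r0, m, r_v=1.0):
    """Eqs. (4)/(5): m triplicated modules in series; every replica is
    followed by its own voter of reliability r_v (r_v = 1 gives Eq. 4)."""
    unit = r_v * module_reliability(r0, m)
    return (3.0 * unit**2 - 2.0 * unit**3) ** m


def simplex_at(t_hours, lam_per_hour):
    """Assumption, not stated on the page: constant failure rate,
    so the non-redundant OBC has R_0(t) = exp(-lambda * t)."""
    return math.exp(-lam_per_hour * t_hours)


def max_mission_time(target, reliability_of_t, t_hi=1e7, rel_tol=1e-9):
    """Longest t (hours) with reliability_of_t(t) >= target, found by
    bisection; valid because reliability never increases with time."""
    if reliability_of_t(0.0) < target:
        return 0.0  # requirement unreachable even at launch
    if reliability_of_t(t_hi) >= target:
        return t_hi
    lo, hi = 0.0, t_hi
    while hi - lo > rel_tol * max(1.0, hi):
        mid = (lo + hi) / 2.0
        if reliability_of_t(mid) >= target:
            lo = mid
        else:
            hi = mid
    return lo


if __name__ == "__main__":
    LAM = 1e-4      # constructed failure rate of one simplex OBC, per hour
    M = 5           # module count used in the paper (Section 4.1)
    TARGET = 0.999  # constructed reliability requirement

    # Break-even: 2-out-of-3 only helps when a unit is better than 0.5.
    for r in (0.4, 0.5, 0.9):
        print(f"unit R={r:.1f}  simplex={r:.4f}  2oo3={two_out_of_three(r):.4f}")

    # Finer modular breakdown (larger m) at fixed R_0, ideal voters.
    for m in range(1, 6):
        print(f"m={m}  R_TMR={tmr_obc(0.9, m):.5f}")

    # Mission time meeting TARGET: simplex, TMR, TMR with real voters.
    cases = {
        "simplex": lambda t: simplex_at(t, LAM),
        "TMR, ideal voters": lambda t: tmr_obc(simplex_at(t, LAM), M),
        "TMR, R_V=0.999": lambda t: tmr_obc(simplex_at(t, LAM), M, 0.999),
    }
    for name, fn in cases.items():
        print(f"{name:18s} t_max = {max_mission_time(TARGET, fn):8.1f} h")
```

The voter term matters: once R_V multiplies every replica, the achievable mission time is bounded by voter quality even when the modules themselves are highly reliable.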