As a safety device, CROME is subject to strict constraints in order to fulfil Safety Integrity Level (SIL) requirements. The system uses a Xilinx Zynq 7020 SoC for all computation.
CROME uses the FPGA section of the Zynq for all safety-critical functions, while the dual ARM cores (referred to as the PS) run a custom-made Linux OS that is primarily used for communication with a SCADA supervision system and for data logging. As shown in the picture below, the OS is called CROMiX 18 and it runs a user application that launches three processes:
- A daemon that manages the downstream and upstream data transfers between the FPGA section (up to 200 x 64-bit parameters) and the processors
- A daemon that communicates with the Supervision through a custom, in-house TCP/IP protocol called ROMULUS
- A daemon that manages the non-safety-critical calculations and tasks, such as data compression, data storage and event generation
The PL (the FPGA section of the SoC) runs all mission-critical functions and calculations. Decisions are taken every 100 ms based on a majority voting mechanism:
As a safety-related system, CROME has several boot modes. It can boot from the SD card or from a remote TFTP/PXE server. If neither of these is available, the system boots from a second, local backup image stored in the QSPI memory and an eMMC.
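The two policies described above, the boot-source fallback order and the periodic majority vote, as an added model in Python (not CROME's own code; the source names, the boolean channel decisions and the tie-as-fault rule are assumptions for illustration):

```python
"""Constructed model of the boot fallback chain and the 100 ms majority vote.

Assumptions (not from the page): boot sources are identified by the short
names in BOOT_ORDER, each redundant channel yields a boolean decision, and a
vote without a strict majority is reported as a fault instead of a decision.
"""
from collections import Counter
from typing import Iterable, List, Optional, Sequence, Tuple

# Order given in the text: SD card, remote TFTP/PXE, then the local backup
# image (QSPI memory, eMMC). Names are assumed identifiers.
BOOT_ORDER = ("sd", "tftp_pxe", "qspi", "emmc")


def select_boot_source(available: Iterable[str]) -> Optional[str]:
    """Return the first source in BOOT_ORDER that is available, else None."""
    avail = set(available)
    for src in BOOT_ORDER:
        if src in avail:
            return src
    return None  # no bootable source at all: caller must treat as a fault


def majority_vote(channels: Sequence[bool]) -> Tuple[Optional[bool], bool]:
    """Majority decision over redundant channel outputs.

    Returns (decision, unanimous). decision is None when no value holds a
    strict majority (empty input or a tie), so a disagreement cannot be
    silently resolved by picking a side.
    """
    counts = Counter(channels)
    if not counts:
        return None, False
    value, n = counts.most_common(1)[0]
    if n * 2 <= len(channels):  # no strict majority
        return None, False
    return value, n == len(channels)


def run_cycles(samples: Sequence[Sequence[bool]], period_ms: int = 100
               ) -> List[Tuple[int, Optional[bool], bool]]:
    """One vote per period; each entry is (t_ms, decision, disagreement_seen).

    A disagreement flag on an otherwise valid decision is what a monitor
    would log: the output is still trusted, but one channel deviated.
    """
    out = []
    for i, ch in enumerate(samples):
        decision, unanimous = majority_vote(ch)
        out.append((i * period_ms, decision, not unanimous))
    return out
```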
All the pictures have been extracted from Hamza's presentation at the CERN SoC Working Group: https://indico.cern.ch/event/882283/contributions/3736639/attachments/2028905/3398176/CROME_SoC_meeting_2020_7.pdf