Exploring Multicore for safety-critical Avionics Applications · Exploring Multicore for safety-critical Avionics Applications ... General Dynamics GE Aviation Harris Honeywell

© 2015 Wind River. All Rights Reserved.

Exploring Multicore for safety-critical Avionics Applications Stefan Harwarth Field Application Engineer

essei TechDay, Oberpfaffenhofen 13 October 2015

2 © 2015 Wind River. All Rights Reserved.

About Wind River


HERITAGE

1981: Founded

1993: IPO

2009: Acquired

SCALE

1,900 Employees

42,000 Developers

LEADERSHIP

45% Commercial Market Share

Broadest Portfolio

INVESTMENT

30+% of Annual Spend Is on R&D

Rich History of M&A

For over thirty years, Wind River has helped the world's most recognizable brands power generation after generation of embedded devices.

Vision

Power intelligent connected products that enrich the quality, safety, and security of people’s lives every day.



Wind River Aerospace & Defense Customers and Programs

Airbus

BAE Systems

Boeing

Elbit Group

Finmeccanica

General Dynamics

GE Aviation

Harris

Honeywell

IAI

ITT

LIG Nex1

L-3 Communications

Lockheed Martin

Mitsubishi

NASA

NEC

Northrop Grumman

OKI Electric

Rafael

Raytheon

Rockwell Collins

Saab

Sagem

Samsung Thales

Shanghai Avionics

Thales

Land

Abrams

Bowman

Bradley

Challenger

FCS

GIG

HIMARS

JTRS

MLRS

Patriot

Sea

Aegis

Astute

DDG-1000

Halifax

Harpoon

KDX-I

Phalanx

Tomahawk

Type 45

U212

Military Air

A330 MRTT

A400M

C-130

F-22

F-35

Global Hawk

KC-767

nEUROn

Typhoon

X-47B

Space

ARES

Curiosity

FTB1

GAIA

ISS

Mars Rovers

Odyssey

Orion

Pathfinder

PROBA

Commercial

Airbus A3xx

Airbus A350

Airbus A380

Boeing 7x7

Boeing 747

Boeing 777

Boeing 787

EC 225

EGNOS

WAAS


Multicore System Issues

Contention makes it difficult to prove that timing constraints are met

Most SoC uses hardware that is shared between cores

Designs and effects of sharing are often unavailable

Sharing effects may change as SoC microcode is updated

Addressing these issues can involve additional cert effort

Performance and certification costs depend on matching the choice of

strategies of the multicore hardware and the software application


Multicore Safety Concerns

7

Multicore concerns for safety are assumed to be understood

Hardware shared resources:

- Caches

- Memory controllers

- Interconnect

- I/O devices via interconnect

- Hyperthreading resources

Possible mitigations:

- avoid sharing completely

- avoid sharing at the same time

- share at the same time (WCET computation assumed to be possible)


OS Architectures

AEROSPACE


OS

Core 2 Core 1

OS

Supervisor

Supervised AMP

SMP

OS

Core 1 Core 2

OS

Core 2 Core 1

OS

Unsupervised AMP

OS

Core 2 Core 1

OS

Hypervisor

Virtualization

Possible OS architectures


Architecture Characteristics

AMP

One OS per Core

Reuse of certified OS

Mix of OS

Manual configuration per core required

No IPC included

Supervised AMP

One OS per Core

Protected Supervisor layer

Centralized multicore configuration

IPC possible

AMP + Hypervisor

One OS per Core

Virtualization of resources

Protected Hypervisor layer

IPC handled by Hypervisor

SMP or BMP

Distributed Applications on single OS

Black box config

Full resource sharing possible

Load Balancing or BMP


AMP Scheduling

t

Core 0

Core 1

Core 2

Partition2

Partition1

Partition2

Partition1

Partition2

timeframe n n+1 n+2

Partition1

Partition1

timeframe n n+1 n+2

Partition1

Partition2

Partition2

Partition2

Partition3

Partition3

Partition3 Partition3 Partition3 Partition3

SMP Scheduling

Partition1

See EASA MULCORS Report for details


Considerations for AMP and SMP

AMP with Hypervisor SMP with Core Affinity

and Time Partitions

Mix of AMP/SMP

using Hypervisor

Pro - legacy application

reuse

- Heterogeneous

environment

- Easier upgrades

- Limited resource

contention

- Better use of available

resources

- Maximize use of

resources

- Support new and

legacy designs

Con - Increased certification

complexity

- Potential performance

compromises

- Redesign of legacy

applications

- Moderate certification

complexity

- Additional certification

complexity

Comments Certification emphasis on

Tools, System Design and

added runtime control for

shared resources

Designs may be more

complex and changing

designs may be difficult

Requires additional

runtime control for shared

resources


AEROSPACE

Use Cases


Use Case 1: Migration

Step 1

Re-host on new Hardware


Use Case 1: Migration

Step 2

Re-deploy


Use Case 2: Asset bridging

Step 1

Re-use with Virtualization


Use Case 2: Asset bridging

Step 2

Re-deploy


Use Case 3: Multicore Partition

SMP Guest OS and ARINC 653 Part 1 Supplement 4


AEROSPACE

VxWorks 653 3.0 Multicore Edition

350 avionics programs

200 customers

75 aircraft


VxWorks 653 3.0 Multicore Edition Safety Architecture


• Single schedule configuration for Multicore System

• System Integrators can schedule multiple Partitions in one Time Window

• Optional core synchronisation

1 2 Core 0

Core 1 3 4

Sync points

Major frame

1 2 1 2

3 4 3 4

Scheduled Partitions

VxWorks 653 3.0 Multicore Time Scheduler


FMS

DO-297 Role Separation

Multi-Core Hardware Platform

XML Compiler/Checker

DO-178B Qualified Development Tool

Platform

Supplier

System

Integrator

XML Config

File

Binary Configuration Data

XML Config

File

XML Config

File

XML Config

File

XML Tables

XML Config

File

Application

Suppliers

XML Tables XML Tables XML Tables Nav

Display

XML Tables

XML Business

Rules


Contact

Robert Kauth Senior Account Manager

Steinheilstraße 10 85737 Ismaning

Phone: 089/9624 45 242 Mail: [email protected]

Stefan Harwarth Field Application Engineer

Steinheilstraße 10 85737 Ismaning

Phone: 089/9624 45 214 Mail: [email protected]

Documents

Exploring Multicore for safety-critical Avionics Applications · Exploring Multicore for safety-critical Avionics Applications ... General Dynamics GE Aviation Harris Honeywell