The Challenges of Developing Embedded Real-Time Aerospace Applications on Next Generation Multi-core Processors
Eur Ing Paul Parkinson FIET
Principal Systems Architect, A&D
Aviation Electronics Europe, Munich, 20-21 March 2016
© 2016 Wind River. All Rights Reserved.

Agenda
Factors influencing processor selection in the avionics market
Historical processor selection
RTOS safety certification
The Challenges of Multi-core processor selection
  I. Mission-critical systems
  II. Fast boot
  III. BIOS certification
  IV. Multi-core certification
Conclusions

Processor selection in the avionics market
Influencing factors:
  I. US DOD directive on use of COTS (1994)
  II. Adoption of Integrated Modular Avionics (IMA) architectures
  III. Advent of Multicore Processors
Impact:
  Decline of military-grade processors
  COTS processor obsolescence
  IMA single-core processor consolidation
  Fragmentation of multi-core processor selection
[Image: Republic F-105B with avionics layout. Source: US Air Force, public domain]

Historical Processor Selection
Selection criteria including, but not limited to:
  Performance
  Power dissipation
  Extended temperature range
  Longevity
  Access to processor design information
  DO-254 / ED-80 hardware safety certification
Processors widely-used in avionics include:
  750, MPC74xx processors
  MPC8349E, MPC8548E, MPC8572 and MPC8641D integrated processors

RTOS Safety Certification
Wind River perspective
  Wind River ported VxWorks to multiple processor architectures: ARM, MIPS, SPARC and x86
  Different requirements across multiple vertical markets
DO-178B / ED-12B Level A software certification
  Very expensive, and specific to individual processor architecture
  Cost of certification on all supported architectures would be prohibitive
Wind River certification approach
  First DO-178B / ED-12B Level A certification package on 750 in 2001
  COTS certification evidence approach enabled NRE costs to be amortised across multiple customers & programmes
  Reduces cost of certification for each programme
  Creates a virtuous circle for follow-on programmes

VxWorks RTOS Certification History
[Figure: timeline, 2000 to 2015, of VxWorks Cert certifications (including DO-178 Level B and IEC-61508 SIL 3) for federated systems and VxWorks 653 certifications (including VxWorks 653 + FACE), by processor. Processors labelled in the figure include 750, 750GX, 74xx, MPC7447, 8245, 8280, MPC8270, MPC8349E, MPC8548 (e500v2), MPC8560, MPC8641D*, P4080* (e500mc), Intel Pentium III, Intel Core 2 Duo* and Intel Atom*. * denotes single core operation.]

The Challenge of Multi-core Processor Selection
Performance of single-core processors limited by clock speed
Transition to multi-core driven by performance demands and processor volumes of commercial market segments
Use of multi-core architectures presents challenges for use in safety-critical systems
Research into multi-core processor architectures has revealed variation in suitability of individual designs for avionics

The Challenge of Multi-core Processor Selection
Uncertainty about use of multi-core in avionics compounded by:
  i. Lack of formal policy on use of multi-core by EASA / FAA (currently only position papers published)
  ii. Single-core processors nearing end of silicon availability
  iii. Historical dominance of Power architecture in embedded is declining
  iv. Increasing performance of ARM processors leading to consideration
  v. Low power dissipation of Intel 14nm processors leading to consideration

The Challenge of Mission-Critical Systems
Impact on the success of a mission but not safety of the aircraft
  Auxiliary systems, sensor payloads, other applications
  Signal processing and image processing are compute intensive
AltiVec vector processing engines on some architectures:
  Enables performance speed-up via parallel operations
  VxWorks support for vector processing engines introduced in 2001
  Recent QorIQ T208x provides multi-core migration path for AltiVec applications
Intel Advanced Vector Extensions (AVX) on Core i7 multi-core
  Enables consolidation of applications from single-core processors, reducing SWaP
  VxWorks support for Intel 64-bit, AVX and hyperthreading introduced in 2011
  64-bit overcomes 32-bit 4 Gbyte memory limit which can impact sensor applications

The Challenge of Fast Boot
Start-up time requirement:
  "Recognizably valid pitch and roll data should be available within one second on the affected displays."
  FAA Advisory Circular AC25-11B, 7th October 2014
Avionics systems impact:
  Processor initialisation, run boot loader, load RTOS, start application and display meaningful data all within one second
VxWorks support for fast boot
  Can be achieved on multiple architectures by directly booting VxWorks from flash
  Can fast boot also be achieved on Intel architectures?

VxWorks boot performance on Intel architecture
[Figure, not to scale: two boot sequences compared]
Optimised approach: Hardware reset, Intel FSP + Boot loader, VxWorks RTOS, Application: 600ms
Traditional approach: Hardware reset, BIOS, Boot loader, VxWorks RTOS, Application: multiple seconds

The Challenge of BIOS Certification
Firmware initialisation code
  Initialises processor before boot loader loads and runs RTOS
  Needs to be considered as part of DO-178 / ED-12 software certification
  May be integrated as part of RTOS initialisation code on some architectures
BIOS
  Traditionally used on Intel architectures
  Often third-party, supplied in binary format, source code not available
  DO-178 / ED-12 certification may not be feasible
  Wind River adopted alternative approach for DO-178B Level B certification of EGNOS
Intel Firmware Support Package
  Provides potential for source-level optimisation and certification

The Challenge of Multi-core Certification
Multi-core certification providing challenges
  Lack of formal guidance / policy presents risks
  FAA CAST-32 and EASA MULCORS papers should be taken into consideration
Use of multi-core processors will become a necessity
  End of silicon availability of single-core processors
  Use of one core initially with spare capacity of unused cores for future growth
Use of 4 or 8 core processors not currently addressed
CAST-32 Multicore Determinism objectives
  Require that deactivated core cannot become active unintentionally

The Challenge of Multi-core Certification
Core deactivation approach is dependent on architecture:
  1) Regular read of control registers followed by reset of value when state change detected
  2) Regular write to control registers to maintain desired state
Processor performance monitoring units
  May enable state of a core to be determined independently
Software implementation processor-specific:
  Depends on whether core has ability to deactivate another core
  QorIQ T2080 provides ability for individual core to disable other cores
Ability to deactivate individual cores and develop a safety case may require access to detailed technical information
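
An added sketch of the two register-guard approaches listed above (not from the original slides and not Wind River code). The control register is simulated in memory; its layout (bit n set means core n is disabled), `REQUIRED_DISABLED` and all function names are assumptions, since real register names, addresses and polarity are processor-specific.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed layout: bit n set = core n disabled. Cores 1-3 must stay off. */
#define REQUIRED_DISABLED 0x0Eu

typedef struct {
    volatile uint32_t *ctrl;  /* core-disable control register */
    uint32_t required;        /* bits that must remain set */
    uint32_t violations;      /* unintended state changes detected */
} core_guard;

/* Approach 1: read, compare, restore. Returns true when a deviation was
 * found, so the caller can record evidence or raise a health-monitor event. */
bool guard_check_and_restore(core_guard *g) {
    uint32_t now = *g->ctrl;
    if ((now & g->required) == g->required) return false;
    g->violations++;
    *g->ctrl = now | g->required;
    return true;
}

/* Approach 2: unconditional periodic write. Restores state, records nothing. */
void guard_force(core_guard *g) { *g->ctrl = *g->ctrl | g->required; }

static volatile uint32_t sim_reg;  /* constructed stand-in for the register */

/* Constructed scenario: core 2 is re-enabled between two periodic checks. */
uint32_t demo_read_restore(void) {
    sim_reg = REQUIRED_DISABLED;
    core_guard g = { &sim_reg, REQUIRED_DISABLED, 0 };
    guard_check_and_restore(&g);   /* tick 1: nominal */
    sim_reg &= ~(1u << 2);         /* injected fault */
    guard_check_and_restore(&g);   /* tick 2: detected and restored */
    guard_check_and_restore(&g);   /* tick 3: nominal again */
    return g.violations;
}

uint32_t demo_force(void) {
    sim_reg = REQUIRED_DISABLED;
    core_guard g = { &sim_reg, REQUIRED_DISABLED, 0 };
    sim_reg &= ~(1u << 2);         /* injected fault */
    guard_force(&g);               /* next tick rewrites the desired state */
    return sim_reg;
}

int main(void) {
    printf("read/restore violations: %u\n", (unsigned)demo_read_restore());
    printf("forced register value: 0x%02X\n", (unsigned)demo_force());
    return 0;
}
```

Both approaches leave a window of up to one check period in which the core could be active; only the first leaves a record that the state changed.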

Conclusions
Avionics market transitioning from single-core to multi-core, driven by demands of commercial markets
Silicon advances now presenting a broader range of processors which may be suitable for avionics applications
Experience gained on multi-core architectures likely to create a virtuous circle of support of COTS certification solutions leading to further adoption