Open Architecture Platforms for Avionics Applications: Challenges in Safety Critical Systems and possible solutions

Similar documents
PikeOS: Multi-Core RTOS for IMA. Dr. Sergey Tverdyshev SYSGO AG , Moscow

Applying Multi-core and Virtualization to Industrial and Safety-Related Applications

Making Multicore Work and Measuring its Benefits. Markus Levy, president EEMBC and Multicore Association

MULCORS-UseofMULticore procesorsinairbornesystems

Java Environment for Parallel Realtime Development Platform Independent Software Development for Multicore Systems

Memory Access Control in Multiprocessor for Real-time Systems with Mixed Criticality

Parameters for Efficient Software Certification

ARINC 653. An Avionics Standard for Safe, Partitioned Systems

Multicore partitioned systems based on hypervisor

Advanced Core Operating System (ACOS): Experience the Performance

Virtual Platforms Addressing challenges in telecom product development

Developing reliable Multi-Core Embedded-Systems with NI Linux Real-Time

Memory Isolation in Many-Core Embedded Systems

White Paper. Freescale s Embedded Hypervisor for QorIQ P4 Series Communications Platform

High Performance or Cycle Accuracy?

7a. System-on-chip design and prototyping platforms

White Paper 40-nm FPGAs and the Defense Electronic Design Organization

FPGA Prototyping Primer

Xeon+FPGA Platform for the Data Center

Industrial Application of MultiPARTES

evm Virtualization Platform for Windows

ISOLATING UNTRUSTED SOFTWARE ON SECURE SYSTEMS HYPERVISOR CASE STUDY

Bare-Metal, RTOS, or Linux? Optimize Real-Time Performance with Altera SoCs

A Data Centric Approach for Modular Assurance. Workshop on Real-time, Embedded and Enterprise-Scale Time-Critical Systems 23 March 2011

Packet Sniffer using Multicore programming. By B.A.Khivsara Assistant Professor Computer Department SNJB s KBJ COE,Chandwad

Networking Virtualization Using FPGAs

Notes and terms of conditions. Vendor shall note the following terms and conditions/ information before they submit their quote.

Model-based system-on-chip design on Altera and Xilinx platforms

Multiprocessor System-on-Chip

Design and Implementation of the Heterogeneous Multikernel Operating System

HIPEAC Segregation of Subsystems with Different Criticalities on Networked Multi-Core Chips in the DREAMS Architecture

IC-EMC Simulation of Electromagnetic Compatibility of Integrated Circuits

Certification Authorities Software Team (CAST) Position Paper CAST-13

Open Source Software

MPSoC Virtual Platforms

How To Design A Single Chip System Bus (Amba) For A Single Threaded Microprocessor (Mma) (I386) (Mmb) (Microprocessor) (Ai) (Bower) (Dmi) (Dual

Mixed-Criticality: Integration of Different Models of Computation. University of Siegen, Roman Obermaisser

IMA for space Status and Considerations

What s New in Mike Bailey LabVIEW Technical Evangelist. uk.ni.com

Boeing B Introduction Background. Michael J. Morgan

Embedded Systems: map to FPGA, GPU, CPU?

- Nishad Nerurkar. - Aniket Mhatre

Cisco Unified Computing System and EMC VNX5300 Unified Storage Platform

Resource Efficient Computing for Warehouse-scale Datacenters

Seven Challenges of Embedded Software Development

Decomposition into Parts. Software Engineering, Lecture 4. Data and Function Cohesion. Allocation of Functions and Data. Component Interfaces

Intel Data Direct I/O Technology (Intel DDIO): A Primer >

XtratuM hypervisor redesign for LEON4 multicore processor

Client/Server Computing Distributed Processing, Client/Server, and Clusters

Architectures and Platforms

Performance Evaluation of 2D-Mesh, Ring, and Crossbar Interconnects for Chip Multi- Processors. NoCArc 09

Secure Containers. Jan Imagination Technologies HGI Dec, 2014 p1

Memory Architecture and Management in a NoC Platform

Mixed-Criticality Systems Based on Time- Triggered Ethernet with Multiple Ring Topologies. University of Siegen Mohammed Abuteir, Roman Obermaisser

Proactive, Resource-Aware, Tunable Real-time Fault-tolerant Middleware

Agenda. Capacity Planning practical view CPU Capacity Planning LPAR2RRD LPAR2RRD. Discussion. Premium features Future

Parallel Programming Survey

System Software and TinyAUTOSAR

Rapid Modular Software Integration (RMSI)

Introduction to ARTEMIS Strategic Reseach Agenda. June 24, 2015

Figure 1 FPGA Growth and Usage Trends

FPGA Accelerator Virtualization in an OpenPOWER cloud. Fei Chen, Yonghua Lin IBM China Research Lab

on-chip and Embedded Software Perspectives and Needs

GEDAE TM - A Graphical Programming and Autocode Generation Tool for Signal Processor Applications

Qsys and IP Core Integration

Simplify rich applications & hard real-time

EECatalog SPECIAL FEATURE

Agenda. Michele Taliercio, Il circuito Integrato, Novembre 2001

Switch Fabric Implementation Using Shared Memory

The evolving ARINC 653 standard and it s application to IMA

Achieving QoS in Server Virtualization

On-Chip Communications Network Report

Industry Challenges in Embedded Software Development

Safety Analysis and Certification of Open Distributed Systems. P. M. Conmy; Department of Computer Science, University of York, York, YO10 5DD U.K.

Scaling from Datacenter to Client

Four Keys to Successful Multicore Optimization for Machine Vision. White Paper

Developing software for Autonomous Vehicle Applications; a Look Into the Software Development Process

White Paper Utilizing Leveling Techniques in DDR3 SDRAM Memory Interfaces

Building a Scalable Big Data Infrastructure for Dynamic Workflows

How To Improve Performance On A P4080 Processor

WIND RIVER HYPERVISOR

Improving Embedded Software Test Effectiveness in Automotive Applications

Architectures for Distributed Real-time Systems

Chapter 1 Computer System Overview

Scalability and Programmability in the Manycore Era

Virtualization Technologies and Blackboard: The Future of Blackboard Software on Multi-Core Technologies

AN FPGA FRAMEWORK SUPPORTING SOFTWARE PROGRAMMABLE RECONFIGURATION AND RAPID DEVELOPMENT OF SDR APPLICATIONS

Introduction to System-on-Chip

ARM Webinar series. ARM Based SoC. Abey Thomas

Transcription:

Open Architecture Platforms for Avionics Applications: Challenges in Safety Critical Systems and possible solutions First TCRTS Workshop on Certifiable Multicore Avionics Systems (CMAS) Seattle/WA, USA, 13.04.2015 Bernd Koppenhoefer 1

COTS HW Evolution - Single-Core Multi-Core Single Multi Moore s Law Intel Core I7 Source: Wikipedia, Die freie Enzyklopädie, 17.02.2015, https://de.wikipedia.org/wiki/datei:transistor_count_and_moore%27s_law_-_2011.svg 2

Challenge From Single-Core to Multi-Core MPC8548 Proven - predictable P4080 Is this still predictable? Time Partitioning Only one SW is running at a given time Parallel Execution We can not predict the exact timing Source: www.freescale.com 3

Example Freescale P4080 Evaluation Results Source: Leveraging Multi-Core Computing Architectures in Avionics, Jan Nowotsch, Michael Paulitsch Ninth European Dependable Computing Conference, 2012, DOI 10.1109/EDCC.2012.27 Maximum interference of one core by other cores test setup for DDR vs. SRAM (Level 3 Cache) Concurrent access to memory regions (4kB regions, 64B gap, 1 to 8 cores, ) time [µs] 10000 1000 100 10 DDR Key problem: loss of performance higher than gain (factor ~5 for 4 cores) 1 2 3 4 5 6 7 8 # cores time [µs] 1000 100 10 SRAM 1 2 3 4 5 6 7 8 # cores 4

Multi-Core Processor (MCP) Research what is going on in Europe? Selection of EU research projects on MCPs in Safety-critical Applications *) *) Automotive, Avionics, Industrial Manufacturing and Logistics, Internet of Things, Space ACROSS: EU funding; 04/2010 to 09/2013; 16 Partner; Total Budget 16 M RECOMP: EU funding; 04/2010 to 03/2013; 41 Partner; Total Budget 26 M ARAMIS: National (German) funding; 12/2011 to 11/2014; Total Budget 37 M EMC 2 : EU funding; 04/2014 to 03/2017; 98 Partner; Total Budget 100 M Other Multi-Core Activities: MCFA (Multi-Cores for Avionics Working Group); since September 2011: AUSTIN, Texas--Freescale Semiconductor (NYSE:FSL) has formed a working group with top North American and European commercial avionics manufacturers to define their information requirements for advanced Freescale multicore processors being used in commercial avionics applications. http://www.businesswire.com/news/home/20110914005110/en/freescale-collaborates-avionics-manufacturers-facilitate-certification-systems 5

ACROSS Proposed a new Cross Reference Architecture for safety-critical Multi-Core Processors Based on deterministic communication services between cores Developed a FPGA-based implementation (@ Altera Stratix IV) Generic Multi-Processor System on Chip Architecture Avionics domain: Demonstration of efficiency of new architecture with safety-critical application Situation Awareness for Helicopters Unfortunately, no commercial chip manufacturer wants to implement the new architecture 6

ACROSS Generic Multi-Processor System on Chip Architecture non-standardized solution based on fragment switches. Component based design approach (as is best practice in aerospace industry) Computation services segregated from communication services (trusted network) Maximized segregation of functions/services (ideally: one function per processing node) 7

RECOMP (Reduced Certification Costs for trusted Multi-Core Platforms) Investigated of several COTS Multi-Core Processor Architectures wrt. avionics certification Developed a Matrix with chip-internal interference channels Result: Usage of COTS Multi-Core processor is only possible with restrictions and mitigations 8

ARAMIS Investigated the implementation of chip-internal monitoring Complete functionality integrated in a single Multi-Core Chip (Freescale P4080) Avionics domain: Demonstration of efficiency of monitoring with an sample safety-critical radar application Sense & Avoid Application ported from a implementation using 8 DSPs to 4 Cores of P4080 Bandwidth monitoring guarantees calculation-integrity 9

ARAMIS SENSE and AVOID Demonstrator 10

EMC 2 (Embedded Multi-Core Systems for Mixed Criticality Applications in dynamic and changeable Real-time Environments) Investigates alternatives to limitations in CAST-32 SW applications from one system only two active MCP cores Avionics domain: Demonstration of an extended MCP-internal Safety-net based monitoring approach Using a Helicopter Terrain AWareness System (HTAWS) implementation on a Freescale P5020 11

EMC 2 Planned Tasks @ Avionics Domain 1. Implement HTAWS at one e5500 core and a Stress Application at other e5500 core 2. Search for MCP specific features (e.g. coherency fabrics which ensures that cache contend is exchanged between different cores) which may introduce interference channels between cores. 3. Investigate, if interference effects between cores can be detected by monitoring of MCP s internal resources (e.g. memory access rate) via external monitoring processor 4. Implement mitigation for some of the detectable effects 12

EMC 2 MCP-internal Monitoring Use on-chip debug facilities to implement a bandwidth and timing monitoring 13

Avionics System Evolution: From Single to Many Cores Processors 1980 2005 ~2020 Equipment 1 Equipment 2 Equipment 3 IMA IMA-G2 14 App 1 Physical partitioning App 2 App 3 Single CORE Real Time OS Federated Architecture Limitation: Weight, Power, Size App 1 App 2 App 3 Single CORE Robust Partitioning via ARINC 653 OS Segregation in space and time domain Limitation: Performance IMA: Integrated Modular Avionics AMP (Asymmetric Multi-processing): Each individual functional process is permanently allocated to a separate core and each core has its own operating system. App 1 App 2 Dual/Multi CORE A653-1 OS AMP model App 3 Challenge: Certification

Integrated Modular Avionics (IMA) / Open Architecture Computing Platform Computing platform without applications Small size & low weight Low power consumption High computing power Various I/O types Allows integration of different applications CERTIFICATION - DO254 / DO178C - DO297?? 15

IMA Certification Challenges Highly integrated, complex system Higher risk for development errors and unintended effects Development of a finite test suite it is not practical (or impossible) Numerical methods for characterizing errors are not available Independence between functions, systems or items may be required to satisfy safety or regulatory requirements For catastrophic failure conditions common cause events must be precluded Independence must be shown by Common Cause Analysis However, for economical reasons we want to integrate and certify (parts of) independent aircraft functions/systems in one computing platform Guidance: ARP 4754A Guidance: DO297 16

DO297 suggestions wrt. shared resources Use partitioning Resources may be shared by the method of access time (acc. to ARINC653) Problem: A shared resource has the potential to become a single point of failure Solution: Use robust SW partitioning A SW partition must not contaminate the code, I/O or data storage areas of other partitions A SW partition must not consume shared processor resources only during its allocated time A SW partition shall only consume its allocation of shared I/O resources Failures of SW unique to one SW partition must not cause adverse effects on other SW partitions Approved Method: Time and Space Partitioning 17

DO297 suggestions wrt. shared resources (2) The objective of robust partitioning is to provide the same level of functional, if not physical, isolation and protection as on federated architectures (DO297 2.3.3) Overview of certification process (DO297 4.1) Task 1: Module Acceptance Verification of the partitioning of the Computing Platform Without detailed knowledge of the applications Task 2: indiv. Application SW/HW Acceptance Task 3: IMA System Acceptance Task 4: Aircraft integration of IMA System (including validation and verification) Task 5:.. Change Task 6:.. Reuse Certification of IMA is not an easy task It gets even worse if State-of-the-art COTS MCPs are used Incremental Certification 18

Alternatives @ usage of state-of-the-art COTS Processors Stay with single Core processors Not really a long term solution Use deterministic MCPs Where is the Chip Vendor / Market (see results of ACROSS project) Use core intrinsic Resources (Cache) only It is not easy to find appropriate applications Does not help at conflicts with external resources Gain in-service experience of COTS MCPs How many hours do we need? In which configuration? No good COTS candidates exist, see results of RECOMP project Use COTS MCPs with System Safety Net Monitoring and mitigation on system level Application specific Use COTS MCPs with HW Safety Net Monitoring of the device function independent of the application on HW-level Versatile approach. However: Further research required, see EMC 2 project 19

Wish List for Future Open Architecture Platform Use MPC based platform with one Application (and one OS?) per core HW/SW Services provided for robust partitioning For higer DAL level use HW based safety net with external processor Reduced verification cost by Incremental Verification Certification done in Final Configuration Update requires recertification and impact analysis 20

Summary Open Architectures may help to save cost for integration, certification and maintaining systems Powerful HW Platforms required Certification issues of state-of-the-art processors (MCPs) still not solved To overcome this limitations very detailed knowledge and additional measures necessary 21

Info: Thank you for your attention! Questions? Bernd Koppenhoefer Dietmar Geiger Computing Platforms for Sensors Computing Platforms for Sensors Phone.: +49 731 / 392 5354 Phone.: +49 731 / 392 4190 Bernd.Koppenhoefer@cassidian.com Dietmar Geiger@cassidian.com The reproduction, distribution and utilization of this document as well as the communication of its contents to others without express authorization is prohibited. Offenders will be held liable for the payment of damages. All rights reserved in the event of the grant of a patent, utility model or design. 22

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information