Integration of Mixed Criticality Systems on MultiCores: Limitations, Challenges and Way ahead for Avionics

Transcription

1 Integration of Mixed Criticality Systems on MultiCores: Limitations, Challenges and Way ahead for Avionics TecDay 13./14. Oct Dietmar Geiger, Bernd Koppenhöfer 1

2 COTS HW Evolution - Single-Core Multi-Core Reassuringly excellent. Single Multi Intel Core I7 Moore s Law Source: Wikipedia, Die freie Enzyklopädie, , 2

3 Challenge From Single-Core to Multi-Core MPC8548 Reassuringly excellent. Proven - predictable Time Partitioning Only one SW is running at a given time P4080 Is this still predictable? Parallel Execution We can not predict the exact timing Source: 3

4 3.5 Worst Case Execution Time computation: Now we can execute the instruction Oh we forgot.. Memory Fetch Memory Page not open Memory Contention Fabric Contention Write buffer full L2 cache dirty L2 cache miss L1 cache miss This will not work!!!

5 Multi-Core Processor (MCP) Research what is going on in Europe? Selection of EU research projects on MCPs in Safety-critical Applications *) *) Automotive, Avionics, Industrial Manufacturing and Logistics, Internet of Things, Space ACROSS: EU funding; 04/2010 to 09/2013; 16 Partner; Total Budget 16 M RECOMP: EU funding; 04/2010 to 03/2013; 41 Partner; Total Budget 26 M ARAMIS: National (German) funding; 12/2011 to 11/2014; Total Budget 37 M EMC 2 : EU funding; 04/2014 to 03/2017; 98 Partner; Total Budget 100 M Other Multi-Core Activities: MCFA (Multi-Cores for Avionics Working Group); since September 2011: AUSTIN, Texas--Freescale Semiconductor (NYSE:FSL) has formed a working group with top North American and European commercial avionics manufacturers to define their information requirements for advanced Freescale multicore processors being used in commercial avionics applications.

6 Avionics System Evolution: From Single to Many Cores Processors ~2020 Equipment 1 Equipment 2 Equipment 3 IMA IMA-G2 App 1 Physical partitioning App 2 App 3 App 1 App 2 App 3 App 1 App 2 App 3 Single CORE Real Time OS Federated Architecture Limitation: Weight, Power, Size Single CORE Robust Partitioning via ARINC 653 OS Segregation in space and time domain Limitation: Performance Dual/Multi CORE A653-1 OS AMP model Challenge: Certification IMA: Integrated Modular Avionics AMP (Asymmetric Multi-processing): Each individual functional process is permanently allocated to a separate core and each core has its own operating system. 6

7 Integrated Modular Avionics (IMA) / Open Architecture Computing Platform Computing platform without applications Small size & low weight Low power consumption High computing power Various I/O types Allows integration of different applications CERTIFICATION - DO254 / DO178C - DO297?? 7

8 IMA Certification Challenges Highly integrated, complex system Higher risk for development errors and unintended effects Development of a finite test suite it is not practical (or impossible) Numerical methods for characterizing errors are not available Independence between functions, systems or items may be required to satisfy safety or regulatory requirements For catastrophic failure conditions common cause events must be precluded Independence must be shown by Common Cause Analysis Guidance: ARP 4754A However, for economical reasons we want to integrate and certify (parts of) independent aircraft functions/systems in one computing platform Guidance: DO297 8

9 DO297 suggestions wrt. shared resources Use partitioning Resources may be shared by the method of access time (acc. to ARINC653) Problem: A shared resource has the potential to become a single point of failure Solution: Use robust SW partitioning A SW partition must not contaminate the code, I/O or data storage areas of other partitions A SW partition is allowed to consume shared processor resources only during its allocated time A SW partition shall only consume its allocation of shared I/O resources Failures of SW unique to one SW partition must not cause adverse effects on other SW partitions Approved Method: Time and Space Partitioning Works on SingleCore but on MultiCore? 9

10 DO297 suggestions wrt. shared resources (2) The objective of robust partitioning is to provide the same level of functional, if not physical, isolation and protection as on federated architectures (DO ) Overview of certification process (DO ) Task 1: Module Acceptance Verification of the partitioning of the Computing Platform Without detailed knowledge of the applications Task 2: indiv. Application SW/HW Acceptance Task 3: IMA System Acceptance Task 4: Aircraft integration of IMA System (including validation and verification) Task 5:.. Change Task 6:.. Reuse Incremental Certification Certification of IMA is not an easy task It gets even worse if State-of-the-art COTS MCPs are used 10

11 4. Authority View DOT/FAA/AR-10/21 MICROPROCESSOR EVALUATIONS FOR SAFETY-CRITICAL, REAL- TIME APPLICATIONS: (Sept 2010) Because complete knowledge of the evaluated devices cannot be acquired, it must be assumed that they will malfunction and/or fail. This research defines safety net as the ability to demonstrate and protect against unintended/misleading device behavior at a level above the microprocessor/soc through an appropriate combination of board and system-level architecture. Possible Safety Net implementations: External monitoring of safety-related behavior Redundancy External watchdogs Architectures that allows run-time correction

12 4.1 Authority View - CAST 32 Limitations: Harmonized between EASA and FAA c. More than Two Active Cores The paper has not yet been extended for MCPs with more than two active cores. d. Single Systems Applicability Additional considerations beyond what is documented in this paper may be required for MCPs used in integrated modular avionics (IMA) applications The Certification Authorities are not currently aware of any MCP hardware and software implementations that would allow applications from more than one system to be partitioned in time on an MCP in the way that time partitioning is currently ensured for the applications of an IMA on a single core processor (SCP). f. Use of any MCP with Only One Core Activated Applicants intending to install an MCP but to only install software on one of the cores should ensure that any core without any software installed on it is deactivated and that any deactivated core does not interfere with the activated core or with the software hosted on it. 12

13 4.1 Authority View - CAST 32 Objectives to be fulfilled 16 objectives have to be fulfilled for determinism including configuration setting, errata data, hypervisors, interference channels, shared memory/cache, shared resources and coherency mechanisms. 6 objectives are defined for Software including SW plans, Verification plan, <incremental verification> applicability of RTCA/DO178C, data and control coupling and robustness testing. 2 objectives are defined for error monitoring and handling including safety net and availability 13

14 usage of state-of-the-art COTS Processors Stay with single Core processors Not really a long term solution Use deterministic MCPs Where is the Chip Vendor / Market (see results of ACROSS project) Use core intrinsic Resources (Cache) only It is not easy to find appropriate applications Does not help at conflicts with external resources Gain in-service experience of COTS MCPs How many hours do we need? In which configuration? No good COTS candidates exist, see results of RECOMP project Use COTS MCPs with System Safety Net Monitoring and mitigation on system level Application specific Use COTS MCPs with HW Safety Net Monitoring of the device function independent of the application on HW-level Versatile approach. However: Further research required, see EMC 2 project 14 14

15 Presentation Title runs here (go to Header & Footer to edit this text) Current Negotiations with Certification Authorities Industry sees CAST 32 as too stringent Negotiations between ASD (AeroSpace and Defence Industries Association of Europe), AIA (Aerospace Industry Association), GAMA, EASA, FAA Proposal prepared 3 Objectives for planning 4 Objectives for resource usage 2 Objectives for SW 1 Objective for Error Handling 1 Objective for Accomplishment Summary Interference channels are still an issue Next Meeting in Köln November October 2015

16 EMC 2 MCP-internal Monitoring Use on-chip debug facilities to implement a bandwidth and timing monitoring Display Monitor Processor (DAL-A) MS Flight Simulator Nexus IF DVI Position, Altitude, Airspeed (ARINC-429) Multicore Processor (Dual Core) Freescale P5020 e5500 core (2.0 GHz) e5500 core (2.0 GHz) GPU AMD E Map data

17 Summary Certification on MulitCore Processors is still an issue Despite several research projects there is still no generic solution Authorities are aware of the issue Very detailed knowledge/investigations necessary Processor resources Interference Channels SW architecture Safety Net seems to be mandatory Possible solution under investigation in frame of EMC2 research project 17 17

18 Thank you for your attention! Questions? Info: Bernd Koppenhoefer Dietmar Geiger Computing Platforms for Sensors Computing Platforms for Sensors Phone.: / Phone.: / Bernd.Koppenhoefer@airbus.com Dietmar.Geiger@airbus.com The reproduction, distribution and utilization of this document as well as the communication of its contents to others without express authorization is prohibited. Offenders will be held liable for the payment of damages. All rights reserved in the event of the grant of a patent, utility model or design

19 Appendix Measurement Results on MultiCores 19

20 Measurements Loading Test Program on Multicore Thread is only allowed to run on Core 2 This program now generates the two measuring threads T2 Thread code contains synchronisation points in order to align execution of both threads Core 2 Test Program Thread 2 As soon as main thread of program has finished, core 2 can run thread2 Core 1 Setup of Target System Kernel T1 Shell Thread is only allowed to run on Core 1 Thread 1 Both cores running in Parallel Loading code to target system with debugger Instruct shell to load Test Program with the desired Parameter As soon as shell was terminated, core 1 can run thread1 Exit command (Terminate shell) t 0 t 20

21 Measurements P5020 Block Diagram Processing cores with L1 Cache & L2 Cache L3 Cache (CPC) 21

22 Conclusion Interferences between cores identified! The execution time increased significantly by another synchronous SW task running in parallel. Setup of DMA causes a slight asynchrony between cores which reduces the interference effects The execution time increased slightly by an independent DMA access to main memory. 4 test setups in combination with different cache settings are compared for influence on the execution time. 22