Plan With Confidence: Route to a Successful DO-178C Multi-Core Certification
Speakers: Harold G. Tiedeman, Jr., Technical Fellow, Rockwell Collins; Paul J. Parkinson, Principal Systems Architect, Wind River
Moderator: John McHale, OpenSystems Media
Agenda
 Housekeeping
 Presentation
 Questions and Answers
 Wrap-up
© 2018 WIND RIVER. ALL RIGHTS RESERVED.
PLAN WITH CONFIDENCE: ROUTE TO A SUCCESSFUL DO-178C MULTI-CORE CERTIFICATION
Harold G. Tiedeman, Jr., Technical Fellow, Rockwell Collins
Paul Parkinson, Principal Systems Architect, Wind River
Web Seminar, September 27, 2018
INTRODUCTION
 Current state of the art in civil certified processors
– Single-core, complex system-on-chip
– Single-core-active designs (multi-core devices with only one core enabled)
 Partitioned operating systems
– Support multi-DAL software
– Mature and in service, in both civil and military systems
 Next logical step: full multi-core with all cores active
– Realize performance and SWaP benefits
– Must prove safety and deterministic behavior
 Never before accomplished
WHAT IS UNIQUE ABOUT MULTI-CORE PROCESSORS?
 Provide increased performance potential
 Challenges for application isolation and determinism
 Variation in suitability of designs for use in avionics
 Shared resources provide multi-core interference potential
 Analysis of behavior and worst-case execution timing (WCET) is more complex
 Processor design information may not be available for hardware analysis
[Figure: Notional multi-core processor architecture with shared L2 cache. Core #1 and Core #2 each have a private L1 I-cache and L1 D-cache; both share one L2 cache through a coherency module, the shared resource through which the cores can interfere with each other.]
RELATIONSHIPS AND INDUSTRY INVOLVEMENT
 Engage OEMs and civil and military certification authorities
– Start early to help them understand the issues
– Agree how to address each one
 Use proprietary relationships
– Operating system (OS) vendors
– System-on-chip (SoC) vendors
 Aligned with the EASA multi-core certification review item (CRI) and the FAA Certification Authorities Software Team (CAST) position paper CAST-32A
 Engage internal subject matter experts to make the leap to multi-core systems
 Use certification authorities and certification liaisons to help guide efforts
SELECTING THE RIGHT MULTI-CORE PROCESSOR: MULTICORE FOR AVIONICS (MCFA)
 Rockwell Collins MCFA involvement
– Founding member and executive board member
– Multiple individuals engaged from both the Commercial and Government Systems businesses
 Processor assessments conducted by Rockwell Collins
– Reviews conducted at the supplier's site
– Based on a set of questions and artifacts established by MCFA
– Provide insight into the vendor's processes for development, production, and quality
– Freescale/NXP QorIQ P-Series assessment completed summer 2011
– Freescale/NXP QorIQ T-Series assessment completed summer 2016
 Freescale (FSL) became part of NXP in December 2015
NXP public presentation on MCFA: https://community.nxp.com/docs/DOC-331635
SELECTING THE RIGHT MULTI-CORE PROCESSOR: PROCESSING PLATFORM DEFINITION
 Multi-core common processing resource (MCPR)
– Common reusable logical and schematic design
– Can be laid out repeatedly as necessary for various form factors
 Includes
– Multi-core processor
– System memory
– DAL A hardware monitor FPGA and software monitors
– Ethernet networking
– Basic I/O (serial and discretes)
– Non-volatile storage (NAND, NOR, nvROM)
 Target: 4x the performance of the existing product line
SELECTING THE RIGHT MULTI-CORE PROCESSOR: PROCESSOR SELECTION
 The Freescale/NXP quad-core QorIQ T2080 SoC has been chosen for the MCPR
– The process can be iterative as deep dives occur
– A switch from the previous plan to use the NXP P-series
 T2080 provides a significant processing advantage
– e6500 core improves integer and floating-point processing (2x improvement)
– About 5.5x DMIPS performance over the baseline processor
 Higher-performance internal SoC interconnect fabric significantly reduces interference
 Additional I/O controllers provide better mitigation options to reduce interference
 Performance enhancements, e.g., AltiVec™ and dual threading, at no added power
[Figure: NXP QorIQ P4080 processor block diagram (image: NXP). Core complex of Power Architecture e500mc cores, each with 32 KB I-cache, 32 KB D-cache and a 128 KB backside L2, plus two 1024 KB frontside CoreNet platform caches; two 64-bit DDR2/3 memory controllers with ECC; CoreNet coherency fabric with peripheral access management units (PAMUs); security fuse processor and security monitor; SEC 4.0 and PME 2.0 accelerators, queue and buffer managers, two frame managers (parse, classify, distribute; 10G plus 4x 1G each); 2x DMA, 3x PCIe and 2x sRIO on an 18-lane 5 GHz SerDes; 2x USB 2.0 with ULPI, eLBC, SD/MMC, 2x DUART, 1x I2C, SPI, GPIO, power management; real-time debug (watchpoint, cross trigger, performance monitor, trace, Aurora). Some networking elements apply only to the P4080/P4040 or P4080/P4081 variants.]
[Figure: NXP QorIQ T2080 processor block diagram (image: NXP). Core complex of four dual-threaded (T1, T2) Power e6500 cores, each with 32 KB I-cache and 32 KB D-cache, sharing a 2 MB banked L2 and a 512 KB CoreNet platform cache (L3) with prefetch; one 64-bit DDR2/3 memory controller; coherency fabric with PAMUs; security fuse processor and security monitor; SEC 5.2, PME 2.1, DCE 1.0 (XOR, CRC), RMan, queue and buffer managers, frame manager (parse, classify, distribute; HiGig/+, DCB; 4x 1/2.5/10G and 2x 1/2.5G); 3x 8-channel DMA, 4x PCIe, 2x sRIO and 2x SATA 2.0 on two 8-lane SerDes; IFC, SDXC/eMMC, 2x DUART, 4x I2C, SPI, GPIO, 2x USB 2.0 with PHY, power management; real-time debug (watchpoint, cross trigger, performance monitor, trace, Aurora).]
REQUIREMENTS FOR A SAFETY-CRITICAL OPERATING PLATFORM
 Open architecture reduces system integration costs
Multiple Guest OS
 Preserves investment in existing applications
Consolidation
 Consolidates onto a single platform, reducing size, weight, and power (SWaP) requirements
Virtualization Support
 Enables flexible configuration using efficient hardware virtualization support
Open Standards
 Enables hosting of portable POSIX®, ARINC 653, and FACE™ applications
Flexible Business Model
 Supports a product line approach and multiple customers without additional licensing overhead
Safety Certification
 Low perceived DO-178C certification risk
 Supports incremental certification
SELECTING THE RIGHT OS PLATFORM FOR MULTI-CORE CERTIFICATION
 Wind River safety-critical track record:
– 2000: VxWorks Cert for federated applications
– 2002: VxWorks 653 for IMA applications
 Integrated modular avionics (IMA)
– Enables many federated systems to be hosted on a common computing platform
– Reduces SWaP
 VxWorks 653
– Supports ARINC 653, POSIX®, VxWorks, and Ada applications
– Provides COTS DO-178 certification packages
– First OS to achieve conformance certification for the FACE™ OSS Safety Base Profile
[Chart: VxWorks and VxWorks 653 cumulative design wins, cumulative federated and cumulative IMA projects]
SELECTING THE RIGHT OS PLATFORM FOR
MULTI-CORE CERTIFICATION
 High-level design goals for VxWorks 653 Multi-core Edition
• COTS RTCA DO-178C DAL A certification evidence
• Support of multiple DALs on multiple cores
• Perform static configuration and enforcement as per ARINC 653
• Perform fault isolation and containment (health monitors)
• Enable IMA role-based development and delivery as per RTCA DO-297
• Robust partitioning of application and OS environments for ease of updates and reduced certification burden
SELECTING THE RIGHT OS PLATFORM FOR MULTI-CORE CERTIFICATION
[Figure: VxWorks 653 Multi-Core Edition system architecture. Bottom to top: multi-core hardware with hardware virtualization support; board support and architecture support; avionics bus support (MIL-STD-1553B, ARINC 429, ARINC 664, SAE AS6802, ...); the VxWorks 653 application executive, driven by XML configuration data; and, across Core 0 to Core 3, five partitions: a DAL B flight management application on a VxWorks partition OS, a DAL A flight display application on an ARINC 653 guest OS, a DAL C sensor intelligence application on a VxWorks partition OS, DAL E new applications on a Linux guest OS, and DAL E legacy applications on a legacy guest OS.]
Virtual machines
– Virtualized partition guest operating systems and applications
– Enable consolidation of applications onto a common platform
– Reduce program migration and lifecycle costs compared to multiple LRUs
Type-1 hypervisor-based module operating system
– Provides lightweight supervision of multiple cores
– Utilizes full hardware virtualization assistance
– Implements ARINC 653 health management
Independent Build, Link and Load (IBLL)
– Supports role-based development as per DO-297
– XML system configuration and a DO-178C qualified XML-to-binary compiler
– Minimizes the impact of change
– Significantly reduces the cost of incremental certification
COMPLYING WITH FAA CAST-32A MULTI-CORE OBJECTIVES
 Initial lack of FAA and EASA formal policy on multi-core processors
 Publication of the FAA CAST-32A multi-core objectives in 2016
 Rockwell Collins and Wind River collaborative approach
 Positive feedback on the approach from multiple certification agencies
COMPLYING WITH FAA CAST-32A MULTI-CORE OBJECTIVES
Objective, and why it's important:
 MCP_Planning_1: Plans identify the MCP software architecture (including dynamic and IMA aspects).
– Why it's important: The plans provide the overall system design context for the certifying authority.
 MCP_Planning_2: Plans provide a high-level description of how MCP shared resources and dynamic features will be used and how the applicant intends to allocate and verify the use of shared resources.
– Why it's important: Planning shows that the applicant has thought through critical multi-core issues that could impact the execution of the application software.
 MCP_Resource_Usage_1: The applicant has determined and documented the MCP configuration settings.
– Why it's important: MCPs are extremely complex and likely have configuration settings that could negatively impact system safety.
 MCP_Resource_Usage_2: The applicant has planned, developed, documented, and verified a means that ensures that in the event of any of the critical configuration settings of the MCP being inadvertently altered, an appropriate means of mitigation is specified.
– Why it's important: Configuration settings could be inadvertently modified by software errors or single event upsets in ways that result in undefined behavior if not mitigated.
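One way to implement the detection and mitigation that MCP_Resource_Usage_1 and MCP_Resource_Usage_2 ask for, as an added example that is not code from the presentation, from Rockwell Collins or from VxWorks 653: a health-monitor routine keeps the documented critical settings in a table, signs them with a CRC, re-reads them periodically, and restores the baseline when a setting has been altered. The SoC configuration space is simulated by an array so the code runs on a host, and every register name, offset, mask and expected value is hypothetical.

```c
/*
 * Critical configuration-register integrity monitor (added example; not
 * from the presentation, Rockwell Collins or VxWorks 653). The register
 * space is simulated by an array; on target reg_read()/reg_write() would
 * be volatile accesses to memory-mapped registers. All settings are
 * hypothetical.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define REG_SPACE_WORDS 64
static uint32_t g_regs[REG_SPACE_WORDS];            /* simulated config space */

static uint32_t reg_read(uint32_t off)              { return g_regs[off / 4]; }
static void     reg_write(uint32_t off, uint32_t v) { g_regs[off / 4] = v; }

/* One documented critical setting: which bits matter and what they must be. */
typedef struct {
    const char *name;
    uint32_t    offset;    /* byte offset into configuration space */
    uint32_t    mask;      /* bits that make up the critical setting */
    uint32_t    expected;  /* required value of those bits */
} cfg_setting_t;

/* The documented MCP configuration (hypothetical settings). */
static const cfg_setting_t CFG_BASELINE[] = {
    { "L2_WAY_PARTITION", 0x10, 0x000000FFu, 0x0000003Cu }, /* cache ways per core */
    { "PAMU_ENABLE",      0x20, 0x00000001u, 0x00000001u }, /* DMA goes through PAMU */
    { "DDR_ECC_CTRL",     0x30, 0x00000003u, 0x00000003u }, /* ECC detect + correct */
    { "CORE_PREFETCH",    0x40, 0x00000010u, 0x00000000u }, /* HW prefetch off */
};
#define CFG_BASELINE_COUNT (sizeof CFG_BASELINE / sizeof CFG_BASELINE[0])

/* Bitwise CRC-32 (reflected polynomial 0xEDB88320) over one 32-bit word. */
static uint32_t crc32_word(uint32_t crc, uint32_t word)
{
    crc ^= word;
    for (int i = 0; i < 32; i++)
        crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    return crc;
}

/* Signature over the masked critical bits only, so non-critical bits in the
 * same registers do not affect it. Record it at qualification time; a
 * different value in service means a critical setting moved. */
uint32_t cfg_signature(void)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < CFG_BASELINE_COUNT; i++)
        crc = crc32_word(crc, reg_read(CFG_BASELINE[i].offset) & CFG_BASELINE[i].mask);
    return crc ^ 0xFFFFFFFFu;
}

/* Write the documented baseline (what the boot loader or OS does at start). */
void cfg_apply_baseline(void)
{
    for (size_t i = 0; i < CFG_BASELINE_COUNT; i++) {
        uint32_t v = reg_read(CFG_BASELINE[i].offset);
        v = (v & ~CFG_BASELINE[i].mask) | CFG_BASELINE[i].expected;
        reg_write(CFG_BASELINE[i].offset, v);
    }
}

/* Re-read every critical setting. Returns the number of mismatches; if
 * first_bad is non-NULL it receives the index of the first bad one, or -1. */
int cfg_verify(int *first_bad)
{
    int bad = 0;
    if (first_bad) *first_bad = -1;
    for (size_t i = 0; i < CFG_BASELINE_COUNT; i++) {
        uint32_t actual = reg_read(CFG_BASELINE[i].offset) & CFG_BASELINE[i].mask;
        if (actual != CFG_BASELINE[i].expected) {
            if (bad == 0 && first_bad) *first_bad = (int)i;
            bad++;
        }
    }
    return bad;
}

/* Periodic health-monitor action: detect, report, restore. Returns the
 * mismatch count found before restoring. A real monitor would also raise an
 * ARINC 653 health-management event so the fault is recorded. */
int cfg_check_and_restore(void)
{
    int idx;
    int bad = cfg_verify(&idx);
    if (bad > 0) {
        printf("config integrity: %d mismatch(es), first in %s\n", bad, CFG_BASELINE[idx].name);
        cfg_apply_baseline();
    }
    return bad;
}

/* Flip bits in a register, as a software error or single event upset would. */
void cfg_simulate_upset(uint32_t offset, uint32_t bits)
{
    reg_write(offset, reg_read(offset) ^ bits);
}

int main(void)
{
    cfg_apply_baseline();
    uint32_t golden = cfg_signature();
    cfg_simulate_upset(0x20, 0x1u);                 /* PAMU silently disabled */
    int found = cfg_check_and_restore();
    printf("found %d, after restore %d, signature restored: %s\n", found,
           cfg_verify(NULL), cfg_signature() == golden ? "yes" : "no");
    return (found == 1 && cfg_verify(NULL) == 0) ? 0 : 1;
}
```

The masking matters: a bit outside the documented critical set may legitimately change (status bits, counters) without the monitor tripping, while any change to a critical bit is caught by both the per-setting check and the signature. On a real platform the monitor itself would live in a DAL A partition or in the hardware monitor FPGA described on the MCPR slide, so that it is not subject to the faults it is watching for.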
COMPLYING WITH FAA CAST-32A MULTI-CORE OBJECTIVES
Objective, and why it's important:
 MCP_Resource_Usage_3: The applicant has identified the interference channels and has verified the means of mitigation of the interference.
– Why it's important: Interference channels are a source of jitter and performance degradation and may have a significant, negative impact on the determinism of the processing system.
 MCP_Resource_Usage_4: The applicant has identified, allocated, and verified that the available resources of the MCP and of its interconnect are sufficient to meet the demands of the integrated software.
– Why it's important: MCP shared resources could be oversubscribed by the full collection of hosted software, resulting in degradation of expected functionality.
 MCP_Software_1: There is verification that all the hosted software components function correctly and have sufficient time to complete their execution when all the hosted software is executing in the intended final configuration.
– Why it's important: Software applications running simultaneously on different cores impact each other's execution timing and need to be integrated together to understand the impacts on operational behavior.
COMPLYING WITH FAA CAST-32A MULTI-CORE OBJECTIVES
Objective, and why it's important:
 MCP_Software_2: Verification that the data and control coupling is correct during software requirement-based testing.
– Why it's important: Data and control coupling across cores is more complex than coupling across partitions on a single-core processor and may result in unintended behavior if not verified to be correct.
 MCP_Error_Handling_1: Identification of the effects of failures that may occur within the MCP, and planning, design, implementation, and verification of means by which to detect and handle those failures in a fail-safe manner.
– Why it's important: The high level of integration of device functions and peripheral interfaces typically found within multi-core SoC designs drives a need for more built-in test and monitoring for desired behavior.
 MCP_Accomplishment_Summary_1: The applicant has summarized in their SAS, HAS (software or hardware accomplishment summary), or other deliverable documentation how they have met each of the objectives of this document.
– Why it's important: Provides a reference for the evidence developed to build assurance that the MCP system design is appropriate for safety-critical use.
MULTI-CORE CERTIFICATION APPROACH: EXECUTION FLOW
 Much of the multi-core-specific certification effort executes in parallel with the typical engineering development flow
 Feedback loops need to exist
– Interference research may drive system or software requirements
– Changes in system functional requirements may drive new interference channels or alter existing channels
[Figure: execution flow. Multi-core certification track: research processor design; assess non-determinism and mitigation techniques; create CAST-32A plan; define configuration; analyze interference channels and mitigate impacts; perform partitioning and shared memory analyses; capture CAST-32A accomplishments in HAS/SAS. Engineering track, running in parallel with feedback between the two: functional system requirements; develop system; verify system.]
MULTI-CORE CERTIFICATION APPROACH: DETERMINISM ANALYSIS
 Determinism analysis addresses many CAST-32A concerns
 The determinism analysis is split into five activities:
– Configuration analysis
– Interference channel analysis
– Partition analysis
– Shared memory analysis
– Errata analysis
 Configuration analysis documents the SoC settings
 Interference channel analysis quantifies the behavior of the SoC
 Partition and shared memory analyses ensure that the software architecture results in robust behavior
 Errata analysis demonstrates the maturity of the platform and addresses reported problems
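The arithmetic that links the interference channel analysis to the partition analysis above, and to MCP_Resource_Usage_4 and MCP_Software_1, as an added example that is not code from the presentation, from Rockwell Collins or from VxWorks 653: an offline checker takes each partition's solo WCET (measured with the other cores idle) and the slowdown factor measured for each shared resource it uses, inflates the WCET, and verifies that the inflated value fits the partition's window on its core, that windows on one core do not overlap, and that nothing runs past the major frame. Channel names, factors, partitions and the major frame are constructed sample data; multiplying the factors together is one pessimistic composition rule chosen for the example, not the presenters' method.

```c
/*
 * Static-schedule timing feasibility check with measured interference
 * factors (added example; not from the presentation or VxWorks 653).
 * Integer permille arithmetic with ceiling rounding keeps the result
 * deterministic and never under-budgets. All data below is constructed.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define N_CHANNELS 4

/* Interference channels from the analysis. factor_permille is the worst
 * contended/solo slowdown measured for a victim on one core while the other
 * cores stress that channel, times 1000 (1350 = 1.35x). */
typedef struct { const char *name; uint32_t factor_permille; } channel_t;

static const channel_t CHANNELS[N_CHANNELS] = {
    { "shared_L2",      1350 },
    { "DDR_controller", 1600 },
    { "CoreNet_fabric", 1100 },
    { "PCIe_DMA",       1250 },
};

typedef struct {
    const char *name;
    int      core;               /* core the partition is bound to */
    uint32_t window_start_us;    /* offset inside the major frame */
    uint32_t window_len_us;
    uint32_t solo_wcet_us;       /* measured with the other cores idle */
    uint8_t  uses[N_CHANNELS];   /* 1 if the partition touches channel i */
} partition_t;

#define MAJOR_FRAME_US 20000u

static const partition_t SAMPLE[] = {
    /* name,          core, start,   len,  solo,  L2 DDR fab PCIe */
    { "FMS_DAL_B",     0,       0, 10000,  6000, {1, 1, 0, 0} },
    { "Display_DAL_A", 1,       0, 12000,  5000, {1, 0, 1, 0} },
    { "Sensor_DAL_C",  2,       0,  8000,  4000, {0, 1, 0, 1} },
    { "Linux_DAL_E",   3,       0, 20000,  9000, {0, 1, 0, 1} },
    { "Legacy_DAL_E",  3,   16000,  5000,  2000, {0, 0, 0, 0} },
};
#define SAMPLE_COUNT (sizeof SAMPLE / sizeof SAMPLE[0])

/* Multiply by factor/1000, rounding up; 64-bit intermediate avoids overflow. */
static uint32_t scale_up(uint32_t us, uint32_t permille)
{
    uint64_t num = (uint64_t)us * permille + 999u;
    return (uint32_t)(num / 1000u);
}

/* Inflate the solo WCET by every channel the partition uses. Multiplying the
 * factors assumes the channels interfere independently, which is
 * pessimistic and therefore the safe direction for a budget. */
uint32_t inflated_wcet_us(const partition_t *p)
{
    uint32_t w = p->solo_wcet_us;
    for (int c = 0; c < N_CHANNELS; c++)
        if (p->uses[c]) w = scale_up(w, CHANNELS[c].factor_permille);
    return w;
}

/* Check the whole schedule; prints each finding, returns the violation count. */
int check_schedule(const partition_t *parts, size_t n, uint32_t major_frame_us)
{
    int violations = 0;
    for (size_t i = 0; i < n; i++) {
        const partition_t *p = &parts[i];
        uint32_t p_end = p->window_start_us + p->window_len_us;
        if (p_end > major_frame_us) {
            printf("%s: window ends at %u us, beyond the %u us major frame\n",
                   p->name, (unsigned)p_end, (unsigned)major_frame_us);
            violations++;
        }
        uint32_t need = inflated_wcet_us(p);
        if (need > p->window_len_us) {
            printf("%s: inflated WCET %u us exceeds window %u us (solo %u us)\n",
                   p->name, (unsigned)need, (unsigned)p->window_len_us,
                   (unsigned)p->solo_wcet_us);
            violations++;
        }
        for (size_t j = i + 1; j < n; j++) {        /* same-core overlap */
            const partition_t *q = &parts[j];
            uint32_t q_end = q->window_start_us + q->window_len_us;
            if (q->core == p->core &&
                p->window_start_us < q_end && q->window_start_us < p_end) {
                printf("%s and %s overlap on core %d\n", p->name, q->name, p->core);
                violations++;
            }
        }
    }
    return violations;
}

int main(void)
{
    int v = check_schedule(SAMPLE, SAMPLE_COUNT, MAJOR_FRAME_US);
    printf("%d violation(s)\n", v);
    return v == 0 ? 0 : 1;
}
```

With the sample data the DAL B flight management partition fails: a 6000 us solo WCET becomes 12960 us once the L2 and DDR factors are applied, which no longer fits its 10000 us window even though it fit comfortably when measured alone. That is exactly the gap MCP_Software_1 exists to close, and the feedback loop on the execution-flow slide: the fix is either a mitigation that lowers the measured factor (cache partitioning, bandwidth regulation) or a schedule change, and either way the numbers must be re-measured in the final configuration.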
RESULTS AND SUMMARY
 Analysis of SoC processors is extremely complex
 Interference in multi-core platforms is real and impactful, but it can be measured, characterized, and mitigated
– For the chosen SoC, the behavior and impacts are consistent with expectations
– Behavior is extremely dependent on SoC configuration and usage
– It is also dependent on application resource usage
 Final configuration rests with the integrator, but the approach taken can minimize those responsibilities
– Analysis tools and integration guides make that job even easier
 Certification is progressing, with the Stage of Involvement 4 (SOI#4) submittal later this year and Technical Standard Order (TSO) authorization early next year
FURTHER INFORMATION
 Rockwell Collins and Wind River resources: https://resources.windriver.com/wind-river-rockwell-collins
 Continue the conversation in our next web seminar:
– Certifying Avionics COTS Hardware & Software to DAL A: http://bit.ly/certify-cots
Q&A
Thanks for joining us
Event archive available at:
http://ecast.opensystemsmedia.com/
E-mail us at: jgilmore@opensystemsmedia.com

More Related Content

PPT
Cisco catalyst3750presspresentation
PPTX
How to Leverage Open Architectures for Existing Systems
PDF
Nsx t reference design guide 3-0
PDF
MT135_Simplifying web-scale systems management with the Dell PowerEdge Embedd...
PPTX
RTI Support for FACE TSS
PDF
OCP Telco Engineering Workshop at BCE2017
PPTX
Make IT Simple, Make Business Agile
PDF
Introducing Cisco HyperFlex Systems: The Next Generation in Complete Hypercon...
Cisco catalyst3750presspresentation
How to Leverage Open Architectures for Existing Systems
Nsx t reference design guide 3-0
MT135_Simplifying web-scale systems management with the Dell PowerEdge Embedd...
RTI Support for FACE TSS
OCP Telco Engineering Workshop at BCE2017
Make IT Simple, Make Business Agile
Introducing Cisco HyperFlex Systems: The Next Generation in Complete Hypercon...

What's hot (19)

PDF
Accelerating Virtual Machine Access with the Storage Performance Development ...
PPT
Weaving the Future - Enable Networks to Be More Agile for Services
PPTX
TechWiseTV Workshop: Application Hosting on Catalyst 9000 Series Switches
PDF
Intel NFVi Enabling Kit Demo/Lab
PDF
Marvell QLogic 2600 Series 16Gb Gen 5 FC HBAs Double Performance and Flexibility
PDF
What are latest new features that DPDK brings into 2018?
PPTX
VIPRION 2400 and vCMP
PDF
2011-11-03 Intelligence Community Cloud Users Group
PDF
Running Kubernetes on OpenStack
PDF
TechWiseTV Workshop: Cisco UCS C4200
PDF
IBM System Networking Portfolio Update, June 2014
PPT
EMC for V Mware Overview
PDF
Enabling new protocol processing with DPDK using Dynamic Device Personalization
PDF
Data Center Storge Architecture comparison EMC VMAX vs HUAWEI 18000 series
PDF
Security and Virtualization in the Data Center
PDF
NFV features in kubernetes
PDF
ONS 2018 LA - Intel Tutorial: Cloud Native to NFV - Alon Bernstein, Cisco & K...
PDF
SDN in the Enterprise
PDF
Red Hat NFV solution overview
Accelerating Virtual Machine Access with the Storage Performance Development ...
Weaving the Future - Enable Networks to Be More Agile for Services
TechWiseTV Workshop: Application Hosting on Catalyst 9000 Series Switches
Intel NFVi Enabling Kit Demo/Lab
Marvell QLogic 2600 Series 16Gb Gen 5 FC HBAs Double Performance and Flexibility
What are latest new features that DPDK brings into 2018?
VIPRION 2400 and vCMP
2011-11-03 Intelligence Community Cloud Users Group
Running Kubernetes on OpenStack
TechWiseTV Workshop: Cisco UCS C4200
IBM System Networking Portfolio Update, June 2014
EMC for V Mware Overview
Enabling new protocol processing with DPDK using Dynamic Device Personalization
Data Center Storge Architecture comparison EMC VMAX vs HUAWEI 18000 series
Security and Virtualization in the Data Center
NFV features in kubernetes
ONS 2018 LA - Intel Tutorial: Cloud Native to NFV - Alon Bernstein, Cisco & K...
SDN in the Enterprise
Red Hat NFV solution overview
Ad

Similar to Plan with confidence: Route to a successful Do178c multicore certification (20)

PPTX
Enhancement of ARINC 653 for Multi-core Hardware.pptx
PDF
Accelerating EDA workloads on Azure – Best Practice and benchmark on Intel EM...
PDF
Procesamiento multinúcleo óptimo para aplicaciones críticas de seguridad
PPTX
Meet the New VxWorks (Sep.2019)
PPTX
Power8 sales exam prep
PDF
Cots moves to multicore: Wind River
PPTX
IBM Power Systems E850C and S824
PPT
Wind River Overview
PDF
Superior Cloud Economics with Power Systems
PPTX
Learn About the FACE Standard for Avionics Software and a Ready-to-Go COTS Pl...
PDF
Migrating Mission-Critical Workloads to Intel Architecture
PPTX
IBM Power Systems Update
PPT
Power 7 Overview
PDF
Multicore 101: Migrating Embedded Apps to Multicore with Linux
PDF
Track A-Shmuel Panijel, Windriver
PDF
OpenPOWER Acceleration of HPCC Systems
PPTX
IBM Power Systems - enabling cloud solutions
PPT
STG101 Power Product_PRESENTATION VERSION 1.ppt
PPT
Wind River Medical Devices
PPTX
Wind River For Medical
Enhancement of ARINC 653 for Multi-core Hardware.pptx
Accelerating EDA workloads on Azure – Best Practice and benchmark on Intel EM...
Procesamiento multinúcleo óptimo para aplicaciones críticas de seguridad
Meet the New VxWorks (Sep.2019)
Power8 sales exam prep
Cots moves to multicore: Wind River
IBM Power Systems E850C and S824
Wind River Overview
Superior Cloud Economics with Power Systems
Learn About the FACE Standard for Avionics Software and a Ready-to-Go COTS Pl...
Migrating Mission-Critical Workloads to Intel Architecture
IBM Power Systems Update
Power 7 Overview
Multicore 101: Migrating Embedded Apps to Multicore with Linux
Track A-Shmuel Panijel, Windriver
OpenPOWER Acceleration of HPCC Systems
IBM Power Systems - enabling cloud solutions
STG101 Power Product_PRESENTATION VERSION 1.ppt
Wind River Medical Devices
Wind River For Medical
Ad

More from ICTperspectives (20)

PDF
UNI EN 12464-1-Illuminazione dei Luoghi di Lavoro
PDF
Mastering Modern C++: C++11, C++14, C++17, C++20, C++23
PDF
Modello-MAD-interpello2024-scuola-PDFeditabile-v1
PDF
User guide of VectorCast 2024 C/C++ for safety critical applications
PDF
User guide of VectorCast 2024 ADA testing tool for safety critical software
PDF
Comparison-SiemensTIAPortal-RockwellStudio5000
PDF
Levelised Cost of Hydrogen (LCOH) Calculator Manual
PDF
Guide on the use of Artificial Intelligence-based tools by lawyers and law fi...
PDF
Nuclear Power Economics and Structuring 2024
PDF
BPMN tutorial by Draw Libre Office
PDF
Dynamical systems simulation in Python for science and engineering
PDF
Dlgs 165/2001 e dlgs 75/2017-Ordinamento del lavoro nelle PA e successive int...
PDF
A Framework of Knowledge, Skills and Attitudes Conductive to High Performanc...
PDF
Progettazione ed installazione impianti d'antenna
PDF
Report 2030 Digital Decade
PDF
Artificial Intelligence The Future of Humankind
PDF
Intro to embedded systems programming
PDF
Implementing-Value-Based-Healthcare-In-Europe-EIT-Summit-2019
PDF
Codice-ATECO-ISTAT-62.0
PDF
Auriga-DiProgess MAX2-Misuratore-di-campo-TV-Fibra-Ottica
UNI EN 12464-1-Illuminazione dei Luoghi di Lavoro
Mastering Modern C++: C++11, C++14, C++17, C++20, C++23
Modello-MAD-interpello2024-scuola-PDFeditabile-v1
User guide of VectorCast 2024 C/C++ for safety critical applications
User guide of VectorCast 2024 ADA testing tool for safety critical software
Comparison-SiemensTIAPortal-RockwellStudio5000
Levelised Cost of Hydrogen (LCOH) Calculator Manual
Guide on the use of Artificial Intelligence-based tools by lawyers and law fi...
Nuclear Power Economics and Structuring 2024
BPMN tutorial by Draw Libre Office
Dynamical systems simulation in Python for science and engineering
Dlgs 165/2001 e dlgs 75/2017-Ordinamento del lavoro nelle PA e successive int...
A Framework of Knowledge, Skills and Attitudes Conductive to High Performanc...
Progettazione ed installazione impianti d'antenna
Report 2030 Digital Decade
Artificial Intelligence The Future of Humankind
Intro to embedded systems programming
Implementing-Value-Based-Healthcare-In-Europe-EIT-Summit-2019
Codice-ATECO-ISTAT-62.0
Auriga-DiProgess MAX2-Misuratore-di-campo-TV-Fibra-Ottica

Recently uploaded (20)

PPTX
KTU 2019 -S7-MCN 401 MODULE 2-VINAY.pptx
PDF
PPT on Performance Review to get promotions
PPT
CRASH COURSE IN ALTERNATIVE PLUMBING CLASS
PPTX
CH1 Production IntroductoryConcepts.pptx
PPTX
Engineering Ethics, Safety and Environment [Autosaved] (1).pptx
PPTX
UNIT-1 - COAL BASED THERMAL POWER PLANTS
PDF
composite construction of structures.pdf
PPTX
web development for engineering and engineering
PDF
Evaluating the Democratization of the Turkish Armed Forces from a Normative P...
PDF
keyrequirementskkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk
PDF
Digital Logic Computer Design lecture notes
PPTX
Infosys Presentation by1.Riyan Bagwan 2.Samadhan Naiknavare 3.Gaurav Shinde 4...
PDF
BMEC211 - INTRODUCTION TO MECHATRONICS-1.pdf
PPTX
OOP with Java - Java Introduction (Basics)
PDF
Mitigating Risks through Effective Management for Enhancing Organizational Pe...
PPTX
bas. eng. economics group 4 presentation 1.pptx
PDF
Embodied AI: Ushering in the Next Era of Intelligent Systems
PPTX
Internet of Things (IOT) - A guide to understanding
PDF
Model Code of Practice - Construction Work - 21102022 .pdf
PDF
Enhancing Cyber Defense Against Zero-Day Attacks using Ensemble Neural Networks
KTU 2019 -S7-MCN 401 MODULE 2-VINAY.pptx
PPT on Performance Review to get promotions
CRASH COURSE IN ALTERNATIVE PLUMBING CLASS
CH1 Production IntroductoryConcepts.pptx
Engineering Ethics, Safety and Environment [Autosaved] (1).pptx
UNIT-1 - COAL BASED THERMAL POWER PLANTS
composite construction of structures.pdf
web development for engineering and engineering
Evaluating the Democratization of the Turkish Armed Forces from a Normative P...
keyrequirementskkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk
Digital Logic Computer Design lecture notes
Infosys Presentation by1.Riyan Bagwan 2.Samadhan Naiknavare 3.Gaurav Shinde 4...
BMEC211 - INTRODUCTION TO MECHATRONICS-1.pdf
OOP with Java - Java Introduction (Basics)
Mitigating Risks through Effective Management for Enhancing Organizational Pe...
bas. eng. economics group 4 presentation 1.pptx
Embodied AI: Ushering in the Next Era of Intelligent Systems
Internet of Things (IOT) - A guide to understanding
Model Code of Practice - Construction Work - 21102022 .pdf
Enhancing Cyber Defense Against Zero-Day Attacks using Ensemble Neural Networks

Plan with confidence: Route to a successful Do178c multicore certification

  • 1. Harold G. Tiedeman, Jr., Technical Fellow, Rockwell Collins Paul J. Parkinson, Principal Systems Architect, Wind River Plan With Confidence: Route to a Successful DO-178C Multi-Core Certification Moderator: John McHale, OpenSystems Media Speakers:
  • 2. Agenda  Housekeeping  Presentation  Questions and Answers  Wrap-up
  • 3. © 2018 WIND RIVER. ALL RIGHTS RESERVED. PLAN WITH CONFIDENCE: ROUTE TO A SUCCESSFUL DO-178C MULTI-CORE CERTIFICATION Harold G. Tiedeman, Jr. Technical Fellow, Rockwell Collins Paul Parkinson Principal Systems Architect, Wind River Web Seminar, September 27, 2018
  • 4. 4 © 2018 WIND RIVER. ALL RIGHTS RESERVED.  Current state of the art in civil certified processors – Single core, complex system-on-chip – Single core active designs  Partitioned operating systems – Support multi-DAL software – Mature and in service, both civil and military systems  Next logical step: full multi-core with all cores active – Realize performance and SWaP benefits – Must prove safety and deterministic behavior  Never before accomplished INTRODUCTION
  • 5. 5 © 2018 WIND RIVER. ALL RIGHTS RESERVED. WHAT IS UNIQUE ABOUT MULTI-CORE PROCESSORS?  Provide increased performance potential  Challenges for application isolation and determinism  Variation in suitability of designs for use in avionics  Shared resources provide multi- core interference potential  Analysis of behaviour and worst- case execution timing (WCET) is more complex  Processor design information may not be available for hardware analysis Notional Multi-core Processor Architecture with Shared L2 Cache Core #1 L1 I-Cache L1 D-Cache Core #2 L1 I-Cache L1 D-Cache L2 Cache Coherency Module
  • 6. 6 © 2018 WIND RIVER. ALL RIGHTS RESERVED. RELATIONSHIPS AND INDUSTRY INVOLVEMENT  Engage OEMs, civil, and military certification authorities – Start early to help them understand issues – Agree how to address each one  Use proprietary relationships – Operating system (OS) vendors – System-on-chip (SoC) vendors  Aligned with the EASA multi-core certification review item (CRI) and FAA certification authorities software team CAST-32A position paper  Engage internal subject matter experts to make the leap to multi-core systems  Use of certification authorities and certification liaisons to help guide efforts
  • 7. 7 © 2018 WIND RIVER. ALL RIGHTS RESERVED. SELECTING THE RIGHT MULTI-CORE PROCESSOR: MULTICORE FOR AVIONICS (MCFA)  Rockwell Collins MCFA involvement – Founding member and executive board member – Multiple individuals engaged from both Commercial and Government Systems businesses  Processor assessments conducted by Rockwell Collins – Reviews conducted at supplier’s site – Based on a set of questions and artifacts established by MCFA – Provides insight into vendor’s processes for development, production, and quality – Freescale/NXP QorIQ P-Series assessment completed summer 2011 – Freescale/NXP QorIQ T-Series assessment completed summer 2016  FSL became part of NXP Dec 2015 NXP public presentation on MCFA https://community.nxp.com/docs/DOC-331635
  • 8. 8 © 2018 WIND RIVER. ALL RIGHTS RESERVED. SELECTING THE RIGHT MULTI-CORE PROCESSOR: PROCESSING PLATFORM DEFINITION  Multi-core common processing resource (MCPR) – Common reusable logical and schematic design – Can be easily laid out repeatedly as necessary for various form factors  Includes – Multi-core processor – System memory – DAL A hardware monitor FPGA and software monitors – Ethernet networking – Basic I/O (serial and discretes) – Non-volatile storage (NAND, NOR, nvROM)  4x existing product line performance
  • 9. 9 © 2018 WIND RIVER. ALL RIGHTS RESERVED. SELECTING THE RIGHT MULTI-CORE PROCESSOR: PROCESSOR SELECTION  Freescale Quad-Core T2080 QorIQ SoC has been chosen for the MCPR – Process can be iterative as deep dives occur – Switch from previous plan to use the NXP P-series  T2080 provides significant processing advantage – E6500 Core improves integer and floating point processing (2x improvement) – About 5.5x DMIPS performance over baseline processor  Higher-performance internal SoC interconnect fabric significantly reduces interference  Additional I/O controllers provide better mitigation options to reduce interference  Performance enhancements, i.e., AltiVec™ and dual threading at no added power NXP QorIQ® P4080 Processor (Image: NXP) NXP QorIQ® T2080 Processor (Image: NXP) Peripheral Access Management Unit0 128 KB Backside L2 Cache Power Architecture e500mc Core 32 KB D-Cache 32 KB I-Cache 1024 KB CoreNet Platform Cache 1024 KB CoreNet Platform Cache 64-bit DDR2/3 Memory Controller with ECC 64-bit DDR2/3 Memory Controller with ECC CoreNet Coherency Fabric PAMU PAMU PAMU PAMU Security Fuse Processor Security Monitor 2x USB 2.0 w/ULPI eLBC Power Management SD/MMC 2x DUART 1x 12C SPI, GPIO SEC 4.0 PME 2.0 Queue Mgr. Buffer Mgr. Frame Manager Parse, Classify, Distribute 10 G 1 G 1 G 1 G 1 G Frame Manager Parse, Classify, Distribute 10 G 1 G 1 G 1 G 1 G Real-Time Debug 2x DMA PCIe PCIe PCIe sRIO sRIO Watchpoint Cross Trigger Perf. 
Monitor Trace Aurora 18 Lanes, 5 GHz SerDes Core Complex (CPU, L2 and Frontside CoreNet Platform Cache) P4080 and P4081 Only Networking Elements P4080 and P4040 Only Accelerators and Memory Control Basic Peripherals and Interconnect Peripheral Access Management Unit 2 MB Banked L2 521 KB Platform Cache 64-bit DDR2/3 Memory Controller Coherency Fabric PAMU PAMU PAMU Security Fuse Processor Security Monitor IFC Power Management SDXC/eMMC 2x DUART 4x 12C SPI, GPIO 2x USB 2.0 + PHY DCE 1.0 PME 2.1 Security 5.2 (XoR, CRC) RMan Frame Manager Parse, Classify, Distribute hIGIG/+ 4x 1 / 2.5 / 10 G DCB 2x 1 / 2.5 G Real-Time Debug Watchpoint Cross Trigger Perf. Monitor Trace Aurora Core Complex (CPU, L2, L3 Cache) Accelerators and Memory Control Basic Peripherals and Interconnect Networking Elements Pre-fetch 32 KB D-Cache 32 KB I-Cache 32 KB D-Cache 32 KB I-Cache 32 KB D-Cache 32 KB I-Cache 32 KB D-Cache 32 KB I-Cache PowerTM E6500 T1 T2 PowerTM E6500 T1 T2 PowerTM E6500 T1 T2 PowerTM E6500 T1 T2 Peripheral Access Management Unit Queue Mgr. Buffer Mgr. 8ch DMA PCIe PCIe PCIe PCIe sRIO sRIO 8ch DMA 8ch DMA SATA2.0 SATA2.0 8-Lane 1- GHz SerDes 8-Lane 1- GHz SerDes
  • 10. 10 © 2018 WIND RIVER. ALL RIGHTS RESERVED. REQUIREMENTS FOR A SAFETY-CRITICAL OPERATING PLATFORM  Open architecture reduces system integration costs  Preserves investment in existing applications Multiple Guest OS  Consolidates onto a single platform, reducing size, weight, and power (SWaP) requirements Consolidation  Enables flexible configuration using efficient hardware virtualization support Virtualization Support  Enables hosting of portable POSIX®, ARINC 653, and FACE™ applications Open Standards Flexible Business Model  Supports product line approach and multiple customers without additional licensing overhead Safety Certification  Low perceived DO-178C certification risk  Supports incremental certification
SELECTING THE RIGHT OS PLATFORM FOR MULTI-CORE CERTIFICATION
 Wind River safety-critical track record:
– 2000: VxWorks Cert for federated applications
– 2002: VxWorks 653 for IMA applications
 Integrated modular avionics
– Enables many federated systems to be hosted on a common computing platform
– Reduces SWaP
 VxWorks 653
– Supports ARINC 653, POSIX®, VxWorks, and Ada applications
– Provides COTS DO-178 certification packages
– First OS to achieve conformance certification for FACE™ OSS Safety Base Profile
Chart: VxWorks and VxWorks 653 cumulative design wins (federated and IMA), showing cumulative federated and cumulative IMA projects
SELECTING THE RIGHT OS PLATFORM FOR MULTI-CORE CERTIFICATION
 High-level design goals for VxWorks 653 Multi-core Edition
– COTS RTCA DO-178C DAL A certification evidence
– Support of multiple DALs on multiple cores
– Perform static configuration and enforcement as per ARINC 653
– Perform fault isolation and containment (health monitors)
– Enable IMA role-based development and delivery as per RTCA DO-297
– Robust partitioning of application and OS environments for ease of updates and reduced certification burden
SELECTING THE RIGHT OS PLATFORM FOR MULTI-CORE CERTIFICATION
Figure: VxWorks 653 Multi-Core Edition system architecture
– Multi-Core Hardware (Core 0, Core 1, Core 2, Core 3) with Hardware Virtualization Support
– VxWorks 653 Application Executive, with Board Support, Architecture Support, Avionics Bus (MIL-STD-1553B, ARINC 429, ARINC 664, SAE AS6802…) and XML Configuration Data
– Virtual machines hosted above it: Flight Management Application (DAL B, VxWorks Partition OS); Flight Display Application (DAL A, ARINC 653 Guest OS); Sensor Intelligence Application (DAL C, VxWorks Partition OS); New Applications (DAL E, Linux Guest OS); Legacy Applications (DAL E, Legacy Guest OS)
 Virtual Machines
– Virtualized partition Guest Operating Systems and applications
– Enables consolidation of applications onto common platform
– Reduces program migration and lifecycle costs compared to multiple LRUs
 Type-1 Hypervisor-based module operating system
– Provides lightweight supervision of multiple cores
– Utilizes full hardware virtualization assistance
– Implements ARINC 653 health management
 Independent Build Link and Load (IBLL)
– Supports role-based development as per DO-297
– XML system configuration and DO-178C qualified XML-to-binary compiler
– Minimises impact of change
– Significantly reduces cost of incremental certification
COMPLYING WITH FAA CAST-32A MULTI-CORE OBJECTIVES
 Initial lack of FAA and EASA formal policy on multi-core processors
 Publication of FAA CAST-32A multi-core objectives in 2016
 Rockwell Collins and Wind River collaborative approach
 Positive feedback on approach from multiple certification agencies
COMPLYING WITH FAA CAST-32A MULTI-CORE OBJECTIVES
Objective / Why It's Important
 MCP_Planning_1: Plans identify MCP software architecture (including dynamic and IMA aspects).
– Why it's important: The plans provide the overall system design context for the certifying authority.
 MCP_Planning_2: Plans provide a high-level description of how MCP shared resources and dynamic features will be used and how the applicant intends to allocate and verify the use of shared resources.
– Why it's important: Planning shows that the applicant has thought through critical multi-core issues that could impact the execution of the application software.
 MCP_Resource_Usage_1: The applicant has determined and documented the MCP configuration settings.
– Why it's important: MCPs are extremely complex and likely have configuration settings that could negatively impact system safety.
 MCP_Resource_Usage_2: The applicant has planned, developed, documented, and verified a means that ensures that in the event of any of the critical configuration settings of the MCP being inadvertently altered, an appropriate means of mitigation is specified.
– Why it's important: Configuration settings could be inadvertently modified by software errors or single event upsets in ways that result in undefined behavior if not mitigated.
COMPLYING WITH FAA CAST-32A MULTI-CORE OBJECTIVES
Objective / Why It's Important
 MCP_Resource_Usage_3: The applicant has identified the interference channels and has verified the means of mitigation of the interference.
– Why it's important: Interference channels are a source of jitter and performance degradation and may have a significant, negative impact on the determinism of the processing system.
 MCP_Resource_Usage_4: The applicant has identified, allocated, and verified that the available resources of the MCP and of its interconnect are sufficient to meet the demands of the integrated software.
– Why it's important: MCP shared resources could be oversubscribed by the full collection of hosted software, resulting in degradation of expected functionality.
 MCP_Software_1: There is verification that all the hosted software components function correctly and have sufficient time to complete their execution when all the hosted software is executing in the intended final configuration.
– Why it's important: Software applications running simultaneously on different cores impact each other's execution timing and need to be integrated together to understand the impacts to operational behavior.
COMPLYING WITH FAA CAST-32A MULTI-CORE OBJECTIVES
Objective / Why It's Important
 MCP_Software_2: Verification that the data and control coupling is correct during software requirement-based testing.
– Why it's important: Data and control coupling across cores is more complex than coupling across partitions on a single-core processor and may result in unintended behavior if not verified to be correct.
 MCP_Error_Handling_1: Identification of the effects of failures that may occur within the MCP and plan, design, implement, and verify means by which to detect and handle those failures in a fail-safe manner.
– Why it's important: The high level of integration of device functions and peripheral interfaces typically found within multi-core SoC designs drives a need for more built-in test and monitoring for desired behavior.
 MCP_Accomplishment_Summary_1: The applicant has summarized in their SAS, HAS, or other deliverable documentation how they have met each of the objectives of this document.
– Why it's important: Provides a reference for the evidence developed to build assurance that the MCP system design is appropriate for safety-critical use.
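MCP_Resource_Usage_2 asks for a verified mitigation in case a critical MCP configuration setting is inadvertently altered, and MCP_Error_Handling_1 asks for built-in detection of failures inside the SoC. The following is an added example written for this page, not code from the presentation, the MCPR program, Rockwell Collins or Wind River. It shows the shape of a periodic health-monitor check: the documented critical settings are held in a table, each masked setting is compared against the live register value, and a mismatch is restored and reported. The register addresses, values and masks are constructed stand-ins; on a target they would come from the configuration analysis and the live image would be the memory-mapped registers themselves.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

/* Added example (hypothetical names and values): a health-monitor pass for
 * CAST-32A MCP_Resource_Usage_2. The critical settings are a table of
 * (register address, documented value, mask); the live image is a plain
 * array so the check runs on a host. */

typedef struct {
    uint32_t addr;     /* hypothetical register address */
    uint32_t expected; /* documented, verified value */
    uint32_t mask;     /* bits that make up the critical setting */
} cfg_entry_t;

/* Constructed table of critical settings (labels are illustrative). */
static const cfg_entry_t critical_cfg[] = {
    { 0x1000u, 0x0000000Fu, 0x0000000Fu }, /* e.g. enabled-core mask */
    { 0x2000u, 0x00000001u, 0x00000001u }, /* e.g. cache partitioning enable */
    { 0x3000u, 0xA5A50000u, 0xFFFF0000u }, /* e.g. memory arbitration; low bits don't-care */
};
#define N_CFG (sizeof critical_cfg / sizeof critical_cfg[0])

/* Live register image: address -> current value. */
typedef struct {
    uint32_t addr;
    uint32_t value;
} live_reg_t;

typedef enum {
    CFG_OK = 0,            /* every critical setting matches its documented value */
    CFG_CORRUPT_RESTORED,  /* at least one mismatch was found and written back */
    CFG_UNREADABLE         /* a critical register was missing from the image */
} cfg_status_t;

static live_reg_t *find_live(live_reg_t *live, size_t n, uint32_t addr)
{
    for (size_t i = 0; i < n; i++)
        if (live[i].addr == addr)
            return &live[i];
    return NULL;
}

/* Fill a live image with the nominal (documented) values. */
void cfg_nominal_image(live_reg_t out[N_CFG])
{
    for (size_t i = 0; i < N_CFG; i++) {
        out[i].addr = critical_cfg[i].addr;
        out[i].value = critical_cfg[i].expected;
    }
}

/* One health-monitor pass. Each masked setting is compared with its documented
 * value; a mismatch is restored (one possible mitigation; transitioning to a
 * safe state is another) and reported. *first_bad receives the index of the
 * first faulty entry, or N_CFG if none. Bits outside the mask are ignored. */
cfg_status_t cfg_check(live_reg_t *live, size_t n_live, size_t *first_bad)
{
    cfg_status_t status = CFG_OK;
    size_t bad = N_CFG;

    for (size_t i = 0; i < N_CFG; i++) {
        const cfg_entry_t *c = &critical_cfg[i];
        live_reg_t *r = find_live(live, n_live, c->addr);
        if (r == NULL) {
            status = CFG_UNREADABLE;          /* cannot verify: treat as a fault */
            if (bad == N_CFG) bad = i;
            continue;
        }
        if ((r->value & c->mask) != (c->expected & c->mask)) {
            r->value = (r->value & ~c->mask) | (c->expected & c->mask);
            if (status == CFG_OK) status = CFG_CORRUPT_RESTORED;
            if (bad == N_CFG) bad = i;
        }
    }
    if (first_bad) *first_bad = bad;
    return status;
}

int main(void)
{
    live_reg_t img[N_CFG];
    size_t bad;

    cfg_nominal_image(img);
    printf("nominal image: status %d\n", cfg_check(img, N_CFG, &bad));

    img[1].value ^= 0x1u;   /* constructed single-bit upset in entry 1 */
    printf("after upset:   status %d, first bad entry %zu\n",
           cfg_check(img, N_CFG, &bad), bad);
    printf("re-check:      status %d\n", cfg_check(img, N_CFG, &bad));
    return 0;
}
```

The mask matters: only the bits the configuration analysis identified as critical raise a fault, so unrelated status bits in the same register do not produce false alarms, and a register that cannot be read is treated as a fault rather than silently passed.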
MULTI-CORE CERTIFICATION APPROACH: EXECUTION FLOW
 Much of the multi-core–specific certification effort executes in parallel with typical engineering development flow
 Feedback loops need to exist
– Interference research may drive system or software requirements
– Changes in system functional requirements may drive new interference channels or alter existing channels
Flow diagram, multi-core certification track: Research Processor Design → Assess Non-Determinism & Mitigation Techniques → Create CAST-32A Plan → Define Configuration → Analyze Interference Channels & Mitigate Impacts → Perform Partitioning & Shared Memory Analyses → Capture CAST-32A Accomplishments in HAS/SAS
Flow diagram, engineering development track (in parallel): Functional System Requirements → Develop System → Verify System
MULTI-CORE CERTIFICATION APPROACH: DETERMINISM ANALYSIS
 Determinism analysis addresses many CAST-32A concerns
 The determinism analysis is split into five activities:
– Configuration analysis
– Interference channel analysis
– Partition analysis
– Shared memory analysis
– Errata analysis
 Configuration analysis documents SoC settings
 Interference channel analysis quantifies the behavior of the SoC
 Partition/shared memory analysis ensures that the software architecture results in robust behavior
 Errata analysis demonstrates maturity of the platform and addresses reported problems
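Interference channel analysis quantifies how much a core's execution time stretches when the other cores are busy, and that number has to be carried into the partition analysis to show that every partition still completes within its window (the concern behind MCP_Resource_Usage_4 and MCP_Software_1). The following is an added example written for this page, not code from the presentation or from Rockwell Collins or Wind River. It takes execution-time samples for each partition measured with the other cores idle and with interferers active, derives the observed inflation, applies a margin, and checks the result against the partition's ARINC 653 window. The partition names follow the architecture slide; all timing values, window lengths and the margin are constructed.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

/* Added example with constructed numbers: interference-aware timing budget
 * check. A measured maximum is a high-water mark, not a proven WCET, which is
 * why a margin is applied before comparing against the window. */

#define MAX_SAMPLES 8

typedef struct {
    const char *name;
    int core;
    uint32_t window_us;               /* ARINC 653 partition window length */
    size_t n;                         /* number of samples per condition */
    uint32_t alone_us[MAX_SAMPLES];   /* samples with the other cores idle */
    uint32_t loaded_us[MAX_SAMPLES];  /* samples with interferers on the other cores */
} partition_meas_t;

typedef struct {
    uint32_t hwm_alone_us;      /* observed high-water mark, isolated */
    uint32_t hwm_loaded_us;     /* observed high-water mark, under interference */
    double interference_ratio;  /* loaded / alone */
    uint32_t required_us;       /* loaded high-water mark plus margin */
    bool fits;                  /* required_us <= window_us */
} partition_result_t;

/* Constructed data set: three partitions on a quad-core SoC (microseconds). */
const partition_meas_t sample_partitions[3] = {
    { "Flight Display (DAL A)",      0, 5000, 4,
      { 1800, 1850, 1900, 1820 }, { 2600, 2700, 2750, 2680 } },
    { "Flight Management (DAL B)",   1, 4000, 4,
      { 2100, 2150, 2200, 2180 }, { 3300, 3400, 3450, 3420 } },
    { "Sensor Intelligence (DAL C)", 2, 3000, 4,
      { 900, 950, 940, 960 },     { 1500, 1550, 1520, 1580 } },
};

static uint32_t max_u32(const uint32_t *v, size_t n)
{
    uint32_t m = 0;
    for (size_t i = 0; i < n; i++)
        if (v[i] > m) m = v[i];
    return m;
}

/* margin_pct (e.g. 20 for 20 %) is applied to the loaded high-water mark,
 * rounded up, so that unobserved interference is covered by the budget. */
partition_result_t analyze_partition(const partition_meas_t *m, unsigned margin_pct)
{
    partition_result_t r;
    r.hwm_alone_us = max_u32(m->alone_us, m->n);
    r.hwm_loaded_us = max_u32(m->loaded_us, m->n);
    r.interference_ratio = r.hwm_alone_us
        ? (double)r.hwm_loaded_us / (double)r.hwm_alone_us : 0.0;
    r.required_us = r.hwm_loaded_us + (r.hwm_loaded_us * margin_pct + 99) / 100;
    r.fits = r.required_us <= m->window_us;
    return r;
}

/* Analyze every partition; returns how many do not fit their window. */
size_t analyze_all(const partition_meas_t *ms, size_t n, unsigned margin_pct,
                   partition_result_t *out)
{
    size_t violations = 0;
    for (size_t i = 0; i < n; i++) {
        out[i] = analyze_partition(&ms[i], margin_pct);
        if (!out[i].fits) violations++;
    }
    return violations;
}

int main(void)
{
    partition_result_t res[3];
    size_t bad = analyze_all(sample_partitions, 3, 20, res);
    for (size_t i = 0; i < 3; i++)
        printf("%-28s core %d: alone %u us, loaded %u us (x%.2f), need %u of %u us -> %s\n",
               sample_partitions[i].name, sample_partitions[i].core,
               (unsigned)res[i].hwm_alone_us, (unsigned)res[i].hwm_loaded_us,
               res[i].interference_ratio, (unsigned)res[i].required_us,
               (unsigned)sample_partitions[i].window_us,
               res[i].fits ? "fits" : "DOES NOT FIT");
    printf("%zu partition(s) exceed their window under interference\n", bad);
    return bad ? 1 : 0;
}
```

With the constructed data the Flight Management partition fits its 4000 us window comfortably when measured alone (2200 us plus margin) but not once the other cores are active (3450 us plus margin), which is exactly the case the slide's feedback loop is for: the interference result feeds back into either the schedule, the mitigation (for instance a different allocation of shared resources) or the functional requirements.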
RESULTS AND SUMMARY
 Analysis of SoC processors is extremely complex
 Interference in multi-core platforms is real and impactful, but it can be measured, characterized, and mitigated
– For the chosen SoC, the behavior and impacts are consistent with expectations
– Behavior is extremely dependent on SoC configuration and usage
– It is also dependent on application resource usage
 Final configuration rests with the integrator, but the approach taken can minimize those responsibilities
– Analysis tools and integration guides make that job even easier
 Certification is progressing with SOI4 submittal later this year and TSO early next year
FURTHER INFORMATION
 Rockwell Collins and Wind River resources: https://resources.windriver.com/wind-river-rockwell-collins
 Continue the conversation in our next web seminar:
– Certifying Avionics COTS Hardware & Software to DAL A: http://bit.ly/certify-cots
Q&A
BACKUP SLIDES
Audience Q & A
Harold G. Tiedeman, Jr., Technical Fellow, Rockwell Collins
Paul J. Parkinson, Principal Systems Architect, Wind River
Thanks for joining us
Event archive available at: http://ecast.opensystemsmedia.com/
E-mail us at: jgilmore@opensystemsmedia.com