Achieving Safety-Critical Determinism with Multicore Processors

Embedded Tech Trends, January 24-25, 2019
Richard Jaenicke, richj@ghs.com
© 2019 Green Hills Software


Multicore is Everywhere

Even in Most Regulated Industries

Except Safety-Critical Applications


Strict Determinism is Required for Flight Safety


DAL A is the Strictest Safety Level

DAL A failure rate is 10^-9/h: 1 failure every 114,155 years of continuous operation

No single HW failure can result in a catastrophic event

Design Assurance Level | Failure condition | Failure Rate
A                      | Catastrophic      | 10^-9/h
B                      | Hazardous         | 10^-7/h
C                      | Major             | 10^-5/h
D                      | Minor             | 10^-3/h
E                      | No Effect         | n/a


Achieving Determinism in a Single-Core World

Avoid Interference between Applications through Partitioning of Space and Time (ARINC 653)

Memory Space Partitioning Enforced by CPU’s Memory Management Unit (MMU)

Processor Time Partitioning RTOS gives each application a fixed length time window

[Figure: ARINC 653 time-partition schedule. Windows in one Major Frame, in order along the Time axis: Flight Mgmt., File Sys, Crew Alerting, Onboard Maint., File Sys, Spare, Built-In Test; the frame then repeats (Repeat Frame): Flight Mgmt., File Sys, Crew Alerting, ...]


Multicore is More Complex

Multicore must address contention for shared resources

For flight safety, certification authority guidance is in CAST-32A


Simple Approach Doesn't Work Well

Try to have one core responsible for all shared resource access

Possible for I/O, but results in vast underutilization of cores

Impossible for the memory controller without running only one core at a time

[Figure: a single "Master" core mediating shared resource access]


Memory Access can be Very Unfair

[Chart: Memory Bandwidth Per Core (Core 0 reads & Core 1 writes); y-axis 0% to 100%; groups Desired, Predicted, Actual; series Core 0 at DAL A and Core 1 at DAL C]

Actual = measurements on quad-core e500mc


General Solution is to Enforce QoS

All shared access goes through the on-chip interconnect, so it can be enforced there

Set access thresholds for each time window for each core, enforced by the OS
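The per-core, per-window access thresholds described on this slide, combined with the time-partitioned major frame from slide 6, as an added simulation (not code from the Green Hills deck or any GHS product): an RTOS-style regulator gives each core a budget of memory transactions per time window, resets it at every window boundary, and stalls the core once the budget is spent. Window lengths, budgets and per-core demand rates are constructed values.

```c
/* Added example: simulated per-core, per-window memory-access budget enforced by
 * the OS. All numbers below are hypothetical, not measurements from the deck. */
#include <stdbool.h>
#include <stdio.h>

#define NCORES 2
#define NWINDOWS 3

/* One window of the ARINC 653 major frame: its length in ticks and the number of
 * memory transactions each core may issue in it (constructed values). */
struct window { unsigned ticks; unsigned budget[NCORES]; };

/* Per-core accounting that the OS resets at every window boundary. */
struct core_state { unsigned used; bool throttled; };

static const struct window frame[NWINDOWS] = {
    {100, {80, 20}},   /* DAL A partition on core 0 needs most of the bandwidth here */
    {100, {50, 50}},
    {100, {20, 80}},
};

/* Charge one transaction to a core. Returns false when the regulator stalls the
 * core because its budget for the current window is exhausted. */
static bool charge_access(struct core_state *st, const struct window *w, unsigned core) {
    if (st->throttled) return false;
    if (st->used >= w->budget[core]) { st->throttled = true; return false; }
    st->used++;
    return true;
}

/* Simulate one major frame. demand[c] is how many transactions core c attempts
 * per tick. On return granted[c] holds the transactions core c actually issued
 * and stalled[c] the number of ticks it spent throttled. */
void run_frame(const unsigned demand[NCORES], unsigned granted[NCORES], unsigned stalled[NCORES]) {
    for (unsigned c = 0; c < NCORES; c++) granted[c] = stalled[c] = 0;
    for (unsigned wi = 0; wi < NWINDOWS; wi++) {
        struct core_state st[NCORES] = {{0}};     /* budgets reset at window start */
        for (unsigned t = 0; t < frame[wi].ticks; t++)
            for (unsigned c = 0; c < NCORES; c++) {
                for (unsigned k = 0; k < demand[c]; k++)
                    if (charge_access(&st[c], &frame[wi], c)) granted[c]++;
                if (st[c].throttled) stalled[c]++;
            }
    }
}

int main(void) {
    unsigned demand[NCORES] = {1, 30}, granted[NCORES], stalled[NCORES]; /* core 1 hammers memory */
    run_frame(demand, granted, stalled);
    for (unsigned c = 0; c < NCORES; c++)
        printf("core %u: granted %u transactions, throttled for %u ticks\n", c, granted[c], stalled[c]);
    return 0;
}
```

Whatever core 1 demands, core 0 receives exactly its configured share in every window, which is the guarantee a DAL A partition needs from the interconnect; the cost is the stall time the heavy core accumulates.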


Multiple Layers for Safety Certification

[Figure: layers of the certification process, top to bottom: Structural Coverage, Testing, Reviews, Traceability, Analysis, Planning; Faults]


DAL-A Requires Complete Traceability

[Figure: traceability tree. One High-Level Requirement traces to two Low-Level Requirements, each of which traces to the Source Code for that Rqmt]


DAL-A Requires Huge Testing

[Figure: the same traceability tree as the previous slide (High-Level Requirement to Low-Level Requirements to Source Code for each Rqmt), with Test Code for that Reqmt. attached to every requirement]


Test Suites Can Be Huge for Multicore

[Chart: Lines of Code (000s) on a logarithmic axis from 1 to 10000; bars for RTOS Source and Test Suite, Single Core vs Multicore]

Testing Increases Exponentially for Multicore: 250x


Test Suites Can Be Huge for Multicore

[Chart: the same data on a linear axis, Lines of Code (000s) from 0 to 5000; bars for RTOS Source LOC and Test Suite LOC, Single Core vs Multicore]

Testing Increases Exponentially for Multicore: 250x


Summary

Deterministic multicore is hard, but achievable

Contention for shared resources causes unpredictable delays

Must enforce QoS, such as via bandwidth allocation

Testing and validation are exponentially harder for multicore

Almost Impossible for System Integrators to do Themselves

Use suppliers with the most extensive support for multicore interference mitigation, testing, and validation suites


See Also

FAA Position Paper: CAST 32A Multicore processors
https://www.faa.gov/aircraft/air_cert/design_approvals/air_software/cast/cast_papers/media/cast-32A.pdf

Whitepaper: Optimal Multicore Processing for Safety-Critical Applications
https://www.curtisswrightds.com/infocenter/white-papers/optimal-multicore-processing-for-safety-critical-applications.html

Website: GHS solutions for Aerospace and Defense
https://www.ghs.com/AerospaceDefense.html