High performance, low power consumption and small footprint requirements imposed by the embedded market on the processor industry are causing a definite move away from single-core processors to multicore processors. Multicore processors have been deemed the future of Size, Weight, and Power (SWaP) constrained applications like military and avionics. They provide higher performance per watt (MHz/W) at lower power. They also allow consolidation of multiple functions/applications onto a single platform.

IMA and Certification

Figure 1. Dual-Dual Command Monitor lane AFCS architecture with single core processors.

Modern avionics systems are moving from federated systems to Integrated Modular Avionics (IMA), where multiple applications with mixed criticality reside on the same computing platform[7]. The IMA concept is detailed in a set of standards like DO 297[1] and implementation guidelines like ARINC 653[5] and ARINC 651[6]. A safety-critical avionics system has to be certified by the Federal Aviation Administration (FAA) in the United States or the European Aviation Safety Agency (EASA) in Europe, covering both hardware and software. The standard RTCA/DO-254 (ED-80)[1] provides guidance for the development of airborne electronic hardware, and the standard RTCA/DO-178C (ED-12C)[2] provides guidance for the development of airborne software.

Advantages of multicore platforms in terms of performance, power, and size make them ideal for IMA applications. One of the application areas could be the dual-redundant, two-channel command/monitor lane architecture of Automatic Flight Control Systems (AFCS). A typical IMA backplane is divided into Channel A and Channel B, powered by independent power supply modules for redundancy. Four processing elements are required to host the Channel A command, Channel A monitor, Channel B command, and Channel B monitor processes for the primary AFCS, and similarly four processing elements for the backup AFCS. Both IMA cabinets have to be connected with the interconnecting digital bus. So, we need four IMA cabinets and 8 processing elements to implement the above architecture, as shown in Figure 1.

Figure 2. Dual-Dual Command Monitor lane AFCS architecture with multicore processors.

With the introduction of multicore processing elements, the Channel A command and Channel B monitor applications can be hosted on one computing platform, P-1, and the Channel B command and Channel A monitor applications on the second computing platform, P-2. It is then possible to implement the Dual-Dual architecture with two IMA cabinets and four processing elements, as shown in Figure 2, thus reducing the overall weight by 50%. Also, with the increased processing power available, custom I/O processing modules can be integrated with the processing elements to handle memory-intensive and signal-processing workloads, thereby reducing external hardware and cabling requirements. However, the isolation requirements of the hosted functions must still be met, and robust partitioning needs to be ensured in the integrated environment.

Robust Partitioning

Robust partitioning, to achieve fault containment, has traditionally been implemented in the federated architecture with dedicated hardware per application or function. With the introduction of IMA and multicore, the robust partitioning property must be explicitly addressed and ensured[8].

Robust partitioning, or separation, is the central concept for avoiding interference between different applications in space and time. Space relates to access to memory regions or I/O interfaces. An example of space partitioning support is a memory management unit (MMU): it maps partitions to memory regions and enforces access patterns according to a defined configuration. By means of time partitioning it can be guaranteed that one function's changing demand for hardware resources will never prevent another function from obtaining a specified minimum level of service. Furthermore, it can be ensured that the timing of a function's access to these resources will not be affected by variable demand or failure of another function.

Figure 3. SMP software configuration.

It should be noted that the guarantee of partitioning in an IMA (e.g., enforced and supported by the operating system and hardware) generally needs to be assured to the probability required by the highest (most demanding) criticality level of any application running on this hardware and operating system. Partitioning isolates faults by means of access control and usage quota enforcement for resources in software.
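The two mechanisms described above, an MMU configuration for space partitioning and a static cyclic schedule for time partitioning, can be modelled in a few lines. The following is an added example, not code from the article or from any ARINC 653 implementation; the partition names, memory map and window lengths are constructed values. It shows the two properties a certification reviewer looks for: an out-of-range or read-only access is refused and logged against the offending partition only, and a partition that overruns its window is cut off at the window boundary rather than delaying the next partition.

```python
"""Added example (not from the article): a small model of ARINC 653-style
space and time partitioning. The partition names, memory map and schedule
are constructed values, not taken from any real system."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class MemoryRegion:
    start: int      # first address of the region
    end: int        # one past the last address
    writable: bool


@dataclass
class Partition:
    name: str
    regions: tuple                              # the MMU configuration for this partition
    faults: list = field(default_factory=list)  # violations recorded for this partition


def access_allowed(part, addr, write=False):
    """Space partitioning: emulate the MMU check for a single access.
    An access outside the partition's regions, or a write to a read-only
    region, is refused and logged against the offending partition only."""
    for r in part.regions:
        if r.start <= addr < r.end:
            if write and not r.writable:
                part.faults.append(f"write to read-only {addr:#x}")
                return False
            return True
    part.faults.append(f"access outside partition {addr:#x}")
    return False


def run_major_frame(schedule, demand):
    """Time partitioning: a static cyclic schedule of (partition, window_ms)
    that fills one major frame.  `demand` maps a partition name to the CPU
    time (ms) it tries to consume this frame.  A partition is preempted at the
    end of its window, so an overrunning partition can never delay the next
    one; an idle partition's window is not handed to anyone else either.
    Returns (time each partition actually received, total frame length)."""
    granted = {}
    elapsed = 0
    for name, window in schedule:
        used = min(demand.get(name, 0), window)
        granted[name] = granted.get(name, 0) + used
        elapsed += window          # the window elapses in full whether used or not
    return granted, elapsed


if __name__ == "__main__":
    flight_ctrl = Partition("AFCS_CMD", (MemoryRegion(0x1000, 0x2000, True),
                                         MemoryRegion(0x8000, 0x9000, False)))
    print(access_allowed(flight_ctrl, 0x1800, write=True))   # inside own RAM
    print(access_allowed(flight_ctrl, 0x8010, write=True))   # read-only config area
    print(access_allowed(flight_ctrl, 0x3000))               # another partition's memory
    print(flight_ctrl.faults)

    schedule = [("AFCS_CMD", 10), ("AFCS_MON", 10), ("MAINT", 5)]   # 25 ms major frame
    # MAINT misbehaves and asks for 50 ms; the flight-control windows are untouched.
    print(run_major_frame(schedule, {"AFCS_CMD": 8, "AFCS_MON": 10, "MAINT": 50}))
```

The `faults` list stands in for the fault log a partition-level health monitor would consume; the point of attaching it to the partition object is that a violation by one partition leaves every other partition's record, and time windows, untouched.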

For safety-critical embedded systems, quality requirements usually refer to timing or safety attributes. In some cases, security attributes play an important role as well. Timing attributes often consist of deadlines for specific tasks, which must be met under all circumstances. This leads to the requirement of fully deterministic system behavior.

Certification Challenges

Adopting multicore platforms in IMA systems where multiple partitions are executing on different cores in parallel will bring in significant challenges as described in the following sections.

Robust Partitioning — Time

Temporal separation is fundamentally violated on a multicore processor, as multiple applications execute in parallel. The inter-chip interconnect may violate temporal separation at the microscopic level. The scheduling policy should ensure that interference between parallel executions is controlled, known, and hence bounded, for deterministic behavior. The specific challenge is the scheduling strategy and configuration across cores such that interference patterns are controlled and bounded.

Robust Partitioning — Space (Memory and I/O)

Figure 4. AMP software configuration.

Because multiple applications execute in parallel, there is a fundamental violation of space partitioning, as processor resources like the chip interconnect are shared. To achieve spatial separation, memory and I/O contention should be controlled and monitored by the scheduling policy or other mechanisms. The impact of many implicit resources like the chip interconnect needs to be studied at the hardware architecture level to achieve deterministic behavior.

Specific challenges include:

  1. Scheduling policy and configuration to control resource (memory and I/O) contention;
  2. Software mechanisms to manage concurrent access to shared resources like real-time locking protocols.

Inter-Partition / Inter-Core Communication

Communication and synchronization are no longer restricted to partitions that execute serially; synchronization is required between cores executing in parallel. Inter-core communication is facilitated by hardware features like doorbell interrupts, and can also be accomplished in software. This communication needs to be deterministic and synchronized.
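The deterministic inter-core channel described above is usually built as a bounded single-producer/single-consumer mailbox with a doorbell. The following is an added example written for this page, not code from the article or from any RTOS; the slot count, frame sizes and the callback standing in for the doorbell interrupt are constructed. It shows why the structure needs no lock (each core writes only its own index) and why neither side ever waits on the other: a full mailbox is reported to the sender immediately, so the sending partition's timing stays independent of the receiver's progress.

```python
"""Added example (not from the article): a bounded single-producer /
single-consumer mailbox of the kind used for inter-core communication, with
a callback standing in for the doorbell interrupt.  Slot counts and frame
sizes below are constructed values."""


class Mailbox:
    """Ring buffer where the producer core owns `tail` and the consumer core
    owns `head`; each side only ever writes its own index, so no lock is
    needed and neither core can be blocked by the other."""

    def __init__(self, slots, doorbell=None):
        assert slots > 0
        self.slots = slots
        self.buf = [None] * slots
        self.head = 0             # read index, advanced by the consumer only
        self.tail = 0             # write index, advanced by the producer only
        self.doorbell = doorbell  # called after each send, like a doorbell IRQ
        self.dropped = 0          # sends refused because the mailbox was full

    def pending(self):
        return self.tail - self.head

    def send(self, msg):
        """Producer side.  Never waits: a full mailbox is reported immediately,
        so the sender's timing does not depend on the receiver's progress."""
        if self.pending() == self.slots:
            self.dropped += 1
            return False
        self.buf[self.tail % self.slots] = msg
        # On real hardware a write barrier belongs here, so the payload is
        # visible to the other core before the index that publishes it.
        self.tail += 1
        if self.doorbell is not None:
            self.doorbell()
        return True

    def receive(self):
        """Consumer side.  Returns None instead of waiting when empty."""
        if self.pending() == 0:
            return None
        msg = self.buf[self.head % self.slots]
        self.head += 1
        return msg


def run_frames(frames, slots, sends_per_frame, receives_per_frame):
    """Run a fixed number of minor frames in which the producer core offers
    `sends_per_frame` messages and the consumer core drains at most
    `receives_per_frame`.  Returns (delivered, dropped, doorbell count)."""
    rings = []
    mb = Mailbox(slots, doorbell=lambda: rings.append(1))
    delivered = 0
    seq = 0
    for _ in range(frames):
        for _ in range(sends_per_frame):
            mb.send(seq)
            seq += 1
        for _ in range(receives_per_frame):
            if mb.receive() is not None:
                delivered += 1
    return delivered, mb.dropped, len(rings)


if __name__ == "__main__":
    # Producer offers 3 messages per frame, consumer takes only 2: the 4-slot
    # mailbox fills by the third frame and the excess is dropped, not queued
    # without bound and not blocking the producer.
    print(run_frames(5, 4, 3, 2))   # (10, 3, 12)
```

The dropped-message counter is the observable a monitor lane would check: a non-zero value means the configured rates of the two cores do not match the mailbox size, which is a configuration error to catch during integration rather than a runtime condition to block on.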

Worst Case Execution Time

In addition to the complexities of WCET estimation for single-core processors, analysis for multicore processors needs to model and account for the following:

  1. Interference patterns between parallel tasks on different cores due to memory and I/O contention. Details of the hardware arbitration of shared resources are generally not available for COTS hardware.
  2. Impact of implicit shared resources like interconnects. This information is generally not available for COTS processors and is a source of error.
  3. Impact of cache management policy.
  4. Interleaving by the inter-chip interconnects of the concurrent transaction flows in order to maximize the global average bandwidth.