© 2015 Wind River. All Rights Reserved.
Exploring Multicore for safety-critical Avionics Applications
Stefan Harwarth, Field Application Engineer
essei TechDay, Oberpfaffenhofen 13 October 2015
About Wind River
HERITAGE
1981: Founded
1993: IPO
2009: Acquired
SCALE
1,900 Employees
42,000 Developers
LEADERSHIP
45% Commercial Market Share
Broadest Portfolio
INVESTMENT
30+% of Annual Spend Is on R&D
Rich History of M&A
For over thirty years, Wind River has helped the world's most recognizable brands power generation after generation of embedded devices.
Vision
Power intelligent connected products that enrich the quality, safety, and security of people’s lives every day.
Wind River Aerospace & Defense Customers and Programs
Airbus
BAE Systems
Boeing
Elbit Group
Finmeccanica
General Dynamics
GE Aviation
Harris
Honeywell
IAI
ITT
LIG Nex1
L-3 Communications
Lockheed Martin
Mitsubishi
NASA
NEC
Northrop Grumman
OKI Electric
Rafael
Raytheon
Rockwell Collins
Saab
Sagem
Samsung Thales
Shanghai Avionics
Thales
Land
Abrams
Bowman
Bradley
Challenger
FCS
GIG
HIMARS
JTRS
MLRS
Patriot
Sea
Aegis
Astute
DDG-1000
Halifax
Harpoon
KDX-I
Phalanx
Tomahawk
Type 45
U212
Military Air
A330 MRTT
A400M
C-130
F-22
F-35
Global Hawk
KC-767
nEUROn
Typhoon
X-47B
Space
ARES
Curiosity
FTB1
GAIA
ISS
Mars Rovers
Odyssey
Orion
Pathfinder
PROBA
Commercial
Airbus A3xx
Airbus A350
Airbus A380
Boeing 7x7
Boeing 747
Boeing 777
Boeing 787
EC 225
EGNOS
WAAS
Multicore System Issues
Contention makes it difficult to prove that timing constraints are met
Most SoCs use hardware that is shared between cores
Designs and effects of sharing are often unavailable
Sharing effects may change as SoC microcode is updated
Addressing these issues can involve additional certification effort
Performance and certification costs depend on matching the choice of strategies for the multicore hardware and the software application
Multicore Safety Concerns
Multicore concerns for safety are assumed to be understood
Hardware shared resources:
- Caches
- Memory controllers
- Interconnect
- I/O devices via interconnect
- Hyperthreading resources
Possible mitigations:
- avoid sharing completely
- avoid sharing at the same time
- share at the same time (WCET computation assumed to be possible)
OS Architectures
Possible OS architectures
[Figure: four panels on a two-core system (Core 1, Core 2): SMP; Unsupervised AMP; Supervised AMP (Supervisor); Virtualization (Hypervisor)]
Architecture Characteristics
AMP:
- One OS per Core
- Reuse of certified OS
- Mix of OS
- Manual configuration per core required
- No IPC included
Supervised AMP:
- One OS per Core
- Protected Supervisor layer
- Centralized multicore configuration
- IPC possible
AMP + Hypervisor:
- One OS per Core
- Virtualization of resources
- Protected Hypervisor layer
- IPC handled by Hypervisor
SMP or BMP:
- Distributed Applications on single OS
- Black box config
- Full resource sharing possible
- Load Balancing or BMP
AMP Scheduling and SMP Scheduling
[Figure: timelines for Core 0, Core 1 and Core 2 across timeframes n, n+1 and n+2, showing the placement of Partition1, Partition2 and Partition3 under AMP scheduling and under SMP scheduling]
See EASA MULCORS Report for details
Considerations for AMP and SMP
Columns: AMP with Hypervisor; SMP with Core Affinity and Time Partitions; Mix of AMP/SMP using Hypervisor
Pro:
- Legacy application reuse
- Heterogeneous environment
- Easier upgrades
- Limited resource contention
- Better use of available resources
- Maximize use of resources
- Support new and legacy designs
Con:
- Increased certification complexity
- Potential performance compromises
- Redesign of legacy applications
- Moderate certification complexity
- Additional certification complexity
Comments:
- Certification emphasis on Tools, System Design and added runtime control for shared resources
- Designs may be more complex and changing designs may be difficult
- Requires additional runtime control for shared resources
Use Cases
Use Case 1: Migration
- Step 1: Re-host on new Hardware
- Step 2: Re-deploy
Use Case 2: Asset bridging
- Step 1: Re-use with Virtualization
- Step 2: Re-deploy
Use Case 3: Multicore Partition
SMP Guest OS and ARINC 653 Part 1 Supplement 4
VxWorks 653 3.0 Multicore Edition
350 avionics programs
200 customers
75 aircraft
VxWorks 653 3.0 Multicore Edition Safety Architecture
VxWorks 653 3.0 Multicore Time Scheduler
• Single schedule configuration for Multicore System
• System Integrators can schedule multiple Partitions in one Time Window
• Optional core synchronisation
[Figure: scheduled partitions over repeating major frames with sync points; Core 0 runs partitions 1 and 2, Core 1 runs partitions 3 and 4]
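A check an integrator could run over a single multicore schedule like the one on this slide, as an added example that is not Wind River code or the VxWorks 653 configuration format. The `window_t` model, the microsecond units and the rule that no window may run across a sync point are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical schedule model for illustration; not the VxWorks 653 XML format. */
typedef struct {
    int core;        /* core the time window is assigned to */
    int partition;   /* partition that runs in the window */
    unsigned start;  /* offset from the start of the major frame, in us */
    unsigned len;    /* window length, in us */
} window_t;

enum { SCHED_OK, SCHED_BAD_CORE, SCHED_OUT_OF_FRAME, SCHED_OVERLAP, SCHED_SYNC_CROSSED };

/* Validates one major frame: windows sit on existing cores and inside the frame,
 * windows on the same core never overlap, and no window runs across a sync point. */
int check_schedule(const window_t *w, size_t n, int ncores, unsigned major_frame,
                   const unsigned *sync, size_t nsync)
{
    for (size_t i = 0; i < n; i++) {
        if (w[i].core < 0 || w[i].core >= ncores)
            return SCHED_BAD_CORE;
        if (w[i].len == 0 || w[i].start >= major_frame ||
            w[i].len > major_frame - w[i].start)
            return SCHED_OUT_OF_FRAME;
    }
    for (size_t i = 0; i < n; i++)
        for (size_t j = i + 1; j < n; j++)
            if (w[i].core == w[j].core &&
                w[i].start < w[j].start + w[j].len &&
                w[j].start < w[i].start + w[i].len)
                return SCHED_OVERLAP;
    for (size_t k = 0; k < nsync; k++)
        for (size_t i = 0; i < n; i++)
            if (w[i].start < sync[k] && sync[k] < w[i].start + w[i].len)
                return SCHED_SYNC_CROSSED;
    return SCHED_OK;
}

/* Constructed sample: partitions 1,2 on core 0 and 3,4 on core 1, as on the slide. */
static const window_t SAMPLE[] = {
    {0, 1, 0, 10000}, {0, 2, 10000, 10000},
    {1, 3, 0, 10000}, {1, 4, 10000, 10000},
};
static const unsigned SAMPLE_SYNC[] = {10000};

int main(void)
{
    int rc = check_schedule(SAMPLE, 4, 2, 20000, SAMPLE_SYNC, 1);
    printf("sample schedule: %s\n", rc == SCHED_OK ? "valid" : "rejected");
    return rc;
}
```

Partitions 1 and 3 share the first time window on different cores, which the check accepts; it rejects only same-core overlap, windows that leave the major frame, and windows that straddle a sync point.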
DO-297 Role Separation
[Figure labels: Platform Supplier; System Integrator; Application Suppliers; FMS; Nav; Display; XML Config File; XML Tables; XML Business Rules; XML Compiler/Checker; DO-178B Qualified Development Tool; Binary Configuration Data; Multi-Core Hardware Platform]
Contact
Robert Kauth Senior Account Manager
Steinheilstraße 10 85737 Ismaning
Phone: 089/9624 45 242 Mail: [email protected]
Stefan Harwarth Field Application Engineer
Steinheilstraße 10 85737 Ismaning
Phone: 089/9624 45 214 Mail: [email protected]