www.thalesgroup.com
International Conference on
Integrated Modular Avionics – Moscow
1) Ensuring robust partitioning in multicore platforms for IMA Systems
2) Versatile & Reconfigurable Inputs/Outputs for IMA Systems
2012-10-29
ENSURING ROBUST PARTITIONING IN MULTICORE PLATFORMS FOR IMA SYSTEMS
From federated to IMA systems
From physical to logical fault isolation
• Federated systems
• Physical fault confinement
• Integrated systems
• Logical fault confinement: robust partitioning
Integrated Modular Avionics: Mandatory requirements
• Robust partitioning
• Platform determinism
• Platform limitations for WCET scenario definition
Why is ensuring robust partitioning difficult on multicore platforms?
Multicore for IMA, “good properties”
• How could avionics platforms benefit from multicore processors?
• Allow all cores to be used whatever the level of criticality
• Minimize porting effort and re-certification of legacy applications
• Compatibility with ARINC 653 and ARINC 664 guidelines for APEX and Network partitioning
• Incremental certification
Confidence in digital avionic systems has never regressed during technological steps
Robust partitioning in ARINC 653 on single core
• Current process
• Time and space partitioning
• Disjoint memory areas for each partition
• Full allocation of processing resources to one process in one partition at one time
• Targets the Alternative Gold Standard for Robust Partitioning
Partitions deployment on Multicore
• Symmetrical Multi Processing:
  • Time and space partitioning remains unchanged at partition level
  • Inter-process conflicts impact WCET
  • Requires parallelization of single-core applications
Constraints are shared between Function Supplier and Platform Supplier
Partitions deployment on Multicore
• Asymmetrical Multi Processing:
  • Inter-partition and application conflicts when accessing shared resources
  • Backward compatibility with legacy applications
Main constraints are at Platform Provider level
Partitioning issues on COTS multicore platforms
• Timing issues and inter-core conflicts
• Transaction collisions in the interconnect
• Shared caches
• Shared I/O
• Limited knowledge of the interconnect features
• Nearly impossible to determine all situations of collisions
• Hardware mechanisms to avoid transaction collisions impact average performance
Alternative Gold Standard seems difficult to ensure if the hardware has not been developed for it
Gold Standard enforcement
• Direct proof of robust partitioning
• Requires a generic model of faults for partitions
• A priori, we have to consider all pairs of faults to ensure no propagation
• We have to consider many possible sequences of conflicts
• Fault propagation results from sequences of inter-core conflicts
• For each fault, we determine the set of resulting conflict classes
• For each fault, we determine the set of causing conflict classes
• If those two sets are disjoint, robust partitioning is proven
Highly complex analyses that have never been performed
Model of multicore platform
• Abstract representation of the platform internal activity
• We have to deal with the lack of information
• Model refinement with the available information
• We can represent conflict situations
• Simultaneous presence of two transactions in one component
Core refinement
• Core Software
• Can be a hypervisor, its execution is local
• Core controller
• Internal controllers, memory protection units, exception and interrupt generators
• Local Memory
• Internal caches and scratchpads
• Partitions
• Transactions generator
Interconnect refinement
• Each component has a pool of transactions it can handle
• This makes it possible to represent many behaviors inside the interconnect
• Black box sub-components cannot be refined
Conclusion
• The use of multicore in avionics requires new methods to enforce robust partitioning
• ARINC 653 time partitioning is not applicable
• Inter-partition true parallelism
• Concurrent transactions management in the interconnect with little visibility on its behavior
• Incremental certification objectives
• Two strategies to enforce robust partitioning:
• Control transactions flow emission in the core with the hypervisor
• Represent transactions flow management in the interconnect
• Those two strategies are complementary to authorize parallelism in partitioned systems
VERSATILE INPUTS / OUTPUTS FOR IMA SYSTEMS
Outline
• Introduction and problem statement
• Our approach: versatility
• CALYPSO: first integrated versatile input prototype
• First Experimental Results
Definition
Input/Output Interface: set of functional blocks which allows interaction between Actuators, Sensors or Loads and an Information Processing System.
[Figure: block diagram with CPU, I/O Processor, Network, RAM, NVM, ROM and I/O interface blocks]
• Offer ways
  • to communicate
  • to sense
  • to act
Current Avionics Architecture
Data Processing Unit
• 100 Discrete I/Os
• 20 A429
• 2 Analog Acquisitions
Remote Data Concentrator
• 30 Discrete I/Os
• 5 A429
• 6 LVDT
• 20 Various Analog acquisitions
  • Temperature, DC Voltage…
Flight Control Management
• 10 Discrete I/Os
• A429 (# 50 IN, # 20 OUT)
• 10 LVDT
• 10 Analog acquisitions …
What makes these computers different?
• Different sensors/actuators
→ Different I/Os
Need for Versatility
Introducing Versatile Interface
Current Computer/RDC:
• Dedicated interfaces
→ Functionalities limited by hardware
→ In case of new specifications:
  • new design
  • validation
  • certification
Versatile Computer:
• Only one type of interface
• Reduced surface
• Easier design
• Easier reuse
• Scalability
Versatility offers extended functionalities
Versatile Interface Capabilities
Channels individually configurable to interface usual Inputs:
• Discrete Inputs:
  • DSI Ground/Open
  • DSI Vdd/Open
• Digital buses:
  • A429
• Differential analog acquisitions:
  • DC Analog Voltage
  • LVDT acquisition
  • Current Monitoring
  • LVDT excitation Monitoring
[Figures: Versatile Interface as a differential Interface; Versatile Interface as a Single Ended Interface]
75%-100% of CPIOM/RDC/FCC input types
Current Interface Principle
Current Input Interface
• Each stage is specifically designed
• Static hardware
Versatile Interface Principle
Versatile Interface
• Some stages can be programmed
• Analog Resources
  • Input Impedance
  • Gain
  • Offset
  • Single Ended/Differential
  • …
• Digital Resources
  • Filtering
  • Comparison Thresholds
  • Timing controls
  • Specific algorithms
  • …
Complete Interface Architecture
ASIC CALYPSO: Characteristics
• Content of the mock-up ASIC:
  • 1 analog front end for test purposes (channel 0).
  • 1 ADC for test purposes (ADC0).
  • 1 complete channel with 2 configurable analog front ends (Channels 1a and 1b), 1 mux and 1 ADC.
• To be implemented in next version:
  • Instrumentation amplifier
  • Basic digital data processing
  • Parallel → Serial data output
  • Serial configuration management
ASIC CALYPSO: Capabilities
• Theoretical Capabilities:
  • DSI GND/OPEN
  • DSI 28V/OPEN
  • A429 LS (ADC not fast enough)
  • ANI ±10V
  • LVDT
• For analog acquisitions: error correction thanks to reference switching.
COMPOLDSI COMDSI PDOWN COMREF1 or COMREF2 or COMREF3 or COMREF4 OFFSETGND OFFSETLINE CHANNELS CONFIGURATION
X X X 1 0 Offset Correction
0 0 1 0 1 Analog Acquisition/LVDT/A429
1 1 0 0 1 Discrete Ground/Open
0 1 0 0 1 Discrete Vdd/Open
X 0 0 X X DO NOT USE: ABNORMAL CONFIGURATION CAN CAUSE PERMANENT DAMAGE
ANY OTHER CONFIGURATION
ASIC CALYPSO: Results
• Example: DSI Vdd/Open
Experimental results: DSI Gnd/Open
[Plot: GND and Open input states against thresholds Vthdown and Vthup; 100 LSB]
• Configurable thresholds for maximum flexibility
• Compatible with ABD100, Gulfstream Specs…
• Good distinction between states
• Strong immunity to ground fluctuation (hard point)
  • Sine wave, 30V pp @200Hz
ASIC CALYPSO: Results
• Example: Analog Acquisition
ASIC CALYPSO: Results
• Example: Analog Acquisition with dynamic error correction
Parameters of the interface can change:
→ Dynamic error correction
• We digitize the signal with its errors
  • Unrejected common mode
  • Offset errors
  • Gain errors…
• We inject reference voltages into this signal
• We deduce interface parameters
We finally get the signal without errors
Dynamic error correction: experimental results
• Example:
  • Input voltage: sine wave
  • 3V @30Hz
  • A large error (30%) is introduced on the gain
[Plot: experimental measurements]
Smart error correction removes this error
Versatile interface manages to retrieve the correct signal
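An added worked example (not from the original slides, and not Thales code) of the dynamic error correction steps above: known references are measured through the faulty channel, gain and offset are fitted, and the model is inverted on the 3 V @ 30 Hz sine with a 30% gain error. Assumptions: a linear model reading = gain × input + offset, a 12-bit ±10 V ADC, a 50 mV offset, four reference voltage values, and all function names, none of which the slides specify.

```python
import math

FULL_SCALE_V = 10.0  # assumed +/-10 V range (the slides list "ANI ±10V")
ADC_BITS = 12        # assumed resolution; the slides do not state one
LSB = 2 * FULL_SCALE_V / (1 << ADC_BITS)

def adc(volts):
    """Constructed ADC model: clip to full scale, then quantize to one LSB."""
    clipped = max(-FULL_SCALE_V, min(FULL_SCALE_V - LSB, volts))
    return round(clipped / LSB) * LSB

def front_end(volts, gain=1.3, offset=0.05):
    """Constructed faulty channel: 30% gain error plus an assumed 50 mV offset."""
    return adc(gain * volts + offset)

def estimate_parameters(refs, readings):
    """Least-squares fit of reading = gain * ref + offset over injected references."""
    n = len(refs)
    if n < 2 or n != len(readings):
        raise ValueError("need at least two reference/reading pairs")
    mean_r, mean_y = sum(refs) / n, sum(readings) / n
    sxx = sum((r - mean_r) ** 2 for r in refs)
    if sxx == 0:
        raise ValueError("references must differ to separate gain from offset")
    sxy = sum((r - mean_r) * (y - mean_y) for r, y in zip(refs, readings))
    gain = sxy / sxx
    if abs(gain) < 1e-6:
        raise ValueError("estimated gain is ~0: channel dead or saturated")
    return gain, mean_y - gain * mean_r

def correct(reading, gain, offset):
    """Invert the fitted model to recover the input voltage."""
    return (reading - offset) / gain

def run_demo(amplitude=3.0, freq_hz=30, sample_rate=3000,
             refs=(-5.0, -2.5, 2.5, 5.0)):  # reference values are assumed
    """Return fitted gain, offset and worst-case relative error before/after."""
    gain, offset = estimate_parameters(refs, [front_end(r) for r in refs])
    worst_raw = worst_fixed = 0.0
    for k in range(sample_rate // freq_hz):  # one full period of the sine
        true_v = amplitude * math.sin(2 * math.pi * freq_hz * k / sample_rate)
        raw = front_end(true_v)
        worst_raw = max(worst_raw, abs(raw - true_v))
        worst_fixed = max(worst_fixed, abs(correct(raw, gain, offset) - true_v))
    return gain, offset, worst_raw / amplitude, worst_fixed / amplitude

if __name__ == "__main__":
    g, o, before, after = run_demo()
    print(f"gain={g:.4f} offset={o:.4f} V  error {before:.1%} -> {after:.2%}")
```

In this constructed model the residual after correction is set by ADC quantization alone, so it does not reproduce the measured figures reported on the slides.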
Dynamic error correction: experimental results
[Plot: experimental measurements, ±0.7%]
From ±7% error down to ±0.7% thanks to dynamic error correction; down to less than ±0.1% with the industrial ASIC
Conclusion
Experimental results
• Very consistent with theoretical results
• Very consistent with simulation
• Our models are correct and can be used for rapid error or misbehavior investigation
• Advanced functionalities are promising:
  • Capability to change gains, offsets and impedances
  • Discrete interfacing, with programmable pull (up or down)
  • Immunity to large ground fluctuation (tested and functional)
  • Dynamic error correction for precision voltage acquisitions
  • No sensitivity to temperature or process drifts
VERSATILITY BROUGHT TO THE NEXT STEP
• Number of parts reduced
  • Maintenance
  • Less spare parts
  • Availability
• Hardware scalability
  • Flexible
  • Design simplified
Thanks for your attention!
Source: http://asrs.arc.nasa.giv/publications/callback/cb_330.htm
Proprietary Notice
This presentation includes THALES Avionics Proprietary Information and Background Intellectual Property Rights.
This presentation, in whole or in part, is confidential and shall not be used or disclosed without THALES Avionics prior written authorization