Achieving Safety-Critical ... - Embedded Tech Trends - Green Hills Software.pdfEmbedded Tech Trends...
Transcript of Achieving Safety-Critical ... - Embedded Tech Trends - Green Hills Software.pdfEmbedded Tech Trends...
© 2019 Green Hills Software Slide 1
Achieving Safety-Critical Determinism with Multicore Processors
Embedded Tech Trends Richard JaenickeJanuary 24-25, 2019 [email protected]
© 2019 Green Hills Software Slide 2
Multicore is Everywhere
Even in Most Regulated Industries
Except Safety-Critical Applications
© 2019 Green Hills Software Slide 3
Strict Determinism is Required for Flight Safety
© 2019 Green Hills Software Slide 4
DAL A is the Strictest Safety Level
DAL A failure rate is 10^-9/h 1 failure every 114,155
years of continuous operation
No single HW failure can result in a catastrophic event
DesignAssurance
Level
Failure condition
Failure Rate
A Catastrophic 10−9/h
B Hazardous 10−7/h
C Major 10−5/h
D Minor 10−3/h
E No Effect n/a
© 2019 Green Hills Software Slide 5
System Complexity Makes Failure Evaluation Difficult
“Lion Air pilots unable to correct for faulty sensor”
© 2019 Green Hills Software Slide 6
Achieving Determinism in a Single-Core World
Avoid Interference between Applications throughPartitioning of Space and Time (ARINC 653)
Memory Space Partitioning Enforced by CPU’s Memory Management Unit (MMU)
Processor Time Partitioning RTOS gives each application a fixed length time window
Flight Mgmt.
File Sys
Crew Alerting
Onboard Maint.
FileSys
Spare Built-In Test
Flight Mgmt.
File Sys
Crew Alerting
Major Frame Repeat Frame
Time
© 2019 Green Hills Software Slide 7
Multicore is More Complex
Multicore must address contention for shared resources
For flight safety, certification authority guidance is in CAST-32A
© 2019 Green Hills Software Slide 8
Simple Approach Doesn’t Work WellTry to have one core responsible for all shared resource access
Possible for I/O, but results in vast under utilization of cores
Impossible for memory controllerwithout running only one core at a time
Master
© 2019 Green Hills Software Slide 9
Memory Access can be Very Unfair
0%
20%
40%
60%
80%
100%
Desired Predicted Actual
Memory Bandwidth Per Core(Core 0 reads & Core 1 writes)
Core 0at DAL ACore 1at DAL C
Actual = measurements on quad-core e500mc
DAL A
DAL C
© 2019 Green Hills Software Slide 10
General Solution is to Enforce QoS All shared access goes through on-chip interconnect, so can enforce it there Set access thresholds for each time window for each core, enforced by the OS
© 2019 Green Hills Software Slide 11
Multiple Layers for Safety Certification
Structural Coverage
Testing
Reviews
Traceability
Analysis
Planning
Faults
© 2019 Green Hills Software Slide 12
DAL-A Requires Complete Traceability
High-Level Requirement
Low-Level Requirement
Low-Level Requirement
Source Code for
Rqmt
Source Code for
Rqmt
© 2019 Green Hills Software Slide 13
DAL-A Requires Huge Testing
High-Level Requirement
Low-Level Requirement
Low-Level Requirement
Source Code for
Rqmt
Source Code for
Rqmt
Test Code for that Reqmt.
Test Code for that Reqmt.
Test Code for that Reqmt.
© 2019 Green Hills Software Slide 14
Test Suites Can Be Huge for Multicore
Multicore
Multicore
Single Core
Single Core
1 10 100 1000 10000
Test Suite
RTOSSource
Lines of Code (000s)
Testing Increases Exponentially for Multicore
250x
© 2019 Green Hills Software Slide 15
Test Suites Can Be Huge for Multicore
Multicore
Multicore
Single Core
Single Core
0 1000 2000 3000 4000 5000
Test SuiteLOC
RTOSSource LOC
Lines of Code (000s)
Testing Increases Exponentially for Multicore
250x
© 2019 Green Hills Software Slide 16
Summary
Deterministic multicore is hard, but achievable Contention for shared resources causes unpredictable delays Must enforce QoS, such as via bandwidth allocation Testing and validation are exponentially harder for multicore
Almost Impossible for System Integrators to do Themselves Use suppliers with the most extensive support for multicore
interference mitigation, testing, and validation suites
© 2019 Green Hills Software Slide 17
See Also
FAA Position Paper: CAST 32A Multicore processorshttps://www.faa.gov/aircraft/air_cert/design_approvals/air_software/cast/cast_papers/media/cast-32A.pdf
Whitepaper: Optimal Multicore Processing for Safety-Critical Applicationshttps://www.curtisswrightds.com/infocenter/white-papers/optimal-multicore-processing-for-safety-critical-applications.html
Website: GHS solutions for Aerospace and Defensehttps://www.ghs.com/AerospaceDefense.html