RVS 3.18 Launched
Solid Sands partners with Rapita Systems
Danlaw Acquires Maspatechnologies - Expanding Rapita Systems to Spain
Rapita co-authored paper wins ERTS22 Best paper award
Why mitigating interference alone isn’t enough to verify timing performance for multicore DO-178C projects
There are how many sources of interference in a multicore system?
Supporting modern development methodologies for verification of safety-critical software
Flexible licensing software fit for modern working
DO-178C Guidance: Introduction to RTCA DO-178 certification
MATLAB® Simulink® MCDC coverage and WCET analysis
Code coverage for Ada, C and C++
AMC 20-193
Aerospace Tech Week Europe 2023
Aeromart Montreal 2023
Certification Together International Conference
EASA® and the FAA™ have been developing guidelines for development of multi-core systems for DO-178 aerospace projects. These include the EASA Certification Review Item – Multi-core Processor (CRI MCP), CAST-32A and AMC 20-193. Acceptable Means of Compliance documents (AMCs) produced by EASA, and the FAA's equivalent, Advisory Circulars, provide guidance for compliance with airworthiness regulations without creating or changing existing regulatory requirements.
AMC 20-193 is a joint effort by EASA and the FAA that supplements the guidance in position paper "CAST-32A: Multi-core Processors". AMC 20-193 builds on industry advancements that are aiding the certification process for multicore processors (MCPs) and recommends best practices to consider when dealing with MCPs, including considerations for dynamic allocation and multicore interference mitigation. AC 20-193, the FAA's equivalent of AMC 20-193, is expected to be released soon and closely mirror EASA's AMC 20-193.
Background
Multicore processors are increasingly used within avionics systems, and this trend is likely to continue. These processors offer increased performance compared to single core processors and allow more functionality to be included within hardware. They can also contain other embedded functions such as memory management and embedded security, reducing the chip count for a system. Furthermore, as single-core processors are used in so few other industries, their future supply is a serious concern for avionics suppliers.
Whilst MCPs offer a great deal of advantages, their behavior is harder to verify due to the presence of interference channels.
Interference channels can be caused by a variety of factors, including contention over shared hardware resources. This interference can have a significant effect on timing behavior, raising critical safety concerns. Consequently, conventional DO-178C and DO-297 guidance (designed for single-core systems) is insufficient to verify the behavior of MCPs, hence the need for additional guidance such as CAST-32A and AMC 20-193.
AMC 20-193 vs CAST-32A Webinar
CAST-32A
In response to the increasing use of MCPs and the need to meet compliance guidelines in projects using MCPs, the Certification Authorities Software Team (CAST) published Position Paper CAST-32A named ‘Multicore Processors’ (often referred to as just ‘CAST-32A’). This paper identifies topics that could impact the safety, performance and integrity of airborne software systems executing on MCPs and provides objectives intended to guide the production of safe multicore avionics systems.
You can find out more about more about CAST-32A here
A(M)C 20-193 vs. CAST-32A
We’ve spent some time reviewing the new guidance in order to highlight the differences between AMC 20-193 and CAST-32A. Here are the differences we found:
- Dynamic allocation of software execution – CAST-32A discouraged the use of dynamic allocation mechanisms for software execution (such as task migration) in ED-12C/DO-178C projects. AMC 20-193 states that “justification for using dynamic allocation features within the scope of this AMC may rely on robust and proven limitations that lead to deterministic behavior”. Activities relating to the appropriate use and verification of dynamic allocation of software execution remains outside the scope of the AMC.
- Simultaneous multithreading – guidance was given for certification of systems using simultaneous multithreading in CAST-32A. AMC 20-193 specifically states that this is not a multicore issue and offers no guidance for it. You’ll almost certainly still need to take any simultaneous multithreading into account in your ED-12C/DO-178C developments, but this isn’t covered by AMC 20-193.
- Exemptions – CAST-32A specified some exemptions as to situations in which a multicore ED-12C/DO-178C would not need to meet CAST-32A objectives. AMC 20-193 adds a new exemption for systems where cores are acting as co-processors under the control of another core, such as GPUs whose execution is under the control of a CPU.
- Integrated Modular Avionics (IMA) – AMC 20-193 includes a definition of IMA, which states that in the context of the AMC, an IMA platform meets the robust resource and time partitioning criteria listed in the AMC.
- Other definitions and clarifications – AMC 20-193 clarifies a number of other things that were mentioned in CAST-32A, for example clarifying that a multicore platform includes platform software such as an RTOS or hypervisor, and providing extra definitions for what constitutes a software or hardware component.
- Mitigation of changes to critical configuration settings – CAST-32A’s
MCP_Resource_Usage_2objective provided guidance on the need to mitigate against inadvertent changes to critical platform configuration settings for ED-12C/DO-178C certification of multicore systems. AMC 20-193 does not include such guidance, stating that this objective is already provided in AMC 20-152A (ObjectiveCOTS-8). - Use of simulators – AMC 20-193 discourages the use of simulators in its
MCP_Software_1objective. - Data Coupling Control Coupling – AMC 20-193 clarifies that tasks on one component may execute on other cores, so tasks on the same component may interfere with each other.
Rapita Systems have a unique solution to help you meet AMC 20-193 and CAST-32A objectives including analyzing software timing behavior within the context of multicore interference. Taking advantage of this solution will provide a head start in adhering to the guidelines that will be provided in the upcoming AMC 20-193. Find out more about Rapita’s solution here.
