AMC 20-193 and what it means to you

AMC 20-193, EASA’s official guidance document for certification of multicore software and hardware, was released on 21^st January 2022.

Until the release of AMC 20-193, certification applicants for multicore software and hardware for ED-12C/DO-178C or ED-80/DO-254 projects followed CAST-32A guidance. For applicants certifying under EASA, AMC 20-193 has now superseded CAST-32A. [Edit] The FAA released its AC 20-193 guidance some two years after the release of AMC 20-193, on 8th January 2024, and the guidance is aligned with AMC 20-193 from a technical and certification perspective. As such, all of the insights in this blog that apply to AMC 20-193 also apply to AC 20-193.

We’ve spent some time reviewing the new guidance in order to highlight the differences between AMC 20-193 and CAST-32A. Here are the differences we found:

• Dynamic allocation of software execution – CAST-32A discouraged the use of dynamic allocation mechanisms for software execution (such as task migration) in ED-12C/DO-178C projects. AMC 20-193 states that “justification for using dynamic allocation features within the scope of this AMC may rely on robust and proven limitations that lead to deterministic behavior”. Activities relating to the appropriate use and verification of dynamic allocation of software execution remains outside the scope of the AMC.
• Simultaneous multithreading – guidance was given for certification of systems using simultaneous multithreading in CAST-32A. AMC 20-193 specifically states that this is not a multicore issue and offers no guidance for it. You’ll almost certainly still need to take any simultaneous multithreading into account in your ED-12C/DO-178C developments, but this isn’t covered by AMC 20-193.
• Exemptions – CAST-32A specified some exemptions as to situations in which a multicore ED-12C/DO-178C would not need to meet CAST-32A objectives. AMC 20-193 adds a new exemption for systems where cores are acting as co-processors under the control of another core, such as GPUs whose execution is under the control of a CPU.
• Integrated Modular Avionics (IMA) – AMC 20-193 includes a definition of IMA, which states that in the context of the AMC, an IMA platform meets the robust resource and time partitioning criteria listed in the AMC.
• Other definitions and clarifications – AMC 20-193 clarifies a number of other things that were mentioned in CAST-32A, for example clarifying that a multicore platform includes platform software such as an RTOS or hypervisor, and providing extra definitions for what constitutes a software or hardware component.
• Mitigation of changes to critical configuration settings – CAST-32A’s MCP_Resource_Usage_2 objective provided guidance on the need to mitigate against inadvertent changes to critical platform configuration settings for ED-12C/DO-178C certification of multicore systems. AMC 20-193 does not include such guidance, stating that this objective is already provided in AMC 20-152A (Objective COTS-8 ).
• Use of simulators – AMC 20-193 discourages the use of simulators in its MCP_Software_1 objective.
• Data Coupling Control Coupling – AMC 20-193 clarifies that tasks on one component may execute on other cores, so tasks on the same component may interfere with each other.

Are you working on a multicore ED-12C or DO-178C project, expecting to start one soon, or wanting to evaluate the use of multicore systems for ED-12C/DO-178C? If so, MACH¹⁷⁸ can help you evaluate multicore technologies and provide the evidence you need for certification.