New-Tech Europe | December 2016 | Digital Edition

The route to multi-core certification currently presents a challenge to avionics programmes due to the lack of formal policy / guidance published by FAA and EASA. However, the EASA MULCORS research report and FAA CAST-32 position paper should be taken into consideration when planning a safety-critical multi-core avionics project.

Programmes may wish to consider the use of a multi-core processor in their next hardware platform even if their current processing requirements do not exceed that provided by a single core, in order to provide adequate processing capacity to meet future processing requirements. The selection of a multi-core processor may also become a necessity due to the lack of availability of single-core processors, as mentioned earlier.

Similarly, some programmes may wish to use multi-core processors which have more than two cores, as 4-core and 8-core devices are now relatively common. However, CAST-32 does not consider multi-core processors with more than two active cores. Certifying multi-core processors will require substantial research and certification leadership to extend the guidance in the MULCORS and CAST-32 papers.

In both of the above scenarios, programmes will need to be able to utilise certain processor cores and deactivate the unused cores. To meet the multi-core determinism objectives of CAST-32, programmes will need to demonstrate that a deactivated core cannot unexpectedly become active and interfere with the operation of the processor’s other cores. This could be done either by regularly reading the control registers which are critical to safe operation and resetting the register value if a change of state is detected, or by regularly overwriting the control registers to ensure that the desired state is maintained. Some processors may also provide performance monitoring units which enable the state of an individual core to be determined independently.

The software implementation of core deactivation is processor-specific, and depends on whether the individual processor architecture allows one core to write to a control register to deactivate another core. For example, on the PowerPC QorIQ T2080™ processor, deactivation of an individual core can be achieved by setting the relevant bit field in the Core Disable Register during Pre-Boot Initialisation or when the core is in boot hold off mode, and once a core has been deactivated it can only be re-enabled via power-on, hard reset or core reset [4].

The ability of safety-critical avionics programmes to deactivate individual cores and develop a safety-case which includes robust arguments for the deterministic operation of the process may depend on the ability to obtain detailed technical information on the design and operation of the processor from the semiconductor manufacturer. Some companies may make this information publicly available, while others may only provide certain levels of information under non-disclosure agreement. For programmes undertaking DO-254 hardware certification, this will be a particularly important requirement, and they will need to ensure that the selected semiconductor manufacturer will provide access to the required information, even if it does not formally support DO-254 certification in the way that companies such as Altera do [5].

Conclusions

The avionics market is currently undergoing a significant transition from single-core to multi-core processor architectures, being driven by demands for greater system functionality and the semiconductor product lifecycles which primarily target the much larger commercial market segments. The advances made by semiconductor manufacturers now present a much broader range of viable processor choices for avionics applications than was available in the past. Although there currently appears to be some uncertainty about the best choice of processor for safety-critical avionics programmes, it is likely that positive experiences gained by early adopters on multi-core programmes will result in a virtuous circle of support, further adoption and success, in a similar way to how single-core avionics programmes of previous decades generated a rich supplier ecosystem of COTS avionics certification solutions.

References

[1] “Microprocessor Evaluations for Safety-Critical, Real-Time Applications: Authority for Expenditure No. 43 Phase 5 Report”, US Federal Aviation Administration, DOT/FAA/AR-11/5, May 2011. https://www.faa.gov/aircraft/air_cert/design_approvals/air_software/media/11-5.pdf
[2] Product Longevity – Archived (September 2014), NXP website. http://www.nxp.com/pages/product-longevity-archived-september-2014:LONGEVITY-ARCHIVED
[3] “Advancing Moore’s Law – The Road to 14nm”, presentation, Intel website, 11th August 2014. http://www.intel.com/content/www/us/en/silicon-innovations/advancing-moores-law-in-2014-presentation.html
[4] QorIQ T2080 Family Reference Manual, T2080RM Rev 1, NXP, May 2015. https://www.nxp.com/webapp/Download?colCode=T2080RM
[5] DO-254 Safety Solutions, Altera website. https://www.altera.com/solutions/industry/military/applications/do-254/mil-do-254.html
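The two register-monitoring approaches the article describes for keeping a deactivated core inactive (read, compare and restore on change, or overwrite every period) can be sketched as follows. This is an added example, not code from the article or from any processor vendor; the register variables are simulated stand-ins with a hypothetical bit layout, and all names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
/* One guarded register: address, safety-critical bits, required value. */
typedef struct {
    volatile uint32_t *reg;
    uint32_t mask;
    uint32_t expected;
} guarded_reg_t;
typedef struct { unsigned drift; unsigned stuck; } guard_result_t;

/* Approach 1: read, compare, restore only on a detected change. Each change
 * is counted so it can be reported as a fault rather than silently fixed. */
guard_result_t guard_check_and_restore(const guarded_reg_t *t, size_t n)
{
    guard_result_t r = {0, 0};
    for (size_t i = 0; i < n; i++) {
        uint32_t v = *t[i].reg;
        if ((v & t[i].mask) == t[i].expected)
            continue;
        r.drift++;
        *t[i].reg = (v & ~t[i].mask) | t[i].expected;
        if ((*t[i].reg & t[i].mask) != t[i].expected)
            r.stuck++;            /* read-back failed: write did not take */
    }
    return r;
}

/* Approach 2: rewrite the critical bits every period, changed or not.
 * Nothing is compared, so an unexpected change is never observed. */
void guard_refresh(const guarded_reg_t *t, size_t n)
{
    for (size_t i = 0; i < n; i++)
        *t[i].reg = (*t[i].reg & ~t[i].mask) | t[i].expected;
}

/* Constructed stand-ins for memory-mapped registers; layout is hypothetical. */
static volatile uint32_t sim_core_ctrl = 0x0000000Cu;
static volatile uint32_t sim_other     = 0x000000A5u;
static const guarded_reg_t guard_table[] = {
    { &sim_core_ctrl, 0x0000000Cu, 0x0000000Cu },
    { &sim_other,     0x000000F0u, 0x000000A0u },
};
#define GUARD_COUNT (sizeof guard_table / sizeof guard_table[0])

int main(void)
{
    sim_core_ctrl = 0x00000004u;  /* simulate one bit changing unexpectedly */
    return guard_check_and_restore(guard_table, GUARD_COUNT).drift == 1 ? 0 : 1;
}
```

On real hardware the table entries would point at the registers named in the processor's reference manual, and a non-zero drift or stuck count would feed the platform's health monitoring.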
