The route to multi-core certification

currently presents a challenge to

avionics programmes due to lack of

formal policy / guidance published

by FAA and EASA. However, the

EASA MULCORS research report and

FAA CAST-32 position paper should

be taken into consideration when

planning a safety-critical multi-core

avionics project.

Programmes may wish to consider

the use of a multi-core processor in

their next hardware platform even if

their current processing requirements

do not exceed that provided by

a single core, in order to provide

adequate processing capacity to meet

future processing requirements. The

selection of a multi-core processor

may also become a necessity due to

the lack of availability of single core

processors as mentioned earlier.

Similarly, some programmes may wish

to use multi-core processors which

have more than two cores, as 4-core

and 8-core devices are now relatively

common. However, CAST-32 does not

consider multi-core processors with

more than two active cores. Certifying

multi-core processors will require

substantial research and certification

leadership to extend the guidance in

the MULCORS and CAST-32 papers.

In both of the above scenarios,

programmes will need to be able to

utilise certain processor cores and

deactivate the unused cores. To meet

the multi-core determinism objectives

of CAST-32, programmes will need to

demonstrate that a deactivated core

cannot unexpectedly become active

and interfere with the operation of

the processor’s other cores. This could

either use an approach of regularly

reading control registers which are

critical to safe operation and resetting

the register value in the event of a

change of state being detected; or

by regularly overwriting the control

registers to ensure that the desired

state is maintained. Some processors

may also provide performance

monitoring units which enable the

state of an individual core to be

determined independently.

The software implementation of core

deactivation is processor-specific,

and depends on whether individual

processor architecture provides the

ability for a core to be able to write to

a control register to deactivate another

core or not. For example, on the

PowerPC QorIQ T2080™ processor,

deactivation of an individual core can

be achieved by setting the relevant

bit field in the Core Disable Register

during Pre-Boot Initialisation or when

the core is in boot hold off mode, and

once a core has been deactivated it

can only be re-enabled via power-on,

hard reset or core reset [4].

The ability of safety-critical avionics

programmes to be able to deactivate

individual cores and develop a safety-

case which includes robust arguments

for the deterministic operation of the

process may depend on the ability to

obtain detailed technical information

on the design and operation of the

processor from the semiconductor

manufacturer. Some companies

may make this information publicly

available, while others may only

provide certain levels of information

under non-disclosure agreement. For

programmes undertaking DO-254

hardware certification, this will be a

particularly important requirement,

and will need to ensure that the

selected semiconductor manufacturer

will provide access to the required

information, even if they do not

formally support DO-254 certification

in the way as companies such as

Altera [5].

Conclusions

The avionics market is currently

undergoing a significant transition from

single-core to multi-core processor

architectures, being driven by demands

for greater system functionality and

the semiconductor product lifecycles

which primarily target the much larger

commercial market segments. The

advances made by semiconductor

manufacturers now present a much

broader range of viable processor

choices for avionics applications than

was available in the past. Although

there currently appears to be some

uncertainty about the best choice of

processor for safety-critical avionics

programmes, it is likely that positive

experiences gained by early adopters

on multi-core programmes will result

in a virtuous circle of support, further

adoption and success, in a similar way

to single-core avionics programmes

of previous decades generated a rich

supplier ecosystem of COTS avionics

certification solutions.

References

[1]

“Microprocessor Evaluations

for

Safety-Critical,

Real-Time

Applications: Authority for Expenditure

No. 43 Phase 5 Report”, US Federal

Aviation Administration. DOT/FAA/AR-

11/5, May 2011.

https://www.faa.gov/

aircraft/air_cert/design_approvals/

air_software/media/11-5.pdf

[2]

Product Longevity – Archived

(September 2014), NXP website.

http://www.nxp.com/pages/product-

l ongev i t y- a r ch i ved - s ep t embe r -

2014:LONGEVITY-ARCHIVED

[3]

“Advancing Moore’s Law –

The Road to 14nm”, presentation,

Intel website, 11th August 2014.

http://www.intel.com/content/www/

us/en/silicon-innovations/advancing-

moores-law-in-2014-presentation.

html

[4]

QorIQ T2080 Family Reference

Manual, T2080RM Rev 1, NXP, May

2015.

h t t ps : / /www. nxp . com/webapp /

Download?colCode=T2080RM

[5]

DO-254 Safety Solutions,

Altera website,

https://www.altera.com/solutions/

industry/military/applications/do-254/

mil-do-254.html

New-Tech Magazine Europe l 51