
Untitled - EASA

Feb 26, 2023

Research Project EASA.2011/6

MULCORS - Use of Multicore Processors in airborne systems

easa.europa.eu


Disclaimer

This study has been carried out for the European Aviation Safety Agency by an external organization and expresses the opinion of the organization undertaking the study. It is provided for information purposes only and the views expressed in the study have not been adopted, endorsed or in any way approved by the European Aviation Safety Agency. Consequently it should not be relied upon as a statement, as any form of warranty, representation, undertaking, contractual, or other commitment binding in law upon the European Aviation Safety Agency.

Ownership of all copyright and other intellectual property rights in this material including any documentation, data and technical information, remains vested to the European Aviation Safety Agency. All logo, copyrights, trademarks, and registered trademarks that may be contained within are the property of their respective owners.

Reproduction of this study, in whole or in part, is permitted under the condition that the full body of this Disclaimer remains clearly and visibly affixed at all times with such reproduced part.

Thales Avionics

“MULCORS”

“The Use of MULticore proCessORS in Airborne Systems”

THALES AVIONICS

Dossier ref. CCC/12/006898 – Rev. 07

Authors : Xavier JEAN, Marc GATTI, Guy BERTHON, Marc FUMEY

EASA 2011.C31 Project.

REVISIONS

Revision | Date | Effect on § | Description
00 | November, 8th 2012 | All | Draft of the final Report
01 | November, 20th 2012 | All | Creation of the document
02 | November, 26th 2012 | All | Integration EASA remarks, 2012-11-23
03 | December, 05th 2012 | 9.3.6.6 & | Complement chapters regarding Tasks 1 & 2
04 | December, 07th 2012 | C.1..3, 13 | Adding a chapter regarding the Hypervisor. Upgrade list for Chapters Literature Review and References
05 | December, 07th 2012 | None | Reference number which should the contract number EASA.2011.C31. Adding ® & ™
06 | December, 08th 2012 | All | Modification of recommended guidelines following MULCORS final report presentation
07 | December, 16th 2012 | All | Modification of recommended guidelines following MULCORS final report presentation comments

1. DISCLAIMER
2. ACKNOWLEDGEMENTS
3. EXECUTIVE SUMMARY
3.1. AIMS / OBJECTIVES
3.2. OVERALL APPROACH
3.3. EASA EXPECTATIONS
3.4. FINDINGS ACHIEVEMENTS AND CONCLUSIONS
4. BACKGROUND
4.1. DIGITAL EMBEDDED AIRCRAFT SYSTEMS
4.2. USE OF COTS PROCESSORS IN EMBEDDED AIRCRAFT EQUIPMENT
4.3. USE OF MULTI-CORE IN EMBEDDED AIRCRAFT EQUIPMENT
5. AIMS AND OBJECTIVES
6. LITERATURE REVIEW
6.1. AVIONIC STANDARDS
6.2. OFFICIAL GUIDELINES
6.3. STUDIES ON PROCESSOR EVALUATION AND SELECTION
6.4. STUDIES ON ROBUST PARTITIONING
6.5. STUDIES ON WCET CALCULUS
6.6. STUDIES ON MULTICORE PROCESSORS SCHEDULING
6.7. STUDIES ON HYPERVISORS AND OPERATING SYSTEMS
6.8. REFERENCE MANUAL OF STUDIED PROCESSORS
7. METHODOLOGY
8. IMPLEMENTATION
9. RESULTS AND OUTCOME
9.1. REQUIREMENTS FOR AN EMBEDDED AIRCRAFT SYSTEMS
9.1.1. DETERMINISM IN EMBEDDED AIRCRAFT SYSTEMS
9.1.1.1. Embedded Aircraft Systems integrity
9.1.1.2. WCET analyzability
9.1.1.3. Airborne Embedded System Usage Domain
9.1.1.4. Robust Partitioning
9.1.2. CERTIFICATION OBJECTIVES FOR EMBEDDED AIRCRAFT SYSTEMS
9.1.2.1. Intended Function

9.1.2.1..1 BSP or Board Support Package
9.1.2.1..2 Hypervisor
9.1.2.1..3 Operating System
9.1.2.1..4 Device drivers
9.1.2.2. Safety Objectives
9.1.2.3. Foreseeable Conditions
9.2. PROCESSORS SELECTION
9.2.1. STRATEGIC SELECTION CRITERIA
9.2.1.1. Selection criteria regarding the manufacturer situation
9.2.1.2. Manufacturer openness regarding design and tests information
9.2.2. TECHNICAL SELECTION CRITERIA
9.2.2.1. Focus on core architecture
9.2.2.1..1 Instruction model
9.2.2.1..2 Pipeline issues
9.2.2.1..3 Virtual memory management
9.2.2.1..4 Private caches and scratchpads
9.2.2.2. Focus on peripherals
9.2.2.3. Focus on hardware assist for debug and monitoring
9.3. MULTI-CORE TECHNOLOGY STATE-OF-THE-ART
9.3.1. SUMMARY OF TASK 1
9.3.2. SUMMARY OF TASK 2
9.3.3. BASIC ARCHITECTURE CHARACTERISTICS
9.3.3.1. Memory sharing architecture
9.3.3.1..1 Unified Memory Access (UMA)
9.3.3.1..2 What about caches?
9.3.3.1..3 Distributed Architecture (DA)
9.3.3.1..4 Architecture named “Single Address space, Distributed Memory” or SADM
9.3.4. MULTI‐CORE GALAXY OVERVIEW
9.3.4.1. A short overview of processor roadmap
9.3.4.1..1 Freescale Roadmap
9.3.4.1..2 ARM Roadmap
9.3.4.1..3 INTEL® ROADMAP
9.3.4.2. Multi‐core processors manufacturers and addressed market segments
9.3.4.3. Academic projects around multi‐core
9.3.4.4. Industrial collaborations
9.3.5. SOFTWARE SUPPORT FOR EMBEDDED AIRCRAFT SYSTEMS
9.3.5.1. Airborne Certified Operating System
9.3.5.2. Software definition / explanation
9.3.5.2..1 Processes and Threads
9.3.5.2..2 Multithreading
9.3.5.2..3 Processes, kernel threads, user threads
9.3.5.3. The impact of multi‐cores on Software Development
9.3.5.3..1 Memory Management
9.3.5.3..2 Mapping
9.3.6. EXAMPLES OF REPRESENTATIVE MULTI‐CORE ARCHITECTURES
9.3.6.1. Communication and Networking Processor
9.3.6.1..1 Freescale QorIQ™ P2020
9.3.6.1..1.1 e500 Coherency Module (ECM) and Address Map
9.3.6.1..2 e500mc Cores
9.3.6.1..3 Hypervisor

9.3.6.1..4 Networking platform: Freescale QorIQ™ P4080
9.3.6.1..4.1 QorIQ™ Processor Interconnect
9.3.6.1..4.2 Peripherals
9.3.6.2. Low‐Power Multi‐core IP: ARM CORTEX®‐A15 MPCore™
9.3.6.2..1 CORTEX®‐A15 Cores
9.3.6.2..2 Snoop Control Unit: First Level interconnect
9.3.6.2..3 Corelink™ Network: Peripheral interconnect
9.3.6.3. Multi‐core DSP: Texas Instruments TMS320C6678™
9.3.6.3..1 DSP Cores: C66x™ CorePac
9.3.6.3..2 TMS320C66xx™ interconnect: TeraNet™
9.3.6.4. SoC FPGA Hard Processor System: Altera Cyclone® V
9.4. MULTI-CORE FEATURES REGARDING CERTIFICATION
9.4.1. INTRODUCTION
9.4.2. PROCESSOR FEATURES IMPACT ON DETERMINISM
9.4.2.1. Summary of task 3
9.4.2.2. Summary of task 4
9.4.2.3. Interconnect
9.4.2.3..1 Overview
9.4.2.3..2 Interconnect Classification criteria
9.4.2.3..3 Interconnect Usage Domain
9.4.2.3..3.1 Objective and Definition
9.4.2.3..3.2 Related selection criteria
9.4.2.3..4 Interconnect features regarding multi‐core processor integrity
9.4.2.3..4.1 Integrity of transactions services in the interconnect
9.4.2.3..4.2 Related selection criteria
9.4.2.3..5 Interconnect features regarding Worst Case Execution Time calculus
9.4.2.3..5.1 Related selection criteria
9.4.2.3..6 Interconnect features regarding Robust Partitioning insurance
9.4.2.3..6.1 Related selection criteria
9.4.2.4. Shared caches
9.4.2.4..1 Cache Classification criteria
9.4.2.4..2 Content prediction features
9.4.2.4..3 Classic cache configurations
9.4.2.4..3.1 Cache partitioning
9.4.2.4..3.2 Cache use as SRAM
9.4.2.4..4 Corresponding selection criteria
9.4.2.5. Cache coherency mechanisms
9.4.2.5..1 Corresponding selection criteria
9.4.2.6. Shared services
9.4.2.6..1 Shared Services Classification criteria
9.4.2.6..2 Corresponding selection criteria
9.4.2.7. Cores
9.4.2.7..1 Corresponding selection criteria
9.4.2.8. Peripherals
9.4.2.8..1 Corresponding selection criteria
9.5. SOFTWARE ASPECTS
9.5.1. SUMMARY OF TASK 7
9.5.2. SUMMARY OF TASK 8
9.5.3. AIRBORNE SOFTWARE DEPLOYMENT ON A MULTI‐CORE PLATFORM
9.5.3.1. Airborne Software execution on several cores

9.5.3.1..1 Multitasks scheduling features
9.5.3.1..2 Airborne Software migration from single‐core to multi‐core platforms
9.5.3.1..3 Partitioned system features
9.5.3.1..3.1 Components evolution to take benefit of multi‐core platforms
9.5.3.1..3.2 Deployment of partitions
9.5.3.1..3.3 Symmetrical Multi‐processing
9.5.3.1..3.4 Asymmetrical Multi‐processing
9.5.3.1..3.5 AMP‐SMP‐BMP selection
9.5.3.1..3.6 Others deployment schemes
9.5.3.2. Airborne Equipment software features
9.5.3.2..1 Architectural concerns
9.5.3.2..1.1 Symmetrical Multi Processing
9.5.3.2..1.2 Asymmetrical Multi Processing
9.5.4. MITIGATION MEANS
9.5.4.1. Summary of task 5
9.5.4.2. Mitigation Means Analysis
9.5.4.3. Time jitter ratio to total execution time
9.5.4.4. Airborne Software WCET evaluation
9.5.4.5. Monitoring during real‐time execution
9.5.4.6. Airborne Software robustness
9.6. FAILURE MITIGATION MEANS
9.6.1. SUMMARY OF TASK 10
9.6.2. MITIGATION MEANS
9.7. COTS RELATED FEATURES
9.7.1. SUMMARY OF TASK 11
9.7.2. COTS RELATED FEATURES ANALYSIS
9.7.2.1. Electro‐migration
9.7.2.2. Single Event Effects
9.8. METHOD AND TOOLS
9.8.1. SUMMARY OF TASK 9
9.8.2. METHODS AND TOOLS ANALYSIS
9.9. EASA GUIDELINE FOR MULTI-CORE PLATFORMS
9.9.1. SUMMARY OF TASK 6
9.9.2. PROPOSED GUIDELINE
10. OUTREACH
11. CONCLUSIONS
11.1. CONCLUSIONS WITH RESPECT TO THE REDUCTION OF COMPLEXITY
11.2. MULTI-CORE PROCESSOR USAGE DOMAIN RELATED CONCLUSIONS
11.3. SIGNIFICANT FEATURES RELATED CONCLUSIONS
11.4. CONCLUSIONS ON ROBUST PARTITIONING
11.5. CONCLUSIONS ON SUGGESTED MODIFICATION TO EASA GUIDANCE
11.5.1. ROUTES TO COMPLIANCE
11.5.2. ADVANCED GUIDANCE
12. RECOMMENDATIONS

12.1. PURPOSE
12.2. PROCESSOR SELECTION GUIDE
12.3. USAGE DOMAIN
12.4. CACHE COHERENCY
12.5. OPERATING SYSTEM & TASKS ALLOCATIONS
12.6. SHARED SERVICES
12.7. CORES
12.8. PERIPHERALS
12.9. FAILURE MITIGATION
13. REFERENCES
14. APPENDIXES
14.1. REVIEW OF EXISTING EASA GUIDANCE IN EASA CM SWCEH-001 ISS. 1 REV. 1
14.1.1. REVIEW OF EASA CM SWCEH‐001
14.1.2. MULTI‐CORE ASPECTS ALREADY AVAILABLE IN EASA CM SWCEH‐001 ISS. 1 REV. 1
14.1.3. STRUCTURING ACTIVITIES
14.2. EXAMPLE OF PROCESSOR CLASSIFICATION

1. DISCLAIMER

This study has been carried out for the European Aviation Safety Agency by an external organization and expresses the opinion of the organization undertaking the study. It is provided for information purposes only and the views expressed in the study have not been adopted, endorsed or in any way approved by the European Aviation Safety Agency. Consequently it should not be relied upon as a statement, as any form of warranty, representation, undertaking, contractual, or other commitment binding in law upon the European Aviation Safety Agency.

Ownership of all copyright and other intellectual property rights in this material including any documentation, data and technical information, remains vested to the European Aviation Safety Agency. None of the materials provided may be used, reproduced or transmitted, in any form or by any means, electronic or mechanical, including recording or the use of any information storage and retrieval system, without express written consent from the European Aviation Safety Agency. All logo, copyrights, trademarks, and registered trademarks that may be contained within are the property of their respective owners.

Persons wishing to reproduce in whole or in part the contents of this study are invited to submit a written request to the following address:

European Aviation Safety Agency (EASA)
Safety Analysis and Research Department
Research Project Manager
Ottoplatz 1
D-50679 Cologne
Germany

2. ACKNOWLEDGEMENTS

This report concludes the MULCORS project contracted with EASA. It provides the main outputs, recommendations and conclusions per EASA Specifications attached to the Invitation to Tender EASA.2011.OP.30.

Project MULCORS - The Use of MULticore proCessORS in Airborne Systems was organized into a set of tasks conducted with reference to the required subject and scope of the contract.

Interim reports were produced at dedicated milestones along with the execution of tasks whose results are further described in the Results and Outcome section 8 of the present report.

Thales would like to thank EASA, both for funding this study project and for its contribution in the reviews of the tasks performed, and its feedback on interim provided reports.

Thales acknowledges the contribution of Xavier Jean, PHD engineer that provided a high level of expertise in the technical matters that were necessary to support such a study.

Finally, the authors of this report recognize the quality of the input from all skilled technical experts and experienced key personnel that were allocated to the project.

3. EXECUTIVE SUMMARY

This section summarizes the overall content of this report as a result of MULCORS study.

3.1. AIMS / OBJECTIVES

MULCORS aims and objectives are
- To provide a survey of Multi-core processors market availability
- To define multi-core processors assessment & selection criteria
- To perform investigations on a representative multi-core processor
- To identify mitigation means, design and usage rules & limitations
- To suggest recommendations for multi-core processor introduction
- And to suggest complementary or modification to EASA guidance

3.2. OVERALL APPROACH

To cover this study, EASA and Thales have decided to cut it in 12 steps. Each step paves the road to analyze how to introduce safely Multi-Core processor in Embedded Aircraft Systems point per point.

The approach taken in conducting this study was a "Top-Down" one, which consisted in starting with a survey and analysis of the main specific features of a selection of COTS Multi-core Processors, then in establishing recommendations that can be used by EASA to complement its guidance, and by applicants in the determination of compliance of COTS Multi-core Processors with certification requirements.

This approach may be compared to another approach, i.e. more bottom-up, that would be more suited for a developer of a computing unit implementing COTS Multi-core processors. In that context, such an approach should start with the establishment of requirements specifications for the Airborne Electronic Hardware (AEH), taking into account design requirements in relationship with the use of a selected COTS Multi-core processor.

This approach helps to analyze all the stakes for Multi-core Processor introduction in Embedded Aircraft Systems from Market evolution regarding Hardware and Software up to mitigation to be implemented for Risk Management.

3.3. EASA EXPECTATIONS

The objective of the study was to provide EASA with sufficient data, analyses and recommendations to enable EASA to have a better understanding of the state of the art concepts/features related to MCP¹ and their subsequent impact on the compliance demonstration to finally write and publish guidance material on the subject of the use of multi-core processors in safety-critical airborne systems.

¹ MCP : Multi-Core Processor

3.4. FINDINGS ACHIEVEMENTS AND CONCLUSIONS

This report contains one section dedicated for recommendations to help building a guideline for COTS multi-core processor introduction.

From Thales point of View introduction of processor multi-core in Embedded Aircraft Systems can be considered as inevitable due to the market evolution where single core processors aims to disappear.

Avionics needs to master multi-core processor introduction in certified Embedded Aircraft Systems such as Displays, IMA systems, Flight Control System, Braking-Steering System, FADEC, Avionics Server, etc.

To reach this goal, Thales Avionics position is to propose recommendations to complement current EASA guideline (ED80 / EASA Cert. Memo SWCEH-001 issue: 01, Rev. 1) on (Highly) Complex COTS with the following additional recommendations for component selection and implementation:
- Interconnect analysis allowing defining its Domain Usage.
- Interconnect Usage Domain definition:
  - This includes the Methodology to ensure the completeness and validation of the Usage Domain which guarantees the compatibility with current Avionics constraints associated to the envisioned usage (DAL²) whatever the Airborne System type.
  - This is the key point where Airborne System Provider, Certification Applicant and Certification Authorities have to agree on COTS for acceptability.
- Mechanisms to manage Interconnect Usage Domain.
- Operating System or Scheduler:
  - Tasks or Processes allocation
  - Needs for Hypervisor
- Cache management.
- Core management.
- Shared services at COTS device level.

² DAL : Design Assurance Level

4. BACKGROUND

4.1. DIGITAL EMBEDDED AIRCRAFT SYSTEMS

Embedded Aircraft Systems are composed of Airborne Software installed on Hardware elements. That Airborne Software must fulfill the requirements for safety critical functionality on the aircraft. Thus, the design, development, certification and operation of the software have to meet Reliability, Availability, Maintainability and Safety (RAMS) objectives depending on their Design Assurance Level (DAL).

Hardware (HW) and Software (SW) components have followed the evolution of technology over the last decades, including technological transitions. Yet the confidence in RAMS of the overall system has not been degraded. Similarly, an equivalent level of safety is expected by Thales from the use of COTS multi-core technology.

4.2. USE OF COTS PROCESSORS IN EMBEDDED AIRCRAFT EQUIPMENT

One major technological step in the Embedded Aircraft Equipment was the introduction of Commercial Off The Shelf (COTS) processors in avionics.
COTS processor architectures have become more and more complex from single CORE requiring external bridge to interconnect Busses and memories (like in the PPC G3 type) up to Micro-Controllers where a bridge has been embedded in the processor (like in the PPC G4 type) with other features such as network (Ethernet), video, audio, bus (USB, PCI, PCIe, etc.) and other interfaces.

Use of COTS multi-core processors technology in safety-critical Airborne Software tends to be the preferred and undisputed choice for the future generation of Airborne Embedded Systems to satisfy processing performance requirements and weight reduction of digital electronic hardware in avionics.

Those COTS multi-core processors are classified like the current micro-controller ones as Highly Complex COTS as they feature quite a number of highly integrated execution units and associated control mechanisms embedded in the device.

In addition, internal architecture may not be directly accessible to the developers implementing such devices in their design.

COTS Multi-core design data, understood as either ED-80/DO-254-usable life-cycle data, or component’s in-house development data, is generally not available for review and remains proprietary to the component manufacturer. Hence difficulties arise when design assurance must be shown and demonstrated.

4.3. USE OF MULTI-CORE IN EMBEDDED AIRCRAFT EQUIPMENT

The introduction of COTS multi-core processors in Embedded Aircraft Equipment is motivated by the following aspects:

- Provide a long-term answer to the increasing demand of processing power for the embedded hardware elements with an acceptable power consumption and weight (reduce environmental footprint comparing to the current ones).
- Anticipate the mass market obsolescence for single-core processors.
  - A first step can be to be able to solve single core obsolescence by the replacement of this single-core by a multi-core with only one active core, others are disabled.
- Expected from COTS Multi-core use in Embedded Aircraft Equipment is a combination of three factors :
  - Increased performance,
    - There is law for predicting the performance ratio regarding the numbers of cores (Amdahl Law, Gustafson Law) and the number of Threads that can be executed in parallel
  - Increased integration
    - Less equipment to realize the same functionality or the same amount of equipment to host more functionality.
  - Reduce environmental footprint
    - Fewer embedded equipment, less power consumption, less dissipation compared to the single core equivalent.
- Be able to “simplify” the use of a Multi-Core Processor thanks to its throughput.
  - With, for example, a partitioned architecture, implementing a high DAL level Airborne Software application on one core exchanging data with a low level Airborne Software application implemented on another core. Arbitration can be made to favor the High DAL level Airborne Software application offering safety for this level.

5. AIMS AND OBJECTIVES

The basis for the project was to conduct a study of the multi-core processors that are currently available and that are anticipated within the next few years, based on public information and roadmap.
The objective of the study was to provide EASA with sufficient data, analyses and recommendations to enable EASA to write and publish guidance material on the subject of the use of multi-core processors in safety-critical airborne systems.

The study examined different Hardware (HW) and Software (SW) architectures of multi-core processors to determine which characteristics of these architectures could enable them to host safety-critical Airborne Software and which have negative implications in terms of the ability of the systems to host safe, robustly partitioned and deterministically executed Airborne Software.

We have then reduced the scope to a selection of few candidates representative of various implementations, which were examined in detail in the study so as to highlight the significant characteristics of the group that are new or different from those of single core processors, whether the characteristics are favorable or unfavorable for the use of the type in safety-critical Airborne Software, and whether any mitigation measures might be used in each case to adapt the type for use in safety-critical Airborne Software.

One purpose of MULCORS was to introduce criteria for multi-core architectures in order to ease their evaluation by the certification authorities in a certification process.

We further distinguished two classes of evaluation criteria:
- Multi-core specific criteria that would be irrelevant in a non-multi-core context
- Complex COTS criteria that are relevant both for multi-core and non-multi-core computing platforms.

Another objective of MULCORS was to use the EASA “Certification Memorandum for Complex Electronic Hardware (CEH)” recommendations in regard to the multi-core technology. This analysis should result in a proposition regarding specific recommendations linked to the multi-core context.

The study examined other aspects such as:
- Software aspects of using multi-core processors to host safety-critical Airborne Software, including any Supervisor / Hypervisor and Operating System.
- Tools and techniques that may be used to specify the software requirements and the software design so as to efficiently and safely execute software in parallel on multi-core processors.
- Verification and certification implications of hosting software on multi-core processors, including measuring the Worst Case Execution Time.

6. LITERATURE REVIEW

6.1. AVIONIC STANDARDS

SAE ARP 4754: Certification Considerations for Highly-Integrated or Complex Aircraft Systems
Society of Automotive Engineers (SAE), 1996.
This standard addresses problematic that deal with complex embedded systems, included but not restricted to digital avionics systems

RTCA DO-178B: Software Considerations in Airborne Systems and Equipment Certification.
Radio Technical Commission for Aeronautics (RTCA), 1992.
This standard deals with quality of software conception, development, test and integration.

RTCA DO-178C: Software Considerations in Airborne Systems and Equipment Certification.
Radio Technical Commission for Aeronautics (RTCA), 2012.
This standard is an update of DO-178B

RTCA DO-254 / EUROCAE ED-80: Design Assurance Guidance for Airborne Electronic Hardware.
Radio Technical Commission for Aeronautics (RTCA) and EURopean Organisation for Civil Aviation Equipment (EUROCAE).
This standard deals with design quality for hardware elements.

RTCA DO-297: Integrated Modular Avionics (IMA) Development, Guidance and Certification Considerations.
Radio Technical Commission for Aeronautics (RTCA), 2005.
This is the latest standard for IMA systems development and exploitation. It deals with high-level requirements, Robust Partitioning, Verification and Validation, reuse of components.

EASA CM - SWCEH – 001, issue 1: Development Assurance of Airborne Electronic Hardware, August 2011
This certification memorandum has been developed by EASA to highlight issues that shall be addressed in the certification process.
http://www.easa.europa.eu/certification/docs/certification-memorandum/EASA%20CM-SWCEH-001%20Development%20Assurance%20of%20Airborne%20Electronic%20Hardware.pdf

EASA CS-25: Certification Specifications and Acceptable Means of Compliance for Large Aeroplanes, Amendment 12 – subpart F, July 2012
http://www.easa.europa.eu/agency-measures/docs/certification-specifications/CS-25/CS-25%20Amdt%2012.pdf

6.2. OFFICIAL GUIDELINES

ARINC-653 P1 revision 3: Avionics Application Software Standard Interface.
Aeronautical Radio Inc, 2010.
This guideline deals with partitions definition and scheduling, Operating System architecture and the Application Executive interface (APEX) that is a standardized API for the embedded partitions.

ARINC-651: Design Guidance for Integrated Modular Avionics.
Aeronautical Radio Inc, 1991.
This guideline addresses software and hardware concerns in the previous generation of IMA.

6.3. STUDIES ON PROCESSOR EVALUATION AND SELECTION

Forsberg, H. & Karlsson, K. COTS CPU Selection Guidelines for Safety-Critical Applications
25th Digital Avionics Systems Conference, IEEE/AIAA, 2006, 1-12
http://dx.doi.org/10.1109/DASC.2006.313701

Bob, G.; Joseph, M.; Brian, P.; Kirk, L.; Spencer, R.; Nikhil, G.; Daniel, O.; Jason, D. L.; John, S.; Arnold, N.; Bob, M. & Dr. Rabi, M.
Handbook For The Selection And Evaluation Of Microprocessors For Airborne Systems
Federal Aviation Administration - U.S. Department of Transportation, 2011
http://www.faa.gov/aircraft/air_cert/design_approvals/air_software/media/AR_11_2.pdf

Faubladier, F. & Rambaud, D. Soc Survey Report - Safety Implications of the use of system-on-chip (SoC) on commercial of-the-shelf (COTS) devices in airborne critical applications
EASA – study ref. EASA.2008.OP.04, 2008
http://www.easa.europa.eu/safety-and-research/research-projects/docs/large-aeroplanes/Final_Report_EASA.2008_1.pdf

Kinnan, L.M. Use of multi-core processors in avionics systems and its potential impact on implementation and certification.
28th Digital Avionics Systems Conference, IEEE/AIAA, 2009, pp. 1.E.4.1 – 1.E.4-6
http://dx.doi.org/10.1109/DASC.2009.5347560

6.4. STUDIES ON ROBUST PARTITIONING

Rushby John, Partitioning in Avionics Architectures: Requirements, Mechanisms, and Assurance. 1999
FAA-AR-99/58, Office of Aviation Research, Washington DC
http://www.tc.faa.gov/its/worldpac/techrpt/ar99-58.pdf

Page 19: Untitled - EASA

Wilding Matthew M., David S. Hardin, David A. Greve, Invariant Performance: A statement of Task Isolation Useful for Embedded Application Integration. 1999
Proceedings of the conference on Dependable Computing for Critical Applications
http://dl.acm.org/citation.cfm?id=555298.789914

Littlefield-Lawwill, J. & Kinnan, L., System considerations for robust time and space partitioning in Integrated Modular Avionics. 2008
27th Digital Avionics Systems Conference, IEEE/AIAA, 2008
http://dx.doi.org/10.1109/DASC.2008.4702751

6.5. STUDIES ON WCET CALCULUS

Wilhelm, R.; Engblom, J.; Ermedahl, A.; Holsti, N.; Thesing, S.; Whalley, D.; Bernat, G.; Ferdinand, C.; Heckmann, R.; Mitra, T.; Mueller, F.; Puaut, I.; Puschner, P.; Staschulat, J. & Stenström, P.
The worst-case execution-time problem overview of methods and survey of tools, 2008
ACM Trans. Embed. Comput. Syst., ACM, 2008, 7, 36:1-36:53
http://www.cs.fsu.edu/~whalley/papers/tecs07.pdf

Hardy, D. Analyse pire cas pour processeur multi-cœurs disposant de caches partagés (link in French) , 2010
PhD Thesis, Université Rennes 1
http://tel.archives-ouvertes.fr/docs/00/55/70/58/PDF/Hardy20101209_phd.pdf

Nowotsch, J. & Paulitsch, M., Leveraging Multi-core Computing Architectures in Avionics, 2012
European Dependable Computing Conference, IEEE Computer Society, 2012, 0, 132-143
http://doi.ieeecomputersociety.org/10.1109/EDCC.2012.27

Pellizzoni, R. & Caccamo, M. Impact of Peripheral-Processor Interference on WCET Analysis of Real-Time Embedded Systems, 2010
IEEE Trans. Comput., IEEE Computer Society, 2010, 59, 400-415
http://dx.doi.org/10.1109/TC.2009.156

Moscibroda, T. & Mutlu, O. Memory performance attacks: denial of memory service in multi-core systems, 2007
Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium, USENIX Association, 2007, 18:1-18:18
http://dl.acm.org/citation.cfm?id=1362903.1362921

Page 20: Untitled - EASA

6.6. STUDIES ON MULTICORE PROCESSORS SCHEDULING

Davis, R. & Burns, A. A Survey of Hard Real-Time Scheduling Algorithms and Schedulability Analysis Techniques for Multiprocessor Systems, 2009
ACM Comput. Surv., ACM, 2011, 43, 35:1-35:44
http://doi.acm.org/10.1145/1978802.1978814

6.7. STUDIES ON HYPERVISORS AND OPERATING SYSTEMS

Krodel, J. & Romanski, G. Handbook for Real-Time Operating Systems Integration and Component Integration Considerations in Integrated Modular Avionics Systems, 2008
Federal Aviation Administration - U.S. Department of Transportation, 2008
http://www.tc.faa.gov/its/worldpac/techrpt/ar0748.pdf

Gu, Z. & Zhao, Q. A State-of-the-Art Survey on Real-Time Issues in Embedded Systems Virtualization, 2012
Journal of Software Engineering and Applications, 2012, 05, 277 – 291
http://dx.doi.org/10.4236/jsea.2012.54033

6.8. REFERENCE MANUAL OF STUDIED PROCESSORS

Freescale Embedded Hypervisor Software User Manual
http://www.freescale.com/infocenter/index.jsp?topic=%2FQORIQSDK%2F1331445.html

Freescale Semiconductor Inc, P4080 QorIQ Integrated Multicore Communication Processor Family Reference Manual, 01/2012 - Revision. 1
http://www.freescale.com/webapp/sps/site/prod_summary.jsp?code=P4080
(a free account must be created to download the reference manual)

Freescale Semiconductor Inc, EREF 2.0: A Programmer’s Reference Manual for Freescale Power Architecture® Processors, 09/2011 – Revision 0
http://cache.freescale.com/files/32bit/doc/ref_manual/EREF_RM.pdf

Freescale Semiconductor Inc, e500mc Core Reference Manual, 03/2012 – Revision 1
http://cache.freescale.com/files/32bit/doc/ref_manual/E500MCRM.pdf

ARM, Cortex™-A15 MPCore™ Technical Reference Manual Revision: r3p2, 07/2012
http://infocenter.arm.com/help/topic/com.arm.doc.ddi0438g/DDI0438G_cortex_a15_r3p2_trm.pdf

ARM, CoreLink™ CCI-400 Cache Coherent Interconnect Technical Reference Manual, 11/2012
http://infocenter.arm.com/help/topic/com.arm.doc.ddi0470g/DDI0470G_cci400_r1p1_trm.pdf

Page 21: Untitled - EASA

ARM, ARM Architecture Reference Manual ARMv7-A and ARMv7-R edition, 2012
http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.subset.architecture.reference/index.html
(an account must be created to access this document)

Texas Instruments, TMS320C6678™ - Multicore Fixed and Floating-Point Digital Signal Processor, 02/2012
http://www.ti.com/lit/ds/sprs691c/sprs691c.pdf

Texas Instruments, TMS320C66x™ DSP CorePac User Guide, 07/2011
http://www.ti.com/lit/ug/sprugw0b/sprugw0b.pdf

Page 22: Untitled - EASA

7. METHODOLOGY

Besides the organization in tasks described in section 8 below, this study was organized as follows:

1. A preliminary phase which was divided in two parts:
   o The first part where we have defined some requirements applicable to multi-core computing platforms in an avionic context. Those requirements depend on the different kinds of digital systems and their level of criticality.
   o The second part that deals with processors selection for avionic usage out of the field of a multicore architecture. Two kinds of selection criteria were explored: strategic criteria that deal with manufacturer selection rather than the processor itself, and technical criteria that focus on specific points of the architecture. Those criteria are still valid in a multicore context.

2. A first phase was prospective: we provided a snapshot of the multi-core technology and basic non-technical criteria for processors early selection. Then we presented some representative multi-core computing platforms in a more detailed description.

3. A second phase of the study refined multi-core features on the hardware and software aspects. We illustrate those features on two selected computing platforms. We provided a set of guidelines and technical selection criteria.

4. A third phase where we deduced from the previous phases additional recommendations for certification procedures.

Page 23: Untitled - EASA

8. IMPLEMENTATION

The work relevant for this study has been implemented, based on different activities organized in tasks, and deployed in a logical manner. A summary of those tasks and their arrangement is provided below to allow a better and easier reference of the results and outcomes exposed in section 8 of this present report.

Task 1. Provide a survey of Multi-core processors market availability
Task 2. Characterize essential multi-core processors types features
Task 3. Define multi-core processors assessment & selection criteria
Task 4. Perform investigations on a representative multi-core processor
Task 5. Identify mitigation means, design and usage rules & limitations
Task 6. Suggest complementary or modification to EASA guidance
Task 7. Investigate operating system software execution related aspects
Task 8. Identify methods, tools, languages and Operating Systems for design
Task 9. Identify methods, tools, means and instrumentation for testing
Task 10. Examine failure detection and recovery mechanisms features
Task 11. Analyze COTS-related features (Errata sheets, SEU, Service experience)
Task 12. Summary conclusion, main results & recommendations and final report

The task flow execution followed the logic in Figure 1 above with the exception of task 7 that needed to be anticipated earlier than scheduled in the original plan.

A lesson learned from such an organization for a similar project is to limit the breakdown into tasks to less than a few (around 6 tasks) in order to avoid dispersion of issues over too many packages.

Monthly progress reports were provided and presented to EASA. This led to few amendments to the original content both programmatic and technical. Also worth to mention is that interim reports were provided and amended along with each monthly progress reports. This was useful to help reorient the research to actual EASA needs and directions.

A task summary is provided for reference along with the details discussion in the Results and Outcome section 8.

Page 24: Untitled - EASA

[Figure 1: Task Work Flow. Diagram of Task 1 to Task 12 arranged under the panels “Architecture – Characteristics / Drawback – Limitations”, “Failure Mitigation – Work around”, “Software Architecture – Issues” and “Support for Guidance – Evolutions – Recommendations”.]

Page 25: Untitled - EASA

9. RESULTS AND OUTCOME

9.1. REQUIREMENTS FOR AN EMBEDDED AIRCRAFT SYSTEMS

9.1.1. Determinism in Embedded Aircraft Systems

Determinism is an abstract notion that usually references several high level requirements; part of it is described in the DO-297 as “The ability to produce a predictable outcome generally based on the preceding operations, the outcome occurs in a specified period of time with some degree of repeatability”.

Depending on the context, its embodiment may vary. Yet in a general case, we can say that a system is deterministic as soon as its behavior is ruled by a set of identified laws. Those laws have to be compatible with certification objectives.

For instance, a device whose response time follows a Gaussian law where means and variance are defined may not comply with the usual requirements, such as a finite response time.

In this report, we state that an Embedded Aircraft System is deterministic if it fulfills the following definitions for “Embedded Aircraft System Determinism”:

- It is possible to ensure the Execution Integrity of its Airborne Software. That means correct Airborne Software will be correctly executed in a nominal situation, and the Embedded Aircraft System state will be predictable in non-nominal situations (internal faults). It does not cover the case of faulty airborne software.
- It is possible to perform a WCET analysis (Worst Case Execution Time) of the embedded software (Airborne Software and Embedded Aircraft System software). Timing information on the Embedded Aircraft System behavior (e.g. memory access worst case response time) may be necessary.
- When the Embedded Aircraft System provider has no visibility into, or limited constraints enforced towards the embedded Airborne Software(s), he shall define a Platform Usage Domain that details restrictions on the Airborne Software development.
- When the Embedded Aircraft System is destined to host a partitioned system, such as in IMA³, the Embedded Aircraft System provider shall also ensure Robust Partitioning between the hosted partitions.

9.1.1.1. Embedded Aircraft Systems integrity

To ensure the execution integrity of embedded software, the Embedded Aircraft System provider must demonstrate that the Embedded Aircraft System mode during non-faulty software execution remains nominal or degraded into an acceptable state.

³ IMA : Integrated Modular Avionic

Page 26: Untitled - EASA

To obtain this guarantee with an adequate level of confidence (according to the Design Assurance Level), the Embedded Aircraft System provider must accumulate sufficient knowledge on the processor’s internal mechanisms.

Such knowledge can be obtained through datasheets, reference manuals, under dedicated NDA⁴, Communications, White Papers, Application notes, Errata sheets, laboratory test campaigns, etc.

The growing complexity of COTS processor architecture makes a fine grain description of all internal features not accessible for Human, Technical and IP⁵ reasons.

Thus the properties of some features can be partially masked as long as the COTS processor manufacturer is able to provide guarantees on their observable behavior.

The main difficulties in ensuring Embedded Aircraft System integrity deal with the determination of its behavior upon the occurrence of internal faults and failures. Therefore, depending on the DAL (Design Assurance Level), a more or less accurate model of faults has to be defined. Identified faults and failures shall be mitigated or confined inside the Embedded Aircraft System using dedicated Hardware and/or Software mechanisms.

As detailed in part 9.4.2.3..4, Embedded Aircraft System integrity in multi-core platforms is closely linked to a correct transaction service in the interconnect. Here “correct” means that there is neither corruption nor any silent loss of transactions.

Note: The behavior of the interconnect between cores, memory and shared resources has to be known by design, by experimental test or by other means and present as a proof to reach acceptance of this component.

Even if cores and peripherals architecture have been inherited from an existing single-core processor, the current multi-core generation has introduced an important technological step mainly linked to the interconnect design.

Note: in most multi-core architectures, from Dual Core like in the P2020 (from Freescale), up to an octo-core like in the P4080 (from Freescale) or a quad-core like in the ARM_CORTEX®_A15, the interconnect is the key point where all the accesses are performed. A chapter is dedicated to Interconnect Management.

Indeed, the interconnect has been built to sustain a higher bandwidth in order to serve efficiently all cores. They enable a high level of pipelining and parallelism in transaction services.

This growing complexity makes the set of all interconnect states highly difficult to determine and analyze - even with full information on the design (full information is not available even under dedicated NDA linked to manufacturer IP Policy).

⁴ NDA : Non Disclosure Agreement
⁵ IP : Intellectual Property

Page 27: Untitled - EASA

Thus, it may be difficult to obtain guarantees of correct transaction services in a general case. There are several approaches aimed at preventing inter-core conflicts with dedicated mechanisms, or limiting the interconnect load in order to remain in a “safe” mode. We plan to describe some approaches in the Interconnect Management Chapter.

9.1.1.2. WCET analyzability

Worst Case Execution Time analyses aim at determining an upper bound for a piece of software’s execution time. Usually, the result of a WCET analysis is an upper approximation of the exact WCET which is nearly impossible to determine for real life Software.

Simple architectures allow WCET determination using static analysis techniques using an execution model of the Airborne Embedded System. That means the analyzed software is not executed. Yet on complex COTS processors architectures, it is not possible to determine an accurate enough model. Today, an alternative method is used. A worst case scenario is defined from an analysis performed on the Airborne Software. The execution time is measured under this scenario, and is further corrected with parameters taking into account variable jitters and variability in the duration Airborne Embedded System operations.

When the Airborne Embedded System provider has no visibility into the deployed Airborne Software - for instance in an IMA -, he shall determine and provide such parameters to the Airborne Software suppliers and eventually to the Module Integrator.

The lack of information on the processor behavior may lead to pessimistic estimation of those parameters and degrade the approximation of the WCET.

For instance uncertainty on the cache content must lead to consideration of cache miss situations in the WCET analysis.

As detailed in part 9.4.2.3..5, the use of multi-core processors in Embedded Aircraft Systems worsens the WCET analyses. Indeed, the execution time of software on one core depends on software executed on the other cores because of potential inter-core conflicts. Moreover, it may be difficult to determine an upper bound on their impact whatever the concurrent software.

9.1.1.3. Airborne Embedded System Usage Domain

When the Airborne Embedded System provider has little or no visibility into the deployed Airborne Software, he has to define what we call an “Airborne Embedded System Usage Domain” and provide it to the Airborne Software suppliers.

This Airborne Embedded System Usage Domain details usage limitations that shall be taken into account during Airborne Software development and execution.

Page 28: Untitled - EASA

Respecting the usage domain is a mandatory and key requirement. Dedicated tools may be used to automatically perform checks on the usage domain aspect. Moreover, protection mechanisms can be enforced to prevent usage domain violations that impact robust partitioning.

For instance, assembly instructions can be forbidden when their use impacts the integrity of the Airborne Embedded System. Various protection means can be highlighted:

- A privilege level restriction, which blocks the execution of the instruction
- A processor configuration that disables this instruction
- A mandatory integration test that checks the absence of such instructions
- A trusted piece of software that checks at runtime the absence of such instructions

Yet it shall be proven that in spite of such protections, no failure mode can lead to the execution of a forbidden instruction.

In the case of multi-Airborne Software systems, the Airborne Embedded Equipment usage domain is divided into two categories:

- Some restrictions deal with Airborne Software development and are destined for the Airborne Software Suppliers.
- Other limitations address the integration of Airborne Software and have to be handled by the Module Integrator.

The use of multi-core processors is likely to entail changes in the Airborne Embedded System usage domains. Indeed, the presence of true parallelism between pieces of software (intra and/or inter-partitions in partitioned systems) adds new parameters that rule software deployment on the different cores.

We can illustrate examples of what could be these rules depending on the processor, the selected Operating System, the hypervisor (when required);

- Inside an Airborne Software installation, multiple critical sections cannot be accessed in parallel by different cores. Indeed, this situation might lead to deadlocks.
- Execution of processes inside a multi-core partition will be pre-allocated on the concerned cores (rather than dynamically allocated by the scheduler).
- In case determinism and/or robust partitioning cannot be absolutely demonstrated, it could be stated that a DAL-A partition is not allowed to be executed in parallel with other partitions

Note: In a low complex multi-core processor for example in a Dual-Core processor, this Usage Domain can be more easily demonstrated if Airborne Software is known and managed to match with safety requirements. When the Airborne Software is unknown, the Airborne Embedded Equipment usage Domain has to be defined as described above.

9.1.1.4. Robust Partitioning

Robust Partitioning is defined in various formulations in ARP4754, DO 297, ARINC 651 and ARINC 653. This is a property of fault containment. The reference study (Rushby, 1999) on robust partitioning was done by John Rushby for the FAA in 2000.

Page 29: Untitled - EASA

Robust partitioning is a mandatory requirement for partitioned Airborne Embedded Systems:

The reference definition for robust partitioning is named the Gold Standard:

“A partitioned system should provide fault containment equivalent to an idealized system in which each partition is allocated an independent processor and associated peripheral and all inter-partition communications are carried on dedicated lines”

Yet this general definition requires an accurate model of faults for Airborne Software. To the best of our knowledge, no direct proof of robust partitioning has been performed today. In practice, it is preferred the following stronger property, named the Alternative Gold Standard (introduced by David Hardin, Dave Greve and Matt Wilding):

“The behavior and performance of software in one partition must be unaffected by software in other partitions”

In IMA systems, an ARINC 653 Time and Space partitioning implementation ensures the Alternative Gold Standard.

Usually, robust partitioning is ensured through an analysis of interference channels. In multi-core systems, the possible presence of inter-core conflicts may introduce new channels. Two sub-problems occur:

- Is it possible to get rid of those channels?
- If no, will interference actually occur through those channels?

This problem is refined in part 9.4.2.3..6.

We have to notice that the property of Robust partitioning is not confined to IMA systems, as we have to deal with such requirements even in the first step of multi-core processor architectures like in a dual-core one or when Airborne Software applications of different DALs are executed by the different cores.

Robust partitioning can be ensured

- By a hardware mechanism if this mechanism exists in the processor, if it is described and accessible under dedicated privilege (Supervisor or Hypervisor mode),
- By the Operating System allocating priority to the Airborne Software with the highest level of DAL (DAL-A for example) when Airborne Software of different DAL levels is executed in the Airborne Embedded System.
- Or directly by the Airborne Software at Airborne Embedded System level. At this level, it can be done only if we can master the temporal execution of each Airborne Software application and solve the conflicts at this level (threads of processes allocation and description).

9.1.2. Certification objectives for Embedded Aircraft Systems

When taking into account the general certification requirements, the Airborne Embedded System provider must address the following objectives:

Page 30: Untitled - EASA

- Ensure Intended Function,
- Meet Safety Objectives,
- Sustain Foreseeable Conditions.

Note that this chapter does not replace applicable requirements such as S/HW compliance with XX.1301/XX.1309, i.e. development assurance as defined by ED-12B/DO-178B and ED-80/DO-254.

This chapter and this report focus on multi-core processor where ED-12B/DO-178B for embedded micro-code and/or ED-80/DO-254 for processor Hardware development are not used by processor manufacturer.

At equipment level and/or board level, Airborne Embedded System providers and/or Airborne Software providers have to be compliant with ED-80/DO-254 and ED-12/DO-178 (B or C) and implement mitigation to demonstrate the global compliance with ED-80/DO-254 and/or DO-178 with such components as processors.

9.1.2.1. Intended Function

The functionalities of a processor, whether it is COTS Mono-Core or Multi-Core, are always exercised using:

- First a layer of Hardware - Software interface known as the processor BSP⁶,
- When required, a Hypervisor layer
- Then the Operating System itself,
- All the required drivers and Processor drivers
- And the last one the Airborne Software layer (which is out of the scope of this purpose).

[Figure: layered diagram, from bottom to top. PROCESSOR: ARM, FREESCALE, IBM, INTEL, TEXAS. PROCESSOR BSP: ARM BSP, FREESCALE BSP, IBM BSP, INTEL BSP, TEXAS BSP. HYPERVISOR: ARM based, FREESCALE based, IBM based, INTEL based, TEXAS Based. Operating SYSTEM: VxWorks, PikeOS, LynxOS, Integrity, MACS2. DRIVERS: Network, SOC Peripherals, Memory / Flash, I/O Drivers, USB / PCI. AIRBORNE SOFTWARE: Time Critical Application, Utilities, Avionics Server, IFE.]

⁶ BSP : Board Support Package

Page 31: Untitled - EASA

9.1.2.1..1 BSP or Board Support Package

A software layer that adapts the Operating System to the dedicated processors. This layer gives accesses to the internal resources of the multi-core component but the management of these resources has to be done by the Hypervisor when required or by the Operating System.

BSP development has to fulfill ED-12/DO-178 (B or C) requirements.

- BSP_Remark1: When a Hypervisor is not required, privileged access has to be given in Supervisor or Hypervisor mode to the Operating System to allow programming of shared resources like hardware accelerators, arbiters, in order to fulfill safety requirements such as determinism.
- BSP_Remark2: if two Operating Systems are used, for example, on a dual-core processor, one of these two Operating Systems has to be set in the Supervisor or Hypervisor mode to have the privilege to access to programming of shared resources, the second one has to be set respectively in User or Supervisor mode.

9.1.2.1..2 Hypervisor

A software layer that acts as a Virtual Machine Monitor. This software layer emulates virtual environments in which several Operating Systems may be executed simultaneously. In such a configuration, its use may help mastering the processor behavior regarding dedicated requirements like determinism or conflict management in shared resources accesses.

We consider, in this report, that the Hypervisor level is realized in an SMP mode managing all cores.

RGL n°1
When a Hypervisor is required to manage the behavior of the interconnect, the development of such a Hypervisor shall fulfill ED-12/DO-178 (B or C) requirements at the corresponding Design Assurance Level, at least the most stringent Airborne Software.

- HYP_Remark1: we see that there is a relationship between the intended function and objectives with respect to safety and foreseeable conditions, as, at least for functional operation, the influence of external Airborne Software input authority is limited by such a hypervisor, while the latter is providing the deterministic behavior, performance characteristics and integrity necessary to the end-user Airborne Software.

The use of a Hypervisor layer is not mandatory, for example in a dual core processor, where the behavior of this dual-core processor can be managed directly at the Airborne Software level.

Let us detail this:

- We are able to master the complete behavior of Airborne Software application(s) running on the processor even in SMP mode (during any one period of time, the multi-core processor is allocated

Page 32: Untitled - EASA

to only one Airborne Software application running and the Operating System realizes the tasks or processes allocations on cores) or in AMP mode (during one period of time, each core runs a dedicated Airborne Software application, which means that we have one Operating System per core),

We can demonstrate that there are no shared resource access conflicts by analyzing the execution of the Airborne Software and/or processes or threads. Or if there are conflicts, they are managed by arbitration using priorities based on the DAL level of the Airborne Software: if two DAL-A Airborne Software applications have to be executed at the same time, prioritization is not the solution; the only solution remains the hypervisor that manages the Interconnect Usage Domain and provides safe arbitration between the Airborne Software applications.

HYP_Remark2: if a Hypervisor is not required, the Airborne Software applications have to be clearly described to demonstrate the absence of conflicts (between Airborne Software in AMP or between threads or processes in SMP) or that conflicts are managed using, for example, Airborne Software DAL level for managing access priorities to shared resources.

9.1.2.1..3 Operating System

Software that manages computer Hardware resources and provides common services for Airborne Software. The operating system is a vital component of the system software in a computer system. Airborne Software programs require an operating system to function.

We can notice various types of Operating System such as:

- Real-time: A multitasking operating system that aims at executing real-time Airborne Software. Real-time operating systems often use specialized scheduling algorithms so that they can achieve a deterministic nature of behavior. The main objective of real-time operating systems is their quick and predictable response to events. They have an event-driven or time-sharing design that switches between tasks based on their priorities or external events while time-sharing operating systems switch tasks based on clock interrupts.

- Multi-user: A multi-user operating system allows multiple users to access a computer system at the same time. Note that Single-user operating systems have only one user but may allow multiple programs to run at the same time.

- Multi-tasking vs. single-tasking: A multi-tasking operating system allows more than one program to be running at a time; an ARINC653 Operating System is a Multi-tasking one. A single-tasking system has only one running program. Multi-tasking can be of two types: pre-emptive or co-operative. In pre-emptive multitasking, the operating system slices the CPU time and dedicates one slot to each of the programs.

- Distributed: A distributed operating system manages a group of independent cores and makes them appear to be a single processor.

Page 33: Untitled - EASA

- Embedded: They are designed to operate on small machines like PDA[7]’s with less autonomy. They are able to operate with a limited number of resources. They are very compact and extremely efficient by design.

The development of an Operating System has to fulfill ED-12/DO-178 (B or C) requirements and when required, for IMA for example, ARINC653 requirements as well.

9.1.2.1..4 Device drivers

Pieces of software developed to mask the complexity of interactions with Hardware devices. The device driver constitutes an interface for communicating with the device, through the specific computer bus or communications subsystem that the hardware is connected to. A device driver is a specialized hardware-dependent computer program which is also operating system specific that enables another program, typically an operating system or Airborne Software package or computer program running under the operating system kernel, to interact transparently with a hardware device, and usually provides the requisite interrupt handling necessary for any necessary asynchronous time-dependent hardware interfacing needs.

The development of Device drivers has to fulfill ED-12/DO-178 (B or C) requirements

9.1.2.2. Safety Objectives

A Complex COTS FMEA[8] and, a fortiori a COTS Multi-core FMEA, is difficult to achieve, due in part to the fact that the detailed internal architecture is not known and not accessible by the hardware designer implementing the device, and also because quantitative data on failure modes and failure rates are not generally available to the adequate level of detail.

A more qualitative FFPA[9] approach is generally achievable at least to a certain level of description. In addition, some new approaches could be devised with reference to ED-80/DO-254 Appendix B for an Architecture mitigation combined with a Safety-specific analysis, combining both identification of potentially hidden failures, safety effects aspects, and software or system architecture mitigation.

This latter approach might be the most pertinent for COTS Multi-Core processors as such devices must be considered together with their embedded architecture, including software drivers (e.g. hypervisors or operating systems) and hardware mechanisms (e.g. monitoring or protections).

Note that the design and development of boards or equipment have to fulfill ED-80/DO-254 requirements.

SAF_Remark1: if an FMEA and/or FFPA for a single or a multi-core processor is not achievable at processor level, mitigation has to be provided by the equipment provider at board level where this processor is used. The equipment provider has to demonstrate to the authorities that Safety requirements are respected.

[7] PDA : Personal Digital Assistant
[8] FMEA : Failure Mode & Effects Analysis
[9] FFPA : Functional Failure Path Analysis

Page 34: Untitled - EASA

9.1.2.3. Foreseeable Conditions

Functional operating conditions include all interfaces to/from the processors and instructions activated. As already addressed above under the feature of the “Intended Function”, this could be controlled to some extent via the software layer embedded on such Multi-core processors.

Environmental operating conditions include both normal operating conditions, within which the device is expected to meet its characteristics and performance, and the abnormal operating conditions such as HIRF[10] and Lightning indirect Effects (LIE) and Single or Multiple Event Effects (SEE or MEE).

Analysis of COTS Multi-Core behavior in the event of an SEE is only possible using data provided by the device suppliers and appropriately mitigated via software and the rest of the hardware at Circuit Board Assembly (CBA) and equipment levels. The processor behavior under HIRF and LIE can only be controlled via the introduction of hardware limitations for HIRF and protections from LIE embedded on the CBA.

Functional operating conditions include all interfaces to/from the processors and instructions activated. Environmental operating conditions include both normal operating conditions, within which the device is expected to meet its characteristics and performances, and the abnormal operating conditions such as HIRF and Lightning Indirect Effects (LIE) and Single or Multiple Event Effects (SEE or MEE)

Note that the design and development of boards or equipment have to fulfill ED-80/DO-254 requirements.

In conclusion for this chapter

- Regarding SEE, MEE, LIE and HIRF, there are no differences between single core processors and / or multi-core ones. The analysis for SEE has to be provided by the processor manufacturer to the equipment provider.

- Multi-core processor behavior regarding SEE has to be known and shared, by the equipment provider, with authorities to demonstrate what it is covered at processor level and what has to be covered at board and / or equipment level (we address here mitigation at board and / or equipment level)

- The Equipment provider has to demonstrate that mitigation at board level and / or equipment level is in line with SEE, MEE, LIE and HIRF requirements for the considered DAL level of the equipment

[10] HIRF : High Intensity Radiated Field

Page 35: Untitled - EASA

9.2. PROCESSORS SELECTION

Processor selection depends on two essential factors:

- The manufacturer
- The processor design.

The corresponding selection criteria are named strategic and technical.

Strategic criteria mainly deal with the openness of the manufacturer regarding design information and its will to perform the required tests and measurements, for instance concerning the SER. They also address its life expectancy and its will to provide a long-term production for the considered processors.

Conversely, technical selection criteria aim at determining, with the information available, whether the considered processor is a good one for safety critical and hard real-time applications.

Several propositions of criteria have been introduced in the avionic community, for instance (Forsberg & Karlsson, 2006) and (Green, et al., 2011). We can sum up those contributions in the following selection criteria.

9.2.1. Strategic selection criteria

To be able to take the right decision, some classification criteria deal with the manufacturer itself. Indeed, there is a growing gap between a COTS processor’s architecture complexity and its proposed services. Most of the time, manufacturers provide exhaustive information on the processor’s functionalities while mentioning few information on the architecture. However, architectural information is necessary to ensure guaranteed performances and determinism as required in the certification process.

This section aims at providing objective criteria on the manufacturer’s implication to provide the required information (eventually under NDA) to ensure determinism.

9.2.1.1. Selection criteria regarding the manufacturer situation

CRITERIA | POSSIBLE VALUES | OBSERVATIONS
The manufacturer has experience in the avionic domain | Yes – no |
The manufacturer is involved in the certification process | Yes – no |
The manufacturer publishes specific communications | Yes – no | This highlights a public will to pass the certification process
The manufacturer has a sufficient life expectancy | Yes – no | As avionic systems have a long life, it is necessary that the manufacturer is able to ensure long term production
The manufacturer ensures a long term support | Yes – no | long term support is required

Page 36: Untitled - EASA

9.2.1.2. Manufacturer openness regarding design and tests information

Design information on a COTS processor is necessary to certify an avionic platform. Such information is critical because it has a strong impact on the performance of the chip. Therefore, the manufacturer may not agree to communicate specific design information that would be required to ensure determinism. Then, with devices of equivalent functionality, it is relevant to favor manufacturers who agree on information exchange.

Moreover, for an avionic component, it is necessary to perform specific robustness tests, such as a SEE (Single Event Effect) named also, by processors manufacturer SER (Software Error Rate) determination, including SEU/MBU estimations. Usually, manufacturers perform such tests on their own for internal use.

CRITERIA | POSSIBLE VALUES | OBSERVATIONS
The manufacturer provides information on the processor design | Yes – No – Under NDA | Collaboration with the processor manufacturer is mandatory in order to provide to the certification authority enough evidence of mastering the processor
The manufacturer provides information on bugs and errata | Yes – No – Under NDA | Such information is mandatory and a major part of the collaboration between the certification applicant and the processor manufacturer
The manufacturer provides information on SER (SEU/MBU) | Yes – No – Under NDA | Usually, manufacturers perform investigations concerning SER on their own.

9.2.2. Technical selection criteria

Technical selection criteria aim at identifying undesirable features and correlated mitigation means on the considered processor. For multicore processors, we can distinguish generic selection criteria that are valid both for multicore and single-core processors, and multicore-specific selection criteria.

We introduce here a non-exhaustive list of generic selection criteria. Multicore specific selection criteria, that constitute one main contribution of the study, are introduced and explained in the next chapter.

9.2.2.1. Focus on core architecture

The structure of a core has a strong impact on the execution of the embedded software. The components and services usually found in a core are described here.

9.2.2.1..1 Instruction model

The instruction set (ISA) is one major interface between hardware and software. It can be decomposed into several categories of instructions:

Page 37: Untitled - EASA

- Arithmetical instructions. They can be dedicated to use specific platform services, such as hardware locks.
- Branch instructions, including system calls
- Memory instructions
- Configuration instructions. They are used to write to specific configuration registers in the core, the MMU or the cache controller.
- Floating point instructions

Usually, an instruction set is defined in a highly exhaustive way, and COTS processors implement a subset of one or more ISA. Under avionic development constraints, the use of specific instructions can be forbidden, such as optimized instructions whose execution is non-deterministic.

Some processors support a user-defined extension of the ISA. Specific instructions can be defined and their execution is given to a specific coprocessor provided by the user. For instance, this is the case when external floating point units are integrated on a SoC.

We consider the following selection criteria:

CRITERIA | COMPONENT/SERVICE | POSSIBLE VALUES | OBSERVATIONS
The instruction set is complete | Instruction set | Yes – no – No information | An instruction set can be considered as complete if any non-defined instruction is decoded as a NOP[11]
Several different instruction sets are supported | Instruction set | Yes – no |
Instructions have the same length | Instruction set | Yes – no | If no, then it must be proven that the instruction set is not ambiguous
The instruction set can be extended | Instruction set | Yes – no |
The instruction set is fully supported | Instruction set | Yes – no | If not, the platform behavior when receiving any of the missing instructions has to be documented
The instruction set supports hypervisor privilege level | Privilege levels | Yes – no | This is mandatory if a hypervisor implementation is expected
Instructions can be restricted to supervisor or hypervisor privilege level by SW configuration | Instruction set | Yes – no – No information | This is an elegant mitigation means to prevent the execution of non-trusted instructions.

[11] NOP : No OPeration

Page 38: Untitled - EASA

9.2.2.1..2 Pipeline issues

The pipeline contains all processing units able to execute a program. The usual stages found in a pipeline are:

- Fetch: fulfilled by the Fetch Unit. It picks the instructions to be executed from a storage device according to their address. Usually, it implements a pre-fetch service (although a dedicated component may be in charge of pre-fetch). It can also perform multiple fetches in one clock cycle and maintain a local instruction queue. The fetch unit is linked to the Branch Unit that implements a branch prediction algorithm.
- Decode and Dispatch: in this stage, instructions are read and routed to the adequate execution units. Usually, several instructions can be decoded and dispatched in the same cycle. Dispatch rules can be documented, but usually it is not the case.
- Execute: this stage is fulfilled by several processing units. We consider here:
  - The Load/Store Unit for data transactions toward the address space. This unit may manage several concurrent transactions. It also usually reorders read and writes transactions still maintaining causality when there are dependencies.
  - The integer Arithmetical and Logical units (ALU): usually, those units are duplicated to improve performances. The allocation is performed during the Dispatch stage.
  - The floating point arithmetical units (FPU)

The behavior of the Load-Store Unit is usually complex. It is therefore difficult to have a clear view of the generated activity by the embedded code.

The corresponding criteria are:

CRITERIA | COMPONENT/SERVICE | POSSIBLE VALUES | OBSERVATIONS
The instruction unit can fetch several instructions in parallel | Pipeline – Instruction unit | Yes – no – No information |
The instruction unit has a pre-fetch service depending on a branch unit | Pipeline – Instruction unit | Yes – no – No information |
The pre-fetch is limited inside a memory page | Pipeline – Instruction unit | Yes – no – No information | If no, this may raise page faults out of the software execution flow
The branch prediction can be disabled | Pipeline – Branch unit | Yes – no – No information |
The branch prediction policy is configurable static/dynamic | Pipeline – Branch unit | Yes – no – No information | A static branch prediction is easier to analyze

Page 39: Untitled - EASA

The LSU reorders the memory and IO transactions | Pipeline – Load/store unit | Yes – no – No information | Transaction reordering is a source of indeterminism whose impact on worst case performance has to be bounded
Transaction reordering can be forbidden in the LSU | Pipeline – Load/store unit | Yes – no – partially – No information |
Internal registers are renamed during instruction execution | Pipeline – Renaming | Yes – no – No information | This optimization mechanism

9.2.2.1..3 Virtual memory management

The virtual memory service is provided by the Memory Management Unit (MMU). This component is in charge of translating virtual addresses into physical addresses, and verifying that the requesting software has the sufficient access rights. On multicore platforms, this service can be located at core, at platform level or at both levels.

A MMU usually contains two components: one dedicated to actually translate addresses and check access rights, and a storage device, such as the Translation Look aside Buffers (TLB) to save locally the address translation rules. A TLB behaves like a cache, so it has a replacement algorithm that is implemented by hardware or software.

The virtual memory is defined with pages frames. A page is defined by its size and an offset. The translation rule contains the page offset, size and access rights. Page sizes can be fixed or variable.

Page 40: Untitled - EASA

We define the following classification criteria:

CRITERIA | COMPONENT/SERVICE | POSSIBLE VALUES | OBSERVATIONS
TLB storage | MMU – TLB architecture | TLB hierarchy (L1/L2, data/instruction/unified) |
The TLB replacement algorithm is implemented in hardware or software | MMU – TLB replacement algorithm | Yes – no – both – No information | A software implementation of the TLB replacement algorithm is preferable
The page size is fixed or variable | MMU | Fixed – variable – both | Variable size pages use decreases the number of TLB miss
The MMU detects pages overlapping | MMU | Yes – no – No information | If pages can overlap, this is a source of indeterminism and a security failure

9.2.2.1..4 Private caches and scratchpads

The use of hierarchical memory improves the performance of software. We encounter caches and scratchpads. A scratchpad is usually viewed as a cache with its management implemented by software. For real-time applications, a classic approach consists of filling the scratchpad with the software’s data and instructions (when the software’s data and instructions allow it). In a general way, the timing variability when accessing private caches and scratchpads is considered to be bounded. Content prediction depends on the cache replacement policy.

The size and the architecture of each cache, scratchpad and memory have a strong impact on software performance.

We define the following classification criteria:

CRITERIA | COMPONENT/SERVICE | POSSIBLE VALUES | OBSERVATIONS
Private cache and scratchpad contents | Private caches and scratchpads – Architecture | Data – instruction – unified; L1 or L1+L2 hierarchy |
Private cache replacement policy | Private cache | Least Recently Used; Pseudo Least recently used (documented or not) | LRU, LFU and FIFO are the preferred policies for analysis. PLRU needs to be documented as it is usually

Page 41: Untitled - EASA

(table continued) | | Random; Least frequently used; FIFO | implemented with optimizations for streaming. Random replacement policy is the worst choice as it is completely non analyzable

9.2.2.2. Focus on peripherals

Most COTS systems on chip embed hardware accelerators in order to increase the I/O processing performances. This is especially the case for network processing devices.

In many cases, such hardware accelerators are highly configurable and are granted a large autonomy in their actions.

We define the following criteria:

CRITERIA | COMPONENT/SERVICE | POSSIBLE VALUES | OBSERVATIONS
The overall architecture is documented | Hardware accelerator – Architecture | Yes – no |
The hardware accelerator embeds microcode | Hardware accelerator – Architecture | Yes – no – Non documented | If yes, this microcode has to be certified according to ED-12/DO-178B/C
The hardware accelerator is able to initiate master transactions on the interconnect | Hardware accelerator – Architecture | Yes – no – Non documented | If yes, a worst case load has to be determined in order to estimate the occupied bandwidth on the interconnect
The hardware accelerator contains internal memory | Hardware accelerator – Architecture | Yes – no – Non documented |
The accelerator internal memory is protected against SEU/MBU | Hardware accelerator – Architecture | Yes – no – Not documented | Parity or ECC has to be enforced
The hardware accelerator can be bypassed | Hardware accelerator | Yes – no – Not documented | This criterion is mandatory when the hardware accelerator behavior is incompatible with an avionic usage

Page 42: Untitled - EASA

9.2.2.3. Focus on hardware assist for debug and monitoring

Most COTS processors provide debug mechanisms that enable breakpoint insertion, single step execution… The usual way to debug bare metal software is to use the JTAG interface. On top of an operating system, debuggers such as GDB[12] can be used.

We define the following criteria:

CRITERIA | COMPONENT/SERVICE | POSSIBLE VALUES | OBSERVATIONS
The processor offers a service for internal debugging (step by step execution and internal registers view) | Debug service – Core level | Yes – no – Not documented | This is useful to validate a piece of embedded software and monitor the processor behavior during its execution
It is possible to have a trace of the transactions generated by the core | Debug service – Platform level | Yes – no – Not documented | This is useful to have a direct view of the activity generated by the core for interconnect load estimation

[12] GDB: Gnu DeBugger

Page 43: Untitled - EASA

9.3. MULTI-CORE TECHNOLOGY STATE-OF-THE-ART

This chapter covers tasks 1 and 2

9.3.1. Summary of task 1

Identify the types of multi-core processors currently available from the major manufacturers, along with any that are anticipated in the near future (i.e. the next three years).

The multi-core processors identified should include DSPs (Digital Signal Processors), devices that combine multiple processor cores with other airborne hardware devices such as Field-Programmable Gate Arrays (FPGA) and any other types of multi-core processors that the study may reveal.

9.3.2. Summary of task 2

Identify the essential basic architectural characteristics or components of each type of processor and insert them with the types of processor into a spreadsheet or database that shall be delivered to EASA at the end of the study. Characteristics that might be taken into account in such a classification might include whether the cores are homogeneous or heterogeneous, the memory, cache and data bus architectures of the devices, the number of cores or whichever other criteria the study identifies as being important.

Emphasis shall be placed on features that differ from those of current single core processors and that may prevent the functions executed on the processors from behaving in a deterministic and robustly partitioned manner.

These would include features that may enable interference between cores due to common access to memory, cache, data bus or I/O devices and any features intended to save energy that may dynamically shut down a core, alter its executing frequency or dynamically alter the number of executing tasks.

Other features to capture in the spread sheet may include the presence of any software or COTS IP that is provided with the processor and any features to control the hardware or the data transfers between cores and other components, or to control the execution of any hosted software. The study shall identify any COTS IP and whether it was developed and verified in compliance with any DAL of ED-12B / DO-178B.

Details in the spread sheet should be limited, such as the title or category of the feature or the number of processors, with the detailed explanations of the features and their implications being provided in the text of the report.

Page 44: Untitled - EASA

9.3.3. Basic Architecture characteristics

We can find diverse Multi-core processor architecture regarding the organization of cores on one hand and the different types of memory accesses on the other hand which is as most important as the organization of the cores.

The architecture for memory accesses can generate a lot of difficulties that we have to analyze and master before declaring that the processor can be used in a safe environment like an aircraft.

Three main processor family Architectures can be found in the market

- Unified Memory Access (UMA),
- Distributed Architecture (DA)
- Single Address space, Distributed Memory (SADM)

When analyzing market processor architecture, we can notice that GPUs from ATI or NVIDIA for example have their main architecture based on the DA one with a variant that is each dedicated core memory is embedded in the chip.

This architecture consumes a lot of pins linked to Memory Independence per core so they are used for small core or for embedded cores; this family is not addressed in this report.

UMA multi-core processor architecture is organized around one memory which is shared between all cores (see chapter 9.3.3.1..1), this architecture can be found for example in Freescale and ARM family for their low-end processors.

SADM multi-core processor architecture is organized around Cores having their own cache, dedicated memory and can have accesses to other core memories using bus and/or Network. This architecture can be found, for example, in Freescale, ARM or INTEL® family for their high-end processors.

Example of deployed multi-core architecture:

UMA | DA | SADM
Freescale P1, P2 family; ARM CORTEX® A8 and below | NVIDIA, ATI | Freescale P3, P4, P5 and T family; ARM CORTEX® A9, CORTEX® A15; INTEL® Core I7, Core I5

Analyzing processors architecture, we can’t find show stoppers or unsuitable features that can be demonstrated at this level of abstraction.

That means that we need to conduct the analysis processor by processor, to verify if the corresponding architecture and associated features can be considered as suitable or not, so this is why Thales has moved to a generic approach based on criteria per domain:

- Interconnect
- Cache
- Shared resources

Page 45: Untitled - EASA

9.3.3.1. Memory sharing architecture

In this chapter we propose to present the different types of memory accesses and the key points associated with these architectures.

9.3.3.1..1 Unified Memory Access (UMA)

The multi-core processor architecture is organized around one memory which is shared between all cores:

[Figure: Core 1, Core 2, Core n; BUS; EXTERNAL MEMORY]

In this type of architecture, Access time to the memory is the same for each processor but we can notice that this access time is directly linked with the memory bandwidth throughput; Read or Write operation performed from or to the memory can be only one data per access.

This type of architecture requires arbitration management on one hand and integrity mechanisms on the other hand to manage communication between cores and synchronization if required.

Page 46: Untitled - EASA

9.3.3.1..2 What about caches?

UMA architecture is upgraded introducing cache memories; these are high speed memories between cores and External Memory. These memories have the same class of access time as its dedicated core.

These cache memories introduce other kind of problems linked to data integrity. If two cores share the same data area, when one of these two manipulate a data item, the second core which has a copy of this data needs to know that the data item is upgraded by another core (this problem occurs mainly in SMP[13] mode where one Operating System manages all cores allocating them to processes for one running Airborne Software application in a given period of time).

[Figure: Core 1, Core 2, Core n, each with its Cache; BUS; EXTERNAL MEMORY]

In multi-core processors we need to take care about how Cache Memory Coherency is assumed

[13] SMP : Symmetrical Multi Programming

Page 47: Untitled - EASA

9.3.3.1..3 Distributed Architecture (DA)

In this Architecture, each core has the use of a dedicated memory with or without dedicated cache depending on the processor architecture.

A local network realizes the link between cores and it is used for data and/or command transfer

[Figure: Core 1, Core 2, Core n, each with its Cache, I/F and EXT MEMORY; LOCAL NETWORK]

We can find the use of this kind of architecture, with or without caches, mainly in GPUs[14] with a variant where memory is embedded inside the die and dedicated per core. A Network is used to communicate between cores and the outside.

Cores can be allowed (depending on the implemented policy) to have access directly to the data using the network. With this kind of architecture, the performance of the global processor is directly linked to the quality and performance of the local network. We can also speak about this being shared memory architecture.

Remark: in this architecture, Memory Cache Management is simplified and occurs in the same way as in a single core processor (separate cache and memory are dedicated to each core).

[14] GPU : Graphics processing Unit

Page 48: Untitled - EASA

9.3.3.1..4 Architecture named “Single Address space, Distributed Memory” or SADM

This is the last class of processor architecture named SADM where Cores have their own cache, they can also have dedicated memory but they can have access to other core memories using the bus or the Network.

In this architecture we can notice that we have separate clusters. Each cluster can have its own private memory shared between cores allocated to this cluster. Exchanges between clusters are realized using local Network.

Note: In some multi-core architecture, like in QorIQ™ from Freescale or in ARM, the cluster bus is also part of the global network. In this variant of architecture, the bandwidth is at least dimensioned to sustain all the transfers in a cluster without causing perturbation to the others (this point has to be verified when the selection of a multi-core is proposed).

[Figure: two clusters, each with Core 1, Core 2, Core n and their Caches on a BUS with an EXT MEMORY; LOCAL NETWORK]

Page 49: Untitled - EASA

9.3.4. Multi-core galaxy overview

This analysis is based on public available information; information under NDA can’t be described in this analysis.

See Excel File where galaxy overview has been developed.

Multicore_processors_roadmap_r2.xlsx

9.3.4.1. A short overview of processor roadmap

We speak about a short overview due to the fact that this chapter can only detail accessible information on processor roadmap from the three main actors in the computing domain those are: Freescale, ARM and INTEL®. Detailed available information on core architectures is in the Excel Spread Sheet.

9.3.4.1..1 Freescale Roadmap

Figure 2: Freescale Roadmap (source: Freescale)

Page 50: Untitled - EASA

First Generation

P1 series is tailored for gateways, Ethernet switches, wireless LAN access points, and general-purpose control Airborne Software. It is the entry level platform, ranging from 400 to 800 MHz devices

P2 series is designed for a wide variety of applications in the networking, telecom, military and industrial markets. It will be available in special high quality parts. It is the mid-level platform, with devices ranging from 800 MHz up to 1.2 GHz.

P3 series is a mid-performance networking platform, designed for switching and routing. The P3 family offers a multi-core platform, with support for up to four Power Architecture e500mc cores at frequencies up to 1.5 GHz on the same chip, connected by the CoreNet™ coherency fabric.

P4 series is a high performance networking platform, designed for backbone networking and enterprise level switching and routing. The P4 family offers an extreme multi-core platform, with support for up to eight Power Architecture e500mc cores at frequencies up to 1.5 GHz on the same chip, connected by the CoreNet™ coherency fabric.

P5 series is based on the high performance 64-bit e5500 core scaling up to 2.5 GHz and allowing numerous auxiliary application processing units as well as multi core operation via the CoreNet™ fabric. Applications range from high end networking control plane infrastructure, high end storage networking and complex military and industrial devices

Second generation

T series is based on high performance 64 bits e6500 dual-threaded core with ALTIVEC function. The internal architecture is based on clusters, each containing four dual-threaded cores and one memory controller and various other accelerators

Third generation

X series: no information can be available for this series.

Page 51: Untitled - EASA

9.3.4.1..2 ARM Roadmap

ARM has a strong reputation as an IP provider and manufacturer of low-power consumption processors. A lot of microcontrollers implement the ARM IP, and it is the leader on this market.

ARM proposes a set of IP for multicore processors: MPCore™. It contains an IP for an interconnection: Corelink™. This highly configurable interconnection can support several ARM bus protocols: AMBA® ACE, AMBA® AXI, AHB, AHB-Lite, and APB. It supports three kinds of cores: CORTEX®-A9, CORTEX®-A15 and ARM11, and it can connect up to 4 cores.

ARM components’ architectures are open and documented. This goes in favor of being a good candidate for use in avionics and for further assessment.

CORTEX®A15 is based on a 1 to 4 core product, SMP within a single processor cluster up to 2,5 GHz. Its 4 core version is designed for use in Home & Web servers, Wireless Infrastructure Equipment, Digital Home entertainment and its 2 core version is designed for Smartphone and Mobile Computing.

CORTEX® A9 is based on a 1 to 4 core product. It is designed for Mainstream Smartphones, Tablets, Set top boxes, Home Media Players, Auto Infotainment, Residential Gateways and the 1st generation ARM low power server.

CORTEX® A8 is based on a single core processor with a Frequency range from 600MHz to 1GHz. It has been designed for Smartphones, Netbooks, Set-up Boxes, Digital TV, Home networking and Printers.

No public information are available after CORTEX®A15

Figure 3: ARM Roadmap (source: ARM)

Page 52: Untitled - EASA

9.3.4.1..3 INTEL® ROADMAP

Figure 4: INTEL Roadmap (source: INTEL)

Page 53: Untitled - EASA

INTEL® proposes a large variety of multicore processors for domestic, professional or embedded use, We propose to give below a quick overview of the existing series

- INTEL® Atom™:
  This series of processors is dedicated to embedded systems (on this market, the leader is ARM). The current generation is the third one with dual-core products. There are two major series: the D(esktop) and the N(etbook). A particularity is the memory hierarchy stack: there is only one shared cache for all the cores.

- INTEL® Core™ i7:
  This series is dedicated to a domestic use (desktop applications, gaming…). The current generation is the second one (released in late 2011) and is composed of 2, 4 and 6 core processors. They embed the classic INTEL® optimizations (turbo boost, support for virtualization). Their memory hierarchy is two level of private cache per core, and a level of shared cache. An extension to this series is the Intel® Core™ i7 Extreme.

- Intel® Core™ i5:
  This series is similar to the Intel® Core™ i7, except it is composed of 2 and 4 cores processors. Globally, the performance of those processors is lower than those from the Intel® Core™ i7 series.

- Intel® Core™ i3:
  This series is similar to the two previous ones, except it is only composed of dual-core processors, with worse performance.

- Intel® Celeron™:
  A Celeron is a processor belonging to another series with limited capacity and a lower cost. This series contains some dual-core processors.

- Intel® Core™ 2:
  This series contains different types of processors, some dedicated to desktop applications, some dedicated to high performance and some dedicated to low consumption. This series is composed of 1, 2 and 4 cores processors.

- Intel® Pentium™:
  This series contains some low-cost dual core processors.

INTEL® doesn’t give out any more public information than that collected in this short term Roadmap. Available information has a one year limitation and is focused around the new bridge (no information on internal features) and around new core performance.

Page 54: Untitled - EASA

9.3.4.2. Multi-core processors manufacturers and addressed market segments

The multi-core technology can be used in several market segments. A non-exhaustive list of such segments is provided below:

Application Domain: Desktop and gaming applications
Expected characteristics: Correct average performance for general operations and floating points operations. No real-time guarantees are required.
Manufacturers: INTEL®, AMD, IBM, Broadcom Corp

Application Domain: Multimedia applications
Expected characteristics: Fast integer and floating point calculus, required in image and video processing. The corresponding systems may consider soft real time constraints in order to be reliable in stream processing.
Manufacturers: Nvidia, AMD, Texas Instruments, VIA, Freescale, Broadcom Corp

Application Domain: Safety applications (automotive, medical, spatial, defense, avionics)
Expected characteristics: High level of integrity and hard real time performance. Robustness under aggressive environmental constraints is very important, especially in spatial applications.
Manufacturers: Aeroflex Gaisler (spatial), ARM, Freescale, IBM, Texas Instruments, Marvell, Infineon (defence and aerospace), Parallax Semicond (medical)

Application Domain: Automotive (low critical functionalities)
Expected characteristics: Low-power consumption, reliability and soft real-time constraints
Manufacturers: Freescale, Infineon

Application Domain: Networking applications (mainly switches and servers)
Expected characteristics: High bandwidth in network processing and correct platform integrity. Because those applications are usually in contact with the open world, security features, including partitioning, are very important.
Manufacturers: Oracle, IntellaSys, Freescale, IBM, Broadcom Corp, Cavium Corp, Tilera, Marvell, Fujitsu

Application Domain: High performance industrial applications
Expected characteristics: High bandwidth in network processing and extremely fast integer and floating points operations for digital signal processing.
Manufacturers: Texas Instruments, IntellaSys, Cavium Corp, IBM, Fujitsu.

Application Domain: Low power embedded applications
Expected characteristics: Acceptable performance while limiting the power consumption.
Manufacturers: ARM core IPs, Infineon, Nvidia, Freescale, Texas Instruments, Broadcom Corp

Page 55: Untitled - EASA

9.3.4.3. Academic projects around multi-core

Several academic projects address multi-core concerns for hard real-time systems, including Embedded Aircraft Systems. Those projects aim at introducing new hardware and software concepts in classic multi-core architectures to enforce determinism and real-time behavior on virtual or synthesized platforms. Such concepts can be implemented on general purpose COTS processors if processor manufacturers can find some commercial interest.

In the state-of-the-art of academic projects dealing with predictability on multi-core platforms, we found the relevant projects:

- MERASA, parMERASA: This project (Multi-Core Execution of Hard Real-Time Applications Supporting Analysability) and its extension aim at proposing a set of tools and recommendations for predictability and WCET analyses on a multi-core architecture. The first project is finished now and it proposes the following tools :
    o A fully FPGA synthesizable multi-core processor targeting
    o A SystemC simulator of determinist multi-core platform
    o WCET analyses tools for embedded software. They are based on the open-source library Otawa and on the proprietary tool Rapitime.

- JOP: This is a FPGA implementation of a multi-core processor executing java bytecode. It comes with a configurable deterministic interconnect bus and a predictable memory. This project explores some possible optimizations for the interconnect configuration.

- MUSE: This project deals with real-time multi-core for spatial platforms. They address problems close to fault-tolerance. This project’s concerns are close to Embedded Aircraft Systems concerns. Indeed their main lock is the parallelization of critical operations.

- ARAMiS: This project was launched by the German government in the end of 2011. It aims at developing concepts that could enable the use of multi-core platforms in automotive, railway and Embedded Aircraft Systems.

Page 56: Untitled - EASA

9.3.4.4. Industrial collaborations

In this chapter, we address the two main initiatives around multi-core:

- MCFA (Multi-Core For Avionics) initiative was launched by Freescale in early 2011 with the major actors of Embedded Aircraft Systems, a detailed list of actors and objectives can be found on the MCFA website :
  http://media.freescale.com/phoenix.zhtml?c=196520&p=irol-newsArticle&ID=1606741&highlight

- The Multi-core Association® (MCA) is an industry association that includes leading companies implementing products that embrace multi-core technology. Their members represent vendors of processors, operating systems, compilers, development tools, debuggers, ESL/EDA tools, simulators, application and system developers, and universities. Their primary objective is to define and promote open specifications to enable multi-core product development. The complete list of actors can be found on their website : http://www.multicore-association.org/

9.3.5. Software support for Embedded Aircraft Systems

9.3.5.1. Airborne Certified Operating System

A wide community of actors act in Avionics Embedded Software, a sum-up is given below:

- Wind River with two class of Operating System
    o VxWorks CERT Platform – Certified Operating System based on VxWorks compliant with ED-12B/DO-178B
    o VxWorks 653 Platform – Operating System featured from VxWorks with an ARINC653 API supporting DO-197

- Green Hills Software which provides
    o Integrity-178B RTOS[15] which offers an ARINC653 API
    o GMART, an ADA run-time compliant with ED-12B/DO-178B level A
    o Integrity Multivisor : an hypervisor that offers virtualization to help hosting a wide diversity of Operating System

- SYSGO which provides
    o PikeOS a micro-kernel offering both a RTOS and a virtualization concept

- LynuxWorks which provides
    o LynxOS-178 a RTOS offering via Virtual Machine a virtualization concept
    o LynxOS 178 is a FAA – accepted Reusable Software Component (RSC)

- DDC-I which provides
    o DEOS, a RTOS certified up to level A supporting ARINC653 part4
    o HeartOS, a micro-kernel POSIX Based certified to ED-12B/DO-178B up to level A

[15] RTOS : Real Time Operating System

Page 57: Untitled - EASA

- THALES Avionics which provide
    o MACS2, an ARINC653 Operating System certified up to level A and supporting Incremental Certification.

This is a non-exhaustive list of Operating System providers and Operating System used in embedded certified Embedded Aircraft Systems

Some OS providers offer virtualization techniques to help the hosting of different Operating Systems in different temporal slots, these techniques are mainly based on what it is called micro-kernel.

Most of these Operating System providers offer a multi-core approach of their solution based only on compatibility with ED-12B/DO-178B or ARINC653 but without a real analysis on how to manage the multi-core processor regarding the certification point of view.

9.3.5.2. Software definition / explanation

9.3.5.2..1 Processes and Threads

Threads differ from traditional multitasking operating system processes in that:

- Processes are typically independent, while threads exist as subsets of a process
- Processes carry considerably more state information than threads, whereas multiple threads within a process share process state as well as memory and other resources
- Processes have separate address spaces, whereas threads share their address space
- Processes interact only through system-provided inter-process communication mechanisms
- Context switching between threads in the same process is typically faster than context switching between processes.

9.3.5.2..2 Multithreading

Multi-threading is a widespread programming and execution model that allows multiple threads to exist within the context of a single process.

These threads share the process' resources, but are able to execute independently. The threaded programming model provides developers with a useful abstraction of concurrent execution. However, perhaps the most interesting application of the technology is when it is applied to a single process to enable parallel execution on a multiprocessing system.

9.3.5.2..3 Processes, kernel threads, user threads

A process is the "heaviest" unit of kernel scheduling.
Processes own resources allocated by the operating system. Resources include memory, file handles, sockets, device handles, and windows. Processes do not share address spaces or file resources except

Page 58: Untitled - EASA

through explicit methods such as inheriting file handles or shared memory segments, or mapping the same file in a shared way. Processes are typically preemptively multitasked.

A kernel thread is the "lightest" unit of kernel scheduling.
At least one kernel thread exists within each process. If multiple kernel threads can exist within a process, then they share the same memory and file resources. Kernel threads are preemptively multitasked if the operating system's process scheduler is preemptive.

Threads are sometimes implemented in userspace libraries, thus called user threads.
The kernel is not aware of them, so they are managed and scheduled in userspace. Some implementations base their user threads on top of several kernel threads to benefit from multi-processor machines.

9.3.5.3. The impact of multi-cores on Software Development

9.3.5.3..1 Memory Management

Multi-core processor offers opportunities to increase performance and reduce footprint (size weight and power dissipation).
Multi-core presents a new challenge to deal with, how to take benefit of these cores, currently not much Airborne Software can benefit from such advantages due to the complexity of parallelization. Each core contains its own set of execution resources, resulting in very low latency parallel execution of Airborne Software threads within a single physical CPU package.

The benefits of multi-core processors are not limited to increased performance. Multi-core processors provide greater system density, allowing organizations to maximize the productivity of their available floor space.
Since they operate at lower frequencies, multi-core processors use less power and generate less heat per core than the commensurate number of single-core processors

M_REM1: Most of the multi-cores share their front side bus as well as the last level of cache. Regarding this, it is possible for one core to saturate the shared memory bus resulting in degradation of performance and safety.

The front side bus, which is also known as the memory bus, is the "highway" upon which data travels as it is written to or read from memory.
“Memory bandwidth” is the amount of data that can travel on the memory bus in a given period of time usually expressed in MBps[16] or Gbps[17]. Although improvements in memory system performance have historically lagged behind improvements in processor performance, the chip manufacturers are working hard to close the gap.
But even if they're successful, if the new multi-core chips implement significantly faster memory systems, as long as the memory bandwidth is shared between the cores, there will always exist the potential for bottlenecks.

[16] MBps : Mega-Byte per second
[17] Gbps : Giga-bits per second

Page 59: Untitled - EASA

And as the number of cores per processor and the number of threaded Airborne Software applications increases, the performance of more and more Airborne Software applications will be limited by the processor’s memory bandwidth.

One approach per example can be:
One technique which mitigates this limitation is to intelligently schedule jobs onto these processors, managing the memory bandwidth demand versus its supply. Avionics Airborne Systems can be configured to automate this technique when hosting high DAL level Airborne Software.

At Avionics Airborne System level, with the use of an Hypervisor, the "memory bandwidth resource" that represents the amount of available memory bandwidth is created and assigned to each core. The value of this "memory bandwidth resource" can be configured on each core by the Hypervisor itself. The memory bandwidth resource is now shared among the Airborne Software applications running on the different cores of the Multi-core processor.

9.3.5.3..2 Mapping

In advanced parallel processing Airborne Software, the final step in this process is mapping the threads to cores. In our assignments, this mapping can be done by the Operating System statically or dynamically regarding available core resources.
We have introduced recommendations on this point in this report.

If Airborne Software is developed using processes or threads, it is possible to take benefit of this development for addressing a multi-core component. To succeed in process or thread allocation, we need to understand what are the processes that can be executed simultaneously, which means we need to have detailed knowledge of the Airborne Software.

There are many dedicated tools to help programmers to map threads onto the cores for INTEL® processors, and Airborne Operating Systems for multi-cores (Greenhills, Wind River, Sysgo, LynuxWorks, etc.) help programmers to execute this mapping.

Page 60: Untitled - EASA

9.3.6. Examples of representative multi-core architectures

In this chapter we present a set of COTS multi-core architectures whose technologies are representative of the different targets described previously:

- Networking
- Low power embedded systems
- High processing performances

We also detail a SoC[18] FPGA[19] fabric that embeds several items of ARM core IP[20], but leaves the interconnect implementation to the programmer. The objective is to give a concise view of the different technologies and services deployed in the cores, interconnects and peripherals.

Remark to partition or virtualize the cores, there are Hypervisors provided for the multi-core processor directly by the component manufacturer such as TOPAZ for Freescale QorIQ™ family or XEN for INTEL® or directly by the Operating System provider, their features and characteristics have to be analyzed ‘case per case’ to ensure that they could not impair / reduce confidence in the application safety.

9.3.6.1. Communication and Networking Processor

9.3.6.1..1 Freescale QorIQ™ P2020

The QorIQ™ P2 platform series, which includes the P2020 and P2010 communications processors, is dedicated for a wide variety of applications in the networking, telecom, military and industrial markets.

This processor delivers dual- and single-core frequencies up to 1.2 GHz on a 45 nm technology low-power platform.

The QorIQ™ P2 series consists of dual- and single-core scaling from a single core at 533 MHz (P1011) to a dual core at 1.2 GHz (P2020).

The P2020 and P2010 communications processors both have an advanced set of features:

- Two e500 Cores
- The 64-bit memory controller offers future-proofing against memory technology migration with support for both DDR2 and DDR3. It also supports error correction codes, a baseline requirement for any high-reliability system.
- Other memory types such as flash are supported through the 16-bit local bus,
- USB[21], SD/MMC and serial peripheral interface (SPI).

[18] SoC : System on Chip
[19] FPGA : Field Programmable Gate Array
[20] IP : Intellectual Property

Page 61: Untitled - EASA

9.3.6.1.1.1 e500 Coherency Module (ECM) and Address Map

The e500 coherency module (ECM) provides a mechanism for I/O-initiated transactions to snoop the bus between the e500v2 cores and the integrated L2 cache in order to maintain coherency across local cacheable memory. It also provides a flexible switch-type structure for core- and I/O-initiated transactions to be routed or dispatched to target modules on the device.

The P2020 supports a flexible 36-bit physical address map. Conceptually, the address map consists of local space and external address space. The local address map is supported by twelve local access windows that define mapping within the local 36-bit (64-Gbyte) address space.

The P2020 includes the address translation and mapping units (ATMUs) to make part of a larger system address space through the mapping of translation windows. The ATMUs allow the P2020 to be part of larger address maps such as those of PCI Express or RapidIO.

In such an ECM, the Airborne Embedded System provider has to obtain from the processor manufacturer knowledge of all the included features and mechanisms that can be disabled for safety requirements.

Figure 5: P2010 : 2020 Overview (source: Freescale Fact Sheet)

[21] USB: Universal Serial Bus

Page 62: Untitled - EASA

9.3.6.1.2 e500mc Cores

The e500mc core (see Figure 6) is a recent update of a long series of PowerPC cores developed by Freescale. It was released in 2008 for the PowerQUICC series and the QorIQ™ series.

Figure 6: e500mc PowerPC core overview (source: Freescale e500mc Reference Manual)

Page 63: Untitled - EASA

We sum up the essential features of e500mc cores in the following table:

Internal component | Features
Pipeline | 6 stages pipeline; out-of-order execution, and in-order completion
Instruction set | Power ISA v 2.06 (partially supported)
Privilege levels | User and super-user mode; Guest and non-guest mode (used by the hypervisor)
Fetch unit | Fetch up to 4 instructions in the same clock cycle; Pre-fetching policy documentation access restricted
Load/Store Unit | Out-of-order load/store execution (still ensuring coherency)
Branch Unit | Static/dynamic branch prediction
Caches | Separated 32k Data and instruction L1 caches; Unified 128k L2 Cache; Snoop mechanisms for cache coherency; Cache pre-filling and locking mechanisms through dedicated instructions; L1 Cache replacement policy: LRU; L2 Cache replacement policy: PLRU; L1 Cache implements parity protection, L2 Cache implements ECC
MMU | Two level Translation Look aside Buffers (TLB) tables; L1TLB coherency ensured regarding L2TLB contents; L2TLB management has to be implemented in the embedded software
Bus interface | Partial documentation available under NDA
Debug and monitoring | 4 Performance Monitor Registers counters may observe 128 different events.

Page 64: Untitled - EASA

9.3.6.1.3 Hypervisor

To manage its multi-core processor family, Freescale has developed and provides a Hypervisor named TOPAZ which manages:

- Security and separation
- Messaging among cores
- System-level event handling
- Debug support

TOPAZ is considered as a small hypervisor for embedded systems based on Power Architecture technology. Its initial version focuses on static partitioning (TOPAZ is not a scheduler):

- CPUs, memory and I/O devices can be divided into logical partitions
- Partitions are isolated one from the other
- Configuration is fixed until a reconfigure and system reboot
- TOPAZ does not address the problem of multiple operating systems on 1 CPU

TOPAZ has been developed for the QorIQ™ family and it uses a combination of full-virtualization and para-virtualization which offers performances and minimal changes to guest operating systems (impact on BSP layer).

TOPAZ Hypervisor has been developed to minimize “intrusivity” and it offers a limited set of services such as interrupt controller, inter-partition interrupts, byte-channels, power management, active / standby / failover and error management.

Page 65: Untitled - EASA

9.3.6.1.4 Networking platform: Freescale QorIQ™ P4080

The QorIQ™ series is initially dedicated to networking. Yet it is viewed in the avionic community as a good candidate to analyze effort to reach acceptance of such a multi-core processor in Embedded Aircraft Systems, thanks to the MCFA initiative from Freescale to help Aircraft Embedded Equipment providers conduct their acceptance process on the QorIQ™ series.

The QorIQ™ P4080 (see Figure 7) integrates eight cores and a large set of hardware accelerators for fast stream processing.

Figure 7: P4080 Overview (source: Freescale Fact Sheet)

Page 66: Untitled - EASA

9.3.6.1.4.1 QorIQ™ Processor Interconnect

In the QorIQ™ processor, the interconnect is named CoreNet™. Its complete architecture is proprietary and less documented; this is the case for the main majority for all manufacturers, so in this report, we have focused on the interconnect and recommendations to master its behavior.

The interconnect implements the following services:

- Arbitration and transfer of transactions between a set of master nodes (Cores, Ethernet controllers through the Frame Manager, DMA [22] engines) and the slave nodes (DRAM [23] controller, I/O). A maximum of four transactions may be arbitrated in each CoreNet™ cycle. A transaction is 128 bytes wide. It corresponds to a cache line. The CoreNet™ protocol is said to be lossless.
- 2x1024k Shared L3 cache level (CoreNet™ Platform Cache)
- Peripheral Access Management Units (PAMU): they play a role close to an MMU [24] for the different peripherals
- Debug facilities: Aurora interface for real-time debug

Freescale is actively working to be able to provide sufficient guarantees on CoreNet™ behavior without divulging the core information on its internal architecture, thanks to MCFA.

9.3.6.1.4.2 Peripherals

The P4080 provides a large set of peripherals and I/O’s [25]. The most important one is the Data Path Acceleration Architecture (DPAA). It is composed of a set of hardware accelerators that can:

- Initiate DMA transfers from several I/O’s, such as PCIe or Ethernet bus
- Reassemble, encrypt/decrypt and parse packets
- Manage packet buffers
- Dispatch packets among dedicated cores for processing, with load-balancing if necessary

The other main peripherals are:

- The Enhanced Local Bus Controller (ELBC): This bus connects peripherals usually met in microcontroller architectures: UART, flash memories, I2C interfaces, SPI interface…
- The Ocean network: This network interconnects several PCIe controllers and Serial RapidIO interfaces. It is completed with DMA controllers.

Peripherals Internal memories include ECC protection. Proprietary microcode is embedded in some elements of the DPAA.

[22] DMA: Direct Memory Access
[23] DRAM: Dynamic Random Access Memory
[24] MMU: Memory Management Unit
[25] I/O: Input / Output

Page 67: Untitled - EASA

9.3.6.2. Low-Power Multi-core IP: ARM CORTEX®-A15 MPCore™

ARM released the MPCore™ series to provide an IP of scalable, highly configurable and low-power multi-core processors. This series comes as a set of several IPs for various components (cores, interconnect, peripherals).

We describe here the CORTEX® A15 MPCore™ (see Figure 8) as the most recent processor in this series.

It is organized as a cluster of up to four cores connected with a Snoop Control Unit containing a L2 cache level.

Some implementations embed several clusters, enabling the use of more than four cores.

The interface with the peripheral bus implements the latest version of the Advanced Microcontroller Bus Architecture (AMBA®) protocol: AMBA® ACE.

Figure 8: ARM CORTEX®‐A15 MPCore™ Overview (Source: CORTEX®‐A15 Technical Reference Manual r3p0)

Page 68: Untitled - EASA

9.3.6.2.1 CORTEX®-A15 Cores

Main ARM CORTEX®-A15 features are:

Internal component | Features
Instruction set | ARM v7-A; THUMB™; JAZELLE™ (execution of Java Bytecode)
Pipeline | 8 stages pipeline
Fetch Unit | Static/dynamic branch prediction
Caches | Separated Data and instruction 32k L1 caches; LRU replacement policy for all caches
MMU | Two level Translation Lookaside Buffers (TLB). L1 TLB is separated data/instructions. L2 TLB is unified; Hardware translation table walk in case of L2 TLB miss
Interrupts | Shared interrupts managed by the Generic Interrupt Unit
Bus interface | Direct connection to the Snoop Control Unit

9.3.6.2.2 Snoop Control Unit: First Level interconnect

The Snoop Control Unit (on Figure 8: Non processor/Level 2) is the “inter-core interconnect”. It is the first shared resource between the cores.

The Snoop Control Unit provides the following services:

- Arbitration and transport of memory requests for each core
- Management of the shared L2 cache, whose size is configurable between 512K and 4M. It implements an optimized MESI protocol for cache coherency.
- Support for inter-cache data and instruction transfers.
- AMBA® ACE master Interface with the main interconnect (Corelink™, described further)
- Cache coherency acceleration through the Acceleration Coherency Port

Snoop requests (requests from the cores to the addressed space) are therefore interleaved in the Snoop Control Unit. They are propagated on the single AMBA® ACE master interface to the second level interconnect. However, this protocol allows several concurrent transactions to be interleaved. Multiple accesses can therefore occur.

Page 69: Untitled - EASA

9.3.6.2.3 Corelink™ Network: Peripheral interconnect

The connection between the Snoop Control Unit and the main RAM, L3 cache and peripherals is provided by Corelink™. It is a dedicated IP for on chip networks. It may interconnect several clusters of ARM MPCore™.

This interconnect implements the AMBA® ACE protocol for nodes (masters and slaves) connections. Older versions are limited to AMBA® AXI protocol. It is a full crossbar, and it comes with a set of services for transaction management:

- Priority (quality of service) of transactions configuration
- Latest granted first arbitration policy in the same domain of priority
- Transactions monitoring and performance measurements
- Hardware assist for atomic access insurance

Figure 9: Corelink™ Example of implementation (source ARM infocenter ‐ Corelink™ CCI400 Cache coherent interconnect Technical Reference Manual)

Page 70: Untitled - EASA

Trust Zone implementing protections between secure and non-secure transactions. The Trust Zone is used for hypervisor implementation.

9.3.6.3. Multi-core DSP: Texas Instruments TMS320C6678™

Texas Instruments proposes the TMS320C66xx™ series of multi-core DSPs for multimedia infrastructures, high performance image processing and medical applications.

The TMS320C66xx™ series proposes high processing capabilities with up to 8 DSP cores, a highly configurable interconnect and a subsequent set of IO.

We focus here on the TMS320C6678™ octo-core DSP processor (see Figure 10).

Figure 10: TMS320C6678™ architecture overview (Source: TMS320C6678™ Multicore Fixed and Floating‐point Digital Signal Processor – Rev C)

Page 71: Untitled - EASA

9.3.6.3.1 DSP Cores: C66x™ CorePac

DSP Cores are optimized for vector scalar product operations.

The C66x™ CorePac contains the C66x™ DSP and a set of hardware components that stand between the core and the interconnect.

They provide the functionalities we classically find in a general purpose core:

- Cache levels
- Memory management and protection
- Bus interface
- Interrupt controller

Figure 11: CorePac overview (Source: C66x™ CorePac User Manual rev B)

Page 72: Untitled - EASA

The main characteristics of the C66x™ CorePac are:

Internal component | Features
Privilege levels | User and Supervisor modes
Caches | Separated 32k Data and Program L1 caches; Unified 1M L2 Cache; All caches can be partially or fully configured as SRAM; LRU replacement policy for all caches; Cache controllers provide coherency mechanisms; Internal DMA channels are provided for data/instruction moves inside the CorePac
Memory Protection | Access controls on pages. It is implemented on all internal memories and caches. There is no virtual memory management inside the CorePac.
Shared SRAM controller | Multi-core Shared Memory, controlled by an Extended Memory Controller. This controller implements memory protection, address translation and pre-fetching from MSM to L2 or L1 caches.
Bus interface | Configurable bandwidth management implemented for all cache controllers except L1P cache. Bandwidth management is based on arbitration with highest priority first and resolving denial of services with timeouts; Slave DMA controller. It is the slave interface for each CorePac. It receives incoming transactions from other masters on the interconnect.

9.3.6.3.2 TMS320C66xx™ interconnect: TeraNet™

TeraNet™ is a double switch fabric: it is decomposed in Data TeraNet™ and Configuration TeraNet™. Master and slave nodes are connected either directly or through internal bridges.

The connection matrix is available in the Reference Manual. For each master, the transactions’ priorities are configurable. TeraNet™ also provides a large set of tracers that can monitor the activity of each component.

Page 73: Untitled - EASA

9.3.6.4. SoC FPGA Hard Processor System: Altera Cyclone® V

To improve FPGA device performance, FPGA manufacturers include core IP in their FPGA devices.

This is called the Hard Processor System (HPS). It includes an ARM MPCore™ implementation containing cache levels and Snoop Control Unit and AMBA® interfaces. The peripheral interconnect (equivalent of Corelink™ for ARM MPCore™) has to be synthesized inside the FPGA. External peripherals (external memory, Ethernet controller, PCIe) are provided inside the system on chip.

We propose as an example the Cyclone® V from Altera. It integrates two ARM CORTEX®-A9 cores connected with a Snoop Control Unit (see Figure 12). The FPGA fabric is dedicated to:

- The high-bandwidth interconnect for external DDR [26], PCIe, Ethernet
- Optional coprocessors and classic FPGA systems

Figure 12: Altera Cyclone® V SoC FPGA overview (Source: SoC FPGA Product Overview Advance Information Brief, ref AIB-01017-1.3)

[26] DDR: Double Data Rate (for a Dynamic Random Access Memory)

Page 74: Untitled - EASA

9.4. MULTI-CORE FEATURES REGARDING CERTIFICATION

9.4.1. Introduction

In this section, we plan to provide a list of usual services found in a multicore platform. This list will be used further to establish a classification of multicore processors. The considered criteria deal with the processor structure and configurability, but also with the available information and more generally the manufacturer’s openness toward the certification process.

Some criteria address the technological evolution of the platform’s internal components but are not limited to multicore processors. This is the case for optimization mechanisms introduced in the cores to improve performance. Other criteria are multicore specific. They would be irrelevant for an analogous single-core platform. Those criteria deal essentially with interconnect and shared component features that implement specific mechanisms to manage the parallel execution of software on each core.

The main novelty in the use of multi-cores in the Avionics domain is the presence of true parallelism between different pieces of software executed in the same period of time on different cores. This section deals with the consequences of such parallelism inside the Airborne Embedded System. Moreover, the design of multi-core processors followed the recent evolutions of embedded technologies. Thus additional features may occur, but they would also be relevant in a single-core context.

In the following chapters of this report, we used the Symbol RGL for Recommended Guide-Line abbreviation

Page 75: Untitled - EASA

9.4.2. Processor features impact on determinism

This chapter deals with tasks 3 and 4

9.4.2.1. Summary of task 3

Determine whether it is possible to classify the multi-core processors listed in the spread sheet into groups according to their components, the characteristics of their architectures, their behaviors or other criteria. The study shall describe the criteria used to classify the processors and why those criteria were selected. The groups may later be used by EASA to write guidance material that is specific to each group.

9.4.2.2. Summary of task 4

Select - in agreement with EASA - a representative processor from each of the identified processor groups and conduct a detailed examination of the internal architecture of that processor, identifying the components involved and the features of the processors, describing their roles in the data and control flow of the device. Emphasis should again be on features that are not found on most single core processors. Aspects that are common to many types or groups only need to be described once in the study report, but any important variations that are specific to a processor or group of processors shall be highlighted.

While identifying and describing processor features, identify which of the components, features or behaviors of the processor groups are unsuitable for the use of the processors in safety-critical airborne systems with deterministic behavior and in compliance with the current guidance material listed above. The features listed in item 2 above and the reasons why they are unsuitable should be described. Any other type of interference or effect identified by the study that might make a component or architecture unsuitable for use in certifiable and deterministic safety-critical airborne systems should be identified and described.

9.4.2.3. Interconnect

9.4.2.3.1 Overview

The Interconnect is the first shared resource between cores. It interleaves the concurrent transactions sent by the cores to the shared resources like caches, memories and I/O mapped in the address space. Its architecture has a strong impact on determinism and ensuring partitioning, and on the complexity of worst case analyses.

An interconnect usually implements the following services:

- Arbitration of incoming requests. This stage depends on several parameters:
  - Arbitration rules
  - Arbiter internal logic
  - Network topology

Page 76: Untitled - EASA

- Allocation of the physical destination devices when they are duplicated. This is the case for example when there is more than one MEMORY controller.
- Allocation of a path to the destination. This is necessary when several paths exist between the source and the destination. This depends on the routing rules.
- Support for atomic operations, hardware locking mechanisms
- Snooping mechanisms for cache coherency
- Inter Processors Interruptions (IPI) for inter-core communications

The Interconnect is in charge of interleaving - when necessary - the transaction flows emitted by the master nodes (the cores and specific I/O such as Ethernet controllers or DMA engines) directed to slave nodes (usually MEMORY, shared caches, slave I/O and core slave interface).

An interconnect is usually characterized by:

- A Protocol: The different stages of a transaction processing. Most interconnect protocols are divided in three phases: arbitration, transfer and termination.
- A Topology: The different point-to-point connections between nodes. The most classic topologies are:
  - Busses: One connection links all masters to all slaves. A bus may be duplicated on a chip (we talk about multiple busses), thus allowing multiple parallel transfers. A bus may be pipelined, allowing several transactions to be transferred at the same time in different pipeline steps. In case of duplicated busses, the arbitration module will allocate one bus to one master when arbitrating its transaction.
  - Crossbars: There is one point to point connection between each master and slave. Thus no routing is necessary. Usually, a local arbitration module is provided on each slave interface to interleave incoming accesses.
  - Switch fabrics: This is the intermediate topology: point-to-point connections link internal bridges that are connected to the master and slave interfaces. The arbiter is in charge of routing the incoming transactions inside this network. This solution is a usual compromise between the number of point-to-point connections and the interconnect performance through parallel transaction service.
- An Arbitration policy: The rules that are applied to access sequentially an atomic resource that was requested by different masters at the same time. Usually, the arbitration policy is designed for good average performance and granting fair access to the requesters. One example is the Least Recently Granted arbitration policy that is implemented in Corelink™ (see ARM CORTEX®-A15 MPCore™ interconnect).

Many interconnects are said to be cache coherent. They implement either snooping or shared directory mechanisms. That means each address accessed is notified to a set of master and slave nodes (usually the cores, the shared caches and some I/O) that may store a local copy of the concerned data in internal caches. When this is the case, the corresponding cache lines are invalidated or updated. Section 9.4.2.5 refines cache coherency mechanisms.

Page 77: Untitled - EASA

Usually interconnects provide a set of services that ease the implementation of Operating Systems:

- Inter-core communication mechanisms
- Reservation stations for semaphore implementation
- Access to configuration registers for shared services such as clocks, reset...
- Monitoring and debug resources

The interconnect design is a key advantage for the competitiveness of processor manufacturers. Therefore, it is difficult for Airborne Embedded System providers to get complete information on interconnect features. Specific NDA [27]s can be established to give access to some confidential documentation. Yet it is likely that Airborne Embedded System providers will not have access to complete information on the interconnect designs.

9.4.2.3.2 Interconnect Classification criteria

Num. | Component / service | Criteria | Possible values | Observations
1 | Interconnect Arbiter | Arbitration rules documentation is available | Public; Under NDA; No |
2 | Interconnect Arbiter | The arbiter is centralized | Yes; No; Mixed | Centralized arbiter is a single point of failure
3 | Interconnect Arbiter | The arbiter can serve several transactions simultaneously | Yes; No |
4 | Interconnect Arbiter | The arbitration policy is configurable | Yes; No |
5 | Interconnect Arbiter | Possible configurations for arbitration policy (subset of) | Round Robin; Fixed priorities, Round Robin in the same priority domain; Variable priorities, Round Robin in the same priority domain; Least recently granted policy | TDMA arbitration policy is usually preferred for a better analyzability.

[27] NDA: Non-Disclosure Agreement

Page 78: Untitled - EASA

5 (continued) | Interconnect Arbiter | | TDMA [28]; Random Arbitration |
6 | Interconnect Arbiter | Arbiter internal logic information is available | Public; Under NDA; No |
7 | Interconnect Device Allocation | Device allocation rules information is available | Public; Under NDA; No |
8 | Interconnect Device Allocation | Device allocation is configurable | Yes; No |
9 | Interconnect Device Allocation | Possible configurations for device allocation (device per device) (subset of) | Static; Dynamic with load balancing; Dynamic with a specified state machine; Random | The static allocation seems to be the most relevant for further analyses
10 | Interconnect Network Topology | Information on the network topology is available | Public; Under NDA; No |
11 | Interconnect Network Topology | Several paths exist from one node to another | Yes; No | The interconnect is easier to analyze if the answer is no
12 | Interconnect Routing | Information on the routing rules is available | Public; Under NDA; No |
13 | Interconnect Routing | Possible configurations for routing rules (subset of) | Static; Dynamic with load balancing; Dynamic with a specified state machine; Random | Dynamic routing policies may complicate the determination of conflict situations

[28] TDMA: Time Division Multiple Access, i.e. access restrictions in predefined periods of time

Page 79: Untitled - EASA

14 | Interconnect Protocol | Information on the different kinds of transactions is available | Public; Under NDA; No |
15 | Interconnect Protocol | Information on the relation between assembly instruction executed and transactions sent is available | Public; Under NDA; No |
16 | Interconnect Inter-Processor Communication | The inter-processors interruptions can be blocked by the interconnect | Yes; No; No Information |
17 | Interconnect Cache Coherency Mechanisms | Snooping mechanism can be disabled | Yes; No; No Information |
18 | Interconnect Cache Coherency Mechanisms | Snooping mechanism can be confined to a subset of cores | Yes; No; No Information | This may be useful to confine non real-time from hard real time sub-system on the platform
19 | Interconnect Cores Synchronization | The interconnect provides a core synchronization mechanism | Yes; No; No Information |

9.4.2.3.3 Interconnect Usage Domain

The interconnection between cores inside a COTS multi-core processor, also known as the “Interconnect”, is one of the main features, new to this COTS processor technology, which may have a significant impact on the overall behavior of the processor when used in terms of performance characteristics and potentially integrity.

9.4.2.3.3.1 Objective and Definition

Characterizing the behavior of a COTS multi-core processor interconnect in every possible situation is technically and humanly difficult. Thus performing an analysis that requires information on the interconnect behavior may not be possible. We define the Interconnect Usage Domain as a set of constraints restricting the accesses to the interconnect. The objective is to reach an “acceptable” characterization of the interconnect behavior in order to enable further analyses.

RGL n°2
To be able to manage the behavior of the multi-core processor, for each device, an Interconnect Usage Domain should be defined by the Airborne Embedded System provider and validated with the processor manufacturer.

The Airborne Embedded System provider shall provide evidence that his knowledge and control on the Airborne Embedded System is compliant with the Interconnect Usage Domain.

Examples of Interconnect Usage Domain restrictions could be:
- No more than 4 masters can initiate request in the interconnect at the same time
- No more than one DMA engine is allowed to be active at one time
- A shared cache should not be accessed by more than 2 masters at the same time
- A cache coherent memory area will not be shared among more than four nodes

It can be noticed that the Interconnect Usage Domain definition does not include information on interconnect internal components. Thus it is possible to deal with a “black-box” interconnect, or to perform analyses without divulging confidential information.

The means to demonstrate compliance with the Interconnect Usage Domain are:
- Restrictions on the Airborne Embedded System Usage Domain
- Hardware or software control mechanisms
- Deep analysis of the interconnect features

RGL n°3
The Airborne Embedded System provider should implement control mechanisms (Hardware and/or Software) on interconnect accesses in order to comply with the Interconnect Usage Domain.

The above recommendation can be explained as follows. On one hand, restricting the Airborne Embedded System Usage Domain to be compliant with the Interconnect Usage Domain may impact software development processes and worst case performance analyses. On the other hand, a deep analysis of the interconnect features may not be possible because of the limited information available from the processor provider. Thus, control mechanisms appear to be the most relevant approach. Their introduction should have a limited impact on performance.

One important feature dealing with interconnects is the dynamic reconfiguration of its internal components. Various needs such as to sustain a high bandwidth for a specific core or to save energy on an underused component may lead to take automatic (and silent) decisions on the interconnect configuration. Such operations might be incompatible with Avionics usage, especially when their specifications are confidential and not shared by the processor manufacturer.

9.4.2.3..3.2 Related selection criteria

Nevertheless it is possible to define an Interconnect Usage Domain on black-box interconnects. The absence of knowledge of the interconnect internal features may lead to a pessimistic definition. The extreme case occurs with black-box interconnects. Here, only one master is allowed to request the interconnect at one time, and has the exclusive access during its transaction service.

Thales proposes to weight the criteria regarding the impact of these criteria on the Avionics Embedded Systems based on the different ED-80/DO-254 DAL levels of these Embedded Systems. This weighting can be challenged by the EASA.

In order to allow some parallelism in the Interconnect Usage Domain, we recommend that the processor selection takes into account the following criteria:

| Criteria | Sub-criteria | Weight for DAL A/B | Weight for DAL C/D | Observations |
|---|---|---|---|---|
| Information on the interconnect behavior is available | The interconnect protocol is documented | 3 | 3 | Information on the interconnect protocol is useful to determine how transactions are handled by the interconnect. For instance, some specific error codes may exist, transactions may be decomposed. |
| | The interconnect protocol implementation allows transactions reordering | 1 | 1 | If it is the case, then transactions reordering increases the difficulty to characterize the interconnect protocol. See RGL n°4 |
| | It is possible to identify from assembly code or with an embedded spy all transactions sent on the interconnect | 2 | 1 | Such information may be useful to analyze the interconnect service of optimized assembly instructions. Multiple transactions may be sent to execute a single instruction. |

| Criteria | Sub-criteria | Weight for DAL A/B | Weight for DAL C/D | Observations |
|---|---|---|---|---|
| | Arbitration rules description is available | 3 | 2 | This piece of information allows a worst case arbitration situation to be determined. There are two kinds of arbitration policies: the fair and the unfair ones. The first one serves all masters trying to provide an equal access for each. The second one is based on priority assignments. Thus high priority masters are less perturbed by the activities of other cores. |
| | Routing and device allocation rules description are available | 2 | 2 | This criterion is relevant when multiple paths exist and/or when accessed resources are replicated. This may be the case for shared caches and memory controllers. Dynamic allocations rules increase the complexity of interconnect characterization. See RGL n°5 |
| | All information on interconnects features configuration is available | 3 | 2 | Having complete information on the interconnect configurations has many advantages. It decreases the risks to have hidden functionality, and it gives the opportunity to optimize the Interconnect Usage Domain definition. This is less critical for lower DAL, the main characteristics of these features can be determined using bench software. |
| | Configuration can’t be changed dynamically and silently | 3 | 3 | Regarding safety, it is recommended to use the interconnect in a stable configuration under the Interconnect Usage Domain restrictions. |

| Criteria | Sub-criteria | Weight for DAL A/B | Weight for DAL C/D | Observations |
|---|---|---|---|---|
| Information on the interconnect design is available | The interconnect topology is documented | 3 | 2 | This ensures simpler interconnect behavior determination during further analyses. See RGL n°5 |
| | The arbiter is centralized or distributed | 1 / 3 | 1 / 2 | This criterion is important to determine which parallel paths may exist in the interconnect. If the arbitration resources allow it, those paths may be authorized in the Interconnect Usage Domain. For low DALs, this topology can be analyzed using external software benches. A partially or fully centralized arbiter complicates the characterization of interconnect behavior. Indeed, it may enable situations in which several masters targeting different slaves have sequential access to the arbitration resource. Nevertheless, a centralized arbitrator remains necessary when the interconnect is not a full crossbar to avoid contention between cores and between cores and shared resources. See RGL n°6 |
| | The manufacturer has stated that the interconnect embeds no hidden mechanisms | 3 | 3 | This limits the risks of having hidden functionalities that weaken computing platform integrity and other requirements. |
| | The interconnect has internal waiting queues and contention mechanisms | 3 | 2 | It may bring additional difficulty to characterize the interconnect behavior. |

Weights: 1: informative _ 2: Nice to have (Should) _ 3: Mandatory (Shall)

RGL n°4
Transactions reordering increases the difficulty to characterize the interconnect protocol, we recommend to disable interconnect reordering mechanisms to ensure a better assurance in the transaction management.

RGL n°5
For Safety, we recommend to use the interconnect in a stable configuration under the Interconnect Usage Domain restrictions that means the Airborne Embedded System provider should obtain from processor manufacturer assurances that the interconnect configuration cannot be changed dynamically and silently.

RGL n°6
To avoid contention between cores, and between cores and shared resources, we recommend to use centralized managed arbitration when the interconnect is not a full crossbar.

9.4.2.3..4 Interconnect features regarding multi-core processor integrity

9.4.2.3..4.1 Integrity of transactions services in the interconnect

Failures occurring during transaction services may have an impact on the execution integrity of software on different cores if they are not mitigated (see RGL n°7). We can consider for instance the following failures:
- Silent loss of a transaction. Here, ‘silent’ means without signaling an error.
- Silent transaction corruption due to a transaction collision or an external event (such as a SEU29).

In many cases, such events would lead to faulty execution of the embedded software without raising any errors (failures are silent). During the certification process, the Airborne Embedded System provider has to provide evidence that this kind of faults cannot occur on the Airborne Embedded System. This is the interconnect integrity analysis. This analysis should be performed jointly by the Airborne Embedded System provider and the processor manufacturer inside the Interconnect Usage Domain.

RGL n°7
We recommend that the Interconnect Usage Domain determination should contain an Interconnect Integrity Analysis performed under Airborne Embedded System Provider responsibility with the assistance of Processor Manufacturer.

The Interconnect Usage Domain determination should enable an interconnect integrity analysis with limited technical and human effort.

29 SEU : Single Event Upset

9.4.2.3..4.2 Related selection criteria

We can derive the following selection and assessment criteria:

| Criteria | Sub-criteria | Weight for DAL A/B | Weight for DAL C/D | Observations |
|---|---|---|---|---|
| Information on the interconnect integrity is available | The interconnect protocol is transaction lossless | 3 | 3 | This becomes a killing criterion if the interconnect can lose transactions silently. See RGL n°8 |
| | The interconnect embeds transaction corruption detection mechanisms, such as parity or ECC for eventual internal storage | 2 | 2 | This is a classic fault detection means for internal storage. Yet some internal storage resources may be hidden from the platform provider. |
| | In case of internal failure, the interconnect can propagate an error to the concerned core and/or an external monitor | 3 | 2 | If it is the case, it might be possible to consider the interconnect integrity toward a particular core. In case of failure, if no propagation occurs, only the concerned core could be sanctioned. This is a means to increase reliability at platform level. |

Weights: 1: informative, 2: Nice to have (Should), 3: Mandatory (Shall)

RGL n°8
We recommend that the Interconnect Usage Domain determination should contain analysis regarding the interconnect protocol that shall provide lossless transactions.

9.4.2.3..5 Interconnect features regarding Worst Case Execution Time calculus

The interconnect design and behavior are determining factors for WCET analyses. Indeed, a measured execution time in a worst case scenario has to be corrected with parameters that take into account the timing variability of Airborne Embedded System services including interconnect accesses. However,
occurrences of inter-core conflicts introduce additional variability in the durations of transaction services. Determining correction parameters for interconnects requests requires an estimation of an upper bound on their value.

The presence of conflicting situations depends on:
- The arbitration rules for incoming requests
- The arbiter topology (centralized or distributed) and its internal logic
- The interconnect topology that determines the parallel paths
- The devices allocation rules that are used when a resource is duplicated, such as a DDR controller
- The snooping traffic that ensures cache coherency

As explained in section 9.4.2.3..3 dealing with the interconnect usage domain, determining inter-core conflict situations in a general case is technically and humanly difficult. When the conflicting situation is complex (for instance a conflict occurring between many simultaneous transactions), it may be difficult to estimate tightly the timing variability of each transaction service so pessimistic hypotheses have to be done.

The Interconnect Usage Domain may be used to bring the complexity of this analysis back to an acceptable level.

RGL n°9
The Interconnect Usage Domain definition should limit the number and the complexity of inter-core conflict situations in order to give tighter bounds for their impact on the timing variability of transaction services.

RGL n°10
The Interconnect Usage Domain definition should prevent all occurrences of undesirable conflicts by taking into account pessimistic timing hypothesis when it is not possible to determine bounds on the timing variability on transaction services.

RGL n°11
We recommend that observations and tests performed by the Airborne Embedded System Provider on timing variability on transactions services should be validated by the processor manufacturer according to the Interconnect Usage Domain hypothesis.

9.4.2.3..5.1 Related selection criteria

| Criteria | Sub-criteria | Weight for DAL A/B | Weight for DAL C/D | Observations |
|---|---|---|---|---|
| Information on the interconnect worst case behavior is available | The timing variability of a transaction service can be bounded without taking into account conflict situations | 3 | 2 | This is clearly a killing criterion. The absence of conflicts is the simplest case in which an interconnect is used. |
| | The timing variability of a transaction service can be bounded taking into account specific conflict situations | 2 | 2 | This criterion is weaker than the previous one. It is required to authorize some conflicting situations in the Interconnect Usage Domain so that its definition is less restrictive. |
| Transaction service timing variability can be measured | The platform embeds hardware assist for measuring in each core the time variability of transaction services | 2 | 2 | Using internal hardware components, such as integrated timers is mandatory to perform fine grain measures for transaction service timing variability. |
| | The platform embeds internal monitoring mechanisms that can observe conflicts inside the interconnect | 2 | 2 | Having additional monitoring mechanisms in the interconnect is a good feature. Their use may help to ensure the coverage of conflicting situations was complete enough. |
| | The processor manufacturer is able to confirm observations on worst case timing variability for transaction service under Interconnect Usage Domain restrictions. | 3 | 2 | The lack of information on interconnect design has to be filled by strong collaboration between the platform provider and the manufacturer. Absence of such collaboration may lead to uncovered situations that could invalidate the analysis. |

Weights: 1: informative, 2: Nice to have (Should), 3: Mandatory (Shall)

9.4.2.3..6 Interconnect features regarding Robust Partitioning insurance

Providing Robust Partitioning on a multi-core Airborne Embedded System raises issues that depend on the partition deployment. We consider the following cases:
- At most one partition may be activated at one time on the Airborne Embedded Equipment.
- Several partitions may be activated simultaneously on different cores. For simplicity, we can consider that the Airborne Embedded Equipment “system software” is seen as a partition (as its execution shall be protected from Airborne Software)

The first case is close to Robust Partitioning enforcement on single-core Airborne Embedded Systems. Existing guidelines such as ARINC 653 Time and Space partitioning seem relevant. A more detailed description is provided in section 9.5.3.1..3.3 that deals with Symmetrical Multi-Processing.

The second case is more complex. Indeed, concurrent transactions coming from different cores may be associated with different partitions. Inter-core conflicts occurring during transaction collisions introduce couplings between embedded partitions. Interference (i.e. occurrences of fault propagation) occurs through sequences of inter-core conflicts.

To ensure Robust partitioning, conflicting situations have to be analyzed. Such an analysis can be performed under the restrictions imposed by the Interconnect Usage Domain so that the set of conflicting situations is limited down to an acceptable level. Identified conflict situations must be analyzed to determine whether the timing variability introduced by the conflict can be bounded, and if that bound is acceptable regarding the partition’s model of faults. This feature is close to correction parameters definition for WCET calculus. Thus RGL n°9, RGL n°10 and RGL n°11 are applicable.

9.4.2.3..6.1 Related selection criteria

The selection criteria proposed in section 9.4.2.3..5.1 for WCET calculus are relevant for Robust Partitioning enforcement.

9.4.2.4. Shared caches

The use of shared caches is classic outside the Embedded Aircraft Systems. Indeed, it allows the use of a large cache area that could not be integrated (for costs and size reasons) inside each core. Significant performance increases can be expected from the use of a shared cache. Usually, it is completed with one or two levels of private caches inside each core.

The use of a shared cache in Embedded Aircraft Systems requires a solution to the following problems:
- Shared cache content prediction. This feature addresses WCET calculability and robust partitioning requirements. We develop this feature in the next section.
- Cache content integrity. As for private caches, a shared cache is usually a large cache in which SEU/MBU30 are likely to occur. Such events have to be mitigated following recommendations provided in section 9.6.
- Concurrent accesses impact. We consider that potential restrictions on concurrent accesses to shared cache have to appear in the Interconnect Usage Domain in the same way as concurrent accesses to shared memory.

Several cache organizations exist, including:
- Fully associative: Each memory row may be stored anywhere in the cache.
- N-way set associative cache: Each memory row may be stored in any way of some specific sets of cache lines.
- Direct mapped cache: Each memory row may be stored in a single cache line.

Fully associative and N-way associative caches implement a replacement policy that has to be documented. Classic replacement policies are:
- Least Recently Used
- Pseudo Least Recently Used
- Most Recently Used
- First In First Out
- Random

Modern COTS processors usually implement one or more of those replacement policies with some optimizations, for instance to improve streams processing.

9.4.2.4..1 Cache Classification criteria

| NUM | COMPONENT/SERVICE | CRITERIA | POSSIBLE VALUES | OBSERVATIONS |
|---|---|---|---|---|
| 37 | SHARED CACHE ARCHITECTURE | THE SHARED CACHE HAS SEVERAL READ AND WRITE PORTS | YES / NO / NO INFORMATION | USUALLY, SHARED CACHES HAVE MORE READ THAN WRITE PORTS |
| 38 | SHARED CACHE PARTITIONING | IT IS POSSIBLE TO PARTITION A SHARED CACHE PER WAY | YES / NO / NO INFORMATION | IF YES, THIS APPROACH IS KNOWN AS THE MOST EFFICIENT |
| 39 | SHARED CACHE PARTITIONING | IT IS POSSIBLE TO PARTITION A SHARED CACHE PER LINES | YES / NO / NO INFORMATION | |
| 40 | SHARED CACHE SRAM BEHAVIOR | IT IS POSSIBLE TO CONFIGURE A SHARED CACHE IN SRAM | YES / NO / NO INFORMATION | IF YES, THIS REMOVES ONE SOURCE OF INDETERMINISM |
| 41 | SHARED CACHE CACHE LOCKING | IT IS POSSIBLE FOR ONE CORE TO LOCK SOME OF ITS CONTENT IN THE CACHE | YES / NO / NO INFORMATION | |
| 42 | SHARED CACHE CACHE LOCKING | IT IS POSSIBLE FOR ONE CORE TO LOCK SOME OF ANOTHER CORE’S CONTENT IN THE CACHE | YES / NO / NO INFORMATION | IF YES, THIS IS A VIOLATION OF ROBUST PARTITIONING |

30 MBU : Multiple Bits Upset

9.4.2.4..2 Content prediction features

In a general case, shared cache content prediction is only possible when we have a full visibility into the software executed on each core. It can be noticed that cache content prediction is a means to give a tighter estimation of the WCET for some embedded software.

The absence of reliable information on cache content may lead to pessimistic hypotheses in WCET determination.

Usually, the exact cache content prediction is not achievable for a large cache -shared or private- because of the combinatorial explosion entailed by the multiple execution paths. Current methods aim at determining an Abstract Cache State. This is an approximated representation of the possible cache states (the possible contents of each cache lines) during the possible executions of the embedded software.

Cache content prediction algorithms (for private and shared caches) have to take into account the following features:
- Instruction cache content prediction. This is possible when execution paths in the software have been explored.
- Data cache content prediction. This feature is more difficult because load/store addresses may be dynamically determined. Thus the set of read/write addresses has to be approximated first.
- Instruction/Data conflict prediction. This feature occurs in unified caches

Moreover, cache content prediction algorithms supporting shared caches have to address the following features:
- Cache conflict prediction. That means identification of situations where one core loads data/instructions in the shared cache that will be further invalidated by another core.
- Shared code (especially shared libraries, OS and language runtimes) impact determination. This is important to estimate how far shared code loading by one core will be profitable to other cores.

The interested reader may refer to (Hardy, Analyse pire cas pour processeur multi-coeurs disposant de caches partagés, 2010) for a detailed algorithm. It can be noticed that shared cache content prediction algorithms may offer better results when the programmer explicitly introduces synchronization points between each core in its program. However, to the best of our knowledge, such algorithms are not yet deployed in the industrial world.

The use of shared caches in Embedded Aircraft Systems seems to be a long-term solution. Hence there is a lack of background on their use in hard real-time systems, thus we do not provide specific recommendations on their usage “as a shared cache” (that means without any control on its content).

9.4.2.4..3 Classic cache configurations

We highlight here two classic mechanisms or configurations that are usually available for shared caches:
- Cache partitioning
- Cache configuration as SRAM31

Those mechanisms may address the problem of cache content prediction even when the programmer has no visibility into the software deployed in parallel on the Airborne Embedded System.

9.4.2.4..3.1 Cache partitioning

It may be possible to allocate specific areas of a shared cache to one core. This is called cache partitioning. In an N-way associative cache, this partitioning may be enforced over sets (all ways of one set are reserved for one core), or over ways (one way of all sets is reserved for one core). In both cases, the concerned core is allowed to allocate data/instructions in its reserved cache area. An adequate configuration of cache partitioning may be enforced to allocate disjoint sections of a shared cache to each core.

It can be noticed that a partitioned cache will not exactly behave like N private caches. Indeed, cache partitioning deals with cache line allocations: a cache line can be loaded in one core’s partition only if it requests it. It may be later accessed, read and modified by other cores, given that their memory mapping allows them to access the concerned addresses.

9.4.2.4..3.2 Cache use as SRAM

When a shared cache may be configured partially or totally as SRAM, it simulates the behavior of a scratchpad. Its content will be fully managed by software. Predicting cache content in this situation means identifying cache management requests explicitly initiated by software.

Yet each core may initiate cache management requests. A coherent management of the shared cache has to be enforced.

31 SRAM : Static Random Access Memory

RGL n°12
We recommend that robust partitioning for shared cache should be enforced by defining hardware configuration for cache partitioning mechanisms or should be enforced by software management (hypervisor for example) if shared cache is configured as SRAM when partitioned Operating System is deployed simultaneously on different cores and use shared cache.

9.4.2.4..4 Corresponding selection criteria

| Criteria | Sub-criteria | Weight for DAL A/B | Weight for DAL C/D | Observations |
|---|---|---|---|---|
| Information on the cache behavior is available | The available replacement policies are documented | 3 | 2 | This criterion is mandatory if cache content has to be predicted with a cache not configured as SRAM. Optimized cache replacement policies may be proprietary. |
| | There exists a cache prediction algorithm that supports at least one replacement policy | 3 | 2 | This may raise a feature when the cache replacement policy has been optimized to accelerate some operations. |
| | The cache can serve multiple transactions in parallel | 1 | 1 | This information may be useful during the Interconnect Usage Domain definition – if it is not available then margin will be taken for the usage Domain |
| Restrictive cache configurations are available | The cache can be partitioned per set and/or per way | 2 | 2 | This information may be useful to simulate the behavior of a private caches inside private cache. Cache content prediction may be easier. |
| | The cache can be configured partially or totally as a SRAM | 1 | 1 | This configuration may be useful when the cache content has to be finely managed by software. |
| Cache disabling is possible | It is possible to disable the shared cache | 3 | 2 | It should be demanded to turn off a shared cache when the platform does not need its performance gain or when behavior can’t be managed. |

Weights: 1: informative, 2: Nice to have, 3: Mandatory


9.4

Caonmaso me Th

Wgu ImcacrefcoCobuinv Coadinttheto In traem


4.2.5. Cach

ache coherene same datay also be Ithat their d

emory – ma

here are two Invali

o

o

Updato

o

e usually euarantee no m

mplementingche cohereferenced byntaining a

onversely, dusses and fvalidate loc

ommon diredditional traftroduce a hem or not) bpropagate c

an Embedansactions smbedded so


he coheren

ency mechaa. Usually I/O internal data is markaintains an u

o families ofidate protoc

The accesand requiselected fiThis classline invalimay entai

te protocolsThe accesones contransparenThis classthe interco

encounter Inmodificatio

g a cache cency is cally a dedicate

cache line.distributed cfilters accesal copies).

ectories usffic only to

higher traffibut memorycorrectly thi

dded Aircraservice insidoftware and

cy mechan

anisms are rit concerns cache mem

ked as deprup-to-date v

f coherencycols: ssed cache lire a load first by the cs of protocoidation is cl additional

s: ssed cache lntaining thently. s of protocoonnect, thus

Invalidate pon for multip

oherence prled Directoed compone. It filters mcache coherssed addres

age entailsnodes that

ic (snoops ay transactiois traffic.

aft Systemsde the inter

d Robust Pa

M

nisms

required in the cores i

mories. Modrecated. On

version of th

y protocols:

line is markto the main

cache replacols is usuallycheaper thanl traffic (N r

ine is update cache li

ols has an as traffic on t

protocols inple valid da

rotocol canory-based cent, the commemory acrency is callsses. When

an additioactually req

are propagaons are serv

s usage, caconnect andartitioning

MULCOR

page 91

architecturinternal cacdifying the ne centralizehe data.

ked as invaln memory.

cement policy easier to in cache linereloads com

ted. Then aine are au

advantage: athe intercon

n today’s arata in cache.

n be done incoherence. mmon directccesses andled Snoopinn they noti

onal duratiquire cacheated to all n

ved faster, a

ache coherd inside eacinsurance.

RS

re that integches, shareddata in oneed storage r

idated in al. Moreovercy. implement e update). H

mpared to on

an update reutomatically

a cache accennect may b

rchitectures.

n a centraliMemory a

tory. This cd signals thng-based coice a confl

on on trane coherency nodes withos long as th

rency mainlch core. ThThe usage

Réf. C

grates severd caches and place shallresource –

l locations. r, the invali

and offers bHowever inne update).

equest is broy updated.

ess will alwbe easier to c

s associated

zed or a diareas that acomponent me correspon

oherency. Elict, they s

nsactions serequests. G

out determihe interconn

ly impacts his impacts t

and limita

EAS

CCC/12/0068

ral storage d the main l signal the most of the

Further acclidated cach

better perfon case of m

oadcasted toFurther a

ways hit witcontrol.

d with MES

istributed ware markedmaintains tnding node

Each node spsignal them

ervice. Yet Globally, snining whethnect has eno

the timingthe WCET

ations on c

SA

898 – rev. 07

devices hosmemory, bother resou

e time the m

cesses will he line may

ormances (cmultiple relo

o all nodes. access will

thout reques

SI protocol

way. Centrald as sharedthe list of nes of an accpies the add

mselves (usu

they limitnooping requher they reqough bandw

g variabilitcalculabilit

ache coher

sting but it urces main

miss y be

cache ad it

The l hit

sting

that

lized d are nodes cess. dress ually

t the uests quire width

ty of ty of ency

Page 94: Untitled - EASA

mechanisms may be addressed in the Interconnect Usage Domain. Many platforms offer to disable and/or to confine cache coherency traffic but do not guarantee any data coherency. The software may be in charge of maintaining it itself under some limitations.

It can also be noticed that snoops management inside each core may use some bandwidth for internal caches accesses and thus slow down the core accesses to its private caches.

9.4.2.5.1 Corresponding selection criteria

| Criteria | Sub-criteria | Weight for DAL A/B | Weight for DAL C/D | Observations |
|---|---|---|---|---|
| Information on the cache coherency management is available | Cache coherency mechanisms should be disabled | 3 | 1 | Cache coherency may be useless, especially in the case of partitioned systems when there is no shared data or area between cores. See RGL n°13 |
| Information on the cache coherency management is available | Cache coherency traffic may be partitioned inside a subset of nodes on the platform | 2 | 1 | This criterion is interesting especially when we have to provide some cache coherency between some cores executing the same airborne software without impacting the other cores. |
| Information on the cache coherency impact on timing analyses is available | It is possible to provide acceptable bounds for the impact of cache coherency traffic on core transactions in private caches | 3 | 2 | This criterion is mandatory when cache coherency is activated to be able to manage timing impact on core transaction and so determinism. See RGL n°14 |
| Information on the cache coherency impact on timing analyses is available | It is possible to provide acceptable bounds for the impact of cache coherency traffic on transactions service in the interconnect | 3 | 2 | This criterion is mandatory when cache coherency is activated to be able to manage timing impact on transaction and so determinism. See RGL n°15 |

Weights: 1: informative, 2: Nice to have, 3: Mandatory

Page 95: Untitled - EASA

RGL n°13
We recommend, preventing undesirable behavior, disabling cache coherency mechanism when partitioned Operating Systems is deployed on each core with no shared memory between cores.

RGL n°14
We recommend, when cache coherency is enabled, bounding the timing variability when core access to its private cache - finding upper bounds on cache coherency traffic impact -.

RGL n°15
We recommend confining cache coherency traffic between the concerned cores and peripherals that require it for the correct execution of embedded software.

9.4.2.6. Shared services

The Airborne Embedded Equipment is in charge of providing shared services among the cores. Usually, we encounter the following ones:

- Interrupt generation and routing to cores
- Core and processor clock configurations
- Timer configurations
- Watchdog configurations
- Power supply and reset
- Support for atomic operations

9.4.2.6.1 Shared Services Classification criteria

| Num | Component/service | Criteria | Possible values | Observations |
|---|---|---|---|---|
| 20 | Interrupt controller | Access restriction to the interrupt controller for the supervisor is possible | Yes / No / No information | |
| 21 | Clocking | Each core has its private clock source or PLL circuit | Yes / No / No information | |

Page 96: Untitled - EASA

| Num | Component/service | Criteria | Possible values |
|---|---|---|---|
| 22 | Clocking | There is a single clock for all cores | Yes / No / No information |
| 23 | Clocking | There is a protection mechanism that prevent a PLL configuration to be corrupted at runtime | Yes / No / No information |
| 24 | Clocking | The mapping between available PLL and cores is configurable | Yes / No / No information |
| 25 | Power supply | The power source of each core can be protected from other cores corruption | Yes / No / No information |
| 26 | Power supply | The core can be halted by other cores | Yes / No / No information |
| 27 | Power supply | The core can be set in sleep mode by other cores | Yes / No / No information |
| 28 | Timer facilities | Each core has a private timer | Yes / No / No information |
| 29 | Timer facilities | Timers can be fed by the same clock source | Yes / No / No information |
| 30 | Timer facilities | Timers can be fed by an external clock source | Yes / No / No information |
| 31 | Timer facilities | Timers can generate interrupts | Yes / No / No information |
| 32 | Timer facilities | Timers have their own clock circuit | Yes / No / No information |

Observations entered for two of these rows: "If yes, a protection mechanism must be proposed".

Page 97: Untitled - EASA

| Num | Component/service | Criteria | Possible values |
|---|---|---|---|
| 33 | Reset facilities | It is possible to perform a reset on one core | Yes / No / No information |
| 34 | Reset facilities | A core can reset another core | Yes / No / No information |
| 35 | Watchdog timers | There is one watchdog timer per core | Yes / No / No information |
| 36 | Watchdog timers | It is possible to restrict a watchdog configuration to one core | Yes / No / No information |

Observations entered in this part of the table: "If yes, a protection mechanism must be introduced" and "If no, this is a source of indeterminism".

All those services can be configured by all cores, provided their memory mapping allows them to access the adequate configuration registers. In the Embedded Aircraft Systems context, this may weaken Robust Partitioning and execution integrity insurance. Indeed, a core whose software execution relies on such services may have its behavior changed by an alteration of those services.

Configuration registers that are located in the shared space are mapped in the address space. Thus software accesses are filtered by the MMU. An adequate configuration of the MMU may restrict those accesses to Airborne Embedded System services with supervisor privileges. However, non-consistent configurations among supervisors executed on each core may still lead to faulty execution of the embedded software.

RGL n°16
We recommend restricting to hypervisor or supervisor (when hypervisor doesn’t exist) level the configuration of shared services. Multiple instances of privileged software running on each core should rely on a single static configuration that is determined at design time.

The case of hardware support for atomic operations (also named reservation stations) is particular. Their classical usage, for semaphore implementation, consists in performing two consecutive accesses that succeed only if they are not interleaved with one or more others.
When concurrent accesses occur at the same time, one or more operations may fail. Some extreme situations that might lead to a high number of retries, or even to deadlocks, would have to be studied to allow the use of reservation stations.

Page 98: Untitled - EASA

RGL n°17
We recommend that implementation of semaphores should take into account potential deadlocks due to shared reservation stations.

9.4.2.6.2 Corresponding selection criteria

| Criteria | Sub-criteria | Weight for DAL A/B | Weight for DAL C/D | Observations |
|---|---|---|---|---|
| It is possible to restrict shared services configuration to a high privilege level | Accesses to the shared interrupt controller, PLL [32], shared watchdog, power sources, ... can be restricted to the supervisor/hypervisor without impacting accesses to other peripherals | 3 | 2 | An adequate configuration of the MMU may provide such restriction. Yet the mapping should not entail access restrictions on other peripherals. See RGL n°16 |
| It is possible to restrict shared services configuration to a high privilege level | One core cannot reset another core at user privilege level | 3 | 3 | Reset signals can often be raised following various events. Even if explicit resets can be restricted to privileged software, it shall be determined whether some errors or events triggered by user-level operations might entail reset signals. See RGL n°18 |

Weights: 1: informative, 2: Nice to have, 3: Mandatory

RGL n°18
We recommend, in multi-core configurations, not to authorize one core, under USER privilege level, to be able to reset another core. Only a Hypervisor or Supervisor (if hypervisor doesn’t exist) have the authorization to perform this reset.

[32] PLL: Phase Locked Loop

Page 99: Untitled - EASA

9.4.2.7. Cores

The cores support the execution of multiple software instances in parallel. They may (explicitly) interact within two mechanisms:

- Inter-core interrupts
- Shared memory

In the Embedded Aircraft Systems context, the use of inter-core interrupts (point-to-point or broadcast) might be the same as any external interrupt. It is acceptable under some conditions including (but not restricted to):

- As a protection mechanism (a core can interrupt another core if it detects a faulty execution inside it)
- When the destination core is actively waiting for being interrupted.

RGL n°19
We recommend that:

1. The use of inter-core interrupts should be restricted to supervisor or hypervisor.
2. The conditions that rule the use of inter-core interrupts should be documented.
3. The Airborne Embedded System provider should provide evidence that all instances of privileged software deployed on each core comply with these rules.

Memory mapping is defined in the Memory Management Unit (MMU). Multi-core platforms usually embed one MMU per core. Thus, memory mapping definition is distributed among the cores. This raises the feature of coherency maintenance between all MMUs.

A non-coherent configuration may weaken Robust Partitioning. However, platforms that provide centralized memory protection services may be protected against non-coherent MMU configurations.

RGL n°20
We recommend that the configuration of MMUs should be performed only at the Hypervisor or Supervisor level – when the Hypervisor does not exist – in order to prove that spatial isolation enforcement relies on a single configuration for the whole platform.

Page 100: Untitled - EASA

9.4.2.7.1 Corresponding selection criteria

| Criteria | Sub-criteria | Weight for DAL A/B | Weight for DAL C/D | Observations |
|---|---|---|---|---|
| Inter-core interrupts emission can be controlled | Inter-core interrupts generation can be restricted to a supervisor or a hypervisor | 3 | 3 | This criterion is mandatory to prevent inter-core interrupts from being emitted by the airborne software in an unpredictable way. See RGL n°19 |
| Memory mapping can be protected against non-coherent configurations | There is a centralized service of memory protection unit | 2 | 1 | Having a centralized protection mitigates the risk of non-coherent configuration of distributed memory protection mechanisms. See RGL n°20 |

Weights: 1: informative, 2: Nice to have, 3: Mandatory

9.4.2.8. Peripherals

Several features dealing with shared peripherals have to be considered. We distinguish features concerning the main memory from those concerning I/O.

Sharing the main memory means sharing the physical storage resources and the memory controllers. The storage resource can be partitioned when necessary: disjoint memory areas can be allocated to each core (this is space partitioning). We do not consider this feature in this section. Sharing accesses to the memory controllers may in some cases increase the timing variability of a transaction with a factor higher than the number of accessing masters (see (Moscibroda & Mutlu, 2007) for an illustration: on a dual-core platform, a task is slowed down with a factor of 2.9 while the concurrent task is not).

These side-effects are due to the internal structure of a DDR. It contains several banks, each bank having internal read/write buffers, internal scheduling optimized for contiguous read/write transactions. Incoming transactions have been interleaved in the interconnect. Thus, contiguous accesses sent by a core may not be contiguously serviced inside the memory controller. This phenomenon cannot be controlled by the software. Thus its worst case timing variability has to be determined and applied for each memory transaction.

Page 101: Untitled - EASA

RGL n°21
We recommend that the Interconnect Usage Domain should specify atomic access patterns to the main memory to provide tighter bounds on timing variability of memory transactions.
We recommend that Worst Case Response Time should be determined for these patterns and Memory transactions should be encapsulated inside them.

Shared I/O features dealing with configuration are similar to shared services configuration. Additional features occur when the cores concurrently perform the following actions:

- Access simultaneously read and/or write buffers. Here classic rules of time and space partitioning can apply: storage areas have to be partitioned with some component controlling their access, and, when it is not possible, ensure that concurrent accesses will occur in disjoint time windows.
- Initiate specific protocols operations. Here, uninterrupted access is required during the protocol execution to be able to fulfill correctly the concerned protocol.

Like shared services, concurrent accesses to shared I/O may occur simultaneously from different cores. Yet their use is more complex than configuration of shared services. Some I/O are accessed according to a protocol, others are accessed from a read and/or write buffer. Thus atomic access patterns have to be ensured.

RGL n°22
We recommend that accesses to shared I/O dealing with configuration should be restricted to the Hypervisor or Supervisor level – if the Hypervisor level does not exist – access patterns to these I/O should be documented in the Interconnect Usage Domain.

Classically, shared I/O’s accesses are managed by the supervisor or the hypervisor. The three existing management methods are:

- I/O emulation. On each core, the supervisor/hypervisor emulates a virtualized I/O interface. It is in charge of propagating I/O accesses to the physical I/O. This interface may be a simple read/write buffer (the supervisor/hypervisor implements in its own driver the corresponding protocols), or a complete I/O (the supervisor/hypervisor leaves I/O management to the Airborne Software)
- I/O direct access. On each core, the supervisor/hypervisor configures the MMU to enable direct I/O accesses. The supervisor/hypervisor does not intercept further accesses.
- I/O manager core. One core is dedicated to I/O transactions. For the remaining cores, I/O transactions are encapsulated inside inter-core messages that are propagated through a communication service.

Today’s experience in shared I/O management is not sufficient to recommend one method rather than the two others for an Embedded Aircraft Systems usage.

Page 102: Untitled - EASA

9.4.2.8.1 Corresponding selection criteria

| Criteria | Sub-criteria | Weight for DAL A/B | Weight for DAL C/D | Observations |
|---|---|---|---|---|
| Memory mapping allows I/O per I/O isolation | All I/O may be accessed in different pages so that I/O management can be partitioned by the MMU | 2 | 1 | It is preferable to have a control I/O per I/O. Yet this is not mandatory since I/O control is provided by platform software. |

Weights: 1: informative, 2: Nice to have, 3: Mandatory

Page 103: Untitled - EASA

9.5. SOFTWARE ASPECTS

This chapter deals with tasks 7 and 8

9.5.1. Summary of task 7

In combination with the steps listed above, identify and analyze the software architectures that may be used in combination with the hardware of each processor group and, if possible, classify those software architectures into groups.
Criteria for this grouping might include such factors as whether symmetric, asymmetric or ‘bare-metal’ multi-processing would be used, whether there are suitable certifiable operating systems that may be acquired and incorporated to execute on the processor and for which types of processing the processors would be best suited.
The study shall identify whether there are particular ways to allocate tasks or parts of tasks to the processor cores that would be most safe and effective for each type of processor and / or operating system, e.g. allocating a single critical task to each processor.

9.5.2. Summary of task 8

Identify the methods, tools, languages and operating systems that would be most suitable for specification, development and implementation of safety-critical software to execute in parallel with robust partitioning on the representative processors and any software / COTS IP that they include.

This chapter deals with multi-cores features related to software execution on a multi-core processor. We focus on Airborne Software in general and platform software (that is granted the supervisor and/or hypervisor privileges) in the case of partitioned systems, especially IMA systems.

9.5.3. Airborne Software deployment on a multi-core platform

9.5.3.1. Airborne Software execution on several cores

Executing an Airborne Software on several cores on a multi-core platform is possible when it is implemented under parallel schemes. Two models are possible:

- Multitasking: The Airborne Software is decomposed in parallelizable tasks that will be activated by a scheduler. This model is implemented in all operating systems that support the execution of several Airborne Software.
- Client-Server: Some services are implemented in servers that are deployed on specific cores. The Airborne Software, executed on another core, requests those servers as a client. This model is classically used in distributed Airborne Software and relies on Remote Procedure Calls techniques. Middleware like CORBA propose services to ease the development of such Airborne Software, for instance messages encapsulation to facilitate method and arguments passing. Some of them have been designed to provide real-time performances.

Page 104: Untitled - EASA

9.5.3.1.1 Multitasks scheduling features

The classic approach for a multitasked system is the hierarchical model based on processes (or partition) and threads (we use UNIX terminology. In ARINC 653, the equivalent components are partitions and processes). Processes (or partitions) are executed from isolated memory areas. Inside a process, one or more threads are executed in the same address space. The use of threads is quite flexible in parallel programming because it enables the definition of shared objects that can directly be accessed by the different threads.

For simplicity, we talk about tasks rather than processes and threads. Usually, parallel programming models include two kinds of tasks: periodic and sporadic (with a minimal inter-arrival time).

Processes and threads activation depends on a scheduling algorithm. One can read the following survey on scheduling algorithms for single and multi-core processors: (Blake, Dreslinski, & Mudge, 2009). Like single-core algorithms, multi-core ones have to solve the Priority Problem. That means they have to decide in which order and when tasks will be executed. Moreover, multi-core scheduling algorithms have to solve the Allocation Problem. That means they have to decide on which core a task will be executed. This leads to the definition of two categories of algorithms: global and partitioned, respectively allowing or not migrations of tasks among the cores.

To be acceptable for an Embedded Aircraft Systems system, a scheduling algorithm shall verify the following properties:

- Feasibility: There shall be a scheduling test that depends on the Worst Case Execution Time, the period (if any) and the deadline of each task.
- Predictability: The Response Time of the set of tasks (i.e. the time in which all tasks will be scheduled) does not increase if the execution time of one task decreases

The second property is critical. Indeed, it ensures that a set of tasks whose schedule has been validated with their estimated WCET will meet its deadline considering the real execution time of tasks.

Usually, pre-emptive and priority based scheduling algorithms (for instance Rate Monotonic, or Earliest Deadline First) are preferred for single-core processors because they check the previous properties, their implementation is easier and worst case performance can easily be computed. For instance, ARINC 653 recommends such an algorithm to schedule processes inside a partition. Cooperative programming models and associated scheduling algorithms may also be used as long as the system does not require robust partitioning. Indeed cooperative programming introduces many functional dependencies between tasks that are not compatible with robust partitioning enforcement.

It has been proven that pre-emptive and fixed priority multi-core scheduling algorithms still verify those properties, for instance Global Rate Monotonic or Global Deadline Monotonic. However this is no longer the case for dynamic priority algorithms, such as Global Earliest Deadline First. In the case of partitioned algorithms, the problem remains equivalent to single-core algorithms, thus pre-emptive and priority based algorithms are predictable.

Page 105: Untitled - EASA

Global scheduling algorithms have an advantage over partitioned algorithms: they are more efficient. Indeed, all task sets schedulable under a partitioned algorithm will be schedulable by the equivalent global algorithm. The opposite is not true. Moreover, global algorithms save the cost of a static allocation that may be an NP-hard problem. However, they have drawbacks. They entail task migrations whose costs have to be bounded, and they manipulate larger data structures whose cost may be prohibitive.

RGL n°23
We recommend the use of partitioned scheduling algorithms and static allocation of tasks to cores that will be decided at Design Time and forbidden at Run Time.

9.5.3.1.2 Airborne Software migration from single-core to multi-core platforms

When porting multitasked Airborne Software from a single-core to a multi-core platform, the Airborne Software developer has to be sure that:

- The Airborne Software execution will still be correct
- A Worst Case Execution Time will be calculated for each task or process.

It can also be noticed that multitasked airborne software may not be efficiently executed on a multi-core platform if its tasks have dependencies requiring a specific execution order.

Concerning the first requirement, care has to be taken if the Airborne Software is implemented within a cooperative tasks model. Indeed, such an implementation usually removes protections in critical sections accesses. In a sequential execution, this is correct: during a critical section, no pre-emption will occur if the developer does not explicitly write it. However, in a multi-core execution, this critical section might be executed in parallel by different tasks, resulting in an erroneous execution. Yet the execution would be correct if the critical section was protected by a semaphore.

RGL n°24
We recommend, when Airborne Software is a multitasked one that critical sections should be explicitly protected by semaphores in case of cooperative programming.

Moreover, the execution of multitasked Airborne Software on several cores may require additional mechanisms such as cache coherency. The use of such mechanisms might not be compatible with restrictions imposed on the Platform or Equipment usage.

RGL n°25
We recommend that multitasked Airborne Software design should minimize the use of cache coherency mechanisms in order to be compliant with the Interconnect Usage Domain.

Page 106: Untitled - EASA

Features regarding the second requirement will be covered in part 9.8 dealing with tools for processing Worst Case Execution Time calculus on multi-core platforms.

9.5.3.1.3 Partitioned system features

This section is a generic one not only focusing on IMA (Integrated Modular Avionics), this section addresses all systems whether partitioning is implemented using ARINC653 Operating Systems or not.

When we address IMA Avionics Embedded Systems, we address partitioning regarding ARINC653 terminology: Airborne Software is composed of one or more partitions which are composed of one or more processes. Processes are executed in the same address space among one partition. Function suppliers are in charge of developing partitions. The Operating System provider (it may be the Platform Provider himself) is in charge of developing the Platform software.

9.5.3.1.3.1 Components evolution to take benefit of multi-core platforms

This section presents our view (as an Avionics Embedded System supplier) of partitioned Avionics module adaptation (see Figure 13) to take benefit of the introduction of multi-core processors in IMA Platforms

Current designs for Airborne Software should not change, or with minor modifications (i.e. comparable to a migration to another single-core platform). Indeed, a large change in this concept would represent a large design and implementation effort. In addition, the trend would be to promote reuse of previously SW Airborne Software, while keeping up backward compatibility.

From the Avionics Embedded System supplier’s point of view, the most “flexible” component is the integration software layer. At this level of abstraction, there are possible designs:

- A single OS instance shared among all the cores
- A private OS instance per core
- A virtualization layer hosting several operating systems in dedicated virtual machines.

Today, experience gained in multi-core architecture is deemed not sufficient to allow determination of which design strategy is the best suited for avionics Airborne Software.

Figure 13: HW/SW Architecture for a future multicore IMA module

Page 107: Untitled - EASA

9.5.3.1..3.2 Deployment of partitions

One stake in the introduction of multi-core in partitioned Embedded Aircraft Systems is the mastering of the parallel execution of code on different cores. This parallelism can occur at two level of abstraction:

• Intra-partition parallelism. The extreme scenario occurs when one partition is activated on all cores and has an exclusive access to platform resources. This is called the Symmetrical Multi-processing (SMP).
• Inter-partition parallelism. The extreme scenario occurs when each partition are activated on one core with true parallelism between partitions. This is called the Asymmetrical Multi-processing (AMP).

There is a third case named Bound Multi-processing which consist in having a single instantiation of an OS managing all Cores simultaneously, but each Airborne Software application is locked to a specific Core. We don’t address this case in this document: it can be considered as a subset of the previous ones.

9.5.3.1..3.3 Symmetrical Multi-processing

A Symmetrical Multi-Processing (SMP) deployment means that partitions are activated on each core (see Figure 14). Inside a partition, processes may be executed in parallel on different cores. Integrity and WCET features covered in part 9.5.3.1 are valid in this context. There may be inter-processes conflicts when accessing to the shared resources. This does not impact time and space partitioning (because those conflicts occur inside the same partition), but it brings additional constraints on the function suppliers

SMP partitions deployment has the following good properties:

• Respect of ARINC 653 time and space partitioning requirement is possible without any modifications to the guidelines.
• There is no true parallelism between partitions.

Some Airborne Software applications are, because of their architectures, good candidates for parallel implementation. Examples of such airborne software applications are Flight Management Systems or Signal Processing applications. However, this is not the case for many legacy airborne software applications running on Embedded Airborne Systems such as utilities. For those applications, backward compatibility seems possible with minor changes, but highly inefficient.

Figure 14: Example of a SMP deployment of partitions

Page 108: Untitled - EASA

9.5.3.1..3.4 Asymmetrical Multi-processing

An Asymmetrical Multi-Processing (AMP) deployment means that one partition is deployed on a single core in parallel with other partitions (see Figure 15). Thus scheduling of processes inside a partition is sequential

Remark: for IMA, ARINC 653 guidelines are still valid

Good properties of an AMP deployment are:

• It does not change the model of sequential partitions that are executed inside a Single core Avionics Embedded System. Thus the backward compatibility of legacy Airborne Software is closer to the existing single-core configurations. The precedence rules related to inter-partition communications (e.g. partition 1 shall finish before partition 2 starts to provide valid data…) do not impact performance.
• It scales with the increase of the number of cores

Remark, for IMA Avionics Embedded System

• ARINC 653 space partitioning requested inside an API context can be ensured between all Cores.
• ARINC 653 time partitioning is ensured between partitions deployed on the same core inside an API context.

However, Robust Partitioning has to be ensured between Cores. As presented in the section 9.4.2.3..6, the presence of eventual uncontrolled inter-core conflicts may not be compatible with Robust Partitioning enforcement at the highest level of criticality.

9.5.3.1..3.5 AMP-SMP-BMP selection

Today's experience in multi-core for Embedded Aircraft Systems does not seem sufficient to recommend a deployment rather than others. The following table gives a comparison of those approaches. The choice of the approach is left to the platform provider.

Figure 15: Example of an AMP deployment of partitions

Page 109: Untitled - EASA

AMP

• It can be noticed that an AMP approach offers more compatibility with existing single-core avionic Airborne Software,
• AMP offers a better performance characteristics close to already existing systems, but presents some difficulties in the demonstration of robust partitioning,

SMP

• SMP approach needs to be taken into account by Airborne Software developer to take benefit from platform.
• SMP offers a better capability to implement robust partitioning, but at the price of lower performance and less freedom to implement modifications

Comparison table (columns: Criterion, SMP, AMP, BMP)

Criterion: Reliability
  SMP: Potential decrease due to a higher level of integration
  AMP: Increase if it is possible to recover from a failure inside a core by restarting the concerned core rather than the whole platform
  BMP: Same advantages and limitations as SMP and AMP

Criterion: Robust Partitioning insurance
  SMP: Time and Space Partitioning (and thus Robust Partitioning) can be ensured. Partition switching requires inter-core synchronization. Partition switching timing upper bound has to be determined
  AMP: Space partitioning can be implemented. However, time partitioning is not enforced anymore between partitions executed simultaneously on different cores. This approach requires Robust Partitioning to be ensured
  BMP: Same problem as AMP

Criterion: Performance gain on partitions (compared to a single-core similar platform)
  SMP: Significant performance increase for partitions that can be parallelized (e.g. Flight Management System)
  AMP: No performance increase inside one partition
  BMP: Depending on the number of cores executing the partition

Criterion: Airborne Software Integration
  SMP: Slight increase of application integration because of individual performance increase
  AMP: Significant increase of Airborne Software integration
  BMP: Increase of Airborne Software integration

Page 110: Untitled - EASA

Criterion: Backward compatibility of multitasked Airborne Software
  SMP: Care has to be taken if the programming model is cooperative. Critical section accesses have to be explicitly protected
  AMP: Complete backward compatibility in the execution model. Functional porting may be required
  BMP: Same problem as SMP for multi-core partitions

Criterion: Porting effort
  SMP: Main effort is by function suppliers. They may have to redesign their Airborne Software to support parallel execution
  AMP: Main effort is by platform provider. He has to provide Robust Partitioning and independent WCET calculus methodology
  BMP: Effort required both by function suppliers and platform provider

9.5.3.1..3.6 Others deployment schemes

In the deployment schemes presented before, we covered alternatives using all cores of the platform each hosting up to DAL-A or DAL-B level.

Additional “restrictions” can be brought at this level, for example, SysGo’s with its PikeOS Operating System deployed on a multi-core processor does not allow a DAL-A partition to be scheduled in parallel with other partitions (see Figure 16: partitions 1 and 2 are DAL-A and executed on an equivalent single-core platform).

Such a deployment restriction allows Robust Partitioning to be ensured for DAL-A / DAL-B Airborne Software with Time and Space partitioning but this restriction introduces a significant loss of performance (from “n” cores down to “one”). This method expects reduction of performance to be acceptable if the proportion of DAL-A / DAL-B Airborne Software remains small inside the module.

Remark: In IMA systems where hosted Airborne Software is mainly at DAL-A / DAL-B level, this approach can’t be used and so conflicts have to be managed.

Figure 16: Example of a restricted partitions deployment scheme

Page 111: Untitled - EASA

Today’s experience in Embedded Aircraft Systems seems not be enough to state whether such restrictions are necessary or if all cores may be used whatever the level of criticality.

9.5.3.2. Airborne Equipment software features

Airborne Equipment software usually refers to an operating system and/or to a hypervisor whose integrity is protected by a dedicated privilege level. The platform provider may not be the Airborne Equipment software developer (he may integrate existing COTS solutions) but he is supposed to have a sufficient knowledge on its behavior and its architecture.

RGL n°26
We recommend, if SMP mode is selected by the platform provider for the Operating System that processes, threads or tasks are statically allocated to cores to achieve determinism and repeatability.

RGL n°27
We recommend, if the Avionics Software Behavior is not known by the platform supplier and AMP mode for the Operating System is selected, the use of a Hypervisor to master the behavior of the Interconnect Usage Domain.

9.5.3.2..1 Architectural concerns

Features concerning the architecture of Platform or Equipment software are close to ones concerning partition deployment on a multi-core platform. They depend on the cores on which the platform software is deployed.

9.5.3.2..1.1 Symmetrical Multi Processing

We talk about a symmetric architecture (also called Symmetric Multi-Processing-SMP – In the literature) when a single instance of the platform software is deployed on all cores (see Figure 17). It can be noticed that the notion of “deployed on all cores” may be ambiguous. For instance, the same service may be executed locally on each core (i.e. from a private cache), even with private data. Other services may be hosted by a dedicated core, and service requests occur through inter-core communication.

The notion of symmetric architecture for privileged software can be more precisely defined as follows: SMP privileged software has all its services executed under a non-disjoint execution environment on each core.

Figure 17: Example of symmetrical OS deployment (source: Freescale white paper on SMP/AMP/BMP)

Page 112: Untitled - EASA

An execution environment refers to virtual memory mapping on physical memory. For instance, we can consider two cores A and B. The privileged software may define local (and disjoint) memory pages inside A and B, and execute some services inside such pages. Thus, the services on core A are actually isolated from the duplicated services on core B. However, core B shares the environment under which core A defined its memory mapping. Thus it has access to the information used by core A to define its memory mapping.

9.5.3.2..1.2 Asymmetrical Multi Processing

We talk about asymmetric architectures (or Asymmetrical Multi Processing -AMP) when several independent instances of privileged software are executed on different cores (for instance, see Figure 18).

Each privileged software instance (operating system or hypervisor) is executed in its own context. That means on one core, the memory mapping is not visible from the other cores. This deployment allows the reuse of single-core operating systems with minimal modifications. Care has to be taken at the boot sequence because one core will be started as master and will be in charge of performing platform early initialization and starting its fellows.

Moreover, I/O features may occur when shared I/O’s are accessed concurrently by different operating systems. Those features are covered in the next section as they are classically resolved through I/O virtualization.

Figure 18: Example of asymmetric architecture (source: Freescale white paper SMP‐AMP‐BMP)

Page 113: Untitled - EASA

9.5.4. Mitigation means

This chapter deals with task 5

9.5.4.1. Summary of task 5

In each case where a component or feature is not suitable for use in safety-critical airborne systems, identify whether or not there are any feasible measures that might be used to mitigate the particular negative effect by means of, for example, architectural mitigation, work-around, disabling the feature concerned, imposing rules or limitations on the use of the feature concerned or any other means that the study may identify.

9.5.4.2. Mitigation Means Analysis

There are quite a few features in the design of COTS multi-core processors that must be mastered to allow use of such technology in safety-critical systems. These include: variability of execution time, service and/or transaction conflicts, core interconnect switches, cache architecture structures, shared services, inter-core interrupts, access to peripherals, programming languages. These features are listed in the following table, together with suggested recommendations on mitigation means that can be used. This does not preclude use of the actual solution that might be developed by the computing platform designer to cater for each of those features.

Table (columns: COTS Multi-Core Features, Mitigation means, Comments)

COTS Multi-Core Feature: Variability of Exec. Time
  Mitigation means: WCET strategy for assessment, measurement and continuous monitoring.
  Comments: Tools may be used for measurement.

COTS Multi-Core Feature: Service/transaction conflicts
  Mitigation means: Software-controlled scheduling of tasks or processes.

COTS Multi-Core Feature: Cores interconnect switch
  Mitigation means: Interconnect Usage Domain Definition.

COTS Multi-Core Feature: Cache architecture structure
  Mitigation means: Multi-core-related cache management (e.g. one cache way per core or restrictions on the use of shared caches). Cache consistency verified by trusted and privileged software.
  Comments: Similar approach can be used for the control of MMU consistency.

COTS Multi-Core Feature: Shared services
  Mitigation means: Similar to Airborne Software APIs Programming Interface (A…), services must be offered via a trusted and privileged software.

COTS Multi-Core Feature: Inter-core interrupts
  Mitigation means: Accept interrupt only when expected (rules to implement wait-for-interrupt) or restrictions on the use of inter-processors interrupts.

COTS Multi-Core Feature: Access to peripherals
  Mitigation means: Shared I/O’s configuration and/or shared memory space should be allocated by trusted and privileged software, either directly or via configuration controlled configuration tables.

COTS Multi-Core Feature: Programming languages
  Mitigation means: Determine adequate strategy for multi-processing programming (e.g. pre-emptive versus co-operative).

One of the principal features of multi-core processors that have a tremendous impact and consequence for their use in safety-critical airborne systems is the increased variability in the execution time, when Airborne Software is run directly on the multi-core architecture. The negative effect of this feature is the inability to demonstrate a stable WCET, which can be relied upon for certification of runtime Airborne Software. The mitigation means that are suggested to handle such difficulties are briefly exposed below. This is mainly based on a straightforward step-by-step approach to WCET determination.

In the case of single-core [mono]-processors, their internal complexity of cache architecture in particular (including multiple levels of caches), and built-in parallelism (e.g. instruction execution based on pipelined architecture), already led to difficulties in the determination of a formal WCET for software running on such processors. However, measurements combined with assessments, relying also on architecture modeling, have allowed a demonstration of WCET to be achieved with an upper bound limit value with an acceptable level of confidence.

For Multi-core processors, this feature is a bit more stringent, hence a more “relative” WCET should be at least achieved, i.e. using the same basic approach as for mono-core processors, possibly complemented by additional measurements, including under abnormal conditions (interrupt triggering, simulated failures or reset cases) to allow an assessment of the robustness of such measurements.

The following is suggested as mitigation means when determinism, hence an absolute WCET is not achievable. The recommended approach consists of four main axes that must be addressed:

9.5.4.3. Time jitter ratio to total execution time

A Channel Interference Analysis should be performed in any case whether the multi-core platform is destined to host single or multiple Airborne Software.

This interference channel analysis should allow determination of a maximum execution time jitter, based on:

• A theoretical analysis of available information (from device manufacturer and on the implementation in the architecture), or
• Via measurements based on selected benchmarks implementing worst case perturbations regarding expected jitter, or

Page 115: Untitled - EASA

• A combination of the two methods above.

As those methods are based on engineering judgment, additional margins should be added to this jitter ratio.

9.5.4.4. Airborne Software WCET evaluation

WCET for each Airborne Software could be evaluated as on a mono-processor in a first step, and corrected using above jitter ratio including margins. Validation of final WCET value could be done by measurement in the presence of other selected benchmarks implementing worst case perturbations on other processors (defined according to time jitter ratio).

9.5.4.5. Monitoring during real-time execution

Execution time should be monitored (e.g. using built-in checks that execution time does not exceed WCET, and records of minimum and maximum values).

This monitoring could be limited to the critical paths identified for an Airborne Software application, providing that background tasks are assessed as not being affected by jitter. This run time monitoring comes in addition to the partition switching code that insures partitioning. It has two main objectives:

• Firstly during the development phase to collect data relative to the actual execution time as observed. This should lead to complementary validation of the jitter ratio determined above, but also to identify scenarios that were not correctly covered by analysis, and to implement corrections to the WCET analysis and jitter ratio whenever necessary.
• Secondly, during run time operation, once the jitter ratio is considered stable (i.e. sufficiently bounded with acceptable margins) to implement detection mechanisms able to stop processor execution (platform reset) of Airborne Software (software reset) when an Airborne Software application exceeds the target limit.

9.5.4.6. Airborne Software robustness

As the above described method is largely based on engineering judgment, it might be considered that execution time jitter in some remote cases could cause the WCET to be exceeded, then leading to unacceptable spurious resets (platform or Airborne Software). A general strategy and principle of airborne software robustness versus resets should be implemented.

Page 116: Untitled - EASA

9.6. FAILURE MITIGATION MEANS

This chapter deals with task 10

9.6.1. Summary of task 10

Examine whether the architectures of multi-core processors may affect the ability of a system to detect failures within the processors or their associated hardware and the ability of the system to make it safe, to re-start and recover in the event of a failure being detected.

The study shall determine which multi-core processors incorporate features such as memory management units and detection of division by zero and ensure that watchdog timers can be incorporated. The study shall identify which kinds of failure detection are possible, whether the processors incorporate any form of exception handling and what the response of the processor is to error detection, e.g. shutting down the affected software partition, the processing core, the entire processor or any other means.

9.6.2. Mitigation means

The architecture of multi-core processors is organized around the Interconnect.

In association with the temporal Interconnect behavior defined through the Interconnect Usage Domain, it is expected that the Interconnect shall not jeopardize the intrinsic processor detection of abnormal events and also shall not propagate any abnormal events initiated by a processor to the others or a group of others attached to the same Interconnect.

The generation of exceptions and the recovery actions shall be considered at the fault containment area level: partition, processor, I/O.

The Interconnect shall act as a fault container with respect to each processor including their I/O management. The notion of partitioning has also to be extended down to the I/O interfaces with associated fault detection.

RGL n°28
We recommend, for mitigation means, that the Interconnect Usage Domain should be defined to act as a fault container between cores.

Page 117: Untitled - EASA

9.7. COTS RELATED FEATURES

This chapter deals with task 11

9.7.1. Summary of task 11

Analyze the processor architectures and examine any problems or processor errata that have already been found to determine whether multi-core processors in general or particular types of them might suffer from more frequent failures or different or more widespread types of failures than the current single core processors. This shall include failures due to radiation induced effects such as SEU (single event upsets), whether such effects would be detectable and whether the processors incorporate any means to detect such events and correct the errors produced.

9.7.2. COTS related features analysis

The following major concerns are determining factors for the selection of complex and highly complex COTS processors for use in Embedded Aircraft Systems. The concept of Systems On Chip (SoC), which includes either microcontrollers and multi-core processors, together with heterogeneous peripherals, has been known over the past few years. Those concepts were made possible thanks to high-density integration of transistors on a single chip. From Moore's law the capability of technology in terms of number of transistors integration is to double every 12 to 18 months.

Figure 19: an example of technology evolution, up to 2022 (Source: INTEL)

Page 118: Untitled - EASA

The benefits of such technology are to integrate more and more transistors into smaller silicon areas, while achieving better performance and low-power consumption. An illustration is the Deep [and Very Deep] Sub Micron (DSM) CMOS technology used for multi-core processors. Deep submicron technology is using transistors of smaller size and faster switching rates. Transistor sizes, see Figure 19, down to 35nm, 25nm, 18nm, 13nm and below are envisioned, compared to the currently used sizes of 90nm and 45nm. However a number of features and challenges arose with such technology:

• Low-power design and temperature susceptibility,
• Better Signal/Power Integrity and quality,
• Higher Density and Design Complexity,
• Packaging and testing of large chips,
• Design to Cost optimal approach,
• Device parameter variability due to leakage

To date, a conservative approach in the design of embedded complex and critical real-time Embedded Aircraft Systems was to use complex to highly-complex micro-processors and microcontrollers, so-called SoCs, without further consideration of technology concerns. However various aspects should be addressed before going farther toward DSM with technologies down to lower sizes. Two examples are addressed below:

9.7.2.1. Electro-migration

This phenomenon tends to reduce the useful life duration of an SoC (figures for 90nm technology, when used continuously at maximum temperature range (105°C) and frequency range, are around 15 years, for 45nm it can be reduced to about 10 years, and down to less than five years for consumer grade quality below 28 nm).

This becomes insufficient for their use in Embedded Aircraft Systems for which the required reliability figures would be more of the order of 15 years. For other reasons (procurement costs, components obsolescence and newly required functions), Embedded Aircraft Systems renewal for on-board typical commercial aircraft is of the order of every 10 years, which would make 90, 45, 32 nm technology still compatible with such designs, analysis in progress for 28 nm.

RGL n°29
We recommend, for multi-core processor selection, that selection criteria should include Intrinsic Reliability data delivered by the component manufacturer.

9.7.2.2. Single Event Effects

Sensitivity to atmospheric radiation such as Single Event Upsets (SEUs) and Multiple Bit Upsets (MBUs) is a serious concern for embedded Airborne Software. Experience has shown that for 90nm or 45 nm technologies, no significant degradation is observed. Component manufacturers are currently testing down to 28 nm technology. First results are expected during year 2013. Error Correcting Codes (ECC) have been implemented in the design made with Single-core microprocessors, including relying upon ECC internal to the COTS device. Some COTS multi-core processors now feature ECC mechanisms inside.

However, it is anticipated that access to information from manufacturers on internal memory architecture with or without ECC capabilities will be only possible via Non-Disclosure Agreements (NDA). More data seems to be available on electro-migration effects on the useful life duration.

RGL n°30
We recommend, for multi-core processor selection, that selection criteria should include SEE analysis (manufacturer presents SEE under SER[33] wording) delivered by the component manufacturer.

[33] SER : Software Error Rate

Page 120: Untitled - EASA

9.8. METHOD AND TOOLS

This chapter deals with task 9

9.8.1. Summary of task 9

Identify which methods and tools would be suitable and / or necessary in order to conduct ED-12B / DO-178B verification of the Airborne Software hosted on multi-core processors. The study shall determine (if possible) whether the WCET of tasks could be measured or analyzed for each type of processor hardware / software architecture and identify any aspects of particular processor groups that might either facilitate that measurement or make it more difficult.

9.8.2. Methods and tools analysis

Most of the verification methods and tools already used to perform software verification activities required by the ED-12B/DO-178B industry standard for certification are also usable for software running on multi-core processors. This remains particularly true when Airborne Software runtime partitions are properly controlled under an Operating System environment, and when the multi-core processor features are themselves under control of a Hypervisor, which is identified as of central importance in the approach to mastering complexity of multi-core processors.

Methods supported by tools that are useful for instrumentation and testing of Airborne Software running on COTS Multi-Core processors include:

• WCET tool based on worst case execution path,
• Miscellaneous trace, monitoring or reporting tools,
• Processor driver (e.g. Hypervisor) seen as a tool,
• Usage Domain Verification /early Validation tool,
• Test means, test scripts, dummy Airborne Software,
• Miscellaneous Debugging and Measuring tools.

As already addressed in this report, the feature of WCET analysis of Software running on multi-core processors is more difficult to achieve when execution time variability is increased due to such a technology.

A 10 to 20 time increase in the WCET variability has been reported by some studies. In that situation, the measured WCET, even complemented by analysis and corrected using safety margins, may no longer provide significant useful and reliable information on the actual WCET to be claimed as part of certification.

The problem of WCET calculus is extremely complex to resolve exactly. WCET estimation methods will determine approximations of the real WCET. When considering a WCET calculus method for highly

Page 121: Untitled - EASA

critical Airborne Software, we must have the insurance that the method is pessimistic, that means it will always provide an upper bound of the real WCET.

WCET measurement methodologies can be divided in two categories (see (Wilhelm, et al., 2008) for more details):

- Based on static analyses.
- Based on measurements under a worst case scenario.

The WCET calculus based on static analyses relies on a model of the processor to determine the worst case path in the Airborne Software Control Flow Graph within a Path Enumeration. The processor model has to contain information that describe the processor behavior so that the CFG³⁴ can be accurately determined, and timing information for various operations (processor services and eventual Operating System calls) so that the CFG can be annotated with timing weights. Care has to be taken when using those timing annotations. Indeed, optimizations mechanisms such as pipelines that are present inside the cores will significantly decrease the real execution time while the estimated WCET won’t. Moreover, a WCET analysis contains in particular a cache content analysis that may be difficult to fulfill (refer to (Hardy, Analyse pire cas pour processeur multi-coeurs disposant de caches partagés, 2010) for more details).

Today, this kind of methods is applied on simple architectures such as microcontrollers and academic processors. To the best of our knowledge, no complex multicore COTS are supported yet. We can identify the following tools that implement such methods:

- OTAWA: This open-source tool is developed at laboratory IRIT located at Toulouse, France. It has a large support for ARM, PowerPC and INTEL® processors. It implements several algorithms for pipeline behavior prediction, cache content prediction...
- aIT: This is a proprietary tool developed by AbsInt Angewandte Informatik in Germany
- Bound-T: This is a proprietary tool that is maintained by Tidorum in Finland. It is involved in European Space Agency programs.

The WCET calculus methods based on measures performed under Worst Case Scenario are usually optimistic methods. That means they estimate a WCET with some level of confidence, but do not guarantee that it is an upper bound. Yet such a method can be further corrected to provide pessimistic bounds on the WCET. It requires the determination of a Worst Case Scenario of input parameters for the tested Airborne Software.

However, this Worst Case Scenario may be difficult to determine accurately. Indeed, it would require itself timing information on the processor services. Moreover, Worst Case Scenario definition has to take into account all possible states for the processor (but corrections may be done to simplify this step). However, this family of methods saves the human and technical cost of defining an accurate model of the platform. Today, it is more widely used in the industry. We identified the following tools:

- RapiTime: This proprietary tool is based on a hand definition of the worst case scenario, with automated assist for program analysis. It provides a framework under which a code coverage analysis can be done so that the Worst Case Scenario can be ensured. Finally, it determines the key points of the program that may kill the WCET for further code optimizations.

³⁴ CFG : Control Flow Graph

Page 122: Untitled - EASA

Processing a WCET on a multicore processor introduces additional issues that are linked to:

- The impact of concurrent accesses to the interconnect. Here, considering that each interconnect access will occur in the worst case situation may lead to an over approximation of the real WCET. We refer here to the RGL n°9
- The impact of concurrent accesses to the main memory that can be interleaved in an inefficient way. We refer to the RGL n°21.

In the case of IMA, we consider that in the case of incremental certification, the platform provider does not have any visibility into the embedded Airborne Software, and the system integrator cannot suppose it has visibility. Thus the WCET analysis method must be applied to all Airborne Software applications independently.

Page 123: Untitled - EASA

9.9. EASA GUIDELINE FOR MULTI-CORE PLATFORMS

This chapter deals with task 6

9.9.1. Summary of task 6

Identify any cases in which a non-favorable characteristic might be made compliant if a modification or addition was made to the current EASA guidance material, while still providing robust partitioning between tasks and deterministic behavior. If there are such cases, the suggested modification to the EASA guidance material shall be identified and why this might be desirable. (Modifications to EUROCAE RTCA documents should not be suggested because their modification is not within the power of EASA alone, although any points within those documents that cause compliance problems for multi-core processors shall be identified in the study.)

9.9.2. Proposed Guideline

ED-80/DO-254 currently addresses design assurance for COTS as being part the overall hardware design, verification and related processes. Guidance identifies electronic component management, component procurement data, and service experience; as candidates to substantiate assurance for COTS (refer to ED-80/DO-254 §11.2 &11.3).

EASA CM SWCEH-001 iss.1 rev. 1 section 9 provides guidelines on activities to be performed depending on the complexity and criticality of the highly complex COTS. These activities extend from assessment of hardware item related data, to architecture, partitioning and system safety aspects, through considerations on integration with hardware and software, configuration management and service experience. Alternative methods are also open without detailed directions, and providing justification is presented to authorities for agreement.

There are a few other features with complex COTS that are also valid for COTS multi-core processors:

- Very low probability to obtain ED-80/DO-254-compliant or usable life-cycle data,
- Extensive verification and reverse engineering of COTS CEH are both impractical,
- Service experience may not be available or sufficient due to a fast-evolving technology,
- Highly configurable features via microcode or registers are adding to complexity,
- Reaction to environment (EMC, power supply, temperature, see) is difficult to predict,
- Availability of actual internal failure modes and failure rate is difficult to obtain, if any,
- Throughput performance, not easily predictable, may lead to some non-determinism,
- Imply strong interactions with software, hence require robust partitioning for protection,
- Usage limitations are difficult to determine completely (WCET, usage domain, WCMU),
- Suspicion of errors and misbehavior due to built-in complexity and lack of observability,
- Internal unused functions (e.g. For manufacturer’s test purposes) not known to the end-user,
- Configuration control and change management, except for errata, far from user’s control.

Page 124: Untitled - EASA

Though existing COTS guidance in ED-80/DO-254 and EASA CM SWCEH-001 can be used to build development assurance on COTS Multi-core processors, the novelty of such devices suggests a review of current guidance with a new spirit. And, based on potential new ideas or approaches, this could be used to give birth to modified or new guidance. An assessment of the currently available EASA guidance on COTS (EASA CM SWCEH-001 Iss. 1 Rev. 1) is provided in Appendix.

As a result of this assessment, the main characteristics of COTS multi-core processors that could raise some difficulties in showing compliance with certification requirements, hence that could be candidate for additional guidance are identified as follows:

- Closer cooperation is necessary with the device manufacturer, possibly including proprietary data to be provided under a Non-Disclosure Agreement (NDA). The current EASA guidance material has already addressed this issue with respect to Design Data and Configuration management (Items [3] and [9] of section 9 in SWCEH-001). However, this could be more specifically addressed in relationship with particular features of such devices (e.g.: behavior of the Interconnect cross-bar switch). In addition, the conditions for dealing with such NDAs between Industry and Authorities would require additional guidance, including for non-technical aspects of those agreements.

- The Definition, Validation and Verification of the Usage Domain (i.e. limitation in the usage of the COTS multi-core component characteristics and performance, particularly for the interconnect feature) is of central importance in the mastering of the device, hence for the showing of compliance with the development assurance objectives. The current EASA guidance material has already addressed this issue with respect to Usage Domain aspects (Items [4] and [5] of section 9 in SWCEH-001).

- COTS Multi-core processors require software drivers (so-called: Operating System, Kernel or Hyper-visor or micro-code) that are executed to the highest privilege level immediately on top of the COTS Multi-core hardware. Some drivers/hyper-visors are available upfront from the COTS manufacturer, though they may not contain all the required routines to cater with all aspects of compliance with the limitations identified and required mitigation of potential safety effects. Hence those considerations on software drivers should be provided, for example, the applicant should develop such software to the necessary Design Assurance Level (DAL) per ED-12B/C-DO-178B/C. In addition, validation of software driver/hyper-visor requirements should be performed consistent with the Usage Domain definition

Page 125: Untitled - EASA

10. OUTREACH

"This report could be used first-of-all for what it was destined for in the first place, that is to help EASA complement its guidance with specific aspects related to COTS multicore processors.

In addition, we think that the reader could find some insight into both the understanding of main characteristics of such devices and into the significant features, which have safety impact when used in building safety-critical Embedded Aircraft Systems with such devices.

The proposed recommendations are mainly directed to platform providers and eventual system integrators. More generally, this report targets the whole avionic community (function suppliers, platform suppliers, OS providers, system integrators, certification authority) and the processor manufacturers who are interested in the avionic market. Collaboration between avionic component providers and processor manufacturers will have to be stronger to demonstrate the platform airworthiness (including RAMS) to the certification authority.

This report has been written on purpose to be readable with little background in digital Embedded Aircraft Systems. Thus it can be taken as a first glance at features regarding multi-core processors for an avionic usage at a high level of criticality.

This report aims to summarize the features that are common to all multi-core processors. Even if we provide illustrations on Freescale P2020, QorIQ™ P4080 and ARM CORTEX®-A15 MPCore™ as representative of a large family of processors, a deeper study would have to focus on one processor (or maybe one series) to take benefit of its specific characteristics.

Besides, the following suggestions or lessons learned could be addressed when applicable to other studies, if needed:

- On the technical content of the report: Though explanations are provided whenever necessary, such a report might require prerequisite knowledge from the reader prior to entering into the details of technical issues. However, reference to available literature is also provided in order to build that knowledge for a better understanding of the report.

- On the form of the study and report: Technical exchanges and reviews with EASA at dedicated monthly meetings were deemed fruitful and allowed Thales to both improve the content of the tasks performed and reorient the research effort towards the actual and detailed expectations of EASA. A workshop would have been even more useful.

- On the task implementation methodology: A lesson learned from such an organization for a similar project would be to limit the breakdown into tasks to less than a few (4 to 6 tasks) in order to avoid dispersion of issues over too many packages and to better fit with the expected achievement of such a study project within a limited amount of time.

Page 126: Untitled - EASA

11. CONCLUSIONS

11.1. CONCLUSIONS WITH RESPECT TO THE REDUCTION OF COMPLEXITY

The complexity of COTS, in particular Highly Complex COTS Multi-Core Processors has increased over the past few years, while the level of demonstration for design assurance should remain at least the same as- or better than for COTS without such increment in complexity.

However a COTS component remains a COTS component, i.e. it features proprietary data from the COTS manufacturer. Two approaches would be possible to cater for such a challenge:

- Access to additional data under agreements with the COTS manufacturer
- And/or mitigation of potential COTS faults or errors via System-level, Safety-oriented strategies, possibly combined with real-time surveillance and detection mechanisms embedded within the Processor Drivers (Hypervisor) and/or Operating System.

A reduction of the complexity and difficulties that arose from the use of Multi-Core processors while meeting required deterministic behavior and target levels of performance integrity has been proposed in some research.

In this report, Thales has put emphasis on specific Multi-Core features linked to Shared Resource Accesses like Memory, Bus, Network, Internal Registers, Clock Management, etc. These features are the differences between single-core and multi-core devices, so by managing these differences we can say that the constrained multi-core behavior is equivalent to that of multiple single-core ones.

The management can be:

- At Airborne Software Level
  o If Airborne Software behavior is well known and well managed, then by allocating Airborne Software applications to cores, we can demonstrate the non-interaction between cores. An example is that the allocation of a DAL-A software application to one core, lower DAL applications to other cores and programming of the arbiter to favor DAL-A software can offer determinism for this configuration

- At Hypervisor level
  o In this configuration, the Hypervisor is used to constrain the behavior of the interconnect. These constraints reduce the global performance of the multi-core processor but offer determinism and so the global behavior can be demonstrated.

Page 127: Untitled - EASA

11.2. MULTI-CORE PROCESSOR USAGE DOMAIN RELATED CONCLUSIONS

Definition, Validation and Verification of a Usage Domain (UD) for such highly complex COTS Multi-Core processors is required. This approach is already known and offered by existing certification guidance for Complex and Highly Complex COTS. One recommendation would be to distinguish between the UD rules related to segregation constraints (e.g. segregation between cores), from the UD rules related to local limitations (within a single core).

11.3. SIGNIFICANT FEATURES RELATED CONCLUSIONS

Refer to section 9.5.4 for a summary of mitigation means suggested for the various features of COTS Multi-cores that could potentially affect the use of COTS multi-cores as part of safety-critical computing platforms.

For the particular case of determining WCET, knowing the high variability of execution time, the following step by step approach can be recommended to ensure the temporal deterministic behavior of processors; such an approach is also valid for multi-core processors:

1) Characterization of execution time jitter of the operating system services,
2) Determination of the Worst case exec. Time (WCET) plus allowed margins,
3) Incorporated real-time monitoring of actual exec time versus allowed WCET,
4) Collect data for assessment of the processor + Airborne Software operating behavior,
5) Depending on the above assessment, establish additional rules or limitations,
6) Apply necessary modifications.

11.4. CONCLUSIONS ON ROBUST PARTITIONING

Mitigation to cater for the inherent complexity of multi-core processors via a functional robustness at Airborne Software level is possible whenever the developer has allowed access to and detailed knowledge of the computing platform.

For example, defensive programming techniques can be used to compensate for potential misbehaviors. This possibility is not accessible for multi-Airborne Software execution platforms where Airborne Software developers have only access to an allocated portion of the platform with strict rules and requirements to meet in order to allow adequate operation of the whole integrated system.

Multi-software architectures are now common, hence robust partitioning of Airborne Software must then be ensured. For example an essential feature is the execution time variations due to jittering on partition switching that should be minimized to allow time-deterministic behavior. Indeed, guidance is that temporal determinism shall be ensured knowing given criteria. For example, such criteria can be: Total execution time lower than any known Maximum value, and/or Execution Time variations lower than a bounded low value.

Page 128: Untitled - EASA

11.5. CONCLUSIONS ON SUGGESTED MODIFICATION TO EASA GUIDANCE

11.5.1. Routes to compliance

Besides EASA CM SWCEH-001 guidance that can be used, and possibly improved and simplified (refer to Appendix A), different routes to reach compliance for COTS Multi-Core could be suggested.

Collecting data from the component supplier, starting from Electronic Component Management Report (ECMR) complemented by a questionnaire approach already being put in practice seems a good approach towards this end.

Demonstration of component capabilities ‘Deterministic behavior, Partitioning assurance and Usage limitations) versus Certification objectives (intended function, safety aspects and foreseeable conditions).

Considerations on the immediately surrounding software layer, i.e. the Hyper-visor, whose specification ensures the robustness of the use of the device and providing access to the internal resources.

The route to compliance or a combination of routes selected by the developer are some of the key-aspects in providing design assurance for COTS Multi-core as part of a certification process. Such technical decisions impacting the development and certification processes should be presented as early as possible to Authorities (e.g. during familiarization meetings)

11.5.2. Advanced guidance

System safety approach based on interpretation and deployment of ED-80/DO-254 Appendix B on advance verification methods could be applied to COTS Multi-Core processors,

Simulated Service History based on extensive testing in lab is an approach that is already offered by EASA CM SWCEH-001 section 9 on COTS, but would deserve more elaboration in terms of method (deterministic or probabilistic), analyses (e.g. representativity and statistic) and acceptable outcomes.

Page 129: Untitled - EASA

12. RECOMMENDATIONS

The recommendations propose to allow the use of Commercial Off-The-Shelf Digital multi-core processors in aircraft / engine airborne systems that have safety implications for the aircraft.

In the current EASA Certification Specifications (CS), there are no specific requirements for the certification aspects of COTS multi-core processors. The EASA AEH Certification Memorandum SWCEH-001 specifies activities for COTS processors and includes one paragraph on multi-core processors in section 9.3.3.

The purpose of this Section is to define specific guidance for certification aspects associated with the use of COTS multi-core processors in airborne systems.

12.1. PURPOSE

The following recommendations have been expressed based on the current study as exposed in section 9, Results and outcome and 11, Conclusions of this report. Recommendations are written to the minimum expression achievable in order to capture only the essential flavor that arose from the considerations given here above.

RGL n°31
The design of the computing platform embedding COTS Multi-core processors should incorporate software routines or hardware mechanisms able to handle or mitigate the potential effects of significant features of the COTS such as:

1) variability of execution time,
2) Services and/or transactions conflicts,
3) Core interconnect switch,
4) Cache architecture structure,
5) Shared services,
6) Inter-core interrupts,
7) Access to peripherals,
8) Programming languages.

Rationale: From task 5 and sections 9.3 and 11 of this report.

Page 130: Untitled - EASA

RGL n°32
The routes to compliance with certification requirements selected as part of the certification process of hardware design incorporating COTS Multi-core processors should be presented as early as possible to Authorities (e.g. during familiarization meetings), showing that the device complexity is mastered, possibly using the hereby provided recommendations.

Rationale: From task 6 and sections 9.4 and 11 of this report

RGL n°33
Existing guidance on COTS (Complex to Highly-Complex), possibly amended using the conclusions of this report, including for suggested simplifications, could be used as part of the certification process of COTS multi-core processors.

Rationale: From task 6 and sections 9.4 and appendix 14.1 of this report

Page 131: Untitled - EASA

12.2. PROCESSOR SELECTION GUIDE

- We recommend to use selection criteria guide for processor selection (recalled below)
  o The manufacturer’s will to cope with the certification process, corresponding communications and press releases,
  o The openness of the architectures proposed by the manufacturer, the existing and available documentation (public or under NDA)
  o The ability and will to provide descriptive, qualitative and qualitative data able to support safety analyses performed on the different platforms.
  o The ability to produce and maintain the components over time compatible with avionics needs and to provide assistance to obsolescence in a cooperative manner.
  o The economic situation and the lifespan of the manufacturer
  o The manufacturer’s platforms are supported by several existing Hypervisor and OS
  o For multi-core processor selection, selection criteria must include Intrinsic Reliability data delivered by the component manufacturer
  o Selection criteria must include SEE analysis (SER in processor manufacturer wording) analysis delivered by the component manufacturer

- We recommend to follow the component selection criteria define below:

Interconnect features

Criteria:
- Information on the interconnect behavior is available
- Information on the interconnect design is available

Sub-criteria:
- The interconnect protocol is documented
- The interconnect protocol implementation allows transactions reordering
- It is possible to identify from an assembly code all transactions sent on the interconnect
- Arbitration rules description is available
- Routing and device allocation rules description is available
- All information on interconnects features configuration is available
- There is a configuration that cannot be changed dynamically and silently
- The interconnect topology is documented
- The arbiter is centralized or distributed
- The manufacturer has stated that the interconnect embeds no hidden mechanisms
- The interconnect has internal waiting queues and contention

Page 132: Untitled - EASA

mechanisms

Integrity

Criteria:
- Information on the interconnect integrity is available

Sub-criteria:
- The interconnect protocol is transactions lossless
- The interconnect embeds transaction corruption detection mechanisms, such as parity or ECC for eventual internal storage
- In case of internal failure, the interconnect can propagates an error to the concerned core and/or an external monitor

WCET

Criteria:
- Information on the interconnect worst case behavior is available
- Transaction service timing variability can be measured

Sub-criteria:
- The timing variability of a transaction service can be bounded without taking into account conflicts situations
- The timing variability of a transaction service can be bounded taking into account specific conflicts situations
- The platform embeds hardware assist for measuring in each core the time variability of transactions service
- The platform embeds internal monitoring mechanisms that can observe conflicts inside the interconnect
- The processor manufacturer is able to confirm observations on worst case timing variability for transaction service under Interconnect Usage Domain restrictions.

Shared Cache features

Criteria:
- Information on the cache behaviour is available
- Restrictive cache configurations are available
- Cache disabling is possible

Sub-criteria:
- The available replacement policies are documented
- There exist a cache prediction algorithm that supports at least one replacement policy
- The cache can serve multiple transactions in parallel
- The cache can be partitioned per set and/or per way
- The cache can be configured partially or totally as a SRAM
- It is possible to disable the shared cache

Cache Coherency Features

Criteria:
- Information on the cache coherency management is available
- Information on the cache coherency impact on timing analyses is available

Sub-criteria:
- Cache coherency mechanisms may be disabled
- Cache coherency traffic may be partitioned inside a subset of nodes on the platform
- It is possible to provide acceptable bounds for the impact of cache coherency traffic on core transactions in private caches
- It is possible to provide acceptable bounds for the impact of cache coherency traffic on transactions service in the interconnect

Shared Services Features

Page 133: Untitled - EASA

It is possible to restrict shared services configuration to a high privilege level
Accesses to the shared interrupt controller, PLL, shared watchdog, power sources... can be restricted to the supervisor/hypervisor without impacting accesses to other peripherals

Inter-core interrupts emission can be controlled
One core cannot reset another core at user privilege level
Inter-core interrupts generation can be restricted to a supervisor or a hypervisor

Memory mapping can be protected against non-coherent configurations
There is a centralized service of memory protection unit

Memory mapping allows I/O per I/O isolation
All I/O may be accessed in different pages so that I/O management can be partitioned by the MMU

RGL n°29
We recommend, for multi-core processor selection, that selection criteria should include Intrinsic Reliability data delivered by the component manufacturer.

RGL n°30
We recommend, for multi-core processor selection, that selection criteria should include SEE analysis (SER35 using processor manufacturer wording) delivered by the component manufacturer.

35 SER : Software Error Rate

Page 134: Untitled - EASA

12.3. USAGE DOMAIN

This section introduces how and why determining the usage domain of each multi-core processor, and the recommendations associated to the Interconnect usage Domain. This Usage Domain is required to manage the behavior of the interconnect of the multi-core processor.

RGL n°1
When an Hypervisor is required to manage the behavior of the interconnect, the development of such a Hypervisor shall fulfill ED-12/DO-178 (B or C) requirements at the corresponding Design Assurance Level, at least the most stringent Airborne Software

RGL n°2
To be able to manage the behavior of the multi-core processor, for each device, an Interconnect Usage Domain should be defined by the Airborne Embedded System provider and validated with the processor manufacturer

RGL n°3
The Airborne Embedded System provider should implement control mechanisms (Hardware and/or Software) on interconnect accesses in order to comply with the Interconnect Usage Domain.

RGL n°4
Transactions reordering increases the difficulty to characterize the interconnect protocol, we recommend to disable interconnect reordering mechanisms to ensure a better assurance in the transaction management.

RGL n°5
For Safety, we recommend to use the interconnect in a stable configuration under the Interconnect Usage Domain restrictions that means the Airborne Embedded System provider should obtain from processor manufacturer assurances that the interconnect configuration cannot be changed dynamically and silently.

RGL n°7
We recommend that the Interconnect Usage Domain determination should contain an Interconnect Integrity Analysis performed under Airborne Embedded System Provider responsibility with the assistance of Processor Manufacturer.

RGL n°8
We recommend that the Interconnect Usage Domain determination should contain analysis regarding the interconnect protocol that shall provide lossless transactions.

Page 135: Untitled - EASA

RGL n°9
The Interconnect Usage Domain definition should limit the number and the complexity of inter-core conflict situations in order to give tighter bounds for their impact on the timing variability of transaction services.

RGL n°10
The Interconnect Usage Domain definition should prevent all occurrences of undesirable conflicts by taking into account pessimistic timing hypothesis when it is not possible to determine bounds on the timing variability on transaction services.

RGL n°11
We recommend that observations and tests performed by the Airborne Embedded System Provider on timing variability on transactions services should be validated by the processor manufacturer according to the Interconnect Usage Domain hypothesis.

12.4. CACHE COHERENCY

RGL n°12
We recommend that robust partitioning for shared cache should be enforced by defining hardware configuration for cache partitioning mechanisms or should be enforced by software management (hypervisor for example) if shared cache is configured as SRAM when partitioned Operating System is deployed simultaneously on different cores and use shared cache.

RGL n°13
We recommend, preventing undesirable behavior, disabling cache coherency mechanism when partitioned Operating Systems is deployed on each core with no shared memory between cores.

RGL n°14
We recommend, when cache coherency is enable, bounding the timing variability when core access to its private cache - finding upper bounds on cache coherency traffic impact -.

RGL n°15
We recommend confining cache coherency traffic between the concerned cores and peripherals that require it for the correct execution of embedded software.

RGL n°25
We recommend that multitasked Airborne Software design should minimize the use of cache coherency mechanisms in order to be compliant with the Interconnect Usage Domain.

Page 136: Untitled - EASA

12.5. OPERATING SYSTEM & TASKS ALLOCATIONS

RGL n°6
To avoid contention between cores, and between cores and shared resources, we recommend to use centralized managed arbitration when the interconnect is not a full crossbar.

RGL n°18
We recommend, in multi-core configurations, not to authorize one core, under USER privilege level, to be able to reset another core. Only Hypervisor or Supervisor (if hypervisor doesn’t exist) have the authorization to perform this reset.

RGL n°23
We recommend the use of partitioned scheduling algorithms and static allocation of tasks to cores that will be decided at Design Time and forbidden at Run Time.

RGL n°24
We recommend, when Airborne Software is a multitasked one that critical sections should be explicitly protected by semaphores in case of cooperative programming.

RGL n°26
We recommend, if SMP mode is selected by the platform provider for the Operating System that processes, threads or tasks are statically allocated to cores to achieve determinism and repeatability.

RGL n°27
We recommend, if the Avionics Software Behavior is not known by the platform supplier and AMP mode for the Operating System is selected, the use of a Hypervisor to master the behavior of the Interconnect Usage Domain.

12.6. SHARED SERVICES

RGL n°16
We recommend restricting to hypervisor or supervisor (when hypervisor doesn’t exist) level the configuration of shared services. Multiple instances of privileged software running on each core should rely on a single static configuration that is determined at design time.

RGL n°17
We recommend that implementation of semaphores should take in account potential deadlocks due to shared reservation stations.

Page 137: Untitled - EASA

12.7. CORES

RGL n°19
We recommend that:
1 The use of inter-core interrupts should be restricted to supervisor or hypervisor.
2 The conditions that rule the use of inter-core interrupts should be documented.
3 The Airborne Embedded System provider should provide evidence that all instances of privileged software deployed on each cores comply with these rules.

RGL n°20
We recommend that the configuration of MMUs should be performed only at the Hypervisor or Supervisor level – when the Hypervisor does not exist – in order to prove that spatial isolation enforcement relies on a single configuration for the whole platform.

12.8. PERIPHERALS

RGL n°21
We recommend that the Interconnect Usage Domain should specify atomic access patterns to the main memory to provide tighter bounds on timing variability of memory transactions, We recommend that Worst Case Response Time should be determined for these patterns and Memory transactions should be encapsulated inside them.

RGL n°22
We recommend that accesses to shared I/O dealing with configuration should be restricted to the Hypervisor or Supervisor level – if the Hypervisor level does not exists – access patterns to these I/O should be documented in the Interconnect Usage Domain.

12.9. FAILURE MITIGATION

RGL n°28
We recommend, for mitigation means, that the Interconnect Usage Domain should be defined to act as a fault container between cores.

Page 138: Untitled - EASA


Page 140: Untitled - EASA

14. APPENDIXES

14.1. REVIEW OF EXISTING EASA GUIDANCE IN EASA CM SWCEH-001 ISS. 1 REV. 1

EASA CM SWCEH-001 section 9 is listing items [1] to [16] requesting activities documented depending on DAL and Complexity. Those items are recollected and a summary is provided in table below. Comments and suggestions are raised along with this recollection. Multi-core aspects already addressed in EASA CM SWCEH-001 section 9 are also collected.

In addition, COTS Graphical Processors (CGP’s) are considered highly complex devices with embedded multi-processing capabilities. So it was interesting to look at the associated guidance for CGP’s, compared with the one available for COTS. CGP’s are addressed by EASA CM SWCEH-001 section 10 but with a different approach from other COTS.

14.1.1. Review of EASA CM SWCEH-001

Review of Section 9 on COTS and section 10 on CGP’s is illustrated in the table below:

Item [1]
Summary: Classification (with respect to criticality, e.g. DAL and with respect to complexity, e.g.: Simple, Complex and Highly-Complex)
Multi-Core: Multi-core are “automatically” classified as Highly Complex.
Comments & Suggestions: Identification of novelty of the technology or of the device itself should be added as part of this item for an overall assessment. In addition, a distinction should be made between assessment of the device, based on a descriptive approach; followed by classification as Simple/Complex/Highly-Complex, then by the selection of the route to compliance (i.e. what are the activities recommended to be performed?)
CGP: Refer to SWCEH-001 section 10.1. : CGP’s are known to “use multiple embedded micro-processors that run asynchronously”. CGP’s are ”viewed as: “devices of high complexity”

Item [2]
Summary: Device data (user’s manual, datasheet, errata sheets and user’s manual errata sheets, and installation manual)
Multi-Core: Multi-core to meet same objectives as for COTS CEH.
Comments & Suggestions: Data must be collected in the same manner as for any other COTS CEH. COTS Multi-Core does not imply new features with respect to data to be collected.
CGP: Refer to SWCEH-001 section 10.3 Item e. Continued Monitoring of Supplier Data.

Page 141: Untitled - EASA

Item [3]
Summary: Design data (when available or when not available)
Multi-Core: Multi-core design data may not be available due to strong proprietary restrictions.
Comments & Suggestions: Electronic Component Management Data should include design data, if available. Part of the route to compliance should include data collection such as evidence per ED-80/DO-254 section 11.2.1 (1 to 7) possibly complemented as necessary, incl. for highly complex Multi-core processors. As already allowed per ED-80/DO-254 section 11.3, Service Experience can be a means to substantiate assurance.
CGP: Refer to SWCEH-001 section 10.2 Items 1 Electronic Component Management.

Item [4]
Summary: Usage Domain (Definition and Verification)
Multi-Core: Multi-core Usage Domain Definition may contain more specific features.
Comments & Suggestions: Distinguish between assessment of the device use characteristics and identification of the limitations, then verification of the implementation within those limits.
CGP: Refer to SWCEH-001 section 10.3 Item f. Unintended Functionality

Item [5]
Summary: Usage Domain (Validation)
Multi-Core: Multi-core Usage Domain V. and V. may imply more specific activities.
Comments & Suggestions: Distinguish between Validation of the Usage Domain (UD) & Verification of the device versus its UD. Validation of UD is whenever the capabilities of the device meet Intended Functions; ensure Safety Objectives within Foreseeable Conditions. Distinguish also between assessment of multi-core functional characteristics that could then be grouped with item [1] as descriptive criteria of the device; and the assessment of impact of those various features on other domains (Software, System, Safety, Interfaces, Perfos, etc.)
CGP: Same as above. Note that the approach to CGP’s is just the other way around: Unintended Functionality versus Usage Domain as the “Intended Functionalities”

Item [6]
Summary: Errata sheets (Capture and Control)
Multi-Core: Multi-core to meet same objectives as for COTS CEH.
Comments & Suggestions: This item might be grouped with item [2] Device data, as it is also required for all COTS except for DAL C Simple COTS.
CGP: Refer to SWCEH-001 section 10.3 Item e. Continued Monitoring of Supplier Data.

Page 142: Untitled - EASA

Item [7]
Summary: Errata sheets (Assessment)
Multi-Core: Same as above
Comments & Suggestions: No specific feature with COTS Multi-Core.
CGP: Same as above.

Item [8]
Summary: Experience gained (Errata workarounds)
Multi-Core: Same as above
Comments & Suggestions: This item might be grouped with item [13] as part of Service Experience data. The most important feature is that Errata Workarounds should be documented.
CGP: Not specifically addressed for CGP’s.

Item [9]
Summary: Configuration Management
Multi-Core: Same as above
Comments & Suggestions: This implies close cooperation with the device manufacturer, possibly including proprietary data to be provided under a Non-Disclosure Agreement (NDA).
CGP: Refer to SWCEH-001 section 10.3 Item e. Continued Monitoring of Supplier Data.

Item [10]
Summary: Change Impact Analysis
Multi-Core: Same as above
Comments & Suggestions: Same as above, and: Relationship with item [12] Safety should be established as the impact on safety must be considered.
CGP: Same as above. See also SWCEH-001 section 10.3 Item c Variations during Production Life..

Item [11]
Summary: Validation & Verification
Multi-Core: Same as above
Comments & Suggestions: Reference to ED-79A/ARP-4754A suggests a system-level V & V activities. Reference to V & V per ED-80/DO-254 § 6 guidance should be sufficient, except if assurance can be obtained from overall (e.g.: system-level) V & V activities. Multi-Core processors are generally driven via software such as hyper-visors at the interface with the Operating System. Hence consideration on those divers should be provided.
CGP: Not specifically addressed for CGP, except consideration on Software Drivers. Refer to SWCEH-001 section 10.3 Item g.

Page 143: Untitled - EASA

Item [12]
Summary: Safety Analysis (Failure modes, failure rates and functional failures, etc.)
Multi-Core: Multi-core Failure Analysis may not be achievable.
Comments & Suggestions: Same as for COTS CEH in general, an FMEA cannot be performed, at least in a similar way as for PLD. The FFPA per ED-80/DO-254, as a more qualitative approach, should be the preferred method. Additional research might be necessary to determine which failure analysis method would be more suited for Multi-Core.
CGP: Refer to SWCEH-001 section 10.3 Item b. Failures due to Common Failure Mode and item h Failure Rate; and item d Configurable Devices.

Item [13]
Summary: Service Experience (identification of PSE)
Multi-Core: Multi-core to meet same objectives as for COTS CEH.
Comments & Suggestions: It is important to note that hours of Board/LRU/System, i.e. Lab testing can be accounted for as Service Experience. Simulated operating hours could then be an approach to generate ISE-like data.
CGP: Refer to SWCEH-001 section 10.2 Item 3. Product Service Experience.

Item [14]
Summary: Service Experience (validity of PSE)
Multi-Core: Same as above
Comments & Suggestions: Same as above.
CGP: Same as above

Item [15]
Summary: Architectural Mitigation
Multi-Core: Multi-core are truly involved in architectures.
Comments & Suggestions: Analysis of Common Causes of failure or errors as part of the Common Mode Analysis is a classical activity of the overall System Safety Analysis. The software layer (e.g. : Hyper-visor) embedded on the Multi-Core must be considered in the architecture mitigation.
CGP: Refer to SWCEH-001 Section 10.3 Item a Hazardously Misleading Information.

Item [16]
Summary: Partitioning features
Multi-Core: Multi-core are truly involved in S/W partitioning.
Comments & Suggestions: This item might be grouped with item [12] Safety Analysis. Analysis of robust partitioning is one of the main method to show that device capabilities adequately support safety analysis. Note that robust partitioning should include both time, memory and Input/output partitioning
CGP: Not really applicable to CGP at the moment.

Page 144: Untitled - EASA

14.1.2. Multi-Core aspects already available in EASA CM SWCEH-001 Iss. 1 Rev. 1

Extract from item [1]:
If a COTS microcontroller has any of the following characteristics, it should be classified as Highly Complex:
More than one Central Processing Unit (CPU) are embedded and they use the same bus (which

Extract from item [3]:
In case of a highly complex COTS microcontroller, if the component manufacturer’s public data and training support are not sufficient to address the aspects above, then access to the component manufacturer’s private data should be requested and established.

Extract from item [5]:
In the case of multi-core processor usage, an assessment of all specific multi-core functionalities or usual CPU functionalities using the multi-core design should be performed. This assessment may include but is not limited to: multi-processing strategy, simultaneous multi-threading, parallel internal bus management and determinism, Very Long Instruction Word (VLIW), Single Instruction Multiple Data (SIMD), Vector processing, internal memory/cache management, software impact on the Operating System and associated middleware, partitioning impact, usage domain impact, external Databus impact, timing requirement impact, safety requirement impact, and impact on the WCET strategy.

14.1.3. Structuring activities

A tentative grouping of EASA CM SWCEH-001 section 9 activities under the various items [1] to [16] into an allocation of guidance to Hardware, Software, System and Safety and to other transverse domains is analysed as follows, together with compliance of Multi-core:

Domain: System
Reference to SWCEH-001 Section 9 Items: [5] Usage Domain (Validity), [10] Change Impact Analysis, [15] Architecture, [16] Partitioning
Multi-Core: Must comply including for item [16] Partitioning. Refer to notes below table.
Comments & Suggestions: [11] Validation & Verification is referring to ED-79(A)/ARP-4754(A), which is typically the industry standard reserved for System activities. Suggestion is to make the difference between Hardware V & V per ED-80/DO-254 and System V & V per ED-79A/ARP-4754A.

Domain: Safety
Reference to SWCEH-001 Section 9 Items: [1] Allocation of DAL, [5] Usage Domain (Validity), [12] Safety Analysis
Multi-Core: Refer to notes below table.
Comments & Suggestions: Item [10] Change Impact Analysis might also be listed with the Safety domain as it is essential to assess safety impact of the change.

Page 145: Untitled - EASA

[15] Architecture
[16] Partitioning

Domain: Software
Reference to SWCEH-001 Section 9 Items: [8] Errata workaround, [10] Change Impact Analysis, [15] Architecture, [16] Partitioning
Multi-Core: Must comply in particular considering hyper-visor. Refer to notes below table.
Comments & Suggestions: The “hyper-visor” software driver would have a fundamental involvement in relationship to those activities: [8], [10], [15] and [16].

Domain: Hardware
Reference to SWCEH-001 Section 9 Items: [1] Description for Classification, [2] Device data, [3] Design data, [4] Usage Domain (Definition), [6] Errata sheets (capture), [7] Errata sheets (Assessment), [8] Errata workaround, [10] Change Impact Analysis, [13] Service Experience (identify.), [14] Service Experience (validity)
Multi-Core: Must comply as COTS Multi-Core is basically HW. Refer to notes below table.
Comments & Suggestions: [11] Validation & Verification could be added with respect to ED-80/DO-254 V & V. [3] Design data is rarely available to the level of detail that become useful to build H/W design assurance. Note that some firmware may be embedded in that H/W. However it is still seen as H/W from the outside.

Domain: C/M
Reference to SWCEH-001 Section 9 Items: [9] Configuration Management, [10] Change Impact Analysis
Multi-Core: Must comply. Refer to notes below table.
Comments & Suggestions: None.

Domain: Q/A
Reference to SWCEH-001 Section 9 Items: [3] Design data
Multi-Core: Must comply. Refer to notes below table.
Comments & Suggestions: See comments made above with respect to Hardware.

Domain: V&V
Reference to SWCEH-001 Section 9 Items: [11] Validation & Verification
Multi-Core: Must comply
Comments & Suggestions: See comments made above with respect to V&V at system and hardware levels.

Page 146: Untitled - EASA

Notes :
[1] Encompass Allocation of DAL related to Safety and Classification based on a Description of the device.
[3] Design data is listed in both Hardware and Quality Assurance, whose combination is useful, particularly when actual life-cycle design data is not available.
[5] Usage Domain (Validity) is listed in both System and Safety domains as Usage Domain validation is the main feature to be substantiated by those two domains.
[8] Errata workaround is listed in both Hardware and Software without any doubt.
[10] Change Impact Analysis is associated with Configuration management and is listed in both System and Software in addition to Hardware. It could also be listed in the Safety domain.
[15] Architecture and [16] Partitioning are listed in System, Safety and Software domains, i.e. outside the sole Hardware domain.

Page 147: Untitled - EASA

14.2. EXAMPLE OF PROCESSOR CLASSIFICATION

In regard to the multi-core processors criteria, we propose to establish a classification of the three first architectures that is Freescale, ARM and Texas plus the Altera Cyclone V:

QorIQ™ – P4080 – Freescale
CORTEX® A15 MPCore™ – ARM
TMS320C6678™ – Texas Instruments
Altera – Cyclone V

Table columns: ID | Criteria | Freescale – QorIQ™ P4080 | ARM – CORTEX® A15 MPCore™ | TI – TMS320C6678™ | Altera – Cyclone V
Labels above the processor columns: SADM | UMA

ID | Criteria

Interconnect features
1 | ARBITRATION RULES DOCUMENTATION IS AVAILABLE
2 | THE ARBITER IS CENTRALIZED

Cell values by processor column, in row order:

Freescale – QorIQ™ P4080: No | Partially
ARM – CORTEX® A15 MPCore™: Partially. It is the case for peripheral accesses through Corelink™, but not inside the snoop control unit | N/A for the snoop control unit; No for Corelink™: an arbiter per peripheral
TI – TMS320C6678™: N/A | No: An arbiter per peripheral
Altera – Cyclone V: No for the snoop control unit. To be defined by the user for peripheral accesses | N/A

Page 148: Untitled - EASA

ID | Criteria

3 | THE ARBITER CAN SERVE SEVERAL TRANSACTIONS SIMULTANEOUSLY
4 | THE ARBITRATION POLICY IS CONFIGURABLE
5 | POSSIBLE CONFIGURATIONS FOR ARBITRATION POLICY (SUBSET OF)
6 | ARBITER INTERNAL LOGIC INFORMATION IS AVAILABLE
7 | DEVICE ALLOCATION RULES INFORMATION IS AVAILABLE
8 | DEVICE ALLOCATION IS CONFIGURABLE

Cell values by processor column, in row order:

Freescale – QorIQ™ P4080: Yes: up to 4 transactions per bus cycle | N/A | N/A | N/A | N/A | N/A
ARM – CORTEX® A15 MPCore™: Yes | SCU: N/A; Corelink™: Yes, static priorities are configurable | Fixed priorities with Least Recently Granted policy in the same priority domain | N/A | N/A | N/A
TI – TMS320C6678™: Yes | Yes: static priorities configurable for bus masters | Fixed priorities N/A in the same priority domain | N/A | N/A | N/A
Altera – Cyclone V: Yes | SCU: N/A | N/A | N/A

Page 149: Untitled - EASA

ID | Criteria

9 | POSSIBLE CONFIGURATIONS FOR DEVICE ALLOCATION (DEVICE PER DEVICE) (SUBSET OF)
10 | INFORMATION ON THE NETWORK TOPOLOGY IS AVAILABLE
11 | SEVERAL PATHS EXIST FROM ONE NODE TO ANOTHER
12 | INFORMATION ON THE ROUTING RULES IS AVAILABLE
13 | POSSIBLE CONFIGURATIONS FOR ROUTING RULES (SUBSET OF)

Cell values by processor column, in row order:

Freescale – QorIQ™ P4080: N/A | No | N/A | N/A | N/A
ARM – CORTEX® A15 MPCore™: N/A | SCU: N/A; Corelink™: crossbar | SCU: N/A; Corelink™: No
TI – TMS320C6678™: N/A | Yes, interconnect matrix available in the public documentation | No
Altera – Cyclone V: SCU: N/A | N/A
Across the ARM, TI and Altera columns: This criteria is irrelevant because there is always one single path between two nodes in the interconnect

Page 150: Untitled - EASA

ID | Criteria

14 | INFORMATION ON THE DIFFERENT KINDS OF TRANSACTIONS IS AVAILABLE
15 | INFORMATION ON THE RELATION BETWEEN ASSEMBLY INSTRUCTION EXECUTED AND TRANSACTIONS SENT AVAILABLE
16 | THE INTER-PROCESSORS INTERRUPTIONS CAN BE BLOCKED BY THE INTERCONNECT
17 | SNOOPING MECHANISM CAN BE DISABLED
18 | SNOOPING MECHANISM CAN BE CONFINED TO A SUBSET OF CORES

Cell values by processor column, in row order:

Freescale – QorIQ™ P4080: No | No | No | Yes | Yes
ARM – CORTEX® A15 MPCore™: SCU: No; Corelink™: Yes, they are described in the AMBA® ACE protocol specifications | N/A | N/A | Yes | No
TI – TMS320C6678™: No | No | N/A | N/A | N/A
Altera – Cyclone V: SCU: No | No | N/A | N/A | N/A

Page 151: Untitled - EASA

ID | Criteria

19 | THE INTERCONNECT PROVIDES A CORE SYNCHRONIZATION MECHANISM
Shared resources features
20 | ACCESS RESTRICTION TO THE INTERRUPT CONTROLLER FOR THE SUPERVISOR IS POSSIBLE
21 | EACH CORE HAS ITS PRIVATE CLOCK SOURCE OR PLL CIRCUIT
22 | THERE IS A SINGLE CLOCK FOR ALL CORES
23 | THERE IS A PROTECTION MECHANISM THAT PREVENT A PLL CONFIGURATION TO BE CORRUPTED AT RUNTIME

Cell values by processor column, in row order:

Freescale – QorIQ™ P4080: N/A | Yes, in the MMU configuration | No, there are three PLL to be mapped on eight cores. The clock source is shared | PLL are configured at startup, so they are protected at runtime
ARM – CORTEX® A15 MPCore™: N/A | Yes, in the MMU configuration | No, all cores share the same clock signal | Yes | N/A
TI – TMS320C6678™: N/A | N/A | N/A | N/A | N/A
Altera – Cyclone V: N/A | N/A | N/A | N/A

Page 152: Untitled - EASA

ID | Criteria

24 | THE MAPPING BETWEEN AVAILABLE PLL AND CORES IS CONFIGURABLE
25 | THE POWER SOURCE OF EACH CORE CAN BE PROTECTED FROM OTHER CORES CORRUPTION
26 | A CORE CAN BE HALTED BY OTHER CORES
27 | A CORE CAN BE SET IN SLEEP MODE BY OTHER CORES
28 | EACH CORE HAS A PRIVATE TIMER
29 | TIMERS CAN BE FED BY THE SAME CLOCK SOURCE
30 | TIMERS CAN BE FED BY AN EXTERNAL CLOCK SOURCE

Cell values by processor column, in row order:

Freescale – QorIQ™ P4080: Yes | N/A | N/A | N/A | Yes | Yes | Yes
ARM – CORTEX® A15 MPCore™: N/A | N/A | N/A | Yes, but located in the shared space | Yes | N/A
TI – TMS320C6678™: N/A | N/A | N/A | Yes, but located in the shared space | Yes | N/A
Altera – Cyclone V: N/A | N/A | N/A | No | Timers are provided within the FPGA fabric. Their mapping on the cores is user defined

Page 153: Untitled - EASA

ID | Criteria

31 | TIMERS CAN GENERATE INTERRUPTS
32 | TIMERS HAVE THEIR OWN CLOCK CIRCUIT
33 | IT IS POSSIBLE TO PERFORM A RESET ON ONE CORE
34 | A CORE CAN RESET ANOTHER CORE
35 | THERE IS ONE WATCHDOG TIMER PER CORE
36 | IT IS POSSIBLE TO RESTRICT A WATCHDOG CONFIGURATION TO ONE CORE
Shared cache features
37 | THE SHARED CACHE OR SCRATCHPAD HAS SEVERAL READ AND WRITE PORTS

Cell values by processor column, in row order:

Freescale – QorIQ™ P4080: Yes | N/A | Yes | Yes | Yes | N/A | Yes, four read ports and one write port
ARM – CORTEX® A15 MPCore™: Yes | N/A | Yes | N/A | N/A | N/A | Yes, the cache is decomposed in four tag banks that contain several data banks and can be accessed in parallel
TI – TMS320C6678™: Yes | N/A | Yes | N/A | Yes, but located in the shared space | N/A | N/A
Altera – Cyclone V: Timers are provided within the FPGA fabric. Their mapping on the cores is user defined | N/A | N/A | N/A | N/A | N/A

Page 154: Untitled - EASA

ID | Criteria

38 | IT IS POSSIBLE TO PARTITION A SHARED CACHE PER WAY
39 | IT IS POSSIBLE TO PARTITION A SHARED CACHE PER LINES
40 | IT IS POSSIBLE TO CONFIGURE A SHARED CACHE IN SRAM
41 | IT IS POSSIBLE FOR ONE CORE TO LOCK SOME OF ITS CONTENT IN THE CACHE
42 | IT IS POSSIBLE FOR ONE CORE TO LOCK SOME OF ANOTHER CORE’S CONTENT IN THE CACHE
Core features
43 | THE INSTRUCTION SET IS COMPLETE

Cell values by processor column, in row order:

Freescale – QorIQ™ P4080: Yes | No | Yes with configurable size for each (64K, 256K, 1M) cache | Yes, cache locking is possible line per line | N/A | N/A
ARM – CORTEX® A15 MPCore™: N/A | No | No, but the L2 memory systems can embed internal RAM | No | N/A | N/A
TI – TMS320C6678™: Irrelevant criteria | The Multicore Shared Memory (MSM) is already a shared SRAM | Irrelevant criteria | N/A
Altera – Cyclone V: N/A | N/A | N/A | N/A | N/A | N/A

Page 155: Untitled - EASA

ID | Criteria

44 | SEVERAL DIFFERENT INSTRUCTION SETS ARE SUPPORTED
45 | INSTRUCTIONS HAVE THE SAME LENGTH
46 | THE INSTRUCTION SET CAN BE EXTENDED (MICRO-INSTRUCTIONS CAN BE DEFINED)
47 | THE INSTRUCTION SET IS FULLY SUPPORTED
48 | THE INSTRUCTION SET SUPPORTS HYPERVISOR PRIVILEGE LEVEL
49 | INSTRUCTIONS CAN BE RESTRICTED TO SUPERVISOR OR HYPERVISOR PRIVILEGE LEVEL BY SW CONFIGURATION

Cell values by processor column, in row order:

Freescale – QorIQ™ P4080: No, only Power ISA™ v 2.06 supported | Yes | N/A | No, but the non supported features are documented. Aliases are also defined for some assembly instructions | Yes, hypervisor privilege obtained with a system call instruction | N/A
ARM – CORTEX® A15 MPCore™: Yes: ARM v7, THUMB™, JAZELLE™ ISA supported | No | Yes, this is possible through coprocessor instructions | N/A | Yes, the control coprocessor can provide hypervisor privilege | N/A
TI – TMS320C6678™: No, only TMS320C66x™ ISA is supported | N/A | N/A | Yes | No, only two privilege levels | N/A
Altera – Cyclone V: Yes: ARM v7, THUMB™ and JAZELLE™ ISA are supported | No | Yes, this is possible through coprocessor instructions | N/A | N/A | N/A

Page 156: Untitled - EASA

ID | Criteria

50 | THE INSTRUCTION UNIT CAN FETCH SEVERAL INSTRUCTIONS IN PARALLEL
51 | THE INSTRUCTION UNIT HAS A PRE-FETCH SERVICE DEPENDING ON A BRANCH UNIT
52 | THE PRE-FETCH IS LIMITED INSIDE A MEMORY PAGE
53 | THE BRANCH PREDICTION CAN BE DISABLED
54 | THE BRANCH PREDICTION POLICY IS CONFIGURABLE STATIC/DYNAMIC
55 | THE LSU REORDERS THE MEMORY AND IO TRANSACTIONS

Cell values by processor column, in row order:

Freescale – QorIQ™ P4080: Yes, up to four | Yes | N/A | Yes | Yes | Yes
ARM – CORTEX® A15 MPCore™: N/A | Yes | N/A | Yes | N/A | N/A
TI – TMS320C6678™: Yes, 8 instructions per fetch | N/A | N/A | N/A | N/A | N/A
Altera – Cyclone V: N/A | N/A | N/A | N/A | N/A | N/A

Page 157: Untitled - EASA

ID | Criteria

56 | TRANSACTION REORDERING CAN BE DISABLED
57 | INTERNAL REGISTERS ARE RENAMED BEFORE INSTRUCTION EXECUTION
58 | THE MMU IS CENTRALIZED OR DISTRIBUTED AMONG THE CORES
59 | TLB STORAGE CHARACTERISTICS

Cell values by processor column, in row order:

Freescale – QorIQ™ P4080: N/A | Yes | One MMU per core, but additional filter on addresses through the Local Access Windows at platform level | L1 data/instruction TLB. L2 unified TLB. Fixed 4K pages, and variable 4K to 4G pages
ARM – CORTEX® A15 MPCore™: N/A | Yes | One MMU per core managed by the CP15 coprocessor | L1 data/instructions TLB. L2 unified TLB. Translation Table stored in the cache or the main memory. Fixed 4K pages in L1 TLB. Variable 4K to 16M pages, support for Large Pages 2M and 1G
TI – TMS320C6678™: N/A | N/A | One Memory Protection Unit (no memory virtualization service) per core | Programmable pages sizes
Altera – Cyclone V: N/A | Yes | One MMU per core | N/A

Page 158: Untitled - EASA

ID | Criteria

60 | THE TLB REPLACEMENT ALGORITHM IS IMPLEMENTED IN HARDWARE OR SOFTWARE
61 | THE PAGE SIZE IS FIXED OR VARIABLE
62 | THE MMU DETECTS PAGES OVERLAPPING
63 | PRIVATE CACHE AND SCRATCHPADS CONTENTS
64 | PRIVATE CACHE REPLACEMENT POLICY
Hardware accelerators for network processing features
65 | THE OVERALL ARCHITECTURE IS DOCUMENTED

Cell values by processor column, in row order:

Freescale – QorIQ™ P4080: Hardware for L1 data/instruction TLB, software for unified L2 TLB. Coherency L1/L2 ensured by hardware | Both | Yes | 32k data, 32 K instruction L1, 256k unified L2 | Least Recently Used | Partially for Data Path Acceleration Architecture (network stream processing)
ARM – CORTEX® A15 MPCore™: Hardware replacement mechanism: when a L2 TLB miss occurs, the MMU performs a Translation Table Walk | Fixed in L1, variable in L2 | N/A | 32k data, 32k instruction | Least Recently Used | Irrelevant criteria: The CORTEX® A15 MPCore™ IP is not provided with I/O devices for network processing
TI – TMS320C6678™: Software management of the memory protection unit | Variable | N/A | 32K data, 32K instruction. Both can be configured partially or fully as SRAM. A store instruction cannot be written in L1 data cache | The cache is one way, so the replacement policy is trivial | Network coprocessor and multicore navigator. Public documentation available
Altera – Cyclone V: N/A | N/A | N/A | 32k data, 32k instruction | Least recently Used | To be defined at design time by the user

Page 159: Untitled - EASA

ID | Criteria

66 | THE HARDWARE ACCELERATOR EMBEDS MICROCODE
67 | THE HARDWARE ACCELERATOR CONTAINS INTERNAL MEMORY
68 | THE ACCELERATOR INTERNAL MEMORY IS PROTECTED AGAINST SEU/MBU
69 | THE HARDWARE ACCELERATOR CAN BE BYPASSED

Cell values by processor column, in row order:

Freescale – QorIQ™ P4080: Yes, in the Frame Manager. This microcode is proprietary | Yes | All internal memory is protected with ECC | Yes: for network usage, a network controller can be mapped on the PCI or PCIe bus rather than DPAA
TI – TMS320C6678™: Assumed yes, as there is a Rx core and a Tx core | Yes | N/A | Yes: for a network usage, a network controller can be mapped on the PCIe

Page 160: Untitled - EASA

ID | Criteria

Support for debug
70 | IT IS POSSIBLE TO DEBUG ON A SINGLE CORE WITHOUT AFFECTING THE OTHERS
71 | IT IS POSSIBLE TO DEBUG ON ALL CORES SYNCHRONOUSLY
72 | IT IS POSSIBLE TO HAVE A TRACE OF THE TRANSACTIONS GENERATED BY EACH CORES
Manufacturer related criteria
73 | THE MANUFACTURER HAS EXPERIENCE IN THE AVIONIC DOMAIN

Cell values by processor column, in row order:

Freescale – QorIQ™ P4080: Yes, internal performance monitors on each core, JTAG interrupt available core per core, GDB stub provided with TOPAZ© (Freescale hypervisor), HyperTRK library for JTAG debug on top of TOPAZ© | N/A | Partially: Aurora interface gives a limited view of the Corenet™ activity | Yes
ARM – CORTEX® A15 MPCore™: Performance monitors, ARM v7 debug unit, CoreSight™ interface | N/A | Yes: Program Trace Macrocell, which is a real-time transaction tracer included in CoreSight™. | N/A
TI – TMS320C6678™: Yes using the Debug and trace proprietary solution | N/A | Yes using the Debug and trace proprietary solution | Yes
Altera – Cyclone V: N/A | N/A | N/A | No

Page 161: Untitled - EASA

ID | Criteria

74 | THE MANUFACTURER IS INVOLVED IN THE CERTIFICATION PROCESS FOR THE STUDIED PLATFORM
75 | THE MANUFACTURER PUBLISHES SPECIFIC COMMUNICATIONS
76 | THE MANUFACTURER HAS A SUFFICIENT LIFE EXPECTANCY
77 | THE MANUFACTURER ENSURES A LONG TERM SUPPORT
78 | THE MANUFACTURER PROVIDES INFORMATION ON THE PROCESSOR DESIGN

Cell values by processor column, in row order:

Freescale – QorIQ™ P4080: Yes | Yes | Yes | N/A | Partially under NDA
ARM – CORTEX® A15 MPCore™: N/A | No | Yes | N/A | Partially, with the functional description
TI – TMS320C6678™: N/A | No | Yes | N/A | Yes
Altera – Cyclone V: N/A | No | Yes | N/A | Partially

Page 162: Untitled - EASA

ID | Criteria

79 | THE MANUFACTURER PROVIDES INFORMATION ON BUGS AND ERRATA
80 | THE MANUFACTURER PROVIDES INFORMATION ON SER (SEU/MBU)

Cell values by processor column, in row order:

Freescale – QorIQ™ P4080: Yes | Partially under NDA
ARM – CORTEX® A15 MPCore™: N/A | N/A
TI – TMS320C6678™: N/A | N/A
Altera – Cyclone V: N/A | N/A

Page 163: Untitled - EASA

Intentionally left blank

Page 164: Untitled - EASA
