Research Project EASA.2011/6
MULCORS - Use of Multicore Processors in airborne systems
easa.europa.eu
Disclaimer
This study has been carried out for the European Aviation Safety Agency by an external organization and expresses the opinion of the organization undertaking the study. It is provided for information purposes only and the views expressed in the study have not been adopted, endorsed or in any way approved by the European Aviation Safety Agency. Consequently it should not be relied upon as a statement, as any form of warranty, representation, undertaking, contractual, or other commitment binding in law upon the European Aviation Safety Agency.
Ownership of all copyright and other intellectual property rights in this material including any documentation, data and technical information, remains vested to the European Aviation Safety Agency. All logo, copyrights, trademarks, and registered trademarks that may be contained within are the property of their respective owners.
Reproduction of this study, in whole or in part, is permitted under the condition that the full body of this Disclaimer remains clearly and visibly affixed at all times with such reproduced part.
Thales Avionics
MULCORS, EASA, Réf. CCC/12/006898 – rev. 07

EASA 2011.C31 Project.
“MULCORS”
“The Use of MULticore proCessORS in Airborne Systems”

THALES AVIONICS
Dossier ref. CCC/12/006898 – Rev. 07
Authors : Xavier JEAN, Marc GATTI, Guy BERTHON, Marc FUMEY

REVISIONS

Revision | Date | Effect on § | Description
00 | November, 8th 2012 | All | Draft of the final Report
01 | November, 20th 2012 | All | Creation of the document
02 | November, 26th 2012 | All | Integration EASA remarks, 2012-11-23
03 | December, 05th 2012 | 9.3.6.1..3; 6 & 13 | Complement chapters regarding Tasks 1 & 2; Adding a chapter regarding the Hypervisor; Upgrade list for Chapters Literature Review and References
04 | December, 07th 2012 | None | Reference number which should the contract number EASA.2011.C31.
05 | December, 07th 2012 | | Adding ® & ™
06 | December, 08th 2012 | All | Modification of recommended guidelines following MULCORS final report presentation
07 | December, 16th 2012 | All | Modification of recommended guidelines following MULCORS final report presentation comments

1. DISCLAIMER
2. ACKNOWLEDGEMENTS
3. EXECUTIVE SUMMARY
  3.1. AIMS / OBJECTIVES
  3.2. OVERALL APPROACH
  3.3. EASA EXPECTATIONS
  3.4. FINDINGS ACHIEVEMENTS AND CONCLUSIONS
4. BACKGROUND
  4.1. DIGITAL EMBEDDED AIRCRAFT SYSTEMS
  4.2. USE OF COTS PROCESSORS IN EMBEDDED AIRCRAFT EQUIPMENT
  4.3. USE OF MULTI-CORE IN EMBEDDED AIRCRAFT EQUIPMENT
5. AIMS AND OBJECTIVES
6. LITERATURE REVIEW
  6.1. AVIONIC STANDARDS
  6.2. OFFICIAL GUIDELINES
  6.3. STUDIES ON PROCESSOR EVALUATION AND SELECTION
  6.4. STUDIES ON ROBUST PARTITIONING
  6.5. STUDIES ON WCET CALCULUS
  6.6. STUDIES ON MULTICORE PROCESSORS SCHEDULING
  6.7. STUDIES ON HYPERVISORS AND OPERATING SYSTEMS
  6.8. REFERENCE MANUAL OF STUDIED PROCESSORS
7. METHODOLOGY
8. IMPLEMENTATION
9. RESULTS AND OUTCOME
  9.1. REQUIREMENTS FOR AN EMBEDDED AIRCRAFT SYSTEMS
    9.1.1. DETERMINISM IN EMBEDDED AIRCRAFT SYSTEMS
      9.1.1.1. Embedded Aircraft Systems integrity
      9.1.1.2. WCET analyzability
      9.1.1.3. Airborne Embedded System Usage Domain
      9.1.1.4. Robust Partitioning
    9.1.2. CERTIFICATION OBJECTIVES FOR EMBEDDED AIRCRAFT SYSTEMS
      9.1.2.1. Intended Function
        9.1.2.1..1 BSP or Board Support Package
        9.1.2.1..2 Hypervisor
        9.1.2.1..3 Operating System
        9.1.2.1..4 Device drivers
      9.1.2.2. Safety Objectives
      9.1.2.3. Foreseeable Conditions
  9.2. PROCESSORS SELECTION CRITERIA
    9.2.1. STRATEGIC SELECTION CRITERIA
      9.2.1.1. Selection criteria regarding the manufacturer situation
      9.2.1.2. Manufacturer openness regarding design and tests information
    9.2.2. TECHNICAL SELECTION CRITERIA
      9.2.2.1. Focus on core architecture
        9.2.2.1..1 Instruction model
        9.2.2.1..2 Pipeline issues
        9.2.2.1..3 Virtual memory management
        9.2.2.1..4 Private caches and scratchpads
      9.2.2.2. Focus on peripherals
      9.2.2.3. Focus on hardware assist for debug and monitoring
  9.3. MULTI-CORE TECHNOLOGY STATE-OF-THE-ART
    9.3.1. SUMMARY OF TASK 1
    9.3.2. SUMMARY OF TASK 2
    9.3.3. BASIC ARCHITECTURE CHARACTERISTICS
      9.3.3.1. Memory sharing architecture
        9.3.3.1..1 Unified Memory Access (UMA)
        9.3.3.1..2 What about caches?
        9.3.3.1..3 Distributed Architecture (DA)
        9.3.3.1..4 Architecture named “Single Address space, Distributed Memory” or SADM
    9.3.4. MULTI‐CORE GALAXY OVERVIEW
      9.3.4.1. A short overview of processor roadmap
        9.3.4.1..1 Freescale Roadmap
        9.3.4.1..2 ARM Roadmap
        9.3.4.1..3 INTEL® ROADMAP
      9.3.4.2. Multi‐core processors manufacturers and addressed market segments
      9.3.4.3. Academic projects around multi‐core
      9.3.4.4. Industrial collaborations
    9.3.5. SOFTWARE SUPPORT FOR EMBEDDED AIRCRAFT SYSTEMS
      9.3.5.1. Airborne Certified Operating System
      9.3.5.2. Software definition / explanation
        9.3.5.2..1 Processes and Threads
        9.3.5.2..2 Multithreading
        9.3.5.2..3 Processes, kernel threads, user threads
      9.3.5.3. The impact of multi‐cores on Software Development
        9.3.5.3..1 Memory Management
        9.3.5.3..2 Mapping
    9.3.6. EXAMPLES OF REPRESENTATIVE MULTI‐CORE ARCHITECTURES
      9.3.6.1. Communication and Networking Processor
        9.3.6.1..1 Freescale QorIQ™ P2020
          9.3.6.1..1.1 e500 Coherency Module (ECM) and Address Map
        9.3.6.1..2 e500mc Cores
        9.3.6.1..3 Hypervisor
        9.3.6.1..4 Networking platform: Freescale QorIQ™ P4080
          9.3.6.1..4.1 QorIQ™ Processor Interconnect
          9.3.6.1..4.2 Peripherals
      9.3.6.2. Low‐Power Multi‐core IP: ARM CORTEX®‐A15 MPCore™
        9.3.6.2..1 CORTEX®‐A15 Cores
        9.3.6.2..2 Snoop Control Unit: First Level interconnect
        9.3.6.2..3 Corelink™ Network: Peripheral interconnect
      9.3.6.3. Multi‐core DSP: Texas Instruments TMS320C6678™
        9.3.6.3..1 DSP Cores: C66x™ CorePac
        9.3.6.3..2 TMS320C66xx™ interconnect: TeraNet™
      9.3.6.4. SoC FPGA Hard Processor System: Altera Cyclone® V
  9.4. MULTI-CORE FEATURES REGARDING CERTIFICATION
    9.4.1. INTRODUCTION
    9.4.2. PROCESSOR FEATURES IMPACT ON DETERMINISM
      9.4.2.1. Summary of task 3
      9.4.2.2. Summary of task 4
      9.4.2.3. Interconnect
        9.4.2.3..1 Overview
        9.4.2.3..2 Interconnect Classification criteria
        9.4.2.3..3 Interconnect Usage Domain
          9.4.2.3..3.1 Objective and Definition
          9.4.2.3..3.2 Related selection criteria
        9.4.2.3..4 Interconnect features regarding multi‐core processor integrity
          9.4.2.3..4.1 Integrity of transactions services in the interconnect
          9.4.2.3..4.2 Related selection criteria
        9.4.2.3..5 Interconnect features regarding Worst Case Execution Time calculus
          9.4.2.3..5.1 Related selection criteria
        9.4.2.3..6 Interconnect features regarding Robust Partitioning insurance
          9.4.2.3..6.1 Related selection criteria
      9.4.2.4. Shared caches
        9.4.2.4..1 Cache Classification criteria
        9.4.2.4..2 Content prediction features
        9.4.2.4..3 Classic cache configurations
          9.4.2.4..3.1 Cache partitioning
          9.4.2.4..3.2 Cache use as SRAM
        9.4.2.4..4 Corresponding selection criteria
      9.4.2.5. Cache coherency mechanisms
        9.4.2.5..1 Corresponding selection criteria
      9.4.2.6. Shared services
        9.4.2.6..1 Shared Services Classification criteria
        9.4.2.6..2 Corresponding selection criteria
      9.4.2.7. Cores
        9.4.2.7..1 Corresponding selection criteria
      9.4.2.8. Peripherals
        9.4.2.8..1 Corresponding selection criteria
  9.5. SOFTWARE ASPECTS
    9.5.1. SUMMARY OF TASK 7
    9.5.2. SUMMARY OF TASK 8
    9.5.3. AIRBORNE SOFTWARE DEPLOYMENT ON A MULTI‐CORE PLATFORM
      9.5.3.1. Airborne Software execution on several cores
        9.5.3.1..1 Multitasks scheduling features
        9.5.3.1..2 Airborne Software migration from single‐core to multi‐core platforms
        9.5.3.1..3 Partitioned system features
          9.5.3.1..3.1 Components evolution to take benefit of multi‐core platforms
          9.5.3.1..3.2 Deployment of partitions
          9.5.3.1..3.3 Symmetrical Multi‐processing
          9.5.3.1..3.4 Asymmetrical Multi‐processing
          9.5.3.1..3.5 AMP‐SMP‐BMP selection
          9.5.3.1..3.6 Others deployment schemes
      9.5.3.2. Airborne Equipment software features
        9.5.3.2..1 Architectural concerns
          9.5.3.2..1.1 Symmetrical Multi Processing
          9.5.3.2..1.2 Asymmetrical Multi Processing
    9.5.4. MITIGATION MEANS
      9.5.4.1. Summary of task 5
      9.5.4.2. Mitigation Means Analysis
      9.5.4.3. Time jitter ratio to total execution time
      9.5.4.4. Airborne Software WCET evaluation
      9.5.4.5. Monitoring during real‐time execution
      9.5.4.6. Airborne Software robustness
  9.6. FAILURE MITIGATION MEANS
    9.6.1. SUMMARY OF TASK 10
    9.6.2. MITIGATION MEANS
  9.7. COTS RELATED FEATURES
    9.7.1. SUMMARY OF TASK 11
    9.7.2. COTS RELATED FEATURES ANALYSIS
      9.7.2.1. Electro‐migration
      9.7.2.2. Single Event Effects
  9.8. METHOD AND TOOLS
    9.8.1. SUMMARY OF TASK 9
    9.8.2. METHODS AND TOOLS ANALYSIS
  9.9. EASA GUIDELINE FOR MULTI-CORE PLATFORMS
    9.9.1. SUMMARY OF TASK 6
    9.9.2. PROPOSED GUIDELINE
10. OUTREACH
11. CONCLUSIONS
  11.1. CONCLUSIONS WITH RESPECT TO THE REDUCTION OF COMPLEXITY
  11.2. MULTI-CORE PROCESSOR USAGE DOMAIN RELATED CONCLUSIONS
  11.3. SIGNIFICANT FEATURES RELATED CONCLUSIONS
  11.4. CONCLUSIONS ON ROBUST PARTITIONING
  11.5. CONCLUSIONS ON SUGGESTED MODIFICATION TO EASA GUIDANCE
    11.5.1. ROUTES TO COMPLIANCE
    11.5.2. ADVANCED GUIDANCE
12. RECOMMENDATIONS
  12.1. PURPOSE
  12.2. PROCESSOR SELECTION GUIDE
  12.3. USAGE DOMAIN
  12.4. CACHE COHERENCY
  12.5. OPERATING SYSTEM & TASKS ALLOCATIONS
  12.6. SHARED SERVICES
  12.7. CORES
  12.8. PERIPHERALS
  12.9. FAILURE MITIGATION
13. REFERENCES
14. APPENDIXES
  14.1. REVIEW OF EXISTING EASA GUIDANCE IN EASA CM SWCEH-001 ISS. 1 REV. 1
    14.1.1. REVIEW OF EASA CM SWCEH‐001
    14.1.2. MULTI‐CORE ASPECTS ALREADY AVAILABLE IN EASA CM SWCEH‐001 ISS. 1 REV. 1
    14.1.3. STRUCTURING ACTIVITIES
  14.2. EXAMPLE OF PROCESSOR CLASSIFICATION

1. DISCLAIMER

This study has been carried out for the European Aviation Safety Agency by an external organization and expresses the opinion of the organization undertaking the study. It is provided for information purposes only and the views expressed in the study have not been adopted, endorsed or in any way approved by the European Aviation Safety Agency. Consequently it should not be relied upon as a statement, as any form of warranty, representation, undertaking, contractual, or other commitment binding in law upon the European Aviation Safety Agency.

Ownership of all copyright and other intellectual property rights in this material including any documentation, data and technical information, remains vested to the European Aviation Safety Agency. None of the materials provided may be used, reproduced or transmitted, in any form or by any means, electronic or mechanical, including recording or the use of any information storage and retrieval system, without express written consent from the European Aviation Safety Agency. All logo, copyrights, trademarks, and registered trademarks that may be contained within are the property of their respective owners.

Persons wishing to reproduce in whole or in part the contents of this study are invited to submit a written request to the following address:

European Aviation Safety Agency (EASA)
Safety Analysis and Research Department
Research Project Manager
Ottoplatz 1
D-50679 Cologne
Germany

2. ACKNOWLEDGEMENTS

This report concludes the MULCORS project contracted with EASA. It provides the main outputs, recommendations and conclusions per EASA Specifications attached to the Invitation to Tender EASA.2011.OP.30.

Project MULCORS - The Use of MULticore proCessORS in Airborne Systems was organized into a set of tasks conducted with reference to the required subject and scope of the contract.

Interim reports were produced at dedicated milestones along with the execution of tasks whose results are further described in the Results and Outcome section 8 of the present report.

Thales would like to thank EASA, both for funding this study project and for its contribution in the reviews of the tasks performed, and its feedback on interim provided reports.

Thales acknowledges the contribution of Xavier Jean, PHD engineer that provided a high level of expertise in the technical matters that were necessary to support such a study.

Finally, the authors of this report recognize the quality of the input from all skilled technical experts and experienced key personnel that were allocated to the project.

3. EXECUTIVE SUMMARY

This section summarizes the overall content of this report as a result of MULCORS study.

3.1. AIMS / OBJECTIVES

MULCORS aims and objectives are
• To provide a survey of Multi-core processors market availability
• To define multi-core processors assessment & selection criteria
• To perform investigations on a representative multi-core processor
• To identify mitigation means, design and usage rules & limitations
• To suggest recommendations for multi-core processor introduction
• And to suggest complementary or modification to EASA guidance

3.2. OVERALL APPROACH

To cover this study, EASA and Thales have decided to cut it in 12 steps. Each step paves the road to analyze how to introduce safely Multi-Core processor in Embedded Aircraft Systems point per point.

The approach taken in conducting this study was a "Top-Down" one, which consisted in starting with a survey and analysis of the main specific features of a selection of COTS Multi-core Processors, then in establishing recommendations that can be used by EASA to complement its guidance, and by applicants in the determination of compliance of COTS Multi-core Processors with certification requirements.

This approach may be compared to another approach, i.e. more bottom-up, that would be more suited for a developer of a computing unit implementing COTS Multi-core processors. In that context, such an approach should start with the establishment of requirements specifications for the Airborne Electronic Hardware (AEH), taking into account design requirements in relationship with the use of a selected COTS Multi-core processor.

This approach helps to analyze all the stakes for Multi-core Processor introduction in Embedded Aircraft Systems from Market evolution regarding Hardware and Software up to mitigation to be implemented for Risk Management.

3.3. EASA EXPECTATIONS

The objective of the study was to provide EASA with sufficient data, analyses and recommendations to enable EASA to have a better understanding of the state of the art concepts/features related to MCP¹ and their subsequent impact on the compliance demonstration to finally write and publish guidance material on the subject of the use of multi-core processors in safety-critical airborne systems.

¹ MCP : Multi-Core Processor

3.4. FINDINGS ACHIEVEMENTS AND CONCLUSIONS

This report contains one section dedicated for recommendations to help building a guideline for COTS multi-core processor introduction.

From Thales point of View introduction of processor multi-core in Embedded Aircraft Systems can be considered as inevitable due to the market evolution where single core processors aims to disappear.

Avionics needs to master multi-core processor introduction in certified Embedded Aircraft Systems such as Displays, IMA systems, Flight Control System, Braking-Steering System, FADEC, Avionics Server, etc.

To reach this goal, Thales Avionics position is to propose recommendations to complement current EASA guideline (ED80 / EASA Cert. Memo SWCEH-001 issue: 01, Rev. 1) on (Highly) Complex COTS with the following additional recommendations for component selection and implementation:
• Interconnect analysis allowing defining its Domain Usage.
• Interconnect Usage Domain definition:
  o This includes the Methodology to ensure the completeness and validation of the Usage Domain which guarantees the compatibility with current Avionics constraints associated to the envisioned usage (DAL²) whatever the Airborne System type.
  o This is the key point where Airborne System Provider, Certification Applicant and Certification Authorities have to agree on COTS for acceptability.
• Mechanisms to manage Interconnect Usage Domain.
• Operating System or Scheduler:
  o Tasks or Processes allocation
  o Needs for Hypervisor
• Cache management.
• Core management.
• Shared services at COTS device level.

² DAL : Design Assurance Level

4. BACKGROUND

4.1. DIGITAL EMBEDDED AIRCRAFT SYSTEMS

Embedded Aircraft Systems are composed of Airborne Software installed on Hardware elements. That Airborne Software must fulfill the requirements for safety critical functionality on the aircraft. Thus, the design, development, certification and operation of the software have to meet Reliability, Availability, Maintainability and Safety (RAMS) objectives depending on their Design Assurance Level (DAL).

Hardware (HW) and Software (SW) components have followed the evolution of technology over the last decades, including technological transitions. Yet the confidence in RAMS of the overall system has not been degraded. Similarly, an equivalent level of safety is expected by Thales from the use of COTS multi-core technology.

4.2. USE OF COTS PROCESSORS IN EMBEDDED AIRCRAFT EQUIPMENT

One major technological step in the Embedded Aircraft Equipment was the introduction of Commercial Off The Shelf (COTS) processors in avionics.

COTS processor architectures have become more and more complex from single CORE requiring external bridge to interconnect Busses and memories (like in the PPC G3 type) up to Micro-Controllers where a bridge has been embedded in the processor (like in the PPC G4 type) with other features such as network (Ethernet), video, audio, bus (USB, PCI, PCIe, etc.) and other interfaces.

Use of COTS multi-core processors technology in safety-critical Airborne Software tends to be the preferred and undisputed choice for the future generation of Airborne Embedded Systems to satisfy processing performance requirements and weight reduction of digital electronic hardware in avionics.

Those COTS multi-core processors are classified like the current micro-controller ones as Highly Complex COTS as they feature quite a number of highly integrated execution units and associated control mechanisms embedded in the device.

In addition, internal architecture may not be directly accessible to the developers implementing such devices in their design.

COTS Multi-core design data, understood as either ED-80/DO-254-usable life-cycle data, or component’s in-house development data, is generally not available for review and remains proprietary to the component manufacturer. Hence difficulties arise when design assurance must be shown and demonstrated.

4.3. USE OF MULTI-CORE IN EMBEDDED AIRCRAFT EQUIPMENT

The introduction of COTS multi-core processors in Embedded Aircraft Equipment is motivated by the following aspects:
• Provide a long-term answer to the increasing demand of processing power for the embedded hardware elements with an acceptable power consumption and weight (reduce environmental footprint comparing to the current ones).
• Anticipate the mass market obsolescence for single-core processors.
  o A first step can be to be able to solve single core obsolescence by the replacement of this single-core by a multi-core with only one active core, others are disabled.
• Expected from COTS Multi-core use in Embedded Aircraft Equipment is a combination of three factors :
  o Increased performance,
    There is law for predicting the performance ratio regarding the numbers of cores (Amdahl Law, Gustafson Law) and the number of Threads that can be executed in parallel
  o Increased integration
    Less equipment to realize the same functionality or the same amount of equipment to host more functionality.
  o Reduce environmental footprint
    Fewer embedded equipment, less power consumption, less dissipation compared to the single core equivalent.
• Be able to “simplify” the use of a Multi-Core Processor thanks to its throughput.
  o With, for example, a partitioned architecture, implementing a high DAL level Airborne Software application on one core exchanging data with a low level Airborne Software application implemented on another core. Arbitration can be made to favor the High DAL level Airborne Software application offering safety for this level.

5. AIMS AND OBJECTIVES

The basis for the project was to conduct a study of the multi-core processors that are currently available and that are anticipated within the next few years, based on public information and roadmap.

The objective of the study was to provide EASA with sufficient data, analyses and recommendations to enable EASA to write and publish guidance material on the subject of the use of multi-core processors in safety-critical airborne systems.

The study examined different Hardware (HW) and Software (SW) architectures of multi-core processors to determine which characteristics of these architectures would enable them to host safety-critical Airborne Software and which have negative implications in terms of the ability of the systems to host safe, robustly partitioned and deterministically executed Airborne Software.

We have then reduced the scope to a selection of few candidates representative of various implementations, which were examined in detail in the study so as to highlight the significant characteristics of the group that are new or different from those of single core processors, whether the characteristics are favorable or unfavorable for the use of the type in safety-critical Airborne Software, and whether any mitigation measures might be used in each case to adapt the type for use in safety-critical Airborne Software.

One purpose of MULCORS was to introduce criteria for multi-core architectures in order to ease their evaluation by the certification authorities in a certification process.

We further distinguished two classes of evaluation criteria:
• Multi-core specific criteria that would be irrelevant in a non-multi-core context
• Complex COTS criteria that are relevant both for multi-core and non-multi-core computing platforms.

Another objective of MULCORS was to use the EASA “Certification Memorandum for Complex Electronic Hardware (CEH)” recommendations in regard to the multi-core technology. This analysis should result in a proposition regarding specific recommendations linked to the multi-core context.

The study examined other aspects such as:
• Software aspects of using multi-core processors to host safety-critical Airborne Software, including any Supervisor / Hypervisor and Operating System.
• Tools and techniques that may be used to specify the software requirements and the software design so as to efficiently and safely execute software in parallel on multi-core processors.
• Verification and certification implications of hosting software on multi-core processors, including measuring the Worst Case Execution Time.

6. LITERATURE REVIEW

6.1. AVIONIC STANDARDS

SAE ARP 4754: Certification Considerations for Highly-Integrated or Complex Aircraft Systems
Society of Automotive Engineers (SAE), 1996.
This standard addresses problematic that deal with complex embedded systems, included but not restricted to digital avionics systems

RTCA DO-178B: Software Considerations in Airborne Systems and Equipment Certification.
Radio Technical Commission for Aeronautics (RTCA), 1992.
This standard deals with quality of software conception, development, test and integration.

RTCA DO-178C: Software Considerations in Airborne Systems and Equipment Certification.
Radio Technical Commission for Aeronautics (RTCA), 2012.
This standard is an update of DO-178B

RTCA DO-254 / EUROCAE ED-80: Design Assurance Guidance for Airborne Electronic Hardware.
Radio Technical Commission for Aeronautics (RTCA) and EURopean Organisation for Civil Aviation Equipment (EUROCAE).
This standard deals with design quality for hardware elements.

RTCA DO-297: Integrated Modular Avionics (IMA) Development, Guidance and Certification Considerations.
Radio Technical Commission for Aeronautics (RTCA), 2005.
This is the latest standard for IMA systems development and exploitation. It deals with high-level requirements, Robust Partitioning, Verification and Validation, reuse of components.

EASA CM - SWCEH – 001, issue 1: Development Assurance of Airborne Electronic Hardware, August 2011
This certification memorandum has been developed by EASA to highlight issues that shall be addressed in the certification process.
http://www.easa.europa.eu/certification/docs/certification-memorandum/EASA%20CM-SWCEH-001%20Development%20Assurance%20of%20Airborne%20Electronic%20Hardware.pdf

EASA CS-25: Certification Specifications and Acceptable Means of Compliance for Large Aeroplanes, Amendment 12 – subpart F, July 2012
http://www.easa.europa.eu/agency-measures/docs/certification-specifications/CS-25/CS-25%20Amdt%2012.pdf

6.2. OFFICIAL GUIDELINES

ARINC-653 P1 revision 3: Avionics Application Software Standard Interface.
Aeronautical Radio Inc, 2010.
This guideline deals with partitions definition and scheduling, Operating System architecture and the Application Executive interface (APEX) that is a standardized API for the embedded partitions.

ARINC-651: Design Guidance for Integrated Modular Avionics.
Aeronautical Radio Inc, 1991.
This guideline addresses software and hardware concerns in the previous generation of IMA.

6.3. STUDIES ON PROCESSOR EVALUATION AND SELECTION

Forsberg, H. & Karlsson, K. COTS CPU Selection Guidelines for Safety-Critical Applications
25th Digital Avionics Systems Conference, IEEE/AIAA, 2006, 1-12
http://dx.doi.org/10.1109/DASC.2006.313701

Bob, G.; Joseph, M.; Brian, P.; Kirk, L.; Spencer, R.; Nikhil, G.; Daniel, O.; Jason, D. L.; John, S.; Arnold, N.; Bob, M. & Dr. Rabi, M.
Handbook For The Selection And Evaluation Of Microprocessors For Airborne Systems
Federal Aviation Administration - U.S. Department of Transportation, 2011
http://www.faa.gov/aircraft/air_cert/design_approvals/air_software/media/AR_11_2.pdf

Faubladier, F. & Rambaud, D. Soc Survey Report - Safety Implications of the use of system-on-chip (SoC) on commercial of-the-shelf (COTS) devices in airborne critical applications
EASA – study ref. EASA.2008.OP.04, 2008
http://www.easa.europa.eu/safety-and-research/research-projects/docs/large-aeroplanes/Final_Report_EASA.2008_1.pdf

Kinnan, L.M. Use of multi-core processors in avionics systems and its potential impact on implementation and certification.
28th Digital Avionics Systems Conference, IEEE/AIAA, 2009, pp. 1.E.4.1 – 1.E.4-6
http://dx.doi.org/10.1109/DASC.2009.5347560

6.4. STUDIES ON ROBUST PARTITIONING

Rushby John, Partitioning in Avionics Architectures: Requirements, Mechanisms, and Assurance. 1999
FAA-AR-99/58, Office of Aviation Research, Washington DC
http://www.tc.faa.gov/its/worldpac/techrpt/ar99-58.pdf

Wilding Matthew M., David S. Hardin, David A. Greve, Invariant Performance: A statement of Task Isolation Useful for Embedded Application Integration. 1999
Proceedings of the conference on Dependable Computing for Critical Applications
http://dl.acm.org/citation.cfm?id=555298.789914

Littlefield-Lawwill, J. & Kinnan, L., System considerations for robust time and space partitioning in Integrated Modular Avionics. 2008
27th Digital Avionics Systems Conference, IEEE/AIAA, 2008
http://dx.doi.org/10.1109/DASC.2008.4702751

6.5. STUDIES ON WCET CALCULUS

Wilhelm, R.; Engblom, J.; Ermedahl, A.; Holsti, N.; Thesing, S.; Whalley, D.; Bernat, G.; Ferdinand, C.; Heckmann, R.; Mitra, T.; Mueller, F.; Puaut, I.; Puschner, P.; Staschulat, J. & Stenström, P.
The worst-case execution-time problem overview of methods and survey of tools, 2008
ACM Trans. Embed. Comput. Syst., ACM, 2008, 7, 36:1-36:53
http://www.cs.fsu.edu/~whalley/papers/tecs07.pdf

Hardy, D. Analyse pire cas pour processeur multi-cœurs disposant de caches partagés (link in French), 2010
PhD Thesis, Université Rennes 1
http://tel.archives-ouvertes.fr/docs/00/55/70/58/PDF/Hardy20101209_phd.pdf

Nowotsch, J. & Paulitsch, M., Leveraging Multi-core Computing Architectures in Avionics, 2012
European Dependable Computing Conference, IEEE Computer Society, 2012, 0, 132-143
http://doi.ieeecomputersociety.org/10.1109/EDCC.2012.27

Pellizzoni, R. & Caccamo, M. Impact of Peripheral-Processor Interference on WCET Analysis of Real-Time Embedded Systems, 2010
IEEE Trans. Comput., IEEE Computer Society, 2010, 59, 400-415
http://dx.doi.org/10.1109/TC.2009.156

Moscibroda, T. & Mutlu, O. Memory performance attacks: denial of memory service in multi-core systems, 2007
Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium, USENIX Association, 2007, 18:1-18:18
http://dl.acm.org/citation.cfm?id=1362903.1362921
6.6. STUDIES ON MULTICORE PROCESSORS SCHEDULING

Davis, R. & Burns, A. A Survey of Hard Real-Time Scheduling Algorithms and Schedulability Analysis Techniques for Multiprocessor Systems, 2009
ACM Comput. Surv., ACM, 2011, 43, 35:1-35:44
http://doi.acm.org/10.1145/1978802.1978814

6.7. STUDIES ON HYPERVISORS AND OPERATING SYSTEMS

Krodel, J. & Romanski, G. Handbook for Real-Time Operating Systems Integration and Component Integration Considerations in Integrated Modular Avionics Systems, 2008
Federal Aviation Administration - U.S. Department of Transportation, 2008
http://www.tc.faa.gov/its/worldpac/techrpt/ar0748.pdf

Gu, Z. & Zhao, Q. A State-of-the-Art Survey on Real-Time Issues in Embedded Systems Virtualization, 2012
Journal of Software Engineering and Applications, 2012, 05, 277 – 291
http://dx.doi.org/10.4236/jsea.2012.54033

6.8. REFERENCE MANUAL OF STUDIED PROCESSORS

Freescale Embedded Hypervisor Software User Manual
http://www.freescale.com/infocenter/index.jsp?topic=%2FQORIQSDK%2F1331445.html

Freescale Semiconductor Inc, P4080 QorIQ Integrated Multicore Communication Processor Family Reference Manual, 01/2012 - Revision. 1
http://www.freescale.com/webapp/sps/site/prod_summary.jsp?code=P4080
(a free account must be created to download the reference manual)

Freescale Semiconductor Inc, EREF 2.0: A Programmer’s Reference Manual for Freescale Power Architecture® Processors, 09/2011 – Revision 0
http://cache.freescale.com/files/32bit/doc/ref_manual/EREF_RM.pdf

Freescale Semiconductor Inc, e500mc Core Reference Manual, 03/2012 – Revision 1
http://cache.freescale.com/files/32bit/doc/ref_manual/E500MCRM.pdf

ARM, Cortex™-A15 MPCore™ Technical Reference Manual Revision: r3p2, 07/2012
http://infocenter.arm.com/help/topic/com.arm.doc.ddi0438g/DDI0438G_cortex_a15_r3p2_trm.pdf

ARM, CoreLink™ CCI-400 Cache Coherent Interconnect Technical Reference Manual, 11/2012
http://infocenter.arm.com/help/topic/com.arm.doc.ddi0470g/DDI0470G_cci400_r1p1_trm.pdf
ARM, ARM Architecture Reference Manual ARMv7-A and ARMv7-R edition, 2012
http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.subset.architecture.reference/index.html
(an account must be created to access this document)

Texas Instruments, TMS320C6678™ - Multicore Fixed and Floating-Point Digital Signal Processor, 02/2012
http://www.ti.com/lit/ds/sprs691c/sprs691c.pdf

Texas Instruments, TMS320C66x™ DSP CorePac User Guide, 07/2011
http://www.ti.com/lit/ug/sprugw0b/sprugw0b.pdf
7. METHODOLOGY

Besides the organization in tasks described in section 8 below, this study was organized as follows:

1. A preliminary phase which was divided in two parts:
   o The first part where we have defined some requirements applicable to multi-core computing platforms in an avionic context. Those requirements depend on the different kinds of digital systems and their level of criticality.
   o The second part that deals with processors selection for avionic usage out of the field of multicore architecture. Two kinds of selection criteria were explored: strategic criteria that deal with manufacturer selection rather than the processor itself, and technical criteria that focus on specific points of the architecture. Those criteria are still valid in a multicore context.
2. A first phase was prospective: we provided a snapshot of the multi-core technology and basic non-technical criteria for processors early selection. Then we presented some representative multi-core computing platforms in a more detailed description.
3. A second phase of the study refined multi-core features on the hardware and software aspects. We illustrate those features on two selected computing platforms. We provided a set of guidelines and technical selection criteria.
4. A third phase where we deduced from the previous phases additional recommendations for certification procedures.
8. IMPLEMENTATION

The work relevant for this study has been implemented, based on different activities organized in tasks, and deployed in a logical manner. A summary of those tasks and their arrangement is provided below to allow a better and easier reference of the results and outcomes exposed in section 8 of this present report.

Task 1. Provide a survey of Multi-core processors market availability
Task 2. Characterize essential multi-core processors types features
Task 3. Define multi-core processors assessment & selection criteria
Task 4. Perform investigations on a representative multi-core processor
Task 5. Identify mitigation means, design and usage rules & limitations
Task 6. Suggest complementary or modification to EASA guidance
Task 7. Investigate operating system software execution related aspects
Task 8. Identify methods, tools, languages and Operating Systems for design
Task 9. Identify methods, tools, means and instrumentation for testing
Task 10. Examine failure detection and recovery mechanisms features
Task 11. Analyze COTS-related features (Errata sheets, SEU, Service experience)
Task 12. Summary conclusion, main results & recommendations and final report

The task flow execution followed the logic in Figure 1 above with the exception of task 7 that needed to be anticipated earlier than scheduled in the original plan.

A lesson learned from such an organization for a similar project is to limit the breakdown into tasks to less than a few (around 6 tasks) in order to avoid dispersion of issues over too many packages.

Monthly progress reports were provided and presented to EASA. This led to few amendments to the original content both programmatic and technical. Also worth to mention is that interim reports were provided and amended along with each monthly progress reports. This was useful to help reorient the research to actual EASA needs and directions.

A task summary is provided for reference along with the details discussion in the Results and Outcome section 8.
[Figure 1: Task Work Flow. Block diagram grouping the tasks under four panels: "Architecture – Characteristics – Drawback – Limitations" (Task 1, Task 2, Task 3, Task 4); "Failure Mitigation – Work around" (Task 5, Task 10, Task 11); "Software Architecture – Issues" (Task 7, Task 8, Task 9); "Support for Guidance – Evolutions – Recommendations" (Task 6, Task 12).]
9. RESULTS AND OUTCOME

9.1. REQUIREMENTS FOR AN EMBEDDED AIRCRAFT SYSTEMS

9.1.1. Determinism in Embedded Aircraft Systems

Determinism is an abstract notion that usually references several high level requirements; part of it is described in the DO-297 as “The ability to produce a predictable outcome generally based on the preceding operations, the outcome occurs in a specified period of time with some degree of repeatability”.

Depending on the context, its embodiment may vary. Yet in a general case, we can say that a system is deterministic as soon as its behavior is ruled by a set of identified laws. Those laws have to be compatible with certification objectives.

For instance, a device whose response time follows a Gaussian law where means and variance are defined may not comply with the usual requirements, such as a finite response time.

In this report, we state that an Embedded Aircraft System is deterministic if it fulfills the following definitions for “Embedded Aircraft System Determinism”:
- It is possible to ensure the Execution Integrity of its Airborne Software. That means correct Airborne Software will be correctly executed in a nominal situation, and the Embedded Aircraft System state will be predictable in non-nominal situations (internal faults). It does not cover the case of faulty airborne software.
- It is possible to perform a WCET analysis (Worst Case Execution Time) of the embedded software (Airborne Software and Embedded Aircraft System software). Timing information on the Embedded Aircraft System behavior (e.g. memory access worst case response time) may be necessary.
- When the Embedded Aircraft System provider has no visibility into, or limited constraints enforced towards the embedded Airborne Software(s), he shall define a Platform Usage Domain that details restrictions on the Airborne Software developments.
- When the Embedded Aircraft System is destined to host a partitioned system, such as in IMA³, the Embedded Aircraft System provider shall also ensure Robust Partitioning between the hosted partitions.

9.1.1.1. Embedded Aircraft Systems integrity

To ensure the execution integrity of embedded software, the Embedded Aircraft System provider must demonstrate that the Embedded Aircraft System mode during non-faulty software execution remains nominal or degraded into an acceptable state.

³ IMA: Integrated Modular Avionic
To obtain this guarantee with an adequate level of confidence (according to the Design Assurance Level), the Embedded Aircraft System provider must accumulate sufficient knowledge on the processor’s internal mechanisms.

Such knowledge can be obtained through datasheets, reference manuals, under dedicated NDA⁴, Communications, White Papers, Application notes, Errata sheets, laboratory test campaigns, etc.

The growing complexity of COTS processor architecture makes a fine grain description of all internal features not accessible for Human, Technical and IP⁵ reasons.

Thus the properties of some features can be partially masked as long as the COTS processor manufacturer is able to provide guarantees on their observable behavior.

The main difficulties in ensuring Embedded Aircraft System integrity deal with the determination of its behavior upon the occurrence of internal faults and failures. Therefore, depending on the DAL (Design Assurance Level), a more or less accurate model of faults has to be defined. Identified faults and failures shall be mitigated or confined inside the Embedded Aircraft System using dedicated Hardware and/or Software mechanisms.

As detailed in part 9.4.2.3..4, Embedded Aircraft System integrity in multi-core platforms is closely linked to a correct transaction service in the interconnect. Here “correct” means that there is neither corruption nor any silent loss of transactions.

Note: The behavior of the interconnect between cores, memory and shared resources has to be known by design, by experimental test or by other means and present as a proof to reach acceptance of this component.

Even if cores and peripherals architecture have been inherited from an existing single-core processor, the current multi-core generation has introduced an important technological step mainly linked to the interconnect design.

Note: in most multi-core architectures, from Dual Core like in the P2020 (from Freescale), up to an octo-core like in the P4080 (from Freescale) or a quad-core like in the ARM_CORTEX®_A15, the interconnect is the key point where all the accesses are performed. A chapter is dedicated to Interconnect Management.

Indeed, the interconnect has been built to sustain a higher bandwidth in order to serve efficiently all cores. They enable a high level of pipelining and parallelism in transaction services.

This growing complexity makes the set of all interconnect states highly difficult to determine and analyze - even with full information on the design (full information is not available even under dedicated NDA linked to manufacturer IP Policy).

⁴ NDA: Non Disclosure Agreement
⁵ IP: Intellectual Property
Thus, it may be difficult to obtain guarantees of correct transaction services in a general case. There are several approaches aimed at preventing inter-core conflicts with dedicated mechanisms, or limiting the interconnect load in order to remain in a “safe” mode. We plan to describe some approaches in the Interconnect Management Chapter.

9.1.1.2. WCET analyzability

Worst Case Execution Time analyses aim at determining an upper bound for a piece of software’s execution time. Usually, the result of a WCET analysis is an upper approximation of the exact WCET which is nearly impossible to determine for real life Software.

Simple architectures allow WCET determination using static analysis techniques using an execution model of the Airborne Embedded System. That means the analyzed software is not executed. Yet on complex COTS processors architectures, it is not possible to determine an accurate enough model. Today, an alternative method is used. A worst case scenario is defined from an analysis performed on the Airborne Software. The execution time is measured under this scenario, and is further corrected with parameters taking into account variable jitters and variability in the duration of Airborne Embedded System operations.

When the Airborne Embedded System provider has no visibility into the deployed Airborne Software - for instance in an IMA -, he shall determine and provide such parameters to the Airborne Software suppliers and eventually to the Module Integrator.

The lack of information on the processor behavior may lead to pessimistic estimation of those parameters and degrade the approximation of the WCET.

For instance uncertainty on the cache content must lead to consideration of cache miss situations in the WCET analysis.

As detailed in part 9.4.2.3..5, the use of multi-core processors in Embedded Aircraft Systems worsens the WCET analyses. Indeed, the execution time of software on one core depends on software executed on the other cores because of potential inter-core conflicts. Moreover, it may be difficult to determine an upper bound on their impact whatever the concurrent software.

9.1.1.3. Airborne Embedded System Usage Domain

When the Airborne Embedded System provider has little or no visibility into the deployed Airborne Software, he has to define what we call an “Airborne Embedded System Usage Domain” and provide it to the Airborne Software suppliers.

This Airborne Embedded System Usage Domain details usage limitations that shall be taken into account during Airborne Software development and execution.
Respecting the usage domain is a mandatory and key requirement. Dedicated tools may be used to automatically perform checks on the usage domain aspect. Moreover, protection mechanisms can be enforced to prevent usage domain violations that impact robust partitioning.

For instance, assembly instructions can be forbidden when their use impacts the integrity of the Airborne Embedded System. Various protection means can be highlighted:
- A privilege level restriction, which blocks the execution of the instruction
- A processor configuration that disables this instruction
- A mandatory integration test that checks the absence of such instructions
- A trusted piece of software that checks at runtime the absence of such instructions

Yet it shall be proven that in spite of such protections, no failure mode can lead to the execution of a forbidden instruction.

In the case of multi-Airborne Software systems, the Airborne Embedded Equipment usage domain is divided into two categories:
- Some restrictions deal with Airborne Software development and are destined for the Airborne Software Suppliers.
- Other limitations address the integration of Airborne Software and have to be handled by the Module Integrator.

The use of multi-core processors is likely to entail changes in the Airborne Embedded System usage domains. Indeed, the presence of true parallelism between pieces of software (intra and/or inter-partitions in partitioned systems) adds new parameters that rule software deployment on the different cores.

We can illustrate examples of what could be these rules depending on the processor, the selected Operating System, the hypervisor (when required);
- Inside an Airborne Software installation, multiple critical sections cannot be accessed in parallel by different cores. Indeed, this situation might lead to deadlocks.
- Execution of processes inside a multi-core partition will be pre-allocated on the concerned cores (rather than dynamically allocated by the scheduler).
- In case determinism and/or robust partitioning cannot be absolutely demonstrated, it could be stated that a DAL-A partition is not allowed to be executed in parallel with other partitions.

Note: In a low complex multi-core processor for example in a Dual-Core processor, this Usage Domain can be more easily demonstrated if Airborne Software is known and managed to match with safety requirements. When the Airborne Software is unknown, the Airborne Embedded Equipment usage Domain has to be defined as described above.

9.1.1.4. Robust Partitioning

Robust Partitioning is defined in various formulations in ARP4754, DO 297, ARINC 651 and ARINC 653. This is a property of fault containment. The reference study (Rushby, 1999) on robust partitioning was done by John Rushby for the FAA in 2000.
Robust partitioning is a mandatory requirement for partitioned Airborne Embedded Systems:

The reference definition for robust partitioning is named the Gold Standard:

“A partitioned system should provide fault containment equivalent to an idealized system in which each partition is allocated an independent processor and associated peripheral and all inter-partition communications are carried on dedicated lines”

Yet this general definition requires an accurate model of faults for Airborne Software. To the best of our knowledge, no direct proof of robust partitioning has been performed today. In practice, the following stronger property is preferred, named the Alternative Gold Standard (introduced by David Hardin, Dave Greve and Matt Wilding):

“The behavior and performance of software in one partition must be unaffected by software in other partitions”

In IMA systems, an ARINC 653 Time and Space partitioning implementation ensures the Alternative Gold Standard.

Usually, robust partitioning is ensured through an analysis of interference channels. In multi-core systems, the possible presence of inter-core conflicts may introduce new channels. Two sub-problems occur:
- Is it possible to get rid of those channels?
- If no, will interference actually occur through those channels?

This problem is refined in part 9.4.2.3..6.

We have to notice that the property of Robust partitioning is not confined to IMA systems, as we have to deal with such requirements even in the first step of multi-core processor architectures like in a dual-core one or when Airborne Software applications of different DALs are executed by the different cores.

Robust partitioning can be ensured
- By a hardware mechanism if this mechanism exists in the processor, if it is described and accessible under dedicated privilege (Supervisor or Hypervisor mode),
- By the Operating System allocating priority to the Airborne Software with the highest level of DAL (DAL-A for example) when Airborne Software of different DAL levels is executed in the Airborne Embedded System.
- Or directly by the Airborne Software at Airborne Embedded System level. At this level, it can be done only if we can master the temporal execution of each Airborne Software application and solve the conflicts at this level (threads of processes allocation and description).

9.1.2. Certification objectives for Embedded Aircraft Systems

When taking into account the general certification requirements, the Airborne Embedded System provider must address the following objectives:
- Ensure Intended Function,
- Meet Safety Objectives,
- Sustain Foreseeable Conditions.

Note that this chapter does not replace applicable requirements such as S/HW compliance with XX.1301/XX.1309, i.e. development assurance as defined by ED-12B/DO-178B and ED-80/DO-254.

This chapter and this report focus on multi-core processor where ED-12B/DO-178B for embedded micro-code and/or ED-80/DO-254 for processor Hardware development are not used by processor manufacturer.

At equipment level and/or board level, Airborne Embedded System providers and/or Airborne Software providers have to be compliant with ED-80/DO-254 and ED-12/DO-178 (B or C) and implement mitigation to demonstrate the global compliance with ED-80/DO-254 and/or DO-178 with such components as processors.

9.1.2.1. Intended Function

The functionalities of a processor, whether it is COTS Mono-Core or Multi-Core, are always exercised using:
- First a layer of Hardware - Software interface known as the processor BSP⁶,
- When required, a Hypervisor layer
- Then the Operating System itself,
- All the required drivers and Processor drivers
- And the last one the Airborne Software layer (which is out of the scope of this purpose).

[Figure: layer stack, from bottom to top.
PROCESSOR: ARM | FREESCALE | IBM | INTEL | TEXAS
PROCESSOR BSP: ARM BSP | FREESCALE BSP | IBM BSP | INTEL BSP | TEXAS BSP
HYPERVISOR: ARM based | FREESCALE based | IBM based | INTEL based | TEXAS Based
Operating SYSTEM: VxWorks | PikeOS | LynxOS | Integrity | MACS2
DRIVERS: Network | SOC Peripherals | Memory / Flash | I/O Drivers | USB / PCI
AIRBORNE SOFTWARE: Time Critical Application | Utilities | Avionics Server | IFE]

⁶ BSP: Board Support Package
9.1.2.1..1 BSP or Board Support Package

A software layer that adapts the Operating System to the dedicated processors. This layer gives access to the internal resources of the multi-core component but the management of these resources has to be done by the Hypervisor when required or by the Operating System.

BSP development has to fulfill ED-12/DO-178 (B or C) requirements.

- BSP_Remark1: When a Hypervisor is not required, privileged access has to be given in Supervisor or Hypervisor mode to the Operating System to allow programming of shared resources like hardware accelerators, arbiters, in order to fulfill safety requirements such as determinism.
- BSP_Remark2: if two Operating Systems are used, for example, on a dual-core processor, one of these two Operating Systems has to be set in the Supervisor or Hypervisor mode to have the privilege to access to programming of shared resources, the second one has to be set respectively in User or Supervisor mode.

9.1.2.1..2 Hypervisor

A software layer that acts as a Virtual Machine Monitor. This software layer emulates virtual environments in which several Operating Systems may be executed simultaneously. In such a configuration, its use may help mastering the processor behavior regarding dedicated requirements like determinism or conflict management in shared resources accesses.

We consider, in this report, that the Hypervisor level is realized in a SMP mode managing all cores.

RGL n°1
When a Hypervisor is required to manage the behavior of the interconnect, the development of such a Hypervisor shall fulfill ED-12/DO-178 (B or C) requirements at the corresponding Design Assurance Level, at least the most stringent Airborne Software.

- HYP_Remark1: we see that there is a relationship between the intended function and objectives with respect to safety and foreseeable conditions, as, at least for functional operation, the influence of external Airborne Software input authority is limited by such a hypervisor, while the latter is providing the deterministic behavior, performance characteristics and integrity necessary to the end-user Airborne Software.

The use of a Hypervisor layer is not mandatory, for example in a dual core processor, where the behavior of this dual-core processor can be managed directly at the Airborne Software level.

Let us detail this:
- We are able to master the complete behavior of Airborne Software application(s) running on the processor even in SMP mode (during any one period of time, the multi-core processor is allocated
to only one Airborne Software application running and the Operating System realizes the tasks or processes allocations on cores) or in AMP mode (during one period of time, each core runs a dedicated Airborne Software application, which means that we have one Operating System per core),
- We can demonstrate that there are no shared resource access conflicts by analyzing the execution of the Airborne Software and/or processes or threads. Or if there are conflicts, they are managed by arbitration using priorities based on the DAL level of the Airborne Software: if two DAL-A Airborne Software applications have to be executed at the same time, prioritization is not the solution; the only solution remains the hypervisor that manages the Interconnect Usage Domain and provides safe arbitration between the Airborne Software applications.
- HYP_Remark2: if a Hypervisor is not required, the Airborne Software applications have to be clearly described to demonstrate the absence of conflicts (between Airborne Software in AMP or between threads or processes in SMP) or that conflicts are managed using, for example, Airborne Software DAL level for managing access priorities to shared resources.

9.1.2.1..3 Operating System

Software that manages computer Hardware resources and provides common services for Airborne Software. The operating system is a vital component of the system software in a computer system. Airborne Software programs require an operating system to function.

We can notice various types of Operating System such as:

- Real-time
  o A multitasking operating system that aims at executing real-time Airborne Software. Real-time operating systems often use specialized scheduling algorithms so that they can achieve a deterministic nature of behavior. The main objective of real-time operating systems is their quick and predictable response to events. They have an event-driven or time-sharing design that switches between tasks based on their priorities or external events while time-sharing operating systems switch tasks based on clock interrupts.
- Multi-user
  o A multi-user operating system allows multiple users to access a computer system at the same time. Note that Single-user operating systems have only one user but may allow multiple programs to run at the same time.
- Multi-tasking vs. single-tasking
  o A multi-tasking operating system allows more than one program to be running at a time; an ARINC653 Operating System is a Multi-tasking one. A single-tasking system has only one running program. Multi-tasking can be of two types: pre-emptive or co-operative. In pre-emptive multitasking, the operating system slices the CPU time and dedicates one slot to each of the programs.
- Distributed
  o A distributed operating system manages a group of independent cores and makes them appear to be a single processor.
Threq
9.1
Piedricodetypopint Th
9.1
A theimgeA adArpoThcoop No SAproproare 7 P8FM9FF
Embedo
he developmquired, for I
De1.2.1..4
eces of softiver constitmmunicatiopendent copically an
perating systterrupt hand
he developm
1.2.2. Safe
Complex Ce fact that t
mplementingnerally avaimore quali
ddition, somrchitecture otentially hidhis latter appnsidered to
perating syst
ote that the
AF_Remarkocessor levocessor is ue respected.
PDA : PersonMEA : FailurFPA : Functi
dded They are able to opefficient b
ment of an IMA for exa
evice driver
ftware develtutes an inteons subsystomputer prooperating stem kernel, dling necess
ment of Dev
ety Objectiv
COTS FMEAthe detailed
g the deviceilable to theitative FFPA
me new appmitigation
dden failureproach migogether wittems) and h
design and
k1: if an Fvel, mitigatused. The e.
nal Digital Ase Mode & Efonal Failure
designed toperate with by design.
Operating Sample, ARI
rs
loped to maerface for ctem that theogram whisystem or Ato interact t
sary for any
vice drivers
ves
A8 and, a fod internal are, and also e adequate lA9 approac
proaches cocombined
es, safety efght be the mth their emhardware me
developmen
FMEA and/tion has to equipment p
ssistant ffects AnalysPath Analys
M
o operate ona limited n
System hasINC653 req
ask the comcommunicate hardware ch is also Airborne Stransparentl
y necessary a
has to fulfil
ortiori a COrchitecture because qu
level of detach is generaould be dev
with a Sffects aspect
most pertinenmbedded arc
echanisms (
nt of boards
/or FFPA fbe provid
provider has
sis sis
n small macnumber of r
s to fulfill Equirements a
mplexity of ting with this connecteoperating
oftware paly with a haasynchrono
ll ED-12/DO
OTS Multi-cis not know
quantitative ail. ally achievavised with rSafety-specits, and softwnt for COTchitecture, (e.g. monito
s or equipm
for a singleded by the s to demon
chines like Presources. T
ED-12/DO-as well.
interactionhe device, ted to. A devsystem speckage or c
ardware devous time-dep
O-178 (B or
core FMEAwn and notdata on fai
able at leasreference tofic analysiware or systS Multi-Coincluding s
oring or prot
ment have to
e or a multequipment
nstrate to th
PDA7’s witThey are ve
178 (B or C
s with Hardthrough thevice driver ecific that computer prvice, and usupendent har
r C) require
A, is difficult accessible ilure modes
t to a certao ED-80/DOs, combinitem architecre processosoftware drtections)..
fulfill ED-
ti-core procprovider a
e authoritie
th less autonery compact
C) requirem
dware devie specific cis a speciaenables anrogram runually providrdware inter
ements
lt to achievee by the hars and failur
ain level ofO-254 Apping both idcture mitiga
ors as such drivers (e.g.
80/DO-254
cessor is noat board le
es that Safe
nomy. Theyt and extrem
ments and w
ces. The decomputer bualized hardwnother prognning underdes the requrfacing need
e, due in pardware desire rates are
f descriptionpendix B fodentificationation. devices muhypervisor
4 requiremen
ot achievabevel where ty requirem
y are mely
when
evice us or ware-gram, r the uisite ds.
art to igner e not
n. In or an n of
st be rs or
nts.
le at this
ments
9.1
Fualrex EnexHI AndeAscothe FuEnexan No In
10H
1.2.3. Fore
unctional opready addretent via the
nvironmentapected to mIRF10 and L
nalysis of Cvice supplissembly (Cntrolled viae CBA.
unctional opnvironmentapected to m
nd Lightning
ote that the
conclusionRegardingmulti-coreequipmen
Multi-corewith authoand / or eq
The Equipline with S
HIRF : High I
eseeable Co
perating conessed above
software la
al operatingmeet its ch
Lightning in
COTS Multiiers and app
CBA) and ea the introd
perating conal operating
meet its charg Indirect E
design and
n for this chg SEE, MEEe ones. Th
nt provider.
e processororities to dequipment le
pment proviSEE, MEE,
ntensity Rad
onditions
nditions incle under the ayer embedd
g conditionsharacteristicdirect Effec
i-Core behapropriately equipment
duction of h
nditions incg conditionsracteristics affects (LIE)
developmen
hapter E, LIE and e analysis
r behavior remonstrate wevel (we add
ider has to d LIE and H
diated Field
M
lude all intefeature of
ded on such
s include bocs and perfcts (LIE) an
avior in the mitigated vlevels. The
hardware lim
clude all ins include boand perform) and Single
nt of boards
HIRF, therfor SEE h
egarding SEwhat it is codress here m
demonstrateIRF require
erfaces to/frthe “Intend
h Multi-core
oth normal formance, and Single or
event of anvia software processormitations fo
nterfaces tooth normal
mances, ande or Multipl
s or equipm
re are no difhas to be p
EE has to bovered at prmitigation at
e that mitigements for t
rom the proded Functioe processors
operating cand the abnMultiple E
n SEE is onlre and the rr behavioror HIRF an
o/from the poperating c
d the abnormle Event Eff
ment have to
fferences beprovided by
be known anocessor levt board and
ation at boathe consider
ocessors andon”, this cos.
conditions, wnormal opevent Effects
ly possible rest of the h
under HIRd protection
processors conditions, wmal operatinfects (SEE o
fulfill ED-
etween singy the proce
nd shared, bel and what/ or equipm
ard level andred DAL lev
d instructionould be con
within whicerating cons (SEE or M
using data hardware aRF and LIns from LIE
and instrucwithin whic
ng conditionor MEE)
80/DO-254
gle core proessor manu
by the equipt has to be c
ment level)
nd / or equipvel of the eq
ns activatedntrolled to s
ch the deviditions suc
MEE).
provided byat Circuit BE can onlyE embedde
ctions activach the devins such as H
4 requiremen
ocessors andufacturer to
pment provcovered at b
pment levelquipment
d. As some
ce is ch as
y the Board y be d on
ated. ce is
HIRF
nts.
d / or o the
vider, board
is in
9.2
Pro
Th Strwilife Coco SeKacri
9.2
TotheMomegu Thinf
9.2
Ththe
Thcer
Thco
Thlife
Thter
2. PROCE
ocessor sele The m
The prhe correspon
rategic criteill to performfe expectanc
onversely, tnsidered pr
everal propoarlsson, 200iteria.
2.1. Strate
o be able to ere is a groost of the tentioning fe
uaranteed pe
his section aformation (e
2.1.1. Selec
he manufacte avionic do
he manufactrtification p
he manufactmmunicatio
he manufactfe expectanc
he manufactrm support
ESSORS SE
ection depenmanufacturer
rocessor desnding select
eria mainly m the requircy and its w
technical serocessor is a
ositions of c06) and (Gr
egic selectio
take the rigowing gap btime, manuew informaterformances
aims at proveventually u
ction criter
CRITERIA
turer has exomain
turer is invoprocess
turer publishons
turer has a scy
turer ensure
ELECTION
nds on two r
sign. tion criteria
deal with tred tests an
will to provid
election crita good one f
criteria havreen, et al.,
on criteria
ght decisionbetween a facturers prtion on the s and determ
viding objeunder NDA
ria regardin
xperience in
olved in the
hes specific
sufficient
es a long
M
N
essential fa
a are named
the opennesd measuremde a long-te
teria aim atfor safety cr
e been intro2011). We
n, some claCOTS procrovide exhaarchitecture
minism as re
ctive criteriA) to ensure
ng the man
POSSIB
Y
Y
c Y
Y
Y
actors:
strategic an
ss of the mments, for inerm product
t determiniritical and h
oduced in te can sum u
assification ccessor’s arcaustive infoe. Howeverequired in th
ia on the mdeterminism
nufacturer
BLE VALUE
Yes – no
Yes – no
Yes – no
Yes - no
Yes - no
nd technical
manufacturernstance concion for the c
ing, with thhard real-tim
the avionic up those co
criteria deachitecture cormation onr, architectuhe certificat
manufacturerm.
situation
ES
This hcertific
As avinecessensure
long te
l.
r regarding cerning the considered p
he informatime applicati
communityontributions
l with the mcomplexity n the procesural information process
r’s implicati
OBS
ighlights a pcation proce
onic systemary that the
e long term p
erm support
design infoSER. Theyprocessors.
tion availabions.
y, for instanin the follo
manufactureand its pro
ssor’s functation is neces.
ion to prov
SERVATIONS
public will ess
ms have a loe manufactuproduction
t is required
ormation any also addres
ble, whether
nce (Forsberowing selec
er itself. Indoposed servtionalities wessary to en
ide the requ
S
to pass the
ong life, it isurer is able t
d
nd its ss its
r the
rg & ction
deed, vices. while nsure
uired
s to
9.2
Decriagwiex Mo(Siinc
Thinfde
Thinf
Thinf(SE
9.2
Tecobo Wtha
9.2
Than
9.2
Thsev
2.1.2. Man
esign informitical becauree to comith devices change.
oreover, foringle Eventcluding SEU
CR
he manufactformation osign
he manufactformation o
he manufactformation oEU/MBU)
2.2. Techn
echnical selensidered pr
oth for multi
e introduceat constitute
2.2.1. Focu
he structure nd services u
Ins2.2.1..1
he instructioveral catego
nufacturer
mation on ase it has a s
mmunicate sof equivale
r an avionit Effect) naU/MBU esti
RITERIA
turer providon the proce
turer providon bugs and
turer providon SER
nical selecti
ection criterocessor. Foicore and si
e here a none one main c
us on core a
of a core husually foun
struction m
on set (ISA)ories of inst
openness r
a COTS prostrong impapecific desent function
c componeamed also, bimations. U
des ssor
des errata
des
on criteria
ria aim at ior multicorengle-core p
n-exhaustivcontribution
architectur
has a strongnd in a core
model
) is one majtructions:
M
regarding d
ocessor is nect on the peign informanality, it is
nt, it is necby processo
Usually, man
POSSIBLE
VALUES
Yes – No –under NDA
Yes – No –Under NDA
Yes – No –Under NDA
dentifying ue processorsrocessors, a
e list of genn of the stud
re
g impact onare describ
or interface
design and t
ecessary to erformance ation that wrelevant to
cessary to pors manufacnufacturers
– A
Collabomandatauthoriprocess
– A
Such inthe collapplica
– A
Usuallyconcern
undesirables, we can dand multico
neric selectdy, are intro
n the executbed here.
e between h
tests inform
certify an of the chip
would be reo favor man
perform specturer SER perform suc
O
oration withtory in ordeity enough esor
nformation ilaboration b
ant and the p
y, manufactning SER o
e features andistinguish gore-specific
tion criteriaoduced and
tion of the
hardware an
mation
avionic plat. Therefore,equired to enufacturers
ecific robus(Software
ch tests on t
OBSERVATIO
h the procesr to provide
evidence of
is mandatorbetween theprocessor m
turers perforn their own
nd correlategeneric seleselection cr
. Multicoreexplained in
embedded
d software.
atform. Such, the manufensure detewho agree
stness tests,Error Rate)their own fo
ONS
ssor manufae to the certf mastering t
ry and a maje certificatiomanufacturer
rm investign.
ed mitigatioection criterriteria.
e specific sein the next c
software. T
It can be d
h informatiofacturer mayerminism. T
on informa
such as a ) determinaor internal u
acturer is tification the
ajor part of on r
ations
on means onia that are v
election critchapter.
The compon
decomposed
on is y not
Then, ation
SEE ation, use.
n the valid
teria,
nents
d into
Usof for Soexex W
Thco
SeinssupInssamThbeThful
ThsuppriInsresor levco
11 N
Arithmlocks.
Branch Memo Config
MMU Floatin
sually, an inone or mo
rbidden, suc
ome processecution is ternal floati
e consider t
CRITE
he instructiomplete
everal differstruction setpported structions hme length he instructio extended
he instructiolly supporte
he instructiopports hypeivilege levestructions cstricted to suhypervisor
vel by SW nfiguration
NOP : No OP
metical instr
h instructionory instructiguration ins
U or the cachng point ins
nstruction seore ISA. Uch as optim
sors supportgiven to a ing point un
the followin
ERIA
on set is
rent ts are
have the
on set can
on set is ed
on set ervisor el an be upervisor privilege
Peration
ructions. Th
ns, includinions structions. The controllerstructions
et is definedUnder avionized instruc
t a user-defispecific co
nits are integ
ng selection
COMPON
SERVI
Instructiset
Instructiset
Instructiset Instructiset Instructiset
Privilegelevels
Instructiset
M
hey can be d
ng system ca
They are user.
d in a highlynic developctions whose
ined extensioprocessor grated on a
n criteria:
NENT/ICE
ion YesNo
ion Yes
ion Yes
ion Yes
ion Yes
e Yes
ion YesNo
dedicated to
alls
ed to write
y exhaustivpment conse execution
ion of the ISprovided bSoC.
POSSIBLE
VALUES
s – no information
s – no
s – no
s – no
s – no
s - no
s – no information
o use specifi
to specific
ve way, and straints, then is non-dete
SA. Specifiby the user.
n An instcompledecode
If no, thinstruct
If not, treceivinhas to bThis is implem
n This is preventinstruct
fic platform
configuratio
COTS proce use of sperministic.
c instructio. For instan
OBSE
truction set ete if any nod as a NOP
hen it must tion set is n
the platformng any of thbe documenmandatory
mentation is
an elegant mt the executtions.
services, su
on registers
cessors imppecific instr
ons can be dnce, this is
ERVATIONS
can be conson-defined iP11
be proven tnot ambiguo
m behavior whe missing inted
if a hypervexpected
mitigation mtion of non-
uch as hardw
s in the core
plement a suructions can
defined and the case w
sidered as instruction i
that the ous
when instructions
visor
means to trusted
ware
e, the
ubset n be
their when
is
9.2
Thare
Th
Thfetpa
Thpreon
Thins
Thbe
Thposta
Pip2.2.1..2
he pipeline e: Fetch:
accordcompoand mbranch
DecodUsuallbe doc
Execuo
o
o The beof the
he correspon
CRIT
he instructiotch several i
arallel
he instructioe-fetch serv
n a branch u
he pre-fetch side a memo
he branch pr disabled
he branch prolicy is confatic/dynami
peline issue
contains all
: fulfilled bding to theonent may b
maintain a loh predictionde and Disply, several icumented, bute: this stag
The Loadseveral comaintaininThe integimprove pThe floati
ehavior of tgenerated a
nding criter
TERIA
on unit can instructions
on unit has avice dependiunit
is limited ory page
rediction ca
rediction figurable c
es
l processing
by the Fetcheir address.be in chargcal instructi
n algorithm.patch: in thisinstructions
but usually ige is fulfilled/Store Unitoncurrent trng causality
ger Arithmeperformanceing point arithe Load-Stactivity by t
ia are:
COMP
s in Ins
a ing Ins
Ins
an B
B
M
g units able
h Unit. It p. Usually, e of pre-fetion queue. T s stage, insts can be decit is not the d by severa
t for data traransactions.y when thereetical and Les. The allocithmetical uore Unit is uthe embedde
PONENT/SER
CE
Pipeline truction uni
Pipeline truction uni
Pipeline truction uni
Pipeline Branch unit
Pipeline Branch unit
e to execute
picks the init impleme
tch). It can The fetch un
tructions arecoded and dcase.
al processingansactions t. It also use are depen
Logical unitcation is pe
units (FPU)usually comed code.
RVI PO
VA
it Ye
info
it Ye
info
it Ye
info
Ye
info
Ye
info
a program
nstructions tents a pre-also performnit is linked
e read and rdispatched
g units. Wetoward the
sually reordndencies. ts (ALU): u
erformed du
mplex. It is t
OSSIBLE
ALUES
es – no No
ormation
es – no No
ormation
es – no No
ormation
es – no No
ormation
es – no No
ormation
. The usual
to be execu-fetch servim multiple
d to the Bran
routed to thein the same
consider headdress spa
ders read an
usually, thoring the Dis
therefore di
If no, this of the softw
A static branalyze
l stages foun
uted from aice (althoufetches in nch Unit th
e adequate e cycle. Dis
ere: ace. This unnd writes tr
ose units arspatch stage
ifficult to ha
OBSERVAT
may raise pware execu
ranch predic
nd in a pipe
a storage degh a dedicone clock c
hat impleme
execution uspatch rules
nit may manransactions
re duplicatee.
ave a clear v
TIONS
page faults oution flow
ction is easi
eline
evice cated cycle nts a
units. s can
nage still
ed to
view
out
ier to
Thme
Trbe
Intrenex
9.2
Thchhaor A rigtraha Thtra
he LSU reoremory and I
ransaction re forbidden i
ternal registnamed durinecution
Vir2.2.1..3
he virtual marge of tran
as the sufficiat both leve
MMU usuaghts, and a sanslation ruardware or s
he virtual manslation rul
rders the IO transacti
eordering cain the LSU
ters are ng instructio
rtual memo
memory servnslating virtient access els.
ally containstorage devles. A TLBoftware.
memory is le contains t
ions Loa
an Loa
on R
ory manag
vice is provtual addresrights. On m
ns two compvice, such asB behaves li
defined withe page off
M
Pipeline ad/store uni
Pipeline ad/store uni
Pipeline Renaming
ement
vided by theses into phymulticore pl
ponents: ons the Translike a cache
ith pages fffset, size an
it Ye
info
it Yespa
info
Ye
info
e Memory Mysical addrlatforms, th
ne dedicatedlation Look
e, so it has
frames. A pnd access rig
es – no No
ormation
s – no – artially
No ormation
es – no No
ormation
Managemenesses, and v
his service c
d to actuallyk aside Buffa replacem
page is defghts. Page s
Transactioindeterminworst casebounded
This optim
nt Unit (MMverifying than be locate
y translate afers (TLB)
ment algorith
fined by itsizes can be
on reorderinnism whosee performan
mization me
MU). This chat the requed at core, a
addresses anto save loc
hm that is i
ts size and e fixed or va
ng is a sourc impact on
nce has to be
chanism
component uesting softwat platform l
nd check acally the addimplemente
an offset. ariable.
ce of
e
is in ware level
ccess dress d by
The
W
TL
Threpalgimha
Thfix
Thpa
9.2
Thscrreainswhthe Thpe W
Priscrco
Prireppo
e define the
CRITER
LB storage
he TLB placement gorithm is
mplemented ardware or s
he page sizexed or variab
he MMU deages overlap
Pr2.2.1..4
he use of ratchpads. Aal-time appstructions (when accessine cache repl
he size and rformance.
e define the
CRITERIA
ivate cache ratchpad ntents
ivate cache placement
olicy
e following
RIA C
MT
in oftware
MTa
e is ble
M
etects pping
M
ivate cache
hierarchicaA scratchpalications, awhen the song private clacement po
the archite
e following
A COM
and PrivascratArch
Priva
classificatio
COMPONEN
E
MMU TLB archite
MMU TLB repalgorithm
MMU
MMU
es and scra
l memory ad is usuallya classic appoftware’s d
caches and solicy.
ecture of ea
classificatio
MPONENT/SE
CE
ate caches atchpads hitecture
ate cache
M
on criteria:
NT/SERVIC
ecture
placement
tchpads
improves y viewed as proach con
data and insscratchpads
ach cache,
on criteria:
ERVI
and DataL1 or
L P
un
POSSIBL
TLB (L1/L2, data/instru/unified)
Yes – no –No inform
Fixed –both
Yes – noNo inform
the performa cache wi
nsists of fillstructions al is consider
scratchpad
POSSIBLE V
a – instructior L1+L2 hie
Least RecenPseudo Leasused (documnot)
LE VALUES
hierarch
uction
– both mation
variable
mation
mance of sith its manaling the scrllow it). In red to be bo
and memo
VALUES
on – unifiederarchy
ntly Used st recently
mented or
hy
A softwthe TLBis prefe
– Variabldecreasmiss
If pagessource osecurity
software. Wgement impatchpad wita general wunded. Con
ory have a s
d
LRUpref
PLRdoc
OBSERVA
ware implemB replacemeerable
le size pageses the numb
s can overlaof indetermy failure
We encounplemented bth the softwway, the timntent predic
strong impa
OBSERVA
U, LFU andferred policRU needs tocumented as
ATIONS
mentation ofent algorith
s use ber of TLB
ap, this is a minism and a
nter caches by softwareware’s dataming variabtion depend
act on softw
ATIONS
d FIFO are tcies for analo be s it is usually
f hm
a
and . For
a and bility ds on
ware
the ysis
y
9.2
Mope In the W
This
Them
This traint
Thcome
Thmeag
Thcan
2.2.2. Focu
ost COTS rformances
many caseeir actions.
e define the
CRITE
he overall ardocumented
he hardwarembeds micro
he hardwareable to initi
ansactions oterconnect
he hardwarentains interemory
he acceleratoemory is proainst SEU/M
he hardwaren be bypass
us on perip
systems o. This is esp
es, such har
e following
ERIA
rchitecture d
e acceleratorocode
e acceleratoriate master on the
e acceleratorrnal
or internal otected MBU
e acceleratorsed
pherals
on chip empecially the
rdware acce
criteria:
COMP
HardwA
r HardwA
r HardwA
r HardwA
HardwA
r Hardw
M
R L F
mbed hardwcase for ne
elerators are
ONENT/SER
ware acceleArchitecture
ware acceleArchitecture
ware acceleArchitecture
ware acceleArchitecture
ware acceleArchitecture
ware accele
Random Least frequeFIFO
ware acceleretwork proc
e highly co
RVICE
erator e
erator e N
erator e N
erator e N
erator e N
erator N
ently used
rators in oessing devic
onfigurable
POSSIBLE
VALUES
Yes - no
Yes – noNon docume
Yes – noNon docume
Yes – noNon docume
Yes – noNot docume
Yes – noNot docume
impopti
Ranthe com
order to incces.
and are gra
E
S
o
o ented
If yecerti12/D
o ented
If yebe destimon th
o ented
o ented
Pari
o ented
Thisthe hbehaavio
plemented wimizations fndom replacworst choic
mpletely non
crease the
anted a larg
OBSER
es, this micrified accordDO-178B/C
es, a worst cdetermined imate the octhe intercon
ity or ECC h
s criterion ihardware acavior is incoonic usage
with for streamincement police as it is n analyzable
I/O proces
ge autonom
RVATIONS
rocode has ding to ED-C
case load hain order to cupied bandnect
has to be en
s mandatoryccelerator ompatible w
ng cy is
e
ssing
my in
to be
as to
dwidth
nforced
y when
with an
9.2
Moexop W
Thserdeexreg
It itrage
12 G
2.2.3. Focu
ost COTS ecution… T
perating syst
e define the
CRITE
he processorrvice for intbugging (stecution andgisters view
is possible tace of the tranerated by t
GDB: Gnu D
us on hardw
processorThe usual wtem, debugg
e following
ERIA
r offers a ternal tep by step d internal w)
to have a ansactions the core
DeBugger
ware assist
s provide way to debgers such as
criteria:
COMPON
DebuCor
DebuPlatfo
M
for debug
debug mebug bare ms GDB12 can
NENT/SERVI
CE
g service re level
g service orm level
and monit
echanisms metal softwa
n be used.
I POSS
Not
Not
toring
that enablare is to us
SIBLE VALU
Yes – no documente
Yes – no documente
e breakpoise the JTAG
ES
ed Thpiesofproits
ed Thdirgeninteest
int insertioG interface
OBSERV
his is useful ece of embeftware and mocessor behexecution
his is useful rect view of nerated by terconnect lotimation
on, single e. On top o
VATIONS
to validate edded monitor the avior during
to have a f the activitythe core for oad
step of an
a
g
y
9.3
Th
9.3
IdeanThmu(FP
9.3
Idetheof thethe EmpremaThmeshu OtproanCO Deproof
3. MULTI
his chapter c
3.1. Summ
entify the tyny that are anhe multi-corultiple procPGA) and a
3.2. Summ
entify the eem with thethe study. C
e cores are he number of
mphasis shaevent the fuanner. hese would emory, cachut down a c
ther featuresovided with
nd other comOTS IP and
etails in theocessors, wthe report.
I-CORE TE
covers tasks
mary of task
ypes of munticipated inre processorcessor coresany other ty
mary of task
ssential base types of pCharacteristhomogeneof cores or w
all be placedunctions exe
include fehe, data bucore, alter it
s to captureh the procesmponents, owhether it
e spread shewith the deta
ECHNOLO
s 1 and 2
k 1
ulti-core pron the near furs identifieds with otherypes of mult
k 2
sic architectrocessor inttics that mig
ous or heterowhichever ot
d on featureecuted on th
eatures thats or I/O de
ts executing
e in the spressor and anor to controwas develo
eet should bailed explan
M
OGY STAT
ocessors curfuture (i.e. thd should incr airborne hti-core proce
tural characto a spreadsght be takenogeneous, tther criteria
es that diffehe processo
t may enabevices and ag frequency
ead sheet mny features tol the execuped and ver
be limited, snations of th
TE-OF-THE
rrently avaihe next thre
clude DSPs hardware deessors that t
cteristics or sheet or datn into accouthe memorya the study id
er from thosors from beh
ble interferany featureor dynamic
may include to control tution of anrified in com
such as the he features
E-ART
ilable from ee years). (Digital Sigevices suchthe study m
componenttabase that sunt in such y, cache anddentifies as
se of currenhaving in a
ence betwes intended
cally alter th
the presencthe hardwarny hosted sompliance wi
title or catand their im
the major
gnal Processh as Field-P
may reveal.
ts of each tyshall be dela classificat
d data bus arbeing impo
nt single cordeterminist
een cores dto save ene
he number o
ce of any sore or the daoftware. Thith any DAL
egory of thmplications
manufactur
sors), devicProgrammab
ype of proclivered to E
ation might iarchitecturesortant.
re processotic and robu
due to comergy that mof executing
oftware or Cata transfershe study shL of ED-12
he feature or being prov
rers, along
ces that comble Gate Ar
cessor and inEASA at theinclude whes of the dev
ors and that ustly partitio
mmon accesmay dynamicg tasks.
COTS IP ths between c
hall identifyB / DO-178
r the numbevided in the
with
mbine rrays
nsert e end ether
vices,
may oned
ss to cally
hat is cores y any 8B.
er of e text
9.3
Wthethe Thma Th
WhaemThsm UM(selow SAmefou Ex
FreAR
AndeTharcto
3.3. Basic A
e can find de different te cores.
he architectastered befo
hree main pr Unifie
Distrib
Single
hen analyziave their mambedded in this architectmall core or
MA multi-cee chapter 9w-end proce
ADM multiemory and cund, for exa
xample of d
eescale P1, RM CORTE
nalyzing prmonstrated
hat means tchitecture aa generic ap Interc
Cache
Share
Architectu
diverse Multypes of me
ture for meore declarin
rocessor famed Memory
buted Archi
e Address sp
ing market pain architecthe chip. ture consumfor embedd
core process9.3.3.1..1), tessors.
-core procecan have acample, in Fr
eployed muUMA P2 family
EX® A8 an
rocessors aat this leve
that we neeand associatpproach basconnect
e
ed resources
ure characte
lti-core procmory acces
emory acceg that the pr
mily ArchiteAccess (UM
itecture (DA
pace, Distrib
processor acture based
mes a lot oded cores
sor architectthis architec
essor architccesses to oreescale, AR
ulti-core arc
nd below
architecture,el of abstraced to conduted featuressed on crite
s
M
eristics
cessor archisses on the o
esses can grocessor can
ectures can MA),
A)
buted Mem
architecture,on the DA
f pins linke this family
ture is organcture can be
tecture is other core mRM or INTE
chitecture:
NVIDIA, A
, we can’ttion.
uct the analcan be con
ria per dom
itecture regother hand w
generate a ln be used in
be found in
mory (SADM
, we can noA one with
ed to Memy is not add
nized aroune found for
organized armemories usEL® family
DA ATI
t find show
lyze procesnsidered as
main:
arding the owhich is as
lot of diffin a safe env
n the marke
M)
tice that GPa variant th
ory Independressed in th
nd one memr example in
round Coreing bus and
y for their h
w stoppers
sor by procsuitable or
organizationmost impor
culties thatvironment lik
t
PUs from Ahat is each
ndence per his report.
mory which n Freescale
es having thd/or Networigh-end pro
FreescalARM CCORTEINTEL®
or unsuita
cessor, to vnot, so this
n of cores oortant as the
t we have ike an aircra
ATI or NVDdedicated c
core so th
is shared beand ARM
heir own crk. This archocessors.
SADMle P3, P4, P
CORTEX® AEX® A15 ® Core I7, C
able featur
verify if thes is why Th
on one handorganizatio
to analyzeaft.
DIA for examcore memo
hey are used
etween all cfamily for
ache, dedichitecture ca
M P5 and T famA9,
Core I5
res that can
e corresponhales has mo
d and on of
and
mple ry is
d for
cores their
cated an be
mily
n be
nding oved
9.3
In wi
9.3
Th
In thape Thoth
3.3.1. Mem
this chapteith these arc
Un3.3.1..1
he multi-cor
this type oat this accerformed fro
his type of her hand to
mory sharin
er we propochitectures.
nified Mem
re processor
of architectuess time is dom or to the
architecturemanage com
ng architec
se to presen
mory Access
r architectur
ure, Access directly link
e memory ca
e requires ammunicatio
C
M
cture
nt the differ
s (UMA)
re is organiz
time to theked with than be only o
arbitration mon between
Core 1
C
EXTE
rent types o
zed around
e memory ihe memory one data per
managemencores and s
BUS
Core 2
RNAL MEMO
of memory a
one memor
is the same bandwidth
r access.
nt on one hsynchroniza
Core n
ORY
accesses and
ry which is
for each prthroughput
and and inttion if requi
d the key p
shared betw
rocessor but; Read or W
tegrity mecuired.
oints associ
ween all cor
ut we can noWrite opera
chanisms on
iated
res:
otice ation
n the
9.3
UMan
ThsamdamoAi
In
13 S
Wh3.3.1..2
MA architecnd External M
hese cache me data are
ata needs to ode where irborne Soft
multi-core
SMP : Symm
hat about c
cture is upgMemory. T
memories iea, when on
know that one Opera
tware applic
e processor
metrical Multi
caches?
graded introhese memo
introduce one of these the data ite
ating Systemcation in a g
rs we need t
Programmin
M
oducing cacries have th
other kind otwo manipu
em is upgram managesgiven period
to take car
ng
Core 1
EXT
Cache C
he memoriehe same clas
of problemsulate a dataaded by anos all cores d of time).
re about how
BUS
Core 2
TERNAL MEM
Cache
es; these aress of access
s linked to a item, the other core (
allocating
w Cache M
Coren
MORY
Cache
e high spee time as its
data integrisecond corethis problemthem to p
Memory Co
e
ed memoriesdedicated c
rity. If two e which ham occurs mprocesses fo
oherency is
s between ccore.
cores shares a copy of
mainly in SMfor one run
assumed
cores
e the f this MP13 nning
9.3
In de
A
Wwhbe
Conequarc
Resin
14 G
Dis3.3.1..3
this Archipending on
local netwo
e can find there memortween cores
ores can be twork. With
uality and pchitecture.
emark: in thngle core pr
GPU : Graph
stributed A
itecture, ean the process
ork realizes
the use of try is embeds and the ou
allowed (dh this kind performanc
his architecrocessor (sep
hics processi
EXT M
Core 1
Cache
I
Architectur
ach core hasor architec
the link bet
this kind ofdded insideutside.
epending onof architec
e of the lo
cture, Memoparate cach
ing Unit)
MEMORY
I/F
M
re (DA)
as the use ture.
tween cores
f architecture the die an
n the implecture, the peocal networ
ory Cache Me and memo
EXT ME
Core 2
Cache
I/F
of a dedic
s and it is us
re, with or wnd dedicate
emented polerformance rk. We can
Managemenory are dedi
EMORY
F
LOCAL NETWOR
cated memo
sed for data
without cacd per core.
licy) to havof the glob
n also spea
nt is simplifiicated to ea
E
C
C
RK
ory with or
and/or com
ches, mainly A Networ
ve access dirbal processoak about th
ied and occuch core).
XT MEMOR
Core n
ache
I/F
r without d
mmand trans
y in GPUs1
rk is used t
rectly to theor is directhis being s
curs in the sa
RY
dedicated c
sfer
4 with a vato commun
e data usingtly linked toshared mem
ame way as
cache
ariant icate
g the o the mory
s in a
9.3
Thals
In meNe Nopaallthe
Ar3.3.1..4
his is the lasso have ded
this architeemory shareetwork.
ote: In somart of the glol the transfee selection o
Core 1
Cache
rchitecture
st class of pdicated mem
ecture we ced between
me multi-corobal networers in a clusof a multi-c
EXT M
Core 2
Cache
named “Si
processor armory but the
can notice tcores alloc
re architecturk. In this vster without
core is propo
MEMORY
BUS
Con
Cac
M
ingle Addre
rchitecture y can have
that we havated to this
ure, like in variant of art causing peosed).
ore n
che
ess space, D
named SADaccess to ot
ve separate cluster. Ex
QorIQ™ frrchitecture,erturbation
LO
Co1
Cac
Distributed
DM where ther core m
clusters. Exchanges be
rom Freescathe bandwto the othe
E
OCAL NETWORK
ore 1
Co2
Cacche
d Memory”
Cores haveemories usi
Each clustertween clust
ale or in ARidth is at le
ers (this poi
EXT MEMOR
K
BUS
re
che
” or SADM
e their own ing the bus
r can have ters are real
RM, the clueast dimensiint has to b
RY
Core n
Cache
SA
898 – rev. 07
M
cache, theyor the Netw
its own prilized using l
uster bus is ioned to sue verified w
y can work.
ivate local
also stain
when
9.3.4. Multi-core galaxy overview

This analysis is based on public available information; information under NDA can’t be described in this analysis.

See Excel File where galaxy overview has been developed.

Multicore_processors_roadmap_r2.xlsx

9.3.4.1. A short overview of processor roadmap

We speak about a short overview due to the fact that this chapter can only detail accessible information on processor roadmap from the three main actors in the computing domain those are: Freescale, ARM and INTEL®. Detailed available information on core architectures is in the Excel Spread Sheet.

9.3.4.1..1 Freescale Roadmap

Figure 2: Freescale Roadmap (source: Freescale)
First Generation

P1 series is tailored for gateways, Ethernet switches, wireless LAN access points, and general-purpose control Airborne Software. It is the entry level platform, ranging from 400 to 800 MHz devices

P2 series is designed for a wide variety of applications in the networking, telecom, military and industrial markets. It will be available in special high quality parts. It is the mid-level platform, with devices ranging from 800 MHz up to 1.2 GHz.

P3 series is a mid-performance networking platform, designed for switching and routing. The P3 family offers a multi-core platform, with support for up to four Power Architecture e500mc cores at frequencies up to 1.5 GHz on the same chip, connected by the CoreNet™ coherency fabric.

P4 series is a high performance networking platform, designed for backbone networking and enterprise level switching and routing. The P4 family offers an extreme multi-core platform, with support for up to eight Power Architecture e500mc cores at frequencies up to 1.5 GHz on the same chip, connected by the CoreNet™ coherency fabric.

P5 series is based on the high performance 64-bit e5500 core scaling up to 2.5 GHz and allowing numerous auxiliary application processing units as well as multi core operation via the CoreNet™ fabric. Applications range from high end networking control plane infrastructure, high end storage networking and complex military and industrial devices

Second generation

T series is based on high performance 64 bits e6500 dual-threaded core with ALTIVEC function. The internal architecture is based on clusters, each containing four dual-threaded cores and one memory controller and various other accelerators

Third generation

X series: no information can be available for this series.
9.3.4.1..2 ARM Roadmap

ARM has a strong reputation as an IP provider and manufacturer of low-power consumption processors. A lot of microcontrollers implement the ARM IP, and it is the leader on this market.

ARM proposes a set of IP for multicore processors: MPCore™. It contains an IP for an interconnection: Corelink™. This highly configurable interconnection can support several ARM bus protocols: AMBA® ACE, AMBA® AXI, AHB, AHB-Lite, and APB. It supports three kinds of cores: CORTEX®-A9, CORTEX®-A15 and ARM11, and it can connect up to 4 cores.

ARM components’ architectures are open and documented. This goes in favor of being a good candidate for use in avionics and for further assessment.

CORTEX®A15 is based on a 1 to 4 core product, SMP within a single processor cluster up to 2,5 GHz. Its 4 core version is designed for use in Home & Web servers, Wireless Infrastructure Equipment, Digital Home entertainment and its 2 core version is designed for Smartphone and Mobile Computing.

CORTEX® A9 is based on a 1 to 4 core product. It is designed for Mainstream Smartphones, Tablets, Set top boxes, Home Media Players, Auto Infotainment, Residential Gateways and the 1st generation ARM low power server.

CORTEX® A8 is based on a single core processor with a Frequency range from 600MHz to 1GHz. It has been designed for Smartphones, Netbooks, Set-up Boxes, Digital TV, Home networking and Printers.

No public information is available after CORTEX®A15

Figure 3: ARM Roadmap (source: ARM)
9.3.4.1..3 INTEL® ROADMAP

Figure 4: INTEL Roadmap (source: INTEL)
INTEL® proposes a large variety of multicore processors for domestic, professional or embedded use. We propose to give below a quick overview of the existing series

INTEL® Atom™:
  o This series of processors is dedicated to embedded systems (on this market, the leader is ARM). The current generation is the third one with dual-core products. There are two major series: the D(esktop) and the N(etbook). A particularity is the memory hierarchy stack: there is only one shared cache for all the cores.

INTEL® Core™ i7:
  o This series is dedicated to a domestic use (desktop applications, gaming…). The current generation is the second one (released in late 2011) and is composed of 2, 4 and 6 core processors. They embed the classic INTEL® optimizations (turbo boost, support for virtualization). Their memory hierarchy is two level of private cache per core, and a level of shared cache. An extension to this series is the Intel® Core™ i7 Extreme.

Intel® Core™ i5:
  o This series is similar to the Intel® Core™ i7, except it is composed of 2 and 4 cores processors. Globally, the performance of those processors is lower than those from the Intel® Core™ i7 series.

Intel® Core™ i3:
  o This series is similar to the two previous ones, except it is only composed of dual-core processors, with worse performance.

Intel® Celeron™:
  o A Celeron is a processor belonging to another series with limited capacity and a lower cost. This series contains some dual-core processors.

Intel® Core™ 2:
  o This series contains different types of processors, some dedicated to desktop applications, some dedicated to high performance and some dedicated to low consumption. This series is composed of 1, 2 and 4 cores processors.

Intel® Pentium™:
  o This series contains some low-cost dual core processors.

INTEL® doesn’t give out any more public information than that collected in this short term Roadmap. Available information has a one year limitation and is focused around the new bridge (no information on internal features) and around new core performance.
9.3.4.2. Multi-core processors manufacturers and addressed market segments

The multi-core technology can be used in several market segments. A non-exhaustive list of such segments is provided below:

| Application Domain | Expected characteristics | Manufacturers |
|---|---|---|
| Desktop and gaming applications | Correct average performance for general operations and floating points operations. No real-time guarantees are required. | INTEL®, AMD, IBM, Broadcom Corp |
| Multimedia applications | Fast integer and floating point calculus, required in image and video processing. The corresponding systems may consider soft real time constraints in order to be reliable in stream processing. | Nvidia, AMD, Texas Instruments, VIA, Freescale, Broadcom Corp |
| Safety applications (automotive, medical, spatial, defense, avionics) | High level of integrity and hard real time performance. Robustness under aggressive environmental constraints is very important, especially in spatial applications. | Aeroflex Gaisler (spatial), ARM, Freescale, IBM, Texas Instruments, Marvell, Infineon (defence and aerospace), Parallax Semiconductor (medical) |
| Automotive (low critical functionalities) | Low-power consumption, reliability and soft real-time constraints | Freescale, Infineon |
| Networking applications (mainly switches and servers) | High bandwidth in network processing and correct platform integrity. Because those applications are usually in contact with the open world, security features, including partitioning, are very important. | Oracle, IntellaSys, Freescale, IBM, Broadcom Corp, Cavium Corp, Tilera, Marvell, Fujitsu |
| High performance industrial applications | High bandwidth in network processing and extremely fast integer and floating points operations for digital signal processing. | Texas Instruments, IntellaSys, Cavium Corp, IBM, Fujitsu. |
| Low power embedded applications | Acceptable performance while limiting the power consumption. | ARM core IPs Freescale, Infineon, Nvidia, Texas Instruments, Broadcom Corp |
9.3.4.3. Academic projects around multi-core

Several academic projects address multi-core concerns for hard real-time systems, including Embedded Aircraft Systems. Those projects aim at introducing new hardware and software concepts in classic multi-core architectures to enforce determinism and real-time behavior on virtual or synthesized platforms. Such concepts can be implemented on general purpose COTS processors if processor manufacturers can find some commercial interest.

In the state-of-the-art of academic projects dealing with predictability on multi-core platforms, we found the relevant projects:

- MERASA, parMERASA: This project (Multi-Core Execution of Hard Real-Time Applications Supporting Analysability) and its extension aim at proposing a set of tools and recommendations for predictability and WCET analyses on a multi-core architecture. The first project is finished now and it proposes the following tools :
  o A fully FPGA synthesizable multi-core processor targeting
  o A SystemC simulator of determinist multi-core platform
  o WCET analyses tools for embedded software. They are based on the open-source library Otawa and on the proprietary tool Rapitime.

- JOP: This is a FPGA implementation of a multi-core processor executing java bytecode. It comes with a configurable deterministic interconnect bus and a predictable memory. This project explores some possible optimizations for the interconnect configuration.

- MUSE: This project deals with real-time multi-core for spatial platforms. They address problems close to fault-tolerance. This project’s concerns are close to Embedded Aircraft Systems concerns. Indeed their main lock is the parallelization of critical operations.

- ARAMiS: This project was launched by the German government in the end of 2011. It aims at developing concepts that could enable the use of multi-core platforms in automotive, railway and Embedded Aircraft Systems.
9.3.4.4. Industrial collaborations

In this chapter, we address the two main initiatives around multi-core:

- MCFA (Multi-Core For Avionics) initiative was launched by Freescale in early 2011 with the major actors of Embedded Aircraft Systems, a detailed list of actors and objectives can be found on the MCFA website : http://media.freescale.com/phoenix.zhtml?c=196520&p=irol-newsArticle&ID=1606741&highlight

- The Multi-core Association® (MCA) is an industry association that includes leading companies implementing products that embrace multi-core technology. Their members represent vendors of processors, operating systems, compilers, development tools, debuggers, ESL/EDA tools, simulators, application and system developers, and universities. Their primary objective is to define and promote open specifications to enable multi-core product development. The complete list of actors can be found on their website : http://www.multicore-association.org/

9.3.5. Software support for Embedded Aircraft Systems

9.3.5.1. Airborne Certified Operating System

A wide community of actors act in Avionics Embedded Software, a sum-up is given below:

- Wind River with two class of Operating System
  o VxWorks CERT Platform – Certified Operating System based on VxWorks compliant with ED-12B/DO-178B
  o VxWorks 653 Platform – Operating System featured from VxWorks with an ARINC653 API supporting DO-197

- Green Hills Software which provides
  o Integrity-178B RTOS[15] which offers an ARINC653 API
  o GMART, an ADA run-time compliant with ED-12B/DO-178B level A
  o Integrity Multivisor : an hypervisor that offers virtualization to help hosting a wide diversity of Operating System

- SYSGO which provides
  o PikeOS a micro-kernel offering both a RTOS and a virtualization concept

- LynuxWorks which provides
  o LynxOS-178a RTOS offering via Virtual Machine a virtualization concept
  o LynxOS 178 is a FAA – accepted Reusable Software Component (RSC)

- DDC-I which provides
  o DEOS, a RTOS certified up to level A supporting ARINC653 part4
  o HeartOS, a micro-kernel POSIX Based certified to ED-12B/DO-178B up to level A

[15] RTOS : Real Time Operating System
- THALES Avionics which provide
  o MACS2, an ARINC653 Operating System certified up to level A and supporting Incremental Certification.

This is a non-exhaustive list of Operating System providers and Operating System used in embedded certified Embedded Aircraft Systems

Some OS providers offer virtualization techniques to help the hosting of different Operating Systems in different temporal slots, these techniques are mainly based on what it is called micro-kernel.

Most of these Operating System providers offer a multi-core approach of their solution based only on compatibility with ED-12B/DO-178B or ARINC653 but without a real analysis on how to manage the multi-core processor regarding the certification point of view.

9.3.5.2. Software definition / explanation

9.3.5.2..1 Processes and Threads

Threads differ from traditional multitasking operating system processes in that:

- Processes are typically independent, while threads exist as subsets of a process
- Processes carry considerably more state information than threads, whereas multiple threads within a process share process state as well as memory and other resources
- Processes have separate address spaces, whereas threads share their address space
- Processes interact only through system-provided inter-process communication mechanisms
- Context switching between threads in the same process is typically faster than context switching between processes.

9.3.5.2..2 Multithreading

Multi-threading is a widespread programming and execution model that allows multiple threads to exist within the context of a single process.

These threads share the process' resources, but are able to execute independently. The threaded programming model provides developers with a useful abstraction of concurrent execution. However, perhaps the most interesting application of the technology is when it is applied to a single process to enable parallel execution on a multiprocessing system.

9.3.5.2..3 Processes, kernel threads, user threads

A process is the "heaviest" unit of kernel scheduling. Processes own resources allocated by the operating system. Resources include memory, file handles, sockets, device handles, and windows. Processes do not share address spaces or file resources except
through explicit methods such as inheriting file handles or shared memory segments, or mapping the same file in a shared way. Processes are typically preemptively multitasked.

A kernel thread is the "lightest" unit of kernel scheduling. At least one kernel thread exists within each process. If multiple kernel threads can exist within a process, then they share the same memory and file resources. Kernel threads are preemptively multitasked if the operating system's process scheduler is preemptive.

Threads are sometimes implemented in userspace libraries, thus called user threads. The kernel is not aware of them, so they are managed and scheduled in userspace. Some implementations base their user threads on top of several kernel threads to benefit from multi-processor machines.

9.3.5.3. The impact of multi-cores on Software Development

9.3.5.3..1 Memory Management

Multi-core processor offers opportunities to increase performance and reduce footprint (size weight and power dissipation).

Multi-core presents a new challenge to deal with, how to take benefit of these cores, currently not much Airborne Software can benefit from such advantages due to the complexity of parallelization. Each core contains its own set of execution resources, resulting in very low latency parallel execution of Airborne Software threads within a single physical CPU package.

The benefits of multi-core processors are not limited to increased performance. Multi-core processors provide greater system density, allowing organizations to maximize the productivity of their available floor space.

Since they operate at lower frequencies, multi-core processors use less power and generate less heat per core than the commensurate number of single-core processors

M_REM1: Most of the multi-cores share their front side bus as well as the last level of cache. Regarding this, it is possible for one core to saturate the shared memory bus resulting in degradation of performance and safety.

The front side bus, which is also known as the memory bus, is the "highway" upon which data travels as it is written to or read from memory.

“Memory bandwidth” is the amount of data that can travel on the memory bus in a given period of time usually expressed in MBps[16] or Gbps[17]. Although improvements in memory system performance have historically lagged behind improvements in processor performance, the chip manufacturers are working hard to close the gap.

But even if they're successful, if the new multi-core chips implement significantly faster memory systems, as long as the memory bandwidth is shared between the cores, there will always exist the potential for bottlenecks.

[16] MBps : Mega-Byte per second
[17] Gbps : Giga-bits per second
And as the number of cores per processor and the number of threaded Airborne Software applications increases, the performance of more and more Airborne Software applications will be limited by the processor’s memory bandwidth.

One approach per example can be:
One technique which mitigates this limitation is to intelligently schedule jobs onto these processors, managing the memory bandwidth demand versus its supply. Avionics Airborne Systems can be configured to automate this technique when hosting high DAL level A Airborne Software.

At Avionics Airborne System level, with the use of an Hypervisor, the "memory bandwidth resource" that represents the amount of available memory bandwidth is created and assigned to each core. The value of this "memory bandwidth resource" can be configured on each core by the Hypervisor itself. The memory bandwidth resource is now shared among the Airborne Software applications running on the different cores of the Multi-core processor.

9.3.5.3..2 Mapping

In advanced parallel processing Airborne Software, the final step in this process is mapping the threads to cores. In our assignments, this mapping can be done by the Operating System statically or dynamically regarding available core resources.
We have introduced recommendations on this point in this report.

If Airborne Software is developed using processes or threads, it is possible to take benefit of this development for addressing a multi-core component. To succeed in process or thread allocation, we need to understand what are the processes that can be executed simultaneously, which means we need to have detailed knowledge of the Airborne Software.

There are many dedicated tools to help programmers to map threads onto the cores for INTEL® processors, and Airborne Operating Systems for multi-cores (Greenhills, Wind River, Sysgo, LynuxWorks, etc.) help programmers to execute this mapping.
9.3.6. Examples of representative multi-core architectures

In this chapter we present a set of COTS multi-core architectures whose technologies are representative of the different targets described previously:

- Networking
- Low power embedded systems
- High processing performances

We also detail a SoC[18] FPGA[19] fabric that embeds several items of ARM core IP[20], but leaves the interconnect implementation to the programmer. The objective is to give a concise view of the different technologies and services deployed in the cores, interconnects and peripherals.

Remark: to partition or virtualize the cores, there are Hypervisors provided for the multi-core processor directly by the component manufacturer such as TOPAZ for Freescale QorIQ™ family or XEN for INTEL® or directly by the Operating System provider. Their features and characteristics have to be analyzed ‘case per case’ to ensure that they could not impair / reduce confidence in the application safety.

9.3.6.1. Communication and Networking Processor

9.3.6.1..1 Freescale QorIQ™ P2020

The QorIQ™ P2 platform series, which includes the P2020 and P2010 communications processors, is dedicated for a wide variety of applications in the networking, telecom, military and industrial markets.

This processor delivers dual- and single-core frequencies up to 1.2 GHz on a 45 nm technology low-power platform.

The QorIQ™ P2 series consists of dual- and single-core scaling from a single core at 533 MHz (P1011) to a dual core at 1.2 GHz (P2020).

The P2020 and P2010 communications processors both have an advanced set of features:

- Two e500 Cores
- The 64-bit memory controller offers future-proofing against memory technology migration with support for both DDR2 and DDR3. It also supports error correction codes, a baseline requirement for any high-reliability system.
- Other memory types such as flash are supported through the 16-bit local bus, USB[21], SD/MMC and serial peripheral interface (SPI).

[18] SoC : System on Chip
[19] FPGA : Field Programmable Gate Array
[20] IP : Intellectual Property
9.3.6.1..1.1 e500 Coherency Module (ECM) and Address Map

The e500 coherency module (ECM) provides a mechanism for I/O-initiated transactions to snoop the bus between the e500v2 cores and the integrated L2 cache in order to maintain coherency across local cacheable memory. It also provides a flexible switch-type structure for core- and I/O-initiated transactions to be routed or dispatched to target modules on the device.

The P2020 supports a flexible 36-bit physical address map. Conceptually, the address map consists of local space and external address space. The local address map is supported by twelve local access windows that define mapping within the local 36-bit (64-Gbyte) address space.

The P2020 includes the address translation and mapping units (ATMUs) to make part of a larger system address space through the mapping of translation windows. The ATMUs allow the P2020 to be part of larger address maps such as those of PCI Express or RapidIO

In such an ECM, the Airborne Embedded System provider has to obtain from the processor manufacturer knowledge of all the included features and mechanisms that can be disabled for safety requirements.

Figure 5: P2010 : 2020 Overview (source: Freescale Fact Sheet)

[21] USB : Universal Serial Bus
9.3.6.1..2 e500mc Cores

The e500mc core (see Figure 6) is a recent update of a long series of PowerPC cores developed by Freescale. It was released in 2008 for the PowerQUICC series and the QorIQ™ series.

Figure 6: e500mc PowerPC core overview (source: Freescale e500mc Reference Manual)
We sum up the essential features of e500mc cores in the following table:

| Internal component | Features |
|---|---|
| Pipeline | 6 stages pipeline; out-of-order execution, and in-order completion |
| Instruction set | Power ISA v 2.06 (partially supported) |
| Privilege levels | User and super-user mode; Guest and non-guest mode (used by the hypervisor) |
| Fetch unit | Fetch up to 4 instructions in the same clock cycle; Pre-fetching policy documentation access restricted |
| Load/Store Unit | Out-of-order load/store execution (still ensuring coherency) |
| Branch Unit | Static/dynamic branch prediction |
| Caches | Separated 32k Data and instruction L1 caches; Unified 128k L2 Cache; Snoop mechanisms for cache coherency; Cache pre-filling and locking mechanisms through dedicated instructions; L1 Cache replacement policy: LRU; L2 Cache replacement policy: PLRU; L1 Cache implements parity protection, L2 Cache implement ECC |
| MMU | Two level Translation Look aside Buffers (TLB) tables; L1TLB coherency ensured regarding L2TLB contents; L2TLB management has to be implemented in the embedded software |
| Bus interface | Partial documentation available under NDA |
| Debug and monitoring | 4 Performance Monitor Registers counters may observe 128 different events. |
9.3.6.1..3 Hypervisor

To manage its multi-core processor family, Freescale has developed and provide a Hypervisor named TOPAZ which manages:

- Security and separation
- Messaging among cores
- System-level event handling
- Debug support

TOPAZ is considered as a small hypervisor for embedded systems based on Power Architecture technology, its initial version focuses on static partitioning (TOPAZ is not a scheduler):

- CPUs, memory and I/O devices can be divided into logical partitions
- Partitions are isolated one from the other
- Configuration is fixed until a reconfigure and system reboot
- TOPAZ does not address the problem of multiple operating systems on 1 CPU

TOPAZ has been developed for the QorIQ™ family and it uses a combination of full-virtualization and para-virtualization which offers performances and minimal changes to guest operating systems (impact on BSP layer).

TOPAZ Hypervisor has been developed to minimalize “intrusivity” and it offers a limited set of services such as interrupt controller, inter-partition interrupts, byte-channels, power management, active / standby / failover and error management.

[Figure: block diagram; the only surviving labels are “Driver”.]
9.3.6.1..4 Networking platform: Freescale QorIQ™ P4080

The QorIQ™ series is initially dedicated to networking. Yet it is viewed in the avionic community as a good candidate to analyze effort to reach acceptance of such a multi-core processor in Embedded Aircraft Systems.

Thanks to the MCFA initiative from Freescale to help Aircraft Embedded Equipment provider conducting their acceptance process on the QorIQ™ series.

The QorIQ™ P4080 (see Figure 7) integrates eight cores and a large set of hardware accelerators for fast stream processing.

Figure 7: P4080 Overview (source: Freescale Fact Sheet)
9.3.6.1..4.1 QorIQ™ Processor Interconnect

In QorIQ™ processor, the interconnect is named Corenet™. Its complete architecture is proprietary and less documented; this is the case for the main majority for all manufacturers, so in this report, we have focused on the interconnect and recommendations to master its behavior.

The interconnect implements the following services:

- Arbitration and transfer of transactions between a set of master nodes (Cores, Ethernet controllers through the Frame Manager, DMA[22] engines) and the slave nodes (DRAM[23] controller, I/O). A maximum of four transactions may be arbitrated in each CoreNet™ cycle. A transaction is 128 bytes width. It corresponds to a cache line. The CoreNet™ protocol is said to be lossless.
- 2x1024k Shared L3 cache level (CoreNet™ Platform Cache)
- Peripheral Access Management Units (PAMU): they play a role close to an MMU[24] for the different peripherals
- Debug facilities: Aurora interface for real-time debug

Freescale is actively working to be able to provide sufficient guarantees on Corenet™ behavior without divulging the core information on its internal architecture, thanks to MCFA.

9.3.6.1..4.2 Peripherals

The P4080 provides a large set of peripherals and I/O’s[25]. The most important one is the Data Path Acceleration Architecture (DPAA). It is composed of a set of hardware accelerators that can:

- Initiate DMA transfers from several I/O’s, such as PCIe or Ethernet bus
- Reassemble, encrypt/decrypt and parse packets
- Manage packet buffers
- Dispatch packets among dedicated cores for processing, with load-balancing if necessary

The other main peripherals are:

- The Enhanced Local Bus Controller (ELBC): This bus connects peripherals usually met in microcontroller architectures: UART, flash memories, I2C interfaces, SPI interface…
- The Ocean network: This network interconnects several PCIe controllers and Serial RapidIO interfaces. It is completed with DMA controllers.

Peripherals Internal memories include ECC protection. Proprietary microcode is embedded in some elements of the DPAA.

[22] DMA : Direct Memory Access
[23] DRAM : Dynamic Random Access Memory
[24] MMU : Memory Management Unit
[25] I/O : Input / Output
9.3.6.2. Low-Power Multi-core IP: ARM CORTEX®-A15 MPCore™

ARM released the MPCore™ series to provide an IP of scalable, highly configurable and low-power multi-core processors.

This series comes as a set of several IPs for various components (cores, interconnect, peripherals)

We describe here the CORTEX® A15 MPCore™ (see Figure 8) as the most recent processor in this series.

It is organized as a cluster of up to four cores connected with a Snoop Control Unit containing a L2 cache level.

Some implementations embed several clusters, enabling the use of more than four cores.

The interface with the peripheral bus implements the latest version of the Advanced Microcontroller Bus Architecture (AMBA®) protocol: AMBA® ACE.

Figure 8: ARM CORTEX®-A15 MPCore™ Overview
(Source: CORTEX®-A15 Technical Reference Manual r3p0)
9.3.6.2.1 CORTEX®-A15 Cores

Main ARM CORTEX®-A15 features are:

Internal component | Features
Instruction set | ARM v7-A; THUMB™; JAZELLE™ (execution of Java Bytecode)
Pipeline | 8 stages pipeline
Fetch Unit | Static/dynamic branch prediction
Caches | Separated Data and instruction 32k L1 caches; LRU replacement policy for all caches
MMU | Two level Translation Lookaside Buffers (TLB). L1 TLB is separated data/instructions. L2 TLB is unified. Hardware translation table walk in case of L2 TLB miss
Interrupts | Shared interrupts managed by the Generic Interrupt Unit
Bus interface | Direct connection to the Snoop Control Unit

9.3.6.2.2 Snoop Control Unit: First Level interconnect

The Snoop Control Unit (on Figure 8: Non processor/Level 2) is the “inter-core interconnect”. It is the first shared resource between the cores.

The Snoop Control Unit provides the following services:
- Arbitration and transport of memory requests for each core
- Management of the shared L2 cache, whose size is configurable between 512K and 4M. It implements an optimized MESI protocol for cache coherency.
- Support for inter-cache data and instruction transfers.
- AMBA® ACE master Interface with the main interconnect (Corelink™, described further)
- Cache coherency acceleration through the Acceleration Coherency Port

Snoop requests (requests from the cores to the addressed space) are therefore interleaved in the Snoop Control Unit. They are propagated on the single AMBA® ACE master interface to the second level interconnect. However, this protocol allows several concurrent transactions to be interleaved. Multiple accesses can therefore occur.
9.3.6.2.3 Corelink™ Network: Peripheral interconnect

The connection between the Snoop Control Unit and the main RAM, L3 cache and peripherals is provided by Corelink™. It is a dedicated IP for on chip networks. It may interconnect several clusters of ARM MPCore™.

This interconnect implements the AMBA® ACE protocol for nodes (masters and slaves) connections. Older versions are limited to AMBA® AXI protocol. It is a full crossbar, and it comes with a set of services for transaction management:
- Priority (quality of service) of transactions configuration
- Latest granted first arbitration policy in the same domain of priority
- Transactions monitoring and performance measurements
- Hardware assist for atomic access insurance

Figure 9: Corelink™ Example of implementation
(source ARM infocenter - Corelink™ CCI400 Cache coherent interconnect Technical Reference Manual)
- Trust Zone implementing protections between secure and non-secure transactions. The Trust Zone is used for hypervisor implementation.

9.3.6.3. Multi-core DSP: Texas Instruments TMS320C6678™

Texas Instruments proposes the TMS320C66xx™ series of multi-core DSPs for multimedia infrastructures, high performance image processing and medical applications.

The TMS320C66xx™ series proposes high processing capabilities with up to 8 DSP cores, a highly configurable interconnect and a subsequent set of IO.

We focus here on the TMS320C6678™ octo-core DSP processor (see Figure 10).

Figure 10: TMS320C6678™ architecture overview
(Source: TMS320C6678™ Multicore Fixed and Floating-point Digital Signal Processor – Rev C)
9.3.6.3.1 DSP Cores: C66x™ CorePac

DSP Cores are optimized for vector scalar product operations.

The C66x™ CorePac contains the C66x™ DSP and a set of hardware components that stand between the core and the interconnect.

They provide the functionalities we classically find in a general purpose core:
- Cache levels
- Memory management and protection
- Bus interface
- Interrupt controller

Figure 11: CorePac overview
(Source: C66x™ CorePac User Manual rev B)
The main characteristics of the C66x™ CorePac are:

Internal component | Features
Privilege levels | User and Supervisor modes
Caches | Separated 32k Data and Program L1 caches. Unified 1M L2 Cache. All caches can be partially or fully configured as SRAM. LRU replacement policy for all caches. Cache controllers provide coherency mechanisms. Internal DMA channels are provided for data/instruction moves inside the CorePac
Memory Protection | Access controls on pages. It is implemented on all internal memories and caches. There is no virtual memory management inside the CorePac.
Shared SRAM controller | Multi-core Shared Memory, controlled by an Extended Memory Controller. This controller implements memory protection, address translation and pre-fetching from MSM to L2 or L1 caches.
Bus interface | Configurable bandwidth management implemented for all cache controllers except L1P cache. Bandwidth management is based on arbitration with highest priority first and resolving denial of services with timeouts. Slave DMA controller. It is the slave interface for each CorePac. It receives incoming transactions from other masters on the interconnect.

9.3.6.3.2 TMS320C66xx™ interconnect: TeraNet™

TeraNet™ is a double switch fabric: it is decomposed in Data TeraNet™ and Configuration TeraNet™. Master and slave nodes are connected either directly or through internal bridges.

The connection matrix is available in the Reference Manual. For each master, the transactions' priorities are configurable. TeraNet™ also provides a large set of tracers that can monitor the activity of each component.
9.3.6.4. SoC FPGA Hard Processor System: Altera Cyclone® V

To improve FPGA device performance, FPGA manufacturers include core IP in their FPGA devices.

This is called the Hard Processor System (HPS). It includes an ARM MPCore™ implementation containing cache levels and Snoop Control Unit and AMBA® interfaces.

The peripheral interconnect (equivalent of Corelink™ for ARM MPCore™) has to be synthesized inside the FPGA. External peripherals (external memory, Ethernet controller, PCIe) are provided inside the system on chip.

We propose as an example the Cyclone® V from Altera. It integrates two ARM CORTEX®-A9 cores connected with a Snoop Control Unit (see Figure 12). The FPGA fabric is dedicated to:
- The high-bandwidth interconnect for external DDR [26], PCIe, Ethernet
- Optional coprocessors and classic FPGA systems

Figure 12: Altera Cyclone® V SoC FPGA overview
(Source: SoC FPGA Product Overview Advance Information Brief, ref AIB-01017-1.3)

[26] DDR : Double Data Rate (for a Dynamic Random Access Memory)
9.4. MULTI-CORE FEATURES REGARDING CERTIFICATION

9.4.1. Introduction

In this section, we plan to provide a list of usual services found in a multicore platform. This list will be used further to establish a classification of multicore processors. The considered criteria deal with the processor structure and configurability, but also with the available information and more generally the manufacturer's openness toward the certification process.

Some criteria address the technological evolution of the platform's internal components but are not limited to multicore processors.

This is the case for optimization mechanisms introduced in the cores to improve performance. Other criteria are multicore specific. They would be irrelevant for an analogous single-core platform. Those criteria deal essentially with interconnect and shared component features that implement specific mechanisms to manage the parallel execution of software on each core.

The main novelty in the use of multi-cores in the Avionics domain is the presence of true parallelism between different pieces of software executed in the same period of time on different cores. This section deals with the consequences of such parallelism inside the Airborne Embedded System.

Moreover, the design of multi-core processors followed the recent evolutions of embedded technologies. Thus additional features may occur, but they would also be relevant in a single-core context.

In the following chapters of this report, we used the Symbol RGL for Recommended Guide-Line abbreviation
9.4.2. Processor features impact on determinism

This chapter deals with tasks 3 and 4

9.4.2.1. Summary of task 3

Determine whether it is possible to classify the multi-core processors listed in the spread sheet into groups according to their components, the characteristics of their architectures, their behaviors or other criteria. The study shall describe the criteria used to classify the processors and why those criteria were selected. The groups may later be used by EASA to write guidance material that is specific to each group.

9.4.2.2. Summary of task 4

Select - in agreement with EASA - a representative processor from each of the identified processor groups and conduct a detailed examination of the internal architecture of that processor, identifying the components involved and the features of the processors, describing their roles in the data and control flow of the device. Emphasis should again be on features that are not found on most single core processors. Aspects that are common to many types or groups only need to be described once in the study report, but any important variations that are specific to a processor or group of processors shall be highlighted.

While identifying and describing processor features, identify which of the components, features or behaviors of the processor groups are unsuitable for the use of the processors in safety-critical airborne systems with deterministic behavior and in compliance with the current guidance material listed above. The features listed in item 2 above and the reasons why they are unsuitable should be described. Any other type of interference or effect identified by the study that might make a component or architecture unsuitable for use in certifiable and deterministic safety-critical airborne systems should be identified and described.

9.4.2.3. Interconnect

9.4.2.3.1 Overview

The Interconnect is the first shared resource between cores. It interleaves the concurrent transactions sent by the cores to the shared resources like caches, memories and I/O mapped in the address space. Its architecture has a strong impact on determinism and ensuring partitioning, and on the complexity of worst case analyses.

An interconnect usually implements the following services:
- Arbitration of incoming requests. This stage depends on several parameters:
  o Arbitration rules
  o Arbiter internal logic
  o Network topology
- Allocation of the physical destination devices when they are duplicated. This is the case for example when there is more than one MEMORY controller.
- Allocation of a path to the destination. This is necessary when several paths exist between the source and the destination. This depends on the routing rules.
- Support for atomic operations, hardware locking mechanisms
- Snooping mechanisms for cache coherency
- Inter Processors Interruptions (IPI) for inter-core communications

The Interconnect is in charge of interleaving - when necessary - the transaction flows emitted by the master nodes (the cores and specific I/O such as Ethernet controllers or DMA engines) directed to slave nodes (usually MEMORY, shared caches, slave I/O and core slave interface).

An interconnect is usually characterized by:
- A Protocol: The different stages of a transaction processing. Most interconnects protocols are divided in three phases: arbitration, transfer and termination.
- A Topology: The different point-to-point connections between nodes. The most classic topologies are:
  o Busses: One connection links all masters to all slaves. A bus may be duplicated on a chip (we talk about multiple busses), thus allowing multiple parallel transfers. A bus may be pipelined, allowing several transactions to be transferred at the same time in different pipeline steps. In case of duplicated busses, the arbitration module will allocate one bus to one master when arbitrating his transaction.
  o Crossbars: There is one point to point connection between each master and slave. Thus no routing is necessary. Usually, a local arbitration module is provided on each slave interface to interleave incoming accesses.
  o Switch fabrics: This is the intermediate topology: point-to-point connections link internal bridges that are connected to the master and slave interfaces. The arbiter is in charge of routing the incoming transactions inside this network. This solution is a usual compromise between the number of point-to-point connections and the interconnect performance through parallel transaction service.
- An Arbitration policy: The rules that are applied to access sequentially an atomic resource that was requested by different masters at the same time. Usually, the arbitration policy is designed for good average performance and granting fair access to the requesters. One example is the Least Recently Granted arbitration policy that is implemented in Corelink™ (see ARM CORTEX®-A15 MPCore™ interconnect).

Many interconnects are said to be cache coherent. They implement either snooping or shared directory mechanisms. That means each address accessed is notified to a set of master and slave nodes (usually the cores, the shared caches and some I/O) that may store a local copy of the concerned data in internal caches. When this is the case, the corresponding cache lines are invalidated or updated. Section 9.4.2.5 refines cache coherency mechanisms.
Thit fealikint
9.4
N
27 N
Thales Avio
sually interc Inter-c Reserv Acces Monit
he interconnis difficult
atures. Speckely that Aiterconnect d
Int4.2.3..2
Num. C
1 InteArb
2 InteArb
3 InteArb
4 InteArb
5 InteArb
NDA : Non-D
onics
connects procore commuvation statios to configu
toring and d
nect design t for Airbocific NDA27
irborne Emdesigns.
terconnect
Component / service
erconnect biter
erconnect biter
erconnect biter
erconnect biter
erconnect biter
Disclosure Ag
ovide a set ounication mons for semuration regisdebug resour
is a key adorne Embed
7s can be esmbedded Sy
Classificat
C
Arbitradocumavailab
The arbcentral
The arbseveralsimulta
The arbpolicy configu
Possiblconfiguarbitrat(subset
greement
M
of services tmechanisms
aphore impsters for sharces
vantage fordded Systemstablished t
ystem provi
tion criteria
Criteria
ation rules mentation is ble
biter is ized
biter can serl transactionaneously
bitration is urable
le urations for tion policy t of)
MULCOR
page 75
that ease th
plementationared service
r the compem providerto give acceiders will n
a
P
rve ns
r
Round
FixedRobinpriorit
VariabRoundsame
Least policy
RS
he implemen
n es such as cl
etitiveness ors to get coess to somenot have ac
Possible val
Public
Under NDA
No
Yes
No
Mixed
Yes
No
Yes
No
d Robin
d priorities, Rn in the samty domain
ble prioritied Robin in tpriority dom
recently gry
Réf. C
ntation of O
locks, reset.
of processoromplete inf confidentia
ccess to com
ues
A
Cpo
Tusan
Round me
es, the main
anted
EAS
CCC/12/0068
Operating Sy
...
r manufactuformation oal documenmplete info
Obs
Centralized aoint of failu
TDMA arbitsually prefenalyzability
SA
898 – rev. 07
ystems:
urers. Thereon interconntation. Yet ormation on
ervations
arbiter is a sure
tration policerred for a by.
fore, nnect it is
n the
single
cy is better
28 T
Thales Avio
6 InteArb
7 InteDevAllo
8 InteDevAllo
9 InteDevAllo
10 InteNetTop
11 InteNetTop
12 InteRou
13 InteRou
TDMA : Time
onics
erconnect biter
erconnect vice ocation
erconnect vice ocation
erconnect vice ocation
erconnect twork pology
erconnect twork pology
erconnect uting
erconnect uting
e Division Mu
Arbiterinformavailab
Devicerules inavailab
Deviceconfigu
Possiblconfigudevice (device(subset
Informnetworavailab
Severafrom oanother
Informroutingavailab
Possiblconfigurouting(subset
ultiple Acces
M
r internal lomation is ble
e allocation nformation ible
e allocation urable
le urations for allocation
e per devicet of)
mation on therk topology ble
al paths exisne node to r
mation on theg rules is ble
le urations for g rules t of)
ss, i.e. acces
MULCOR
page 76
TDMA
Rando
ogic Public
Under
No
is
Public
Under
No
is Yes
No
r
e)
Static
Dynambalanc
Dynamspecif
Rando
e is
Public
Under
No
st Yes
No
e Public
Under
No
r
Static
Dynambalanc
Dynamspecif
Rando
ss restrictions
RS
A28
om Arbitrat
c
r NDA
c
r NDA
mic with locing
mic with a fied state m
om
c
r NDA
c
r NDA
mic with locing
mic with a fied state m
om
s in predefine
Réf. C
tion
Tbefu
ad
achine
Tan
Dcoof
ad
achine
ed periods of
EAS
CCC/12/0068
The static alle the most rurther analy
The interconnalyze if the
Dynamic rouomplicate thf conflicts s
f time
SA
898 – rev. 07
location seerelevant foryses
nnect is easie answer is
uting policiehe determinsituations
ems to r
er to no
es may nation
9.4
This onint
9.4
Chtecintcoch
Thales Avio
14 InteProt
15 InteProt
16 InteInteCom
17
InteCacCohMec
18
InteCacCohMec
19 InteCorSyn
Int4.2.3..3
he interconnone of the m
n the overalltegrity
4.2.3..3.1 O
haracterizingchnically aterconnect nstraints rearacterizatio
onics
erconnect tocol
erconnect tocol
erconnect er-Processormmunicatio
erconnect che herency chanisms
erconnect che herency chanisms
erconnect res nchronizatio
terconnect
nection betwmain featurl behavior o
Objective a
g the behavand humanbehavior mestricting ton of the in
Informdifferentransacavailab
Informrelationassembexecutetransacavailab
r on
The intinterrupblockeinterco
Snoopimechandisable
Snoopimechanconfineof core
on
The intprovidesynchrmechan
Usage Dom
ween cores res, new to of the proce
and Definiti
vior of COly difficult
may not bethe accessenterconnect
M
mation on thent kinds of
ctions is ble
mation on then between bly instructied and ctions sent ble
ter-processoptions can bd by the
onnect
ing nism can beed
ing nism can beed to a subses
terconnect es a core onization nism
main
inside a COthis COTS
essor when
ion
OTS a multit. Thus pe
e possible. es to the ibehavior in
MULCOR
page 77
e Public
Under
No
e
ion
Public
Under
No
ors be
Yes
No
No In
e
Yes
No
No In
e set
Yes
No
No In
Yes
No
No In
OTS multi-cprocessor tused in term
i-core proceerforming We define
interconnecn order to en
RS
c
r NDA
c
r NDA
nformation
nformation
nformation
nformation
core procestechnology,ms of perfo
essor intercan analysis
e the Intercct. The objnable further
Réf. C
Tnotimpl
sor, also kn which mayrmance cha
connect in es that requconnect Usjective is tr analyses.
EAS
CCC/12/0068
This may be on real-timeime sub-syslatform
nown as they have a sigaracteristics
every possiuires inforsage Domato reach a
SA
898 – rev. 07
useful to coe from hardtem on the
e “Interconngnificant ims and potent
ible situatiormation on ain as a sean “accepta
onfine d real
nect” mpact tially
on is the
et of able”
RGL n°2
To be able to manage the behavior of the multi-core processor, for each device, an Interconnect Usage Domain should be defined by the Airborne Embedded System provider and validated with the processor manufacturer.

The Airborne Embedded System provider shall provide evidence that his knowledge and control on the Airborne Embedded System is compliant with the Interconnect Usage Domain.

Examples of Interconnect Usage Domain restrictions could be:
- No more than 4 masters can initiate request in the interconnect at the same time
- No more than one DMA engine is allowed to be active at one time
- A shared cache should not be accessed by more than 2 masters at the same time
- A cache coherent memory area will not be shared among more than four nodes

It can be noticed that the Interconnect Usage Domain definition does not include information on interconnect internal components. Thus it is possible to deal with a “black-box” interconnect, or to perform analyses without divulging confidential information.

The means to demonstrate compliance with the Interconnect Usage Domain are:
- Restrictions on the Airborne Embedded System Usage Domain
- Hardware or software control mechanisms
- Deep analysis of the interconnect features

RGL n°3
The Airborne Embedded System provider should implement control mechanisms (Hardware and/or Software) on interconnect accesses in order to comply with the Interconnect Usage Domain.

The above recommendation can be explained as follows. On one hand, restricting the Airborne Embedded System Usage Domain to be compliant with the Interconnect Usage Domain may impact software development processes and worst case performance analyses. On the other hand, a deep analysis of the interconnect features may not be possible because of the limited information available from the processor provider. Thus, control mechanisms appear to be the most relevant approach. Their introduction should have a limited impact on performance.

One important feature dealing with interconnects is the dynamic reconfiguration of its internal components. Various needs such as to sustain a high bandwidth for a specific core or to save energy on an underused component may lead to take automatic (and silent) decisions on the interconnect configuration. Such operations might be incompatible with Avionics usage, especially when their specifications are confidential and not shared by the processor manufacturer.
9.4.2.3.3.2 Related selection criteria

Nevertheless it is possible to define an Interconnect Usage Domain on black-box interconnects. The absence of knowledge of the interconnect internal features may lead to a pessimistic definition. The extreme case occurs with black-box interconnects. Here, only one master is allowed to request the interconnect at one time, and has the exclusive access during its transaction service.

Thales proposes to weight the criteria regarding the impact of these criteria on the Avionics Embedded Systems based on the different ED-80/DO-254 DAL levels of these Embedded Systems. This weighting can be challenged by the EASA.

In order to allow some parallelism in the Interconnect Usage Domain, we recommend that the processor selection takes into account the following criteria:

Criteria | Sub-criteria | Weight for DAL A/B | Weight for DAL C/D | Observations
Information on the interconnect behavior is available | The interconnect protocol is documented | 3 | 3 | Information on the interconnect protocol is useful to determine how transactions are handled by the interconnect. For instance, some specific error codes may exist, transactions may be decomposed.
Information on the interconnect behavior is available | The interconnect protocol implementation allows transactions reordering | 1 | 1 | If it is the case, then transactions reordering increases the difficulty to characterize the interconnect protocol. See RGL n°4
Information on the interconnect behavior is available | It is possible to identify from assembly code or with an embedded spy all transactions sent on the interconnect | 2 | 1 | Such information may be useful to analyze the interconnect service of optimized assembly instructions. Multiple transactions may be sent to execute a single instruction.
Information on the interconnect behavior is available | Arbitration rules description is available | 3 | 2 | This piece of information allows a worst case arbitration situation to be determined. There are two kinds of arbitration policies: the fair and the unfair ones. The first one serves all masters trying to provide an equal access for each. The second one is based on priority assignments. Thus high priority masters are less perturbed by the activities of other cores.
Information on the interconnect behavior is available | Routing and device allocation rules description are available | 2 | 2 | This criteria is relevant when multiple paths exist and/or when accessed resources are replicated. This may be the case for shared caches and memory controllers. Dynamic allocations rules increase the complexity of interconnect characterization. See RGL n°5
Information on the interconnect behavior is available | All information on interconnects features configuration is available | 3 | 2 | Having complete information on the interconnect configurations has many advantages. It decreases the risks to have hidden functionality, and it gives the opportunity to optimize the Interconnect Usage Domain definition. This is less critical for lower DAL, the main characteristics of these features can be determined using bench software
Information on the interconnect behavior is available | Configuration can't be changed dynamically and silently | 3 | 3 | Regarding safety, it is recommended to use the interconnect in a stable configuration under the Interconnect Usage Domain restrictions.
Information on the interconnect design is available | The interconnect topology is documented | 3 | 2 | This ensures simpler interconnect behavior determination during further analyses. See RGL n°5
Information on the interconnect design is available | The arbiter is centralized or distributed | 1 / 3 | 1 / 2 | This criterion is important to determine which parallel paths may exist in the interconnect. If the arbitration resources allow it, those paths may be authorized in the Interconnect Usage Domain. For low DALs, this topology can be analyzed using external software benches. A partially or fully centralized arbiter complicates the characterization of interconnect behavior. Indeed, it may enable situations in which several masters targeting different slaves have sequential access to the arbitration resource. Nevertheless, a centralized arbitrator remains necessary when the interconnect is not a full crossbar to avoid contention between cores and between cores and shared resources. See RGL n°6
Information on the interconnect design is available | The manufacturer has stated that the interconnect embeds no hidden mechanisms | 3 | 3 | This limits the risks of having hidden functionalities that weaken computing platform integrity and other requirements.
Information on the interconnect design is available | The interconnect has internal waiting queues and contention mechanisms | 3 | 2 | It may bring additional difficulty to characterize the interconnect behavior.

Weights: 1: informative _ 2: Nice to have (Should) _ 3: Mandatory (Shall)
RGTrdis
RGFoDoma
RGTocen
9.4
9.4
Fadiffai
In errprointSy
RGWInass
Thlim 29 S
Thales Avio
GL n°4ransactions rsable interc
GL n°5or Safety, womain restranufacturer
GL n°6o avoid conntralized m
Int4.2.3..4
4.2.3..4.1 I
ailures occurfferent coreilures: Silent Silent
many caserors (failureovide evideterconnect
ystem provid
GL n°7e recommetegrity Ansistance of P
he Interconnmited the tec
SEU : Single
onics
reordering i
connect reor
we recommerictions thatassurances
ntention beanaged arbi
terconnect
Integrity of
rring duringes if they a
loss of a tratransaction
es, such evees are silent)ence that thintegrity a
der and the
end that thnalysis perProcessor M
nect Usage Dchnical and
e Event Upse
increases thrdering mec
end to use tht means thethat the int
etween coreitration whe
features re
f transactio
g transactionare not mit
ansaction. Hn corruption
ents would l). During thhis kind of analysis. Thprocessor m
he Interconnrformed unManufacture
Domain dethuman effo
et
M
he difficultychanisms to
he interconne Airborne erconnect c
es, and beten the interc
egarding m
ons services
n services mtigated (see
Here, ‘silent due to a tra
lead to faulhe certificatf faults cannhis analysismanufacture
nect Usagender Airborer.
termination ort.
MULCOR
page 82
y to characteo ensure a
nect in a staEmbedded
configuratio
tween coresconnect is n
multi-core p
s in the inte
may have ane RGL n°7
t’ means wiansaction co
lty executiotion processnot occur os should beer inside the
e Domain rne Embed
should ena
RS
erize the intbetter assur
able configd System pron cannot be
s and sharenot a full cro
processor in
erconnect
n impact on7). We can
ithout signaollision or a
on of the ems, the Airboron the Airbe performede Interconne
determinatidded Syste
able an inter
Réf. C
terconnect prance in the
uration undrovider shoue changed d
ed resourceossbar.
ntegrity
the executin consider f
ling an erroan external e
mbedded sorne Embeddborne Embed jointly byect Usage D
ion should m Provide
rconnect int
EAS
CCC/12/0068
protocol, wee transaction
nder the Inteould obtain dynamically
es, we reco
ion integrityfor instance
or. event (such
oftware withded Systemedded Systey the Airbo
Domain.
contain aner responsib
tegrity analy
e recommenn manageme
erconnect Ufrom proce
y and silently
ommend to
y of software the follow
as a SEU29
hout raisingm provider h
em. This isorne Embed
n Interconbility with
ysis with
nd to ent.
Usage essor y.
o use
re on wing
9).
g any as to s the dded
nnect the
9.4
W
Cr
Intheintav
We
RGWint
9.4
Thextim
4.2.3..4.2 R
e can derive
riteria
formation e interconntegrity is
vailable
Weights:
GL n°8e recommeterconnect p
Int4.2.3..5
he interconnecution tim
ming variab
Related sele
e the follow
on nect
Theis tr
Thetrandetesucheve
In cthe propconexte
1: informa2: Nice to 3: Mandat
end that the protocol tha
terconnect
nect designme in a worbility of Ai
ection crite
wing selectio
Sub-crit
e interconneransaction lo
e interconnensaction corection mechh as parity ontual intern
case of interinterconnecpagate an er
ncerned coreernal monito
ative have (Shou
tory (Shall)
Interconneat shall prov
features re
n and behavrst case sceirborne Em
eria
on and asses
teria
ect protocol ossless
ect embeds rruption hanisms, or ECC for
nal storage
rnal failure, ct can rror to the e and/or an or
uld)
ect Usage Dvide lossless
egarding W
vior are detenario has t
mbedded Sy
ssment crite
Weight for
DAL A/B
3
2
3
Domain detes transaction
Worst Case
termining fto be correystem servi
eria:
Weight for
DAL C/D
3
2
2
ermination ns.
Execution
factors for Wected with pices includi
O
This becomif the intertransaction See RGL
This is a cmeans for some intermay be hidprovider.
If it is the possible tointerconneparticular if no propathe concersanctionedincrease relevel.
should cont
Time calcu
WCET anaparameters ing interco
Observatio
mes a killinrconnect canns silently
n°8
classic fault internal sto
rnal storagedden from t
case, it migo consider thect integritycore. In casagation occrned core cod. This is a meliability at
ntain analysi
ulus
alyses. Indethat take in
onnect acce
ons
ng criterion n lose
detection orage. Yet e resources the platform
ght be he
y toward a se of failureurs, only
ould be means to platform
is regarding
eed, a measnto account
esses. Howe
m
e,
g the
sured t the ever,
ocDethe Th
Ascocoest Thlev
RGThcoser
RGThtakva
RGWtimthe
currences oetermining ceir value.
he presence The ar The ar The in The de The sn
s explainednflict situatmplex (for timate tight
he Interconnvel.
GL n°9he Interconnnflict situatrvices.
GL n°10he Interconnking into acariability on
GL n°11e recomme
ming variabe Interconne
of inter-corecorrection p
of conflictirbitration rurbiter topolonterconnect evices allocnooping traf
d in sectiontions in a ginstance a c
tly the timin
nect Usage D
nect Usagetions in ord
nect Usage
ccount pessitransaction
end that obility on tranect Usage D
e conflicts iparameters
ing situationules for incoogy (centraltopology th
cation rules ffic that ens
n 9.4.2.3..3 eneral caseconflict occ
ng variabilit
Domain ma
e Domain dder to give t
e Domain dimistic timinn services.
servations nsactions seDomain hyp
introduce adfor intercon
ns depends ooming requelized or disthat determinthat are use
sures cache
dealing wiis technica
curring betwty of each tr
ay be used t
definition stighter boun
definition sng hypothes
and tests pervices shoupothesis.
dditional vannects requ
on: ests tributed) annes the paraed when a recoherency
ith the inteally and humween many ransaction s
to bring the
should liminds for thei
should prevsis when it
performed buld be valid
ariability inests require
d its internaallel paths esource is d
erconnect umanly difficsimultaneoervice so pe
complexity
t the numbir impact on
vent all occis not possi
by the Airbdated by the
n the duratioes an estima
al logic
duplicated, s
usage domacult. When us transactiessimistic h
y of this ana
ber and then the timing
currences oble to deter
borne Embee processor
ons of transation of an u
such as a DD
ain, determithe conflic
ions), it mahypotheses h
alysis back t
e complexitg variability
of undesirabrmine bound
edded Systemanufactur
saction servupper boun
DR controll
ining inter-cting situatioay be difficuhave to be d
to an accept
ty of inter-y of transac
ble conflictds on the tim
em Providerer accordin
vices. nd on
ler
-core on is ult to done.
table
-core ction
ts by ming
er on ng to
9.4
Cr
Inthewobeav
Trservame
We
4.2.3..5.1 R
riteria
formation e interconnorst case ehavior is vailable
ransaction rvice timin
ariability caeasured
Weights:
Related sele
on nect
Thea trabe btakicon
Thea trabe baccositu
ng an be
Thehardmeathe tran
Theintemecobsthe
ThemanconworvariservInteDom
1: informa2: Nice to 3: Mandat
ection crite
Sub-crit
e timing varansaction sebounded wiing into acc
nflict situatio
e timing varansaction sebounded takount specifi
uations
e platform edware assisasuring in etime variab
nsaction serv
e platform eernal monitochanisms therve conflicinterconnec
e processor nufacturer i
nfirm observrst case timiiability for tvice under erconnect Umain restricative have (Shou
tory (Shall)
eria
teria
riability of ervice can thout ount ons
riability of ervice can king into ic conflict
embeds t for ach core
bility of vices
embeds oring hat can cts inside ct
s able to vations on ing transaction
Usage ctions.
uld)
Weight for
DAL A/B
3
2
2
2
3
Weight for
DAL C/D
2
2
2
2
2
O
This is cleThe absensimplest cainterconne
This criterprevious oauthorize ssituations Usage Domdefinition Using intecomponentimers is mfine grain transactionvariabilityHaving admechanismis a good fhelp to ensconflictingcomplete eThe lack ointerconnefilled by stbetween thand the maof such councoveredinvalidate
Observatio
early a killinnce of confliase in whic
ect is used.
rion is weakone. It is reqsome confliin the Intermain so thais less restr
ernal hardwants, such as mandatory tmeasures fon service tim
y. dditional moms in the intfeature. Thesure the covg situations enough. of informatiect design htrong collabhe platform anufacturer
ollaboration d situations
the analysi
ons
ng criterion.icts is the h an
ker than the quired to icting connect
at its rictive. are integrated o perform or ming
onitoring terconnect eir use may verage of was
on on has to be boration provider . Absence may lead tothat could s.
.
o
9.4
Propa
ThExde Thasscothr Topesitdeaccfor
9.4
ThPa
9.4
Thlarpetw Th
Int4.2.3..6
oviding Robartition deplo At mo Severa
considexecut
he first casexisting guidscription is
he second csociated wiuplings berough sequ
o ensure Rrformed un
tuations is termine whceptable regr WCET cal
4.2.3..6.1 R
he selectionartitioning e
4.2.4. Shar
he use of shrge cache arformance i
wo levels of p
he use of a s Share
partiti
terconnect
bust Partitiooyment. We
ost one partial partitionder that the tion shall be
e is closed delines such
provided in
case is morith differenttween emb
uences of in
Robust partinder the rest
limited dohether the tigarding the lculus. Thu
Related sele
n criteria pnforcement
red caches
hared cachearea that coincreases caprivate cach
shared cached cache coning requi
features re
oning on a me consider tition may be
ns may be Airborne E
e protected
to Robust Ph as ARINn section 9.5
re complex.t partitions.bedded partter-core con
itioning, cotrictions im
own to an iming variapartition’s s RGL n°9
ection crite
proposed int.
s is classic ould not bean be expeches inside e
e in Embedcontent prirements. W
egarding R
multi-core Athe followine activated aactivated sEmbedded from Airbo
PartitioningC 653 Tim5.3.1..3.3 th
Indeed, co. Inter-coretitions. Intnflicts.
onflicting smposed by th
acceptable ability introdmodel of fa, RGL n°10
eria
n section 9
outside thee integratedcted from theach core.
dded Aircrafrediction. T
We develop t
Robust Part
Airborne Emng cases: at one time
simultaneouEquipment
orne Softwa
g enforcememe and Spahat deals wi
oncurrent tre conflicts oterference
situations hhe Interconn
level. Idenduced by th
aults. This f0 and RGL
9.4.2.3..5.1
e Embeddedd (for costs he use of a s
ft Systems rThis featurthis feature
titioning in
mbedded Sy
on the Airbusly on diff
“system sore)
ent on singlace partitionth Symmetr
ransactions occurring d(i.e. occurr
have to be nect Usage ntified conhe conflict feature is clo
n°11 are a
for WCE
d Aircraft Sand size r
shared cache
requires a sore addressein the next
surance
ystem raise
borne Embeferent coreoftware” is
le-core Airbning seem rical Multi-P
coming frouring transarences of f
analyzed. Domain so
flict situatican be bouose to correpplicable.
T calculus
Systems. Indeasons) inse. Usually,
olution to thes WCET section.
es issues tha
edded Equips. For simseen as a
borne Embrelevant. AProcessing.
om differenaction collifault propa
Such an ao that the seions must unded, and ection param
s are relev
deed, it alloside each cit is comple
he followingcalculabili
at depend on
pment. plicity, we partition (a
edded SystA more deta.
nt cores maisions introagation) oc
analysis canet of conflicbe analyzeif that boun
meters defin
ant for Ro
ows the use ore. Signifieted with on
g problems:ity and ro
n the
can as its
tems. ailed
ay be duce
ccurs
n be cting
ed to nd is
nition
obust
of a ficant ne or
: obust
Se
FuCl
Moop
9.4
NU
M
37
38
39
40
30 M
CacheSEU/Mprovid
Concusharedaccess
everal cache Fully a N-way
cache Direct
ully associatassic replac Least Pseud Most R First I Rando
odern COTptimizations
Ca4.2.4..1
U
M COMP
7 SHAR
ARCH
8 SHAR
PART
9 SHAR
PART
0 SHAR
MBU : Multip
e content inMBU30 are ded in sectiourrent acced cache havses to shared
e organizatioassociative:y set associlines.
t mapped ca
tive and N-wcement policRecently Uo Least RecRecently Usn First Out
om TS processo, for instanc
ache Classif
PONENT/SER
VICE
RED CACHE
HITECTURE
RED CACHE
TITIONING
RED CACHE
TITIONING
RED CACHE
ple Bits Upse
ntegrity. Aslikely to o
on 9.6. esses impacve to appead memory.
ons exist, in: Each memative cache
ache: Each m
way associacies are:
Used cently Usedsed
ors usuallyce to improv
fication cri
RC
E E
THE SH
CACHE
SEVERA
WRITE
E IT IS PO
PARTIT
SHARE
WAY
E IT IS PO
PARTIT
SHARE
LINES
E IT IS PO
et
s for privatoccur. Such
ct. We conar in the In
ncluding: mory row ma
: Each mem
memory row
ative caches
d:
y implemenve streams p
iteria
CRITERIA
HARED
E HAS
AL READ AN
PORTS
OSSIBLE TO
TION A
D CACHE P
OSSIBLE TO
TION A
D CACHE P
OSSIBLE TO
e caches, ah events ha
nsider that nterconnect
ay be storedmory row m
w may be st
s implement
nt one or mprocessing.
PO
ND
NO
O
ER NO
O
ER NO
O
a shared cacave to be m
potential reUsage Dom
d anywhere may be store
tored in a si
t a replacem
more of th
OSSIBLE VA
YES
NO
O INFORMA
YES
NO
O INFORMA
YES
NO
O INFORMA
YES
che is usualmitigated fo
estrictions omain in the
in the cacheed in any w
ngle cache
ment policy
ose replace
ALUES
ATION
ATION
ATION
lly a large ollowing re
on concurre same way
e. way of some
line.
that has to
ement polic
OBSERV
USUALLY, CACHES HA
READ THAN
PORTS
IF YES, TH
APPROACH
KNOWN AS
EFFICIENT
IF YES, TH
cache in wecommendat
rent accessey as concur
specific se
be documen
cies with s
VATIONS
SHARED
AVE MORE
N WRITE
IS
H IS
S THE MOST
T
IS
which tions
es to rrent
ets of
nted.
some
T
41
42
9.4
In sofestThdeUsof de(th Cafea
Mofea
SRAM
1 SHAR
CACH
2 SHAR
CACH
Co4.2.4..2
a general cftware exectimation of he absence terminationsually, the e
the combtermining a
he possible c
ache contenatures: Instruc
been e Data c
dynam Instruc
oreover, caatures: Cache
data/in Shared
import
M BEHAVIO
RED CACHE
HE LOCKING
RED CACHE
HE LOCKING
ontent pred
case, sharedcuted on eacthe WCET of reliable
n. exact cachebinatorial ean Abstract contents of
nt prediction
ction cacheexplored. cache conte
mically deterction/Data c
ache conten
e conflict nstructions d code (esptant to estim
R CONFIG
SHARE
SRAM
E G
IT IS PO
ONE CO
SOME O
CONTE
CACHE
E G
IT IS PO
ONE CO
SOME O
CORE’S
THE CA
diction featu
d cache conch core. It cfor some em
e informatio
content prexplosion eCache Staeach cache
n algorithms
e content pr
ent predictiormined. Thuconflict pred
nt prediction
prediction. in the share
pecially sharmate how fa
GURE A
D CACHE IN
M
OSSIBLE FO
ORE TO LOC
OF ITS
ENT IN THE
E
OSSIBLE FO
ORE TO LOC
OF ANOTHE
S CONTENT
ACHE
ures
ntent predictcan be noticmbedded soon on cach
ediction is nntailed by te. This is alines) durin
s (for privat
rediction. T
on. This feaus the set ofdiction. Thi
n algorithm
That meed cache thared libraries
ar shared co
N NO
OR
CK
NO
OR
CK
ER
T IN NO
tion is onlyced that cacoftware. he content
not achievathe multip
an approximng the possi
te and share
This is poss
ature is mof read/writeis feature oc
ms supportin
eans identifat will be fus, OS and l
ode loading
NO
O INFORMA
YES
NO
O INFORMA
YES
NO
O INFORMA
y possible wche content
may lead
able for a laple executimated repreible executi
ed caches) h
sible when
ore difficult e addresses hccurs in uni
ng shared c
fication ofrther invalidlanguage ruby one core
ATION
ATION
ATION
when we haprediction i
to pessimis
arge cache -ion paths. esentation oons of the e
have to take
execution p
because lohas to be apfied caches
caches have
f situationsdated by an
untimes) impe will be pro
REMOVES O
SOURCE OF
INDETERM
IF YES, TH
VIOLATION
ROBUST
PARTITION
ave a full viis a means t
stic hypoth
-shared or pCurrent m
of the possibembedded s
e into accoun
paths in the
oad/store adpproximated
e to addres
s where onother core. pact determofitable to o
ONE
F
MINISM
IS IS A
N OF
NING
isibility intoto give a tig
heses in W
private- becmethods aimble cache software.
nt the follow
e software h
ddresses mad first.
s the follow
one core l
mination. Thother cores.
o the ghter
CET
cause m at states
wing
have
ay be
wing
loads
his is
Thcacalgbede Thlacrec
9.4
W
Thvis
9.4
It mIn foris pa It pareqall
9.4
Wscride Yebe
31 S
he interestedches partaggorithms mtween eachployed in th
he use of shck of backcommendat
Cla4.2.4..3
e highlight Cache Cache
hose mechansibility into
4.2.4..3.1 C
may be posan N-way a
r one core),allowed to
artitioning m
can be notartitioning dquests it. It lows them t
4.2.4..3.2 C
hen a shareratchpad. Itentifying ca
et each core enforced.
SRAM : Stat
d reader mgés, 2010)
may offer bh core in itshe industria
hared cacheskground otions on thei
assic cache
here two cle partitionine configurati
nisms may the softwar
Cache parti
sible to alloassociative , or over wao allocate dmay be enfor
ticed that a deals with c
may be lato access the
Cache use a
ed cache mts content wache manage
e may initiat
ic Random A
may refer tofor a detailetter results program.
al world.
s in Embeddn their usir usage “as
e configurat
lassic mechang ion as SRA
address the re deployed
itioning
ocate specifcache, this
ays (one wadata/instructrced to allo
partitionedcache line ater accessede concerned
as SRAM
may be conwill be fully ement reque
te cache ma
Access Mem
(Hardy, Aled algoriths when theHowever,
ded Aircraftse in hards a shared ca
tions
anisms or c
AM31
problem ofd in parallel
fic areas of apartitioning
ay of all setstions in its cate disjoin
d cache wilallocations: d, read and d addresses.
nfigured parmanaged b
ests explicit
anagement r
ory
Analyse pirehm. It can be programmto the best
ft Systems sd real-timeache” (that
onfiguration
f cache conton the Airb
a shared cacg may be ens is reservedreserved c
nt sections o
ll not exacta cache linmodified b
rtially or toby softwaretly initiated
requests. A
e cas pour be noticed
mer explicitt of our kno
seems to be systems,means with
ns that are u
tent predictiborne Embe
che to one cnforced overd for one cocache area.of a shared c
tly behave ne can be loby other cor
otally as SR. Predicting
d by softwar
coherent m
processeur that shared
tly introducowledge, su
a long-termthus we
hout any con
usually avai
ion even whedded System
core. This isr sets (all wore). In bothAn adequa
cache to eac
like N privoaded in oneres, given th
RAM, it simg cache contre.
management
multi-coeud cache conces synchrouch algorith
m solution. Hdo not pr
ntrol on its c
ilable for sh
hen the progm.
s called cachways of one h cases, the ate configuch core.
vate cachese core’s parhat their m
mulates thetent in this
t of the shar
urs disposanntent prediconization pohms are not
Hence thererovide specontent).
hared cache
grammer ha
he partitionset are reseconcerned
uration of c
s. Indeed, crtition onlyemory map
e behaviorsituation m
red cache h
nt de ction oints t yet
e is a ecific
s:
as no
ning. erved core
cache
cache y if it pping
of a means
as to
RGWco(hyde
9.4
I
Rc
C
We
GL n°12e recommenfiguration ypervisor foployed simu
Co4.2.4..4
Criteria
nformationthe cache
behavior available
estrictive cconfiguratiare availab
Cache disabis possibl
Weights:
end that ro
for cachefor exampleultaneously
orrespondin
a
n on e is e
Therepldoc
It exalgoleaspoliThemulpara
cache ions ble
Thepartper
Thecontota
bling le
It isthe
1: informa
obust partite partitionie) if shared y on differen
ng selection
Sub-crit
e available lacement po
cumented
xist a cacheorithm that st one replacicy e cache can ltiple transaallel
e cache can titioned per way
e cache can nfigured partally as a SRA
s possible toshared cach
ative
tioning for ing mechancache is co
nt cores and
n criteria
teria
olicies are
e prediction supports at cement
serve actions in
be set and/or
be tially or AM
o disable he
2: N
shared cacnisms or sonfigured a
d use shared
Weight for
DAL A/B
3
3
1
2
1
3
Nice to hav
che shouldshould be as SRAM wd cache.
Weight for
DAL C/D
2
2
1
2
1
2
ve
d be enforcenforced b
when partiti
O
This critercache contwith a cachSRAM. Optimizedpolicies m
This may rthe cache rbeen optimsome operThis informduring the Domain deavailable ttook for thThis informto simulateprivate caccache. Cacmay be eaThis confiwhen the cfinely man
It should ba shared caplatform dperformanbehavior c
3: Man
ced by defby softwarioned Oper
Observatio
rion is mandtent has to b
che not conf
d cache replmay be propr
raise a featureplacemen
mized to accrations. mation may
e Interconneefinition – ithen marginhe usage Domation maye the behavches inside che content
asier. iguration macache contenaged by so
be demandeache when t
does not neence gain or wcan’t be manndatory
fining hardwre managemating Syste
ons
datory if be predictedfigured as
lacement rietary.
ure when nt policy hascelerate
y be useful ect Usage if it is not n will be omain y be useful ior of a private prediction
ay be usefuent has to beoftware.
ed to turn ofthe ed its when naged.
ware ment
em is
d
s
l e
ff
9.4
Caonmaso me Th
Wgu ImcacrefcoCobuinv Coadinttheto In traem
4.2.5. Cach
ache coherene same datay also be Ithat their d
emory – ma
here are two Invali
o
o
Updato
o
e usually euarantee no m
mplementingche cohereferenced byntaining a
onversely, dusses and fvalidate loc
ommon diredditional traftroduce a hem or not) bpropagate c
an Embedansactions smbedded so
he coheren
ency mechaa. Usually I/O internal data is markaintains an u
o families ofidate protoc
The accesand requiselected fiThis classline invalimay entai
te protocolsThe accesones contransparenThis classthe interco
encounter Inmodificatio
g a cache cency is cally a dedicate
cache line.distributed cfilters accesal copies).
ectories usffic only to
higher traffibut memorycorrectly thi
dded Aircraservice insidoftware and
cy mechan
anisms are rit concerns cache mem
ked as deprup-to-date v
f coherencycols: ssed cache lire a load first by the cs of protocoidation is cl additional
s: ssed cache lntaining thently. s of protocoonnect, thus
Invalidate pon for multip
oherence prled Directoed compone. It filters mcache coherssed addres
age entailsnodes that
ic (snoops ay transactiois traffic.
aft Systemsde the inter
d Robust Pa
nisms
required in the cores i
mories. Modrecated. On
version of th
y protocols:
line is markto the main
cache replacols is usuallycheaper thanl traffic (N r
ine is update cache li
ols has an as traffic on t
protocols inple valid da
rotocol canory-based cent, the commemory acrency is callsses. When
an additioactually req
are propagaons are serv
s usage, caconnect andartitioning
architecturinternal cacdifying the ne centralizehe data.
ked as invaln memory.
cement policy easier to in cache linereloads com
ted. Then aine are au
advantage: athe intercon
n today’s arata in cache.
n be done incoherence. mmon directccesses andled Snoopinn they noti
onal duratiquire cacheated to all n
ved faster, a
ache coherd inside eacinsurance.
re that integches, shareddata in oneed storage r
idated in al. Moreovercy. implement e update). H
mpared to on
an update reutomatically
a cache accennect may b
rchitectures.
n a centraliMemory a
tory. This cd signals thng-based coice a confl
on on trane coherency nodes withos long as th
rency mainlch core. ThThe usage
grates severd caches and place shallresource –
l locations. r, the invali
and offers bHowever inne update).
equest is broy updated.
ess will alwbe easier to c
s associated
zed or a diareas that acomponent me correspon
oherency. Elict, they s
nsactions serequests. G
out determihe interconn
ly impacts his impacts t
and limita
ral storage d the main l signal the most of the
Further acclidated cach
better perfon case of m
oadcasted toFurther a
ways hit witcontrol.
d with MES
istributed ware markedmaintains tnding node
Each node spsignal them
ervice. Yet Globally, snining whethnect has eno
the timingthe WCET
ations on c
devices hosmemory, bother resou
e time the m
cesses will he line may
ormances (cmultiple relo
o all nodes. access will
thout reques
SI protocol
way. Centrald as sharedthe list of nes of an accpies the add
mselves (usu
they limitnooping requher they reqough bandw
g variabilitcalculabilit
ache coher
sting but it urces main
miss y be
cache ad it
The l hit
sting
that
lized d are nodes cess. dress ually
t the uests quire width
ty of ty of ency
meto of It cac
9.4
Inthecomaav
Inthecoonanav
We
echanisms mconfine cacmaintaining
can also beches access
Co4.2.5..1
Criteria
formation e cache herency anagement
vailable
formation e cache herency im
n timing nalyses is vailable
Weights:
may be addche cohereng it itself un
e noticed thses and thus
orrespondin
a
on
t is
Cacmecdisa
Cacmaya suplat
on
mpact
It isacceimpcohtrancach
It isacceimpcohtraninte
1: informa2: Nice to 3: Mandat
dressed in thncy traffic bnder some li
hat snoops slow down
ng selection
Sub-crit
che coherenchanisms shabled
che cohereny be partitioubset of nodtform
s possible toeptable bou
pact of cachherency traffnsactions in hes
s possible toeptable bou
pact of cachherency traffnsactions sererconnect
ative have
tory
he Interconnbut do not guimitations.
managemen the core ac
n criteria
teria
ncy hould be
ncy traffic oned inside des on the
o provide unds for the e fic on core private
o provide unds for the e fic on rvice in the
nect Usage uarantee an
ent inside eccesses to it
Weight for
DAL A/B
3
2
3
3
Domain. Mny data cohe
each core mts private ca
Weight for
DAL C/D
1
1
2
2
Many platforerency. The
may use somaches.
O
Cache cohespecially partitionedno shared cores. See RGL This criterespecially provide sobetween sothe same awithout imcores. This critercache cohebe able to on core tradeterminis See RGL This critercache cohebe able to on transacdeterminis See RGL
rms offer tosoftware m
me bandwi
Observatio
herency mayin the case
d systems wdata or area
n°13 rion is interewhen we h
ome cache come cores eairborne sofmpacting the
rion is manderency is acmanage tim
ansaction ansm.
n°14 rion is manderency is acmanage tim
ction and so sm
n°15
o disable anmay be in ch
dth for inte
ons
y be uselessof
when there isa between
esting have to coherency executing ftware e other
datory whenctivated to ming impactnd so
datory whenctivated to ming impact
nd/or harge
ernal
s,
s
n
t
n
t
RGWOp
RGWpri
RGWit f
9.4
Then
9.4
Num
20
21
GL n°13e recommenperating Sys
GL n°14e recommeivate cache
GL n°15e recommenfor the corre
4.2.6. Shar
he Airborne ncounter the Interru Core a Timer Watch Power Suppo
Sh4.2.6..1
m Comp
ser
0 Intecont
1 Cloc
nd, preventstems is dep
nd, when c- finding up
nd confininect executio
red service
Embedded following oupt generatiand processr configuratihdog configr supply andort for atomi
hared Servi
ponent/ rvice
errupt troller
Ainsu
cking Es
ting undesirployed on e
cache coherepper bounds
ng cache cohon of embed
s
d Equipmentones: ion and routor clock conions
gurations d reset ic operation
ces Classifi
C
Access restrnterrupt conupervisor is
Each core haource or PL
rable behavach core wi
ency is enas on cache c
herency trafdded softwa
t is in charg
ting to coresnfigurations
ns
ication crit
Criteria
iction to thentroller for ts possible
as its privateLL circuit
vior, disablinith no share
able, boundicoherency t
ffic betweenare.
ge of provid
s s
teria
e the
e clock
ng cache coed memory b
ing the timitraffic impac
n the concer
ding shared
Possible
Ye
no
No infor
Ye
No
oherency mebetween cor
ing variabilct -.
rned cores a
services am
e values
es
o
rmation
es
o
echanism wres.
lity when co
and periphe
mong the cor
Obs
when partitio
ore access t
erals that req
res. Usually
servations
oned
to its
quire
y, we
22
23
24
25
26
27
28
29
30
31
32
2 Cloc
3 Cloc
4 Cloc
5 Power
6 Power
7 Power
8 Tim
faci
9 Tim
faci
0 Tim
faci
1 Tim
faci
2 Tim
faci
cking Tc
cking
Tmcru
cking Tac
r supply Tcc
r supply Tc
r supply Tm
mer ilities
E
mer ilities
Tc
mer ilities
Te
mer ilities
T
mer ilities
Tc
There is a sincores
There is a prmechanism tconfiguratiountime
The mappingavailable PLconfigurable
The power scan be protecores corrup
The core cancores
The core canmode by oth
Each core ha
Timers can bclock source
Timers can bexternal cloc
Timers can g
Timers havecircuit
ngle clock f
rotection that preventn to be corr
g between LL and corese
source of eacted from o
ption
n be halted b
n be set in sher cores
as a private
be fed by the
be fed by anck source
generate int
e their own c
for all
t a PLL rupted at
s is
ach core other
by other
sleep
timer
he same
n
terrupts
clock
No infor
Ye
no
No infor
Ye
no
No infor
Ye
no
No infor
Ye
no
No infor
Ye
no
No infor
Ye
no
No infor
Ye
no
No infor
Ye
no
No infor
Ye
no
No infor
Ye
no
No infor
Ye
no
rmation
es
o
rmation
es
o
rmation
es
o
rmation
es
o
rmation
es
o
rmation
es
o
rmation
es
o
rmation
es
o
rmation
es
o
rmation
es
o
rmation
es
o
If yes, a pmechanisproposed
If yes, a pmechanisproposed
protection sm must be d
protection sm must be d
33
34
35
36
AlthePaser CoaccAiam
RGWcorel
ThclasucWthaof
3 Re
faci
4 Re
faci
5 Watc
tim
6 Watc
tim
ll those serve adequate artitioning arvices may
onfigurationcesses are firborne Emb
mong superv
GL n°16e recommenfiguration ly on a sing
he case of hassical usagcceed only hen concurrat might leareservation
eset ilities
Ito
eset ilities
A
chdog mers
Tp
chdog mers
Itwc
vices can beconfiguratio
and executihave its beh
n registers thfiltered by tbedded Sysvisors execu
end restricof shared
le static con
hardware suge, for semif they are nrent accesse
ad to a high n stations.
t is possibleon one core
A core can r
There is oneper core
t is possiblewatchdog cocore
e configureon registerson integrityhavior chan
hat are locathe MMU. stem servicuted on each
ting to hyservices. M
nfiguration
upport for amaphore imnot interleaves occur to tnumber of
e to perform
reset anothe
e watchdog t
e to restrict onfiguration
ed by all cos. In the Emy insurance
nged by an a
ated in the sAn adequates with suph cores may
ypervisor oMultiple inst
that is deter
atomic opermplementatio
ved with onthe same timretries, or e
m a reset
er core
timer
a n to one
ores, providembedded Aie. Indeed, aalteration of
shared spacete configurapervisor priy still lead to
or supervisotances of prmined at de
rations (alsoon, consistne or more ome, one or meven to dead
No infor
Ye
no
No infor
Ye
no
No infor
Ye
no
No infor
Ye
no
No infor
ed their meircraft Systea core whof those servi
e are mappeation of theivileges. Hoo faulty exe
or (when privileged sesign time.
o named ress in perforothers. more operatdlocks, wou
rmation
es
o
rmation
es
o
rmation
es
o
rmation
es
o
rmation
emory mappems contextse softwareices.
ed in the ade MMU mayowever, nonecution of th
hypervisor oftware run
servation strming two
tion may faiuld have to
If yes, a pmechanisintroduce
If no, thisindetermi
ping allowst, this may e execution
ddress spaceay restrict thn-consistenthe embedde
doesn’t enning on ea
tations) is pconsecutiv
il. Some exbe studied
protection sm must be ed
s is a sourceinism
them to acweaken Ro
n relies on
e. Thus softwhose accesset configurat
ed software.
exist) levelach core sh
particular. Te accesses
treme situatto allow the
e of
ccess obust such
ware es to tions
the hould
Their that
tions e use
RGWsha
9.4
It ressercoa hlev
We
RGWabau
32 P
GL n°17e recommeared reserva
Co4.2.6..2
Criteria
is possible strict sharervices nfigurationhigh privilevel
Weights:
GL n°18e recommenle to reset
uthorization
PLL : Phase
end that imation station
orrespondin
a
to ed
n to ege
AccintePLLpowrestsupwithacceperiOneanopriv
1: informa2: Nice to 3: Mandat
nd, in multit another cto perform
Locked Loo
mplementations.
ng selection
Sub-crit
cesses to theerrupt controL32, shared wwer sources.tricted to theervisor/hyphout impactesses to othipherals e core canno
other core atvilege level
ative have
tory
i-core conficore. Onlythis reset.
p
on of sema
n criteria
teria
e shared oller, watchdog, ... can be e
pervisor ting
her
ot reset t user
igurations, n Hyperviso
aphores sho
Weight for
DAL A/B
3
3
not to authoor or Supe
ould take in
Weight for
DAL C/D
2
3
orize one coervisor (if
n account p
O
An adequaMMU mayrestrictionshould notrestriction See RGL
Reset signfollowing explicit resprivileged determinedor events toperationssignals. See RGL
ore, under Uhypervisor
potential de
Observatio
ate configury provide su
n. Yet the mt entail acce
ns on other p
n°16
nals can oftevarious evesets can be
d software, id whether striggered bys might enta
n°18
USER privilr doesn’t e
eadlocks du
ons
ration of theuch apping ess peripherals.
en be raisedents. Even irestricted tot shall be
some errors y user-level ail reset
lege level, texist) have
ue to
e
d f o
to be e the
9.4
Thwi
In mires
RGW
MeemtheA cen
RGWlevsin
4.2.7. Core
he cores supithin two me Inter-c Shared
the Embedight be the stricted to): As a p
it) When
GL n°19e recommen
1. The us2. The co3. The A
softwa
emory mapmbed one Me feature of
non-coherntralized m
GL n°20e recommenvel – when ngle configu
es
pport the exechanisms: core interrupd memory
dded Aircrasame as a
protection m
the destina
nd that:
se of inter-conditions th
Airborne Emare deploye
pping is deMMU per cof coherency rent configemory prote
nd that the the Hypervuration for t
xecution of
pts
aft Systemsany external
mechanism
ation core is
core interruphat rule the umbedded Syd on each c
efined in thore. Thus, mmaintenanc
guration maection servi
configuratiovisor does nothe whole p
f multiple so
context, thl interrupt.
(a core can
actively wa
pts should buse of inter-ystem providores comply
he Memorymemory mace between aay weakenices may be
on of MMUot exist – inlatform.
oftware ins
he use of inIt is accep
n interrupt a
aiting for be
be restricted-core interruder should y with these
y Managemapping definall MMU.
n Robust Pe protected a
Us should ben order to pr
RS
tances in p
nter-core inptable under
another core
eing interru
d to supervisupts should provide ev
e rules.
ment Unit (Mnition is dis
Partitioningagainst non-
e performedrove that sp
Réf. C
arallel. The
nterrupts (por some con
e if it detect
upted.
sor or hyperbe docume
idence that
MMU). Mustributed am
. However-coherent M
d only at thepatial isolati
EAS
CCC/12/0068
ey may (exp
oint-to-poinnditions inc
ts a faulty e
rvisor. ented.
all instanc
ulti-core plamong the co
r, platformMMU config
e Hypervisoion enforcem
SA
898 – rev. 07
plicitly) inte
nt or broadcluding (but
execution in
es of privil
atforms usuores. This ra
ms that progurations.
or or Supervment relies
eract
cast) t not
nside
eged
ually aises
ovide
visor on a
9.4.2.7..1 Corresponding selection criteria

| Criteria | Sub-criteria | Weight for DAL A/B | Weight for DAL C/D | Observations |
| Inter-core interrupts emission can be controlled | Inter-core interrupts generation can be restricted to a supervisor or a hypervisor | 3 | 3 | This criterion is mandatory to prevent inter-core interrupts from being emitted by the airborne software in an unpredictable way. See RGL n°19 |
| Memory mapping can be protected against non-coherent configurations | There is a centralized service of memory protection unit | 2 | 1 | Having a centralized protection mitigates the risk of non-coherent configuration of distributed memory protection mechanisms. See RGL n°20 |

Weights: 1: informative, 2: Nice to have, 3: Mandatory

9.4.2.8. Peripherals

Several features dealing with shared peripherals have to be considered. We distinguish features concerning the main memory from those concerning I/O.

Sharing the main memory means sharing the physical storage resources and the memory controllers. The storage resource can be partitioned when necessary: disjoint memory areas can be allocated to each core (this is space partitioning). We do not consider this feature in this section. Sharing accesses to the memory controllers may in some cases increase the timing variability of a transaction with a factor higher than the number of accessing masters (see (Moscibroda & Mutlu, 2007) for an illustration: on a dual-core platform, a task is slowed down with a factor of 2.9 while the concurrent task is not).

These side-effects are due to the internal structure of a DDR. It contains several banks, each bank having internal read/write buffers, internal scheduling optimized for contiguous read/write transactions. Incoming transactions have been interleaved in the interconnect. Thus, contiguous accesses sent by a core may not be contiguously serviced inside the memory controller. This phenomenon cannot be controlled by the software. Thus its worst case timing variability has to be determined and applied for each memory transaction.
RGL n°21
We recommend that the Interconnect Usage Domain should specify atomic access patterns to the main memory to provide tighter bounds on timing variability of memory transactions.
We recommend that Worst Case Response Time should be determined for these patterns and Memory transactions should be encapsulated inside them.

Shared I/O features dealing with configuration are similar to shared services configuration. Additional features occur when the cores concurrently perform the following actions:
- Access simultaneously read and/or write buffers. Here classic rules of time and space partitioning can apply: storage areas have to be partitioned with some component controlling their access, and when it is not possible ensure that concurrent accesses will occur in disjoint time windows.
- Initiate specific protocols operations. Here, uninterrupted access is required during the protocol execution to be able to fulfill correctly the concerned protocol.

Like shared services, concurrent accesses to shared I/O may occur simultaneously from different cores. Yet their use is more complex than configuration of shared services. Some I/O are accessed according to a protocol, others are accessed from a read and/or write buffer. Thus atomic access patterns have to be ensured.

RGL n°22
We recommend that accesses to shared I/O dealing with configuration should be restricted to the Hypervisor or Supervisor level – if the Hypervisor level does not exist – access patterns to these I/O should be documented in the Interconnect Usage Domain.

Classically, shared I/O's accesses are managed by the supervisor or the hypervisor. The three existing management methods are:
- I/O emulation. On each core, the supervisor/hypervisor emulates a virtualized I/O interface. It is in charge of propagating I/O accesses to the physical I/O. This interface may be a simple read/write buffer (the supervisor/hypervisor implements in its own driver the corresponding protocols), or a complete I/O (the supervisor/hypervisor leaves I/O management to the Airborne Software)
- I/O direct access. On each core, the supervisor/hypervisor configures the MMU to enable direct I/O accesses. The supervisor/hypervisor does not intercept further accesses.
- I/O manager core. One core is dedicated to I/O transactions. For the remaining cores, I/O transactions are encapsulated inside inter-core messages that are propagated through a communication service.

Today’s experience in shared I/O management is not sufficient to recommend one method rather than the two others for an Embedded Aircraft Systems usage.
9.4.2.8..1 Corresponding selection criteria

| Criteria | Sub-criteria | Weight for DAL A/B | Weight for DAL C/D | Observations |
| Memory mapping allows I/O per I/O isolation | All I/O may be accessed in different pages so that I/O management can be partitioned by the MMU | 2 | 1 | It is preferable to have a control I/O per I/O. Yet this is not mandatory since I/O control is provided by platform software. |

Weights: 1: informative, 2: Nice to have, 3: Mandatory
9.5. SOFTWARE ASPECTS

This chapter deals with tasks 7 and 8

9.5.1. Summary of task 7

In combination with the steps listed above, identify and analyze the software architectures that may be used in combination with the hardware of each processor group and, if possible, classify those software architectures into groups.
Criteria for this grouping might include such factors as whether symmetric, asymmetric or ‘bare-metal’ multi-processing would be used, whether there are suitable certifiable operating systems that may be acquired and incorporated to execute on the processor and for which types of processing the processors would be best suited.
The study shall identify whether there are particular ways to allocate tasks or parts of tasks to the processor cores that would be most safe and effective for each type of processor and / or operating system, e.g. allocating a single critical task to each processor.

9.5.2. Summary of task 8

Identify the methods, tools, languages and operating systems that would be most suitable for specification, development and implementation of safety-critical software to execute in parallel with robust partitioning on the representative processors and any software / COTS IP that they include.

This chapter deals with multi-cores features related to software execution on a multi-core processor. We focus on Airborne Software in general and platform software (that is granted the supervisor and/or hypervisor privileges) in the case of partitioned systems, especially IMA systems.

9.5.3. Airborne Software deployment on a multi-core platform

9.5.3.1. Airborne Software execution on several cores

Executing an Airborne Software on several cores on a multi-core platform is possible when it is implemented under parallel schemes. Two models are possible:
- Multitasking: The Airborne Software is decomposed in parallelizable tasks that will be activated by a scheduler. This model is implemented in all operating systems that support the execution of several Airborne Software.
- Client-Server: Some services are implemented in servers that are deployed on specific cores. The Airborne Software, executed on another core, requests those servers as a client. This model is classically used in distributed Airborne Software and relies on Remote Procedure Calls techniques. Middleware like CORBA propose services to ease the development of such Airborne Software, for instance messages encapsulation to facilitate method and arguments passing. Some of them have been designed to provide real-time performances.
9.5.3.1..1 Multitasks scheduling features

The classic approach for a multitasked system is the hierarchical model based on processes (or partition) and threads (we use UNIX terminology. In ARINC 653, the equivalent components are partitions and processes). Processes (or partitions) are executed from isolated memory areas. Inside a process, one or more threads are executed in the same address space. The use of threads is quite flexible in parallel programming because it enables the definition of shared objects that can directly be accessed by the different threads.

For simplicity, we talk about tasks rather than processes and threads. Usually, parallel programming models include two kinds of tasks: periodic and sporadic (with a minimal inter-arrival time).

Processes and threads activation depends on a scheduling algorithm. One can read the following survey on scheduling algorithms for single and multi-core processors: (Blake, Dreslinski, & Mudge, 2009). Like single-core algorithms, multi-core ones have to solve the Priority Problem. That means they have to decide in which order and when tasks will be executed. Moreover, multi-core scheduling algorithms have to solve the Allocation Problem. That means they have to decide on which core a task will be executed. This leads to the definition of two categories of algorithms: global and partitioned, respectively allowing or not migrations of tasks among the cores.

To be acceptable for an Embedded Aircraft Systems system, a scheduling algorithm shall verify the following properties:
- Feasibility: There shall be a scheduling test that depends on the Worst Case Execution Time, the period (if any) and the deadline of each task.
- Predictability: The Response Time of the set of tasks (i.e. the time in which all tasks will be scheduled) does not increase if the execution time of one task decreases.

The second property is critical. Indeed, it ensures that a set of tasks whose schedule has been validated with their estimated WCET will meet its deadline considering the real execution time of tasks.

Usually, pre-emptive and priority based scheduling algorithms (for instance Rate Monotonic, or Earliest Deadline First) are preferred for single-core processors because they check the previous properties, their implementation is easier and worst case performance can easily be computed. For instance, ARINC 653 recommends such an algorithm to schedule processes inside a partition. Cooperative programming models and associated scheduling algorithms may also be used as long as the system does not require robust partitioning. Indeed cooperative programming introduces many functional dependencies between tasks that are not compatible with robust partitioning enforcement.

It has been proven that pre-emptive and fixed priority multi-core scheduling algorithms still verify those properties, for instance Global Rate Monotonic or Global Deadline Monotonic. However this is no longer the case for dynamic priority algorithms, such as Global Earliest Deadline First. In the case of partitioned algorithms, the problem remains equivalent to single-core algorithms, thus pre-emptive and priority based algorithms are predictable.
Global scheduling algorithms have an advantage over partitioned algorithms: they are more efficient. Indeed, all task sets schedulable under a partitioned algorithm will be schedulable by the equivalent global algorithm. The opposite is not true. Moreover, global algorithms save the cost of a static allocation that may be a NP-hard problem. However, they have drawbacks. They entail task migrations whose costs have to be bounded, and they manipulate larger data structures whose cost may be prohibitive.

RGL n°23
We recommend the use of partitioned scheduling algorithms and static allocation of tasks to cores that will be decided at Design Time and forbidden at Run Time.

9.5.3.1..2 Airborne Software migration from single-core to multi-core platforms

When porting multitasked Airborne Software from a single-core to a multi-core platform, the Airborne Software developer has to be sure that:
- The Airborne Software execution will still be correct
- A Worst Case Execution Time will be calculated for each task or process.

It can also be noticed that multitasked airborne software may not be efficiently executed on a multi-core platform if its tasks have dependencies requiring a specific execution order.

Concerning the first requirement, care has to be taken if the Airborne Software is implemented within a cooperative tasks model. Indeed, such an implementation usually removes protections in critical sections accesses. In a sequential execution, this is correct: during a critical section, no pre-emption will occur if the developer does not explicitly write it. However, in a multi-core execution, this critical section might be executed in parallel by different tasks, resulting in an erroneous execution. Yet the execution would be correct if the critical section was protected by a semaphore.

RGL n°24
We recommend, when Airborne Software is a multitasked one that critical sections should be explicitly protected by semaphores in case of cooperative programming.

Moreover, the execution of multitasked Airborne Software on several cores may require additional mechanisms such as cache coherency. The use of such mechanisms might not be compatible with restrictions imposed on the Platform or Equipment usage.

RGL n°25
We recommend that multitasked Airborne Software design should minimize the use of cache coherency mechanisms in order to be compliant with the Interconnect Usage Domain.
Features regarding the second requirement will be covered in part 9.8 dealing with tools for processing Worst Case Execution Time calculus on multi-core platforms.

9.5.3.1..3 Partitioned system features

This section is a generic one not only focusing on IMA (Integrated Modular Avionics), this section addresses all systems whether partitioning is implemented using ARINC653 Operating Systems or not.

When we address IMA Avionics Embedded Systems, we address partitioning regarding ARINC653 terminology: Airborne Software is composed of one or more partitions which are composed of one or more processes. Processes are executed in the same address space among one partition. Function suppliers are in charge of developing partitions. The Operating System provider (it may be the Platform Provider himself) is in charge of developing the Platform software.

9.5.3.1..3.1 Components evolution to take benefit of multi-core platforms

This section presents our view (as an Avionics Embedded System supplier) of partitioned Avionics module adaptation (see Figure 13) to take benefit of the introduction of multi-core processors in IMA Platforms

Current designs for Airborne Software should not change, or with minor modifications (i.e. comparable to a migration to another single-core platform). Indeed, a large change in this concept would represent a large design and implementation effort. In addition, the trend would be to promote reuse of previously SW Airborne Software, while keeping up backward compatibility.

Figure 13: HW/SW Architecture for a future multicore IMA module

From the Avionics Embedded System supplier’s point of view, the most “flexible” component is the integration software layer. At this level of abstraction, there are possible designs:
- A single OS instance shared among all the cores
- A private OS instance per core
- A virtualization layer hosting several operating systems in dedicated virtual machines.

Today, experience gained in multi-core architecture is deemed not sufficient to allow determination of which design strategy is the best suited for avionics Airborne Software.
9.5.3.1..3.2 Deployment of partitions

One stake in the introduction of multi-core in partitioned Embedded Aircraft Systems is the mastering of the parallel execution of code on different cores. This parallelism can occur at two levels of abstraction:
- Intra-partition parallelism. The extreme scenario occurs when one partition is activated on all cores and has an exclusive access to platform resources. This is called the Symmetrical Multi-processing (SMP).
- Inter-partition parallelism. The extreme scenario occurs when each partition is activated on one core with true parallelism between partitions. This is called the Asymmetrical Multi-processing (AMP).

There is a third case named Bound Multi-processing which consists in having a single instantiation of an OS managing all Cores simultaneously, but each Airborne Software application is locked to a specific Core. We don’t address this case in this document: it can be considered as a subset of the previous ones.

9.5.3.1..3.3 Symmetrical Multi-processing

A Symmetrical Multi-Processing (SMP) deployment means that partitions are activated on each core (see Figure 14). Inside a partition, processes may be executed in parallel on different cores. Integrity and WCET features covered in part 9.5.3.1 are valid in this context. There may be inter-processes conflicts when accessing to the shared resources. This does not impact time and space partitioning (because those conflicts occur inside the same partition), but it brings additional constraints on the function suppliers

SMP partitions deployment has the following good properties:
- Respect of ARINC 653 time and space partitioning requirement is possible without any modifications to the guidelines.
- There is no true parallelism between partitions.

Some Airborne Software applications are, because of their architectures, good candidates for parallel implementation. Examples of such airborne software applications are Flight Management Systems or Signal Processing applications. However, this is not the case for many legacy airborne software applications running on Embedded Airborne Systems such as utilities. For those applications, backward compatibility seems possible with minor changes, but highly inefficient.

Figure 14: Example of a SMP deployment of partitions
9.5.3.1..3.4 Asymmetrical Multi-processing

An Asymmetrical Multi-Processing (AMP) deployment means that one partition is deployed on a single core in parallel with other partitions (see Figure 15). Thus scheduling of processes inside a partition is sequential

Remark: for IMA, ARINC 653 guidelines are still valid

Good properties of an AMP deployment are:
- It does not change the model of sequential partitions that are executed inside a Single core Avionics Embedded System. Thus the backward compatibility of legacy Airborne Software is closer to the existing single-core configurations. The precedence rules related to inter-partition communications (e.g. partition 1 shall finish before partition 2 starts to provide valid data…) do not impact performance.
- It scales with the increase of the number of cores

Remark, for IMA Avionics Embedded System
- ARINC 653 space partitioning requested inside an API context can be ensured between all Cores.
- ARINC 653 time partitioning is ensured between partitions deployed on the same core inside an API context.

However, Robust Partitioning has to be ensured between Cores. As presented in the section 9.4.2.3..6, the presence of eventual uncontrolled inter-core conflicts may not be compatible with Robust Partitioning enforcement at the highest level of criticality.

Figure 15: Example of an AMP deployment of partitions

9.5.3.1..3.5 AMP-SMP-BMP selection

Today's experience in multi-core for Embedded Aircraft Systems does not seem sufficient to recommend a deployment rather than others. The following table gives a comparison of those approaches. The choice of the approach is left to the platform provider.
AMP
- It can be noticed that an AMP approach offers more compatibility with existing single-core avionic Airborne Software,
- AMP offers a better performance characteristics close to already existing systems, but presents some difficulties in the demonstration of robust partitioning,

SMP
- SMP approach needs to be taken into account by Airborne Software developer to take benefit from platform.
- SMP offers a better capability to implement robust partitioning, but at the price of lower performance and less freedom to implement modifications

| Criterion | SMP | AMP | BMP |
| Reliability | Potential decrease due to a higher level of integration | Increase if it is possible to recover from a failure inside a core by restarting the concerned core rather than the whole platform | Same advantages and limitations as SMP and AMP |
| Robust Partitioning insurance | Time and Space Partitioning (and thus Robust Partitioning) can be ensured. Partition switching requires inter-core synchronization. Partition switching timing upper bound has to be determined | Space partitioning can be implemented. However, time partitioning is not enforced anymore between partitions executed simultaneously on different cores. This approach requires Robust Partitioning to be ensured | Same problem as AMP |
| Performance gain on partitions (compared to a single-core similar platform) | Significant performance increase for partitions that can be parallelized (e.g. Flight Management System) | No performance increase inside one partition | Depending on the number of cores executing the partition |
| Airborne Software Integration | Slight increase of application integration because of individual performance increase | Significant increase of Airborne Software integration | Increase of Airborne Software integration |
| Criterion | SMP | AMP | BMP |
| Backward compatibility of multitasked Airborne Software | Care has to be taken if the programming model is cooperative. Critical section accesses have to be explicitly protected | Complete backward compatibility in the execution model. Functional porting may be required | Same problem as SMP for multi-core partitions |
| Porting effort | Main effort is by function suppliers. They may have to redesign their Airborne Software to support parallel execution | Main effort is by platform provider. He has to provide Robust Partitioning and independent WCET calculus methodology | Effort required both by function suppliers and platform provider |

9.5.3.1..3.6 Others deployment schemes

In the deployment schemes presented before, we covered alternatives using all cores of the platform each hosting up to DAL-A or DAL-B level.

Additional “restrictions” can be brought at this level, for example, SysGo’s with its PikeOS Operating System deployed on a multi-core processor does not allow a DAL-A partition to be scheduled in parallel with other partitions (see Figure 16: partitions 1 and 2 are DAL-A and executed on an equivalent single-core platform).

Such a deployment restriction allows Robust Partitioning to be ensured for DAL-A / DAL-B Airborne Software with Time and Space partitioning but this restriction introduces a significant loss of performance (from “n” cores down to “one”). This method expects reduction of performance to be acceptable if the proportion of DAL-A / DAL-B Airborne Software remains small inside the module.

Remark: In IMA systems where hosted Airborne Software is mainly at DAL-A / DAL-B level, this approach can’t be used and so conflicts have to be managed.

Figure 16: Example of a restricted partitions deployment scheme
Today’s experience in Embedded Aircraft Systems seems not to be enough to state whether such restrictions are necessary or if all cores may be used whatever the level of criticality.

9.5.3.2. Airborne Equipment software features

Airborne Equipment software usually refers to an operating system and/or to a hypervisor whose integrity is protected by a dedicated privilege level. The platform provider may not be the Airborne Equipment software developer (he may integrate existing COTS solutions) but he is supposed to have a sufficient knowledge on its behavior and its architecture.

RGL n°26
We recommend, if SMP mode is selected by the platform provider for the Operating System that processes, threads or tasks are statically allocated to cores to achieve determinism and repeatability.

RGL n°27
We recommend, if the Avionics Software Behavior is not known by the platform supplier and AMP mode for the Operating System is selected, the use of a Hypervisor to master the behavior of the Interconnect Usage Domain.

9.5.3.2..1 Architectural concerns

Features concerning the architecture of Platform or Equipment software are close to ones concerning partition deployment on a multi-core platform. They depend on the cores on which the platform software is deployed.

9.5.3.2..1.1 Symmetrical Multi Processing

We talk about a symmetric architecture (also called Symmetric Multi-Processing-SMP – In the literature) when a single instance of the platform software is deployed on all cores (see Figure 17). It can be noticed that the notion of “deployed on all cores” may be ambiguous. For instance, the same service may be executed locally on each core (i.e. from a private cache), even with private data. Other services may be hosted by a dedicated core, and service requests occur through inter-core communication.

The notion of symmetric architecture for privileged software can be more precisely defined as follows:
SMP privileged software has all its services executed under a non-disjoint execution environment on each core.

Figure 17: Example of symmetrical OS deployment (source: Freescale white paper on SMP/AMP/BMP)
An execution environment refers to virtual memory mapping on physical memory. For instance, we can consider two cores A and B. The privileged software may define local (and disjoint) memory pages inside A and B, and execute some services inside such pages. Thus, the services on core A are actually isolated from the duplicated services on core B. However, core B shares the environment under which core A defined its memory mapping. Thus it has access to the information used by core A to define its memory mapping.

9.5.3.2..1.2 Asymmetrical Multi Processing

We talk about asymmetric architectures (or Asymmetrical Multi Processing -AMP) when several independent instances of privileged software are executed on different cores (for instance, see Figure 18).

Each privileged software instance (operating system or hypervisor) is executed in its own context. That means on one core, the memory mapping is not visible from the other cores. This deployment allows the reuse of single-core operating systems with minimal modifications. Care has to be taken at the boot sequence because one core will be started as master and will be in charge of performing platform early initialization and starting its fellows.

Moreover, I/O features may occur when shared I/O’s are accessed concurrently by different operating systems. Those features are covered in the next section as they are classically resolved through I/O virtualization.

Figure 18: Example of asymmetric architecture (source: Freescale white paper SMP‐AMP‐BMP)
9.5.4. Mitigation means

This chapter deals with task 5

9.5.4.1. Summary of task 5

In each case where a component or feature is not suitable for use in safety-critical airborne systems, identify whether or not there are any feasible measures that might be used to mitigate the particular negative effect by means of, for example, architectural mitigation, work-around, disabling the feature concerned, imposing rules or limitations on the use of the feature concerned or any other means that the study may identify.

9.5.4.2. Mitigation Means Analysis

There are quite a few features in the design of COTS multi-core processors that must be mastered to allow use of such technology in safety-critical systems. These include: variability of execution time, service and/or transaction conflicts, core interconnect switches, cache architecture structures, shared services, inter-core interrupts, access to peripherals, programming languages. These features are listed in the following table, together with suggested recommendations on mitigation means that can be used. This does not preclude use of the actual solution that might be developed by the computing platform designer to cater for each of those features.

| COTS Multi-Core Features | Mitigation means | Comments |
| Variability of Exec. Time | WCET strategy for assessment, measurement and continuous monitoring. | Tools may be used for measurement. |
| Service/transaction conflicts | Software-controlled scheduling of tasks or processes. | |
| Cores interconnect switch | Interconnect Usage Domain Definition. | |
| Cache architecture structure | Multi-core-related cache management (e.g. one cache way per core or restrictions on the use of shared caches). Cache consistency verified by trusted and privileged software. | Similar approach can be used for the control of MMU consistency. |
| Shared services | Similar to Airborne Software Programming Interface (APIs), services must be offered via a trusted and privileged software. | |
| Inter-core interrupts | Accept interrupt only when expected (rules to implement wait-for-interrupt) or restrictions on the use of inter- | |
Ac
Pr
OntheAiinaSoTh In (inarcsucmoacc Foleaadres Thach
9.5
A de Thon
Thales Avio
ccess to per
ogramming
ne of the preir use in irborne Softability to deoftware. Thehis is mainly
the case ofncluding muchitecture), ch processodeling, havceptable lev
or Multi-corast achieved
dditional meset cases) to
he followinhievable. Th
5.4.3. Time
Channel Instined to ho
his interferen: A the
implem Via m
expect
onics
ipherals
g languages
rincipal featsafety-critic
ftware is runemonstrate e mitigationy based on a
f single-corultiple level
already ledsors. Howeve allowed vel of confid
re processord, i.e. usingeasurementso allow an a
ng is suggehe recomm
e jitter rati
nterference ost single or
ence channe
eoretical amentation in
measurementted jitter, or
proc
Sharmemtrustdireconf
Deteprocemp
tures of mucal airbornn directly oa stable W
n means thaa straightfor
re [mono]-pls of cachesd to difficuever, measua demonstrdence.
rs, this featu the same bs, includingassessment o
sted as mitended appro
io to total e
Analysis sr multiple A
el analysis s
analysis ofn the architets based on r
M
cessors inter
red I/O’s comory space ted and privctly or via cfiguration ta
ermine adeqcessing progptive versus
lti-core prone systems on the multi
WCET, whicat are suggerward step-b
processors, ), and built-lties in the urements cation of WC
ure is a bit mbasic approag under abnof the robus
tigation meoach consis
execution ti
should be pAirborne Sof
should allow
f available ecture), orselected be
MULCOR
page 112
rrupts.
onfigurationshould be a
vileged softwconfiguratioables.
quate strateggramming (co-operativ
ocessors thatis the incr
i-core archich can be rested to hanby-step app
their intern-in parallelideterminat
ombined wCET to be a
more stringach as for m
normal condstness of suc
eans when sts of four m
ime
performed ftware.
w determin
informati
enchmarks
RS
n and/or shaallocated byware, eitheron controlle
gy for multi(e.g. pre-ve).
t have a trereased varitecture. The
relied upon ndle such d
proach to W
nal complexism (e.g. instion of a fowith assessachieved wi
gent, hence mono-core pditions (intech measurem
determinismain axes th
in any case
nation of a m
ion (from
implementi
Réf. C
ared
r d
i-
mendous imability in te negative efor certific
difficulties aWCET determ
xity of cachstruction ex
ormal WCEments, relyith an upper
a more “relprocessors, perrupt triggements.
m, hence ahat must be a
e whether t
maximum e
device m
ng worst ca
EAS
CCC/12/0068
mpact and cthe executieffect of th
cation of ruare briefly mination.
he architectuxecution basET for softwying also r bound lim
lative” WCEpossibly co
ering, simul
an absoluteaddressed:
the multi-c
execution ti
manufacturer
ase perturba
SA
898 – rev. 07
consequenceion time, w
his feature isuntime Airbexposed be
ure in particsed on pipelware runninon architec
mit value wit
ET should bomplementelated failure
e WCET is
core platform
ime jitter, b
r and on
ations regar
e for when s the
borne elow.
cular lined g on cture th an
be at ed by es or
s not
m is
based
the
rding
Asrat
9.5
Wusiin (de
9.5
ExanThproco
9.5
Asexunsof
Thales Avio
A com
s those mettio.
5.4.4. Airb
CET for eaing above jthe presenc
efined acco
5.4.5. Mon
xecution timnd records ohis monitorioviding thames in addi
Firobalsco
Seboexap
5.4.6. Airb
s the aboveecution tim
nacceptable ftware robu
onics
mbination of
thods are b
borne Softw
ach Airborneitter ratio ince of other rding to tim
nitoring dur
me should bef minimum ing could b
at backgrouition to the prstly during
bserved. Thiso to ident
orrections toecondly, durounded withxecution (plpplication ex
borne Softw
e described me jitter in
spurious reustness versu
f the two me
ased on en
ware WCET
e Software ncluding maselected be
me jitter ratio
ring real-ti
e monitoredand maxim
be limited und tasks arpartition swg the develis should leatify scenario the WCETring run timh acceptableatform rese
xceeds the t
ware robust
method is some rem
esets (platfous resets sh
M
ethods abov
ngineering j
T evaluatio
could be evargins. Valienchmarks o).
ime executi
d (e.g. usingmum values)
to the critire assessed
witching codopment phaad to complios that we
T analysis anme operatioe margins) et) of Airboarget limit.
tness
largely bamote cases corm or Airboould be imp
MULCOR
page 113
ve.
udgment, a
on
valuated as oidation of fiimplementi
ion
g built-in ch). ical paths i
d as not beide that insurase to collelementary vere not cornd jitter rati
on, once theto impleme
orne Softwa
ased on engcould causeorne Softwaplemented.
RS
additional m
on a mono-inal WCET ing worst c
hecks that ex
dentified foing affectedres partitionect data relvalidation orrectly coveio whenevere jitter ratioent detectioare (softwa
gineering jue the WCare). A gen
Réf. C
margins sho
processor invalue couldase perturb
xecution tim
or an Airbod by jitter. ning. It has tative to thef the jitter rered by anr necessary.
o is consideon mechanisre reset) w
udgment, it ET to be eeral strategy
EAS
CCC/12/0068
ould be add
n a first stepd be done b
bations on o
me does not
orne SoftwThis run t
two main obe actual exratio determnalysis, and.
ered stable (sms able to
when an Air
t might be exceeded, ty and princ
SA
898 – rev. 07
ded to this j
p, and correby measuremother proces
exceed WC
are applicaime monitobjectives: ecution tim
mined aboved to implem
(i.e. sufficieo stop procerborne Softw
considered then leadin
ciple of airb
jitter
ected ment ssors
CET,
ation, oring
me as e, but ment
ently essor ware
that ng to borne
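The C code below is an added illustration, not part of the study or of any Thales or EASA material, of the WCET correction and run-time monitoring described in sections 9.5.4.4 and 9.5.4.5. The `etm_*` names, the per-mille units, the sample trace and the budget formula WCET x (1 + jitter ratio + margin) are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical monitor: names, units and the budget formula are assumptions.
 * Times are in microseconds, ratios in per-mille (1/1000). */
typedef enum { ETM_DEVELOPMENT, ETM_OPERATION } etm_phase_t;
typedef enum { ETM_OK, ETM_OVERRUN } etm_status_t;

typedef struct {
    uint32_t wcet_mono_us;    /* WCET evaluated as on a mono-processor */
    uint16_t jitter_permille; /* jitter ratio from the interference analysis */
    uint16_t margin_permille; /* margin added to the jitter ratio */
    etm_phase_t phase;
    uint32_t min_us, max_us;  /* recorded minimum and maximum values */
    uint32_t samples, overruns;
    bool reset_requested;     /* set in operation when the limit is exceeded */
} etm_monitor_t;

void etm_init(etm_monitor_t *m, uint32_t wcet_mono_us, uint16_t jitter_permille,
              uint16_t margin_permille, etm_phase_t phase)
{
    m->wcet_mono_us = wcet_mono_us;
    m->jitter_permille = jitter_permille;
    m->margin_permille = margin_permille;
    m->phase = phase;
    m->min_us = UINT32_MAX;
    m->max_us = 0;
    m->samples = 0;
    m->overruns = 0;
    m->reset_requested = false;
}

/* Corrected WCET = mono WCET * (1 + jitter + margin), rounded up, saturated. */
uint32_t etm_budget_us(const etm_monitor_t *m)
{
    uint64_t ratio = (uint64_t)m->jitter_permille + m->margin_permille;
    uint64_t extra = ((uint64_t)m->wcet_mono_us * ratio + 999u) / 1000u;
    uint64_t total = (uint64_t)m->wcet_mono_us + extra;
    return total > UINT32_MAX ? UINT32_MAX : (uint32_t)total;
}

/* Record one measured execution time of a monitored critical path. */
etm_status_t etm_record(etm_monitor_t *m, uint32_t elapsed_us)
{
    if (elapsed_us < m->min_us) m->min_us = elapsed_us;
    if (elapsed_us > m->max_us) m->max_us = elapsed_us;
    m->samples++;
    if (elapsed_us <= etm_budget_us(m))
        return ETM_OK;
    m->overruns++;
    /* Development: keep collecting data so the analysis can be corrected.
     * Operation: flag that the platform layer must stop or reset. */
    if (m->phase == ETM_OPERATION)
        m->reset_requested = true;
    return ETM_OVERRUN;
}

/* Jitter ratio actually observed (rounded up), to compare with the analysis. */
uint32_t etm_observed_jitter_permille(const etm_monitor_t *m)
{
    if (m->samples == 0 || m->wcet_mono_us == 0 || m->max_us <= m->wcet_mono_us)
        return 0;
    uint64_t over = (uint64_t)(m->max_us - m->wcet_mono_us) * 1000u;
    uint64_t r = (over + m->wcet_mono_us - 1u) / m->wcet_mono_us;
    return r > UINT32_MAX ? UINT32_MAX : (uint32_t)r;
}

/* True when measurements exceed the analysed ratio (margin not counted). */
bool etm_analysis_needs_correction(const etm_monitor_t *m)
{
    return etm_observed_jitter_permille(m) > m->jitter_permille;
}

/* Replay measured times; stops at a requested reset. Returns new overruns. */
uint32_t etm_replay(etm_monitor_t *m, const uint32_t *trace_us, size_t n)
{
    uint32_t before = m->overruns;
    for (size_t i = 0; i < n && !m->reset_requested; i++)
        (void)etm_record(m, trace_us[i]);
    return m->overruns - before;
}

/* Constructed sample trace in microseconds; not measured data. */
static const uint32_t SAMPLE_TRACE_US[] = { 910, 1040, 1130, 1250, 980 };

int main(void)
{
    etm_monitor_t m;
    etm_init(&m, 1000, 150, 50, ETM_OPERATION);
    uint32_t n = etm_replay(&m, SAMPLE_TRACE_US, 5);
    printf("budget=%u us, overruns=%u, reset=%d, max=%u us\n",
           (unsigned)etm_budget_us(&m), (unsigned)n, (int)m.reset_requested,
           (unsigned)m.max_us);
    return 0;
}
```

In the development phase the same trace is recorded in full and `etm_analysis_needs_correction` reports that the observed jitter exceeds the analysed ratio, which is the feedback loop the first monitoring objective calls for.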
9.6. FAILURE MITIGATION MEANS

This chapter deals with task 10

9.6.1. Summary of task 10

Examine whether the architectures of multi-core processors may affect the ability of a system to detect failures within the processors or their associated hardware and the ability of the system to make it safe, to re-start and recover in the event of a failure being detected.

The study shall determine which multi-core processors incorporate features such as memory management units and detection of division by zero and ensure that watchdog timers can be incorporated. The study shall identify which kinds of failure detection are possible, whether the processors incorporate any form of exception handling and what the response of the processor is to error detection, e.g. shutting down the affected software partition, the processing core, the entire processor or any other means.

9.6.2. Mitigation means

The architecture of multi-core processors is organized around the Interconnect.

In association with the temporal Interconnect behavior defined through the Interconnect Usage Domain, it is expected that the Interconnect shall not jeopardize the intrinsic processor detection of abnormal events and also shall not propagate any abnormal events initiated by a processor to the others or a group of others attached to the same Interconnect.

The generation of exceptions and the recovery actions shall be considered at the fault containment area level: partition, processor, I/O.

The Interconnect shall act as a fault container with respect to each processor including their I/O management. The notion of partitioning has also to be extended down to the I/O interfaces with associated fault detection.

RGL n°28
We recommend, for mitigation means, that the Interconnect Usage Domain should be defined to act as a fault container between cores.
9.7. COTS RELATED FEATURES

This chapter deals with task 11

9.7.1. Summary of task 11

Analyze the processor architectures and examine any problems or processor errata that have already been found to determine whether multi-core processors in general or particular types of them might suffer from more frequent failures or different or more widespread types of failures than the current single core processors. This shall include failures due to radiation induced effects such as SEU (single event upsets), whether such effects would be detectable and whether the processors incorporate any means to detect such events and correct the errors produced.

9.7.2. COTS related features analysis

The following major concerns are determining factors for the selection of complex and highly complex COTS processors for use in Embedded Aircraft Systems. The concept of Systems On Chip (SoC), which includes either microcontrollers and multi-core processors, together with heterogeneous peripherals, has been known over the past few years. Those concepts were made possible thanks to high-density integration of transistors on a single chip. From Moore's law the capability of technology in terms of number of transistors integration is to double every 12 to 18 months.

Figure 19: an example of technology evolution, up to 2022 (Source: INTEL)
The benefits of such technology are to integrate more and more transistors into smaller silicon areas, while achieving better performance and low-power consumption. An illustration is the Deep [and Very Deep] Sub Micron (DSM) CMOS technology used for multi-core processors. Deep submicron technology is using transistors of smaller size and faster switching rates. Transistor sizes, see Figure 19, down to 35nm, 25nm, 18nm, 13nm and below are envisioned, compared to the currently used sizes of 90nm and 45nm. However a number of features and challenges arose with such technology:
- Low-power design and temperature susceptibility,
- Better Signal/Power Integrity and quality,
- Higher Density and Design Complexity,
- Packaging and testing of large chips,
- Design to Cost optimal approach,
- Device parameter variability due to leakage

To date, a conservative approach in the design of embedded complex and critical real-time Embedded Aircraft Systems was to use complex to highly-complex micro-processors and microcontrollers, so-called SoCs, without further consideration of technology concerns. However various aspects should be addressed before going farther toward DSM with technologies down to lower sizes. Two examples are addressed below:

9.7.2.1. Electro-migration

This phenomenon tends to reduce the useful life duration of an SoC (figures for 90nm technology, when used continuously at maximum temperature range (105°C) and frequency range, are around 15 years, for 45nm it can be reduced to about 10 years, and down to less than five years for consumer grade quality below 28 nm).

This becomes insufficient for their use in Embedded Aircraft Systems for which the required reliability figures would be more of the order of 15 years. For other reasons (procurement costs, components obsolescence and newly required functions), Embedded Aircraft Systems renewal for on-board typical commercial aircraft is of the order of every 10 years, which would make 90, 45, 32 nm technology still compatible with such designs, analysis in progress for 28 nm.

RGL n°29
We recommend, for multi-core processor selection, that selection criteria should include Intrinsic Reliability data delivered by the component manufacturer.

9.7.2.2. Single Event Effects

Sensitivity to atmospheric radiation such as Single Event Upsets (SEUs) and Multiple Bit Upsets (MBUs) is a serious concern for embedded Airborne Software. Experience has shown that for 90nm or 45 nm technologies, no significant degradation is observed. Component manufacturers are currently testing down to 28 nm technology. First results are expected during year 2013. Error Correcting Codes (ECC) have been implemented in the design made with Single-core microprocessors, including relying upon ECC internal to the COTS device. Some COTS multi-core processors now feature ECC mechanisms inside.

However, it is anticipated that access to information from manufacturers on internal memory architecture with or without ECC capabilities will be only possible via Non-Disclosure Agreements (NDA). More data seems to be available on electro-migration effects on the useful life duration.

RGL n°30
We recommend, for multi-core processor selection, that selection criteria should include SEE analysis (manufacturer presents SEE under SER[33] wording) delivered by the component manufacturer.

[33] SER: Software Error Rate
9.8. METHOD AND TOOLS

This chapter deals with task 9

9.8.1. Summary of task 9

Identify which methods and tools would be suitable and / or necessary in order to conduct ED-12B / DO-178B verification of the Airborne Software hosted on multi-core processors. The study shall determine (if possible) whether the WCET of tasks could be measured or analyzed for each type of processor hardware / software architecture and identify any aspects of particular processor groups that might either facilitate that measurement or make it more difficult.

9.8.2. Methods and tools analysis

Most of the verification methods and tools already used to perform software verification activities required by the ED-12B/DO-178B industry standard for certification are also usable for software running on multi-core processors. This remains particularly true when Airborne Software runtime partitions are properly controlled under an Operating System environment, and when the multi-core processor features are themselves under control of a Hypervisor, which is identified as of central importance in the approach to mastering complexity of multi-core processors.

Methods supported by tools that are useful for instrumentation and testing of Airborne Software running on COTS Multi-Core processors include:
- WCET tool based on worst case execution path,
- Miscellaneous trace, monitoring or reporting tools,
- Processor driver (e.g. Hypervisor) seen as a tool,
- Usage Domain Verification / early Validation tool,
- Test means, test scripts, dummy Airborne Software,
- Miscellaneous Debugging and Measuring tools.

As already addressed in this report, the feature of WCET analysis of Software running on multi-core processors is more difficult to achieve when execution time variability is increased due to such a technology.

A 10 to 20 time increase in the WCET variability has been reported by some studies. In that situation, the measured WCET, even complemented by analysis and corrected using safety margins, may no longer provide significant useful and reliable information on the actual WCET to be claimed as part of certification.

The problem of WCET calculus is extremely complex to resolve exactly. WCET estimation methods will determine approximations of the real WCET. When considering a WCET calculus method for highly critical Airborne Software, we must have the insurance that the method is pessimistic, that means it will always provide an upper bound of the real WCET.

WCET measurement methodologies can be divided in two categories (see (Wilhelm, et al., 2008) for more details):
- Based on static analyses.
- Based on measurements under a worst case scenario.

The WCET calculus based on static analyses relies on a model of the processor to determine the worst case path in the Airborne Software Control Flow Graph within a Path Enumeration. The processor model has to contain information that describe the processor behavior so that the CFG[34] can be accurately determined, and timing information for various operations (processor services and eventual Operating System calls) so that the CFG can be annotated with timing weights. Care has to be taken when using those timing annotations. Indeed, optimizations mechanisms such as pipelines that are present inside the cores will significantly decrease the real execution time while the estimated WCET won’t. Moreover, a WCET analysis contains in particular a cache content analysis that may be difficult to fulfill (refer to (Hardy, Analyse pire cas pour processeur multi-coeurs disposant de caches partagés, 2010) for more details).

Today, this kind of methods is applied on simple architectures such as microcontrollers and academic processors. To the best of our knowledge, no complex multicore COTS are supported yet. We can identify the following tools that implement such methods:
- OTAWA: This open-source tool is developed at laboratory IRIT located at Toulouse, France. It has a large support for ARM, PowerPC and INTEL® processors. It implements several algorithms for pipeline behavior prediction, cache content prediction...
- aIT: This is a proprietary tool developed by AbsInt Angewandte Informatik in Germany
- Bound-T: This is a proprietary tool that is maintained by Tidorum in Finland. It is involved in European Space Agency programs.

The WCET calculus methods based on measures performed under Worst Case Scenario are usually optimistic methods. That means they estimate a WCET with some level of confidence, but do not guarantee that it is an upper bound. Yet such a method can be further corrected to provide pessimistic bounds on the WCET. It requires the determination of a Worst Case Scenario of input parameters for the tested Airborne Software.

However, this Worst Case Scenario may be difficult to determine accurately. Indeed, it would require itself timing information on the processor services. Moreover, Worst Case Scenario definition has to take into account all possible states for the processor (but corrections may be done to simplify this step). However, this family of methods saves the human and technical cost of defining an accurate model of the platform. Today, it is more widely used in the industry. We identified the following tools:
- RapiTime: This proprietary tool is based on a hand definition of the worst case scenario, with automated assist for program analysis. It provides a framework under which a code coverage analysis can be done so that the Worst Case Scenario can be ensured. Finally, it determines the key points of the program that may kill the WCET for further code optimizations.

[34] CFG: Control Flow Graph
Processing a WCET on a multicore processor introduces additional issues that are linked to:
- The impact of concurrent accesses to the interconnect. Here, considering that each interconnect access will occur in the worst case situation may lead to an over approximation of the real WCET. We refer here to the RGL n°9
- The impact of concurrent accesses to the main memory that can be interleaved in an inefficient way. We refer to the RGL n°21.

In the case of IMA, we consider that in the case of incremental certification, the platform provider does not have any visibility into the embedded Airborne Software, and the system integrator cannot suppose it has visibility. Thus the WCET analysis method must be applied to all Airborne Software applications independently.
9.9. EASA GUIDELINE FOR MULTI-CORE PLATFORMS

This chapter deals with task 6

9.9.1. Summary of task 6

Identify any cases in which a non-favorable characteristic might be made compliant if a modification or addition was made to the current EASA guidance material, while still providing robust partitioning between tasks and deterministic behavior. If there are such cases, the suggested modification to the EASA guidance material shall be identified and why this might be desirable. (Modifications to EUROCAE RTCA documents should not be suggested because their modification is not within the power of EASA alone, although any points within those documents that cause compliance problems for multi-core processors shall be identified in the study.)

9.9.2. Proposed Guideline

ED-80/DO-254 currently addresses design assurance for COTS as being part of the overall hardware design, verification and related processes. Guidance identifies electronic component management, component procurement data, and service experience; as candidates to substantiate assurance for COTS (refer to ED-80/DO-254 §11.2 & 11.3).

EASA CM SWCEH-001 iss.1 rev. 1 section 9 provides guidelines on activities to be performed depending on the complexity and criticality of the highly complex COTS. These activities extend from assessment of hardware item related data, to architecture, partitioning and system safety aspects, through considerations on integration with hardware and software, configuration management and service experience. Alternative methods are also open without detailed directions, and providing justification is presented to authorities for agreement.

There are a few other features with complex COTS that are also valid for COTS multi-core processors:
- Very low probability to obtain ED-80/DO-254-compliant or usable life-cycle data,
- Extensive verification and reverse engineering of COTS CEH are both impractical,
- Service experience may not be available or sufficient due to a fast-evolving technology,
- Highly configurable features via microcode or registers are adding to complexity,
- Reaction to environment (EMC, power supply, temperature, SEE) is difficult to predict,
- Availability of actual internal failure modes and failure rate is difficult to obtain, if any,
- Throughput performance, not easily predictable, may lead to some non-determinism,
- Imply strong interactions with software, hence require robust partitioning for protection,
- Usage limitations are difficult to determine completely (WCET, usage domain, WCMU),
- Suspicion of errors and misbehavior due to built-in complexity and lack of observability,
- Internal unused functions (e.g. for manufacturer’s test purposes) not known to the end-user,
- Configuration control and change management, except for errata, far from user’s control.
Though existing COTS guidance in ED-80/DO-254 and EASA CM SWCEH-001 can be used to build development assurance on COTS Multi-core processors, the novelty of such devices suggests a review of current guidance with a new spirit. And, based on potential new ideas or approaches, this could be used to give birth to modified or new guidance. An assessment of the currently available EASA guidance on COTS (EASA CM SWCEH-001 Iss. 1 Rev. 1) is provided in Appendix.

As a result of this assessment, the main characteristics of COTS multi-core processors that could raise some difficulties in showing compliance with certification requirements, hence that could be candidate for additional guidance are identified as follows:
- Closer cooperation is necessary with the device manufacturer, possibly including proprietary data to be provided under a Non-Disclosure Agreement (NDA). The current EASA guidance material has already addressed this issue with respect to Design Data and Configuration management (Items [3] and [9] of section 9 in SWCEH-001). However, this could be more specifically addressed in relationship with particular features of such devices (e.g.: behavior of the Interconnect cross-bar switch). In addition, the conditions for dealing with such NDAs between Industry and Authorities would require additional guidance, including for non-technical aspects of those agreements.
- The Definition, Validation and Verification of the Usage Domain (i.e. limitation in the usage of the COTS multi-core component characteristics and performance, particularly for the interconnect feature) is of central importance in the mastering of the device, hence for the showing of compliance with the development assurance objectives. The current EASA guidance material has already addressed this issue with respect to Usage Domain aspects (Items [4] and [5] of section 9 in SWCEH-001).
- COTS Multi-core processors require software drivers (so-called: Operating System, Kernel or Hyper-visor or micro-code) that are executed to the highest privilege level immediately on top of the COTS Multi-core hardware. Some drivers/hyper-visors are available upfront from the COTS manufacturer, though they may not contain all the required routines to cater with all aspects of compliance with the limitations identified and required mitigation of potential safety effects. Hence those considerations on software drivers should be provided, for example, the applicant should develop such software to the necessary Design Assurance Level (DAL) per ED-12B/C-DO-178B/C. In addition, validation of software driver/hyper-visor requirements should be performed consistent with the Usage Domain definition.
10. OUTREACH

This report could be used first-of-all for what it was destined for in the first place, that is to help EASA complement its guidance with specific aspects related to COTS multicore processors.

In addition, we think that the reader could find some insight into both the understanding of main characteristics of such devices and into the significant features, which have safety impact when used in building safety-critical Embedded Aircraft Systems with such devices.

The proposed recommendations are mainly directed to platform providers and eventual system integrators. More generally, this report targets the whole avionic community (function suppliers, platform suppliers, OS providers, system integrators, certification authority) and the processor manufacturers who are interested in the avionic market. Collaboration between avionic component providers and processor manufacturers will have to be stronger to demonstrate the platform airworthiness (including RAMS) to the certification authority.

This report has been written on purpose to be readable with little background in digital Embedded Aircraft Systems. Thus it can be taken as a first glance at features regarding multi-core processors for an avionic usage at a high level of criticality.

This report aims to summarize the features that are common to all multi-core processors. Even if we provide illustrations on Freescale P2020, QorIQ™ P4080 and ARM CORTEX®-A15 MPCore™ as representative of a large family of processors, a deeper study would have to focus on one processor (or maybe one series) to take benefit of its specific characteristics.

Besides, the following suggestions or lessons learned could be addressed when applicable to other studies, if needed:
- On the technical content of the report: Though explanations are provided whenever necessary, such a report might require prerequisite knowledge from the reader prior to entering into the details of technical issues. However, reference to available literature is also provided in order to build that knowledge for a better understanding of the report.
- On the form of the study and report: Technical exchanges and reviews with EASA at dedicated monthly meetings were deemed fruitful and allowed Thales to both improve the content of the tasks performed and reorient the research effort towards the actual and detailed expectations of EASA. A workshop would have been even more useful.
- On the task implementation methodology: A lesson learned from such an organization for a similar project would be to limit the breakdown into tasks to less than a few (4 to 6 tasks) in order to avoid dispersion of issues over too many packages and to better fit with the expected achievement of such a study project within a limited amount of time.
11. CONCLUSIONS

11.1. CONCLUSIONS WITH RESPECT TO THE REDUCTION OF COMPLEXITY

The complexity of COTS, in particular Highly Complex COTS Multi-Core Processors has increased over the past few years, while the level of demonstration for design assurance should remain at least the same as- or better than for COTS without such increment in complexity.

However a COTS component remains a COTS component, i.e. it features proprietary data from the COTS manufacturer. Two approaches would be possible to cater for such a challenge:
- Access to additional data under agreements with the COTS manufacturer
- And/or mitigation of potential COTS faults or errors via System-level, Safety-oriented strategies, possibly combined with real-time surveillance and detection mechanisms embedded within the Processor Drivers (Hypervisor) and/or Operating System.

A reduction of the complexity and difficulties that arose from the use of Multi-Core processors while meeting required deterministic behavior and target levels of performance integrity has been proposed in some research.

In this report, Thales has put emphasis on specific Multi-Core features linked to Shared Resource Accesses like Memory, Bus, Network, Internal Registers, Clock Management, etc.

These features are the differences between single-core and multi-core devices, so by managing these differences we can say that the constrained multi-core behavior is equivalent to that of multiple single-core ones.

The management can be:
- At Airborne Software Level
  - If Airborne Software behavior is well known and well managed, then by allocating Airborne Software applications to cores, we can demonstrate the non-interaction between cores. An example is that the allocation of a DAL-A software application to one core, lower DAL applications to other cores and programming of the arbiter to favor DAL-A software can offer determinism for this configuration
- At Hypervisor level
  - In this configuration, the Hypervisor is used to constrain the behavior of the interconnect. These constraints reduce the global performance of the multi-core processor but offer determinism and so the global behavior can be demonstrated.
11.2. MULTI-CORE PROCESSOR USAGE DOMAIN RELATED CONCLUSIONS

Definition, Validation and Verification of a Usage Domain (UD) for such highly complex COTS Multi-Core processors is required. This approach is already known and offered by existing certification guidance for Complex and Highly Complex COTS. One recommendation would be to distinguish between the UD rules related to segregation constraints (e.g. segregation between cores), from the UD rules related to local limitations (within a single core).

11.3. SIGNIFICANT FEATURES RELATED CONCLUSIONS

Refer to section 9.5.4 for a summary of mitigation means suggested for the various features of COTS Multi-cores that could potentially affect the use of COTS multi-cores as part of safety-critical computing platforms.

For the particular case of determining WCET, knowing the high variability of execution time, the following step by step approach can be recommended to ensure the temporal deterministic behavior of processors; such an approach is also valid for multi-core processors:
1) Characterization of execution time jitter of the operating system services,
2) Determination of the Worst case exec. Time (WCET) plus allowed margins,
3) Incorporated real-time monitoring of actual exec time versus allowed WCET,
4) Collect data for assessment of the processor + Airborne Software operating behavior,
5) Depending on the above assessment, establish additional rules or limitations,
6) Apply necessary modifications.

11.4. CONCLUSIONS ON ROBUST PARTITIONING

Mitigation to cater for the inherent complexity of multi-core processors via a functional robustness at Airborne Software level is possible whenever the developer has allowed access to and detailed knowledge of the computing platform.

For example, defensive programming techniques can be used to compensate for potential misbehaviors. This possibility is not accessible for multi-Airborne Software execution platforms where Airborne Software developers have only access to an allocated portion of the platform with strict rules and requirements to meet in order to allow adequate operation of the whole integrated system.

Multi-software architectures are now common, hence robust partitioning of Airborne Software must then be ensured. For example an essential feature is the execution time variations due to jittering on partition switching that should be minimized to allow time-deterministic behavior. Indeed, guidance is that temporal determinism shall be ensured knowing given criteria. For example, such criteria can be: Total execution time lower than any known Maximum value, and/or Execution Time variations lower than a bounded low value.
11.5. CONCLUSIONS ON SUGGESTED MODIFICATION TO EASA GUIDANCE

11.5.1. Routes to compliance

Besides EASA CM SWCEH-001 guidance that can be used, and possibly improved and simplified (refer to Appendix A), different routes to reach compliance for COTS Multi-Core could be suggested.

Collecting data from the component supplier, starting from Electronic Component Management Report (ECMR) complemented by a questionnaire approach already being put in practice seems a good approach towards this end.

Demonstration of component capabilities (Deterministic behavior, Partitioning assurance and Usage limitations) versus Certification objectives (intended function, safety aspects and foreseeable conditions).

Considerations on the immediately surrounding software layer, i.e. the Hyper-visor, whose specification ensures the robustness of the use of the device and providing access to the internal resources.

The route to compliance or a combination of routes selected by the developer are some of the key-aspects in providing design assurance for COTS Multi-core as part of a certification process. Such technical decisions impacting the development and certification processes should be presented as early as possible to Authorities (e.g. during familiarization meetings)

11.5.2. Advanced guidance

System safety approach based on interpretation and deployment of ED-80/DO-254 Appendix B on advance verification methods could be applied to COTS Multi-Core processors,

Simulated Service History based on extensive testing in lab is an approach that is already offered by EASA CM SWCEH-001 section 9 on COTS, but would deserve more elaboration in terms of method (deterministic or probabilistic), analyses (e.g. representativity and statistic) and acceptable outcomes.
12. RECOMMENDATIONS

The recommendations propose to allow the use of Commercial Off-The-Shelf Digital multi-core processors in aircraft / engine airborne systems that have safety implications for the aircraft.

In the current EASA Certification Specifications (CS), there are no specific requirements for the certification aspects of COTS multi-core processors. The EASA AEH Certification Memorandum SWCEH-001 specifies activities for COTS processors and includes one paragraph on multi-core processors in section 9.3.3.

The purpose of this Section is to define specific guidance for certification aspects associated with the use of COTS multi-core processors in airborne systems.

12.1. PURPOSE

The following recommendations have been expressed based on the current study as exposed in section 9, Results and outcome and 11, Conclusions of this report. Recommendations are written to the minimum expression achievable in order to capture only the essential flavor that arose from the considerations given here above.

RGL n°31
The design of the computing platform embedding COTS Multi-core processors should incorporate software routines or hardware mechanisms able to handle or mitigate the potential effects of significant features of the COTS such as:
1) variability of execution time, conflicts,
2) Services and/or transactions,
3) Core interconnect switch,
4) Cache architecture structure,
5) Shared services,
6) Inter-core interrupts,
7) Access to peripherals,
8) Programming languages.
Rationale: From task 5 and sections 9.3 and 11 of this report.
RGL n°32
The routes to compliance with certification requirements selected as part of the certification process of hardware design incorporating COTS Multi-core processors should be presented as early as possible to Authorities (e.g. during familiarization meetings), showing that the device complexity is mastered, possibly using the hereby provided recommendations.
Rationale: From task 6 and sections 9.4 and 11 of this report

RGL n°33
Existing guidance on COTS (Complex to Highly-Complex), possibly amended using the conclusions of this report, including for suggested simplifications, could be used as part of the certification process of COTS multi-core processors.
Rationale: From task 6 and sections 9.4 and appendix 14.1 of this report
12.2. PROCESSOR SELECTION GUIDE

We recommend to use selection criteria guide for processor selection (recalled below)
o The manufacturer’s will to cope with the certification process, corresponding communications and press releases,
o The openness of the architectures proposed by the manufacturer, the existing and available documentation (public or under NDA)
o The ability and will to provide descriptive, qualitative and qualitative data able to support safety analyses performed on the different platforms.
o The ability to produce and maintain the components over time compatible with avionics needs and to provide assistance to obsolescence in a cooperative manner.
o The economic situation and the lifespan of the manufacturer
o The manufacturer’s platforms are supported by several existing Hypervisor and OS
o For multi-core processor selection, selection criteria must include Intrinsic Reliability data delivered by the component manufacturer
o Selection criteria must include SEE analysis (SER in processor manufacturer wording) analysis delivered by the component manufacturer

We recommend to follow the component selection criteria define below :

Table columns: Criteria / Sub-criteria

Interconnect features
Criteria:
- Information on the interconnect behavior is available
- Information on the interconnect design is available
Sub-criteria:
- The interconnect protocol is documented
- The interconnect protocol implementation allows transactions reordering
- It is possible to identify from an assembly code all transactions sent on the interconnect
- Arbitration rules description is available
- Routing and device allocation rules description is available
- All information on interconnects features configuration is available
- There is a configuration that cannot be changed dynamically and silently
- The interconnect topology is documented
- The arbiter is centralized or distributed
- The manufacturer has stated that the interconnect embeds no hidden mechanisms
- The interconnect has internal waiting queues and contention mechanisms

Integrity
Criteria:
- Information on the interconnect integrity is available
Sub-criteria:
- The interconnect protocol is transactions lossless
- The interconnect embeds transaction corruption detection mechanisms, such as parity or ECC for eventual internal storage
- In case of internal failure, the interconnect can propagates an error to the concerned core and/or an external monitor

WCET
Criteria:
- Information on the interconnect worst case behavior is available
- Transaction service timing variability can be measured
Sub-criteria:
- The timing variability of a transaction service can be bounded without taking into account conflicts situations
- The timing variability of a transaction service can be bounded taking into account specific conflicts situations
- The platform embeds hardware assist for measuring in each core the time variability of transactions service
- The platform embeds internal monitoring mechanisms that can observe conflicts inside the interconnect
- The processor manufacturer is able to confirm observations on worst case timing variability for transaction service under Interconnect Usage Domain restrictions.

Shared Cache features
Criteria:
- Information on the cache behaviour is available
- Restrictive cache configurations are available
- Cache disabling is possible
Sub-criteria:
- The available replacement policies are documented
- There exist a cache prediction algorithm that supports at least one replacement policy
- The cache can serve multiple transactions in parallel
- The cache can be partitioned per set and/or per way
- The cache can be configured partially or totally as a SRAM
- It is possible to disable the shared cache

Cache Coherency Features
Criteria:
- Information on the cache coherency management is available
- Information on the cache coherency impact on timing analyses is available
Sub-criteria:
- Cache coherency mechanisms may be disabled
- Cache coherency traffic may be partitioned inside a subset of nodes on the platform
- It is possible to provide acceptable bounds for the impact of cache coherency traffic on core transactions in private caches
- It is possible to provide acceptable bounds for the impact of cache coherency traffic on transactions service in the interconnect

Shared Services Features
Criteria:
- It is possible to restrict shared services configuration to a high privilege level
- Inter-core interrupts emission can be controlled
- Memory mapping can be protected against non-coherent configurations
- Memory mapping allows I/O per I/O isolation
Sub-criteria:
- Accesses to the shared interrupt controller, PLL, shared watchdog, power sources... can be restricted to the supervisor/hypervisor without impacting accesses to other peripherals
- One core cannot reset another core at user privilege level
- Inter-core interrupts generation can be restricted to a supervisor or a hypervisor
- There is a centralized service of memory protection unit
- All I/O may be accessed in different pages so that I/O management can be partitioned by the MMU

RGL n°29
We recommend, for multi-core processor selection, that selection criteria should include Intrinsic Reliability data delivered by the component manufacturer.

RGL n°30
We recommend, for multi-core processor selection, that selection criteria should include SEE analysis (SER [35] using processor manufacturer wording) delivered by the component manufacturer.

[35] SER : Software Error Rate
12.3. USAGE DOMAIN

This section introduces how and why determining the usage domain of each multi-core processor, and the recommendations associated to the Interconnect usage Domain. This Usage Domain is required to manage the behavior of the interconnect of the multi-core processor.

RGL n°1
When an Hypervisor is required to manage the behavior of the interconnect, the development of such a Hypervisor shall fulfill ED-12/DO-178 (B or C) requirements at the corresponding Design Assurance Level, at least the most stringent Airborne Software

RGL n°2
To be able to manage the behavior of the multi-core processor, for each device, an Interconnect Usage Domain should be defined by the Airborne Embedded System provider and validated with the processor manufacturer

RGL n°3
The Airborne Embedded System provider should implement control mechanisms (Hardware and/or Software) on interconnect accesses in order to comply with the Interconnect Usage Domain.

RGL n°4
Transactions reordering increases the difficulty to characterize the interconnect protocol, we recommend to disable interconnect reordering mechanisms to ensure a better assurance in the transaction management.

RGL n°5
For Safety, we recommend to use the interconnect in a stable configuration under the Interconnect Usage Domain restrictions that means the Airborne Embedded System provider should obtain from processor manufacturer assurances that the interconnect configuration cannot be changed dynamically and silently.

RGL n°7
We recommend that the Interconnect Usage Domain determination should contain an Interconnect Integrity Analysis performed under Airborne Embedded System Provider responsibility with the assistance of Processor Manufacturer.

RGL n°8
We recommend that the Interconnect Usage Domain determination should contain analysis regarding the interconnect protocol that shall provide lossless transactions.
RGL n°9
The Interconnect Usage Domain definition should limit the number and the complexity of inter-core conflict situations in order to give tighter bounds for their impact on the timing variability of transaction services.

RGL n°10
The Interconnect Usage Domain definition should prevent all occurrences of undesirable conflicts by taking into account pessimistic timing hypothesis when it is not possible to determine bounds on the timing variability on transaction services.

RGL n°11
We recommend that observations and tests performed by the Airborne Embedded System Provider on timing variability on transactions services should be validated by the processor manufacturer according to the Interconnect Usage Domain hypothesis.

12.4. CACHE COHERENCY

RGL n°12
We recommend that robust partitioning for shared cache should be enforced by defining hardware configuration for cache partitioning mechanisms or should be enforced by software management (hypervisor for example) if shared cache is configured as SRAM when partitioned Operating System is deployed simultaneously on different cores and use shared cache.

RGL n°13
We recommend, preventing undesirable behavior, disabling cache coherency mechanism when partitioned Operating Systems is deployed on each core with no shared memory between cores.

RGL n°14
We recommend, when cache coherency is enable, bounding the timing variability when core access to its private cache - finding upper bounds on cache coherency traffic impact -.

RGL n°15
We recommend confining cache coherency traffic between the concerned cores and peripherals that require it for the correct execution of embedded software.

RGL n°25
We recommend that multitasked Airborne Software design should minimize the use of cache coherency mechanisms in order to be compliant with the Interconnect Usage Domain.
12.5. OPERATING SYSTEM & TASKS ALLOCATIONS

RGL n°6
To avoid contention between cores, and between cores and shared resources, we recommend to use centralized managed arbitration when the interconnect is not a full crossbar.

RGL n°18
We recommend, in multi-core configurations, not to authorize one core, under USER privilege level, to be able to reset another core. Only Hypervisor or Supervisor (if hypervisor doesn’t exist) have the authorization to perform this reset.

RGL n°23
We recommend the use of partitioned scheduling algorithms and static allocation of tasks to cores that will be decided at Design Time and forbidden at Run Time.

RGL n°24
We recommend, when Airborne Software is a multitasked one that critical sections should be explicitly protected by semaphores in case of cooperative programming.

RGL n°26
We recommend, if SMP mode is selected by the platform provider for the Operating System that processes, threads or tasks are statically allocated to cores to achieve determinism and repeatability.

RGL n°27
We recommend, if the Avionics Software Behavior is not known by the platform supplier and AMP mode for the Operating System is selected, the use of a Hypervisor to master the behavior of the Interconnect Usage Domain.

12.6. SHARED SERVICES

RGL n°16
We recommend restricting to hypervisor or supervisor (when hypervisor doesn’t exist) level the configuration of shared services. Multiple instances of privileged software running on each core should rely on a single static configuration that is determined at design time.

RGL n°17
We recommend that implementation of semaphores should take in account potential deadlocks due to shared reservation stations.
12.7. CORES

RGL n°19
We recommend that:
1 The use of inter-core interrupts should be restricted to supervisor or hypervisor.
2 The conditions that rule the use of inter-core interrupts should be documented.
3 The Airborne Embedded System provider should provide evidence that all instances of privileged software deployed on each cores comply with these rules.

RGL n°20
We recommend that the configuration of MMUs should be performed only at the Hypervisor or Supervisor level – when the Hypervisor does not exist – in order to prove that spatial isolation enforcement relies on a single configuration for the whole platform.

12.8. PERIPHERALS

RGL n°21
We recommend that the Interconnect Usage Domain should specify atomic access patterns to the main memory to provide tighter bounds on timing variability of memory transactions,
We recommend that Worst Case Response Time should be determined for these patterns and Memory transactions should be encapsulated inside them.

RGL n°22
We recommend that accesses to shared I/O dealing with configuration should be restricted to the Hypervisor or Supervisor level – if the Hypervisor level does not exists – access patterns to these I/O should be documented in the Interconnect Usage Domain.

12.9. FAILURE MITIGATION

RGL n°28
We recommend, for mitigation means, that the Interconnect Usage Domain should be defined to act as a fault container between cores.
14. APPENDIXES

14.1. REVIEW OF EXISTING EASA GUIDANCE IN EASA CM SWCEH-001 ISS. 1 REV. 1

EASA CM SWCEH-001 section 9 is listing items [1] to [16] requesting activities documented depending on DAL and Complexity. Those items are recollected and a summary is provided in table below. Comments and suggestions are raised along with this recollection. Multi-core aspects already addressed in EASA CM SWCEH-001 section 9 are also collected.

In addition, COTS Graphical Processors (CGP’s) are considered highly complex devices with embedded multi-processing capabilities. So it was interesting to look at the associated guidance for CGP’s, compared with the one available for COTS. CGP’s are addressed by EASA CM SWCEH-001 section 10 but with a different approach from other COTS.

14.1.1. Review of EASA CM SWCEH-001

Review of Section 9 on COTS and section 10 on CGP’s is illustrated in the table below:

Table columns: Item / Summary / Multi-Core / Comments & Suggestions / CGP

Item [1]
Summary: Classification (with respect to criticality, e.g. DAL and with respect to complexity, e.g.: Simple, Complex and Highly-Complex)
Multi-Core: Multi-core are “automatically” classified as Highly Complex.
Comments & Suggestions: Identification of novelty of the technology or of the device itself should be added as part of this item for an overall assessment. In addition, a distinction should be made between assessment of the device, based on a descriptive approach; followed by classification as Simple/Complex/Highly-Complex, then by the selection of the route to compliance (i.e. what are the activities recommended to be performed?)
CGP: Refer to SWCEH-001 section 10.1. : CGP’s are known to “use multiple embedded micro-processors that run asynchronously”. CGP’s are viewed as: “devices of high complexity”

Item [2]
Summary: Device data (user’s manual, datasheet, errata sheets and user’s manual errata sheets, and installation manual)
Multi-Core: Multi-core to meet same objectives as for COTS CEH.
Comments & Suggestions: Data must be collected in the same manner as for any other COTS CEH. COTS Multi-Core does not imply new features with respect to data to be collected.
CGP: Refer to SWCEH-001 section 10.3 Item e. Continued Monitoring of Supplier Data.
Item [3]
Summary: Design data (when available or when not available)
Multi-Core: Multi-core design data may not be available due to strong proprietary restrictions.
Comments & Suggestions: Electronic Component Management Data should include design data, if available. Part of the route to compliance should include data collection such as evidence per ED-80/DO-254 section 11.2.1 (1 to 7) possibly complemented as necessary, incl. for highly complex Multi-core processors. As already allowed per ED-80/DO-254 section 11.3, Service Experience can be a means to substantiate assurance.
CGP: Refer to SWCEH-001 section 10.2 Items 1 Electronic Component Management.

Item [4]
Summary: Usage Domain (Definition and Verification)
Multi-Core: Multi-core Usage Domain Definition may contain more specific features.
Comments & Suggestions: Distinguish between assessment of the device characteristics and identification of the limitations, then verification of the implementation within those limits.
CGP: Refer to SWCEH-001 section 10.3 Item f. Unintended Functionality

Item [5]
Summary: Usage Domain (Validation)
Multi-Core: Multi-core Usage Domain V. and V. may imply more specific activities.
Comments & Suggestions: Distinguish between Validation of the Usage Domain (UD) & Verification of the device versus its UD. Validation of UD is whenever the capabilities of the device meet Intended Functions; ensure Safety Objectives within Foreseeable Conditions. Distinguish also between assessment of multi-core functional characteristics that could then be grouped with item [1] as descriptive criteria of the device; and the assessment of impact of those various features on other domains (Software, System, Safety, Interfaces, Perfos, etc.)
CGP: Same as above. Note that the approach to CGP’s is just the other way around: Unintended Functionality versus Usage Domain as the “Intended Functionalities”

Item [6]
Summary: Errata sheets (Capture and Control)
Multi-Core: Multi-core to meet same objectives as for COTS CEH.
Comments & Suggestions: This item might be grouped with item [2] Device data, as it is also required for all COTS except for DAL C Simple COTS.
CGP: Refer to SWCEH-001 section 10.3 Item e. Continued Monitoring of Supplier Data.
Item [7]
Summary: Errata sheets (Assessment)
Multi-Core: Same as above
Comments & Suggestions: No specific with COTS Multi-Core feature.
CGP: Same as above.

Item [8]
Summary: Experience gained (Errata workarounds)
Multi-Core: Same as above
Comments & Suggestions: This item might be grouped with item [13] as part of Service Experience data. The most important feature is that Errata Workarounds should be documented.
CGP: Not specifically addressed for CGP’s.

Item [9]
Summary: Configuration Management
Multi-Core: Same as above
Comments & Suggestions: This implies close cooperation with the device manufacturer, possibly including proprietary data to be provided under a Non-Disclosure Agreement (NDA).
CGP: Refer to SWCEH-001 section 10.3 Item e. Continued Monitoring of Supplier Data.

Item [10]
Summary: Change Impact Analysis
Multi-Core: Same as above
Comments & Suggestions: Same as above, and: Relationship with item [12] Safety should be established as the impact on safety must be considered.
CGP: Same as above. See also SWCEH-001 section 10.3 Item c Variations during Production Life.

Item [11]
Summary: Validation & Verification
Multi-Core: Same as above
Comments & Suggestions: Reference to ED-79A/ARP-4754A suggests a system-level V & V activities. Reference to V & V per ED-80/DO-254 § 6 guidance should be sufficient, except if assurance can be obtained from overall (e.g.: system-level) V & V activities. Multi-Core processors are generally driven via software such as hyper-visors at the interface with the Operating System. Hence consideration on those drivers should be provided.
CGP: Not specifically addressed for CGP, except consideration on Software Drivers. Refer to SWCEH-001 section 10.3 Item g.
Item [12]
Summary: Safety Analysis (Failure modes, failure rates and functional failures, etc.)
Multi-Core: Multi-core Failure Analysis may not be achievable.
Comments & Suggestions: Same as for COTS CEH in general, an FMEA cannot be performed, at least in a similar way as for PLD. The FFPA per ED-80/DO-254, as a more qualitative approach, should be the preferred method. Additional research might be necessary to determine which failure analysis method would be more suited for Multi-Core.
CGP: Refer to SWCEH-001 section 10.3 Item b. Failures due to Common Failure Mode and item h Failure Rate; and item d Configurable Devices.

Item [13]
Summary: Service Experience (identification of PSE)
Multi-Core: Multi-core to meet same objectives as for COTS CEH.
Comments & Suggestions: It is important to note that hours of Board/LRU/System, i.e. Lab testing can be accounted for as Service Experience. Simulated operating hours could then be an approach to generate ISE-like data.
CGP: Refer to SWCEH-001 section 10.2 Item 3. Product Service Experience.

Item [14]
Summary: Service Experience (validity of PSE)
Multi-Core: Same as above
Comments & Suggestions: Same as above.
CGP: Same as above

Item [15]
Summary: Architectural Mitigation
Multi-Core: Multi-core are truly involved in architectures.
Comments & Suggestions: Analysis of Common Causes of failure or errors as part of the Common Mode Analysis is a classical activity of the overall System Safety Analysis. The software layer (e.g. : Hyper-visor) embedded on the Multi-Core must be considered in the architecture mitigation.
CGP: Refer to SWCEH-001 Section 10.3 Item a Hazardously Misleading Information.

Item [16]
Summary: Partitioning features
Multi-Core: Multi-core are truly involved in S/W partitioning.
Comments & Suggestions: This item might be grouped with item [12] Safety Analysis. Analysis of robust partitioning is one of the main methods to show that device capabilities adequately support safety analysis. Note that robust partitioning should include both time, memory and Input/output partitioning
CGP: Not really applicable to CGP at the moment.
14.1.2. Multi-Core aspects already available in EASA CM SWCEH-001 Iss. 1 Rev. 1

Extract from item [1]:
If a COTS microcontroller has any of the following characteristics, it should be classified as Highly Complex: More than one Central Processing Unit (CPU) are embedded and they use the same bus (which

Extract from item [3]:
In case of a highly complex COTS microcontroller, if the component manufacturer’s public data and training support are not sufficient to address the aspects above, then access to the component manufacturer’s private data should be requested and established.

Extract from item [5]:
In the case of multi-core processor usage, an assessment of all specific multi-core functionalities or usual CPU functionalities using the multi-core design should be performed. This assessment may include but is not limited to: multi-processing strategy, simultaneous multi-threading, parallel internal bus management and determinism, Very Long Instruction Word (VLIW), Single Instruction Multiple Data (SIMD), Vector processing, internal memory/cache management, software impact on the Operating System and associated middleware, partitioning impact, usage domain impact, external Databus impact, timing requirement impact, safety requirement impact, and impact on the WCET strategy.

14.1.3. Structuring activities

A tentative grouping of EASA CM SWCEH-001 section 9 activities under the various items [1] to [16] into an allocation of guidance to Hardware, Software, System and Safety and to other transverse domains is analysed as follows, together with compliance of Multi-core:

Domain: System
Reference to SWCEH-001 Section 9 Items: [5] Usage Domain (Validity); [10] Change Impact Analysis; [15] Architecture; [16] Partitioning
Multi-Core: Must comply including for item [16] Partitioning. Refer to notes below table.
Comments & Suggestions: [11] Validation & Verification is referring to ED-79(A)/ARP-4754(A), which is typically the industry standard reserved for System activities. Suggestion is to make the difference between Hardware V & V per ED-80/DO-254 and System V & V per ED-79A/ARP-4754A.

Domain: Safety
Reference to SWCEH-001 Section 9 Items: [1] Allocation of DAL; [5] Usage Domain (Validity); [12] Safety Analysis; [15] Architecture; [16] Partitioning
Multi-Core: Refer to notes below table.
Comments & Suggestions: Item [10] Change Impact Analysis might also be listed with the Safety domain as it is essential to assess safety impact of the change.

Domain: Software
Reference to SWCEH-001 Section 9 Items: [8] Errata workaround; [10] Change Impact Analysis; [15] Architecture; [16] Partitioning
Multi-Core: Must comply in particular considering hyper-visor. Refer to notes below table.
Comments & Suggestions: The “hyper-visor” software driver would have a fundamental involvement in relationship to those activities: [8], [10], [15] and [16].

Domain: Hardware
Reference to SWCEH-001 Section 9 Items: [1] Description for Classification; [2] Device data; [3] Design data; [4] Usage Domain (Definition); [6] Errata sheets (capture); [7] Errata sheets (Assessment); [8] Errata workaround; [10] Change Impact Analysis; [13] Service Experience (identify.); [14] Service Experience (validity)
Multi-Core: Must comply as COTS Multi-Core is basically HW. Refer to notes below table.
Comments & Suggestions: [11] Validation & Verification could be added with respect to ED-80/DO-254 V & V. [3] Design data is rarely available to the level of detail that becomes useful to build H/W design assurance. Note that some firmware may be embedded in that H/W. However it is still seen as H/W from the outside.

Domain: C/M
Reference to SWCEH-001 Section 9 Items: [9] Configuration Management; [10] Change Impact Analysis
Multi-Core: Must comply. Refer to notes below table.
Comments & Suggestions: None.

Domain: Q/A
Reference to SWCEH-001 Section 9 Items: [3] Design data
Multi-Core: Must comply. Refer to notes below table.
Comments & Suggestions: See comments made above with respect to Hardware.

Domain: V&V
Reference to SWCEH-001 Section 9 Items: [11] Validation & Verification
Multi-Core: Must comply
Comments & Suggestions: See comments made above with respect to V&V at system and hardware levels.
Notes :
[1] Encompass Allocation of DAL related to Safety and Classification based on a Description of the device.
[3] Design data is listed in both Hardware and Quality Assurance, whose combination is useful, particularly when actual life-cycle design data is not available.
[5] Usage Domain (Validity) is listed in both System and Safety domains as Usage Domain validation is the main feature to be substantiated by those two domains.
[8] Errata workaround is listed in both Hardware and Software without any doubt.
[10] Change Impact Analysis is associated with Configuration management and is listed in both System and Software in addition to Hardware. It could also be listed in the Safety domain.
[15] Architecture and [16] Partitioning are listed in System, Safety and Software domains, i.e. outside the sole Hardware domain.
14.2. EXAMPLE OF PROCESSOR CLASSIFICATION

In regard to the multi-core processors criteria, we propose to establish a classification of the three first architectures that is Freescale, ARM and Texas plus the Altera Cyclone V:

QorIQ™ – P4080 – Freescale
CORTEX® A15 MPCore™ – ARM
TMS320C6678™ – Texas Instruments
Altera – Cyclone V

ID | Criteria | Freescale – QorIQ™ P4080 | ARM – CORTEX® A15 MPCore™ | TI – TMS320C6678™ | Altera – Cyclone V

Interconnect features

1 | ARBITRATION RULES DOCUMENTATION IS AVAILABLE | No | Partially. It is the case for peripheral accesses through Corelink™, but not inside the snoop control unit | N/A | No for the snoop control unit. To be defined by the user for peripheral accesses
2 | THE ARBITER IS CENTRALIZED | Partially | N/A for the snoop control unit. No for Corelink™: an arbiter per peripheral | No: An arbiter per peripheral | N/A
ID
3
4
5
6
7
8
D Crite
3
THE ARBI
SERVE SE
TRANSAC
SIMULTAN
4 THE ARBI
POLIC
CONFIGU
5
POSSI
CONFIGUR
FOR ARBIT
POLICY (SU
6 ARBITER I
LOGIC INFO
IS AVAI
7
DEV
ALLOCATIO
INFORMA
AVAIL
8 DEV
ALLOCA
CONFIGU
eria F
ITER CAN
EVERAL
CTIONS
NEOUSLY
Y
TRATION
CY IS
URABLE
IBLE
RATIONS
TRATION
UBSET OF)
INTERNAL
ORMATION
LABLE
VICE
ON RULES
ATION IS
ABLE
VICE
TION IS
URABLE
Freescale – QorP4080
Yes: up to 4 transper bus cyc
N/A
N/A
N/A
N/A
N/A
rIQ™ ARM
sactions le
Coprior
FixeRecethe
M – CORTEX®MPCore™
Yes
SCU: N/A orelink™: Yes, srities are configu
ed priorities withently Granted posame priority do
N/A
N/A
N/A
® A15 TI – T
tatic urable
Yescon
h Least olicy in omain
FN/A in
TMS320C6678
Yes
s: static prioritiesnfigurable for bus
masters
Fixed priorities n the same prior
domain
N/A
N/A
N/A
™ Altera
s s S
rity
a – Cyclone V
Yes
SCU: N/A
N/A
N/A
ID
9
1
1
1
1
D Crite
9
POSSI
CONFIGUR
FOR DE
ALLOCA
(DEVIC
DEVI
(SUBSE
10
INFORMA
THE NET
TOPOLO
AVAIL
11 SEVERAL
EXIST FR
NODE TO A
12 INFORMA
THE ROUTI
IS AVAIL
13
POSSI
CONFIGUR
FOR ROUTI
(SUBSE
eria F
IBLE
RATIONS
EVICE
ATION
CE PER
ICE) ET OF)
ATION ON
TWORK
OGY IS
ABLE
L PATHS
ROM ONE
ANOTHER
ATION ON
ING RULES
LABLE
IBLE
RATIONS
ING RULES ET OF)
Freescale – QorP4080
N/A
No
N/A
N/A
N/A
rIQ™ ARM
C
M – CORTEX®MPCore™
N/A
SCU: N/A Corelink™: cross
SCU: N/A Corelink™: No
Thissin
® A15 TI – T
sbar
Yes, iavail
d
o
s criteria is irrelengle path betwee
TMS320C6678
N/A
interconnect matlable in the publdocumentation
No
evant because then two nodes in t
™ Altera
trix ic S
here is always onthe interconnect
a – Cyclone V
SCU: N/A
N/A
ne
ID
1
1
1
1
1
D Crite
14
INFORMA
THE DIFF
KIND
TRANSAC
AVAIL
15
INFORMA
THE REL
BETWEEN A
INSTRU
EXECUTE
TRANSACTI
AVAIL
16
THE IN
PROCES
INTERRUPT
BE BLOCKE
INTERCO
17 SNOO
MECHANIS
DISAB
18
SNOO
MECHANIS
CONFINE
SUBSET O
eria F
ATION ON
FERENT
S OF
TIONS IS
ABLE
ATION ON
LATION
ASSEMBLY
UCTION
ED AND
IONS SENT
ABLE
NTER-SSORS
TIONS CAN
ED BY THE
ONNECT
PING
M CAN BE
BLED
PING
M CAN BE
ED TO A
OF CORES
Freescale – QorP4080
No
No
No
Yes
Yes
rIQ™ ARM
Coredesc
M – CORTEX®MPCore™
SCU: No elink™: Yes, thecribed in the AM
ACE protocol specifications
N/A
N/A
Yes
No
® A15 TI – T
ey are MBA®
TMS320C6678
No
No
N/A
N/A
N/A
™ Altera
S
a – Cyclone V
SCU: No
No
N/A
N/A
N/A
ID
1
2
2
2
2
D Crite
19
THE INTER
PROVIDES
SYNCHRON
MECHA
20
ACC
RESTRICTIO
INTER
CONTROL
THE SUPER
POSSI
21
EACH COR
PRIVATE
SOURCE O
CIRC
22 THERE IS A
CLOCK F
COR
23
THERE
PROTEC
MECHANI
PREVENT
CONFIGUR
BE CORRU
RUNT
eria F
RCONNECT
S A CORE
NIZATION
ANISM
ESS
ON TO THE
RUPT
LLER FOR
RVISOR IS
IBLE
RE HAS ITS
E CLOCK
OR PLL
CUIT
NobeTh
A SINGLE
FOR ALL
RES
E IS A
CTION
SM THAT
T A PLL
ATION TO
UPTED AT
TIME
Freescale – QorP4080
N/A
Yes, in the Mconfiguratio
o, there are threee mapped on eighhe clock source i
PLL are configustartup, so theyprotected at run
rIQ™ ARM
Share
MU on
e PLL to ht cores. is shared
No
ured at y are ntime
M – CORTEX®MPCore™
N/A
ed resources fea
Yes, in the MMconfiguration
o, all cores sharesame clock sign
Yes
N/A
® A15 TI – T
atures
U
e the nal
TMS320C6678
N/A
N/A
N/A
N/A
N/A
™ Alteraa – Cyclone V
N/A
N/A
N/A
N/A
ID
2
2
2
2
2
2
3
D Crite
24
THE MA
BETW
AVAILABLE
CORE
CONFIGU
25
THE POWE
OF EACH C
BE PROTEC
OTHER
CORRU
26 A CORE
HALTED B
COR
27 A CORE CA
IN SLEEP M
OTHER
28 EACH COR
PRIVATE
29 TIMERS CA
BY THE SAM
SOUR
30 TIMERS CA
BY AN EX
CLOCK S
eria F
APPING
WEEN
E PLL AND
ES IS
URABLE
R SOURCE
CORE CAN
TED FROM
CORES
PTION
CAN BE
BY OTHER
RES
AN BE SET
MODE BY
CORES
RE HAS A
E TIMER
AN BE FED
ME CLOCK
RCE
AN BE FED
XTERNAL
SOURCE
Freescale – QorP4080
Yes
N/A
N/A
N/A
Yes
Yes
Yes
rIQ™ ARM
Ye
M – CORTEX®MPCore™
N/A
N/A
N/A
es, but located inshared space
Yes
N/A
® A15 TI – T
n the Yes,
TMS320C6678
N/A
N/A
N/A
but located in thshared space
Yes
N/A
™ Altera
he
Timerwithin th
Their mcores
a – Cyclone V
N/A
N/A
N/A
No
rs are provided he FPGA fabricmapping on the is user defined
.
ID
3
3
3
3
3
3
3
D Crite
31 TIMER
GENER
INTERR
32 TIMERS HA
OWN CLOCK
33 IT IS POSS
PERFORM
ON ONE
34 A CORE CA
ANOTHE
35 THERE
WATCHDO
PER C
36
IT IS POSS
RESTR
WATCH
CONFIGUR
ONE C
37
THE SHARE
OR SCRATC
SEVERAL R
WRITE P
eria F
RS CAN
RATE
RUPTS
AVE THEIR
K CIRCUIT
SIBLE TO
A RESET
E CORE
AN RESET
R CORE
IS ONE
OG TIMER
CORE
SIBLE TO
RICT A
HDOG
ATION TO
CORE
ED CACHE
CHPAD HAS
READ AND
PORTS
Y
Freescale – QorP4080
Yes
N/A
Yes
Yes
Yes
N/A
Yes, four read poone write po
rIQ™ ARM
Sha
orts and ort
decbank
daa
M – CORTEX®MPCore™
Yes
N/A
Yes
N/A
N/A
N/A
ared cache featu
Yes, the cache icomposed in fouks that contain seata banks and canaccessed in paral
® A15 TI – T
Yes,
ures
is ur tag everal n be llel
TMS320C6678
Yes
N/A
Yes
N/A
but located in thshared space
N/A
N/A
™ Altera
Timerwithin th
Their mcores
he
a – Cyclone V
rs are provided he FPGA fabricmapping on the is user defined
N/A
N/A
N/A
N/A
N/A
.
ID
3
3
4
4
4
4
D Crite
38 IT IS POSS
PARTITION
CACHE P
39 IT IS POSS
PARTITION
CACHE PE
40
IT IS POSS
CONFIG
SHARED C
SRA
41
IT IS POSS
ONE CORE
SOME O
CONTENT
CAC
42
IT IS POSS
ONE CORE
SOME OF A
CORE’S CO
THE CA
43 THE INSTR
SET IS CO
eria F
SIBLE TO
A SHARED
ER WAY
SIBLE TO
A SHARED
ER LINES
SIBLE TO
GURE A
CACHE IN
AM
Ye(6
IBLE FOR
TO LOCK
OF ITS
T IN THE
CHE
IBLE FOR
TO LOCK
ANOTHER
ONTENT IN
ACHE
RUCTION
OMPLETE
Freescale – QorP4080
Yes
No
es with configura4K, 256K, 1M)
cache
Yes, cache lockpossible line pe
N/A
N/A
rIQ™ ARM
able size for each
Nos
king is er line
M – CORTEX®MPCore™
N/A
No
o, but the L2 memsystems can emb
internal RAM
No
N/A
Core features
N/A
® A15 TI – T
Irr
mory bed
The Memor
a
Irr
TMS320C6678
relevant criteria
Multicore Sharery (MSM) is alreshared SRAM
relevant criteria
N/A
™ Altera
ed eady
a – Cyclone V
N/A
N/A
N/A
N/A
N/A
N/A
ID
4
4
4
4
4
4
D Crite
44
SEVERAL D
INSTRUCT
ARE SUPP
45 INSTRUCTI
THE SAME
46
THE INSTR
SET CA
EXTENDED
INSTRUCTI
BE DEF
47 THE INSTR
SET IS F
SUPPO
48
THE INSTR
SET SUP
HYPERV
PRIVILEG
49
INSTRUCT
BE RESTRI
SUPERVI
HYPERV
PRIVILEGE
SW CONFIG
eria F
DIFFERENT
TION SETS
PORTED N
ONS HAVE
E LENGTH
RUCTION
AN BE
D (MICRO-IONS CAN
FINED)
RUCTION
FULLY
RTED
NofeA
RUCTION
PPORTS
VISOR
GE LEVEL
Yobt
IONS CAN
ICTED TO
ISOR OR
VISOR
LEVEL BY
GURATION
Freescale – QorP4080
No, only Power I2.06 support
Yes
N/A
o, but the non sueatures are documAliases are also d
for some asseminstruction
Yes, hypervisor ptained with a sys
instruction
N/A
rIQ™ ARM
SA™ v ted
THU
Yth
upported mented. defined mbly ns
privilege stem call n
coph
M – CORTEX®MPCore™
Yes: ARM v7,UMB™, JAZEL
ISA supported
No
Yes, this is possibhrough coproces
instructions
N/A
Yes, the controprocessor can proypervisor privile
N/A
® A15 TI – T
, LLE™ d
No, onIS
ble sor
ol ovide ege
No, o
TMS320C6678
nly TMS320C66SA is supported
N/A
N/A
Yes
only two privileglevels
N/A
™ Altera
x™ Yes: ARMand JAZ
s
Yes, tthroug
in
ge
a – Cyclone V
M v7, THUMB™ZELLE™ ISA arsupported
No
this is possible gh coprocessor nstructions
N/A
N/A
N/A
™ re
ID
5
5
5
5
5
5
D Crite
50
THE INSTR
UNIT CAN
SEVE
INSTRUCT
PARAL
51
THE INSTR
UNIT HAS
FETCH SE
DEPENDIN
BRANCH
52 THE PRE-F
LIMITED I
MEMORY
53 THE BR
PREDICTIO
DISAB
54
THE BR
PREDICTIO
IS CONFIG
STATIC/D
55 THE LSU R
THE MEMO
IO TRANS
eria F
RUCTION
N FETCH
RAL
TIONS IN
LLEL
RUCTION
S A PRE-ERVICE
NG ON A
H UNIT
FETCH IS
INSIDE A
Y PAGE
RANCH
ON CAN BE
BLED
RANCH
ON POLICY
GURABLE
DYNAMIC
REORDERS
ORY AND
SACTIONS
Freescale – QorP4080
Yes, up to fo
Yes
N/A
Yes
Yes
Yes
rIQ™ ARM
our
M – CORTEX®MPCore™
N/A
Yes
N/A
Yes
N/A
N/A
® A15 TI – T
Yes,
TMS320C6678
8 instructions pfetch
N/A
N/A
N/A
N/A
N/A
™ Altera
er
a – Cyclone V
N/A
N/A
N/A
N/A
N/A
N/A
ID
5
5
5
5
D Crite
56 TRANSA
REORDERIN
DISAB
57
INTER
REGISTE
RENAMED
INSTRU
EXECU
58
THE MCENTRAL
DISTRIBUTE
THE C
59 TLB STO
CHARACTE
eria F
ACTION
NG CAN BE
BLED
RNAL
ERS ARE
D BEFORE
UCTION
UTION
MU IS
LIZED OR
ED AMONG
ORES
O
Lo
ORAGE
ERISTICS
L
v
Freescale – QorP4080
N/A
Yes
One MMU per coadditional filte
addresses througocal Access Win
platform lev
L1 data/instructioL2 unified TL
Fixed 4K pagesvariable 4K to 4G
rIQ™ ARM
ore, but er on gh the ndows at vel
Oma
on TLB LB s, and G pages
L1 d
Tranth
FixedVaria
sup
M – CORTEX®MPCore™
N/A
Yes
One MMU per coanaged by the C
coprocessor
data/instructionsL2 unified TLB
nslation Table stohe cache or the m
memory d 4K pages in Lable 4K to 16M pport for Large P
2M and 1G
® A15 TI – T
ore P15
One MUn
virtual
s TLB B ored in
main
1 TLB pages,
Pages
Program
TMS320C6678
N/A
N/A
Memory Protectinit (no memory lization service)
core
mmable pages s
™ Altera
ion
per One M
sizes
a – Cyclone V
N/A
Yes
MMU per core
N/A
ID
6
6
6
6
6
6
D Crite
60
THE TREPLAC
ALGORI
IMPLEME
HARDWA
SOFTW
61 THE PAGE
FIXED OR V
62 THE MMUPAGES OVE
63 PRIVATE CA
SCRATC
CONTE
64 PRIVATE
REPLAC
POLI
65 THE OV
ARCHITEC
DOCUM
eria F
TLB
EMENT
THM IS
ENTED IN
ARE OR
WARE
s
Co
E SIZE IS
VARIABLE
U DETECTS
RLAPPING
ACHE AND
CHPADS
ENTS
32
E CACHE
EMENT
ICY
VERALL
CTURE IS
ENTED
PAc
Freescale – QorP4080
Hardware fordata/instruction
software for unifTLB
oherency L1/L2 by hardwar
Both
Yes
2k data, 32 K insL1
256k unified
Least Recently
Hard
Partially for Datcceleration Arch
(network streprocessing
rIQ™ ARM
r L1 n TLB, fied L2
ensured re
HameTL
Tra
Fixed
struction
L2 32k
Used L
dware accelerat
ta Path hitecture eam g)
Irr
Mprov
for
M – CORTEX®MPCore™
ardware replacemechanism: when LB miss occurs,MMU performs
anslation Table W
d in L1, variable
N/A
k data, 32k instru
east Recently U
tors for network
relevant criteria: CORTEX® A1
MPCore™ IP is nvided with I/O der network proces
® A15 TI – T
ment a L2 the a Walk
Softwthe m
e in L2
uction
32K daBoth
partiallA storebe writ
sed The cathe rep
k processing fea
The 5 not evices ssing
Netwomul
Publ
TMS320C6678
are managementmemory protectio
unit
Variable
N/A
ata, 32K instructcan be configur
ly or fully as SRe instruction cantten in L1 data ca
ache is one way,placement policy
trivial
atures
ork coprocessor alticore navigatorlic documentatio
available
™ Altera
t of on
tion red
RAM nnot ache
32k data
, so y is Least
and r. on
To be dtime
a – Cyclone V
N/A
N/A
N/A
a, 32k instruction
recently Used
defined at designe by the user
n
n
ID
6
6
6
6
D Crite
66 THE HAR
ACCELE
EMBEDS MI
67
THE HAR
ACCELE
CONTAINS I
MEMO
68
THE ACCE
INTERNAL
IS PROT
AGAINST S
69 THE HAR
ACCELERA
BE BYPA
eria F
RDWARE
ERATOR
ICROCODE M
RDWARE
ERATOR
INTERNAL
ORY
LERATOR
MEMORY
TECTED
EU/MBU
A
RDWARE
ATOR CAN
ASSED
Yne
Freescale – QorP4080
Yes, in the FrManager. This mi
is proprietar
Yes
All internal memprotected with
Yes: for network uetwork controllemapped on the PPCIe bus rather
DPAA
rIQ™ ARM
ame icrocode ry
mory is ECC
usage, a er can be PCI or r than
M – CORTEX®MPCore™
® A15 TI – T
AssumRx c
Yes: foa netwbe ma
TMS320C6678
med yes, as there core and a Tx cor
Yes
N/A
for a network usawork controller capped on the PC
™ Altera
is a re
age, can
CIe
a – Cyclone V
ID
7
7
7
7
D Crite
70
IT IS POSS
DEBUG ON
CORE WI
AFFECTI
OTHE
71
IT IS POSS
DEBUG O
COR
SYNCHRO
72
IT IS POSS
HAVE A TR
THE TRANS
GENERATED
COR
73
TH
MANUFACT
EXPERIENC
AVIONIC
eria F
SIBLE TO
A SINGLE
ITHOUT
ING THE
ERS
Yem
JTcp(
J
SIBLE TO
ON ALL
RES
ONOUSLY
SIBLE TO
RACE OF
SACTIONS
D BY EACH
RES
Pagiv
HE
TURER HAS
CE IN THE
DOMAIN
Freescale – QorP4080
es, internal perfomonitors on eachTAG interrupt avore per core, GDrovided with TO(Freescale hyperHyperTRK libraJTAG debug on
TOPAZ©
N/A
artially: Aurora ives a limited vie
Corenet™ acti
Yes
rIQ™ ARM
S
ormance h core, vailable
DB stub OPAZ© rvisor), ary for top of
©
PerACo
interface ew of the ivity
YMacr
timincl
Manufa
M – CORTEX®MPCore™
upport for debu
rformance moniARM v7 debug uoreSight™ interf
N/A
Yes: Program Trarocell, which is
me transaction trluded in CoreSig
facturer related
N/A
® A15 TI – T
ug
tors, unit, face
Yes ustrace p
ace a real-acer
ght™.
Yes ustrace p
criteria
TMS320C6678
sing the Debug aproprietary solut
N/A
sing the Debug aproprietary solut
Yes
™ Altera
and tion
and tion
a – Cyclone V
N/A
N/A
N/A
No
ID
7
7
7
7
7
D Crite
74
TH
MANUFAC
INVOLVED
CERTIFIC
PROCESS
STUDIED PL
75
TH
MANUFAC
PUBLISHES
COMMUNI
76
TH
MANUFACT
A SUFFICIE
EXPECT
77
TH
MANUFAC
ENSURES
TERM SU
78
TH
MANUFAC
PROV
INFORMA
THE PRO
DESI
eria F
HE
TURER IS
D IN THE
CATION
FOR THE
LATFORM
HE
CTURER
S SPECIFIC
ICATIONS
HE
TURER HAS
ENT LIFE
TANCY
HE
CTURER
A LONG
UPPORT
HE
CTURER
IDES
ATION ON
CESSOR
IGN
Freescale – QorP4080
Yes
Yes
Yes
N/A
Partially under
rIQ™ ARM
NDA P
fu
M – CORTEX®MPCore™
N/A
No
Yes
N//A
Partially, with thnctional descrip
® A15 TI – T
he tion
TMS320C6678
N/A
No
Yes
N/A
Yes
™ Alteraa – Cyclone V
N/A
No
Yes
N/A
Partially
ID
7
8
D Crite
79
TH
MANUFAC
PROV
INFORMA
BUGS AND
80
TH
MANUFAC
PROV
INFORMA
SER (SEU
eria F
HE
CTURER
IDES
ATION ON
D ERRATA
HE
CTURER
IDES
ATION ON
U/MBU)
Freescale – QorP4080
Yes
Partially under
rIQ™ ARM
NDA
M – CORTEX®MPCore™
N/A
N/A
® A15 TI – T
TMS320C6678
N/A
N/A
™ Alteraa – Cyclone V
N/A
N/A