Multicore processors offer designers of safety-critical avionics the significant benefits of smaller size, lower power, and increased performance, but bringing those benefits to safety-critical systems has proved challenging. That is due mainly to the complexity of validating and certifying multicore software and hardware architectures.
Simplistic approaches to ease the validation effort can negate the benefits of multicore processors by limiting applications from running in parallel across multiple cores. Even worse, they can result in special case solutions that cannot be modified or expanded without revalidating the entire system. The two crucial components to achieving optimal multicore processing are to have a flexible software multi-processing architecture and to have a robust solution at the operating system level for mitigating contention for shared resources, also known as multicore interference mitigation.
Separate process cores (shown in gray) share many resources (shown in green) ranging from the interconnect to memory and I/O.
Software Multi-Processing Architecture
INTEGRITY-178 tuMP is a unified multicore RTOS that supports simultaneous combinations of Asymmetric Multi-Processing (AMP), Symmetric Multi-Processing (SMP), and Bound Multi-Processing (BMP). In AMP, each application is assigned to a single core, and each core is run independently with little or no meaningful coordination between the cores in terms of scheduling. This decoupling can result in underutilization due to the inability to expand application resources across physical or virtual cores, the lack of load balancing, and difficulty mitigating shared resource contention.
The modern alternative is Symmetric Multi-Processing (SMP), where a single OS controls all the resources, including which application threads are run on which cores. This architecture is easy to program because all cores access resources “symmetrically,” freeing the OS to assign any thread to any core. Not knowing which threads will be running on which cores is a major challenge and a risk for deterministic operation in critical systems. To address this, CAST-32A references the use of Bound Multi-Processing (BMP). BMP is an enhanced and restricted form of SMP that statically binds an application’s tasks to specific cores, allowing the system architect to tightly control the concurrent operation of multiple cores. BMP directly follows the multicore requirement in ARINC 653 Supplement 4 section 2.2.1 which states: “Multiple processes within a partition scheduled to execute concurrently on different processor cores.”
The time-variant capability of INTEGRITY-178 tuMP allows different bindings of applications to cores in different partition time windows.
The Time-variant Unified Multi-Processing (tuMP™) approach of INTEGRITY-178 tuMP provides maximum flexibility for porting, extending, and optimizing safety-critical and security-critical applications to a multicore architecture. It starts with a time-partitioned kernel running across all cores that allows any combination of AMP, SMP and BMP applications to be bound to a core or groups of cores called affinity groups. It then adds time-variance so that partition time windows do not need to be aligned across cores. The flexibility of time-variance and choice of AMP, SMP, or BMP give the software architect the tools to optimize safety-critical multicore performance.
The Only Safety-Critical RTOS with Full Multicore Support
INTEGRITY-178 tuMP is the only high-assurance RTOS that:
- Is part of a multicore certification to DO-178C and CAST-32A
INTEGRITY-178 tuMP is used in the PU-3000 Avionics Computer from CMC Electronics, which has TSO Approval as a flight director, and its certification included evidence of meeting all objectives in CAST-32A.
- Is certified to the latest version of the Future Airborne Capability Environment—FACE 3.0—for all three avionics processor architectures: Arm, Intel, and Power Architecture
INTEGRITY-178 tuMP is certified conformant to the FACE 3.0 Technical Standard for both safety and security.
- Supports the latest revisions of ARINC 653
Updated in 2015, ARINC 653, Part 1, Supplement 4 requires “Multiple processes within a partition scheduled to execute concurrently on different processor cores.” Supplement 5 continues that requirement. An RTOS that only supports Asymmetric Multi-Processing (AMP) does not meet Supplement 4 or 5. Likewise, an RTOS that supports SMP but not within an ARINC 653 partition does not meet Supplement 4 or 5. INTEGRITY-178 tuMP supports Bound Multi-Processing (BMP) and Symmetric Multi-Processing (SMP) in addition to AMP, all within an ARINC 653 partition.
- Includes CAST-32A multicore interference mitigation
Interference from multiple cores accessing the same shared processor resource, such as shared memory, is a huge impediment to deterministic performance. INTEGRITY-178 tuMP provides interface testing libraries and bandwidth allocation mechanisms to help system integrators meet CAST-32A guidance.
- Meets the spirit of multicore for IMA
True Integrated Modular Avionics (IMA) systems should not need to be re-architected if an application is modified or added. Only INTEGRITY-178 tuMP provides the general solution to multicore interference that avoids the majority of retesting and revalidating that would otherwise be needed.
- Supports virtual cores and hyper-threading
INTEGRITY-178 tuMP has a general solution for multi-processing that extends into virtual cores, allowing an application to use all the virtual cores and not just the physical cores (e.g., 8 virtual cores on a quad-core processor.)
- Delivers security certification evidence to meet the SKPP for multicore processors
INTEGRITY-178 is the only operating system ever certified to the NSA’s Separation Kernel Protection Profile (SKPP) “High Robustness” EAL6+, and INTEGRITY-178 tuMP meets those same requirements for multicore processors.