Avionics Industry Advances Toward DAL A Multicore Adoption
Embedded systems suppliers and avionics manufacturers are making progress toward enabling more widespread adoption of multicore processors for safety critical Design Assurance Level A (DAL A) avionics applications.
Avionics vendors and embedded software, real time operating system and processing suppliers are making major strides toward certifying the use of multicore processors to design assurance level (DAL) A, a goal the industry has worked towards throughout the last decade and is on track to make a widespread reality in the 2020s.
“We see a significant increase in customers requesting certifiable multicore solutions, due to increased SWAP constraints in UAVs and rotary platforms as well as demand for increased application performance and converged applications,” Ike Song, vice president of mission systems at Mercury Systems told Avionics International.
Mercury is developing a 3U VPX avionics flight computer that will be certified to a DO-254/178 DAL A level, the specific applications and functionality of which are “proprietary to our customer,” Song said.
“Mercury is working on a project now to certify a multicore avionics application,” Song added. “We are developing a 3U VPX avionics flight computer that will be certified to a DO-254/178 DAL A level. The specifics of the system are proprietary to our end customer. We are aware of a number of multicore projects that are in-process and expect some to achieve acceptance in 2020. Industry is in the early stages of wide adoption and certification authority approval.”
Some of the key players that Mercury is partnering with in these efforts to mitigate the challenges of multicore interference include certifiable RTOS providers, middleware, and silicon, according to Song.
One of the most advanced forms of next-generation avionics functionality that Mercury will support, and one where multicore processors are necessary, will come through electric vertical takeoff and landing (eVTOL) air taxis. Since 2018, Mercury has been working with Switzerland-based startup Daedalean to apply artificial intelligence to autonomous flight control systems for the electric air taxis of the future.
Daedalean’s goal is to develop the aviation industry’s first autopilot system to feature an advanced form of artificial intelligence (AI) known as deep convolutional feed forward neural networks.
“DAL-C comes first, A is harder,” Luuk van Dijk, founder and CEO of Daedalean told Avionics International.
The autopilot system Daedalean is developing has to replicate a human pilot's level of decision-making and situational awareness, and it will have to update the flight trajectory it follows continuously.
“DAL levels are not goals in themselves, but follow from what we try to accomplish and what we expect the bar imposed on us will be,” van Dijk said. “If the authorities would require less than DAL-C, for such a system it would mean we have built an instrument that could be missed, which is not our ambition. In the long run we aim for full autonomy and [to] bypass any human judgment, which means we will have to meet and exceed the highest standards available. DAL-A and beyond.”
Certified multicore in a safety critical avionics application has been an objective for the avionics industry for some time, but widespread adoption of multicore processors across commercial and military avionics faces several challenges, including the following:
- Running multiple processing cores on a single chip turns resources such as main memory, caches and the interconnect from being dedicated to one processor's applications into on-demand resources shared by several cores.
- Contention for those shared resources (the interference channels) delays memory accesses in ways that depend on what the other cores happen to be doing, which increases the worst-case execution time of hosted applications and makes the timing behavior of the system harder to predict and bound.
- Meeting the latest international regulatory objectives for multicore processor certification in safety critical applications requires the suppliers of hardware, operating systems, platform software and application software, together with the systems integrator, all to take part in the compliance process.
Multicore processor certification to DAL A in avionics systems is complex enough that there is currently no official international civil aviation certification path specific to the technology. Instead, in 2016, the Certification Authorities Software Team (CAST), consisting of civil aviation authority officials from Asia, Europe, North America and South America, published the CAST-32A position paper as the de facto global guidance for the safe implementation of multicore processing within avionics systems.
Surprisingly, multicore processors were also highlighted by Markus Gornemann, Head of the Design Organizations & ETSO Department and Deputy Certification Director at the European Union Aviation Safety Agency (EASA), in his third and final "J-News" information bulletin of 2019.
The bulletin included Gornemann's summary of generic Certification Review Items (CRIs), the documents EASA uses to record design features or certification aspects of a product for which the airworthiness requirements have to be defined by means of a more generic nature: special conditions, interpretative material, means of compliance or equivalent safety findings.
Under the category of Software/AEH, Gornemann specifically refers to "the use of multi-core processors" and notes his desire to "inform that [certification memoranda] CMs used in many projects are now superseded by AMC 20 material and will not lead to CRIs in the future anymore."
“Software Aspects of Certification is superseded by ED Decision 2017/020/R publishing AMC 20-115D Airborne Software Development Assurance using EUROCAE ED-12 and RTCA DO-178,” Gornemann writes.
Elsewhere in the industry, a group that is key to advancing the use of multicore processors in safety critical DAL A avionics systems is the Multi-Core for Avionics (MCFA) working group, founded in 2008 by Freescale, now part of the Eindhoven, Netherlands-based semiconductor company NXP. MCFA brings together SoC designers, ecosystem software partners and avionics system developers working to migrate avionics from federated architectures built on single-core processors to integrated modular architectures using multicore systems on chips.
Since the publication of CAST-32A, a primary objective for the MCFA group has been establishing methods that applicants seeking to certify avionics systems featuring multicore processors can use to help regulators understand and characterize the timing behavior of their system. In August 2019, Rapita Systems, a U.K.-based supplier of on-target software verification tools for embedded aerospace and automotive applications, joined MCFA.
In a white paper titled "Multicore Timing Analysis for DO-178C," published shortly after it joined MCFA, Rapita outlines what the company believes could be critical to demonstrating the functionality and timing of software components within a multicore environment using its V-model process.
To demonstrate the approach, the white paper features the company's use of "YOLO" real-time object detection software on an NVIDIA Jetson AGX board with eight NVIDIA Carmel processing cores. The paper describes YOLO as an open-source image recognition application whose neural network calculations are performed on a graphics processing unit.
Using its Rapita Verification Suite (RVS) software verification tools, its RapiDaemons interference generators for stressing shared hardware resources, and its high-rate RTBx data logger, Rapita produced a software accomplishment summary report showing how its verification activities addressed the CAST-32A objectives. This provides a scripted method by which the suppliers of hardware, operating systems, platform software and application software, together with the systems integrator, can show how a system featuring multicore processors satisfies regulatory certification requirements.
A key insight in the white paper is the observation that a measurement-based approach is necessary to characterize the timing of multicore systems when all cores are enabled.
"Static execution time analysis approaches are not suitable as they require highly detailed models of the processor that are very difficult to obtain and their use would determine the pathological worst-case behavior of the code, which is extremely unlikely to occur," Rapita Systems notes in the white paper. "A measurement-based analysis approach, however, does not rely on models, but instead exercises tests on the multicore hardware itself. Using such an approach, it is possible to collect timing data that reflects the behavior of the system and isn't overly pessimistic."
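The interference problem described in the list of challenges above and the measurement-based approach Rapita describes can be reproduced in miniature on an ordinary multicore desktop. The following is an added example, not code from the article, Rapita Systems or Collins Aerospace: it times a memory-streaming task alone and then while interference generators stream their own working sets through the shared cache hierarchy from the other cores, reports the high-water-mark (HWM) execution time observed in each configuration and the resulting interference multiplier, and checks the contended HWM plus an assumed margin against an assumed time budget. The workload, buffer sizes, sample counts, margin and budget are all assumptions chosen for illustration.

```python
"""Measurement-based timing analysis under multicore interference.

Added example, not from the article, Rapita Systems or Collins Aerospace.
Workload, sizes, sample counts, margin and budget are assumed values.
"""
import hashlib
import multiprocessing as mp
import os
import statistics
import time
from dataclasses import dataclass

WORKING_SET = 32 * 1024 * 1024  # assumed: exceeds per-core L2 so accesses hit shared L3/DRAM
SAMPLES = 40                    # assumed: execution-time samples per configuration


def task_under_test(buf: bytes) -> bytes:
    """Memory-streaming stand-in for a hosted avionics function."""
    return hashlib.sha256(buf).digest()


def interferer(stop) -> None:
    """Interference generator: streams its own working set through the shared
    cache hierarchy until told to stop (the role RapiDaemons play in Rapita's
    method; this is a stand-in written for the example, not their code)."""
    buf = os.urandom(WORKING_SET)
    while not stop.is_set():
        hashlib.sha256(buf)


def sample_execution_times(buf: bytes, n: int) -> list[int]:
    """Return n wall-clock execution times of the task, in nanoseconds."""
    times = []
    for _ in range(n):
        t0 = time.perf_counter_ns()
        task_under_test(buf)
        times.append(time.perf_counter_ns() - t0)
    return times


def measure(n_interferers: int, n: int = SAMPLES) -> list[int]:
    """Sample the task while n_interferers processes stress shared resources."""
    stop = mp.Event()
    procs = [mp.Process(target=interferer, args=(stop,)) for _ in range(n_interferers)]
    for p in procs:
        p.start()
    time.sleep(0.2)  # let the interferers reach steady state before sampling
    try:
        return sample_execution_times(os.urandom(WORKING_SET), n)
    finally:
        stop.set()
        for p in procs:
            p.join()


@dataclass
class TimingReport:
    hwm_isolated_ns: int
    hwm_contended_ns: int
    mean_isolated_ns: float
    mean_contended_ns: float
    interference_multiplier: float  # HWM contended / HWM isolated
    meets_budget: bool


def analyze(isolated: list[int], contended: list[int],
            budget_ns: int, margin: float = 0.2) -> TimingReport:
    """Compare isolated and contended samples.

    The high-water mark (HWM) is the largest observed time; the interference
    multiplier is the ratio of contended to isolated HWM. The budget check
    applies an assumed safety margin to the contended HWM because a
    measurement-based WCET is an observation, not a proof of the true bound.
    """
    hwm_iso, hwm_con = max(isolated), max(contended)
    return TimingReport(
        hwm_isolated_ns=hwm_iso,
        hwm_contended_ns=hwm_con,
        mean_isolated_ns=statistics.fmean(isolated),
        mean_contended_ns=statistics.fmean(contended),
        interference_multiplier=hwm_con / hwm_iso,
        meets_budget=hwm_con + hwm_con * margin <= budget_ns,
    )


if __name__ == "__main__":
    others = max(1, (os.cpu_count() or 2) - 1)  # stress every core but the one sampling
    alone = measure(0)
    loaded = measure(others)
    report = analyze(alone, loaded, budget_ns=2 * max(alone))  # assumed budget
    print(f"cores stressing shared resources: {others}")
    print(f"HWM alone     : {report.hwm_isolated_ns / 1e6:8.2f} ms")
    print(f"HWM contended : {report.hwm_contended_ns / 1e6:8.2f} ms")
    print(f"interference multiplier: {report.interference_multiplier:.2f}")
    print(f"fits budget with margin: {report.meets_budget}")
```

Two caveats a practitioner would apply. First, a multiplier close to 1 on a desktop means the task was not bound by the shared resource you stressed, not that there is no interference channel; the generators have to be matched to each channel (cache, memory controller, interconnect, I/O) and the sampling run long enough to catch the rare collisions. Second, the HWM is only as good as the coverage of the tests that produced it, which is why the CAST-32A style of argument pairs measurements like these with an analysis of which channels exist and how the RTOS and platform configuration constrain them.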
Collins Aerospace and Wind River updated the industry on their efforts to certify a multicore processing platform that executes multiple functions, with mixed DAL assignments, on multiple cores of a single system-on-chip processor during their December 2019 webinar, "Civil Certification of Multicore Processing Systems in Commercial Avionics."
Using the NXP (formerly Freescale) QorIQ T2080 Power Architecture processor, Collins led what it describes as an "iterative trade study and experimentation" process to pursue a path to multicore processor certification. Through its membership in the MCFA group, it was able to establish proprietary relationships with operating system and system-on-chip vendors to help align certification plans that address the objectives listed in the CAST-32A position paper.
Those efforts led to the development of Collins' multifunction display, the MFD-4068, running Wind River's VxWorks 653 on the T2080 multicore processor. According to Dave Radack, associate director of software engineering for Collins Aerospace, the display has completed more than 1,000 hours of flight-testing on "civil and military platforms."
Testing of the multicore display is promising, and represents some of the industry's most advanced work toward the goal of enabling all cores when adopting multicore processors for safety critical DAL systems. In fact, Collins is now on the verge of obtaining the industry's first regulatory approval to DAL A for a multicore processor in a flight display system, having moved on to the FAA's final certification review, Stage of Involvement 4 (SOI4).
"Collins Aerospace has submitted the remaining multi-core and system level certification packages earlier this year," Radack said. "The hardware AEH devices, operating systems and middleware packages have all been SOI4 approved by FAA representatives. The platform software and applications offer packages, including the overall integration activities, have been reviewed, and the teams are currently working with the FAA representatives in the SOI4 feedback and comment review cycle. Upon SOI4 closure, we expect the full TSO package to be reviewed and approved by the FAA within a few months of submission. But, since this is the first DAL A multicore TSO, the timing is a bit unpredictable."