CAST-32A and AC 20-193 for Avionics Multi-Core Processing
AMC 20-193 / CAST-32A is the worldwide (America, Europe, Asia) Certification Authorities Software Team (CAST) guidance for ensuring safe implementation of Multi-Core Processing (MCP) within avionics systems. A “core” is a separate computational engine within a processor, with multiple-cores providing simultaneous operations using potentially shared resources such as cache, memory, and communications. Prior to AMC 20-193 / CAST-32A, multiple active cores were not allowed; increased performance demands in aviation combined with near-ubiquitous MCP usage in consumer devices lead to the release of AMC 20-193 / CAST-32A which defines rules for safe multiple-core usage. RTOS vendors and application developers both must perform Interference Analysis with planning, development, and verification all proving determinism when two or more cores are potentially utilizing shared resources.
AC 20-193 further clarifies Multi-Core Processing (MCP) rules for avionics developers beginning in 2021. This paper describes AC 20-193 and CAST-32A requirements for avionics software/hardware.
AMC 20-193 / CAST-32A presents the coordinated position of avionics certification authorities regarding Multi-Core Processors (MCPs). While today’s aerospace ecosystem could benefit from the use of MCPs, when AMC 20-193 / CAST-32A was published FAA/EASA had not yet devised a means to obtain certification credit for safety-critical software deployed to an MCP. Toward that end, the AMC 20-193 / CAST-32A position paper identifies topics of concern that could impact the safety, performance, and integrity of DO-178C aviation software deployed to MCP(s).
For each topic, this paper provides a rationale that explains why these topics are of concern and proposes objectives to address the concern. (AMC 20-193 / CAST-32A, “Purpose”, p. 3)
Since relevant avionics software certification documents (DO-178B/C and ED-12B/C) were written before MCPs were used in civil aircraft, those certification guidelines can only address software executing on single-core hardware. The Certification Authorities Software Team (CAST) is an international team of aviation experts who clarify and harmonize the aviation development ecosystem. Their AMC 20-193 / CAST-32A position is that MCPs could credibly deliver size, weight, power, and cost (SWaP-C) advantages and that today’s aerospace equipment suppliers are interested in using MCPs in their systems.
The consumer device world has fully embraced MCPs and many of the devices used daily by the readers of this paper contain MCPs. Some in fact predict the obsolescence of single-core processors (SCPs) altogether.
Tomorrow’s avionics will most certainly contain more sophisticated avionics, meaning greatly expanded processing power. MCPs are a major solution to this rapidly expanding need for enhanced computing architectures and processing power; therefore, the aerospace industry in general must consider how best to utilize MCPs in future designs. But how can MCP challenges be overcome?
Before describing MCP (and AMC 20-193 / CAST-32A’s) topics of concern, which emphasize partitioning and its degradation by interference, first consider the background influencing the use of MCPs. Engineers and managers who already anticipate using MCPs as hardware targets for their next generation of software will benefit from considering these influences for future designs.
MCP Interference Concerns
DO-178C and DO-254 projects must recognize AMC 20-193 / CAST-32A organizes MCP concerns into a set of questions. These questions are answerable, in view of the 2017 publication of FAA TC-16/51 which accompanies DO-178C and DO-254. Measurable answers to the AMC 20-193 / CAST-32A concerns will define a partitioning architecture which is sufficiently “robust” against all identified interference threats. The AMC 20-193 / CAST-32A “topics to address,” or questions, are summarized in the following table applicable to DO-178C and DO-254:
Robust Partitioning vs. MCP Interference
AMC 20-193 / CAST-32A compliance requires answering the following question: Given an IMA context, can an MCP be used to safely consolidate partitioned resources from multiple SCP compute modules? Relying on a bevy of prior definitions , AMC 20-193 / CAST-32A formulates the following definition for its intended Robust Partitioning:
“MCP Platform With Robust Partitioning: an MCP platform that complies with the objectives of this document and provides Robust Resource and Time Partitioning as defined in this document, not only between software applications hosted on the same core, but also between applications hosted on different cores of an MCP or between applications that have threads hosted on several cores.
Granted this definition of Robust Partitioning for an MCP platform AMC 20-193 / CAST-32A will require consideration of any hardware-supported application parallelization. Specifically, designers must be explicit about which applications are allocated to which hardware cores or threads, if applicable. Addressing these concerns will require software designers to consider the following interference scenarios, presented in ascending order of difficulty:
Figure: AMC 20-193 / CAST-32A Robustness Considerations for DO-178C Certifiability
As implied by this hierarchy (above), efforts to obtain DO-178C and AMC 20-193 / CAST-32Arobust partitioning can be simplified by minimizing or eliminating interfaces and communications between applications. However, a concern arises whenever an application (or a time slice allocation to an application) migrates from one hardware core (or thread) to another. Since SMP operating systems treat all cores (and all time slices of cores, with respect to scheduling) as symmetrically interchangeable, a byproduct of this SMP convention is that knowledge about an application’s allocation to one core or another is hidden from the software developer by the OS. In the same token, an SMP OS is generally free to migrate an application to a new core after preemption. (For free training video on DO-178C AMC 20-193 / CAST-32A Multi-core Processing, view here:
While a DO-178C and AMC 20-193 / CAST-32A avionics software designer may want to minimize cases where an application’s threads could be allocated among multiple cores (see level 3, above) an SMP OS may not provide the best tools to force asymmetric distinctions onto assumed-symmetric cores. Taking this concern to an extreme, some avionics designs go so far as to disable all cores except one on an MCP. Doing so ensures application-to-core binding, while still realizing many benefits of an OS. But the main benefit of MCP-based designs per DO-178C is to harness the greater computational abilities of simultaneous processing and increased computing power, which is lost by disabling all except one core.
Click below to download the remaining 10 pages of this CAST-32A paper or here for CAST-32A training: https://afuzion.com/private-training/cast-32a-multi-core-processing-training/
Details of all the above are contained within the following 12 pages of this paper (download to read). For additional CAST-32A & MCP training, guidance, gap analysis, and mentoring, simply contact AFuzion. (Note: Details of all the above mentioned details are contained within the following pages of this paper (download to read). For additional CAST-32A and MCP development training, guidance, gap analysis, and mentoring, simply contact AFuzion.)