International Conference on Integrated Modular Avionics –Mosco · 2012. 11. 19. · Integrated...

Post on 29-Oct-2020


www.thalesgroup.com

International Conference on Integrated Modular Avionics – Moscow

1) Ensuring robust partitioning in multicore platforms for IMA Systems

2) Versatile & Reconfigurable Inputs/Outputs for IMA Systems

2012-10-29

ENSURING ROBUST PARTITIONING IN MULTICORE PLATFORMS FOR IMA SYSTEMS

From federated to IMA systems

From physical to logical fault isolation

• Federated systems
  • Physical fault confinement
• Integrated systems
  • Logical fault confinement: robust partitioning

Integrated Modular Avionics: Mandatory requirements

• Robust partitioning
• Platform determinism
• Platform limitations for WCET scenario definition

Why is ensuring robust partitioning difficult on multicore platforms?

Multicore for IMA, “good properties”

• How could avionics platforms benefit from multicore processors?
  • Allow all cores to be used whatever the level of criticality
  • Minimize porting effort and re-certification of legacy applications
  • Compatibility with ARINC 653 and ARINC 664 guidelines for APEX and Network partitioning
  • Incremental certification

Confidence in digital avionic systems has never regressed during technological steps

Robust partitioning in ARINC 653 on single core

• Current process
  • Time and space partitioning
  • Disjoint memory areas for each partition
  • Full allocation of processing resources to one process in one partition at one time
• Targets the Alternative Gold Standard for Robust Partitioning

Partitions deployment on Multicore

• Symmetrical Multi Processing:
  • Time and space partitioning remains unchanged at partition level
  • Inter-process conflicts impact WCET
  • Requires parallelization of single-core applications

Constraints are shared between Function Supplier and Platform Supplier

• Asymmetrical Multi Processing:
  • Inter-partition and application conflicts when accessing shared resources
  • Backward compatibility with legacy applications

Main constraints are at Platform Provider level

Partitioning issues on COTS multicore platforms

• Timing issues and inter-core conflicts
  • Transaction collisions in the interconnect
  • Shared caches
  • Shared I/O
• Limited knowledge of the interconnect features
  • Nearly impossible to determine all situations of collisions
  • Hardware mechanisms to avoid transaction collisions impact average performance

Alternative Gold Standard seems difficult to ensure if the hardware has not been developed for it

Gold Standard enforcement

• Direct proof of robust partitioning
  • Requires a generic model of faults for partitions
  • A priori, we have to consider all couples of faults to ensure no propagation
  • We have to consider many possible sequences of conflicts
• Fault propagation results from sequences of inter-core conflicts
  • For each fault, we determine the set of resulting conflict classes
  • For each fault, we determine the set of causing conflict classes
  • If those two sets are disjoint, robust partitioning is proven

Highly complex analysis that has never been performed
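The disjointness check described on this slide can be sketched as follows. This is an added example, not code from the presentation; the fault names, conflict classes, the partition field and the reading that only couples of faults in different partitions matter are assumptions.

```python
from itertools import permutations

# Constructed model (hypothetical names): for each fault, the partition it
# belongs to, the conflict classes that can cause it, and those it results in.
FAULTS = {
    "A_flood": {"partition": "A", "caused_by": set(),
                "results_in": {"interconnect_collision"}},
    "B_overrun": {"partition": "B", "caused_by": {"interconnect_collision"},
                  "results_in": {"shared_io_contention"}},
    "C_stale_io": {"partition": "C", "caused_by": {"shared_io_contention"},
                   "results_in": set()},
}


def propagation_pairs(faults):
    """Ordered couples (src, dst) in different partitions where a conflict
    class resulting from src is also a cause of dst."""
    pairs = []
    for src, dst in permutations(faults, 2):
        if faults[src]["partition"] == faults[dst]["partition"]:
            continue
        shared = faults[src]["results_in"] & faults[dst]["caused_by"]
        if shared:
            pairs.append((src, dst, sorted(shared)))
    return pairs


def reachable_faults(faults, start):
    """Faults reachable from start through any sequence of conflicts."""
    edges = {}
    for src, dst, _ in propagation_pairs(faults):
        edges.setdefault(src, set()).add(dst)
    seen, stack = set(), [start]
    while stack:
        for nxt in edges.get(stack.pop(), ()):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def robust_partitioning_proven(faults):
    """True when every fault's resulting set is disjoint from the causing
    sets of faults in other partitions, i.e. no propagation couple exists."""
    return not propagation_pairs(faults)
```

The transitive walk matters because a fault in partition A reaches partition C only through the intermediate fault in B, which a pairwise check alone would not report as an A-to-C path.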

Model of multicore platform

• Abstract representation of the platform internal activity
  • We have to deal with the lack of information
  • Model refinement with the available information
• We can represent conflict situations
  • Simultaneous presence of two transactions in one component

Core refinement

• Core Software
  • Can be a hypervisor; its execution is local
• Core controller
  • Internal controllers, memory protection units, exception and interrupt generators
• Local Memory
  • Internal caches and scratchpads
• Partitions
  • Transactions generator

Interconnect refinement

• Each component has a pool of transactions it can handle
• This makes it possible to represent many behaviors inside the interconnect
• Black box sub-components cannot be refined

Conclusion

• The use of multicore in avionics requires new methods to enforce robust partitioning
  • ARINC 653 time partitioning is not applicable
  • Inter-partition true parallelism
  • Concurrent transactions management in the interconnect with little visibility on its behavior
  • Incremental certification objectives
• Two strategies to enforce robust partitioning:
  • Control transactions flow emission in the core with the hypervisor
  • Represent transactions flow management in the interconnect
• Those two strategies are complementary to authorize parallelism in partitioned systems

VERSATILE INPUTS / OUTPUTS FOR IMA SYSTEMS

Outline

• Introduction and problem statement
• Our approach: versatility
• CALYPSO: first integrated versatile input prototype
• First Experimental Results


Definition

Input/Output Interface: set of functional blocks which allows interaction between Actuators, Sensors or Loads and an Information Processing System.

[Figure: block diagram; labels: CPU, I/O, Processor, Network, RAM, NVM, ROM, I/O interface (three instances)]

• Offer ways
  • to communicate
  • to sense
  • to act

Current Avionics Architecture

Data Processing Unit
• 100 Discrete I/Os
• 20 A429
• 2 Analog Acquisitions

Remote Data Concentrator
• 30 Discrete I/Os
• 5 A429
• 6 LVDT
• 20 Various Analog acquisitions
  • Temperature, DC Voltage…

Flight Control Management
• 10 Discrete I/Os
• A429 (# 50 IN, # 20 OUT)
• 10 LVDT
• 10 Analog acquisitions …

What makes these computers different?
• Different sensors/actuators
→ Different I/Os

Need for Versatility


Introducing Versatile Interface

Current Computer/RDC:
• Dedicated interfaces
→ Functionalities limited by hardware
→ In case of new specifications:
  • new design
  • validation
  • certification

Versatile Computer:
• Only one type of interface
• Reduced surface
• Easier design
• Easier reuse
• Scalability

Versatility offers extended functionalities

Versatile Interface Capabilities

Versatile Interface as a differential Interface

• Discrete Inputs:
  • DSI Ground/Open
  • DSI Vdd/Open
• Digital buses:
  • A429

Channels individually configurable to interface usual Inputs:

• Differential analog acquisitions:
  • DC Analog Voltage
  • LVDT acquisition
  • Current Monitoring
  • LVDT excitation Monitoring

Versatile Interface as a Single Ended Interface

75%-100% of CPIOM/RDC/FCC inputs type

Current Interface Principle

Current Input Interface
• Each stage is specifically designed
• Static hardware

Versatile Interface Principle

Versatile Interface
• Some stages can be programmed
• Analog Resources
  • Input Impedance
  • Gain
  • Offset
  • Single Ended/Differential
• Digital Resources
  • Filtering
  • Comparison Thresholds
  • Timing controls
  • Specific algorithms

Complete Interface Architecture


ASIC CALYPSO: Characteristics

• Content of the mock-up ASIC:
  • 1 analog front end for test purposes (channel 0).
  • 1 ADC for test purposes (ADC0).
  • 1 complete channel with 2 configurable analog front ends (Channels 1a and 1b), 1 mux and 1 ADC.
• To be implemented in next version:
  • Instrumentation amplifier
  • Basic digital data processing
  • Parallel → Serial data output
  • Serial configuration management

ASIC CALYPSO: Capabilities

• Theoretical Capabilities:
  • DSI GND/OPEN
  • DSI 28V/OPEN
  • A429 LS (ADC not fast enough)
  • ANI ±10V
  • LVDT
• For analog acquisitions: error correction thanks to references switching.

COMPOLDSI | COMDSI | PDOWN | COMREF1 or COMREF2 or COMREF3 or COMREF4 | OFFSETGND | OFFSETLINE | CHANNELS CONFIGURATION

X X X 1 0 | Offset Correction
0 0 1 0 1 | Analog Acquisition / LVDT / A429
1 1 0 0 1 | Discrete Ground/Open
0 1 0 0 1 | Discrete Vdd/Open
X 0 0 X X | DO NOT USE: ABNORMAL CONFIGURATION CAN CAUSE PERMANENT DAMAGE
ANY OTHER CONFIGURATION


ASIC CALYPSO: Results

• Example: DSI Vdd/Open

Experimental results: DSI Gnd/Open

[Figure: measured DSI Gnd/Open response; labels: Vthdown, Vthup, 100 LSB, GND, Open]

• Configurable thresholds for maximum flexibility
  • Compatible with ABD100, Gulfstream Specs…
• Good distinction between states
• Strong immunity to ground fluctuation (hard point)
  • Sine, 30 V pp @ 200 Hz

ASIC CALYPSO: Results

• Example: Analog Acquisition
• Example: Analog Acquisition with dynamic error correction

Parameters of the interface can change:
→ Dynamic error correction

• We digitize the signal with its errors
  • Common mode not rejected
  • Offset errors
  • Gain errors…
• We inject reference voltages into this signal
• We deduce interface parameters

We finally get the signal without errors

Dynamic error correction: experimental results

• Example:
  • Input voltage
    • Sinewave
    • 3V @30Hz
  • An important error (30%) is introduced on the gain

EXPERIMENTAL MEASUREMENTS

Smart error correction removes this error

Versatile interface manages to retrieve the correct signal
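The correction principle (digitize with errors, inject references, deduce the interface parameters, recover the signal) can be worked through numerically. This is an added example, not code from the presentation: the linear gain/offset channel model, the 12-bit ADC, the ±5 V reference pair and the 0.2 V offset are assumptions; the 3 V, 30 Hz sine and 30% gain error come from the slide.

```python
import math

ADC_BITS = 12       # assumed converter resolution
FULL_SCALE = 10.0   # assumed input range, matching the ANI ±10V capability


def acquire(v_in, gain=1.0, offset=0.0):
    """Hypothetical channel model: linear front end, then ADC quantisation."""
    v = max(-FULL_SCALE, min(FULL_SCALE, gain * v_in + offset))
    lsb = 2 * FULL_SCALE / (1 << ADC_BITS)
    return round(v / lsb) * lsb


def estimate_parameters(channel, ref_lo, ref_hi):
    """Inject two known references and deduce the channel gain and offset."""
    y_lo, y_hi = channel(ref_lo), channel(ref_hi)
    gain = (y_hi - y_lo) / (ref_hi - ref_lo)
    offset = y_lo - gain * ref_lo
    return gain, offset


def correct(raw, gain, offset):
    """Invert the estimated linear model to recover the input voltage."""
    return (raw - offset) / gain


def worst_error_percent(channel, gain, offset, amplitude=3.0, freq=30.0, n=200):
    """Worst error, in % of amplitude, over one period of the test sine."""
    worst = 0.0
    for k in range(n):
        t = k / (n * freq)
        v = amplitude * math.sin(2 * math.pi * freq * t)
        worst = max(worst, abs(correct(channel(v), gain, offset) - v))
    return 100.0 * worst / amplitude


def faulty_channel(v):
    # Constructed drift: 30% gain error plus an assumed 0.2 V offset.
    return acquire(v, gain=1.3, offset=0.2)


UNCORRECTED = worst_error_percent(faulty_channel, 1.0, 0.0)
GAIN, OFFSET = estimate_parameters(faulty_channel, ref_lo=-5.0, ref_hi=5.0)
CORRECTED = worst_error_percent(faulty_channel, GAIN, OFFSET)
```

After correction the residual error in this model is bounded by ADC quantisation, both on the signal samples and on the two reference readings.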

Dynamic error correction: experimental results

±0.7%

From ±7% error down to ±0.7% thanks to dynamic error correction; down to less than ±0.1% with the industrial ASIC

EXPERIMENTAL MEASUREMENTS

Conclusion

Experimental results
• Very consistent with theoretical results
• Very consistent with simulation
• Our models are correct and can be used for rapid error or misbehavior investigation
• Advanced functionalities are promising:
  • Capability to change gains, offsets and impedances
  • Discrete interfacing, with programmable pull (up or down)
  • Immunity to important ground fluctuation (tested and functional)
  • Dynamic error correction for precision voltage acquisitions
  • No sensitivity to temperature or process drifts

VERSATILITY BROUGHT TO THE NEXT STEP

• Parts Number Reduced
  • Maintenance
  • Fewer spare parts
  • Availability
• Hardware scalability
  • Flexible
  • Design simplified

Thanks for your attention!

Source: http://asrs.arc.nasa.giv/publications/callback/cb_330.htm

Proprietary Notice

This presentation includes THALES Avionics Proprietary Information and Background Intellectual Property Rights.

This presentation, in whole or in part, is confidential and shall not be used or disclosed without THALES Avionics prior written authorization.