Marco Caccamo
University of Illinois
at Urbana Champaign
mcaccamo@illinois.edu
Multicore computer platforms pose new challenges for hard real-time systems, because of the complex temporal coupling between processing cores' shared last level cache, shared memory, I/O bandwidth and interconnections. Much of the real time scheduling for single core chips has centered on the CPU, because it has been the bottleneck resource. The emergence of multicore architectures has moved bottleneck resource away from CPU and towards the now globally shared memory, last level cache, and communication infrastructure.
Temporal coupling among concurrently running applications on different cores makes certification of safety-critical systems particularly challenging. Such problem particularly impacts the avionics and automotive industries, and has been largely recognized by the academic community. In the avionics domain, the Certification Authorities Software Team (CAST), an international group of avionics certification and regulatory representatives from North and South America, Europe, and Asia has formally expressed its concern toward the adoption of multi-core solutions for avionics system. In May 2014, CAST released Position Paper 32 on Multi-Core Processors (MCP, see CAST-32) to discuss topics related to safety of avionics software on multicore systems. Among other issues, the position paper identifies MCP Interference Channels, such as shared memory, cache and interconnect features, as possible sources of safety violations. While the position paper does not constitute binding policy on certification, it nevertheless strongly suggests that all such sources of interference must be:
- identified;
- analyzed;
- certifiably mitigated.
Recently, CAST released an update to the CAST-32 document, namely CAST-32A. The new document introduces important guidelines about how to extend temporal partitioning as in DO-248C / ED-94C and DO-297 / ED-124 standards to multicore platforms. The new certification guidance specifies that robust resource and time partitioning can be used to demonstrate compliance to the Applicable Software Guidance (e.g., DO-178).
In the automotive domain, the International Organization for Standardization has published the ISO-26262 standard for functional safety. ASIL decomposition can be performed by partitioning OS applications to different areas of the same multi-core ECU. The requirement is that logically independent partitions run without causing any mutual interference - freedom from interference. Although the requirements are well understood, there is a lack of consensus on the technology for next-generation automotive systems using multicore ECUs.
Inspired by the CAST-32, CAST-32A position papers and by the safety principles of the ISO-26262 standard, the goal of the workshop is to bring together the Real-Time Systems (RTS) community, industry, and regulatory agencies to address the challenges in the certification of multicore avionics and automotive systems. In particular, we will seek contributions from the community on how to analyze and mitigate the effects of interference channels in Commercial-Off-The-Shelf (COTS) multicore processors. Major goals involve:
- identify the set of timing-related challenges to be addressed;
- determine which solutions are available for such challenges, and whether the community agrees on a set of such solutions;
- determine which challenges remain as open problems and
- identify evidence based validation and certification procedures.
The previous edition of this workshop (CMAS'15) has led to a position paper that summarizes the fundamental principles and guidelines for the certification of multicore avionics. The paper, formally known as "Position Paper On Minimal Multicore Avionics Certification Guidance" has been officially endorsed by a number of research institutions and industries around the globe. The latest draft is available here.
