Green Hills Software Extends Multicore Interference Mitigation to Arm Cortex-A72 for DO-178C Level A Applications

INTEGRITY-178 tuMP Multicore RTOS Helps Avionics Integrators Meet CAST-32A

Green Hills Software announced that it has extended its solution for DO-178C Level A multicore interference mitigation to Arm® Cortex®-A72 processor cores. As part of the INTEGRITY®-178 Time-Variant Unified Multi-Processing (tuMP™) RTOS, the Bandwidth Allocation and Monitoring (BAM) functionality enables software architects to allocate and enforce bandwidth limits to shared resources for each processor core. By guaranteeing access to shared resources based on application requirements or assurance level, BAM effectively mitigates multicore interference and minimizes multicore worst-case execution time (WCET).

Multicore interference occurs when multiple processor cores attempt to access the same shared resource, such as memory, shared cache, I/O, or the on-chip interconnect. Interference is a significant enough problem to warrant an entire position paper from the Certification Authorities Software Team (CAST-32A) dedicated to identifying problem areas relating to safety, performance, and integrity of software executing in an airborne multicore system. Green Hills Software has demonstrated application WCET growing 8 times longer from just a single interfering core, and up to 13 times longer with 3 interfering cores.

The BAM interference mitigation functionality monitors and strictly enforces the use of the shared resources as defined by the system integrator. When coupled with Green Hills Software’s multicore SoC-specific WCET utility libraries, BAM ensures that critical partitions meet their required deadlines while enabling other lower criticality partitions to execute on other cores simultaneously with no impact on the critical applications. This remains true even as the other partitions are modified or as new partitions are introduced into the system. This is a vital capability for sustainment and growth of critical systems based on multicore architectures.

Even though CAST-32 was first published in 2014 and updated in 2016, some RTOS suppliers are only just now acknowledging that multicore interference is a serious problem and are starting to look for a solution. For example, Lynx Software is “involved with multiple researchers,” including the EU-funded MASTECS project. That project is due to complete in November 2021, with the expected output being timing analysis software tools, not mitigation solutions. Other operating system suppliers just leave this multicore interference for the system integrator to solve. The BAM functionality provides the solution today and has been shipping to customers for years, beginning with Power Architecture® e500mc cores.

“Green Hills Software has been leading the charge for multicore interference mitigation with DAL A-compliant solutions across multiple multicore architectures,” said Dan O’Dowd, founder and chief executive officer of Green Hills Software. “Our competitors, such as Lynx Software, noted recently that ‘the FAA has promised to allow the use of multiple cores in a multicore processor chip but only if adequate mitigations can be demonstrated to certifiers, based [on]the CAST-32A specifications.’ Yet no RTOS supplier other than Green Hills Software provides a DO-178C Level A-compliant solution for multicore interference mitigation that meets the CAST-32A requirements.”

Although some level of mitigation at the application level is possible, generally it requires retesting and re-verification of all the applications executing on the multicore system when any single application changes, thereby incurring significant costs and delays that contribute to vendor lock. In the same way that MMU support and partition schedules need to be implemented in the OS, the enforcement of the multicore interference mitigation needs to be in the OS in order to achieve robust multicore partitioning. INTEGRITY-178 tuMP provides a general solution to multicore interference mitigation, thereby minimizing retesting and verification after any application changes or additions.

Green Hills Software recognized the problem of multicore interference early on and started investing in a solution in 2010. Based upon more than 60 staff-years of research and development into multicore interference analysis and mitigation strategies, the DAL A compliant BAM functionality monitors and enforces the bandwidth allocation of the chip-level interconnect to each of the cores. Because the chip-level interconnect is at the center of interactions between the cores and other shared resources, it is the ideal place to observe and enforce limits on the use of shared resources. BAM emulates a high-rate hardware-based approach to ensure continuous allocation enforcement of the cores’ use of shared multicore resources. This contrasts with a “safety net” approach using coarse-grain threshold and fault detection to kill or suspend rogue processes. BAM regulates the bandwidth smoothly throughout the application’s execution time window, thereby allowing other applications in the same execution time window to acquire their allocated portion of the shared resources. These capabilities greatly lower integration and certification risks while also enabling integrators to gain the maximum performance advantages of multicore processors.