Upload
others
View
1
Download
0
Embed Size (px)
Citation preview
© 2017 WIND RIVER. ALL RIGHTS RESERVED.
WIND FORUM KOREA 2017 Multicore and the Challenges of Certification
윈드리버 코리아 장승한 차장
2 © 2017 WIND RIVER. ALL RIGHTS RESERVED.
AGENDA
The Certification Process
COTS Multi-core hardware and software
– Integrating CAST-32A guidelines
Common misconceptions and best practices
Building a low-risk certification strategy
Using affordable COTS software foundations
Leveraging COTS RTCA DO-178C DAL A certification evidence with VxWorks® 653
3 © 2017 WIND RIVER. ALL RIGHTS RESERVED.
Software Certification Process
Exciting, fast, easy, or simple?
No!
– it is hard work, time-consuming, extremely detailed and expensive
Result?
– For the most recent Wind River certification project:
1.4 GB of evidence in 40,000 files
4 © 2017 WIND RIVER. ALL RIGHTS RESERVED.
Requirements > Implementation > Verification
Aircraft level Requirements
Aircraft level verification
System level Requirements
Subsystem Requirements (High Level)
SW and HW requirements
(Low Level)
Source Code Implementation
SW and HW verification
Subsystem verification
System verification
Verify Design
Production Testing/Result
Code
Code reviews
Test cases
Test case
reviews
PSAC
SDP
SCMP
SQA
SVP
Standards
SRS (HLRs)
SDD
SRS (LLRs)
RTD
STP
Reviews
Test Harness
Test case
results
Code
coverage test
and results
SAS
SVA*
Partitioning
Analysis*
SCI
Traceability
matrix
DO-178C Cert Evidence Deliverables
DO-178C Certification Evidence applies to:
Generic Operating System and Services and Standard C lib
Applicable to a specific processor (e.g., ARM A9, QorIQ T2080)
* SVA and Partitioning Analysis are specific to an architecture
Implementation
and Test Definition Project Startup
6 © 2017 WIND RIVER. ALL RIGHTS RESERVED.
6
Plan for Software Aspects of Certification
(PSAC)
Software Quality Assurance Plan
Software Configuration Management Plan
(SCMP)
Software Development Plan (SDP)
– Software requirements standards
– Software design standards
– Software coding standards
Software Verification Plan (SVP)
Software Requirements Specification (SRS)
Software Design Document (SDD)
Version Description Document (VDD)
Traceability Matrix
Software Development Folder
– Design reviews
– Code reviews
– Test reviews (7,500 tests)
– Functional tests (270,000 LOC)
– Coverage results (object level)
Tool Qualification Documentation
– Development and verification tools
Software Accomplishment Summary (SAS)
Software Vulnerability Analysis
(will be required by DO-178C)
2.2GB sealed DVD with more than 65,000 hyperlinked
files.
Production Testing/Result Implementation
and Test Definition Project Startup
DO-178C Cert Evidence Deliverables
7 © 2017 WIND RIVER. ALL RIGHTS RESERVED.
Design and methodology considerations
MULTI-CORE AND SYSTEM CERTIFICATION
8 © 2017 WIND RIVER. ALL RIGHTS RESERVED.
TODAY’S CHALLENGES
Reduce cost of development, deployment, and system maintenance
Robust standardized platforms with common skills, tools, and certification
System consolidation, A380-1000 – 10,000 sensors in each wing
Affordability
Cycle time is total time from beginning to end of the project
Projects start with a predicted technology readiness level
Reuse of software, test assets, and system simulation
Cycle Time Reduction
Conformance to safety, security, and industry standards across projects
Reduce regulatory pressures as market and capabilities expand
Regulatory Compliance
9 © 2017 WIND RIVER. ALL RIGHTS RESERVED.
FEDERATED VS. INTEGRATED MODULAR AVIONICS (IMA)
Federated Architecture
Advantages
Independence of design and certification
Well-understood methodology
Established supply chain
Challenges
Greater size, weight, and power (SWaP) requirements Each function associates with a separate LRU
Less software reuse
Less portability, less modularity
IMA
Advantages
Lower SWaP requirements – Multiple functions on a single LRU
Better software reuse
Better portability
Better modularity
Challenges
Greater complexity of system integration
Greater complexity of design and certification
Inexperienced supply chain
Flight
Control
Displays
ARINC 429, MIL-STD-1553B, ARINC 664
Mission
Systems
Flight
Control
Mission
Systems Displays
Multi-core IMA Platform
10 © 2017 WIND RIVER. ALL RIGHTS RESERVED.
DO-178C Failure Conditions
Failure Condition Level (% of Avionics SW*)
Catastrophic (May be total loss of life)
Level A (35%)
Hazardous/Severe (May be some loss of life)
Level B (30%)
Major (May be serious injuries)
Level C (20%)
Minor (May be minor injuries)
Level D (10%)
No Effect (No impact on passenger or
aircraft safety)
Level E (5%)
Process
Objectives
66
65
57
28
0
Code Coverage
Required
Level B + 100% of
conditions (MCDC)
Level C + 100% of
decisions
Level D + 100% of
lines
100% of
requirements
None
11 © 2017 WIND RIVER. ALL RIGHTS RESERVED.
TRADITIONAL INTEGRATED MODULAR AVIONICS SYSTEM
Safety Systems Are Mature
Multiple levels of criticality
Multiple cores for separation
Time and space partitioning
– ARINC 653 standard
Abstraction interface
– ARINC 653 APIs
– VxWorks APIs
– POSIX APIs
DO-178C certification
12 © 2017 WIND RIVER. ALL RIGHTS RESERVED.
MANAGING CONTENT
Managing contention between cores for shared resources
Application isolation and determinism
– Core Deactivation
– Multi-core Interference
– Error Handling
Figure 2. Benchmarks results for dual core operation with single memory controller
Figure 1. Benchmark results for single core operation
Figure 3. Benchmarks results for dual core operation with dual memory controller
13 © 2017 WIND RIVER. ALL RIGHTS RESERVED.
Multi-core System Issues
Contention makes it difficult to prove that timing constraints are met
Most SoCs uses hardware that is shared between cores
Designs and effects of sharing are often unavailable
Sharing effects may change as SoC microcode is updated
Addressing these issues can involve additional cert effort
Performance and certification costs depend on matching the choice of
strategies of the multicore hardware and the software application
14 © 2017 WIND RIVER. ALL RIGHTS RESERVED.
Certification Authorities Software Team -- CAST-32A (Multi-Core Processors)
FAA-published guidance on usage of multi-core processors in aviation
Available free on FAA website
Topics Applicable to Multi-Core Processors (MCP) in Safety-Critical Applications
– Sixteen objectives on MCP Determinism
– Six objectives for MCP Software
– Two objectives for MCP Error Handling
– CAST paper addresses only 2 cores at this time, but is largely applicable to more than 2 cores
– Wind River Verification Activities will support many objectives, but integrators will need to conduct additional activities to ensure compliance
Released
November 2016
CAST-32A Appendix has
mapping from CAST 32 to 32A
16 © 2017 WIND RIVER. ALL RIGHTS RESERVED.
The minimalist
“ Since this has been certified
before, why can’t we reuse
all the artifacts.
“ Anonymous
17 © 2017 WIND RIVER. ALL RIGHTS RESERVED.
Any new code, has to go through the process
All new features must adhere to the process
Defects can be found in any stage of the process
A code defect can end up modifying or adding requirements
A test case may not capture the requirement
Always keep an eye on safety in the process
Every DER is different, and will see different things
– They always find something
18 © 2017 WIND RIVER. ALL RIGHTS RESERVED.
The schedule hound
“ What can we cut to keep the
schedule? Lets minimize
the verification… We know it
works in other programs.
“
Anonymous
19 © 2017 WIND RIVER. ALL RIGHTS RESERVED.
Saving testing till the end
Continuous incremental testing is a key.
– Test for credit can be stored, but don’t wait to long.
Discovery of a failure near the end of a program can cause churn and possibly respin of a requirement.
Trackable
21 © 2017 WIND RIVER. ALL RIGHTS RESERVED.
Software Requirements
“ many of the problems
encountered in software
development come from
poorly defined system
requirements and architecture.
“
Leanna Rierson;
Author of Developing Safety Critical Software
22 © 2017 WIND RIVER. ALL RIGHTS RESERVED.
Spend time on requirements
Requirements must be unambiguous
Requirements should be short
Requirements should not overlap
Requirements should be testable
If the requirement is fuzzy, the code and hence the behavior will be to.
23 © 2017 WIND RIVER. ALL RIGHTS RESERVED.
Train your people
Establish a training curriculum
Train on a regular basis for newcomers
When a new DER is involved, they may find a common mistake, make sure to update the curriculum.
Enforce consistency through proper training
24 © 2017 WIND RIVER. ALL RIGHTS RESERVED.
Track your progress
Estimate how many requirements are needed
– Add additional requirements as needed.
Track them through the phases
– Draft
– In Review
– Reviewed
– Approved
25 © 2017 WIND RIVER. ALL RIGHTS RESERVED.
Modularize to Reduce Recert Costs
Decouple components
Isolate changes
– Implementation of a module
– Underlying physical transports
Promote reuse
© 2016 RTI 25
Operating System
DDS Middleware
UD
P
TC
P
Shm
em
Qs/p
orts
M
odule
Module
Module
Operating System
Transport &
Proximity
Assumption
(e.g., queues, ports,
shmem or TCP)
Application Code
Custom Logic for
IPC & Integration
26 © 2017 WIND RIVER. ALL RIGHTS RESERVED.
Use certified COTS components
Integrate certification evidence packages into your own project
Reduce project risk
Keep the schedule and budget
28 © 2017 WIND RIVER. ALL RIGHTS RESERVED.
MARKET DRIVERS
Safety and Security
Risk Reduction
Regulatory
Affordability
WHY WIND RIVER?
Reputation
Balance of features
Safety and Security
Certification Evidence
29 © 2017 WIND RIVER. ALL RIGHTS RESERVED.
VXWORKS 653 FOR IMA
Complies with industry specification ARINC 653 for integrated modular avionics (IMA)
ARINC 653 compliance with:
• ARINC 653 APEX APIs
• Time and space partitioning
• Inter- and intra-partition communications (IPC)
VxWorks 653
• 3-level health management system (error detection and reporting)
• COTS RTCA DO-178C DAL A certification evidence
• FACE operating system segment (OSS) conformance
• Independent supplier build for DO-297 support
• XML complier qualified as a development tool for robust XML configuration
• Support for ARINC 653, VxWorks, POSIX, Ada, Java, third-party API partition environments
• More …
Flight
Control Radar Graphics
Time and Space Partitioning
ARINC 653 Operating System
30 © 2017 WIND RIVER. ALL RIGHTS RESERVED.
VXWORKS 653 FOCUS
Safety first: Partitioning with MMU and hardware virtualization assist, deterministic software, strict communications
PARTITIONING
PORTABILITY
CERTIFICATION
STANDARDS
Portable, reusable software: From “simple” systems to complex systems and next-generation virtualized multi-core platforms
Commercial off-the-shelf (COTS) certification evidence to support rapid customer certification, reliability, and quality
Conformance with global avionics, and business safety standards
ARINC 653, POSIX, FACE, DO-178C, DO-297, more
31 © 2017 WIND RIVER. ALL RIGHTS RESERVED.
VXWORKS 653 COTS DO-178C CERTIFICATION AND FACE CONFORMANCE
COTS RTCA DO-178C DAL A Certification Evidence Available
32 © 2017 WIND RIVER. ALL RIGHTS RESERVED.
Fe
de
rate
d
2000 2017
VxWorks Cert
DO-178 Level A
IEC-61508 SIL 3
PowerPC
750
PowerPC
74xx
PowerPC
8245
VxWorks Cert
DO-178 Level B
Intel
Pentium III
VxWorks Cert
DO-178 Level A
IEC-61508 SIL 3
PowerPC
MPC8349E
PowerPC
MPC7447
Intel
Core 2 Duo*
* Denotes single core operation
VxWorks Cert
DO-178 Level A
IEC-61508 SIL 3
PowerPC
MPC8349E
PowerPC
MPC7447
Intel
Core 2 Duo*
Intel
Atom*
VxWorks 653
DO-178 Level A
PowerPC
750
PowerPC
74xx
VxWorks 653
DO-178 Level A
PowerPC
750GX
VxWorks 653
DO-178 Level A
PowerPC
MPC8349E
PowerPC
MPC8560
VxWorks 653
DO-178 Level A
PowerPC
MPC8641D*
PowerPC
MPC8270
VxWorks 653
DO-178 Level A
PowerPC
MPC8349E
PowerPC
750GX
VxWorks Cert
DO-178 Level A
IEC-61508 SIL 3
PowerPC
750GX
PowerPC
MPC8548 (e500v2)
PowerPC
8280
VxWorks 653
DO-178 Level A
PowerPC
P4080* (e500mc)
PowerPC
MPC8548 (e500v2)
VxWorks 653
DO-178 Level A
+ FACE
PowerPC
P4080* (e500mc)
VXWORKS RTOS CERTIFICATION HISTORY
VxWorks 653
Multi-core Edition
DO-178 Level A
PowerPC
T2080 (e6500)
33 © 2017 WIND RIVER. ALL RIGHTS RESERVED.
INTEGRATED MODULAR AVIONICS (IMA) WITH VXWORKS 653 MULTI-CORE EDITION
ARINC Ports
34 © 2017 WIND RIVER. ALL RIGHTS RESERVED.
Our heritage: More than 17 years of success in avionics
VxWorks Cert 5.4 released - Platform for
Safety Critical DO-178B 1.x, VxWorks 61508
Platform 2.x
2000
VxWorks 653 1.x release – including DO-178B
Certification Evidence Packages 2004
2005 VxWorks 653 2.x Evidence release for DO-
178B Certification
2007 VxWorks Cert 6.x release with DO-178B/C
Certification Evidence Packages
IEC61508 Certification Evidence Packages
2009 VxWorks 653 2.3VxWorks 653 3.0
Wind River DO-178B Network Stack
2014 VxWorks 653 3.0 Wind River DO-178B
Network Stack
Today Works 653 3.0 DO-178C DAL A Certification
Evidence Package
35 © 2017 WIND RIVER. ALL RIGHTS RESERVED.
WIND RIVER A&D LEADERSHIP
More than 600 global Aerospace & Defense customers
More than 500 certification projects served
Over 2 billion devices deployed
Leaders in the Aerospace & Defense industries
35 © 2017 Wind River. All Rights Reserved.
36 © 2017 WIND RIVER. ALL RIGHTS RESERVED.
SUMMARY
2 © 2017 WIND RIVER. ALL RIGHTS RESERVED.
The Certification Process
Multi-core and system certification
Common misconceptions and best practices
Where Wind River fits into the process: customer use case
38 © 2017 WIND RIVER. ALL RIGHTS RESERVED.
Multi-Core Certification: A systems approach
We cannot possibly fully verify the behavior of a complex SoC using only the low-level techniques of DO-178 or DO-254
– Economically and technically not viable
As the silicon designs shrink, exposure to SEU or transient errors increase
– More time and effort will need to be devoted to understanding the impact of soft errors
A systems-level approach would augment/replace some DO-xxx activities
– Relies more heavily on systems analysis and design techniques similar to that for aircraft and avionics-level certification
39 © 2017 WIND RIVER. ALL RIGHTS RESERVED.
Partitioning Requires Role-Based Development and Delivery
© 2010 Wind River. All Rights Reserved. 39
Engineering teams and processes are organized around three roles per DO-297
1. Platform Supplier
2. Application Supplier
3. System Integrator
Enabling:
• Independent configuration, build, link, and load processes for each role
• Engineering teams work independently, in parallel, asynchronously
• Components can be evaluated and re-evaluated independently
Brakes Partitioning
Kernel
Configuration
Vectors
Certification Hardware Platform
NS XML
Middle-
ware
(MW)
Network
Stack
(NS)
MW XML MM XML
Mission
Mgmt.
(MM)
Graphics
Display
Systems
(GD)
GD XML
Flight
Control
(FC)
FC XML
40 © 2017 WIND RIVER. ALL RIGHTS RESERVED.
Integrated Modular Avionics (IMA) with VxWorks 653
User
Mode
Kernel
Mode
ARINC 653
Partition OS
Flight Control
(FC)
Application
Level A
POSIX
Partition OS VxWorks
Partition OS
Ada/Java
Partition OS
Radar
Application
Level B
Graphics
Generator
Application
Level C
Display
Application
Level D
Supplier 1 Supplier 2 Supplier 3 Supplier 4
Hardware
VxWorks 653
Application Executive XML Configuration Data
Board Support
Package (BSP)
Architecture Support
Package (ASP)
41 © 2017 WIND RIVER. ALL RIGHTS RESERVED. 4
1
Independent software delivery / DO-297
User
Mode
Kernel
Mode
ARINC 653
Partition OS
Flight Control
(FC)
Application
Level A
POSIX
Partition OS VxWorks
Partition OS
Ada/Java
Partition OS
Radar
Application
Level B
Graphics
Generator
Application
Level C
Display
Application
Level D
Application
Suppliers
Platform
Supplier
Supplier 1 Supplier 2 Supplier 3 Supplier 4
Hardware
VxWorks 653
Application Executive XML Configuration Data
Board Support
Package (BSP)
Architecture Support
Package (ASP)
IMA System
Integrator
42 © 2017 WIND RIVER. ALL RIGHTS RESERVED.
VxWorks 653 3.x Multi-core Edition (MCE) Hypervisor
User
Mode
Kernel
Mode
ARINC 653
Guest OS
Flight Control
(FC)
Application
Level A
VxWorks
Guest OS Linux
Guest OS
Third Party
Guest OS
Radar
Application
Level B
Graphics
Generator
Application
Level C
Display
Application
Level D
Supplier 1 Supplier 2 Supplier 3 Supplier 4
Hardware
VxWorks 653
Multi-core Hypervisor XML Configuration Data
Board Support
Package (BSP)
Architecture Support
Package (ASP)