
Chapter 3. A Time Predictable Architecture

The Critical Real-Time Embedded Systems (CRTES) industry aims at increasing the number and complexity of system functions to keep its competitive edge, e.g. in the avionics [13] and automotive [14] domains. In order to support new sophisticated functionality, CRTES require levels of computing power higher than what currently used processors can supply. In this context, many-core¹ processors stand as the solution to cope with the performance demands and cost constraints of future CRTES. The use of many-cores in CRTES allows scheduling multiple applications onto the same processor, maximizing hardware utilization while meeting size, weight and power constraints. Furthermore, many-cores allow developers to exploit task-level parallelism and improve the performance of applications.

However, the use of many-cores in CRTES brings significant challenges. CRTES require evidence of the functional and timing correctness of all of their system components, which in the case of many-core processors is not trivial, especially in the timing domain, which is the focus of this thesis. Hence, despite the advantages of many-cores and the fact that they are nowadays a reality in the embedded systems domain (e.g. Tilera [18], Kalray MPPA [4]), their use in CRTES environments relies on finding efficient ways to deal with timing correctness issues.

A fundamental property of CRTES is incremental verification, which allows each system component to be subject to formal verification in isolation and independently from other components, with obvious benefits for cost, time and effort, reducing products' time to market. Current CRTES enable incremental verification by using standardized system software architectures, such as Integrated Modular Avionics (IMA) [23,27] in the avionics domain and AUTOSAR [46] in the automotive domain.

Both software architectures enable incremental verification by guaranteeing robust space and time partitioning, which makes the functional and timing behavior of each application unaffected by other applications. To do so, applications are encapsulated into Software Partitions (SWPs) as defined in the ARINC 653 avionics [23] and ISO 26262 automotive [29] standards. This thesis focuses on time partitioning and on facilitating the derivation of time-composable Worst-Case Execution Time (WCET) estimates for IMA and AUTOSAR applications (i.e. WCET estimates that are independent of the co-runners).

SWPs are devised for running on single-core platforms. Each SWP has a dedicated time window in which it enjoys exclusive access to processor resources (e.g., bus and memory). Unfortunately, when moving towards parallel execution on many-cores, SWPs do not provide the desired time isolation properties. The fact that several SWPs can simultaneously access shared processor resources creates interference among them, so the use of a dedicated time window per SWP fails to guarantee time isolation. This directly impacts certification cost, since whenever an SWP is added or changed the entire system needs to be re-validated. Therefore, providing isolation among applications is key to exploiting the performance opportunities of many-cores in CRTES while containing verification and certification costs.

Without loss of generality, this chapter focuses on the avionics domain, considering the communication and isolation mechanisms of IMA and ARINC 653, in order to facilitate the explanation of the proposed time predictable architecture. However, the same principles presented in this chapter apply to ISO 26262 and AUTOSAR. Section 3.2.3 describes the similarities between the avionics and automotive software frameworks.

¹ We use the term many-core for processors with at least 16 cores. The problems that this chapter addresses also arise, to a lesser extent, in multi-core processors.

This chapter comprises the conference paper [30]. It adheres to the thesis goals and objectives defined in Section 1.4 and makes the following contributions:

• We extend the concept of ARINC 653 SWPs and introduce the Parallel Software Partition (pSWP) in Section 3.4. We specify how interference among pSWPs in their accesses to hardware resources is controlled to enable incremental verification. pSWPs guarantee time and space partitioning, enable deriving time-composable WCET estimates and reduce integration-time effort (objectives O2 and O5).

• We propose the novel concept of the Guaranteed Resource Partition (GRP) in Section 3.5. A GRP defines an execution environment comprising a set of processor resources (cores, memory, etc.) in which an SWP runs, avoiding or bounding interference among applications (objectives O1 and O5).

• We evaluate and compare two many-core architectures supporting GRPs: one using a hierarchical (tree+bus) Network on Chip (NoC) in Section 3.5.2.1 and another featuring a mesh-based NoC (Section 3.5.2.2), as well as implementation aspects of the required memory controller (Section 3.5.2.3).

• We propose a compositional timing analysis that benefits from pSWPs and GRPs (Section 3.4.5 and Section 3.5.3) and reduces the pessimism in WCET estimates, while maintaining the required property of time-composability (objective O3).

Overall, the combined use of pSWPs and GRPs enables incremental verification in the time domain for IMA systems running on many-cores and allows the use of a compositional timing analysis that reduces the pessimism in WCET estimates. By doing so, it better exploits the performance benefits of many-cores in avionics systems.

We evaluate our proposal with a system comprising two real ARINC 653-compliant parallel avionics applications provided by Honeywell International (Section 2.2.1): 3D Path Planning (3DPP) and Stereo Navigation (StereoNav), in Section 3.6 (objective O4). We demonstrate that pSWPs and GRPs fully isolate intra-SWP activities among different SWPs, while inter-SWP effects are reduced to less than 1%. Furthermore, in Section 3.6.4 we show the benefits of folding several pSWPs into a single GRP and the flexibility of the mesh-based GRP implementation in improving overall system performance by up to 4.9x.