UST034
flight testing. A recorder function in the tool collects the traces and gives a ‘waterfall’ or cascade view of the tasks. However, this instrumentation introduces a delay in execution, so it is removed from the production code to ensure that all the timings are worst case.

Scheduler with hypervisor

Taking 3-4 million lines of source code through a certification process on one operating system is impractical. Instead, an RTOS and hypervisor allow a system to be partitioned into ‘mixed criticality’ systems. With this approach, a hypervisor of around 20,000 lines of code is loaded into each core, linking and controlling the access to the cores and the memory. This creates a partition that can allow virtual machines to run operating systems or ‘bare metal’ applications that run directly on the processor.

The deterministic real-time functions for certification are run on an RTOS running in a secure partition. These functions include decisions on direction, speed, distancing, detect & avoid, engine health and a fixed set of procedures in case of failure. Other functions, such as the cryptography and networking stacks, then run on a separate partition on a non-deterministic operating system such as Linux. These communicate via FIFO (first in, first out) queues in memory and message-passing protocols through virtual Ethernet. A separate virtual machine can be used to run other applications such as encryption directly on the processor core.

The key advantage is that once the system boots with the hypervisor, there is no administrator login that can reallocate a core away from the different functions or shift functions to a different part of memory.

For machine learning, the framework can run on Linux in its own virtual machine and then use some level of comms to the RTOS, whether for bare metal applications or higher level Ethernet protocols. However, the hypervisor layer is right on top of the hardware, which can be challenging with new processor architectures.
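The in-memory FIFO between the RTOS partition and the Linux partition described above, as an added example that is not code from the article, Sysgo or PikeOS: a bounded single-producer/single-consumer queue of fixed-size messages that never blocks, so the real-time side keeps a bounded worst-case execution time when the non-deterministic side falls behind. The names, the slot count and the 16-byte message size are assumptions.

```c
/* Added example, not from the article or PikeOS: a lock-free SPSC FIFO of
 * fixed-size messages in shared memory. Names and sizes are assumptions. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define MSG_BYTES 16            /* fixed message size: no dynamic allocation */
#define QUEUE_SLOTS 8           /* power of two, so index & (SLOTS-1) wraps */

typedef struct {
    uint8_t data[MSG_BYTES];
} msg_t;

typedef struct {
    msg_t slots[QUEUE_SLOTS];
    _Atomic size_t head;        /* written only by the consumer partition */
    _Atomic size_t tail;        /* written only by the producer partition */
} spsc_queue_t;

void spsc_init(spsc_queue_t *q) {
    atomic_init(&q->head, 0);
    atomic_init(&q->tail, 0);
}

/* Producer side. Returns false instead of blocking when the queue is full,
 * so the caller's worst-case execution time stays bounded. */
bool spsc_push(spsc_queue_t *q, const msg_t *m) {
    size_t tail = atomic_load_explicit(&q->tail, memory_order_relaxed);
    size_t head = atomic_load_explicit(&q->head, memory_order_acquire);
    if (tail - head == QUEUE_SLOTS)
        return false;                              /* full: report, do not wait */
    q->slots[tail & (QUEUE_SLOTS - 1)] = *m;       /* copy payload before publishing */
    atomic_store_explicit(&q->tail, tail + 1, memory_order_release);
    return true;
}

/* Consumer side. Returns false when empty; never spins or blocks. */
bool spsc_pop(spsc_queue_t *q, msg_t *out) {
    size_t head = atomic_load_explicit(&q->head, memory_order_relaxed);
    size_t tail = atomic_load_explicit(&q->tail, memory_order_acquire);
    if (head == tail)
        return false;                              /* empty */
    *out = q->slots[head & (QUEUE_SLOTS - 1)];     /* read payload before releasing slot */
    atomic_store_explicit(&q->head, head + 1, memory_order_release);
    return true;
}
```

The acquire/release pairing on head and tail is what makes the payload copy visible to the other core before the index update; with a write-back cache shared between partitions this ordering, not the FIFO logic, is the part that needs checking against the target's memory model.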
For example, there are automotive processors with split locking, where cores can be locked together on the same clock signal to ensure that functions are fully synchronised. This needs a more complex implementation of the hypervisor layer that sits on each core.

The hypervisor approach also opens up innovation around detecting system anomalies. The hypervisor is ideally placed to know whether anomalous activities are happening, such as access to memory or a core doing unexpected things. This can then be reported back to the RTOS for fault management or to an ML framework for preventative maintenance.

Hypervisor with multiple partitions

Another type of hypervisor supports multiple partitions. This allows developers to run multiple operating systems on top, with mission-critical code in one partition and code with lower safety requirements running in parallel.

The Certification Authorities Software Team (CAST), a group of certification and regulatory authority representatives from Europe and the US, has published a paper named CAST-32A, describing the conditions that would allow the use of multicore processors in airborne systems. It identifies major topics that could have an impact on system safety, and in most cases it has turned out that determinism is the key. The final conclusion of CAST-32A is that multicore processors can be used, but the scope is limited to a maximum of two active cores.

The most controversial aspect of CAST-32A is ‘Interference Channels and Resource Usage’. This leaves it up to the developer to identify the interference between applications, define the resource usage and evaluate the impact on the deterministic behaviour of the overall system. This is key for the operation of an RTOS with multiple cores, each with its own memory cache. The cache temporarily holds copies of content from the main memory, enabling the core to operate on data that is used frequently without having to use the relatively slow memory bus.
Low-level caches are usually dedicated to a certain core, but the higher-level caches are shared among the processor cores. As a result, if a shared cache is involved,

October/November 2020 | Unmanned Systems Technology

PikeOS has the same API across automotive and aerospace implementations (Courtesy of Sysgo)