Aircraft don't use multicores for the Level A parts. They are even afraid to use an RTOS for the very critical parts (which I think is a mistake).
The difference is very simple: about 100,000 people die in cars each year (even Europe has 35,000). Only 500 die in airplanes worldwide.
ASIL level D (the highest for automotive) is the second-highest level (SIL 3) as defined in IEC 61508. They dropped SIL 4 when defining ISO 26262. ASIL D is more or less supervised fault detection (OK, you could call it SIL 3.5). If a failure is detected, it moves the system to a so-called fail-safe state (like limiting the engine to 1000 rpm). How safe is that at high speed on the highway?
Granted, multicore is used for the lower levels (e.g. anything that is not really safety critical). And that's why the title is misleading. If the automotive industry applied the same process and rigor as avionics, then I would agree. But technology itself is not making cars safer. The main reason for using multicores is not safety, it's cost reduction. Of course, when you do this, partitioning is a must-have. But this is not aircraft specific. It is a standard safety-supporting technique. Add to that the complexity and the common-mode failure risk, and how much is safety really improved vs. using dedicated processors?
The whole idea is to NOT re-certify everything when an application (in this system called a partition) is changed. The middleware is certified independently from the partitions, and each partition is certified independently from the others. The idea is to permit several levels of safety on the same platform, thus reducing cost (and complexity) for the parts not requiring a high level of reliability. So, the over-design may be reduced.
Also, AUTOSAR has increased the complexity (and resources) needed from the platform. But it provided far greater advantages in flexibility, cost reduction, fault isolation, separation of concerns...
Multicore, multiprocessor and SoC designs are extremely complex and will become more and more unmanageable. But the desired functionality is also increasing. Something is still required to provide designers with high-performance resources and quality assurance, but also ease of use. Hypervisors are only a step in this direction. Not final, not perfect, but still useful and far more important than the added resource consumption.
And some hypervisors are still relatively simple. I suggest you look at ARINC 653 in avionics (the APEX part) or OKL4 for small devices. ARINC 653-based systems have been certified under DO-178 at Level A. Some have been certified EAL 7.
And, finally, yes, the processors are often limited by the memory. But this is a limitation the designers have to live with. Anyway, most of the highest-performance applications do not require a very high level of safety. For the highest-performance applications with a high level of safety requirements, the CPU-to-memory problem is not the most challenging (or first) problem. The data integrity in the complex multicore CPU architecture (CPU to cache, cache coherency...) will first have to be examined for security and safety. This is not trivial at all.
In avionics, the multicore problems and the GPU integration are not solved yet. Only workarounds have been used... with success.
Why is this called safer?
First of all, it greatly increases the complexity (and hence the risks), as the underlying partitioning hypervisor has to time-slice through the different applications. Change one application and one has to re-examine all. Not to forget that the chip has to run a lot faster than before.
Secondly, multicore promises a lot, like a higher density of CPUs at a lower cost, but memory accesses become more stochastic, not to speak of the common-mode failure. Of course, ASIL level D in automotive is still not fault tolerant (vs. DAL-A in avionics), so maybe this sector cares less?
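As an added example (not part of any comment in this thread), here is a small Python model of the time partitioning the two posts above describe: a fixed major frame, windows assigned to partitions, a partition that overruns its budget is simply cut off at the window boundary, and changing one partition's workload leaves the others' windows untouched (the property that lets a partition be re-examined on its own). Partition names, safety levels, window lengths and workloads are constructed for illustration. The model covers time isolation only; it deliberately ignores the cache and memory-bus interference that the posts point out is the real unsolved problem on multicore.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Partition:
    name: str
    level: str           # assigned safety level; informational only here
    work_per_frame: int  # CPU ticks the partition wants in every major frame


@dataclass
class Window:
    partition: str
    offset: int  # start tick within the major frame
    length: int  # ticks of exclusive CPU time


def validate_schedule(major_frame: int, windows: List[Window]) -> None:
    """Static check a partition-table tool would make at integration time.

    Windows must not overlap each other or spill past the major frame; the
    table is fixed before the system runs, never computed at runtime.
    """
    cursor = 0
    for w in sorted(windows, key=lambda w: w.offset):
        if w.length <= 0:
            raise ValueError(f"window for {w.partition!r} has non-positive length")
        if w.offset < cursor:
            raise ValueError(f"window for {w.partition!r} overlaps the previous window")
        cursor = w.offset + w.length
    if cursor > major_frame:
        raise ValueError("windows exceed the major frame")


def run_frames(major_frame: int, windows: List[Window],
               partitions: List[Partition], frames: int
               ) -> Tuple[Dict[str, int], List[Tuple[int, str, int]]]:
    """Simulate `frames` major frames of a static cyclic schedule.

    Returns (missed-frame count per partition, trace of (frame, partition,
    ticks actually used) per window). Simplifying assumption: each frame
    brings fresh demand, so unfinished work is counted as a missed frame
    rather than carried over.
    """
    validate_schedule(major_frame, windows)
    ordered = sorted(windows, key=lambda w: w.offset)
    missed = {p.name: 0 for p in partitions}
    demand = {p.name: p.work_per_frame for p in partitions}
    trace = []
    for frame in range(frames):
        remaining = dict(demand)
        for w in ordered:
            # Time isolation: a partition never runs outside its own window,
            # however much work it has left.
            used = min(w.length, remaining[w.partition])
            remaining[w.partition] -= used
            trace.append((frame, w.partition, used))
        for name, left in remaining.items():
            if left > 0:
                missed[name] += 1
    return missed, trace


def ticks_used_by(trace, name: str) -> List[int]:
    return [used for _, part, used in trace if part == name]


# Constructed configuration (hypothetical): a 20-tick major frame, a brake
# control partition given two 5-tick windows, an infotainment partition given 10.
MAJOR_FRAME = 20
WINDOWS = [Window("brake", 0, 5), Window("infotainment", 5, 10), Window("brake", 15, 5)]


def demo(infotainment_work: int = 14) -> Dict[str, int]:
    """Brake needs 8 ticks (fits); infotainment by default asks for more than its window."""
    parts = [Partition("brake", "ASIL D", 8),
             Partition("infotainment", "QM", infotainment_work)]
    missed, _ = run_frames(MAJOR_FRAME, WINDOWS, parts, frames=4)
    return missed


def brake_unaffected_by_infotainment_change() -> bool:
    """Changing only the infotainment workload leaves the brake trace identical."""
    parts_a = [Partition("brake", "ASIL D", 8), Partition("infotainment", "QM", 14)]
    parts_b = [Partition("brake", "ASIL D", 8), Partition("infotainment", "QM", 6)]
    _, trace_a = run_frames(MAJOR_FRAME, WINDOWS, parts_a, frames=4)
    _, trace_b = run_frames(MAJOR_FRAME, WINDOWS, parts_b, frames=4)
    return ticks_used_by(trace_a, "brake") == ticks_used_by(trace_b, "brake")


if __name__ == "__main__":
    print(demo())                                     # {'brake': 0, 'infotainment': 4}
    print(brake_unaffected_by_infotainment_change())  # True
```

The overrunning infotainment partition misses every frame, but the brake partition gets exactly its 5 + 5 ticks in every frame regardless, and its trace is identical whether infotainment asks for 6 or 14 ticks. That is the time-isolation guarantee the certification argument rests on; what the model does not show is the cross-core cache and memory contention that breaks the equivalent spatial/temporal assumptions on multicore hardware.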
Microkernels give us better stability and security. Now is the time to start research into using them in automotive applications, because a lot of electronic monitoring and control is being introduced in cars, especially in hybrid vehicles.
Many of the technologies that first start in defense then go to consumer or automotive applications. That's interesting about virtual operating systems within a single processor. I see that's a way to reduce the hardware usage. I think this perhaps would be an adequate way of taking advantage of multi-core technology. One core per OS?