Developing Future High Integrity Processing Solutions

Developing Future High Integrity Processing
Solutions
11/10/2022
Private | © 2022 Rolls-Royce | Not Subject
to Export Control
Dave Sanders Engineering Associate Fellow – Complex Electronic Hardware
The information in this document is
proprietary and confidential to Rolls-
Royce and is available to authorised
recipients only - copying and onward
distribution is prohibited other than
for the purpose for which it was made
available.
Rolls-Royce content only
1

Private | © 2022 Rolls-Royce
No Export License Required
Agenda
2
Industry Overview
0
1
0
2
Development Challenges
0
3
Future Developments

3
Processor History
MIPS = MillionInstructions per Second
2010 2016
VisiumCOREMCM (100MIPS)
21M flight hours
2006
GR5 MCM (40 MIPS)
137M flight hours
2000
Hi-Core (20 MIPS)
67M flight hours
68020 (5 MIPS)
1984
Zilog Z8002 (1 MIPS)
1995
1979
R7 (>500MIPS)
2021 Late
2020s
Apple A4 Apple A5 Apple A6 Apple A7 Apple A8 Apple A9 Apple
A10
Fusion
Apple
A11
Bionic
Apple
A12
Bionic
Apple
A13
Bionic
Apple
A14
Bionic
Apple
A15
Bionic
Apple
A16
Bionic
A new iPhone processor every year for the past 13 years!

4
Semiconductor Industry Trends
• In 2020 the Global Semiconductor industry
was over $400 billion
• By 2028 it is predicted that it will exceed
$800 billion
• Military and Aerospace currently accounts
for ~1%
• Moores Law is largely still being observed, however it is
predicted to come to an end in the early 2020’s.
• The gap between the Mil/Aero and cutting edge technology
is widening.
• Industry direction of travel does not necessarily align to
Military and Aerospace needs.

5
Atmospheric Radiation
"NASA Sun Earth" by NASA Goddard Photo and Video is licensed under CC BY 2.0.
Credit: NASA's Goddard Space Flight Center/SDO
• ~13 Neutrons per square centimetre per
hour at sea-level in NYC
• Nominally ~600x worse at 40,000 ft above
NYC
• Solar enhancement events increase by a
further 1000x
• Carrington Event (1859) Caused sparking
and fires in multiple telegraph stations
• Particles with sufficient energy can corrupt electronics
• This effect ranges from a temporary upset to permanent
damage
• As semiconductor geometries shrink the amount of energy
required to cause corruption decreases.

6
Operating Environment
Engine Mounted Electronics
• Service requirements
• Life 30 years 100,000 hrs operating
• Reliability 100,000 hours MTBCD
• Civil Engine environment
• Operating temperature -55°C to 90°C
• Vibration 1-20g, 5-2000Hz
• Humidity
• Fire & Overheat Resistance (1100°C for 5 minutes)
• EMC and Lightning Strike
• High power RF environments
• Lightning Strike
- Increased threat with use of composite
airframes
- 1500V/1500A
• In all cases must maintain safety & reliable control &
protection of Gas Turbine

7
Safety Criticality
Design Assurance
Level
ASIL equivalent Classification Effect
A None Catastrophic Failure may cause a crash due to loss of functions required to continue safe flight and landing, which will
lead to potential loss of life.
B D Hazardous Failure has a large negative impact on safety or performance, or reduces the ability of the crew to
operate the aircraft due to physical distress or a higher workload, or causes serious or fatal injuries
among the passengers. (Safety-significant)
C B or C Major Failure is significant, but has a lesser impact than a Hazardous failure (for example, leads to passenger
discomfort rather than injuries) or significantly increases crew workload.
D A Minor Failure is noticeable, but has a lesser impact than a Major failure (for example, causing passenger
inconvenience or a routine flight plan change)
E QM No Effect Failure has no impact on safety, aircraft operation, or crew workload
Hazards based on loaded
passenger van as opposed to the
greater hazard of a large aircraft
loaded with fuel and passengers

8
Determinism
• Determinism is adversely
affected by
• Multi-core processors (interference)
• Instruction/Data Caches (cache
misses)
• High watermark timing is
generally used
• Requires additional headroom in
performance
Core 0
Core 1
Core 2
Core 3
L2
Cache
L2
Cache
L1
Cache
L1
Cache
L1
Cache
L1
Cache
L3
Cache
Main
Memory
Transfer speed
FAST SLOW

9
Future Performance Requirements
• Ever-increasing processing requirements
• Future control systems, have an even greater reliance on control system intelligence.

10
Cybersecurity Features
• Cyber-security is now an
essential requirement for
safety-critical applications.
•

11
Robust
Development
Safety Critical Atmospheric
Radiation
Key Differentiators:
• In accordance with DO-
254 DAL A
• Full control and
ownership of the
detailed design enables
a certifiable cyber-
secure design
• Obsolescence managed
in order to provide
supply chain security
over the long term.
• Deterministic timing
and performance for
safety critical
applications
• Full military
temperature range for
operation in harsh
environments
• Immune to SEL
• Robust to SEU
• High integrity features
designed into the
processor
How will the R7 be
different to COTS
processors?

12
Current Development
Future Development
Planned Development
Development Roadmap
• 32bit out of order RISC-V processor
• Single precision FPU
• MPU
• Scalar Cryptography extension
• CHERI
• Post Quantum Cryptography
• 64-bit RISC-V processor
• Double precision FPU
• Multi-core processing
• Vector processing
• 32-bit in-order RISC-V processor
R7 Rx

Developing Future High Integrity Processing Solutions

More Related Content

Similar to Developing Future High Integrity Processing Solutions

More from AdaCore

Recently uploaded

Developing Future High Integrity Processing Solutions