Mezzanine Boards

Developing an Obsolescence-Proof XMC for Safety-Critical Applications

The time needed to safety certify rapidly changing commercial hardware can run up against end-of-life issues. Making the product certifiable based on its firmware can guard against obsolescence.


  • Page 1 of 1
    Bookmark and Share

One look at today’s video games proves that 3D graphics are becoming increasingly realistic. Beyond gaming applications, 3D graphics are becoming ubiquitous in a host of markets–consumer devices, industrial equipment and medical equipment. The reason for this transition from 2D to 3D is simple: 3D delivers enhanced realism, whether for entertainment purposes or life-saving technologies.

Unfortunately, 3D graphics have not yet become ubiquitous in safety-critical environments–despite the fact that such graphics could provide a significant increase in performance and realism. At the center of this roadblock is that safety-critical environments have strict testing and validation requirements for both software (DO-178) and hardware (DO-254). These certifications specify both how one tests for errors in a system, as well as how a system compensates for any prospective errors to ensure continual rendering and performance. But one side effect of these strict validation requirements is that certifying a system for use in a safety-critical environment is a lengthy and expensive proposition. Two contributing factors to these increased costs–that all subsystems within a safety-critical environment must provide a long product lifetime and that these products must be ruggedized in order to withstand the harsh environments where these products are most often used–can be addressed by changing the way that graphic processing units (GPUs) are developed and deployed for the safety-critical market.

Figure 1 illustrates one such application for the safety-critical market that is insufficiently met by today’s deployable systems. The need, then, is for an obsolescence-proof GPU, one that makes use of an FPGA-based video and graphics processing core instead of the traditional approach of using dedicated GPU ASICs.

The very nature of the 3D graphics industry is in opposition to the needs of the safety-critical market. Historically, the next-generation 3D graphics ASIC is usually only 6-12 months away. What this enables for the gaming market–frequent improvements in performance–is counter to safety-critical applications. GPUs have typically had a lifecycle of a matter of years before becoming obsolete. When the application is a gaming console, a new GPU can mean the release of a new product.

But the needs of the safety-critical market are long product lifetimes and ruggedness. A real-time video processing system in a commercial aircraft, flight-certified helicopter radar, or a real-time map system (Figure 2) are all required to be designed for deployment for a decade or longer. With GPUs becoming obsolete in a matter of years, engineers in this market have been faced with a dilemma: to either forgo the benefits of 3D in a safety-critical application, or to develop a workaround that enables them to obtain a hardware waiver based on a statistical time test. They then must purchase enough material upfront to ensure availability over the projected lifetime of the product. This process, however, is a workaround that, while technically in compliance with the letter of DO-178B, fails to independently certify actual compliance. Thus, products that leverage GPUs with this waiver are fundamentally unproven–with people effectively looking the other way for lack of a better solution. The 3D graphic ASIC development cycle is not going to change, so the safety-critical market needs to resolve its obsolescence and certification issues by leveraging existing technologies in new ways.

The Fully Certifiable, Obsolescence-Proof XMC GPU

Instead of trying to obtain DO-178B and DO-254 waivers for an older generation of commercial GPUs, the goal is to develop a GPU that specifically meets the requirements of the safety-critical market. This new GPU would be easily certifiable to DO-178B and DO-254, avoid having to customize XMC Mezzanine Cards based on commercial GPU reference designs, avoid rewriting commercial drivers, and be developed specifically to address the environmental issues facing safety-critical deployments. By eschewing the traditional approach to a GPU, we can design a GPU from the ground up–with the needs of the safety-critical market in mind.

Objective number one is to pursue a rapid development process to get to market as quickly as possible. If we leverage an FPGA with an internal PowerPC core as the primary development platform, the FPGA will allow for rapid prototyping of the GPU blocks, with the ability to move to an ASIC after development is complete. The PowerPC core’s ability to run a full Linux kernel will allow for an easy and familiar development and debugging environment, thus helping to accelerate the development process. When moving to full DO-178B certification, Linux is easily removed and replaced with a simple executive that runs the same code developed under the Linux kernel.

Objective number two is to select hardware and software platforms that are geared toward the needs of the safety-critical market. This was a primary consideration at Quantum3D during the development of Sentiris AV1, our newest XMC (see sidebar “Sentiris AV1: Toward an Obsolescence-Proof GPU”). In looking at the feature set needed for a safety-critical GPU, we realized that the determinism of the OpenGL SC API far outweighed some of the non-deterministic advanced rendering features available in OpenGL ES or OpenGL 2.x found in many of the commodity GPUs. For DO-178B certifiability, we leveraged an existing OpenGL SC software rendering engine that already had artifacts leading to DO-178B certification. Then, we built up the hardware on a DO-254 XMC Mezzanine Card with the ruggedness needed for harsh safety-critical and military embedded environments. This approach allows for an entirely new type of GPU to be crafted–one that is based on a known DO-178B software renderer with a ground-up hardware design that meets the rigors of the safety-critical market.

Within the safety-critical and military embedded environment, there is no de facto standard for operating system or hardware platform. Understanding that the market is fractured and wanting to address as much of it as we can, the next goal is to design the system in such a way as to make it easy to port to new systems. Moving much of the complexity of a typical device driver from the host into the PowerPC core makes it possible to deliver a small, lightweight and portable device driver. This ensures operating system independence, thus enabling the capability to easily port to and support the various real-time operating systems that are required in the safety-critical and military embedded markets.

Typical operations, such as register setup for various operating states, are fully implemented in the on-chip PowerPC processor. This shifts the common paradigm of communication between the host and XMC from a register-centric view to a command-centric view where the host driver issues a command and the PowerPC executes the command with the knowledge of the appropriate registers to set. This means that, since the registers do not need to be mapped through the host hardware or exported to the host device driver, porting to new systems is radically simplified and provides for the wide range of hardware and operating systems common in this marketplace.

Finally, it is important to consider the easiest path to DO-178B software certification. For Sentiris AV1, Quantum3D leverages an OpenGL SC rendering engine that is based on our company’s IGL 178DO-178B certifiable renderer. This approach gives the flexibility to start with a pure software renderer and move the rendering pipeline into hardware as the project develops. The OpenGL SC engine takes the same philosophy as the rest of the system, with the host driver being as simple as possible. The host driver is only responsible for tokenizing the OpenGL SC commands and sending those commands as payload packets to the core OpenGL SC engine in the XMC hardware.

A New Set of Applications

Engineering an obsolescence-proof GPU for the safety-critical market requires a revolutionary approach. To meet the long-life and ruggedness requirements of this market, it is necessary to buck the trends that have defined GPU development to this point in time.

The benefits of such an approach are equally revolutionary. Because it is the code that is being certified–and because such code can be updated or put on subsequent generations of FPGAs without losing its certification–the safety-critical market will for the first time have a GPU that is legitimately certified, does not obsolete with EOL’d products, and is designed to meet the rugged requirements of the military/embedded applications for which safety-critical is so common.

San Jose, CA.
(408) 361-9999.