Methods and Tools for the Temporal Analysis of Avionic Networks
The routing is statically defined. Only one end system within the avionics network can be the source of a given Virtual Link (i.e. mono-transmitter assumption). A VL v definition also includes the Bandwidth Allocation Gap (BAG(v)) and the minimum and maximum frame lengths (s_min(v) and s_max(v)). BAG(v) is the minimum delay between two consecutive frames of the associated VL (which actually defines a VL as a sporadic flow). Compliance with the VL parameters (BAG(v), s_max(v)) is ensured by a shaping unit at end system level and a traffic policing unit at each switch entry port (a specificity of AFDX switches, compared to standard Ethernet switches). The delay incurred by the switching fabric is upper bounded by a constant value, i.e. 16 μs.
A realistic AFDX configuration is presented and analyzed in section 7. It includes nearly one thousand VLs. The next paragraph characterizes the end-to-end delay of a VL transmitted on an AFDX network.
Characterization of the end-to-end delay of a VL
Let's consider a path px of a VL v. The end-to-end delay D(Fv, px) of a frame Fv transmitted on px is defined by 
where nbl(px) is the number of links in px.
• SD(Fv, px) is the delay in switches between input and output ports: in the context of this presentation, the delay in a switch from an input port to an output port is considered as a constant td, since the only available information about this delay is a guaranteed upper bound of 16 μs. Thus 
where ev is the source end system of Fv, Ψ_px is the set of switches in px, WD(Fv, px, ev) is the delay in the ev output buffer and WD(Fv, px, sk) is the delay in the sk output port buffer. Consequently, D(Fv, px) can be divided into a fixed part LD(Fv, px) + SD(Fv, px) and a variable part WD(Fv, px). The fixed part can be statically computed since it depends solely on the path px, the length of the frame Fv and the bandwidth of the links. The variable part depends on dynamic characteristics, such as the sequence of frames which are emitted by each VL (the length of each frame) and the offsets between the different VLs, i.e. the emission instant of the first frame of each VL, as shown by the following example.

Let's consider the AFDX configuration in figure 2. This configuration includes five unicast VLs v1 ... v5. The parameters of these VLs (their BAGs, frame sizes and paths) are given in table 1. The bandwidth of every link is 100 Mb/s (t_byte = 0.08 μs). Figure 3 exhibits three possible scenarios for the transmission of the frames of the five VLs v1 ... v5 on the network in figure 2. The switching delay td is assumed to be null. This means that SD(Fi, pi) = 0 for every frame Fi on every path pi. One single BAG of the three considered scenarios is depicted in figure 3. The analysis focuses on the end-to-end delay of the frame F1 of VL v1 (the path is p1 = e1-s1-s3-e6). When the length of F1 is s_max(v1) (i.e. 500 bytes), the transmission delay on the links LD(F1, p1) is 3 × (0.08 × 500) = 120 μs. When the length of F1 is s_min(v1) (i.e. 300 bytes), this transmission delay LD(F1, p1) is 3 × (0.08 × 300) = 72 μs. In figure 3, the frame Fi from VL vi is denoted i.
In scenario a, each VL vi emits a frame with the maximal length s_max(vi). The end-to-end delay of F1 is 160 μs. It includes the transmission on links (120 μs) and the waiting time in output port buffers (40 μs). Indeed, F1 waits for frame F2 in switch s1 and it waits for frame F3 in switch s3.
In scenario b, the frames are generated at the same instants as in scenario a, but the length of the frame F1 of VL v1 is now 300 bytes. The end-to-end delay of F1 is now 107 μs. It includes the transmissions on links (72 μs) and the waiting time in the output port buffer in switch s3 (35 μs). Scenarios a and b show that the length of a given frame can influence its waiting delay in output port buffers. In scenario c, v1, v2, v3 and v4 generate a frame with the maximal possible length (i.e. 500 bytes), while v5 does not generate a frame. The instants at which the frames from v1 and v2 are generated are swapped in comparison with the two previous scenarios, while these instants are not modified for v3 and v4. In this scenario c, the frame F1 of v1 does not wait in output port buffers. Consequently, its end-to-end delay is 120 μs, i.e. the transmission time on links. This scenario shows that, for a given VL, its offset to the other VLs and the emission or non-emission of frames by the other VLs influence its end-to-end delay.
The end-to-end delay analysis of a path p x of a VL v has to take into account all the possible scenarios. This analysis should determine the following characteristics of this end-to-end delay.
• The smallest possible value of the end-to-end delay, which corresponds to the scenarios where the VL v emits a frame with minimal length s_min(v) which never waits in output ports. This smallest possible value is denoted D_min(v, px) and it is computed from equations 1, 2 and 3: 
• The highest possible value of the end-to-end delay, which corresponds to the worst-case scenario. It is mandatory for the certification of the avionic network. In the general case, finding this worst-case scenario requires an exhaustive analysis of all the possible scenarios. Section 4 presents an approach which implements this exhaustive analysis. Such an exhaustive enumeration is impossible for any realistic configuration, since the number of possible scenarios is huge, due to the number of VLs (around 1000). An alternative solution is the computation of a safe upper bound of the end-to-end delay, based on a modelling of the configuration which overestimates the traffic and/or underestimates the service offered by the network (pessimistic assumptions). Sections 5 and 6 present two approaches which compute a pessimistic safe upper bound of the end-to-end delay of any VL of an industrial AFDX configuration.
• The distribution of the end-to-end delay between its smallest and its highest possible values. This distribution is valuable when prototyping the whole system. This distribution can be obtained thanks to a simulation approach which is summarized in section 3.

Figure 4 summarizes the characteristics of the end-to-end delay. This delay is always between a minimum and a maximum value. Most of the time, the exact maximum value cannot be computed and it is lower-bounded by the maximum observed value and upper-bounded by the computed safe upper bound.
The simulation approach for the distribution of end-to-end delays
A simulation scenario is characterized by the sequence of frames emitted by each VL and the offsets between the different VLs. It has been previously noted that a typical AFDX network includes around 1000 VLs. Clearly, this leads to a huge set of possible scenarios from which it is difficult to extract a representative subset. The resulting challenge is, for each VL path, to focus on the part of the network that is relevant for this path's end-to-end delay distribution in order to reduce the simulation space. This is a mandatory requirement for the simulation approach. It is fulfilled by means of the VLs taxonomy that is presented in the next section.
A taxonomy of VLs
The basic idea of the taxonomy is that, given a path px of a VL vx, the other VLs do not have the same level of influence on it. For example, a vx frame can wait for the end of transmission of another frame only if the latter shares at least one output port with px. The application of this idea is to focus the simulation on the VLs that influence the end-to-end delay distribution of vx frames. The taxonomy is illustrated considering the unicast VL vx in figure 5. Its path px is e3-s3-s4-e8. The paths or portions of paths of other VLs of this AFDX configuration can be divided into three classes, as depicted in figure 5.
[Figure 5. Legend: VL under study, direct influence, indirect influence, no influence.]
• Class DI (Direct Influence) contains all the paths that share at least one output buffer with px, truncated after the last output buffer shared with px. In figure 5, it contains the whole VL v7, path e1-s1-s4-e8 of v6 and sub-paths e3-s3 and e4-s3-s4 of v1 and v2 respectively.
• Class II (Indirect Influence) contains all the paths or portions of paths that share no output buffer with px, but at least one output buffer with a DI or an II path. In figure 5, sub-paths e1-s1 of v8, e2

Considering this VL classification, VLs in class NI clearly have no impact on the end-to-end delay of their associated path px. Thus, VLs in class NI will not be considered in the definition of a scenario for a px end-to-end delay analysis. For the network analyzed in figure 6, this leads to a drastic reduction of the simulation space for approximately 800 VL paths (each scenario includes less than 150 VLs instead of nearly 1000). Unfortunately, this reduction is quite poor for the 5600 remaining VL paths (each scenario includes an average of 800 VLs). In order to obtain a larger reduction of the simulation space, the VL classification has to be exploited more effectively. The main idea concerns VLs in class II. They could be ignored in the definition of a scenario for a px end-to-end delay analysis provided they have no influence on the px end-to-end delay distribution. The next section studies the effective influence of VLs in class II.
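The classification can be computed directly from the static routing table. The following Python sketch is an added example, not code from the chapter or its authors: the paths of vx and v6 and the first hops of v1, v2 and v8 follow the description of figure 5 above, while the remaining hops and the VLs va, vb, vc and vd are constructed for illustration. It assumes unicast paths, treats every VL that is neither DI nor II as NI, and does not classify the suffix of a DI path after it has left px.

```python
def output_buffers(path):
    """An output buffer is identified by the link (node, next node) it feeds."""
    return list(zip(path, path[1:]))


def cut_after_last_shared(path, shared):
    """Prefix of `path` up to the last output buffer found in `shared`, else None."""
    hits = [i for i, buf in enumerate(output_buffers(path)) if buf in shared]
    return path[: hits[-1] + 2] if hits else None


def classify(paths, target):
    """Map each VL other than `target` to (class, retained portion of its path)."""
    px_buffers = set(output_buffers(paths[target]))
    result = {}
    influence = set()  # output buffers crossed by DI and II portions

    # Class DI: shares at least one output buffer with px; truncated after
    # the last shared buffer.
    for vl, path in paths.items():
        if vl == target:
            continue
        portion = cut_after_last_shared(path, px_buffers)
        if portion:
            result[vl] = ("DI", portion)
            influence.update(output_buffers(portion))

    # Class II: no buffer shared with px, but at least one shared with a DI
    # or II portion. Iterate to a fixed point because II portions can chain.
    changed = True
    while changed:
        changed = False
        for vl, path in paths.items():
            if vl == target or result.get(vl, ("", None))[0] == "DI":
                continue
            portion = cut_after_last_shared(path, influence)
            if portion and result.get(vl) != ("II", portion):
                result[vl] = ("II", portion)
                influence.update(output_buffers(portion))
                changed = True

    # Assumption of this example: everything else has no influence (NI).
    for vl in paths:
        if vl != target:
            result.setdefault(vl, ("NI", None))
    return result


def simulated_vls(classes):
    """VLs kept in a simulation scenario once NI and II are left out."""
    return sorted(vl for vl, (cls, _) in classes.items() if cls == "DI")


# Partly constructed configuration (see the lead-in for what comes from figure 5).
PATHS = {
    "vx": ("e3", "s3", "s4", "e8"),
    "v1": ("e3", "s3", "s5", "e10"),
    "v2": ("e4", "s3", "s4", "e7"),
    "v6": ("e1", "s1", "s4", "e8"),
    "v8": ("e1", "s1", "s2", "e9"),
    "vd": ("e5", "s2", "s1", "e7"),        # constructed: II through vc only
    "vc": ("e2", "s2", "s1", "s4", "e7"),  # constructed: II through v6
    "va": ("e4", "s3", "s5", "e10"),       # constructed: II through v2
    "vb": ("e6", "s2", "s5", "e10"),       # constructed: NI
}

if __name__ == "__main__":
    classes = classify(PATHS, "vx")
    for vl in sorted(classes):
        print(vl, *classes[vl])
    print("simulate with vx:", simulated_vls(classes))
```

Note that vb stays in class NI although it shares the output buffer s5-e10 with v1 and va: that buffer lies after the point where those paths stop influencing vx, which is why the portions are truncated.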
Effective influence of VLs in class II
The influence of a VL in class II on px is illustrated with the example depicted in figure 7. It includes one switch s1, four end systems e1, ..., e4 and three VLs vx, v1 and v2. These three VLs have identical BAGs and frame lengths. Using the taxonomy presented in section 3.1, unicast VL vx is directly influenced by v1 (class DI) and indirectly influenced by v2 (class II). Depending on the scenario (phasings for vx, v1 and v2), v2 can have an influence on the vx end-to-end delay by modifying the v1 arrival time at the switch s1 output port. The three possible cases are illustrated in figure 8, considering three scenarios. For each of them, figure 8 shows the modification of the vx end-to-end delay due to v2 frames. For the three scenarios, v1 and v2 are ready for transmission simultaneously and each v2 frame is arbitrarily transmitted before the corresponding v1 frame. Thus, the non-transmission of a v2 frame advances the arrival time of the corresponding v1 frame at the switch s1 output port. In scenario a in figure 8, this leads to a shorter vx end-to-end delay because it allows the v1 frame to complete transmission on the s1-e3 link before the arrival of the vx frame at the s1 output port. Conversely, it leads to a longer vx end-to-end delay in scenario b, because the arrival order of the vx and v1 frames at the s1 output port is inverted and consequently, the vx frame has to wait. Finally, the non-transmission has no influence in scenario c, because the vx frame arrives before the v1 one in both cases and as a result never waits. Thus, depending on the application scenario, v2 frames can shorten, lengthen or have no influence on vx end-to-end delays. However, it remains to be seen if VLs in class II (e.g. v2) modify the end-to-end delay distribution of px, their associated VL path. In order to answer this question, every possible VL path must be examined.
The basic idea is to determine, for each VL path, the end-to-end delay distributions considering first, that VLs in class II are present, and second, that they are not present. The goal is to determine whether VLs in class II modify the end-to-end delay distributions (there is at least one VL path for which the two obtained distributions are different) or not (such a VL path does not exist). In the latter case, VLs in class II do not have to be taken into account when determining end-to-end delay distributions. End-to-end delay distributions are obtained using a simulation approach. The simulation process is detailed in [Scharbarg et al. (2009)]. It considers all the possible kinds of VLs of a typical industrial AFDX configuration. For each considered VL, it compares the distribution of end-to-end delays obtained, first when VLs in class II are transmitted, second when VLs in class II are not transmitted. The two obtained distributions are the same for all the tested VLs. Thus the conclusion is that VLs in class II do not have to be taken into consideration for the computation of the vx end-to-end delay distribution. The resulting reduced simulation space makes it possible to determine an experimental probabilistic upper bound for every VL path in a realistic network.

The simulation process considers a specific model for each VL path. Since an industrial network configuration includes more than 6000 paths, this leads to a heavy simulation process. A means of speeding up this process has been presented in [Scharbarg & Fraboul (2007); Scharbarg et al. (2009)]. It consists in building a simplified model for each VL path. Such a model is depicted in Figure 9. It corresponds to a VL path which crosses two switches. The set of components (switches and end systems) leading to each input port of a switch crossed by the path is modeled by one end system which emits all the VLs crossing this input port. It has been shown in [Scharbarg & Fraboul (2007); Scharbarg et al. (2009)] that this simplification does not modify the computed end-to-end delay distribution.

The simplified flow model allows the evaluation of end-to-end delays by queueing network simulation mechanisms. The obtained end-to-end delay distributions give important information for the designer about the real behavior of the applications sharing the AFDX network configuration. Moreover, it provides both an experimental upper bound as well as an estimation of the probability to exceed a given bound. These experimental upper bounds obtained by simulation are not safe, because simulation mechanisms are unable to efficiently take into account rare events. But safe upper bounds are needed for certification purposes. The next sections present different approaches which allow the computation of such safe upper bounds.
The model checking approach for computing exact worst-case delay
The proposed approach is based on a modeling in timed automata. Timed automata were first proposed in [Alur & Dill (1994)] in order to describe the behavior of systems with time.
This section first gives a brief overview of timed automata. Then, the modeling of the AFDX network is presented. Finally, the verification process which computes the exact end-to-end delay upper bound is described and applied to the sample configuration in Figure 2.
Overview of timed automata
A timed automaton is a finite automaton with a set of clocks, i.e. real and positive variables increasing uniformly with time. Transition labels can be:
updates, which assign new values to clocks.

The composition of timed automata is obtained by a synchronous product. Each action a executed by a first timed automaton corresponds to an action with the same name a executed in parallel by a second timed automaton. In other words, a transition which executes the action a can be fired only if another transition labeled a is possible. The two transitions are performed simultaneously. Thus communication uses the rendez-vous mechanism. Performing transitions requires no time. Conversely, time can run in nodes. Each node is labeled by an invariant, that is a boolean condition on clocks. The node occupation depends on this invariant: the node is occupied if the invariant is true.

Several extensions of timed automata have been proposed. One of these extensions is timed automata with shared integer variables. The principle consists in defining a set of integer variables which are shared by different timed automata. Consequently, the values of these variables can be consulted and updated by the different timed automata [Larsen et al. (1997); Burgueño Arjona (1998)].

A system modelled with timed automata can be verified using a reachability analysis which is performed by model-checking. It consists in encoding each property in terms of the reachability of a given node of one of the automata. So, a property is verified by the reachability of the associated node if and only if this node is reachable from an initial configuration. Reachability is decidable and algorithms exist [Larsen et al. (1997)]. In the general case, reachability analysis is undecidable on timed automata with shared integer variables. In the particular case where the shared variables are represented by nodes of a timed automaton, the reachability analysis is decidable. The approach considered in this paper is based on timed automata with shared integer variables which are represented by nodes of a timed automaton.
The modeling of the AFDX with timed automata is now presented.
The modeling of an AFDX network
The modeling of an AFDX network considers an automaton for each VL and an automaton for each output port of a switch. Figure 10 depicts the timed automaton of a VL with a BAG equal to period. This automaton sends a first message send_i (send0 in the example) delayed by a duration between 0 and period, and then sends periodically a new message send_i (the period is equal to the BAG of the VL, i.e. period). So, this automaton models a periodic VL with an offset between 0 and its BAG.

Figure 11 shows an example of an output port of a switch. Each node of the automaton models a location in the FIFO queue associated to the port. Consequently, the number of nodes of the automaton equals the size of the queue (3 in the example of Figure 11). Each transition from a node Position i to a node Position i+1 of the automaton models the arrival of one frame at the transmit port while each transition from a node Position i+1 to a node Position i models the end of the transmission from this port. The automaton of Figure 11 considers two flows (i.e. two VLs) received using signals send0 and send1 and transmitted using signals send4 and send5, corresponding respectively to send0 and send1. delay is the transmission time of the frame. In the considered example application, all the frames have the same length. pos1, pos2 and pos3 indicate the flows (0 or 1) corresponding to the frames waiting in each position of the queue.

The global system is obtained by composing the timed automata of the VLs and the output ports of the switches. For instance, the network in Figure 2 is composed of 5 VLs and 4 output ports. So, the model is composed of 9 timed automata, as depicted in Figure 12. As an example, VL v2 is modelled by the timed automaton v2, which sends signal send1. This is received by the timed automaton p1-1 which models the unique output port of the switch s1. v2 follows the path composed of signals send5 and send10.
The computation of the exact worst-case end-to-end delay
Using the test automaton method [Burgueño Arjona (1998); Bérard et al. (2001)], the worst-case end-to-end delay of each VL is obtained from the model previously described. The test automaton corresponding to the VL v1 is depicted in Figure 13. This automaton models the property "delay of v1 is less than bound". By receiving signal send0, it evolves to the node s2. It then waits for the signal send9 (transmission of v1 from the output port of the switch s3, see Figure 12). If this signal is not received before the delay of bound, the automaton evolves to the node reject. This behaviour corresponds to a scenario for which the transmission delay of v1 is greater than bound. So, the analysis consists in finding the lowest value of bound for which the node reject is reached. This value is the maximum end-to-end delay.
To verify the property, we use the model-checker UPPAAL. The calculation takes less than 1 s on a Linux station with a Pentium 4 processor and 2 GB of memory. The exact worst-case end-to-end delays obtained for each VL in Figure 2 are given in Table 2.
EWC end-to-end delays in μs
This approach exhibits the exact worst-case and it is valuable, since it helps to understand the worst-case behaviour of the network. However, it cannot be used for the certification of a realistic network (e.g. the AFDX of the A380), due to the well known combinatorial explosion problem. Therefore, methods which upper bound the end-to-end delay of each flow are used. 
AFDX worst-case delay analysis with Network Calculus
Network Calculus [Chang (2000); Le Boudec & Thiran (2001)] has been proposed for the computation of an upper bound for the delay and the jitter of a flow transmitted over a network. It can be used on a set of sporadic flows with no assumption concerning the arrival time of packets. The basic application of Network Calculus to the AFDX is presented in paragraph 5.1. The improvement of this basic approach in the context of AFDX is described in paragraph 5.2.
The basic Network Calculus approach for the AFDX
Network Calculus is mathematically based on the (min,+) dioid, for which the convolution ⊗ and the deconvolution are defined as follows:

The delay experienced by a flow R constrained by an arrival curve α in a node offering a service curve is bounded by the maximum horizontal difference between curves α and .
This difference is formally defined by:
Each VL of an AFDX network (a flow) is modeled by a leaky bucket r,b, with b = s_max(v) and
The burst b is the capacity of the bucket and the rate r is the leak rate.
Each output port of an AFDX switch offers a service curve R,T = R[t - T]⁺. T is the maximal technological latency of the switch, i.e. 16 μs. R is the servicing rate (100 Mb/s in our context) and [x]⁺ = max(0, x). Thus, in the context of this chapter, the service curve which is offered by each output port is 100,16. Figure 14(a) illustrates the delay h(α, ) experienced by a flow R constrained by an arrival curve α = r,b in an output port of an AFDX switch, provided R is the only flow crossing this output port. The VLs which compete for a given output port are merged into a single flow by summing their respective arrival curves. The overall computation is illustrated on the small example in Figure 2. Let's consider the VL v1. Its arrival curve in S1 is α1 = 1,4000, since
shares the output port of S1 with v2, whose arrival curve in S1 is α2 = 1,4000. Consequently, the overall arrival curve for the output port of switch S1 is α1 + α2 = 2,8000. As previously mentioned, the service curve of this port is 100,16. Thus, the delay in this output port is bounded by the maximum horizontal difference between 2,8000 and 100,16, which is 96 μs, as depicted in Figure 14.
Fig. 14. Curves for network calculus: (a) the maximum delay h(α, ); (b) output port of switch S1; (c) output curve after switch S1 or S2.
Then, the computation proceeds to switch S3 and it needs the input curves of v1, v3, v4 and v5 in S3. These input curves are the output curves of the VLs in their previous crossed output port, i.e. S1 for v1, S2 for v3 and v4, e5 for v5. In the general case, the output curve α´ of the flow is given by: α´ = α jitter . α is the input curve of the flow in the port, jitter is the maximum jitter encountered by the flow in the port and jitter is a guaranteed delay service
Graphically, this amounts to shifting the arrival curve α to the left by the duration of the jitter. The maximum jitter in an output port clearly corresponds to the maximum waiting time in the corresponding buffer. Coming back to v1, its maximum jitter when leaving S1 is 40 μs, i.e. the maximum waiting time in the output buffer of S1. Then, the input curve α´1 of v1 at S3 is obtained by shifting α1 by 40 μs to the left: α´1 = α1 40 = 1,4040. It is illustrated in Figure 14(c). Clearly, the input curves of v3, v4 and v5 at S3 are respectively 1,4040, 1,4040 and 1,4000. They lead to an overall arrival curve 4,16120 in the output port of S3. Then, the maximum delay for v1 in S3 is 177.2 μs, leading to a maximum end-to-end delay of 313.2 μs. It is composed of the transmission delay from e1 to S1 (40 μs) and the maximum delay computed for S1 and S3, i.e. 96 μs and 177.2 μs. Column BNC in Table 3 Table 3 show that, on this small configuration, the basic Network Calculus approach is pessimistic (more than 40 μs for nearly all the VLs). The next paragraph presents an improvement of the basic Network Calculus approach in the context of AFDX.
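The computation for v1 can be replayed in a few lines of Python. This is an added example, not the tool used by the authors: curves are written as (rate, burst) pairs in bits/μs and bits, the port contents are those quoted in the text for the configuration of Figure 2, and the jitter of a port is assumed to be its delay bound minus the technological latency and the frame's own transmission time, which reproduces the 40 μs used above.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class LeakyBucket:
    """Arrival curve: at most burst + rate * t bits in any window of t us."""
    rate: float   # bits per microsecond (1 bit/us = 1 Mb/s)
    burst: float  # bits

    def __add__(self, other):
        # Flows competing for a port are merged by summing their curves.
        return LeakyBucket(self.rate + other.rate, self.burst + other.burst)

    def shifted(self, jitter_us):
        # Shifting the curve left by the jitter enlarges the burst by rate * jitter.
        return LeakyBucket(self.rate, self.burst + self.rate * jitter_us)


@dataclass(frozen=True)
class RateLatency:
    """Service curve R * max(0, t - T)."""
    rate: float     # R, bits per microsecond
    latency: float  # T, microseconds


def delay_bound(arrival, service):
    """Maximum horizontal distance between a leaky bucket and a rate-latency curve."""
    if arrival.rate > service.rate:
        raise ValueError("port overloaded: the horizontal distance is unbounded")
    return service.latency + arrival.burst / service.rate


PORT = RateLatency(rate=100.0, latency=16.0)     # 100 Mb/s, 16 us
FRAME_BITS = 4000.0                              # s_max = 500 bytes
SOURCE = LeakyBucket(rate=1.0, burst=FRAME_BITS)  # curve 1,4000 of every VL
VLS = ("v1", "v2", "v3", "v4", "v5")
# Switch output ports in the order the flows cross them, as described in the text.
PORTS = (
    ("S1", ("v1", "v2")),
    ("S2", ("v3", "v4")),
    ("S3", ("v1", "v3", "v4", "v5")),
)


def analyse(ports=PORTS, service=PORT):
    """Return ({port: aggregate arrival curve}, {port: delay bound in us})."""
    curves = {vl: SOURCE for vl in VLS}
    aggregates, bounds = {}, {}
    for port, vls in ports:
        total = sum((curves[vl] for vl in vls), LeakyBucket(0.0, 0.0))
        bound = delay_bound(total, service)
        # Assumption of this example: jitter = maximum waiting time in the buffer.
        jitter = bound - service.latency - FRAME_BITS / service.rate
        for vl in vls:
            curves[vl] = curves[vl].shifted(jitter)  # input curve at the next port
        aggregates[port], bounds[port] = total, bound
    return aggregates, bounds


def end_to_end_bound(switch_ports, bounds, service=PORT):
    """Transmission on the source link plus the bound of each crossed switch port."""
    return FRAME_BITS / service.rate + sum(bounds[p] for p in switch_ports)


if __name__ == "__main__":
    aggregates, bounds = analyse()
    for port in ("S1", "S2", "S3"):
        print(port, aggregates[port], round(bounds[port], 1), "us")
    print("v1 end-to-end bound:", round(end_to_end_bound(("S1", "S3"), bounds), 1), "us")
```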
Optimizing the Network Calculus approach with grouping
The pessimism observed in Table 3 is partly due to the fact that the basic Network Calculus approach does not take into account the property that packets of different flows sharing a link cannot be transmitted at the same time on this link (they are serialized). Consequently, the burst considered in the overall input curves of the basic Network Calculus approach can never happen, as soon as at least two flows share the same link. This problem is different from the classical "pay burst only once" case described in [Le Boudec & Thiran (2001)]. Indeed, the objective of "pay burst only once" is to aggregate successive switches in order to give an optimized aggregated service curve. The aggregation of nodes is not possible in our case, since flows can join and leave a path at any switch of the network. On the example in Figure 2, the input curve of the output port of S3 shared by v1, v3, v4 and v5 is 4,16120. The maximum burst (16120 bits) corresponds to the case where four packets (one for each VL) arrive at the same time in the output port. This is definitely impossible, since v3 and v4 share the same link.

The grouping technique integrates this serialization. It proceeds in two steps. First, the overall arrival curve is computed for each link. It is the minimum between, on the one hand, the sum of the arrival curves of all the flows sharing the considered link and, on the other hand, the curve bounding the burst to the maximum burst among the curves of the different flows sharing the link and the rate to the rate of the link. This first step is illustrated in Figure 15
Column NCG in Table 3 gives the upper bounds computed with this technique on the example in Figure 2. Results are clearly improved, compared with the basic Network Calculus approach. A more recent approach, based on trajectories, has been proposed for the worst-case delay analysis of distributed systems. The next section shows how this approach can be applied and optimized in the context of the AFDX.
The main goal is to compare this new approach with the Network Calculus one.
AFDX worst-case delay analysis with the Trajectory approach
The Trajectory approach [Martin (2004); Martin & Minet (2006a); Migge (1999)] has been developed to get deterministic upper bounds on end-to-end response time in distributed systems. This approach considers a set of sporadic flows with no assumption concerning the arrival time of packets. The principle of the application of the Trajectory approach to the AFDX has been presented in [Bauer et al. (2009a)]. The improvement of the approach has been proposed in [Bauer et al. (2009b)]. Main features of the Trajectory approach applied to AFDX are summarized and illustrated in Sections 6.1 and 6.2. The proof of the optimization of the Trajectory approach computation is presented in Section 6.3.
The main features of the Trajectory approach
The approach developed for the analysis of the AFDX considers the results from [Martin & Minet (2006a)]. A distributed system is composed of a set of interconnected processing nodes. Each flow crossing this system follows a static path which is an ordered sequence of nodes. The Trajectory approach assumes, with regard to any flow τi following path Pi, that any flow j following path Pj, with Pj ≠ Pi and Pj ∩ Pi ≠ ∅, never visits a node of path Pi after having left this path.
Flows are scheduled with a FIFO algorithm in every visited node. Each flow τi has a minimum inter-arrival time between two consecutive packets at the ingress node, denoted Ti, a maximum release jitter at the ingress node denoted Ji, an end-to-end deadline Di that is the maximum end-to-end response time acceptable and a maximum processing time (t, t' ). An idle time t of level L is a time such that all packets with priority greater than or equal to L generated before t have been processed at time t. With FIFO scheduling, no packet from the busy period of level corresponding to the priority of m could have arrived after m on the considered node. The Trajectory approach considers a packet m from flow τi generated at time t. It identifies the busy period and the packets impacting its end-to-end delay on all the nodes visited by m (starting from the last visited node backward to the ingress node). This decomposition enables the computation of the latest starting time of m on its last node. This starting time can be computed recursively and leads to the worst-case end-to-end response time of the flow τi. This computation will be illustrated in the context of AFDX. The elements of the system considered in the Trajectory approach are instantiated in the following way in the context of AFDX:
• each node of the system corresponds to an AFDX switch output port, including the output link,
• each link of the system corresponds to the switching fabric,
• each flow corresponds to a VL path.
The assumptions of the Trajectory approach are verified by the AFDX (see Section 2.1). Indeed, switch output ports implement FIFO service discipline. The switching fabric delay is upper bounded by a constant value (16 μs), thus L = L_min = L_max = 16 μs. There are neither collisions nor packet loss on AFDX networks. The routing of the VLs is statically defined.
Illustration on a sample AFDX configuration
Let us consider the sample AFDX configuration depicted in Figure 2. Figure 16(a) shows an arbitrary scheduling of the packets, which are identified by their VL numbers (e.g. packet 3 is a packet from VL v3). The scheduling in Figure 16 Figure 16(a), we have f(e3) = 3, f(S2) = 4 and f(S3) = 1. As flows do not necessarily follow the same path in the network, it is possible that packet f(Ni) does not come from the same previous node Ni-1 as packet 3. This case occurs in node S2, where packet 4 comes from node e4. It also occurs in node S3, where packet 1 comes from node S1. Therefore, ) is defined as the first packet which is processed in bp_Ni and comes from node Ni-1. Considering the scheduling in Figure 16(a), we have p(e3) = 3 and p(S2) = 4. The starting time of packet 3 in node S3 is obtained by adding parts of the three busy periods bp_e3, bp_S2 and bp_S3 to the delays between the nodes, i.e. 2 × 16 μs. From [Martin & Minet (2006a)], the part of the busy period Figure 16(a), the parts which have to be considered are the transmission of packet 3 in node e3, the time elapsed between the arrival of packet 3 and the end of processing of packet 4 in node S2, the time elapsed between the arrival of packet 4 and the end of processing of packet 5 in node S3. These parts are shown by thick lines on top of the packets in Figure 16(a). The starting time of packet 3 in node S3 on the example in Figure 16(a) is 125 μs.
It has been shown [Martin & Minet (2006a) Figure 16(a) is illustrated in Figure 16(b). The arrival time of packet 4 at node S2 is postponed to the arrival time of packet 3 at node S2. In node S3, packets 1 and 5 have been postponed in order to arrive between packet 4 and 3. Then, the worst-case end-to-end delay of a packet is obtained by adding its latest starting time on its last visited node and its processing time in this last node. For packet 3 in Figure 16(b), this worst-case end-to-end delay is 232 + 40 = 272 μs. More precisely, this delay includes the transmission times of packet 3 on node e3, packet 4 on node S2 and packets 4, 1, 5 and 3 on node S3. On this example, it can be seen that packets 3 and 4 are counted twice. Actually, it has been shown [Martin & Minet (2006a)] that exactly one packet has to be counted twice in each node, except the slowest one. In the context of the AFDX, all the nodes work at the same speed. Thus, the slowest node is arbitrarily chosen as the last one. In the example in Figure 16(b), packets 3 and 4 are respectively counted twice in nodes e3 and S2. Packet 3 is the longest one transmitted in nodes e3 and S2, while packet 4 is the longest one transmitted in nodes S2 and S3.
In the context of an AFDX network, it is not always possible to find a scheduling which cancels the term 1 () 
The resulting worst-case scheduling is depicted in Figure 17. p(e5) is packet 5 and f(S3) is packet 3. From (10), we have 
Optimization of the Trajectory approach computation
The computation of the worst-case end-to-end delay of a packet of a flow τ i has been formalized in [Martin & Minet (2006a)]. In our context, all the nodes work at the same rate and the jitter in each emitting node is null. Thus, the worst-case end-to-end response time of any flow τ i is bounded by: 
Term (12) is the processing time, on one node, of the packets of the flow τ j which are transmitted in the same busy period as m.
Term (13) is the processing time of the longest packet for each node of path P i, except the last one. It represents the packets which have to be counted twice, as explained before.
Term (14) corresponds to the sum of the switching delays. Term (15) sums, for each node N h in P i, the duration between the beginning of the busy period and the arrival of the first packet coming from the preceding node in P i, i.e. N h-1.
This term is null in the context of [Martin & Minet (2006a)]. C i is subtracted, because Figure 18. This construction is a generalization of the Trajectory approach presented in [Martin & Minet (2006a) 
Analysis of a realistic configuration
The realistic AFDX network considered in this chapter is composed of two redundant networks [Charara, Scharbarg, Ermont & Fraboul (2006)]. Each network includes 123 end systems, 8 switches, 964 Virtual Links and 6412 VL paths (due to VL multicast characteristics). The left part of Table 4 gives the distribution of VLs among BAGs. It can be seen that BAGs are harmonic between 2 and 128. The right part of Table 4 gives the distribution of VLs among frame lengths, considering the maximum length s max. The majority of VLs use short frames.
The temporal analysis of this realistic configuration has been conducted. Table 6 summarizes the results obtained by the safe upper bound computation. As previously mentioned, the model checking approach cannot be applied to such large-scale configurations. Both the Network Calculus and the Trajectory approaches have been implemented using the Python programming language. Upper bounds of the end-to-end delays for each VL path of the realistic configuration have been computed with this tool. This computation takes less than two minutes for either approach on a Pentium 4 processor running at 2.8 GHz.
The end-to-end delay distributions have been computed for the VLs of the realistic configuration, thanks to a home-made tool implementing the simulation approach presented in Section 3. Table 7 gives the results obtained for five VL paths. Table 7 gives, for each VL path, the BAG, the minimum and the maximum frame sizes, the number of crossed switches (hops) and the load in each output port.
Table 7. Analysis of five typical VLs
Table 7 gives the lower and upper delays observed by simulation for each VL (columns Min and Simu) and the safe upper bounds computed by the network calculus and trajectory approaches (columns NC and Traj). For each VL, the lower delay observed by simulation corresponds to the minimum possible value of the delay. The delay distributions for vl 1 and vl 4 are depicted in Figures 19(a) and 19(b).
It appears that the delay distribution is close to the minimum possible value of the delay and far from the safe upper bound computed by either the network calculus or the trajectory approach. This is mainly due to the fact that the AFDX network is lightly loaded. Thus, the probability that several frames reach the same output port at the same time is very low.
Conclusion
This chapter gives an overview of the temporal analysis of switched Ethernet avionic networks. Today, three approaches exist for the computation of a safe upper bound of the end-to-end delay of each flow transmitted on the avionic network. The first approach is based on model checking and allows the computation of the exact worst-case delay of each flow, but it is limited to small configurations, due to the combinatorial explosion problem. The two other approaches are based on trajectories and network calculus and allow the computation of a safe upper bound of the end-to-end delay, which is most of the time larger than the exact worst case, due to the pessimistic assumptions made by the two approaches. Nevertheless, these two approaches can be applied to industrial configurations. The computation of a safe upper bound is complemented by the evaluation of the end-to-end delay distribution, thanks to a simulation approach.
The worst-case analysis approaches presented in this paper consider a set of sporadic flows with no assumption concerning the arrival time of packets. This does not take into account the scheduling of the flows which are emitted by the same component. This scheduling could be integrated in the modeling by means of assumptions on the relative arrival time of packets, as has been done in the automotive context [Grenier et al. (2008)]. The integration of this scheduling in the modeling of flows should distribute the transmission of packets over time and very likely reduce the waiting time of packets in output buffers. Moreover, the sporadic characteristic of avionics flows could be taken into account with the help of a probabilistic modeling, as has been proposed for the aperiodic traffic in the automotive context [Khan et al. (2009)]. This leads to a probabilistic analysis of the worst-case delay of flows. Such an analysis has been proposed [Scharbarg et al. (2009)], based on a stochastic Network Calculus approach [Vojnović & Le Boudec (2002; 2003)].
For future aircraft, the addition of other types of flows (audio, video, best-effort, . . .) on the AFDX network is envisioned. These different flows have different timing constraints and criticality levels. It is therefore necessary to differentiate them, and the FIFO policy on switch output ports is not suitable. Other service disciplines must be considered, such as static priority queueing or weighted fair queueing [Parekh & Gallager (1993)]. The introduction of static priority queueing in the stochastic Network Calculus approach has been presented in [Ridouard et al. (2008)]. The Trajectory approach is promising for handling heterogeneous flows needing QoS-aware servicing policies at switch level [Martin & Minet (2006a; ].
