Abstract-AFDX (Avionics Full DupleX Switched Ethernet, ARINC 664) developed for the Airbus A380 represents a major upgrade in both bandwidth and capability. Its reliance on Ethernet technology helps to lower some implementation costs, but guaranteed service presents challenges for system designers.
I. INTRODUCTION
T HANKS to the Integrated Modular Avionics concept [1] , [2] , functions developed for civilian aircraft share computation resources. However, the continual growing number of these functions implies a huge increase in the quantity of data exchanged and thus in the number of connections between functions. Consequently, traditional ARINC 429 buses [3] cannot cope with the communication needs of modern aircraft. Indeed, ARINC 429 is a single-emitter bus with limited bandwidth and a huge number of buses would be required. Clearly, this is unacceptable in terms of weight and complexity.
In order to cope with this problem, the AFDX (Avionics Full DupleX Switched Ethernet) [4] - [6] was defined and has become the reference communication technology in the context of avionics. AFDX is a full duplex switched Ethernet network to which new mechanisms have been added in order to guarantee the determinism of avionic communications. This determinism has to be proved for certification reasons and an important challenge is to demonstrate that an upper bound can be determined for end-to-end communication delays.
An important assumption is that all the avionics communication needs can be statically described: asynchronous multicast communication flows are identified and quantified. All these flows can be statically mapped on the network of AFDX switches. For a given flow, the end-to-end communication delay of a frame can be described as the sum of transmission delays on links and latencies in switches. Thanks to full duplex links characteristics, no collision can occur on links [12] and transmission delays on links depend solely on bandwidth and frame length. But, as confluent asynchronous flows compete, on each switch output port (according to a servicing policy), highly variable latencies can occur when a frame crosses a switch. Thus it is necessary to analyze these latencies in order to determine the upper bounds on end-to-end communication delays for each flow.
The first step, mainly for avionic network certification purpose, was to use the deterministic network calculus theory in order to compute a worst-case upper bound for each communication flow of the avionic applications on an industrial AFDX network configuration [10] . This worst-case communication delay analysis allowed the comparison between the computed upper bounds and the constraints on the communication delays of each flow. Moreover it allowed the scaling of the switches memory buffers in order to avoid buffer overflow and frame losses. But such a worst case communication analysis is obviously pessimistic. Indeed, communication delays measured on a real configuration are much lower than the computed upper bound. This is mainly due to the fact that network calculus theory makes pessimistic assumptions on simultaneously arriving flows. It is also due to the fact that rare events are difficult to observe on a real configuration in a reasonable time.
In order to better understand the real behavior of the AFDX network, a simulation model of the network is proposed as a second step. Such a simulation approach allows the calculation, on the modeled network, of the end-to-end delay for each flow, according to a representative subset of possible scenarios. Thus an end-to-end delay distribution can be obtained for each flow, leading to a better understanding of communication delays. However such an approach cannot be used for certification needs as rare events can be missed by simulation.
In a third step, stochastic network calculus theory is proposed to compute a probabilistic upper bound. This theory allows the computation of the probability p for an end to end delay to exceed a given bound. This probability p can be interpreted as the acceptable probability that a frame misses its deadline. Such a result could be useful for new certification needs as many avionic functions are designed to give accurate results even if they miss some frames. This paper focuses on the probabilistic analysis of end-to-end delays on an avionics AFDX network. It considers both the simulation and the stochastic network calculus approaches. It shows how these two approaches are applied in an industrial application context. The paper is organized as follows. Section II details the main objectives of the study. Section III presents the simulation approach. Specifically, it shows how the simulation space can be drastically reduced by focusing on the part of the network which influences the end-to-end delay of a given flow. Section IV presents the stochastic network calculus approach. Examples of end-to-end delay analysis on an industrial network are presented in Section V. Section VI concludes and indicates directions for future research.
II. MAIN OBJECTIVES OF THE STUDY
This section presents the main challenges of applying a probabilistic analysis of end-to-end delays on an avionics switched Ethernet network, the characteristics of which are briefly summarized. Two complementary approaches are introduced, i.e., a simulation approach and a stochastic network calculus one.
A. Industrial AFDX Network Context
The AFDX is a switched Ethernet network taking into account avionic constraints. Fig. 1 depicts an illustrative example. It is composed of five interconnected switches to . There are no buffers on input ports and there is one FIFO buffer for each output port. The inputs and outputs of the network are called end systems ( to in Fig. 1 ). Each end system is connected to exactly one switch port and each switch port is connected to at most one end system. Links between switches are all full duplex.
The end-to-end traffic characterization is made by the definition of virtual links (VLs). As standardized by ARINC-664, VL is a concept of virtual communication channels. Thus it is possible to statically define the flows which enter the network [6] .
End systems exchange Ethernet frames through VLs. Switching a frame from a transmitting to a receiving end system is based on a VL. The Virtual Link defines a logical unidirectional connection from one source end system to one or more destination end systems. Coming back to the example in Fig. 1 , is a unicast VL with path , while is a multicast VL with paths and . The routing of each VL is statically defined. Only one end system within the avionic network can be the source for each Virtual Link, (i.e., Mono Transmitter assumption). A VL definition also includes the Bandwidth Allocation Gap (BAG) and the minimum and the maximum frame lengths ( and ). BAG is the minimum delay between two consecutive frames of the associated VL (which actually defines a VL as a sporadic flow).
The parameters of each VL (BAG, ) are assured by a shaping unit added on the corresponding emitting end system and a policing unit added on the first switch input port crossed by the VL (it is the only specificity of AFDX switches, compared with standard Ethernet switches).
Typically, an industrial AFDX network includes more than one hundred end systems and two redundant AFDX subnetworks, each composed of eight switches. Nearly 1000 VLs are transmitted on each subnetwork, corresponding to more than 6000 paths due to the multicast characteristic of VLs.
B. Modeling and Simulation Approach
The goal of the simulation approach is to approximate real network behavior. This approach needs a realistic model of the network and calculates the end-to-end delay of a given flow on a subset of all possible scenarios. Thus, the end-to-end delay distribution of that flow can be obtained, provided the considered subset is representative of all possible scenarios.
Section III-A shows that an industrial network leads to a huge number of possible scenarios. Consequently, finding a representative subset of scenarios in order to calculate the end-to-end delay distribution of a given flow is not easy. The key idea proposed in this paper is to model only the elements of the network configuration (VLs, output ports, links) which have an influence on the end-to-end delay distribution of the flow. These elements constitute the part of the network which is relevant to the flow.
C. Stochastic Network Calculus Approach
As mentioned in the introduction, certification is mandatory in the context of avionics. This cannot be obtained without a safe probabilistic upper bound on the end-to-end delay of each flow. An exact stochastic analysis of an industrial avionic network is unaffordable, due to the number of VLs of such a network configuration. One way to solve this problem is to use a pessimistic stochastic analysis which is a safe approximation of the exact stochastic analysis. This concept of pessimistic analysis is introduced in [15] . The pessimistic analysis is a safe approximation in the sense that the probability of exceeding the end-to-end delay bound it provides is guaranteed to be greater than the exact one. In other words, the calculated upper bound associated with a given probability is guaranteed to be greater than the exact upper bound.
The simulation approach presented in the previous section gives an approximation of the end-to-end delay distribution which leads to an experimental upper bound on end-to-end delays. This upper bound can be either optimistic or pessimistic. Thus, this experimental upper bound is not safe and this approach cannot be used for certification in the context of avionics.
The stochastic network calculus approach is based on the same modeling assumptions as the simulation approach. It can analytically determine a probabilistic upper bound on the end-to-end delay of a given flow mapped on a given network, provided a set of properties are verified. This approach is a pessimistic analysis, since it is based on pessimistic assumptions. Consequently, the stochastic network calculus approach could be a good candidate for new certification needs. In Section IV the required properties of the stochastic network calculus are verified in the context of an AFDX configuration.
III. END-TO-END DELAY ANALYSIS THROUGH
A SIMULATION APPROACH Before presenting the simulation approach, an overview is given on the different parts of a frame end-to-end delay on an AFDX network.
Let us consider a VL path . The end-to-end delay of a frame transmitted on is defined by where • is the transmission delay over the links: thanks to the full duplex characteristic of AFDX, there are no collisions on the links. Thus, the transmission delay over a link is where is the link bandwidth and is length. Therefore, considering that all the links have the same bandwidth where is the number of links in .
• is the delay in switches between input and output ports: in the context of this paper, the delay in a switch from an input port to an output port is considered as a constant , since the only available information about this delay is a guaranteed upper bound of 16 s. Thus where is the number of switches in .
• is the delay in switches and end system output buffers: this delay highly depends on each output port load at the time where reaches it, as will be illustrated in Section III-A. Thus where is source end system, is the set of switches in is the delay in output buffer and is the delay in output port buffer. Consequently, can be divided into a fixed part and a variable part . The fixed part can be statically computed since it depends solely on the path length and links bandwidth. The variable part depends on the scenario that is defined in the next section.
A. Simulation Scenario Parameters
A simulation scenario is defined by considering, on the one hand, the VL characteristics and, on the other hand, the interferences between VLs. As presented in Section II, a VL is defined by the minimum delay between the emission of two consecutive frames (the BAG) and the minimum and the maximum frame lengths and . A VL transmits a given set of application data . At the beginning of each BAG, a subset of that application data is ready for transmission. This subset can be or a predefined non-empty part of . If is ready, no frame is transmitted. defines while the smallest predefined non-empty part of defines . Thus, at the beginning of each BAG, each VL transmits either no frame or a frame with a length between and . Therefore, the delay between two consecutive frames of a VL is a multiple of its BAG (a VL is a periodic flow with holes). An example of frame emissions for a VL is depicted in Fig. 2 . In this example, there are four possible frame lengths: 0 bytes , 200 bytes , 300 bytes, and 500 bytes . VLs interfere with each other in end systems and switch output port buffers since they share communication links. Obviously, if several frames arrive at the same time at a switch output port, most of them will have to wait to be transmitted. Conversely, if frames arrive at sufficiently spaced intervals at the same output port, all of them will be transmitted immediately. The arrival time of a frame at an output port mainly depends on its emission by the corresponding VL source end system. Thus, interferences between VLs frames are a function of their emission times (the phasing between VLs). Let us consider the example in Fig. 3 , where the link is shared by VLs and . Fig. 4 depicts frame transmissions for two possible phasings of and . With phasing has to wait for the end of transmission of frame while it does not have to wait with phasing . Moreover, if transmits no frame during a given BAG (because it has no data to transmit), the corresponding frame will not wait, whatever phasing is considered.
In short, the following parameters define a scenario:
• the sequence of frames emitted by each VL, i.e., BAG occupation and frame lengths;
• the phasing between VLs, i.e., the first frame emission time for each VL. Any phasing is possible, since avionic functions are asynchronous. It has been previously noted that a typical AFDX network includes approximately 1000 VLs. Clearly, this leads to a huge set of possible scenarios from which it is difficult to extract a representative subset. The resulting challenge is, for each VL path, to focus on the part of the network that is relevant for this path's end-to-end delay distribution in order to reduce the simulation space. This is a mandatory requirement for the simulation approach. It is fulfilled by means of the VLs taxonomy that is presented in the next section.
B. Taxonomy of VLs
The basic idea of the taxonomy is that, given a path of a VL , the other VLs do not have the same level of influence on it. For example, a frame can wait for the end of transmission of another frame only if the latter shares at least one output port with . The application of this idea is to focus the simulation on the VLs that influence the end-to-end delay distribution of frames.
The taxonomy is illustrated considering the unicast VL in Fig. 1 . Its path is . The paths or portions of paths of other VLs of this AFDX configuration can be divided into three classes [11] , as depicted in Fig. 5 .
• Class (Direct Influence) contains all the paths that share at least one output buffer with , truncated after the last output buffer shared with . In Fig. 5 , it contains the whole VL , path of and subpaths and of and , respectively. • Class (Indirect Influence) contains all the paths or portions of paths that share no output buffer with , but at least one output buffer with a or an path. In and VLs, respectively.
Considering this VL classification, VLs in class clearly have no impact on the end to end delay of their associated path . Thus, VLs in class will not be considered in the definition of a scenario for a end-to-end delay analysis. For the network analyzed in Fig. 6 , this leads to a drastic reduction of the simulation space for approximately 800 VLs paths (each scenario includes less than 150 VLs instead of nearby 1000). Unfortunately, this reduction is quite poor for the 5600 remaining VLs paths (each scenario includes an average of 800 Vls). In order to obtain a larger reduction of the simulation space, the VL classification has to be exploited more effectively. The main idea concerns VLs in class . They could be ignored in the definition of a scenario for a end-to-end delay analysis provided they have no influence on end-to-end delay distribution. The next section studies the effective influence of VLs in class .
C. Effective Influence of VLs in Class
The influence of a VL in class on is illustrated the example depicted in Fig. 7 . It includes one switch , four end systems and three VLs and . These three VLs have identical BAGs and frame lengths. Using the taxonomy presented in Section III-B, unicast VL is directly influenced by (class ) and indirectly influenced by (class ). Depending on the scenario (phasings for , and ), can have an influence on the end-to-end delay by modifying the arrival time at the switch output port. The three possible cases are illustrated in Fig. 8 , considering three scenarios. For each of them, Fig. 8 shows the modification of the end-to-end delay due to frames. For the three scenarios, and are ready for transmission simultaneously and each frame is arbitrarily transmitted before the corresponding frame. Thus, the nontransmission of a frame advances the arrival time of the corresponding frame at the switch output port. In scenario in Fig. 8 , this leads to a shorter end-to-end delay because it allows the frame to complete transmission on the link before the arrival of the frame at the output port. Conversely, it leads to a longer end-to-end delay in scenario , because the arrival order of the and frames at the output port is inverted and consequently, the frame has to wait. Finally, the nontransmission has no influence in scenario , because the frame arrives before the one in both cases and as a result never waits.
Thus, depending on the application scenario, frames can shorten, lengthen or have no influence on end-to-end delays. However, it remains to be seen if VLs in class (e.g., ) modify the end-to-end delay distribution of , their associated VL path.
In order to answer this question, every possible VL path must be examined. The basic idea is to determine, for each VL path, the end-to-end delay distributions considering first, that VLs in class are present, and second, that they are not present. The goal is to determine whether VLs in class modify the end-to-end delay distributions (there is at least one VL path for which the two obtained distributions are different) or not (such a VL path does not exist). In the latter case, VLs in class do not have to be taken into account when determining end-to-end delay distributions.
1) VL Modeling Approach: End-to-end delay distributions are obtained using a simulation approach. Such an approach needs a model for each considered VL path. The model corresponding to a given path includes , all the VLs in its class and possibly VLs in its class . The general structure of the model depends on the length of (number of crossed switches) and on the characteristics of the VLs in classes and . Fig. 9 shows four generic models that cover all possible VL paths of length one or two. Each model defines a path from a VL emitted by end system and received by end system . • Model 1 covers VL paths of length 1, directly or indirectly influenced by VLs generated by end systems directly linked to switch input ports.
• Model 2 covers VL paths of length 2, directly or indirectly influenced by VLs generated by end systems directly linked to switches or input ports.
• Model 3 is a generalization of model 1: VLs in classes and can cross other switches before reaching .
• Model 4 is a generalization of model 3: VLs in classes and can cross other switches before reaching or . Similar models can be considered for longer paths .
A more detailed view of Model 1 is depicted in Fig. 10 Since the number of possible VL paths is huge, an exhaustive analysis of them all is impractical in general case. Fortunately, the characteristics of the industrial applications consid- Fig. 11 . Model 1 example P 1 ered in this paper limit the number of possible VL paths. Indeed, a typical industrial AFDX configuration is composed of eight switches. The path length (number of crossed switches) is between one and four and links are lightly loaded. Consequently, a set of VL paths can be defined that covers all the possible VL paths of an industrial network configuration.
The results of the evaluation of the influence of VLs in class were presented in [26] . They are summarized in the following paragraph.
2) Simulation Process: Model 1 in Fig. 9 is considered first. As presented in Section II-C1, this model is characterized by the number of input links, the number of VLs transmitted on each of these input links and the dispatching of these VLs between link and the other output links. Moreover, BAGs and frame lengths associated with each VL have to be defined. In order to cover all possible cases in an industrial AFDX network, a typical network was examined and the following range of values deduced:
• , in italics in Fig. 11 ). All the VLs have the same BAG and frame length as .
is a very lightly loaded configuration. Specifically, link has a load of about 2% (12 frames of 84 bytes every 4 ms, at 100 Mb/s).
end-to-end delay distributions are computed considering first, that VLs in class are transmitted, and second, that they are not transmitted. The same end-to-end delay distribution is obtained for both cases. It is depicted in Fig. 12 ( curve) using a logarithmic scale. The probability associated with each value of the end-to-end delay is shown with an accuracy of 1 s. In this example, VLs in class have no influence on end-to-end delay distribution. The delay lower bound is 29 s ( frames never wait in output buffers). The delay upper bound obtained is 42 s. This means that no simulated scenario gives a end-to-end delay greater than 42 s. However, this experimental upper bound is not guaranteed, since simulations can fail to consider rare events. Fig. 12 depicts end-to-end delay distributions for the three other Model 1 examples described in Table I . and correspond to different network loads (respectively, 12%, 22%, and 32% on link ). As for , whatever case is considered for VLs in class , the same end-to-end delay distributions are obtained. These are depicted in Fig. 12 . Not surprisingly, end-to-end delays increase when the network load increases.
Similar evaluations have been done on Model 2, Model 3, and Model 4 VL paths (more than three hundred instances for each model). No configuration was evaluated where VLs in class influenced the end-to-end delays distribution. Fig. 13 presents obtained results in a slightly different manner than Fig. 12 . It depicts the probability of exceeding a given end-to-end delay for of the Model 2 examples in Table II . All VLs of these six examples have a BAG of and a frame length of 500 bytes. The results in Fig. 13 lead to the same conclusions as those in Fig. 12 .
Since the VL path configurations considered cover all possible cases in an industrial network, the conclusion is that VLs in class do not have to be taken into consideration for the computation of end-to-end delay distribution. The resulting reduced simulation space makes it possible to determine an experimental probabilistic upper bound for every VL path in an industrial network. The simulation process considers a specific model for each VL path. Since an industrial network configuration includes more than 6000 paths, this leads to a heavy simulation process. The next section presents a means of speeding up this process. The idea is to model a simplified network architecture which leads to the same end-to-end delay distributions as the original simplified architecture.
D. Speeding Up the Simulation Process
This section analyzes the differences between Model 1 and Model 3, as well as Model 2 and Model 4 in Fig. 9 . More pre- This study follows the same procedure as in the previous section concerning the effective influence of VLs in class . Results are presented in [25] and are summarized in this section.
Let us return to the Model 1 example in Fig. 11 . Fig. 14 depicts a possible Model 3 configuration corresponding to (VLs in class are eliminated, since they have no influence on end-to-end delay distribution). End system has been replaced by switch , which has two input end systems and . Each of these two end systems emits half of the VLs in class that were emitted by ( for and for ). The end-to-end delay distribution is computed for the Model 3 configuration in Fig. 14 • each or input end system is replaced by a switch with one input end system emitting all VLs in class that were emitted by ; • each or input end system is replaced by a switch with two input end systems, each emitting half of VLs in class that were emitted by (the case depicted in Fig. 14) Since the VL path configurations considered cover all possible cases in an industrial network, the conclusion is that the end-to-end delay distribution can be computed using its corresponding Model 1 or Model 2 configuration.
E. Synthesis of the Simulation Approach
The simulation approach allows a better understanding of avionic flow behavior. In fact, modeling of VLs is an important task based on the taxonomy of VLs defined in the context of existing avionic applications mapped over an industrial AFDX network configuration.
The simplified flow model allows the evaluation of end-to-end delays by queueing network simulation mechanisms. It has been shown that the proposed model simplifications have no observable influence on the obtained end-to-end delay distributions measured on a large set of realistic examples (no counterexample has been found).
The obtained end-to-end delay distributions give important information for the designer about the real behavior of the applications sharing the AFDX network configuration. Moreover, it provides both an experimental upper bound as well as an estimation of the probability to exceed a given bound.
These experimental upper bounds obtained by simulation are not safe, because simulation mechanisms are unable to efficiently take into account rare events. But safe upper bounds are needed for certification purposes. The next section presents the stochastic network calculus approach. The objective of this analytical approach is to provide safe probabilistic upper bounds. It reuses the modeling assumptions of the simulation approach and adds pessimistic assumptions on the concurrence of asynchronous flows.
IV. STOCHASTIC NETWORK CALCULUS APPROACH
This section presents the delay analysis of the AFDX network using a stochastic network calculus approach. The deterministic network theory allows the computation of delay and backlog upper bounds, which have been used for the certification of the AFDX network [10] . Unfortunately, these upper bounds can be very pessimistic as it has been shown that the obtained upper bound can be reached only in the case of a single node architecture [13] , [14] .
The aim of probabilistic network calculus is to obtain the statistical calculation of delay and backlog bounds. But the computation of a probabilistic upper bound needs extensions of deterministic network calculation concepts and remains a difficult problem. Many studies used probabilistic single node bounds on delay to derive multinode performance bounds by adding the per node bounds. The problem is often the rapid degradation of obtained results as the number of traversed nodes increases. The challenging (and still relatively open) problem is to be able to construct a probabilistic network service curve for a multinode architecture [16] . Few models are however known that allow concatenating probabilistic service curves to derive end-to-end probabilistic network models [12] .
The problem addressed in this paper mainly deals with the probabilistic phasing between VLs which is unknown (avionics functions are asynchronous) and conserves the deterministic arrival and service curves defined in the AFDX context. The main problem is to efficiently utilize statistical multiplexing while preserving node concatenation properties [9] , [18] , [27] , [28] .
As explained at the beginning of Section III, the problem resides in the evaluation, for a VL path , of the variable part of its end-to-end delay (i.e., the waiting times at buffers). For each VL path , the approach considers its corresponding Model 1 or Model 2 configuration, since it has been shown that this simplification has no effect on end-to-end delay distribution.
The approach is based on results from Vojnović and Le Boudec [27] , [28] . It proceeds in two parts: 1) the configuration consisting of a VL path crossing one or several switches and competing with other VLs is transformed into a configuration with a single VL path crossing a single switch [24] ; 2) the stochastic network calculus is then applied to this last configuration in order to compute the probabilistic upper bounds [23] . Section IV-A briefly notes results from Vojnović and Le Boudec which allow the computation of an end-to-end delays' probabilistic upper bound in the case of a single flow crossing a single switch (step 2). Section IV-B details the transformation process of step 1. Section IV-C illustrates the approach with some examples of VL paths.
A. Probabilistic Upper Bound in the Monoswitch Case
This section gives a brief overview of Vojnović's and Le Boudec's work concerning stochastic analysis on end-to-end delays of flows crossing a single switch [27] , [28] .
The following notations are used in the remaining of the paper:
• denotes the service curve offered by the switch to the aggregated flow; • denotes the service curve offered by the switch to the flow ; • denotes the possible amount of backlog present in the queue; • is the backlog encountered by a given packet at its arrival time;
• is the backlog encountered by a packet that arrives at time 0;
• is the delay incurred by a packet that arrives at time 0. Consider the flow depicted in Fig. 15 ; Vojnović and Le Boudec have studied and established the lowest stochastic bounds on the output buffer backlog and on the delay to cross switch . Their results can be applied iff the two following assumptions are verified:
• the switch offers to the flow a service curve, denoted (cf . Fig. 15 ); • the flow is regulated at the network ingress point, by a wide-sense increasing function, denoted (cf. Fig. 15 ). These two assumptions are true for the AFDX context. Concerning the first assumption, in the AFDX network, each switch can be modeled as a rate-latency function. A rate-latency curve is an affine function, , where is the minimum service offered to input flows, is the worst-case latency and . might be different from zero in the AFDX context. Therefore, in order to verify the first assumption, is removed from before computation and added to the resulting probabilistic upper bound. This assertion is valid since is a waiting time. Therefore, considering this time before or after the computations leads to the same upper bound.
Concerning the second assumption, each flow is regulated at its network access by a leaky-bucket function, defined in the following way. is the maximum length of a frame generated by the VL, denoted
. is the VL maximum rate, , where is the minimum delay between the emission of two consecutive frames of the VL by its source end system. Therefore, Vojnović's and Le Boudec's work can be used to compute the stochastic upper bound on the end-to-end delay of a single flow crossing a single switch in the AFDX context.
In order to determine the end-to-end delay, the first step is the computation of the backlog at the output buffer crossed by . Vojnović and Le Boudec established two results. The first result concerns the upper bound on the probability that the backlog at the output buffer can exceed a given value. The lowest bound is presented in [27] and given in Theorem 1.
Theorem 1: If , for any , the upper bound of the probability (denoted ) that the backlog is above a given level is (1) for any , and any , where is the intersection between the arrival curve and the service curve :
, and where The second result concerns the lowest upper bound on the probability that the backlog in the output buffer exceeds a given value at the arrival time of a frame. This probability is denoted and named the Palm probability [8] . Vojnović and Le Boudec have also proved (cf. [27] ) Corollary 1.
Corollary 1: If a packet arrives in the node at time 0, it holds that (2) An upper bound of the probability that the end-to-end delay of the flow exceeds a given value is deduced from the Palm probability. The lowest upper bound is established in [27] and recalled in Theorem 2.
Theorem 2: If a node arrives in node at time 0
The computation of the stochastic upper bound starts with . Then is increased until the probability obtained with the previous result is less than a chosen value, for example . It then becomes possible to establish the stochastic upper bound for a single AFDX flow crossing a single switch. Obviously, such a configuration is very unusual in an AFDX network. The majority of AFDX flows cross several switches and compete with several other flows. The next section shows how every AFDX flow configuration can be transformed into a single flow crossing a single switch.
B. Transformation of Multihop Flows
The transformation process is described considering flow depicted in Fig. 17(a) .
The process is based on a result that has been proved for the deterministic network calculus in [19] and summarized by Corollary 2. This result can be applied in the context of AFDX, since all the flows are independent at their ingress point and since the queueing service discipline in the output ports is FIFO.
Corollary 2: Consider the switch that serves two flows and (the flow . Each flow has an arrival curve (cf. the network configuration depicted in Fig. 16)) . If the service curve of the aggregated flow is , then flow has a service curve the output flow , denoted , has the curve Using Corollary 2, given the arrival curve of all the input flows and the service curve offered by the switch to the aggregate flow, the actual service curve offered to each flow and its output curve can be determined. This result is recursively applied to each crossed switch, until the exact service curves offered to the flow are obtained. The second step uses another result of [19] concerning the concatenation of switches. If the actual service curve offered to is known [cf. Fig. 18(a) ], the crossed switches can be concatenated to a single switch [cf. Fig. 18(b) ]. The service curve of this new switch is the convolution between the actual service curves.
C. Example of an Evaluation
In this section, the stochastic network calculus approach is applied to the network configurations evaluated by the simulation approach in the process described in Section III-C. Indeed, an important challenge is to estimate the pessimism of the stochastic network calculus approach. The comparison between the results of the two approaches (simulation and stochastic network calculus) measures this pessimism, since the simulation approach closely approximates real network behavior. Fig. 19 depicts the probabilistic upper bounds computed with the stochastic network calculus approach on the six Model 2 configurations of Table II . As with the simulation approach, the probabilistic upper bound corresponding to a given probability increases with the network configuration load. The set of configurations studied (Model 1, , Model 4) confirms these differences between the two upper bounds. It is minimal for lightly loaded configurations (under 5% per link), at most four times the value of the simulation upper bound for 15% loaded configurations and five times this upper bound for 30% loaded configurations. It was mentioned in Section II that nearly all the links in an industrial network have a load of under 15%. Thus, the probabilistic upper bound computed by the stochastic network calculus approach is at most about four times the actual upper bound in an industrial network.
V. END-TO-END DELAY ANALYSIS EXAMPLES ON AN INDUSTRIAL AFDX NETWORK CONFIGURATION
The two approaches presented in this paper have been validated on an industrial AFDX network [10] . It is composed of two redundant networks. Each networks includes 123 end systems, eight switches, 964 VLs, and 6412 VL paths (due to VL multicast characteristics). The left part of Table III gives the dispatching of VLs among BAGs. It can be seen that BAGs are harmonic between 2 and 128. The right part of Table III gives the dispatching of VLs among frame lengths, considering the maximum length . The majority of VLs consider short frames. Table IV shows the number of VL paths per length (i.e., the number of crossed switches).
The evaluation was conducted on a representative subset of the 6412 paths of the configuration. As an example, Fig. 20 depicts the model associated with the unicast VL . the path is --. Its BAG is 32 ms and its frame length is 343 bytes . is directly influenced by 90 other VLs emitted by 22 end systems. Each end system executes one or several avionic functions. For instance, PRIM1a is concerned with flight control. A description of all the end systems in Fig. 20 is beyond the scope of this paper. The upper link load is 14% (on link --2). Thus it is a quite heavily loaded configuration as far as an industrial network is concerned. Table V gives the obtained upper bounds for and five other VL paths with various path lengths (between 1 and 4) and different number of directly influencing VLs (from 14 to 228). Considering and a probability , the experimental upper bound (Simu UB) is 396 s, compared to 1062 s for the analytical upper bound (SNC UB). These values confirm the conclusions of Section IV-C (the latter is less than four times larger than the former). The same observation is made on the five other VLs in Table V . This result has been confirmed for all the studied paths of the industrial configuration.
VI. CONCLUSION
The study presented in this paper concerns the probabilistic analysis of end-to-end delays of an AFDX network. The goal is to compute a probabilistic upper bound for each application flow. Such an upper bound can be exceeded with a given probability . It is relevant in the context of avionics, since avionic functions are designed to give accurate results even if they miss some frames. Thus, a frame of a given flow may occasionally miss its deadline without any serious consequences on an avionic system. This paper shows how to compute a probabilistic upper bound in the context of industrial AFDX applications.
The simulation approach determines an experimental upper bound. It considers a model of the network configuration and calculates the end-to-end delays of a given flow out of a subset of all possible scenarios. The end-to-end delay distribution of the flow can then be deduced, provided this subset is representative of all possible scenarios. The main challenge of this approach is to extract this representative subset from the huge number of possible scenarios in an industrial network including approximately one thousand flows. This paper shows how it is possible to focus on the network part relevant for a given flow
. More precisely, it shows that all the flows which never compete directly with have no influence on its end-to-end delay distribution. Therefore, they do not need to be considered. A simulation model is derived and it provides end-to-end delays distributions, as it closely approximates industrial network behavior. Moreover, it allows the estimation of experimental upper bounds.
The stochastic network calculus approach analytically determines a probabilistic upper bound. It is based on Vojnović's and Le Boudec's work. For a given flow, it starts from the simplified model defined in the simulation approach context. It has been shown that this model can be transformed into another model consisting of a single flow crossing a single switch. The probabilistic upper bound is then computed on this latter model. This upper bound is a good candidate for certification since it is guaranteed. However, it is often pessimistic, due to the pessimism of network calculus assumptions.
The pessimism of this analytical upper bound can be evaluated on a given network by comparing it with the experimental upper bound. In an industrial AFDX network, the largest difference between the two upper bounds is never more than four times the experimental upper bound obtained by the simulation approach, regardless of the flow considered. It can be much smaller, depending on the load of the links followed by the flow.
An important point is to determine whether it is affordable to have such pessimism in the context of avionics. Clearly, it will be the case if it leads to an acceptable overdimensioning of the network. This has to be evaluated for each new aircraft. An open problem is still the optimization of the probabilistic upper bound obtained by network calculus. First, the degree of probabilism taken into account by our approach has to be precisely analyzed. Second, more recent results on the concatenation of probabilistic arrival and service curves [12] , [16] have to be evaluated in the context of an AFDX network. Moreover, other approaches for analytical analysis seem promising, such as the trajectory approach [20] and results on offsets for distributed systems with end-to-end constraints [21] . Open problems are the adequation of these methods and their efficiency in the context of AFDX network.
For future aircraft, the addition of other types of flows (audio, video, best-effort, …) on the AFDX network is envisioned. These different flows have different timing constraints and criticity levels. Thus, it is necessary to differentiate them and the FIFO policy on switch output ports is not suitable. Thus, it is necessary to consider other service disciplines, such as static priority queueing or weighted fair queueing [22] . Consequently, the two approaches presented in this paper should be extended to cope with these service disciplines.
Moreover, future avionic network architectures will include fieldbuses such as controller area network (CAN) [17] or FlexRay [7] in addition to AFDX (currently, there are already CAN buses embedded in aircraft). Considering that a flow can be transmitted over more than one technology (e.g., from a CAN station to an AFDX end system), it is necessary to analyze the end-to-end delays over heterogeneous paths. This should include the timing analysis of the bridging strategy between the different technologies. 
