Integrated modular Avionics (IMA or ARINC 651), as it is currently implemented in large aircrafts, uses a limited number of complex processors interconnected through a communication network (AFDX or ARINC 664). The allocation of avionics applications is done according a communicating partitions model (APEX or ARINC 653) needed for guaranteeing robust partitioning when sharing processors (TDMA like schedule) and communication network (APEX channel). On smaller aircrafts (such as helicopters) the objective (due to room and weight constraints) is to use les complex processors and consequently to increase their number. Implementing such a distributed IMA architecture leads to a global (more complex) integration problem, which is twofold. Allocation and scheduling of partitions on each shared processor as well as end-to-end communication delays among distributed partitions must be compatible in order to guarantee timing requirements of distributed avionics applications. This paper points out the complexity of composing the two aspects of this integration problem on different possible target architectures.
INTRODUCTION
Helicopter and aircraft industries attempt to reduce weight and power consumption. The Integrated Modular Avionics (IMA) architecture is a first step in this direction: instead of having one function per processor like in federated architectures, several functions share the same processor. Moreover, communication means are also shared to reduce the number and the weight of cables [1] [3] .
In large aircraft, processing units are grouped in a limited number of centralized racks [3] . But in smaller aircraft such as helicopters, the idea is to integrate equipment in unused area. Moreover new devices have to be positioned so as to balance weight in the whole helicopter.
To face these new constraints, one way is to have a larger number of (possibly less complex) processors that can be distributed in the whole helicopter. The problem is then to
The authors retain copyright.
guarantee timing properties of distributed avionics systems.
In this paper we show that a compositional approach is needed to find an allocation that respects both scheduling and communication constraints. Figure 2 gives an overview of a simple avionic system executing on one processor. It is composed of a set of partitions (P 1 . . . P 6 in the example) with a period and a Worst-Case Execution Time (WCET) per partition, as well as a set of communication channels between partitions (from P 1 to P 2, P 3 to P 4 and P 5 to P 6 in the example). According ARINC 653, scheduling of the partitions on the processor is statically defined by a MAjor Frame (MAF). A MAF is a periodic schedule where slots are assigned to the partitions, based on their period and WCET. Figure 2 shows a valid MAF for the avionic system in Figure 2 . The schedule is repeated every 22 ms (least common multiple of the periods). Partitions P 1 and P 2 execute twice (every 11 ms) while other ones execute every 22 ms. End-to-end communication constraints have to be guaranteed by the MAFs. Different semantics are possible for these constraints, depending on the transmitted data [2] . In the context of this paper, we assume a button-to-action delay, which considers the first reaction to a data, as illustrated in Figure 2 for communication P 1 → P 2. Constraints are given in Figure 2 . The MAF in Figure 2 insures them.
PROBLEM STATEMENT
As explained in Introduction, a more distributed architecture composed of less powerful processors has to be deployed for small aircrafts or helicopters. Partition WCETs are then increased. The challenge is to find an optimal allocation that respects end-to-end constraints. The allocation is defined by the number of processors, assignment of the partitions on the processors and MAFs. Let's study the allocation of system in Figure 2 on less powerful processors (WCET is 4 ms for P 1 and P 2, 6 ms for the other partitions). Figure 2 shows that candidate allocations on two processors are rejected for different reasons. In the upper left solution, P 1 and P 2 are allocated to the same processor and there is no space for another partition on this processor. Thus the four remaining partitions have to be allocated to the other processor, which is impossible. In the right solution, P 1 and P 2 are allocated to different processors, leading to a possible missed end-to-end deadline for P 1 → P 2. One solution would be to oversample P 2, i.e. to execute it every 5.5 ms (twice per period). It leads to the lower left solution, which is also rejected since there is not enough space for remaining partitions. This small example shows that two types of properties have to be respected: valid MAFs for partition assignment to the processors and end-to-end constraints. Existing approaches consider separately both problems. We argue that an approach has to consider both problems at the same time to be efficient.
PROPOSED APPROACH
The problem can be summarized in the following way. The goal is to allocate a set of communicating partitions on a physical architecture (set of interconnected processors). Each partition is defined by a period and a WCET on the considered processor. A delay constraint is associated to each communication channel between partitions. Different architectures have to be considered, with different numbers of processors. For each architecture, every possible partition allocation is analyzed. The goal is to find a valid scheduling (valid MAF on each processor) which respect communication constraints.
In a first step, we developped an exhaustive analysis. A set of candidate architectures are selected (number of processors, interconnection means). For each architecture, Each possible allocation of the partitions on the processors is tested. An allocation is valid if MAFs exist which respect end-to-end constraints. An exhaustive search is done on MAFs. At the end of the overall process, a set of valid allocations is obtained.
This preliminary tool has been used to analyze the Vehicle Monitoring System (VMS) depicted in Figure 3 . It provides parameter values and alerts the pilot when a parameter is close to the alarm threshold. This system is up to now deployed on two duplex Aircraft Management Computers (AMCs), four multi-function displays (MFDs) and local I/Os. It includes 7 communicating partitions with four instances of each partition for redundancy reason. 
CONCLUSION
The problem introduced in this paper concerns the distribution of an IMA architecture using less powerful processors, in order to deal with small aircraft and helicopters. The applicative architecture includes a set of communicating partitions which are allocated to the processors. An allocation is valid if both scheduling of partitions and end-to-end constraints are guaranteed. The exhaustive search considered in this paper is only a first step, since it cannot deal with large case studies. Thus a heuristic approach has to be defined.
