Based on the current state-of-the-art in avionics, the adoption of new networking technologies and their integration into complex systems requires important efforts to guarantee the respect of system level requirements. This sets a need for a more effective and systematic approach to validate new technological choices and their integration process. In this paper, we propose a hardware prototyping platform for validating the design of an avionic transducers network in an early development stage. The specific implementation reported in this paper targets two boards based on a Spartan-6 LX45T Xilinx FPGA. Both boards were configured to validate a custom transducers network architecture proposed by the authors. The resulting prototype is configured to maintain a throughput of at least 1 Mbit/s and to guarantee a deterministic traffic on the field bus to conform to actual avionic constraints. This paper covers the methodology involved in the design of our prototyping platform and highlights some of the advantages it offers.
Introduction
The introduction of electric systems for critical applications within an aircraft is expected to provide several benefits to the airplane industry over the next few years. An important aspect of this migration covers the flight control systems. Traditionally, these systems were implemented using mechanical, pneumatic, or hydraulic components, which usually imply a considerable weight issue and an inherently inflexible infrastructure. Although these older technologies offer great robustness, an electrical implementation would improve flexibility and overall network performance. Significant weight, wiring, and complexity reductions can also be expected with the replacement of existing systems by their electronic counterparts.
This migration towards the new generation of avionics system requires the redesign of data network for onboard airplane use with the possible adoption of new data communication technologies, such as ARINC 825 and ARINC 664 developed in the recent years. Although these standards were primarily designed to provide and guarantee reliable information transfers, their inherent performance and characteristics can vary greatly from each other. Based on the current state-of-the-art in the avionics field, the adoption of these new technologies and their integration into complex systems require a sizeable time and effort to guarantee meeting the system level requirements, such as reliability, determinism, and bandwidth. Although commercial products for most of these new technologies are becoming available, the use of a generic custom implementation can be helpful to validate the required theoretical analysis and to identify specific problematic cases. This sets a requirement for a more effective and systematic approach to validate new technological choices and their integration process under strict constraints for safety-critical applications.
In this paper, we propose a method based on a hardware prototyping platform and a generic architecture for validating the design of an avionic transducers network in an early development stage. Design choices can easily be implemented within a complete network, including features such as fault injection, as well as bandwidth and latency measurement capabilities, to ensure that all constraints, specified at the desired level, are met. Our implementation developed by following the method reported in this paper targets two boards based on a Xilinx Spartan-6 LX45T FPGA. Both boards are configured to validate our custom architecture of a transducers network design [1] . The resulting prototype is configured to maintain a throughput of at least 1 Mbit/s and to guarantee a 2D5-2 deterministic traffic over the field bus to conform to actual constraints for avionic applications. With this prototype, many types of transducers can be easily connected to an AFDX End System through a network architecture based on the ARINC 825 protocol.
The rest of the paper is organized as follows. The "Related Work" section first presents some researches related to the subjects dealt within the present article. It also introduces the generic architecture used in the development of the described prototype. The basic principles, the advantages and the limitations of the architecture based on enhancements of the IEEE 1451 standard are highlighted for further references. The following section details the methodology that we have adopted in order to implement our transducers network and to validate the design choices we made. Each of the steps of the methodology is then explained in details. Our FPGA-based implementation is then presented to illustrate the application of our proposed approach. The motivations behind our design choices are also explained. The final part of the section covers our custom fault management mechanism for a typical ARINC 825 controller and the validation of their positive impact within the network to serve as an example. The results obtained based on the presented prototype implementation, as well as observations and analyses, are presented in the "Results' section. Finally, concluding remarks and discussion on the improvements offered by the proposed methodology and hardware platform are provided in the "Conclusions" section.
Related Work
As data communication standards evolve over the years, the need to evaluate and validate new standards for new applications has become a critical part of any design process. Academic and industrial groups have already proposed monitoring and testing systems that ensure correct functionality of several existing communication standards. Most of their work focuses on application domains other than avionics and for non-critical purposes. This section presents some achievements reported in the literature.
Since the focus of this paper is the evaluation of the impact of the integration of a pair of ARINC 825 busses within our system, the first papers relative to our work present monitoring system limited to this same standard. The implementation of a simple monitoring system for a CAN bus, which is a less reliable version of ARINC 825, is proposed in [2] and [3] . Although the solution of [2] is supported by a software application and that of [3] by a hardware platform, the results they reported are similar to most of those focusing on less reliable version of the standard for application in the automotive industry.
To address the issue of deciding which standard should be selected when designing a complex onboard electronic system, [4] proposed an exhaustive review of emerging and traditional communication standards. Although extensive knowledge about the inherent characteristics of each standard is very useful in selecting and integrating them to any system, a practical implementation or simulation model is necessary to fully understand a standard. A system under development can then be optimized for better performances while taking into account its weaknesses. To help in this task, [5] proposed an approach based on a software simulation tool to emulate and provide guidelines in order to meet specified requirements. We feel that our hardware-based approach allows us to achieve similar goals while granting additional benefits in terms of implementing fault detection mechanism, processing actual workload, and testing sensor integration as will be shown in this paper.
In terms of testing and validating fault detection and management mechanisms, several attempts have been made to improve upon the basic redundancy scheme, which is currently the most frequently used for improving the reliability of systems in the industry. In order to test their new redundancy strategy, [6] developed a dedicated microprocessorbased infrastructure for testing the communication between a space robot arm and its testing apparatus. Although they showed the effectiveness of their approach, their dedicated platform still lacks the flexibility to test other fault management strategies over different communication standards. The use of commercial components also limits their ability to inject and detect errors at the required level of abstraction to help identify and solve unforeseen problems. Some of the features of our system addressing these limitations will be presented in the "Implementation" section.
2D5-3

Network Architecture
Our approach is based on the adoption of a generic network architecture proposed in our research project [1] . For a better understanding of the complete method, the basics principles behind this architecture are presented here. In addition, since the architecture studied in the present work is an improvement of the IEEE 1451 standard, it is briefly reviewed for self consistency.
The goal of the IEEE 1451 standard is to allow access and control of smart transducers through normalized interfaces. The use of microprocessors or any other dedicated electronic hardware to handle digital communications has also opened the opportunity for adding intelligence to sensors and actuators. One important feature of this standard is the transducer electronic data sheet (TEDS) which is a nonvolatile memory, located in the transducer, used for storing transducer identification, calibration, correction data, measurement range, and manufacture-related information. The proposed interfaces allow transducers to be connected to a processor, an instrumentation system, or any other control network. The reference model, shown in Figure 1 , is completely independent from communication protocols and hence, it is also applicable to wireless networks. Note that this reference model is very similar to structures found in avionic transducer networks with the exception of the interoperability inherent to the use of the standard. The functionality proposed in IEEE 1451 is separated into two main modules. The transducer interface module (TIM) has the following responsibilities: analog signal conditioning, digital conversion, command processing, data transfer, and TEDS storage. The transducers, from a single sensor or actuator to many heterogonous units, are enclosed within the TIM. The second part of this model is the network capable application processor (NCAP) linking the TIM to user networks. The NCAP is responsible for interface control, command routing, data correction, and message coding and decoding. The physical interface between TIM and NCAP is left to the designer's choice and is not covered by the standard. Nowadays, smart sensors are slowly starting to make their way in some applications, mostly in less restrictive fields. Their onboard utilization in aircrafts has been studied, but has not yet been adopted [8] . The first practical use of this standard is to facilitate testing of aircrafts by reducing wiring and complexity. In this specific case, the IEEE 1451 standard was only implemented in apparatus for ground testing. NASA has explored IEEE 1451 to identify its benefits and limitations [9] . Our study on this standard has led us to some conclusions similar to those reported in [9] regarding the flexibility and the limited reliability. This is the main motivation behind the development of our own architecture for critical applications. . This architecture is designed to be as generic as possible. In this architecture, the NCAP and TIM modules have the same functionality as the one described in the basic IEEE 1451 specification. The number of field busses and different modules are dictated by various requirements, such as reliability and bandwidth. Although the method presented in the next section is based on this particular architecture, many other architectures meeting the specified constraints could be tested in the same way.
2D5-4
Figure 2. Generic Architecture
Methodology
Based on the current state-of-the-art gathered from the literature, we recognized the need for a more effective and systematic approach to validate new technological choices and their integration process under important constraints. Some even consider that prior experience from participating engineers is usually the main source for initial network selection [5] . To address this challenge, we present and propose an approach we followed to develop a novel architecture for the integration of actuators within an airplane. This section will briefly present the steps we have taken, as more details will be provided in the following sections. Figure 3 shows our proposed methodology.
Figure 3. Proposed Methodology
While developing our methodology for critical applications in avionics, we felt the need to take into account the certification process required for the development of airborne components. Although our approach is hardware based with the application of the DO-254 certification process, the same principles can be applied to a software implementation. Based on the conclusions provided by a team of engineer from Mentor Graphics on the application of the DO-254 standards, several characteristics have been identified to reduce the verification challenge imposed by the process [10] . The five following characteristics have been labeled as the most important:
• it must pass the DO-254 compliance review;
• it must use industry standard tools and languages;
• it must interface with current and future designs;
• it should support new hardware verification language (HVL) constructs;
• tests should be easy to create, maintain, and alter.
Based on these characteristics, we feel that our approach can also bring benefits in terms of reducing the complexity of certification while improving the design process for such systems. The first characteristic is mandatory for any certified components and a structured approach as the one proposed in this paper is likely to help in this regard. The rest of these characteristics will be covered as they become relevant in the rest of this paper.
Requirements Definition
The first step of the proposed approach for designing or integrating communication networks is the requirements definition. This is especially important in the avionics field where stringent regulations and reliability assurances have to be enforced. In the context of our work, we have selected features related to reliability, determinism, latency, load, and bandwidth in order to satisfy the demands and requirements of our industrial partner. Our approach tries to satisfy simultaneously all constraints, but tradeoffs can be made manually when no configuration of the architecture can directly meet them all. We limited ourselves to the above requirements although other requirements such as power consumption, weight, number of nodes, and even the wire's length, could have been considered.
Architecture Optimization
The next step is to describe the generic architecture by MATLAB models. Upon the selection of a network configuration, defining parameters such as the number of busses, TIMs and NCAPs, performance values are obtained analytically and 2D5-5 these values are compared with the constraints. In the various experiments that we conducted, it was always possible through an iterative trial an error process to generate a configuration of the network meeting all the selected requirements. Although this process is currently done manually, automation to obtain the optimal configuration could be implemented as a next step of this research. Table 1 shows the requirements selected to pursue the objectives of our project. [11] . Requirements relative to the maximum load and determinism are imposed by the choice of ARINC 825, which recommends a bus load inferior to 50% during normal operating conditions [12] . The load over an ARINC 825 bus is given by
Implementation
The next step consists of implementing the basic modules of the configuration selected during the previous step. Various mixes of hardware, software, IP, or COTS parts can be selected to implement this generic architecture. Our implementation is based on a VHDL custom description. This allowed implementing and testing a previously proposed [13] fault management scheme by reprogramming the FPGA platform. Complete custom development also gave us full control for configuring the fault management mechanisms. At this stage, the required interfaces, from real operating transducers to higherlevel traffic generation, can also be included in the prototype for improved testing and validation. More details of our prototyping platform and its possible interfaces will be presented in the "Implementation" section.
Test Case Generation
This step is mainly used to define the test cases used to validate the architecture and the design of the network. Different possible configurations can be identified and selected in order to validate any requirements from any point of view. Various fault injection mechanisms, like the one we developed, can be added in the model to optimize the architecture. Worst-case scenarios can then be created for analysis. These features are especially useful to support certification processes such as DO-254 or DO-178. Finally, planning for the necessary measurement mechanisms to ensure that the constraints are met is required. This motivated us to implement our own network monitoring system. Although our system utilizes the ARINC 825 standard as a field bus, our work differs from the literature as we focus on monitoring the requirements at the system level. Traditional monitoring at lower levels can cause misinterpretation of the effects on the overall system, such as unforeseeable bottlenecks at higher level or the incorrect functionality of the fault management systems.
Prototype Validation
The last step of the proposed approach is the assembly of the prototyping platform and the application of the test cases. Because of the inherently reconfigurable nature of the adopted FPGA platform, several configurations and implementations can be validated against the requirements. Even with a small prototype platform, we are able to apply many possible test cases to all modules in any desired conditions, which is very useful for certification. The certification process of a complex system usually requires the exploration of every possible case. Combining design and certification is bound to reduce the total efforts needed for the complete development of airborne electronic equipment. The process of reconfiguring the FPGAs and applying test cases are performed manually in our research project. Note that an automated process could be put in place to accelerate architecture validation.
2D5-6
Implementation
This section presents the validation of a specific network architecture through our hardware platform to serve as an example. All important implementation details will be covered and discussed. The description of the validation process will follow the four last steps of our proposed approach (the selected requirements have already been presented). This will serve to highlight the benefits of the proposed approach and justify our design choices.
Architecture Optimization
Upon selection of the requirements of the desired network, the number of sensors to integrate within our example architecture is fixed to 4. The critical nature of the application implies that each transducer must be duplicated at least once to obtain the required level of reliability for the complete network. Figure 4 shows the configuration that is expected to meet the requirements and that was obtained through several iterations with our MATLAB models. 
Implementation
The chosen configuration of the generic architecture is prototyped using an FPGA-based platform for an exhaustive performance validation. In order to implement this architecture, at least two FPGA boards are necessary to test all possibilities. Our prototype is based on 2 SP605 boards from Xilinx [14] because of its numerous connection interfaces, facilitating its portability and extensibility. This derives from the fact that the FPGAs embedded in the rather inexpensive SP605 are relatively small. The complexity of the various modules composing our proposed architecture is reported in Table 2 . As we can see from this table, the combination of a complete TIM and NCAP can be easily contained within a single FPGA. As the TIM is not completely filled, additional sensors can be included in the network through a simple reconfiguration of the FPGA. The utilization values for the global network imply that 4 FPGAs are required to fully implement the final architecture. We implemented an ARINC 825 field bus physical layer through typical CAN connectors. Two additional ports are provided for each of the two ISM networking boards [15] . The configured prototype with a single TIM and NCAP is shown in Figure 5 . In this picture, the TIM is directly connected to the sensor array containing several COTS digital temperature sensors. For the validation process, we 2D5-7 connected only four of these sensors through a standard I2C communication protocol, based again on a custom implementation. The remaining available sensors can be connected to another board if the connection between two TIMs was required. Through reconfiguration of the FPGA platforms, the specific parts for applying stimuli and examining their effects can be implemented without having to implement the whole network. This platform can also be easily connected to other types of transducers, transducers models and emulators, whether they be implemented or not within the FPGAs. In the context of our project, we are in the process of interfacing with a novel analog data acquisition module for a promising new sensor technology.
Figure 5. Sample Configuration of Hardware Prototype
We have implemented a subset of the required functionality, which was selected to test every part of the platform. A limited subset is recommended by the NASA experts [9] as a first step to start implementing the IEEE 1451 standard in transducers networks. A basic implementation can always be upgraded with more complex features while remaining compatible. Using their recommendation, combined with our approach, could significantly reduce costs during early design phases. Fault injection mechanisms are also included within the prototype to validate the fault handling system implemented in the present work. One of these custom fault-management systems is devised with the development of a dual ARINC 825.
Based on the CAN protocol, the ARINC 825 standard was introduced to fulfill the requirements of safety critical networks. It is based on a multi-drop bi-directional communication protocol enabling a multicast reception through time synchronization. At the beginning of each frame, each node undergoes resynchronization in order to guarantee the time consistency throughout the network. Determinism and maximum latency can be obtained through each of the frame's identifier field. Unlike CAN, ARINC 825 relies uniquely on the 29-bit format identifier. The payload of each frame consists of 16 bits containing configuration bits and the data acquired by the sensor.
Other modifications from the original protocol are meant to reduce the network's load by limiting the use of certain types of frames and increase overall reliability. Even with these improvements, traditional CAN and ARINC 825 nodes are compatible and could be used within the same network. In order to achieve the utmost safety of data transfers, every node is implemented with several measures for error detection, signaling, and health management. Several complementary measures have been implemented as detection mechanism. They include CRC coding and bit stuffing while the state of each node is kept through the TEC and REC registers. High values of these registers indicate rough conditions in the bus while lower counts are observed during normal (event-free) traffic.
In order to follow the generic nature of the architecture, a mechanism to identify faulty controller and redirect traffic through healthy controllers is required. Such a mechanism has been implemented with the design of the dual controller based on two regular ARINC 825 controllers able to share queuing lines to ensure the transmission of every frame. Upon degradation of service on a connected bus, traffic is redirected through the fully functioning controller. Our custom fault management system relies on the status of each controller obtained from its own health management system, as described earlier. Upon the complete degradation of the bus, a controller switches to the "bus off" status and stops all communications. Traffic is then redirected when a controller enters this last mode. This improvement slightly more than doubles the amount of resources used, as we can expect from the duplication of a single controller, in addition to the fault management 2D5-8 system itself. More details on the fault management test and validation for the ARINC 825 field busses are presented in the next sections while the details of the components employed for the rest of the system are presented in another paper [13] .
Test Cases Generation
The main objective of this task is to devise and plan the test cases required to ensure that the actual architecture follows the requirements at the system level during normal operation or in the presence of faults. Although our implementation is focused on a low level of abstraction, the requirements cover the integration of the individual parts as a whole system. Based on this principle, we implemented our own measurement mechanisms to validate requirements at the system level instead of the specific validation of some parts like most of the work presented earlier.
The effects caused by a modification in the communication protocol, the fault management strategy or any design choice can be easily observed. By keeping the same test structure, the same highlevel requirements can be validated for various network architectures. The need for latency measurement is the main motivation for some proposed mechanism.
The measurement process is based on the inclusion, in the frames, of two extra fields containing the latency values of the associated frame. These two extra fields are directly enclosed with the payload and correspond to the time spent in the TIM and NCAP respectively. For each frame, a timestamp is taken upon data acquisition and is compared with the time it reaches the AFDX end system. Since the TIM and NCAP are not implemented on the same physical board, we use the required resynchronization for any transfer of frames on an ARINC 825 bus. This mechanism, providing time consistency for all nodes, has also served to ensure the synchronization of latency measurement modules. Based on this time synchronization, the level of precision of the measurements can be selected by varying the number of bits used to represent the latency and by changing the clock frequency of the associated time counter. The only drawback of this technique is that the extra bits, relative to the measurement of the latency itself, are transferred on the field bus and thus increase the length of transmissions and the overall latency. To correct this problem, a mathematical compensation computes the correct latency for each frame. To our knowledge, this measurement approach differs from previously reported measurement strategies [3] in that it can be used across different time domains and is based on a mixed practical and theoretical approach.
Another important feature of our prototype is its compatibility with commercially available software that can be used to analyze and generate data. Indeed, the prototype is interfaced with the ADS2 software through a connection on the ARINC 825 field bus. ADS2 is a powerful modular family of software components, designed to support the development, prototyping, test, and validation of avionics communication networks. The connection to ADS2 enables an automatic generation of test cases at a higher level of abstraction. This is again helpful if the system is used to validate modifications in the network as stimuli are expected to stay the same or could be easily modified. This connection with industry standard tools and the ease to alter and apply tests are especially useful as they are part of the suggested characteristics for an easier certification process. At this point, communication is successfully established with ADS2 through the ARINC 825 field bus. A future connection at the AFDX level is presently under development to grant additional flexibility for testing and validation of the methodology. This compatibility with future design is also an important factor in helping with certification.
Prototype Validation
The last step of our process consists on the final validation of the requirements through the proper configuration of the prototype. This section will present the validation process for each of the requirements specified above. The validation process also allows the detection and correction of possible problems with our custom fault management system. The bandwidth of the considered network is validated with the connection of the field bus through ADS2. With the proper configuration of ADS2, the desired 1 Mbit/s throughput has been confirmed. Again, the use of commercial software enabled us to validate our implementation of ARINC 825. The average frame latency under normal operation is presented in Table 3 while the worst-case latency and network load are shown in Table 4 . A transmission interval of 2D5-9 1 sec corresponding to a 500 transmission cycles is used in the reported experiments. Table 3 , a maximum latency of less than 2 ms is easily achievable with our network configuration for the specified number of sensors. This result can also be used to qualify the determinism of our network, since the frame latency variation between transmission cycles is very small, and is a consequence of the bit stuffing coding technique employed within the ARINC 825 protocol. The occurrence of 5 consecutive identical bits forces the addition of a stuffing bit. The length of the frame and its latency are thus proportional to the number of stuffing bits, which is caused by the value retrieved from sensor. For all the tests that we have applied to the network, the order in which the frames are received is always the same. As for Table 4 , we have forced a specific value onto the sensor data in order to generate the maximum number of additional bits and consequently obtain the worst-case scenario (in terms of latency). As can be seen in Table 4 , the frame with the largest latency never exceeds the limit. The variation in latency due to bit stuffing issues has also disappeared as it has been designed to test for the worst-case scenario. The full network determinism is validated through the completion of these last steps.
Another important part of this validation process is to ensure that the implemented fault management mechanism functions correctly providing the specified reliability target. This is especially important since the reliability analyses made during the architecture optimization process rely on these mechanisms to be respected. The validation process allowed the identification of an unforeseen problem. This situation occurred during the fault injection process at the field bus level. As was presented earlier, an ARINC 825 controller monitors the bus and modifies its behavior depending on the state of the bus. The original fault management mechanism, described in the "Implementation" section, begins to reroute frames only when the node reaches its "bus off" status, which stands for a completely inoperable bus. The state of the node switches the bus off when the TEC register [12] reaches a value of 256. Starting at 0, the TEC register increases by an amount of 8 each time it fails to successfully transmit a frame, which corresponds to 32 retransmissions of the same frame before switching the bus off. During the retransmissions, the frames scheduled for the faulty node are stuck in the transmission queue. By the time the fault management systems is activated and retransmitted through the appropriate redundant nodes, their maximum latency is well over the allowed limits. We found this last problem by analyzing the first results, similar to Table 3 , obtained with the first implementation of our fault management mechanism. Upon this last detection, we modified the fault management mechanism to begin redirecting the traffic at the start of the degradation on the bus instead of waiting for a fully disturbed bus. The results included in Table 4 have been obtained with the revised version that satisfies the requirements.
Conclusions
In this paper, we proposed a methodology based on a hardware prototyping platform and a generic architecture used to validate the design of avionic transducers networks in an early development stage. This 5-step process enables the designed prototype platform to be a very useful tool to integrate and select the required network architecture and/or communication standard. By following each of these steps, we have demonstrated the benefits of using the proposed approach. Based on specific requirements and initial design choices, we have managed to develop, test, and validate a network relevant to the avionics industry for the coming years. In order to measure the latency of each frame, we have also 2D5-11 implemented a measurement mechanism adapted to the particular characteristics of our platform. A better knowledge of different standards and a structured approach thus help in the design, the integration, the certification process, and the maintenance of complex systems such as safety-critical applications required in the avionics fields. For now, the developed platform is operated manually, but it could be automated to significantly decrease the efforts required to develop critical avionics systems.
