Introduction
Embedded avionics systems have evolved from a federative architecture where calculators were interconnected through dedicated mono-emitter links [2] towards a modular architecture. The Integrated Modular Avionics (IMA) has been standardized as ARINC 651 standard [4] for the definition of the hardware architecture and as ARINC 653 [5] for the corresponding software architecture. They define the APEX (APplication EXecutive interface) which ensures the spatial and temporal partitioning of the avionics functions. Thus, it is possible to design the application software independently from the target IMA physical platform.
However, such a modular architecture still necessitates a thorough configuration step at the early stages of its design, both at the physical and software levels. The first point in this article is to evaluate the impact of such configuration and integration choices on the overall performance of the system. Indeed, sharing communication and computation resources in such a modular system increases the complexity of accounting for the temporal properties of the target avionics applications (e.g. execution frequency of functions, communication delays, ...). More specifically, we show that the core of this problem is to evaluate the real-time end-to-end communication delays between remotely located and distributed avionics functions.
This article is organized as follows. 
IMA applications integration
An IMA architecture interconnects several computation modules, sensors and actuators using one or more communication networks. Computation modules communicate mainly using an AFDX network (Avionic Full Duplex Switched Ethernet) which has been standardized in ARINC 664 [6] . AFDX relies on a switched Ethernet technology and provides communication means for asynchronous computation modules. Data is transmitted using the so-called virtual links (VLs) that ensure data flow segregation. A VL defines a mono-emitter logical communication path through a sequence of switches. It is characterized by the minimum time that separates two consecutive frames transmitted by the same source, referred to as the BAG (Bandwidth Allocation Gap) and a maximum frame size SMAX.
An avionics application is composed of a set of functions or tasks, which are executed in partitions that ensure the temporal and physical segregation between applications. These partitions communicate using ports and logical APEX channels. Partitions are executed periodically on the physical modules and are statically scheduled in a cyclical frame called MAF (MAjor time Frame). A partition hosts a set of periodic or aperiodic tasks that are scheduled based on a pre-defined policy. Two types of APEX port exist: sampling and queuing ports. In a sampling port, a new piece of data overwrites the previously stored one, whether the old one has been consumed (i.e. read) or not. In contrast, in a queuing port, all incoming pieces of data are stored in their order of arrival.
In the design of an IMA system, the problem is then to allocate the partitions to the computation modules (spatial allocation), to allocate the APEX channels for the various communications taking place between the tasks and to define appropriate MAFs (temporal allocation). This integration has to guaranty that end-to-end communication delays or packet losses are maintained below given limits.
This integration problem is illustrated for the application presented in Figure 1 . This application is composed of 14 partitions P 1 , ..., P 14 . Each partition P i , 1 ≤ i ≤ 14, executes a periodical function F i . At the end of its execution, each function (i.e. task) F i creates a message Msg i to be sent to function F i+7 . In this example, functions F 1 to F 6 have a period of 32ms while F 7 has a period of 16ms. The target physical architecture for this application is composed of two computation modules interconnected via an AFDX network. A first module M 1 is linked to sensors C 1 to C 7 whose values are read by functions F 1 to F 7 , respectively. These functions are hosted by partitions P 1 to P 7 , which are executed in module M 1 . A second module M 2 is linked to a set of actuators A 1 to A 7 which are commanded by functions F 8 to F 14 . Partitions P 8 to P 14 are executed on module M 2 for functions F 8 to F 14 , respectively.
Functions F i , 1 ≤ i ≤ 7, communicate with their remote functions F i+7 by sending at the end of each one of their activation period a message Msg i . The resulting seven message flows are transmitted from module M 1 to M 2 using seven VLs, V 1 , . . . , V 7 , defined in the AFDX port of M 1 (Msg i is sent on V i ). We assume that the size of a message does not exceed the maximum packet size of its VL. A reasonable design for the MAFs of M 1 knowing the periodicity of F 1 to F 7 is to create a MAF of 14ms repeating itself every 16ms. Each function is executed during 2ms. The MAF of M 1 is thus subdivided into 7 slots of 2ms each (cf. Figure 2) .
The first six slots are used every two MAF cycles (i.e. every 32ms) by F 1 to F 6 , while slot number seven is used each cycle (i.e. every 16ms) by F 7 . Accordingly, VLs V 1 to V 6 are assigned a BAG of 32ms and V 7 a BAG of 16ms.
Figure 2. MAFs of modules
The MAF of module M 2 follows the same model as M 1 as shown in Figure 2 . M 1 and M 2 modules are asynchronous, which means that MAFs can experience different offsets as the physical module is being started. Unfortunately, no simplifying assumption can be made regarding these offsets which are random by nature.
Impact of applications integration
This section investigates the impact of integration choices on end-to-end communication performance. To this end, we first define the end-to-end communication delay. Then, we show on the example of Figure 1 how integration choices impact these delays.
In our analysis, we derive the end-to-end communication delay of the function F 7 that transmits the messages Msg 7 to the function F 14 through VL V 7 . The end-to-end communication latency is here defined as the duration between the time Msg 1 is generated in F 7 and the time it has been consumed by F 14 . It is decomposed into three components:
−T V L : Msg 1 has to wait until a BAG has elapsed before being transmitted on the VL. T V L is the time Msg 1 is waiting for an available transmission slot in V 7 . T V L varies from 0ms to V 7 BAG size.
−T nw :it is the latency the message experiences in the network. It is completely determined by the target network properties.
−T dest : when Msg 1 arrives at the incoming port of M 2 , it has to wait until function F 14 is scheduled and can consume it. Thus, T dest is the duration Msg 1 has to wait in M 2 before being read by its destination function. These 1. Latency for an available VL slot In the example of Figure 3 , the MAF of M 1 and VL V 7 have an equal period (16ms). In this case, T V L is constant for each new message instance (cf. T V L on Figure 3) . Now, what happens if the period of a function F x does not match with a possible BAG value (BAGs values are limited to powers of two durations, starting at 1ms)? Let us consider a period for F x of 30ms. The corresponding partition can be allocated in a 30ms MAF cycle. To ensure the availability of a BAG of the VL V x from each message production, the BAG size has to be fixed to the largest available BAG size which is lower or equal to F x period, i.e. 16ms in this case. Thus, a message created every 30ms will always find an available slot for transmission in the VL of period 16ms.
Figure 4. Availabilty in V x
Consequently, it is possible to control the latency for the VL availability (as long as the message sending period is not lower than the smallest BAG i.e 1ms).
Latency through the network
In our specific case, the latency T nw of an AFDX VL is composed of two parts: i) the multiplexing delay d mux on the M 1 output port and ii) the transmission latency T p through the network. a) Multiplexing delay d mux : all the VL data frames are multiplexed in an ordered sequence according to the messages sending times in the AFDX port. Thus, a data frame of V 7 arrived after a set of data frames produced earlier by other VLs will have to wait for complete transmission of previous frames. This multiplexing delay is depicted in Figure 5 for three successive frames of V 7 of the illustrative example. All VLs carry here a frame size of 1530 bytes. At 100 Mbps, emission duration is of 0.122ms. The activation of the function F 1 to F 6 during the first occurrence causes a delay of 0.732ms for the data frame of V 7 . Considering the previously defined BAG values (16ms for V 7 , 32ms for V 1 to V 6 ), the same behavior is repeated in the third occurrence of V 7 . However, the second occurrence of V 7 is not affected (d mux = 0). The difference between the minimum and the maximum d mux value is denoted by multiplexing jitter. When the data frames generation times of the VLs are at the source module (e.i. modules and VLs offsets are known), this multiplexing jitter can be analytically computed [9] , otherwise, it requires a recursive derivation through simulations. b) Transmission latency through the AFDX network: it is the difference between the data frame release time from the output of the source module and the reception time in the destination module. In an AFDX network, this delay varies depending on the network traffic [10] . Different approaches to bound this variability exist [10] . Some approaches take into account the local scheduling of different VLs originating from the same source. It has also been shown that this local scheduling of VLs can significantly reduce the delays in the network [11] .
3. Latency at the destination module The variation in the latency T nw means that the successive data frames received at the destination module M 2 are no longer periodic. This is illustrated in Figure 6 . The function F 14 is periodic. However, the variable latency introduced by the AFDX network on Msg 7 occurrences results in an additional delay T dest on the reception time at the destination module. Since M 1 and M 2 are asynchronous, it is impossible to set execution times of P 14 on M 2 to compensate for this network jitter. It is therefore possible that two data frames of V 7 arrive between two successive executions of P 14 . This scenario is shown in Figure 7 .
Figure 7. Sampling and queueing reception modes
Depending on the type of destination port (queuing or sampling), such successive data receptions have a consequence on the communication performance. For a sampling port, the message Msg 7n+1 is overwritten by the new occurrence Msg 7n+2 . If it is a queueing port, the message Msg 7n+1 is consumed in the next execution of P 14 (n+2). In this case, T dest > 16ms. To avoid such losses of messages or additional delay problems, the execution period of P 14 has to be reduced to avoid the reception of two data frames of V 7 between two successive execution of P 14 . The minimal duration between the reception of two successive data frames on M 2 is determined by deducting the maximum multiplexing jitter induced by the network from the execution period of P 14 . The Figure  8 illustrates the minimal required duration to avoid message losses (sampling port) or additional delay (queueing port).
Proposed modeling and simulation tool
The analysis of Section 3 stresses the need for a tool capable to evaluate and compare different integration Our main objective is the modeling and simulation of an IMA platform. It consists in the description of the different characteristics (software architecture, physical architecture, integration), to generate a simulation model able to verify the application constraints and requirements. The proposed modeling approach is described in Figure 9 . It consists in three modeling levels: application model, architecture model and integration model.
Figure 9. Proposed modeling approach
The application model describes the avionics applications in term of communicating partitions across logical communication ports and APEX channels. It also describes the functions embedded onto the partitions.
The architecture model formalizes the description of an IMA platform architecture in terms of physical components (execution modules, sensors, actuators, ...) linked by heterogeneous networks.
The integration model describes the mapping of the application model onto the architecture model: spatial allocation of the partitions onto the execution modules, the APEX channels on the AFDX ports, the temporal allocation of partitions in their MAF and the virtual allocation of communication links (BAGs, SMAX).
The auto-generated simulation model is obtained from the integration model which is capable of driving the performance of the loaded IMA architecture, with respect to different communication metrics (end-to-end communication delay, jitters, message losses, ...)
The generated simulation model can be used to evaluate the performance of application and architecture models. Moreover, we can use these results to fine tune the parameters defined in the application and architecture model and re-generate the simulation model. This iterative process can help in early design phase to decide optimal parameters for IMA architecture. We are developing such a tool and initial results are encouraging.
Conclusion
In this paper, we have presented the complexity of communication delays analysis in the context of IMA architecture (impact of the multiplexing jitter, the communication in sampling and queueing modes, consequences of source and destination execution periods and influence of the choice of the logical communication channels).
An indepth analysis of these influential parameters requires a simulation tool able to consider the random aspects (offsets of the modules and networks, tasks execution duration, communication delay, ...).
The ongoing research covers the modeling approach of such an IMA architecture according to three levels (application, architecture, integration) and aims at generating ultimately a simulation tool that can be used to calculate the real end-to-end communication statistics of modeled software and physical architecture.
