ABSTRACT Numerous factors affect the temporal correctness of an integrated modular avionics application. Verification should be conducted as early as the design phase to guarantee that the strict temporal requirements imposed for safety are fulfilled. This paper proposes a model underpinning verification in the design phase. The model captures the temporally relevant design defined in an industrial standard for software applications and the operating system (ARINC653). The finite-state machine mechanism is employed to formulate the behavior model of the application and of the application execution interface. Furthermore, temporal requirements are measured by simulating the state machine model. A case study is conducted on a real-world autopilot application that conforms to ARINC653.
I. INTRODUCTION
In recent years, real-time verification of safety-critical systems has received much attention because of the strict temporal requirements such systems must meet. Faulty temporal behavior can cause software and system failure, leading to potential safety threats such as physical damage or loss of human life. In the early design phase, real-time verification has proved effective in verifying the real-time features of a system [1].
Avionics is one of the most important safety-critical systems and has become an obligatory part of modern aircraft [2]. It is used in many aircraft applications, such as flight control [3], autopilot, collision avoidance [4] and weather systems in civil aircraft, and weapon systems, electronic support measures (ESM) and defensive aids systems (DAS) in military aircraft.
Integrated Modular Avionics (IMA) is a reference avionics architecture standardized by ARINC653 [5]. It was first presented by Honeywell for the cockpit of the Boeing 777 in 1995 [6], and is extensively implemented in the avionics of the Airbus A380 [7], Boeing 787 Dreamliner [4], Boeing C-130, F-22 and Gulfstream G280, among others. Although the implementation of IMA differs between manufacturers, the key concept shared by IMA system designers is the same: spatial and temporal partitioning over shared computing resources.
In general, real-time verification ensures that the actual system meets its deadline requirements in a given context. To fulfill this requirement, three factors should be considered. The first is the worst-case execution time of the program code. The second is the worst-case communication time of the network. The third is the management overhead caused by scheduling resources for tasks.
Similar investigations have addressed these aspects of avionics under the IMA architecture to assure that the real-time requirement is satisfied. Worst-case execution time (WCET) analysis produces an upper estimate of the worst-case execution time at code level [8], [9], using an execution-order model of the specific CPU to obtain a static estimate of the execution time of each instruction. The network, characterized by a bandwidth allocation gap (BAG) in the IMA system, is also a critical part of a distributed avionics system; the network performance of several integrated applications has been modeled and analyzed to obtain a worst-case communication time (WCCT) under the IMA architecture during the early design stages [10]-[12]. To make sure that processes executing within or across IMA partitions meet their own deadlines under given WCET and WCCT, real-time scheduling is a further important issue that integrates WCET and WCCT [13], [14]; the typical two-layer schedule of an IMA system has been modeled to verify the real-time features of the system [15], [16].
Nevertheless, quantifying the temporal performance and verifying whether it is acceptable according to the system requirements remain vital tasks during the design phase of a real-time system [17], [18]. To conduct a feasible estimation of temporal performance based on the design of a system under the ARINC653 architecture, the designer needs to consider the following parameters: the capacity of system resources (e.g., CPU, memory), communication, the real-time operating system, the scheduling policy (e.g., fixed-priority scheduling), and the fault containment design for potential faults (e.g., transient hardware faults) in the controlled objects (e.g., actuators).
Many projects have worked in this area, such as the European IST, DIANA and Ptolemy projects. Model-based systems engineering is a promising solution to this problem, especially for complex aerospace systems. Component-based design methodology and the UML modeling profile MARTE [19] have recently been applied, particularly at the architecture design level. Likewise, the Systems Modeling Language (SysML), derived from UML, gives the system engineer powerful methods for representing the requirements and behaviors of complex systems [20]. Moreover, for modeling and verification of architecture models, AADL [21] is an important architecture description language (ADL) that can be used to describe the controlled object, the control logic and the fault behavior with its behavior annex and error annex.
These models have a significant influence on the temporal performance of the system, and the corresponding works have proved helpful in solving these problems [17], [21]. Nevertheless, they were not specifically proposed for real-time verification of integrated modular avionics software; they do not capture the real-time concepts defined in ARINC653 and are insufficient to verify the real-time design of the architecture against the application behavior. In this research study we present a State machine based Real-Time Modeling (SRTM) methodology that differs from related work by capturing the real-time concepts of ARINC653, as illustrated in Fig.1. Fig.1 shows how SRTM should be applied and how it was derived from the high-level requirements. On the right side of the figure, avionics software is deployed on an RTOS partition as a layer of the IMA system. The RTOS partition provides the application execution interfaces (APEX) standardized in ARINC653 (e.g., creating a process, sending a queuing message) so that deployed software applications can perform their intended functions. On the left side of the figure, the requirements for deriving SRTM comprise two main parts: architecture modeling requirements and temporal requirements. We composed these requirements from our domain knowledge and identified specific requirements from the ARINC653 standard. SRTM has two main parts: the Simulation Facility and the Design Process. The Simulation Facility provides the libraries that simulate the essential services offered by the RTOS partition. The Design Process provides guidelines for applying SRTM to the design model, which is then simulated in the Simulink environment.
Furthermore, we have applied SRTM to an autopilot system from our industry partner, which develops aeronautical computing techniques, to assist the real-time verification of its architecture. The case study revealed four unintended deadline misses during the model's verification process, whereas the requirement states that the tasks should be schedulable under the given worst-case execution times. Since this domain is highly safety-critical, every single fault identified in the architecture design phase is considered a significant contribution to assuring the overall safety of the system.
The rest of the paper is organized as follows. Section 2 presents related contributions, terminology and research work within the domain. The problem definition is given in Section 3, and the research methodology in Section 4. Section 5 explains the case study and our interpretation of it. Our conclusions and a discussion of the research analysis are given in Section 6. Finally, Section 7 acknowledges the funding organization.
II. RELATED WORK
A. SYSTEM STATE ANALYSIS
The state machine introduced by Harel [22] has proved helpful for modeling the behavior and logic of components in the real-time system domain. A systems engineering methodology known as System State Analysis has been developed to model a system, identify undesirable or potentially hazardous states, and evaluate requirements and objectives [23].
B. TIMED AUTOMATA
Finite state machine (FSM) based theories and tools are widely accepted in both industry and academia for early verification of real-time temporal requirements [24]. To model the behavior of finite-state asynchronous real-time systems, timed automata theory was proposed by Alur and Dill [25]; it extends the finite state machine with a finite set of clocks. Since timed automata only contain clock variables, Larsen et al. [26] extended them with variables over value domains and designed Uppaal, an important tool for modeling and verifying real-time systems in which temporal verification uses both state variables and clocks.
C. PERIODIC FINITE STATE MACHINE (PFSM)
Furthermore, to fix the temporal defects in the design of the traditional event-triggered architecture (ETA), a global-time-base architecture called the time-triggered architecture (TTA) was proposed by Kopetz [27]. To describe and verify the temporal relations of the TTA, an extension of the FSM for temporal verification called the periodic finite state machine (PFSM) [28] was designed for verifying the real-time features of a system.
D. MDE IN AVIATION INDUSTRY
In the aviation industry, MDE is widely accepted for system development and is also recommended by authorities such as the FAA and EASA [5]. Commercial tools such as SCADE [29] and the Mathworks tool suite [30] are important in supporting MDE. Stateflow is an important part of the Matlab/Simulink environment [31]. A Stateflow chart can contain sequential and combinatorial logic in the form of state transition diagrams, flow charts, state transition tables and truth tables. It has become an important tool in industry for early verification of algorithms and for modeling event-based temporal logic systems; for example, NASA introduced Stateflow in the Space Launch System to address the criticality of verification testing of these algorithms, and specifically the need for an early look at algorithm success criteria [32], [33].
III. PROBLEM DEFINITION
A. IMA ARCHITECTURE
A typical distributed integrated modular avionics system is depicted in Fig.2. The APEX (Application Execution Interface) standardized by ARINC653 facilitates the development of distributed software applications [34]. The RTOS is deployed on a so-called Core Processing Module (CPM), which connects to many external devices (e.g., sensors, actuators). The application is deployed into an RTOS partition (shown in Fig.2 as P i).
The avionics application represented in Fig.2 can be described formally by a set P = {P 1, . . . , P i} of partitions that have to be allocated and scheduled on a set of
In industry, hundreds of connections can be established among these basic components during the implementation of integrated modular avionics. In the early stage of avionics application development, how to verify the temporal performance on this distributed, resource-sharing platform is a crucial problem that needs to be settled. Consequently, in this paper our research aims to answer the following RQs:
RQ1: How to verify the temporal requirement of architecture design under integrated modular avionics(IMA)?
An integrated modular avionics (IMA) system is a typical distributed real-time system. Different components are developed in a distributed manner by different suppliers. Each component has its own design model from a different point of view, such as the fault tolerance model of a sensor, the safety design of a function, or the configuration model of the platform. Therefore, how to evaluate the temporal performance of the design during the early design phase of the application is a question that should be answered.
RQ2: How to model and evaluate the effect of the designs of correlated components on temporal performance independently?
The distributed development of integrated modular avionics requires protocols or assumptions to be agreed between correlated components. The temporal performance evaluation of the avionics application also needs to take these protocols or assumptions into consideration; in other words, they need to be modeled together with the design model of the avionics application. Thus, to obtain a full performance evaluation, independent temporal verification needs to be settled first, as recommended by DO-297.
RQ3: How to evaluate the effect of the designs of correlated components on temporal performance jointly?
The combination of different models from different components is the more common scenario in practice. These models affect temporal performance through different mechanisms and may amplify or mitigate each other's effect on time consumption. Therefore, it is significant for the system designer to verify temporal performance by integrating the models and analyzing the temporal performance under the combination of the independent components mentioned in RQ2.
IV. METHODOLOGY
The objective of this research study is to verify the temporal requirements of an avionics application under the IMA architecture in the early design phase. The methodology answers the research questions by modeling the static architecture components and the dynamic behavior defined in the ARINC653 standard.
Furthermore, the specific functional design of the avionics application is described by integrating the behavior model with temporal properties for the verification of the temporal requirements.
In this research study, the fundamental design and temporal relations are extracted from ARINC653; similar past research can be found in [5]. The temporal requirements and design of the avionics (e.g., redundancy, fault handling strategy) are modeled according to our domain knowledge [3], and a finite state machine (FSM) with temporal logic is introduced to model the behavior and temporal performance of the system.
The state machine model built for the case study consists of 210 states, 335 transitions and 149 functions. Moreover, a comprehensive set of 15 experiments, each with 200 simulation cycles, was conducted to analyze the contribution of the models to the temporal verification of the architecture design.
The IMA architecture is a shared and configurable resource platform, as illustrated in Fig.3. It contains many software and hardware elements (applications, RTOS, network, sensors, actuators, ...) with functional and structural dependencies. Each component has timing and safety requirements with different levels of criticality. Functions are allocated to resources according to these requirements, which are expressed in terms of processing time, memory, network communication and interfaces on the platform. The allocation of these resources is defined in the configuration table.
In IMA design, the process of architecting a system on the platform can be described as the incremental process recommended by DO-297, shown in Fig.4. Functions (e.g., autopilot, primary flight controls) are allocated the required resources in terms of allocation units (e.g., processing, memory and network) through configuration tables. Therefore, the first step is to define the required functions and the correlated hardware of a given application. After that, the logical SW/HW architecture is designed, and its availability and performance are verified against the requirements. The third step defines the SW and HW requirements. The fourth step defines the communication between system elements. The final step allocates the logical system onto the interface with the assistance of configuration tables.
In this research study, the temporally related elements defined in ARINC653 are captured to support early real-time verification of the SW architecture design. From the temporal perspective illustrated in Fig.5, the configuration table defines the major time frame (MAF), the cyclic interval defined for the core module. The offset, duration and period defined for each partition make up the time slot assigned to that partition; the slots together constitute the cyclic interval. During its time slot, tasks execute under a specific preemptive scheduling algorithm. Furthermore, each task should be scheduled within its given period and must meet its capacity and deadline requirements. The temporal allocation and the preemptive schedule constitute a two-layer schedule, which is affected by time management operations (e.g., a REPLENISH request) or by the error handling strategy defined in the Health Monitor (HM).
According to the concept model, four important entities need to be modeled from ARINC653. Moreover, four aspects of state need to be captured to model the dynamic behavior and verify the temporal requirements of the elements defined in ARINC653:
• states and the transitions between them
• state variable definitions
• trigger events and transition guard conditions of each state
• temporal logic defined in state transfers
However, the concrete temporal requirements are not part of the content described in ARINC653; they are defined in the requirements or in the design of the specific RTOS and application according to the implementation.
A. PARTITION MODEL
The partition states and their transitions are defined in Fig.6. As shown, four partition states are defined in ARINC653: IDLE, NORMAL, COLD_START and WARM_START. In IDLE mode, no process is executing, but the partition windows allocated to the partition are preserved. In NORMAL mode, the partition's initialization is complete and the partition's process scheduler is active. COLD_START and WARM_START are two ways of initializing the partition; they differ in the initial environment (e.g., WARM_START does not need to copy data from non-volatile memory to RAM).
B. PROCESS MODEL
According to the ARINC653 standard, four states and their transitions are defined in the behavior model. These states are dormant, ready, running and waiting; they are accompanied by process properties such as period and priority, and the APEX interfaces are also required by the standard. In this research study, the states and the properties mentioned above are modeled in the process simulation model. As shown in Fig.7, the states and transitions are defined with the event, guard condition and postcondition between states.
C. TIME MANAGEMENT OF PROCESS
In temporal management, three operations are used to manage the temporal capacity of a process:
• The TIMED_WAIT request suspends execution for at least the specified amount of elapsed time. In particular, a delay time of zero allows round-robin scheduling of processes of the same priority.
• The PERIODIC_WAIT request suspends execution of the requesting periodic process until its next release point in the processor timeline, according to the period of the process.
• The REPLENISH request updates the deadline of the current process with a specified BUDGET_TIME value; however, the process's deadline cannot be postponed past its next release point.
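As an added example (not part of the paper or its IST library), the following Python model encodes the four process states of the previous subsection together with the three time management services just listed. The tick granularity, the priority convention (larger value wins), the names and the two-process scenario in demo() are assumptions of this example. Its point is the REPLENISH rule: the new deadline is now + BUDGET_TIME, clamped to the next release point of a periodic process, while an aperiodic process has no such bound; TIMED_WAIT with a zero delay only moves the caller behind equal-priority processes in the ready queue.

```python
from collections import deque
from dataclasses import dataclass
from typing import Optional

DORMANT, READY, RUNNING, WAITING = "DORMANT", "READY", "RUNNING", "WAITING"


@dataclass
class Process:
    name: str
    priority: int           # larger value = higher priority (convention assumed here)
    capacity: int           # time capacity: deadline = release point + capacity
    period: Optional[int]   # None marks an aperiodic process
    state: str = DORMANT
    release: int = 0        # most recent release point
    deadline: int = 0
    wake_at: Optional[int] = None

    def start(self, now: int) -> None:
        """START service: DORMANT -> READY, released at `now`."""
        self.state, self.release, self.deadline = READY, now, now + self.capacity

    def next_release(self) -> int:
        """Next release point of a periodic process."""
        return self.release + self.period

    def timed_wait(self, now: int, delay: int) -> None:
        """TIMED_WAIT: suspend for at least `delay`. A zero delay keeps the
        process READY; the caller requeues it behind equal-priority processes."""
        if delay == 0:
            self.state = READY
        else:
            self.state, self.wake_at = WAITING, now + delay

    def periodic_wait(self) -> None:
        """PERIODIC_WAIT: suspend until the next release point of the period."""
        self.state, self.wake_at = WAITING, self.next_release()

    def replenish(self, now: int, budget: int) -> int:
        """REPLENISH: deadline := now + budget, but a periodic process's
        deadline is never postponed past its next release point."""
        self.deadline = now + budget
        if self.period is not None:
            self.deadline = min(self.deadline, self.next_release())
        return self.deadline

    def tick(self, now: int) -> bool:
        """Advance to time `now`: wake a WAITING process whose wake-up time has
        come (a job at a release point gets a fresh deadline) and report whether
        the process is late (READY or RUNNING past its deadline)."""
        if self.state == WAITING and self.wake_at is not None and now >= self.wake_at:
            self.state, self.wake_at = READY, None
            if self.period is not None and now >= self.next_release():
                self.release = self.next_release()
                self.deadline = self.release + self.capacity
        return self.state in (READY, RUNNING) and now > self.deadline


class ReadyQueue:
    """Highest priority first; FIFO among equal priorities (round-robin)."""

    def __init__(self) -> None:
        self._q: deque = deque()

    def enqueue(self, p: Process) -> None:
        self._q.append(p)

    def pick(self) -> Optional[Process]:
        ready = [p for p in self._q if p.state == READY]
        if not ready:
            return None
        chosen = max(ready, key=lambda p: p.priority)  # max() keeps the earliest on ties
        self._q.remove(chosen)
        chosen.state = RUNNING
        return chosen


def demo() -> dict:
    """Constructed scenario: A is periodic (period 20, capacity 10), B is
    aperiodic; both have priority 5 and are started at t=0."""
    a = Process("A", priority=5, capacity=10, period=20)
    b = Process("B", priority=5, capacity=30, period=None)
    q = ReadyQueue()
    for p in (a, b):
        p.start(0)
        q.enqueue(p)
    out = {"first_pick": q.pick().name}          # A: equal priority, enqueued first
    a.timed_wait(3, 0)                           # A yields at t=3 ...
    q.enqueue(a)                                 # ... and goes behind B
    out["after_yield"] = q.pick().name           # B
    out["b_deadline"] = b.replenish(5, 100)      # aperiodic: 5 + 100 = 105
    out["a_deadline"] = a.replenish(12, 20)      # 32 clamped to next release point 20
    a.periodic_wait()                            # A waits for its release point at 20
    out["a_late_at_15"] = a.tick(15)             # False: still WAITING
    a.tick(20)
    out["a_release"], out["a_deadline_after_wait"] = a.release, a.deadline  # 20, 30
    out["a_late_at_31"] = a.tick(31)             # True: READY but past deadline 30
    return out
```

The deadline-miss flag returned by tick() is the event that the Health Monitor described below receives; a scheduler built on this model would raise it to the HM instead of just returning it.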
D. HEALTH MONITOR
The Health Monitor (HM) is invoked by calling the APEX service, either by the O/S or when hardware detects a fault in the avionics application. The recovery actions for module-level and partition-level errors are specified in the HM tables, while the recovery actions for process-level errors are defined by the application programmer in a specific error handler process. The mechanism can be modeled as follows. When the application raises an error such as a missed deadline or a numeric error, the partition creates an error handler, which obtains the error status (e.g., error code, identifier, address) from the HM; the HM stores errors temporarily in a FIFO queue. The error handler process can start or stop processes and can also invoke the APEX SET_PARTITION_MODE service to restart the partition (COLD_START or WARM_START). However, if no error handler has been created, the error is treated as a partition-level error and is recovered as defined in the partition HM table.
E. CONFIGURATION MODEL
As required by ARINC653, resource allocation and application deployment are defined by the configuration table. In this research study, the key elements defined in the configuration have also been modeled to facilitate the simulation of the application; the relationships between the key elements of the configuration file are shown as a class diagram in Fig.9.
As shown in Fig.9, the whole system can be deployed to one or more partitions, each partition is allocated at least one task, and the tasks create one or more communication ports within or between partitions.
F. TEMPORAL RELATION UNDER IMA
The temporal behavior of IMA is cyclic: all partitions hosted on the same CPM are scheduled within a cyclic frame called the major time frame (MAF). The temporal relationship between partitions is shown in Fig.10. A partition is a periodic unit defined within the MAF; it can be described by its duration and period as the execution unit of the partitions defined within one module. The activation order of the segments is fixed statically by the configuration table. Meanwhile, from the temporal point of view, all tasks run within partitions. A function can be defined by a 5-tuple (start time, execution time, capacity, deadline, priority). The functions within a partition are scheduled by a preemptive scheduling algorithm; a basic requirement of temporal verification is to make sure that all tasks finish their assignments before their deadlines while guaranteeing temporal separation between tasks. In this research study, the model was implemented with Simulink and Stateflow as a Simulink library named IMA Simulation Tool (IST) to support behavior modeling that complies with the finite state machine definitions of the ARINC653 standard. Fig.11 shows the overall architecture of IST.
Here, two basic parts of the architecture defined in ARINC653 were designed to facilitate modeling for integrated modular avionics:
FIGURE 11. IST tool architecture.
VOLUME 7, 2019
1) The Stateflow library defines the states and transitions according to ARINC653.
2) The Simulink library defines the elements of the host platform according to ARINC653.
The model designed above presents the IMA system at different levels, as in previously reported work. However, from the distinct perspective of dynamic behavior, time is not a built-in property in Stateflow, and assigning time consumption per function may require a more complex calculation to obtain the final result. The partition concept can be used to define global or local variables for time recording, which helps to obtain a reasonably robust result.
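The two-layer schedule of the temporal relation subsection, the deadline check and the temporal separation requirement can be exercised in a small discrete-time simulation. The Python block below is an added example and is not the paper's IST library. The MAF of 20 ms with a 14 ms slot for P1 and a 6 ms slot for P2 follows the case study; the five tasks, their 5-tuples, the priority convention and the decision to drop a job that has missed its deadline (after reporting it to a FIFO like the Health Monitor queue described above) are constructed assumptions. P2 is deliberately given 7 ms of work in a 6 ms slot so that the deadline miss and its HM record show up.

```python
from collections import deque
from dataclasses import dataclass


@dataclass
class Window:
    """One partition time slot inside the major time frame (MAF)."""
    partition: str
    offset: int     # start of the slot within the MAF
    duration: int   # length of the slot


@dataclass
class Task:
    """The 5-tuple from the text plus the period; deadline = release + capacity."""
    name: str
    partition: str
    start: int       # first release point
    execute: int     # execution time per job (WCET)
    capacity: int    # time capacity; the deadline is release + capacity
    period: int
    priority: int    # larger value = higher priority (convention assumed here)
    remaining: int = 0
    deadline: int = 0
    next_release: int = 0


def active_partition(windows, maf, now):
    """Layer 1: the partition owning the processor at time `now` (None in a gap)."""
    t = now % maf
    for w in windows:
        if w.offset <= t < w.offset + w.duration:
            return w.partition
    return None


def simulate(windows, maf, tasks, horizon):
    """Layer 2: fixed-priority preemptive scheduling of the active partition's
    tasks, one time unit per tick. Returns (deadline misses, execution trace,
    HM error queue). Dropping the late job is this example's assumed recovery
    action, not something ARINC653 prescribes."""
    for t in tasks:
        t.next_release, t.remaining = t.start, 0
    misses, trace, hm_queue = [], [], deque()
    for now in range(horizon):
        for t in tasks:
            # deadline check first, so a job still pending at its own next
            # release point is reported before the new job replaces it
            if t.remaining > 0 and now >= t.deadline:
                hm_queue.append(("DEADLINE_MISSED", t.name, now))  # HM keeps errors FIFO
                misses.append((t.name, now))
                t.remaining = 0
            if now == t.next_release:
                t.remaining, t.deadline = t.execute, now + t.capacity
                t.next_release += t.period
        part = active_partition(windows, maf, now)
        ready = [t for t in tasks if t.partition == part and t.remaining > 0]
        if ready:
            run = max(ready, key=lambda t: t.priority)   # preempts lower priorities
            run.remaining -= 1
            trace.append((now, part, run.name))
    return misses, trace, list(hm_queue)


def separation_violations(trace, tasks, windows, maf):
    """Temporal separation check over a trace: no task may execute outside
    its own partition's window."""
    owner = {t.name: t.partition for t in tasks}
    return [(now, name) for now, part, name in trace
            if owner[name] != active_partition(windows, maf, now)]


# constructed configuration: MAF of 20 ms, P1 gets 14 ms and P2 the remaining 6 ms
MAF = 20
WINDOWS = [Window("P1", 0, 14), Window("P2", 14, 6)]
TASKS = [
    Task("Sampler", "P1", start=0,  execute=3, capacity=14, period=20, priority=3),
    Task("Control", "P1", start=0,  execute=6, capacity=14, period=20, priority=2),
    Task("Output",  "P1", start=0,  execute=4, capacity=14, period=20, priority=1),
    Task("Auditor", "P2", start=14, execute=4, capacity=6,  period=20, priority=2),
    Task("IFBIT",   "P2", start=14, execute=3, capacity=6,  period=20, priority=1),
]


def run_demo(horizon=41):
    misses, trace, hm = simulate(WINDOWS, MAF, TASKS, horizon)
    return misses, trace, hm, separation_violations(trace, TASKS, WINDOWS, MAF)


if __name__ == "__main__":
    m, tr, hm, sep = run_demo()
    print("deadline misses:", m)          # IFBIT at t=20 and t=40: P2 needs 7 ms in a 6 ms slot
    print("HM queue:", hm)
    print("separation violations:", sep)  # []
```

The trace makes both layers visible: Sampler, Control and Output occupy ticks 0 to 12 of each MAF in priority order, Auditor preempts IFBIT in the P2 slot, and the lowest-priority task is the one that misses when the slot is overcommitted.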
V. INDUSTRY CASE STUDY
The purpose of the case study is to model the design of an avionics application by following the methodology described in Section IV, and to demonstrate the effectiveness of the methodology in verifying the temporal performance of avionics under the IMA architecture in the early design phase.
A. DESCRIPTION OF CASE STUDY
An autopilot system controls and guides an aircraft on the basis of control law computations that take data sampled from sensors as input and send commands to actuators. As a subsystem of an avionics system, a typical implementation of an autopilot system, excluding device drivers, can have roughly 12,000 lines of C code.
To ensure safe operation, the autopilot system is fault tolerant with a redundant design. At the end of each clock cycle, redundant inputs from sensors are given to the autopilot system, and multiple computation methods produce redundant outputs to be voted on. Many periodic tasks run in the application. According to the HLRs of the application, the application period is set to 20 ms, the minimum among the periods of all the tasks (20, 40 or 60 ms). The system is deployed on an RTOS partition (a layer of IMA, named ARINC653Partition). The system period (20 ms) is further divided into two time frames of 6 and 14 ms to schedule different tasks sequentially. The data-sampling task (sampling data from sensors), input-voting task, control law computation task and output-voting task execute sequentially in the first frame. The output realization by actuators, actuator monitoring, fault auditing and in-flight built-in test (IFBIT, periodically performing BIT during flight) tasks execute sequentially in the second frame. The fault-auditing task, as the safety-monitoring task, reviews the faults reported by the tasks scheduled in the system period and records them to external storage that is accessible when the system is in maintenance mode.
There are four specific types of faults mentioned in the high-level requirements of the autopilot system: synchronization faults (before data transmission), data transmission faults (during transmission), sensor faults and actuator faults. To achieve reliable data transmission via a device (e.g., an AFDX device [35]), the device, sender and receiver should first be synchronized via, for example, a request and acknowledgment mechanism. A synchronization fault occurs, for example, in the following situation:
• the acknowledgment from the receiver is not received within the required time;
• data then cannot be transmitted;
• the system resynchronizes in the next period.
Transmission, sensor and actuator faults are treated as transient faults if they can be recovered within at most 10 retries; otherwise they are considered permanent faults. The autopilot system has four BIT functionalities:
• PUBIT (power-up BIT, executed when the autopilot system is powered up)
• PBIT (preflight BIT, executed right before the aircraft takes off)
• IFBIT (in-flight BIT, executed during flight)
• MBIT (maintenance BIT, executed when the aircraft is in maintenance mode)
Obviously, only IFBIT has safety effects on the aircraft, as it is executed during flight.
B. THE BEHAVIOR MODEL OF AUTOPILOT SYSTEM
The behavior state machine model consists of three parts:
• the partition state machine, which depicts the state transitions of the partition defined by ARINC653;
• the process state machine, which depicts the state transitions of the process defined by ARINC653 and the application, together with application-specific features such as the period and priority of each process;
• the component state machine, which depicts the runtime features of components. The processes of the process state machine actually run over several components, and the actual time consumption is also determined by these components. Every process owns its own components, while the FaultAuditor component is shared. The functionalities of these processes are as follows:
• Process1 is the task that collects flight data from the sensors; for reliability, more than one sensor collects data, and the voter decides which data can be used for ControlLawComputing.
• Process2 is the task that computes the control law and sends the flight command to the Actuator, whose action is to adjust the flight status as the command requires; that action is the process defined by Process3.
• All components' faults are sent to Process4, and if a fault is confirmed it is written to NVRAM.
• Process5 checks whether every device runs well during the flight.
C. TEMPORAL REQUIREMENT
The avionics application is deployed on an RTOS developed by our industry partner, which runs on a hardware platform with a PowerPC 8640 at 1.0 GHz, a 400 MHz front-side bus, 1 GB RAM, and 32 KB instruction and 32 KB L1 cache. The temporal performance data are shown below. Temporally related properties of the case are provided in several tables: the scheduling requirements for each partition can be seen in Fig.12, where one can observe that the scheduling policy between partitions is non-preemptive and the only difference between partitions is the time assigned by the configuration table.
The scheduling policy of tasks within a partition is preemptive; their priorities and periods are given in Table 4. The error handling strategies corresponding to the HLR are also defined during system design, as can be seen in Table 5.
D. EXPERIMENT AND RESULT ANALYSIS
Inaccuracies may conceivably occur while a process runs. We implemented our experiment in two scenarios:
1) ARCHITECTURAL MODEL
The corresponding simulation model is depicted in Fig.13. Matlab/Simulink/Stateflow was used in IST as the experiment platform. Three levels of the architecture are depicted in the model:
• the scheduling policy of the platform
• the state transitions of the application
• communication within and between partitions
The architectural model describes the constitution of the whole simulation model, which is composed of four parts:
• Stateflow components, which depict the partition concept of the ARINC653 system.
• Scheduler components, which include a pulse generator used to simulate the partition schedule, and a process scheduler residing in the Stateflow components used to simulate the process schedule within the partition.
• The communication channel, which is simulated by a shared buffer defined in Simulink.
• Result Record, which can be used to conduct real-time analysis after the simulation.
To get a full illustration of the temporal features of the AP system under fault injection, we use the full set of fault combinations. In our allocation model, Process1, Process2 and Process3 are deployed in partition 1 (P1), while Process4 and Process5 are installed in partition 2 (P2). Considering the workflow of the AP system, the IFBIT_FAULT in P2 has no effect on the processes in P1. However, every fault that happens in P1 is recorded by the FaultAuditor in P2. Consequently, we obtain the combination of faults in P1 by:
Considering the faults in P2 as well, we obtain the full set of 2^numOfFault = 16 fault combinations. We distributed these fault scenarios evenly over the simulation cycles and obtained the fault injection table shown in Table 6. As a fault in P2 has no effect on P1, the composition (1,6) can be deemed as the fault InvalidSamplerData_fault occurring independently in P1; and since the system requires the AP system to be shut down if any fault occurs in Fault_Auditor, we do not take that fault into consideration in our simulation.
As required by the AP system, the time slot T_assign assigned to P1 is 14 ms and that of P2 is 6 ms; the time consumption of a partition is denoted t_estimate, so the requirement of the AP system is:
t_estimate is calculated here under the fault injection scenario, so the distribution of the faults is given by:
The time consumption of process i in the partition is defined as t_process(i), and the fault handling time as t_errorhandle(i):
so Equation (2) can be rewritten as:
Equation (5) defines the constraint on time consumption across the different partitions, which must be satisfied for the temporal requirement of the AP system to hold.
To analyze the contribution of different factors to time consumption, the time consumption with and without the effect of each factor was simulated. In this research, t_normal is defined as the time consumption in the normal case and t_effect as the time consumption under the effect of a factor; the contribution is then defined as:
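The slot constraint above (t_estimate, the per-partition sum of t_process(i) and t_errorhandle(i), not exceeding T_assign of 14 ms for P1 and 6 ms for P2) can be evaluated over the full set of 2^numOfFault = 16 fault combinations. The Python block below is an added example, not the paper's model or its Table 6. The per-process execution times, the retry cost and retry count of each fault, the audit cost charged to P2 for every P1 fault (the FaultAuditor records it) and the escalation cost of a permanent fault after the 10-retry bound are constructed values, chosen so that P1 overruns on some combinations while P2 stays within its slot; it evaluates only the constraint and leaves the contribution measure to the paper's Equation (6).

```python
from dataclasses import dataclass

T_ASSIGN = {"P1": 14.0, "P2": 6.0}   # ms, time slots from the case study
MAX_RETRIES = 10                      # transient faults must recover within 10 retries (HLR)
PERMANENT_FAULT_COST = 2.0            # ms, constructed escalation cost beyond the retry bound
AUDIT_COST = 0.5                      # ms, constructed: FaultAuditor in P2 records each P1 fault

# constructed per-process execution times in ms (Table 4 is not reproduced here);
# Process1..3 are deployed in P1 and Process4..5 in P2, as in the allocation model
T_PROCESS = {"P1": {"Process1": 3.0, "Process2": 6.0, "Process3": 2.5},
             "P2": {"Process4": 2.0, "Process5": 1.5}}


@dataclass(frozen=True)
class Fault:
    name: str
    partition: str      # partition whose error handler pays the retry cost
    retry_cost: float   # ms per retry attempt (constructed)
    retries: int        # retries needed before recovery in this scenario (constructed)


# the four HLR fault types; bit i of a combination mask selects FAULTS[i]
FAULTS = [Fault("synchronization_fault", "P1", 0.4, 3),
          Fault("transmission_fault", "P1", 0.3, 2),
          Fault("sensor_fault", "P1", 0.5, 4),
          Fault("actuator_fault", "P1", 0.6, 2)]


def t_errorhandle(fault: Fault) -> float:
    """Handling time of one fault: bounded retries, then permanent-fault escalation."""
    cost = min(fault.retries, MAX_RETRIES) * fault.retry_cost
    if fault.retries > MAX_RETRIES:
        cost += PERMANENT_FAULT_COST
    return cost


def t_estimate(mask: int) -> dict:
    """Per-partition sum of t_process(i) + t_errorhandle(i) for one fault combination."""
    est = {p: sum(T_PROCESS[p].values()) for p in T_ASSIGN}
    for bit, f in enumerate(FAULTS):
        if mask >> bit & 1:
            est[f.partition] += t_errorhandle(f)
            if f.partition == "P1":
                est["P2"] += AUDIT_COST   # P1 faults are recorded by FaultAuditor in P2
    return est


def fault_names(mask: int) -> list:
    return [f.name for bit, f in enumerate(FAULTS) if mask >> bit & 1]


def evaluate_all() -> list:
    """All 2**len(FAULTS) combinations as (mask, faults, t_estimate, meets T_assign)."""
    rows = []
    for mask in range(2 ** len(FAULTS)):
        est = t_estimate(mask)
        ok = all(est[p] <= T_ASSIGN[p] for p in T_ASSIGN)
        rows.append((mask, fault_names(mask), est, ok))
    return rows


def violating_masks() -> list:
    """Combinations under which some partition exceeds its assigned slot."""
    return [mask for mask, _, _, ok in evaluate_all() if not ok]


def injection_schedule(cycles: int = 200) -> dict:
    """Spread the 16 scenarios evenly over the simulation cycles (assumed placement)."""
    n = 2 ** len(FAULTS)
    step = cycles // n
    return {(k + 1) * step: k for k in range(n)}


if __name__ == "__main__":
    for mask, names, est, ok in evaluate_all():
        print(f"{mask:2d} {'OK  ' if ok else 'MISS'} P1={est['P1']:.1f} P2={est['P2']:.1f} {names}")
```

With these constructed values, no single fault breaks P1's 14 ms slot, but eight of the sixteen combinations do, and P2 never exceeds 6 ms even when all four P1 faults are audited; this mirrors the shape of the case study result, in which the overruns arise from combined fault handling in P1 while P2 stays within its requirement.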
2) RESULT ANALYSIS
The objective of our research study was to provide a comprehensive reference model which can be used for the verification of the temporal requirements of avionics in the early design phase. In this section, the results are examined. Moreover, at the end of this section, we address all the research questions raised in the problem definition section. The data obtained from our case study show that the fault-handling strategy of the application can be a factor making a larger contribution to the overrun of a partition, while the effect of the other factors is not so significant. In our case, the temporal performance was obtained from the simulation of state transitions with the temporal attributes defined in the behavior model of the application. The results are compared under the fault and no-fault scenarios. One can obtain the effect of fault injection on the time performance of a partition, and also compare the effect of different fault-handling strategies on temporal performance. Fig. 14 summarizes the results obtained by using IST to get the time performance of P1 and P2 under the fault and no-fault scenarios. First, it is apparent that every partition runs on schedule, without temporal violations, under the no-fault scenario, as shown in Fig. 14(a) and Fig. 14(c). Nevertheless, when faults happen in the partitions, violations of the temporal requirement occur at run time. The time consumption without fault injection during the simulation cycle satisfies the temporal requirement of the system. We obtained significantly different data from the simulation under the fault-injection cycle, as can be seen from Fig. 14(b) and Fig. 14(d). It can be observed that in cycles 10, 30, 50, 60, 70, 80, 100, 110, 120, 130, 140 and 150, the time consumption under fault injection was considerably higher than in the normal state.
A significantly higher time consumption occurs in cycles 60, 110, 130 and 150; consequently, the violation of the temporal requirement of the system happens in P1 during these cycles, which can be seen from Fig. 14(b). Fig. 14(d) shows the time performance of P2 under fault injection; compared with Fig. 14(c), the time consumption increased greatly, but still satisfies the requirement of the system (less than 6 ms). With Equation (6), we obtain the contribution of the different fault combinations, as shown in Fig. 15.
As can be observed, the contributions of the different factors and their combinations differ from each other. The fault combination with the highest contribution is shown in the diagram; it exceeds the temporal requirement of the partition. The common feature of these scenarios is that fault (1) and fault (3) happen simultaneously, which makes a large contribution to the violation of the temporal requirement. As can be observed in the figure, when either of these faults occurs on its own, the time consumption increases.
The fault-handling strategy used for fault (1) and fault (3) is a retry-twice operation, which differs from the others and can be the reason why these faults contribute much more to the temporal violation. In order to reduce the time consumption and meet the requirements of the system, we changed the strategy by reducing the number of retries for fault (1) and fault (3) from retry-twice to retry-once, kept the other factors unchanged, and simulated again. The result obtained from the simulation can be seen in Fig. 16:
As can be seen from the figure, the retry-once strategy significantly decreases the time consumption of the system and ensures that the system meets its time requirement in both partitions. We also observed a reduction of the time consumption in P2. We classified the experiments into different groups, in which each group has five results from independent experiments under the same conditions. Afterwards, we take the average time of each group to obtain a more trustworthy result. Based on this approach, the results can not only be used to analyze the result of a specific execution order, but can also provide a more general result for optimizing the design of the application.
With the help of this model and simulation tool, the designer can assess the different contributions of the factors that arise in the design phase, and furthermore optimize or fix the early design according to the simulation results. Thus, the designer can efficiently obtain a design with low temporal cost for an ARINC653 conformed application.
The objective of this study was accompanied by three research questions. After the formation of the reference model and the implementation of the research objectives, we are now in a position to answer the research questions.
RQ1: How to verify the temporal requirement of an architecture design under integrated modular avionics (IMA)? A behavior model has been proposed to describe the dynamic mechanism defined in ARINC653, which forms a basic facility for modeling and validating the interaction between APEX and the application. Furthermore, some typical designs of RT systems (e.g., sensor redundancy, fault isolation) have been modeled to support the temporal validation of the early design. With these models, the temporal validation can be evaluated by simply running the simulation.
RQ2: How to model and evaluate the effect on temporal performance of correlated component designs independently? With the facility of the finite-state-machine based behavior model, the evaluation of factors acting independently consists of modeling the concrete behavior of the application and the RTOS in a concrete scenario. In our research case study, a typical process for modeling and evaluating the temporal validation is presented. As shown in the case study, the fault injection was designed to evaluate the temporal behavior under different compositions, which is used to evaluate the contribution of each temporal delay independently.
RQ3: How to evaluate the effect on temporal performance of correlated component designs jointly? To evaluate the combined contribution of the factors mentioned above, they need to be modeled in the simulation tool, and the same process mentioned in RQ2 should be followed. A slight difference is that the independence between factors should be analyzed before the simulation, for the efficiency and coverage of the simulation. In the case study, two kinds of independent errors and their composition were found to cause the time limit of the partition to be exceeded.
This study, therefore, indicates that behavior-model based time performance evaluation can be an effective method to obtain a better design. The simulation framework provides a reusable library to validate the temporal performance of the design of a host application following the IMA architecture during the design phase, and it can potentially be extended to model and evaluate the contribution of more complex compositions of factors to the temporal requirement. However, some limitations are worth noting: although at the design level the time consumption caused by the factors considered here is mostly independent, this assumption does not always hold, because of the shared-resource architecture of IMA systems.
VI. CONCLUSION
Ample work has been conducted on the verification of temporal requirements for integrated modular avionics, e.g., schedulability [15], end-to-end latency of the communication system [10], static timing analysis [8], and PMBTA [36].
For industrial applications, less attention has been paid to evaluating the effect on the temporal requirement in the design phase. Known temporal information, such as communication delay and RTOS service performance, can be used to support the temporal validation of a new application design. However, these factors do not take effect independently. Hence they need to be given careful consideration in the design phase. Subsequently, this information can be used further to support the designer in obtaining a more feasible system design.
In this study, we modeled the application and the host platform conforming to ARINC653. By feeding the model with empirical temporal parameters, we conducted experiments to discover the contribution of the factors which may contribute to the temporal delay in an industrial case. Our method provides a helpful reference to the decision maker for design refinement and factor reconfiguration in order to satisfy the temporal constraints.
The results show that, with this simulation model, the factors contributing to the temporal delay can be estimated and associated with the temporal violation in a quantitative manner. A common infrastructure is provided for the temporal verification of ARINC653 conformed applications. The cost of collecting the related temporal attributes is reduced, and the dynamic connections among the temporal attributes are illustrated. A designated method is offered to the designer to obtain a design with predictable mandatory temporal constraints at an earlier stage.
CHAO LIU received the M.S. degree in computer software and theory and the Ph.D. degree from Beihang University, where he is currently a Professor of software engineering. In the recent ten years, he has mainly focused on the modeling and verification of safety-critical software and systems, including safety requirement modeling and analysis, evidence-based software safety analysis and evaluation, software safety and reliability analysis based on the software development process, and model-driven software testing. His research interests include software quality engineering, software testing, model-driven software development, and software process improvement.
SYED SARMAD ALI received the M.S. degree from Coventry University, U.K., in 2012. He is currently pursuing the Ph.D. degree in software engineering with the Software Engineering Institute, Beihang University. He was an Assistant Professor with The University of Lahore, Pakistan, for five years. His research mainly focuses on MOEAs using co-evolution in search-based software engineering.
JIAN REN received the M.Sc. degrees from the Queen Mary University of London and King's College London and the Ph.D. degree in computer science from University College London. He is currently an Assistant Professor with the School of Computer Science, Beihang University, Beijing. His research interests include search-based software engineering, software project planning and management, requirements engineering, and evolutionary computation.
