
    End-to-end delay analysis in an Integrated Modular Avionics architecture

    Recent modular avionics architectures have been designed to share computation and communication resources. However, such an approach creates new challenges to master the temporal properties of avionics applications. In the context of IMA (Integrated Modular Avionics), it is crucial to investigate the performance gains that future integration platforms and software will propose. This paper brings to light the impact of spatial and temporal integration choices on the communication performance (e.g. message loss rate, latencies, ...). The conclusion of this investigation is that it is necessary to conduct a thorough modeling and simulation study of an IMA architecture integrating several applications during its early design stages.

    Network Latency and Packet Delay Variation in Cyber-physical Systems

    The problem addressed in this paper is the limitation imposed by network elements, especially Ethernet elements, on the real-time performance of time-critical systems. Most current network elements are concerned only with data integrity, connection, and throughput with no mechanism for enforcing temporal semantics. Existing safety-critical applications and other applications in industry require varying degrees of control over system-wide temporal semantics. In addition, there are emerging commercial applications that require or will benefit from tighter enforcement of temporal semantics in network elements than is currently possible. This paper examines these applications and requirements and suggests possible approaches to imposing temporal semantics on networks. Model-based design and simulation is used to evaluate the effects of network limitations on time-critical systems.

    Freshness and Reactivity Analysis in Globally Asynchronous Locally Time-Triggered Systems

    Critical embedded systems are often designed as a set of real-time tasks, running on shared computing modules, and communicating through networks. Because of their critical nature, such systems have to meet timing properties. To help the designers to prove the correctness of their system, the real-time systems community has developed numerous approaches for analyzing the worst case times either on the processors (e.g. worst case execution time of a task) or on the networks (e.g. worst case traversal time of a message). However, there is a growing need to consider the complete system and to be able to determine end-to-end properties. Such properties apply to a functional chain which describes the behavior of a sequence of functions, not necessarily hosted on a shared module, from an input until the production of an output. This paper explores two end-to-end properties: freshness and reactivity, and presents an analysis method based on Mixed Integer Linear Programming (MILP). This work is supported by the French National Research Agency within the Satrimmap project.

    A Modeling and Verification Approach to the Design of Distributed IMA Architectures Using TTEthernet

    Integrated Modular Avionics (IMA) architectures complemented with Time-Triggered Ethernet (TTEthernet) provide a strong platform to support the design and deployment of distributed avionic software systems. The complexity of the design and continuous integration of such systems can be managed using a model-based methodology. In this paper, we build on top of our extension of the AADL modeling language to model TTEthernet-based distributed systems and leverage model transformations to enable the verification of the system models produced with this methodology. In particular, we propose to transform the system models into a model suitable for simulation with DEVS. We illustrate the proposed approach using an example of a navigation and guidance system and we use this example to show the verification of the contention-freedom property of the TTEthernet schedule.

    PaRTAA: A Real-time Multiprocessor for Mixed-Criticality Airborne Systems


    A time-predictable many-core processor design for critical real-time embedded systems

    Critical Real-Time Embedded Systems (CRTES) are in charge of controlling fundamental parts of embedded systems, e.g. energy harvesting solar panels in satellites, steering and braking in cars, or flight management systems in airplanes. To do so, CRTES require strong evidence of correct functional and timing behavior. The former guarantees that the system operates correctly in response to its inputs; the latter ensures that its operations are performed within a predefined time budget. CRTES aim at increasing the number and complexity of functions. Examples include the incorporation of "smarter" Advanced Driver Assistance System (ADAS) functionality in modern cars or advanced collision avoidance systems in Unmanned Aerial Vehicles (UAVs). All these new features, implemented in software, lead to an exponential growth in both performance requirements and software development complexity. Furthermore, there is a strong need to integrate multiple functions into the same computing platform to reduce the number of processing units, mass and space requirements, etc. Overall, there is a clear need to increase the computing power of current CRTES in order to support new sophisticated and complex functionality, and integrate multiple systems into a single platform. The use of multi- and many-core processor architectures is increasingly seen in the CRTES industry as the solution to cope with the performance demand and cost constraints of future CRTES. Many-cores supply higher performance by exploiting the parallelism of applications while providing a better performance per watt as cores are kept simpler with respect to complex single-core processors. Moreover, the parallelization capabilities allow scheduling multiple functions onto the same processor, maximizing the hardware utilization.
However, the use of multi- and many-cores in CRTES also brings a number of challenges related to providing evidence about the correct operation of the system, especially in the timing domain. Hence, despite the advantages of many-cores and the fact that they are nowadays a reality in the embedded domain (e.g. Kalray MPPA, Freescale NXP P4080, TI Keystone II), their use in CRTES still requires finding efficient ways of providing reliable evidence about the correct operation of the system. This thesis investigates the use of many-core processors in CRTES as a means to satisfy performance demands of future complex applications while providing the necessary timing guarantees. To do so, this thesis contributes to advancing the state of the art towards the exploitation of the parallel capabilities of many-cores in CRTES, contributing in two different computing domains. From the hardware domain, this thesis proposes new many-core designs that enable deriving reliable and tight timing guarantees. From the software domain, we present efficient scheduling and timing analysis techniques to exploit the parallelization capabilities of many-core architectures and to derive tight and trustworthy Worst-Case Execution Time (WCET) estimates for CRTES.

    Exact worst-case analysis of the AFDX network

    The main objective of this thesis is to provide methodologies for finding exact worst-case end-to-end communication delays of an AFDX network. Presently, only pessimistic upper bounds on these delays can be calculated using the Network Calculus and Trajectory approaches. To achieve this goal, different existing tools and approaches have been analyzed in the context of this thesis. Based on this analysis, it was deemed necessary to develop new approaches and algorithms. First, model checking with existing well-established real-time model checking tools is explored, using timed automata. Then, an exhaustive simulation technique is used with newly developed algorithms and their software implementation in order to find exact worst-case communication delays of an AFDX network. All this research work has been applied to a real-life implementation of an AFDX network, allowing us to validate our research work on an industrial-scale AFDX configuration such as the one used on Airbus A380 aircraft.

    NetGAP: A Graph-Grammar approach for concept design of networked platforms with extra-functional requirements

    During the concept design of complex networked systems, concept developers have to assure that the choice of hardware modules and the topology of the target platform will provide adequate resources to support the needs of the application. For example, future-generation aerospace systems need to consider multiple requirements, with many trade-offs, foreseeing rapid technological change and a long time span for realization and service. For that purpose, we introduce NetGAP, an automated 3-phase approach to synthesize network topologies and support the exploration and concept design of networked systems with multiple requirements including dependability, security, and performance. NetGAP represents the possible interconnections between hardware modules using a graph grammar and uses a Monte Carlo Tree Search optimization to generate candidate topologies from the grammar while aiming to satisfy the requirements. We apply the proposed approach to the synthetic version of a realistic avionics application use case and show the merits of the solution to support the early-stage exploration of alternative candidate topologies. The method is shown to vividly characterize the topology-related trade-offs between requirements stemming from security, fault tolerance, timeliness, and the "cost" of adding new modules or links. Finally, we discuss the flexibility of using the approach when changes in the application and its requirements occur.

    Improving Hazard Analysis and Certification of Integrated Modular Avionics

    Integrated modular avionics systems present new opportunities and benefits for developing advanced aircraft avionics, as well as a series of challenges related to hazard analysis and certification. This paper addresses some of those challenges and proposes a new procedure for improving hazard analysis of integrated modular avionics systems. A significant objective of integrated modular avionics architectures is the ability to develop individual software applications independently and then integrate those applications onto one platform. It has been very difficult for both designers and certifiers to understand and predict how the system will behave when the applications are integrated into one system. Traditional fault-based hazard analysis techniques are limited with respect to this problem. Therefore, this paper uses a different technique, called Systems-theoretic Process Analysis, to identify hazardous behavior that emerges when individual applications are integrated. Systems-theoretic process analysis is a systems-theoretic hazard analysis technique that accounts for hazardous behavior due to component interaction, including cases when the components have not failed or faulted. Systems-theoretic process analysis is extended in this paper to account for behavior that emerges when software applications share data, which is a requirement in aircraft systems. The paper illustrates the new approach with an example that includes real-world avionics functions.

    Toward optical coherence tomography on a chip: in vivo three-dimensional human retinal imaging using photonic integrated circuit-based arrayed waveguide gratings

    In this work, we present a significant step toward in vivo ophthalmic optical coherence tomography and angiography on a photonic integrated chip. The diffraction gratings used in spectral-domain optical coherence tomography can be replaced by photonic integrated circuits comprising an arrayed waveguide grating. Two arrayed waveguide grating designs with 256 channels were tested, which enabled the first chip-based optical coherence tomography and angiography in vivo three-dimensional human retinal measurements. Design 1 supports a bandwidth of 22 nm, with which a sensitivity of up to 91 dB (830 µW) and an axial resolution of 10.7 µm was measured. Design 2 supports a bandwidth of 48 nm, with which a sensitivity of 90 dB (480 µW) and an axial resolution of 6.5 µm was measured. The silicon nitride-based integrated optical waveguides were fabricated with a fully CMOS-compatible process, which allows their monolithic co-integration on top of an optoelectronic silicon chip. As a benchmark for chip-based optical coherence tomography, tomograms generated by a commercially available clinical spectral-domain optical coherence tomography system were compared to those acquired with on-chip gratings. The similarities in the tomograms demonstrate the significant clinical potential for further integration of optical coherence tomography on a chip system.