5 research outputs found

    The Overview of Avionics Full-Duplex Switched Ethernet

    This paper gives a basic introduction to the advanced avionics network AFDX. Signalling and communication in avionics have been significant topics ever since electronic devices were first used in aerospace systems. To deal with the challenges introduced by the extensive use of general-purpose computing in commercial avionics, standards like ARINC 419 and later ARINC 429 became available and were adopted by the industry. AFDX combines proven safety and availability functionality with recent Ethernet technology in order to meet today's needs. This paper outlines two of the most fundamental avionics network architectures and aims at depicting the development of networking concepts and requirements over the course of the past 30 years. It mainly focuses on ARINC 429 and AFDX, the most important current and past standards, but also covers two other interesting earlier protocols.

    Integration of generic operating systems in partitioned architectures

    Master's thesis, Informatics Engineering (Architecture, Systems and Computer Networks), Universidade de Lisboa, Faculdade de Ciências, 2009.

    ABSTRACT The Integrated Modular Avionics (IMA) specification defines a partitioned environment hosting multiple avionics functions of different criticalities on a shared computing platform. ARINC 653, one of the specifications related to the IMA concept, defines a standard interface between the software applications and the underlying operating system. Both of these specifications come from the world of civil aviation, but they are attracting interest from space industry partners, who have identified requirements in common with those of aeronautical applications. Within the scope of this interest, the AIR architecture was defined under a contract from the European Space Agency (ESA). AIR provides temporal and spatial segregation, and foresees the use of different operating systems in each partition. Temporal segregation is achieved through the fixed cyclic scheduling of computing resources to partitions. The present work extends the foreseen partition operating system (POS) heterogeneity to generic non-real-time operating systems. This was motivated by documented difficulties in porting applications to RTOSs, and by the notion that proper integration of a non-real-time POS will not compromise the timeliness of critical real-time functions. For this purpose, Linux is used as a case study. An embedded variant of Linux is built and evaluated regarding its adequacy as a POS in the AIR architecture. To guarantee safe integration, a solution based on the Linux paravirtualization interface, paravirt-ops, is proposed. In the course of these activities, the AIR architecture definition was also subject to improvements. The most significant one, motivated by the intended increase in POS heterogeneity, was the introduction of a new component, the AIR Partition OS Adaptation Layer (PAL). The AIR PAL provides greater POS-independence to the major components of the AIR architecture, easing their independent certification efforts. Other improvements provide enhanced timeliness mechanisms, such as mode-based schedules and process deadline violation monitoring.

    RESUMO (Portuguese abstract, translated) The Integrated Modular Avionics (IMA) specification defines a partitioned environment in which avionics functions of different criticalities coexist on a single computing platform. The related ARINC 653 specification defines a standard interface between the applications and the underlying operating system. Both specifications come from the world of avionics, but they are gaining the interest of space industry partners, who have identified requirements common to aeronautical and space applications. Within the scope of this interest, the AIR architecture was defined under contract from the European Space Agency (ESA). This architecture provides temporal and spatial segregation, and foresees the use of different operating systems in each partition. Temporal segregation is obtained through fixed, cyclic scheduling of resources to partitions. This work extends the foreseen heterogeneity among partition operating systems (POS). This was motivated by the documented difficulties in porting applications to real-time operating systems, and by the notion that proper integration of a non-real-time POS will not compromise the timeliness of critical real-time functions. For this purpose, Linux was used as a case study. An embedded variant of Linux is built and evaluated regarding its adequacy as a POS in the AIR architecture. To guarantee safe integration, a solution based on the Linux paravirtualization interface, paravirt-ops, is proposed. In the course of these activities, improvements were also made to the definition of the AIR architecture. The most significant one, motivated by the intended increase in heterogeneity among POSs, was the introduction of a new component, the AIR Partition OS Adaptation Layer (PAL). This component gives the main components of the AIR architecture greater independence from the POS, easing the efforts towards their independent certification. Other improvements provide advanced timeliness mechanisms, such as mode-based schedules and monitoring of process deadline violations.

    Funding: ESA/ITI - European Space Agency Innovation Triangular Initiative (through ESTEC Contract 21217/07/NL/CB-Project AIR-II) and FCT - Fundação para a Ciência e Tecnologia (through the Multiannual Funding Programme

    Integration of a spatial and temporal partitioning simulator into a model-based design flow (Intégration d'un simulateur de partitionnement spatial et temporel à un flot de conception basé sur les modèles)

    RÉSUMÉ (French abstract, translated) The Integrated Modular Avionics (IMA) architecture is a crucial concern for the aerospace industry in the development of increasingly complex systems, in order to reduce development, certification and production costs and time. From a software standpoint, this objective pushes developers to develop or migrate a multitude of applications to real-time operating systems (RTOS) compliant with the ARINC 653 standard. This standard proposes safe space and time partitioning for critical systems, a crucial element of IMA. However, the licence prices of the main commercial development environments can be very high. It therefore becomes interesting to look at less expensive alternatives that could well be used early in development for simulation purposes, prior to deployment on the target platform. On the other hand, several alternatives offer little documentation or support, and are often limited with respect to model-based development approaches or to compliance with the ARINC 653 standard. To address this problem, this project focuses on these low-cost or licence-free development environments and proposes a novel design flow that includes both an effective modelling environment for model-based analysis and a simulation environment. The proposed flow uses the Architecture Analysis and Design Language (AADL) to model the system, and the commercial IMA system simulator (SIMA) developed by the company GMV to run the applications. This simulator complies with the ARINC 653 standard and runs on a desktop computer on top of a Linux operating system with a real-time kernel. To bridge the two environments, the open-source code generator OCARINA, which takes AADL as input, was extended to generate configuration files and source code for the SIMA target. The generated source code handles calls to the services of the ARINC 653 programming interface. An avionics application was developed as a case study to experiment with this flow. It consists of a Multi-purpose Control and Display Unit (MCDU) communicating with a simulated flight management system provided by CMC Electronique. During the experiment, the simulator proved useful by enabling the identification and correction of design errors in the configuration and implementation of the MCDU, which considerably reduced page transmission errors. It was also shown that it could be deployed on a platform with an embedded Linux distribution. Regarding the extended generator, the results were conclusive. The current version of the tool considerably reduces the time allotted to system configuration and to application migration to the ARINC 653 environment. Moreover, the SIMA simulator now has access to a model-based development approach. However, fundamental limitations were identified regarding source code generation. Nevertheless, we consider the flow we propose to be a satisfactory starting point that can be extended to other technologies in future work.

    ABSTRACT The Integrated Modular Avionics (IMA) architecture has been a crucial concern for the aerospace industry in developing more complex systems, while seeking to reduce cost as well as development, certification and production time. From a software perspective, that objective pushes developers to develop or migrate most applications toward real-time operating systems (RTOS) compliant with the ARINC 653 standard, which offers safety-critical space and time partitioning central to IMA. However, due to very high license costs, mainstream commercial development environments can be restrictive. That situation is even more striking considering that low-cost alternatives could instead be used in early simulation, before deployment on the target platform. On the other hand, many alternatives offer little documentation or support, and are often limited when it comes to either a model-based engineering (MBE) approach or compliance with the ARINC 653 standard. To address that problem, this project reviewed existing low-cost and open-source development environments, and proposes a novel flow including both a modeling environment effective for model-based analysis and a simulation level. The proposed flow uses the Architecture Analysis and Design Language (AADL) to model the system, and the commercial Simulated IMA (SIMA) simulator developed by GMV to execute its applications. That simulator is ARINC 653 compliant, and runs on a desktop computer over a Linux distribution with a real-time kernel. To bridge the two environments, the open-source OCARINA generator, which takes AADL inputs, was extended to generate source code and configuration for the SIMA target. The generated source code manages calls to the ARINC 653 programming interface services. An avionic application was developed as a case study to test the flow. It consisted of a Multi-purpose Control and Display Unit (MCDU) communicating with an external Flight Management System (FMS) simulation provided by CMC Electronics. During the experiment, the simulator proved useful in leading to the identification and correction of design flaws in the MCDU system configuration, which considerably reduced page transmission failures. It also demonstrated that it could be deployed on a platform with an embedded Linux distribution. Concerning the extended generator, results have proved successful so far. The current version of the tool greatly reduces the time required to configure the system or migrate applications to an ARINC 653 environment. It also enhances the simulator with an MBE approach. However, fundamental limitations were identified as far as source code generation is concerned. Nevertheless, we consider our proposed flow to be a satisfactory starting point, which could be extended to other technologies in future work.

    Embedded Linux in a partitioned architecture for aerospace applications

    No full text
    Abstract—The ARINC 653 specification, defined for aeronautical applications, has the goal of providing a standard interface between a given real-time operating system (RTOS) and the corresponding applications. It also provides robust partitioning, with the final goal of guaranteeing safety and timeliness in mission-critical systems. The interest in ARINC 653 has extended to the aerospace industry, which resulted in the definition of an architecture, compliant with the specification, allowing for operating system heterogeneity. In this paper, we introduce the problem of integrating generic operating systems onto this architecture, and explore the case of GNU/Linux. Adding GNU/Linux allows running existing applications or interpreted scripts without needing to port the application or interpreter to an RTOS. In embedded systems, we have to cope with scarce resources and diverse existing hardware, and a balance between both issues must be reached. To that end, we show the genesis of such a solution. Index Terms—Aerospace industry, computer applications, operating system kernels, operating systems, processor scheduling, real-time systems.

    Determinism Enhancement and Reliability Assessment in Safety Critical AFDX Networks

    RÉSUMÉ (French abstract, translated) AFDX is an Ethernet-based technology developed to meet the challenges arising from the growing number of applications that transmit data of varying criticality in modern Integrated Modular Avionics systems. This safety-critical technology has been standardized in Part 7 of the ARINC 664 standard, whose purpose is to define a deterministic network providing predictable performance guarantees. In particular, AFDX is composed of two redundant networks, which provide the high reliability required to ensure its determinism. The determinism of AFDX is mainly achieved through the concept of Virtual Links, which defines a logical unidirectional connection between End Systems. For Virtual Links, upper bounds on end-to-end delays can be obtained using approaches such as Network Calculus. However, these upper bounds have been proved pessimistic in many cases, which can lead to inefficient use of resources and increase the complexity of network design. Moreover, because of the asynchrony of their operation, there are several sources of non-determinism in AFDX networks. This introduces a problem related to real-time fault detection. Furthermore, even though a redundancy management mechanism is used to improve the reliability of AFDX networks, there is a potential risk highlighted in Part 7 of the ARINC 664 standard. The situation cited can cause a failure despite redundant transmissions in certain special cases. Consequently, the objective of this thesis is to improve the performance and reliability of AFDX networks. First, a mechanism based on frame insertion is proposed to strengthen the determinism of frame arrival within AFDX networks. Because the network load and the average bandwidth used increase due to frame insertion, a Sub-Virtual Link aggregation strategy is introduced and formulated as a multi-objective optimization problem. In addition, three algorithms were developed to solve the corresponding multi-objective optimization problem. Then, an approach is introduced to incorporate performance analysis into reliability assessment by treating delay violations as failures.

    ABSTRACT AFDX is an Ethernet-based technology that has been developed to meet the challenges arising from the growing number of data-intensive applications in modern Integrated Modular Avionics systems. This safety-critical technology has been standardized in ARINC 664 Part 7, whose purpose is to define a deterministic network by providing predictable performance guarantees. In particular, AFDX is composed of two redundant networks, which provide the determinism required to obtain the desired high reliability. The determinism of AFDX is mainly achieved by the concept of the Virtual Link, which defines a logical unidirectional connection from one source End System to one or more destination End Systems. For Virtual Links, the end-to-end delay upper bounds can be obtained by using Network Calculus. However, it has been proved that such upper bounds are pessimistic in many cases, which may lead to an inefficient use of resources and increase network design complexity. Besides, due to asynchronism, there exists a source of non-determinism in AFDX networks, namely frame arrival uncertainty in a destination End System. This issue introduces a problem in terms of real-time fault detection. Furthermore, although a redundancy management mechanism is employed to enhance the reliability of AFDX networks, there still exist potential risks, as pointed out in ARINC 664 Part 7, which may cause redundant transmissions to fail in some special cases. Therefore, the purpose of this thesis is to improve the performance and the reliability of AFDX networks. First, a mechanism based on frame insertion is proposed to enhance the determinism of frame arrival within AFDX networks. As the network load and the average bandwidth used by a Virtual Link increase due to frame insertion, a Sub-Virtual Link aggregation strategy, formulated as a multi-objective optimization problem, is introduced. In addition, three algorithms have been developed to solve the corresponding multi-objective optimization problem. Next, an approach is introduced to incorporate performance analysis into reliability assessment by considering delay violations as failures. This allowed deriving tighter probabilistic upper bounds for Virtual Links that could be applied in AFDX network certification. In order to conduct the necessary reliability analysis, the well-known Fault-Tree Analysis technique is employed and Stochastic Network Calculus is applied to compute the upper bounds with various probability limits.