Integration of generic operating systems in partitioned architectures

Tese de mestrado, Engenharia Informática (Arquitectura, Sistemas e Redes de Computadores), Universidade de Lisboa, Faculdade de Ciências, 2009The Integrated Modular Avionics (IMA) specification defines a partitioned environment hosting multiple avionics functions of different criticalities on a shared computing platform. ARINC 653, one of the specifications related to the IMA concept, defines a standard interface between the software applications and the underlying operating system. Both these specifications come from the world of civil aviation, but they are getting interest from space industry partners, who have identified common requirements to those of aeronautic applications. Within the scope of this interest, the AIR architecture was defined, under a contract from the European Space Agency (ESA). AIR provides temporal and spatial segregation, and foresees the use of different operating systems in each partition. Temporal segregation is achieved through the fixed cyclic scheduling of computing resources to partitions. The present work extends the foreseen partition operating system (POS) heterogeneity to generic non-real-time operating systems. This was motivated by documented difficulties in porting applications to RTOSs, and by the notion that proper integration of a non-real-time POS will not compromise the timeliness of critical real-time functions. For this purpose, Linux is used as a case study. An embedded variant of Linux is built and evaluated regarding its adequacy as a POS in the AIR architecture. To guarantee safe integration, a solution based on the Linux paravirtualization interface, paravirt-ops, is proposed. In the course of these activities, the AIR architecture definition was also subject to improvements. The most significant one, motivated by the intended increased POS heterogeneity, was the introduction of a new component, the AIR Partition OS Adaptation Layer (PAL). The AIR PAL provides greater POS-independence to the major components of the AIR architecture, easing their independent certification efforts. Other improvements provide enhanced timeliness mechanisms, such as mode-based schedules and process deadline violation monitoring.A especificação Integrated Modular Avionics (IMA) define um ambiente compartimentado com funções de aviónica de diferentes criticalidades a coexistir numa plataforma computacional. A especificação relacionada ARINC 653 define uma interface padrão entre as aplicações e o sistema operativo subjacente. Ambas as especificações provêm do mundo da aviónica, mas estão a ganhar o interesse de parceiros da indústria espacial, que identificaram requisitos em comum entre as aplicações aeronáuticas e espaciais. No âmbito deste interesse, foi definida a arquitectura AIR, sob contrato da Agência Espacial Europeia (ESA). Esta arquitectura fornece segregação temporale espacial, e prevê o uso de diferentes sistemas operativos em cada partição. A segregação temporal é obtida através do escalonamento fixo e cíclico dos recursos às partições. Este trabalho estende a heterogeneidade prevista entre os sistemas operativos das partições (POS). Tal foi motivado pelas dificuldades documentadas em portar aplicações para sistemas operativos de tempo-real, e pela noção de que a integração apropriada de um POS não-tempo-real não comprometerá a pontualidade das funções críticas de tempo-real. Para este efeito, o Linux foi utilizado como caso de estudo. Uma variante embedida de Linux é construída e avaliada quanto à sua adequação como POS na arquitectura AIR. Para garantir uma integração segura, é proposta uma solução baseada na interface de paravirtualização do Linux, paravirt-ops. No decurso destas actividades, foram também feitas melhorias à definição da arquitectura AIR. O mais significante, motivado pelo pretendido aumento da heterogeneidade entre POSs, foi a introdução de um novo componente, AIR Partition OS Adaptation Layer (PAL). Este componente proporciona aos principais componentes da arquitectura AIR maior independência face ao POS, facilitando os esforços para a sua certificação independente. Outros melhoramentos fornecem mecanismos avançados de pontualidade, como mode-based schedules e monitorização de incumprimento de metas temporais de processos.ESA/ITI - European Space Agency Innovation Triangular Initiative (through ESTEC Contract 21217/07/NL/CB-Project AIR-II) and FCT - Fundação para a Ciência e Tecnologia (through the Multiannual Funding Programme

Future manned systems advanced avionics study

COTS+ was defined in this study as commercial off-the-shelf (COTS) products, ruggedized and militarized components, and COTS technology. This study cites the benefits of integrating COTS+ in space, postulates a COTS+ integration methodology, and develops requirements and an architecture to achieve integration. Developmental needs and concerns were identified throughout the study; these needs, concerns, and recommendations relative to their abatement are subsequently presented for further action and study. The COTS+ concept appears workable in part or in totality. No COTS+ technology gaps were identified; however, radiation tolerance was cited as a concern, and the deferred maintenance issue resurfaced. Further study is recommended to explore COTS+ cost-effectiveness, maintenance philosophy, needs, concerns, and utility metrics. The generation of a development plan to further investigate and integrate COTS+ technology is recommended. A COTS+ transitional integration program is recommended. Sponsoring and establishing technology maturation programs and COTS+ engineering and standards committees are deemed necessary and are recommended for furthering COTS+ integration in space

Design and Architecture of a Hardware Platform to Support the Development of an Avionic Network Prototype

Résumé en français La récente évolution des architectures des systèmes avioniques a permis la création de réseaux avioniques modulaire embarqués (IMA) et l’augmentation du nombre de systèmes embarqués numériques dans chaque avion. Cette transition vers une nouvelle génération d’avions plus électriques permet une réduction du poids et de la consommation énergétique des aéronefs et aussi des couts de production et d’entretien. Pour atteindre une réduction du poids encore plus poussée et une amélioration de la bande passante des réseaux utilisés, des technologies innovatrices ont récemment été adoptées : ARINC 825 et AFDX qui permettent en fait une réduction du câblage nécessaire pour réaliser le réseau embarqué.Dans le cadre du projet AVIO 402, qui inclus plusieurs sujets de recherche qui concernent aussi les capteurs et leur interface avec le système IMA, une nouvelle architecture a été proposée pour la réalisation du réseau utilisé pour le système de contrôle de vol. Cette architecture est basée sur des bus ARINC 825 locaux, connectés entre eux en utilisant un réseau AFDX qui offre une meilleure bande passante ; les ponts entre les deux protocoles et les modules qui connectent les nœuds au réseau ont une structure générique pour supporter des protocoles différents et aussi plusieurs types des capteurs et actionneurs. Pour une évaluation des performances et une analyse des défis de son implémentation, la réalisation d’un prototype du réseau proposé est requise par le projet. Dans ce mémoire, le développement d’une plateforme matérielle pour soutenir la réalisation de ce prototype est traité et trois modules fondamentaux du prototype ont été conçus sous forme de "IP core" pour être subséquemment intégrés dans l’architecture du réseau qui sera implémenté en utilisant des FPGA. Les trois systèmes sont le contrôleur du bus CAN, utilisé comme base pour l’implémentation du protocole ARINC 825, le "End System" AFDX et le commutateur nécessaires pour la réalisation d’un réseau AFDX. Dans la première partie de ce mémoire, les objectifs visés sont présentés et une analyse des spécifications des protocoles considérés est fournie, cela permet d’identifier les fonctionnalités qui doivent être incluses dans chaque système et de déterminer si des solutions pour leur implémentation ont déjà été publiées et peuvent être réutilisées. Ensuite, le développement de chaque système est présenté et les choix de conception sont expliqués afin de montrer comment les fonctionnalités requises par les spécifications des deux protocoles peuvent être implémentées pour mieux répondre aux nécessités du projet AVIO 402.----------Abstract The objective of the present project is to design three modules for a hardware platform that will support the implementation of an avionic network prototype based on the FPGA technology. The considered network has been conceived to reduce cabling weight and to improve the available bandwidth, and it exploits the recently introduced ARINC 825 and AFDX protocols. In order to support the implementation of both these protocols, a CAN bus controller, an AFDX End System, and an AFDX Switch have been designed. After an extensive review of the existing literature about the two related avionic protocols, a study of the existing solutions for CAN and Ethernet protocols, on which they are based, has been done as well to identify what knowledge and technology could be reused. Because they are very similar, a flexible CAN controller has been implemented in hardware instead of an ARINC 825 one in order to support both these technologies and in order to reduce the IP core size. A combined HW/SW approach has been preferred for the AFDX End System architecture to leverage an existing UDP/IP protocol stack and the Ethernet layer included in the Linux kernel has been modified to create a portable and configurable implementation of AFDX. Since various problems have been encountered to reproduce an ARINC 653 compliant environment on the embedded system, the suggested design has been ported in a PC. Finally, an original solution for the implementation of the AFDX switch fabric has been finally presented; a space-division switching architecture has been chosen and tailored to meet the AFDX specification. Hardware parallelism is exploited to reduce the latency introduced on each frame by filtering them concurrently. Input buffers have been duplicated to separate high from low priority traffics, further reducing latency of critical frames and creating a redundancy that reduce the possibility of packet loss. Packet scheduling and double queuing guarantee that all critical frames are forwarded before low priority ones.Keywords: Avionic Full-Duplex Switched Ethernet, AFDX, ARINC 664, ARINC 825, CAN, Avionic Data Networks, Ethernet Switch, FPGA

Simulation/Emulation Techniques: Compressing Schedules With Parallel (HW/SW) Development

NASA has always been in the business of balancing new technologies and techniques to achieve human space travel objectives. NASA's Kedalion engineering analysis lab has been validating and using many contemporary avionics HW/SW development and integration techniques, which represent new paradigms to NASA's heritage culture. Kedalion has validated many of the Orion HW/SW engineering techniques borrowed from the adjacent commercial aircraft avionics solution space, inserting new techniques and skills into the Multi - Purpose Crew Vehicle (MPCV) Orion program. Using contemporary agile techniques, Commercial-off-the-shelf (COTS) products, early rapid prototyping, in-house expertise and tools, and extensive use of simulators and emulators, NASA has achieved cost effective paradigms that are currently serving the Orion program effectively. Elements of long lead custom hardware on the Orion program have necessitated early use of simulators and emulators in advance of deliverable hardware to achieve parallel design and development on a compressed schedule

DESIGN MODULAR COMMAND AND DATA HANDLING SUBSYSTEM HARDWARE ARCHITECTURES

Over the past few years, On-Board Computing Systems for satellites have been facing a limited level of modularity. Modularity is the ability to reuse and reconstruct the system from a set of predesigned units, with minimal additional engineering effort. CDHS hardware systems currently available have a limited ability to scale with mission needs. This thesis addresses the integration of smaller form factor CDHS modules used for nanosatellites with the larger counterparts that are used for larger missions. In particular, the thesis discusses the interfacing between Modular Computer Systems based on Open Standard commonly used in large spacecrafts and PC/104 used for nanosatellites. It also aims to create a set of layers that would represent a hardware library of COTS-like modules. At the beginning, a review of related and previous work has been done to identify the gaps in previous studies and understand more about Modular Computer Systems based on Open Standard commonly used in large spacecrafts, such as cPCI Serial Space and SpaceVPX. Next, the design requirements have been set to achieve this thesis objectives, which included conducting a prestudy of system alternatives before creating a modular CDHS hardware architecture which was later tested. After, the hardware suitable for this architecture based on the specified requirements was chosen and the PCB was designed based on global standards. Later, several functional tests and communication tests were conducted to assess the practicality of the proposed architecture. Finally, thermal vacuum testing was done on one of the architecture’s layers to test its ability to withstand the space environment, with the aim to perform the vibration testing of the full modular architecture in the future. The aim of this thesis has been achieved after going through several tests, comparing between interfaces, and understanding the process of interfacing between different levels of the CDHS. The findings of this study pave the way for future research in the field and offer valuable insights that could contribute to the development of modular architectures for other satellite subsystems

A Framework for Model-based Testing of Integrated Modular Avionics

In modern aircraft, electronics and control systems are designed based on the Integrated Modular Avionics (IMA) system architecture. While this has numerous advantages (reduction of weight, reduced power and fuel consumption, reduction of development cost and certification effort), the IMA platform also adds an additional layer of complexity. Due to the safety-critical nature of many avionics functions careful and accurate verification and testing are imperative. This thesis describes results achieved from research on model-based testing of IMA systems, in part obtained during the European research project SCARLETT. It presents a complete framework which enables IMA domain experts to design and run model-based tests on bare module, configured module, and application level in a standardised test environment. The first part of this thesis provides background information on the relevant topics: the IMA concept, domain-specific languages, model-based testing, and the TTCN-3 standard. The second part introduces the IMA Test Modelling Language (ITML) framework and its components. It describes a tailored TTCN-3 test environment with appropriate adapters and codecs. Based on MetaEdit and its meta-metamodel GOPPRR, it defines the three variants of the domain-specific language ITML, each with its abstract and concrete syntax as well as static and dynamic semantics. The process of test procedure generation from ITML models is explained in detail. Furthermore, the design and implementation of a universal Test Agent is shown. A dedicated communication protocol for controlling the agent is defined as well. The third part provides an evaluation of the framework. It shows usage scenarios in the SCARLETT project, gives a comparison to related tools and approaches, and explains the advantages of using the ITML framework for an IMA domain expert. The final part presents several example ITML models. It also provides reference material like XML schemata, framework source code, and model validators

Standardization Roadmap for Unmanned Aircraft Systems, Version 2.0

This Standardization Roadmap for Unmanned Aircraft Systems, Version 2.0 (“roadmap”) is an update to version 1.0 of this document published in December 2018. It identifies existing standards and standards in development, assesses gaps, and makes recommendations for priority areas where there is a perceived need for additional standardization and/or pre-standardization R&D. The roadmap has examined 78 issue areas, identified a total of 71 open gaps and corresponding recommendations across the topical areas of airworthiness; flight operations (both general concerns and application-specific ones including critical infrastructure inspections, commercial services, and public safety operations); and personnel training, qualifications, and certification. Of that total, 47 gaps/recommendations have been identified as high priority, 21 as medium priority, and 3 as low priority. A “gap” means no published standard or specification exists that covers the particular issue in question. In 53 cases, additional R&D is needed. As with the earlier version of this document, the hope is that the roadmap will be broadly adopted by the standards community and that it will facilitate a more coherent and coordinated approach to the future development of standards for UAS. To that end, it is envisioned that the roadmap will continue to be promoted in the coming year. It is also envisioned that a mechanism may be established to assess progress on its implementation

Use of Field Programmable Gate Array Technology in Future Space Avionics

Fulfilling NASA's new vision for space exploration requires the development of sustainable, flexible and fault tolerant spacecraft control systems. The traditional development paradigm consists of the purchase or fabrication of hardware boards with fixed processor and/or Digital Signal Processing (DSP) components interconnected via a standardized bus system. This is followed by the purchase and/or development of software. This paradigm has several disadvantages for the development of systems to support NASA's new vision. Building a system to be fault tolerant increases the complexity and decreases the performance of included software. Standard bus design and conventional implementation produces natural bottlenecks. Configuring hardware components in systems containing common processors and DSPs is difficult initially and expensive or impossible to change later. The existence of Hardware Description Languages (HDLs), the recent increase in performance, density and radiation tolerance of Field Programmable Gate Arrays (FPGAs), and Intellectual Property (IP) Cores provides the technology for reprogrammable Systems on a Chip (SOC). This technology supports a paradigm better suited for NASA's vision. Hardware and software production are melded for more effective development; they can both evolve together over time. Designers incorporating this technology into future avionics can benefit from its flexibility. Systems can be designed with improved fault isolation and tolerance using hardware instead of software. Also, these designs can be protected from obsolescence problems where maintenance is compromised via component and vendor availability.To investigate the flexibility of this technology, the core of the Central Processing Unit and Input/Output Processor of the Space Shuttle AP101S Computer were prototyped in Verilog HDL and synthesized into an Altera Stratix FPGA

Operating System Contribution to Composable Timing Behaviour in High-Integrity Real-Time Systems

The development of High-Integrity Real-Time Systems has a high footprint in terms of human, material and schedule costs. Factoring functional, reusable logic in the application favors incremental development and contains costs. Yet, achieving incrementality in the timing behavior is a much harder problem. Complex features at all levels of the execution stack, aimed to boost average-case performance, exhibit timing behavior highly dependent on execution history, which wrecks time composability and incrementaility with it. Our goal here is to restitute time composability to the execution stack, working bottom up across it. We first characterize time composability without making assumptions on the system architecture or the software deployment to it. Later, we focus on the role played by the real-time operating system in our pursuit. Initially we consider single-core processors and, becoming less permissive on the admissible hardware features, we devise solutions that restore a convincing degree of time composability. To show what can be done for real, we developed TiCOS, an ARINC-compliant kernel, and re-designed ORK+, a kernel for Ada Ravenscar runtimes. In that work, we added support for limited-preemption to ORK+, an absolute premiere in the landscape of real-word kernels. Our implementation allows resource sharing to co-exist with limited-preemptive scheduling, which extends state of the art. We then turn our attention to multicore architectures, first considering partitioned systems, for which we achieve results close to those obtained for single-core processors. Subsequently, we shy away from the over-provision of those systems and consider less restrictive uses of homogeneous multiprocessors, where the scheduling algorithm is key to high schedulable utilization. To that end we single out RUN, a promising baseline, and extend it to SPRINT, which supports sporadic task sets, hence matches real-world industrial needs better. To corroborate our results we present findings from real-world case studies from avionic industry