47 research outputs found
Determinism Enhancement and Reliability Assessment in Safety Critical AFDX Networks
RĂSUMĂ AFDX est une technologie basĂ©e sur Ethernet, qui a Ă©tĂ© dĂ©veloppĂ©e pour rĂ©pondre aux dĂ©fis qui dĂ©coulent du nombre croissant dâapplications qui transmettent des donnĂ©es de criticitĂ© variable dans les systĂšmes modernes dâavionique modulaire intĂ©grĂ©e (Integrated Modular
Avionics). Cette technologie de sĂ©curitĂ© critique a Ă©tĂ© notamment normalisĂ©e dans la partie 7 de la norme ARINC 664, dont le but est de dĂ©finir un rĂ©seau dĂ©terministe fournissant des garanties de performance prĂ©visibles. En particulier, AFDX est composĂ© de deux rĂ©seaux redondants, qui fournissent la haute fiabilitĂ© requise pour assurer son dĂ©terminisme. Le dĂ©terminisme de AFDX est principalement rĂ©alisĂ© par le concept de liens virtuels (Virtual Links), qui dĂ©finit une connexion unidirectionnelle logique entre les points terminaux (End Systems). Pour les liens virtuels, les limites supĂ©rieures des dĂ©lais de bout en bout peuvent ĂȘtre obtenues en utilisant des approches comme calcul rĂ©seau, mieux connu sous lâappellation Network Calculus. Cependant, il a Ă©tĂ© prouvĂ© que ces limites supĂ©rieures sont pessimistes dans de nombreux cas, ce qui peut conduire Ă une utilisation inefficace des ressources et augmenter la complexitĂ© de la conception du rĂ©seau. En outre, en raison de lâasynchronisme de leur fonctionnement, il existe plusieurs sources de non-dĂ©terminisme dans les rĂ©seaux AFDX. Ceci introduit un problĂšme en lien avec la dĂ©tection des dĂ©fauts en temps rĂ©el. En outre, mĂȘme si un mĂ©canisme de gestion de la redondance est utilisĂ© pour amĂ©liorer la fiabilitĂ© des rĂ©seaux AFDX, il y a un risque potentiel soulignĂ© dans la partie 7 de la norme ARINC 664. La situation citĂ©e peut causer une panne en dĂ©pit des transmissions redondantes dans certains cas particuliers. Par consĂ©quent, lâobjectif de cette thĂšse est dâamĂ©liorer la performance et la fiabilitĂ© des rĂ©seaux AFDX.
Tout dâabord, un mĂ©canisme fondĂ© sur lâinsertion de trames est proposĂ© pour renforcer le dĂ©terminisme de lâarrivĂ©e des trames au sein des rĂ©seaux AFDX. Parce que la charge du
rĂ©seau et la bande passante moyenne utilisĂ©e augmente due Ă lâinsertion de trames, une stratĂ©gie dâagrĂ©gation des Sub-Virtual Links est introduite et formulĂ©e comme un problĂšme
dâoptimisation multi-objectif. En outre, trois algorithmes ont Ă©tĂ© dĂ©veloppĂ©s pour rĂ©soudre le problĂšme dâoptimisation multi-objectif correspondant. Ensuite, une approche est introduite pour incorporer lâanalyse de la performance dans lâĂ©valuation de la fiabilitĂ© en considĂ©rant les violations des dĂ©lais comme des pannes.----------ABSTRACT AFDX is an Ethernet-based technology that has been developed to meet the challenges due to the growing number of data-intensive applications in modern Integrated Modular Avionics systems. This safety critical technology has been standardized in ARINC 664 Part 7, whose purpose is to define a deterministic network by providing predictable performance guarantees. In particular, AFDX is composed of two redundant networks, which provide the determinism
required to obtain the desired high reliability.
The determinism of AFDX is mainly achieved by the concept of Virtual Link, which defines a logical unidirectional connection from one source End System to one or more destination End Systems. For Virtual Links, the end-to-end delay upper bounds can be obtained by using the Network Calculus. However, it has been proved that such upper bounds are pessimistic in many cases, which may lead to an inefficient use of resources and aggravate network design
complexity. Besides, due to asynchronism, there exists a source of non-determinism in AFDX networks, namely frame arrival uncertainty in a destination End System. This issue introduces a problem in terms of real-time fault detection. Furthermore, although a redundancy management mechanism is employed to enhance the reliability of AFDX networks, there
still exist potential risks as pointed out in ARINC 664 Part 7, which may fail redundant transmissions in some special cases. Therefore, the purpose of this thesis is to improve the performance and the reliability of AFDX networks. First, a mechanism based on frame insertion is proposed to enhance the determinism of frame arrival within AFDX networks. As the network load and the average bandwidth used by a Virtual Link increase due to frame insertion, a Sub-Virtual Link aggregation strategy, formulated as a multi-objective optimization problem, is introduced. In addition, three algorithms have been developed to solve the corresponding multi-objective optimization problem. Next, an approach is introduced to incorporate performance analysis into reliability assessment
by considering delay violations as failures. This allowed deriving tighter probabilistic upper bounds for Virtual Links that could be applied in AFDX network certification. In order to conduct the necessary reliability analysis, the well-known Fault-Tree Analysis technique is employed and Stochastic Network Calculus is applied to compute the upper bounds with various probability limits
Refinement of AADL models using early-stage analysis methods : An avionics example
Model-Driven Engineering (MDE) is a relevant approach to support the engineering of distributed embedded systems with performance and dependability constraints. MDE involves models definitions and transformations to cover most of the system life-cycle: design, implementation and Verifi cation & Validation activities towards system quali fication. Still, few works evaluate the early integration of performance evaluation based on architectural models. In this report, we investigate the early-stage use of analysis in AADL modeling. Precisely, we exemplify on an avionics case study how to dimension the data flows for an application distributed over an AFDX network. Based on the insight from this study, we suggest a simple framework and associated techniques to e fficiently support analysis activities in the early-stage
design phases
Worst-case delay analysis of real-time switched Ethernet networks with flow local synchronization
Les rĂ©seaux Ethernet commutĂ© full-duplex constituent des solutions intĂ©ressantes pour des applications industrielles. Mais le non-dĂ©terminisme dâun commutateur IEEE 802.1d, fait que lâanalyse pire cas de dĂ©lai de flux critiques est encore un problĂšme ouvert. Plusieurs mĂ©thodes ont Ă©tĂ© proposĂ©es pour obtenir des bornes supĂ©rieures des dĂ©lais de communication sur des rĂ©seaux Ethernet commutĂ© full duplex temps rĂ©els, faisant lâhypothĂšse que le trafic en entrĂ©e du rĂ©seau peut ĂȘtre bornĂ©. Le problĂšme principal reste le pessimisme introduit par la mĂ©thode de calcul de cette borne supĂ©rieure du dĂ©lai. Ces mĂ©thodes considĂšrent que tous les flux transmis sur le rĂ©seau sont indĂ©pendants. Ce qui est vrai pour les flux Ă©mis par des nĆuds sources diffĂ©rents car il nâexiste pas, dans le cas gĂ©nĂ©ral, dâhorloge globale permettant de synchroniser les flux. Mais pour les flux Ă©mis par un mĂȘme nĆud source, il est possible de faire lâhypothĂšse dâune synchronisation locale de ces flux. Une telle hypothĂšse permet de bĂątir un modĂšle plus prĂ©cis des flux et en consĂ©quence Ă©limine des scĂ©narios impossibles qui augmentent le pessimisme du calcul. Le sujet principal de cette thĂšse est dâĂ©tudier comment des flux pĂ©riodiques synchronisĂ©s par des offsets peuvent ĂȘtre gĂ©rĂ©s dans le calcul des bornes supĂ©rieures des dĂ©lais sur un rĂ©seau Ethernet commutĂ© temps-rĂ©el. Dans un premier temps, il sâagit de prĂ©senter lâimpact des contraintes dâoffsets sur le calcul des bornes supĂ©rieures des dĂ©lais de bout en bout. Il sâagit ensuite de prĂ©senter comment intĂ©grer ces contraintes dâoffsets dans les approches de calcul basĂ©es sur le Network Calculus et la mĂ©thode des Trajectoires. Une mĂ©thode Calcul RĂ©seau modifiĂ©e et une mĂ©thode Trajectoires modifiĂ©e sont alors dĂ©veloppĂ©es et les performances obtenues sont comparĂ©es. Le rĂ©seau avionique AFDX (Avionics Full-Duplex Switched Ethernet) est pris comme exemple dâun rĂ©seau Ethernet commutĂ© full-duplex. Une configuration AFDX industrielle avec un millier de flux est prĂ©sentĂ©e. Cette configuration industrielle est alors Ă©valuĂ©e Ă lâaide des deux approches, selon un choix dâallocation dâoffsets donnĂ©. De plus, diffĂ©rents algorithmes dâallocation des offsets sont testĂ©s sur cette configuration industrielle, pour trouver un algorithme dâallocation quasi-optimal. Une analyse de pessimisme des bornes supĂ©rieures calculĂ©es est alors proposĂ©e. Cette analyse est basĂ©e sur lâapproche des trajectoires (rendue optimiste) qui permet de calculer une sous-approximation du dĂ©lai pire-cas. La diffĂ©rence entre la borne supĂ©rieure du dĂ©lai (calculĂ©e par une mĂ©thode donnĂ©e) et la sous-approximation du dĂ©lai pire cas donne une borne supĂ©rieure du pessimisme de la mĂ©thode. Cette analyse fournit des rĂ©sultats intĂ©ressants sur le pessimisme des approches Calcul RĂ©seau et mĂ©thode des Trajectoires. La derniĂšre partie de la thĂšse porte sur une architecture de rĂ©seau temps rĂ©el hĂ©tĂ©rogĂšne obtenue par connexion de rĂ©seaux CAN via des ponts sur un rĂ©seau fĂ©dĂ©rateur de type Ethernet commutĂ©. Deux approches, une basĂ©e sur les composants et lâautre sur les Trajectoires sont proposĂ©es pour permettre une analyse des dĂ©lais pire-cas sur un tel rĂ©seau. La capacitĂ© de calcul dâune borne supĂ©rieure des dĂ©lais pire-cas dans le contexte dâune architecture hĂ©tĂ©rogĂšne est intĂ©ressante pour les domaines industriels. ABSTRACT : Full-duplex switched Ethernet is a promising candidate for interconnecting real-time industrial applications. But due to IEEE 802.1d indeterminism, the worst-case delay analysis of critical flows supported by such a network is still an open problem. Several methods have been proposed for upper-bounding communication delays on a real-time switched Ethernet network, assuming that the incoming traffic can be upper bounded. The main problem remaining is to assess the tightness, i.e. the pessimism, of the method calculating this upper bound on the communication delay. These methods consider that all flows transmitted over the network are independent. This is true for flows emitted by different source nodes since, in general, there is no global clock synchronizing them. But the flows emitted by the same source node are local synchronized. Such an assumption helps to build a more precise flow model that eliminates some impossible communication scenarios which lead to a pessimistic delay upper bounds. The core of this thesis is to study how local periodic flows synchronized with offsets can be handled when computing delay upper-bounds on a real-time switched Ethernet. In a first step, the impact of these offsets on the delay upper-bound computation is illustrated. Then, the integration of offsets in the Network Calculus and the Trajectory approaches is introduced. Therefore, a modified Network Calculus approach and a modified Trajectory approach are developed whose performances are compared on an Avionics Full-DupleX switched Ethernet (AFDX) industrial configuration with one thousand of flows. It has been shown that, in the context of this AFDX configuration, the Trajectory approach leads to slightly tighter end-to-end delay upper bounds than the ones of the Network Calculus approach. But offsets of local flows have to be chosen. Different offset assignment algorithms are then investigated on the AFDX industrial configuration. A near-optimal assignment can be exhibited. Next, a pessimism analysis of the computed upper-bounds is proposed. This analysis is based on the Trajectory approach (made optimistic) which computes an under-estimation of the worst-case delay. The difference between the upper-bound (computed by a given method) and the under-estimation of the worst-case delay gives an upper-bound of the pessimism of the method. This analysis gives interesting comparison results on the Network Calculus and the Trajectory approaches pessimism. The last part of the thesis, deals with a real-time heterogeneous network architecture where CAN buses are interconnected through a switched Ethernet backbone using dedicated bridges. Two approaches, the component-based approach and the Trajectory approach, are developed to conduct a worst-case delay analysis for such a network. Clearly, the ability to compute end-to-end delays upper-bounds in the context of heterogeneous network architecture is promising for industrial domains
Ethernet-based AFDX simulation and time delay analysis
Nowadays, new civilian aircraft have applied new technology and the amount of embedded systems and functions raised. Traditional avionics data buses design canât meet the new transmission requirements regarding weight and complexity due to the number of needed buses. On the other hand, Avionics Full Duplex Switched Ethernet (AFDX) with sufficient bandwidth and guaranteed services is considered as the next generation of avionics data bus. One of the important issues in Avionics Full Duplex Switched Ethernet is to ensure the data total time delay to meet the requirements of the safety-critical systems on aircraft such as flight control system. This research aims at developing an AFDX time delay model which can be used to analyse the total time delay of the AFDX network. By applying network calculus approach, both (Ï,Ï) model and Generic Cell Rate Algorithm (GCRA) model are introduced. For tighter time-delay result, GCRA model is applied. Meanwhile, the current AFDX network simulation platform, FACADE, will be enhanced by adding new functions. Moreover, avionics application simulation modules are developed to exchange data with FACADE. The total time delay analysis will be performed on the improved FACADE to validate this AFDX network simulation platform in several scenarios. Moreover, each scenario is appropriated to study the association between total time delay performance and individual variable. The results from updated FACADE reflect the correlation between total time delay and certain variables. Larger BAG and more switches between source and destination end systems introduce larger total time delay while Lmax could also affect the total time delay. However, the results illustrate that the total time delays from updated FACADE are much larger than GCRA time delay model which could up to 10 times which indicates that this updated FACADE needs further improvement
A simple and efïŹcient class of functions to model arrival curve of packetised ïŹows
International audienceNetwork Calculus is a generic theory conceived to compute upper bounds on network traversal times (WCTT - Worst Case Traversal Time). This theory models traïŹc constraints and service contracts with arrival curves and service curves. As usual in modelling, the more realistic the model is, the more accurate the results are, however a detailed model implies large running times which may not be the best option at each stage of the design cycle. Sometimes, a trade-oïŹ must be found between result accuracy and computation time. This paper proposes a combined use of two simple class of curves in order to produce accurate results with a low computational complexity. Experiments are then conducted on a realistic AFDX case-study to benchmark the proposal against two existing approaches
Design of Time-Sensitive Networks For Safety-Critical Cyber-Physical Systems
A new era of Cyber-Physical Systems (CPSs) is emerging due to the vast growth in computation and communication technologies. A fault-tolerant and timely communication is the backbone of any CPS to interconnect the distributed controllers to the physical processes. Such reliability and timing requirements become more stringent in safety-critical applications, such as avionics and automotive. Future networks have to meet increasing bandwidth and coverage demands without compromising their reliability and timing. Ethernet technology is efficient in providing a low-cost scalable networking solution. However, the non-deterministic queuing delay and the packet collisions deny low latency communication in Ethernet. In this context, IEEE 802.1 Time Sensitive Network (TSN) standard has been introduced as an extension of the Ethernet technology to realize switched network architecture with real-time capabilities. TSN offers Time-Triggered (TT) traffic deterministic communication. Bounded Worst-Case end-to-end Delay (WCD) delivery is yielded by Audio Video Bridging (AVB) traffic. In this thesis, we are interested in the TSN design and verification.
TSN design and verification are challenging tasks, especially for realistic safety-critical applications. The increasing complexity of CPSs widens the gap between the underlying networks' scale and the design techniques' capabilities. The existing TSN's scheduling techniques, which are limited to small and medium networks, are good examples of such a gap. On the other hand, the TSN has to handle dynamic traffic in some applications, e.g., Fog computing applications. Other challenges are related to satisfying the fault-tolerance constraints of mixed-criticality traffic in resource-efficient manners. Furthermore, in space and avionics applications, the harsh radiation environment implies verifying the TSN's availability under Single Event Upset (SEU)-induced failures. In other words, TSN design has to manage a large variety of constraints regarding the cost, redundancy, and delivery latency where no single design approach fits all applications. Therefore, TSN's efficient employment demands a flexible design framework that offers several design approaches to meet the broad range of timing, reliability, and cost constraints.
This thesis aims to develop a TSN design framework that enables TSN deployment in a broad spectrum of CPSs. The framework introduces a set of methods to address the reliability, timing, and scalability aspects. Topology synthesis, traffic planning, and early-stage modeling and analysis are considered in this framework. The proposed methods work together to meet a large variety of constraints in CPSs. This thesis proposes a scalable heuristic-based method for topology synthesis and ILP formulations for reliability-aware AVB traffic routing to address the fault-tolerance transmission. A novel method for scalable scheduling of TT traffic to attain real-time transmission. To optimize the TSN for dynamic traffic, we propose a new priority assignment technique based on reinforcement learning. Regarding the TSN verification in harsh radiation environments, we introduce formal models to investigate the impact of the SEU-induced switches failures on the TSN availability. The proposed analysis adopts the model checking and statistical model checking techniques to discover and characterize the vulnerable design candidates