Determinism Enhancement and Reliability Assessment in Safety Critical AFDX Networks

RÉSUMÉ AFDX est une technologie basée sur Ethernet, qui a été développée pour répondre aux défis qui découlent du nombre croissant d’applications qui transmettent des données de criticité variable dans les systèmes modernes d’avionique modulaire intégrée (Integrated Modular Avionics). Cette technologie de sécurité critique a été notamment normalisée dans la partie 7 de la norme ARINC 664, dont le but est de définir un réseau déterministe fournissant des garanties de performance prévisibles. En particulier, AFDX est composé de deux réseaux redondants, qui fournissent la haute fiabilité requise pour assurer son déterminisme. Le déterminisme de AFDX est principalement réalisé par le concept de liens virtuels (Virtual Links), qui définit une connexion unidirectionnelle logique entre les points terminaux (End Systems). Pour les liens virtuels, les limites supérieures des délais de bout en bout peuvent être obtenues en utilisant des approches comme calcul réseau, mieux connu sous l’appellation Network Calculus. Cependant, il a été prouvé que ces limites supérieures sont pessimistes dans de nombreux cas, ce qui peut conduire à une utilisation inefficace des ressources et augmenter la complexité de la conception du réseau. En outre, en raison de l’asynchronisme de leur fonctionnement, il existe plusieurs sources de non-déterminisme dans les réseaux AFDX. Ceci introduit un problème en lien avec la détection des défauts en temps réel. En outre, même si un mécanisme de gestion de la redondance est utilisé pour améliorer la fiabilité des réseaux AFDX, il y a un risque potentiel souligné dans la partie 7 de la norme ARINC 664. La situation citée peut causer une panne en dépit des transmissions redondantes dans certains cas particuliers. Par conséquent, l’objectif de cette thèse est d’améliorer la performance et la fiabilité des réseaux AFDX. Tout d’abord, un mécanisme fondé sur l’insertion de trames est proposé pour renforcer le déterminisme de l’arrivée des trames au sein des réseaux AFDX. Parce que la charge du réseau et la bande passante moyenne utilisée augmente due à l’insertion de trames, une stratégie d’agrégation des Sub-Virtual Links est introduite et formulée comme un problème d’optimisation multi-objectif. En outre, trois algorithmes ont été développés pour résoudre le problème d’optimisation multi-objectif correspondant. Ensuite, une approche est introduite pour incorporer l’analyse de la performance dans l’évaluation de la fiabilité en considérant les violations des délais comme des pannes.----------ABSTRACT AFDX is an Ethernet-based technology that has been developed to meet the challenges due to the growing number of data-intensive applications in modern Integrated Modular Avionics systems. This safety critical technology has been standardized in ARINC 664 Part 7, whose purpose is to define a deterministic network by providing predictable performance guarantees. In particular, AFDX is composed of two redundant networks, which provide the determinism required to obtain the desired high reliability. The determinism of AFDX is mainly achieved by the concept of Virtual Link, which defines a logical unidirectional connection from one source End System to one or more destination End Systems. For Virtual Links, the end-to-end delay upper bounds can be obtained by using the Network Calculus. However, it has been proved that such upper bounds are pessimistic in many cases, which may lead to an inefficient use of resources and aggravate network design complexity. Besides, due to asynchronism, there exists a source of non-determinism in AFDX networks, namely frame arrival uncertainty in a destination End System. This issue introduces a problem in terms of real-time fault detection. Furthermore, although a redundancy management mechanism is employed to enhance the reliability of AFDX networks, there still exist potential risks as pointed out in ARINC 664 Part 7, which may fail redundant transmissions in some special cases. Therefore, the purpose of this thesis is to improve the performance and the reliability of AFDX networks. First, a mechanism based on frame insertion is proposed to enhance the determinism of frame arrival within AFDX networks. As the network load and the average bandwidth used by a Virtual Link increase due to frame insertion, a Sub-Virtual Link aggregation strategy, formulated as a multi-objective optimization problem, is introduced. In addition, three algorithms have been developed to solve the corresponding multi-objective optimization problem. Next, an approach is introduced to incorporate performance analysis into reliability assessment by considering delay violations as failures. This allowed deriving tighter probabilistic upper bounds for Virtual Links that could be applied in AFDX network certification. In order to conduct the necessary reliability analysis, the well-known Fault-Tree Analysis technique is employed and Stochastic Network Calculus is applied to compute the upper bounds with various probability limits

Refinement of AADL models using early-stage analysis methods : An avionics example

Model-Driven Engineering (MDE) is a relevant approach to support the engineering of distributed embedded systems with performance and dependability constraints. MDE involves models definitions and transformations to cover most of the system life-cycle: design, implementation and Verifi cation & Validation activities towards system quali fication. Still, few works evaluate the early integration of performance evaluation based on architectural models. In this report, we investigate the early-stage use of analysis in AADL modeling. Precisely, we exemplify on an avionics case study how to dimension the data flows for an application distributed over an AFDX network. Based on the insight from this study, we suggest a simple framework and associated techniques to e fficiently support analysis activities in the early-stage design phases

Worst-case delay analysis of real-time switched Ethernet networks with flow local synchronization

Les réseaux Ethernet commuté full-duplex constituent des solutions intéressantes pour des applications industrielles. Mais le non-déterminisme d’un commutateur IEEE 802.1d, fait que l’analyse pire cas de délai de flux critiques est encore un problème ouvert. Plusieurs méthodes ont été proposées pour obtenir des bornes supérieures des délais de communication sur des réseaux Ethernet commuté full duplex temps réels, faisant l’hypothèse que le trafic en entrée du réseau peut être borné. Le problème principal reste le pessimisme introduit par la méthode de calcul de cette borne supérieure du délai. Ces méthodes considèrent que tous les flux transmis sur le réseau sont indépendants. Ce qui est vrai pour les flux émis par des nœuds sources différents car il n’existe pas, dans le cas général, d’horloge globale permettant de synchroniser les flux. Mais pour les flux émis par un même nœud source, il est possible de faire l’hypothèse d’une synchronisation locale de ces flux. Une telle hypothèse permet de bâtir un modèle plus précis des flux et en conséquence élimine des scénarios impossibles qui augmentent le pessimisme du calcul. Le sujet principal de cette thèse est d’étudier comment des flux périodiques synchronisés par des offsets peuvent être gérés dans le calcul des bornes supérieures des délais sur un réseau Ethernet commuté temps-réel. Dans un premier temps, il s’agit de présenter l’impact des contraintes d’offsets sur le calcul des bornes supérieures des délais de bout en bout. Il s’agit ensuite de présenter comment intégrer ces contraintes d’offsets dans les approches de calcul basées sur le Network Calculus et la méthode des Trajectoires. Une méthode Calcul Réseau modifiée et une méthode Trajectoires modifiée sont alors développées et les performances obtenues sont comparées. Le réseau avionique AFDX (Avionics Full-Duplex Switched Ethernet) est pris comme exemple d’un réseau Ethernet commuté full-duplex. Une configuration AFDX industrielle avec un millier de flux est présentée. Cette configuration industrielle est alors évaluée à l’aide des deux approches, selon un choix d’allocation d’offsets donné. De plus, différents algorithmes d’allocation des offsets sont testés sur cette configuration industrielle, pour trouver un algorithme d’allocation quasi-optimal. Une analyse de pessimisme des bornes supérieures calculées est alors proposée. Cette analyse est basée sur l’approche des trajectoires (rendue optimiste) qui permet de calculer une sous-approximation du délai pire-cas. La différence entre la borne supérieure du délai (calculée par une méthode donnée) et la sous-approximation du délai pire cas donne une borne supérieure du pessimisme de la méthode. Cette analyse fournit des résultats intéressants sur le pessimisme des approches Calcul Réseau et méthode des Trajectoires. La dernière partie de la thèse porte sur une architecture de réseau temps réel hétérogène obtenue par connexion de réseaux CAN via des ponts sur un réseau fédérateur de type Ethernet commuté. Deux approches, une basée sur les composants et l’autre sur les Trajectoires sont proposées pour permettre une analyse des délais pire-cas sur un tel réseau. La capacité de calcul d’une borne supérieure des délais pire-cas dans le contexte d’une architecture hétérogène est intéressante pour les domaines industriels. ABSTRACT : Full-duplex switched Ethernet is a promising candidate for interconnecting real-time industrial applications. But due to IEEE 802.1d indeterminism, the worst-case delay analysis of critical flows supported by such a network is still an open problem. Several methods have been proposed for upper-bounding communication delays on a real-time switched Ethernet network, assuming that the incoming traffic can be upper bounded. The main problem remaining is to assess the tightness, i.e. the pessimism, of the method calculating this upper bound on the communication delay. These methods consider that all flows transmitted over the network are independent. This is true for flows emitted by different source nodes since, in general, there is no global clock synchronizing them. But the flows emitted by the same source node are local synchronized. Such an assumption helps to build a more precise flow model that eliminates some impossible communication scenarios which lead to a pessimistic delay upper bounds. The core of this thesis is to study how local periodic flows synchronized with offsets can be handled when computing delay upper-bounds on a real-time switched Ethernet. In a first step, the impact of these offsets on the delay upper-bound computation is illustrated. Then, the integration of offsets in the Network Calculus and the Trajectory approaches is introduced. Therefore, a modified Network Calculus approach and a modified Trajectory approach are developed whose performances are compared on an Avionics Full-DupleX switched Ethernet (AFDX) industrial configuration with one thousand of flows. It has been shown that, in the context of this AFDX configuration, the Trajectory approach leads to slightly tighter end-to-end delay upper bounds than the ones of the Network Calculus approach. But offsets of local flows have to be chosen. Different offset assignment algorithms are then investigated on the AFDX industrial configuration. A near-optimal assignment can be exhibited. Next, a pessimism analysis of the computed upper-bounds is proposed. This analysis is based on the Trajectory approach (made optimistic) which computes an under-estimation of the worst-case delay. The difference between the upper-bound (computed by a given method) and the under-estimation of the worst-case delay gives an upper-bound of the pessimism of the method. This analysis gives interesting comparison results on the Network Calculus and the Trajectory approaches pessimism. The last part of the thesis, deals with a real-time heterogeneous network architecture where CAN buses are interconnected through a switched Ethernet backbone using dedicated bridges. Two approaches, the component-based approach and the Trajectory approach, are developed to conduct a worst-case delay analysis for such a network. Clearly, the ability to compute end-to-end delays upper-bounds in the context of heterogeneous network architecture is promising for industrial domains

Ethernet-based AFDX simulation and time delay analysis

Nowadays, new civilian aircraft have applied new technology and the amount of embedded systems and functions raised. Traditional avionics data buses design can‘t meet the new transmission requirements regarding weight and complexity due to the number of needed buses. On the other hand, Avionics Full Duplex Switched Ethernet (AFDX) with sufficient bandwidth and guaranteed services is considered as the next generation of avionics data bus. One of the important issues in Avionics Full Duplex Switched Ethernet is to ensure the data total time delay to meet the requirements of the safety-critical systems on aircraft such as flight control system. This research aims at developing an AFDX time delay model which can be used to analyse the total time delay of the AFDX network. By applying network calculus approach, both (σ,ρ) model and Generic Cell Rate Algorithm (GCRA) model are introduced. For tighter time-delay result, GCRA model is applied. Meanwhile, the current AFDX network simulation platform, FACADE, will be enhanced by adding new functions. Moreover, avionics application simulation modules are developed to exchange data with FACADE. The total time delay analysis will be performed on the improved FACADE to validate this AFDX network simulation platform in several scenarios. Moreover, each scenario is appropriated to study the association between total time delay performance and individual variable. The results from updated FACADE reflect the correlation between total time delay and certain variables. Larger BAG and more switches between source and destination end systems introduce larger total time delay while Lmax could also affect the total time delay. However, the results illustrate that the total time delays from updated FACADE are much larger than GCRA time delay model which could up to 10 times which indicates that this updated FACADE needs further improvement

A simple and efficient class of functions to model arrival curve of packetised flows

International audienceNetwork Calculus is a generic theory conceived to compute upper bounds on network traversal times (WCTT - Worst Case Traversal Time). This theory models traffic constraints and service contracts with arrival curves and service curves. As usual in modelling, the more realistic the model is, the more accurate the results are, however a detailed model implies large running times which may not be the best option at each stage of the design cycle. Sometimes, a trade-off must be found between result accuracy and computation time. This paper proposes a combined use of two simple class of curves in order to produce accurate results with a low computational complexity. Experiments are then conducted on a realistic AFDX case-study to benchmark the proposal against two existing approaches

Design of Time-Sensitive Networks For Safety-Critical Cyber-Physical Systems

A new era of Cyber-Physical Systems (CPSs) is emerging due to the vast growth in computation and communication technologies. A fault-tolerant and timely communication is the backbone of any CPS to interconnect the distributed controllers to the physical processes. Such reliability and timing requirements become more stringent in safety-critical applications, such as avionics and automotive. Future networks have to meet increasing bandwidth and coverage demands without compromising their reliability and timing. Ethernet technology is efficient in providing a low-cost scalable networking solution. However, the non-deterministic queuing delay and the packet collisions deny low latency communication in Ethernet. In this context, IEEE 802.1 Time Sensitive Network (TSN) standard has been introduced as an extension of the Ethernet technology to realize switched network architecture with real-time capabilities. TSN offers Time-Triggered (TT) traffic deterministic communication. Bounded Worst-Case end-to-end Delay (WCD) delivery is yielded by Audio Video Bridging (AVB) traffic. In this thesis, we are interested in the TSN design and verification. TSN design and verification are challenging tasks, especially for realistic safety-critical applications. The increasing complexity of CPSs widens the gap between the underlying networks' scale and the design techniques' capabilities. The existing TSN's scheduling techniques, which are limited to small and medium networks, are good examples of such a gap. On the other hand, the TSN has to handle dynamic traffic in some applications, e.g., Fog computing applications. Other challenges are related to satisfying the fault-tolerance constraints of mixed-criticality traffic in resource-efficient manners. Furthermore, in space and avionics applications, the harsh radiation environment implies verifying the TSN's availability under Single Event Upset (SEU)-induced failures. In other words, TSN design has to manage a large variety of constraints regarding the cost, redundancy, and delivery latency where no single design approach fits all applications. Therefore, TSN's efficient employment demands a flexible design framework that offers several design approaches to meet the broad range of timing, reliability, and cost constraints. This thesis aims to develop a TSN design framework that enables TSN deployment in a broad spectrum of CPSs. The framework introduces a set of methods to address the reliability, timing, and scalability aspects. Topology synthesis, traffic planning, and early-stage modeling and analysis are considered in this framework. The proposed methods work together to meet a large variety of constraints in CPSs. This thesis proposes a scalable heuristic-based method for topology synthesis and ILP formulations for reliability-aware AVB traffic routing to address the fault-tolerance transmission. A novel method for scalable scheduling of TT traffic to attain real-time transmission. To optimize the TSN for dynamic traffic, we propose a new priority assignment technique based on reinforcement learning. Regarding the TSN verification in harsh radiation environments, we introduce formal models to investigate the impact of the SEU-induced switches failures on the TSN availability. The proposed analysis adopts the model checking and statistical model checking techniques to discover and characterize the vulnerable design candidates