Professional Documents
Culture Documents
A New Approach For Distributed Computing in Avionics Systems
A New Approach For Distributed Computing in Avionics Systems
avionics systems
Miguel A. Sánchez-Puebla Jesús Carretero
EADS Spain Computer Science Department
Avda John Lennon s/n Universidad Carlos III de Madrid,
Getafe, 28906, Madrid, Spain Avda. Universidad 30
Email:masrodri@inf.uc3m.es Leganés, 28911, Madrid, Spain
Abstract
Historically, a typical avionics system architecture has been designed as a federated architecture of black-boxes with
well-defined functions and implemented on fully dedicated computers. The new Integrated Modular Avionics (IMA)
architecture relies on an architecture more similar to conventional computers, where several general-purpose
processors are connected through a bus and all the Inputs/Outputs (I/O) come from the I/O units (like Remote
Interface Units, RIUs) through the bus to the processors. This architecture imposes a heavy traffic on data networks,
which cannot be satisfied by traditional buses such as the MIL-STD-1553, but still requires determinism, which
cannot be provided by general-purpose networks. In this paper, we describe the basics of IMA and the
communication network designed for the new Airbus 380. The preliminary evaluation results show the feasibility of
the IMA approach.
1 Introduction
Historically, aviation-based computing systems have used a federated design approach, where
functions (and their associated criticality) are isolated from others by confining them into
dedicated boxes. However, the trend of manufacturers in recent years has been to integrate
numerous functions into single computing systems with different levels of criticality [1].
A typical avionics system architecture is designed as a federated architecture of black-boxes.
Each box can be a hardware/software (Hw/Sw) configuration totally different to the others (i.e.
Central Processing Unit, language, Operating System). This architecture is inherently robust and
fault-tolerant. The applications are physically protected from one another so that failures of one
or more applications do not affect others. For example, in Figure 1, a Line Replaceable Unit
(LRU) fails without affecting the remainder systems. However, this architecture is very
expensive to build in terms of cost, power consumption, cooling, and weight. Moreover, adding
new functions means adding new boxes. Thus, modifications, upgrades and improvements
usually convey serious drawbacks in terms of complexity, costs, time, etc.
580
This means that part of system Inputs/Outputs will be deported to one or more IOMs and will
have to be transmitted among the CPIOM and the IOM(s). Such inter-module exchanges are
made via the shared aircraft network (AFDX or Fibre Channel), and only the services included in
the Avionics Application Software Standard Interface (ARINC 653) can be used [3].
The basic principle of IMA is "sharing". This is accomplished by:
- Sharing of processing resources through a robust partitioning mechanism that enables the
various applications to be executed by the same computational resource providing protection
through space and time segregation.
- Sharing of communication network, because a unique communication media is used among
the various modules, but also between these modules and the remaining boxes.
- Input sharing, because input data is acquired only once (with the exception of redundancies
required to meet safety and schedulability constraints) and redistributed to user systems via
the communication network.
Specific partitions within an IMA system are scheduled on a fixed, cyclic basis (a major time
frame of fixed duration). The order of partition activation is static and fully defined at
configuration time using configuration tables [9]. According to [9] a uniprocessor system
consisting of a fixed set of applications partitions executing atomic instructions and Inter-
Partition Communication (IPC) services is equivalent to a federated architecture. It must be
verified that each atomic instruction has read only access to its inputs and write access to its
outputs parameters. For IPC the condition to be guaranteed is that the IPC service has access to
both the communication resources and the application resources of the requestor. Time is unique
and independent of partition execution within an IMA module. There are not time capabilities
relative to a specific partition execution. The O/S is responsible for providing time slicing,
deadline, periodicity, delays and time-outs, and these mechanisms are only accessed through
attributes or services provided by the ARINC 653 APEX.
581
that generate time stamps and allow to measure how long it takes a packet of information to go
from an end-system, through a switch and to another end system. The standard Ethernet switch
has been also modified due to IMA requirements in terms of safety, segregation and partitioning.
Redundant networks are also used to satisfy network reliability and safety criteria. Figure 3
shows the AFDX network architecture.
582
Figure 4 AFDX evaluation testbench
Our main tests run a Hard Real-Time application sharing I/O resources and exchanging data by
Ethernet in an ARINC 664 way. The hard real-time constraint has a minor frame of 80 ms. The
main part of the software is an aperiodic tasking scheduler based on Rate Monotonic Analysis
(RMA) [10]. This scheduler scheme has been issued based on the ARINC 653 APEX by using a
single process per partition (additional process with a high priority have been issued to handle
with the devices drivers) and one partition per CPU board. Each process requests a
“PERIODIC_WAIT” service to get the equivalence with “delay_until” . The inter-partition
communication has been issued in sampling mode, and each I/O device is handled by one
independent process. Blackboard services have been used to read/write onto these devices.
Opposite to initial predictions, the main concerns to fit the hard real-time requirements have not
been related to neither Ada tasking, nor resources sharing, nor data exchanging. All these have
introduced a natural consumption of time, but always (See Table 1) inside time limits and
according to their access time, accommodated to fit the 80 ms scheduler. All tasks are
schedulable at theirs partitions according to [15]
Intra-partitions (µsg) Inter-partitions (µsg)
Write Read Write Read
Single Access (4 Bytes) 1 3 46 65
Block Transfer (64 Bytes) 46 51 46 52
Multiplexed Block Transfer (64 Bytes) 46 49 47 52
Block Transfer (8192 Bytes) 542 355 310 395
Multiplexed Block Transfer (8192 Bytes) 221 190 195 283
Table 1. AFDX (inter) and backplane (intra) transmission delays
Despite these facts, we observed that an overrun deadline occurred periodically. We traced this
characteristic to the fact that the timer provided by the compiler/APEX/CPU board is 16.66 ms
and the system timer provided by the compiler/OS/CPU board is based, of course, on that timer.
Therefore the 1st delay of 80 ms is converted to 5 system ticks, i.e., 5*16.66 = 83.33 ms of
effective delay. Then the 2nd delay is 80-3.33 = 76.66 ms, again converted in 5 system ticks (i.e.
83.33ms). Then the 3rd delay is 73.33 ms, again 5 system ticks. Then the 4th delay is 70 ms, and
again 5 system ticks. Finally, the 5th delay is 66.66 ms and now this time is converted to 4 system
ticks (i.e. 4*16.66=66.66ms). Thus, the sequence is 83.33ms, 83.33ms, 83.33 ms, 83.33 ms, and
66.66 ms (overrun) and so on (see Figure 5).
4 ticks= 66.6 ms ⇒ over-run
5 ticks = 83.35 ticks = 83.35 ticks = 83.35 ticks = 83.3
msg msg msg msg
583
The same scheduler scheme has been issued avoiding the APEX services, but using an
“delay_until” sentence. Therefore the “delay_until” is used to obtain the next self -compensating
period. In this case the compiler/OS/ CPU board time is again based on the OS/CPU board timer
and then the results have been the expected.
5 Conclusions
The use of an APEX standard will allow more complex system to work in less time and with less
effort. But the upper layers are (always) based on the lower layers. Our experience shows that
using an APEX standard eases the start up of an application in comparison with previous
standards. The evaluation also shows that besides, the ability of an APEX stantard to guarantee a
constant-time context (independent of the number of the tasks) of 80 ms, for instance, is
worthless if the compiler/OS/CPU board can not guarantee a trusty timer. At least three timers
models should be provided by the compiler/OS/CPU board: Chime model with large period, very
low overhead, for applications not needing true real time (i.e. Calendar.Clock); Alarm model
with time events implemented by an event queue and just one wide range timer to interrupt the
next expired event, and chime + alarm model if the CPU board does not include an alarm timer
wide enough. In this case two medium range timer shall be needed.
If these models are not available, the best solution is to implement a ‘tick’ by using a
semGive/semTake strategy that can be adapted quite easily to each context/board.
A major attraction of AFDX is its ability to free avionics data transfer in integrated avionics
systems from the logistical limitations of a backplane bus. Configuration tables allow to define
partitions and to distribute computing modules through several computers tightly integrated by
AFDX. This increases flexibility in placing computing resources and reduces the system updates
complexity. However, configuration tables activities should be improved by using a graphical
application in order “to visualise” what is in each parti tion and warning the system integrator that
the resources are not properly balanced among partitions. Currently is rather hard to configure an
IMA system.
AFDX has demonstrated to be deterministic, reliable (is a dual network), and fast enough to
satisfy transmission requirements. However, in order to validate the model, further research has
to be carried out in the heavily loaded environment of an airplane. This requires an IMA
simulator for a complete airplane, with intense signal traffic across the network.
6 References
[1] RTCA/DO-178B Software Considerations in Airborne Systems and equipment Certification
[2] ARINC Specification 664. Aircraft Data Network.
[3] ARINC Specification 653. Avionics Application Software Standard Interface. 1995
[4] IEEE Std 802.3, 2000 Edition: Full-duplex Operations
[5] IEEE Std 802.1d: Media Access Control Bridge
[6] IEEE Std 802.1q: Virtual Bridged Local Area Network
[7] B. Dobbing, “Building Partitioned Architectures based on Ravenscar Profile”. SIGAda November 2000
[8] G. Romanski, “High Integrity Softw are for High Integrity Systems”, SIGAda 2000.
[9] B.L. Di Vito, “A formal Model of Partitioning for Integrated Modular Avionics”, NASA/CR -1998-208703,
August 1998
[10] K. Tindell, “Deadline Monotonic Analysis,” Embedded Systems Programming, June 2000
http://www.embedded.com/2000/0006/0006feat1.htm.
[11] Aerospace Recommended Practice 4754 Certification Considerations for Highly Integrated or Complex Aircraft
Systems, 1996.
[12] Radstone PPC 4B Manual Rev A No. PPC4B-0HH 2.001
[13] WindRiver, “GNU Toolkit User’s Guide”, WindRiver 2.002
[14] WindRiver, “VxWorks Programmer’s Guide”, WindRiver 2.002
[15] L. Kim, “Software architecture supporting integrated real -time systems”, Younis, 2.001
[16] Murdock JK, Koenig JR. Open systems avionics network to replace MIL-STD-1553. In Proceedings of the
AIAA/IEEE 19th Digital Avionics Systems Conference, Philadelphia, PA, 2000.
584