RADIATION-TOLERANT SYSTEM-ON-CHIP (SOC) WITH DETERMINISTIC SWITCHING FOR SCALABLE MODULAR LAUNCHER AVIONICS

Christian Fidi, Ivan Masar, Jean-Francois Dufour, Mirko Jakovljevic, TTTech Computertechnik AG, Vienna, Austria

Keywords

Next-Gen Launcher Avionics, Integrated Modular Architectures, Mixed Criticality Systems, SoC, Cyber-Physical Systems, SAE AS6802, AFDX, TTEthernet

Abstract

In space applications with a very demanding environment for electronic components, dedicated devices are needed to ensure the required reliability and availability for different mission profiles. Therefore, a dedicated reconfigurable radiation-tolerant SoC (System-On-Chip) with integrated computing and Ethernet switching supports the design of future modular architectures. This work presents the motivation for its introduction and describes key SoC properties and advances in high performance networking and semiconductor technology for scalable next-generation space avionics systems.

Introduction

Modern spacecraft architectures are moving towards adopting Integrated Modular Avionics (IMA) architecting principles, with tighter payload and platform integration. IMA enables use of a smaller set of components and modules which can be (re)used for different missions and in different topologies with minimal modifications.

Typically, such integrated systems contain a number of real-time and hard real-time functions which share common computing, networking/wiring, IO, power supply, physical housing, and other physical embedded resources, leading to a reduction in physical complexity. Such resource sharing reduces SWaP (Size, Weight and Power), or facilitates some other desirable architecture optimizations. The overall reduction in computing platforms, unique sparing, connector count and harness mass in more integrated spacecraft avionics potentially offers significant cost and weight savings over federated design approaches [1]. The resulting increase in commonality, both among the interfaces and the hardware platforms themselves, supports reconfiguration and maintainability for long duration manned missions that cannot be supported or resupplied from earth.

Furthermore, increasing levels of integration and IMA capabilities allow the optimization of a set of functions, and new considerations on system architecture.

Space Industry and COTS

The space industry is a low-volume industry which requires costly high-integrity components designed for special space environments and an operation time of over 20 years. To reduce system costs, open software platform standards and COTS components are considered in different programs.

As an example, since the Constellation program, NASA's strategy for the design of future spacecraft architectures (including launchers, landers, etc.) has heavily prioritized the use of COTS technologies for the purpose of reducing cost, minimizing the required amount of additional development, and removing the schedule risk associated with the creation of custom hardware. However, many spacecraft subsystems require a high degree of reliability and fault tolerance (e.g. 10^-9 failures/hour) not traditionally achievable without the use of specially designed and proprietary solutions (e.g. custom self-checking computers). Studies conducted during the Orion program showed that the application of purely COTS designs to such systems would result in insufficient reliability and undue expense over the life of the program [2,3].

These problems are compounded by the IMA philosophy of leveraging the same hardware resources for both critical and non-critical functions, and the resulting need for robust time and space partitioning within both the computing platforms (e.g. memory space, computation time) and the data network (e.g. bus access) [4]. Nonetheless, advancements in COTS technologies (e.g. in radiation tolerance) continue to make their incorporation into architectures for human-rated spacecraft more feasible and attractive. In particular, components from commercial aerospace, defense or other critical infrastructure applications, which may use appropriate design assurance and robust internal architectures, can be attractive for integrated space systems [5].

Integrated systems with Hard RT Performance at Reduced Complexity

There are two types of complex integrated architectures, as described in RTCA DO-297 [6]:
• Complex IMA
• Distributed IMA

Complex IMA systems are designed around the ARINC653/ARINC664 [7] and L-TTA [8] computing/communication model, while Distributed IMA can be built around the ARINC653, TTA [9] or L-TTA computing/communication model, and requires synchronous or time-division multiplexing (TDM) communication. Distributed IMA has been used in different forms since the 1980s, in avionics and modular aircraft control architectures for deterministic system integration and minimized use of embedded resources. This approach was useful due to low computing and networking bandwidth.

Since 2006, Time-Triggered Ethernet (standardized as SAE AS6802 [10]) has enabled synchronous Ethernet communication without traffic congestion, which enables the realization of complex IMA and Distributed IMA properties in one integrated system.

Switches with SAE AS6802 services can support integration of asynchronous ARINC664 communication and best-effort Ethernet communication in one network, so that system architects can use the system integration approach which meets their application constraints for scalable determinism and functional integration. Both SAE AS6802 and ARINC664 are complementary Layer2 enhancements tailored to design a set of parameter-driven architectures using different models of computation and communication such as TTA and L-TTA.

The complexity issues with asynchronous system integration for IMA and advanced architectures have been recognized by industry leaders [11]. Key challenges with asynchronous communication are:
• Jitter: Nodes execute at slightly varying times, and messages arrive at slightly different times
• Non-deterministic (or not fully deterministic) behavior: non-deterministic ordering of interactions between nodes
• Race Conditions: Behavior dependent on order of interactions between nodes
• Deadlock: Unanticipated execution sequences
• No Fault Found (NFF): Non-repeatable failures

Those issues can lead to system state explosion even with deterministic asynchronous communication, and the solution [11-12] is to have a verified synchronous operation model, robust global time, and input synchronization, which are the cornerstones of the TTA [9] model and SAE AS6802-based IMA systems.

Deterministic modular controls and integrated architectures based on periodic TDMA communication with fixed latency and strictly controlled jitter use the TTA computing model. Early space systems, with MIL-1553 databuses operating in synchronous mode and triple/quad-redundant synchronous computers and networks, fall into the same category. This approach is attractive as it reduces logical complexity, simplifies resource sharing, and unambiguously determines all key system interfaces. Unfortunately with MIL-1553, low bandwidth and long-term obsolescence issues become more critical over time. Therefore, both the French R&T projects (Avionic-X [13]) and the Future Launcher Preparatory Programme (FLPP Period 2) trade-offs have concluded that Ethernet-based switched networks are the most promising option for the future, due to their capabilities and broad cross-industry support (telecommunication, commercial aircraft and automotive) [14].

Therefore, SAE AS6802 supports Ethernet-based time-driven communication which enables specific capabilities in architecture and embedded platform design, which cannot be fully or at all realized by asynchronous communication, such as:
• System-level hard RT performance and virtualization for distributed functions
• Full decoupling of software function from controlled object due to full QoS guarantees (fixed latency, µs-jitter, hard RT communication)
• Integration of mixed criticality functions and critical functions in open systems
• Modifications do not change temporal behavior of already integrated functions
• Complexity reduction for embedded platform and middleware with full separation of temporal and functional behavior
• Simplified sensor fusion and redundancy management
• Significantly reduced consumption of embedded resources, as different functions operate in synchrony without excessive queue memories
• Simpler software and reduction in LOC (line-of-code) count
• Reduction in system integration costs and effort

There are other issues related to design methodology, incremental certification and system upgrades. With SAE AS6802, latency/jitter bounds and constraints can be set first, and then the configuration is calculated. With ARINC664, latency/jitter can be calculated using Network Calculus (NC) only after all traffic and virtual links (VLs) in the system are known. Network calculus computes bounds from the network traffic configuration based on periodicity and priority [15], and it does not start with latency and jitter constraints as design input.

Therefore, the jitter/latency fine tuning is accomplished iteratively, as the performance of one flow depends on all other flows. Any change leads to a new set of latency/jitter bound finding iterations, which can be a lengthy process. Furthermore, average latency can change, which can increase the frequency of transient bug appearance.

The methodology for design of network configuration in synchronous networks and DIMA is the reverse. First the traffic is defined with expected latency or memory use bounds, and then the configuration which satisfies the system and application constraints is created by the tool. There are no additional iterations or traffic interferences needed. Therefore, the integration effort will differ significantly for "ARINC664-only" and "SAE AS6802-only" based systems. However, being able to support both Layer 2 enhancements in one system as complementary traffic classes covers a broader set of use cases.

Network capabilities influence system design methodology (including the cost of design, integration, V&V, certification, reuse, upgrades and modifications) and enable system architecture optimizations which contribute to system lifecycle cost reduction. A system designed on system integration technology based on Ethernet and supporting synchronous and asynchronous networking creates new options for system lifecycle cost optimization.

Modular Launcher Avionics and Integrated Space Systems

The capabilities mentioned in the last chapter are also relevant for any type of integrated and modular control system architecture (2-10 switches, 4-20+ computers), human-rated avionics (10-20+ switches, 20-100+ computers), and habitats or modular space stations (Nx10 switches, Nx100 computers).

Those system properties and attributes are fully supported by Time-Triggered Ethernet (SAE AS6802) services which are implemented as a Layer2 service enhancement. For launcher applications (Figure 1), available synchronization services are completely independent of modular separation of boosters and stages, as the network protocol adapts automatically to changes, without any change in timing or resource use for functions operating in the system. If a complete configuration has described a system (e.g. with 10 switches and 40 computers), physical separation of this system into separate systems will not change how they operate. System functions will simply recognize loss of sensors or data in some parts of the system, but they will not change their real-time behavior or subsystem synchronization. If configured so, the launcher can be integrated with ground segments and controls and operate as one integrated real-time system until the launch.

[Figure 1 diagram: an upper stage and a lower stage, each with TTE switches; labelled units are FCU (Flight Ctrl), PSMU (Power/Measurm.), FADEC and ECU.]

Figure 1. Example topology: Integrated Ethernet-based architecture in launchers (adapted from [13, 14])

Time-Triggered Ethernet Switch and End-System Controller

In demanding space environments and applications, electronic components should provide the required reliability and availability for different mission profiles. Therefore, a dedicated radiation-tolerant ASIC for TTEthernet, named "TTE-Switch Controller Space", has been developed as a product for use in different space applications, not only restricted to human space exploration or launchers, but suitable for any aerospace and ground application targeting critical infrastructure.

Ethernet networks consist of two different components - End Systems (Network Interface) and Switches. TTEthernet switches specify a set of Layer2 enhancements that can be implemented on top of standard Ethernet (SAE AS6802, ARINC664). Since these services have tight constraints on the timing, they are typically implemented in hardware by means of FPGAs or ASICs. The switch contains all basic Ethernet packet-switching and communication services, and implements the synchronization engine (described in SAE AS6802) and the schedule table in the End Systems and in the Switches. Since the switch is the central element implementing the compression master functionality from SAE AS6802 and ensures the policing and routing of the different traffic classes, it is the more complex network component.

TTEthernet has been considered and selected by Ariane 6 teams as the most promising candidate owing to the architecture opportunities it brings at design, the simplicity it brings for software validation and the flexibility offered during exploitation and system lifecycle of the launcher system [14]. In addition, both ARINC664 and SAE AS6802 are supported by TTEthernet devices.

Translated into high-level avionics benefits, the complexity and program cost reduction can be accomplished by [14]:
• Simplifying the flight software due to network performance and, as a consequence, simplifying the associated flight software qualification test campaign
• Simplifying the redundancy concepts management and new opportunities of data processing management/distribution by using the native synchronization of the end-systems on a TTEthernet network
• Simplifying ground operations (AIT) thanks to the TTEthernet flexibility and the full Ethernet IEEE802.3 compliance
• Merging of functional and telemetry communication on a single network

This SoC (TTE-Switch Controller Space) allows design of integrated space system architectures at reduced complexity and system lifecycle costs, and facilitates their reuse and reconfiguration for different space missions and payloads. For Space Systems in general [14], this technology was considered as the most relevant choice for the new generation of high speed communication networks within the European space community. Finally it was selected for Ariane 6, and currently there are numerous ongoing architecture studies for next generation systems using equivalent system integration capabilities.

TTEthernet SoC Description and Capabilities

The SoC designs should satisfy space industry requirements at sufficiently small fabrication geometries. Widely available 45-90nm fabrication processes proven since 2005 are already sufficient for a complete SoC design with 32-bit computing, networking, GPIO, and additional interfaces and peripherals to support configurable application for different use cases.

Fabrication technology

One of the mature processes for rad-hard SoC designs is provided by ST Micro [16]. The C65SPACE is fabricated on a proprietary 65nm, 7 metal layers CMOS process intended for use with a core voltage of 1.2V ±0.10V, and is tested up to 300kRADS. The product is available in either a 352-pin CQFP or a 400-pin PBGA package to support high-end long term as well as cost competitive high-volume missions.

[Figure 2 block diagram: CPU, TTE-End System Controller and TTE-Switch Controller (COM/MON) attached to the AHB/APB bus together with MCU, IOMU, frame memory, reset and clock units (RGU, CGU, oscillator and PLL), host bridges (AHB to PCI, AHB to SPI, AHB to SpaceWire), debug I/O, I2C/MDIO/SPI/UART interfaces, 3xRGMII/RMII Ethernet ports and 6xRGMII/RMII + 12xRMII switch ports.]

Figure 2. TTE-Switch Controller Space Architecture.

Core SoC Functions

The TTEthernet TTE-Switch Controller Space (Figure 2) is a digital system on a chip (SoC) ASIC designed to fulfill two main functions:
1. The 2 or 3 port TTEthernet End System function
2. The 24-port TTEthernet Switch function

However, the chip also supports an integrated CPU with multiple general-purpose interfaces, as illustrated in Figure 2. In different configurations it can also act as a core processing CPU and can service or access different peripherals. Three different external host interfaces (SPI, PCI and SpaceWire) provide the flexibility to connect the SoC to different CPUs or FPGAs.

SoC Interconnect and Configurability

The TTE-Switch Controller Space has an AHB system-bus connecting all functional blocks via this shared bus. With a configuration register the SoC functional blocks can be selected and activated. This selection enables the functional block operation and performs clock gating on all unused blocks to prevent unintended interactions and to reduce power consumption.

All SoC functional blocks which are switched off and inactive are shielded by memory protection for the AHB-bus. This means that the inactivated functional blocks cannot get into a state which allows them to send anything on the AHB bus and interfere with other functions.

Moreover, the core SoC functional blocks (the end system, the switch and the CPU) are sharing a common volatile memory associated to these blocks during start-up. If configured so, the CPU has access to all used AHB addresses for status and diagnostics and is therefore able to provide the diagnostic and status data of the SoC and network component operation via the network. The SoC can also be flexibly configured via different external interfaces without computing core participation, and allows different means of integration with external computers.

Due to reconfiguration capability and internal architecture flexibility, the power consumption, depending on the use-case and SoC configuration, is between 0.1Watt and 2Watt (at 14Gbit/s throughput in switch mode). The stand-by mode power consumption is below 0.02Watt.

32-bit Management/Computing Leon-2FT CPU

The TTE-Controller has an integrated Leon2FT CPU with a core frequency of 125MHz, which is used for the end system and switch management and diagnostics. It has access to the end system and switch via the AMBA AHB/APB interfaces, allowing downloading or uploading configurations to these blocks or reading out status information. Therefore, the CPU is able to send out diagnostic data frames including the status and diagnostics information of the switch and end system internal status for e.g. health monitoring purposes.

[Figure 3 diagram: the TTE-Application sits on top of the ARINC653-COM, UDP-COM, IP-COM, MAC-COM and MAC-RAW interfaces of the TTE-End System Controller, which carries Time-Triggered & Rate-Constraint Traffic and Best-Effort Traffic.]

Figure 3. TTE-End System Controller Host-Interfaces

TTE-Switch Controller

The TTE-Switch block provides Ethernet switching functionality of 6x10/100/1000Mbit/s and 19x10/100Mbit/s Ethernet ports on ISO-Layer 2 for time-triggered, rate-constrained and standard Ethernet traffic. Together with the TTE-End System and the CPU (with the respective firmware) the TTE-Switch Controller is a fully managed (TT)Ethernet switch providing TFTP dataloading and SNMP diagnostics functionality. The switch block also supports IEEE802.3 features like bandwidth policing per port and dynamic address learning, and performs all the checks of standard Ethernet switches. It further supports VLANs and the IEEE1588V2 one-step clock. The TTE-Switch further supports critical traffic (time-triggered and rate-constrained) and therefore implements the AS6802 and the ARINC664 part 7 standard.

The switch can be used as a high-integrity component which can suppress any hard to detect errors in real-time and ensure fail-silent behavior, which facilitates design of robust integrated architectures. Both switches are designed as dual-core lock-step (DCLS) designs with phase-shifted clocking and are placed on separate silicon areas.

TTE-End System Controller

The End System controller is responsible for connecting to a host (internal CPU, external CPU or FPGA) to allow sending and receiving Ethernet frames into the TTEthernet network. The End System has 3 ports to support design of dual and triple redundant networks. This functional block provides core CPU off-loading and the traffic partitioning capability required for the design of integrated architectures.

The End System supports the three different traffic classes: time-triggered, rate-constraint and best effort. It further supports the AS6802 fault-tolerant synchronization protocol. The TTE-End System functional block provides memory partitioning at the host interface which allows accessing the different partitions via different participants on the AHB-bus, allowing data to be sent and received from different interfaces, e.g. (Q)SPI and SpaceWire, via the TTE-End System block simultaneously. This capability enables simplified design of gateways.

Moreover, the TTE-End System provides a built-in IP/UDP/ARINC653 network stack for critical traffic, illustrated in Figure 3. This stack is designed as a CPU off-loading engine in hardware, and allows a convenient way to send and receive data between different end systems in the network. It supports IP fragmentation of frames with up to 8kByte for streaming UDP protocol data.

Best-effort traffic can be sent over the same network stack so that it does not influence other time-critical (time-triggered, ARINC664) network traffic. Up to 256 VLANs are supported for soft-time Ethernet communication. Higher layers defined in IEEE802.1Q are not supported with the network stack implemented in hardware; as such, Layer 3-4 can typically be implemented in a software stack by users. Best effort traffic can use the raw MAC interface or SAP (service access point) for soft-time communication, as they (raw MAC, SAP) allow dynamic assignment of destination addresses and full Ethernet frame manipulation (raw MAC).

The TTE-End System functional block supports up to 8 independent partitions for input and 8 partitions for output traffic. A partition is defined as an independent address space, with a configured memory size separated for input or output traffic, with defined communication ports (sampling, queuing or service access ports (SAP) equivalent to the ARINC664 standard).

This allows different tasks to access the TTE-End System Controller on the SoC without any interference for sending and receiving data. The End System also provides partitioning support. The partitioning is handled in the configuration table loaded into the TTE-Controller block. Both input and output partitions have a defined number of sampling, queuing and SAP ports defined in the configuration. The memory size of partitions can be defined by statically configured information. The memory allocation within the partition is dynamically assigned according to their priority at runtime. The interface level, e.g. MAC, IP, UDP, ARINC653, is defined in the configuration and can be statically defined for each message and virtual link (VL).

Deterministic Memory Control Unit (MCU)

The MCU ensures the management of the internal volatile memory between the different blocks: CPU, end system and switch. There is 1MB of internal RAM divided into 8 blocks available, which can be associated to the three units by configuration at start-up. This unit is a direct interface to improve the speed of the access to the RAM memory, provides memory partitioning and prevents any potential conflicts. This allows deterministic access on independent paths to different memory sections.

Radiation Tolerance and Reliability

The TTE-Switch Controller Space has been designed to withstand harsh space environments by means of temperature, shock and vibration as well as radiation of up to 300kRAD. To ensure radiation-tolerance the chip uses EDAC on all memories and additional scrubbing on all configuration memories. The SoC design is accompanied with a RAMS design/calculation sheet which allows accurate SoC reliability calculation in relation to mission profile, environmental conditions (temperature, radiation, power consumption, SEU…), internal SoC design/configuration and SoC use, and ASIC fabrication technology.

In addition to the use of a radiation-hard process, TMR redundancy is deployed for the Ethernet MAC, all state machines and the comparator logic of the on-chip dual-core lock-step (DCLS). First, state machines are designed to be fault-tolerant and fail-silent, with facilities to report their health to Leon-2FT. As an additional layer of defense against radiation-induced faults, the state machines are designed with TMR logic, while internal synchronization lines are hardened against meta-stabilities and glitches.

The status of the errors and their correction is stored in diagnostic registers. For the protection of the logic, the hardened cells (fabrication technology related!) of a mature radiation tolerant library have been used for all cells of the chip. The use of register BIST and memory BIST allows ensuring the right production test-coverage, but these are also checked during start-up to ensure the correct behavior of the cells and memories after each start-up. The test-results are stored in the diagnostic registers.

The TTE-Switch Controller Space is developed according to TTTech internal processes which are compliant to the ECSS standards. This includes in-depth RAMS analyses, ASIC block IP design and V&V assurance documentation, software, and SoC V&V documentation.

Moreover, the SoC end system and switch components incorporate commercial aerospace best practices for their internal design and architecture, which support robust fault-detection and tolerance. Integrated networking functional blocks have been designed to DO-25/DO-178 DAL A prior to integration in this SoC. The supply chain of the chip is according to ESCC9000 or QML-V standards and therefore the chip can be provided as a high-reliability part.

Conclusion

The COTS technologies used in time-/safety-critical applications such as SAE AS6802 and ARINC664 have been instantiated for space applications in the 65nm rad-hard SoC, with an internal architecture designed for flexible reconfiguration with strict partitioning and isolation of internal resources. The rad-hard SoC described in this paper (TTE-Switch Controller Space) allows design of complex IMA systems, N-redundant fault-tolerant computers, SpaceWire/RS-232/RS422/SPI/PCI/Ethernet/ARINC664/TTEthernet gateways, remote data concentrators (RDCs) with GPIO, or smart sensors/actuators for demanding integrated architectures. This SoC is designed using best industry practices, and provides several layers of fault and radiation tolerance:
• Radiation-tolerant fabrication technology
• Mature and proven radiation-tolerant libraries
• Fault-tolerant and fail-silent state machine design, before TMR is applied to state machine logic
• TMR redundancy for state machines, comparators, critical logic and Ethernet MAC
• Internal SoC partitioning and isolation mechanisms protected by continuous scrubbing and BIST
• Radiation tolerant memories
• Error management via Leon-2FT, which on its own is designed as a fault-tolerant component
• Dual-Core Lock-Step or COM/MON switch design can capture/prevent complex backbone/system faults and ensure design of high-integrity integrated architectures

Due to the selected set of features, network technologies and peripherals, this SoC allows design of integrated embedded platforms and system architectures at reduced complexity and system lifecycle costs, and facilitates their reuse and reconfiguration for different space missions and payloads. Currently, the SoC is deployed for the Ariane 6 control system and integrated architecture design, while many ongoing architecture studies and future spacecraft/space system architectures rely on its capabilities.

References

[1] Rushby, J., "Partitioning in Avionics Architectures: Requirements, Mechanisms, and Assurance," Tech. rep., NASA Langley Research Center, Hampton, VA, June 1999.
[2] Fletcher, M., "Progression of an Open Architecture: from Orion to Altair and LSS," Proc. Fault-Tolerant Spaceborne Computing Employing New Technologies, Albuquerque, NM, May 2009.
[3] Driscoll, K., Hall, B., Sivencrona, H., and Zumsteg, P., "Byzantine Fault Tolerance, from Theory to Reality," Proc. 22nd International Conference on Computer Safety, Reliability, and Security (SAFECOMP03), Edinburgh, Scotland, UK, October 2003.
[4] Hodson, R., Chen, Y., Morgan, D., Butler, A., Sdhuh, J., Petelle, J., Gwaltney, D., Coe, L., Koelbl, T., Nguyen, H., "Heavy Lift Vehicle (HLV) Avionics Flight Computing Architecture Study," Tech. rep., NASA Langley Research Center, Hampton, VA, June 2011.
[5] Loveless, A., Fidi, C., and Wernitznigg, S., "A Proposed Byzantine Fault-Tolerant Voting Architecture using Time-Triggered Ethernet," SAE Aerotech 2017, Ft. Worth, TX, SAE Technical Paper 2017-01-2111, 2017.
[6] RTCA, DO-297: Integrated Modular Avionics (IMA) Development Guidance and Certification Considerations, 2005-11-08
[7] A. Benveniste, A. Bouillard and P. Caspi, "A unifying view of Loosely Time-Triggered Architectures", EMSOFT '10 Proceedings of the tenth ACM international conference on Embedded Software, Oct 2010, Arizona, USA
[8] Kopetz H., Bauer G., "The Time-Triggered Architecture", Proceedings of the IEEE, Volume 91, Issue 1, 2003
[9] ARINC664, "664P7-1 Aircraft Data Network, Part 7, Avionics Full-Duplex Switched Ethernet Network", http://store.aviation-ia.com/cf/store/catalog_detail.cfm?item_id=1270, accessed Aug 2014
[10] SAE AS6802, Nov 2011, SAE Standards, http://standards.sae.org/as6802/
[11] S. Miller, D. Coffer, L. Sha, "Implementing logical synchrony in integrated modular avionics", Digital Avionics Systems Conference, 2009. DASC '09. IEEE/AIAA 28th, Orlando
[12] W. Steiner and J. Rushby, "TTA and PALS: Formally Verified Design Patterns for Distributed Cyber-Physical Systems," Proceedings of the 29th IEEE/AIAA Digital Avionics Systems Conference (DASC 2011)
[13] D. Monchaux, P. Gast, J. Sangare, "Avionic-X: A demonstrator for the Next Generation Launcher Avionics", ERTS 2012, Feb 2012, Toulouse, France
[14] Clavier, P. Sautereau, J.-F. Dufour, "TTEthernet, a promising candidate for Ariane 6", Proceedings of the conference held 3-5 June 2014 in DASIA 2014, Warsaw, Poland
[15] M. Boyer, "Modelling avionics communicating systems: successes, failures, challenges", Dagstuhl Seminar on Network Calculus, March 8-11, 2015, http://materials.dagstuhl.de/files/15/15112/15112.MarcBoyer.Slides.pdf
[16] ST Micro, C65SPACE: Rad hard 65nm CMOS technology platform for space applications, http://www.st.com/resource/en/data_brief/c65space.pdf
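The constraint-first methodology described for SAE AS6802 (latency bounds are set first, then the configuration is calculated, and later modifications do not change the temporal behavior of already integrated functions) can be illustrated with a small offline scheduler for one link. This is an added example, not code from the paper or from any TTEthernet configuration tool; the flow names, periods, frame durations and the first-fit placement strategy are assumptions chosen for illustration.

```python
"""Constraint-first time-triggered scheduling on a single link (illustrative)."""
from dataclasses import dataclass
from math import gcd


@dataclass(frozen=True)
class Flow:
    name: str
    period_us: int      # one frame is sent per period
    duration_us: int    # time one frame occupies the link
    max_offset_us: int  # design input: latest permitted send offset in the period


def collide(f1, o1, f2, o2):
    """True if the two periodic link reservations ever overlap."""
    span = f1.period_us * f2.period_us // gcd(f1.period_us, f2.period_us)
    w1 = [(o1 + k * f1.period_us, o1 + k * f1.period_us + f1.duration_us)
          for k in range(span // f1.period_us)]
    w2 = [(o2 + k * f2.period_us, o2 + k * f2.period_us + f2.duration_us)
          for k in range(span // f2.period_us)]
    return any(s1 < e2 and s2 < e1 for s1, e1 in w1 for s2, e2 in w2)


def synthesize(flows, fixed=None, step_us=50):
    """Assign each flow the first collision-free offset within its bound.

    Offsets in `fixed` (an already integrated schedule) are never moved;
    every name in `fixed` must also appear in `flows`.
    """
    by_name = {f.name: f for f in flows}
    schedule = dict(fixed or {})
    for flow in sorted(flows, key=lambda f: (f.period_us, f.name)):
        if flow.name in schedule:
            continue
        # The frame must also finish inside its own period.
        latest = min(flow.max_offset_us, flow.period_us - flow.duration_us)
        for offset in range(0, latest + 1, step_us):
            if not any(collide(flow, offset, by_name[n], o)
                       for n, o in schedule.items()):
                schedule[flow.name] = offset
                break
        else:
            raise ValueError(f"no slot for {flow.name} within its latency bound")
    return schedule


def verify(flows, schedule):
    """Check every bound and every pair of reservations independently."""
    for f in flows:
        o = schedule[f.name]
        if o > f.max_offset_us or o + f.duration_us > f.period_us:
            return False
    return not any(collide(a, schedule[a.name], b, schedule[b.name])
                   for i, a in enumerate(flows) for b in flows[i + 1:])


# Constructed sample traffic (not taken from the paper).
BASELINE = [
    Flow("fcu_cmd", 1000, 100, 200),
    Flow("psmu_tm", 2000, 150, 500),
    Flow("ecu_status", 4000, 200, 1000),
]
UPGRADE = Flow("fadec_ctl", 1000, 100, 600)


def integrate_then_upgrade():
    """Schedule the baseline, then add one flow without moving the others."""
    base = synthesize(BASELINE)
    upgraded = synthesize(BASELINE + [UPGRADE], fixed=base)
    return base, upgraded


if __name__ == "__main__":
    base, upgraded = integrate_then_upgrade()
    print("baseline:", base)
    print("upgraded:", upgraded)
```

A flow whose bound cannot be met is rejected at configuration time with a `ValueError`, rather than surfacing later as a latency change for traffic that was already integrated.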
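The layering described under "Radiation Tolerance and Reliability" (TMR inside each state machine, a dual-core lock-step comparison across the two cores, fail-silent behavior and diagnostic registers) can be modelled in a few lines. This is an added, simplified software model, not the ASIC's logic or TTTech code; the class names, the 8-bit state word and the counter state machine are assumptions made for the example.

```python
"""TMR voting inside each lane, lock-step comparison across lanes (simplified model)."""


class TmrRegister:
    """Three copies of a state word behind a bitwise majority voter."""

    def __init__(self, value, width=8):
        self.mask = (1 << width) - 1
        self.copies = [value & self.mask] * 3
        self.disagreements = 0  # diagnostic: reads where a copy differed from the vote

    def write(self, value):
        self.copies = [value & self.mask] * 3

    def inject_upset(self, copy, bit):
        """Flip one bit in one copy (models a single-event upset)."""
        self.copies[copy] ^= 1 << bit

    def read(self):
        a, b, c = self.copies
        voted = (a & b) | (a & c) | (b & c)  # per-bit 2-of-3 majority
        if self.copies != [voted] * 3:
            self.disagreements += 1
            self.copies = [voted] * 3        # scrub all copies back to the vote
        return voted


class LockstepPair:
    """COM and MON lanes; output is released only while both lanes agree."""

    def __init__(self, initial_state=0):
        self.com = TmrRegister(initial_state)
        self.mon = TmrRegister(initial_state)
        self.silent = False
        self.mismatches = 0  # diagnostic: lock-step comparator trips

    def step(self, next_state):
        """Advance one cycle; return the new state, or None once fail-silent."""
        if self.silent:
            return None
        s_com, s_mon = self.com.read(), self.mon.read()
        if s_com != s_mon:
            # The voter in one lane was outvoted by corrupted copies:
            # stop driving outputs instead of forwarding a wrong value.
            self.silent = True
            self.mismatches += 1
            return None
        new = next_state(s_com) & self.com.mask
        self.com.write(new)
        self.mon.write(new)
        return new


def run_scenario():
    """Constructed fault sequence: one masked upset, then a double upset."""
    pair = LockstepPair(0)
    count = lambda s: s + 1
    outputs = [pair.step(count)]   # fault-free cycle
    pair.com.inject_upset(0, 3)    # single upset: masked by the TMR voter
    outputs.append(pair.step(count))
    pair.mon.inject_upset(0, 2)    # two copies hit in the same lane:
    pair.mon.inject_upset(1, 2)    # the voter alone would now be wrong
    outputs.append(pair.step(count))
    outputs.append(pair.step(count))
    return outputs, pair


if __name__ == "__main__":
    outputs, pair = run_scenario()
    print(outputs, pair.com.disagreements, pair.mon.disagreements, pair.mismatches)
```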