DOCSLIB.ORG

A Framework for Model-Based Testing of Integrated Modular Avionics

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
A Framework for Model-Based Testing of Integrated Modular Avionics A Framework for Model-based Testing of Integrated Modular Avionics Dissertation zur Erlangung des Doktorgrades der Ingenieurwissenschaften (Dr.-Ing.) vorgelegt von Christof Efkemann Fachbereich 3 Informatik/Mathematik AFramework for Model-based Testing of Integrated Modular Avionics Dissertation zur Erlangung des Doktorgrades der Ingenieurwissenschaften (Dr.-Ing.) vorgelegt von Christof Efkemann im Fachbereich 3 (Informatik/Mathematik) der Universität Bremen im August 2014 Revision 205. Typeset with X LE ATEX in Adobe Garamond Pro. Eingereicht am 06. August 2014 Gutachter: Prof. Dr. Jan Peleska (Universität Bremen) Prof. Dr. Anne E. Haxthausen (Technical University of Denmark) 5 Erklärung Die vorliegende Dissertation wurde ohne fremde Hilfe angefertigt. Es wur- den keine anderen als die angegebenen Quellen und Hilfsmittel benutzt. Al- le Stellen, die wörtlich aus Veröffentlichungen entnommen wurden, sind als solche kenntlich gemacht. Datum Unterschrift 7 Zusammenfassung In modernen Flugzeugen basiert das Design der Elektronik und der Steue- rungssysteme auf dem Konzept der Integrierten Modularen Avionik (IMA). Obwohl dies diverse Vorteile mit sich bringt (Gewichtsreduktion, niedrige- rer Strom- und Treibstoffverbrauch, geringere Entwicklungs- und Zertifizie- rungskosten und -aufwände), stellt die IMA-Plattform eine zusätzliche Kom- plexitätsebene dar. Aufgrund der sicherheitskritischen Eigenschaften vieler Avionikfunktio- nen sind sorgfältige und akkurate Verifikation und Tests dieser Systeme zwin- gend erforderlich. Diese Dissertation beschreibt Forschungsergebnisse bezüglich des mo- dellbasierten Testens von IMA-Systemen, welche zum Teil im Rahmen des europäischen Forschungsprojekts SCARLETT erzielt wurden. Die Arbeit be- schreibt ein vollständiges Rahmenwerk, welches es einem IMA-Domänen- experten ermöglicht, modellbasierte Tests auf Modul-, Konfigurations- so- wie Anwendungsebene zu entwerfen und in einer standardisierten Testum- gebung auszuführen. Der erste Teil dieser Arbeit bietet Hintergrundinformationen zu den ihr zugrunde liegenden Themen: dem IMA-Konzept, domänenspezifischen Spra- chen, modellbasiertem Testen und dem TTCN-3-Standard. Im zweiten Teil werden das Rahmenwerk der IMA-Testmodellierungssprache (ITML) und dazugehörige Komponenten eingeführt. Es wird eine hierfür maßgeschnei- derte TTCN-3-Testumgebungmit passenden Adaptern und Codecs beschrie- ben. Basierend auf MetaEdit+ und dem Meta-Metamodell GOPPRR werden die drei Varianten der domänenspezifischen Sprache ITML definiert, jeweils mit abstrakter und konkreter Syntax sowie statischer und dynamischer Se- mantik. Die Generierung von Testprozeduren aus ITML-Modellen wird im Detail erklärt. Darüber hinaus werden das Design und die Entwicklung ei- nes universellen Testagenten beschrieben. Zur Steuerung des Agenten wird ein dediziertes Kommunikationsprotokoll definiert. Für den dritten Teil dieser Arbeit wurde eine Evaluation des Rahmen- werks durchgeführt. Es werden Einsatzszenarien im SCARLETT-Projekt be- schrieben und Vergleiche zwischen ITML und verwandten Werkzeugen und Ansätzen gezogen. Außerdem wird auf die Vorteile der Benutzung des ITML- Rahmenwerks durch IMA-Domänenexperten eingegangen. Der letzte Teil bietet eine Reihe von ITML-Beispielmodellen. Er enthält darüber hinaus Referenzmaterial, u. a. XML-Schemata, Quellcode des Rah- menwerks und Modellvalidatoren. 9 Abstract In modern aircraft, electronics and control systems are designed based on the Integrated Modular Avionics (IMA) system architecture. While this has nu- merous advantages (reduction of weight, reduced power and fuel consump- tion, reduction of development cost and certification effort), the IMA plat- form also adds an additional layer of complexity. Due to the safety-critical nature of many avionics functions careful and accurate verification and testing are imperative. This thesis describes results achieved from research on model-based test- ing of IMA systems, in part obtained during the European research project SCARLETT. It presents a complete framework which enables IMA domain experts to design and run model-based tests on bare module, configured mod- ule, and application level in a standardised test environment. The first part of this thesis provides background information on therele- vant topics: the IMA concept, domain-specific languages, model-based test- ing, and the TTCN-3 standard. The second part introduces the IMA Test Modelling Language (ITML) framework and its components. It describes a tailored TTCN-3 test environment with appropriate adapters and codecs. Based on MetaEdit+ and its meta-metamodel GOPPRR, it defines the three variants of the domain-specific language ITML, each with its abstract and concrete syntax as well as static and dynamic semantics. The process of test procedure generation from ITML models is explained in detail. Further- more, the design and implementation of a universal Test Agent is shown. A dedicated communication protocol for controlling the agent is defined as well. The third part provides an evaluation of the framework. It shows usage scenarios in the SCARLETT project, gives a comparison to related tools and approaches, and explains the advantages of using the ITML framework for an IMA domain expert. The final part presents several example ITML models. It also provides reference material like XML schemata, framework source code, and model validators. 11 Acknowledgements Writing this thesis would not have been possible if it weren’t for the support of a number of people. First of all, I would like to thank my advisor, Jan Peleska, for giving me the opportunity to work in his research group at the University of Bremen. Second, I am very grateful to have had the opportu- nity of being a part of the European research project SCARLETT. I enjoyed these three and a half years of my life, working with such a vast group of in- teresting and skilled people from all across Europe. Two people I would like to thank in particular: Florian Bommer for his strenuous efforts to make the I/O-intensive demonstration a success, and Arne Graepel for his very helpful support with the TTCN-3 test environment. I would also like to thank my kind colleagues, both at the university as well as at Verified Systems. I very much enjoyed the pleasant working atmosphere and their constructive support. In particular, I would like to thank Uwe Schulze and Helge Löding for sharing their invaluable expertise on model-based testing and rtt-tcgen. Not unmentioned shall go my two proofreaders: Oliver Meyer and Kai Thomsen. Thanks to their labour many a typo or inaccuracy could beelimi- nated—any remaining are entirely my own fault. And last, but by no means least, I would like to thank my family and my friends for their love, their trust, and for believing in me. 13 Contents Contents 15 List of Figures 19 List of Tables 21 1 Introduction 23 1.1 Goals .............................. 24 1.2 Main Contribution ...................... 24 1.3 Related Work .......................... 25 1.4 Outline of this Document . 25 Part I: Background 2 Integrated Modular Avionics 29 2.1 AFDX .............................. 30 2.2 ARINC 653 .......................... 31 2.2.1 Partitioning ...................... 32 2.2.2 Communication ................... 33 2.2.3 Initialisation ..................... 34 2.3 Module Configuration .................... 34 2.4 Testing IMA Systems ..................... 36 2.5 Research Project SCARLETT . 36 3 Domain-specific Languages 39 3.1 Domain-specific Modelling . 40 3.2 MetaEdit+ ........................... 41 3.2.1 GOPPRR ....................... 42 3.2.2 Metamodelling .................... 42 3.2.3 Modelling ....................... 43 3.2.4 Generators ...................... 45 4 Model-based Testing 49 15 CONTENTS 5 TTCN-3 53 5.1 Language Syntax ........................ 54 5.2 Components and Concurrency . 56 5.3 Communication ........................ 57 5.4 Runtime Architecture ..................... 59 Part II: Framework Architecture 6 Test Case Generation and Execution Process 63 7 Test Agent 65 7.1 Test Agent Control Protocol . 66 7.1.1 Layer 1 ........................ 67 7.1.2 Layer 2 ........................ 68 7.1.3 Coding Example ................... 72 7.2 Runtime Behaviour ...................... 73 7.2.1 Initialisation ..................... 73 7.2.2 Sequence Number Initialisation . 74 7.2.3 Main Loop ...................... 74 7.2.4 Protocol Handling . 75 7.3 Wireshark TACP Dissector . 76 8 TTCN-3 Environment 79 8.1 Proxy SA ............................ 80 8.2 TACP SA ............................ 81 8.3 TACP Protocol Handling ................... 83 8.4 Test Procedures ......................... 84 9 IMA Test Modelling Language 85 9.1 Domain Analysis ........................ 85 9.1.1 Bare Module Testing: Configuration . 86 9.1.2 Bare Module Testing: Behaviour . 90 9.1.3 Bare Module Testing: Test Suite . 97 9.1.4 Configured Module Testing . 98 9.1.5 Hardware/Software Integration Testing . 98 9.1.6 Design Considerations . 106 9.2 ITML-B: Bare Module Testing . 107 9.2.1 Configuration . 108 9.2.2 Behaviour . 110 9.2.3 Test Suite . 115 9.2.4 Dynamic Semantics . 116 9.3 ITML-C: Configured Module Testing . 124 9.3.1 Behaviour . 124 9.3.2 Test Suite . 124 16 CONTENTS 9.3.3 Dynamic Semantics . 125 9.4 ITML-A: Hardware/Software Integration Testing . 125 9.4.1 System Diagram . 125 9.4.2 Component Diagram . 128 9.4.3 Statechart . 130 9.4.4 Dynamic Semantics . 132 10 Test Generation 135 10.1 MERL Intermediate Format Generators . 135 10.2 Generation of ITML-B and ITML-C Tests .
Load more

Recommended publications
  • Software Model Checking of ARINC-653 Flight Code with MCP Sarah J
    Software Model Checking of ARINC-653 Flight Code with MCP Sarah J. Thompson Guillaume Brat SGT Inc., NASA Ames Research Center CMU, NASA Ames Research Center MS269-1, Moffett Field, California MS-269-1, Moffett Field, California [email protected] [email protected] Arnaud Venet SGT Inc., NASA Ames Research Center MS269-1, Moffett Field, California [email protected] Abstract The ARINC-653 standard defines a common interface for Integrated Modular Avionics (IMA) code. In particular, ARINC-653 Part 1 specifies a process- and partition-management API that is analogous to POSIX threads, but with certain extensions and restrictions intended to support the implementation of high reliability flight code. MCP is a software model checker, developed at NASA Ames, that provides capabilities for model checking C and C++ source code. In this paper, we present recent work aimed at implementing extensions to MCP that support ARINC-653, and we discuss the challenges and opportunities that consequentially arise. Providing support for ARINC-653’s time and space partitioning is nontrivial, though there are implicit benefits for partial order reduction possible as a consequence of the API’s strict interprocess communication policy. 1 Introduction NASA missions are becoming increasingly complex, and, more and more of this complexity is imple- mented in software. In 1977, the flight software for the Voyager mission amounted to only 3000 lines. Twenty years later, the software for Cassini had grown by a factor of ten, and more strikingly, the soft- ware for the Mars Path Finder mission amounted to 160 KLOCs (thousands of lines of code).
    [Show full text]
  • Communications for Integrated Modular Avionics
    Communications for Integrated Modular Avionics Richard L. Alena [email protected] John P. Ossenfort IV, SAIC Kenneth I. Laws, QSS Andre Goforth NASA Ames Research Center Moffett Field, CA 94035 Fernando Figueroa, NASA Stennis Space Center TABLE OF CONTENTS Abstract—The aerospace industry has been adopting avionics architectures to take advantage of advances in computer engineering. Integrated Modular Avionics (IMA), 1. INTRODUCTION ..................................................... 1 as described in ARINC 653, distributes functional modules 2. INTEGRATED MODULAR AVIONICS...................... 2 into a robust configuration interconnected with a “virtual 3. NETWORKS FOR AEROSPACE ............................... 4 backplane” data communications network. Each avionics 4. MISSION COMPUTER DESIGN............................... 8 module’s function is defined in software compliant with the 5. LAB EVALUATION............................................... 12 APEX Application Program Interface. The Avionics Full- 6. CONCLUSIONS..................................................... 16 Duplex Ethernet (AFDX) network replaces the point-to- REFERENCES........................................................... 17 point connections used in previous distributed systems with BIOGRAPHY ............................................................ 18 “virtual links”. This network creates a command and data path between avionics modules with the software and 1. INTRODUCTION network defining the active virtual links over an integrated physical network.
    [Show full text]
  • Avionics Applications on a Time-Predictable Chip-Multiprocessor
    Avionics Applications on a Time-predictable Chip-Multiprocessor Andre´ Rocha and Claudio´ Silva Rasmus Bo Sørensen, Jens Sparsø, and Martin Schoeberl GMV Department of Applied Mathematics and Computer Science Lisbon, Portugal Technical University of Denmark Email: [andre.rocha, claudio.silva]@gmv.com Email: [rboso, jspa, masca]@dtu.dk Abstract—Avionics applications need to be certified for The demonstrators were ported to the T-CREST platform the highest criticality standard. This certification includes using its compiler tool-chain and analysis tools. The demon- schedulability analysis and worst-case execution time (WCET) strators validate the T-CREST platform. Part of the exercise, analysis. WCET analysis is only possible when the software is written to be WCET analyzable and when the platform is however, is to evaluate the added value of the platform. The time-predictable. In this paper we present prototype avionics platform shall enable application developers to determine the applications that have been ported to the time-predictable WCET of their applications more precisely or more easily. T-CREST platform. The applications are WCET analyzable, Therefore, we compare the T-CREST platform with a well- and T-CREST is supported by the aiT WCET analyzer. This established platform in the avionics domain. combination allows us to provide WCET bounds of avionic tasks, even when executing on a multicore processor. The T-CREST platform was evaluated with the aid of the following three real-world avionic applications: (1) an Airlines Operational Centre (AOC), (2) a Crew Alerting I. INTRODUCTION System (CAS), and (3) an I/O Partition (IOP). We chose The mission of the T-CREST project [1], [2] is to develop T-CREST as platform for avionics applications as this is and build a multicore processor that is time-predictable and currently the only multicore processor where static WCET easy to analyze for the worst-case execution time (WCET).
    [Show full text]
  • WIND RIVER Vxworks 653 PLATFORM 2.4 and 2.5
    WIND RIVER VxWORKS 653 PLATFORM 2.4 AND 2.5 TABLE OF CONTENTS RTCA DO-178C Certification Evidence .......................................... 2 VxWorks 653 Platform Benefits ................................................. 2 VxWorks 653 Runtime Components ............................................ 3 VxWorks 653 Module OS ................................................... 4 Partition Management ..................................................... 4 Partition Scheduling ....................................................... 4 Partition Operating System ................................................. 4 COIL .................................................................... 5 APEX Application Support .................................................. 5 FACE Technical Reference 2.0 and 2.1 Support ................................ 5 Inter-partition Communication ............................................... 6 Intra-partition Communication ............................................... 6 Health Monitor ........................................................... 6 Wind River Workbench ..................................................... 7 Included Runtime Products .................................................. 12 Wind River DO-178C Network Stack ......................................... 12 Wind River Highly Reliable File System ....................................... 12 Technical Specifications ..................................................... 12 Supported Target Architectures ...........................................
    [Show full text]
  • Towards a Real-Time Component Framework for Software Health Management
    Institute for Software Integrated Systems Vanderbilt University Nashville, Tennessee, 37203 Towards a Real-time Component Framework for Software Health Management Abhishek Dubey , Gabor Karsai , Robert Kereskenyi , Nagabhushan Mahadevan TECHNICAL REPORT ISIS-09-111 November, 2009 Towards a Real-time Component Framework for Software Health Management Abhishek Dubey Gabor Karsai Robert Kereskenyi Nagabhushan Mahadevan Institute for Software Integrated Systems, Vanderbilt University, Nashville, TN 37203, USA Abstract— The complexity of software in systems like aerospace industry, that deals with detecting anomalies, di- aerospace vehicles has reached the point where new techniques agnosing failure sources, and prognosticating future failures are needed to ensure system dependability. Such techniques in complex systems, like aerospace vehicles. While System include a novel direction called ‘Software Health Management’ (SHM) that extends classic software fault tolerance with tech- Health Management has been developed for physical (hard- niques borrowed from System Health Management. In this ware) systems, it provides interesting systems engineering paper the initial steps towards building a SHM approach are techniques for other fields like embedded software systems. described that combine component-based software construction The use of System Health Management techniques for with hard real-time operating system platforms. Specifically, embedded software systems points beyond the capabilities the paper discusses how the CORBA Component Model could be combined with the ARINC-653 platform services and the provided by the SFT techniques and can potentially in- lessons learned from this experiment. The results point towards crease a system’s dependability. This new direction is called both extending the CCM as well as revising the ARINC-653. Software Health Management (SHM) [4].
    [Show full text]
  • ARINC-653 Inter-Partition Communications and the Ravenscar Profile
    ARINC-653 Inter-partition Communications and the Ravenscar Profile Jorge Garrido Juan Zamorano Juan A. de la Puente Abstract The ARINC-653 standard is often used to build mixed-criticality systems, using a partitioned archi­ tecture. Inter-partition communication is carried out by means of a message-passing mechanism based on ports. The standard includes an API for Ada, but the implementation semantics of operation ports is not fully defined. Furthermore, the API was defined for the Ada 95 standard, and therefore does not take into account the enhancements to the real-time features of the language that have been incorporated in the 2005 and 2013 standards, most notably the Ravenscar profile. This paper is aimed at clarifying the implementation of ARINC communication ports in Ada and the Ravenscar profile. ARINC communi­ cation ports are analysed, and their compatibility with the Ravenscar profile is assessed. A new API that can be used with the profile is defined, and a pilot implementation is introduced. 1 Introduction Partitioning is a convenient approach for developing mixed-criticality systems on a single hardware plat­ form. Under this approach, a system is divided into a set of logical partitions, which are isolated from each other both in the temporal and spatial domains. Subsystems with different levels of criticaliry are allocated to different partitions, and failures in low-criticality components cannot propagate to high-criticality ones. Critical subsystems can thus be certified in isolation to the required level, provided that the partitioning ker­ nel is also certified to that level, but the validation of lower-criticality subsystems can be greatly simplified.
    [Show full text]
  • High-Assurance Separation Kernels: a Survey on Formal Methods
    1 High-Assurance Separation Kernels: A Survey on Formal Methods Yongwang Zhao, Beihang University, China David Sanan´ , Nanyang Technological University, Singapore Fuyuan Zhang, Nanyang Technological University, Singapore Yang Liu, Nanyang Technological University, Singapore Separation kernels provide temporal/spatial separation and controlled information flow to their hosted applications. They are introduced to decouple the analysis of applications in partitions from the analysis of the kernel itself. More than 20 implementations of separation kernels have been developed and widely applied in critical domains, e.g., avionics/aerospace, military/defense, and medical devices. Formal methods are mandated by the security/safety certification of separation kernels and have been carried out since this concept emerged. However, this field lacks a survey to systematically study, compare, and analyze related work. On the other hand, high-assurance separation kernels by formal methods still face big challenges. In this paper, an analytical framework is first proposed to clarify the functionalities, implementations, properties and stan- dards, and formal methods application of separation kernels. Based on the proposed analytical framework, a taxonomy is designed according to formal methods application, functionalities, and properties of separation kernels. Research works in the literature are then categorized and overviewed by the taxonomy. In accordance with the analytical framework, a compre- hensive analysis and discussion of related work are presented.
    [Show full text]
  • ARINC-653 Inter-Partition Communications and the Ravenscar Profile∗
    ARINC-653 Inter-partition Communications and the Ravenscar Profile∗ Jorge Garrido Juan Zamorano Juan A. de la Puente [email protected] jzamora@datsi.fi.upm.es [email protected] Universidad Politecnica´ de Madrid (UPM), Spain Abstract The ARINC-653 standard is often used to build mixed-criticality systems, using a partitioned archi- tecture. Inter-partition communication is carried out by means of a message-passing mechanism based on ports. The standard includes an API for Ada, but the implementation semantics of operation ports is not fully defined. Furthermore, the API was defined for the Ada 95 standard, and therefore does not take into account the enhancements to the real-time features of the language that have been incorporated in the 2005 and 2013 standards, most notably the Ravenscar profile. This paper is aimed at clarifying the implementation of ARINC communication ports in Ada and the Ravenscar profile. ARINC communi- cation ports are analysed, and their compatibility with the Ravenscar profile is assessed. A new API that can be used with the profile is defined, and a pilot implementation is introduced. 1 Introduction Partitioning is a convenient approach for developing mixed-criticality systems on a single hardware plat- form. Under this approach, a system is divided into a set of logical partitions, which are isolated from each other both in the temporal and spatial domains. Subsystems with different levels of criticality are allocated to different partitions, and failures in low-criticality components cannot propagate to high-criticality ones. Critical subsystems can thus be certified in isolation to the required level, provided that the partitioning ker- nel is also certified to that level, but the validation of lower-criticality subsystems can be greatly simplified.
    [Show full text]
  • And Space-Partitioned Architecture for the Next Generation of Space Vehicle Avionics
    Building a Time- and Space-Partitioned Architecture for the Next Generation of Space Vehicle Avionics Jos´e Rufino, Jo˜ao Craveiro, and Paulo Verissimo University of Lisbon, Faculty of Sciences, LaSIGE [email protected], [email protected], [email protected] Abstract. Future space systems require innovative computing system architectures, on account of their size, weight, power consumption, cost, safety and maintainability requisites. The AIR (ARINC 653 in Space Real-Time Operating System) architecture answers the interest of the space industry, especially the European Space Agency, in transitioning to the flexible and safe approach of having onboard functions of different criticalities share hardware resources, while being functionally separated in logical containers (partitions). Partitions are separated in the time and space domains. In this paper we present the evolution of the AIR architecture, from its initial ideas to the current state of the art. We describe the research we are currently performing on AIR, which aims to obtain an industrial-grade product for future space systems, and lay the foundations for further work. 1 Introduction Space systems of the future demand for innovative embedded computing system architectures, meeting requirements of different natures. These systems must obey to strict dependability and real-time requirements. Reduced size, weight and power consumption (SWaP), along with low wiring complexity, are also crucial requirements both for safety reasons and to decrease the overall cost of a mission. A modular approach to software enabling component reuse among the different space missions also benefits the cost factor. At the same time, such an approach allows independent validation and verification of components, thus easing the software certification process.
    [Show full text]
  • Model-Based Development of ARINC 653 Using UML and Sysml Andreas Korff, Atego – OMG RT Workshop, Paris, 18.04.2012
    Model-based development of ARINC 653 using UML and SysML Andreas Korff, Atego – OMG RT Workshop, Paris, 18.04.2012 © 2011 Atego. All Rights Reserved. 1 Agenda Motivation of Integrated Modular Systems Modelling Notation Standards UML and SysML Applying UML and SysML to IMS ARINC 653 Using Models to support ARINC 653 Conclusion © 2011 Atego. All Rights Reserved. 2 Motivation of Integrated Modular Systems Integrated Modular Systems (or IMA) aim to Minimize Life Cycle Costs Enhance Mission and Operational Performance Allow greater flexibility and re-use in Development and Maintenance Existing standards for IMS ARINC 653 – for implementing IMS concepts onto RTOSes Stanag 4626/EN 4660 – to de-couple Avionics HW and SW © 2011 Atego . All Rights Reserved. 3 Federated Architectures (shown with UML) Broad range of possible problems: Any failure effects everything Scheduling sensitive to any change Difficult to maintain: Obsolecence One change effects again everything Re-Use? © 2011 Atego. All Rights Reserved. 4 A closer Look on Federated Architectures On Closer inspection, logical ‘wrappers’ appear that perform specific functions. These can be interpreted as ‘layers’ in a Federated Architecture Physical Interface Layer Central Data Formatting Layer Controller Data Processing Layer © 2011 Atego. All Rights Reserved. 5 From Federated to a Layered Architecture In an IMS layered architecture each layer has a clearly defined responsibility, interface and is as important as each of the other layers Federated Architecture Stanag 4626/EN 4660 (ASAAC) {maps for logic} Data Processing Layer Application Layer {maps for scheduling} {maps} Data Formating Layer Operating System Layer Physical Interface Lacer Module Support Layer © 2011 Atego.
    [Show full text]
  • Studying on ARINC653 Partition Run-Time Scheduling and Simulation
    World Academy of Science, Engineering and Technology International Journal of Computer and Systems Engineering Vol:6, No:11, 2012 Studying on ARINC653 Partition Run-time Scheduling and Simulation Dongliang Wang, Jun Han, Dianfu Ma, and Xianqi Zhao generation respecting the requirement specification from the Abstract—Avionics software is safe-critical embedded software models, which greatly speeding the development of the system and its architecture is evolving from traditional federated architectures and assuring high reliability of such system. to Integrated Modular Avionics (IMA) to improve resource usability. And with the rapid development of aviation technology, ARINC 653 (Avionics Application Standard Software Interface) is a computer technology and microelectronics technology, modern software specification for space and time partitioning in Safety-critical avionics Real-time operating systems. Arinc653 uses two-level avionics architecture has gradually evolved from the traditional scheduling strategies, but current modeling tools only apply to simple federated architecture to the integrated modular avionics problems of Arinc653 two-level scheduling, which only contain time system structure (IMA)[4]. property. In avionics industry, we are always manually allocating IMA integrated all the subsystems on a common computer tasks and calculating the timing table of a real-time system to ensure platform, so as to greatly reuse various hardware resources. But it’s running as we design. In this paper we represent an automatically this potentially reduces the error control of functions. In order generating strategy which applies to the two scheduling problems with dependent constraints in Arinc653 partition run-time environment. It to introduce the error isolation as which in the federated provides the functionality of automatic generation from the task and architecture into IMA, the concept of partition is introduced in partition models to scheduling policy through allocating the tasks to [5].
    [Show full text]
  • IVV on Orions ARINC 653 Flight Software Architecture100913
    IV&V on Orion’s ARINC 653 Flight Software Architecture Adelbert Lagoy and Todd A. Gauer Agenda • ARINC 653/DO 178 background • Advantages to a 653 FSW architecture – Development – V&V – Maintenance • Available COTS 653 systems • The impact of the selection of a ARINC 653 approach on baseline documentation – Alignment and misalignment of ARINC 653 to NASA documentation • IV&V impacts from application of 653 approach – Architecture verification impacts – Requirements validation impacts – FSW code verification impacts – Potential recertification impacts • Other impacts (adverse impacts) – “overhead” from 653 – Static partition definitions – COTS OS opacity • Orion IV&V Experience ARINC 653/DO 178 background ARINC 653 • The Aeronautical Radio, Incorporated (ARINC) specification ARINC 653 is a software time and space partitioning standard for Real Time Operating Systems (RTOSs). • The ARINC 653 standard supports Integrated Modular Avionics (IMA) architecture allowing appropriate integration of avionics software of differing levels within a single hardware device. • ARINC 653 provides a level of fault protected operation. – Faults within a partition should not stop other partitions from executing. • Metaphor – ARINC 653 compliant system’s partitions are like “virtual flight computers” within the flight computer. Metaphor – ARINC 653 Conventional Monolithic System ARINC 653 System with 4 Partitions Memory Memory Time Time • ARINC 653 splits the available processor time and space into partitions (partitions do not need to be the same size). • When we talk “partition” in this discussion you can substitute “virtual flight computer” if that is helpful. ARINC 653/DO 178 background ARINC 653 • Each partition is assured of its allocated processing time and memory – Lockup, freeze, endless loop, overrun, etc within one partition will not prevent another partition from operating.
    [Show full text]