1
Safe Allocation of Avionics Shared Resources
Gérard Bel, Pierre Bieber, Frédéric Boniol, Charles Castel, Laurent Sagaspe
2
Overview
• Integrated Modular Avionics (IMA)
– Potential benefits and drawbacks
– Terrain Following/Terrain Avoidance Function
• IMA Resource Allocation Process
– Failure Propagation Modelling
– Safety Requirements Validation
– Independence Constraint Identification
– Allocation Constraint Solving
• Multi-domain Resource Allocation
– Real-Time Performances
– ElectroMagnetic Interference
3
Integrated Modular Avionics – 1/2
• Computing and communicating resources shared by several avionics applications
– Civil aircraft: B777, A380, B787, ...
• Standards: ARINC 664 (AFDX), ARINC 653 (real-time OS)
– Military aircraft: F22, Gripen, A400M, ...
• Standards: ASAAC
– Potential benefits
• Decreased aircraft weight, simplified maintenance, ...
– Potential drawbacks
• One shared-resource failure could lead to the failure of several applications
• Development is more complex as new teams participate in it
4
Integrated Modular Avionics – 2/2
• Resource Allocation Process (diagram, flattened)
– Actors: Application Designer, IMA team, Safety Analyst
– Application Designer asks the IMA team: "Can we implement these functions on the IMA architecture and enforce their requirements?"
– IMA team answers: "This is an allocation of resources to your functions such that their requirements are enforced"
– IMA team asks the Safety Analyst: "Can we implement these functions on this architecture and enforce these requirements?"
– Safety Analyst answers: "The functions can be implemented on the architecture and enforce their requirements provided that these allocation constraints are enforced"
– Safety Analyst's steps: Failure Propagation Model, Safety Requirement Validation, Independence Constraints Identification, Allocation Constraint Solving
5
Terrain Following/Terrain Avoidance
[Figure: TF/TA data-flow diagram]
– Equipment nodes: Radar, TFTAPanel, Navigation, RadioAltimeter, FlightControl
– Task nodes: VertAccelCmp, EmergencyClimbAlarmCmp, ConsolidatedRollCmp
– Data flows: TerrainInfo, SelHeight, Speed, VertSpeed, Altitude, Roll1, Roll2, VertAccel, EmergencyClimbAlarm, ConsolidatedRoll
• Computation of
– Vertical acceleration
– Climb alarm
– Consolidated roll angle
• Navigation in the vertical plane
6
Function and Architecture Description
[Figure: the same TF/TA data-flow diagram as on slide 5]
Terrain Following/Terrain Avoidance Function
• Tasks and data flows
• Attributes
– Worst-case transmission/execution time, period
– Failure mode, severity
– ...
Avionics architecture
• Interconnected resources
– Virtual communication and computing resources
– Real bus, switch, CPU, ...
– Zones and routes in the aircraft
7
Overview
• Integrated Modular Avionics (IMA)
– Potential benefits and drawbacks
– Terrain Following/Terrain Avoidance Function
• IMA Resource Allocation Process
– Failure Propagation Modelling
– Safety Requirements Validation
– Independence Constraint Identification
– Allocation Constraint Solving
• Multi-domain Resource Allocation
– Real-Time Performances
– ElectroMagnetic Interference
8
Failure Propagation Modeling in AltaRica
What is AltaRica?
• An AltaRica model is a set of interconnected nodes
• A node has 3 parts: variable declarations, transitions and assertions
Code:
node block
  flow A, R : bool : in;
       I : {ok, erroneous, lost} : in;
       O : {ok, erroneous, lost} : out;
  state S : {ok, erroneous, lost};
  event loss, error;
  trans S = ok |- loss -> S := lost;
        S = ok |- error -> S := erroneous;
  assert O = case { S = ok and R and A : I,
                    S = erroneous and R and A : erroneous,
                    else : lost };
  init S := ok;
  law extern <event loss> = «constant 1e-4»
             <event error> = «constant 1e-5»
edon
Drawing of the equivalent automaton:
– State S = ok: O = if (R and A) then I else lost
– Transition loss (constant 1e-4) from S = ok to S = lost: O = lost
– Transition error (constant 1e-5) from S = ok to S = erroneous: O = erroneous
9
Failure Propagation Model – 2/2
• The TF/TA model was built using predefined nodes from an AltaRica library
• OCAS tool (Dassault Système)
– Model edition
– Interactive simulation
– Safety tools
– Used for Falcon 7X certification
10
Safety Requirements – 1/2
• Qualitative safety requirement:
– "No single failure shall cause an undetected erroneous vertical acceleration"
• In the TF/TA model, an erroneous vertical acceleration is undetected if:
VertAccel.O = erroneous and ClimbAlarm = false
• We are interested in cases where it remains undetected during three consecutive time steps (X is the LTL "next" operator, F the "eventually" operator):
FC = (VertAccel.O = erroneous and ClimbAlarm = false)
and X (VertAccel.O = erroneous and ClimbAlarm = false)
and X X (VertAccel.O = erroneous and ClimbAlarm = false)
The TF/TA model should enforce:
(F FC) => at_least_2_failures
11
Safety Requirements - 2/2
• Safety assessment techniques
– OCAS fault-tree generation
• The fault tree can be exported to other tools (Simtree, Arbor, ...) to compute minimal cut sets and probabilities
– OCAS sequence generator
• Automatic generation of the sequences of failures that lead to the violation of safety requirements
• Limit on the number of failures to be considered
– Cadence Labs SMV model-checker
• Translation from AltaRica to SMV
• Requirement proved by the SMV model-checker, or counter-example generated
• Each technique has an application domain
– Fault-tree generation: static systems and instantaneous failure conditions
– Sequence generation: dynamic systems and instantaneous failure conditions
– Model-checking: dynamic systems and temporal failure conditions
12
Independence Assumptions 1/2
• Assumptions are needed to prove that the safety requirements hold
• The proof is split into two parts:
– Scenario search: F FC => Scenarios
– Assumptions: Independence_Assumptions => at_least_2_failures
• Scenarios:
(F VertAccCmp.fail_error & F ClAlarmCmp.fail_lost)
or (F Radar.fail_error & F ClAlarmCmp.fail_lost)
or ...
• Independence_Assumptions:
(F VertAccCmp.fail_error & F ClAlarmCmp.fail_lost) => at_least_2_failures
and (F Radar.fail_error & F ClAlarmCmp.fail_lost) => at_least_2_failures
and ...
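A runnable illustration of slides 8, 10 and 12, added here as an example and not the authors' AltaRica model or OCAS output: a Python node with the same state/event/assertion structure as the block node, a deliberately simplified TF/TA chain (the Radar → VertAccCmp → VertAccel path and a ClimbAlarm monitor comparing VertAccel with the RadioAltimeter's Altitude are assumptions, not the paper's model), the FC condition over three consecutive steps, and a bounded sequence search that lists the minimal failure combinations violating (F FC) => at_least_2_failures.

```python
from itertools import combinations, product

OK, ERR, LOST = "ok", "erroneous", "lost"


class Block:
    """Python counterpart of the slide-8 node: state S in {ok, erroneous, lost},
    events loss/error enabled only when S = ok, and the assertion
    O = case{S=ok and R and A: I, S=erroneous and R and A: erroneous, else: lost}."""

    def __init__(self, name):
        self.name, self.state = name, OK

    def fire(self, event):
        if self.state != OK:                       # guard S = ok on both transitions
            return False
        self.state = {"loss": LOST, "error": ERR}[event]
        return True

    def output(self, i, r=True, a=True):
        if self.state == OK and r and a:
            return i
        if self.state == ERR and r and a:
            return ERR
        return LOST


class TFTA:
    """Assumed simplification of the TF/TA function (not the paper's model):
    Radar -> VertAccCmp -> VertAccel, and ClAlarmCmp comparing VertAccel with
    the RadioAltimeter's Altitude; any disagreement raises ClimbAlarm."""
    COMPONENTS = ("Radar", "RadioAltimeter", "VertAccCmp", "ClAlarmCmp")

    def __init__(self):
        self.nodes = {n: Block(n) for n in self.COMPONENTS}

    def step(self, events=()):
        """Fire the events scheduled for this step, then evaluate the data flows.
        Returns True when the slide-10 'undetected' condition holds this step."""
        for comp, ev in events:
            self.nodes[comp].fire(ev)
        n = self.nodes
        terrain_info = n["Radar"].output(OK)
        vert_accel = n["VertAccCmp"].output(terrain_info)
        altitude = n["RadioAltimeter"].output(OK)
        # assumed monitor: a healthy monitor alarms on a status discrepancy between
        # its two independent sources; a lost or erroneous monitor never alarms
        climb_alarm = n["ClAlarmCmp"].state == OK and vert_accel != altitude
        return vert_accel == ERR and not climb_alarm


def violates(scenario, window=3):
    """scenario maps a step index to the (component, event) pairs injected at that
    step.  True when the undetected condition holds for `window` consecutive steps,
    which is the FC of slide 10 written with X (next) operators."""
    horizon = max(scenario, default=0) + window
    model = TFTA()
    trace = [model.step(scenario.get(t, ())) for t in range(horizon)]
    return any(all(trace[t:t + window]) for t in range(horizon - window + 1))


def minimal_cut_sets(max_order=2):
    """Sequence-generator style search (slide 11): enumerate failure combinations
    up to max_order, one event per component, all injected at step 0 (failures
    are permanent), and keep the minimal ones that violate the requirement."""
    found = []
    for order in range(1, max_order + 1):
        for comps in combinations(TFTA.COMPONENTS, order):
            for evs in product(("loss", "error"), repeat=order):
                cut = frozenset(f"{c}.{e}" for c, e in zip(comps, evs))
                if any(m <= cut for m in found):
                    continue                       # a smaller cut set already covers it
                if violates({0: list(zip(comps, evs))}):
                    found.append(cut)
    return found


def single_failure_safe(max_order=2):
    """The slide-10 requirement (F FC) => at_least_2_failures holds on this model
    iff no order-1 cut set exists."""
    return all(len(cut) >= 2 for cut in minimal_cut_sets(max_order))


if __name__ == "__main__":
    for cut in minimal_cut_sets():
        print(sorted(cut))
    print("single-failure safe:", single_failure_safe())
```

On this simplified model every order-2 cut set pairs an erroneous vertical-acceleration source (Radar or VertAccCmp) with a defeated monitor (ClAlarmCmp lost or erroneous, or a RadioAltimeter that is erroneous in the same way), which is exactly the kind of pair the independence assumptions of slide 12 turn into segregation constraints.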
13
Independence Assumptions - 2/2
• Segregation constraints are extracted from the independence assumptions:
– Example: tasks VertAccCmp and ClAlarmCmp shall fail independently, so they shall not share computation resources.
– Example: data flows VerAcc and Alarm shall fail independently, so they shall not share communication resources.
• Alternative approach for the identification of segregation constraints: use safety architecture patterns, e.g. the Command and Monitor architecture
– Command channel: Navigation, Radar, TFTAPanel, VertAccelComp
– Monitor channel: RA, Navigation, Emergency
– Command and Monitor channels shall be segregated: "Navigation, Radar, TFTAPanel, VertAccelComp" and "RA, Navigation, Emergency" should fail independently.
14
Allocation Constraints
• Formalisation of allocation constraints as {0,1} linear inequalities
• Variables:
– allotc(task, cpu) : {0,1}
– allodb(data, bus) : {0,1}
– connected(cpu, bus) or connected(bus, cpu) : {0,1}
• Inequalities:
– Any task has to be allocated to one and only one CPU:
allotc(t, c1) + ... + allotc(t, cn) = 1
– Two independent tasks shall not be allocated to the same CPU:
allotc(t1, c) + allotc(t2, c) + indep(t1, t2) ≤ 2
i.e. allotc(t1, c) + allotc(t2, c) ≤ 1 whenever indep(t1, t2) = 1 (the same inequality is written with allodb for independent data flows and buses)
– A connection (C, B) is used if there exists a data flow D and its producing task T such that D is allocated to B and T is allocated to C.
• Criterion: minimise the number of used connections
15
Tool Support for Constraint Solving
• Generation of constraints
• Call to solvers (ILOG Solver, satzoo)
• Visualisation of allocations
[Screenshot of the allocation visualisation: Goal = 8]
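Slides 14 and 15 in executable form, added here as an example and not the authors' constraint generator or their ILOG/satzoo runs: the {0,1} variables allotc, allodb and connected, the one-and-only-one and segregation inequalities, and the connection-count criterion, solved by plain enumeration over a constructed instance (the task, data-flow, CPU and bus names and the independence pairs are assumptions). Python's itertools stands in for the ILP solver; the encoding is what a real solver would receive.

```python
from itertools import product

# Constructed instance (assumption, not the paper's data): TF/TA tasks, the data
# flows they produce, and the resources of a small IMA architecture.
TASKS = ("VertAccCmp", "ClAlarmCmp", "RollCmp")
CPUS = ("cpu1", "cpu2")
DATA = {"VertAcc": "VertAccCmp", "Alarm": "ClAlarmCmp"}   # data flow -> producing task
BUSES = ("bus1", "bus2")
# independence constraints of the kind extracted on slide 13 (assumed pairs)
INDEP_TASKS = [("VertAccCmp", "ClAlarmCmp")]
INDEP_DATA = [("VertAcc", "Alarm")]


def one_and_only_one(alloc, items, resources):
    """allotc(t,c1) + ... + allotc(t,cn) = 1 for every task (same for data/buses)."""
    return all(sum(alloc[(i, r)] for r in resources) == 1 for i in items)


def segregated(alloc, indep_pairs, resources):
    """allotc(t1,c) + allotc(t2,c) + indep(t1,t2) <= 2 for every resource c:
    when indep(t1,t2) = 1 at most one of the pair may sit on c."""
    return all(alloc[(a, r)] + alloc[(b, r)] + 1 <= 2
               for a, b in indep_pairs for r in resources)


def used_connections(allotc, allodb):
    """connected(cpu,bus) = 1 iff some data flow D on bus B is produced by a task on cpu C."""
    return {(c, b) for d, t in DATA.items() for c in CPUS for b in BUSES
            if allotc[(t, c)] and allodb[(d, b)]}


def feasible_allocations():
    """Every 0/1 valuation of allotc and allodb that satisfies all inequalities."""
    for tvals in product((0, 1), repeat=len(TASKS) * len(CPUS)):
        allotc = dict(zip(product(TASKS, CPUS), tvals))
        if not (one_and_only_one(allotc, TASKS, CPUS)
                and segregated(allotc, INDEP_TASKS, CPUS)):
            continue
        for dvals in product((0, 1), repeat=len(DATA) * len(BUSES)):
            allodb = dict(zip(product(DATA, BUSES), dvals))
            if (one_and_only_one(allodb, DATA, BUSES)
                    and segregated(allodb, INDEP_DATA, BUSES)):
                yield allotc, allodb


def solve():
    """Criterion of slide 14: minimise the number of used connections.
    Returns (connections, allotc, allodb), or None when no allocation is feasible."""
    best = None
    for allotc, allodb in feasible_allocations():
        n = len(used_connections(allotc, allodb))
        if best is None or n < best[0]:
            best = (n, allotc, allodb)
    return best


def as_table(alloc):
    """Visualisation helper: {item: resource} for the variables valued 1."""
    return {i: r for (i, r), v in alloc.items() if v}


if __name__ == "__main__":
    goal, allotc, allodb = solve()
    print("Goal =", goal, as_table(allotc), as_table(allodb))
```

Enumeration is only viable for toy sizes; the value of writing the constraints as predicates over 0/1 dictionaries is that each one maps directly onto a row of the ILP the slide describes, so the same encoding can be handed to a real solver when the instance grows.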
16
Overview
• Integrated Modular Avionics (IMA)
– Potential benefits and drawbacks
– Terrain Following/Terrain Avoidance Function
• IMA Resource Allocation Process
– Failure Propagation Modelling
– Safety Requirements Validation
– Independence Constraint Identification
– Allocation Constraint Solving
• Multi-domain Resource Allocation
– Real-Time Performances
– ElectroMagnetic Interference
17
Multi-Domain Resource Allocation
• Resource Allocation Process (diagram, flattened)
– Application Designer → IMA team: functions, requirements
– IMA team → Safety Analyst, Real-Time Engineer, EMI specialist: functions, requirements, architecture
– Safety Analyst, Real-Time Engineer, EMI specialist → IMA team: allocation constraints
– IMA team: Allocation Constraint Solving → allocation, returned to the Application Designer
18
Real-Time Performance Viewpoint
• Scheduling constraints are extracted:
– "Allocation of tasks to the resources shall not overload the resources"
– "Allocation of data flows to communication resources shall enforce end-to-end latencies"
• Schedulability analysis (holistic model, worst case), ILOG Solver
• Discrete event simulation (generalised model), Hyperformix
Tasks: execution delays for individual tasks (period enforcement) and for groups of tasks (end-to-end latency)
Resources: usage indicators
Schedulability analysis, example (Ci = worst-case execution time and Ti = period of task i):
Necessary condition: Σi Ci/Ti < 1
Sufficient condition for RMA: Σi Ci/Ti < 0.69
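The two conditions of slide 18 carried through on constructed task sets, added here as an example and not the authors' ILOG or Hyperformix models (task names and the C and T values are assumptions). The example goes one step beyond the slide: when the utilisation lies between the RMA bound and 1 neither condition decides, so the exact response-time test for rate-monotonic scheduling settles the case. The bound used is n(2^(1/n) - 1), which tends to ln 2, the 0.69 quoted on the slide.

```python
# Each task: (name, C = worst-case execution time, T = period, deadline = period),
# scheduled preemptively by rate-monotonic priority (shorter period = higher priority).
# Constructed task sets, assumptions rather than the paper's data.
CPU1 = [("VertAccCmp", 2, 5), ("ClAlarmCmp", 3, 10), ("RollCmp", 4, 20)]   # U = 0.90
OVERLOADED = [("A", 3, 5), ("B", 3, 10), ("C", 3, 20)]                     # U = 1.05
TIGHT = [("A", 2, 5), ("B", 2, 7), ("C", 3, 12)]                           # U ~ 0.94
LIGHT = [("A", 1, 10), ("B", 1, 20)]                                       # U = 0.15


def utilization(tasks):
    """Sum of Ci/Ti; the slide's necessary condition is that it stays below 1."""
    return sum(c / t for _, c, t in tasks)


def rma_bound(n):
    """Liu and Layland sufficient bound for n rate-monotonic tasks, n(2^(1/n) - 1);
    it decreases towards ln 2 ~ 0.69, the figure quoted on the slide."""
    return n * (2 ** (1 / n) - 1)


def response_time(tasks, i):
    """Worst-case response time of tasks[i] (tasks sorted by period) by the usual
    fixed-point iteration R = Ci + sum over higher-priority j of ceil(R/Tj) * Cj.
    Stops as soon as R exceeds the period, since the deadline is then missed."""
    _, c_i, t_i = tasks[i]
    higher = tasks[:i]
    r = c_i
    while True:
        r_next = c_i + sum(((r + t - 1) // t) * c for _, c, t in higher)
        if r_next == r or r_next > t_i:
            return r_next
        r = r_next


def schedulable(tasks):
    """Apply the slide's necessary and sufficient conditions first; when the
    utilisation falls between the RMA bound and 1 (U = 1 included), decide by
    response-time analysis.  Returns (verdict, reason)."""
    tasks = sorted(tasks, key=lambda task: task[2])
    u = utilization(tasks)
    if u > 1:                                    # necessary condition violated
        return False, f"resource overloaded: U = {u:.2f} > 1"
    if u <= rma_bound(len(tasks)):               # sufficient condition met
        return True, f"U = {u:.2f} within the RMA bound {rma_bound(len(tasks)):.2f}"
    for i, (name, _, t_i) in enumerate(tasks):   # exact test for the grey zone
        r = response_time(tasks, i)
        if r > t_i:
            return False, f"{name} misses its deadline: R = {r} > T = {t_i}"
    return True, "response-time analysis: every task meets its period"


if __name__ == "__main__":
    for label, ts in (("CPU1", CPU1), ("OVERLOADED", OVERLOADED),
                      ("TIGHT", TIGHT), ("LIGHT", LIGHT)):
        print(label, schedulable(ts))
```

TIGHT is the instructive case: its utilisation (about 0.94) passes the necessary condition and fails the sufficient one, and only the response-time iteration shows that task C's worst-case response (13) overruns its period (12), so an allocation that put these three tasks on one CPU would violate the "shall not overload" constraint even though the utilisation figure alone looks acceptable.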
19
ElectroMagnetic Interference Viewpoint
• Quantitative requirement:
– "The probability that data flow D is lost/erroneous due to electromagnetic perturbation is smaller than 10^-x"
• Placement and routing constraints are extracted:
– "Communication resource Bus1 should be routed in routes that have less than Y abstract EMI perturbation units"
• Abstract stochastic model of electromagnetic interference
--> computation of an additive measure of EMI perturbation for each zone and route
20
Conclusion
• The proposed approach is consistent with industrial practices
– New safety analyses are required for IMA design
– Allocation generation is not yet used in practice
• Further work
– The approach could also be applied to integrate several applications into a common avionics architecture
• Associate constraints with each application
– Model reuse
• Use libraries of components and patterns to limit the time/effort needed to produce viewpoint models
• Use standard modelling notations: COTRE, AADL, ...