Marc Gatti

Ensuring robust partitioning in multicore platforms for IMA systems

Robust partitioning enforcement is a mandatory requirement in IMA1 systems. In this paper, we refine this requirement in the context of multicore processors and discuss a strategy to ensure it. We focus on a scenario in which several ARINC 653 partitions hosted on the same platform are executed at the same time on different cores. When this scenario is deployed on modern COTS2 hardware, robust partitioning may be impaired by inter-core conflicts sequences. The issue with such a deployment strategy lies in the isolated parallel execution of several partitions. The approach presented here aims at identifying conditions that entail inter-core conflicts with a sufficient level of detail. This representation helps identifying robust partitioning failure causes. Such information is a first step towards an acceptation of true parallelism in partitioned systems, i.e. deployment on multicores.

Model driven early exploration of IMA execution platform

Nowadays the conception of avionics platform follows the Integrated Modular Avionics (IMA) concept. This concept specifies network architectures, composed of computing modules capable of hosting more than one application that communicates through the AFDX network. Thanks to IMA, the number of modules aboard is reduced, as their footprint in term of space and weight. But the complexity of the design, verification and certification processes for the execution platform (hardware and OS) increases, while time to market tends to decrease. Facing this growing complexity, platform design relies on model-based approaches to assist the refinement of system requirements and to proceed to early analysis. Current model-based approaches focus on software description and approximate hardware components characteristics by set of predefined properties corresponding to a general category of component, and interactions between components in terms of distribution over time. In this paper, we propose a modeling approach allowing describing with different levels of detail an execution platform and simulate it in order to retrieve dynamic performance at early phase of the development process, and test the compliancy between the proposed architecture and a given set of applications. Applications are considered as entry point, and we focus on the response of the platform services and hardware architecture to the applications stimuli. Our method relies on two standardized languages: AADL to model with high level of abstraction the complete platform, and SystemC to refine the description of the execution platform and simulate this latter. In this paper we present our approach, the two languages it relies on, and expose the mapping rules we defined to generate a SystemC model from the execution platform model described in AADL. We also present promising experimental results obtained on an avionic use-case.

Deterministic platform software for hard real-time systems using multi-core COTS

Future generations of avionic equipments are expected to embed multi-core processors. Using Components Off-The-Shelf (COTS) processors is considered both by the industrial and academic communities, as well as certification authorities. However, in the safety-critical domain, a common issue with COTS multi-core processors is their lack of predictability, directly linked to the difficulty to foresee and manage inter-core interferences due to shared hardware resources. A possible solution consists in defining a Usage Domain that constrains the use of shared resources down to a level for which interference situations are known and their impact on software execution time is acceptable. Nevertheless, COTS processors have not been designed to see their behavior restricted by such usage domains, and do not provide dedicated mechanisms for that purpose. Hence the usage domains are enforced by more complex mechanisms implemented in dedicated pieces of software running below the applicative level. We call them Deterministic Platform Software (DPS). The objective of this paper is to propose an overview of existing DPS solutions, and propose criteria leading to a uniform classification. Additionally, we propose a mapping of these solutions to a selection of avionic use cases.

A design approach for predictable and efficient multi-core processor for avionics

This paper presents design principles of a predictable and efficient multi-core system to meet embedded computers requirements in avionics. Multi-core processors are commonplace for massive data processing and personal use. Much of such systems have a number of features whose primary purpose is to improve performance. It results in the design of a set of hardware features which are difficult to analyze for certifiable avionic hard realtime applications. Such analysis is necessary because a fault in these applications could jeopardize the flight itself. Throughout a study of various academic and industrial works, we propose an approach to manage bottlenecks to meet avionic requirements in terms of partitioning, performance and predictability (determinism).

Model-based fault detection and isolation design for flight-critical actuators in a harsh environment

Safety-impact on flight-critical systems such as flight or engine control systems is a major concern for aircraft equipment designers in civil and military fields. Current avionic equipments related to safety-critical systems are able to detect trivial faults such as loss of power, short circuits, open circuits or threshold overflow. The occurrence of these faults in actuator control loops, if detected, triggers a fail-safe mode. So, although system availability is reduced, the required safety level can still be ensured. This paper emphasizes a design methodology of nonlinear model-based FDI1 algorithms applied to a Hybrid Stepper Motor (HSM). The proposed design methodology combines a nonlinear dynamic inversion and residual generation using standard continuous Kalman Filter. The proposed fault detection method is based on residual mean-checking analysis, where the parameters are tuned with Kriging method.

Model driven resource usage simulation for critical embedded systems

Facing a growing complexity, embedded systems design relies on model-based approaches to ease the exploration of a design space. A key aspect of such exploration is performance evaluation, mainly depending on usage of the hardware resources. In model-driven engineering, hardware resources usage is often approximated by static properties. In this paper, we propose an extensible modeling framework, to describe with different levels of detail the hardware resource usage. Our method relies on the AADL to describe the whole system, and SystemC to refine the execution platform description. In this paper we expose how we generate and compose SystemC models from the execution platform model described in AADL. We also present promising experimental results obtained on an avionics use-case.

A new modeling approach for IMA platform early validation

This past few years, avionics platform conception changed to integrated architecture, permitting one processor to host some applications, in order to reduce weight and space. But this method entails more complexity, especially in safety domain, while time to market tends to decrease, so new development processes are needed. Model-based approaches are now mature enough to design embedded critical systems and perform architecture exploration. In this paper we present a new modeling approach allowing avionics platform description and dynamic simulation. This method aim at dimensioning the architecture according to the applications it has to process, and to achieve early platform validation.

A software approach for managing shared resources in multicore IMA systems

Multicore processors are now considered as relevant candidates for the next generation of Integrated Modular Avionics (IMA) systems. One expected benefit of multicore introduction inside IMA platforms is an increase of the number of avionic applications hosted on a single platform. This can be achieved by deploying several ARINC 653 partitions simultaneously on different cores. However to be certifiable, such an architecture must fulfill many dependability requirements. In this paper we focus on the problem of Worst Case Execution Time (WCET) computation of embedded partitions under the Robust Partitioning constraint. Todays multicore processors internal features make those requirements fulfillment difficult to ensure on the platform for any set of hosted partitions. That comes from the difficulty to characterize with a satisfying confidence the processor behavior when several unknown applications use simultaneously shared hardware resources, such as the main memory. We present in this paper a generic software solution that constrains the use of shared resources to remain inside predefined usage domains for which the processor has a deterministic behavior. We illustrate this approach with a case study based on a COTS processor from the Freescale QorIQ series.

Dynamic inversion of a Flight Critical actuator for fault diagnosis

Flight-Critical Systems (FCS) integrate usually actuators such as Electro Mechanical Actuators (EMA) controlled by Electronic Engine Control Units (EECU) or Flight Control Units (FCU). They are designed and developed regarding drastic safety requirements. Material Redundancy is therefore a safe design but requires an important amount of space, weight and costs. In this paper, observer-based fault detection methods are applied to a hybrid stepper motor (HSM) nonlinear model. First, state estimations are processed with an Extended Kalman Filter (EKF). After showing that the model is differentially flat, a nonlinear dynamic inversion (NLDI) is applied to the model in order to find its equivalent linear system. A Standard Kalman Filter (SKF) is then applied for fault detection. Faults due to short-circuits in the stator windings are considered.

Mastering the behavior of multi-core systems to match avionics requirements

This paper presents design principles of a predictable and efficient multi-core system to meet embedded computers requirements in avionics throughout a study of previous works and experimental analysis. Multi-core processors are commonplace for massive data processing and personal use. Much of such systems have a number of features whose primary purpose is to improve performance. These architectures are composed of black boxes when avionics requires white boxes to demonstrate that they can match avionics constraints. Thats why we also propose an approach to manage bottlenecks in order to meet avionic requirements in terms of partitioning, performance and predictability (determinism).