Michaël Lauer

Analyzing end-to-end functional delays on an IMA platform

The Integrated Modular Avionics (IMA) platform is the latest generation of embedded architecture, in which functions share both the execution and communication resources. Functions execute in predefined time slots and communicate through an AFDX network. The purpose of the analysis presented is the verification of freshness requirements on the data exchanged between IMA applications. The two contributions of this paper are: (1) a modeling approach for IMA platforms based on networks of timed automata. For small models, it is possible to compute exact evaluation of temporal properties using symbolic reachability analysis, (2) the collaborative use of efficient methods for worst case traversal time (WCTT) computation on the AFDX network, which results are injected in the timed automata model to help the functional analysis.

Latency and freshness analysis on IMA systems

The Integrated Modular Avionics (IMA) architectures have been defined for sharing communication and computation resources. The aim of this paper is to evaluate latency and freshness properties of functions implemented on IMA platforms. The two contributions are : (1) a modeling approach for IMA platforms based on the tagged signal model and the abstraction of the network, (2) the definition of an evaluation method for these properties based on Integer Linear Programming (ILP). The industrial applicability of the method is showed on an Airbus A380-like platform. We propose a discussion on the significance of the over-approximations induced by the abstraction. This work is supported by the French National Research Agency within the Satrimmap project1.

Determinism Enhancement of AFDX Networks via Frame Insertion and Sub-Virtual Link Aggregation

Avionics Full Duplex Switched Ethernet (AFDX) is a standard proposed to implement deterministic networks by providing predictable performance guarantees. The determinism is enforced through the concept of Virtual Link, which defines a logical unidirectional connection between end systems. Although an upper bounded end-to-end delay can be obtained using analysis based on, e.g., network calculus, frame arrival uncertainty in destination End-System is a source of nondeterminism that introduces a problem with respect to real-time fault detection. In this paper, a mechanism based on frame insertion is proposed to enhance the determinism of frame arrival within AFDX networks. In order to mitigate network load increase due to frame insertion, a Sub-Virtual Link aggregation strategy, formulated as a multiobjective optimization problem, is introduced. In addition, a brute force algorithm, a greedy algorithm, and a greedy algorithm with preprocessing have been developed to find solutions to the optimization problem. Experiments are carried out and the obtained results confirm the validity and applicability of the developed approaches.

Engineering Adaptive Fault-Tolerance Mechanisms for Resilient Computing on ROS

Systems are expected to evolve during their service life in order to cope with changes of various natures, ranging from fluctuations in available resources to additional features requested by users. For dependable embedded systems, the challenge is even greater, as evolution must not impair dependability attributes. Resilient computing implies maintaining dependability properties when facing changes. Resilience encompasses several aspects, among which evolvability, i.e., the capacity of a system to evolve during its service life. In this paper, we discuss the evolution of systems with respect to their dependability mechanisms, and show how such mechanisms can evolve accordingly. From a component-based approach that enables to clarify the concepts, the process and the techniques to be used to address resilient computing, in particular regarding the adaptation of fault tolerance (or safety) mechanisms, we show how Adaptive Fault Tolerance (AFT) can be implemented with ROS. Beyond implementation, we draw the lessons learned from this work and discuss the limits of this runtime support to implement such resilient computing features in embedded systems.

Worst Case Temporal Consistency in Integrated Modular Avionics Systems

Integrated Modular Avionics (IMA) architectures have been defined for sharing communication and computation resources. The aim of this paper is to evaluate temporal consistency properties of functions implemented on IMA platforms. More specifically, the two contributions are : (1) a modeling approach for IMA platforms based on the tagged signal model and an abstraction of the network, (2) the definition of two evaluation methods for temporal consistency properties. The industrial applicability of the method is demonstrated on an Airbus A380-like platform. We also discuss the significance of the over-approximations induced by the network abstraction.

End-to-end latency and temporal consistency analysis in networked real-time systems

Critical embedded systems are often designed as a set of real-time tasks, running on shared computing modules, and communicating through networks. Because of their critical nature, such systems have to meet strict timing properties. To help the designers to prove the correctness of their system, the real-time systems community has developed numerous approaches for analysing the worst case scenarios either on the processors (e.g., worst case response time of a task) or on the networks (e.g., worst case traversal time of a message). These approaches provide results only for local components behaviours. However, there is a growing need for having a global view of the system, in order to determine end-to-end properties. Such a property applies to functional chains which describe the behaviour of sequences of tasks. We propose an approach to analyse worst case behaviour along functional chains in critical embedded systems. It is based on mixed integer linear programming (MILP) and is general in the sense that it can be applied to a variety of end-to-end properties. This paper focuses on two essential properties: end-to-end latency and temporal consistency. This work was supported by the French National Research Agency within the SATRIMMAP project.

Towards Adaptive Fault Tolerance on ROS for Advanced Driver Assistance Systems

The use of over-the-air updates has attracted very much interest these last few years with the software-intensive development of embedded systems in the car industry. The development of autonomous driving and ADAS (Advanced Driver Assistance Systems) renders over-the-air updates mandatory, for both user satisfaction and economic reasons. How to make sure that remote updates of critical ADAS do not have an impact on safety? This is the question we tackle in our work with a major car manufacturer. This paper is a progress report. We summarize our approach involving AFT (Adaptive Fault Tolerance) implemented on ROS (Robot Operating System), describe the simulation platform we have developed to experiment and validate over-the-air updates of ADAS and AFT, and finally draw some lessons learnt and perspectives.

Reliability Enhancement of Redundancy Management in AFDX Networks

Avionics Full Duplex Switched Ethernet is a safety critical network in which a redundancy management mechanism is employed to enhance the reliability of the network. However, as stated in the ARINC664-P7 standard, there still exists a potential problem, which may fail redundant transmissions due to sequence inversion in the redundant channels. In this paper, we explore this phenomenon and provide its mathematical analysis. It is revealed that the variable jitter and the transmission latency difference between two successive frames are the two main sources of sequence inversion. Thus, two methods are proposed and investigated to mitigate the effects of jitter pessimism, which can eliminate the potential risk. A case study is carried out and the obtained results confirm the validity and applicability of the developed approaches.