Assured Partitioning for FACE Systems

In this third blog post of the series, we focus on partitioning. Avionics system designers and integrators designing to the FACE standard under the safety, safety-extended, or security profiles must include an ARINC 653 partitioned operating environment in their architecture. System integrators need guidance on how to be successful with implementing partitioning while maintaining performance and achieving flight certification.

Benefits of Partitioning

In the commercial aerospace world, going back to the first days of Integrated Modular Avionics, it was recognized that partitioned systems could provide benefits in terms of both mixed-criticality systems and recertification of future systems (for updates and changes to applications).

The ARINC 653 standard was developed to define how to construct partitioned systems, which support hosting multiple applications at different design assurance levels on the same computing platform. For example, whereas the flight management system application and the flight navigation application might have been hosted on separate Line Replaceable Unit (LRU) computing hardware in the past, a modern processor is fast enough to host both applications, provided partitioning ensures they do not interference with one another’s functionality. Partitioning enforces modularity and provides portability through a standard API, as well as contains faults, thus easing integration and certification.

Partitioning Required but Not Assured

In Supplement 5 of ARINC 653 Part 1, the scope of the standard is well defined: "ARINC 653 is intended for use on a partitioned environment. To assure a high degree of portability, aspects of the partitioned environment are discussed and assumed. However, this specification does not define the complete system, hardware, and software requirements for partitioning, nor does it provide guidance on proper implementation of partitioning, and in particular, robust partitioning. It must not be construed that compliance to ARINC 653 assures robust partitioning."

FACE requires compliance with the ARINC 653 Part 1 standard. Thus, conformance to the FACE technical standard implies partitioning is provided, but robust partitioning is not assured. Further work, beyond simply meeting the FACE and ARINC 653 standards, is necessary to provide safety assurance evidence toward flight certification of such a system.

Assurance of Partitioning

Because ARINC 653 defines the interfaces and functionality of partitioning, but not the assurance, this lack of guidance for safety certification of Integrated Modular Avionics systems led to the development and creation of RTCA DO-297 (EUROCAE ED-124) “Integrated Modular Avionics (IMA) Development Guidance and Certification Considerations”, which sets out guidance on safety certification of IMA systems. This document introduced the concepts of roles and responsibilities such that you could allocate resources where needed and have clear guidelines on who does what to ensure compliance with the safety standards.

The standard states that “The IMA Platform should be capable of providing robust partitioning and other protection means that allow multiple applications to share a platform and its resources.” Further, it introduces the concept of Robust Partitioning which “will ensure that any hosted application or function has no unintended effect on other hosted applications or functions.” The standard includes a complete section (3.5) on robust partitioning and how to ensure it meets the requirements of an IMA system.

Time partitioning allows a unicore system to support multiple partitions, each hosting an independent application, as shown in the diagram below. A fixed schedule of partitions is repeated each major time frame (e.g., every 50 ms). Within the major time frame, each partition is scheduled within a minor frame that is a fixed offset from the start of the major frame. Time partitioning, also known as time slicing or multiplexing, ensures that only one partition is using the computing platform at a time.

Proving the correctness of time-partitioning even on a unicore is challenging. Although only one partition can run at a time with only a single core, partitions could still interfere with each other directly by causing unconstrained partition jitter, i.e., variation in the time for each partition scheduled time slot without a deterministic bound. The end of each minor time frame is enforced by the partitioned Operating System (OS), usually using an interrupt-based system timer that invokes the OS at the end of the minor time frame, allowing it to perform a partition switch. During this partition switch, the OS saves the state of the partition that is finishing its minor frame, then determines which partition should be run in the next minor frame, sets a new timer, and then begins execution of the new partition. If partitioning is sufficiently robust, then each partition runs independently, without knowledge of the other partitions or interference from them.

Partitions on single cores can also interfere with each other indirectly. For example, one partition could start an operation using a bus master other than the CPU, whose activity extends past the end of the partition’s scheduled time slot, and thus overlaps and possible contends with another partition’s activity. For example, in the architecture diagram below, each partition while running on the unicore during its minor time frame likely accesses main memory. Even though the other partitions might have data in some parts of that memory, because they are not running simultaneously, they do not interfere with each other. However, if Partition 1 starts a DMA access between locations in main memory, this has the potential to continue running past the end of the minor time frame for Partition1, potentially interfering with memory access by Partition2. This interference allows Partition1 to impact the performance of Partition2, thus robust partitioning has been lost. A well-designed partitioned OS will thus need to curtail all access by a partition to shared resources in the system, except within its assigned minor time frame.

Wrap-up

System designers and integrators need help to be successful in implementing partitioned avionics systems while maintaining performance and achieving flight certification. Assuring the safety of these systems can be challenging. Wind River and Rapita Systems can be your guide to success. Wind River provides operating system technology for robust ARINC 653 partitioning and the artifacts to support flight certification. Rapita provides timing analysis within an automated verification tool suite, which can provide the insights you need early in the project and the certification artifacts you need at the end of the project.

Wind River and Rapita Systems can help you build your FACE system with our “one-stop shopping” ecosystem, starting with the Wind River OSS and including the tools to test/integrate/certify systems based on the FACE Technical Standard, such as the Rapita Systems Verification Suite and CAST-32A Compliance Package.

Assuring partitioning on a unicore is challenging, but largely a solved problem. Assuring partitioning on a multicore system is much more difficult. This is the subject of our next blog, where we will look at the current guidance and some best practices for dealing with simultaneously running cores hosting mixed-criticality partitions.

Learn about the FACE standard and how to comply with it in our blog series:

Part 1: How the Operating System Segment fits into the FACE architecture 
Part 2: FACE Components - Interchangeable but not Equal 
Part 3: Assured Partitioning for FACE Systems (this post) 
Part 4: Assured Multicore Partitioning for FACE Systems 
Part 5: Leveraging FACE Conformance Artifacts to Support Airworthiness