Your browser does not support JavaScript! Skip to main content
Free 30-day trial Customer portal Careers DO-178C Handbook
 
Rapita Systems
 

Industry leading verification tools & services

Rapita Verification Suite (RVS)

  RapiTest - Unit/system testing   RapiCover - Structural coverage analysis   RapiTime - Timing analysis (inc. WCET)   RapiTask - Scheduling visualization   RapiCoverZero - Zero footprint coverage analysis   RapiTimeZero - Zero footprint timing analysis   RapiTaskZero - Zero footprint scheduling analysis

Multicore Verification

  MACH178  Multicore Timing Solution  RapiDaemons

Engineering Services

  V & V Services  Qualification  Training  Tool Integration  Support

Industries

  Aerospace (DO-178C)   Automotive (ISO 26262)   Space

Other

  RTBx   Mx-Suite   Software licensing   Product life cycle policy  RVS development roadmap

Latest from Rapita HQ

Latest news

RVS 3.18 Launched
Solid Sands partners with Rapita Systems
Danlaw Acquires Maspatechnologies - Expanding Rapita Systems to Spain
Rapita co-authored paper wins ERTS22 Best paper award
View News

Latest from the Rapita blog

Measuring response times and more with RapiTime
Why mitigating interference alone isn’t enough to verify timing performance for multicore DO-178C projects
There are how many sources of interference in a multicore system?
Supporting modern development methodologies for verification of safety-critical software
View Blog

Latest discovery pages

do178c DO-178C Guidance: Introduction to RTCA DO-178 certification
matlab_simulink MATLAB® Simulink® MCDC coverage and WCET analysis
code_coverage_ada Code coverage for Ada, C and C++
amc-20-193 AMC 20-193
View Discovery pages

Upcoming events

NAVAIR FACE & SOSA TIM and Expo
2023-09-12
DASC 2023
2023-10-01
HISC 2023
2023-10-17
Aerospace Tech Week Americas 2023
2023-11-14
View Events

Technical resources for industry professionals

Latest White papers

DO178C Handbook
Efficient Verification Through the DO-178C Life Cycle
A Commercial Solution for Safety-Critical Multicore Timing Analysis
Compliance with the Future Airborne Capability Environment (FACE) standard
View White papers

Latest Videos

Challenges of certifying multicore avionics in line with A(M)C 20-193 objectives - ATW Europe 2023
Streamlined software verification with RVS 3.18
Sequence analysis with RapiTime
Visualize call dependencies with RVS thumbnail
Visualize call dependencies with RVS
View Videos

Latest Case studies

Supporting ISO 26262 ASIL D software verification for EasyMile
RapiCover’s advanced features accelerate the certification of military UAV Engine Control
Front cover of whitepaper collins
Delivering world-class tool support to Collins Aerospace
View Case studies

Other Downloads

 Webinars

 Brochures

 Product briefs

 Technical notes

 Research projects

Discover Rapita

Who we are

The company menu

  • About us
  • Customers
  • Distributors
  • Locations
  • Partners
  • Research projects
  • Contact us

US office

+1 248-957-9801
info@rapitasystems.com
Rapita Systems, Inc.
41131 Vincenti Ct.
Novi
MI 48375
USA

UK office

+44 (0)1904 413945
info@rapitasystems.com
Rapita Systems Ltd.
Atlas House
Osbaldwick Link Road
York, YO10 3JB
UK

Spain office

+34 93 351 02 05
info@rapitasystems.com
Rapita Systems S.L.
Parc UPC, Edificio K2M
c/ Jordi Girona, 1-3
Barcelona 08034
Spain

Working at Rapita

Careers

Careers menu

  • Current opportunities & application process
  • Working at Rapita
Back to Top

Assured Partitioning for FACE Systems

Breadcrumb

  1. Home
  2. Blog
  3. Assured Partitioning for FACE Systems
Alex Wilson (Wind River) and Steven H. VanderLeest (Rapita)
2020-10-12

In this third blog post of the series, we focus on partitioning. Avionics system designers and integrators designing to the FACE standard under the safety, safety-extended, or security profiles must include an ARINC 653 partitioned operating environment in their architecture. System integrators need guidance on how to be successful with implementing partitioning while maintaining performance and achieving flight certification.

Benefits of Partitioning

In the commercial aerospace world, going back to the first days of Integrated Modular Avionics, it was recognized that partitioned systems could provide benefits in terms of both mixed-criticality systems and recertification of future systems (for updates and changes to applications).

The ARINC 653 standard was developed to define how to construct partitioned systems, which support hosting multiple applications at different design assurance levels on the same computing platform. For example, whereas the flight management system application and the flight navigation application might have been hosted on separate Line Replaceable Unit (LRU) computing hardware in the past, a modern processor is fast enough to host both applications, provided partitioning ensures they do not interference with one another’s functionality. Partitioning enforces modularity and provides portability through a standard API, as well as contains faults, thus easing integration and certification.

Partitioning Required but Not Assured

In Supplement 5 of ARINC 653 Part 1, the scope of the standard is well defined: "ARINC 653 is intended for use on a partitioned environment. To assure a high degree of portability, aspects of the partitioned environment are discussed and assumed. However, this specification does not define the complete system, hardware, and software requirements for partitioning, nor does it provide guidance on proper implementation of partitioning, and in particular, robust partitioning. It must not be construed that compliance to ARINC 653 assures robust partitioning."

FACE requires compliance with the ARINC 653 Part 1 standard. Thus, conformance to the FACE technical standard implies partitioning is provided, but robust partitioning is not assured. Further work, beyond simply meeting the FACE and ARINC 653 standards, is necessary to provide safety assurance evidence toward flight certification of such a system.

Assurance of Partitioning

Because ARINC 653 defines the interfaces and functionality of partitioning, but not the assurance, this lack of guidance for safety certification of Integrated Modular Avionics systems led to the development and creation of RTCA DO-297 (EUROCAE ED-124) “Integrated Modular Avionics (IMA) Development Guidance and Certification Considerations”, which sets out guidance on safety certification of IMA systems. This document introduced the concepts of roles and responsibilities such that you could allocate resources where needed and have clear guidelines on who does what to ensure compliance with the safety standards.

The standard states that “The IMA Platform should be capable of providing robust partitioning and other protection means that allow multiple applications to share a platform and its resources.” Further, it introduces the concept of Robust Partitioning which “will ensure that any hosted application or function has no unintended effect on other hosted applications or functions.” The standard includes a complete section (3.5) on robust partitioning and how to ensure it meets the requirements of an IMA system.

Time partitioning allows a unicore system to support multiple partitions, each hosting an independent application, as shown in the diagram below. A fixed schedule of partitions is repeated each major time frame (e.g., every 50 ms). Within the major time frame, each partition is scheduled within a minor frame that is a fixed offset from the start of the major frame. Time partitioning, also known as time slicing or multiplexing, ensures that only one partition is using the computing platform at a time.

Proving the correctness of time-partitioning even on a unicore is challenging. Although only one partition can run at a time with only a single core, partitions could still interfere with each other directly by causing unconstrained partition jitter, i.e., variation in the time for each partition scheduled time slot without a deterministic bound. The end of each minor time frame is enforced by the partitioned Operating System (OS), usually using an interrupt-based system timer that invokes the OS at the end of the minor time frame, allowing it to perform a partition switch. During this partition switch, the OS saves the state of the partition that is finishing its minor frame, then determines which partition should be run in the next minor frame, sets a new timer, and then begins execution of the new partition. If partitioning is sufficiently robust, then each partition runs independently, without knowledge of the other partitions or interference from them.

Partitions on single cores can also interfere with each other indirectly. For example, one partition could start an operation using a bus master other than the CPU, whose activity extends past the end of the partition’s scheduled time slot, and thus overlaps and possible contends with another partition’s activity. For example, in the architecture diagram below, each partition while running on the unicore during its minor time frame likely accesses main memory. Even though the other partitions might have data in some parts of that memory, because they are not running simultaneously, they do not interfere with each other. However, if Partition 1 starts a DMA access between locations in main memory, this has the potential to continue running past the end of the minor time frame for Partition1, potentially interfering with memory access by Partition2. This interference allows Partition1 to impact the performance of Partition2, thus robust partitioning has been lost. A well-designed partitioned OS will thus need to curtail all access by a partition to shared resources in the system, except within its assigned minor time frame.

Wrap-up

System designers and integrators need help to be successful in implementing partitioned avionics systems while maintaining performance and achieving flight certification. Assuring the safety of these systems can be challenging. Wind River and Rapita Systems can be your guide to success. Wind River provides operating system technology for robust ARINC 653 partitioning and the artifacts to support flight certification. Rapita provides timing analysis within an automated verification tool suite, which can provide the insights you need early in the project and the certification artifacts you need at the end of the project.

Wind River and Rapita Systems can help you build your FACE system with our “one-stop shopping” ecosystem, starting with the Wind River OSS and including the tools to test/integrate/certify systems based on the FACE Technical Standard, such as the Rapita Systems Verification Suite and CAST-32A Compliance Package.

Assuring partitioning on a unicore is challenging, but largely a solved problem. Assuring partitioning on a multicore system is much more difficult. This is the subject of our next blog, where we will look at the current guidance and some best practices for dealing with simultaneously running cores hosting mixed-criticality partitions.

Learn about the FACE standard and how to comply with it in our blog series:

Part 1: How the Operating System Segment fits into the FACE architecture
Part 2: FACE Components - Interchangeable but not Equal
Part 3: Assured Partitioning for FACE Systems (this post)
Part 4: Assured Multicore Partitioning for FACE Systems
Part 5: Leveraging FACE Conformance Artifacts to Support Airworthiness

DO-178C webinars

DO178C webinars

White papers

DO178C Handbook Efficient Verification Through the DO-178C Life Cycle
A Commercial Solution for Safety-Critical Multicore Timing Analysis
Compliance with the Future Airborne Capability Environment (FACE) standard
5 key factors to consider when selecting an embedded testing tool

Related blog posts

Leveraging FACE Conformance Artifacts to Support Airworthiness

.
2021-01-14

Assured Multicore Partitioning for FACE Systems

.
2020-11-10

FACE Components: Interchangeable but not Equal

.
2020-08-03

How the Operating System Segment fits into the FACE architecture

.
2020-07-17
  • Solutions
    • Rapita Verification Suite
    • RapiTest
    • RapiCover
    • RapiTime
    • RapiTask
    • MACH178

    • Verification and Validation Services
    • Qualification
    • Training
    • Integration
  • Latest
  • Latest menu

    • News
    • Blog
    • Events
    • Videos
  • Downloads
  • Downloads menu

    • Brochures
    • Webinars
    • White Papers
    • Case Studies
    • Product briefs
    • Technical notes
    • Software licensing
  • Company
  • Company menu

    • About Rapita
    • Careers
    • Customers
    • Distributors
    • Industries
    • Locations
    • Partners
    • Research projects
    • Contact
  • Discover
    • AMC 20-193
    • What is CAST-32A?
    • Multicore Timing Analysis
    • MC/DC Coverage
    • Code coverage for Ada, C & C++
    • Embedded Software Testing Tools
    • Aerospace Software Testing
    • Automotive Software Testing
    • Certifying eVTOL
    • DO-178C
    • WCET Tools
    • Worst Case Execution Time
    • Timing analysis (WCET) & Code coverage for MATLAB® Simulink®

All materials © Rapita Systems Ltd. 2023 - All rights reserved | Privacy information | Trademark notice Subscribe to our newsletter