Marco Panunzio
Department of Pure and Applied Mathematics, University of Padua
via Trieste 63
35121 Padova

The Priority-band Architecture: a Partitioning Approach to the Definition of Avionics Reference Architectures

Marco Panunzio, José A. Pulido, Tullio Vardanega

ESA Workshop on Avionics Data, Control and Software Systems (ADCSS 2007)



Integrated Modular Avionics (IMA) is a valuable paradigm to integrate multiple subsystems in one and the same computational node, thus making it possible to avoid the inefficiency of pure federated architectures and to exploit the potential of new-generation processors. The most significant advantages of its adoption are: (1) the reduction of the overall hardware cost; (2) the reduction of physical interconnections, which implicitly reduces the variability of the physical interfaces and thus drastically reduces the size and the heterogeneity of communication code.
The ASSERT project (IST-FP6-2004 004033) has investigated the "Priority-band architecture", a variant of the well-known paradigm of server-based hierarchical systems, which can be seen as an elegant and simple approach to the design of partitioned systems. Each priority band represents the implementation of a single logical partition and can have its own local scheduling policy, chosen among a predefined set of supported policies. Each subsystem is thus assigned to a distinct priority band. The architecture is then coupled with the adoption of the Ravenscar Computational Model (RCM), which guarantees that all applications abiding by its constraints are fully amenable to static analysis.
Intra-partition communications are mediated by shared resources, equipped with a synchronization protocol to warrant mutual exclusion. The architecture also allows inter-partition communications with the same, simple mechanism.
Whatever paradigm is effectively used to design a real-time system, the two paramount properties of temporal isolation and spatial isolation among distinct partitions must be assured by static analysis and also enforced at run time.
Temporal isolation, albeit confirmed by timing analysis, should still be actively enforced at run time to prevent the risk of violations resulting from inaccurate WCET estimations or other sorts of system faults. Standard means and mechanisms exist in some mainstream software technologies that allow the middleware tier of the implementation to effectively perform this monitoring.
One delicate element in the use of the proposed architecture concerns the non-obvious relation between the criticality level to which subsystems (i.e., partitions) are individually classified and the priority band to which partitions have to be allocated. Whereas the priority level is a mechanism to reflect the urgency of execution, the criticality level is concerned with safety guarantees, which are orthogonal to urgency. To adopt the proposed architecture we must devise a way to effectively relate the former to the latter without incurring distortions. A possible recipe to do so includes two ingredients: (1) to break up individual subsystems which contain functional activities with differing urgency of execution into multiple partitions which retain the original criticality level vis-a-vis safety but are attributed to distinct priority bands which reflect the spread of urgency of their processing contents; since the architecture efficiently supports and protects inter-partition communications, breaking up a subsystem into multiple priority bands fully preserves the functional cohesion of the original subsystem; (2) to provide analytical support to help the system designer gauge the most convenient mapping of subsystems to priority bands.
Despite the intellectual hurdle just illustrated we can still contend that the proposed architecture features interesting advantages over classical IMA (for example in the incarnation of the ARINC 653 specification). ARINC 653 is much valued for its predictability, but it is also known to have several disadvantages: the system is inflexible to changes to the partitioning structure; it is impossible to exploit slack times across partitions; inter-partition communication is rigid and exposed to latency due to the time-triggered global scheduler; sporadic tasks are difficult to model. In contrast, the proposed architecture is exempt from those defects: the global scheduler based on fixed priority dispatching elects the highest-priority band which includes at least one ready task, which obviously serves to use up all useful slack time; priority bands can be added or removed or reconfigured with negligible effort; sporadic tasks are completely expressible in this architecture since they are natively included in the RCM.
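To make the dispatching rule and the run-time enforcement concrete, the following discrete-time simulation is an added illustration and is not code from the ASSERT project or from the paper. It assumes a simplified model: time advances in integer ticks; every band has a global static priority, a local policy (fixed priority by task or round-robin) and an execution budget per replenishment period; the global dispatcher always runs the highest-priority band that has at least one ready task and budget left, so lower bands absorb any slack immediately; and an execution-time monitor flags any job that runs past its declared WCET. The task set, budgets and execution demands in `demo()` are constructed so that one task overruns its WCET and the band budget stops the overrun from spilling into the lower band.

```python
"""Discrete-time simulation of a priority-band scheduler with run-time
temporal-isolation checks (added example; assumed model, constructed data)."""
from dataclasses import dataclass


@dataclass
class Task:
    name: str
    band: str
    prio: int        # local priority inside the band (higher = more urgent)
    period: int      # release period in ticks; the deadline is the next release
    wcet: int        # declared worst-case execution time
    actual: int      # constructed real execution demand of each job
    remaining: int = 0
    executed: int = 0
    next_release: int = 0
    overruns: int = 0
    misses: int = 0


@dataclass
class Band:
    name: str
    prio: int        # global priority of the band (higher wins)
    policy: str      # 'fixed' or 'rr'
    budget: int      # ticks the band may use per replenishment period
    period: int
    used: int = 0
    next_replenish: int = 0
    rr_index: int = 0


def simulate(bands, tasks, horizon):
    """Return (schedule, events): schedule[t] is the task run at tick t."""
    schedule, events = [], []
    for t in range(horizon):
        for task in tasks:                      # periodic job releases
            if t == task.next_release:
                if task.remaining > 0:          # previous job still unfinished
                    task.misses += 1
                task.remaining, task.executed = task.actual, 0
                task.next_release += task.period
        for band in bands:                      # budget replenishment
            if t == band.next_replenish:
                band.used = 0
                band.next_replenish += band.period

        # Global fixed-priority dispatching over bands: the highest-priority
        # band with a ready task runs, unless its budget for the period is spent.
        chosen = None
        for band in sorted(bands, key=lambda b: b.prio, reverse=True):
            ready = [tk for tk in tasks if tk.band == band.name and tk.remaining > 0]
            if not ready or band.used >= band.budget:
                continue
            if band.policy == "fixed":           # band-local scheduling policy
                chosen = max(ready, key=lambda tk: tk.prio)
            else:                                # round-robin inside the band
                chosen = ready[band.rr_index % len(ready)]
                band.rr_index += 1
            break
        if chosen is None:
            schedule.append("idle")
            continue

        chosen.remaining -= 1
        chosen.executed += 1
        band.used += 1
        schedule.append(chosen.name)
        if chosen.executed == chosen.wcet + 1:   # execution-time monitor fires
            chosen.overruns += 1
            events.append(f"t={t} WCET overrun: {chosen.name}")
        if band.used == band.budget and any(
                tk.remaining > 0 for tk in tasks if tk.band == band.name):
            events.append(f"t={t} budget exhausted: {band.name} (work pending)")
    return schedule, events


def demo():
    """Constructed scenario: a2 overruns its WCET, but band A's budget keeps the
    overrun from stealing band B's time, so b1 and b2 still meet their deadlines."""
    bands = [Band("A", prio=2, policy="fixed", budget=4, period=6),
             Band("B", prio=1, policy="rr", budget=2, period=6)]
    tasks = [Task("a1", "A", prio=2, period=6, wcet=2, actual=2),
             Task("a2", "A", prio=1, period=6, wcet=1, actual=3),
             Task("b1", "B", prio=1, period=6, wcet=1, actual=1),
             Task("b2", "B", prio=1, period=6, wcet=1, actual=1)]
    schedule, events = simulate(bands, tasks, horizon=12)
    return schedule, events, {tk.name: tk for tk in tasks}


if __name__ == "__main__":
    sched, evs, tks = demo()
    print(" ".join(sched))
    for e in evs:
        print(e)
    for name, tk in tks.items():
        print(name, "overruns:", tk.overruns, "deadline misses:", tk.misses)
```

Running `demo()` shows the two points of the text side by side: band B is dispatched as soon as band A has nothing runnable or its budget is spent (no time-triggered window is needed for B to get the slack), and the budget cap confines a2's WCET overrun to band A, where only a2 itself misses its deadline.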
We contend that the "priority-band architecture" is a promising conceptual starting point for the definition of avionics reference architectures. It retains the advantages of the "integrated paradigm" while catering for both performance and architectural improvements over the classical IMA implementations. Its flexibility and ease of configuration in particular allow the designer to concentrate on the definition of the contents of subsystems as opposed to risking spending inordinate effort on system integration.