The architecture of Distributed Integrated Modular Avionics (DIMA) has been successfully adopted in the aviation industry. A DIMA system installs standardized computer modules in spatially distributed locations that are connected by a unified bus system such as an AFDX network. Avionics applications residing on the modules run in ARINC-653 compliant operating systems. The generic distributed structure of DIMA significantly improves performance and availability and reduces development and maintenance costs, but it also dramatically increases the complexity of schedulability analysis. A schedulable DIMA system must fulfil not only the temporal requirements of the real-time tasks in each ARINC-653 module but also the communication constraints among the distributed nodes. As a result, system integrators need to consider both computation and communication when analyzing the schedulability of a DIMA architecture.
Currently, model checking approaches are increasingly being applied to the schedulability analysis of complex real-time systems. However, we found no studies that analyzed the schedulability of distributed avionics systems as a whole, including the network, by model checking. The related research isolates computation modules from their underlying network, either treating these nodes as independent hierarchical scheduling systems or investigating the network in isolation, which possibly leads to pessimistic results. There have been works using model checking to analyze the temporal behavior of individual avionics modules in various formal models such as Coloured Petri Nets (CPN), preemptive Time Petri Nets (pTPN), Timed Automata (TA), and StopWatch Automata (SWA) [17, 9], verifying schedulability properties via state space exploration. Unfortunately, when applied to concrete avionics systems, all of them suffer from the inevitable problem of state space explosion. For hierarchical scheduling systems, some studies [7, 19, 5] exploit the inherent temporal isolation of ARINC-653 partitions and analyze each partition separately, but they ignore the behavior of the underlying network and the interactions among partitions. Thus these methods are not applicable to DIMA environments, in which multiple distributed ARINC-653 partitions communicate through a shared network to perform an avionics function together.
In this paper, we present a compositional approach for schedulability analysis of DIMA systems that are modeled as SWA, i.e. the TA extended with stopwatches. Compared with the clocks in TA, stopwatches can be blocked and resumed at any location and thus are effective in modeling task preemption. We decompose the system in such a way that we can check each ARINC-653 partition including a model of its communication environment individually and then assemble the local results together to derive conclusions about the schedulability of an entire system. Thereby, we verify a number of smaller, simpler, abstract systems rather than directly verifying a larger, more complex, concrete system including the details about all the partitions and the network. The main contributions of this paper are summarized as follows:
A compositional approach performs assume-guarantee reasoning to reduce the complexity of symbolic model-checking in the schedulability analysis of DIMA systems.
An abstraction relation, timed selection simulation relation, allows users to create a set of abstract models that collectively describe the external behavior of a concrete model, thereby simplifying the abstraction in assume-guarantee reasoning.
A notion of message interfaces decouples the communication dependencies between partitions. By composing any partition with its related message interfaces and verifying safety properties of the composition, we can conclude that these properties are still preserved at the global level.
The rest of the paper is organized as follows. Section 2 gives the necessary formal notions. The modeling of DIMA systems is presented in section 3. Section 4 gives the concept of timed selection simulation and its properties. In section 5, we detail the compositional analysis approach. Section 6 shows an experiment on a concrete DIMA system, and section 7 finally concludes.
In this section, we present formal definitions including SWA with an input/output extension and its semantic object, Timed I/O Transition Systems (TIOTSs).
Suppose that is a finite set of clocks and is a finite set of integer variables. A valuation with denotes a mapping from to and from to . Let be the set of linear constraints. A guard is a linear constraint which is defined as a finite conjunction of atomic formulae in the form of , or with , and . Given any valuation , we change the values of clocks and integer variables using an update operation in the form of or where and , and is the set of all possible update operations. In addition, we define an action set . All the actions can be subsumed under two sets of unicast actions and broadcast actions . By contrast, denotes an internal action and .
Definition 1 (Stopwatch Automaton).
A stopwatch automaton is a tuple where is a finite set of locations, is the initial location, is a finite set of clocks, is a finite set of integer variables, is a set of edges, is a finite set of actions divided into inputs() and outputs(), is a mapping , and is a mapping .
From a syntactic viewpoint, SWA belongs to the class of TA extended with , which can prevent part of the clocks from changing in specified locations semantically. We now shift the focus to the semantic object TIOTS of SWA.
In a TIOTS, there are two types of transitions: delay and action transitions. We use the set to denote the delay, and refer to the 0-delay as .
Definition 2 (Timed I/O Transition System).
A timed I/O transition system is a tuple where is an infinite set of states, is the initial state, is a finite set of actions divided into inputs() and outputs(), , and is a transition relation. represents , which has the properties of time determinism, time reflexivity, and time additivity.
For any SWA, a state is defined as a pair where is a location and is a valuation over clocks and integer variables. On the basis of TIOTSs, the operational semantics of SWA is defined as follows.
The operational semantics of a stopwatch automaton is a timed I/O transition system where is the set of states of , is the initial state of , is the same set of actions as , and is the transition relation defined by
For any transition , two symbols and denote the action belonging to input and output respectively. Given , iff , s.t. . or denotes the reflexive and transitive closure of . iff , or , s.t. and , s.t. or and .
The definition of parallel composition of TIOTSs is similar to that in . Given two TIOTSs , they are compatible iff they satisfy the following conditions:
(Unique output) .
(Deterministic-pair unicast) .
Note that broadcast actions in the composition of TIOTSs are input-enabled: .
Definition 4 (Parallel Composition).
Suppose two timed I/O transition systems and are compatible. The parallel composition is the timed I/O transition system where , , , , , and is the largest relation generated by the following rules:
We use to denote the set of TA and SWA in our modeling framework. For any , we define the composite model iff their TIOTSs satisfy .
3 Avionics System Modeling
We focus on a generic DIMA architecture including a set of ARINC-653 modules connected by an AFDX network, as shown in Fig.1. There is a three-layer structure in the DIMA system that consists of scheduling, task, and communication layers.
The scheduling layer is defined as the scheduling facilities for the generic computation resources of a DIMA system, where standardized computer modules execute concurrent application tasks in partitioned operating systems. In such an operating system, partitions are scheduled by a Time Division Multiplexing (TDM) scheduler, and each partition also has its own local scheduling policy, preemptive Fixed Priority (FP), to manage its internal tasks. The scheduling layer is modeled as two TA templates, PartitionSupply and TaskScheduler, in  (models available at http://eptcs.web.cse.unsw.edu.au/paper.cgi?MARSVPT2018:2). The PartitionSupply depicted in Fig.2 provides the service of TDM partitioning for a particular partition pid. The TaskScheduler, which implements FP scheduling, allocates processor time to the task layer only when the partition is active.
The task layer contains all the application tasks executing avionics functions. A task is regarded as the smallest scheduling unit, each of which runs concurrently with other tasks in the same partition. The execution of a task is modelled as a sequence of commands that are either computing for a duration, locking/unlocking a resource, or sending/receiving a message. We consider two task types: periodic tasks and sporadic tasks. A periodic task has a fixed release period, while a sporadic task is characterized by a minimum separation between consecutive jobs. The task layer is instantiated from two SWA templates PeriodicTask and SporadicTask in . Since the tasks in a partition are scheduled by a task scheduler, we use a set of binary channels as scheduling actions to communicate between task models and TaskScheduler.
The communication layer carries out inter-partition communication over a common AFDX network. The AFDX protocol stack, realized by an End System (ES), interfaces with the task layer through ARINC-653 ports. Based on the AFDX protocol structure, the communication layer is further divided into a UDP/IP layer and a Virtual Link layer, where a Virtual Link (VL) ensures an upper bound on end-to-end delay. In , the UDP/IP layer is divided into two TA templates, IPTx and IPRx, which calculate the latency of the UDP/IP layer in a transmitting ES and a receiving ES respectively. Similarly, two TA templates, VLinkTx and VLinkRx, model the delay of a VL in opposite directions.
From a global view of the system, its schedulability is also affected by the communication layer. According to the ARINC-653 standard, there are two types of ARINC-653 ports, sampling ports and queuing ports. A sampling port can accommodate at most a single message that remains until it is overwritten by a new message. A refresh period is defined for each sampling port. This attribute provides a specified arrival rate of messages, regardless of the rate of receiving requests from tasks. In contrast, a queuing port is allowed to buffer multiple messages in a message queue with a fixed capacity. However, the operating system is not responsible for handling overflow from the message queue.
In this paper, we verify the following three typical schedulability properties:
All the tasks meet their deadlines in each partition.
The refresh period of any sampling port is guaranteed.
The overflow from any queuing ports must be avoided.
The schedulability of an avionics system is described and verified as a safety property of the above TA/SWA models. We add a set of error locations to the templates. Once schedulability is violated, the related model will lead itself to one of the error locations immediately. Thus, the schedulability is replaced with this safety property :
which belongs to a simplified subset of TCTL used in .
However, since the verification algorithm inside  for SWA introduces a slight over-approximation (exact reachability for SWA with more than 3 stopwatches is known to be undecidable),  may sometimes give the verification result “Maybe satisfied” or “May not be satisfied”. To further refine the result in this case, we manually analyse the possible counterexample using ’s concrete simulator to determine whether the system is unschedulable. Alternatively, the statistical model-checking (SMC) engine could be invoked to attempt an automatic falsification. In our experience, this result only appears when the system is on the very borderline of being schedulable.
4 Timed Selection Simulation
We propose a notion of timed selection simulation relation to support assume-guarantee reasoning. Compared with some other abstraction relations like timed simulation and timed ready simulation, timed selection simulation only abstracts a selected subset of actions from the concrete model. Applying timed selection simulation to the abstraction of a concrete system, one can pay attention to part of the system, individually model the behavior of each component, and thereby obtain a composite abstract model rather than a monolithic one.
Considering the semantic object of an automaton , we denote the error states of by the set where is the error-location set of . Thus, for any TIOTS , its error states are defined as a set , and the following function indicates whether a state has violated schedulability properties:
Given two compatible TIOTSs with the error-state set , their composition has the error-state set and the function .
Based on the function , the formal definition of timed selection simulation is given as follows.
Definition 5 (Timed Selection Simulation).
Let and be two timed I/O transition systems with . Let R be a relation from to . We call R a timed selection simulation from to , written via , provided and for all , and
if for some , , then such that and
if for some , , then such that and
if for some , , then such that and
if for some , , then such that and
Let be stopwatch automata. We say that , if and only if their corresponding timed I/O transition systems satisfy .
We now give some necessary properties of timed selection simulation.
Timed selection simulation is a preorder.
For any automaton , by construction, the reachability of its error locations is equivalent to that of the error states in the corresponding TIOTS . Hence the following theorem shows that timed selection simulation can preserve the satisfaction of the safety properties in the form of Eq.(1).
Theorem 2 (Property preservation).
Let be timed I/O transition systems and be the set of error states of . Given a safety property that any error states are not reachable, if and , then .
Theorem 3 (Abstraction compositionality).
Let be timed I/O transition systems. If , , and and are compatible, then .
Theorem 4 (Compositionality).
Let , be timed I/O transition systems. Suppose and are the parallel compositions of compatible timed I/O transition systems. If , and , then .
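As an added example that is not part of the paper or its models, the following Python sketch implements the selection-simulation check of Definition 5 and the property-preservation deduction of Theorem 2 on finite, untimed transition systems; the precise matching rule (a selected action is matched by tau* then that action, any other action by tau* alone, and err(concrete) <= err(abstract) on related pairs), the class TS, and all state and message names are assumptions introduced here.

```python
"""Finite-state selection simulation check with error-state preservation.

Added example, not the paper's models. Delays and stopwatches are left out;
every edge carries an action or the internal action TAU. Matching rule (an
assumption): a concrete step on a *selected* action is matched by tau* then
that action in the abstract model; any other step is matched by tau* alone;
and related states satisfy err(concrete) <= err(abstract).
"""
from dataclasses import dataclass, field
from typing import Callable, FrozenSet, Optional, Set, Tuple

TAU = "tau"  # internal action


@dataclass
class TS:
    """Finite transition system: initial state, (source, action, target) edges, error states."""
    init: str
    trans: Set[Tuple[str, str, str]]
    errors: Set[str] = field(default_factory=set)

    def states(self) -> Set[str]:
        return {self.init} | self.errors | {q for e in self.trans for q in (e[0], e[2])}

    def reach(self, start: str, ok: Callable[[str], bool]) -> Set[str]:
        """States reachable from start using only edges whose action satisfies ok."""
        seen, stack = {start}, [start]
        while stack:
            cur = stack.pop()
            for src, act, dst in self.trans:
                if src == cur and ok(act) and dst not in seen:
                    seen.add(dst)
                    stack.append(dst)
        return seen

    def weak_post(self, s: str, action: str) -> Set[str]:
        """tau* then `action` (tau* alone when action is TAU): the double arrow of section 2."""
        pre = self.reach(s, lambda a: a == TAU)
        if action == TAU:
            return pre
        return {dst for src, act, dst in self.trans if src in pre and act == action}

    def error_reachable(self) -> bool:
        """Violation of the safety property of Eq.(1): some error state is reachable."""
        return bool(self.reach(self.init, lambda a: True) & self.errors)


def selection_simulation(concrete: TS, abstract: TS,
                         selected: FrozenSet[str]) -> Optional[Set[Tuple[str, str]]]:
    """Greatest selection simulation relating the two initial states, or None.

    Start from all pairs with err(c) <= err(a); prune any pair whose concrete
    step has no matching abstract step until stable (greatest fixpoint).
    """
    rel = {(c, a) for c in concrete.states() for a in abstract.states()
           if c not in concrete.errors or a in abstract.errors}
    changed = True
    while changed:
        changed = False
        for c, a in list(rel):
            for src, act, c2 in concrete.trans:
                if src != c:
                    continue
                matcher = act if act in selected else TAU  # unselected actions are hidden
                if not any((c2, a2) in rel for a2 in abstract.weak_post(a, matcher)):
                    rel.discard((c, a))
                    changed = True
                    break
    return rel if (concrete.init, abstract.init) in rel else None


def safe_by_abstraction(concrete: TS, abstract: TS, selected: FrozenSet[str]) -> Optional[bool]:
    """Theorem 2 applied: True when the abstraction proves the concrete model error-free;
    False when the abstract model itself reaches an error (inconclusive, since the rule is
    only a sufficient condition); None when no selection simulation exists."""
    if selection_simulation(concrete, abstract, selected) is None:
        return None
    return not abstract.error_reachable()


# Constructed toy models with hypothetical names. The partition releases a task (tau),
# computes, sends message m1, and may receive m2 at any time while idle.
PARTITION = TS("idle", {("idle", TAU, "run"), ("run", "send_m1", "idle"),
                        ("idle", "recv_m2", "idle")})
# Same partition, but the running task may miss its deadline: an error location.
PARTITION_FAULTY = TS("idle", {("idle", TAU, "run"), ("run", "send_m1", "idle"),
                               ("idle", "recv_m2", "idle"), ("run", TAU, "deadline_miss")},
                      errors={"deadline_miss"})
# Message interface: keeps only the selected output send_m1; everything else is abstracted.
INTERFACE = TS("wait", {("wait", "send_m1", "wait")})
SELECTED = frozenset({"send_m1"})
```

The faulty partition cannot be related to the error-free interface at all, which is the contrapositive of Theorem 2: an abstraction that never reaches an error can only be built for a concrete model that never reaches one either.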
5 Compositional Analysis
We apply assume-guarantee reasoning to the schedulability analysis, and describe the schedulability goal as a safety property (Eq.(1)). As shown in Fig.3, our compositional analysis is comprised of the following four steps:
Decomposition: The system is first decomposed into a set of communicating partitions modeled by TA and SWA. The global property is also divided into several local properties, each of which belongs to one partition.
Construction of message interfaces: We define message interfaces as the assumption and abstraction of the communication environment for each partition. In general, the templates of message interfaces should be built manually by the engineers.
Model checking: The local properties under the assumptions and the abstraction relations are verified by model checking.
Deduction: From the assume-guarantee rules, we finally derive the global property by combining all the local results.
The procedure can be performed automatically except for the first construction of the message interfaces. We assume that a task never blocks while communicating with other partitions, which is common practice in avionics systems [12, 7]. Otherwise a loop of communication dependencies would cause circular reasoning, because the assumptions of a partition might recursively depend on its own state.
Assume that there are constituent partitions in a system. Let be the SWA composite model of a partition. Let be the error-location set of . The safety property : denotes the schedulability of . The global property is therefore written as , and the goal of our schedulability analysis is expressed as the verification problem:
that can be further divided into satisfaction relations:
Since the error-location set is only allowed to be manipulated by , we check each partition model independently for the corresponding local property instead of solving the original verification problem on a large and complex system. However, the communication environment of , which denotes the behavior by which receives messages from other partitions, may affect the satisfaction of the schedulability property . Hence when performing the verification for partition , one needs to state the assumptions about its communication environment and verify the local property under these assumptions.
5.2 Construction of message interfaces
A set of TA models is created to describe the message-sending behavior of a partition. Each of the TA is called a message interface of this partition and associated with a particular message type. Suppose there are a number of messages sent from partition to another partition and their corresponding message interfaces make up a composite TA model . When we analyze in the compositional way, it should be safe for to replace . Hence, we say that a message interface of is an abstraction of .
Our abstraction of the message delivery between a partition and its underlying network is modelled using broadcast synchronization. A broadcast action represents a specific message type. Let be the action set of a composite model for any partition . An action (resp. ) denotes that receives (resp. sends) messages of type from (resp. to) other partition(s). The symbol represents the condition that there exists a partition sending messages to via an action set .
Definition 7 (Message Interface).
Let be the output action set of a stopwatch automaton . For any output action , the timed automaton with an action set is a message interface of if and only if there exists a timed selection simulation relation on such that
We build the templates of message interfaces in accordance with the characteristics of the message-sending actions. In practice, the structure of an interface can be designed straightforwardly from the task specification. The template in Fig.4 shows a message interface that sends messages periodically via the action array pmsg. We then run an automated binary search over the interface’s parameters, such as offset in the template, while checking that the timed selection simulation relation holds.
The message interfaces can serve as the assumptions of the communication environment of a partition. The composition of the message interfaces for all provides with a “complete” abstraction of , which models the behavior of all the output actions from to . According to the abstraction compositionality (Theorem 3) of the preorder , we have
Considering all the partitions except in the system, we describe the communication environment of as the composite model .
5.3 Model checking
In the third step, the local property of under assumption can be verified by model checking. We denote these subproblems by
Normally, in Eq.(7) has a much smaller model size than its corresponding partition model in Eq.(4). Thus, the compositional approach allows us to verify a simpler abstract partition model instead of a complex concrete system model including the details about all the partitions.
In addition, we capture the computation time of each task as an interval between a best-case and worst-case execution time. When analyzing the schedulability of a partition, the model-checker explores all scheduling decisions that can be made in such an interval, and hence also examines possible cases of scheduling timing anomalies.
We derive the global property by combining local results in the last step. For any schedulable system, each property should be concluded from the satisfaction of Eq.(7) under assumptions and all the abstraction relations of Eq.(6). According to the compositionality (Theorem 4) and property preservation (Theorem 2) of timed selection simulation, we have the following assume-guarantee rule:
Note that this assume-guarantee rule only provides a sufficient schedulability condition, for abstract message interfaces might slightly over-approximate the external behavior of a partition.
A simplified DIMA system exemplifies the reasoning procedure. In the example, the system model is decomposed into three partitions . We divide the global property into three local properties . Accordingly, the goal of the verification problem is to check
From Eq.(4), this problem can be replaced with three subproblems:
Without loss of generality, we take the verification of  as an example to show how the model checking and deduction are carried out in the following steps.
Assume that sends two types of messages, and , via two actions and respectively, and sends only a with action . We create one message interface (like Eq.(5)) for each message type received by in the system. The abstraction relations from Eq.(5) can be expressed as
From abstraction compositionality of the preorder , we can obtain
Then, from reflexivity and compositionality of the preorder , the composite model of the system satisfies
Note that when we apply the compositionality to checking a partition , any output actions sent to are never removed in the abstraction relations (Eq.(12)), which satisfies condition (2) of Theorem 4.
With Eq.(13), we have from property preservation of the abstraction relation that
Since Eq.(15), which covers all three partitions in the system, has a higher complexity than Eq.(14), model checking can be applied to the simpler problem Eq.(14) instead of the original goal Eq.(15). The same steps are repeated for the local properties and .
Consequently, we obtain all the local results of Eq.(10) by the reasoning process from Eq.(11) to Eq.(15). When we analyze the partition and its communication environment, the local result of Eq.(15) is deduced from Eq.(11) and Eq.(14) by the following assume-guarantee rule.
The local results are then combined to constitute the global result of Eq.(9).
6 Case Study
In this section, we apply the compositional approach to an avionics system which combines the workload of  and the AFDX configuration of . The workload consists of 5 partitions, which are further divided into 18 periodic tasks and 4 sporadic tasks. Considering the inter-partition messages in the workload, we assign each message type a separate VL with the same subscript. The messages of and are handled at the refresh period in sampling ports. and are configured to operate in queuing ports, each of which can accommodate a maximum of one message.
As shown in Fig.5, we consider the distributed architecture that comprises 3 ARINC-653 modules connected by an AFDX network. The module accommodates and , the module executes and , and the partition is allocated to . There are 4 VLs - connecting 3 ESs across 2 switches and in the AFDX network. The arrows above VLs’ names indicate the direction of message flow.
The avionics system equips each of its processor cores with a partition schedule. We assume the modules in the experiment to be single-processor platforms. Fig.5 gives the partition schedules, which fix a common major time frame at and allocate to each partition within every . All the partition schedules are enabled at the same initial instant. The scheduling configuration keeps the temporal order of the partitions in . Hence the partition schedules contain five disjoint windows , , , , and , where the second parameter is the offset from the start of and the last is the duration.
We analyze the schedulability of this avionics system following the procedure in section 5:
(1) Decomposition: The system is first decomposed into five sets of SWA template instances corresponding to five partitions. The schedulability of any partition is described as the query :
where the boolean variable perror[i] is set to True once any error location is reached in . When analyzing the schedulability of , we only instantiate the set of SWA template instances of into processes. This set contains two scheduler models instantiated from PartitionSupply and TaskScheduler, all the PeriodicTask and SporadicTask models in , and the communication layer models from which receives messages.
(2) Construction of message interfaces: The message interfaces are constructed from the template depicted in Fig.4 for all the messages that originate in periodic tasks. There are four unknown parameters in the template: period, initOffset, offset, and jitter. Initially, the parameters of a message interface are set to the same values as those of the source task. Then we employ a binary search to heuristically refine offset and jitter, while guaranteeing that a timed selection simulation relation exists.
(3) Model checking: The schedulability of five partitions is checked individually. After combining the models of and its message interfaces, we verify the property by model checking in . The verification was repeated for each partition to evaluate the schedulability of a complete system. The experiment was executed on the 4.1.19 64-bit version and an Intel Core i7-5600U laptop processor.
(4) Deduction: According to the assume-guarantee rule described in Eq.(8), we conclude the schedulability of the complete system from the results of the verification of five partitions.
Results of the Analysis
The result in Table 1 shows that each partition is separately schedulable (the “Yes” results of Case 1) except the partition (the “No” result). From a global view, we cannot conclude directly that the system is non-schedulable, because the compositional approach described in section 5 only provides a sufficient condition for schedulability. Nevertheless, we find a counterexample by simulation in , and thus it can be concluded that the current system is not schedulable. The counterexample shows that violates the refresh-period constraint of due to network latency.
Considering the effect of network latency on the scheduling configuration, we updated the partition schedules by performing a swap of time slots between and . The modified partition schedules provide five windows , , , , and . The compositional analysis of the updated system was executed again. The result (Case 2 in Table 1) shows that all the partitions of the updated system are individually schedulable. Thus, the updated system finally achieves the schedulability at the global level.
Table 1 also shows the performance in terms of execution time and memory usage. In both cases, the partition contains more instantiated models (19 processes) than the other four partitions. As a result, model checking of runs noticeably slower and requires more memory than for the others. Nevertheless, the compositional analysis could be performed on ordinary computers within an acceptable time.
Compared with the compositional way, global analysis based on the same models would require 51 processes including all the 22 task models, whose state space is much more complex than the others. This causes to run out of memory within a few minutes, and thus makes the global analysis infeasible. In contrast, the compositional approach only requires at most 5 task models when we perform model checking, offering effective state space reduction.
In this paper, we present a compositional approach for schedulability analysis of DIMA systems, which are modeled as a set of stopwatch automata in , describing schedulability as safety properties of models. We check each ARINC-653 partition including its communication environment individually, thereby reducing the complexity of model-checking. The techniques presented in this paper are applicable to the design of DIMA scheduling systems. We have applied the compositional approach to a concrete DIMA system. As future work, we plan to develop a model-based approach to the automatic optimization and generation of the partition schedules of a DIMA system.
Table 1: verification results and performance per partition (columns No., Case 1, Case 2; the table body was not recovered in extraction).
-  AEEC (2010): Avionics application software standard interface: part 1 - required services. ARINC Specification 653P1-3, Aeronautical Radio Inc.
-  Tobias Amnell, Elena Fersman, Leonid Mokrushin, Paul Pettersson & Wang Yi: TIMES: a tool for schedulability analysis and code generation of real-time systems. In: FORMATS 2003, doi:http://dx.doi.org/10.1007/978-3-540-40903-8_6.
-  Björn Annighöfer & Frank Thielecke (2014): A systems architecting framework for distributed integrated modular avionics. DGLR, doi:http://dx.doi.org/10.1007/s13272-015-0156-1.
-  Jalil Boudjadar, Kim Guldstrand Larsen, Jin Hyun Kim & Ulrik Nyman: Compositional schedulability analysis of an avionics system using UPPAAL. In: AASE 2014.
-  Laura Carnevali, Giuseppe Lipari, Alessandro Pinzuti & Enrico Vicario: A formal approach to design and verification of two-level hierarchical scheduling systems. In: RST 2011, doi:http://dx.doi.org/10.1007/BF00360340.
-  Laura Carnevali, Alessandro Pinzuti & Enrico Vicario (2013): Compositional verification for hierarchical scheduling of real-time systems. IEEE Transactions on Software Engineering 39(5), pp. 638–657, doi:http://dx.doi.org/10.1109/TSE.2012.54.
-  Franck Cassez & Kim Larsen: The impressive power of stopwatches. In: CONCUR 2000, doi:http://dx.doi.org/10.1007/3-540-44618-4_12.
-  Franco Cicirelli, Angelo Furfaro, Libero Nigro & Francesco Pupo: Development of a schedulability analysis framework based on pTPN and UPPAAL with stopwatches. In: DS-RT 2012, doi:http://dx.doi.org/10.1109/DS-RT.2012.16.
-  Alexandre David, Kim G Larsen, Axel Legay, Ulrik Nyman & Andrzej Wasowski: Timed I/O automata: a complete specification theory for real-time systems. In: HSCC 2010, doi:http://dx.doi.org/10.1145/1755952.1755967.
-  RB Dodd (2006): Coloured petri net modelling of a generic avionics mission computer. Technical Report, DTIC.
-  Arvind Easwaran, Insup Lee, Oleg Sokolsky & Steve Vestal: A compositional scheduling framework for digital avionics systems. In: RTCSA 2009, doi:http://dx.doi.org/10.1109/RTCSA.2009.46.
-  Orna Grumberg & David Long (1994): Model checking and modular verification. ACM TOPLAS 16(3), pp. 843–871, doi:http://dx.doi.org/10.1145/177492.177725.
-  J Javier Gutiérrez, J Carlos Palencia & Michael González Harbour (2014): Holistic schedulability analysis for multipacket messages in AFDX networks. Real-Time Systems 50(2), doi:http://dx.doi.org/10.1007/s11241-013-9192-2.
-  Henrik Jensen (1999): Abstraction-based verification of distributed systems. Ph.D. thesis, Aalborg university.
-  Henrik Jensen, Kim Larsen & Arne Skou: Scaling up UPPAAL. In: FTRTFT 2000, doi:http://dx.doi.org/10.1007/3-540-45352-0_4.
-  Marius Mikučionis, Kim Larsen, Jacob Rasmussen, Brian Nielsen, Arne Skou, Steen Palm, Jan Pedersen & Poul Hougaard: Schedulability analysis using UPPAAL: Herschel-Planck case study. In: ISoLA 2010, doi:http://dx.doi.org/10.1007/978-3-642-16561-0_21.
-  Jan Reineke, Björn Wachter & Stefan Thesing et al.: A definition and classification of timing anomalies. In: WCET 2006.
-  Youcheng Sun, Giuseppe Lipari, Romain Soulat, Laurent Fribourg & Nicolas Markey: Component-based analysis of hierarchical scheduling using linear hybrid automata. In: RTCSA 2014, doi:http://dx.doi.org/10.1109/RTCSA.2014.6910502.
-  Guoqing Wang & Qingfan Gu: Research on distributed integrated modular avionics system architecture design and implementation. In: DASC 2013, doi:http://dx.doi.org/10.1109/dasc.2013.6712647.