Approaches to Certification of Reconfigurable IMA Systems Paul Hollow, John McDermid, Mark Nicholson, University of York, UK Abstract

Transcription

1 Approaches to Certification of Reconfigurable IMA Systems Paul Hollow, John McDermid, Mark Nicholson, University of York, UK Abstract The aerospace industry have been investigating integrated modular avionics (IMA) for some years. IMA offers the opportunity of greater flexibility in use of computing resources by reconfiguring the software to employ different processors and communications. Such reconfiguration poses difficulties for certification since current certification practice requires assessment of each configuration. The approach we have adopted is to seek ways of clearing an instance of a system that incorporates a number of equivalent configurations. This analysis enables us to define reconfiguration tables for the IMA operating system; reconfiguration using this table is still guaranteed to meet the system requirements. We have formulated the search for a set of equivalent configurations as a multi-objective optimisation problem. 1 Keywords: Integrated Modular Avionics, certification, analysis, distributed systems, reconfiguration 1. Introduction Conventional avionics systems are implemented as federated systems where each major function, or application, within the system is incorporated into a separate hardware box. These boxes may be interconnected via one or more buses at the system level. Each box is considered at a single level of criticality, which requires safety analysis and certification of each box in turn. This type of system can be seen, for instance, in the Airbus 320, which has 88 computers of 50 different types. The lifecycle costs of such systems are huge and this has led to research into an alternative approach; Integrated Modular Avionics (IMA). IMA is an integrated approach to systems architecture where multiple functions, or applications, run in a single hardware box with each function or application communicating via services provided by an operating system. IMA aims to provide a more efficient use of system resources, since resources can now be used in different configurations. Reconfiguration allows software components (processes and / or messages) to employ different processors and communications media to respond to system load, failures or battle damage. One of the perceived barriers to the introduction of such systems is safety certification. Under current certification procedures, each architectural configuration that might be employed by a given IMA would need to be analysed and certified. Effectively, it appears that the cost of the computing system has been moved from federation and maintenance into certification of system configurations. The objectives of the work being undertaken at York are to build, develop and extend both the way in which IMA architectures are modelled and the way in which reconfiguration is achieved under hardware failure conditions, within a certification framework. The framework should allow groups of "equivalent" IMA configurations to be analysed and certified. To achieve this we aim to employ off-line analysis and static reconfiguration under failure. This work should also provide pointers for certification of more advanced reconfiguration techniques. In Section 2 we consider the issues surrounding the certification of IMA systems to set the scene and scope the problem being addressed by this paper. In Section 3 we propose a process 1 The work described here is being undertaken by a Doctoral student funded through the BAe Dependable Computing Systems Centre at York 1

2 for producing and certifying a group of equivalent architectures. In Section 4 we propose a classical search based approach to determining the group and provide details on the scoring of different proposed architectures. In Section 5 we discuss the integrity requirements for the search algorithms and indicate how we envisage our work progressing. 2. Certification of Avionics Systems Standards for the development and certification of avionics systems have been produced, for example, ARP-4754 [1] and the accompanying ARP-4761 for commercial aircraft. However, these standards tend to be applicable to one system type or one stage of the development and certification process. In order for an aircraft to be certified as safe to fly, all certification agencies and government bodies require a safety case to be presented to prove that sufficient safety analysis has been performed on the aircraft and all its sub-systems. The evidence provided in current safety cases relies on two main assumptions: 1. the system can be presented as a single entity 2. the behaviour of the system is deterministic Neither, of these assumptions is likely to hold for IMA systems since one of the major gains from IMA is the ability to reconfigure the system on failure, thus producing a new system whose behaviour is not deterministic at design time. The behaviour of the system is likely to be predictable however. In fact it is even more complicated than this. Bradley et al [2] list seven areas of avionics system certification which are affected significantly by the use of IMA principles and technology: Isolation can no longer purely be provided by physically separating the system functions Scheduling will require a mechanism similar to priority based scheduling [3] Common cause failures may be introduced by means of the management units employed to provide isolation and reconfiguration Safety critical application functions will be placed on standard commercial processors Interchangeability of modules foe ease of maintenance Reconfiguration Re-use of certification evidence In this paper we assume priority based scheduling will be employed. We concentrate on the last two aspects, reconfiguration and re-use of safety evidence. Note is taken of the other aspects however. For instance, we restrict the set of possible system reconfigurations under failure to maintain physical separation to guard against common cause failure due to physical proximity and battle damage and to keep copies of functions apart for redundancy purposes. 3. Certification of Reconfiguration of IMA As we have seen the issues surrounding IMA are numerous and complex. We have focused on one particular aspect, reconfiguration, that we believe is amenable to a systematic analysis via classical search techniques. We propose that certification of a reconfigurable IMA architecture requires the following steps: 1. Model the system and allocate the software components to the given IMA hardware components to produce a "baseline" system. This "baseline" model must be shown to meet all performance requirements. 2

3 2. Produce a list of systems that would pertain under any hardware single point of failure. That is, list every hardware architecture resulting from a single module, processor or link failure. Determine which of these systems no longer meet all their performance requirements. 3. For those single point of failure systems that no longer meet their performance requirements reallocate the software components. Produce a "reconfiguration table" of allocations for each new configuration. 4. If there remain single point of failure systems for which there are no allocations that meet all performance requirements then revisit step one to produce a new baseline model. Repeat steps 1 to 4 until an acceptable set of "equivalent" systems are found or a stopping criterion is met. 5. Investigate the mode change problem for each new configuration. 6. Persuade the certification authorities to accept the set of IMA configurations 7. Repeat steps 2 to 6 for two points of hardware failure. In this circumstance it may be possible to use configurations with degraded performance. 8. Persuade the certification authorities to accept the system, its architectural components and the reconfiguration process. The approach we have taken is to produce a baseline IMA architecture and then to consider how to reconfigure this baseline architecture under different hardware failure situations. Clearly this is an iterative process. It would, for instance, be desirable to negotiate a "buy in" to the "baseline" model by the certification authorities early on in the process. However, it may be necessary to change the baseline architecture if no acceptable reconfigurations exist for some failure scenarios. 4. Approach Taken at York For the purposes of showing the basic elements that need to be considered in our approach to reconfiguration we have produced a model of a simple IMA architecture. The aim is to extend and improve this model as work progresses. The model (Figure 1) consists of one IMA cabinet containing three line replaceable modules (LRMs). One LRM contains four processors, one contains three processors and the third two. All processors are fully connected using ADPM network links within the LRM. LRMs are fully interconnected within the cabinet via ATM point-to-point network links. Each LRM has a "system" processor residing on the LRM and the network links external to each LRM. Three abstract tasks are defined to execute on the architecture. Each task is composed of a number of sub-tasks (processes). Each sub-task may generate one or more messages. The majority of the information contained within the architectural model remains constant, such as the memory capacity of processors and the requirements on the system. Some of the elements of the architecture however are amenable to change under failure conditions such as which processors are linked and the allocation of processes to processors and messages to communication media. Thus we have an allocation problem; to allocate processes to processors and messages to communication media such that all performance and safety related requirements are met. Extensions to this architecture can be easily envisaged such as multiple cabinets, heterogeneous processors within modules and restrictions on placement of software elements due to zonal issues, battle damage and failure. We maintain that the approach presented here can be adapted to incorporate such elements. 3

4 CABINET MODULE MODULE MODULE ID 44 ID 48 ID 51 0,1 6,7 10 ID 6 ID 7 ID 45 ID 19 ID 18 ID 49 ID 25 ID 24 ID 52 2, ID 8 ID 9 ID 46 ID 20 ID 21 ID 50 4 ID 15 ID 14 9 ID 22 ID 23 ID 10 ID 11 ID 47 ID 16 ID 13 ID 17 5 ID 12 Proc id 0 Proc id 1 Proc id 2 Proc id 3 Proc id 4 Proc id 5 Proc id 6 Proc id 7 Proc id 8 26 ID 30 ID 35 ID 39 ID 41 ID ID 31 ID 27 ID ID 38 ID ID 42 ID 43 ID 37 ID 36 ID 28 ID 29 ID 32 ID 33 SYSTEM PROCESSOR (Gateway) SYSTEM PROCESSOR (Gateway) SYSTEM PROCESSOR (Gateway) 12 (Copy task) 13 (Copy task) 14 (Copy task) ID 0 ID 2 ID 1 ID 3 ID 5 ID 4 Figure 1: IMA Architecture Model 4.1 Determining an "Equivalent" IMA architecture Two IMA architectures can be said to be acceptable and equivalent if they both meet all the performance and safety requirements on the system. If a reconfiguration between two such architectures is to be acceptable then the mode change problem must also be addressed. Thus we define two IMA architectures to be equivalent under configuration if they meet all their requirements and a safe mode change path exists from one configuration to the other. We can represent the notion of equivalence as a fitness value (function) which indicates how close to being equivalent two proposed configurations are. Four elements to this fitness function can be envisaged; 1. Resource usage - hardware and software constraints placed on the system 2. Timing properties - each task must be shown to meet its worst case response time (WCRT) deadlines 3. Time to Failure - each task must be shown to have an acceptable failure probability, expressed as the mean time to failure (MTTF) of the task 4. Costs of reconfiguration - cost of moving from one configuration to another must be within acceptable bounds. If two IMA architectures are equivalent we propose that the following fitness function elements should sum to zero. P(s) = k 1 net + k 2 processor + k 3 task + k 4 subtask + k 5 message where k i = net = weighting factor for the element penalty for too many messages on a communication media plus penalty for too many bytes of data plus penalty for number of messages that should not be placed on the same communication media, for fault tolerance, but have. 4

5 processor = task = subtask = message = penalty for processors with too many processes allocated plus penalty for too much memory being used by resident processes plus penalty for inappropriate placement of system processes plus penalty for number of processes that should not be placed on the same processor, for fault tolerance, but have. penalty for number of tasks that fail to meet timing deadlines plus penalty for tasks that fail to meet MTTF requirements penalty for subtasks allocated to inappropriate processor (including failed processors) plus penalty for subtasks that do not meet their deadlines penalty for messages using a dead link plus penalty for messages routed so that they cannot reach their destination process plus penalise any message that fails to meet its delivery deadline The primary reason for determining a set of equivalent architectures is to allow reconfiguration under failure. Suppose that the system is working in its baseline configuration and a processor fails. Suppose further that four processes reside on this processor. A new system configuration is required such that these processes are placed on different, working, processors. This new configuration must be equivalent in that it meets all the system requirements. Extensive changes may be required to facilitate this, such as changing priorities of processes, reallocating messages to different communication media and moving processes other than the four directly affected. In figure x we show one such reconfiguration under failure. Figure x: two equivalent IMA architectures for our example architecture plus reconfiguration tables and accompanying fitness function values here Two equivalent IMA architectures may not be equally optimal. It may be that under failure one proposed architecture requires less changes to the existing architecture than another or exhibits better reliability. Therefore, we need to look for ways of not only finding a set of equivalent architectures but choosing between them. We need to search for good equivalent IMA architectures under failure. The fitness function is extended to include the following elements P(s)' = k 6 reconfig + k 7 reliability + k 8 WCRT where reconfig = reliability = WCRT = penalty for time taken to reconfigure the system (minimise mode change time) penalty for MTTF of tasks in the system (maximise overall MTTF) penalty for gap between WCRT and deadline (maximise to indicate timing flexibility in the system) 4.2 Searching for Good "Equivalent" IMA architectures It may under some circumstances be easy to define an acceptable equivalent architecture when a system failure has occurred. However, in general this will not be the case. For certification purposes we need to show that no single point of failure can lead to the system not meeting its requirements. Thus, we have to find n+m+1 equivalent architectures, where n is the number of processors and m is the number of communication media, if we are to show that no single hardware failure can lead to the loss of the safety critical services provided by the IMA system. Only a proportion of the attributes of an IMA architecture are amenable to change under reconfiguration. These are the processor a process resides on communication media a message resides on 5

6 priority of processes and messages Setting the values of these attributes for a given IMA architecture is known as the Allocation Problem. We thus have to consider m+n+1 allocation problems. Each allocation problem can be formulated as an assignment type problem (ATP) [4]. The important features of an ATP problem, with respect to producing a solution for non-trivial sized problems, are: 1. checking whether a proposed solution is ``acceptable'' with respect to a given set of criteria can be undertaken in polynomial time. 2. finding the optimal solution, with respect to a given set of criteria, is non-polynomial (NP). That is, calculus and enumerative searches cannot in general be guaranteed to find an optimal solution in polynomial time. Ribeiro et al [5], indicate that an implicit enumerative (guided) search, or some other form of problem specific heuristic, is required in order to find good solutions for such problems within a `usable' time period. Simulated Annealing [4, 6] has been chosen to address the problem of finding a group of equivalent allocations. Simulated Annealing (SA) has been applied to a wide range of practical problems [7]. A simple sequential SA algorithm for a minimisation problem, is presented in Figure Y. Tools exist to implement this search algorithm. We use the X-Samson tool developed at the University of East Anglia [8]. The initial solution s 0, is chosen randomly from the set of admissible allocations. The value P(s) for each proposed IMA architecture is calculated using the fitness function presented in Section 3. The initial temperature, t 0, is chosen automatically by the algorithm so that virtually all proposed moves are taken. The temperature is reduced by a factor α each iteration. Each proposed solution s represents a possible IMA architecture and is coded as an integer string of three sections; one representing the allocation of processes to processors, one representing the allocation of messages to communication media and one representing the priorities allocated to processes and messages. Thus the length of the integer string is dependent on the number of defined processes and messages between these processes. Problem: minimise P(s) such that s S Select an initial Solution s 0 ; Select an initial temperature t 0 > 0; Select a temperature reduction function α Repeat Repeat Randomly select s N(s 0 ); δ=p(s)-p(s 0 ); if (δ>s 0 ) then s 0= s; else generate random x uniformly in the range (0,1); if (x < exp(- δt)) then s 0 =s; Until iteration_count = nrep; Set t = α(t); Until stopping condition = true; S 0 is the approximation to the optimal solution. SA Minimisation Algorithm 6

7 Once a baseline architecture has been produced by running this search algorithm for the scenario where all hardware items are working 2 we can investigate reconfiguration under failure. We do this by making a single hardware component unavailable. We then rerun the search algorithm to find the best equivalent architecture that does not employ the failed component. To facilitate this we restrict the set of admissible allocations so that no software component can use this piece of hardware and we employ a minimum change metric in the form of a measure of the time it takes for a reconfiguration to complete. We then repeat this procedure for each single hardware point of failure. If we find that there is no reconfiguration available for some single points of failure then a more extensive redesign may be required. However, it is also possible that we failed to employ an appropriate baseline architecture. We may wish to revisit this architecture in the light of this new evidence. It is hoped that eventually we may be able to co-evolve the baseline and configurations under failure. The results of this analysis should be a baseline architecture and a set of reconfiguration tables that can be further analysed and presented to certification authorities as a single package. 5. Integrity of the Heuristic and Future Aims The Simulated Annealing search algorithm is non-deterministic and as such cannot be guaranteed to find an optimal solution. However, it can be set up to be innately pessimistic; that is if it indicates there is a solution there is one. The trade-off for this is that it may fail to find a solution that exists. There is a safety-performance trade-off for the algorithm. However, it is possible to undertake extra analysis on the equivalent architectures and their accompanying reconfiguration tables after the algorithm has run to show their validity. We extend this work in a number of ways. For instance, we can investigate multiple failure architectures. In this case we would need to extend our approach to consider degradation scenarios. That is, situations where we remove less vital functionality from the system. Three levels of importance would appear reasonable; essential, desirable and optional. Restrictions based on hazard analyses can also be placed on the set of admissible allocations. We are looking at a number of example systems. One, the Integrated Flight Propulsion and Control System (IFPCS [9]) is an industrial test-bed that will allow us to validate our approach on an industrial scale problem. 6. Conclusions The work outlined in this paper presents a new and novel approach to the problem of safety analysis and certification of dynamically reconfigurable IMA systems. By modelling and analysing the system off-line a static and deterministic table of legal reconfigurations in the presence of specific failures can be generated. Since these reconfigurations are known before runtime, each can be verified and certified. The usefulness of this technique depends on the detail of the system model used and the criteria employed within the value (fitness) function used to score the model under analysis. External verification can be employed on the results to provide evidence for their validity. If the model detail and the fitness function criteria are sufficient, then we believe that this technique will provide a partial solution to a very difficult problem in the safety analysis and certification of the next generation of avionics systems. Work continues to show that this is in fact the case. 2 Note in this run the minimum change metric is not employed. 7

8 References [1] SAE, ARP 4754: Certification Considerations for Highly-integrated or Complex Aircraft Systems, : SAE, [2] J. Bradley, M. Fletcher, P. Miller, P. Moxon, and A. Wake, Integrated Modular Avionics & Certification - An IMA Design Team's View, presented at IEE Seminar: Certification of Ground/Air Systems, Savoy Place, London, WC2R 0BL, [3] A. Burns, A Preemptive Priority-Based Scheduling: An Appropriate Engineering Approach, in Advances in Real-Time Systems: Prentice-Hall, 1995, pp [4] Chern, On the Computational Complexity of Reliability Redundancy Allocation in a Series System, Operations Research Letters, vol. 11, pp , [5] C. Ribeiro, P. Treleavan, and C. Alippi, Genetic Algorithm Programming Environments, Computer, vol. 27, pp , [6] S. Kirkpatrick, C. D. Gelatt, and M. P. Vecchi, Optimisation by Simulated Annealing, Science, vol. 220, pp , [7] K. Dowsland, Variants of Simulated Annealing for Practical Problem Solving, presented at Adaptive Computing & Information Processing, [8] J. Mann, SAmson v1.6 User Manual,. School of Information Systems, University of East Anglia, [9] A. M. Cox, IFPCS Infrastructure Concept Document, British Aerospace Defence Ltd, Military Aircraft