Towards fault-tolerance of IMA with safe dynamic reconfiguration

Abstract

Integrated Modular Avionics (IMA) is essential to modern avionics. It increases the possibilities for reuse of software and hardware resources by system integrators, through the use of standardized communication interfaces and operating system services. Meanwhile, the safety requirements of DO-297 dictate that the system architecture must prevent common cause failures and that a single failure cannot disable any critical function. As a result, critical functions have to be allocated redundantly to additional resources at integration-time. In the spirit of IMA, it may be desirable to pool together these resources so that they can be allocated to any critical function at run-time. For this, a way to redefine the communication between individual allocations of functions is necessary. In this paper, we demonstrate and evaluate a prototypical implementation of a message router that allows us to dynamically reconfigure the communication between the allocated functions, using only standardized communication interfaces and operating system services of ARINC 653. We discuss the safety implications of such an approach and how it may be possible to mitigate them, evaluate the feasibility of our approach using a combination of end-to-end delay measurements and on-target tracing, and verify our assumptions about the individual factors contributing to the end-to-end delay using a discrete event simulation. We find that the approach is feasible, but the usefulness for critical functions is limited by the communications overhead from routing the messages, insufficient real-time guarantees of standardized operating system services, and missing global time synchronization.