EP1283997A2 - Two layer operating system and method for avionics software applications - Google Patents

Two layer operating system and method for avionics software applications

Info

Publication number
EP1283997A2
Authority
EP
European Patent Office
Prior art keywords
application
executive
central processing
processing unit
input
Prior art date
Legal status
Withdrawn
Application number
EP00984115A
Other languages
German (de)
English (en)
French (fr)
Inventor
Mohamed Said Aboutabl
Younis Mohamed
Current Assignee
Honeywell International Inc
Original Assignee
Honeywell International Inc
Priority date
1999-12-10
Filing date
2000-12-08
Publication date
2003-02-19

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46 Multiprogramming arrangements
    • G06F9/54 Interprogram communication
    • G06F9/545 Interprogram communication where tasks reside in different layers, e.g. user- and kernel-space

Definitions

  • This invention relates to a circuit module and method for administering process or job execution over a digital data processing system, especially for an Integrated Modular Avionics circuit card programmed to provide a two-layer operating system.
  • IMA: Integrated Modular Avionics.
  • LRU: line replaceable unit.
  • A dedicated function, such as VHF communication or VOR navigation.
  • IMA uses a few multifunction LRUs to perform the various avionics functions typically performed by several dedicated LRUs.
  • Each IMA LRU contains several modules that perform processing, inputs, and outputs to other aircraft hardware.
  • The IMA approach uses a common chassis and power supply for the various modules within each IMA LRU.
  • The invention integrates multiple software applications to run on one central processing unit (CPU); technology has made available CPUs that are powerful enough to meet the combined computation demands of several avionics software applications.
  • The invention further provides a software architecture in which the operating system portion is split into two distinct layers, consisting of a system executive layer and multiple application executive layers.
  • This software architecture allows various real-time operating systems to run concurrently on the same CPU.
  • System-level functions such as software and configuration database loading, application health monitoring, problem logging, basic operating system support and high-level handling of input/output can be shared among the several applications running on an integrated modular avionics (IMA) module.
  • The two-layer architecture provides the ability to integrate software applications developed by various software vendors.
  • The invention also eliminates the need to re-test the whole set of software applications running on an IMA module when only a single software application is added, upgraded, or removed from the system.
  • The first layer of the two-layer architecture, the system executive, provides each software application with a protected partition, within which each distinct software application can execute together with an appropriate application executive.
  • The second layer, the application executive, is a modified version of a real-time operating system that provides each software application with a virtual machine and a set of interface library (IL) functions. These IL functions facilitate communication between the application executive and the system executive.
  • An embodiment of the invention includes one system executive and multiple application executives.
  • Each application executive and its associated software applications are spatially isolated from other application executives and their associated software applications by enforcing access restrictions on memory address space.
  • Each application executive and its associated software applications are temporally isolated from other application executives and their associated software applications by enforcing usage restrictions on the CPU and other system resources based on a pre-computed static execution timetable.
  • The system executive initializes, monitors, and terminates each software application module and maintains a real-time clock to strictly implement the execution timetable, from which each software application is assigned well-defined time slices.
  • The system executive also handles context switching and communication between the various application executives, manages all IMA module hardware input and output resources, and enforces strict isolation of protected memory regions.
  • The system executive prevents the propagation of faults and extraneous data across the various application executives and their associated software applications by assigning and enforcing protected memory partitions for each application executive.
  • Each application executive is a customized version of an available real-time operating system.
  • Each application executive provides services for its associated software application tasks, including communication, synchronization and dynamic memory management.
  • Each application executive also provides, for its associated software applications, access to system level resources, including IMA module hardware input and output (I/O) devices, via interface library functions.
  • An application executive implements its own strategy for scheduling tasks contained in an associated software application.
  • Customization of an available real-time operating system into an application executive comprises redirecting functions related to communication, memory management, and access to I/O devices through the interface library functions to the system executive. It is an aspect of the invention that no application executive may perform any boot sequence procedure such as probing for or initialization of hardware devices, initializing interrupt tables, or setting up registers of a memory management unit (MMU). These boot sequence procedures of the available real-time operating systems are replaced by a set of initialization data structures located within the protected memory partition of the application executive. As part of the system initialization procedure, the system executive initializes the initialization data structures of all application executives.
  • FIG. 1 illustrates a prior art line replaceable unit (LRU), commonly referred to as a 'black box', that is intended for aircraft installation.
  • The particular LRU shown is representative of an integrated modular avionics (IMA) cabinet.
  • FIG. 2 illustrates a module or circuit card assembly (CCA), in accordance with one illustrative embodiment of our invention, that is suitable for installation in an IMA cabinet.
  • Figure 3 illustrates the architecture of the software that runs on each IMA module according to our invention.
  • Figure 4 illustrates a flow chart of the system executive layer of our invention.
  • Figure 5 illustrates the interaction between the system executive layer and each application executive layer as described in the present invention.
  • Figure 6 illustrates a timeline showing the execution sequence of the system executive, the application executives, and the software applications associated with each of the several application executives.
  • The IMA chassis 101 contains a multiplicity of IMA modules 200, one or more connectors 103, and a motherboard 102 to interconnect the IMA modules 200 with each other and with the connectors 103.
  • The connectors 103 interface aircraft electrical signals with the circuitry contained on the IMA modules. In other embodiments, optical and radio frequency signals are communicated between the IMA modules and other aircraft equipment.
  • An IMA module 200 is provided with a memory management unit 202.
  • The memory management unit 202 splits system memory 204 into protected partitions and controls read and write access to the partitions according to context instructions sent from a system executive 301 (seen in Figure 3), which executes on a central processing unit 201.
  • A clock 203 generates periodic timer interrupts 505, as shown in Figure 5, to the central processing unit 201.
  • The clock 203 is a real-time clock running independently of the rest of the IMA module 200 hardware.
  • The system executive 301 is able to read the current time from the clock 203 without disrupting its operation.
  • The IMA module 200 of our invention also includes the input/output hardware device 205, input/output bus device 206 and connectors 211 to interface electrical signals with the IMA motherboard 102.
  • Figure 3 illustrates an architectural layout of a complement of software that is programmed to run on the central processing unit 201. As shown in Figure 3, it is an aspect of our invention that the software applications 321 do not directly communicate with the input/output hardware devices 205 or the input/output bus devices 206.
  • A software application 321 that had previously been linked with an associated real-time operating system during a previous build is, according to our invention, linked with an associated application executive 311 and an associated set of interface library functions 312.
  • The software applications 321 communicate with the input/output hardware devices 205 and the input/output bus devices 206 by calling interface library functions 312 associated with each application executive 311.
  • The interface library functions 312 access the input/output hardware device 205 by calling a hardware device driver 302 software application via the system executive 301. All functions of each hardware device 205 are controlled via device driver 302 software applications.
  • The interface library functions 312 access the input/output bus device 206 by calling a bus driver 303 software application via the system executive 301. All functions of each bus device 206 are controlled via device driver 303 software applications.
  • The system executive 301 consists of a set of instructions that are stored in the memory 204 and are executed on a central processing unit 201.
  • This system executive 301 is responsible for the operation of all devices mounted on IMA circuit card 200, which in turn is installed in the IMA chassis 101.
  • Each application executive 311 consists of a set of instructions that are stored in a memory 204 within an application partition 500 (shown in Figure 5) address space, where read/write access is controlled by the memory management unit 202, and the instructions are executed on the central processing unit 201.
  • The software applications 321, interface library 312, and timer interrupt service routines 501 (shown in Figure 5) associated with each application executive 311 also consist of instructions that are executed on central processing unit 201 and are stored in the same application partition 500 (shown in Figure 5) as the associated application executive 311.
  • Figure 4 shows a flow chart that illustrates the instruction steps of the system executive 301 as it executes on the central processing unit 201.
  • The system executive 301 comprises a set of start-up steps that are executed once, followed by a main loop 410 comprising steps that are executed in a pre-determined sequence that repeats indefinitely.
  • The system executive 301 further comprises a sequence of shut-down steps that are executed once after the main loop is terminated.
  • The start-up steps of the system executive 301 comprise the following sequence of software steps that are executed by the central processing unit 201.
  • The input/output hardware devices 205 and the input/output bus devices 206 are initialized at step 401.
  • The data memory 204 is partitioned into virtual application memory partitions 500 (shown in Figure 5) by causing the central processing unit 201 to issue a command sequence to the memory management unit 202 at step 402.
  • The indefinite main loop 410 of the system executive 301 comprises the following sequence of software steps that are executed by the central processor 201.
  • The system executive 301 reads (step 415) the application time slice 601 (shown in Figure 6) and the application executive 311 clock tick length 602 (shown in Figure 6), associated with the next scheduled application partition 500, from the static time table schedule (not shown).
  • The system executive 301 calculates (step 415) the number of full-length ticks, 'Nticks', and the length of the remaining partial tick, 'parTick', using the following equations.
  • The application full-length clock ticks, 'Nticks', and the remaining partial tick, 'parTick', are used to update the application partition 500 (shown in Figure 5) local time structure (not shown).
  • The central processing unit 201 is instructed to busy-wait for the starting time of the next application executive 311 at step 411.
  • The starting time of each application executive 311 is stored in a predefined scheduling timetable (not shown) that resides in memory 204.
  • The memory management unit 202 is instructed to use the associated virtual memory partition 500 (shown in Figure 5) to resolve memory address references, and control of the central processing unit 201 is passed to the application executive 311.
  • The application executive 311 provides instructions to the central processing unit 201 except when periodic timer interrupts cause the associated timer service routines 501 to be run, as shown in Figure 5.
  • These timer interrupt service routines 501 comprise instructions that are run at the same privilege level as the system executive 301.
  • The application executive 311 is a modified version of the real-time operating system for which the associated application software 321 was originally developed. According to our invention, it is essential that the system executive 301 be the first to respond to any exception raised by software applications 321; therefore an interrupt service routine 501 (shown in Figure 5) is provided to intercept 'exception interrupts' that are raised by the central processing unit 201. Re-mapping exception handling functions from existing real-time operating systems requires functionality in both the system executive 301 and the application executive 311.
  • Both the software application 321 and the application executive 311 run low 'user' privilege level instructions on the central processing unit 201, as contrasted with the system executive 301 and the application interrupt service routine 501 (shown in Figure 5), which both run high 'operating-system' privilege level instructions on the central processing unit 201.
  • The interface library 312 comprises a set of functions that are created to replace some of the services provided by a specific real-time operating system; advantageously, a minimum number of real-time operating system services are replaced. Further, the device driver 302 may directly incorporate low-level code of a prior art real-time operating system.
  • Each application executive 311 maintains its own data structures to keep track of the progress of real time.
  • The time duration between periodic timer interrupts 505 is 10 milliseconds.
  • Figure 5 illustrates the details of the transfer of control between the system executive 301, an application executive 311, and a software application 321.
  • The system executive passes control of the central processing unit 201 at step 412 using a timer interrupt service routine 501.
  • The timer interrupt service routine 501 associated with the application executive 311 executes instructions on the central processing unit 201 at the same privilege level as the system executive 301.
  • The timer interrupt service routine 501 comprises instructions that are stored in the data memory 204 within the application partition 500 address space.
  • The application executive 311 always acts as the entry point of every application partition 500.
  • The application memory partition 500 cooperates with the timer interrupt service routine 501, associated with the system executive 301, that services initial entry into the application partition 500 and the periodic timer interrupts 505 that occur during the application partition's time slice 601 (as shown in Figure 6).
  • The application executive 311 schedules the software application 321 tasks within the time slice 601.
  • The timer interrupt service routine 501 stores the current time and current state of the partition and returns control of the central processing unit 201 to the system executive 301.
  • The timer interrupt service routine 501 adjusts the partition local time data structure and passes control to the application executive 311.
  • The application executive 321 will determine which task from the associated software applications is due and will dispatch that task. According to our invention, it is essential that control of the central processing unit 201 is not given directly to a software application 321 task, but is rather first handed to the associated application executive 311, even if the task was interrupted before completion.
  • The memory space allocated for each application partition 500 includes a predetermined amount of 'heap' memory for use as a dynamic memory pool.
  • Each application executive 311 manages the dynamic memory 'heap' within the application's own partition 500.
  • The central processing unit 201 executes all instructions that are included in the system executive 301, the application executives 311, and the software applications 321.
  • Timer interrupts 505 are periodically applied to the central processing unit 201 from the clock 203. These timer interrupts 505 are used to initiate the execution of the system executive 301 and the application executives 311 as defined in a static schedule (not shown).
  • This timeline provides temporal isolation between the software applications 321 associated with different application executives 311.
  • Each application partition 500 is allocated an application time slice 601 and a clock tick length 602 in a predefined static timetable (not shown).
  • This temporal isolation prevents the software applications from interfering with one another.
  • Our invention accordingly comprises a two-layer operating system for use with multiple avionics software applications 321 that run various aircraft subsystems.
  • The processing throughput and hardware interfaces for these multiple applications are contained on a single IMA card 200, which is installed with other similar cards in an aircraft mounted cabinet 101.
  • Our invention takes advantage of the higher speed processors that are currently available, while still allowing reuse of previously developed avionics software applications.
  • The multiple software applications are temporally (time) and spatially (memory) isolated from each other.
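The static timetable and the step-415 tick computation described above, as an added example in C that is not part of the patent: it checks a constructed three-partition timetable for non-overlapping slices that fit a 60 ms major frame (the property the system executive relies on for temporal isolation) and splits each slice 601 into full ticks and a remaining partial tick of length 602. The page does not reproduce the Nticks/parTick equations, so the integer division and remainder used here, the table field names and the sample values are all assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed timetable entry for one application partition 500 (times in ms).
   Field names are assumptions; the patent does not name the table fields. */
typedef struct {
    const char *name;
    uint32_t start_ms;  /* partition start within the major frame (step 411 waits for it) */
    uint32_t slice_ms;  /* application time slice 601 */
    uint32_t tick_ms;   /* application executive clock tick length 602 */
} PartitionEntry;

typedef struct {
    uint32_t nticks;    /* number of full-length application ticks in the slice */
    uint32_t partick;   /* length of the remaining partial tick (0 when none) */
} TickSplit;

/* Step 415. The page names Nticks and parTick but omits the equations; the
   integer division / remainder below is an assumed reconstruction. */
TickSplit split_slice(uint32_t slice_ms, uint32_t tick_ms)
{
    TickSplit r = {0u, 0u};
    if (tick_ms == 0u) {          /* invalid tick length: report no ticks at all */
        return r;
    }
    r.nticks = slice_ms / tick_ms;
    r.partick = slice_ms % tick_ms;
    return r;
}

/* Off-line check that a static timetable can actually enforce temporal isolation:
   slices must not overlap, must fit the major frame, and each tick length must be
   nonzero and no longer than its slice. Returns 0 when the table is acceptable,
   otherwise the 1-based index of the first offending entry. */
int validate_timetable(const PartitionEntry *tt, size_t n, uint32_t frame_ms)
{
    uint32_t busy_until = 0u;     /* end of the previous partition's slice */
    for (size_t i = 0; i < n; i++) {
        const PartitionEntry *e = &tt[i];
        if (e->tick_ms == 0u || e->tick_ms > e->slice_ms) return (int)(i + 1);
        if (e->start_ms < busy_until) return (int)(i + 1);             /* overlaps previous slice */
        if (e->start_ms + e->slice_ms > frame_ms) return (int)(i + 1); /* spills past the frame */
        busy_until = e->start_ms + e->slice_ms;
    }
    return 0;
}

/* Constructed sample major frame of 60 ms with three partitions. */
static const PartitionEntry sample_table[] = {
    { "FMS",       0u, 25u, 10u },  /* 2 full ticks + 5 ms partial tick */
    { "VHF_COMM", 25u, 20u, 10u },  /* 2 full ticks, no partial tick */
    { "VOR_NAV",  45u, 15u,  5u },  /* 3 full ticks, no partial tick */
};
#define SAMPLE_FRAME_MS 60u
#define SAMPLE_COUNT (sizeof sample_table / sizeof sample_table[0])

/* Same frame with the second partition started 5 ms early, so it overlaps the
   first; validate_timetable() must reject it at entry 2. */
static const PartitionEntry overlapping_table[] = {
    { "FMS",       0u, 25u, 10u },
    { "VHF_COMM", 20u, 20u, 10u },
    { "VOR_NAV",  45u, 15u,  5u },
};

int main(void)
{
    int bad = validate_timetable(sample_table, SAMPLE_COUNT, SAMPLE_FRAME_MS);
    printf("sample table: %s\n", bad == 0 ? "valid" : "invalid");
    for (size_t i = 0; i < SAMPLE_COUNT; i++) {
        const PartitionEntry *e = &sample_table[i];
        TickSplit s = split_slice(e->slice_ms, e->tick_ms);
        printf("  %-9s start=%2u slice=%2u tick=%2u -> Nticks=%u parTick=%u\n",
               e->name, (unsigned)e->start_ms, (unsigned)e->slice_ms,
               (unsigned)e->tick_ms, (unsigned)s.nticks, (unsigned)s.partick);
    }
    bad = validate_timetable(overlapping_table, SAMPLE_COUNT, SAMPLE_FRAME_MS);
    printf("overlapping table: rejected at entry %d\n", bad);
    return 0;
}
```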

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Design And Manufacture Of Integrated Circuits (AREA)
  • Feedback Control In General (AREA)
  • Stored Programmes (AREA)
  • Train Traffic Observation, Control, And Security (AREA)
  • Executing Machine-Instructions (AREA)
  • Multi Processors (AREA)

Applications Claiming Priority (5)

Application Number Priority Date Filing Date Title
US17020099P 1999-12-10 1999-12-10
US170200P 1999-12-10
US64898500A 2000-08-28 2000-08-28
US648985 2000-08-28
PCT/US2000/033419 WO2001042932A2 (en) 1999-12-10 2000-12-08 Two layer operating system and method for avionics software applications

Publications (1)

Publication Number Publication Date
EP1283997A2 true EP1283997A2 (en) 2003-02-19

Family

ID=26865834

Family Applications (1)

Application Number Title Priority Date Filing Date
EP00984115A Withdrawn EP1283997A2 (en) 1999-12-10 2000-12-08 Two layer operating system and method for avionics software applications

Country Status (6)

Country Link
EP (1) EP1283997A2 (ja)
JP (1) JP2004500634A (ja)
CN (1) CN1434940A (ja)
AU (1) AU2079301A (ja)
CA (1) CA2393828A1 (ja)
WO (1) WO2001042932A2 (ja)


Also Published As

Publication number Publication date
CA2393828A1 (en) 2001-06-14
AU2079301A (en) 2001-06-18
CN1434940A (zh) 2003-08-06
WO2001042932A3 (en) 2002-12-05
WO2001042932A2 (en) 2001-06-14
JP2004500634A (ja) 2004-01-08


Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20020610

AK Designated contracting states

Designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LI LU MC NL PT SE TR

AX Request for extension of the european patent

Extension state: AL LT LV MK RO SI

17Q First examination report despatched

Effective date: 20030509

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 20031216