FR3045879A1 - AVIONIC EXECUTION PLATFORM AND DEVELOPMENT PLATFORM FOR INDEPENDENT CERTIFICATION OF SOFTWARE COMPONENTS - Google Patents

Abstract

This software (50) hosted on a target execution platform (4) comprises: at least one processing block (51), providing a specific functionality, the or each processing block constituting a component of the application software that can be certified in a manner independent of other components; an application core (56) orchestrating the call of or of each processing block (51) and / or operating system services (48) of the target execution platform (4); a software container (58), which, on request from the application kernel, executes a binary code (85) present in memory (42) and associated with the processing block (51), the execution of the binary code being performed in a partitioned manner, the executed source code being unable to exchange data with another binary code of another processing block of the application software or an operating system service without going through the application kernel, the application software once certified can be set to day by modifying the binary code corresponding to a processing block when said source code has been certified.

Description

PLANE OF EXECUTION AVIONIC AND DEVELOPMENT PLATFORM FOR THE INDEPENDENT CERTIFICATION OF SOFTWARE COMPONENTS The field of the invention is that of avionics software, that is to say software applications capable of being executed on a target execution platform of the type avionics.

The modification of a part of avionics software requires a new certification of all this software.

It must indeed ensure that the modified part does not interfere with or disrupt the smooth operation of the rest of the software that has not been modified.

However, the certification of avionics software is a long and expensive procedure. It is sometimes even necessary to perform flight tests to verify the correct operation of the software.

As a result, the addition of a functionality in an existing avionics software can only be done when a new certified version of the software is made available.

In addition, avionics software is complex software, which is developed by several teams working in parallel on the basis of specifications. It may be that a secondary feature is not available when it is necessary to certify a version of the software in order to equip aircraft ready for delivery. We must wait for the next version of the software that will be certified to offer this secondary feature.

Finally, the version of a software executed on board an aircraft may depend on a choice of the client. The latter may wish, during the operation of the aircraft, update the embedded software by purchasing new features or by changing an existing feature. It is therefore a question of certifying all the versions under which the software is likely to be sold.

There is therefore, in general, a need to facilitate certification of avionics software. The invention therefore aims to meet this need. The subject of the invention is an application software hosted on a target execution platform of the avionic type, characterized in that it comprises the following components: at least one processing block, providing a specific functionality to the application software, the each processing block constituting a component of the application software that can be certified independently of the other components of the software; an application core orchestrating the call of or of each processing block and / or operating system services of the target execution platform; a software container, which, at the request of the application kernel, executes a binary code present in the memory of the target execution platform and associated with the processing block, the execution of the binary code being carried out in a spatially and temporally partitioned manner, the executed source code unable to exchange data with another binary code of another application software processing block or an operating system service without going through the application kernel, the once-certified application software being updatable by modifying the binary code corresponding to a processing block once said source code has been certified.

According to other advantageous aspects of the invention, the software comprises one or more of the following characteristics, taken separately or in any technically possible combination: the application core is developed on the basis of specifications describing the most complete version of the each block of treatment that it is planned to develop. the binary code associated with a processing block is executed using an execution set defined from the most complete version envisaged for said processing block. the set of maximum parameters comprises: A general temporal parameter corresponding to the WCET; A list of global variables relating to the input data and the output data of said processing block; A list of local variables of said processing block; A byte size of the binary code of said processing block; An octet size of the global variables; A byte size of the local variables. a default value is assigned to a global variable of the set of maximum execution parameters that the binary code associated with the processing block considered and present in the memory of the target execution platform at the time of execution of the software application is not able to process. the application core is a state machine, each state of said automaton corresponds to a software procedure that initiates and controls an execution of an ordered sequence of calls to processing blocks of the application software and / or services of the application system. operation of the target execution platform, and each transition of a state of said automaton to another state of said automaton depending on values returned at the end of their execution, by the processing blocks of the application software and the services of the system called exploitation. the application core calculates a context status of the aircraft from different external data, the transition from an initial state to a final state of said automaton also dependent on the current context status of the calculated aircraft. The invention also relates to a target execution platform of the avionics type, comprising a hardware layer and a software layer, the hardware layer comprising a memory and a processor, the software layer comprising an avionics operating system and an application software. characterized in that said application software is in accordance with the preceding software. The invention also relates to a development platform, comprising a hardware layer and a software layer, the hardware layer comprising a memory and a processor, the software layer comprising an operating system and a compilation software, characterized in that the memory comprises a source code of a processing block of an application software according to the preceding software, and the compilation software is able to generate a binary code from the source code, the binary code being able to be loaded into the memory of a target execution platform of the avionics type on which said application software is executed.

Preferably, the memory of the development platform comprises a set of maximum execution parameters for a processing block of said application software. The invention will be better understood on reading the following description of a particular embodiment, given solely by way of illustrative and nonlimiting example, the description being made with reference to the appended drawings, in which: Figure 1 is a schematic representation of the electronic system implemented according to the invention; FIG. 2 is a schematic representation of a source file of a processing block of the software according to the invention; FIG. 3 is a schematic representation of an intermediate file of a processing block of the software according to the invention; and, - Figure 4 is a schematic representation of the method of use of the system of Figure 1.

GENERAL PRESENTATION

In general, the functionalities of an application software are distributed between a plurality of independent processing blocks and a common application kernel.

It is then possible to add to the different processing blocks constituting an existing application software, hosted on a target execution platform, one or more additional processing blocks (s), corresponding to a new functionality or a richer functionality, which it is desired to provide. the application software.

The application software has a specific structure ensuring that additional processing blocks that have been separately certified, following the modification of the application software by adding the additional processing blocks, do not need to be certified again. the unmodified processing blocks, that is blocks that were already present in the application software.

There is therefore only to independently certify each processing block and the application core.

This can drastically reduce the time and cost of certification and, therefore, facilitate the introduction of new features throughout the life and use of application software.

Indeed, during the certification of the modified application software, the certification credits of unmodified processing blocks can be reused as is.

For example, the invention could be used for piloting application software, which has already acquired the demonstration of conformity to the main performance requirements specified by the RTCA DO-325 standard for stability or trajectory control. of an aircraft. If it is desired that this software acquires compliance with the additional performance requirements specified by the RTCA DO-309 standard for indication and impact alerts with the terrain of an aircraft, it is sufficient to add a or more additional processing blocks developed to achieve this functionality. Since these processing blocks have been certified as such, there is no need to certify all of the updated application software.

More specifically, with reference to FIG. 1, the application software 50 according to the invention comprises an application core 56, a software container 58 and a plurality of processing blocks 51 to 53.

Treatment block

Each processing block allows, during its execution, to realize a defined functionality.

The processing blocks that can be integrated into the application software are predefined according to specifications. Thus, the application software comprises N processing blocks. In FIG. 1, N is equal to three and the processing blocks are referenced 51, 52 and 53.

A processing block is a component of the application software that can be certified independently of the other components of the software, i.e. other processing blocks, application kernel or software container.

On the target execution platform, a processing block is in the form of a binary code stored in the memory of this platform and capable of being executed by the processor of this platform.

To obtain this binary code, a source code of the processing block is compiled, by means of a compilation software run on a development platform, separate from the target execution platform.

The compilation software used is specific, including the target execution platform on which the resulting binary code will be executed.

The binary code of a processing block is then downloaded, by suitable means, from the development platform to the target execution platform.

On the target execution platform, the downloaded binary code is stored in a configuration file present in the memory of this platform.

The configuration file therefore comprises all the binary codes of the active processing blocks. The versions of each of these active processing blocks, the version of the software container, and the version of the application kernel, define the version of the application software hosted on the target execution platform.

During the execution of the application software, the binary code of a called processing block is executed.

More precisely, the binary code is executed inside the software container.

The software container provides a spatial and temporal partitioning of the execution of the binary code considered. This software partitioning takes place inside the partition allocated by the operating system to the application software, a partition that ensures a spatial and temporal partitioning of the different software running on the target execution platform.

In order to ensure this partitioning, a processing block executed can not exchange data with another processing block of the application software or an operating system service, without going through the communication mechanisms of the application core.

The manner in which a binary code is executed within the software container of the application software will be described in detail hereinafter.

A processing block has no direct call to an operating system service of the target execution platform. The application core is the only interface between any processing block and the operating system.

A processing block, when executed, performs processing on input data, so as to output output data.

Novau application

The application core 56 in FIG. 1 constitutes the main software component of the application software according to the invention.

In general, the application kernel orchestrates calls to the different processing blocks and / or services of the operating system of the target platform.

More precisely, the application kernel notably ensures the initialization and the stopping of the application software, the operating system starting the application software.

During the initialization of the application software, the application kernel accesses a configuration file indicating the list of active processing blocks constituting the version of the application software hosted on the target execution platform.

In conjunction with the software container, the application kernel loads the binary code corresponding to each processing block from the configuration file to the volatile memory of the target execution platform, for execution of these binary codes by the processor of this platform.

During this initialization, the software container verifies that the volatile memory used to store the binary codes does not exceed the memory size provided for this purpose and indicated in a parameter file of the application software.

The application core may advantageously be implemented in the form of a state machine. Each state of this controller corresponds to a software procedure that initiates and controls the execution of an ordered sequence of calls to processing blocks and services of the operating system.

The transition from one state of the controller to another state of the controller depends on the values returned by the processing blocks and the operating system services of the call suite being executed.

Advantageously, the application kernel calculates a context status of the aircraft from different data external to the partition in which the application software is executed. The transition from a state of the automaton to another state of the automaton also depends on the current context status of the aircraft thus calculated.

When executing an ordered sequence of calls, the application kernel determines the next processing block to call.

In concert with the software container, the application kernel prepares the input data to be transmitted to this processing block and starts the execution of this processing block on these input data. At the end of the execution of this processing block, the application kernel retrieves the output data.

Similarly, the application kernel calls the services of the operating system, including services for data exchange with other partitions of the target execution platform or with an input / output interface of the platform. target execution, the interface by which the platform is connected to other aircraft systems, in particular sensors and control / command systems.

As noted above, the application core provides all of the input data to a process block when it is called to execute and retrieves the output data resulting from the execution of this process block.

The application kernel allows software update by adding, modifying or removing this processing block, without requiring recertification of the application kernel. This requires anticipating all the possible evolutions of this processing block.

On the other hand, it should be noted that if a processing block evolves in a way that was not planned in advance, it will be necessary to adapt the functional core and certify it again. However, the other unchanged processing blocks will not have to be certified again.

The application core is developed on the basis of the specifications describing the application software and the set of processing blocks that it is intended, ultimately, to develop. In addition, for each processing block, the application core is developed to accommodate the most complete version that is planned to develop for this block of treatment.

This most complete version of a processing block is used to define a set of maximum execution parameters: - A general temporal parameter corresponding to WCET, for "Worst-Case Execution Time" in English, provided for the binary code of the most complete version; - A list of global variables related to the input and output data of the most complete version; - A maximum byte size of the binary code of this most complete version; - Byte size of the global variables of the most complete version; - A maximum byte size of the local variables of the most complete version.

Thus, if the version of a processing block implanted in the application software has certain limitations with respect to the version of this most complete processing block envisaged, the application core still transmits all the input data that it processing block is likely to take into account in its future evolutions, that is to say all the input data of the most complete version of this processing block.

Similarly, if the version of a processing block is not currently able to determine all the output data that this processing block is likely to calculate in its future evolutions, it nevertheless returns all the output data from the most complete version of this processing block.

The input or output data that can not be used or calculated by the version of the processing block implemented by the application software takes a default value, predetermined.

In the worst case, if the application software has a functional limitation, that is to say if a particular processing block is not implemented in the version of the software hosted on the target execution platform, this processing block is replaced by an inactive "plug" block. For such a "plug" block, all input and output data take default values.

The request for initialization of a processing block includes the maximum parameters ensuring that the hardware resources necessary for the execution of this processing block are assigned in coherence with the most complete version of this processing block, in particular the worst case WCET estimated execution for the binary code of the most complete version. In this way, all versions of this process block, from the "plug" block to the most complete version, via the intermediate versions, can be executed without disrupting the execution of the other processing blocks.

In this way, once the application software is certified, any new certified version of a processing block can be downloaded to the target execution platform to update this application software, without having to re-certify the entire application package. updated application software.

DETAILED PRESENTATION

Device

As shown in FIG. 1, the electronic system 1 comprises an offboard development platform 2. Platform 2 is, for example, a computer.

The electronic system 1 comprises a target execution platform 4, embedded in an aircraft, preferably of the "Integrated Modular Avionics" type.

Platform 4 and platform 2 are connected by a data link 6. The link 6 is preferably a secure wired link, for example compliant with the ARINC 664 P7 standard. In a variant, the link 6 is a non-wired link, for example a radio link in accordance with the IEEE 802.11 standard.

The platform 2 comprises a hardware layer 26 and a software layer 27.

The material layer 26 comprises calculation means, such as a processor 20, and storage means, such as a memory 22. It furthermore comprises an input / output interface, such as a transmission card 24. link data 6.

Platform 4 comprises a hardware layer 46 and a software layer 47.

The hardware layer 46 comprises calculation means, such as a processor 40, and storage means, such as a memory 42.

The memory 42 comprises a volatile storage space 42A, for example of the RAM type, and a nonvolatile storage space 42B, for example a flash memory.

The hardware layer 46 further comprises an input / output interface, such as a card 44 for transmitting data on the link 6.

The components of the hardware layer 46 do not evolve during the use of the platform 4 and updates of the application software according to the invention.

The software layer 47 comprises a low level software layer and an application software layer.

The low-level software layer includes an operating system 48 for virtualizing the hardware layer 46. It forms an interface between the application software layer and the hardware layer 46. This operating system 48 is an avionics operating system real time.

The application software layer comprises a plurality of software packages, in particular a download software 30 and an application software 50 according to the invention.

Advantageously, the operating system 48 of the platform 4 provides spatial and temporal partitioning of the application software layer. A partition is the domain on which software can be run. It is both a space domain, in terms of software addressable areas of the memory 42, and a time domain, in terms of time slots during which software is executed by the processor 40 Preferably, spatial and temporal partitioning is in accordance with the ARINC 653 standard.

In particular, the downloading software 30 is executed on a first dedicated partition 31, and the application software 50 is executed on a second partition 32, distinct from the first.

The downloading software 30 comprises a plurality of instructions stored in the memory 42 and able to be executed by the processor 40.

The download software 30, when executed, is adapted to download, from the development platform 2, data, including one or more intermediate files associated with processing blocks of the application software 50.

The application software 50 comprises an application core 56 and a software container 58, as well as a plurality of processing blocks. In Figure 1, three processing blocks 51, 52 and 53 are shown. The application core 56, the software container 58 and the processing blocks 51, 52 and 53 are associated with the same partition 32.

Returning to the description of the execution platform 2, the software layer 27 comprises a low level software layer and an application software layer.

The low level software layer includes an operating system 28 for virtualizing the hardware layer 26. It forms an interface between the application software layer and the hardware layer 26. This operating system is a general operating system .

The application software layer comprises a compilation software 14. The software 14 is clean, when it is executed, to precompile and then to compile a source code so as to generate an executable binary code on the platform 4. The software 14 thus makes it possible to obtain the binary code 85 of the processing block 51 from the source code 61; the binary code 86 of the processing block 52 from the source code 62; and the binary code 87 of the processing block 53 from the source code 63.

The application software layer includes code generation software 10 for generating an intermediate file from the source code of a processing block. For this purpose, the software 10 uses the compilation software 14 to generate from the source code a binary code, which it then integrates into the intermediate file. The software 10 thus makes it possible to generate an intermediate file 81 for the application block 51 from the source code 61; generating an intermediate file 82 for the application block 52 from the source code 62; and generating an intermediate file 83 for the application block 53 from the source code 63.

The application software layer of the platform 2 comprises a software download 16 allowing, in cooperation with the download software 30 executed on the platform 4 to transfer an intermediate file from the memory 22 of the platform 2 to the memory 42 of the platform 4.

Thus, the memory 22 stores, for each processing block 51, 52, 53 an intermediate file 81, 82, 83 ready to be downloaded on the platform 4 during an update of the application software 50.

More specifically, as shown in FIG. 2, for, for example, the first processing block 51, the source code 61 comprises a list of global variables 72, a list of local variables 73 and a sequence of instructions 74.

The global variables 72 are visible variables accessible to the application kernel 56. They include the input and output variables of the processing block 51.

Local variables 73 are however visible only within the source code considered. These are intermediate variables used when executing the corresponding binary code.

The instruction suite 74 describes the functionality performed by the processing block 52 in a programming language.

As shown in FIG. 3, for the case, for example, of the first processing block 51, the intermediate file 81 comprises a header 71 and the binary code 85 resulting from the compilation by the software 14 of the source code 61.

During compilation, the instructions 74 are transformed into instructions 94. The instruction sequence 94 is followed by an end instruction 95, added during the precompilation, able to return a return value, which indicates whether the execution binary code has been correctly executed or if this execution has been interrupted following the detection of an error. Header 71 includes a general time parameter 76 relating to the execution on platform 4 of the associated processing block 51. The general time parameter 76 indicates the maximum execution time of the binary code 85. This time parameter is calculated according to methods known to those skilled in the art. The header 71 further comprises the size in bytes 78 of the global variables 72 and the size in bytes 79 of the local variables 73.

On the platform 4, an intermediate file, 81, 82 and 83, is stored in a configuration file 45 of the application software 50, stored in the non-volatile storage space 42B.

During the execution of the application software 50, the application core 56 is able to access, via the operating system 48, the hardware layer 46.

The application core 56 is also able to read and extract, in the nonvolatile storage space 42B, the address of the intermediate file of the processing block to be executed, for example the intermediate file 81 of the first processing block 51.

The application kernel 56 is adapted to implement the global variables to provide a knowledge base to the processing block when it is executed by the software container 58, and to access the output variables resulting from the execution of this block treatment.

The application kernel 56 is able to develop a request to initialize a processing block.

The application core 56 is further able to develop a request for execution of a processing block.

The application kernel 56 is able to transmit each initialization or execution request to the software container 58.

Each initialization request includes the data indicative of the maximum memory space Emax allocated to the processing block to be executed, the maximum execution time Tmax allocated to the software container 58 to execute this processing block, and the intermediate file address. corresponding to this processing block.

The data indicative of the maximum memory space Emax and the maximum execution time Tmax are those corresponding to the most complete version of the processing block to be executed.

The data indicative of the maximum memory space Emax allocated to a processing block include, in the volatile storage space 42A, the memory area of the global variables 72, the memory area of the local variables 73, and the memory area where it is to be stored. loaded a copy of the binary code 85 corresponding to the processing block to be executed.

The software container 58 is capable of interpreting an initialization or execution request received from the application core 56.

The software container 58 is able to access the hardware layer 46 via the operating system 48. It is able to read the intermediate file of the processing block to be executed, for example the intermediate file 81 of the block 51.

It is suitable to compare the general time parameter 76 of the binary code 85 to execute, contained in the intermediate file 81, with the maximum execution time Tmax allocated to the software container 58 to execute the processing block, in this case the block 51.

It is also able to compare the information indicative of the size in bytes of the binary code 85, the size in bytes 78 of the global variables 72 and the size in bytes 79 of the local variables 73 with the data indicative of the maximum memory space Emax allocated to the called processing block 51.

The software container 58 is also capable of transmitting to the application core 56 an identifier referring to the initialized processing block.

The software container 58 is also able to read the binary code stored in the nonvolatile storage space 42B and to copy it into the volatile storage space 42A for execution. For example, it copies the binary code 85 of the nonvolatile storage space 42B to the volatile storage space 42A.

The software container 58 is also able to launch the execution of this copy of the binary code stored in the volatile storage space 42A for the implementation of the associated functionality. Those skilled in the art having normal skills in programming applications for avionics modular operating platforms know how to program applications to use and perform the functions mentioned above. Therefore, the specific programming codes of these applications are not described in more detail.

Operation

Referring to FIG. 4, if the user wishes to modify the functionality described by a processing block, for example the first processing block 51, he develops the source code 61 accordingly, and loads this modified source code 61 on the development platform 2.

To obtain the intermediate file 81 (step 100), during a step 100A of pre-compilation of the source code 61, the processor 20 executes the compilation software 14.

During this step 100A, the source code 61 is analyzed to check that it contains no reference to pointers, that it does not contain any recursive call of functions, that it does not contain any jump instruction at a given address (instructions of type "jump" or "goto"), that it does not refer to any function external to the source code 61, and that the size of the stack of the calls of functions never exceeds a value provided in parameter with the software 14 These types of checks are known to those skilled in the art. All of these checks make it possible to ensure that the source code constitutes a processing block within the meaning of the invention, that is to say a portion of the application software 50 that is autonomous in terms of certification.

During this same step 100A, the compilation software 14 calculates the size in bytes 78 of the global variables 72, and the size in bytes 79 of the local variables 73. These memory size data are stored in the memory 22.

During this same step 100A, the compilation software 14 adds an end instruction following the instructions 74 of the source code 62.

It also adds to instructions 74 non-oversize test instructions of the tables implemented in the program, and non-division by zero test instructions, such instructions being conventionally known.

These instructions added by the software 14, as well as the limitations of the sequence of instructions described above, ensure that the instructions will not access a memory area located outside the memory area allocated to the global and local variables of the block of data. treatment 51.

During step 100B of compiling the precompiled source code, the processor 20 executes the compilation software 14. This generates the binary code 85 from the precompiled source code obtained at the output of step 100A. More particularly, the software 14 translates the sequence of instructions of the precompiled source code into a sequence of executable instructions 94, 95. At the end of step 100B, the memory 22 stores the binary code 85 thus obtained.

During a step 100C generation of the intermediate file 81, the software 10 is executed by the processor 20 so as to group, in a single file, the header 71, and the binary code 85. At the end of step 100C, the intermediate code 81 is stored in the memory 22.

Then, during a step 100D, the source code 61 is then the subject of a new certification, for example according to an industrial standard of the aeronautical field of DO-178 type.

Then a transmission step 102 is implemented, during which the intermediate file 81 is transmitted from the development platform 2 to the target execution platform 4, via the link 6. To do this, the software 16 is implemented on the platform 2 and the software 30 is implemented on the platform 4 to download the intermediate file of the processing block that is to be updated, for example the file 81 of the block 51.

The downloading software 30 receives the intermediate file 81 and stores it in the nonvolatile storage space 42B of the memory 42 of the platform 4.

Then, when the software application 50 is executed on the platform 4, an initialization step 104 is performed, during which the application kernel 56 requests the software container 58 to initialize each of the processing blocks contained in the file. configuration 45. For the processing block 51, the application kernel 56 extracts the address of the intermediate file 81 stored in the non-volatile storage space 42B.

During this same step 104, the application kernel 56 prepares a request to initialize the processing block 51. This request includes the memory address of the intermediate file 81, the data indicative of the maximum memory space Emax allocated to the block of data. processing 51, and the maximum execution period Tmax allocated to the software container 58 for the execution of the processing block 51. At the end of step 104, the application core 56 transmits the request to the software container 58.

During a step 106 of processing an initialization request, the software container 58 requires an access to the memory 42 from the processor 40. The software container 58 accesses the intermediate file 81, and extracts the data from it. header 71, in particular the general time parameter 76 and the information indicative of the size in bytes of the binary code 85, the information indicative of the size in bytes 78 of the global variables 72, and the information indicative of the size in bytes 79 of the local variables 73.

During this same step 106, the software container 58 interprets the initialization request according to a predetermined protocol.

This protocol comprises a first comparison, between the general time parameter 76 and the maximum execution time Tmax allocated to the software container 58 for the execution of the processing block 51. If the value of the general time parameter 76 is less than or equal to the value of the maximum execution time Tmax, then the first comparison is "positive".

This protocol further comprises a second comparison, between information indicative of the size in bytes of the binary code, global variables and local variables, and the data indicative of the maximum memory space Emax allocated to the processing block 51. size in bytes of the binary code, global variables and local variables is less than or equal to the maximum memory space Emax then the second comparison is "positive".

If the first or the second comparison is "negative", the software container 58 returns an error code to the application kernel 56. The method then ends in step 106.

If, on the other hand, the first and second comparisons are "positive", the software container 58 copies the binary code 85 into an indicated area of the volatile storage space 42A. This copy of the binary code 85 follows the binary code copying method imposed by the operating system 48.

Then, again during this same step 106, the software container 58 requires access to the memory 42 from the processor 40 and stores, in the volatile storage space 42A, the memory address of the copy of the binary code 85, the memory address of the beginning of the global variables 72 and the memory address of the beginning of the local variables 73.

The software container 58 then returns to the application core 56 an identifier referring to the processing block 51 thus loaded in volatile memory.

For example, the returned identifier corresponds to the memory address of the volatile storage space 42A where the software container 58 has stored the binary code 85. The step 108 of generating an execution request is then implemented. in which the application core 56 stores the input data of the processing block 51 in the memory allocated to the global variables.

During this same step 108, the application kernel 56 generates a request for execution of the processing block 51. This request includes the identifier returned by the software container 58 in step 106. At the end of the step 108, the application core 56 transmits the execution request to the software container 58.

During a next step 110 of processing an execution request, the software container 58 interprets the received execution request, then starts the execution of the copy of the binary code 85 stored in the volatile storage space 42A. The functionality corresponding to the processing block 51 is then implemented within the platform 4. At the end of this step 110, the software container 58 returns to the application core 56 a return value.

If the execution of the binary code 85 has proceeded correctly, the return value is the return value contained in the end instruction 95.

Otherwise, the return value indicates that the execution of the binary code 85 did not proceed correctly and indicates the nature of the detected error.

During a next step 112 of processing a return of execution, the application kernel 56 interprets the received return value and then accesses the output data of the application code 51 which has been stored in the memory allocated to the global variables when executing the binary code 85.

Claims (10)

1 computer program defining an application software (50) hosted on a target execution platform (4) of the avionic type, characterized in that it comprises computer program code instructions which define: - at least one processing block (51), providing, when said program is executed on the target execution platform, a functionality specific to the application software, the or each processing block constituting a component of the application software that can be certified independently of the other components software; an application core (56) providing, when said program is executed on the target execution platform, an orchestration of the call of or of each processing block (51) and / or services of the operating system (48); ) the target execution platform (4); a software container (58) which, when said program is executed on the target execution platform and on request of the application kernel, executes a binary code (85) present in the memory (42) of the target execution platform ( 4) and associated with the processing block (51), the execution of the binary code being performed in a spatially and temporally partitioned manner, the executed source code being unable to exchange data with another binary code of another processing block. application software or an operating system service without going through the application kernel, once the certified application software can be updated by modifying the binary code corresponding to a processing block once said source code has been certified. 2. - computer program according to claim 1, wherein the application core (56) is developed on the basis of specifications describing the most complete version of the or each processing block (51) that is planned to develop . 3. - computer program according to claim 2, wherein the binary code (85) associated with a processing block (51) is executed using a set of execution defined from the most complete version envisaged for said treatment block. 4 - computer program according to claim 3, wherein the set of maximum parameters comprises: a general time parameter corresponding to the WCET; A list of global variables relating to the input data and the output data of said processing block; A list of local variables of said processing block; A byte size of the binary code of said processing block; - Byte size of the global variables; A byte size of the local variables. 5. - Computer program according to claim 3 or claim 4, wherein a default value is assigned to a global variable of the set of maximum execution parameters that the binary code associated with the processing block considered and present. in the memory of the target execution platform (4) at the time of execution of the application software is not able to process. 6, - computer program according to any preceding claim, wherein the application core (56) is a state machine, each state of said controller corresponds to a software procedure that launches and controls a run of a suite ordinating calls to processing blocks (51) of the application software and / or services of the operating system of the target execution platform (4), and each transition of a state of said controller to another state of said automaton depending on values returned at the end of their execution, by the processing blocks of the application software and the services of the operating system (48) called. 7, - computer program according to claim 6, wherein the application core (56) calculates a context status of the aircraft from different external data, the transition from an initial state to a final state of said automaton also dependent on the current context status of the calculated aircraft. 8. - Targeting execution platform (4) of the avionic type, comprising a hardware layer (46) and a software layer (47), the hardware layer comprising a memory (42) and a processor (40), the software layer comprising a computer program defining an avionics operating system (48) and a computer program defining an application software, the hardware layer being configured by the software layer, characterized in that said computer program defining an application software ( 50) is according to any one of claims 1 to 7. 9. - Development platform (2), comprising a hardware layer (26) and a software layer (27), the hardware layer comprising a memory (22) and a processor (20), the software layer comprising a computer program defining an operating system (28) and a computer program defining a compilation software (14), the hardware layer being configured by the software layer, characterized in that the memory comprises a source code (61) of a a processing block (51) of a computer program defining an application software (50) according to any one of claims 1 to 7, and in that the computer program defining a compilation software is clean, when it is executed, generating a binary code (85) from the source code, the binary code being adapted to be loaded into the memory of a target execution platform (4) of the avionics type on which is executed said computer program defining an application software. 10. Development platform (2) according to claim 9, wherein the memory (22) comprises a set of maximum execution parameters for a processing block (51) of said computer program defining an application software (50).