
WO2001042932A2 - Two layer operating system and method for avionics software applications - Google Patents


Info

Publication number
WO2001042932A2
Authority
WO
WIPO (PCT)
Prior art keywords
application
executive
central processing
processing unit
input
Prior art date
Application number
PCT/US2000/033419
Other languages
French (fr)
Other versions
WO2001042932A3 (en)
Inventor
Mohamed Said Aboutabl
Younis Mohamed
Original Assignee
Honeywell International Inc.
Application filed by Honeywell International Inc.
Priority to AU20793/01A (AU2079301A)
Priority to EP00984115A (EP1283997A2)
Priority to JP2001544154A (JP2004500634A)
Priority to CA002393828A (CA2393828A1)
Publication of WO2001042932A2
Publication of WO2001042932A3

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46 Multiprogramming arrangements
    • G06F9/54 Interprogram communication
    • G06F9/545 Interprogram communication where tasks reside in different layers, e.g. user- and kernel-space

Definitions

  • This invention relates to a circuit module and method for administrating process or job execution over a digital data processing system, especially for an Integrated Modular Avionics circuit card programmed to provide a two-layer operating system.
  • IMA Integrated Modular Avionics
  • LRU line replaceable units
  • IMA uses a few multifunction LRUs to perform the various avionics functions, typically performed by several dedicated LRUs.
  • Each IMA LRU contains several modules that perform processing, inputs, and outputs to other aircraft hardware.
  • the IMA approach uses a common chassis and power supply for the various modules within each IMA LRU.
  • the invention integrates multiple software applications to run on one central processing unit (CPU), wherein technology has made available CPUs that are powerful enough to meet the combined computation demands of several avionics software applications.
  • the invention further provides a software architecture in which the operating system portion is split into two distinct layers, consisting of a system executive layer and multiple application executive layers.
  • this software architecture allows various real-time operating systems to run concurrently on the same CPU.
  • System-level functions such as software and configuration database loading, application health monitoring, problem logging, basic operating system support and high-level handling of input/output can be shared among the several applications running on an integrated modular avionics (IMA) module.
  • the two-layer architecture provides the ability to integrate software applications developed by various software vendors.
  • the invention also eliminates the need to re-test the whole set of software applications running on an IMA module when only a single software application is added, upgraded, or removed from the system.
  • the first, system executive, layer of the two-layer architecture provides each software application with a protected partition, within which each distinct software application can execute together with an appropriate application executive.
  • the second, application executive, layer of the two-layer architecture is a modified version of a real-time operating system that provides each software application with a virtual machine and a set of interface library (IL) functions. These IL functions facilitate communication between the application executive and the system executive.
  • An embodiment of the invention includes one system executive and multiple application executives.
  • each application executive and its associated software applications are spatially isolated from other application executives and their associated software applications by enforcing access restrictions on memory address space.
  • each application executive and its associated software applications are temporally isolated from other application executives and their associated software applications by enforcing usage restrictions on the CPU and other system resources based on a pre- computed static execution timetable.
  • the system executive initializes, monitors, and terminates each software application modules and maintains a real-time clock to strictly implement the execution timetable from which each software application is assigned well-defined time slices.
  • the system executive also handles context switching and communication between the various application executives, manages all IMA module hardware input and output resources, and enforces strict isolation of protected memory regions.
  • the system executive prevents the propagation of faults and extraneous data across the various application executives and their associated software applications by assigning and enforcing protected memory partitions for each application executive.
  • Each application executive is a customized version of an available real-time operating system.
  • Each application executive provides services, for its associated software applications tasks, including communication, synchronization and dynamic memory management.
  • Each application executive also provides, for its associated software applications, access to system level resources, including IMA module hardware input and output (I/O) devices, via interface library functions.
  • an application executive implements its own strategy for scheduling tasks contained in an associated software application.
  • Customization of an available real-time operating system into an application executive comprises redirecting functions related to communication, memory management, and access to I/O devices through the interface library functions to the system executive. It is an aspect of the invention that no application executive may perform any boot sequence procedure such as probing for or initialization of hardware devices, initializing interrupt tables, or setting up registers of a memory management unit (MMU). These boot sequence procedures, of the available real-time operating systems, are replaced by a set of initialization data structures located within the protected memory partition of the application executive. As part of the system initialization procedure, the system executive initializes the initialization data structures of all application executives.
  • FIG 1 illustrates a prior art line replaceable unit (LRU), commonly referred to as a 'black box' that is intended for aircraft installation.
  • the particular LRU shown is representative of an integrated modular avionics (IMA) cabinet.
  • FIG. 2 illustrates a module or circuit card assembly (CCA), in accordance with one illustrative embodiment of our invention that is suitable for installation in an IMA cabinet.
  • Figure 3 illustrates the software architecture of the software that runs on each IMA module according to our invention.
  • Figure 4 illustrates a flow chart of the system executive layer of our invention.
  • Figure 5 illustrates the interaction between the system executive layer and each application executive layer as described in the present invention.
  • Figure 6 illustrates a timeline showing the execution sequence of the system executive, and the application executives, the software applications associated with each of the several application executives.
  • the IMA chassis 101 contains a multiplicity of IMA modules 200, one or more connectors 103, and a motherboard 102 to interconnect the IMA modules 200 with each other and with the connectors 103.
  • the connectors 103 interface aircraft electrical signals with the circuitry contained on the IMA modules. In other embodiments, optical and radio frequency signals are communicated between the IMA modules and other aircraft equipment.
  • an IMA module 200 is provided with a memory management unit 202.
  • the memory management unit 202 splits system memory 204 into protected partitions and controls read and write access to the partitions according to context instructions sent from a system executive 301 (seen in Figure 3), which executes on a central processing unit 201.
  • a clock 203 generates periodic timer interrupts 505, as shown in Figure 5, to the central processing unit 201.
  • the clock 203 is a real-time clock running independent of the rest of the IMA module 200 hardware.
  • the system executive 301 is able to read the current time from the clock 203 without disrupting its operation.
  • the IMA module 200 of our invention also includes the input/output hardware device 205, input/output bus device 206 and connectors 211 to interface electrical signals with the IMA motherboard 102.
  • Figure 3 illustrates an architectural layout of a complement of software that is programmed to run on the central processing unit 201. As shown in Figure 3, it is an aspect of our invention that the software applications 321 do not directly communicate with the input/output hardware devices 205 or the input/output bus devices 206.
  • a software application 321 that had been previously linked with an associated real-time operating system during a previous build is linked with an associated application executive 311 and an associated set of interface library functions 312, according to our invention.
  • the software applications 321 communicate with the input/output hardware devices 205 and the input/output bus devices 206 by calling interface library functions 312 associated with each application executive 311.
  • the interface library functions 312 access the input/output hardware device 205 by calling a hardware device driver 302 software application via the system executive 301. All functions of each hardware device 205 are controlled via device driver 302 software applications.
  • the interface library functions 312 access the input/output bus device 206 by calling a bus driver 303 software application via the system executive 301. All functions of each bus device 206 are controlled via device driver 303 software applications.
  • the system executive 301 consists of a set of instructions that are stored in the memory 204 and are executed on a central processing unit 201.
  • This system executive 301 is responsible for the operation of all devices mounted on IMA circuit card 200, which in turn is installed in the IMA chassis 101.
  • Each application executive 311 consists of a set of instructions that are stored in a memory 204 within an application partition 500 (shown in Figure 5) address space where read/write access is controlled by the memory management unit 202, and the instructions are executed on the central processing unit 201.
  • the software applications 321, interface library 312, and timer interrupt service routines 501 (shown in Figure 5) associated with each application executive 311 also consist of instructions that are executed on central processing unit 201 and are stored in the same application partition 500 (shown in Figure 5) as the associated application executive 311.
  • Figure 4 shows a flow chart that illustrates the instruction steps of the system executive 301 as it executes on the central processing unit 201.
  • the system executive 301 comprises a set of start-up steps that are executed once followed by a main loop 410 comprising steps that are executed in a pre-determined sequence that repeats indefinitely.
  • the system executive 301 further comprises a sequence of shut-down steps that are executed once after the main loop is terminated.
  • the start-up steps of the system executive 301 comprise the following sequence of software steps that are executed by the central processing unit 201.
  • the input/output hardware devices 205 and the input/output bus devices 206 are initialized at step 401.
  • the data memory 204 is partitioned into virtual application memory partitions 500 (shown in Figure 5) by causing the central processing unit 201 to issue a command sequence to the memory management unit 202 at step 402.
  • the indefinite main loop 410 of the system executive 301 comprises the following sequence of software steps that are executed by the central processor 201.
  • the system executive 301 reads (step 415) the application time slice 601 (shown in Figure 6) and the application executive 311 clock tick length 602 (shown in Figure 6), associated with the next scheduled application partition 500, from the static time table schedule (not shown).
  • the system executive 301 calculates (step 415) the number of full-length ticks, 'Nticks', and the length of the remaining partial tick, 'parTick', using the following equations.
  • the application full length clock ticks, 'Nticks', and remaining partial tick 'parTick' are used to update the application partition 500 (shown in Figure 5) local time structure (not shown).
  • the central processing unit 201 is instructed to busy-wait for a starting time of a next application executive 311 at step 411.
  • the starting time of each application executive 311 is stored in a predefined scheduling timetable (not shown) that resides in memory 204.
  • the memory management unit 202 is instructed to use an associated virtual memory partition 500 (shown in Figure 5) to resolve memory address references and control of central processing unit 201 is passed to application executive 311.
  • the application executive 311 provides instructions to central processing unit 201 except when periodic timer interrupts cause associated timer service routines 501 to be run, as shown in Figure 5.
  • These timer interrupt service routines 501 comprise instructions that are run at the same privilege level as the system executive 301.
  • the application executive 311 is a modified version of a real-time operating system for which associated application software 321 was originally developed. According to our invention, it is essential that the system executive 301 be the first to respond to any exception raised by software applications 321; therefore an interrupt service routine 501 (shown in Figure 5) is provided to intercept 'exception interrupts' that are raised by the central processing unit 201. Re-mapping exception handling functions from existing real-time operating systems requires functionality in both the system executive 301 and the application executive 311.
  • both the software application 321 and the application executive 311 run low 'user' privilege level instructions on central processing unit 201 as contrasted with the system executive 301 and the application interrupt service routine 501 (shown in Figure 5), which both run high 'operating-system' privilege level instructions on central processing unit 201.
  • the interface library 312 comprises a set of functions that are created to replace some of the services provided by a specific real-time operating system; advantageously, a minimum number of real-time operating system services are replaced. Further, the device driver 302 may directly incorporate low-level code of a prior art real-time operating system.
  • Each application executive 311 maintains its own data structures to keep track of the progress of real-time.
  • the time duration between periodic timer interrupts 505 is 10 milliseconds.
  • Figure 5 illustrates the details of the transfer of control between the system executive 301, an application executive 311, and a software application 321.
  • the system executive passes control of the central processing unit 201 at step 412 using a timer interrupt service routine 501.
  • the timer interrupt service routine 501 associated with the application executive 311, executes instructions on central processing unit 201 at the same privilege level as the system executive 301.
  • the timer interrupt service routine 501 comprises instructions that are stored in the data memory 204 within the application partition 500 address space.
  • the application executive 311 always acts as the entry point of every application partition 500.
  • the application memory partition 500 cooperates with the timer interrupt service routine 501, associated with the system executive 301, that services initial entry into the application partition 500 and periodic timer interrupts 505 that occur during the application partition's time slice 601 (as shown in Figure 6).
  • the application executive 311 schedules the software application 321 tasks within the time slice 601.
  • the timer interrupt service routine 501 stores the current time and current state of the partition and returns controls of the central processor unit 201 to the system executive 301.
  • timer interrupt 501 adjusts the partition local time data structure and passes control to the application executive 311.
  • the application executive 321 will determine which task from associated software applications is due and will dispatch said task. According to our invention, it is essential that control of the central processing unit 201 is not given directly to a software application 321 task, but is rather first handed to the associated application executive 311, even if the task was interrupted before completion.
  • the memory space allocated for each application partition 500 includes a predetermined amount of 'heap' memory for use as a dynamic memory pool.
  • Each application executive 311 manages the dynamic memory 'heap' within the application's own partition 500.
  • the central processing unit 201 executes all instructions that are included in the system executive 301, the application executives 311, and the software applications 321.
  • Timer interrupts 505 are periodically applied to the central processing unit 201 from the clock 203. These timer interrupts 505 are used to initiate the execution of the system executive 301 and the application executive 311 as defined in a static schedule (not shown).
  • This timeline provides temporal isolation between the software applications 321 associated with different application executives 311.
  • Each application partition 500 is allocated an application time slice 601 and a clock tick length 602 in a predefined static timetable (not shown).
  • this temporal isolation prevents the software applications from interfering with one another.
  • Our invention accordingly comprises a two-layer operating system for use with multiple avionics software applications 321 that run various aircraft subsystems.
  • the processing throughput and hardware interfaces for these multiple applications are contained on a single IMA card 200 which is installed with other similar cards in an aircraft mounted cabinet 101.
  • our invention takes advantage of the higher speed processors that are currently available, while still allowing reuse of previously developed avionics software applications.
  • the multiple software applications are temporally (time) and spatially (memory) isolated from each other.

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Design And Manufacture Of Integrated Circuits (AREA)
  • Train Traffic Observation, Control, And Security (AREA)
  • Feedback Control In General (AREA)
  • Stored Programmes (AREA)
  • Executing Machine-Instructions (AREA)
  • Multi Processors (AREA)

Abstract

Integrated Modular Avionics (101) can take advantage of faster modern processors and can run multiple existing avionics software applications (321) on a single processor (201) by using a two-layer operating system consisting of a system executive (301) and multiple application executives (311).

Description

UNITED STATES PATENT APPLICATION FOR:
TWO LAYER OPERATING SYSTEM AND METHOD FOR AVIONICS SOFTWARE APPLICATIONS
FIELD OF INVENTION
This invention relates to a circuit module and method for administrating process or job execution over a digital data processing system, especially for an Integrated Modular Avionics circuit card programmed to provide a two-layer operating system.
BACKGROUND OF THE INVENTION
Several newly designed aircraft and new retrofits for older aircraft will use an integrated avionics architecture that is referred to in the industry as Integrated Modular Avionics (IMA). Prior to the development of integrated avionics architectures, aircraft typically used many line replaceable units (LRU), such as radios, where each LRU performed a dedicated function, such as VHF communication or VOR navigation. IMA uses a few multifunction LRUs to perform the various avionics functions, typically performed by several dedicated LRUs. Each IMA LRU contains several modules that perform processing, inputs, and outputs to other aircraft hardware. The IMA approach uses a common chassis and power supply for the various modules within each IMA LRU. This allows for an overall avionics system that is lighter and lower in cost than the typical 'federated' avionics architecture found on older generation aircraft. A large number of software applications have been developed for and certified on federated avionics systems as described above, and it is advantageous to reuse this previously developed software. However, the existing avionics software applications run on several different real-time operating systems. There also exists a need to support integration of multiple software applications that have traditionally been implemented in federated LRUs. It is known that one of the side effects of merging multiple software applications using existing software development tools is unwanted dependencies between the software applications, such as the propagation of faults from one failing software application to others. For FAA aircraft certification, it is necessary to be able to show, with a very high level of assurance, that a problem or failure in a software application cannot have an adverse impact on any other software application.
A prior art avionics operating system environment is described in ARINC Specification 653, "Avionics Application Software Standard Interface", dated January 1997, and RTCA SC-182/EUROCAE WG-48, "Minimum Operational Performance Standards for Avionics Computer Resource", dated November 1998.
SUMMARY OF THE INVENTION
The invention integrates multiple software applications to run on one central processing unit (CPU), wherein technology has made available CPUs that are powerful enough to meet the combined computation demands of several avionics software applications. The invention further provides a software architecture in which the operating system portion is split into two distinct layers, consisting of a system executive layer and multiple application executive layers. Advantageously, this software architecture allows various real-time operating systems to run concurrently on the same CPU. System-level functions such as software and configuration database loading, application health monitoring, problem logging, basic operating system support and high-level handling of input/output can be shared among the several applications running on an integrated modular avionics (IMA) module. Advantageously, the two-layer architecture provides the ability to integrate software applications developed by various software vendors. The invention also eliminates the need to re-test the whole set of software applications running on an IMA module when only a single software application is added, upgraded, or removed from the system. The first, system executive, layer of the two-layer architecture provides each software application with a protected partition, within which each distinct software application can execute together with an appropriate application executive. The second, application executive, layer of the two-layer architecture is a modified version of a real-time operating system that provides each software application with a virtual machine and a set of interface library (IL) functions. These IL functions facilitate communication between the application executive and the system executive. An embodiment of the invention includes one system executive and multiple application executives.
Advantageously, each application executive and its associated software applications are spatially isolated from other application executives and their associated software applications by enforcing access restrictions on memory address space. In addition, each application executive and its associated software applications are temporally isolated from other application executives and their associated software applications by enforcing usage restrictions on the CPU and other system resources based on a pre- computed static execution timetable.
The system executive initializes, monitors, and terminates each software application module and maintains a real-time clock to strictly implement the execution timetable from which each software application is assigned well-defined time slices. The system executive also handles context switching and communication between the various application executives, manages all IMA module hardware input and output resources, and enforces strict isolation of protected memory regions. Advantageously, the system executive prevents the propagation of faults and extraneous data across the various application executives and their associated software applications by assigning and enforcing protected memory partitions for each application executive. Each application executive is a customized version of an available real-time operating system. Each application executive provides services, for its associated software application tasks, including communication, synchronization and dynamic memory management. Each application executive also provides, for its associated software applications, access to system level resources, including IMA module hardware input and output (I/O) devices, via interface library functions. In one embodiment, an application executive implements its own strategy for scheduling tasks contained in an associated software application.
Customization of an available real-time operating system into an application executive comprises redirecting functions related to communication, memory management, and access to I/O devices through the interface library functions to the system executive. It is an aspect of the invention that no application executive may perform any boot sequence procedure such as probing for or initialization of hardware devices, initializing interrupt tables, or setting up registers of a memory management unit (MMU). These boot sequence procedures, of the available real-time operating systems, are replaced by a set of initialization data structures located within the protected memory partition of the application executive. As part of the system initialization procedure, the system executive initializes the initialization data structures of all application executives.
BRIEF DESCRIPTION OF THE DRAWINGS
Figure 1 illustrates a prior art line replaceable unit (LRU), commonly referred to as a 'black box' that is intended for aircraft installation. The particular LRU shown is representative of an integrated modular avionics (IMA) cabinet.
Figure 2 illustrates a module or circuit card assembly (CCA), in accordance with one illustrative embodiment of our invention that is suitable for installation in an IMA cabinet. Figure 3 illustrates the software architecture of the software that runs on each IMA module according to our invention.
Figure 4 illustrates a flow chart of the system executive layer of our invention.
Figure 5 illustrates the interaction between the system executive layer and each application executive layer as described in the present invention. Figure 6 illustrates a timeline showing the execution sequence of the system executive, and the application executives, the software applications associated with each of the several application executives.
DETAILED DESCRIPTION OF THE INVENTION
Referring first to Figure 1, an integrated modular avionics (IMA) chassis 101, as presently used, is shown. The IMA chassis 101 contains a multiplicity of IMA modules 200, one or more connectors 103, and a motherboard 102 to interconnect the IMA modules 200 with each other and with the connectors 103. The connectors 103 interface aircraft electrical signals with the circuitry contained on the IMA modules. In other embodiments, optical and radio frequency signals are communicated between the IMA modules and other aircraft equipment.
Referring to Figure 2, in an embodiment of our invention, an IMA module 200 is provided with a memory management unit 202. The memory management unit 202 splits system memory 204 into protected partitions and controls read and write access to the partitions according to context instructions sent from a system executive 301 (seen in Figure 3), which executes on a central processing unit 201. A clock 203 generates periodic timer interrupts 505, as shown in Figure 5, to the central processing unit 201. The clock 203 is a real-time clock running independent of the rest of the IMA module 200 hardware. Advantageously, the system executive 301 is able to read the current time from the clock 203 without disrupting its operation. The IMA module 200 of our invention also includes the input/output hardware device 205, input/output bus device 206 and connectors 211 to interface electrical signals with the IMA motherboard 102. Figure 3 illustrates an architectural layout of a complement of software that is programmed to run on the central processing unit 201. As shown in Figure 3, it is an aspect of our invention that the software applications 321 do not directly communicate with the input/output hardware devices 205 or the input/output bus devices 206. A software application 321 that had been previously linked with an associated real-time operating system during a previous build is linked with an associated application executive 311 and an associated set of interface library functions 312, according to our invention. The software applications 321 communicate with the input/output hardware devices 205 and the input/output bus devices 206 by calling interface library functions 312 associated with each application executive 311. The interface library functions 312 access the input/output hardware device 205 by calling a hardware device driver 302 software application via the system executive 301.
All functions of each hardware device 205 are controlled via device driver 302 software applications. The interface library functions 312 access the input/output bus device 206 by calling a bus driver 303 software application via the system executive 301. All functions of each bus device 206 are controlled via device driver 303 software applications. According to our invention, the system executive 301 consists of a set of instructions that are stored in the memory 204 and are executed on a central processing unit 201. This system executive 301 is responsible for the operation of all devices mounted on IMA circuit card 200, which in turn is installed in the IMA chassis 101. Each application executive 311 consists of a set of instructions that are stored in a memory 204 within an application partition 500 (shown in Figure 5) address space where read/write access is controlled by the memory management unit 202, and the instructions are executed on the central processing unit 201. The software applications 321, interface library 312, and timer interrupt service routines 501 (shown in Figure 5) associated with each application executive 311 also consist of instructions that are executed on central processing unit 201 and are stored in the same application partition 500 (shown in Figure 5) as the associated application executive 311.
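The Figure 3 call path, shown as an added C simulation that is not part of the patent: a software application (321) never reaches a device itself; it calls an interface library function (312), which hands the request to the system executive (301), and only the device driver (302) touches the device. The per-partition permission table, the status codes and the way the caller is identified (by the MMU context the system executive last switched to, never by a value the application passes) are assumptions of this example; the patent only states that the system executive manages all I/O resources and enforces isolation.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define NUM_PARTITIONS 3
#define NUM_DEVICES    2

enum il_status { IL_OK = 0, IL_EACCESS = -1, IL_EBADDEV = -2, IL_EPARTITION = -3 };

/* Hypothetical per-partition I/O permission table (an assumption of this
 * example, not something the patent specifies): row = application partition
 * 500, column = input/output hardware device 205. */
static const bool io_permit[NUM_PARTITIONS][NUM_DEVICES] = {
    { true,  false },   /* partition 0 may use device 0 only */
    { false, true  },   /* partition 1 may use device 1 only */
    { true,  true  },   /* partition 2 may use both devices  */
};

/* Simulated device registers, written only by the device driver 302. */
static uint32_t device_reg[NUM_DEVICES];

/* Partition the MMU 202 context was last switched to by the system executive;
 * -1 means the system executive itself is running. */
static int cur_partition = -1;

/* Device driver 302: the only code that touches the device. */
static void device_driver_write(int dev, uint32_t value) {
    device_reg[dev] = value;
}

/* System executive 301, running at operating-system privilege. The caller is
 * identified by the partition the MMU context was switched to at step 412,
 * never by a value the application passes in, so one partition cannot claim
 * another partition's access rights. */
static int sysexec_io_request(int dev, uint32_t value) {
    if (cur_partition < 0 || cur_partition >= NUM_PARTITIONS) return IL_EPARTITION;
    if (dev < 0 || dev >= NUM_DEVICES) return IL_EBADDEV;
    if (!io_permit[cur_partition][dev]) return IL_EACCESS;   /* isolation enforced here */
    device_driver_write(dev, value);
    return IL_OK;
}

/* Interface library function 312, linked into the application partition in
 * place of the original RTOS device call. On hardware this would be a trap
 * into the system executive; here it is an ordinary call. */
static int il_device_write(int dev, uint32_t value) {
    return sysexec_io_request(dev, value);
}

/* Step 412 (simulated): switch the MMU context to a partition. */
static void sysexec_enter_partition(int partition) { cur_partition = partition; }

/* Constructed scenario: every partition in turn asks to write device 1.
 * run_scenario returns the number of requests the system executive refused;
 * scenario_result(p) returns the status code partition p received. */
static int last_result[NUM_PARTITIONS];

static int run_scenario(void) {
    int rejected = 0;
    for (int p = 0; p < NUM_PARTITIONS; p++) {
        sysexec_enter_partition(p);
        last_result[p] = il_device_write(1, 0x1000u + (uint32_t)p);
        if (last_result[p] != IL_OK) rejected++;
    }
    cur_partition = -1;   /* control is back with the system executive */
    return rejected;
}

static int scenario_result(int p) { return last_result[p]; }

int main(void) {
    int rejected = run_scenario();
    for (int p = 0; p < NUM_PARTITIONS; p++)
        printf("partition %d -> device 1: %s\n", p,
               scenario_result(p) == IL_OK ? "granted" : "denied");
    printf("%d request(s) denied; device 1 register = 0x%x\n",
           rejected, (unsigned)device_reg[1]);
    return 0;
}
```

Partition 0 is refused and partitions 1 and 2 succeed, so the device register ends up holding the value written last by partition 2. The point worth taking from the layout is where the check lives: in the system executive, keyed on state it controls, so a modified application executive or a faulty application cannot widen its own I/O rights.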
Figure 4 shows a flow chart that illustrates the instruction steps of the system executive 301 as it executes on the central processing unit 201. The system executive 301 comprises a set of start-up steps that are executed once followed by a main loop 410 comprising steps that are executed in a pre-determined sequence that repeats indefinitely. In another embodiment of our invention, that is not shown, the system executive 301 further comprises a sequence of shut-down steps that are executed once after the main loop is terminated.
The start-up steps of the system executive 301 comprise the following sequence of software steps that are executed by the central processing unit 201. First, the input/output hardware devices 205 and the input/output bus devices 206 are initialized at step 401. Second, the data memory 204 is partitioned into virtual application memory partitions 500 (shown in Figure 5) by causing the central processing unit 201 to issue a command sequence to the memory management unit 202 at step 402.
The indefinite main loop 410 of the system executive 301 comprises the following sequence of software steps that are executed by the central processor 201. First, the system executive 301 reads (step 415) the application time slice 601 (shown in Figure 6) and the application executive 311 clock tick length 602 (shown in Figure 6), associated with the next scheduled application partition 500, from the static time table schedule (not shown). Next, the system executive 301 calculates (step 415) the number of full-length ticks, 'Nticks', and the length of the remaining partial tick, 'parTick', using the following equations.
Eq. 1 Nticks = TimeSlice / TickLength, /* Division - integer result */
Eq. 2 parTick = TimeSlice % TickLength, /* Modulo Division - remainder */
The application full length clock ticks, 'Nticks', and remaining partial tick 'parTick' are used to update the application partition 500 (shown in Figure 5) local time structure (not shown).
Next, the central processing unit 201 is instructed to busy-wait for a starting time of a next application executive 311 at step 411. The starting time of each application executive 311 is stored in a predefined scheduling timetable (not shown) that resides in memory 204. Next, at step 412, the memory management unit 202 is instructed to use an associated virtual memory partition 500 (shown in Figure 5) to resolve memory address references and control of central processing unit 201 is passed to application executive 311. During step 413, the application executive 311 provides instructions to central processing unit 201 except when periodic timer interrupts cause associated timer service routines 501 to be run, as shown in Figure 5. These timer interrupt service routines 501 comprise instructions that are run at the same privilege level as the system executive 301. When the time slice 601 (as shown in Figure 6) allocated to the application executive 311 expires, control of the central processing unit 201 is returned to the system executive 301 and the main loop 410 continues indefinitely. Strict enforcement of a time-based dispatching of application partitions, as described above, is based on a static timetable schedule (not shown), which is created during overall software build.
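As an added illustration (not code from the patent), the following C simulation models main loop 410 over a constructed static timetable: step 415 applies Eq. 1 and Eq. 2 to each partition's time slice 601 and tick length 602, and steps 411 to 413 advance the partition-local clock only while that partition holds the processor, so one pass over the timetable (a major frame) lasts exactly the sum of the time slices and no partition runs past its allotment. The partition names, the microsecond values and the `partition_clock_t` layout are assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed static timetable: one entry per application partition 500,
 * giving its application time slice 601 and clock tick length 602 in
 * microseconds. Values are illustrative, not taken from the patent. */
typedef struct {
    const char *name;
    uint32_t time_slice;   /* TimeSlice (us) */
    uint32_t tick_length;  /* TickLength (us) */
} schedule_entry_t;

/* Assumed layout of the per-partition local time structure that the
 * system executive updates before handing over the processor. */
typedef struct {
    uint32_t nticks;        /* full-length ticks in this slice (Eq. 1) */
    uint32_t par_tick;      /* remaining partial tick (Eq. 2) */
    uint64_t local_time;    /* partition-local clock, advances only while it runs */
    uint32_t ticks_served;  /* timer interrupts 505 delivered in the last slice */
} partition_clock_t;

static const schedule_entry_t timetable[] = {
    { "flight_mgmt", 25000, 10000 },  /* 2 full ticks + 5000 us partial */
    { "display",     10000, 10000 },  /* 1 full tick, no partial */
    { "comm",         7000, 10000 },  /* 0 full ticks, 7000 us partial */
};
#define NPARTITIONS (sizeof timetable / sizeof timetable[0])

/* Eq. 1 and Eq. 2: integer division gives the full ticks, modulo the remainder. */
void compute_ticks(uint32_t time_slice, uint32_t tick_length,
                   uint32_t *nticks, uint32_t *par_tick)
{
    *nticks   = time_slice / tick_length;
    *par_tick = time_slice % tick_length;
}

/* One pass of main loop 410 for one partition (steps 415, 411, 412, 413).
 * The timer interrupt service routine 501 is modelled as a loop that delivers
 * nticks full ticks followed by the partial tick, then hands the processor
 * back. Returns the wall-clock time at which control returns to the
 * system executive. */
uint64_t run_partition(const schedule_entry_t *e, partition_clock_t *pc,
                       uint64_t start_time)
{
    uint64_t now = start_time;   /* step 411: start time reached */
    compute_ticks(e->time_slice, e->tick_length, &pc->nticks, &pc->par_tick);
    pc->ticks_served = 0;

    /* steps 412-413: partition holds the processor; every timer interrupt 505
     * advances its local clock by one full tick. */
    for (uint32_t i = 0; i < pc->nticks; i++) {
        now += e->tick_length;
        pc->local_time += e->tick_length;
        pc->ticks_served++;
    }
    /* The slice may end inside a tick: advance by the partial tick only. */
    now += pc->par_tick;
    pc->local_time += pc->par_tick;

    /* Time slice 601 expired: routine 501 stores partition state, returns CPU. */
    return now;
}

/* Run the whole static timetable once. Returns the frame length, which must
 * equal the sum of the time slices if no partition overran its slot. */
uint64_t run_major_frame(partition_clock_t clocks[], uint64_t start_time)
{
    uint64_t now = start_time;
    for (size_t p = 0; p < NPARTITIONS; p++)
        now = run_partition(&timetable[p], &clocks[p], now);
    return now - start_time;
}
```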
Referring again to Figure 3, the application executive 311 is a modified version of a real-time operating system for which associated application software 321 was originally developed. According to our invention, it is essential that the system executive 301 be the first to respond to any exception raised by software applications 321; therefore an interrupt service routine 501 (shown in Figure 5) is provided to intercept 'exception interrupts' that are raised by the central processing unit 201. Re-mapping exception handling functions from existing real-time operating systems requires functionality in both the system executive 301 and the application executive 311. According to our invention, both the software application 321 and the application executive 311 run low 'user' privilege level instructions on central processing unit 201 as contrasted with the system executive 301 and the application interrupt service routine 501 (shown in Figure 5), which both run high 'operating-system' privilege level instructions on central processing unit 201.
The interface library 312 comprises a set of functions that are created to replace some of the services provided by a specific real-time operating system; advantageously, a minimum number of real-time operating system services are replaced. Further, the device driver 302 may directly incorporate low-level code of a prior art real-time operating system.
Each application executive 311 maintains its own data structures to keep track of the progress of real-time. In one particular embodiment, the time duration between periodic timer interrupts 505 (shown in Figure 6) is 10 milliseconds.
Figure 5 illustrates the details of the transfer of control between the system executive 301, an application executive 311, and a software application 321. The system executive passes control of the central processing unit 201 at step 412 using a timer interrupt service routine 501. The timer interrupt service routine 501, associated with the application executive 311, executes instructions on central processing unit 201 at the same privilege level as the system executive 301. The timer interrupt service routine 501 comprises instructions that are stored in the data memory 204 within the application partition 500 address space. The application executive 311 always acts as the entry point of every application partition 500. The application memory partition 500 cooperates with the timer interrupt service routine 501, associated with the system executive 301, that services initial entry into the application partition 500 and periodic timer interrupts 505 that occur during the application partition's time slice 601 (as shown in Figure 6). The application executive 311 schedules the software application 321 tasks within the time slice 601. When the time slice 601 expires, the timer interrupt service routine 501 stores the current time and current state of the partition and returns control of the central processing unit 201 to the system executive 301.
Upon reentry into partition 500, the timer interrupt service routine 501 adjusts the partition local time data structure and passes control to the application executive 311. The application executive 311 will determine which task from the associated software applications is due and will dispatch said task. According to our invention, it is essential that control of the central processing unit 201 is not given directly to a software application 321 task, but is rather first handed to the associated application executive 311, even if the task was interrupted before completion. The memory space allocated for each application partition 500 includes a predetermined amount of 'heap' memory for use as a dynamic memory pool. Each application executive 311 manages the dynamic memory 'heap' within the application's own partition 500.
Referring to Figure 6, the central processing unit 201 executes all instructions that are included in the system executive 301, the application executives 311, and the software applications 321. Timer interrupts 505 are periodically applied to the central processing unit 201 from the clock 203. These timer interrupts 505 are used to initiate the execution of the system executive 301 and the application executive 311 as defined in a static schedule (not shown). This timeline provides temporal isolation between the software applications 321 associated with different application executives 311. Each application partition 500 is allocated an application time slice 601 and a clock tick length 602 in a predefined static timetable (not shown). Advantageously, this temporal isolation prevents the software applications from interfering with one another.
Our invention accordingly comprises a two-layer operating system for use with multiple avionics software applications 321 that run various aircraft subsystems. The processing throughput and hardware interfaces for these multiple applications are contained on a single IMA card 200 which is installed with other similar cards in an aircraft mounted cabinet 101. Advantageously, our invention takes advantage of the higher speed processors that are currently available, while still allowing reuse of previously developed avionics software applications. The multiple software applications are temporally (time) and spatially (memory) isolated from each other.

Claims

WHAT IS CLAIMED IS:
1. A circuit module for an Integrated Modular Avionics arrangement, said module comprising: input/output hardware, an input/output bus, a real-time clock for generating a sequence of periodic timer interrupts, a memory management unit, a memory partitioned into a plurality of application partitions by said memory management unit; and a central processing unit, said central processing unit being programmed to provide a two-level software architecture including a system executive comprising an initialization sequence, an indefinite loop and a multiplicity of timer interrupt service routines responsive to said real-time clock, a plurality of application executives, each comprising a real-time operating system and associated with one of said timer interrupt service routines; and control of said memory management unit.
2. The circuit module according to claim 1 wherein the application executive further comprises an interface library of software functions that provide access to a set of hardware input/output devices.
3. The circuit module according to claim 1 wherein the application executive maintains its own data structures to keep track of the progress of real-time.
4. A method for executing multiple existing avionics software applications, wherein the applications have been separated from their previous operating environment and have been linked with an application executive running concurrently with a system executive on a single central processing unit that is mounted on a circuit card assembly along with a memory management unit, a clock, data memory, input/output hardware devices and input/output bus devices, said method comprising the steps of: initializing the input/output hardware devices, initializing the input/output bus devices, partitioning the data memory using the memory management unit, and entering into and remaining in an indefinite loop comprising the steps of: waiting for a starting time of an application executive, instructing the memory management unit to resolve addresses in accordance with an application partition associated with said application executive, passing control of the central processing unit to said application executive, executing commands in accordance with said application executive, waiting for a time slice associated with said application executive to expire, and returning control of the central processing unit to the system executive.
5. The method of claim 4, wherein said indefinite loop further comprises the steps of: waiting for a starting time of a second application executive, instructing the memory management unit to resolve addresses in accordance with a second application partition associated with said second application executive, passing control of the central processing unit to said second application executive, executing commands in accordance with said second application executive, waiting for a time slice associated with said second application executive to expire, and returning control of the central processing unit to the system executive.
PCT/US2000/033419 1999-12-10 2000-12-08 Two layer operating system and method for avionics software applications WO2001042932A2 (en)

Priority Applications (4)

Application Number Priority Date Filing Date Title
AU20793/01A AU2079301A (en) 1999-12-10 2000-12-08 Two layer operating system and method for avionics software applications
EP00984115A EP1283997A2 (en) 1999-12-10 2000-12-08 Two layer operating system and method for avionics software applications
JP2001544154A JP2004500634A (en) 1999-12-10 2000-12-08 Two-layer operating system and method for avionics software applications
CA002393828A CA2393828A1 (en) 1999-12-10 2000-12-08 Two layer operating system and method for avionics software applications

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
US17020099P 1999-12-10 1999-12-10
US60/170,200 1999-12-10
US64898500A 2000-08-28 2000-08-28
US09/648,985 2000-08-28

Publications (2)

Publication Number Publication Date
WO2001042932A2 true WO2001042932A2 (en) 2001-06-14
WO2001042932A3 WO2001042932A3 (en) 2002-12-05

Family

ID=26865834

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2000/033419 WO2001042932A2 (en) 1999-12-10 2000-12-08 Two layer operating system and method for avionics software applications

Country Status (6)

Country Link
EP (1) EP1283997A2 (en)
JP (1) JP2004500634A (en)
CN (1) CN1434940A (en)
AU (1) AU2079301A (en)
CA (1) CA2393828A1 (en)
WO (1) WO2001042932A2 (en)

Also Published As

Publication number Publication date
WO2001042932A3 (en) 2002-12-05
CN1434940A (en) 2003-08-06
AU2079301A (en) 2001-06-18
CA2393828A1 (en) 2001-06-14
JP2004500634A (en) 2004-01-08
EP1283997A2 (en) 2003-02-19
