# AADL Networking Annex Status Report

Brendan Hall, Alexey Khoroshilov, Tiyam Robati

#### **Recent Version**

The most recent version available here:

https://gitlab.com/sae\_as2c/networking-annex/wikis/home

### **AFDX Trademark Question**

#### ARINC SPECIFICATION 664 PART 7 - Page 1

#### 1.0 INTRODUCTION

#### 1.1 Purpose of Document

The purpose of this document is to define a deterministic network: Avionics Full Duplex Switched Ethernet (AFDX™). AFDX™ is a trademark of Airbus and is used with permission. This document also highlights the additional performance requirements of avionics systems, within the context of AFDX.

This specification allows:

- System integrators to design flight critical systems using AFDX
- Equipment designers to specify equipment interoperable with AFDX

## **Open Questions**

- AFDX Trademark
- Feedback?
- TTEthernet?

#### **Old Action Items**

- AI1. Update AFDX reference model with the new example that demonstrates how to represent asymmetrical Network A-B designs in AADL. Responsible: Alexey
- Al2. Add to reference model a model of end to end protocol on top of AFDX virtual links. Responsible: Brendan
- Al3. Describe safety properties of AFDX components from the reference model with EMV2. Responsible: Brendan
- Al4. Propose recommendations how to model ICD in AADL.
   Responsible: Brendan
- Al5. Update TTEthernet reference model and organize its review by TTTech. Responsible: Tiyam, Brendan
- Al6. Prepare a plan of the Networking Annex text document.
   Responsible: Alexey

## **Next Steps**

How to proceed?

#### **Backup Slides**

Alexey Khoroshilov khoroshilov@ispras.ru

http://masiw.ispras.ru





## Scope of Networking Annex

- AFDX as defined in ARINC 664p7
- Deterministic Ethernet as defined by ARINC 664 and SAE AS6802 (TTEthernet)

#### Goal

- to provide recommendations how to model ARINC 664 and SAE AS6802 networks in AADL
- so we could achieve tools interoperability on the models

## **Target Use Cases**

- UC-1) Latency (timing) analysis of network
- UC-2) Buffer capacity analysis
- UC-3) Consistency analysis
- UC-4) Synthesis and trade-off analysis
- UC-5) Safety analysis
- UC-6) Configuration generation

#### **AFDX Model Variants**

- Pre-Synthesis model
  - Input data for AFDX virtual links generation
- Basic model
  - Represents internal structure of AFDX network
  - Ignores redundancy
  - Works well for symmetrical Network A and B
- Detailed model
  - Represents internal structure of AFDX network including asymmetrical redundancy configurations
- Model with safety related properties

## Software Layer



Let us suppose, we have a software system to be communicated via AFDX network.

#### **AFDX Model Variants**

- Pre-Synthesis model
  - Input data for AFDX virtual links generation
- Basic model (no redundancy)
  - Model internal structure, ignore redundancy
  - Works for symmetrical Network A and B
- Detailed model (redundancy support)
  - Model internal structure including redundancy
- Model with Safety related properties

## **Pre-Synthesis Model**

- The model describing an input for synthesis algorithm that automatically generates AFDX virtual links and their attributes meeting requirements (e.g., latency on connections, flows, etc.).
- The target for synthesis algorithm is AFDX\_Network virtual bus.
- Connections bound to it should go via AFDX Network that is formed by components of HW\_Platform AFDX\_Network bounds to.

## **Pre-Synthesis Model**



AFDX\_Network is used to define a target for AFDX configuration synthesis.

## **Pre-Synthesis Model**

```
--AFDX Model-----
SYSTEM AFDX PreSynthesis
END AFDX PreSynthesis;
SYSTEM IMPLEMENTATION AFDX PreSynthesis.i
  SUBCOMPONENTS
    Software Layer:: SYSTEM Software Layer::Software Layer.i;
   HW Platform : SYSTEM HW Platform.i;
    -- ARINC-653 Configuration
   P 1 : VIRTUAL PROCESSOR;
   P 2 : VIRTUAL PROCESSOR;
   P 3 : VIRTUAL PROCESSOR;
   P 4 : VIRTUAL PROCESSOR:
    -- AFDX Configuration
   AFDX Network : VIRTUAL BUS AFDX::Network;
  PROPERTIES
    -- Maps processes to processors
   Actual Processor Binding => (reference(P 1)) applies to Software Layer.P 1;
   Actual Processor Binding => (reference(P 2)) applies to Software Layer.P 2;
   Actual Processor Binding => (reference(P 3)) applies to Software Layer.P 3;
   Actual Processor Binding => (reference(P 4)) applies to Software Layer.P 4;
    Actual Processor Binding => (reference(HW Platform.CPM 1.CPU)) applies to P 1;
   Actual Processor Binding => (reference(HW Platform.CPM 2.CPU)) applies to P 2;
    Actual Processor Binding => (reference(HW Platform.CPM 3.CPU)) applies to P 3;
   Actual Processor Binding => (reference(HW Platform.CPM 3.CPU)) applies to P 4;
    -- Map connections to virtual links
   Actual Connection Binding => (reference(AFDX Network))
      applies to Software Layer.CQ 1 2, Software Layer.CS 1 2,
                Software Layer.C 2 3, Software Layer.C 1 3,
                Software Layer.C 1 4, Software Layer.C 2 4;
    -- Map AFDX Network to HW elements
   Actual Connection Binding => (reference(HW Platform.CPM 1.AFDX ES), reference(HW Platform.CPM 2.AFDX ES),
                                  reference(HW Platform.CPM 3.AFDX ES),
                                  reference(HW Platform.WIRE 1), reference(HW Platform.WIRE 2),
                                  reference(HW Platform.WIRE 3), reference(HW Platform.WIRE 4),
                                  reference(HW Platform.SW 1), reference(HW Platform.SW 2))
      applies to AFDX Network;
END AFDX PreSynthesis.i;
```

#### **AFDX Model Variants**

- Pre-Synthesis model
  - Input data for AFDX virtual links generation
- Basic model
  - Represents internal structure of AFDX network
  - Ignores redundancy
  - Works well for symmetrical Network A and B
- Detailed model
  - Represents internal structure of AFDX network including asymmetrical redundancy configurations
- Model with safety related properties

### **Basic Model**



Virtual Links are represented as virtual buses within AFDX\_Network.

#### **Basic Model**

```
--- 2. AFDX Network Configuration
 VIRTUAL BUS IMPLEMENTATION AFDX Network.i
   SUBCOMPONENTS
     VL1 : VIRTUAL BUS AFDX::Virtual Link;
     VL2: VIRTUAL BUS AFDX::Virtual Link;
     VL3: VIRTUAL BUS AFDX::Virtual Link;
   PROPERTIES
      -- Setup virtual links configuration
     AFDX Properties::BAG => 1 ms applies to VL1,VL2,VL3;
     AFDX Properties::Lmax => 1518 Bytes applies to VL1;
     AFDX Properties::Lmax => 512 Bytes applies to VL2,VL3;
     AFDX Properties::SkewMax => 1 ms applies to VL1,VL2,VL3;
 END AFDX Network.i;
```

#### **Basic Model**

```
-- Define virtual link configuration
Actual Connection Binding => (reference(HW Platform.CPM 1.AFDX ES), reference(HW Platform.WIRE 1), reference(HW
                              reference(HW Platform.WIRE 3), reference(HW Platform.CPM 2.AFDX ES))
  applies to AFDX Network.VL1;
Actual Connection Binding => (reference(HW Platform.CPM 2.AFDX ES), reference(HW Platform.WIRE 3), reference(HW
                              reference(HW Platform.WIRE 2), reference(HW Platform.SW 2),
                              reference(HW Platform.WIRE 4), reference(HW Platform.CPM 3.AFDX ES))
  applies to AFDX Network.VL2;
Actual Connection Binding => (reference(HW Platform.CPM 1.AFDX ES), reference(HW Platform.WIRE 1), reference(HW
                              reference(HW Platform.WIRE 2), reference(HW Platform.SW 2),
                              reference(HW Platform.WIRE 3), reference(HW Platform.CPM 2.AFDX ES),
                              reference(HW Platform.WIRE 4), reference(HW Platform.CPM 3.AFDX ES))
  applies to AFDX Network.VL3;
-- Map connections to virtual links
Actual Connection Binding => (reference(HW Platform.CPM 1.PCI BUS), reference(AFDX Network.VL1), reference(HW P
  applies to Software Layer.CQ 1 2;
Actual Connection Binding => (reference(HW Platform.CPM 1.PCI BUS), reference(AFDX Network.VL3), reference(HW P
  applies to Software Layer.CS 1 2;
Actual Connection Binding => (reference(HW Platform.CPM 1.PCI BUS), reference(AFDX Network.VL2), reference(HW P
  applies to Software Layer.C 2 3;
Actual Connection Binding => (reference(HW Platform.CPM 1.PCI BUS), reference(AFDX Network.VL3), reference(HW P
  applies to Software Layer.C 1 3;
Actual Connection Binding => (reference(HW Platform.CPM 1.PCI BUS), reference(AFDX Network.VL3), reference(HW P
  applies to Software Layer.C 1 4;
Actual Connection Binding => (reference(HW Platform.CPM 2.PCI BUS), reference(AFDX Network.VL2), reference(HW P
  applies to Software Layer.C 2 4;
-- Switch configuration
AFDX Properties::VL Route Table => ([
      vl => reference (AFDX Network.VL1);
      jitter => 8 us;
      priority => high;
      accountingPolicy => frame;
      vl => reference (AFDX Network.VL2);
      jitter => 16 us;
      priority => low;
      accountingPolicy => frame;
```

#### **AFDX Model Variants**

- Pre-Synthesis model
  - Input data for AFDX virtual links generation
- Basic model

The topic for today

- Represents internal structure of AF
- Ignores redundancy
- Works well for symmetrical Nork A and B
- Detailed model
  - Represents internal structure of AFDX network including asymmetrical redundancy configurations
- Model with safety related properties

## The First Attempt



netA and netB virtual buses inside VL, to be bound to HW devices.

## The First Attempt

```
VIRTUAL BUS IMPLEMENTATION Virtual_Link.dup

SUBCOMPONENTS

netA : VIRTUAL BUS Virtual_Link;

netB : VIRTUAL BUS Virtual_Link;

END Virtual_Link.dup0;
```

netA and netB virtual buses inside VL, to be bound to HW devices.

## The First Attempt – Problems

```
VIRTUAL BUS IMPLEMENTATION Virtual_Link.dup

SUBCOMPONENTS

netA : VIRTUAL BUS Virtual_Link;

netB : VIRTUAL BUS Virtual_Link;

END Virtual_Link.dup0;
```

- According semantics of AADL 2.1 netA and netB are bound to VL
  - netA of VL provides resources to VL
    - then VL should be bond to netA
  - netA of VL is subchannel of VL
    - then netA could be bond to VL



VL is bound to netA and netB, netA and netB are bound to HW devices.



```
VIRTUAL BUS IMPLEMENTATION Virtual_Link.A
    PROPERTIES
    AFDX_Properties::networkSelector => A;
END Virtual_Link.A;

VIRTUAL BUS IMPLEMENTATION Virtual_Link.B
    PROPERTIES
    AFDX_Properties::networkSelector => B;
END Virtual_Link.B;
```

```
--- 2. AFDX Network Configuration
 VIRTUAL BUS IMPLEMENTATION AFDX Network.i
   SUBCOMPONENTS
      -- Virtual links
     VL1 : VIRTUAL BUS AFDX::Virtual Link.dup;
     VL2 : VIRTUAL BUS AFDX::Virtual Link.dup;
     VL3: VIRTUAL BUS AFDX::Virtual Link.dup;
      -- Virtual link path in network A-B
     VL1A: VIRTUAL BUS AFDX::Virtual Link.A;
     VL1B : VIRTUAL BUS AFDX::Virtual Link.B;
     VL2A : VIRTUAL BUS AFDX::Virtual Link.A;
     VL2B : VIRTUAL BUS AFDX::Virtual Link.B;
     VL3A: VIRTUAL BUS AFDX::Virtual Link.A:
     VL3B : VIRTUAL BUS AFDX::Virtual Link.B;
   PROPERTIES
      -- Setup binding A-B virtual links to paths in network A-B
     Actual Connection Binding => (reference(VL1A), reference(VL1B))
       applies to VL1:
     Actual Connection Binding => (reference(VL2A), reference(VL2B))
       applies to VL2;
     Actual Connection Binding => (reference(VL3A), reference(VL3B))
       applies to VL3;
      -- Setup virtual links configuration
     AFDX Properties::BAG => 1 ms applies to VL1,VL2,VL3;
     AFDX Properties::Lmax => 1518 Bytes applies to VL1;
     AFDX Properties::Lmax => 512 Bytes applies to VL2, VL3;
     AFDX Properties::SkewMax => 1 ms applies to VL1, VL2, VL3;
 END AFDX Network.i;
```

#### EMV2 – Virtual Link

```
VIRTUAL BUS IMPLEMENTATION Virtual_Link.dup
annex EMV2 {**
  use types AFDXErrorLib;
  use behavior AFDXErrorLib::Twostate;
  error propagations
     connection : in propagation {NoService};
     bindings : out propagation {NoService};
  end propagations;
  component error behavior
  transitions
              : Operational -[ 2 ormore( connection{NoService} ) ]-> Failed;
     fail
  propagations
     f : Failed -[]-> bindings(NoService);
  end component;
END Virtual Link.dup;
```

#### **AFDX Model Variants**

- Pre-Synthesis model
  - Input data for AFDX virtual links generation
- Basic model
  - Represents internal structure of AFD)
  - Ignores redundancy
  - Works well for symmetrical Network
- Detailed model
  - Represents internal structure of AFDX network including asymmetrical redundancy configurations
- Model with safety related properties

The next step

## **Update of Basic AFDX Model**

```
--- 1.1 AFDXWire
 BUS Wire
 END Wire;
 BUS TwinWire
 END TwinWire:
--- 1.2 AFDXSwitch
 ABSTRACT Switch
 END Switch;
  ABSTRACT TwinSwitch
  END TwinSwitch;
 ABSTRACT End System1
   FEATURES
     afdx : REQUIRES BUS ACCESS TwinWire;
 END End System1;
 ABSTRACT End System2
   FEATURES
     afdxA : REQUIRES BUS ACCESS Wire;
     afdxB : REQUIRES BUS ACCESS Wire;
 END End System2;
```

#### **AFDX** Reference Models

Available at github:

https://github.com/khoroshilov/aadl-networking-refmodel

My try to build TTEthernet model is also there

#### Thank you!

Alexey Khoroshilov khoroshilov@ispras.ru

http://masiw.ispras.ru



