Thanks to advances in programmable logic, today’s FPGAs can be used to make high-reliability systems such as those in avionics both flexible and configurable, while dramatically reducing the chance of errors that could compromise safety.
BY STEPHEN CUNHA, MEN MICRO
A number of innovations and changes are delivering new capabilities to aircraft operations. Modern aircraft are equipped with numerous electronic components. Some of them – like flight control and guidance systems – provide flight critical functions, while others may provide assistance services that are not critical to the plane’s safe operation, but rather reduce the crew’s workload. As the number of capabilities increases, so does the amount of information that needs to be processed and displayed.
Aircraft control systems generally consist of a number of sensors to read environmental or inertial data, with avionic subsystems performing certain flight-relevant control functions and outputs, like control actuators that perform rudder or flap movements. There has always been a need to interconnect these components; traditionally, a set of sensors and actuators was connected to form one avionics function. The main data buses used for these purposes were ARINC-429 and MIL-STD 1553.
AFDX in Today’s Avionics
Asynchronous Full Duplex Switched Ethernet (AFDX, designated ARINC-664) was designed to accommodate the growing number of avionic subsystems in modern aircraft and their complex interaction. It is a true IP- and UDP-packet-based switched Ethernet compliant with the IEEE 802.3 industry standard. On top of these well-established standards, AFDX adds protocol extensions that provide reliable packet transport and bounded transport latency, making it suitable for avionic applications.
At the application level, AFDX emulates logical point-to-point connections with clear separation of data streams and bandwidth allocation. In fact, AFDX provides a logical path with the same properties an application sees on an ARINC-429 connection. In addition, several of these connections are multiplexed and run through one Ethernet wire, making AFDX a network architecture that significantly reduces the number of cable runs (Figure 1).
The AFDX network topology is much like any switched, full-duplex network, with the exception that the network is doubled.
Networks A and B exist to increase the availability of the service: every packet is transferred on both networks, and the receiver keeps the packet that arrives first and discards the second copy. While the real implementation is more complicated, this basic description provides the framework for seeing how FPGAs function within this system.
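The "keep the first copy, discard the second" rule above needs a way to recognise the second copy. The following is an added example, not code from the article or from MEN Micro: a software model of the redundancy management an end system performs on frames arriving from networks A and B. It assumes each frame carries its virtual link id and a per-VL sequence number (the ARINC 664 frame format does carry a one-byte sequence number, but the article does not describe it); the acceptance window `WINDOW`, the `Frame` and `RedundancyManager` names, and the arrival pattern in `SAMPLE` are constructed for illustration. It also goes slightly beyond the article by rejecting stale or far-out-of-sequence frames, which is the basic integrity check that sits next to redundancy management in a real end system.

```python
"""Redundancy management for a dual-network AFDX end system (simplified).

Added example, not the article's or MEN Micro's code. Frames are identified
by (virtual link id, sequence number); the window size is illustrative.
"""
from dataclasses import dataclass, field

SEQ_RING = 255   # sequence numbers cycle through 1..255; 0 signals a sender reset
WINDOW = 2       # how far ahead of the last accepted number a new frame may be


@dataclass(frozen=True)
class Frame:
    vl_id: int
    seq: int
    network: str      # "A" or "B": which of the two redundant networks delivered it
    payload: bytes


@dataclass
class RedundancyManager:
    """Keeps the first copy of every (VL, sequence) pair and drops the rest."""
    last_seq: dict = field(default_factory=dict)   # vl_id -> last accepted seq
    stats: dict = field(default_factory=lambda: {"accepted": 0, "duplicate": 0, "rejected": 0})

    def receive(self, frame: Frame):
        """Return the frame if the application should see it, otherwise None."""
        last = self.last_seq.get(frame.vl_id)
        if last is None or frame.seq == 0:
            # first frame ever on this VL, or the sender restarted its counter
            self.last_seq[frame.vl_id] = frame.seq
            self.stats["accepted"] += 1
            return frame
        # forward distance on the 1..255 ring (handles the 255 -> 1 wrap)
        distance = (frame.seq - last) % SEQ_RING
        if distance == 0:
            # second copy of a frame already delivered by the other network
            self.stats["duplicate"] += 1
            return None
        if distance > WINDOW:
            # stale or wildly out-of-sequence: treated as an integrity failure
            self.stats["rejected"] += 1
            return None
        self.last_seq[frame.vl_id] = frame.seq
        self.stats["accepted"] += 1
        return frame


def deliver(frames):
    """Run frames in arrival order through a fresh manager and return
    (accepted sequence numbers, stats)."""
    rm = RedundancyManager()
    accepted = [f.seq for f in frames if rm.receive(f) is not None]
    return accepted, rm.stats


# Constructed arrival order for VL 10: both copies of seq 1 and 2 arrive
# (B first for seq 2), the B copy of seq 3 is lost, seq 4 arrives on B only,
# and finally a late, stale copy of seq 2 shows up on network A.
SAMPLE = [
    Frame(10, 1, "A", b"x"), Frame(10, 1, "B", b"x"),
    Frame(10, 2, "B", b"y"), Frame(10, 2, "A", b"y"),
    Frame(10, 3, "A", b"z"),
    Frame(10, 4, "B", b"w"),
    Frame(10, 2, "A", b"y"),
]

if __name__ == "__main__":
    print(deliver(SAMPLE))   # ([1, 2, 3, 4], {'accepted': 4, 'duplicate': 2, 'rejected': 1})
```

The point of the stats counters is diagnostic: a rising duplicate count is normal (both networks are healthy), a VL whose frames only ever arrive on one network indicates a loss of redundancy, and rejected frames point at a misbehaving sender or a sequencing fault worth logging.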
Handling Increased Data Complexity
An AFDX network consists of switches and end systems, which are components connected to the network capable of handling all AFDX-related protocol operations. Usually, an end system is part of an avionic or aircraft subsystem, which needs to send or receive data over the AFDX network. Depending on the network hierarchy, one or more switches are located on the data path between two end systems.
At the application level, AFDX is intended to replace ARINC-429 connections. Since ARINC-429 represents point-to-point or point-to-multipoint connections, it is not surprising that AFDX has similar characteristics, with the ARINC-429 connections represented by AFDX virtual links (VLs).
A single VL may connect exactly two end systems, in which case it represents a point-to-point connection. It may also connect one ‘sending’ end system with multiple ‘reading’ end systems, in which case it represents a point-to-multipoint (multicast) connection.
The advantage is that AFDX presents itself as compatible with legacy solutions at the application level and, at the same time, saves a large number of cable runs by multiplexing many individual VLs onto a single wire connection, utilizing the increased bandwidth of a 100 Mbit/s Ethernet connection. The VL bundle is de-multiplexed at the destination switch and forwarded to the appropriate end systems.
A real-time capable avionics network like AFDX is not susceptible to the inherently unsafe data transmission methods found in IP, or even TCP, where the route between peers is not known upfront and may even change during the session.
Also, in IP or TCP transmissions larger packets are fragmented and re-assembled on their way from sender to recipient, and sometimes packets are received out of order. In AFDX, packet fragmentation may occur to allow for packets larger than the MTU at the application level; however, the network guarantees that all packets are received in order. In principle, all network parameters are known and constant in AFDX, so the resulting IP layer is a lean implementation, free of fallback and retry algorithms.
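Multiplexing many VLs onto one 100 Mbit/s wire only keeps the per-VL separation the article describes if each VL's share of the link is fixed in configuration and enforced at the switch. The following is an added example, not code from the article or from MEN Micro, showing both halves of that: a configuration check that the worst-case rates of all VLs fit the link, and an ingress policer that drops frames exceeding a VL's allocation so one faulty end system cannot starve the others. The two per-VL parameters used here, BAG (the minimum gap between two frames of one VL) and Lmax (the largest frame the VL may send), come from ARINC 664 Part 7 and are not described in the article; the class names, the jitter allowance and every VL value below are constructed for illustration.

```python
"""Virtual link bandwidth allocation and policing on a shared 100 Mbit/s link.

Added example, not the article's or MEN Micro's code. BAG/Lmax are ARINC 664
Part 7 parameters; all concrete values here are constructed.
"""
from dataclasses import dataclass

LINK_BITS_PER_S = 100_000_000   # 100 Mbit/s Ethernet, as in the article


@dataclass(frozen=True)
class VirtualLink:
    vl_id: int
    bag_ms: float   # bandwidth allocation gap in milliseconds
    lmax: int       # maximum frame length in bytes

    def worst_case_bits_per_s(self) -> float:
        # one Lmax-sized frame every BAG is the most this VL may ever send
        return self.lmax * 8 * (1000.0 / self.bag_ms)


def check_allocation(vls, link_bits=LINK_BITS_PER_S):
    """Sum the worst-case rate of every VL and report whether the link can carry it."""
    total = sum(vl.worst_case_bits_per_s() for vl in vls)
    return total, total <= link_bits


class VlPolicer:
    """Per-VL ingress policing as a switch port would apply it: frames above
    Lmax, or arriving sooner than BAG (minus a jitter allowance) after the
    previous admitted frame, are dropped and recorded with a reason."""

    def __init__(self, vls, jitter_ms=0.0):
        self.vls = {vl.vl_id: vl for vl in vls}
        self.jitter_ms = jitter_ms
        self.last_accept = {}   # vl_id -> time (ms) of the last admitted frame
        self.dropped = []       # (time, vl_id, reason) for every dropped frame

    def admit(self, vl_id, size_bytes, t_ms) -> bool:
        vl = self.vls.get(vl_id)
        if vl is None:
            self.dropped.append((t_ms, vl_id, "unconfigured VL"))
            return False
        if size_bytes > vl.lmax:
            self.dropped.append((t_ms, vl_id, "frame exceeds Lmax"))
            return False
        last = self.last_accept.get(vl_id)
        if last is not None and t_ms - last < vl.bag_ms - self.jitter_ms:
            self.dropped.append((t_ms, vl_id, "frame violates BAG"))
            return False
        self.last_accept[vl_id] = t_ms
        return True


# Constructed configuration: a fast VL and a slow VL sharing one link.
VLS = [VirtualLink(1, bag_ms=2, lmax=1518), VirtualLink(2, bag_ms=16, lmax=200)]


def police_sample():
    """Feed a constructed arrival pattern through the policer and return
    (number of admitted frames, list of drop reasons in order)."""
    p = VlPolicer(VLS, jitter_ms=0.1)
    arrivals = [
        (1, 1518, 0.0),   # ok: first frame on VL 1
        (1, 1518, 1.0),   # too soon: BAG for VL 1 is 2 ms
        (1, 1518, 2.0),   # ok again
        (1, 2000, 4.0),   # larger than Lmax
        (2, 200, 0.5),    # ok: first frame on VL 2
        (9, 64, 0.6),     # no such VL configured
    ]
    admitted = sum(p.admit(*a) for a in arrivals)
    return admitted, [reason for _, _, reason in p.dropped]


if __name__ == "__main__":
    print(check_allocation(VLS))   # (6172000.0, True)
    print(police_sample())         # (3, ['frame violates BAG', 'frame exceeds Lmax', 'unconfigured VL'])
```

`check_allocation` is the kind of static check that belongs in the configuration tool chain, since a VL table that oversubscribes the link cannot deliver the bounded latency the article relies on; the policer's drop log is what a maintenance function would inspect to find the end system that is babbling.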
FPGA Technology in an AFDX End System
End systems must continuously receive non-redundant packets on both interfaces at full wire speed without packet loss. Traditionally this was carried out in ASIC technology or in pure software implementations of the protocol stack.
A hardware implementation has general advantages because the logic and its timing are easier to prove, thanks to the synchronous nature of the design and the true parallelism in execution. Today’s high-end FPGAs are fast, large and robust enough to implement the AFDX protocol and handle the requirements of modern avionics systems. FPGAs also enable advanced design through their flexible configuration.
AFDX End Systems Can Use Robust, High-speed FPGA Designs.
Current architectures include a customizable chip that enables users to build AFDX-based communication systems independent of form factor, while providing high data integrity, redundancy and a deterministic quality of service (QoS). This FPGA can be installed directly on the boards of the end system. Developers no longer need an additional integration module for the protocols to send information between avionics subsystems.
Design Flexibility Benefits Developers
Originating on a set of DO-254 compliant SBCs, this FPGA chip showed larger potential in other safety-critical applications, specifically avionics. The designers at MEN extracted it from the original SBC design and engineered it to meet AFDX requirements. The resulting FPGA is not only DO-254-compliant and certifiable up to DAL-A, but was also developed according to ARINC 664P7-1.
Thanks to the inherent flexibility of the FPGA architecture, the chip meets the specific Airbus and Boeing AFDX requirements simultaneously, allowing it to be used in applications for both airplane suppliers without design changes. In either case, the flash-based architecture and triple-redundant logic provide real-time capabilities and resistance to single event upsets (SEUs).
Any safety-relevant system design needs to consider all possible failure modes of the component, their effects at the interface level, and finally the probability of their occurring during the period of operation. At a high level, AFDX end system failure modes can be split by distinguishing failures occurring in the FPGA from those caused by external components, such as the buffer RAM, PCI bus or local power supply. They can further be grouped into design or configuration errors, transient errors caused by cosmic particle radiation, and spontaneous hardware failures.
Applying DO-254 to the development and verification processes of AFDX systems helps ensure that design errors are avoided. Of course, the FPGA needs to account for design errors and be robust against their occurrence. Undetected errors will still have adverse effects on safety, but by meeting the objectives of DO-254, the probability of design errors is lowered.
Safety and Reliability
Since AFDX provides the main interconnect between the major subsystems of today’s aircraft, it is literally the backbone of the avionics. The integrity of the data travelling along this path, its timely delivery, and the availability of the transport service to the clients that need it, at the time they need it, are key factors in a truly safe and reliable AFDX-based system.
An AFDX end system needs to be robust with respect to its failure rates, specifically defined in this instance as follows: the probability of the failure mode “loss of function” must be very low, usually in the magnitude of less than 10^-6 per flight hour.
The triple-module redundancy (TMR) architecture in the FPGA is one way to influence this rate. While DO-254 addresses design assurance for FPGAs, it is the hardware system, not the individual component, that achieves DO-254 certification: an integrated circuit (IC) cannot be DO-254 certified on its own. FPGAs are always considered complex, as they cannot be rigorously tested over all operating conditions and must rely on a disciplined hardware design assurance process for verification. Each system, including any FPGAs and their associated bitstreams, must be tested and validated. All other safety certifications are implemented on the hardware.
As AFDX end systems are deployed in avionics subsystems as line-replaceable units (LRUs), certification according to DO-254 has to be considered in the design of the FPGA, as well as in the process established to achieve the design and its verification.
While detected errors relate to end system availability, any undetected error within the end system or the AFDX network affects the safety of the nodes attached to it. The probability of an undetected error occurring at the end system level is usually required to be less than 10^-7 per flight hour and also depends on the assigned design assurance level (DAL).
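The triple-redundant logic mentioned above masks a single event upset because every protected register exists three times and the output follows the majority. The following is an added example, not code from the article or from MEN Micro, and a software model rather than FPGA logic: it holds one 32-bit value in three replicas, injects bit flips as an SEU would, and shows both the voted output and the per-replica disagreement flags. Those flags are the kind of signal a design can use to count upsets or trigger scrubbing, which is how a masked transient error becomes a detected one instead of silently accumulating. The register width, function names and upset masks are constructed for illustration.

```python
"""Bitwise triple-modular-redundancy voting with upset detection.

Added example, not the article's or MEN Micro's code; a software model of the
voter, not FPGA logic. Width and upset masks are constructed.
"""
WIDTH = 32
MASK = (1 << WIDTH) - 1


def vote3(a: int, b: int, c: int) -> int:
    """Bitwise majority: each output bit equals at least two of the three inputs."""
    return ((a & b) | (a & c) | (b & c)) & MASK


def tmr_step(value: int, upsets=(0, 0, 0)):
    """Hold `value` in three replicas, XOR each with its flip mask (the
    simulated SEU), and return (voted output, per-replica mismatch flags)."""
    replicas = [(value ^ m) & MASK for m in upsets]
    out = vote3(*replicas)
    mismatch = tuple(r != out for r in replicas)
    return out, mismatch


def simulate(value: int, scenarios):
    """For each upset scenario return (output still correct?, disagreement seen?)."""
    results = []
    for upsets in scenarios:
        out, mismatch = tmr_step(value, upsets)
        results.append((out == value, any(mismatch)))
    return results


SCENARIOS = [
    (0, 0, 0),                  # no upset: correct output, nothing to report
    (1 << 5, 0, 0),             # one bit flipped in replica 0: masked and detected
    (1 << 5, 1 << 17, 0),       # two replicas hit on different bits: still masked
    (1 << 5, 1 << 5, 0),        # same bit hit in two replicas: majority is now wrong
]

if __name__ == "__main__":
    for scenario, result in zip(SCENARIOS, simulate(0xDEADBEEF, SCENARIOS)):
        print(scenario, result)
```

The last scenario is why the mismatch flags matter: TMR alone only guarantees correctness while at most one replica of any given bit is corrupted, so a design that never clears detected upsets eventually lets a second hit on the same bit outvote the good copy.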
Not only are modern FPGAs enhancing data reliability and transport across multiple avionics subsystems within a network, they are offering a new level of design configuration that translates into significant cost savings over traditional ASIC designs. And with its built-in flexibility and ability to handle large volumes of information, FPGA technology will continue to contribute to data management in modern networks. Just as avionics have increased in complexity over the past few decades, so have FPGAs, making them a viable method for integrating disparate network systems within an aircraft while ensuring redundant, robust data transmission.
Blue Bell, PA.