Automated aircraft control has traditionally been divided into distinct functions that
are implemented separately (e.g., autopilot, autothrottle, flight management); each function
has its own fault-tolerant computer system, and dependencies among different functions
are generally limited to the exchange of sensor and control data. A by-product of this
“federated” architecture is that faults are strongly contained within the computer system of
the function where they occur and cannot readily propagate to affect the operation of other
functions.
More modern avionics architectures contemplate supporting multiple functions on a
single, shared, fault-tolerant computer system where natural fault containment boundaries
are less sharply defined. Partitioning uses appropriate hardware and software mechanisms
to restore strong fault containment to such integrated architectures.
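The following toy model is an added illustration, not code from the report, of the two kinds of containment that partitioning mechanisms restore: spatial (a function cannot write outside its own memory region) and temporal (a function cannot consume more than its allotted share of the processor). Two functions share one processor and one memory array; one of them is faulty. With partitioning enabled, the kernel confines both misbehaviours to the faulty partition; with it disabled, the same program corrupts the other function's data and delays its schedule, which is the propagation problem the text attributes to unpartitioned integrated architectures. The partition names, memory layout, slice length and operation set are all assumptions chosen for the example.

```python
"""Toy model of spatial and temporal partitioning on a shared computer.

Two avionics functions share one processor and one memory array. One of
them is faulty: it writes outside its own memory region and then runs
far longer than its allotted time. With partitioning enabled, the kernel
contains both faults; with it disabled, they propagate to the other
function, as in an unpartitioned integrated architecture.
(Constructed example; names and layout are illustrative assumptions.)
"""
from dataclasses import dataclass, field

MEMORY_SIZE = 16
SLICE_TICKS = 3   # processor ticks each partition gets per major frame


class PartitionFault(Exception):
    """A partition tried to cross its spatial boundary."""


@dataclass
class Partition:
    name: str
    base: int                 # first memory address this partition owns
    size: int                 # number of addresses it owns
    program: list             # operations, executed one per tick
    pc: int = 0               # index of the next operation to execute
    ticks_run: int = 0
    faults: list = field(default_factory=list)
    frame_starts: list = field(default_factory=list)  # clock value when each slice began


class Kernel:
    def __init__(self, partitions, partitioned=True):
        self.partitions = partitions
        self.partitioned = partitioned
        self.memory = [0] * MEMORY_SIZE
        self.clock = 0

    def _check(self, part, addr):
        """Spatial partitioning: reject any access outside the partition's region."""
        if self.partitioned and not (part.base <= addr < part.base + part.size):
            raise PartitionFault(f"{part.name}: illegal write to address {addr}")

    def _execute(self, part, op):
        kind, *args = op
        if kind == "write":
            addr, value = args
            self._check(part, addr)
            self.memory[addr] = value
        elif kind == "compute":
            pass          # burns a tick, touches no memory
        else:
            raise ValueError(f"unknown op {kind!r}")

    def run_major_frame(self):
        for part in self.partitions:
            part.frame_starts.append(self.clock)
            remaining = len(part.program) - part.pc
            # Temporal partitioning: a fixed slice, however much work is pending.
            # Without it the partition runs until it finishes, so a runaway
            # partition delays every partition scheduled after it.
            budget = min(SLICE_TICKS, remaining) if self.partitioned else remaining
            for _ in range(budget):
                op = part.program[part.pc]
                part.pc += 1
                part.ticks_run += 1
                self.clock += 1
                try:
                    self._execute(part, op)
                except PartitionFault as exc:
                    part.faults.append(str(exc))   # contained: only this partition sees it


def build_system(partitioned=True):
    # Well-behaved function: a short control computation in its own region.
    autopilot = Partition("autopilot", base=0, size=8, program=[
        ("write", 0, 100), ("write", 1, 200), ("compute",),
        ("write", 2, 300), ("compute",), ("compute",),
    ])
    # Faulty function: one legal write, two writes into the autopilot's
    # region, then a long computation that exceeds its time slice.
    faulty = Partition("faulty_fms", base=8, size=8, program=[
        ("write", 8, 1), ("write", 0, 999), ("write", 7, 999),
    ] + [("compute",)] * 10)
    return Kernel([autopilot, faulty], partitioned=partitioned)


def run(frames=2, partitioned=True):
    kernel = build_system(partitioned)
    for _ in range(frames):
        kernel.run_major_frame()
    return kernel


if __name__ == "__main__":
    for mode in (True, False):
        k = run(partitioned=mode)
        ap, fm = k.partitions
        print(f"partitioned={mode}: autopilot memory={k.memory[:8]}, "
              f"autopilot slices began at ticks {ap.frame_starts}, "
              f"faults contained in {fm.name}: {fm.faults}")
```

With partitioning on, the autopilot's region holds exactly the values it wrote, its slice begins at the same offset in every major frame, and the two illegal writes are recorded as faults against the faulty partition alone. With partitioning off, the same faulty program overwrites two autopilot addresses and pushes the autopilot's second slice from tick 6 to tick 19; nothing in the faulty partition itself records that anything went wrong, which is why assurance for partitioning has to rest on the mechanism rather than on the good behaviour of the functions it hosts.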
This report examines the requirements for partitioning, mechanisms for their realization,
and issues in providing assurance for partitioning. Because partitioning shares some
concerns with computer security, security models are reviewed and compared with the
concerns of partitioning.