Partitioning in Avionics Architectures: Requirements, Mechanisms, and Assurance

John Rushby

NASA Contractor Report CR-1999-209347. Also issued by the FAA as DOT/FAA/AR-99/58 (pdf)

Abstract

Automated aircraft control has traditionally been divided into distinct "functions" that are implemented separately (e.g., autopilot, autothrottle, flight management); each function has its own fault-tolerant computer system, and dependencies among different functions are generally limited to the exchange of sensor and control data. A by-product of this "federated" architecture is that faults are strongly contained within the computer system of the function where they occur and cannot readily propagate to affect the operation of other functions.

More modern avionics architectures contemplate supporting multiple functions on a single, shared, fault-tolerant computer system where natural fault containment boundaries are less sharply defined. Partitioning uses appropriate hardware and software mechanisms to restore strong fault containment to such integrated architectures.

This report examines the requirements for partitioning, mechanisms for their realization, and issues in providing assurance for partitioning. Because partitioning shares some concerns with computer security, security models are reviewed and compared with the concerns of partitioning.

gzipped postscript, or plain postscript or PDF or crude ascii (for your Palm Pilot)

BibTeX Entry

@TECHREPORT{Rushby99:partitioning,
	AUTHOR = {John Rushby},
	TITLE = {Partitioning for Avionics Architectures:
		Requirements, Mechanisms, and Assurance},
	INSTITUTION = {NASA Langley Research Center},
	YEAR = 1999,
	TYPE = {NASA Contractor Report},
	NUMBER = {CR-1999-209347},
	MONTH = jun,
	NOTE = {Also to be issued by the FAA}
}
Having trouble reading our papers?
Return to the Formal Methods Program home page
Return to the Computer Science Laboratory home page