Safety analysis for integrated modular avionics based on blueprints

The Integrated Modular Avionics (IMA) system has been a core technology for the new generation of aircraft in recent years. It consists of a set of reusable and interoperable common functional modules. However, the highly coupled relationship of resources makes it difficult to identify and control hazards. As an effective and efficient way, blueprints are used to describe and manage the IMA system. Owing to the system management functions provided by the blueprints, we can accurately determine the system resources configuration status, which is crucial for safety analysis. In this paper, we explore the possibility of conducting safety analysis based on blueprints. A safety analysis method based on blueprints is proposed, which applies mathematical logic to describe the logical relationship between targets and resources provided by the blueprints and uses the semi-tensor product of matrix theory to simplify the logical expressions. Based on the mathematical model, we can conduct the fail-safety analysis and identify resource failures that may undermine the IMA system safety.


Introduction
The avionics system is a comprehensive, control- and information-intensive system consisting of hardware and software such as mission management, display control, detection sensors and weapons [1]. Since the end of the last century, the integrated modular avionics system has gradually been applied to the modern aircraft design process, for example on the F22 and A380. Different from the original discrete or federated avionics systems, the IMA system implements a wide range of physical synthesis and functional integration. As shown in Figure 1, in the IMA system a function is not located within a specific processor or line replaceable unit (LRU) [2]. While the system is running, the resources are dynamically allocated to different targets, so the system can be regarded as many variable virtual subsystems. Although the resources sharing mechanism offers many benefits, such as improving mission performance and operational performance and reducing the life cycle cost [3], several problems need to be solved urgently. One of the most important is how to conduct safety analysis after sharing resources widely. Allocating the applications to hardware in an effective and efficient way is also a critical issue. In order to solve the problems above, a concept called "blueprints" is used to describe the IMA system. In 1997, A. Marchetto [4] proposed an IMA system management method using blueprints. He described blueprints as a means of centralizing and organizing the system definition information in such a way that changes of system integration decisions can be transferred, in a controlled and automatic or semi-automatic way, to the target system, simply by altering the appropriate blueprints. The Allied Standards Avionics Architecture Council (ASAAC) incorporated the blueprints into the recommended technology for IMA system management in its guidelines, and fault monitoring and management functions were added to the blueprints.
In the same year, Graham Jolliffe and DM Nicholsan [2] explored the possibilities towards a preliminary safety case for IMA blueprints. Li Qian et al. [5] applied the blueprints technology to a TV-command-guided system in 2009. Furthermore, there has also been much international research on IMA system blueprints design. Shen Y [6] proposed a method for the design and implementation of IMA system blueprints using AADL in 2008, while Haotian Wang et al. [7] modelled the IMA system blueprints based on GSPN and LP in 2013.
Recently, the blueprints technology has been widely regarded as a method to centrally organize and manage the system definition information, and the blueprints are implemented by one or a group of management software components located in the operating system. Besides the system management functions, blueprints can also support safety analysis, because they define the system information. In this paper, we apply mathematical logic to describe the logical relationship between targets and resources provided by the blueprints, and the semi-tensor product of matrix theory is used to simplify the logical expressions. Based on the mathematical model, we can conduct the fail-safety analysis and identify resource failures that may undermine system safety.
The rest of the paper is organized as follows. In Section 2, a brief introduction of the IMA blueprints is given. Section 3 first discusses some basic concepts and related properties of matrix algebra; then, according to the semi-tensor product theory, the IMA system model based on blueprints is proposed. In Section 4, we apply the proposed method to a simple IMA system case. Section 5 gives the concluding remarks.

IMETI 2017
Blueprints technology is a method to centrally organize and manage the system definition information, and the blueprints are implemented by one or a group of management software components located in the operating system. The blueprints can implement the resources configuration and reconfiguration automatically or semi-automatically, which means deterministic management of system resources. The IMA blueprints can be designed with AADL or ADA tools. As shown in Figure 2, the blueprints are usually subdivided into three parts: software blueprints, hardware blueprints and system blueprints. The system blueprints can be further divided into static configuration blueprints and dynamic runtime blueprints.

Figure 2. The IMA System Blueprints
The software blueprints describe the function software resources in terms of runtime requirements, processing and memory requirements and communication requirements, and the hardware blueprints describe the physical system [8]. Together, the software blueprints and hardware blueprints describe the resources set of the IMA system, which is also called the resources pool [9].
The system blueprints guarantee the safe operation of the IMA system. System designers decompose the system targets and determine the resources needed to complete the targets. The decomposition result can be given in the form of a tree, as shown in Figure 3. According to the decomposition result and the resources capacity in the resources pool, the initial resources configuration plan is determined, and the designers record it in the configuration blueprints. System designers also record in the configuration blueprints the reconfiguration plans to apply when some resources fail. The monitoring and management of the running process are completed by the runtime blueprints. For example, when resource R1.3 fails in Figure 4, the system configuration changes into configuration 2.

Matrix algebra
This paper is aimed at the logical relationship between targets and resources provided by the blueprints, and tries to simplify the logic expressions using the semi-tensor product of matrix theory. In this section, we first present some basic concepts and related properties of matrix algebra [10][11][12].
where t = lcm(n, p) is the least common multiple of n and p, and I_k is the identity matrix of order k (the definition this clause completes was lost in extraction).

A B, A B and A B (the product operators were lost in extraction) satisfy the associative law and the distributive law. Furthermore, because the point product is a special case of the left semi-tensor product, this paper makes the following assumption.
Definition 7: Assume that ... (the remainder of the definition was lost in extraction)

IMA blueprints model and safety analysis
Based on the matrix algebra theory shown in Section 3.1, we propose a method to model the IMA blueprints. With the IMA blueprints model, we can find the combinations of dangerous faults which may influence the system safety. Referring to Definition 5, we represent the logical nodes (targets, functions and resources) as binary logical variables. According to the logical relationship between the nodes provided by the blueprints, we build the logical expressions and simplify them with the help of the semi-tensor product of matrix theory. Once we identify the structure matrix of the key targets which may influence the system safety, we can discuss the combinations of dangerous failures by solving the logical equations. The flow chart of modelling and analysing is shown in Figure 5. Taking the simple example shown in Figure 6 to present the process of finding the structure matrix, we represent the logical nodes as t1, f1, f2, r1, r2. The logical expression of t1 in terms of f1, f2, r1 and r2 is formula (11) (the operators of the formula were lost in extraction). According to the theory introduced in Section 3.1, we can convert formula (11) to formula (12), the structure matrix (the matrix itself was lost in extraction).

A simple IMA system case
In this section, we take the radio data processing function as an example. As shown in Figure 7, APP1 represents the voice data processing function while APP2 represents the general data processing function. APP1 has a higher priority than APP2, and we consider APP1 as the key target.

Figure 7. A Simple IMA System Case
According to the order of function priority, the pre-set reconfiguration strategies recorded in the blueprints are as follows:
1) APP1 has a higher priority than APP2;
2) When AIU+DCTR1 fails, stop APP2 and reallocate AIU+DCTR2 to APP1;
3) When SPM1 fails and SPM2 does not fail, use SPM3 to replace SPM1; when SPM1 does not fail and SPM2 fails, use SPM3 to replace SPM2; when SPM1 and SPM2 fail together, there is no change;
4) When NSM1 fails, use NSM2 to replace NSM1.
Similar to Figure 4, we describe the initial configuration plan as follows.
Table 1. (the table did not survive extraction)
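As an added example that is not part of the paper, the modelling procedure of Section 4 applied to the radio data processing case: every node is a binary logical variable, the left semi-tensor product of Section 3 composes the structure matrices of conjunction and disjunction, and the columns of the resulting structure matrix of APP1 that equal the "failed" vector give the dangerous failure combinations. The logical expression for APP1 is our own reading of strategies 2 to 4 above (Table 1 is not available), and the code is ours, not the authors'.

```python
from itertools import product
from math import gcd

def kron(A, B):
    """Kronecker product of two matrices given as lists of rows."""
    return [[a * b for a in ra for b in rb] for ra in A for rb in B]

def matmul(A, B):
    return [[sum(a * b for a, b in zip(ra, cb)) for cb in zip(*B)] for ra in A]

def identity(k):
    return [[int(i == j) for j in range(k)] for i in range(k)]

def stp(A, B):
    """Left semi-tensor product (A kron I_{t/n})(B kron I_{t/p}), t = lcm(n, p),
    with n the column count of A and p the row count of B."""
    n, p = len(A[0]), len(B)
    t = n * p // gcd(n, p)
    return matmul(kron(A, identity(t // n)), kron(B, identity(t // p)))

TRUE, FALSE = [[1], [0]], [[0], [1]]   # delta_2^1 = working, delta_2^2 = failed
M_C = [[1, 0, 0, 0], [0, 1, 1, 1]]     # structure matrix of conjunction
M_D = [[1, 1, 1, 0], [0, 0, 0, 1]]     # structure matrix of disjunction

def AND(x, y): return stp(stp(M_C, x), y)
def OR(x, y): return stp(stp(M_D, x), y)

# Figure 7 resources; app1 below is our assumed reading of strategies 2-4 (Table 1 is lost).
RESOURCES = ["AIU+DCTR1", "AIU+DCTR2", "SPM1", "SPM2", "SPM3", "NSM1", "NSM2"]

def app1(aiu1, aiu2, spm1, spm2, spm3, nsm1, nsm2):
    """Key target APP1: AIU+DCTR2 is reallocated when AIU+DCTR1 fails; SPM3 replaces
    SPM1 only when SPM1 fails and SPM2 does not; NSM2 replaces NSM1 when NSM1 fails."""
    return AND(AND(OR(aiu1, aiu2), OR(spm1, AND(spm2, spm3))), OR(nsm1, nsm2))

def structure_matrix(func, n):
    """2 x 2^n matrix whose column j is func(delta_{2^n}^j): func evaluated on every
    assignment of its n variables in lexicographic order, working before failed."""
    cols = [func(*[TRUE if b == 0 else FALSE for b in bits])
            for bits in product((0, 1), repeat=n)]
    return [[c[r][0] for c in cols] for r in range(2)]

def dangerous_failures(func, names):
    """Minimal sets of failed resources whose column of the structure matrix is
    delta_2^2, i.e. the failure combinations that bring the key target down."""
    M = structure_matrix(func, len(names))
    failing = [frozenset(nm for nm, b in zip(names, bits) if b)
               for j, bits in enumerate(product((0, 1), repeat=len(names))) if M[1][j]]
    minimal = [sorted(s) for s in failing if not any(o < s for o in failing)]
    return sorted(minimal, key=lambda s: (len(s), s))
```

Calling dangerous_failures(app1, RESOURCES) lists the minimal double failures that stop APP1 under this reading; note that the strategy as stated leaves APP1 without SPM3 when SPM1 and SPM2 fail together.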

Concluding remarks
A safety analysis method based on blueprints is proposed, which applies mathematical logic to describe the logical relationship between targets and resources provided by the blueprints and uses the semi-tensor product of matrix theory to simplify the logical expressions. Based on the mathematical model, we can conduct the fail-safety analysis and identify resource failures that may undermine system safety. Adopting the method proposed above, the value of the blueprints is further tapped. Owing to the system management functions provided by the blueprints, we can accurately determine the system resources configuration status, which is crucial for safety analysis.