Architecture Design of Aviation Fault-tolerant Computer Based on ARINC659 Bus Technology

. The ARINC659 backplane bus is suitable for high safety and high reliability requirements of aircraft on-board computer communication systems. This paper analyzes the structure of ARINC 659 serial backplane bus and the bus fault tolerance mechanism. On the basis of backplane bus, a 4 degree of aviation fault-tolerant computer is designed. Moreover, the computer architecture and computer system of the instruction branch and monitoring branch are designed in the computer channel. The fault-tolerant management of the computer is realized by bus fault tolerance, redundancy voting between computers and the monitoring of the instruction and monitoring branches.


Introduction
With the rapid development of avionics, the aircraft relies more and more on Avionics systems.In order to realize the coordination of each air system, grasp and deal with the changing data information at any time, achieve the sharing of resources, so that the entire avionics system and integrated, and can efficiently and reliably work, then it must rely on high speed, reliable, aviation data bus standard [1].
Airborne data bus technology is one of the most important key technologies of Avionics Integration in modern aircraft.With the development of avionics system, new requirements have been put forward for airborne data bus, which has promoted the development of airborne data bus, and the airborne data bus determines the degree of integration of avionics systems.As the skeleton and nerve of avionics system, data bus plays an important role in avionics system, and it promotes each other synchronously with the development of avionics technology [2].
The ARINC 659 avionics data bus by the Aeronautical Radio Incorporation in 1993 to meet the bus standard proposed for efficient aircraft information transmission requirements, and has been used in commercial aviation, aircraft such as the Boeing 777 aircraft information management system.ARINC 659 is a kind of air bus with high data throughput, high fault tolerance and data certainty.The transmission rate is 60Mb/s and the coding efficiency is 98%.There is no need to transmit address information in transmission data, and 4 channel signals are used for error detection.The fault tolerance is better than the traditional double redundancy, and the complexity is lower than the a An_gang@163.com;b kingliyu@sina.com;c 370713464@qq.comtraditional 4 redundancy.It can be used in the field of aviation, navigation, spaceflight and other bad working conditions.

Bus structure
The ARINC 659 bus specification is a standard for the development of digital data information transmission between modular Modular Avionics devices and field replaceable modules, and is a specification for the requirements of LRM.This specification describes the electrical characteristics and bus characteristics required for the integrated backplane avionics bus.Specifications specify the protocol, timing, speed, and physical characteristics of the bus.The ARINC 659 bus is a serial backplane bus, which reduces the hardware resources, simplifies the mode of operation and the bus monitoring mode.
The ARINC 659 bus is a half duplex, dual -dual serial data bus.Divided into A, B bus, X bus and Y containing each of the two sets of bus, there are AX, AY, BX, BY bus redundant information transmission.Each bus contains an independent clock line and two data lines, while transmitting two bits of data, so the full bus contains 12 signal lines.Bus monitoring is double redundancy, through the method of election input and cross comparison detection, the fault detection is carried out to ensure the high reliability data transmission [3].
The clock frequency of the ARINC 659 bus is 30MHz.At the same time, two bit data is transmitted, and the maximum throughput is close to 60 megabits per second (Mbps).The ARINC-659 bus uses the BTL bus driver, and the BTL driver is an open collector device with line or capability.The ARINC-659 bus structure is shown in figure 1.

Bus fault-tolerance
The advantage of serial transmission lies in: Reduce hardware, simplify full concurrent monitoring, and therefore improve the reliability of the bus.To improve availability, each bus interface unit BIU (Bus Interface Unit) is connected to the two bus.Each line replaceable unit using dual LRM bus interface unit, cross check between the bus interface unit between four bus also cross check, the online replaceable unit LRM with dual self-test capability.Cross validation between four buses improves the availability of data.
By accessing the TDPA ( The ARINC 659 bus is a dual -dual configuration bus consisting of dual bus pairs (A and B).Each bus pair consists of a "X" and a "Y" bus.Each bus (Ax, Ay, Bx, and By) has a separate clock and two data lines, capable of transmitting two bit data at the same time.Thus, a complete bus group is composed of 12 bus transmission lines.The ARINC 659 bus is organized as shown in figure 2.

Figure 2. Bus constitution
Each online replaceable unit, LRM, has two bus interface units, BIU (BIUx and BIUy).BIUx transmits through the X bus transmission line, and the BIUy transmits through the Y bus transmission line.Each bus interface unit receives the data information of all four buses.Each bus is driven by an independent transceiver in the LRM to prevent single faults from adversely affecting more than one bus (for example, each online replaceable module has four transceivers).
By reasonably designing the physical layer, the complexity and overhead of message structure are reduced:  Each individual clock eliminates the preamble that is used for clock phase synchronization. Double bus comparison eliminates the need for cyclic redundancy check (CRC) and other error control fields. The table driven protocol addressing save implicit contains the address field. The timing function of the table driven proportional access protocol eliminates the start and end characters.The use of these technologies makes the ARINC 659 bus more efficient than other bus protocols.These technologies also make minimum transmission delay, which is very important for real-time systems.
When the receiver performs error detection and correction over the redundant bus, the receiver performs the following comparisons: Ax=Ay, Bx=By, Ax=By, and Bx=Ay.The bus pairs in these alignments are called signal pairs.Comparisons between Ax=Bx and Ay=By are invalid because these signals come from the same hardware source and may have related errors from the same source.Because of the error detection of four effective signal pairs, the fault tolerance of ARINC 659 bus is better than the traditional double redundancy, and it has less complexity than the traditional four redundancy.
The ARINC 659 bus has been designed as a backplane bus that can correct all single path errors and detect all double faults.Errors in all single bus interface units can be detected by the ARINC 659 bus.All parts of the bus system are fully monitored.All operations are double operations.Relying on multi-point double detection, the integrity of the operation path is guaranteed.

Overall architecture
In order to achieve the security and reliability level of the system, the computer architecture must consider the reliability, security and other aspects of the computer system.Redundant technology, as well as a framework for supporting resource sharing and refactoring, is the best way to ensure security and reliability metrics at the moment [4].The open, modular architecture provides excellent support for system refactoring, system extensions, and system maintenance.
High security 4x2 computer fault tolerant redundancy configuration architecture, 4 redundancy computer system consists of 4 identical chassis components, each box contains a channel, the system is divided into 4 channels, numbered A, B, C, D. Each channel adopts two CPU boards with non similar design, and realizes the task function of the system arrangement by instruction and monitoring [5].Each channel of the computer is centered on the ARINC 659 serial backplane bus, and each function board is connected to the bus in the form of resources.Each function board is an intelligent node, which contains a processor or microcontroller to regulate and monitor the signal on the function board.All the functions are transmitted by serial bus in digital way.The CPU board is the system function computing resources, which consists of a time triggered bus to work, the calculation results on the data sending buffer, to other functions in the corresponding time slot transmission, bus time slot division as shown in figure 3.

T1 T9 T2 T8
Figure 3. Backplane time slot division Under the control of the board micro controller, the interface function board carries on the signal collection work at all times, and obtains the signal of the sensor in real time, and can carry on the data transmission at any time.At the same time, the micro controller responds to the commands transmitted by the bus in real time and performs the corresponding operation [6].
Data exchanges between redundant channels are performed by means of CCDL.Data transmission CCDL directly with the serial backplane bus connection, serial backplane bus data of four redundant channels of all connected, namely the backplane bus data is forwarded to the other case through the form of LVDS, while receiving other case data sent, the redundant system architecture in a unified "virtual".On.Each function board system between can exchange information, each function module is the system can be shared and resource reconfiguration of resources, this system can reach, to the function module for dynamic resource reconfiguration and system fault tolerance system to achieve the minimum unit.The block diagram of the computer system is shown in figure 4.

Computer composition
High security fault-tolerant computer, each channel internal resource composition of the same, single channel computer module units, as shown in Figure 5, described in detail below:  The instruction processor (CCPU) module: Calculation and management of the core, the main task is to control instruction solution and redundancy management, the basic work is the process of signal of various kinds of sensor redundancy management, and then use the voting results of control instruction calculation, then the output signal from the external command, I/O module to complete the corresponding control action. Monitoring processor (MCPU) module: synchronous acquisition and operation with CCPU board, but not external output instruction.Monitoring channel only transmits test data, and monitors all input and output data of CCPU.The output instruction signal of the monitoring channel is used to detect whether the instruction channel is out of order. Discrete quantity input output (DIO) module: discrete digital signal input and output processing. Analog input (AIN) module: analog signal input processing. Analog output (AOUT) module: analog signal output processing. Multi bus interface (MBI) module: according to the different uses and requirements of the computer, such as: MIL-1553B bus interface, ARINC429 bus interface, AFDX bus interface, and some necessary serial bus interface. Bus bridge transmission (BST) module: responsible for the exchange of the redundancy between computers and ARINC 659 bus data sharing, the backplane mode conversion for the cable model, in the form of LVDS is forwarded to the other LRM, is a continuation of the bus signal, the back signal in the conversion of computer level and transmission, to achieve more than cross communication data link the degree of inter channel (CCDL). Power supply (PS) module: 2-redundant power supply. Backplane (BP): ARINC 659 backplane bus as communication medium, module signal interconnection.

Redundancy management
In order to meet the requirements of high reliability, high security, aviation computer, improve the ability of fault, in the existing basic components on the basis of the reliability, redundancy design and redundancy management technology can greatly enhance the ability of fault tolerance.Redundancy management refers to the simultaneous execution of several units in a system that perform the same task, so that if a unit fails, it can be switched.This method is now widely used, and it can greatly improve the reliability of the system [7].
The working principle of monitoring put is: a link in the system using a plurality of identical components or tasks, and then put their output results of monitoring, out of which the most reasonable result to the next step, in order to achieve shielding failure of components or tasks, improve the reliability of the data output.Relatively common voting algorithms include arithmetic, average voting, majority voting, median voting, etc. [8].
Before the signal is transmitted into the computer channel, the first monitoring voting is carried out, i.e., the input signal is voted.The computer collects analog signals of each sensor or discrete signals of other controllers as input.Each of the redundant computers collects analog or discrete quantities for CCDL and votes through a voter.After comparing the signal with the maximum and minimum threshold to determine the validity of the signal, the result is taken as a median output.The discrete quantity is determined by the corresponding truth table in the logical circuit, and the result is 1 or 0.
After the input signal is voted, the result is computed by the computer, and then the second monitoring vote is carried out.The signals are computed simultaneously on the CCPU and MCPU in the same LRM, and then the results are compared.If the results are the same, the calculation results are correct.Outputs the result through the CCPU to the bus, carries on the third surveillance voting.
CCPU outputs the calculated results, and compares the results of the four channel CCPU with the output signals.The voting algorithm of the output signal is the same as that of the input signal voting algorithm.The voting process is shown in figure 6.During the operation of the 4-redundancy master computer, each computer itself is W, and the identity of the remaining two computers is X, Y, Z. Thus, the correspondence between A, B, C, D, four computers and W, X, Y, and Z is as follows:

Signal acquisition
 Cross channel data transmission process The signal voting is reconstructed by the monitoring result of the monitor, determined and excluded the fault signal, and announced the system to input the channel at this time [9].The basic voting principle of analog quantity in this system is:  The 4 channel signal is effective, the voter takes the mean of this cycle, the second and the small. The 3 channel signal is effective, The voter takes the median of the 3 signals in this cycle. The 2 channel signal voting, the voter takes the mean of the 2 signals in this cycle. The 1 channel signal voting, when the corresponding sensor only has an effective channel, the input of the effective channel is the output of the voter.Vote between CCPU and MCPU.Because the CCPU and MCPU double redundancy, the input signal through the input after the vote and input to the CCPU and MCPU are calculated, calculation results, through the MCPU bus to transmit the data to CCPU, CCPU will receive the data and the

Conclusions
The ARINC659 bus has high data throughput, strict fault isolation, data transmission, encoding efficiency, data transmission process does not need to transmit the address information, has the advantages of good fault tolerance, suitable for high security, high reliability and high integrated aircraft for computer communication system.The ARINC659 bus as the computer motherboard bus communication standard, 4 redundant computer design is composed of command channel and monitoring channel with self monitoring ability.The computer carries on the signal conversion through the BST, thus realizes the CCDL communication between computers.The signal input and instruction output between 4 redundant computers are designed, and the two level monitoring voting surface is used to decide the input and output information.And through the MCPU set in the computer, the CCPU instruction operation results are monitored in real time, thus ensuring the correctness of the single computer channel instruction.The fault tolerance performance of ARINC659 bus redundancy analysis, computer architecture design and matching computer redundancy management strategy, which can satisfy the requirement of high security, high reliability and fault tolerance requirements of airborne computer.

Figure 7 .
Figure 7. Cross channel data transmission processThe signal voting is reconstructed by the monitoring result of the monitor, determined and excluded the fault signal, and announced the system to input the channel at this time[9].The basic voting principle of analog quantity in this system is: The 4 channel signal is effective, the voter takes the mean of this cycle, the second and the small. The 3 channel signal is effective, The voter takes the median of the 3 signals in this cycle. The 2 channel signal voting, the voter takes the mean of the 2 signals in this cycle. The 1 channel signal voting, when the corresponding sensor only has an effective channel, the input of the effective channel is the output of the voter.Vote between CCPU and MCPU.Because the CCPU and MCPU double redundancy, the input signal through the input after the vote and input to the CCPU and MCPU are calculated, calculation results, through the MCPU bus to transmit the data to CCPU, CCPU will receive the data and the

MATECFigure 8 .
Figure 8. Voting process of CCPU and MCPU  Input signals for input data voting, the voting results will be passed to CCPU and MCPU. MCPU and CCPU simultaneous calculation, MCPU will transfer the results of the calculation to CCPU, compare each other to vote. CCPU will vote data results transferred to BST for lower level voting.
Table Driven Proportional Access) protocol by table driven ratio, the ARINC 659 bus makes a deterministic division of time and space.It is controlled by commands stored in the nonvolatile command table memory in each bus interface unit BIU.
Voting process  CCPU collecting input discrete signals and analog signals, and signal processing.Monitor and vote the collected input signals.The effective value of the selected value in the analog signal is calculated by the average value, and the final voting result is obtained.The discrete signal is processed according to the logic circuit corresponding to the truth table.Pass the result of voting to CCPU and MCPU for calculation.Since CCPU and MCPU are dual redundant, the results are compared and the results are valid or invalid.The effective data is transmitted directly to the next processing unit or device, and the output results are voted on the next computing node.The output vote of the computing node is the input vote of the next computing node.Voting for 4 channel computers relies entirely on CCDL implementation.The 4 computers are represented by W, X, Y, and Z respectively.