12.1.3 ARINC - APEX
ARINC 653 (Avionics Application Standard Software Interface) is a software specification for avionics real-time systems that defines how multiple applications are hosted on the same hardware. To decouple the operating system from the application software, ARINC 653 defines an API called APEX (APplication/EXecutive). The goal of APEX is to allow analyzable, safety-critical real-time applications to be implemented, certified and executed. Several critical real-time systems have been successfully built and certified using APEX, including some critical components of the Boeing 777 aircraft.
Traditionally, avionics computer systems have followed a federated approach, in which separate functions are allocated to dedicated (often physically disjoint) computing "black boxes." In recent years ARINC has made a considerable effort to define standards for Integrated Modular Avionics (IMA) [ARI91] that allow physical resources to be saved by sharing them. IMA defines a standard operating system interface for distributed multiprocessor applications with shared memory and network communications, called the Avionics Application Software Standard Interface [ARI96]. The standard outlines the kernel services in pseudo-code.
Physical memory is subdivided into partitions, and software sub-systems occupy distinct partitions at run-time. An off-line cyclic schedule is used to schedule the partitions. Each partition is temporally isolated from the others and cannot consume more processing time than is allocated to it in the cyclic schedule. Each partition contains one or more application processes, with attributes such as period, time capacity, priority and running state. Processes within a partition are scheduled on a fixed-priority basis. Under APEX, a missed deadline is detected only when a rescheduling operation occurs; thus a deadline that expires outside the partition's time-slice is recognized only at the start of the next time-slice for that partition.
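The following is an added example, written for this page and not taken from the book or from any ARINC 653 implementation: a small C model of the temporal partitioning just described. Two partitions get fixed windows from an off-line cyclic schedule; inside each window the partition's processes run by fixed priority; and deadline misses are checked only at rescheduling points, so a deadline that expires while another partition owns the processor is noticed only when the first partition's next window begins. All type and function names (apex_process, apex_partition, reschedule, run_major_frame, run_demo) and the window sizes and deadlines are assumptions made for the illustration, not APEX identifiers.

```c
/* Added example (not from the book or any ARINC 653 product): a model of
 * ARINC 653 temporal partitioning. All names below are assumptions. */
#include <stdio.h>

#define MAX_PROCS 4

/* An application process inside a partition: fixed priority, a job that still
 * needs 'remaining' execution units and must finish by an absolute deadline. */
typedef struct {
    const char *name;
    int priority;   /* higher value = higher priority */
    int remaining;  /* execution units still owed by the current job */
    int deadline;   /* absolute deadline of the current job */
    int missed_at;  /* time at which a miss was detected, -1 if none */
} apex_process;

/* A partition owns a fixed window in the major frame (the off-line schedule). */
typedef struct {
    const char *name;
    int window;     /* time units allotted per major frame */
    int nprocs;
    apex_process procs[MAX_PROCS];
} apex_partition;

/* Rescheduling point inside one partition: expired deadlines are recognized
 * here and nowhere else (as under APEX), then the highest-priority process
 * with work left is chosen. Returns NULL when the partition is idle. */
static apex_process *reschedule(apex_partition *p, int now) {
    apex_process *best = NULL;
    for (int i = 0; i < p->nprocs; i++) {
        apex_process *q = &p->procs[i];
        if (q->remaining > 0 && now >= q->deadline && q->missed_at < 0)
            q->missed_at = now;   /* may be well after the deadline expired */
        if (q->remaining > 0 && (best == NULL || q->priority > best->priority))
            best = q;
    }
    return best;
}

/* Run one major frame starting at t0. Each partition gets exactly its window:
 * a process with work left over simply waits for the partition's next window. */
static int run_major_frame(apex_partition *parts, int n, int t0) {
    int now = t0;
    for (int i = 0; i < n; i++) {
        apex_partition *p = &parts[i];
        int end = now + p->window;
        while (now < end) {
            apex_process *cur = reschedule(p, now);
            if (cur == NULL) break;     /* idle: the window still ends on time */
            cur->remaining--;
            now++;
        }
        now = end;                      /* temporal isolation: never overrun */
    }
    return now;
}

/* Constructed scenario: partition A's process a1 wants 10 units but A only
 * gets 3 per frame, with a deadline at t=5 that expires during B's window.
 * Returns when the miss was detected, b1's leftover work, and the end time. */
void run_demo(int *a1_missed_at, int *b1_remaining, int *t_end) {
    apex_partition parts[2] = {
        { "P_A", 3, 1, { { "a1", 1, 10, 5, -1 } } },
        { "P_B", 3, 1, { { "b1", 1,  2, 8, -1 } } },
    };
    int t = run_major_frame(parts, 2, 0);   /* frame 1: t = 0..6 */
    t = run_major_frame(parts, 2, t);       /* frame 2: t = 6..12 */
    *a1_missed_at = parts[0].procs[0].missed_at;
    *b1_remaining = parts[1].procs[0].remaining;
    *t_end = t;
}

int main(void) {
    int missed, left, t;
    run_demo(&missed, &left, &t);
    printf("a1 deadline 5 detected as missed at t=%d (start of A's next window)\n", missed);
    printf("b1 remaining work: %d, time after two frames: %d\n", left, t);
    return 0;
}
```

The point to watch in the scenario is that a1's deadline (t=5) expires while partition B owns the processor; A's scheduler only sees it at t=6, when its next window begins. Any monitoring that relies on prompt miss reporting must account for this latency, which is bounded by the major frame length.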
Communication between processes in different partitions occurs via message passing over logical ports and physical channels. Currently, APEX restricts such messages to a single sender and a single receiver. Physical channels are established at initialization time, and many ports may be mapped to a single channel. Two types of messages are supported: Sampling Messages, where the arrival of a new message overwrites the previous one and reading does not consume the message; and Queuing Messages, where messages are enqueued in FIFO order and the read operation is destructive. A sender blocks when the buffer is full, and a receiver blocks when the buffer is empty. Processes within a partition can communicate using a variety of facilities, including conventional buffers, semaphores and events, but none of these mechanisms are visible outside the partition.
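The following is an added example, not taken from the book or from any ARINC 653 implementation, that models the two inter-partition message types in C: a sampling port (single slot, overwrite on arrival, non-consuming reads) beside a queuing port (bounded FIFO, destructive reads). Real APEX blocks the caller on a full or empty queuing buffer; since this model has no threads, that condition is reported as a status code instead. The type and function names (sampling_port, queuing_port, sampling_write, queuing_send, and so on), the queue depth and the message contents are assumptions made for the illustration.

```c
/* Added example (not from the book or any ARINC 653 product): a model of
 * APEX sampling and queuing ports. All names and sizes are assumptions. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define MSG_MAX 32
#define QUEUE_DEPTH 3

typedef enum { APEX_OK = 0, APEX_WOULD_BLOCK = 1 } port_status;

/* Sampling port: one slot; a new message overwrites the old one and a read
 * leaves the message in place, so every reader sees the latest value. */
typedef struct {
    char msg[MSG_MAX];
    int len;
    bool valid;           /* false until the first write */
} sampling_port;

void sampling_write(sampling_port *p, const char *m) {
    size_t n = strlen(m);
    if (n >= MSG_MAX) n = MSG_MAX - 1;      /* truncate rather than overflow */
    memcpy(p->msg, m, n);
    p->msg[n] = '\0';
    p->len = (int)n;
    p->valid = true;
}

/* Returns the message length, or -1 if nothing has been written yet. */
int sampling_read(const sampling_port *p, char *out) {
    if (!p->valid) return -1;
    memcpy(out, p->msg, (size_t)p->len + 1);  /* includes the terminator */
    return p->len;
}

/* Queuing port: bounded FIFO ring; send on full and receive on empty would
 * block the caller under APEX, modelled here by APEX_WOULD_BLOCK. */
typedef struct {
    char q[QUEUE_DEPTH][MSG_MAX];
    int head;             /* index of the oldest message */
    int count;            /* messages currently queued */
} queuing_port;

port_status queuing_send(queuing_port *p, const char *m) {
    if (p->count == QUEUE_DEPTH) return APEX_WOULD_BLOCK;
    int tail = (p->head + p->count) % QUEUE_DEPTH;
    strncpy(p->q[tail], m, MSG_MAX - 1);
    p->q[tail][MSG_MAX - 1] = '\0';
    p->count++;
    return APEX_OK;
}

/* Destructive read: the oldest message is handed out and removed. */
port_status queuing_receive(queuing_port *p, char *out) {
    if (p->count == 0) return APEX_WOULD_BLOCK;
    memcpy(out, p->q[p->head], MSG_MAX);
    p->head = (p->head + 1) % QUEUE_DEPTH;
    p->count--;
    return APEX_OK;
}

int main(void) {
    char buf[MSG_MAX];
    sampling_port s; memset(&s, 0, sizeof s);
    queuing_port q;  memset(&q, 0, sizeof q);

    /* Constructed sample traffic: two altitude samples, the second wins. */
    sampling_write(&s, "alt=100");
    sampling_write(&s, "alt=101");
    sampling_read(&s, buf); printf("sampling read 1: %s\n", buf);
    sampling_read(&s, buf); printf("sampling read 2: %s (still there)\n", buf);

    /* Queuing: a fourth send on a depth-3 queue would block the sender. */
    queuing_send(&q, "cmd1"); queuing_send(&q, "cmd2"); queuing_send(&q, "cmd3");
    printf("4th send: %s\n", queuing_send(&q, "cmd4") == APEX_WOULD_BLOCK ? "would block" : "ok");
    while (queuing_receive(&q, buf) == APEX_OK) printf("received %s\n", buf);
    return 0;
}
```

The sampling port's bounded write and fixed-size slots are deliberate: because ports are the only channel out of a partition, a port implementation that could be overrun by a malformed message would undermine the spatial isolation the partition scheme is meant to provide.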