ARINC 653

Last updated July 27, 2023

ARINC 653 (Avionics Application Software Standard Interface) is a software specification for space and time partitioning in safety-critical avionics real-time operating systems (RTOS). It allows the hosting of multiple applications of different software levels on the same hardware in the context of an Integrated Modular Avionics architecture.^[1]

Overview

In order to decouple the real-time operating system platform from the application software, ARINC 653 defines an API called APplication EXecutive (APEX).

Each application software is called a partition and has its own memory space. It also has a dedicated time slot allocated by the APEX API. Within each partition, multitasking is allowed. The APEX API provides services to manage partitions, processes and timing, as well as partition/process communication and error handling. The partitioning environment can be implemented by using a hypervisor ^[2] to map partitions to virtual machines, but this is not required.

The standard is overseen by the AEEC APEX Subcommittee.

History

Part 1 (mandatory services): ARINC 653 partition management, Cold start and warm start definition, Application software error handling, ARINC 653 compliance, Ada and C language bindings;
Part 2 (optional services): File system access, Data logging, Service Access points, ...
Part 3 (Conformity Test Specification);

Current Organization of Standard

Part 0 - Introduction to ARINC 653 (currently at revision 3, released November 2021)^[4]

Part 1 - Required Services (currently at revision 5, released December 2019)^[5]
Part 2 - Extended Services (currently at revision 4, released December 2019)^[6]
Part 3A - Conformity Test Specification for Required Services (currently at revision 2, released November 2021)^[7]
Part 3B - Conformity Test Specification for Extended Services (currently at revision c1, released July 2019)^[8]
Part 4 - Subset Services (currently at revision 0, released June 2012)^[9]
Part 5 - Core Software Recommended Capabilities (currently at revision 1, released August 2019)^[10]

Basic principles of partitioning

ARINC 653 Platform

An ARINC 653 platform contains:

A hardware platform allowing real-time computing deterministic services.
An abstraction layer managing the timer and space partitioning constraints of the platform (memory, CPU, Input/output).
An implementation for the ARINC 653 services (the APEX API).
An interface to be able to configure the platform and its domain of use.
Various instrumentation tools.

Initialization

Initialization of an ARINC 653 partition creates resources used by the partition. Resources creation (PROCESS, EVENT, SEMAPHORE...) is performed by calling API services named CREATE_xxxx.

Error handling

The process error handler is a preemptive process of the highest priority dedicated to handle partition exceptions. It is created by the service CREATE_ERROR_HANDLER during partition initialization.

The API allows the error handler to stop a faulty process (STOP_SELF). In that case, the RTOS scheduler will elicit the next process with the highest priority.

ARINC 653 does not specify how the scheduler should behave if the error handler does not stop a faulty process. In some (theoretical) cases, this could lead to an infinite loop between the faulty process and the error handler.

The error handler can obtain information about the source and the context of the exception.

Mode management

Each partition can be in several activation modes:

COLD_START and WARM_START: Only the initialization process is executed,
NORMAL: The initialization process is stopped, and the other partition processes are called by the RTOS scheduler depending on their priority,
IDLE: No process is executed. However an implementation could still in theory execute a hidden process of the lowest priority, for example to start an infinite loop.

The SET_PARTITION_MODE service allows to manage these states. It can be called by any process in the partition. Entering the IDLE state is irreversible for the partition. Only an external event (such as a platform restart) can change the state to another mode when the partition is in this state.

Partition and process scheduling

The standard defines a two-level hierarchical schedule. The first level schedules the partitions. This is a round-robin, fixed schedule that repeats a Major Time Frame. The Major Time Frame schedules each partition in a fixed duration Minor Time Frame with a fixed offset from the start of the Major Time Frame.

Within the Minor Time Frame, the second level uses process scheduling. Each partition has at least one process. Process scheduling within a Minor Time Frame is preemptive. The scheduler is called either by a timer or by API services.

Multicore

ARINC 653 P1-5 was updated to address multicore processor architectures. Section 4.2.1 "O/S Multicore Implementation Compliance" indicates that an OS designed for multi-core processing should support two cases:

Use of multiple cores by a single partition (whose processes span multiple cores)
Use of multiple cores by multiple partitions

The position paper CAST-32A defines a set of requirements and guidance that should be met to certify and use multi-core processors in civil aviation by FAA and is expected to be replaced by an Advisory Circular, AC 20-193. The European Union aviation authority, EASA, published AMC 20-193 in January 2022.^[11]

API services

The ARINC 653 APEX services are API calls belonging in six categories:

Partition management
Process management
Time management
Inter-partition communication
Intra-partition communication
Error handling

No ARINC 653 services are provided for the memory management of partitions. Each partition has to handle its own memory (still under the constraints of memory partitioning enforced by ARINC 653).

Each service returns a RETURN_CODE value which indicates if the call has been successful:

NO_ERROR: the service performed nominally after a valid request
NO_ACTION: the state of the system has not changed after executing the service
NOT_AVAILABLE: the service is temporarily unavailable
INVALID_PARAM: at least one of the service's parameters is invalid
INVALID_CONFIG: at least one of the service's parameters is incompatible with the current configuration of the system
INVALID_MODE: the service is incompatible with the current mode of the system
TIMED_OUT: the delay for the execution of the service has expired

Links to POSIX and ASAAC

The field covered by ARINC 653 is similar to ASAAC Def Stan 00-74. However, there are differences between the two standards.^[12]

Some ARINC 653 (APEX) calls have a POSIX equivalent, but are different from how they are defined in POSIX.^[12]

For example, the following call defined in ASAAC:

 receiveBuffer

would be translated in ARINC 653 by:

 RECEIVE_BUFFER()

and also in POSIX by:

 recv()

Related Research Articles

The Portable Operating System Interface is a family of standards specified by the IEEE Computer Society for maintaining compatibility between operating systems. POSIX defines both the system and user-level application programming interfaces (APIs), along with command line shells and utility interfaces, for software compatibility (portability) with variants of Unix and other operating systems. POSIX is also a trademark of the IEEE. POSIX is intended to be used by both application and system developers.

QNX is a commercial Unix-like real-time operating system, aimed primarily at the embedded systems market. QNX was one of the first commercially successful microkernel operating systems.

RTLinux is a hard realtime real-time operating system (RTOS) microkernel that runs the entire Linux operating system as a fully preemptive process. The hard real-time property makes it possible to control robots, data acquisition systems, manufacturing plants, and other time-sensitive instruments and machines from RTLinux applications. The design was patented. Despite the similar name, it is not related to the Real-Time Linux project of the Linux Foundation.

Nucleus RTOS is a real-time operating system (RTOS) produced by the Embedded Software Division of Mentor Graphics, a Siemens Business, supporting 32- and 64-bit embedded system platforms. The operating system (OS) is designed for real-time embedded systems for medical, industrial, consumer, aerospace, and Internet of things (IoT) uses. Nucleus was released first in 1993. The latest version is 3.x, and includes features such as power management, process model, 64-bit support, safety certification, and support for heterogeneous computing multi-core system on a chip (SOCs) processors.

Aeronautical Radio, Incorporated (ARINC), established in 1929, was a major provider of transport communications and systems engineering solutions for eight industries: aviation, airports, defense, government, healthcare, networks, security, and transportation. ARINC had installed computer data networks in police cars and railroad cars and also maintains the standards for line-replaceable units.

The Linux kernel provides several interfaces to user-space applications that are used for different purposes and that have different properties by design. There are two types of application programming interface (API) in the Linux kernel that are not to be confused: the "kernel–user space" API and the "kernel internal" API.

Avionics Full-Duplex Switched Ethernet (AFDX), also ARINC 664, is a data network, patented by international aircraft manufacturer Airbus, for safety-critical applications that utilizes dedicated bandwidth while providing deterministic quality of service (QoS). AFDX is a worldwide registered trademark by Airbus. The AFDX data network is based on Ethernet technology using commercial off-the-shelf (COTS) components. The AFDX data network is a specific implementation of ARINC Specification 664 Part 7, a profiled version of an IEEE 802.3 network per parts 1 & 2, which defines how commercial off-the-shelf networking components will be used for future generation Aircraft Data Networks (ADN). The six primary aspects of an AFDX data network include full duplex, redundancy, determinism, high speed performance, switched and profiled network.

Real-Time Executive for Multiprocessor Systems (RTEMS), formerly Real-Time Executive for Missile Systems, and then Real-Time Executive for Military Systems, is a real-time operating system (RTOS) designed for embedded systems. It is free and open-source software.

<span class="mw-page-title-main">OS2000</span> Real-time operating system

Baget RTOS is a real-time operating system developed by the Scientific Research Institute of System Development of the Russian Academy of Sciences for a MIPS architecture and Intel board support packages (BSPs). Baget is intended for software execution in a hard real-time embedded systems (firmware).

PikeOS is a commercial, hard real-time operating system (RTOS) that offers a separation kernel based hypervisor with multiple logical partition types for many other operating systems (OS), each called a GuestOS, and applications. It enables users to build certifiable smart devices for the Internet of things (IoT) according to the high quality, safety and security standards of different industries. For safety and security, critical real-time applications on controller-based systems without memory management unit (MMU) but with memory protection unit (MPU) PikeOS for MPU is available.

Integrated modular avionics (IMA) are real-time computer network airborne systems. This network consists of a number of computing modules capable of supporting numerous applications of differing criticality levels.

The Simple API for Grid Applications (SAGA) is a family of related standards specified by the Open Grid Forum to define an application programming interface (API) for common distributed computing functionality.

Lynx Software Technologies, Inc. is a San Jose, California software company founded in 1988. Lynx specializes in secure virtualization and open, reliable, certifiable real-time operating systems (RTOSes). Originally known as Lynx Real-Time Systems, the company changed its name to LynuxWorks in 2000 after acquiring, and merging with, ISDCorp, an embedded systems company with a strong Linux background. In May 2014, the company changed its name to Lynx Software Technologies.

SYSGO GmbH is a German information technologies company that supplies operating systems and services for embedded systems with high safety and security-related requirements, using Linux. For security-critical applications, the company offers the Hypervisor and RTOS PikeOS, an operating system for multicore processors and the foundation for intelligent devices in the Internet of Things (IoT).

Allied Standards Avionics Architecture Council, or ASAAC, is an effort to define and validate a set of Open Architecture Standards for Avionics Architecture, particularly in the field of Integrated Modular Avionics.

LynxSecure is a least privilege real-time separation kernel hypervisor from Lynx Software Technologies designed for safety and security critical applications found in military, avionic, industrial, and automotive markets.

ARINC 818: Avionics Digital Video Bus (ADVB) is a video interface and protocol standard developed for high bandwidth, low-latency, uncompressed digital video transmission in avionics systems. The standard, which was released in January 2007, has been advanced by ARINC and the aerospace community to meet the stringent needs of high performance digital video. The specification was updated and ARINC 818-2 was released in December 2013, adding a number of new features, including link rates up to 32X fibre channel rates, channel-bonding, switching, field sequential color, bi-directional control and data-only links.

XtratuM is a bare-metal hypervisor specially designed for embedded real-time systems available for the instruction sets LEON2/3/4, ARM v7 and V8 processors and RISC V processor.

An application programming interface (API) is a way for two or more computer programs to communicate with each other. It is a type of software interface, offering a service to other pieces of software. A document or standard that describes how to build or use such a connection or interface is called an API specification. A computer system that meets this standard is said to implement or expose an API. The term API may refer either to the specification or to the implementation.

Cyphal is a lightweight protocol designed for reliable intra-vehicle communications using various communications transports, originally destined for CAN bus, but targeting various network types in subsequent revisions. OpenCyphal is an open-source project that aims to provide MIT-licensed implementations of the Cyphal protocol. The project was known as UAVCAN prior to rebranding in March 2022.

References

↑ "ARINC 653 - An Avionics Standard for Safe, Partitioned Systems" (PDF). Wind River Systems / IEEE Seminar. August 2008. Archived from the original (PDF) on 2009-10-07. Retrieved 2009-05-30.
↑ VanderLeest, S. H. (2010-10-01). "ARINC 653 hypervisor". 29th Digital Avionics Systems Conference. pp. 5.E.2–1–5.E.2–20. doi:10.1109/DASC.2010.5655298. ISBN 978-1-4244-6616-0. S2CID 5784484.
↑ "Product Focus: ARINC 653 and RTOS". aviationtoday.com. 2004-07-01. Archived from the original on 2009-12-03. Retrieved 2009-05-30.
↑ "Avionics Application Software Standard Interface: ARINC Specification 653 Part 0". Aeronautical Radio, Inc. 2019-12-23. Archived from the original on 2022-02-03.
↑ "Avionics Application Software Standard Interface: ARINC Specification 653P1-3, Required Services". Aeronautical Radio, Inc. 2022-02-04. Archived from the original on 2020-08-12. Retrieved 2022-02-04.
↑ "Avionics Application Software Standard Interface: ARINC Specification 653P2-2, Part 2, Extended Services". Aeronautical Radio, Inc. 2019-12-23. Archived from the original on 2020-08-12. Retrieved 2022-02-04.
↑ "653P3A-2 Avionics Application Software Standard Interface, Part 3A, Conformity Test Specifications for ARINC 653 Required Services". SAE ITC. 2021-11-17. Retrieved 2022-02-04.
↑ "653P3Bc1 Avionics Application Software Standard Interface, Part 3B, Conformity Test Specifications for ARINC 653 Extended Services". SAE ITC. 2019-07-18. Retrieved 2022-02-04.
↑ "Avionics Application Software Standard Interface: ARINC Specification 653 Part 4, Subset Services". Aeronautical Radio, Inc. 2012-06-01. Archived from the original on 2012-08-25. Retrieved 2013-10-20.
↑ "653P5-1 Avionics Application Software Standard Interface, Part 5, Core Software Recommended Capabilities". SAE ITC. 2019-08-07. Retrieved 2022-02-04.
↑ ""AMC-20 Amendment 23"". EASA. 2022-12-26. Retrieved 2022-12-22.
1 2 "Flexibility and Manageability of IMS Projects" (PDF). University of York . Retrieved 2008-07-27.