ARINC 653

Last updated December 06, 2024

ARINC 653 (Avionics Application Software Standard Interface) is a software specification for space and time partitioning in safety-critical avionics real-time operating systems (RTOS). It allows the hosting of multiple applications of different software levels on the same hardware in the context of an Integrated Modular Avionics architecture.^[1]

Overview

In order to decouple the real-time operating system platform from the application software, ARINC 653 defines an API called APplication EXecutive (APEX).

Each application software is called a partition and has its own memory space. It also has a dedicated time slot allocated by the APEX API. Within each partition, multitasking is allowed. The APEX API provides services to manage partitions, processes and timing, as well as partition/process communication and error handling. The partitioning environment can be implemented by using a hypervisor ^[2] to map partitions to virtual machines, but this is not required.

The standard is overseen by the AEEC APEX Subcommittee, which is co-chaired by representatives from Airbus (currently Pierre Gabrilot) and Boeing (currently Steven H. VanderLeest).

History

Initial version

The initial version of ARINC 653 was published on October 10, 1996.

ARINC 653-1

Supplement 1 was published in January 1997 and introduced the concepts of APEX and Time and Space partitioning.

ARINC 653-2

Supplement 2 was published in 3 parts between March 2006 and January 2007:^[3]

Part 1 (mandatory services): ARINC 653 partition management, Cold start and warm start definition, Application software error handling, ARINC 653 compliance, Ada and C language bindings;
Part 2 (optional services): File system access, Data logging, Service Access points, ...
Part 3 (Conformity Test Specification);

Current Organization of Standard

Part 0 - Introduction to ARINC 653 (currently at revision 3, released November 2021)^[4]

Part 1 - Required Services (currently at revision 5, released December 2019)^[5]
Part 2 - Extended Services (currently at revision 4, released December 2019)^[6]
Part 3A - Conformity Test Specification for Required Services (currently at revision 2, released November 2021)^[7]
Part 3B - Conformity Test Specification for Extended Services (currently at revision c1, released July 2019)^[8]
Part 4 - Subset Services (currently at revision 0, released June 2012)^[9]
Part 5 - Core Software Recommended Capabilities (currently at revision 1, released August 2019)^[10]

Basic principles of partitioning

ARINC 653 Platform

An ARINC 653 platform contains:

A hardware platform allowing real-time computing deterministic services.
An abstraction layer managing the timer and space partitioning constraints of the platform (memory, CPU, Input/output).
An implementation for the ARINC 653 services (the APEX API).
An interface to be able to configure the platform and its domain of use.
Various instrumentation tools.

Initialization

Initialization of an ARINC 653 partition creates resources used by the partition. Resources creation (PROCESS, EVENT, SEMAPHORE...) is performed by calling API services named CREATE_xxxx.

Error handling

The process error handler is a preemptive process of the highest priority dedicated to handle partition exceptions. It is created by the service CREATE_ERROR_HANDLER during partition initialization.

The API allows the error handler to stop a faulty process (STOP_SELF). In that case, the RTOS scheduler will elicit the next process with the highest priority.

ARINC 653 does not specify how the scheduler should behave if the error handler does not stop a faulty process. In some (theoretical) cases, this could lead to an infinite loop between the faulty process and the error handler.

The error handler can obtain information about the source and the context of the exception.

Mode management

Each partition can be in several activation modes:

COLD_START and WARM_START: Only the initialization process is executed,
NORMAL: The initialization process is stopped, and the other partition processes are called by the RTOS scheduler depending on their priority,
IDLE: No process is executed. However an implementation could still in theory execute a hidden process of the lowest priority, for example to start an infinite loop.

The SET_PARTITION_MODE service allows to manage these states. It can be called by any process in the partition. Entering the IDLE state is irreversible for the partition. Only an external event (such as a platform restart) can change the state to another mode when the partition is in this state.

Partition and process scheduling

The standard defines a two-level hierarchical schedule. The first level schedules the partitions. This is a round-robin, fixed schedule that repeats a Major Time Frame. The Major Time Frame schedules each partition in a fixed duration Partition Time Window (sometimes called a Minor Time Frame) with a fixed Partition Time Window Offset from the start of the Major Time Frame.

During the Partition Time Window, the second level of scheduling uses process scheduling. Each partition has at least one process. Process scheduling within a partition during the Partition Time Window is preemptive. The scheduler is called either by a timer or by API services.

Multicore

ARINC 653 P1-5 was updated to address multicore processor architectures. Section 4.2.1 "O/S Multicore Implementation Compliance" indicates that an OS designed for multi-core processing should support two cases:

Use of multiple cores by a single partition (whose processes span multiple cores)
Use of multiple cores by multiple partitions

The position paper CAST-32A defines a set of requirements and guidance that should be met to certify and use multi-core processors in civil aviation by FAA and is expected to be replaced by an Advisory Circular, AC 20-193. The European Union aviation authority, EASA, published AMC 20-193 in January 2022.^[11]

API services

The ARINC 653 APEX services are API calls belonging in six categories:

Partition management
Process management
Time management
Inter-partition communication
Intra-partition communication
Error handling

No ARINC 653 services are provided for the memory management of partitions. Each partition has to handle its own memory (still under the constraints of memory partitioning enforced by ARINC 653).

Each service returns a RETURN_CODE value which indicates if the call has been successful:

NO_ERROR: the service performed nominally after a valid request
NO_ACTION: the state of the system has not changed after executing the service
NOT_AVAILABLE: the service is temporarily unavailable
INVALID_PARAM: at least one of the service's parameters is invalid
INVALID_CONFIG: at least one of the service's parameters is incompatible with the current configuration of the system
INVALID_MODE: the service is incompatible with the current mode of the system
TIMED_OUT: the delay for the execution of the service has expired

Links to POSIX and ASAAC

The field covered by ARINC 653 is similar to ASAAC Def Stan 00-74. However, there are differences between the two standards.^[12]

Some ARINC 653 (APEX) calls have a POSIX equivalent, but are different from how they are defined in POSIX.^[12]

For example, the following call defined in ASAAC:

 receiveBuffer

would be translated in ARINC 653 by:

 RECEIVE_BUFFER()

and also in POSIX by:

 recv()

Related Research Articles

The Portable Operating System Interface is a family of standards specified by the IEEE Computer Society for maintaining compatibility between operating systems. POSIX defines application programming interfaces (APIs), along with command line shells and utility interfaces, for software compatibility (portability) with variants of Unix and other operating systems. POSIX is also a trademark of the IEEE. POSIX is intended to be used by both application and system developers.

An embedded system is a specialized computer system—a combination of a computer processor, computer memory, and input/output peripheral devices—that has a dedicated function within a larger mechanical or electronic system. It is embedded as part of a complete device often including electrical or electronic hardware and mechanical parts. Because an embedded system typically controls physical operations of the machine that it is embedded within, it often has real-time computing constraints. Embedded systems control many devices in common use. In 2009, it was estimated that ninety-eight percent of all microprocessors manufactured were used in embedded systems.

QNX is a commercial Unix-like real-time operating system, aimed primarily at the embedded systems market.

A Berkeley (BSD) socket is an application programming interface (API) for Internet domain sockets and Unix domain sockets, used for inter-process communication (IPC). It is commonly implemented as a library of linkable modules. It originated with the 4.2BSD Unix operating system, which was released in 1983.

RTLinux is a hard realtime real-time operating system (RTOS) microkernel that runs the entire Linux operating system as a fully preemptive process. The hard real-time property makes it possible to control robots, data acquisition systems, manufacturing plants, and other time-sensitive instruments and machines from RTLinux applications. The design was patented. Despite the similar name, it is not related to the Real-Time Linux project of the Linux Foundation.

Nucleus RTOS is a real-time operating system (RTOS) produced by the Embedded Software Division of Mentor Graphics, a Siemens Business, supporting 32- and 64-bit embedded system platforms. The operating system (OS) is designed for real-time embedded systems for medical, industrial, consumer, aerospace, and Internet of things (IoT) uses. Nucleus was released first in 1993. The latest version is 3.x, and includes features such as power management, process model, 64-bit support, safety certification, and support for heterogeneous computing multi-core system on a chip (SOCs) processors.

Aeronautical Radio, Incorporated (ARINC), established in 1929, was a major provider of transport communications and systems engineering solutions for eight industries: aviation, airports, defense, government, healthcare, networks, security, and transportation. ARINC had installed computer data networks in police cars and railroad cars and also maintains the standards for line-replaceable units.

The Linux kernel provides multiple interfaces to user-space and kernel-mode code that are used for varying purposes and that have varying properties by design. There are two types of application programming interface (API) in the Linux kernel:

the "kernel–user space" API; and
the "kernel internal" API.

Real-Time Executive for Multiprocessor Systems (RTEMS), formerly Real-Time Executive for Missile Systems, and then Real-Time Executive for Military Systems, is a real-time operating system (RTOS) designed for embedded systems. It is free and open-source software.

PikeOS is a commercial hard real-time operating system (RTOS) which features a separation kernel-based hypervisor. This hypervisor supports multiple logical partition types for various operating systems (OS) and applications, each referred to as a GuestOS. PikeOS is engineered to support the creation of certifiable smart devices for the Internet of Things (IoT), ensuring compliance with industry standards for quality, safety, and security across various sectors. In instances where memory management units (MMU) are not present but memory protection units (MPU) are available on controller-based systems, PikeOS for MPU is designed for critical real-time applications and provides up-to-standard safety and security.

Integrated modular avionics (IMA) are real-time computer network airborne systems. This network consists of a number of computing modules capable of supporting numerous applications of differing criticality levels.

The Simple API for Grid Applications (SAGA) is a family of related standards specified by the Open Grid Forum to define an application programming interface (API) for common distributed computing functionality.

Lynx Software Technologies, Inc. is a San Jose, California software company founded in 1988. Lynx specializes in secure virtualization and open, reliable, certifiable real-time operating systems (RTOSes). Originally known as Lynx Real-Time Systems, the company changed its name to LynuxWorks in 2000 after acquiring, and merging with, ISDCorp, an embedded systems company with a strong Linux background. In May 2014, the company changed its name to Lynx Software Technologies.

SYSGO GmbH is a German information technologies company that supplies operating systems and services for embedded systems with high safety and security-related requirements, using Linux. For security-critical applications, the company offers the Hypervisor and RTOS PikeOS, an operating system for multicore processors and the foundation for intelligent devices in the Internet of Things (IoT).

Allied Standards Avionics Architecture Council, or ASAAC, is an effort to define and validate a set of Open Architecture Standards for Avionics Architecture, particularly in the field of Integrated Modular Avionics.

LynxSecure is a least privilege real-time separation kernel hypervisor from Lynx Software Technologies designed for safety and security critical applications found in military, avionic, industrial, and automotive markets.

XtratuM is a bare-metal hypervisor specially designed for embedded real-time systems available for the instruction sets LEON2/3/4, ARM v7 and V8 processors and RISC-V processor.

An application programming interface (API) is a connection between computers or between computer programs. It is a type of software interface, offering a service to other pieces of software. A document or standard that describes how to build such a connection or interface is called an API specification. A computer system that meets this standard is said to implement or expose an API. The term API may refer either to the specification or to the implementation.

DDC-I, Inc. is a privately held company providing software development of real-time operating systems, software development tools, and software services for safety-critical embedded applications, headquartered in Phoenix, Arizona. It was first created in 1985 as the Danish firm DDC International A/S, a commercial outgrowth of Dansk Datamatik Center, a Danish software research and development organization of the 1980s. The American subsidiary was created in 1986. For many years, the firm specialized in language compilers for the programming language Ada.

Cyphal is a lightweight protocol designed for reliable intra-vehicle communications using various communications transports, originally destined for CAN bus, but targeting various network types in subsequent revisions. OpenCyphal is an open-source project that aims to provide MIT-licensed implementations of the Cyphal protocol. The project was known as UAVCAN prior to rebranding in March 2022.

References

↑ "ARINC 653 - An Avionics Standard for Safe, Partitioned Systems" (PDF). Wind River Systems / IEEE Seminar. August 2008. Archived from the original (PDF) on 2009-10-07. Retrieved 2009-05-30.
↑ VanderLeest, S. H. (2010-10-01). "ARINC 653 hypervisor". 29th Digital Avionics Systems Conference. pp. 5.E.2–1–5.E.2–20. doi:10.1109/DASC.2010.5655298. ISBN 978-1-4244-6616-0. S2CID 5784484.
↑ "Product Focus: ARINC 653 and RTOS". aviationtoday.com. 2004-07-01. Archived from the original on 2009-12-03. Retrieved 2009-05-30.
↑ "Avionics Application Software Standard Interface: ARINC Specification 653 Part 0". Aeronautical Radio, Inc. 2019-12-23. Archived from the original on 2022-02-03.
↑ "Avionics Application Software Standard Interface: ARINC Specification 653P1-3, Required Services". Aeronautical Radio, Inc. 2022-02-04. Archived from the original on 2020-08-12. Retrieved 2022-02-04.
↑ "Avionics Application Software Standard Interface: ARINC Specification 653P2-2, Part 2, Extended Services". Aeronautical Radio, Inc. 2019-12-23. Archived from the original on 2020-08-12. Retrieved 2022-02-04.
↑ "653P3A-2 Avionics Application Software Standard Interface, Part 3A, Conformity Test Specifications for ARINC 653 Required Services". SAE ITC. 2021-11-17. Retrieved 2022-02-04.
↑ "653P3Bc1 Avionics Application Software Standard Interface, Part 3B, Conformity Test Specifications for ARINC 653 Extended Services". SAE ITC. 2019-07-18. Retrieved 2022-02-04.
↑ "Avionics Application Software Standard Interface: ARINC Specification 653 Part 4, Subset Services". Aeronautical Radio, Inc. 2012-06-01. Archived from the original on 2012-08-25. Retrieved 2013-10-20.
↑ "653P5-1 Avionics Application Software Standard Interface, Part 5, Core Software Recommended Capabilities". SAE ITC. 2019-08-07. Retrieved 2022-02-04.
↑ ""AMC-20 Amendment 23"". EASA. 2022-12-26. Retrieved 2022-12-22.
1 2 "Flexibility and Manageability of IMS Projects" (PDF). University of York . Retrieved 2008-07-27.