SIMA

Product catalog summary
Purpose
The document outlines the Simulated Integrated Modular Avionics (SIMA) environment, which provides the ARINC 653 API and robust partitioning to operating systems that do not support these features by themselves. SIMA is designed to run on POSIX-compliant OSes and is tested and optimised for the Native POSIX Thread Library (NPTL), available on GNU/Linux systems with kernel version 2.6 or higher.
SIMA Overview
SIMA is an execution environment adhering to ARINC 653 standards for real-time operating systems (RTOS), focusing on partitioning resources over time and memory. It is essential for developing safety-critical avionics systems, allowing multiple applications to run independently on a single processing unit, ensuring that failures in one partition do not affect others.
ARINC 653 Standard
ARINC 653 specifies a static configuration where each partition is assigned execution windows. Processes within a partition are scheduled by a priority-based preemptive scheduler, with inter-partition communication achieved through ports and channels.
SIMA Architecture
SIMA maps ARINC 653 partitions to POSIX processes and threads, including the Module Operating System (MOS) and the POS library, which implements APEX services. The POS library is linked to applications, providing necessary interfaces and supporting real-time applications using POSIX thread library features.
Hard Real-Time on Linux
Achieving hard real-time behavior on Linux is challenging due to latency issues. The PREEMPT-RT patch reduces non-preemptible sequences, improving system predictability, with latency benchmarks showing deadlines down to 100 µs achievable on systems without graphical user interfaces.
The POS Library
The POS library provides ARINC 653 services, including partition management and inter-partition communications, supporting simulation of multi-partition systems or standalone execution of single partitions. It is linked with user code and default objects for application development.
MOS Simulation
The MOS program schedules and monitors partitioned applications, operating in three phases: configuration, real-time mode, and scheduling. It reads configuration files to define partition scheduling and execution windows, split into slices for application execution and message transportation.
Health Monitoring
Errors during execution are reported to the MOS, which applies actions based on configuration. Errors are categorized at MODULE, PARTITION, or PROCESS levels, with PROCESS level errors handled by a user-defined error handler. The POS and MOS handle signals from the Linux kernel, ensuring robust error management.
Introduction
The document provides an overview of the SIMA system, focusing on error handling, port communication, output display, and logbook services, based on the ARINC 653 standard.
Error Handling
The Error Handling (EH) process runs with the highest priority within a partition, ensuring immediate response to errors, with SIMA-related errors not delegated to the MOS.
Ports
ARINC 653 applications use ports for communication, which are memory areas within a partition for message writing and reading. Ports can be connected to channels for message transport between source and destination ports, supporting both unicast and multicast environments.
SIMOUT
The SIMOUT program displays the output of the MOS and partitions in a graphical environment using the curses library, showing a terminal with multiple partitions and their respective outputs.
Logbooks
SIMA implements ARINC 653 logbook services using system partitions, shared memory, and files. Messages are written to an IN_PROGRESS buffer and later engraved to non-volatile memory (NVM) during system partition schedule windows.
Conclusion
The SIMA system provides a structured approach to managing error handling, communication, output display, and logging within a partitioned environment, adhering to ARINC 653 standards. Proper configuration and tool usage are essential for effective system operation.

Catalog excerpts

SIMA-1

SIMA Overview. GMV-SKYSOFT, Torre Fernão de Magalhães, Av. D. João II, Lote 1.17.02, 7º Andar, 1998-025 Lisboa, Portugal. Property of GMV. © GMV, 2010; all rights reserved

SIMA-2

SIMA Overview Draft 0.5 Page 2 of 14
1 PURPOSE
Simulated Integrated Modular Avionics (SIMA) is an execution environment, providing the ARINC 653 Application Programming Interface (API) and robust partitioning to operating systems that do not support these features by themselves. SIMA is designed to run on all POSIX-compliant OSes; it is tested and optimised for the Native POSIX Thread Library (NPTL), available on OSes like GNU/Linux, kernel version 2.6 or higher, and for RTEMS, version 4.6 or higher. This document focuses on SIMA on Linux. Its purpose is to give a brief overview on the...

SIMA-3

2 SIMA OVERVIEW
Simulated Integrated Modular Avionics (SIMA) is an execution environment, providing the ARINC 653 Application Programming Interface (API) and robust partitioning to operating systems that do not support these features by themselves. SIMA is designed to run on all POSIX-compliant OSes; it is tested and optimised for the Native POSIX Thread Library (NPTL), available on OSes like GNU/Linux, kernel version 2.6 or higher, and for RTEMS, version 4.6 or higher. The ARINC 653 standard specifies a programming interface for a Real-Time Operating System...

SIMA-4

ARINC 653 defines a static configuration where each partition is assigned a set of execution windows. The program in the partition associated with the current execution window gains access to the processor. When the execution window terminates, the program is preempted; when the next execution window starts, the program continues execution from the point it was previously preempted. Processes within the scope of a partition are scheduled by a priority-based preemptive scheduler with first-in-first-out (FIFO) order for processes...

SIMA-5

shared memory segments. Obviously, this approach does not answer safety and security threats, caused by random errors in the partitioned code. The POS has to respond correctly to the given commands which may not be true in the case where faulty or malicious application code corrupts the state of the POS. In fact, the POS was designed and developed, following safety critical software guidelines; its purpose is to support embedded applications. The MOS, however, was not; the MOS does only simulate the behaviour of an ARINC 653 compliant OS on top of non-safety...

SIMA-6

3 HARD REAL-TIME ON LINUX
The main problem in achieving hard real-time behaviour on Linux is latency, defined as the time between the arrival of an event (like an interrupt) and the execution of its response. As a general purpose OS, Linux is designed to enhance the average response time, whereas real-time systems aim at enhancing the worst case response time, as this is the fundamental factor of impact on the system predictability. Linux's high latencies are a consequence of a non-preemptive kernel approach; the kernel contains large protected sections, where...

SIMA-7

4 THE POS LIBRARY
The POS library provides the ARINC 653 services to hosted applications. In particular, it implements the
• ARINC 653 services of ARINC 653 Part 1 “Required Services”: Partition Management, Process Management, Time Management, Inter-Partition and Intra-Partition Communications, Health Monitor Services;
• A subset of ARINC 653 Part 2 “Extended Services”: Logbook System.
The POS library is statically linked to the hosted application. It provides the library code and data, including interfaces to other simulation components. SIMA can run in two...

SIMA-8

5 MOS SIMULATOR
The purpose of the MOS program is to schedule and to health monitor partitioned applications. The MOS works in three phases:
1. The configuration files are read and the corresponding entities like partitions and health monitor tables are created in memory;
2. The MOS goes into real-time mode and starts the partitioned applications;
3. The MOS enters the scheduling phase; from now on, the program will suspend and resume partitions and wait for health monitoring events.
The MOS reads two configuration files: the main...

SIMA-9

6 HEALTH MONITORING
Errors occurring during the execution of partitioned applications are reported to the MOS. The MOS looks up the error in the configuration and applies the corresponding action. Errors are handled on one of three possible levels: MODULE, PARTITION or PROCESS. Actions on PARTITION and MODULE level are directly specified in the configuration. Errors on PROCESS level are delegated to a user-defined error handler process (EH). When the MOS invokes the EH, the latter is started and the control returned to the POS of the affected partition. Since...

SIMA-10

7 PORTS
ARINC 653 applications use ports to communicate with the outside world. Ports are memory areas within the partition address space where messages are written to or read from by application code. If ports are connected to a channel, the messages in a source port are copied to the memory area of the destination port. This transport mechanism is invisible to the application. It is also transparent to the application where the other port is located: in a partition on the same module or on another computer. Channels are defined in the ARINC 653 configuration...

SIMA-11

The channel between ports is implemented by an internal process, called _apx_udp_listen. The process is automatically started when the application is connected to the MOS or with the --connect option given in standalone mode. In standalone mode, this process runs with a priority lower than user process priorities. This implies that messages are only sent and received when no user process is ready. It implies also that the transportation mechanism interferes with the user process activity. These restrictions are acceptable for debugging, but certainly not...
