Treating Reconfiguration in IMA Systems as a Product Line Problem
Zoë Stephenson, Mark Nicholson
In Proceedings of the Second Groningen Workshop on Software Variability Management, Technical Report 2004-7-01, University of Groningen Department of Mathematics and Computer Science, December 2004
A trend has recently been noted in software product line derivation that indicates a move to later and later feature binding times. The choice of which features are active in a product is increasingly being made after the deployment of the product. To cope with the potential range of different binding times, as well as the complexity of the decisions, the models that we use for representing feature binding are also becoming more complex.
We have an interest in safety-critical avionics systems, whose dependencies have traditionally been difficult to capture with simple feature dependency links. There has also, however, been a traditional bias against introducing flexibility into safety-critical environments, because flexibility adds complexity, cost and pessimism to the safety analysis process.
In the last few years, though, this situation has begun to change. New avionics systems are being created using a technology called Integrated Modular Avionics (IMA). An IMA system is a distributed real-time computer network aboard an aircraft. The potential gains in using an IMA system include the ability to reallocate software tasks among different network nodes in cases of failure, or even a reduction in the minimum equipment needed to fly the aircraft by making use of reconfiguration as dynamic redundancy. The ability to fly with a reduced minimum equipment list (MEL) would reduce the number of cancelled flights and allow a shift from unscheduled to scheduled maintenance activities.
In the IMA scheme, key aspects of reconfiguration include the detection of the need for a reconfiguration, the placement of authority to approve a reconfiguration, and the continued safety of the system as a whole during reconfiguration activities. Detection can occur in software units, in execution units or in dedicated hardware, or may only be observable from the behaviour of the system as a whole (the interaction between a module, a partition and the application they host). Authority to approve a reconfiguration could rest with the software for some kinds of reconfiguration and with the pilot for others. This situation, in which allowed reconfigurations are calculated at run-time by multiple authorities and potentially triggered by multiple events, is reminiscent of product-line binding issues. We hope that by treating the two scenarios as the same type of problem, advances may be possible in each area.
In the IMA domain, there is still some debate as to how to describe and assess reconfigurations (for non-functional characteristics such as reliability and safety, as well as functional characteristics). Especially important are the need to demonstrate properties of any possible sequence of allowed reconfigurations, and the ability to derive a reconfiguration scheme that has particular properties. We expect that the vocabulary and science of product-line binding will provide ways of describing and solving these problems.
In the product line field, there is a lack of information regarding safety-critical products and their particular non-functional dependencies, such as safety and timing. Non-functional dependencies are often late-emerging properties of the system in its environment, and often involve causal links between otherwise unrelated systems. These dependencies pose a strong challenge to any general-purpose feature binding model. IMA provides an example of a safety-critical architecture with some additional properties: the level of binding and rebinding is more constrained than in a general-purpose framework or scriptable system, but there is more post-deployment rebinding than in other avionics applications. As a further constraint, it will be necessary to demonstrate, in advance of any flight, that all of the possible reconfiguration sequences are safe. We expect that this application will exercise the capabilities of existing product-line binding theory.
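The pre-flight obligation just described, that every reachable sequence of module failures and reconfigurations stays safe, can be approached as an exhaustive search over the binding space, with each application-to-module binding treated as a feature choice and each failure as a rebinding trigger. The following is an added illustration and is not code from the paper or its authors; the modules, applications, partition capacities, segregation rule, approval authorities and the reconfiguration policy are all assumptions chosen to make the search concrete.

```python
"""Exhaustive check of an assumed IMA reconfiguration scheme, modelled as a
feature-binding problem.  Added example: every name, rule and capacity below
is an illustrative assumption, not taken from the paper."""
from collections import deque
from itertools import product

# Assumed example system: three execution modules with a partition capacity
# each, and three hosted applications tagged with a design assurance level.
MODULES = {"M1": 2, "M2": 2, "M3": 1}          # module -> partition capacity
APPS = {"FCS": "A", "NAV": "B", "CABIN": "E"}   # application -> DAL
CRITICAL = {"FCS", "NAV"}                      # must always be hosted


def safe(placement, healthy):
    """Assumed safety invariant on one configuration:
    1. every critical application is hosted on a healthy module;
    2. no module hosts more partitions than its capacity;
    3. a DAL-A application never shares a module with a DAL-E one."""
    for app in CRITICAL:
        if placement.get(app) not in healthy:
            return False
    load = {}
    for app, mod in placement.items():
        if mod is None:
            continue                       # non-critical app deliberately dropped
        if mod not in healthy:
            return False
        load[mod] = load.get(mod, 0) + 1
        if load[mod] > MODULES[mod]:
            return False
    for a, ma in placement.items():
        for b, mb in placement.items():
            if ma is not None and ma == mb and {APPS[a], APPS[b]} == {"A", "E"}:
                return False
    return True


def reconfigure(placement, healthy):
    """All reconfigurations allowed from `placement` once only `healthy`
    modules remain.  Assumed policy: applications left on a failed module are
    re-bound to any healthy module (non-critical ones may also be dropped);
    each candidate that satisfies `safe` is returned as (authority, placement).
    Authority is 'pilot' if a DAL-A application moves, else 'software'."""
    displaced = [a for a, m in placement.items() if m is not None and m not in healthy]
    if not displaced:
        return [("none", placement)]
    choices = [sorted(healthy) + ([None] if a not in CRITICAL else []) for a in displaced]
    options = []
    for combo in product(*choices):
        new = dict(placement)
        new.update(zip(displaced, combo))
        if safe(new, healthy):
            auth = "pilot" if any(APPS[a] == "A" for a in displaced) else "software"
            options.append((auth, new))
    return options


def verify(initial, max_failures=2):
    """Breadth-first exploration of every failure sequence of up to
    `max_failures` modules, following every allowed reconfiguration at each
    step.  Returns (ok, trace): trace is the first sequence that leaves the
    system without any safe reconfiguration, or None if all are safe."""
    all_modules = frozenset(MODULES)
    if not safe(initial, all_modules):
        return False, [("initial configuration", "unsafe")]
    start = (all_modules, tuple(sorted(initial.items())))
    seen = {start}
    queue = deque([(start, [])])
    while queue:
        (healthy, placed), trace = queue.popleft()
        if len(MODULES) - len(healthy) >= max_failures:
            continue
        placement = dict(placed)
        for mod in sorted(healthy):
            remaining = healthy - {mod}
            options = reconfigure(placement, remaining)
            if not options:
                return False, trace + [(f"{mod} fails", "no safe reconfiguration")]
            for auth, new in options:
                state = (remaining, tuple(sorted(new.items())))
                if state not in seen:
                    seen.add(state)
                    queue.append((state, trace + [(f"{mod} fails", f"{auth}: {new}")]))
    return True, None


if __name__ == "__main__":
    initial = {"FCS": "M1", "NAV": "M2", "CABIN": "M3"}   # constructed starting binding
    for depth in (1, 2):
        ok, trace = verify(initial, max_failures=depth)
        print(f"up to {depth} failure(s): {'safe' if ok else 'UNSAFE'} {trace or ''}")
```

With the assumed system, every single module failure has a safe rebinding, so dispatch with any one module inoperative would be justified by this model; at two failures the search finds the sequence in which M1 fails (FCS moves to M2 beside NAV) and then M2 fails, leaving only the single-partition M3, which cannot host both critical applications. That trace is exactly the kind of evidence a reduced minimum equipment list would need to rule out, and the labelled authorities show where a pilot approval would sit in each allowed transition.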
We intend to apply product-line binding theories to IMA systems, using the characteristics of existing and planned IMA implementations to select an example system. We will derive an IMA reconfiguration strategy from standard product-line binding models and tool support, and evaluate the effectiveness of both the strategy and the process by which it is developed.