| J. Rushby. Partitioning for avionics architectures: Requirements, mechanisms, and assurance. NASA Contractor Report CR-1999-209347, NASA Langley Research Center, June 1999. Also to be issued by the FAA. |
....considered, specifying and achieving graceful degradation becomes exponentially complex as the number of system components increases. Current industry practice for dealing with faults and failures in embedded systems focuses on the traditional approaches of fault tolerance and fault containment [9]. Software subsystems are physically separated into different hardware modules. Additionally, system resources, such as sensors and actuators, that may be commonly used are replicated for each subsystem. This approach provides assurance that faults will not propagate between subsystems since they ....
Rushby, J., "Partitioning in Avionics Architectures: Requirements, Mechanisms, and Assurance," NASA Contractor Report CR-1999-209347, June 1999.
....always effective, multiple barriers are common. The number of barriers depends on the level and acceptability of the risk that is associated with the hazardous events. The concept of risk is discussed in the next section. Partitioning (hw, sw, containment) refs (for data energy) [Rushby99]. 3.2.16 Failure Accountability. Failure accountability indicates who has to fix the failed system, or has to pay for accepting or correcting the damage ensuing from system failure, whether this damage is physical, psychological, environmental, or financial. This may involve contractual ....
Rushby, J.: "Partitioning in Avionics Architectures: Requirements, Mechanisms, and Assurance", NASA Contractor Report NASA/CR-
....model in a direct execution JVM microprocessor [AW97, DAG98A]. Our architecture provides hardware enforced guarantees of resource separation. We have extended this separation guarantee to support reconfigurable logic devices. Implementations of our architecture can be verified to be safe and secure [JMR98]. We outline our formal verification techniques, which are published and can be applied to modern safety critical and security critical development environments [DAG98B, SPM96]. We detail an approach for formally validating that our architecture enforces separation. An architecture should be ....
....guarantees of resource isolation. The PMU ensures separation of applications; see Figure 3. The separation required by the Federal Aviation Administration (FAA) for safety critical applications is similar to the separation required by the National Security Agency (NSA) for multiple level security [JMR98]. Applications that require separation from one another will be relegated to separate partitions. The PMU will be programmed to provide each partition access only to its allocated resources. Resources include memory space, processing time, and RCEs. The PMU to be used in this architecture is ....
John M. Rushby, "Partitioning in Avionics Architectures: Requirements, Mechanisms, and Assurance," Unpublished draft report, Computer Science Laboratory, SRI International, Menlo Park, CA, October 1998, available at http://www.csl.sri.com/~rushby/partitioning.html
....what it should, but how to confirm that it does not do other things as well. The problem of additional, unexpected behavior is an especial concern with safety related COTS products since there is a need for predictable, limited interactions and dependencies among components [Profeta et al. 1996]. Rushby [1994] suggests that [Robyn R. Lutz] traditional methods of hierarchical verification via functional refinement may be inadequate and that architectural notions of refinement may provide better verification. 3.3 Testing and evaluation of safety critical systems. This subsection of the paper ....
Rushby, J. M. 1999b. Partitioning in avionics architectures: Requirements, mechanisms, and assurance. Technical report (March), SRI.
....are available at http: www.csl.sri.com bruno pvs prio ceiling.txt. independent tasks or processes that share a common processor cannot adversely affect each other. Real time kernels must then protect separate tasks from unwanted interference by implementing strong partitioning mechanisms [30]. Formal models addressing some of these issues have been proposed recently [10, 11, 39] but the results are still preliminary and incomplete. We are particularly interested in temporal noninterference, that is, the property that a temporal failure of a task, such as overrun or non termination, ....
J. Rushby. Partitioning in Avionics Architectures: Requirements, Mechanisms, and Assurance. Draft technical report, Computer Science Laboratory, SRI International, October 1998.
....the scheduling conditions requires temporal partitioning that can be implemented using timer interrupts to stop and take control away from overrunning processes. The various architectural and implementation issues pertaining to both spatial and temporal partitioning are discussed at large in [11]. [Integrating Mixed Criticality Software Components] 5 Discussion and Related Work. In critical applications, the integration of multiple functions on shared hardware requires partitioning mechanisms that provide, with high assurance, a similar level of fault containment as the federated ....
....of a general dependable integration problem. For integrated architectures such as IMA to be acceptable in safety critical applications one must develop mechanisms to prevent unintended interaction between components and provide high assurance that these mechanisms are adequate. As discussed in [11], there is a large space of architectural and design choices that can achieve the required partitioning. The challenge is to define models that are general enough to encompass spatial, temporal, and communication aspects. The models above address memory partitioning and to some extent temporal ....
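The two mechanisms the contexts above keep returning to, a PMU that lets a partition touch only its allocated memory (spatial partitioning) and a timer that takes control away from an overrunning process at the end of its slot (temporal partitioning), can be shown together in a small model. The following is an added example written for this page; it is not code from Rushby's report or from any of the citing papers. It simulates a separation kernel with three partitions: the partition names, region sizes, tick budgets and the "misbehaving" partition B are assumptions chosen for illustration. The point it makes is the noninterference property quoted in the [30] context: B overruns every frame and attempts a write outside its region, yet A and C receive exactly the time and memory they were allocated.

```c
/* Added example (not from the cited report or citing papers): a toy
 * separation-kernel model of spatial + temporal partitioning.
 * All partition parameters below are assumptions for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NPART 3
#define MEM_WORDS 64
#define MAJOR_FRAMES 2

typedef struct {
    const char *name;
    size_t mem_base, mem_len;  /* allocated memory region (spatial partitioning) */
    unsigned budget_ticks;     /* fixed slot length per major frame (temporal) */
    unsigned demand_ticks;     /* how long the partition wants to run per frame */
    unsigned ran_ticks;        /* ticks actually granted over the whole run */
    unsigned preemptions;      /* times the slot timer cut it off mid-work */
    unsigned faults;           /* memory accesses rejected by the PMU */
} partition_t;

static uint32_t memory[MEM_WORDS];

/* The PMU check: a write succeeds only if addr lies inside the caller's
 * allocated region. A rejected write changes no memory at all. */
bool pmu_write(partition_t *p, size_t addr, uint32_t value) {
    if (addr < p->mem_base || addr >= p->mem_base + p->mem_len) {
        p->faults++;
        return false;
    }
    memory[addr] = value;
    return true;
}

uint32_t mem_peek(size_t addr) { return memory[addr]; }

/* One major frame. Each partition runs inside its own fixed-length slot and
 * is stopped when the slot budget expires (the "timer interrupt"). A slot
 * that finishes early idles; it is never lent to a later partition, so an
 * overrun in one slot can never shorten another. Returns the frame length. */
unsigned run_frame(partition_t parts[], size_t n) {
    unsigned frame_ticks = 0;
    for (size_t i = 0; i < n; i++) {
        partition_t *p = &parts[i];
        unsigned remaining = p->demand_ticks, used = 0;
        while (remaining > 0 && used < p->budget_ticks) {  /* timer fires at budget */
            remaining--;
            used++;
        }
        if (remaining > 0) p->preemptions++;  /* overran: control taken away */
        p->ran_ticks += used;
        frame_ticks += p->budget_ticks;       /* slot length is fixed regardless */
    }
    return frame_ticks;
}

/* Constructed scenario: A is well-behaved, B overruns and probes A's memory,
 * C finishes early. Regions are disjoint 16-word slices of `memory`. */
void setup_partitions(partition_t parts[NPART]) {
    partition_t init[NPART] = {
        { "A",  0, 16, 10, 10, 0, 0, 0 },  /* uses exactly its 10-tick slot   */
        { "B", 16, 16, 10, 25, 0, 0, 0 },  /* wants 25 ticks, is allotted 10 */
        { "C", 32, 16, 10,  5, 0, 0, 0 },  /* needs 5 of its 10 ticks        */
    };
    memcpy(parts, init, sizeof init);
    memset(memory, 0, sizeof memory);
}

/* Runs the scenario for MAJOR_FRAMES frames; returns total elapsed ticks. */
unsigned simulate(partition_t parts[NPART]) {
    unsigned total = 0;
    pmu_write(&parts[0], parts[0].mem_base, 0xA);  /* A writes its own region   */
    pmu_write(&parts[1], parts[0].mem_base, 0xB);  /* B targets A's region: denied */
    pmu_write(&parts[1], parts[1].mem_base, 0xB);  /* B in its own region: allowed */
    for (int f = 0; f < MAJOR_FRAMES; f++)
        total += run_frame(parts, NPART);
    return total;
}

int main(void) {
    partition_t parts[NPART];
    setup_partitions(parts);
    unsigned total = simulate(parts);
    for (int i = 0; i < NPART; i++)
        printf("%s: ran %u ticks, preempted %u times, %u rejected accesses\n",
               parts[i].name, parts[i].ran_ticks, parts[i].preemptions, parts[i].faults);
    printf("total frame ticks: %u\n", total);
    return 0;
}
```

Two design points carry the argument from the contexts above. First, the slot budget is enforced by the scheduler, not by the partition: B never gets to decide when it yields, which is what "stop and take control away from overrunning processes" means in practice. Second, the unused part of C's slot idles rather than being donated to B; donating it would make B's progress depend on C's behaviour, which is exactly the interaction partitioning is meant to exclude.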
J. Rushby. Partitioning in Avionics Architectures: Requirements, Mechanisms, and Assurance. Draft technical report, Computer Science Laboratory, SRI International, October 1998.
....operation of nonfaulty components and applications, other than through loss of the services provided by the failed elements. It is quite easy to develop a formal statement of partitioning but only in the absence of the qualification introduced in the final clause of the previous sentence (see [51] for an extended discussion of this topic). In the absence of communication, partitioning is equivalent to isolation, and this property has a long history of formal analysis in the security community [47] and has been adapted to include the real time attributes that are important in embedded ....
John Rushby. Partitioning for avionics architectures: Requirements, mechanisms, and assurance. NASA Contractor Report CR-1999.
Rushby, J., "Partitioning in Avionics Architectures: Requirements, Mechanisms, and Assurance," NASA Contractor Report CR-
CiteSeer.IST - Copyright Penn State and NEC