Applying Trajectory approach to AFDX avionics network Henri Bauer1,2 , Jean-Luc Scharbarg2 , Christian Fraboul2 1 Airbus France - 316 Route de Bayonne 31300 Toulouse, France 2 Universit´e de Toulouse - IRIT/ENSEEIHT/INPT - 2, rue Camichel 31000 Toulouse, France {Henri.Bauer, Jean-Luc.Scharbarg, Christian.Fraboul}@enseeiht.fr

Abstract AFDX (Avionics Full Duplex Switched Ethernet) standardized as ARINC 664 is a major upgrade for avionics systems. But network delay analysis is required to evaluate end-to-end delays upper bounds. In this paper we mainly present how the Trajectory approach can be applied to an AFDX avionics network. We explain how this approach can be optimized in this context in order to take into account AFDX specificity.

1

AFDX end-to-end delay analysis

The AFDX [1] has become the reference communication technology in the avionics context, enabling the multiplexing of communication flows over a full duplex switched Ethernet network. The indeterminism problem occurs at the switch level where various flows can enter in competition for sharing resources of a given switch (FIFO buffering of output ports). Main AFDX specific assumptions deal with the static definition of mono-emitter, multicast avionics flows (Virtual Links with a static routing assumption). All flows are asynchronous, but have to respect a bandwidth envelope (burst and rate) at network ingress point. A VL definition includes the Bandwidth Allocation Gap (BAG), the minimum and the maximum frame length (smin and smax ). BAG is the minimum delay between two consecutive frames of the associated sporadic VL. For a given flow, the end-to-end communication delay of a frame can be described as the sum of known transmission delays on links and latencies in switches (highly variable because of the confluence of asynchronous flows). Different approaches have been proposed in order to analyze flows end-to-end delay and jitter. The deterministic Network Calculus [6, 2] has been used to compute upper bounds, mainly for avionics network certification purposes [4, 5]. This worst case communication delays analysis gives also intermediate information on latency time in switch out-

put ports, which permits to scale the switch memory buffers and avoid buffer overflows (i.e. frame losses). But this worst case delay analysis is obviously pessimistic. The worst case scenario is considered on each node visited by a flow, taking into account maximum possible jitter introduced by previously visited nodes. The Network Calculus theory can be enhanced by taking into account the serialization of frame that have shared a communication link (grouping technique is used [5]). However, the obtained upper bounds are still pessimistic. We propose to use the Trajectory approach [7], as it considers the sequence of nodes visited by a frame along its trajectory. Unlike the holistic approach, the Trajectory approach is based on the analysis of the worst case scenario experienced by a packet on its trajectory and not on each visited node. This timing analysis approach enables to focus on a packet from a given flow, and to construct the packet sequences in each crossed node. The resulting jitters and delays lead to an end-to-end communication delay computation, which can then be compared to the upper bounds obtained by Network Calculus. In this paper, we propose a way to handle the serialization of flows sharing a common link in the trajectory approach.

2

Trajectory approach for the AFDX

The Trajectory approach [7, 8] has been developed to get guaranteed upper bounds on end-to-end response times in distributed systems. It considers a set of asynchronous sporadic flows. As presented in [7], a distributed system is composed of a set of interconnected processing nodes. Each flow crossing this system follows a static path. The Trajectory approach assumes, with regards to any flow τi following path Pi , that any flow τj following path Pj , with Pj 6= Pi and Pj ∩ Pi 6= ∅, never visits a node of path Pi after having left this path. Flows are FIFO scheduled in every visited node. Each flow τi has a minimum interarrival time Ti between two consecutive packets at ingress node, a maximum release jit-

ter Ji at the ingress node, an end-to-end deadline Di which is the maximum acceptable end-to-end response time and a maximum processing time Cih on each node h from Pi . The transmission time of any packet on any link is bounded by Lmin and Lmax . There are neither collisions nor packet losses on links. The end-to-end response time of a packet is the sum of the transmission delays on links (upper bounded by Lmax ) and the time spent in each crossed nodes. The time spent by a packet m in a node h depends on the pending packets in h at the arrival time of m in h (due to FIFO scheduling, they will be processed before m). The problem is then to upper bound the overall time spent in the visited nodes. The Trajectory approach is based on the busy period concept. A busy period of level L is an interval [t, t′ ) such that t and t′ are both idle times of level L and there is no idle time of level L in (t, t′ ). An idle time t of level L is a time such as all packets with priority greater than or equal to L generated before t have been processed at time t. With FIFO scheduling, no packet from the busy period of level corresponding to the priority of m can have arrived after m on the considered node. For a packet m from flow τi generated at time t, Trajectory approach identifies the busy period and the packets impacting its end-to-end delay on all the nodes visited by m (starting from the last visited node backwards to the ingress node). This decomposition enables the computation of the latest starting time of m on its last node. This starting time can be computed recursively and leads to the worst case end-to-end response time of the flow τi . The elements of the system considered in the Trajectory approach are instantiated in the following way in the context of AFDX. Each node of the system corresponds to an AFDX switch output port (including the output link), each link of the system corresponds to the switching fabric and each flow corresponds to a VL path. All the assumptions of the Trajectory approach are verified. VL parameters match the definition of sporadic flows in the following manner: Ti = BAG, Cih = smax /R, Ji = 0. Since all the AFDX ports work at the same rate R = 100M b/s, Cih = Ci = smax /R for every node h in the network. e1 e2 e3 e4

v1 v2

S1 v3 v4

S2

v1,v2 v3,v4 e5 v5

v1,v3,v4,v5 S3

v2

e6 e7

Figure 1. Illustrative AFDX configuration Let us illustrate the trajectory approach on the sample AFDX configuration depicted in Figure 1. All the VLs have BAG = 4000 µs and smax = 4000 bits. The entire network works at R = 100 M b/s and the switch fabric latency is L = 16 µs. Figure 2 shows an arbitrary scheduling of the packets,

ae3 f (e3)

e3

3 = f (e3) busy period bpe3

S2

aS2 = aS2 f (S2) p(e3) 4 = f (S2) busy period bpS2

S3

3 = p(e3) aS3 aS3 aS3 4 5 1

aS3 3

4 = f (S3)

1

5

busy period 0

40

80

120

160

3

bpS3

200

240

t

Figure 2. An arbitrary packet scheduling where packet i corresponds to VL vi. Time origin is chosen as the arrival time of packet 3 on node e3 (ae3 3 ). After being processed in node e3 and after a 16µs switch factory delay, the packet arrives at node S2 at time aS2 3 = 56. Packet 4 also arrives on node S2 at time aS2 4 = 56 and is arbitrarily processed before packet 3. Packet 4 arrives at node S3 at time aS3 4 = 112 where it is immediately processed. Packet 1 and packet 5 arrive respectively at times aS3 1 = 127 and aS3 5 = 136. Packet 3, which is the last to be processed in bpS3 arrives at node S3 at time aS3 3 = 152. Packet 3 from flow v3 crosses three busy periods (bpe3 , bpS2 , and bpS3 ) on its trajectory. Let us consider bpS3 , the busy period in which 3 is processed on node S3. Let f (S3) be the first packet processed in bpS3 with priority higher than or equal to this of packet 3. As flows do not necessary follow the same path in the network, packet f (S3) may not come from the same previous node as packet 3. We then define p(S2) as the first packet processed between f (S3) and 3 that comes from the same node as packet 3. Here p(S2) = f (S3) is packet 4 from node S2. Packet p(S2) has been processed on node S2 in a busy period bpS2 of level corresponding to the priority of p(S2). f (S2) is then the first packet processed in bpS2 with a priority higher or equal to this of p(S2). Here, we also have f (S2) = p(S2). The same naming process is applied backwards until the ingress node of the VL is reached: the busy period bpe3 on node e3, of level corresponding to the priority of packet p(e3) in which f (1) is processed. By adding parts of the busy periods considered, we can express the latest starting time of packet 3 in node S3. It has been shown in [7] that the scheduling presented in Figure 2 leads to a worst case end-to-end delay for packet 3. In this scheduling, for every node, the arrival time of every packet competing with packet 3 for the first time (i.e. coming from another preceding node) is postponed in order to increase the departure time of packet 3 in its last node. In node S3, packets 1 and 5 arrive between packets 4 and 3. Clearly, if packets 1 or 5 arrive before packet 4, the busy period bpS2 would begin earlier, leading to an earlier processing of packet 3. Similarly, if packets 1 or 5 arrive later than

packet 3, packet 3 would be processed before packets 1 or 5. Similar observations can be made on node S2. From Figure 2, the maximal end-to-end delay of packet 3 is: L + C3e3 + C4S2 + L + (C1S3 + C5S3 + C4S3 ) + C3S3 = h 6C + 2L = 272µs (Cm = C = smax /R = 40µs, ∀(h, m) and L = 16µs). The same computation can be done for every VL of the network. The results for all the VLs of the example have been computed. The exact worst case is computed with the model checking approach (as presented in [3], this approach gives worst case end-to-end delays for small configurations). The results are summarized in Table 1. VL v1 v2 v3, v4 v5

Exact worst case 272µs 192µs 272µs 176µs

Trajectories 312µs 192µs 272µs 216µs

The Trajectory approach gives the exact worst case for VLs v2, v3 and v4. However, for VLs v1 and v5, it introduces a 40µs pessimism. The next section shows that this pessimism is due to the fact that the trajectory approach does not take into account the serialization of packets on links and it proposes a way which could introduce this serialization in the approach.

The trajectory approach and the serialization of packets

Let us consider VL v5 in Figure 1. bpS3 is the busy period of level corresponding to the priority of packet 5 in node 3. Figure 3 shows the worst case scheduling for 5, as defined in Section 2. 5 = f (e5)

e5

S3 S3 S3 aS3 1 = a3 = a4 = ap(e5)

3

S3

1 busy period

0

40

80

120

4

5 = p(e5)

bpS3 160

200

5 = f (e5)

e5

S3 S3 aS3 1 = a4 = ap(e5)

aS3 3 3

S3

1

4

5 = p(e5)

busy period bpS3 0

40

80

120

160

t

Figure 4. Feasible worst case for v5

Table 1. End-to-end delay upper bounds

3

(the transmission delay for one packet). Then, a worst case scheduling for packet 5 occurs when packets 1 and exactly one of the two packets 3 and 4 arrives in S3 at the same time as packet 5, the remaining packet (3 or 4) arriving in S3 at least 40µs before or after packet 5. Figure 4 shows such a worst case scheduling.

t

Figure 3. Theoretical worst case for v5 This worst case corresponds to the scenario where packets 1, 3 and 4 arrive at node S3 at the same time as packet 5 and 1, 3 and 4 are arbitrarily processed before 5. The trajectory approach uses this scenario when analyzing v5, leading to a worst case end-to-end delay of 216µs (cf. Table 1). However, this scenario is not feasible, because packets 3 and 4 both come from link S2 − S3 and they are serialized on this link. Consequently, there is a minimum delay of 40µs between the arrival times of packets 3 and 4

The delay of packet 5 is then 176µs, as computed by the model checking approach. In this example, the pessimism introduced by the Trajectory approach is due to the fact that packets coming from the same link are already serialized. When a packet m arriving in a switch from a given link competes with packets arriving in the switch from more loaded links, the trajectory approach computes a pessimistic worst case end-to-end delay for m. Then, the challenge is to take into account the serialization effect in the trajectory approach. This serialization effect has been taken into account in the Network Calculus approach thanks to the grouping technique. Now we briefly show how it could be possible to do the same with the Trajectory approach. We show that it leads to a feasible scenario. However, we do not prove that the obtained scenarios are worst cases. The main idea of our proposition is to cut the packet queue from the most loaded link at the length of the queue from the link through which the considered packet arrives. Considering the analysis of v5, the most loaded input link of node S3 is S2 − S3. We remove packets from v3 from the analysis, so that link S2 − S3 has the same load as link e5 − S3 (the link of v5). This corresponds to the feasible worst case scenario depicted in Figure 4, where packet 3 has no influence on the delay of packet 5. With this removal of v3, the trajectory approach gives the exact worst case endto-end delay for v5. Applying the same technique to all the VLs of the configuration of Figure 1 leads to the exact worst case end-to-end delay for all of these VLs. Another AFDX configuration is depicted in Figure 5. With no loss of generality, we consider that the switch fabric delay L = 0. The worst case scheduling for packet 1 considered by the basic trajectory approach is depicted in Figure 5. It leads to an end-to-end delay of 12C for packet 1. Applying the technique presented above, packets 11 and 12 are removed, in order to have the same load on links S1 − S2 and S4 − S2. The resulting scheduling is depicted on Figure 5 (line modif). The trajectory approach then gives

ae1 1 =0

v1

e1

1

e1

v2 aS1 1

S3 12

S4

v3

3

2

1

7

6

5

4

11

10

9

8

S1

12

S2

11

7

S2

v4, v5, v6, v7

S3

v8, v9, v10, v11, v12

S4

Sample AFDX configuration

aS2 p(S1)

aS2 f (S2)

v1, v2, v3

S1

10

6

3

9

5

2

8

f (S2) 7

modif.

10

6

3

9

5

2

8

f (S2) −1

0

1

2

3

4

5

6

7

8

4

1

m−1

m

4

1

m−1

m

9

10

11

12

Figure 5. Modified Trajectory approach the exact worst case end-to-end delay (11C). The obtained scenario is always feasible since we only remove packets from busy periods. However we did not prove that it is a worst case scenario in the general case.

4

Results on an industrial configuration

An industrial AFDX network is composed of eight switches and nearby 1000 Virtual Links. A Network Calculus tool and a Trajectory tool compute all the end-to-end delays of every VL paths. Table 2 compares the obtained results considering the two approaches – Network calculus (NC) and Trajectory (Traj) – with (NC Ser, Traj Ser) and without (NC, Traj) the integration of the serialization.

NC Ser Vs NC Traj Vs NC Traj Vs NC Ser Traj Ser Vs Traj Traj Ser Vs NC Traj Ser Vs NC Ser

Average gain 24.21 % 16.69 % -10.45 % 16.60 % 30.89 % 9.01 %

Best gain 51.07 % 37.83 % 10.37 % 62.38 % 64.89 % 39.83 %

Table 2. Summary of end-to-end delays calculations on an industrial AFDX network The first line shows that the end-to-end delays computed with the Network Calculus approach including the serialization (N C Ser) are in average 24.21 % smaller than the delays computed with the basic Network Calculus approach (N C) and there is a VL path for which the end-to-end delay with serialization is even 51.07 % smaller than the delay without serialization. The grouping technique in network calculus has a significant impact on upper bounds. Indeed the average delays are reduced by about one quarter, and in some cases, they are even halved. The packet serialization on links is therefore a major aspect in AFDX networks. The basic Trajectory approach gives better results than the basic Network Calculus one. Nevertheless, when seri-

alization is considered, the Network Calculus takes advantage. The fact that the basic Trajectory approach does not take into account the serialization results in an average underperformance of more than 10 %. However, even if the average performance is poor, there are about one quarter of the VL paths for which the trajectory bounds are tighter than with the serialized Network Calculus approach. The benefit is up to 10 % in the best case. The modified trajectory results are actually no guaranteed upper bounds. Since they correspond to possible scenarios, they permit to give an upper bound on the pessimism of other methods. For the network calculus approach it is 9 % in average, up to 40 % for some paths.

5

Conclusion

We present in this paper how Trajectory approach can be applied in AFDX avionics network context. The resulting end-to-end delays computation is compared to the upper bounds obtained by deterministic Network Calculus, where the serialization effect on AFDX network is substantial. Taking into account the serialization effect in Trajectory approach is still an open problem as modifications proposed to Trajectory approach lead to unfavorable scenarios that are not proved to be upper bounds. Work underway aims at determining under which assumptions these unfavorable scenarios are exact worst cases.

References [1] ARINC Specification 664: Aircraft Data Network, Parts 1,2,7. Technical report, Aeronotical Radio Inc., 2002-2005. [2] C.-S. Chang. Performance Guarantees in Communication Networks. Springer-Verlag, London, UK, 2000. [3] H. Charara, J.-L. Scharbarg, J. Ermont, and C. Fraboul. Methods for bounding end-to-end delays on an AFDX network. In Proceedings of the 18th ECRTS, Dresde, Germany, July 2006. [4] F. Frances, C. Fraboul, and J. Grieu. Using network calculus to optimize the AFDX network. In Proceedings of ERTS, Toulouse, France, 2006. [5] J. Grieu. Analyse et e´ valuation de techniques de commutation Ethernet pour l’interconnexion des syst`emes avioniques. PhD thesis, INP-ENSEEIHT, France, September 2004. [6] J.-Y. Le Boudec and P. Thiran. Network Calculus: A Theory of Deterministic Queuing Systems for the Internet, volume 2050 of LNCS. Springer-Verlag, 2001. [7] S. Martin and P. Minet. Schedulability analysis of flows scheduled with fifo: application to the expedited forwarding class. Parallel and Distributed Processing Symposium, 2006. IPDPS 2006. 20th International, pages 8 pp.–, April 2006. [8] J. Migge. L’ordonnancement sous contraintes temps-r´eel : un mod`ele a` base de trajectoires. PhD thesis, INRIA, Sophia Antipolis France, November 1999.