Architecting ARINC 664, Part (AFDX) Solutions XAPP1130 (v1.0.1) 2

The Datasheet Archive - 100 Million Datasheets from 7500 Manufacturers.

Architecting ARINC 664, Part (AFDX) Solutions XAPP1130 (v1.0.1) 2

Datasheet Thumbnail

Top Searches for this datasheet

Application Note: Virtex-4 Virtex-5 FPGAs
Architecting ARINC 664, Part (AFDX) Solutions
XAPP1130 (v1.0.1) 2009 Author: Land Jeff Elliott
Summary
Each generation commercial aircraft grown more complex, especially with heavy reliance fly-by-wire associated avionics. more systems designed into airframes, traditional point-to-point wiring schemes longer practical. designers Airbus A380 searched solution reduce amount wiring, increase bandwidth, make commercial-off-the-shelf (COTS) technology where possible. ARINC Specification (ARINC 664), Part result that search. This application note provides users with detailed overview architecture function avionics full-duplex switched Ethernet (AFDX) defined specification ARINC 664, Part ([Ref 1]). addition, detailed description various functional blocks required AFDX system mapped both Virtex®-4 Virtex-5 architectures included.
ARINC Overview
AFDX combines concepts taken from asynchronous transfer mode (ATM) applies them variant IEEE 802.3 (Ethernet). physical layer, AFDX consists star-topology, fullduplexed switched Ethernet (either 100BASE-TX 100BASE-FX). This topology eliminates collision issue found half-duplexed Ethernet. Note: background development AFDX, "Appendix Background," page addition, network profiled. airframe, connection, addressing, bandwidth requirements entire network known advance. Each part network tailored specific connection. network profile updated when there upgrades changes electronics aircraft. protocol level, AFDX creates concept virtual link (VL) point-to-point multicast connection through network. mimics unidirectional connections found ARINC Specification [Ref (see also "ARINC 429," page 24). Again, network profiled, addressing bandwidth requirements each defined advance. Moreover, network deterministic with latency each connection known advance. traffic flow shaping mechanisms help guarantee latency, jitter, bandwidth each link, providing required avionics systems. last issue addressed robustness. AFDX relies parallel, redundant networks provide additional level fault tolerance. Each data packet sent across both networks simultaneously. Redundancy management mechanisms ensure that only copy each packet transmitted, that sequential order packets maintained. ARINC Specification divided into eight parts: Part Systems Concepts Overview [Ref Part Ethernet Physical Data Link Layer Specifications Part Internet-based Protocols Services Part Internet-based Address Structures Assigned Numbers Part Network Interconnection Services Functional Elements Part Reserved
2009 Xilinx, Inc. XILINX, Xilinx logo, Virtex, Spartan, ISE, other designated brands included herein trademarks Xilinx United States other countries. PowerPC trademark Corp. used under license. other trademarks property their respective owners.
XAPP1130 (v1.0.1) 2009
www.xilinx.com
AFDX Details Part Avionics Full Duplex Switched Ethernet (AFDX) Network Part Upper Layer Services
AFDX defined Part along with IEEE 802.3 (Ethernet standard).
AFDX Details
Network Topology
AFDX network consists systems connected switch (Figure Switches cascaded increase capacity network. Total switch capacity limited 4,096 (including routing either originating terminating beyond systems connected that switch). Note: There explicit limit number system support. maximum number
function amount required bandwidth each maximum frame length.
X-Ref Target Figure
Avionics Subsystem AFDX System Avionics Subsystem AFDX System Avionics Subsystem AFDX System Avionics Subsystem AFDX System
Avionics Subsystem AFDX System
Avionics Subsystem AFDX System
AFDX Switch
AFDX Switch
AFDX System Avionics Subsystem
AFDX Switch
AFDX System Avionics Subsystem
AFDX System Avionics Subsystem
AFDX System Avionics Subsystem
AFDX System Avionics Subsystem
AFDX System Avionics Subsystem
AFDX System Avionics Subsystem
X1130_01_030809
Figure
AFDX Topology (Redundancy Shown)
network profiled routes addressing predefined contained configuration both systems switches, simplifying network configuration. Transmitting systems responsible enforcing bandwidth limits, receiving systems manage redundancy. Switches responsible routing frames, policing bandwidth, shaping traffic.
XAPP1130 (v1.0.1) 2009
www.xilinx.com
AFDX Details There intra-switch communication (other than passing data frames) between redundant cascaded switches. routes based upon switch's routing table. standard (ARINC 664, Part also allows mapping other protocols over AFDX. example, ARINC links built across AFDX network through concentrators/protocol conversion modules.
Redundancy
increase robustness system, AFDX network consists redundant networks; each system Ethernet ports with ports connected switch ports, which connected switch (Figure Identical frames sent system both ports simultaneously. Each switch routes their frames independently destination systems. receiving system responsible managing reception redundant frames, deleting duplicates out-of-order frames.
X-Ref Target Figure
Controller AFDX Avionics Subsystem System Controller
Controller AFDX Avionics System Subsystem Controller
AFDX Switch Network
AFDX Switch Network
X1130_02_012309
Figure
AFDX Redundancy
Note: Redundancy required turned given provided thorough
evaluation impact completed.
Frame Format
AFDX frame format (Figure compliant with IEEE 802.3 (Ethernet). frame contains addressing identifying source destination systems well assigned virtual link. AFDX frame length vary from 1518 bytes (plus 7-byte frame preamble, frame start byte, 12-byte interframe (IFG), with data payload between 1471 bytes (payload must padded minimum length bytes).
X-Ref Target Figure
AFDX Frame
Bytes Preamble Byte Bytes Bytes Bytes 0x800 IPv4 Bytes Bytes 1-1471 Bytes AFDX Payload 0-16 Bytes Byte Padding Bytes Frame Check Sequence Bytes InterFrame
X1130_03_030809
Start Destination Source Frame Address Address Delimiter
Structure Structure
Figure
AFDX Frame
one-byte frame sequence number used maintain ordinal integrity frames given well assist detecting missing frames. During transmission, sequence number incremented each frame, starting wrapping Note: sequence number used indicate reset condition transmitting system.
XAPP1130 (v1.0.1) 2009
www.xilinx.com
AFDX Details
Addressing
data link layer, each assigned address system integrator. 48-bit destination address (Figure consists bits constant field (identical systems network) bits identify AFDX frames routed switch destination systems identified switch configuration.
X-Ref Target Figure
Bits
Bits Constant Field XXXX XX11 XXXX XXXX XXXX XXXX XXXX XXXX Bits Virtual Link Identifier NNNN NNNN NNNN NNNN
X1130_04_012309
Figure
Destination Address Format
48-bit source address (Figure identifies Ethernet controller system originating frame. first bits address constant value. Following constant value 16-bit unique identifier controller system integrator (ARINC provides only general guidance setting this value). Following 16-bit unique identifier 3-bit value used identify which network controller connected (001 network network other values used). final bits constant: 0000.
X-Ref Target Figure
Bits
Bits Constant Field 0000 0010 0000 0000 0000 0000 Bits User-Defined Identifier NNNN NNNN NNNN NNNN Bits Interface Bits Constant Field 0000
X1130_05_012309
Figure
Source Address Format
Note: focus this application note data link physical layers. more information
about addressing within network, refer ARINC 664, Part standard.
Virtual Links
goal ARINC 664, Part preserve point-to-point links while reducing amount wiring. physical point-to-point links ARINC [Ref replaced virtual links, connecting sensors actuators with control units (Figure links time-division multiplexed system transmission over network.
XAPP1130 (v1.0.1) 2009
www.xilinx.com
AFDX Details
X-Ref Target Figure
Avionics Subsystem AFDX System Avionics Subsystem AFDX System
Avionics Subsystem AFDX System
Avionics Subsystem AFDX System
Avionics Subsystem AFDX System Avionics Subsystem
AFDX System
AFDX Switch
AFDX Switch
AFDX System Avionics Subsystem
AFDX Switch
AFDX System Avionics Subsystem
AFDX System Avionics Subsystem
AFDX System Avionics Subsystem
AFDX System Avionics Subsystem
AFDX System Avionics Subsystem
AFDX System Avionics Subsystem
Figure Virtual Links over AFDX Network
X1130_06_012309
Each guaranteed specific maximum bandwidth well end-to-end maximum latency. assigned bandwidth controlled system enforced switch, where latency defined system integrator, bounded limits standard (see "Latency," page addition, assigned maximum allowed frame size LMAX. Note: switch specification section standard, LMAX referred SMAX. addition, that
section specifies minimum allowed frame size SMIN each (see "Frame Filtering," page 10).
total bandwidth assigned cannot exceed total bandwidth available network. Additionally, demands bandwidth each switch must known because each switch must handle originating terminating attached systems being forwarded other switches network. Each composed four sub-VLs. Sub-VLs used handle less critical data with less stringent bandwidth requirements (bandwidth guarantees apply only level). Data queues each sub-VL read round-robin fashion, with each frame containing data
XAPP1130 (v1.0.1) 2009
www.xilinx.com
AFDX Details only from sub-VL queue (any fragmentation handled layer). After frame sub-VL created, that frame handled network differently than frame. Note: Sub-VLs optional implementation, available user needed. Moreover,
standard does specify sub-VLs identified. Possibly unique identifier assigned each sub-VL system integrator.
Systems
Virtual Link Management
primary responsibility management transmitting receiving data virtual links. system handle maximum built needed configuration, example, transmit four receive VLs, with receive being composed three sub-VLs. one-size-fits-all design required. each sub-VL, system must maintain FIFO queue (sub-VLs FIFO queues read round-robin fashion fill assigned FIFO queue) ordinal integrity transmitted frames must maintained. size VL/sub-VL queues specified ARINC 664, Part total queues given application partitions defined ARINC Specification [Ref must least application partition have more VLs). transmission, system responsible for: Reading each queue. Incrementing frame sequence number. Scheduling each frame transmission maintain bandwidth guarantee within allowed jitter. Transmitting redundant frames both controllers
reception, system responsible for: Deleting redundant frames policing ordinal integrity. Separating data writing received frames appropriate queue.
Note: system must continue transmit frames even there link failure. redundant reception, system should: When redundancy management active, pass copy redundant data partition (see "Redundancy Management"). When redundancy management active, pass both copies redundant data partition.
non-redundant reception, system should pass data from either channel partition (redundancy management active not).
Bandwidth Control
bandwidth control mechanism varies frame payload frame transmission interval. Essentially, each assigned transmission time slot transmit frame within assigned bandwidth allocation gap. bandwidth allocation represents minimum time interval (less allowed jitter) between beginning consecutive frames given (Figure however, system transmit frames from differing within limits defined IEEE 802.3. Note: data available next available bandwidth allocation gap, system
required transmit data other words, empty frame). Moreover, bandwidth allocation represents minimum interval transmission transmit data longer interval than assigned bandwidth allocation gap. Although explicitly stated, standard implies that frames exceeding allocated bandwidth dropped incoming AFDX port.
XAPP1130 (v1.0.1) 2009
www.xilinx.com
AFDX Details
X-Ref Target Figure
Bandwidth Allocation
Bandwidth Allocation
Bandwidth Allocation
Jitter Window Frame
Jitter Window Frame
Jitter Window Frame
X1130_07_012309
Figure
Single Transmission within Bandwidth Allocation Defined Jitter Bandwidth allocation gaps range from minimum maximum size determined Equation Equation Bandwidth Allocation Size where integer range bandwidth allocation value each assigned system integrator, based needs application, stored configuration tables system (and switch). traffic shaping function/scheduler, system reads each queue needed, then determines optional transmission order, taking advantage allowed jitter scheduling frames. Each frame transmitted outside limits bandwidth allocation (less jitter) respecting proper interframe between frames from differing (Figure
X-Ref Target Figure
Preamble
Bandwidth Allocation GapVL1 Bandwidth Allocation GapVL1 Bandwidth Allocation GapVL1
JitterVL1
Frame Frame
JitterVL1
Frame Frame
JitterVL1
Frame Frame
JitterVL2
Bandwidth Allocation GapVL2
JitterVL2
Bandwidth Allocation GapVL2
JitterVL2
Bandwidth Allocation GapVL2
X1130_08_012309
Figure
Scheduling Streams
system must capable transmitting data maximum frame rate supported medium. Conversely, system must able receive process frames that same maximum rate.
Jitter
traffic shaping function allowed introduce jitter when transmitting frames. This jitter allows system flexibility when transmitting simultaneous near simultaneous) frames from differing VLs. AFDX, jitter defined time between beginning bandwidth allocation interval first frame transmitted that bandwidth allocation interval, measured transmitting system. standard allows jitter result transmitting technology plus amount based upon bandwidth requirements VLs, limited maximum maximum allowed jitter shown Equation
XAPP1130 (v1.0.1) 2009
www.xilinx.com
AFDX Details
where:
Jitter
Equation
JitterMAX limited maximum LMAX bytes. bandwidth transmission medium bits second.
Latency
ARINC 664, Part does specify system-wide latency does provide some limits system switch level. System system, standard limits latency during reception less than During transmission, maximum latency defined
Latency frame bandwidth allocation Jitter Equation
where represents number frame sequence data burst, fragmented data. single frame with evenly spaced data, Switch standard defines latency switch elapsed time between reception last frame until transmission last frame. Switch latency composed three parts: technological latency switching function, configuration latency switch loading, time required transmit frame medium. standard specifies limit only technological latency (less than
Determining System Capacity
standard sets limit number system support states that system must able transmit medium's maximum frame rate. However, system must respect bandwidth limits LMAX values each well comprehend total limit switch. worst-case (minimum) number occurs when LMAX each 1,518 bytes each assigned maximum bandwidth (bandwidth allocation ms). Mb/s, frame this size (1,518 bytes bytes overhead) takes 123.04 transmit. With each respecting bandwidth allocation system could only handle eight VLs. Note: This based unit analysis only. doubtful that system could effectively schedule traffic from eight, maximum-bandwidth, maximum-frame-length VLs. Thorough traffic modeling required determine feasible maximum. Without considering limitations switch level, best case (maximum) number occurs when LMAX each bytes, each assigned minimum bandwidth (bandwidth allocation ms). Mb/s, frame this size bytes bytes overhead) takes 6.72 transmit. With each respecting bandwidth allocation system could handle 19,047 exceeding capacity switch. Limits number supported system must system integrator.
Redundancy Management
During transmission, unless required system must simply transmit redundant frames both controllers. standard specifies that redundant frames must sent within each other.
XAPP1130 (v1.0.1) 2009
www.xilinx.com
AFDX Details During reception, system must first check each incoming frame's integrity both channels parallel (irrespective redundancy settings). each received frame passed from MAC, Integrity Checker must verify that frame received expected sequence number previous sequence number (PSN) received plus either (taking into account that sequence numbers wrap from Integrity Checker encounters invalid frame, frame dropped system notified error. result this check allows single dropped frame data stream. Note: This check based upon last frame received, even discarded. This last requirement
implies that previous sequence number must updated with sequence number discarded frame used check next frame, allowing dropped data stream resumed.
There special cases when Integrity Checker must pass frame that appears order (not equal +2): sequence number zero always accepted (indicates transmitting system reset). frame sequence number accepted first valid frame received after receiving system reset.
Note: specification requires that possible disable integrity checking VL-by-VL basis.
Integrity checking status system start-up configuration file.
After Integrity Checker valid frame, passes that frame Redundancy Manager, where frames from both channels compared, passing first valid frame partition dropping redundant frames. Redundancy Manager operates two-step process VL-by-VL basis): frame received either channel ascending frame sequence number, then passed partition. Next, Redundancy Manager looks duplicate frame from other channel.
AFDX, duplicate/redundant frame defined frame with same identical sequence number last frame passed Redundancy Manager (for that VL), received with specified time window (defined standard SkewMAX). redundant frame received after SkewMAX identified frame passed partition. values SkewMAX should system integrator based upon network topology. standard does explicitly state assumes that values SkewMAX specific received specific system. Note: standard also does specify maximum value SkewMAX; however, maximum implied commentary.
Switches
AFDX switch consists full-duplex (but non-redundant) Ethernet ports, central switch fabric, plus single-channel system data loading monitoring functions. minimal system configuration, there redundant switches, network network however, there communication between switches, each routes traffic independently other. many ways, AFDX switch resembles commercial switch frames forwarded based static routing table, redundancy, etc. However, AFDX switch must perform vital functions: frame filtering traffic policing. goal these functions only pass valid frames (from both structure bandwidth perspectives) switch fabric. This strategy isolates links from rest network. addition, switch output ports must discard frame that older than maximum delay value specified port-by-port basis configuration file. This requirement helps remove data from network (the assumption that redundant version frame
XAPP1130 (v1.0.1) 2009
www.xilinx.com
AFDX Details transmitted successfully redundant switch, older redundant frame would removed receiving system anyway). standard requires that switch provides traffic prioritization mechanism, allowing high-priority traffic precedence over priority traffic. standard specifies that this prioritization based destination system, specified basis configuration file. Note: This standard seems contradiction because have more than destination
system. other words, situation could easily arise where transmitting port must handle high priority destined same system.
Because design AFDX switch beyond scope this document, aspects switch functionality covered detail. Refer ARINC 664, Part details [Ref
Frame Filtering
Upon frame reception switch port, frame filtered ensure validity frame based upon parameters contained configuration table. each received frame: frame size verified within defined limits length (between SMIN LMAX/SMAX). frame verified have integer number bytes check alignment. frame calculated verified against value contained frame. incoming switch port assignment verified. destination addressed verified reachable.
frame verified valid discarded entry made into management information base (MIB). Valid frames passed traffic policing function.
Traffic Policing
Valid frames then filtered bandwidth. frame that exceeds defined bandwidth limit discarded. standard specifies token-bucket algorithm policing bandwidth allows option selecting either frame-based byte-based policing. Note: standard does explicitly state that entry frame discarded traffic policing function needs logged MIB; however, best practices recommend logging. Regardless which version algorithm chosen, discarded frames used calculating bandwidth used. goal enforce bandwidth limit blocking only those frames excess defined limit.
Switch System
addition switch ports, each switch system. design switch system resembles other systems network except there requirement redundancy. switch system handles direct communication with switch supports both data loading network management.
Network Management
Management AFDX network handled network management function that communicates with each AFDX network component (equipment, subscriber, switch) monitor health status network. Note: standard does discuss where network management function should hosted. Network health monitored simple network management protocol (SNMP) agents running each subscriber (line-replaceable unit (LRU)/partition) system (including switch
XAPP1130 (v1.0.1) 2009
www.xilinx.com
Solutions Building Systems system). Health status errors logged local MIBs, with status messages sent requested network management function.
Application Level
parallel with development AFDX rise integrated modular avionic (IMA). Rather than having dedicated hardware each onboard function (LRU), standardized computing platform used multiple avionics applications/subsystems (partitions). Each partition assigned individual address spaces, limits their usage create isolation between partitions. Within AFDX network, each partition assigned address. Avionics subsystems communicate with network standard application programming interface (API). Each partition transfer data system either communication service access point (SAP) ports. ARINC653 [Ref defines types communication ports, sampling queuing, both accessible UDP. ARINC allows third port type, SAP, support legacy UDP/TCP traffic outside defined ARINC653. These ports communication points VLs. Each sub-VL sourced single AFDX communication port; each sub-VL terminates AFDX communication port destination partition.
Solutions Building Systems
basic building blocks required build AFDX system are: Ethernet controllers (MAC plus PHY), processor, memory, general-purpose logic. Because profiled custom nature AFDX network, Xilinx® FPGAs with their flexibility ideal solutions. Virtex-5 Virtex-4 families, with their embedded Ethernet MACs PowerPC® processors, represent ideal solutions AFDX systems. addition, devices from these families provide ample memory logic resources implement system building blocks plus user logic. Both these families available extended temperature ranges, making them suitable avionics applications. Given compatibility between architectures both Virtex-5 Virtex-4 FPGAs, families viewed continuum solutions from smallest Virtex-4 device system with bandwidth demands largest Virtex-5 devices system with high bandwidth demands locally hosted AFDX partitions.
Virtex-4 Family
Virtex-4 FPGAs extend earlier Virtex series devices, adding additional resources such embedded Ethernet MAC. Family members equipped with either four embedded Ethernet MACs either embedded PowerPC405 processors (PPC405 processor), making even smallest member suitable constructing system. Virtex-4 FPGA Tri-Mode Ethernet supports 10/100/1000 Mb/s data rates designed IEEE 802.3-2002 specifications. Ethernet operate singlespeed (10, 100, 1000 Mb/s) tri-mode, either full half duplex. embedded supports Media Independent Interface (MII), Gigabit Media Independent Interface (GMII), Reduced Gigabit Media Independent Interface (RGMII) connecting external PHY. Virtex-4 FPGA Ethernet block [Ref contains Ethernet MACs that share single host interface (Figure host interface either generic host through bridge communicate with embedded PPC405 processor.
XAPP1130 (v1.0.1) 2009
www.xilinx.com
Solutions Building Systems
X-Ref Target Figure
StatsIP1
Stats MUX1 ClientTX1/RX1
Stats MUX1 TX1/RX1
EMAC1
PowerPC block Generic Host Bridge Host Interface
ClientTX0/RX0
EMAC0
TX0/RX0
Ethernet Block FPGA Logic
Stats MUX0
Stats MUX0
StatsIP0
X1130_09_013009
Figure
Virtex-4 FPGA Ethernet Block
PPC405 processor 32-bit implementation PowerPC embedded-environment architecture. processor provides fixed-point embedded applications with high performance power consumption: operation DMIPs/MHz performance Five-stage datapath pipeline instruction cache data cache Enhanced instruction data on-chip memory (OCM) controllers Auxiliary Processor Unit (APU) interface direct connection from PPC405 coprocessors FPGA logic
Refer PowerPC Processor Reference Guide [Ref Virtex-5 Family Overview [Ref Virtex-5 FPGA Embedded Tri-Mode Ethernet User Guide [Ref more details.
Virtex-5 Family
Virtex-5 family extends capabilities found Virtex-4 FPGAs, improving logic, memory, performance, enhancing serial connectivity speeds, with enhanced processor performance PCIe Endpoint capabilities. Family members equipped with either four, six, eight embedded Ethernet MACs either embedded PowerPC processors (PPC440 processor). Similar Virtex-4 FPGA Ethernet block, Virtex-5 FPGA Ethernet block contains Ethernet MACs that share single host interface. host interface either generic host through bridge communicate with embedded PPC440 processor. Virtex-5 FPGA Ethernet block adds additional flexibility processor interface, reduces clock resource requirements, improves configuration capabilities over Virtex-4 FPGA version.
XAPP1130 (v1.0.1) 2009
www.xilinx.com
Building System 32-bit embedded PPC440 processor contains dual-issue, superscalar, pipelined processing unit, along with other functional elements required implement embedded systemon-a-chip solutions: operation Greater than 1000 DMIPS processor (2.0 DMIPS/MHz) Seven-stage pipeline Multiple instructions cycle Out-of-order execution 128-bit processor local buses (PLBs) Integrated scatter/gather controllers Dedicated interface connection DDR2 memory controller Auxiliary processor unit (APU) interface controller
Refer Embedded Processor Block Virtex-5 FPGAs Reference Guide [Ref First Portable AFDX Datasheet [Ref 10], ML410 Embedded Development Platform User Guide [Ref more details.
Building System
with design, deciding which functions best handled hardware which best handled software key. This application note presents possible solutions: more processor-centric solution more hardware-centric solution. processor-centric solution advantage allowing off-the-shelf solution, which speeds development, lacks ability customize/differentiate solution limited performance. hardware-centric solution allows more customization obvious performance advantages, longer development cycle. Note: similarities between Virtex-4 Virtex-5 FPGA architectures, solutions
described this application note applicable both. differences application between families highlighted.
Processor-Centric Solution
Because both Virtex-4 Virtex-5 FPGAs offer embedded PowerPC processors, they lend themselves processor-centric solution. processor-centric solution, entire AFDX protocol stack implemented software integrity checking, redundancy, bandwidth management hosted software. addition, layer, AFDX ports, network management functions included. COTS solutions software-only AFDX protocol stack available (see ML510 Embedded Development Platform User Guide [Ref example); however, there limits number total bandwidth available. processor-centric mode uses both Ethernet MACs block, passing data to/from processor packet FIFO. protocol stack running mediated processor handles aspects protocol, providing data avionics partitions AFDX communication ports. addition, processor handles network management functions with hosted SNMP agent, writing contained either internal external memory (depending upon required size amount memory required protocol stack).
XAPP1130 (v1.0.1) 2009
www.xilinx.com
Building System
X-Ref Target Figure
FPGA Logic
PowerPC
SNMP Agent
FIFO
EMAC0
Network
AFDX Ports
Avionics Partitions
Layer Layer Redundancy Manager Integrity Checker
Bridge
Host Interface
FIFO
EMAC1
Network
Ethernet Block
Database
X1130_10_013009
Figure Processor-Centric AFDX Solution Note: this (and other AFDX solutions described this application note), Ethernet MACs must placed promiscuous mode because address AFDX frame represents controller AFDX switch filters frame intended system. This solution leaves room other user applications places little demand basic FPGA logic.
Hardware-Centric Solution
hardware-centric solution, parts AFDX protocol stack below layer implemented hardware; integrity checking, redundancy management, transmit decode, bandwidth control implemented hardware, offloading these tasks from processor. embedded processor handles layer above. advantage hardware-centric solution performance scalability. hardware designed meet needs specific application (number receive transmit VL/subVLs, number size transmit receive frames, etc.).
Receive Path
receive path (Figure consists external 100BASE-TX both networks connected pair Ethernet MACs FPGA. These Ethernet MACs then pass data dual integrity checkers (via FIFO). single redundancy manager block reads data from both integrity checkers (again FIFO), passes only unique valid frames ordinal order each PowerPC processor (unless otherwise configured).
XAPP1130 (v1.0.1) 2009
www.xilinx.com
Building System
X-Ref Target Figure
FPGA Logic
SkewMAX Timer
PowerPC
SNMP Agent
Integrity Checker
FIFO
EMAC0
Network
Avionics Partitions
AFDX Ports Layer Layer
Redundancy Manager
FIFO
Bridge
Host Interface
Integrity Checker
FIFO
EMAC1
Network
Ethernet Block
Database
X1130_11_013009
Figure Ethernet MACs
AFDX Receive Path
each these operations, both integrity checkers redundancy manager must maintain database each Because system required maintain statistics network management function, some this data could stored off-chip MIB. Ethernet MACs must configured for: Full-duplex operation Mb/s operation only auto-negotiation) Address filtering disabled
Integrity Checker each frame passed integrity checker (Figure 12), block must check frame sequence number that stream. frame with sequence number that next expected number next expected number plus dropped, entry made into (unless frame sequence number zero this first frame received after system reset). frame found valid passed redundancy manager (writing common FIFO both channels). both cases, last sequence number entry that must updated database. Note: integrity checker write valid frames common FIFO because redundancy manager
only needs supply valid frames does need know which channel frame received
Rather than store last sequence number, more efficient increment last sequence number allow unity comparison. After match fail, value incremented again compared. second match fail detected, frame discarded sequence number that frame incremented stored database.
XAPP1130 (v1.0.1) 2009
www.xilinx.com
Building System
X-Ref Target Figure
Reset
Fetch Frame
Pass Frame Valid SeqNum Frame
Fetch Frame
Drop Frame SeqNum Frame
Frame SeqNum; SeqNum
Enter Error Fetch Frame
X1130_12_012809
Figure
Integrity Checker Flowchart
Because each checked independently, integrity checker engines parallel more performance needed (the standard requires that system able receive frames maximum frame rate specified standard, other words, back-to-back with required IFG). This option requires demultiplexer block segregate frames frames could read round-robin fashion, contention-handling function required (for example, allowing integrity checker engine lock database entry given VL). Redundancy Manager redundancy manager (Figure reads next frame from common post-integritychecker FIFO, reading both sequence number frame. manager compares sequence number received frame last sequence number passed manager
XAPP1130 (v1.0.1) 2009
www.xilinx.com
Building System that received sequence number greater than sequence number last frame passed redundancy manager last frame received more than SkewMAX ago, frame passed processor database updated. received sequence number less than last received frame sequence number, frame discarded. Note: Although clear from standard whether SkewMAX end-system-wide VL-specific
value, must tracked each however, implying individual timers required each
X-Ref Target Figure
Reset
Fetch Frame
SKEWMAX exceeded?
Drop Frame Enter Error
Frame SeqNum?
Frame SeqNum?
Pass Frame Valid SeqNum Frame
X1130_13_030809
Figure
Redundancy Manager Flowchart
XAPP1130 (v1.0.1) 2009
www.xilinx.com
Building System PowerPC Processor redundancy manager passes valid frames PowerPC processor, which responsible handling layers, plus SNMP agent AFDX ports. data passed AFDX ports avionics partitions.
Transmit Path
transmit path (Figure consists data streams from avionics partitions being passed PowerPC processor, which turn handles AFDX ports, layers, scheduling frames transmission. Frames written FIFO transmission order. regulator reads frames from FIFO then transmits each frame, respecting VL's bandwidth allocation jitter limits. Based redundancy settings, frames passed either both Ethernet MACs, which then transmit frames external PHY.
X-Ref Target Figure
FPGA Logic
PowerPC
SNMP Agent
BAG/Jitter Timer(s)
EMAC0
Network
Avionics Partitions
AFDX Ports Layer Layer Scheduler
FIFO
Regulator
Bridge
Host Interface
EMAC1
Network
Ethernet Block
Database
X1130_14_013009
Figure PowerPC Processor
AFDX Transmit Path
Aside from managing incoming AFDX ports, SNMP agent layers, PowerPC processor must handle scheduling (ordering) frames transmission (the regulator handles transmission timing). standard does specify algorithm method scheduling frames, scheduling function must take following into account: allowed bandwidth each sense VL's bandwidth allocation gap). Frames delayed should scheduled, that frame does block transmission another frame. loading each VL's incoming queue. must allowed transmit their maximum bandwidth. Frames delayed when needed, queue must served. required transmission time frame. remaining transmission window that frame. priority
Frames written output FIFO order required transmission.
XAPP1130 (v1.0.1) 2009
www.xilinx.com
Building System Regulator After frame ordering determined, regulator controls exact timing frame transmission, respecting VL's bandwidth allocation limit system allowed jitter. possible solution regulator by-the-book approach that transmits frames soon they available, respecting bandwidth allocation jitter limits. This approach ship consecutive frames separated only IFG. by-the-book approach depends PowerPC processor-based scheduler order frames properly. regulator (Figure reads frame from FIFO reads identifier determine proper bandwidth allocation gap. frame transmitted after bandwidth allocation elapsed, within jitter window. jitter window expires, frame still transmitted; however, bandwidth allocation timer reset (Figure 16). frame sent both Ethernet MACs (depending redundancy settings), next frame FIFO fetched.
X-Ref Target Figure
Reset
Fetch Frame
FLAGBAG set?
FLAGJITTER set?
RESETCOUNTER
Reset FLAGBAG
Transmit Frame
X1130_15_030809
Figure
Regulator Flowchart (Per
XAPP1130 (v1.0.1) 2009
www.xilinx.com
Building System
X-Ref Target Figure
Reset
Reset FLAGJITTER
Increment Timer
Increment Timer
Jitter time reached?
time reached?
FLAGJITTER
FLAGBAG
Reset FLAGBAG
RESETCOUNTER set?
FLAGBAG set?
X1130_16_012809
Figure
Bandwidth Allocation Gap/Jitter TImer Flowchart
XAPP1130 (v1.0.1) 2009
www.xilinx.com
Prototyping Solutions example, consider system with three transmit: bandwidth allocation LMAX 1,518 bytes bandwidth allocation LMAX 1,024 bytes bandwidth allocation LMAX bytes this system, allowed jitter (per Equation With by-the-book approach, frames transmitted soon they available. stream shown Figure assumes that three send traffic their maximum bandwidth have data available start. Frames only separated IFG, bandwidth allocation gap, allowed jitter.
X-Ref Target Figure
BAGC BAGB BAGA Jitter Jitter
Jitter
X1130_17_012809
Figure
By-the-Book Transmission
by-the-book approach: Requires smart scheduler Individual bandwidth allocation gap/jitter timers each
Ethernet MACs Regardless which approach chosen regulator, output frames transferred both Ethernet MACs (depending redundancy settings VL). Ethernet MACs transmit frames networks external PHYs. Ethernet MACs, must configured for: Full-duplex operation Mb/s operation only auto-negotiation)
Prototyping Solutions
Xilinx provides demonstration/evaluation kits developing AFDX system solutions.
ML410 Embedded Development Platform Virtex-4 FPGAs
ML410 series embedded development platforms [Ref offers designers versatile Virtex-4 device rapid prototyping system verification. addition more than 30,000 logic cells, over 2,400 block RAM, dual PPC405 processors, RocketIOtransceivers available FPGA, ML410 provides onboard Ethernet PHYs, memory, multiple slots, standard front panel interface ports within form-factor motherboard. integrated System ACEtool CompactFlash controller deployed perform board bring-up load applications from CompactFlash card.
ML510 Embedded Development Platform Virtex-5 FPGAs
ML510 series embedded development platforms [Ref offer designers versatile Virtex-5 device rapid prototyping system verification. addition more than 130,000 logic cells, over 10,700 block RAM, dual PPC440 processors, RocketIO transceivers available FPGA, ML510 provides onboard Ethernet PHYs,
XAPP1130 (v1.0.1) 2009 www.xilinx.com
AFDX DO-254 DDR2 memory, multiple slots, standard front panel interface ports within form-factor motherboard. integrated System tool CompactFlash (CF) controller loads applications from CompactFlash card.
AFDX DO-254
RTCA/DO-254 counterpart Europe, EUROCAE/ED-80, guidelines design complex electronic hardware (CEH) avionics systems. advisory circular 20-152 made DO-254 official requirement suppliers civil aviation avionics systems. DO-254 collection best industry practices design assurance airborne electronic hardware. These guidelines advocate top-down approach design verification safety critical electronics other avionics systems represent consensus aviation community.
System Failure Levels
defined number levels regarding safety criticality avionic system. example, engineers designing level face much more rigorous test, verification, documentation process than levels flight hardware needs classified having these failure levels [Ref 13]. Within AFDX network, system applications carry same level criticality. Each system application carries criticality level associated with avionics partitions supports. required level system integrator consultation with equipment supplier.
Network Safety versus Network Security
When discussing network, issue network safety versus network security must discussed. DO-254 addresses safety network, other words, reliability network susceptibility component failure. Network security, network's susceptibility viruses, hacking separate issues that addressed DO-254. related issue, also addressed standard, bitstream security. While tampering with FPGA bitstream remote possibility, Xilinx does provide effective bitstream security encryption solutions protect designs from malicious tampering [Ref 14].
Potential Methods DO-254 with ARINC (AFDX) Solution Using Xilinx Devices
Generally, designers have range potential methodologies available mitigate errors when designing solutions meet DO-254 requirements [Ref 13]. Depending upon design assurance level, designers employ several fault mitigation schemes when implementing design into FPGA descending order strength): Triple-FPGA redundancy with external voting circuits Dual-FPGA redundancy Triple-module redundancy (TMR) with voting circuits implemented FPGA Circuit redundancy with arbitration inside single FPGA Bitstream scrubbing with error correction Periodic FPGA reconfiguration
AFDX presents special case with respect DO-254 AFDX already includes redundancy well error mitigation. Given redundant nature AFDX, range additional, viable mitigation techniques narrowed. Depending upon design assurance level, possible techniques increase fault immunity AFDX application fall into categories:
XAPP1130 (v1.0.1) 2009
www.xilinx.com
Conclusion Multiple-device solutions: Networks split between FPGAs, placing network integrity, redundancy management, transmit regulator third FPGA. Single-device solutions: entire system implemented single FPGA, employing device-level mitigation techniques.
strength these solutions adjusted implementing descending order strength): FPGAs (for both solutions) only third FPGA supporting network integrity, redundancy management, transmit regulator (for multiple-device solution) Bitstream scrubbing with error correction Periodic FPGA reconfiguration
exact technique employed should determined consultation with both system integrator Designated Engineering Representative.
Conclusion
increased complexity today's commercial aircraft requires enhanced data communication solution. adapting commercial Ethernet technology, AFDX only provides much higher data rates compared earlier solutions allows leveraging existing silicon. Virtex-5 Virtex-4 families, with their embedded Ethernet MACs PowerPC processors, plus abundant resources user logic, represent ideal solutions AFDX systems.
References
ARINC Specification 664, Part Aircraft Data Network, Avionics Full Duplex Switched Ethernet (AFDX) Network. ARINC Specification 429, Mark Digital Information Transfer System (DITS). ARINC Specification 664, Part Aircraft Data Network, Systems Concepts Overview. ARINC Specification 653, Avionics Application Software Standard Interface. UG074, Virtex-4 FPGA Embedded Tri-Mode Ethernet MAC. UG011, PowerPC Processor Reference Guide. DS100, Virtex-5 Family Overview. UG194, Virtex-5 FPGA Embedded Tri-Mode Ethernet User Guide. UG200, Embedded Processor Block Virtex-5 FPGAs Reference Guide. First Portable AFDX Datasheet, SYSGO 2007. http://www.sysgo.com UG085, ML410 Embedded Development Platform User Guide. UG356, ML510 Embedded Development Platform User Guide. WP332, Meeting DO-254 ED-80 Guidelines when using Xilinx FPGAs. Design Security Solutions
XAPP1130 (v1.0.1) 2009
www.xilinx.com
Appendix Background
Appendix Background
modern commercial airframe connect thousands sensors actuators with plane's control systems. critical nature these systems, each sensors actuators must connected directly their control systems. Although bandwidth required these connections order kb/s less), connections must robust, providing guaranteed delivery data offering connection data collisions. many aspects requirements aircraft data network (ADN) mirror that public switched telephone network (PSTN), with thousands point-to-point, low-speed kb/s) connections requirement quality service (QoS) robustness analogy lost architects AFDX.
ARINC
nearly years, almost every commercial aircraft developed, starting with Boeing through Airbus A340, made ARINC data busing connecting onboard electronics. Electrically, ARINC buses composed single twisted wire pair connecting transmitter with receivers (Figure 18). communication unidirectional, sending 32-bit data words either (12.5 kb/s) high (100 kb/s) speed.
X-Ref Target Figure
BAGC BAGB BAGA Jitter Jitter
Jitter
X1130_18_012909
Figure
ARINC Topology
Despite robustness ARINC 429, starting with design first all-electronic, fly-bywire system Airbus A320, clear that replacement standard needed. With number systems required modern airframe, amount, size, weight wiring required connect sensors, controllers, actuators (also known Line Replaceable Units LRUs) made ARINC impractical future design (already, Boeing 747-400 aircraft miles wiring). Designers A380 began looking alternatives. avoid expensive lengthy development custom, aviation-only solution, A380 designers looked leverage much commercial-off-the-shelf (COTS) technology possible. While most avionic systems require high data rates, higher bandwidth solution sought support both newer technology also allow multiplexing connections. IEEE 802.3 Ethernet chosen basis solution,
Ethernet
IEEE 802.3 Ethernet even longer history than ARINC 429, advantage being widely deployed well understood. addition, there many commercial suppliers supporting aspects standard, allowing solution based Ethernet built largely commercially available building blocks. Despite bandwidth maturity, Ethernet, typically deployed, several drawbacks when compared needs ADN: Broadband connection standard handles transfer bulk data network with many receivers transmitters without central control. connection available bandwidth.
XAPP1130 (v1.0.1) 2009
www.xilinx.com
Revision History Data collisions allowed Ethernet does prevent data collisions from occurring, rather employes technique handling collisions when they occur using carrier sense multiple access with collision detection (CSMA/CD). Bandwidth shared there bandwidth guarantee single connection, effective bandwidth being function size network, topology, traffic. Best-effort network there requirement with Ethernet. data delivered based current network traffic. Vulnerability loss single wire severs connection between data terminals; however, other network connections might impacted.
Clearly, effective cannot built solely from commercial Ethernet concepts.
AGiven similarity ADNs with publicly switched telephone network (PSTN), concepts from telephony also applied. asynchronous transfer mode (ATM) cell-based packet-switched network protocol. protocol supports virtual point-to-point connections (virtual circuits) with guarantee (bandwidth, latency, jitter). Within PSTN, data multiple channels time-division multiplexed (TDM) over Aconnection. Each 53-byte Acell contains five header bytes containing addresses specifying virtual circuit path channel (the rest cell data payload). protocol allows each connection specify required (traffic contract).
Revision History
following table shows revision history this document.
Date 03/20/09 05/22/09 Version 1.0.1 Xilinx initial release. Revised authors. Revision
Notice Disclaimer
Xilinx disclosing this Application Note "AS-IS" with warranty kind. This Application Note possible implementation this feature, application, standard, subject change without further notice from Xilinx. responsible obtaining rights require connection with your implementation this Application Note. XILINX MAKES REPRESENTATIONS WARRANTIES, WHETHER EXPRESS IMPLIED, STATUTORY OTHERWISE, INCLUDING, WITHOUT LIMITATION, IMPLIED WARRANTIES MERCHANTABILITY, NONINFRINGEMENT, FITNESS PARTICULAR PURPOSE. EVENT WILL XILINX LIABLE LOSS DATA, LOST PROFITS, SPECIAL, INCIDENTAL, CONSEQUENTIAL, INDIRECT DAMAGES ARISING FROM YOUR THIS APPLICATION NOTE. XILINX PRODUCTS (INCLUDING HARDWARE, SOFTWARE AND/OR CORES) DESIGNED INTENDED FAIL-SAFE, APPLICATION REQUIRING FAILSAFE PERFORMANCE, SUCH LIFE-SUPPORT SAFETY DEVICES SYSTEMS, CLASS MEDICAL DEVICES, NUCLEAR FACILITIES, APPLICATIONS RELATED DEPLOYMENT AIRBAGS, OTHER APPLICATIONS THAT COULD LEAD DEATH, PERSONAL INJURY SEVERE PROPERTY ENVIRONMENTAL DAMAGE (INDIVIDUALLY COLLECTIVELY, "CRITICAL APPLICATIONS"). FURTHERMORE, XILINX PRODUCTS DESIGNED INTENDED APPLICATIONS THAT AFFECT CONTROL VEHICLE AIRCRAFT, UNLESS THERE FAIL-SAFE REDUNDANCY FEATURE (WHICH DOES INCLUDE SOFTWARE XILINX DEVICE IMPLEMENT REDUNDANCY) WARNING SIGNAL UPON FAILURE OPERATOR. CUSTOMER AGREES, PRIOR USING DISTRIBUTING SYSTEMS THAT INCORPORATE XILINX PRODUCTS, THOROUGHLY TEST SAME SAFETY PURPOSES. MAXIMUM EXTENT PERMITTED APPLICABLE LAW, CUSTOMER ASSUMES SOLE RISK LIABILITY XILINX PRODUCTS CRITICAL APPLICATIONS.
XAPP1130 (v1.0.1) 2009
www.xilinx.com

Architecting ARINC 664, Part (AFDX) Solutions XAPP1130 (v1.0.1) 2

Top Searches for this datasheet

Other recent searches