Example: Helicopter architecture

Figure: Product line architecture for helicopters (Black Hawk helicopter: MH-60L Black Hawk, UH-60A Black Hawk; Chinook helicopter)


• an Open System Architecture (OSA) using published and controlled interface definitions, such that its hardware and software components can be replaced or upgraded with alternate components

• variability isolation to accommodate changes in the system over its life cycle, such that the impact of change is isolated to the smallest system component

• use of layers and partitions with widely accepted interfaces to isolate system components

• redundant software using master/slave protocol where every application is resident on every box and some applications are active on multiple boxes to support quality attributes such as availability and safety

• use of application templates across applications, common software, and CoRE to support reusability, modifiability, repeatability, and affordability

• use of commercial standards including ARINC 661 (cockpit display system interface standards), POSIX, CORBA, IEEE P1386/P1386.1 (common mezzanine card families draft standards), OpenGL (graphical interfaces standards), and DO 178B (software considerations for airborne systems) to enhance portability, maintainability, and modifiability

• LynxOS-178 based on the flight-ready POSIX operating system (with standard POSIX API and Ada 95 support) to encapsulate and manage any interaction with the computing platform and provide DO-178B, Level A design assurance

Reliability is achieved through the following architectural approaches:

• software redundancy: The strategy for software is to use a primary unit (master unit) and a hot backup (slave). Partitions use a watchdog service provided by the health monitor (HM). A failure of a primary to stroke the watchdog within a specified time period can trigger a switch of the backup to the primary role.

• health monitoring: The HM provides a number of capabilities to enhance system reliability. It monitors memory usage and responds to any memory protection violations by killing the offending partition. In addition to monitoring software versions to ensure that compatible versions are loaded and checking for software corruption, the HM performs background-initiated built-in test of processing elements.

• memory persistence and warm start: Restarts due to momentary power interruptions are supported by semipersistent memory storage for state data. When the system detects a power interruption of less than two seconds in duration, it directs a warm start using state data stored in semipersistent memory.

• display redundancy: A measure of reliability for the display of information is afforded by the transparency of display pages to the physical medium on which they are displayed. Each CDU has a separate copy of the CDU display manager, and each MFD has a separate copy of the MFD display manager. Any page generated by a partition can be displayed on any appropriate display device (CDU or MFD), so that the loss of a particular hardware device does not preclude the display of any page in the system. Users command which pages are displayed and where. The redundant displays do not assume a master/slave relationship but simply provide multiple devices capable of displaying (or inputting) the same information.

• virtual circuit service: Communications reliability is provided by allowing connections to be established using a virtual circuit service. This service (provided by the Transmission Control Protocol [TCP]) provides guaranteed in-order delivery of traffic. It keeps track of messages received and retransmits lost messages. It also monitors and reports the status of already established connections.
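The watchdog-driven master/slave failover described under software redundancy (and again under the redundant software approach later on this page), as an added simulation that is not CAAS code: a hypothetical health monitor records the last watchdog stroke of each partition copy, takes a master out of service when it misses the stroke deadline, and promotes the hot backup only if the backup itself is still stroking. The box names, the 2.5-unit timeout and the tick schedule are constructed for the example.

```python
"""Watchdog-driven master/slave failover, as a deterministic simulation.

Hypothetical model of the scheme the page describes: every partition copy
must "stroke" the health monitor's watchdog within a timeout; a master that
misses the deadline is taken out of service and a still-healthy backup takes
over the master role. Names, timeout and tick schedule are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class PartitionCopy:
    name: str
    role: str                 # "master", "slave" or "failed"
    last_stroke: float = 0.0  # time of the most recent watchdog stroke


@dataclass
class HealthMonitor:
    timeout: float                       # max silence tolerated before failover
    copies: Dict[str, PartitionCopy]
    log: List[str] = field(default_factory=list)

    def stroke(self, name: str, now: float) -> None:
        """Record a watchdog stroke; strokes from failed copies are ignored."""
        copy = self.copies[name]
        if copy.role != "failed":
            copy.last_stroke = now

    def current_master(self) -> Optional[PartitionCopy]:
        return next((c for c in self.copies.values() if c.role == "master"), None)

    def _healthy(self, copy: PartitionCopy, now: float) -> bool:
        return copy.role != "failed" and now - copy.last_stroke <= self.timeout

    def check(self, now: float) -> Optional[str]:
        """Run one watchdog check; return the name of a newly promoted master, if any."""
        master = self.current_master()
        if master is None or self._healthy(master, now):
            return None
        self.log.append(f"t={now}: master {master.name} missed watchdog, marking failed")
        master.role = "failed"
        backup = next((c for c in self.copies.values()
                       if c.role == "slave" and self._healthy(c, now)), None)
        if backup is None:
            # Edge case: the hot backup is silent too, so nothing can be promoted.
            self.log.append(f"t={now}: no healthy backup available")
            return None
        backup.role = "master"
        self.log.append(f"t={now}: promoted {backup.name} to master")
        return backup.name


def run_scenario(timeout: float = 2.5, last_master_stroke: float = 3.0,
                 last_backup_stroke: Optional[float] = None,
                 end: int = 8) -> Tuple[HealthMonitor, Optional[float]]:
    """Tick a two-box system once per time unit and report when failover happened.

    The master strokes until last_master_stroke; the backup strokes until
    last_backup_stroke (forever if None). Returns (monitor, failover time).
    """
    hm = HealthMonitor(timeout, {
        "box-A": PartitionCopy("box-A", "master"),
        "box-B": PartitionCopy("box-B", "slave"),
    })
    failover_at = None
    for tick in range(end + 1):
        now = float(tick)
        if now <= last_master_stroke:
            hm.stroke("box-A", now)
        if last_backup_stroke is None or now <= last_backup_stroke:
            hm.stroke("box-B", now)
        promoted = hm.check(now)
        if promoted is not None and failover_at is None:
            failover_at = now
    return hm, failover_at


if __name__ == "__main__":
    monitor, when = run_scenario()
    print("\n".join(monitor.log))
    master = monitor.current_master()
    print("failover at", when, "master now", master.name if master else None)
```

With the defaults the master stops stroking after t=3 and the monitor promotes box-B at t=6, the first tick at which the silence exceeds the 2.5-unit timeout; the third scenario in the test, where the backup has also gone silent, shows why the promotion must check the backup's own health rather than assume the hot standby is always usable.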


The overall list of CAAS software architectural approaches is given below, along with the quality attributes each one nominally affects:

• consistent partitioning strategy: definition of a partition, "brick wall" partitioning (availability, safety, modifiability, testability, maintainability)

• encapsulation: Encapsulation is used to isolate partitions. Between partitions, applications can only share state via the network. RSI and RSP are also examples of encapsulation that isolates the network implementation details. (modifiability, availability)

• interface strategy: The strategy of accessing components only via their interfaces is strictly followed. Besides controlling interactions and eliminating backdoor exploitation of changeable implementation details, this strategy reduces the number of inputs and outputs per partition. (modifiability, maintainability)

• layers: Layers are used to partition and isolate high-level graphics services. (portability, modifiability)

• distributed processing: A client/server approach is used to decouple parts of the system that provide separate functionality. Decoupling is also achieved through the use of information broadcast. (maintainability, modifiability)
- Both User Datagram Protocol (UDP) and TCP are used, and rules are established for each. With UDP, data consumers issue a warning when data does not arrive.
- Access to sockets, bandwidth, and data is guaranteed.

• virtual machine: A flight-ready, POSIX-consistent operating system with a standard POSIX API and Ada 95 support, providing Level A design assurance. (modifiability, availability)

• HMs: HMs check the health of CDUs and MFDs. (availability)

• use of commercial standards: Standards include ARINC 661, POSIX, CORBA, IEEE P1386/P1386.1, OpenGL, and DO 178B. (portability, maintainability, modifiability)

• locational transparency: Applications do not know where other applications reside and, hence, are unaffected when applications migrate to other hardware for schedulability or load-balancing reasons. Location is bound at configuration time. (portability, modifiability)

• redundant software: For flight-critical functions, redundant software is introduced using a master/slave protocol to manage failover. (portability, availability)
- Every application is resident on every box. (portability)
- Some applications are active on multiple boxes. (availability)

• memory and performance analysis: Partitions are cyclic. However, Rate Monotonic Analysis (RMA) is used to assign priorities to threads within partitions. The result is assured schedulability. (performance)

• application templates (the shell): A standard template for applications incorporates applications, common software, and CoRE and ensures that complicated protocols, such as failover, are handled consistently across all applications. (reuse, modifiability, repeatability, affordability)
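Rate Monotonic Analysis for the threads within a partition, as an added example that is not part of the CAAS material: priorities are assigned by period (shorter period, higher priority), the Liu and Layland utilization bound gives a quick sufficient test, and exact response-time analysis decides the cases the bound cannot. The three thread sets (periods and worst-case execution times in milliseconds, with each thread's deadline equal to its period) are constructed for the example.

```python
"""Rate Monotonic priority assignment and schedulability tests for one partition.

Added example, not CAAS code. Thread periods and worst-case execution times
(milliseconds) are constructed; each thread's deadline is its period.
"""
from dataclasses import dataclass
from math import ceil
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Thread:
    name: str
    period: float  # ms; also the deadline
    wcet: float    # worst-case execution time, ms


def assign_rm_priorities(threads: List[Thread]) -> List[Thread]:
    """Rate monotonic rule: shorter period gets higher priority. Highest first."""
    return sorted(threads, key=lambda t: t.period)


def utilization(threads: List[Thread]) -> float:
    return sum(t.wcet / t.period for t in threads)


def liu_layland_bound(n: int) -> float:
    """Sufficient (not necessary) RM test: U <= n(2^(1/n) - 1) guarantees schedulability."""
    return n * (2 ** (1.0 / n) - 1)


def passes_utilization_test(threads: List[Thread]) -> bool:
    return utilization(threads) <= liu_layland_bound(len(threads))


def response_times(threads: List[Thread]) -> Dict[str, Optional[float]]:
    """Exact response-time analysis under RM priorities.

    Each thread's worst-case response time is the fixed point of
    R = C + sum over higher-priority threads h of ceil(R / T_h) * C_h.
    None means the thread can miss its deadline.
    """
    ordered = assign_rm_priorities(threads)
    result: Dict[str, Optional[float]] = {}
    for i, t in enumerate(ordered):
        higher = ordered[:i]  # threads that can preempt t
        r = t.wcet
        while True:
            r_next = t.wcet + sum(ceil(r / h.period) * h.wcet for h in higher)
            if r_next > t.period:
                result[t.name] = None  # deadline miss under worst-case phasing
                break
            if r_next == r:
                result[t.name] = r_next  # fixed point reached
                break
            r = r_next
    return result


def schedulable(threads: List[Thread]) -> bool:
    return all(r is not None for r in response_times(threads).values())


# Constructed thread sets for one partition (names are illustrative).
LIGHT_LOAD = [Thread("nav", 10, 2), Thread("display", 20, 4), Thread("comms", 50, 10)]
ABOVE_BOUND = [Thread("nav", 10, 3), Thread("display", 20, 6), Thread("comms", 50, 12)]
OVERLOADED = [Thread("nav", 10, 5), Thread("display", 20, 6), Thread("comms", 50, 15)]

if __name__ == "__main__":
    for label, ts in (("light", LIGHT_LOAD), ("above bound", ABOVE_BOUND),
                      ("overloaded", OVERLOADED)):
        print(label, f"U={utilization(ts):.2f}",
              "LL-bound test:", passes_utilization_test(ts),
              "RTA:", response_times(ts))
```

The second set has utilization 0.84, above the three-thread bound of about 0.78, yet response-time analysis shows every thread finishing inside its period; the third set exceeds 100% utilization and the lowest-priority thread cannot meet its deadline. That is the distinction a reviewer of a partition's timing budget needs: the bound is a quick screen, the exact test is the evidence of assured schedulability.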