An event-driven link-level simulator for validation of AFDX and Ethernet avionics networks

Aircraft are composed of many electronic systems: sensors, displays, navigation equipment and communication elements. These elements require a reliable interconnection, which is a major challenge for communication networks, as high reliability and predictability requirements must be verified for safe operation. In addition, their verification via hardware deployments is limited because these are costly and make it difficult to try different architectures and configurations, thus delaying design and development in this area. Therefore, verification at early stages of the design process is of great importance and has to be supported via simulation. In this context, the present work presents an event-driven link-level framework and simulator for the validation of avionics networks. The presented tool supports communication protocols such as Avionics Full-Duplex Switched Ethernet (AFDX), which is a common protocol in avionics, as well as Ethernet, which is used with static routing in such scenarios. The simulator also uses realistic element models to provide accurate results. The proposed platform is evaluated in Clean Sky’s Disruptive Cockpit for Large Passenger Aircraft architecture scenario. The speed of the verification is a key factor, so the computational cost is analyzed, proving that the execution time is linearly dependent on the number of messages sent.


Introduction
The aerospace industry has undergone tremendous advances since its conception just over 100 years ago by the Wright brothers. Of great importance in these advances has been the introduction of avionics (a term derived from the combination of aviation and electronics), which encompasses all the electronic systems that have been added to aircraft, including a wide range of equipment such as actuators, sensors and communication systems, and which make up the majority of the safety-critical elements in an aircraft. Within the advancement of avionics, the approach based on the concept of Integrated Modular Avionics (IMA) [1] has been extended to commercial aviation with the design of airplanes like the Airbus A380 [2] and Boeing 777 [3]. This approach involves distributing various safety-critical functions, which are becoming increasingly numerous due to technological advancements, into separate independent modules connected within an avionics network. Moreover, the new generations of IMAs use not only software distribution, as in the original versions, but also hardware distribution, which places the modules closer to the components they monitor for faster response. These newer generations are referred to as Distributed IMA (DIMA). These systems cover diverse categories and applications, such as navigation, communication, flight control, etc.
There are several buses and protocols available for establishing this kind of network, including Ethernet, CAN bus, and serial bus, among others. Ethernet-based protocols are currently the most widely used, with particular emphasis on Avionics Full-Duplex Switch Ethernet (AFDX) [4]. AFDX is an implementation of the ARINC 664 Part 7 standard and offers dedicated bandwidth and a fixed Quality of Service (QoS). Additionally, the Time Sensitive Networking (TSN) [5] standard is another Ethernet-based option that is expected to become the standard for future generations of aircraft. Currently, a working group is in the process of developing a TSN profile tailored specifically to the avionics sector, covering aspects such as shapers, scheduling, and stream isolation [6]. Other protocols, such as Time-Triggered Ethernet (TTEthernet), have also been proposed and are commonly used in spacecraft applications [7].
Some protocols, such as AFDX, introduce a paradigm where determinism is achieved through a specific network structure. Consequently, each network configuration must undergo individual analysis to ensure that real-time requirements, including Figures of Merit (FoM) like delay and jitter, are satisfied. Additionally, as avionics systems evolve, their bandwidth demands increase, making it challenging to devise new networks that align with safety and certification requirements. This validation process extends the time it takes to bring an aircraft to market. In this context, simulators play a crucial role in accelerating development.
The Model Based Systems Engineering (MBSE) [8] methodology is usually used in the design process of the aerospace sector [9]. This methodology uses models to design and analyse complex systems and involves the creation of a digital representation of a system. In this way, the model can be used to simulate and test different scenarios before the system is built. The MBSE design process consists of a series of steps, which are depicted in the V-model of Figure 1. These steps range from requirements definition to Software-in-the-loop (SIL), Hardware-in-the-loop (HIL) and integration. The SIL phase is of great importance in the aerospace sector for several reasons. First and foremost, the significant cost associated with avionics equipment requires a cautious approach, making it impractical to move to a hardware implementation until certain design guarantees have been met. In addition, the complexity, heterogeneity, and vast number of elements within a network limit the amount of hardware testing that can be done prior to final implementation. Furthermore, stringent delay and throughput requirements impose the need to evaluate networks across different architectures and potential scenarios. Finally, the presence of a wide variety of protocols and technologies, including emerging ones such as TSN, emphasises the need for a comprehensive evaluation during the SIL phase.
Considering this, the development of new approaches to support and speed up the evaluation of this kind of network has been considered essential. In this field, a review of the main communication protocols used in avionics networks has been carried out, and an event-driven link-level simulator has been designed and proposed for the validation of these networks, supporting the main protocols of Ethernet and AFDX. For this purpose, the elements of the network in the simulator have been designed, as well as the scenarios for the simulator evaluation. Finally, a validation of this simulator has been carried out.
The present work is structured as follows. Section 2 gives a brief summary of the supported protocols. Section 3 introduces the simulator developed. Section 4 analyses the correctness of the simulator results and the computational performance. Finally, Section 5 presents the main conclusions of this work.

Avionic protocols
In this section, some of the most important protocols used in avionics networks nowadays are analyzed.

ARINC 664
AFDX is a packet switching protocol built over Ethernet networks that provides deterministic timing and redundancy management while using Internet Protocol (IP) and User Datagram Protocol (UDP) as upper layer protocols. This protocol is characterised by three factors. First, the ARINC 664 standard proposes a duplication of the network hardware for redundancy purposes. Second, AFDX implements the packet routing by defining unidirectional logical paths to follow, called Virtual Links (VL). Third, AFDX regulates the packet traffic by limiting the bandwidth through the so-called Band Allocation Gap (BAG), which is the maximum rate at which data can be sent, and the data is guaranteed to be sent at that interval. Therefore, with the BAG, the maximum jitter is bounded, as depicted in Figure 2. These three factors are the ones that provide determinism to the network.
AFDX networks are composed of two types of devices: End Systems (ES), which are the end points of the network, and switches for interconnecting the ES.

End System
The ESs are entities that act as the interface between the IMA equipment and the AFDX network, allowing communication between them and multiplexing the data flows through the configured VLs. ARINC 664 specifies network redundancy by implementing two identical networks to provide security in the communications. Therefore, the ESs send and receive the packets through two VLs simultaneously. Consequently, the ES must manage the redundancy at reception with a redundancy management policy, for which first-valid-wins is usually used.
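A first-valid-wins receiver can be sketched as follows. This is an added example, not code from the paper or its simulator; recognising duplicates with a per-VL 8-bit sequence counter, the `FirstValidWins` class and the arrival list are assumptions made for illustration.

```python
SEQ_MOD = 256  # assumption: each VL carries an 8-bit wrapping sequence counter


class FirstValidWins:
    """Receiver-side redundancy management for frames arriving on networks A and B."""

    def __init__(self):
        self.last_seq = {}    # vl -> sequence number of the last delivered frame
        self.delivered = []   # (vl, seq, network) handed to the application

    def receive(self, network, vl, seq, crc_ok):
        # "Valid" comes first: a corrupted copy never wins, even if it arrives first.
        if not crc_ok:
            return "drop:invalid"
        last = self.last_seq.get(vl)
        if last is not None:
            ahead = (seq - last) % SEQ_MOD
            # ahead == 0 is the redundant copy; more than half the counter
            # range "ahead" is treated as an old frame arriving late.
            if ahead == 0 or ahead > SEQ_MOD // 2:
                return "drop:duplicate"
        self.last_seq[vl] = seq
        self.delivered.append((vl, seq, network))
        return "deliver"


def run_redundancy_demo():
    """Constructed arrivals on VL 7: (network, vl, sequence number, crc_ok)."""
    rm = FirstValidWins()
    arrivals = [
        ("A", 7, 254, True),    # A arrives first and is delivered
        ("B", 7, 254, True),    # redundant copy from B
        ("A", 7, 255, False),   # corrupted on network A
        ("B", 7, 255, True),    # the valid copy from B wins
        ("B", 7, 0, True),      # counter wraps; B is first this time
        ("A", 7, 0, True),      # redundant copy from A
        ("A", 7, 1, True),      # copy on B was lost; A still delivers
    ]
    outcomes = [rm.receive(*a) for a in arrivals]
    return outcomes, rm.delivered
```
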

Switch
The switches are the entities responsible for delivering the packets to their destinations. In ARINC 664, the routing is done at the Data-Link layer, so the AFDX switches must be able to perform layer 2 switching, for which the VL identifier in the frame header shall be used. Besides, the switches are responsible for applying the different policies in order to ensure determinism in the network.

Ethernet for avionics
AFDX is a widespread protocol in aircraft. The redundancy that this protocol implements provides great reliability, but at the same time it entails an increase in the number of devices and cables on board the aircraft, thus increasing the weight and integration costs of the aircraft. For instance, the Airbus A380 contains 500 km of cables [10]. So, despite this protocol being commonly used in avionics, there are efforts to change the protocol implemented in order to reduce costs. In this way, Ethernet networks with static routing are still used in aircraft.
Ethernet is a widely used networking technology that forms the backbone of Local Area Networks (LANs). Developed in the 1970s, Ethernet has become a standard for wired networking, providing a reliable and efficient way for devices to communicate within a local area network. The basic principle of Ethernet is the use of a protocol that governs how data is transmitted over the network. It relies on a system of frames, which are packets of data that contain both source and destination addresses, allowing devices on the network to identify and process the information.
Ethernet typically uses a star or bus topology where devices are connected to a central hub or switch. Each device on the network has a unique identifier, known as a Media Access Control (MAC) address, which assists in the proper routing of data. The most common form of Ethernet uses twisted-pair cable with RJ45 connectors, and data is transmitted using a Carrier Sense Multiple Access with Collision Detection (CSMA/CD) protocol. With advancements such as Gigabit Ethernet and 10 Gigabit Ethernet, Ethernet continues to adapt to the increasing demands of modern networking, providing a robust and scalable solution for connecting devices within a local area network.
For example, [11] proposes to get rid of the switches for small avionics networks and build a distributed avionics communication network using Ethernet-based devices. Then, in [12] and [13], new topologies are explored for Ethernet-based avionics networks, with emphasis on ring topologies. They compare the Airbus A380 AFDX topology with variations of an Ethernet ring topology, resulting in better delays than the AFDX implementation.
This effort to leave AFDX behind can be seen in the market. For example, in [14], an analysis of an AFDX and a custom Ethernet-based network is made in order to determine which implementation is more suitable for what a specific enterprise is looking for. This work determines that the Ethernet implementation is more flexible and suitable for the enterprise interests. However, Ethernet is not as reliable as AFDX, so a thorough validation must be done to ensure that such networks fulfill the real-time requirements needed, thus justifying simulators such as the one presented in this work.

Time-Sensitive Networking
As stated in [15], it is expected that AFDX, whose Commercial off-the-shelf (COTS) products have a high cost, will transition to the emerging TSN, which can be implemented with low-cost COTS components, and it may be superior to AFDX in terms of determinism and performance.
TSN is a set of IEEE 802.1 standards [16] based on Ethernet to provide communications with real-time requirements. It includes several profiles, including Audio Video Bridging (802.1BA), Fronthaul (802.1CM/de), Industrial Automation (IEC/IEEE 60802) and Automotive In-Vehicle (P802.1DG). Recently, TSN has emerged as a promising protocol for avionics networks. The IEEE 802.1 Task Group is actively developing a TSN profile specifically tailored for avionics networks (IEEE 802.1DP), which need specifications slightly different from the other profiles.
To create the aerospace profile, the Task Group is replicating the AFDX protocol, adapting its structure with IEEE 802.1 substandards. In place of the AFDX VL, the IEEE 802.1Q Stream is introduced; the AFDX ES corresponds to the IEEE 802.1Q End Station, and the AFDX Switch is replaced by the IEEE 802.1Q Bridge.
On the one hand, various shapers are being considered, including the Asynchronous Traffic Shaper (ATS) and synchronous alternatives such as credit-based shapers, the Time Aware Shaper (TAS) or the Burst Limiting Shaper (BLS). Asynchronous shapers are designed for slower time cycles (periodicities greater than 50 ms), while synchronous shapers are designed for periodicities around 1 ms.
On the other hand, aerospace TSN networks require redundancy similar to AFDX, which shall be implemented through the 802.1CB Frame Replication and Elimination for Reliability (FRER) substandard. These TSN networks accommodate not only TSN traffic, but also Best Effort (BE) traffic, increasing network flexibility. In addition, AFDX filtering and policing concepts are incorporated into the TSN aerospace profile.
A notable difference between TSN and AFDX is the ease of configuration, with TSN networks benefiting from simplified configuration using the YANG data models developed by IEEE.

Proposed system
As emphasized in Section 1, the acquisition of essential metrics to evaluate the performance of avionics networks is a fundamental task during their development, validation, and verification processes. The primary concern is to verify that the specified delay thresholds, which are critical to the proper operation of aircraft, are consistently met. An avionics network simulator has been developed to achieve this objective. A previous version of this simulator is presented in [17], which only supports the AFDX protocol and has a less advanced switch model based only on First In First Out (FIFO) queues and without switch capacity monitoring. Also, the current version is easier to configure and makes it easier to create use cases.

General framework
On the one hand, the simulator takes a series of inputs in order to create the model for simulation. These inputs, which are summarized in Table 1, include the simulation time, Bit Error Rate (BER) and the topology of the network. The topology encompasses the protocol used (Ethernet or AFDX), the connections between the different elements in the network (through an adjacency matrix), the routing of each flow/VL (which can be set manually or randomly), the periodicity/BAG, the length of the frames and some parameters of the switches such as switching delay and the internal memory. Using these inputs, the network model generation process builds the network model that includes all specified ES and switches. In addition, the model links each VL to its corresponding ES and establishes all essential connections between ES and switches.
The simulator has been developed in Matlab/Simulink, which performs event-driven simulations modelling the packets as entities. It has been developed this way so that the simulation compiler takes a step only when it is needed, making the simulations faster. Besides, the simulator works by modelling the Data Link Layer packet transmission, managing the packet entities in the generated ES and switch models. Therefore, a key factor in the simulator is the models used for these elements of the network, which are described next.

End System model
The ES is modelled with two components: a receiver and a transmitter. In the context of emulating on-board equipment, the transmitter generates the frames by incorporating a packet generator source, a redundancy management module, and a route selection module. This logical process is illustrated in Figure 4. The Timer and Packet Generator modules substitute the IMA device in the network and generate the frames in its place. So, the operation starts with a timer that is set when the packets are generated. As the data passes through the system, the redundancy management module intervenes where necessary, duplicating messages to improve data integrity. These processed messages, together with any duplications, are then routed through the appropriate physical interfaces to reach their intended destinations. In addition, the ES sets the Cyclic Redundancy Check (CRC) based on the BER input, modelling transmission errors.

Switch model
The operation of the switch is structured around two core processes, namely scheduling and filtering policy, as shown in Figure 4. The upper part of the figure is dedicated to scheduling, which uses the Round Robin algorithm to manage message prioritisation and transmission order. Conversely, the lower part of the figure focuses on the filtering policy, which is implemented using a Token Bucket shaper that regulates the rate of message flow. Within this switch, messages are discarded in case of incorrect CRC or insufficient credit.
The internal memory configuration uses a shared queue system, a common approach found in commercial switches such as the one described in [18]. As shown in Figure 5, this system consists of individual FIFO queues allocated to each port, providing dedicated memory space. In addition, there is a shared memory that is used when a particular FIFO reaches its capacity limit, ensuring that it does not compromise the reserved memory of other ports. This design protects each port from the saturation effects of burst traffic from other ports.
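The filtering policy and shared queue memory described above can be exercised with the following Python sketch. It is an added example, not the paper's Simulink model; the class names, the one-frame bucket depth, the memory sizes, the drop labels and the traffic are assumptions constructed for illustration, and Round Robin scheduling is left out.

```python
from collections import deque
from dataclasses import dataclass

@dataclass
class Frame:
    vl: int               # Virtual Link identifier used for layer 2 forwarding
    size: int             # frame length in bytes
    crc_ok: bool = True   # False models a frame corrupted on the link

class TokenBucket:
    """Per-VL credit account refilled at smax bytes per BAG."""
    def __init__(self, smax, bag_us):
        self.rate = smax / bag_us     # bytes of credit per microsecond
        self.depth = smax             # assumption: burst of one maximum-size frame
        self.credit = float(smax)
        self.last_t = 0

    def conforms(self, t_us, size):
        self.credit = min(self.depth, self.credit + (t_us - self.last_t) * self.rate)
        self.last_t = t_us
        if size > self.credit:
            return False              # insufficient credit: frame is discarded
        self.credit -= size
        return True

class SharedQueueMemory:
    """A reserved FIFO per output port plus a pool used only on overflow."""
    def __init__(self, ports, reserved, shared):
        self.fifo = {p: deque() for p in ports}
        self.used = {p: 0 for p in ports}       # bytes queued per port
        self.reserved, self.shared_free = reserved, shared
    def _overflow(self, port):
        return max(0, self.used[port] - self.reserved)
    def enqueue(self, port, frame):
        after = max(0, self.used[port] + frame.size - self.reserved)
        need = after - self._overflow(port)     # bytes to take from the pool
        if need > self.shared_free:
            return False                        # other ports' FIFOs stay intact
        self.shared_free -= need
        self.used[port] += frame.size
        self.fifo[port].append(frame)
        return True

    def dequeue(self, port):
        frame = self.fifo[port].popleft()
        before = self._overflow(port)
        self.used[port] -= frame.size
        self.shared_free += before - self._overflow(port)
        return frame

class Switch:
    def __init__(self, vl_table, memory):
        self.vl_table = vl_table   # static: vl -> (output port, TokenBucket)
        self.memory = memory
    def receive(self, t_us, frame):
        if not frame.crc_ok:
            return "drop:crc"
        entry = self.vl_table.get(frame.vl)
        if entry is None:
            return "drop:unknown-vl"   # assumption: unconfigured VLs are filtered
        port, bucket = entry
        if not bucket.conforms(t_us, frame.size):
            return "drop:credit"
        if not self.memory.enqueue(port, frame):
            return "drop:memory"
        return "queued"

def run_switch_demo():
    """Constructed traffic: 500-byte frames, BAG = 4 ms, nothing dequeued."""
    mem = SharedQueueMemory(ports=[1, 2], reserved=1000, shared=500)
    routes = {1: 1, 2: 1, 3: 1, 4: 2}           # vl -> output port
    table = {vl: (p, TokenBucket(500, 4000)) for vl, p in routes.items()}
    sw = Switch(table, mem)
    arrivals = [                                # (time in us, frame)
        (0, Frame(1, 500)),                     # conforming
        (1000, Frame(1, 500)),                  # VL1 again after BAG/4
        (4000, Frame(1, 500)),                  # one BAG after the first
        (4100, Frame(1, 500, crc_ok=False)),    # corrupted
        (4200, Frame(2, 500)),                  # port 1 FIFO full, uses pool
        (4300, Frame(3, 500)),                  # pool exhausted
        (4400, Frame(4, 500)),                  # port 2 still has its FIFO
        (4500, Frame(9, 500)),                  # VL not in the table
    ]
    return [sw.receive(t, f) for t, f in arrivals], mem
```

The frame on VL 4 is still queued after port 1 has exhausted the shared pool, which is the isolation property the shared queue design is meant to provide.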

Differences between protocol implementations
Although AFDX is an Ethernet-based protocol, there are significant differences between them, as mentioned in Section 2. These differences affect the handling of redundancy and routing strategies in the simulator implementation. While AFDX typically follows a standard approach that requires exact duplication of hardware components to ensure redundancy, Ethernet implementations offer a more flexible alternative. In terms of routing, Ethernet allows the use of IP routing and replaces the BAG with an assumed periodicity of messages that does not have to be a power of 2. This flexibility in Ethernet-based networks gives designers greater freedom in designing redundancy strategies. Consequently, the decision to use the redundancy management module within an ES becomes a matter of choice when working with the Ethernet protocol in the simulator, as it may or may not be needed depending on the specific network design and redundancy requirements.

Evaluation
Regarding the evaluation of the simulator, two main areas have been analysed in this work. First, the accuracy of the simulation results has been verified to ensure that the simulator could be trusted. Second, the computational performance has been analysed in order to determine the usefulness of the simulator, while at the same time providing an example of the results that the simulator can produce.

Correctness of the results
In order to check the correctness of the simulator results, a comparison with the work in [19] has been made. That work presents the use of an analytical method derived from Network Calculus for obtaining the worst possible delays in an AFDX network, and then checks this method with a simple use case. The results of this use case have been replicated with the simulator presented in this work, in order to ensure that the simulator is capable of providing reliable results. The topology of the use case is depicted in Figure 6.
The topology is composed of 7 ES, 3 switches and 5 VLs. The configuration of the VLs in this use case is described in Table 2, where it can be observed that 2 VLs go through switch S1, another 2 VLs go through switch S2 and all 5 VLs go through switch S3. Also, the length of the packets sent is 500 Bytes and the BAG configured is 4 ms. Figure 7 shows the Simulink model that the simulator has automatically generated for this use case. The results of this use case are summarized in Table 3. Each row of the table represents the worst delay of each VL, and each ES transmission start time for achieving it, where ∆t is an insignificant delta of time used for establishing the packet order in the queues. As can be observed in the three rightmost columns, the simulation results match the results given in [19].

Table 2. Testing use case configuration [19]. Columns: Transmitter, VL, Receiver, Path, Packet Length, BAG.

Besides, the simulator makes it possible to study in depth the causes of the different delays by looking at the FoM of switch capacity. This can be extracted as the usage of the memory of the switch throughout the simulation. For example, the memory usage of the three switches during the collision of packets is represented in Figure 8. In particular, this simulation corresponds to the worst case for VL1 presented in Table 3. In both Switch 1 and Switch 2 (Figures 8a and 8b, respectively), it can be observed that two packets arrive at the same time and leave one after the other. Meanwhile, in Switch 3 (Figure 8c), more packets arrive at the same time: at time t = 112 µs, the packets of VL2 and VL3 arrive at the switch and go to different queues; at time t = 152 µs, both packets leave the switch and three packets from VL4, VL5 and VL1 arrive at the same queue (being processed in that order); at time t = 192 µs, the first packet in the queue leaves; at time t = 232 µs, the second packet leaves; and, at time t = 272 µs, the packet corresponding to VL1 leaves and reaches its destination, as shown in Table 3.

Computational performance analysis
In order to analyse the computational performance, the execution time of the simulations has been studied. For this, the network topology of a real airplane, such as the Airbus A350, has been simulated with different packet periodicity configurations. The Airbus A350 architecture, which has been adapted from [20], is depicted in Figure 9. This architecture is composed of 37 ES, of which 6 are Calculator Units (CU), and 7 switches. Then, this topology has been simulated for 1 second with 60 VL configured with a packet periodicity of 0.5 ms, 1 ms, 2 ms, 3 ms, 4 ms, 5 ms, 6 ms, 7 ms and 8 ms, meaning a total of 120000, 60000, 30000, 20000, 15000, 12000, 10000, 8570 and 7500 messages sent, respectively. Each configuration has been simulated 100 times in order to obtain statistically significant results. The mean execution time of these configurations (running on a Mac with an Apple M1 chip and 16 GB of RAM) results in 13.5, 6.4, 3.5, 2.6, 2.2, 1.8, 1.6, 1.5 and 1.4 minutes, respectively, as shown in Figure 10. These results show that the duration of the simulations has a clear linear dependence on the messages sent, resulting in the linear expression of Equation 1 with a correlation value of R² = 0.97869.
In this way, it can be expected that the time required for each simulation will not grow much faster than the number of VL.These execution times would allow real networks to be evaluated in a timely manner.
Furthermore, the simulation-derived packet traces can serve as valuable data for generating time series metrics.This feedback is crucial in the design process and provides insight into the performance of the network during regular operation.It allows the evaluation of the efficiency of the network and the establishment of metrics beyond the worst-case delays that are typically used for certification purposes.
Table 4 shows the statistics of the simulation for the periodicity of 0.5 µs. In the configuration of the simulations, a small difference of 200 Bytes between the minimum and maximum packet length has been set so that there is a variance in the traces of the VLs. The 60 VLs can be divided in two groups: the ones that go from a CU to an ES (VLs 2, 4, 5, 29, 40 and 52) and the ones that go from an ES to a CU (the rest of the VLs). As can be observed, the first group of VLs has a similar low latency (around 65 µs) because there are only five and the probability of conflicts in the queues is low. Meanwhile, the rest of the VLs have delays from 65 µs to 170 µs due to the high probability of matching queues. Also, some VLs depart from the same ES, making their packets wait until the previous one is sent.

Conclusions and outlook
In this work, a short analysis of the main protocols and standards used to communicate the different elements in an avionics network, such as Ethernet and Ethernet-based AFDX and TSN, has been presented. Also, it has been observed that there is an effort to substitute AFDX with lower-cost Ethernet-based devices in the market. Moreover, it has been determined that the SIL step of the MBSE design process is of great importance in the aerospace sector and, accordingly, a Matlab/Simulink-based link-level simulator for Ethernet and AFDX has been developed as a relevant tool for the early stages of the design process. This simulator can be easily integrated into validation frameworks and platforms. Besides, it has been successfully tested by replicating the results of a known use case, showing as well the possibilities of analysis that the simulator's FoMs provide. Then, the computational performance analysis with a real use case of the Airbus A350 network topology has shown that the time needed for each simulation has a linear dependence on the number of messages sent, allowing real networks to be evaluated in a timely manner. Also, the fact that the simulator has been designed as an event-driven simulator makes it more efficient than other simulators with fixed-step solvers, and the versatility of the results facilitates informed decision making and refinement of avionics networks.
Further work would include the study of the TSN standards for their implementation in the simulator, as TSN is anticipated to become the standard for future generations of aircraft. Also, validation frameworks and platforms would be developed in order to automate the avionics design process.

Figure 3. ES model in the simulator.

Figure 9. Airbus A350 architecture used for the performance analysis adapted from [20].

Figure 10. Computational performance of the simulator: Execution time in minutes vs. Number of messages sent.

n°: 865416'); Ministry of Economic Affairs and Digital Transformation and the European Union - NextGenerationEU, in the framework of the Recovery, Transformation and Resilience Plan and the Recovery and Resilience Mechanism under the MAORI project; the Ministry of Science and Innovation (grant FPU21/04472); and the University of Malaga through the "II Plan Propio de Investigación, Transferencia y Divulgación Científica". The authors are grateful to Aertec Solutions for their support and collaboration in this project.

Conflicts of Interest: The authors declare no conflict of interest.

Acronyms
AFDX: Avionics Full-Duplex Switch Ethernet.
ATS: Asynchronous Traffic Shaper.
BAG: Band Allocation Gap.
BE: Best Effort.
BER: Bit Error Rate.
BLS: Burst Limiting Shaper.
COTS: Commercial off-the-shelf.
CRC: Cyclic Redundancy Check.
CSMA/CD: Carrier Sense Multiple Access with Collision Detection.
CU: Calculator Unit.
DIMA: Distributed IMA.
ES: End Systems.
FIFO: First In First Out.
FoM: Figures of Merit.

Table 1. Input configuration parameters.
• Delay: includes the maximum, minimum, mean and standard deviation values of each flow/VL in milliseconds. The delay is set as the time from departure to arrival.
• Jitter: includes the maximum, minimum, mean, standard deviation values of each flow/VL in milliseconds.
• Throughput: includes the maximum, minimum, mean, standard deviation values of each flow/VL in bits per second (bps).
• Packet Loss: of each flow/VL in percentage.
• Switch Capacity: general capacity of each switch through the simulation in percentage.

Table 3. Testing use case delay results comparison.

Table 4. Delay statistics (in µs) of the A350 simulation with 0.5 ms of periodicity.