etso 2c153 date: draft v2.0 - 31/07/2013 - gama

Page 1: ETSO 2C153 Date: draft v2.0 - 31/07/2013 - GAMA

ETSO 2C153

Date: draft v2.0 - 31/07/2013

European Technical Standard Order (ETSO)

DRAFT

SUBJECT: INTEGRATED MODULAR AVIONICS (IMA) PLATFORM AND MODULES

1 – Applicability

1.1. - General

This ETSO gives the requirements which IMA modules that are designed to compose an Integrated Modular Avionics (IMA) platform and that are manufactured on or after the date of this ETSO must meet in order to be identified with the applicable ETSO marking.

See Appendix 1 for an introduction to Integrated Modular Avionics and applicable definitions.

1.2 - Specific

This ETSO refers to IMA modules which are appliances composed of Hardware and Core Software or any embedded software module contributing to the intended function of resources sharing.

Nevertheless, if intended function of resource sharing is implemented:

o “Hardware only” module is acceptable if no further software module is needed to perform resources sharing.

o Single LRU platform (as per ED-124/DO-297), where the platform is limited to one Line Replaceable Unit (LRU), is acceptable.

In the following content of this document, only the term “IMA module” will be used.

The following are out of scope of this ETSO:

o IMA platform composed of multiple LRUs or LRMs (distributed platform – ED-124/DO-297 example D2) that have to be addressed at system level.

o Stand-alone (without the hardware target) core software.

o Configuration data, which are part of IMA system integration and installation.

o IMA applications.

o Equipment used to generate radio frequency signals for intentional transmitters.

This ETSO refers to seven classes of Minimum Performance Specifications (MPS) referring to seven different resource sharing functions:

o CLASS A: Rack Housing (RH).

o CLASS B: Processing (PR).

o CLASS C: Graphical Processing (GP).

o CLASS D: Data Storage (DS).

o CLASS E: Interface (IF).

o CLASS F: Power Supply (PS).

o CLASS G: Display Head (DH).

An IMA module (a part) can be compliant to a combination of MPS classes. In this case the IMA module will be marked with all the covered classes.

Example: Single LRU platform can be authorized “ETSO 2C153 CLASS B+D+E” if the resource sharing intended function is implemented on Processing, Data and Interface.

For ETSO-2C153 CLASS G compliance, IMA module must be compliant to relevant requirements of ETSO C113a. Conformity demonstrations to both ETSOs could be complementarily managed. In this case, IMA module will be double marked 2C153 CLASS G + C113.

See Appendix 1 for a definition of the seven basic classes of IMA modules.

2 - Procedures

2.1. - General

Applicable procedures are detailed in CS-ETSO Subpart A.

2.2 - Specific

Data to be submitted to EASA are defined in Part 21 Subpart O and CS-ETSO Subpart A.

Additional data which must be supplied by IMA module manufacturer are specified in Appendix 3.

If some tools are qualified, qualification data are considered as data to be submitted to EASA in the frame of ETSO-2C153 authorization.

3 - Technical Conditions

3.1 – Basic

3.1.1 - Minimum Performance Standard

See Appendix 2

3.1.2 - Environmental Standard

See CS-ETSO Subpart A paragraph 2.1 and Appendix 4

3.1.3 - Computer Software

See CS-ETSO Subpart A paragraph 2.2

3.1.4 – Electronic Hardware Qualification

See CS-ETSO Subpart A paragraph 2.3

3.2 - Specific

3.2.1 Failure Condition Classification

No Failure Condition can be defined at ETSO-2C153 IMA module level. Failure condition classification will depend on the implemented aircraft functions into the IMA system. This classification is beyond the scope of ETSO-2C153.

If assumptions are proposed, guidance of CS-ETSO subpart A §2.4 should be followed by ETSO-2C153 applicant.

Qualitative and safety mechanisms requirements are specified in 2C153 MPS (in § safety requirements MPS for each type of module – Appendix 2).

Design Assurance Level is not specified but shall be defined in the Installation Manual and DDP while guaranteed by ETSO applicant.

Any assumptions about the installation, interfacing software and hardware, or operation required to maintain the hardware design assurance and software levels must also be stated and included in the Installation Manual.

3.2.2 Specific Development and installation requirements

3.2.2.1 Development process

Standard ED-124 (Integrated Modular Avionics (IMA) development guidance and certification considerations) contains guidance for Integrated Modular Avionics (IMA) developers, application developers, integrators, certification applicants, and those involved in the approval and continued airworthiness of IMA systems in civil certification projects.

In order to prepare the integration of the ETSO-2C153 IMA module, their development should meet objectives of ED-124 guidance related to task 1 (table A-1 objectives).

Table A-1 objective 8 and 9 are only relevant in case of Single LRU platform (as per §1.2 definition).

3.2.2.2 Installation consideration

ETSO-2C153 IMA module is by definition an incomplete system.

Definition of activities to be performed to properly use the ETSO-2C153 IMA module should be defined for the installer. Associated test procedures to check that the authorized IMA module is properly used should also be documented in the Installation Manual in order to allow the integrator to perform task 3 & 4 of the ED-124.

4. Marking

4.1 - General

Marking is detailed in CS-ETSO Subpart A paragraph 1.2

4.2 – Specific

The part must be permanently and legibly marked with the MPS class as defined in paragraph 1.2 of this ETSO.

Each Rack (CLASS A) authorized under this ETSO must be marked with a note “ETSO authorization for rack only”. This note should be on the ETSO nameplate or in close proximity to the nameplate.

If ETSO-2C153 IMA module contains Loadable Software Parts that are manufactured under this ETSO, the part may support a means by which the required information can be determined using an external means (for example, an electronic display).

Notice: ETSO 2C153 marking does not cover IMA-hosted applications and IMA configuration, which are Software Parts not covered by this ETSO.

5 - Availability of Referenced Document

See CS-ETSO Subpart A paragraph 3

APPENDIX 1

INTEGRATED MODULAR AVIONIC OVERVIEW, DEFINITION AND EXAMPLES

This appendix provides:

o Chapter 1 : An overview of Integrated Modular Avionics

o Chapter 2 : Applicable definitions

o Chapter 3 : Minimum Performance Specification (MPS) classes definition

o Chapter 4 : Examples of IMA platform using IMA modules

Chapter 1: Integrated Modular Avionics Overview

In the field of this ETSO, Integrated Modular Avionics is defined according to EUROCAE standard ED-124 (equivalent to the RTCA standard DO-297):

Integrated Modular Avionics: is a shared set of flexible, reusable, and interoperable hardware and software resources that, when integrated, form a platform that provides services, designed and verified to a defined set of safety and performance requirements, to host applications performing aircraft functions.

IMA architecture integrates many aircraft functions on the same platform, provided by several hosted applications that historically have been contained in functionally and physically separated ‘boxes’ or LRUs.

IMA platforms are composed of modules which are designed to be reusable in order to reduce development cost and occasionally facilitate certification programs. Some modules provide only mechanical, possibly cooling and electrical power supply functions. Others include core software and associated computing capabilities.

The IMA modules are usually both generic and configurable, and the same platform could therefore be used on different aircraft models.

Chapter 2: Applicable definitions

Legend

o [ED-124]: Definitions from EUROCAE standard ED-124 (equivalent to the RTCA standard DO-297)

Aircraft Function [ED-124]: the capability of the aircraft that may be provided by the hardware and the software of the systems on the aircraft;

Application [ED-124]: software and/or application-specific hardware with a defined set of interfaces that, when integrated with the platform, performs a function;

Component [ED-124]: a self-contained hardware, software part, database or combination thereof that is configuration controlled. A component does not provide an aircraft function by itself;

Configuration data [ED-124]: see § 3.7.1

Core Software [ED-124]: The operating system and support software that manage resources to provide an environment in which applications can execute. Core software is a necessary component of a platform and is typically comprised of one or more modules.

Operating System [ED-124]:

1) The same as executive software.

2) The software kernel that services only the underlying hardware platform.

3) Software that directs the operations of a computer, resource allocation and data management, controlling and scheduling the execution of computer hosted applications, managing memory, storage, input/output, and communication resources.

Support software: Embedded software necessary as a complement to the Operating System to provide general services such as contributing to the intended function of resources sharing, handling hardware, drivers, software loading, health monitoring, boot strap, etc.

IMA System [ED-124]: consists of (an) IMA platform(s) and a defined set of hosted applications;

Module [ED-124]: A component or collection of components that may be accepted by themselves or in the context of IMA. A module may also comprise other modules. A module may be software, hardware, or a combination of hardware and software, which provides resources to the IMA-hosted applications. Modules may be distributed across the aircraft or may be co-located;

Platform [ED-124]: Module or group of modules, including core software, which manages resources in a manner sufficient to support at least one application. IMA hardware resources and core software are designed and managed in a way that provides computational, communication and interface capabilities for hosting at least one application. Platforms by themselves do not provide any aircraft functionality. The IMA platform may be accepted independently of hosted applications.

Cabinet [ED-124]: A physical package containing one or more IMA components or modules, which provides partial protection from environmental effects (shielding) and may enable installation and removal of those component(s) or module(s) from the aircraft without physically altering other aircraft systems or equipment.

Rack: A standardized frame or enclosure for mounting multiple modules.

Unit: set of physical components (hardware and or software) in charge of supporting an intended function.

Chapter 3: Minimum Performance Specification (MPS) classes definition

For this ETSO, IMA module shall be compliant to at least one of the following classes of Minimum Performance Specification (MPS):

CLASS A : Rack Housing (RH)

For ETSO-2C153 Class A:

1.3.A.1 : IMA module is a physical package able to contain at least two IMA hardware modules, that may provide protection from environmental effects (shielding) and enable installation and removal of those module(s) from the aircraft without physically altering other aircraft systems or equipment.

1.3.A.2 : IMA module may be simple mechanical enclosures, or they may incorporate communication interfaces, backplanes for data and power supplies, active cooling or any combination of these features.

1.3.A.3 : IMA module does not offer the capacity to host applications by itself.

1.3.A.4 : IMA module may be configurable.

CLASS B : Processing (PR)

For ETSO-2C153 Class B:

1.3.B.1 : IMA module contains CPU component, memory component, interface devices and potentially associated Core Software which constitute one or several Processing, Memory or Interface Unit(s).

1.3.B.2 : The intended function of such IMA module is to share Processing, Data and Information between at least two IMA applications, modules and/or components.

1.3.B.3 : IMA module offers the capability to host IMA applications.

1.3.B.4 : IMA module may be an association of hardware and Core Software.

o Hardware may (or may not) contain resident (not field loadable) software to enable electronic part marking and/or future loading of Field Loadable Software parts.

o Core Software may be resident or a Field Loadable Software Part.

1.3.B.5 : IMA module may be configurable.

CLASS C : Graphical Processing (GP)

For ETSO-2C153 Class C:

1.3.C.1 : IMA module contains graphical engine component or/and video engine component, memories, interfaces and potentially associated Core Software which constitute one or several Graphical Unit(s).

1.3.C.2 : The intended function of such IMA module is to share graphics and/or video signal processing between at least two IMA applications, modules and/or components.

1.3.C.3 : IMA module does not offer the capacity to host IMA applications by itself.

1.3.C.4 : IMA module may be an association of hardware and Core Software.

o Hardware may (or may not) contain resident (not field loadable) software to enable electronic part marking and/or future loading of Field Loadable Software parts.

o Core Software may be resident or a Field Loadable Software Part.

1.3.C.5 : IMA module may be configurable.

CLASS D : Data Storage (DS)

For ETSO-2C153 Class D:

1.3.D.1 : IMA module contains memory, interface component and potentially associated Core Software which constitute one or several Data Storage Unit(s).

1.3.D.2 : The intended function of such IMA module is to share stored data (e.g. databases, files…) between several IMA applications, modules and/or components.

1.3.D.3 : IMA module does not offer the capacity to host applications by itself.

1.3.D.4 : IMA module may be an association of hardware and a Core Software.

o Hardware may (or may not) contain resident (not field loadable) software to enable electronic part marking and/or future loading of Field Loadable Software parts.

o Core Software may be resident or a Field Loadable Software Part.

1.3.D.5 : IMA module may be configurable.

CLASS E : Interface (IF)

For ETSO-2C153 Class E:

1.3.E.1 : IMA module contains input/output component(s) and potentially associated Core Software which constitute one or several Interface Unit(s). These interfaces can be discrete, analog, serial interface, digital bus…

1.3.E.2 : The intended function of such IMA module is to share information between several IMA applications, modules and/or components.

1.3.E.3 : IMA module does not offer the capacity to host applications by itself.

1.3.E.4 : IMA module may be an association of hardware and a Core Software.

o Hardware may (or may not) contain resident (not field loadable) software to enable electronic part marking and/or future loading of Field Loadable Software parts.

o Core Software may be resident or a Field Loadable Software Part.

1.3.E.5 : IMA module may be configurable.

CLASS F : Power Supply (PS)

For ETSO-2C153 Class F:

1.3.F.1 : IMA module contains set of components (hardware and or software) which constitute one or several Power Supply Unit(s) in charge of managing power supply.

1.3.F.2 : The intended function of such IMA module installed into a rack is to provide Power Supply from airborne electrical network to one or more IMA hardware modules embedded into the same Rack.

1.3.F.3 : IMA module does not offer the capacity to host applications by itself.

1.3.F.4 : IMA module may be configurable.

1.3.F.5 : IMA module may be an association of hardware and a Core Software.

o Hardware may (or may not) contain resident (not field loadable) software to enable electronic part marking and/or future loading of Field Loadable Software parts.

o Core Software may be resident or a Field Loadable Software Part.

TYPE G : Display Head (DH)

For ETSO-2C153 Class G:

1.3.G.1 : IMA module contains set of components (hardware and or software) in charge of managing displayed area which constitute one or several Display Unit(s).

1.3.G.2 : The intended function of such IMA module is to offer the capability to depict graphical information received from IMA Application(s), component(s) and/or module(s) on one Display Area.

1.3.G.3 : IMA module does not offer the capacity to host applications by itself.

1.3.G.4 : IMA module may be an association of hardware and a Core Software.

o Hardware may (or may not) contain resident (not field loadable) software to enable electronic part marking and/or future loading of Field Loadable Software parts.

o Core Software may be resident or a Field Loadable Software Part.

1.3.G.5 : IMA module may be configurable.

Chapter 4: Example of IMA platform using IMA modules.

ED-124 / DO-297 contains some examples relating to IMA module and platform definition.

These examples can be completed with example relating to Chapter 3 definitions.

Example 1: Single LRU platform (as per ED-124 / DO-297)

This example illustrates the sharing of computational and I/O resources within a single Line Replaceable Unit (LRU). Key IMA characteristics include:

• Hosting of multiple applications.

• Platform configuration data and data loading.

• Defined API between the platform and hosted applications.

Figure 1 Single LRU platform (as per ED-124 / DO-297)

At one level, this example illustrates a single platform providing core computational resources. At another level, this example illustrates a module to be used within a larger IMA platform.

If sharing of processing, memory, and I/O resources are implemented with Robust Partitioning within the LRU, such single LRU platform will be eligible to CLASS B, D and E.

Example 2: Single LRU A664 switch equipment.

This example illustrates the sharing of A664 I/O resources within a single Line Replaceable Unit (LRU). Key IMA characteristics include:

• No capability to host application.

• Module configuration data and data loading.

Figure 2 Single LRU A664 switch principle

If sharing of A664 I/O resources are implemented with Robust Partitioning within the LRU, such single LRU platform will be eligible to CLASS E.

Example 3: IMA modules co-located into a Rack Module (Line Replaceable Module).

Figure 3 IMA modules installed into a Rack Module

This example illustrates the sharing of resources within several single Line Replaceable Modules (LRM) collocated inside a Rack:

• Rack: is an IMA module and will be eligible to CLASS A

• LRM 1: provides shared Processing and Input / Output with Robust Partitioning and will be eligible to CLASS B+E

• LRM 2: provides shared Graphical Processing with Robust Partitioning and will be eligible to CLASS C

• LRM 3: provides shared Power Supply with Robust Partitioning to LRM embedded into the same Rack and will be eligible to CLASS F

• LRM 4: does not provide shared resource. This module will be considered as a non-ETSO-2C153 module.

All these modules are considered as Parts.

APPENDIX 2

INTEGRATED MODULAR AVIONIC MODULE

MINIMUM PERFORMANCE SPECIFICATION (MPS)

This appendix provides Specific Minimum Performance Specification per CLASS.

o CLASS A : Rack Housing (RH)

o CLASS B : Processing (PR)

o CLASS C : Graphical Processing (GP)

o CLASS D : Data Storage (DS)

o CLASS E : Interface (IF)

o CLASS F : Power Supply (PS)

o CLASS G : Display Head (DH)

This document contains “must”, "shall", "should", “may” and “will” statements with the following meanings:

• The use of word “must” indicates a legislative criterion; i.e. compliance with the criterion is mandatory regarding legislative requirements.

• The use of the word "shall" indicates a mandated criterion; i.e. compliance with the criterion is mandatory and no alternative may be applied;

• The use of the word "should" indicates that though the criterion is regarded as the preferred option, alternative criteria may be applied. In such cases, alternatives should be identified in appropriate approval plans and agreement sought from the approval authority; and

• The use of the word "may" describes expected module behavior when the module complies with the reference requirements, and/or this section's requirements

• The use of the word "will" describes an example.

For verification procedures, following definitions and symbols are used in this appendix:

Analysis

Analysis is the method of verification which consists of comparing hardware design with known scientific and technical principles, technical data, or procedures and practices to validate that the proposed design will meet the specified functional or performance requirements.

Demonstration

Demonstration is the method of verification where qualitative versus quantitative validation of a requirement is made during a dynamic test of the system/equipment. In general, software functional requirements are validated by demonstration since the functionality must be observed through some secondary media.

Inspection

Inspection is the method of verification to determine compliance with specification requirements and consists primarily of visual observations or mechanical measurements of the system/equipment, physical location, or technical examination of engineering support documentation.

Test

Test is the method of verification that will measure system/equipment performance under specific configuration and load conditions and after the controlled application of known stimuli. Quantitative values are measured, compared against previous predicated success criteria and then evaluated to determine the degree of compliance.

X/Y

Either test method X or test method Y may be used to verify the requirement (i.e., D/A can be verified by Demonstration or Analysis).

X+Y

Both test methods must be used to verify the requirement (i.e., D+A means the requirement must be verified by Demonstration and Analysis).

APPENDIX 2

INTEGRATED MODULAR AVIONIC PLATFORM AND MODULE

MINIMUM PERFORMANCE SPECIFICATION (MPS)

CLASS A : Rack Housing (RH)

1 Purpose and scope

1.1 Introduction

This document contains CLASS A Minimum Performance Standards (MPS).

These standards specify module characteristics that should be useful to designers, manufacturers, installers and users of the IMA module.

1.2 Overview

For ETSO-2C153 CLASS A, IMA module is a physical package able to contain one or more IMA hardware modules, which provides partial protection from environmental effects (shielding) and may enable installation and removal of those module(s) from the aircraft without physically altering other aircraft systems or equipment.

IMA module may be simple mechanical enclosures, or they may incorporate passive communication interfaces, passive interconnection for data and power, or power supplies, active cooling unit or any combination of these features.

Following definitions are used:

o Mounted: is said for another hardware IMA module installed and fixed inside the IMA Rack Module after a human operation in aircraft.

o Slot: the physical envelope dedicated to one mounted IMA module or component inside the Rack Module.

These definitions are independent of the design choices made by the IMA module manufacturer.

Note:

o IMA module compliant to ETSO-2C153 CLASS A MPS is only relevant in case of IMA Platform architecture using a Cabinet.

o Mounted hardware IMA modules can be compliant or not with other ETSO-2C153 MPS CLASS (from B to G) but it is not mandatory.

Figure 1 Illustration of IMA platform architecture based on Cabinet

1.3 Intended function

Based on the definition of the CLASS A MPS, this section provides Minimum Performance Standards (MPS) for the intended function which is to provide the capability to share some housing services supplied by one mechanical unit.

This intended function can be divided into 4 sub-functions:

o F1 : Housing (mandatory)

o F2 : Shielding (optional)

o F3 : Interconnection (optional)

o F4 : Cooling (optional)

The following figure provides an overview of the previously mentioned Rack Module intended functions and interfaces.

Figure 2: IMA module overview for ETSO-2C153 CLASS A

2 Module requirements

2.1 F1 – Housing

2.1.1 Description

For ETSO-2C153 CLASS A, IMA module provides shared resources for housing needs of hardware IMA modules. This sub-function merges:

o The capacity to host at least two hardware IMA modules inside at least two slots.

o The capacity to mount and un-mount a hardware IMA module in its slot directly in the aircraft thanks to a human (potentially tooled) intervention.

Figure 3: CLASS A Housing function overview

2.1.2 Functional requirements

For ETSO-2C153 CLASS A:

a) The IMA Module shall provide to at least two mounted hardware IMA modules and/or components the capacity to use shared housing volume thanks to a mechanical interface.

b) The IMA Module shall provide at least two mechanical slots allowing hosting at least two mounted hardware IMA modules.

c) The mechanical isolation (i.e. a physical envelope defined inside the housing volume) between mounted hardware modules or components shall be ensured by the IMA Module.

d) The IMA module shall provide with a list of slots (e.g. slot 1, slot 3…). The list of types of slots and the associated attributes shall be provided in the installation manual.

e) For each type of slot, a means to avoid mounting of unexpected hardware IMA shall be implemented (e.g. Mechanical key…).

f) Mounted hardware IMA module Installation and Extraction Means or Methods shall be specified inside the installation manual. These means or methods may be identical for all the slots of the Rack Module.

g) The attributes of each type of slot may be configurable.

h) If compliance to MPS is reached thanks to any additional mechanical component, this element shall be inseparable from the IMA module (Rack) and part of its identification and marking.

Figure 4: CLASS A Housing elements relationship

2.1.3 Performance requirements

None

2.1.4 Safety requirements

Not relevant for mechanical elements.

2.1.5 Required data (linked to §2.2)

i) The applicant shall provide the list of type of slots, the associated attributes, their configurability (if any) and their sizing dimensions (drawings).

This will include:

o The list of authorized or predefined hardware IMA modules

o Slot mounting scheme (mechanical profile / Drawings)

o Power dissipation and airflow profile.

j) As required in Appendix 3, the applicant shall provide in installation manual all constraints (including limitations, Usage Domain and activities) to be respected by the users.

k) The Applicant shall provide any data needed to evaluate weight and gravity center of a populated rack.

2.1.6 Verification procedures

Following table gives verification method for each MPS:

| MPS Ref | MPS text | Verification method (A/I/D/T) | Verification Acceptance Criteria |
|---|---|---|---|
| 2.1.2 a) | The IMA Module shall provide to at least two mounted hardware IMA modules and/or components the capacity to use shared housing volume thanks to a mechanical interface. | I+A+T | 2.1.6.1 |
| 2.1.2 b) | The IMA Module shall provide at least two mechanical slots allowing hosting at least two mounted hardware IMA modules. | I+A+T | 2.1.6.1 |
| 2.1.2 c) | The mechanical isolation (i.e. a physical envelope defined inside the housing volume) between mounted hardware modules or components shall be ensured by the IMA Module. | I+A | 2.1.6.2 |
| 2.1.2 d) | The IMA module shall provide with a list of slots (e.g. slot 1, slot 3…). The list of types of slots and the associated attributes shall be provided in the installation manual. | I | 2.1.6.3 |
| 2.1.2 e) | For each type of slot, a means to avoid mounting of unexpected hardware IMA shall be implemented (e.g. Mechanical key…). | I | 2.1.6.4 |
| 2.1.2 f) | Mounted hardware IMA module Installation and Extraction Means or Methods shall be specified inside the installation manual. These means or methods may be identical for all the slots of the Rack Module. | I | 2.1.6.5 |
| 2.1.2 g) | The attributes of each type of slot may be configurable. | I | 2.1.6.6 |
| 2.1.2 h) | If compliance to MPS is reached thanks to any additional mechanical component, this element shall be inseparable from the IMA module (Rack) and part of its identification and marking. | I | 2.1.6.7 |
| 2.1.5 i) | The applicant shall provide the list of type of slots, the associated attributes, their configurability (if any) and their sizing dimensions (drawings). | I | 2.1.6.8 |
| 2.1.5 j) | As required in Appendix 3, the applicant shall provide in installation manual all constraints (including limitations, Usage Domain and activities) to be respected by the users. | I | 2.1.6.9 |
| 2.1.5 k) | The Applicant shall provide any data needed to evaluate weight and gravity center of a populated rack. | I | 2.1.6.10 |

Table 1 : Verification Acceptance Criteria

2.1.6.1 Verification of 2.1.2 a) and 2.1.2 b)

1 – Inspect the Installation Manual to determine the range number [Min - Max] of hardware IMA modules which it is possible to mount into the IMA module (Rack).

2 – Verify that the Min number is at least equal to two.

3 – Initialize the IMA module in consistency with Usage Domain contained into the Installation Manual.

4 – Verify that in valid equivalence classes and boundary values of [Min – Max] the hardware IMA modules can be correctly mounted into the IMA module (Rack).

5 – Verify that mechanical interfaces are well implemented according to its (their) specification(s) given into the Installation Manual.

2.1.6.2 Verification of 2.1.2 c)

1 – Inspect the drawings of the IMA module (Rack) and verify that there is no conflict (contact, overlap…) between slot mounting schemes.

2.1.6.3 Verification of 2.1.2 d)

1 – Inspect the Installation Manual to verify that the list of slots is well defined.

2 – Inspect the Installation Manual to verify that the attributes of each type of slot are well defined. Attributes are:

• Usage domain rules associated to each slot type.

• Mechanical interface associated to each slot type.

2.1.6.4 Verification of 2.1.2 e)

1 – Inspect the Installation Manual to verify that the criteria to authorize hardware IMA module mounting are available.

2 – Verify that a means is implemented to avoid mounting an unauthorized hardware IMA module, consistently with the defined criteria.

2.1.6.5 Verification of 2.1.2 f)

1 – Inspect the Installation Manual to verify that means and methods needed to mount hardware IMA module inside the IMA module (Rack) are defined.

2 – Initialize the IMA module (Rack) in consistency with Usage Domain contained into the Installation Manual.

3 – Verify that hardware IMA module can be correctly installed and extracted thanks to supplied means.

2.1.6.6 Verification of 2.1.2 g)

If 2.1.2 g) is implemented:

1 – Inspect the Installation Manual to verify that the configurable attributes of types of slot are well defined.

2 – Inspect the Installation Manual to verify that the authorized values of each configurable attribute are well defined as Usage Domain rules.

2.1.6.7 Verification of 2.1.2 h)

If compliance to MPS is reached thanks to any additional mechanical component:

1 – Inspect the Installation Manual to verify that this component is well identified.

2 – Verify that this component is part of IMA module (Rack) identification and is inseparable.


2.1.6.8 Verification of 2.1.5 i)

1 – Inspect the Installation Manual to verify that the list of types of slot, their associated attributes, their configurability and their performances (e.g. dimensions, drawings…) are well documented, including boundaries, Usage Domain Rules, mechanical interface rules.

2.1.6.9 Verification of 2.1.5 j)

1 – Inspect the Installation Manual to verify that the constraints to be respected are specified for all types of slots, including their associated Usage Domain Rules and mechanical interface rules.

2.1.6.10 Verification of 2.1.5 k)

1 – Inspect the Installation Manual to verify that means needed to evaluate weight and gravity center of populated rack are available.

2 – Initialize the IMA module in consistency with Usage Domain contained into the Installation Manual.

3 – Verify that the weight and gravity center of populated rack can be correctly evaluated thanks to supplied means.

2.2 F2 – Shielding

2.2.1 Description

F2 is an optional sub-function of ETSO-2C153 CLASS A.

In this case, IMA module provides shared resources for shielding needs of mounted hardware IMA modules. This sub-function merges:

o A level of protection of the mounted hardware IMA modules from aircraft environment.

o A level of environmental isolation (shielding) between mounted hardware modules inside the rack.


Figure 5: CLASS A Shielding function overview (diagram labels: Rack IMA Module, Mechanical unit, Mounted Module, Environmental isolation, Aircraft environment)

2.2.2 Functional requirements

For ETSO-2C153 CLASS A, additionally to MPS specified into § 2.1,

a) A level of environmental protection (shielding) for each mounted hardware modules shall be ensured by the IMA Module. This protection shall take into account effects of aircraft environment (outside the rack) and interactions between the modules themselves.

b) The IMA module shall provide the list of slots (e.g. slot 1, slot 3…) for which the protection (a) is guaranteed. The list of types of slots and the associated characteristics in terms of protection shall be provided in the installation manual.

c) The attributes of each type of slot may be configurable.

d) If the (a) shielding objective is reached thanks to any additional mechanical element, this element shall be inseparable of the IMA Module and part of its identification and marking.


Figure 6: CLASS A shielding elements relationship (diagram labels: Mechanical unit, Shielding, Slot, HW IMA module, Mechanical interface)

2.2.3 Performance requirements

e) The level of environmental protection (shielding) of each slot provided in §2.2.2 shall be characterized and bounded and documented in the installation manual.

2.2.4 Safety requirements

Not relevant for mechanical elements.

2.2.5 Required data (linked to §2.2)

f) The applicant shall provide the list of type of slots, the associated characteristics in terms of environmental protection (shielding).

This will include:

• The list of authorized or predefined hardware modules or components

• Slot Mounting Scheme (mechanical profile / isolation / Drawings)

• Level of isolation and level of shielding per slot

• The list of environmental tests that can be granted to a hardware IMA module (see Appendix 4 - EQT) mounted into the rack.

g) As required in § 2.2, the applicant shall provide in installation manual all constraints (including limitations, Usage Domain and activities) to be respected by the users.

2.2.6 Verification procedures

Following table gives verification method for each MPS:

| MPS Ref | MPS text | Verification method (A/I/D/T) | Verification Acceptance Criteria |
| --- | --- | --- | --- |
| 2.2.2 a) | A level of environmental protection (shielding) for each mounted hardware modules shall be ensured by the IMA Module. This protection shall take into account effects of aircraft environment (outside the rack) and interactions between the modules themselves. | I+A+T | 2.2.6.1 |
| 2.2.2 b) | The IMA module shall provide the list of slots (e.g. slot 1, slot 3…) for which the protection (a) is guaranteed. The list of types of slots and the associated characteristics in terms of protection shall be provided in the installation manual. | I | 2.2.6.2 |
| 2.2.2 c) | The attributes of each type of slot may be configurable. | I | 2.2.6.3 |
| 2.2.2 d) | If the (a) shielding objective is reached thanks to any additional mechanical element, this element shall be inseparable of the IMA Module and part of its identification and marking. | I | 2.2.6.4 |
| 2.2.3 e) | The level of environmental protection (shielding) of each slot provided in §2.2.2 shall be characterized and bounded and documented in the installation manual. | I+A | 2.2.6.5 |
| 2.2.5 f) | The applicant shall provide the list of type of slots, the associated characteristics in terms of environmental protection (shielding). | I | 2.2.6.6 |
| 2.2.5 g) | As required in § 2.2, the applicant shall provide in installation manual all constraints (including limitations, Usage Domain and activities) to be respected by the users. | I | 2.2.6.7 |

Table 2 : Verification Acceptance Criteria

2.2.6.1 Verification of 2.2.2 a)

1 – Verify in Installation Manual that the characteristics of each type of slot in terms of environmental protection are well defined.

2 – Initialize the IMA module (Rack) in consistency with Usage Domain contained into the Installation Manual (especially environmental aspects).

3 – Verify via EQT procedures (see Appendix 4) that the level of protection per type of slot is in consistency of the one defined into the Installation Manual.

In particular, the usage domain of the IMA module must be defined and maintained in order that at least the subset of qualification tests specified into Appendix 4 produces a credit for mounted hardware IMA module in a dedicated slot.

2.2.6.2 Verification of 2.2.2 b)

1 – Inspect the Installation Manual to verify that the list of slots is well defined.

2 – Inspect the Installation Manual to verify that the characteristics of each type of slot in terms of environmental protection are well defined.


2.2.6.3 Verification of 2.2.2 c)

If 2.1.2 g) is implemented:

1 – Inspect the Installation Manual to verify that the configurable attributes of types of slot are well defined.

2 – Inspect the Installation Manual to verify that the authorized values of each configurable attribute are well defined as Usage Domain rules.

2.2.6.4 Verification of 2.2.2 d)

If compliance to shielding objective is reached thanks to any additional mechanical component:

1 – Inspect the Installation Manual to verify that this component is well identified.

2 – Verify that this component is part of IMA module (Rack) identification and is inseparable.

2.2.6.5 Verification of 2.2.3 e)

1 – Verify in Installation Manual that the characteristics of each type of slot in terms of environmental protection are well defined. These characteristics will be defined per Environmental Conditions and Test Procedures category.

2.2.6.6 Verification of 2.2.5 f)

1 – Inspect the Installation Manual to verify that the list of types of slot, their associated attributes, their configurability and their performances (in terms of environmental protection) are well documented, including boundaries, Usage Domain Rules, mechanical interface rules.

2 – Inspect the Installation Manual to verify that the list of environmental tests that can be granted to a hardware IMA module level mounted into the rack is well defined (see Appendix 4 – EQT).

3 – Verify that this information is in consistency with EQT results.

2.2.6.7 Verification of 2.2.5 g)

1 – Inspect the Installation Manual to verify that the constraints to be respected are specified for all types of slots, including their associated Usage Domain Rules and mechanical interface rules.

2.3 F3 - Interconnection

2.3.1 Description

F3 is an optional sub-function of ETSO-2C153 CLASS A.

In this case, IMA module provides the capacity to interconnect hardware IMA module together inside the Rack Module. This interconnection allows exchanging data or power supply.

Note:

• The Communication and Power supply interconnection capacity is only composed of passive components.

• Power supply exchanges between mounted hardware IMA modules need at least one module compliant to ETSO-2C153 CLASS F to be mounted into a slot.

Figure 7: CLASS A Interconnection function overview (diagram labels: Rack Module, Mounted Module, Type F, Interconnection unit, Data Thread, Power Flows, Aircraft electrical network, Power Flow)

2.3.2 Functional requirements

For ETSO-2C153 CLASS A, additionally to MPS specified into § 2.1,

a) The IMA module shall provide the capacity to interconnect mounted hardware IMA modules thanks to data or power supply buses available through an electrical interface(s) supplied by one or several interconnection unit(s). These buses will be dedicated to:

• Data exchanges

• Power supply exchanges

b) If the IMA module provides more than one bus, the isolation between buses used by mounted hardware IMA modules shall be ensured by the IMA module.

The interface(s) of the IMA module will conform to characteristics as described by a standard (ARINC600 or ARINC 664 for example).


Figure 8: CLASS A Interconnection elements relationship (diagram labels: Interconnection unit, Power / Data interconnection, Bus, Electrical interface, Power Flows, Data Threads)

2.3.3 Performance requirements

c) The data and power supply buses shall not degrade the transmitted signals. An attenuation profile will be defined if relevant.

d) The performances of each type of buses provided in a) shall be characterized, bounded and documented in the Installation Manual.

2.3.4 Safety requirements

e) For ETSO-2C153 CLASS A, the IMA module shall implement a fault containment concerning interconnection unit to prevent from fault propagation between data or power supply buses.

f) Failure modes:

For at least following failure modes, failure rate shall be provided:

• Loss of the interconnection function

• Erroneous Behavior of interconnection function

Monitoring coverage:

Monitoring Coverage rate (PBIT, CBIT…) shall be provided for all failure modes of the interconnection function.

Events such as bad sequencing, delay, corruption, impersonation will be taken into account during the safety analysis.

2.3.5 Required data (linked to §2.2)

g) The applicant shall provide the list of types of buses, the associated attributes, their configurability, and their sizing and performances.

h) As required in § 2.2, the Applicant shall provide in installation manual all constraints (including limitations, Usage Domain and activities) to be respected by the users.

2.3.6 Verification procedures


Following table gives verification method for each MPS:

| MPS Ref | MPS text | Verification method (A/I/D/T) | Verification Acceptance Criteria |
| --- | --- | --- | --- |
| 2.3.2 a) | The IMA module shall provide the capacity to interconnect mounted hardware IMA modules thanks to data or power supply buses available through an electrical interface(s) supplied by one or several interconnection unit(s). These buses will be dedicated to: | I+T | 2.3.6.1 |
| 2.3.2 b) | If the IMA module provides more than one bus, the isolation between buses used by mounted hardware IMA modules shall be ensured by the IMA module. | A+T | 2.3.6.2 |
| 2.3.3 c) | The data and power supply buses shall not degrade the transmitted signals. | A+T | 2.3.6.3 |
| 2.3.3 d) | The performances of each type of buses provided in a) shall be characterized, bounded and documented in the Installation Manual. | I+A | 2.3.6.4 |
| 2.3.4 e) | For ETSO-2C153 CLASS A, the IMA module shall implement a fault containment concerning interconnection unit to prevent from fault propagation between data or power supply buses. | I+A | 2.3.6.5 |
| 2.3.4 f) | Failure modes: for at least following failure modes, failure rate shall be provided: • Loss of the interconnection function • Erroneous Behavior of interconnection function. Monitoring coverage: Monitoring Coverage rate (PBIT, CBIT…) shall be provided for all failure modes of the interconnection function. | A | 2.3.6.6 |
| 2.3.5 g) | The applicant shall provide the list of types of buses, the associated attributes, their configurability, and their sizing and performances. | I | 2.3.6.7 |
| 2.3.5 h) | As required in § 2.2, the Applicant shall provide in installation manual all constraints (including limitations, Usage Domain and activities) to be respected by the users. | I | 2.3.6.8 |

Table 3 : Verification Acceptance Criteria

2.3.6.1 Verification of 2.3.2 a)

1 – Inspect the Installation Manual to verify the data buses and power supply buses schematics inside the IMA module (Rack) are well specified including electrical interfaces.

2 – Initialize the IMA module (Rack) in consistency with Usage Domain contained into the Installation Manual.

3 – Verify that all the interconnection data buses and power supply buses are well implemented.

4 – Verify that Interfaces are well implemented according to its (their) specification(s) given into the Installation Manual.

2.3.6.2 Verification of 2.3.2 b)

If the IMA module (Rack) provides more than one bus:

1 – Inspect the Partitioning Analysis of the IMA module and verify that all the unauthorized interferences between buses are well identified and mitigated by either design or a Usage Domain rule.

2 – Inspect the Installation Manual to determine the range number [Min - Max] of hardware IMA modules which can use the buses.

3 – Initialize the IMA module in consistency with Usage Domain contained into the Installation Manual.

4 – Verify that in valid equivalence classes and boundary values of [Min – Max], for each unauthorized interference, isolation is well implemented.

2.3.6.3 Verification of 2.3.3 c)

For each type of bus:

1 – Initialize the IMA module in consistency with Usage Domain contained into the Installation Manual.

2 – Send a data (resp. power supply) thread on the bus and verify that the design of interconnection unit(s) does not degrade transmitted signals.

Note that the acceptance can be done according to a previously defined attenuation profile.

2.3.6.4 Verification of 2.3.3 d)

1 – Inspect the Installation Manual to verify that the list of types of buses is well defined.

2 – Inspect the Installation Manual to verify that the attributes and performances of each type of bus thread are well defined. Attributes are:

• Usage domain rules associated to bus type.

• Electrical interface associated to bus type.

2.3.6.5 Verification of 2.3.4 e)

1 – Inspect the Failure Mode and Effect Analysis (FMEA) to verify that fault containment mechanism is well identified.

2 – Initialize the IMA module in consistency with Usage Domain contained into the Installation Manual.

3 – Verify that each fault containment mechanism is well implemented avoiding fault propagation between data threads managed by the IMA Module, and outside the IMA Module, by observing the sanction associated to fault and raised by monitoring.

2.3.6.6 Verification of 2.3.4 f)

1 – Inspect the Failure Mode and Effect Analysis (FMEA) and Fault Tree Analysis [FTA] to verify that required feared events are well quantified.

2.3.6.7 Verification of 2.3.5 g)

1 – Inspect the Installation Manual to verify that the list of types of buses, their associated attributes, their configurability and their performances are well documented, including boundaries, Usage Domain Rules, electrical interface rules.

2.3.6.8 Verification of 2.3.5 h)

1 – Inspect the Installation Manual to verify that the constraints to be respected are specified for all types of data thread, including their associated Usage Domain Rules and logical interface rules.

2.4 F4 - Cooling

2.4.1 Description

F4 is an optional sub-function of ETSO-2C153 CLASS A.

In this case, IMA module provides the capacity to:

• Distribute Airflow between aircraft environment (outside the rack) and the mounted hardware IMA modules inside the IMA module (rack).

• Enforce Airflow with cooling generation unit.

Figure 9: CLASS A cooling function overview (diagram labels: Rack Module, Mounted Module, Cooling unit, Power dissipation, Airflow)

2.4.2 Functional requirements

For ETSO-2C153 CLASS A, additionally to MPS specified into § 2.1,

a) The IMA module shall distribute airflow to/from mounted hardware IMA module thanks to a mechanical interface. This distribution shall be realized per slot basis. The IMA module shall guarantee a cooling performance per slot.

b) The IMA module may provide a means – named cooling generation unit – to enforce airflow between aircraft environment and the mounted hardware IMA modules.

c) The Cooling generation unit may be configurable.

Figure 10: CLASS A Cooling elements relationship (diagram labels: Cooling unit, Airflow, Slot, HW component or module, Mechanical interface)

2.4.3 Performance requirements

d) An airflow performance of each slot provided shall be characterized and bounded and documented in the installation manual.

2.4.4 Safety requirements

e) Failure modes:

For at least following failure modes, failure rate shall be provided:

• Loss of the Cooling generation function

• Erroneous Behavior of the Cooling generation function

Monitoring coverage:

Monitoring Coverage rate (PBIT, CBIT…) shall be provided for all failure modes of the Cooling generation function.

Events such as Partial loss, too low performance, corruption, impersonation will be taken into account during the safety analysis.

2.4.5 Required data (linked to §2.2)

f) The Applicant shall provide the list of types of slots, their associated attributes, their configurability and their performances in terms of cooling.

2.4.6 Verification procedures

Following table gives verification method for each MPS:


| MPS Ref | MPS text | Verification method (A/I/D/T) | Verification Acceptance Criteria |
| --- | --- | --- | --- |
| 2.4.2 a) | The IMA module shall distribute airflow to/from mounted hardware IMA module thanks to a mechanical interface. This distribution shall be realized per slot basis. The IMA module shall guarantee a cooling performance per slot. | A+T | 2.4.6.1 |
| 2.4.2 b) | The IMA module may provide a means – named cooling generation unit – to enforce airflow between aircraft environment and the mounted hardware IMA modules. | A+T | 2.4.6.2 |
| 2.4.2 c) | The Cooling generation unit may be configurable. | I | 2.4.6.3 |
| 2.4.3 d) | An airflow performance of each slot provided shall be characterized and bounded and documented in the installation manual. | I+A | 2.4.6.4 |
| 2.4.4 e) | Failure modes: for at least following failure modes, failure rate shall be provided: • Loss of the Cooling generation function • Erroneous Behavior of the Cooling generation function. Monitoring coverage: Monitoring Coverage rate (PBIT, CBIT…) shall be provided for all failure modes of the Cooling generation function. Events such as Partial loss, too low performance, corruption, impersonation will be taken into account during the safety analysis. | A | 2.4.6.5 |
| 2.4.5 f) | The Applicant shall provide the list of types of slots, their associated attributes, their configurability and their performances in terms of cooling. | I | 2.4.6.6 |

Table 4 : Verification Acceptance Criteria

2.4.6.1 Verification of 2.4.2 a)

1 – Inspect the Installation Manual to determine the range number [Min - Max] of hardware IMA modules between which it is possible to distribute airflow inside the rack and what the airflow specifications per slot are.

2 – Verify that the Min number is at least equal to two.

3 – Initialize the IMA module in consistency with Usage Domain contained into the Installation Manual.

4 – Verify that in valid equivalence classes and boundary values of [Min – Max], the hardware IMA modules are correctly cooled compliantly to specified airflow value.

2.4.6.2 Verification of 2.4.2 b)

If 2.4.2b) is implemented, perform same verification as in 2.4.1a) but with airflow specifications taking into account cooling generation unit contribution.

2.4.6.3 Verification of 2.4.2 c)

If 2.4.2 c) is implemented:

1 – Inspect the Installation Manual to verify that the configurable attributes of the cooling generation unit are well defined.

2.4.6.4 Verification of 2.4.3 d)

1 – Inspect the Installation Manual to verify that the airflow performances of each slot are well documented, including boundaries, Usage Domain Rules, and mechanical interface rules.

2.4.6.5 Verification of 2.4.4 e)

1 – Inspect the Failure Mode and Effect Analysis (FMEA) and Fault Tree Analysis [FTA] to verify that required feared events are well quantified.

2.4.6.6 Verification of 2.4.5 f)

1 – Inspect the Installation Manual to verify that the list of types of slots, their associated attributes, their configurability and their performances in terms of airflow are well documented, including boundaries, Usage Domain Rules, mechanical interface rules.


APPENDIX 2

INTEGRATED MODULAR AVIONIC PLATFORM AND MODULE

MINIMUM PERFORMANCE SPECIFICATION (MPS)

CLASS B: Processing (PR)

1. Purpose and scope

1.1. Introduction

This document contains CLASS B Minimum Performance Standards (MPS).

These standards specify characteristics that should be useful to designers, manufacturers, installers and users of the IMA module.

1.2. Module Overview

For ETSO-2C153 CLASS B, IMA module provides shared resources in terms of processing, data storage and interfaces between IMA applications, modules and/or components.

Following definitions are used:

• Processing Unit: set of physical components (hardware and or software) in charge of supplying and managing a shared processing resource.

• Storage Unit: set of physical components (hardware and or software) in charge of supplying and managing a shared data storage resource.

• Interface Unit: set of physical components (hardware and or software) in charge of supplying and managing a shared information resource.

• Processing Element: well-defined set of data which is a primary form of software execution and for which a level of isolation would be guaranteed by IMA module.

1.3. Intended Function

Based on the definition of the CLASS B MPS, this section provides Minimum Performance Standards (MPS) for the intended function which is to provide the capability to share Processing, Data storage, information supplied by one or several processing, storage, interfaces units.

These services are limited to the following ones:

• F1: Processing sharing

• F2: Information sharing

• F3: Data Storage sharing

The following figure provides an overview of the previously mentioned IMA module intended function and associated interfaces:


Figure 1: IMA module overview for ETSO-2C153 CLASS B (diagram labels: Processing Module, Interface unit, Processing Unit, Storage Unit, Hosted Component, Hosted Applications, Hosted Module, Interfaces, Data thread, Storage Element, Processing Element)

2. Requirements

2.1. F1 - Processing

2.1.1. Description

For ETSO-2C153 CLASS B, IMA module provides shared resources for processing needs of IMA applications, modules and/or components.

2.1.2. Functional requirements

For ETSO-2C153 CLASS B:

a) The IMA module shall provide to IMA applications, modules and/or components the capacity to use shared Processing Resource thanks to Processing Elements handled through a logical interface (such as an API).

b) The robust partitioning between Processing Elements used by IMA applications, modules and/or components shall be ensured by the IMA module.

c) The IMA module shall provide the list of types of Processing Elements (e.g. application, partition, process, thread…) for which the robust partitioning is guaranteed. The list of types of Processing Element and the associated attributes shall be provided in the installation manual.

d) Any breach in robust partitioning guaranteed by c) shall be detected by the IMA module.

e) Some attributes of each Processing Element guaranteed by c) may be configurable.

The logical interface of the IMA module will conform to characteristics as described by a standard (ARINC653 for example).


Figure 2: CLASS B Processing (PR) elements relationship (diagram labels: Processing unit, Processing resource, Processing element, Programming interface)

2.1.3. Performance requirements

f) The performances (inc. sizing, access time…) of each management mechanism including monitoring shall be characterized, bounded and documented in the Installation Manual.

2.1.4. Safety requirements

g) For ETSO-2C153 CLASS B, the IMA module shall implement a fault containment mechanism concerning processing unit(s) to prevent from fault propagation between processing elements managed by the IMA module, and outside the IMA module.

h) Failure modes:

For at least following failure modes, failure rate shall be provided:

• Loss of the IMA module

• Erroneous Behavior of the IMA module

• Loss of the shared processing resource

• Erroneous Behavior of the shared processing resource

Monitoring coverage:

Monitoring Coverage rate (PBIT, CBIT…) shall be provided for all failure modes of the IMA module (inc. Shared and unshared resources).

For shared processing resource, monitoring Coverage rate (inc. Resource itself, sharing mechanisms and robust partitioning mechanisms) shall be provided.

Events such as bad sequencing, delay, corruption, impersonation will be taken into account during the safety analysis.


2.1.5. Required data

i) The Applicant shall provide the list of types of Processing Element, the associated attributes, their configurability and their temporal and sizing performances.

j) The Applicant shall provide any data needed to evaluate Worst Case Execution Time (WCET) usage of hosted application, module or component.

k) As required in § 2.2, the Applicant shall provide in installation manual all constraints (including limitations, Usage Domain and activities) to be respected by the users.

2.1.6. Verification procedures

Following table gives verification method for each MPS:

| MPS Ref | MPS text | Verification method (A/I/D/T) | Verification Acceptance Criteria |
| --- | --- | --- | --- |
| 2.1.2 a) | The IMA module shall provide to IMA applications, modules and/or components the capacity to use shared Processing Resource thanks to Processing Elements handled through a logical interface (such as an API). | I+T | 2.1.6.1 |
| 2.1.2 b) | The robust partitioning between Processing Elements used by IMA applications, modules and/or components shall be ensured by the IMA module. | I+A+T | 2.1.6.2 |
| 2.1.2 c) | The IMA module shall provide the list of types of Processing Elements (e.g. application, partition, process, thread…) for which the robust partitioning is guaranteed. The list of types of Processing Element and the associated attributes shall be provided in the installation manual. | I | 2.1.6.3 |
| 2.1.2 d) | Any breach in robust partitioning guaranteed by c) shall be detected by the IMA module. | I+A+T | 2.1.6.4 |
| 2.1.2 e) | Some attributes of each Processing Element guaranteed by c) may be configurable. | I | 2.1.6.5 |
| 2.1.3 f) | The performances (inc. sizing, access time…) of each management mechanism including monitoring shall be characterized, bounded and documented in the Installation Manual. | I+A | 2.1.6.6 |
| 2.1.4 g) | For ETSO-2C153 CLASS B, the IMA module shall implement a fault containment mechanism concerning processing unit(s) to prevent from fault propagation between processing elements managed by the IMA module, and outside the IMA module. | I+T | 2.1.6.7 |
| 2.1.4 h) | Failure modes: for at least following failure modes, failure rate shall be provided: • Loss of the IMA module • Erroneous Behavior of the IMA module • Loss of the shared processing resource • Erroneous Behavior of the shared processing resource. Monitoring coverage: Monitoring Coverage rate (PBIT, CBIT…) shall be provided for all failure modes of the IMA module (inc. Shared and unshared resources). For shared processing resource, monitoring Coverage rate (inc. Resource itself, sharing mechanisms and robust partitioning mechanisms) shall be provided. Events such as bad sequencing, delay, corruption, impersonation will be taken into account during the safety analysis. | A | 2.1.6.8 |
| 2.1.5 i) | The Applicant shall provide the list of types of Processing Element, the associated attributes, their configurability and their temporal and sizing performances. | I | 2.1.6.9 |

Page 40: ETSO 2C153 Date: draft v2.0 - 31/07/2013 - GAMA

MPS Ref MPS text Verification

method (A/I/D/T)

Verification Acceptance

Criteria

2.1.5 j) The Applicant shall provide any data

needed to evaluate Worst Case

Execution Time (WCET) usage of hosted

application, module or component

I 2.1.6.10

2.1.5 k) As required in § 2.2, the Applicant shall

provide in installation manual all

constraints (including limitations, Usage

Domain and activities) to be respected

by the users.

I 2.1.6.11

Table 1 : Verification Acceptance Criteria

2.1.6.1. Verification of 2.1.2 a)

1 – Inspect the Installation Manual to determine the range number [Min - Max] of IMA

applications, components and/or modules between which it is possible to share the

processing resource.

2 – Verify that the Min number is at least equal to two.

3 – Initialize the IMA module in consistency with Usage Domain contained into the

Installation Manual.

4 – Verify that in valid equivalence classes and boundary values of [Min – Max], the IMA

applications, components and/or modules access correctly to share processing resource.

5 – Verify that Logical Interface is well implemented according to its specification given

into the Installation Manual.

2.1.6.2. Verification of 2.1.2 b)

1 – Inspect the Partitioning Analysis of the IMA module and verify that all the temporal or spatial unauthorized interferences between processing elements are well identified and mitigated by either a design mechanism or a Usage Domain rule.

2 – Inspect the Installation Manual to determine the range number [Min - Max] of IMA

applications, components and/or modules between which it is possible to share the

processing resource.

3 – Initialize the IMA module in consistency with Usage Domain contained into the

Installation Manual.

4 – Verify that in valid equivalence classes and boundary values of [Min – Max], for each

unauthorized interference, a robust partitioning mechanism is well implemented.

2.1.6.3. Verification of 2.1.2 c)

1 – Inspect the Installation Manual to verify that the list of types of processing elements

(e.g. application, partition, process and thread...) for which the temporal and spatial

robust partitioning is guaranteed is well defined.

2 - Inspect the Installation Manual to verify that the attributes of each type of processing elements are well defined. Attributes are:

• Usage domain rules associated to Processing Element type.

• Programming interface associated to Processing Element type.

• Software production rules associated to Processing Element type.

2.1.6.4. Verification of 2.1.2 d)


1 – After Verification of 2.1.2c)

2 – For each type of processing element, initialize the attributes in consistency with

Usage Domain contained into the Installation Manual.

3 – Verify with an outer value of valid equivalence classes and boundary values of

processing element attributes, that the associated robust partitioning breach detection is

well implemented.
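Added example, not part of the ETSO text: a small C model of the boundary-value check described in 2.1.6.2 and 2.1.6.4, run against a spatial and a temporal breach monitor, with a deliberately faulty monitor beside the correct one to show why the outer values matter. The attribute names, the monitor functions and the sample limits are assumptions made for illustration; real values come from the Installation Manual.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical Processing Element attributes. The limits used in main() are
 * constructed sample values standing in for Usage Domain rules. */
typedef struct {
    uint32_t mem_base;   /* first address of the element's memory window */
    uint32_t mem_size;   /* window length in bytes */
    uint32_t budget_us;  /* execution time budget per activation */
} pe_attr_t;

typedef enum { PE_OK = 0, PE_BREACH_SPATIAL, PE_BREACH_TEMPORAL } pe_verdict_t;
typedef pe_verdict_t (*access_check_fn)(const pe_attr_t *, uint32_t, uint32_t);

/* Spatial monitor: [addr, addr+len) must lie inside the window. Only
 * subtractions are used, so a huge len cannot wrap addr+len past zero. */
pe_verdict_t pe_check_access(const pe_attr_t *pe, uint32_t addr, uint32_t len)
{
    if (addr < pe->mem_base) return PE_BREACH_SPATIAL;
    uint32_t off = addr - pe->mem_base;
    if (off > pe->mem_size) return PE_BREACH_SPATIAL;
    if (len > pe->mem_size - off) return PE_BREACH_SPATIAL;
    return PE_OK;
}

/* Faulty monitor kept for comparison: off-by-one in the length test lets an
 * access end one byte past the window. */
pe_verdict_t pe_check_access_off_by_one(const pe_attr_t *pe, uint32_t addr,
                                        uint32_t len)
{
    if (addr < pe->mem_base) return PE_BREACH_SPATIAL;
    uint32_t off = addr - pe->mem_base;
    if (off > pe->mem_size) return PE_BREACH_SPATIAL;
    if (len > pe->mem_size - off + 1u) return PE_BREACH_SPATIAL; /* bug */
    return PE_OK;
}

/* Temporal monitor: an activation may use its whole budget but not more. */
pe_verdict_t pe_check_time(const pe_attr_t *pe, uint32_t elapsed_us)
{
    return elapsed_us > pe->budget_us ? PE_BREACH_TEMPORAL : PE_OK;
}

typedef struct { uint32_t addr, len; pe_verdict_t expected; } access_case_t;

/* Runs valid boundary values and outer values against a spatial monitor and
 * returns how many verdicts differ from the expected equivalence class.
 * Assumes mem_base >= 1, mem_size >= 2 and no wrap of mem_base + mem_size. */
int count_access_mismatches(access_check_fn check, const pe_attr_t *pe)
{
    const uint32_t lo = pe->mem_base;
    const uint32_t hi = pe->mem_base + pe->mem_size; /* one past the window */
    const access_case_t cases[] = {
        { lo,      1u,                PE_OK },             /* lower bound   */
        { lo + 1u, 1u,                PE_OK },
        { hi - 1u, 1u,                PE_OK },             /* last byte     */
        { lo,      pe->mem_size,      PE_OK },             /* whole window  */
        { lo - 1u, 1u,                PE_BREACH_SPATIAL }, /* outer, below  */
        { hi,      1u,                PE_BREACH_SPATIAL }, /* outer, above  */
        { hi - 1u, 2u,                PE_BREACH_SPATIAL }, /* straddles end */
        { lo,      pe->mem_size + 1u, PE_BREACH_SPATIAL }, /* one too long  */
        { hi - 1u, UINT32_MAX,        PE_BREACH_SPATIAL }, /* would wrap    */
    };
    int bad = 0;
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        if (check(pe, cases[i].addr, cases[i].len) != cases[i].expected)
            bad++;
    return bad;
}

/* Same idea for the time budget; assumes 1 <= budget_us < UINT32_MAX. */
int count_time_mismatches(const pe_attr_t *pe)
{
    const struct { uint32_t elapsed; pe_verdict_t expected; } cases[] = {
        { pe->budget_us - 1u, PE_OK },
        { pe->budget_us,      PE_OK },              /* boundary value */
        { pe->budget_us + 1u, PE_BREACH_TEMPORAL }, /* outer value    */
        { UINT32_MAX,         PE_BREACH_TEMPORAL },
    };
    int bad = 0;
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        if (pe_check_time(pe, cases[i].elapsed) != cases[i].expected)
            bad++;
    return bad;
}

int main(void)
{
    const pe_attr_t pe = { 0x1000u, 0x100u, 500u }; /* constructed sample */
    printf("correct monitor mismatches: %d\n",
           count_access_mismatches(pe_check_access, &pe));
    printf("faulty monitor mismatches:  %d\n",
           count_access_mismatches(pe_check_access_off_by_one, &pe));
    printf("temporal mismatches:        %d\n", count_time_mismatches(&pe));
    return 0;
}
```

The faulty monitor passes every valid-class case and is caught only by the outer values just beyond the upper bound.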

2.1.6.5. Verification of 2.1.2 e)

If 2.1.e) is implemented:

1 – Inspect the Installation Manual to verify that the configurable attributes of types of

processing elements (e.g. application, partition, process and thread...) are well defined.

2 – Inspect the Installation Manual to verify that the authorized values of each

configurable attributes are well defined as Usage Domain rules.

2.1.6.6. Verification of 2.1.3 f)

1 - Inspect the Installation Manual to verify that the temporal performances of each

management mechanism including monitoring of each type of Processing Element are

well documented, including boundaries, Usage Domain Rules, Programming Interface and

Software rules.

2.1.6.7. Verification of 2.1.4 g)

1 - Inspect the Failure Mode and Effect Analysis (FMEA) to verify that fault containment

mechanism is well identified

2 – Initialize the IMA module in consistency with Usage Domain contained into the

Installation Manual

4 – Verify that each fault containment mechanism is well implemented avoiding fault

propagation between processing element managed by the IMA module, and outside the

IMA module, by observing the sanction associated to fault and raised by monitoring.

2.1.6.8. Verification of 2.1.4 h)

1 - Inspect the Failure Mode and Effect Analysis (FMEA) and Fault Tree Analysis (FTA) to

verify that required feared event are well quantified.

2.1.6.9. Verification of 2.1.5 i)

1 – Inspect the Installation Manual to verify that the list of types of Processing Element,

their associated attributes, their configurability and their temporal, performances are well

documented, including boundaries, Usage Domain Rules, programming interface and

software production rules.

2.1.6.10. Verification of 2.1.5 j)

1 – Inspect the Installation Manual to verify that means needed to evaluate WCET of

processing element are available.

2 - Initialize the IMA module in consistency with Usage Domain contained into the

Installation Manual.


3 – Verify that the WCET and WCM of processing element can be correctly evaluated

thanks to supplied means.

2.1.6.11. Verification of 2.1.5 k)

1 – Inspect the Installation Manual to verify that the constraint to be respected is

specified for all types of managed processing element, including their associated Usage

Domain Rules and logical interface rules.

2.2. F2 Information sharing

2.2.1. Description

For ETSO-2C153 CLASS B, IMA module provides shared resources for interfaces of IMA

applications, modules and/or components.

The description and the specification of this sub-function F2 is based on Minimum

Performance Specification of the ETSO-2C153 CLASS E (IF).

2.2.2. Functional requirements

For ETSO-2C153 CLASS B:

a) The IMA module shall provide to hosted IMA hosted Applications, modules and/or

components the following capabilities allowing Information Resource sharing through a

logical interface (such as an API) :

o Information acquisition & control with an optional conversion function

o Information forwarding & control with an optional conversion function

Additionally to this requirement, ETSO-2C153 CLASS E functional requirements (§ 2.1)

from a) to e) are applicable to IMA module.

2.2.3. Performance requirements

For ETSO-2C153 CLASS B, ETSO-2C153 CLASS E performance requirements (§ 2.2) are

applicable to IMA module.

2.2.4. Safety requirements

For ETSO-2C153 CLASS B, ETSO-2C153 CLASS E safety requirements (§ 2.3) are

applicable to IMA module.

2.2.5. Required data

For ETSO-2C153 CLASS B, ETSO-2C153 CLASS E Required data requirements (§ 2.4) are

applicable to IMA module.


2.2.6. Verification procedures

Following table gives verification method for each MPS:

| MPS Ref | MPS text | Verification method (A/I/D/T) | Verification Acceptance Criteria |
|---|---|---|---|
| 2.2.2 a) | The IMA module shall provide to hosted IMA hosted Applications, modules and/or components the following capabilities allowing Information Resource sharing through a logical interface (such as an API) : | I+T | 2.2.6.1 |
| N/A | ETSO-2C153 CLASS E requirements § 2 a) to k) | Apply ETSO-2C153 CLASS E Verification Methods | Apply ETSO-2C153 CLASS E Verification Methods |

Table 2 : Verification Acceptance Criteria

2.2.6.1. Verification of 2.2.2a)

1 – Inspect the Installation Manual to determine the range number [Min - Max] of IMA

applications, components and/or modules between which it is possible to share the

information resource.

2 – Verify that the Min number is at least equal to two.

3 – Initialize the IMA module in consistency with Usage Domain contained into the

Installation Manual

4 – Verify that in valid equivalence classes and boundary values of [Min – Max], the IMA

applications, components and/or modules access correctly to share information resource

through the programming interface defined into the Installation Manual.

2.3. F3 Data Storage sharing

2.3.1. Description

For ETSO-2C153 CLASS B, IMA module provides shared data storage resource to IMA

applications, modules and/or components.

The description and the specification of this sub-function F3 is based on Minimum

Performance Specification of the ETSO-2C153 CLASS D (DS).

2.3.2. Functional requirements

For ETSO-2C153 CLASS B, all ETSO-2C153 CLASS D Minimum Performance Specification

are applicable to IMA module.

2.3.3. Performance requirements

For ETSO-2C153 CLASS B, all ETSO-2C153 CLASS D performance requirements are

applicable to IMA module.


2.3.4. Safety requirements

For ETSO-2C153 CLASS B, all ETSO-2C153 CLASS D safety requirements are applicable to

IMA module.

2.3.5. Required data

For ETSO-2C153 CLASS B, all ETSO-2C153 CLASS D required data requirements are

applicable to IMA module.

2.3.6. Verification procedure

For ETSO-2C153 CLASS B, all ETSO-2C153 CLASS D verification procedures are applicable

to IMA module.


APPENDIX 2

INTEGRATED MODULAR AVIONIC MODULE

MINIMUM PERFORMANCE SPECIFICATION (MPS)

CLASS C: Graphical Processing (GP)

1. Purpose and scope

1.1. Introduction

This document contains CLASS C Minimum Performance Specification (MPS).

These standards specify characteristics that should be useful to designers, manufacturers, installers and users of the IMA module.

1.2. Overview

For ETSO-2C153 CLASS C, IMA module provides shared resources in terms of graphical conversion and graphical laying out between IMA applications, modules and/or components based on commands coming from these IMA applications, modules and/or components.

Following definitions are used:

• Graphical conversion: Transformation of a set of data information (digital) into set of graphical and displayable information.

• Laying out: Operation consisting in a combination of merging or/and splitting actions on graphical and displayable information in order to build final Graphical Thread to be rendered.

• Conversion Unit: set of physical components (hardware and/or software) in charge of supplying and managing a shared graphical conversion based on command thread.

• Laying out Unit: set of physical components (hardware and/or software) in charge of supplying and managing a shared graphical laying out based on command thread.

• Graphical Thread: set of graphical (display) information for which a level of isolation would be guaranteed by the IMA module.

• Data Thread: well-defined set of data which is a primary form of drawing information received as input by the IMA module from IMA applications, modules and/or components.

• Command Thread: well-defined set of directives received as input by the IMA module from IMA applications, modules and/or components in order to change the conversion and laying out settings.

Note:

Both units can be merged in one hardware component.

The final rendering of the graphical thread(s) is out of scope of this module (refer to Type G).

1.3. Intended function

Based on the definition of the CLASS C MPS, this section provides Minimum Performance Standards (MPS) for the intended function which is to provide the capability to share graphical conversion and graphical laying out supplied by one or several graphical conversion and graphical laying out unit(s).

This intended function is Graphical Conversion and Laying out resource sharing composed of

o Information acquisition & control,


o Information conversion and laying out,

o Information forwarding & control.

The following figure provides an overview of the previously mentioned intended function and

associated interfaces:

Graphical thread = F(Σdata threads)(Cd)

Σ Command threads

Figure 1: IMA module overview for ETSO-2C153 CLASS C

2. Requirements

2.1. Graphical Conversion and laying out resource sharing

2.1.1. Description

For ETSO-2C153 CLASS C, IMA module provides shared resources for graphical conversion

and graphical laying out needs of IMA applications, modules and/or components.

2.1.2. Functional requirements

For ETSO-2C153 CLASS C:

a) The IMA Module shall provide to IMA applications, modules and/or components the capacity

to use shared Graphical Conversion Resource and Graphical Laying out Resource based on

command threads through logical and/or physical interface(s).

b) The robust partitioning between threads from IMA applications, modules and/or components

using the shared Graphical Conversion Resource and Laying out Resource shall be ensured

by the IMA Module.


c) The IMA Module shall provide the list of types of thread for which the robust partitioning is guaranteed. The list of types of thread and the associated attributes shall be provided in the installation manual.

d) Any breach in robust partitioning guaranteed by c) shall be detected by the IMA Module.

e) Some attributes of each thread guaranteed by c) may be configurable.

The interface(s) of the IMA Module will conform to characteristics as described by a standard

(ARINC 661, ARINC 708, STANAG for example).

[Figure labels: IMA applications; External sources; Display Unit; Input interface; Internal interface; Output interface; Data thread; Commands thread; Graphical thread; Graphical Conversion Resource (Graphical Conversion Units); Graphical Laying out Resource (Graphical Laying out Units)]

Figure 2: CLASS E Graphical Processing (GP) elements relationship

2.1.3. Performance requirements

f) The performances of each management mechanism including monitoring shall be

characterized, bounded and documented in the installation manual.

2.1.4. Safety requirements

g) For ETSO-2C153 CLASS C, the IMA module shall implement a fault containment mechanism

concerning graphical unit(s) to prevent from fault propagation between threads managed by

the IMA module, and outside the IMA module.


h) Failures modes:

For at least following failure modes, failure rate shall be provided:

• Loss of the IMA module

• Erroneous Behavior of the IMA module

• Loss of the shared Graphical Conversion Resource and Laying out Resource

• Erroneous Behavior of the shared Graphical Conversion Resource and Laying out Resource

Monitoring coverage:

Monitoring Coverage rate (PBIT, CBIT…) shall be provided for all failure modes of the IMA

Module (inc. Shared and unshared resources).

For shared Graphical Conversion Resource and Laying out Resource, monitoring Coverage

rate (inc. Resource itself, sharing mechanisms and robust partitioning mechanisms) shall

be provided.

Events such as delay, corruption, impersonation, loss, frozen information will be taken into

account during the safety analysis.

Particular emphasis should be given to precluding or mitigating failures which could result in

hazardously misleading information. Undetected loss of information or frozen information

could contribute to hazardously misleading information.

2.1.5. Required data (linked to §2.2)

i) The Applicant shall provide the list of type of threads, the associated attributes, their

configurability, their sizing and graphical processing time performances.

j) As required in § 2.2, the Applicant shall provide in installation manual all constraints

(including limitations, Usage Domain and activities) to be respected by the users.

k) The applicant shall provide any data needed to evaluate Worst Case Graphical Elaboration

Time of managed threads.

2.1.6. Verification procedures

Following table gives verification method for each MPS:

| MPS Ref | MPS text | Verification method (A/I/D/T) | Verification Acceptance Criteria |
|---|---|---|---|
| 2.1.2 a) | The IMA Module shall provide to IMA applications, modules and/or components the capacity to use shared Graphical Conversion Resource and Graphical Laying out Resource based on command threads through logical and/or physical interface(s). | I+T | 2.1.6.1 |
| 2.1.2 b) | The robust partitioning between threads from IMA applications, modules and/or components using the shared Graphical Conversion Resource and Laying out Resource shall be ensured by the IMA Module. | I+A+T | 2.1.6.2 |
| 2.1.2 c) | The IMA Module shall provide the list of types of thread for which the robust partitioning is guaranteed. The list of types of thread and the associated attributes shall be provided in the installation manual. | I | 2.1.6.3 |
| 2.1.2 d) | Any breach in robust partitioning guaranteed by c) shall be detected by the IMA Module. | I+A+T | 2.1.6.4 |
| 2.1.2 e) | Some attributes of each thread guaranteed by c) may be configurable. | I | 2.1.6.5 |
| 2.1.3 f) | The performances of each management mechanism including monitoring shall be characterized, bounded and documented in the installation manual. | I+A | 2.1.6.6 |
| 2.1.4 g) | For ETSO-2C153 CLASS C, the IMA module shall implement a fault containment mechanism concerning graphical unit(s) to prevent from fault propagation between threads managed by the IMA module, and outside the IMA module. | I+T | 2.1.6.7 |
| 2.1.4 h) | Failures modes: For at least following failure modes, failure rate shall be provided: • Loss of the IMA module • Erroneous Behavior of the IMA module • Loss of the shared Graphical Conversion Resource and Laying out Resource • Erroneous Behavior of the shared Graphical Conversion Resource and Laying out Resource. Monitoring coverage: Monitoring Coverage rate (PBIT, CBIT…) shall be provided for all failure modes of the IMA Module (inc. Shared and unshared resources). | I | 2.1.6.8 |
| 2.1.5 i) | The Applicant shall provide the list of type of threads, the associated attributes, their configurability, their sizing and graphical processing time performances. | I | 2.1.6.9 |
| 2.1.5 j) | As required in § 2.2, the Applicant shall provide in installation manual all constraints (including limitations, Usage Domain and activities) to be respected by the users. | I | 2.1.6.10 |
| 2.1.5 k) | The applicant shall provide any data needed to evaluate Worst Case Graphical Elaboration Time of managed threads. | I + A | 2.1.6.11 |


Table 1 : Verification Acceptance Criteria

2.1.6.1. Verification of 2.1.2 a)

1 – Inspect the Installation Manual to determine the range number [Min - Max] of IMA

applications, components and/or modules between which it is possible to share the

graphical conversion resource and graphical laying out resource.

2 – Verify that the Min number is at least equal to two.

3 – Initialize the IMA module in consistency with Usage Domain contained into the

Installation Manual

4 – Set commands to IMA module in consistency with Usage Domain contained into the

Installation Manual

5 – Verify that in valid equivalence classes and boundary values of [Min – Max], the IMA

applications, components and/or modules access correctly to share graphical conversion

resource and graphical laying out resource depending on commands set.

6 – Verify that Interfaces are well implemented according to their specifications given

into the Installation Manual.

2.1.6.2. Verification of 2.1.2 b)

1 – Inspect the Partitioning Analysis of the IMA module and verify that all the unauthorized interferences between threads from IMA applications, components and/or modules are well identified and mitigated by either a design mechanism or a Usage Domain rule.

2 – Inspect the Installation Manual to determine the range number [Min - Max] of IMA

applications, components and/or modules between which it is possible to share the

graphical conversion resource and graphical laying out resource.

3 – Initialize the IMA module in consistency with Usage Domain contained into the

Installation Manual.

4 – Set commands to IMA module in consistency with Usage Domain contained into the

Installation Manual.

5 – Verify that in valid equivalence classes and boundary values of [Min – Max], for each

unauthorized interference, a robust partitioning mechanism is well implemented.

2.1.6.3. Verification of 2.1.2 c)

1 – Inspect the Installation Manual to verify that the list of types of thread for which the

robust partitioning is guaranteed are well defined.

2 - Inspect the Installation Manual to verify that the attributes of each type of thread are well defined. Attributes are:

• Usage domain rules associated to thread type.

• Programming interface and/or physical interface associated to thread type.

2.1.6.4. Verification of 2.1.2 d)

1 – After Verification of 2.1.2 c)

2 – For each type of thread, initialize (and potentially configure) the attributes of thread

in consistency with Usage Domain contained into the Installation Manual.

3 – Set commands to IMA module in consistency with Usage Domain contained into the

Installation Manual.


4 – Verify with an outer value of valid equivalence classes and boundary values of thread

attributes, that the associated robust partitioning breach detection is well implemented.

2.1.6.5. Verification of 2.1.2 e)

If 2.1.2 e) is implemented:

1 – Inspect the Installation Manual to verify that the configurable attributes of types of

thread are well defined.

2 – Inspect the Installation Manual to verify that the authorized values of each

configurable attribute are well defined as Usage Domain rules.

2.1.6.6. Verification of 2.1.3 f)

1 - Inspect the Installation Manual to verify that the sizing (e.g. Bandwidth) and the

distribution time (e.g. Latency) performances of each management mechanism including

monitoring of each type of thread are well documented, including boundaries, Usage

Domain Rules, and logical Interface rules.

2.1.6.7. Verification of 2.1.4 g)

1 - Inspect the Failure Mode and Effect Analysis (FMEA) to verify that Fault Containment

mechanism is well identified

2 – Initialize the IMA module in consistency with Usage Domain contained into the

Installation Manual

3 – Set application commands in consistency with Usage Domain contained into the

Installation Manual

4 - Verify that each fault containment mechanism is well implemented avoiding fault

propagation between threads managed by the GP, and outside the GP by observing the

sanction associated to fault and raised by monitoring.

2.1.6.8. Verification of 2.1.4 h)

1 - Inspect the Failure Mode and Effect Analysis (FMEA) and Fault Tree Analysis (FTA) to

verify that required feared event are well quantified.

2.1.6.9. Verification of 2.1.5 i)

1 – Inspect the Installation Manual to verify that the list of types of thread, their

associated attributes, their configurability and their performances are well documented,

including boundaries, Usage Domain Rules, interface rules.

2.1.6.10. Verification of 2.1.5 j)

1 – Inspect the Installation Manual to verify that the constraint to be respected is

specified for all types of data and command thread, including their associated Usage

Domain Rules and interface rules.


2.1.6.11. Verification of 2.1.5 k)

1 – Inspect the Installation Manual to verify that means needed to evaluate Worst Case

Graphical Elaboration Time of graphical thread(s) are available.

2 - Initialize the IMA module in consistency with Usage Domain contained into the

Installation Manual.

3 - Set commands to IMA module in consistency with Usage Domain contained into the

Installation Manual

4 – Verify that the Worst Case Graphical Elaboration Time of each type of threads can be

evaluated thanks to supplied means.


APPENDIX 2

INTEGRATED MODULAR AVIONIC PLATFORM MODULE

MINIMUM PERFORMANCE SPECIFICATION (MPS)

CLASS D: Data Storage (DS)

1. Purpose and scope

1.1. Introduction

This document contains CLASS D Minimum Performance Standards (MPS).

These standards specify characteristics that should be useful to designers, manufacturers,

installers and users of the IMA module.

1.2. Overview

For ETSO-2C153 CLASS D, IMA module provides shared resources in terms of data storage

between IMA applications, modules and/or components.

Data Storage refers to the storage of data in a persisting and machine-readable mode. A Data

Storage that only holds information is a recording article. Data Storage that record data may

both access a separate portable (removable) recording component or a permanent component

to store and retrieve data.

Following definitions are used:

• Storage Unit: set of physical components (hardware and/or software) in charge of supplying and managing recorded data resource (e.g. memory components and associated interfaces…)

• Data Storage Element: well-defined set of data storage which is a primary form of recorded data and for which a level of isolation would be guaranteed by the IMA module.

Each Data Storage Element handled by the IMA module may be bidirectional or symmetrical, but

not necessarily, between interconnected components, modules, and/or IMA applications.

1.3. Intended Function

Based on the definition of the CLASS D MPS, this section provides Minimum Performance

Standards (MPS) for the intended function which is to provide the capability to share

recorded data supplied by one or several storage units.

2. Requirements

For ETSO-2C153 CLASS D, IMA module provides shared resources for data record needs of

IMA applications, modules and/or components.

2.1. Functional requirements

For ETSO-2C153 CLASS D:


a) The IMA module shall provide to IMA applications, modules and/or components the capacity to use shared recorded data resource thanks to data storage elements accessible through a logical and/or physical interface(s).

b) The robust partitioning between data storage elements used by IMA applications,

modules and/or components shall be ensured by the IMA module.

c) The IMA module shall provide the list of types of Data Storage Element for which the

robust partitioning is guaranteed. The list of types of Data Storage Element and the

associated attributes shall be provided in the installation manual.

d) Any breach in robust partitioning guaranteed by c) shall be detected by the IMA module.

e) Some attributes of each Data Storage Element guaranteed by c) may be configurable.

The interface(s) of the IMA module will conform to characteristics as described by a

standard (ARINC665, ARINC600 or ARINC 664 for example). The interface(s) includes

recorded data format.

[Figure labels: Recorded Data Resource; Storage Units; Data Storage Elements; Interfaces]

Figure 1: CLASS D Data Storage (DS) elements relationship


2.2. Performance requirements

f) The performances of each management mechanism including monitoring shall be

characterized, bounded and documented in the Installation Manual.

2.3. Safety requirements

g) For ETSO-2C153 CLASS D, the IMA module shall implement a fault containment

mechanism concerning Storage Unit(s) to prevent from fault propagation between data

storage elements managed by the IMA module, and outside the IMA module.

h) Failures modes:

For at least following failure modes, failure rate shall be provided:

• Loss of the IMA module

• Erroneous Behavior of the IMA module

• Loss of the shared recorded data resource

• Erroneous Behavior of the shared recorded data resource

Monitoring coverage:

Monitoring Coverage rate (PBIT, CBIT…) shall be provided for all failure modes of

the IMA Module (inc. Shared and unshared resources).

For shared recorded data resource, monitoring Coverage rate (inc. Resource itself,

sharing mechanisms and robust partitioning mechanisms) shall be provided.

Events such as bad record, bad read access, delay, corruption, impersonation will be

taken into account during the safety analysis.

2.4. Required data (linked to §2.2)

i) The Applicant shall provide the list of type of data storage elements, the associated

attributes, their configurability, their sizing and access time performances

j) As required in § 2.2, the Applicant shall provide in installation manual all constraints

(including limitations, Usage Domain and activities) to be respected by the users.

k) The Applicant shall provide any data needed to evaluate Worst Case Access Time of

managed data storage element.

2.5. Verification Procedures

Following table gives verification method for each MPS:

| MPS Ref | MPS text | Verification method (A/I/D/T) | Verification Acceptance Criteria |
|---|---|---|---|
| 2.1 a) | The IMA module shall provide to IMA applications, modules and/or components the capacity to use shared recorded data resource thanks to data storage elements accessible through a logical and/or physical interface(s). | I+T | 2.5.1 |
| 2.1 b) | The robust partitioning between data storage elements used by IMA applications, modules and/or components shall be ensured by the IMA module. | I+A+T | 2.5.2 |
| 2.1 c) | The IMA module shall provide the list of types of Data Storage Element for which the robust partitioning is guaranteed. The list of types of Data Storage Element and the associated attributes shall be provided in the installation manual. | I | 2.5.3 |
| 2.1 d) | Any breach in robust partitioning guaranteed by c) shall be detected by the IMA module. | I+A+T | 2.5.4 |
| 2.1 e) | Some attributes of each Data Storage Element guaranteed by c) may be configurable. | I | 2.5.5 |
| 2.2 f) | The performances of each management mechanism including monitoring shall be characterized, bounded and documented in the Installation Manual. | I+A | 2.5.6 |
| 2.3 g) | For ETSO-2C153 CLASS D, the IMA module shall implement a fault containment mechanism concerning Storage Unit(s) to prevent from fault propagation between data storage elements managed by the IMA module, and outside the IMA module. | I+T | 2.5.7 |
| 2.3 h) | Failures modes: For at least following failure modes, failure rate shall be provided: • Loss of the IMA module • Erroneous Behavior of the IMA module • Loss of the shared recorded data resource • Erroneous Behavior of the shared recorded data resource. Monitoring coverage: Monitoring Coverage rate (PBIT, CBIT…) shall be provided for all failure modes of the IMA Module (inc. Shared and unshared resources). For shared recorded data resource, monitoring Coverage rate (inc. Resource itself, sharing mechanisms and robust partitioning mechanisms) shall be provided. Events such as bad record, bad read access, delay, corruption, impersonation will be taken into account during the safety analysis. | A | 2.5.8 |
| 2.4 i) | The Applicant shall provide the list of type of data storage elements, the associated attributes, their configurability, their sizing and access time performances | I | 2.5.9 |
| 2.4 j) | As required in § 2.2, the Applicant shall provide in installation manual all constraints (including limitations, Usage Domain and activities) to be respected by the users. | I | 2.5.10 |
| 2.4 k) | The Applicant shall provide any data needed to evaluate Worst Case Access Time of managed data storage element. | I + A | 2.5.11 |

Table 1 : Verification Acceptance Criteria

2.5.1. Verification of 2.1a)

1 – Inspect the Installation Manual to determine the range number [Min - Max] of IMA applications, components and/or modules between which it is possible to share the recorded data resource.

2 – Verify that the Min number is at least equal to two.

3 – Initialize the IMA module in consistency with the Usage Domain contained in the Installation Manual.

4 – Verify that, in valid equivalence classes and boundary values of [Min – Max], the IMA applications, components and/or modules correctly access the shared recorded data resource.

5 – Verify that Interfaces are well implemented according to its (their) specification(s) given in the Installation Manual.

2.5.2. Verification of 2.1b)

1 – Inspect the Partitioning Analysis of the IMA module and verify that all the unauthorized interferences between elements from IMA applications, components and/or modules are well identified and mitigated by either a design mechanism or a Usage Domain rule.

2 – Inspect the Installation Manual to determine the range number [Min - Max] of IMA applications, components and/or modules between which it is possible to share the recorded data resource.

3 – Initialize the IMA module in consistency with the Usage Domain contained in the Installation Manual.

4 – Verify that, in valid equivalence classes and boundary values of [Min – Max], for each unauthorized interference, a robust partitioning mechanism is well implemented.

2.5.3. Verification of 2.1c)

1 – Inspect the Installation Manual to verify that the list of types of Data Storage element for which the robust partitioning is guaranteed is well defined.

2 – Inspect the Installation Manual to verify that the attributes of each type of Data Storage element are well defined. Attributes are:

• Usage domain rules associated to Data Storage element type.

• Programming interface associated to Data Storage element type.

2.5.4. Verification of 2.1d)

1 – After Verification of 2.1c)

2 – For each type of data element, initialize (and potentially configure) the attributes of Data Storage element in consistency with the Usage Domain contained in the Installation Manual.

3 – Verify, with an outer value of valid equivalence classes and boundary values of Data Storage element attributes, that the associated robust partitioning breach detection is well implemented.
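The following is an added illustration of steps 2 and 3 and is not part of the ETSO, which prescribes no implementation: a hypothetical access check for one Data Storage element is exercised with boundary values and outer values, and a flawed variant shows the kind of breach that only an outer value reveals. All names, the owner and size attributes, and the assumption that zero-length accesses lie outside the Usage Domain are illustrative.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model: the ETSO defines no API, layout or attribute names. */
typedef struct {
    uint8_t  owner;  /* only partition allowed to access the element */
    uint32_t size;   /* element size in bytes (a Usage Domain attribute) */
} ds_element_t;

typedef enum { DS_OK, DS_BREACH_OWNER, DS_BREACH_RANGE } ds_status_t;
typedef ds_status_t (*ds_check_fn)(const ds_element_t *, uint8_t,
                                   uint32_t, uint32_t);

/* Overflow-safe check: a valid access has 1 <= len <= size - offset. */
ds_status_t ds_check(const ds_element_t *e, uint8_t requester,
                     uint32_t offset, uint32_t len)
{
    if (requester != e->owner)
        return DS_BREACH_OWNER;
    if (len == 0 || offset >= e->size || len > e->size - offset)
        return DS_BREACH_RANGE;
    return DS_OK;
}

/* Flawed variant kept for comparison: offset + len wraps modulo 2^32. */
ds_status_t ds_check_naive(const ds_element_t *e, uint8_t requester,
                           uint32_t offset, uint32_t len)
{
    if (requester != e->owner)
        return DS_BREACH_OWNER;
    if (len == 0 || (uint32_t)(offset + len) > e->size)
        return DS_BREACH_RANGE;
    return DS_OK;
}

typedef struct {
    uint8_t     req;     /* requesting partition */
    uint32_t    off;     /* byte offset inside the element */
    uint32_t    len;     /* access length in bytes */
    ds_status_t expect;  /* status the breach detection must report */
} ds_case_t;

enum { OWNER = 1, OTHER = 2, SIZE = 256 };  /* constructed sample values */

static const ds_case_t CASES[] = {
    /* valid equivalence class, boundary values */
    { OWNER, 0,          1,        DS_OK },
    { OWNER, 0,          SIZE,     DS_OK },
    { OWNER, SIZE - 1,   1,        DS_OK },
    /* outer values: each one must be detected as a breach */
    { OWNER, 0,          0,        DS_BREACH_RANGE },
    { OWNER, 0,          SIZE + 1, DS_BREACH_RANGE },
    { OWNER, SIZE - 1,   2,        DS_BREACH_RANGE },
    { OWNER, SIZE,       1,        DS_BREACH_RANGE },
    { OWNER, UINT32_MAX, 2,        DS_BREACH_RANGE },  /* wraparound */
    { OTHER, 0,          1,        DS_BREACH_OWNER },
};

/* Runs every case against one check. Returns the number of cases whose
 * observed status differs from the expected one; *detected receives the
 * number of breaches the check reported. */
int ds_run_campaign(ds_check_fn check, uint32_t *detected)
{
    const ds_element_t elem = { OWNER, SIZE };
    int mismatches = 0;

    *detected = 0;
    for (unsigned i = 0; i < sizeof CASES / sizeof CASES[0]; i++) {
        const ds_case_t *c = &CASES[i];
        ds_status_t st = check(&elem, c->req, c->off, c->len);
        if (st != DS_OK)
            (*detected)++;
        if (st != c->expect)
            mismatches++;
    }
    return mismatches;
}

int main(void)
{
    uint32_t detected;
    int bad = ds_run_campaign(ds_check, &detected);
    printf("overflow-safe check: %d mismatches, %u breaches detected\n",
           bad, (unsigned)detected);
    bad = ds_run_campaign(ds_check_naive, &detected);
    printf("naive check:         %d mismatches, %u breaches detected\n",
           bad, (unsigned)detected);
    return 0;
}
```

The naive check passes every in-range and just-out-of-range case and fails only on the wraparound outer value, which is why the campaign includes values far outside the valid class as well as values adjacent to its boundaries.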

2.5.5. Verification of 2.1e)

If 2.1e) is implemented:

1 – Inspect the Installation Manual to verify that the configurable attributes of types of Data Storage element are well defined.

2 – Inspect the Installation Manual to verify that the authorized values of each configurable attribute are well defined as Usage Domain rules.

2.5.6. Verification of 2.2f)

1 – Inspect the Installation Manual to verify that the sizing (e.g. Bandwidth) and the distribution time (e.g. Latency) performances of each management mechanism including monitoring of each type of Data Storage element are well documented, including boundaries, Usage Domain Rules, and logical Interface rules.

2.5.7. Verification of 2.3g)

1 – Inspect the Failure Mode and Effect Analysis (FMEA) to verify that the fault containment mechanism is well identified.

2 – Initialize the IMA module in consistency with the Usage Domain contained in the Installation Manual.

3 – Verify that each fault containment mechanism is well implemented, avoiding fault propagation between Data Storage elements managed by the DS, and outside the DS, by observing the sanction associated to the fault and raised by monitoring.

2.5.8. Verification of 2.3h)

1 – Inspect the Failure Mode and Effect Analysis (FMEA) and Fault Tree Analysis (FTA) to verify that the required feared events are well quantified.

2.5.9. Verification of 2.4i)

1 – Inspect the Installation Manual to verify that the list of types of data storage element, their associated attributes, their configurability and their performances are well documented, including boundaries, Usage Domain Rules, logical interface associated to Data Storage element type.

2.5.10. Verification of 2.4j)

1 – Inspect the Installation Manual to verify that the constraints to be respected are specified for all types of data storage element, including their associated Usage Domain Rules and logical interface rules.

2.5.11. Verification of 2.4k)

1 – Inspect the Installation Manual to verify that the means needed to evaluate the Worst Case Access Time of each type of Data Storage element are available.

2 – Initialize the IMA module in consistency with the Usage Domain contained in the Installation Manual.

3 – Verify that the Worst Case Access Time of each type of Data Storage element can be evaluated thanks to the supplied means.

APPENDIX 2

INTEGRATED MODULAR AVIONIC MODULE

MINIMUM PERFORMANCE SPECIFICATION (MPS)

CLASS E: Interface (IF)

1. Purpose and scope

1.1. Introduction

This document contains CLASS E Minimum Performance Standards (MPS).

These standards specify characteristics that should be useful to designers, manufacturers, installers and users of the IMA module.

1.2. Overview

For ETSO-2C153 CLASS E, IMA module provides shared resources in terms of interfaces between IMA applications, modules and/or components.

The following definitions are used:

• Interface Unit: set of physical components (hardware and/or software) in charge of supplying and managing a shared information resource.

• Data Thread: well-defined set of data which is a primary form of information and for which a level of isolation would be guaranteed by IMA module.

Each data thread handled by Interface may be bidirectional or symmetrical, but not necessarily, between interconnected components, modules, and/or IMA applications.

1.3. Intended Function

Based on the definition of the CLASS E MPS, this section provides Minimum Performance Standards (MPS) for the intended function which is to provide the capability to share information supplied by one or several interface units.

This intended function is Information Sharing composed of

o information acquisition & control,

o information conversion and,

o information forwarding & control.

The information forwarding & control function is the means of sharing information between components, modules and/or infrastructures.

The following figure provides an overview of the previously mentioned intended function and associated interfaces:

[Figure 1 labels: Interface; Communication Node; Module 1; Module 2; Module 3; Conversion; Data Link; Data Thread; Component, Module, function or Infrastructure; Acquisition & control; Forwarding & control]

Figure 1: IMA module overview for ETSO-2C153 CLASS E

2. Requirements

For ETSO-2C153 CLASS E, IMA module provides shared resources for communication needs of IMA applications, modules and/or components.

2.1. Functional requirements

For ETSO-2C153 CLASS E:

a) The IMA module shall provide to IMA applications, modules and/or components the capacity to use shared Information Resource thanks to data threads handled through logical and/or physical interface(s).

b) The robust partitioning between data threads used by IMA applications, modules and/or components shall be ensured by the IMA module.

c) The IMA module shall provide the list of types of data thread for which the robust partitioning is guaranteed. The list of types of data thread and the associated attributes shall be provided in the installation manual.

d) Any breach in robust partitioning guaranteed by c) shall be detected by the IMA module.

e) Some attributes of each data thread guaranteed by c) may be configurable.

The interface(s) of the IMA module will conform to characteristics as described by a standard (ARINC600 or ARINC 664 for example).

[Figure 2 labels: INTERFACE UNIT (×3); INFORMATION RESOURCE; DATA THREAD (×4); Interface (×2)]

Figure 2: CLASS E Interfaces (IF) elements relationship

2.2. Performance requirements

f) The performances of each management mechanism including monitoring shall be characterized, bounded and documented in the Installation Manual.

2.3. Safety requirements

g) For ETSO-2C153 CLASS E, the IMA module shall implement a fault containment mechanism concerning interface unit(s) to prevent from fault propagation between data threads managed by the IMA module, and outside the IMA module.

h) Failure modes:

For at least following failure modes, failure rate shall be provided:

• Loss of the IMA module

• Erroneous Behavior of the IMA module

• Loss of the shared information resource

• Erroneous Behavior of the shared information resource

Monitoring coverage:

Monitoring Coverage rate (PBIT, CBIT…) shall be provided for all failure modes of the IMA Module (inc. Shared and unshared resources).

For shared information resource, monitoring Coverage rate (inc. Resource itself, sharing mechanisms and robust partitioning mechanisms) shall be provided.

Events such as bad sequencing, delay, corruption, impersonation will be taken into account during the safety analysis.

2.4. Required data (linked to §2.2)

i) The Applicant shall provide the list of types of data thread, the associated attributes, their configurability, and their sizing and distribution time performances.

j) As required in § 2.2, the Applicant shall provide in the installation manual all constraints (including limitations, Usage Domain and activities) to be respected by the users.

k) The Applicant shall provide any data needed to evaluate the Worst Case Distribution Time of each managed data thread.

2.5. Verification Procedures

The following table gives the verification method for each MPS:

| MPS Ref | MPS text | Verification method (A/I/D/T) | Verification Acceptance Criteria |
| --- | --- | --- | --- |
| 2.1 a) | The IMA module shall provide to IMA applications, modules and/or components the capacity to use shared Information Resource thanks to data threads handled through logical and/or physical interface(s). | I+T | 2.5.1 |
| 2.1 b) | The robust partitioning between data threads used by IMA applications, modules and/or components shall be ensured by the IMA module. | I+A+T | 2.5.2 |
| 2.1 c) | The IMA module shall provide the list of types of data thread for which the robust partitioning is guaranteed. The list of types of data thread and the associated attributes shall be provided in the installation manual. | I | 2.5.3 |
| 2.1 d) | Any breach in robust partitioning guaranteed by c) shall be detected by the | I+A+T | 2.5.4 |
| 2.1 e) | Some attributes of each data thread guaranteed by c) may be configurable. | I | 2.5.5 |
| 2.2 f) | The performances of each management mechanism including monitoring shall be characterized, bounded and documented in the Installation Manual. | I+A | 2.5.6 |
| 2.3 g) | For ETSO-2C153 CLASS E, the IMA module shall implement a fault containment mechanism concerning interface unit(s) to prevent from fault propagation between data threads managed by the IMA module, and outside the IMA module. | I+T | 2.5.7 |
| 2.3 h) | Failure modes: For at least following failure modes, failure rate shall be provided: Loss of the IMA module; Erroneous Behavior of the IMA module; Loss of the shared information resource; Erroneous Behavior of the shared information resource. Monitoring coverage: Monitoring Coverage rate (PBIT, CBIT…) shall be provided for all failure modes of the IMA Module (inc. Shared and unshared resources). For shared information resource, monitoring Coverage rate (inc. Resource itself, sharing mechanisms and robust partitioning mechanisms) shall be provided. Events such as bad sequencing, delay, corruption, impersonation will be taken into account during the safety analysis. | A | 2.5.8 |
| 2.4 i) | The Applicant shall provide the list of types of data thread, the associated attributes, their configurability, and their sizing and distribution time performances | I | 2.5.9 |
| 2.4 j) | As required in § 2.2, the Applicant shall provide in installation manual all constraints (including limitations, Usage Domain and activities) to be respected by the users. | I | 2.5.10 |
| 2.4 k) | The Applicant shall provide any data needed to evaluate Worst Case Distribution Time of managed data thread. | I | 2.5.11 |

Table 1 : Verification Acceptance Criteria

2.5.1. Verification of 2.1 a)

1 – Inspect the Installation Manual to determine the range number [Min - Max] of IMA applications, components and/or modules between which it is possible to share the information resource.

2 – Verify that the Min number is at least equal to two.

3 – Initialize the IMA module in consistency with the Usage Domain contained in the Installation Manual.

4 – Verify that, in valid equivalence classes and boundary values of [Min – Max], the IMA applications, components and/or modules correctly access the shared information resource.

5 – Verify that Interfaces are well implemented according to its (their) specification(s) given in the Installation Manual.

2.5.2. Verification of 2.1 b)

1 – Inspect the Partitioning Analysis of the IMA module and verify that all the information unauthorized interferences between data threads used by IMA applications, components and/or modules are well identified and mitigated by either a design mechanism or a Usage Domain rule.

2 – Inspect the Installation Manual to determine the range number [Min - Max] of IMA applications, components and/or modules between which it is possible to share the information resource.

3 – Initialize the IMA module in consistency with the Usage Domain contained in the Installation Manual.

4 – Verify that, in valid equivalence classes and boundary values of [Min – Max], for each unauthorized interference, a robust partitioning mechanism is well implemented.

2.5.3. Verification of 2.1 c)

1 – Inspect the Installation Manual to verify that the list of types of data thread for which the robust partitioning is guaranteed is well defined.

2 – Inspect the Installation Manual to verify that the attributes of each type of data thread are well defined. Attributes are:

• Usage domain rules associated to data thread type.

• Programming interface associated to data thread type.

2.5.4. Verification of 2.1 d)

1 – After Verification of 2.1.2c)

2 – For each type of data thread, initialize the attributes of data thread in consistency with the Usage Domain contained in the Installation Manual.

3 – Verify, with an outer value of valid equivalence classes and boundary values of data thread attributes, that the associated robust partitioning breach detection is well implemented.

2.5.5. Verification of 2.1 e)

If 2.1e) is implemented:

1 – Inspect the Installation Manual to verify that the configurable attributes of types of data thread are well defined.

2 – Inspect the Installation Manual to verify that the authorized values of each configurable attribute are well defined as Usage Domain rules.

2.5.6. Verification of 2.2f)

1 – Inspect the Installation Manual to verify that the sizing (e.g. Bandwidth) and the distribution time (e.g. Latency) performances of each management mechanism including monitoring of each type of data thread are well documented, including boundaries, Usage Domain Rules, and logical Interface rules.

2.5.7. Verification of 2.3g)

1 – Inspect the Failure Mode and Effect Analysis (FMEA) to verify that the fault containment mechanism is well identified.

2 – Initialize the IMA module in consistency with the Usage Domain contained in the Installation Manual.

3 – Verify that each fault containment mechanism is well implemented, avoiding fault propagation between data threads managed by the IMA Module, and outside the IMA Module, by observing the sanction associated to the fault and raised by monitoring.

2.5.8. Verification of 2.3 h)

1 – Inspect the Failure Mode and Effect Analysis (FMEA) and Fault Tree Analysis (FTA) to verify that the required feared events are well quantified.

2.5.9. Verification of 2.4 i)

1 – Inspect the Installation Manual to verify that the list of types of data thread, their associated attributes, their configurability and their performances are well documented, including boundaries, Usage Domain Rules, logical interface rules.

2.5.10. Verification of 2.4 j)

1 – Inspect the Installation Manual to verify that the constraints to be respected are specified for all types of data thread, including their associated Usage Domain Rules and logical interface rules.

2.5.11. Verification of 2.4 k)

1 – Inspect the Installation Manual to verify that the means needed to evaluate the Worst Case Distribution Time of each type of data thread are available.

2 – Initialize the IMA module in consistency with the Usage Domain contained in the Installation Manual.

3 – Verify that the Worst Case Distribution Time of each type of data thread can be correctly evaluated thanks to the supplied means.

APPENDIX 2

INTEGRATED MODULAR AVIONIC PLATFORM MODULE

MINIMUM PERFORMANCE SPECIFICATION (MPS)

TYPE F: Power Supply (PS)

1. Purpose and scope

1.1 Introduction

This document contains CLASS F Minimum Performance Standards (MPS).

These standards specify module characteristics that should be useful to designers, manufacturers, installers and users of the module.

1.2 Overview

For ETSO-2C153 CLASS F, IMA module is a module mounted into a rack which is able to supply power received from aircraft electrical network to one or more IMA hardware modules mounted in the same rack.

The following definitions are used:

• Power supply unit: set of physical components (hardware and/or software) in charge of managing a power supply (or a part of the power supply) resource.

• Power supply resource: electrical energy obtained from the aircraft electrical network to be distributed to electrical loads, which are IMA modules mounted into the rack.

• Power flow: part of supplied power supply for which a level of isolation would be guaranteed by the IMA module.

• Mounted: said of a hardware IMA module fixed inside the Rack Module after a human operation in the aircraft.

• Slot: the physical envelope dedicated to one mounted hardware IMA module inside the Rack Module.

1.3 Intended function

Based on the definition of the CLASS F MPS, this section provides Minimum Performance Standards (MPS) for the intended function which is to provide the capability to share Power Supply resource supplied by one or more Power Supply unit(s).

The following figure provides an overview of the previously mentioned intended function and interfaces:

[Figure 1 labels: A/C Electrical Power Supply; Interfaces; IMA module – Class F; Power Supply unit (×3); Power Flow; Interfaces; IMA module (×4); Rack]

Figure 1: IMA module overview for ETSO-2C153 CLASS F

2. Requirements

For ETSO-2C153 CLASS F, IMA module, mounted into a rack, provides shared power supply to hardware IMA modules mounted into the same rack.

2.1 Functional requirements

For ETSO-2C153 CLASS F:

a) Mounted into a rack, the IMA module shall provide to IMA hardware modules, which are mounted into the same rack, the capacity to share power supply resource thanks to power flows accessible through physical interface(s).

b) The robust partitioning between power flows used by IMA hardware modules shall be ensured by the IMA module.

c) The IMA module shall provide the list of types of power flow for which the robust partitioning is guaranteed. The list of types of power flow and the associated attributes shall be provided in the installation manual.

d) Any breach in robust partitioning guaranteed by c) shall be detected by the IMA module.

e) Some attributes of each power flow guaranteed by c) may be configurable.

The interface(s) of the IMA module will conform to characteristics as described by a standard (ARINC600 for example).

[Figure 2 labels: POWER SUPPLY UNIT (×3); POWER SUPPLY RESOURCE; POWER FLOW (×5); Input interface; Output interface; A/C Electrical Power Supply; Power threads]

Figure 2: CLASS F (PS) elements relationship

2.2 Performance requirements

f) The performances of each management mechanism including monitoring shall be characterized, bounded and documented in the Installation Manual.

2.3 Safety requirements

g) For ETSO-2C153 CLASS F, IMA module shall implement a fault containment mechanism concerning powering unit(s) to prevent from fault propagation between power flows managed by the IMA module, and outside the IMA module.

h) Failure modes:

For at least following failure modes, failure rate shall be provided:

• Loss of the IMA module

• Erroneous Behavior of the IMA module

• Loss of the shared power supply resource

• Erroneous Behavior of the shared power supply resource

Monitoring coverage:

Monitoring Coverage rate (PBIT, CBIT…) shall be provided for all failure modes of the IMA module (inc. Shared and unshared resources).

For shared information resource, monitoring Coverage rate (inc. Resource itself, sharing mechanisms and robust partitioning mechanisms) shall be provided.

Events such as too low voltage or current, too high voltage or current, corruption, impersonation will be taken into account during the safety analysis.

2.4 Required data

As required in § 2.2, the Applicant shall provide all constraints (including limitations) to be respected by the users through its documentation. In addition to the common required data, the following information has to be provided:

i) The Applicant shall provide the list of types of power flow, their associated attributes, their configurability and their performances.

j) As required in § 2.2, the Applicant shall provide in the installation manual all constraints (including limitations, Usage Domain and activities) to be respected by the users.

k) The Applicant shall provide any data needed to evaluate power profile characteristics (e.g. Maximum Value, In Rush current) of managed power flows.

2.5 Verification methods

The following table gives the verification method for each MPS:

| MPS Ref | MPS text | Verification method (A/I/D/T) | Verification Acceptance Criteria |
| --- | --- | --- | --- |
| 2.1 a) | Mounted into a rack, the IMA module shall provide to IMA hardware modules, which are mounted into the same rack, the capacity to share power supply resource thanks to power flows accessible through physical interface(s). | I+T | 2.5.1 |
| 2.1 b) | The robust partitioning between power flows used by IMA hardware modules shall be ensured by the IMA module. | I+A+T | 2.5.2 |
| 2.1 c) | The IMA module shall provide the list of type of power flow for which the robust partitioning is guaranteed. The list of types of power flow and the associated attributes shall be provided in the installation manual. | I | 2.5.3 |
| 2.1 d) | Any breach in robust partitioning guaranteed by c) shall be detected by the | I+A+T | 2.5.4 |
| 2.1 e) | Some attributes of each power flow guaranteed by c) may be configurable. | I | 2.5.5 |
| 2.2 f) | The performances of each management mechanism including monitoring shall be characterized, bounded and documented in the Installation Manual. | I+A | 2.5.6 |
| 2.3 g) | For ETSO-2C153 CLASS F, IMA module shall implement a fault containment mechanism concerning powering unit(s) to prevent from fault propagation between power flows managed by the IMA module, and outside the IMA module. | I+T | 2.5.7 |
| 2.3 h) | Failure modes: For at least following failure modes, failure rate shall be provided: Loss of the IMA module; Erroneous Behavior of the IMA module; Loss of the shared power supply resource; Erroneous Behavior of the shared power supply resource. Monitoring coverage: Monitoring Coverage rate (PBIT, CBIT…) shall be provided for all failure modes of the IMA module (inc. Shared and unshared resources). For shared information resource, monitoring Coverage rate (inc. Resource itself, sharing mechanisms and robust partitioning mechanisms) shall be provided. Events such as too low voltage or current, too high voltage or current, corruption, impersonation will be taken into account during the safety analysis. | A | 2.5.8 |
| 2.4 i) | The Applicant shall provide the list of types of power flow, their associated attributes, their configurability and their performances | I | 2.5.9 |
| 2.4 j) | As required in § 2.2, the Applicant shall provide in installation manual all constraints (including limitations, Usage Domain and activities) to be respected by the users. | I | 2.5.10 |
| 2.4 k) | The Applicant shall provide any data needed to evaluate power profile characteristics (e.g. Maximum Value, In Rush current) of managed power flows. | I | 2.5.11 |

Table 1 : Verification Acceptance Criteria

2.5.1 Verification of 2.1 a)

1 – Inspect the Installation Manual to determine the range number [Min - Max] of

hardware IMA modules between which it is possible to share the power supply resource.

2 – Verify that the Min number is at least equal to two.

3 – Initialize the IMA module in consistency with Usage Domain contained into the

Installation Manual.

4 – Verify that in valid equivalence classes and boundary values of [Min – Max], the

hardware IMA modules access correctly to share power supply resource.

5 – Verify that Interfaces are well implemented according to its (their) specification(s)

given into the Installation Manual.

Page 72: ETSO 2C153 Date: draft v2.0 - 31/07/2013 - GAMA

2.5.2 Verification of 2.1 b)

1 – Inspect the Partitioning Analysis of the IMA module and verify that all the information

unauthorized interferences between power flows used by IMA hardware modules are well

identified and mitigated by either a design mechanism either a Usage Domain rule.

2 – Inspect the Installation Manual to determine the range number [Min - Max] of IMA

hardware modules between which it is possible to share the power supply resource.

3 – Initialize the IMA module in consistency with Usage Domain contained into the

Installation Manual.

4 – Verify that in valid equivalence classes and boundary values of [Min – Max], for each

unauthorized interference, a robust partitioning mechanism is well implemented.

2.5.3 Verification of 2.1 c)

1 – Inspect the Installation Manual to verify that the list of types of power flow for which

the robust partitioning is guaranteed is well defined.

2 - Inspect the Installation Manual to verify that the attributes of each type of power flow

are well defined. Attributes are:

• Usage domain rules associated to power flow type.

• Interface associated to power flow type.

2.5.4 Verification of 2.1 d)

1 – After Verification of 2.1.2c)

2 – For each type of power flow, initialize the attributes of power flow in consistency with

Usage Domain contained into the Installation Manual.

3 – Verify with an outer value of valid equivalence classes and boundary values of power

flow attributes, that the associated robust partitioning breach detection is well

implemented.

2.5.5 Verification of 2.1 e)

If 2.1e) is implemented:

1 – Inspect the Installation Manual to verify that the configurable attributes of types of

power flow are well defined.

2 – Inspect the Installation Manual to verify that the authorized values of each

configurable attributes are well defined as Usage Domain rules.

2.5.6 Verification of 2.2 f)

1 - Inspect the Installation Manual to verify that the performances of each management

mechanism including monitoring of each type of power flows are well documented,

including boundaries, Usage Domain Rules, and logical Interface rules.

2.5.7 Verification of 2.3 g)

1 - Inspect the Failure Mode and Effect Analysis (FMEA) to verify that fault containment

mechanism is well identified

2 – Initialize the IMA module in consistency with Usage Domain contained into the

Installation Manual

3 – Verify that each fault containment mechanism is well implemented avoiding fault

propagation between power flows managed by the IMA module, and outside the IMA

module, by observing the sanction associated to fault and raised by monitoring.

Page 73: ETSO 2C153 Date: draft v2.0 - 31/07/2013 - GAMA

2.5.8 Verification of 2.3 h)

1 - Inspect the Failure Mode and Effect Analysis (FMEA) and Fault Tree Analysis [FTA] to

verify that required feared event are well quantified.

2.5.9 Verification of 2.4 i)

1 – Inspect the Installation Manual to verify that the list of types of power flow, their

associated attributes, their configurability and their performances are well documented,

including boundaries, Usage Domain Rules, logical interface rules.

2.5.10 Verification of 2.4 j)

1 – Inspect the Installation Manual to verify that the constraints to be respected are

specified for all types of power flow, including their associated Usage Domain Rules and

logical interface rules.

2.5.11 Verification of 2.4 k)

1 – Inspect the Installation Manual to verify that means needed to evaluate profile

characteristics of each type of power supply are available.

2 - Initialize the IMA module in consistency with Usage Domain contained into the

Installation Manual.

3 – Verify that the profile characteristics of each type of power flows can be correctly

evaluated thanks to supplied means.

APPENDIX 2

INTEGRATED MODULAR AVIONIC PLATFORM MODULE

MINIMUM PERFORMANCE SPECIFICATION (MPS)

CLASS G: Display Head (DH)

1. Purpose and scope

1.1 Introduction

This document contains CLASS G Minimum Performance Standards (MPS).

These standards specify characteristics that should be useful to designers, manufacturers,

installers and users of the module.

1.2 Overview

For ETSO-2C153 CLASS G, IMA module provides shared resources in terms of display area

between IMA Applications, components and/or modules.

The following definitions are used:

• Display Unit: set of physical components (hardware and/or software) in charge of managing a display area (or a part of a display area).

• Display Area: surface where some visual information can be depicted by one or several Display Unit(s) based on received Graphical Threads.

• Graphical Thread: set of graphical information received as input by the DH from one or more IMA Application(s), component(s) and/or module(s).

• Display Thread: set of depiction information for which a level of isolation would be guaranteed on the Display Area by the DH.

1.3 Intended function

Based on the definition of the CLASS G MPS, this section provides Minimum Performance

Standards (MPS) for the intended function which is to provide the capability to share one

display area supplied by one or several display unit(s).

The following figure provides an overview of the previously mentioned intended function and

associated interfaces:

[Figure omitted. Labels: Graphical threads; Interfaces; Display Head Module; Display Unit (four instances); Display Thread #1; Display Thread #2; Display Area]

Figure 1: IMA module overview for ETSO-2C153 CLASS G

2. Requirements

2.1 Display area resource sharing

2.1.1. Description

For ETSO-2C153 CLASS G, IMA module provides shared resources for display area needs of

IMA applications, modules and/or components.

2.1.2. Functional requirements

For ETSO-2C153 CLASS G:

a) The IMA module shall provide to IMA Applications, modules and/or components the

capacity to use shared Display Area resource through a logical or physical interface.

b) The robust partitioning between threads from IMA Applications, modules and/or

components using the shared Display Area resource shall be ensured by the IMA Module.

c) The IMA Module shall provide the list of types of graphical and display threads for which the robust partitioning is guaranteed. The list of types of these threads and the

associated attributes shall be provided in the installation manual.

d) Any breach in robust partitioning guaranteed by c) shall be detected by the IMA Module.

e) Some attributes of each thread guaranteed by c) may be configurable.

f) In addition, the IMA module shall be compliant (fully or partially) to MPS from ETSO C-113a.

The interface(s) of the IMA Module will conform to characteristics as described by a

standard.

[Figure omitted. Labels: Display Unit (three instances); Display Area; Display Thread (two instances); Graphical Thread (two instances); Input interfaces]

Figure 2: CLASS G Display Head (DH) elements relationship

2.1.3. Performance requirements

g) The performances of each management mechanism including monitoring shall be

characterized, bounded and documented in the installation manual.

2.1.4. Safety requirements

h) For ETSO-2C153 CLASS G, the IMA module shall implement a fault containment mechanism concerning Display unit(s) to prevent fault propagation between threads managed by the IMA module, and outside the IMA module.

i) Failure modes:

For at least the following failure modes, failure rate shall be provided:

• Loss of the IMA module

• Erroneous Behavior of the IMA module

• Loss of the shared Display Area Resource

• Erroneous Behavior of the shared Display Area resource

Monitoring coverage:

Monitoring Coverage rate (PBIT, CBIT…) shall be provided for all failure modes of the

IMA Module (inc. Shared and unshared resources).

For shared Display Area Resource, monitoring Coverage rate (inc. Resource itself,

sharing mechanisms and robust partitioning mechanisms) shall be provided.

Events such as delay, corruption, impersonation, loss, frozen information will be taken

into account during the safety analysis.

2.1.5. Required data (linked to §2.2)

j) The Applicant shall provide the list of type of threads, the associated attributes, their

configurability, their sizing and display processing time performances.

k) As required in § 2.2, the Applicant shall provide in installation manual all constraints

(including limitations, Usage Domain and activities) to be respected by the users.

l) The applicant shall provide any data needed to evaluate Worst Case Display Elaboration

Time of managed threads.

m) The additional activities to be performed by the users related to ETSO C113a compliance

demonstration completeness shall be defined in the installation manual.

2.1.6. Verification procedures

Following table gives verification method for each MPS:

| MPS Ref | MPS text | Verification method (A/I/D/T) | Verification Acceptance Criteria |
| --- | --- | --- | --- |
| 2.1.2 a) | The IMA module shall provide to IMA Applications, modules and/or components the capacity to use shared Display Area resource through a logical or physical interface. | I+T | 2.1.6.1 |
| 2.1.2 b) | The robust partitioning between threads from IMA Applications, modules and/or components using the shared Display Area resource shall be ensured by the IMA Module. | I+A+T | 2.1.6.2 |
| 2.1.2 c) | The IMA Module shall provide the list of types of graphical and display threads for which the robust partitioning is guaranteed. The list of types of these threads and the associated attributes shall be provided in the installation manual. | I | 2.1.6.3 |
| 2.1.2 d) | Any breach in robust partitioning guaranteed by c) shall be detected by the IMA Module. | I+A+T | 2.1.6.4 |
| 2.1.2 e) | Some attributes of each thread guaranteed by c) may be configurable. | I | 2.1.6.5 |
| 2.1.2 f) | In addition, the IMA module shall be compliant (fully or partially) to MPS from ETSO C-113a. | I | 2.1.6.6 |
| 2.1.3 g) | The performances of each management mechanism including monitoring shall be characterized, bounded and documented in the installation manual. | I+A | 2.1.6.7 |
| 2.1.4 h) | For ETSO-2C153 CLASS G, the IMA module shall implement a fault containment mechanism concerning Display unit(s) to prevent fault propagation between threads managed by the IMA module, and outside the IMA module. | I+T | 2.1.6.8 |
| 2.1.4 i) | Failure modes: for at least the following failure modes, failure rate shall be provided: Loss of the IMA module; Erroneous Behavior of the IMA module; Loss of the shared Display Area Resource; Erroneous Behavior of the shared Display Area resource. Monitoring coverage: Monitoring Coverage rate (PBIT, CBIT…) shall be provided for all failure modes of the IMA Module (inc. Shared and unshared resources). For shared Display Area Resource, monitoring Coverage rate (inc. Resource itself, sharing mechanisms and robust partitioning mechanisms) shall be provided. | I | 2.1.6.9 |
| 2.1.5 j) | The Applicant shall provide the list of type of threads, the associated attributes, their configurability, their sizing and display processing time performances. | I | 2.1.6.10 |
| 2.1.5 k) | As required in § 2.2, the Applicant shall provide in installation manual all constraints (including limitations, Usage Domain and activities) to be respected by the users. | I | 2.1.6.11 |
| 2.1.5 l) | The applicant shall provide any data needed to evaluate Worst Case Display Elaboration Time of managed threads. | I+A | 2.1.6.12 |
| 2.1.5 m) | The additional activities to be performed by the users related to ETSO C113a compliance demonstration completeness shall be defined in the installation manual. | I | 2.1.6.13 |

Table 1: Verification Acceptance Criteria

2.1.6.1. Verification of 2.1.2 a)

1 – Inspect the Installation Manual to determine the range number [Min - Max] of IMA applications, components and/or modules between which it is possible to share the Display Area resource.

2 – Verify that the Min number is at least equal to two.

3 – Initialize the IMA module in consistency with the Usage Domain contained in the Installation Manual.

4 – Verify that, in valid equivalence classes and boundary values of [Min – Max], the IMA applications, components and/or modules correctly access the shared Display Area resource.

5 – Verify that Interfaces are well implemented according to their specifications given in the Installation Manual.

2.1.6.2. Verification of 2.1.2 b)

1 – Inspect the Partitioning Analysis of the IMA module and verify that all the unauthorized interferences between threads from IMA applications, components and/or modules are well identified and mitigated by either a design mechanism or a Usage Domain rule.

2 – Inspect the Installation Manual to determine the range number [Min - Max] of IMA applications, components and/or modules between which it is possible to share the Display Area resource.

3 – Initialize the IMA module in consistency with the Usage Domain contained in the Installation Manual.

4 – Verify that, in valid equivalence classes and boundary values of [Min – Max], for each unauthorized interference, a robust partitioning mechanism is well implemented.

2.1.6.3. Verification of 2.1.2 c)

1 – Inspect the Installation Manual to verify that the list of types of thread for which the robust partitioning is guaranteed is well defined.

2 - Inspect the Installation Manual to verify that the attributes of each type of thread are well defined. Attributes are:

• Usage domain rules associated to thread type.

• Programming interface and/or physical interface associated to thread type.

2.1.6.4. Verification of 2.1.2 d)

1 – After Verification of

2 – For each type of thread, initialize (and potentially configure) the attributes of thread in consistency with the Usage Domain contained in the Installation Manual.

3 – Verify, with an outer value of valid equivalence classes and boundary values of thread attributes, that the associated robust partitioning breach detection is well implemented.

2.1.6.5. Verification of 2.1.2 e)

If [Error! Reference source not found.] is implemented:

1 – Inspect the Installation Manual to verify that the configurable attributes of types of

thread are well defined.

2 – Inspect the Installation Manual to verify that the authorized values of each

configurable attribute are well defined as Usage Domain rules.

2.1.6.6. Verification of 2.1.2 f)

The verification activities related to ETSO C113a MPS implementation are defined in the

scope of the ETSO C113a compliance demonstration.

1 - Verify that the ETSO C113a compliance demonstration (fully or partially) is provided.

2.1.6.7. Verification of 2.1.3 g)

1 - Inspect the Installation Manual to verify that the sizing (e.g. Bandwidth) and the

distribution time (e.g. Latency) performances of each management mechanism including

monitoring of each type of thread are well documented, including boundaries, Usage

Domain Rules, and logical Interface rules.

2.1.6.8. Verification of 2.1.4 h)

1 - Inspect the Failure Mode and Effect Analysis (FMEA) to verify that the Fault Containment mechanism is well identified.

2 – Initialize the IMA module in consistency with the Usage Domain contained in the Installation Manual.

3 - Verify that each fault containment mechanism is well implemented, avoiding fault propagation between threads managed by the DH, and outside the DH, by observing the sanction associated with the fault and raised by monitoring.

2.1.6.9. Verification of 2.1.4 i)

1 - Inspect the Failure Mode and Effect Analysis (FMEA) and Fault Tree Analysis (FTA) to verify that the required feared events are well quantified.

2.1.6.10. Verification of 2.1.5 j)

1 – Inspect the Installation Manual to verify that the list of types of thread, their

associated attributes, their configurability and their performances are well documented,

including boundaries, Usage Domain Rules, interface rules.

2.1.6.11. Verification of 2.1.5 k)

1 – Inspect the Installation Manual to verify that the constraint to be respected is

specified for all types of thread, including their associated Usage Domain Rules and

interface rules.

2.1.6.12. Verification of 2.1.5 l)

1 – Inspect the Installation Manual to verify that means needed to evaluate Worst Case

Display Elaboration Time of display thread(s) are available.

2 - Initialize the IMA module in consistency with Usage Domain contained into the

Installation Manual.

3 – Verify that the Worst Case Display Elaboration Time of each type of threads can be

evaluated thanks to supplied means.

2.1.6.13. Verification of 2.1.5 m)

1 - Inspect the Installation Manual to verify that the additional activities to be performed

by the users related to ETSO C113a compliance demonstration completeness are well

documented.

APPENDIX 3

INTEGRATED MODULAR AVIONIC MODULE

DATA REQUIREMENTS

In addition to the data required by CS-ETSO sub-part A (DO254, DO178, DO160, MPS data, DAL, Limitations, Open Problem Reports…), the following information must be provided by the IMA module manufacturer:

• Chapter 1 - IMA module characteristics

• Chapter 2 - IMA module core software

• Chapter 3 - IMA module health management and reporting

• Chapter 4 - IMA module usage domain

• Chapter 5 - IMA module configuration

• Chapter 6 - IMA module tools

• Chapter 7 - IMA module compatibility & mixability information

Chapter 1: IMA module Characteristics

IMA module is composed of hardware and/or software components constituting one or several

unit(s) performing the intended function(s) specified into MPS class(es). This (these) units

permit(s) the IMA module to perform at least one of the ETSO-2C153 intended functions

specified into the MPS classes (Appendix 2).

[Figure omitted. Labels: IMA Module Part Number xxx[xx]; unit; Component; Module Characteristics; DESIGN; Installation Manual; MPS Class(es); ETSO 2C153 Intended Function; CS-ETSO Sub-part A requirements]

Figure 4 IMA module characteristics

The Installation Manual must address the appropriate IMA module characteristics, when relevant, specified in the table below.

Module Characteristic Category | Characteristics to be documented by ETSO applicant in Installation Manual for each IMA module

General Information

• Power Dissipation.

• Thermal characteristics

Cooling characteristics (to be detailed - TBC)

• Size and Weight.

• Input and Output (I/O) Connectors.

• Mating Connectors.

• Top-level drawings and Mechanical Interfaces

• Mounting Mechanism and scheme

• Clearance characteristics

• Air Flow characteristics

• Inter-Element Interfaces.

• Inter-Element Connections.

• Grounding and Shielding Provisions.

• Separation and/or Isolation Provisions.

• Module Installation and Extraction Means.

• Power Supply Interface of the Module : see Power Supply unit

Interfaces Unit Characteristics

Analog Input Specifications For Each Analog Input

• Range.

• Accuracy.

• Resolution.

• Null and Offset.

• Filtering.

• Input Impedance.

• Analog-to-Digital Conversion Speed.

• Digital-to-Analog Conversion Speed.

• Steady State Voltage Rating.

• Transient Voltage Rating.

• Circuit Protection Techniques.

• Multiplexing.

Analog Output Specifications For Each Analog Output

• Range.

• Accuracy.

• Null.

• Linearity.

• Current Capacity.

• Output Impedance.

• Analog/Digital Conversion Speed.

• Steady State Voltage Rating.

• Transient Voltage Rating.

• Circuit Protection Techniques.

• Multiplexing.

Discrete Input Specifications For Each Discrete Input

• Trip Point.

• Hysteresis.

• Filtering.

• Input Impedance.

• Logic Sense.

• Maximum Logic-High Level.

• Maximum Logic-Low Level.

• Minimum Logic-High Level.

• Minimum Logic-Low Level.

• Steady State Voltage Rating.

• Transient Voltage Rating.

• Circuit Protection Techniques.

• Multiplexing.

Discrete Output Specifications For Each Discrete Output

• Voltage Levels.

• Current Source Capacity.

• Current Sink Capacity.

• Output Impedance.

• Circuit Protection Techniques.

• Multiplexing.

Digital Communications For Each Input and Output

• Data Rates.

• Integrity Checks.

• Signal Levels.

• Current Sink and Source.

• Input Impedance.

• Output Impedance.

• Signal Rise and Fall Times.

• Filtering.

• Stub Length Limits.

• Input and Output Capacitance.

• Isolation.

• Maximum Bit Error Rates.

• Circuit Protection Techniques.

• Resets.

• Monitors.

• Multiplexing.

Processing and Memory Unit characteristics (inc. Graphical Unit)

• Software Services Included (Core Software): Dataloading, Health Monitoring, Operating System

• User Software/Software Interface Mechanisms and Protocol(s).

• User Software/Hardware Interface Mechanisms and Protocol(s).

• Integration Requirements.

• Limitations of Software.

• Processing Unit (CPU, GPU...) Bus(es) and Core Clock Frequencies.

• Memory Size(s) and Type(s).

• Interrupts.

• Reset Structure.

• Memory Management, such as cache and MMU.

• Monitors.

• Backplane Interface. (if any)

• CPU, GPU Type.

• CPU, GPU Throughput.

• Timing Specifications.

Display Unit characteristics (rendering)

• refer to AS8034

Power Supply Unit

• Regulation.

• Input Voltage & Current.

• Maximum Start-up (In-rush) Current Rating.

• Output Current Capacity.

• Hold-up Capacity.

• Restart.

• Transient Immunity.

• Voltage Outputs & Tolerances.

• Power Monitors & Status Outputs.

• Short Circuit Management.

• Power Resets and Recovery.

• Circuit Protection Techniques.

Chapter 2 - Core software

As defined in Appendix 1, the IMA module may be an association of hardware and a Core Software.

• Hardware may (or may not) contain resident (not field loadable) software to enable

electronic part marking and/or future loading of Field Loadable Software parts.

• Core Software may be resident or a Field Loadable Software Part.

The Core Software is the operating system and support software that manage resources to

provide an environment in which the intended function is performed. Core software is typically

comprised of one or more component(s).

If IMA module contains a Core Software, following Core Software characteristics must be

documented into the IMA module installation manual:

• Identification of the Core Software component(s).

• Part of IMA module functionality, performance and safety requirements supported by

the Core Software.

• Interfaces and associated Data Coupling / Control Coupling information

• Integration and Loading Procedure(s).

[Figure omitted. Labels: IMA Module Part Number xxx[xx]; unit; Component; Core Software Characteristics; DESIGN; Installation Manual; MPS Class(es); ETSO 2C153 Intended Function; Core Software; CS-ETSO Sub-part A requirements]

Figure 5 IMA module Core Software

Chapter 3 - IMA module health management and reporting

The Health Management and reporting (HM) function is responsible for detecting, isolating,

containing and reporting failures. This function should detect faults in the shared resources and

other resources that could adversely affect applications using the module resources or that

could adversely affect the resources themselves.

The Health Management and reporting (HM) function helps to isolate faults and prevents failures

from propagating. It should address both operational and maintenance concerns.

[Figure omitted. Labels: IMA Module Part Number xxx[xx]; unit; Component; Health monitoring Characteristics and faults attributes; DESIGN; Installation Manual; MPS Class(es); ETSO 2C153 Intended Function; Health monitoring; User; IMA application development; IMA system installation]

Figure 6 IMA module Health Monitoring

Each IMA module shall provide health management and reporting capability.

The health management and reporting function shall detect, contain and report faults of the

shared resources and other resources that could adversely affect applications using the module

resources or that could adversely affect the resources themselves.

Monitoring Coverage rate shall be defined for all failure modes of the Module (inc. Shared and

unshared resources)

The response to a user level fault may be configurable. Intended recovery of identified faults could be ignoring the fault, reinitializing, restarting or calling a user specified routine to take user-specified actions.

The thresholds used to raise a fault may be configurable.

The logical interface provided to hosted application will conform to characteristics as described

by a standard (ARINC653 for example).

The fault management strategy should address the potential for SEU and provide appropriate

recovery capabilities.

Following HM Characteristics must be documented into the IMA module installation manual:

• Interface rules, constraints (including limitations) to be respected by the users,

• The list of HM monitoring,

• The list of monitored components, monitored services, monitored interfaces,

• The response to each type of fault,

• The fault reporting attributes.

Reporting refers to internal logging, indication to applications using the shared

resources, indication outside of the module.

• The configuration attributes if any.

Chapter 4 - IMA module usage domain

ETSO-2C153 authorization relies on the concept of Usage Domain (as per ED-124 and Appendix

1 - chapter 2 definitions).

The usage domain of an IMA module is defined as an exhaustive list of conditions to be

respected by the user(s) and for which it has been demonstrated that the following properties

are true:

• The module is compliant to its functional, performance, safety and environmental

requirements specified into at least one MPS class.

• The module characteristics documented into Installation Manual (as required by

Appendix 3 – Chapter 1) are guaranteed by manufacturer.

• The module is compliant to the applicable airworthiness requirements (inc. continued

airworthiness aspects)

[Figure omitted. Labels: IMA Module Part Number xxx[xx]; unit; Component; DESIGN; Installation Manual; MPS Class(es); ETSO 2C153 Intended Function; Usage Domain; User; INSTALLATION]

Figure 7 IMA module usage domain

The usage domain will be defined at IMA module level and used at Application (ED-124 Task 2)

and IMA system (ED-124 Task 3 & 4) level.

The definition of the usage domain should include consideration of the module functionality,

performance and safety requirements and its required environmental performance …

However, at the time the IMA module certification program is issued, the usage domain may not

be fully defined. Nevertheless, in any case, the methodology for capturing it will be described.

The IMA module manufactured to comply with this ETSO may be used to support other ETSOs or

systems approved under Certification Specifications (CS) 21, CS23, 25, 27, 29, 33 or 35. These

ETSO authorizations, IMA system approvals and aircraft-level approvals are not covered by this

ETSO but will rely on the fact that compliance to Usage Domain documented into Installation

Manual would be well implemented.

Chapter 5 - IMA module configuration data

IMA module may need to be configured before installation in the IMA system (ED-124 Task 2, 3

and 4).

If the IMA module is configurable, ETSO-2C153 authorization will be given to an IMA module

with a configuration capability. In that case, the installation manual must describe:

• The authorized configuration parameters (inc. combined parameters) in the usage

domain.

• The configuration activities to be conducted (inc. configuration procedures, means and

tools) by the user during application development (ED-124 – Task 2) and IMA system

(ED-124 – Task 3 and 4) integration.

[Figure omitted. Labels: IMA Module Part Number xxx[xx]; unit; Component; DESIGN; Installation Manual; MPS Class(es); ETSO 2C153 Intended Function; User; INSTALLATION; Configuration]

Figure 8 IMA module configuration

Chapter 6 - IMA module tools

IMA module may need to use some tools during installation in the IMA system (ED-124 Task 2,

3 and 4).

In that case, the installation manual must describe:

• the list of tools,

• the user’s guide of tools and

• the activities to be conducted related to those tools during application development (ED-124 – Task 2) and IMA system (ED-124 – Task 3 and 4) integration.

• The associated qualification credits that could be granted to the user of the tools.

If these tools are qualified, qualification data are considered as data to be submitted to EASA in the frame of ETSO-2C153 authorization.

[Figure omitted. Labels: IMA Module Part Number xxx[xx]; unit; Component; DESIGN; Installation Manual; MPS Class(es); ETSO 2C153 Intended Function; INSTALLATION; Tools Characteristics; Tools; Tool qualification data; EASA]

Figure 9 IMA module tools

Chapter 7 - IMA module compatibility and mixability information

The IMA module manufacturer must provide compatibility & mixability information between

hardware, software, tools and usage domain in the installation manual.

The information should give details of:

• How the authorized mixed combinations are verified.

• The compatibility assessment process with authorized mixed combinations of

interfacing module (external mixability).

• Any preventative measures (design or procedures) to be developed by the user to

prevent incorrect module combinations or software loads.

• Information to be provided to maintenance personnel.

APPENDIX 4

INTEGRATED MODULAR AVIONIC MODULE

ENVIRONMENTAL QUALIFICATION REQUIREMENTS

CS-ETSO sub-part A § 2.3 requires compliance to complete DO160 Environmental Conditions

and Test Procedures.

For ETSO-2C153, some particularities have to be addressed:

• Test Software representativeness

• Applicable Test Procedures

Chapter 1: Test Software representativeness

If the IMA module is qualified without the functional software installed and operating, engineering analysis from the manufacturer must determine that the “test” software (not the target functional software) is representative of the usage domain stress envelope for the environmental tests (i.e. dissipated temperature, power consumption, radiated field radiation, etc.).

Chapter 2: Applicable Test Procedures

For ETSO-2C153 authorization, IMA module may be a single LRU platform (Line Replaceable

Unit) or may be a module located into a Rack (Line Replaceable Module).

Two cases have to be considered depending on IMA module characteristics.

• Case 1: The IMA module is a single LRU platform (Line Replaceable Unit)

All environmental conditions are applicable to the IMA module. The usage domain must be

defined and maintained in order that all these qualification tests produce a complete credit

for other ETSOs authorization and Type Certificate level.

• Case 2: The IMA module is a module located into a Rack or the rack itself (Line Replaceable

Module).

The usage domain of the module must be defined and maintained in order that at least a subset of qualification tests produces a credit for other ETSOs authorization and Type Certificate level. This minimal subset is defined in the table below:

Environmental

Test RTCA / DO160G

section Guidance for ETSO-2C153

Temperature 4.5 For ETSO-2C153 application :

• The module can be subjected to these test

conditions. Credit for these tests can be granted

as part of this ETSO, with substantiated

environmental test conditions.

• In this case, the usage domain of the module

must be defined and maintained in order that

these tests produce some credit.

Otherwise, these tests will be performed as part

another ETSO application or as part of a [X] Type

Certification program.

Page 91: ETSO 2C153 Date: draft v2.0 - 31/07/2013 - GAMA

Altitude 4.6 For ETSO-2C153 application :

• The module must be subjected to these test

conditions.

• Credit for these tests will be granted as part of

this ETSO.

• The usage domain of the module must be defined

and maintained in order that these tests produce

some credit.

Temperature

Variation

5.0 For ETSO-2C153 application :

• The module can be subjected to these test

conditions. Credit for these tests can be granted

as part of this ETSO, with substantiated

environmental test conditions.

• In this case, the usage domain of the module

must be defined and maintained in order that

these tests produce some credit.

• Otherwise, these tests will be performed as part

another ETSO application or as part of a [X] Type

Certification program.

Humidity 6.0 For ETSO-2C153 application :

• The module must be subjected to these test

conditions.

• Credit for these tests will be granted as part of

this ETSO.

• The usage domain of the module must be defined

and maintained in order that these tests produce

some credit.

Shock

(operational)

7.2 For ETSO-2C153 application :

• The module can be subjected to these test

conditions. Credit for these tests can be granted

as part of this ETSO, with substantiated

environmental test conditions.

• In this case, the usage domain of the module

must be defined and maintained in order that

these tests produce some credit.

• Otherwise, these tests will be performed as part

another ETSO application or as part of a [X] Type

Certification program.

Shock (Crash

Safety)

7.3 For ETSO-2C153 application :

• The module can be subjected to these test

conditions. Credit for these tests can be granted

as part of this ETSO, with substantiated

environmental test conditions.

• In this case, the usage domain of the module

must be defined and maintained in order that

these tests produce some credit.

• Otherwise, these tests will be performed as part

another ETSO application or as part of a [X] Type

Certification program.

Vibration 8.0 For ETSO-2C153 application :

• The module can be subjected to these test conditions. Credit for these tests can be granted as part of this ETSO, with substantiated environmental test conditions.

• In this case, the usage domain of the module must be defined and maintained in order that these tests produce some credit.

• Otherwise, these tests will be performed as part of another ETSO application or as part of a [X] Type Certification program.

Explosion Atmosphere 9.0 For ETSO-2C153 application :

• The module must be subjected to these test conditions.

• Credit for these tests will be granted as part of this ETSO.

• The usage domain of the module must be defined and maintained in order that these tests produce some credit.

Waterproof 10.0 For ETSO-2C153 application :

• The module must be subjected to these test conditions.

• Credit for these tests will be granted as part of this ETSO.

• The usage domain of the module must be defined and maintained in order that these tests produce some credit.

Fluids Susceptibility 11.0 For ETSO-2C153 application :

• The module must be subjected to these test conditions.

• Credit for these tests will be granted as part of this ETSO.

• The usage domain of the module must be defined and maintained in order that these tests produce some credit.

Sand and Dust 12.0 For ETSO-2C153 application :

• The module must be subjected to these test conditions.

• Credit for these tests will be granted as part of this ETSO.

• The usage domain of the module must be defined and maintained in order that these tests produce some credit.

Fungus Resistance 13.0 For ETSO-2C153 application :

• The module must be subjected to these test conditions.

• Credit for these tests will be granted as part of this ETSO.

• The usage domain of the module must be defined and maintained in order that these tests produce some credit.

Salt Fog 14.0 For ETSO-2C153 application :

• The module must be subjected to these test conditions.

• Credit for these tests will be granted as part of this ETSO.

• The usage domain of the module must be defined and maintained in order that these tests produce some credit.

Magnetic Effect 15.0 For ETSO-2C153 application :

• The module must be subjected to these test conditions.

• Credit for these tests will be granted as part of this ETSO.

• The usage domain of the module must be defined and maintained in order that these tests produce some credit.

Power Input 16.0 For ETSO-2C153 application :

• The module must be subjected to these test conditions.

• Credit for these tests will be granted as part of this ETSO.

• The usage domain of the module must be defined and maintained in order that these tests produce some credit.

Voltage Spike 17.0 For ETSO-2C153 application :

• The module must be subjected to these test conditions.

• Credit for these tests will be granted as part of this ETSO.

• The usage domain of the module must be defined and maintained in order that these tests produce some credit.

Audio Frequency Conducted Susceptibility - Power Input 18.0 For ETSO-2C153 application :

• The module must be subjected to these test conditions.

• Credit for these tests will be granted as part of this ETSO.

• The usage domain of the module must be defined and maintained in order that these tests produce some credit.

Induced Signal Susceptibility 19.0 For ETSO-2C153 application :

• The module can be subjected to these test conditions. Credit for these tests can be granted as part of this ETSO, with substantiated environmental test conditions.

• In this case, the usage domain of the module must be defined and maintained in order that these tests produce some credit.

• Otherwise, these tests will be performed as part of another ETSO application or as part of a [X] Type Certification program.

Radio Frequency Susceptibility (Radiated and Conducted) 20.0 For ETSO-2C153 application :

• The module can be subjected to these test conditions. Credit for these tests can be granted as part of this ETSO, with substantiated environmental test conditions.

• In this case, the usage domain of the module must be defined and maintained in order that these tests produce some credit.

• Otherwise, these tests will be performed as part of another ETSO application or as part of a [X] Type Certification program.

Emission of Radio Frequency Energy 21.0 For ETSO-2C153 application :

• The module can be subjected to these test conditions. Credit for these tests can be granted as part of this ETSO, with substantiated environmental test conditions.

• In this case, the usage domain of the module must be defined and maintained in order that these tests produce some credit.

• Otherwise, these tests will be performed as part of another ETSO application or as part of a [X] Type Certification program.

Lightning Induced Transient Susceptibility 22.0 For ETSO-2C153 application :

• The module can be subjected to these test conditions. Credit for these tests can be granted as part of this ETSO, with substantiated environmental test conditions.

• In this case, the usage domain of the module must be defined and maintained in order that these tests produce some credit.

• Otherwise, these tests will be performed as part of another ETSO application or as part of a [X] Type Certification program.

Lightning Direct Effects 23.0 For ETSO-2C153 application :

• The module can be subjected to these test conditions. Credit for these tests can be granted as part of this ETSO, with substantiated environmental test conditions.

• In this case, the usage domain of the module must be defined and maintained in order that these tests produce some credit.

• Otherwise, these tests will be performed as part of another ETSO application or as part of a [X] Type Certification program.

Icing 24.0 For ETSO-2C153 application :

• The module must be subjected to these test conditions.

• Credit for these tests will be granted as part of this ETSO.

• The usage domain of the module must be defined and maintained in order that these tests produce some credit.

Electro Static Discharge (ESD) 25.0 For ETSO-2C153 application :

• The module must be subjected to these test conditions.

• Credit for these tests will be granted as part of this ETSO.

• The usage domain of the module must be defined and maintained in order that these tests produce some credit.

Fire, Flammability 26.0 For ETSO-2C153 application :

• The module must be subjected to these test conditions.

• Credit for these tests will be granted as part of this ETSO.

• The usage domain of the module must be defined and maintained in order that these tests produce some credit.

Figure 10 EQT minimum subset

Chapter 3 Parameters to be monitored during EQT

The IMA module manufacturer must define in IMA module characteristics (appendix 3 – chapter 1), the parameters to be monitored during each applicable test procedure in RTCA/DO-160G.

Regarding intended functions, the IMA module manufacturer must select the key parameters and associated pass and/or fail criteria to ensure that MPS are achieved, according to the table hereafter:

MPS CLASS MPS paragraph

A (Rack) F1 : §2.1.2 (c)

F2 : §2.2.2 (a); §2.2.3 (e)

F3 : §2.3.2 (a) + (b); §2.3.3 (c); §2.3.4 (e) + (f)

F4 : §2.4.2 (a) + (b); §2.4.3 (d); §2.3.4 (e)

B (Processing) F1 : §2.1.2 (b) + (d); §2.1.3 (f); §2.1.4 (g) + (h)

F2 : CLASS D criteria are applicable

F3 : CLASS E criteria are applicable

C (Graphic) 2.1 (b) + (d); §2.2 (f); §2.3 (g) + (h)

D (Data Storage) 2.1 (b) + (d); §2.2 (f); §2.3 (g) + (h)

E (Interface) 2.1 (b) + (d); §2.2 (f); §2.3 (g) + (h)

F (Power Supply) 2.1 (b) + (d); §2.2 (f); §2.3 (g) + (h)

G (Graphical Rendering) 2.1 (b) + (d) + (f); §2.2 (f); §2.3 (g) + (h)

Figure 11 Pass/Fail criteria

This selection must be documented in the EQT plan submitted to EASA.

Document History (for information only)

18.12.2012: ETSO 2C153 draft v1.

31.07.2013: ETSO 2C153 draft v2 composed of:

• Core document draft v2.2

• MPS CLASS A v1.0

• MPS CLASS B v1.0

• MPS CLASS C v1.0

• MPS CLASS D v1.2

• MPS CLASS E v1.2

• MPS CLASS F v2.0

• MPS CLASS G v1.0