ARINC 653
ARINC 653 (Avionics Application Software Standard Interface) is a software specification for space and time partitioning in safety-critical avionics real-time operating systems (RTOS). It allows the hosting of multiple applications of different software levels on the same hardware in the context of an Integrated Modular Avionics architecture. It is part of the ARINC 600-Series Standards for Digital Aircraft & Flight Simulators.


Overview

In order to decouple the real-time operating system platform from the application software, ARINC 653 defines an API called APplication EXecutive (APEX). Each application is called a partition and has its own memory space. It also has a dedicated time slot allocated by the APEX API. Within each partition, multitasking is allowed. The APEX API provides services to manage partitions, processes and timing, as well as partition/process communication and error handling. The partitioning environment can be implemented by using a hypervisor to map partitions to virtual machines, but this is not required. The standard is overseen by the AEEC APEX Subcommittee, which is co-chaired by representatives from Airbus (currently Pierre Gabrilot) and Boeing (currently Steven H. VanderLeest).


History


Initial version

The initial version of ARINC 653 was published on October 10, 1996.


ARINC 653-1

Supplement 1 was published in January 1997 and introduced the concepts of APEX and Time and Space partitioning.


ARINC 653-2

Supplement 2 was published in 3 parts between March 2006 and January 2007:
* Part 1 (mandatory services): ARINC 653 partition management, cold start and warm start definition, application software error handling, ARINC 653 compliance, Ada and C language bindings;
* Part 2 (optional services): file system access, data logging, service access points, ...
* Part 3 (Conformity Test Specification).


Current Organization of Standard

* Part 0 - Introduction to ARINC 653 (currently at revision 3, released November 2021)
* Part 1 - Required Services (currently at revision 5, released December 2019)
* Part 2 - Extended Services (currently at revision 4, released December 2019)
* Part 3A - Conformity Test Specification for Required Services (currently at revision 2, released November 2021)
* Part 3B - Conformity Test Specification for Extended Services (currently at revision c1, released July 2019)
* Part 4 - Subset Services (currently at revision 0, released June 2012)
* Part 5 - Core Software Recommended Capabilities (currently at revision 1, released August 2019)


Basic principles of partitioning


ARINC 653 Platform

An ARINC 653 platform contains:
* A hardware platform allowing real-time, deterministic services.
* An abstraction layer managing the time and space partitioning constraints of the platform (memory, CPU, input/output).
* An implementation of the ARINC 653 services (the APEX API).
* An interface to be able to configure the platform and its domain of use.
* Various instrumentation tools.


Initialization

Initialization of an ARINC 653 partition creates the resources used by the partition. Resource creation (PROCESS, EVENT, SEMAPHORE...) is performed by calling API services named CREATE_xxxx.


Error handling

The process error handler is a preemptive process of the highest priority dedicated to handling partition exceptions. It is created by the service CREATE_ERROR_HANDLER during partition initialization. The API allows the error handler to stop a faulty process (STOP_SELF). In that case, the RTOS scheduler will select the next process with the highest priority. ARINC 653 does not specify how the scheduler should behave if the error handler does not stop a faulty process. In some (theoretical) cases, this could lead to an infinite loop between the faulty process and the error handler. The error handler can obtain information about the source and the context of the exception.


Mode management

Each partition can be in several activation modes:
* COLD_START and WARM_START: only the initialization process is executed,
* NORMAL: the initialization process is stopped, and the other partition processes are called by the RTOS scheduler depending on their priority,
* IDLE: no process is executed. However, an implementation could still in theory execute a hidden process of the lowest priority, for example to start an infinite loop.
The SET_PARTITION_MODE service allows these states to be managed. It can be called by any process in the partition. Entering the IDLE state is irreversible for the partition. Only an external event (such as a platform restart) can change the state to another mode when the partition is in this state.


Partition and process scheduling

The standard defines a two-level hierarchical schedule. The first level schedules the partitions. This is a round-robin, fixed schedule that repeats a Major Time Frame. The Major Time Frame schedules each partition in a fixed-duration Partition Time Window (sometimes called a Minor Time Frame) with a fixed Partition Time Window Offset from the start of the Major Time Frame. During the Partition Time Window, the second level of scheduling uses process scheduling. Each partition has at least one process. Process scheduling within a partition during the Partition Time Window is preemptive. The scheduler is called either by a timer or by API services.


Multicore

ARINC 653 P1-5 was updated to address multicore processor architectures. Section 4.2.1 "O/S Multicore Implementation Compliance" indicates that an OS designed for multi-core processing should support two cases:
* Use of multiple cores by a single partition (whose processes span multiple cores)
* Use of multiple cores by multiple partitions
The FAA position paper CAST-32A defines a set of requirements and guidance that should be met to certify and use multi-core processors in civil aviation, and is expected to be replaced by an Advisory Circular, AC 20-193. The European Union aviation authority, EASA, published AMC 20-193 in January 2022.


API services

The ARINC 653 APEX services are API calls belonging to six categories:
* Partition management
* Process management
* Time management
* Inter-partition communication
* Intra-partition communication
* Error handling
No ARINC 653 services are provided for the memory management of partitions. Each partition has to handle its own memory (still under the constraints of memory partitioning enforced by ARINC 653). Each service returns a RETURN_CODE value which indicates whether the call has been successful:
* NO_ERROR: the service performed nominally after a valid request
* NO_ACTION: the state of the system has not changed after executing the service
* NOT_AVAILABLE: the service is temporarily unavailable
* INVALID_PARAM: at least one of the service's parameters is invalid
* INVALID_CONFIG: at least one of the service's parameters is incompatible with the current configuration of the system
* INVALID_MODE: the service is incompatible with the current mode of the system
* TIMED_OUT: the delay for the execution of the service has expired


Links to POSIX and ASAAC

The field covered by ARINC 653 is similar to ASAAC ''Def Stan 00-74''. However, there are differences between the two standards. Some ARINC 653 (APEX) calls have a POSIX equivalent, but are different from how they are defined in POSIX. For example, the following call defined in ASAAC: receiveBuffer would be translated in ARINC 653 by: RECEIVE_BUFFER() and also in POSIX by: recv()


See also

* Integrated modular avionics
* ASAAC
* ARINC
* DO-178B