[RTAS ’22 Best Student Paper] FlyOS: Integrated Modular Avionics for Autonomous Multicopters
“FlyOS: Integrated Modular Avionics for Autonomous Multicopters” by Anam Farrukh and Richard West won the best student paper award from amongst the outstanding category of papers at the 28th IEEE Real-Time and Embedded Technology and Applications Symposium (RTAS) in 2022. This blog post gives an overview of the work.
From Federated to Integrated Architectures
Traditionally, flight management systems across all avionic domains (air, space and rotorcraft) have employed federated architectures to host on-board functionality in a physically distributed manner. Under this design paradigm, flight-, mission- and non-critical functions are safely mapped to dedicated processing modules that are loosely coupled over an external network. For example, a multicopter might feature a dedicated flight controller and a separate mission computer to support unmanned objectives, including search and rescue, aerial photography, building inspection, or package delivery. Highly critical flight control functions might be replicated on separate hardware, thereby ensuring continued operation in the presence of individual component failures. At the same time, mission functions are strongly isolated from flight tasks, ensuring predictable execution of timing-sensitive functionality.
As flight management systems increase in functional complexity it becomes prohibitive to continue with federated architectures. Adding new hardware to handle separate functions leads to a rapid increase in the size, weight and power costs (SWaP-C). Multicopter unmanned aerial vehicles (UAVs) and other airborne craft would either be unable to accommodate a proliferation of hardware functional units (e.g., due to space constraints), or they would add unneeded payload that could impact flight range. At the same time, the loosely coupled communication between functional units leads to delays that impact the responsiveness of the airborne craft. A multirotor UAV, for example, might not be able to detect and avoid collision with obstacles if flight reaction times were impacted by unacceptable communication delays.
The commercial aircraft domain recognized the above problems in the 1990s and proposed a consolidated approach to flight management, referred to as Integrated Modular Avionics (IMA). Under IMA, software components of different criticality levels operate on a centralized hardware platform. Standards such as ARINC-653 later emerged to extend IMA’s definition with strict temporal and spatial partitioning of avionic functions. Isolation in time and space allows IMA architectures to ensure flight safety and integrity under all operating conditions, normal or otherwise. According to the standard, an IMA host partitions the system’s resources between software functions and manages each execution environment in a predictable and deterministic manner. As such, the host software emulates a logically federated architecture, which prevents less critical tasks within the system from interfering at run time with timing- and safety-critical control functions.
IMA’s functional consolidation offers advantages in terms of lower communication costs, tighter coupling between correlated functions, system-wide redundancy in software and reduced SWaP requirements. However, state-of-the-art approaches to IMA either fall short of meeting the strict real-time temporal constraints of critical tasks or exhibit poor overall flight performance. Predictable and efficient partitioning therefore remains an open research problem.
In response to all these challenges, we introduce FlyOS: a novel approach to IMA for designing safe, predictable and performance efficient flight management systems for next-generation multicopters.
A Reference IMA Architecture
FlyOS consolidates mixed-criticality flight functions in software on a heterogeneous multicore aerial platform, while ensuring temporal and spatial isolation of critical components from execution-time interference. The architecture is based on the separation-kernel concept, which statically partitions system resources among virtualized sandboxed operating systems (OSes) or guest domains. Originally envisioned by John Rushby, a separation-kernel enables isolated software regimes that appear indistinguishable from separate physical machines to coexist on a shared platform. Connected via software defined communication channels, individual system partitions thus operate together as a tightly coupled distributed system-on-a-chip.
FlyOS employs a partitioning hypervisor as an IMA host to implement the separation kernel. Hardware virtualization capabilities are leveraged to statically assign machine resources to concurrently executing guest OSes. Each guest directly manages its own allocated subset of resources without any run-time intervention by the hypervisor, which forms the trusted computing base (TCB). Static partitioning thus avoids hypervisor-level runtime resource management, which improves end-to-end response times and minimizes the TCB of the IMA host layer. The figure below summarizes the architectural properties of our IMA framework.
FlyOS is designed around a characteristic set of goals for functional safety, timing predictability and efficiency of flight control. Isolation, extensibility, enhanced avionic capability and fault redundancy are at the heart of FlyOS’s IMA design. We present a dual-sandbox prototype configuration, shown above, where timing- and safety-critical flight control tasks execute in a real-time OS (Quest) alongside mission-critical vision-based navigation tasks in a legacy Linux sandbox. For this purpose, we retrofit a popular UAV autopilot, Cleanflight, as a real-time multithreaded application for Quest and design an autonomous face detection and tracking application for Linux. Low-latency shared-memory communication allows mission commands and flight data to be relayed between the two sandboxes. We also present a hypervisor-based fault-tolerance mechanism, which protects against fault propagation across guest boundaries and ensures failover flight control in case of critical function or timing failures.
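To make the static-partitioning idea concrete, here is an added example (not FlyOS, Quest or Cleanflight code) that checks a separation-kernel partition table for the dual-sandbox layout described above: every core, pass-through device and private memory range must belong to exactly one guest, and only an explicitly declared shared-memory channel may be mapped by both. The guest names, address ranges and device labels are constructed for illustration.

```python
# Added example: validate spatial isolation of a static partition table.
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Region:
    start: int  # inclusive physical address
    end: int    # exclusive

    def overlaps(self, other: "Region") -> bool:
        return self.start < other.end and other.start < self.end


@dataclass(frozen=True)
class Guest:
    name: str
    cores: FrozenSet[int]
    memory: Tuple[Region, ...]   # private RAM, never shared
    devices: FrozenSet[str]      # pass-through devices owned outright


@dataclass(frozen=True)
class Channel:
    name: str
    region: Region               # shared-memory window for inter-sandbox messages
    endpoints: FrozenSet[str]    # guests permitted to map it


def check_partitioning(guests: List[Guest], channels: List[Channel]) -> List[str]:
    """Return a list of isolation violations; an empty list means the table is sound."""
    violations: List[str] = []
    for i, a in enumerate(guests):
        for b in guests[i + 1:]:
            if a.cores & b.cores:
                violations.append(f"cores {sorted(a.cores & b.cores)} shared by {a.name} and {b.name}")
            if a.devices & b.devices:
                violations.append(f"devices {sorted(a.devices & b.devices)} shared by {a.name} and {b.name}")
            if any(ra.overlaps(rb) for ra in a.memory for rb in b.memory):
                violations.append(f"private memory of {a.name} overlaps {b.name}")
    for ch in channels:  # a channel must sit outside every guest's private memory
        for g in guests:
            if any(r.overlaps(ch.region) for r in g.memory):
                violations.append(f"channel {ch.name} overlaps private memory of {g.name}")
    return violations


# Constructed table: a real-time flight-control guest and a vision guest on a 4-core SoC
QUEST = Guest("quest", frozenset({0, 1}), (Region(0x00000000, 0x20000000),), frozenset({"uart0", "spi_imu"}))
LINUX = Guest("linux", frozenset({2, 3}), (Region(0x20000000, 0x80000000),), frozenset({"camera", "usb"}))
CHANNELS = [Channel("mission_cmd", Region(0x80000000, 0x80010000), frozenset({"quest", "linux"}))]
GOOD_TABLE = [QUEST, LINUX]
# Misconfiguration: the vision guest is also handed core 1, so it can interfere with flight control
BAD_TABLE = [QUEST, Guest("linux", frozenset({1, 2, 3}), LINUX.memory, LINUX.devices)]
```

Running `check_partitioning(GOOD_TABLE, CHANNELS)` returns an empty list, while the same call on `BAD_TABLE` reports the shared core; the checker is meant to run at build time, before any table is handed to a hypervisor.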
We validate FlyOS’s performance and showcase its benefits on the BirdCage hardware-in-the-loop (HIL) test rig as shown on the right.
The video below provides a quick demo of one of our experimental test scenarios, which verifies FlyOS’s autonomous flight in real time. The copter performs face detection using camera input, processes the appropriate mission commands to enable tracking of the ground-truth image (top-right inset) and adjusts the flight controller’s output to the motors to rotate in the yaw-right direction. For analysis results, we refer the reader to our paper.
In summary, FlyOS presents a new design paradigm for multicore IMA with a space-time partitioning approach, which is on par with the strict isolation requirements of avionic standards such as ARINC-653. The architecture has the potential to revolutionize the current architectural landscape of integrated modular avionics for the performance efficient multicopter domain. Further details of our work are presented in the paper.
Disclaimer: Any views or opinions represented in this blog are personal, belong solely to the blog post authors and do not represent those of ACM SIGBED or its parent organization, ACM.