ETSO 2C153
Date: draft v2.0 - 31/07/2013
European Technical Standard Order (ETSO)
DRAFT
SUBJECT: INTEGRATED MODULAR AVIONICS (IMA) PLATFORM AND MODULES
1 – Applicability
1.1. - General
This ETSO gives the requirements for IMA modules which are designed to compose an
Integrated Modular Avionics (IMA) platform and which are manufactured on or after the date
of this ETSO, must meet in order to be identified with the applicable ETSO marking.
See Appendix 1 for an introduction to Integrated Modular Avionics and applicable
definitions.
1.2 - Specific
This ETSO refers to IMA modules which are appliances composed of Hardware and Core
Software or any embedded software module contributing to the intended function of
resources sharing.
Nevertheless, if intended function of resource sharing is implemented:
o “Hardware only” module is acceptable if no further software module is needed to
perform resources sharing.
o Single LRU platform (as per ED-124/DO297), where the platform is limited to one
Line Removal Unit (LRU) is acceptable.
In the following content of this document, only the term “IMA module” will be used.
Are out of scope of this ETSO:
o IMA platform composed of multiple LRUs or LRMs (distributed platform – ED-124/DO-
297 example D2) that have to be addressed at system level.
o Stand-alone (without the hardware target) core software.
o Configuration data, which are part of IMA system integration and installation.
o IMA applications.
o Equipment used to generate radio frequency signals for intentional transmitters.
This ETSO refers to seven classes of Minimum Performance Specifications (MPS) referring to
seven different resource sharing functions:
o CLASS A: Rack Housing (RH)
o CLASS B: Processing (PR).
o CLASS C: Graphical Processing (GP).
o CLASS D: Data Storage (DS).
o CLASS E: Interface (IF).
o CLASS F: Power Supply (PS).
o CLASS G: Display Head (DH).
An IMA module (a part) can be compliant to a combination of MPS classes. In this case the
IMA module will be marked with all the covered classes.
Example: Single LRU platform can be authorized “ETSO 2C153 CLASS B + D+E” if
the resource sharing intended function is implemented on Processing, Data and
Interface.
For ETSO-2C153 CLASS G compliance, IMA module must be compliant to relevant
requirements of ETSO C113a. Conformity demonstrations to both ETSOs could be
complementarily managed. In this case, IMA module will be double marked 2C153 CLASS G
+ C113.
See Appendix 1 for a definition of the seven basic classes of IMA modules.
2 - Procedures
2.1. - General
Applicable procedures are detailed in CS-ETSO Subpart A.
2.2 - Specific
Data to be submitted to EASA are defined in Part 21 Subpart O and CS-ETSO Subpart A
Additional data which must be supplied by IMA module manufacturer are specified into
Appendix 3.
If some tools are qualified, qualification data are considered as data to be summited to EASA
in the frame of ETSO-2C153 authorization.
3 - Technical Conditions
3.1 – Basic
3.1.1 - Minimum Performance Standard
See Appendix 2
3.1.2 - Environmental Standard
See CS-ETSO Subpart A paragraph 2.1 and Appendix 4
3.1.3 - Computer Software
See CS-ETSO Subpart A paragraph 2.2
3.1.4 – Electronic Hardware Qualification
See CS-ETSO Subpart A paragraph 2.3
3.2 - Specific
3.2.1 Failure Condition Classification
No Failure Condition can be defined at ETSO-2C153 IMA module level. Failure condition
classification will depend on the implemented aircraft functions into the IMA system. This
classification is beyond the scope of ETSO-2C153.
If assumptions are proposed, guidance of CS-ETSO subpart A §2.4 should be followed by
ETSO-2C153 applicant.
Qualitative and safety mechanisms requirements are specified into 2C153 MPS (in § safety
requirements MPS for each type of module – Appendix 2)
Design Assurance Level is not specified but shall be defined in to Installation Manual and
DDP while guaranteed by ETSO applicant.
Any assumptions about the installation, interfacing software and hardware, or operation
required to maintain the hardware design assurance and software levels must also be stated
and included in the Installation Manual.
3.2.2 Specific Development and installation requirements
3.2.2.1 Development process
Standard ED-124 (Integrated Modular Avionics (IMA) development guidance and certification
considerations) contains guidance for Integrated Modular Avionics (IMA) developers,
application developers, integrators, certification applicants, and those involved in the
approval and continued airworthiness of IMA systems in civil certification projects.
In order to prepare the integration of the ETSO-2C153 IMA module, their development
should meet objectives of ED-124 guidance related to task 1 (table A-1 objectives).
Table A-1 objective 8 and 9 are only relevant in case of Single LRU platform (as per §1.2
definition).
3.2.2.2 Installation consideration
ETSO-2C153 IMA module is by definition an incomplete system.
Definition of activities to be performed to properly use the ETSO-2C153 IMA module should
be defined for the installer. Associated test procedures to check that the authorized IMA
module is properly used should also be documented in the Installation Manual in order to
allow the integrator to perform task 3 & 4 of the ED-124.
4. Marking
4.1 - General
Marking is detailed in CS-ETSO Subpart A paragraph 1.2
4.2 – Specific
The part must be permanently and legibly marked with the MPS class as defined in
paragraph 1.2 of this ETSO.
Each Rack (CLASS A) authorized under this ETSO must be marked with a note “ETSO
authorization for rack only”. This note should be on the ETSO nameplate or in close proximity
to the nameplate).
If ETSO-2C153 IMA module contains Loadable Software Parts that is manufactured under
this ETSO, the part may support a means by which the required information can be
determined using an external means (for example, an electronic display).
Notice: ETSO 2C153 marking do not cover IMA-hosted applications and IMA configuration
with are Software Parts not covered by this ETSO"
5 - Availability of Referenced Document
See CS-ETSO Subpart A paragraph 3
APPENDIX 1
INTEGRATED MODULAR AVIONIC OVERVIEW, DEFINITION AND EXAMPLES
This appendix provides:
o Chapter 1 : An overview of Integrated Modular Avionics
o Chapter 2 : Applicable definitions
o Chapter 3 : Minimum Performance Specification (MPS) classes definition
o Chapter 4 : Examples of IMA platform using IMA modules
Chapter 1: Integrated Modular Avionics Overview
In the field of this ETSO, Integrated Modular Avionics is defined according to EUROCAE standard
ED-124 (equivalent to the RTCA standard DO-297):
Integrated Modular Avionics : is a shared set of flexible, reusable, and interoperable
hardware and software resources that, when integrated, form a platform that provides
services, designed and verified to a defined set of safety and performance requirements,
to host applications performing aircraft functions..
IMA architecture integrates many aircraft functions on the same platform, provided by several
hosted applications that historically have been contained in functionally and physically separated
‘boxes’ or LRUs.
IMA platforms are composed of modules which are designed to be reusable in order to reduce
development cost and occasionally facilitate certification programs. Some modules provide only
mechanical, possibly cooling and electrical power supply functions. Others include core software
and associated computing capabilities.
The IMA modules are usually both generic and configurable, and the same platform could
therefore be used on different aircraft models.
Chapter 2: Applicable definitions
Legend
o [ED-124]: Definitions from EUROCAE standard ED-124 (equivalent to the RTCA
standard DO-297)
Aircraft Function[ED-124]: the capability of the aircraft that may be provided by the hardware
and the software of the systems on the aircraft;
Application[ED-124]: software and/or application-specific hardware with a defined set of
interfaces that, when integrated with the platform, performs a function;
Component[ED-124]: a self-contained hardware, software part, database or combination thereof
that is configuration controlled. A component does not provide an aircraft function by itself;
Configuration data [ED-124]: see § 3.7.1
Core Software[ED-124]: The operating system and support software that manage resources to
provide an environment in which applications can execute. Core software is a necessary
component of a platform and is typically comprised of one or more modules.
Operating System[ED-124]: 1) The same as executive software.
2) The software kernel that services only the underlying hardware platform.
3) Software that directs the operations of a computer, resource allocation and data
management, controlling and scheduling the execution of computer hosted applications,
managing memory, storage, input/output, and communication resources.
Support software: Embedded software necessary as a complement to the Operating System to
provide general services such as contributing to the intended function of resources sharing,
handling hardware, drivers, software loading, health monitoring, boot strap etc...
IMA System[ED-124]: consists of (an) IMA platform(s) and a defined set of hosted applications;
Module[ED-124]: A component or collection of components that may be accepted by themselves
or in the context of IMA. A module may also comprise other modules. A module may be
software, hardware, or a combination of hardware and software, which provides resources to
the IMA-hosted applications. Modules may be distributed across the aircraft or may be co-
located;
Platform[ED-124]: Module or group of modules, including core software, which manages
resources in a manner sufficient to support at least one application. IMA hardware resources and
core software are designed and managed in a way that provides computational, communication
and interface capabilities for hosting at least one application. Platforms by themselves do not
provide any aircraft functionality. The IMA platform may be accepted independently of hosted
applications.
Cabinet[ED-124]: A physical package containing one or more IMA components or modules, which
provides partial protection from environmental effects (shielding) and may enable installation and
removal of those component(s) or module(s) from the aircraft without physically altering other
aircraft systems or equipment.
Rack: A standardized frame or enclosure for mounting multiple modules.
Unit: set of physical components (hardware and or software) in charge of supporting an intended
function.
Chapter 3: Minimum Performance Specification (MPS) classes definition
For this ETSO, IMA module shall be compliant to at least one of the following classes of
Minimum Performance Specification (MPS):
CLASS A : Rack Housing (RH)
For ETSO-2C153 Class A:
1.3.A.1 : IMA module is a physical package able to contain at least two IMA hardware modules,
that may provide protection from environmental effects (shielding) and enable installation and
removal of those module(s) from the aircraft without physically altering other aircraft systems
or equipment.
1.3.A.2 : IMA module may be simple mechanical enclosures, or they may incorporate
communication interfaces, backplanes for data and power supplies, active cooling or any
combination of these features.
1.3.A.3 : IMA module does not offer the capacity to host applications by itself.
1.3.A.4 : IMA module may be configurable.
CLASS B : Processing (PR)
For ETSO-2C153 Class B:
1.3.B.1 : IMA module contains CPU component, memory component, interface devices and
potentially associated Core Software which constitute one or several Processing, Memory or
Interface Unit(s).
1.3.B.2 : The intended function of such IMA module is to share Processing, Data and
Information between at least two IMA applications, modules and/or components.
1.3.B.3 : IMA module offers the capability to host IMA applications.
1.3.B.4 : IMA module may be an association of hardware and Core Software.
o Hardware may (or may not) contain resident (not field loadable) software to enable
electronic part marking and/or future loading of Field Loadable Software parts.
o Core Software may be resident or a Field Loadable Software Part.
1.3.B.5 : IMA module may be configurable
CLASS C : Graphical Processing (GP)
For ETSO-2C153 Class C:
1.3.C.1 : IMA module contains graphical engine component or/and video engine component,
memories, interfaces and potentially associated Core Software which constitute one or several
Graphical Unit(s).
1.3.C.2 : The intended function of such IMA module is to share graphics and/or video signal
processing between at least two IMA applications, modules and/or components.
1.3.C.3 : IMA module does not offer the capacity to host IMA applications by itself.
1.3.C.4 : IMA module may be an association of hardware and Core Software.
o Hardware may (or may not) contain resident (not field loadable) software to enable
electronic part marking and/or future loading of Field Loadable Software parts.
o Core Software may be resident or a Field Loadable Software Part
1.3.C.5 : IMA module may be configurable.
CLASS D : Data Storage (DS)
For ETSO-2C153 Class D:
1.3.D.1 : IMA module contains memory, interface component and potentially associated Core
Software which constitute one or several Data Storage Unit(s).
1.3.D.2 : The intended function of such IMA module is to share stored data (e.g databases,
files…) between several IMA applications, modules and/or components.
1.3.D.3 : IMA module does not offer the capacity to host applications by itself.
1.3.D.4 : IMA module may be an association of hardware and a Core Software.
o Hardware may (or may not) contain resident (not field loadable) software to enable
electronic part marking and/or future loading of Field Loadable Software parts.
o Core Software may be resident or a Field Loadable Software Part.
1.3.D.5 : IMA module may be configurable.
CLASS E : Interface (IF)
For ETSO-2C153 Class E:
1.3.E.1 : IMA module contains input/output component(s) and potentially associated Core
Software which constitute one or several Interface Unit(s). These interfaces can be discrete,
analog, serial interface, digital bus…
1.3.E.2 : The intended function of such IMA module is to share information between several IMA
applications, modules and/or components.
1.3.E.2 : IMA module does not offer the capacity to host applications by itself.
1.3.E.4 : IMA module may be an association of hardware and a Core Software.
o Hardware may (or may not) contain resident (not field loadable) software to enable
electronic part marking and/or future loading of Field Loadable Software parts.
o Core Software may be resident or a Field Loadable Software Part.
1.3.E.5 : IMA module may be configurable.
CLASS F : Power Supply (PS)
For ETSO-2C153 Class F:
1.3.F.1 : IMA module contains set of components (hardware and or software) which constitute
one or several Power Supply Unit(s) in charge of managing power supply.
1.3.F.2 : The intended function of such IMA module installed into a rack is to provide Power
Supply from airborne electrical network to one or more IMA hardware modules embedded into
the same Rack.
1.3.F.3 : IMA module do not offer the capacity to host applications by itself.
1.3.F.4 : IMA module may be configurable.
1.3.F.5 : IMA module may be an association of hardware and a Core Software.
o Hardware may (or may not) contain resident (not field loadable) software to enable
electronic part marking and/or future loading of Field Loadable Software parts.
o Core Software may be resident or a Field Loadable Software Part.
TYPE G : Display Head (DH)
For ETSO-2C153 Class G:
1.3.G.1 : IMA module contains set of components (hardware and or software) in charge of
managing displayed area which constitute one or several Display Unit(s).
1.3.G.2 : The intended function of such IMA module is to offer the capability to depict graphical
information received from IMA Application(s), component(s) and/or module(s) on one Display
Area.
1.3.G.3 : IMA module does not offer the capacity to host applications by itself.
1.3.G.4 : IMA module may be an association of hardware and a Core Software.
o Hardware may (or may not) contain resident (not field loadable) software to enable
electronic part marking and/or future loading of Field Loadable Software parts.
o Core Software may be resident or a Field Loadable Software Part
1.3.G.5 : IMA module may be configurable.
Chapter 4: Example of IMA platform using IMA modules.
ED-124 / DO-297 contains some examples relating to IMA module and platform definition.
These examples can be completed with example relating to Chapter 3 definitions.
Example 1: Single LRU platform (as per ED-124 / DO-297)
This example illustrates the sharing of computational and I/O resources within a single Line
Replaceable Unit (LRU). Key IMA characteristics include:
• Hosting of multiple applications.
• Platform configuration data and data loading.
• Defined API between the platform and hosted applications.
Figure 1 Single LRU platform (as per ED-124 / DO-297)
At one level, this example illustrates a single platform providing core computational
resources. At another level, this example illustrates a module to be used within a larger
IMA platform.
If sharing of processing, memory, and I/O resources are implemented with Robust
Partitioning within the LRU, such single LRU platform will be eligible to CLASS B, D and E.
Example 2: Single LRU A664 switch equipment.
This example illustrates the sharing of A664 I/O resources within a single Line Replaceable
Unit (LRU). Key IMA characteristics include:
• No capability to host application.
• Module configuration data and data loading.
Figure 2 Single LRU A664 switch principle
If sharing of A664 I/O resources are implemented with Robust Partitioning within the LRU,
such single LRU platform will be eligible to CLASS E.
Example 3: IMA modules co-located into a Rack Module (Line Replaceable Module).
Rack
2 C153
CLASS A
2C153
CLASS B+E
Rack
LRM
1
LRM
2
LRM
3
LRM
2
LRM
4
2C153
CLASS C
2C153
CLASS F
Non ETSO
Module
Figure 3 IMA modules installed into a Rack Module
This example illustrates the sharing of resources within sereval single Line Replaceable
Modules (LRM) collocated inside a Rack:
• Rack: is an IMA module will be eligible CLASS A
• LRM 1: provides shared Processing and Input / Output with Robust Partitioning and
will be eligible to CLASS B+E
• LRM2: provides shared Graphical Processing with Robust Partitioning and will be
eligible to CLASS C
• LRM3: provides shared Power Supply with Robust Partitioning to LRM embedded into
the same Rack and will be eligible to CLASS F
• LRM 4: does not provide shared resource. This module will be considered as a non-
ETSO-2C153 module.
All these modules are considered as Parts.
APPENDIX 2
INTEGRATED MODULAR AVIONIC MODULE
MINIMUM PERFORMANCE SPECIFICATION (MPS)
This appendix provides Specific Minimum Performance Specification per CLASS.
o CLASS A : Rack Housing (RH)
o CLASS B : Processing (PR)
o CLASS C : Graphical Processing (GP)
o CLASS D : Data Storage (DS)
o CLASS E : Interface (IF)
o CLASS F : Power Supply (PS)
o CLASS G : Display Head (DH)
This document contains “must”, "shall", "should", “may” and “will” statements with the
following meanings:
• The use of word “must” indicates a legislative criterion; i.e compliance with the
criterion is mandatory regarding legislative requirements.
• The use of the word "shall" indicates a mandated criterion; i.e. compliance with the
criterion is mandatory and no alternative may be applied;
• The use of the word "should" indicates that though the criterion is regarded as the
preferred option, alternative criteria may be applied. In such cases, alternatives
should be identified in appropriate approval plans and agreement sought from the
approval authority; and
• The use of the word "may" describes expected module behavior when the module
complies with the reference requirements, and/or this section's requirements
• The use of the word "will" describes an example.
For verification procedures, following definitions and symbols are used in this appendix:
Analysis
Analysis is the method of verification which consists of comparing hardware design with known
scientific and technical principles, technical data, or procedures and practices to validate that
the proposed design will meet the specified functional or performance requirements.
Demonstration
Demonstration is the method of verification where qualitative versus quantitative validation of a
requirement is made during a dynamic test of the system/equipment. In general, software
functional requirements are validated by demonstration since the functionality must be observed
through some secondary media.
Inspection
Inspection is the method of verification to determine compliance with specification requirements
and consists primarily of visual observations or mechanical measurements of the
system/equipment, physical location, or technical examination of engineering support
documentation.
Test
Test is the method of verification that will measure system/equipment performance under
specific configuration and load conditions and after the controlled application of known stimuli.
Quantitative values are measured, compared against previous predicated success criteria and
then evaluated to determine the degree of compliance.
X/Y
Either test method X or test method Y may be used to verify the requirement (i.e., D/A can be
verified by Demonstration or Analysis).
X+Y
Both test methods must be used to verify the requirement (i.e., D+A means the requirement
must be verified by Demonstration and Analysis).
APPENDIX 2
INTEGRATED MODULAR AVIONIC PLATFORM AND MODULE
MINIMUM PERFORMANCE SPECIFICATION (MPS)
CLASS A : Rack Housing (RH)
1 Purpose and scope
1.1 Introduction
This document contains CLASS A Minimum Performance Standards (MPS).
These standards specify module characteristics that should be useful to designers,
manufacturers, installers and users of the IMA module.
1.2 Overview
For ETSO-2C153 CLASS A, IMA module is a physical package able to contain one or more IMA
hardware modules, which provides partial protection from environmental effects (shielding) and
may enable installation and removal of those module(s) from the aircraft without physically
altering other aircraft systems or equipment.
IMA module may be simple mechanical enclosures, or they may incorporate passive
communication interfaces, passive interconnection for data and power, or power supplies, active
cooling unit or any combination of these features.
Following definitions are used:
o Mounted: is said for another hardware IMA module installed and fixed inside the IMA
Rack Module after a human operation in aircraft.
o Slot: the physical envelop dedicated to one mounted IMA module or component inside
the Rack Module
These definitions are independent of the design choices made by the IMA module manufacturer.
Note:
o IMA module compliant to ETSO-2C153 CLASS A MPS is only relevant in case of IMA
Platform architecture using a Cabinet.
o Mounted hardware IMA modules can be compliant or not with other ETSO-2C153 MPS
CLASS (from B to G) but it is not mandatory.
2C153Author ized
2C153Author ized
Rack(CLASS A)
Power Supply(CLASS F)
Comm.
Module
Processing
Module
2C153Authorized
Data Storage (CLASS D)
2C153Authorized
Processing(CLASS B)
Figure 1 Illustration of IMA platform architecture based on Cabinet
1.3 Intended function
Based on the definition of the CLASS A MPS, this section provides Minimum Performance
Standards (MPS) for the intended function which is to provide the capability to share some
housing services supplied by one mechanical unit.
This intended function can be divided into 4 sub-functions:
o F1 : Housing (mandatory)
o F2 : Shielding (optional)
o F3 : Interconnection (optional)
o F4 : Cooling (optional)
The following figure provides an overview of the previously mentioned Rack Module intended
functions and interfaces.
Rack Module
Cooling unit
Mountedmodule
Mountedmodule
Mountedmodule
Mecanical unitInterconnection
F1 & F2 : Housing & Shelding
Env ironment
Power dissipation
Airfow
Mecanic
Installat ion / RemovalF2 : Data and/or
power supply
interconnections
Threads
Airfow
F4 : Cooling
isolation
slot slot slot
Figure 2: IMA module overview for ETSO-2C153 CLASS A
2 Module requirements
2.1 F1 – Housing
2.1.1 Description
For ETSO-2C153 CLASS A, IMA module provides shared resources for housing needs of
hardware IMA modules. This sub-function merges:
o The capacity to host at least two hardware IMA modules inside at least two slots.
o The capacity to mount and un-mount a hardware IMA module in its slot directly in
the aircraft thanks to a human (potentially tooled) intervention.
Rack IMA Module
Mounted Module
Mounted Module
Mounted Module
Mechanical unit
Mounted Module
AIRCRAFT
The Slot defines one housing volume
Figure 3: CLASS A Housing function overview
2.1.2 Functional requirements
For ETSO-2C153 CLASS A:
a) The IMA Module shall provide to at least two mounted hardware IMA modules and/or
components the capacity to use shared housing volume thanks to a mechanical interface.
b) The IMA Module shall provide at least two mechanical slots allowing hosting at least two
mounted hardware IMA modules.
c) The mechanical isolation (i.e. a physical envelop defined inside the housing volume)
between mounted hardware modules or components shall be ensured by the IMA Module.
d) The IMA module shall provide with a list of slots (e.g slot 1, slot 3…). The list of types of
slots and the associated attributes shall be provided in the installation manual.
e) For each type of slot, a mean to avoid mounting of unexpected hardware IMA shall be
implemented (e.g. Mechanical key…).
f) Mounted hardware IMA module Installation and Extraction Means or Methods shall be
specified inside the installation manual. These means or methods may be identical for all
the slot of the Rack Module.
g) The attributes of each type of slot may be configurable.
h) If compliance to MPS is reached thanks to any additional mechanical component. This
element shall be inseparable of the IMA module (Rack) and part of its identification and
marking.
MECANICAL UNIT
HOUSING VOLUME,
SLOT SLOTSLOT SLOT
HW IMA MODULE
HW IMA MODULE
HW IMA MODULE
HW IMA MODULE
Mecanical interface Mecanical interface Mecanical interface Mecanical interface
Figure 4: CLASS A Housing elements relationship
2.1.3 Performance requirements
None
2.1.4 Safety requirements
Not relevant for mechanical elements.
2.1.5 Required data (linked to §2.2)
i) The applicant shall provide the list of type of slots, the associated attributes, their
configurability (if any) and their sizing dimensions (drawings).
This will include:
o The list of authorized or predefined hardware IMA modules
o Slot mounting scheme (mechanical profile / Drawings)
o Power dissipation and airflow profile.
j) As required in Appendix 3, the applicant shall provide in installation manual all
constraints (including limitations, Usage Domain and activities) to be respected by the
users.
k) The Applicant shall provide any data needed to evaluate weight and gravity center of a populated rack.
2.1.6 Verification procedures
Following table gives verification method for each MPS:
MPS Ref MPS text Verification method
(A/I/D/T)
Verification
Acceptance Criteria
MPS Ref MPS text Verification method
(A/I/D/T)
Verification
Acceptance Criteria
2.1.2 a) The IMA Module shall provide to at least
two mounted hardware IMA modules
and/or components the capacity to use
shared housing volume thanks to a
mechanical interface.
I+A+T 2.1.6.1
2.1.2 b) The IMA Module shall provide at least two
mechanical slots allowing hosting at least
two mounted hardware IMA modules.
I+A+T 2.1.6.1
2.1.2 c) The mechanical isolation (i.e. a physical
envelop defined inside the housing volume)
between mounted hardware modules or
components shall be ensured by the IMA
Module.
I+A 2.1.6.2
2.1.2 d) The IMA module shall provide with a list of
slots (e.g slot 1, slot 3…). The list of types
of slots and the associated attributes shall
be provided in the installation manual.
I 2.1.6.3
2.1.2 e) For each type of slot, a mean to avoid
mounting of unexpected hardware IMA
shall be implemented (e.g. Mechanical
key…).
I 2.1.6.4
2.1.2 f) Mounted hardware IMA module Installation
and Extraction Means or Methods shall be
specified inside the installation manual.
These means or methods may be identical
for all the slot of the Rack Module.
I 2.1.6.5
2.1.2 g) The attributes of each type of slot may be
configurable.
I 2.1.6.6
2.1.2 h) If compliance to MPS is reached thanks to
any additional mechanical component. This
element shall be inseparable of the IMA
module (Rack) and part of its identification
and marking.
I 2.1.6.7
2.1.5 i) The applicant shall provide the list of type
of slots, the associated attributes, their
configurability (if any) and their sizing
dimensions (drawings).
I 2.1.6.8
2.1.5 j) As required in Appendix 3, the applicant
shall provide in installation manual all
constraints (including limitations, Usage
Domain and activities) to be respected by
the users.
I 2.1.6.9
2.1.5 k) The Applicant shall provide any data
needed to evaluate weight and gravity
center of a populated rack.
I 2.1.6.10
Table 1 : Verification Acceptance Criteria
2.1.6.1 Verification of 2.1.2 a) and 2.1.2 b)
1 – Inspect the Installation Manual to determine the range number [Min - Max] of
hardware IMA modules which it is possible to mount into the IMA module (Rack).
2 – Verify that the Min number is at least equal to two.
3 – Initialize the IMA module in consistency with Usage Domain contained into the
Installation Manual.
4 – Verify that in valid equivalence classes and boundary values of [Min – Max] the
hardware IMA modules can be correctly mounted into the IMA module (Rack).
5 – Verify that mechanical interfaces are well implemented according to its (their)
specification(s) given into the Installation Manual.
2.1.6.2 Verification of 2.1.2 c)
1 – Inspect the drawings of the IMA module (Rack) and verify that there is no conflict
(contact, overlap…) between slot mounting schemes.
2.1.6.3 Verification of 2.1.2 d)
1 – Inspect the Installation Manual to verify that the list of slots is well defined.
2 - Inspect the Installation Manual to verify that the attributes of each type of slot are
well defined. Attributes are:
• Usage domain rules associated to each slot type.
• Mechanical interface associated to each slot type.
2.1.6.4 Verification of 2.1.2 e)
1 – Inspect the Installation Manual to verify that the criteria to authorize hardware IMA
module mounting are available.
2 – Verify that a mean is implemented avoiding to mount unauthorized hardware IMA
module consistently to defined criteria.
2.1.6.5 Verification of 2.1.2 f)
1 – Inspect the Installation Manual to verify that means and methods needed to mount
hardware IMA module inside the IMA module (Rack) are defined.
2 - Initialize the IMA module (Rack) in consistency with Usage Domain contained into the
Installation Manual.
3 – Verify that hardware IMA module can be correctly install and extract thanks to
supplied means.
2.1.6.6 Verification of 2.1.2 g)
If 2.1.2 g) is implemented:
1 – Inspect the Installation Manual to verify that the configurable attributes of types of
slot are well defined.
2 – Inspect the Installation Manual to verify that the authorized values of each
configurable attributes are well defined as Usage Domain rules.
2.1.6.7 Verification of 2.1.2 h)
If compliance to MPS is reached thanks to any additional mechanical component:
1 – Inspect the Installation Manuel that this component is well identified.
2 – Verify that this component is part of IMA module (Rack) identification and is
inseparable.
2.1.6.8 Verification of 2.1.5 i)
1 – Inspect the Installation Manual to verify that the list of types of slot, their associated
attributes, their configurability and their performances (e.g. dimensions, drawings…) are
well documented, including boundaries, Usage Domain Rules, mechanical interface rules.
2.1.6.9 Verification of 2.1.5 j)
1 – Inspect the Installation Manual to verify that the constraints to be respected are
specified for all types of slots, including their associated Usage Domain Rules and
mechanical interface rules.
2.1.6.10 Verification of 2.1.5 k)
1 – Inspect the Installation Manual to verify that means needed to evaluate weight and
gravity and center of populated rack are available.
2 - Initialize the IMA module in consistency with Usage Domain contained into the
Installation Manual.
3 – Verify that the weight and gravity and center of populated rack can be correctly
thanks to supplied means.
2.2 F2 – Shielding
2.2.1 Description
F2 is an optional sub-function of ETSO-2C153 CLASS A.
In this case, IMA module provides shared resources for shielding needs of mounted
hardware IMA modules. This sub-function merges:
o A level of protection of the mounted hardware IMA modules from aircraft
environmental.
o A level of environmental isolation (shielding) between mounted hardware modules
inside the rack
Rack IMA Module
Mounted Module
Mounted Module
Mounted Module
Mechanical unit
Mounted Module
AIRCRAFT ENVIRONMENT
Enviromental isolation
Figure 5: CLASS A Shielding function overview
2.2.2 Functional requirements
For ETSO-2C153 CLASS A, additionally to MPS specified into § 2.1,
a) A level of environmental protection (shielding) for each mounted hardware modules
shall be ensured by the IMA Module. This protection shall take into account effects of
aircraft environment (outside the rack) and interactions between the modules
themselves.
b) The IMA module shall provide the list of slots (e.g slot 1, slot 3…) for which the
protection (a) is guaranteed. The list of types of slots and the associated
characteristics in terms of protection shall be provided in the installation manual.
c) The attributes of each type of slot may be configurable.
d) If the (a) shielding objective is reached thanks to any additional mechanical element.
This element shall be inseparable of the IMA Module and part of its identification and
marking
MECANICAL UNIT
SHIELDING
SLOT SLOTSLOT SLOT
HW IMA MODULE
HW IMA MODULE
HW IMA MODULE
HW IMA MODULE
Mecanical interface Mecanical interface Mecanical interface Mecanical interface
Figure 6: CLASS A shielding elements relationship
2.2.3 Performance requirements
e) The level of environmental protection (shielding) of each slot provided in §2.2.2 shall
be characterized and bounded and documented in the installation manual.
2.2.4 Safety requirements
Not relevant for mechanical elements.
2.2.5 Required data (linked to §2.2)
f) The applicant shall provide the list of type of slots, the associated characteristics in
terms of environmental protection (shielding)
This will include:
• The list of authorized or predefined hardware modules or components
• Slot Mounting Scheme (mechanical profile / isolation / Drawings)
• Level of isolation and level of shielding per slot
• The list of environmental tests that can be granted to a hardware IMA module
(see Appendix 4 - EQT) mounted in to the rack.
g) As required in § 2.2, the applicant shall provide in installation manual all constraints
(including limitations, Usage Domain and activities) to be respected by the users.
2.2.6 Verification procedures
Following table gives verification method for each MPS:
MPS Ref MPS text Verification method
(A/I/D/T)
Verification
Acceptance Criteria
MPS Ref MPS text Verification method
(A/I/D/T)
Verification
Acceptance Criteria
2.2.2 a) A level of environmental protection
(shielding) for each mounted hardware
modules shall be ensured by the IMA
Module. This protection shall take into
account effects of aircraft environment
(outside the rack) and interactions between
the modules themselves.
I+A+T
2.2.6.1
2.2.2 b) The IMA module shall provide the list of
slots (e.g slot 1, slot 3…) for which the
protection (a) is guaranteed. The list of
types of slots and the associated
characteristics in terms of protection shall
be provided in the installation manual.
I 2.2.6.2
2.2.2 c) The attributes of each type of slot may be
configurable.
I 2.2.6.3
2.2.2 d) If the (a) shielding objective is reached
thanks to any additional mechanical
element. This element shall be inseparable
of the IMA Module and part of its
identification and marking
I 2.2.6.4
2.2.3 e) The level of environmental protection
(shielding) of each slot provided in §2.2.2
shall be characterized and bounded and
documented in the installation manual.
I+A 2.2.6.5
2.2.5 f) The applicant shall provide the list of type
of slots, the associated characteristics in
terms of environmental protection
(shielding)
I 2.2.6.6
2.2.5 g) As required in § 2.2, the applicant shall
provide in installation manual all
constraints (including limitations, Usage
Domain and activities) to be respected by
the users.
I 2.2.6.7
Table 2 : Verification Acceptance Criteria
2.2.6.1 Verification of 2.2.2 a)
1 – Verify in Installation Manual that the characteristics of each type of slot in terms of
environmental protection are well defined.
2 - Initialize the IMA module (Rack) in consistency with Usage Domain contained into the
Installation Manual (especially environmental aspects)
3 – Verify via EQT procedures (see Appendix 4) that the level of protection per type of
slot is in consistency of the one defined into the Installation Manual.
In particular, the usage domain of the IMA module must be defined and maintained in
order that at least the subset of qualification tests specified into Appendix 4 produces a
credit for mounted hardware IMA module in a dedicated slot.
2.2.6.2 Verification of 2.2.2 b)
1 – Inspect the Installation Manual to verify that the list of slots is well defined.
2 - Inspect the Installation Manual to verify that the characteristics of each type of slot in
terms of environmental protection are well defined.
2.2.6.3 Verification of 2.2.2 c)
If 2.1.2 g) is implemented:
1 – Inspect the Installation Manual to verify that the configurable attributes of types of
slot are well defined.
2 – Inspect the Installation Manual to verify that the authorized values of each
configurable attributes are well defined as Usage Domain rules.
2.2.6.4 Verification of 2.2.2 d)
If compliance to shielding objective is reached thanks to any additional mechanical
component:
1 – Inspect the Installation Manuel that this component is well identified.
2 – Verify that this component is part of IMA module (Rack) identification and is
inseparable.
2.2.6.5 Verification of 2.2.3 e)
1 – Verify in Installation Manual that the characteristics of each type of slot in terms of
environmental protection are well defined. These characteristics will be defined per
Environmental Conditions and Test Procedures category.
2.2.6.6 Verification of 2.2.5 f)
1 – Inspect the Installation Manual to verify that the list of types of slot, their associated
attributes, their configurability and their performances (in terms of environmental
protection are well documented, including boundaries, Usage Domain Rules, mechanical
interface rules.
2 – Inspect the Installation Manual to verify that the list of environmental tests that can
be granted to a hardware IMA module level mounted into the rack is well defined (see
Appendix 4 – EQT)
3 – Verify this information are in consistency with EQT results.
2.2.6.7 Verification of 2.2.5 g)
1 – Inspect the Installation Manual to verify that the constraints to be respected are
specified for all types of slots, including their associated Usage Domain Rules and
mechanical interface rules.
2.3 F3 - Interconnection
2.3.1 Description
F3 is an optional sub-function of ETSO-2C153 CLASS A.
In this case, IMA module provides the capacity to interconnect hardware IMA module
together inside the Rack Module. This interconnection allows exchanging dat a or power
supply.
Note:
• The Communication and Power supply interconnection capacity is only composed of
passive components.
• Power supply exchanges between mounted hardware IMA modules, needs that at
least one module is compliant to ETSO-2C153 CLASS F shall be mounted into a
slot.
Rack Module
Mounted Module
TYPE F
Mounted Module
MountedModule
Interconnection unit
Mounted Module
Data
ThreadPower
Flows
AIRCRAFT ELECTRICAL NETWORK
Power
Flow
Figure 7: CLASS A Interconnection function overview
2.3.2 Functional requirements
For ETSO-2C153 CLASS A, additionally to MPS specified into § 2.1,
a) The IMA module shall provide the capacity to interconnect mounted hardware IMA
modules thanks to data or power supply buses available through an electrical
interface(s) supplied by one or several interconnection unit(s). These buses will be
dedicated to :
• Data exchanges
• Power supply exchanges
b) If the IMA module provides more than one bus, the isolation between buses used by
mounted hardware IMA modules shall be ensured by the IMA module.
The interface(s) of the IMA module will conform to characteristics as described by a
standard (ARINC600 or ARINC 664 for example).
INTERCONNECTIONUNIT
POWER / DATAINTERCONNECTION
BUS BUSBUS BUS
INTERCONNECTIONUNIT
INTERCONNECTIONUNIT
Electrical interface Electrical interface Electrical interface Electrical interface
PowerFlows
DataThreads
Figure 8: CLASS A Interconnection elements relationship
2.3.3 Performance requirements
c) The data and power supply buses shall not degrade the transmitted signals. An
attenuation profile will be defined if relevant.
d) The performances of each type of buses provided in a) shall be characterized,
bounded and documented in the Installation Manual.
2.3.4 Safety requirements
e) For ETSO-2C153 CLASS A, the IMA module shall implement a fault containment
concerning interconnection unit to prevent from fault propagation between data or
power supply buses.
f) Failures modes:
For at least following failure modes, failure rate shall be provided:
• Loss of the interconnection function
• Erroneous Behavior of interconnection function
Monitoring coverage:
Monitoring Coverage rate (PBIT, CBIT…) shall be provided for all failure modes of
the interconnection function.
Events such as bad sequencing, delay, corruption, impersonation will be taken into
account during the safety analysis
2.3.5 Required data (linked to §2.2)
g) The applicant shall provide the list of types of buses, the associated attributes, their configurability, and their sizing and performances.
h) As required in § 2.2, the Applicant shall provide in installation manual all constraints
(including limitations, Usage Domain and activities) to be respected by the users.
2.3.6 Verification procedures
Following table gives verification method for each MPS:
MPS Ref MPS text Verification method
(A/I/D/T)
Verification
Acceptance Criteria
2.3.2 a) The IMA module shall provide the capacity
to interconnect mounted hardware IMA
modules thanks to data or power supply
buses available through an electrical
interface(s) supplied by one or several
interconnection unit(s). These buses will be
dedicated to :
I+T 2.3.6.1
2.3.2 b) If the IMA module provides more than one
bus, the isolation between buses used by
mounted hardware IMA modules shall be
ensured by the IMA module.
A+T 2.3.6.2
2.3.3 c) The data and power supply buses shall not
degrade the transmitted signals.
A+T 2.3.6.3
2.3.3 d) The performances of each type of buses
provided in a) shall be characterized,
bounded and documented in the
Installation Manual.
I+A 2.3.6.4
2.3.4 e) For ETSO-2C153 CLASS A, the IMA module
shall implement a fault containment
concerning interconnection unit to prevent
from fault propagation between data or
power supply buses.
I+A 2.3.6.5
2.3.4 f) Failures modes:
For at least following failure modes,
failure rate shall be provided:
• Loss of the
interconnection function
• Erroneous Behavior of
interconnection function
Monitoring coverage:
Monitoring Coverage rate (PBIT,
CBIT…) shall be provided for all
failure modes of the interconnection
function.
A 2.3.6.6
2.3.5 g) The applicant shall provide the list of types
of buses, the associated attributes, their
configurability, and their sizing and
performances.
I 2.3.6.7
2.3.5 h) As required in § 2.2, the Applicant shall
provide in installation manual all
constraints (including limitations, Usage
Domain and activities) to be respected by
the users.
I 2.3.6.8
Table 3 : Verification Acceptance Criteria
2.3.6.1 Verification of 2.3.2 a)
1 – Inspect the Installation Manual to verify the data buses and power supply buses
schematics inside the IMA module (Rack) are well specified including electrical interfaces.
2 – Initialize the IMA module (Rack) in consistency with Usage Domain contained into the
Installation Manual?
3 – Verify that all the interconnection data buses and power supply buses are well
implemented
4 – Verify that Interfaces are well implemented according to its (their) specification(s)
given into the Installation Manual.
2.3.6.2 Verification of 2.3.2 b)
If the IMA module (Rack) provides more than one bus:
1 – Inspect the Partitioning Analysis of the IMA module and verify that all the
unauthorized interferences between buses are well identified and mitigated by
either design either a Usage Domain rule.
2 – Inspect the Installation Manual to determine the range number [Min - Max] of
hardware IMA modules which can use the buses.
3 – Initialize the IMA module in consistency with Usage Domain contained into the
Installation Manual.
4 – Verify that in valid equivalence classes and boundary values of [Min – Max],
for each unauthorized interference, isolation is well implemented.
2.3.6.3 Verification of 2.3.3 c)
For each type of bus:
1 - Initialize the IMA module in consistency with Usage Domain contained into the
Installation Manual.
2 – Send a data (resp. power supply) thread on the bus and verify that the design
of interconnection unit(s) does not degrade transmitted signals.
Note that the acceptance can be done accordantly to a previously defined
attenuation profile.
2.3.6.4 Verification of 2.3.3 d)
1 – Inspect the Installation Manual to verify that the list of types of buses is well defined.
2 - Inspect the Installation Manual to verify that the attributes and performances of each
type of bus thread are well defined. Attributes are:
• Usage domain rules associated to bus type.
• Electrical interface associated to bus type.
2.3.6.5 Verification of 2.3.4 e)
1 - Inspect the Failure Mode and Effect Analysis (FMEA) to verify that fault containment
mechanism is well identified
2 – Initialize the IMA module in consistency with Usage Domain contained into the
Installation Manual
3 – Verify that each fault containment mechanism is well implemented avoiding fault
propagation between data threads managed by the IMA Module, and outside the IMA
Module, by observing the sanction associated to fault and raised by monitoring.
2.3.6.6 Verification of 2.3.4 f)
1 - Inspect the Failure Mode and Effect Analysis (FMEA) and Fault Tree Analysis [FTA] to
verify that required feared event are well quantified.
2.3.6.7 Verification of 2.3.5 g)
1 – Inspect the Installation Manual to verify that the list of types of buses, their
associated attributes, their configurability and their performances are well documented,
including boundaries, Usage Domain Rules, electrical interface rules.
2.3.6.8 Verification of 2.3.5 h)
1 – Inspect the Installation Manual to verify that the constraints to be respected are
specified for all types of data thread, including their associated Usage Domain Rules and
logical interface rules.
2.4 F4 - Cooling
2.4.1 Description
F4 is an optional sub-function of ETSO-2C153 CLASS A.
In this case, IMA module provides the capacity to:
• Distribute Airflow between aircraft environment (outside the rack) and the mounted
hardware IMA modules inside the IMA module (rack).
• Enforce Airflow with cooling generation unit.
Rack Module
Mounted Module
Mounted Module
MountedModule
Cooling unit
Power dissipation
Airfow
Mounted Module
Power dissipation
Airfow
Figure 9: CLASS A cooling function overview
2.4.2 Functional requirements
For ETSO-2C153 CLASS A, additionally to MPS specified into § 2.1,
a) The IMA module shall distribute airflow to/from mounted hardware IMA module thanks to
a mechanical interface. This distribution shall be realized per slot basis. The IMA module
shall guarantee a cooling performance per slot.
b) The IMA module may provide a mean – named cooling generation unit – to enforce
airflow between aircraft environment and the mounted hardware IMA modules.
c) The Cooling generation unit may be configurable.
COOLINGUNIT
AIRFLOW
SLOT SLOTSLOT SLOT
HW COMPONENTor MODULE
HW COMPONENT
or MODULE
HW COMPONENTor MODULE
HW COMPONENTor MODULE
Mecanical interface Mecanical interface Mecanical interface Mecanical interface
Figure 10: CLASS A Cooling elements relationship
2.4.3 Performance requirements
d) An airflow performance of each slot provided shall be characterized and bounded and
documented in the installation manual.
2.4.4 Safety requirements
e) Failures modes:
For at least following failure modes, failure rate shall be provided:
• Loss of the Cooling generation function
• Erroneous Behavior of the Cooling generation function
Monitoring coverage:
Monitoring Coverage rate (PBIT, CBIT…) shall be provided for all failure modes of
the Cooling generation function.
Events such as Partial loss, too low performance, corruption, impersonation will be taken
into account during the safety analysis.
2.4.5 Required data (linked to §2.2)
f) The Applicant shall provide the list of types of slots, their associated attributes, their
configurability and their performances in terms of cooling.
2.4.6 Verification procedures
Following table gives verification method for each MPS:
MPS Ref MPS text Verification method
(A/I/D/T)
Verification
Acceptance Criteria
2.4.2 a) The IMA module shall distribute airflow
to/from mounted hardware IMA module
thanks to a mechanical interface. This
distribution shall be realized per slot basis.
The IMA module shall guarantee a cooling
performance per slot.
A+T 2.4.6.1
2.4.2 b) The IMA module may provide a mean –
named cooling generation unit – to enforce
airflow between aircraft environment and
the mounted hardware IMA modules.
A+T 2.4.6.2
2.4.2 c) The Cooling generation unit may be
configurable.
I 2.4.6.3
2.4.3 d) An airflow performance of each slot
provided shall be characterized and
bounded and documented in the installation
manual.
I+A 2.4.6.4
2.4.4 e) g) Failures modes:
For at least following failure
modes, failure rate shall be
provided:
• Loss of the
Cooling
generation
function
• Erroneous
Behavior of the
Cooling
generation
function
Monitoring coverage:
Monitoring Coverage rate
(PBIT, CBIT…) shall be
provided for all failure modes
of the Cooling generation
function.
Events such as Partial loss, too low
performance, corruption,
impersonation will be taken into
account during the safety analysis.
A 2.4.6.5
2.4.5 f) The Applicant shall provide the list of types
of slots, their associated attributes, their
configurability and their performances in
terms of cooling.
I 2.4.6.6
Table 4 : Verification Acceptance Criteria
2.4.6.1 Verification of 2.4.2 a)
1 – Inspect the Installation Manual to determine the range number [Min - Max] of
hardware IMA modules between which it is possible to distribute airflow inside the rack
and what the airflow specifications per slot are.
2 – Verify that the Min number is at least equal to two.
3 – Initialize the IMA module in consistency with Usage Domain contained into the
Installation Manual.
4 – Verify that in valid equivalence classes and boundary values of [Min – Max], the
hardware IMA modules are correctly cooled compliantly to specified airflow value.
2.4.6.2 Verification of 2.4.2 b)
If 2.4.2b) is implemented, perform same verification as in 2.4.1a) but with airflow
specifications taking into account cooling generation unit contribution.
2.4.6.3 Verification of 2.4.2 c)
If 2.4.2 c) is implemented:
1 – Inspect the Installation Manual to verify that the configurable attributes of the cooling
generation unit are well defined.
2.4.6.4 Verification of 2.4.3 d)
1 - Inspect the Installation Manual to verify that the airflow performances of each slot are
well documented, including boundaries, Usage Domain Rules, and mechanical interface
rules.
2.4.6.5 Verification of 2.4.4 e)
1 - Inspect the Failure Mode and Effect Analysis (FMEA) and Fault Tree Analysis [FTA] to
verify that required feared event are well quantified.
2.4.6.6 Verification of 2.4.5 f)
1 – Inspect the Installation Manual to verify that the list of types of slots, their associated
attributes, their configurability and their performances in terms of airflow are well
documented, including boundaries, Usage Domain Rules, mechanical interface rules.
APPENDIX 2
INTEGRATED MODULAR AVIONIC PLATFORM AND MODULE
MINIMUM PERFORMANCE SPECIFICATION (MPS)
CLASS B: Processing (PR)
1. Purpose and scope
1.1. Introduction
This document contains CLASS B Minimum Performance Standards (MPS).
These standards specify characteristics that should be useful to designers, manufacturers,
installers and users of the IMA module.
1.2. Module Overview
For ETSO-2C153 CLASS B, IMA module provides shared resources in terms of processing, data
storage and interfaces between IMA applications, modules and/or components.
Following definitions are used:
� Processing Unit: set of physical components (hardware and or software) in charge of
supplying and managing a shared processing resource.
� Storage Unit: set of physical components (hardware and or software) in charge of
supplying and managing a shared data storage resource.
� Interface Unit: set of physical components (hardware and or software) in charge of
supplying and managing a shared information resource.
� Processing Element: well-defined set of data which is a primary form of software
execution and for which a level of isolation would be guaranteed by IMA module.
1.3. Intended Function
Based on the definition of the CLASS B MPS, this section provides Minimum Performance
Standards (MPS) for the intended function which is to provide the capability to share
Processing, Data storage, information supplied by one or several processing, storage,
interfaces units.
These services are limited to the following ones:
• F1: Processing sharing
• F2: Information sharing
• F3: Data Storage sharing
The following figure provides an overview of the previously mentioned IMA module intended
function and associated interfaces:
Processing Module
Interface unit
Hosted Component
Hosted Applications
Hosted Module
Processing UnitStorage Unit
Interfaces
Data thread
Storage ElementProcessing
ElementProcessing
Element
Figure 1: IMA module overview for ETSO-2C153 CLASS B
2. Requirements
2.1. F1 - Processing
2.1.1. Description
For ETSO-2C153 CLASS B, IMA module provides shared resources for processing needs of
IMA applications, modules and/or components.
2.1.2. Functional requirements
For ETSO-2C153 CLASS B:
a) The IMA module shall provide to IMA applications, modules and/or components the
capacity to use shared Processing Resource thanks to Processing Elements handled
through a logical interface (such as an API).
b) The robust partitioning between Processing Elements used by IMA applications, modules
and/or components shall be ensured by the IMA module.
c) The IMA module shall provide the list of types of Processing Elements (e.g. application,
partition, process, thread…) for which the robust partitioning is guaranteed. The list of
types of Processing Element and the associated attributes shall be provided in the
installation manual.
d) Any breach in robust partitioning guaranteed by c) shall be detected by the IMA module.
e) Some attributes of each Processing Element guaranteed by c) may be configurable.
The logical interface of the IMA module will conform to characteristics as described by a
standard (ARINC653 for example).
PROCESSINGUNIT
PROCESSINGUNIT
PROCESSINGUNIT
PROCESSINGRESOURCE
PROCESSINGELEMENT
PROCESSINGELEMENT
PROCESSINGELEMENT
PROCESSINGELEMENT
Programming interface
Figure 2: CLASS B Processing (PR) elements relationship
2.1.3. Performance requirements
f) The performances (inc. sizing, access time…) of each management mechanism including
monitoring shall be characterized, bounded and documented in the Installation Manual.
2.1.4. Safety requirements
g) For ETSO-2C153 CLASS B, The IMA module shall implement a fault containment
mechanism concerning processing unit(s) to prevent from fault propagation between
processing elements managed by the IMA module, and outside the IMA module.
h) Failures modes:
For at least following failure modes, failure rate shall be provided:
• Loss of the IMA module
• Erroneous Behavior of the IMA module
• Loss of the shared processing resource
• Erroneous Behavior of the shared processing resource
Monitoring coverage:
Monitoring Coverage rate (PBIT, CBIT…) shall be provided for all failure modes of
the IMA module (inc. Shared and unshared resources).
For shared processing resource, monitoring Coverage rate (inc. Resource itself,
sharing mechanisms and robust partitioning mechanisms) shall be provided.
Events such as bad sequencing, delay, corruption, impersonation will be taken into
account during the safety analysis.
2.1.5. Required data
i) The Applicant shall provide the list of types of Processing Element, the associated
attributes, their configurability and their temporal and sizing performances.
j) The Applicant shall provide any data needed to evaluate Worst Case Execution Time
(WCET) usage of hosted application, module or component
k) As required in § 2.2, the Applicant shall provide in installation manual all constraints
(including limitations, Usage Domain and activities) to be respected by the users.
2.1.6. Verification procedures
Following table gives verification method for each MPS:
MPS Ref MPS text Verification
method (A/I/D/T)
Verification Acceptance
Criteria
2.1.2 a) The IMA module shall provide to IMA
applications, modules and/or
components the capacity to use shared
Processing Resource thanks to
Processing Elements handled through a
logical interface (such as an API).
I+T 2.1.6.1
2.1.2 b) The robust partitioning between
Processing Elements used by IMA
applications, modules and/or
components shall be ensured by the IMA
module.
I+A+T 2.1.6.2
2.1.2 c) The IMA module shall provide the list of
types of Processing Elements (e.g.
application, partition, process, thread…)
for which the robust partitioning is
guaranteed. The list of types of
Processing Element and the associated
attributes shall be provided in the
installation manual.
I 2.1.6.3
2.1.2 d) Any breach in robust partitioning
guaranteed by c) shall be detected by
the IMA module.
I+A+T 2.1.6.4
2.1.2 e)
Some attributes of each Processing
Element guaranteed by c) may be
configurable.
I 2.1.6.5
2.1.3 f) The performances (inc. sizing, access
time…) of each management mechanism
including monitoring shall be
characterized, bounded and documented
in the Installation Manual.
I+A 2.1.6.6
MPS Ref MPS text Verification
method (A/I/D/T)
Verification Acceptance
Criteria
2.1.4 g) For ETSO-2C153 CLASS B, The IMA
module shall implement a fault
containment mechanism concerning
processing unit(s) to prevent from fault
propagation between processing
elements managed by the IMA module,
and outside the IMA module.
I+T 2.1.6.7
MPS Ref MPS text Verification
method (A/I/D/T)
Verification Acceptance
Criteria
2.1.4 h) Failures modes:
For at least following failure modes,
failure rate shall be provided:
• Loss of the
IMA module
• Erroneous
Behavior of
the IMA
module
• Loss of the
shared
processing
resource
• Erroneous
Behavior of
the shared
processing
resource
•
• Monitoring
coverage:
• Monitoring
Coverage rate
(PBIT, CBIT…)
shall be
provided for
all failure
modes of the
IMA module
(inc. Shared
and unshared
resources).
For shared processing resource,
monitoring Coverage rate (inc.
Resource itself, sharing
mechanisms and robust
partitioning mechanisms) shall be
provided.
Events such as bad
sequencing, delay,
corruption, impersonation
will be taken into account
during the safety analysis.
A 2.1.6.8
2.1.5 i) The Applicant shall provide the list of
types of Processing Element, the
associated attributes, their
configurability and their temporal and
sizing performances.
I 2.1.6.9
MPS Ref MPS text Verification
method (A/I/D/T)
Verification Acceptance
Criteria
2.1.5 j) The Applicant shall provide any data
needed to evaluate Worst Case
Execution Time (WCET) usage of hosted
application, module or component
I 2.1.6.10
2.1.5 k) As required in § 2.2, the Applicant shall
provide in installation manual all
constraints (including limitations, Usage
Domain and activities) to be respected
by the users.
I 2.1.6.11
Table 1 : Verification Acceptance Criteria
2.1.6.1. Verification of 2.1.2 a)
1 – Inspect the Installation Manual to determine the range number [Min - Max] of IMA
applications, components and/or modules between which it is possible to share the
processing resource.
2 – Verify that the Min number is at least equal to two.
3 – Initialize the IMA module in consistency with Usage Domain contained into the
Installation Manual.
4 – Verify that in valid equivalence classes and boundary values of [Min – Max], the IMA
applications, components and/or modules access correctly to share processing resource.
5 – Verify that Logical Interface is well implemented according to its specification given
into the Installation Manual.
2.1.6.2. Verification of 2.1.2 b)
1 – Inspect the Partitioning Analysis of the IMA module and verify that all the temporal or
spatial unauthorized interferences between processing element are well identified and
mitigated by either a design mechanism either a Usage Domain rule.
2 – Inspect the Installation Manual to determine the range number [Min - Max] of IMA
applications, components and/or modules between which it is possible to share the
processing resource.
3 – Initialize the IMA module in consistency with Usage Domain contained into the
Installation Manual.
4 – Verify that in valid equivalence classes and boundary values of [Min – Max], for each
unauthorized interference, a robust partitioning mechanism is well implemented.
2.1.6.3. Verification of 2.1.2 c)
1 – Inspect the Installation Manual to verify that the list of types of processing elements
(e.g. application, partition, process and thread...) for which the temporal and spatial
robust partitioning is guaranteed is well defined.
2 - Inspect the Installation Manual to verify that the attributes of each type of processing
elements are well defined. Attributes are:
� Usage domain rules associated to Processing Element type.
� Programming interface associated to Processing Element type.
� Software production rules associated to Processing Element type.
2.1.6.4. Verification of 2.1.2 d)
1 – After Verification of 2.1.2c)
2 – For each type of processing element, initialize the attributes in consistency with
Usage Domain contained into the Installation Manual.
3 – Verify with an outer value of valid equivalence classes and boundary values of
processing element attributes, that the associated robust partitioning breach detection is
well implemented.
2.1.6.5. Verification of 2.1.2 e)
If 2.1.e) is implemented:
1 – Inspect the Installation Manual to verify that the configurable attributes of types of
processing elements (e.g. application, partition, process and thread...) are well defined.
2 – Inspect the Installation Manual to verify that the authorized values of each
configurable attributes are well defined as Usage Domain rules.
2.1.6.6. Verification of 2.1.3 f)
1 - Inspect the Installation Manual to verify that the temporal performances of each
management mechanism including monitoring of each type of Processing Element are
well documented, including boundaries, Usage Domain Rules, Programming Interface and
Software rules.
2.1.6.7. Verification of 2.1.4 g)
1 - Inspect the Failure Mode and Effect Analysis (FMEA) to verify that fault containment
mechanism is well identified
2 – Initialize the IMA module in consistency with Usage Domain contained into the
Installation Manual
4 – Verify that each fault containment mechanism is well implemented avoiding fault
propagation between processing element managed by the IMA module, and outside the
IMA module, by observing the sanction associated to fault and raised by monitoring.
2.1.6.8. Verification of 2.1.4 h)
1 - Inspect the Failure Mode and Effect Analysis (FMEA) and Fault Tree Analysis (FTA) to
verify that required feared event are well quantified.
2.1.6.9. Verification of 2.1.5 i)
1 – Inspect the Installation Manual to verify that the list of types of Processing Element,
their associated attributes, their configurability and their temporal, performances are well
documented, including boundaries, Usage Domain Rules, programming interface and
software production rules.
2.1.6.10. Verification of 2.1.5 j)
1 – Inspect the Installation Manual to verify that means needed to evaluate WCET of
processing element are available.
2 - Initialize the IMA module in consistency with Usage Domain contained into the
Installation Manual.
3 – Verify that the WCET and WCM of processing element can be correctly evaluated
thanks to supplied means.
2.1.6.11. Verification of 2.1.5 k)
1 – Inspect the Installation Manual to verify that the constraint to be respected is
specified for all types of managed processing element, including their associated Usage
Domain Rules and logical interface rules.
2.2. F2 Information sharing
2.2.1. Description
For ETSO-2C153 CLASS B, IMA module provides shared resources for interfaces of IMA
applications, modules and/or components.
The description and the specification of this sub-function F2 is based on Minimum
Performance Specification of the ETSO-2C153 CLASS E (IF).
2.2.2. Functional requirements
For ETSO-2C153 CLASS B:
a) The IMA module shall provide to hosted IMA hosted Applications, modules and/or
components the following capabilities allowing Information Resource sharing through a
logical interface (such as an API) :
o Information acquisition & control with an optional conversion function
o Information forwarding & control with an optional conversion function
Additionally to this requirement, ETSO-2C153 CLASS E functional requirements (§ 2.1)
from a) to e) are applicable to IMA module.
2.2.3. Performance requirements
For ETSO-2C153 CLASS B, ETSO-2C153 CLASS E performance requirements (§ 2.2) are
applicable to IMA module.
2.2.4. Safety requirements
For ETSO-2C153 CLASS B, ETSO-2C153 CLASS E safety requirements (§ 2.3) are
applicable to IMA module.
2.2.5. Required data
For ETSO-2C153 CLASS B, ETSO-2C153 CLASS E Required data requirements (§ 2.4) are
applicable to IMA module.
2.2.6. Verification procedures
Following table gives verification method for each MPS:
MPS Ref MPS text Verification
method (A/I/D/T)
Verification Acceptance
Criteria
2.2.2 a) The IMA module shall provide to hosted
IMA hosted Applications, modules and/or
components the following capabilities
allowing Information Resource sharing
through a logical interface (such as an
API) :
I+T 2.2.6.1
N/A ETSO-2C153 CLASS E requirements § 2
a) to k)
Apply ETSO-
2C153 CLASS E
Verification
Methods
Apply ETSO-2C153
CLASS E Verification
Methods
Table 2 : Verification Acceptance Criteria
2.2.6.1. Verification of 2.2.2a)
1 – Inspect the Installation Manual to determine the range number [Min - Max] of IMA
applications, components and/or modules between which it is possible to share the
information resource.
2 – Verify that the Min number is at least equal to two.
3 – Initialize the IMA module in consistency with Usage Domain contained into the
Installation Manual
4 – Verify that in valid equivalence classes and boundary values of [Min – Max], the IMA
applications, components and/or modules access correctly to share information resource
through the programming interface defined into the Installation Manual.
2.3. F3 Data Storage sharing
2.3.1. Description
For ETSO-2C153 CLASS B, IMA module provides shared data storage resource to IMA
applications, modules and/or components.
The description and the specification of this sub-function F3 is based on Minimum
Performance Specification of the ETSO-2C153 CLASS D (DS).
2.3.2. Functional requirements
For ETSO-2C153 CLASS B, all ETSO-2C153 CLASS D Minimum Performance Specification
are applicable to IMA module.
2.3.3. Performance requirements
For ETSO-2C153 CLASS B, all ETSO-2C153 CLASS D performance requirements are
applicable to IMA module.
2.3.4. Safety requirements
For ETSO-2C153 CLASS B, all ETSO-2C153 CLASS D safety requirements are applicable to
IMA module.
2.3.5. Required data
For ETSO-2C153 CLASS B, all ETSO-2C153 CLASS D required data requirements are
applicable to IMA module.
2.3.6. Verification procedure
For ETSO-2C153 CLASS B, all ETSO-2C153 CLASS D verification procedures are applicable
to IMA module.
APPENDIX 2
INTEGRATED MODULAR AVIONIC MODULE
MINIMUM PERFORMANCE SPECIFICATION (MPS)
CLASS C: Graphical Processing (GP)
1. Purpose and scope
1.1. Introduction This document contains CLASS C Minimum Performance Specification (MPS).
These standards specify characteristics that should be useful to designers, manufacturers,
installers and users of the IMA module.
1.2. Overview For ETSO-2C153 CLASS C, IMA module provides shared resources in terms of graphical
conversion and graphical laying out between IMA applications, modules and/or components
based on commands coming from these IMA applications, modules and/or components.
Following definitions are used:
� Graphical conversion: Transformation of a set of data information (digital) into set of
graphical and displayable information.
� Laying out : Operation consisting in a combination of merging or/and splitting actions on
graphical and displayable information in order to build final Graphical Thread to be
rendered.
� Conversion Unit: set of physical components (hardware and/or software) in charge of
supplying and managing a shared graphical conversion based on command thread.
� Laying out Unit: set of physical components (hardware and/or software) in charge of
supplying and managing a shared graphical laying out based on command thread.
� Graphical Thread: set of graphical (display) information for which a level of isolation
would be guaranteed by the IMA module.
� Data Thread: well-defined set of data which is a primary form of drawing information
received as input by the IMA module from IMA applications, modules and/or components.
� Command Thread: well-defined set of directives received as input by the IMA module
from IMA applications, modules and/or components in order to change the conversion
and laying out settings.
Note:
The both units can be merged in one hardware component.
The final rendering of the graphical thread(s) is out of scope of this module (refer to Type G).
1.3. Intended function Based on the definition of the CLASS C MPS, this section provides Minimum Performance
Standards (MPS) for the intended function which is to provide the capability to share
graphical conversion and graphical laying out supplied by one or several graphical
conversion and graphical laying out unit(s).
This intended function is Graphical Conversion and Laying out resource sharing composed of
o Information acquisition & control,
o Information conversion and laying out,
o Information forwarding & control.
The following figure provides an overview of the previously mentioned intended function and
associated interfaces:
Graphical thread = F(Σdata threads)(Cd)
Σ Command threads
Figure 1: IMA module overview for ETSO-2C153 CLASS C
2. Requirements
2.1. Graphical Conversion and laying out resource sharing
2.1.1. Description
For ETSO-2C153 CLASS C, IMA module provides shared resources for graphical conversion
and graphical laying out needs of IMA applications, modules and/or components.
2.1.2. Functional requirements
For ETSO-2C153 CLASS C:
a) The IMA Module shall provide to IMA applications, modules and/or components the capacity
to use shared Graphical Conversion Resource and Graphical Laying out Resource based on
command threads through logical and/or physical interface(s).
b) The robust partitioning between threads from IMA applications, modules and/or components
using the shared Graphical Conversion Resource and Laying out Resource shall be ensured
by the IMA Module.
c) The IMA Module shall provide the list of types of thread for which the robust partitioning is guaranteed. The list of types of thread and the associated attributes shall be provided in the
installation manual.
d) Any breach in robust partitioning guaranteed by c) shall be detected by the IMA Module. e) Some attributes of each thread guaranteed by c) may be configurable.
The interface(s) of the IMA Module will conform to characteristics as described by a standard
(ARINC 661, ARINC 708, STANAG for example).
GRAPH ICAL CO NVE RSION
UNIT
GRAP HICAL CONVE RSION
UNIT
GRA PH ICA L CON VERS IO N
UNIT
GR A PH IC A L C ON V ER S IONR E SO UR C E
D ATAT HREA D
DATAT HREAD
In pu t i nt erfa ce
GRA PHICA LT READ
GR A PHIC A LTREAD
G RAP HICALTR E AD
O u pu t i nt erfa ce
GRAPHICAL L A YING OUT
UNIT
G RAPHICAL LAYING OUT
U NIT
GRAPHICAL L AYING O UT
UNIT
GR A PH IC A L LA Y IN G OU TR ES OU R C E
IM A a ppl ic a t ions
D ATAT HREAD
DATATHR EAD
I nt erna l in terf ace
CO MMAND STH READ
COM MANDSTHR EAD
GRA PH ICA LTREAD
GRA PH ICA LTREAD
GRA PH ICA LTREAD
I np ut i nt erfa ce In pu t in terf ace
I MA a ppli c at io ns E xt e rna l s ourc es Di s pla y U nit
Figure 2: CLASS E Graphical Processing (GP) elements relationship
2.1.3. Performance requirements
f) The performances of each management mechanism including monitoring shall be
characterized, bounded and documented in the installation manual.
2.1.4. Safety requirements
g) For ETSO-2C153 CLASS C, the IMA module shall implement a fault containment mechanism
concerning graphical unit(s) to prevent from fault propagation between threads managed by
the IMA module, and outside the IMA module.
h) Failures modes:
For at least following failure modes, failure rate shall be provided:
� Loss of the IMA module
� Erroneous Behavior of the IMA module
� Loss of the shared Graphical Conversion Resource and Laying out Resource
� Erroneous Behavior of the shared Graphical Conversion Resource and Laying
out Resource
Monitoring coverage:
Monitoring Coverage rate (PBIT, CBIT…) shall be provided for all failure modes of the IMA
Module (inc. Shared and unshared resources).
For shared Graphical Conversion Resource and Laying out Resource, monitoring Coverage
rate (inc. Resource itself, sharing mechanisms and robust partitioning mechanisms) shall
be provided.
Events such as delay, corruption, impersonation, loss, frozen information will be taken into
account during the safety analysis.
Particular emphasis should be given to precluding or mitigating failures which could result in
hazardously misleading information. Undetected loss of information or frozen information
could contribute to hazardously misleading information.
2.1.5. Required data (linked to §2.2)
i) The Applicant shall provide the list of type of threads, the associated attributes, their
configurability, their sizing and graphical processing time performances.
j) As required in § 2.2, the Applicant shall provide in installation manual all constraints
(including limitations, Usage Domain and activities) to be respected by the users.
k) The applicant shall provide any data needed to evaluate Worst Case Graphical Elaboration
Time of managed threads.
2.1.6. Verification procedures
Following table gives verification method for each MPS:
MPS Ref MPS text Verification method
(A/I/D/T)
Verification
Acceptance Criteria
2.1.2 a) The IMA Module shall provide to IMA
applications, modules and/or components
the capacity to use shared Graphical
Conversion Resource and Graphical Laying
out Resource based on command threads
through logical and/or physical
interface(s).
I+T 2.1.6.1
2.1.2 b) The robust partitioning between threads
from IMA applications, modules and/or
components using the shared Graphical
Conversion Resource and Laying out
Resource shall be ensured by the IMA
Module.
I+A+T 2.1.6.2
MPS Ref MPS text Verification method
(A/I/D/T)
Verification
Acceptance Criteria
2.1.2 c) The IMA Module shall provide the list of
types of thread for which the robust
partitioning is guaranteed. The list of types
of thread and the associated attributes
shall be provided in the installation
manual.
I 2.1.6.3
2.1.2 d) Any breach in robust partitioning
guaranteed by c) shall be detected by the
IMA Module.
I+A+T 2.1.6.4
2.1.2 e) Some attributes of each thread guaranteed
by c) may be configurable.
I 2.1.6.5
2.1.3 f) The performances of each management
mechanism including monitoring shall be
characterized, bounded and documented in
the installation manual.
I+A 2.1.6.6
2.1.4 g) For ETSO-2C153 CLASS C, the IMA module
shall implement a fault containment
mechanism concerning graphical unit(s) to
prevent from fault propagation between
threads managed by the IMA module, and
outside the IMA module.
I+T 2.1.6.7
2.1.4 h) Failures modes:
For at least following failure modes,
failure rate shall be provided:
� Loss of the IMA module
� Erroneous Behavior of
the IMA module
� Loss of the shared
Graphical Conversion
Resource and Laying out
Resource
� Erroneous Behavior of
the shared Graphical
Conversion Resource and
Laying out Resource
Monitoring coverage:
Monitoring Coverage rate (PBIT,
CBIT…) shall be provided for all
failure modes of the IMA Module
(inc. Shared and unshared
resources).
I 2.1.6.8
2.1.5 i) The Applicant shall provide the list of type
of threads, the associated attributes, their
configurability, their sizing and graphical
processing time performances.
I 2.1.6.9
2.1.5 j) As required in § 2.2, the Applicant shall provide in installation manual all
constraints (including limitations, Usage
Domain and activities) to be respected by
the users.
I 2.1.6.10
2.1.5 k) The applicant shall provide any data
needed to evaluate Worst Case Graphical
Elaboration Time of managed threads.
I + A 2.1.6.11
Table 1 : Verification Acceptance Criteria
2.1.6.1. Verification of 2.1.2 a)
1 – Inspect the Installation Manual to determine the range number [Min - Max] of IMA
applications, components and/or modules between which it is possible to share the
graphical conversion resource and graphical laying out resource.
2 – Verify that the Min number is at least equal to two.
3 – Initialize the IMA module in consistency with Usage Domain contained into the
Installation Manual
4 – Set commands to IMA module in consistency with Usage Domain contained into the
Installation Manual
5 – Verify that in valid equivalence classes and boundary values of [Min – Max], the IMA
applications, components and/or modules access correctly to share graphical conversion
resource and graphical laying out resource depending on commands set.
6 – Verify that Interfaces are well implemented according to their specifications given
into the Installation Manual.
2.1.6.2. Verification of 2.1.2 b)
1 – Inspect the Partitioning Analysis of the IMA module and verify that all the
unauthorized interferences between threads from IMA applications, components and/or
modules are well identified and mitigated by either a design mechanism either a Usage
Domain rule.
2 – Inspect the Installation Manual to determine the range number [Min - Max] of IMA
applications, components and/or modules between which it is possible to share the
graphical conversion resource and graphical laying out resource.
3 – Initialize the IMA module in consistency with Usage Domain contained into the
Installation Manual.
4 – Set commands to IMA module in consistency with Usage Domain contained into the
Installation Manual.
5 – Verify that in valid equivalence classes and boundary values of [Min – Max], for each
unauthorized interference, a robust partitioning mechanism is well implemented.
2.1.6.3. Verification of 2.1.2 c)
1 – Inspect the Installation Manual to verify that the list of types of thread for which the
robust partitioning is guaranteed are well defined.
2 - Inspect the Installation Manual to verify that the attributes of each type of thread are
well defined. Attributes are:
� Usage domain rules associated to thread type.
� Programming interface and/or physical interface associated to thread type.
2.1.6.4. Verification of 2.1.2 d)
1 – After Verification of 2.1.2 c)
2 – For each type of thread, initialize (and potentially configure) the attributes of thread
in consistency with Usage Domain contained into the Installation Manual.
3 – Set commands to IMA module in consistency with Usage Domain contained into the
Installation Manual.
4 – Verify with an outer value of valid equivalence classes and boundary values of thread
attributes, that the associated robust partitioning breach detection is well implemented.
2.1.6.5. Verification of 2.1.2 e)
If 2.1.2 e) is implemented:
1 – Inspect the Installation Manual to verify that the configurable attributes of types of
thread are well defined.
2 – Inspect the Installation Manual to verify that the authorized values of each
configurable attribute are well defined as Usage Domain rules.
2.1.6.6. Verification of 2.1.3 f)
1 - Inspect the Installation Manual to verify that the sizing (e.g. Bandwidth) and the
distribution time (e.g. Latency) performances of each management mechanism including
monitoring of each type of thread are well documented, including boundaries, Usage
Domain Rules, and logical Interface rules.
2.1.6.7. Verification of 2.1.4 g)
1 - Inspect the Failure Mode and Effect Analysis (FMEA) to verify that Fault Containment
mechanism is well identified
2 – Initialize the IMA module in consistency with Usage Domain contained into the
Installation Manual
3 – Set application commands in consistency with Usage Domain contained into the
Installation Manual
4 - Verify that each fault containment mechanism is well implemented avoiding fault
propagation between threads managed by the GP, and outside the GP by observing the
sanction associated to fault and raised by monitoring.
2.1.6.8. Verification of 2.1.4 h)
1 - Inspect the Failure Mode and Effect Analysis (FMEA) and Fault Tree Analysis (FTA) to
verify that required feared event are well quantified.
2.1.6.9. Verification of 2.1.5 i)
1 – Inspect the Installation Manual to verify that the list of types of thread, their
associated attributes, their configurability and their performances are well documented,
including boundaries, Usage Domain Rules, interface rules.
2.1.6.10. Verification of 2.1.5 j)
1 – Inspect the Installation Manual to verify that the constraint to be respected is
specified for all types of data and command thread, including their associated Usage
Domain Rules and interface rules.
2.1.6.11. Verification of 2.1.5 k)
1 – Inspect the Installation Manual to verify that means needed to evaluate Worst Case
Graphical Elaboration Time of graphical thread(s) are available.
2 - Initialize the IMA module in consistency with Usage Domain contained into the
Installation Manual.
3 - Set commands to IMA module in consistency with Usage Domain contained into the
Installation Manual
4 – Verify that the Worst Case Graphical Elaboration Time of each type of threads can be
evaluated thanks to supplied means.
APPENDIX 2
INTEGRATED MODULAR AVIONIC PLATFORM MODULE
MINIMUM PERFORMANCE SPECIFICATION (MPS)
CLASS D: Data Storage (DS)
1. Purpose and scope
1.1. Introduction
This document contains CLASS D Minimum Performance Standards (MPS).
These standards specify characteristics that should be useful to designers, manufacturers,
installers and users of the IMA module.
1.2. Overview
For ETSO-2C153 CLASS D, IMA module provides shared resources in terms of data storage
between IMA applications, modules and/or components.
Data Storage refers to the storage of data in a persisting and machine-readable mode. A Data
Storage that only holds information is a recording article. Data Storage that record data may
both access a separate portable (removable) recording component or a permanent component
to store and retrieve data.
Following definitions are used:
� Storage Unit: set of physical components (hardware and/or software) in charge of
supplying and managing recorded data resource (e.g. memory components and
associated interfaces…)
� Data Storage Element: well-defined set of data storage which is a primary form of
recorded data and for which a level of isolation would be guaranteed by the IMA module.
Each Data Storage Element handled by the IMA module may be bidirectional or symmetrical, but
not necessarily, between interconnected components, modules, and/or IMA applications.
1.3. Intended Function
Based on the definition of the CLASS D MPS, this section provides Minimum Performance
Standards (MPS) for the intended function which is to provide the capability to share
recorded data supplied by one or several storage units.
2. Requirements
For ETSO-2C153 CLASS D, IMA module provides shared resources for data record needs of
IMA applications, modules and/or components.
2.1. Functional requirements
For ETSO-2C153 CLASS D:
a) The IMA module shall provide to IMA applications, modules and/or components the
capacity to use shared recorded data resource thank to data storage elements accessible
through a logical and/or physical interface(s).
b) The robust partitioning between data storage elements used by IMA applications,
modules and/or components shall be ensured by the IMA module.
c) The IMA module shall provide the list of types of Data Storage Element for which the
robust partitioning is guaranteed. The list of types of Data Storage Element and the
associated attributes shall be provided in the installation manual.
d) Any breach in robust partitioning guaranteed by c) shall be detected by the IMA module.
e) Some attributes of each Data Storage Element guaranteed by c) may be configurable.
The interface(s) of the IMA module will conform to characteristics as described by a
standard (ARINC665, ARINC600 or ARINC 664 for example). The interface(s) includes
recorded data format.
STORAGEUNIT
STORAGEUNIT
STORAGEUNIT
RECORDEDDATA
RESOURCE
DataStorageElement
DataStorageElem ent
DataStor ageElem ent
DataStor ageElem ent
Interfaces
Figure 1: CLASS D Data Storage (DS) elements relationship
2.2. Performance requirements
f) The performances of each management mechanism including monitoring shall be
characterized, bounded and documented in the Installation Manual.
2.3. Safety requirements
g) For ETSO-2C153 CLASS D, the IMA module shall implement a fault containment
mechanism concerning Storage Unit(s) to prevent from fault propagation between data
storage elements managed by the IMA module, and outside the IMA module.
h) Failures modes:
For at least following failure modes, failure rate shall be provided:
• Loss of the IMA module
• Erroneous Behavior of the IMA module
• Loss of the shared recorded data resource
• Erroneous Behavior of the shared recorded data resource
Monitoring coverage:
Monitoring Coverage rate (PBIT, CBIT…) shall be provided for all failure modes of
the IMA Module (inc. Shared and unshared resources).
For shared recorded data resource, monitoring Coverage rate (inc. Resource itself,
sharing mechanisms and robust partitioning mechanisms) shall be provided.
Events such as bad record, bad read access, delay, corruption, impersonation will be
taken into account during the safety analysis.
2.4. Required data (linked to §2.2)
i) The Applicant shall provide the list of type of data storage elements, the associated
attributes, their configurability, their sizing and access time performances
j) As required in § 2.2, the Applicant shall provide in installation manual all constraints
(including limitations, Usage Domain and activities) to be respected by the users.
k) The Applicant shall provide any data needed to evaluate Worst Case Access Time of
managed data storage element.
2.5. Verification Procedures
Following table gives verification method for each MPS:
MPS Ref MPS text Verification method
(A/I/D/T)
Verification
Acceptance Criteria
2.1 a) The IMA module shall provide to IMA
applications, modules and/or components
the capacity to use shared recorded data
resource thank to data storage elements
accessible through a logical and/or physical
interface(s).
I+T 2.5.1
2.1 b) The robust partitioning between data
storage elements used by IMA applications,
modules and/or components shall be
ensured by the IMA module.
I+A+T 2.5.2
MPS Ref MPS text Verification method
(A/I/D/T)
Verification
Acceptance Criteria
2.1 c) The IMA module shall provide the list of
types of Data Storage Element for which
the robust partitioning is guaranteed. The
list of types of Data Storage Element and
the associated attributes shall be provided
in the installation manual.
I 2.5.3
2.1 d) Any breach in robust partitioning
guaranteed by c) shall be detected by the
IMA module.
I+A+T 2.5.4
2.1 e)
Some attributes of each Data Storage
Element guaranteed by c) may be
configurable.
I 2.5.5
2.2 f) The performances of each management
mechanism including monitoring shall be
characterized, bounded and documented in
the Installation Manual.
I+A 2.5.6
2.3 g) For ETSO-2C153 CLASS D, the IMA module
shall implement a fault containment
mechanism concerning Storage Unit(s) to
prevent from fault propagation between
data storage elements managed by the IMA
module, and outside the IMA module.
I+T 2.5.7
MPS Ref MPS text Verification method
(A/I/D/T)
Verification
Acceptance Criteria
2.3 h) Failures modes:
For at least following failure modes, failure
rate shall be provided:
• Loss of the IMA
module
• Erroneous
Behavior of the
IMA module
• Loss of the
shared recorded
data resource
• Erroneous
Behavior of the
shared recorded
data resource
Monitoring coverage:
Monitoring Coverage rate
(PBIT, CBIT…) shall be
provided for all failure modes
of the IMA Module (inc.
Shared and unshared
resources).
For shared recorded data
resource, monitoring
Coverage rate (inc. Resource
itself, sharing mechanisms
and robust partitioning
mechanisms) shall be
provided.
Events such as bad record, bad read
access, delay, corruption,
impersonation will be taken into
account during the safety analysis.
A 2.5.8
2.4 i) The Applicant shall provide the list of type
of data storage elements, the associated
attributes, their configurability, their sizing
and access time performances
I 2.5.9
2.4 j) As required in § 2.2, the Applicant shall
provide in installation manual all
constraints (including limitations, Usage
Domain and activities) to be respected by
the users.
I 2.5.10
2.4 k) The Applicant shall provide any data
needed to evaluate Worst Case Access Time
of managed data storage element.
I + A 2.5.11
Table 1 : Verification Acceptance Criteria
2.5.1. Verification of 2.1a)
1 – Inspect the Installation Manual to determine the range number [Min - Max] of IMA
applications, components and/or modules between which it is possible to share the
recorded data resource.
2 – Verify that the Min number is at least equal to two.
3 – Initialize the IMA module in consistency with Usage Domain contained into the
Installation Manual.
4 – Verify that in valid equivalence classes and boundary values of [Min – Max], the IMA
applications, components and/or modules access correctly to share recorded data
resource.
5 – Verify that Interfaces are well implemented according to its (their) specification(s)
given into the Installation Manual.
2.5.2. Verification of 2.1b)
1 – Inspect the Partitioning Analysis of the IMA module and verify that all the
unauthorized interferences between elements from IMA applications, components and/or
modules are well identified and mitigated by either a design mechanism either a Usage
Domain rule.
2 – Inspect the Installation Manual to determine the range number [Min - Max] of IMA
applications, components and/or modules between which it is possible to share the
recorded data resource.
3 – Initialize the IMA module in consistency with Usage Domain contained into the
Installation Manual.
4 – Verify that in valid equivalence classes and boundary values of [Min – Max], for each
unauthorized interference, a robust partitioning mechanism is well implemented.
2.5.3. Verification of 2.1c)
1 – Inspect the Installation Manual to verify that the list of types of Data Storage
element for which the robust partitioning is guaranteed are well defined.
2 - Inspect the Installation Manual to verify that the attributes of each type of Data
Storage element are well defined. Attributes are:
• Usage domain rules associated to Data Storage element type.
• Programming interface associated to Data Storage element type.
2.5.4. Verification of 2.1d)
1 – After Verification of 2.1c)
2 – For each type of data element, initialize (and potentially configure) the attributes of
Data Storage element in consistency with Usage Domain contained into the Installation
Manual.
3 – Verify with an outer value of valid equivalence classes and boundary values of Data
Storage element attributes, that the associated robust partitioning breach detection is
well implemented.
2.5.5. Verification of 2.1e)
If 2.1e) is implemented:
1 – Inspect the Installation Manual to verify that the configurable attributes of types of
Data Storage element are well defined.
2 – Inspect the Installation Manual to verify that the authorized values of each
configurable attribute are well defined as Usage Domain rules.
2.5.6. Verification of 2.2f)
1 - Inspect the Installation Manual to verify that the sizing (e.g. Bandwidth) and the
distribution time (e.g. Latency) performances of each management mechanism including
monitoring of each type of Data Storage element are well documented, including
boundaries, Usage Domain Rules, and logical Interface rules.
2.5.7. Verification of 2.3g)
1 - Inspect the Failure Mode and Effect Analysis (FMEA) to verify that fault containment
mechanism is well identified
2 – Initialize the IMA module in consistency with Usage Domain contained into the
Installation Manual
3 – Verify that each fault containment mechanism is well implemented avoiding fault
propagation between Data Storage elements managed by the DS, and outside the DS by
observing the sanction associated to fault and raised by monitoring.
2.5.8. Verification of 2.3h)
1 - Inspect the Failure Mode and Effect Analysis (FMEA) and Fault Tree Analysis (FTA) to
verify that required feared event are well quantified.
2.5.9. Verification of 2.4i)
1 – Inspect the Installation Manual to verify that the list of types of data storage
element, their associated attributes, their configurability and their performances are well
documented, including boundaries, Usage Domain Rules, logical interface associated to
Data Storage element type.
2.5.10. Verification of 2.4j)
1 – Inspect the Installation Manual to verify that the constraints to be respected are
specified for all types of data storage element, including their associated Usage Domain
Rules and logical interface rules.
2.5.11. Verification of 2.4k)
1 – Inspect the Installation Manual to verify that means needed to evaluate Worst Case
Access Time of each type of Data Storage element are available.
2 - Initialize the IMA module in consistency with Usage Domain contained into the
Installation Manual.
3 – Verify that the Worst Case Access Time of each type of Data Storage elements can be
evaluated thanks to supplied means.
APPENDIX 2
INTEGRATED MODULAR AVIONIC MODULE
MINIMUM PERFORMANCE SPECIFICATION (MPS)
CLASS E: Interface (IF)
1. Purpose and scope
1.1. Introduction
This document contains CLASS E Minimum Performance Standards (MPS).
These standards specify characteristics that should be useful to designers, manufacturers,
installers and users of the IMA module.
1.2. Overview
For ETSO-2C153 CLASS E, IMA module provides shared resources in terms of interfaces
between IMA applications, modules and/or components.
Following definitions are used:
� Interface Unit: set of physical components (hardware and/or software) in charge of
supplying and managing a shared information resource.
� Data Thread: well-defined set of data which is a primary form of information and for
which a level of isolation would be guaranteed by IMA module.
Each data thread handled by Interface may be bidirectional or symmetrical, but not necessarily,
between interconnected components, modules, and/or IMA applications.
1.3. Intended Function
Based on the definition of the CLASS E MPS, this section provides Minimum Performance
Standards (MPS) for the intended function which is to provide the capability to share
information supplied by one or several interfaces units.
This intended function is Information Sharing composed of
o information acquisition & control,
o information conversion and,
o Information forwarding & control.
The information forwarding & control function is the mean allowing to share information
between components, modules and/or infrastructures.
The following figure provides an overview of the previously mentioned intended function and
associated interfaces:
Interface
Communication Node
Module 1
Module 2
Module 3
Conversion
Data Link
Data Thread
Component, Module,
function or
Infrastructure
Acquisition & control
Forwarding & control
Figure 1: IMA module overview for ETSO-2C153 CLASS E
2. Requirements
For ETSO-2C153 CLASS E, IMA module provides shared resources for communication
needs of IMA applications, modules and/or components.
2.1. Functional requirements
For ETSO-2C153 CLASS E:
a) The IMA module shall provide to IMA applications, modules and/or components the
capacity to use shared Information Resource thanks to data threads handled through
logical and/or physical interface(s).
b) The robust partitioning between data threads used by IMA applications, modules and/or
components shall be ensured by the IMA module.
c) The IMA module shall provide the list of types of data thread for which the robust
partitioning is guaranteed. The list of types of data thread and the associated attributes
shall be provided in the installation manual.
d) Any breach in robust partitioning guaranteed by c) shall be detected by the IMA module.
e) Some attributes of each data thread guaranteed by c) may be configurable.
The interface(s) of the IMA module will conform to characteristics as described by a
standard (ARINC600 or ARINC 664 for example).
INTERFACEUNIT
INTERFACEUNIT
INTERFACEUNIT
INFORMATIONRESOURCE
DATATHREAD
DATATHREAD
DATATHREAD
DATATHREAD
Interface Interface
Figure 2: CLASS E Interfaces (IF) elements relationship
2.2. Performance requirements
f) The performances of each management mechanism including monitoring shall be
characterized, bounded and documented in the Installation Manual.
2.3. Safety requirements
g) For ETSO-2C153 CLASS E, the IMA module shall implement a fault containment
mechanism concerning interface unit(s) to prevent from fault propagation between data
threads managed by the IMA module, and outside the IMA module.
h) Failures modes:
For at least following failure modes, failure rate shall be provided:
• Loss of the IMA module
• Erroneous Behavior of the IMA module
• Loss of the shared information resource
• Erroneous Behavior of the shared information resource
Monitoring coverage:
Monitoring Coverage rate (PBIT, CBIT…) shall be provided for all failure modes of
the IMA Module (inc. Shared and unshared resources).
For shared information resource, monitoring Coverage rate (inc. Resource itself,
sharing mechanisms and robust partitioning mechanisms) shall be provided.
Events such as bad sequencing, delay, corruption, impersonation will be taken into
account during the safety analysis.
2.4. Required data (linked to §2.2)
i) The Applicant shall provide the list of types of data thread, the associated attributes,
their configurability, and their sizing and distribution time performances.
j) As required in § 2.2, the Applicant shall provide in installation manual all constraints
(including limitations, Usage Domain and activities) to be respected by the users.
k) The Applicant shall provide any data needed to evaluate Worst Case Distribution Time of
managed data thread.
2.5. Verification Procedures
Following table gives verification method for each MPS:
MPS Ref MPS text Verification method
(A/I/D/T)
Verification
Acceptance Criteria
2.1 a) The IMA module shall provide to IMA
applications, modules and/or components
the capacity to use shared Information
Resource thanks to data threads handled
through logical and/or physical interface(s).
I+T 2.5.1
2.1 b) The robust partitioning between data
threads used by IMA applications, modules
and/or components shall be ensured by the
IMA module.
I+A+T 2.5.2
2.1 c) The IMA module shall provide the list of
types of data thread for which the robust
partitioning is guaranteed. The list of types
of data thread and the associated attributes
shall be provided in the installation manual.
I 2.5.3
2.1 d) Any breach in robust partitioning
guaranteed by c) shall be detected by the
I+A+T 2.5.4
2.1 e) Some attributes of each data thread
guaranteed by c) may be configurable.
I 2.5.5
2.2 f) The performances of each management
mechanism including monitoring shall be
characterized, bounded and documented in
the Installation Manual.
I+A 2.5.6
2.3 g) For ETSO-2C153 CLASS E, the IMA module
shall implement a fault containment
mechanism concerning interface unit(s) to
prevent from fault propagation between
data threads managed by the IMA module,
and outside the IMA module.
I+T 2.5.7
MPS Ref MPS text Verification method
(A/I/D/T)
Verification
Acceptance Criteria
2.3 h) Failures modes:
For at least following failure modes, failure
rate shall be provided:
Loss of the IMA module
• Erroneous
Behavior of the
IMA module
• Loss of the
shared
information
resource
• Erroneous
Behavior of the
shared
information
resource
•
• Monitoring
coverage:
• Monitoring
Coverage rate
(PBIT, CBIT…)
shall be provided
for all failure
modes of the
IMA Module (inc.
Shared and
unshared
resources).
For shared information resource,
monitoring Coverage rate (inc.
Resource itself, sharing mechanisms
and robust partitioning mechanisms)
shall be provided.
Events such as bad
sequencing, delay,
corruption, impersonation will
be taken into account during
the safety analysis.
A 2.5.8
2.4 i) The Applicant shall provide the list of types
of data thread, the associated attributes,
their configurability, and their sizing and
distribution time performances
I 2.5.9
2.4 j) As required in § 2.2, the Applicant shall
provide in installation manual all
constraints (including limitations, Usage
Domain and activities) to be respected by
the users.
I 2.5.10
2.4 k) The Applicant shall provide any data
needed to evaluate Worst Case Distribution
Time of managed data thread.
I 2.5.11
Table 1 : Verification Acceptance Criteria
2.5.1. Verification of 2.1 a)
1 – Inspect the Installation Manual to determine the range number [Min - Max] of IMA
applications, components and/or modules between which it is possible to share the
information resource.
2 – Verify that the Min number is at least equal to two.
3 – Initialize the IMA module in consistency with Usage Domain contained into the
Installation Manual.
4 – Verify that in valid equivalence classes and boundary values of [Min – Max], the IMA
applications, components and/or modules access correctly to share information resource.
5 – Verify that Interfaces are well implemented according to its (their) specification(s)
given into the Installation Manual.
2.5.2. Verification of 2.1 b)
1 – Inspect the Partitioning Analysis of the IMA module and verify that all the information
unauthorized interferences between data threads used by IMA applications, components
and/or modules are well identified and mitigated by either a design mechanism either a
Usage Domain rule.
2 – Inspect the Installation Manual to determine the range number [Min - Max] of IMA
applications, components and/or modules between which it is possible to share the
information resource.
3 – Initialize the IMA module in consistency with Usage Domain contained into the
Installation Manual.
4 – Verify that in valid equivalence classes and boundary values of [Min – Max], for each
unauthorized interference, a robust partitioning mechanism is well implemented.
2.5.3. Verification of 2.1 c)
1 – Inspect the Installation Manual to verify that the list of types of data thread for which
the robust partitioning is guaranteed is well defined.
2 - Inspect the Installation Manual to verify that the attributes of each type of data
thread are well defined. Attributes are:
• Usage domain rules associated to data thread type.
• Programming interface associated to data thread type.
2.5.4. Verification of 2.1 d)
1 – After Verification of 2.1.2c)
2 – For each type of data thread, initialize the attributes of data thread in consistency
with Usage Domain contained into the Installation Manual.
3 – Verify with an outer value of valid equivalence classes and boundary values of data
thread attributes, that the associated robust partitioning breach detection is well
implemented.
2.5.5. Verification of 2.1 e)
If 2.1e) is implemented:
1 – Inspect the Installation Manual to verify that the configurable attributes of types of
data thread are well defined.
2 – Inspect the Installation Manual to verify that the authorized values of each
configurable attributes are well defined as Usage Domain rules.
2.5.6. Verification of 2.2f)
1 - Inspect the Installation Manual to verify that the sizing (e.g. Bandwidth) and the
distribution time (e.g. Latency) performances of each management mechanism including
monitoring of each type of data thread are well documented, including boundaries, Usage
Domain Rules, and logical Interface rules.
2.5.7. Verification of 2.3g)
1 - Inspect the Failure Mode and Effect Analysis (FMEA) to verify that fault containment
mechanism is well identified
2 – Initialize the IMA module in consistency with Usage Domain contained into the
Installation Manual
3 – Verify that each fault containment mechanism is well implemented avoiding fault
propagation between data threads managed by the IMA Module, and outside the IMA
Module, by observing the sanction associated to fault and raised by monitoring.
2.5.8. Verification of 2.3 h)
1 - Inspect the Failure Mode and Effect Analysis (FMEA) and Fault Tree Analysis [FTA] to
verify that required feared event are well quantified.
2.5.9. Verification of 2.4 i)
1 – Inspect the Installation Manual to verify that the list of types of data thread, their
associated attributes, their configurability and their performances are well documented,
including boundaries, Usage Domain Rules, logical interface rules.
2.5.10. Verification of 2.4 j)
1 – Inspect the Installation Manual to verify that the constraints to be respected are
specified for all types of data thread, including their associated Usage Domain Rules and
logical interface rules.
2.5.11. Verification of 2.4 k)
1 – Inspect the Installation Manual to verify that means needed to evaluate Worst Case
Distribution Time of each type of data thread are available.
2 - Initialize the IMA module in consistency with Usage Domain contained into the
Installation Manual.
3 – Verify that the Worst Case Distribution Time of each type of data threads can be
correctly evaluated thanks to supplied means.
APPENDIX 2
INTEGRATED MODULAR AVIONIC PLATFORM MODULE
MINIMUM PERFORMANCE SPECIFICATION (MPS)
TYPE F: Power Supply (PS)
1. Purpose and scope
1.1 Introduction
This document contains CLASS F Minimum Performance Standards (MPS).
These standards specify module characteristics that should be useful to designers,
manufacturers, installers and users of the module.
1.2 Overview
For ETSO-2C153 CLASS F, IMA module is a module mounted into a rack which is able to supply
power received from aircraft electrical network to one or more IMA hardware modules mounted
in the same rack.
Following definitions are used:
� Power supply unit: set of physical components (hardware and or software) in charge of
managing a power supply (or a part of the power supply) resource.
� Power supply resource : obtained electrical energy from aircraft electrical network to be
distributed to electrical loads which are IMA module mounted into the rack
� Power flow: part of supplied power supply for which a level of isolation would be
guaranteed by the IMA module.
� Mounted: is said for a hardware IMA module fixed inside the Rack Module after an human
operation in aircraft.
� Slot : the physical envelop dedicated to one mounted hardware IMA module inside the
Rack Module
1.3 Intended function
Based on the definition of the CLASS F MPS, this section provides Minimum Performance
Standards (MPS) for the intended function which is to provide the capability to share Power
Supply resource supplied by one of more Power Supply unit(s).
The following figure provides an overview of the previously mentioned intended function and
interfaces:
A/C ElectricalPower Supply
Interfaces
IMA module – Class F
Power Supply
unit
PowerFlow
Power Supply
unit
Power Supply
unit
Interfaces
IMA module
IMA module
IMA module
IMA module
Rack
Figure 1: IMA module overview for ETSO-2C153 CLASS F
2. Requirements
For ETSO-2C153 CLASS F, IMA module, mounted into a rack, provides shared power supply to
hardware IMA module mounted into the same rack.
2.1 Functional requirements
For ETSO-2C153 CLASS F:
a) Mounted into a rack, the IMA module shall provide to IMA hardware modules, which are
mounted into the same rack, the capacity to share power supply resource thanks to
power flows accessible through physical interface(s).
b) The robust partitioning between power flows used by IMA hardware modules shall be
ensured by the IMA module.
c) The IMA module shall provide the list of type of power flow for which the robust
partitioning is guaranteed. The list of types of power flow and the associated attributes
shall be provided in the installation manual.
d) Any breach in robust partitioning guaranteed by c) shall be detected by the IMA module.
e) Some attributes of each power flow guaranteed by c) may be configurable.
The interface(s) of the IMA module will conform to characteristics as described by a standard
(ARINC600 for example).
POWER SUPPLYUNIT
POWER SUPPLYUNIT
POWER SUPPLYUNIT
POWER SUPPLYRESOURCE
POWER FLOW
POWERFLOW
Input interface
POWERFLOW
POWERFLOW
POWERFLOW
Ouput interface
A/C Electr ical Power Supp ly
Powerthreads
Figure 2: CLASS F (PS) elements relationship
2.2 Performance requirements
f) The performances of each management mechanism including monitoring shall be
characterized, bounded and documented in the Installation Manual.
2.3 Safety requirements
g) For ETSO-2C153 CLASS F, IMA module shall implement a fault containment mechanism
concerning powering unit(s) to prevent from fault propagation between power flows
managed by the IMA module, and outside the IMA module.
h) Failures modes:
For at least following failure modes, failure rate shall be provided:
• Loss of the IMA module
• Erroneous Behavior of the IMA module
• Loss of the shared power supply resource
• Erroneous Behavior of the shared power supply resource
Monitoring coverage:
Monitoring Coverage rate (PBIT, CBIT…) shall be provided for all failure modes of
the IMA module (inc. Shared and unshared resources).
For shared information resource, monitoring Coverage rate (inc. Resource itself,
sharing mechanisms and robust partitioning mechanisms) shall be provided.
Events such as too low voltage or current, too high voltage or current, corruption,
impersonation will be taken into account during the safety analysis.
2.4 Required data
As required in § 2.2, the Applicant shall provide all constraints (including limitations) to be
respected by the users through its documentation. Additionnaly to common required datas,
following informations have to be provided :
i) The Applicant shall provide the list of types of power flow, their associated attributes,
their configurability and their performances
j) As required in § 2.2, the Applicant shall provide in installation manual all constraints
(including limitations, Usage Domain and activities) to be respected by the users.
k) The Applicant shall provide any data needed to evaluate power profile characteristics (e.g. Maximum Value, In Rush current) of managed power flows.
2.5 Verification methods
Following table gives verification method for each MPS:
MPS Ref MPS text Verification method
(A/I/D/T)
Verification
Acceptance Criteria
2.1 a) Mounted into a rack, the IMA module shall
provide to IMA hardware modules, which
are mounted into the same rack, the
capacity to share power supply resource
thanks to power flows accessible through
physical interface(s).
I+T 2.5.1
2.1 b) The robust partitioning between power
flows used by IMA hardware modules shall
be ensured by the IMA module.
I+A+T 2.5.2
2.1 c) The IMA module shall provide the list of
type of power flow for which the robust
partitioning is guaranteed. The list of types
of power flow and the associated attributes
shall be provided in the installation manual.
I 2.5.3
2.1 d) Any breach in robust partitioning
guaranteed by c) shall be detected by the
I+A+T 2.5.4
2.1 e) Some attributes of each power flow
guaranteed by c) may be configurable.
I 2.5.5
2.2 f) The performances of each management
mechanism including monitoring shall be
characterized, bounded and documented in
the Installation Manual.
I+A 2.5.6
2.3 g) For ETSO-2C153 CLASS F, IMA module
shall implement a fault containment
mechanism concerning powering unit(s) to
prevent from fault propagation between
power flows managed by the IMA module,
and outside the IMA module.
I+T 2.5.7
MPS Ref MPS text Verification method
(A/I/D/T)
Verification
Acceptance Criteria
2.3 h) Failures modes:
For at least following failure modes, failure
rate shall be provided:
• Loss of the IMA module
• Erroneous Behavior of the IMA
module
• Loss of the shared power
supply resource
• Erroneous Behavior of the
shared power supply resource
Monitoring coverage:
Monitoring Coverage rate (PBIT, CBIT…)
shall be provided for all failure modes of
the IMA module (inc. Shared and unshared
resources).
For shared information resource,
monitoring Coverage rate (inc. Resource
itself, sharing mechanisms and robust
partitioning mechanisms) shall be provided.
Events such as too low voltage or current,
too high voltage or current, corruption,
impersonation will be taken into account
during the safety analysis.
A 2.5.8
2.4 i) The Applicant shall provide the list of types
of power flow, their associated attributes,
their configurability and their performances
I 2.5.9
2.4 j) As required in § 2.2, the Applicant shall
provide in installation manual all
constraints (including limitations, Usage
Domain and activities) to be respected by
the users.
I 2.5.10
2.4 k) The Applicant shall provide any data
needed to evaluate power profile
characteristics (e.g. Maximum Value, In
Rush current) of managed power flows.
I 2.5.11
Table 1 : Verification Acceptance Criteria
2.5.1 Verification of 2.1 a)
1 – Inspect the Installation Manual to determine the range number [Min - Max] of
hardware IMA modules between which it is possible to share the power supply resource.
2 – Verify that the Min number is at least equal to two.
3 – Initialize the IMA module in consistency with Usage Domain contained into the
Installation Manual.
4 – Verify that in valid equivalence classes and boundary values of [Min – Max], the
hardware IMA modules access correctly to share power supply resource.
5 – Verify that Interfaces are well implemented according to its (their) specification(s)
given into the Installation Manual.
2.5.2 Verification of 2.1 b)
1 – Inspect the Partitioning Analysis of the IMA module and verify that all the information
unauthorized interferences between power flows used by IMA hardware modules are well
identified and mitigated by either a design mechanism either a Usage Domain rule.
2 – Inspect the Installation Manual to determine the range number [Min - Max] of IMA
hardware modules between which it is possible to share the power supply resource.
3 – Initialize the IMA module in consistency with Usage Domain contained into the
Installation Manual.
4 – Verify that in valid equivalence classes and boundary values of [Min – Max], for each
unauthorized interference, a robust partitioning mechanism is well implemented.
2.5.3 Verification of 2.1 c)
1 – Inspect the Installation Manual to verify that the list of types of power flow for which
the robust partitioning is guaranteed is well defined.
2 - Inspect the Installation Manual to verify that the attributes of each type of power flow
are well defined. Attributes are:
• Usage domain rules associated to power flow type.
• Interface associated to power flow type.
2.5.4 Verification of 2.1 d)
1 – After Verification of 2.1.2c)
2 – For each type of power flow, initialize the attributes of power flow in consistency with
Usage Domain contained into the Installation Manual.
3 – Verify with an outer value of valid equivalence classes and boundary values of power
flow attributes, that the associated robust partitioning breach detection is well
implemented.
2.5.5 Verification of 2.1 e)
If 2.1e) is implemented:
1 – Inspect the Installation Manual to verify that the configurable attributes of types of
power flow are well defined.
2 – Inspect the Installation Manual to verify that the authorized values of each
configurable attributes are well defined as Usage Domain rules.
2.5.6 Verification of 2.2 f)
1 - Inspect the Installation Manual to verify that the performances of each management
mechanism including monitoring of each type of power flows are well documented,
including boundaries, Usage Domain Rules, and logical Interface rules.
2.5.7 Verification of 2.3 g)
1 - Inspect the Failure Mode and Effect Analysis (FMEA) to verify that fault containment
mechanism is well identified
2 – Initialize the IMA module in consistency with Usage Domain contained into the
Installation Manual
3 – Verify that each fault containment mechanism is well implemented avoiding fault
propagation between power flows managed by the IMA module, and outside the IMA
module, by observing the sanction associated to fault and raised by monitoring.
2.5.8 Verification of 2.3 h)
1 - Inspect the Failure Mode and Effect Analysis (FMEA) and Fault Tree Analysis [FTA] to
verify that required feared event are well quantified.
2.5.9 Verification of 2.4 i)
1 – Inspect the Installation Manual to verify that the list of types of power flow, their
associated attributes, their configurability and their performances are well documented,
including boundaries, Usage Domain Rules, logical interface rules.
2.5.10 Verification of 2.4 j)
1 – Inspect the Installation Manual to verify that the constraints to be respected are
specified for all types of power flow, including their associated Usage Domain Rules and
logical interface rules.
2.5.11 Verification of 2.4 k)
1 – Inspect the Installation Manual to verify that means needed to evaluate profile
characteristics of each type of power supply are available.
2 - Initialize the IMA module in consistency with Usage Domain contained into the
Installation Manual.
3 – Verify that the profile characteristics of each type of power flows can be correctly
evaluated thanks to supplied means.
APPENDIX 2
INTEGRATED MODULAR AVIONIC PLATFORM MODULE
MINIMUM PERFORMANCE SPECIFICATION (MPS)
CLASS G: Display Head (DH)
1. Purpose and scope
1.1 Introduction
This document contains CLASS G Minimum Performance Standards (MPS).
These standards specify characteristics that should be useful to designers, manufacturers,
installers and users of the module.
1.2 Overview
For ETSO-2C153 CLASS G, IMA module provides shared resources in terms of display area
between IMA Applications, components and/or modules.
Following definitions are used:
� Display Unit: set of physical components (hardware and/or software) in charge of
managing a display area (or a part of a display area).
� Display Area: Surface where some visual information can be depicted by one or several
Display Unit(s) based on received Graphical Threads.
� Graphical Thread: set of graphical information received as input by the HD from one or
more IMA Application(s), component(s) and/or module(s).
� Display Thread: set of depiction information for which level of isolation would be
guaranteed on the Display Area by HD.
1.3 Intended function
Based on the definition of the CLASS G MPS, this section provides Minimum Performance
Standards (MPS) for the intended function which is to provide the capability to share one
display area supplied by one or several display unit(s).
The following figure provides an overview of the previously mentioned intended function and
associated interfaces:
DisplayThread#1
DisplayThread#2
Display AreaGraphical threads
Interfaces
Display Head Module
DisplayUnit
DisplayUnit
DisplayUnit
DisplayUnit
Figure 1: IMA module overview for ETSO-2C153 CLASS G
2. 2. Requirements
2.1 Display area resource sharing
2.1.1. Description
For ETSO-2C153 CLASS G, IMA module provides shared resources for display area needs of
IMA applications, modules and/or components.
2.1.2. Functional requirements
For ETSO-2C153 CLASS G:
a) The IMA module shall provide to IMA Applications, modules and/or components the
capacity to use shared Display Area resource through a logical or physical interface.
b) The robust partitioning between threads from IMA Applications, modules and/or
components using the shared Display Area resource shall be ensured by the IMA Module.
c) The IMA Module shall provide the list of types of graphical and display threads for which the robust partitioning is guaranteed. The list of types of these threads and the
associated attributes shall be provided in the installation manual.
d) Any breach in robust partitioning guaranteed by c) shall be detected by the IMA Module. e) Some attributes of each thread guaranteed by c) may be configurable.
f) In addition, the IMA module shall be compliant (fully or partially) to MPS from ETSO C-
113a.
The interface(s) of the IMA Module will conform to characteristics as described by a
standard.
DISPLAY UNIT DISPLAY UNIT DISPLAY UNIT
DISPLAY AERA
DISPLAY TREAD
DISPLAYTREAD
GRAPHICAL TREAD
GRAPHICAL TREAD
Input interfaces
Figure 2: CLASS G Display Head (HD) elements relationship
2.1.3. Performance requirements
g) The performances of each management mechanism including monitoring shall be
characterized, bounded and documented in the installation manual.
2.1.4. Safety requirements
h) For ETSO-2C153 CLASS G, the IMA module shall implement a fault containment
mechanism concerning Display unit(s) to prevent from fault propagation between threads
managed by the IMA module, and ouside the IMA module.
i) Failures modes:
For at least following failure modes, failure rate shall be provided:
� Loss of the IMA module
� Erroneous Behavior of the IMA module
� Loss of the shared Display Area Resource
� Erroneous Behavior of the shared Display Area resource
Monitoring coverage:
Monitoring Coverage rate (PBIT, CBIT…) shall be provided for all failure modes of the
IMA Module (inc. Shared and unshared resources).
For shared Display Area Resource, monitoring Coverage rate (inc. Resource itself,
sharing mechanisms and robust partitioning mechanisms) shall be provided.
Events such as delay, corruption, impersonation, loss, frozen information will be taken
into account during the safety analysis.
2.1.5. Required data (linked to §2.2)
j) The Applicant shall provide the list of type of threads, the associated attributes, their
configurability, their sizing and display processing time performances.
k) As required in § 2.2, the Applicant shall provide in installation manual all constraints
(including limitations, Usage Domain and activities) to be respected by the users.
l) The applicant shall provide any data needed to evaluate Worst Case Display Elaboration
Time of managed threads.
m) The additional activities to be performed by the users related to ETSO C113a compliance
demonstration completeness shall be defined in the installation manual.
2.1.6. Verification procedures
Following table gives verification method for each MPS:
MPS Ref MPS text Verification method
(A/I/D/T)
Verification
Acceptance Criteria
2.1.2 a) The IMA module shall provide to IMA
Applications, modules and/or components
the capacity to use shared Display Area
resource through a logical or physical
interface.
I+T 2.1.6.1
2.1.2 b) The robust partitioning between threads
from IMA Applications, modules and/or
components using the shared Display Area
resource shall be ensured by the IMA
Module.
I+A+T 2.1.6.2
2.1.2 c) The IMA Module shall provide the list of
types of graphical and display threads for
which the robust partitioning is
guaranteed. The list of types of these
threads and the associated attributes shall
be provided in the installation manual.
I 2.1.6.3
2.1.2 d) Any breach in robust partitioning
guaranteed by c) shall be detected by the
IMA Module.
I+A+T 2.1.6.4
2.1.2 e) Some attributes of each thread guaranteed
by c) may be configurable.
I 2.1.6.5
2.1.2 f) In addition, the IMA module shall be
compliant (fully or partially) to MPS from
ETSO C-113a.
I 2.1.6.6
2.1.3 g) The performances of each management
mechanism including monitoring shall be
characterized, bounded and documented in
the installation manual.
I+A 2.1.6.7
2.1.4 h) For ETSO-2C153 CLASS G, the IMA module
shall implement a fault containment
mechanism concerning Display unit(s) to
prevent from fault propagation between
threads managed by the IMA module, and
ouside the IMA module.
I+T 2.1.6.8
MPS Ref MPS text Verification method
(A/I/D/T)
Verification
Acceptance Criteria
2.1.4 i) Failures modes:
For at least following failure modes, failure
rate shall be provided:
• Loss of the IMA module
• Erroneous Behavior of the IMA
module
• Loss of the shared Display Area
Resource
• Erroneous Behavior of the
shared Display Area resource
Monitoring coverage:
Monitoring Coverage rate (PBIT, CBIT…)
shall be provided for all failure modes of
the IMA Module (inc. Shared and unshared
resources).
For shared Display Area Resource,
monitoring Coverage rate (inc. Resource
itself, sharing mechanisms and robust
partitioning mechanisms) shall be
provided.
I 2.1.6.9
2.1.5 j) The Applicant shall provide the list of type
of threads, the associated attributes, their
configurability, their sizing and display
processing time performances.
I 2.1.6.10
2.1.5 k) As required in § 2.2, the Applicant shall
provide in installation manual all
constraints (including limitations, Usage
Domain and activities) to be respected by
the users.
I 2.1.6.11
2.1.5 l) The applicant shall provide any data
needed to evaluate Worst Case Display
Elaboration Time of managed threads.
I + A 2.1.6.12
2.1.5 m) The additional activities to be performed
by the users related to ETSO C113a
compliance demonstration completeness
shall be defined in the installation manual.
I 2.1.6.13
Table 1 : Verification Acceptance Criteria
2.1.6.1. Verification of 2.1.2 a)
1 – Inspect the Installation Manual to determine the range number [Min - Max] of IMA
applications, components and/or modules between which it is possible to share the
Display Area resource.
2 – Verify that the Min number is at least equal to two.
3 – Initialize the IMA module in consistency with Usage Domain contained into the
Installation Manual
4 – Verify that in valid equivalence classes and boundary values of [Min – Max], the IMA
applications, components and/or modules access correctly to share Display Area
resource.
5 – Verify that Interfaces are well implemented according to their specifications given
into the Installation Manual.
2.1.6.2. Verification of 2.1.2 b)
1 – Inspect the Partitioning Analysis of the IMA module and verify that all the
unauthorized interferences between threads from IMA applications, components and/or
modules are well identified and mitigated by either a design mechanism either a Usage
Domain rule.
2 – Inspect the Installation Manual to determine the range number [Min - Max] of IMA
applications, components and/or modules between which it is possible to share the
Display Area resource.
3 – Initialize the IMA module in consistency with Usage Domain contained into the
Installation Manual.
4 – Verify that in valid equivalence classes and boundary values of [Min – Max], for each
unauthorized interference, a robust partitioning mechanism is well implemented.
2.1.6.3. Verification of 2.1.2 c)
1 – Inspect the Installation Manual to verify that the list of types of thread for which the
robust partitioning is guaranteed are well defined.
2 - Inspect the Installation Manual to verify that the attributes of each type of thread are
well defined. Attributes are:
� Usage domain rules associated to thread type.
� Programming interface and/or physical interface associated to thread type.
2.1.6.4. Verification of 2.1.2 d)
1 – After Verification of
2 – For each type of thread, initialize (and potentially configure) the attributes of thread
in consistency with Usage Domain contained into the Installation Manual.
3 – Verify with an outer value of valid equivalence classes and boundary values of thread
attributes, that the associated robust partitioning breach detection is well implemented.
2.1.6.5. Verification of 2.1.2 e)
If Erreur ! Source du renvoi introuvable.Erreur ! Source du renvoi introuvable. is
implemented:
1 – Inspect the Installation Manual to verify that the configurable attributes of types of
thread are well defined.
2 – Inspect the Installation Manual to verify that the authorized values of each
configurable attribute are well defined as Usage Domain rules.
2.1.6.6. Verification of 2.1.2 f)
The verification activities related to ETSO C113a MPS implementation are defined in the
scope of the ETSO C113a compliance demonstration.
1 - Verify that the ETSO C113a compliance demonstration (fully or partially) is provided.
2.1.6.7. Verification of 2.1.3 g)
1 - Inspect the Installation Manual to verify that the sizing (e.g. Bandwidth) and the
distribution time (e.g. Latency) performances of each management mechanism including
monitoring of each type of thread are well documented, including boundaries, Usage
Domain Rules, and logical Interface rules.
2.1.6.8. Verification of 2.1.4 h)
1 - Inspect the Failure Mode and Effect Analysis (FMEA) to verify that Fault Containment
mechanism is well identified
2 – Initialize the IMA module in consistency with Usage Domain contained into the
Installation Manual
3 - Verify that each fault containment mechanism is well implemented avoiding fault
propagation between threads managed by the DH, and outside the DH by observing the
sanction associated to fault and raised by monitoring.
2.1.6.9. Verification of 2.1.4 i)
1 - Inspect the Failure Mode and Effect Analysis (FMEA) and Fault Tree Analysis (FTA) to
verify that required feared event are well quantified.
2.1.6.10. Verification of 2.1.5 j)
1 – Inspect the Installation Manual to verify that the list of types of thread, their
associated attributes, their configurability and their performances are well documented,
including boundaries, Usage Domain Rules, interface rules.
2.1.6.11. Verification of 2.1.5 k)
1 – Inspect the Installation Manual to verify that the constraint to be respected is
specified for all types of thread, including their associated Usage Domain Rules and
interface rules.
2.1.6.12. Verification of 2.1.5 l)
1 – Inspect the Installation Manual to verify that means needed to evaluate Worst Case
Display Elaboration Time of display thread(s) are available.
2 - Initialize the IMA module in consistency with Usage Domain contained into the
Installation Manual.
3 – Verify that the Worst Case Display Elaboration Time of each type of threads can be
evaluated thanks to supplied means.
2.1.6.13. Verification of 2.1.5 m)
1 - Inspect the Installation Manual to verify that the additional activities to be performed
by the users related to ETSO C113a compliance demonstration completeness are well
documented.
APPENDIX 3
INTEGRATED MODULAR AVIONIC MODULE
DATA REQUIREMENTS
Additionally to data required by CS-ETSO sub-part A (DO254, DO178, DO160, MPS data, DAL,
Limitations, Open Problem Reports…), following information must be provided by the IMA
module manufacturer:
• Chapter 1 - IMA module characteristics
• Chapter 2 - IMA module core software
• Chapter 3 - IMA module health management and reporting
• Chapter 4 - IMA module usage domain
• Chapter 5 - IMA module configuration
• Chapter 6 - IMA module tools
• Chapter 7 - IMA module compatibility & mixability information
Chapter 1: IMA module Characteristics
IMA module is composed of hardware and/or software components constituting one or several
unit(s) performing the intended function(s) specified into MPS class(es). This (these) units
permit(s) the IMA module to perform at least one of the ETSO-2C153 intended functions
specified into the MPS classes (Appendix 2).
IMA ModulePart Number xxx[xx]
unit
Component
Component
unit
Component
Component
Module Characteristics
DESIGN
InstallationManual
MPSClass(es)
ETSO 2C153Intended Function
MPSClass(es)
CS-ETSOSub-part A requirements
Figure 4 IMA module characteristics
The Installation Manual must address the appropriate IMA module characteristics, when
relevant, specified into the table below.
Module
Characteristic
Category
Characteristics to be documented by ETSO applicant in
Installation Manual for each IMA module
Module
Characteristic
Category
Characteristics to be documented by ETSO applicant in
Installation Manual for each IMA module
General
Information
• Power Dissipation.
• Thermal characteristics
Cooling characteristics (a detailler - TBC)
• Size and Weight.
• Input and Output (I/O) Connectors.
• Mating Connectors.
• Top-level drawings and Mechanical Interfaces
• Mounting Mechanism and scheme
• Clearance characteristics
• Air Flow characteristics
• Inter-Element Interfaces.
• Inter-Element Connections.
• Grounding and Shielding Provisions.
• Separation and/or Isolation Provisions.
• Module Installation and Extraction Means.
• Power Supply Interface of the Module : see Power Supply unit
Interfaces Unit
Characteristics
Analog Input Specifications For Each Analog Input
• Range.
• Accuracy.
• Resolution.
• Null and Offset.
• Filtering.
• Input Impedance.
• Analog-to-Digital Conversion Speed.
• Digital-to-Analog Conversion Speed.
• Steady State Voltage Rating.
• Transient Voltage Rating.
• Circuit Protection Techniques.
• Multiplexing.
Analog Output Specifications For Each Analog Output
• Range.
• Accuracy.
• Null.
• Linearity.
• Current Capacity.
Module
Characteristic
Category
Characteristics to be documented by ETSO applicant in
Installation Manual for each IMA module
• Output Impedance.
• Analog/Digital Conversion Speed.
• Steady State Voltage Rating.
• Transient Voltage Rating.
• Circuit Protection Techniques.
• Multiplexing.
Discrete Input Specifications For Each Discrete Input
• Trip Point.
• Hysteresis.
• Filtering.
• Input Impedance.
• Logic Sense.
• Maximum Logic-High Level.
• Maximum Logic-Low Level.
• Minimum Logic-High Level.
• Minimum Logic-Low Level.
• Steady State Voltage Rating.
• Transient Voltage Rating.
• Circuit Protection Techniques.
• Multiplexing.
Discrete Output Specifications For Each Discrete Output
• Voltage Levels.
• Current Source Capacity.
• Current Sink Capacity.
• Output Impedance.
• Circuit Protection Techniques.
• Multiplexing.
Digital Communications For Each Input and Output
• Data Rates.
• Integrity Checks.
• Signal Levels.
• Current Sink and Source.
• Input Impedance.
• Output Impedance.
• Signal Rise and Fall Times.
• Filtering.
• Stub Length Limits.
Module
Characteristic
Category
Characteristics to be documented by ETSO applicant in
Installation Manual for each IMA module
• Input and Output Capacitance.
• Isolation.
• Maximum Bit Error Rates.
• Circuit Protection Techniques.
• Resets.
• Monitors.
• Multiplexing.
Processing and
Memory Unit
characteristics
(inc. Graphical
Unit)
• Software Services Included (Core Software) : Dataloading, Health
Monitoring, Operating System
• User Software/Software Interface Mechanisms and Protocol(s).
• User Software/Hardware Interface Mechanisms and Protocol(s).
• Integration Requirements.
• Limitations of Software.
• Processing Unit (CPU, GPU...) Bus(es) and Core Clock Frequencies.
• Memory Size(s) and Type(s).
• Interrupts.
• Reset Structure.
• Memory Management, such as cache and MMU.
• Monitors.
• Backplane Interface. (if any)
• CPU, GPU Type.
• CPU, GPU Throughput.
• Timing Specifications.
Display Unit
characteristics
(rendering)
• refer to AS8034
Power Supply
Unit
• Regulation.
• Input Voltage & Current.
• Maximum Start-up (In-rush) Current Rating.
• Output Current Capacity.
• Hold-up Capacity.
• Restart.
• Transient Immunity.
• Voltage Outputs & Tolerances.
• Power Monitors & Status Outputs.
• Short Circuit Management.
Module
Characteristic
Category
Characteristics to be documented by ETSO applicant in
Installation Manual for each IMA module
• Power Resets and Recovery.
• Circuit Protection Techniques.
Chapter 2 - Core software
As defined in to Appendix 1, IMA module may be an association of hardware and a Core
Software.
• Hardware may (or may not) contain resident (not field loadable) software to enable
electronic part marking and/or future loading of Field Loadable Software parts.
• Core Software may be resident or a Field Loadable Software Part.
The Core Software is the operating system and support software that manage resources to
provide an environment in which the intended function is performed. Core software is typically
comprised of one or more component(s).
If IMA module contains a Core Software, following Core Software characteristics must be
documented into the IMA module installation manual:
• Identification of the Core Software component(s).
• Part of IMA module functionality, performance and safety requirements supported by
the Core Software.
• Interfaces and associated Data Coupling / Control Coupling information
• Integration and Loading Procedure(s).
IMA ModulePart Number xxx[xx]
unit
Component
Component
unit
Component
Component
Core SofwareCharacteristics
DESIGN
InstallationManual
MPSClass(es)
ETSO 2C153Intended Function
Core Software
MPSClass(es)
CS-ETSOSub-part A requirements
Figure 5 IMA module Core Software
Chapter 3 - IMA module health management and reporting
The Health Management and reporting (HM) function is responsible for detecting, isolating,
containing and reporting failures. This function should detect faults in the shared resources and
other resources that could adversely affect applications using the module resources or that
could adversely affect the resources themselves.
The Health Management and reporting (HM) function helps to isolate faults and prevents failures
from propagating. It should address both operational and maintenance concerns.
IMA ModulePart Number xxx[xx]
unit
Component
Component
unit
Component
Component
Heath monitoringCharacteristics and
faults attributes
DESIGN
InstallationManual
MPSClass(es)
ETSO 2C153Intended Function
Health monitoring
User
IMA application developmentIMA system installation
Figure 6 IMA module Health Monitoring
Each IMA module shall provide health management and reporting capability.
The health management and reporting function shall detect, contain and report faults of the
shared resources and other resources that could adversely affect applications using the module
resources or that could adversely affect the resources themselves.
Monitoring Coverage rate shall be defined for all failure modes of the Module (inc. Shared and
unshared resources)
The response to a user level fault may be configurable. Intended recovery of identified faults,
could be ignoring the fault, reinitializing, restarting or calling a user specified routine to take
user-specified actions.
The thresholds used to raise a fault may be configurable.
The logical interface provided to hosted application will conform to characteristics as described
by a standard (ARINC653 for example).
The fault management strategy should address the potential for SEU and provide appropriate
recovery capabilities.
Following HM Characteristics must be documented into the IMA module installation manual:
• Interface rules, constraints (including limitations) to be respected by the users,
• The list of HM monitoring,
• The list of monitored components, monitored services, monitored interfaces,
• The response to each type of fault,
• The fault reporting attributes.
Reporting refers to internal logging, indication to applications using the shared
resources, indication outside of the module.
• The configuration attributes if any.
Chapter 4 - IMA module usage domain
ETSO-2C153 authorization relies on the concept of Usage Domain (as per ED-124 and Appendix
1 - chapter 2 definitions).
The usage domain of an IMA module is defined as an exhaustive list of conditions to be
respected by the user(s) and for which it has been demonstrated that the following properties
are true:
• The module is compliant to its functional, performance, safety and environmental
requirements specified into at least one MPS class.
• The module characteristics documented into Installation Manual (as required by
Appendix 3 – Chapter 1) are guaranteed by manufacturer.
• The module is compliant to the applicable airworthiness requirements (inc. continued
airworthiness aspects)
IMA ModulePart Number xxx[xx]
unit
Component
Component
unit
Component
Component
DESIGN
InstallationManual
MPSClass(es)
ETSO 2C153Intended Function
Usage Domain
User
INSTALLATION
Figure 7 IMA module usage domain
The usage domain will be defined at IMA module level and used at Application (ED-124 Task 2)
and IMA system (ED-124 Task 3 & 4) level.
The definition of the usage domain should include consideration of the module functionality,
performance and safety requirements and its required environmental performance …
However, at the time the IMA module certification program is issued, the usage domain may not
be fully defined. Nevertheless, in any case, the methodology for capturing it will be described.
The IMA module manufactured to comply with this ETSO may be used to support other ETSOs or
systems approved under Certification Specifications (CS) 21, CS23, 25, 27, 29, 33 or 35. These
ETSO authorizations, IMA system approvals and aircraft-level approvals are not covered by this
ETSO but will rely on the fact that compliance to Usage Domain documented into Installation
Manual would be well implemented.
Chapter 5 - IMA module configuration data
IMA module may need to be configured before installation in the IMA system (ED-124 Task 2, 3
and 4).
If the IMA module is configurable, ETSO-2C153 authorization will be given to an IMA module
with a configuration capability. In that case, the installation manual must describe:
• The authorized configuration parameters (inc. combined parameters) in the usage
domain.
• The configuration activities to be conducted (inc. configuration procedures, means and
tools) by the user during application development (ED-124 – Task 2) and IMA system
(ED-124 – Task 3 and 4) integration.
IMA ModulePart Number xxx[xx]
unit
Component
Component
unit
Component
Component
DESIGN
InstallationManual
MPSClass (es)
ETSO 2C153Intended Function
User
INSTALLATION
Configuration
Figure 8 IMA module configuration
Chapter 6 - IMA module tools
IMA module may need to use some tools during installation in the IMA system (ED-124 Task 2,
3 and 4).
In that case, the installation manual must describe:
• the list of tools ,
• the user’s guide of tools and
• the activities to be conducted related to those tools during application development (ED-
124 – Task 2) and IMA system (ED-124 – Task 3 and 4) integration.
• The associated qualification credits that could be granted to the user of the tools.
If these tools are qualified, qualification data are considered as data to be summited to EASA in
the frame of ETSO-2C153 authorization.
IMA ModulePart Number xxx[xx]
unit
Component
Component
unit
Component
Component
DESIGN
InstallationManual
MPSClass(es)
ETSO 2C153Intended Function INSTALLATION
ToolsCha racteristics
ToolsTool qualification
data EASA
Figure 9 IMA module tools
Chapter 7 - IMA module compatibility and mixability information
The IMA module manufacturer must provide compatibility & mixability information between
hardware, software, tools and usage domain in the installation manual.
The information should give details of:
• How the authorized mixed combinations are verified.
• The compatibility assessment process with authorized mixed combinations of
interfacing module (external mixability).
• Any preventative measures (design or procedures) to be developed by the user to
prevent incorrect module combinations or software loads.
• Information to be provided to maintenance personnel.
APPENDIX 4
INTEGRATED MODULAR AVIONIC MODULE
ENVIRONMENTAL QUALIFICATION REQUIREMENTS
CS-ETSO sub-part A § 2.3 requires compliance to complete DO160 Environmental Conditions
and Test Procedures.
For ETSO-2C153, some particularities have to be addressed
• Test Software representativeness
• Applicable Test Procedures
Chapter 1: Test Software representativeness
In the case that, IMA module is qualified without the functional software installed and operating,
engineering analysis from the manufacturer must determine that the “test” software (not the
target functional software) is representative of usage domain stress envelop for the
environmental tests (i.e. dissipated temperature, power consumption, radiated field radiation,
etc…).
Chapter 2: Applicable Test Procedures
For ETSO-2C153 authorization, IMA module may be a single LRU platform (Line Replaceable
Unit) or may be a module located into a Rack (Line Replaceable Module).
Two cases have to be considered depending on IMA module characteristics.
• Case 1: The IMA module is a single LRU platform (Line Replaceable Unit)
All environmental conditions are applicable to the IMA module. The usage domain must be
defined and maintained in order that all these qualification tests produce a complete credit
for other ETSOs authorization and Type Certificate level.
• Case 2: The IMA module is a module located into a Rack or the rack itself (Line Replaceable
Module).
The usage domain of the module must be defined and maintained in order that al least a
subset of qualification tests produces a credit for other ETSOs authorization and Type
Certificate level. This minimal subset is defined in the table below:
Environmental
Test RTCA / DO160G
section Guidance for ETSO-2C153
Temperature 4.5 For ETSO-2C153 application :
• The module can be subjected to these test
conditions. Credit for these tests can be granted
as part of this ETSO, with substantiated
environmental test conditions.
• In this case, the usage domain of the module
must be defined and maintained in order that
these tests produce some credit.
Otherwise, these tests will be performed as part
another ETSO application or as part of a [X] Type
Certification program.
Altitude 4.6 For ETSO-2C153 application :
• The module must be subjected to these test
conditions.
• Credit for these tests will be granted as part of
this ETSO.
• The usage domain of the module must be defined
and maintained in order that these tests produce
some credit.
Temperature
Variation
5.0 For ETSO-2C153 application :
• The module can be subjected to these test
conditions. Credit for these tests can be granted
as part of this ETSO, with substantiated
environmental test conditions.
• In this case, the usage domain of the module
must be defined and maintained in order that
these tests produce some credit.
• Otherwise, these tests will be performed as part
another ETSO application or as part of a [X] Type
Certification program.
Humidity 6.0 For ETSO-2C153 application :
• The module must be subjected to these test
conditions.
• Credit for these tests will be granted as part of
this ETSO.
• The usage domain of the module must be defined
and maintained in order that these tests produce
some credit.
Shock
(operational)
7.2 For ETSO-2C153 application :
• The module can be subjected to these test
conditions. Credit for these tests can be granted
as part of this ETSO, with substantiated
environmental test conditions.
• In this case, the usage domain of the module
must be defined and maintained in order that
these tests produce some credit.
• Otherwise, these tests will be performed as part
another ETSO application or as part of a [X] Type
Certification program.
Shock (Crash
Safety)
7.3 For ETSO-2C153 application :
• The module can be subjected to these test
conditions. Credit for these tests can be granted
as part of this ETSO, with substantiated
environmental test conditions.
• In this case, the usage domain of the module
must be defined and maintained in order that
these tests produce some credit.
• Otherwise, these tests will be performed as part
another ETSO application or as part of a [X] Type
Certification program.
Vibration 8.0 For ETSO-2C153 application :
• The module can be subjected to these test
conditions. Credit for these tests can be granted
as part of this ETSO, with substantiated
environmental test conditions.
• In this case, the usage domain of the module
must be defined and maintained in order that
these tests produce some credit.
• Otherwise, these tests will be performed as part
another ETSO application or as part of a [X] Type
Certification program.
Explosion
Atmosphere
9.0 For ETSO-2C153 application :
• The module must be subjected to these test
conditions.
• Credit for these tests will be granted as part of
this ETSO.
• The usage domain of the module must be defined
and maintained in order that these tests produce
some credit.
Waterproof 10.0 For ETSO-2C153 application :
• The module must be subjected to these test
conditions.
• Credit for these tests will be granted as part of
this ETSO.
• The usage domain of the module must be defined
and maintained in order that these tests produce
some credit.
Fluids
Susceptibility
11.0 For ETSO-2C153 application :
• The module must be subjected to these test
conditions.
• Credit for these tests will be granted as part of
this ETSO.
• The usage domain of the module must be defined
and maintained in order that these tests produce
some credit.
Sand and Dust 12.0 For ETSO-2C153 application :
• The module must be subjected to these test
conditions.
• Credit for these tests will be granted as part of
this ETSO.
• The usage domain of the module must be defined
and maintained in order that these tests produce
some credit..
Fungus
Resistance
13.0 For ETSO-2C153 application :
• The module must be subjected to these test
conditions.
• Credit for these tests will be granted as part of
this ETSO.
• The usage domain of the module must be defined
and maintained in order that these tests produce
some credit.
Salt Fog 14.0 For ETSO-2C153 application :
• The module must be subjected to these test
conditions.
• Credit for these tests will be granted as part of
this ETSO.
• The usage domain of the module must be defined
and maintained in order that these tests produce
some credit.
Magnetic Effect 15.0 For ETSO-2C153 application :
• The module must be subjected to these test
conditions.
• Credit for these tests will be granted as part of
this ETSO.
• The usage domain of the module must be defined
and maintained in order that these tests produce
some credit.
Power Input 16.0 For ETSO-2C153 application :
• The module must be subjected to these test
conditions.
• Credit for these tests will be granted as part of
this ETSO.
• The usage domain of the module must be defined
and maintained in order that these tests produce
some credit.
Voltage Spike 17.0 For ETSO-2C153 application :
• The module must be subjected to these test
conditions.
• Credit for these tests will be granted as part of
this ETSO.
• The usage domain of the module must be
defined and maintained in order that these
tests produce some credit.
Audio Frequency
Conducted
Susceptibility—
Power Input
18.0 For ETSO-2C153 application :
• The module must be subjected to these test
conditions.
• Credit for these tests will be granted as part of
this ETSO.
• The usage domain of the module must be defined
and maintained in order that these tests produce
some credit.
Induced Signal
Susceptibility
19.0 For ETSO-2C153 application :
• The module can be subjected to these test
conditions. Credit for these tests can be granted
as part of this ETSO, with substantiated
environmental test conditions.
• In this case, the usage domain of the module
must be defined and maintained in order that
these tests produce some credit.
• Otherwise, these tests will be performed as part
another ETSO application or as part of a [X] Type
Certification program.
Radio Frequency
Susceptibility
(Radiated and
conduced)
20.0 For ETSO-2C153 application :
• The module can be subjected to these test
conditions. Credit for these tests can be granted
as part of this ETSO, with substantiated
environmental test conditions.
• In this case, the usage domain of the module
must be defined and maintained in order that
these tests produce some credit.
• Otherwise, these tests will be performed as part
another ETSO application or as part of a [X] Type
Certification program.
Emission of
Radio Frequency
Energy
21.0 For ETSO-2C153 application :
• The module can be subjected to these test
conditions. Credit for these tests can be granted
as part of this ETSO, with substantiated
environmental test conditions.
• In this case, the usage domain of the module
must be defined and maintained in order that
these tests produce some credit.
• Otherwise, these tests will be performed as part
another ETSO application or as part of a [X] Type
Certification program.
Lightning
Induced
Transient
Susceptibility
22.0 For ETSO-2C153 application :
• The module can be subjected to these test
conditions. Credit for these tests can be granted
as part of this ETSO, with substantiated
environmental test conditions.
• In this case, the usage domain of the module
must be defined and maintained in order that
these tests produce some credit.
• Otherwise, these tests will be performed as part
another ETSO application or as part of a [X] Type
Certification program.
Lightning Direct
Effects
23.0 For ETSO-2C153 application :
• The module can be subjected to these test
conditions. Credit for these tests can be granted
as part of this ETSO, with substantiated
environmental test conditions.
• In this case, the usage domain of the module
must be defined and maintained in order that
these tests produce some credit.
• Otherwise, these tests will be performed as part
another ETSO application or as part of a [X] Type
Certification program.
Icing 24.0 For ETSO-2C153 application :
• The module must be subjected to these test
conditions.
• Credit for these tests will be granted as part of
this ETSO.
• The usage domain of the module must be defined
and maintained in order that these tests produce
some credit.
Electro Static
Discharge (ESD)
25.0 For ETSO-2C153 application :
• The module must be subjected to these test
conditions.
• Credit for these tests will be granted as part of
this ETSO.
• The usage domain of the module must be defined
and maintained in order that these tests produce
some credit..
Fire,
Flammability
26.0 For ETSO-2C153 application :
• The module must be subjected to these test
conditions.
• Credit for these tests will be granted as part of
this ETSO.
• The usage domain of the module must be defined
and maintained in order that these tests produce
some credit. Figure 10 EQT minimum subset
Chapter 3 Parameters to be monitored during EQT
The IMA module manufacturer must define in IMA module characteristics (appendix 3 – chapter
1), the parameters to be monitored during each applicable test procedure in RTCA/DO-160G.
Regarding intended functions, the IMA module manufacturer must elect the key parameters and
associated pass and/or fail criteria to ensure that MPS are achieved according the table
hereafter:
MPS CLASS MPS paragraph
A (Rack) F1 : §2.1.2 (c)
F2 : §2.2.2 (a); §2.2.3 (e)
F3 : §2.3.2 (a) + (b); §2.3.3 (c); § 2.3.4 (e) + (f)
F4 : §2.4.2 (a) + (b); §2.4.3 (d); § 2.3.4 (e)
B (Processing) F1 : §2.1.2 (b) + (d); §2.1.3 (f); §2.1.4 (g) + (h)
F2 : CLASS D criteria are applicable
F3 : CLASS E criteria are applicable
C (Graphic) 2.1 (b) + (d); §2.2 (f); §2.3 (g) + (h)
D (Data Storage) 2.1 (b) + (d); §2.2 (f); §2.3 (g) + (h)
E (Interface) 2.1 (b) + (d); §2.2 (f); §2.3 (g) + (h)
F (power Supply) 2.1 (b) + (d); §2.2 (f); §2.3 (g) + (h)
G (Graphical Rendering) 2.1 (b) + (d) + (f); §2.2 f); §2.3 (g) + (h) Figure 11 Pass/Fail criteria
This selection must be documented in to the EQT plan submitted to EASA.
Document History (for information only)
18.12.2012: ETSO 2C153 draft v1.
31.07.2013: ETSO 2C153 draft v2 composed of: • Core document draft v2.2
• MPS CLASS A v1.0
• MPS CLASS B v1.0
• MPS CLASS C v1.0
• MPS CLASS D v1.2
• MPS CLASS E v1.2
• MPS CLASS F v2.0
• MPS CLASS G v1.0