Taming interrupts: Deterministic asynchronicity in an ARINC 653 environment

Interrupts are forbidden in ARINC 653 partitioned environments - or so it appears. In this paper we will examine that prohibition and explore a means of using interrupts in a system while maintaining deterministic behavior. We begin with an overview of the benefits and costs of Integrated Modular Avionics (IMA), along with a review of associated standards. Next, we look at interrupt-driven Input/Output (I/O) handling, which is considered best practice, except in ARINC 653 systems. Because DO-248 requires deterministic behavior as a fundamental system property necessary to certify safety, most IMA system designers avoid interrupts, presuming that such asynchronous events introduce non-determinism and cause interpartition interference. We argue that implementing asynchronous events such as interrupts does not necessarily lead to non-determinism, when viewed from the level of partitioned system behavior and further, does not necessarily lead to cross-interference. The key is flexible reservation of time not allocated to statically scheduled partitions during the major time frame. System designers often consider this non-reserved time as “spare”, to be used for future expansion for new partition applications. Some vendors have targeted this time as “slack time” which can be used for non-critical background tasks. We propose a novel use: reserving it for interrupt handling. In considering the design of deterministic interrupt-driven I/O, we discuss classical approaches to scheduling and interrupt handling and show why they are insufficient for this application. We then introduce a method of credit-based scheduling using a dynamically decreasing time budget that preserves determinism at the partition behavior level and also continues to prevent interpartition interference. We conclude with a description of our initial implementation of this innovation within a customized version of the Xen hypervisor.