

Time: 2011-08-28 16:20 Source: 蓝天飞行翻译 Author: 航空

2.5  In general all architecture has physical properties and these can be used to protect the logical properties (values, time spans, etc.) of the things we are interested in. A barrier can be drawn around these things, representing the limits of protection from interference for a particular logical property of a particular set of functions of interest. For example, using the simple non-interruptible scheduler described above allows a temporal barrier to be drawn around each programme unit.
2.6  Other sorts of barriers, which limit other forms of interference, can be drawn around a programme unit (element). The functions of the unit are then protected from outside interference. This is illustrated in Figure 1. It shows barriers covering the periphery of a programme unit. This set of barriers is called a barricade.

Figure 1 Architectural Unit
2.7  Barriers are not perfect; a metal box does not reduce the EM (Electromagnetic) environment (due to outside sources of EM interference) within the box to zero. Neither does it provide equal protection for all frequencies. Similarly, for the non-interruptible scheduler, the protection may not extend to cover hardware interrupts or timeliness interference due to errors in the operating system itself. Consequently, the amount of protection provided by an individual barrier is represented in Figure 1 by the thickness of its line.
2.8  The behaviour of the barrier can either be described from an internal perspective or an external perspective. An internal perspective would view the barrier as preventing alteration to a property of the function, whereas an external perspective would view the barrier as preventing a particular type of interference from coming through the barrier wall. For example, an internal perspective on the non-interruptible scheduler is that it protects the timeliness of the functions and so limits interference in time, whereas an external perspective on the metal case round a hardware unit is that it prevents EM interference.
2.9  There are many different types of interference. Consequently, for full protection, many different barriers are needed. The gaps in Figure 1 illustrate where no barrier exists and therefore where there is no protection.
NOTE:  Barriers are put in place to protect the functions of the element from external interference, not to stop interference being exported. This is normal practice. Standards, such as DO 178, take the view that a high integrity function should take the responsibility of protecting itself from interference from lower integrity functions for two reasons:
• The higher integrity function is expected to carry overheads associated with greater development rigour. To have to carry an overhead for protection as well is not considered too onerous.
• The rigour of development of a lower integrity function would give little support to an argument that it did not export any interference.


The consequence of this line of reasoning is that functions within an element, which are protected by the same set of barriers, can expect no protection from the other functions operating within the same element. For example, although a metal box provides protection from external EM interference, the electronics within the box also generate interference and consequently one card in a box may be interfered with by the EM radiation of another. Similarly the OS provides no data or timeliness protection from functions that are part of the same programme unit. Thus the data of one function may be corrupted by another function within the same programme unit.
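The temporal barrier of 2.5, its limits in 2.7 and the import-only nature of barriers in the note, shown as an added illustration that is not part of CAP 670: a hypothetical simulated non-interruptible scheduler whose unit names, budgets and run times are constructed. One cycle shows that no unit is ever split by another (the barrier holds) while an overrunning unit still delays every unit after it (interference the barrier does not stop, and which the overrunning unit exports).

```python
from dataclasses import dataclass

@dataclass
class ProgrammeUnit:
    name: str
    budget: int   # time units allotted per cycle
    actual: int   # time units really consumed (constructed sample value)

@dataclass
class RunRecord:
    name: str
    start: int
    end: int
    planned_start: int   # start time had every earlier unit kept to budget

def run_cycle(units: list[ProgrammeUnit]) -> list[RunRecord]:
    """One cycle of a hypothetical non-interruptible scheduler.

    Each unit runs to completion before the next starts (the temporal
    barrier). Nothing stops a unit overrunning, so its excess time is
    exported to every unit that follows it.
    """
    clock, planned, trace = 0, 0, []   # simulated time; no real sleeping
    for unit in units:
        trace.append(RunRecord(unit.name, clock, clock + unit.actual, planned))
        clock += unit.actual
        planned += unit.budget
    return trace

def is_uninterrupted(trace: list[RunRecord]) -> bool:
    """True when no unit's interval overlaps another's: the barrier held."""
    return all(a.end <= b.start for a, b in zip(trace, trace[1:]))

def overrunning_units(units, trace) -> list[str]:
    """Units that exported timeliness interference by running past budget."""
    budget = {u.name: u.budget for u in units}
    return [r.name for r in trace if r.end - r.start > budget[r.name]]

def late_units(trace) -> list[str]:
    """Units that suffered interference the barrier did not stop."""
    return [r.name for r in trace if r.start > r.planned_start]

# Constructed sample cycle: unit A overruns its budget by 5 time units.
SAMPLE_UNITS = [ProgrammeUnit("A", 10, 15), ProgrammeUnit("B", 5, 5), ProgrammeUnit("C", 5, 5)]

if __name__ == "__main__":
    trace = run_cycle(SAMPLE_UNITS)
    print("barrier held:", is_uninterrupted(trace))          # True
    print("exported interference:", overrunning_units(SAMPLE_UNITS, trace))  # ['A']
    print("suffered interference:", late_units(trace))       # ['B', 'C']
```

A budget monitor of this kind locates the exporter of timeliness interference, which the barrier itself cannot do.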
2.10  Even though individual barriers are not perfect and there may not be a complete set of them, the notion of a set of barriers surrounding a function is of practical benefit. Where the logical properties protected are a useful subset of all logical properties known to exist within some identifiable physical component, it enables the construction of systems from independently assessed components.
 
Article link: CAP 670 Air Traffic Services Safety Requirements 1(91)