https://orcid.org/0000-0002-5863-5215
Figures
Abstract
The aviation industry extensively employs integrated modular avionics (IMA) to enhance system efficiency by sharing resources across various functions. Despite the benefits, the design of IMA systems is not without its challenges, particularly in achieving cost-effectiveness, ensuring availability, and addressing safety concerns. Optimizing resource utilization in IMA systems is increasingly complex due to the growing functionality and quantity of resources in aviation modules and technological flexibility. This paper presents a multi-layer resource configuration and optimal design method for IMA systems, with a dual focus on resource sharing and isolation mechanisms (which prevent fault propagation and enhance system safety). Our approach takes into account not only the strategic planning of resource sharing but also the intricacies of isolation scheme design, especially in the context of risk propagation. The architecture of the multi-layer resource configuration is meticulously structured and formalized to account for the unique dynamics of risk propagation across different configurations. The optimization process for the configuration scheme is formalized as a constrained multi-objective optimization problem. An optimal performance configuration scheme for the IMA systems can be identified that requires the minimum amount of resources. Finally, the effectiveness of the proposed method is demonstrated through the presentation of an illustrative example. The results show that the proposed approach effectively balances safety, efficiency, and cost in IMA resource management.
Citation: Wang H, Chen Z, Fang X (2026) Multi-layer resource configuration and safety optimization for integrated modular avionics with resource sharing and isolation. PLoS One 21(3): e0345130. https://doi.org/10.1371/journal.pone.0345130
Editor: Antonio Javier Nakhal Akel, Universitas Mercatorum, ITALY
Received: October 17, 2025; Accepted: March 2, 2026; Published: March 31, 2026
Copyright: © 2026 Wang et al. This is an open access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original author and source are credited.
Data Availability: All relevant data are within the manuscript and its Supporting Information files.
Funding: The author(s) received no specific funding for this work.
Competing interests: The authors have declared that no competing interests exist.
1. Introduction
Integrated modular avionics (IMA) system is a platform that provides a shared set of flexible, reusable, and interoperable hardware and software resources. This platform is meticulously designed and rigorously verified to fulfill a defined set of safety and performance requirements for hosting aircraft functions [1], such as reliability, real-time performance, partition protection, and fault tolerance as specified in standards like DO-178C [2] and DO-254 [3]. The IMA architecture utilizes a sharing mechanism through modular and universal resources, as opposed to the traditional dedicated resources [4,5]. By enabling the sharing of multiple resources, the IMA architecture not only improves efficiency but also leads to savings in terms of space, weight, power, and maintenance infrastructure [6].
However, the sharing mechanism, while enhancing the utilization efficiency of resources, can also potentially lead to fault propagation and diffusion [7–9]. As the extent of resource sharing increases, the risk of fault coupling propagation and diffusion escalates alongside the improvement in resource utilization efficiency. To mitigate this risk, an isolation mechanism (also referred to as isolation design) is implemented to bolster the system safety of integrated modular avionics, ensuring that failures in one partition do not affect others. For instance, different application software is encapsulated within distinct partitions, employing specific isolation strategies within partition management. These partitions are effectively isolated from each other, thereby significantly enhancing the system’s fault tolerance capability [10]. The efficiency, safety, and availability of the system are contingent upon the effective configuration of resources for both shared and isolated designs. Achieving the optimal configuration that strikes a balance between resource sharing and isolation, ensuring system safety while maintaining high availability and efficiency, remains a significant challenge. Currently, although certain research has addressed aspects of this issue, there remains a gap in methods for optimizing IMA configuration.
Currently, research on IMA systems primarily emphasizes system architecture and hardware integration levels, with limited exploration of resource configuration within the IMA architecture. To systematically position our work, we categorize and review existing literature along three interlinked dimensions: (1) resource configuration modeling, (2) safety-integrated design, and (3) multi-objective optimization. 1) Resource Configuration Modeling: The foundation of IMA design lies in effectively mapping functions to shared hardware resources. Early work by Sagaspe et al. [11] pioneered a safety analysis method that considers the impact of resource sharing, employing model checking to derive safety constraints for configuration generation. Building on this, Sagaspe [12] proposed a constraint-based design approach that incorporates isolation requirements to determine system implementability on an IMA platform. To tackle the combinatorial complexity of mapping. Lohse [13] developed an optimization algorithm that generates and estimates new system variables, while Salzwedel [14] focused on optimizing resource configuration during the early system design phase to enhance architectural robustness. 2) Safety-Integrated Design and Scheduling: Ensuring safety within shared-resource environments necessitates integrating safety constraints into scheduling and allocation. Annighöfer [15,16] addressed this by developing scheduling tools that resolve time-division issues and practical constraints using integer programming for multi-objective optimization (e.g., weight, cost). From a verification perspective [17], modeled and verified software/hardware resource configurations to ensure real-time performance and safety. Similarly, Cai [18] proposed an adaptive multi-objective optimization algorithm that simultaneously considers access time, resource type, quantity, and isolation constraints. For systems with stringent reliability needs, Xie et al. [19] optimized resource schemes by balancing hardware cost, real-time requirements, and reliability, and Chu [20] formalized the configuration optimization for systems with functional redundancy as a hybrid constraint satisfaction and optimization problem. 3) Multi-Objective Optimization for Modern Constraints: Recent research has expanded objectives to include energy efficiency and communication scheduling. Chen et al. [21,22] developed energy-constrained scheduling algorithms for heterogeneous systems. Du et al. [23] advanced this direction by employing an improved ant colony optimization algorithm for energy-aware resource allocation. In the realm of platform configuration, Moraes [24] integrated Monte Carlo tree search with genetic algorithms to explore trade-offs in platform design. To address scheduling inflexibility, Zhou et al. [25] introduced a loosely coupled partition-message scheduling framework that decouples task and message scheduling, reducing complexity imposed by tight coupling, Research Gap and Our Contribution: While the aforementioned studies provide valuable insights, two critical gaps remain. First, most works adopt an economic or schedulability-centric perspective; safety is often treated as a binary constraint rather than a quantifiable objective interacting dynamically with resource sharing and isolation mechanisms. The modeling of risk propagation pathways and their impact on system safety under different configuration schemes is notably underdeveloped. Second, there is a lack of a unified, multi-layer resource configuration model that holistically optimizes the trade-off between safety (e.g., quantified failure probability, real-time performance), resource utilization efficiency, and cost. Existing approaches often focus on a single layer or a subset of objectives, failing to capture the hierarchical interdependencies in IMA systems where configuration decisions at one layer (e.g., partition) affect risk and performance at others.
Therefore, this paper addresses the following research question: How can we optimize the multi-layer resource configuration in IMA systems to systematically balance resource sharing (for efficiency) and isolation (for safety), while explicitly quantifying and mitigating the risk of fault propagation? Targeted at the aforementioned challenges and constraints, and taking the inherent trade-off between resource sharing and isolation into account, this paper proposes a method to optimize the design of multi-layer resource configuration in an IMA system. Our approach aims to mitigate the risk of fault association propagation due to resource sharing and to strike a balance between sharing and isolation, thereby attaining a safe and efficient optimal configuration.
To achieve this, high real-time performance, high reliability, and efficiency—which are crucial metrics for safety-critical complex embedded systems—are formally utilized as conditions for safety optimization. They are encapsulated as constraints within our comprehensive assessment framework to ensure the viability of all candidate configuration schemes. Specifically, this paper introduces a shared resource configuration optimization model alongside a comprehensive optimization process. The effectiveness of this process is illustrated through the application of a formal mathematical model and the Non-Dominated Sorting Genetic Algorithm-II (NSGA-II), showcasing its successful implementation in a representative case study. The proposed method provides technical support for achieving efficient, safe, and balanced resource configuration optimization for IMA systems.
The remainder of this paper is organized as follows. Section 2 introduces the IMA system and its shared and isolation design for resources. Section 3 proposes a configuration model for IMA resource sharing and isolation. Section 4 describes the configuration optimization process. In Section 5, we demonstrate the applicability of the proposed technique through a case study of the Integrated Display and Control System (IDCS). Finally, Section 6 concludes the paper by summarizing the research paths that deserve more attention from the community in the near future and drawing concluding remarks.
2. IMA system, resource sharing and isolation design
2.1. IMA system description
An IMA system’s core consists of a cluster of entities encompassing numerous shared processing resources capable of simultaneously supporting functions across different missions [4]. As illustrated in Fig 1, these resources are interconnected by data buses, constituting a distributed network system known as the shared platform. Each function is deployed independently within a partition. The real-time tasks associated with a specific function application are performed within the respective partition through a local scheduling mechanism. Furthermore, a central server scheduling mechanism oversees the management of all partitions across a processing resource. To accommodate a variety of target tasks, a pre-designed configuration scheme dictates the deployment of these functions within the shared platform.
The IMA system can be conceptualized as comprising resources and Hosted Functions (HFs). To fulfill its designated tasks, a single HF may require support from multiple resources. The interconnections between different HFs are depicted in Fig 2. Within the IMA system, there are various classes of HFs, each serving distinct purposes, with multiple function objects potentially existing beneath each class. The function objects within a particular class may establish backup relationships with each other for safety reasons or work collaboratively to improve task execution.
As shown in Fig 2, the IMA architecture follows a layered mapping: the system level comprises multiple hosted functions (HFs), each of which is implemented by a set of resources. This mapping forms the basis for configuring sharing and isolation. The model consists of three layers: 1) System Layer: Represents the overall IMA platform. 2) Function Layer (Hosted Functions, HFs): Each HF class (e.g., Navigation, Communication) contains multiple function objects that may collaborate or provide redundancy. 3) Resource Layer: Physical or logical resources (e.g., GPMs, partitions) that implement the functions. Arrows indicate allocation relationships: a function may require multiple resources, and resources may be shared across functions.
However, while the design of tasks and functions operates at the logical layer of the system, their execution relies on the utilization of physical resources. Specifically, the management of each function involves the collaboration of multiple resources to establish an allocation mapping from the logical to the physical resource layer.
Similarly, Fig 3 illustrates how resources are structured into classes and objects. This hierarchy supports flexible allocation and enables both sharing (multiple functions using the same resource object) and isolation (dedicated resource objects for safety-critical functions). Resources are organized into classes (e.g., General Processing Module (GPM), memory, bus) and instances (e.g., GPM1, GPM2). 1) Class level: Defines resource type and properties. 2) Object level: Specific instances that can host multiple function objects. Dashed lines represent potential sharing relationships; solid lines indicate allocation. Each resource objects can accommodate multiple function objects.
2.2. Shared resources and isolation design
The shared resources in an IMA system include physical shared resources (e.g., processors, memory) and data shared resources (e.g., databases, algorithms). Physical sharing is realized through time- and space-division multiplexing, while data sharing enables reuse and result exchange across functions. Both forms improve resource utilization but introduce potential fault propagation risks. To mitigate fault propagation risks introduced by sharing, isolation mechanisms (e.g., partitioning, dedicated resources) are employed. In this work, isolation refers to the design strategies that prevent fault propagation between functions or resources. Isolation can be categorized as: 1) Temporal Isolation: Functions are allocated non-overlapping time slots on shared resources (e.g., via time-partitioning in ARINC 653). 2) Spatial Isolation: Functions are assigned to physically separate resources (e.g., dedicated processors or memory regions). 3) Logical Isolation: Functions are separated through software mechanisms such as memory protection units (MPUs) or virtualization. 4) Fault-Containment Isolation: Resources are designed to limit the impact of a fault to a predefined boundary (e.g., using health monitoring and reset mechanisms). Isolation prevents low-criticality functions from affecting high-criticality ones, enhancing system safety and fault tolerance..
To clarify the concepts of resource sharing and isolation, consider an IMA system with two functions: 1) Function A: Flight Control (high criticality); 2) Function B: Data Logging (low criticality).
Shared Resource Design: Both functions may be allocated to the same General Processing Module (GPM) using time partitions. This improves resource utilization but introduces a risk: a fault in Function B could propagate to Function A via the shared GPM.
Isolated Resource Design: Function A is assigned a dedicated GPM, while Function B uses a separate GPM. This eliminates coupling faults but increases resource usage.
The challenge in IMA configuration is to balance these two approaches to achieve efficiency (through sharing) and safety (through isolation), which is the focus of our optimization method.
3. Configuration model of IMA shared resource and isolation
To establish an efficient IMA system, it is crucial to tackle the configuration of IMA resources proactively. This approach enables the seamless integration of aircraft-level functions into the IMA system, provided that the resources are properly configured. According to the DO-297 [1] specification, the IMA platform is composed of a variety of configurable resources. It is imperative to configure these resources efficiently to facilitate the execution of diverse aircraft-level functions on the IMA platform.
3.1. Multi-level resource configuration
Notation and Definitions
For clarity, the following notation is used throughout this paper:
- SR: set of resource elements
- n: number of resource types
- Nt: number of resources of type t
: the Nt-th resource object of type n
- fm: the m-th upper-layer function or resource
: resource-to-function mapping matrix, where
if resource ri is allocated to function fj, otherwise 0
: association matrix for resources of type n, where
indicates a coupling between
and
: probability of failure propagation from
to
: failure probability of resource
, considering both inherent and propagated failures
The IMA system encompasses various resource types, including hardware, software, data, and network resources. The objective of resource configuration is to assign each resource to an appropriate location for efficient utilization. However, resource configuration must adhere to certain constraints. For example, the configuration rules prohibit assigning two different resource types to the same location, and high-criticality resources are designated as non-shareable.
Expanding on the shared resources and isolation discussed in Section 2, this section proposes a multi-layer resource configuration method for the IMA system’s resource layer. The association between software and hardware is achieved through various resource types, including node, partition, process, and variable resources. These associations are determined based on the attributes of each resource type.
The resource layer element set SR is a physical or logical unit used to enable system functions. The SR comprises all resources in the IMA system, organized by type and object. Let there be T types of resources, indexed by t = 1,2,…,T. Each resource type t contains Nt objects. The set can be expressed as [26]:
in which, denotes the Nt-th object of resource type n,
,
. Nt is the total number of objects of type t. The first superscript indicates the resource type, the second indicates the object index. For example,
represents the second resource object allocated from the third type of resource.
Once all shared resources have been allocated according to a specific configuration scheme, a multi-layer resource configuration can be established. At this time, the coupling association relationship within the resource layer can be determined. An adjacency matrix can be used to describe this relationship as a formal representation. Specifically, the mapping association configuration matrix between resource elements (rn) and upper-layer resources (fm) can be expressed as:
The allocation matrix , where a column sum of 1 indicates exclusive allocation (spatial isolation). where, the shared resource configuration in the upper layer resource is 1. If the shared resource is not allocated to the upper-layer resource, it is 0. So
can be expressed as:
Since the bottom resources of complex integrated system support the realization of the upper functions, the configuration of resources should be based on the functional requirements. denotes Class l function. Multiple sub-functions realize a class of functions
,
. k is the number of sub-functions,
.
3.2. Safety constraint model
IMA resource sharing and isolation can be configured in various ways to satisfy the constraints. However, different configuration approaches have varying impacts on aircraft performance, installation cost, and safety. Thus, identifying the optimal resource configuration within these constraints is a critical issue. In this section, we first model the shared resource configuration. We then express the corresponding safety constraints using mathematical expressions. This approach facilitates the optimal configuration of resource sharing and isolation. The specific constraints are as follows:
Constraint 1. The number of each bottom-layer shared resource cannot exceed the total number of upper-layer resources.
This constraint indicates that there is at least one 1 in the allocation of of the lowest level resource
, but it is less than or equal to the sum of the upper level resources configured,
; A set of inequalities is used to describe the constraint:
among them, is a summation vector,
ensures each resource is used at least once,
limits the maximum allocation to m functions. Example: If there are m = 3 upper-layer functions, a shared resource can be assigned to 1, 2, or all 3 functions, but not to none or more than 3.
By multiplying the associated configuration matrix (formula (2) in formula (4)), it can be seen that the sum of the values of elements in each row of
is between 1 and
, so this constraint condition is met, every shared resource is all used.
What needs illustration is that: When , the number of configurations of each resource is 1. If
, the higher the degree of resource sharing is. If
, the lower the degree of resource sharing is, the higher the degree of isolation design is. When
, each resource adopts isolated safety design, that is, all resources are not shared.
Constraint 2. Constraints on the number of dedicated resources.
A shared resource contains dedicated resources, which support only one upper-layer resource or sub-function. Therefore, dedicated resources cannot be shared. That is, the number of dedicated resources corresponding to h upper-layer resources or sub-functions can only be h, and h ≤ t, where t is the upper-layer resource or sub-function. The configuration number of this special resource constraints has to be 1, namely the values of
have only one 1, namely
. Use an equality expression to describe this constraint:
in which ,
. The association configuration matrix
represent the association configuration relationship between dedicated resources and upper-layer resources (a special case in formula (2)). By analyzing the associated configuration matrix multiplication in formula (5), it can be seen that there is only one 1 for all elements in the n row of dedicated resource
, and the sum of its values can only be equal to 1.
In addition, dedicated resources can be configured with other shared resources in the same upper-layer resource or sub-function. Therefore, the number of shared resources in the upper-layer resource configured with dedicated resources is , that is,
. The constraint is expressed by the inequality as:
in which ,
. For the dedicated resource
, all elements in the
column must have at least one 1. The sum of the values must be greater than or equal to 1.
Formula (5) states that each dedicated resource appears exactly once in the allocation matrix.
Formula (6) ensures that the upper-layer function receiving a dedicated resource also uses at least one other shared resource.
Example: A dedicated sensor is allocated only to function
, and
also uses shared processor
.
Constraint 3. Conflicting resources cannot be allocated to the same upper-layer resource, and isolation constraints must be satisfied.
In the IMA system resource configuration process, certain resources are not allowed to be allocated to the same upper-layer resource simultaneously; these are referred to as conflicting resources. In our model, this constraint determines which resources are in conflict based on the actual situation in the configuration process. In addition, shared resources that feature isolated designs are considered conflicting and should not be allocated to the same upper-layer resource. Certain resources are designated as “conflicting”, including that: 1) Scheduling Conflicts: If two resources require simultaneous access to the same shared bus or processor, they may cause timing violations or deadline misses. 2) Access Contention: Resources that share a common physical or logical channel (e.g., memory bus, I/O port) may conflict if accessed concurrently, leading to performance degradation or data corruption. 3) Safety Isolation Requirements: For fault containment, resources of different criticality levels must be isolated. Co-allocation could allow fault propagation across safety boundaries. 4) Functional Interference: Some resources perform mutually exclusive functions (e.g., two sensors measuring the same physical quantity) and should not be assigned to the same function to avoid redundancy loss or measurement conflict. For example, suppose that the resource object
and the
resource object
of the
resource are configured to the
upper resource, that is,
. In fact, there may be multiple groups of resources that need to meet the isolation conditions. The constraint is described by an inequality:
The conflict matrix , which enforces that conflicting resources are not co-allocated. Among them, each row in a matrix
is assigned a value of 1 on the resource that may conflict. The number of rows in matrix
is the number of resource groups that need to meet the isolation condition in practice, and the number of columns is the number of shared resources that are used in practice, that is, the value of
in the above.
, the row number
of this matrix corresponds to the number of rows in
, the number of columns
corresponds to the upper resource allocation, namely the
value of the above. Each row of
indicates a pair of conflicting resources, and
ensures they are not co-allocated. For example: If
and
are conflicting (e.g., two redundant sensors that must be isolated), then
for any function
.
Constraint 4. Safety-critical resources require a separate isolated design.
“Safety Critical Resource (SCR)” is used to describe a resource or function that has a direct impact on system safety. SCR refers to any resource or function the failure, malfunction, or absence of which could directly lead to system malfunction in a specific context. Safety critical resources or functions must be isolated and should not share the same resource, with the exception of dedicated resources, to enhance system safety. This constraint indicates that the safety-critical resource has only one upper-layer resource and one dedicated resource, that is,
has only two 1, that is,
. Use an equality expression to describe this constraint:
among them, ,
.
represents the configuration relationship between the SCR and the upper-layer resource (a special case in formula (2)). By analyzing the associated configuration matrix multiplication in formula (8), it can be seen that there are two 1 for all elements in the
column where the SCR
is located, and the sum of their values can only be equal to 2.
where ensures that the safety-critical resource and its dedicated backup are both allocated. For example: A flight control processor
(safety-critical) is allocated to function
, along with a dedicated monitoring processor
.
Dedicated resources and safety-critical resources are assigned with strict isolation constraints (formula (5)–(8)).
4. Configuration optimization
In the previous sections, we discussed the constraints used to evaluate the effectiveness of the resource sharing and isolation configuration scheme. In this section, we propose a method to optimize the configuration scheme. Our objective is to find a resource configuration scheme that minimizes cost, ensures safety constraints, maintains real-time system performance, and achieves the highest possible resource utilization.
4.1. Safety formalization model
Various safety indices are employed to assess the safety of a system, including failure probability, real-time performance, and fault tolerance. Failure probability serves as a quantitative measure in safety analysis, derived from an analysis of the system’s functional structure. It sequentially infers the failure probabilities of all the system’s logical components to determine the frequency of various incidents. Real-time performance is a crucial metric for evaluating safety-critical complex embedded systems. Given the stringent requirements for high real-time performance of the IMA system, it is regarded as a safety index. In this study, failure probability and real-time performance are used as quantitative measures within the safety model to assess the safety level of shared resource and isolation configurations in the IMA system.
- 1) Failure probability.
In this study, safety levels are categorized into four distinct layers, and the inherent failure logic relationships are used to describe these failures, as illustrated in Fig 2. The inherent failure logic relationships among the first three layers—the system layer, the functional class layer, and the function object layer—remain consistent. Regardless of resource configuration, the inherent failure logic within the system remains unchanged.
The failure probability of the IMA system can be calculated by considering the coupling correlation failure logic relations among its resources. The resource layer’s coupling association represents the relationships between resource elements, resulting from the need for resource sharing. This association arises in two ways: first, from the inherent correlation failure logic within the resource layer, reflecting the relationships between resources needed to perform system functions or tasks; second, once the shared resource configuration is finalized, associations between resource elements serving the same higher-level resource or function are established. After analyzing different resource configurations, we can determine the failure logical relationships for each scheme. These relationships can be inherent or generated by the specific resource configurations. To quantify the coupling relations in the resource layer, a specific definition or metric is required.
The association coefficient is used to describe the association relationship between various resource elements, representing information exchange, material sharing, or resource contention between elements within the same layer after different resource configurations. The association information within the same resource layer can be represented by the association matrix
, which contains the association coefficients of shared resources at each layer:
where and
. So the above formula can be expressed as:
Influence probability of failure propagation is the failure probability of shared resources in the same resource layer affected by fault propagation. Failure association propagation probability matrix
of the same resource level is:
The inherent failure probability of shared resource is the inherent failure probability of the
shared resource in the
class resource.
The failure probability of each shared resource is not only related to the inherent failure probability
of the shared resource, but also affected by the failure propagation due to the existence of correlation, that is, the failure propagation influence probability
. The expression of failure probability
for each shared resource is:
Particularly attention is: the shared resource set at the next lower level allocate in the same resource
. If the upper resource
fails, all the lower shared resources will fail under the influence of failure propagation.
The failure probability represents the likelihood of the top event occurring in the failure logic relation of the IMA system. In summary, the failure probability is calculated by adding the probability of system failure due to upper-layer resource failure to that due to the upper-layer resource functioning correctly, considering both the inherent correlation logic of the complex system and the post-configuration shared resource correlations. The failure probability
value for each shared resource can be deduced using formulas (2), (11), and (12).
- 2) Real-time performance
High real-time performance includes short response times to events and short task execution times. Task execution time is closely related to the allocation of time resources. Different allocations of time resources can result in varied system idle times, which in turn lead to different task execution times. Therefore, to represent the system’s real-time performance, we use the system idle time index, while ensuring that there is redundancy built into the system’s design schedule. The idle time of all tasks running on the q-th Integrated Processing Module (IPM) can be expressed as: , in which
is the total time allocated to the q th compute module,
is the total time consumed by all tasks. The total system idle time is then:
. This metric reflects the schedulability margin and is used to evaluate real-time performance in our optimization.
4.2. Resource utilization efficiency model
The IMA system’s shared resource feature optimizes resource allocation, leading to better utilization efficiency. This study focuses on quantifying resource utilization efficiency to evaluate the effectiveness of resource sharing and isolation designs. Resource utilization efficiency is defined as the degree or quantity of shared resources used to achieve safe and accurate system operations during the configuration of resource sharing and isolation. It reflects whether resources are sharing or isolation and is a crucial indicator for measuring the extent of resource utilization.
The resource utilization efficiency of an IMA system is defined as follows:
where, represents the utilization efficiency influence factor of class
resources,
. The higher the level of shared resources, the greater the utilization efficiency influence factor
.
indicates the number of class
resources actually used,
. Note: every shared resource will be used, that is,
will not appear. The resource utilization efficiency is related to the number of shared resources used. The higher the degree of sharing, the lower the isolation degree, and the lower the number of shared resources used, the higher the resource utilization efficiency. Conversely, the lower the sharing degree is, the higher the isolation degree is, and the more shared resources are used, the lower the resource utilization efficiency.
counts the usage of the
shared resource object,
. Each configuration scheme can obtain a mapping association matrix, equation (2). Then, by calculating the elements in the
line of formula
, we can get
:
in which, .
Then, can be calculated by all elements in the formula
:
Generally, the optimal configuration scheme has the highest resource efficiency.
In addition, the configured number of shared resources is related to the usage of the
shared resource object
,
. Assume that
resources need to be configured in
upper-layer resources and there are
type of shared resource objects. The value of
ranges from
to
shared resource objects. The constraint is described by an inequality:
where, ,
.
.
.
4.3. Multi-objective optimization of resource sharing and isolation design
To sum up, the constraints for shared resource configuration are presented in the following formulas. We combine these constraints with the objective function of the optimization to derive the standard multi-objective optimization model for shared resources:
The established multi-objective optimization model incorporates a variety of equality and inequality constraints. Typically, in the optimization process, the objective functions restrict each other, and the goal is to find an optimal solution that maximizes all target values. In recent years, extensive and in-depth research has been conducted on multi-objective optimization across various fields. This has led to the proposal of different multi-objective evolutionary algorithms. Researchers commonly employ two main categories of methods: mathematical programming and meta-heuristic approaches [27]. Although mathematical programming offers faster convergence and higher accuracy, it can be challenging to apply to more complex real-world systems. Consequently, meta-heuristic algorithms have become increasingly popular. Heuristic algorithms are considered the most effective for solving complex systems’ optimization problems related to reliability, safety, and economics [28].
The NSGA-II is a well-known multi-objective genetic algorithm that utilizes a non-dominated sorting approach, allowing for a satisfactory spread of solutions while achieving satisfactory convergence in the obtained non-dominated front [29]. NSGA-II integrates unique advantages, such as ranking, elitism, and the absence of shared parameters, and has demonstrated significant improvements in computing efficiency. This paper selected NSGA-II for the following reasons: 1) Pareto-Optimality Handling: NSGA-II efficiently generates a diverse set of Pareto-optimal solutions, which is essential for multi-objective optimization involving safety, efficiency, and real-time performance. 2) Non-Dominated Sorting: It ranks solutions based on dominance, allowing us to explore trade-offs between conflicting objectives without weighting. 3) Applicability to Constrained Problems: NSGA-II can handle the equality and inequality constraints defined in our model (Section 3.2) through constraint-domination principles. 4) Proven Effectiveness in Embedded Systems: NSGA-II has been widely adopted in avionics and embedded system optimization, demonstrating robustness and scalability for similar configuration problems. As a result, NSGA-II is used in this paper to address the multi-objective optimization problem of IMA resource sharing and isolation configuration.
5. Case study
In this section, we discuss the optimization process for configuring shared resources in a small-scale IMA system known as the Integrated Display and Control System (IDCS). The design of the IDCS is informed by empirical data and related research, as cited in references [30] and [31]. The IDCS is a complex modern integrated system with resource sharing as its main feature. The primary purpose of the IDCS is to present data from airborne sensors and systems to pilots and crew, enabling safe flight and mission completion. The IDCS consists of two main components: display and control. The display component serves as the input function for the pilot, while the control component serves as the output function.
The software of the Integrated Display Unit (IDU) is divided into two main parts: the application software and the platform software. These software components reside on the Input/Output Module (IOM), which serves as the General Processing Module (GPM) for the IDU. IDCS maps the logical and physical connections between software resource requirements and the platform’s hardware configuration. The platform-level tasks are broken down into essential functions, primarily display and control. The necessary resources for these functions are then effectively allocated to node, module, and partition resources.
The IDCS case model constructed in this section is shown in Fig 4, the IDCS consists of three resource layers: node resources (), module resources (
), and partition resources (
). Each sub-function is mapped to a set of resources, illustrating the sharing/isolation trade-off.
represents node resources.
stands for module resource, in this case the GPM is needed.
represents a partition resource. A partition is the smallest unit of resource configuration and invocation in the system. A module can be configured into several partitions. Display function
and control function
are each composed of two sub-functions, which are complementary to each other. It is important to note that in order to illustrate the effectiveness of the proposal approach, the IDCS examples in this article only cover these three types of resources.
In addition to its own failure, each shared resource is also affected by the failure propagation of its subordinate resources. Therefore, the inherent relationship between the function loss of this IDCS and resource failure can be divided into the following situations: When the third type of resource fails; When the third resource
does not fail and the second resource
fails; When the third resource
and the second resource
do not fail. To simplify the logical relationship of these three cases, there is a definite logic relationship in IDCS resource layer, and this inherent logic relationship (as shown in Fig 5) remains unchanged regardless of the amount and form of resource allocation. The two types of shared resources
and
involve sharing and isolation, the number of configurations is set to 2 and 3. Fig 5 depicts the inherent failure logic of IDCS resources. The diagram is used to derive the failure probability expressions in Eq. (18), independent of specific configurations. Therefore, the failure logic expression of the IDCS case is:
5.1 IDCS safety quantization model
The key parameters used in the IDCS case study—including resource failure probabilities (Table 1), task parameters (Table 2), and NSGA-II settings—are provided in the Supporting Information dataset accompanying this paper.
In this model of case, the number of resources that have realized functions is 、
. Table 1 shows the resource objects and inherent failure probability of various resources in the IDCS system.
In this case, the probability of failure propagation is given as ,
.
In this case, there are three types of shared resources: 、
、
、
、
、
、
、
. Among them,
、
、
、
、
are designed for sharing and isolation.
、
、
、
are designed to be shared without isolation, and
,
are conflicting resources. For shared resource
, the number of configurations is 1–2: When it is adopted sharing design, number of configurations is 1; And when it is adopted isolated design, number of configurations is 2, and for the sub-functions
and
use resource
and
. The shared resource
is a dedicated resource, so the number of this resources is configured as 4, that is, each shared resource in the second type of resource
corresponds to one dedicated resource
, then the sub-functions for
and
use
. At this time, the sub-function
uses
, and the sub-function
uses
; Shared resource
is a safety-critical resource.
In addition, this case has given the allocation results of the second type of shared resources ,
,
allocated in
,
, that is,
,
allocated in
, and
allocated in
. So the association matrix of the second type resources and propagation probability of failure influence have been determined.
In summary, according to the inherent failure logic of IDCS system, the failure probability of integrated display control system can be calculated as follows:
In this case, there are 10 tasks, including 6 computing tasks and 6 interface tasks (two of which are both computing tasks and interface tasks). Computing tasks are allocated to GPM module, while interface tasks are allocated to Remote Data Collector (RDC) module. Different computing tasks consume different time resources. Different IPM devices may lead to different idle time. Table 2 lists the resources and peripherals required for each task.
According to the description of the construction objective function in Section 4, system idle time can be obtained corresponding to this case. In which,
.
indicates the time allocated by the q th resource.
represents the time resource consumed by all tasks running on the q th module.
5.2 IDCS resource utilization efficiency model
Resource utilization efficiency measures the extent to which resources are utilized. According to the calculation of system resource utilization efficiency formula (15), the resource utilization efficiency of this IDCS case is:
The impact factor of IDCS case resources utilization efficiency is given as: ,
,
.
,
,
,
,
are shared and isolated design, and the number of configurations is given.
,
,
, and
are configured as shared resources without isolation design. Therefore, ① When the shared resource
adopts the shared design, the number of configurations is 1. ② When the shared resource
is isolated, the number of shared resources is 2. Table 3 shows the actual number of IDCS resource objects.
5.3 Safety constraints modeling
The IMA system is subject to many different safety constraints during the configuration of shared resources. The specific safety constraints of this IDCS case are as follows:
- 1) The bottom shared resources are all used
In this IDCS case, there are 6 kinds of bottom-layer shared resources, including ,
,
,
,
, and
, which are all configured. The mathematical description that meets this safety constraint is as follows:
among them, ,
.
- 2) Constrain on the number of dedicated resources
As shown in the previous Section 4, shared resource is a dedicated resource and cannot be shared. It supports only one upper-layer resource
, that is, each upper-layer resource
corresponds to one dedicated resource
. Thus, there are three dedicated resources:
,
,
, which allocate respectively in the upper resources
,
,
,
. Describe this safety constraint with a mathematical formula:
In this case, ,
.
In addition, these three dedicated resources are configured in upper layer resource like other lower-layer shared resources. Therefore, the number of resources in the upper layer resource allocated by dedicated resources is greater than or equal to 1,
. The constraint is expressed by the inequality as:
where ,
. In this case, the association configuration matrix
is different from
. It is equivalent to the associated configuration matrix when dedicated resources
,
,
are simultaneously configured with other five shared resources
,
,
,
,
.
- 3) Conflicting resources cannot be configured in the same upper-layer resource, and isolation constraints must be met
In the IDCS case, there are conflicting resources: the shared resources and
are conflicting resources, so they cannot be configured in the same upper layer resource
. Therefore, the correlation configuration matrix:
. The constraint is described by an inequality:
in which,
.
In addition, when the shared resource adopts the isolation design, its configuration quantity is 2, namely
and
. At this time, the two shared resources
and
are also conflicting resources, so they cannot be configured in the same upper layer resource
. Namely
. The constraint is described by an inequality:
where, ,
. In this case, the associated configuration matrix
is different from that of
. It is equivalent to the associated configuration matrix of the nine resources
,
,
,
,
,
,
,
, and
.
- 4) Safety-critical resources must be isolated
In this case, shared resource is a safety critical resource and must be isolated. That is, there is only one shared resource
and one dedicated resource
in the upper-layer resource
allocated to it. Therefore, the two value of the distribution of correlation matrix:
have and only have 1, namely the
. Use an equality expression to describe this constraint:
in which, ,
.
This case contains configurations of shared resource objects, but there is one safety critical resource and two conflicted resources, reducing the number of shared resources, the actual number of these three configurations is 1. In addition, there is one dedicated resource, so the actual shared resource constraint configured in this case is
. In order to better illustrate the proposed method, only the sharing and isolation design of
shared resource is analyzed, and the sharing and isolation form of other shared resources has been designed. Table Ⅱ shows the usage of shared resources.
According to the civil aircraft airworthiness regulation CCAR25.1309 [31,32], the quantitative index of aircraft failure should be less than 10−9. The failure of this kind of system will prevent continued safe flight and landing and cause a catastrophic accident. Therefore, in this IDCS case, the failure probability is required to be .
In summary, the optimization model of this IDCS case is shown as follow:
5.4 Configuration Optimization
Based on the conditions and preliminary analysis of the IDCS case, the optimization model for shared resource allocation in the integrated display control system can be solved using the NSGA-II optimization algorithm, as discussed in Section 3.3. For this example, the NSGA-II algorithm parameters are set as follows: population quantity ; maximum genetic algebra
; genetic crossover ratio
; proportion of genetic variation
; mutation probability
. The final Pareto solution set is obtained through iterative evolution, and its corresponding state position is shown in Fig 6.
The NSGA-II-based configuration scheme optimization algorithm generates a relatively large number of Pareto solution sets, from which a configuration scheme that aligns with the optimization objective can be selected. This paper aims to achieve optimal efficiency while maintaining system safety. As a result, 9 groups of Pareto solutions that satisfy these requirements have been identified in this example. These solutions meet the safety requirements and have the same optimal resource utilization efficiency . To identify the optimal solution, the one with the lowest failure probability and shortest idle time is selected, and the optimal configuration scheme of this IDCS case is presented in Fig 7.
The configuration scheme depicted in Fig 4 shows the shared resource that is adopted in isolation design, with a configuration quantity of 1. To better illustrate the difference between sharing and isolation configurations, a configuration scheme was selected from the Pareto solution set when
is adopted in shared design, as shown in Fig 8. This scheme was compared and analyzed with the optimal scheme depicted in Fig 7. The comparison of their optimization target values is presented in Table 4. It is evident from the two configuration schemes that although the shared resource
in Fig 8 utilizes the shared design with higher resource utilization efficiency, resource sharing exacerbates the risk of fault propagation, which does not meet the safety requirements of the IDCS system. Therefore, while the shared design can enhance the system’s efficiency, it also increases the risk, while the isolation design can enhance the system’s safety and reduce the probability of fault propagation.
To sum up, the configuration of each resource in the optimal configuration scheme of this IDCS case is shown in Table 5.
6. Conclusion
To ensure safety and prevent hazards and resource conflicts associated with shared resources, it is critical to establish a reasonable configuration scheme during system development. This scheme should efficiently manage resource sharing and isolation. Different configurations can lead to varying levels of risk related to fault propagation and coupling faults, highlighting the need to balance resource sharing and isolation.
This paper presents a method for optimizing the shared resource configuration scheme in the IMA system, focusing on modes for resource sharing and isolation. Safety and utilization efficiency are formalized as constraints in the configuration scheme evaluation, with mathematical expressions for these constraints to enhance computational capabilities.
The main contributions of this paper include: 1) establishing a configuration optimization model for multi-objective resource sharing and isolation design; 2) providing mathematical descriptions for safety constraints in resource configuration; 3) developing an optimization analysis method for resource sharing and isolation from safety and efficiency perspectives, offering technical support for efficient and safe resource configuration optimization in IMA systems.
While the proposed method demonstrates promising results, this research has several limitations. Currently, it employs only the failure probability model and real-time performance as quantitative safety indicators. Future studies should consider incorporating other critical safety indicators, such as fault tolerance, diagnosability, and system modifiability, to provide a more comprehensive safety assessment. Additionally, the optimization model assumes static configurations and relies on parameters such as failure probabilities, which may be uncertain in early design phases. Scalability to large-scale IMA systems with hundreds of resources requires further investigation, possibly through heuristic pruning or parallelization. Moreover, practical deployment faces challenges such as certification compliance (e.g., DO-297, ARINC 653) and integration with existing model-based engineering toolchains.
Future work will focus on: (1) extending the model to support dynamic reconfiguration for adaptive fault tolerance; (2) integrating the optimizer with system-level safety analysis tools (e.g., STPA, FTA) to automate constraint derivation; (3) developing decision-support interfaces to help designers navigate Pareto-optimal solutions; (4) incorporating broader safety metrics such as fault containment and modifiability; and (5) validating the approach on larger, industrial-scale IMA platforms in collaboration with avionics partners.These directions aim to enhance the method’s applicability, robustness, and integration into real-world avionics development processes.
Supporting information
S1 Dataset. IDCS resource/task data and NSGA-II algorithm parameters.
https://doi.org/10.1371/journal.pone.0345130.s001
(XLSX)
References
- 1.
RTCA. Integrated Modular Avionics (IMA) Development Guidance and Certification Considerations. DO-297. 2005.
- 2.
RTCA. Software Considerations in Airborne Systems and Equipment Certification. 2012.
- 3.
RTCA. Design Assurance Guidance for Airborne Electronic Hardware. 2000. https://doi.org/RTCADO-254
- 4.
NATO. Modular and Open Avionics Architectures. 2005.
- 5. Huysseune J, Palmer P. Nevada-Pamela-Victoria: Towards the definition of new aircraft electronic systems. Air & Space Europe. 2001;3(3–4):180–3.
- 6. Fleming CH, Leveson NG. Improving hazard analysis and certification of integrated modular avionics. J Aerosp Inf Syst. 2014;11(6):397–411.
- 7.
Rong H, Gu Q, Chen Z, Xu D. Improving Hazard Analysis of Integrated Modular Avionics System based on System-Theoretic Process Analysis. In: 17th AIAA Aviation Technology, Integration, and Operations Conference. 2017. https://doi.org/10.2514/6.2017-3776
- 8. Wang HL, Zhong DM, Zhao TD. Avionics system failure analysis and verification based on model checking. Eng Fail Anal. 2019;105.
- 9. Wang H, Zhong D, Zhao T, Ren F. Integrating Model Checking With SysML in Complex System Safety Analysis. IEEE Access. 2019;7:16561–71.
- 10. Li XY, Xiong HG. Partition modelling and design in integrated avionics. J Beijing Univ Aeronaut Astronaut. 2011;37(1):5.
- 11.
Sagaspe L, Bel G, Bieber P, et al. Safe Allocation of Avionics Shared Resources. IEEE Int Symp High-Assur Syst Eng. IEEE Comput Soc. 2005:25–33.
- 12.
Sagaspe L. Constraint-based design and allocation of shared avionics resources. In: 2007 IEEE/AIAA 26th Digital Avionics Systems Conference. 2007. 2.A.5-1-2.A.5-10. https://doi.org/10.1109/dasc.2007.4391846
- 13.
Lohse F, Zerbe V, Luetzelberger T. Architecture analysis and optimization of reconfigurable, complex systems. In: 2010 IEEE 14th International Conference on Intelligent Engineering Systems. 2010;221–5. https://doi.org/10.1109/ines.2010.5483843
- 14. Salzwedel H, Fischer N, Schorcht G. Moving design automation of networked systems to early vehicle level design stages. SAE World Congr. 2009.
- 15. Annighöfer B, Thielecke F. Supporting the design of distributed integrated modular avionics systems with binary programming. Deutscher Luft- und Raumfahrtkongress; 2012.
- 16.
Annighofer B, Thielecke F. Multi-objective mapping optimization for distributed integrated modular avionics. In: 2012 IEEE/AIAA 31st Digital Avionics Systems Conference (DASC), 2012. 1–25. https://doi.org/10.1109/dasc.2012.6383063
- 17. Cheng Z. Research on resources configuration verification and optimization of IMA system based on model driven. Nanjing Univ Aeronaut Astronaut. 2016.
- 18. Cai X, Mei Z, Fan Z. A decomposition-based many-objective evolutionary algorithm with two types of adjustments for direction vectors. IEEE Trans Cybern. 2018;48(8):2335–48. pmid:28858821
- 19. Xie G, Chen Y, Li R, Li K. Hardware cost design optimization for functional safety-critical parallel applications on heterogeneous distributed embedded systems. IEEE Trans Ind Inf. 2018;14(6):2418–31.
- 20. Chu JY, Zhao TD, Jiao J. Optimal design of configuration scheme for integrated modular avionics systems with functional redundancy requirements. IEEE Systems Journal. 2020;99:1–12.
- 21. Chen J, Han P, Zhang Y, Yao T, Zheng P. Scheduling energy consumption-constrained workflows in heterogeneous multi-processor embedded systems. J Syst Archit. 2023;142(1).
- 22. Chen J, Li T, Zhang Y, You T, Lu Y, Tiwari P, et al. Global-and-Local Attention-Based Reinforcement Learning for Cooperative Behaviour Control of Multiple UAVs. IEEE Trans Veh Technol. 2024;73(3):4194–206.
- 23. Du X, Du C, Chen J. An energy-aware resource allocation method for avionics systems based on improved ant colony optimization algorithm. Comput Electr Eng. 2023.
- 24. de Moraes SR. Exploring trade-offs in concept design of integrated modular avionic platform configurations: topology generation, resource adequacy, and dependability. Linköping Univ Electron Press. 2024.
- 25. Zhou X, He F, Zhao L. Loosely coupled hybrid scheduling of processing and communication for TSN-Based IMA Systems. IEEE Trans Ind Inf. 2024;20(6):8884–95.
- 26. Ren FC. Research on the integrated safety problem and risk management technique for complex systems. Beihang Univ. 2018.
- 27. Garg H. A hybrid GSA-GA algorithm for constrained optimization problems. Inf Sci. 2019;478:499–523.
- 28. Khorshidi HA, Gunawan I, Ibrahim MY. A value-driven approach for optimizing reliability-redundancy allocation problem in multi-state weighted k-out-of-n system. J Manuf Syst. 2016;40:54–62.
- 29. Deb K, Pratap A, Agarwal S, Meyarivan T. A fast and elitist multiobjective genetic algorithm: NSGA-II. IEEE Trans Evol Computat. 2002;6(2):182–97.
- 30. Wang G, Zhang Y, Gu QF. Research on IMA task scheduling based on dynamic resource allocation. Avionics Technol. 2013;1:6.
- 31.
U.S. Dept Transp Federal Aviat Admin. System Design and Analysis, AC 25.1309-1B. U.S. FAA Aircraft Certification Serv. 2011.
- 32.
Europe EASA. System design and analysis, AMC 25.1309. EASA. 2011.