H2-1 · Mission Computer: Scope & System Boundary

Goal: define what an avionics mission computer is responsible for, and—equally important—what it is not. This prevents scope creep into sibling topics (switching, timing, and power front-end design) while keeping the page engineering-useful for both procurement and implementation.

What a mission computer is (in-scope)

• Mission application host: sensor fusion, mission planning, payload control, and deterministic data processing pipelines.
• High-speed fabric hub: a PCIe-based compute/backplane fabric tying CPU/SoC, FPGA/accelerators, network I/O, and NVMe storage into a controlled topology.
• Assurance anchor: secure boot with a hardware root-of-trust (HSM/TPM-class device), plus audit-ready versioning and event evidence.
• Recorder & evidence loop: flight/mission logs, BIT artifacts, and “what happened when” timelines that survive resets and maintenance actions.

What a mission computer is not (out-of-scope, but interfaces are defined)

• Not the aircraft network switch (e.g., AFDX/TSN switching): only bandwidth/port/redundancy requirements and health indicators are referenced.
• Not the timing master (GPSDO/PTP/SyncE internals): only timing inputs/accuracy targets and “loss-of-sync” behavior requirements are referenced.
• Not the 28 V power front end (surge/spike chain): only the power-fail/brownout signaling seen by the mission computer is referenced.

Typical hardware forms and where the design pressure comes from

• Compute blade / SBC (VPX/OpenVPX, rugged COM-based modules): favors modularity and maintainability; stresses connector loss and SI margins.
• Backplane-centric chassis: favors scalable I/O and accelerators; stresses PCIe topology depth and reset/clock distribution discipline.
• Integrated mission box: favors size/weight/power; stresses thermals, serviceability, and controlled upgrade flows.

Boundary handoffs (the practical “contracts” with sibling domains)

Acceptance criteria (how “done” can be proven later)

• Determinism: critical task latencies are bounded and repeatable across temperature and load corners.
• Fault containment: a single endpoint failure does not collapse the fabric into repeated cascade resets.
• Auditability: boot chain, versions, and security policy changes leave tamper-evident records.
• Power-loss behavior: power-fail triggers a controlled sequence that preserves NVMe consistency and creates a post-event evidence packet.

H2-2 · Data Paths & I/O Map: How the System Connects

Goal: turn “interfaces” into a flow map that separates mission-critical traffic from management and maintenance. This section establishes the structure used later for PCIe topology, NVMe behavior under faults, and audit-ready upgrade paths.

Step 1 — Classify traffic into three planes

• Data plane (mission traffic): high throughput and bounded latency. Typical endpoints include accelerators, capture/processing cards, and NVMe record/playback.
• Control plane (management traffic): observability, policy, and lifecycle actions. Typical endpoints include BMC/management MCU, health sensors, event logs, and signed update mechanisms.
• Maintenance plane (service tools): restricted access for debugging and depot maintenance. Kept minimal to avoid accidental coupling to mission determinism.

Step 2 — Build a flow map, not a port list

A port list explains what exists; a flow map explains what must be protected. Each critical flow should be described by: source → processing → sink, plus the failure symptom that indicates the flow is compromised.

• Ingest flows: sensor/payload inputs → compute pipeline → decision outputs.
• Record flows: compute pipeline → NVMe (records) → export/maintenance access.
• Evidence flows: events/counters → log store → extraction tooling (BIT packages).

Step 3 — Enforce isolation (logic, bandwidth, fault containment)

• Logic isolation: updates and maintenance actions must not execute in the same privilege and timing context as mission tasks.
• Bandwidth isolation: reserve headroom so large transfers (e.g., record export) cannot starve mission pipelines.
• Fault containment: a misbehaving endpoint must not trigger repeated cascade resets across unrelated links.

Typical bottlenecks and the evidence that exposes them

• DMA congestion: symptoms include tail-latency spikes and periodic stalls; evidence includes queue depth, dropped frames, and latency histograms.
• Excessive fabric depth: symptoms include intermittent enumeration and frequent link retraining; evidence includes link-down/retrain counters and negotiated speed changes.
• Shared reset/refclk coupling: symptoms include “one fault resets many”; evidence includes correlated timestamps across reset causes and link events.

Throughput & latency budget template (copy/paste friendly)

H2-3 · Compute Architecture Choices: CPU, FPGA, Accelerators

Goal: explain why mission computing is rarely “just a bigger CPU.” The architecture must produce deterministic timing, fault containment, and an auditable lifecycle (updates, logs, and evidence) under harsh avionics constraints.

Role split that maps to mission outcomes (not to marketing terms)

Selection criteria that matter in avionics mission computing

• Determinism: key paths must have measurable and repeatable latency bounds (avg and tail). If tail latency cannot be bounded, the workload does not belong solely on a CPU.
• Certifiability / verifiability: isolate what must be proven (critical pipelines and safety monitors) from what evolves frequently (maintenance tools and analytics).
• Power & thermal envelope: peak compute must not trigger link instability, storage throttling, or unpredictable timing drift under worst-case temperature.
• Lifecycle supply: replacements should preserve the architecture contract (domain boundaries and interfaces), avoiding “recertify everything” events.

Domain partitioning: mission / management / safety monitor

Partitioning turns reliability and security from “features” into a system rule: maintenance actions and policy changes cannot steal time or privilege from mission execution.

• Mission domain: real-time workloads, deterministic pipelines, critical data paths.
• Management domain: secure boot enforcement, signed updates, telemetry collection, log packaging, and controlled configuration changes.
• Safety monitor domain: watchdog/health verdicts and safe-state requests; operates independently enough to remain credible when the mission domain misbehaves.

Common pitfalls (with symptoms and evidence)

• Everything on CPU → determinism cannot be proven: symptoms include tail-latency spikes and missed deadlines under load; evidence includes latency histograms, queue depth growth, and correlated drop events.
• Management mixed into mission → upgrades disturb operations: symptoms include anomalies during updates (retraining bursts, storage hiccups); evidence is a timeline overlap between maintenance events and mission faults.

H2-4 · PCIe Fabric Topology: Switches, Segments, Redundancy

Goal: treat PCIe as a designable fabric, not a wire. The mission computer must scale endpoints (NVMe, accelerators, high-speed I/O) while preventing single-device faults from collapsing the entire system into repeated retraining and resets.

Topology templates (choose by failure modes, not by aesthetics)

• Single-root, mostly direct: simplest; acceptable when endpoints are few and the physical channel is short and stable.
• Single-root with a switch segment: common for scalable mission computers; creates a clean subtree for endpoints and improves manageability.
• Dual-fabric / two switch domains (concept level): used when mission objectives require continued operation after a fabric-side fault. The key is defining what stays alive in degraded mode.

Switch selection criteria (engineering-useful, protocol-minimal)

• Ports and expansion headroom: cover today’s endpoints plus growth; avoid “forced daisy chains” that deepen the topology.
• Non-blocking bandwidth: critical flows should not be starved during simultaneous record + processing + export operations.
• Isolation capability (subtree containment): faults and traffic should be containable within a branch, instead of rippling across unrelated endpoints.
• Error reporting + manageability: link training events, retrain counts, error counters, and (when available) temperature/power telemetry should be readable.

Redundancy strategy (define the boundary and the proof)

• Boundary: identify which endpoints are “must survive” (e.g., critical record path or core compute) versus “optional in degraded mode.”
• Containment: ensure that a failing endpoint causes a local recovery (branch isolation), not system-wide churn.
• Proof: create logs that show: fault detected → branch isolated → system stabilized → degraded-mode entered (if required).

Observability: the minimum evidence set to log

• Link training timeline: up/down events, negotiated speed changes, and retrain bursts.
• Error counters: correctable vs uncorrectable trends, plus time correlation to mission anomalies.
• Thermal correlation (optional): hotspots that correlate with retraining or storage throttling.

H2-5 · Retimers & Signal Integrity: “Boots” Is Not “Flight-Ready”

Goal: explain why retimers/redrivers become an engineering requirement in avionics mission computers, and how to validate the PCIe channel under temperature, vibration, and long-duration stress—not just a single successful boot.

When a retimer becomes necessary (trigger conditions)

• Channel loss exceeds margin: long traces, multiple connectors, and backplane insertion loss reduce eye opening.
• Cross-board / backplane crossings: each connector/backplane segment consumes budget and increases sensitivity to environment.
• Higher generation targets: moving to faster link speeds tightens timing and loss margins, increasing “works sometimes” risk.
• Harsh corners: temperature drift, vibration micro-motion, and EMI can turn a marginal channel into frequent retrains.

Selection criteria (engineering-level, not a protocol lesson)

• Generation support: the part should support the intended link speed with adequate margin in worst-case channels.
• Equalization capability: EQ range should cover the channel loss envelope with stable training across corners.
• Latency/jitter impact: insertion should not break end-to-end latency budgets or amplify jitter into unstable links.
• Manageability: status and counters should be readable to build an evidence trail (training, errors, retrain bursts).

SI/PI coupling: how power noise turns into link instability

Validation checklist (flight-ready evidence)

• Eye/BER concept checks: verify the channel margin on representative worst-case paths (not only “best lane”).
• Temperature corners: run sustained load at cold and hot corners; record retrain/error statistics.
• Vibration/handling stress: measure retrains per hour under vibration windows (statistics, not anecdotes).
• Long-duration soak: observe error counters and link stability over time; capture “bursty” failure patterns.
• Evidence logging: store training events, negotiated speed changes, retrain counts, and correlation timestamps.

H2-6 · Memory & Storage: ECC + NVMe Control as a Data-Integrity Loop

Goal: make “data integrity” measurable and operational: detect errors, trend them, trigger defined actions, and preserve auditable evidence. This includes ECC memory health signals and NVMe behavior (consistency and tail latency) under real mission load.

ECC memory: why it matters and how it becomes health telemetry

• Engineering value: ECC reduces silent corruption risk and provides measurable health signals for long-duration operation.
• Correctable vs uncorrectable: correctable events (CE) are trend indicators; uncorrectable events (UE) trigger defined fault handling and evidence capture.
• Scrub (concept): periodic maintenance reduces accumulated risk; success/fail counts become part of health records.

NVMe control: the practical metrics that matter

• Write consistency: records and evidence should not be left in an ambiguous “half-written” state after resets or power events.
• Tail latency (QoS): bulk recording/export must not destroy mission determinism; evaluate p99/p999 write behavior under sustained load.
• Power-fail marker (concept): when a power-fail indicator is asserted, the system should perform controlled flush/commit steps and store an auditable shutdown record.

Data tiering: separate what must be preserved from what can be large

• System area: bootable images and controlled configurations (signed updates only).
• Evidence / logs area: event logs, BIT packages, version audits, CE/UE trends (prioritize integrity and accessibility).
• Records area: high-throughput mission records (allowed to follow defined degraded rules, but must remain explainable).

Common pitfall: records and mission tasks share the same queue

• Symptom: export or heavy recording causes unpredictable tail latency and deadline misses.
• Root cause: queue contention and background storage behavior introduce non-deterministic stalls.
• Fix: partition/namespaces (concept), protect the evidence/logs area, and enforce bandwidth/priority separation.

H2-7 · Secure Boot with HSM: Chain of Trust + Maintainable Updates

Goal: treat secure boot as an engineering chain: clear responsibilities, observable failure modes, and verifiable evidence. The objective is a boot-and-update flow that remains secure while staying serviceable in the field.

Typical chain of trust (what is verified, and when)

• ROM (Root-of-Trust start): validates the first-stage boot component before executing it.
• Bootloader: validates the OS or hypervisor image and the platform policy bundle.
• OS / Hypervisor: validates mission applications and enforces runtime policy gates.
• Application stage: loads only approved modules and exports verifiable version/state into logs.

HSM / TPM / Secure Element: the practical responsibilities

• Protected key usage: cryptographic keys are used inside a protected boundary (avoid key export paths).
• Version counters / monotonic state: provide the anchor for rollback protection (anti-downgrade).
• Attestable measurements (optional concept): record “what booted” as evidence that can be audited later.

Measured boot vs secure boot (boundary definition)

• Secure boot: blocks execution if verification fails (enforced gate).
• Measured boot: allows boot but records measurements for audit (evidence-first).
• Engineering rule: use secure boot where unsafe code must never run; use measured boot to strengthen auditability and forensics.

Key provisioning and update serviceability (factory → field)

Common pitfalls (symptoms and fixes)

• Signed updates without rollback control: allows downgrade windows. Fix by enforcing monotonic version rules anchored in RoT state and making failures auditable.
• Unclear factory key handling: risks “same key across many units.” Fix with per-unit identity materials, batch isolation, least-privilege access, and complete provisioning audits.

H2-8 · Fault Tolerance & Health Monitoring: From WDT to Evidence Chains

Goal: make reliability operational: observable signals become deterministic verdicts, actions are executed in defined tiers, and every action leaves an auditable evidence record for maintenance and post-event review.

What to monitor (layered signals)

• Fabric/link layer: link up/down, retrain bursts, negotiated speed changes, error counter trends.
• Memory layer: ECC correctable (CE) trends and uncorrectable (UE) events.
• Thermal & power events: temperature limit flags, reset causes, power-fail markers (event-level only).
• Storage health (concept): NVMe health indicators and error trends, correlated to workload/temperature.

Verdicts: turn signals into actions

Action tiers (degrade first, reboot last)

• Degrade: limit throughput, pause non-critical recording/export, reduce concurrency.
• Isolate: quarantine a device/branch to prevent cascaded failures.
• Recover: retrain links or restart a subsystem if isolation is insufficient.
• Switch redundancy (concept): move to redundant paths/domains and keep mission in a defined degraded mode.

BIT/BIST in the mission computer (MC-only)

• PBIT (power-on): verify key links, storage tiers, and evidence-log readiness before mission start.
• CBIT (continuous): monitor counters/trends with minimal mission impact and produce periodic health records.
• MBIT (maintenance): deeper diagnostics during scheduled service windows; export evidence packs for review.

H2-9 · Power Holdup & Graceful Shutdown: “Write Completes, Evidence Remains”

Goal: define what the mission computer requires during a power-fail window and how to verify it. The focus is a controlled sequence (detect → flush → seal evidence → safe state), not holdup hardware details.

Power-fail detect: what triggers the controlled shutdown flow

• Power-fail indicator: a hardware or management-domain event that asserts when input power is collapsing.
• Interrupt-to-action path: the signal must reach a domain capable of pausing non-critical traffic and starting the flush sequence.
• Timestamped marker: record when the power-fail was detected so post-event analysis can reconstruct timing.

Holdup budgeting: convert “milliseconds needed” into a budget table

Budget the usable window from power-fail detect to the point where storage writes are no longer reliable. The core requirement is an auditable P × t budget tied to a defined flush sequence.

Data consistency strategy (engineering order of operations)

• Stop non-critical writes first: halt bulk recording/export to prevent queue contention.
• Flush metadata with a bounded time: commit the minimum set needed for explainable restart.
• Seal evidence before optional records: preserve the “what happened” timeline even if some record data is dropped.
• Enter safe state: reduce activity to minimize further corruption risk as voltage continues to fall.

Verification: power-cut injection tests (matrix + pass criteria)

• Injection phases: idle, high write load, mixed mission + record load, and during maintenance export.
• Corners: cold and hot temperature corners; include representative vibration windows when applicable.
• Pass criteria: evidence pack present and consistent; restart is explainable; failures produce clear reason codes.
• Evidence output: each injection produces a power-fail record: time, version, flush result, and shutdown stage.

H2-10 · Thermal, EMI, and Ruggedization: Full-Load Stability You Can Reproduce

Goal: translate avionics environmental reality into board-level and chassis-level constraints for a mission computer. The focus is sustained full-load behavior, controlled degradation, and reproducible evidence for intermittent faults.

Thermal path: board hotspots to chassis conduction

• Primary path: device → PCB → thermal interface → conduction plate / cold wall → chassis.
• Typical hotspots: PCIe switch, retimers, NVMe devices, and high-load compute zones.
• Engineering requirement: define allowable hotspot temperatures and a controlled derating policy when limits are approached.
• Evidence: log temperature peaks with timestamps and correlate them to link stability and throughput behavior.

EMI/EMC (system-level, minimal theory)

• Return-path continuity: high-speed SERDES stability depends on clean reference/return paths across connectors and shields.
• Symptom-based evidence: retrain bursts, rising error counters, and speed shifts correlated to specific operating modes or test exposure.
• Action intent: isolate noisy domains, keep return paths continuous, and maintain consistent shield/ground boundaries at the chassis level.

Vibration/shock: intermittent faults that must be made repeatable

• Connector micro-motion: vibration can create intermittent impedance changes that trigger retrains and endpoint drops.
• Correlation requirement: record retrain and link-down events during defined vibration windows and compute “events per hour.”
• Fix validation: changes are accepted only when statistics improve, not when the issue “seems gone.”

Rugged validation metrics (what “done” looks like)

• Thermal soak: full-load stability without uncontrolled resets; controlled derating is logged and explainable.
• EMI exposure: no unexplained link instability; counters and speed states remain within expected bounds.
• Vibration window: retrain/event rate below threshold; evidence packs generated for any excursions.