Research on Resource Allocation Method of Integrated Avionics System considering Fault Propagation Risk

The integrated modular avionics (IMA) system has coupled cross-linked support characteristics between physical resource entities and logical functions, and the existing resource allocation methods, which mainly consider system performance and resource utilization, do not consider the associated impact of fault propagation among resource entities. Aiming at the fault propagation risk in the resource allocation process of the IMA system, a hierarchical model of the IMA system is established. The fault propagation behavior caused by coupling association during the physical realization of the function layer logical architecture is analyzed, and the impact of different resource allocation methods on the fault propagation behavior is determined. Secondly, resource capacity constraints are established according to the resource requirement for hosted function, and the fault propagation risk model of the IMA system is constructed by considering the fault propagation impact factor, the relative importance of nodes, and the function safety criticality. The resource allocation method is evaluated according to the fault propagation risk model, and a heuristic algorithm is applied to optimize the resource allocation method of the IMA system. The simulation results show that the average propagation probability of the optimized resource allocation scheme decreases by 17.4%, and the overall fault propagation risk of the resource network decreases by 50.3%, indicating that the proposed resource allocation method can effectively improve the safety of the IMA system.


Introduction
With the increasing demand for general computing power and comprehensive integration of avionics systems, the integrated modular avionics (IMA) system is gradually replacing traditional federated avionics systems. It achieves the physical integration, functional integration, and management integration of avionics systems, reduces system weight, and forms an open system that can be easily updated [1][2][3][4]. Because of these advantages, IMA architecture is widely used in the system design of new-generation civil aircraft such as the B787, A380, and C919 [5,6]. The IMA system employs a shared resource platform to load software for hosted functions, and the shared mechanism simplifies the equipment development and validation process and improves resource utilization by assembling modular and common physical resources [7]. Unlike the dedicated resources of "one function and one set of equipment" in the federated avionics system, the function integration and resource sharing characteristics of the IMA system mean that the mapping relationship between the logical layer functions and the physical layer resources is complex and diverse, causing the problem of multiple hosted functions competing for limited general resources [8]. Therefore, a reasonable resource allocation method becomes the key to ensuring the effective and reliable execution of the avionics system functions.
Many studies have been conducted on resource allocation methods for avionics systems. Zhou et al. [9] proposed a hierarchical resource allocation scheme for distributed IMA systems, with platform-level communication costs and workloads as optimization targets, and node-level optimization of partitioning parameters. Chu et al. [10] presented the impact of functional redundancy requirements on the design of IMA system configuration schemes, taking into account schedulability and reliability constraints to find the best solution. Khamvilai et al. [11] proposed a distributed resource allocation algorithm for safety-critical applications on a parallel computing architecture, using an abstract graph to represent the parallel computing architecture, and transforming the allocation problem into an integer linear programming optimization problem. The above research on resource allocation methods focuses on partition performance, resource utilization, and functional availability but does not consider the fault propagation risk caused by deep coupling of resource allocation processes in IMA systems.
To address the safety problems arising from the dynamic coupling of time-space resources in the IMA partition, Li et al. [12] proposed an improved timed colored Petri net with time-space coupling safety constraints based on the dynamic association of the time and space domains of resource modules. For the component state correlation and system dynamic fault behavior caused by the resource sharing mechanism of IMA system, Han et al. [13] proposed an improved colored generalized stochastic Petri net modeling and analysis method considering the IMA fault recovery characteristics. Jiang et al. [14] considered the influence of fault propagation time and proposed a multidimensional safety risk theory on the basis of fault propagation probability and potential severity. Yan et al. [15] constructed the failure severity matrix based on the resource layer coupling relationship of the DIMA platform and analyzed the fault propagation behavior by considering the system fault propagation probability and edge betweenness comprehensively. The above research focuses on evaluating the determined resource allocation scheme and identifying the critical route of avionics system fault propagation, which is a design assessment analysis that fails to successfully feed the analysis results into the design scheme.
Based on the foregoing, in order to reduce the fault propagation risk caused by the resource allocation process, this paper assesses the fault propagation risk for different resource allocation schemes in the design phase. To begin, the IMA system hierarchical model is established to quantify the resource capability of the resource layer and construct the IMA system resource allocation model. Second, the fault propagation risk of IMA system is analyzed, and a risk model for IMA system fault propagation is developed. Finally, the fault propagation risk is applied to evaluate the IMA system resource allocation scheme, and the validity of the proposed resource allocation method is demonstrated by example verification.

IMA System Model
The IMA system effectively reduces aircraft weight and cost through function synthesis and resource sharing and provides great convenience for system updates, but because of deep coupling and resource sharing, a subsystem fault can propagate to other systems through the IMA platform, which has a wide-scale impact on system safety [16]. To address the above problems, this paper performs a hierarchical decomposition of the IMA system and analyzes the IMA system characteristics by establishing a task-function-resource hierarchy model [14,17,18].

IMA System Hierarchy Model
2.1.1. Task Layer. The design of IMA system architecture needs to specify the task objectives of the avionics system based on flight safety requirements and consider the specific task context to build the capability requirements. The task layer identifies system use case scenarios by capturing and analyzing system application capability requirements, and these expected use case scenarios can be defined as the task layer. In order to achieve a specific task, the basic functions required to accomplish the task need to be identified, and a task-function mapping relationship is formed.

Function Layer. Function is a task-oriented capability organization model. The task-function mapping relationship associates the application space with the capability space and realizes the integration of the IMA system through the generation and organization of functions. In the design process of the function layer, according to the task requirements, safety requirements, and interface requirements that need to be realized, combined with the characteristics of the IMA platform, the IMA system functions are planned, which is essentially the allocation of resources. When IMA platform resources are allocated to hosted functions, the corresponding sensors, actuators, and nonplatform remote control units need to be configured to form a unique functional architecture for each system, and the resource allocation scheme will have an impact on the functional architecture [19]. The minimum requirements for calculation, communication, and memory resources for the IMA system hosted functions can be expressed as where $RN_i$ denotes the resource requirement for the normal execution of the $i$th hosted function of the IMA system and $CAL_i$, $COM_i$, and $MEM_i$ denote the specific values of the minimum requirements for calculation, communication, and memory resources, respectively.

Resource Layer. The function design belongs to the logical architecture. To realize the design of the system logical layer, the mapping relationship between the logical space and the physical entity must be established. IMA system resources can be defined as hardware and software entities with specific capabilities such as calculation, memory, and network communication that can be invoked remotely [20]. According to the development process of hosted application and resource allocation activities in DO-297, the resources of the IMA platform should be quantified first when developing a hosted application, and the resources used by the hosted application to execute the corresponding functions should meet the resource limits of the platform [21]. IMA systems usually contain multiple resource modules, each of which can provide multiple types of resources, and this paper simplifies the resources that can be provided by IMA systems into three categories: calculation resources, memory resources, and communication resources [22]. IMA systems usually contain multiple common resource modules, and the calculation, communication, and memory resources provided by each resource module for a single hosted function can be expressed as where $rp_j$ represents the specific value of the resource provided by the $j$th resource module in the general resource module set of the IMA system for the hosted function and $cal_j$, $com_j$, and $mem_j$ denote the specific values of the calculation, communication, and memory resources provided, respectively. The maximum value of resources of the $j$th module in the IMA system is denoted by $\max rp_j$:
$\max rp_j = (\max cal_j, \max com_j, \max mem_j)$ (3)
Figure 1 shows the hierarchy architecture of the IMA system. Through the requirement analysis of the IMA system, use case scenarios are constructed, and these use case scenarios form the system task layer.
The top-level task application requirements are passed and decomposed to generate capability requirements of function, forming specific functions to achieve a particular task, and the resource layer is based on the capability requirements of function to organize and allocate physical resources to achieve the corresponding functions.

Resource Allocation Model for IMA System
The IMA system creates and organizes the required functions according to the specific avionics task requirements by analyzing the planned use case scenarios. At the same time, to ensure the smooth execution of top-level tasks, these functions organize and schedule the underlying physical resources. The resource allocation scheme of the IMA system reflects the way the logical architecture of the function layer is mapped to the physical implementation of the resource layer, and the interactive support of the resource module for the hosted function deepens the coupling association of the resource layer. The generation method of the direct coupling path includes the logical coupling of resource modules serving the same hosted function and the direct physical interaction between resource modules. The direct coupling reflects the direct data interaction between resource modules, but in the process of fault propagation, due to the cascading effect, indirect coupling also leads to potential risks. The indirect coupling path is that the fault of a single module will not only affect the directly coupled module during the fault propagation process but also affect other modules through the module association network, and even spread to the entire resource layer. The IMA system decomposes different task requirements into specific functions and then allocates general resources to each function. Figure 2 shows the fault propagation process of the IMA system, where the dashed line between the function and resource layers reflects the resource allocation relationship, and GPM indicates the general processing module. In the figure, GPM2 and 4 are directly coupled when serving the thrust management function, and GPM4 and 7, which support the airplane condition monitoring function, are directly coupled. Therefore, GPM2 and 7 are indirectly coupled through GPM4 to generate the fault propagation path.
According to the hierarchy model of the IMA system in Section 2.1, the essence of the data inheritance of the hosted function is that the data generates interaction between resource modules. The spatiotemporal partition defined by ARINC653 [23] effectively solves the data coupling of the hosted function caused by resource sharing within each partition of the IMA system. However, in addition to the partition shared data coupling, when a hosted function in the partition uses data processed by other resource modules through the avionics full duplex switched Ethernet (AFDX) data network, there is a problem of logical coupling due to the data dependency of resource modules serving the same hosted function [24,25].
To reduce the fault propagation risk caused by each resource module, the resource allocation scheme should be optimized during the design phase of the IMA system. Through resource sharing, the IMA system hosts a variety of avionics functions, and the correspondence between hosted functions and resource modules is no longer single; i.e., the hosted functions have a variety of allocation schemes. A resource allocation model based on the IMA system hierarchy model described in the previous section is established to evaluate the various allocation schemes:
(i) Define the set of tasks $T = \{t_1, t_2, \cdots, t_k\}$ to indicate that the task layer of the IMA system contains $k$ tasks
(ii) Define the set of functions $F = \{f_1, f_2, \cdots, f_n\}$ to represent hosted functions of IMA system, and $n$ is the total number of hosted functions
(iii) Define the set of resources $R = \{r_1, r_2, \cdots, r_m\}$ to indicate that the IMA system resource contains $m$ resource modules
Since both the task and function layers represent the logical design of the system, this paper focuses on the physical implementation of the function layer and studies how the physical resources of the IMA system are allocated to the hosted functions. The function-resource allocation relationship can be expressed as $A: F \to R$. A resource allocation scheme matrix $A$ is formed by assigning $m$ resource modules to $n$ hosted functions. If the resource module $r_j$ is assigned to the hosted function $f_i$, then $A_{ij}$ is 1; otherwise, $A_{ij}$ is 0, where $i = 1, 2, \cdots, n$ and $j = 1, 2, \cdots, m$.

Fault Propagation Risk Model for the IMA System
Risk is the combination of the probability of a system's occurrence of a hazard and the severity of the consequences caused by this hazard [26], and the risk $R$ can be expressed by the probability of hazard occurrence $P$ and the severity of hazard consequences $S$ as follows: Fault propagation risk reflects the probability of a system component fault propagating to cause other component failures and the degree of harm caused by the failure of other components due to propagation effects. For the resource coupling characteristics of IMA system, the IMA system resource modules are abstracted as complex network nodes, and the coupling relationships between modules are abstracted as edges. To assess the IMA system fault propagation risk, the following assumptions are made for the IMA system fault propagation behavior:
Assumption 1. The AFDX network connects each module of the IMA system resource layer to each other, allowing for a fault propagation path between any two modules.
Assumption 2. The probability of source fault propagating decreases with propagation distance. Hence, the fault propagation direction and path are determined by the least number of hops from the fault source node to other nodes.
IMA system functions are realized through IMA platform resources in the form of hosted applications, and according to the development assurance requirements of DO-178C [27], the reliability level of hosted applications is much higher than that of hardware resources, so the main reason for the fault of IMA system functions is the fault of the resource modules serving the functions. The resource modules serving the same function of the IMA system generate direct coupling, and according to the direct coupling relationship, a direct coupling matrix can be constructed, based on which the shortest path algorithm can be applied to derive the shortest path and interconnection relationship between all elements of the resource layer, forming a multinode fault propagation network. According to the theory related to complex networks, nodes with different positions in the network have different degrees of influence and dependence on other nodes [28]. It is difficult to fully reflect the IMA fault propagation risk only from the module fault propagation probability and the safety criticality of the functions supported by the module, and the importance of the nodes in the fault propagation network should also be considered. In order to assess the resource layer fault propagation risk under different resource allocation schemes, the factors influencing the fault propagation risk of IMA systems need to be analyzed:
(1) Node Fault Propagation Impact Factor $I_j$. It indicates that in the fault propagation network, node $r_j$ is affected by the total sum of other nodes fault propagation, and its larger value indicates that the node is affected by fault propagation more where $P_{k \to j}$ represents the fault propagation probability, which reflects the probability that a fault at node $r_k$ affects node $r_j$ through path $k \to j$ in the resource layer network, and a larger value indicates a stronger fault propagation capability.
(2) Node Importance $C_j$. $C_j$ integrates the local and global importance of the node in the network, reflecting the importance of the node's location in the network and reflecting the impact of node faults of different importance on the overall propagation risk of the network during fault propagation [29].
where $\delta_j$ denotes the efficiency of node $r_j$, which reflects the role of the node in information transmission in the network; $m$ denotes the total number of nodes in the network, i.e., the total number of resource modules in the resource layer; and $d_{jk}$ denotes the distance from element $r_j$ to $r_k$. In Equation (7), $X_{jk}$ denotes the contribution allocation parameter, which takes the value of 1 when element $r_j$ is directly connected to $r_k$; otherwise, it takes the value of 0. $D_k$ denotes the node degree value of element $r_k$, which is the number of nodes directly connected to the node, and $D$ denotes the average degree value of the network.
(3) Function Safety Criticality $S_i$. The hosted functions of IMA system involve multiple ATA chapters, and each function failure has different degrees of impact on flight safety. The criteria for determining the severity of the failure condition are given in AC25.1309-1B [30] as shown in Table 1. According to the classification criteria in Table 1, the severity of the corresponding failure state of the IMA system function can be determined. Combining with the principle that the higher the severity of failure, the higher the development assurance level used to mitigate the failure condition in 4754A [31], the group analytic hierarchy process [32] is applied to evaluate the IMA system function. A number of experts in related fields are invited to construct a functional judgment matrix according to the severity of the failure condition. The subjective weight is determined according to the expert's academic level and work experience, and the objective weight is determined in combination with the judgment matrix given by the expert. Finally, the comprehensive weight of the expert is obtained according to the subjective and objective weight. The comprehensive judgment matrix is obtained by assembling the individual judgment matrix using Hadamard convex combination and expert comprehensive weights. Based on the comprehensive judgment matrix, the eigenvalue method is applied to calculate the importance of each function.
The classical safety risk theory usually assesses risk in two dimensions: the probability of hazard occurrence and the severity of hazard consequences, as shown in Equation (4). When considering the effect of fault propagation network topology, assessing fault propagation risk from only two dimensions is insufficient. Therefore, this paper considers the node importance in the fault propagation network and applies the fault propagation impact factor, node importance, and function safety criticality to quantify the fault propagation risk of a resource module. The fault propagation risk model can be formalized as presented in where $C_{\max}$ denotes the maximum value of the importance of the resource module node in the fault propagation network and $S_i$ denotes the safety criticality of the function $f_i$ served by the resource module $r_j$.
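The direct coupling matrix and shortest-path step described above can be worked through on the Figure 2 case. This Python sketch is an added example, not code from the paper: it models only the logical coupling of modules serving the same function (not direct physical interaction), uses Floyd-Warshall with unit edge weights for the hop counts of Assumption 2, and the 7-module allocations and all function names are constructed.

```python
from itertools import combinations

INF = float("inf")

def direct_coupling(A):
    """A[i][j] == 1 when resource module j serves hosted function i.
    Two modules are directly coupled when they serve the same function."""
    m = len(A[0])
    C = [[0] * m for _ in range(m)]
    for row in A:
        serving = [j for j, bit in enumerate(row) if bit]
        for a, b in combinations(serving, 2):
            C[a][b] = C[b][a] = 1
    return C

def hop_distances(C):
    """Floyd-Warshall over the coupling graph; every direct edge costs one hop."""
    m = len(C)
    d = [[0 if a == b else (1 if C[a][b] else INF) for b in range(m)]
         for a in range(m)]
    for k in range(m):
        for a in range(m):
            for b in range(m):
                if d[a][k] + d[k][b] < d[a][b]:
                    d[a][b] = d[a][k] + d[k][b]
    return d

def coupling_paths(A):
    """Return (direct, indirect) module pairs, numbered from 1 as in the text.
    Indirect entries carry the hop count of the shortest propagation path."""
    d = hop_distances(direct_coupling(A))
    m = len(d)
    pairs = [(a, b) for a in range(m) for b in range(a + 1, m)]
    direct = [(a + 1, b + 1) for a, b in pairs if d[a][b] == 1]
    indirect = [(a + 1, b + 1, d[a][b]) for a, b in pairs if 1 < d[a][b] < INF]
    return direct, indirect

# Constructed 2-function, 7-module allocation matching the Figure 2 description.
FIGURE2_ALLOCATION = [
    [0, 1, 0, 1, 0, 0, 0],  # thrust management on GPM2 and GPM4
    [0, 0, 0, 1, 0, 0, 1],  # airplane condition monitoring on GPM4 and GPM7
]
# Constructed alternative: monitoring no longer shares GPM4 with thrust management.
ALTERNATIVE_ALLOCATION = [
    [0, 1, 0, 1, 0, 0, 0],  # thrust management on GPM2 and GPM4
    [0, 0, 0, 0, 1, 0, 1],  # airplane condition monitoring on GPM5 and GPM7
]

if __name__ == "__main__":
    for name, A in (("Figure 2", FIGURE2_ALLOCATION),
                    ("alternative", ALTERNATIVE_ALLOCATION)):
        direct, indirect = coupling_paths(A)
        print(name, "direct:", direct, "indirect:", indirect)
```

Moving one function off the shared module removes the two-hop path between GPM2 and GPM7, which is the effect of the allocation scheme on the propagation network that the risk model is built to score.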

Modeling of Resource Allocation Method considering Fault Propagation Risk
The solution of the resource allocation scheme of the IMA system is a constrained allocation problem, and the corresponding functions need to be realized under the limited resources.
3.2.1. Constraints. The constraints can be established based on the types of resources described in Section 2.1 as follows.
(1) Resource Requirement Constraint for Hosted Function.
The resource requirement for hosted function represents the minimum value of the resources required for the normal execution of the hosted function. The IMA system function-resource has the coupling and cross-linking feature; that is, a function often needs the collaborative support of multiple resource modules. The resource requirement constraint for hosted function indicates that the total amount of resources provided by multiple resource modules serving the same hosted function shall be greater than the minimum value of resources required for the normal execution of the hosted function.
(2) Capability Limitation for Each Resource Module. The resource sharing feature of the IMA system allows multiple functions to be hosted on the same resource module, but the total resources that a single resource module can provide are limited. The capability limitation for each resource module indicates that the maximum amount of resources provided by each resource module for all functions hosted on it shall be less than the total amount of module resources.
3.2.2. Optimization Objective. The optimization objective of the resource allocation scheme of the IMA system is to improve the overall safety level of the system by reducing the fault propagation risk at the resource layer. The severity of the consequences caused by fault propagation hazards in the IMA system depends on the safety criticality of the functions served by the resource modules. Therefore, in the resource allocation process, safety-critical functions should be assigned to resource modules with a low fault propagation impact factor and low node relative importance as much as possible to minimize the overall fault propagation risk of the resource layer network. Considering the above factors affecting the resource allocation scheme, the following objective function can be established by combining Equation (8):
3.3. Solution of Resource Allocation Scheme Based on Genetic Algorithm
3.3.1. Introduction to Algorithm. A genetic algorithm (GA) simulates the genetic processes of biological organisms in nature according to the evolutionary law of survival of the fittest and is an optimal solution search method based on the principles of natural selection and genetics [33]. The algorithm was originally proposed by Professor Holland of the University of Michigan [34]. Because GA has the characteristics of coding without prior knowledge about the system and parallel development of multiple search routes, related theoretical and applied research has been developed rapidly.
In genetic algorithms, the decision variables of the search problem are encoded as chromosomes, and as a potential solution to the search problem, multiple chromosomal individuals form the population [35].
According to the resource allocation model established in Section 2.2, $m$ resource modules need to be assigned to $n$ hosted functions, and then, the resource allocation scheme can be expressed in the following encoding: where $G_I$ denotes the $I$th gene of the chromosome and takes the value of 0 or 1, indicating whether the $j$th resource module is assigned to the $i$th hosted function. $i$, $j$, and $I$ are mathematically related as shown in Equations (13) and (14), and the symbols $\lfloor \circ \rfloor$ denote rounding down.
The fitness function is used to evaluate the performance of the resource allocation scheme in the initial population created after coding. In constructing the fitness function, the objective function of Equation (11) is necessarily its main component, while the penalty function is introduced to deal with the constraints, and according to Equations (9) and (10) in Section 3.2.1, the penalty function can be obtained as follows: The fitness function is obtained by combining the penalty function with the objective function in Equation (11): where γ denotes the penalty factor and a smaller value of the fitness function in this model indicates a more optimal allocation scheme.

Algorithm Steps. The specific steps for solving the function-resource allocation scheme using genetic algorithm are as follows:
(1) Coding. Follow the coding rules outlined in Section 3.3.1. In this problem, each chromosome represents an allocation scheme, and the genes of the chromosome describe the allocation relationship between the corresponding functions and resources, and changes in the value taken by each gene affect the overall allocation scheme
(2) Initialized Population. The intrinsic information such as resource requirements for hosted functions and resource module capabilities is known in the resource allocation scheme, and the initial population is set in a specified distribution range. First, a random positive number $j$ in the range of $[1, m]$ is generated, and the gene value of chromosome $I = (i - 1) \times m + j$ is set to 1, indicating that the resource layer element $r_j$ is assigned to function $f_i$. The number of random numbers is adjusted according to the number of resource modules demanded by the hosted function, and the operation is repeated $n$ times in turn to generate an initial individual. By extracting a certain number of individuals, the initial population can be obtained
(3) Adaptation Evaluation. The candidate solutions in the population are evaluated by the fitness function constructed by Equation (16)
(4) Genetic Operations. There are three primary operators in genetic operations: selection, crossover, and variation. Selection is the process of selecting the best individuals from a population to participate in the generation of offspring, and the most frequent ways are roulette selection and local selection. Roulette selection is used in the resource allocation process for IMA systems to expand the search space and avoid slipping into a local optimum. The random exchange of certain genes between the parent individuals and their offspring to generate novel gene combinations is known as crossover. The commonly used binary crossover methods are single-point crossover and multipoint crossover. According to the characteristics of this model, the multipoint crossover method is selected. Variation is to change the gene values of individuals, which can enhance the local search ability of the algorithm. The solution to the assignment problem is a discrete problem, so the binary variation method is used
(5) Termination Condition. The algorithm stops when the number of iterations reaches a preset value or the adaptation degree corresponding to the global optimal solution no longer changes
The specific operational pseudocode for optimizing the resource allocation scheme using a genetic algorithm is as follows.
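The chromosome encoding of step (1), the initialization of step (2) and the two constraints of Section 3.2.1 can be exercised together in Python. This is an added example and not the paper's pseudocode: the function names are hypothetical, one rp tuple is assumed to apply to every module (as in the B787 case), an exactly met requirement is assumed to satisfy the constraint, and violations are only listed because the paper's penalty and fitness equations are not reproduced on this page.

```python
import random

def gene_index(i, j, m):
    """1-based gene position I for function i and module j: I = (i - 1) * m + j."""
    return (i - 1) * m + j

def gene_to_pair(I, m):
    """Inverse mapping from gene position I back to (i, j), using rounding down."""
    return (I - 1) // m + 1, (I - 1) % m + 1

def encode(pairs, n, m):
    """Build a 0/1 chromosome of length n * m from (function, module) pairs."""
    chromosome = [0] * (n * m)
    for i, j in pairs:
        chromosome[gene_index(i, j, m) - 1] = 1
    return chromosome

def decode(chromosome, n, m):
    """Reshape a chromosome into the n x m allocation matrix A."""
    if len(chromosome) != n * m:
        raise ValueError("chromosome length must be n * m")
    return [chromosome[i * m:(i + 1) * m] for i in range(n)]

def random_individual(modules_needed, m, seed=None):
    """Step (2): for each function draw as many distinct module numbers in [1, m]
    as it demands and set the matching genes to 1."""
    rng = random.Random(seed)
    pairs = [(i, j)
             for i, need in enumerate(modules_needed, start=1)
             for j in rng.sample(range(1, m + 1), need)]
    return encode(pairs, len(modules_needed), m)

def constraint_violations(A, RN, rp, max_rp):
    """List ('requirement', i) and ('capacity', j) violations, numbered from 1.
    RN[i], rp and max_rp are 3-tuples over the three resource types."""
    n, m = len(A), len(A[0])
    violations = []
    for i in range(n):
        serving = sum(A[i])  # modules jointly supporting function i
        if any(serving * p < need for p, need in zip(rp, RN[i])):
            violations.append(("requirement", i + 1))
    for j in range(m):
        hosted = sum(A[i][j] for i in range(n))  # functions hosted on module j
        if any(hosted * p > cap for p, cap in zip(rp, max_rp)):
            violations.append(("capacity", j + 1))
    return violations

# Values quoted in the model example: rp_j and max rp_j for a GPM.
RP = (30, 40, 50)
MAX_RP = (360, 480, 600)
# Constructed requirements for two hosted functions (not taken from Table 3).
SAMPLE_RN = [(50, 60, 80), (30, 40, 50)]

if __name__ == "__main__":
    chrom = encode([(1, 2), (1, 4), (2, 4)], n=2, m=16)
    print(constraint_violations(decode(chrom, 2, 16), SAMPLE_RN, RP, MAX_RP))
```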

Model Example.
In order to simulate the IMA system resource allocation problem as realistically as possible, the B787 resource allocation details are used as a case study to solve the avionics system resource allocation scheme considering the fault propagation risk. The common core system (CCS), which is used by the B787 avionics system, is a centralized cabinet for resource modules. The cabinet is loaded with many different types of line replaceable modules, such as general processing modules and power conditioning modules. These resource modules support several hosted functions through organizational collaboration, but at the same time, they also generate fault propagation risks. In this study, we mainly consider the fault propagation risk posed by the data inheritance performed by resource modules, so we mainly consider the allocation process of general processing resource in the resource allocation process. Table 2 shows the resource allocation scheme of the B787 IMA system with 36 functions hosted in 16 GPMs of the B787 CCS, involving 14 ATA chapters [36]. According to the B787 IMA resource allocation scheme, the resource requirements of hosted function are quantified, and due to the large number of hosted functions and resource modules, the resource requirements are normalized for the convenience of calculation, and the specific results are shown in Table 3. Combining the resource allocation scheme of B787 in Table 2 and the resource requirements of the hosted functions established in Table 3 can determine the calculation, memory, and communication resources provided by each GPM resource module for a single hosted function, $rp_j = (30, 40, 50)$. In the actual resource allocation process of B787, a single GPM module can support up to 12 hosted functions, from which we can get the maximum resource capacity of each GPM: $\max rp_j = (360, 480, 600)$.
The safety criticality of the B787 IMA hosted functions in Table 2 is evaluated according to the group analytic hierarchy process proposed in the literature [32], and the four first-level functions of flight control function, environmental control function, consumables and energy supply, and human-machine interaction interface are determined by classifying the IMA system hosted functions. The specific function classification system is constructed in Figure 3.
With limited space, only the process of determining the safety criticality of the first-level functions $\{F1, F2, F3, F4\}$ is given here. Three experts were invited to assess the relative importance of the four functions to obtain the judgment matrix as The consistency ratio of judgment matrix is $CR_1 = 0.0038$, $CR_2 = 0.0263$, and $CR_3 = 0.0115$, all of which are less than 0.1, so the consistency requirement is satisfied. Combined with the consistency ratio of judgment matrix and the scale matrix, the objective weights of experts λ The eigenvalue method was used to find the first level functional weights as $F_{1-4} = (0.4212, 0.1738, 0.1083, 0.2967)$, respectively. The safety criticality of the hosted functions of the IMA system was obtained as follows:

Simulation and Analysis.
The probability of fault propagation can be determined for each resource allocation scheme using the algorithm described in the literature [15], while the node importance can be determined by applying Equations (6) and (7) to the resource layer node adjacency matrix, and the genetic algorithm is used to solve the resource allocation scheme of the IMA system considering the fault propagation risk. The hardware platform parameters on which the simulation was run were Intel i5-10500 processor (3.1 GHz), 8 G of RAM (2666 MHz), and an operating system of Windows 10 (version 21H2). According to literature [37], GA recommended parameters can be taken as follows: population size $NP = 50$, crossover probability $P_c = 0.6$, variation probability $P_m = 0.01$, and evolutionary generation $GN = 500$. The adaptation evolution process of the algorithm is shown in Figure 4.
From the above figure, it can be seen that when the number of iterations reaches about 450, the fitness function takes a stable value and the minimum value of the final objective function is 0.0583, which is smaller than 0.1173 of the existing allocation scheme of B787. The optimal resource allocation scheme considering the fault propagation risk is shown in Table 4.

Input: RN, rp, max_rp, S
Output: A
1. Function GA_allocation
2.
End for
14. Return P(Best)
15. End function
The corresponding position taken in Table 4 indicates whether the jth resource module is assigned to the ith hosted function. For the purpose of analysis, the resource modules of the two cabinets on the left and right of B787 are numbered from left to right as 1-16. The direct coupling matrix is obtained according to the resource allocation scheme, and the fault propagation path can be obtained by applying the Floyd algorithm, based on which the fault propagation probability of the resource modules with different resource allocation schemes can be obtained. The fault propagation risk is highest when two nodes are directly connected (fault propagation distance d = 1). Tables 5 and 6 demonstrate the probability of directly connected fault path propagation under the various resource allocation schemes, and it is obvious that the optimized scheme reduces fault path propagation probability and the impact of fault propagation across resource modules. The fault propagation network of the IMA system under different resource allocation schemes is shown in Figure 5. The curves between the nodes in the figure indicate the fault propagation reachability relationship, and the color shades of the curves reflect the magnitude of the fault propagation probability, and it can be seen that the overall fault propagation probability of the optimized scheme propagation network is reduced. During the propagation process of source fault, the influence of fault propagation decreases with the increase of propagation distance. Combined with the specific calculation results, it is considered that the source fault propagation influence can be ignored when the fault path propagation distance d > 3. Table 7 compares the average propagation probability of the B787 scheme and the optimized scheme for different propagation distances. It can be seen that the propagation probability of all fault paths in the optimized scheme is smaller than that of the original resource allocation scheme. Figure 6 depicts the fault propagation risk for each resource module of the IMA system under B787 and the optimized resource allocation scheme. It can be seen that the optimized scheme reduces the fault propagation risk for most of the resource modules, reduces the possibility of unintended interactions between the corresponding hosted functions, and effectively improves the safety of the IMA system.
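As an added illustration (not code from the paper), the following runs the Floyd algorithm over a small constructed direct coupling matrix and averages the path probability per propagation distance, ignoring d > 3 as the text does. It assumes that a path's probability is the product of the direct probabilities along it and that d is the hop count of the shortest path; the matrix values and function names are hypothetical.

```python
import math

# Constructed direct coupling matrix for six resource modules (not B787 data).
# P[i][j] is the assumed probability that a fault in module i propagates
# directly to module j; 0.0 means the modules are not directly coupled.
P = [
    [0.0, 0.30, 0.10, 0.0, 0.0, 0.0],
    [0.0, 0.0, 0.0, 0.20, 0.0, 0.0],
    [0.0, 0.0, 0.0, 0.50, 0.0, 0.0],
    [0.0, 0.0, 0.0, 0.0, 0.40, 0.0],
    [0.0, 0.0, 0.0, 0.0, 0.0, 0.25],
    [0.0, 0.0, 0.0, 0.0, 0.0, 0.0],
]
UNREACHABLE = (math.inf, math.inf)

def floyd_fault_paths(P):
    """Floyd over (hop count, -log probability) pairs, compared lexicographically:
    shortest path first, most probable path among equally short ones."""
    n = len(P)
    best = [[(0, 0.0) if i == j
             else (1, -math.log(P[i][j])) if P[i][j] > 0 else UNREACHABLE
             for j in range(n)] for i in range(n)]
    for k in range(n):
        for i in range(n):
            for j in range(n):
                via = (best[i][k][0] + best[k][j][0], best[i][k][1] + best[k][j][1])
                if via < best[i][j]:
                    best[i][j] = via
    return best

def path_probability(best, i, j):
    """Probability that a fault in module i reaches module j along the chosen path."""
    return 0.0 if best[i][j] == UNREACHABLE else math.exp(-best[i][j][1])

def average_by_distance(P, max_d=3):
    """Average path probability per distance d; d > max_d is ignored, as in the text."""
    best = floyd_fault_paths(P)
    groups = {d: [] for d in range(1, max_d + 1)}
    for i in range(len(P)):
        for j in range(len(P)):
            d = best[i][j][0]
            if i != j and d <= max_d:
                groups[d].append(path_probability(best, i, j))
    return {d: sum(v) / len(v) if v else 0.0 for d, v in groups.items()}

if __name__ == "__main__":
    for d, avg in average_by_distance(P).items():
        print(f"d = {d}: average propagation probability {avg:.4f}")
```

Running the same function on the coupling matrices of two allocation schemes gives a per-distance comparison of the kind the text reports in Table 7.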
The hosted functions of the IMA system cover several systems with different safety criticality. According to Pareto's law [38], 80% of serious flight accidents originate from the fault of 20% safety-critical functions. Based on the function safety criticality calculated in Section 3.1, the node fault propagation impact factor, node relative importance, and fault propagation risk of resource modules servicing the top 20% safety-critical functions (F13 flight management computer function, F15 airplane condition monitoring function, F48 primary flight display+head up display, F12 thrust management, F45 engine indication and crew alerting system display, F21 propulsion fire protection system, F43 crew alerting, F18 landing gear actuation-nose wheel system) are analyzed, respectively.
The comparison in Figure 7 shows that the fault propagation impact factor of the resource modules serving safety-critical functions under the optimized resource allocation scheme is smaller than under the original allocation scheme of B787, indicating that the optimized scheme effectively reduces the fault propagation impact on the resource modules where safety-critical functions are hosted. As can be seen from Figure 8, the safety-critical functions of the IMA system in the optimized scheme are hosted on resource modules with low relative importance of nodes.

Table 4: Details about resource allocation in the optimization scheme (columns: resource modules 1L to 8L and 1R to 8R).

Resource modules with low node relative importance are more independent in the fault propagation network, avoiding unnecessary interactions with other resource modules and effectively reducing the impact of fault propagation originating from other resource modules. Figure 9 shows that the optimization scheme reduces the fault propagation risk of the resource modules servicing safety-critical functions, effectively ensures the reliable execution of the safety-critical functions of the IMA system, and reduces the potential risk caused by the coupling interaction of the IMA system resource modules.

Conclusion
This paper proposes a resource allocation method for the avionics system considering the fault propagation risk and realizes the optimization of the resource allocation scheme to reduce the fault propagation risk in the IMA system during the design phase:

(1) By analyzing the function-resource mapping relationship of IMA system, the connection between the resource allocation method and fault propagation risk is determined, the fault propagation risk model of IMA system is constructed, and the safety criticality of IMA system hosted functions is evaluated by applying the group analytic hierarchy process

(2) A resource allocation method for IMA system considering fault propagation risk is proposed to optimize the existing resource allocation method with the goal of reducing the fault propagation risk considering the resource capacity constraints

(3) The B787-based example validation shows that the proposed IMA system resource allocation method can adequately reduce the fault propagation risk of resource modules servicing the safety-critical functions and effectively ensure the reliable execution of the safety-critical functions.

This paper provides an idea to improve the safety of the IMA system at the design stage by optimizing the IMA system resource allocation method to reduce the fault propagation risk.

Data Availability
The data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest
The authors declare that they have no conflicts of interest.