Title: Complex Integrated Avionic Systems and System Safety

1
Complex Integrated Avionic Systems and System Safety
Presentation to Europe/U.S. International Aviation Safety Conference
Name: Ali Bahrami
Date: June 9, 2005
2
Trends in Avionics Integration and Complexity
[Timeline figure: 1980, 1990, 2000]
  • Integration of many avionics functions
  • Card-based processors in cabinet racks

3
Trends in Avionics Architectures
  • Huge increases in:
    • Functional integration.
    • Software size and complexity.
  • Shift in techniques for isolation/independence:
    • Traditionally, redundant features were completely
      isolated; now they communicate with each other.
    • High/low criticality functions were traditionally
      physically isolated from each other; now they share
      computing and databus resources.
  • Mix of new and reused (legacy) software.

4
Trends in Avionics TSO
  • TSOs (Technical Standard Orders):
    • Traditionally, TSOs were used for simple
      equipment (e.g. seat belts) and well-defined
      stand-alone functions (e.g. air speed
      indicator). Installation issues were minimal.
    • Now, TSO requirements cover only a small fraction
      of the designed functionality.
    • TSO functionality may be embedded in an
      integrated avionics suite ("functional TSO").
    • Vendors need TSOA (TSO authorization) to ship
      "brain-dead" hardware which doesn't comply with the
      full TSO requirements until it is installed and the
      software is loaded.

5
Trends in Avionics Engineering and Business
Practices
  • Increasing dependence on Commercial Off-the-Shelf
    (COTS) hardware and software. Examples:
    • Microprocessors (from the PC industry).
    • Operating systems (e.g. Windows).
    • Graphics processors (from the video game industry).
  • Changes in manufacturer-vendor relationships and
    responsibilities.
  • Global design and manufacturing of highly
    integrated avionics functions.
  • Shift from airframe manufacturer as
    designer/builder to integrator/assembler.

6
Certification Challenges
  • Integration and complexity:
    • Current processes (e.g. DO-178B/ED-12B for
      software) were developed with much simpler
      architectures in mind.
    • Experience is showing that there are complex and
      often unexpected connections between
      traditionally unrelated or independent functions,
      especially during failures.
    • Failures become more difficult to predict and
      diagnose.
    • It becomes less and less feasible to test all
      inter-related failure modes.
    • Fully integrated test facilities become more
      challenging and expensive to build and operate.

7
Certification Challenges
  • Software:
    • Software-based isolation and independence is much
      more fluid and difficult to assure than relying
      on hardware.
    • Mixing of COTS, reused, and new software, all
      developed by different processes and to different
      standards, makes assessing the safety issues
      much more difficult, especially in standardized
      ways.

8
Certification Challenges
  • Functional TSO:
    • Difficult to separate TSO issues from
      installation issues.
    • The TSO'd function may be part of the software that
      resides on a circuit card.
    • TSO compliance can only be assessed when the
      function is installed in the host system.
    • Even simple issues like part marking become
      complicated.
    • TSO change processes were not developed with
      these complex TSO packages in mind.
  • Engineering and business practices:
    • COTS products are not developed to traditional
      aviation standards.
    • Detailed certification data and knowledge often
      reside at the vendor rather than the manufacturer.

9
How the Authorities Have Responded
  • The authorities have already taken a number of
    actions to support recent IMA (Integrated Modular
    Avionics) trends and specific projects, including:
    • Development of an IMA AC (Advisory Circular) and TSO.
    • Development of an Order on software reuse.
    • Approval of functional TSOs.
    • Numerous DO-178B/ED-12B workarounds.
  • Additional relevant guidance is in work.
  • However, continued industry support is needed.

10
What is Needed to Support the Trend?
  • Current software certification methods did not
    envision modern IMA architectures, so we need new
    methods:
    • That are equally effective in ensuring safety.
    • While supporting the certification of IMA.
  • The current TSO process is not well-suited for
    embedded software functions, so we need new
    approaches to TSOA:
    • Which allow design and production approval for
      traditional TSO functions in IMA architectures.
    • While protecting the level of safety provided by
      type certification processes.

11
What is Needed to Support the Trend?
  • When manufacturers out-source development and
    test:
    • New processes for authority/manufacturer/vendor
      communication are needed.
  • Testing:
    • Testing of the IMA pieces will not find
      integration problems.
    • The actual airplane is not an adequate test
      environment for many IMA issues.
    • Full-scale integration test facilities may not be
      commercially viable.
    • Industry needs to help develop new approaches to
      integration testing that will find and
      characterize IMA problems before certification.

12
Authority-Industry Partnership
  • Cooperation is needed more than ever.
  • Traditional certification processes were
    developed to match past commercial practices.
  • The pace of change is increasing.
  • Industry will need to lead the effort to develop
    new methods of compliance.
  • New methods cannot just do less; they MUST
    preserve, and where possible improve, the level
    of safety.
  • Focus on safety-related issues, even though with
    IMA it is more difficult to separate what is or is
    not safety-related.

13
Summary and Future Perspectives
  • The authorities support industry's efforts to
    advance the technology.
  • Historic cooperation between the authorities and
    industry has been essential in developing viable
    and effective methods of compliance and safety
    assurance.
  • Cooperation is even more critical as we
    collectively support rapid technological advances
    while at the same time increasing the level of
    safety.
  • Potential broader issue: does the overall safety
    assessment process need to be revisited, to
    account for the migration of functionality (and
    failure conditions) from hardware to software?