Commercial Off-the-shelf (COTS) Integrated Circuits: Legends & Myths
Peter Skaves, FAA Software & Avionics Complex Hardware Conference, July 28, 2005

Transcript and Presenter's Notes

1
Commercial Off-the-shelf (COTS) Integrated Circuits: Legends & Myths
Peter Skaves, FAA
Software & Avionics Complex Hardware Conference
July 28, 2005
2
Briefing Objectives
  • COTS Integrated Circuits presentation overview
  • Aircraft Avionics Design Assurance Process
  • COTS Integrated Circuits Applicability
  • COTS Products Legends & Myths
  • COTS Integrated Circuits & Aircraft Computers
  • COTS Integrated Circuit Functional Hazard Assessment (FHA)
  • Redundancy & Fault Handling
  • Federated Systems vs. Integrated Modular Avionics
  • Built-In-Test Equipment (BITE)
  • Numerical Analysis Limitations
  • Discussion and wrap-up

3
Avionics Design Assurance Process
4
The Airplane System Design Assurance Process
(Diagram labels: VHF Antenna; SATCOM Antenna; OOOI / Security Sensor Input)
  • Examples of airplane systems certification rules and guidance
    • FAR 25.1301 General Requirements for Intended Function
    • FAR 25.1309 Equipment, Systems, and Installations
    • AC 20-115B invokes RTCA DO-178B Software Guidance
    • System Safety Assessment (SSA) Process (e.g., SAE ARP 4761, Guidelines and Methods for Conducting the Safety Assessment Process on Civil Airborne Systems and Equipment)

5
Aircraft Regulations for Integrated Circuits & Avionics Systems
  • FAR 25.1301(a) requires that each item of installed equipment be of a kind and design appropriate to its intended function
  • FAR 25.1309(a) requires that equipment be designed to ensure that it performs its intended functions under all foreseeable conditions

6
Aircraft Avionics Design Assurance
  • The certification process includes
    • System description of the intended function
    • Safety, Performance and Interoperability description
    • Functional Hazard Assessment (FHA)
  • The FHA is used in part to assess both normal operations and failure mode effects
  • The certification process for avionics systems includes numerical analysis of failure rates, which are expressed per aircraft flight hour
  • As an example, a failure classification of Major is equivalent to not more than one failure per 100,000 flight hours per aircraft

7
Use of COTS Integrated Circuits for the Planet
Aircraft Certification
8
COTS Integrated Circuits
  • Used in many commercial applications
    • Home Computers
    • Home Appliances
    • Television sets
    • Automobiles
    • Video Games
    • Pinball Machines
    • Medical Equipment
    • Cell Phones
    • Stereo Systems
    • Test Equipment
    • Airplanes
    • Trains
  • Manufacturers include
    • Texas Instruments
    • LSI Logic
    • Advanced Micro Devices
    • Motorola

9
COTS Products Legends & Myths
10
Definition of Legend
  • An unverified popular story handed down from
    earlier times
  • A body or collection of such stories

11
Definition of Myths
  • A fiction or half truth or one that forms part of
    the ideology of a society (e.g., Star Trek)

12
Avionics System COTS Integrity: Legend or Myth?
  • COTS hardware & software components embedded in aircraft avionics systems do not meet the intended function
  • Legend or Myth?

13
COTS Integrated Circuits Design Issues
  • Intended Function
  • Service History
  • Quantity of parts (e.g., mass produced or limited production)
  • Design mitigation(s) for fault handling
  • Revision update rate & configuration control
  • Failure effect classification
  • Reliability
    • Prediction of integrated circuit failure rates
    • Assessment of failure effect at the component and system level
  • Environmental Test Conditions and Test Procedures for Airborne Equipment (e.g., RTCA DO-160(x))
    • Integrated Circuit component level
    • Avionics System level

14
Integrated Circuits & Aircraft Computers
  • COTS versus Custom Integrated Circuits
    • COTS integrated circuits are those not specifically designed for aircraft applications (e.g., COTS microprocessors)
    • Approximately 95% of the integrated circuits used in airplane applications are COTS-based products
    • Custom integrated circuits (e.g., Application Specific Integrated Circuits (ASIC) and Programmable Logic Devices (PLD)) are specifically designed for aircraft applications
  • Hardware Life Cycle Data per RTCA/DO-254
    • In general, COTS integrated circuits do not have the life cycle data to satisfy the objectives in RTCA/DO-254
  • Summary: Alternate methods or processes to ensure that COTS integrated circuits perform their intended function and meet airworthiness requirements are required

15
Military Standard for Integrated Circuits
  • Military Specifications for Integrated Circuits
    • Generally address Environmental Conditions and Test Procedures for Airborne Equipment
    • Temperature, vibration, moisture, shock testing, etc.
    • Improved manufacturing standards and hardware reliability
  • Hardware Life Cycle Data per RTCA/DO-254
    • In general, integrated circuits developed to Military Standards do not have the life cycle data to satisfy the objectives in RTCA/DO-254
  • Summary: Alternate methods or processes to ensure that integrated circuits developed to Military Standards perform their intended function and meet airworthiness requirements are required

16
Custom Integrated Circuits
  • Application Specific Integrated Circuits (ASIC)
    • Custom integrated circuits that are usually developed and manufactured by a vendor for specific airplane applications
    • Usually RTCA/DO-254 and RTCA DO-160(x) compliant
    • ASIC integrated circuits are very expensive and may cost $1,000 or more per device
  • COTS Field Programmable Logic Devices
    • Avionics manufacturers typically buy and write programs for the programmable logic devices
    • Typical cost of these integrated circuits is $40
    • Avionics manufacturers are responsible for programming the devices and the associated costs
    • The programming process is usually RTCA/DO-254 compliant

17
COTS Graphical Processors (CGP)
  • May be used in Flight Deck Displays
  • The failure contribution of the CGP must be
    mitigated by system architecture for Hazardous or
    Catastrophic failure conditions
  • Mitigation strategy should include protection
    mechanisms and fault handlers
  • Loss of function should be mitigated by
    redundancy
  • Common mode failure conditions may require
    independent back-up systems
  • Wrap around and monitoring tests for output
    validation
  • Configuration management and part number control
  • RTCA/DO-254 may be used for custom CGP

18
COTS Graphical Processors Policy
  • The Transport Airplane Directorate has published an Issue Paper on means of compliance for Graphical Processors for a specific project
  • The Issue Paper was coordinated with Washington Headquarters and is consistent with the Advisory Circular for RTCA DO-254
  • Development of National Policy for CGP across all aircraft models is in progress

19
Integrated Circuit Functional Hazard Assessment
  • The airplane avionics system design must include a mitigation strategy for integrated circuit failures
  • Common-mode integrated circuit failures should be limited to a Major failure effect
  • Single point integrated circuit failures should be limited to a Minor failure effect classification
  • If single point or common mode integrated circuit failures are determined to be hazardous or catastrophic, then the design is not acceptable
    • Design does not meet FAR 25.1309

20
Avionics System Failure Classification Cost Impact
  • Functional Hazard Assessment (FHA)
    • Minor vs. Major failure classification (What's the big deal?)
    • Minor failure rate should not exceed one error per 1,000 flight hours
    • Major failure rate should not exceed one error per 100,000 flight hours
  • In summary
    • Major classification requires an improvement on the order of 100 times
    • Hazardous: multiply by another factor of 100
    • Catastrophic: multiply by another factor of 100
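
The threshold arithmetic on this slide, carried into a small C program. This is an added example and not part of the presentation: it takes a constructed per-hour component failure rate, converts it to a per-flight-hour probability for a single channel, a dual channel and a 2-of-3 voted triplex (assuming independent channels, i.e. no common-mode contribution), and reports the most severe classification each architecture could be accepted for against the limits stated here (Minor 1e-3, Major 1e-5, then a factor of 100 each for Hazardous and Catastrophic). All function and constant names are the example's own.

```c
/* Added example, not from the presentation: FHA numerical check in C.
 * Compares per-flight-hour failure probabilities of single, dual and
 * 2-of-3 triplex architectures against the classification limits the
 * slides give. The failure rate in main() is a constructed sample value. */
#include <stdio.h>

typedef enum { MINOR = 0, MAJOR, HAZARDOUS, CATASTROPHIC, NUM_CLASSES } fc_class_t;

/* Maximum acceptable probability of the failure condition per flight hour:
 * Minor and Major from the slides, then a factor of 100 per step. */
static const double fc_limit[NUM_CLASSES] = { 1e-3, 1e-5, 1e-7, 1e-9 };
static const char  *fc_name[NUM_CLASSES]  = { "Minor", "Major", "Hazardous", "Catastrophic" };

/* Probability that one channel with constant failure rate lambda (per hour)
 * fails during a one-hour flight. Uses the usual small-rate approximation
 * P = lambda * t with t = 1 h (the exact value would be 1 - exp(-lambda)). */
double p_single(double lambda)
{
    return lambda;
}

/* Dual channel where either channel can carry the function: both must fail.
 * Assumes independent channels, i.e. no common-mode contribution. */
double p_dual(double lambda)
{
    double p = p_single(lambda);
    return p * p;
}

/* 2-of-3 voted triplex: the function is lost when two or more channels fail.
 * Same independence assumption as above. */
double p_triplex_2of3(double lambda)
{
    double p = p_single(lambda);
    return 3.0 * p * p * (1.0 - p) + p * p * p;
}

/* 1 if a failure condition with this probability may carry the given
 * classification, 0 if the architecture is not acceptable for it. */
int meets_classification(double prob_per_hour, fc_class_t cls)
{
    return prob_per_hour <= fc_limit[cls];
}

/* Most severe classification the computed probability can support,
 * or -1 if the probability does not even meet the Minor limit. */
int worst_acceptable_class(double prob_per_hour)
{
    int best = -1;
    for (int c = MINOR; c < NUM_CLASSES; c++)
        if (meets_classification(prob_per_hour, (fc_class_t)c))
            best = c;
    return best;
}

static void report(const char *arch, double prob)
{
    int c = worst_acceptable_class(prob);
    printf("%-16s P = %.3e per flight hour -> acceptable up to: %s\n",
           arch, prob, c < 0 ? "none (fails Minor)" : fc_name[c]);
}

int main(void)
{
    /* Constructed value: a COTS device failing once per 10,000 hours. */
    double lambda = 1e-4;
    report("single channel", p_single(lambda));
    report("dual channel", p_dual(lambda));
    report("triplex 2-of-3", p_triplex_2of3(lambda));
    return 0;
}
```

With lambda = 1e-4 per hour the single channel clears only the Minor limit, which is the numerical reason the FHA slide limits single point failures to Minor; dual and triplex reach the Hazardous limit but not Catastrophic. The triplex figure is slightly worse than the dual one because 2-of-3 voting trades a little availability for the fault detection and isolation a voting plane provides. None of this counts common-mode failures, which is why the slides separately ask for independent back-up systems.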

21
Aircraft Avionics COTS Examples
  • Examples of COTS products used in aircraft avionics systems
    • COTS Hardware Components: Chassis Components, Connectors, Motherboard
    • COTS Integrated Circuits (e.g., Simple & Complex Devices, Firmware)
    • COTS Micro-Processors
    • Gate Arrays
    • I/O handlers
  • Historically, the failure contribution of COTS products has been addressed at the system level during the Aircraft Certification design assurance process
  • Fault handling, Fail Safe Designs, and Avionics Architecture should be used to mitigate COTS hardware failure conditions

22
Contributing Factors for Avionics Intended Function
  • There are many contributing factors to ensure that avionics systems meet their intended function
    • Airplane Requirements
    • System Requirements
    • System interfaces
    • System Architecture & Redundancy
    • Dissimilar Back-Up Systems
    • Hardware Components (e.g., integrated circuits)
    • Software programs
  • The software process by itself does not ensure that the avionics systems meet their intended function

23
Redundancy & Fault Handling
  • Avionics Hardware / Software Redundancy & Fault Handling
    • Typically dual or triple channel
    • Voting planes are used to detect and isolate failures in the various sensor and aircraft interface inputs
    • Built-in Test Equipment (BITE) software is used for internal computer validity checks (e.g., Memory, CPU)
  • Common mode failures may require independent back-up systems
    • Examples of independent back-up systems include Standby Flight Instruments or mechanical backup systems

24
Federated System Architecture
  • Single Strand
    • ACARS Communication System
  • Dual Redundancy
    • Flight Management Computers
  • Triplex Redundancy
    • Flight Control Systems
    • With independent Backup system

25
Federated Avionics Computer Architecture
  • Computer Architecture
    • CPU
    • Program Memory (e.g., Flight Control Software)
    • RAM Memory
    • Digital Busses (e.g., ARINC 429)
    • Discrete I/O
    • Variable Analog
    • Power Supply
    • Chassis
  • Strengths
    • Isolation of faults
    • Failure analysis and fault detection are enhanced
  • Weaknesses
    • Duplication of hardware resources
    • Dedicated airborne software program for each avionics computer

26
Integrated Modular Avionics (IMA) Computer Resource
  • Computer Architecture
    • CPU
    • Memory Management Units
    • RAM Memory
    • Digital Busses (e.g., ARINC 429)
    • Discrete I/O
    • Variable Analog
    • Power Supply
    • Chassis
  • Strengths
    • Shared Hardware Resources
    • Software programs are swapped and execute concurrently on the same computer platform
  • Weaknesses
    • Failure analysis, fault detection and isolation of faults are more difficult
    • Common mode fault vulnerability

27
IMA Notional Diagram
(Diagram labels: Flight Deck Displays; Multiple Application Programs; Shared Hardware Resources)
Example: TWO cabinets replace over 50 Federated Systems
28
Common Mode Failure Mitigation Examples
  • Boeing 777 Fly-by-Wire Flight Control architecture
    • Three digital Flight Control Computers
    • Analog back-up system to mitigate generic common mode faults
  • C-17 Cargo Airplane
    • Fly-by-Wire Flight Control System
    • Full Mechanical Back-up
  • Boeing 737/747/757/767 Series Airplanes
    • Do not require electric power for continued safe flight and landing, with the exception of the battery backup bus for the Standby Flight Instruments
    • Full mechanical backup Flight Control System

29
Built-in Test Equipment (BITE)
  • Examples of typical avionics BITE functions used to detect and mitigate system failure conditions
    • Power on (long power interrupt) BITE
    • Warm restart (short power interrupt) BITE
    • Continuous or periodic BITE
    • Initiated or maintenance BITE
  • BITE checks are designed to detect system errors, including COTS integrated circuit errors

30
BITE Test Case Examples
  • Random Access Memory (RAM) Tests
  • Program Memory (PMEM) Checksum Tests
  • CPU register tests
  • Analog Signal wraparound tests
  • Discrete Signal wraparound test
  • Digital data link activity and integrity checks
  • Airplane Interface checks
  • Cross Channel Data Link (CCDL) checks
  • Voting Plane checks
  • Signal Range checks
  • Signal Validity checks
  • Signal Activity checks
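
Two of the test cases listed above, the RAM test and the Program Memory (PMEM) checksum test, written out as an added C example that is not from the presentation and not any particular avionics computer's BITE. It runs against a small simulated memory so that a stuck-at-1 bit in one RAM cell and a one-bit corruption of the program image can be injected and shown to be caught. The memory model, the fault-injection hook, the image bytes and all function names are constructed for this example; the checksum is the standard reflected CRC-32.

```c
/* Added example, not from the presentation: power-on RAM pattern test and
 * PMEM CRC-32 test against a simulated memory with fault injection.
 * Memory model, image contents and names are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RAM_SIZE 64

/* Simulated RAM device; stuck_bits != 0 models stuck-at-1 bits at stuck_addr. */
typedef struct {
    uint8_t cell[RAM_SIZE];
    size_t  stuck_addr;
    uint8_t stuck_bits;
} sim_ram_t;

static uint8_t ram_rd(const sim_ram_t *r, size_t a)
{
    uint8_t v = r->cell[a];
    return (a == r->stuck_addr) ? (uint8_t)(v | r->stuck_bits) : v;
}

static void ram_wr(sim_ram_t *r, size_t a, uint8_t v) { r->cell[a] = v; }

/* RAM BITE: write and read back complementary patterns over the whole array,
 * then a walking one in every cell. It destroys contents, so it belongs in the
 * power-on (long power interrupt) BITE. Returns -1 on pass, else the first
 * failing address. */
long ram_bite(sim_ram_t *r)
{
    static const uint8_t patterns[] = { 0x55, 0xAA };
    for (size_t p = 0; p < sizeof patterns; p++) {
        for (size_t a = 0; a < RAM_SIZE; a++) ram_wr(r, a, patterns[p]);
        for (size_t a = 0; a < RAM_SIZE; a++)
            if (ram_rd(r, a) != patterns[p]) return (long)a;
    }
    for (size_t a = 0; a < RAM_SIZE; a++)
        for (int bit = 0; bit < 8; bit++) {
            uint8_t v = (uint8_t)(1u << bit);
            ram_wr(r, a, v);
            if (ram_rd(r, a) != v) return (long)a;
        }
    return -1;
}

/* Standard CRC-32 (reflected, polynomial 0xEDB88320), bitwise. */
uint32_t crc32(const uint8_t *data, size_t len)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Build-time step: append the CRC of image[0..body_len) as four little-endian
 * bytes, the way a program image is sealed. Returns the sealed length. */
size_t pmem_seal(uint8_t *image, size_t body_len)
{
    uint32_t c = crc32(image, body_len);
    for (int i = 0; i < 4; i++) image[body_len + i] = (uint8_t)(c >> (8 * i));
    return body_len + 4;
}

/* PMEM BITE: recompute the CRC over the image body and compare with the stored
 * value. Read-only, so it can also run as continuous/periodic BITE.
 * Returns 1 on pass, 0 on fail. */
int pmem_bite(const uint8_t *image, size_t len)
{
    if (len < 4) return 0;
    size_t body = len - 4;
    uint32_t stored = 0;
    for (int i = 0; i < 4; i++) stored |= (uint32_t)image[body + i] << (8 * i);
    return crc32(image, body) == stored;
}

/* Scenario helpers so the checks can be exercised without real hardware. */
long demo_ram(uint8_t stuck_bits)   /* 0 = healthy device */
{
    sim_ram_t r;
    memset(&r, 0, sizeof r);
    r.stuck_addr = 17;
    r.stuck_bits = stuck_bits;
    return ram_bite(&r);
}

int demo_pmem(int corrupt)          /* 1 = flip one bit of the image body */
{
    uint8_t image[20] = { 0xE5, 0x9F, 0x10, 0x00, 0xE1, 0x2F, 0xFF, 0x1E,
                          0x00, 0x10, 0x00, 0x20, 0xDE, 0xAD, 0xBE, 0xEF }; /* constructed */
    size_t n = pmem_seal(image, 16);
    if (corrupt) image[3] ^= 0x01;
    return pmem_bite(image, n);
}

int main(void)
{
    printf("RAM healthy: %ld   RAM bit 2 stuck in cell 17: %ld\n", demo_ram(0), demo_ram(0x04));
    printf("PMEM intact: %d   PMEM corrupted: %d\n", demo_pmem(0), demo_pmem(1));
    return 0;
}
```

The stuck-at-1 bit survives the 0x55 pass because that pattern already has the bit set; the complementary 0xAA pass is what exposes it, which is why both patterns are written. The RAM test is destructive and so fits the power-on BITE on the slide, while the checksum only reads program memory and can be scheduled as continuous or periodic BITE.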

31
Redundancy & Voting Planes
  • Redundancy & voting planes are the backbone of avionics system availability & integrity
  • 40% of certain Flight Control Computer software is BITE related
  • 20% of certain Flight Control Computer software is related to the voting plane
  • Triplex Flight Control Computers compare thousands of pieces of information per second
  • Architecture is designed to use different sensor, power and avionics computer inputs to eliminate single point failures
  • Internal & External BITE performs checks during all flight phases
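
A minimal triplex voting plane for one sensor parameter, as an added C example (not the presentation's code and not any specific flight control computer's). It implements mid-value select over three channels, counts consecutive miscompares against a tolerance, latches a persistently disagreeing channel as failed so it is excluded from later votes, and flags the output invalid when only two channels remain and they disagree. The tolerance, persistence count, input sequences and all names are constructed assumptions.

```c
/* Added example, not from the presentation: a triplex voting plane for one
 * sensor parameter. Mid-value select picks the output; a channel that disagrees
 * with the selection beyond the tolerance for PERSIST_FRAMES consecutive frames
 * is latched failed and dropped from later votes. All values are constructed. */
#include <stdio.h>

#define CHANNELS       3
#define PERSIST_FRAMES 3   /* consecutive miscompares before a channel is isolated */

typedef struct {
    int    miscompares[CHANNELS]; /* consecutive frames a channel disagreed with the vote */
    int    failed[CHANNELS];      /* latched: excluded until maintenance reset */
    double tolerance;
    double output;
    int    output_valid;
} voter_t;

void voter_init(voter_t *v, double tolerance)
{
    for (int i = 0; i < CHANNELS; i++) v->miscompares[i] = v->failed[i] = 0;
    v->tolerance = tolerance; v->output = 0.0; v->output_valid = 0;
}

/* Middle of three values: a single wild channel cannot drive the output. */
double mid3(double a, double b, double c)
{
    if ((a <= b && b <= c) || (c <= b && b <= a)) return b;
    if ((b <= a && a <= c) || (c <= a && a <= b)) return a;
    return c;
}

static double absd(double x) { return x < 0 ? -x : x; }

/* One voting frame: in[] holds the channel values, valid[] each channel's own
 * validity (e.g. from its BITE). Returns the number of channels that voted. */
int voter_step(voter_t *v, const double in[CHANNELS], const int valid[CHANNELS])
{
    double val[CHANNELS];
    int n = 0;
    for (int i = 0; i < CHANNELS; i++)
        if (valid[i] && !v->failed[i]) val[n++] = in[i];

    if (n == 3) {
        v->output = mid3(val[0], val[1], val[2]);
        v->output_valid = 1;
        int disagreeing = 0, which = -1;
        for (int i = 0; i < CHANNELS; i++)
            if (absd(in[i] - v->output) > v->tolerance) { disagreeing++; which = i; }
        /* Only an unambiguous single miscompare counts toward isolation; if two
         * channels are off, this frame cannot say which one is wrong. */
        for (int i = 0; i < CHANNELS; i++) {
            v->miscompares[i] = (disagreeing == 1 && i == which) ? v->miscompares[i] + 1 : 0;
            if (v->miscompares[i] >= PERSIST_FRAMES) v->failed[i] = 1;
        }
    } else if (n == 2) {
        /* Dual: average when they agree; a dual miscompare invalidates the output. */
        v->output = 0.5 * (val[0] + val[1]);
        v->output_valid = absd(val[0] - val[1]) <= v->tolerance;
    } else if (n == 1) {
        v->output = val[0];            /* degraded: single source, no cross-check */
        v->output_valid = 1;
    } else {
        v->output_valid = 0;
    }
    return n;
}

/* Scenario: channel 2 drifts; after PERSIST_FRAMES frames it is isolated and
 * the voter carries on with two channels. Returns the isolated channel index. */
int demo_isolate_drifting_channel(double *out_after)
{
    voter_t v; voter_init(&v, 0.5);
    const int ok[CHANNELS] = { 1, 1, 1 };
    const double good[CHANNELS]  = { 10.0, 10.1,  9.9 };
    const double drift[CHANNELS] = { 10.0, 10.1, 12.0 };
    const double later[CHANNELS] = { 10.0, 10.1, 15.0 };
    voter_step(&v, good, ok);
    for (int f = 0; f < PERSIST_FRAMES; f++) voter_step(&v, drift, ok);
    int isolated = -1;
    for (int i = 0; i < CHANNELS; i++) if (v.failed[i]) isolated = i;
    int n = voter_step(&v, later, ok);
    if (out_after) *out_after = v.output;
    return n == 2 ? isolated : -1;
}

/* Scenario: only two channels valid and they disagree; the output goes invalid. */
int demo_dual_miscompare_output_valid(void)
{
    voter_t v; voter_init(&v, 0.5);
    const int ok[CHANNELS] = { 1, 1, 0 };
    const double in[CHANNELS] = { 10.0, 11.5, 0.0 };
    voter_step(&v, in, ok);
    return v.output_valid;
}

int main(void)
{
    double out = 0.0;
    int ch = demo_isolate_drifting_channel(&out);
    printf("isolated channel %d, output after isolation %.2f\n", ch, out);
    printf("dual miscompare output valid: %d\n", demo_dual_miscompare_output_valid());
    return 0;
}
```

The persistence count is what keeps a single noisy sample from isolating a healthy channel, and the "exactly one disagreeing channel" rule is what keeps a frame in which two channels are off from isolating the wrong one. In a real flight control computer this logic runs per parameter and per frame, which is where the slide's figure of thousands of comparisons per second comes from.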

32
Numerical Analysis Limitations
  • We are unable to use mathematics to determine numerical probabilities for software or complex hardware failure rates
  • Failure rates are expressed per aircraft flight hour and do not include the software or complex hardware error contribution
  • Based on historical knowledge, avionics safety related errors are predominantly requirements based
  • Redundancy and back-up systems should be used to mitigate numerical probability limitations

33
Design Approval Process Summary
  • The aircraft avionics development process has produced an excellent safety record
  • However, the complexity of avionics systems and software programs is increasing exponentially (e.g., integrated modular avionics)
  • FAA should develop policy to aid in standardization of
    • Complex avionics systems and fault mitigation
    • Alternate methods or processes to ensure that COTS integrated circuits perform their intended function and meet airworthiness requirements
  • If single point or common mode integrated circuit failures are determined to be hazardous or catastrophic, then the design is not acceptable

34
Questions & Wrap-Up
  • Send your questions to me at peter.skaves@faa.gov
  • Telephone (425) 227-2795
  • Thank you for your assistance!!!