Safety Critical Avionics Certification: Changes and Challenges
The certification of computer hardware and software used in safety-critical aircraft systems is essential to the integrity of air transportation. The FAA and other civil aviation authorities have set a high bar for avionics safety and reliability, epitomized by RTCA guidelines such as DO-254 and DO-178C, which apply to electronic hardware and software, respectively. Within the safety-critical certification world, however, there have been changes and ongoing challenges. One change was the approval of the “C” version of DO-178, which consolidates and clarifies guidance on new technologies such as object-oriented programming (OOP).
Another is the evolution of certification processes to enable the use of complex multicore processors. Others are the advent of “safety-certifiable” commercial off-the-shelf (COTS) cards that bake in RTCA guidelines from the start and the gradual convergence of civil and military standards. In the more than five years since DO-178C was approved for use, many Level A projects have been completed, said John Mannarino, president and founder of Montreal-based Mannarino Systems & Software, a specialist in DO-178 and DO-254 software and hardware design and analysis. The Canadian firm has several DO-178C, Level A, projects to its credit.
Mannarino cites a real-time executive – essentially an operating system – and board support package for a gas turbine full authority digital engine control system for a Part 25 aircraft. He also notes a finding of compliance for Level A software for a Part 25 aircraft’s fly-by-wire flight control system. DO-178C, with its four new-technology supplements, is more voluminous than DO-178B “but I wouldn’t say that it’s imposed any new conditions that weren’t practically there before,” Mannarino said.
The newer technologies, such as formal methods, OOP languages, and model-based development, have been used for years on a certification-by-certification basis, but now all that guidance material has been consolidated and issued in standards documents.
While some critics have complained that the new technology supplements impose new restrictions, “my view is that the guidance has simply been formalized, and that transparency and clarity are good things,” Mannarino said. If there is any area a little lacking in clarity, it’s probably model-based development and verification, as there were so many interests that had to be balanced to come up with a consensus document, he said.
Collins Aerospace, meanwhile, has taken on a major challenge, the certification of multicore processing in a DO-254/DO-178C, Level A, flight deck display system for a civil helicopter program. The avionics company expects to obtain a TSO for the three-and-a-half-year-old project in 2019. It will be the first to certify a multicore IC with full civil certification and with all the cores operational, said Harold Tiedeman Jr., a technical fellow with Collins Aerospace.
Working directly with the FAA on this project, “we felt that being the first would be the best position to be in because you’re all figuring it out together,” he said. In addition to the RTCA guidelines, Collins is “certifying against CAST-32A for the multicore-unique certification objectives,” he said. CAST — the Certification Authorities Software Team — is an international group of certification and regulatory authority representatives, according to the FAA. The company decided to go for the “general use case,” where flight-critical applications may be running together with mission-critical or non-critical applications on the same core or the same processor. Since this certification project will seed many other projects at Collins, “we wanted to make sure it was applicable to any use case,” Tiedeman said.
Among the challenges with these ICs is the interference introduced when applications running on multiple cores share resources such as cache, memory controllers and the on-chip communications fabric. The applicant for certification has to identify every interference channel, measure or bound its worst-case effect, and show that the flight-critical software still meets its timing requirements deterministically on the multicore processor when the other applications and their interference are present.
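The timing side of that argument is usually built from measurements: the critical task is timed alone on the processor, then timed again while an “aggressor” workload on the other cores saturates one shared resource at a time, and the worst observed execution time per channel is compared against the task’s timing budget. The script below is an added illustration of that bookkeeping; it is not code from the article, from Collins Aerospace or from any CAST-32A project. The channel names, the microsecond samples and the 230 µs budget are all constructed for the example.

```python
"""Interference-channel timing analysis for a multicore WCET argument.

Added example, not from the article or from any certification applicant.
All timing samples below are constructed (microseconds) to show the method:
time the critical task alone, then under a worst-case aggressor on each
shared resource, and bound the task's WCET by the worst channel observed.
"""
from dataclasses import dataclass

# Constructed measurements of one flight-critical task's execution time
# with the other cores idle ("solo"). In a real campaign these come from
# a cycle counter or trace unit over many thousands of iterations.
SOLO_US = [118, 121, 119, 123, 120, 122, 119, 124]

# Constructed measurements of the same task while an aggressor workload on
# the other cores hammers one shared resource. Channel names are assumed
# for illustration; the real list comes from the processor's architecture
# analysis.
CONTENDED_US = {
    "shared L2 cache":     [170, 183, 176, 191, 168, 188, 179, 195],
    "DRAM controller":     [205, 232, 219, 248, 211, 240, 226, 252],
    "interconnect/fabric": [139, 147, 142, 151, 138, 149, 144, 153],
}


@dataclass
class ChannelResult:
    channel: str
    wcet_us: int        # worst observed execution time under this aggressor
    factor: float       # contended WCET divided by solo WCET
    within_budget: bool


def observed_wcet(samples):
    """High-water mark of the measured execution times."""
    if not samples:
        raise ValueError("no timing samples")
    return max(samples)


def analyze_channel(channel, solo, contended, budget_us):
    """Bound one interference channel and compare it to the timing budget."""
    solo_wcet = observed_wcet(solo)
    contended_wcet = observed_wcet(contended)
    return ChannelResult(
        channel=channel,
        wcet_us=contended_wcet,
        factor=contended_wcet / solo_wcet,
        within_budget=contended_wcet <= budget_us,
    )


def analyze_all(solo, contended_by_channel, budget_us):
    """Analyze every channel, worst offender first."""
    results = [analyze_channel(ch, solo, samples, budget_us)
               for ch, samples in contended_by_channel.items()]
    results.sort(key=lambda r: r.wcet_us, reverse=True)
    return results


def worst_case_summary(results, budget_us):
    """The certified WCET must cover the single worst channel; a negative
    headroom means the task cannot be scheduled as-is and the channel needs
    mitigation (e.g. partitioning or bandwidth regulation) or a new budget."""
    worst = results[0]
    return {
        "worst_channel": worst.channel,
        "wcet_us": worst.wcet_us,
        "factor": round(worst.factor, 2),
        "meets_budget": worst.within_budget,
        "headroom_us": budget_us - worst.wcet_us,
    }


if __name__ == "__main__":
    BUDGET_US = 230  # constructed timing budget for the task
    for r in analyze_all(SOLO_US, CONTENDED_US, BUDGET_US):
        status = "OK  " if r.within_budget else "FAIL"
        print(f"{status} {r.channel:<20} WCET={r.wcet_us:>4} us  x{r.factor:.2f}")
    print(worst_case_summary(analyze_all(SOLO_US, CONTENDED_US, BUDGET_US), BUDGET_US))
```

With the constructed samples the DRAM-controller aggressor roughly doubles the task’s execution time and breaks the 230 µs budget while the cache and fabric channels stay within it, which is the shape of result that forces an applicant to either mitigate that channel or re-budget the task before the determinism argument can close.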
Safety-certifiable COTS cards — with guidelines such as DO-254 and DO-178 built in from the start — have generated buzz in the aerospace market, as this approach can save development time and money. Curtiss-Wright Defense Solutions has been on top of this trend for several years, said Rick Hearn, the company’s senior product manager of safety certifiable solutions.
As part of this effort, Curtiss-Wright and Mannarino Systems & Software have set up a cost and revenue sharing partnership, under which the Canadian firm performs DO-178C software and DO-254 firmware activities on the respective components of Curtiss-Wright’s COTS safety-certifiable boards, Mannarino explained. The idea of safety-certifiable COTS is to make hardware — with supporting artifacts and analysis — commercially available, Hearn said. These parts also can be certified under TSO-C153 for integrated modular avionics hardware elements, which reduces risk going into higher-level certifications, Hearn said. Boards that are designed from scratch using RTCA guidelines can be brought to market in one to two years, depending on the complexity of the card, he said.
One of these cards, the VPX3152 single board computer, is slated to be released with Level A artifacts in 2019. While it costs Curtiss-Wright 25 to 30 percent more to design and develop a board to DO-254 guidelines than to develop a board without the accompanying artifacts and analysis, the company amortizes these additional costs over multiple customers and provides integrators an up to five-fold savings as well as reduced risk and time to market, he added. If there is a tradeoff in the safety-certifiable COTS world, it’s that some of the COTS components may not be the smallest possible size and weight, Mannarino said. Because they are COTS components, they “haven’t been optimized completely for an application.” But the upside is that they are ready, available, and affordable.
One trend in the safety certification business is the military’s willingness to recognize DO-254, a civil aviation standard, Hearn said. “They’re saying, if it’s good enough for commercial, it’s good enough for us – at a certain level.” The military tends to have a more “top-down, holistic” safety approach, whereas DO-254 and DO-178 are more prescriptive, process-intensive standards. But military and civil safety-critical certification standards are converging, to some degree.
Although the military has been accepting the use of commercially derived standards for years, the U.S. Air Force’s highest certification document explicitly references DO-254 and DO-178 as “means of compliance,” said Paul Hart, Curtiss-Wright chief technology officer. This shift reflects in part the military’s need to use certain civil-certified equipment — ADS-B transponders and RVSM-compliant altimeters, for example — when flying in commercial airspace as a result of programs like the FAA’s NextGen. The military provides its own airworthiness approvals for its aircraft, Collins’ Tiedeman said. But then they have to go ask the FAA or EASA to let them fly in their airspace. So the more closely the military follows guidelines that the civil authorities are familiar with, the easier they make it for the civil authorities to approve. The military, however, also has airworthiness standards that go above and beyond civil requirements, such as resistance to corrosive gas and gunfire, Hart pointed out.
Among the challenges ahead are ensuring data security, accommodating technologies such as massively parallel graphics processors and artificial intelligence, and controlling costs. Security technology is an area of growing importance, Mannarino said. A lot of scrutiny is being given to what the “ports of entry” into aircraft systems are, how data can be compromised, and what system protocols are necessary to protect the data. Mannarino Systems & Software has engaged with universities “to de-risk security requirements implementations for both its internal product development and customers’ applications,” he added.
Users are analyzing their systems and aircraft to determine whether enough is being done or “whether they need an additional layer of protection.” Multicore processors are hard enough to certify, but what about graphics chips with thousands of cores? Those components have to be approached at a higher level, Tiedeman said. You have to “create the right monitoring of the device … to make sure it’s doing what you expect it to do.”
As for AI and machine learning, it’s probably not going to be DO-178C, he said. “You would need another standard or process altogether, [perhaps] more of a statistical model.” Maybe aviation could leverage some of the functional-safety work being done in the automotive industry, such as ISO 26262, he said.
“I’d say the biggest challenge with DO-178 is cost,” Mannarino said. The thoroughness of the process, aimed at identifying and eliminating software errors, makes the cost of running a DO-178 program high. Additionally, the rapid pace of change in hardware, tools, technologies, and business practices (such as outsourcing) sometimes makes it difficult to get a set of metrics that can be agreed to as a basis for further improvement, he said.
Outsourcing has increased over the past 20 years and has evolved during this period from short-term staffing expansions to a focus on cost, featuring outsourcing to low-cost countries.
“Sometimes the cost-cutting mentality has been overdone in the short term and certain programs have suffered from low quality and failed certification audits,” Mannarino said. “Outsourcing is still extremely relevant in the world of safety-critical software,” he said. Results can be “extremely positive” for all parties involved, “but I would caution that due diligence is required to ensure that the reasons for outsourcing are clear, that due diligence is performed on the supplier, and that the timeframe for success is realistic.”