Avionics safety certification for UASs must juggle security, multicore, mission challenges

Military and commercial aviation communities are pushing for stricter certifications of unmanned aerial systems (UAS), known colloquially as drones, as the national airspace system (NAS) becomes more congested. A crowded NAS means increased danger of underdeveloped, undercertified UAS flying alongside manned aircraft. Meanwhile, the use of multicore processors in both manned and unmanned aircraft has risen, but certification and security concerns continue to pester the aviation community.

The genie is out of the bottle when it comes to unmanned aircraft flying in the national airspace. Government regulation will forever be playing catch-up, but it is critical that the regulators and avionics designers stay ahead of the game when it comes to certifying the software and hardware on unmanned aircraft as they have done with manned platforms, especially in the area of certifying multicore technology.

Industry officials are seeing a push toward ensuring that both manned and unmanned aircraft follow similar – if not the same – safety procedures. Unfortunately, unmanned system certification continues to lag even as more UAS take to the skies. To address the situation, the aviation community is increasingly looking at using DO-178/DO-254 certifications.

“I’m old enough to remember the first personal computers and people’s reactions: ‘It’s cool but there’s no software and it won’t serve a practical purpose,’” says Vance Hilderman, chief technical officer, AFuzion Inc. (Los Angeles, California). “That view lasted a few years until a tipping point was reached and computer usage exploded. We’re now at that same tipping point with unmanned systems. The FAA [Federal Aviation Administration] and EASA [European Union Aviation Safety Agency] have made great strides recently coalescing on workable standards. Obviously, the new ADS-B mandates and applying ADS-B Out to more UAVs is helping also. And the larger unmanned producers are now finally applying similar safety/reliability standards as for smaller manned aircraft (e.g., Part 23, which covers performance-based safety standards), so that is greatly increasing both aircraft and operational reliability.”

DO-254 certification has become even more of a requirement. David Mead, president and CEO, Holt Integrated Circuits (Mission Viejo, California), says: “The military has become more interested in DO-254 certification in the last three to five years, primarily driven by the need to share commercial airspace and provide a design assurance level (DAL) similar to the commercial aircraft industry. All safety or mission-critical systems are typically certified to DAL A, the highest assurance level, where a failure condition would be catastrophic, preventing continued safe flight and landing.”

Quite frankly, the challenges are significant: “DO-178 and DO-254 are guidelines for developing safe software and firmware in the scope of safe systems,” says George Graves of Mercury Mission Systems, a unit of Mercury Systems (Andover, Massachusetts). “These documents have been built with industry and government collaboration over decades.”

The safety-certification stats speak for themselves: “The current safety record is a testament to the amount of vision and effort that has gone into providing this guidance,” he continues.

While the aviation community has decades of experience in flying, certifying, and keeping the skies safe, some view it as a necessity to certify unmanned systems via DO-254/DO-178. In other words, unmanned systems need to quickly and efficiently play the catch-up game – all for the sake of safety.

Of course, the challenge remains in “updating the safety assessment and certification process to support that level of safety without a man in the loop,” Graves adds. “To support the transformation to unmanned systems – doing what we can do today with the safety we have today – will take many more decades with the methods and the guidance that are in place. Therefore, an additional significant challenge we face is the acceleration of these processes while still allowing the use of the more complex technologies required to support autonomy.”

Automation will help the process, but the problem persists that “unmanned systems now face the need to certify to DO-254 and DO-178 in a way not initially considered by UAS manufacturers,” says Dan Joncas, vice president of sales and marketing for CoreAVI (Tampa, Florida). “The wide variation in the size of UASs from large systems such as Global Hawk down to hand-launched platforms means that there is a huge variation in both the certification requirements and in the hardware available due to increased space, weight, and power constraints over those typically found in manned aircraft. This means, for instance, that typical hardware form factors used for manned aircraft may be impractical for smaller UASs, which may also place constraints on the software that can be supported.” (Figure 1.)

Figure 1: A TrueCore commercial off-the-shelf (COTS) graphical processor software safety monitor library is designed to assist users to reach DAL A certification of graphics without the need for diverse GPU architectures. Photo courtesy of CoreAVI.

Small drones have been a point of concern since the December 2018 incident at London’s Gatwick airport, in which a small drone stopped hundreds of flights. After such events, where “civil air traffic was disrupted for days at Gatwick airport – one of the largest in Europe – by a small UAS, appropriate certification and control of UAS use is only likely to become more important,” Joncas adds. “Similarly, the nascent air taxi market means that we are now looking at man-carrying UASs with no pilot control. Israel is pioneering this work for military programs.”

Adding to the dilemma, a UAS must have certain built-in capabilities in order to operate safely, including the ability to avoid collisions. “Collision avoidance is still a major hurdle for UASs in commercial airspace without a line-of-sight pilot or no pilot at all; trusting non-line-of-sight flight is going to be required for commercial needs,” says Gary Gilliland, technical marketing manager for DDC-I Inc. (Phoenix, Arizona). “This capability will allow the commercial market to explode – not literally – inasmuch that there are a lot of moneymaking opportunities for UAS in the commercial market.”

In addition to avoiding objects in the sky, drones need “to identify incoming aircraft and act accordingly. This is a pilot requirement that now has to be software-driven, which leads to new systems based on sense-and-avoid technologies,” says Ray Petty, vice president, Aerospace & Defense, Wind River (Alameda, California).

Each of these capabilities has to be certified. “The actual process of following DO-254 and DO-178 remains the same,” Petty explains. “The difficulty now moves to a higher level as you flow down system requirements in order to type-certify unmanned aircraft. This in turn flows down hardware and software requirements to the subsystems. This flow down would identify the system requirements and safety levels for subsequent certification.”

Security headaches in military and commercial drones

Security is also a major issue for the aviation community. Some concerns include, in particular, the idea “that the software you intend to be running on the avionics systems is all that is running on the system,” Gilliland says. “This capability is typically referred to as secure boot and secure upgrade. There are many ways to do this, but we are seeing that hardware vendors are adding capabilities in the hardware to assist in this effort.”
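To make the “only the intended software runs” property concrete, here is an added example (not code from DDC-I, any vendor quoted here, or any real avionics image format) of the two checks a secure-boot loader performs before handing control to a firmware image: authenticate the whole image, then refuse anything older than the anti-rollback floor so a “secure upgrade” cannot be undone by re-flashing an old, vulnerable build. The image layout, the `FWIM` magic and the 32-byte device key are all constructed for this example. For brevity it authenticates with HMAC-SHA256 under a device-bound symmetric key; production secure boot normally verifies an asymmetric signature against a public key (or its hash) burned into ROM or one-time-programmable fuses, so the aircraft carries no signing secret at all, and the rollback floor lives in a hardware monotonic counter rather than a Python variable.

```python
"""Minimal secure-boot image check (added example, constructed format).

Image layout, assumed for this example only:
  magic (4 bytes) | version (u32 big-endian) | payload length (u32 big-endian)
  | payload | tag (32-byte HMAC-SHA256 over everything before the tag)
"""
import hashlib
import hmac
import struct

MAGIC = b"FWIM"                 # constructed identifier, not a real vendor format
HDR = struct.Struct(">4sII")    # magic, version, payload length
TAG_LEN = 32                    # HMAC-SHA256 output size


class BootError(Exception):
    """Raised when the loader must refuse to run the image."""


def build_image(key: bytes, version: int, payload: bytes) -> bytes:
    """Producer side: pack header + payload and append the authentication tag."""
    body = HDR.pack(MAGIC, version, len(payload)) + payload
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


def verify_image(key: bytes, image: bytes, min_version: int) -> tuple[int, bytes]:
    """Loader side: return (version, payload) only if the image is authentic
    and is not older than the anti-rollback floor `min_version`."""
    if len(image) < HDR.size + TAG_LEN:
        raise BootError("image truncated")
    body, tag = image[:-TAG_LEN], image[-TAG_LEN:]

    # Authenticate before trusting any header field, and compare in constant time.
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise BootError("authentication failed")

    magic, version, length = HDR.unpack_from(body)
    if magic != MAGIC:
        raise BootError("bad magic")
    payload = body[HDR.size:]
    if len(payload) != length:
        raise BootError("length mismatch")

    # Secure upgrade: a valid but older image is still refused (anti-rollback).
    # In hardware this floor is a monotonic counter that only ever increases.
    if version < min_version:
        raise BootError(f"rollback: version {version} < {min_version}")
    return version, payload


def demo() -> dict:
    """Run the loader against a good image, a tampered one and a rollback attempt."""
    key = bytes.fromhex("00" * 32)          # constructed device key, example only
    floor = 5                               # constructed anti-rollback floor

    good = build_image(key, 7, b"flight-control-v7")
    tampered = bytearray(good)
    tampered[HDR.size] ^= 0x01              # flip one payload byte after signing
    old = build_image(key, 3, b"flight-control-v3")   # authentic but too old

    results = {"good": verify_image(key, good, floor)[0]}
    for name, img in (("tampered", bytes(tampered)), ("rollback", old)):
        try:
            verify_image(key, img, floor)
            results[name] = "accepted"
        except BootError as err:
            results[name] = str(err)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The order of checks is the security-relevant detail: the tag is verified over the entire header and payload before any header field is parsed, so an attacker cannot steer the loader with a crafted version or length, and the rollback check runs only on images that have already proven authentic.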

“Military customers typically have additional security requirements, such as antitamper and interaction with mission systems,” Petty adds. “These additional requirements can have an impact on the overall safety boundary and in some cases need to be included in the safety certification activities.”

Companies have started to add more capabilities to help counter malicious threats within mission systems; even further, AFuzion offers training on the DO-326A/ED-202A security ecosystem.

“Aviation cybersecurity via the new DO-326A/ED-202A document set is exploding, with worldwide certification authorities insisting on compliance and the aircraft/avionics development and operational ecosystem quickly trying to cope with workable solutions,” Hilderman says. “Finally, Agile software development is being increasingly embraced as aviation suppliers try to cope with ever-faster schedules and changing system requirements; we’re finally seeing acceptance of what I call ‘MA’ for ‘Mostly Agile’ development in our previously staid development frameworks.”

Certifying multicore

Just when you thought safety certification couldn’t get any more complicated, along comes multicore technology.

“The trends – or, really, recurring questions – that always arise within the broader aviation community are: ‘When will certification of multicore processors be routine?’ and ‘When will we have an approach to certify higher degrees of complexity such as autonomous or even intelligent systems?’” Mercury’s Graves says. “The industry has spent thousands of man-years to certify true multicore processors operating in multicore safety-critical modes.”

Hard work pays off, however, and users will see the effects of multicore processors in commercial aircraft by 2019 or 2020, Graves adds. “While this may be a trend as defined by a future direction, most computers produced today and for many years have been multicore.”

Just by looking at the history, users can get a glimpse of how long it takes to produce aviation safety-critical systems. “In fact, it has been 18 years since IBM first introduced the POWER4 multicore processor,” Graves continues. “Since it has taken so long to certify the complexity of multicore processing, there has been a lot of working-group discussion to examine alternative means of certification, with the hope of accelerating and enhancing the certification process. This should reduce the time required to gain safety-critical certification for very complex systems [including for military use].”

In addition, “Integrated modular avionics (IMA) continues to drive safety systems, bringing benefits including consolidation of mixed-criticality systems onto a common hardware platform and minimized cost of change through standardized modules and separation through partitioning,” says Ray Petty, vice president, Aerospace & Defense, Wind River (Alameda, California). “This has many advantages over fixed-functionality, single-application systems. Multicore adds more computing power to this architecture, potentially allowing even processor-intensive applications to run in a mixed-criticality system; however, this increases the burden of proof for safety for the platform provider and the application developer.”

Certifying multicore processors has the potential to not only reduce the time to market, but also lower the cost associated with certifying aircraft. As multicore processors edge out their legacy counterparts, certifying unmanned systems continues to be a challenge.
