Multicore processors and unmanned aircraft trending in avionics safety certification circles

5Avionics safety certification – for software and hardware – is increasingly seen as an ongoing evolving process, reflected in the enhancements to standards such as DO-178C. This long-term understanding is enabling avionics experts to account for complex situations in certification standards such as the growth of multicore processors, avionics computing, and the role of safety certification in unmanned aircraft systems (UASs).

"Certification is finally being correctly perceived as a life-of-product activity, where lives are measured in decades, not months or years like consumer products," says Vance Hilderman, director of global services for Vector Software (www.vectorcast.com). "Certification is increasingly seen as an ecosystem of systems and operations, instead of application to single system boundaries. This certification ecosystem theme permeates all certification."

This is reflected in the demands from "our customers, [who] are asking for integrated, one-stop-procurement solutions and tighter integration of tools for both development and verification, including traceability and verification," Hilderman says. "They want to ensure 20-plus year viability, with the lowest possible lifetime costs, not necessarily the cheapest one-time solution that won't work tomorrow," he continues. "Vector Software's VectorCAST tools cover the full suite of software testing to promote continuous-based testing."

Tighter integration requirements and development of certification ecosystems are also related to the popularity of the agile development process.

"A number of companies, including Wind River, have moved from a more conventional software-design methodology of building software, testing it, and releasing it, and more monolithic ways that tend to take longer, the updates tend to occur at a slower rate; now they've adopted what's called an agile model of development where these customers can release functionality almost on a monthly basis," says Joe Wlad, senior director of product management for Wind River (www.windriver.com). "You can do incremental updates to software, you can build a product foundation, and the objective there is to give your customers more functionality more quickly.

"The agile process is now being adopted in safety-critical design, and there are some restrictions of course that have to take place but it requires more tooling, more testing, more analysis, and more of a thought process if you're to use an agile development model," Wlad continues.

"Now we also want to have massively parallel testing, which is really cool," Hilderman says. "It used to take days to execute all the tests on a single computer, so every time you make a change you'd spend days retesting. Well, now, we can farm it out automatically on the Internet, to 100, 500, 1,000 different servers that emulate that avionics system and what used to take two days to test can now be done in two minutes, because it's using a thousand different servers to speed up the work."

processors and

Faster speeds are also a feature of multicore processors, which have brought many performance advantages to not only military avionics applications, but also to radar, electronic warfare, and intelligence, surveillance, and reconnaissance (ISR) applications. However, the complexity of the devices necessitates more verification and testing, which add to an already complex certification process when it comes to avionics systems.

"Probably the most prevalent trend today is the need to adopt multicore silicon for use in safety-critical designs. This has been a trend that's been going on for the last five years, but one of the challenges when you use a multicore part is it's very difficult in some cases to understand the complete behavior of those parts because they're so complex, there's so much functionality that's substantiated in the part that it brings about a lot more scrutiny, a lot more tests, and a lot more verification when trying to deploy that part in a safety-critical platform," Wind River's Wlad says. "Some of the customers are wary to adopt multicore silicon for that reason.

"[However], in this past year there's been a couple of things that have happened that I think will finally move us in a positive direction and one of those things is the FAA [Federal Aviation Administration] released some guidance called CAST-32 on some of the criteria and objectives that would apply if one wants to use multicore silicon in safety-critical designs," Wlad continues. The CAST-32 document, written by a team of industry and FAA personnel, is a foundation upon which to judge all applicants, he adds.

"We're seeing a real strong desire to be able to certify multicore capability on both ARINC 653 and MIL applications. Again, I think the common theme here is more complex systems and having a desire for multicore," says Wayne McGee, vice president of sales and general manager of North American operations for Creative Electronic Systems (CES) (www.ces.ch). "CES is pulling a lot of cases where you would normally have a purpose-built, single box for each function, but now customers want to combine these functions into a multicore processor in a single box." The ultimate goal for customers is to be able to make more complex systems but still have them be certifiable, he adds.

"People are looking for easier ways to do the multicore certification and there are a number of techniques out there," McGee continues. "I hear that this year we're liable to start to see some multicore certifications. The rumors in the industry are too rampant and too consistent to not be based in truth. I just think it's going to be a very interesting time."

Design complexity always influences certification standards. "Classically, complexity and newness of the technology is the enemy of trying to get a DAL-A certification, so we are seeing people who are wanting to push forward to get much newer circuitry certified at higher DAL levels," McGee says. CES has a primary flight control unit that is DAL-A and DO-254 certified and is currently shipping (see Figure 1).

21
Figure 1: The Primary Flight Control Unit from CES is DO-254 DAL-A certified.
(Click graphic to zoom)

Along these lines there is "a trend toward distributed intelligent sensors with an increasing focus on ARM processors that offer a high degree of I/O integration on chip," says DDC-I's technical marketing manager, Gary Gilliland (www.ddci.com). Companies are finding this trend useful because having the device drivers in user space enhances the reliability and code reuse, plus it simplifies the certification process, according to Gilliland.

The future of unmanned aircraft in national airspace

Managing complexity may be an understatement when it comes to determining the path to safety certification for unmanned aircraft systems (UAS) platforms in the national airspace.

Although there are still no solid ground rules from the FAA pertaining to UASs in the national airspace, the FAA has committed to having a roadmap ready later this year, DDC-I's Gilliland says.

"As a result, we are seeing increasing interest in companies developing UASs moving from an in-house or -based environment to a COTS DO-178 RTOS environment. There is a lot of interest in the ARM SoC [system-on-chip] platforms in this space because they have extreme requirements for minimum SWaP," he continues.

Wind River is getting inquiries from both large- and small-scale unmanned developers for DO-178 compliance, Wlad says. "So even though the FAA hasn't come out with policy, it seems to be trending in that direction and the developers are starting to prepare themselves for ultimately complying with FAA certification rules. That means from a software point of view, compliance with DO-178, and we're seeing that on that are less than five pounds all the way up to a few thousand pounds. It's running the gamut of almost every size of vehicle you could think of."

Of course, the FAA has many valid concerns regarding allowing unmanned aircraft into the crowded national airspace. One of these concerns deals with collision-avoidance capabilities, "since the USA has vastly more private, general-aviation aircraft flying in crowded skies and those aircraft usually do not have TCAS (collision-avoidance) systems," Hilderman says.

Without knowing exactly what the FAA will require, it's difficult to anticipate what the next move should be. "We're trying to make sure we've got a path to get to certifiability, but at this point in time we don't exactly know what's going to be required," McGee says. "The thing that people sometimes overlook is that if you're not looking at the system at a top-level design, it's difficult to go in and then piecemeal figure out how you're going to get safety certifiability on each part," he explains.

This relates to a wider trend where "we're seeing a lot of customers that used to get waivers for DO-178 and DO-254 are now saying that ‘we don't think we're going to get a waiver on this next program, and so therefore we need a pass to certification,'" McGee continues. "I have a number of competitors who have advertised that they have ‘certifiable' boards, but not ‘certified' boards. They're saying it's ‘certifiable' but if you ask them who is flying it as a certified unit, they can't answer you. That's where there really is a large barrier to enter into this market from a cost standpoint, both in dollars and in hours of engineering."