Multicore, COTS certification, open architecture the hot topics at European avionics event

Discussions on safety certification, certifying commercial off-the-shelf (COTS) hardware and software to Design Assurance Level – A (DAL-A), and leveraging open architecture standards for avionics took place among embedded computing suppliers attending the Aviation Electronics Europe show and its sister conference the Avionics & Space Testing Expo – both held this spring in Munich.

[In the interest of full disclosure, it should be noted that I am a member of the Advisory Committee for both events.]

In the main session of the Aviation Electronics Europe conference, Alex Wilson of Wind River shared how the Future Airborne Capability Environment (FACE) open architecture standard can apply to European avionics systems development: “It provides an opportunity for non-U.S. suppliers to [go for] U.S. programs,” Wilson said in his presentation. Understanding FACE, and complying with it, is particularly important as many U.S. aircraft programs may either require FACE in the future or at least show a path for upgrading to FACE-compliant systems, he added.

Wilson went on to say that the number of alternative standards is small and that FACE is well-suited for adoption by NATO, as it is becoming a de facto standard with U.S. adoption.

FACE enables reuse of software components, which is also beneficial to those manufacturers and designers who need to meet such safety-certification requirements as DO-178B/C and DO-254. Safety certification was extensively covered at the event, including an entire workshop covering safety certification and multicore.

“The use of multicore processors has shifted from a study phase and into initial development phases,” says Laurent Meilleur, Vice President of Strategic Markets for DDC-I, Inc., in Scottsdale, Arizona. “There is a mix of multicore technologies, where RTOS [real-time-operating system] vendors are taking different approaches and relying upon different technologies – which may greatly influence the performance and level of certification challenges for these RTOS users. These technical differences, along with processor use and other factors, are the reasons why we are seeing a shift in jockeying amongst the RTOS vendors in avionics industry.”

The multicore shift is also driving growth among suppliers of COTS RTOSs.

“The reasoning is simple,” Meilleur continues. “First, multicore in safety-critical requires the systemwide management of processor and resource management. Second, it is very hard for even the largest avionics companies to create a business case that would support the development costs, risks, and lifetime burdens of developing a multicore RTOS environment on their own.”

The multicore activity is also helping drive the push toward certifying COTS hardware to DAL-A, which has not always been a popular choice.

“Just ten years ago it was difficult to certify civil avionics software using C++, but today that’s been resolved via DO-332,” says Vance Hilderman, CEO of safety-critical engineering consulting firm AFuzion, Inc. “Similarly, many systems are DAL-A, which requires redundancy to achieve. That redundancy is more likely to have common single-point failure areas when relying solely on unique customized solutions each time. One answer is COTS. From the new multi-core DAL RTOSs to fully integrated single-board computers, COTS components are on the increase even for DAL-A.”

Sometimes the objection to COTS at DAL-A depends on the civilian authority; Europe and the U.S. have slightly different methodologies regarding some hardware components – such as FPGAs – and whether the components are being certified on military versus civilian aircraft.

“In the European Union (EU), it is commonplace for military systems to require formal certification – where in the U.S. it is rare for military systems to truly mandate the formal certifications processes,” Meilleur says. “On the commercial side, there are only minor differences between the EU and the U.S. Much of Asia (e.g., China, South Korea, India, etc.) is expanding its certification experience and knowledge at a very high rate. It is interesting to note that as a whole, the Asian countries are very progressive in using higher-level languages, test tools, and the like.”

“Asia is mostly copying the U.S., but EASA [European Aviation Safety Agency] has gradually – for its strongest focus which is civilian by far – adopted a more conservative stance toward DO-178C and DO-254 interpretation, whereas the FAA has become more accommodating in some areas,” Hilderman says. “This trend continues, with the FAA examining new ‘Overarching Conditions’ which may in the near future provide U.S. avionics developers various forms of credit for proven experience and histories.”

Globally, safety certification is evolving as the avionics become complicated and embrace more commercial software and hardware standards, creating more challenges for safety certification compliance.

“The avionics development ecosystem is undergoing massive changes,” Hilderman says. “The core documents are relatively unchanged but the systems, safety, and verification process are being continually refined and reinterpreted to North American and European standards.”