Next-gen aviation systems see push for automation, multicore processors in the certification process

As the complexity of aviation systems rises, certifying safety-critical systems in manned and unmanned aircraft has pushed engineers towards automation and working in parallel to increase the efficiency of the process. Multicore processors are playing a major role in this push, along with added tools to ease the process. However, challenges remain as the Federal Aviation Administration (FAA) and European Aviation Safety Agency (EASA) work toward streamlining the process.

The complexity of systems has grown exponentially over the years, pushing the industry to look for ways to make the process more efficient.

In fact, “The sheer complexity of next-generation systems is demanding that suppliers need to provide more than raw hardware and software to systems integrators – they also need to provide safety certification artifacts to enable the rapid integration and certification testing of systems,” says Chip Downing, senior director of the aerospace and defense unit at Wind River in the San Francisco Bay area.

In response, designers are using automated tools to ease the certification process in unmanned and manned aircraft. “The use of automated tools in the life cycle of a system is a dramatic change,” says George Romanski, president and CEO of Verocel, Inc. in Westford, Massachusetts. That’s because “the standards require a very rigorous approach to certification. You have to produce requirements and review those requirements, produce design, review the design, produce code, review the code, and so on. In a typical system, we’ll have thousands of artifacts and these artifacts have to be developed and they have to be reviewed and we have to make sure that these requirements are sound and fit well to each other.”

Managing that volume of artifacts by hand is becoming unrealistic. “Keeping an Excel spreadsheet of the massive number of requirements and derived requirements is very cumbersome and tedious,” says Rick Hearn, product manager at Curtiss-Wright Defense Solutions in Ottawa, Canada. “Any automation that you can put in place through software tools to be able to trace all of those requirements, both up and down through the life cycle, the better off you are.”

Designers are certifying safety-critical systems in phases: “What most people are trying to do is to start working in parallel so you can have requirements, you may have five thousand requirements, and a thousand of them might be ready so you can start implementing those, but another four thousand are still being developed, and while you’ve developed the design, now you can start doing implementation,” Romanski explains. “In other words, you start overlapping these processes and if you manage the information very tightly, then it’s possible to make this process much more efficient. To do this, it requires use of a database, it requires linking that database to a configuration control system, and it requires a very tight baseline.”

The process also requires automated authentication, he adds. “People can now review within the database and you can maintain the whole development process for the whole project, and you can have distributed teams working on this concurrently.”

“The magnitude of the testing that has to be done on these systems because of the complexity is growing exponentially and there has to be automation for that testing,” says Scott Engle, director of business development at Mercury Mission Systems, in Tucson, Arizona. “There’s no way that one could do this manually.”

Romanski explains that Verocel’s VeroTrace manages and controls all life cycle data including requirements, design, source code, test cases, results, documents, and more. More importantly, VeroTrace manages the states of each life cycle data item and provides traceability links between each item to satisfy a number of standards including DO-178C, IEC 61508, and ISO 26262. (See Figure 1).
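The two jobs described above, tracing every requirement both up and down the life cycle and tracking the review state of each item so that the approved subset can move forward while the rest is still being written, can be illustrated with a small script. The following is an added example written for this page; it is not VeroTrace or any vendor's code, the item kinds (HLR, LLR, CODE, TEST), the state names, the required-trace rules and the sample data set are all constructed assumptions chosen to resemble a DO-178C-style life cycle.

```python
"""Bidirectional traceability and item-state checks over a small
life-cycle data set.

Added example, not the code of VeroTrace or any vendor tool. It shows
what a traceability database has to verify before a baseline is cut:
every requirement traces down to design, code and tests, every lower
item traces up to a parent (or is a justified derived requirement),
and no item moves forward without review. All data below is constructed.
"""
from collections import defaultdict

# Downstream artifact kinds each kind of item must be traced to by.
# Assumed simplification of a DO-178C-style flow: high-level
# requirements (HLR) need low-level requirements (LLR) and tests,
# LLRs need code and tests.
REQUIRED_CHILDREN = {
    "HLR": {"LLR", "TEST"},
    "LLR": {"CODE", "TEST"},
    "CODE": set(),
    "TEST": set(),
}

# Allowed state transitions (assumed workflow): nothing is baselined
# unless approved, and any edit after approval drops the item back to
# draft so it is reviewed again.
TRANSITIONS = {
    "draft": {"in_review"},
    "in_review": {"draft", "approved"},
    "approved": {"baselined", "draft"},
    "baselined": {"draft"},
}

# Constructed sample: item id -> (kind, ids of the items it traces up to).
ITEMS = {
    "HLR-1": ("HLR", []),
    "HLR-2": ("HLR", []),
    "LLR-1": ("LLR", ["HLR-1"]),
    "LLR-2": ("LLR", ["HLR-2"]),
    "LLR-3": ("LLR", []),            # derived requirement, justified below
    "LLR-5": ("LLR", []),            # orphan: no parent, no justification
    "CODE-1": ("CODE", ["LLR-1"]),
    "CODE-2": ("CODE", ["LLR-3"]),
    "CODE-3": ("CODE", ["LLR-2"]),
    "TEST-1": ("TEST", ["HLR-1"]),
    "TEST-2": ("TEST", ["LLR-1"]),
    "TEST-3": ("TEST", ["LLR-4"]),   # dangling link to an item that does not exist
    "TEST-4": ("TEST", ["LLR-3"]),
}
DERIVED = {"LLR-3": "timer granularity dictated by the selected hardware"}


def trace_report(items=ITEMS, derived=DERIVED):
    """Return a sorted list of traceability findings; empty means clean."""
    children_kinds = defaultdict(set)   # item id -> kinds of items that trace to it
    findings = []
    for iid, (kind, parents) in items.items():
        for parent in parents:
            if parent not in items:
                findings.append(f"{iid}: dangling link to {parent}")
            else:
                children_kinds[parent].add(kind)
        # Upward trace: every non-HLR item needs a parent or a derived justification.
        if not parents and kind != "HLR" and iid not in derived:
            findings.append(f"{iid}: no upward trace and not justified as derived")
    # Downward trace: every item must be covered by the kinds its level requires.
    for iid, (kind, _) in items.items():
        for needed in sorted(REQUIRED_CHILDREN[kind]):
            if needed not in children_kinds[iid]:
                findings.append(f"{iid}: no downward trace to {needed}")
    return sorted(findings)


def transition(state, new_state):
    """Apply one state change, refusing anything the workflow forbids."""
    if new_state not in TRANSITIONS[state]:
        raise ValueError(f"cannot go from {state} to {new_state}")
    return new_state


def ready_for_next_phase(states):
    """Items whose review is complete, so dependent work (design, code,
    tests) can start on them while the rest of the set is still being written."""
    return sorted(iid for iid, s in states.items() if s in ("approved", "baselined"))


if __name__ == "__main__":
    for line in trace_report():
        print(line)
    sample_states = {"HLR-1": "baselined", "HLR-2": "in_review", "LLR-1": "approved"}
    print("ready:", ready_for_next_phase(sample_states))
```

Run as-is, `trace_report()` flags the gaps a reviewer would have to hunt for by hand in a spreadsheet: a requirement with no test, a low-level requirement with no parent and no derived-requirement justification, and a test that points at a requirement that was deleted or renamed. The state table is what lets work overlap safely: only items that have passed review are returned by `ready_for_next_phase`, and an edit to an approved item forces it back through review rather than silently changing a baseline.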

Figure 1: Verocel’s VeroTrace database can be exported to a DVD ROM that allows hyperlinked browsing of all data and documents. Courtesy of Verocel.

The rise of the multicore processor

The enabling factor will be the use of multicore processors. The move away from single-core processors and towards working in parallel has grown over the years to the point that “there is an interest to certify processors for safety applications,” says Greg Tiedemann, Director, PLM & BD, Mission Systems Group, Mercury Systems, in New York City. “From a safety perspective, it’s easier to certify when you just have one processor. It’s a bit more challenging when you have multiple processors working on the same application. The demand for that really is pretty straightforward. You see it in other markets as well and in other parts of Mercury. We’ve adopted multicore because of the efficiencies that you gain in processing and power and just general SWaP [size, weight, and power] requirements. You can do a lot more in a smaller space.”

“The trend is toward multicore, but it’s also a trend for much higher complexity in the systems,” Engle clarifies. “Back when we had federated aircraft design there were single-purpose, special-purpose boxes located throughout the aircraft, and now with consolidation and Integrated Modular Avionics (IMA) onto a much smaller number of pieces of equipment, and now adding multicore on top of that, these systems are getting incredibly complex. With that complexity is just a lot more potential for error.”

The industry has struggled to create viable multicore safety solutions for the past ten years. “We have struggled because we have tried to apply the same test and examination processes we used in single-core processors to multicore designs,” Wind River’s Downing explains. “When using a single-core processor, that memory management unit (MMU) was very good at creating memory-protected partitions; when coupled with a robust scheduling foundation, this was a low-risk path to certification.

“In multicore environments, the use of an MMU on one to many cores simply cannot manage all of the resources that need to be controlled in a safety-critical solution,” he adds. “In the future, multicore safety solutions must use a capability called ‘hardware assist.’ This capability creates and manages all resources for virtualized partitions/containers/virtual machines (VMs) that cannot be done reliably by software alone. Hardware-assisted virtualization creates another, more powerful, more reliable, more encompassing separation environment that resolves many of the issues with trying to use MMU-based separation and processor/driver controls of single-core systems.”

In spite of this progress, “the use of multicore processors is not quite ready for deployment, because of a number of challenges,” Tiedemann states. “However, there’s generally a lot of interest in it. I think it’s a significant trend in the market that we’re tracking very closely to make sure that we’re ready to take advantage of it when the solutions are there to support it.”

“Hardware-assisted virtualization creates an opportunity to do more,” Downing points out. “First, it adds an execution envelope that controls the processor and board resources so operating systems (OSs) running in these virtual machines can run as if they control the entire processor. This virtual machine can also be allocated on one to many cores, providing another level of separation and abstraction.

“Additionally, each core can use the MMU for separation of tasks/threads on each core, creating multiple levels of separation,” he adds. “Virtual machines also enable the use of unmodified guest-OS execution environments, enabling the insertion of both embedded and enterprise OSs, like , on a shared compute platform. Finally, with virtual machines controlling and separating the computer/board resources, this technology creates very good packaging for supporting mixed safety-criticality environments, providing hardware-controlled access to shared board/devices.”

A holistic approach to streamlining the process

The growing interest in using automated tools and multicore processors comes at a time when increasing numbers of unmanned aircraft are taking to the national airspace.

To keep certification tractable, the Federal Aviation Administration (FAA) and the European Aviation Safety Agency (EASA) are working to streamline the process. “There is a trend for an increase in FAA and EASA alignment,” Hearn states. “They’re calling it ‘harmonization.’ What we’ve seen in the past is that the EASA and the FAA have much the same set of rules for certification but they tend to differ in their implementation. Increasingly, though, we’re seeing rules being harmonized through the standards bodies and through some of the meetings that they have between the two certifying bodies.”

The FAA has “a set of overarching principles that they’ve been discussing to streamline the overall certification process,” Romanski says. “They’re looking at it from a more holistic perspective and more of a system perspective rather than the very prescriptive rules that they set out in DO-178B and DO-254.”

The process began about a year and a half ago with a group of people working for the FAA, EASA, and other certification agencies. “We are developing a new streamlined approach for certification,” he adds. “This is only a start and the current version was published in September, and we are continuing to refine it, but this is a process where we are trying to meld together the system standard, ARP4754A; the software standard for DO-178C; and the complex hardware standard for DO-254.

“Together the overarching properties will try to meld the essence of the other standards so that you can develop certification evidence using these overarching properties, instead of the traditional ones like DO-178C. It’s still in the early stages, but this way gives users more flexibility on how to approach certification,” Romanski says. “The other approach the FAA is taking is trying to work out a risk-based software certification process, especially for the smaller aircraft, the general-aviation aircraft. What the FAA has found is that in these general-aviation craft, there are new devices coming onboard, which should be certified because they are safety-critical; the problem now is currently you can either fly without these devices, or you can put these devices on the plane to make the small planes safer.”
