
Savunma Sanayii Müsteşarlığı (Undersecretariat for Defence Industries, SSM)
Quality, Test and Certification Department

SOFTWARE APPROACHES for INTERACTIVE COCKPIT DISPLAY SYSTEMS and their CERTIFICATION
ARINC 653 / DO-178C and ARINC 661
Conference
30 November 2012, Ankara

ARINC-653 and Virtualization Concepts for Safety-Critical Systems
Alex Wilson, Wind River, Director, EMEA Aerospace and Defence


Date: 30 November 2012
Time: 09:00-17:45
Venue: SSM Sosyal Tesisleri (SSM Social Facilities)

PROGRAM:
09:00 - 09:10  Opening and speeches
09:10 - 09:30  Challenges Facing Aerospace and Defense Suppliers
               Alex Wilson, Wind River Director, Aerospace and Defence
09:30 - 11:00  ARINC-653 and Virtualization Concepts for Safety-Critical Systems
               Alex Wilson, Wind River Director, Aerospace and Defence
11:00 - 11:15  Tea/coffee break
11:15 - 13:00  Getting Ready for DO-178C
               Bernard Dion, Ph.D., Esterel Technologies Chief Technical Officer
13:00 - 14:00  Lunch break
14:00 - 15:00  Introduction to ARINC 661 Standard: Cockpit Display System Interfaces to User System
               Vincent Rossignol, Esterel Technologies Product Marketing Manager
15:00 - 15:15  Tea/coffee break
15:15 - 17:30  An Implementation of ARINC 661 Standard
               Vincent Rossignol, Esterel Technologies Product Marketing Manager
17:30 - 17:45  Closing remarks, questions and answers

Registration: event@tektronik.com.tr

Guarantee of the best

ARINC-653 and Virtualization Concepts for Safety-Critical Systems

Why virtualize?
- Consolidation (merging or reducing several systems)
- Performance (increase speed and functionality in an existing system)
- Separation (split existing functionality for safety and/or security)

| 2012 Wind River. All Rights Reserved.

Virtualization and Partitioning

[Diagram: Virtual Machine 1 (Application 1 on Guest Operating System 1) and Virtual Machine 2 (Application 2 on Guest Operating System 2) run on a Virtual Machine Monitor (Hypervisor), which sits on a single- or multi-core processor and arbitrates the cores, memory and devices.]

Avionics Consolidation Trend

[Diagram: three generations of avionics platforms]
- 1980s, federated systems: one box, one function, one OS, one safety/security level
- 1990-2000, Integrated Modular Avionics: one board, multiple functions, one OS, multiple safety/security levels
- 2010+, multi-core integration: one die, multiple functions, multiple OSs, multiple safety/security levels (applications on a virtualization layer over several cores)

Virtualization and Avionics

[Diagram: avionics buses (ARINC 429/629, ARINC 664, MIL STD 1553, SAE AS6802) connect Integrated Modular Avionics (IMA) computers and federated avionics computers]
- IMA computers host: Flight Management, Mission Computer, Displays (ARINC 661), Navigation, Engine Monitoring, Fire Control, Stores Management, Targeting Computer
- Federated avionics computers: Inertial Reference System, Flight Controls, HUD/HDD (ARINC 661), Engine Controls, Weapons Controls, Sensor Systems

Federated and Integrated Modular Avionics

Federated
- Advantages: high performance; independence of design and certification; well-understood methodology; established supply chain
- Challenges: greater size, weight, and power (SWaP) requirements; each function is a separate LRU; less software reuse; less portability, less modularity; cannot scale into larger platforms

IMA
- Advantages: lower SWaP requirements; multiple functions on a single LRU; better software reuse and refresh; better portability and modularity; more efficient platform certification
- Challenges: greater complexity of system integration; greater complexity of design and certification; less experienced supply chain

[Diagram: a federated design with Radar, Flight Management and Graphics each on its own computer, versus an IMA design with Flight Management, Radar and Graphics as partitions under time and space partitioning on an ARINC 653 operating system, connected over ARINC 429]

ARINC 653 for Integrated Modular Avionics
- Goal: reduce size, weight, and power (SWaP) requirements
- ARINC 653: industry specification for Integrated Modular Avionics (IMA)
  - Includes an API of 56 routines
  - Time and space partitioning
  - Inter- and intra-partition communications (IPC)
  - Health monitoring (error detection and reporting)
- ARINC 653 OSs and applications are typically certified to DO-178C / ED-12C
- RTCA/DO-297: Integrated Modular Avionics Development, Guidance and Certification; a shared set of flexible, reusable, and interoperable hardware and software resources

[Diagram: Integrated Modular Avionics (IMA) with Flight Management, Radar and Graphics partitions under time and space partitioning on an ARINC 653 operating system]

VxWorks 653 DO-178C and ED-12C
Level A Certification Evidence Package
- Plan for Software Aspects of Certification (PSAC)
- Software Quality Assurance Plan
- Software Configuration Management Plan (SCMP)
- Software Development Plan (SDP)
- Software requirements standards
- Software design standards
- Software coding standards
- Software Verification Plan (SVP)
- Software Requirements Specification (SRS) (7,000 requirements)
- Software Design Document (SDD)
- Software Life Cycle Environment Configuration Index (SECI)
- Traceability Matrix
- Software Development Folder
- Design reviews
- VxWorks 653 source files and binary code
- Code reviews (40,000 LOC)
- Test reviews (7,500 tests)
- Functional tests (270,000 LOC)
- Coverage results (object level)
- Software Accomplishment Summary (SAS)
- Tools Qualification Documents (TQD): Test Harness for VxWorks 653; VerOcode, VerOLink, VeroSource-A, VeroTrace; WindSH
- 2.9GB sealed DVD with certification artifacts and more than 70,000 hyperlinked files

VxWorks 653: The Avionics Platform of the Future
- First flight: December 2010
- FAA certification: September 2011
- GE Common Core certified to DO-178B Level A
- Eliminated over 100 different LRUs
- 17 Boeing suppliers, dozens of teams
- DO-297 used for multi-vendor integration / re-use
- November 2012: VxWorks 653 leads the IMA industry with over 270 projects, used by over 150 customers in over 55 aircraft
Photo by LongBachNguyen.com

The ARINC 653 standard
- ARINC 653 Specification first published: Jan 1997
- ARINC 653P1-3 (Part 1 Supplement 3, Required Services): Oct 2010
  - ARINC 653 partition management
  - Cold start and warm start definition
  - Application software error handling
  - ARINC 653 compliance
  - Ada and C language bindings
- ARINC 653P2-2 (Part 2 Supplement 2, Extended Services): Jun 2012
  - Including File System, Logbook, Service Access Points
- ARINC 653P3 (Part 3, Conformity Test Specification): Oct 2006
  - Supplement 1 in progress
- Added ARINC 653 Part 4 (Subset Services): Jun 2012
- New proposals:
  - Part 0: Overview of APEX Services
  - Part 5: Non-API Related O/S Capabilities (working title)

ARINC 653 Scheduling
- Standards-based virtualization approach
- "Virtual machine" approach as described in DOT/FAA/AR-99/58, Partitioning in Avionics Architectures: Requirements, Mechanisms and Assurance, by John Rushby
- Virtualization enables applications to run on partition OSs

[Diagram: Partition 1 and Partition 2, each with its own partition OS, are dispatched in fixed time slices (Partition 1 time slice, then Partition 2 time slice) along the time axis]

IMA in the Real World - Lessons Learned
- IMA systems can be extremely complex:
  - Large number of applications: 10+
  - Large application: 2,000,000+ lines of code, 4-8 MBytes
  - Large configuration data: 50,000+ configuration entries
- Complexity must be managed to be successful
  - Roles and responsibilities have to be defined
  - Role activities have to be decoupled
- Development cycles are shorter and shorter
  - Cost of change must be low
  - Introducing a change should have a low impact, even during the certification cycle
  - Must be scalable

So what is DO-297 / ED-124?
- Integrated Modular Avionics (IMA) Development Guidance and Certification Considerations
- Purpose: "...provides guidance for IMA developers, integrators, applicants, and those involved in the approval and continued airworthiness of IMA systems. It provides specific guidance for the assurance of IMA systems as differentiated from traditional federated avionics"
- Results of joint US/EU study RTCA SC-200 and EUROCAE WG-60
- Defines roles and responsibilities: Certification Applicant, System Integrator, Platform Provider, Application Developer
- References RTCA DO-178B (EUROCAE ED-12B) and ARINC 653

Certification of IMA system
From DO-297: six tasks define the incremental acceptance of IMA systems in the certification process:
- Task 1: Module acceptance
- Task 2: Application software or hardware acceptance
- Task 3: IMA system acceptance
- Task 4: Aircraft integration of IMA system including validation and verification
- Task 5: Change of modules or applications
- Task 6: Reuse of modules or applications

Key implementation and certification challenges:
- How to change application or configuration entities without affecting the entire system? Without requiring re-testing or re-certification of other independent entities
- How to reuse applications from one IMA project on the next IMA project? Without having to re-write and re-test the entire application

Benefits of incremental certification
- Development of applications independently
- Ability to modify an application
- Re-use of applications

DO-297/ED-124 certification stakeholders
- Certification Authority: organization that grants approval on behalf of the state(s) responsible for the aircraft/engine certification
- Certification Applicant: responsible for demonstrating compliance to applicable aviation regulations; seeking TC, Amended TC, Supplemental TC or Amended STC
- System Integrator: integrates the platform and applications to produce the IMA system; system configuration, resource allocation, IMA V&V
- Platform Supplier: provides processing hardware and software resources (including the core software); specifies interfaces, shared resources, configuration tables; platform V&V
- Application Supplier: develops hosted applications and verifies them on the platform; specifies external interfaces and resource requirements of the application

Independent software delivery / DO-297

[Diagram: four application suppliers (Supplier 1 to Supplier 4) deliver the Flight Management Application (Level A), Radar Application (Level B), Graphics Generator Application (Level C) and Display Application (Level D), each on its own partition OS (ARINC 653, POSIX, VxWorks or Ada/Java) in user mode. The IMA System Integrator owns the XML configuration data. The Platform Supplier delivers the VxWorks 653 Application Executive (kernel mode), the Architecture Support Package (ASP), the Board Support Package (BSP) and the hardware.]
XML Table Generator for Review of Configuration Data for Credit

[Diagram: the Platform Supplier contributes platform data, each Application Supplier (Nav, FMS, Display) contributes an XML config file and XML tables, and the System Integrator feeds them through an XML compiler/checker (a DO-178 qualified development tool) together with the XML business rules. The tool generates the schedule tables and the health monitor (HM) tables for each application, which reviewers, DERs and certification authorities can examine for credit.]
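The scheduling slide and the configuration-review flow above both rest on a checker that applies business rules to the XML configuration before a reviewer sees it. The block below is an added example, not Wind River's XML compiler/checker and not the VxWorks 653 schema: it parses a constructed module configuration (element and attribute names are assumptions) and reports violations of three rules a reviewer would expect enforced: partition periods must divide the major frame, partition windows must neither overlap nor run past the major frame (time partitioning), and partition memory regions must be disjoint (space partitioning).

```python
# Added example, not Wind River's XML compiler/checker and not the VxWorks 653
# schema: a minimal rule checker for an ARINC 653-style module configuration.
import xml.etree.ElementTree as ET

# Constructed sample configuration (assumed element/attribute names). Time
# values are in milliseconds, memory values are hexadecimal byte addresses.
SAMPLE_XML = """
<Module majorFrame="100">
  <Partition id="1" name="FMS" level="A" period="50" memBase="0x10000000" memSize="0x100000"/>
  <Partition id="2" name="Nav" level="B" period="100" memBase="0x10100000" memSize="0x80000"/>
  <Partition id="3" name="Display" level="C" period="100" memBase="0x10140000" memSize="0x80000"/>
  <Window partition="1" offset="0" duration="20"/>
  <Window partition="2" offset="20" duration="30"/>
  <Window partition="1" offset="50" duration="20"/>
  <Window partition="3" offset="70" duration="40"/>
</Module>
"""

def check_config(xml_text):
    """Apply the business rules; return the list of violations ([] = pass)."""
    root = ET.fromstring(xml_text)
    major = int(root.get("majorFrame"))
    parts = {p.get("id"): p for p in root.findall("Partition")}
    errors = []
    # Rule 1: a partition period must divide the major frame, otherwise the
    # cyclic schedule cannot repeat that partition's windows consistently.
    for pid, p in parts.items():
        if major % int(p.get("period")):
            errors.append(f"partition {pid}: period does not divide major frame")
    # Rule 2 (time partitioning): windows name a known partition, stay inside
    # the major frame and never overlap an earlier window.
    windows = sorted((int(w.get("offset")), int(w.get("duration")), w.get("partition"))
                     for w in root.findall("Window"))
    prev_end = 0
    for offset, duration, pid in windows:
        if pid not in parts:
            errors.append(f"window at {offset}: unknown partition {pid}")
        if offset < prev_end:
            errors.append(f"window at {offset} (partition {pid}) overlaps previous window")
        if offset + duration > major:
            errors.append(f"window at {offset} (partition {pid}) exceeds major frame")
        prev_end = max(prev_end, offset + duration)
    # Rule 3 (space partitioning): partition memory regions must be disjoint.
    regions = sorted((int(p.get("memBase"), 16), int(p.get("memSize"), 16), pid)
                     for pid, p in parts.items())
    for (base1, size1, pid1), (base2, _, pid2) in zip(regions, regions[1:]):
        if base1 + size1 > base2:
            errors.append(f"memory of partition {pid1} overlaps partition {pid2}")
    return errors
```

On the constructed sample the checker reports two violations: the Display window runs 10 ms past the 100 ms major frame, and the Nav and Display memory regions overlap.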

New FAA Policy: Reusable IMA Components
- Advisory Circular AC 20-170*, October 2010: Integrated Modular Avionics Development, Integration, Verification and Approval Using RTCA DO-297 and TSO C153
- Technical Standard Order C153**: IMA Hardware Elements
- Allows for reuse of previously accepted IMA components: applications, OSs and hardware
- Software accepted by the FAA as meeting DO-297 objectives across IMA platforms
- Allows for portability of certification effort to other products without full re-verification of unmodified software components

* http://www.faa.gov/regulations_policies/
** http://rgl.faa.gov/Regulatory_and_Guidance_Library/rgTSO.nsf/Frameset?OpenPage

IMA Acceptance Supports Multiple Approvals by Reducing Time/Effort

[Diagram: an IMA cabinet with applications, TSO C153 hardware and VxWorks 653; the same hardware and OS are reused in different configurations, and certified applications are approved in different configurations using VxWorks 653]

What is Multi-Core?
- Architecture where a single physical processor contains the core logic of two or more processors
- Packaged into a single integrated circuit (IC) called a die
- Can also refer to multiple dies packaged together
- Multi-core enables the system to perform more tasks with greater overall system performance

Why use Multi-core in Avionics?
- Embrace the future!
- Demand for more power
- Pervasiveness of multi-core silicon
- Virtualization for multi-OS designs
- Ability to separate applications
- Security and safety separated too

Multicore configurations

[Diagram: five configurations]
- Traditional: one OS on a single core
- Core Virtualization: several OSs on a hypervisor on a single core
- SMP: one OS spanning Core 1 and Core 2 of a multi-core processor
- Unsupervised AMP: one OS on each core, no hypervisor
- Supervised AMP (sAMP): one OS on each core, with a hypervisor underneath both cores

Safety & multicore
- Consolidation of safety-critical applications through IMA; ARINC 653 dominant
- Consolidation of uni-processor systems onto multicore
- Suitable approaches for safety-critical multicore systems:
  - SMP. Pros: attractive model. Cons: loss of determinism in a multicore environment
  - AMP. Pros: can be used with a hypervisor to partition shared resources and support multiple applications at different levels of criticality. Cons: still need to prevent coupling through shared resources

Typical Single Core Architecture - ARINC 653

[Diagram: in user mode, the Flight Management Application (Level A), Radar Application (Level B), Graphics Generator Application (Level C) and Display Application (Level D) each run on their own partition OS (ARINC 653, POSIX, VxWorks or Ada/Java). In kernel mode the VxWorks 653 Application Executive, driven by XML configuration data, sits on the Architecture Support Package (ASP) and Board Support Package (BSP), which cover the CPU, Ethernet, GPU, memory and other I/O.]

Multi-core: Electronic Flight Bag Use Case

[Diagram: four server applications of different criticality on a hypervisor over three cores: App 1 (DO-178 Level A) on VxWorks, App 2 (DO-178 Level C) on Linux, App 3 (DO-178 Level E) on an OS TBD, and App 4 (DO-178 Level E) on Android; the hypervisor mediates Core 1, Core 2 and Core 3 plus the Ethernet, GPU and flash devices.]

Typical IMA Design: Hardware and Software

[Diagram: typical hardware modules (power supply, CPU and memory, data bus, I/O) and typical software modules (real-time executive, built-in test, on-board maintenance system protocol, I/O processing, application), grouped into common hardware, application-specific hardware, common software and application-specific software, connected over a back plane. Shaded areas show potential shared resources.]

Safety Considerations
Some challenges to multiple criticalities:
- No policies and guidance
- Different multi-core implementations
- Shared caches: loss of determinism, cross-channel coupling
- Shared bus contention: loss of determinism, cross-channel coupling
- Exception redirection: exceptions may be directed to one core
- Time management: clock interrupt may be directed to one core

VxWorks Safe & Secure Platform

[Diagram: development lifecycle solutions (Wind River Workbench, Wind River Simics, Wind River Test Management, Wind River Global Support, Wind River Professional Services); operating environments (VxWorks, VxWorks Cert incl. APEX, Wind River Linux, other OS); separation profiles (Real-Time Hypervisor Profile; Safety Separation Profile for ARINC 653, DO-178C, IEC 61508; Security Separation Profile for MLS/CDS); architecture support for single and multicore.]

Summary
- Trends: consolidation, interoperability, regulatory
- ARINC 653 Standard
- DO-297 / ED-124
- Multicore
- Safe and Secure Platform