
    Use of Model-Based Software Product Line Engineering for Certifiable Avionics Software Development

    All avionics software systems are subject to certification constraints imposed by the DO-178 standards. Civil avionics equipment manufacturers are quite conservative in their software development processes: most still use time-tested software engineering tools and methods, due to strict certification constraints. These certification constraints, along with the increasing size and complexity of modern avionics software-intensive systems, are having a huge impact on the cost of certifiable avionics software development. To cope with this increasing complexity, avionics equipment manufacturers need to use modern software development methodologies. This is possible with the release of the DO-178C standard. In my thesis, I have explored the use of model-based software product line engineering for certifiable avionics software development, and have proposed industrial-level solutions for using a model-based software product line process based on commercially available tools. In this thesis, I have also explored the applicability of our model-based software product line process to export-controlled, certifiable avionics software development, identifying constraints that limit the reuse of software components among export-controlled avionics software and proposing technical solutions that facilitate the application of a model-based software product line to export-controlled, certifiable avionics software development. The proposed solutions are validated using industrial case studies.

    Quadruplex digital flight control system assessment

    Described are the development and validation of a double fail-operational digital flight control system architecture for critical pitch-axis functions. Architectural trade-offs are assessed, system simulator modifications are described, and demonstration test results are critiqued. Assessment tools and their application are also illustrated. Ultimately, system simulation tailored to the attributes of digital mechanization is shown to be essential to validating the airworthiness of full-time critical functions such as augmented fly-by-wire systems for relaxed-static-stability airplanes.

    Provision and Collection of Safety Evidence: A Systematic Literature Review

    Safety-Critical Systems (SCS) are becoming more and more present in the daily life of modern societies, increasing people's dependence on them. Current SCS are firmly based on computational technology; failures in the operation of these systems can lead to accidents and endanger human life, as well as damage the environment and property. SCS are present in many areas such as avionics, automotive systems, industrial plants (chemical, oil & gas, and nuclear), medical devices, railroad control, defense, and aerospace systems. Companies that develop SCS must present evidence of their safety to obtain certification and authorization. This paper presents a Systematic Literature Review (SLR) investigating processes, tools, and techniques for collecting and managing safety evidence in SCS. The authors conducted this SLR according to the guidelines proposed by Kitchenham and Charters. The SLR comprises seven (7) research questions that investigate essential aspects of collecting and managing safety evidence. The primary studies analyzed in this SLR were selected using a search string applied to four data sources: ACM, IEEE Xplore, SpringerLink, and ScienceDirect. Data extraction considered fifty-one (51) primary studies. The authors identified eleven (11) different approaches covering processes, tools, and techniques for collecting and managing safety evidence. Although other SLRs have been conducted on safety evidence, none of them focused on the details of safety evidence collection. We found that very few approaches focus specifically on the process of collecting safety evidence.

    Analysis and evaluation of embedded graphics solutions for critical systems

    In the safety-critical systems domain, which includes automotive, avionics and space systems, more compute power is needed to provide additional functional value and safety. To achieve this, industry is considering new hardware architectures for future critical systems. One of these approaches is the use of mobile GPUs, which offer excellent performance for intensive computational tasks together with low power consumption. However, current programming models for general-purpose programming of GPUs, such as CUDA and OpenCL, do not comply with the safety standards of safety-critical systems. On the other hand, there are alternative programming solutions based on graphics, namely OpenGL SC 2 and Brook Auto, which are certification-friendly. In this thesis, we analyze these safety-critical programming models for GPUs and explore the different aspects of developing general-purpose software with them. We present our experience porting two applications from two distinct safety-critical domains, aerospace and avionics, to several graphics-based APIs (OpenGL 2, OpenGL ES 2, OpenGL SC 2 and Brook Auto), and the evaluation of the versions we produced. In terms of functionality and performance, no difference was observed, whereas we noticed a big gap in development complexity and productivity between the pure graphics solutions and Brook Auto.

    Development and certification of mixed-criticality embedded systems based on probabilistic timing analysis

    An increasing variety of emerging systems relentlessly replaces or augments the functionality of mechanical subsystems with embedded electronics. Given their quantity, complexity, and use, the safety of such subsystems is an increasingly important matter. Accordingly, those systems are subject to safety certification, which demonstrates the system's safety through rigorous development processes and hardware/software constraints. The massive increase in the complexity of embedded processors renders the arduous certification task significantly harder to achieve. The focus of this thesis is to address the certification challenges of multicore architectures: despite their potential to integrate several applications on a single platform, their inherent complexity imperils their timing predictability and certification. Recently, the Measurement-Based Probabilistic Timing Analysis (MBPTA) technique emerged as an alternative for dealing with hardware/software complexity. The innovation that MBPTA brings about is, however, a major step away from current certification procedures and standards. The particular contributions of this thesis are: (i) the definition of certification arguments for mixed-criticality integration on multicore processors; in particular, we propose a set of safety mechanisms, fault diagnosis and reaction techniques, and procedures, as required to comply with functional safety standards such as IEC 61508, on a reference multicore architecture. For timing predictability, (ii) we present a quantitative approach to assess the likelihood of execution-time exceedance events with respect to the risk-reduction requirements of safety standards. To this end, we build upon the MBPTA approach and present the design of a safety-related source of randomization (SoR), which plays a key role in the platform-level randomization needed by MBPTA. And (iii) we extrapolate current certification guidance for multicore architectures to a commercial 8-core platform and evaluate it with respect to emerging high-performance design trends such as caches. Overall, this thesis pushes the certification limits in the use of multicore and MBPTA technology in Critical Real-Time Embedded Systems (CRTES) and paves the way towards their adoption in industry.
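    The quantitative step in contribution (ii), relating a probabilistic execution-time bound to a deadline and to a per-hour risk-reduction budget, can be illustrated with a small worked example. The block below is an added example and is not code from the thesis: the execution-time samples are constructed, the Gumbel fit is a method-of-moments shortcut, and the full MBPTA procedure (block maxima, independence and identical-distribution tests, fit diagnostics) is assumed to have been applied to the measurements beforehand. The deadline, task rate and hourly budget are illustrative values, not figures from the thesis.

```python
"""Added example, not code from the thesis: a simplified illustration of
relating a measurement-based probabilistic timing estimate to a deadline and
to a per-hour failure-rate budget. The execution-time samples are constructed
here. The Gumbel fit is a method-of-moments shortcut; the actual MBPTA
procedure (block maxima, i.i.d. tests, fit diagnostics) is assumed to have
been applied upstream."""
import math
import random
from statistics import mean, pstdev

EULER_GAMMA = 0.5772156649015329


def constructed_samples(n=2000, seed=7):
    """Constructed execution times in microseconds: a fixed core cost plus a
    randomised component standing in for cache/bus effects on a platform
    with randomised placement (the kind of platform MBPTA targets)."""
    rng = random.Random(seed)
    return [500.0 + rng.gammavariate(2.0, 12.0) for _ in range(n)]


def fit_gumbel(samples):
    """Method-of-moments Gumbel fit; returns (location mu, scale beta)."""
    beta = pstdev(samples) * math.sqrt(6.0) / math.pi
    mu = mean(samples) - EULER_GAMMA * beta
    return mu, beta


def exceedance_probability(bound, mu, beta):
    """P(T > bound) for T ~ Gumbel(mu, beta), computed with expm1 so that
    very small tail probabilities do not cancel to zero."""
    return -math.expm1(-math.exp(-(bound - mu) / beta))


def pwcet(target_prob, mu, beta):
    """Probabilistic WCET: the bound whose exceedance probability equals
    target_prob (Gumbel quantile, using log1p for tiny target_prob)."""
    return mu - beta * math.log(-math.log1p(-target_prob))


def assess(samples, deadline_us, target_prob, activations_per_hour, max_rate_per_hour):
    """Fit the tail, derive the pWCET at target_prob, and convert the
    per-activation probability of missing deadline_us into an hourly rate
    (union bound: rate <= activations * probability) so it can be compared
    with a risk-reduction budget expressed per hour, as functional safety
    standards express them."""
    mu, beta = fit_gumbel(samples)
    p_miss = exceedance_probability(deadline_us, mu, beta)
    rate = p_miss * activations_per_hour
    return {
        "mu": mu,
        "beta": beta,
        "pwcet_us": pwcet(target_prob, mu, beta),
        "p_miss_deadline": p_miss,
        "misses_per_hour": rate,
        "meets_budget": rate <= max_rate_per_hour,
    }


if __name__ == "__main__":
    # Illustrative values: 100 Hz task, 1000 us deadline, 1e-7 misses/hour budget.
    print(assess(constructed_samples(), 1000.0, 1e-9, 100 * 3600, 1e-7))
```

    The point to take from the example is the direction of the argument: a per-activation exceedance probability only becomes comparable with a standard's risk-reduction target once it is multiplied by the activation rate, and the union bound used here is conservative only if the MBPTA preconditions (independent, identically distributed measurements) actually hold on the platform.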

    Armstrong Flight Research Center Research Technology and Engineering Report 2015

    I am honored to endorse the 2015 Neil A. Armstrong Flight Research Center's Research, Technology, and Engineering Report. The talented researchers, engineers, and scientists at Armstrong are continuing a long, rich legacy of creating innovative approaches to solving some of the difficult problems and challenges facing NASA and the aerospace community. Projects at NASA Armstrong advance technologies that will improve aerodynamic efficiency, increase fuel economy, reduce emissions and aircraft noise, and enable the integration of unmanned aircraft into the national airspace. The work represented in this report highlights the Center's agility to develop technologies supporting each of NASA's core missions and, more importantly, technologies that are preparing us for the future of aviation and space exploration. We are excited about our role in NASA's mission to develop transformative aviation capabilities and open new markets for industry. One of our key strengths is the ability to rapidly move emerging techniques and technologies into flight evaluation so that we can quickly identify their strengths, shortcomings, and potential applications. This report presents a brief summary of the technology work of the Center. It also contains contact information for the associated technologists responsible for the work. Don't hesitate to contact them for more information or for collaboration ideas.

    A case study of agile software development for large-scale safety-critical systems projects

    This study explores the introduction of agile software development within an avionics company engaged in safety-critical systems engineering. There is increasing pressure throughout the software industry for development efforts to adopt agile software development in order to respond more rapidly to changing requirements and to make more frequent deliveries of systems to customers for review and integration. This pressure is also being felt in safety-critical industries, where release cycles on typically large and complex systems may run to several years on projects spanning decades. However, safety-critical system development is normally highly regulated, which may constrain the adoption of agile software development or require adaptation of selected methods or practices. To investigate this potential conflict, we conducted a series of interviews with practitioners in the company, exploring their experiences of adopting agile software development and the challenges encountered. The study also explores the opportunities for altering the company's existing software process to better fit agile software development to the constraints of software development for safety-critical systems. We conclude by identifying immediate future research directions to better align the tempo of software development for safety-critical systems with that of agile software development.

    SRAM-Based FPGA Systems for Safety-Critical Applications: A Survey on Design Standards and Proposed Methodologies

    As ASIC design costs become affordable only for very large production volumes, FPGA technology is becoming the leading technology for applications that require small-scale production. FPGAs can be considered a technology that crosses between hardware and software. Only a small number of standards for the design of safety-critical systems give guidelines and recommendations that take the peculiarities of FPGA technology into consideration. The main contribution of this paper is an overview of the existing design standards that regulate the design and verification of FPGA-based systems in safety-critical application fields. Moreover, the paper surveys significant published research proposals and existing industrial guidelines on the topic, and collects and reports lessons learned from industrial and research projects involving the use of FPGA devices.

    Intelligent Hardware-Enabled Sensor and Software Safety and Health Management for Autonomous UAS

    Unmanned Aerial Systems (UAS) can only be deployed if they can effectively complete their mission and respond to failures and uncertain environmental conditions while maintaining safety with respect to other aircraft as well as humans and property on the ground. We propose to design a real-time, onboard system health management (SHM) capability to continuously monitor essential system components such as sensors, software, and hardware systems for detection and diagnosis of failures and violations of safety or performance rules during the flight of a UAS. Our approach to SHM is three-pronged, providing: (1) real-time monitoring of sensor and software signals; (2) signal analysis, preprocessing, and advanced on-the-fly temporal and Bayesian probabilistic fault diagnosis; (3) an unobtrusive, lightweight, read-only, low-power hardware realization using Field Programmable Gate Arrays (FPGAs) in order to avoid overburdening limited computing resources or costly re-certification of flight software due to instrumentation. No currently available SHM capabilities (or combinations of currently existing SHM capabilities) come anywhere close to satisfying these three criteria, yet NASA will require such intelligent, hardware-enabled sensor and software safety and health management for introducing autonomous UAS into the National Airspace System (NAS). We propose a novel approach of creating modular building blocks for combining responsive runtime monitoring of temporal logic system safety requirements with model-based diagnosis and Bayesian network-based probabilistic analysis. Our proposed research program includes both developing this novel approach and demonstrating its capabilities using the NASA Swift UAS as a demonstration platform.
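    The first prong, runtime monitoring of temporal-logic safety requirements over sensor and software signals, is the part of the proposal that a reader can most usefully see in working form. The block below is an added example written for this page; it is not NASA's SHM implementation and does not reproduce its logic or the Swift UAS rules. It shows the property that makes such monitors suitable for an FPGA: each past-time operator keeps a fixed amount of state and is updated once per sample, with no lookahead. The telemetry fields, the three safety rules and the flight samples are all constructed for illustration.

```python
"""Added example, not NASA's SHM implementation: an incremental, bounded-memory
runtime monitor for past-time temporal safety rules over a stream of sensor and
software signals. Every operator keeps a fixed amount of state and is updated
once per sample, the shape that maps onto a hardware pipeline; the telemetry
samples and the rules are constructed for illustration."""
from collections import deque


class Atom:
    """Boolean signal derived from one sample."""
    def __init__(self, pred):
        self.pred = pred

    def update(self, tick, sample):
        return bool(self.pred(sample))


class Not:
    def __init__(self, child):
        self.child = child

    def update(self, tick, sample):
        return not self.child.update(tick, sample)


class Historically:
    """child held at every one of the last n ticks (current tick included)."""
    def __init__(self, child, n):
        self.child, self.n, self.run = child, n, 0

    def update(self, tick, sample):
        self.run = self.run + 1 if self.child.update(tick, sample) else 0
        return self.run >= self.n


class RespondsWithin:
    """Every tick at which trigger holds must be followed by response at some
    tick up to and including trigger_tick + n. The verdict is delayed by n
    ticks so it needs no lookahead: at tick t it is False while the oldest
    unanswered trigger is n or more ticks old."""
    def __init__(self, trigger, response, n):
        self.trigger, self.response, self.n = trigger, response, n
        self.pending = deque()  # ticks of unanswered triggers, oldest first

    def update(self, tick, sample):
        trig = self.trigger.update(tick, sample)
        resp = self.response.update(tick, sample)
        if resp:
            self.pending.clear()
        elif trig:
            self.pending.append(tick)
        return not (self.pending and tick - self.pending[0] >= self.n)


class Monitor:
    """Runs named rules over a sample stream; returns (tick, rule) violations.
    Rule objects carry state, so build fresh rules for each stream."""
    def __init__(self, rules):
        self.rules = rules

    def run(self, stream):
        violations = []
        for tick, sample in enumerate(stream):
            for name, rule in self.rules.items():
                if not rule.update(tick, sample):
                    violations.append((tick, name))
        return violations


def build_rules():
    """Constructed safety rules over the telemetry fields below."""
    return {
        # A lost GPS fix must be answered by dead reckoning within 2 ticks.
        "gps_loss_handled": RespondsWithin(
            Atom(lambda s: not s["gps_fix"]), Atom(lambda s: s["nav_mode"] == "dr"), 2),
        # The flight-software heartbeat may not be absent for 3 consecutive ticks.
        "heartbeat": Not(Historically(Atom(lambda s: not s["sw_heartbeat"]), 3)),
        # Low battery must be answered by a descent command within 1 tick.
        "low_battery_descent": RespondsWithin(
            Atom(lambda s: s["battery_v"] < 10.5), Atom(lambda s: s["descend"]), 1),
    }


def constructed_flight():
    """Constructed telemetry, one sample per tick (values are illustrative)."""
    rows = [
        # gps_fix, nav_mode, sw_heartbeat, battery_v, descend
        (True, "gps", True, 12.0, False),
        (True, "gps", True, 11.9, False),
        (False, "gps", True, 11.8, False),   # tick 2: fix lost
        (False, "gps", False, 11.7, False),  # heartbeat missing
        (False, "dr", False, 11.6, False),   # tick 4: dead reckoning in time
        (False, "dr", False, 11.5, False),   # tick 5: third missed heartbeat
        (True, "dr", True, 11.4, False),
        (False, "gps", True, 10.0, False),   # tick 7: fix lost again, battery low
        (False, "gps", True, 9.9, True),     # descent commanded in time
        (False, "gps", True, 9.8, True),     # tick 9: no dead reckoning by 7+2
    ]
    keys = ("gps_fix", "nav_mode", "sw_heartbeat", "battery_v", "descend")
    return [dict(zip(keys, r)) for r in rows]


def check_constructed_flight():
    return Monitor(build_rules()).run(constructed_flight())


if __name__ == "__main__":
    print(check_constructed_flight())  # [(5, 'heartbeat'), (9, 'gps_loss_handled')]
```

    Two design points carry over to a hardware realization: the bounded-response operator reports a violation exactly n ticks after the unanswered trigger, so the monitor's latency is known and fixed; and because every operator only reads the current sample and its own small state, the monitor can observe signals without writing to or re-timing the flight software, which is what keeps it read-only from the certification point of view.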

    State of the art survey of technologies applicable to NASA's aeronautics, avionics and controls program

    The state of the art survey (SOAS) covers six technology areas: flightpath management, aircraft control systems, crew station technology, interface and integration technology, military technology, and fundamental technology. The SOAS included contributions from over 70 individuals in industry, government, and universities.