
    Avionics standards, software and IMA

    The paper covers the definition of Integrated Modular Avionics (IMA), the associated avionics standards and their impact on avionics software. These standards were developed by the ARINC and RTCA/EUROCAE committees, in which all avionics stakeholders are involved. 2005 is a key year for standardization: ARINC653 Part 1 Supplement 2 and Part 3 are ready for publication, and RTCA-SC200 / EUROCAE-WG60 is under ballot. The IMA concepts, the new architecture in avionics, were defined in the late eighties and first published in the ARINC651 standard in 1991. They were first applied on the Boeing 777, extended and used on the Airbus A380, and are now selected for the future Boeing 787. These concepts divide the avionics embedded domain into Platform (hardware plus core software) and Applications, instead of Hardware and Software, so that several applications of different criticality levels can reside on the same platform. The consequence was the development of new standards and guidelines supporting these concepts, e.g.:
    - ARINC653 defines the API and the behaviour of the core software services.
    - DO-255/ED-96 describes an Avionics Computing Resource (a platform separated from its hosted applications).
    - DO-248B/ED-94B clarifies DO-178B/ED-12B and defines concepts such as robust partitioning.
    - SC200/WG60 (future ED-124) contains the IMA development guidance and certification considerations.
    - SC205/WG71 has started; it reviews and extends DO-178B/ED-12B and DO-248B/ED-94B with regard to new technologies.
    The paper describes the objectives and results of these standardization committees. It focuses on the ARINC653 and ED-124 standards and briefly presents the associated standards.

    Safety arguments for next generation location aware computing

    Concerns over the accuracy, availability, integrity and continuity of Global Navigation Satellite Systems (GNSS) have limited the integration of GPS and GLONASS into safety-critical applications. More recent augmentation systems, such as the European Geostationary Navigation Overlay Service (EGNOS) and the North American Wide Area Augmentation System (WAAS), have begun to address these concerns. Augmentation architectures build on the existing GPS/GLONASS infrastructures to support location-based services in Safety of Life (SoL) applications. Much of the technical development has been directed by air traffic management requirements, in anticipation of the more extensive support to be offered by GPS III and Galileo. WAAS has already been approved to provide vertical guidance against ICAO safety performance criteria for aviation applications. During the next twelve months, we will see the full certification of EGNOS for SoL applications. This paper identifies strong similarities between the safety assessment techniques used in Europe and North America. Both have relied on hazard analysis techniques to derive estimates of the Probability of Hazardously Misleading Information (PHMI). Later sections identify significant differences between the approaches adopted in application development. Integrated fault trees have been developed by regulatory and commercial organisations to consider both infrastructure hazards and their impact on non-precision RNAV/VNAV approaches using WAAS. In contrast, EUROCONTROL and the European Space Agency have developed a more modular approach to safety-case development for EGNOS. It remains to be seen whether the European or North American strategy offers the greatest support as satellite-based augmentation systems are used within a growing range of SoL applications, from railway signalling through to Unmanned Airborne Systems. The key contribution of this paper is to focus attention on the safety arguments that might support this wider class of location-based services.
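    Both safety cases described above derive PHMI estimates from fault trees over infrastructure hazards. The evaluator below is an added example written for this listing; it is not code from the paper, nor from the WAAS or EGNOS safety cases. The tree structure, the event names (sat_fault, monitor_miss, iono_error, bound_small, uplink_corrupt) and every probability are constructed for illustration. It computes the top-event probability under an independence assumption, enumerates the minimal cut sets, and ranks them by contribution, which is what an analyst uses to see which hazard dominates the PHMI budget.

```python
# Added example: a minimal fault-tree evaluator of the kind used to derive a
# Probability of Hazardously Misleading Information (PHMI). The tree below,
# its event names and the basic-event probabilities are constructed for
# illustration; they are not WAAS or EGNOS figures.
from itertools import product

# A node is either a basic-event name (str) or ("AND" | "OR", [children]).
TOP = ("OR", [
    ("AND", ["sat_fault", "monitor_miss"]),   # satellite fault not flagged by integrity monitoring
    ("AND", ["iono_error", "bound_small"]),   # ionospheric error larger than the broadcast bound
    "uplink_corrupt",                         # corrupted correction message accepted as valid
])

# Per-approach probabilities of each basic event (constructed, dimensionless).
PROBS = {
    "sat_fault": 1e-4,
    "monitor_miss": 1e-3,
    "iono_error": 1e-2,
    "bound_small": 1e-3,
    "uplink_corrupt": 1e-7,
}

def evaluate(node, probs):
    """Probability of the node's event, assuming independent basic events."""
    if isinstance(node, str):
        return probs[node]
    gate, children = node
    ps = [evaluate(c, probs) for c in children]
    if gate == "AND":
        p = 1.0
        for x in ps:
            p *= x
        return p
    if gate == "OR":
        q = 1.0                  # P(no child occurs) = prod(1 - p_i)
        for x in ps:
            q *= 1.0 - x
        return 1.0 - q
    raise ValueError(f"unknown gate {gate!r}")

def minimal_cut_sets(node):
    """Minimal sets of basic events that are jointly sufficient for the top event."""
    if isinstance(node, str):
        return [frozenset([node])]
    gate, children = node
    child_sets = [minimal_cut_sets(c) for c in children]
    if gate == "OR":
        sets = [s for cs in child_sets for s in cs]
    else:  # AND: pick one cut set from each child and union them
        sets = [frozenset().union(*combo) for combo in product(*child_sets)]
    sets = set(sets)
    minimal = [s for s in sets if not any(o < s for o in sets)]   # drop supersets
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))

def cut_set_contributions(node, probs):
    """Each minimal cut set with its probability, largest first. Their sum is
    the rare-event approximation of the top-event probability."""
    out = []
    for cs in minimal_cut_sets(node):
        p = 1.0
        for e in cs:
            p *= probs[e]
        out.append((cs, p))
    return sorted(out, key=lambda t: t[1], reverse=True)

def phmi_meets_target(node, probs, target):
    """True if the computed PHMI is at or below a required target; the target
    value itself comes from the applicable integrity requirement."""
    return evaluate(node, probs) <= target

if __name__ == "__main__":
    print("PHMI =", evaluate(TOP, PROBS))
    for cs, p in cut_set_contributions(TOP, PROBS):
        print(sorted(cs), p)
```

    With the constructed numbers the ionospheric cut set dominates by two orders of magnitude, so tightening the monitor for satellite faults would not move the PHMI estimate; that is the kind of conclusion the integrated fault trees described in the abstract are built to support.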

    Automatic deployment of an RPAS Mission Manager to an ARINC-653 compliant system

    The development process of avionics systems requiring a high level of safety is subject to rigorous development and verification standards. To accelerate and facilitate this process, we present a testbed that uses a suite of methods and tools to comply with aerospace certification standards. To illustrate the proposed methodology, we designed a Mission Management System for Remotely Piloted Aircraft Systems (RPAS) that was deployed on a particular run-time execution platform called XtratuM, an ARINC-653 compliant system developed in our research group. The paper discusses the system requirements, the software architecture, the key issues for porting designs to XtratuM, and how to automate this process. Results show that the proposed testbed is a good platform for designing and qualifying avionics applications.
    This research has been financed by the Institute of Control Systems and Industrial Computing (Ai2), and by projects GVA AICO/2015/126 (Ayudas para Grupos de Investigación Consolidables) and GVA ACIF/2016/197 (Ayudas para la contratación de personal investigador en formación de carácter predoctoral) of the Spanish Regional Government "Generalitat Valenciana".
    Usach Molina, H.; Vila Carbó, JA.; Crespo, A.; Yuste Pérez, P. (2018). Automatic deployment of an RPAS Mission Manager to an ARINC-653 compliant system. Journal of Intelligent & Robotic Systems. 92(3-4):587-598. https://doi.org/10.1007/s10846-017-0694-3

    Integration of generic operating systems in partitioned architectures

    Master's thesis, Informatics Engineering (Computer Architecture, Systems and Networks), Universidade de Lisboa, Faculdade de Ciências, 2009.
    The Integrated Modular Avionics (IMA) specification defines a partitioned environment hosting multiple avionics functions of different criticalities on a shared computing platform. ARINC 653, one of the specifications related to the IMA concept, defines a standard interface between the software applications and the underlying operating system. Both specifications come from the world of civil aviation, but they are attracting interest from space industry partners, who have identified requirements in common with those of aeronautical applications. Within the scope of this interest, the AIR architecture was defined under a contract from the European Space Agency (ESA). AIR provides temporal and spatial segregation, and foresees the use of a different operating system in each partition. Temporal segregation is achieved through the fixed cyclic scheduling of computing resources to partitions. The present work extends the foreseen partition operating system (POS) heterogeneity to generic non-real-time operating systems. This was motivated by documented difficulties in porting applications to RTOSs, and by the notion that proper integration of a non-real-time POS will not compromise the timeliness of critical real-time functions. For this purpose, Linux is used as a case study. An embedded variant of Linux is built and evaluated regarding its adequacy as a POS in the AIR architecture. To guarantee safe integration, a solution based on the Linux paravirtualization interface, paravirt-ops, is proposed. In the course of these activities, the AIR architecture definition was also subject to improvements. The most significant one, motivated by the intended increase in POS heterogeneity, was the introduction of a new component, the AIR Partition OS Adaptation Layer (PAL). The AIR PAL provides greater POS-independence to the major components of the AIR architecture, easing their independent certification efforts. Other improvements provide enhanced timeliness mechanisms, such as mode-based schedules and process deadline violation monitoring.
    Funding: ESA/ITI - European Space Agency Innovation Triangular Initiative (through ESTEC Contract 21217/07/NL/CB-Project AIR-II) and FCT - Fundação para a Ciência e Tecnologia (through the Multiannual Funding Programme
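    The fixed cyclic scheduling of partitions, the mode-based schedules and the process deadline violation monitoring named in this abstract, together with the robust-partitioning idea behind ARINC 653 in the first abstract on this page, can be illustrated with a small simulation. The following is an added example written for this listing; it is not code from the AIR architecture, XtratuM, LithOS or any ARINC 653 implementation, and the partition names (FLIGHT_CTRL, NAV, MAINT), window lengths, process run times, deadlines and schedule modes are all constructed. The security-relevant property it shows is that a process overrun is contained within the partition that caused it: the other partitions' windows are unchanged, and the monitor records the violation instead of the scheduler borrowing time.

```python
# Added example: an illustrative model of ARINC 653-style temporal
# partitioning with mode-based schedules and deadline monitoring. This is
# not code from AIR, XtratuM, LithOS or any ARINC 653 product; partition
# names, window lengths, process run times and modes are constructed.
from dataclasses import dataclass

@dataclass
class Process:
    name: str
    actual: int    # ticks really consumed this frame (constructed; may exceed the budget)
    deadline: int  # must have finished within this many ticks of the window opening

@dataclass
class Partition:
    name: str
    processes: list

# Mode-based schedules: for each mode, the order and length of the partition
# windows in one major frame are fixed at configuration time (hypothetical).
SCHEDULES = {
    "normal":   [("FLIGHT_CTRL", 4), ("NAV", 5), ("MAINT", 3)],
    "degraded": [("FLIGHT_CTRL", 6), ("NAV", 5)],   # MAINT gets no window in this mode
}

def run_major_frame(mode, partitions):
    """Execute one major frame under `mode`.

    Returns (timeline, violations). `timeline` names the partition that owns
    each tick; `violations` is what the deadline monitor recorded, as
    (partition, process, kind). A window is never extended, so an overrun
    stays inside the partition that caused it."""
    by_name = {p.name: p for p in partitions}
    timeline, violations = [], []
    for pname, window in SCHEDULES[mode]:
        used = 0
        for proc in by_name[pname].processes:
            start = used
            used = min(window, used + proc.actual)          # clipped at the window end
            finished = (used - start) == proc.actual
            if not finished:
                violations.append((pname, proc.name, "truncated_by_window"))
            elif used > proc.deadline:
                violations.append((pname, proc.name, "deadline_missed"))
        timeline.extend([pname] * window)                   # slot length is fixed, used or not
    return timeline, violations

def partition_share(timeline):
    """Ticks owned by each partition in the frame."""
    share = {}
    for pname in timeline:
        share[pname] = share.get(pname, 0) + 1
    return share

def demo():
    """Constructed workload: NAV's second process overruns the window (so its
    third process never runs) and MAINT's only process finishes late."""
    partitions = [
        Partition("FLIGHT_CTRL", [Process("attitude_loop", actual=3, deadline=4)]),
        Partition("NAV", [Process("gps_fix", actual=2, deadline=3),
                          Process("map_match", actual=7, deadline=5),
                          Process("log", actual=1, deadline=5)]),
        Partition("MAINT", [Process("bit", actual=2, deadline=1)]),
    ]
    return run_major_frame("normal", partitions), run_major_frame("degraded", partitions)

if __name__ == "__main__":
    for mode, (timeline, violations) in zip(("normal", "degraded"), demo()):
        print(mode, partition_share(timeline), violations)
```

    In the "normal" mode FLIGHT_CTRL keeps exactly its four ticks although NAV overruns by several ticks; the overrun only starves NAV's own later process, which the monitor reports as truncated. Switching to the "degraded" schedule removes MAINT from the frame entirely without touching the other partitions' windows. In a real ARINC 653 system the response to such a violation is decided by the health monitor configuration rather than recorded in a list; that part is simplified here.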

    Reuse of safety certification artefacts across standards and domains: A systematic approach

    Reuse of systems and subsystems is a common practice in safety-critical systems engineering. Reuse can improve system development and assurance, and there are recommendations on reuse for some domains. Cross-domain reuse, in which a previously certified product typically needs to be assessed against different safety standards, has however received little attention. No guidance exists for this reuse scenario despite its relevance in industry, so practitioners need new means to tackle it. This paper aims to fill this gap by presenting a systematic approach for the reuse of safety certification artefacts across standards and domains. The approach is based on the analysis of the similarities between standards and on the specification of maps between them. These maps are used to determine which safety certification artefacts can be reused from one domain to another, and the consequences of that reuse. The approach has been validated with practitioners in a case study on the reuse of an execution platform from railway to avionics. The results show that the approach can be effectively applied and that it can reduce the cost of safety certification across standards and domains. Therefore, the approach is a promising way of making cross-domain reuse more cost-effective in industry.
    Funding: European Commission's FP7 programme.

    Assessment team report on flight-critical systems research at NASA Langley Research Center

    The quality, coverage, and distribution of effort of the flight-critical systems research program at NASA Langley Research Center were assessed. Within the scope of the Assessment Team's review, the research program was found to be very sound. All tasks under the current research program at least partially addressed industry needs. The general recommendations were to expand the program's resources to provide additional coverage of high-priority industry needs, including operations and maintenance, and to focus the program on an actual hardware and software system that is under development.

    Model-based specification of safety compliance needs for critical systems : A holistic generic metamodel

    Context: Many critical systems must comply with safety standards as a way of providing assurance that they do not pose undue risks to people, property, or the environment. Safety compliance is a very demanding activity, as the standards can consist of hundreds of pages and practitioners typically have to show the fulfilment of thousands of safety-related criteria. Furthermore, the text of the standards can be ambiguous, inconsistent, and hard to understand, making it difficult to determine how to effectively structure and manage safety compliance information. These issues become even more challenging when a system is intended to be reused in another application domain with different applicable standards. Objective: This paper aims to resolve these issues by providing a metamodel for the specification of safety compliance needs for critical systems. Method: The metamodel is holistic and generic, and abstracts common concepts for demonstrating safety compliance from different standards and application domains. Its application results in the specification of "reference assurance frameworks" for safety-critical systems, which correspond to a model of the safety criteria of a given standard. To validate the metamodel against safety standards, parts of several standards have been modelled by both academic and industry personnel, and other standards have been analysed. We further augment this with feedback from practitioners, including feedback gathered during a workshop. Results: The results of the validation show that the metamodel can be used to specify safety compliance needs for aerospace, automotive, avionics, defence, healthcare, machinery, maritime, oil and gas, process industry, railway, and robotics. Practitioners consider that the metamodel can meet their needs and find benefits in its use. Conclusion: The metamodel supports the specification of safety compliance needs for most critical computer-based and software-intensive systems. The resulting models can provide an effective means of structuring and managing safety compliance information.

    Open for Business: Business Models for Innovation with Modular Open Systems Approaches

    Excerpt from the Proceedings of the Nineteenth Annual Acquisition Research Symposium.
    Modular Open Systems Approaches (MOSA) build on techniques used in the commercial world in an attempt to bring innovation, speed, and savings to Department of Defense (DoD) acquisition. However, while competition can be a powerful motivator, MOSA can be disruptive to those traditional defense industrial base business models that rely on the expectation of long-term production and sustainment revenue to recoup corporate investments. This project undertook interviews and surveys to better understand how MOSA influences vendor incentives and what business models may best serve DoD needs going forward. MOSA's promise of enabling faster technology refresh and bringing in new sources of innovation addresses technical and operational challenges associated with 21st-century great power competition and longstanding DoD difficulties in accessing commercial technology. This project has identified three overarching challenges regarding MOSA adoption: communicating and demonstrating government commitment; developing a MOSA-enabled IP and data rights strategy; and establishing standards and interfaces. In addressing these three challenges, the government will need to employ its acquisition toolkit to take different approaches with different vendors. To better understand how to make this transition a success, this paper presents a framework for evaluating the DoD's readiness for MOSA.
    Approved for public release; distribution is unlimited.