10 research outputs found

    Towards Enabling Level 3A AI in Avionic Platforms

    The role of AI evolves from human assistance via human/machine collaboration towards fully autonomous systems. As the push towards more autonomy subsequently removes the reliance on a human overseeing the system, means of self-supervision must be provided to enable safe operations. This work explores dynamic reconfiguration to provide resilience to unforeseen environmental conditions that exceed the system's capabilities, but also against normal faults. We focus on providing the means for this in an ARINC 653 compliant environment, since we target avionics platforms. Scheduling and communication are two major aspects of dynamic reconfiguration. Hence, we discuss multiple respective implementation approaches. The third pillar of reconfiguration, the process of deciding when to reconfigure, is also investigated. Combining these yields the building blocks for a self-supervising system.

    Cybersecurity Engineering: Bridging the Security Gaps in Avionics Architectures and DO-326A/ED-202A

    Urban Air Mobility is envisioned as an on-demand, highly automated and autonomous air transportation modality. It requires the use of advanced sensing and data communication technologies to gather, process, and share flight-critical data. While this sharing of mixed-critical data brings opportunities, it presents, if compromised, serious cybersecurity threats and safety risks due to the cyber-physical nature of the airborne vehicles. Therefore, the avionics system design approach of adhering to functional safety standards (DO-178C) alone is inadequate to protect the mission-critical avionics functions from cyber-attacks. To approach this challenge, the DO-326A/ED-202A standard provides a baseline to effectively manage cybersecurity risks and to ensure the airworthiness of airborne systems. In this regard, this paper pursues a holistic cybersecurity engineering and bridges the security gap by mapping the DO-326A/ED-202A system security risk assessment activities to the Threat Analysis and Risk Assessment process. It introduces Resilient Avionics Architecture as an experimental use case for Urban Air Mobility by apprehending the DO-326A/ED-202A standard guidelines. It also presents a comprehensive system security risk assessment of the use case and derives appropriate risk mitigation strategies. The presented work facilitates avionics system designers to identify, assess, protect, and manage the cybersecurity risks across the avionics system life cycle.

    DevOps for Airborne Software: Exploring Modern Approaches

    Presents tools and techniques which enable or improve the use of DevOps for airborne software engineering. Describes first experiences gathered while implementing a demonstrator using these tools and techniques. Based on specialized programming languages like Rust and Nix and standards like DO-178.

    Model-Based STPA: Towards Agile Safety-Guided Design with Formalization

    The competition for market entry in emerging segments such as Urban Air Mobility highlights the need for efficient and flexible development processes. This is accompanied by the trend towards software-intensive avionics systems due to the requirement for complex and computationally expensive algorithms. Considering the successful application of agile development in the software domain, one might conclude that the agile paradigm would be the perfect fit to address these issues. However, for highly safety-critical domains such as aviation, multiple conflicts with the agile paradigm exist. Especially the constraint to follow rigorous and well-documented processes contradicts the ideas of agile. To bridge this gap, a comprehensive and well-documented, but still flexible process is necessary. Accordingly, this paper proposes a first step towards such an agile safety-guided design, by combining Model-Based Systems Engineering with the System-Theoretic Process Analysis. Particularly, focus is placed on enabling an iterative safety-guided design by providing functionality to track design changes to the corresponding safety artifacts. This automated functionality is enabled by a formalized execution of the safety analysis. At first glance, formalization sounds like a contradiction to the agile paradigm. However, we argue that formality and agility are not necessarily contradicting each other. Our theory is that moving the focus of formality from the human activities to the assisting functionality even increases overall agility. The iterative safety-guided design and resulting identification of safety improvements is demonstrated with examples of a flight assistance system.

    WebAssembly in Avionics: Decoupling Software from Hardware

    Avionics software development is expensive and release cadence is slow. Therefore, reusable software components and applications are particularly attractive to enable faster system development, increase quality and decrease costs. A common Application Programming Interface (API) can avoid strong coupling between software and its execution environment and enable re-use even when the execution environment changes. ARINC 653 describes such an API for avionics applications. However, orthogonal to the use of this API, some coupling to the hardware and the execution environment remains. Usually, an avionics application still has to be adapted to the OS implementing ARINC 653 and compiled for the target hardware architecture. In this paper, we outline a concept for removing this restriction, while increasing portability and re-usability, using WebAssembly as a common Application Binary Interface and object code format. Since WebAssembly is a universal byte-code written for a Virtual Machine, this also enables advantages towards certification and fault isolation. In this work we integrate a WebAssembly (Wasm) interpreter onto an ARINC 653 Hypervisor to demonstrate feasibility of the approach, and to assess runtime impact on binary size and performance. Moreover, we argue that certification according to DO-178C is achievable for a Wasm interpreter based avionic software stack.

    Assuring APEX with a versatile Rust API

    Hypervisors have become fundamental to Integrated Modular Avionics (IMA), by offering several benefits during development, certification, and operation. Unfortunately, requiring per-seat licensing, many hypervisors do not integrate well with DevOps practices. APEX (ARINC 653) standardizes a portable interface to common functionality of different hypervisors. However, as for all safety-critical software, detailed knowledge of the standard and careful testing are required, especially since ARINC 653 does not prevent unsafe misuse of its API. The Rust programming language is designed to provide strong safety guarantees using zero-cost abstractions. In this paper, we present apex-rs, a safe and ergonomic API to the APEX interface, and apex-linux, a DevOps-friendly hypervisor that utilizes features of the Linux kernel to provide a low complexity APEX implementation.
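    As an added illustration of the API-misuse point in this abstract (it is not apex-rs or apex-linux; the `raw` module, its status codes and every other name are constructed for the example and only loosely modelled on ARINC 653), the Rust block below wraps a C-style sampling-port surface in a typed handle: a handle exists only if creation succeeded, the port's maximum message size is a type parameter that also sizes the receive buffer, and every service status surfaces as a `Result` the caller has to handle.

```rust
//! Added illustration, not the apex-rs crate: wrapping a C-style APEX
//! (ARINC 653) sampling-port interface in a Rust API whose types rule out the
//! usual misuses. `raw` is an in-memory stand-in for a hypervisor's APEX
//! services; its status codes and behaviour are a loose model of the standard,
//! and every name below is constructed for illustration.

/// C-style surface: integer port IDs, a bare pointer for the receive buffer,
/// and status codes the caller is free to ignore. The service cannot know how
/// large the caller's buffer is, so an undersized buffer corrupts memory.
pub mod raw {
    use std::collections::HashMap;
    use std::ptr;

    pub type PortId = u32;
    pub const NO_ERROR: i32 = 0;
    pub const NO_ACTION: i32 = 1; // port exists, nothing written yet
    pub const INVALID_PARAM: i32 = 2; // unknown port ID
    pub const INVALID_CONFIG: i32 = 3; // message longer than MAX_MESSAGE_SIZE

    #[derive(Default)]
    pub struct Partition {
        ports: HashMap<PortId, (usize, Option<Vec<u8>>)>,
        next_id: PortId,
    }

    impl Partition {
        pub fn create_sampling_port(&mut self, max_len: usize) -> (PortId, i32) {
            if max_len == 0 { return (0, INVALID_CONFIG); }
            let id = self.next_id;
            self.next_id += 1;
            self.ports.insert(id, (max_len, None));
            (id, NO_ERROR)
        }

        pub fn write_sampling_message(&mut self, id: PortId, msg: &[u8]) -> i32 {
            let (max_len, last) = match self.ports.get_mut(&id) {
                Some(p) => p,
                None => return INVALID_PARAM,
            };
            if msg.len() > *max_len { return INVALID_CONFIG; }
            *last = Some(msg.to_vec());
            NO_ERROR
        }

        /// Copies the latest message to `dst`; returns (length, status).
        /// Safety: `dst` must point to at least MAX_MESSAGE_SIZE writable bytes,
        /// which nothing in this signature lets the service check.
        pub unsafe fn read_sampling_message(&self, id: PortId, dst: *mut u8) -> (usize, i32) {
            match self.ports.get(&id) {
                None => (0, INVALID_PARAM),
                Some((_, None)) => (0, NO_ACTION),
                Some((_, Some(m))) => {
                    ptr::copy_nonoverlapping(m.as_ptr(), dst, m.len());
                    (m.len(), NO_ERROR)
                }
            }
        }
    }
}

/// `Result` is `#[must_use]`, so a dropped status is a compiler warning rather
/// than a silent continuation with a stale buffer.
#[derive(Debug, PartialEq, Eq)]
pub enum ApexError {
    TooLong { len: usize, max: usize },
    NoMessage,
    Service(i32),
}

/// A handle exists only if `create` succeeded, so forged or stale IDs never
/// reach the service, and the port's MAX_MESSAGE_SIZE is part of the type.
pub struct SamplingPort<const MAX: usize> {
    id: raw::PortId,
}

impl<const MAX: usize> SamplingPort<MAX> {
    pub fn create(part: &mut raw::Partition) -> Result<Self, ApexError> {
        match part.create_sampling_port(MAX) {
            (id, raw::NO_ERROR) => Ok(SamplingPort { id }),
            (_, code) => Err(ApexError::Service(code)),
        }
    }

    /// Length is checked against the type-level MAX; the caller cannot skip it.
    pub fn send(&self, part: &mut raw::Partition, msg: &[u8]) -> Result<(), ApexError> {
        if msg.len() > MAX { return Err(ApexError::TooLong { len: msg.len(), max: MAX }); }
        match part.write_sampling_message(self.id, msg) {
            raw::NO_ERROR => Ok(()),
            code => Err(ApexError::Service(code)),
        }
    }

    /// The buffer is sized by the type, so the raw call's precondition holds by
    /// construction; this is the only `unsafe` in the safe API.
    pub fn recv(&self, part: &raw::Partition) -> Result<([u8; MAX], usize), ApexError> {
        let mut buf = [0u8; MAX];
        let (len, code) = unsafe { part.read_sampling_message(self.id, buf.as_mut_ptr()) };
        match code {
            raw::NO_ERROR => Ok((buf, len)),
            raw::NO_ACTION => Err(ApexError::NoMessage),
            code => Err(ApexError::Service(code)),
        }
    }
}

/// Round trip through a 16-byte port with a constructed sample message.
pub fn demo() -> Result<Vec<u8>, ApexError> {
    let mut part = raw::Partition::default();
    let port = SamplingPort::<16>::create(&mut part)?;
    port.send(&mut part, b"pitch=+2.5")?;
    let (buf, len) = port.recv(&part)?;
    Ok(buf[..len].to_vec())
}
```

    The single `unsafe` block sits in `recv`, next to the invariant that justifies it. Under the raw surface that same invariant is the caller's unchecked responsibility on every call, and a forged port ID or an ignored status code is a runtime surprise at best.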

    A Behavior Specification and Simulation Methodology for Embedded Real-Time Software

    Safety-critical real-time systems must be carefully designed to guarantee both functional and temporal correctness. State-of-the-art approaches to achieve this are often based on formal notations capturing both the desired functionality and relevant timing properties. This work is concerned with the design of embedded software systems for emerging fields such as the Urban Air Mobility (UAM) sector. In this context, it deals with scenarios that benefit from a less formal programming model, but for which guarantees on functional and timing behavior must still be provided. We propose a concept to specify and simulate the behavior of embedded real-time software in a deterministic manner. It combines the Logical Execution Time (LET) paradigm with a flexible, code-based approach for behavior specification and performs discrete-event (DE) simulations to determine how exactly the designed system responds to given stimuli. We describe this concept, present a reference implementation using Ptolemy II as simulation backend, and discuss its application to a pilot assistance system from the UAM sector.
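    As an added example, not the paper's own implementation (which uses Ptolemy II as the simulation backend) and with task names, periods and behaviours constructed for illustration, the Rust block below implements the LET semantics this abstract describes in a minimal discrete-event loop: each job reads its inputs at release and its output is committed exactly at the end of its period, so the resulting trace is the same however long the computation would take on real hardware.

```rust
//! Added example, not the paper's implementation (which uses Ptolemy II as the
//! simulation backend): a minimal discrete-event simulator with Logical
//! Execution Time (LET) semantics. A job reads its inputs at release and its
//! output becomes visible to other tasks exactly at the end of its period,
//! whatever the actual execution time. Task names, periods and behaviours
//! below are constructed for illustration.

use std::cmp::Reverse;
use std::collections::{BinaryHeap, HashMap};

pub struct Task {
    pub name: &'static str,
    pub period: u64,
    pub reads: Vec<&'static str>,
    pub writes: &'static str,
    /// Behaviour specified as ordinary code: (release time, inputs) -> output.
    pub behaviour: Box<dyn Fn(u64, &[i64]) -> i64>,
}

// At equal logical times, outputs are committed before the next jobs are
// released, so a job released at t sees every value whose LET ended at t.
const TERMINATE: u8 = 0;
const RELEASE: u8 = 1;

/// Runs the task set from time 0 up to and including `horizon` and returns the
/// publish trace as (logical time, variable, value) in commit order.
pub fn simulate(
    tasks: &[Task],
    initial: &[(&'static str, i64)],
    horizon: u64,
) -> Vec<(u64, &'static str, i64)> {
    let mut vars: HashMap<&'static str, i64> = initial.iter().cloned().collect();
    // Output computed at release, held back until the job's LET interval ends.
    let mut pending: Vec<Option<i64>> = vec![None; tasks.len()];
    let mut trace = Vec::new();
    // Event = (time, kind, task index); Reverse turns the max-heap into a min-heap.
    let mut queue = BinaryHeap::new();
    for i in 0..tasks.len() {
        queue.push(Reverse((0u64, RELEASE, i)));
    }
    while let Some(Reverse((t, kind, i))) = queue.pop() {
        if t > horizon {
            break;
        }
        let task = &tasks[i];
        if kind == RELEASE {
            let inputs: Vec<i64> = task.reads.iter().map(|v| *vars.get(v).unwrap_or(&0)).collect();
            // The computation takes zero logical time; only its visibility is
            // delayed to the end of the period.
            pending[i] = Some((task.behaviour)(t, &inputs));
            queue.push(Reverse((t + task.period, TERMINATE, i)));
            queue.push(Reverse((t + task.period, RELEASE, i)));
        } else if let Some(v) = pending[i].take() {
            vars.insert(task.writes, v);
            trace.push((t, task.writes, v));
        }
    }
    trace
}

/// Constructed task set: a 10 ms altitude sensor and a 20 ms monitor that
/// raises an alert once the altitude exceeds 110.
pub fn demo_trace() -> Vec<(u64, &'static str, i64)> {
    let tasks = vec![
        Task {
            name: "sensor",
            period: 10,
            reads: vec![],
            writes: "alt",
            behaviour: Box::new(|t: u64, _: &[i64]| 100 + (t as i64) / 2),
        },
        Task {
            name: "monitor",
            period: 20,
            reads: vec!["alt"],
            writes: "alert",
            behaviour: Box::new(|_: u64, inputs: &[i64]| (inputs[0] > 110) as i64),
        },
    ];
    simulate(&tasks, &[("alt", 0), ("alert", 0)], 60)
}

fn main() {
    for (t, var, value) in demo_trace() {
        println!("t={t:>3}  {var} = {value}");
    }
}
```

    The trace makes the LET cost visible at design time, which is what such a simulation is for: the altitude committed at t=30 already exceeds the threshold, but the 20 ms monitor first reads it at its release at t=40, and its alert becomes visible at t=60. Repeated runs produce an identical trace, since no physical execution time enters the model.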

    XANDAR: X-by-Construction Design framework for Engineering Autonomous & Distributed Real-time Embedded Software Systems

    The next generation of networked embedded systems (ES) necessitates rapid prototyping and high performance while maintaining key qualities like trustworthiness and safety. However, development of safety-critical ES suffers from complex software (SW) toolchains and engineering processes. Moreover, the current trend in autonomous systems, which relies on Machine Learning (ML) and AI applications, when combined with fail-operational requirements renders the Verification and Validation (V&V) of these new systems a challenging endeavor. Prime examples are Advanced Driver-Assistance Systems (ADAS) that are prone to various safety/security vulnerabilities. The XANDAR project aims at developing a mature SW toolchain (from requirements analysis to the actual code integration on target including V&V) fulfilling the needs of industry for rapid prototyping of interoperable and autonomous ES. Starting from a model-based system architecture, XANDAR will leverage automatic model synthesis and software parallelization techniques to achieve specific non-functional requirements, setting the foundation for a novel (real-time, safety-, and security)-by-Construction paradigm.