Post on 02-Jan-2016
Federal Aviation Administration
Complex Integrated Avionics and System Safety, June 9, 2005

Complex Integrated Avionic Systems and System Safety
Presentation to: Europe/U.S. International Aviation Safety Conference
Name: Ali Bahrami
Date: June 9, 2005
Trends in Avionics: Integration and Complexity

Timeline, 1980 to 2000:
• Electronic flight instruments (ex. 757/767): integration within closely related functions; most functionality in hardware/firmware.
• Integrated display system (ex. 747-400): integration of most display-related avionics functions; most functionality re-programmable.
• Integrated Modular Avionics (IMA) (ex. 777): integration of many avionics functions; card-based processors in cabinet racks.
• Expanded IMA (ex. Falcon EASy, ERJ-170): integration of avionics plus some flight control and airplane systems; more generic processors and software-based functionality.
Trends in Avionics: Architectures

Huge increases in:
• Functional integration.
• Software size and complexity.

Shift in techniques for isolation/independence:
• Traditionally, redundant features were completely isolated; now they communicate with each other.
• High- and low-criticality functions were traditionally physically isolated from each other; now they share computing and databus resources.

Mix of new and reused ("legacy") software.
Trends in Avionics: TSO

TSOs (Technical Standard Orders):
• Traditionally, TSOs were used for simple equipment (e.g. seat belts) and well-defined "stand-alone" functions (e.g. airspeed indicator). Installation issues were minimal.
• Now, TSO requirements cover only a small fraction of the designed functionality.
• TSO functionality may be embedded in an integrated avionics suite ("functional TSO").
• Vendors need a TSO Authorization (TSOA) to ship "brain-dead" hardware which doesn't comply with the full TSO requirements until it is installed and software is loaded.
Trends in Avionics: Engineering and Business Practices

Increasing dependence on Commercial Off-the-Shelf (COTS) hardware and software. Examples:
• Microprocessors (from the PC industry).
• Operating systems (e.g. Windows).
• Graphics processors (from the video game industry).

Changes in manufacturer-vendor relationships and responsibilities:
• Global design and manufacturing of highly integrated avionics functions.
• Shift from airframe manufacturer as "designer/builder" to "integrator/assembler."
Certification Challenges

Integration and complexity:
• Current processes (e.g. DO-178B/ED-12B for software) were developed with much simpler architectures in mind.
• Experience is showing that there are complex and often unexpected "connections" between traditionally unrelated or independent functions, especially during failures.
• Failures become more difficult to predict and diagnose.
• It becomes less and less feasible to test all inter-related failure modes.
• Fully integrated test facilities become more challenging and expensive to build and operate.
Certification Challenges
Software:
• Software-based isolation and independence is much more “fluid” and difficult to assure than relying on hardware.
• Mixing of COTS, reused, and new software – all developed by different processes and to different standards – makes assessing the safety issues much more difficult, especially in standardized ways.
Certification Challenges

"Functional" TSO:
• Difficult to separate TSO issues from installation issues:
  – The TSO'd function may be part of the software that resides on a circuit card.
  – TSO compliance can only be assessed when installed in the host system.
  – Even simple issues like part marking become complicated.
  – TSO change processes were not developed with these complex TSO "packages" in mind.

Engineering and business practices:
• COTS products are not developed to traditional aviation standards.
• Detailed certification data and knowledge often reside at the vendor rather than the manufacturer.
How the Authorities Have Responded

The authorities have already taken a number of actions to support recent IMA trends and specific projects, including:
• Development of an IMA Advisory Circular (AC) and TSO.
• Development of an Order on software reuse.
• Approval of functional TSOs.
• Numerous DO-178B/ED-12B "workarounds."
• Additional relevant guidance is in work.

However, continued industry support is needed…
What is Needed to Support the Trend?

Current software certification methods did not envision modern IMA architectures, so we need new methods…
• That are equally effective in ensuring safety…
• While supporting the certification of IMA.

The current TSO process is not well-suited for embedded software functions, so we need new approaches to TSOA…
• Which allow design and production approval for traditional TSO functions in IMA architectures…
• While protecting the level of safety provided by type certification processes.
What is Needed to Support the Trend?

When manufacturers out-source development and test:
• New processes for authority/manufacturer/vendor communication are needed.

Testing:
• Testing of the IMA "pieces" will not find integration problems.
• The actual airplane is not an adequate test environment for many IMA issues.
• Full-scale integration test facilities may not be commercially viable.
• Industry needs to help develop new approaches to integration testing that will find and characterize IMA problems before certification.
Authority-Industry Partnership

Cooperation is needed more than ever:
• Traditional certification processes were developed to match past commercial practices.
• The pace of change is increasing.

Industry will need to lead the effort to develop new methods of compliance:
• New methods cannot just "do less"; they MUST preserve, and where possible improve, the level of safety.
• Focus on safety-related issues, even though with IMA it is more difficult to separate what is or is not "safety-related."
Summary and Future Perspectives

The authorities support industry's efforts to advance the technology:
• Historic cooperation between the authorities and industry has been essential in developing viable and effective methods of compliance and safety assurance.
• Cooperation is even more critical as we collectively support rapid technological advances while at the same time increasing the level of safety.

Potential broader issue: Does the overall safety assessment process need to be revisited, to account for the migration of functionality (and failure conditions) from hardware to software?