
Why certify COTS for safety?


These are stringent compliance standards, recognized by certification authorities such as the FAA, for the design of airborne electronic systems.

Published in: Engineering

  1. What is Safety Certifiable COTS? | June 22, 2015 | © 2015 Curtiss-Wright
     Gregory Sikkens, Senior Product Manager
  2. Housekeeping
     • Where DO-254 is used during this presentation, it refers to RTCA DO-254 / EUROCAE ED-80
     • Where DO-178 is used during this presentation, it refers to RTCA DO-178B / EUROCAE ED-12B
  3. What is Safety Certification?
     • Stringent compliance standards recognized by certification authorities like the FAA for design in airborne electronic systems
     • Originally created for the commercial aviation industry, gradually adopted by the military and defense industry
       • DO-254 defines the requirements for hardware
       • DO-178 defines the requirements for software
     • Safety certification is based on a series of Design Assurance Levels (DALs) A through E, DAL A being the most stringent and DAL E the least stringent
  4. Why is Safety Certification Growing in Importance?
     • FAA plugged the hole on simple vs. complex COTS; it is now difficult to claim "simple"
     • The practice of reverse engineering is getting harder and harder for the certification authorities to accept
     • Spreading from civil/commercial air to other similar industries, including defense
     • Growth in UAVs and associated ground stations
     • Application area: ground-based Air Traffic Control systems
     • Increasing numbers of military aircraft that fly over civil population centers
     • Growing use of military avionics subsystems in commercial aircraft
  5. How do we provide your safety certifiable solutions at a reasonable cost?
  6. COTS
     COTS modules deliver applications with far greater capabilities that also comply with the growing demand for safety certification.
     The key benefits of COTS include:
     • Open hardware architectures can mitigate obsolescence
     • Reduction in procurement times
     • Lower development cost
     • Lower logistics costs
     • Leverage higher collective volume
     • Cost effective
     • Increases assurance
     • Modified COTS (MCOTS) remains cost effective and lower risk compared to custom development
  7. Traditional Approach vs. COTS – What's the Difference?
     TRADITIONAL APPROACH
     • Application-specific development
       • High cost
       • All DO-254/DO-178 artifact costs allocated to a single application
       • Designed-in artifacts
     • Or already developed non-certifiable COTS
       • May add risk
       • Analyses and reverse-engineered artifacts in support of the purchaser's certification effort
     • Example – CCA-147 (SBC): DO-254 DAL C / DO-178B DAL A
     COTS APPROACH
     • General-purpose COTS development
       • Lowers cost and risk
       • Artifact costs reflect standard product sales quantities
       • Designed-in artifacts
     • Example – VPX3-150 (SBC): DO-254 DAL C / DO-178C DAL C
  8. How does DO-254 Safety Certifiable COTS work?
  9. General Purpose COTS DO-254 Development
     We start with a rigorous rugged development process:
     • Curtiss-Wright has continuously refined it over 30+ years of work in the mil/aero market
     • Every product is designed to be rugged from the start, not designed and then ruggedized
     • We fully meet or exceed the requirements of the AS9100 quality system
     • We execute requirements tracking and verification traceability using DOORS
     • We do detailed reviews – very few issues are found during hardware bring-up and verification
     You benefit from our proven rugged performance:
     • Environmental qualification testing of the design
     • ESS testing of production units (manufactured in-house)
     You also benefit from our high reliability:
     • Reliability Risk Assessment – we document risks to reliability, manufacturing, etc., and categorize them with mitigation plans and actions
     • Reliability Demonstration Testing (RDT) – where identified risks cannot be mitigated through design or analysis, testing is used
  10. General Purpose COTS DO-254 Development – Cont'd
     DO-254 requires a two-fold approach to achieve design assurance (certainty that the design operates as intended):
     • Thorough verification at all junctures of the process to catch errors in the design
     • A structured and audited design process with thorough planning, reviews, and double-checking of each step within the flow
     Curtiss-Wright's standard development process is extended to include an audited design process, giving a full DO-254 development process option.
  11. Where Do We Fit Into the Safety Certification Process? (figure; label: Curtiss-Wright)
  12. Design Assurance Levels (DAL)
     • EASA CM No.: EASA CM - SWCEH - 001, Issue No.: 01
       • "For equipment and CBAs of DALs/IDALs A, B, C or D, the ED-80/DO-254 objectives of Appendix A that are defined for level D should be applied."
       • CBA – Circuit Board Assembly
     • FAA Advisory Circular AC No.: 20-152
       • "This AC recognizes the guidance in RTCA/DO-254 applies specifically to complex custom micro-coded components with hardware design assurance levels of A, B, and C, such as ASICs, PLDs, and FPGAs."
       • "NOTE: We recognize that the hardware life cycle data for commercial-off-the-shelf (COTS) microprocessors may not be available to satisfy the objectives of RTCA/DO-254. Therefore, we don't intend that you apply RTCA/DO-254 to COTS microprocessors. There are alternative methods or processes to ensure that COTS microprocessors perform their intended functions and meet airworthiness requirements. Coordinate your plans for alternative methods or processes with us early in the certification project."
  13. Differences in Safety Certification: EASA vs. FAA (figure: DAL A, B, or C (FAA) vs. DAL D (EASA))
  14. What Is Curtiss-Wright Doing?
     • Develop DO-254 standard COTS products that are accepted worldwide
       • Board-level development to DO-254 DAL D
       • Complex custom micro-coded components to DO-254 DAL A
         • Possibly DAL C w/ independence as an intermediate step
     • Establish a product breadth – SBC, graphics and I/O
  15. DO-254 Artifacts for DAL C
     ARTIFACT KIT
     • Plan for Hardware Aspects of Certification
     • Hardware Verification Plan
     • Top-level drawing
     • Hardware Accomplishment Summary
     SUPPORTING DOCUMENTS (IF REQUESTED BY AUTHORITIES)
     • Hardware Design Plan
     • Hardware Validation Plan
     • Hardware Configuration Management Plan
     • Hardware Requirements
     • Hardware Design Data
     • Assembly Drawings / Installation Control Drawings
     • Hardware Traceability Data
     • Hardware Review and Analysis Results
     • Hardware Test Procedures
     • Hardware Test Results
  16. Development Data Kit
     • To assist with the Preliminary System Safety Assessment (PSSA)
     • Contents:
       • Single Event Effects (SEE)
       • Failure Modes and Effects Analysis (FMEA)
       • Reliability Analysis (MTBF)
       • Part Stress Method (using Part Stress Analysis)
       • …
  17. We can do much more for you than just a DO-254 development process!
  18. ARP4754: System Development Process
     • Safety monitoring requirements
     • Functional requirements
  19. Safety Monitoring Requirements
     Safety assessment is mandatory for certifiable equipment
     • How do we determine this in the absence of a Preliminary System Safety Assessment (PSSA)?
     • Include a process procedure: COTS Safety Assessment Result – safety requirements based on assessment of:
       • Component complexity (and a means of mitigation)
       • Environmental monitoring
       • Functional monitoring
       • Failure probability mitigation
       • Experience on what is typically required at the system level
     Examples of safety functions included on Curtiss-Wright safety certifiable products:
     • Temperature sensors
     • Independent voltage monitors
     • Clock monitors
     • Video Integrity Monitor
     • Watchdog monitor
     • CoreNet bandwidth monitor
  20. Let Our Experienced Team Help You!
     • Staff trained on DO-254 development
     • Completed DO-254 DAL C Modified COTS (MCOTS) development projects
       • MCOTS – re-use existing IP to develop a new product
     • Work with strong DER representation
       • Tammy Reeve, Patmos Engineering
       • Chairs the US DO-254 User's Group
       • Very active in progressing DO-254 and associated guidance documents
  21. Strengthened by Services
     • Franchise Only Supply (FOS) – protects against counterfeit material
     • Longevity Of Supply (LOS) – extends the life of the product
     • Longevity Of Repair (LOR) – extends the period of repair support
  22. Safety Certifiable Products
  23. Can facilitate supporting information from:
     • Freescale Semiconductor
     • AMD
     • Intel
  24. Safety Certifiable Products (Product | Features | Benefits | System Ready Application)
     • VPX3-150
       • Features: Freescale P5020 dual-core 64-bit, 1.2 GHz; 2-8 GB DRAM; 256 MB Flash; 16-64 GB Flash storage; CANbus; Elapsed Time Counter
       • Benefits: Safety Certifiable DO-254/DO-178C
       • System Ready Application: SferiAdvise Digital Mapping
     • XMC-TBD (Concept)
       • Features: Freescale T2080 single core with AltiVec @ 1.5 GHz; up to 16 GB DDR3 memory, 1866 MT/s (4 ranks); one bank NOR Flash – 256 MB; one bank NAND Flash – 8 GB; 512 KB non-volatile memory (MRAM)
       • Benefits: Safety Certifiable DO-254; AltiVec-enhanced
     • VPX3-718
       • Features: AMD Radeon E4690; dual independent outputs; HD-SDI/DVI/STANAG 3350/analog supported; 512 MB dedicated video memory; H.264 decompression
       • Benefits: Safety Certifiable DO-254/DO-178C; low latency video capture; full frame rate video capture
       • System Ready Application: SferiAdvise Digital Mapping
     • XMC-725
       • Features: AMD Radeon E8860 processor; dual independent graphics outputs; 2 GB dedicated video memory; H.264 decompression
       • Benefits: Safety Certifiable DO-254/DO-178C; larger video memory than E4690-based graphics; 15 year supply
     • VPX3-611 (Concept)
       • Features: FPGA-based I/O module with 2x MIL-STD-1553, 10x ARINC 429 Tx, 18x ARINC 429 Rx, 8x UART, 16x discretes, 2x analog inputs, 2x analog outputs, 2x audio outputs
       • Benefits: Safety Certifiable DO-254/DO-178C
  25. 2015–2016 Safety Certifiable Roadmap (figure; legend: Future, Customer Driven, In Design, Shipping; roadmaps subject to change)
     • 3U Power Architecture SBCs: VPX3-150 (P5020/P3041 @ 1.2 GHz, 64-bit core, up to 8 GB SDRAM); T2080 single core, 16 GB, 1.5 GHz with AltiVec
     • I/O Modules: VPX3-611 FPGA-based I/O module
     • 3U Graphics Cards: VPX3-718 (AMD E4690, 2 O/P, dual HD-SDI/analog capture, decompression)
     • XMC Mezzanine Cards: XMC-725 (AMD E8860, 5 O/P, compression/decompression); 133C
  26. Certification Credits
     • Planning to submit VPX3-150 and VPX3-718 to EASA
       • ETSO-C165 (digital map)
       • ETSO-C194 (HTAWS)
     • Using Airbus SferiAdvise digital map and HTAWS application
  27. What about Software and DO-178?
  28. Software Support
     • Wind River
       • VxWorks CERT Platform – certified operating system based on VxWorks, compliant with ED-12B/DO-178B
       • VxWorks 653 Platform – operating system derived from VxWorks with an ARINC 653 API, supporting DO-197
     • Green Hills Software
       • Integrity-178B tuMP, which offers an ARINC 653 API
       • Integrity Multivisor: a hypervisor that offers virtualization to help host a wide diversity of operating systems
     • SYSGO
       • PikeOS, a micro-kernel offering both an RTOS and a virtualization concept
     • Lynx Software Technologies
       • LynxOS-178, an RTOS offering a virtualization concept via a virtual machine
       • FAA-accepted Reusable Software Component (RSC)
     • DDC-I
       • DEOS, an RTOS certified up to Level A, supporting ARINC 653 Part 4
  29. Board Support Package/Driver Support
     Columns: Product | DO-254 | Processor | VxWorks 653 | VxWorks 6.6 Cert | Integrity 178B | PikeOS | Lynx178 | DEOS (which RTOS column each "Yes" marks is not recoverable from the slide text)
     • VPX3-150 | DAL C | P5020 | Yes
     • VPX3-718 | DAL C | E4690 | Yes
     • XMC-725 | DAL C | E8860 | Yes Yes Yes Yes
     • VPX3-716 | – | E8860 | Yes Yes Yes Yes
     • VPX3-1701 | – | LS1020A | Yes
     • DMV-186 | – | P4080 | Yes Yes
     • VPX6-187 | – | P4080 | Yes Yes
     • DMV-183 | – | 7447A | Yes Yes Yes
     • XMC-715 | – | E4690 | Yes Yes Yes Yes Yes
  30. DO-178 Software
     Outsource DO-178 software development
     • We contract development and resell w/ artifacts
     • Performed with PSAC and Accomplishment Summary
     • We also enable and support RTOS providers that customers can work with directly
     U-Boot source code may be provided under a source code license agreement to facilitate a DO-178 software implementation.
     • Not applicable to the VPX3-150: its boot loader is DO-178 DAL C certifiable
  31. DO-178C Artifacts for DAL C
     • Plan for Software Aspects of Certification (PSAC)
     • Quality Assurance Plan (QAP)
     • Software Configuration Management Plan (SCMP)
     • Configuration Management Records
     • Quality Assurance Records
     • Software Requirements Data (SRD)
     • Software Design Description (SDD)
     • Software Coding, Development, and Requirements Standards
     • Software Verification Results (SVR)
     • Trace Matrices
     • Data and Control Coupling Results and Analysis
     • Structural Coverage Results and Analysis Report
     • Software Accomplishment Summary (SAS)
  32. OpenGL® / UVD Driver
     • Certifiable up to and including DO-178C DAL A
     • OpenGL SC certifiable driver includes:
       • Conforms to Khronos™ OpenGL SC 1.x specification
       • Static memory management
       • Deterministic display lists
       • 100% structural coverage (statement, DC, MC/DC)
     • Available from Curtiss-Wright
     • Looking at OpenGL ES 2.0 (specification underway with Khronos)
     • Universal Video Decoder (UVD) driver is also certifiable
  33. VPX3-150 BSP Drivers
     CORE DRIVERS FOR OS
     • Board bring-up
     • Interrupt Controller
     • Timer
     • I2C
     • Board Management (Reset Control/GPIO/Watchdog/…)
     • eMMC (Flash storage)
     • UART (Debug)
     • 2 * Ethernet (Debug)
     DRIVERS ACCESSIBLE BY PARTITIONS
     • GPIOs are available via APEX sampling ports
     • Cert Network Stack (UDP/IP via Ethernet) is adopted via APEX queuing ports (SAP Ports – Service Access Points)
     • eMMC (Flash Storage) access via POSIX (open/close/read/write/…) and the HRFS file system
     • Board Management (Reset Control/GPIO/…) is accessible via APEX sampling ports
     • Flash is accessible via I/O driver
     • NVMEM is accessible via I/O driver
  34. System Ready Applications
     Pre-validated, pre-tested, best-of-breed solutions. Saves you
     • SferiAdvise™ Digital Mapping Solution: 150 and 718 with Airbus® DS' SferiAdvise®
     • ENSCO IData® HMI Solution: 131 and 715 with ENSCO Avionics' IData
  35. System Configuration Examples
  36. Safety Certifiable Digital Map/HTAWS (figure: VPX3-150 SBC, VPX3-718 Graphics Processor and VPX3-611 I/O module joined by two PCIe G1 x4 links; the I/O module provides MIL-STD-1553, ARINC-429, discretes, analog/audio)
  37. Safety Certifiable Single Slot SBC and I/O Solution (figure: XMC-TBD on the VPX3-611 I/O module, which provides MIL-STD-1553, ARINC-429, discretes, analog/audio)
  38. Thank You
     www.cwcdefense.com
     Gregory Sikkens, Senior Product Manager, Defense Solutions Division, Curtiss-Wright
     T: 613.599.9199 x5449 | M: 613.899.4963
     Greg.Sikkens@curtisswright.com
  39. VPX3-150 SBC (Safety Cert.)
     • Freescale QorIQ P5020 at 1.2 GHz
     • Memory
       • Up to 8 GB DDR3 memory with ECC
       • 256 MB NOR flash
       • 16 GB eMMC memory
       • 512 KB NVMEM
     • Communications and I/O
       • (1) 10/100/1000Base-TX (GbE) interface
       • (1) 10/100/1000Base-KX interface
       • (1) asynchronous EIA-232 serial port and (1) asynchronous EIA-422 serial port
       • (2) SATA, (1) CANbus
     • Fabric Interconnect Ports
       • (2) x4 lane PCIe Gen2
     • VxWorks 653 v2.5 AMP
       • Package from Wind River includes Ethernet stack and filesystem
     • VxWorks 6.9 SMP
     • DO-254/DO-178C Artifact Kits
     • Additional Features
       • Temp sensors, ETC, DIO
       • Pin compatible with 131, 133, and 1257
  40. VPX3-150 (product image)
  41. VPX3-718 OpenVPX Graphics Module (Safety Cert.)
     • AMD Radeon E4690 GPU w/ 512 MB GDDR3 SDRAM (300E/400M)
     • Universal Video Decoder (UVD) – single HD stream, H.264
     • Dual independent display heads out of:
       • (2) HD-SDI (SMPTE-292M)
       • (2) single link DVI or (1) dual link DVI
       • (2) analog: PAL, STANAG 3350 B/C, RGBHV
     • Dual independent video capture channels out of:
       • (2) HD-SDI (SMPTE-292M)
       • (2) analog: PAL, STANAG 3350 B/C
     • Fabric Interconnect Ports
       • (2) x4 lane PCIe Gen 2 (also configurable as (1) x8 lane)
     • Drivers
       • VxWorks 653 v2.5 AMP, VxWorks 6.9 SMP
       • OpenGL SC 1.0
     • DO-254/DO-178C Artifact Kits
     • Video Integrity Monitor (VIM)
  42. VPX3-718 (product image)
  43. XMC-725 Graphics XMC (Safety Cert.)
     • AMD Radeon E8860-based graphics XMC
     • 2 GB of GDDR5 dedicated graphics memory
     • x8 PCIe interface
     • Universal Video Decoder (UVD) – H.264
     • Video Compression Encoder (VCE) – H.264
     • Power management
     • 15 year supply
     • Safety Certifiable up to DO-178C Level A
     • DO-254 kit supporting up to DAL Level C
     • Two independent display heads selectable from:
       • Dual DVI outputs (24 bpp)
         • Dual single link DVI (162 MP/s)
         • Single dual link DVI (268.5 MP/s)
       • Dual LVDS outputs (18 or 24 bpp)
         • Either single- or dual-channel mode
         • From XGA (or below) up to QXGA
       • Dual DisplayPort outputs
       • Analog non-interlaced output
         • 10-bit DAC
         • Maximum pixel frequency of 400 MHz
  44. XMC-725 (product image)
  45. XMC-TBD Processor (Concept, Safety Cert.)
     • Freescale T2080 @ 1.5 GHz with AltiVec
     • Memory
       • Up to 16 GB DDR3 memory with ECC
       • 256 MB NOR flash
       • 16 GB eMMC memory
       • 512 KB NVMEM
     • Communications and I/O
       • (1) 10/100/1000Base-TX (GbE) interface
       • (1) asynchronous EIA-232 serial port and (1) asynchronous EIA-422 serial port
       • (2) SATA
     • DO-254 Artifact Kit
     • Additional Features
       • Temp sensors, DIO
       • Pin compatible with XMC-120
  46. XMC-TBD Concept (product image)
  47. VPX3-611 I/O Module (Concept, Safety Cert.)
     • FPGA-based I/O module with:
       • 2x MIL-STD-1553
       • 10x ARINC 429 Tx
       • 18x ARINC 429 Rx
       • 8x UART
       • 16x discretes
       • 2x analog inputs
       • 2x analog outputs (can be used for audio)
     • XMC mezzanine site
       • Support for processor mezzanines
       • 25 W mezzanine support
     • VxWorks 653 v2.5 AMP, VxWorks 6.9 SMP
     • DO-254/DO-178C Artifact Kits
     • Flexible Variants
       • Different FPGA IP load or blank
     • IO Mapper
       • Maximize I/O pin utilization
       • Interconnect I/O between FPGA and XMC
  48. VPX3-611 Concept (product image)
