DO-178C Level A Certifiable DDS
The Connectivity Platform for the Industrial Internet of Things™
Mission Critical and Safety Critical Software
Integration of UAS with Commercial Aviation
• Ensure safety of commercial aviation
• Ensure safe integration of UAS into the NAS
©2015 Real-Time Innovations, Inc. 2
Communication Co-operation and Control
UAS Segments
• Aircraft Segment
– Typically - Distinct Physical Boundary
• Control Segment
– One or more control segment, static or mobile
– E.g. separation between navigation and mission
• Communications Segment
– Possible multipath
– E.g. Line of sight, beyond line of sight
• Air Traffic Network
– Evolving (NextGen)
NAS Communication
[Diagram: the Aircraft, Other Aircraft and the NAS connected through the Communication Segment; links labelled ATC – Communications, Surveillance, and Surveillance and Navigation (ATC = Air Traffic Control)]
UAS/NAS Communication
[Diagram: the UAS Aircraft Segment, Control Segment, Other Aircraft and the NAS connected through the Communication Segment; links labelled ATC – Communications, Command and Control, Surveillance, Surveillance and Navigation, and Flight planning and Aeronautical information (ATC = Air Traffic Control)]
UAS integrated in NAS
[Diagram: Vehicle Operator, Payload Operator and Operations Controller in the Control Segment; ATC Traffic Controller; Payload and Onboard system on the aircraft; Cooperative and Un-Cooperative Targets seen by Surveillance; Safety and Security shown as cross-cutting concerns]
Role of Connectivity
[Diagram: connectivity linking Sensors, Fusion, Control, Displays, Recording, Actuators and Communications]
Traditional Approach to Distributed Avionics:
Bespoke Connectivity and Integration
• Apps/connectivity layer written directly to transport
• Tied to transport’s:
– Semantics, e.g.: 1:1, 1:many, reliable, unreliable…
– Proximity assumption, e.g.: same partition, same node
[Diagram: two Applications, each on its own OS & Transport, with the Connectivity layer written directly to the transport: Sockets, AFDX, shared memory, ARINC ports, message queues…]
• May not be a clean separation between app, connectivity and integration logic
Traditionally Handled by Custom Logic
• Addressing
• Discovery / presence / health
• Startup order dependencies
• Reliability over unreliable transports (e.g., multicast)
• Heterogeneous interoperability
• Reconnections
• Failover
• State synchronization
• Timing control and visibility
• Bridging across nets, xports
Costs Increase over Time
• Often use point-to-point integration
– Changing or adding components affects others
– Necessitates integration work, re-certification
– O(n²) complexity
• Requirements change, e.g., moving apps and changing xports
• Systems become more stovepipe, brittle and expensive to maintain over time
Connext DDS Cert
• Handles connectivity heavy lifting
• Replaces custom code, simplifies app and integration logic
• Based on Data Distribution Service (DDS) standard
[Diagram: two Applications on their Operating Systems, each using Connext DDS Cert through the DDS API over transports xport1 … xportn, connected by the DDS-RTPS Wire Interoperability Protocol]
DDS-RTPS Wire Interoperability Protocol:
• Interoperable across programming languages, operating systems, CPU families
• Interoperates with other Connext DDS products for mixed-criticality environments
• Reliable or best effort delivery, even over unreliable transports
Pluggable transport interface:
• Supports multiple concurrent
Standard semantics:
• Data-Centric Publish-Subscribe
• Transport independent
Publish/Subscribe for Loose Coupling
• Apps can be added and changed w/o changes to other deployed components
• Easy to test; RTI provides record and replay services
[Diagram: DDS Software Data Bus connecting a Control App, a Display App, Sensors and an Actuator through Commands and SensorData topics]
Data-Centric Publish/Subscribe
• Similar to using a database
• Apps publish and subscribe to data objects
• DDS maintains shared state for system robustness
– Applications maintain consistent view
– Late joining applications get current snapshot, desired history
– Not necessary to persist or reliably deliver all messages
Publish                                   Subscribe
Squawk  Long   Lat     Alt                Line  Flight  Dest  Arv
1234    37.4   -122.0  500.0              UA    567     SFO   7:32
7654    40.7   -74.0   250.0              AA    432     LAX   9:15

Squawk  Line  Flight
1234    UA    567
7654    AA    432
Facilitates Modular, Open Architectures
• Well-defined interfaces between components
– Standard data-centric publish-subscribe paradigm
– Well-defined data model using OMG IDL or XML
– Code generation from data model for type safety
– Standard network protocol and serialization
• DDS widely used for FACE, UCS, OMS, others
• RTI provides FACE Transport Services Segment (TSS) reference implementation
[Diagram: a DDS Application and a FACE Unit of Portability (UoP) on their Operating Systems, each using Connext DDS Cert over transports xport1 … xportn, connected by the DDS-RTPS Wire Interoperability Protocol; the UoP reaches DDS through the FACE TSS]
FACE TSS:
• FACE type-specific Transport Services (TS) API
• Generated from FACE Platform Data Model by RTI IDL compiler
Connext DDS Inherently Well-Suited to Safety-Critical Systems
• Non-stop availability
– Decentralized architecture
– No single point of failure
– Support for redundant networks
– Automatic failover between redundant publishers
– Dynamic upgrades
• No central server or services
• Version-independent interoperability protocol
• Control over real-time Quality of Service
• Visibility into missed deadlines and presence
• Proven in thousands of mission critical systems
Example: US Army Asset Tracking System
Legacy Capability:
• 500K lines of code
• 8 yrs to develop
• 21 servers
• Achieved: 20K tracked updates/sec, reliability and uptime challenges
With Connext DDS:
• 50K lines of code—order of magnitude less
• 1 yr to develop—8x less
• 1 laptop—20x less
• Achieved: 250K+ tracked updates/sec, no single point of failure
“This would not have been possible with any other known technology.”
—Network Ops Center Technical Lead
Connext DDS Cert:
Designed for DO-178C Level A
• Certifiable subset of DDS API and protocol
– Apps are portable to other DDS
– Interoperates P2P with other Connext DDS products
– Interoperates with other DDS via RTI Routing Service
• Compact, modular and portable
– ~21,000 Executable Lines Of Code (ELOC)
– ≤335 KB ROM/flash
– Bulk of certification evidence is reusable
– Well-defined transport and OS interfaces
DO-178C Certification Data Package
• Available now
• Produced by certification leader Verocel
• Supports Design Assurance Level (DAL) A
• Includes:
– DDS “C” API
– VxWorks Cert OS
– Transports: intra-process and UDP with multicast
– PowerPC CPU
• ~93% of code is transport, OS and CPU independent
– Minor delta cert for ports, DDS C++ API and FACE TSS
Certification of Connext DDS Cert
Relationships between Standards
[Diagram: process flow from the Intended Aircraft Function through Assess Safety (ARP 4761), Develop System (ARP 4754A), Develop Hardware (DO-254, Complex Electronic Hardware) and Develop Software (DO-178C); Allocated Functions and Requirements split into Requirements allocated to Software and Requirements allocated to Hardware, yielding Developed Software, Developed Hardware, the Functional System and the Developed System]
Implementation Centric View
[Diagram: implementation-centric flow: the Intended Aircraft Function and Allocated Aircraft Functions feed System Design (ARP 4754A) and Assess Safety (ARP 4761, Function Failure and Safety Information); Develop Hardware (DO-254, Complex Electronic Hardware) and Develop Software (DO-178C, Software Design) each produce an Implementation; Integrate System combines them into the Functional System]
SC-228 A-Interim (1, 2, and 3)
• A-Interim 1, Command and Control (C2) Data Link, MOPS for Verification and Validation
• A-Interim 2, MOPS for Air-to-Air Radar for Detect and Avoid Systems
– If the equipment implementation includes software, the guidelines contained in DO-178C should be considered.
• A-Interim 3, Detect and Avoid (DAA) MOPS for Verification and Validation
– If the equipment implementation includes software, the guidelines contained in DO-178C may apply at the appropriate software level
MOPS - Minimum Operational Performance Standards
They are large documents, but Interim only.
Many parameters and other data still to be evaluated and specified
Connext DDS Cert in a Safety Context
• System will have its own Certification Plan
• Applications have own Certification Plan
– Plan for Software Aspects of Certification (PSAC)
• Real Time OS
– PSAC – and Certification Data Package
• Connext DDS Cert
– Has its own PSAC, SAS etc.
– Certification Data Package
• Includes all documents and Lifecycle data
Certification Data Package (CDP)
830.5 Mb of Data
Connext DDS Cert Is Part of a System
• As a COTS product, there is no system to trace to
• Derived Requirements need special treatment
• Information to be presented to the System Safety Assessment process
• Verocel provides Software Vulnerability Analysis to support the Safety Assessment
Software Vulnerability Analysis (SVA)
• What and why?
• Connext DDS Cert certified on reference board
• Middleware is tested as a stand-alone system
– No system or application to reference
How to handle possible errors to be mitigated by the system?
SVA Examples (sample)
• Description of Vulnerability SVA.5
– Invalid IPv4 address is ignored and no error is reported
• Observable Behavior
– If an invalid address is specified in one of the enabled_transports QoS policies it is ignored
• Mitigation
– User needs to ensure the address is valid in the enabled_transports field of struct DDS_TransportQosPolicy
SVA Examples (sample)
• Description of Vulnerability SVA.3
– System does not check for rollover of the following counters
• … OSAPI Tick ...
• Observable Behavior
– A system running continuously … will experience a rollover of tick_sec …
• Mitigation
– System must not run continuously for more than 2147483648 seconds (about 68 years).
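Both SVA items above leave the mitigation to the integrating application. The following start-up gate is an added example (not RTI's or Verocel's code) that applies them before the middleware is configured; the 'transport://address' layout of enabled_transports entries, the sample configuration and the mission length are assumptions made for illustration.

```python
"""Start-up checks an integrating application can run to apply two of the
SVA mitigations shown above. Added illustration, not part of the Connext
DDS Cert CDP or RTI's code. Assumed for illustration: enabled_transports
entries look like 'transport://ipv4-address' (address optional), and the
planned continuous-operation figure is a made-up mission parameter."""
import ipaddress
from typing import List, Tuple

# SVA.3: OSAPI tick_sec rolls over after 2^31 seconds (about 68 years).
TICK_SEC_ROLLOVER_SEC = 2147483648


def split_transport_entry(entry: str) -> Tuple[str, str]:
    """Split an assumed 'transport://address' entry into its two parts."""
    transport, sep, address = entry.partition("://")
    if not sep or not transport:
        raise ValueError(f"malformed enabled_transports entry: {entry!r}")
    return transport, address


def invalid_transport_addresses(entries: List[str]) -> List[str]:
    """SVA.5 mitigation: the middleware silently drops an invalid IPv4
    address, so reject the configuration ourselves before it is applied.
    Returns the entries that would be ignored; an empty list means every
    address parsed as strict dotted-quad IPv4 (ipaddress rejects short
    forms such as '192.168.10' and out-of-range octets)."""
    rejected = []
    for entry in entries:
        try:
            _, address = split_transport_entry(entry)
            if address:
                ipaddress.IPv4Address(address)
        except ValueError:  # AddressValueError is a ValueError subclass
            rejected.append(entry)
    return rejected


def tick_rollover_margin_sec(planned_continuous_sec: int) -> int:
    """SVA.3 mitigation: seconds of margin before tick_sec rolls over for a
    system that runs continuously for planned_continuous_sec. A negative
    result means the planned run exceeds the limit and a restart must be
    scheduled inside the mission plan."""
    return TICK_SEC_ROLLOVER_SEC - planned_continuous_sec


def startup_config_ok(entries: List[str], planned_continuous_sec: int) -> bool:
    """Gate to run before the participant is created: both mitigations must
    hold, otherwise the application should refuse to start rather than run
    on a configuration the middleware would silently alter."""
    return (not invalid_transport_addresses(entries)
            and tick_rollover_margin_sec(planned_continuous_sec) > 0)


# Constructed sample configuration (not taken from the page).
SAMPLE_TRANSPORTS = [
    "_udp://192.168.10.5",    # valid
    "_udp://192.168.10",      # short form: would be silently ignored
    "_udp://300.1.1.1",       # octet out of range
    "shmem://",               # no address: nothing to validate
    "bogus",                  # no scheme separator at all
]
SAMPLE_PLANNED_SEC = 30 * 24 * 3600   # a 30-day continuous mission

if __name__ == "__main__":
    print("rejected:", invalid_transport_addresses(SAMPLE_TRANSPORTS))
    print("rollover margin (s):", tick_rollover_margin_sec(SAMPLE_PLANNED_SEC))
    print("start allowed:", startup_config_ok(SAMPLE_TRANSPORTS, SAMPLE_PLANNED_SEC))
```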
Requirement Centric Hyperlinking
Traceability and Impact Analysis Performed with VeroTrace (Verocel’s Qualified tool)
Impact Analysis managed by qualified Traceability tool
Stack Analysis
• Worst Case stack size calculated for every API function
• Object code is analyzed
• All paths checked, and worst case size provided when possible
– Not possible if RTOS functions called
– Not possible when user callbacks present
• Calculator provided
– Users can provide RTOS sizes and Callbacks
Calculator will show true Worst Case Sizes for the user in their Analysis
Example for the Maximum Stack Depth Calculator
DDS_DataReader_read = MAX (
    1056,
    864 + MSD(semTake),
    624 + MSD(strcmp),
    656 + MSD(memcpy),
    992 + MSD(semGive),
    656 + MSD(LISTENERS_DATAREADER_on_sample_lost),
    720 + MSD(LISTENERS_SUBSCRIBER_on_sample_lost),
    784 + MSD(LISTENERS_PARTICIPANT_on_sample_lost),
    224 + MSD(TYPE_PLUGIN_copy_sample),
    352 + MSD(strlen),
    448 + MSD(bcopy),
    496 + MSD(memalign),
    528 + MSD(bfill)
)
MSD = Maximum Stack Depth
Annotated on the slide: semTake, strcmp, memcpy, semGive and strlen, bcopy, memalign, bfill are RTOS functions; the LISTENERS_*_on_sample_lost routines are user-provided callback routines
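The MAX(...) calculation above, worked as an added example (not Verocel's vstkCalculator and not RTI code): the path table is transcribed from the slide, while the RTOS and callback MSD figures and the assignment of TYPE_PLUGIN_copy_sample to the user-supplied side are constructed assumptions. It goes a step beyond the slide by reporting which external routines still lack a figure, and who owes it, instead of silently dropping those paths.

```python
"""Worst-case stack depth for DDS_DataReader_read, following the MAX(...)
expression on the slide above. Added illustration, not Verocel's
vstkCalculator: the per-path byte counts and callee names are transcribed
from the slide; the RTOS and callback MSD figures below are constructed."""
from typing import Dict, List, NamedTuple, Optional, Tuple

# Each path: stack bytes used by the certified DDS object code on that path,
# plus the external routine whose Maximum Stack Depth (MSD) must be added.
# None means the path ends inside the certified code, so its cost is final.
DDS_DATAREADER_READ: List[Tuple[int, Optional[str]]] = [
    (1056, None),
    (864, "semTake"),
    (624, "strcmp"),
    (656, "memcpy"),
    (992, "semGive"),
    (656, "LISTENERS_DATAREADER_on_sample_lost"),
    (720, "LISTENERS_SUBSCRIBER_on_sample_lost"),
    (784, "LISTENERS_PARTICIPANT_on_sample_lost"),
    (224, "TYPE_PLUGIN_copy_sample"),
    (352, "strlen"),
    (448, "bcopy"),
    (496, "memalign"),
    (528, "bfill"),
]

# Who must supply each external MSD (the slide's two annotations). Putting
# TYPE_PLUGIN_copy_sample on the user side is an assumption: the type plugin
# is generated from the user's own data model, not part of the RTOS.
RTOS_FUNCTIONS = {"semTake", "semGive", "strcmp", "memcpy",
                  "strlen", "bcopy", "memalign", "bfill"}
USER_CALLBACKS = {"LISTENERS_DATAREADER_on_sample_lost",
                  "LISTENERS_SUBSCRIBER_on_sample_lost",
                  "LISTENERS_PARTICIPANT_on_sample_lost",
                  "TYPE_PLUGIN_copy_sample"}


class MsdResult(NamedTuple):
    complete: bool             # every external MSD was supplied
    lower_bound: int           # largest resolved path; the true MSD if complete
    worst_path: Optional[str]  # callee on the winning path (None: pure DDS path)
    unresolved: List[str]      # external routines still lacking an MSD


def max_stack_depth(paths: List[Tuple[int, Optional[str]]],
                    msd: Dict[str, int]) -> MsdResult:
    """Evaluate MAX(base_i + MSD(callee_i)) over the call paths. A path whose
    callee has no known MSD cannot be bounded, so it is reported instead of
    silently dropped: an unmeasured callback may be the real worst case."""
    best, best_callee, unresolved = -1, None, []
    for base, callee in paths:
        if callee is None:
            total = base
        elif callee in msd:
            total = base + msd[callee]
        else:
            unresolved.append(callee)
            continue
        if total > best:
            best, best_callee = total, callee
    return MsdResult(not unresolved, best, best_callee, unresolved)


def missing_by_owner(unresolved: List[str]) -> Dict[str, List[str]]:
    """Split the unresolved callees by who has to measure them: the RTOS
    vendor's figures versus the integrator's own callback routines."""
    return {
        "rtos": [c for c in unresolved if c in RTOS_FUNCTIONS],
        "user": [c for c in unresolved if c in USER_CALLBACKS],
    }


# Constructed figures for a hypothetical target; replace with measured MSDs.
RTOS_MSD_EXAMPLE = {"semTake": 256, "semGive": 256, "strcmp": 64, "memcpy": 96,
                    "strlen": 48, "bcopy": 96, "memalign": 128, "bfill": 64}
CALLBACK_MSD_EXAMPLE = {"LISTENERS_DATAREADER_on_sample_lost": 512,
                        "LISTENERS_SUBSCRIBER_on_sample_lost": 512,
                        "LISTENERS_PARTICIPANT_on_sample_lost": 512,
                        "TYPE_PLUGIN_copy_sample": 160}

if __name__ == "__main__":
    partial = max_stack_depth(DDS_DATAREADER_READ, RTOS_MSD_EXAMPLE)
    print("RTOS figures only:", partial, missing_by_owner(partial.unresolved))
    full = max_stack_depth(DDS_DATAREADER_READ,
                           {**RTOS_MSD_EXAMPLE, **CALLBACK_MSD_EXAMPLE})
    print("with callbacks:", full)  # worst case 1296 via the participant listener
```

Note that with the constructed figures the worst case is not the largest pure-DDS path (1056) nor the semGive path (1248) but the participant listener path, which only becomes visible once the user's callback MSD is supplied.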
Structural Coverage Analysis
• At Machine code level
• Without instrumentation
• Using Requirements based test only
Structural Coverage Analysis Summary Report
TEST COVERAGE RATE: 99.91%
VEROCODE COVERAGE SUMMARY
Coverage   Lines   Rate
Complete   84573   99.88%
Partial       56    0.07%
Missing       44    0.05%
Total      84673
Build and Test Support for User
Build and Test Support
  Build Support
    Build Headers and Makefiles
    Build Scripts
    Certified Source Files
    CRC Log File -- librti_me_certz_a.txt
  Certification Data Package Support Scripts
    CDPFetchItems.bat -- CDPFetchItems.bat
    CDPItems.csv -- CDPItems.csv
    installCDPItems.bat -- installCDPItems.bat
    installCDPRTIItems.bat -- installCDPRTIItems.bat
Allow a user to rebuild the executable image and check that it is the same
Test Results – all hyperlinked
Control Coupling
  Control Coupling Results
    Control Coupling Summary -- vxworks.xml
    Control Coupling Summary - Annotated -- vxworks_annotated.xml
    Control Coupling Summary Stylesheet -- VerOLink.xsl
Coverage
  Coverage Analysis -- TR_Summary_Report.xml
  Coverage Analysis StyleSheet -- TR_Summary_Report.xsl
  Coverage Result Stylesheet -- FR_display.xsl
  Coverage Summary -- CovSummary.html
Functional
  Functional Test Result Checklist -- FTR_ConMicro_Checklist_20150824.doc
  Functional Test Result Stylesheet -- FR_display.xsl
  Test Run Summary -- TR_Summary_Report.xml
  Test Run Summary Stylesheet -- TR_Summary_Report.xsl
Test Support
Test Support
  Application Header Files
  BSP Build Files
  Build Binaries
  Test Harness Files
  Test Scripts
  Test_Utilities
    Dedicated
    General
  Tools
    CRC Tool -- VerCRC32.exe
    VerOStack Calculator Tool -- vstkCalculator.exe
Allows a user to repeat the testing performed from the CDP
Checks the integrity of the binary image
Test Results on CDP
Test Result Summaries
Control Coupling
Coverage
Functional
Stack Analysis
Certification is Expensive
• Processes must be defined and followed
• Objectives must be met, and Activities completed
• All must be documented
• Code must be clean
– Traceable
– Testable
– No dead code
– Deterministic in time and memory
• Code must be written for certifiability
• Software must be recertified when changed
Reducing Certification Costs
• Minimize code that has to be certified
– Replace custom code with COTS code that already
has certification evidence
– Reduce and simplify application logic
• Decouple software modules and subsystems
– Isolate changes
– Minimize recertification effort as systems evolve
Customer Example: SRC
“SRC, Inc. is designing, integrating and testing a DO-178C Level B system of systems across VxWorks, Linux and QNX using RTI's DO-178C Level A Connext DDS Cert and Connext DDS products. Each system installation contains up to 32 subsystems that all communicate via DDS in real time. A portion of the subsystems are co-located with the rest located miles away. We are successfully using RTI DDS for our inter-process and inter-subsystem communications, recording, and in our DO-178C automated test environment that runs on Windows. Having RTI's Connext DDS Cert product available allows us to move forward with our certification efforts with system deployment scheduled in 2016!”
Connext DDS Cert Can Save $MM
• Replaces 10,000s lines of application code
• Simplifies remaining application logic
• Eases integration via well-defined interfaces
– Including safety-critical and non-critical components
• Minimizes changes and re-certification as systems evolve
– Apps decoupled from underlying port, proximity
– Apps isolated from changes in others
• Provides off-the-shelf certification evidence
• Proven DO-178C certifiability
rti.com/downloads
Start using DDS Today!
Download the FREE complete RTI Connext DDS Pro package for Windows and Linux:
• Leading implementation of DDS
• C, C++, C#/.NET and Java APIs
• Tools to monitor, debug, test, visualize and prototype distributed applications and systems
• Adapters to integrate with existing applications and IT systems

Slash Avionics Integration Costs with DO-178C Certifiable Connectivity Software
