Certification Issues


Safety Critical Solutions: DO-178B
Joe Colloca, Aonix
We’ll Cover …
• Review: Ada’s role in Safety Critical Systems
• Aonix Raven Solution Architecture
• Safety-Critical Systems
• Aonix / Ada Safety Critical Projects
Ada in Safety Critical Systems
• Ada is preferred, but not required
• Global use
– Aviation
– Rail
– Energy
• Existing standards are supported with certifiable runtime systems (RTS):
– DO-178B (RTCA, avionics)
– SIL 4 (Safety Integrity Level 4)
– RIA 23 (UK rail)
ObjectAda Raven
Safety Critical
Software Development Environment
Product Structure / Approach / Benefits
• Evolvable, “Base +” packaging
– Supports gradual buy-in
– Doesn’t require “all-at-once” commitment
• Platforms, environments and communications for embedded development and testing
• Cover the breadth of lifecycle/process
• Value / price competitive
• Familiar Environments; Ease-of-use; Standards
Product Line Organization (diagram)
• Host environments: Windows XP / 2003 / NT; UNIX / Linux / CDE; Eclipse
• Targets: native (Intel), PPC, ERC32, 68K
• Tiers: Core Solution Package; Enterprise Scalability; Out-of-Box Certification
ObjectAda IDE
SCCI Support (source code control interface; commands available from the IDE):
List Files, Comment, Get Latest, Check In, Add to CM, Show History, CM Properties, Keep Checked Out, Select / Unselect All, Check Out, Undo Check Out, Remove from CM, Show Differences, Invoke External CM
ObjectAda Raven
Certified / Certifiable
Compiler & RTS
Safety Systems - Legal (diagram)
• Inputs to the PROCESS: Laws, Regulations, Standards, Guidelines
• What shapes the process: Case Law, Precedent, Interpretations, Standards, Guidelines
• Outputs of the process: Visibility and Traceability, producing the EVIDENCE / RECORD, which is what yields Confidence / Safety
Runtime Certifiability: DO-178B Level A
• Full mapping from requirements through to test results
• 100% source-level coverage
• 100% machine-level coverage (measured on the object code)
• Full MC/DC (modified condition/decision coverage)
• A runtime can be certified, but:
– It is termed "certifiable": only the system as a whole is certified, never a component sold on its own
– The vendor must deliver the certification evidence record with the runtime so that it can be folded into the system's own certification package
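The Level A coverage requirement that most often surprises teams is MC/DC. The following is an added illustration, not code from the Aonix deck or its products: a hypothetical three-condition decision with the minimal set of test vectors that gives it MC/DC, and the independence pair that each condition needs. The procedure name, the condition names A, B and C, and the decision itself are assumptions.

```ada
--  Added example (not from the Aonix deck): the smallest MC/DC test set for a
--  three-condition decision, the coverage DO-178B requires at Level A.
--  The decision and the condition names are hypothetical.

with Ada.Text_IO; use Ada.Text_IO;

procedure MCDC_Example is

   --  Exhaustive testing of three conditions needs 2**3 = 8 vectors; MC/DC
   --  needs only N + 1 = 4, chosen so that each condition is shown to
   --  independently change the decision's outcome.
   function Decision (A, B, C : Boolean) return Boolean is
   begin
      return A and then (B or else C);
   end Decision;

   type Vector is record
      A, B, C  : Boolean;
      Expected : Boolean;
   end record;

   --  Independence pairs (hold the other conditions, flip one, outcome flips):
   --    A : vectors 1 and 2  (B = True,  C = False)
   --    B : vectors 1 and 3  (A = True,  C = False)
   --    C : vectors 3 and 4  (A = True,  B = False)
   Vectors : constant array (1 .. 4) of Vector :=
     (1 => (A => True,  B => True,  C => False, Expected => True),
      2 => (A => False, B => True,  C => False, Expected => False),
      3 => (A => True,  B => False, C => False, Expected => False),
      4 => (A => True,  B => False, C => True,  Expected => True));

   Failures : Natural := 0;

begin
   for I in Vectors'Range loop
      declare
         V      : Vector renames Vectors (I);
         Actual : constant Boolean := Decision (V.A, V.B, V.C);
      begin
         if Actual /= V.Expected then
            Failures := Failures + 1;
         end if;
         Put_Line ("Vector" & Integer'Image (I) & ": " &
                   Boolean'Image (V.A) & " " & Boolean'Image (V.B) & " " &
                   Boolean'Image (V.C) & " => " & Boolean'Image (Actual));
      end;
   end loop;
   Put_Line ("Failures:" & Natural'Image (Failures));
end MCDC_Example;
```

Four vectors instead of eight: each condition is flipped once while the others are held so that the decision's outcome changes. Because `and then` and `or else` are short-circuit operators, a compiler typically emits one branch per condition, which is why a machine-level tool such as AdaCover can confirm on the object code the same coverage that the source-level tool reports.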
170 Pounds of Certification Evidence …
Hercules - C-130J and C-27
Subsystems:
• Flight Management Unit (FMU)
• Ground Collision Avoidance System
• Back-up FMU
Certification Experience – C-130J Avionics
• Over 3000 signatures were required on the certification material for one RTS certification; the RTS itself is only about 6000 lines of code
• Reviews: requirements, design, code
• Functional testing
• Coverage testing
• A large amount of test data to be analyzed
HELP!
Ravenscar Profile
• Industry-wide safety-critical standard
• Ada 95 subset (a fixed set of tasking restrictions)
– Deterministic
– Certifiable
• Tasking allowed
– Rendezvous disallowed (no task entries, no select statements)
– Use protected objects for communication
• No dynamic memory allocation (the profile itself forbids implicit heap use; certifiable runtimes typically forbid allocators entirely)
Ravenscar Profile Support
• The compiler flags Ravenscar Profile violations at compile time
• Targets:
– PowerPC (new support: bounded tasking model)
– 32-bit Intel (new support: segregated loads)
– ERC32
– 68K
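To make the profile rules on the two slides above concrete, here is an added example (not Aonix code and not from the deck) of a Ravenscar-compliant producer/consumer: a periodic task hands readings to a second task through a protected object with one entry and a boolean barrier, the replacement for rendezvous the slides refer to. The package and task names, priorities and 20 ms period are assumptions; `pragma Profile (Ravenscar)` is the Ada 2005 spelling, with Ada 95 toolchains of the time using a vendor pragma for the same restriction set. The comment near the end lists constructs a Ravenscar-aware compiler rejects at compile time.

```ada
--  Added example (not Aonix code): a Ravenscar-compliant producer/consumer.
--  Names (Sensor_Monitor, Sampler, Reporter) and the 20 ms period are
--  hypothetical.
pragma Profile (Ravenscar);
--  The profile only forbids implicit heap use; No_Allocators enforces the
--  "no dynamic memory allocation" rule the deck states.
pragma Restrictions (No_Allocators);

with Ada.Real_Time; use Ada.Real_Time;

package Sensor_Monitor is

   --  A protected object replaces rendezvous: a caller waits only on the
   --  boolean barrier, never on another task, so blocking time is bounded.
   --  Ravenscar allows at most one entry and a simple barrier per object.
   protected Latest_Reading is
      pragma Priority (10);            -- ceiling, >= every caller's priority
      procedure Put (Value : Integer);
      entry Take (Value : out Integer);
   private
      Current : Integer := 0;
      Fresh   : Boolean := False;
   end Latest_Reading;

   --  Ravenscar tasks: library level, no entries, fixed priority, never end.
   task Sampler is
      pragma Priority (8);
   end Sampler;

   task Reporter is
      pragma Priority (5);
   end Reporter;

end Sensor_Monitor;

with Ada.Text_IO;

package body Sensor_Monitor is

   protected body Latest_Reading is
      procedure Put (Value : Integer) is
      begin
         Current := Value;
         Fresh   := True;
      end Put;

      entry Take (Value : out Integer) when Fresh is
      begin
         Value := Current;
         Fresh := False;
      end Take;
   end Latest_Reading;

   Period : constant Time_Span := Milliseconds (20);

   task body Sampler is
      Next    : Time    := Clock;
      Reading : Integer := 0;
   begin
      loop
         Reading := (Reading + 1) mod 1_000;  -- stands in for a sensor read
         Latest_Reading.Put (Reading);
         Next := Next + Period;
         delay until Next;   -- absolute delay only; "delay 0.02;" is rejected
      end loop;
   end Sampler;

   task body Reporter is
      Value : Integer;
   begin
      loop
         Latest_Reading.Take (Value);   -- blocks on the barrier until Fresh
         Ada.Text_IO.Put_Line (Integer'Image (Value));  -- desktop demo only
      end loop;
   end Reporter;

   --  Rejected at compile time under the profile:
   --    task Server is entry Request; end Server;  -- rendezvous
   --    select ... or delay 1.0; end select;       -- select, relative delay
   --    P := new Integer'(0);                      -- allocator

end Sensor_Monitor;

with Sensor_Monitor;
procedure Main is
begin
   null;   -- library-level tasks keep running after Main returns
end Main;
```

Build with a Ravenscar-capable compiler, splitting the file into its compilation units (for example with gnatchop) or moving the two configuration pragmas into gnat.adc. The Text_IO call is only there so the desktop build shows output; a certifiable RTS commonly provides no Text_IO and no heap at all, which is exactly what makes its worst-case timing and memory use analysable.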
Ravenscar Profile Support
• VectorCast
– Source-level coverage and test harness
– Integrated code coverage
– Repeatable testing
– Compiler integration
– Embedded target-based testing
• AdaCover
– Full target-based machine-level coverage testing
• Out-of-box Level A certification packages
Certification Record on Digital Media
Raven Example Packaging
• Core Pack
– Basic development environment
• Project Pack
– Advanced language-sensitive tools for source consistency and style-guideline conformance across larger groups
• Test Pack
– Provides coverage for the higher levels of quality verification needed in mission- and safety-critical development
• Safety Critical Pack
– Comprehensive standards-based testing and documentation through Level A
• Design Pack
– Implements best practices for designing and producing safer, more reliable software applications and reusable components
Where is Ada in Safety Critical?
• Lockheed Martin - C130J and C27
• Boeing 777
• Boeing 737
• Westinghouse Electric - Nuclear Shutdown
• Westinghouse Brake and Signals
– London Underground - Jubilee Line extension
– Automatic Brakes and Signaling
Boeing 777 (subsystem: supplier)
• GPS: CMC (Canadian Marconi)
• Axle Steering: Parker/Abex-NWL
• Power Management: Sundstrand
• Brakes: Crane/Hydro-Air
London Underground – Jubilee Line
• Software role
– Manage train separation: run trains faster and closer together
– Inter-train communication
– Central control center
• Architecture and safety standard
– M68030 controllers
– Software Integrity Level 4 (SIL 4)
– RIA 23 required
• A mapping document was produced between the RIA 23 requirements and the Aonix (DO-178B) certification materials, so the DO-178B evidence could be reused for the rail approval
Aonix Program Success
• ITT Avionics: Integrated RF Countermeasures
• Honeywell: H-764G Embedded GPS
• Thales Avionics: Global Positioning System
• Lockheed Martin: Missile and Guidance System Upgrades
• Thales Avionics: Flight control data concentrator, AIRBUS A330-A340
• Thomson CSF: Braking and steering control, AIRBUS A330-A340
• Navia: Air Traffic Control (ATC) ground-based instrument landing system
• Eurocontrol: ATC Germany, England, France, Belgium
• Eurocontrol: Flight Management System
• Thales Air Defence: ATC
• Wilcox Electric: Avionics radar system
• Chandler Evans: Engine control system
• Lockheed Martin: Flight Management, Lockheed C-130J
• Aerosystems International: Ground Collision Avoidance System
• Lockheed Sanders: Avionics Displays, Lockheed C-130J
• Canadian Marconi: GPS, Boeing 777
• Parker/Abex-NWL: Axle Steering System, Boeing 777
• Sundstrand: Power Management System, Boeing 777
• Crane/Hydro-Air: Braking System, Boeing 777
Aonix Program Success
• Alstom Transport: Radio Bloc Center system, Rail Traffic Management
• GEC Alsthom: Subway network control systems, Paris, Calcutta and Cairo
• GEC Alsthom: Signal control system, TGV North Lines / Channel Tunnel
• CSEE Transports: TGV Brake system / TVM 430 project
• Westinghouse: Brake and Signals system, London Underground Jubilee Line
• Swisslog Software: Supply Chain Management System
• XATA: Telematics application framework
• Kordoba: Enterprise Data Model
• NORTEL Networks: Optical Switch Platform
• Siemens: Network Management System
• Astrium: Automated Transfer Vehicle
• Alcatel SEL: Satellite positioning system
• Aerospatiale: Ariane V launcher
• Matra Marconi Space: Ariane V launcher
• CNES: Galileo Mars probe, switching and telemeasuring systems
• CNES: Satellite imaging system
• Astrium GmbH: International Space Station, Columbus project
• NASA / Boeing: International Space Station, Flight Control Systems
• Matra Marconi Space: Atmospheric Pressure Module, data / network management
Coming Soon
Multi-language Time & Memory partitioned kernel
Summary
• Ada is a good technical choice for high-integrity systems
• The Aonix solution architecture delivers business value throughout the development cycle
• Certification out of the box
• Evolving Aonix solutions are a good technical and business choice
www.aonix.com