Certifiable Software for the ATN

Certifiable Software for the ATN
Making ATN a reality…now…
Presented by Forrest Colliver
ACI General Manager
26-27 September 2000, ATN2000 (London)
The Nature of Portable Communications Software
- What is portable software?
- Software quality and the ATN…
- How is portable ATN software developed?
  - Methodologies
  - Quality Standards
- How is portable software used? By whom?
- ACI’s Portable & Certifiable ATN Software
What is “portable software”?
Types of Software
- Ready-to-run binary end-user software
  - Examples: personal computer software, game software, etc.
  - For consumption by individual or organizational end-users
  - Plug and play operation
- Portable binary library or source code software
  - Examples: linkable object modules (databases, interfaces, etc.) or source code (protocols, drivers, or other code requiring adaptation to platforms & operating systems)
  - For consumption by manufacturers or sophisticated end-users having in-house information technology support
  - Usable after integration in & customization for target platform
Although used in different contexts, both may be called “commercial off-the-shelf” (COTS) software.
What is “portable software”?
Why use Portable Software?
- Manufacturer’s perspective
  - Non-recurring cost reduction: no need for redevelopment of commercially available code; no opportunity cost where internal resources could be better applied to other projects
  - Lifecycle cost reduction: portable modules warranted and maintained by software vendor
  - Risk reduction:
    - Pre-tested software modules are ready to integrate
    - Portable software can be supplied with certification artifacts
    - Facilitates earlier delivery of manufacturers’ products to market
- End-user’s perspective
  - Reduced end-user pricing; more competitive products
  - Improved confidence: “Intel-inside” effect
The factors above contribute to what should essentially be a “make/buy” decision by the manufacturer.
Software Quality & the ATN
The architecture can offer…
The ATN architecture was created to support both safety-critical ATS and AOC applications:
- Controller/pilot communications (ATS), e.g. clearances
- Controller/controller communications (ATS), e.g. handoff
- Airline dispatch/pilot communications (AOC), e.g. re-routing
How?
- Integrity assurance via protocol design
  - “what is received is what was sent”
- Enhanced availability via routing architecture
  - “information transferred end-to-end in a timely manner”
  - Remember: the key role of the ATN is to manage mission-critical communication resources & message traffic
Software Quality & the ATN
…but software must deliver
- Accordingly, mission-critical application of ATN protocols demands software design & quality assurance consistent with “Essential” systems
  - Rationale: undetected integrity/availability failures may contribute to operational errors and/or lead to unacceptable dispatch/controller/pilot work-load
- RTCA DO-178B provides software development guidelines for Level C, to meet “Essential” systems requirements
- ACI’s approach to the problem…
  - To ensure ATN software mission-readiness, all ACI RRI/ASE software conforms to DO-178B Level C guidelines
How is ACI’s software developed ?
Production Methodology
- DO-178B Level C
  - Constitutes the norm for “essential” avionics systems
  - ACI offers full development & documentation compliance
    - includes configuration management & quality assurance aspects
  - Maximizes certification credit by optimizing certification effort during the portation process, using supplied certification artifacts
- MIL-STD-498
  - FAA and other US government users specify MIL-STD-498 development methodology & lifecycle compliance for mission-critical software & systems
  - Applied on both code development & documentation aspects
  - Complementary to DO-178B Level C
How is ACI’s software developed ?
Lifecycle Functional View
[Figure: lifecycle diagram. Phases shown: Functional Requirements Validation; System/Software Requirements; Software Design; Code Generation, Unit Test & Integration; Formal Test Execution.]
How is ACI’s software developed ?
Traceability of Requirements
[Figure: traceability diagram. Specifications: ICAO PICS/SARPs; FRS (performance requirements, non-functional requirements); S/SRS; SDD; CODE. Testable requirements traced to VTC and VTP.]
How is ACI’s software developed ?
Testing/Verification (1/2)
Software verification testing consists of two key components:
- Requirements-based testing (RBT)
  - Software is tested against each requirement to ensure that it does what it is supposed to do and doesn’t perform any unintended functionality
- Structural coverage analysis (SCA)
  - Identifies code structures (at the instruction level for DO-178B Level C) that are not exercised by the RBT
  - Ensures that every software instruction is required; i.e. has been invoked at least once
How is ACI’s software developed ?
Testing/Verification (2/2)
- Requirements at the lowest level (SDD) completely cover higher level requirements
  - Requirements inspection process assures coverage
- Computer Software Unit (CSU) tests ensure SDD requirement conformance
  - Inspection process assures that tests fully cover requirements
  - Test cases identify WHAT is to be tested
  - Test procedures identify HOW the test will be performed
- CSU tests cover both normal operations and evaluation of robustness under limit conditions
  - Check validity of external data prior to CSU importation
  - Checks for validity of CSU arithmetic operations
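As an added illustration (not code from the presentation or from ACI’s products), the C unit below shows RBT and SCA working together on one small CSU: the requirements-based tests exercise the external-data check at its limits, and statement hit counters reveal that the arithmetic-validity branch stays unexercised until a robustness case at the numeric limit is added. The requirement ids R1/R2, the 1..1024 range and all function names are assumptions made for the example.

```c
/* Added example, not ACI's code: a small Computer Software Unit (CSU) with
 * statement-level hit counters, showing how requirements-based testing (RBT)
 * and structural coverage analysis (SCA) complement each other.
 * Requirement ids R1/R2 and the 1..1024 limit are assumed for illustration. */
#include <stdint.h>
#define N_STMT 4
static unsigned stmt_hits[N_STMT];      /* one counter per statement block */
#define HIT(i) (stmt_hits[(i)]++)

/* R1 (assumed): an externally received length field is valid only in 1..1024.
 * R2 (assumed): the running total must never wrap around (32-bit overflow). */
int csu_add_length(uint32_t *total, uint32_t len)
{
    HIT(0);
    if (len == 0 || len > 1024) {       /* validate external data first (R1) */
        HIT(1);
        return -1;
    }
    if (*total > UINT32_MAX - len) {    /* arithmetic validity check (R2) */
        HIT(2);
        return -2;
    }
    HIT(3);
    *total += len;
    return 0;
}

/* SCA step: statement blocks not exercised by the tests run so far */
unsigned uncovered_statements(void)
{
    unsigned n = 0;
    for (int i = 0; i < N_STMT; i++) if (stmt_hits[i] == 0) n++;
    return n;
}

/* RBT for R1: nominal and limit inputs; returns 1 when every expected result holds */
int run_rbt_r1(void)
{
    uint32_t total = 0;
    return csu_add_length(&total, 0) == -1 && csu_add_length(&total, 1025) == -1
        && csu_add_length(&total, 1) == 0 && csu_add_length(&total, 1024) == 0
        && total == 1025;
}

/* Robustness case for R2 at the limit: total already within 10 of UINT32_MAX */
int run_rbt_r2(void)
{
    uint32_t total = UINT32_MAX - 10;
    return csu_add_length(&total, 11) == -2 && total == UINT32_MAX - 10
        && csu_add_length(&total, 10) == 0 && total == UINT32_MAX;
}
```

After run_rbt_r1 alone, uncovered_statements() reports one unexercised block (the R2 branch); after run_rbt_r2 it reports zero, which is the gap SCA is there to find.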
Certifiable ATN Software
Portable Building Blocks
Four RRI Component Builds
- Airborne Boundary Intermediate System (ABIS)
- Ground Boundary Intermediate System (GBIS)
- Airborne End System (AES)
- Ground End System (GES)
Four Application Service Element (ASE) Modules
- Context Management (CM)
- Automatic Dependent Surveillance (ADS)
- Controller/Pilot Data Link Communication (CPDLC)
- Flight Information Service (FIS)
Certifiable ATN Software
System Architecture
[Figure: System Architecture diagram. Recoverable labels: Airborne End System (AES) and Airborne Boundary Intermediate System (ABIS) on the Mobile Network; Air/Ground Boundary Intermediate System and Ground/Ground Boundary Intermediate System (GBIS) on the Ground Network; Ground End System (GES). Each node is drawn as a protocol stack of Upper Layers, Transport Layer, Network Layer, Data Link Layer and Physical Layer; the intermediate systems carry SARPs router class labels (Class-6, marked mobile; Class-5; Class-4).]
Certifiable ATN Software
Statistics
- Each RRI build comprises between 60000 and 90000 source lines of DO-178B Level C code
  - AES/GES: 63000/75000
  - ABIS/GBIS: 87000/87000
- The four ASEs together comprise between 60000 and 80000 source lines of code
  - Airborne ASEs: order of 15000 each
  - Ground ASEs: order of 20000 each
- Approximately 5000 tested requirements overall
Certifiable ATN Software
Component Architecture
[Figure: Component Architecture diagram. Labels: Platform; Custom; ATN Portable Product Package Components (shaded); Local Manager; OS; System Clock; Core PSE; SEI; Subnet Drivers; System Environment Exchange; User PSE; ASEs; User Processes; NMA; HMI; User Applications; ATN Applications; Router Stack.]
Certifiable ATN Software
[Figure: component architecture diagram, second view. Recoverable labels: ASEs; Host Operating System; System Environment Interface; Core PSE; User PSE; NMA/HMI; Data Link Drivers; Custom Drivers; System Interfaces. Note 1: System Interfaces: System Inter-task Communications, a) Memory Management, b) Timer Management.]
Certifiable ATN Software
Product Composition
- Source software modules
- Documentation
  - User’s Guide
  - Porting Guide
  - Functional Requirement Specification (FRS)
  - External Interface Control Document (EICD)
  - Software Quality Assurance Plan (SQAP)
- Validation test scripts & sequences
  - System level
  - CSCI level
- DO-178B Level C certification artifacts
- Products pre-ported for UNIX/Streams environment
Certifiable ATN Software
Product Support & Evolution
- RRI & ASE products are under a configuration & change management process
  - Operated by ATNSI & ACI as an open process; ATN stakeholder interests and participation incorporated
  - Designed to allow incorporation of general problem reports (PRs) as well as ICAO PDRs, plus agreed product improvements, while respecting interoperability
- Product Support
  - Through end of warranty period (mid 2002): RRI/ASE support assured by ACI under CCB process
  - Following warranty: long-term RRI/ASE support committed by ACI member companies
  - To date: maintenance releases made at regular intervals, following initial RRI/ASE product deliveries in February 2000
Certifiable ATN Software
Certification Credit
- Controversial subject
  - Definitive approach awaits decisions by authorities
- What is known:
  - Structural Coverage Analysis credit likely based on FAA analysis
  - Requirement Based Test procedures and results comprise part of the product package; can be rerun as required by certification authorities
  - Validation Test procedures and results comprise part of the product package; can be rerun as required by the customer for acceptance testing
  - Conformance Test Suite (CTS) role; view of certification authorities not yet definitive
- In any case, ACI software is designed to streamline, risk-reduce, & cost-reduce the certification process
Result: fit for purpose portable ATN software…
- Product quality meets safety requirements, meets specifications, and reduces lifecycle costs
  - Formalized nature of the DO-178B Level C development process leads to high overall product quality
  - Process facilitates change management & lifecycle support
  - Production of required artifacts demonstrates compliance and supports users of software products
  - Full traceability of functions to design, to code, and to test
- Full functional test coverage
  - Verifies that all functions have been tested
- Full structural test coverage
  - Verifies that all code is executed
The significance of all this…
- Portable software designed to mission-ready quality standards can reduce manufacturer cost & schedule risks, and can facilitate certification
- ATN software certifiable to DO-178B Level C has been in the field since February 2000, and will play a major role in the FAA CPDLC communication infrastructure, as well as in the products of the ACI partner companies
- This portable & certifiable software is available to 3rd parties under license, to provide the same benefits of cost and risk reduction, and to aid in bringing the ATN into service…TODAY
Aeronautical Communication International LLC
Who are we? What do we do?
- ACI was formed in 1997 as a joint venture of AirsysATM, Honeywell International, Thomson-CSF Sextant & Sofréavia, all suppliers of CNS/ATM products & services
- ACI was created to execute the ATN Router Reference Implementation (RRI) Project, under contract to ATNSI
- In addition, ACI has financed a variety of ATN-related software developments and service activities:
  - Complementary Application/Management Software
  - ATN standardization support (AEEC, IATA & ICAO)
  - ATNSI CTS Program Support
  - EUROCONTROL Petal II & CAERAF Program Support
  - FAA Ground Router Architecture & Evaluation Support
- ACI is currently engaged as a subcontractor to CSC on the FAA CPDLC Build I & Build I/A Programs
Aeronautical Communication International LLC
For more information…
Contact…
- Forrest Colliver, General Manager: [email protected]
- Bob Kerr, Marketing & Communications: [email protected]
Or, visit the ACI web site at www.aci-llc.com