High Integrity Software for High Integrity Systems George Romanski - - PowerPoint PPT Presentation

SLIDE 1

High Integrity Software for High Integrity Systems

George Romanski Romanski@Verocel.com

SLIDE 2

High Integrity Software for High Integrity Software 2

SigAda2000

Outline

  • System safety
  • Safety standards
  • Safety objectives
  • Military avionics
  • Ground based systems
  • Future policy
  • Directions
SLIDE 3

Brake-by-Wire Safety Solutions

  • System Design - Limit speed to 5 mph
  • Hardware Design - use mechanical/hydraulic backup
  • Replicate Computer systems - no common mode errors
  • Software assurance through compliance with standards (e.g. DO-178B)

Figure labels: Pedal, Computer System, Hydraulic System, Brake

SLIDE 4

DO-178B / ED-12B

  • Acceptable means of compliance to the regulators of software in avionics systems
  • Not the only means of compliance! But, if you choose a different approach, you must show the DO-178B/ED-12B objectives have been met
SLIDE 5

Intent of DO-178B

  • Describe objectives for Life-Cycle Processes
  • Describe process activities
  • Describe evidence required at different assurance levels

SLIDE 6

SC-190, WG-52 Committee

  • 150 Registered Members
  • Consensus based
  • 4 years - Report published
    – Annual Report for Clarification of DO-178B (DO-248A)
    – Annual Report for Clarification of ED12B (ED-94A)
  • Position Papers
    – Document corrections
    – FAQ’s (Clarifications)
    – Discussion Papers
  • CNS/ATM - Work Continues
SLIDE 7

Typical DO-248A clarifications

  • Is recursion permitted in airborne applications?
    – Yes, but it must be bounded ( …etc)
  • Is Source-code to Object-code traceability required?
    – Yes, if providing coverage analysis at source code and level A
    – No, if providing coverage at machine code
  • If some run-time functions are inlined, is coverage still required?
    – Yes, cannot conceal coverage obligations

SLIDE 8

Typical DO-248A clarifications Cont.

  • Can compiler features be used to simplify coverage analysis at object code?
    – Yes! (e.g. short-circuit operations)
    – But, the compiler (feature) is being used as a verification tool, so the compiler (feature) must be qualified as a verification tool
  • What are the issues for reverification of COTS software?
    –

SLIDE 9

Standard Waterfall Process Model

Figure: Requirements, Design, Code, Test. Where is the Evidence?

SLIDE 10

Code Exists - Requirements re-engineered

Figure: Requirements, Design, Code, Test; step labels 1 and 2.

SLIDE 11

Requirements Based tests

Figure: Requirements, Design, Code, Test, Develop Tests; step labels 1 to 4.

SLIDE 12

Standard Waterfall Model

Figure: Requirements, Design, Code, Test, Develop Tests; step labels 1 to 4. Legend: Materials Developed / Reviewed by Re-engineering.

SLIDE 13

Validation and Verification

Figure labels: Goals; Req 1 to Req 6; Component 1 to Component 6. Validation: Complete and Correct? Verification: System built to Requirements?

SLIDE 14

RTS an Important Component

Figure: Application Code, Application Programming Interface, Run-Time System; SYSTEM in one address space.

System cannot be Certified unless RTS is Verified. Same assurance level for all components.

SLIDE 15

Deterministic Behavior

Figure labels: Functionality, Resources, Time

SLIDE 16

Deterministic Behavior

  • Results of a function are the inevitable consequence of its inputs:
    – Parameters
    – Global variables
  • Bound on the resources used
    – Memory - no new memory after startup
    – Stack - HUGE margins
  • Bound on the time taken to complete the function
    – time taken to execute a function depends on many system level parameters,
    – non-linear relationships are noted as they can cause the application to miss deadlines

SLIDE 17

Black Box Testing

  • No single failure should prevent “Continuous safe flight and landing.”
  • Statistical testing cannot show absence of a single state that will cause a failure
  • Software has discontinuities
  • Software does not follow Gauss/Normal Distribution

There is no foundation for statistical reasoning about software faults or safety

SLIDE 18

Coverage Analysis

  • Analysis of testing methods and results to show effectiveness of testing
  • Method to show absence of unintended function
  • Should be based (as much as possible) on requirements based tests
  • Rigor depends on criticality level

Note: Coverage Analysis, not Coverage Testing

SLIDE 19

Coverage at Level B and C

  • Statement Coverage (Level C)
  • Decision Coverage (Level B)
    – Entry Points
    – Exit Points
    – All Decisions
    – All Outcomes

SLIDE 20

Coverage at Level A

  • Coverage required at Machine Code level, or
  • Show source to object code traceability and test at source level, or
  • Use different compilers and different languages
  • MCDC testing required
    – each condition must have effect on outcome
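The Level A MC/DC objective on this slide (and the short-circuit point from the DO-248A clarifications on slide 8), as an added example that is not part of the talk: a small Python checker, with a constructed three-condition decision and constructed test vectors, that reports decision coverage and unique-cause MC/DC, i.e. whether each condition has been shown to affect the outcome on its own. The function names, the decision and the vectors are assumptions made for the example.

```python
from itertools import product

def decision(a, b, c):
    """Constructed decision under test: three conditions in short-circuit form."""
    return (a and b) or c

CONDITIONS = ("a", "b", "c")

def decision_coverage(tests, dec=decision):
    """Level B/C decision coverage: the decision has taken both outcomes."""
    return {bool(dec(**t)) for t in tests} == {True, False}

def mcdc_pairs(tests, dec=decision, conditions=CONDITIONS):
    """Unique-cause MC/DC: for every condition, look for two tests that differ
    in that condition only and give different outcomes, which shows that the
    condition alone affects the result. Conditions without such a pair map
    to None, i.e. their effect on the outcome has not been demonstrated."""
    pairs = {}
    for cond in conditions:
        found = None
        for t1, t2 in product(tests, repeat=2):
            if t1[cond] == t2[cond] or dec(**t1) == dec(**t2):
                continue
            if all(t1[k] == t2[k] for k in conditions if k != cond):
                found = (t1, t2)
                break
        pairs[cond] = found
    return pairs

def uncovered_conditions(tests, dec=decision, conditions=CONDITIONS):
    """Conditions whose independent effect on the outcome is not demonstrated."""
    return [c for c, p in mcdc_pairs(tests, dec, conditions).items() if p is None]

def mcdc_coverage(tests, dec=decision, conditions=CONDITIONS):
    """True only when every condition has an independence pair."""
    return not uncovered_conditions(tests, dec, conditions)

def vec(a, b, c):
    return {"a": a, "b": b, "c": c}

# Constructed test vectors (stand-ins for requirements-based tests).
# DECISION_ONLY reaches both outcomes but shows nothing about single conditions;
# MCDC_SET needs only N+1 = 4 vectors to give every condition an independence pair.
DECISION_ONLY = [vec(True, True, False), vec(False, False, False)]
MCDC_SET = [vec(True, True, False), vec(False, True, False),
            vec(True, False, False), vec(True, False, True)]

if __name__ == "__main__":
    print("decision coverage:", decision_coverage(DECISION_ONLY),
          "MC/DC gaps:", uncovered_conditions(DECISION_ONLY))
    print("MC/DC with", len(MCDC_SET), "tests:", mcdc_coverage(MCDC_SET))
```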

SLIDE 21

Military Avionics

  • DO-178B - now mandated by congress
  • Need Safety - even though:
    – Pilots have parachutes
    – Pilots don’t sue
  • Want safe software
    – Don’t need the evidence?
    – Must withstand an audit

SLIDE 22

The ‘Requirements’ for ATM Systems

  • Safety - More
  • Capacity - Increase in
  • Costs - Lower
  • Resource constraints - Fewer

Want to use COTS !!!

SLIDE 23

The ‘Challenges’ for ATM Systems

  • Current technology - Becoming obsolete
  • New Technology - Increasing in cost
  • Air Traffic in Europe - Increasing 6% pa.
  • Air Traffic in US - Increasing 4% pa.

SLIDE 24

WAAS

Figure labels: Selective availability helps; Sun may distort signal; Ionospheric storm data

SLIDE 25

The “Flight Profile”

Departure Procedure

Static Information
  • Terrain
  • Airways
  • Airport

Dynamic Information
  • Weather
  • warnings
  • capacity constraints
  • Special use airspace schedules
  • Etc.

Figure labels: Airport, Preferred Climb, Preferred Path, Preferred Descent

SLIDE 26

Object Oriented ‘Free-Flight’

Figure labels: Flight Profile; Filed Flight Trajectory; Active Flight Trajectory; Traffic Density Predictions; Dynamic Route Structures; Airspace Data Objects

SLIDE 27

Object Oriented Technology

  • Pressure from industry to use it
  • Industry expect lower certification costs - eventually
  • Certification authorities nervous
SLIDE 28

Reusable Software Components (RSC)

Figure labels: RSC (e.g. Run-Time system) - RSC Developer; Integrator - Subsystem manufacturer, Product e.g. FMS; Applicant - Airframe manufacturer / Subsystem manufacturer, Product e.g. Airplane, FMS; FAA

SLIDE 29

Reusable Software Component - Credit

  • Applicant applies for Type Certificates for Product
  • Applicant supplies DO-178B materials for RSC
    – Software Level (A, B, C, D)
    – Identified Processor type
    – Identified Compiler
  • FAA provides letter to RSC developer which documents certification credit
  • Eliminates / Reduces reverification on new project

SLIDE 30

Cabin Management

Multiple Systems

Figure labels: Cabin Management; Power Management; Primary ARINC Bus; Secondary ARINC Bus; 1 box, 2 CPU’s

SLIDE 31

Partitioned Systems

Figure labels: Integrated Modular Avionics; Cabin Management; Power Management; APEX; ARINC 653 OS; Primary ARINC Bus; Secondary ARINC Bus

SLIDE 32

The Partitioned Promise

  • Cheaper to verify components
  • Cheaper to re-verify components
  • Lowers criticality level - lowers certification costs
  • Less software to audit when component changed/upgraded

SLIDE 33

Don’t Argue with the Auditors

  • Arguing with the auditors is like mud wrestling with a pig
  • After a while you find out the pig really likes it!