A380 ATA 42 certification – CISEC IMA day – Toulouse, June 21st, 2007
Presented by Benoit BERTHE, Airbus France
June 21st, 2007 – A380 ATA 42 presentation to CISEC – Page 2
© AIRBUS S.A.S. All rights reserved. Confidential and proprietary document.
Agenda
• ATA 42-10 – IMA (Integrated Modular Avionics)
• ATA 42-30 – ADCN (Avionics Data Communication Network)
ATA 42-10 – IMA (Integrated Modular Avionics)
IMA principle
• Each CPIOM hosts independent applications in the same computing and memory resource, and also supplies an Input/Output interface service to some of the conventional avionics.
CPIOM types
CPIOM internals
• The CPIOM configuration table software provides the module and the avionics applications with configuration data.
  – e.g.: memory, CPU, input/output allocations, etc.
IMA certification 1/5
• “Integrated” and “modular” have been buzzwords in avionics for a long time
• First used to characterise multi-function boxes such as AIMS on Boeing 777 or Primus Epic on Dassault & Embraer aircraft
  – But only integrates applications from a unique supplier, hosted on a platform provided by this same supplier
• A380 was the first introduction of what can be called ‘open IMA’, i.e. hosting applications from several suppliers on a platform provided by another supplier
  – Also enables easy portability of applications, thanks to API standardisation
• Also the first formalisation of “incremental certification”, through a dedicated Certification Review Item
IMA certification 2/5
• Principal goal of IMA certification was two-fold:
  – Demonstration of generic properties at platform level, to avoid constant re-qualification
  – Demonstration of functional equivalence between applications developed in a ‘standalone’ context and the same applications hosted in an ‘integrated’ CPIOM
IMA certification 3/5
• Main properties to demonstrate generically at platform level were robust partitioning (i.e. without any assumptions on the behaviour of applications) and fine-grained characterisation of API response times
• Dedicated partitioning analysis was produced, identifying all the possible ‘perturbation channels’ between applications, especially in the spatial or temporal domains (cf. Rushby @ NASA Langley) and the associated mitigation means (for example dedicated ASIC to double-check Power PC MMU)
• Worst Case Execution Time characterisation was also undertaken, with identification of every single hardware or software contribution (cache, pipelines, SDRAM refresh…)
  – In some cases, use has been made of abstract interpretation static analysis tools (cf. Cousot) to provide ‘formal proofs’
IMA certification 4/5
• The perimeter under which those basic properties are guaranteed is called Usage Domain
• It is “a subset of possible configuration parameters [...] for which it can be shown that:
  – the component is compliant to its (i) functional, (ii) performance and (iii) safety requirements,
  – the component is compliant to the applicable airworthiness requirements,
  – the component is robust to faults, errors and aggressions including functional and environmental aspects.”
• Elaboration of usage domain was a complete screening of the design and implementation to identify relevant constraints, and then ‘translate’ them in the semantics of configuration parameters
• Finally, a last analysis was produced to characterise the ‘locality’ of configuration parameters, to facilitate independent evolution of applications within the integrated CPIOM
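The usage-domain idea on this slide (constraints found by screening the design, then expressed as checks on configuration parameters) can be shown as a small screening tool. This is an added example, not Airbus code and not the A380 configuration tool chain: the partition names, memory map, schedule, I/O port names and the limits in `UsageDomain` are all constructed. It checks the two partitioning properties the earlier slide names, spatial (page-aligned, in-range, non-overlapping memory) and temporal (time windows that fit a major frame without overlapping), plus single ownership of each I/O allocation.

```python
"""Screening a CPIOM-style configuration table against a constructed usage domain.

Added example (not Airbus's own tooling): every name, address and limit below
is constructed to illustrate the screening, not taken from the A380.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Partition:
    name: str
    mem_start: int          # bytes: start of the partition's private memory
    mem_size: int           # bytes
    window_offset_us: int   # start of its CPU window inside the major frame
    window_len_us: int      # CPU time per major frame, microseconds
    io_ports: frozenset     # names of the I/O interface ports it owns


@dataclass(frozen=True)
class UsageDomain:
    """Constructed limits standing in for the platform's usage domain."""
    mem_base: int
    mem_limit: int          # exclusive upper bound of hostable memory
    page_size: int          # MMU granularity: partitions must be page aligned
    major_frame_us: int     # length of the periodic schedule
    max_partitions: int


def screen(table, dom):
    """Return the list of violations; an empty list means the table is inside the usage domain."""
    errs = []
    if len(table) > dom.max_partitions:
        errs.append(f"{len(table)} partitions exceeds limit {dom.max_partitions}")
    # Spatial partitioning: page aligned, inside the hostable range, non-overlapping.
    for p in table:
        if p.mem_start % dom.page_size or p.mem_size % dom.page_size:
            errs.append(f"{p.name}: memory not {dom.page_size}-byte aligned")
        if p.mem_start < dom.mem_base or p.mem_start + p.mem_size > dom.mem_limit:
            errs.append(f"{p.name}: memory outside hostable range")
    by_mem = sorted(table, key=lambda p: p.mem_start)
    for a, b in zip(by_mem, by_mem[1:]):
        if a.mem_start + a.mem_size > b.mem_start:
            errs.append(f"{a.name}/{b.name}: memory regions overlap")
    # Temporal partitioning: windows inside the major frame and non-overlapping.
    for p in table:
        if p.window_offset_us + p.window_len_us > dom.major_frame_us:
            errs.append(f"{p.name}: time window exceeds major frame")
    by_time = sorted(table, key=lambda p: p.window_offset_us)
    for a, b in zip(by_time, by_time[1:]):
        if a.window_offset_us + a.window_len_us > b.window_offset_us:
            errs.append(f"{a.name}/{b.name}: time windows overlap")
    # I/O allocation: each port must have exactly one owner.
    owners = {}
    for p in table:
        for port in sorted(p.io_ports):
            if port in owners:
                errs.append(f"port {port}: owned by both {owners[port]} and {p.name}")
            owners[port] = p.name
    return errs


# Constructed sample usage domain and configuration tables.
DOMAIN = UsageDomain(mem_base=0x1000_0000, mem_limit=0x1800_0000, page_size=4096,
                     major_frame_us=50_000, max_partitions=8)
GOOD = [
    Partition("FCS", 0x1000_0000, 0x0020_0000, 0, 20_000, frozenset({"ARINC429_RX1"})),
    Partition("ECS", 0x1020_0000, 0x0010_0000, 20_000, 15_000, frozenset({"DISC_OUT3"})),
]
BAD = GOOD + [
    # Overlaps ECS memory, overruns the major frame and reuses an I/O port.
    Partition("NEW", 0x1028_0000, 0x0010_0000, 35_000, 20_000, frozenset({"DISC_OUT3"})),
]

if __name__ == "__main__":
    print("GOOD:", screen(GOOD, DOMAIN))
    for e in screen(BAD, DOMAIN):
        print("violation:", e)
```

Adding a partition to `GOOD` without touching the existing ones is the "locality" the last bullet refers to: the screen only reports the new entry's own conflicts, so the existing applications' parameters need no re-examination.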
IMA certification 5/5
• Second step was to demonstrate two main topics at integrated CPIOM level:
  – The preservation of internal compatibility indexes when relevant (so called “impact analyses”)
  – The equivalence analysis between the standalone qualification context and the integrated CPIOM context
    – This asks for complete identification of differences at every level (hardware, core software, configuration parameters, configuration generation tool chain, compiler/linker, …)
• Thanks to all those analyses, it is then possible to not perform formal tests at integrated module level
• As stated by EASA during an audit at design office level, “Within the context of [Airbus A380] IMA, it was possible to take full credit of the verification activity performed by the function supplier to cover the expected activity to be performed in terms of verification for the IMA at the integrated module level.”
ATA 42-30 – ADCN (Avionics Data Communication Network)
Statement of purpose of ADCN
• The Avionics Data Communication Network (ADCN) is the principal means of communication technology between avionics equipment chosen for the A380
• It leverages maturity of quasi-ubiquitous IT (Ethernet, IP…) standards with adaptation to aeronautical constraints, such as determinism.
• ADCN is the name of the system, the technology is called Avionics Full DupleX Switched Ethernet (AFDX).
• ADCN is used for the exchange of operational, maintenance and loading data between subscribers
• This type of network is easily configurable and does not require new connections in case of new messages.
ADCN subscribers
• The ADCN is composed of two redundant networks (A and B).
• Both networks are composed of AFDX switches, connected to each other with AFDX cables.
• Each ADCN subscriber has an input/output interface called AFDX End System.
  – This AFDX End System lets the subscriber send and receive AFDX frames to and from other ADCN subscriber(s).
  – The AFDX End System duplicates AFDX frames in transmission and keeps the first incoming valid one in reception.
  – This duplication increases the availability of A/C system data by sending them simultaneously on both redundant networks A and B.
  – On A380, the subscribers can communicate at 10 or 100 Mbit/s bitrates.
Virtual link 1/3
• A/C system data are sent simultaneously from an ADCN subscriber to other ADCN subscriber(s) on both redundant networks A and B through AFDX switches according to a predefined path called Virtual Link (VL).
• The VL is similar to a unidirectional "pipe" through the ADCN:
  – It has one specific identification
  – It is sent by one transmitter only
  – It is received by one or more subscribers in receive mode
• Each AFDX switch has a switching function. This function receives the VL coming from one emitter and routes it to the appropriate output port(s) based on the configuration table.
• To sum up, the emitter sends a VL simultaneously to both first AFDX switches (one per network), then each AFDX switch, according to the VL identification and its configuration table, routes the VL to the following AFDX switch and so forth till the receiver.
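The behaviour described on this slide and on the “ADCN subscribers” slide (a VL routed by each switch's configuration table, emitted on both networks, first valid copy kept by the receiver) is shown below as an added example in Python; it is not Airbus or AFDX code. The switch names, VL identifiers, configuration tables and frames are constructed. One assumption goes beyond the slides: the receiving End System recognises the second copy by a per-VL sequence number carried in the frame (the mechanism ARINC 664 Part 7 uses), so that “keep the first valid one” can be implemented. The example also shows what happens when a VL is absent from a switch's table (the frame is dropped rather than forwarded) and when one network is lost.

```python
"""Virtual Link forwarding over redundant networks A and B, with End System
duplication at the emitter and first-valid-wins at the receivers.

Added example (not Airbus/AFDX code): all identifiers and tables are constructed;
the per-VL sequence number is an assumption about the frame format.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    vl_id: int
    seq: int        # per-VL sequence number (assumption, not stated on the slide)
    payload: bytes


# Constructed switch configuration tables: switch -> {vl_id: [output ports]}.
# An output port leads either to another switch or to a subscriber End System
# (names starting with "ES_"). A VL may fan out to several receivers.
SWITCH_TABLES = {
    "SW1A": {100: ["SW2A"]},
    "SW2A": {100: ["ES_FWC", "ES_CMS"]},
    "SW1B": {100: ["SW2B"]},
    "SW2B": {100: ["ES_FWC", "ES_CMS"]},
}
# Constructed first-hop switch of the emitting End System on each network.
FIRST_HOP = {"A": "SW1A", "B": "SW1B"}


def forward(node, frame, path):
    """Walk a frame through one network from `node`; returns the End Systems reached."""
    path.append(node)
    if node.startswith("ES_"):
        return [node]
    # A VL with no entry in this switch's table is not forwarded: the VL ID is a
    # pre-configured path, not a freely routable address.
    ports = SWITCH_TABLES.get(node, {}).get(frame.vl_id, [])
    reached = []
    for port in ports:
        reached += forward(port, frame, path)
    return reached


class EndSystem:
    """Receiving side: keeps the first valid copy of each sequence number per VL."""

    def __init__(self, name):
        self.name = name
        self.last_seq = {}      # vl_id -> last accepted sequence number
        self.delivered = []     # (network, seq, payload) handed to the application

    def receive(self, network, frame):
        if frame.seq == self.last_seq.get(frame.vl_id):
            return False        # copy from the other network already accepted: discard
        self.last_seq[frame.vl_id] = frame.seq
        self.delivered.append((network, frame.seq, frame.payload))
        return True


def transmit(frame, receivers, outage=()):
    """Emit `frame` on networks A and B; `outage` lists networks that lose it (constructed fault).
    Returns the path walked on each network."""
    paths = {}
    for net in ("A", "B"):
        path = []
        if net not in outage:
            for es in forward(FIRST_HOP[net], frame, path):
                receivers[es].receive(net, frame)
        paths[net] = path
    return paths


def demo():
    rx = {"ES_FWC": EndSystem("ES_FWC"), "ES_CMS": EndSystem("ES_CMS")}
    transmit(Frame(100, 1, b"N1=92.4"), rx)                   # both copies arrive, A kept
    transmit(Frame(100, 2, b"N1=92.6"), rx, outage=("A",))    # network A lost: B copy kept
    transmit(Frame(999, 1, b"unconfigured VL"), rx)           # no table entry: dropped
    return rx


if __name__ == "__main__":
    for es in demo().values():
        print(es.name, es.delivered)
```

Because the switch only forwards VL identifiers present in its configuration table, adding a new message means adding a table entry, not a new physical connection, which is the "easily configurable" property claimed for ADCN.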
Virtual Link 2/3
Virtual Link 3/3
ADCN certification 1/2
• The most important property to demonstrate through the certification process was ADCN intrinsic determinism
• Determinism covers in fact five different properties:
  – bounded propagation time
  – bounded propagation jitter
  – guaranteed bandwidth
  – no loss of data linked to contention
  – preservation of order
• This was achieved through mathematical characterization of traffic upper bound, based on the Virtual Link properties (notably BAG and Max Frame size) and regulation algorithms embedded on the switch
  – Based on network calculus theory (Cruz, Le Boudec & al)
  – Verified by dedicated tool, qualified at Development Assurance Level A (as per DO-178B)
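The traffic upper bound this slide refers to can be carried through for a small constructed set of VLs. The following is an added example, not Airbus's qualified tool: it models each VL as a leaky bucket (burst = Lmax, rate = Lmax/BAG) and each FIFO switch output port as a rate-latency server, then applies the standard network-calculus bound D = (sum of bursts)/C + T (Le Boudec & Thiran) port by port along each VL's route, increasing a VL's burst by rate × delay after each hop. The link rate, switch latency, VL parameters and port names are constructed; the BAG and Lmax ranges in `check()` are those of ARINC 664 Part 7 and are an assumption about the traffic model, not something the slide states.

```python
"""Network-calculus style bounds for Virtual Links sharing AFDX switch output ports.

Added example (not the A380 certification tool): VL parameters, link rate,
switch latency and port names are constructed. Routes are assumed feed-forward,
and `port_order` must list ports in an order where every VL reaches a port only
after the ports before it on its route.
"""
from dataclasses import dataclass


@dataclass
class VirtualLink:
    vl_id: int
    bag_ms: float       # Bandwidth Allocation Gap: minimum interval between two frames
    lmax_bytes: int     # maximum frame size on the wire
    route: list         # output ports traversed, in order, e.g. ["SW1:p3", "SW2:p7"]

    def check(self):
        """ARINC 664 P7 parameter ranges (assumption about the model)."""
        return self.bag_ms in (1, 2, 4, 8, 16, 32, 64, 128) and 64 <= self.lmax_bytes <= 1518

    def burst_bits(self):
        return 8 * self.lmax_bytes                   # leaky-bucket burst at the End System output

    def rate_bps(self):
        return 8 * self.lmax_bytes / (self.bag_ms / 1000.0)   # bandwidth the VL may use


def guaranteed_bandwidth_ok(vls, link_bps):
    """Guaranteed bandwidth at a port: the VLs' long-term rates must fit the link."""
    return sum(v.rate_bps() for v in vls) <= link_bps


def port_bounds(vls, bursts, link_bps, latency_s):
    """Delay bound at one FIFO output port shared by `vls`, given their input bursts (bits).
    Returns (delay_s, output bursts); the output burst grows by rate * delay."""
    if not guaranteed_bandwidth_ok(vls, link_bps):
        raise ValueError("port overbooked: aggregate VL rate exceeds link rate")
    delay = sum(bursts[v.vl_id] for v in vls) / link_bps + latency_s
    new_bursts = {v.vl_id: bursts[v.vl_id] + v.rate_bps() * delay for v in vls}
    return delay, new_bursts


def end_to_end_bounds(vls, port_order, link_bps, latency_s):
    """Worst-case end-to-end delay bound (seconds) per VL along its route."""
    bad = [v.vl_id for v in vls if not v.check()]
    if bad:
        raise ValueError(f"VL parameters outside allowed ranges: {bad}")
    bursts = {v.vl_id: v.burst_bits() for v in vls}
    delays = {v.vl_id: 0.0 for v in vls}
    for port in port_order:
        sharing = [v for v in vls if port in v.route]
        if not sharing:
            continue
        d, out = port_bounds(sharing, bursts, link_bps, latency_s)
        for v in sharing:
            delays[v.vl_id] += d        # bounded propagation time accumulates per hop
            bursts[v.vl_id] = out[v.vl_id]
    return delays


# Constructed configuration: a 100 Mbit/s network, 16 us technological latency per switch.
LINK_BPS = 100e6
LATENCY_S = 16e-6
VLS = [
    VirtualLink(100, bag_ms=2, lmax_bytes=200, route=["SW1:p3", "SW2:p7"]),
    VirtualLink(101, bag_ms=8, lmax_bytes=1518, route=["SW1:p3", "SW2:p7"]),
    VirtualLink(102, bag_ms=16, lmax_bytes=500, route=["SW2:p7"]),
]
PORT_ORDER = ["SW1:p3", "SW2:p7"]

if __name__ == "__main__":
    for vl_id, d in end_to_end_bounds(VLS, PORT_ORDER, LINK_BPS, LATENCY_S).items():
        print(f"VL {vl_id}: delay bound {d * 1e6:.1f} us")
```

The two checks correspond to two of the five properties on the slide: `guaranteed_bandwidth_ok` is the condition under which the port cannot be overbooked (no loss by contention at that port, given enough buffer for the backlog bound), and `end_to_end_bounds` gives the bounded propagation time. The jitter bound follows from the same figures as the difference between the computed bound and the unloaded transmission time.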
ADCN certification 2/2
• Another important topic was to demonstrate safety objectives
  – Classification ‘a priori’ of the relevant Failure Conditions (for example, total loss should not be CATastrophic, due to potential common mode failure)
  – Some failures are easy to characterise (total loss, double losses, …), some not
  – Combinatorics make it impossible to deal with bottom-up analysis only
  – So top-down methodology including cumulative effect analysis was also used
  – Also assessed on simulator and flight test aircraft, including EASA/FAA attendance
    – FAA praised the outstanding robustness of the system
Conclusion
Conclusion
• A380 Type Certificate was granted jointly by EASA and FAA on December 12th, 2006
  – ATA 42 was identified as a major ‘first’
• Airbus is setting the standards:
  – Boeing 787 also features ‘open IMA’ in the Common Core System, albeit with different suppliers and methodologies
  – ADCN has been proposed by Airbus for standardisation (ARINC 664), and is used on all new major transport aircraft programmes (A380, A400M, A350 XWB, B787, Sukhoï Superjet, …)
Thank you for your attention!
This document and all information contained herein is the sole property of AIRBUS S.A.S. No intellectual property rights are granted by the delivery of this document and the disclosure of its content. This document shall not be reproduced or disclosed to a third party without the express written consent of AIRBUS S.A.S. This document and its content shall not be used for any purpose other than that for which it is supplied.
The statements made herein do not constitute an offer. They are based on the mentioned assumptions and are expressed in good faith. Where the supporting grounds for these statements are not shown, AIRBUS S.A.S. will be pleased to explain the basis thereof.