Complex Integrated Avionic Systems and System Safety

1Federal AviationAdministration 1

Complex Integrated Avionics and System SafetyJune 9, 2005

Complex Integrated Avionic Systems and System Safety

Presentation to: Europe/U.S. International Aviation Safety ConferenceName: Ali Bahrami

Date: June 9, 2005

Federal AviationAdministration



Integrated Mod Avionics (IMA)Ex. 777

Trends in Avionics: Integration and Complexity

1980 1990 2000

Electronic flight inst.

Ex. 757/767

•Integration within closely related functions

•Most functionality in hardware/firmware

Integrated display system

Ex. 747-400

•Integration of most display-related avionics functions

•Most functionality re-programmable

•Integration of many avionics functions

•Card-based processors in cabinet racks

Expanded IMA

Ex. Falcon EASy, ERJ-170

•Integration of avionics + some flt. control and airplane systems

•More generic processors & software-based functionality



Trends in Avionics: Architectures

Huge increases in: • Functional integration.• Software size and complexity.

Shift in techniques for isolation/independence:• Traditionally, redundant features were completely isolated –

now they communicate with each other.• High/low criticality functions traditionally physically isolated

from each other – now share computing and databus resources.

Mix of new and reused (“legacy”) software.



Trends in Avionics: TSO

TSOs:• Traditionally, TSOs were used for simple equipment (e.g. seat

belts) and well-defined “stand-alone” functions (e.g. air speed indicator). Installation issues were minimal.

• Now, TSO requirements cover only a small fraction of the designed functionality.

• TSO functionality may be embedded in an integrated avionics suite (“functional TSO”).

• Vendors need TSOA to ship “brain-dead” hardware which doesn’t comply with the full TSO requirements until installed and software is loaded.



Trends in Avionics: Engineering and Business Practices

Increasing dependence on Commercial Off-the-Shelf (COTS) hardware and software. Examples:• Microprocessors (from PC industry).• Operating systems (e.g. Windows).• Graphic processors (from video game industry).

Changes in manufacturer-vendor relationships and responsibilities. Global design and manufacturing of highly integrated avionics

functions. Shift from airframe manufacturer as “designer/builder” to

“integrator/assembler.”



Certification Challenges

Integration and complexity:• Current processes (e.g. DO-178B/ED-12B for software) were

developed with much simpler architectures in mind.• Experience is showing that there are complex and often

unexpected “connections” between traditionally unrelated or independent functions, especially during failures.

• Failures become more difficult to predict and diagnose.• It becomes less and less feasible to test all inter-related failure

modes.• Fully integrated test facilities become more challenging and

expensive to build and operate.




Software:

• Software-based isolation and independence is much more “fluid” and difficult to assure than relying on hardware.

• Mixing of COTS, reused, and new software – all developed by different processes and to different standards – makes assessing the safety issues much more difficult, especially in standardized ways.




“Functional” TSO:• Difficult to separate TSO issues from installation issues

– TSO’d function may be part of the software that resides on a circuit card.

– TSO compliance can only be assessed when installed in the host system.

– Even simple issues like part marking become complicated.– TSO change processes were not developed with these complex

TSO “packages” in mind. Engineering and Business practices:

• COTS products are not developed to traditional aviation standards.

• Detailed certification data and knowledge often resides at vendor rather than manufacturer.



How the Authorities Have Responded

The authorities have already taken a number of actions to support recent IMA trends and specific projects, including:• Development of IMA AC and TSO.• Development of an Order on software reuse.• Approval of functional TSOs.• Numerous DO-178B/ED-12B “workarounds.”• Additional relevant guidance is in work.

However, continued industry support is needed…



What is Needed to Support the Trend?

Current software certification methods did not envision modern IMA architectures, so we need new methods… • That are equally effective in ensuring safety… • While supporting the certification of IMA.

The current TSO process is not well-suited for embedded software functions, so we need new approaches to TSOA…• Which allow design and production approval for traditional TSO

functions in IMA architectures… • While protecting the level of safety provided by type

certification processes.



What is Needed to Support the Trend?

When manufacturers out-source development and test: • New processes for authorities/manufacturer/vendor

communication are needed. Testing:

• Testing of the IMA “pieces” will not find integration problems.• The actual airplane is not an adequate test environment for

many IMA issues.• Full-scale integration test facilities may not be commercially

viable.• Industry needs to help develop new approaches to integration

testing that will find and characterize IMA problems before certification.



Authority-Industry Partnership

Cooperation is needed more than ever.• Traditional certification processes were developed to match

past commercial practices• The pace of change is increasing

Industry will need to lead the effort to develop new methods of compliance.• New methods cannot just “do less” – they MUST preserve, and

where possible, improve the level of safety.• Focus on safety-related issues while with IMA, it is more

difficult to separate what is or is not “safety-related.”



Summary and Future Perspectives

The authorities support industry’s efforts to advance the technology • Historic cooperation between the authorities and industry has

been essential in developing viable and effective methods of compliance and safety assurance.

Cooperation is even more critical as we collectively support rapid technological advances while at the same time increase the level of safety.

Potential broader issue: Does the overall safety assessment process need to be revisited, to account for the migration of functionality (and failure conditions) from hardware to software?

Documents

Complex Integrated Avionic Systems and System Safety