www.thalesgroup.com IFC on IMA AMS/13/000584 ir 00 Incremental Functional Certification (IFC) on Integrated Modular Avionics (IMA) WICERT Grenoble March 22, 2013 Franck Aimé

Incremental Functional Certification (IFC) on Integrated …atcproyectos.ugr.es/wicert/downloads/presentations/IFC… ·  · 2013-03-27IFC on IMA AMS/13/000584 ir00 Module ... EASA

Incremental Functional Certification (IFC) on Integrated Modular Avionics (IMA)

WICERT Grenoble March 22, 2013

Franck Aimé

Context

IMA system and dedicated process

• Ensure incremental certification (IC) for actual avionics systems oriented integrated architecture
• Manage application qualification credit towards federated architectural style (partition centric)
• Does not allow incremental certification at avionics functions level

IFC framework and dedicated process

• Have an ambition to extend incremental certification with incremental functional certification (IFC)
• Manage avionics functions design towards recent software means and methods (Avionics Service component architecture, software product line engineering, …)
• Suggest integrated architecture style based on infrastructure solution
• Suggest certification credit capitalization based on software component

IFC and IMA processes are complementary and enable FULL INCREMENTAL CERTIFICATION for the next generation of avionics systems

[Figure labels: Bottom-Up Based, Top-Down Based, FULL]

Incremental Functional Certification

IFC Study

IFC study examined various capabilities to incrementally accept an avionic system and provide six IFC criteria for Engineering Composability

Process

Dependency & Independency Guarantee Relations specification

Robust Partitioning analysis

IFC

Composability

Function Relationship

Information

Interaction Execution

Safety & Security

Installation

IFC installation framework is based on the five infrastructures:

• Relational Infr. (communication between IFC components)
• Interaction Infr.
• Information Infr.
• Execution Infr.
• Functional Infr. (bridge between abstraction and hierarchical levels)

Infrastructure: To share a resource R, ∀ R ∈ infrastructure

Vertical & Horizontal Partitioning: Composability

Each infrastructure shall be managed as an IFC component

Developed to be reused…

Developed to share and to be reused

Designed to be reused is a way to « certification credit »

[Figure: diagram of blocks labelled MC, AC, SC, M, A, P and F, connected by "Use" links]

• M qualified
• A qualified using M
• P qualified containing M used by A
• F qualified containing A used by M and containing SC
• P installed & certified
• F installed & certified

With:

• SC: Special Component ≠ MC & AC
• M: Module & MC: Module Component
• A: Application & AC: Application Component
• P: Platform or Infrastructure
• F: Function

[Figure labels: MOPS, MOPS, Infrastructure, Function]

Module

A component or collection of components that may be accepted by themselves or in the context of IMA. A module may also comprise other modules. A module may be software, hardware, or a combination of hardware and software, which provides resources to the IMA-hosted applications. Modules may be distributed across the aircraft or may be co-located.

Application

Software and/or application-specific hardware with a defined set of interfaces that, when integrated with a platform, performs a function.

Component

A self-contained hardware part, software part, database, or combination thereof that is configuration controlled. A component does not provide an aircraft function by itself.

Increment

Component - RSC principle; for qualification capitalization (tools, library, actuator, …); two types: Module Component (shared) and Application Component (not shared)

Application - F-ETSO principle, for certification capitalization

Module - ETSO principle, for certification capitalization

The Means to Reuse something already approved or accepted (using a shared resource)

ED-124/DO-297 Architecture’s Principles

Incremental Certification & Qualification strategy

The (pre-certifiable) Container to share something (resource)

The (pre-certifiable) Container to develop a Function (using a shared resource)

The (pre-qualifiable) Container to develop a part of a Function or Module (using a shared resource)

[Figure labels: Reuse, Share, Develop]

My Need is …

To Reuse a shared resource

To share a resource

To develop a part of a Function

To Reuse a Function

To Reuse a part of a Function

To develop a means to share a reusable part of a function

… With a targeted credit about

Approval (certification)

Acceptance (qualification)

Architecture’s drivers

[Figure labels: Reuse, Share, Develop]

The Purpose in Mind… shall Be Simple, Straightforward and Planned

[Figure: one Certification axis and three Qualification axes, each graded Null / Partial / Full]

The two stages launcher

Targeted Credit Process and Material

Targeted Credit and material of Targeted Credit on:

• Data
• Component
• Module & Application
• Function

Be aware : « reuse » does not mean « certification credit » from an aircraft to another.

Common State of the art

[Figure: axis labels "Qualification Purpose" and "Certification Purpose"; columns Data, Component, Module / Application and Function, each graded Null / Partial / Full]

DO-178, DO-254, DO-200, DO-160

Artifacts

Data Evidence: FAA Order 8110.49 & EASA CM-SWCEH-002

Component Evidence: AC 20.148

Module / Application Evidence: ARP4754, ARP4761, DO-297

Function Evidence: TSO/ETSO + Installation Manual

Reusable Software Component

When is RSC a bad idea?

No clearly defined functionality

Excessive customization required (say, 40% changes for each installation)

Decision for RSC near end of project

No support from applicant

Few potential instantiations of RSC component

Large number of interface parameters

When is RSC a good idea?

Algorithmic components

Small number of interfaces

Little or no tie to physical I/O

Certain tools

If only limited credit is granted, it might be better just to include a data that is “approvable” and let each client go through the certification process.

From : Reusable SW components (RSC) in real life, FAA, Mike DeWalt, 2005 Software/CEH Conference: Norfolk, VA

IMA regulatory material

System/Hardware/Software Industrial Standards

• Guidelines for Integrated Modular Avionics (DO-297/ED-124)
• Electronic Hardware Development Process (DO254 / ED-80)
• Software Development Process (DO178 / ED-12)
• Aircraft & System Development Process (ARP-4754 / ED-79)

ARP4754A (+ARP4761A ongoing) and more recently DO297 are structuring IMA system development and certification processes

[Figure labels: ARP4754A, DO297]

Regulatory materials

IMA Hardware TSO C153

FAA system / EASA system

Functional ETSO Cxxx

ETSO 2C153

Advisory Circular 20.170 (+ Advisory Circular 20.148) (calling industrial standards DO-297)

Certification Review Item

CRI-Fxx : Integrated Modular Avionics System

CRI-Fxx : Incremental Certification

(calling industrial standards DO-297)

(E)TSO Authorization

IMA system Approval TC / STC

Functional TSO Cxxx (Incomplete TSO) Ex : C9c, C52b, C54, C92c, C101, C106, C115b, C151b

Functional TSO Cxxx (Complete TSO)

Component Qualification

Functional Software Qualification

Hardware Qualification

IMA System Installation / IMA System Installation

The FAA system facilitates reuse and certification credit for manufacturers via the C153 / FTSO approach and the IMA Acceptance Letter concept.

The EASA system facilitates Type Certificate and credit for the airframer (CRI is A/C dedicated).

Complement Qualification DO160

ED-124/DO-297 Architecture’s Principles

Platform is concerned by the resource-sharing need (resources used by at least two functions / applications) and is the means to share resources (through Component and Module)

Avionics Functions are concerned by Application and Component

RTCA DO-297

ETSO 2C153 - Applicability

Applicability (1.2)

This ETSO refers to IMA platform modules which are appliances composed of Hardware and Core Software or any embedded software module contributing to the intended function of resources sharing.

Nevertheless :

“Hardware only” module is acceptable if no further software module is needed to perform resources sharing.

Single LRU platform (as per ED-124/DO297), where the platform is limited to one LRU module (Smart Display, CPIOM...) , is acceptable.

Are out of scope of this ETSO :

IMA Platform composed of multiple LRUs (distributed platform) or LRMs (e.g. cabinet).

Configuration tables, which are components part of IMA system integration and installation.

Stand-alone core software.

IMA applications.

Equipment used to generate radio frequency signals for intentional transmitters

ETSO 2C153 - Applicability

Minimum Performance Specification (3.1.1)

ETSO modular structure

Seven basic types MPS for IMA platform modules

TYPE A : Rack Module.

TYPE B : Processing Module.

TYPE C : Graphical Generation (/Processing) Module.

TYPE D : Mass Data Storage Module.

TYPE E : Interface module. (Input/Output Module And/Or network module)

TYPE F : Power Supply Module.

TYPE G : Display Head Module

Not limited to Cabinet architecture

ex : Single CPIOM platform = TYPE B

Combination of types are possible

ex : Single Display LRU platform = TYPE B + C + G

Full Incremental Certification : Thales Approach

Composability of Certification Credit

ETSO 2C153 on the Infrastructure to build Open Platform Avionics

F-ETSO on the function to construct the function avionics and advanced avionics function

[AC-20.170 & future AMC-20.170] Functional TSO : TSO with a defined function.

Examples of functional TSOs : TSO-C151b Terrain Awareness and Warning System

Improve Certification Credit at application level

Improve management for general irreversible trend to develop functional chain at software level

Equipment with a set of (E)TSO a set of ETSO & F-ETSO

To make up the avionics

[Figure labels: Credit (repeated five times)]

Full Incremental Certification invented a way to improve continuously Safety of Flight

Incrementa-bility

Incremental Acceptance Process and Domain Engineering Process are the two pillars for a well managed Full Incremental Certification Process

Functional Domain

F = f1+f2+f3 incremental approval F-ETSO

Functional thread shall be based on MOPS or CS (consistent CS Package)

CS Package allocated to sub-function are identified by domain engineering process

Be aware that the non-ETSO functions have a certification credit with TC and not with the F-ETSO

Infrastructure Domain

C = a1+a2+a3+sc1+ac2 incremental acceptance ETSO 2C153

Component thread shall be based on infrastructure composability capacities (consistent Component Package)

Component Package allocated to infrastructure component are identified by infrastructure engineering process (IMA capabilities based)

Composability rule :

The container for a functional thread is a component of the infrastructure

Next steps

Common Functional Infrastructure

From Component Based architecture towards Service Oriented Architecture

Connected Hybrid Avionics (Satellite Avionics)

Questions ?