26-27 September 2000, ATN2000 (London)
Certifiable Software for the ATN
Making ATN a reality…now…
Presented by Forrest Colliver, ACI General Manager
The Nature of Portable Communications Software
What is portable software?
Software quality and the ATN…
How is portable ATN software developed? Methodologies; quality standards
How is portable software used? By whom?
ACI’s Portable & Certifiable ATN Software
What is “portable software”? Types of Software
Ready-to-run binary end-user software
  Examples: personal computer software, game software, etc.
  For consumption by individual or organizational end-users
  Plug and play operation
Portable binary library or source code software
  Examples: linkable object modules (databases, interfaces, etc.) or source code (protocols, drivers, or other code requiring adaptation to platforms & operating systems)
  For consumption by manufacturers or sophisticated end-users having in-house information technology support
  Usable after integration in & customization for target platform
Although used in different contexts, both may be called “commercial off-the-shelf” (COTS) software
What is “portable software”? Why use Portable Software?
Manufacturer’s perspective
  Non-recurring cost reduction: no need for redevelopment of commercially available code; no opportunity cost where internal resources could be better applied to other projects
  Lifecycle cost reduction: portable modules warranted and maintained by software vendor
  Risk reduction: pre-tested software modules are ready to integrate; portable software can be supplied with certification artifacts; facilitates earlier delivery of manufacturers’ products to market
End-user’s perspective
  Reduced end-user pricing; more competitive products
  Improved confidence: “Intel-inside” effect
Factors above contribute to what should essentially be a “make/buy” decision by manufacturer
Software Quality & the ATN: The architecture can offer…
ATN architecture was created for support of both safety-critical ATS and AOC applications
  Controller/pilot communications (ATS), e.g. clearances
  Controller/controller communications (ATS), e.g. handoff
  Airline dispatch/pilot communications (AOC), e.g. re-routing
How?
  Integrity assurance via protocol design: “what is received is what was sent”
  Enhanced availability via routing architecture: “information transferred end-to-end in a timely manner”
Remember: key role of the ATN is to manage mission-critical communication resources & message traffic
Software Quality & the ATN: …but software must deliver
Accordingly, mission-critical application of ATN protocols demands software design & quality assurance consistent with “Essential” systems
Rationale: undetected integrity/availability failures may contribute to operational errors and/or lead to unacceptable dispatch/controller/pilot work-load
RTCA DO-178B provides software development guidelines for Level C, to meet “Essential” systems requirements
ACI’s approach to the problem: to ensure ATN software mission-readiness, all ACI RRI/ASE software conforms to DO-178B Level C guidelines
How is ACI’s software developed? Production Methodology
DO-178B Level C
  Constitutes the norm for “essential” avionics systems
  ACI offers full development & documentation compliance, including configuration management & quality assurance aspects
  Maximizes certification credit by optimizing certification effort during the portation process, using supplied certification artifacts
MIL-STD-498
  FAA and other US government users specify MIL-STD-498 development methodology & lifecycle compliance for mission-critical software & systems
  Applied on both code development & documentation aspects
  Complementary to DO-178B Level C
How is ACI’s software developed? Lifecycle Functional View
(Diagram; only the box labels survive extraction: Functional Requirements; System/Software Requirements; Software Design; Code Generation, Unit Test & Integration; Formal Test Execution; Validation.)
How is ACI’s software developed? Traceability of Requirements
(Diagram; only the labels survive extraction. Specifications: ICAO PICS/SARPs, FRS, S/SRS, SDD, CODE. Verification documents: VTP and VTCN, covering testable, non-functional and performance requirements.)
How is ACI’s software developed? Testing/Verification (1/2)
Software verification testing consists of two key components:
Requirements-based testing (RBT)
  Software tested against each requirement to ensure that it does what it is supposed to do and doesn’t perform any unintended functionality
Structural coverage analysis (SCA)
  Identifies code structures (at the instruction level for DO-178B Level C) that are not exercised by the RBT
  Ensures that every software instruction is required, i.e. has been invoked at least once
How is ACI’s software developed? Testing/Verification (2/2)
Requirements at lowest level (SDD) completely cover higher level requirements
  Requirements inspection process assures coverage
Computer Software Unit (CSU) tests ensure SDD requirement conformance
  Inspection process assures that tests fully cover requirements
  Test cases identify WHAT is to be tested; test procedures identify HOW the test will be performed
CSU tests cover both normal operations and evaluation of robustness under limit conditions
  Check validity of external data prior to CSU importation
  Checks for validity of CSU arithmetic operations
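A worked illustration of the two testing slides above, added here as an example and not ACI’s code: a constructed CSU with an external-data validity check and a range-checked arithmetic operation, exercised by requirements-based cases under a tracer that reports the statement lines those cases never executed (the statement-level SCA that Level C calls for). MAX_PDU, the function names and the test cases are assumptions made for the example.

```python
import dis
import sys

MAX_PDU = 1024  # assumed protocol maximum for this constructed CSU


def validate_length(raw):
    """Guard external data before it enters the CSU: must be an int in [0, MAX_PDU]."""
    if not isinstance(raw, int) or raw < 0:
        return None
    if raw > MAX_PDU:
        return None
    return raw


def scale16(value, factor):
    """16-bit arithmetic with an explicit saturation check instead of a silent wrap."""
    result = value * factor
    if result > 0xFFFF:
        return 0xFFFF
    return result


def statement_coverage(fn, cases):
    """Run requirements-based cases against fn; return fn's statement lines never executed."""
    code = fn.__code__
    executed = set()

    def tracer(frame, event, arg):
        if frame.f_code is not code:
            return None  # do not trace callees
        if event == "line":
            executed.add(frame.f_lineno)
        return tracer

    sys.settrace(tracer)
    try:
        for args, expected in cases:
            assert fn(*args) == expected, (args, expected)
    finally:
        sys.settrace(None)
    # Statement lines come from the code object's line table; the def line itself is skipped.
    statements = {ln for _, ln in dis.findlinestarts(code) if ln and ln > code.co_firstlineno}
    return sorted(statements - executed)


# Constructed requirements-based cases: the rejected-input, limit and normal paths.
LENGTH_CASES = [((-1,), None), (("12",), None), ((MAX_PDU + 1,), None), ((512,), 512)]
# These cases never drive the saturation branch, so SCA must report one missed line.
SCALE_CASES = [((100, 2), 200), ((0, 7), 0)]

if __name__ == "__main__":
    print("validate_length missed lines:", statement_coverage(validate_length, LENGTH_CASES))
    print("scale16 missed lines:", statement_coverage(scale16, SCALE_CASES))
```

The second report is the SCA finding: a statement the RBT never reached, which under the process on the slide means either a missing requirement-based case or an instruction that is not required.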
Certifiable ATN Software: Portable Building Blocks
Four RRI Component Builds
  Airborne Boundary Intermediate System (ABIS)
  Ground Boundary Intermediate System (GBIS)
  Airborne End System (AES)
  Ground End System (GES)
Four Application Service Element (ASE) Modules
  Context Management (CM)
  Automatic Dependent Surveillance (ADS)
  Controller/Pilot Data Link Communication (CPDLC)
  Flight Information Service (FIS)
Certifiable ATN Software: System Architecture
(Diagram; only the labels survive extraction: Airborne End System (AES), Ground End System (GES), Airborne Boundary Intermediate System (ABIS, mobile), Air/Ground Boundary Intermediate System, Ground/Ground Boundary Intermediate System (GBIS), Mobile Network, Ground Network. The end systems are drawn with Upper Layers, Transport, Network, Data Link and Physical layers; the boundary intermediate systems with Network, Data Link and Physical layers.)
Certifiable ATN Software: Statistics
Each RRI build comprises between 60000 and 90000 source lines of DO-178B Level C code
  AES/GES: 63000/75000
  ABIS/GBIS: 87000/87000
Four ASEs together comprise between 60000 and 80000 source lines of code
  Airborne ASEs: order of 15000 each
  Ground ASEs: order of 20000 each
Approximately 5000 tested requirements overall
Certifiable ATN Software: Component Architecture
(Diagram; only the labels survive extraction. Platform: NMA, HMI, Subnet Drivers, System Clock, OS. ATN Portable Product Package components (shaded): System Environment Exchange (SEI), Core PSE, Local Manager, User PSE, Router Stack. User processes: User Applications, ATN Applications, ASEs. Legend: Platform / Custom / ATN Portable Product Package Components (shaded) / User Processes.)
Certifiable ATN Software: System Interfaces
(Diagram; only the labels survive extraction: Host Operating System, with interfaces numbered 1. Note: System Inter-task Communications, a) Memory Management, b) Timer Management.)
Certifiable ATN Software: Product Composition
Source software modules
Documentation
  User’s Guide
  Porting Guide
  Functional Requirement Specification (FRS)
  External Interface Control Document (EICD)
  Software Quality Assurance Plan (SQAP)
Validation test scripts & sequences
  System level
  CSCI level
DO-178B Level C certification artifacts
Products pre-ported for UNIX/Streams environment
Certifiable ATN Software: Product Support & Evolution
RRI & ASE products under configuration & change management process
  Operated by ATNSI & ACI as open process; ATN stakeholder interests and participation incorporated
  Designed to allow incorporation of general problem reports (PRs) as well as ICAO PDRs, plus agreed product improvements, while respecting interoperability
Product Support
  Through end of warranty period (mid 2002): RRI/ASE support assured by ACI under CCB process
  Following warranty: long-term RRI/ASE support committed by ACI member companies
  To date: maintenance releases made at regular intervals, following initial RRI/ASE product deliveries in February 2000
Certifiable ATN Software: Certification Credit
Controversial subject: definitive approach awaits decisions by authorities
What is known:
  Structural Coverage Analysis credit likely based on FAA analysis
  Requirement Based Test procedures and results comprise part of product package; can be rerun as required by certification authorities
  Validation Test procedures and results comprise part of product package; can be rerun as required by customer for acceptance testing
  Conformance Test Suite (CTS) role: view of certification authorities not yet definitive
In any case, ACI software is designed to streamline, risk-reduce, & cost-reduce the certification process
Result: fit-for-purpose portable ATN software…
Product quality meets safety requirements, meets specifications, and reduces lifecycle costs
Formalized nature of DO-178B Level C development process leads to high overall product quality
  Process facilitates change management & lifecycle support
  Production of required artifacts demonstrates compliance and supports users of software products
  Full traceability of functions to design, to code, and to test
  Full functional test coverage: verifies that all functions have been tested
  Full structural test coverage: verifies that all code is executed
The significance of all this…
Portable software designed to mission-ready quality standards can reduce manufacturer cost & schedule risks, and can facilitate certification
ATN software certifiable to DO-178B Level C has been in the field since February 2000, and will play a major role in the FAA CPDLC communication infrastructure, as well as in the products of the ACI partner companies
This portable & certifiable software is available to 3rd parties under license, to provide the same benefits of cost and risk reduction, and to aid in bringing the ATN into service…TODAY
Aeronautical Communication International LLC: Who are we? What do we do?
ACI was formed in 1997 as a joint venture of Airsys-ATM, Honeywell International, Thomson-CSF Sextant & Sofréavia, all suppliers of CNS/ATM products & services
ACI was created to execute the ATN Router Reference Implementation (RRI) Project, under contract to ATNSI
In addition, ACI has financed a variety of ATN-related software developments and service activities:
  Complementary Application/Management Software
  ATN standardization support (AEEC, IATA & ICAO)
  ATNSI CTS Program Support
  EUROCONTROL Petal II & CAERAF Program Support
  FAA Ground Router Architecture & Evaluation Support
ACI is currently engaged as a subcontractor to CSC on the FAA CPDLC Build I & Build I/A Programs
Aeronautical Communication International LLC: For more information…
Contact: Forrest Colliver, General Manager, [email protected]
Bob Kerr, Marketing & [email protected]
Or, visit the ACI web site at www.aci-llc.com