Slash Avionics Integration Costs with DO-178C Certifiable Connectivity Software

DO-178C Level A Certifiable DDS

The Connectivity Platform for the Industrial Internet of Things™

Mission Critical andSafety Critical Software

2

Integration of UAS with Commercial Aviation

• Ensure safety of commercial aviation

• Ensure safe integration of UAS into the NAS

©2015 Real-Time Innovations, Inc.

Communication Co-operation and Control

3

UAS Segments

• Aircraft Segment– Typically - Distinct Physical Boundary

• Control Segment– One or more control segment, static or mobile– E.g. separation between navigation and mission

• Communications Segment– Possible multipath – E.g. Line of sight, beyond line of sight

• Air Traffic Network– Evolving (NextGen)


4

NAS Communication

Comm

unication Segment

Communication SegmentAircraft

NAS

OtherAircraft

ATC - Air Traffic Control

ATC – Communications

Surveillance and Navigation

Surveillance



5

UAS/NAS Communication

Com

mun

icatio

n Se

gmen

t

Communication Segment

Comm

unication Segment

Communication SegmentAircraftSegment

NASControlSegment

OtherAircraft

ATC - Air Traffic Control

ATC – Communications ATC –

Communications

Command and Control


Surveillance and Navigation

Surveillance

Flight planning and Aeronautical information



6

UAS integrated in NAS

Vehicle Operator

Payload Operator

OperationsController

ATC Traffic Controller

Control Segment

Payload

Onboardsystem Cooperative

Targets

Un-CooperativeTargets

Surveillance

Safety

Security


7

Role of Connectivity


Sensors

Communications

FusionActuators

Control

Displays

Recording

©2015 Real-Time Innovations, Inc. 8

Traditional Approach to Distributed Avionics:Bespoke Connectivity and Integration

• Apps/connectivity layer written directly to transport• Tied to transport’s:

– Semantics, e.g.: 11, 1many, reliable, unreliable…– Proximity assumption, e.g.: same partition, same node

Sockets, AFDX, shared memory, ARINC ports, message queues…

Application

OS & Transport

Connectivity

Application

OS & Transport

Connectivity

May not be clean separation between app, connectivity and

integration logic

9

Traditionally Handled by Custom Logic

• Addressing• Discovery / presence / health• Startup order dependencies• Reliability over unreliable transports

(e.g., multicast)• Heterogeneous interoperability

• Reconnections• Failover• State synchronization• Timing control and visibility• Bridging across nets, xports


Application

OS & Transport

Connectivity

Application

OS & Transport

Connectivity

10

Costs Increase over Time

• Often use point-to-point integration– Changing or adding components affects others– Necessitates integration work, re-certification– O(n2) complexity

• Requirements change, e.g., moving apps and changing xports• Systems become more stovepipe, brittle and expensive to maintain

over time



Connext DDS Cert

• Handles connectivity heavy lifting• Replaces custom code, simplifies app and integration logic• Based on Data Distribution Service (DDS) standard

DDS APIApplication

Operating System

Application

Operating System

xport1 xportn… xport1 xportn…Connext DDS Cert Connext DDS Cert

DDS-RTPS Wire Interoperability Protocol:• Interoperable across programming languages, operating systems, CPU families• Interoperates with other Connext DDS products for mixed-criticality environments• Reliable or best effort delivery, even over unreliable transports

Pluggable transport interface:Supports multiple concurrent

Standard semantics:• Data-Centric Publish-Subscribe• Transport independent

12

Publish/Subscribe for Loose Coupling

• Apps can be added and changed w/o changes to other deployed components• Easy to test; RTI provides record and replay services


DDS Software Data Bus

Sens

or D

ata

Control App

Com

man

ds

Stat

us

Sensor

Sens

or D

ata

Actuator

Com

man

ds

Stat

us

Sensor

Sens

or D

ata

Display App

Sens

or D

ata

Stat

us

13

Data-Centric Publish/Subscribe

• Similar to using a database• Apps publish and subscribe to data objects• DDS maintains shared state for system robustness

– Applications maintain consistent view– Late joining applications get current snapshot, desired history– Not necessary to persist or reliably deliver all messages

PublishSubscribe

Squawk Long Lat Alt

1234 37.4 -122.0

500.0

7654 40.7 -74.0 250.0

Line Flight Dest Arv

UA 567 SFO 7:32

AA 432 LAX 9:15

Squawk Line Flight

1234 UA 567

7654 AA 432


14

Facilitates Modular, Open Architectures• Well-defined interfaces between components

– Standard data-centric publish-subscribe paradigm– Well-defined data model using OMG IDL or XML– Code generation from data model for type safety– Standard network protocol and serialization

• DDS widely used for FACE, UCS, OMS, others• RTI provides FACE Transport Services Segment (TSS) reference implementation


DDS Application

Operating System

FACE Unit of Portability (UoP)

Operating System

xport1 xportn… xport1 xportn…Connext DDS Cert Connext DDS Cert

DDS-RTPS Wire Interoperability Protocol

FACE TSS• FACE type-specific Transport

Services (TS) API• Generated from FACE

Platform Data Model by RTI IDL compiler

15

Connext DDS Inherently Well-Suited toSafety-Critical Systems

• Non-stop availability– Decentralized architecture– No single point of failure– Support for redundant networks– Automatic failover between redundant publishers– Dynamic upgrades

• No central server or services• Version-independent interoperability protocol

• Control over real-time Quality of Service• Visibility into missed deadlines and presence• Proven in thousands of mission critical systems


16

Example: US Army Asset Tracking System

Legacy Capability:• 500K lines of code• 8 yrs to develop• 21 servers• Achieved: 20K tracked

updates/sec, reliability and uptime challenges

With Connext DDS:• 50K lines of code—order

of magnitude less• 1 yr to develop—8x less• 1 laptop—20x less• Achieved: 250K+ tracked

updates/sec, no single point of failure

“This would not have been possible with any other known technology.”—Network Ops Center Technical Lead


17

Connext DDS Cert:Designed for DO-178C Level A

• Certifiable subset of DDS API and protocol– Apps are portable to other DDS– Interoperates P2P with other Connext DDS products– Interoperates with other DDS via RTI Routing Service

• Compact, modular and portable– ~21,000 Executable Lines Of Code (ELOC)– ≤335 KB ROM/flash– Bulk of certification evidence is reusable– Well-defined transport and OS interfaces


18

DO-178C Certification Data Package

• Available now• Produced by certification leader Verocel• Supports Design Assurance Level (DAL) A• Includes:

– DDS “C” API– VxWorks Cert OS– Transports: intra-process and UDP with multicast– PowerPC CPU

• ~93% of code is transport, OS and CPU independent– Minor delta cert for ports, DDS C++ API and FACE TSS


Certification of Connext DDS Cert

20

Relationships between Standards

AssessSafety

DevelopSystem

DevelopHardware

DevelopSoftware

DO-178C(Software)

DO-254

ARP 4754A(Systems)

ARP 4761 (Safety)

IntendedAircraftFunction

Allocated Functionsand Requirements

DevelopedSoftware

Requirementsallocated to

Software

Requirementsallocated toHardware

DevelopedHardware

FunctionalSystem

(ComplexElectronicHardware)

DevelopedSystem


21

Implementation Centric View

DevelopHardware

DevelopSoftware

IntegrateSystem

AssessSafety

DO-254

DO-178C(Software)

ARP 4761 (Safety)

(Complex Electronic Hardware)

Allocated AircraftFunctions

IntendedAircraftFunction

ARP 4754A(Systems)

Implementation

Implementation

Function Failure andSafety Information

FunctionalSystem

System Design

Software Design


SC-228 A-Interim (1, 2, and 3)• A-Interim 1, Command and Control (C2) Data Link, MOPS For

Verification and Validation• A-Interim 2, MOPS for Air-to-Air Radar for Detect and Avoid

Systems– If the equipment implementation includes software, the guidelines

contained in DO-178C should be considered.• A-Interim 3, Detect and Avoid (DAA) MOPS for Verification and

Validation– If the equipment implementation includes software, the guidelines

contained in DO-178C may apply at the appropriate software level

22

MOPS - Minimum Operational Performance Standards

They are large documents, but Interim only.Many parameters and other data still to be evaluated and specified


Connext DDS Cert in a Safety Context

• System will have its own Certification Plan• Applications have own Certification Plan

– Plan for Software Aspects of Certification (PSAC)• Real Time OS

– PSAC – and Certification Data Package• Connext DDS Cert

– Has its own PSAC, SAS etc.– Certification Data Package

• Includes all documents and Lifecycle data

23©2015 Real-Time Innovations, Inc.

24

Certification Data Package (CDP)


830.5 Mb of Data

25

Connext DDS Cert Is Part of a System

• As a COTS product, there is no system to trace to

• Derived Requirements need special treatment• Information to be presented to System Safety

Assessment process• Verocel provides Software Vulnerability

Analysis to support Safety Assessment


Software Vulnerability Analysis (SVA)

• What and why?• Connext DDS Cert certified on reference board• Middleware is tested as stand alone system

– No System or Application to reference to

26

How to handle possible errors to be mitigated by the system?


SVA Examples (sample)

• Description of Vulnerability SVA.5– Invalid IPv4 address is ignored and no error is

reported• Observable Behavior

– If an invalid address is specified in one of the enabled_transports Qos policies it is ignored

• Mitigation– User needs to ensure address is valid in

• enabled_transports field of struct DDS_TransportQosPolicy


SVA Examples (sample)

• Description of Vulnerability SVA.3– System does not check for rollover of the following

counters• … OSAPI Tick ...

• Observable Behavior– A system running continuously … will experience a

rollover of tick_sec …• Mitigation

– system must not run continuously for more than 2147483648 seconds (about 68 years).


29

Requirement Centric Hyperlinking


30

Traceability and Impact Analysis Performed with VeroTrace (Verocel’s Qualified tool)


Impact Analysis managed by qualified Traceability tool

Stack Analysis• Worst Case stack size calculated for every API function• Object code is analyzed• All paths checked, and worst case size provided when possible

– Not possible if RTOS functions called– Not possible when user callbacks present

• Calculator provided– Users can provide RTOS sizes and Callbacks

31

Calculator will show true Worst Case Sizes for user in their Analysis


Example for the Maximum Stack Depth Calculator

32

DDS_DataReader_read MAX ( 1056, 864 + MSD(semTake), 624 + MSD(strcmp), 656 + MSD(memcpy), 992 + MSD(semGive), 656 + MSD(LISTENERS_DATAREADER_on_sample_lost), 720 + MSD(LISTENERS_SUBSCRIBER_on_sample_lost), 784 + MSD(LISTENERS_PARTICIPANT_on_sample_lost), 224 + MSD(TYPE_PLUGIN_copy_sample), 352 + MSD(strlen), 448 + MSD(bcopy), 496 + MSD(memalign), 528 + MSD(bfill)

)

RTOS Functions

RTOS Functions

UserProvidedCallbackroutines

Maximum Stack Depth


Structural Coverage Analsysis• At Machine code level• Without instrumentation• Using Requirements based test only

33

Structural Coverage Analysis Summary ReportTEST COVERAGE RATE 99.91%

VEROCODE COVERAGE SUMMARYCoverage Lines Rate

Complete 84573 99.88%Partial 56 0.07%Missing 44 0.05%Total: 84673


Build and Test Support for User

34

Build and Test Support Build Support Build Headers and Makefiles Build Scripts

Certified Source Files CRC Log File -- librti_me_certz_a.txt

Certification Data Package Support Scripts CDPFetchItems.bat -- CDPFetchItems.bat CDPItems.csv -- CDPItems.csv installCDPItems.bat -- installCDPItems.bat installCDPRTIItems.bat -- installCDPRTIItems.bat

Allow a user to rebuild the executable image and check that it is the same


Test Results – all hyperlinked

35

Control Coupling Control Coupling Results Control Coupling Summary -- vxworks.xml Control Coupling Summary - Annotated -- vxworks_annotated.xml Control Coupling Summary Stylesheet -- VerOLink.xsl

Coverage Coverage Analysis -- TR_Summary_Report.xml Coverage Analysis StyleSheet -- TR_Summary_Report.xsl Coverage Result Stylesheet -- FR_display.xsl Coverage Summary -- CovSummary.html

Functional Functional Test Result Checklist -- FTR_ConMicro_Checklist_20150824.doc Functional Test Result Stylesheet -- FR_display.xsl Test Run Summary -- TR_Summary_Report.xml Test Run Summary Stylesheet -- TR_Summary_Report.xsl


Test Support

36

Test Support Application Header Files

BSP Build Files Build Binaries Test Harness Files Test Scripts

Test_Utilities Dedicated General

Tools CRC Tool -- VerCRC32.exe VerOStack Calculator Tool -- vstkCalculator.exe

Allows a user to repeat the testing performed from the CDP

Checks the integrity of the binary image


Test Results on CDP

37

Test Result Summaries Control Coupling Coverage Functional Stack Analysis



Certification is Expensive

• Processes must be defined and followed• Objectives must be met, and Activities completed• All must be documented• Code must be clean

– Traceable– Testable– No dead code– Deterministic in time and memory

• Code must be written for certifiability• Software must be recertified when changed

39

Reducing Certification Costs

• Minimize code that has to be certified– Replace custom code with COTS code that already

has certification evidence– Reduce and simplify application logic

• Decouple software modules and subsystems– Isolate changes– Minimize recertification effort as systems evolve



Customer Example: SRC

“SRC, Inc. is designing, integrating and testing a DO-178C Level B system of systems across VxWorks, Linux and QNX using RTI's DO-178C Level A Connext DDS Cert and Connext DDS products. Each system installation contains up to 32 subsystems that all communicate via DDS in real time. A portion of the subsystems are co-located with the rest located miles away. We are successfully using RTI DDS for our inter-process and inter-subsystem communications, recording, and in our DO-178C automated test environment that runs on Windows. Having RTI's Connext DDS Cert product available allows us to move forward with our certification efforts with system deployment scheduled in 2016!”

41

Connext DDS Cert Can Save $MM

• Replaces 10,000s lines of application code• Simplifies remaining application logic• Eases integration via well-defined interfaces

– Including safety-critical and non-critical components• Minimizes changes and re-certification as systems

evolve– Apps decoupled from underlying port, proximity– Apps isolated from changes in others

• Provides off-the-shelf certification evidence• Proven DO-178C certifiability


rti.com/downloads

Start using DDS Today!Download the FREE complete RTI Connext DDS Pro package for Windows and Linux:

• Leading implementation of DDS• C, C++, C#/.NET and Java APIs• Tools to monitor, debug, test, visualize and

prototype distributed applications and systems• Adapters to integrate with existing applications and

IT systems