TRANSCRIPT
Safety Critical Solutions DO-178B
Joe Colloca, Aonix

We’ll Cover …
• Review: Ada’s role in Safety Critical Systems
• Aonix Raven Solution Architecture
• Safety-Critical Systems
• Aonix / Ada Safety Critical Projects
Ada in Safety Critical Systems
• Ada is preferred, but not required
• Global use
– Aviation
– Rail
– Energy
• Existing standards supported with a certifiable RTS
– DO-178B
– SIL 4
– RIA 23
ObjectAda Raven
Safety Critical Software Development Environment
Product Structure / Approach / Benefits
• Evolvable, “Base +” packaging
– Supports gradual buy-in
– Doesn’t require “all-at-once” commitment
• Platforms, environments, and communications for embedded development & testing
• Covers the breadth of the lifecycle/process
• Value / price competitive
• Familiar environments; ease of use; standards
Product Line Organization
(diagram) Host environments: Windows XP / 2003 / NT; UNIX / Linux / CDE; Eclipse
Packages: Core Solution Package; Enterprise Scalability; Out of Box Certification
Targets: Native; x Intel; x ERC 32; x 68K; x PPC
ObjectAda IDE
SCCI Support
Menu commands: List Files, Keep Checked Out, Comment, Select / UnSelect All, Get Latest, Check Out, Check In, Undo Check Out, Add to CM, Remove from CM, Show History, Show Differences, CM Properties, Invoke External CM
ObjectAda Raven
Certified / Certifiable Compiler & RTS
Safety Systems - Legal
(diagram) Laws / Regulations / Standards / Guidelines
Case Law / Precedence / Interpretations / Standards / Guidelines
Visibility, Traceability
PROCESS
EVIDENCE / RECORD
Confidence / Safety
Runtime Certifiability DO-178B Level A
• Full requirements-through-test-results mapping
• 100% source-level coverage
• 100% machine-level coverage
• Full MC/DC coverage
• Runtimes can be certified, but:
– Termed “certifiable”
– The system as a whole is certified
– Must deliver the certification evidence record
170 Pounds of Certification Evidence …
Hercules - C130J and C27
Flight Management Unit
Ground Collision Avoidance System
Back-up FMU
Certification Experience – C-130J Avionics
• Reviews
– Requirements
– Design
– Code
• Functional testing
• Coverage testing
• Large amount of test data to be analyzed
Over 3000 signatures required on certification material for one RTS certification system
RTS ~ 6000 lines of code
HELP!
Ravenscar Profile
• Industry-wide safety critical standard
• Ada95 subset
– Deterministic
– Certifiable
• Tasking allowed
– Rendezvous disallowed
– Use protected objects for communication
• No dynamic memory allocation
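The profile rules on this slide, shown in a short Ada program added here as an example; it is not Aonix code and does not come from the presentation. Assumptions: an Ada 2005 compiler, so the profile is selected with the standard `pragma Profile (Ravenscar)` (Ada 95 compilers used a vendor pragma); the package Altitude_Monitor, the protected object Latest, the task Sampler and the procedure Main are invented names; the extra `No_Allocators` restriction is added explicitly because the Ravenscar profile by itself only forbids implicit heap allocation, so the slide's "no dynamic memory allocation" rule needs that stronger restriction. The three compilation units are shown in one listing; compilers that want one unit per file (GNAT's gnatchop splits such a file) take them as three files.

```ada
--  Added example (not Aonix code): a minimal Ravenscar-conformant design.
--  Ada 2005 form of the profile; an Ada 95 toolchain used a vendor pragma.
pragma Profile (Ravenscar);
--  Ravenscar alone only forbids *implicit* heap use; this makes every
--  "new" a compile-time error, matching the slide's rule.
pragma Restrictions (No_Allocators);

package Altitude_Monitor is

   --  Inter-task communication goes through a protected object.
   --  Rendezvous (task entries, accept, select) is rejected by the profile.
   protected Latest is
      procedure Set (Feet : Integer);
      function Get return Integer;
   private
      Value : Integer := 0;
   end Latest;

   --  Tasks are declared at library level (no task hierarchy) and
   --  never terminate.
   task Sampler;

end Altitude_Monitor;

with Ada.Real_Time; use Ada.Real_Time;

package body Altitude_Monitor is

   protected body Latest is
      procedure Set (Feet : Integer) is
      begin
         Value := Feet;
      end Set;

      function Get return Integer is
      begin
         return Value;
      end Get;
   end Latest;

   Period : constant Time_Span := Milliseconds (20);

   --  Periodic task: one loop, "delay until" an absolute time.
   --  A relative "delay 0.02;" would be rejected (No_Relative_Delay).
   task body Sampler is
      Next   : Time    := Clock;
      Sample : Integer := 0;   --  constructed stand-in for a sensor read
   begin
      loop
         Sample := (Sample + 1) mod 100_000;  --  bounded, so no overflow
         Latest.Set (Sample);
         Next := Next + Period;
         delay until Next;
      end loop;
   end Sampler;

end Altitude_Monitor;

with Ada.Real_Time; use Ada.Real_Time;
with Altitude_Monitor;

--  The environment task acts as a simple liveness monitor of Sampler:
--  once a second it checks that a fresh reading has been published.
procedure Main is
   Last_Seen : Integer := Altitude_Monitor.Latest.Get;
   Next      : Time    := Clock;
   Stalled   : exception;
begin
   loop
      Next := Next + Seconds (1);
      delay until Next;
      if Altitude_Monitor.Latest.Get = Last_Seen then
         raise Stalled;   --  Sampler has not advanced in a full second
      end if;
      Last_Seen := Altitude_Monitor.Latest.Get;
   end loop;
end Main;
```

Everything the slide forbids is a compile-time rejection under the profile, which is the property a certifiable toolchain relies on: no select statements, no task entries, no relative delays, no implicit heap use, and with the added restriction no explicit allocators either, so the set of tasks and the memory they use are fixed before the program starts.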
Ravenscar Profile Support
(diagram)
• Flags Ravenscar Profile violations at compile time
• New support: bounded tasking model
• New support: segregated loads
Targets: PowerPC 32 bit, Intel, ERC32, 68K
Ravenscar Profile Support
• VectorCast
– Source Level Coverage & Test Harness
– Integrated Code Coverage
– Repeatable Testing
– Compiler integration
– Embedded target-based testing
• AdaCover
– Full target-based machine-level coverage testing
• Out-of-Box Level A Certification Packages
Certification Record on Digital Media
Raven Example Packaging
• Core Pack
– Basic Development Environment
• Project Pack
– Advanced language-sensitive tools for larger-group source consistency / style guideline conformance
• Test Pack
– Provides coverage for higher levels of quality verification in mission- and safety-critical development
• Safety Critical Pack
– Comprehensive standards-based testing & documentation through Level A
• Design Pack
– Implements best practices for designing and producing safer & more reliable software applications & reusable components
Where is Ada in Safety Critical?
• Lockheed Martin - C130J and C27
• Boeing 777
• Boeing 737
• Westinghouse Electric - Nuclear Shutdown
• Westinghouse Brake and Signals – London Underground - Jubilee Line extension
– Automatic Brakes and Signaling
Boeing 777
(diagram) Brakes: Crane/Hydro-Air
Axle Steering: Parker/Abex-NWL
GPS: CMC
Power Management: Sundstrand
London Underground – Jubilee Line
• Software role
– Manage train separation – faster & closer together
– Inter-train communication
– Central control center
• Architecture & safety standard
– M68030 controllers
– Software Integrity Level 4 (SIL)
– RIA 23 required
• Mapping document produced between RIA 23 and Aonix (DO-178B) certification materials
Aonix Program Success
• ITT Avionics: Integrated RF Countermeasures
• Honeywell: H-764G Embedded GPS
• Thales Avionics: Global Positioning System
• Lockheed Martin: Missile and Guidance System Upgrades
• Thales Avionics: Flight control data concentrator AIRBUS A330-A340
• Thomson CSF: Braking and steering control AIRBUS A330-A340
• Navia: Air Traffic Control (ATC) ground-based instrument landing system
• Eurocontrol: ATC Germany, England, France, Belgium
• Eurocontrol: Flight Management System
• Thales Air Defence: ATC
• Wilcox Electric: Avionics radar system
• Chandler Evans: Engine control system
• Lockheed Martin: Flight Management: Lockheed C130J
• Aerosystems International: Ground Collision Avoidance System
• Lockheed Sanders: Avionics Displays Lockheed C130J
• Canadian Marconi: GPS Boeing 777
• Parker/Abex-NWL: Axle Steering System Boeing 777
• Sundstrand: Power Management System Boeing 777
• Crane/Hydro-Air: Braking System Boeing 777
Aonix Program Success
• Astrium: Automated Transfer Vehicle
• Alcatel SEL: Satellite positioning system
• Aerospatiale: Ariane V launcher
• Matra Marconi Space: Ariane V launcher
• CNES: Galileo Mars probe - switching and telemeasuring systems
• CNES: Satellite imaging system
• Astrium GmbH: International Space Station - Columbus project
• NASA / Boeing: International Space Station - Flight Control Systems
• Matra Marconi Space: Atmospheric Pressure Module - Data / Network management
• Alstom Transport: Radio Bloc Center system Rail Traffic Management
• GEC Alsthom: Subway network control systems Paris, Calcutta, and Cairo
• GEC Alsthom: Signal control system: TGV North Lines / Channel Tunnel
• CSEE Transports: TGV Brake system / TVM 430 project
• Westinghouse: Brake and Signals system London Underground Jubilee Line
• Swisslog Software: Supply Chain Management System
• XATA: Telematics application framework
• Kordoba: Enterprise Data Model
• NORTEL Networks: Optical Switch Platform
• Siemens: Network Management System
Coming Soon
Multi-language time & memory partitioned kernel
Summary
• Ada is a good technical choice for high-integrity systems
• Aonix solution architecture delivers business value throughout the development cycle
• Certification out-of-box
• Evolving Aonix solutions are a good technical – and business – choice
www.aonix.com