[IEEE 2012 IEEE/AIAA 31st Digital Avionics Systems Conference (DASC) - Williamsburg, VA...


Page 1: [IEEE 2012 IEEE/AIAA 31st Digital Avionics Systems Conference (DASC) - Williamsburg, VA (2012.10.14-2012.10.18)] 2012 IEEE/AIAA 31st Digital Avionics Systems Conference (DASC) - Civil

978-1-4673-1900-3/12/$31.00 ©2012 IEEE 6A4-1

CIVIL CERTIFICATION OF MIL-STD-1553B

Dipl. Ing. Tobias Schneider, CASSIDIAN, 89073 Ulm, Germany

Abstract

With the A400M, a military transport aircraft is being developed and certified according to both civil and military rules and regulations. As can be expected, some of the civil and military requirements and rules contradict each other.

This paper will give an overview of how the four independent MIL-STD-1553B military data buses installed on A400M were certified to civil standard for entry into service of the aircraft aimed for the end of 2012. This paper describes some of the issues encountered and how they were solved and also highlights the impact of stringent civil lightning strike requirements and how they can be met by the 1553 standard.

On the A400M, the aircraft level certification of the 1553 data buses is under the responsibility of CASSIDIAN, subsidiary of EADS.

Introduction of A400M

The Most Versatile Airlifter

The A400M responds to the changing military air transport needs and closes the gap between the tactical transporters (e.g. C-130, C-160, An-12) and the strategic airlifters (e.g. C-17, C-5, C-141, An-124, etc.).

The key characteristics and performance values of the aircraft are listed in Table 1.

The A400M is planned to replace the dated C-160 Transall and C-130 Hercules of several European nations. The political change over the last few years has identified a need for strategic and tactical airlift capability for combat, peace keeping and humanitarian missions.

The participating European nations formed the “Organisation Conjointe de Cooperation en matière d’Armement” (OCCAR), which contracted AIRBUS Military to develop and build the A400M.

Table 1. A400M Key Characteristics (Abstract)

| Performance Data | |
| --- | --- |
| (4x - Engine) EuroProp International TP400-D6 | (4x) 11.000 hp / 8.200 kW |
| Maximum Operating Altitude | 40.000 ft / 12.200 m |
| Maximum Cruise Speed (TAS 1) | 300 kt / 555 km/h |
| Cruise Speed Range (Mach) | 0.38 – 0.72 M |
| Range | |
| Range with Max. Payload (37.000 kg / 81.600 lb) | 1.780 nm / 3.300 km |
| Range with 20.000 kg (44.000 lb) Payload | 3.450 nm / 6.400 km |
| Maximum Range (Ferry) | 4.700 nm / 8.700 km |

Civil and Military Certification

Previously, civil aircraft were certified according to the civil certification, while military aircraft were qualified according to the military regulation of the nations, and both were distinctly separated.

For the A400M it was required from the beginning that the aircraft be compliant to the EASA CS 25 regulation. Therefore, it was decided to have a full civil certification for the platform (TC) and several steps of military qualification (IOC and SOC) for integration of military systems.

1 TAS – True Air Speed


Military Organization

For the military certification and qualification, new organizations were defined. Table 2 gives an overview of the military organizations, their role and the civil equivalent.

Table 2. Military Organization

| Name | Definition | Role | Civil Equivalent |
| --- | --- | --- | --- |
| OCCAR | Organisation Conjointe de Cooperation en matière d’Armement | Customer – A400M aircraft buyer on behalf of the involved nations. | Airlines |
| CQC | Certification and Qualification Committee | Airworthiness Authority (Military) | EASA / FAA |
| CQP | Certification and Qualification Panel | Link between CQC and Industry | EASA Panels |
| TOA | Terms of Approval | Recognition of Airbus to be responsible for A400M design | DOA |
| PADA | Process for Appointment of Design Authority | Issuance of TOA letter | |

Qualification Milestones

In addition to the Type Certification (TC) 2, the following additional military qualification milestones exist: IOC 3, SOC 4 (which is divided into several stages).

Military Avionics Domain

Figure 1 gives a schematic overview of the main civil and military systems and their interconnections. The military domain of the A400M consists of three groups:

• M-MMS 5 – is the gateway system to the military domain. It enables the communication between the military DASS 6 and COMM 7 devices and the civil avionic systems on AFDX 8. Furthermore it contains tactical functions such as:

o Low Level Flight Planning and Monitoring
o Tactical Ground Collision Avoidance
o Aerial Delivery Computation
o COMM Management
o Auto Tuning
o Emission Control
o Tactical Situation Awareness
o Display Capabilities for DASS and MIDS 9
o Terrain Referenced Navigation

• COMMS – the communication system is the collection of voice radios, secondary radar IFF 10 and the MIDS. The control of this system is managed via the M-MMS and the cockpit displays.

• DASS – the defensive aids sub system, which is optional, includes the elements which are necessary to protect the aircraft against threats. The main element, the defensive aid computer (DAC 11), collects all of the information and then determines the countermeasure allocation.

Figure 1. A400M Military Structure

2 TC – Type Certification
3 IOC – Initial Operational Clearance
4 SOC – Standard Operational Clearance
5 M-MMS – Military Mission Management System
6 DASS – Defensive Aids Sub System
7 COMMS – Communication Systems
8 AFDX -
9 MIDS – Multifunctional Information Distribution System
10 IFF – Identification Friend or Foe
11 DAC – Defensive Aids Computer

Terms, Definition and Glossary

Certification

Certification is the process of demonstrating compliance with regulations and standards which are required by an authority (usually a civil certification authority).

Qualification

Qualification is the process of demonstrating compliance with the requirements from the customer.

CRIs / MCRIs

Certification Review Items / Military CRIs are documents issued by the authorities describing additional rules, requirements, processes or guidelines, to be fulfilled in addition to the CS 25 to pass the certification of the aircraft.

Bus Owner

The bus owner for certification is the system which includes the bus controller.

Bus User

The bus user is a system or equipment which is connected to the bus either as remote terminal, bus controller or bus monitor.

MIL-STD-1553B and A400M

The A400M contains four dual-redundant MIL-Buses (see Figure 2), three of which are under the design responsibility of CASSIDIAN, the fourth one (Figure 2 – grey area) is under the responsibility of AIRBUS Military. The following scheme gives a rough overview:

Figure 2. A400M MIL-STD-1553B Architecture

The M-MMS is composed of two M-MMCs. The M-MMS includes two MIL-STD-1553B buses, the COMM bus, which controls voice communication and the MISSION bus, which controls the mission-related communication including IFF, MIDS and DASS. The third MIL-Bus is the DASS internal bus, which controls the data exchange between the DASS equipment and the DAC.

The M-MMS is connected via AFDX to the civil domain; this includes the cockpit display system, flight management system, maintenance systems and other systems. For backup, there are some additional A429 interfaces installed.


Physical Layout

As shown in Figure 2, there are three MIL-Buses under the responsibility of CASSIDIAN. See Table 3 for details; the colour mentioned in the top row identifies the bus.

Table 3. Physical Layout of A400M MIL-Buses

| | COMM Bus (yellow) | MISSION Bus (green) | DASS Bus (orange) |
| --- | --- | --- | --- |
| Number of Couplers per Lane | 6 | 4 | 4 |
| Number of stubs | 24 | 16 | 16 |
| Number of equipments | 14 | 6 | 4 |
| Main Bus Length [m / ft] | 50 / 164 | 30 / 98 | 52 / 171 |
| Aver. Stub Length [m / ft] | 1,5 / 5 | 2,8 / 9,2 | 2,1 / 6,9 |

Logical Layout

The logical layout for each single piece of equipment is defined in the associated logical ICD. As described in the section “Equipment Diversity”, each piece of equipment will react in a different way to the optional commands and functions.

As seen in Figure 1, the M-MMS is the gateway system between the civil and the military world. The M-MMS has to ensure the data flow in both directions. Therefore an internal routing database was created, which uses input information from interface data and the dataflow of the internal functions, guaranteeing that the data is consistent.

Equipment Diversity

One of the main challenges faced in the development of the A400M MIL-Buses is the different interpretation of the MIL-Bus standard by a large variety of COTS 12 and MOTS 13 devices in addition to devices which were newly developed.

In the case of the A400M MIL-Buses, some of the equipment, mainly connected to the COMM Bus, was off-the-shelf equipment already chosen by the customer. Therefore a common MIL-Bus design was not possible. The opposite situation was faced on the DASS Bus, where all the devices are new developments or adaptations of existing ones. Here it was possible to come up with common MIL-Bus requirements for all devices.

The variability of individual equipment characteristics on all buses has to be managed by the Bus Controller. This makes the functionality of the MIL-Bus Management SW, which is hosted on the bus controller, more complex and leads to additional test and certification effort.

According to MCRI F120 the system which includes the bus controller is the bus owner.

Certification of MIL-STD-1553B

First Concepts

Before the MIL-Bus system development for A400M, CASSIDIAN had met with AIRBUS and the CQP to discuss how to certify the MIL-STD-1553B data buses. The intention from CASSIDIAN was to use the experience from other programs (Eurofighter Typhoon and Tornado) and introduce the verification and validation tests defined inside the SAE-AS-411x documents, while the first approach of the CQP was to take the (EASA) CRI F-30 “Secondary Data-Buses” into consideration against the CS25.1301 and CS25.1309 as acceptable means of compliance.

CASSIDIAN proposed to introduce the SAE-AS-4111 to SAE-AS-4117 as acceptable means to demonstrate compliance with the objectives of MIL-HDBK-1553B.

12 COTS – Commercial Off The Shelf
13 MOTS – Military Off The Shelf

Defining a New MCRI

After several rounds of discussion, it was agreed that the application of the SAE-AS-4111 to 4117, as an acceptable means, is valid to demonstrate that the objectives of the military handbook for MIL-STD-1553 14 data buses are met. This is a very important part of the MCRI-F120, which allows the usage of existing test cases and test environments for verification.

Functional Breakdown

Because of the inclusion of several partner systems for the MIL-Bus certification, it was necessary to split the certification strategy of the MIL-Bus from the strategy for the M-MMS. This split decouples the dependency of the M-MMS system from other systems. Furthermore, as an interconnection between systems, the MIL-Bus provides the same functionality as the AFDX network, which is handled as a separate system.

Ultimately, a dedicated certification package within the overall M-MMS certification package was created especially for the MIL-STD-1553B.

The Plan

A new certification plan was written defining the road map for the MIL-STD-1553B certification. It addresses the Interpretative Military Material, which is defined in the MCRI-F120.

Tailoring had to be introduced to adapt the SAE-AS-411x test cases to the system and equipment design of the A400M. For the justification of this tailoring a separate document was created, describing the analysis and the tailoring in detail.

Within the tailoring, adaptations were made to state-of-the-art measurement technology and the peculiarities (like the dimensions of the aircraft, bus routing, type of couplers) of the A400M aircraft. The combination of several tests in one test and the use of modern signal generators and digital oscilloscopes reduced the overall test amount significantly.

The approach had to be discussed and agreed with the authorities / CQP.

Certification Report

The MIL-Bus Certification Report collects all of the evidence, analyses and justifies the evidence to meet all of the applied regulations as well as to identify possible deviations.

14 MIL-HDBK-1553A

Civil vs. Military

During the certification of the MIL-STD-1553B, CASSIDIAN faced the situation that the civil environmental requirements contradicted the requirements of the MIL-STD-1553B: the requirements for protection against lightning require that the protection is installed at equipment level. Therefore, equipment lightning protection devices were installed on all interfaces – including the MIL-STD-1553B interfaces. These protection devices influence the electrical characteristics in such a way that output voltage and input impedance could no longer meet the MIL-STD-1553B.

Looking only at the equipment, this deviation is not a problem to deal with; a single deviation of input impedance and output value may be acceptable. But at the system level, a different part of the situation became visible: more than one piece of equipment had deviations in the electrical parameters. The sum of all the deviations can have a significant impact on the overall bus performance. At this stage of the design, a DAL D device would be able to disturb and interrupt a DAL C device.

Let us continue with the assumption that only the civil requirements should be taken into account. In the current scenario, this may lead to an inoperable bus network. The possibilities are now to reduce the overall electrical load (e.g. by reducing the overall length of the main bus or reducing the number of terminals), but this depends on the overall design and environmental condition for the routing of the bus network.

The other option would be to focus only on the military standard by getting rid of the lightning protection devices. The risk here is that the device will not pass the civil certification or that other impacts will increase, e.g. maintenance costs due to the maintenance effort of the shielding of the network.

For the MIL-Buses on A400M, an investigation was started to analyze the robustness based on a worst-case scenario, taking all of the deviations from all devices into account. Finally, the robustness tests were executed on the aircraft platform, using the worst-case scenario. The analysis of the results provides the evidence that the performance of the MIL-Bus system can be guaranteed, even under the worst-case scenarios, by acceptable reduction of performance. The remaining performance is still within the required parameters and has no negative impact on aircraft operation.

The result led to the final decision to accept the deviation from the MIL-STD-1553B and be compliant with the civil environmental requirements. For future equipment upgrades the analysis has to be repeated or revalidated with new equipment characteristics.

The critical point is that there are no standard procedures to solve such a conflict. Therefore, the analysis of the conflict is the way forward. This is a complex task, because all of the aspects have to be taken into account, which includes maintenance and commercial aspects too, and not only technical aspects. Furthermore, most of the conflict situations may appear during the implementation or testing phase, rather than during analysis and design.

DAL Classification

Parallel to the civil DAL classifications for the A400M, the military mission reliability is mapped on civil DAL levels as Table 4 shows.

Table 4. Failure Condition Classification Mission Reliability Point of View

| Military Classification | DAL |
| --- | --- |
| Mission Interruption | C |
| Mission Delay | D |
| No Mission Effects | E |

For the MISSION and COMM Bus, the military classification is “Mission Interruption”, which is equivalent to civil DAL C classification. The devices connected to the bus are either classified as DAL D or DAL C. Finally, the buses consist of a mix of devices with different DAL classification (see Figure 3). The MCRI-F120 is only applicable for devices which are classified as DAL C or higher.

Figure 3. Intermix of Different DAL Classifications (devices on the bus labelled DAL C, DAL C, DAL D, DAL D, DAL C)

But how can one ensure a proper functioning of the overall bus in such a case, and especially when one already knows that there are some parameters which will not meet the overall bus performance?

After the analysis of the known deviations and the impact on the overall robustness, CASSIDIAN, in the role of bus owner, decided that the DAL D equipment has to provide evidence according to the MCRI-F120 too. This rule is applicable for all parameters and functions which could influence the DAL C communication in case of failure. For all other parameters and functions, which do not influence the DAL C communication, the rule is optional.

This decision was necessary after the first deviations of the devices were known (see section “Civil vs. Military”). It was necessary to identify all relevant parameters of the devices to do a robustness analysis of the complete network and to identify which deviations could be accepted and which could not.

Based on the experience and the rules from A400M M-MMS SW engineering, CASSIDIAN took a similar approach for handling the interaction of different DAL functions: if the higher level DAL function receives data from a lower level DAL function, it must be ensured that the data are correct and reliable. This mechanism was transferred to the interaction of devices with different DAL levels on a common bus. In the case of a failure of DAL D devices, the bus must not be disturbed or interrupted.

Therefore, it was additionally requested for all DAL D devices to provide selected evidence even if the device is classified for DAL D only.
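The rule that a higher-DAL function must only consume data it has checked can be sketched as a receive-side acceptance gate. The C code below is an added example, not taken from the paper or from the A400M software: the function names, verdict codes and sample words are constructed for illustration, while the command/status word layout and odd parity follow MIL-STD-1553B. It assumes a non-broadcast transmit command to a data subaddress (no mode codes).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Verdict handed to the higher-DAL consumer (hypothetical names). */
typedef enum { MSG_ACCEPT, MSG_REJECT_PARITY, MSG_REJECT_ADDRESS,
               MSG_REJECT_STATUS, MSG_REJECT_LENGTH } msg_verdict;

/* One 16-bit word plus the parity bit that followed it on the wire. */
typedef struct { uint16_t bits; uint8_t parity; } word1553;

/* Status word flags (bit 15 = first bit after the sync pattern). */
#define ST_MESSAGE_ERROR 0x0400u
#define ST_RESERVED      0x00E0u /* must be transmitted as zero */
#define ST_BUSY          0x0008u

/* MIL-STD-1553B uses odd parity over the 16 bits plus the parity bit. */
static int odd_parity_ok(word1553 w) {
    unsigned ones = w.parity & 1u;
    for (unsigned v = w.bits; v != 0; v >>= 1) ones += v & 1u;
    return (ones & 1u) == 1u;
}

/* Build a word with correct parity; used only for the constructed samples. */
static word1553 make_word(uint16_t bits) {
    word1553 w = { bits, 0 };
    if (!odd_parity_ok(w)) w.parity = 1;
    return w;
}

/* The RT address is the top five bits of command and status words. */
static unsigned rt_addr(uint16_t word) { return (word >> 11) & 0x1Fu; }

/* Word count field of a command word: 0 encodes 32 data words. */
static unsigned cmd_word_count(uint16_t cmd) {
    unsigned n = cmd & 0x1Fu;
    return n ? n : 32u;
}

/* Gate for an RT-to-BC transfer: the payload is released to the higher-DAL
 * function only when every check passes. */
msg_verdict validate_rt_to_bc(uint16_t command, word1553 status,
                              const word1553 *data, size_t n_data) {
    if (!odd_parity_ok(status)) return MSG_REJECT_PARITY;
    if (rt_addr(status.bits) != rt_addr(command)) return MSG_REJECT_ADDRESS;
    if (status.bits & (ST_MESSAGE_ERROR | ST_BUSY | ST_RESERVED))
        return MSG_REJECT_STATUS;
    if (n_data != cmd_word_count(command)) return MSG_REJECT_LENGTH;
    for (size_t i = 0; i < n_data; i++)
        if (!odd_parity_ok(data[i])) return MSG_REJECT_PARITY;
    return MSG_ACCEPT;
}

/* Constructed cases: RT 5 is commanded to transmit 2 words from subaddress 3. */
msg_verdict constructed_case(int which) {
    const uint16_t command = 0x2C62;            /* RT 5, T/R=1, SA 3, WC 2 */
    word1553 status = make_word(0x2800);        /* clean status from RT 5 */
    word1553 data[2] = { make_word(0x1234), make_word(0xABCD) };
    size_t n_data = 2;
    switch (which) {
    case 1: status = make_word(0x3000); break;  /* answer carries RT 6 */
    case 2: status = make_word(0x2808); break;  /* RT reports busy */
    case 3: data[1].bits ^= 0x0001u; break;     /* bit flipped, parity stale */
    case 4: n_data = 1; break;                  /* one data word short */
    default: break;                             /* 0: well-formed reply */
    }
    return validate_rt_to_bc(command, status, data, n_data);
}

int main(void) {
    static const char *names[] = { "ACCEPT", "REJECT_PARITY", "REJECT_ADDRESS",
                                   "REJECT_STATUS", "REJECT_LENGTH" };
    for (int i = 0; i <= 4; i++)
        printf("case %d -> %s\n", i, names[constructed_case(i)]);
    return 0;
}
```

A rejected message leaves the consumer on its last valid data or a defined fallback, so a misbehaving lower-DAL terminal degrades one input instead of corrupting the higher-DAL function.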

Practical Implementation

Figure 4 shows how the document relation is established. Please note that this is only an abstract and does not cover the complete document tree.

On the top row (from left to right), the MIL-STD-1553B, MCRI-F120, MIL-Bus Certification Plan (Plan), MIL-Bus Justification (Justification) and the final MIL-Bus Certification Report (Final Report) are listed. These are the documents which contain the relevant information to demonstrate certification compliance.

The next two rows show how the SAE-AS-4111 and SAE-AS-4115 are incorporated into the document flow, by generating Lab Test Requests (LTR) and Ground Test Requests (GTR) out of the SAE documents. For the GTR, it is necessary to define Ground Test Instructions (GTI) and during the tests several test reports are created. All this evidence is compiled into the Ground Test Report Analysis (GTRA).

Figure 4. Document Flow

In the end, the Final MIL-Bus Certification Report contains the summary of all the evidence. Furthermore, it contains the list of all the evidence and justification of the bus owner as described earlier. The idea behind this document flow is that either the existing SAE-AS-411x test cases can be used or credit can be taken from the M-MMS system and equipment tests by demonstrating the compliance to the SAE-AS-411x by a coverage analysis.

Even though the development structure of the A400M and the M-MMS is divided into several levels (L0 – aircraft level, L1 – System level, L2 – Supplier level, L3 – Equipment level) and the SAE-AS411x documents address either equipment or system level, a one-to-one coverage was not possible.

The validation and verification strategy of the M-MMS allows credit to be taken from tests at other levels. Therefore, the evidence for the SAE-AS4115 system tests was found not only on the system level; the equipment level was used to take credit as well.

The tracing and coverage become more complex, but the overall test effort is reduced.

Lessons Learned

Early Discussion with the Authorities

It proved beneficial to keep the military certification panels informed from the start with respect to planning and status.

As soon as the first certification plan was written, the authorities were informed during several CQP meetings about how to do the certification for the MIL-STD-1553B and the current status and situation.

Usage of Existing (Military) Standards

The usage of already existing (military) standards, such as the SAE-AS-411x documents, reduces the effort and costs for validation and verification activities. Existing test procedures and equipment could be used.

Shared Experience from Other Projects

The expected benefits from transferring MIL-Bus experience from other projects (e.g. Eurofighter Typhoon, Tornado or Eurocopter’s Tiger and NH90) were smaller than expected. The transfer of knowledge for the MIL-STD-1553B basics was not the problem. As soon as the interaction with the aircraft was started, it became clear that there are multiple differences between a fighter aircraft and an airlifter, as the following examples show:

• Dimensions of the aircraft: The dimensions of the airlifter are different from those of the fighter (of course this is nothing new). Test equipment which was developed for the small fighter could not be used for the A400M, because the length of the measurement cables was too short. The equipment locations for the MIL-Bus terminals are grouped into several avionic racks, which are spread over the whole aircraft.

• Inline Coupler vs. Boxed Coupler: Inside the fighter aircraft, mainly the inline couplers are used, included in a pre-manufactured cable harness. For the A400M, the impact on weight was not as critical as the possibility for easy assembly and maintenance, therefore the box coupler cable harness was chosen.

• STANAG 3910 (EFAbus Express – Eurofighter Avionics Bus): Some of the Eurofighter data networks are based on the STANAG 3910, which is a derivation of the MIL-STD-1553B (STANAG 3838) with parallel network of a low speed MIL-STD-1553B and a high speed optical data system. Therefore it was not possible to gain all experience.

Early Check for Conflicts

Checking from time to time for new potential risks, which may occur due to incompatibility or contradiction of different standards, will save time and money.

Outlook

With IOC certification the foundation is set for the further certification extensions with the next SOC certification objectives. By adding new military devices, of course some of the system tests will have to be re-run and the certification evidence of the new devices will have to be analysed, but ultimately this is just a repetition of what has been already done for IOC.

The civil certification of the MIL-STD-1553B has shown that it is possible to do the certification for military standards. But it has also shown that there are several contradictions in between and that it will not be possible very often to incorporate military standards side-by-side without any tailoring or adaptations.

Finally, the designated use of the customer will determine whether civil certification of military standards and military platforms is necessary or not.

Author’s Biography

Tobias Schneider is a systems engineer at CASSIDIAN in Ulm, Germany, and is responsible for the MIL-STD-1553B data buses on the A400M.

After graduating with a degree in high frequency engineering in 2001 at the University of Ulm, Tobias Schneider started working as an engineer for “Euro Telematik”, a general aviation company, where he became familiar with the development of avionics, for both civil (general aviation) and military use. In 2003, he became responsible for Drivers interface software, which is part of the CAPTOR Tranche 2, the Eurofighter Typhoon radar.

In 2005 he took over the A400M MIL-Bus System. In the following years, he managed the A400M MIL-Bus team from aircraft level (platform), to system and all the way to equipment level. In early 2012, he took over the Options Management of the M-MMS in addition to the MIL-Bus responsibilities.

In the middle of 2012, he finalized all certification activities for the Initial Operational Clearance (IOC) of the A400M M-MMS MIL-Buses.

31st Digital Avionics Systems Conference October 14-18, 2012