Transcript of LynuxWorks Webinar on Reusable Software Components
June 13, 2007
Agenda
– Introductions & Housekeeping
– Historical overview of Software in the Airborne Environment
– Software Certification standard: RTCA/DO-178B
– Reusable Software Components: Advisory Circular 20-148
  • LynuxWorks LynxOS-178 Operating System
  • Benefits
Introductions
– Presenter: Joe Wlad, Director of Product Management at LynuxWorks
  • Federal Aviation Administration Designated Engineering Representative
– Post Q&A at any time; answers at the end
– Presentation available for download later; instructions to be provided
First Generation Commercial Aircraft Characteristics
– Few digital systems outside of Inertial Navigation Systems
– Minimal integration: human interface with every computer or its input/output
– Analog computers that communicate using discretes and signals
– 747-200 Autopilot System: 20 separate computers to handle pitch, roll, yaw, trim, throttles and landing!
The B747 Flight Deck
– 1960's technology
– > 1000 switches
– Dozens of unique indicators akin to a boiler room
– 3-person crew to control, navigate and manage flight
– Operating and maintenance costs are very high
Software Use on Aircraft
– Software use on aircraft is now pervasive
  • Lowers costs, improves reliability
  • Crew workload reduced
– Modern flight decks are becoming totally automated
  • Millions of lines of code now running inside a modern airliner
– FAA software certification to DO-178
Typical Federated Architecture: Boeing 757 Flight Management System
– Typical FMS interacts with 15-20 subsystems on an aircraft
– Advantage: failures can usually be localized to a single system or computer
– Disadvantages:
  • Integration also controlled by vendor
  • Separate LRUs for each system using different processors
[Figure: Flight Management Computer block diagram with its connected subsystems: FCC, ILS/MLS, DME/ADF, VOR, OMC, IRS, GPS, CDU, FQIS, EEC, FDR, MCP, ADC, IDS, CLOCK]
Integrated Modular Avionics (IMA)
– Modern processors can support more than a single application
  • Memory Management Units assist with providing application separation, along with a partitioned operating system
– IMA allows for consolidation and portability of applications, thereby reducing program lifecycle costs
IMA Advantages
– Reduce the number of LRUs
  • Lower maintenance costs
  • Reduce weight and size
– Improve portability
  • Reduce upgrade costs
  • Flexibility and fault tolerance
– Improved dispatch reliability
– Boeing claims that IMA design can save 1000 pounds of weight on the 787
DO-178B Background
– DO-178B: Software Considerations in Airborne Systems and Equipment Certification, circa 1992
  • Evolved from DO-178A, circa 1985
– DO-178B is a guidance document only and focuses on software processes and objectives to comply with these processes
  • Developed by RTCA, Inc (a not-for-profit company) and its members to ensure that software meets airworthiness requirements
– Called out in many certification requirements documents as the recommended method to obtain approval of airborne software
  • Design approvals through FAA Technical Standard Orders and Supplemental Type Certificates
– Many other standards exist: SEI-CMM, DEF STAN 00-55, ISO, DOD-2167, IEC 61508
DO-178B Background
– DO-178B is not prescriptive
  • Vendors are allowed to decide how objectives are satisfied
– DO-178B objectives vary, depending upon how software failures can affect system safety
– Consider two aircraft examples:
  • 1) Software controlling the coffeemakers in the aft galley fails
    Outcome: passenger safety not compromised
  • 2) Software controlling the aircraft during an automatic landing in zero visibility conditions fails
    Outcome: possibly catastrophic and lives lost
– Obviously these two software applications need not be developed to the same rigor
DO-178B Background
– For this reason, DO-178B defines five software levels
– Each level is defined by the failure condition that can result from anomalous software behavior

Failure Condition           Software Level
Catastrophic                Level A
Hazardous/Severe-Major      Level B
Major                       Level C
Minor                       Level D
No Effect                   Level E
DO-178B Background
– Once a system safety assessment is done and the safety impact of the software is known, the level is defined
– Level A has 66 objectives; Level B 65 objectives; Level C 57 objectives; Level D 28 objectives; Level E: none
DO-178B Processes
– Use of standard processes and compliance with pre-determined objectives helps avoid the common pitfalls of software development
– DO-178B defines the following processes (as well as objectives for each):
  • Planning Process
  • Development Process
  • Requirements Process
  • Design Process
  • Coding and Integration Process
  • Testing and Verification Process
  • Configuration Management Process
  • Quality Assurance Process
DO-178B Software Certification
– FAA Software Certification standard = RTCA/DO-178B
– For every line of code there will be 5-10 lines of tests
– For every 2 lines of code there will be one signature on some review form
– One requirement for every 5-10 lines of code
– Verification of execution coverage for all decisions and conditions that impact decisions
  • Address compiler-added functions too
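The "decisions and conditions that impact decisions" coverage above is MC/DC, which DO-178B requires at Level A. The following is an added example (not code from the webinar or from LynuxWorks) that checks a constructed test set against a constructed three-condition decision and shows why decision and condition coverage alone are not enough:

```python
# Added example, not from the webinar: checks whether a set of test vectors
# achieves MC/DC on a decision, i.e. shows that every condition independently
# affects the outcome. The decision and the test sets below are constructed.
from itertools import combinations, product

CONDITIONS = ("A", "B", "C")

def decision(A, B, C):
    """Constructed sample decision with three conditions."""
    return (A and B) or C

def decision_coverage(vectors):
    """True when the decision has been observed both True and False."""
    return {decision(**v) for v in vectors} == {True, False}

def condition_coverage(vectors):
    """True when every condition has taken both values in some test."""
    return all({v[c] for v in vectors} == {True, False} for c in CONDITIONS)

def independence_pairs(vectors):
    """For each condition, the test pairs that differ only in that condition
    and flip the decision. MC/DC needs at least one such pair per condition."""
    pairs = {c: [] for c in CONDITIONS}
    vs = list(vectors)
    for i, v in enumerate(vs):
        for w in vs[i + 1:]:
            changed = [c for c in CONDITIONS if v[c] != w[c]]
            if len(changed) == 1 and decision(**v) != decision(**w):
                pairs[changed[0]].append((v, w))
    return pairs

def mcdc_gaps(vectors):
    """Conditions whose independent effect the test set has not demonstrated."""
    return [c for c, p in independence_pairs(vectors).items() if not p]

def minimal_mcdc_set():
    """Brute-force the smallest test set with no MC/DC gaps (n+1 = 4 here)."""
    space = [dict(zip(CONDITIONS, bits)) for bits in product((False, True), repeat=3)]
    for size in range(1, len(space) + 1):
        for combo in combinations(space, size):
            if not mcdc_gaps(combo):
                return list(combo)
    return []

# Constructed test sets: WEAK satisfies decision and condition coverage yet
# never isolates a single condition; GOOD is a valid MC/DC set.
WEAK = [dict(A=True, B=True, C=True), dict(A=False, B=False, C=False)]
GOOD = [dict(A=True, B=True, C=False), dict(A=False, B=True, C=False),
        dict(A=True, B=False, C=False), dict(A=False, B=True, C=True)]

if __name__ == "__main__":
    print("WEAK gaps:", mcdc_gaps(WEAK))      # ['A', 'B', 'C']
    print("GOOD gaps:", mcdc_gaps(GOOD))      # []
    print("minimal MC/DC set size:", len(minimal_mcdc_set()))   # 4
```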
Historical Certification Process
[Figure: user code (C or Ada) and the LynxOS-178 operating system installed together on the target system]
– Operating System cannot be certified unless the system is installed, tested and certified
New FAA Policy: Reusable Software Components
– Advisory Circular AC 20-148, Dec 2004
  • Allows for "certification" of components such as math libraries, operating systems and communication protocols
  • See http://www.faa.gov/regulations_policies/
– S/W accepted by the FAA as meeting DO-178B objectives across hardware platforms
  • Allows for "portability" of certification effort to other products without re-verification of the software component
Our Customer Needs
– Reduce cost, risk and time to market when deploying safety-critical devices
– Cost of change is an area that heretofore has been ignored in the embedded market
  • Consider that in the 1980's a one-line change to the OFP on the Space Shuttle cost nearly $1M
  • Today, cost of software changes for safety-critical products is still too high
RSC Certification Process
[Figure: user code and the FAA-accepted LynxOS-178 operating system component installed on the target system]
– FAA-accepted OS is deployed without requiring recertification
LynxOS-178 Reusable Software Components
[Figure: one RSC acceptance letter for LynxOS-178 covering user code on PPC 750 target hardware (Display System), PPC 7447 target hardware (Flight Management System) and PPC 440 target hardware (Flight Control System)]
– FAA acceptance of LynxOS-178 is "grandfathered" across platforms, reducing cost of change
RSC Development Cycle Supports Multiple Architectures
[Figure: unadulterated LynxOS-178 on a PPC 440 CSP: develop, debug, tune; DO-178B verification and code coverage. Certified applications (Application 1, Application 2) using LynxOS-178 on a PPC 603 BSP]
How much "credit" applies?
– Level A calls out 66 explicit objectives
– Because of the way RTCA/DO-178 is structured, one cannot take full credit for all DO-178B objectives with an RSC
– Remaining objectives are partially satisfied but require input from the integrator to be complete
  • E.g., S/W load control, traceability to system-level requirements, compatibility with target computer, certification liaison
– Requires that an RSC guidance package provide clear instructions on how to use the RSC, integrate it and retain DO-178B credit
What makes a good RSC?
– Ideally, the software should be hardware independent
  • Changes to hardware should not result in modifications
– Network stacks and services, file systems and operating system services
– Very challenging to make a Time/Space Partitioned operating system achieve FAA acceptance as a reusable software component
  • Requires detailed testing and analysis of time, space and resource partitioning to support fault containment of multiple applications at different levels of DO-178B
Reusable Software Component - Credit
– RSC is initially approved through a TSO or STC/TC process
  • Mechanism is through a PSAC and AC 20-148
  • Results in FAA RSC Acceptance Letter
– RSC Developer provides RSC Data Package to RSC Integrator, which includes:
  • Acceptance Letter & Data Sheet
  • RSC Functions
  • Limitations & Assumptions
  • Partitioning and RSC Analysis data
  • Reqs, Design, SCI, SAS
– Other RSC Integrators use unadulterated binary files to build and certify their applications
RSC Compliance Matrix example
(Columns: 178B Obj#; Obj Description; Resp. Org.; RSC Credit; Assumption Original Integrator; Assumption Follow-on Integrator; Means of Compliance for the Objective; Activities Remaining for Integrator Applicant)
– 178B Obj#: 1-1
– Obj Description: Software development and integral processes activities are defined (4.1 a, 4.3)
– Resp. Org.: LW
– RSC Credit: Full
– Assumption Original Integrator: None
– Assumption Follow-on Integrator: None
– Means of Compliance for the Objective: LynxOS-178 (RSC) PSAC [7]; LynxOS-178 (RSC) SDP [8]; LynxOS-178 (RSC) SCMP [9]; LynxOS-178 (RSC) SVP [10]; LynxOS-178 (RSC) SQAP [11]
– Activities Remaining for Integrator Applicant: Follow-on Integrator: the integrator's PSAC will need to obtain approval to use AC 20-148 and reference the LynxOS-178 (RSC) FAA RSC approval letter and demonstrate identicality of configuration.
LynxOS-178 RSC Data Package
– Example RSC Documents:
  • RSC BUILD PROCEDURE
  • RSC TIMING MARGIN ANALYSIS
  • RSC PARTITIONING & RSC INTERFACE ANALYSIS
  • RSC S/W ACCOMPLISHMENT SUMMARY (SAS)
  • RSC S/W CONFIGURATION INDEX
  • RSC VERIFICATION ENVIRONMENT CONFIGURATION INDEX
  • RSC DATASHEET
LynuxWorks RSC Data Sheet
– Data Sheet gives the integrator a top-level view of the LynxOS certification pedigree
– Covers functions of the time/space/resource partitioned OS
– Gives overview of design and how time/space and resource partitioning are maintained
– Provides assumptions and required activities of the integrator to retain reuse credit
– Summary of Safety Issues and Limitations
RSC Value to Integrators
– FAA acceptance of RSC means reduced certification risk for integrators
  • Integrators no longer have to "wait" for the OS supplier to complete its certification work before submitting certification artifacts
– RSC documentation is structured around providing guidance on RSC integration as well as demonstrating RTCA/DO-178B credit
– Thousands of labor hours are saved by using accepted certification techniques
RSC vs standard 178 Artifacts
[Figure: side-by-side comparison of DO-178 artifacts and RSC artifacts]
– DO-178 Artifacts: Source Code; PSAC, SQAP, SCMP, SDP; SRS, SDS, SW Coding Stds; SVP; Design reviews; Code reviews; Tool qualification docs; SW Vulnerability Analysis; Partitioning Documents?
– RSC Artifacts: T/S/R Partitioning Analyses; Test Proxies; RSC Interface Analysis; Timing Margin Analysis; Device Driver Interface Standard; CSP/BSP API
– Also shown: HM Requirements; RSC Letter of approval; DOORS traceability; Reqmts; Design; SAS; SCI; Test Procedures; Test Results; Coverage Analysis; Build Procedure
– KEY DIFFERENCE: RSC ARTIFACTS CONTAIN GUIDANCE TO HELP CUSTOMER ACHIEVE CERTIFICATION OF THEIR APPLICATION
RSC Value Proposition
– Some vendors provide a full set of artifacts that include CM, QA, Reviews, etc.
  • >10000 files on a CD-ROM
  • Information overload: how does the customer digest this?
– Other vendors may take customers' hardware in-house, run the tests and certify the BSP and OS together
– We preach that the RSC is better. All you need is the letter and our RSC guidance
  • No need for source code or full 178 artifacts
  • Saves you time, money and reduces risk
The RSC vs. Plain DO-178 Artifacts
[Figure: two paths for a customer project. Strict RTCA/DO-178B artifacts: DO-178B artifacts "mountain", confused customer, FAA delays/denial. LynuxWorks RSC: RSC artifacts guidance (RSC Interface Analysis, Device Driver Interface standard, CSP/BSP API), FAA approval, successful customer project]
RSC Value: Reduced Cost and Risk
– Operating System certification effort is reusable and portable
  • RSC Artifacts provide guidance on integration and certification; saves 3-9 months in labor over conventional "mountain of certification evidence" packages
– Certification results are re-usable and portable to minimize cost of change
– Reduce Risk:
  • Auditors do not review what has already been approved
  • RSC has been proven to meet DO-178B Level A
  • Saves 3-12 months of certification review
What the LynxOS-178 RSC covers
– Kernel: Time/Space Partitioning, Resource Partitioning (I/O, shared resources), Task, Interrupt, Device and File Management
– System Services
  • POSIX 1003.1, .1b, .1c
  • Scheduling, MQ, Pipes, Socket, signals, SEMS, Clocks/Timers, Shared Memory
– Family of PPC including 74xx, 750, 603, 4xx, and 970
– Results in portable DO-178B approval on more than one processor without added engineering effort
Key Takeaways
– Standard guidance exists on how to retain certification credit for software components
– Reusable Software Component acceptance results in:
  • Reduced cost and time to market
  • Portability of certification artifacts
  • Increased productivity
– LynuxWorks is the first COTS RTOS vendor to deliver a reusable software component (RSC) package