www.thalesgroup.com
IFC on IMA AMS/13/000584 ir00
Incremental Functional Certification (IFC) on
Integrated Modular Avionics (IMA)
WICERT Grenoble March 22, 2013
Franck Aimé
Context

IMA system and dedicated process:
• Ensure incremental certification (IC) for actual avionics systems oriented integrated architecture
• Manage application qualification credit towards federated architectural style (partition centric)
• Does not allow incremental certification at avionics functions level

IFC framework and dedicated process:
• Have an ambition to extend incremental certification with incremental functional certification (IFC)
• Manage avionics functions design towards recent software means and methods (Avionics Service component architecture, software product line engineering, …)
• Suggest integrated architecture style based on infrastructure solution
• Suggest certification credit capitalization based on software component

IFC and IMA processes are complementary and enable FULL INCREMENTAL CERTIFICATION for the next generation of avionics systems.

[Figure labels: Bottom-Up Based; Top-Down Based; FULL]
Incremental Functional Certification
IFC Study

The IFC study examined various capabilities to incrementally accept an avionic system and provides six IFC criteria for Engineering Composability.

[Figure labels: Process; Dependency & Independency Guarantee Relations specification; Robust Partitioning analysis; IFC Composability; Function Relationship; Information; Interaction; Execution; Safety & Security; Installation]

The IFC installation framework is based on the five Infrastructures:
• Relational Infr. (communication between IFC components)
• Interaction Infr.
• Information Infr.
• Execution Infr.
• Functional Infr. (bridge between abstraction and hierarchical levels)

Infrastructure: to share a resource R, ∀ R ∈ infrastructure.
Vertical & Horizontal Partitioning: Composability

Each infrastructure shall be managed as an IFC component.
Developed to be reused… Developed to share and to be reused…
Designed to be reused is a way to « certification credit ».

[Figure: composition of Module Components (MC), Application Components (AC) and Special Components (SC) into Modules (M), Applications (A), Platform (P) and Function (F), linked by "Use" relations; axis labels: MOPS, Infrastructure, Function]

Figure captions, in order:
• M qualified
• A qualified using M
• P qualified containing M used by A
• F qualified containing A used by M and containing SC
• P installed & certified
• F installed & certified

With SC: Special Component (≠ MC & AC); M: Module and MC: Module Component; A: Application and AC: Application Component; P: Platform or Infrastructure; F: Function.
Module
A component or collection of components that may be accepted by themselves or in the context of IMA. A module may also comprise other modules. A module may be software, hardware, or a combination of hardware and software, which provides resources to the IMA-hosted applications. Modules may be distributed across the aircraft or may be co-located.

Application
Software and/or application-specific hardware with a defined set of interfaces that, when integrated with a platform, performs a function.

Component
A self-contained hardware part, software part, database, or combination thereof that is configuration controlled. A component does not provide an aircraft function by itself.

Increment (ED-124/DO-297 Architecture's Principles; Incremental Certification & Qualification strategy; architecture drivers: Reuse, Share, Develop)
• Reuse: the mean to reuse something already approved or accepted (using a shared resource).
• Module (Share): ETSO principle, for certification capitalization; the (pre-certifiable) container to share something (a resource).
• Application (Develop): F-ETSO principle, for certification capitalization; the (pre-certifiable) container to develop a Function (using a shared resource).
• Component (Develop): RSC principle, for qualification capitalization (tools, library, actuator, …), two types: Module Component (shared) and Application Component (not shared); the (pre-qualifiable) container to develop a part of a Function or Module (using a shared resource).
My Need is …
• To reuse a shared resource
• To share a resource
• To develop a part of a Function
• To reuse a Function
• To reuse a part of a Function
• To develop a means to share a reusable part of a function
• …

… with a targeted credit about:
• Approval (certification)
• Acceptance (qualification)

Architecture's drivers: Reuse, Share, Develop.

The Purpose in Mind… shall be Simple, Straightforward and Planned.

[Figure: "The two stages launcher": Certification and Qualification credit levels, each Null / Partial / Full]
Targeted Credit Process and Material

Targeted Credit and material of Targeted Credit on: Data, Component, Module & Application, Function.

Be aware: « reuse » does not mean « certification credit » from one aircraft to another.

Common state of the art (credit level Null / Partial / Full at each level):
• Qualification purpose: Data, Component
• Certification purpose: Module / Application, Function

Material:
• Artifacts: DO-178, DO-254, DO-200, DO-160
• Data Evidence: FAA Order 8110.49 & EASA CM-SWCEH-002
• Component Evidence: AC 20.148
• Module / Application Evidence: ARP4754, ARP4761, DO-297
• Function Evidence: TSO/ETSO + Installation Manual
Reusable Software Component
When is RSC a bad idea?
No clearly defined functionality
Excessive customization required (say, 40% changes for each
installation)
Decision for RSC near end of project
No support from applicant
Few potential instantiations of RSC component
Large number of interface parameters
When is RSC a good idea?
Algorithmic components
Small number of interfaces
Little or no tie to physical I/O
Certain tools
If only limited credit is granted, it might be better just to include a data that is
“approvable” and let each client go through the certification process.
From : Reusable SW components (RSC) in real life, FAA, Mike DeWalt, 2005 Software/CEH Conference: Norfolk, VA
IMA regulatory material
System/Hardware/Software Industrial Standards
• Guidelines for Integrated Modular Avionics (DO-297 / ED-124)
• Electronic Hardware Development Process (DO-254 / ED-80)
• Software Development Process (DO-178 / ED-12)
• Aircraft & System Development Process (ARP-4754 / ED-79)

ARP4754A (+ ARP4761A ongoing) and more recently DO-297 are structuring IMA system development and certification processes.
Regulatory materials

FAA system:
• IMA Hardware TSO C153
• Functional TSO Cxxx (Incomplete TSO), e.g. C9c, C52b, C54, C92c, C101, C106, C115b, C151b
• Functional TSO Cxxx (Complete TSO)
• Advisory Circular 20.170 (+ Advisory Circular 20.148), calling industrial standard DO-297

EASA system:
• Functional ETSO Cxxx
• ETSO 2C153
• Certification Review Item: CRI-Fxx Integrated Modular Avionics System; CRI-Fxx Incremental Certification, calling industrial standard DO-297

Both systems:
• (E)TSO Authorization
• IMA system Approval, TC / STC
• Component Qualification, Functional Software Qualification, Hardware Qualification, Complement Qualification DO-160
• IMA System Installation

The FAA system facilitates reuse and certification credit for manufacturers via the C153 / FTSO approach and the IMA Acceptance Letter concept.
The EASA system facilitates Type Certificate and credit for the airframer (the CRI is A/C dedicated).
ED-124/DO-297 Architecture's Principles
The Platform is concerned by the resource-sharing need (resources used by at least two functions / applications) and is the mean to share resources (through Component and Module).
Avionics Functions are concerned by Application and Component.
(RTCA DO-297)
ETSO 2C153 - Applicability
Applicability (§1.2)
This ETSO refers to IMA platform modules, which are appliances composed of Hardware and Core Software or any embedded software module contributing to the intended function of resource sharing.
Nevertheless:
• A "Hardware only" module is acceptable if no further software module is needed to perform resource sharing.
• A single-LRU platform (as per ED-124/DO-297), where the platform is limited to one LRU module (Smart Display, CPIOM...), is acceptable.
Out of the scope of this ETSO are:
• IMA Platform composed of multiple LRUs (distributed platform) or LRMs (e.g. cabinet).
• Configuration tables, which are components part of IMA system integration and installation.
• Stand-alone core software.
• IMA applications.
• Equipment used to generate radio frequency signals for intentional transmitters.
ETSO 2C153 - Applicability
Minimum Performance Specification (§3.1.1)
ETSO modular structure: seven basic types of MPS for IMA platform modules
• TYPE A: Rack Module
• TYPE B: Processing Module
• TYPE C: Graphical Generation (/Processing) Module
• TYPE D: Mass Data Storage Module
• TYPE E: Interface Module (Input/Output Module and/or Network Module)
• TYPE F: Power Supply Module
• TYPE G: Display Head Module
Not limited to cabinet architecture, e.g. single CPIOM platform = TYPE B.
Combinations of types are possible, e.g. single Display LRU platform = TYPE B + C + G.
Full Incremental Certification: Thales Approach
Composability of Certification Credit
• ETSO 2C153 on the Infrastructure to build Open Platform Avionics
• F-ETSO on the function to construct the avionics function and advanced avionics function
[AC-20.170 & future AMC-20.170] Functional TSO: TSO with a defined function. Example of a functional TSO: TSO-C151b Terrain Awareness and Warning System.
• Improve Certification Credit at application level
• Improve management for the general irreversible trend to develop functional chains at software level
Equipment with a set of (E)TSO; a set of ETSO & F-ETSO to make up the avionics.
[Figure labels: Credit, repeated at each level]
Full Incremental Certification invented a way to continuously improve Safety of Flight.
Incrementability
Incremental Acceptance Process and Domain Engineering Process are the two pillars of a well-managed Full Incremental Certification Process.

Functional Domain
• F = f1 + f2 + f3: incremental approval, F-ETSO
• The functional thread shall be based on MOPS or CS (consistent CS Package)
• CS Packages allocated to sub-functions are identified by the domain engineering process
• Be aware that non-ETSO functions have a certification credit with the TC and not with the F-ETSO

Infrastructure Domain
• C = a1 + a2 + a3 + sc1 + ac2: incremental acceptance, ETSO 2C153
• The component thread shall be based on infrastructure composability capacities (consistent Component Package)
• Component Packages allocated to infrastructure components are identified by the infrastructure engineering process (IMA capabilities based)

Composability rule: the container for a functional thread is a component of the infrastructure.
Next steps
• Common Functional Infrastructure
• From Component Based architecture towards Service Oriented Architecture
• Connected Hybrid Avionics (Satellite Avionics)
Questions ?