Commercial Off-the-Shelf (COTS) Integrated Circuits Legends & Myths
Peter Skaves, FAA Software & Avionics Complex Hardware Conference, July 28, 2005
Slide 2: Briefing Objectives

COTS Integrated Circuits presentation overview:
- Aircraft Avionics Design Assurance Process
- COTS Integrated Circuits & Applicability
- COTS Products Legends & Myths
- COTS Integrated Circuits & Aircraft Computers
- COTS Integrated Circuit Functional Hazard Assessment (FHA)
- Redundancy & Fault Handling
- Federated Systems vs. Integrated Modular Avionics
- Built-In Test Equipment (BITE)
- Numerical Analysis Limitations
- Discussion and wrap-up
Slide 3: Avionics Design Assurance Process
Slide 4: The Airplane System Design Assurance Process

[Figure: airplane diagram showing the VHF antenna, SATCOM antenna, and OOOI & security sensor inputs]

Examples of airplane systems certification rules and guidance:
- FAR 25.1301 “General Requirements for Intended Function”
- FAR 25.1309 “Equipment Systems and Installation”
- AC 20-115B (invokes RTCA DO-178B software guidance)
- System Safety Assessment (SSA) process (e.g., SAE ARP 4761, Guidelines and Methods for Conducting the Safety Assessment Process on Civil Airborne Systems & Equipment)
Slide 5: Aircraft Regulations for Integrated Circuits & Avionics Systems

- FAR 25.1301(a) requires that each item of installed equipment be of a kind and design appropriate to its intended function
- FAR 25.1309(a) requires that equipment be designed to ensure that it performs its intended functions under all foreseeable conditions
Slide 6: Aircraft Avionics Design Assurance

The certification process includes:
- System description of the intended function
- Safety, performance and interoperability description
- Functional Hazard Assessment (FHA); the FHA is used in part to assess both normal operations and failure mode effects

The certification process for avionics systems includes numerical analysis of failure rates, which are expressed per aircraft flight hour. As an example, a failure classification of “Major” is equivalent to not more than one failure per 100,000 flight hours per aircraft.
Slide 7: Use of COTS Integrated Circuits for the Planet & Aircraft Certification
Slide 8: COTS Integrated Circuits

Used in many commercial applications: home computers, home appliances, television sets, automobiles, video games, pinball machines, medical equipment, cell phones, stereo systems, test equipment, airplanes, trains

Manufacturers include: Texas Instruments, LSI Logic, Advanced Micro Devices, Motorola
Slide 9: COTS Products Legends & Myths
Slide 10: Definition of Legend

- An unverified popular story handed down from earlier times
- A body or collection of such stories
Slide 11: Definition of Myth

- A fiction or half truth, or one that forms part of the ideology of a society (e.g., Star Trek)
Slide 12: Avionics System & COTS Integrity: Legend or Myth?

“COTS hardware & software components embedded in aircraft avionics systems do not meet the ‘intended function’.” Legend or Myth?
Slide 13: COTS Integrated Circuits Design Issues

- Intended function
- Service history
- Quantity of parts (e.g., mass produced or limited production)
- Design mitigation(s) for fault handling
- Revision update rate & configuration control
- Failure effect classification
- Reliability prediction of integrated circuit failure rates
- Assessment of failure effect at the component and system level
- Environmental test conditions and test procedures for airborne equipment (e.g., RTCA DO-160(x)), at the integrated circuit component level and the avionics system level
Slide 14: Integrated Circuits & Aircraft Computers

COTS versus custom integrated circuits:
- COTS integrated circuits were not specifically designed for aircraft applications (e.g., COTS microprocessors)
- Approximately 95% of the integrated circuits used in airplane applications are COTS based products
- Custom integrated circuits (e.g., Application Specific Integrated Circuits (ASIC) & Programmable Logic Devices (PLD)) are specifically designed for aircraft applications

Hardware life cycle data per RTCA/DO-254:
- In general, COTS integrated circuits do not have the life cycle data to satisfy the objectives in RTCA/DO-254

Summary: “Alternate methods or processes to ensure that COTS integrated circuits perform their intended function and meet airworthiness requirements are required”
Slide 15: Military Standard for Integrated Circuits

Military specifications for integrated circuits:
- Generally address “Environmental Conditions and Test Procedures for Airborne Equipment”: temperature, vibration, moisture, shock testing, etc.
- Improved manufacturing standards and hardware reliability

Hardware life cycle data per RTCA/DO-254:
- In general, integrated circuits developed to military standards do not have the life cycle data to satisfy the objectives in RTCA/DO-254

Summary: “Alternate methods or processes to ensure that integrated circuits developed to Military Standards perform their intended function and meet airworthiness requirements are required”
Slide 16: Custom Integrated Circuits

Application Specific Integrated Circuits (ASIC):
- Custom integrated circuits that are usually developed and manufactured by a vendor for specific airplane applications
- Usually RTCA/DO-254 and RTCA DO-160(x) compliant
- ASIC integrated circuits are very expensive and may cost $1,000 or more per device

COTS field programmable logic devices:
- Avionics manufacturers typically buy and write programs for the programmable logic devices
- Typical cost of these integrated circuits is $40
- Avionics manufacturers are responsible for programming the devices and the associated costs
- The programming process is usually RTCA/DO-254 compliant
Slide 17: COTS Graphical Processors (CGP)

- May be used in flight deck displays
- The failure contribution of the CGP must be mitigated by system architecture for Hazardous or Catastrophic failure conditions
- Mitigation strategy should include protection mechanisms and fault handlers
- Loss of function should be mitigated by redundancy
- Common mode failure conditions may require independent back-up systems
- Wraparound and monitoring tests for output validation
- Configuration management and part number control
- RTCA/DO-254 may be used for custom CGP
Slide 18: COTS Graphical Processors Policy

- The Transport Airplane Directorate has published an Issue Paper on means of compliance for graphical processors for a specific project
- The Issue Paper was coordinated with Washington Headquarters and is consistent with the Advisory Circular for RTCA DO-254
- Development of national policy for CGP across all aircraft models is in progress
Slide 19: Integrated Circuit Functional Hazard Assessment

- The airplane avionics system design must include a mitigation strategy for integrated circuit failures
- Common-mode integrated circuit failures should be limited to a “major” failure effect
- Single point integrated circuit failures should be limited to a “minor” failure effect classification
- If single point or common mode integrated circuit failures are determined to be “hazardous” or “catastrophic”, then the design is not acceptable: the design does not meet FAR 25.1309
Slide 20: Avionics System Failure Classification Cost Impact

Functional Hazard Assessment (FHA): “Minor” vs. “Major” failure classification (what’s the big deal?)
- “Minor” failure rate should not exceed one error per 1,000 flight hours
- “Major” failure rate should not exceed one error per 100,000 flight hours

In summary:
- “Major” classification requires an improvement on the order of “100 times better”
- Hazardous: multiply by another factor of “100”
- Catastrophic: multiply by another factor of “100”
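An added example, not from the presentation, that works the slide 19 and 20 rules numerically: the per-flight-hour budget ladder, the acceptability limit for single point and common mode IC failures, and an estimate of what independent channel redundancy buys against a “100 times better” target. The redundancy formula and its independence assumption are mine, not the FAA's; the constructed 1e-4 part failure rate is a sample value.

```python
# Added example, not part of the presentation. Encodes the slide 19 and 20 rules:
# "Minor" <= 1e-3 per flight hour, "Major" <= 1e-5, then "another factor of 100"
# for Hazardous and Catastrophic. The redundancy estimate assumes independent
# channel failures (an assumption); common-mode faults are outside it, which is
# why the slides ask for dissimilar back-up systems.

CLASSIFICATIONS = ["minor", "major", "hazardous", "catastrophic"]


def budget_per_flight_hour(classification):
    """Maximum allowed failure probability per flight hour for a classification."""
    step = CLASSIFICATIONS.index(classification.lower())
    return 1e-3 / (100 ** step)


def improvement_required(from_class, to_class):
    """Factor by which a failure rate must improve to move to a stricter class."""
    return budget_per_flight_hour(from_class) / budget_per_flight_hour(to_class)


def ic_failure_acceptable(failure_mode, effect):
    """Slide 19 rule: single point IC failures may be at most 'minor', common
    mode IC failures at most 'major'; hazardous/catastrophic never acceptable."""
    limit = {"single_point": "minor", "common_mode": "major"}[failure_mode]
    return CLASSIFICATIONS.index(effect.lower()) <= CLASSIFICATIONS.index(limit)


def loss_per_flight_hour(channel_rate, channels, flight_hours=1.0):
    """Probability per flight hour that all `channels` independent channels have
    failed within one flight of `flight_hours`. For small rate*T the per-flight
    loss is about (rate*T)**N; dividing by T gives the per-flight-hour figure."""
    per_flight = (channel_rate * flight_hours) ** channels
    return per_flight / flight_hours


def assess(classification, channel_rate, channels, flight_hours=1.0):
    """Compare an architecture's estimated loss probability with the FHA budget."""
    budget = budget_per_flight_hour(classification)
    estimate = loss_per_flight_hour(channel_rate, channels, flight_hours)
    return {"budget": budget, "estimate": estimate, "meets_budget": estimate <= budget}


if __name__ == "__main__":
    # A constructed COTS part at 1e-4 failures/flight hour: single strand misses
    # "Major" by a factor of 10; a dual channel meets it without a better part.
    print(improvement_required("minor", "catastrophic"))      # about 1e6
    print(assess("major", 1e-4, channels=1)["meets_budget"])  # False
    print(assess("major", 1e-4, channels=2)["meets_budget"])  # True
```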
Slide 21: Aircraft Avionics COTS Examples

Examples of COTS products used in aircraft avionics systems:
- COTS hardware components: chassis components, connectors, motherboard
- COTS integrated circuits (e.g., simple & complex devices, firmware)
- COTS microprocessors, gate arrays, I/O handlers

Historically, the failure contribution of COTS products has been addressed at the “system level” during the aircraft certification design assurance process. Fault handling, fail-safe designs, and avionics architecture should be used to mitigate COTS hardware failure conditions.
Slide 22: Contributing Factors for Avionics “Intended Function”

There are many contributing factors to ensure that avionics systems meet their intended function:
- Airplane requirements
- System requirements
- System interfaces
- System architecture & redundancy
- Dissimilar back-up systems
- Hardware components (e.g., integrated circuits)
- Software programs

The software process by itself does not ensure that the avionics systems meet their intended function.
Slide 23: Redundancy & Fault Handling

Avionics hardware / software redundancy & fault handling:
- Typically dual or triple channel
- Voting planes are used to detect and isolate failed sensor and aircraft interface inputs
- Built-in Test Equipment (BITE) software is used for internal computer validity checks (e.g., memory, CPU)
- Common mode failures may require independent back-up systems
- Examples of independent back-up systems include standby flight instruments or mechanical backup systems
Slide 24: Federated System Architecture

[Figure: federated architecture examples]
- Triplex redundancy: flight control systems, with independent backup system
- Single strand: ACARS communication system
- Dual redundancy: flight management computers
Slide 25: Federated Avionics Computer Architecture

Computer architecture: CPU, program memory (e.g., flight control software), RAM memory, digital busses (e.g., ARINC 429), discrete I/O, variable analog, power supply, chassis

Strengths:
- Isolation of faults
- Failure analysis and fault detection are enhanced

Weaknesses:
- Duplication of hardware resources
- Dedicated airborne software program for each avionics computer
Slide 26: Integrated Modular Avionics (IMA) Computer Resource

Computer architecture: CPU, memory management units, RAM memory, digital busses (e.g., ARINC 429), discrete I/O, variable analog, power supply, chassis

Strengths:
- Shared hardware resources
- Software programs are “swapped” and execute concurrently on the same computer platform

Weaknesses:
- Failure analysis, fault detection & isolation of faults are more difficult
- Common mode fault vulnerability
Slide 27: IMA Notional Diagram

[Figure: two IMA cabinets with shared hardware resources hosting multiple application programs and driving the flight deck displays]
Example: TWO cabinets replace over 50 federated systems
Slide 28: Common Mode Failure Mitigation Examples

- Boeing 777 fly-by-wire flight control architecture: three digital flight control computers, with an analog back-up system to mitigate generic common mode faults
- C-17 cargo airplane fly-by-wire flight control system: full mechanical back-up
- Boeing 737/747/757/767 series airplanes: do not require electric power for continued safe flight and landing, with the exception of the battery backup bus for the standby flight instruments; full mechanical backup flight control system
Slide 29: Built-in Test Equipment (BITE)

Examples of typical avionics BITE functions used to detect and mitigate system failure conditions:
- Power on (long power interrupt) BITE
- Warm restart (short power interrupt) BITE
- Continuous or periodic BITE
- Initiated or maintenance BITE

BITE checks are designed to detect system errors, including COTS integrated circuit errors.
Slide 30: BITE Test Case Examples

- Random Access Memory (RAM) tests
- Program Memory (PMEM) checksum tests
- CPU register tests
- Analog signal wraparound tests
- Discrete signal wraparound tests
- Digital data link activity and integrity checks
- Airplane interface checks
- Cross Channel Data Link (CCDL) checks
- Voting plane checks
- Signal range checks
- Signal validity checks
- Signal activity checks
Slide 31: Redundancy & Voting Planes

- Redundancy & voting planes are the backbone of avionics system availability & integrity
- 40% of certain flight control computer software is BITE related
- 20% of certain flight control computer software is related to the voting plane
- Triplex flight control computers compare thousands of pieces of information per second
- The architecture is designed to use different sensor, power and avionics computer inputs to eliminate single point failures
- Internal & external BITE perform checks during all flight phases
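An added example, not from the presentation or any real flight computer, showing in working code what the BITE test cases of slide 30 and the voting plane of slide 31 look like together: a simplified triplex voting plane that applies validity, range and miscompare checks before a mid-value select and reports which channels it isolated, plus a program memory checksum test and an analog wraparound test. The engineering range, miscompare limit, wraparound tolerance and the sample channel values are constructed assumptions.

```python
# Added example, not part of the presentation. A simplified triplex voting plane
# with three of the BITE checks named on slides 30 and 31. Sample values and the
# range / miscompare / wraparound limits below are constructed assumptions.
import hashlib
from typing import Dict, List, Optional, Tuple

VALID_RANGE = (-30.0, 30.0)   # assumed engineering range of a sensor input
MISCOMPARE = 2.0              # assumed channel-to-channel miscompare limit

def range_check(value: float) -> bool:
    """Signal range check: reject values outside the engineering range."""
    return VALID_RANGE[0] <= value <= VALID_RANGE[1]

def vote(channels: Dict[str, Optional[float]]) -> Tuple[Optional[float], List[str]]:
    """Voting plane: validity and range checks, then mid-value select.
    Returns (selected value or None, names of channels isolated as faulty)."""
    good = {n: v for n, v in channels.items() if v is not None and range_check(v)}
    isolated = [n for n in channels if n not in good]
    if len(good) >= 3:
        ordered = sorted(good.items(), key=lambda kv: kv[1])
        _, mid = ordered[1]
        # Channels that miscompare with the mid value are isolated; mid is used.
        isolated += [n for n, v in ordered if abs(v - mid) > MISCOMPARE]
        return mid, isolated
    if len(good) == 2:
        (a_name, a), (b_name, b) = good.items()
        if abs(a - b) > MISCOMPARE:   # dual miscompare: cannot tell which is bad
            return None, isolated + [a_name, b_name]
        return (a + b) / 2, isolated
    if len(good) == 1:
        return next(iter(good.values())), isolated
    return None, isolated

def pmem_digest(program_memory: bytes) -> str:
    """Digest stored alongside the program image at load time."""
    return hashlib.sha256(program_memory).hexdigest()

def pmem_checksum_ok(program_memory: bytes, expected_digest: str) -> bool:
    """Program memory checksum BITE: image read back must match stored digest."""
    return pmem_digest(program_memory) == expected_digest

def wraparound_ok(commanded: float, read_back: float, tol: float = 0.05) -> bool:
    """Analog wraparound BITE: the output is read back on an input and compared."""
    return abs(commanded - read_back) <= tol
```

With two surviving channels that disagree, the voter returns no value rather than guess, which is the situation where the slides say an independent back-up system is needed.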
Slide 32: Numerical Analysis Limitations

- We are unable to use mathematics to determine numerical probabilities for software or complex hardware failure rates
- Failure rates are expressed per aircraft flight hour and do not include the software or complex hardware error contribution
- Based on historical knowledge, avionics safety related errors are predominately requirements based
- Redundancy and back-up systems should be used to mitigate numerical probability limitations
Slide 33: Design Approval Process Summary

- The aircraft avionics development process has produced an excellent safety record
- However, the complexity of avionics systems and software programs is increasing exponentially (e.g., integrated modular avionics)
- FAA should develop policy to aid in standardization of:
  - Complex avionics systems and fault mitigation
  - Alternate methods or processes to ensure that COTS integrated circuits perform their intended function and meet airworthiness requirements
- If single point or common mode integrated circuit failures are determined to be “hazardous” or “catastrophic”, then the design is not acceptable
Slide 34: Questions & Wrap-Up

Send your questions to me at: [email protected]
Telephone (425) 227-2795

Thank you for your assistance!!!