www.thalesgroup.com

Th

ale

s A

vio

nic

s –

30th

octo

ber

2012

Feedback on IMA certification and on-going

regulatory work in Europe

Cédric ChevrelSystem & IMA Referent Certification Expert

Airworthiness Certification Directorate

THALES Avionics

International IMA Conference – Moscou 2012

2 /2 / IMA System Certification Manager

Life of a System Certification

Manager before IMA ...

Life of a System Certification

Manager with IMA ...

3 /3 / Content

IMA perimeter in Avionics System

Certification Process

Incremental Certification

Lessons Learned

On-going Regulatory work in Europe

www.thalesgroup.com

Th

ale

s A

vio

nic

s –

30th

octo

ber

2012

Avionics System IMA perimeter

International IMA Conference – Moscou 2012

5 /5 / Avionics System Perimeter

Avionics

System

Flight

Management

Cockpit

Integrated Modular Avionics

Communication Utilities / Cabin

A trend : from Equipment, to Subsystem and Open Avionics System Package

Flight Guidance

& Envelope

Surveillance

Recording

Maintenance

Display and Warning

Localisation

Navigation

6 /6 / Integrated Modular Avionics (IMA)

Now with IMABeforePlatform composed by a set of non system specific and highly configurable computers

ARINC 429

1 function = 1 computer

Multiple systems applications are executed on the same platform and network

Allowing highly integrated architecture, IMA permits recurrent, development

and maintenance cost savings optimizing industrial business model

7 /7 / IMA business model

Platform / Module supplier :

Production, Supply chain, component obsolescence management and

capacity to F3 design in the future

In Service Experience on COTS hardware component (Certification constraint)

RT Operating System (such as A653) skills

Robust Partitioning demonstration (Partitioning) skills

Sub-System Designers / Application Suppliers

Functional domain (Flight Management, Fuel, Cabin...) skills

Functional oriented Software engineering skills

IMA system integrator

Complex integration (mixing software and functional aspects) skills

Incremental Integration & Acceptance

IMA objective : Select the best supplier for each task taking into

each specificity

www.thalesgroup.com

Th

ale

s A

vio

nic

s –

30th

octo

ber

2012

Integrated Modular Avionics Certification Process

THALES Avionics

International IMA Conference – Moscou 2012

9 /9 /

System Development &

Type Certification Contribution

Avionics System

Supplier

(Thales)

Suppliers

Sub-contractors

Contract

Certification Actors

Aircraft

Manufacturer

Type Certification

Airworthiness

Authority

Country A (IAC-AR)

TC Validation

Airworthiness

Authority

Country C (ex:FAA)

Agreements

Arrangements

between AAs

Airworthiness

Authority

Country B (EASA)Technical Standard Order

(TSO) Authorization

TSO installation

TSO Equipment

10 /10 /A

ircra

ft

Aircraft

Certification

Basis

Aircraft

Certification Basis:

- CS 25/AP25/FAR 25

Determination of

Certification Basis

AUTHORITY

CRI F-xx/IP S-xx

A/C Manufacturer

Eq

uip

ment

DO-254

DO-178B

DO-160

HW

SW

Environmental

Equipment

“Qualification”

Basis

Standards

System Supplier

Syste

m

System

ARP4761

ARP4754

IMA

DO-297

System

“Qualification”

Basis

Equipment Supplier

Certification basis flow-down

- Special Conditions,

Exemptions, ESF

AMC (generic)

IM (specific CRI / IP)

11 /11 / IMA FAA/EASA Regulatory materials

FAA :

2002 : TSO C153 « IMA hardware elements »

2003 : AC20-145 about TSO C153 (obsolete with AC20-170)

2004 : AC20-148 about « reusable software component (RSC) »

2010 : AC20-170 making the link between TSO C153, AC20-148 "reusable software component" and DO-297

2012 : PS-ANM-25-08 provides criteria to determine if the guidance in AC 20 170 is applicable (Am I an IMA ?)

EASA :

CRI-Fxx : Interpretative Materials for Integrated Modular Avionics System

CRI-Fxx : Interpretative Materials for Incremental Certification

These regulatory materials are calling on industrial standards as means

of compliance

12 /12 / System/Hardware/Software Industrial Standards

Guidelines for Integrated

Modular Avionics

(DO-297/ED-124)

Electronic Hardware

Development Process

(DO254 / ED-80)

Software

Development Process

(DO178 / ED-12)

Aircraft & System Development

Process

(ARP-4754 / ED-79)

ARP4754 (+ARP4761) and more recently DO297 are structuring IMA system development and certification processes

ARP4754A

DO297

13 /13 / IMA definitions

According to DO-297 :

Generic Perimeter

=

Platform independent from

Avionics functions

Aircraft functions

DO297 shall be used to structure IMA definitions in order to avoir misleading interpretation at the beginning of the certification program

14 /14 / Authority Involvement

PLAN

PHASE

Certification Plan,

Syst. FHA, EQTP,

PSAC, PHAC, PCAC

Specifications and

Design data

Flight/Lab Test

procedures

and results

Certification summary,

SSA, EQTR, SAS, HAS,

CAS, PAS (IMA)REQUIREMENT

PHASE

ARCHITECTURE

PHASE

DESIGN

PHASE

VERIFICATION

PHASE

Accomplishment

Status to the Plan

Manufacturer

requirements

Certification basisSYSTEM / SUB-SYSTEM / EQUIPMENT Development cycle

SOI : Airworthiness Authority Stage of Involvement

SOI1

Plan Review

SOI 2

Development/

Design Audit

SOI3

Verification

Audit

SOI4

Certification

Review

Which kind of authority involvement

and audit reviews with IMA ?

www.thalesgroup.com

Th

ale

s A

vio

nic

s –

30th

octo

ber

2012

Integrated Modular Avionics Incremental Certification

International IMA Conference – Moscou 2012

16 /16 / Integrated Modular Avionics (IMA) certification

Highly Integrated

Architecture

Multi-system

Integration

Open Industrial

Workshare

Robust

Partitioning(*)

One function with

DAL A / DAL D

DO178B

partitioning definition

IMA system

Incremental

Certification

Now with IMABefore

(*) DO297/ED124 definition

In the frame of each TC , specific CRI/IP (IM) are published considering IMA

architecture as a system. But a system whose certification shall be handled via

an incremental process (see DO297)

17 /17 / What was at stake ?

2 ways are identified to manage resources sharing issues at system level:

IMA conventional way (API ARINC 653):

Multi system integration on platform

IMA Incremental way (API ARINC 653 + Incremental process):

Replacement of multi-system integration by qualification credit based on Usage Domain qualified at

platform level

Sub-System 1

Platform

Sub-System n

Platform

Sub-System 1

Sub-System n

Platform

Sub-System 1

Sub-System n

Platform

Sub-System 1

Sub-System n

Platform

Simu/Aircraft

+ other systems

Usage Domain &

IMA Process

Sub- System 1

Platform

Sub- System n

Platform

Sub- System 1

Sub- System n

PlatformCREDITS

Sub-System 1

Sub- System n

Platform

Simu/Aircraft

+ other systems

!

« AA warned about potential difficulties during the compliance demonstration in case of

Incremental approch is not followed. This is derived from the complexity of IMA systems »

V&V activities

18 /18 / What is at stake regarding IMA certification?

What is at stake :

Performance and safety of integrated module in any operational situation. The IMA architecture (including networks) is considered as a complex system of the aircraft.

Independent qualification of some components and credit from some components pre-qualification is needed to simplify final approval.

Qualification credits :

Credit n°1: Bare Module & Tools pre-qualification : Modules & tool chain properties (partitionning, configurability, performances) is demonstrated and guaranteed in a frame of a Usage Domain.

Credit n°2 : A qualified tool chain guarantes that Modules are well configurated compliantly to Usage Domain

Credit n°3: Standalone qualification of Avionic applications are expected to be granted in the context of an integrated module with several functions

Keys Points :

Incremental qualification process shall be defined to master the interactions between the industrial players

Incremental qualification taking benefit from Module & Tool properties (partitionning, configurability & usage domain)

19 /19 / Certification program breakdown

development

Bare module

and Tools

development

Configuration

developmentApplication

Software 1

development

qualification qualification qualification

Aircraft

Certification

Function 3

Function 2

Function 1

Application

acceptationModule

acceptation

Usage Domain

&

PartionningCredit n°1 + n°2 + n°3Credit n°1

Credit n°2 Credit n°3

Qualified

Integrated Module

IMA PROCESS

SYNTHESIS

Tools

functional

performances

Module

Audit Domain

Module Integrator

Audit Domain

Avionic Application (Function)

Audit Domain(s)

IMA system

Domain

Functional Vs

Qualification

1

3

3 2

3

4

x DO297 task

Full incremental

Certification Approach

www.thalesgroup.com

Th

ale

s A

vio

nic

s –

30th

octo

ber

2012

Lesson learnt from recent IMA certification

International IMA Conference – Moscou 2012

21 /21 / Lessons Learned (1)

A/C Certification Basis understanding and good anticipation (Special Conditions, Issue Papers, etc)

Including additional requirements from Importing Authorities.

Including Interpretative Materials about Integration & Incremental Processes (which credit in which context ?).

Good sharing of the Certification Basis by A/C manufacturer with the IMA System Integrator, Application Suppliers and IMA Platform supplier

Joint Certification Strategy

TSOs / ETSOs

Incremental Certification Approach in line with business workshare.

Management of the Sub-contractors with correct cascading of certification requirements

22 /22 / Lessons Learned (2)

Bilateral Agreements or Arrangements between Authorities facilitate and optimize the Certification

Early agreement on a Certification Program structured in several audit domains

IMA System & Integration domain

Application software qualification

Platform qualification (hardware, Operating system and Tools)

Early validation by AA of the HW, SW, SYS Certification Plans (SOI 1) reduce the risk

Simple and Complex Hardware Components classification

Clear roadmap for COTS components (In Service Experience, Errata...)

Keep AA in the loop along the development process

SOI audits in good phasing along with development reviews

Relationship and confidence between Offices of Airworthiness is essential

www.thalesgroup.com

Th

ale

s A

vio

nic

s –

30th

octo

ber

2012

IMA Rulemaking in Europe

What else ?

International IMA Conference – Moscou 2012

24 /24 / Reuse Vs Certification credit

The IMA platforms are composed of elements/modules which are

both generic and configurable.

The IMA elements/modules are designed to be reusable in order to

reduce cost development and facilitate certification programs.

Nevertheless, « reuse » does not mean « certification credit » from

an aircraft to another. The certification credit from the Incremental

Acceptance is only granted for a dedicated Type Certificate (TC).

This credit should be granted independently of the aircraft thanks

to a [European] Technical Standard Order (TSO - Equipement

Certificate) and their certification data package recognised as

certification credit when reused for a new aircraft.

25 /25 / Regulatory materials

IMA Hardware TSO

C153

FAA system EASA system

Functional ETSO

Cxxx

ETSO 2C153

AC 20.170 Certification Review Item

CRI-Fxx : Integrated Modular Avionics System

CRI-Fxx : Incremental Certification

(E)TSO

Authorization

IMA system

Approval

TC

Functional TSO

Cxxx

(Incomplete TSO)Ex : C9c, C52b, C54,

C92c, C101, C106,

C115b, C151b

Functional TSO

Cxxx

(Complete TSO) Component

Qualification

Software

Qualification

Domain# 2, 5, 3, 4, 7

Hardware

Qualification

Domain#1

IMA System Installation(domain#6)

IMA System Installation

Complement

Qualification DO160

Thales promotes an European System (ETSO, AMC) facilitating reuse and

certification credit in IMA systems via an ETSO IMA platform (2C153) and

Software Functional ETSO approach (AMC)

26 /26 / Rulemaking Task (RMT) 0456

ETSO IMA and AMC will be created in EASA regulatory

corpus

ETSO 2C153 shall be developed and published enabling

authorizations at IMA platform/module level, independent from

aircraft.

FAA TSO C153 cannot simply be transposed into an ETSO,

because it does not contain sufficient Mimimum Performance

Specifications (MPS) and do not cover Core Software.

ETSO 2C153 to be complemented by AMC 20-170 (based on

ED124/DO297) to provide more guidance for integration at

function and aircraft level without needing dedicated

Certification Review Item (CRI)

26

RMT.0456 included in EASA Rulemaking Programme 2013-2016

27 /27 / ETSO 2C153 – key concepts

This ETSO refers to IMA platform modules which are appliances composed of Hardware and Core Software or any embedded software module contributing to the intended function of resources sharing.

Seven basic types of IMA platform modules are identified :

TYPE A : Rack Module (only relevant for Cabinet architecture)

TYPE B : Processing Module.

TYPE C : Graphical Processing Module.

TYPE D : Mass Data Storage Module.

TYPE E : Interface module. (Input/Output Module and/or network module)

TYPE F : Power Supply Module (only relevant for Cabinet architecture)

TYPE G : Display Head Module

En equipment can combine several types (e.g B+D)

28 /28 / Thank you for your attention

Any questions? cedric.chevrel@fr.thalesgroup.com