Commercial Off-the-shelf (COTS) Integrated Circuits Legends &

Myths

Peter Skaves, FAA Software & Avionics Complex

Hardware Conference July 28, 2005

2

Briefing ObjectivesCOTS Integrated Circuits presentation

overview: Aircraft Avionics Design Assurance Process COTS Integrated Circuits & Applicability COTS Products Legends & Myths COTS Integrated Circuits & Aircraft Computers COTS Integrated Circuit Functional Hazard Assessment (FHA) Redundancy & Fault Handling Federated Systems Vs. Integrated Modular

Avionics Built-In-Test Equipment (BITE) Numerical Analysis Limitations Discussion and wrap-up

3

Avionics Design Assurance Process

4

VHF Antenna

OOOI & SecuritySensor Input

The Airplane System Design Assurance ProcessThe Airplane System Design Assurance Process

SATCOM Antenna

Examples of airplane systems certification rules and guidance FAR 25.1301 “General Requirements for Intended

Function” FAR 25.1309 “Equipment Systems and Installation” AC 20-115B “Invokes RTCA DO-178B Software Guidance” System Safety Assessment (SSA) Process ( e.g., SAE ARP,

4761 Guidelines and Methods for Conducting the Safety Assessment Process on Civil Airborne Systems &Equipment)

5

FAR 25.1301 (a) requires that each item of installed equipment be of a kind and design appropriate to its intended function

FAR 25.1309 (a) requires that equipment must be designed to ensure that they perform their intended functions under all foreseeable conditions

Aircraft Regulations for Integrated Circuits &

Avionics Systems

6

The certification process includes: System description of the

intended function Safety, Performance and

Interoperability description Functional Hazard

Assessment (FHA) FHA is used in part to assess

both normal operations and failure mode effects

Aircraft Avionics Design Assurance

Certification process for avionics systems include numerical analysis failure rates which are based on aircraft per flight hours

As an example, a failure classification of “Major” is equivalent to not more than one failure per 100,000 flight hours per aircraft

7

Use of COTS Integrated Circuits for the Planet &

Aircraft Certification

8

Used in many commercial applications: Home Computers Home Appliances Television sets Automobiles Video Games Pinball Machines Medical Equipment Cell Phones Stereo Systems Test Equipment Airplanes Trains

COTS Integrated Circuits

Manufacturers include: Texas Instruments LSI Logic Advanced Micro

Devices Motorola

9

COTS Products Legends & Myths

10

Definition of Legend

An unverified popular story handed down from earlier times

A body or collection of such stories

11

Definition of Myths

A fiction or half truth or one that forms part of the ideology of a society (e.g., Star Trek)

12

Avionics System & COTS Integrity Legend or Myth ?

COTS hardware & software components embedded in aircraft avionics systems do not meet the “intended function”

Legend or Myth ?

13

Intended Function Service History Quantity of parts (e.g., mass produced or

limited production) Design mitigation(s) for fault handling Revision update rate & configuration control Failure effect classification

Reliability Prediction of integrated circuit failure rates Assessment of failure effect at the component and system level

Environmental Test Conditions and Test Procedures for Airborne Equipment (e.g., RTCA DO-160(x)) Integrated Circuit component Level Avionics System Level

COTS Integrated Circuits Design Issues

14

COTS versus Custom Integrated Circuits: COTS integrated circuits that were not specifically designed for

aircraft applications (e.g., COTS Microprocessors) Approximately 95% of the integrated circuits used in airplane

applications are COTS based products Custom integrated Circuits (e.g., Application Specific Integrated

Circuits (ASIC) & Programmable Logic Devices (PLD)) are specifically designed for aircraft applications

Hardware Life Cycle Data per RTCA/DO-254 In general, COTS integrated circuits do not have the life cycle

data to satisfy the objectives in RTCA/DO-254 Summary: “Alternate methods or processes to ensure that COTS

integrated circuits perform their intended function and meet airworthiness requirements is required”

Integrated Circuits & Aircraft Computers

15

Military Specifications for integrated Circuits: Generally address “Environmental Conditions and Test

Procedures for Airborne Equipment” Temperature, vibration, moisture, shock testing, etc. Improved manufacturing standards and hardware reliability

Hardware Life Cycle Data per RTCA/DO-254 In general, integrated circuits developed to Military Standards

do not have the life cycle data to satisfy the objectives in RTCA/DO-254

Summary: “Alternate methods or processes to ensure that integrated circuits developed to Military Standards perform their intended function and meet airworthiness requirements is required”

Military Standard for Integrated Circuits

16

Application Specific Integrated Circuits (ASIC) Custom integrated circuits that are usually developed and

manufactured by a vendor for specific airplane applications Usually RTCA/DO-254 and RTCA DO-160(x) compliant ASIC integrated circuits are very expensive and may cost $1,000

or more per device

COTS Field Programmable Logic Devices Avionics manufactures typically buy and write programs for the

programmable logic devices Typical cost of these integrated circuits is $40 Avionics manufacturers are responsible for programming devices

and associated costs Programming process is usually RTCA/DO-254 compliant

Custom Integrated Circuits

17

May be used in Flight Deck Displays

The failure contribution of the CGP must be mitigated by system architecture for Hazardous or Catastrophic failure conditions

Mitigation strategy should include protection mechanisms and fault handlers

COTS Graphical Processors (CGP)

Loss of function should be mitigated by redundancy

Common mode failure conditions may require independent back-up systems

Wrap around and monitoring tests for output validation

Configuration management and part number control

RTCA/DO-254 may be used for custom CGP

18

Transport airplane Directorate has published a Issue Paper on means of compliance for Graphical Processors for a specific project

The Issue Paper was coordinated with Washington, Headquarters and is consistent with Advisory Circular for RTCA DO-254

Development of National Policy for CGP across all aircraft models is in progress

COTS Graphical Processors Policy

19

The airplane avionics system design must include mitigation strategy for integrated circuit failures Common-Mode integrated

circuit failures should be limited to a “major” failure effect

Single point integrated circuit failures should be limited to a “minor” failure effect classification

Integrated Circuit Functional Hazard Assessment

If single point or common mode integrated circuit failures are determined to be “hazardous” or “catastrophic” than the design is not acceptable Design does not meet FAR

25.1309

20

Functional Hazard Assessment (FHA) “Minor” Vs. “Major” failure

classification (What’s the big deal ?)

“Minor” failure rate should not exceed one error per 1,000 flight hours

“Major” failure rate should not exceed one error per 100,000 flight hours

Avionics System Failure Classification Cost Impact

In summary: “Major” classification

requires an improvement in the order of “100 times better”

Hazardous multiply by another factor of “100”

Catastrophic multiply by another factor of “100”

21

Examples of COTS products used in aircraft avionics Systems: COTS Hardware Components

Chassis Components, Connectors, Motherboard

COTS Integrated Circuits (e.g., Simple & Complex Devices, Firmware)

COTS Micro-Processors Gate Arrays I/O handlers

Aircraft Avionics COTS Examples

Historically, the failure contribution of the COTS products have been addressed at the “system level” during the Aircraft Certification design assurance process

Fault handling, Fail Safe

Designs, and Avionics Architecture should be used to mitigate COTS hardware failure conditions

22

There are many contributing factors to ensure that avionics systems meet their intended function: Airplane RequirementsSystem RequirementsSystem interfacesSystem Architecture & RedundancyDissimilar Back-Up SystemsHardware Components (e.g., integrated circuits)Software programs

The software process by itself, does not ensure that the avionics systems meet their intended function

Contributing Factors for Avionics “Intended Function”

23

Avionics Hardware / Software Redundancy & Fault Handling:

Typically dual or triple channel

Voting planes are used to detect and isolate various sensors and aircraft interface inputs

Built-in Test Equipment (BITE) software are used for internal computer validity checks (e.g, Memory, CPU)

Redundancy & Fault Handling

Common mode failures may require independent back-up systems

Examples of independent back-up systems include Standby Flight Instruments or mechanical backup systems

24

Federated System Architecture

Triplex Redundancy

Flight Control Systems

With independent Backup system

Single Strand ACARS

Communication System

Dual Redundancy

Flight Management Computers

25

Federated Avionics Computer Architecture

Computer Architecture CPU Program Memory

(e.g., Flight Control Software)

RAM Memory Digital Busses (e.g.,

ARINC 429) Discrete I/O Variable Analog Power Supply Chassis

Strengths Isolation of faults Failure analysis and

fault detection are enhanced

Weakness Duplication of

hardware resource Dedicated airborne

software program for each avionics computer

26

Integrated Modular Avionics (IMA) Computer Resource

Computer Architecture CPU Memory

Management Units RAM Memory Digital Busses (e.g.,

ARINC 429) Discrete I/O Variable Analog Power Supply Chassis

Strengths Shared Hardware

Resources Software programs

are “swapped” and execute concurrently on same computer platform

Weakness Failure analysis,

fault detection & isolation of faults are more difficult

Common mode fault vulnerability

27

IMA Notional Diagram

L

Example: TWO cabinets replace over 50 Federated Systems

Shared Hardware Resources

Multiple Application Programs

Flight Deck Displays

28

Boeing 777 Fly-by-Wire Flight Control architecture Three digital Flight

Control Computers Analog back-up system

to mitigate generic common mode faults

C-17 Cargo Airplane Fly-by-Wire Flight

Control System Full Mechanical Back-up

Common Mode Failure Mitigation Examples

Boeing 737/747/757/767 Series Airplanes Do not require electric

power for continued safe flight and landing with the exception of the battery backup bus for the Standby Flight Instruments

Full mechanical backup Flight Control System

29

Built-in Test Equipment (BITE)

Examples of typical avionics BITE functions used to detect and mitigate system failure conditions:

Power on (long power interrupt) BITE

Warm restart (short power interrupt) BITE

Continuos or periodic BITE Initiated or maintenance BITE BITE checks are designed to

detect system errors including COTS integrated circuit errors

30

BITE Test Case ExamplesRandom Access Memory (RAM) TestsProgram Memory (PMEM) Checksum

TestsCPU register testsAnalog Signal wraparound testsDiscrete Signal wraparound testDigital data link activity and integrity

checksAirplane Interface checksCross Channel Data Link (CCDL) checksVoting Plane checksSignal Range checksSignal Validity checksSignal Activity checks

31

Redundancy & Voting Planes

Redundancy & voting planes are the backbone of the avionics systems availability & integrity

40% of certain Flight Control Computer software is BITE related

20% of certain Flight Control Computer software is related to the voting plane

Triplex Flight Control Computers compare thousands of pieces of information per second

Architecture is designed to use different sensor, power and avionics computer inputs to eliminate single point failures

Internal & External BITE performs checks during all flight phases

32

We are unable to use mathematics to determine numerical probabilities for software or complex hardware failure rates

Failure rates are based on aircraft per flight hours and do not include the software or complex hardware error contribution

Based on historical knowledge, avionics safety related errors are predominately requirements based

Numerical Analysis Limitations

Redundancy and back-up systems should be used to mitigate numerical probability limitations

33

Aircraft avionics development process has produced an excellent safety record

However, complexity of avionics systems and software programs is increasing exponentially (e.g. integrated modular avionics)

Design Approval Process Summary

FAA should develop policy to aid in standardization of:

Complex avionics systems and fault mitigation

Alternate methods or processes to ensure that COTS integrated circuits perform their intended function and meet airworthiness requirements

If single point or common mode integrated circuit failures are determined to be “hazardous” or “catastrophic” than the design is not acceptable

34

Questions & Wrap-Up

Send your questions to me at:peter.skaves@faa.gov Telephone (425) 227-2795

Thank you for your assistance !!!