how to cut $2 m of your safety cert costs

Your systems. Working as one.

How to Cut $2M of Your Safety Certification Costs

Edwin de Jong, PhD

Modern Unmanned Aircraft Systems

• Network of– Multiple Unmanned Aerial Vehicles (UAVs)– Multiple Ground Control Stations (GCS’s)– Configurable payloads and smart sensors

• Multiple and changing mission objectives

• Challenge:– Make data and capabilities of smart sensors accessible to every relevant participant

4/10/2014 © 2014 REAL‐TIME INNOVATIONS, INC. 2

UAS Communication Infrastructure

Vehicle LAN

Data Link

Ground Station LAN


Baseline Capabilities for UASCommunication Infrastructure

• Open standards based– Commonality and interoperability

• True peer-to-peer architecture– No single point of failure or vulnerability

• Portable to any communication media– RF, optical links, high-speed interconnects

• Available for heterogeneous environments– Embedded, low-power, small foot-print, RTOS, ARINC 653– Mainstream OS’s (Windows, Linux) and CPUs (Intel)

• Certifiable component (DO-178C)– Integration of UAVs in national airspace


Peer‐To‐Peer Real‐Time DataBus

OMG Data Distribution Service

Control App

Commands

Sensor

Sensor Data

ActuatorSensor

Sensor Data

Display App


Data‐Centric IntegrationDistributed Data Model and System State

Source(Key) Latitude Longitude Altitude

RADAR1 37.4 -122.0 500.0UAV2 40.7 -74.0 250.0LPD3 50.2 -0.7 0.0


Hundreds Of Applications Rely on DDS


DO‐178C

• A guideline• Used by FAA as basisfor certification– Aircraft are “certified”– Software codedeveloped underDO‐178 provides “certification evidence”

• Increasingly adopted for military aircraft


DO‐178 Safety Levels

Level Failure Condition Typical % of avionics code

A Catastrophic(may be total loss of aircraft) 15%

B Hazardous/Severe(serious injuries) 35%

C Major(minor injuries) 30%

D Minor(inconvenience) 15%

E No effect 5%


Certification Costs

• DO‐178 costs $50‐$100 per ELOC

• Process objectives must be met

• All must be documented• Code must be clean

– Testable– No dead code– Deterministic

Level ProcessObjectives

Code Coverage

A 71 Level B and 100% of MCDC

B 69 Level C plus 100% of DC

C 62 Level D plus 100% of SC

D 26 100% of Requirements

E 0 None


Tenets Of Safety‐Critical Software

• Reduce code size• Consider testability in design• Design code to be deterministic


Communication‐Middleware Implications

• Specific implementation withfewer capabilities– Reduced ELOC

• Predictable– No dynamic memory allocation– Applications preconfigured

• Limited size of distributed system– Suiting most avionics systems– Larger size system integration through bridge


Reducing Middleware Size

• Use efficient data structures– Optimized for smaller‐scale systems – Simpler data structures allow middleware to remain small even as new functionality is added

• Balance capabilities versus size– Include capabilities relevant in safety‐critical systems only

– Focus on core capabilities


Safety‐Certifiable Communication Platform

• Scalable product linefor constrainedenvironments

• Certifiable component– DO‐178C Level A– ~25K ELOC

• Follows OMG DDS specification• FACE compliant interface in development


Certifiable DDS – Core Capabilities

• Support for multiple domains

• Domain Participant Factory

– Create/delete Domain Participants

• Domain Participant– Create topics (keyed and

keyless)– Create publications– Create subscriptions– Delete contained entities

• Subscription– Polling– Notification– Read/take

• Publication– Write with or without

timestamp– Dispose– Liveliness

• Thread-safe


Memory Model

Application

Network

DDS m

iddleware

Data Cache Discovery Database

Grows as more data produced

Grows as more nodes join

Configure resource limits before creating entitiesNo memory growth


Quality of Service (QoS) Support

• Communication protocols– Best effort– Reliable with periodic and piggyback heartbeats

• Optional durability– Last value kept in‐memory by publisher

• Send/receive cache resource configuration• Publication and subscription deadline• Ownership and strength


DDS Discovery

Peer 1 (up)

Peer 2 (down)Initial peers:Peer 1Peer 2


DDS Discovery – Stage 2

Peer 1 (up)

Peer 2 (down)


Discovery for Safety‐Critical Systems

Unknown number of participants connectingUnknown number of remote endpoints

Know which participants are upSimple protocol

Stage 1: dynamic participant discoveryStage 2: static loading of endpoints

Quasi‐static discovery


Certification Evidence

• Plan for Software Aspects of Certification (PSAC)

• Software Development Plan (SDP)– Requirements standards– Design standards– Code standards

• Software Verification Plan (SVP)• Software Configuration

Management Plan (SCM)• Software Quality Assurance Plan

• Software Requirements Data• Design Description• Traceability• SQA Records• SCM Records• Software Configuration Index• Software Verification Cases and

Procedures• Software Verification Results• Software Accomplishment

Summary

Certification evidence can be re‐used across programs4/10/2014 © 2014 REAL‐TIME INNOVATIONS, INC. 21

Savings from DDS Certification Evidence

30,000 ELOC 20,000 ELOC 10,000 ELOC

Level A $3,000,000 $2,000,000 $1,000,000

Level B $2,550,000 $1,700,000 $850,000

Level C $1,800,000 $1,200,000 $600,000

• DDS certification evidence available at fraction of cost

• Availability at start of project also reduces risk


Summary

• Certifiable DDS designed for safety‐critical applications now available– Connext DDS Cert– Standards compliant– Small footprint

• Code is certifiable to DO‐178 Level A– Minimal lines of code– Deterministic

• Certification evidence is reusable


Your systems. Working as one.Download

ConnextFree TrialNOW

www.rti.com/downloads

Thank you