LynuxWorks Webinar on Reusable Software Components
June 13, 2007


Agenda
– Introductions & housekeeping
– Historical overview of software in the airborne environment
– Software certification standard: RTCA/DO-178B
– Reusable Software Components: Advisory Circular 20-148
  • LynuxWorks LynxOS-178 operating system
  • Benefits

Introductions
– Presenter: Joe Wlad, Director of Product Management at LynuxWorks; Federal Aviation Administration Designated Engineering Representative
– Post Q&A at any time; answers at the end
– Presentation available for download later; instructions to be provided

Historical Review of Software Use in Aircraft

First-generation commercial aircraft characteristics
– Few digital systems outside of inertial navigation systems
– Minimal integration: a human interface with every computer or its input/output
– Analog computers that communicate using discretes and signals
– 747-200 autopilot system: 20 separate computers to handle pitch, roll, yaw, trim, throttles and landing!

The B747 flight deck
– 1960s technology
– > 1000 switches
– Dozens of unique indicators, akin to a boiler room
– 3-person crew to control, navigate and manage the flight
– Operating and maintenance costs are very high

Software Use on Aircraft
– Software use on aircraft is now pervasive: costs lowered, reliability improved, crew workload reduced
– Modern flight decks are becoming totally automated: millions of lines of code now run inside a modern airliner
– FAA software certification is to DO-178

Typical Federated Architecture: Boeing 757 Flight Management System
– A typical FMS interacts with 15-20 subsystems on an aircraft
– Advantage: failures can usually be localized to a single system or computer
– Disadvantages:
  • Integration is also controlled by the vendor
  • Separate LRUs for each system, using different processors

[Figure: Flight Management Computer connected to FCC, ILS/MLS, DME/ADF, VOR, OMC, IRS, GPS, CDU, FQIS, EEC, FDR, MCP, ADC, IDS and CLOCK]

Integrated Modular Avionics (IMA)
– Modern processors can support more than a single application: memory management units, together with a partitioned operating system, provide application separation
– IMA allows for consolidation and portability of applications, thereby reducing program lifecycle costs

IMA advantages
– Reduce the number of LRUs: lower maintenance costs; reduced weight and size
– Improve portability: reduced upgrade costs; flexibility and fault tolerance
– Improved dispatch reliability
– Boeing claims that the IMA design can save 1000 pounds of weight on the 787

RTCA/DO-178B Background

DO-178B: Software Considerations in Airborne Systems and Equipment Certification, circa 1992
– Evolved from DO-178A, circa 1985

DO-178B is a guidance document only; it focuses on software processes and on the objectives that must be met to comply with those processes
– Developed by RTCA, Inc. (a not-for-profit company) and its members to ensure that software meets airworthiness requirements

Called out in many certification requirements documents as the recommended method to obtain approval of airborne software
– Design approvals through FAA Technical Standard Orders and Supplemental Type Certificates

Many other standards exist: SEI-CMM, DEF STAN 00-55, ISO, DOD-STD-2167, IEC 61508

DO-178B is not prescriptive
– Vendors are allowed to decide how the objectives are satisfied

DO-178B objectives vary depending upon how software failures can affect system safety. Consider two aircraft examples:
– 1) Software controlling the coffeemakers in the aft galley fails
  • Outcome: passenger safety not compromised
– 2) Software controlling the aircraft during an automatic landing in zero-visibility conditions fails
  • Outcome: possibly catastrophic, and lives lost

Obviously these two software applications need not be developed to the same rigor.

For this reason, DO-178B defines five software levels. Each level is defined by the failure condition that can result from anomalous software behavior:

Failure Condition          Software Level
Catastrophic               Level A
Hazardous/Severe-Major     Level B
Major                      Level C
Minor                      Level D
No Effect                  Level E

Once a system safety assessment is done and the safety impact of the software is known, the level is defined:
– Level A: 66 objectives
– Level B: 65 objectives
– Level C: 57 objectives
– Level D: 28 objectives
– Level E: none

DO-178B Processes
Use of standard processes, and compliance with pre-determined objectives, helps avoid the common pitfalls of software development. DO-178B defines the following processes (as well as objectives for each):
– Planning process
– Development process
– Requirements process
– Design process
– Coding and integration process
– Testing and verification process
– Configuration management process
– Quality assurance process

DO-178B Software Certification
– FAA software certification standard = RTCA/DO-178B
– For every line of code there will be 5-10 lines of tests
– For every 2 lines of code there will be one signature on some review form
– One requirement for every 5-10 lines of code
– Verification of execution coverage for all decisions and for every condition that affects a decision (at Level A this is modified condition/decision coverage, MC/DC)
  • Compiler-added functions must be addressed too
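The coverage objective above is easy to state and surprisingly hard to satisfy, so here is a worked illustration of what "coverage of every condition that affects a decision" means in practice. This is an added example, not code from the webinar or from LynxOS-178: it checks whether a set of test vectors achieves unique-cause MC/DC for a three-condition decision, and searches the truth table for a minimal test set. The decision `autoland_engaged` and its condition names are constructed for the example and do not come from any real flight system.

```python
"""
MC/DC (modified condition/decision coverage) checker.

Added example, not from the LynuxWorks webinar. For each condition in a
boolean decision, unique-cause MC/DC requires a pair of test vectors that
differ only in that condition and produce different decision outcomes, in
addition to plain decision coverage (both outcomes observed).
"""
from itertools import combinations, product
from typing import Callable, Dict, Iterable, List, Optional, Sequence, Tuple

Vector = Tuple[bool, ...]
Decision = Callable[..., bool]


def autoland_engaged(ils_valid: bool, radio_alt_valid: bool, ap_armed: bool) -> bool:
    # Constructed example decision with three conditions (not a real avionics rule).
    return (ils_valid and radio_alt_valid) or ap_armed


def decision_coverage(decision: Decision, tests: Iterable[Vector]) -> bool:
    """True when the test set exercises both outcomes of the decision."""
    return {decision(*t) for t in tests} == {True, False}


def independence_pairs(decision: Decision, tests: Iterable[Vector],
                       n_conditions: int) -> Dict[int, Optional[Tuple[Vector, Vector]]]:
    """For each condition index, find a pair of vectors in `tests` that differ
    only in that condition and flip the outcome. None means the condition's
    independent effect on the decision is not demonstrated by this test set."""
    test_set = set(tests)
    pairs: Dict[int, Optional[Tuple[Vector, Vector]]] = {}
    for i in range(n_conditions):
        pairs[i] = None
        for t in sorted(test_set):
            flipped = list(t)
            flipped[i] = not t[i]
            f = tuple(flipped)
            if f in test_set and decision(*t) != decision(*f):
                pairs[i] = (t, f)
                break
    return pairs


def mcdc_satisfied(decision: Decision, tests: Sequence[Vector], n_conditions: int) -> bool:
    """Decision coverage plus an independence pair for every condition."""
    if not decision_coverage(decision, tests):
        return False
    return all(p is not None for p in independence_pairs(decision, tests, n_conditions).values())


def minimal_mcdc_set(decision: Decision, n_conditions: int) -> Optional[List[Vector]]:
    """Brute-force the smallest subset of the 2**n truth table that achieves
    MC/DC. The lower bound is n+1 vectors; the search is cheap for the handful
    of conditions found in a typical decision."""
    table = list(product([False, True], repeat=n_conditions))
    for size in range(n_conditions + 1, len(table) + 1):
        for cand in combinations(table, size):
            if mcdc_satisfied(decision, cand, n_conditions):
                return list(cand)
    return None


if __name__ == "__main__":
    # A test set with 100% decision coverage that still fails MC/DC: neither
    # vector isolates the effect of any single condition.
    weak = [(False, False, False), (True, True, True)]
    print("decision coverage:", decision_coverage(autoland_engaged, weak))
    print("MC/DC:", mcdc_satisfied(autoland_engaged, weak, 3))
    print("minimal MC/DC set:", minimal_mcdc_set(autoland_engaged, 3))
```

Note that `mcdc_satisfied` implements the strict unique-cause form, where the paired vectors differ in exactly one condition; the masking form accepted by later guidance allows other conditions to change as long as their effect is masked, and admits a few more test sets. Either way the point the slide makes stands: the two-vector set that fully covers the decision outcomes says nothing about whether each condition is actually wired into the decision.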

Historical Certification Process

[Figure: user code (C or Ada) running on the LynxOS-178 operating system, on the target system]
The operating system cannot be certified unless the system is installed, tested and certified.

New FAA Policy: Reusable Software Components
– Advisory Circular AC 20-148, Dec 2004: allows for "certification" of components such as math libraries, operating systems and communication protocols
  • See http://www.faa.gov/regulations_policies/
– Software accepted by the FAA as meeting DO-178B objectives across hardware platforms: allows for "portability" of the certification effort to other products without re-verification of the software component

Our Customer Needs
– Reduce cost, risk and time to market when deploying safety-critical devices
– Cost of change is an area that heretofore has been ignored in the embedded market
  • Consider that in the 1980s a one-line change to the OFP on the Space Shuttle cost nearly $1M
  • Today, the cost of software changes for safety-critical products is still too high

RSC Certification Process

[Figure: user code running on the FAA-accepted LynxOS-178 operating system component, on the target system]
The FAA-accepted OS is deployed without requiring recertification.

LynxOS-178 Reusable Software Components

[Figure: a single RSC acceptance letter covers LynxOS-178 under user code on three targets: a display system on PPC 750 hardware, a flight management system on PPC 7447 hardware, and a flight control system on PPC 440 hardware]
FAA acceptance of LynxOS-178 is "grandfathered" across platforms, reducing the cost of change.

RSC Development Cycle Supports Multiple Architectures

[Figure: unadulterated LynxOS-178 on a PPC 440 CSP and on a PPC 603 BSP; the cycle is develop, debug and tune, then DO-178B verification and code coverage; certified applications (Application 1, Application 2, ... Application 1001) using LynxOS-178]

How Much "Credit" Applies?
– Level A calls out 66 explicit objectives
– Because of the way RTCA/DO-178 is structured, one cannot take full credit for all DO-178B objectives with an RSC
– The remaining objectives are partially satisfied but require input from the integrator to be complete, e.g., software load control, traceability to system-level requirements, compatibility with the target computer, certification liaison
– This requires that an RSC guidance package provide clear instructions on how to use the RSC, integrate it and retain DO-178B credit

What Makes a Good RSC?
– Ideally, the software should be hardware-independent: changes to the hardware should not result in modifications
– Candidates: network stacks and services, file systems and operating system services
– It is very challenging to make a time/space-partitioned operating system achieve FAA acceptance as a reusable software component: this requires detailed testing and analysis of time, space and resource partitioning to support fault containment of multiple applications at different levels of DO-178B
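To make the partitioning analysis concrete, the following added example (not LynuxWorks code, and not a description of how LynxOS-178 is actually configured) models a fixed cyclic schedule of the kind a time/space-partitioned RTOS enforces. It checks a partition configuration for the properties such an analysis has to establish (time windows fit the major frame, private memory regions do not overlap, worst-case execution fits the window), reports the timing margin per partition, and simulates one major frame so that a partition which tries to overrun its budget is cut off at its window end and cannot delay the others. Partition names, software levels, budgets and addresses are constructed for the example.

```python
"""
Time/space partitioning analysis, as an added example (not LynxOS-178 code).

A partitioned RTOS gives each application a fixed time window within a major
frame and a private memory region; the analysis below checks that such a
configuration is consistent and shows the fault-containment property a
partitioning analysis must demonstrate: a misbehaving partition is stopped
at its window boundary and the remaining windows start on schedule.
"""
from dataclasses import dataclass
from typing import Dict, List, Sequence


@dataclass(frozen=True)
class Partition:
    name: str
    level: str          # DO-178B software level (informational here)
    window_us: int      # time budget per major frame, microseconds
    mem_base: int       # start of private memory region
    mem_size: int       # size of private memory region in bytes
    wcet_us: int        # measured worst-case execution time per frame


# Constructed configuration: three applications at different levels sharing one processor.
PARTITIONS = (
    Partition("display", "C", window_us=4000, mem_base=0x1000_0000, mem_size=0x0100_0000, wcet_us=3200),
    Partition("fms",     "B", window_us=3000, mem_base=0x1100_0000, mem_size=0x0080_0000, wcet_us=2100),
    Partition("fcs",     "A", window_us=2000, mem_base=0x1180_0000, mem_size=0x0040_0000, wcet_us=900),
)
MAJOR_FRAME_US = 10_000


def check_schedule(parts: Sequence[Partition], major_frame_us: int) -> List[str]:
    """Return configuration errors; an empty list means the schedule is valid."""
    errors = []
    total = sum(p.window_us for p in parts)
    if total > major_frame_us:
        errors.append(f"windows total {total} us exceed major frame {major_frame_us} us")
    # Space partitioning: sort regions by base and check each against its neighbour.
    ranges = sorted((p.mem_base, p.mem_base + p.mem_size, p.name) for p in parts)
    for (_, a_hi, a), (b_lo, _, b) in zip(ranges, ranges[1:]):
        if b_lo < a_hi:
            errors.append(f"memory of {a} and {b} overlaps")
    # Time partitioning: measured worst case must fit the window with margin.
    for p in parts:
        if p.wcet_us > p.window_us:
            errors.append(f"{p.name}: WCET {p.wcet_us} us exceeds window {p.window_us} us")
    return errors


def timing_margins(parts: Sequence[Partition]) -> Dict[str, float]:
    """Margin per partition as a fraction of its window (what a timing margin
    analysis reports)."""
    return {p.name: round(1 - p.wcet_us / p.window_us, 3) for p in parts}


def simulate_frame(parts: Sequence[Partition], demand_us: Dict[str, int]) -> Dict[str, dict]:
    """Run one major frame. demand_us[name] is how long the partition tries to
    run this frame (defaults to its WCET). The kernel stops a partition at its
    window end, so an overrun is recorded but never shifts the next window."""
    t = 0
    log = {}
    for p in parts:
        want = demand_us.get(p.name, p.wcet_us)
        ran = min(want, p.window_us)
        log[p.name] = {"start": t, "end": t + ran,
                       "completed": want <= p.window_us, "overran": want > p.window_us}
        t += p.window_us
    return log


if __name__ == "__main__":
    print("errors:", check_schedule(PARTITIONS, MAJOR_FRAME_US))
    print("margins:", timing_margins(PARTITIONS))
    # The Level B partition misbehaves; the Level A partition still gets its window.
    print(simulate_frame(PARTITIONS, {"fms": 9000}))
```

The run with `fms` demanding 9000 us shows the containment argument in miniature: `fms` is marked as overrun and stopped at 7000 us, and `fcs` starts at exactly 7000 us as scheduled. A real analysis also has to bound interrupt handling, cache and bus interference, and kernel-call latency, none of which this model includes.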

Reusable Software Component - Credit
– The RSC is initially approved through a TSO or STC/TC process
  • The mechanism is a PSAC and AC 20-148
  • Results in an FAA RSC acceptance letter
– The RSC developer provides an RSC data package to the RSC integrator, which includes:
  • Acceptance letter & data sheet
  • RSC functions
  • Limitations & assumptions
  • Partitioning and RSC analysis data
  • Requirements, design, SCI, SAS
– Other RSC integrators use the unadulterated binary files to build and certify their applications

RSC Compliance Matrix Example

178B Obj# | Obj Description | Resp. Org. | RSC Credit | Assumption (Original Integrator) | Assumption (Follow-on Integrator) | Means of Compliance for the Objective | Activities Remaining for Integrator Applicant
1-1 | Software development and integral processes activities are defined. (4.1 a, 4.3) | LW | Full | None | None | LynxOS-178 (RSC) PSAC [7]; LynxOS-178 (RSC) SDP [8]; LynxOS-178 (RSC) SCMP [9]; LynxOS-178 (RSC) SVP [10]; LynxOS-178 (RSC) SQAP [11] | Follow-on integrator: the integrator's PSAC will need to obtain approval to use AC 20-148, reference the LynxOS-178 (RSC) FAA RSC approval letter and demonstrate identicality of configuration.
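"Demonstrate identicality of configuration" is the security-relevant hinge of the whole scheme: the credit transfers only if the integrator ships exactly the binaries the FAA accepted. The slides say the integrator uses the unadulterated binaries and that the data package includes a software configuration index (SCI), but not how identicality is shown. The following added example (not LynuxWorks code) assumes an SCI that lists each delivered file with a part number and a SHA-256 digest, which is an assumption about the SCI format, and checks a delivered tree against it, flagging modified, missing and unlisted files. The files, part numbers and digests are constructed in memory so the example runs offline.

```python
"""
Configuration-identicality check against an RSC software configuration index.

Added example, not LynuxWorks code. Assumes (this is the example's own
assumption) that the SCI records, per delivered file, a part number and a
SHA-256 digest of the accepted binary. Credit is retained only if every
listed file is present and unchanged and nothing unlisted has been added.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class SciEntry:
    path: str
    part_number: str
    sha256: str


# Constructed stand-ins for the accepted deliverables (not real LynxOS-178 files).
ACCEPTED_FILES: Dict[str, bytes] = {
    "lynxos178.bin":    b"\x7fELF constructed kernel image v2",
    "libposix.a":       b"!<arch>\nconstructed POSIX library",
    "rsc_datasheet.pdf": b"%PDF-1.4 constructed datasheet",
}
PART_NUMBERS: Dict[str, str] = {
    "lynxos178.bin": "PN-0001", "libposix.a": "PN-0002", "rsc_datasheet.pdf": "PN-0003",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_sci(files: Dict[str, bytes], part_numbers: Dict[str, str]) -> List[SciEntry]:
    """Produce the SCI entries from the accepted build (what the RSC developer ships)."""
    return [SciEntry(p, part_numbers[p], sha256_hex(d)) for p, d in sorted(files.items())]


def check_identicality(sci: List[SciEntry], delivered: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Compare delivered files against the SCI. Every listed file must be
    present with the accepted digest; any file not in the SCI is reported as
    unlisted, since an added object is as much a configuration change as a
    modified one."""
    report: Dict[str, List[str]] = {"matched": [], "modified": [], "missing": [], "unlisted": []}
    listed = {e.path: e for e in sci}
    for path, entry in listed.items():
        if path not in delivered:
            report["missing"].append(path)
        elif sha256_hex(delivered[path]) == entry.sha256:
            report["matched"].append(path)
        else:
            report["modified"].append(path)
    report["unlisted"] = sorted(set(delivered) - set(listed))
    return report


def credit_retained(report: Dict[str, List[str]]) -> bool:
    """Reuse credit stands only when the delivered configuration is identical."""
    return not (report["modified"] or report["missing"] or report["unlisted"])


SCI = build_sci(ACCEPTED_FILES, PART_NUMBERS)


if __name__ == "__main__":
    # A follow-on integrator who "just fixed one thing" in the kernel image.
    patched = dict(ACCEPTED_FILES)
    patched["lynxos178.bin"] = patched["lynxos178.bin"].replace(b"v2", b"v3")
    patched["debug_hook.o"] = b"constructed extra object"
    rep = check_identicality(SCI, patched)
    print(rep, "credit retained:", credit_retained(rep))
```

A digest match proves the bytes are the ones accepted; it does not prove the integrator's toolchain, link options or board support package match the assumptions in the RSC data sheet, which is why the compliance matrix still lists activities for the integrator even for objectives where the RSC takes full credit.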

LynxOS-178 RSC Data Package
Example RSC documents:
– RSC Build Procedure
– RSC Timing Margin Analysis
– RSC Partitioning & RSC Interface Analysis
– RSC S/W Accomplishment Summary (SAS)
– RSC S/W Configuration Index
– RSC Verification Environment Configuration Index
– RSC Datasheet

LynuxWorks RSC Data Sheet
– The data sheet gives the integrator a top-level view of the LynxOS certification pedigree
– Covers the functions of the time/space/resource-partitioned OS
– Gives an overview of the design and of how time/space and resource partitioning are maintained
– Provides the assumptions and the required activities of the integrator to retain reuse credit
– Summary of safety issues and limitations

RSC Value to Integrators
– FAA acceptance of the RSC means reduced certification risk for integrators: integrators no longer have to "wait" for the OS supplier to complete its certification work before submitting certification artifacts
– RSC documentation is structured around providing guidance on RSC integration as well as demonstrating RTCA/DO-178B credit
– Thousands of labor hours are saved by using accepted certification techniques

RSC vs. Standard 178 Artifacts

[Figure: two overlapping sets of artifacts]
DO-178 artifacts: source code; PSAC, SQAP, SCMP, SDP; SRS, SDS, SW coding standards; SVP; design reviews; code reviews; tool qualification docs; SW vulnerability analysis; partitioning documents?
RSC artifacts: T/S/R partitioning analyses; test proxies; RSC interface analysis; timing margin analysis; device driver interface standard; CSP/BSP API; HM requirements; RSC letter of approval
Listed between the two: DOORS traceability; requirements; design; SAS; SCI; test procedures; test results; coverage analysis; build procedure

KEY DIFFERENCE: RSC artifacts contain guidance to help the customer achieve certification of their application.

RSC Value Proposition
– Some vendors provide a full set of artifacts that include CM, QA, reviews, etc.
  • > 10000 files on a CD-ROM
  • Information overload: how does the customer digest this?
– Other vendors may take the customer's hardware in-house, run the tests and certify the BSP and OS together
– We preach that the RSC is better. All you need is the letter and our RSC guidance
  • No need for source code or the full 178 artifacts
  • Saves you time and money, and reduces risk

The RSC vs. Plain DO-178 Artifacts

[Figure: on the left, the strict RTCA/DO-178B path: a DO-178B artifacts "mountain" delivered with Application 1001 on LynxOS-178 leads to a confused customer, FAA delays/denial and a troubled customer project; on the right, the LynuxWorks RSC path: RSC artifacts and guidance (RSC interface analysis, device driver interface standard, CSP/BSP API) lead to FAA approval and a successful customer project]

RSC Value: Reduced Cost and Risk
– The operating system certification effort is reusable and portable
  • RSC artifacts provide guidance on integration and certification; saves 3-9 months in labor over conventional "mountain of certification evidence" packages
– Certification results are re-usable and portable, to minimize the cost of change
– Reduce risk:
  • Auditors do not review what has already been approved
  • The RSC has been proven to meet DO-178B Level A
  • Saves 3-12 months of certification review

What the LynxOS-178 RSC Covers
– Kernel: time/space partitioning, resource partitioning (I/O, shared resources), task, interrupt, device and file management
– System services
  • POSIX 1003.1, .1b, .1c
  • Scheduling, message queues, pipes, sockets, signals, semaphores, clocks/timers, shared memory
– Family of PPC including 74xx, 750, 603, 4xx and 970
– Results in portable DO-178B approval on more than one processor without added engineering effort

Key Takeaways
– Standard guidance exists on how to retain certification credit for software components
– Reusable Software Component acceptance results in:
  • Reduced cost and time to market
  • Portability of certification artifacts
  • Increased productivity
– LynuxWorks is the first COTS RTOS vendor to deliver a reusable software component (RSC) package

Questions

Thank you