Avionics software
Avionics software is embedded software with legally mandated safety and reliability concerns used in avionics. The main difference between avionic software and conventional embedded software is that the development process is required by law and is optimized for safety.

It is claimed that the process described below is only slightly slower and more costly (perhaps 15 percent) than the normal ad-hoc processes used for commercial software. Since most software fails because of mistakes, eliminating the mistakes at the earliest possible step is also a relatively inexpensive, reliable way to produce software. In some projects, however, mistakes in the specifications may not be detected until deployment. At that point, they can be very expensive to fix.

The basic idea of any software development model is that each step of the design process has outputs called "deliverables." If the deliverables are tested for correctness and fixed, then normal human mistakes can't easily grow into dangerous or expensive problems. Most manufacturers follow the waterfall model to coordinate the design product, but almost all explicitly permit earlier work to be revised. The result is more often closer to a spiral model.

For an overview of embedded software see embedded system and software development models. The rest of this article assumes familiarity with that information, and discusses differences between commercial embedded systems and commercial development models.

General overview

Since most avionics manufacturers see software as a way to add value without adding weight, the importance of embedded software in avionic systems is increasing.

Most modern commercial aircraft with autopilots use flight computers and so-called flight management systems that can fly the aircraft without the pilot's active intervention during certain phases of flight. Also under development or in production are unmanned vehicles: missiles and drones which can take off, cruise and land without airborne pilot intervention.

In many of these systems, failure is unacceptable. The reliability of the software running in airborne vehicles (civil or military) is shown by the fact that most airborne accidents occur due to manual errors.

Regulatory issues

Because of the safety requirements, most nations regulate avionics, or at least adopt standards in use by a group of allies or a customs union. The three regulatory organizations that most affect international aviation development are the U.S., the E.U. and Russia.

In the U.S., avionic and other aircraft components have safety and reliability standards mandated by the Federal Aviation Regulations, Part 25 for Transport Airplanes, Part 23 for Small Airplanes, and Parts 27 and 29 for Rotorcraft. These standards are enforced by "designated engineering representatives" of the FAA who are usually paid by a manufacturer and certified by the FAA.

In the European Union the IEC describes "recommended" (mandatory!) requirements for safety-critical systems, which are usually adopted without change by governments. A safe, reliable piece of avionics has a "CE Mark." The regulatory arrangement is remarkably similar to fire safety in the U.S. and Canada. The government certifies testing laboratories, and the laboratories certify both manufactured items and organizations. Essentially, the oversight of the engineering is outsourced from the government and manufacturer to the testing laboratory.

To assure safety and reliability, national regulatory authorities (e.g. the FAA, CAA, or DOD) require software development standards. Some representative standards include MIL-STD-2167 for military systems, or RTCA DO-178B for civil aircraft.

The regulatory requirements for software can be expensive compared to other software, but they are usually the minimum that is required to produce the necessary safety.

Development process

The main difference between avionics software and other embedded systems is that the actual standards are often far more detailed and rigorous than commercial standards, usually described by documents with hundreds of pages.

Since the process is legally required, most processes have documents or software to trace requirements from numbered paragraphs in the specifications and designs to exact pieces of code, with exact tests for each, and a box on the final certification checklist. This is specifically to prove conformance to the legally mandated standard.

A specific project may deviate from the processes described here because it uses alternative methods or has low safety-level requirements.

Almost all software development standards describe how to perform and improve specifications, designs, coding, and testing (See software development model). However avionics software development standards add some steps to the development for safety and certification:

Human interfaces

Projects with substantial human interfaces are usually prototyped or simulated. The video tapes are usually retained, but the prototype is retired immediately after testing, because otherwise senior management and customers can believe the system is complete. A major goal is to find human-interface issues that can affect safety and usability.

Hazard analysis

Safety-critical avionics usually have a hazard analysis. The early stages of the project already have at least a vague idea of the main parts of the project. An engineer then takes each block of a block diagram and considers the things that could go wrong with that block, and how they affect the system as a whole. Subsequently, the severity and probability of the hazards are estimated. The problems then become requirements that feed into the design's specifications.

Projects involving military cryptographic security usually include a security analysis, using methods very like the hazard analysis.

Maintenance manual

As soon as the engineering specification is complete, writing the maintenance manual can start. A maintenance manual is essential to repairs, and of course, if the system can't be fixed, it won't be safe.

There are several levels to most standards. A low-safety product such as an in-flight entertainment unit (a flying TV) may escape with a schematic and procedures for installation and adjustment. A navigation system, autopilot or engine may have thousands of pages of procedures, inspections and rigging instructions. Documents are now (2003) routinely delivered on CD-ROM, in standard formats that include text and pictures.

One of the odder documentation requirements is that most commercial contracts require an assurance that system documentation will be available indefinitely. The normal commercial method of providing this assurance is to form and fund a small foundation or trust. The trust then maintains a mailbox and deposits copies (usually in ultrafiche) in a secure location, such as rented space in a university's library (managed as a special collection), or (more rarely now) buried in a cave or a desert location.

Design and specification documents

These are usually much like those in other software development models. A crucial difference is that requirements are usually traced as described above. In large projects, requirements-traceability is such a large expensive task that it requires large, expensive computer programs to manage it.
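The traceability described in the "Development process" section and again here (numbered specification paragraphs traced to exact pieces of code, with exact tests for each, and a box on the certification checklist) can be illustrated with a small tool. The following Python is an added example, not code from the original article or from any avionics project. The tagging convention (a `REQ-<n>` comment on a function's `def` line), the three sample requirements, the sample source and the sample tests are all constructed for this example; real projects use far larger tools, as the text says, but the checks are the same: every requirement has code, every requirement has a test, and no code or test refers to a requirement that is no longer in the specification.

```python
import re
from dataclasses import dataclass, field

# Constructed inputs standing in for a numbered specification, a source file
# and a test file. The "REQ-<n>" tag written on a def line is an assumed
# convention for this example, not a real project's.
SPEC = {
    "REQ-3.1": "Altitude shall be reported in feet, rounded to the nearest foot.",
    "REQ-3.2": "An altitude below -1500 ft shall be flagged as invalid.",
    "REQ-3.3": "Loss of the sensor shall be annunciated within 500 ms.",
}

SOURCE = """\
def altitude_feet(metres):            # REQ-3.1
    return int(round(metres * 3.28084))

def altitude_valid(feet):             # REQ-3.2
    return feet >= -1500
"""

TESTS = """\
def test_altitude_feet_rounds():      # REQ-3.1
    assert altitude_feet(1000) == 3281

def test_altitude_feet_zero():        # REQ-3.1
    assert altitude_feet(0) == 0

def test_old_sensor_behaviour():      # REQ-9.9 (no longer in the spec)
    pass
"""

TAG = re.compile(r"REQ-\d+(?:\.\d+)*")
DEF = re.compile(r"^def\s+(\w+)")


def tagged_definitions(text):
    """Map each requirement tag to the names of the functions whose def line carries it."""
    found = {}
    for line in text.splitlines():
        m = DEF.match(line)
        if not m:
            continue
        for tag in TAG.findall(line):
            found.setdefault(tag, []).append(m.group(1))
    return found


@dataclass
class TraceReport:
    matrix: dict = field(default_factory=dict)    # req -> {"code": [...], "tests": [...]}
    uncoded: list = field(default_factory=list)   # requirements with no implementing code
    untested: list = field(default_factory=list)  # requirements with no test
    orphans: list = field(default_factory=list)   # tags used in code/tests but absent from the spec


def build_trace(spec, source, tests):
    """Cross-reference spec paragraphs, code and tests into a traceability matrix."""
    code_by_req = tagged_definitions(source)
    tests_by_req = tagged_definitions(tests)
    report = TraceReport()
    for req in spec:
        entry = {"code": code_by_req.get(req, []), "tests": tests_by_req.get(req, [])}
        report.matrix[req] = entry
        if not entry["code"]:
            report.uncoded.append(req)
        if not entry["tests"]:
            report.untested.append(req)
    report.orphans = sorted((set(code_by_req) | set(tests_by_req)) - set(spec))
    return report


def certification_checklist(report):
    """One line per requirement; the box is ticked only when code and a test both exist."""
    lines = []
    for req, entry in report.matrix.items():
        box = "[x]" if entry["code"] and entry["tests"] else "[ ]"
        lines.append(f"{box} {req}: code={entry['code']} tests={entry['tests']}")
    return lines


if __name__ == "__main__":
    r = build_trace(SPEC, SOURCE, TESTS)
    print("\n".join(certification_checklist(r)))
    print("uncoded:", r.uncoded)
    print("untested:", r.untested)
    print("orphan tags:", r.orphans)
```

With the constructed inputs, REQ-3.3 has neither code nor a test, REQ-3.2 has code but no test, and the stale tag REQ-9.9 is reported as an orphan; only REQ-3.1 gets a ticked box. The orphan check matters as much as the gaps: a test that still "passes" for a requirement that was removed or renumbered is evidence that the matrix, not the software, is being maintained.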

Code production and review

The code is written, then usually reviewed by a programmer (or group of programmers) that didn't write it originally (another legal requirement). Special organizations also usually conduct code reviews with a checklist of possible mistakes. When a new type of mistake is found it's added to the checklist, and fixed throughout the code.

The code is also often examined by special programs that analyze correctness (static code analysis), such as SPARK Examiner for SPARK (a subset of the Ada programming language) or lint for the C family of programming languages (primarily C, though). The compilers or special checking programs like "lint" check to see if types of data are compatible with the operations on them; such tools are also regularly used to enforce strict usage of valid programming language subsets and programming styles. Another set of programs measure software metrics, to look for parts of the code that are likely to have mistakes. All the problems are fixed, or at least understood and double-checked.
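The following Python checker is an added example, not code from the article or from any lint, SPARK or metrics product, written in the spirit of the subset enforcement and metric collection described above. It parses a constructed sample module with the standard `ast` module, flags constructs outside an assumed permitted subset (dynamic code execution, recursion, bare exception handlers), and computes a decision-count metric for each function, reporting any function above an assumed threshold as a likely place for mistakes. The rules, the threshold and the sample module are illustrative assumptions, not any published coding standard.

```python
import ast

# Constructed sample module standing in for code under review. The rules
# applied to it below are assumptions for illustration, not a real standard.
SAMPLE = '''
def checksum(data):
    total = 0
    for b in data:
        total = (total + b) & 0xFF
    return total

def parse_frame(frame):
    try:
        return eval(frame)          # dynamic code execution
    except:                         # bare except swallows everything
        return None

def depth(node):
    if node is None:
        return 0
    return 1 + depth(node.left)     # recursion: unbounded stack use

def mode_select(a, b, c, d):
    if a:
        if b:
            if c:
                if d:
                    return 1
                elif c and d:
                    return 2
            while b and c:
                b = False
    return 0
'''

FORBIDDEN_CALLS = {"eval", "exec", "compile"}   # assumed: outside the permitted subset
MAX_DECISIONS = 4                                # assumed: metric threshold for review


def decision_count(fn):
    """Cyclomatic-style metric: 1 plus the number of branch points in the function."""
    count = 1
    for node in ast.walk(fn):
        if isinstance(node, (ast.If, ast.For, ast.While, ast.IfExp, ast.ExceptHandler)):
            count += 1
        elif isinstance(node, ast.BoolOp):
            count += len(node.values) - 1
    return count


def check_module(source):
    """Return a sorted list of (line, rule, message) findings for the given source."""
    tree = ast.parse(source)
    findings = []
    for fn in (n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)):
        for node in ast.walk(fn):
            if isinstance(node, ast.Call) and isinstance(node.func, ast.Name):
                if node.func.id in FORBIDDEN_CALLS:
                    findings.append((node.lineno, "subset",
                                     f"call to {node.func.id}() is not in the permitted subset"))
                elif node.func.id == fn.name:
                    findings.append((node.lineno, "subset",
                                     f"{fn.name}() calls itself; recursion is not permitted"))
            elif isinstance(node, ast.ExceptHandler) and node.type is None:
                findings.append((node.lineno, "style",
                                 "bare except: handler must name the exception type"))
        d = decision_count(fn)
        if d > MAX_DECISIONS:
            findings.append((fn.lineno, "metric",
                             f"{fn.name}() has {d} decision paths (limit {MAX_DECISIONS}); review for mistakes"))
    return sorted(findings)


if __name__ == "__main__":
    for line, rule, message in check_module(SAMPLE):
        print(f"line {line:>3} [{rule}] {message}")
```

Run against the sample, the checker reports the `eval` call and the bare `except` in `parse_frame`, the self-call in `depth`, and a decision count of 9 for `mode_select`; `checksum` passes. The metric finding does not say the function is wrong, only that it is the part of the code most worth a reviewer's time, which is how the text describes such tools being used.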

Some code, such as digital filters, graphical user interfaces and inertial navigation systems, is so well understood that software tools have been developed to write the software. In these cases, specifications are developed and reliable software is produced automatically.

Unit testing

"Unit test" code is written to exercise every instruction of the code at least once to get 100% code coverage. A "coverage" tool is often used to verify that every instruction is executed, and then the test coverage is documented as well, for legal reasons.

This test is among the most powerful. It forces detailed review of the program logic, and detects most coding, compiler and some design errors. Some organizations write the unit tests before writing the code, using the software design as a module specification. The unit test code is executed, and all the problems are fixed.
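To show what the "coverage" tool in the unit-testing paragraph actually checks, here is a minimal statement-coverage tracer in Python. It is an added example, not code from the article or from any coverage product. It runs a constructed function under `sys.settrace`, records which lines execute, compares them with the lines the compiled bytecode can reach, and reports the ones never executed. The function under test (a vertical-speed limit check with assumed limits and annunciations) and the two input sets are assumptions; with the first set one branch is never taken, and adding the missing input brings coverage to 100%.

```python
import dis
import sys

# Constructed code under test: a limit check of the kind an avionics unit
# might perform. The limits and annunciation strings are assumptions.
def classify_vertical_speed(fpm):
    """Return a cockpit annunciation for a vertical speed in feet per minute."""
    if fpm > 6000:
        return "CLIMB LIMIT"
    if fpm < -6000:
        return "DESCENT LIMIT"
    if fpm == 0:
        return "LEVEL"
    return "NORMAL"


def executable_lines(func):
    """Lines the compiled function can execute, read from the bytecode line table
    (no source file needed). The def line is excluded: the call event happens
    there and it is not a statement of the body."""
    code = func.__code__
    return {ln for _, ln in dis.findlinestarts(code)
            if ln is not None and ln != code.co_firstlineno}


def run_with_coverage(func, inputs):
    """Call func on each input under a line tracer; return (hit, missed) line sets."""
    hit = set()
    code = func.__code__

    def tracer(frame, event, arg):
        # Only trace frames of the function under test; ignore everything else.
        if frame.f_code is not code:
            return None
        if event == "line":
            hit.add(frame.f_lineno)
        return tracer

    previous = sys.gettrace()
    sys.settrace(tracer)
    try:
        for x in inputs:
            func(x)
    finally:
        sys.settrace(previous)      # always restore whatever tracer was installed before
    expected = executable_lines(func)
    return hit & expected, expected - hit


def coverage_report(func, inputs):
    """Statement coverage as a percentage plus the line numbers never executed."""
    hit, missed = run_with_coverage(func, inputs)
    total = len(hit) + len(missed)
    return {"percent": round(100.0 * len(hit) / total, 1), "missed": sorted(missed)}


if __name__ == "__main__":
    partial = coverage_report(classify_vertical_speed, [7000, -7000, 100])
    print("three inputs:", partial)     # one line (the LEVEL branch) is never executed
    full = coverage_report(classify_vertical_speed, [7000, -7000, 100, 0])
    print("four inputs:", full)         # every line executed, nothing missed
```

The function has seven executable statements; the inputs 7000, -7000 and 100 exercise six of them and leave the `return "LEVEL"` line untouched, so the report shows 85.7% with that line listed as missed. Adding the input 0 executes it. This is the property the text describes the tool verifying: not that the tests are good, only that no instruction was left unexecuted, which is why the coverage result is documented separately from the test results themselves.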

Integration testing

As pieces of code become available, they are added to a skeleton of code, and tested in place to make sure each interface works. Usually the built-in tests of the electronics should be finished first, to begin burn-in and radio emissions tests of the electronics.

Next, the most valuable features of the software are integrated. It is very convenient for the integrators to have a way to run small selected pieces of code, perhaps from a simple menu system.

Some program managers try to arrange this integration process so that after some minimal level of function is achieved, the system becomes deliverable at any following date, with increasing amounts of features as time passes.

Black box and acceptance testing

Meanwhile, the test engineers usually begin assembling a test rig, and releasing preliminary tests for use by the software engineers. At some point, the tests cover all of the functions of the engineering specification. At this point, testing of the entire avionic unit begins. The object of the acceptance testing is to prove that the unit is safe and reliable in operation.

The first test of the software, and one of the most difficult to meet in a tight schedule, is a realistic test of the unit's radio emissions. This usually must be started early in the project to assure that there is time to make any necessary changes to the design of the electronics.

Certification

Each step produces a deliverable, either a document, code, or a test report. When the software passes all of its tests (or enough to be sold safely), these are bound into a certification report, that can literally have thousands of pages. The designated engineering representative, who has been striving for completion, then decides if the result is acceptable. If it is, he signs it, and the avionic software is certified.

At this point, the software is usually very good software by any measurement.

See also

  • Annex: Acronyms and abbreviations in avionics
  • DO-178B
  • Software development model
  • Hazard analysis

External links

  • Generic Avionics Software Specification from the Software Engineering Institute (SEI)
The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.
 