Safety-Certifiable COTS Hardware Delivers Big Benefits For Avionics System Designers
September 15, 2017 | BY: Rick Hearn
The embedded market is seeing increased requirements for cost-effective, reliable avionics solutions that support safety certifiability. To ensure that the electronic systems deployed on airborne platforms are designed and built to the required levels of performance and safety relative to their function, the Federal Aviation Administration established the DO-254 Design Assurance Guidance for Airborne Electronic Hardware safety certification standard. On the software side, the DO-178C standard establishes guidelines for avionics software. These airworthiness regulations were originally created for the commercial aviation industry. As a result of the excellent reusability, cost, and safety successes they have delivered in the commercial sector, they have also been adopted by the defense industry, especially for use in military aircraft flying in domestic airspace. This trend is being driven by a number of market factors, including cockpit digitization, multi-core processing (enabling a reduction in the number of separate systems), the growing use of common avionics subsystems, the increasing number of UAVs and other military aircraft flying over civil population centers, and the use of synthetic vision systems (SVS) for landing (which impacts the design assurance levels required of mission computers).
Some avionics hardware is not critical and its failure would have no significant consequences for the platform and its passengers. For example, if the entertainment system were to break down, the worst consequence might be frustration or anger. On the other hand, other hardware systems have much greater levels of criticality, and their failure can result in a wide range of serious problems, the ultimate being the loss of the aircraft and of life. The DO-254 standard takes into consideration the range of criticality of different avionics hardware and assigns five Design Assurance Levels (DALs) – A, B, C, D, and E – according to the severity of the effects resulting from potential failure. In the event of failure, hardware that meets DAL “E,” the lowest level, will have no effect on the aircraft’s operational capability or pilot workload. DAL “D” is for hardware whose failure would cause only a minor failure condition for the aircraft. In the middle, failure of hardware intended for DAL “C” usage would result in a major failure condition for the aircraft, and typically involve serious injuries. As the levels go higher, and the potential consequences of system failure increase, the amount and complexity of the data artifacts required for DO-254 certification also increase.
A DAL “B” hardware failure is defined as one that could cause a hazardous/severe-major failure condition for the aircraft, and could involve some loss of life. The highest and most intensive level of the DO-254 standard, DAL “A,” is for hardware whose failure would result in a catastrophic failure condition for the aircraft and would likely result in total loss of life for all aboard. It’s estimated that over half of all avionics systems fit into the DO-254 DAL C/D/E categories. Until recently, a system integrator designing a hardware solution to meet DO-254 DAL C safety certifiability faced the daunting challenge of ensuring that the processor, graphics, and I/O modules, for example, in their system could meet very stringent rules. The DO-254 development process requires the costly and time-consuming creation of detailed sets of “data artifacts” to prove that the proper design and production processes have been followed. Data artifacts include plans, requirements, design, integration, test, verification, and validation of the specific modules.
Until recently, electronics modules designed to meet the FAA’s safety certification requirements were custom designs. The cost of developing all of the artifacts needed to meet certification for a custom electronics module is typically in the millions of dollars. The burden of meeting DO-254 data artifact requirements, including cost, time, and complexity, has recently led integrators to consider the use of a new class of open-standards-based “safety-certifiable” commercial-off-the-shelf (COTS) modules. These modules come with the data artifact packages already created, which addresses the key development challenges – cost, time, and complexity. This new class of off-the-shelf safety-certifiable modules dramatically reduces design and program risk. Even better, compared to the traditional custom approach, using COTS modules often delivers significant technology upgrades and obsolescence mitigation advantages.
A recent example of a new avionics system that takes advantage of safety-certifiable COTS modules is HENSOLDT’s Configurable Safety-Certifiable Mission Computer. It provides a great example of how the use of COTS modules can reduce costs and speed the development of these critical systems. Because it uses boards that are supported with pre-existing data artifact packages, cost and development time are reduced by eliminating the complex and demanding documentation process the system integrator must otherwise undertake in order to provide proof of design assurance during the module’s design life cycle. HENSOLDT’s rugged mission computer, which can be certified to aviation safety standards DO-254 and DO-178C up to DAL B, uses open-standard COTS OpenVPX processor, I/O, and graphics module building blocks. For avionics applications that require graphics, like digital moving maps, the Configurable Safety-Certifiable Mission Computer supports Curtiss-Wright’s safety-certifiable VPX3-718 3U OpenVPX graphics display card, based on the AMD Radeon E4690 GPU. The rugged modules are designed for use on deployed platforms and meet the long lifecycle availability required for military programs through use of a suite of CoreAVI software drivers supported with a 20-year component supply program.
- VPX3-150 Single Board Computer (SBC): The VPX3-150 SBC features an NXP® Power Architecture® QorIQ™ P5020 processor. The VPX3-150 SBC is certifiable to DO-254 Design Assurance Level C to run flight-critical software (up to DO-178C DAL C) and provides extensive safety monitoring features, as required by ARP 4754A, including loopback testing of interfaces, windowed watchdog timers, and monitoring of clock frequency, power supply, and temperature. This SBC is compatible with Wind River® VxWorks® 653. The processor delivers the computing power for sensor fusion and ties the mission computer functions together.
- VPX3-718 Video Graphics and Capture Card: The VPX3-718 card uses the high-performance AMD E4690 graphics processing unit running the CoreAVI OpenGL SC2 safety-certified graphics device driver. The VPX3-718 is certifiable to DO-254 Design Assurance Level C. This card supports a number of standard and high-definition video inputs and outputs and can be used to generate the avionics displays with overlaid symbology or moving maps.
- VPX3-611 Aircraft Interface Card: The VPX3-611 is an Input/Output (I/O) card that supports a number of standard avionics buses, such as MIL-STD-1553 and ARINC 429, to communicate with other elements of the aircraft and process sensor inputs and outputs. The VPX3-611 is certifiable to DO-254 Design Assurance Level C.
By offering select standard modules (such as those designed to the popular VPX board architecture) that are supported with pre-existing comprehensive packages of design certification artifacts and certification evidence, COTS hardware vendors can develop safety-certifiable products that can be successfully used in a DO-254 certified system. The availability of pre-existing data artifact packages effectively eliminates the complex and demanding documentation process that a customer must otherwise undertake.