Post on 16-Apr-2017
transcript
1 | June 22, 2015 | © 2015 Curtiss-Wright
What is Safety Certifiable COTS?
Gregory Sikkens, Senior Product Manager
Housekeeping
• Where DO-254 is used during this presentation, it refers to
RTCA DO-254 / EUROCAE ED-80
• Where DO-178 is used during this presentation, it refers to
RTCA DO-178B / EUROCAE ED-12B
What is Safety Certification?
• Stringent compliance standards recognized by certification authorities like the FAA for
design in airborne electronic systems
• Originally created for the commercial aviation industry, they were gradually adopted by the military and defense industry
  • DO-254 defines the requirements for hardware
  • DO-178 defines the requirements for software
• Safety certification is based on a series of Design Assurance Levels (DALs) A through E,
DAL A being the most stringent, and DAL E being the least stringent.
Why is Safety Certification Growing in Importance?
• The FAA has closed the loophole on simple vs. complex COTS; it is now difficult to claim a device is simple
• Practice of reverse engineering is getting harder and harder for the certification authorities to accept
• Spreading from civil/commercial air to other similar industries including defense
• Growth in UAVs and associated ground stations
• Application area: ground-based Air Traffic Control systems
• Increasing numbers of military aircraft that fly over civil population centers
• Growing use of military avionics subsystems in commercial aircraft
How do we provide your safety certifiable solutions at a reasonable cost?
COTS
COTS modules deliver applications with far greater capabilities that also comply with the growing demand for safety certification.
The key benefits of COTS include:
• Open hardware architectures can mitigate obsolescence
• Reduction in procurement times
• Lower development cost
• Lower logistics costs
• Leverage higher collective volume
• Cost effective
• Increases assurance
• Modified COTS (MCOTS) remains cost effective and lower risk compared to custom development
Traditional Approach vs. COTS – What’s the Difference?
TRADITIONAL APPROACH
• Application-specific development
• High cost
  • All DO-254/DO-178 artifact costs allocated to a single application
• Designed-in artifacts
• Or already developed non-certifiable COTS
  • May add risk
  • Analyze and reverse-engineer artifacts in support of the purchaser’s certification effort
• Example – CCA-147 (SBC)
  • DO-254 DAL C/DO-178B DAL A
COTS APPROACH
• General-purpose COTS development
• Lowers cost and risk
  • Artifact costs reflect standard product sales quantities
• Designed-in artifacts
• Example – VPX3-150 (SBC)
  • DO-254 DAL C/DO-178C DAL C
General Purpose COTS DO-254 Development
We start with a rigorous rugged development process
• Curtiss-Wright has continuously refined it over 30+ years of work in the mil/aero market
• Every product is designed to be rugged from the start, not designed and then ruggedized
• We fully meet or exceed the requirements of the AS9100 quality system
• We execute requirements tracking and verification traceability using DOORS
• We do detailed reviews – very few issues are found during hardware bring-up and verification
You benefit from our proven rugged performance
• Environmental qualification testing of the design
• ESS testing of production units (manufactured in-house)
You also benefit from our high reliability
• Reliability Risk Assessment – we document risks to reliability, manufacturing, etc., and categorize them with mitigation plans and actions
• Reliability Demonstration Testing (RDT) – where identified risks cannot be mitigated through design or analysis, testing is used
General Purpose COTS DO-254 Development – Cont’d
DO-254 requires a two-fold approach to achieve design assurance (certainty that the design operates as intended):
• Thorough verification at all junctures of the process to catch errors in the design
• A structured and audited design process with thorough planning, reviews, and double-checking of each step within the flow
Curtiss-Wright’s standard development process is extended with an audited design process to offer a full DO-254 development process option.
Where Do We Fit Into the Safety Certification Process?
(Diagram on the original slide showing Curtiss-Wright’s place in the safety certification process)
Design Assurance Levels (DAL)
• EASA CM No.: EASA CM - SWCEH - 001 Issue No.: 01
  • “For equipment and CBAs of DALs/IDALs A, B, C or D, the ED-80/DO-254 objectives of Appendix A that are defined for level D should be applied.”
  • CBA – Circuit Board Assembly
• FAA Advisory Circular AC No: 20-152
  • “This AC recognizes the guidance in RTCA/DO-254 applies specifically to complex custom micro-coded components with hardware design assurance levels of A, B, and C, such as ASICs, PLDs, and FPGAs.”
  • “NOTE: We recognize that the hardware life cycle data for commercial-off-the-shelf (COTS) microprocessors may not be available to satisfy the objectives of RTCA/DO-254. Therefore, we don’t intend that you apply RTCA/DO-254 to COTS microprocessors. There are alternative methods or processes to ensure that COTS microprocessors perform their intended functions and meet airworthiness requirements. Coordinate your plans for alternative methods or processes with us early in the certification project.”
Differences in Safety Certification: EASA vs. FAA
(Figure on the original slide: DAL A, B, or C (FAA) vs. DAL D (EASA))
What Is Curtiss-Wright Doing?
• Develop DO-254 standard COTS products that are accepted worldwide
• Board level development to DO-254 DAL D
• Complex custom micro-coded components to DO-254 DAL A
• Possibly DAL C w/ independence as intermediate step
• Establish a product breadth – SBC, graphics and I/O
DO-254 Artifacts for DAL C
(Two columns on the original slide: Artifact Kit, and Supporting Documents (if requested by authorities))
• Plan for Hardware Aspects of Certification
• Hardware Verification Plan
• Top-level drawing
• Hardware Accomplishment Summary
• Hardware Design Plan
• Hardware Validation Plan
• Hardware Configuration Management Plan
• Hardware Requirements
• Hardware Design Data
• Assembly Drawings/Installation Control Drawings
• Hardware Traceability Data
• Hardware Review and Analysis Results
• Hardware Test Procedures
• Hardware Test Results
Development Data Kit
• To assist with the Preliminary System Safety Assessment (PSSA)
• Contents:
• Single Event Effects (SEE)
• Failure Modes and Effects Analysis (FMEA)
• Reliability Analysis (MTBF)
• Part Stress Method (using Part Stress Analysis)
• …
We can do much more for you than just a DO-254 development process!
ARP4754: System Development Process
• Safety monitoring requirements
• Functional requirements
Safety Monitoring Requirements
Safety assessment is mandatory for certifiable equipment
• How do we determine this in the absence of a Preliminary System Safety Assessment (PSSA)?
• Include a process procedure: COTS Safety Assessment
Result – safety requirements based on assessment of:
• Component complexity (and a means of mitigation)
• Environmental monitoring
• Functional monitoring
• Failure probability mitigation
• Experience of what is typically required at the system level
Examples of safety functions included on Curtiss-Wright safety certifiable products:
• Temperature sensors
• Independent voltage monitors
• Clock monitors
• Video Integrity monitor
• Watchdog Monitor
• CoreNet Bandwidth monitor
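As an added illustration of the functional monitoring listed above (not Curtiss-Wright code), the C monitor below latches a fault only after a configurable run of out-of-range samples and holds it until an explicit reset; the 3.3 V rail limits, the persistence count and the sample values are constructed assumptions.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed example (not Curtiss-Wright code): a generic out-of-range
 * monitor of the kind used for temperature, supply-voltage and clock
 * supervision. A fault is latched only after `persist` consecutive bad
 * samples, so one noisy reading cannot trip the board; once latched it
 * stays latched until an explicit reset, so a brief excursion is not
 * silently forgotten between polls. */
typedef struct {
    int32_t low, high;    /* inclusive limits in sensor units */
    uint8_t persist;      /* consecutive bad samples needed to latch */
    uint8_t bad_count;    /* running count of consecutive bad samples */
    bool    latched;      /* sticky fault flag */
} monitor_t;

void monitor_init(monitor_t *m, int32_t low, int32_t high, uint8_t persist)
{
    m->low = low; m->high = high; m->persist = persist;
    m->bad_count = 0; m->latched = false;
}

/* Feed one sample; returns the fault state after this sample. */
bool monitor_sample(monitor_t *m, int32_t value)
{
    if (value >= m->low && value <= m->high) {
        m->bad_count = 0;                 /* a good sample clears the run... */
    } else if (m->bad_count < m->persist) {
        m->bad_count++;                   /* ...a bad one extends it (saturating) */
    }
    if (m->bad_count >= m->persist)
        m->latched = true;                /* sticky: only monitor_reset() clears it */
    return m->latched;
}

void monitor_reset(monitor_t *m) { m->bad_count = 0; m->latched = false; }

/* Drive a 3.3 V rail monitor (assumed limits 3135..3465 mV, i.e. +/-5 %)
 * with a sample sequence and return the index of the sample that latched
 * the fault, or -1 if the rail stayed healthy. */
int first_latch_index(const int32_t *mv, int n, uint8_t persist)
{
    monitor_t m;
    monitor_init(&m, 3135, 3465, persist);
    for (int i = 0; i < n; i++)
        if (monitor_sample(&m, mv[i]))
            return i;
    return -1;
}
```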
Let Our Experienced Team Help You!
• Staff trained on DO-254 development
• Completed DO-254 DAL C Modified COTS (MCOTS) development projects
  • MCOTS – re-use existing IP to develop a new product
• Work with strong DER representation
  • Tammy Reeve, Patmos Engineering
  • Chairs US DO-254 User’s Group
  • Very active in progressing DO-254 and associated guidance documents
Strengthened by Services
• Franchise Only Supply (FOS)
• Protects against counterfeit material
• Longevity Of Supply (LOS)
• Extends life of product
• Longevity Of Repair (LOR)
• Extends period of repair support
We can facilitate supporting information from:
• Freescale Semiconductor
• AMD
• Intel
Safety Certifiable Products
(Columns on the original slide: Product | Features | Benefits | System Ready Application)
VPX3-150
  • Features: Freescale P5020 dual-core, 64-bit, 1.2 GHz; 2–8 GB DRAM; 256 MB flash; 16–64 GB flash storage; CANbus; Elapsed Time Counter
  • Benefits: Safety Certifiable DO-254/DO-178C
  • System Ready Application: SferiAdvise Digital Mapping
XMC-TBD
  • Features: Freescale T2080 single core with AltiVec @ 1.5 GHz; up to 16 GB DDR3 memory, 1866 MT/s (4 ranks); one bank of NOR flash (256 MB); one bank of NAND flash (8 GB); 512 KB non-volatile memory (MRAM)
  • Benefits: Safety Certifiable DO-254; AltiVec-enhanced
  • Status: Concept
VPX3-718
  • Features: AMD Radeon E4690, dual independent outputs; HD-SDI/DVI/STANAG 3350/analog supported; 512 MB dedicated video memory; H.264 decompression
  • Benefits: Safety Certifiable DO-254/DO-178C; low latency video capture; full frame rate video capture
  • System Ready Application: SferiAdvise Digital Mapping
XMC-725
  • Features: AMD Radeon E8860 processor; dual independent graphics outputs; 2 GB dedicated video memory; H.264 decompression
  • Benefits: Safety Certifiable DO-254/DO-178C; larger video memory than E4690-based graphics; 15 year supply
VPX3-611
  • Features: FPGA-based I/O module with 2x MIL-STD-1553, 10x ARINC 429 Tx, 18x ARINC 429 Rx, 8x UART, 16x discretes, 2x analog inputs, 2x analog outputs, 2x audio outputs
  • Benefits: Safety Certifiable DO-254/DO-178C
  • Status: Concept
25 | June 22, 2015 | © 2015 Curtiss-Wright
2016 2015
Safety Certifiable Roadmap Future
Customer Driven
In Design
Shipping
Roadmaps Subject to Change
3U Power Architecture SBCs
T2080 single Core 16 GB, 1.5 GHz with Altivec
150
P5020/P3041 @ 1.2 GHz 64-bit core Up to 8 GB SDRAM
611
FPGA-based I/O module
I/O Modules
AMD E4690 – 2 O/P Dual HD-SDI/Analog Capture
Decompression
718
3U Graphics Cards
XMC Mezzanine Cards AMD E8860 5 O/P Compression/Decompression
725 133C
26 | June 22, 2015 | © 2015 Curtiss-Wright
Certification Credits
• Planning to submit VPX3-150 and VPX3-718 to EASA
• ETSO-C165 (digital map)
• ETSO-C194 (HTAWS)
• Using Airbus SferiAdvise digital map and HTAWS application
Software Support
• Wind River
  • VxWorks CERT Platform – certified operating system based on VxWorks, compliant with ED-12B/DO-178B
  • VxWorks 653 Platform – operating system derived from VxWorks with an ARINC 653 API, supporting DO-197
• Green Hills Software
  • Integrity-178B tuMP, which offers an ARINC 653 API
  • Integrity Multivisor: a hypervisor that offers virtualization to host a wide diversity of operating systems
• SYSGO
  • PikeOS, a microkernel offering both an RTOS and a virtualization concept
• Lynx Software Technologies
  • LynxOS-178, an RTOS offering a virtualization concept via virtual machines
  • FAA-accepted Reusable Software Component (RSC)
• DDC-I
  • DEOS, an RTOS certified up to Level A, supporting ARINC 653 Part 4
Board Support Package/Driver Support
Product | DO-254 | Processor | VxWorks 653 | VxWorks 6.6 Cert | Integrity 178b | PikeOS | Lynx178 | DEOS
VPX3-150 DAL C P5020 Yes
VPX3-718 DAL C E4690 Yes
XMC-725 DAL C E8860 Yes Yes Yes Yes
VPX3-716 E8860 Yes Yes Yes Yes
VPX3-1701 LS1020A Yes
DMV-186 P4080 Yes Yes
VPX6-187 P4080 Yes Yes
DMV-183 7447A Yes Yes Yes
XMC-715 E4690 Yes Yes Yes Yes Yes
DO-178 Software
Outsource DO-178 software development
• We contract development and resell with artifacts
• Performed with PSAC and Accomplishment Summary
• We also enable and support RTOS providers that customers can work with directly
U-Boot source code may be provided under a source code license agreement to facilitate a DO-178 software implementation.
• Not applicable to the VPX3-150: its boot loader is DO-178 DAL C certifiable
DO-178C Artifacts for DAL C
• Plan for Software Aspects of Certification (PSAC)
• Quality Assurance Plan (QAP)
• Software Configuration Management Plan (SCMP)
• Configuration Management Records
• Quality Assurance Records
• Software Requirements Data (SRD)
• Software Design Description (SDD)
• Software Coding, Development, and Requirements Standards
• Software Verification Results (SVR)
• Trace Matrices
• Data and Control Coupling Results and Analysis
• Structural Coverage Results and Analysis Report
• Software Accomplishment Summary (SAS)
OpenGL®/UVD Driver
• Certifiable up to and including DO-178C DAL A
• OpenGL SC certifiable driver includes:
  • Conforms to the Khronos™ OpenGL SC 1.x specification
  • Static memory management
  • Deterministic display lists
  • 100% structural coverage (statement, DC, MC/DC)
  • Available from Curtiss-Wright
• Looking at OpenGL ES 2.0 (specification underway with Khronos)
• Universal Video Decoder (UVD) driver is also certifiable
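The MC/DC figure above, and the “Structural Coverage Results and Analysis Report” in the DO-178C artifact list, refer to a specific property of the test set rather than of the code. The C check below is an added illustration, not code from Curtiss-Wright or the OpenGL SC driver: it decides whether a set of test vectors achieves MC/DC on a constructed three-condition decision (the decision, the bit layout and the vectors are all assumptions).

```c
#include <stdbool.h>
/* Constructed decision under test (an assumption, not driver code): a display
 * list may be executed when it is compiled AND still valid, OR a forced redraw
 * is in progress. Three conditions: compiled, valid, force. */
static bool execute_allowed(bool compiled, bool valid, bool force)
{
    return (compiled && valid) || force;
}

#define NCOND 3
typedef bool (*decision_fn)(bool, bool, bool);

/* A test vector is a 3-bit mask: bit 2 = compiled, bit 1 = valid, bit 0 = force. */
static bool eval(decision_fn d, unsigned vec)
{
    return d((vec >> 2) & 1u, (vec >> 1) & 1u, vec & 1u);
}

/* Decision coverage: number of distinct outcomes (0..2) the test set reaches. */
int decision_outcomes(decision_fn d, const unsigned *tests, int n)
{
    bool seen[2] = { false, false };
    for (int i = 0; i < n; i++)
        seen[eval(d, tests[i]) ? 1 : 0] = true;
    return (seen[0] ? 1 : 0) + (seen[1] ? 1 : 0);
}

/* MC/DC needs, for condition `cond`, an independence pair: two vectors in the
 * set that differ only in that condition and yield different outcomes. */
bool mcdc_pair_for(decision_fn d, const unsigned *tests, int n, int cond)
{
    for (int i = 0; i < n; i++)
        for (int j = i + 1; j < n; j++)
            if ((tests[i] ^ tests[j]) == (1u << cond) &&
                eval(d, tests[i]) != eval(d, tests[j]))
                return true;
    return false;
}

/* True only when every condition has an independence pair in the test set. */
bool mcdc_satisfied(decision_fn d, const unsigned *tests, int n)
{
    for (int c = 0; c < NCOND; c++)
        if (!mcdc_pair_for(d, tests, n, c))
            return false;
    return true;
}

/* Constructed test sets: 111 and 000 reach both outcomes (decision coverage)
 * but isolate no condition; 110/010, 110/100 and 010/011 isolate compiled,
 * valid and force respectively, giving MC/DC with only four vectors. */
const unsigned dc_only_set[] = { 0x7, 0x0 };
const unsigned mcdc_set[]    = { 0x6, 0x2, 0x4, 0x3 };
```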
VPX3-150 BSP Drivers
CORE DRIVERS FOR OS
• Board bring-up
• Interrupt Controller
• Timer
• I2C
• Board Management (Reset Control/GPIO/Watchdog/…)
• eMMC (Flash storage)
• UART (Debug)
• 2 * Ethernet (Debug)
DRIVERS ACCESSIBLE BY PARTITIONS
• GPIOs are available via APEX sampling ports
• Cert Network Stack (UDP/IP via Ethernet) is accessed via APEX queuing ports (SAP ports – Service Access Points)
• eMMC (Flash Storage) access via POSIX (open/close/read/write/…) and the HRFS file system
• Board Management (Reset Control/GPIO/…) is accessible via APEX sampling ports
• Flash is accessible via I/O driver
• NVMEM is accessible via I/O driver
System Ready Applications
Pre-validated, pre-tested best-of-breed solutions
Saves you
• SferiAdvise™ Digital Mapping Solution – Airbus® DS’ SferiAdvise® on the 150 and 718
• ENSCO IData® HMI Solution – ENSCO Avionics’ IData on the 131 and 715
Safety Certifiable Digital Map/HTAWS
(Diagram on the original slide: VPX3-150 SBC linked over PCIe G1 x4 to the VPX3-718 graphics processor and over PCIe G1 x4 to the VPX3-611 I/O module, which provides MIL-STD-1553, ARINC-429, discretes and analog/audio)
Safety Certifiable Single Slot SBC and I/O Solution
(Diagram on the original slide: VPX3-611 I/O module providing MIL-STD-1553, ARINC-429, discretes and analog/audio, carrying the XMC-TBD processor mezzanine)
Thank You
www.cwcdefense.com
Gregory Sikkens, Senior Product Manager
Defense Solutions Division, Curtiss-Wright
T: 613.599.9199 x5449 | M: 613.899.4963
Greg.Sikkens@curtisswright.com
VPX3-150 SBC (Safety Cert.)
• Freescale QorIQ P5020 at 1.2 GHz
• Memory
  • Up to 8 GB DDR3 memory with ECC
  • 256 MB NOR flash
  • 16 GB eMMC memory
  • 512 KB NVMEM
• Communications and I/O
  • (1) 10/100/1000Base-TX (GbE) interface
  • (1) 10/100/1000Base-KX interface
  • (1) asynchronous EIA-232 serial port and (1) asynchronous EIA-422 serial port
  • (2) SATA, (1) CANbus
• Fabric Interconnect Ports
  • (2) x4 lane PCIe Gen2
• VxWorks 653 v2.5 AMP
  • Package from Wind River includes Ethernet stack and filesystem
• VxWorks 6.9 SMP
• DO-254/DO-178C Artifact Kits
• Additional Features
  • Temp sensors, ETC, DIO
  • Pin compatible with 131, 133, and 1257
VPX3-718 OpenVPX Graphics Module (Safety Cert.)
• AMD Radeon E4690 GPU w/ 512 MB GDDR3 SDRAM (300E/400M)
• Universal Video Decoder (UVD): single HD stream – H.264
• Dual independent display heads out of:
  • (2) HD-SDI (SMPTE-292M)
  • (2) single link DVI or (1) dual link DVI
  • (2) analog, PAL, STANAG 3350 B/C, RGBHV
• Dual independent video capture channels out of:
  • (2) HD-SDI (SMPTE-292M)
  • (2) analog, PAL, STANAG 3350 B/C
• Fabric Interconnect Ports
  • (2) x4 lane PCIe Gen 2 (also configurable as (1) x8 lane)
• Drivers
  • VxWorks 653 v2.5 AMP, VxWorks 6.9 SMP
  • OpenGL SC 1.0
• DO-254/DO-178C Artifact Kits
• Video Integrity Monitor (VIM)
XMC-725 Graphics XMC (Safety Cert.)
• AMD RADEON E8860-based graphics XMC
  • 2 GB of GDDR5 dedicated graphics memory
  • x8 PCIe interface
• Universal Video Decoder (UVD) – H.264
• Video Compression Encoder (VCE) – H.264
• Power management
• 15 year supply
• Safety Certifiable up to DO-178C Level A
• DO-254 kit supporting up to DAL Level C
• Two independent display heads selectable from:
  • Dual DVI outputs (24bpp)
    • Dual single link DVI (162 MP/s)
    • Single dual link DVI (268.5 MP/s)
  • Dual LVDS outputs (18 or 24bpp)
    • Either single- or dual-channel mode
    • From XGA (or below) up to QXGA
  • Dual DisplayPort outputs
  • Analog non-interlaced output
    • 10-bit DAC
    • Maximum pixel frequency of 400 MHz
XMC-TBD Processor (Concept, Safety Cert.)
• Freescale T2080 @ 1.5 GHz with AltiVec
• Memory
  • Up to 16 GB DDR3 memory with ECC
  • 256 MB NOR flash
  • 16 GB eMMC memory
  • 512 KB NVMEM
• Communications and I/O
  • (1) 10/100/1000Base-TX (GbE) interface
  • (1) asynchronous EIA-232 serial port and (1) asynchronous EIA-422 serial port
  • (2) SATA
• DO-254 Artifact Kit
• Additional Features
  • Temp sensors, DIO
  • Pin compatible with XMC-120
VPX3-611 I/O Module (Concept, Safety Cert.)
• FPGA-based I/O module with:
  • 2x MIL-STD-1553
  • 10x ARINC 429 Tx
  • 18x ARINC 429 Rx
  • 8x UART
  • 16x discretes
  • 2x Analog inputs
  • 2x Analog outputs (can be used for audio)
• XMC mezzanine site
  • Support for processor mezzanines
  • 25W mezzanine support
• VxWorks 653 v2.5 AMP, VxWorks 6.9 SMP
• DO-254/DO-178C Artifact Kits
• Flexible Variants
  • Different FPGA IP load or blank
  • IO Mapper
    • Maximize I/O pin utilization
    • Interconnect I/O between FPGA and XMC