Posted 13-Apr-2017 by real-time-innovations-rti (Category: Software)
DO-178C Level A Certifiable DDS
The Connectivity Platform for the Industrial Internet of Things™
Mission Critical and Safety Critical Software
Integration of UAS with Commercial Aviation
• Ensure safety of commercial aviation
• Ensure safe integration of UAS into the NAS
©2015 Real-Time Innovations, Inc.
Communication Co-operation and Control
UAS Segments
• Aircraft Segment
  – Typically a distinct physical boundary
• Control Segment
  – One or more control segments, static or mobile
  – E.g. separation between navigation and mission
• Communications Segment
  – Possible multipath, e.g. line of sight, beyond line of sight
• Air Traffic Network
  – Evolving (NextGen)
NAS Communication (diagram)
Nodes: Aircraft, Other Aircraft, Communication Segment, NAS
Links: ATC - Air Traffic Control, ATC – Communications, Surveillance and Navigation, Surveillance
UAS/NAS Communication (diagram)
Nodes: Aircraft Segment, Control Segment, Other Aircraft, Communication Segment, NAS
Links: ATC - Air Traffic Control, ATC – Communications, Command and Control, Surveillance and Navigation, Surveillance, Flight planning and Aeronautical information
UAS integrated in NAS (diagram)
Control Segment: Vehicle Operator, Payload Operator, Operations Controller, ATC Traffic Controller
Aircraft: Payload, Onboard system
Surveillance: Cooperative Targets, Un-Cooperative Targets
Cross-cutting concerns: Safety, Security
Role of Connectivity (diagram)
Connectivity links: Sensors, Fusion, Actuators, Control, Displays, Recording, Communications
Traditional Approach to Distributed Avionics: Bespoke Connectivity and Integration
• Apps/connectivity layer written directly to transport
• Tied to transport’s:
  – Semantics, e.g.: 1:1, 1:many, reliable, unreliable…
  – Proximity assumption, e.g.: same partition, same node
Sockets, AFDX, shared memory, ARINC ports, message queues…
(diagram: Application / Connectivity / OS & Transport stacks on each node, with the connectivity layer written directly to the transport)
May not be a clean separation between app, connectivity and integration logic
Traditionally Handled by Custom Logic
• Addressing
• Discovery / presence / health
• Startup order dependencies
• Reliability over unreliable transports (e.g., multicast)
• Heterogeneous interoperability
• Reconnections
• Failover
• State synchronization
• Timing control and visibility
• Bridging across nets, xports
(diagram: Application / Connectivity / OS & Transport stacks on each node)
Costs Increase over Time
• Often use point-to-point integration
  – Changing or adding components affects others
  – Necessitates integration work, re-certification
  – O(n²) complexity
• Requirements change, e.g., moving apps and changing xports
• Systems become more stovepipe, brittle and expensive to maintain over time
Connext DDS Cert
• Handles connectivity heavy lifting
• Replaces custom code, simplifies app and integration logic
• Based on Data Distribution Service (DDS) standard
(diagram: Application → DDS API → Connext DDS Cert → Operating System → xport1 … xportn, on each node)
DDS-RTPS Wire Interoperability Protocol:
• Interoperable across programming languages, operating systems, CPU families
• Interoperates with other Connext DDS products for mixed-criticality environments
• Reliable or best effort delivery, even over unreliable transports
Pluggable transport interface: supports multiple concurrent transports
Standard semantics:
• Data-Centric Publish-Subscribe
• Transport independent
Publish/Subscribe for Loose Coupling
• Apps can be added and changed w/o changes to other deployed components
• Easy to test; RTI provides record and replay services
(diagram: DDS Software Data Bus carrying Sensor Data, Commands and Status between Sensors, an Actuator, a Control App and a Display App)
Data-Centric Publish/Subscribe
• Similar to using a database
• Apps publish and subscribe to data objects
• DDS maintains shared state for system robustness
  – Applications maintain consistent view
  – Late joining applications get current snapshot, desired history
  – Not necessary to persist or reliably deliver all messages
(diagram: apps Publish into and Subscribe from the following shared data objects)

Squawk | Long | Lat    | Alt
1234   | 37.4 | -122.0 | 500.0
7654   | 40.7 | -74.0  | 250.0

Line | Flight | Dest | Arv
UA   | 567    | SFO  | 7:32
AA   | 432    | LAX  | 9:15

Squawk | Line | Flight
1234   | UA   | 567
7654   | AA   | 432
Facilitates Modular, Open Architectures
• Well-defined interfaces between components
  – Standard data-centric publish-subscribe paradigm
  – Well-defined data model using OMG IDL or XML
  – Code generation from data model for type safety
  – Standard network protocol and serialization
• DDS widely used for FACE, UCS, OMS, others
• RTI provides FACE Transport Services Segment (TSS) reference implementation
(diagram: a DDS Application and a FACE Unit of Portability (UoP) on separate nodes, each running over Connext DDS Cert, the Operating System and transports xport1 … xportn, joined by the DDS-RTPS Wire Interoperability Protocol)
FACE TSS:
• FACE type-specific Transport Services (TS) API
• Generated from FACE Platform Data Model by RTI IDL compiler
Connext DDS Inherently Well-Suited to Safety-Critical Systems
• Non-stop availability
  – Decentralized architecture
  – No single point of failure
  – Support for redundant networks
  – Automatic failover between redundant publishers
  – Dynamic upgrades
• No central server or services
• Version-independent interoperability protocol
• Control over real-time Quality of Service
• Visibility into missed deadlines and presence
• Proven in thousands of mission critical systems
Example: US Army Asset Tracking System
Legacy Capability:
• 500K lines of code
• 8 yrs to develop
• 21 servers
• Achieved: 20K tracked updates/sec, reliability and uptime challenges
With Connext DDS:
• 50K lines of code (order of magnitude less)
• 1 yr to develop (8x less)
• 1 laptop (20x less)
• Achieved: 250K+ tracked updates/sec, no single point of failure
“This would not have been possible with any other known technology.” —Network Ops Center Technical Lead
Connext DDS Cert: Designed for DO-178C Level A
• Certifiable subset of DDS API and protocol
  – Apps are portable to other DDS
  – Interoperates P2P with other Connext DDS products
  – Interoperates with other DDS via RTI Routing Service
• Compact, modular and portable
  – ~21,000 Executable Lines Of Code (ELOC)
  – ≤335 KB ROM/flash
  – Bulk of certification evidence is reusable
  – Well-defined transport and OS interfaces
DO-178C Certification Data Package
• Available now
• Produced by certification leader Verocel
• Supports Design Assurance Level (DAL) A
• Includes:
  – DDS “C” API
  – VxWorks Cert OS
  – Transports: intra-process and UDP with multicast
  – PowerPC CPU
• ~93% of code is transport, OS and CPU independent
  – Minor delta cert for ports, DDS C++ API and FACE TSS
Certification of Connext DDS Cert
Relationships between Standards (diagram)
Processes: Assess Safety (ARP 4761, Safety), Develop System (ARP 4754A, Systems), Develop Hardware (DO-254, Complex Electronic Hardware), Develop Software (DO-178C, Software)
Flow: Intended Aircraft Function → Allocated Functions and Requirements → Requirements allocated to Software / Requirements allocated to Hardware → Developed Software / Developed Hardware → Developed System → Functional System
Implementation Centric View (diagram)
Processes: Develop Hardware (DO-254, Complex Electronic Hardware), Develop Software (DO-178C, Software), Integrate System (ARP 4754A, Systems), Assess Safety (ARP 4761, Safety)
Flow: Intended Aircraft Function → Allocated Aircraft Functions → System Design → Software Design → Implementation (hardware and software) → Functional System; Function Failure and Safety Information feeds back into Assess Safety
SC-228 A-Interim (1, 2, and 3)
• A-Interim 1, Command and Control (C2) Data Link, MOPS for Verification and Validation
• A-Interim 2, MOPS for Air-to-Air Radar for Detect and Avoid Systems
  – If the equipment implementation includes software, the guidelines contained in DO-178C should be considered.
• A-Interim 3, Detect and Avoid (DAA) MOPS for Verification and Validation
  – If the equipment implementation includes software, the guidelines contained in DO-178C may apply at the appropriate software level
MOPS - Minimum Operational Performance Standards
They are large documents, but Interim only. Many parameters and other data are still to be evaluated and specified.
Connext DDS Cert in a Safety Context
• System will have its own Certification Plan
• Applications have their own Certification Plan
  – Plan for Software Aspects of Certification (PSAC)
• Real Time OS
  – PSAC and Certification Data Package
• Connext DDS Cert
  – Has its own PSAC, SAS etc.
  – Certification Data Package
    • Includes all documents and Lifecycle data
Certification Data Package (CDP)
830.5 Mb of data
Connext DDS Cert Is Part of a System
• As a COTS product, there is no system to trace to
• Derived Requirements need special treatment
• Information to be presented to the System Safety Assessment process
• Verocel provides Software Vulnerability Analysis to support Safety Assessment
Software Vulnerability Analysis (SVA)
• What and why?
• Connext DDS Cert certified on reference board
• Middleware is tested as a stand-alone system
  – No System or Application to reference to
How to handle possible errors to be mitigated by the system?
SVA Examples (sample)
• Description of Vulnerability SVA.5
  – Invalid IPv4 address is ignored and no error is reported
• Observable Behavior
  – If an invalid address is specified in one of the enabled_transports Qos policies it is ignored
• Mitigation
  – User needs to ensure address is valid in the enabled_transports field of struct DDS_TransportQosPolicy
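The SVA.5 mitigation puts address validation on the application side, since the middleware itself reports nothing. The following is an added example, not RTI or Verocel code and not part of the Connext DDS Cert API, of the check an application can run before an address string is written into a transport QoS policy: a strict dotted-decimal parser and a helper that scans a list of candidate addresses and reports the first invalid one, so a bad entry fails at configuration time instead of being silently dropped. The function names and the sample addresses are assumptions constructed for this illustration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>

/* Strict dotted-decimal IPv4 check (hypothetical helper, not a Connext API):
 * exactly four octets, decimal digits only, each octet 0-255, no empty octets,
 * and no leading zeros (avoids the octal reading some resolvers give "010"). */
bool is_valid_ipv4(const char *s)
{
    int octets = 0;

    if (s == NULL) {
        return false;
    }
    while (*s != '\0') {
        int value = 0;
        int digits = 0;

        /* An octet must start with a digit; "1..2.3" and ".1.2.3" fail here. */
        if (!isdigit((unsigned char)*s)) {
            return false;
        }
        /* Reject "01", "007" etc.; a lone "0" is fine. */
        if (*s == '0' && isdigit((unsigned char)s[1])) {
            return false;
        }
        while (isdigit((unsigned char)*s)) {
            value = value * 10 + (*s - '0');
            digits++;
            if (digits > 3 || value > 255) {
                return false;
            }
            s++;
        }
        octets++;
        if (*s == '.') {
            s++;
            if (*s == '\0') {          /* trailing dot: "1.2.3.4." */
                return false;
            }
        } else if (*s != '\0') {       /* any other separator or junk */
            return false;
        }
    }
    return octets == 4;
}

/* Scan candidate addresses before they go into the transport QoS policy.
 * Returns the index of the first invalid entry, or -1 if all are valid, so the
 * application can reject the configuration rather than let the middleware
 * silently ignore the bad address. */
int first_invalid_address(const char *const *addrs, size_t count)
{
    for (size_t i = 0; i < count; i++) {
        if (!is_valid_ipv4(addrs[i])) {
            return (int)i;
        }
    }
    return -1;
}

/* Constructed sample list: the second entry has an out-of-range octet. */
int example_first_invalid(void)
{
    static const char *const candidates[] = {
        "239.255.0.1",      /* valid multicast address */
        "192.168.1.256",    /* invalid: 256 > 255 */
        "10.1.2.3",
    };
    return first_invalid_address(candidates,
                                 sizeof candidates / sizeof candidates[0]);
}
```

The parser deliberately rejects forms that inet_aton-style parsers accept (leading zeros, fewer than four octets), because a configuration value that two parsers read differently is exactly the kind of silent discrepancy an SVA entry warns about; if the deployment needs those forms, relax the rules here rather than rely on the middleware to complain.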
SVA Examples (sample)
• Description of Vulnerability SVA.3
  – System does not check for rollover of the following counters: … OSAPI Tick …
• Observable Behavior
  – A system running continuously … will experience a rollover of tick_sec …
• Mitigation
  – System must not run continuously for more than 2147483648 seconds (about 68 years).
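The SVA.3 entry hands the rollover problem to the system integrator. The following added example (written for this page, not RTI or Verocel code) shows what that mitigation looks like in application code: a budget check against the stated limit for the planned continuous-run time, an emulation of the counter's wrap so the failure mode is visible, and the difference between a naive elapsed-time subtraction and a modular one that stays correct across the wrap. It assumes, from the stated rollover point of 2147483648 s (INT32_MAX + 1), that tick_sec is a signed 32-bit second counter; the function names and the sample uptimes are constructed for the illustration.

```c
#include <stdbool.h>
#include <stdint.h>

/* Assumption drawn from the page: tick_sec is a signed 32-bit second counter,
 * since the stated rollover point, 2147483648 s, is INT32_MAX + 1. */
#define TICK_SEC_ROLLOVER_SEC 2147483648ULL

/* Seconds of continuous operation left before tick_sec rolls over. */
uint64_t seconds_until_rollover(uint64_t uptime_sec)
{
    return uptime_sec >= TICK_SEC_ROLLOVER_SEC ? 0
                                               : TICK_SEC_ROLLOVER_SEC - uptime_sec;
}

/* Operational check for the mitigation: does the planned continuous-run time
 * plus a safety margin stay below the limit? The margin lets a maintenance
 * restart be scheduled well before the limit rather than at it. */
bool continuous_run_is_within_limit(uint64_t planned_run_sec, uint64_t margin_sec)
{
    if (planned_run_sec > TICK_SEC_ROLLOVER_SEC || margin_sec > TICK_SEC_ROLLOVER_SEC) {
        return false;                      /* also guards the sum below */
    }
    return planned_run_sec + margin_sec < TICK_SEC_ROLLOVER_SEC;
}

/* Emulate the counter's value after uptime_sec seconds: reinterpret the low
 * 32 bits as two's complement without signed overflow. Shows the jump from
 * INT32_MAX straight to INT32_MIN. */
int32_t emulated_tick_sec(uint64_t uptime_sec)
{
    uint32_t raw = (uint32_t)(uptime_sec & 0xFFFFFFFFull);
    if (raw < 0x80000000u) {
        return (int32_t)raw;
    }
    return (int32_t)(raw - 0x80000000u) + INT32_MIN;   /* stays in range */
}

/* Naive elapsed time, the way code that "does not check for rollover" would
 * compute it (widened to 64 bits here only so the wrong answer can be shown
 * without undefined behaviour): across the wrap it goes hugely negative. */
int64_t naive_elapsed_sec(int32_t start_tick, int32_t now_tick)
{
    return (int64_t)now_tick - (int64_t)start_tick;
}

/* Rollover-tolerant elapsed time: subtract modulo 2^32, which gives the right
 * interval across a wrap as long as the interval is under 2^31 s. Returns -1
 * when the difference is >= 2^31 and therefore ambiguous (a wrap or an
 * interval longer than the counter can represent). */
int64_t safe_elapsed_sec(int32_t start_tick, int32_t now_tick)
{
    uint32_t delta = (uint32_t)now_tick - (uint32_t)start_tick;   /* modular */
    if (delta >= 0x80000000u) {
        return -1;
    }
    return (int64_t)delta;
}
```

The modular subtraction only narrows the exposure: any timeout or watchdog computed from tick_sec must still be shorter than 2^31 s, and the run-time budget check is what actually enforces the mitigation the SVA entry asks for.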
Requirement Centric Hyperlinking
Traceability and Impact Analysis Performed with VeroTrace (Verocel’s Qualified tool)
Impact Analysis managed by qualified Traceability tool
Stack Analysis
• Worst Case stack size calculated for every API function
• Object code is analyzed
• All paths checked, and worst case size provided when possible
  – Not possible if RTOS functions called
  – Not possible when user callbacks present
• Calculator provided
  – Users can provide RTOS sizes and Callbacks
Calculator will show true Worst Case Sizes for user in their Analysis
Example for the Maximum Stack Depth Calculator
DDS_DataReader_read MAX (
  1056,
  864 + MSD(semTake),
  624 + MSD(strcmp),
  656 + MSD(memcpy),
  992 + MSD(semGive),
  656 + MSD(LISTENERS_DATAREADER_on_sample_lost),
  720 + MSD(LISTENERS_SUBSCRIBER_on_sample_lost),
  784 + MSD(LISTENERS_PARTICIPANT_on_sample_lost),
  224 + MSD(TYPE_PLUGIN_copy_sample),
  352 + MSD(strlen),
  448 + MSD(bcopy),
  496 + MSD(memalign),
  528 + MSD(bfill)
)
Slide annotations: RTOS Functions (e.g. semTake, semGive), User Provided Callback routines (the LISTENERS_* entries); MSD = Maximum Stack Depth
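To make the calculator's rule concrete, here is an added example in C, written for this page; it is not Verocel's vstkCalculator and not RTI code. It evaluates the MAX(...) expression above for DDS_DataReader_read using the frame offsets from the slide, takes the RTOS sizes and callback depths the user supplies as a lookup table, names the term that dominates, and refuses to produce a number while any term is still unresolved, since a bound with a missing callee is not a worst case at all. The sample MSD values for semTake, the listeners and the library routines are constructed for illustration and are not measurements.

```c
#include <stddef.h>
#include <string.h>

/* One unresolved call edge from the slide's DDS_DataReader_read entry: the
 * stack consumed on the path up to the call site, plus the callee's own
 * Maximum Stack Depth (MSD), which the user has to supply. */
typedef struct {
    const char *callee;
    long offset;            /* bytes used before the callee's frame, per slide */
} callee_edge_t;

/* Constant term and call edges exactly as listed on the slide. */
static const long kLeafDepth = 1056;
static const callee_edge_t kDataReaderReadEdges[] = {
    { "semTake", 864 }, { "strcmp", 624 }, { "memcpy", 656 }, { "semGive", 992 },
    { "LISTENERS_DATAREADER_on_sample_lost", 656 },
    { "LISTENERS_SUBSCRIBER_on_sample_lost", 720 },
    { "LISTENERS_PARTICIPANT_on_sample_lost", 784 },
    { "TYPE_PLUGIN_copy_sample", 224 }, { "strlen", 352 }, { "bcopy", 448 },
    { "memalign", 496 }, { "bfill", 528 },
};
#define EDGE_COUNT (sizeof kDataReaderReadEdges / sizeof kDataReaderReadEdges[0])

/* User-supplied MSD for an RTOS function, library routine or callback. */
typedef struct {
    const char *name;
    long msd;
} msd_entry_t;

static long lookup_msd(const msd_entry_t *table, size_t count, const char *name)
{
    for (size_t i = 0; i < count; i++) {
        if (strcmp(table[i].name, name) == 0) {
            return table[i].msd;
        }
    }
    return -1;   /* not provided */
}

/* Evaluate MAX(leaf, offset_i + MSD(callee_i)). Returns the worst case and
 * names the dominating term in *dominant ("" when the constant term wins).
 * Returns -1, with *missing set, if any callee has no MSD: an expression with
 * an unresolved term is not a bound, so no number is produced for it. */
long max_stack_depth(const msd_entry_t *user, size_t user_count,
                     const char **dominant, const char **missing)
{
    long worst = kLeafDepth;
    const char *worst_name = "";

    if (missing) *missing = NULL;
    for (size_t i = 0; i < EDGE_COUNT; i++) {
        long msd = lookup_msd(user, user_count, kDataReaderReadEdges[i].callee);
        if (msd < 0) {
            if (missing) *missing = kDataReaderReadEdges[i].callee;
            return -1;
        }
        long total = kDataReaderReadEdges[i].offset + msd;
        if (total > worst) {
            worst = total;
            worst_name = kDataReaderReadEdges[i].callee;
        }
    }
    if (dominant) *dominant = worst_name;
    return worst;
}

/* Constructed sample inputs: illustrative sizes, not measurements. */
static const msd_entry_t kSampleSizes[] = {
    { "semTake", 256 }, { "semGive", 256 },              /* RTOS calls */
    { "strcmp", 64 }, { "memcpy", 96 }, { "strlen", 48 }, { "bcopy", 96 },
    { "memalign", 320 }, { "bfill", 96 }, { "TYPE_PLUGIN_copy_sample", 128 },
    { "LISTENERS_DATAREADER_on_sample_lost", 400 },      /* user callbacks */
    { "LISTENERS_SUBSCRIBER_on_sample_lost", 400 },
    { "LISTENERS_PARTICIPANT_on_sample_lost", 400 },
};
#define SAMPLE_COUNT (sizeof kSampleSizes / sizeof kSampleSizes[0])

long example_worst_case(void)
{
    return max_stack_depth(kSampleSizes, SAMPLE_COUNT, NULL, NULL);
}

const char *example_dominant_callee(void)
{
    const char *dominant = NULL;
    max_stack_depth(kSampleSizes, SAMPLE_COUNT, &dominant, NULL);
    return dominant;
}

/* Same table with the participant listener left out: the calculator must
 * refuse rather than silently treat the missing callback as zero bytes. */
const char *example_missing_callee(void)
{
    const char *missing = NULL;
    long result = max_stack_depth(kSampleSizes, SAMPLE_COUNT - 1, NULL, &missing);
    return result == -1 ? missing : NULL;
}
```

With the constructed sizes the bound is 1248 bytes, driven by the semGive path (992 + 256), even though the listener callbacks are the larger callees; that is the point of reporting the dominating term, since it tells the analyst which user-supplied figure the bound is most sensitive to.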
Structural Coverage Analysis
• At machine code level
• Without instrumentation
• Using requirements-based test only
Structural Coverage Analysis Summary Report: TEST COVERAGE RATE 99.91%
VEROCODE COVERAGE SUMMARY
Coverage | Lines | Rate
Complete | 84573 | 99.88%
Partial  |    56 | 0.07%
Missing  |    44 | 0.05%
Total    | 84673 |
Build and Test Support for User
Build and Test Support
• Build Support
  – Build Headers and Makefiles
  – Build Scripts
• Certified Source Files
  – CRC Log File -- librti_me_certz_a.txt
• Certification Data Package Support Scripts
  – CDPFetchItems.bat -- CDPFetchItems.bat
  – CDPItems.csv -- CDPItems.csv
  – installCDPItems.bat -- installCDPItems.bat
  – installCDPRTIItems.bat -- installCDPRTIItems.bat
Allows a user to rebuild the executable image and check that it is the same
Test Results – all hyperlinked
• Control Coupling
  – Control Coupling Results
  – Control Coupling Summary -- vxworks.xml
  – Control Coupling Summary - Annotated -- vxworks_annotated.xml
  – Control Coupling Summary Stylesheet -- VerOLink.xsl
• Coverage
  – Coverage Analysis -- TR_Summary_Report.xml
  – Coverage Analysis StyleSheet -- TR_Summary_Report.xsl
  – Coverage Result Stylesheet -- FR_display.xsl
  – Coverage Summary -- CovSummary.html
• Functional
  – Functional Test Result Checklist -- FTR_ConMicro_Checklist_20150824.doc
  – Functional Test Result Stylesheet -- FR_display.xsl
  – Test Run Summary -- TR_Summary_Report.xml
  – Test Run Summary Stylesheet -- TR_Summary_Report.xsl
Test Support
• Application Header Files
• BSP Build Files
• Build Binaries
• Test Harness Files
• Test Scripts
• Test_Utilities
  – Dedicated
  – General
• Tools
  – CRC Tool -- VerCRC32.exe
  – VerOStack Calculator Tool -- vstkCalculator.exe
Allows a user to repeat the testing performed from the CDP
Checks the integrity of the binary image
Test Results on CDP
Test Result Summaries: Control Coupling, Coverage, Functional, Stack Analysis
Certification is Expensive
• Processes must be defined and followed
• Objectives must be met, and Activities completed
• All must be documented
• Code must be clean
  – Traceable
  – Testable
  – No dead code
  – Deterministic in time and memory
• Code must be written for certifiability
• Software must be recertified when changed
Reducing Certification Costs
• Minimize code that has to be certified
  – Replace custom code with COTS code that already has certification evidence
  – Reduce and simplify application logic
• Decouple software modules and subsystems
  – Isolate changes
  – Minimize recertification effort as systems evolve
Customer Example: SRC
“SRC, Inc. is designing, integrating and testing a DO-178C Level B system of systems across VxWorks, Linux and QNX using RTI's DO-178C Level A Connext DDS Cert and Connext DDS products. Each system installation contains up to 32 subsystems that all communicate via DDS in real time. A portion of the subsystems are co-located with the rest located miles away. We are successfully using RTI DDS for our inter-process and inter-subsystem communications, recording, and in our DO-178C automated test environment that runs on Windows. Having RTI's Connext DDS Cert product available allows us to move forward with our certification efforts with system deployment scheduled in 2016!”
Connext DDS Cert Can Save $MM
• Replaces 10,000s lines of application code
• Simplifies remaining application logic
• Eases integration via well-defined interfaces
  – Including safety-critical and non-critical components
• Minimizes changes and re-certification as systems evolve
  – Apps decoupled from underlying port, proximity
  – Apps isolated from changes in others
• Provides off-the-shelf certification evidence
• Proven DO-178C certifiability
rti.com/downloads
Start using DDS Today! Download the FREE complete RTI Connext DDS Pro package for Windows and Linux:
• Leading implementation of DDS
• C, C++, C#/.NET and Java APIs
• Tools to monitor, debug, test, visualize and prototype distributed applications and systems
• Adapters to integrate with existing applications and IT systems