Reducing Certification Granularity to Increase Adaptability of Avionics Software
📝 Abstract
A strong certification process is required to ensure the safety of airplanes, and more specifically the robustness of avionics applications. To implement this process, the development of avionics software must follow long and costly procedures. Most of these procedures have to be re-executed each time the software is modified. In this paper, we propose a framework to reduce the cost and time impact of a software modification. With this new approach, the piece of software likely to change is isolated from the rest of the application, so it can be certified independently. This helps the system integrator adapt an avionics application to the specificities of the target airplane, without the need for a new certification of the application.
📄 Content
REDUCING CERTIFICATION GRANULARITY TO INCREASE ADAPTABILITY OF AVIONICS SOFTWARE
Martin Rayrole, David Faura, Marc Gatti, Thales Avionics, Meudon la Forêt, France
Abstract
A strong certification process is required to ensure the safety of airplanes, and more specifically the robustness of avionics applications.
To implement this process, the development of avionics software must follow long and costly procedures. Most of these procedures have to be re-executed each time the software is modified.
In this paper, we propose a framework to reduce the cost and time impact of a software modification. With this new approach, the piece of software likely to change is isolated from the rest of the application, so it can be certified independently. This helps the system integrator adapt an avionics application to the specificities of the target airplane, without the need for a new certification of the application.
Introduction
The Integrated Modular Avionics (IMA) principles offer the possibility to host several avionics software applications in a single avionics module, by using the partitioning properties specified in avionics standards such as ARINC 653 [1]. These principles reduce the space, weight and power consumption of avionics equipment, but they increase the interference between applications.
This interference makes certification more complex, because one has to prove that an application failure cannot propagate to another application on the same module. This additional certification work is significant because, as presented in [2], the impact of IMA on the certification process concerns most of the functional domains of an avionics platform.
In this paper, we propose a framework to reduce this additional certification work. The proposed framework allows a piece of software to be isolated from the rest of the application. At run time, a mechanism guarantees strong (space and time) partitioning between these two parts of the application. These properties offer the possibility to modify and re-certify the isolated piece of software without re-certifying the rest of the application.
A New Approach for Building Avionics Applications
With the "state of the art" technologies, the certification of software requires the entire source code to be frozen before the software is delivered to a system integrator. No additional source code can be added to certified software without re-launching the certification process for this software. To deal with this constraint, two solutions are used to adapt a software behavior to the integration context: defining configuration data, and using incremental certification.
Configuration Data
Some configuration data can be defined by the avionics application supplier to select the software behavior among a set of pre-defined behaviors. Configuration data are easy for the system integrator to use, but they are limited to the tuning capabilities that were foreseen in detail during the software development phase.
Incremental Certification
Incremental certification is an efficient solution to deal with the certification complexity of IMA. The incremental certification mechanisms allow the avionics platform and each of the partitions hosted on it to be certified independently. Thanks to these mechanisms, one partition can be modified in order to be adapted to a particular context, without affecting the certification of the other partitions hosted in the same computer.
The properties of incremental certification can be used to isolate two sub-parts of an avionics application: the piece of software likely to change can be run in an additional partition. The application is then composed of two partitions that communicate through inter-partition communication mechanisms.
The creation of an additional partition offers good capabilities to adapt the software behavior, but it is heavy to implement and not suited to small pieces of code.
Proposed Approach
The proposed approach offers wide capabilities to adapt an avionics application, with a minimum impact on the certification work.
For that, a new framework is defined. This framework offers the capability to modify a software behavior by adding a piece of source code, which can be certified independently from the software.
This source code is compiled with a certified macro-compiler, and data-loaded onto the embedded avionics computer (called the "target platform"). During the target platform startup procedure, the compiled file is checked to verify its compatibility with the platform configuration. At run time, the compiled file is read, interpreted and executed inside a container, which guarantees strong memory and time segregation between the execution of the compiled file and the other platform activities.
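As an added sketch (not code from the paper or from Thales), the following Python models the two gates the framework describes: a startup compatibility check of the compiled file against the platform configuration, and an interpreter that runs the file inside a container enforcing a fixed memory arena and an instruction budget. The file layout, opcodes and configuration values are constructed for the example; a real macro-compiler output would differ.

```python
import hashlib
import struct
PLATFORM_CONFIG = {"platform_id": 7, "abi_version": 2}  # constructed example configuration
HEADER_LEN = 8 + 32  # packed ">HHI" fields + SHA-256 digest of the code

def build_compiled_file(platform_id, abi_version, code):
    """Hypothetical compiled-file layout: header, code digest, then the code itself."""
    header = struct.pack(">HHI", platform_id, abi_version, len(code))
    return header + hashlib.sha256(code).digest() + code

def check_compatibility(blob, config):
    """Startup check: header must match the platform configuration and the code must be intact."""
    if len(blob) < HEADER_LEN:
        return False
    pid, abi, length = struct.unpack(">HHI", blob[:8])
    digest, code = blob[8:HEADER_LEN], blob[HEADER_LEN:]
    if (pid, abi) != (config["platform_id"], config["abi_version"]):
        return False
    return len(code) == length and hashlib.sha256(code).digest() == digest

class ContainerFault(Exception):
    pass  # raised when the interpreted code leaves its space or time budget

def run_in_container(blob, max_steps, mem_words):
    """Interpret 2-byte instructions (opcode, operand) over a fixed arena with a step budget."""
    code, mem = blob[HEADER_LEN:], [0] * mem_words  # the arena is the only memory reachable
    acc, pc, steps = 0, 0, 0
    while True:
        steps += 1
        if steps > max_steps:  # time segregation: bounded instruction count
            raise ContainerFault("time budget exceeded")
        if pc + 1 >= len(code):
            raise ContainerFault("execution ran off the end of the code")
        op, arg = code[pc], code[pc + 1]
        pc += 2
        if op in (0x02, 0x03) and arg >= mem_words:  # space segregation: arena bounds
            raise ContainerFault("memory bound violated")
        if op == 0x01:   acc = arg                      # LOAD imm
        elif op == 0x02: acc = (acc + mem[arg]) & 0xFF  # ADD mem[arg]
        elif op == 0x03: mem[arg] = acc                 # STORE mem[arg]
        elif op == 0x04: pc = arg                       # JMP addr
        elif op == 0x05: return acc, mem                # HALT
        else: raise ContainerFault("illegal opcode %#x" % op)

def deploy(blob, config=PLATFORM_CONFIG, max_steps=1000, mem_words=8):
    """Startup gate followed by contained execution; returns a verdict instead of raising."""
    if not check_compatibility(blob, config):
        return ("rejected", "incompatible or corrupted compiled file")
    try:
        return ("ok", run_in_container(blob, max_steps, mem_words)[0])
    except ContainerFault as exc:
        return ("fault", str(exc))
```

A file built for another platform or tampered with after compilation never reaches the interpreter, and a file that loops forever or indexes outside its arena is stopped without touching the rest of the platform.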
In the next chapters, we will present the proposed framework. Then we will describe the two main tools that support the