26-27 september 2000atn2000 (london)1 certifiable software for the atn making atn a reality…now…...

26-27 September 2000

ATN2000 (London) 1

Certifiable Software for the ATN

Making ATN a reality…now…

Presented by Forrest ColliverACI General Manager

26-27 September 2000 ATN2000 (London) 2

The Nature of Portable Communications

Software

What is portable software ?Software quality and the ATN…How is portable ATN software developed ? Methodologies Quality Standards

How is portable software used ? By whom ?ACI’s Portable & Certifiable ATN Software


What is “portable software”?Types of Software

Ready-to-run binary end-user software Examples: personal computer software, game software,

etc. For consumption by individual or organizational end-users Plug and play operation

Portable binary library or source code software Examples: linkable object modules (databases, interfaces,

etc.) or source code (protocols, drivers, or other code requiring adaptation to platforms & operating systems)

For consumption by manufacturers or sophisticated end-users having in-house information technology support

Usable after integration in & customization for target platform

Although used in different contexts, both may be called “commercial off-the-shelf” (COTS) software


What is “portable software”?Why use Portable

Software?Manufacturer’s perspective

Non-recurring cost reduction: no need for redevelopment of commercially available code; no opportunity cost where internal resources could be better applied to other projects

Lifecycle cost reduction: portable modules warranted and maintained by software vendor

Risk reduction: Pre-tested software modules are ready to integrate Portable software can be supplied with certification artifacts Facilitates earlier delivery of manufacturers’ products to

market

End-user’s perspective Reduced end-user pricing; more competitive products Improved confidence: “Intel-inside” effect

Factors above contribute to what should essentially be a “make/buy” decision by manufacturer


Software Quality & the ATNThe architecture can

offer…ATN architecture was created for support of both safety-critical ATS and AOC applications

Controller/pilot communications (ATS), e.g. clearances Controller/controller communications (ATS), e.g. handoff Airline dispatch/pilot communications (AOC), e.g. re-routing

How? Integrity Assurance via protocol design

“what is received is what was sent” Enhanced Availability via routing architecture

“information transferred end-to-end in a timely manner”

Remember: key role of the ATN is to manage mission-critical communication resources & message traffic


Software Quality & the ATN…but software must

deliverAccordingly, mission-critical application of ATN protocols demands software design & quality assurance consistent with “Essential” systems

Rationale: undetected integrity/availability failures may contribute to operational errors and/or lead to unacceptable dispatch/controller/pilot work-load

RTCA DO-178B provides software development guidelines for Level C, to meet “Essential” systems requirementsACI’s approach to problem…

To ensure ATN software mission-readiness…all ACI RRI/ASE software conforms to DO178B Level C guidelines


How is ACI’s software developed ?

Production MethodologyDO-178B Level C

Constitutes the norm for “essential” avionics systems ACI offers full development & documentation compliance

includes configuration management & quality assurance aspects

Maximizes certification credit by optimizing certification effort during portation process, using supplied certification artifacts

MIL-STD-498 FAA and other US government users specify MIL-STD-498

development methodology & lifecycle compliance for mission-critical software & systems

Applied on both code development & documentation aspects

Complementary to DO 178B Level C



Lifecycle Functional View

System/SoftwareRequirements

SoftwareDesign

Code Generation, Unit Test & Integration

FunctionalRequirements

Formal TestExecution

Validation



Traceability of Requirements

Specifications

SDD

CODE

FRS

ICAO PICS/SARPs

S/SRS

VTCN

on-functional requirements

Perform

ance requirements

VTP

Testable requirements



Testing/Verification (1/2)

Software verification testing consists of two key components: Requirements-based testing (RBT)

Software tested against each requirement to ensure that it does what it is supposed to do and doesn’t perform any unintended functionality

Structural coverage analysis (SCA) Identifies code structures (at the instruction level

for DO 178B Level C) that are not exercised by the RBT

Ensures that every software instruction is required; i.e. has been invoked at least once



Testing/Verification (2/2)

Requirements at lowest level (SDD) completely cover higher level requirements

Requirements inspection process assures coverage

Computer Software Unit (CSU) tests ensure SDD requirement conformance

Inspection process assures that tests fully cover requirements

Test cases identify WHAT is to be tested Test procedures identify HOW the test will be performed

CSU tests cover both normal operations and evaluation of robustness under limit conditions

Check validity of external data prior to CSU importation Checks for validity of CSU arithmetic operations


Certifiable ATN Software Portable Building Blocks

Four RRI Component Builds Airborne Boundary Intermediate System (ABIS) Ground Boundary Intermediate System (GBIS) Airborne End System (AES) Ground End System (GES)

Four Application Service Element (ASE) Modules

Context Management (CM) Automatic Dependent Surveillance (ADS) Controller/Pilot Data Link Communication (CPDLC) Flight Information Service (FIS)


Certifiable ATN Software System Architecture

A irb o rn eE n dS y stem

A E S

G E S G B IS

G B IS

G E S

A B IS

A irb orn eB ou n d aryIn term ed ia teS ystem(m ob ile )

A ir /G rou n dB ou n d aryIn term ed ia teS ystem

G rou n d /G rou n dB ou n d aryIn term ed ia teS ystem

E n d S y stem E n d S y stem

G ro u n d N etw o rk

M o b ile N etw o rk

N etw o rkL ay er

N etw o rkL ay er

N etw o rkL ay er

D a ta L in kL ay er



P h y sica lL ay er

P h y sica lL ay er

P h y sica lL ay er

Tran sp ortL ay er

Tran sp ortL ay er

Tran sp ortL ay er

U p p erL ay ers

U p p erL ay ers

U p p erL ay ers

N etw o rkL a y er

N etw o rkL a y er

N etw o rkL a y er

D ata L in kL a y er



P h y sica lL a y er




Certifiable ATN Software Statistics

Each RRI build comprises between 60000 and 90000 source lines of DO 178B Level C code AES/GES: 63000/75000 ABIS/GBIS: 87000/87000

Four ASEs together comprise between 60000 and 80000 source lines of code Airborne ASEs: order of 15000 each Ground ASEs: order of 20000 each

Approximately 5000 tested requirements overall


Certifiable ATN Software Component Architecture

NMA

HMI

SubnetDrivers

System Clock

OS

Syst

em E

nvir

onm

ent E

xcha

nge

SEI

Cor

e P

SE

LocalManager

UserPSE

RouterStack

Platform Custom ATN Portable ProductPackage Components

(shaded)User Processes

UserApplications

ATNApplications

ASEs


Certifiable ATN Software System Interfaces

H o stO p era tin g S y stem

1

1

1

1N o te : S y s tem In te r-ta sk C o m m u n ica tio n sa ) M e m o ry M a n a g e m e n tb ) T im e r M a n a g em e n t


Certifiable ATN Software Product Composition

Source software modulesDocumentation User's Guide Porting Guide Functional Requirement Specification (FRS) External Interface Control Document (EICD) Software Quality Assurance Plan (SQAP)

Validation test scripts & sequences System level CSCI level

DO 178B Level C Certification artifactsProducts pre-ported for UNIX/Streams environment


Certifiable ATN Software Product Support &

EvolutionRRI & ASE products under configuration & change management process

Operated by ATNSI & ACI as open process; ATN stakeholder interests and participation incorporated

Designed to allow incorporation of general problem reports (PRs) as well as ICAO PDRs, plus agreed product improvements, while respecting interoperability

Product Support Through end of warranty period (mid 2002): RRI/ASE

support assured by ACI under CCB process Following warranty: long-term RRI/ASE support

committed by ACI Member companies To-date: maintenance releases made at regular intervals,

following initial RRI/ASE product deliveries in February 2000


Certifiable ATN Software Certification Credit

Controversial subject Definitive approach awaits decisions by authorities

What is known: Structural Coverage Analysis credit likely based on FAA

analysis Requirement Based Test procedures and results comprise

part of product package; can be rerun as required by certification authorities

Validation Test procedures and results comprise part of product package; can be rerun as required by customer for acceptance testing

Conformance Test Suite (CTS) role; view of certification authorities not yet definitive

In any case, ACI software is designed to streamline, risk-reduce, & cost-reduce the certification process


Result: fit for purpose portable ATN software…

Product quality meets safety requirements, meets specifications, and reduces lifecycle costs

Formalized nature of DO-178B Level C development process leads to high overall product quality

Process facilitates change management & lifecycle support Production of required artifacts demonstrates compliance

and supports users of software products Full traceability of functions to design, to code, and to test

Full functional test coverage Verifies that all functions have been tested

Full structural test coverage Verifies that all code is executed


The significance of all this…

Portable software designed to mission-ready quality standards can reduce manufacturer cost & schedule risks, and can facilitate certificationATN software certifiable to DO 178B Level C has been in the field since February 2000, and will play a major role in the FAA CPDLC communication infrastructure, as well as in the products of the ACI partner companiesThis portable & certifiable software is available to 3rd parties under license, to provide the same benefits of cost and risk reduction, and to aid in bringing the ATN into service…TODAY


Aeronautical Communication International LLC

Who are we? What do we do?

ACI was formed in 1997 as a joint venture of Airsys-ATM, Honeywell International, Thomson-CSF Sextant & Sofréavia, all suppliers of CNS/ATM products & servicesACI was created to execute the ATN Router Reference Implementation (RRI) Project, under contract to ATNSIIn addition, ACI has financed a variety of ATN-related software developments and service activities:

Complementary Application/Management Software ATN standardization support (AEEC, IATA & ICAO) ATNSI CTS Program Support EUROCONTROL Petal II & CAERAF Program Support FAA Ground Router Architecture & Evaluation Support

ACI is currently engaged as a subcontractor to CSC on the FAA CPDLC Build I & Build I/A Programs


Aeronautical Communication International LLC

For more information …

Contact…Forrest Colliver, General [email protected]

Bob Kerr, Marketing & [email protected]

Or, visit the ACI web site at…www.aci-llc.com

26-27 september 2000atn2000 (london)1 certifiable software for the atn making atn a reality…now…...

Documents