Commercial Off-the-shelf (COTS) Integrated Circuits: Legends & Myths
Peter Skaves, FAA Software & Avionics
Complex Hardware Conference, July 28, 2005
(34 slides)

Slide 2: Briefing Objectives
COTS Integrated Circuits presentation overview:
- Aircraft Avionics Design Assurance Process
- COTS Integrated Circuits & Applicability
- COTS Products Legends & Myths
- COTS Integrated Circuits & Aircraft Computers
- COTS Integrated Circuit Functional Hazard Assessment (FHA)
- Redundancy & Fault Handling
- Federated Systems vs. Integrated Modular Avionics
- Built-In-Test Equipment (BITE)
- Numerical Analysis Limitations
- Discussion and wrap-up

Slide 3: Avionics Design Assurance Process

Slide 4: The Airplane System Design Assurance Process
[Diagram of airplane system interfaces; recoverable labels: VHF Antenna, SATCOM Antenna, Sensor Input, Security]
Examples of airplane systems certification rules and guidance:
- FAR 25.1301 “General Requirements for Intended Function”
- FAR 25.1309 “Equipment Systems and Installation”
- AC 20-115B “Invokes RTCA DO-178B Software Guidance”
- System Safety Assessment (SSA) Process (e.g., SAE ARP 4761, Guidelines and Methods for Conducting the Safety Assessment Process on Civil Airborne Systems & Equipment)

Slide 5: Aircraft Regulations for Integrated Circuits & Avionics Systems
- FAR 25.1301(a) requires that each item of installed equipment be of a kind and design appropriate to its intended function
- FAR 25.1309(a) requires that equipment must be designed to ensure that they perform their intended functions under all foreseeable conditions

Slide 6: Aircraft Avionics Design Assurance
- The certification process includes:
  - System description of the intended function
  - Safety, Performance and Interoperability description
  - Functional Hazard Assessment (FHA)
- FHA is used in part to assess both normal operations and failure mode effects
- The certification process for avionics systems includes numerical analysis of failure rates, which are based on aircraft flight hours
- As an example, a failure classification of “Major” is equivalent to not more than one failure per 100,000 flight hours per aircraft

Slide 7: Use of COTS Integrated Circuits for the Planet & Aircraft Certification

Slide 8: COTS Integrated Circuits
- Used in many commercial applications:
  - Home Computers
  - Home Appliances
  - Television sets
  - Automobiles
  - Video Games
  - Pinball Machines
  - Medical Equipment
  - Cell Phones
  - Stereo Systems
  - Test Equipment
  - Airplanes
  - Trains
- Manufacturers include:
  - Texas Instruments
  - LSI Logic
  - Advanced Micro Devices
  - Motorola

Slide 9: COTS Products Legends & Myths

Slide 10: Definition of Legend
- An unverified popular story handed down from earlier times
- A body or collection of such stories

Slide 11: Definition of Myths
- A fiction or half truth, or one that forms part of the ideology of a society (e.g., Star Trek)

Slide 12: Avionics System & COTS Integrity: Legend or Myth?
- COTS hardware & software components embedded in aircraft avionics systems do not meet the “intended function”
  - Legend or Myth?

Slide 13: COTS Integrated Circuits Design Issues
- Intended Function
  - Service History
  - Quantity of parts (e.g., mass produced or limited production)
  - Design mitigation(s) for fault handling
  - Revision update rate & configuration control
  - Failure effect classification
- Reliability
  - Prediction of integrated circuit failure rates
  - Assessment of failure effect at the component and system level
- Environmental Test Conditions and Test Procedures for Airborne Equipment (e.g., RTCA DO-160(x))
  - Integrated Circuit component level
  - Avionics System level

Slide 14: Integrated Circuits & Aircraft Computers
- COTS versus Custom Integrated Circuits:
  - COTS integrated circuits were not specifically designed for aircraft applications (e.g., COTS Microprocessors)
  - Approximately 95% of the integrated circuits used in airplane applications are COTS based products
  - Custom integrated circuits (e.g., Application Specific Integrated Circuits (ASIC) & Programmable Logic Devices (PLD)) are specifically designed for aircraft applications
- Hardware Life Cycle Data per RTCA/DO-254
  - In general, COTS integrated circuits do not have the life cycle data to satisfy the objectives in RTCA/DO-254
  - Summary: “Alternate methods or processes to ensure that COTS integrated circuits perform their intended function and meet airworthiness requirements are required”

Slide 15: Military Standard for Integrated Circuits
- Military Specifications for integrated circuits:
  - Generally address “Environmental Conditions and Test Procedures for Airborne Equipment”
  - Temperature, vibration, moisture, shock testing, etc.
  - Improved manufacturing standards and hardware reliability
- Hardware Life Cycle Data per RTCA/DO-254
  - In general, integrated circuits developed to Military Standards do not have the life cycle data to satisfy the objectives in RTCA/DO-254
  - Summary: “Alternate methods or processes to ensure that integrated circuits developed to Military Standards perform their intended function and meet airworthiness requirements are required”

Slide 16: Custom Integrated Circuits
- Application Specific Integrated Circuits (ASIC)
  - Custom integrated circuits that are usually developed and manufactured by a vendor for specific airplane applications
  - Usually RTCA/DO-254 and RTCA DO-160(x) compliant
  - ASIC integrated circuits are very expensive and may cost $1,000 or more per device
- COTS Field Programmable Logic Devices
  - Avionics manufacturers typically buy and write programs for the programmable logic devices
  - Typical cost of these integrated circuits is $40
  - Avionics manufacturers are responsible for programming devices and associated costs
  - Programming process is usually RTCA/DO-254 compliant

Slide 17: COTS Graphical Processors (CGP)
- May be used in Flight Deck Displays
- The failure contribution of the CGP must be mitigated by system architecture for Hazardous or Catastrophic failure conditions
- Mitigation strategy should include protection mechanisms and fault handlers
- Loss of function should be mitigated by redundancy
- Common mode failure conditions may require independent back-up systems
- Wrap around and monitoring tests for output validation
- Configuration management and part number control
- RTCA/DO-254 may be used for custom CGP

Slide 18: COTS Graphical Processors Policy
- The Transport Airplane Directorate has published an Issue Paper on means of compliance for Graphical Processors for a specific project
- The Issue Paper was coordinated with Washington Headquarters and is consistent with the Advisory Circular for RTCA DO-254
- Development of National Policy for CGP across all aircraft models is in progress

Slide 19: Integrated Circuit Functional Hazard Assessment
- The airplane avionics system design must include a mitigation strategy for integrated circuit failures
  - Common-mode integrated circuit failures should be limited to a “major” failure effect
  - Single point integrated circuit failures should be limited to a “minor” failure effect classification
- If single point or common mode integrated circuit failures are determined to be “hazardous” or “catastrophic”, then the design is not acceptable
  - Design does not meet FAR 25.1309

Slide 20: Avionics System Failure Classification Cost Impact
- Functional Hazard Assessment (FHA)
  - “Minor” vs. “Major” failure classification (What’s the big deal?)
  - “Minor” failure rate should not exceed one error per 1,000 flight hours
  - “Major” failure rate should not exceed one error per 100,000 flight hours
- In summary:
  - “Major” classification requires an improvement in the order of “100 times better”
  - Hazardous: multiply by another factor of “100”
  - Catastrophic: multiply by another factor of “100”
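The budget arithmetic on this slide, worked through as an added example that is not part of the deck: given a per-channel failure rate, how many identical channels are needed to reach each failure-condition budget, and why a common-mode fraction caps what redundancy can achieve (the point slides 23 and 28 make about independent back-up systems). The beta-factor common-mode model, the one-hour exposure and the 1e-4 channel rate are assumptions, not figures from the deck.

```python
# Added illustration, not from the deck. Per-flight-hour model that assumes
# channel failures are independent except for a common-mode fraction `beta`
# (beta-factor model) and that latent faults are cleared by BITE each flight.

# Failure-condition budgets from the deck: maximum probability per flight hour
BUDGET = {
    "minor": 1e-3,          # one per 1,000 flight hours
    "major": 1e-5,          # one per 100,000 flight hours (100 times better)
    "hazardous": 1e-7,      # another factor of 100
    "catastrophic": 1e-9,   # another factor of 100
}
SEVERITY_ORDER = ["catastrophic", "hazardous", "major", "minor"]


def loss_rate(channel_rate, channels, beta=0.0):
    """Probability per flight hour of losing every channel.
    channel_rate: per-channel failure rate per flight hour
    channels:     number of redundant channels (1 = single strand)
    beta:         fraction of channel failures that are common mode, i.e.
                  take out all channels at once"""
    independent = ((1.0 - beta) * channel_rate) ** channels
    common_mode = beta * channel_rate
    return independent + common_mode


def worst_allowed_severity(rate):
    """Most severe failure condition this loss rate could be certified for,
    or None if it does not even meet the 'minor' budget."""
    for severity in SEVERITY_ORDER:
        if rate <= BUDGET[severity]:
            return severity
    return None


def channels_needed(channel_rate, severity, beta=0.0, max_channels=4):
    """Smallest channel count meeting the budget for `severity`, or None when
    the common-mode term alone exceeds it: adding identical channels cannot
    fix that, an independent (dissimilar) back-up is needed instead."""
    if beta * channel_rate > BUDGET[severity]:
        return None
    for n in range(1, max_channels + 1):
        if loss_rate(channel_rate, n, beta) <= BUDGET[severity]:
            return n
    return None


if __name__ == "__main__":
    # Constructed numbers: a 1e-4 per-hour channel, without and with 1% common mode
    for beta in (0.0, 0.01):
        for n in (1, 2, 3):
            rate = loss_rate(1e-4, n, beta)
            print(f"beta={beta} channels={n} rate={rate:.2e} -> {worst_allowed_severity(rate)}")
```

With 1% common mode, three channels of a 1e-4 part still only reach the “major” budget, which is why the deck pairs redundancy with independent back-up systems for hazardous and catastrophic conditions.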

Slide 21: Aircraft Avionics COTS Examples
- Examples of COTS products used in aircraft avionics systems:
  - COTS Hardware Components (Chassis Components, Connectors, Motherboard)
  - COTS Integrated Circuits (e.g., Simple & Complex Devices, Firmware)
  - COTS Micro-Processors
  - Gate Arrays
  - I/O handlers
- Historically, the failure contribution of COTS products has been addressed at the “system level” during the Aircraft Certification design assurance process
- Fault handling, Fail Safe Designs, and Avionics Architecture should be used to mitigate COTS hardware failure conditions

Slide 22: Contributing Factors for Avionics “Intended Function”
- There are many contributing factors to ensure that avionics systems meet their intended function:
  - Airplane Requirements
  - System interfaces
  - System Architecture & Redundancy
  - Dissimilar Back-Up Systems
  - Hardware Components (e.g., integrated circuits)
  - Software programs
- The software process by itself does not ensure that the avionics systems meet their intended function

Slide 23: Redundancy & Fault Handling
- Avionics Hardware / Software Redundancy & Fault Handling:
  - Common mode failures may require independent back-up systems
  - Examples of independent back-up systems include Standby Flight Instruments or mechanical backup systems
  - Typically dual or triple channel
  - Voting planes are used to detect and isolate various sensors and aircraft interface inputs
  - Built-in Test Equipment (BITE) software used for internal computer validity checks (e.g., Memory, CPU)

Slide 24: Federated System Architecture
- Triplex Redundancy: Flight Control Systems, with independent Backup system
- Dual Redundancy: Flight Management Computers
- Single Strand: ACARS Communication System

Slide 25: Federated Avionics Computer Architecture
- Computer Architecture
  - CPU
  - Program Memory (e.g., Flight Control Software)
  - RAM Memory
  - Digital Busses (e.g., ARINC 429)
  - Discrete I/O
  - Variable Analog
  - Power Supply
  - Chassis
- Strengths
  - Isolation of faults
  - Failure analysis and fault detection are enhanced
- Weaknesses
  - Duplication of hardware resources
  - Dedicated airborne software program for each avionics computer

Slide 26: Integrated Modular Avionics (IMA) Computer Resource
- Computer Architecture
  - CPU
  - Memory Management Units
  - RAM Memory
  - Digital Busses (e.g., ARINC 429)
  - Discrete I/O
  - Variable Analog
  - Power Supply
  - Chassis
- Strengths
  - Shared Hardware Resources
  - Software programs are “swapped” and execute concurrently on the same computer platform
- Weaknesses
  - Failure analysis, fault detection & isolation of faults are more difficult
  - Common mode fault vulnerability

Slide 27: IMA Notional Diagram
[Diagram; labels: Flight Deck Displays, Shared Hardware Resources, Multiple Application Programs]
Example: TWO cabinets replace over 50 Federated Systems

Slide 28: Common Mode Failure Mitigation Examples
- Boeing 777 Fly-by-Wire Flight Control architecture
  - Three digital Flight Control Computers
  - Analog back-up system to mitigate generic common mode faults
- C-17 Cargo Airplane
  - Fly-by-Wire Flight Control System
  - Full Mechanical Back-up
- Boeing 737/747/757/767 Series Airplanes
  - Do not require electric power for continued safe flight and landing, with the exception of the battery backup bus for the Standby Flight Instruments
  - Full mechanical backup Flight Control System

Slide 29: Built-in Test Equipment (BITE)
- Examples of typical avionics BITE functions used to detect and mitigate system failure conditions:
  - Power on (long power interrupt) BITE
  - Warm restart (short power interrupt) BITE
  - Continuous or periodic BITE
  - Initiated or maintenance BITE
- BITE checks are designed to detect system errors, including COTS integrated circuit errors

Slide 30: BITE Test Case Examples
- Random Access Memory (RAM) Tests
- Program Memory (PMEM) Checksum Tests
- CPU register tests
- Analog Signal wraparound tests
- Discrete Signal wraparound tests
- Digital data link activity and integrity checks
- Airplane Interface checks
- Cross Channel Data Link (CCDL) checks
- Voting Plane checks
- Signal Range checks
- Signal Validity checks
- Signal Activity checks

Slide 31: Redundancy & Voting Planes
- Redundancy & voting planes are the backbone of avionics system availability & integrity
  - 40% of certain Flight Control Computer software is BITE related
  - 20% of certain Flight Control Computer software is related to the voting plane
  - Triplex Flight Control Computers compare thousands of pieces of information per second
  - Architecture is designed to use different sensor, power and avionics computer inputs to eliminate single point failures
  - Internal & External BITE performs checks during all flight phases
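How a voting plane (slides 23 and 31) and the signal validity and miscompare checks listed on slide 30 fit together, as an added illustration that is neither the deck's nor any flight control computer's code: a triplex mid-value voter that counts consecutive miscompares per channel and isolates a channel once the miscompare persists. The tolerance, the persistence limit, the dual-mode selection rule and the sample frames are constructed values.

```python
# Added illustration, not from the deck; constants and frames are constructed.
MISCOMPARE_LIMIT = 3   # consecutive bad frames before a channel is isolated


class VotingPlane:
    """Triplex mid-value-select voter with persistence-based channel isolation."""

    def __init__(self, tolerance):
        self.tolerance = tolerance        # allowed deviation from the voted value
        self.miscompares = [0, 0, 0]      # consecutive miscompare count per channel
        self.isolated = set()             # channels removed from the vote
        self.last = None                  # previous voted value, used in dual mode

    def vote(self, samples):
        """samples: three channel values; None means the validity check failed.
        Returns (voted value or None, channels isolated as of this frame)."""
        healthy = [i for i in range(3)
                   if i not in self.isolated and samples[i] is not None]
        values = sorted(samples[i] for i in healthy)
        if not values:
            voted = None                            # total loss of the signal
        elif len(values) == 3:
            voted = values[1]                       # mid-value select masks one outlier
        elif len(values) == 2 and self.last is not None:
            # dual mode cannot out-vote a bad channel; keep the value nearest
            # the last good output so a runaway channel does not drag it
            voted = min(values, key=lambda v: abs(v - self.last))
        else:
            voted = sum(values) / len(values)
        for i in range(3):
            if i in self.isolated:
                continue
            bad = samples[i] is None or (
                voted is not None and abs(samples[i] - voted) > self.tolerance)
            self.miscompares[i] = self.miscompares[i] + 1 if bad else 0
            if self.miscompares[i] >= MISCOMPARE_LIMIT:
                self.isolated.add(i)                # persistent miscompare: isolate
        if voted is not None:
            self.last = voted
        return voted, set(self.isolated)


def run_frames(frames, tolerance=2.0):
    """Feed successive sample frames through one voter; return per-frame results."""
    plane = VotingPlane(tolerance)
    return [plane.vote(frame) for frame in frames]


# Constructed frames: channel 2 runs away from frame 2, channel 1 goes invalid at frame 5
FRAMES = [
    (100.0, 101.0, 100.0),
    (100.0, 101.0, 150.0),
    (100.0, 101.0, 150.0),
    (100.0, 101.0, 150.0),
    (100.0, None, 99.0),
]
```

The runaway channel is masked by the mid-value select for three frames and then isolated; once the plane is down to two valid channels it can no longer out-vote a bad one, which is the case the deck addresses with independent back-up systems.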

Slide 32: Numerical Analysis Limitations
- We are unable to use mathematics to determine numerical probabilities for software or complex hardware failure rates
- Redundancy and back-up systems should be used to mitigate numerical probability limitations
  - Failure rates are based on aircraft flight hours and do not include the software or complex hardware error contribution
  - Based on historical knowledge, avionics safety related errors are predominantly requirements based

Slide 33: Design Approval Process Summary
- The aircraft avionics development process has produced an excellent safety record
- However, the complexity of avionics systems and software programs is increasing exponentially (e.g., integrated modular avionics)
- FAA should develop policy to aid in standardization of:
  - Complex avionics systems and fault mitigation
  - Alternate methods or processes to ensure that COTS integrated circuits perform their intended function and meet airworthiness requirements
  - If single point or common mode integrated circuit failures are determined to be “hazardous” or “catastrophic”, then the design is not acceptable

Slide 34: Questions & Wrap-Up
- Send your questions to me at:
  - peter.skaves@faa.gov
  - Telephone (425) 227-2795
- Thank you for your assistance!!!