Certifiable Production Code Development

Similar documents
AIRBORNE SOFTWARE VERIFICATION FRAMEWORK AIMED AT AIRWORTHINESS

The Verification Company. Software Development and Verification compliance to DO-178C/ED-12C

2010 The MathWorks, Inc. Model-Based Design for High Integrity Software and Hardware

SABRe : Supplier Problem Resolution Process. Supplier Briefing Pack. Problem Improvement Request (PIR) Rolls-Royce plc The information in this

Formal Methods in Aerospace: Constraints, Assets and Challenges. Virginie Wiels ONERA/DTIM

9. Verification, Validation, Testing

Model-Based Design for ISO Applications. April 2010

A Model-Based Reference Workflow for the Development of Safety-Critical Software

The Impact of Modelling and Simulation in Airbus Product Development

Safety Risks in an Airworthiness Organisation

Frontload the design, V&V and certification of software-intensive mechatronic systems by adopting the Digital Twin approach

DO-178B 김영승 이선아

SABRe Design & Development Process

Model-Based Design for High Integrity Software Development Mike Anthony Senior Application Engineer MathWorks Tucson, AZ USA

SABRe Design & Development Process

Model-Based Design with MATLAB and Simulink to shorten the design of a new infusion pump

Airborne Electronic Hardware Lessons Learned Panel National Software and Airborne Electronic Hardware (SW & AEH) Conference

Better power for a changing world

Brochure. About. Tools. Services. Where can we help? Our approach Why choose Rapita?

Brochure Services. About. Tools. »» Where can we help? »» Unit/system testing. »» Multicore timing services»» Our approach

SABRe : Inspection Processes. Supplier Briefing Pack.

Introduction to Simulink & Stateflow

ISTQB Sample Question Paper Dump #11

Roadmap towards autonomous ships

TEST I VIDAREUTVECKLINGEN AV GRIPENS AVIONIK- OCH MARKSTÖDSYSTEM

SABRe Design & Development Process

Temperature Measurement for Better Processes to Create Better Products and Services

A Cost-effective Methodology for Achieving ISO26262 Software Compliance. Mark Pitchford

2008 Presagis Canada Inc. All rights reserved. Presagis and VAPS are trademarks of Presagis Canada Inc. and/or its subsidiaries or affiliated

Deterministic Modeling and Qualifiable Ada Code Generation for Safety-Critical Projects

This document describes the overall software development process of microcontroller software during all phases of the Company Name product life cycle.

SABRe Briefs & Guidance

Automotive Safety and Security in a Verification Continuum Context

Developing Europe s nuclear supply chain

ISO Software Compliance with Parasoft: Achieving Functional Safety in the Automotive Industry

Building Executable Specifications using Model Based Design Chinmay Chinara Mahindra Research Valley Chennai

Verification and Validation Working agile when developing a complex and safety critical product

Results of the IEC Functional Safety Assessment

Integrated Computational Materials Engineering from a Gas Turbine Engine Perspective

A Wholly Owned Subsidiary of ENSCO, Inc.

Brochure Services. About. Tools. »» Where can we help? »» Unit/system testing. »» Software verification services»» Our approach

Integrating Functional Safety with ARM. November, 2015 Lifeng Geng, Embedded Marketing Manager

Making IoT / Industry 4.0 implementation a success through the alignment of culture, technology, strategy and people

Functional Safety Implications for Development Infrastructures

Measuring and Assessing Software Quality

Utilization of Simulink Verification and Validation (V&V) and Simulink Design Verifier (SDV) for HVAC Controls Software

Brochure Services. About. Tools. »» Where can we help? »» Unit/system testing. »» Software verification services»» Our approach

Development of AUTOSAR Software Components with Model-Based Design

SPACE. Independent software. Satellite communications, earth observation, navigation and positioning and control stations. indracompany.

Software verification services for aerospace. »» Unit and integration testing. »» Timing analysis and optimization»» System and acceptance testing

VHDL Introduction. EL 310 Erkay Savaş Sabancı University

Brochure Services. About. Tools. » Where can we help? » Unit/system testing. » Software verification services» Our approach

Model Driven Approaches to Firmware Development in Selex ES. 21 Jan. 2015

Using Employee Surveys to Measure and Improve Ethics and Compliance Programme Effectiveness

Work Plan and IV&V Methodology

Architectural Considerations for Validation of Run-Time Application Control Capabilities for Real-Time Systems

Applying Model-Based Design to Commercial Vehicle Electronics Systems

SUPPLIER WEBEX Resource Efficiency: Finding waste reduction opportunities

Organization-technical methods for development of on-board equipment based on IMA Koverninskiy Igor V., Kan Anna V. FGUP GosNIIAS

IEC Functional Safety Assessment

SOFTWARE DEVELOPMENT STANDARD

Airbus A350 CERTIFICATION REVIEW ITEM

Safety inside! ensured with technology

Verification & Validation of an Autonomous Quadcopter System

Design to Cost Updated on with Audiences Responses on 25 June 2010

Space Product Assurance

Certification of Safety-Critical Software Under DO-178C and DO-278A

PayFix An Automated Repair Package for Payments Processed Through Any CBT Software

High Level Tools for Low-Power ASIC design

Model-Driven Development of Integrated Support Architectures

14595: Model Based Engineering for Embedded Test Software Requirements Development

Architecture-led Incremental System Assurance (ALISA) Demonstration

MathWorks Vision for Systematic Verification and Validation

How to build an autonomous anything

Service Suppliers Engaged in Condition Monitoring of Machinery Onboard Ships and Mobile Offshore Units

Introduction To Software Testing. Brian Nielsen. Center of Embedded Software Systems Aalborg University, Denmark CSS

IATF - International Automotive Task Force IATF 16949:2016 Frequently Asked Question (FAQ)

IEC Functional Safety Assessment

La Modélisation et la Simulation au service de l Innovation

Using System Theoretic Process Analysis (STPA) for a Safety Trade Study

Sharing and Deploying MATLAB Programs

Autonomy Requirements for Smart Vehicles

Deliverables list for Projects in the fertilizer industry

IEC Functional Safety Assessment

Matthew Clark V&V of Autonomous Systems Autonomous Control Branch (AFRL/RQQA) Integrity Service Excellence

Changing the way the world thinks about software systems

Better power for a changing world

VectorCAST Presentation AdaEurope 2017 Advanced safety strategies for DO178C certification Massimo Bombino, MSCE

GAIA. GAIA Software Product Assurance Requirements for Subcontractors. Name and Function Date Signature 15/09/05 15/09/05 15/09/05 15/09/05 15/09/05

R214 SPECIFIC REQUIREMENTS: INFORMATION TECHNOLOGY TESTING LABORATORY ACCREDITATION PROGRAM

System-level Co-simulation of Integrated Avionics Using Polychrony durch Klicken bearbeiten

A Candid Industrial Evaluation of Formal Software Verification using Model Checking

What s New in MATLAB and Simulink

International Workshop on Maritime Autonomous Surface Ships and IMO regulations.

Development of Safety Related Systems

ENHANCED SYSTEM VERIFICATION (ESV)

Software Process 2/12/01 Lecture #

The Rise of Engineering-Driven Analytics. Richard Rovner VP Marketing

New Solution Deployment: Best Practices White Paper

Transcription:

Certifiable Production Code Development David Owens Rolls-Royce Control Systems 2017 Rolls-Royce plc and/or its subsidiaries The information in this document is the property of Rolls-Royce plc and/or its subsidiaries and may not be copied or communicated to a third party, or used for any purpose other than that for which it is supplied without the express written consent of Rolls-Royce plc and/or its subsidiaries. This information is given in good faith based upon the latest information available to Rolls-Royce plc and/or its subsidiaries, no warranty or representation is given concerning such information, which must not be taken as establishing any contractual or other commitment binding upon Rolls-Royce plc and/or its subsidiaries. Trusted to deliver excellence

Overview The Trent 7000 EMU is the first time that Rolls-Royce has gone through the DO-178C (ED-12C) certification process for certifying software in an airborne system using the Model Based Supplement DO-331 (ED-218) This presentation discusses the Model Based Design method used during the application software development and the MathWorks tools which enabled the workflow. 2

Contents Background What is the EMU What steps are required for DO-178C certification Development Process Model development from requirements Model verification activities Code production and verification Tool Qualification Future Enhancements Further tool adoption 3

Background 4

What is the EMU The EMU is the Engine Monitoring Unit Also known as the EVHMU Engine Vibration and Health Monitoring Unit. The unit has two primary functions:- 1. A high integrity partition which interfaces with the cockpit displays. 2. A engine health monitoring partition which sends data in the form of reports back to Rolls-Royce to feed into the TotalCare aftermarket service. 5

What is the EMU From 2006 to 2016: Hardware: Supplied by sub-tier supplier Cockpit Displays Software: Specified by Rolls-Royce, supplied by sub-tier supplier EHM Software : Engines fitted with EMUs: Trent900, 1000, XWB From 2016 onwards: Hardware: Specified by Rolls-Royce, supplied by sub-tier supplier Rolls-Royce Control Systems Cockpit Displays Software: Rolls-Royce Control Systems EHM Software: Rolls-Royce Control Systems Engines (to be) fitted with EMUs: All future Civil Large, and Medium Corporate engines A software development method which could deliver to the tight engine timescales was required: The solution:- Model Based Design 6

What is the EMU Aircraft level certification for large aeroplanes requires that:- An indicator to indicate rotor system unbalance is displayed to the pilot for turbo-jet engine-powered aeroplanes. [CS-25 directive 25.1305 d3] As the pilot makes decisions based on information provided by the EMU the HW and SW need to be developed to the appropriate Design Assurance Level (DAL). The EMU is designated as a DAL C unit as misleading indication could lead to increased pilot workload and as such it must be certified by EASA against the standard Software Considerations In Airborne Systems and Equipment Certification also known as DO-178 (ED-12) 7

What steps are required for DO-178C certification A-3.2 Accuracy & Consistency A-3.4 Verifiability A-3.5 Conformance A-3.7 Algorithm Accuracy A-4.9 Consistency A-4.12 Conformance A-4.13 Partition Integrity A-5.2 Compliance A-5.4 Conformance A-5.6 Accuracy & Consistency A-5.8 PDI Correct & Complete A-5.9 PDI Verified Compliance with requirements Conformance to standards Orange indicates Testing Green indicates Review/Analysis A-4.8 Architecture Compatibility Software Architecture A-5.7 Complete & Correct System Requirements High-Level Requirements Source Code Executable Object Code A-3.1 Compliance A-3.6 Traceability A-4.1 Compliance A-4.6 Traceability Low-Level Requirements A-5.1 Compliance A-5.5 Traceability A-6.1 Compliance A-6.2 Robustness A-4.2 Accuracy & Consistency A-4.5 Conformance A-4.7 Algorithm Accuracy A-6.3 Compliance A-6.4 Robustness A-6.5 Compatible With Target A-7.1 Procedures are correct A-7.2 Results are Correct A-7.3 Test Coverage of HLRs A-7.4 Test Coverage of LLRs A-7.7 Statement Coverage A-7.8 Coupling Coverage 8

What steps are required for DO-178C certification High-Level Requirements Design Model* Software Architecture Low-Level Requirements Automatic Code Generation Source Code Processor-In-The-Loop (PIL) Simulation Orange indicates Testing Green indicates Review/Analysis * A Design Model includes low-level requirements and/or architecture [DO-178C MB.1.6.2] Executable Object Code 9

Development Process 10

Model development from requirements Starting with an example High Level Requirement: Rqmt : The Boolean fault status associated with the N1C-1 speed signal shall be confirmed and latched as being True if the N1C-1 fault status is continuously set to any other state than OK for more than 3 seconds. 11

Model development from requirements Adding traceability between the model and the requirement. The Requirements Management Interface from the Verification and Validation Toolbox is used to add bidirectional traceability. 12

Model development from requirements The models were developed from 359 High Level Requirements A total of 10 individual Design Models form the EMU application software design A total of 3876 Model Blocks are used and all are traceable to the High Level Requirements 13

Model verification activities Check that the model conforms to standards. The Model Advisor Checks from the Verification and Validation Toolbox are used. 14

Model verification activities Simulate the model Simulation cases written against the high level requirements were used to fully exercise the model using a test tool developed in house. Reviewed and approved test case taken from CM tool. CC2 Analysed and documented simulation environment taken from CM tool. CC2 Simulink Reviewed and approved Design Model taken from CM tool CC1 Test output report added to CM tool CC2 Simulation Case.xml file Test strategy and expected results.m file Test case static inputs file.m file Test case dynamic inputs file Signal Synthesis Vibration sensor emulations Speed sensor emulations Pressure sensor emulations Hardware Inputs Hardware acquisition chain emulation Input APSW Software Design Fcn 1 Fcn 2 Fcn 3 (subsystem under test) Test input variables 1 Test input variables 2 Test output variables Output Automatic Pass/Fail Check Test Output A report is generated detailing the requirement IDs tested by the test, plots of the test point data of interest and the pass/fail result of the test. This report is added to the CM tool as evidence of the verification activity. (The same data sets are also output as in test activity A to help investigations into test failures). Model coverage analysis.mat file Time series expected results Time-Series Expected Results 15

Model verification activities Simulation activity outputs - Results Report Uses The Expected If reference Test model Case Results results checksum is linked and are Simulation provided to guarantee the an the requirement Results automatic correct are Pass/Fail model displayed which was it result is tested testing is returned 16

Model verification activities Simulation activity outputs Model Coverage Decision and Condition 17

Model verification activities Simulation activity outputs Model Coverage Report 18

Model verification activities Simulation activity outputs Model Coverage Report - Cumulative 19

Model verification activities The model is automatically documented using the report generation tool 20

Model verification activities The Design Description Report captures the complete In-Memory Representation of the Model 21

Model verification activities 129 Test Cases were authored against the high level requirements A total of 1.7 million test points compared in the automatic pass/fail reporting Testing against high level requirements achieved the necessary level of model coverage The functionality of the design is fully validated before a single line of code is produced 22

Code production and verification Once the Design Model has been fully verified it is ready to produce code Ctrl+B 23

Code production and verification The compiled code must be tested to show compliance with the high level requirements. - Tests written against the high level requirements already exist from the model simulation. The compiled code must be tested to show compliance against the Design Model. - This can be achieved by equivalence testing the object code behaviour against the Design Model behaviour. The compiled code must be shown to be compatible with the target architecture. - This can be achieved by running all paths of the compiled code on representative target architecture Is there a way that all this can be achieved with the test cases which already exist? 24

Code production and verification Processor-in-the-Loop testing 25

Code production and verification Processor-in-the-Loop testing 26

Code production and verification Processor-in-the-Loop testing 27

Code production and verification Processor-in-the-Loop testing Results Report The The PIL version infrastructure number reports of the object execution timing code on under a code test function is reported level 28

Tool Qualification When is tool qualification required? Qualification of a tool is needed when processes of this document are eliminated, reduced, or automated by the use of a software tool without its output being verified [DO-178C 12.2.1] Which parts of this process required Tool Qualification? - The Model Advisor checks automated part of the compliance with standards process. - The Report Generator is qualified to show equivalence with the in-memory representation of the model. - The Model Coverage tool is qualified as this automates the metrics associated with the model coverage process. - The pass/fail reporting of test results automated parts of the compliance processes - The PIL infrastructure automates code coverage. 29

Tool Qualification DO Qualification Kit (for DO-178) - DO Qualification Kit provides documentation, test cases, and procedures that let you qualify Simulink software verification tools - The kit contains tool qualification plans, tool operational requirements, and other materials required for qualifying software verification tools 30

Future Enhancements 31

Further tool adoption Automated code review - The source code required a manual review to show compliance against the Design Model. - This activity could be automated by using the Simulink Code Inspector Simulink Test - The in-house test frame work has a maintenance overhead, especially around version migration. - The introduction of Simulink Test in means we now have an alternative solution which is natively supported by the MathWorks. 32

Thank You 33

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback