Aerospace
or quad flight computer/sensor combinations. So for a given signal, say an actuator position or an air pressure sensor, you have to make a list of how it can fail, then inject each of the failures and see how your system reacts. “If you have a failure, you want it to happen in the safety of a laboratory or in a simulation, and not to catch you by surprise in flight. When you are finally out flying, and that signal fails, you then know your system can detect it and safely react to it,” he concludes.

In the DO-178C update to DO-178B, there is new guidance for the use of formal methods, as well as object oriented techniques (OOT), and also a ‘Model Based Development and Verification’ supplement. Steve Morton, Principal Engineer at Hawker Beechcraft, holds that assuming the use of OOT, C++ and Ada actually complicates the translation of the necessarily functional requirements allocated to the software into an object-oriented architecture and design.
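The failure-injection procedure described above, as an added C example that is not from the article or any company it names: one air-pressure signal is read through a triplex sensor set, each listed failure mode is injected into one channel in turn, and a range, rate-of-change and cross-channel monitor is checked to see at which sample it detects the fault. All limits, the 5 hPa per sample climb profile and the sample values are constructed assumptions.

```c
#include <math.h>      /* NAN */
#include <stdbool.h>

/* Constructed example: an air-pressure signal (hPa) read through a triplex
   sensor set. All limits and sample values are assumptions for illustration. */
#define P_MIN_HPA     100.0   /* plausible physical range of the signal */
#define P_MAX_HPA    1100.0
#define MAX_RATE_HPA   20.0   /* largest plausible change between samples */
#define AGREE_HPA      12.0   /* cross-channel agreement tolerance */

enum fault { FAULT_NONE, FAULT_STUCK, FAULT_OUT_OF_RANGE, FAULT_SPIKE, FAULT_DROPOUT };
static double absd(double x) { return x < 0 ? -x : x; }

/* Inject one failure mode into channel 0 at sample k; channels 1 and 2 stay healthy. */
static double inject(enum fault f, double truth, int k)
{
    switch (f) {
    case FAULT_STUCK:        return 1000.0;                        /* frozen at first reading */
    case FAULT_OUT_OF_RANGE: return k == 2 ? 5000.0 : truth;       /* physically impossible */
    case FAULT_SPIPE_UNUSED: break;
    default:                 break;
    }
    return truth;
}
```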
Reverse engineering of requirements
“For COTS, the problem tends to be considerably more complex than verification,” Morton contends. “COTS being developed to a much wider market than aerospace commonly includes functionality that isn’t intended by the aerospace application.
even if safety, both in software and hardware, is half the price of the aircraft, that is $11 per flight. “I used the 20 year figure which is pretty common for
airframes, but it should also be noted that some avionics software written 20 years ago is still being installed in new aircraft today because we made sure it worked. Conversely, consider the cost of pulling a whole fleet of aircraft in to correct a tiny little coding error. That can run into millions. “I would disagree that Ada simplifies the coding process,
unless you compare it to assembly language, which it was designed to replace - quite the opposite, because of the strong typing and exception handling, which is why I prefer Ada. C is easy to code, and equally easy to allow fatal errors.” Quentin Ochem, technical account manager at AdaCore,
agrees that checking result with Ada is easier than languages such as C. “This is the case only in the right subset though - removing too dynamic or too complex features - but that is fairly easy to do,” he says. Thales has chosen the AdaCore GNAT Pro technology,
including several safety-qualified tools, to develop critical systems for the new Airbus A350 XWB extra wide body family. Thales will use GNAT Pro and the Ada 2005 language to build the Air Data Inertial Reference Unit (ADIRU), to provide precise in-flight positioning information. It will meet Level A of the DO-178B standard and use ARINC 653 multi- partition operating system MACS2. Ochem continues: “With static analysis and proof, you
have a range of tools from bug finders to real provers. The key is that Ada allows developers to express a wide range of properties that can be verified and natural to write. “At the other end of the spectrum, the SPARK technology,
which is a safe Ada subset extended with formal annotations, has been used for over 20 years. It allows developers to formally prove various properties and is exempt of all kind of vulnerabilities.” At Marshall Aerospace in Cambridge, UK, a pensioned
off USAF C-130 aircraft was acquired by the Royal Netherlands Airforce (RNLAF) with the intention of extending its useful life. Prior to entry into service it was necessary for the aircraft to receive a number of upgrades and modifications in order to comply with EU legislation. The flight-deck was entirely upgraded with digital equipment replacing all previous analogue devices.
Failure modes and effects analysis
Fig. 2. The US Navy Global Hawk high-altitude, long-endurance unmanned aircraft systems.
“Further, the reverse engineering of requirements and design data should necessarily end with at least some changes to the COTS software. Being in a lower software level category may alleviate some of the issues, but COTS when it isn’t ‘aerospace COTS’ may always be problematic, given that safety must necessarily win out.” David Berlin, consulting aerospace software engineer,
adds: “Take the price of a 737, divide by the number of passengers over 20 years, and I get a figure of about $22. This includes maintenance but the main issue is design cost. So
One key requirement was to perform a failure modes & effects analysis for the entire flight-deck to ensure no undesirable effects would propagate to the mission level as a result of the upgrade. The analysis was performed by Fraser Mackie, owner of ILS Complete in Munich, in collaboration with personnel responsible for training individuals on the new equipment. The Marshall Aerospace project was successfully completed and delivered last year. Mackie reveals from previous experience: “The majority
of software events/failures I have encountered, whether it be COTS based or bespoke design, have been the result of change in specification external to the equipment for which it was designed. In those cases the software was doing exactly what it was designed to do despite leading to an unfavourable event.
www.engineerlive.com 63
Page 1 |
Page 2 |
Page 3 |
Page 4 |
Page 5 |
Page 6 |
Page 7 |
Page 8 |
Page 9 |
Page 10 |
Page 11 |
Page 12 |
Page 13 |
Page 14 |
Page 15 |
Page 16 |
Page 17 |
Page 18 |
Page 19 |
Page 20 |
Page 21 |
Page 22 |
Page 23 |
Page 24 |
Page 25 |
Page 26 |
Page 27 |
Page 28 |
Page 29 |
Page 30 |
Page 31 |
Page 32 |
Page 33 |
Page 34 |
Page 35 |
Page 36 |
Page 37 |
Page 38 |
Page 39 |
Page 40 |
Page 41 |
Page 42 |
Page 43 |
Page 44 |
Page 45 |
Page 46 |
Page 47 |
Page 48 |
Page 49 |
Page 50 |
Page 51 |
Page 52 |
Page 53 |
Page 54 |
Page 55 |
Page 56 |
Page 57 |
Page 58 |
Page 59 |
Page 60 |
Page 61 |
Page 62 |
Page 63 |
Page 64 |
Page 65 |
Page 66 |
Page 67 |
Page 68