Instrumentation • Electronics


the opposite, because of the strong typing and exception handling, which is why I prefer Ada. C is easy to code, and equally easy to allow fatal errors.” Quentin Ochem, technical account manager at AdaCore, agrees that checking results with Ada is easier than in languages such as C. “This is the case only in the right subset though - removing too dynamic or too complex features - but that is fairly easy to do,” he says.

Thales has chosen the AdaCore GNAT Pro technology, including several safety-qualified tools, to develop critical systems for the new Airbus A350 XWB extra wide body family. Thales will use GNAT Pro and the Ada 2005 language to build the Air Data Inertial Reference Unit (ADIRU), to provide precise in-flight positioning information. It will meet Level A of the DO-178B standard and use the ARINC 653 multi-partition operating system MACS2.

Ochem continues: “With static analysis and proof, you have a range of tools from bug finders to real provers. The key is that Ada allows developers to express a wide range of properties that can be verified and natural to write.

“At the other end of the spectrum, the SPARK technology, which is a safe Ada subset extended with formal annotations, has been used for over 20 years. It allows developers to formally prove various properties and is exempt from all kinds of vulnerabilities.”

At Marshall Aerospace in Cambridge, UK, a pensioned-off USAF C-130 aircraft was acquired by the Royal Netherlands Air Force (RNLAF) with the intention of extending its useful life. Prior to entry into service it was necessary for the aircraft to receive a number of upgrades and modifications in order to comply with EU legislation. The flight-deck was entirely upgraded with digital equipment replacing all previous analogue devices.

Failure modes and effects analysis

One key requirement was to perform a failure modes & effects analysis for the flight-deck to ensure no undesirable effects would propagate to the mission level as a result of the upgrade. The analysis was performed by Fraser Mackie, owner of ILS Complete in Munich, with personnel responsible for training individuals on the new equipment. Mackie reveals from previous experience: “The majority of software events/failures I have encountered, whether it be COTS based or bespoke design, have been the result of change in specification external to the equipment for which it was designed. In those cases the software was doing exactly what it was designed to do despite leading to an unfavourable event. For example, a COTS based device I was using was processing radar data, when some months later, intermittent and ominous readings from the device would appear on the display. Fortunately the controller identified the track data as an error. Had the mistake not been identified there was a real risk tracks would be labelled incorrectly. The COTS device was replaced, but this did not fix the fault.

“Weeks of fault finding later it was discovered a replacement cable interfacing the COTS device to the system was replaced at the time the failure occurred. The cable was within electrical specification but for one key difference, its length. The increased length of the cable had meant the software on the COTS device could not handle the increased periods of time it took to retrieve data, process it, and send it to the display. Instead it took its best guess and sent the data anyway.”

COTS is an emotive subject for Chris Andrews, product marketing manager at C-MAC Aerospace, who believes that in some ways, it is the enemy of his business as customers strive to cut costs by using commercial grade parts for harsh environment applications. He says: “It is hugely controversial in the space market in particular, where the added issue of radiation tolerance hinders the life of electronics.

Fig. 1. The US Navy Global Hawk high-altitude, long-endurance unmanned aircraft systems.

Lot homogeneity

A key requirement for high reliability applications is lot homogeneity, continues Andrews. Even lots of semiconductors having the same date code may use chips from different wafer lots, as the date code is sometimes applied after final test. In order to verify a lot of COTS components is fit for purpose, extensive dynamic and climatic testing is often required. This can end up costing more than the cost of high reliability parts, thereby defeating the object.

General Dynamics UK uses Escher Technologies’ Perfect Developer (PD) to specify and design a safety-critical airborne stores management system. Guy Mason, senior software engineer at General Dynamics UK, says: “Our need is to meet the requirements of defence standard 00-55 to Safety Integrity Level 4. Escher Technologies software met our requirements best. We were especially impressed by the automation of verification proofs, which will substantially reduce our costs, and by the level of support provided by Escher Technologies.”

www.engineerlive.com 31

