Similar literature
20 similar documents found (search time 46 ms)
1.
Changes in the procurement environment and developments in technology that will require the adoption of new development certification procedures within the next few years are examined. Characteristics of safety-critical computer systems and the safety problems posed by digital computers are described. The way in which the changes have influenced the preparation of the new draft defence standards offered for public debate in the UK prior to their formal adoption by the Ministry of Defence is discussed. Principal features of the future safety-critical systems policy are outlined. The use of Ada for safety-critical software is considered.

2.
Software complexity is continuously increasing and competition in the software market is becoming more intensive than ever. Therefore, it is crucial to improve software quality and, at the same time, minimize software development cost and reduce software delivery time in order to gain competitive advantages. Recently, Component-Based Software Development (CBSD) was proposed and has now been applied in various industry and business applications as a possible way to achieve this goal. As verified by numerous practical applications in different fields, CBSD is able to increase software development productivity as well as improve software quality. Modern embedded real-time systems have both strict functional and non-functional requirements and they are essentially safety-critical, real-time, and embedded software-intensive systems. In particular, the crucial end-to-end quality-of-service (QoS) properties, such as timeliness and fault tolerance, should be assured in embedded systems. Herein, I first introduce the modern component technologies and commonly used component models. Then, the middleware in distributed real-time embedded systems is discussed. Further, adaptive system resource management is elaborated upon. Finally, the prospects of a component-based approach in implementing modern embedded real-time software are discussed and future research directions are suggested.

3.
A career development program for information systems practitioners currently being used widely by employers in the UK and now becoming available in North America is described. The program, called the Professional Development Scheme (PDS), was developed by the British Computer Society to address the lack of structure and quality control generally present in the way computing professionals were being trained. The performance standards underpinning the program (the British Computer Society Industry Structure Model) have been thoroughly updated and now include material specific to the development, maintenance, and management of software for safety-critical applications. The use of the program for this purpose and potential developments in the field of training and registration for safety-critical software specialists are discussed.

4.
The success of kernels for enforcing security in software systems has led to proposals to use kernels for enforcing safety. This paper presents a feasibility demonstration of one particular proposal for a safety kernel via the application of traffic light control. The paper begins with the safety properties for traffic light control and specifies a kernel that maintains the safety properties. An implementation sketch of the kernel in Ada is given and use of the kernel is discussed. The contribution of the paper is a demonstration that a kernel is a feasible and desirable technique for software in a realistic, safety-critical application. The paper also illustrates how formal methods aid the software engineer in constructing and reasoning about such software.
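The safety-kernel idea in entry 4 transfers directly from security kernels: the untrusted controller may only change lamps through one small, verified interface, and that interface refuses any state that would break an invariant. The following Python sketch is an added example and not the paper's Ada kernel; the conflict table, the 3 s minimum yellow and the 2 s all-red clearance are assumed values chosen for the illustration. It enforces three properties: P1, conflicting approaches are never non-red together; P2, each approach follows red, green, yellow, red with yellow shown for a minimum time; P3, a new green is preceded by an all-red clearance interval.

```python
"""Safety kernel for a two-road signalised intersection (added example).

The untrusted controller (the 'application') may only change lamps through
SafetyKernel.set_aspect(); the kernel checks every proposed state against the
safety properties before committing it and rejects anything unsafe.
"""
from enum import Enum


class Aspect(Enum):
    RED = "red"
    YELLOW = "yellow"
    GREEN = "green"


# Conflict table, minimum yellow and minimum all-red clearance (seconds).
# Assumed values for the example, not taken from the paper.
CONFLICTS = {frozenset({"NS", "EW"})}
MIN_YELLOW_S = 3.0
MIN_ALL_RED_S = 2.0

# P2: the only lawful aspect sequence per approach (self-transitions allowed).
ALLOWED_NEXT = {
    Aspect.RED: {Aspect.RED, Aspect.GREEN},
    Aspect.GREEN: {Aspect.GREEN, Aspect.YELLOW},
    Aspect.YELLOW: {Aspect.YELLOW, Aspect.RED},
}


class SafetyViolation(Exception):
    """Raised when a requested change would break a safety property."""


class SafetyKernel:
    def __init__(self, approaches, now=0.0):
        # All approaches start red; 'since' records when the current aspect began.
        self.aspect = {a: Aspect.RED for a in approaches}
        self.since = {a: now for a in approaches}
        self.now = now

    def aspects(self):
        return dict(self.aspect)

    def _conflicting(self, approach):
        return [b for pair in CONFLICTS if approach in pair for b in pair if b != approach]

    def _check(self, approach, new, now):
        if now < self.now:
            raise SafetyViolation("time must not run backwards")
        old = self.aspect[approach]
        # P2: no green->red shortcut, no red->yellow, etc.
        if new not in ALLOWED_NEXT[old]:
            raise SafetyViolation(f"{approach}: {old.value} -> {new.value} not allowed")
        # P2 (timing): yellow must be displayed for at least MIN_YELLOW_S.
        if old is Aspect.YELLOW and new is Aspect.RED and now - self.since[approach] < MIN_YELLOW_S:
            raise SafetyViolation(f"{approach}: yellow too short")
        if new is Aspect.GREEN and old is not Aspect.GREEN:
            for other in self._conflicting(approach):
                # P1: conflicting approaches are never non-red at the same time.
                if self.aspect[other] is not Aspect.RED:
                    raise SafetyViolation(f"{approach} green conflicts with {other} {self.aspect[other].value}")
                # P3: an all-red clearance interval precedes every new green.
                if now - self.since[other] < MIN_ALL_RED_S:
                    raise SafetyViolation(f"{approach}: all-red clearance too short")

    def set_aspect(self, approach, new, now):
        """Commit the change if it is safe and return True. Unsafe requests
        raise SafetyViolation and leave the lamps untouched."""
        self._check(approach, new, now)
        if new is not self.aspect[approach]:
            self.aspect[approach] = new
            self.since[approach] = now
        self.now = now
        self._drive_lamps()
        return True

    def fail_safe(self, now):
        """Emergency action owned by the kernel itself: drop every approach to
        red, the state in which all three properties hold trivially."""
        for a in self.aspect:
            if self.aspect[a] is not Aspect.RED:
                self.aspect[a] = Aspect.RED
                self.since[a] = now
        self.now = now
        self._drive_lamps()

    def _drive_lamps(self):
        # Stand-in for the lamp driver: the kernel is the only writer to it.
        pass


if __name__ == "__main__":
    k = SafetyKernel(["NS", "EW"])
    script = [("NS", Aspect.GREEN, 5.0), ("EW", Aspect.GREEN, 10.0),
              ("NS", Aspect.YELLOW, 12.0), ("NS", Aspect.RED, 15.0),
              ("EW", Aspect.GREEN, 17.0)]
    for approach, aspect, t in script:
        try:
            k.set_aspect(approach, aspect, t)
            print(f"t={t:5.1f} {approach}->{aspect.value:6s} ok       {k.aspects()}")
        except SafetyViolation as e:
            print(f"t={t:5.1f} {approach}->{aspect.value:6s} REJECTED: {e}")
```

The controller above the kernel can be arbitrarily wrong (the second request asks for a conflicting green) and the lamps still never enter an unsafe state; that containment is the whole point of the kernel, and it is also what makes the small kernel, rather than the whole controller, the thing worth verifying formally.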

5.
The Ada programming language was chosen by NASA as the primary computer programming language for the development of new software for the US Space Station. Ada was selected based on the results of investigations coordinated through Johnson Space Center (JSC), which resulted in the identification of a set of problems and risks associated with using software developed in Ada. Some of the specific solutions to problems identified through these investigations are described. Three areas in which Ada's use poses risks are discussed: real-time process control; the testing and verification of flight software for man-rated systems; and the software error detection, identification, and recovery required in safety-critical systems.

6.
Robustness testing for safety-critical embedded software is still a challenge in its nascent stages. In this paper, we propose a practical methodology and implement an environment by employing model-based robustness testing for embedded software systems. It is a system-level black-box testing approach in which the fault behaviors of embedded software are triggered with the aid of model-based fault injection, supported by an executable model-driven hardware-in-the-loop (HIL) testing environment. The prototype implementation of the robustness testing environment based on the proposed approach is experimentally discussed and illustrated by industrial case studies based on several avionics embedded software systems. The results show that the proposed robustness testing method and environment are effective in finding more bugs and in reducing the burden on test engineers, thus improving the efficiency of testing tasks, especially for complex embedded systems.

7.
Research on reliability verification testing methods for safety-critical software   Cited: 15 (self-citations: 0, citations by others: 15)
To reduce the number of test cases without lowering the credibility of reliability verification test results for safety-critical software, a Bayesian inference statistical testing method that dynamically integrates prior knowledge is proposed, based on an analysis of classical statistical hypothesis testing and of Bayesian statistical methods without prior information. A detailed procedure is also given for solving the parameters of the prior distribution of the probability density function of the software failure probability. Experiments show that the proposed reliability verification testing method for safety-critical software achieves the same result credibility with fewer test cases.
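The saving described in entry 7 can be made concrete with a small calculation. The block below is an added example, not the paper's own method or its parameter-solving procedure: it sizes a failure-free verification test in the classical way (reject H0: p >= p0 after n failure-free runs when (1 - p0)^n <= 1 - C) and in the Bayesian way with a conjugate Beta prior, then folds assumed prior evidence (2000 earlier failure-free runs, a constructed figure) into the prior to show how it lowers the number of new runs needed. The target p0 = 1e-3 at 99 % confidence is likewise an assumption. The Beta CDF is computed from the binomial identity for integer shape parameters, so no SciPy is needed.

```python
"""Sizing a reliability verification test: classical zero-failure test versus
Bayesian inference with a Beta prior (added example, not the paper's method)."""
import math
from typing import Tuple


def classical_zero_failure_tests(p0: float, confidence: float) -> int:
    """Runs needed so that observing zero failures rejects H0: p >= p0 at the
    given confidence, i.e. the smallest n with (1 - p0)**n <= 1 - confidence."""
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - p0))


def beta_cdf(a: int, b: int, x: float) -> float:
    """P(p < x) for p ~ Beta(a, b) with positive integer shapes, using the
    binomial identity I_x(a, b) = 1 - sum_{j<a} C(a+b-1, j) x^j (1-x)^(a+b-1-j)."""
    n = a + b - 1
    upper_tail = sum(math.comb(n, j) * x ** j * (1.0 - x) ** (n - j) for j in range(a))
    return 1.0 - upper_tail


def integrate_prior(a: int, b: int, runs: int, failures: int) -> Tuple[int, int]:
    """Fold earlier evidence (runs with a given number of failures) into the
    Beta(a, b) prior by conjugate updating: failures add to a, successes to b."""
    return a + failures, b + runs - failures


def bayesian_required_tests(a: int, b: int, p0: float, confidence: float,
                            limit: int = 10**6) -> int:
    """Smallest number n of additional failure-free runs after which the
    posterior Beta(a, b + n) gives P(p < p0) >= confidence."""
    for n in range(limit + 1):
        if beta_cdf(a, b + n, p0) >= confidence:
            return n
    raise ValueError("confidence target not reached within limit")


if __name__ == "__main__":
    P0, CONF = 1e-3, 0.99  # assumed target: failure probability below 1e-3 at 99 %
    print("classical zero-failure test:", classical_zero_failure_tests(P0, CONF))
    print("Bayesian, uniform prior Beta(1,1):", bayesian_required_tests(1, 1, P0, CONF))
    # Constructed prior evidence: 2000 failure-free runs from an earlier phase.
    a, b = integrate_prior(1, 1, runs=2000, failures=0)
    print(f"Bayesian, prior Beta({a},{b}):", bayesian_required_tests(a, b, P0, CONF))
```

With a flat prior the Bayesian answer is essentially the classical one (4602 versus 4603 runs); the saving comes entirely from the prior, and every prior failure-free run is worth one fewer new run. The caveat a verifier should insist on is that prior runs count only if they exercised the same build under the same operational profile; a prior with failures (failures > 0) moves a above 1 and can demand more tests than the classical figure, which the function handles as well.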

8.
This paper describes the specification-based testing, analysis tools, and associated processes used to independently validate, verify, and ultimately provide for certifying safety-critical software developed for the Traffic Alert and Collision Avoidance System (TCAS II) program. These tools and processes comprise an effective Independent Validation and Verification (IV&V) activity applied to the Collision Avoidance Subsystem (CAS) software development process. A requirements specification language called the Requirements State Machine Language (RSML), originally developed by the University of California, Irvine (UCI), was employed for the specification of CAS. The end result is the next generation of TCAS II collision avoidance logic, referred to as Version 7, that is of a higher quality than its predecessors, meets the certification requirements of DO-178B Level B (Ref. 1), and can be shown to satisfy the new operational requirements it was developed to address.

9.
Petri nets are graphical and mathematical tools that are applicable to many systems for modeling, simulation, and analysis. With the emergence of the concept of partitioning in the time and space domains proposed in the avionics application standard software interface (ARINC 653), it has become difficult to analyze time–space coupling hazards resulting from resource partitioning using classical or advanced Petri nets. In this paper, we propose a time–space coupling safety constraint and an improved timed colored Petri net with imposed time–space coupling safety constraints (TCCP-NET) to fill this requirement gap. Time–space coupling hazard analysis is conducted in three steps: specification modeling, simulation execution, and results analysis. A TCCP-NET is employed to model and analyze integrated modular avionics (IMA), a real-time, safety-critical system. The analysis results are used to verify whether time–space coupling hazards exist at runtime. The proposed method demonstrates superior modeling of safety-critical real-time systems, as it can specify resource allocations in both the time and space domains. TCCP-NETs can effectively detect underlying time–space coupling hazards.

10.
The huge and rapid progress in electric drives offers new opportunities to improve the performance of aircraft at all levels: fuel burn, environmental footprint, safety, integration and production, serviceability, and maintainability. Actuation for safety-critical applications like flight controls, landing gears, and even engines is one of the major consumers of non-propulsive power. Conventional actuation with centralized hydraulic power generation and distribution and control of power by throttling has been well established for decades, but offers limited potential for evolution. In this context, electric drives become more and more attractive to remove the natural drawbacks of conventional actuation and to offer new opportunities for improving performance. This paper takes stock, at both the signal and power levels, of the evolution of actuation for safety-critical applications in aerospace. It focuses on the recent advances and the remaining challenges on the way toward full electrical actuation for commercial and military aircraft, helicopters, and launchers. It logically starts by emphasizing the specificity of safety-critical actuation for aerospace. The following section addresses in detail the evolution of aerospace actuation from mechanically signaled and hydraulically supplied to all-electric, with special emphasis on research and development programs and on solutions entered into service. Finally, the last section reviews the challenges to be met to generalize the use of all-electric actuators for future aircraft programs.

11.
Over the past 30 years, safety-critical avionics systems such as Fly-By-Wire (FBW) flight controls, full-authority digital engine controls, and other systems have been introduced on many commercial and military airplanes and spacecraft. Early FBW systems, such as those on the F-16 and Airbus A320, were considered revolutionary and were introduced with extreme caution. These early systems and their successors all make use of redundant and fault-tolerant avionics to provide the required dependability and safety, but have used significantly different architectures. This paper examines the different levels of criticality and fault tolerance required by different types of avionics systems, establishes categories of fault-tolerant architectures, and identifies the discriminating features of the varied approaches. Examples of discriminators include the level of redundancy, methods of engaging backup systems, protection from software errors, and the use of dissimilar hardware and software. The strengths and weaknesses of the approaches are identified. The paper concludes with some speculation on trends for future systems based on this evaluation of previous systems.

12.
This paper describes the hardware structure and software flow of a single-chip microcomputer control system for a batching production process. Because both the hardware and the software are designed in a modular structure, the system is easy to install and debug, and it can be extended to production in industries such as cement, mining and food processing.

13.
It is current DoD policy to use commercial off-the-shelf software whenever it meets DoD requirements. The application of this policy to modeling and simulation has resulted in the concept of "The Joint Modeling and Simulation System (J-MASS) Marketplace." J-MASS is designed as an Open Systems Architecture with the capability for the Simulation Support Environment (SSE) to be expanded by the addition of site-specific software. In the "J-MASS Marketplace" industry will build commercial tools to work with J-MASS and individual organizations will license what they need for their particular site. The J-MASS SSE is a framework or backplane into which everything else plugs. A J-MASS product release would have the core capabilities, but the unique needs of various organizations would be satisfied by industry. This paper addresses how the J-MASS Marketplace could work and how compliance can be defined. It outlines opportunities for industry both in building software for the Marketplace and in defining the Marketplace concept.

14.
This paper is about the disparity between what is known and what is being learned in academia and what is being used in industry. The author believes there are many reasons. Some of these represent accidental and some essential problems. Most are part of a general issue of quality in software products. Most problems that make it more difficult to apply testing techniques are part of the larger problem of producing high-quality software cost-effectively. The author presents a list of reasons industry does not use the highly advanced, and in some cases highly developed, software testing techniques that are available. The problems are divided into three broad categories: problems in industry; problems in academic research and education; and problems in the interface between the two.

15.
Redundancy design techniques for fly-by-wire flight control systems   Cited: 3 (self-citations: 0, citations by others: 3)
Redundancy design is an important means of improving the safety and mission reliability of fly-by-wire flight control systems. This paper introduces the elements of redundancy design in fly-by-wire flight control systems and discusses several important issues in this field. The main topics are similar redundancy, dissimilar redundancy, analytical redundancy and functional redundancy design techniques. Their core technologies and research difficulties are analysed, laying a foundation for further research.
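Entries 11 and 15 both turn on the same mechanism: the redundancy level, how a faulty channel is detected and how the backup source is engaged. The block below is an added example and not code from either paper. It manages a triplex set of similar sensor channels by mid-value voting, isolates a channel after a persistent miscompare, and, once fewer than three channels remain, uses an analytical-redundancy estimate (a model-based value supplied by the caller) as the dissimilar backup that arbitrates between two disagreeing channels and finally replaces the last one. The tolerance band, persistence count and the frame values in the demo are constructed for the illustration.

```python
"""Redundancy management for a triplex sensor channel set in a fly-by-wire
system (added example): mid-value voting over similar channels, fault
detection and isolation by persistent miscompare, and an analytical
(model-based) estimate as the dissimilar backup source."""
from dataclasses import dataclass
from statistics import median
from typing import Callable, Dict, List, Tuple


@dataclass
class Channel:
    name: str
    healthy: bool = True
    miscompares: int = 0  # consecutive frames outside the tolerance band


class RedundantSensor:
    def __init__(self, names: List[str], tolerance: float, persistence: int,
                 model: Callable[[object], float]) -> None:
        self.channels = {n: Channel(n) for n in names}
        self.tolerance = tolerance      # max deviation from the selected value
        self.persistence = persistence  # miscompare frames before isolation
        self.model = model              # analytical-redundancy estimator

    def healthy_names(self) -> List[str]:
        return [n for n, c in self.channels.items() if c.healthy]

    def select(self, readings: Dict[str, float], model_input) -> Tuple[float, str]:
        """Return (selected value, source) for one frame and update channel health."""
        names = self.healthy_names()
        values = [readings[n] for n in names]
        estimate = self.model(model_input)
        if len(values) >= 3:
            # Similar redundancy: mid-value select masks any single hard-over.
            selected, source = median(values), "mid-value"
        elif len(values) == 2:
            if abs(values[0] - values[1]) <= self.tolerance:
                selected, source = (values[0] + values[1]) / 2.0, "average"
            else:
                # Two channels disagree: the analytical estimate arbitrates.
                selected = min(values, key=lambda v: abs(v - estimate))
                source = "model-arbitrated"
        elif len(values) == 1:
            if abs(values[0] - estimate) <= self.tolerance:
                selected, source = values[0], "single"
            else:
                selected, source = estimate, "analytical"
        else:
            selected, source = estimate, "analytical"
        # Fault detection and isolation on the channels still in the vote.
        for n in names:
            ch = self.channels[n]
            if abs(readings[n] - selected) > self.tolerance:
                ch.miscompares += 1
                if ch.miscompares >= self.persistence:
                    ch.healthy = False
            else:
                ch.miscompares = 0
        return selected, source


if __name__ == "__main__":
    # The model here simply returns the estimate handed in; in a real system it
    # would compute the quantity from other sensors and the aircraft model.
    sensor = RedundantSensor(["A", "B", "C"], tolerance=0.5, persistence=2,
                             model=lambda est: est)
    frames = [  # constructed frames: C fails high, then B, then A
        ({"A": 10.0, "B": 10.1, "C": 9.9}, 10.0),
        ({"A": 10.0, "B": 10.1, "C": 15.0}, 10.0),
        ({"A": 10.0, "B": 10.1, "C": 15.0}, 10.0),
        ({"A": 10.2, "B": 10.3, "C": 15.0}, 10.2),
        ({"A": 10.2, "B": 20.0, "C": 15.0}, 10.0),
        ({"A": 10.2, "B": 20.0, "C": 15.0}, 10.0),
        ({"A": 10.4, "B": 20.0, "C": 15.0}, 10.0),
        ({"A": 0.0, "B": 20.0, "C": 15.0}, 10.0),
        ({"A": 0.0, "B": 20.0, "C": 15.0}, 10.0),
    ]
    for readings, est in frames:
        value, source = sensor.select(readings, est)
        print(f"{value:6.2f} {source:16s} healthy={sensor.healthy_names()}")
```

The degradation order is the point worth checking in any such design: with three similar channels the vote masks one fault without any model; with two, the dissimilar analytical estimate only breaks ties; with one, it only screens gross errors; and only when every similar channel has been isolated does the estimate become the controlling value. A common-mode error that affects all three similar channels alike is not caught by the vote at all, which is the argument entry 15 makes for dissimilar and analytical redundancy alongside similar redundancy.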

16.
System engineering projects typically involve the use of a variety of design, analysis, simulation, and management software tools that are home-grown or commercial off-the-shelf (COTS). Very often, these applications are hosted on dissimilar computing platforms in a network environment. An application deployed on one platform may not be easily ported to another platform, and it usually cannot be readily accessed by software on the other platform. Enhancing the interoperation among software applications or tools will greatly increase the effectiveness of the system engineering process. The middleware technology currently being developed by the computer industry promises to provide the needed software interface for integrating tools across a heterogeneous computer network. This paper discusses the experience of applying middleware technology to software tools used in system engineering.

17.
The use of commercial off-the-shelf (COTS) microprocessors for safety-critical applications usually implies derating the device to make it work in harsh environments. We discuss derating concerns for state-of-the-art microprocessors. Issues addressed herein include noise margins due to low voltage levels, multiple power supplies, frequency and current derating concerns, error sources, timing degradation, power-aware architectures, and new advanced microprocessor derating features.

18.
Design of test equipment for a UAV strapdown inertial navigation system   Cited: 4 (self-citations: 0, citations by others: 4)
To address the testing of the strapdown inertial navigation system (SINS) of a certain type of UAV, test equipment meeting the system's inspection requirements was designed using virtual instrument technology. The overall design of the test equipment is outlined, and its hardware and software design are described in detail. The test equipment uses an industrial control computer as its hardware platform; all test boards are installed in the industrial control computer's slots, and the computer's capabilities are used to perform signal acquisition, task management and other functions. The test platform...

19.
Open system architectures based on commercial off-the-shelf (COTS) building-block components offer the ability to leverage the latest technology into fielded products while minimizing the impact on the operational flight software, typically the most costly component of an avionics development or upgrade. Our team has developed a layered hardware and software approach based on industry-standard hardware and software interfaces to abstract the application (operational) software developers from the underlying technology rolls to the hardware and operating system software that naturally occur as part of the commercial marketplace. A technology roll is defined as the replacement of a current product with a subsequent generation of a product from the same product family. In this article, we describe the components and the layered architecture of our open system architecture approach. We discuss specific system, hardware, and software technology insertions that incorporate the latest available technology and how these changes have been abstracted from the application software. The article concludes by discussing lessons learned from the use of these common components and corresponding technology rolls across various platforms.

20.
Development of computer programs that control test sequences on Automatic Test Equipment (ATE) is costly and time-consuming. Test programs are usually written by specifying the instruments to be used in the ATE and the sequence of the setup and measurement parameters for these instruments. Reuse of test program software on other ATE is usually not possible without rewriting, revalidating and re-releasing the programs. This paper describes an implementation of a test program software development system and a standard software runtime architecture used in our factories. The object-oriented development environment and its associated class libraries allow test programs to be written without knowledge of the ATE on which they will be run. Two main principles guided the design: the software architecture was based on recognized formal and industry standards, and our implementation used commercial off-the-shelf software products when possible. Emerging standards such as IEEE-1226 (ABBET) as well as de facto industry standards including VXI Plug and Play have made our implementation possible. The current drafts of the ABBET and P&P standards do not promote this instrument independence, but it is hoped that this will be added as the standards mature. Three immediate benefits are: cost savings that result from reusing validated test programs; cycle time reductions that result from concurrently developing test program software and ATE; and software defect reductions that result from using proven software.


Copyright © Beijing Qinyun Technology Development Co., Ltd.  京ICP备09084417号