Complex electronic hardware

Aircraft Engineering and Aerospace Technology

ISSN: 0002-2667

Article publication date: 1 February 2002

Citation: (2002), "Complex electronic hardware", Aircraft Engineering and Aerospace Technology, Vol. 74 No. 1. https://doi.org/10.1108/aeat.2002.12774aac.001

Publisher: Emerald Group Publishing Limited

Copyright © 2002, MCB UP Limited


Keywords: Aerospace industry, Electronics, Hardware

A wide range of organisations and expertise was represented at this Royal Aeronautical Society conference, which dealt with complex electronic systems and complex digital devices and included an explanation of how EUROCAE document ED-80 is applied.

The initial paper, given by Smiths Industries, was concerned with the Electrical Load Management System (ELMS) developed in the early 1990s for the Boeing 777. The system receives power from a variety of sources, with comprehensive monitoring provided. A number of advantages are apparent compared with previous practice. Circuit breakers are placed in remote locations, and the tripping of important breakers is indicated electronically. "Smart" contactors are used for protection of most of the higher power three-phase a.c. loads. System control includes not only the receipt of specific commands via the databus, but also the interpretation of, and response to, data received over the databus.

A large, twin-engine, long range passenger aircraft has a typical installation involving some 550 electrical loads. Two primary a.c. power lanes are provided, normally powered from the left and right engines. Seven panels comprise the system, all located in the forward equipment bay. Three primary power panels perform the task of power source selection, one for each lane, under the control of a separate Bus Power Control Unit outside the ELMS. The other four panels provide power distribution to the other aircraft loads. The requirements for integrity were also considered at the time, with a Certification Plan being drawn up at an early stage. At the time of ELMS development no comprehensive hardware guidance document existed, and the methodology adopted followed a path equivalent to the "V" diagram traditionally used for software.

The high-current circuitry comprises the traditional thermal circuit breakers, standard power contactors, "smart" contactors and low-current relays, plus other components. The electronics comprise a number of modules mounted in an enclosed box, which provides the necessary "clean" area for protection against HIRF (high-intensity radiated fields). Guidelines for software development had already been laid down. System verification was a continuous process performed throughout the development; anomalies found during development, for whatever cause, were recorded as Problem Reports and entered into a database. The validation process for the ELMS included a Failure Mode and Effects Analysis (FMEA), with every component considered in turn in a bottom-up process. The many millions of flight hours that ELMS has achieved to date bear witness to the high standard of design.

Challenges of Component Obsolescence was presented by Airbus UK. It focused on the fact that many semiconductor components now have a life cycle of less than five years. Since aircraft are often in service for much longer than this, many key parts face obsolescence. Equipment currently being produced must minimise the cost and impact of changes due to obsolescence, whilst complying with the various international guidance documents being generated on these issues.

In 1994 the Perry initiative occurred, which was to have a significant impact on electronic component availability. There has been a consequent reduction in the availability of semiconductors from the original manufacturers, and a number of alternative sources have become available. This raises a number of problems, not least the difficulty of finding a full data sheet for the older component from which to identify a replacement.

It seems that the most appropriate organisation to address the various issues is the International Electrotechnical Commission (IEC), and with major support from Airbus and Boeing, technical committee TC-107 "Process Management for Avionics" was established. The present work plan of TC-107 comprises five items, of which three are directly or indirectly concerned with obsolescence management. Comprehensive measures are being taken to mitigate the problems of electronic device obsolescence in the future. The larger producers are probably in a better position to cope with this situation.

Introduction to DO-254/ED-80

Until relatively recently there was no industry-wide guidance on what design processes should be followed when designing airborne electronic hardware. As a consequence of the resulting inconsistencies, RTCA and EUROCAE together laid the foundation for the RTCA DO-254/EUROCAE ED-80 document entitled "Design Assurance Guidance for Airborne Electronic Hardware".

This document consists of 11 chapters, which can be mapped on to the companion document dealing with software considerations first published in 1982 (RTCA DO-178/EUROCAE ED-12). A key feature of DO-254/ED-80 is that it is intended to provide guidance on what should be done rather than how a particular activity should be undertaken; in other words, there are a number of acceptable ways of meeting an objective (Figure 1).

Figure 1

Chapter 2 of DO-254/ED-80 provides guidance on system aspects of hardware design. Chapter 3 identifies three main life cycle processes: a planning process, the design process, and supporting processes. Chapter 4 defines the hardware planning process, which involves the production of the plans that are used to control the development of the hardware item. Chapter 5 defines the design processes, which are: Requirements Capture, Conceptual Design, Detailed Design, Implementation, and Production Transition.

Chapters 6 to 9 identify four supporting processes: Validation and Verification, Configuration Management, Process Assurance, and Certification Liaison. The first of these is the process that ensures that the hardware item's derived requirements are correct and complete (validation) and that the hardware item implementation meets the requirements, including derived requirements (verification). Activities include design reviews, analyses and tests. Configuration Management is the process that ensures that a consistent replication of the hardware item can be achieved in production, that regeneration of the design life cycle data is possible, and that modification of the item can be made in a controlled way if necessary. The key feature of a successful configuration management system is that it ensures the hardware item under configuration control is uniquely identified and documented. Process Assurance ensures that life cycle process objectives are met and that deviations have been addressed. Certification Liaison is a process that establishes communication and understanding between the applicant and the certification authority throughout the hardware design cycle, to assist in the certification process. This process should be accomplished by means of a Plan for Hardware Aspects of Certification (PHAC); guidance on the plan is provided in both the planning process section and the certification liaison section of DO-254/ED-80.
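One way to mechanise the traceability side of the validation/verification and configuration management processes described above, as an added example in Python (not code from the paper, from DO-254/ED-80 or from any of the programmes reported; the requirement IDs, activity records, file names and file contents are constructed for illustration):

```python
"""Traceability and baseline-identity checks over a hardware item's design life
cycle data. Added example: the requirement IDs, activity records and file
contents are constructed for illustration and do not come from DO-254/ED-80
or from any programme described in the report."""
import hashlib
from dataclasses import dataclass, field


@dataclass
class Requirement:
    rid: str
    text: str
    derived: bool = False                              # derived requirements must be validated
    validated_by: list = field(default_factory=list)   # IDs of review/analysis records


@dataclass
class Verification:
    vid: str
    kind: str        # "review", "analysis" or "test"
    covers: list     # requirement IDs this activity verifies
    passed: bool


def trace_gaps(reqs, acts):
    """Cross-check requirements against verification activities.

    Returns sorted ID lists for each gap class:
      unverified           requirement with no review/analysis/test at all
      failing              requirement whose verification activities did not all pass
      unvalidated_derived  derived requirement without a validation record
      orphan               activity citing a requirement ID that is not in the baseline
    """
    req_ids = {r.rid for r in reqs}
    covered = {}
    for a in acts:
        for rid in a.covers:
            covered.setdefault(rid, []).append(a)
    return {
        "unverified": sorted(r.rid for r in reqs if r.rid not in covered),
        "failing": sorted(r.rid for r in reqs
                          if r.rid in covered and not all(a.passed for a in covered[r.rid])),
        "unvalidated_derived": sorted(r.rid for r in reqs if r.derived and not r.validated_by),
        "orphan": sorted(a.vid for a in acts if any(rid not in req_ids for rid in a.covers)),
    }


def release_ready(gaps):
    """True only when every gap list is empty."""
    return not any(gaps.values())


def baseline_id(items):
    """Content-addressed identifier for a configuration baseline.

    `items` maps a life cycle data item name (e.g. a netlist or plan) to its
    bytes. The identifier is a SHA-256 over the sorted item names and the
    SHA-256 of each item's content, so any change to any item or to its name
    yields a different identifier and a baseline can be regenerated and
    checked exactly rather than trusted by label.
    """
    h = hashlib.sha256()
    for name in sorted(items):
        h.update(name.encode())
        h.update(b"\0")
        h.update(hashlib.sha256(items[name]).hexdigest().encode())
        h.update(b"\n")
    return h.hexdigest()[:16]


# Constructed sample data (hypothetical IDs, texts and file contents).
REQS = [
    Requirement("HW-001", "Primary a.c. lane selection completes within 50 ms"),
    Requirement("HW-002", "Trip of a high-power contactor is reported on the databus"),
    Requirement("HW-003", "Enclosure attenuates HIRF to the derived limit",
                derived=True, validated_by=["REV-07"]),
    Requirement("HW-004", "Watchdog resets the controller within 100 ms of a stall",
                derived=True),
]
ACTS = [
    Verification("TST-01", "test", ["HW-001"], True),
    Verification("ANA-02", "analysis", ["HW-002", "HW-003"], True),
    Verification("TST-03", "test", ["HW-002"], False),
    Verification("TST-04", "test", ["HW-009"], True),   # cites a withdrawn requirement
]
BASELINE = {
    "hw_requirements.txt": b"HW-001 ... HW-004\n",
    "elms_controller.vhd": b"entity elms_controller is ... end;\n",
}

if __name__ == "__main__":
    gaps = trace_gaps(REQS, ACTS)
    for name, ids in gaps.items():
        print(f"{name:20s} {', '.join(ids) or '-'}")
    print("release ready:", release_ready(gaps))
    print("baseline id:  ", baseline_id(BASELINE))
```

The check encodes what a reviewer of the life cycle data looks for: a derived requirement has no parent requirement to be judged against, so it needs an explicit validation record; an activity that cites a requirement no longer in the baseline is as much a traceability defect as a requirement with no coverage; and a content-derived baseline identifier gives the "unique identification" that configuration management demands, tied to the data itself rather than to a label that could be reused after a change.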

Throughout the chapters of this document the requirement for data items is implied. These are defined in Chapter 10, and Appendix A defines which of these data items are required for any particular hardware design assurance level, i.e. it provides guidance on the modulation of the hardware design life cycle data according to level. Chapter 11 provides guidance on topics not covered in other areas of the document, and Appendix B provides guidance additional to that contained in the main text of DO-254/ED-80 for level A and level B functions. This document is the culmination of nearly ten years' effort by up to 100 very experienced engineers from virtually every discipline associated with the international aerospace industry.

The regulatory response

From the UK Civil Aviation Authority (CAA) came a paper which discussed the actions taken by the European Joint Aviation Authorities (JAA) to adopt EUROCAE document ED-80. On the important topic of certification standardisation, the JAA has set up a panel which reviews the application of standards across projects. A guidance leaflet is being published which adopts the document as JAA policy. The Avionics Certification Standardisation Panel (CSP) of the JAA decided that the document needed to be augmented in certain areas to ensure an acceptable design assurance process for digital devices such as ASICs and PLDs.

A final draft of the leaflet is entitled "Recognition of EUROCAE document ED-80: Design assurance guidance for airborne electronic hardware".

It includes guidance applicable to complex digital devices such as Application Specific Integrated Circuits (ASICs) and Programmable Logic Devices (PLDs). Various EUROCAE documents are referred to in the guidance leaflet, which also gives definitions for Simple Hardware Items and Complex Hardware Items, as well as for Commercial Off-the-Shelf (COTS) components. The ED-80 document may be applied as a means, but not the only means, of demonstrating that the processes used in the design of airborne electronic hardware provide a level of design assurance commensurate with the intended use of that hardware. Unless stated otherwise, the additional considerations detailed in the leaflet apply to complex digital devices which are classified in Table 2 of ED-80 as requiring design assurance level A, B or C. For these devices a certification plan is identified, as well as validation processes, verification processes, traceability, configuration management, and tool assessment and qualification. The availability of documents is also specified.

Practical experience

From TRW Aeronautical Systems came a review of many aspects, including the design of an ASIC. The work reviewed ED-80, applied knowledge and background from the earlier ED-12 (RTCA DO-178), produced top level plans and a structure running from concept to qualification of the ASIC in an electronic unit, and produced a document set showing compliance with the hardware development certification plan.

Plans and internal procedures are structured in line with ED-80. Top level plans have been generated, including a Hardware Plan for Certification, a Quality Assurance and Configuration Management Plan, and a Verification Plan. The first of these includes a project overview, the design life cycle, life cycle data and the project schedule. The second encompasses project management, design and development, and purchasing, while the Verification Plan deals with requirements verification, design verification, implementation verification, and safety and reliability analysis. A complete design cycle is thus obtained and documented.

A System Example was given by Raytheon Systems UK, and provided details of the application of ED-80 to the integration of an IFF system onto multiple platform types. Raytheon Systems is the prime contractor for the provision of the next generation of Identification Friend or Foe (IFF) equipment for many applications. ED-80 identifies a process that may be used to order the flow of activities required to meet the goal of the programme, with respect to the design assurance of the hardware items (Figure 2). The system discussed has been allocated a Functional Failure Path (FFP) Design Assurance Level of Level C. The system architecture is illustrated, based around the Raytheon IFF 800. The transponder unit is housed in a 4 MCU enclosure and contains system components to provide full antenna diversity operation, upper and lower antennas being provided by the airframe. Transponder operation is provided in Modes 1, 2, 3 and 4, with a built-in upgrade path to Mode 5 capability; civil ATC Modes A, C and S are also provided.

Existing protocols are used to the full, which in most cases requires that the aircraft Design Authority obtain a recommendation for Military Aircraft Release (MAR) from QinetiQ, Boscombe Down. Three primary LRUs combine to form a single channel of the most complex system, as shown in the diagram. The Transponder Unit and Control and Display Unit (CDU) have been developed from existing equipment by the addition of interfaces, including that for TCAS; the system can thus be used for aircraft with and without TCAS. The Data Acquisition Unit (DAU) is a development of an existing air data unit approved for Reduced Vertical Separation Minima (RVSM) use.

A configurable system integration rig is being constructed that is able to simulate all aircraft interfaces in both static and dynamic modes of operation. System qualification will be achieved by dedicated, purpose-designed tools in the normal manner. The systems integration rig comprises a transponder and TCAS rig and a DAU test rig. The latter can accommodate two DAUs and their monitoring and control functions. Simulation is by means of a dynamic air data test set.

The validation process requires that all requirements are correct and complete. Activities include hazard analysis, with system safety considered at two levels. Human factors assurance also exists at the equipment and installed system levels. Design assurance at aircraft level will utilise the work performed at equipment level to support the safety case built around the aircraft detailed design. All work that will be performed to obtain final certification will be documented in the System Certification Plan.

Figure 2

The military aspect

The Safety Case Approach from the military aspect was described by QinetiQ, beginning with the concept. Safety cases can be seen as a reflection of the MOD exercising its duty of care. Some differences from the civil approach are that the UK's military target is about catastrophic loss; safety requirements for each system are not predetermined; and the system architecture is not predetermined. Accounting for the system, environment and human raises several issues: the likelihood of a system malfunction propagating to the next level, associated with system malfunction, adverse conditions and human inability. The concept of "safety critical" is another important topic.

If it is shown that system integrity is relied upon to achieve the desired safety target, as distinct from placing reliance on the human element or on the conditions (or perhaps on avoiding certain conditions), then that system is deemed to be safety critical. Some current tools include whole aircraft safety models, good structuring notation (this is being extensively pursued) and the use of civil certification evidence. Overall, there are many benefits of using safety cases. They help focus effort on the things that matter. Customers can avoid specifying what can and should be left to the designer. Safety cases support "through-life" decision making. Safety cases are of particular value in understanding the safety interdependencies in systems-of-systems; unmanned air vehicles and their command, control and data link systems, and their interaction with other airspace users and Air Traffic Control, represent a prime example.
