Most of us have heard an aviation safety demonstration – a short speech that reminds us to buckle up seat belts, locate emergency exits, and put personal electronics in airplane mode. While all of these safety measures are important, the onerous task of turning off electronics is perhaps one of the most critical as it protects against interference from aircraft technology or equipment malfunction.
Putting our tablets in airplane mode is relatively straightforward, but it raises an interesting question: if a simple cell phone can cause interference, can vital aviation technology malfunction just as easily? After all, a blue screen on our laptops can disrupt our work day, but a pilot’s computer that crashes or turns off in mid-flight is a scary proposition.
This is precisely why the electronics operating critical aviation applications, such as autopilot, air navigation and ground communications, must prove airworthiness. Unlike cell phones, which can be put into airplane mode with the swipe of a finger, these electronic devices go through a comprehensive safety certification process that proves they meet the highest levels of reliability.
Design Assurance Level Classification (DAL)
A safety-critical system is one whose failure can result in death, serious injury, property damage, or degradation of the mission.* Each system is assigned a Design Assurance Level (DAL) based on the impact it can have in the event of a failure. For example, a computer that lowers the landing gear might be classified as DAL-A because its failure will result in a crash, but a computer that displays secondary symbology might be DAL-C.
Each DAL corresponds to the probability of an error in a system – for DAL-A, the probability of a system design error is one in a billion.
Determinism and information assurance
Safety-critical systems are deterministic: they must perform correctly over and over again under multiple operating conditions, without any unforeseen anomalies.
One of the ways design engineers achieve this is to design the hardware in a simple but highly available way that minimizes application interactions through shared system memory, I/O, and other resources. Such interactions create interference paths that can delay critical aircraft functions, resulting in non-deterministic and dangerous behavior.
For example, a mission computer hosting a DAL-A landing-gear function and DAL-C communications must allocate independent computing resources to each function and provide redundant paths, so that the landing gear is lowered deterministically, correctly and on time even if communications are malfunctioning or operating at maximum capacity.
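The point about independent resources can be made concrete with a small worst-case latency calculation. The following Python is an added illustration, not code from the article or from Mercury; it assumes a fixed-window (time-partitioned) schedule of the kind avionics RTOSs provide, and every number in it (frame length, execution times, the 10 ms deadline) is constructed for the example. It compares the worst-case response time of the landing-gear job when each function owns a dedicated time window against the same job on a shared first-come-first-served processor, with communications either idle or saturating its link.

```python
"""Worst-case response time of a DAL-A job under two resource models.

Constructed illustration: a time-partitioned schedule (each function owns a
fixed window in every major frame) versus a shared FIFO processor where a
busy DAL-C partition can delay the DAL-A job.  All figures are made up.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Workload:
    name: str
    dal: str
    exec_us: int    # worst-case execution time of one job
    period_us: int  # release period of the job


MAJOR_FRAME_US = 10_000   # one scheduling cycle (constructed)
GEAR_DEADLINE_US = 10_000  # landing-gear command must complete within this (constructed)

LANDING_GEAR = Workload("landing_gear", "DAL-A", exec_us=400, period_us=MAJOR_FRAME_US)
COMMS_IDLE = Workload("comms", "DAL-C", exec_us=100, period_us=1_000)
COMMS_BUSY = Workload("comms", "DAL-C", exec_us=1_000, period_us=1_000)  # link saturated

# Static windows: name -> (offset within frame, length), hypothetical layout.
WINDOWS = {"landing_gear": (0, 1_000), "comms": (1_000, 9_000)}


def validate_schedule(windows, frame_us=MAJOR_FRAME_US):
    """Windows must be disjoint and fit inside the frame: that is what makes
    them independent resources rather than a shared one."""
    end = 0
    for offset, length in sorted(windows.values()):
        if offset < end:
            return False
        end = offset + length
    return end <= frame_us


def partitioned_worst_case(critical, windows, frame_us=MAJOR_FRAME_US):
    """Worst case under time partitioning: the job is released just after its
    own window closes, waits one frame minus its window, then runs inside the
    window.  No term depends on what other partitions are doing."""
    _offset, length = windows[critical.name]
    if critical.exec_us > length:
        raise ValueError("window does not cover the job's WCET")
    return (frame_us - length) + critical.exec_us


def shared_worst_case(critical, others, frame_us=MAJOR_FRAME_US):
    """Worst case on a shared FIFO processor: the critical job lands behind
    every job the other workloads can release within one frame (queue
    bounded to one frame's demand for simplicity), then runs."""
    queued = sum(o.exec_us * (frame_us // o.period_us) for o in others)
    return queued + critical.exec_us


def meets_deadline(response_us, deadline_us=GEAR_DEADLINE_US):
    return response_us <= deadline_us


def compare(comms):
    """Return both worst-case response times for the landing-gear job with the
    given communications workload running alongside it."""
    return {
        "partitioned_us": partitioned_worst_case(LANDING_GEAR, WINDOWS),
        "shared_us": shared_worst_case(LANDING_GEAR, [comms]),
    }


if __name__ == "__main__":
    assert validate_schedule(WINDOWS)
    for comms in (COMMS_IDLE, COMMS_BUSY):
        r = compare(comms)
        print(f"comms exec {comms.exec_us:>5} us/job: "
              f"partitioned {r['partitioned_us']} us "
              f"(ok={meets_deadline(r['partitioned_us'])}), "
              f"shared {r['shared_us']} us "
              f"(ok={meets_deadline(r['shared_us'])})")
```

With the constructed numbers the partitioned bound stays at 9,400 µs whether communications is idle or saturated, because the communications workload never appears in the formula; on the shared processor the bound grows from 1,400 µs to 10,400 µs and the landing-gear deadline is missed exactly when the other function is at maximum capacity. The shared model's best case looks better, which is why a figure such as average latency is no substitute for the worst-case bound a certification artifact has to demonstrate.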
Technological collaboration to build artifacts
To achieve certification, system developers must submit detailed documentation, or “artifacts,” that demonstrate the system and its individual components are free from design errors. Thus, the artifacts for a safety-critical mission computer must characterize the performance, behavior, and mitigation of silicon components such as the FPGA and CPU against all potential failure conditions.
When a developer builds a safety-critical subsystem with commercial silicon, collecting the necessary design information is difficult because silicon vendors may consider it proprietary. For example, processor manufacturers may withhold details about how the shared cache of a multi-core processor works, even though cache behavior has a significant impact on application performance.
Table 1: Undesirable Processor Mechanisms Affecting Time Determinism **
Therefore, system developers need to work with commercial off-the-shelf (COTS) silicon engineers to understand the processor behaviors and mechanisms that affect determinism. This technological relationship facilitates the creation of comprehensive artifacts that ensure successful certification and accelerate time to market. After all, it was through close collaboration with Intel and major Real-Time Operating System (RTOS) partners that Mercury launched the first certifiable Intel® Core™ i7 single-board computer with the latest generation processor.
“Airplane Mode” electronics
The Radio Technical Commission for Aeronautics (RTCA) defines the processes required to create DO-254 (hardware) and DO-178C (software) artifacts. Since certification takes place at the platform level, system integrators look to board and subsystem developers who provide DO-254 and DO-178C artifacts with their solutions and support integrators throughout the certification process.
If questions and concerns arise during certification, integrators may need to add artifacts and look to developers and their technology partners for additional information, input, and advice. In conclusion, meticulous design engineers, safety experts and technology partners prepare the flight electronics for “airplane mode,” and certification clears them for take-off.
* Definition taken from the NIST glossary
** Table from the Intel solutions summary “Airworthiness of systems using Intel Multi-Core processors”