En Sci 176 04

Integrated Modular Avionics
Development Guidance and Certification Considerations
René L.C. Eveleens

National Aerospace Laboratory NLR
P.O. Box 90502
1006BM Amsterdam
Netherlands
[email protected]
ABSTRACT
From 2001 to 2005 a working group within the European Organisation for Civil Aviation Equipment
(EUROCAE) has been working on the definition of development guidance and certification considerations
for Integrated Modular Avionics. This paper explains the standardised terminology, the concept of
incremental acceptance, the certification tasks and associated certification data and the many objectives
defined in this guidance document, which will be published in 2006 as ED-124.
1.0 INTRODUCTION
The use of Integrated Modular Avionics (IMA) is rapidly expanding and is found in all classes of aircraft.
In recognition of this rapid growth RTCA established Special Committee 200 (SC-200) and EUROCAE
established Working Group 60 (WG-60) to jointly develop a document that could be used as guidance in
the design, development and application of IMA. This paper explains the background of this document,
introduced the terminology and processes required for a smooth certification process of IMA.
2.0 BACKGROUND
At the start of this century, within the avionics industry it was felt that there was a urgent need for
guidance on development processes and certification issues for modular avionics. The modular avionics
technology had come to a maturity level and industry was now ready to bring products to the market.
Biggest challenge within this area is that modular avionics is a composition of building blocks, preferably
supplied by different companies in the supply chain. Each supplier is supposed to bring its part to a certain
level of qualification, and after this a system integrator can use these “pre-qualified” part in the overall
certification process.
To face this challenge EUROCAE founded a working group (number 60) in September 2001, which was
tasked to define this guidance. Later, in November 2002, there was a merge with an RTCA steering
committee (number 200). The mission of this joint working group was to “propose, document and deliver
means to support the certification (or approval) of modular avionics, systems integration, and hosted
applications, including considerations for installation and continued airworthiness in all categories and
classes of aircraft”.
Besides this mission, the term of reference for both WG60 and SC200 stated that the group would define
key characteristics of modular avionics, define specific issues in regulatory materials and practices, aims
Eveleens, R.L.C. (2006) Integrated Modular Avionics Development Guidance and Certification Considerations. In Mission Systems
Engineering (pp. 4-1 – 4-18). Educational Notes RTO-EN-SCI-176, Paper 4. Neuilly-sur-Seine, France: RTO. Available from:
http://www.rto.nato.int.
RTO-EN-SCI-176 4-1
for stand-alone approval of individual building blocks, assure the re-use of accepted process, data,
product, etc., tackle safety and performance issues, involve certification authorities and support TSO, AC,
ACJ production, and have a close working relationship with other groups.
During its existence the group has had a wide participation from industry (both avionics industry and
aircraft integrators), certification authorities and research establishments. The final document was
delivered end of 2005. RTCA has issued the document as DO-297. EUROCAE is planning to issue the
document in 2006 as ED-124.
3.0 IMA TERMINOLOGY

Before entering the details of development and certification processes it is important to define a common
set of terminology to be use with respect to integrated modular avionics.
Application 1 Application N
Component
Component Component
(Application Specific
(Software) (Software)
Hardware)
Avionics Function Specific
General Purpose
Platform
(Module)
Module Shared
Resources
Module Module Module
Component Component Component Component

Component Component
(Hardware (Hardware (Hardware (Hardware
or Software) or Software) or Software) or Software)
Figure 1: IMA terminology
The design terminology as depicted in Figure 1 [1] defines a clear distinction between IMA elements that
are general purpose and those that are specific to the avionics function. When focussing on the general
purpose elements there is a top-level definition for what is called a platform. In fact a platform can consist
of one or more modules which can be hardware or software components. Another specific property of a
platform is the fact that it has core software inside and that it can host the IMA applications.
Another important term that needs to be introduced and defined is “acceptance”. Within the context of
IMA this is defined as [1]: “Acknowledgement by the certification authority that the module, application,
or system complies with its defined requirements. Acceptance is recognition by the certification authority
(typically in the form of a letter or stamped data sheet) signifying that the submission of data, justification,
or claim of equivalence satisfies applicable guidance or requirements. The goal of acceptance is to
achieve credit for future use in a certification project.” The IMA building block (i.e. platform or module),
4-2 RTO-EN-SCI-176
together with the certification data that has received this acceptance, can now be used in an incremental
way, building up and integrating the IMA architecture. This process is called incremental acceptance.
Finally, this incremental acceptance will facilitate the certification process.
4.0 INTEGRATION AND ACCEPTANCE

The development process and the certification process of IMA are very much correlated. Starting from
scratch, the development process will follow a traditional V-model approach. However, ideally the
development of the platform and the hosted applications is performed in parallel, which in fact forms a
double-V-model. One must keep in mind that the applications can never receive stand-alone acceptance
without a reference platform. Therefore, the integration steps (i.e. the upward leg of both V-models) are
strongly connected, and therefore this process is better known as W-model.
Task 1
Platform
Module Module
Task 3 Task 4
IMA System Aircraft
(off aircraft) Integration
Task 2
Application
Application
Application
Application Specific
Hardware
Task 5 / Task 6
Figure 2: Certification tasks
For each integration step a certification task can be defined, as depicted in Figure 2 [1]. Starting at the
lowest level (bottom of the V) the process starts with the integration of components and modules into a
platform. The certification task performed here is the platform or module acceptance. Once one
application gets integrated onto the platform it will result in an application acceptance. IMA acceptance is
achieved when integrating multiple applications with the platform and with one another. Then the aircraft
integration task is performed when integrating the IMA system within the aircraft and with the other
aircraft systems. Finally, changing the IMA system or re-using the installation in another aircraft are
special cases within the acceptance process.
5.0 CERTIFICATION DATA

The different certification tasks need to accepted by the certification authorities. In order to streamline this
process a pre-defined set of certification data is defined. This set is strongly correlated to the know
processes for defined in earlier RTCA/EUROCAE documents, for example DO-178/ED-12 [2] and DO-
254/ED-80 [3].
RTO-EN-SCI-176 4-3
Aircraft-Level IMA
Certification Plan and V&V Plan
System-Level IMA
Application
Application
Application
PSACs
PSACs
PSACs / Module Module
PHACs Acceptance Acceptance
Plan #1 Plan #n
PSACs
PSACs PHACs
PHACs EQPs
EQPs PSACs
PSACs PHACs
PHACs EQPs
EQPs
PSACs PHACs EQPs PSACs PHACs EQPs
Figure 3: IMA planning data
Figure 3 [1]shows how the planning data is related within the IMA certification process. Starting at the
top-level, the Aircraft-Level IMA certification plan and verification and validation (V&V) plan should
describe how the process will be performed. The lower level document fit within this scheme. At the
bottom level there are the traditional plans for software/hardware aspects of certification (PSAC/PHAC)
together with the environmental qualification plans (EQP). The same document trees are defined for
requirements data and compliance data.
6.0 CONCLUSIONS
Integrated Modular Avionics technology has introduced the possibility to fragment the certification
process into several steps, which is called incremental acceptance. The incremental process will benefit
from a common understanding and common approach to IMA development and certification. The
document recently published by RTCA and shortly to be published by EUROCAE has a wide acceptance
of both industry and certification authorities. The document provides guidance on a common development
process and defines the related certification tasks. It is strongly recommended to use this guidance in
future IMA projects.
4-4 RTO-EN-SCI-176
7.0 REFERENCES
[1] RTCA DO-297 / EUROCAE ED-124 (to be issued), Integrated Modular Avionics (IMA)
[2] RTCA DO-178 / EUROCAE ED-12, Software Considerations in Airborne Systems and Equipment
Certification.
[3] RTCA DO-254 / EUROCAE ED-80, Design Assurance Guidance for Airborne Electronic Hardware
RTO-EN-SCI-176 4-5
ANNEX: PRESENTATION SLIDES

René L.C. Eveleens

National Aerospace Laboratory NLR
P.O. Box 90502
1006BM Amsterdam
RTO SCI LS-176: “Mission System Engineering”

November 2006
Overview
IMA Certification Guidance
introduction to avionics certification processes
certification guidance
EUROCAE WG60 background
the definition of IMA
goal of the guidance document
the concept of "incremental acceptance"
IMA certification guidance document
conclusion
IMA development guidance and certification considerations Nov2006 2
4-6 RTO-EN-SCI-176
Introduction
System verification (1/2)
differences / similarities with “normal testing”?

z main difference
certification by an independent third party:
certification authority
z other differences / similarities basically depend on your

development and testing maturity...
z no requirements means: testing in the dark!

Introduction
System verification (2/2)
verification according to RTCA DO-178

z “… the evaluation of the results of a process to ensure
correctness and consistency with respect to the inputs
and standards to that process.”
testing according to RTCA DO-178

z ”… the process of exercising a system or system
component to verify that it satisfies specified
requirements and to detect errors.”
but
z testing cannot show the absence of errors
z therefore extensive verification effort required
– requirements analysis and traceability
– consistent documentation
RTO-EN-SCI-176 4-7
Introduction
Certification processes
• Certification Coordination
Safety
Safety Assessment
Assessment • Safety Assessment
Supporting Processes
[SAE
[SAE ARP
ARP 4761]
4761] • Requirements Validation
• Implementation verification
• Configuration Management
Function, • Process Assurance
INTENDED Failure
AIRCRAFT System Design
and Safety
FUNCTION Information Hardware
Development Life-Cycle
Functional [RTCA DO-254]
Avionics System System Avionics System
Development Processes
Integration and Test
[SAE ARP4754]
Software
Development Life-Cycle
Functions and [RTCA DO178B]
requirements
Qualification
Avionics/Electronics
Integrity Program
CERTIFICATION GUIDANCE THROUGH:

SAE ARP 4754 Certification considerations for highly-integrated or complex aircraft systems MIL-HDBK-87244 (USAF) Avionics/Electronics Integrity
SAE ARP 4761 Safety Assessment Process Guidelines & Methods • Concept Exploration
• Demonstration/Validation
RTCA DO-178B Software Considerations in Airborne Systems and Equipment Certification
• Engineering/Manufacturing Development
RTCA DO-254 EUROCAE ED-80 Design Assurance Guidance for Airborne Electronic Hardware • Production
RTCA DO-160D Environmental Test Specifications • Operation & Support

Certification guidance
DO-178B overview: introduction
Not a development standard: a guideline for

certification
Emphasis on requirements-based development
Emphasis on verification/testing
Based on a system safety assessment, software is

assigned a safety criticality level
Safety according to DO-178B: increasing

verification/testing effort with increasing software
levels
4-8 RTO-EN-SCI-176
Software criticality levels
Software Aircraft level Meaning

Level Criticality
A Catastrophic Aircraft destroyed,
Many fatalities
B Hazardous Damage to aircraft,
Crew overextended,
Occupants hurt, some fatal
C Major Large reduction in safety
margins, occupants injury
D Minor Little effect on operation of
aircraft and crew
workload
E No effect No effect on operation
of aircraft or crew
workload

Life cycle processes
Software planning process (1 table with process

objectives and outputs by software level)
Software development processes (1 table)
Software verification processes (5 tables) [next slide]
Software configuration management process (1

table)
Software quality assurance process (1 table)
Certification liaison process (1 table)
RTO-EN-SCI-176 4-9
Objective tables (example)

Software Lifecycle Data Items
Plan for Sw Aspects of Cert. (PSAC)
Software Dev. Plan Executable Object Code
Software Ver. Plan Software Ver Cases and Procs
Software CM Plan Software Verification Results
Software QA Plan Software LifeCycle Environment
Software Rqmts Stnds Configuration Index
Software Design Stnds Software Configuration Index
Software Code Stnds Problem Reports
Software Rqmts Data Software CM Records
Design Description Software Quality Assurance Records
Source Code SW Accomplishments Summary
4 - 10 RTO-EN-SCI-176
The DO-178B verification/testing process:
(global) specification
Level E: no activities (DO-178B not applicable)
Level D: test coverage of high-level requirements
Level C: level D +
z test coverage of low-level requirements +
z structural coverage: 100 % statement coverage
Level B: level C +
z structural coverage: 100 % decision coverage
Level A: level B +
z structural coverage: 100 % modified condition/decision
coverage, based on object code

IMA guidance
WG60/SC200 background
- facts
EUROCAE WG60 (start: Sept 2001)
title: “Integrated Modular Avionics” (IMA)
joined with RTCA SC-200 (Nov 2002)
chairmen and secretaries

z WG60 co-chair: René Eveleens (NLR)
z WG60 co-secretary: David Brown (Airbus UK)
z SC200 co-chair: Cary Spitzer (Avionicon)
z SC200 co-secretary: John Lewis (FAA)
RTO-EN-SCI-176 4 - 11
IMA guidance
- mission
propose, document and deliver means to support the

certification (or approval) of modular avionics,
systems integration, and hosted applications,
including considerations for installation and
continued airworthiness in all categories and classes
of aircraft

IMA guidance
- terms of reference
modular avionics
z define key characteristics
z specific issues in regulatory materials and practices
z stand-alone approval
z re-use of accepted process, data, product, etc.
z safety and performance issues
z involvement of certification authorities
z support TSO, AC, ACJ production
z close working relationship with other groups
other topics
z fault management and health monitoring, safety,
environmental qualification, configuration management,
development assurance, incremental qualification,
single-event-upset, electrical systems, etc.
4 - 12 RTO-EN-SCI-176
IMA guidance
- participants
wide participation
z industry (avionics and aircraft integrators)
z certification authorities
z research establishments
overview of companies involved

z FAA, CAA, DGAC, Airbus, Boeing, Honeywell, NASA,
ARINC, Thales, Rockwell Collins, Diehl, Smiths
Aerospace, Transport Canada, BAE Systems, NLR,
TTTech, Pilatus etc.

IMA guidance
- status
IMA development guidance

and certification considerations
z RTCA issued DO-297
z EUROCAE planned to issue ED-124
RTO-EN-SCI-176 4 - 13
IMA guidance
- terminology
Application 1 Application N
Component
Component Component
(Application Specific
Hardware)
Avionics Function Specific
General Purpose
Platform
(Module)
Module Shared
Resources
Module Module Module
Component Component Component Component

Component Component
(Hardware (Hardware (Hardware (Hardware
or Software) or Software) or Software) or Software)

IMA guidance

- periphery
goal
z availability
z integrity
z safety
z health monitoring and fault management
z composability
stakeholders
z certification authorities
z certification applicant
z IMA system integrator
z platform and module suppliers
z application suppliers
z maintenance organization
4 - 14 RTO-EN-SCI-176
IMA guidance
- characteristics
key characteristics
z platform and hosted applications
z shared resources
z robust partitioning
z application programming interface (API)
z health monitoring and fault management
Typical Hardware Typical Software
Modules Modules
Real Time Executive Common

Back Plane
Built-in Test Software
Power Supply
Common On-board
Hardware CPU & Memory Maintenance
System Protocol
Application
Data Bus I/O Processing Specific Software
Application Application
I/O
Specific Hardware

IMA guidance
goal of the guidance document
quote WG60/SC200 mission:
“support the certification (or approval) of modular

avionics, systems integration, and hosted
applications, including considerations for installation
and continued airworthiness in all categories and
classes of aircraft”
RTO-EN-SCI-176 4 - 15
IMA guidance
the concept of “incremental acceptance”
definition
z a process for obtaining credit toward approval and
certification by accepting or finding that an IMA module,
application, and/or off-aircraft IMA system complies with
specific requirements. Credit granted for individual tasks
contributes to the overall certification goal
Integration Activity Acceptance Tasks
Integrate components and/or Task 1 Module and/or platform

modules to form a platform acceptance
Integrate a single application with Task 2 Application acceptance

the platform (software and/or hardware)
Integrate m ultiple applications with Task 3 IMA system acceptance

the platform (s) and one another
Integrate IMA system with aircraft Task 4 Aircraft integration

and its systems
Identify changes and their impacts, Task 5 Change

and need for re-verification
Identify and use IMA components Task 6 Reuse

on other IMA system s and
installations

IMA guidance
IMA guidance document

- certification tasks
Task 1
Platform
Module Module
Task 3 Task 4
IMA System Aircraft
(off aircraft) Integration
Task 2
Application
Application
Application
Application Specific
Hardware
Task 5 / Task 6
4 - 16 RTO-EN-SCI-176
IMA guidance
- certification data
Aircraft-Level IMA
System-Level IMA
Application
Application
Application
PSACs
PSACs
PSACs / Module Module
PHACs Acceptance Acceptance
Plan #1 Plan #n
PSACs PHACs EQPs PSACs PHACs EQPs

PSACs
PSACs PHACs
PHACs EQPs
EQPs PSACs
PSACs PHACs
PHACs EQPs
EQPs

IMA guidance

- objective tables
example:
z IMA platform development process objectives
Life Cycle Data
Reference
Category
Control
Life Cycle Data

ID Objective Summary Doc ref
Description
1 Failure reporting process is 3.6 Aircraft Instructions for ICAW CC1

defined and in place to support Continued Airworthiness
continued airworthiness and/or IMA System
requirements for IMA system Certification Plan (or
components which may be used other lower level
in more that one IMA system. component’s plan)
RTO-EN-SCI-176 4 - 17
Conclusion
conclusion
IMA certification considerations

z document jointly prepared by RTCA / EUROCAE
z DO-297 / ED-124
z incremental acceptance
z guidance on
– definition of IMA
– design considerations
– certification tasks
z broad scope of stakeholders
z wide acceptance
– industry
– certification authorities
4 - 18 RTO-EN-SCI-176

En Sci 176 04

Uploaded by

Copyright:

Available Formats

En Sci 176 04

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

En Sci 176 04

Uploaded by

Copyright:

Available Formats

Integrated Modular Avionics

Development Guidance and Certification Considerations

René L.C. Eveleens

3.0 IMA TERMINOLOGY

Avionics Function Specific

Module Module Module

Component Component Component Component

Figure 1: IMA terminology

4.0 INTEGRATION AND ACCEPTANCE

Figure 2: Certification tasks

5.0 CERTIFICATION DATA

Figure 3: IMA planning data

ANNEX: PRESENTATION SLIDES

Integrated Modular Avionics

René L.C. Eveleens

RTO SCI LS-176: “Mission System Engineering”

IMA Certification Guidance

introduction to avionics certification processes

EUROCAE WG60 background

the definition of IMA

goal of the guidance document

the concept of "incremental acceptance"

IMA certification guidance document

IMA development guidance and certification considerations Nov2006 2

System verification (1/2)

differences / similarities with “normal testing”?

z other differences / similarities basically depend on your

z no requirements means: testing in the dark!

IMA development guidance and certification considerations Nov2006 3

System verification (2/2)

verification according to RTCA DO-178

testing according to RTCA DO-178

IMA development guidance and certification considerations Nov2006 4

CERTIFICATION GUIDANCE THROUGH:

IMA development guidance and certification considerations Nov2006 5

DO-178B overview: introduction

Not a development standard: a guideline for

Emphasis on requirements-based development

Based on a system safety assessment, software is

Safety according to DO-178B: increasing

IMA development guidance and certification considerations Nov2006 6

Software criticality levels

Software Aircraft level Meaning

IMA development guidance and certification considerations Nov2006 7

Life cycle processes

Software planning process (1 table with process

Software development processes (1 table)

Software verification processes (5 tables) [next slide]

Software configuration management process (1

Software quality assurance process (1 table)

Certification liaison process (1 table)

IMA development guidance and certification considerations Nov2006 8

Objective tables (example)

IMA development guidance and certification considerations Nov2006 9

Software Lifecycle Data Items

Plan for Sw Aspects of Cert. (PSAC)

Software Dev. Plan Executable Object Code

Software Ver. Plan Software Ver Cases and Procs

Software CM Plan Software Verification Results