With the FAA and EASA adopting aviation standards such as DO-178C and ARP4754A,
UAV software developers should familiarize themselves with these standards,
particularly when transitioning to model-based design.
Few applications place more importance on verification, or prescribe more process guidance, than aviation. The FAA and its European equivalent, EASA, provide guidance using standards such as ARP4754 for aircraft systems and DO-178B for flight software. These standards are often used outside of civil aviation, in whole or in part, for applications including military aircraft and land vehicles. Adoption for UAV programs is rapidly growing because of the FAA’s recent decision to require UAS and OPA certification via FAA Order 8130.34A. UAV systems are heterogeneous, and not restricted just to flight software. Therefore, other standards are used such as DO-254 for hardware and DO-278 for ground and space software.
With model-based design, UAV engineers develop and simulate system models comprised of hardware and software using block diagrams and state charts, as shown in Figures 1 and 2. They then automatically generate, deploy, and verify code on their embedded systems. With textual computation languages and block diagram model tools, one can generate code in C, C++, Verilog, and VHDL languages, enabling implementation on MCU, DSP[], FPGA[], and ASIC hardware. This lets system, software, and hardware engineers collaborate using the same tools and environment to develop, implement, and verify systems. Given their auto-nomous nature, UAV systems heavily employ closed-loop controls, making system modeling and closed-loop simulation, as shown in Figures 1 and 2, a natural fit.
ARP4754A addresses the complete aircraft development cycle from requirements to integration through verification for three levels of abstraction: aircraft, systems, and item. An item is defined as a hardware or software element having bounded and well defined interfaces. According to the standard, aircraft requirements are allocated to system requirements, which are then allocated to item requirements.
The fact that ARP4754A addresses allocation of system requirements to hardware and software components is significant to UAV developers, especially suppliers. Some suppliers might have claimed that UAV subsystem development was beyond the scope of the original ARP4754, even for complex subsystems containing hardware and software, but not anymore. ARP4754A also more clearly refers to DO-178 and DO-254 for item design. In fact, the introductory notes for ARP4754A acknowledge that its working groups coordinated with RTCA special committees to ensure that the terminology and approach being used are consistent with those being developed for the DO-178B update [DO-178C].
Given the high coupling among systems, hardware, and software for UAVs, it is helpful that the governing standards now clarify relationships between systems and hardware/software subsystems.
ARP4754A recommends the use of modeling and simulation for several process-integral activities involving requirements capture and requirements validation.
ARP4754A Table 6 recommends (R) analysis, modeling and simulation (tests) for validating requirements at the highest Development Assurance Levels (A and B). For Level C, modeling is listed as one of several recommendations. While ARP4754 made similar recommendations, ARP4754A provides more insight and states that a representative environment model, such as the plant model shown in Figure 1, is an essential part of a system model.
Also noted in ARP4754A is that a graphical representation or model can be used to capture system requirements. The standard now notes that a model can be reused for software and hardware design.
If engineers use models to capture requirements, ARP4754A recommends engineers consider the following:
1. Identify the use of models/modeling
2. Identify the intended tools and their usage during development
3. Define modeling standards and libraries
When using model-based design with ARP4754A and DO-178C, additional verification capabilities are often needed beyond in-the-loop testing described in Table 2. These including requirement tracing, model standard checking, model-to-code structural equivalence checking, and robustness analysis using formal methods. For UAVs, rigorous verification that includes multiple verification technologies is paramount given their autonomous nature and system complexity.
DO-178C
Not surprisingly, one of the first changes new in DO-178C is an explicit mention of ARP4754A in Section 2: System life-cycle processes can be found in other industry documents (for example, SAE ARP4754A).
Clarification updates aside, such as the one noted earlier, DO-178C does not differ significantly from DO-178B, at least at first glance. In fact, a casual reader might miss an item mentioned in Section 1.4: How to Use this Document: One or more supplements to this document exist and extend the guidance in this document to a specific technique… if a supplement exists for a specific technique, the supplement should be used …
In other words, the standard’s big changes are captured in the supplemental documents, such as RTCA DO-331, Model-Based Development and Verification Supplement to DO-178C and DO-278A.
Pertinent to this discussion, a long-standing issue with DO-178B for practitioners of model-based design is the uncertainty in mapping DO-178B objectives to model-based design artifacts. Addressing this mapping was a main goal of the DO-178C Sub-Group (SG-4) focused on model-based design. No single mapping sufficed, so several mappings are provided in DO-331. Some include the concept of a Specification model, which is a model separate from that of the one used for design and code generation. The other concept is a Design model, which serves as the detailed requirements used to generate code.
refer to:
http://mil-embedded.com/articles/transitioning-do-178c-arp4754a-uav-using-model-based-design/
Few applications place more importance on verification, or prescribe more process guidance, than aviation. The FAA and its European equivalent, EASA, provide guidance using standards such as ARP4754 for aircraft systems and DO-178B for flight software. These standards are often used outside of civil aviation, in whole or in part, for applications including military aircraft and land vehicles. Adoption for UAV programs is rapidly growing because of the FAA’s recent decision to require UAS and OPA certification via FAA Order 8130.34A. UAV systems are heterogeneous, and not restricted just to flight software. Therefore, other standards are used such as DO-254 for hardware and DO-278 for ground and space software.
With model-based design, UAV engineers develop and simulate system models comprised of hardware and software using block diagrams and state charts, as shown in Figures 1 and 2. They then automatically generate, deploy, and verify code on their embedded systems. With textual computation languages and block diagram model tools, one can generate code in C, C++, Verilog, and VHDL languages, enabling implementation on MCU, DSP[], FPGA[], and ASIC hardware. This lets system, software, and hardware engineers collaborate using the same tools and environment to develop, implement, and verify systems. Given their auto-nomous nature, UAV systems heavily employ closed-loop controls, making system modeling and closed-loop simulation, as shown in Figures 1 and 2, a natural fit.
ARP4754A addresses the complete aircraft development cycle from requirements to integration through verification for three levels of abstraction: aircraft, systems, and item. An item is defined as a hardware or software element having bounded and well defined interfaces. According to the standard, aircraft requirements are allocated to system requirements, which are then allocated to item requirements.
The fact that ARP4754A addresses allocation of system requirements to hardware and software components is significant to UAV developers, especially suppliers. Some suppliers might have claimed that UAV subsystem development was beyond the scope of the original ARP4754, even for complex subsystems containing hardware and software, but not anymore. ARP4754A also more clearly refers to DO-178 and DO-254 for item design. In fact, the introductory notes for ARP4754A acknowledge that its working groups coordinated with RTCA special committees to ensure that the terminology and approach being used are consistent with those being developed for the DO-178B update [DO-178C].
Given the high coupling among systems, hardware, and software for UAVs, it is helpful that the governing standards now clarify relationships between systems and hardware/software subsystems.
ARP4754A recommends the use of modeling and simulation for several process-integral activities involving requirements capture and requirements validation.
ARP4754A Table 6 recommends (R) analysis, modeling and simulation (tests) for validating requirements at the highest Development Assurance Levels (A and B). For Level C, modeling is listed as one of several recommendations. While ARP4754 made similar recommendations, ARP4754A provides more insight and states that a representative environment model, such as the plant model shown in Figure 1, is an essential part of a system model.
Also noted in ARP4754A is that a graphical representation or model can be used to capture system requirements. The standard now notes that a model can be reused for software and hardware design.
If engineers use models to capture requirements, ARP4754A recommends engineers consider the following:
1. Identify the use of models/modeling
2. Identify the intended tools and their usage during development
3. Define modeling standards and libraries
When using model-based design with ARP4754A and DO-178C, additional verification capabilities are often needed beyond in-the-loop testing described in Table 2. These including requirement tracing, model standard checking, model-to-code structural equivalence checking, and robustness analysis using formal methods. For UAVs, rigorous verification that includes multiple verification technologies is paramount given their autonomous nature and system complexity.
DO-178C
Not surprisingly, one of the first changes new in DO-178C is an explicit mention of ARP4754A in Section 2: System life-cycle processes can be found in other industry documents (for example, SAE ARP4754A).
Clarification updates aside, such as the one noted earlier, DO-178C does not differ significantly from DO-178B, at least at first glance. In fact, a casual reader might miss an item mentioned in Section 1.4: How to Use this Document: One or more supplements to this document exist and extend the guidance in this document to a specific technique… if a supplement exists for a specific technique, the supplement should be used …
In other words, the standard’s big changes are captured in the supplemental documents, such as RTCA DO-331, Model-Based Development and Verification Supplement to DO-178C and DO-278A.
Pertinent to this discussion, a long-standing issue with DO-178B for practitioners of model-based design is the uncertainty in mapping DO-178B objectives to model-based design artifacts. Addressing this mapping was a main goal of the DO-178C Sub-Group (SG-4) focused on model-based design. No single mapping sufficed, so several mappings are provided in DO-331. Some include the concept of a Specification model, which is a model separate from that of the one used for design and code generation. The other concept is a Design model, which serves as the detailed requirements used to generate code.
refer to:
http://mil-embedded.com/articles/transitioning-do-178c-arp4754a-uav-using-model-based-design/
沒有留言:
張貼留言