National Workshop on Aviation Software Systems for The Second Century of Flight: Design for Certifiably Dependable Systems (HCSS-AS) Claire Tomlin (UCB/Stanford)


1 National Workshop on Aviation Software Systems for The Second Century of Flight: Design for Certifiably Dependable Systems (HCSS-AS)
Claire Tomlin (UCB/Stanford), John Hansman (MIT), Jonathan Sprinkle (UCB) (Co-chairs)
October 5-6, 2006, Alexandria VA

2 Welcome
The Federal Government recognizes that the rapidly increasing software and system complexity of aviation systems makes the development of high integrity, high confidence aviation software and systems crucial for the future of civilian and military aviation systems
67 registered participants
–28 from academia
–21 from industry
–18 from government
30 position papers
Sponsors:
–NSF (Helen Gill)
–NCO (Frankie King, Sally Howe)
–Federal Networking and Information Technology Research and Development (NITRD) Program High Confidence Software and Systems (HCSS) Coordinating Group (CG)
Supporting government agencies: FAA, NASA, AFRL, OSD

3 The Problem Statement
Software related issues are the “Achilles Heel” of modern aerospace system development
–low level programming, ad hoc approaches, stand-alone and static implementations, and little code re-use
–prolonged design schedules, excessive cost, dis-innovation, difficulty in maintenance, upgrades, and retrofits
–issue is exacerbated for critical systems where high integrity requirements yield certification challenges and barriers
–verification and validation is labor intensive and expensive
Exacerbated for critical systems with high integrity requirements
Current processes are inefficient and inadequate for future needs
–Increased functionality leads to added complexity
–Networked distributed systems
–reconfigurable, adaptive, mixed initiative
Academic community generally decoupled from practitioners
New approaches, understanding and breakthroughs required
Success would be a significant economic and opportunity stimulant
Issue recognized by many organizations but real progress has been slow

4 HCSS-AS Workshop Planning Meeting
November 9-10, 2005 at the University of Washington, Seattle
35 invited participants from academia, industry, and government
Goals of the Workshop Planning Meeting:
–Identify the key issue areas which will form the basis for the workshop
–Define the key players who should be included
–Define the current state of the art in software for critical aviation systems
–Lay out potential research programs
Talks and all other information available at:

5 Key Issues Identified
Certification Issues
–What should the certification criteria be?
–How do you certify non-deterministic or adaptive systems?
–Overlap between software and other parts of the system
–Security issues
Costs or Barriers to Innovation
–Design for certification
–Lifecycle issues, costs of upgrades, etc.
–Design for reuse
Methods
–Automated tools for V&V
–Experimental platforms
–Metrics
Systems Issues
–Human/software integration issues
–Hardware/software integration issues
–Integration with procedures/environment
Emergent Issues
–Adaptive, non-deterministic systems
Education

6 Application Domains
–Air Traffic Management (ATM)
–Unmanned Aerial Vehicles (UAVs)
–Flight control
–Command and Control (C&C)
–Communication, Navigation, and Surveillance (CNS) systems
–Aircraft and infrastructure integration

7 HCSS-AS Workshop
Overall Goal: Improve the design, certification, and operation of next generation avionics platforms, while maintaining strict levels of safety
Workshop goal:
–Bring together the practice community with the research community to define the intellectual agenda in software for critical aviation systems
  Define current state of the art
  Identify key issues and needs
  Identify promising research approaches
  Define educational needs and approaches

8 HCSS-AS Workshop: Education
Motivation:
“We need to understand a priori how the costs would get reduced if we invested in a better process for software design and certification.”
“What technologies, what metrics, need to be achieved to instill confidence in an automated function?”
Education:
What are the common abstractions that everyone in the domain should understand? (Logic, dynamics, control…)
It is hard to develop real-world scalable solutions without good examples, and it is hard to get good examples: how to recruit exemplars (sanitized) of “close to” real examples from industry?
Need a “science of flight critical systems assurance”

9 Overall Program
4 Keynote talks
–John Hansman
–Michael Leahy
–John Rushby
–Don Winter
5 Invited Talk Sessions
–Applications
–Certification and assessment
–Systems issues
–Education
–Methods
General discussion time
4 Working Groups
–Applications
–Certification and assessment
–Systems and crosscutting issues
–Methods
2 Breakout sessions:
–Thursday afternoon
–Friday morning and afternoon
Working group outbriefs:
–Friday 2-3pm

10 Questions to Participants
For working group breakout sessions, participants are asked to consider each of the following four questions:
–What are the top three lessons learned/technology in this area of X?
–What are the top three needs that have not been met?
–What are the top three research topics/challenges (with timelines) being/should be pursued in your domain of expertise related to X?
–What are the top three challenges (with timelines) in the area of X (including outside your domain of expertise)?
There will be a leader and scribe assigned to each working group
Working group deliverables:
–By Friday 2pm, the working groups will provide an annotated PowerPoint of the working group discussion.

11 Working group outbriefs and written report
Problem statement
Summary of state of the art
R&D challenges
Prioritized list of IT research needs
Roadmap for the next 5 and 10 years

12 Deliverables of the Workshop
Immediately after the workshop, the HCSS-AS website will have
–Copies of the presentation slides
–Audio clips of (some of) the talks
First draft of WG summaries: November 2006
Final draft of WG summaries: January 2007
First draft executive summary: February 2007
Final report: April 2007

13 Today’s schedule
Keynote address: John Hansman
Morning:
–Applications session
–Discussion
Keynote address: Michael Leahy
Afternoon:
–Certification and assessment
–Systems issues
–Education
Working groups
6pm: Reception

14 Backups

15 System Development and Certification
[Figure labels: System Certification; System and Software Testing; Design/Implementation; Requirements Development; Model V&V; Control Power V&V; Control Law V&V; Functional V&V; Software V&V; Unit/Component Test; Hardware/Software Integration (HSI); Hardware V&V; Qualification Test (Safety of Flight); Aircraft Integration; System V&V; Standalone (Static); Integrated (Dynamic); Failure Modes and Effects Test (FMET)]
[Source: Jim Buffington, LM Aero]

16 FAA regulatory standard: RTCA DO-178B
FAA standard (1992): RTCA DO-178B (Eurocae standard ED-12B) “Software Considerations in Airborne Systems and Equipment Certification”
“Process-based” certification
Interesting points:
–Certification applies to the end product (i.e. airframe), incl. all systems
–Applies to a given application of a given product (other applications of the same product require further certification)
–It requires that all code MUST be there as a direct result of a requirement
–It requires full testing of the system and all component parts (including the software) on the target platform and in the target environment
–Objectives-Based tables: “What, not how”
Criticality Categories (A,B,C,D) / Objectives Matrix
SOFTWARE CONSIDERATIONS IN AIRBORNE SYSTEMS AND EQUIPMENT CERTIFICATION, RTCA DOCUMENT NO. RTCA/DO-178B, December 1, 1992, Prepared by: SC-167 “Requirements and Technical Concepts for Aviation”
[sources: Jim Krodel, Pratt & Whitney,]

17 Issues Under Consideration for SC205 Sub-groups
Technology/Domains Under Consideration
–Formal Methods
–Model Based Design & Verification
  Model Verification and Level of Pedigree
  Certification of Proof by Models
–Software Tools
  And our reliance on them from a certification perspective
–Object Oriented Technology
–Comms-Nav-Sur/Air-Traffic-Management
[source: Jim Krodel, Pratt & Whitney]

18 Tools for modeling, design, and code generation
Designing safety critical control systems requires a seamless cooperation of tools:
–Modeling and design at the control level
–Development tools at the software level
–Implementation tools at the platform level
An example (from Paul Caspi’s group, Verimag, Grenoble) is a tool which combines:
Simulink: natural control design tool, yet lacks essential programming language features (typing, modularity, simple and clear semantics)
SCADE/Lustre: SCADE (Safety Critical Application Development Environment) based on the synchronous programming language Lustre
–Includes a DO 178B compliant automatic code generator
–Used in Airbus A340, A380
TTA (Time Triggered Architecture): distributed implementations built on a synchronous bus distributing to every computing unit a global fault tolerant clock
–Used in Boeing B777 fly-by-wire system
[Figure labels: Simulink, SCADE/Lustre, TTA]
