This paper first introduces DO-178B, the airworthiness certification standard for civil aircraft airborne software. It then introduces the airborne software of an air management system and its controller.
Taking the design-stage data produced during the development of this airborne software as an example, it describes the evaluation process for software design data and summarizes the key points and difficulties of that evaluation. Finally, it summarizes the current state of software airworthiness evaluation technology and looks ahead to its development.

Airplanes and cars are both important means of transportation, but their safety requirements differ greatly. When a car collides and fails, the probability that the occupants survive is relatively high; once an aircraft collides and fails, the probability of survival is almost zero. The safety requirements in aircraft development are therefore much stricter than those for automobiles. Aircraft can be simply divided into two categories: military and civil. Every country has its own standards and quality supervision system for developing military aircraft, but civil aircraft developed in one country fly to other countries, so an internationally recognized standard and quality system is needed to ensure their safety. Specifically, civil aircraft usually need to pass four certifications before they can be put into operation: the Type Certificate, Production Certificate, Airworthiness Certificate and Operational Certificate. The DO-178B standard is the applicable standard for airworthiness certification of airborne software and is an important standard in the whole civil aviation standard system.
DO-178B first determines the software design assurance level from the software's failure conditions, which are classified by their effect on the aircraft, crew and passengers. According to severity, DO-178B defines five software levels. The correspondence between software level and the objectives in DO-178B Annex A is shown in Table 1. Chapter 11 of DO-178B specifies the life cycle data corresponding to the development process above.

The civil aircraft air management system described in this paper consists mainly of an air conditioning system, an air source system and a wing anti-icing system. The system is mainly supplied by engine air (or by the APU, or by an air source vehicle on the ground). The air source system regulates this supply so that air meeting the temperature and pressure requirements is provided to the left and right refrigeration components of the air conditioning system or to the wing anti-icing system. The air conditioning system regulates the air flow, temperature and pressure in the cockpit to keep the passengers safe and comfortable, while the wing anti-icing system uses hot air from the air source to heat the wing and prevent icing.
Generally, to realize integrated control of the air management subsystem functions and to provide redundant backup, the system is fitted with two controllers, which are distinguished by pin programming. The purpose of the airborne software design-phase review is to assess the conformity of the life cycle data to the plans and standards, to assess changes to the plan documents, and to assess the conformity of the life cycle data to the objectives in Tables A-2, A-3, A-4, A-5, A-8, A-9 and A-10 of DO-178B Annex A. During the design stage of its development process, the controller airborne software generates a series of life cycle data, including the software high-level requirements, low-level requirements, software source code and the traceability matrix between them, software requirements validation records, software configuration records, software review records, software problem reports, and the open items left over from the preliminary review. The system supplier submits these data to the aircraft manufacturer for review. The relationship between the review data items and DO-178B at the software design stage is shown in Table 2.

The aircraft manufacturer's review is initiated by the review committee. The reviewers mainly include project managers, system engineers, software and hardware engineers, and quality and airworthiness managers. The final step is to complete the review summary report for the controller airborne software design phase on the basis of the whole review activity. The report states the purpose, materials and activities of the review, elaborates conformity to DO-178B, lists all action items and their completion deadlines, and gives the conclusion of the review.

The software involves the control functions of many subsystems, such as the air source system, the wing anti-icing system and the air conditioning system. Requirement sampling should be based on the main functions, interfaces and safety aspects of each subsystem.
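Before sampling requirements, a reviewer can mechanically check the traceability matrix between high-level requirements, low-level requirements and source code for gaps. The following Python script is an added illustration, not code from this paper or from any supplier; the one-link-per-row CSV layout, the identifiers and the deliberate gaps in the sample data are all constructed.

```python
import csv
import io

# Constructed review data for a hypothetical controller: baselined identifiers
# for high-level requirements (HLR), low-level requirements (LLR) and source
# modules, plus the supplier's traceability matrix as one link per row.
HLRS = {"HLR-ACS-01", "HLR-WAI-03", "HLR-BAS-02"}
LLRS = {"LLR-ACS-01a", "LLR-ACS-01b", "LLR-WAI-03a", "LLR-PIN-07"}
CODE = {"acs_temp_ctrl.c", "pin_program.c", "bas_valve.c"}
SAMPLE_MATRIX = """\
kind,source,target
HLR-LLR,HLR-ACS-01,LLR-ACS-01a
HLR-LLR,HLR-ACS-01,LLR-ACS-01b
HLR-LLR,HLR-WAI-03,LLR-WAI-03a
LLR-CODE,LLR-ACS-01a,acs_temp_ctrl.c
LLR-CODE,LLR-ACS-01b,acs_temp_ctrl.c
LLR-CODE,LLR-PIN-07,pin_program.c
LLR-CODE,LLR-ACS-09,acs_press.c
"""


def check_traceability(matrix_csv, hlrs, llrs, code):
    """Return the traceability gaps a reviewer would raise as action items.

    Findings: HLRs never refined into LLRs; LLRs with no HLR parent (derived
    requirements that must go back to the safety assessment); LLRs with no
    implementing code; code modules tracing to no requirement (candidate
    unintended code); and links naming identifiers absent from the baselines.
    """
    hlr_to_llr, llr_to_code = set(), set()
    for row in csv.DictReader(io.StringIO(matrix_csv)):
        link = (row["source"], row["target"])
        if row["kind"] == "HLR-LLR":
            hlr_to_llr.add(link)
        elif row["kind"] == "LLR-CODE":
            llr_to_code.add(link)
    refined = {h for h, _ in hlr_to_llr}
    with_parent = {low for _, low in hlr_to_llr}
    implemented = {low for low, _ in llr_to_code}
    traced_code = {c for _, c in llr_to_code}
    referenced = {x for link in hlr_to_llr | llr_to_code for x in link}
    return {
        "unrefined_hlr": sorted(hlrs - refined),
        "llr_without_parent": sorted(llrs - with_parent),
        "unimplemented_llr": sorted(llrs - implemented),
        "untraced_code": sorted(code - traced_code),
        "dangling_refs": sorted(referenced - hlrs - llrs - code),
    }
```

On the constructed data, `check_traceability(SAMPLE_MATRIX, HLRS, LLRS, CODE)` flags HLR-BAS-02 as never refined, LLR-PIN-07 as having no HLR parent, LLR-WAI-03a as unimplemented, bas_valve.c as untraced code, and LLR-ACS-09 and acs_press.c as stale references absent from the baselines.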
Reviewers therefore need to be familiar with the system functions in order to extract the core requirements for sampling. Software partition design usually includes time partitioning and space partitioning.
In space partitioning, the review should focus on the protection mechanisms for data flow and data isolation between software components of different levels. In time partitioning, it should focus on the mechanisms for handling real-time overruns, timing-sequence conflicts, time-interval measurement faults, interrupt suppression and so on. To reduce labor, development cost and human-introduced errors, more and more tools are being introduced into the software design process. Tool development is independent of the software design process, and a tool's errors may be magnified by its reuse.
When qualified tools are used in the software design process, attention must be paid to the tool qualification plan and the tool qualification data. DO-178B is process-oriented and objective-oriented, and its stability has kept the standard in use for 25 years.
However, two shortcomings have become apparent. A) The objectives are only “relatively stable”; they cannot be “eternally stable”. New software development technologies emerge endlessly. Some make the objectives easier to achieve, which preserves their “relative stability”, while others make some objectives no longer applicable, so the objectives cannot be “eternally stable”. Object-oriented technology and model-based development and verification are examples for which DO-178B lacks corresponding evaluation criteria. B) DO-178B does not fully implement the “objective-oriented” principle. Among the 66 objectives defined in DO-178B, a small number are not real “objectives” but “techniques”, such as MC/DC coverage, decision coverage and statement coverage. Because these “techniques” appear in the standard in the form of “objectives”, the stability of the DO-178B standard is reduced. To remedy these shortcomings, DO-178C and its supplements, prepared by the joint working group, keep the existing “objective-oriented” principle unchanged and keep the core content basically stable with only minor changes.
DO-178C and its supplementary documents focus on adding evaluation criteria for object-oriented technology, model-based development and formal methods, and on replacing or updating the objectives that are no longer applicable in DO-178B. In future, DO-178C will gradually replace DO-178B as the airworthiness certification standard for the new generation of airborne software.