Post on 08-Apr-2017
DO-178 B / C, EASA ED-12C and DO-254
Graphics Certification Process
DO-178C Software Development Phases
Formal 6 Phase Development Process
1. Planning Phase
2. Requirements Phase
3. Design Phase
4. Coding Phase
5. Integration Phase
6. Testing Phase
Each Phase has specified: Objectives, Input, Output and Activities
Integral Process Activities (CM, QA, Verification and Certification Authority Liaison)
Phase Transition Criteria: phase transition review, assessment and meeting with QA for transition approval
DO-178B/C Certification Package
• Certification Planning Documents (PSAC, SDP and SVP)
• CoreAVI Process Documents (CMP and QAP)
• CoreAVI Standards (Requirements, Design and Code)
• System, High-level and Low-Level Requirements
• Software Architecture Description
• Software Verification Results
– Software Test Plan
– Test Results
– Requirements Coverage Analysis
– Data & Control Coupling Analysis Report
– Structural Coverage Analysis Report
• Trace Matrices
• Executable Object Code
• Software Accomplishment Summary
• Software Configuration Index (includes SECI)
• Verification, Configuration Management, SQA and Tool Qualification Artefacts are available for Audit
OpenGL SC Example (E4690 GPU) - ArgusSC
(Stack diagram; the original figure is not reproduced here. From top to bottom:)
• Graphics Application – SCADE application code
• ArgusSC – six APIs (API 1 to API 6) exposed to the graphics application
• ArgusSC Kernel Mode Driver and ArgusSC Shaders
• VxWorks 653 v2.3.0.1 Operating System
• E4690 GPU and Display Controller Hardware
• Graphical Display(s)
• Modular Design (light green in the diagram denotes ArgusSC software)
– 6 APIs exposed to the graphics application
– 14 Modules with defined interfaces (addresses data and control coupling certification requirements)
– ArgusSC Kernel Mode Driver
– E4690 Shader
ArgusSC Framework Internals
(Module diagram; the original figure is not reproduced here. Modules and the responsibilities shown for them:)
• CoreAVI EGL – EGL upper-level state management
• CoreAVI GL – OpenGL SC upper-level state (bit.h)
• Dispatch Module
• External Headers – gl.h, glext.h, egl.h, eglext.h, eglplatform.h, coreavi_display.h, coreavi_generic_types.h
• Memory Management Module – handles the management of graphics memory (graphics memory allocations, system memory allocations)
• Error Reporting
• Utilities
• OS Module – abstraction of the OS requirements of Argus (VxWorks RTOS and BSP); OS Helper (os_helper.h)
• SysInit Module / System Initialization – setup information, obtains initial VRAM memory
• Render Module – GPU-specific low-level driver implementation (GPU writes/reads)
• Card Specific Library (CSL) – card-specific driver implementation; Carddata
• Display Output Module
• ArgusSC Kernel Mode Driver – OS-specific register/DMA/VRAM reads and writes
• ArgusSC Shaders
• GPU – registers, VRAM, DMA buffer
OpenGL SC Example (cont'd)
Requirements
• One High Level Requirement per external API function (e.g. glVertex3f)
• 298 High Level Requirements
• One Low Level Requirement per internal function (e.g. CoreAVIGlVertex3f), which describes the logical behavior that function must implement
• Each High Level Requirement describes what the external API Function does
• Each Low Level Requirement describes how the internal API function implements its functionality
• 1235 Low Level Requirements
OpenGL SC Example (cont'd)
• Complete Set of Test Cases and Test Procedures
• Normal and Robustness Test Procedures
• 665 HLR-based Test Procedures
• 978 LLR-based Test Procedures
• Provides 100% Statement Coverage
• Specific Test Cases and Test Procedures for Decision and MC/DC Coverage
DO-254 Certification Package
• The CoreAVI E4690 DO-254 Certification Package supports the use of a COTS GPU within a graphics card (which employs an E4690) that is to be certified to DO-254 Level C.
• The graphics card would also require a DO-254 Level C certification dataset that would include the CoreAVI E4690 Certification Package.
• The CoreAVI E4690 DO-254 Certification Package also supports the use of a COTS GPU in a DO-254 Level A system that includes architectural means to mitigate the display of Hazardously Misleading Information (HMI) as described in the CAST-29 position paper.
• The graphics card or board incorporating the E4690 and the architectural means of mitigating HMI would also require a DO-254 certification dataset that would include the CoreAVI E4690 Certification Package.
DO-254 Certification Package
• Plan for Hardware Aspects of Certification (PHAC)
• Hardware Validation and Verification Plan (HVVP)
• Configuration Management Plan (CMP)
• Quality Assurance Plan (QAP)
• Electronic Components Management Plan (ECMP)
• Requirements Standards
• Hardware Requirements Data (HRD)
• Hardware Verification Cases & Procedures (HVCP)
• Hardware Verification Reports (HVR)
• Trace Matrices
• Hardware Accomplishment Summary (HAS)
• Configuration Management Records
• Quality Assurance Records
FAA CAST-29/ EASA CM-SWCEH-001 Chapter 10
• CAST 29 Section 2.2 Possible CGP Contribution to HMI on Airborne Displays
– Implementing a formal and rigorous Preliminary System Safety Assessment (PSSA) and System Safety Assessment (SSA) process, focused on the display system, is an essential step in addressing this concern.
– Architecturally, a display system which includes a self-monitoring scheme implemented in the graphics pipeline to detect GPU anomalies that are unlikely to be detected by the flight crew is a proven means to address this issue.
– The display system architecture and monitoring scheme must be detailed in the PSSA and SSA, including how the monitoring mitigates all reasonable failure modes during which the COTS GPU could cause an image to be corrupted in a way that could lead to the display of HMI and a subsequent Hazardous or Catastrophic airplane event.
FAA CAST-29/ EASA CM-SWCEH-001 Chapter 10
• CAST 29 Section 2.4 CGP Device Variation During Production Life
“CGPs, depending on the type, complexity, and supplier, may exhibit performance variations across the production lifetime of the device.”
– The system designer may note that variations in the performance of the CGP over the expected operating temperature range are factored into the published electrical specifications.
– For each COTS GPU, CoreAVI, as a value-added reseller of COTS GPUs, does the following before the COTS GPU is shipped:
• manually inspects it,
• cleans it (removes residue from ball grid areas), and
• temperature-screens it by executing an extensive suite of tests at both temperature extremes.
– In addition, for each CGP CoreAVI ships, CoreAVI maintains a record containing a unique serial ID allowing traceability through to manufacturing and test history.
FAA CAST-29/ EASA CM-SWCEH-001 Chapter 10
• CAST 29 Section 2.5 CGP Configurable Elements
“Many CGPs contain configurable elements. Some of these may be selectable by loading specific microcode instructions into the device.”
– ArgusSC loads pre-generated microcode (supplied by the manufacturer of the COTS GPU) for the following micro-controller functions:
• GPU’s command processor,
• Universal Video Decode (UVD) engine,
• Direct Memory Access (DMA) engine,
• Interrupt controller.
– This pre-generated microcode is embedded in and treated as ArgusSC source code. As a result, any change to the supplier microcode is treated as a change to the certified ArgusSC software and has to go through a formal Change Request process that includes a detailed impact analysis.
FAA CAST-29/ EASA CM-SWCEH-001 Chapter 10
• CAST 29 Section 2.6 CGP Changes after Certification
“The CGP part numbering, change control process, and revision identification scheme used by the individual CGP suppliers may not be understood by the system developer or applicant.”
– A ‘footprint’ identifies each batch of inventory with a unique license (consisting of a quantity of a specific lot/date code of product) and tracks the actions taken against the license, e.g. batch split, location transfers, relative humidity exposure, testing and order allocation. Additionally, the lot and date code provides the framework for revision control, as lot and date codes are tied to specific revisions, which are also stored within the ‘FootPrint’ inventory management system.
– CoreAVI reviews all PCNs and CoreAVI’s quality manager identifies any customer and inbound shipments that will be affected. When a customer is to be notified of a PCN, the notification time frame will be at least 30 days before the changes become effective.
FAA CAST-29/ EASA CM-SWCEH-001 Chapter 10
• CAST 29 Section 2.7 Unused CGP Functionality
“The CGP design may include functionality that will not be used in the specific design of the airborne display system that could result in unintended operation of the device if that function were to be activated under unusual operating conditions or failures.”
– During the DO-178C Level A certification process, over 2000 ArgusSC test procedures are executed on the target, many of which specifically test the robustness of the CGP.
– ArgusSC BIT API functions allow the graphics application to monitor GPU registers associated with unused functionality and to determine whether the registers have changed.
– Verification of the ArgusSC driver software against the DO-178C Level A objectives while integrated with the GPU.
– Execution of the GPU HLR-based test cases against the DO-254 Level C objectives.
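Added example, not CoreAVI or ArgusSC code, of the register-monitoring idea behind the BIT API bullet above: the control registers of functional blocks the display system never uses are snapshotted once the driver has configured the GPU, and a periodic check reports any masked bit that has changed since. The register offsets, masks, the simulated MMIO aperture and the function names (bit_snapshot, bit_check, demo_bit) are assumptions made so the example runs on a host; the real bit.h interface is not documented on this page.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example (not CoreAVI/ArgusSC code): built-in-test (BIT) check that
 * snapshots registers of unused GPU blocks at init and reports later changes.
 * Offsets, masks and the simulated register file are assumptions. */

typedef struct {
    uint32_t offset;     /* MMIO byte offset of the register (hypothetical) */
    uint32_t mask;       /* bits that must stay constant; hardware-owned status bits masked out */
    uint32_t snapshot;   /* masked value captured at initialization */
} bit_reg_t;

/* Simulated MMIO aperture standing in for the real GPU register space. */
#define SIM_APERTURE_WORDS 256
static uint32_t sim_regs[SIM_APERTURE_WORDS];

static uint32_t mmio_read32(uint32_t offset)
{
    return sim_regs[(offset / 4) % SIM_APERTURE_WORDS];
}

/* Test hook: models what a fault or a stray firmware write would do. */
void sim_mmio_write32(uint32_t offset, uint32_t value)
{
    sim_regs[(offset / 4) % SIM_APERTURE_WORDS] = value;
}

/* Capture the baseline once the driver has finished configuring the GPU. */
void bit_snapshot(bit_reg_t *regs, size_t n)
{
    for (size_t i = 0; i < n; i++)
        regs[i].snapshot = mmio_read32(regs[i].offset) & regs[i].mask;
}

/* Periodic check. Returns how many monitored registers differ (masked) from
 * the snapshot; the first offending offset is written to *first_bad, which is
 * left untouched when nothing changed. */
int bit_check(const bit_reg_t *regs, size_t n, uint32_t *first_bad)
{
    int changed = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t now = mmio_read32(regs[i].offset) & regs[i].mask;
        if (now != regs[i].snapshot) {
            if (changed == 0 && first_bad)
                *first_bad = regs[i].offset;
            changed++;
        }
    }
    return changed;
}

/* Hypothetical monitored registers: enable/config words of blocks the display
 * system never uses. Bit 31 of the last entry is treated as a hardware-owned
 * busy flag and excluded through the mask so it cannot raise a false alarm. */
static bit_reg_t monitored[] = {
    { 0x0100, 0xFFFFFFFFu, 0 },   /* e.g. video-decode block enable (unused) */
    { 0x0140, 0xFFFFFFFFu, 0 },   /* e.g. second display pipe config (unused) */
    { 0x0200, 0x7FFFFFFFu, 0 },   /* e.g. DMA engine control; bit 31 = busy, masked */
};
#define NUM_MONITORED (sizeof monitored / sizeof monitored[0])

/* Constructed scenarios: 0 = nothing changed, 1 = only a masked status bit
 * toggled (must not alarm), 2 = an unused block got enabled (must alarm). */
int demo_bit(int kind, uint32_t *offending)
{
    sim_mmio_write32(0x0100, 0x00000000u);   /* block disabled at init */
    sim_mmio_write32(0x0140, 0x00000010u);
    sim_mmio_write32(0x0200, 0x00000001u);
    bit_snapshot(monitored, NUM_MONITORED);

    if (kind == 1)
        sim_mmio_write32(0x0200, 0x80000001u);   /* busy flag set by hardware */
    if (kind == 2)
        sim_mmio_write32(0x0140, 0x00000011u);   /* unused pipe enabled */

    return bit_check(monitored, NUM_MONITORED, offending);
}

/* Convenience wrapper: offset of the first changed register (0 if none). */
uint32_t demo_bit_first_offset(int kind)
{
    uint32_t off = 0;
    demo_bit(kind, &off);
    return off;
}

int main(void)
{
    for (int k = 0; k < 3; k++) {
        uint32_t off = 0;
        int n = demo_bit(k, &off);
        if (n)
            printf("scenario %d: %d register(s) changed, first at offset 0x%04X\n", k, n, (unsigned)off);
        else
            printf("scenario %d: no change\n", k);
    }
    return 0;
}
```

The mask is the part a practitioner must get right: every bit the hardware itself may toggle (busy, interrupt-pending, counters) has to be excluded, otherwise the check either alarms spuriously or, if it is loosened to cope, stops detecting the enable bits it exists to watch. Which registers and bits are monitored should be traced to the unused-functionality analysis in the PSSA/SSA.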
FAA CAST-29/ EASA CM-SWCEH-001 Chapter 10
• CAST 29 Section 2.8 OpenGL Software Drivers Compliance to DO-178B/ED-12B
“CGPs may require graphics software that allows functional applications to draw visual components on the display, e.g., a software package that implements the OpenGL (Graphics Library) graphics drivers and applications. The developer of the display system may not be the same company that develops the graphics software. In addition, the software graphics packages for the CGPs may not have been developed to the guidance of DO-178B/ED-12B (or other acceptable means of compliance for software).”
– CoreAVI’s ArgusSC OpenGL (Graphics Library) and any customer-specific enhancements are specifically designed and tested to meet the guidance of DO-178C/ED-12C DAL A.
– ArgusSC is tested on the target display system. The display system developer provides the system-level requirements for the graphics software, which are the genesis of all ArgusSC non-derived requirements. Any concerns or disconnects between these requirements and the ArgusSC requirements are identified and addressed with the display system developer.
FAA CAST-29/ EASA CM-SWCEH-001 Chapter 10
• EASA CM-SWCEH-001 Ch 10.1 - The following are some of the concerns and issues that could arise when CGPs are used in safety-critical airborne systems:
“Because CGPs are devices of very high complexity that typically have very short design cycles, there is an increased possibility that they may contain design errors, hardware failures or inappropriate responses to external events (e.g., EMI, high operating temperature) that could result in the undetected display of Hazardously Misleading Information (HMI) to the flight crew. If the resulting erroneous information is not flagged as Invalid Data, it could induce the flight crew to take inappropriate and potentially hazardous action based on that erroneous data, or to not take appropriate action when action is required.”
– Implementing a formal and rigorous Preliminary System Safety Assessment (PSSA) and System Safety Assessment (SSA) process, focused on the display system, is an essential step in addressing this concern.
– Architecturally, a display system which includes a GPU output monitoring scheme implemented in the graphics pipeline to detect GPU anomalies that are unlikely to be detected by the flight crew is a proven means to address this issue.
– It is important to design software and firmware to support an airborne display system design that mitigates the display of HMI by architectural means.
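Added example, not CoreAVI or ArgusSC code, illustrating the GPU output monitoring scheme referred to in CAST-29 Section 2.2 above and in EASA CM-SWCEH-001 Ch 10.1: the application draws a frame-counter-keyed reference pattern into a reserved strip of every frame, and a CPU-side monitor regenerates that pattern independently and compares it with the read-back scan-out buffer, declaring the frame corrupt (pixel mismatch) or stale (pipeline frozen on the previous frame). The framebuffer geometry, strip size, pattern function and scenario names are assumptions made for a host-runnable demonstration, not the monitoring design of any real display system.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not CoreAVI/ArgusSC code): CPU-side output monitor that
 * detects corrupted or frozen GPU output in a reserved strip of the frame.
 * Framebuffer geometry, strip size and the pattern are assumptions. */

#define FB_WIDTH   64
#define FB_HEIGHT  48
#define STRIP_ROWS  4          /* bottom rows reserved for the monitor pattern */

typedef struct {
    uint32_t px[FB_HEIGHT][FB_WIDTH];   /* ARGB8888 pixels */
} framebuffer_t;

typedef enum { FRAME_OK = 0, FRAME_CORRUPT = 1, FRAME_STALE = 2 } frame_status_t;

/* Reference pixel for (frame, row, col). The frame counter is mixed in so a
 * frozen pipeline (previous frame still on screen) does not match. */
static uint32_t monitor_pattern(uint32_t frame_no, int row, int col)
{
    uint32_t v = frame_no * 0x9E3779B1u;   /* golden-ratio multiplier spreads bits */
    v ^= (uint32_t)row << 16;
    v ^= (uint32_t)col;
    return 0xFF000000u | (v & 0x00FFFFFFu);
}

/* What the graphics application draws every frame (through the driver in a
 * real system); here written straight into the simulated framebuffer. */
void draw_monitor_strip(framebuffer_t *fb, uint32_t frame_no)
{
    for (int r = FB_HEIGHT - STRIP_ROWS; r < FB_HEIGHT; r++)
        for (int c = 0; c < FB_WIDTH; c++)
            fb->px[r][c] = monitor_pattern(frame_no, r, c);
}

/* Count strip pixels that differ from the pattern for frame_no; report the
 * first mismatch position when both out-pointers are given. */
static int strip_mismatches(const framebuffer_t *fb, uint32_t frame_no,
                            int *first_row, int *first_col)
{
    int n = 0;
    for (int r = FB_HEIGHT - STRIP_ROWS; r < FB_HEIGHT; r++)
        for (int c = 0; c < FB_WIDTH; c++)
            if (fb->px[r][c] != monitor_pattern(frame_no, r, c)) {
                if (n == 0 && first_row && first_col) { *first_row = r; *first_col = c; }
                n++;
            }
    return n;
}

/* Monitor entry point: run on the read-back frame (e.g. a DMA copy of the
 * scan-out buffer) before the frame is declared valid to the crew. */
frame_status_t check_monitor_strip(const framebuffer_t *readback,
                                   uint32_t expected_frame_no,
                                   int *bad_row, int *bad_col)
{
    int r = -1, c = -1;
    if (strip_mismatches(readback, expected_frame_no, &r, &c) == 0)
        return FRAME_OK;
    /* Strip exactly matches the previous frame: the pipeline froze. */
    if (expected_frame_no > 0 &&
        strip_mismatches(readback, expected_frame_no - 1, NULL, NULL) == 0)
        return FRAME_STALE;
    if (bad_row) *bad_row = r;
    if (bad_col) *bad_col = c;
    return FRAME_CORRUPT;
}

/* Constructed scenarios: 0 = healthy, 1 = single bit flip inside the strip,
 * 2 = frozen output (frame 6 expected, frame 5 still displayed). */
frame_status_t demo_scenario(int kind)
{
    static framebuffer_t fb;               /* static: keeps it off the stack */
    memset(&fb, 0, sizeof fb);
    uint32_t frame_no = 6;
    draw_monitor_strip(&fb, kind == 2 ? frame_no - 1 : frame_no);
    if (kind == 1)
        fb.px[FB_HEIGHT - 1][17] ^= 0x00000100u;   /* flip one green bit */
    int row = -1, col = -1;
    frame_status_t st = check_monitor_strip(&fb, frame_no, &row, &col);
    if (st == FRAME_CORRUPT)
        printf("corrupt pixel at row %d col %d\n", row, col);
    return st;
}

int main(void)
{
    for (int k = 0; k < 3; k++)
        printf("scenario %d -> %d\n", k, (int)demo_scenario(k));
    return 0;
}
```

In a real system the read-back would come from the display controller side of the pipeline (so that the monitor sees what the panel sees, not what the driver submitted), a FRAME_CORRUPT or FRAME_STALE result would drive the invalid-data flag or blanking the PSSA/SSA calls for, and the strip geometry and pattern would themselves be traced requirements. Keying the pattern on the frame counter is what turns a frozen display, which a crew may not notice, into a detected failure.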
FAA Certification
CoreAVI’s DO-178B/C & DO-254 DER:
Marty Gasiorowski
martyg@wwcert.com
http://www.wwcert.com/
• CoreAVI provides its customers with formal FAA Form 8110-3(s) for its certification product releases.
Embedded Graphics Software Support
CoreAVI Embedded OpenGL Drivers
Standards Aligned
• OpenGL SC - Fixed Function Pipeline Safety Critical Profile
• OpenGL ES 2.0 - Programmable Pipeline Shader Language
• OpenGL 1.x - Fixed Function Pipeline
• Argus ES2SC – CoreAVI ES 2.0 based Safety Critical Profile
Operating Systems Supported
• WindRiver VxWorks, VxWorks 653, MILS
• Green Hills Integrity, Integrity 178
• DDCI Deos
• Sysgo/Thales PikeOS
• Microsoft Windows
• Linux
• Proprietary
• Other
Software Drivers Designed for Safety Critical
• Designed and developed from ground up for FAA DO-178C / EASA ED-12C Level A certification
• No 3rd party software IP use
• Scalable power and performance management
• Multicore, Multiple Threads / Applications and Multiple Secure Partitioning
• Hypervisor OpenGL module designed to support multicore / multi-guest OS
• Drivers are integrated and compatible with HMI tools, SCADE, iData, Disti
• CoreAVI OpenGL SC – fixed-function, shader-based implementation – patent filed (pending)
• Solutions aligned with the Future Airborne Capability Environment (FACE™) Technical Standard, Edition 2.0
CoreAVI Certification Experience
• DO-178 B / C Certification of Graphics Software
• From Level D up to and including Level A
• Proven Formal Software Development Process
• Personnel Experienced with DO-178 B / C processes up to and including Level A
• Level A Independence implemented on all activities independent of Project designated assurance level (DAL)
• Four Stage of Involvement (SOI) audits conducted by CoreAVI’s DER and supported by SQA
• CoreAVI provides a position paper on CAST-29 (Use of CGPs in Airborne Systems)
• Addresses E4690 / E8860 shaders
• DO-254 Level C Certification Artifacts for E4690 / E8860
DO-178C Level A Certification Packages
(Timeline figure, 2014 to 2017, with GPUs arranged from high performance to low power; the original figure is not reproduced here.)
• AMD Radeon™ E8860
• Freescale i.MX 6
• AMD Radeon™ E4690
• Intel HD4000
• Intel HD5000
• AMD G Series SoC
Packages shown per GPU and year: ArgusSC, ArgusES2SC, ArgusVideoDecode
“When it is Critical”
Lee Melatti
Dan Joncas
dan.joncas@ch1group.com
+1 647 300 5791
www.coreavi.com