Graphics Certification Process

DO-178 B / C, EASA ED-12C and DO-254 Graphics Certification Process

Transcript of Graphics Certification Process

Page 1: Graphics Certification Process

DO-178 B / C, EASA ED-12C and DO-254

Graphics Certification Process

Page 2

DO-178C Software Development Phases

Formal 6 Phase Development Process

1. Planning Phase

2. Requirements Phase

3. Design Phase

4. Coding Phase

5. Integration Phase

6. Testing Phase

Each Phase has specified: Objectives, Input, Output and Activities

Integral Process Activities (CM, QA, Verification and Certification Authority Liaison)

Phase Transition Criteria: Phase Transition Review Assessment and meeting with QA for transition approval

Page 3

DO-178B/C Certification Package

• Certification Planning Documents (PSAC, SDP and SVP)

• CoreAVI Process Documents (CMP and QAP)

• CoreAVI Standards (Requirements, Design and Code)

• System, High-level and Low-Level Requirements

• Software Architecture Description

• Software Verification Results

– Software Test Plan

– Test Results

– Requirements Coverage Analysis

– Data & Control Coupling Analysis Report

– Structural Coverage Analysis Report

• Trace Matrices

• Executable Object Code

• Software Accomplishment Summary

• Software Configuration Index (includes SECI)

• Verification, Configuration Management, SQA and Tool Qualification Artefacts are available for Audit

[Architecture diagram: the SCADE graphics application code calls ArgusSC through six APIs (API 1 to API 6); ArgusSC, comprising the ArgusSC Kernel Mode Driver and the ArgusSC Shaders, runs on the VxWorks 653 v2.3.0.1 operating system and drives the E4690 GPU and display controller hardware that feeds the graphical display(s).]

Page 4

OpenGL SC Example (E4690 GPU) - ArgusSC

• Modular Design (light green implies ArgusSC software) – 6 APIs exposed to the graphics application

– 14 Modules with defined interfaces (addresses data and control coupling certification requirements)

– ArgusSC Kernel Mode Driver

– E4690 Shader

[Module diagram, ArgusSC Framework Internals: CoreAVI EGL (EGL upper level, state management, card data); CoreAVI GL (OpenGL SC upper level, state); Dispatch Module; External Headers (gl.h, glext.h, egl.h, eglext.h, eglplatform.h, coreavi_display.h, coreavi_generic_types.h, bit.h, os_helper.h); OS Module (abstraction of the OS requirements of Argus; VxWorks RTOS and BSP); OS Helper; SysInit Module (system initialization: setup information, obtain initial VRAM memory); Memory Management Module (handles the management of graphics memory: graphics memory allocations, system memory allocations, error reporting); Render Module (GPU-specific low-level driver implementation, GPU writes/reads); Utilities; Card Specific Library (CSL, card-specific driver implementation); Display Output Module; OS-specific register/DMA/VRAM reads and writes; GPU (registers, VRAM, DMA buffer); ArgusSC Shaders; ArgusSC Kernel Mode Driver.]

Page 5

OpenGL SC Example (cont'd)

Requirements

• One High Level Requirement per external API function (e.g. glVertex3f)

• 298 High Level Requirements

• One Low Level Requirement per internal function (e.g. CoreAVIGlVertex3f) which describes the logical behavior that function must implement

• Each High Level Requirement describes what the external API function does

• Each Low Level Requirement describes how the internal API function implements its functionality

• 1235 Low Level Requirements

Page 6

OpenGL SC Example (cont'd)

• Complete Set of Test Cases and Test Procedures

• Normal and Robustness Test Procedures

• 665 HLR-based Test Procedures

• 978 LLR-based Test Procedures

• Provides 100% Statement Coverage

• Specific Test Cases and Test Procedures for Decision and MC/DC Coverage
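The requirements-based verification structure on the two preceding slides (one High Level Requirement per external API function, normal and robustness test procedures, requirements coverage analysis and trace matrices) is the kind of thing a coverage analysis checks mechanically. The C program below is an added example written for this page, not CoreAVI tooling or ArgusSC code. Apart from glVertex3f, which the slide names, the requirement IDs, API function names, test procedure IDs and trace links are constructed, and the rule it enforces (every HLR has at least one normal-range and one robustness procedure; every procedure traces to an HLR) is the analysis such a report performs.

```c
/* Added example (not CoreAVI's own tooling): a requirements coverage check
 * of the kind a DO-178C Requirements Coverage Analysis performs. Every
 * high-level requirement must be exercised by at least one normal-range and
 * one robustness test procedure, and every test procedure must trace to a
 * requirement (a procedure that traces to nothing is an orphan that needs
 * either a new requirement or deletion). Requirement IDs, test IDs and the
 * trace data below are constructed for illustration. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

typedef enum { TEST_NORMAL, TEST_ROBUSTNESS } test_kind_t;

typedef struct {
    const char *id;        /* e.g. "HLR-001" (constructed) */
    const char *api_fn;    /* external API function the HLR describes */
} hlr_t;

typedef struct {
    const char *id;        /* e.g. "TP-001-N1" (constructed) */
    test_kind_t kind;
    const char *traces_to; /* HLR id, or "" if the procedure is untraced */
} test_proc_t;

/* Constructed trace data: one HLR per external API function, as on the
 * slide, with deliberately incomplete coverage to show what is reported. */
static const hlr_t k_hlrs[] = {
    { "HLR-001", "glVertex3f" },
    { "HLR-002", "glColor4f"  },
    { "HLR-003", "glClear"    },
};
static const test_proc_t k_tests[] = {
    { "TP-001-N1", TEST_NORMAL,     "HLR-001" },
    { "TP-001-R1", TEST_ROBUSTNESS, "HLR-001" },
    { "TP-002-N1", TEST_NORMAL,     "HLR-002" }, /* no robustness test */
    { "TP-009-N1", TEST_NORMAL,     ""        }, /* orphan: traces nowhere */
};
#define N_HLRS  (sizeof k_hlrs  / sizeof k_hlrs[0])
#define N_TESTS (sizeof k_tests / sizeof k_tests[0])

typedef struct {
    int missing_normal;      /* HLRs with no normal-range test procedure */
    int missing_robustness;  /* HLRs with no robustness test procedure   */
    int orphan_tests;        /* test procedures tracing to no HLR        */
} coverage_report_t;

/* Runs the coverage analysis over (hlrs, tests) and fills *rep. Returns 1
 * if the trace set is complete (all counters zero), 0 otherwise. */
int analyze_coverage(const hlr_t *hlrs, size_t nh,
                     const test_proc_t *tests, size_t nt,
                     coverage_report_t *rep) {
    memset(rep, 0, sizeof *rep);
    for (size_t i = 0; i < nh; i++) {
        int has_normal = 0, has_robust = 0;
        for (size_t j = 0; j < nt; j++) {
            if (strcmp(tests[j].traces_to, hlrs[i].id) != 0) continue;
            if (tests[j].kind == TEST_NORMAL) has_normal = 1;
            else has_robust = 1;
        }
        if (!has_normal) {
            rep->missing_normal++;
            printf("%s (%s): no normal-range test\n", hlrs[i].id, hlrs[i].api_fn);
        }
        if (!has_robust) {
            rep->missing_robustness++;
            printf("%s (%s): no robustness test\n", hlrs[i].id, hlrs[i].api_fn);
        }
    }
    for (size_t j = 0; j < nt; j++) {
        int found = 0;
        for (size_t i = 0; i < nh && !found; i++)
            found = strcmp(tests[j].traces_to, hlrs[i].id) == 0;
        if (!found) {
            rep->orphan_tests++;
            printf("%s: traces to no requirement\n", tests[j].id);
        }
    }
    return rep->missing_normal == 0 && rep->missing_robustness == 0
        && rep->orphan_tests == 0;
}

int main(void) {
    coverage_report_t rep;
    int complete = analyze_coverage(k_hlrs, N_HLRS, k_tests, N_TESTS, &rep);
    printf("complete=%d missing_normal=%d missing_robustness=%d orphans=%d\n",
           complete, rep.missing_normal, rep.missing_robustness, rep.orphan_tests);
    return complete ? 0 : 1;
}
```

With the constructed data the report is missing_normal=1 (HLR-003), missing_robustness=2 (HLR-002, HLR-003) and one orphan procedure, so the set is judged incomplete; a trace matrix in which every HLR has both kinds of procedure and every procedure traces back passes.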

Page 7

DO-254 Certification Package

• The CoreAVI E4690 DO-254 Certification Package supports the use of a COTS GPU within a graphics card (which employs an E4690) that is to be certified to DO-254 Level C.

• The graphics card would also require a DO-254 Level C certification dataset that would include the CoreAVI E4690 Certification Package.

• The CoreAVI E4690 DO-254 Certification Package also supports the use of a COTS GPU in a DO-254 Level A system that includes architectural means to mitigate the display of Hazardously Misleading Information (HMI) as described in the CAST-29 position paper.

• The graphics card or board incorporating the E4690 and the architectural means of mitigating HMI would also require a DO-254 certification dataset that would include the CoreAVI E4690 Certification Package.

Page 8

DO-254 Certification Package

• Plan for Hardware Aspects of Certification (PHAC)

• Hardware Validation and Verification Plan (HVVP)

• Configuration Management Plan (CMP)

• Quality Assurance Plan (QAP)

• Electronic Components Management Plan (ECMP)

• Requirements Standards

• Hardware Requirements Data (HRD)

• Hardware Verification Cases & Procedures (HVCP)

• Hardware Verification Reports (HVR)

• Trace Matrices

• Hardware Accomplishment Summary (HAS)

• Configuration Management Records

• Quality Assurance Records

Page 9

FAA CAST-29/ EASA CM-SWCEH-001 Chapter 10

• CAST 29 Section 2.2 Possible CGP Contribution to HMI on Airborne Displays

• Implementing a formal and rigorous Preliminary System Safety Assessment (PSSA) and System Safety Assessment (SSA) process, focussed on the display system, is an essential step addressing this concern.

• Architecturally a display system which includes a self-monitoring scheme implemented in the graphics pipeline to detect GPU anomalies that are unlikely to be detected by the flight crew is a proven means to address this issue.

• The display system architecture and monitoring scheme must be detailed in the PSSA and SSA including how the monitoring mitigates all reasonable failure modes during which the COTS GPU could cause an image to be corrupted in a way that could lead to the display of HMI and a subsequent Hazardous or Catastrophic airplane event.

Page 10

FAA CAST-29/ EASA CM-SWCEH-001 Chapter 10

• CAST 29 Section 2.4 CGP Device Variation During Production Life

“CGPs, depending on the type, complexity, and supplier, may exhibit performance variations across the production lifetime of the device.”

– The system designer may mention that variations in the performance of the CGP over the expected operating temperature range are factored into the published electrical specifications

– For each COTS GPU, CoreAVI, as a value-added reseller of COTS GPUs, does the following before the COTS GPU is shipped:

• manually inspects,

• cleans (removes residue from ball grid areas),

• temperature-screens, by executing an extensive suite of tests at both temperature extremes.

– In addition, for each CGP CoreAVI ships, CoreAVI maintains a record containing a unique serial ID allowing traceability through to manufacturing and test history

Page 11

FAA CAST-29/ EASA CM-SWCEH-001 Chapter 10

• CAST 29 Section 2.5 CGP Configurable Elements

“Many CGPs contain configurable elements. Some of these may be selectable by loading specific microcode instructions into the device.”

– ArgusSC loads pre-generated microcode (supplied by the manufacturer of the COTS GPU) for the following micro-controller functions:

• GPU’s command processor,

• Universal Video Decode (UVD) engine,

• Direct Memory Access (DMA) engine,

• Interrupt controller

– This pre-generated microcode is embedded in and treated as ArgusSC source code. As a result, any change to the supplier microcode is treated as a change to the certified ArgusSC software and would have to go through a formal Change Request process that includes a detailed impact analysis.

Page 12

FAA CAST-29/ EASA CM-SWCEH-001 Chapter 10

• CAST 29 Section 2.6 CGP Changes after Certification

“The CGP part numbering, change control process, and revision identification scheme used by the individual CGP suppliers may not be understood by the system developer or applicant.”

– A ‘footprint’ identifies each batch of inventory with a unique license (consisting of a quantity of a specific lot/date code of product) and tracks the actions taken against the license, i.e. batch split, location transfers, relative humidity exposure, testing and order allocation. Additionally, the lot and date code provides the framework for revision control, as lot and date codes are subject to specific revisions, which are also stored within the ‘FootPrint’ inventory management system.

– CoreAVI reviews all PCNs and CoreAVI’s quality manager identifies any customer and inbound shipments that will be affected. When a customer is to be notified of a PCN, the notification time frame will be at least 30 days before the changes become effective.

Page 13

FAA CAST-29/ EASA CM-SWCEH-001 Chapter 10

• CAST 29 Section 2.7 Unused CGP Functionality

“The CGP design may include functionality that will not be used in the specific design of the airborne display system that could result in unintended operation of the device if that function were to be activated under unusual operating conditions or failures.”

– During the DO-178C Level A certification process, over 2000 ArgusSC test procedures are executed on the target, many of which specifically test the robustness of the CGP.

– ArgusSC BIT API functions allow the graphics application to monitor GPU registers associated with unused functionality and to determine whether the registers have changed.

– The verification of the ArgusSC driver software according to DO-178C Level A objectives while integrated with the GPU

– The execution of the GPU HLR-based test cases according to the DO-254 Level C objectives
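The register monitoring described above (BIT API functions that let the graphics application check whether registers associated with unused functionality have changed) can be illustrated with a small built-in-test style monitor. The following C program is an added example, not ArgusSC or CoreAVI code: it snapshots the monitored bits of a set of registers after initialization and later reports which registers have deviated, masking out status bits that legitimately change. The register names, offsets, masks and the simulated MMIO window are all assumptions made for illustration; real offsets would come from the GPU's programming documentation.

```c
/* Added example (not CoreAVI code): a built-in-test style register monitor
 * in the spirit of the BIT API described on the slide. It snapshots a set
 * of GPU registers that belong to functionality the display system does
 * not use and later reports any register whose monitored bits changed.
 * The register file, register names, offsets and masks below are all
 * constructed for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define REG_FILE_WORDS 64   /* constructed: a tiny simulated MMIO window */

/* One register that must stay at its post-initialization value. 'mask'
 * selects the bits that matter; bits outside the mask (e.g. a read-only
 * busy/status bit) may change without raising a fault. */
typedef struct {
    const char *name;     /* constructed register name */
    uint32_t    offset;   /* word offset into the MMIO window */
    uint32_t    mask;     /* monitored bits */
} monitored_reg_t;

/* Constructed example: registers of three engines this display system
 * never enables. Offsets and masks are hypothetical. */
static const monitored_reg_t k_unused_regs[] = {
    { "UVD_ENABLE", 0x10, 0xFFFFFFFFu },
    { "DMA_CTRL",   0x20, 0x0000FFFFu }, /* high half = volatile status */
    { "IH_MASK",    0x30, 0xFFFFFFFFu },
};
#define N_UNUSED_REGS (sizeof k_unused_regs / sizeof k_unused_regs[0])

/* Simulated GPU MMIO register file (constructed). On hardware this would be
 * a volatile pointer into the mapped BAR, accessed through the OS module. */
static uint32_t g_regs[REG_FILE_WORDS];

static uint32_t reg_read(uint32_t offset) { return g_regs[offset]; }
void sim_reg_write(uint32_t offset, uint32_t value) { g_regs[offset] = value; }
void sim_reg_reset(void) { memset(g_regs, 0, sizeof g_regs); }

/* Snapshot of the monitored bits, taken once after initialization. */
typedef struct { uint32_t value[N_UNUSED_REGS]; } reg_baseline_t;

void bit_capture_baseline(reg_baseline_t *b) {
    for (size_t i = 0; i < N_UNUSED_REGS; i++)
        b->value[i] = reg_read(k_unused_regs[i].offset) & k_unused_regs[i].mask;
}

/* Compares the current monitored bits with the baseline. Returns the number
 * of registers that deviate and sets bit i of *changed_mask for each
 * deviating k_unused_regs[i], so the caller can name the engine involved. */
int bit_check_unused_regs(const reg_baseline_t *b, uint32_t *changed_mask) {
    int deviations = 0;
    *changed_mask = 0;
    for (size_t i = 0; i < N_UNUSED_REGS; i++) {
        uint32_t now = reg_read(k_unused_regs[i].offset) & k_unused_regs[i].mask;
        if (now != b->value[i]) {
            deviations++;
            *changed_mask |= 1u << i;
        }
    }
    return deviations;
}

int main(void) {
    reg_baseline_t base;
    uint32_t changed;

    sim_reg_reset();
    sim_reg_write(0x20, 0x00000001u);          /* constructed init value */
    bit_capture_baseline(&base);

    sim_reg_write(0x20, 0x80000001u);          /* status bit toggles: benign */
    printf("after status toggle: %d deviation(s)\n",
           bit_check_unused_regs(&base, &changed));

    sim_reg_write(0x10, 0x00000001u);          /* UVD enable bit set: fault */
    int n = bit_check_unused_regs(&base, &changed);
    for (size_t i = 0; i < N_UNUSED_REGS; i++)
        if (changed & (1u << i))
            printf("FAULT: %s changed from baseline\n", k_unused_regs[i].name);
    printf("after UVD enable: %d deviation(s)\n", n);
    return 0;
}
```

The mask is the part worth getting right in practice: without it, a hardware status bit that toggles on its own would be reported as a deviation on every check, and a monitor that cries wolf is soon ignored. What the application does on a real deviation (flag the frame as invalid, reinitialize, or escalate) is a display-system architecture decision that belongs in the PSSA and SSA rather than in the monitor itself.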

Page 14

FAA CAST-29/ EASA CM-SWCEH-001 Chapter 10

• CAST 29 Section 2.8 OpenGL Software Drivers Compliance to DO-178B/ED-12B

“CGPs may require graphics software that allows functional applications to draw visual components on the display, e.g., a software package that implements the OpenGL (Graphics Library) graphics drivers and applications. The developer of the display system may not be the same company that develops the graphics software. In addition, the software graphics packages for the CGPs may not have been developed to the guidance of DO-178B/ED-12B (or other acceptable means of compliance for software).”

– CoreAVI’s ArgusSC OpenGL (Graphics Library) and any customer specific enhancements are specifically designed and tested to meet the guidance of DO-178C/ED-12C DAL A.

– ArgusSC is tested on the target display system. The display system developer provides system-level requirements for the graphics software, which are the genesis of all ArgusSC non-derived requirements. Any concerns or disconnects between these requirements and the ArgusSC requirements are identified and addressed with the display system developer.

Page 15

FAA CAST-29/ EASA CM-SWCEH-001 Chapter 10

• EASA CM-SWCEH-001 Ch 10.1 - The following describes some of the concerns and issues that could arise when CGPs are used in safety-critical airborne systems:

“Because CGPs are devices of very high complexity that typically have very short design cycles, there is an increased possibility that they may contain design errors, hardware failures or inappropriate responses to external events (e.g., EMI, high operating temperature) that could result in the undetected display of Hazardously Misleading Information (HMI) to the flight crew. If the resulting erroneous information is not flagged as Invalid Data, it could induce the flight crew to take inappropriate and potentially hazardous action based on that erroneous data, or to not take appropriate action when action is required.”

– Implementing a formal and rigorous Preliminary System Safety Assessment (PSSA) and System Safety Assessment (SSA) process, focussed on the display system, is an essential step addressing this concern.

– Architecturally a display system which includes a GPU output monitoring scheme implemented in the graphics pipeline to detect GPU anomalies that are unlikely to be detected by the flight crew is a proven means to address this issue.

– It is important to design software and firmware to support an airborne display system design that mitigates the display of HMI by architectural means.

Page 16

FAA Certification

CoreAVI’s DO-178B/C & DO-254 DER:

Marty Gasiorowski

[email protected]

http://www.wwcert.com/

• CoreAVI provides its customers with formal FAA Form 8110-3(s) for its certification product releases.

Page 17

Embedded Graphics Software Support

Standards Aligned:

• OpenGL SC - Fixed Function Pipeline Safety Critical Profile

• OpenGL ES 2.0 - Programmable Pipeline Shader Language

• OpenGL 1.x - Fixed Function Pipeline

• Argus ES2SC – CoreAVI ES 2.0 based Safety Critical Profile

CoreAVI Embedded OpenGL Drivers

Operating Systems Supported:

• WindRiver VxWorks, VxWorks 653, MILS

• Green Hills Integrity, Integrity 178

• DDC-I Deos

• Sysgo/Thales PikeOS

• Microsoft Windows

• Linux

• Proprietary

• Other

Page 18

Software Drivers Designed for Safety Critical

• Designed and developed from ground up for FAA DO-178C / EASA ED-12C Level A certification

• No 3rd party software IP use

• Scalable power and performance management

• Multicore, Multiple Threads / Applications and Multiple Secure Partitioning

• Hypervisor OpenGL module designed to support multicore / multi-guest OS

• Drivers are integrated and compatible with HMI (human-machine interface) tools: SCADE, iData, Disti

• CoreAVI OpenGL SC – fixed function shader based implementation – Filed Patent Pending

• Solutions aligned with Future Airborne Capability Environment (FACE™) Technical Standard, Edition 2.0

Page 19

CoreAVI Certification Experience

• DO-178 B / C Certification of Graphics Software

• From Level D up to and including Level A

• Proven Formal Software Development Process

• Personnel Experienced with DO-178 B / C processes up to and including Level A

• Level A Independence implemented on all activities independent of Project designated assurance level (DAL)

• Four Stage of Involvement (SOI) Audits conducted by CoreAVI’s DER and supported by SQA

• CoreAVI provides a position paper on CAST 29 (Use of CGP in Airborne systems)

• Addresses E4690 / 8860 shaders

• DO-254 Certification Level C Artifacts for E4690 /8860

Page 20

DO-178C Level A Certification Packages

[Roadmap chart, 2014 to 2017, arranged from high performance to low power: AMD Radeon™ E8860, Freescale i.MX 6, AMD Radeon™ E4690, Intel HD4000, Intel HD5000 and AMD G Series SoC, each with its ArgusSC, ArgusES2SC and/or ArgusVideoDecode certification packages.]

Page 21

“When it is Critical”

Lee Melatti

Dan Joncas

[email protected]

+1 647 300 5791

www.coreavi.com